diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-07-08 00:24:54 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-07-10 21:05:33 -0400 |
| commit | 5b636857fee642694e287e3a181b523b16098c93 (patch) | |
| tree | 24afcc11fc35350a29f5d6d73d376a551c5569b8 /security/tomoyo/common.h | |
| parent | 2ca9bf453bdd478bcb6c01aa2d0bd4c2f4350563 (diff) | |
TOMOYO: Allow using argv[]/envp[] of execve() as conditions.
This patch adds support for permission checks using argv[]/envp[] of execve()
request. Hooks are in the last patch of this pathset.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/common.h')
| -rw-r--r-- | security/tomoyo/common.h | 45 |
1 files changed, 43 insertions, 2 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 7e56e6b364e5..6c013b177791 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h | |||
| @@ -54,6 +54,8 @@ enum tomoyo_conditions_index { | |||
| 54 | TOMOYO_TASK_FSGID, /* current_fsgid() */ | 54 | TOMOYO_TASK_FSGID, /* current_fsgid() */ |
| 55 | TOMOYO_TASK_PID, /* sys_getpid() */ | 55 | TOMOYO_TASK_PID, /* sys_getpid() */ |
| 56 | TOMOYO_TASK_PPID, /* sys_getppid() */ | 56 | TOMOYO_TASK_PPID, /* sys_getppid() */ |
| 57 | TOMOYO_EXEC_ARGC, /* "struct linux_binprm *"->argc */ | ||
| 58 | TOMOYO_EXEC_ENVC, /* "struct linux_binprm *"->envc */ | ||
| 57 | TOMOYO_TYPE_IS_SOCKET, /* S_IFSOCK */ | 59 | TOMOYO_TYPE_IS_SOCKET, /* S_IFSOCK */ |
| 58 | TOMOYO_TYPE_IS_SYMLINK, /* S_IFLNK */ | 60 | TOMOYO_TYPE_IS_SYMLINK, /* S_IFLNK */ |
| 59 | TOMOYO_TYPE_IS_FILE, /* S_IFREG */ | 61 | TOMOYO_TYPE_IS_FILE, /* S_IFREG */ |
| @@ -104,6 +106,8 @@ enum tomoyo_conditions_index { | |||
| 104 | TOMOYO_MAX_CONDITION_KEYWORD, | 106 | TOMOYO_MAX_CONDITION_KEYWORD, |
| 105 | TOMOYO_NUMBER_UNION, | 107 | TOMOYO_NUMBER_UNION, |
| 106 | TOMOYO_NAME_UNION, | 108 | TOMOYO_NAME_UNION, |
| 109 | TOMOYO_ARGV_ENTRY, | ||
| 110 | TOMOYO_ENVP_ENTRY, | ||
| 107 | }; | 111 | }; |
| 108 | 112 | ||
| 109 | 113 | ||
| @@ -467,6 +471,12 @@ struct tomoyo_mini_stat { | |||
| 467 | dev_t rdev; | 471 | dev_t rdev; |
| 468 | }; | 472 | }; |
| 469 | 473 | ||
| 474 | /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */ | ||
| 475 | struct tomoyo_page_dump { | ||
| 476 | struct page *page; /* Previously dumped page. */ | ||
| 477 | char *data; /* Contents of "page". Size is PAGE_SIZE. */ | ||
| 478 | }; | ||
| 479 | |||
| 470 | /* Structure for attribute checks in addition to pathname checks. */ | 480 | /* Structure for attribute checks in addition to pathname checks. */ |
| 471 | struct tomoyo_obj_info { | 481 | struct tomoyo_obj_info { |
| 472 | /* | 482 | /* |
| @@ -491,20 +501,45 @@ struct tomoyo_obj_info { | |||
| 491 | struct tomoyo_path_info *symlink_target; | 501 | struct tomoyo_path_info *symlink_target; |
| 492 | }; | 502 | }; |
| 493 | 503 | ||
| 504 | /* Structure for argv[]. */ | ||
| 505 | struct tomoyo_argv { | ||
| 506 | unsigned long index; | ||
| 507 | const struct tomoyo_path_info *value; | ||
| 508 | bool is_not; | ||
| 509 | }; | ||
| 510 | |||
| 511 | /* Structure for envp[]. */ | ||
| 512 | struct tomoyo_envp { | ||
| 513 | const struct tomoyo_path_info *name; | ||
| 514 | const struct tomoyo_path_info *value; | ||
| 515 | bool is_not; | ||
| 516 | }; | ||
| 517 | |||
| 494 | /* Structure for execve() operation. */ | 518 | /* Structure for execve() operation. */ |
| 495 | struct tomoyo_execve { | 519 | struct tomoyo_execve { |
| 496 | struct tomoyo_request_info r; | 520 | struct tomoyo_request_info r; |
| 497 | struct tomoyo_obj_info obj; | 521 | struct tomoyo_obj_info obj; |
| 498 | struct linux_binprm *bprm; | 522 | struct linux_binprm *bprm; |
| 523 | /* For dumping argv[] and envp[]. */ | ||
| 524 | struct tomoyo_page_dump dump; | ||
| 499 | /* For temporary use. */ | 525 | /* For temporary use. */ |
| 500 | char *tmp; /* Size is TOMOYO_EXEC_TMPSIZE bytes */ | 526 | char *tmp; /* Size is TOMOYO_EXEC_TMPSIZE bytes */ |
| 501 | }; | 527 | }; |
| 502 | 528 | ||
| 503 | /* Structure for entries which follows "struct tomoyo_condition". */ | 529 | /* Structure for entries which follows "struct tomoyo_condition". */ |
| 504 | struct tomoyo_condition_element { | 530 | struct tomoyo_condition_element { |
| 505 | /* Left hand operand. */ | 531 | /* |
| 532 | * Left hand operand. A "struct tomoyo_argv" for TOMOYO_ARGV_ENTRY, a | ||
| 533 | * "struct tomoyo_envp" for TOMOYO_ENVP_ENTRY is attached to the tail | ||
| 534 | * of the array of this struct. | ||
| 535 | */ | ||
| 506 | u8 left; | 536 | u8 left; |
| 507 | /* Right hand operand. */ | 537 | /* |
| 538 | * Right hand operand. A "struct tomoyo_number_union" for | ||
| 539 | * TOMOYO_NUMBER_UNION, a "struct tomoyo_name_union" for | ||
| 540 | * TOMOYO_NAME_UNION is attached to the tail of the array of this | ||
| 541 | * struct. | ||
| 542 | */ | ||
| 508 | u8 right; | 543 | u8 right; |
| 509 | /* Equation operator. True if equals or overlaps, false otherwise. */ | 544 | /* Equation operator. True if equals or overlaps, false otherwise. */ |
| 510 | bool equals; | 545 | bool equals; |
| @@ -517,10 +552,14 @@ struct tomoyo_condition { | |||
| 517 | u16 condc; /* Number of conditions in this struct. */ | 552 | u16 condc; /* Number of conditions in this struct. */ |
| 518 | u16 numbers_count; /* Number of "struct tomoyo_number_union values". */ | 553 | u16 numbers_count; /* Number of "struct tomoyo_number_union values". */ |
| 519 | u16 names_count; /* Number of "struct tomoyo_name_union names". */ | 554 | u16 names_count; /* Number of "struct tomoyo_name_union names". */ |
| 555 | u16 argc; /* Number of "struct tomoyo_argv". */ | ||
| 556 | u16 envc; /* Number of "struct tomoyo_envp". */ | ||
| 520 | /* | 557 | /* |
| 521 | * struct tomoyo_condition_element condition[condc]; | 558 | * struct tomoyo_condition_element condition[condc]; |
| 522 | * struct tomoyo_number_union values[numbers_count]; | 559 | * struct tomoyo_number_union values[numbers_count]; |
| 523 | * struct tomoyo_name_union names[names_count]; | 560 | * struct tomoyo_name_union names[names_count]; |
| 561 | * struct tomoyo_argv argv[argc]; | ||
| 562 | * struct tomoyo_envp envp[envc]; | ||
| 524 | */ | 563 | */ |
| 525 | }; | 564 | }; |
| 526 | 565 | ||
| @@ -751,6 +790,8 @@ bool tomoyo_correct_path(const char *filename); | |||
| 751 | bool tomoyo_correct_word(const char *string); | 790 | bool tomoyo_correct_word(const char *string); |
| 752 | bool tomoyo_domain_def(const unsigned char *buffer); | 791 | bool tomoyo_domain_def(const unsigned char *buffer); |
| 753 | bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r); | 792 | bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r); |
| 793 | bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos, | ||
| 794 | struct tomoyo_page_dump *dump); | ||
| 754 | bool tomoyo_memory_ok(void *ptr); | 795 | bool tomoyo_memory_ok(void *ptr); |
| 755 | bool tomoyo_number_matches_group(const unsigned long min, | 796 | bool tomoyo_number_matches_group(const unsigned long min, |
| 756 | const unsigned long max, | 797 | const unsigned long max, |