diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2010-05-16 21:06:58 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-08-02 01:33:35 -0400 |
| commit | 4c3e9e2ded48bcf696a45945ea7d25bb15b873fd (patch) | |
| tree | 0be326f0f90b0279ae83594e9244c3739d348df1 /security/tomoyo/common.h | |
| parent | babcd37821fba57048b30151969d28303f2a8b6b (diff) | |
TOMOYO: Add numeric values grouping support.
This patch adds numeric values grouping support, which is useful for grouping
numeric values such as file's UID, DAC's mode, ioctl()'s cmd number.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/common.h')
| -rw-r--r-- | security/tomoyo/common.h | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 9f1ae5e3ba51..33d3072f9bb4 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h | |||
| @@ -55,6 +55,7 @@ struct linux_binprm; | |||
| 55 | #define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain " | 55 | #define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain " |
| 56 | #define TOMOYO_KEYWORD_NO_KEEP_DOMAIN "no_keep_domain " | 56 | #define TOMOYO_KEYWORD_NO_KEEP_DOMAIN "no_keep_domain " |
| 57 | #define TOMOYO_KEYWORD_PATH_GROUP "path_group " | 57 | #define TOMOYO_KEYWORD_PATH_GROUP "path_group " |
| 58 | #define TOMOYO_KEYWORD_NUMBER_GROUP "number_group " | ||
| 58 | #define TOMOYO_KEYWORD_SELECT "select " | 59 | #define TOMOYO_KEYWORD_SELECT "select " |
| 59 | #define TOMOYO_KEYWORD_USE_PROFILE "use_profile " | 60 | #define TOMOYO_KEYWORD_USE_PROFILE "use_profile " |
| 60 | #define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read" | 61 | #define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read" |
| @@ -62,6 +63,12 @@ struct linux_binprm; | |||
| 62 | #define TOMOYO_ROOT_NAME "<kernel>" | 63 | #define TOMOYO_ROOT_NAME "<kernel>" |
| 63 | #define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1) | 64 | #define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1) |
| 64 | 65 | ||
| 66 | /* Value type definition. */ | ||
| 67 | #define TOMOYO_VALUE_TYPE_INVALID 0 | ||
| 68 | #define TOMOYO_VALUE_TYPE_DECIMAL 1 | ||
| 69 | #define TOMOYO_VALUE_TYPE_OCTAL 2 | ||
| 70 | #define TOMOYO_VALUE_TYPE_HEXADECIMAL 3 | ||
| 71 | |||
| 65 | /* Index numbers for Access Controls. */ | 72 | /* Index numbers for Access Controls. */ |
| 66 | enum tomoyo_mac_index { | 73 | enum tomoyo_mac_index { |
| 67 | TOMOYO_MAC_FOR_FILE, /* domain_policy.conf */ | 74 | TOMOYO_MAC_FOR_FILE, /* domain_policy.conf */ |
| @@ -211,6 +218,14 @@ struct tomoyo_name_union { | |||
| 211 | u8 is_group; | 218 | u8 is_group; |
| 212 | }; | 219 | }; |
| 213 | 220 | ||
| 221 | struct tomoyo_number_union { | ||
| 222 | unsigned long values[2]; | ||
| 223 | struct tomoyo_number_group *group; | ||
| 224 | u8 min_type; | ||
| 225 | u8 max_type; | ||
| 226 | u8 is_group; | ||
| 227 | }; | ||
| 228 | |||
| 214 | /* Structure for "path_group" directive. */ | 229 | /* Structure for "path_group" directive. */ |
| 215 | struct tomoyo_path_group { | 230 | struct tomoyo_path_group { |
| 216 | struct list_head list; | 231 | struct list_head list; |
| @@ -219,6 +234,14 @@ struct tomoyo_path_group { | |||
| 219 | atomic_t users; | 234 | atomic_t users; |
| 220 | }; | 235 | }; |
| 221 | 236 | ||
| 237 | /* Structure for "number_group" directive. */ | ||
| 238 | struct tomoyo_number_group { | ||
| 239 | struct list_head list; | ||
| 240 | const struct tomoyo_path_info *group_name; | ||
| 241 | struct list_head member_list; | ||
| 242 | atomic_t users; | ||
| 243 | }; | ||
| 244 | |||
| 222 | /* Structure for "path_group" directive. */ | 245 | /* Structure for "path_group" directive. */ |
| 223 | struct tomoyo_path_group_member { | 246 | struct tomoyo_path_group_member { |
| 224 | struct list_head list; | 247 | struct list_head list; |
| @@ -226,6 +249,13 @@ struct tomoyo_path_group_member { | |||
| 226 | const struct tomoyo_path_info *member_name; | 249 | const struct tomoyo_path_info *member_name; |
| 227 | }; | 250 | }; |
| 228 | 251 | ||
| 252 | /* Structure for "number_group" directive. */ | ||
| 253 | struct tomoyo_number_group_member { | ||
| 254 | struct list_head list; | ||
| 255 | bool is_deleted; | ||
| 256 | struct tomoyo_number_union number; | ||
| 257 | }; | ||
| 258 | |||
| 229 | /* | 259 | /* |
| 230 | * tomoyo_acl_info is a structure which is used for holding | 260 | * tomoyo_acl_info is a structure which is used for holding |
| 231 | * | 261 | * |
| @@ -554,9 +584,18 @@ bool tomoyo_parse_name_union(const char *filename, | |||
| 554 | bool tomoyo_path_matches_group(const struct tomoyo_path_info *pathname, | 584 | bool tomoyo_path_matches_group(const struct tomoyo_path_info *pathname, |
| 555 | const struct tomoyo_path_group *group, | 585 | const struct tomoyo_path_group *group, |
| 556 | const bool may_use_pattern); | 586 | const bool may_use_pattern); |
| 587 | /* Check whether the given value matches the given number_group. */ | ||
| 588 | bool tomoyo_number_matches_group(const unsigned long min, | ||
| 589 | const unsigned long max, | ||
| 590 | const struct tomoyo_number_group *group); | ||
| 557 | /* Check whether the given filename matches the given pattern. */ | 591 | /* Check whether the given filename matches the given pattern. */ |
| 558 | bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, | 592 | bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, |
| 559 | const struct tomoyo_path_info *pattern); | 593 | const struct tomoyo_path_info *pattern); |
| 594 | |||
| 595 | bool tomoyo_print_number_union(struct tomoyo_io_buffer *head, | ||
| 596 | const struct tomoyo_number_union *ptr); | ||
| 597 | bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num); | ||
| 598 | |||
| 560 | /* Read "alias" entry in exception policy. */ | 599 | /* Read "alias" entry in exception policy. */ |
| 561 | bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head); | 600 | bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head); |
| 562 | /* | 601 | /* |
| @@ -570,6 +609,8 @@ bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head); | |||
| 570 | bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head); | 609 | bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head); |
| 571 | /* Read "path_group" entry in exception policy. */ | 610 | /* Read "path_group" entry in exception policy. */ |
| 572 | bool tomoyo_read_path_group_policy(struct tomoyo_io_buffer *head); | 611 | bool tomoyo_read_path_group_policy(struct tomoyo_io_buffer *head); |
| 612 | /* Read "number_group" entry in exception policy. */ | ||
| 613 | bool tomoyo_read_number_group_policy(struct tomoyo_io_buffer *head); | ||
| 573 | /* Read "allow_read" entry in exception policy. */ | 614 | /* Read "allow_read" entry in exception policy. */ |
| 574 | bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head); | 615 | bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head); |
| 575 | /* Read "deny_rewrite" entry in exception policy. */ | 616 | /* Read "deny_rewrite" entry in exception policy. */ |
| @@ -614,6 +655,8 @@ int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete); | |||
| 614 | int tomoyo_write_pattern_policy(char *data, const bool is_delete); | 655 | int tomoyo_write_pattern_policy(char *data, const bool is_delete); |
| 615 | /* Create "path_group" entry in exception policy. */ | 656 | /* Create "path_group" entry in exception policy. */ |
| 616 | int tomoyo_write_path_group_policy(char *data, const bool is_delete); | 657 | int tomoyo_write_path_group_policy(char *data, const bool is_delete); |
| 658 | /* Create "number_group" entry in exception policy. */ | ||
| 659 | int tomoyo_write_number_group_policy(char *data, const bool is_delete); | ||
| 617 | /* Find a domain by the given name. */ | 660 | /* Find a domain by the given name. */ |
| 618 | struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); | 661 | struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); |
| 619 | /* Find or create a domain by the given name. */ | 662 | /* Find or create a domain by the given name. */ |
| @@ -623,6 +666,7 @@ struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * | |||
| 623 | 666 | ||
| 624 | /* Allocate memory for "struct tomoyo_path_group". */ | 667 | /* Allocate memory for "struct tomoyo_path_group". */ |
| 625 | struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name); | 668 | struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name); |
| 669 | struct tomoyo_number_group *tomoyo_get_number_group(const char *group_name); | ||
| 626 | 670 | ||
| 627 | /* Check mode for specified functionality. */ | 671 | /* Check mode for specified functionality. */ |
| 628 | unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, | 672 | unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, |
| @@ -632,6 +676,8 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr); | |||
| 632 | /* Run policy loader when /sbin/init starts. */ | 676 | /* Run policy loader when /sbin/init starts. */ |
| 633 | void tomoyo_load_policy(const char *filename); | 677 | void tomoyo_load_policy(const char *filename); |
| 634 | 678 | ||
| 679 | void tomoyo_put_number_union(struct tomoyo_number_union *ptr); | ||
| 680 | |||
| 635 | /* Convert binary string to ascii string. */ | 681 | /* Convert binary string to ascii string. */ |
| 636 | int tomoyo_encode(char *buffer, int buflen, const char *str); | 682 | int tomoyo_encode(char *buffer, int buflen, const char *str); |
| 637 | 683 | ||
| @@ -697,6 +743,7 @@ extern struct srcu_struct tomoyo_ss; | |||
| 697 | extern struct list_head tomoyo_domain_list; | 743 | extern struct list_head tomoyo_domain_list; |
| 698 | 744 | ||
| 699 | extern struct list_head tomoyo_path_group_list; | 745 | extern struct list_head tomoyo_path_group_list; |
| 746 | extern struct list_head tomoyo_number_group_list; | ||
| 700 | extern struct list_head tomoyo_domain_initializer_list; | 747 | extern struct list_head tomoyo_domain_initializer_list; |
| 701 | extern struct list_head tomoyo_domain_keeper_list; | 748 | extern struct list_head tomoyo_domain_keeper_list; |
| 702 | extern struct list_head tomoyo_alias_list; | 749 | extern struct list_head tomoyo_alias_list; |
| @@ -773,6 +820,12 @@ static inline void tomoyo_put_path_group(struct tomoyo_path_group *group) | |||
| 773 | atomic_dec(&group->users); | 820 | atomic_dec(&group->users); |
| 774 | } | 821 | } |
| 775 | 822 | ||
| 823 | static inline void tomoyo_put_number_group(struct tomoyo_number_group *group) | ||
| 824 | { | ||
| 825 | if (group) | ||
| 826 | atomic_dec(&group->users); | ||
| 827 | } | ||
| 828 | |||
| 776 | static inline struct tomoyo_domain_info *tomoyo_domain(void) | 829 | static inline struct tomoyo_domain_info *tomoyo_domain(void) |
| 777 | { | 830 | { |
| 778 | return current_cred()->security; | 831 | return current_cred()->security; |
| @@ -797,6 +850,14 @@ static inline bool tomoyo_is_same_name_union | |||
| 797 | p1->is_group == p2->is_group; | 850 | p1->is_group == p2->is_group; |
| 798 | } | 851 | } |
| 799 | 852 | ||
| 853 | static inline bool tomoyo_is_same_number_union | ||
| 854 | (const struct tomoyo_number_union *p1, const struct tomoyo_number_union *p2) | ||
| 855 | { | ||
| 856 | return p1->values[0] == p2->values[0] && p1->values[1] == p2->values[1] | ||
| 857 | && p1->group == p2->group && p1->min_type == p2->min_type && | ||
| 858 | p1->max_type == p2->max_type && p1->is_group == p2->is_group; | ||
| 859 | } | ||
| 860 | |||
| 800 | static inline bool tomoyo_is_same_path_acl(const struct tomoyo_path_acl *p1, | 861 | static inline bool tomoyo_is_same_path_acl(const struct tomoyo_path_acl *p1, |
| 801 | const struct tomoyo_path_acl *p2) | 862 | const struct tomoyo_path_acl *p2) |
| 802 | { | 863 | { |