diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-09-10 02:24:56 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-09-13 18:27:06 -0400 |
| commit | 1f067a682a9bd252107ac6f6946b7332fde42344 (patch) | |
| tree | 379bbbf02f0a802453e585a2a482192409308fbb /security/tomoyo/condition.c | |
| parent | 059d84dbb3897d4ee494a9c842c5dda54316cb47 (diff) | |
TOMOYO: Allow controlling generation of access granted logs for per an entry basis.
Add per-entry flag which controls generation of grant logs because Xen and KVM
issues ioctl requests so frequently. For example,
file ioctl /dev/null 0x5401 grant_log=no
will suppress /sys/kernel/security/tomoyo/audit even if preference says
grant_log=yes .
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/condition.c')
| -rw-r--r-- | security/tomoyo/condition.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/security/tomoyo/condition.c b/security/tomoyo/condition.c index 8a05f71eaf67..3a05eb3e2a64 100644 --- a/security/tomoyo/condition.c +++ b/security/tomoyo/condition.c | |||
| @@ -348,6 +348,7 @@ static inline bool tomoyo_same_condition(const struct tomoyo_condition *a, | |||
| 348 | a->numbers_count == b->numbers_count && | 348 | a->numbers_count == b->numbers_count && |
| 349 | a->names_count == b->names_count && | 349 | a->names_count == b->names_count && |
| 350 | a->argc == b->argc && a->envc == b->envc && | 350 | a->argc == b->argc && a->envc == b->envc && |
| 351 | a->grant_log == b->grant_log && | ||
| 351 | !memcmp(a + 1, b + 1, a->size - sizeof(*a)); | 352 | !memcmp(a + 1, b + 1, a->size - sizeof(*a)); |
| 352 | } | 353 | } |
| 353 | 354 | ||
| @@ -486,6 +487,20 @@ rerun: | |||
| 486 | goto out; | 487 | goto out; |
| 487 | dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word, | 488 | dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word, |
| 488 | is_not ? "!" : "", right_word); | 489 | is_not ? "!" : "", right_word); |
| 490 | if (!strcmp(left_word, "grant_log")) { | ||
| 491 | if (entry) { | ||
| 492 | if (is_not || | ||
| 493 | entry->grant_log != TOMOYO_GRANTLOG_AUTO) | ||
| 494 | goto out; | ||
| 495 | else if (!strcmp(right_word, "yes")) | ||
| 496 | entry->grant_log = TOMOYO_GRANTLOG_YES; | ||
| 497 | else if (!strcmp(right_word, "no")) | ||
| 498 | entry->grant_log = TOMOYO_GRANTLOG_NO; | ||
| 499 | else | ||
| 500 | goto out; | ||
| 501 | } | ||
| 502 | continue; | ||
| 503 | } | ||
| 489 | if (!strncmp(left_word, "exec.argv[", 10)) { | 504 | if (!strncmp(left_word, "exec.argv[", 10)) { |
| 490 | if (!argv) { | 505 | if (!argv) { |
| 491 | e.argc++; | 506 | e.argc++; |