diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2010-06-20 20:58:53 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-08-02 01:34:42 -0400 |
| commit | 0617c7ff34dc9b1d641640c3953274bb2dbe21a6 (patch) | |
| tree | 6be51af32ad65380aff9b7fa385f65ef15b3d53b /security/tomoyo/domain.c | |
| parent | 7c2ea22e3c5463627ca98924cd65cb9e480dc29c (diff) | |
TOMOYO: Remove alias keyword.
Some programs behave differently depending on argv[0] passed to execve().
TOMOYO has "alias" keyword in order to allow administrators to define different
domains if requested pathname passed to execve() is a symlink. But "alias"
keyword is incomplete because this keyword assumes that requested pathname and
argv[0] are identical. Thus, remove "alias" keyword (by this patch) and add
syntax for checking argv[0] (by future patches).
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/domain.c')
| -rw-r--r-- | security/tomoyo/domain.c | 100 |
1 files changed, 3 insertions, 97 deletions
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 038071a8a3d3..273e670acf0c 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c | |||
| @@ -467,72 +467,6 @@ int tomoyo_write_aggregator_policy(char *data, const bool is_delete) | |||
| 467 | return tomoyo_update_aggregator_entry(data, cp, is_delete); | 467 | return tomoyo_update_aggregator_entry(data, cp, is_delete); |
| 468 | } | 468 | } |
| 469 | 469 | ||
| 470 | static bool tomoyo_same_alias_entry(const struct tomoyo_acl_head *a, | ||
| 471 | const struct tomoyo_acl_head *b) | ||
| 472 | { | ||
| 473 | const struct tomoyo_alias_entry *p1 = container_of(a, typeof(*p1), | ||
| 474 | head); | ||
| 475 | const struct tomoyo_alias_entry *p2 = container_of(b, typeof(*p2), | ||
| 476 | head); | ||
| 477 | return p1->original_name == p2->original_name && | ||
| 478 | p1->aliased_name == p2->aliased_name; | ||
| 479 | } | ||
| 480 | |||
| 481 | /** | ||
| 482 | * tomoyo_update_alias_entry - Update "struct tomoyo_alias_entry" list. | ||
| 483 | * | ||
| 484 | * @original_name: The original program's real name. | ||
| 485 | * @aliased_name: The symbolic program's symbolic link's name. | ||
| 486 | * @is_delete: True if it is a delete request. | ||
| 487 | * | ||
| 488 | * Returns 0 on success, negative value otherwise. | ||
| 489 | * | ||
| 490 | * Caller holds tomoyo_read_lock(). | ||
| 491 | */ | ||
| 492 | static int tomoyo_update_alias_entry(const char *original_name, | ||
| 493 | const char *aliased_name, | ||
| 494 | const bool is_delete) | ||
| 495 | { | ||
| 496 | struct tomoyo_alias_entry e = { }; | ||
| 497 | int error = is_delete ? -ENOENT : -ENOMEM; | ||
| 498 | |||
| 499 | if (!tomoyo_correct_path(original_name) || | ||
| 500 | !tomoyo_correct_path(aliased_name)) | ||
| 501 | return -EINVAL; | ||
| 502 | e.original_name = tomoyo_get_name(original_name); | ||
| 503 | e.aliased_name = tomoyo_get_name(aliased_name); | ||
| 504 | if (!e.original_name || !e.aliased_name || | ||
| 505 | e.original_name->is_patterned || e.aliased_name->is_patterned) | ||
| 506 | goto out; /* No patterns allowed. */ | ||
| 507 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, | ||
| 508 | &tomoyo_policy_list[TOMOYO_ID_ALIAS], | ||
| 509 | tomoyo_same_alias_entry); | ||
| 510 | out: | ||
| 511 | tomoyo_put_name(e.original_name); | ||
| 512 | tomoyo_put_name(e.aliased_name); | ||
| 513 | return error; | ||
| 514 | } | ||
| 515 | |||
| 516 | /** | ||
| 517 | * tomoyo_write_alias_policy - Write "struct tomoyo_alias_entry" list. | ||
| 518 | * | ||
| 519 | * @data: String to parse. | ||
| 520 | * @is_delete: True if it is a delete request. | ||
| 521 | * | ||
| 522 | * Returns 0 on success, negative value otherwise. | ||
| 523 | * | ||
| 524 | * Caller holds tomoyo_read_lock(). | ||
| 525 | */ | ||
| 526 | int tomoyo_write_alias_policy(char *data, const bool is_delete) | ||
| 527 | { | ||
| 528 | char *cp = strchr(data, ' '); | ||
| 529 | |||
| 530 | if (!cp) | ||
| 531 | return -EINVAL; | ||
| 532 | *cp++ = '\0'; | ||
| 533 | return tomoyo_update_alias_entry(data, cp, is_delete); | ||
| 534 | } | ||
| 535 | |||
| 536 | /** | 470 | /** |
| 537 | * tomoyo_find_or_assign_new_domain - Create a domain. | 471 | * tomoyo_find_or_assign_new_domain - Create a domain. |
| 538 | * | 472 | * |
| @@ -606,7 +540,6 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) | |||
| 606 | int retval = -ENOMEM; | 540 | int retval = -ENOMEM; |
| 607 | bool need_kfree = false; | 541 | bool need_kfree = false; |
| 608 | struct tomoyo_path_info rn = { }; /* real name */ | 542 | struct tomoyo_path_info rn = { }; /* real name */ |
| 609 | struct tomoyo_path_info sn = { }; /* symlink name */ | ||
| 610 | struct tomoyo_path_info ln; /* last name */ | 543 | struct tomoyo_path_info ln; /* last name */ |
| 611 | 544 | ||
| 612 | ln.name = tomoyo_get_last_name(old_domain); | 545 | ln.name = tomoyo_get_last_name(old_domain); |
| @@ -621,39 +554,14 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) | |||
| 621 | kfree(rn.name); | 554 | kfree(rn.name); |
| 622 | need_kfree = false; | 555 | need_kfree = false; |
| 623 | } | 556 | } |
| 624 | /* Get tomoyo_realpath of program. */ | 557 | /* Get symlink's pathname of program. */ |
| 625 | retval = -ENOENT; | 558 | retval = -ENOENT; |
| 626 | rn.name = tomoyo_realpath(original_name); | 559 | rn.name = tomoyo_realpath_nofollow(original_name); |
| 627 | if (!rn.name) | 560 | if (!rn.name) |
| 628 | goto out; | 561 | goto out; |
| 629 | tomoyo_fill_path_info(&rn); | 562 | tomoyo_fill_path_info(&rn); |
| 630 | need_kfree = true; | 563 | need_kfree = true; |
| 631 | 564 | ||
| 632 | /* Get tomoyo_realpath of symbolic link. */ | ||
| 633 | sn.name = tomoyo_realpath_nofollow(original_name); | ||
| 634 | if (!sn.name) | ||
| 635 | goto out; | ||
| 636 | tomoyo_fill_path_info(&sn); | ||
| 637 | |||
| 638 | /* Check 'alias' directive. */ | ||
| 639 | if (tomoyo_pathcmp(&rn, &sn)) { | ||
| 640 | struct tomoyo_alias_entry *ptr; | ||
| 641 | /* Is this program allowed to be called via symbolic links? */ | ||
| 642 | list_for_each_entry_rcu(ptr, | ||
| 643 | &tomoyo_policy_list[TOMOYO_ID_ALIAS], | ||
| 644 | head.list) { | ||
| 645 | if (ptr->head.is_deleted || | ||
| 646 | tomoyo_pathcmp(&rn, ptr->original_name) || | ||
| 647 | tomoyo_pathcmp(&sn, ptr->aliased_name)) | ||
| 648 | continue; | ||
| 649 | kfree(rn.name); | ||
| 650 | need_kfree = false; | ||
| 651 | /* This is OK because it is read only. */ | ||
| 652 | rn = *ptr->aliased_name; | ||
| 653 | break; | ||
| 654 | } | ||
| 655 | } | ||
| 656 | |||
| 657 | /* Check 'aggregator' directive. */ | 565 | /* Check 'aggregator' directive. */ |
| 658 | { | 566 | { |
| 659 | struct tomoyo_aggregator_entry *ptr; | 567 | struct tomoyo_aggregator_entry *ptr; |
| @@ -663,8 +571,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) | |||
| 663 | !tomoyo_path_matches_pattern(&rn, | 571 | !tomoyo_path_matches_pattern(&rn, |
| 664 | ptr->original_name)) | 572 | ptr->original_name)) |
| 665 | continue; | 573 | continue; |
| 666 | if (need_kfree) | 574 | kfree(rn.name); |
| 667 | kfree(rn.name); | ||
| 668 | need_kfree = false; | 575 | need_kfree = false; |
| 669 | /* This is OK because it is read only. */ | 576 | /* This is OK because it is read only. */ |
| 670 | rn = *ptr->aggregated_name; | 577 | rn = *ptr->aggregated_name; |
| @@ -729,7 +636,6 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) | |||
| 729 | bprm->cred->security = domain; | 636 | bprm->cred->security = domain; |
| 730 | if (need_kfree) | 637 | if (need_kfree) |
| 731 | kfree(rn.name); | 638 | kfree(rn.name); |
| 732 | kfree(sn.name); | ||
| 733 | kfree(tmp); | 639 | kfree(tmp); |
| 734 | return retval; | 640 | return retval; |
| 735 | } | 641 | } |