diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-07-08 00:25:53 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-07-10 21:05:34 -0400 |
| commit | 97fb35e413f256ded07b88c73b3d932ec31ea84e (patch) | |
| tree | d16cb1dcb6d16938aa01c071fdcd1cbbf85b5153 /security/tomoyo/file.c | |
| parent | 5b636857fee642694e287e3a181b523b16098c93 (diff) | |
TOMOYO: Enable conditional ACL.
Enable conditional ACL by passing object's pointers.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/file.c')
| -rw-r--r-- | security/tomoyo/file.c | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 6ab9e4cdd61f..31a9a4ab7af9 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c | |||
| @@ -667,6 +667,9 @@ int tomoyo_path_number_perm(const u8 type, struct path *path, | |||
| 667 | unsigned long number) | 667 | unsigned long number) |
| 668 | { | 668 | { |
| 669 | struct tomoyo_request_info r; | 669 | struct tomoyo_request_info r; |
| 670 | struct tomoyo_obj_info obj = { | ||
| 671 | .path1 = *path, | ||
| 672 | }; | ||
| 670 | int error = -ENOMEM; | 673 | int error = -ENOMEM; |
| 671 | struct tomoyo_path_info buf; | 674 | struct tomoyo_path_info buf; |
| 672 | int idx; | 675 | int idx; |
| @@ -677,6 +680,7 @@ int tomoyo_path_number_perm(const u8 type, struct path *path, | |||
| 677 | idx = tomoyo_read_lock(); | 680 | idx = tomoyo_read_lock(); |
| 678 | if (!tomoyo_get_realpath(&buf, path)) | 681 | if (!tomoyo_get_realpath(&buf, path)) |
| 679 | goto out; | 682 | goto out; |
| 683 | r.obj = &obj; | ||
| 680 | if (type == TOMOYO_TYPE_MKDIR) | 684 | if (type == TOMOYO_TYPE_MKDIR) |
| 681 | tomoyo_add_slash(&buf); | 685 | tomoyo_add_slash(&buf); |
| 682 | r.param_type = TOMOYO_TYPE_PATH_NUMBER_ACL; | 686 | r.param_type = TOMOYO_TYPE_PATH_NUMBER_ACL; |
| @@ -711,6 +715,9 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
| 711 | int error = 0; | 715 | int error = 0; |
| 712 | struct tomoyo_path_info buf; | 716 | struct tomoyo_path_info buf; |
| 713 | struct tomoyo_request_info r; | 717 | struct tomoyo_request_info r; |
| 718 | struct tomoyo_obj_info obj = { | ||
| 719 | .path1 = *path, | ||
| 720 | }; | ||
| 714 | int idx; | 721 | int idx; |
| 715 | 722 | ||
| 716 | buf.name = NULL; | 723 | buf.name = NULL; |
| @@ -723,6 +730,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
| 723 | error = -ENOMEM; | 730 | error = -ENOMEM; |
| 724 | goto out; | 731 | goto out; |
| 725 | } | 732 | } |
| 733 | r.obj = &obj; | ||
| 726 | if (acc_mode & MAY_READ) | 734 | if (acc_mode & MAY_READ) |
| 727 | error = tomoyo_path_permission(&r, TOMOYO_TYPE_READ, | 735 | error = tomoyo_path_permission(&r, TOMOYO_TYPE_READ, |
| 728 | &buf); | 736 | &buf); |
| @@ -745,15 +753,21 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
| 745 | * | 753 | * |
| 746 | * @operation: Type of operation. | 754 | * @operation: Type of operation. |
| 747 | * @path: Pointer to "struct path". | 755 | * @path: Pointer to "struct path". |
| 756 | * @target: Symlink's target if @operation is TOMOYO_TYPE_SYMLINK, | ||
| 757 | * NULL otherwise. | ||
| 748 | * | 758 | * |
| 749 | * Returns 0 on success, negative value otherwise. | 759 | * Returns 0 on success, negative value otherwise. |
| 750 | */ | 760 | */ |
| 751 | int tomoyo_path_perm(const u8 operation, struct path *path) | 761 | int tomoyo_path_perm(const u8 operation, struct path *path, const char *target) |
| 752 | { | 762 | { |
| 753 | struct tomoyo_request_info r; | 763 | struct tomoyo_request_info r; |
| 764 | struct tomoyo_obj_info obj = { | ||
| 765 | .path1 = *path, | ||
| 766 | }; | ||
| 754 | int error; | 767 | int error; |
| 755 | struct tomoyo_path_info buf; | 768 | struct tomoyo_path_info buf; |
| 756 | bool is_enforce; | 769 | bool is_enforce; |
| 770 | struct tomoyo_path_info symlink_target; | ||
| 757 | int idx; | 771 | int idx; |
| 758 | 772 | ||
| 759 | if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) | 773 | if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) |
| @@ -765,13 +779,23 @@ int tomoyo_path_perm(const u8 operation, struct path *path) | |||
| 765 | idx = tomoyo_read_lock(); | 779 | idx = tomoyo_read_lock(); |
| 766 | if (!tomoyo_get_realpath(&buf, path)) | 780 | if (!tomoyo_get_realpath(&buf, path)) |
| 767 | goto out; | 781 | goto out; |
| 782 | r.obj = &obj; | ||
| 768 | switch (operation) { | 783 | switch (operation) { |
| 769 | case TOMOYO_TYPE_RMDIR: | 784 | case TOMOYO_TYPE_RMDIR: |
| 770 | case TOMOYO_TYPE_CHROOT: | 785 | case TOMOYO_TYPE_CHROOT: |
| 771 | tomoyo_add_slash(&buf); | 786 | tomoyo_add_slash(&buf); |
| 772 | break; | 787 | break; |
| 788 | case TOMOYO_TYPE_SYMLINK: | ||
| 789 | symlink_target.name = tomoyo_encode(target); | ||
| 790 | if (!symlink_target.name) | ||
| 791 | goto out; | ||
| 792 | tomoyo_fill_path_info(&symlink_target); | ||
| 793 | obj.symlink_target = &symlink_target; | ||
| 794 | break; | ||
| 773 | } | 795 | } |
| 774 | error = tomoyo_path_permission(&r, operation, &buf); | 796 | error = tomoyo_path_permission(&r, operation, &buf); |
| 797 | if (operation == TOMOYO_TYPE_SYMLINK) | ||
| 798 | kfree(symlink_target.name); | ||
| 775 | out: | 799 | out: |
| 776 | kfree(buf.name); | 800 | kfree(buf.name); |
| 777 | tomoyo_read_unlock(idx); | 801 | tomoyo_read_unlock(idx); |
| @@ -794,6 +818,9 @@ int tomoyo_mkdev_perm(const u8 operation, struct path *path, | |||
| 794 | const unsigned int mode, unsigned int dev) | 818 | const unsigned int mode, unsigned int dev) |
| 795 | { | 819 | { |
| 796 | struct tomoyo_request_info r; | 820 | struct tomoyo_request_info r; |
| 821 | struct tomoyo_obj_info obj = { | ||
| 822 | .path1 = *path, | ||
| 823 | }; | ||
| 797 | int error = -ENOMEM; | 824 | int error = -ENOMEM; |
| 798 | struct tomoyo_path_info buf; | 825 | struct tomoyo_path_info buf; |
| 799 | int idx; | 826 | int idx; |
| @@ -804,6 +831,7 @@ int tomoyo_mkdev_perm(const u8 operation, struct path *path, | |||
| 804 | idx = tomoyo_read_lock(); | 831 | idx = tomoyo_read_lock(); |
| 805 | error = -ENOMEM; | 832 | error = -ENOMEM; |
| 806 | if (tomoyo_get_realpath(&buf, path)) { | 833 | if (tomoyo_get_realpath(&buf, path)) { |
| 834 | r.obj = &obj; | ||
| 807 | dev = new_decode_dev(dev); | 835 | dev = new_decode_dev(dev); |
| 808 | r.param_type = TOMOYO_TYPE_MKDEV_ACL; | 836 | r.param_type = TOMOYO_TYPE_MKDEV_ACL; |
| 809 | r.param.mkdev.filename = &buf; | 837 | r.param.mkdev.filename = &buf; |
| @@ -837,6 +865,10 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1, | |||
| 837 | struct tomoyo_path_info buf1; | 865 | struct tomoyo_path_info buf1; |
| 838 | struct tomoyo_path_info buf2; | 866 | struct tomoyo_path_info buf2; |
| 839 | struct tomoyo_request_info r; | 867 | struct tomoyo_request_info r; |
| 868 | struct tomoyo_obj_info obj = { | ||
| 869 | .path1 = *path1, | ||
| 870 | .path2 = *path2, | ||
| 871 | }; | ||
| 840 | int idx; | 872 | int idx; |
| 841 | 873 | ||
| 842 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) | 874 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) |
| @@ -861,6 +893,7 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1, | |||
| 861 | tomoyo_add_slash(&buf2); | 893 | tomoyo_add_slash(&buf2); |
| 862 | break; | 894 | break; |
| 863 | } | 895 | } |
| 896 | r.obj = &obj; | ||
| 864 | r.param_type = TOMOYO_TYPE_PATH2_ACL; | 897 | r.param_type = TOMOYO_TYPE_PATH2_ACL; |
| 865 | r.param.path2.operation = operation; | 898 | r.param.path2.operation = operation; |
| 866 | r.param.path2.filename1 = &buf1; | 899 | r.param.path2.filename1 = &buf1; |