diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-06-26 10:20:23 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-06-28 19:31:21 -0400 |
commit | 5625f2e3266319fd29fe4f1c76ccd3f550c79ac4 (patch) | |
tree | 190e96d956213b22da705872094ebdf5272af972 /security/tomoyo/file.c | |
parent | bd03a3e4c9a9df0c6b007045fa7fc8889111a478 (diff) |
TOMOYO: Change pathname for non-rename()able filesystems.
TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if $PID matches current
thread's process ID in order to prevent current thread from accessing other
process's information unless needed.
But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ /p/
/tmp/foo/100/p/ ), TOMOYO cannot tell that whether the numeric part in the
string returned by __d_path() represents process ID or not.
Therefore, to be able to convert from $PID to self no matter where procfs is
mounted, this patch changes pathname representations for filesystems which do
not support rename() operation (e.g. proc, sysfs, securityfs).
Examples:
/proc/self/mounts => proc:/self/mounts
/sys/kernel/security/ => sys:/kernel/security/
/dev/pts/0 => devpts:/0
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/file.c')
-rw-r--r-- | security/tomoyo/file.c | 12 |
1 files changed, 3 insertions, 9 deletions
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 323ddc73a125..8410f28a35e0 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c | |||
@@ -712,7 +712,7 @@ int tomoyo_path_number_perm(const u8 type, struct path *path, | |||
712 | int idx; | 712 | int idx; |
713 | 713 | ||
714 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pn2mac[type]) | 714 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pn2mac[type]) |
715 | == TOMOYO_CONFIG_DISABLED || !path->mnt || !path->dentry) | 715 | == TOMOYO_CONFIG_DISABLED || !path->dentry) |
716 | return 0; | 716 | return 0; |
717 | idx = tomoyo_read_lock(); | 717 | idx = tomoyo_read_lock(); |
718 | if (!tomoyo_get_realpath(&buf, path)) | 718 | if (!tomoyo_get_realpath(&buf, path)) |
@@ -753,8 +753,6 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
753 | struct tomoyo_request_info r; | 753 | struct tomoyo_request_info r; |
754 | int idx; | 754 | int idx; |
755 | 755 | ||
756 | if (!path->mnt) | ||
757 | return 0; | ||
758 | buf.name = NULL; | 756 | buf.name = NULL; |
759 | r.mode = TOMOYO_CONFIG_DISABLED; | 757 | r.mode = TOMOYO_CONFIG_DISABLED; |
760 | idx = tomoyo_read_lock(); | 758 | idx = tomoyo_read_lock(); |
@@ -798,8 +796,6 @@ int tomoyo_path_perm(const u8 operation, struct path *path) | |||
798 | bool is_enforce; | 796 | bool is_enforce; |
799 | int idx; | 797 | int idx; |
800 | 798 | ||
801 | if (!path->mnt) | ||
802 | return 0; | ||
803 | if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) | 799 | if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) |
804 | == TOMOYO_CONFIG_DISABLED) | 800 | == TOMOYO_CONFIG_DISABLED) |
805 | return 0; | 801 | return 0; |
@@ -842,8 +838,7 @@ int tomoyo_mkdev_perm(const u8 operation, struct path *path, | |||
842 | struct tomoyo_path_info buf; | 838 | struct tomoyo_path_info buf; |
843 | int idx; | 839 | int idx; |
844 | 840 | ||
845 | if (!path->mnt || | 841 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pnnn2mac[operation]) |
846 | tomoyo_init_request_info(&r, NULL, tomoyo_pnnn2mac[operation]) | ||
847 | == TOMOYO_CONFIG_DISABLED) | 842 | == TOMOYO_CONFIG_DISABLED) |
848 | return 0; | 843 | return 0; |
849 | idx = tomoyo_read_lock(); | 844 | idx = tomoyo_read_lock(); |
@@ -884,8 +879,7 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1, | |||
884 | struct tomoyo_request_info r; | 879 | struct tomoyo_request_info r; |
885 | int idx; | 880 | int idx; |
886 | 881 | ||
887 | if (!path1->mnt || !path2->mnt || | 882 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) |
888 | tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) | ||
889 | == TOMOYO_CONFIG_DISABLED) | 883 | == TOMOYO_CONFIG_DISABLED) |
890 | return 0; | 884 | return 0; |
891 | buf1.name = NULL; | 885 | buf1.name = NULL; |