TOMOYO: Add policy namespace support.

Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments, for TOMOYO cannot distinguish between environments outside the container and environments inside the container since LXC environments are created using pivot_root(). To address this problem, this patch introduces policy namespace. Each policy namespace has its own set of domain policy, exception policy and profiles, which are all independent of other namespaces. This independency allows users to develop policy without worrying interference among namespaces. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2011-06-26 10:19:52 -0400
committer: James Morris <jmorris@namei.org> 2011-06-28 19:31:21 -0400
commit: bd03a3e4c9a9df0c6b007045fa7fc8889111a478 (patch)
tree: 9d78290c878e6466fe3e0bda7ee5989c0dc39e40 /security/tomoyo/memory.c
parent: 32997144fd9925fc4d506a16990a0c405f766526 (diff)
1 files changed, 8 insertions, 13 deletions
diff --git a/security/tomoyo/memory.c b/security/tomoyo/memory.c
index 7a0493943d6d..39d012823f84 100644
--- a/security/tomoyo/memory.c
+++ b/security/tomoyo/memory.c
@@ -118,7 +118,7 @@ struct tomoyo_group *tomoyo_get_group(struct tomoyo_acl_param *param,
                return NULL;
        if (mutex_lock_interruptible(&tomoyo_policy_lock))
                goto out;
-        list = &tomoyo_group_list[idx];
+        list = &param->ns->group_list[idx];
        list_for_each_entry(group, list, head.list) {
                if (e.group_name != group->group_name)
                        continue;
@@ -199,27 +199,23 @@ const struct tomoyo_path_info *tomoyo_get_name(const char *name)
        return ptr ? &ptr->entry : NULL;
 }
+/* Initial namespace.*/
+struct tomoyo_policy_namespace tomoyo_kernel_namespace;
 /**
 * tomoyo_mm_init - Initialize mm related code.
 */
 void __init tomoyo_mm_init(void)
 {
        int idx;
-        for (idx = 0; idx < TOMOYO_MAX_POLICY; idx++)
-                INIT_LIST_HEAD(&tomoyo_policy_list[idx]);
-        for (idx = 0; idx < TOMOYO_MAX_GROUP; idx++)
-                INIT_LIST_HEAD(&tomoyo_group_list[idx]);
        for (idx = 0; idx < TOMOYO_MAX_HASH; idx++)
                INIT_LIST_HEAD(&tomoyo_name_list[idx]);
+        tomoyo_kernel_namespace.name = "<kernel>";
+        tomoyo_init_policy_namespace(&tomoyo_kernel_namespace);
+        tomoyo_kernel_domain.ns = &tomoyo_kernel_namespace;
        INIT_LIST_HEAD(&tomoyo_kernel_domain.acl_info_list);
-        for (idx = 0; idx < TOMOYO_MAX_ACL_GROUPS; idx++)
+        tomoyo_kernel_domain.domainname = tomoyo_get_name("<kernel>");
-                INIT_LIST_HEAD(&tomoyo_acl_group[idx]);
-        tomoyo_kernel_domain.domainname = tomoyo_get_name(TOMOYO_ROOT_NAME);
        list_add_tail_rcu(&tomoyo_kernel_domain.list, &tomoyo_domain_list);
-        idx = tomoyo_read_lock();
-        if (tomoyo_find_domain(TOMOYO_ROOT_NAME) != &tomoyo_kernel_domain)
-                panic("Can't register tomoyo_kernel_domain");
 #if 0
        /* Will be replaced with tomoyo_load_builtin_policy(). */
        {
@@ -230,7 +226,6 @@ void __init tomoyo_mm_init(void)
                                        TOMOYO_TRANSITION_CONTROL_INITIALIZE);
        }
 #endif
-        tomoyo_read_unlock(idx);
 }
author	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>	2011-06-26 10:19:52 -0400
committer	James Morris <jmorris@namei.org>	2011-06-28 19:31:21 -0400
commit	bd03a3e4c9a9df0c6b007045fa7fc8889111a478 (patch)
tree	9d78290c878e6466fe3e0bda7ee5989c0dc39e40 /security/tomoyo/memory.c
parent	32997144fd9925fc4d506a16990a0c405f766526 (diff)