TOMOYO: Add interactive enforcing mode.

Since the behavior of the system is restricted by policy, we may need to update
policy when you update packages.

We need to update policy in the following cases.

    * The pathname of files has changed.
    * The dependency of files has changed.
    * The access permissions required has increased.

The ideal way to update policy is to rebuild from the scratch using learning
mode. But it is not desirable to change from enforcing mode to other mode if
the system has once entered in production state. Suppose MAC could support
per-application enforcing mode, the MAC becomes useless if an application that
is not running in enforcing mode was cracked. For example, the whole system
becomes vulnerable if only HTTP server application is running in learning mode
to rebuild policy for the application. So, in TOMOYO Linux, updating policy is
done while the system is running in enforcing mode.

This patch implements "interactive enforcing mode" which allows administrators
to judge whether to accept policy violation in enforcing mode or not.
A demo movie is available at http://www.youtube.com/watch?v=b9q1Jo25LPA .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 17 insertions, 2 deletions

diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
index d1b96f019621..3ceb1724c92d 100644
--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -333,6 +333,9 @@ void __init tomoyo_realpath_init(void)
                 panic("Can't register tomoyo_kernel_domain");
 }
 
+unsigned int tomoyo_quota_for_query;
+unsigned int tomoyo_query_memory_size;
+
 /**
  * tomoyo_read_memory_counter - Check for memory usage in bytes.
  *
@@ -345,6 +348,7 @@ int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head)
         if (!head->read_eof) {
                 const unsigned int policy
                         = atomic_read(&tomoyo_policy_memory_size);
+                const unsigned int query = tomoyo_query_memory_size;
                 char buffer[64];
 
                 memset(buffer, 0, sizeof(buffer));
@@ -354,8 +358,17 @@ int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head)
                                  tomoyo_quota_for_policy);
                 else
                         buffer[0] = '\0';
-                tomoyo_io_printf(head, "Policy:  %10u%s\n", policy, buffer);
-                tomoyo_io_printf(head, "Total:   %10u\n", policy);
+                tomoyo_io_printf(head, "Policy:       %10u%s\n", policy,
+                                 buffer);
+                if (tomoyo_quota_for_query)
+                        snprintf(buffer, sizeof(buffer) - 1,
+                                 "   (Quota: %10u)",
+                                 tomoyo_quota_for_query);
+                else
+                        buffer[0] = '\0';
+                tomoyo_io_printf(head, "Query lists:  %10u%s\n", query,
+                                 buffer);
+                tomoyo_io_printf(head, "Total:        %10u\n", policy + query);
                 head->read_eof = true;
         }
         return 0;
@@ -375,5 +388,7 @@ int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head)
 
         if (sscanf(data, "Policy: %u", &size) == 1)
                 tomoyo_quota_for_policy = size;
+        else if (sscanf(data, "Query lists: %u", &size) == 1)
+                tomoyo_quota_for_query = size;
         return 0;
 }