author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-10-25 03:45:31 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-10-25 03:45:31 -0400 |
commit | 36b8d186e6cc8e32cb5227f5645a58e1bc0af190 (patch) | |
tree | 1000ad26e189e6ff2c53fb7eeff605f59c7ad94e /security/tomoyo/util.c | |
parent | cd85b557414fe4cd44ea6608825e96612a5fe2b2 (diff) | |
parent | c45ed235abf1b0b6666417e3c394f18717976acd (diff) |
Merge branch 'next' of git://selinuxproject.org/~jmorris/linux-security
* 'next' of git://selinuxproject.org/~jmorris/linux-security: (95 commits)
TOMOYO: Fix incomplete read after seek.
Smack: allow to access /smack/access as normal user
TOMOYO: Fix unused kernel config option.
Smack: fix: invalid length set for the result of /smack/access
Smack: compilation fix
Smack: fix for /smack/access output, use string instead of byte
Smack: domain transition protections (v3)
Smack: Provide information for UDS getsockopt(SO_PEERCRED)
Smack: Clean up comments
Smack: Repair processing of fcntl
Smack: Rule list lookup performance
Smack: check permissions from user space (v2)
TOMOYO: Fix quota and garbage collector.
TOMOYO: Remove redundant tasklist_lock.
TOMOYO: Fix domain transition failure warning.
TOMOYO: Remove tomoyo_policy_memory_lock spinlock.
TOMOYO: Simplify garbage collector.
TOMOYO: Fix make namespacecheck warnings.
target: check hex2bin result
encrypted-keys: check hex2bin result
...
Diffstat (limited to 'security/tomoyo/util.c')
-rw-r--r-- | security/tomoyo/util.c | 80 |
1 files changed, 76 insertions, 4 deletions
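diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c
index c36bd1107fc8..4a9b4b2eb755 100644
--- a/security/tomoyo/util.c
+++ b/security/tomoyo/util.c
@@ -42,6 +42,39 @@ const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX] = {
 	[TOMOYO_MAC_FILE_MOUNT] = TOMOYO_MAC_CATEGORY_FILE,
 	[TOMOYO_MAC_FILE_UMOUNT] = TOMOYO_MAC_CATEGORY_FILE,
 	[TOMOYO_MAC_FILE_PIVOT_ROOT] = TOMOYO_MAC_CATEGORY_FILE,
+	/* CONFIG::network group */
+	[TOMOYO_MAC_NETWORK_INET_STREAM_BIND] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_INET_DGRAM_BIND] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_INET_DGRAM_SEND] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_INET_RAW_BIND] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_INET_RAW_SEND] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	[TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] =
+	TOMOYO_MAC_CATEGORY_NETWORK,
+	/* CONFIG::misc group */
+	[TOMOYO_MAC_ENVIRON] = TOMOYO_MAC_CATEGORY_MISC,
 };
 
 /**
@@ -126,6 +159,31 @@ char *tomoyo_read_token(struct tomoyo_acl_param *param)
 }
 
 /**
+ * tomoyo_get_domainname - Read a domainname from a line.
+ *
+ * @param: Pointer to "struct tomoyo_acl_param".
+ *
+ * Returns a domainname on success, NULL otherwise.
+ */
+const struct tomoyo_path_info *tomoyo_get_domainname
+(struct tomoyo_acl_param *param)
+{
+	char *start = param->data;
+	char *pos = start;
+	while (*pos) {
+		if (*pos++ != ' ' || *pos++ == '/')
+			continue;
+		pos -= 2;
+		*pos++ = '\0';
+		break;
+	}
+	param->data = pos;
+	if (tomoyo_correct_domain(start))
+		return tomoyo_get_name(start);
+	return NULL;
+}
+
+/**
  * tomoyo_parse_ulong - Parse an "unsigned long" value.
  *
  * @result: Pointer to "unsigned long".
@@ -920,14 +978,17 @@ int tomoyo_get_mode(const struct tomoyo_policy_namespace *ns, const u8 profile,
 			  const u8 index)
 {
 	u8 mode;
-	const u8 category = TOMOYO_MAC_CATEGORY_FILE;
+	struct tomoyo_profile *p;
+
 	if (!tomoyo_policy_loaded)
 		return TOMOYO_CONFIG_DISABLED;
-	mode = tomoyo_profile(ns, profile)->config[index];
+	p = tomoyo_profile(ns, profile);
+	mode = p->config[index];
 	if (mode == TOMOYO_CONFIG_USE_DEFAULT)
-		mode = tomoyo_profile(ns, profile)->config[category];
+		mode = p->config[tomoyo_index2category[index]
+				 + TOMOYO_MAX_MAC_INDEX];
 	if (mode == TOMOYO_CONFIG_USE_DEFAULT)
-		mode = tomoyo_profile(ns, profile)->default_config;
+		mode = p->default_config;
 	return mode & 3;
 }
 
@@ -996,6 +1057,17 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
 			perm = container_of(ptr, struct tomoyo_mkdev_acl,
 					    head)->perm;
 			break;
+		case TOMOYO_TYPE_INET_ACL:
+			perm = container_of(ptr, struct tomoyo_inet_acl,
+					    head)->perm;
+			break;
+		case TOMOYO_TYPE_UNIX_ACL:
+			perm = container_of(ptr, struct tomoyo_unix_acl,
+					    head)->perm;
+			break;
+		case TOMOYO_TYPE_MANUAL_TASK_ACL:
+			perm = 0;
+			break;
 		default:
 			perm = 1;
 		}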
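Review bot: In the new tomoyo_get_domainname (second hunk), param->data is advanced and the terminating ' ' is overwritten with '\0' before tomoyo_correct_domain() is consulted, so on the NULL return the caller has already lost the original token and cannot re-parse or report it; if that is intended, the kernel-doc should say so, e.g. `* On failure param->data has still been advanced past the rejected token.` The condition `if (*pos++ != ' ' || *pos++ == '/')` depends on short-circuit evaluation to advance by one or two bytes and is easy to misread; a comment such as `/* A domainname ends at the first ' ' that is not followed by '/'. */` would make the termination rule explicit. When a ' ' is the last byte, the second dereference reads the NUL terminator and `pos -= 2` returns to the space, so there is no over-read, but the in-place write to the caller's buffer is worth stating in the @param description. The same in-place-mutation contract presumably applies to tomoyo_read_token above this hunk, but its body is outside the view.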