diff options
| author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-06-26 10:15:31 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-06-28 19:31:19 -0400 |
| commit | 7c75964f432d14062d8eccfc916aa290f56b5aab (patch) | |
| tree | 8aecdb96f9f079dd36735c3acccb79f3d10d6559 /security/tomoyo/util.c | |
| parent | 1252cc3b232e582e887623dc5f70979418caaaa2 (diff) | |
TOMOYO: Cleanup part 1.
In order to synchronize with TOMOYO 1.8's syntax,
(1) Remove special handling for allow_read/write permission.
(2) Replace deny_rewrite/allow_rewrite permission with allow_append permission.
(3) Remove file_pattern keyword.
(4) Remove allow_read permission from exception policy.
(5) Allow creating domains in enforcing mode without calling supervisor.
(6) Add permission check for opening directory for reading.
(7) Add permission check for stat() operation.
(8) Make "cat < /sys/kernel/security/tomoyo/self_domain" behave as if
"cat /sys/kernel/security/tomoyo/self_domain".
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/util.c')
| -rw-r--r-- | security/tomoyo/util.c | 23 |
1 files changed, 6 insertions, 17 deletions
diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c index 6d5393204d95..7fb9bbf7021a 100644 --- a/security/tomoyo/util.c +++ b/security/tomoyo/util.c | |||
| @@ -911,44 +911,33 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r) | |||
| 911 | if (!domain) | 911 | if (!domain) |
| 912 | return true; | 912 | return true; |
| 913 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { | 913 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { |
| 914 | u16 perm; | ||
| 915 | u8 i; | ||
| 914 | if (ptr->is_deleted) | 916 | if (ptr->is_deleted) |
| 915 | continue; | 917 | continue; |
| 916 | switch (ptr->type) { | 918 | switch (ptr->type) { |
| 917 | u16 perm; | ||
| 918 | u8 i; | ||
| 919 | case TOMOYO_TYPE_PATH_ACL: | 919 | case TOMOYO_TYPE_PATH_ACL: |
| 920 | perm = container_of(ptr, struct tomoyo_path_acl, head) | 920 | perm = container_of(ptr, struct tomoyo_path_acl, head) |
| 921 | ->perm; | 921 | ->perm; |
| 922 | for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++) | ||
| 923 | if (perm & (1 << i)) | ||
| 924 | count++; | ||
| 925 | if (perm & (1 << TOMOYO_TYPE_READ_WRITE)) | ||
| 926 | count -= 2; | ||
| 927 | break; | 922 | break; |
| 928 | case TOMOYO_TYPE_PATH2_ACL: | 923 | case TOMOYO_TYPE_PATH2_ACL: |
| 929 | perm = container_of(ptr, struct tomoyo_path2_acl, head) | 924 | perm = container_of(ptr, struct tomoyo_path2_acl, head) |
| 930 | ->perm; | 925 | ->perm; |
| 931 | for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++) | ||
| 932 | if (perm & (1 << i)) | ||
| 933 | count++; | ||
| 934 | break; | 926 | break; |
| 935 | case TOMOYO_TYPE_PATH_NUMBER_ACL: | 927 | case TOMOYO_TYPE_PATH_NUMBER_ACL: |
| 936 | perm = container_of(ptr, struct tomoyo_path_number_acl, | 928 | perm = container_of(ptr, struct tomoyo_path_number_acl, |
| 937 | head)->perm; | 929 | head)->perm; |
| 938 | for (i = 0; i < TOMOYO_MAX_PATH_NUMBER_OPERATION; i++) | ||
| 939 | if (perm & (1 << i)) | ||
| 940 | count++; | ||
| 941 | break; | 930 | break; |
| 942 | case TOMOYO_TYPE_MKDEV_ACL: | 931 | case TOMOYO_TYPE_MKDEV_ACL: |
| 943 | perm = container_of(ptr, struct tomoyo_mkdev_acl, | 932 | perm = container_of(ptr, struct tomoyo_mkdev_acl, |
| 944 | head)->perm; | 933 | head)->perm; |
| 945 | for (i = 0; i < TOMOYO_MAX_MKDEV_OPERATION; i++) | ||
| 946 | if (perm & (1 << i)) | ||
| 947 | count++; | ||
| 948 | break; | 934 | break; |
| 949 | default: | 935 | default: |
| 950 | count++; | 936 | perm = 1; |
| 951 | } | 937 | } |
| 938 | for (i = 0; i < 16; i++) | ||
| 939 | if (perm & (1 << i)) | ||
| 940 | count++; | ||
| 952 | } | 941 | } |
| 953 | if (count < tomoyo_profile(domain->profile)->learning-> | 942 | if (count < tomoyo_profile(domain->profile)->learning-> |
| 954 | learning_max_entry) | 943 | learning_max_entry) |