aboutsummaryrefslogtreecommitdiffstats
path: root/security/tomoyo
diff options
context:
space:
mode:
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2009-12-02 07:09:48 -0500
committerJames Morris <jmorris@namei.org>2009-12-07 22:58:05 -0500
commit937bf6133b21b16965f75223085f4314ae32b8eb (patch)
tree4a042bc9298ffddfaf4017a5796cae46e9594d2c /security/tomoyo
parent5d0901a3a0c39c97ca504f73d24030f63cfc9fa2 (diff)
TOMOYO: Add rest of file operation restrictions.
LSM hooks for chmod()/chown()/chroot() are now ready. This patch utilizes these hooks. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo')
-rw-r--r--security/tomoyo/common.c61
-rw-r--r--security/tomoyo/common.h12
-rw-r--r--security/tomoyo/file.c47
-rw-r--r--security/tomoyo/tomoyo.c61
-rw-r--r--security/tomoyo/tomoyo.h12
5 files changed, 132 insertions, 61 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index e0d0354008b7..6c6061682438 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -842,52 +842,27 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
842 if (ptr->type & TOMOYO_ACL_DELETED) 842 if (ptr->type & TOMOYO_ACL_DELETED)
843 continue; 843 continue;
844 switch (tomoyo_acl_type2(ptr)) { 844 switch (tomoyo_acl_type2(ptr)) {
845 struct tomoyo_single_path_acl_record *acl1; 845 struct tomoyo_single_path_acl_record *acl;
846 struct tomoyo_double_path_acl_record *acl2; 846 u32 perm;
847 u16 perm; 847 u8 i;
848 case TOMOYO_TYPE_SINGLE_PATH_ACL: 848 case TOMOYO_TYPE_SINGLE_PATH_ACL:
849 acl1 = container_of(ptr, 849 acl = container_of(ptr,
850 struct tomoyo_single_path_acl_record, 850 struct tomoyo_single_path_acl_record,
851 head); 851 head);
852 perm = acl1->perm; 852 perm = acl->perm | (((u32) acl->perm_high) << 16);
853 if (perm & (1 << TOMOYO_TYPE_EXECUTE_ACL)) 853 for (i = 0; i < TOMOYO_MAX_SINGLE_PATH_OPERATION; i++)
854 count++; 854 if (perm & (1 << i))
855 if (perm & 855 count++;
856 ((1 << TOMOYO_TYPE_READ_ACL) | 856 if (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
857 (1 << TOMOYO_TYPE_WRITE_ACL))) 857 count -= 2;
858 count++;
859 if (perm & (1 << TOMOYO_TYPE_CREATE_ACL))
860 count++;
861 if (perm & (1 << TOMOYO_TYPE_UNLINK_ACL))
862 count++;
863 if (perm & (1 << TOMOYO_TYPE_MKDIR_ACL))
864 count++;
865 if (perm & (1 << TOMOYO_TYPE_RMDIR_ACL))
866 count++;
867 if (perm & (1 << TOMOYO_TYPE_MKFIFO_ACL))
868 count++;
869 if (perm & (1 << TOMOYO_TYPE_MKSOCK_ACL))
870 count++;
871 if (perm & (1 << TOMOYO_TYPE_MKBLOCK_ACL))
872 count++;
873 if (perm & (1 << TOMOYO_TYPE_MKCHAR_ACL))
874 count++;
875 if (perm & (1 << TOMOYO_TYPE_TRUNCATE_ACL))
876 count++;
877 if (perm & (1 << TOMOYO_TYPE_SYMLINK_ACL))
878 count++;
879 if (perm & (1 << TOMOYO_TYPE_REWRITE_ACL))
880 count++;
881 break; 858 break;
882 case TOMOYO_TYPE_DOUBLE_PATH_ACL: 859 case TOMOYO_TYPE_DOUBLE_PATH_ACL:
883 acl2 = container_of(ptr, 860 perm = container_of(ptr,
884 struct tomoyo_double_path_acl_record, 861 struct tomoyo_double_path_acl_record,
885 head); 862 head)->perm;
886 perm = acl2->perm; 863 for (i = 0; i < TOMOYO_MAX_DOUBLE_PATH_OPERATION; i++)
887 if (perm & (1 << TOMOYO_TYPE_LINK_ACL)) 864 if (perm & (1 << i))
888 count++; 865 count++;
889 if (perm & (1 << TOMOYO_TYPE_RENAME_ACL))
890 count++;
891 break; 866 break;
892 } 867 }
893 } 868 }
@@ -1426,7 +1401,7 @@ static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head,
1426 u8 bit; 1401 u8 bit;
1427 const char *atmark = ""; 1402 const char *atmark = "";
1428 const char *filename; 1403 const char *filename;
1429 const u16 perm = ptr->perm; 1404 const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16);
1430 1405
1431 filename = ptr->filename->name; 1406 filename = ptr->filename->name;
1432 for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION; 1407 for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION;
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 92169d29b2db..bd10f9fa3511 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -108,7 +108,7 @@ struct tomoyo_path_info_with_data {
108 * (b) type & 0x80 : whether the entry is marked as "deleted". 108 * (b) type & 0x80 : whether the entry is marked as "deleted".
109 * 109 *
110 * Packing "struct tomoyo_acl_info" allows 110 * Packing "struct tomoyo_acl_info" allows
111 * "struct tomoyo_single_path_acl_record" to embed "u16" and 111 * "struct tomoyo_single_path_acl_record" to embed "u8" + "u16" and
112 * "struct tomoyo_double_path_acl_record" to embed "u8" 112 * "struct tomoyo_double_path_acl_record" to embed "u8"
113 * without enlarging their structure size. 113 * without enlarging their structure size.
114 */ 114 */
@@ -184,10 +184,13 @@ struct tomoyo_domain_info {
184 * Directives held by this structure are "allow_read/write", "allow_execute", 184 * Directives held by this structure are "allow_read/write", "allow_execute",
185 * "allow_read", "allow_write", "allow_create", "allow_unlink", "allow_mkdir", 185 * "allow_read", "allow_write", "allow_create", "allow_unlink", "allow_mkdir",
186 * "allow_rmdir", "allow_mkfifo", "allow_mksock", "allow_mkblock", 186 * "allow_rmdir", "allow_mkfifo", "allow_mksock", "allow_mkblock",
187 * "allow_mkchar", "allow_truncate", "allow_symlink" and "allow_rewrite". 187 * "allow_mkchar", "allow_truncate", "allow_symlink", "allow_rewrite",
188 * "allow_chmod", "allow_chown", "allow_chgrp", "allow_chroot", "allow_mount"
189 * and "allow_unmount".
188 */ 190 */
189struct tomoyo_single_path_acl_record { 191struct tomoyo_single_path_acl_record {
190 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_SINGLE_PATH_ACL */ 192 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_SINGLE_PATH_ACL */
193 u8 perm_high;
191 u16 perm; 194 u16 perm;
192 /* Pointer to single pathname. */ 195 /* Pointer to single pathname. */
193 const struct tomoyo_path_info *filename; 196 const struct tomoyo_path_info *filename;
@@ -195,7 +198,7 @@ struct tomoyo_single_path_acl_record {
195 198
196/* 199/*
197 * tomoyo_double_path_acl_record is a structure which is used for holding an 200 * tomoyo_double_path_acl_record is a structure which is used for holding an
198 * entry with two pathnames operation (i.e. link() and rename()). 201 * entry with two pathnames operation (i.e. link(), rename() and pivot_root()).
199 * It has following fields. 202 * It has following fields.
200 * 203 *
201 * (1) "head" which is a "struct tomoyo_acl_info". 204 * (1) "head" which is a "struct tomoyo_acl_info".
@@ -203,7 +206,8 @@ struct tomoyo_single_path_acl_record {
203 * (3) "filename1" is the source/old pathname. 206 * (3) "filename1" is the source/old pathname.
204 * (4) "filename2" is the destination/new pathname. 207 * (4) "filename2" is the destination/new pathname.
205 * 208 *
206 * Directives held by this structure are "allow_rename" and "allow_link". 209 * Directives held by this structure are "allow_rename", "allow_link" and
210 * "allow_pivot_root".
207 */ 211 */
208struct tomoyo_double_path_acl_record { 212struct tomoyo_double_path_acl_record {
209 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_DOUBLE_PATH_ACL */ 213 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_DOUBLE_PATH_ACL */
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 5ae3a571559f..2d10f98fc551 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -81,12 +81,20 @@ static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = {
81 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate", 81 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate",
82 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink", 82 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink",
83 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite", 83 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite",
84 [TOMOYO_TYPE_IOCTL_ACL] = "ioctl",
85 [TOMOYO_TYPE_CHMOD_ACL] = "chmod",
86 [TOMOYO_TYPE_CHOWN_ACL] = "chown",
87 [TOMOYO_TYPE_CHGRP_ACL] = "chgrp",
88 [TOMOYO_TYPE_CHROOT_ACL] = "chroot",
89 [TOMOYO_TYPE_MOUNT_ACL] = "mount",
90 [TOMOYO_TYPE_UMOUNT_ACL] = "unmount",
84}; 91};
85 92
86/* Keyword array for double path operations. */ 93/* Keyword array for double path operations. */
87static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = { 94static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = {
88 [TOMOYO_TYPE_LINK_ACL] = "link", 95 [TOMOYO_TYPE_LINK_ACL] = "link",
89 [TOMOYO_TYPE_RENAME_ACL] = "rename", 96 [TOMOYO_TYPE_RENAME_ACL] = "rename",
97 [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root",
90}; 98};
91 99
92/** 100/**
@@ -655,7 +663,7 @@ static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
655 domain, 663 domain,
656 const struct tomoyo_path_info * 664 const struct tomoyo_path_info *
657 filename, 665 filename,
658 const u16 perm, 666 const u32 perm,
659 const bool may_use_pattern) 667 const bool may_use_pattern)
660{ 668{
661 struct tomoyo_acl_info *ptr; 669 struct tomoyo_acl_info *ptr;
@@ -668,8 +676,13 @@ static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
668 continue; 676 continue;
669 acl = container_of(ptr, struct tomoyo_single_path_acl_record, 677 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
670 head); 678 head);
671 if (!(acl->perm & perm)) 679 if (perm <= 0xFFFF) {
672 continue; 680 if (!(acl->perm & perm))
681 continue;
682 } else {
683 if (!(acl->perm_high & (perm >> 16)))
684 continue;
685 }
673 if (may_use_pattern || !acl->filename->is_patterned) { 686 if (may_use_pattern || !acl->filename->is_patterned) {
674 if (!tomoyo_path_matches_pattern(filename, 687 if (!tomoyo_path_matches_pattern(filename,
675 acl->filename)) 688 acl->filename))
@@ -697,7 +710,7 @@ static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
697 const struct tomoyo_path_info *filename, 710 const struct tomoyo_path_info *filename,
698 const u8 operation) 711 const u8 operation)
699{ 712{
700 u16 perm = 0; 713 u32 perm = 0;
701 714
702 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 715 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
703 return 0; 716 return 0;
@@ -830,13 +843,13 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
830 struct tomoyo_domain_info * 843 struct tomoyo_domain_info *
831 const domain, const bool is_delete) 844 const domain, const bool is_delete)
832{ 845{
833 static const u16 rw_mask = 846 static const u32 rw_mask =
834 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL); 847 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL);
835 const struct tomoyo_path_info *saved_filename; 848 const struct tomoyo_path_info *saved_filename;
836 struct tomoyo_acl_info *ptr; 849 struct tomoyo_acl_info *ptr;
837 struct tomoyo_single_path_acl_record *acl; 850 struct tomoyo_single_path_acl_record *acl;
838 int error = -ENOMEM; 851 int error = -ENOMEM;
839 const u16 perm = 1 << type; 852 const u32 perm = 1 << type;
840 853
841 if (!domain) 854 if (!domain)
842 return -EINVAL; 855 return -EINVAL;
@@ -858,7 +871,10 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
858 /* Special case. Clear all bits if marked as deleted. */ 871 /* Special case. Clear all bits if marked as deleted. */
859 if (ptr->type & TOMOYO_ACL_DELETED) 872 if (ptr->type & TOMOYO_ACL_DELETED)
860 acl->perm = 0; 873 acl->perm = 0;
861 acl->perm |= perm; 874 if (perm <= 0xFFFF)
875 acl->perm |= perm;
876 else
877 acl->perm_high |= (perm >> 16);
862 if ((acl->perm & rw_mask) == rw_mask) 878 if ((acl->perm & rw_mask) == rw_mask)
863 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL; 879 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL;
864 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 880 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
@@ -871,7 +887,10 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
871 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL); 887 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL);
872 if (!acl) 888 if (!acl)
873 goto out; 889 goto out;
874 acl->perm = perm; 890 if (perm <= 0xFFFF)
891 acl->perm = perm;
892 else
893 acl->perm_high = (perm >> 16);
875 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 894 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL))
876 acl->perm |= rw_mask; 895 acl->perm |= rw_mask;
877 acl->filename = saved_filename; 896 acl->filename = saved_filename;
@@ -887,12 +906,15 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
887 head); 906 head);
888 if (acl->filename != saved_filename) 907 if (acl->filename != saved_filename)
889 continue; 908 continue;
890 acl->perm &= ~perm; 909 if (perm <= 0xFFFF)
910 acl->perm &= ~perm;
911 else
912 acl->perm_high &= ~(perm >> 16);
891 if ((acl->perm & rw_mask) != rw_mask) 913 if ((acl->perm & rw_mask) != rw_mask)
892 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL); 914 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL);
893 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) 915 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
894 acl->perm &= ~rw_mask; 916 acl->perm &= ~rw_mask;
895 if (!acl->perm) 917 if (!acl->perm && !acl->perm_high)
896 ptr->type |= TOMOYO_ACL_DELETED; 918 ptr->type |= TOMOYO_ACL_DELETED;
897 error = 0; 919 error = 0;
898 break; 920 break;
@@ -1193,7 +1215,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1193} 1215}
1194 1216
1195/** 1217/**
1196 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate" and "symlink". 1218 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1197 * 1219 *
1198 * @domain: Pointer to "struct tomoyo_domain_info". 1220 * @domain: Pointer to "struct tomoyo_domain_info".
1199 * @operation: Type of operation. 1221 * @operation: Type of operation.
@@ -1217,6 +1239,7 @@ int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1217 switch (operation) { 1239 switch (operation) {
1218 case TOMOYO_TYPE_MKDIR_ACL: 1240 case TOMOYO_TYPE_MKDIR_ACL:
1219 case TOMOYO_TYPE_RMDIR_ACL: 1241 case TOMOYO_TYPE_RMDIR_ACL:
1242 case TOMOYO_TYPE_CHROOT_ACL:
1220 if (!buf->is_dir) { 1243 if (!buf->is_dir) {
1221 /* 1244 /*
1222 * tomoyo_get_path() reserves space for appending "/." 1245 * tomoyo_get_path() reserves space for appending "/."
@@ -1270,7 +1293,7 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1270} 1293}
1271 1294
1272/** 1295/**
1273 * tomoyo_check_2path_perm - Check permission for "rename" and "link". 1296 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root".
1274 * 1297 *
1275 * @domain: Pointer to "struct tomoyo_domain_info". 1298 * @domain: Pointer to "struct tomoyo_domain_info".
1276 * @operation: Type of operation. 1299 * @operation: Type of operation.
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 9548a0984cc4..3fb5f6ea4fc9 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -271,6 +271,60 @@ static int tomoyo_dentry_open(struct file *f, const struct cred *cred)
271 return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path, flags); 271 return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path, flags);
272} 272}
273 273
274static int tomoyo_file_ioctl(struct file *file, unsigned int cmd,
275 unsigned long arg)
276{
277 return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_IOCTL_ACL,
278 &file->f_path);
279}
280
281static int tomoyo_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
282 mode_t mode)
283{
284 struct path path = { mnt, dentry };
285 return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_CHMOD_ACL,
286 &path);
287}
288
289static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid)
290{
291 int error = 0;
292 if (uid != (uid_t) -1)
293 error = tomoyo_check_1path_perm(tomoyo_domain(),
294 TOMOYO_TYPE_CHOWN_ACL, path);
295 if (!error && gid != (gid_t) -1)
296 error = tomoyo_check_1path_perm(tomoyo_domain(),
297 TOMOYO_TYPE_CHGRP_ACL, path);
298 return error;
299}
300
301static int tomoyo_path_chroot(struct path *path)
302{
303 return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_CHROOT_ACL,
304 path);
305}
306
307static int tomoyo_sb_mount(char *dev_name, struct path *path,
308 char *type, unsigned long flags, void *data)
309{
310 return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_MOUNT_ACL,
311 path);
312}
313
314static int tomoyo_sb_umount(struct vfsmount *mnt, int flags)
315{
316 struct path path = { mnt, mnt->mnt_root };
317 return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_UMOUNT_ACL,
318 &path);
319}
320
321static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path)
322{
323 return tomoyo_check_2path_perm(tomoyo_domain(),
324 TOMOYO_TYPE_PIVOT_ROOT_ACL,
325 new_path, old_path);
326}
327
274/* 328/*
275 * tomoyo_security_ops is a "struct security_operations" which is used for 329 * tomoyo_security_ops is a "struct security_operations" which is used for
276 * registering TOMOYO. 330 * registering TOMOYO.
@@ -295,6 +349,13 @@ static struct security_operations tomoyo_security_ops = {
295 .path_mknod = tomoyo_path_mknod, 349 .path_mknod = tomoyo_path_mknod,
296 .path_link = tomoyo_path_link, 350 .path_link = tomoyo_path_link,
297 .path_rename = tomoyo_path_rename, 351 .path_rename = tomoyo_path_rename,
352 .file_ioctl = tomoyo_file_ioctl,
353 .path_chmod = tomoyo_path_chmod,
354 .path_chown = tomoyo_path_chown,
355 .path_chroot = tomoyo_path_chroot,
356 .sb_mount = tomoyo_sb_mount,
357 .sb_umount = tomoyo_sb_umount,
358 .sb_pivotroot = tomoyo_sb_pivotroot,
298}; 359};
299 360
300static int __init tomoyo_init(void) 361static int __init tomoyo_init(void)
diff --git a/security/tomoyo/tomoyo.h b/security/tomoyo/tomoyo.h
index cd6ba0bf7069..fac02655ea4b 100644
--- a/security/tomoyo/tomoyo.h
+++ b/security/tomoyo/tomoyo.h
@@ -64,11 +64,19 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm);
64#define TOMOYO_TYPE_TRUNCATE_ACL 12 64#define TOMOYO_TYPE_TRUNCATE_ACL 12
65#define TOMOYO_TYPE_SYMLINK_ACL 13 65#define TOMOYO_TYPE_SYMLINK_ACL 13
66#define TOMOYO_TYPE_REWRITE_ACL 14 66#define TOMOYO_TYPE_REWRITE_ACL 14
67#define TOMOYO_MAX_SINGLE_PATH_OPERATION 15 67#define TOMOYO_TYPE_IOCTL_ACL 15
68#define TOMOYO_TYPE_CHMOD_ACL 16
69#define TOMOYO_TYPE_CHOWN_ACL 17
70#define TOMOYO_TYPE_CHGRP_ACL 18
71#define TOMOYO_TYPE_CHROOT_ACL 19
72#define TOMOYO_TYPE_MOUNT_ACL 20
73#define TOMOYO_TYPE_UMOUNT_ACL 21
74#define TOMOYO_MAX_SINGLE_PATH_OPERATION 22
68 75
69#define TOMOYO_TYPE_LINK_ACL 0 76#define TOMOYO_TYPE_LINK_ACL 0
70#define TOMOYO_TYPE_RENAME_ACL 1 77#define TOMOYO_TYPE_RENAME_ACL 1
71#define TOMOYO_MAX_DOUBLE_PATH_OPERATION 2 78#define TOMOYO_TYPE_PIVOT_ROOT_ACL 2
79#define TOMOYO_MAX_DOUBLE_PATH_OPERATION 3
72 80
73#define TOMOYO_DOMAINPOLICY 0 81#define TOMOYO_DOMAINPOLICY 0
74#define TOMOYO_EXCEPTIONPOLICY 1 82#define TOMOYO_EXCEPTIONPOLICY 1