aboutsummaryrefslogtreecommitdiffstats
path: root/security/tomoyo
diff options
context:
space:
mode:
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2010-06-23 23:00:25 -0400
committerJames Morris <jmorris@namei.org>2010-08-02 01:34:44 -0400
commit063821c8160568b3390044390c8328e36c5696ad (patch)
tree68a61753cdc6b0edaf0358eebdea8c20aaa713b1 /security/tomoyo
parent475e6fa3d340e75a454ea09191a29e52e2ee6e71 (diff)
TOMOYO: Allow reading only execute permission.
Policy editor needs to know allow_execute entries in order to build domain transition tree. Reading all entries is slow. Thus, allow reading only allow_execute entries. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo')
-rw-r--r--security/tomoyo/common.c8
-rw-r--r--security/tomoyo/common.h2
2 files changed, 10 insertions, 0 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 2a5330ec06c9..6c68981c0f5f 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -594,6 +594,10 @@ static bool tomoyo_select_one(struct tomoyo_io_buffer *head, const char *data)
594 struct tomoyo_domain_info *domain = NULL; 594 struct tomoyo_domain_info *domain = NULL;
595 bool global_pid = false; 595 bool global_pid = false;
596 596
597 if (!strcmp(data, "allow_execute")) {
598 head->print_execute_only = true;
599 return true;
600 }
597 if (sscanf(data, "pid=%u", &pid) == 1 || 601 if (sscanf(data, "pid=%u", &pid) == 1 ||
598 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { 602 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
599 struct task_struct *p; 603 struct task_struct *p;
@@ -759,6 +763,8 @@ static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
759 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 763 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
760 if (!(perm & (1 << bit))) 764 if (!(perm & (1 << bit)))
761 continue; 765 continue;
766 if (head->print_execute_only && bit != TOMOYO_TYPE_EXECUTE)
767 continue;
762 /* Print "read/write" instead of "read" and "write". */ 768 /* Print "read/write" instead of "read" and "write". */
763 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE) 769 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
764 && (perm & (1 << TOMOYO_TYPE_READ_WRITE))) 770 && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
@@ -926,6 +932,8 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
926 = container_of(ptr, struct tomoyo_path_acl, head); 932 = container_of(ptr, struct tomoyo_path_acl, head);
927 return tomoyo_print_path_acl(head, acl); 933 return tomoyo_print_path_acl(head, acl);
928 } 934 }
935 if (head->print_execute_only)
936 return true;
929 if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 937 if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
930 struct tomoyo_path2_acl *acl 938 struct tomoyo_path2_acl *acl
931 = container_of(ptr, struct tomoyo_path2_acl, head); 939 = container_of(ptr, struct tomoyo_path2_acl, head);
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index cdc9ef56fd86..67b9aeae80a7 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -571,6 +571,8 @@ struct tomoyo_io_buffer {
571 bool read_single_domain; 571 bool read_single_domain;
572 /* Extra variable for reading. */ 572 /* Extra variable for reading. */
573 u8 read_bit; 573 u8 read_bit;
574 /* Read only TOMOYO_TYPE_EXECUTE */
575 bool print_execute_only;
574 /* Bytes available for reading. */ 576 /* Bytes available for reading. */
575 int read_avail; 577 int read_avail;
576 /* Size of read buffer. */ 578 /* Size of read buffer. */