diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-10-19 17:48:57 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-10-28 17:34:41 -0400 |
commit | 59df3166ef293288d164ab3362a717743e62d20c (patch) | |
tree | ee10bb9ae940bf59beaf05dd5925d03044eb6559 /security | |
parent | c45ed235abf1b0b6666417e3c394f18717976acd (diff) |
TOMOYO: Fix interactive judgment functionality.
Commit 17fcfbd9 "TOMOYO: Add interactive enforcing mode." introduced ability
to query access decision using userspace programs. It was using global PID for
reaching policy configuration of the process. However, use of PID returns stale
policy configuration when the process's subjective credentials and objective
credentials differ. Fix this problem by allowing reaching policy configuration
via query id.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/tomoyo/common.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index d41900de8a69..610b535108af 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
@@ -963,6 +963,9 @@ static bool tomoyo_manager(void) | |||
963 | return found; | 963 | return found; |
964 | } | 964 | } |
965 | 965 | ||
966 | static struct tomoyo_domain_info *tomoyo_find_domain_by_qid | ||
967 | (unsigned int serial); | ||
968 | |||
966 | /** | 969 | /** |
967 | * tomoyo_select_domain - Parse select command. | 970 | * tomoyo_select_domain - Parse select command. |
968 | * | 971 | * |
@@ -996,6 +999,8 @@ static bool tomoyo_select_domain(struct tomoyo_io_buffer *head, | |||
996 | } else if (!strncmp(data, "domain=", 7)) { | 999 | } else if (!strncmp(data, "domain=", 7)) { |
997 | if (tomoyo_domain_def(data + 7)) | 1000 | if (tomoyo_domain_def(data + 7)) |
998 | domain = tomoyo_find_domain(data + 7); | 1001 | domain = tomoyo_find_domain(data + 7); |
1002 | } else if (sscanf(data, "Q=%u", &pid) == 1) { | ||
1003 | domain = tomoyo_find_domain_by_qid(pid); | ||
999 | } else | 1004 | } else |
1000 | return false; | 1005 | return false; |
1001 | head->w.domain = domain; | 1006 | head->w.domain = domain; |
@@ -1891,6 +1896,7 @@ static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait); | |||
1891 | /* Structure for query. */ | 1896 | /* Structure for query. */ |
1892 | struct tomoyo_query { | 1897 | struct tomoyo_query { |
1893 | struct list_head list; | 1898 | struct list_head list; |
1899 | struct tomoyo_domain_info *domain; | ||
1894 | char *query; | 1900 | char *query; |
1895 | size_t query_len; | 1901 | size_t query_len; |
1896 | unsigned int serial; | 1902 | unsigned int serial; |
@@ -2041,6 +2047,7 @@ int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) | |||
2041 | goto out; | 2047 | goto out; |
2042 | } | 2048 | } |
2043 | len = tomoyo_round2(entry.query_len); | 2049 | len = tomoyo_round2(entry.query_len); |
2050 | entry.domain = r->domain; | ||
2044 | spin_lock(&tomoyo_query_list_lock); | 2051 | spin_lock(&tomoyo_query_list_lock); |
2045 | if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] && | 2052 | if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] && |
2046 | tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len | 2053 | tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len |
@@ -2088,6 +2095,29 @@ out: | |||
2088 | } | 2095 | } |
2089 | 2096 | ||
2090 | /** | 2097 | /** |
2098 | * tomoyo_find_domain_by_qid - Get domain by query id. | ||
2099 | * | ||
2100 | * @serial: Query ID assigned by tomoyo_supervisor(). | ||
2101 | * | ||
2102 | * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise. | ||
2103 | */ | ||
2104 | static struct tomoyo_domain_info *tomoyo_find_domain_by_qid | ||
2105 | (unsigned int serial) | ||
2106 | { | ||
2107 | struct tomoyo_query *ptr; | ||
2108 | struct tomoyo_domain_info *domain = NULL; | ||
2109 | spin_lock(&tomoyo_query_list_lock); | ||
2110 | list_for_each_entry(ptr, &tomoyo_query_list, list) { | ||
2111 | if (ptr->serial != serial || ptr->answer) | ||
2112 | continue; | ||
2113 | domain = ptr->domain; | ||
2114 | break; | ||
2115 | } | ||
2116 | spin_unlock(&tomoyo_query_list_lock); | ||
2117 | return domain; | ||
2118 | } | ||
2119 | |||
2120 | /** | ||
2091 | * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query. | 2121 | * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query. |
2092 | * | 2122 | * |
2093 | * @file: Pointer to "struct file". | 2123 | * @file: Pointer to "struct file". |