aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2010-06-03 07:35:53 -0400
committerJames Morris <jmorris@namei.org>2010-08-02 01:33:41 -0400
commit9b244373da3eab671da6c5125482121528a9ebf3 (patch)
treeabbe091de54a260aec57e56ce79c164834354fc8 /security
parentea0d3ab239fba48d6e998b19c28d78f765963007 (diff)
TOMOYO: Several fixes for TOMOYO's management programs.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/tomoyo/common.c25
-rw-r--r--security/tomoyo/common.h2
-rw-r--r--security/tomoyo/path_group.c2
3 files changed, 23 insertions, 6 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 57ddfc5d9c52..98e3639db990 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -366,7 +366,7 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
366 * 366 *
367 * or 367 * or
368 * 368 *
369 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager 369 * # echo '/usr/sbin/tomoyo-editpolicy' > /sys/kernel/security/tomoyo/manager
370 * (if you want to specify by a program's location) 370 * (if you want to specify by a program's location)
371 * 371 *
372 * and is deleted by 372 * and is deleted by
@@ -376,7 +376,7 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
376 * 376 *
377 * or 377 * or
378 * 378 *
379 * # echo 'delete /usr/lib/ccs/editpolicy' > \ 379 * # echo 'delete /usr/sbin/tomoyo-editpolicy' > \
380 * /sys/kernel/security/tomoyo/manager 380 * /sys/kernel/security/tomoyo/manager
381 * 381 *
382 * and all entries are retrieved by 382 * and all entries are retrieved by
@@ -556,12 +556,17 @@ static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
556{ 556{
557 unsigned int pid; 557 unsigned int pid;
558 struct tomoyo_domain_info *domain = NULL; 558 struct tomoyo_domain_info *domain = NULL;
559 bool global_pid = false;
559 560
560 if (sscanf(data, "pid=%u", &pid) == 1) { 561 if (sscanf(data, "pid=%u", &pid) == 1 ||
562 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
561 struct task_struct *p; 563 struct task_struct *p;
562 rcu_read_lock(); 564 rcu_read_lock();
563 read_lock(&tasklist_lock); 565 read_lock(&tasklist_lock);
564 p = find_task_by_vpid(pid); 566 if (global_pid)
567 p = find_task_by_pid_ns(pid, &init_pid_ns);
568 else
569 p = find_task_by_vpid(pid);
565 if (p) 570 if (p)
566 domain = tomoyo_real_domain(p); 571 domain = tomoyo_real_domain(p);
567 read_unlock(&tasklist_lock); 572 read_unlock(&tasklist_lock);
@@ -697,6 +702,14 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
697 domain->ignore_global_allow_read = !is_delete; 702 domain->ignore_global_allow_read = !is_delete;
698 return 0; 703 return 0;
699 } 704 }
705 if (!strcmp(data, TOMOYO_KEYWORD_QUOTA_EXCEEDED)) {
706 domain->quota_warned = !is_delete;
707 return 0;
708 }
709 if (!strcmp(data, TOMOYO_KEYWORD_TRANSITION_FAILED)) {
710 domain->transition_failed = !is_delete;
711 return 0;
712 }
700 return tomoyo_write_domain_policy2(data, domain, is_delete); 713 return tomoyo_write_domain_policy2(data, domain, is_delete);
701} 714}
702 715
@@ -853,6 +866,8 @@ static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head,
853 struct tomoyo_mount_acl *ptr) 866 struct tomoyo_mount_acl *ptr)
854{ 867{
855 const int pos = head->read_avail; 868 const int pos = head->read_avail;
869 if (ptr->is_deleted)
870 return true;
856 if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) || 871 if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) ||
857 !tomoyo_print_name_union(head, &ptr->dev_name) || 872 !tomoyo_print_name_union(head, &ptr->dev_name) ||
858 !tomoyo_print_name_union(head, &ptr->dir_name) || 873 !tomoyo_print_name_union(head, &ptr->dir_name) ||
@@ -993,7 +1008,7 @@ tail_mark:
993 * This is equivalent to doing 1008 * This is equivalent to doing
994 * 1009 *
995 * ( echo "select " $domainname; echo "use_profile " $profile ) | 1010 * ( echo "select " $domainname; echo "use_profile " $profile ) |
996 * /usr/lib/ccs/loadpolicy -d 1011 * /usr/sbin/tomoyo-loadpolicy -d
997 * 1012 *
998 * Caller holds tomoyo_read_lock(). 1013 * Caller holds tomoyo_read_lock().
999 */ 1014 */
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index be03e4a21db0..6270a530c4d8 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -68,6 +68,8 @@ enum tomoyo_mode_index {
68#define TOMOYO_KEYWORD_SELECT "select " 68#define TOMOYO_KEYWORD_SELECT "select "
69#define TOMOYO_KEYWORD_USE_PROFILE "use_profile " 69#define TOMOYO_KEYWORD_USE_PROFILE "use_profile "
70#define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read" 70#define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read"
71#define TOMOYO_KEYWORD_QUOTA_EXCEEDED "quota_exceeded"
72#define TOMOYO_KEYWORD_TRANSITION_FAILED "transition_failed"
71/* A domain definition starts with <kernel>. */ 73/* A domain definition starts with <kernel>. */
72#define TOMOYO_ROOT_NAME "<kernel>" 74#define TOMOYO_ROOT_NAME "<kernel>"
73#define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1) 75#define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1)
diff --git a/security/tomoyo/path_group.c b/security/tomoyo/path_group.c
index c988041c8e1c..636025e26b06 100644
--- a/security/tomoyo/path_group.c
+++ b/security/tomoyo/path_group.c
@@ -6,7 +6,7 @@
6 6
7#include <linux/slab.h> 7#include <linux/slab.h>
8#include "common.h" 8#include "common.h"
9/* The list for "struct ccs_path_group". */ 9/* The list for "struct tomoyo_path_group". */
10LIST_HEAD(tomoyo_path_group_list); 10LIST_HEAD(tomoyo_path_group_list);
11 11
12/** 12/**