diff options
-rw-r--r-- | security/tomoyo/common.h | 10 | ||||
-rw-r--r-- | security/tomoyo/file.c | 15 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.c | 40 |
3 files changed, 27 insertions, 38 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index f4d3050b9c0e..17ed365521b1 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h | |||
@@ -637,12 +637,10 @@ int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, | |||
637 | const struct tomoyo_path_info *filename); | 637 | const struct tomoyo_path_info *filename); |
638 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | 638 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, |
639 | struct path *path, const int flag); | 639 | struct path *path, const int flag); |
640 | int tomoyo_path_perm(struct tomoyo_domain_info *domain, const u8 operation, | 640 | int tomoyo_path_perm(const u8 operation, struct path *path); |
641 | struct path *path); | 641 | int tomoyo_path2_perm(const u8 operation, struct path *path1, |
642 | int tomoyo_path2_perm(struct tomoyo_domain_info *domain, const u8 operation, | 642 | struct path *path2); |
643 | struct path *path1, struct path *path2); | 643 | int tomoyo_check_rewrite_permission(struct file *filp); |
644 | int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, | ||
645 | struct file *filp); | ||
646 | int tomoyo_find_next_domain(struct linux_binprm *bprm); | 644 | int tomoyo_find_next_domain(struct linux_binprm *bprm); |
647 | 645 | ||
648 | /* Run garbage collector. */ | 646 | /* Run garbage collector. */ |
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 09feaf24864d..db342ef87af7 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c | |||
@@ -1135,17 +1135,16 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
1135 | /** | 1135 | /** |
1136 | * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". | 1136 | * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". |
1137 | * | 1137 | * |
1138 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
1139 | * @operation: Type of operation. | 1138 | * @operation: Type of operation. |
1140 | * @path: Pointer to "struct path". | 1139 | * @path: Pointer to "struct path". |
1141 | * | 1140 | * |
1142 | * Returns 0 on success, negative value otherwise. | 1141 | * Returns 0 on success, negative value otherwise. |
1143 | */ | 1142 | */ |
1144 | int tomoyo_path_perm(struct tomoyo_domain_info *domain, | 1143 | int tomoyo_path_perm(const u8 operation, struct path *path) |
1145 | const u8 operation, struct path *path) | ||
1146 | { | 1144 | { |
1147 | int error = -ENOMEM; | 1145 | int error = -ENOMEM; |
1148 | struct tomoyo_path_info *buf; | 1146 | struct tomoyo_path_info *buf; |
1147 | struct tomoyo_domain_info *domain = tomoyo_domain(); | ||
1149 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | 1148 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); |
1150 | const bool is_enforce = (mode == 3); | 1149 | const bool is_enforce = (mode == 3); |
1151 | int idx; | 1150 | int idx; |
@@ -1180,15 +1179,14 @@ int tomoyo_path_perm(struct tomoyo_domain_info *domain, | |||
1180 | /** | 1179 | /** |
1181 | * tomoyo_check_rewrite_permission - Check permission for "rewrite". | 1180 | * tomoyo_check_rewrite_permission - Check permission for "rewrite". |
1182 | * | 1181 | * |
1183 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
1184 | * @filp: Pointer to "struct file". | 1182 | * @filp: Pointer to "struct file". |
1185 | * | 1183 | * |
1186 | * Returns 0 on success, negative value otherwise. | 1184 | * Returns 0 on success, negative value otherwise. |
1187 | */ | 1185 | */ |
1188 | int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, | 1186 | int tomoyo_check_rewrite_permission(struct file *filp) |
1189 | struct file *filp) | ||
1190 | { | 1187 | { |
1191 | int error = -ENOMEM; | 1188 | int error = -ENOMEM; |
1189 | struct tomoyo_domain_info *domain = tomoyo_domain(); | ||
1192 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | 1190 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); |
1193 | const bool is_enforce = (mode == 3); | 1191 | const bool is_enforce = (mode == 3); |
1194 | struct tomoyo_path_info *buf; | 1192 | struct tomoyo_path_info *buf; |
@@ -1217,19 +1215,18 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, | |||
1217 | /** | 1215 | /** |
1218 | * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root". | 1216 | * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root". |
1219 | * | 1217 | * |
1220 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
1221 | * @operation: Type of operation. | 1218 | * @operation: Type of operation. |
1222 | * @path1: Pointer to "struct path". | 1219 | * @path1: Pointer to "struct path". |
1223 | * @path2: Pointer to "struct path". | 1220 | * @path2: Pointer to "struct path". |
1224 | * | 1221 | * |
1225 | * Returns 0 on success, negative value otherwise. | 1222 | * Returns 0 on success, negative value otherwise. |
1226 | */ | 1223 | */ |
1227 | int tomoyo_path2_perm(struct tomoyo_domain_info * const domain, | 1224 | int tomoyo_path2_perm(const u8 operation, struct path *path1, |
1228 | const u8 operation, struct path *path1, | ||
1229 | struct path *path2) | 1225 | struct path *path2) |
1230 | { | 1226 | { |
1231 | int error = -ENOMEM; | 1227 | int error = -ENOMEM; |
1232 | struct tomoyo_path_info *buf1, *buf2; | 1228 | struct tomoyo_path_info *buf1, *buf2; |
1229 | struct tomoyo_domain_info *domain = tomoyo_domain(); | ||
1233 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | 1230 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); |
1234 | const bool is_enforce = (mode == 3); | 1231 | const bool is_enforce = (mode == 3); |
1235 | const char *msg; | 1232 | const char *msg; |
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index e3945d0511b8..c94e35c3c759 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c | |||
@@ -100,33 +100,33 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm) | |||
100 | static int tomoyo_path_truncate(struct path *path, loff_t length, | 100 | static int tomoyo_path_truncate(struct path *path, loff_t length, |
101 | unsigned int time_attrs) | 101 | unsigned int time_attrs) |
102 | { | 102 | { |
103 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_TRUNCATE, path); | 103 | return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path); |
104 | } | 104 | } |
105 | 105 | ||
106 | static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry) | 106 | static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry) |
107 | { | 107 | { |
108 | struct path path = { parent->mnt, dentry }; | 108 | struct path path = { parent->mnt, dentry }; |
109 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_UNLINK, &path); | 109 | return tomoyo_path_perm(TOMOYO_TYPE_UNLINK, &path); |
110 | } | 110 | } |
111 | 111 | ||
112 | static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry, | 112 | static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry, |
113 | int mode) | 113 | int mode) |
114 | { | 114 | { |
115 | struct path path = { parent->mnt, dentry }; | 115 | struct path path = { parent->mnt, dentry }; |
116 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_MKDIR, &path); | 116 | return tomoyo_path_perm(TOMOYO_TYPE_MKDIR, &path); |
117 | } | 117 | } |
118 | 118 | ||
119 | static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry) | 119 | static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry) |
120 | { | 120 | { |
121 | struct path path = { parent->mnt, dentry }; | 121 | struct path path = { parent->mnt, dentry }; |
122 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_RMDIR, &path); | 122 | return tomoyo_path_perm(TOMOYO_TYPE_RMDIR, &path); |
123 | } | 123 | } |
124 | 124 | ||
125 | static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry, | 125 | static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry, |
126 | const char *old_name) | 126 | const char *old_name) |
127 | { | 127 | { |
128 | struct path path = { parent->mnt, dentry }; | 128 | struct path path = { parent->mnt, dentry }; |
129 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_SYMLINK, &path); | 129 | return tomoyo_path_perm(TOMOYO_TYPE_SYMLINK, &path); |
130 | } | 130 | } |
131 | 131 | ||
132 | static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry, | 132 | static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry, |
@@ -149,7 +149,7 @@ static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry, | |||
149 | type = TOMOYO_TYPE_MKSOCK; | 149 | type = TOMOYO_TYPE_MKSOCK; |
150 | break; | 150 | break; |
151 | } | 151 | } |
152 | return tomoyo_path_perm(tomoyo_domain(), type, &path); | 152 | return tomoyo_path_perm(type, &path); |
153 | } | 153 | } |
154 | 154 | ||
155 | static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir, | 155 | static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir, |
@@ -157,8 +157,7 @@ static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir, | |||
157 | { | 157 | { |
158 | struct path path1 = { new_dir->mnt, old_dentry }; | 158 | struct path path1 = { new_dir->mnt, old_dentry }; |
159 | struct path path2 = { new_dir->mnt, new_dentry }; | 159 | struct path path2 = { new_dir->mnt, new_dentry }; |
160 | return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_LINK, &path1, | 160 | return tomoyo_path2_perm(TOMOYO_TYPE_LINK, &path1, &path2); |
161 | &path2); | ||
162 | } | 161 | } |
163 | 162 | ||
164 | static int tomoyo_path_rename(struct path *old_parent, | 163 | static int tomoyo_path_rename(struct path *old_parent, |
@@ -168,15 +167,14 @@ static int tomoyo_path_rename(struct path *old_parent, | |||
168 | { | 167 | { |
169 | struct path path1 = { old_parent->mnt, old_dentry }; | 168 | struct path path1 = { old_parent->mnt, old_dentry }; |
170 | struct path path2 = { new_parent->mnt, new_dentry }; | 169 | struct path path2 = { new_parent->mnt, new_dentry }; |
171 | return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_RENAME, &path1, | 170 | return tomoyo_path2_perm(TOMOYO_TYPE_RENAME, &path1, &path2); |
172 | &path2); | ||
173 | } | 171 | } |
174 | 172 | ||
175 | static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, | 173 | static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, |
176 | unsigned long arg) | 174 | unsigned long arg) |
177 | { | 175 | { |
178 | if (cmd == F_SETFL && ((arg ^ file->f_flags) & O_APPEND)) | 176 | if (cmd == F_SETFL && ((arg ^ file->f_flags) & O_APPEND)) |
179 | return tomoyo_check_rewrite_permission(tomoyo_domain(), file); | 177 | return tomoyo_check_rewrite_permission(file); |
180 | return 0; | 178 | return 0; |
181 | } | 179 | } |
182 | 180 | ||
@@ -196,50 +194,46 @@ static int tomoyo_dentry_open(struct file *f, const struct cred *cred) | |||
196 | static int tomoyo_file_ioctl(struct file *file, unsigned int cmd, | 194 | static int tomoyo_file_ioctl(struct file *file, unsigned int cmd, |
197 | unsigned long arg) | 195 | unsigned long arg) |
198 | { | 196 | { |
199 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_IOCTL, | 197 | return tomoyo_path_perm(TOMOYO_TYPE_IOCTL, &file->f_path); |
200 | &file->f_path); | ||
201 | } | 198 | } |
202 | 199 | ||
203 | static int tomoyo_path_chmod(struct dentry *dentry, struct vfsmount *mnt, | 200 | static int tomoyo_path_chmod(struct dentry *dentry, struct vfsmount *mnt, |
204 | mode_t mode) | 201 | mode_t mode) |
205 | { | 202 | { |
206 | struct path path = { mnt, dentry }; | 203 | struct path path = { mnt, dentry }; |
207 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHMOD, &path); | 204 | return tomoyo_path_perm(TOMOYO_TYPE_CHMOD, &path); |
208 | } | 205 | } |
209 | 206 | ||
210 | static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid) | 207 | static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid) |
211 | { | 208 | { |
212 | int error = 0; | 209 | int error = 0; |
213 | if (uid != (uid_t) -1) | 210 | if (uid != (uid_t) -1) |
214 | error = tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHOWN, | 211 | error = tomoyo_path_perm(TOMOYO_TYPE_CHOWN, path); |
215 | path); | ||
216 | if (!error && gid != (gid_t) -1) | 212 | if (!error && gid != (gid_t) -1) |
217 | error = tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHGRP, | 213 | error = tomoyo_path_perm(TOMOYO_TYPE_CHGRP, path); |
218 | path); | ||
219 | return error; | 214 | return error; |
220 | } | 215 | } |
221 | 216 | ||
222 | static int tomoyo_path_chroot(struct path *path) | 217 | static int tomoyo_path_chroot(struct path *path) |
223 | { | 218 | { |
224 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHROOT, path); | 219 | return tomoyo_path_perm(TOMOYO_TYPE_CHROOT, path); |
225 | } | 220 | } |
226 | 221 | ||
227 | static int tomoyo_sb_mount(char *dev_name, struct path *path, | 222 | static int tomoyo_sb_mount(char *dev_name, struct path *path, |
228 | char *type, unsigned long flags, void *data) | 223 | char *type, unsigned long flags, void *data) |
229 | { | 224 | { |
230 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_MOUNT, path); | 225 | return tomoyo_path_perm(TOMOYO_TYPE_MOUNT, path); |
231 | } | 226 | } |
232 | 227 | ||
233 | static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) | 228 | static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) |
234 | { | 229 | { |
235 | struct path path = { mnt, mnt->mnt_root }; | 230 | struct path path = { mnt, mnt->mnt_root }; |
236 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_UMOUNT, &path); | 231 | return tomoyo_path_perm(TOMOYO_TYPE_UMOUNT, &path); |
237 | } | 232 | } |
238 | 233 | ||
239 | static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path) | 234 | static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path) |
240 | { | 235 | { |
241 | return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_PIVOT_ROOT, | 236 | return tomoyo_path2_perm(TOMOYO_TYPE_PIVOT_ROOT, new_path, old_path); |
242 | new_path, old_path); | ||
243 | } | 237 | } |
244 | 238 | ||
245 | /* | 239 | /* |