diff options
| -rw-r--r-- | security/tomoyo/common.c | 35 | ||||
| -rw-r--r-- | security/tomoyo/common.h | 39 | ||||
| -rw-r--r-- | security/tomoyo/domain.c | 184 | ||||
| -rw-r--r-- | security/tomoyo/file.c | 107 | ||||
| -rw-r--r-- | security/tomoyo/number_group.c | 45 | ||||
| -rw-r--r-- | security/tomoyo/path_group.c | 32 |
6 files changed, 190 insertions, 252 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 7bfad45fcd61..4ee47af0917d 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
| @@ -469,6 +469,15 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head) | |||
| 469 | */ | 469 | */ |
| 470 | LIST_HEAD(tomoyo_policy_manager_list); | 470 | LIST_HEAD(tomoyo_policy_manager_list); |
| 471 | 471 | ||
| 472 | static bool tomoyo_same_manager_entry(const struct tomoyo_acl_head *a, | ||
| 473 | const struct tomoyo_acl_head *b) | ||
| 474 | { | ||
| 475 | return container_of(a, struct tomoyo_policy_manager_entry, head) | ||
| 476 | ->manager == | ||
| 477 | container_of(b, struct tomoyo_policy_manager_entry, head) | ||
| 478 | ->manager; | ||
| 479 | } | ||
| 480 | |||
| 472 | /** | 481 | /** |
| 473 | * tomoyo_update_manager_entry - Add a manager entry. | 482 | * tomoyo_update_manager_entry - Add a manager entry. |
| 474 | * | 483 | * |
| @@ -482,9 +491,8 @@ LIST_HEAD(tomoyo_policy_manager_list); | |||
| 482 | static int tomoyo_update_manager_entry(const char *manager, | 491 | static int tomoyo_update_manager_entry(const char *manager, |
| 483 | const bool is_delete) | 492 | const bool is_delete) |
| 484 | { | 493 | { |
| 485 | struct tomoyo_policy_manager_entry *ptr; | ||
| 486 | struct tomoyo_policy_manager_entry e = { }; | 494 | struct tomoyo_policy_manager_entry e = { }; |
| 487 | int error = is_delete ? -ENOENT : -ENOMEM; | 495 | int error; |
| 488 | 496 | ||
| 489 | if (tomoyo_is_domain_def(manager)) { | 497 | if (tomoyo_is_domain_def(manager)) { |
| 490 | if (!tomoyo_is_correct_domain(manager)) | 498 | if (!tomoyo_is_correct_domain(manager)) |
| @@ -497,26 +505,9 @@ static int tomoyo_update_manager_entry(const char *manager, | |||
| 497 | e.manager = tomoyo_get_name(manager); | 505 | e.manager = tomoyo_get_name(manager); |
| 498 | if (!e.manager) | 506 | if (!e.manager) |
| 499 | return -ENOMEM; | 507 | return -ENOMEM; |
| 500 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | 508 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, |
| 501 | goto out; | 509 | &tomoyo_policy_manager_list, |
| 502 | list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, head.list) { | 510 | tomoyo_same_manager_entry); |
| 503 | if (ptr->manager != e.manager) | ||
| 504 | continue; | ||
| 505 | ptr->head.is_deleted = is_delete; | ||
| 506 | error = 0; | ||
| 507 | break; | ||
| 508 | } | ||
| 509 | if (!is_delete && error) { | ||
| 510 | struct tomoyo_policy_manager_entry *entry = | ||
| 511 | tomoyo_commit_ok(&e, sizeof(e)); | ||
| 512 | if (entry) { | ||
| 513 | list_add_tail_rcu(&entry->head.list, | ||
| 514 | &tomoyo_policy_manager_list); | ||
| 515 | error = 0; | ||
| 516 | } | ||
| 517 | } | ||
| 518 | mutex_unlock(&tomoyo_policy_lock); | ||
| 519 | out: | ||
| 520 | tomoyo_put_name(e.manager); | 511 | tomoyo_put_name(e.manager); |
| 521 | return error; | 512 | return error; |
| 522 | } | 513 | } |
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 0ab6e86f90aa..c8ab7553c48c 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h | |||
| @@ -913,6 +913,12 @@ int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size, | |||
| 913 | bool (*merge_duplicate) (struct tomoyo_acl_info *, | 913 | bool (*merge_duplicate) (struct tomoyo_acl_info *, |
| 914 | struct tomoyo_acl_info *, | 914 | struct tomoyo_acl_info *, |
| 915 | const bool)); | 915 | const bool)); |
| 916 | int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size, | ||
| 917 | bool is_delete, struct list_head *list, | ||
| 918 | bool (*check_duplicate) (const struct tomoyo_acl_head | ||
| 919 | *, | ||
| 920 | const struct tomoyo_acl_head | ||
| 921 | *)); | ||
| 916 | 922 | ||
| 917 | /********** External variable definitions. **********/ | 923 | /********** External variable definitions. **********/ |
| 918 | 924 | ||
| @@ -1042,39 +1048,6 @@ static inline bool tomoyo_is_same_number_union | |||
| 1042 | p1->max_type == p2->max_type && p1->is_group == p2->is_group; | 1048 | p1->max_type == p2->max_type && p1->is_group == p2->is_group; |
| 1043 | } | 1049 | } |
| 1044 | 1050 | ||
| 1045 | static inline bool tomoyo_is_same_domain_initializer_entry | ||
| 1046 | (const struct tomoyo_domain_initializer_entry *p1, | ||
| 1047 | const struct tomoyo_domain_initializer_entry *p2) | ||
| 1048 | { | ||
| 1049 | return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name | ||
| 1050 | && p1->domainname == p2->domainname | ||
| 1051 | && p1->program == p2->program; | ||
| 1052 | } | ||
| 1053 | |||
| 1054 | static inline bool tomoyo_is_same_domain_keeper_entry | ||
| 1055 | (const struct tomoyo_domain_keeper_entry *p1, | ||
| 1056 | const struct tomoyo_domain_keeper_entry *p2) | ||
| 1057 | { | ||
| 1058 | return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name | ||
| 1059 | && p1->domainname == p2->domainname | ||
| 1060 | && p1->program == p2->program; | ||
| 1061 | } | ||
| 1062 | |||
| 1063 | static inline bool tomoyo_is_same_aggregator_entry | ||
| 1064 | (const struct tomoyo_aggregator_entry *p1, | ||
| 1065 | const struct tomoyo_aggregator_entry *p2) | ||
| 1066 | { | ||
| 1067 | return p1->original_name == p2->original_name && | ||
| 1068 | p1->aggregated_name == p2->aggregated_name; | ||
| 1069 | } | ||
| 1070 | |||
| 1071 | static inline bool tomoyo_is_same_alias_entry | ||
| 1072 | (const struct tomoyo_alias_entry *p1, const struct tomoyo_alias_entry *p2) | ||
| 1073 | { | ||
| 1074 | return p1->original_name == p2->original_name && | ||
| 1075 | p1->aliased_name == p2->aliased_name; | ||
| 1076 | } | ||
| 1077 | |||
| 1078 | /** | 1051 | /** |
| 1079 | * list_for_each_cookie - iterate over a list with cookie. | 1052 | * list_for_each_cookie - iterate over a list with cookie. |
| 1080 | * @pos: the &struct list_head to use as a loop cursor. | 1053 | * @pos: the &struct list_head to use as a loop cursor. |
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 60297da6adcf..fe621af46c2e 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c | |||
| @@ -16,6 +16,49 @@ | |||
| 16 | struct tomoyo_domain_info tomoyo_kernel_domain; | 16 | struct tomoyo_domain_info tomoyo_kernel_domain; |
| 17 | 17 | ||
| 18 | /** | 18 | /** |
| 19 | * tomoyo_update_policy - Update an entry for exception policy. | ||
| 20 | * | ||
| 21 | * @new_entry: Pointer to "struct tomoyo_acl_info". | ||
| 22 | * @size: Size of @new_entry in bytes. | ||
| 23 | * @is_delete: True if it is a delete request. | ||
| 24 | * @list: Pointer to "struct list_head". | ||
| 25 | * @check_duplicate: Callback function to find duplicated entry. | ||
| 26 | * | ||
| 27 | * Returns 0 on success, negative value otherwise. | ||
| 28 | * | ||
| 29 | * Caller holds tomoyo_read_lock(). | ||
| 30 | */ | ||
| 31 | int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size, | ||
| 32 | bool is_delete, struct list_head *list, | ||
| 33 | bool (*check_duplicate) (const struct tomoyo_acl_head | ||
| 34 | *, | ||
| 35 | const struct tomoyo_acl_head | ||
| 36 | *)) | ||
| 37 | { | ||
| 38 | int error = is_delete ? -ENOENT : -ENOMEM; | ||
| 39 | struct tomoyo_acl_head *entry; | ||
| 40 | |||
| 41 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | ||
| 42 | return -ENOMEM; | ||
| 43 | list_for_each_entry_rcu(entry, list, list) { | ||
| 44 | if (!check_duplicate(entry, new_entry)) | ||
| 45 | continue; | ||
| 46 | entry->is_deleted = is_delete; | ||
| 47 | error = 0; | ||
| 48 | break; | ||
| 49 | } | ||
| 50 | if (error && !is_delete) { | ||
| 51 | entry = tomoyo_commit_ok(new_entry, size); | ||
| 52 | if (entry) { | ||
| 53 | list_add_tail_rcu(&entry->list, list); | ||
| 54 | error = 0; | ||
| 55 | } | ||
| 56 | } | ||
| 57 | mutex_unlock(&tomoyo_policy_lock); | ||
| 58 | return error; | ||
| 59 | } | ||
| 60 | |||
| 61 | /** | ||
| 19 | * tomoyo_update_domain - Update an entry for domain policy. | 62 | * tomoyo_update_domain - Update an entry for domain policy. |
| 20 | * | 63 | * |
| 21 | * @new_entry: Pointer to "struct tomoyo_acl_info". | 64 | * @new_entry: Pointer to "struct tomoyo_acl_info". |
| @@ -161,6 +204,20 @@ const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain) | |||
| 161 | */ | 204 | */ |
| 162 | LIST_HEAD(tomoyo_domain_initializer_list); | 205 | LIST_HEAD(tomoyo_domain_initializer_list); |
| 163 | 206 | ||
| 207 | static bool tomoyo_same_domain_initializer_entry(const struct tomoyo_acl_head * | ||
| 208 | a, | ||
| 209 | const struct tomoyo_acl_head * | ||
| 210 | b) | ||
| 211 | { | ||
| 212 | const struct tomoyo_domain_initializer_entry *p1 = | ||
| 213 | container_of(a, typeof(*p1), head); | ||
| 214 | const struct tomoyo_domain_initializer_entry *p2 = | ||
| 215 | container_of(b, typeof(*p2), head); | ||
| 216 | return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name | ||
| 217 | && p1->domainname == p2->domainname | ||
| 218 | && p1->program == p2->program; | ||
| 219 | } | ||
| 220 | |||
| 164 | /** | 221 | /** |
| 165 | * tomoyo_update_domain_initializer_entry - Update "struct tomoyo_domain_initializer_entry" list. | 222 | * tomoyo_update_domain_initializer_entry - Update "struct tomoyo_domain_initializer_entry" list. |
| 166 | * | 223 | * |
| @@ -178,7 +235,6 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname, | |||
| 178 | const bool is_not, | 235 | const bool is_not, |
| 179 | const bool is_delete) | 236 | const bool is_delete) |
| 180 | { | 237 | { |
| 181 | struct tomoyo_domain_initializer_entry *ptr; | ||
| 182 | struct tomoyo_domain_initializer_entry e = { .is_not = is_not }; | 238 | struct tomoyo_domain_initializer_entry e = { .is_not = is_not }; |
| 183 | int error = is_delete ? -ENOENT : -ENOMEM; | 239 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 184 | 240 | ||
| @@ -197,26 +253,9 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname, | |||
| 197 | e.program = tomoyo_get_name(program); | 253 | e.program = tomoyo_get_name(program); |
| 198 | if (!e.program) | 254 | if (!e.program) |
| 199 | goto out; | 255 | goto out; |
| 200 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | 256 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, |
| 201 | goto out; | 257 | &tomoyo_domain_initializer_list, |
| 202 | list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, | 258 | tomoyo_same_domain_initializer_entry); |
| 203 | head.list) { | ||
| 204 | if (!tomoyo_is_same_domain_initializer_entry(ptr, &e)) | ||
| 205 | continue; | ||
| 206 | ptr->head.is_deleted = is_delete; | ||
| 207 | error = 0; | ||
| 208 | break; | ||
| 209 | } | ||
| 210 | if (!is_delete && error) { | ||
| 211 | struct tomoyo_domain_initializer_entry *entry = | ||
| 212 | tomoyo_commit_ok(&e, sizeof(e)); | ||
| 213 | if (entry) { | ||
| 214 | list_add_tail_rcu(&entry->head.list, | ||
| 215 | &tomoyo_domain_initializer_list); | ||
| 216 | error = 0; | ||
| 217 | } | ||
| 218 | } | ||
| 219 | mutex_unlock(&tomoyo_policy_lock); | ||
| 220 | out: | 259 | out: |
| 221 | tomoyo_put_name(e.domainname); | 260 | tomoyo_put_name(e.domainname); |
| 222 | tomoyo_put_name(e.program); | 261 | tomoyo_put_name(e.program); |
| @@ -373,6 +412,18 @@ static bool tomoyo_is_domain_initializer(const struct tomoyo_path_info * | |||
| 373 | */ | 412 | */ |
| 374 | LIST_HEAD(tomoyo_domain_keeper_list); | 413 | LIST_HEAD(tomoyo_domain_keeper_list); |
| 375 | 414 | ||
| 415 | static bool tomoyo_same_domain_keeper_entry(const struct tomoyo_acl_head *a, | ||
| 416 | const struct tomoyo_acl_head *b) | ||
| 417 | { | ||
| 418 | const struct tomoyo_domain_keeper_entry *p1 = | ||
| 419 | container_of(a, typeof(*p1), head); | ||
| 420 | const struct tomoyo_domain_keeper_entry *p2 = | ||
| 421 | container_of(b, typeof(*p2), head); | ||
| 422 | return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name | ||
| 423 | && p1->domainname == p2->domainname | ||
| 424 | && p1->program == p2->program; | ||
| 425 | } | ||
| 426 | |||
| 376 | /** | 427 | /** |
| 377 | * tomoyo_update_domain_keeper_entry - Update "struct tomoyo_domain_keeper_entry" list. | 428 | * tomoyo_update_domain_keeper_entry - Update "struct tomoyo_domain_keeper_entry" list. |
| 378 | * | 429 | * |
| @@ -390,7 +441,6 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname, | |||
| 390 | const bool is_not, | 441 | const bool is_not, |
| 391 | const bool is_delete) | 442 | const bool is_delete) |
| 392 | { | 443 | { |
| 393 | struct tomoyo_domain_keeper_entry *ptr; | ||
| 394 | struct tomoyo_domain_keeper_entry e = { .is_not = is_not }; | 444 | struct tomoyo_domain_keeper_entry e = { .is_not = is_not }; |
| 395 | int error = is_delete ? -ENOENT : -ENOMEM; | 445 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 396 | 446 | ||
| @@ -409,25 +459,9 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname, | |||
| 409 | e.domainname = tomoyo_get_name(domainname); | 459 | e.domainname = tomoyo_get_name(domainname); |
| 410 | if (!e.domainname) | 460 | if (!e.domainname) |
| 411 | goto out; | 461 | goto out; |
| 412 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | 462 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, |
| 413 | goto out; | 463 | &tomoyo_domain_keeper_list, |
| 414 | list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, head.list) { | 464 | tomoyo_same_domain_keeper_entry); |
| 415 | if (!tomoyo_is_same_domain_keeper_entry(ptr, &e)) | ||
| 416 | continue; | ||
| 417 | ptr->head.is_deleted = is_delete; | ||
| 418 | error = 0; | ||
| 419 | break; | ||
| 420 | } | ||
| 421 | if (!is_delete && error) { | ||
| 422 | struct tomoyo_domain_keeper_entry *entry = | ||
| 423 | tomoyo_commit_ok(&e, sizeof(e)); | ||
| 424 | if (entry) { | ||
| 425 | list_add_tail_rcu(&entry->head.list, | ||
| 426 | &tomoyo_domain_keeper_list); | ||
| 427 | error = 0; | ||
| 428 | } | ||
| 429 | } | ||
| 430 | mutex_unlock(&tomoyo_policy_lock); | ||
| 431 | out: | 465 | out: |
| 432 | tomoyo_put_name(e.domainname); | 466 | tomoyo_put_name(e.domainname); |
| 433 | tomoyo_put_name(e.program); | 467 | tomoyo_put_name(e.program); |
| @@ -565,6 +599,17 @@ static bool tomoyo_is_domain_keeper(const struct tomoyo_path_info *domainname, | |||
| 565 | */ | 599 | */ |
| 566 | LIST_HEAD(tomoyo_aggregator_list); | 600 | LIST_HEAD(tomoyo_aggregator_list); |
| 567 | 601 | ||
| 602 | static bool tomoyo_same_aggregator_entry(const struct tomoyo_acl_head *a, | ||
| 603 | const struct tomoyo_acl_head *b) | ||
| 604 | { | ||
| 605 | const struct tomoyo_aggregator_entry *p1 = container_of(a, typeof(*p1), | ||
| 606 | head); | ||
| 607 | const struct tomoyo_aggregator_entry *p2 = container_of(b, typeof(*p2), | ||
| 608 | head); | ||
| 609 | return p1->original_name == p2->original_name && | ||
| 610 | p1->aggregated_name == p2->aggregated_name; | ||
| 611 | } | ||
| 612 | |||
| 568 | /** | 613 | /** |
| 569 | * tomoyo_update_aggregator_entry - Update "struct tomoyo_aggregator_entry" list. | 614 | * tomoyo_update_aggregator_entry - Update "struct tomoyo_aggregator_entry" list. |
| 570 | * | 615 | * |
| @@ -580,7 +625,6 @@ static int tomoyo_update_aggregator_entry(const char *original_name, | |||
| 580 | const char *aggregated_name, | 625 | const char *aggregated_name, |
| 581 | const bool is_delete) | 626 | const bool is_delete) |
| 582 | { | 627 | { |
| 583 | struct tomoyo_aggregator_entry *ptr; | ||
| 584 | struct tomoyo_aggregator_entry e = { }; | 628 | struct tomoyo_aggregator_entry e = { }; |
| 585 | int error = is_delete ? -ENOENT : -ENOMEM; | 629 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 586 | 630 | ||
| @@ -592,25 +636,9 @@ static int tomoyo_update_aggregator_entry(const char *original_name, | |||
| 592 | if (!e.original_name || !e.aggregated_name || | 636 | if (!e.original_name || !e.aggregated_name || |
| 593 | e.aggregated_name->is_patterned) /* No patterns allowed. */ | 637 | e.aggregated_name->is_patterned) /* No patterns allowed. */ |
| 594 | goto out; | 638 | goto out; |
| 595 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | 639 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, |
| 596 | goto out; | 640 | &tomoyo_aggregator_list, |
| 597 | list_for_each_entry_rcu(ptr, &tomoyo_aggregator_list, head.list) { | 641 | tomoyo_same_aggregator_entry); |
| 598 | if (!tomoyo_is_same_aggregator_entry(ptr, &e)) | ||
| 599 | continue; | ||
| 600 | ptr->head.is_deleted = is_delete; | ||
| 601 | error = 0; | ||
| 602 | break; | ||
| 603 | } | ||
| 604 | if (!is_delete && error) { | ||
| 605 | struct tomoyo_aggregator_entry *entry = | ||
| 606 | tomoyo_commit_ok(&e, sizeof(e)); | ||
| 607 | if (entry) { | ||
| 608 | list_add_tail_rcu(&entry->head.list, | ||
| 609 | &tomoyo_aggregator_list); | ||
| 610 | error = 0; | ||
| 611 | } | ||
| 612 | } | ||
| 613 | mutex_unlock(&tomoyo_policy_lock); | ||
| 614 | out: | 642 | out: |
| 615 | tomoyo_put_name(e.original_name); | 643 | tomoyo_put_name(e.original_name); |
| 616 | tomoyo_put_name(e.aggregated_name); | 644 | tomoyo_put_name(e.aggregated_name); |
| @@ -699,6 +727,17 @@ int tomoyo_write_aggregator_policy(char *data, const bool is_delete) | |||
| 699 | */ | 727 | */ |
| 700 | LIST_HEAD(tomoyo_alias_list); | 728 | LIST_HEAD(tomoyo_alias_list); |
| 701 | 729 | ||
| 730 | static bool tomoyo_same_alias_entry(const struct tomoyo_acl_head *a, | ||
| 731 | const struct tomoyo_acl_head *b) | ||
| 732 | { | ||
| 733 | const struct tomoyo_alias_entry *p1 = container_of(a, typeof(*p1), | ||
| 734 | head); | ||
| 735 | const struct tomoyo_alias_entry *p2 = container_of(b, typeof(*p2), | ||
| 736 | head); | ||
| 737 | return p1->original_name == p2->original_name && | ||
| 738 | p1->aliased_name == p2->aliased_name; | ||
| 739 | } | ||
| 740 | |||
| 702 | /** | 741 | /** |
| 703 | * tomoyo_update_alias_entry - Update "struct tomoyo_alias_entry" list. | 742 | * tomoyo_update_alias_entry - Update "struct tomoyo_alias_entry" list. |
| 704 | * | 743 | * |
| @@ -714,7 +753,6 @@ static int tomoyo_update_alias_entry(const char *original_name, | |||
| 714 | const char *aliased_name, | 753 | const char *aliased_name, |
| 715 | const bool is_delete) | 754 | const bool is_delete) |
| 716 | { | 755 | { |
| 717 | struct tomoyo_alias_entry *ptr; | ||
| 718 | struct tomoyo_alias_entry e = { }; | 756 | struct tomoyo_alias_entry e = { }; |
| 719 | int error = is_delete ? -ENOENT : -ENOMEM; | 757 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 720 | 758 | ||
| @@ -726,25 +764,9 @@ static int tomoyo_update_alias_entry(const char *original_name, | |||
| 726 | if (!e.original_name || !e.aliased_name || | 764 | if (!e.original_name || !e.aliased_name || |
| 727 | e.original_name->is_patterned || e.aliased_name->is_patterned) | 765 | e.original_name->is_patterned || e.aliased_name->is_patterned) |
| 728 | goto out; /* No patterns allowed. */ | 766 | goto out; /* No patterns allowed. */ |
| 729 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | 767 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, |
| 730 | goto out; | 768 | &tomoyo_alias_list, |
| 731 | list_for_each_entry_rcu(ptr, &tomoyo_alias_list, head.list) { | 769 | tomoyo_same_alias_entry); |
| 732 | if (!tomoyo_is_same_alias_entry(ptr, &e)) | ||
| 733 | continue; | ||
| 734 | ptr->head.is_deleted = is_delete; | ||
| 735 | error = 0; | ||
| 736 | break; | ||
| 737 | } | ||
| 738 | if (!is_delete && error) { | ||
| 739 | struct tomoyo_alias_entry *entry = | ||
| 740 | tomoyo_commit_ok(&e, sizeof(e)); | ||
| 741 | if (entry) { | ||
| 742 | list_add_tail_rcu(&entry->head.list, | ||
| 743 | &tomoyo_alias_list); | ||
| 744 | error = 0; | ||
| 745 | } | ||
| 746 | } | ||
| 747 | mutex_unlock(&tomoyo_policy_lock); | ||
| 748 | out: | 770 | out: |
| 749 | tomoyo_put_name(e.original_name); | 771 | tomoyo_put_name(e.original_name); |
| 750 | tomoyo_put_name(e.aliased_name); | 772 | tomoyo_put_name(e.aliased_name); |
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 09436d11f298..8015719926d5 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c | |||
| @@ -253,6 +253,15 @@ static int tomoyo_update_path_acl(const u8 type, const char *filename, | |||
| 253 | */ | 253 | */ |
| 254 | LIST_HEAD(tomoyo_globally_readable_list); | 254 | LIST_HEAD(tomoyo_globally_readable_list); |
| 255 | 255 | ||
| 256 | static bool tomoyo_same_globally_readable(const struct tomoyo_acl_head *a, | ||
| 257 | const struct tomoyo_acl_head *b) | ||
| 258 | { | ||
| 259 | return container_of(a, struct tomoyo_globally_readable_file_entry, | ||
| 260 | head)->filename == | ||
| 261 | container_of(b, struct tomoyo_globally_readable_file_entry, | ||
| 262 | head)->filename; | ||
| 263 | } | ||
| 264 | |||
| 256 | /** | 265 | /** |
| 257 | * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list. | 266 | * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list. |
| 258 | * | 267 | * |
| @@ -266,36 +275,17 @@ LIST_HEAD(tomoyo_globally_readable_list); | |||
| 266 | static int tomoyo_update_globally_readable_entry(const char *filename, | 275 | static int tomoyo_update_globally_readable_entry(const char *filename, |
| 267 | const bool is_delete) | 276 | const bool is_delete) |
| 268 | { | 277 | { |
| 269 | struct tomoyo_globally_readable_file_entry *ptr; | ||
| 270 | struct tomoyo_globally_readable_file_entry e = { }; | 278 | struct tomoyo_globally_readable_file_entry e = { }; |
| 271 | int error = is_delete ? -ENOENT : -ENOMEM; | 279 | int error; |
| 272 | 280 | ||
| 273 | if (!tomoyo_is_correct_word(filename)) | 281 | if (!tomoyo_is_correct_word(filename)) |
| 274 | return -EINVAL; | 282 | return -EINVAL; |
| 275 | e.filename = tomoyo_get_name(filename); | 283 | e.filename = tomoyo_get_name(filename); |
| 276 | if (!e.filename) | 284 | if (!e.filename) |
| 277 | return -ENOMEM; | 285 | return -ENOMEM; |
| 278 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | 286 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, |
| 279 | goto out; | 287 | &tomoyo_globally_readable_list, |
| 280 | list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, | 288 | tomoyo_same_globally_readable); |
| 281 | head.list) { | ||
| 282 | if (ptr->filename != e.filename) | ||
| 283 | continue; | ||
| 284 | ptr->head.is_deleted = is_delete; | ||
| 285 | error = 0; | ||
| 286 | break; | ||
| 287 | } | ||
| 288 | if (!is_delete && error) { | ||
| 289 | struct tomoyo_globally_readable_file_entry *entry = | ||
| 290 | tomoyo_commit_ok(&e, sizeof(e)); | ||
| 291 | if (entry) { | ||
| 292 | list_add_tail_rcu(&entry->head.list, | ||
| 293 | &tomoyo_globally_readable_list); | ||
| 294 | error = 0; | ||
| 295 | } | ||
| 296 | } | ||
| 297 | mutex_unlock(&tomoyo_policy_lock); | ||
| 298 | out: | ||
| 299 | tomoyo_put_name(e.filename); | 289 | tomoyo_put_name(e.filename); |
| 300 | return error; | 290 | return error; |
| 301 | } | 291 | } |
| @@ -402,6 +392,13 @@ bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) | |||
| 402 | */ | 392 | */ |
| 403 | LIST_HEAD(tomoyo_pattern_list); | 393 | LIST_HEAD(tomoyo_pattern_list); |
| 404 | 394 | ||
| 395 | static bool tomoyo_same_pattern(const struct tomoyo_acl_head *a, | ||
| 396 | const struct tomoyo_acl_head *b) | ||
| 397 | { | ||
| 398 | return container_of(a, struct tomoyo_pattern_entry, head)->pattern == | ||
| 399 | container_of(b, struct tomoyo_pattern_entry, head)->pattern; | ||
| 400 | } | ||
| 401 | |||
| 405 | /** | 402 | /** |
| 406 | * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list. | 403 | * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list. |
| 407 | * | 404 | * |
| @@ -415,35 +412,17 @@ LIST_HEAD(tomoyo_pattern_list); | |||
| 415 | static int tomoyo_update_file_pattern_entry(const char *pattern, | 412 | static int tomoyo_update_file_pattern_entry(const char *pattern, |
| 416 | const bool is_delete) | 413 | const bool is_delete) |
| 417 | { | 414 | { |
| 418 | struct tomoyo_pattern_entry *ptr; | ||
| 419 | struct tomoyo_pattern_entry e = { }; | 415 | struct tomoyo_pattern_entry e = { }; |
| 420 | int error = is_delete ? -ENOENT : -ENOMEM; | 416 | int error; |
| 421 | 417 | ||
| 422 | if (!tomoyo_is_correct_word(pattern)) | 418 | if (!tomoyo_is_correct_word(pattern)) |
| 423 | return -EINVAL; | 419 | return -EINVAL; |
| 424 | e.pattern = tomoyo_get_name(pattern); | 420 | e.pattern = tomoyo_get_name(pattern); |
| 425 | if (!e.pattern) | 421 | if (!e.pattern) |
| 426 | return error; | 422 | return -ENOMEM; |
| 427 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | 423 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, |
| 428 | goto out; | 424 | &tomoyo_pattern_list, |
| 429 | list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, head.list) { | 425 | tomoyo_same_pattern); |
| 430 | if (e.pattern != ptr->pattern) | ||
| 431 | continue; | ||
| 432 | ptr->head.is_deleted = is_delete; | ||
| 433 | error = 0; | ||
| 434 | break; | ||
| 435 | } | ||
| 436 | if (!is_delete && error) { | ||
| 437 | struct tomoyo_pattern_entry *entry = | ||
| 438 | tomoyo_commit_ok(&e, sizeof(e)); | ||
| 439 | if (entry) { | ||
| 440 | list_add_tail_rcu(&entry->head.list, | ||
| 441 | &tomoyo_pattern_list); | ||
| 442 | error = 0; | ||
| 443 | } | ||
| 444 | } | ||
| 445 | mutex_unlock(&tomoyo_policy_lock); | ||
| 446 | out: | ||
| 447 | tomoyo_put_name(e.pattern); | 426 | tomoyo_put_name(e.pattern); |
| 448 | return error; | 427 | return error; |
| 449 | } | 428 | } |
| @@ -553,6 +532,14 @@ bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) | |||
| 553 | */ | 532 | */ |
| 554 | LIST_HEAD(tomoyo_no_rewrite_list); | 533 | LIST_HEAD(tomoyo_no_rewrite_list); |
| 555 | 534 | ||
| 535 | static bool tomoyo_same_no_rewrite(const struct tomoyo_acl_head *a, | ||
| 536 | const struct tomoyo_acl_head *b) | ||
| 537 | { | ||
| 538 | return container_of(a, struct tomoyo_no_rewrite_entry, head)->pattern | ||
| 539 | == container_of(b, struct tomoyo_no_rewrite_entry, head) | ||
| 540 | ->pattern; | ||
| 541 | } | ||
| 542 | |||
| 556 | /** | 543 | /** |
| 557 | * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list. | 544 | * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list. |
| 558 | * | 545 | * |
| @@ -566,35 +553,17 @@ LIST_HEAD(tomoyo_no_rewrite_list); | |||
| 566 | static int tomoyo_update_no_rewrite_entry(const char *pattern, | 553 | static int tomoyo_update_no_rewrite_entry(const char *pattern, |
| 567 | const bool is_delete) | 554 | const bool is_delete) |
| 568 | { | 555 | { |
| 569 | struct tomoyo_no_rewrite_entry *ptr; | ||
| 570 | struct tomoyo_no_rewrite_entry e = { }; | 556 | struct tomoyo_no_rewrite_entry e = { }; |
| 571 | int error = is_delete ? -ENOENT : -ENOMEM; | 557 | int error; |
| 572 | 558 | ||
| 573 | if (!tomoyo_is_correct_word(pattern)) | 559 | if (!tomoyo_is_correct_word(pattern)) |
| 574 | return -EINVAL; | 560 | return -EINVAL; |
| 575 | e.pattern = tomoyo_get_name(pattern); | 561 | e.pattern = tomoyo_get_name(pattern); |
| 576 | if (!e.pattern) | 562 | if (!e.pattern) |
| 577 | return error; | 563 | return -ENOMEM; |
| 578 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | 564 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, |
| 579 | goto out; | 565 | &tomoyo_no_rewrite_list, |
| 580 | list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, head.list) { | 566 | tomoyo_same_no_rewrite); |
| 581 | if (ptr->pattern != e.pattern) | ||
| 582 | continue; | ||
| 583 | ptr->head.is_deleted = is_delete; | ||
| 584 | error = 0; | ||
| 585 | break; | ||
| 586 | } | ||
| 587 | if (!is_delete && error) { | ||
| 588 | struct tomoyo_no_rewrite_entry *entry = | ||
| 589 | tomoyo_commit_ok(&e, sizeof(e)); | ||
| 590 | if (entry) { | ||
| 591 | list_add_tail_rcu(&entry->head.list, | ||
| 592 | &tomoyo_no_rewrite_list); | ||
| 593 | error = 0; | ||
| 594 | } | ||
| 595 | } | ||
| 596 | mutex_unlock(&tomoyo_policy_lock); | ||
| 597 | out: | ||
| 598 | tomoyo_put_name(e.pattern); | 567 | tomoyo_put_name(e.pattern); |
| 599 | return error; | 568 | return error; |
| 600 | } | 569 | } |
diff --git a/security/tomoyo/number_group.c b/security/tomoyo/number_group.c index afc5b6972129..7266a7462c45 100644 --- a/security/tomoyo/number_group.c +++ b/security/tomoyo/number_group.c | |||
| @@ -56,6 +56,18 @@ struct tomoyo_number_group *tomoyo_get_number_group(const char *group_name) | |||
| 56 | return !error ? group : NULL; | 56 | return !error ? group : NULL; |
| 57 | } | 57 | } |
| 58 | 58 | ||
| 59 | static bool tomoyo_same_number_group(const struct tomoyo_acl_head *a, | ||
| 60 | const struct tomoyo_acl_head *b) | ||
| 61 | { | ||
| 62 | return !memcmp(&container_of(a, struct tomoyo_number_group_member, | ||
| 63 | head)->number, | ||
| 64 | &container_of(b, struct tomoyo_number_group_member, | ||
| 65 | head)->number, | ||
| 66 | sizeof(container_of(a, | ||
| 67 | struct tomoyo_number_group_member, | ||
| 68 | head)->number)); | ||
| 69 | } | ||
| 70 | |||
| 59 | /** | 71 | /** |
| 60 | * tomoyo_write_number_group_policy - Write "struct tomoyo_number_group" list. | 72 | * tomoyo_write_number_group_policy - Write "struct tomoyo_number_group" list. |
| 61 | * | 73 | * |
| @@ -68,40 +80,19 @@ int tomoyo_write_number_group_policy(char *data, const bool is_delete) | |||
| 68 | { | 80 | { |
| 69 | struct tomoyo_number_group *group; | 81 | struct tomoyo_number_group *group; |
| 70 | struct tomoyo_number_group_member e = { }; | 82 | struct tomoyo_number_group_member e = { }; |
| 71 | struct tomoyo_number_group_member *member; | 83 | int error; |
| 72 | int error = is_delete ? -ENOENT : -ENOMEM; | ||
| 73 | char *w[2]; | 84 | char *w[2]; |
| 74 | if (!tomoyo_tokenize(data, w, sizeof(w))) | 85 | if (!tomoyo_tokenize(data, w, sizeof(w))) |
| 75 | return -EINVAL; | 86 | return -EINVAL; |
| 76 | if (!tomoyo_parse_number_union(w[1], &e.number)) | 87 | if (w[1][0] == '@' || !tomoyo_parse_number_union(w[1], &e.number) || |
| 77 | return -EINVAL; | 88 | e.number.values[0] > e.number.values[1]) |
| 78 | if (e.number.is_group || e.number.values[0] > e.number.values[1]) { | ||
| 79 | tomoyo_put_number_union(&e.number); | ||
| 80 | return -EINVAL; | 89 | return -EINVAL; |
| 81 | } | ||
| 82 | group = tomoyo_get_number_group(w[0]); | 90 | group = tomoyo_get_number_group(w[0]); |
| 83 | if (!group) | 91 | if (!group) |
| 84 | return -ENOMEM; | 92 | return -ENOMEM; |
| 85 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | 93 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, |
| 86 | goto out; | 94 | &group->member_list, |
| 87 | list_for_each_entry_rcu(member, &group->member_list, head.list) { | 95 | tomoyo_same_number_group); |
| 88 | if (memcmp(&member->number, &e.number, sizeof(e.number))) | ||
| 89 | continue; | ||
| 90 | member->head.is_deleted = is_delete; | ||
| 91 | error = 0; | ||
| 92 | break; | ||
| 93 | } | ||
| 94 | if (!is_delete && error) { | ||
| 95 | struct tomoyo_number_group_member *entry = | ||
| 96 | tomoyo_commit_ok(&e, sizeof(e)); | ||
| 97 | if (entry) { | ||
| 98 | list_add_tail_rcu(&entry->head.list, | ||
| 99 | &group->member_list); | ||
| 100 | error = 0; | ||
| 101 | } | ||
| 102 | } | ||
| 103 | mutex_unlock(&tomoyo_policy_lock); | ||
| 104 | out: | ||
| 105 | tomoyo_put_number_group(group); | 96 | tomoyo_put_number_group(group); |
| 106 | return error; | 97 | return error; |
| 107 | } | 98 | } |
diff --git a/security/tomoyo/path_group.c b/security/tomoyo/path_group.c index 7838f7681297..5b71d8868453 100644 --- a/security/tomoyo/path_group.c +++ b/security/tomoyo/path_group.c | |||
| @@ -54,6 +54,15 @@ struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name) | |||
| 54 | return !error ? group : NULL; | 54 | return !error ? group : NULL; |
| 55 | } | 55 | } |
| 56 | 56 | ||
| 57 | static bool tomoyo_same_path_group(const struct tomoyo_acl_head *a, | ||
| 58 | const struct tomoyo_acl_head *b) | ||
| 59 | { | ||
| 60 | return container_of(a, struct tomoyo_path_group_member, head) | ||
| 61 | ->member_name == | ||
| 62 | container_of(b, struct tomoyo_path_group_member, head) | ||
| 63 | ->member_name; | ||
| 64 | } | ||
| 65 | |||
| 57 | /** | 66 | /** |
| 58 | * tomoyo_write_path_group_policy - Write "struct tomoyo_path_group" list. | 67 | * tomoyo_write_path_group_policy - Write "struct tomoyo_path_group" list. |
| 59 | * | 68 | * |
| @@ -65,7 +74,6 @@ struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name) | |||
| 65 | int tomoyo_write_path_group_policy(char *data, const bool is_delete) | 74 | int tomoyo_write_path_group_policy(char *data, const bool is_delete) |
| 66 | { | 75 | { |
| 67 | struct tomoyo_path_group *group; | 76 | struct tomoyo_path_group *group; |
| 68 | struct tomoyo_path_group_member *member; | ||
| 69 | struct tomoyo_path_group_member e = { }; | 77 | struct tomoyo_path_group_member e = { }; |
| 70 | int error = is_delete ? -ENOENT : -ENOMEM; | 78 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 71 | char *w[2]; | 79 | char *w[2]; |
| @@ -77,25 +85,9 @@ int tomoyo_write_path_group_policy(char *data, const bool is_delete) | |||
| 77 | e.member_name = tomoyo_get_name(w[1]); | 85 | e.member_name = tomoyo_get_name(w[1]); |
| 78 | if (!e.member_name) | 86 | if (!e.member_name) |
| 79 | goto out; | 87 | goto out; |
| 80 | if (mutex_lock_interruptible(&tomoyo_policy_lock)) | 88 | error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, |
| 81 | goto out; | 89 | &group->member_list, |
| 82 | list_for_each_entry_rcu(member, &group->member_list, head.list) { | 90 | tomoyo_same_path_group); |
| 83 | if (member->member_name != e.member_name) | ||
| 84 | continue; | ||
| 85 | member->head.is_deleted = is_delete; | ||
| 86 | error = 0; | ||
| 87 | break; | ||
| 88 | } | ||
| 89 | if (!is_delete && error) { | ||
| 90 | struct tomoyo_path_group_member *entry = | ||
| 91 | tomoyo_commit_ok(&e, sizeof(e)); | ||
| 92 | if (entry) { | ||
| 93 | list_add_tail_rcu(&entry->head.list, | ||
| 94 | &group->member_list); | ||
| 95 | error = 0; | ||
| 96 | } | ||
| 97 | } | ||
| 98 | mutex_unlock(&tomoyo_policy_lock); | ||
| 99 | out: | 91 | out: |
| 100 | tomoyo_put_name(e.member_name); | 92 | tomoyo_put_name(e.member_name); |
| 101 | tomoyo_put_path_group(group); | 93 | tomoyo_put_path_group(group); |