aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--security/tomoyo/common.c74
-rw-r--r--security/tomoyo/common.h90
-rw-r--r--security/tomoyo/file.c295
-rw-r--r--security/tomoyo/gc.c18
-rw-r--r--security/tomoyo/tomoyo.c72
5 files changed, 250 insertions, 299 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 3a36b56a2f5c..ffcf02450560 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -841,25 +841,22 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
841 return true; 841 return true;
842 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 842 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
843 switch (ptr->type) { 843 switch (ptr->type) {
844 struct tomoyo_single_path_acl_record *acl; 844 struct tomoyo_path_acl *acl;
845 u32 perm; 845 u32 perm;
846 u8 i; 846 u8 i;
847 case TOMOYO_TYPE_SINGLE_PATH_ACL: 847 case TOMOYO_TYPE_PATH_ACL:
848 acl = container_of(ptr, 848 acl = container_of(ptr, struct tomoyo_path_acl, head);
849 struct tomoyo_single_path_acl_record,
850 head);
851 perm = acl->perm | (((u32) acl->perm_high) << 16); 849 perm = acl->perm | (((u32) acl->perm_high) << 16);
852 for (i = 0; i < TOMOYO_MAX_SINGLE_PATH_OPERATION; i++) 850 for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++)
853 if (perm & (1 << i)) 851 if (perm & (1 << i))
854 count++; 852 count++;
855 if (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 853 if (perm & (1 << TOMOYO_TYPE_READ_WRITE))
856 count -= 2; 854 count -= 2;
857 break; 855 break;
858 case TOMOYO_TYPE_DOUBLE_PATH_ACL: 856 case TOMOYO_TYPE_PATH2_ACL:
859 perm = container_of(ptr, 857 perm = container_of(ptr, struct tomoyo_path2_acl, head)
860 struct tomoyo_double_path_acl_record, 858 ->perm;
861 head)->perm; 859 for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++)
862 for (i = 0; i < TOMOYO_MAX_DOUBLE_PATH_OPERATION; i++)
863 if (perm & (1 << i)) 860 if (perm & (1 << i))
864 count++; 861 count++;
865 break; 862 break;
@@ -1366,16 +1363,15 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
1366} 1363}
1367 1364
1368/** 1365/**
1369 * tomoyo_print_single_path_acl - Print a single path ACL entry. 1366 * tomoyo_print_path_acl - Print a single path ACL entry.
1370 * 1367 *
1371 * @head: Pointer to "struct tomoyo_io_buffer". 1368 * @head: Pointer to "struct tomoyo_io_buffer".
1372 * @ptr: Pointer to "struct tomoyo_single_path_acl_record". 1369 * @ptr: Pointer to "struct tomoyo_path_acl".
1373 * 1370 *
1374 * Returns true on success, false otherwise. 1371 * Returns true on success, false otherwise.
1375 */ 1372 */
1376static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head, 1373static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
1377 struct tomoyo_single_path_acl_record * 1374 struct tomoyo_path_acl *ptr)
1378 ptr)
1379{ 1375{
1380 int pos; 1376 int pos;
1381 u8 bit; 1377 u8 bit;
@@ -1384,17 +1380,15 @@ static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head,
1384 const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16); 1380 const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16);
1385 1381
1386 filename = ptr->filename->name; 1382 filename = ptr->filename->name;
1387 for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION; 1383 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
1388 bit++) {
1389 const char *msg; 1384 const char *msg;
1390 if (!(perm & (1 << bit))) 1385 if (!(perm & (1 << bit)))
1391 continue; 1386 continue;
1392 /* Print "read/write" instead of "read" and "write". */ 1387 /* Print "read/write" instead of "read" and "write". */
1393 if ((bit == TOMOYO_TYPE_READ_ACL || 1388 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
1394 bit == TOMOYO_TYPE_WRITE_ACL) 1389 && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
1395 && (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
1396 continue; 1390 continue;
1397 msg = tomoyo_sp2keyword(bit); 1391 msg = tomoyo_path2keyword(bit);
1398 pos = head->read_avail; 1392 pos = head->read_avail;
1399 if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg, 1393 if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg,
1400 atmark, filename)) 1394 atmark, filename))
@@ -1409,16 +1403,15 @@ static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head,
1409} 1403}
1410 1404
1411/** 1405/**
1412 * tomoyo_print_double_path_acl - Print a double path ACL entry. 1406 * tomoyo_print_path2_acl - Print a double path ACL entry.
1413 * 1407 *
1414 * @head: Pointer to "struct tomoyo_io_buffer". 1408 * @head: Pointer to "struct tomoyo_io_buffer".
1415 * @ptr: Pointer to "struct tomoyo_double_path_acl_record". 1409 * @ptr: Pointer to "struct tomoyo_path2_acl".
1416 * 1410 *
1417 * Returns true on success, false otherwise. 1411 * Returns true on success, false otherwise.
1418 */ 1412 */
1419static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head, 1413static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head,
1420 struct tomoyo_double_path_acl_record * 1414 struct tomoyo_path2_acl *ptr)
1421 ptr)
1422{ 1415{
1423 int pos; 1416 int pos;
1424 const char *atmark1 = ""; 1417 const char *atmark1 = "";
@@ -1430,12 +1423,11 @@ static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head,
1430 1423
1431 filename1 = ptr->filename1->name; 1424 filename1 = ptr->filename1->name;
1432 filename2 = ptr->filename2->name; 1425 filename2 = ptr->filename2->name;
1433 for (bit = head->read_bit; bit < TOMOYO_MAX_DOUBLE_PATH_OPERATION; 1426 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
1434 bit++) {
1435 const char *msg; 1427 const char *msg;
1436 if (!(perm & (1 << bit))) 1428 if (!(perm & (1 << bit)))
1437 continue; 1429 continue;
1438 msg = tomoyo_dp2keyword(bit); 1430 msg = tomoyo_path22keyword(bit);
1439 pos = head->read_avail; 1431 pos = head->read_avail;
1440 if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg, 1432 if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg,
1441 atmark1, filename1, atmark2, filename2)) 1433 atmark1, filename1, atmark2, filename2))
@@ -1462,19 +1454,15 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
1462{ 1454{
1463 const u8 acl_type = ptr->type; 1455 const u8 acl_type = ptr->type;
1464 1456
1465 if (acl_type == TOMOYO_TYPE_SINGLE_PATH_ACL) { 1457 if (acl_type == TOMOYO_TYPE_PATH_ACL) {
1466 struct tomoyo_single_path_acl_record *acl 1458 struct tomoyo_path_acl *acl
1467 = container_of(ptr, 1459 = container_of(ptr, struct tomoyo_path_acl, head);
1468 struct tomoyo_single_path_acl_record, 1460 return tomoyo_print_path_acl(head, acl);
1469 head);
1470 return tomoyo_print_single_path_acl(head, acl);
1471 } 1461 }
1472 if (acl_type == TOMOYO_TYPE_DOUBLE_PATH_ACL) { 1462 if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
1473 struct tomoyo_double_path_acl_record *acl 1463 struct tomoyo_path2_acl *acl
1474 = container_of(ptr, 1464 = container_of(ptr, struct tomoyo_path2_acl, head);
1475 struct tomoyo_double_path_acl_record, 1465 return tomoyo_print_path2_acl(head, acl);
1476 head);
1477 return tomoyo_print_double_path_acl(head, acl);
1478 } 1466 }
1479 BUG(); /* This must not happen. */ 1467 BUG(); /* This must not happen. */
1480 return false; 1468 return false;
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 3727296f01f9..f4d3050b9c0e 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -71,8 +71,8 @@ enum tomoyo_mac_index {
71 71
72/* Index numbers for Access Controls. */ 72/* Index numbers for Access Controls. */
73enum tomoyo_acl_entry_type_index { 73enum tomoyo_acl_entry_type_index {
74 TOMOYO_TYPE_SINGLE_PATH_ACL, 74 TOMOYO_TYPE_PATH_ACL,
75 TOMOYO_TYPE_DOUBLE_PATH_ACL, 75 TOMOYO_TYPE_PATH2_ACL,
76}; 76};
77 77
78/* Index numbers for File Controls. */ 78/* Index numbers for File Controls. */
@@ -87,36 +87,36 @@ enum tomoyo_acl_entry_type_index {
87 */ 87 */
88 88
89enum tomoyo_path_acl_index { 89enum tomoyo_path_acl_index {
90 TOMOYO_TYPE_READ_WRITE_ACL, 90 TOMOYO_TYPE_READ_WRITE,
91 TOMOYO_TYPE_EXECUTE_ACL, 91 TOMOYO_TYPE_EXECUTE,
92 TOMOYO_TYPE_READ_ACL, 92 TOMOYO_TYPE_READ,
93 TOMOYO_TYPE_WRITE_ACL, 93 TOMOYO_TYPE_WRITE,
94 TOMOYO_TYPE_CREATE_ACL, 94 TOMOYO_TYPE_CREATE,
95 TOMOYO_TYPE_UNLINK_ACL, 95 TOMOYO_TYPE_UNLINK,
96 TOMOYO_TYPE_MKDIR_ACL, 96 TOMOYO_TYPE_MKDIR,
97 TOMOYO_TYPE_RMDIR_ACL, 97 TOMOYO_TYPE_RMDIR,
98 TOMOYO_TYPE_MKFIFO_ACL, 98 TOMOYO_TYPE_MKFIFO,
99 TOMOYO_TYPE_MKSOCK_ACL, 99 TOMOYO_TYPE_MKSOCK,
100 TOMOYO_TYPE_MKBLOCK_ACL, 100 TOMOYO_TYPE_MKBLOCK,
101 TOMOYO_TYPE_MKCHAR_ACL, 101 TOMOYO_TYPE_MKCHAR,
102 TOMOYO_TYPE_TRUNCATE_ACL, 102 TOMOYO_TYPE_TRUNCATE,
103 TOMOYO_TYPE_SYMLINK_ACL, 103 TOMOYO_TYPE_SYMLINK,
104 TOMOYO_TYPE_REWRITE_ACL, 104 TOMOYO_TYPE_REWRITE,
105 TOMOYO_TYPE_IOCTL_ACL, 105 TOMOYO_TYPE_IOCTL,
106 TOMOYO_TYPE_CHMOD_ACL, 106 TOMOYO_TYPE_CHMOD,
107 TOMOYO_TYPE_CHOWN_ACL, 107 TOMOYO_TYPE_CHOWN,
108 TOMOYO_TYPE_CHGRP_ACL, 108 TOMOYO_TYPE_CHGRP,
109 TOMOYO_TYPE_CHROOT_ACL, 109 TOMOYO_TYPE_CHROOT,
110 TOMOYO_TYPE_MOUNT_ACL, 110 TOMOYO_TYPE_MOUNT,
111 TOMOYO_TYPE_UMOUNT_ACL, 111 TOMOYO_TYPE_UMOUNT,
112 TOMOYO_MAX_SINGLE_PATH_OPERATION 112 TOMOYO_MAX_PATH_OPERATION
113}; 113};
114 114
115enum tomoyo_path2_acl_index { 115enum tomoyo_path2_acl_index {
116 TOMOYO_TYPE_LINK_ACL, 116 TOMOYO_TYPE_LINK,
117 TOMOYO_TYPE_RENAME_ACL, 117 TOMOYO_TYPE_RENAME,
118 TOMOYO_TYPE_PIVOT_ROOT_ACL, 118 TOMOYO_TYPE_PIVOT_ROOT,
119 TOMOYO_MAX_DOUBLE_PATH_OPERATION 119 TOMOYO_MAX_PATH2_OPERATION
120}; 120};
121 121
122enum tomoyo_securityfs_interface_index { 122enum tomoyo_securityfs_interface_index {
@@ -210,12 +210,11 @@ struct tomoyo_path_info_with_data {
210 * (1) "list" which is linked to the ->acl_info_list of 210 * (1) "list" which is linked to the ->acl_info_list of
211 * "struct tomoyo_domain_info" 211 * "struct tomoyo_domain_info"
212 * (2) "type" which tells type of the entry (either 212 * (2) "type" which tells type of the entry (either
213 * "struct tomoyo_single_path_acl_record" or 213 * "struct tomoyo_path_acl" or "struct tomoyo_path2_acl").
214 * "struct tomoyo_double_path_acl_record").
215 * 214 *
216 * Packing "struct tomoyo_acl_info" allows 215 * Packing "struct tomoyo_acl_info" allows
217 * "struct tomoyo_single_path_acl_record" to embed "u8" + "u16" and 216 * "struct tomoyo_path_acl" to embed "u8" + "u16" and
218 * "struct tomoyo_double_path_acl_record" to embed "u8" 217 * "struct tomoyo_path2_acl" to embed "u8"
219 * without enlarging their structure size. 218 * without enlarging their structure size.
220 */ 219 */
221struct tomoyo_acl_info { 220struct tomoyo_acl_info {
@@ -269,7 +268,7 @@ struct tomoyo_domain_info {
269}; 268};
270 269
271/* 270/*
272 * tomoyo_single_path_acl_record is a structure which is used for holding an 271 * tomoyo_path_acl is a structure which is used for holding an
273 * entry with one pathname operation (e.g. open(), mkdir()). 272 * entry with one pathname operation (e.g. open(), mkdir()).
274 * It has following fields. 273 * It has following fields.
275 * 274 *
@@ -284,8 +283,8 @@ struct tomoyo_domain_info {
284 * "allow_chmod", "allow_chown", "allow_chgrp", "allow_chroot", "allow_mount" 283 * "allow_chmod", "allow_chown", "allow_chgrp", "allow_chroot", "allow_mount"
285 * and "allow_unmount". 284 * and "allow_unmount".
286 */ 285 */
287struct tomoyo_single_path_acl_record { 286struct tomoyo_path_acl {
288 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_SINGLE_PATH_ACL */ 287 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */
289 u8 perm_high; 288 u8 perm_high;
290 u16 perm; 289 u16 perm;
291 /* Pointer to single pathname. */ 290 /* Pointer to single pathname. */
@@ -293,7 +292,7 @@ struct tomoyo_single_path_acl_record {
293}; 292};
294 293
295/* 294/*
296 * tomoyo_double_path_acl_record is a structure which is used for holding an 295 * tomoyo_path2_acl is a structure which is used for holding an
297 * entry with two pathnames operation (i.e. link(), rename() and pivot_root()). 296 * entry with two pathnames operation (i.e. link(), rename() and pivot_root()).
298 * It has following fields. 297 * It has following fields.
299 * 298 *
@@ -305,8 +304,8 @@ struct tomoyo_single_path_acl_record {
305 * Directives held by this structure are "allow_rename", "allow_link" and 304 * Directives held by this structure are "allow_rename", "allow_link" and
306 * "allow_pivot_root". 305 * "allow_pivot_root".
307 */ 306 */
308struct tomoyo_double_path_acl_record { 307struct tomoyo_path2_acl {
309 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_DOUBLE_PATH_ACL */ 308 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */
310 u8 perm; 309 u8 perm;
311 /* Pointer to single pathname. */ 310 /* Pointer to single pathname. */
312 const struct tomoyo_path_info *filename1; 311 const struct tomoyo_path_info *filename1;
@@ -550,13 +549,13 @@ bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head);
550/* Write domain policy violation warning message to console? */ 549/* Write domain policy violation warning message to console? */
551bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain); 550bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain);
552/* Convert double path operation to operation name. */ 551/* Convert double path operation to operation name. */
553const char *tomoyo_dp2keyword(const u8 operation); 552const char *tomoyo_path22keyword(const u8 operation);
554/* Get the last component of the given domainname. */ 553/* Get the last component of the given domainname. */
555const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain); 554const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain);
556/* Get warning message. */ 555/* Get warning message. */
557const char *tomoyo_get_msg(const bool is_enforce); 556const char *tomoyo_get_msg(const bool is_enforce);
558/* Convert single path operation to operation name. */ 557/* Convert single path operation to operation name. */
559const char *tomoyo_sp2keyword(const u8 operation); 558const char *tomoyo_path2keyword(const u8 operation);
560/* Create "alias" entry in exception policy. */ 559/* Create "alias" entry in exception policy. */
561int tomoyo_write_alias_policy(char *data, const bool is_delete); 560int tomoyo_write_alias_policy(char *data, const bool is_delete);
562/* 561/*
@@ -638,11 +637,10 @@ int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
638 const struct tomoyo_path_info *filename); 637 const struct tomoyo_path_info *filename);
639int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 638int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
640 struct path *path, const int flag); 639 struct path *path, const int flag);
641int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, 640int tomoyo_path_perm(struct tomoyo_domain_info *domain, const u8 operation,
642 const u8 operation, struct path *path); 641 struct path *path);
643int tomoyo_check_2path_perm(struct tomoyo_domain_info *domain, 642int tomoyo_path2_perm(struct tomoyo_domain_info *domain, const u8 operation,
644 const u8 operation, struct path *path1, 643 struct path *path1, struct path *path2);
645 struct path *path2);
646int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, 644int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
647 struct file *filp); 645 struct file *filp);
648int tomoyo_find_next_domain(struct linux_binprm *bprm); 646int tomoyo_find_next_domain(struct linux_binprm *bprm);
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 10ee7cece080..09feaf24864d 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -12,62 +12,62 @@
12#include "common.h" 12#include "common.h"
13 13
14/* Keyword array for single path operations. */ 14/* Keyword array for single path operations. */
15static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = { 15static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
16 [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write", 16 [TOMOYO_TYPE_READ_WRITE] = "read/write",
17 [TOMOYO_TYPE_EXECUTE_ACL] = "execute", 17 [TOMOYO_TYPE_EXECUTE] = "execute",
18 [TOMOYO_TYPE_READ_ACL] = "read", 18 [TOMOYO_TYPE_READ] = "read",
19 [TOMOYO_TYPE_WRITE_ACL] = "write", 19 [TOMOYO_TYPE_WRITE] = "write",
20 [TOMOYO_TYPE_CREATE_ACL] = "create", 20 [TOMOYO_TYPE_CREATE] = "create",
21 [TOMOYO_TYPE_UNLINK_ACL] = "unlink", 21 [TOMOYO_TYPE_UNLINK] = "unlink",
22 [TOMOYO_TYPE_MKDIR_ACL] = "mkdir", 22 [TOMOYO_TYPE_MKDIR] = "mkdir",
23 [TOMOYO_TYPE_RMDIR_ACL] = "rmdir", 23 [TOMOYO_TYPE_RMDIR] = "rmdir",
24 [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo", 24 [TOMOYO_TYPE_MKFIFO] = "mkfifo",
25 [TOMOYO_TYPE_MKSOCK_ACL] = "mksock", 25 [TOMOYO_TYPE_MKSOCK] = "mksock",
26 [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock", 26 [TOMOYO_TYPE_MKBLOCK] = "mkblock",
27 [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar", 27 [TOMOYO_TYPE_MKCHAR] = "mkchar",
28 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate", 28 [TOMOYO_TYPE_TRUNCATE] = "truncate",
29 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink", 29 [TOMOYO_TYPE_SYMLINK] = "symlink",
30 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite", 30 [TOMOYO_TYPE_REWRITE] = "rewrite",
31 [TOMOYO_TYPE_IOCTL_ACL] = "ioctl", 31 [TOMOYO_TYPE_IOCTL] = "ioctl",
32 [TOMOYO_TYPE_CHMOD_ACL] = "chmod", 32 [TOMOYO_TYPE_CHMOD] = "chmod",
33 [TOMOYO_TYPE_CHOWN_ACL] = "chown", 33 [TOMOYO_TYPE_CHOWN] = "chown",
34 [TOMOYO_TYPE_CHGRP_ACL] = "chgrp", 34 [TOMOYO_TYPE_CHGRP] = "chgrp",
35 [TOMOYO_TYPE_CHROOT_ACL] = "chroot", 35 [TOMOYO_TYPE_CHROOT] = "chroot",
36 [TOMOYO_TYPE_MOUNT_ACL] = "mount", 36 [TOMOYO_TYPE_MOUNT] = "mount",
37 [TOMOYO_TYPE_UMOUNT_ACL] = "unmount", 37 [TOMOYO_TYPE_UMOUNT] = "unmount",
38}; 38};
39 39
40/* Keyword array for double path operations. */ 40/* Keyword array for double path operations. */
41static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = { 41static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
42 [TOMOYO_TYPE_LINK_ACL] = "link", 42 [TOMOYO_TYPE_LINK] = "link",
43 [TOMOYO_TYPE_RENAME_ACL] = "rename", 43 [TOMOYO_TYPE_RENAME] = "rename",
44 [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root", 44 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
45}; 45};
46 46
47/** 47/**
48 * tomoyo_sp2keyword - Get the name of single path operation. 48 * tomoyo_path2keyword - Get the name of single path operation.
49 * 49 *
50 * @operation: Type of operation. 50 * @operation: Type of operation.
51 * 51 *
52 * Returns the name of single path operation. 52 * Returns the name of single path operation.
53 */ 53 */
54const char *tomoyo_sp2keyword(const u8 operation) 54const char *tomoyo_path2keyword(const u8 operation)
55{ 55{
56 return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION) 56 return (operation < TOMOYO_MAX_PATH_OPERATION)
57 ? tomoyo_sp_keyword[operation] : NULL; 57 ? tomoyo_path_keyword[operation] : NULL;
58} 58}
59 59
60/** 60/**
61 * tomoyo_dp2keyword - Get the name of double path operation. 61 * tomoyo_path22keyword - Get the name of double path operation.
62 * 62 *
63 * @operation: Type of operation. 63 * @operation: Type of operation.
64 * 64 *
65 * Returns the name of double path operation. 65 * Returns the name of double path operation.
66 */ 66 */
67const char *tomoyo_dp2keyword(const u8 operation) 67const char *tomoyo_path22keyword(const u8 operation)
68{ 68{
69 return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION) 69 return (operation < TOMOYO_MAX_PATH2_OPERATION)
70 ? tomoyo_dp_keyword[operation] : NULL; 70 ? tomoyo_path2_keyword[operation] : NULL;
71} 71}
72 72
73/** 73/**
@@ -115,13 +115,13 @@ static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
115 return NULL; 115 return NULL;
116} 116}
117 117
118static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, 118static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
119 const char *filename2, 119 const char *filename2,
120 struct tomoyo_domain_info * 120 struct tomoyo_domain_info *const domain,
121 const domain, const bool is_delete); 121 const bool is_delete);
122static int tomoyo_update_single_path_acl(const u8 type, const char *filename, 122static int tomoyo_update_path_acl(const u8 type, const char *filename,
123 struct tomoyo_domain_info * 123 struct tomoyo_domain_info *const domain,
124 const domain, const bool is_delete); 124 const bool is_delete);
125 125
126/* 126/*
127 * tomoyo_globally_readable_list is used for holding list of pathnames which 127 * tomoyo_globally_readable_list is used for holding list of pathnames which
@@ -597,19 +597,19 @@ static int tomoyo_update_file_acl(const char *filename, u8 perm,
597 */ 597 */
598 return 0; 598 return 0;
599 if (perm & 4) 599 if (perm & 4)
600 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename, 600 tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain,
601 domain, is_delete); 601 is_delete);
602 if (perm & 2) 602 if (perm & 2)
603 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename, 603 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain,
604 domain, is_delete); 604 is_delete);
605 if (perm & 1) 605 if (perm & 1)
606 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL, 606 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain,
607 filename, domain, is_delete); 607 is_delete);
608 return 0; 608 return 0;
609} 609}
610 610
611/** 611/**
612 * tomoyo_check_single_path_acl2 - Check permission for single path operation. 612 * tomoyo_path_acl2 - Check permission for single path operation.
613 * 613 *
614 * @domain: Pointer to "struct tomoyo_domain_info". 614 * @domain: Pointer to "struct tomoyo_domain_info".
615 * @filename: Filename to check. 615 * @filename: Filename to check.
@@ -620,22 +620,18 @@ static int tomoyo_update_file_acl(const char *filename, u8 perm,
620 * 620 *
621 * Caller holds tomoyo_read_lock(). 621 * Caller holds tomoyo_read_lock().
622 */ 622 */
623static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info * 623static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain,
624 domain, 624 const struct tomoyo_path_info *filename,
625 const struct tomoyo_path_info * 625 const u32 perm, const bool may_use_pattern)
626 filename,
627 const u32 perm,
628 const bool may_use_pattern)
629{ 626{
630 struct tomoyo_acl_info *ptr; 627 struct tomoyo_acl_info *ptr;
631 int error = -EPERM; 628 int error = -EPERM;
632 629
633 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 630 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
634 struct tomoyo_single_path_acl_record *acl; 631 struct tomoyo_path_acl *acl;
635 if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL) 632 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
636 continue; 633 continue;
637 acl = container_of(ptr, struct tomoyo_single_path_acl_record, 634 acl = container_of(ptr, struct tomoyo_path_acl, head);
638 head);
639 if (perm <= 0xFFFF) { 635 if (perm <= 0xFFFF) {
640 if (!(acl->perm & perm)) 636 if (!(acl->perm & perm))
641 continue; 637 continue;
@@ -676,17 +672,16 @@ static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
676 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 672 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
677 return 0; 673 return 0;
678 if (operation == 6) 674 if (operation == 6)
679 perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL; 675 perm = 1 << TOMOYO_TYPE_READ_WRITE;
680 else if (operation == 4) 676 else if (operation == 4)
681 perm = 1 << TOMOYO_TYPE_READ_ACL; 677 perm = 1 << TOMOYO_TYPE_READ;
682 else if (operation == 2) 678 else if (operation == 2)
683 perm = 1 << TOMOYO_TYPE_WRITE_ACL; 679 perm = 1 << TOMOYO_TYPE_WRITE;
684 else if (operation == 1) 680 else if (operation == 1)
685 perm = 1 << TOMOYO_TYPE_EXECUTE_ACL; 681 perm = 1 << TOMOYO_TYPE_EXECUTE;
686 else 682 else
687 BUG(); 683 BUG();
688 return tomoyo_check_single_path_acl2(domain, filename, perm, 684 return tomoyo_path_acl2(domain, filename, perm, operation != 1);
689 operation != 1);
690} 685}
691 686
692/** 687/**
@@ -718,13 +713,13 @@ static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
718 && tomoyo_is_globally_readable_file(filename)) 713 && tomoyo_is_globally_readable_file(filename))
719 error = 0; 714 error = 0;
720 if (perm == 6) 715 if (perm == 6)
721 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL); 716 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
722 else if (perm == 4) 717 else if (perm == 4)
723 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL); 718 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
724 else if (perm == 2) 719 else if (perm == 2)
725 msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL); 720 msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
726 else if (perm == 1) 721 else if (perm == 1)
727 msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL); 722 msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
728 else 723 else
729 BUG(); 724 BUG();
730 if (!error) 725 if (!error)
@@ -773,28 +768,28 @@ int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
773 if (strncmp(data, "allow_", 6)) 768 if (strncmp(data, "allow_", 6))
774 goto out; 769 goto out;
775 data += 6; 770 data += 6;
776 for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) { 771 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) {
777 if (strcmp(data, tomoyo_sp_keyword[type])) 772 if (strcmp(data, tomoyo_path_keyword[type]))
778 continue; 773 continue;
779 return tomoyo_update_single_path_acl(type, filename, 774 return tomoyo_update_path_acl(type, filename, domain,
780 domain, is_delete); 775 is_delete);
781 } 776 }
782 filename2 = strchr(filename, ' '); 777 filename2 = strchr(filename, ' ');
783 if (!filename2) 778 if (!filename2)
784 goto out; 779 goto out;
785 *filename2++ = '\0'; 780 *filename2++ = '\0';
786 for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) { 781 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) {
787 if (strcmp(data, tomoyo_dp_keyword[type])) 782 if (strcmp(data, tomoyo_path2_keyword[type]))
788 continue; 783 continue;
789 return tomoyo_update_double_path_acl(type, filename, filename2, 784 return tomoyo_update_path2_acl(type, filename, filename2,
790 domain, is_delete); 785 domain, is_delete);
791 } 786 }
792 out: 787 out:
793 return -EINVAL; 788 return -EINVAL;
794} 789}
795 790
796/** 791/**
797 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list. 792 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
798 * 793 *
799 * @type: Type of operation. 794 * @type: Type of operation.
800 * @filename: Filename. 795 * @filename: Filename.
@@ -805,15 +800,15 @@ int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
805 * 800 *
806 * Caller holds tomoyo_read_lock(). 801 * Caller holds tomoyo_read_lock().
807 */ 802 */
808static int tomoyo_update_single_path_acl(const u8 type, const char *filename, 803static int tomoyo_update_path_acl(const u8 type, const char *filename,
809 struct tomoyo_domain_info * 804 struct tomoyo_domain_info *const domain,
810 const domain, const bool is_delete) 805 const bool is_delete)
811{ 806{
812 static const u32 rw_mask = 807 static const u32 rw_mask =
813 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL); 808 (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE);
814 const struct tomoyo_path_info *saved_filename; 809 const struct tomoyo_path_info *saved_filename;
815 struct tomoyo_acl_info *ptr; 810 struct tomoyo_acl_info *ptr;
816 struct tomoyo_single_path_acl_record *entry = NULL; 811 struct tomoyo_path_acl *entry = NULL;
817 int error = is_delete ? -ENOENT : -ENOMEM; 812 int error = is_delete ? -ENOENT : -ENOMEM;
818 const u32 perm = 1 << type; 813 const u32 perm = 1 << type;
819 814
@@ -828,10 +823,9 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
828 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 823 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
829 mutex_lock(&tomoyo_policy_lock); 824 mutex_lock(&tomoyo_policy_lock);
830 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 825 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
831 struct tomoyo_single_path_acl_record *acl = 826 struct tomoyo_path_acl *acl =
832 container_of(ptr, struct tomoyo_single_path_acl_record, 827 container_of(ptr, struct tomoyo_path_acl, head);
833 head); 828 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
834 if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL)
835 continue; 829 continue;
836 if (acl->filename != saved_filename) 830 if (acl->filename != saved_filename)
837 continue; 831 continue;
@@ -841,9 +835,8 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
841 else 835 else
842 acl->perm_high &= ~(perm >> 16); 836 acl->perm_high &= ~(perm >> 16);
843 if ((acl->perm & rw_mask) != rw_mask) 837 if ((acl->perm & rw_mask) != rw_mask)
844 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL); 838 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE);
845 else if (!(acl->perm & 839 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)))
846 (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
847 acl->perm &= ~rw_mask; 840 acl->perm &= ~rw_mask;
848 } else { 841 } else {
849 if (perm <= 0xFFFF) 842 if (perm <= 0xFFFF)
@@ -851,20 +844,20 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
851 else 844 else
852 acl->perm_high |= (perm >> 16); 845 acl->perm_high |= (perm >> 16);
853 if ((acl->perm & rw_mask) == rw_mask) 846 if ((acl->perm & rw_mask) == rw_mask)
854 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL; 847 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE;
855 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 848 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))
856 acl->perm |= rw_mask; 849 acl->perm |= rw_mask;
857 } 850 }
858 error = 0; 851 error = 0;
859 break; 852 break;
860 } 853 }
861 if (!is_delete && error && tomoyo_memory_ok(entry)) { 854 if (!is_delete && error && tomoyo_memory_ok(entry)) {
862 entry->head.type = TOMOYO_TYPE_SINGLE_PATH_ACL; 855 entry->head.type = TOMOYO_TYPE_PATH_ACL;
863 if (perm <= 0xFFFF) 856 if (perm <= 0xFFFF)
864 entry->perm = perm; 857 entry->perm = perm;
865 else 858 else
866 entry->perm_high = (perm >> 16); 859 entry->perm_high = (perm >> 16);
867 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 860 if (perm == (1 << TOMOYO_TYPE_READ_WRITE))
868 entry->perm |= rw_mask; 861 entry->perm |= rw_mask;
869 entry->filename = saved_filename; 862 entry->filename = saved_filename;
870 saved_filename = NULL; 863 saved_filename = NULL;
@@ -879,7 +872,7 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
879} 872}
880 873
881/** 874/**
882 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list. 875 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
883 * 876 *
884 * @type: Type of operation. 877 * @type: Type of operation.
885 * @filename1: First filename. 878 * @filename1: First filename.
@@ -891,15 +884,15 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
891 * 884 *
892 * Caller holds tomoyo_read_lock(). 885 * Caller holds tomoyo_read_lock().
893 */ 886 */
894static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, 887static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
895 const char *filename2, 888 const char *filename2,
896 struct tomoyo_domain_info * 889 struct tomoyo_domain_info *const domain,
897 const domain, const bool is_delete) 890 const bool is_delete)
898{ 891{
899 const struct tomoyo_path_info *saved_filename1; 892 const struct tomoyo_path_info *saved_filename1;
900 const struct tomoyo_path_info *saved_filename2; 893 const struct tomoyo_path_info *saved_filename2;
901 struct tomoyo_acl_info *ptr; 894 struct tomoyo_acl_info *ptr;
902 struct tomoyo_double_path_acl_record *entry = NULL; 895 struct tomoyo_path2_acl *entry = NULL;
903 int error = is_delete ? -ENOENT : -ENOMEM; 896 int error = is_delete ? -ENOENT : -ENOMEM;
904 const u8 perm = 1 << type; 897 const u8 perm = 1 << type;
905 898
@@ -916,10 +909,9 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
916 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 909 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
917 mutex_lock(&tomoyo_policy_lock); 910 mutex_lock(&tomoyo_policy_lock);
918 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 911 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
919 struct tomoyo_double_path_acl_record *acl = 912 struct tomoyo_path2_acl *acl =
920 container_of(ptr, struct tomoyo_double_path_acl_record, 913 container_of(ptr, struct tomoyo_path2_acl, head);
921 head); 914 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
922 if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL)
923 continue; 915 continue;
924 if (acl->filename1 != saved_filename1 || 916 if (acl->filename1 != saved_filename1 ||
925 acl->filename2 != saved_filename2) 917 acl->filename2 != saved_filename2)
@@ -932,7 +924,7 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
932 break; 924 break;
933 } 925 }
934 if (!is_delete && error && tomoyo_memory_ok(entry)) { 926 if (!is_delete && error && tomoyo_memory_ok(entry)) {
935 entry->head.type = TOMOYO_TYPE_DOUBLE_PATH_ACL; 927 entry->head.type = TOMOYO_TYPE_PATH2_ACL;
936 entry->perm = perm; 928 entry->perm = perm;
937 entry->filename1 = saved_filename1; 929 entry->filename1 = saved_filename1;
938 saved_filename1 = NULL; 930 saved_filename1 = NULL;
@@ -951,7 +943,7 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
951} 943}
952 944
953/** 945/**
954 * tomoyo_check_single_path_acl - Check permission for single path operation. 946 * tomoyo_path_acl - Check permission for single path operation.
955 * 947 *
956 * @domain: Pointer to "struct tomoyo_domain_info". 948 * @domain: Pointer to "struct tomoyo_domain_info".
957 * @type: Type of operation. 949 * @type: Type of operation.
@@ -961,17 +953,16 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
961 * 953 *
962 * Caller holds tomoyo_read_lock(). 954 * Caller holds tomoyo_read_lock().
963 */ 955 */
964static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain, 956static int tomoyo_path_acl(struct tomoyo_domain_info *domain, const u8 type,
965 const u8 type, 957 const struct tomoyo_path_info *filename)
966 const struct tomoyo_path_info *filename)
967{ 958{
968 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 959 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
969 return 0; 960 return 0;
970 return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1); 961 return tomoyo_path_acl2(domain, filename, 1 << type, 1);
971} 962}
972 963
973/** 964/**
974 * tomoyo_check_double_path_acl - Check permission for double path operation. 965 * tomoyo_path2_acl - Check permission for double path operation.
975 * 966 *
976 * @domain: Pointer to "struct tomoyo_domain_info". 967 * @domain: Pointer to "struct tomoyo_domain_info".
977 * @type: Type of operation. 968 * @type: Type of operation.
@@ -982,12 +973,10 @@ static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
982 * 973 *
983 * Caller holds tomoyo_read_lock(). 974 * Caller holds tomoyo_read_lock().
984 */ 975 */
985static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain, 976static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain,
986 const u8 type, 977 const u8 type,
987 const struct tomoyo_path_info * 978 const struct tomoyo_path_info *filename1,
988 filename1, 979 const struct tomoyo_path_info *filename2)
989 const struct tomoyo_path_info *
990 filename2)
991{ 980{
992 struct tomoyo_acl_info *ptr; 981 struct tomoyo_acl_info *ptr;
993 const u8 perm = 1 << type; 982 const u8 perm = 1 << type;
@@ -996,11 +985,10 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
996 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 985 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
997 return 0; 986 return 0;
998 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 987 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
999 struct tomoyo_double_path_acl_record *acl; 988 struct tomoyo_path2_acl *acl;
1000 if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL) 989 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
1001 continue; 990 continue;
1002 acl = container_of(ptr, struct tomoyo_double_path_acl_record, 991 acl = container_of(ptr, struct tomoyo_path2_acl, head);
1003 head);
1004 if (!(acl->perm & perm)) 992 if (!(acl->perm & perm))
1005 continue; 993 continue;
1006 if (!tomoyo_path_matches_pattern(filename1, acl->filename1)) 994 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
@@ -1014,7 +1002,7 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
1014} 1002}
1015 1003
1016/** 1004/**
1017 * tomoyo_check_single_path_permission2 - Check permission for single path operation. 1005 * tomoyo_path_permission2 - Check permission for single path operation.
1018 * 1006 *
1019 * @domain: Pointer to "struct tomoyo_domain_info". 1007 * @domain: Pointer to "struct tomoyo_domain_info".
1020 * @operation: Type of operation. 1008 * @operation: Type of operation.
@@ -1025,10 +1013,10 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
1025 * 1013 *
1026 * Caller holds tomoyo_read_lock(). 1014 * Caller holds tomoyo_read_lock().
1027 */ 1015 */
1028static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * 1016static int tomoyo_path_permission2(struct tomoyo_domain_info *const domain,
1029 const domain, u8 operation, 1017 u8 operation,
1030 const struct tomoyo_path_info * 1018 const struct tomoyo_path_info *filename,
1031 filename, const u8 mode) 1019 const u8 mode)
1032{ 1020{
1033 const char *msg; 1021 const char *msg;
1034 int error; 1022 int error;
@@ -1037,8 +1025,8 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1037 if (!mode) 1025 if (!mode)
1038 return 0; 1026 return 0;
1039 next: 1027 next:
1040 error = tomoyo_check_single_path_acl(domain, operation, filename); 1028 error = tomoyo_path_acl(domain, operation, filename);
1041 msg = tomoyo_sp2keyword(operation); 1029 msg = tomoyo_path2keyword(operation);
1042 if (!error) 1030 if (!error)
1043 goto ok; 1031 goto ok;
1044 if (tomoyo_verbose_mode(domain)) 1032 if (tomoyo_verbose_mode(domain))
@@ -1047,7 +1035,7 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1047 tomoyo_get_last_name(domain)); 1035 tomoyo_get_last_name(domain));
1048 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 1036 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1049 const char *name = tomoyo_get_file_pattern(filename)->name; 1037 const char *name = tomoyo_get_file_pattern(filename)->name;
1050 tomoyo_update_single_path_acl(operation, name, domain, false); 1038 tomoyo_update_path_acl(operation, name, domain, false);
1051 } 1039 }
1052 if (!is_enforce) 1040 if (!is_enforce)
1053 error = 0; 1041 error = 0;
@@ -1057,9 +1045,9 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1057 * we need to check "allow_rewrite" permission if the filename is 1045 * we need to check "allow_rewrite" permission if the filename is
1058 * specified by "deny_rewrite" keyword. 1046 * specified by "deny_rewrite" keyword.
1059 */ 1047 */
1060 if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL && 1048 if (!error && operation == TOMOYO_TYPE_TRUNCATE &&
1061 tomoyo_is_no_rewrite_file(filename)) { 1049 tomoyo_is_no_rewrite_file(filename)) {
1062 operation = TOMOYO_TYPE_REWRITE_ACL; 1050 operation = TOMOYO_TYPE_REWRITE;
1063 goto next; 1051 goto next;
1064 } 1052 }
1065 return error; 1053 return error;
@@ -1127,17 +1115,15 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1127 if ((acc_mode & MAY_WRITE) && 1115 if ((acc_mode & MAY_WRITE) &&
1128 ((flag & O_TRUNC) || !(flag & O_APPEND)) && 1116 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1129 (tomoyo_is_no_rewrite_file(buf))) { 1117 (tomoyo_is_no_rewrite_file(buf))) {
1130 error = tomoyo_check_single_path_permission2(domain, 1118 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE,
1131 TOMOYO_TYPE_REWRITE_ACL, 1119 buf, mode);
1132 buf, mode);
1133 } 1120 }
1134 if (!error) 1121 if (!error)
1135 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open", 1122 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1136 mode); 1123 mode);
1137 if (!error && (flag & O_TRUNC)) 1124 if (!error && (flag & O_TRUNC))
1138 error = tomoyo_check_single_path_permission2(domain, 1125 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_TRUNCATE,
1139 TOMOYO_TYPE_TRUNCATE_ACL, 1126 buf, mode);
1140 buf, mode);
1141 out: 1127 out:
1142 kfree(buf); 1128 kfree(buf);
1143 tomoyo_read_unlock(idx); 1129 tomoyo_read_unlock(idx);
@@ -1147,7 +1133,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1147} 1133}
1148 1134
1149/** 1135/**
1150 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". 1136 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1151 * 1137 *
1152 * @domain: Pointer to "struct tomoyo_domain_info". 1138 * @domain: Pointer to "struct tomoyo_domain_info".
1153 * @operation: Type of operation. 1139 * @operation: Type of operation.
@@ -1155,8 +1141,8 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1155 * 1141 *
1156 * Returns 0 on success, negative value otherwise. 1142 * Returns 0 on success, negative value otherwise.
1157 */ 1143 */
1158int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, 1144int tomoyo_path_perm(struct tomoyo_domain_info *domain,
1159 const u8 operation, struct path *path) 1145 const u8 operation, struct path *path)
1160{ 1146{
1161 int error = -ENOMEM; 1147 int error = -ENOMEM;
1162 struct tomoyo_path_info *buf; 1148 struct tomoyo_path_info *buf;
@@ -1171,9 +1157,9 @@ int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1171 if (!buf) 1157 if (!buf)
1172 goto out; 1158 goto out;
1173 switch (operation) { 1159 switch (operation) {
1174 case TOMOYO_TYPE_MKDIR_ACL: 1160 case TOMOYO_TYPE_MKDIR:
1175 case TOMOYO_TYPE_RMDIR_ACL: 1161 case TOMOYO_TYPE_RMDIR:
1176 case TOMOYO_TYPE_CHROOT_ACL: 1162 case TOMOYO_TYPE_CHROOT:
1177 if (!buf->is_dir) { 1163 if (!buf->is_dir) {
1178 /* 1164 /*
1179 * tomoyo_get_path() reserves space for appending "/." 1165 * tomoyo_get_path() reserves space for appending "/."
@@ -1182,8 +1168,7 @@ int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1182 tomoyo_fill_path_info(buf); 1168 tomoyo_fill_path_info(buf);
1183 } 1169 }
1184 } 1170 }
1185 error = tomoyo_check_single_path_permission2(domain, operation, buf, 1171 error = tomoyo_path_permission2(domain, operation, buf, mode);
1186 mode);
1187 out: 1172 out:
1188 kfree(buf); 1173 kfree(buf);
1189 tomoyo_read_unlock(idx); 1174 tomoyo_read_unlock(idx);
@@ -1220,9 +1205,7 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1220 error = 0; 1205 error = 0;
1221 goto out; 1206 goto out;
1222 } 1207 }
1223 error = tomoyo_check_single_path_permission2(domain, 1208 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, buf, mode);
1224 TOMOYO_TYPE_REWRITE_ACL,
1225 buf, mode);
1226 out: 1209 out:
1227 kfree(buf); 1210 kfree(buf);
1228 tomoyo_read_unlock(idx); 1211 tomoyo_read_unlock(idx);
@@ -1232,7 +1215,7 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1232} 1215}
1233 1216
1234/** 1217/**
1235 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root". 1218 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1236 * 1219 *
1237 * @domain: Pointer to "struct tomoyo_domain_info". 1220 * @domain: Pointer to "struct tomoyo_domain_info".
1238 * @operation: Type of operation. 1221 * @operation: Type of operation.
@@ -1241,9 +1224,9 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1241 * 1224 *
1242 * Returns 0 on success, negative value otherwise. 1225 * Returns 0 on success, negative value otherwise.
1243 */ 1226 */
1244int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain, 1227int tomoyo_path2_perm(struct tomoyo_domain_info * const domain,
1245 const u8 operation, struct path *path1, 1228 const u8 operation, struct path *path1,
1246 struct path *path2) 1229 struct path *path2)
1247{ 1230{
1248 int error = -ENOMEM; 1231 int error = -ENOMEM;
1249 struct tomoyo_path_info *buf1, *buf2; 1232 struct tomoyo_path_info *buf1, *buf2;
@@ -1275,8 +1258,8 @@ int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
1275 } 1258 }
1276 } 1259 }
1277 } 1260 }
1278 error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2); 1261 error = tomoyo_path2_acl(domain, operation, buf1, buf2);
1279 msg = tomoyo_dp2keyword(operation); 1262 msg = tomoyo_path22keyword(operation);
1280 if (!error) 1263 if (!error)
1281 goto out; 1264 goto out;
1282 if (tomoyo_verbose_mode(domain)) 1265 if (tomoyo_verbose_mode(domain))
@@ -1287,8 +1270,8 @@ int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
1287 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 1270 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1288 const char *name1 = tomoyo_get_file_pattern(buf1)->name; 1271 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1289 const char *name2 = tomoyo_get_file_pattern(buf2)->name; 1272 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1290 tomoyo_update_double_path_acl(operation, name1, name2, domain, 1273 tomoyo_update_path2_acl(operation, name1, name2, domain,
1291 false); 1274 false);
1292 } 1275 }
1293 out: 1276 out:
1294 kfree(buf1); 1277 kfree(buf1);
diff --git a/security/tomoyo/gc.c b/security/tomoyo/gc.c
index ee15da39387d..9645525ccdd4 100644
--- a/security/tomoyo/gc.c
+++ b/security/tomoyo/gc.c
@@ -86,16 +86,16 @@ static void tomoyo_del_manager(struct tomoyo_policy_manager_entry *ptr)
86static void tomoyo_del_acl(struct tomoyo_acl_info *acl) 86static void tomoyo_del_acl(struct tomoyo_acl_info *acl)
87{ 87{
88 switch (acl->type) { 88 switch (acl->type) {
89 case TOMOYO_TYPE_SINGLE_PATH_ACL: 89 case TOMOYO_TYPE_PATH_ACL:
90 { 90 {
91 struct tomoyo_single_path_acl_record *entry 91 struct tomoyo_path_acl *entry
92 = container_of(acl, typeof(*entry), head); 92 = container_of(acl, typeof(*entry), head);
93 tomoyo_put_name(entry->filename); 93 tomoyo_put_name(entry->filename);
94 } 94 }
95 break; 95 break;
96 case TOMOYO_TYPE_DOUBLE_PATH_ACL: 96 case TOMOYO_TYPE_PATH2_ACL:
97 { 97 {
98 struct tomoyo_double_path_acl_record *entry 98 struct tomoyo_path2_acl *entry
99 = container_of(acl, typeof(*entry), head); 99 = container_of(acl, typeof(*entry), head);
100 tomoyo_put_name(entry->filename1); 100 tomoyo_put_name(entry->filename1);
101 tomoyo_put_name(entry->filename2); 101 tomoyo_put_name(entry->filename2);
@@ -238,18 +238,18 @@ static void tomoyo_collect_entry(void)
238 list_for_each_entry_rcu(acl, &domain->acl_info_list, 238 list_for_each_entry_rcu(acl, &domain->acl_info_list,
239 list) { 239 list) {
240 switch (acl->type) { 240 switch (acl->type) {
241 case TOMOYO_TYPE_SINGLE_PATH_ACL: 241 case TOMOYO_TYPE_PATH_ACL:
242 if (container_of(acl, 242 if (container_of(acl,
243 struct tomoyo_single_path_acl_record, 243 struct tomoyo_path_acl,
244 head)->perm || 244 head)->perm ||
245 container_of(acl, 245 container_of(acl,
246 struct tomoyo_single_path_acl_record, 246 struct tomoyo_path_acl,
247 head)->perm_high) 247 head)->perm_high)
248 continue; 248 continue;
249 break; 249 break;
250 case TOMOYO_TYPE_DOUBLE_PATH_ACL: 250 case TOMOYO_TYPE_PATH2_ACL:
251 if (container_of(acl, 251 if (container_of(acl,
252 struct tomoyo_double_path_acl_record, 252 struct tomoyo_path2_acl,
253 head)->perm) 253 head)->perm)
254 continue; 254 continue;
255 break; 255 break;
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 87e82bfeac2f..e3945d0511b8 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -100,67 +100,56 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
100static int tomoyo_path_truncate(struct path *path, loff_t length, 100static int tomoyo_path_truncate(struct path *path, loff_t length,
101 unsigned int time_attrs) 101 unsigned int time_attrs)
102{ 102{
103 return tomoyo_check_1path_perm(tomoyo_domain(), 103 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_TRUNCATE, path);
104 TOMOYO_TYPE_TRUNCATE_ACL,
105 path);
106} 104}
107 105
108static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry) 106static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry)
109{ 107{
110 struct path path = { parent->mnt, dentry }; 108 struct path path = { parent->mnt, dentry };
111 return tomoyo_check_1path_perm(tomoyo_domain(), 109 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_UNLINK, &path);
112 TOMOYO_TYPE_UNLINK_ACL,
113 &path);
114} 110}
115 111
116static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry, 112static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry,
117 int mode) 113 int mode)
118{ 114{
119 struct path path = { parent->mnt, dentry }; 115 struct path path = { parent->mnt, dentry };
120 return tomoyo_check_1path_perm(tomoyo_domain(), 116 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_MKDIR, &path);
121 TOMOYO_TYPE_MKDIR_ACL,
122 &path);
123} 117}
124 118
125static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry) 119static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry)
126{ 120{
127 struct path path = { parent->mnt, dentry }; 121 struct path path = { parent->mnt, dentry };
128 return tomoyo_check_1path_perm(tomoyo_domain(), 122 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_RMDIR, &path);
129 TOMOYO_TYPE_RMDIR_ACL,
130 &path);
131} 123}
132 124
133static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry, 125static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry,
134 const char *old_name) 126 const char *old_name)
135{ 127{
136 struct path path = { parent->mnt, dentry }; 128 struct path path = { parent->mnt, dentry };
137 return tomoyo_check_1path_perm(tomoyo_domain(), 129 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_SYMLINK, &path);
138 TOMOYO_TYPE_SYMLINK_ACL,
139 &path);
140} 130}
141 131
142static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry, 132static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry,
143 int mode, unsigned int dev) 133 int mode, unsigned int dev)
144{ 134{
145 struct path path = { parent->mnt, dentry }; 135 struct path path = { parent->mnt, dentry };
146 int type = TOMOYO_TYPE_CREATE_ACL; 136 int type = TOMOYO_TYPE_CREATE;
147 137
148 switch (mode & S_IFMT) { 138 switch (mode & S_IFMT) {
149 case S_IFCHR: 139 case S_IFCHR:
150 type = TOMOYO_TYPE_MKCHAR_ACL; 140 type = TOMOYO_TYPE_MKCHAR;
151 break; 141 break;
152 case S_IFBLK: 142 case S_IFBLK:
153 type = TOMOYO_TYPE_MKBLOCK_ACL; 143 type = TOMOYO_TYPE_MKBLOCK;
154 break; 144 break;
155 case S_IFIFO: 145 case S_IFIFO:
156 type = TOMOYO_TYPE_MKFIFO_ACL; 146 type = TOMOYO_TYPE_MKFIFO;
157 break; 147 break;
158 case S_IFSOCK: 148 case S_IFSOCK:
159 type = TOMOYO_TYPE_MKSOCK_ACL; 149 type = TOMOYO_TYPE_MKSOCK;
160 break; 150 break;
161 } 151 }
162 return tomoyo_check_1path_perm(tomoyo_domain(), 152 return tomoyo_path_perm(tomoyo_domain(), type, &path);
163 type, &path);
164} 153}
165 154
166static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir, 155static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir,
@@ -168,9 +157,8 @@ static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir,
168{ 157{
169 struct path path1 = { new_dir->mnt, old_dentry }; 158 struct path path1 = { new_dir->mnt, old_dentry };
170 struct path path2 = { new_dir->mnt, new_dentry }; 159 struct path path2 = { new_dir->mnt, new_dentry };
171 return tomoyo_check_2path_perm(tomoyo_domain(), 160 return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_LINK, &path1,
172 TOMOYO_TYPE_LINK_ACL, 161 &path2);
173 &path1, &path2);
174} 162}
175 163
176static int tomoyo_path_rename(struct path *old_parent, 164static int tomoyo_path_rename(struct path *old_parent,
@@ -180,9 +168,8 @@ static int tomoyo_path_rename(struct path *old_parent,
180{ 168{
181 struct path path1 = { old_parent->mnt, old_dentry }; 169 struct path path1 = { old_parent->mnt, old_dentry };
182 struct path path2 = { new_parent->mnt, new_dentry }; 170 struct path path2 = { new_parent->mnt, new_dentry };
183 return tomoyo_check_2path_perm(tomoyo_domain(), 171 return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_RENAME, &path1,
184 TOMOYO_TYPE_RENAME_ACL, 172 &path2);
185 &path1, &path2);
186} 173}
187 174
188static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, 175static int tomoyo_file_fcntl(struct file *file, unsigned int cmd,
@@ -209,55 +196,50 @@ static int tomoyo_dentry_open(struct file *f, const struct cred *cred)
209static int tomoyo_file_ioctl(struct file *file, unsigned int cmd, 196static int tomoyo_file_ioctl(struct file *file, unsigned int cmd,
210 unsigned long arg) 197 unsigned long arg)
211{ 198{
212 return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_IOCTL_ACL, 199 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_IOCTL,
213 &file->f_path); 200 &file->f_path);
214} 201}
215 202
216static int tomoyo_path_chmod(struct dentry *dentry, struct vfsmount *mnt, 203static int tomoyo_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
217 mode_t mode) 204 mode_t mode)
218{ 205{
219 struct path path = { mnt, dentry }; 206 struct path path = { mnt, dentry };
220 return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_CHMOD_ACL, 207 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHMOD, &path);
221 &path);
222} 208}
223 209
224static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid) 210static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid)
225{ 211{
226 int error = 0; 212 int error = 0;
227 if (uid != (uid_t) -1) 213 if (uid != (uid_t) -1)
228 error = tomoyo_check_1path_perm(tomoyo_domain(), 214 error = tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHOWN,
229 TOMOYO_TYPE_CHOWN_ACL, path); 215 path);
230 if (!error && gid != (gid_t) -1) 216 if (!error && gid != (gid_t) -1)
231 error = tomoyo_check_1path_perm(tomoyo_domain(), 217 error = tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHGRP,
232 TOMOYO_TYPE_CHGRP_ACL, path); 218 path);
233 return error; 219 return error;
234} 220}
235 221
236static int tomoyo_path_chroot(struct path *path) 222static int tomoyo_path_chroot(struct path *path)
237{ 223{
238 return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_CHROOT_ACL, 224 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHROOT, path);
239 path);
240} 225}
241 226
242static int tomoyo_sb_mount(char *dev_name, struct path *path, 227static int tomoyo_sb_mount(char *dev_name, struct path *path,
243 char *type, unsigned long flags, void *data) 228 char *type, unsigned long flags, void *data)
244{ 229{
245 return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_MOUNT_ACL, 230 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_MOUNT, path);
246 path);
247} 231}
248 232
249static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) 233static int tomoyo_sb_umount(struct vfsmount *mnt, int flags)
250{ 234{
251 struct path path = { mnt, mnt->mnt_root }; 235 struct path path = { mnt, mnt->mnt_root };
252 return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_UMOUNT_ACL, 236 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_UMOUNT, &path);
253 &path);
254} 237}
255 238
256static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path) 239static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path)
257{ 240{
258 return tomoyo_check_2path_perm(tomoyo_domain(), 241 return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_PIVOT_ROOT,
259 TOMOYO_TYPE_PIVOT_ROOT_ACL, 242 new_path, old_path);
260 new_path, old_path);
261} 243}
262 244
263/* 245/*