diff options
-rw-r--r-- | security/tomoyo/common.c | 74 | ||||
-rw-r--r-- | security/tomoyo/common.h | 90 | ||||
-rw-r--r-- | security/tomoyo/file.c | 295 | ||||
-rw-r--r-- | security/tomoyo/gc.c | 18 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.c | 72 |
5 files changed, 250 insertions, 299 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 3a36b56a2f5c..ffcf02450560 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
@@ -841,25 +841,22 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain) | |||
841 | return true; | 841 | return true; |
842 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { | 842 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { |
843 | switch (ptr->type) { | 843 | switch (ptr->type) { |
844 | struct tomoyo_single_path_acl_record *acl; | 844 | struct tomoyo_path_acl *acl; |
845 | u32 perm; | 845 | u32 perm; |
846 | u8 i; | 846 | u8 i; |
847 | case TOMOYO_TYPE_SINGLE_PATH_ACL: | 847 | case TOMOYO_TYPE_PATH_ACL: |
848 | acl = container_of(ptr, | 848 | acl = container_of(ptr, struct tomoyo_path_acl, head); |
849 | struct tomoyo_single_path_acl_record, | ||
850 | head); | ||
851 | perm = acl->perm | (((u32) acl->perm_high) << 16); | 849 | perm = acl->perm | (((u32) acl->perm_high) << 16); |
852 | for (i = 0; i < TOMOYO_MAX_SINGLE_PATH_OPERATION; i++) | 850 | for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++) |
853 | if (perm & (1 << i)) | 851 | if (perm & (1 << i)) |
854 | count++; | 852 | count++; |
855 | if (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) | 853 | if (perm & (1 << TOMOYO_TYPE_READ_WRITE)) |
856 | count -= 2; | 854 | count -= 2; |
857 | break; | 855 | break; |
858 | case TOMOYO_TYPE_DOUBLE_PATH_ACL: | 856 | case TOMOYO_TYPE_PATH2_ACL: |
859 | perm = container_of(ptr, | 857 | perm = container_of(ptr, struct tomoyo_path2_acl, head) |
860 | struct tomoyo_double_path_acl_record, | 858 | ->perm; |
861 | head)->perm; | 859 | for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++) |
862 | for (i = 0; i < TOMOYO_MAX_DOUBLE_PATH_OPERATION; i++) | ||
863 | if (perm & (1 << i)) | 860 | if (perm & (1 << i)) |
864 | count++; | 861 | count++; |
865 | break; | 862 | break; |
@@ -1366,16 +1363,15 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) | |||
1366 | } | 1363 | } |
1367 | 1364 | ||
1368 | /** | 1365 | /** |
1369 | * tomoyo_print_single_path_acl - Print a single path ACL entry. | 1366 | * tomoyo_print_path_acl - Print a single path ACL entry. |
1370 | * | 1367 | * |
1371 | * @head: Pointer to "struct tomoyo_io_buffer". | 1368 | * @head: Pointer to "struct tomoyo_io_buffer". |
1372 | * @ptr: Pointer to "struct tomoyo_single_path_acl_record". | 1369 | * @ptr: Pointer to "struct tomoyo_path_acl". |
1373 | * | 1370 | * |
1374 | * Returns true on success, false otherwise. | 1371 | * Returns true on success, false otherwise. |
1375 | */ | 1372 | */ |
1376 | static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head, | 1373 | static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head, |
1377 | struct tomoyo_single_path_acl_record * | 1374 | struct tomoyo_path_acl *ptr) |
1378 | ptr) | ||
1379 | { | 1375 | { |
1380 | int pos; | 1376 | int pos; |
1381 | u8 bit; | 1377 | u8 bit; |
@@ -1384,17 +1380,15 @@ static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head, | |||
1384 | const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16); | 1380 | const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16); |
1385 | 1381 | ||
1386 | filename = ptr->filename->name; | 1382 | filename = ptr->filename->name; |
1387 | for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION; | 1383 | for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { |
1388 | bit++) { | ||
1389 | const char *msg; | 1384 | const char *msg; |
1390 | if (!(perm & (1 << bit))) | 1385 | if (!(perm & (1 << bit))) |
1391 | continue; | 1386 | continue; |
1392 | /* Print "read/write" instead of "read" and "write". */ | 1387 | /* Print "read/write" instead of "read" and "write". */ |
1393 | if ((bit == TOMOYO_TYPE_READ_ACL || | 1388 | if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE) |
1394 | bit == TOMOYO_TYPE_WRITE_ACL) | 1389 | && (perm & (1 << TOMOYO_TYPE_READ_WRITE))) |
1395 | && (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) | ||
1396 | continue; | 1390 | continue; |
1397 | msg = tomoyo_sp2keyword(bit); | 1391 | msg = tomoyo_path2keyword(bit); |
1398 | pos = head->read_avail; | 1392 | pos = head->read_avail; |
1399 | if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg, | 1393 | if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg, |
1400 | atmark, filename)) | 1394 | atmark, filename)) |
@@ -1409,16 +1403,15 @@ static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head, | |||
1409 | } | 1403 | } |
1410 | 1404 | ||
1411 | /** | 1405 | /** |
1412 | * tomoyo_print_double_path_acl - Print a double path ACL entry. | 1406 | * tomoyo_print_path2_acl - Print a double path ACL entry. |
1413 | * | 1407 | * |
1414 | * @head: Pointer to "struct tomoyo_io_buffer". | 1408 | * @head: Pointer to "struct tomoyo_io_buffer". |
1415 | * @ptr: Pointer to "struct tomoyo_double_path_acl_record". | 1409 | * @ptr: Pointer to "struct tomoyo_path2_acl". |
1416 | * | 1410 | * |
1417 | * Returns true on success, false otherwise. | 1411 | * Returns true on success, false otherwise. |
1418 | */ | 1412 | */ |
1419 | static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head, | 1413 | static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head, |
1420 | struct tomoyo_double_path_acl_record * | 1414 | struct tomoyo_path2_acl *ptr) |
1421 | ptr) | ||
1422 | { | 1415 | { |
1423 | int pos; | 1416 | int pos; |
1424 | const char *atmark1 = ""; | 1417 | const char *atmark1 = ""; |
@@ -1430,12 +1423,11 @@ static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head, | |||
1430 | 1423 | ||
1431 | filename1 = ptr->filename1->name; | 1424 | filename1 = ptr->filename1->name; |
1432 | filename2 = ptr->filename2->name; | 1425 | filename2 = ptr->filename2->name; |
1433 | for (bit = head->read_bit; bit < TOMOYO_MAX_DOUBLE_PATH_OPERATION; | 1426 | for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { |
1434 | bit++) { | ||
1435 | const char *msg; | 1427 | const char *msg; |
1436 | if (!(perm & (1 << bit))) | 1428 | if (!(perm & (1 << bit))) |
1437 | continue; | 1429 | continue; |
1438 | msg = tomoyo_dp2keyword(bit); | 1430 | msg = tomoyo_path22keyword(bit); |
1439 | pos = head->read_avail; | 1431 | pos = head->read_avail; |
1440 | if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg, | 1432 | if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg, |
1441 | atmark1, filename1, atmark2, filename2)) | 1433 | atmark1, filename1, atmark2, filename2)) |
@@ -1462,19 +1454,15 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, | |||
1462 | { | 1454 | { |
1463 | const u8 acl_type = ptr->type; | 1455 | const u8 acl_type = ptr->type; |
1464 | 1456 | ||
1465 | if (acl_type == TOMOYO_TYPE_SINGLE_PATH_ACL) { | 1457 | if (acl_type == TOMOYO_TYPE_PATH_ACL) { |
1466 | struct tomoyo_single_path_acl_record *acl | 1458 | struct tomoyo_path_acl *acl |
1467 | = container_of(ptr, | 1459 | = container_of(ptr, struct tomoyo_path_acl, head); |
1468 | struct tomoyo_single_path_acl_record, | 1460 | return tomoyo_print_path_acl(head, acl); |
1469 | head); | ||
1470 | return tomoyo_print_single_path_acl(head, acl); | ||
1471 | } | 1461 | } |
1472 | if (acl_type == TOMOYO_TYPE_DOUBLE_PATH_ACL) { | 1462 | if (acl_type == TOMOYO_TYPE_PATH2_ACL) { |
1473 | struct tomoyo_double_path_acl_record *acl | 1463 | struct tomoyo_path2_acl *acl |
1474 | = container_of(ptr, | 1464 | = container_of(ptr, struct tomoyo_path2_acl, head); |
1475 | struct tomoyo_double_path_acl_record, | 1465 | return tomoyo_print_path2_acl(head, acl); |
1476 | head); | ||
1477 | return tomoyo_print_double_path_acl(head, acl); | ||
1478 | } | 1466 | } |
1479 | BUG(); /* This must not happen. */ | 1467 | BUG(); /* This must not happen. */ |
1480 | return false; | 1468 | return false; |
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 3727296f01f9..f4d3050b9c0e 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h | |||
@@ -71,8 +71,8 @@ enum tomoyo_mac_index { | |||
71 | 71 | ||
72 | /* Index numbers for Access Controls. */ | 72 | /* Index numbers for Access Controls. */ |
73 | enum tomoyo_acl_entry_type_index { | 73 | enum tomoyo_acl_entry_type_index { |
74 | TOMOYO_TYPE_SINGLE_PATH_ACL, | 74 | TOMOYO_TYPE_PATH_ACL, |
75 | TOMOYO_TYPE_DOUBLE_PATH_ACL, | 75 | TOMOYO_TYPE_PATH2_ACL, |
76 | }; | 76 | }; |
77 | 77 | ||
78 | /* Index numbers for File Controls. */ | 78 | /* Index numbers for File Controls. */ |
@@ -87,36 +87,36 @@ enum tomoyo_acl_entry_type_index { | |||
87 | */ | 87 | */ |
88 | 88 | ||
89 | enum tomoyo_path_acl_index { | 89 | enum tomoyo_path_acl_index { |
90 | TOMOYO_TYPE_READ_WRITE_ACL, | 90 | TOMOYO_TYPE_READ_WRITE, |
91 | TOMOYO_TYPE_EXECUTE_ACL, | 91 | TOMOYO_TYPE_EXECUTE, |
92 | TOMOYO_TYPE_READ_ACL, | 92 | TOMOYO_TYPE_READ, |
93 | TOMOYO_TYPE_WRITE_ACL, | 93 | TOMOYO_TYPE_WRITE, |
94 | TOMOYO_TYPE_CREATE_ACL, | 94 | TOMOYO_TYPE_CREATE, |
95 | TOMOYO_TYPE_UNLINK_ACL, | 95 | TOMOYO_TYPE_UNLINK, |
96 | TOMOYO_TYPE_MKDIR_ACL, | 96 | TOMOYO_TYPE_MKDIR, |
97 | TOMOYO_TYPE_RMDIR_ACL, | 97 | TOMOYO_TYPE_RMDIR, |
98 | TOMOYO_TYPE_MKFIFO_ACL, | 98 | TOMOYO_TYPE_MKFIFO, |
99 | TOMOYO_TYPE_MKSOCK_ACL, | 99 | TOMOYO_TYPE_MKSOCK, |
100 | TOMOYO_TYPE_MKBLOCK_ACL, | 100 | TOMOYO_TYPE_MKBLOCK, |
101 | TOMOYO_TYPE_MKCHAR_ACL, | 101 | TOMOYO_TYPE_MKCHAR, |
102 | TOMOYO_TYPE_TRUNCATE_ACL, | 102 | TOMOYO_TYPE_TRUNCATE, |
103 | TOMOYO_TYPE_SYMLINK_ACL, | 103 | TOMOYO_TYPE_SYMLINK, |
104 | TOMOYO_TYPE_REWRITE_ACL, | 104 | TOMOYO_TYPE_REWRITE, |
105 | TOMOYO_TYPE_IOCTL_ACL, | 105 | TOMOYO_TYPE_IOCTL, |
106 | TOMOYO_TYPE_CHMOD_ACL, | 106 | TOMOYO_TYPE_CHMOD, |
107 | TOMOYO_TYPE_CHOWN_ACL, | 107 | TOMOYO_TYPE_CHOWN, |
108 | TOMOYO_TYPE_CHGRP_ACL, | 108 | TOMOYO_TYPE_CHGRP, |
109 | TOMOYO_TYPE_CHROOT_ACL, | 109 | TOMOYO_TYPE_CHROOT, |
110 | TOMOYO_TYPE_MOUNT_ACL, | 110 | TOMOYO_TYPE_MOUNT, |
111 | TOMOYO_TYPE_UMOUNT_ACL, | 111 | TOMOYO_TYPE_UMOUNT, |
112 | TOMOYO_MAX_SINGLE_PATH_OPERATION | 112 | TOMOYO_MAX_PATH_OPERATION |
113 | }; | 113 | }; |
114 | 114 | ||
115 | enum tomoyo_path2_acl_index { | 115 | enum tomoyo_path2_acl_index { |
116 | TOMOYO_TYPE_LINK_ACL, | 116 | TOMOYO_TYPE_LINK, |
117 | TOMOYO_TYPE_RENAME_ACL, | 117 | TOMOYO_TYPE_RENAME, |
118 | TOMOYO_TYPE_PIVOT_ROOT_ACL, | 118 | TOMOYO_TYPE_PIVOT_ROOT, |
119 | TOMOYO_MAX_DOUBLE_PATH_OPERATION | 119 | TOMOYO_MAX_PATH2_OPERATION |
120 | }; | 120 | }; |
121 | 121 | ||
122 | enum tomoyo_securityfs_interface_index { | 122 | enum tomoyo_securityfs_interface_index { |
@@ -210,12 +210,11 @@ struct tomoyo_path_info_with_data { | |||
210 | * (1) "list" which is linked to the ->acl_info_list of | 210 | * (1) "list" which is linked to the ->acl_info_list of |
211 | * "struct tomoyo_domain_info" | 211 | * "struct tomoyo_domain_info" |
212 | * (2) "type" which tells type of the entry (either | 212 | * (2) "type" which tells type of the entry (either |
213 | * "struct tomoyo_single_path_acl_record" or | 213 | * "struct tomoyo_path_acl" or "struct tomoyo_path2_acl"). |
214 | * "struct tomoyo_double_path_acl_record"). | ||
215 | * | 214 | * |
216 | * Packing "struct tomoyo_acl_info" allows | 215 | * Packing "struct tomoyo_acl_info" allows |
217 | * "struct tomoyo_single_path_acl_record" to embed "u8" + "u16" and | 216 | * "struct tomoyo_path_acl" to embed "u8" + "u16" and |
218 | * "struct tomoyo_double_path_acl_record" to embed "u8" | 217 | * "struct tomoyo_path2_acl" to embed "u8" |
219 | * without enlarging their structure size. | 218 | * without enlarging their structure size. |
220 | */ | 219 | */ |
221 | struct tomoyo_acl_info { | 220 | struct tomoyo_acl_info { |
@@ -269,7 +268,7 @@ struct tomoyo_domain_info { | |||
269 | }; | 268 | }; |
270 | 269 | ||
271 | /* | 270 | /* |
272 | * tomoyo_single_path_acl_record is a structure which is used for holding an | 271 | * tomoyo_path_acl is a structure which is used for holding an |
273 | * entry with one pathname operation (e.g. open(), mkdir()). | 272 | * entry with one pathname operation (e.g. open(), mkdir()). |
274 | * It has following fields. | 273 | * It has following fields. |
275 | * | 274 | * |
@@ -284,8 +283,8 @@ struct tomoyo_domain_info { | |||
284 | * "allow_chmod", "allow_chown", "allow_chgrp", "allow_chroot", "allow_mount" | 283 | * "allow_chmod", "allow_chown", "allow_chgrp", "allow_chroot", "allow_mount" |
285 | * and "allow_unmount". | 284 | * and "allow_unmount". |
286 | */ | 285 | */ |
287 | struct tomoyo_single_path_acl_record { | 286 | struct tomoyo_path_acl { |
288 | struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_SINGLE_PATH_ACL */ | 287 | struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */ |
289 | u8 perm_high; | 288 | u8 perm_high; |
290 | u16 perm; | 289 | u16 perm; |
291 | /* Pointer to single pathname. */ | 290 | /* Pointer to single pathname. */ |
@@ -293,7 +292,7 @@ struct tomoyo_single_path_acl_record { | |||
293 | }; | 292 | }; |
294 | 293 | ||
295 | /* | 294 | /* |
296 | * tomoyo_double_path_acl_record is a structure which is used for holding an | 295 | * tomoyo_path2_acl is a structure which is used for holding an |
297 | * entry with two pathnames operation (i.e. link(), rename() and pivot_root()). | 296 | * entry with two pathnames operation (i.e. link(), rename() and pivot_root()). |
298 | * It has following fields. | 297 | * It has following fields. |
299 | * | 298 | * |
@@ -305,8 +304,8 @@ struct tomoyo_single_path_acl_record { | |||
305 | * Directives held by this structure are "allow_rename", "allow_link" and | 304 | * Directives held by this structure are "allow_rename", "allow_link" and |
306 | * "allow_pivot_root". | 305 | * "allow_pivot_root". |
307 | */ | 306 | */ |
308 | struct tomoyo_double_path_acl_record { | 307 | struct tomoyo_path2_acl { |
309 | struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_DOUBLE_PATH_ACL */ | 308 | struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */ |
310 | u8 perm; | 309 | u8 perm; |
311 | /* Pointer to single pathname. */ | 310 | /* Pointer to single pathname. */ |
312 | const struct tomoyo_path_info *filename1; | 311 | const struct tomoyo_path_info *filename1; |
@@ -550,13 +549,13 @@ bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head); | |||
550 | /* Write domain policy violation warning message to console? */ | 549 | /* Write domain policy violation warning message to console? */ |
551 | bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain); | 550 | bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain); |
552 | /* Convert double path operation to operation name. */ | 551 | /* Convert double path operation to operation name. */ |
553 | const char *tomoyo_dp2keyword(const u8 operation); | 552 | const char *tomoyo_path22keyword(const u8 operation); |
554 | /* Get the last component of the given domainname. */ | 553 | /* Get the last component of the given domainname. */ |
555 | const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain); | 554 | const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain); |
556 | /* Get warning message. */ | 555 | /* Get warning message. */ |
557 | const char *tomoyo_get_msg(const bool is_enforce); | 556 | const char *tomoyo_get_msg(const bool is_enforce); |
558 | /* Convert single path operation to operation name. */ | 557 | /* Convert single path operation to operation name. */ |
559 | const char *tomoyo_sp2keyword(const u8 operation); | 558 | const char *tomoyo_path2keyword(const u8 operation); |
560 | /* Create "alias" entry in exception policy. */ | 559 | /* Create "alias" entry in exception policy. */ |
561 | int tomoyo_write_alias_policy(char *data, const bool is_delete); | 560 | int tomoyo_write_alias_policy(char *data, const bool is_delete); |
562 | /* | 561 | /* |
@@ -638,11 +637,10 @@ int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, | |||
638 | const struct tomoyo_path_info *filename); | 637 | const struct tomoyo_path_info *filename); |
639 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | 638 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, |
640 | struct path *path, const int flag); | 639 | struct path *path, const int flag); |
641 | int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, | 640 | int tomoyo_path_perm(struct tomoyo_domain_info *domain, const u8 operation, |
642 | const u8 operation, struct path *path); | 641 | struct path *path); |
643 | int tomoyo_check_2path_perm(struct tomoyo_domain_info *domain, | 642 | int tomoyo_path2_perm(struct tomoyo_domain_info *domain, const u8 operation, |
644 | const u8 operation, struct path *path1, | 643 | struct path *path1, struct path *path2); |
645 | struct path *path2); | ||
646 | int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, | 644 | int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, |
647 | struct file *filp); | 645 | struct file *filp); |
648 | int tomoyo_find_next_domain(struct linux_binprm *bprm); | 646 | int tomoyo_find_next_domain(struct linux_binprm *bprm); |
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 10ee7cece080..09feaf24864d 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c | |||
@@ -12,62 +12,62 @@ | |||
12 | #include "common.h" | 12 | #include "common.h" |
13 | 13 | ||
14 | /* Keyword array for single path operations. */ | 14 | /* Keyword array for single path operations. */ |
15 | static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = { | 15 | static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = { |
16 | [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write", | 16 | [TOMOYO_TYPE_READ_WRITE] = "read/write", |
17 | [TOMOYO_TYPE_EXECUTE_ACL] = "execute", | 17 | [TOMOYO_TYPE_EXECUTE] = "execute", |
18 | [TOMOYO_TYPE_READ_ACL] = "read", | 18 | [TOMOYO_TYPE_READ] = "read", |
19 | [TOMOYO_TYPE_WRITE_ACL] = "write", | 19 | [TOMOYO_TYPE_WRITE] = "write", |
20 | [TOMOYO_TYPE_CREATE_ACL] = "create", | 20 | [TOMOYO_TYPE_CREATE] = "create", |
21 | [TOMOYO_TYPE_UNLINK_ACL] = "unlink", | 21 | [TOMOYO_TYPE_UNLINK] = "unlink", |
22 | [TOMOYO_TYPE_MKDIR_ACL] = "mkdir", | 22 | [TOMOYO_TYPE_MKDIR] = "mkdir", |
23 | [TOMOYO_TYPE_RMDIR_ACL] = "rmdir", | 23 | [TOMOYO_TYPE_RMDIR] = "rmdir", |
24 | [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo", | 24 | [TOMOYO_TYPE_MKFIFO] = "mkfifo", |
25 | [TOMOYO_TYPE_MKSOCK_ACL] = "mksock", | 25 | [TOMOYO_TYPE_MKSOCK] = "mksock", |
26 | [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock", | 26 | [TOMOYO_TYPE_MKBLOCK] = "mkblock", |
27 | [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar", | 27 | [TOMOYO_TYPE_MKCHAR] = "mkchar", |
28 | [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate", | 28 | [TOMOYO_TYPE_TRUNCATE] = "truncate", |
29 | [TOMOYO_TYPE_SYMLINK_ACL] = "symlink", | 29 | [TOMOYO_TYPE_SYMLINK] = "symlink", |
30 | [TOMOYO_TYPE_REWRITE_ACL] = "rewrite", | 30 | [TOMOYO_TYPE_REWRITE] = "rewrite", |
31 | [TOMOYO_TYPE_IOCTL_ACL] = "ioctl", | 31 | [TOMOYO_TYPE_IOCTL] = "ioctl", |
32 | [TOMOYO_TYPE_CHMOD_ACL] = "chmod", | 32 | [TOMOYO_TYPE_CHMOD] = "chmod", |
33 | [TOMOYO_TYPE_CHOWN_ACL] = "chown", | 33 | [TOMOYO_TYPE_CHOWN] = "chown", |
34 | [TOMOYO_TYPE_CHGRP_ACL] = "chgrp", | 34 | [TOMOYO_TYPE_CHGRP] = "chgrp", |
35 | [TOMOYO_TYPE_CHROOT_ACL] = "chroot", | 35 | [TOMOYO_TYPE_CHROOT] = "chroot", |
36 | [TOMOYO_TYPE_MOUNT_ACL] = "mount", | 36 | [TOMOYO_TYPE_MOUNT] = "mount", |
37 | [TOMOYO_TYPE_UMOUNT_ACL] = "unmount", | 37 | [TOMOYO_TYPE_UMOUNT] = "unmount", |
38 | }; | 38 | }; |
39 | 39 | ||
40 | /* Keyword array for double path operations. */ | 40 | /* Keyword array for double path operations. */ |
41 | static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = { | 41 | static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = { |
42 | [TOMOYO_TYPE_LINK_ACL] = "link", | 42 | [TOMOYO_TYPE_LINK] = "link", |
43 | [TOMOYO_TYPE_RENAME_ACL] = "rename", | 43 | [TOMOYO_TYPE_RENAME] = "rename", |
44 | [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root", | 44 | [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root", |
45 | }; | 45 | }; |
46 | 46 | ||
47 | /** | 47 | /** |
48 | * tomoyo_sp2keyword - Get the name of single path operation. | 48 | * tomoyo_path2keyword - Get the name of single path operation. |
49 | * | 49 | * |
50 | * @operation: Type of operation. | 50 | * @operation: Type of operation. |
51 | * | 51 | * |
52 | * Returns the name of single path operation. | 52 | * Returns the name of single path operation. |
53 | */ | 53 | */ |
54 | const char *tomoyo_sp2keyword(const u8 operation) | 54 | const char *tomoyo_path2keyword(const u8 operation) |
55 | { | 55 | { |
56 | return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION) | 56 | return (operation < TOMOYO_MAX_PATH_OPERATION) |
57 | ? tomoyo_sp_keyword[operation] : NULL; | 57 | ? tomoyo_path_keyword[operation] : NULL; |
58 | } | 58 | } |
59 | 59 | ||
60 | /** | 60 | /** |
61 | * tomoyo_dp2keyword - Get the name of double path operation. | 61 | * tomoyo_path22keyword - Get the name of double path operation. |
62 | * | 62 | * |
63 | * @operation: Type of operation. | 63 | * @operation: Type of operation. |
64 | * | 64 | * |
65 | * Returns the name of double path operation. | 65 | * Returns the name of double path operation. |
66 | */ | 66 | */ |
67 | const char *tomoyo_dp2keyword(const u8 operation) | 67 | const char *tomoyo_path22keyword(const u8 operation) |
68 | { | 68 | { |
69 | return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION) | 69 | return (operation < TOMOYO_MAX_PATH2_OPERATION) |
70 | ? tomoyo_dp_keyword[operation] : NULL; | 70 | ? tomoyo_path2_keyword[operation] : NULL; |
71 | } | 71 | } |
72 | 72 | ||
73 | /** | 73 | /** |
@@ -115,13 +115,13 @@ static struct tomoyo_path_info *tomoyo_get_path(struct path *path) | |||
115 | return NULL; | 115 | return NULL; |
116 | } | 116 | } |
117 | 117 | ||
118 | static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | 118 | static int tomoyo_update_path2_acl(const u8 type, const char *filename1, |
119 | const char *filename2, | 119 | const char *filename2, |
120 | struct tomoyo_domain_info * | 120 | struct tomoyo_domain_info *const domain, |
121 | const domain, const bool is_delete); | 121 | const bool is_delete); |
122 | static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | 122 | static int tomoyo_update_path_acl(const u8 type, const char *filename, |
123 | struct tomoyo_domain_info * | 123 | struct tomoyo_domain_info *const domain, |
124 | const domain, const bool is_delete); | 124 | const bool is_delete); |
125 | 125 | ||
126 | /* | 126 | /* |
127 | * tomoyo_globally_readable_list is used for holding list of pathnames which | 127 | * tomoyo_globally_readable_list is used for holding list of pathnames which |
@@ -597,19 +597,19 @@ static int tomoyo_update_file_acl(const char *filename, u8 perm, | |||
597 | */ | 597 | */ |
598 | return 0; | 598 | return 0; |
599 | if (perm & 4) | 599 | if (perm & 4) |
600 | tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename, | 600 | tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain, |
601 | domain, is_delete); | 601 | is_delete); |
602 | if (perm & 2) | 602 | if (perm & 2) |
603 | tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename, | 603 | tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain, |
604 | domain, is_delete); | 604 | is_delete); |
605 | if (perm & 1) | 605 | if (perm & 1) |
606 | tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL, | 606 | tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain, |
607 | filename, domain, is_delete); | 607 | is_delete); |
608 | return 0; | 608 | return 0; |
609 | } | 609 | } |
610 | 610 | ||
611 | /** | 611 | /** |
612 | * tomoyo_check_single_path_acl2 - Check permission for single path operation. | 612 | * tomoyo_path_acl2 - Check permission for single path operation. |
613 | * | 613 | * |
614 | * @domain: Pointer to "struct tomoyo_domain_info". | 614 | * @domain: Pointer to "struct tomoyo_domain_info". |
615 | * @filename: Filename to check. | 615 | * @filename: Filename to check. |
@@ -620,22 +620,18 @@ static int tomoyo_update_file_acl(const char *filename, u8 perm, | |||
620 | * | 620 | * |
621 | * Caller holds tomoyo_read_lock(). | 621 | * Caller holds tomoyo_read_lock(). |
622 | */ | 622 | */ |
623 | static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info * | 623 | static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain, |
624 | domain, | 624 | const struct tomoyo_path_info *filename, |
625 | const struct tomoyo_path_info * | 625 | const u32 perm, const bool may_use_pattern) |
626 | filename, | ||
627 | const u32 perm, | ||
628 | const bool may_use_pattern) | ||
629 | { | 626 | { |
630 | struct tomoyo_acl_info *ptr; | 627 | struct tomoyo_acl_info *ptr; |
631 | int error = -EPERM; | 628 | int error = -EPERM; |
632 | 629 | ||
633 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { | 630 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { |
634 | struct tomoyo_single_path_acl_record *acl; | 631 | struct tomoyo_path_acl *acl; |
635 | if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL) | 632 | if (ptr->type != TOMOYO_TYPE_PATH_ACL) |
636 | continue; | 633 | continue; |
637 | acl = container_of(ptr, struct tomoyo_single_path_acl_record, | 634 | acl = container_of(ptr, struct tomoyo_path_acl, head); |
638 | head); | ||
639 | if (perm <= 0xFFFF) { | 635 | if (perm <= 0xFFFF) { |
640 | if (!(acl->perm & perm)) | 636 | if (!(acl->perm & perm)) |
641 | continue; | 637 | continue; |
@@ -676,17 +672,16 @@ static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain, | |||
676 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) | 672 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) |
677 | return 0; | 673 | return 0; |
678 | if (operation == 6) | 674 | if (operation == 6) |
679 | perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL; | 675 | perm = 1 << TOMOYO_TYPE_READ_WRITE; |
680 | else if (operation == 4) | 676 | else if (operation == 4) |
681 | perm = 1 << TOMOYO_TYPE_READ_ACL; | 677 | perm = 1 << TOMOYO_TYPE_READ; |
682 | else if (operation == 2) | 678 | else if (operation == 2) |
683 | perm = 1 << TOMOYO_TYPE_WRITE_ACL; | 679 | perm = 1 << TOMOYO_TYPE_WRITE; |
684 | else if (operation == 1) | 680 | else if (operation == 1) |
685 | perm = 1 << TOMOYO_TYPE_EXECUTE_ACL; | 681 | perm = 1 << TOMOYO_TYPE_EXECUTE; |
686 | else | 682 | else |
687 | BUG(); | 683 | BUG(); |
688 | return tomoyo_check_single_path_acl2(domain, filename, perm, | 684 | return tomoyo_path_acl2(domain, filename, perm, operation != 1); |
689 | operation != 1); | ||
690 | } | 685 | } |
691 | 686 | ||
692 | /** | 687 | /** |
@@ -718,13 +713,13 @@ static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain, | |||
718 | && tomoyo_is_globally_readable_file(filename)) | 713 | && tomoyo_is_globally_readable_file(filename)) |
719 | error = 0; | 714 | error = 0; |
720 | if (perm == 6) | 715 | if (perm == 6) |
721 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL); | 716 | msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE); |
722 | else if (perm == 4) | 717 | else if (perm == 4) |
723 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL); | 718 | msg = tomoyo_path2keyword(TOMOYO_TYPE_READ); |
724 | else if (perm == 2) | 719 | else if (perm == 2) |
725 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL); | 720 | msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE); |
726 | else if (perm == 1) | 721 | else if (perm == 1) |
727 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL); | 722 | msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE); |
728 | else | 723 | else |
729 | BUG(); | 724 | BUG(); |
730 | if (!error) | 725 | if (!error) |
@@ -773,28 +768,28 @@ int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, | |||
773 | if (strncmp(data, "allow_", 6)) | 768 | if (strncmp(data, "allow_", 6)) |
774 | goto out; | 769 | goto out; |
775 | data += 6; | 770 | data += 6; |
776 | for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) { | 771 | for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) { |
777 | if (strcmp(data, tomoyo_sp_keyword[type])) | 772 | if (strcmp(data, tomoyo_path_keyword[type])) |
778 | continue; | 773 | continue; |
779 | return tomoyo_update_single_path_acl(type, filename, | 774 | return tomoyo_update_path_acl(type, filename, domain, |
780 | domain, is_delete); | 775 | is_delete); |
781 | } | 776 | } |
782 | filename2 = strchr(filename, ' '); | 777 | filename2 = strchr(filename, ' '); |
783 | if (!filename2) | 778 | if (!filename2) |
784 | goto out; | 779 | goto out; |
785 | *filename2++ = '\0'; | 780 | *filename2++ = '\0'; |
786 | for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) { | 781 | for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) { |
787 | if (strcmp(data, tomoyo_dp_keyword[type])) | 782 | if (strcmp(data, tomoyo_path2_keyword[type])) |
788 | continue; | 783 | continue; |
789 | return tomoyo_update_double_path_acl(type, filename, filename2, | 784 | return tomoyo_update_path2_acl(type, filename, filename2, |
790 | domain, is_delete); | 785 | domain, is_delete); |
791 | } | 786 | } |
792 | out: | 787 | out: |
793 | return -EINVAL; | 788 | return -EINVAL; |
794 | } | 789 | } |
795 | 790 | ||
796 | /** | 791 | /** |
797 | * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list. | 792 | * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list. |
798 | * | 793 | * |
799 | * @type: Type of operation. | 794 | * @type: Type of operation. |
800 | * @filename: Filename. | 795 | * @filename: Filename. |
@@ -805,15 +800,15 @@ int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, | |||
805 | * | 800 | * |
806 | * Caller holds tomoyo_read_lock(). | 801 | * Caller holds tomoyo_read_lock(). |
807 | */ | 802 | */ |
808 | static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | 803 | static int tomoyo_update_path_acl(const u8 type, const char *filename, |
809 | struct tomoyo_domain_info * | 804 | struct tomoyo_domain_info *const domain, |
810 | const domain, const bool is_delete) | 805 | const bool is_delete) |
811 | { | 806 | { |
812 | static const u32 rw_mask = | 807 | static const u32 rw_mask = |
813 | (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL); | 808 | (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE); |
814 | const struct tomoyo_path_info *saved_filename; | 809 | const struct tomoyo_path_info *saved_filename; |
815 | struct tomoyo_acl_info *ptr; | 810 | struct tomoyo_acl_info *ptr; |
816 | struct tomoyo_single_path_acl_record *entry = NULL; | 811 | struct tomoyo_path_acl *entry = NULL; |
817 | int error = is_delete ? -ENOENT : -ENOMEM; | 812 | int error = is_delete ? -ENOENT : -ENOMEM; |
818 | const u32 perm = 1 << type; | 813 | const u32 perm = 1 << type; |
819 | 814 | ||
@@ -828,10 +823,9 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | |||
828 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | 823 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); |
829 | mutex_lock(&tomoyo_policy_lock); | 824 | mutex_lock(&tomoyo_policy_lock); |
830 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { | 825 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { |
831 | struct tomoyo_single_path_acl_record *acl = | 826 | struct tomoyo_path_acl *acl = |
832 | container_of(ptr, struct tomoyo_single_path_acl_record, | 827 | container_of(ptr, struct tomoyo_path_acl, head); |
833 | head); | 828 | if (ptr->type != TOMOYO_TYPE_PATH_ACL) |
834 | if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL) | ||
835 | continue; | 829 | continue; |
836 | if (acl->filename != saved_filename) | 830 | if (acl->filename != saved_filename) |
837 | continue; | 831 | continue; |
@@ -841,9 +835,8 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | |||
841 | else | 835 | else |
842 | acl->perm_high &= ~(perm >> 16); | 836 | acl->perm_high &= ~(perm >> 16); |
843 | if ((acl->perm & rw_mask) != rw_mask) | 837 | if ((acl->perm & rw_mask) != rw_mask) |
844 | acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL); | 838 | acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE); |
845 | else if (!(acl->perm & | 839 | else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))) |
846 | (1 << TOMOYO_TYPE_READ_WRITE_ACL))) | ||
847 | acl->perm &= ~rw_mask; | 840 | acl->perm &= ~rw_mask; |
848 | } else { | 841 | } else { |
849 | if (perm <= 0xFFFF) | 842 | if (perm <= 0xFFFF) |
@@ -851,20 +844,20 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | |||
851 | else | 844 | else |
852 | acl->perm_high |= (perm >> 16); | 845 | acl->perm_high |= (perm >> 16); |
853 | if ((acl->perm & rw_mask) == rw_mask) | 846 | if ((acl->perm & rw_mask) == rw_mask) |
854 | acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL; | 847 | acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE; |
855 | else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) | 848 | else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)) |
856 | acl->perm |= rw_mask; | 849 | acl->perm |= rw_mask; |
857 | } | 850 | } |
858 | error = 0; | 851 | error = 0; |
859 | break; | 852 | break; |
860 | } | 853 | } |
861 | if (!is_delete && error && tomoyo_memory_ok(entry)) { | 854 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
862 | entry->head.type = TOMOYO_TYPE_SINGLE_PATH_ACL; | 855 | entry->head.type = TOMOYO_TYPE_PATH_ACL; |
863 | if (perm <= 0xFFFF) | 856 | if (perm <= 0xFFFF) |
864 | entry->perm = perm; | 857 | entry->perm = perm; |
865 | else | 858 | else |
866 | entry->perm_high = (perm >> 16); | 859 | entry->perm_high = (perm >> 16); |
867 | if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL)) | 860 | if (perm == (1 << TOMOYO_TYPE_READ_WRITE)) |
868 | entry->perm |= rw_mask; | 861 | entry->perm |= rw_mask; |
869 | entry->filename = saved_filename; | 862 | entry->filename = saved_filename; |
870 | saved_filename = NULL; | 863 | saved_filename = NULL; |
@@ -879,7 +872,7 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | |||
879 | } | 872 | } |
880 | 873 | ||
881 | /** | 874 | /** |
882 | * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list. | 875 | * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list. |
883 | * | 876 | * |
884 | * @type: Type of operation. | 877 | * @type: Type of operation. |
885 | * @filename1: First filename. | 878 | * @filename1: First filename. |
@@ -891,15 +884,15 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | |||
891 | * | 884 | * |
892 | * Caller holds tomoyo_read_lock(). | 885 | * Caller holds tomoyo_read_lock(). |
893 | */ | 886 | */ |
894 | static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | 887 | static int tomoyo_update_path2_acl(const u8 type, const char *filename1, |
895 | const char *filename2, | 888 | const char *filename2, |
896 | struct tomoyo_domain_info * | 889 | struct tomoyo_domain_info *const domain, |
897 | const domain, const bool is_delete) | 890 | const bool is_delete) |
898 | { | 891 | { |
899 | const struct tomoyo_path_info *saved_filename1; | 892 | const struct tomoyo_path_info *saved_filename1; |
900 | const struct tomoyo_path_info *saved_filename2; | 893 | const struct tomoyo_path_info *saved_filename2; |
901 | struct tomoyo_acl_info *ptr; | 894 | struct tomoyo_acl_info *ptr; |
902 | struct tomoyo_double_path_acl_record *entry = NULL; | 895 | struct tomoyo_path2_acl *entry = NULL; |
903 | int error = is_delete ? -ENOENT : -ENOMEM; | 896 | int error = is_delete ? -ENOENT : -ENOMEM; |
904 | const u8 perm = 1 << type; | 897 | const u8 perm = 1 << type; |
905 | 898 | ||
@@ -916,10 +909,9 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | |||
916 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | 909 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); |
917 | mutex_lock(&tomoyo_policy_lock); | 910 | mutex_lock(&tomoyo_policy_lock); |
918 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { | 911 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { |
919 | struct tomoyo_double_path_acl_record *acl = | 912 | struct tomoyo_path2_acl *acl = |
920 | container_of(ptr, struct tomoyo_double_path_acl_record, | 913 | container_of(ptr, struct tomoyo_path2_acl, head); |
921 | head); | 914 | if (ptr->type != TOMOYO_TYPE_PATH2_ACL) |
922 | if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL) | ||
923 | continue; | 915 | continue; |
924 | if (acl->filename1 != saved_filename1 || | 916 | if (acl->filename1 != saved_filename1 || |
925 | acl->filename2 != saved_filename2) | 917 | acl->filename2 != saved_filename2) |
@@ -932,7 +924,7 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | |||
932 | break; | 924 | break; |
933 | } | 925 | } |
934 | if (!is_delete && error && tomoyo_memory_ok(entry)) { | 926 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
935 | entry->head.type = TOMOYO_TYPE_DOUBLE_PATH_ACL; | 927 | entry->head.type = TOMOYO_TYPE_PATH2_ACL; |
936 | entry->perm = perm; | 928 | entry->perm = perm; |
937 | entry->filename1 = saved_filename1; | 929 | entry->filename1 = saved_filename1; |
938 | saved_filename1 = NULL; | 930 | saved_filename1 = NULL; |
@@ -951,7 +943,7 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | |||
951 | } | 943 | } |
952 | 944 | ||
953 | /** | 945 | /** |
954 | * tomoyo_check_single_path_acl - Check permission for single path operation. | 946 | * tomoyo_path_acl - Check permission for single path operation. |
955 | * | 947 | * |
956 | * @domain: Pointer to "struct tomoyo_domain_info". | 948 | * @domain: Pointer to "struct tomoyo_domain_info". |
957 | * @type: Type of operation. | 949 | * @type: Type of operation. |
@@ -961,17 +953,16 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | |||
961 | * | 953 | * |
962 | * Caller holds tomoyo_read_lock(). | 954 | * Caller holds tomoyo_read_lock(). |
963 | */ | 955 | */ |
964 | static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain, | 956 | static int tomoyo_path_acl(struct tomoyo_domain_info *domain, const u8 type, |
965 | const u8 type, | 957 | const struct tomoyo_path_info *filename) |
966 | const struct tomoyo_path_info *filename) | ||
967 | { | 958 | { |
968 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) | 959 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) |
969 | return 0; | 960 | return 0; |
970 | return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1); | 961 | return tomoyo_path_acl2(domain, filename, 1 << type, 1); |
971 | } | 962 | } |
972 | 963 | ||
973 | /** | 964 | /** |
974 | * tomoyo_check_double_path_acl - Check permission for double path operation. | 965 | * tomoyo_path2_acl - Check permission for double path operation. |
975 | * | 966 | * |
976 | * @domain: Pointer to "struct tomoyo_domain_info". | 967 | * @domain: Pointer to "struct tomoyo_domain_info". |
977 | * @type: Type of operation. | 968 | * @type: Type of operation. |
@@ -982,12 +973,10 @@ static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain, | |||
982 | * | 973 | * |
983 | * Caller holds tomoyo_read_lock(). | 974 | * Caller holds tomoyo_read_lock(). |
984 | */ | 975 | */ |
985 | static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain, | 976 | static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain, |
986 | const u8 type, | 977 | const u8 type, |
987 | const struct tomoyo_path_info * | 978 | const struct tomoyo_path_info *filename1, |
988 | filename1, | 979 | const struct tomoyo_path_info *filename2) |
989 | const struct tomoyo_path_info * | ||
990 | filename2) | ||
991 | { | 980 | { |
992 | struct tomoyo_acl_info *ptr; | 981 | struct tomoyo_acl_info *ptr; |
993 | const u8 perm = 1 << type; | 982 | const u8 perm = 1 << type; |
@@ -996,11 +985,10 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain, | |||
996 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) | 985 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) |
997 | return 0; | 986 | return 0; |
998 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { | 987 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { |
999 | struct tomoyo_double_path_acl_record *acl; | 988 | struct tomoyo_path2_acl *acl; |
1000 | if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL) | 989 | if (ptr->type != TOMOYO_TYPE_PATH2_ACL) |
1001 | continue; | 990 | continue; |
1002 | acl = container_of(ptr, struct tomoyo_double_path_acl_record, | 991 | acl = container_of(ptr, struct tomoyo_path2_acl, head); |
1003 | head); | ||
1004 | if (!(acl->perm & perm)) | 992 | if (!(acl->perm & perm)) |
1005 | continue; | 993 | continue; |
1006 | if (!tomoyo_path_matches_pattern(filename1, acl->filename1)) | 994 | if (!tomoyo_path_matches_pattern(filename1, acl->filename1)) |
@@ -1014,7 +1002,7 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain, | |||
1014 | } | 1002 | } |
1015 | 1003 | ||
1016 | /** | 1004 | /** |
1017 | * tomoyo_check_single_path_permission2 - Check permission for single path operation. | 1005 | * tomoyo_path_permission2 - Check permission for single path operation. |
1018 | * | 1006 | * |
1019 | * @domain: Pointer to "struct tomoyo_domain_info". | 1007 | * @domain: Pointer to "struct tomoyo_domain_info". |
1020 | * @operation: Type of operation. | 1008 | * @operation: Type of operation. |
@@ -1025,10 +1013,10 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain, | |||
1025 | * | 1013 | * |
1026 | * Caller holds tomoyo_read_lock(). | 1014 | * Caller holds tomoyo_read_lock(). |
1027 | */ | 1015 | */ |
1028 | static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * | 1016 | static int tomoyo_path_permission2(struct tomoyo_domain_info *const domain, |
1029 | const domain, u8 operation, | 1017 | u8 operation, |
1030 | const struct tomoyo_path_info * | 1018 | const struct tomoyo_path_info *filename, |
1031 | filename, const u8 mode) | 1019 | const u8 mode) |
1032 | { | 1020 | { |
1033 | const char *msg; | 1021 | const char *msg; |
1034 | int error; | 1022 | int error; |
@@ -1037,8 +1025,8 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * | |||
1037 | if (!mode) | 1025 | if (!mode) |
1038 | return 0; | 1026 | return 0; |
1039 | next: | 1027 | next: |
1040 | error = tomoyo_check_single_path_acl(domain, operation, filename); | 1028 | error = tomoyo_path_acl(domain, operation, filename); |
1041 | msg = tomoyo_sp2keyword(operation); | 1029 | msg = tomoyo_path2keyword(operation); |
1042 | if (!error) | 1030 | if (!error) |
1043 | goto ok; | 1031 | goto ok; |
1044 | if (tomoyo_verbose_mode(domain)) | 1032 | if (tomoyo_verbose_mode(domain)) |
@@ -1047,7 +1035,7 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * | |||
1047 | tomoyo_get_last_name(domain)); | 1035 | tomoyo_get_last_name(domain)); |
1048 | if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { | 1036 | if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { |
1049 | const char *name = tomoyo_get_file_pattern(filename)->name; | 1037 | const char *name = tomoyo_get_file_pattern(filename)->name; |
1050 | tomoyo_update_single_path_acl(operation, name, domain, false); | 1038 | tomoyo_update_path_acl(operation, name, domain, false); |
1051 | } | 1039 | } |
1052 | if (!is_enforce) | 1040 | if (!is_enforce) |
1053 | error = 0; | 1041 | error = 0; |
@@ -1057,9 +1045,9 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * | |||
1057 | * we need to check "allow_rewrite" permission if the filename is | 1045 | * we need to check "allow_rewrite" permission if the filename is |
1058 | * specified by "deny_rewrite" keyword. | 1046 | * specified by "deny_rewrite" keyword. |
1059 | */ | 1047 | */ |
1060 | if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL && | 1048 | if (!error && operation == TOMOYO_TYPE_TRUNCATE && |
1061 | tomoyo_is_no_rewrite_file(filename)) { | 1049 | tomoyo_is_no_rewrite_file(filename)) { |
1062 | operation = TOMOYO_TYPE_REWRITE_ACL; | 1050 | operation = TOMOYO_TYPE_REWRITE; |
1063 | goto next; | 1051 | goto next; |
1064 | } | 1052 | } |
1065 | return error; | 1053 | return error; |
@@ -1127,17 +1115,15 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
1127 | if ((acc_mode & MAY_WRITE) && | 1115 | if ((acc_mode & MAY_WRITE) && |
1128 | ((flag & O_TRUNC) || !(flag & O_APPEND)) && | 1116 | ((flag & O_TRUNC) || !(flag & O_APPEND)) && |
1129 | (tomoyo_is_no_rewrite_file(buf))) { | 1117 | (tomoyo_is_no_rewrite_file(buf))) { |
1130 | error = tomoyo_check_single_path_permission2(domain, | 1118 | error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, |
1131 | TOMOYO_TYPE_REWRITE_ACL, | 1119 | buf, mode); |
1132 | buf, mode); | ||
1133 | } | 1120 | } |
1134 | if (!error) | 1121 | if (!error) |
1135 | error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open", | 1122 | error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open", |
1136 | mode); | 1123 | mode); |
1137 | if (!error && (flag & O_TRUNC)) | 1124 | if (!error && (flag & O_TRUNC)) |
1138 | error = tomoyo_check_single_path_permission2(domain, | 1125 | error = tomoyo_path_permission2(domain, TOMOYO_TYPE_TRUNCATE, |
1139 | TOMOYO_TYPE_TRUNCATE_ACL, | 1126 | buf, mode); |
1140 | buf, mode); | ||
1141 | out: | 1127 | out: |
1142 | kfree(buf); | 1128 | kfree(buf); |
1143 | tomoyo_read_unlock(idx); | 1129 | tomoyo_read_unlock(idx); |
@@ -1147,7 +1133,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
1147 | } | 1133 | } |
1148 | 1134 | ||
1149 | /** | 1135 | /** |
1150 | * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". | 1136 | * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". |
1151 | * | 1137 | * |
1152 | * @domain: Pointer to "struct tomoyo_domain_info". | 1138 | * @domain: Pointer to "struct tomoyo_domain_info". |
1153 | * @operation: Type of operation. | 1139 | * @operation: Type of operation. |
@@ -1155,8 +1141,8 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
1155 | * | 1141 | * |
1156 | * Returns 0 on success, negative value otherwise. | 1142 | * Returns 0 on success, negative value otherwise. |
1157 | */ | 1143 | */ |
1158 | int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, | 1144 | int tomoyo_path_perm(struct tomoyo_domain_info *domain, |
1159 | const u8 operation, struct path *path) | 1145 | const u8 operation, struct path *path) |
1160 | { | 1146 | { |
1161 | int error = -ENOMEM; | 1147 | int error = -ENOMEM; |
1162 | struct tomoyo_path_info *buf; | 1148 | struct tomoyo_path_info *buf; |
@@ -1171,9 +1157,9 @@ int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, | |||
1171 | if (!buf) | 1157 | if (!buf) |
1172 | goto out; | 1158 | goto out; |
1173 | switch (operation) { | 1159 | switch (operation) { |
1174 | case TOMOYO_TYPE_MKDIR_ACL: | 1160 | case TOMOYO_TYPE_MKDIR: |
1175 | case TOMOYO_TYPE_RMDIR_ACL: | 1161 | case TOMOYO_TYPE_RMDIR: |
1176 | case TOMOYO_TYPE_CHROOT_ACL: | 1162 | case TOMOYO_TYPE_CHROOT: |
1177 | if (!buf->is_dir) { | 1163 | if (!buf->is_dir) { |
1178 | /* | 1164 | /* |
1179 | * tomoyo_get_path() reserves space for appending "/." | 1165 | * tomoyo_get_path() reserves space for appending "/." |
@@ -1182,8 +1168,7 @@ int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, | |||
1182 | tomoyo_fill_path_info(buf); | 1168 | tomoyo_fill_path_info(buf); |
1183 | } | 1169 | } |
1184 | } | 1170 | } |
1185 | error = tomoyo_check_single_path_permission2(domain, operation, buf, | 1171 | error = tomoyo_path_permission2(domain, operation, buf, mode); |
1186 | mode); | ||
1187 | out: | 1172 | out: |
1188 | kfree(buf); | 1173 | kfree(buf); |
1189 | tomoyo_read_unlock(idx); | 1174 | tomoyo_read_unlock(idx); |
@@ -1220,9 +1205,7 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, | |||
1220 | error = 0; | 1205 | error = 0; |
1221 | goto out; | 1206 | goto out; |
1222 | } | 1207 | } |
1223 | error = tomoyo_check_single_path_permission2(domain, | 1208 | error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, buf, mode); |
1224 | TOMOYO_TYPE_REWRITE_ACL, | ||
1225 | buf, mode); | ||
1226 | out: | 1209 | out: |
1227 | kfree(buf); | 1210 | kfree(buf); |
1228 | tomoyo_read_unlock(idx); | 1211 | tomoyo_read_unlock(idx); |
@@ -1232,7 +1215,7 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, | |||
1232 | } | 1215 | } |
1233 | 1216 | ||
1234 | /** | 1217 | /** |
1235 | * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root". | 1218 | * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root". |
1236 | * | 1219 | * |
1237 | * @domain: Pointer to "struct tomoyo_domain_info". | 1220 | * @domain: Pointer to "struct tomoyo_domain_info". |
1238 | * @operation: Type of operation. | 1221 | * @operation: Type of operation. |
@@ -1241,9 +1224,9 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, | |||
1241 | * | 1224 | * |
1242 | * Returns 0 on success, negative value otherwise. | 1225 | * Returns 0 on success, negative value otherwise. |
1243 | */ | 1226 | */ |
1244 | int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain, | 1227 | int tomoyo_path2_perm(struct tomoyo_domain_info * const domain, |
1245 | const u8 operation, struct path *path1, | 1228 | const u8 operation, struct path *path1, |
1246 | struct path *path2) | 1229 | struct path *path2) |
1247 | { | 1230 | { |
1248 | int error = -ENOMEM; | 1231 | int error = -ENOMEM; |
1249 | struct tomoyo_path_info *buf1, *buf2; | 1232 | struct tomoyo_path_info *buf1, *buf2; |
@@ -1275,8 +1258,8 @@ int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain, | |||
1275 | } | 1258 | } |
1276 | } | 1259 | } |
1277 | } | 1260 | } |
1278 | error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2); | 1261 | error = tomoyo_path2_acl(domain, operation, buf1, buf2); |
1279 | msg = tomoyo_dp2keyword(operation); | 1262 | msg = tomoyo_path22keyword(operation); |
1280 | if (!error) | 1263 | if (!error) |
1281 | goto out; | 1264 | goto out; |
1282 | if (tomoyo_verbose_mode(domain)) | 1265 | if (tomoyo_verbose_mode(domain)) |
@@ -1287,8 +1270,8 @@ int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain, | |||
1287 | if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { | 1270 | if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { |
1288 | const char *name1 = tomoyo_get_file_pattern(buf1)->name; | 1271 | const char *name1 = tomoyo_get_file_pattern(buf1)->name; |
1289 | const char *name2 = tomoyo_get_file_pattern(buf2)->name; | 1272 | const char *name2 = tomoyo_get_file_pattern(buf2)->name; |
1290 | tomoyo_update_double_path_acl(operation, name1, name2, domain, | 1273 | tomoyo_update_path2_acl(operation, name1, name2, domain, |
1291 | false); | 1274 | false); |
1292 | } | 1275 | } |
1293 | out: | 1276 | out: |
1294 | kfree(buf1); | 1277 | kfree(buf1); |
diff --git a/security/tomoyo/gc.c b/security/tomoyo/gc.c index ee15da39387d..9645525ccdd4 100644 --- a/security/tomoyo/gc.c +++ b/security/tomoyo/gc.c | |||
@@ -86,16 +86,16 @@ static void tomoyo_del_manager(struct tomoyo_policy_manager_entry *ptr) | |||
86 | static void tomoyo_del_acl(struct tomoyo_acl_info *acl) | 86 | static void tomoyo_del_acl(struct tomoyo_acl_info *acl) |
87 | { | 87 | { |
88 | switch (acl->type) { | 88 | switch (acl->type) { |
89 | case TOMOYO_TYPE_SINGLE_PATH_ACL: | 89 | case TOMOYO_TYPE_PATH_ACL: |
90 | { | 90 | { |
91 | struct tomoyo_single_path_acl_record *entry | 91 | struct tomoyo_path_acl *entry |
92 | = container_of(acl, typeof(*entry), head); | 92 | = container_of(acl, typeof(*entry), head); |
93 | tomoyo_put_name(entry->filename); | 93 | tomoyo_put_name(entry->filename); |
94 | } | 94 | } |
95 | break; | 95 | break; |
96 | case TOMOYO_TYPE_DOUBLE_PATH_ACL: | 96 | case TOMOYO_TYPE_PATH2_ACL: |
97 | { | 97 | { |
98 | struct tomoyo_double_path_acl_record *entry | 98 | struct tomoyo_path2_acl *entry |
99 | = container_of(acl, typeof(*entry), head); | 99 | = container_of(acl, typeof(*entry), head); |
100 | tomoyo_put_name(entry->filename1); | 100 | tomoyo_put_name(entry->filename1); |
101 | tomoyo_put_name(entry->filename2); | 101 | tomoyo_put_name(entry->filename2); |
@@ -238,18 +238,18 @@ static void tomoyo_collect_entry(void) | |||
238 | list_for_each_entry_rcu(acl, &domain->acl_info_list, | 238 | list_for_each_entry_rcu(acl, &domain->acl_info_list, |
239 | list) { | 239 | list) { |
240 | switch (acl->type) { | 240 | switch (acl->type) { |
241 | case TOMOYO_TYPE_SINGLE_PATH_ACL: | 241 | case TOMOYO_TYPE_PATH_ACL: |
242 | if (container_of(acl, | 242 | if (container_of(acl, |
243 | struct tomoyo_single_path_acl_record, | 243 | struct tomoyo_path_acl, |
244 | head)->perm || | 244 | head)->perm || |
245 | container_of(acl, | 245 | container_of(acl, |
246 | struct tomoyo_single_path_acl_record, | 246 | struct tomoyo_path_acl, |
247 | head)->perm_high) | 247 | head)->perm_high) |
248 | continue; | 248 | continue; |
249 | break; | 249 | break; |
250 | case TOMOYO_TYPE_DOUBLE_PATH_ACL: | 250 | case TOMOYO_TYPE_PATH2_ACL: |
251 | if (container_of(acl, | 251 | if (container_of(acl, |
252 | struct tomoyo_double_path_acl_record, | 252 | struct tomoyo_path2_acl, |
253 | head)->perm) | 253 | head)->perm) |
254 | continue; | 254 | continue; |
255 | break; | 255 | break; |
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 87e82bfeac2f..e3945d0511b8 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c | |||
@@ -100,67 +100,56 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm) | |||
100 | static int tomoyo_path_truncate(struct path *path, loff_t length, | 100 | static int tomoyo_path_truncate(struct path *path, loff_t length, |
101 | unsigned int time_attrs) | 101 | unsigned int time_attrs) |
102 | { | 102 | { |
103 | return tomoyo_check_1path_perm(tomoyo_domain(), | 103 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_TRUNCATE, path); |
104 | TOMOYO_TYPE_TRUNCATE_ACL, | ||
105 | path); | ||
106 | } | 104 | } |
107 | 105 | ||
108 | static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry) | 106 | static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry) |
109 | { | 107 | { |
110 | struct path path = { parent->mnt, dentry }; | 108 | struct path path = { parent->mnt, dentry }; |
111 | return tomoyo_check_1path_perm(tomoyo_domain(), | 109 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_UNLINK, &path); |
112 | TOMOYO_TYPE_UNLINK_ACL, | ||
113 | &path); | ||
114 | } | 110 | } |
115 | 111 | ||
116 | static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry, | 112 | static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry, |
117 | int mode) | 113 | int mode) |
118 | { | 114 | { |
119 | struct path path = { parent->mnt, dentry }; | 115 | struct path path = { parent->mnt, dentry }; |
120 | return tomoyo_check_1path_perm(tomoyo_domain(), | 116 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_MKDIR, &path); |
121 | TOMOYO_TYPE_MKDIR_ACL, | ||
122 | &path); | ||
123 | } | 117 | } |
124 | 118 | ||
125 | static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry) | 119 | static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry) |
126 | { | 120 | { |
127 | struct path path = { parent->mnt, dentry }; | 121 | struct path path = { parent->mnt, dentry }; |
128 | return tomoyo_check_1path_perm(tomoyo_domain(), | 122 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_RMDIR, &path); |
129 | TOMOYO_TYPE_RMDIR_ACL, | ||
130 | &path); | ||
131 | } | 123 | } |
132 | 124 | ||
133 | static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry, | 125 | static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry, |
134 | const char *old_name) | 126 | const char *old_name) |
135 | { | 127 | { |
136 | struct path path = { parent->mnt, dentry }; | 128 | struct path path = { parent->mnt, dentry }; |
137 | return tomoyo_check_1path_perm(tomoyo_domain(), | 129 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_SYMLINK, &path); |
138 | TOMOYO_TYPE_SYMLINK_ACL, | ||
139 | &path); | ||
140 | } | 130 | } |
141 | 131 | ||
142 | static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry, | 132 | static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry, |
143 | int mode, unsigned int dev) | 133 | int mode, unsigned int dev) |
144 | { | 134 | { |
145 | struct path path = { parent->mnt, dentry }; | 135 | struct path path = { parent->mnt, dentry }; |
146 | int type = TOMOYO_TYPE_CREATE_ACL; | 136 | int type = TOMOYO_TYPE_CREATE; |
147 | 137 | ||
148 | switch (mode & S_IFMT) { | 138 | switch (mode & S_IFMT) { |
149 | case S_IFCHR: | 139 | case S_IFCHR: |
150 | type = TOMOYO_TYPE_MKCHAR_ACL; | 140 | type = TOMOYO_TYPE_MKCHAR; |
151 | break; | 141 | break; |
152 | case S_IFBLK: | 142 | case S_IFBLK: |
153 | type = TOMOYO_TYPE_MKBLOCK_ACL; | 143 | type = TOMOYO_TYPE_MKBLOCK; |
154 | break; | 144 | break; |
155 | case S_IFIFO: | 145 | case S_IFIFO: |
156 | type = TOMOYO_TYPE_MKFIFO_ACL; | 146 | type = TOMOYO_TYPE_MKFIFO; |
157 | break; | 147 | break; |
158 | case S_IFSOCK: | 148 | case S_IFSOCK: |
159 | type = TOMOYO_TYPE_MKSOCK_ACL; | 149 | type = TOMOYO_TYPE_MKSOCK; |
160 | break; | 150 | break; |
161 | } | 151 | } |
162 | return tomoyo_check_1path_perm(tomoyo_domain(), | 152 | return tomoyo_path_perm(tomoyo_domain(), type, &path); |
163 | type, &path); | ||
164 | } | 153 | } |
165 | 154 | ||
166 | static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir, | 155 | static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir, |
@@ -168,9 +157,8 @@ static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir, | |||
168 | { | 157 | { |
169 | struct path path1 = { new_dir->mnt, old_dentry }; | 158 | struct path path1 = { new_dir->mnt, old_dentry }; |
170 | struct path path2 = { new_dir->mnt, new_dentry }; | 159 | struct path path2 = { new_dir->mnt, new_dentry }; |
171 | return tomoyo_check_2path_perm(tomoyo_domain(), | 160 | return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_LINK, &path1, |
172 | TOMOYO_TYPE_LINK_ACL, | 161 | &path2); |
173 | &path1, &path2); | ||
174 | } | 162 | } |
175 | 163 | ||
176 | static int tomoyo_path_rename(struct path *old_parent, | 164 | static int tomoyo_path_rename(struct path *old_parent, |
@@ -180,9 +168,8 @@ static int tomoyo_path_rename(struct path *old_parent, | |||
180 | { | 168 | { |
181 | struct path path1 = { old_parent->mnt, old_dentry }; | 169 | struct path path1 = { old_parent->mnt, old_dentry }; |
182 | struct path path2 = { new_parent->mnt, new_dentry }; | 170 | struct path path2 = { new_parent->mnt, new_dentry }; |
183 | return tomoyo_check_2path_perm(tomoyo_domain(), | 171 | return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_RENAME, &path1, |
184 | TOMOYO_TYPE_RENAME_ACL, | 172 | &path2); |
185 | &path1, &path2); | ||
186 | } | 173 | } |
187 | 174 | ||
188 | static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, | 175 | static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, |
@@ -209,55 +196,50 @@ static int tomoyo_dentry_open(struct file *f, const struct cred *cred) | |||
209 | static int tomoyo_file_ioctl(struct file *file, unsigned int cmd, | 196 | static int tomoyo_file_ioctl(struct file *file, unsigned int cmd, |
210 | unsigned long arg) | 197 | unsigned long arg) |
211 | { | 198 | { |
212 | return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_IOCTL_ACL, | 199 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_IOCTL, |
213 | &file->f_path); | 200 | &file->f_path); |
214 | } | 201 | } |
215 | 202 | ||
216 | static int tomoyo_path_chmod(struct dentry *dentry, struct vfsmount *mnt, | 203 | static int tomoyo_path_chmod(struct dentry *dentry, struct vfsmount *mnt, |
217 | mode_t mode) | 204 | mode_t mode) |
218 | { | 205 | { |
219 | struct path path = { mnt, dentry }; | 206 | struct path path = { mnt, dentry }; |
220 | return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_CHMOD_ACL, | 207 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHMOD, &path); |
221 | &path); | ||
222 | } | 208 | } |
223 | 209 | ||
224 | static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid) | 210 | static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid) |
225 | { | 211 | { |
226 | int error = 0; | 212 | int error = 0; |
227 | if (uid != (uid_t) -1) | 213 | if (uid != (uid_t) -1) |
228 | error = tomoyo_check_1path_perm(tomoyo_domain(), | 214 | error = tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHOWN, |
229 | TOMOYO_TYPE_CHOWN_ACL, path); | 215 | path); |
230 | if (!error && gid != (gid_t) -1) | 216 | if (!error && gid != (gid_t) -1) |
231 | error = tomoyo_check_1path_perm(tomoyo_domain(), | 217 | error = tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHGRP, |
232 | TOMOYO_TYPE_CHGRP_ACL, path); | 218 | path); |
233 | return error; | 219 | return error; |
234 | } | 220 | } |
235 | 221 | ||
236 | static int tomoyo_path_chroot(struct path *path) | 222 | static int tomoyo_path_chroot(struct path *path) |
237 | { | 223 | { |
238 | return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_CHROOT_ACL, | 224 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHROOT, path); |
239 | path); | ||
240 | } | 225 | } |
241 | 226 | ||
242 | static int tomoyo_sb_mount(char *dev_name, struct path *path, | 227 | static int tomoyo_sb_mount(char *dev_name, struct path *path, |
243 | char *type, unsigned long flags, void *data) | 228 | char *type, unsigned long flags, void *data) |
244 | { | 229 | { |
245 | return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_MOUNT_ACL, | 230 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_MOUNT, path); |
246 | path); | ||
247 | } | 231 | } |
248 | 232 | ||
249 | static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) | 233 | static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) |
250 | { | 234 | { |
251 | struct path path = { mnt, mnt->mnt_root }; | 235 | struct path path = { mnt, mnt->mnt_root }; |
252 | return tomoyo_check_1path_perm(tomoyo_domain(), TOMOYO_TYPE_UMOUNT_ACL, | 236 | return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_UMOUNT, &path); |
253 | &path); | ||
254 | } | 237 | } |
255 | 238 | ||
256 | static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path) | 239 | static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path) |
257 | { | 240 | { |
258 | return tomoyo_check_2path_perm(tomoyo_domain(), | 241 | return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_PIVOT_ROOT, |
259 | TOMOYO_TYPE_PIVOT_ROOT_ACL, | 242 | new_path, old_path); |
260 | new_path, old_path); | ||
261 | } | 243 | } |
262 | 244 | ||
263 | /* | 245 | /* |