diff options
| -rw-r--r-- | security/tomoyo/common.c | 28 | ||||
| -rw-r--r-- | security/tomoyo/domain.c | 147 | ||||
| -rw-r--r-- | security/tomoyo/file.c | 234 |
3 files changed, 183 insertions, 226 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index ae3ed7313ee0..a53ee059da48 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
| @@ -1103,10 +1103,10 @@ static LIST_HEAD(tomoyo_policy_manager_list); | |||
| 1103 | static int tomoyo_update_manager_entry(const char *manager, | 1103 | static int tomoyo_update_manager_entry(const char *manager, |
| 1104 | const bool is_delete) | 1104 | const bool is_delete) |
| 1105 | { | 1105 | { |
| 1106 | struct tomoyo_policy_manager_entry *new_entry; | 1106 | struct tomoyo_policy_manager_entry *entry = NULL; |
| 1107 | struct tomoyo_policy_manager_entry *ptr; | 1107 | struct tomoyo_policy_manager_entry *ptr; |
| 1108 | const struct tomoyo_path_info *saved_manager; | 1108 | const struct tomoyo_path_info *saved_manager; |
| 1109 | int error = -ENOMEM; | 1109 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 1110 | bool is_domain = false; | 1110 | bool is_domain = false; |
| 1111 | 1111 | ||
| 1112 | if (tomoyo_is_domain_def(manager)) { | 1112 | if (tomoyo_is_domain_def(manager)) { |
| @@ -1120,29 +1120,25 @@ static int tomoyo_update_manager_entry(const char *manager, | |||
| 1120 | saved_manager = tomoyo_save_name(manager); | 1120 | saved_manager = tomoyo_save_name(manager); |
| 1121 | if (!saved_manager) | 1121 | if (!saved_manager) |
| 1122 | return -ENOMEM; | 1122 | return -ENOMEM; |
| 1123 | new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL); | 1123 | if (!is_delete) |
| 1124 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
| 1124 | mutex_lock(&tomoyo_policy_lock); | 1125 | mutex_lock(&tomoyo_policy_lock); |
| 1125 | list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { | 1126 | list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { |
| 1126 | if (ptr->manager != saved_manager) | 1127 | if (ptr->manager != saved_manager) |
| 1127 | continue; | 1128 | continue; |
| 1128 | ptr->is_deleted = is_delete; | 1129 | ptr->is_deleted = is_delete; |
| 1129 | error = 0; | 1130 | error = 0; |
| 1130 | goto out; | 1131 | break; |
| 1131 | } | 1132 | } |
| 1132 | if (is_delete) { | 1133 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
| 1133 | error = -ENOENT; | 1134 | entry->manager = saved_manager; |
| 1134 | goto out; | 1135 | entry->is_domain = is_domain; |
| 1136 | list_add_tail_rcu(&entry->list, &tomoyo_policy_manager_list); | ||
| 1137 | entry = NULL; | ||
| 1138 | error = 0; | ||
| 1135 | } | 1139 | } |
| 1136 | if (!tomoyo_memory_ok(new_entry)) | ||
| 1137 | goto out; | ||
| 1138 | new_entry->manager = saved_manager; | ||
| 1139 | new_entry->is_domain = is_domain; | ||
| 1140 | list_add_tail_rcu(&new_entry->list, &tomoyo_policy_manager_list); | ||
| 1141 | new_entry = NULL; | ||
| 1142 | error = 0; | ||
| 1143 | out: | ||
| 1144 | mutex_unlock(&tomoyo_policy_lock); | 1140 | mutex_unlock(&tomoyo_policy_lock); |
| 1145 | kfree(new_entry); | 1141 | kfree(entry); |
| 1146 | return error; | 1142 | return error; |
| 1147 | } | 1143 | } |
| 1148 | 1144 | ||
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index ec612ae87b51..229de1e71a38 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c | |||
| @@ -201,11 +201,11 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname, | |||
| 201 | const bool is_not, | 201 | const bool is_not, |
| 202 | const bool is_delete) | 202 | const bool is_delete) |
| 203 | { | 203 | { |
| 204 | struct tomoyo_domain_initializer_entry *new_entry; | 204 | struct tomoyo_domain_initializer_entry *entry = NULL; |
| 205 | struct tomoyo_domain_initializer_entry *ptr; | 205 | struct tomoyo_domain_initializer_entry *ptr; |
| 206 | const struct tomoyo_path_info *saved_program; | 206 | const struct tomoyo_path_info *saved_program; |
| 207 | const struct tomoyo_path_info *saved_domainname = NULL; | 207 | const struct tomoyo_path_info *saved_domainname = NULL; |
| 208 | int error = -ENOMEM; | 208 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 209 | bool is_last_name = false; | 209 | bool is_last_name = false; |
| 210 | 210 | ||
| 211 | if (!tomoyo_is_correct_path(program, 1, -1, -1, __func__)) | 211 | if (!tomoyo_is_correct_path(program, 1, -1, -1, __func__)) |
| @@ -218,12 +218,13 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname, | |||
| 218 | return -EINVAL; | 218 | return -EINVAL; |
| 219 | saved_domainname = tomoyo_save_name(domainname); | 219 | saved_domainname = tomoyo_save_name(domainname); |
| 220 | if (!saved_domainname) | 220 | if (!saved_domainname) |
| 221 | return -ENOMEM; | 221 | goto out; |
| 222 | } | 222 | } |
| 223 | saved_program = tomoyo_save_name(program); | 223 | saved_program = tomoyo_save_name(program); |
| 224 | if (!saved_program) | 224 | if (!saved_program) |
| 225 | return -ENOMEM; | 225 | goto out; |
| 226 | new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL); | 226 | if (!is_delete) |
| 227 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
| 227 | mutex_lock(&tomoyo_policy_lock); | 228 | mutex_lock(&tomoyo_policy_lock); |
| 228 | list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) { | 229 | list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) { |
| 229 | if (ptr->is_not != is_not || | 230 | if (ptr->is_not != is_not || |
| @@ -232,24 +233,21 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname, | |||
| 232 | continue; | 233 | continue; |
| 233 | ptr->is_deleted = is_delete; | 234 | ptr->is_deleted = is_delete; |
| 234 | error = 0; | 235 | error = 0; |
| 235 | goto out; | 236 | break; |
| 236 | } | 237 | } |
| 237 | if (is_delete) { | 238 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
| 238 | error = -ENOENT; | 239 | entry->domainname = saved_domainname; |
| 239 | goto out; | 240 | entry->program = saved_program; |
| 241 | entry->is_not = is_not; | ||
| 242 | entry->is_last_name = is_last_name; | ||
| 243 | list_add_tail_rcu(&entry->list, | ||
| 244 | &tomoyo_domain_initializer_list); | ||
| 245 | entry = NULL; | ||
| 246 | error = 0; | ||
| 240 | } | 247 | } |
| 241 | if (!tomoyo_memory_ok(new_entry)) | ||
| 242 | goto out; | ||
| 243 | new_entry->domainname = saved_domainname; | ||
| 244 | new_entry->program = saved_program; | ||
| 245 | new_entry->is_not = is_not; | ||
| 246 | new_entry->is_last_name = is_last_name; | ||
| 247 | list_add_tail_rcu(&new_entry->list, &tomoyo_domain_initializer_list); | ||
| 248 | new_entry = NULL; | ||
| 249 | error = 0; | ||
| 250 | out: | ||
| 251 | mutex_unlock(&tomoyo_policy_lock); | 248 | mutex_unlock(&tomoyo_policy_lock); |
| 252 | kfree(new_entry); | 249 | out: |
| 250 | kfree(entry); | ||
| 253 | return error; | 251 | return error; |
| 254 | } | 252 | } |
| 255 | 253 | ||
| @@ -419,11 +417,11 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname, | |||
| 419 | const bool is_not, | 417 | const bool is_not, |
| 420 | const bool is_delete) | 418 | const bool is_delete) |
| 421 | { | 419 | { |
| 422 | struct tomoyo_domain_keeper_entry *new_entry; | 420 | struct tomoyo_domain_keeper_entry *entry = NULL; |
| 423 | struct tomoyo_domain_keeper_entry *ptr; | 421 | struct tomoyo_domain_keeper_entry *ptr; |
| 424 | const struct tomoyo_path_info *saved_domainname; | 422 | const struct tomoyo_path_info *saved_domainname; |
| 425 | const struct tomoyo_path_info *saved_program = NULL; | 423 | const struct tomoyo_path_info *saved_program = NULL; |
| 426 | int error = -ENOMEM; | 424 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 427 | bool is_last_name = false; | 425 | bool is_last_name = false; |
| 428 | 426 | ||
| 429 | if (!tomoyo_is_domain_def(domainname) && | 427 | if (!tomoyo_is_domain_def(domainname) && |
| @@ -436,12 +434,13 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname, | |||
| 436 | return -EINVAL; | 434 | return -EINVAL; |
| 437 | saved_program = tomoyo_save_name(program); | 435 | saved_program = tomoyo_save_name(program); |
| 438 | if (!saved_program) | 436 | if (!saved_program) |
| 439 | return -ENOMEM; | 437 | goto out; |
| 440 | } | 438 | } |
| 441 | saved_domainname = tomoyo_save_name(domainname); | 439 | saved_domainname = tomoyo_save_name(domainname); |
| 442 | if (!saved_domainname) | 440 | if (!saved_domainname) |
| 443 | return -ENOMEM; | 441 | goto out; |
| 444 | new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL); | 442 | if (!is_delete) |
| 443 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
| 445 | mutex_lock(&tomoyo_policy_lock); | 444 | mutex_lock(&tomoyo_policy_lock); |
| 446 | list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) { | 445 | list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) { |
| 447 | if (ptr->is_not != is_not || | 446 | if (ptr->is_not != is_not || |
| @@ -450,24 +449,20 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname, | |||
| 450 | continue; | 449 | continue; |
| 451 | ptr->is_deleted = is_delete; | 450 | ptr->is_deleted = is_delete; |
| 452 | error = 0; | 451 | error = 0; |
| 453 | goto out; | 452 | break; |
| 454 | } | 453 | } |
| 455 | if (is_delete) { | 454 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
| 456 | error = -ENOENT; | 455 | entry->domainname = saved_domainname; |
| 457 | goto out; | 456 | entry->program = saved_program; |
| 457 | entry->is_not = is_not; | ||
| 458 | entry->is_last_name = is_last_name; | ||
| 459 | list_add_tail_rcu(&entry->list, &tomoyo_domain_keeper_list); | ||
| 460 | entry = NULL; | ||
| 461 | error = 0; | ||
| 458 | } | 462 | } |
| 459 | if (!tomoyo_memory_ok(new_entry)) | ||
| 460 | goto out; | ||
| 461 | new_entry->domainname = saved_domainname; | ||
| 462 | new_entry->program = saved_program; | ||
| 463 | new_entry->is_not = is_not; | ||
| 464 | new_entry->is_last_name = is_last_name; | ||
| 465 | list_add_tail_rcu(&new_entry->list, &tomoyo_domain_keeper_list); | ||
| 466 | new_entry = NULL; | ||
| 467 | error = 0; | ||
| 468 | out: | ||
| 469 | mutex_unlock(&tomoyo_policy_lock); | 463 | mutex_unlock(&tomoyo_policy_lock); |
| 470 | kfree(new_entry); | 464 | out: |
| 465 | kfree(entry); | ||
| 471 | return error; | 466 | return error; |
| 472 | } | 467 | } |
| 473 | 468 | ||
| @@ -619,11 +614,11 @@ static int tomoyo_update_alias_entry(const char *original_name, | |||
| 619 | const char *aliased_name, | 614 | const char *aliased_name, |
| 620 | const bool is_delete) | 615 | const bool is_delete) |
| 621 | { | 616 | { |
| 622 | struct tomoyo_alias_entry *new_entry; | 617 | struct tomoyo_alias_entry *entry = NULL; |
| 623 | struct tomoyo_alias_entry *ptr; | 618 | struct tomoyo_alias_entry *ptr; |
| 624 | const struct tomoyo_path_info *saved_original_name; | 619 | const struct tomoyo_path_info *saved_original_name; |
| 625 | const struct tomoyo_path_info *saved_aliased_name; | 620 | const struct tomoyo_path_info *saved_aliased_name; |
| 626 | int error = -ENOMEM; | 621 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 627 | 622 | ||
| 628 | if (!tomoyo_is_correct_path(original_name, 1, -1, -1, __func__) || | 623 | if (!tomoyo_is_correct_path(original_name, 1, -1, -1, __func__) || |
| 629 | !tomoyo_is_correct_path(aliased_name, 1, -1, -1, __func__)) | 624 | !tomoyo_is_correct_path(aliased_name, 1, -1, -1, __func__)) |
| @@ -631,8 +626,9 @@ static int tomoyo_update_alias_entry(const char *original_name, | |||
| 631 | saved_original_name = tomoyo_save_name(original_name); | 626 | saved_original_name = tomoyo_save_name(original_name); |
| 632 | saved_aliased_name = tomoyo_save_name(aliased_name); | 627 | saved_aliased_name = tomoyo_save_name(aliased_name); |
| 633 | if (!saved_original_name || !saved_aliased_name) | 628 | if (!saved_original_name || !saved_aliased_name) |
| 634 | return -ENOMEM; | 629 | goto out; |
| 635 | new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL); | 630 | if (!is_delete) |
| 631 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
| 636 | mutex_lock(&tomoyo_policy_lock); | 632 | mutex_lock(&tomoyo_policy_lock); |
| 637 | list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) { | 633 | list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) { |
| 638 | if (ptr->original_name != saved_original_name || | 634 | if (ptr->original_name != saved_original_name || |
| @@ -640,22 +636,18 @@ static int tomoyo_update_alias_entry(const char *original_name, | |||
| 640 | continue; | 636 | continue; |
| 641 | ptr->is_deleted = is_delete; | 637 | ptr->is_deleted = is_delete; |
| 642 | error = 0; | 638 | error = 0; |
| 643 | goto out; | 639 | break; |
| 644 | } | 640 | } |
| 645 | if (is_delete) { | 641 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
| 646 | error = -ENOENT; | 642 | entry->original_name = saved_original_name; |
| 647 | goto out; | 643 | entry->aliased_name = saved_aliased_name; |
| 644 | list_add_tail_rcu(&entry->list, &tomoyo_alias_list); | ||
| 645 | entry = NULL; | ||
| 646 | error = 0; | ||
| 648 | } | 647 | } |
| 649 | if (!tomoyo_memory_ok(new_entry)) | ||
| 650 | goto out; | ||
| 651 | new_entry->original_name = saved_original_name; | ||
| 652 | new_entry->aliased_name = saved_aliased_name; | ||
| 653 | list_add_tail_rcu(&new_entry->list, &tomoyo_alias_list); | ||
| 654 | new_entry = NULL; | ||
| 655 | error = 0; | ||
| 656 | out: | ||
| 657 | mutex_unlock(&tomoyo_policy_lock); | 648 | mutex_unlock(&tomoyo_policy_lock); |
| 658 | kfree(new_entry); | 649 | out: |
| 650 | kfree(entry); | ||
| 659 | return error; | 651 | return error; |
| 660 | } | 652 | } |
| 661 | 653 | ||
| @@ -722,32 +714,37 @@ struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * | |||
| 722 | domainname, | 714 | domainname, |
| 723 | const u8 profile) | 715 | const u8 profile) |
| 724 | { | 716 | { |
| 717 | struct tomoyo_domain_info *entry; | ||
| 725 | struct tomoyo_domain_info *domain; | 718 | struct tomoyo_domain_info *domain; |
| 726 | const struct tomoyo_path_info *saved_domainname; | 719 | const struct tomoyo_path_info *saved_domainname; |
| 720 | bool found = false; | ||
| 727 | 721 | ||
| 728 | mutex_lock(&tomoyo_policy_lock); | ||
| 729 | domain = tomoyo_find_domain(domainname); | ||
| 730 | if (domain) | ||
| 731 | goto out; | ||
| 732 | if (!tomoyo_is_correct_domain(domainname, __func__)) | 722 | if (!tomoyo_is_correct_domain(domainname, __func__)) |
| 733 | goto out; | 723 | return NULL; |
| 734 | saved_domainname = tomoyo_save_name(domainname); | 724 | saved_domainname = tomoyo_save_name(domainname); |
| 735 | if (!saved_domainname) | 725 | if (!saved_domainname) |
| 736 | goto out; | 726 | return NULL; |
| 737 | domain = kmalloc(sizeof(*domain), GFP_KERNEL); | 727 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); |
| 738 | if (tomoyo_memory_ok(domain)) { | 728 | mutex_lock(&tomoyo_policy_lock); |
| 739 | INIT_LIST_HEAD(&domain->acl_info_list); | 729 | list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { |
| 740 | domain->domainname = saved_domainname; | 730 | if (domain->is_deleted || |
| 741 | domain->profile = profile; | 731 | tomoyo_pathcmp(saved_domainname, domain->domainname)) |
| 742 | list_add_tail_rcu(&domain->list, &tomoyo_domain_list); | 732 | continue; |
| 743 | } else { | 733 | found = true; |
| 744 | kfree(domain); | 734 | break; |
| 745 | domain = NULL; | 735 | } |
| 736 | if (!found && tomoyo_memory_ok(entry)) { | ||
| 737 | INIT_LIST_HEAD(&entry->acl_info_list); | ||
| 738 | entry->domainname = saved_domainname; | ||
| 739 | entry->profile = profile; | ||
| 740 | list_add_tail_rcu(&entry->list, &tomoyo_domain_list); | ||
| 741 | domain = entry; | ||
| 742 | entry = NULL; | ||
| 743 | found = true; | ||
| 746 | } | 744 | } |
| 747 | |||
| 748 | out: | ||
| 749 | mutex_unlock(&tomoyo_policy_lock); | 745 | mutex_unlock(&tomoyo_policy_lock); |
| 750 | return domain; | 746 | kfree(entry); |
| 747 | return found ? domain : NULL; | ||
| 751 | } | 748 | } |
| 752 | 749 | ||
| 753 | /** | 750 | /** |
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 84c821a245ca..f4a27714e077 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c | |||
| @@ -215,38 +215,34 @@ static LIST_HEAD(tomoyo_globally_readable_list); | |||
| 215 | static int tomoyo_update_globally_readable_entry(const char *filename, | 215 | static int tomoyo_update_globally_readable_entry(const char *filename, |
| 216 | const bool is_delete) | 216 | const bool is_delete) |
| 217 | { | 217 | { |
| 218 | struct tomoyo_globally_readable_file_entry *new_entry; | 218 | struct tomoyo_globally_readable_file_entry *entry = NULL; |
| 219 | struct tomoyo_globally_readable_file_entry *ptr; | 219 | struct tomoyo_globally_readable_file_entry *ptr; |
| 220 | const struct tomoyo_path_info *saved_filename; | 220 | const struct tomoyo_path_info *saved_filename; |
| 221 | int error = -ENOMEM; | 221 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 222 | 222 | ||
| 223 | if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__)) | 223 | if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__)) |
| 224 | return -EINVAL; | 224 | return -EINVAL; |
| 225 | saved_filename = tomoyo_save_name(filename); | 225 | saved_filename = tomoyo_save_name(filename); |
| 226 | if (!saved_filename) | 226 | if (!saved_filename) |
| 227 | return -ENOMEM; | 227 | return -ENOMEM; |
| 228 | new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL); | 228 | if (!is_delete) |
| 229 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
| 229 | mutex_lock(&tomoyo_policy_lock); | 230 | mutex_lock(&tomoyo_policy_lock); |
| 230 | list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) { | 231 | list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) { |
| 231 | if (ptr->filename != saved_filename) | 232 | if (ptr->filename != saved_filename) |
| 232 | continue; | 233 | continue; |
| 233 | ptr->is_deleted = is_delete; | 234 | ptr->is_deleted = is_delete; |
| 234 | error = 0; | 235 | error = 0; |
| 235 | goto out; | 236 | break; |
| 236 | } | 237 | } |
| 237 | if (is_delete) { | 238 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
| 238 | error = -ENOENT; | 239 | entry->filename = saved_filename; |
| 239 | goto out; | 240 | list_add_tail_rcu(&entry->list, &tomoyo_globally_readable_list); |
| 241 | entry = NULL; | ||
| 242 | error = 0; | ||
| 240 | } | 243 | } |
| 241 | if (!tomoyo_memory_ok(new_entry)) | ||
| 242 | goto out; | ||
| 243 | new_entry->filename = saved_filename; | ||
| 244 | list_add_tail_rcu(&new_entry->list, &tomoyo_globally_readable_list); | ||
| 245 | new_entry = NULL; | ||
| 246 | error = 0; | ||
| 247 | out: | ||
| 248 | mutex_unlock(&tomoyo_policy_lock); | 244 | mutex_unlock(&tomoyo_policy_lock); |
| 249 | kfree(new_entry); | 245 | kfree(entry); |
| 250 | return error; | 246 | return error; |
| 251 | } | 247 | } |
| 252 | 248 | ||
| @@ -364,38 +360,35 @@ static LIST_HEAD(tomoyo_pattern_list); | |||
| 364 | static int tomoyo_update_file_pattern_entry(const char *pattern, | 360 | static int tomoyo_update_file_pattern_entry(const char *pattern, |
| 365 | const bool is_delete) | 361 | const bool is_delete) |
| 366 | { | 362 | { |
| 367 | struct tomoyo_pattern_entry *new_entry; | 363 | struct tomoyo_pattern_entry *entry = NULL; |
| 368 | struct tomoyo_pattern_entry *ptr; | 364 | struct tomoyo_pattern_entry *ptr; |
| 369 | const struct tomoyo_path_info *saved_pattern; | 365 | const struct tomoyo_path_info *saved_pattern; |
| 370 | int error = -ENOMEM; | 366 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 371 | 367 | ||
| 372 | if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__)) | ||
| 373 | return -EINVAL; | ||
| 374 | saved_pattern = tomoyo_save_name(pattern); | 368 | saved_pattern = tomoyo_save_name(pattern); |
| 375 | if (!saved_pattern) | 369 | if (!saved_pattern) |
| 376 | return -ENOMEM; | 370 | return error; |
| 377 | new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL); | 371 | if (!saved_pattern->is_patterned) |
| 372 | goto out; | ||
| 373 | if (!is_delete) | ||
| 374 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
| 378 | mutex_lock(&tomoyo_policy_lock); | 375 | mutex_lock(&tomoyo_policy_lock); |
| 379 | list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) { | 376 | list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) { |
| 380 | if (saved_pattern != ptr->pattern) | 377 | if (saved_pattern != ptr->pattern) |
| 381 | continue; | 378 | continue; |
| 382 | ptr->is_deleted = is_delete; | 379 | ptr->is_deleted = is_delete; |
| 383 | error = 0; | 380 | error = 0; |
| 384 | goto out; | 381 | break; |
| 385 | } | 382 | } |
| 386 | if (is_delete) { | 383 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
| 387 | error = -ENOENT; | 384 | entry->pattern = saved_pattern; |
| 388 | goto out; | 385 | list_add_tail_rcu(&entry->list, &tomoyo_pattern_list); |
| 386 | entry = NULL; | ||
| 387 | error = 0; | ||
| 389 | } | 388 | } |
| 390 | if (!tomoyo_memory_ok(new_entry)) | ||
| 391 | goto out; | ||
| 392 | new_entry->pattern = saved_pattern; | ||
| 393 | list_add_tail_rcu(&new_entry->list, &tomoyo_pattern_list); | ||
| 394 | new_entry = NULL; | ||
| 395 | error = 0; | ||
| 396 | out: | ||
| 397 | mutex_unlock(&tomoyo_policy_lock); | 389 | mutex_unlock(&tomoyo_policy_lock); |
| 398 | kfree(new_entry); | 390 | out: |
| 391 | kfree(entry); | ||
| 399 | return error; | 392 | return error; |
| 400 | } | 393 | } |
| 401 | 394 | ||
| @@ -518,37 +511,34 @@ static LIST_HEAD(tomoyo_no_rewrite_list); | |||
| 518 | static int tomoyo_update_no_rewrite_entry(const char *pattern, | 511 | static int tomoyo_update_no_rewrite_entry(const char *pattern, |
| 519 | const bool is_delete) | 512 | const bool is_delete) |
| 520 | { | 513 | { |
| 521 | struct tomoyo_no_rewrite_entry *new_entry, *ptr; | 514 | struct tomoyo_no_rewrite_entry *entry = NULL; |
| 515 | struct tomoyo_no_rewrite_entry *ptr; | ||
| 522 | const struct tomoyo_path_info *saved_pattern; | 516 | const struct tomoyo_path_info *saved_pattern; |
| 523 | int error = -ENOMEM; | 517 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 524 | 518 | ||
| 525 | if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__)) | 519 | if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__)) |
| 526 | return -EINVAL; | 520 | return -EINVAL; |
| 527 | saved_pattern = tomoyo_save_name(pattern); | 521 | saved_pattern = tomoyo_save_name(pattern); |
| 528 | if (!saved_pattern) | 522 | if (!saved_pattern) |
| 529 | return -ENOMEM; | 523 | return error; |
| 530 | new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL); | 524 | if (!is_delete) |
| 525 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
| 531 | mutex_lock(&tomoyo_policy_lock); | 526 | mutex_lock(&tomoyo_policy_lock); |
| 532 | list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) { | 527 | list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) { |
| 533 | if (ptr->pattern != saved_pattern) | 528 | if (ptr->pattern != saved_pattern) |
| 534 | continue; | 529 | continue; |
| 535 | ptr->is_deleted = is_delete; | 530 | ptr->is_deleted = is_delete; |
| 536 | error = 0; | 531 | error = 0; |
| 537 | goto out; | 532 | break; |
| 538 | } | 533 | } |
| 539 | if (is_delete) { | 534 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
| 540 | error = -ENOENT; | 535 | entry->pattern = saved_pattern; |
| 541 | goto out; | 536 | list_add_tail_rcu(&entry->list, &tomoyo_no_rewrite_list); |
| 537 | entry = NULL; | ||
| 538 | error = 0; | ||
| 542 | } | 539 | } |
| 543 | if (!tomoyo_memory_ok(new_entry)) | ||
| 544 | goto out; | ||
| 545 | new_entry->pattern = saved_pattern; | ||
| 546 | list_add_tail_rcu(&new_entry->list, &tomoyo_no_rewrite_list); | ||
| 547 | new_entry = NULL; | ||
| 548 | error = 0; | ||
| 549 | out: | ||
| 550 | mutex_unlock(&tomoyo_policy_lock); | 540 | mutex_unlock(&tomoyo_policy_lock); |
| 551 | kfree(new_entry); | 541 | kfree(entry); |
| 552 | return error; | 542 | return error; |
| 553 | } | 543 | } |
| 554 | 544 | ||
| @@ -869,8 +859,8 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | |||
| 869 | (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL); | 859 | (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL); |
| 870 | const struct tomoyo_path_info *saved_filename; | 860 | const struct tomoyo_path_info *saved_filename; |
| 871 | struct tomoyo_acl_info *ptr; | 861 | struct tomoyo_acl_info *ptr; |
| 872 | struct tomoyo_single_path_acl_record *acl; | 862 | struct tomoyo_single_path_acl_record *entry = NULL; |
| 873 | int error = -ENOMEM; | 863 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 874 | const u32 perm = 1 << type; | 864 | const u32 perm = 1 << type; |
| 875 | 865 | ||
| 876 | if (!domain) | 866 | if (!domain) |
| @@ -880,67 +870,55 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | |||
| 880 | saved_filename = tomoyo_save_name(filename); | 870 | saved_filename = tomoyo_save_name(filename); |
| 881 | if (!saved_filename) | 871 | if (!saved_filename) |
| 882 | return -ENOMEM; | 872 | return -ENOMEM; |
| 873 | if (!is_delete) | ||
| 874 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
| 883 | mutex_lock(&tomoyo_policy_lock); | 875 | mutex_lock(&tomoyo_policy_lock); |
| 884 | if (is_delete) | ||
| 885 | goto delete; | ||
| 886 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { | 876 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { |
| 877 | struct tomoyo_single_path_acl_record *acl = | ||
| 878 | container_of(ptr, struct tomoyo_single_path_acl_record, | ||
| 879 | head); | ||
| 887 | if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL) | 880 | if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL) |
| 888 | continue; | 881 | continue; |
| 889 | acl = container_of(ptr, struct tomoyo_single_path_acl_record, | ||
| 890 | head); | ||
| 891 | if (acl->filename != saved_filename) | 882 | if (acl->filename != saved_filename) |
| 892 | continue; | 883 | continue; |
| 893 | if (perm <= 0xFFFF) | 884 | if (is_delete) { |
| 894 | acl->perm |= perm; | 885 | if (perm <= 0xFFFF) |
| 895 | else | 886 | acl->perm &= ~perm; |
| 896 | acl->perm_high |= (perm >> 16); | 887 | else |
| 897 | if ((acl->perm & rw_mask) == rw_mask) | 888 | acl->perm_high &= ~(perm >> 16); |
| 898 | acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL; | 889 | if ((acl->perm & rw_mask) != rw_mask) |
| 899 | else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) | 890 | acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL); |
| 900 | acl->perm |= rw_mask; | 891 | else if (!(acl->perm & |
| 892 | (1 << TOMOYO_TYPE_READ_WRITE_ACL))) | ||
| 893 | acl->perm &= ~rw_mask; | ||
| 894 | } else { | ||
| 895 | if (perm <= 0xFFFF) | ||
| 896 | acl->perm |= perm; | ||
| 897 | else | ||
| 898 | acl->perm_high |= (perm >> 16); | ||
| 899 | if ((acl->perm & rw_mask) == rw_mask) | ||
| 900 | acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL; | ||
| 901 | else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) | ||
| 902 | acl->perm |= rw_mask; | ||
| 903 | } | ||
| 901 | error = 0; | 904 | error = 0; |
| 902 | goto out; | 905 | break; |
| 903 | } | ||
| 904 | /* Not found. Append it to the tail. */ | ||
| 905 | acl = kmalloc(sizeof(*acl), GFP_KERNEL); | ||
| 906 | if (!tomoyo_memory_ok(acl)) { | ||
| 907 | kfree(acl); | ||
| 908 | acl = NULL; | ||
| 909 | goto out; | ||
| 910 | } | 906 | } |
| 911 | acl->head.type = TOMOYO_TYPE_SINGLE_PATH_ACL; | 907 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
| 912 | if (perm <= 0xFFFF) | 908 | entry->head.type = TOMOYO_TYPE_SINGLE_PATH_ACL; |
| 913 | acl->perm = perm; | ||
| 914 | else | ||
| 915 | acl->perm_high = (perm >> 16); | ||
| 916 | if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL)) | ||
| 917 | acl->perm |= rw_mask; | ||
| 918 | acl->filename = saved_filename; | ||
| 919 | list_add_tail_rcu(&acl->head.list, &domain->acl_info_list); | ||
| 920 | error = 0; | ||
| 921 | goto out; | ||
| 922 | delete: | ||
| 923 | error = -ENOENT; | ||
| 924 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { | ||
| 925 | if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL) | ||
| 926 | continue; | ||
| 927 | acl = container_of(ptr, struct tomoyo_single_path_acl_record, | ||
| 928 | head); | ||
| 929 | if (acl->filename != saved_filename) | ||
| 930 | continue; | ||
| 931 | if (perm <= 0xFFFF) | 909 | if (perm <= 0xFFFF) |
| 932 | acl->perm &= ~perm; | 910 | entry->perm = perm; |
| 933 | else | 911 | else |
| 934 | acl->perm_high &= ~(perm >> 16); | 912 | entry->perm_high = (perm >> 16); |
| 935 | if ((acl->perm & rw_mask) != rw_mask) | 913 | if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL)) |
| 936 | acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL); | 914 | entry->perm |= rw_mask; |
| 937 | else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) | 915 | entry->filename = saved_filename; |
| 938 | acl->perm &= ~rw_mask; | 916 | list_add_tail_rcu(&entry->head.list, &domain->acl_info_list); |
| 917 | entry = NULL; | ||
| 939 | error = 0; | 918 | error = 0; |
| 940 | break; | ||
| 941 | } | 919 | } |
| 942 | out: | ||
| 943 | mutex_unlock(&tomoyo_policy_lock); | 920 | mutex_unlock(&tomoyo_policy_lock); |
| 921 | kfree(entry); | ||
| 944 | return error; | 922 | return error; |
| 945 | } | 923 | } |
| 946 | 924 | ||
| @@ -965,8 +943,8 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | |||
| 965 | const struct tomoyo_path_info *saved_filename1; | 943 | const struct tomoyo_path_info *saved_filename1; |
| 966 | const struct tomoyo_path_info *saved_filename2; | 944 | const struct tomoyo_path_info *saved_filename2; |
| 967 | struct tomoyo_acl_info *ptr; | 945 | struct tomoyo_acl_info *ptr; |
| 968 | struct tomoyo_double_path_acl_record *acl; | 946 | struct tomoyo_double_path_acl_record *entry = NULL; |
| 969 | int error = -ENOMEM; | 947 | int error = is_delete ? -ENOENT : -ENOMEM; |
| 970 | const u8 perm = 1 << type; | 948 | const u8 perm = 1 << type; |
| 971 | 949 | ||
| 972 | if (!domain) | 950 | if (!domain) |
| @@ -977,52 +955,38 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | |||
| 977 | saved_filename1 = tomoyo_save_name(filename1); | 955 | saved_filename1 = tomoyo_save_name(filename1); |
| 978 | saved_filename2 = tomoyo_save_name(filename2); | 956 | saved_filename2 = tomoyo_save_name(filename2); |
| 979 | if (!saved_filename1 || !saved_filename2) | 957 | if (!saved_filename1 || !saved_filename2) |
| 980 | return -ENOMEM; | 958 | goto out; |
| 959 | if (!is_delete) | ||
| 960 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
| 981 | mutex_lock(&tomoyo_policy_lock); | 961 | mutex_lock(&tomoyo_policy_lock); |
| 982 | if (is_delete) | ||
| 983 | goto delete; | ||
| 984 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { | 962 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { |
| 963 | struct tomoyo_double_path_acl_record *acl = | ||
| 964 | container_of(ptr, struct tomoyo_double_path_acl_record, | ||
| 965 | head); | ||
| 985 | if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL) | 966 | if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL) |
| 986 | continue; | 967 | continue; |
| 987 | acl = container_of(ptr, struct tomoyo_double_path_acl_record, | ||
| 988 | head); | ||
| 989 | if (acl->filename1 != saved_filename1 || | 968 | if (acl->filename1 != saved_filename1 || |
| 990 | acl->filename2 != saved_filename2) | 969 | acl->filename2 != saved_filename2) |
| 991 | continue; | 970 | continue; |
| 992 | acl->perm |= perm; | 971 | if (is_delete) |
| 972 | acl->perm &= ~perm; | ||
| 973 | else | ||
| 974 | acl->perm |= perm; | ||
| 993 | error = 0; | 975 | error = 0; |
| 994 | goto out; | 976 | break; |
| 995 | } | ||
| 996 | /* Not found. Append it to the tail. */ | ||
| 997 | acl = kmalloc(sizeof(*acl), GFP_KERNEL); | ||
| 998 | if (!tomoyo_memory_ok(acl)) { | ||
| 999 | kfree(acl); | ||
| 1000 | acl = NULL; | ||
| 1001 | goto out; | ||
| 1002 | } | 977 | } |
| 1003 | acl->head.type = TOMOYO_TYPE_DOUBLE_PATH_ACL; | 978 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
| 1004 | acl->perm = perm; | 979 | entry->head.type = TOMOYO_TYPE_DOUBLE_PATH_ACL; |
| 1005 | acl->filename1 = saved_filename1; | 980 | entry->perm = perm; |
| 1006 | acl->filename2 = saved_filename2; | 981 | entry->filename1 = saved_filename1; |
| 1007 | list_add_tail_rcu(&acl->head.list, &domain->acl_info_list); | 982 | entry->filename2 = saved_filename2; |
| 1008 | error = 0; | 983 | list_add_tail_rcu(&entry->head.list, &domain->acl_info_list); |
| 1009 | goto out; | 984 | entry = NULL; |
| 1010 | delete: | ||
| 1011 | error = -ENOENT; | ||
| 1012 | list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { | ||
| 1013 | if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL) | ||
| 1014 | continue; | ||
| 1015 | acl = container_of(ptr, struct tomoyo_double_path_acl_record, | ||
| 1016 | head); | ||
| 1017 | if (acl->filename1 != saved_filename1 || | ||
| 1018 | acl->filename2 != saved_filename2) | ||
| 1019 | continue; | ||
| 1020 | acl->perm &= ~perm; | ||
| 1021 | error = 0; | 985 | error = 0; |
| 1022 | break; | ||
| 1023 | } | 986 | } |
| 1024 | out: | ||
| 1025 | mutex_unlock(&tomoyo_policy_lock); | 987 | mutex_unlock(&tomoyo_policy_lock); |
| 988 | out: | ||
| 989 | kfree(entry); | ||
| 1026 | return error; | 990 | return error; |
| 1027 | } | 991 | } |
| 1028 | 992 | ||