3 files changed, 83 insertions, 168 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 465df022c211..2b280350708f 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -11,16 +11,6 @@
 #include <linux/security.h>
 #include "common.h"
-static struct tomoyo_profile tomoyo_default_profile = {
-        .learning = &tomoyo_default_profile.preference,
-        .permissive = &tomoyo_default_profile.preference,
-        .enforcing = &tomoyo_default_profile.preference,
-        .preference.enforcing_verbose = true,
-        .preference.learning_max_entry = 2048,
-        .preference.learning_verbose = false,
-        .preference.permissive_verbose = true
-};
 /* Profile version. Currently only 20090903 is defined. */
 static unsigned int tomoyo_profile_version;
@@ -61,6 +51,11 @@ static const char *tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
        [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file",
 };
+/* String table for PREFERENCE keyword. */
+static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = {
+        [TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry",
+};
 /* Permit policy management by non-root user? */
 static bool tomoyo_manage_by_non_root;
@@ -71,11 +66,22 @@ static bool tomoyo_manage_by_non_root;
 *
 * @value: Bool value.
 */
+/*
 static const char *tomoyo_yesno(const unsigned int value)
 {
        return value ? "yes" : "no";
 }
+*/
+/**
+ * tomoyo_addprintf - strncat()-like-snprintf().
+ *
+ * @buffer: Buffer to write to. Must be '\0'-terminated.
+ * @len:    Size of @buffer.
+ * @fmt:    The printf()'s format string, followed by parameters.
+ *
+ * Returns nothing.
+ */
 static void tomoyo_addprintf(char *buffer, int len, const char *fmt, ...)
 {
        va_list args;
@@ -294,12 +300,10 @@ static struct tomoyo_profile *tomoyo_assign_profile(const unsigned int profile)
        ptr = tomoyo_profile_ptr[profile];
        if (!ptr && tomoyo_memory_ok(entry)) {
                ptr = entry;
-                ptr->learning = &tomoyo_default_profile.preference;
-                ptr->permissive = &tomoyo_default_profile.preference;
-                ptr->enforcing = &tomoyo_default_profile.preference;
                ptr->default_config = TOMOYO_CONFIG_DISABLED;
                memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT,
                       sizeof(ptr->config));
+                ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = 2048;
                mb(); /* Avoid out-of-order execution. */
                tomoyo_profile_ptr[profile] = ptr;
                entry = NULL;
@@ -319,13 +323,22 @@ static struct tomoyo_profile *tomoyo_assign_profile(const unsigned int profile)
 */
 struct tomoyo_profile *tomoyo_profile(const u8 profile)
 {
+        static struct tomoyo_profile tomoyo_null_profile;
        struct tomoyo_profile *ptr = tomoyo_profile_ptr[profile];
-        if (!tomoyo_policy_loaded)
+        if (!ptr)
-                return &tomoyo_default_profile;
+                ptr = &tomoyo_null_profile;
-        BUG_ON(!ptr);
        return ptr;
 }
+/**
+ * tomoyo_find_yesno - Find values for specified keyword.
+ *
+ * @string: String to check.
+ * @find:   Name of keyword.
+ *
+ * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise.
+ */
+/*
 static s8 tomoyo_find_yesno(const char *string, const char *find)
 {
        const char *cp = strstr(string, find);
@@ -338,19 +351,17 @@ static s8 tomoyo_find_yesno(const char *string, const char *find)
        }
        return -1;
 }
+*/
-static void tomoyo_set_bool(bool *b, const char *string, const char *find)
+/**
-{
+ * tomoyo_set_uint - Set value for specified preference.
-        switch (tomoyo_find_yesno(string, find)) {
+ *
-        case 1:
+ * @i:      Pointer to "unsigned int".
-                *b = true;
+ * @string: String to check.
-                break;
+ * @find:   Name of keyword.
-        case 0:
+ *
-                *b = false;
+ * Returns nothing.
-                break;
+ */
-        }
-}
 static void tomoyo_set_uint(unsigned int *i, const char *string,
                            const char *find)
 {
@@ -359,51 +370,16 @@ static void tomoyo_set_uint(unsigned int *i, const char *string,
                sscanf(cp + strlen(find), "=%u", i);
 }
-static void tomoyo_set_pref(const char *name, const char *value,
+/**
-                            const bool use_default,
+ * tomoyo_set_mode - Set mode for specified profile.
-                            struct tomoyo_profile *profile)
+ *
-{
+ * @name:    Name of functionality.
-        struct tomoyo_preference **pref;
+ * @value:   Mode for @name.
-        bool *verbose;
+ * @profile: Pointer to "struct tomoyo_profile".
-        if (!strcmp(name, "enforcing")) {
+ *
-                if (use_default) {
+ * Returns 0 on success, negative value otherwise.
-                        pref = &profile->enforcing;
+ */
-                        goto set_default;
-                }
-                profile->enforcing = &profile->preference;
-                verbose = &profile->preference.enforcing_verbose;
-                goto set_verbose;
-        }
-        if (!strcmp(name, "permissive")) {
-                if (use_default) {
-                        pref = &profile->permissive;
-                        goto set_default;
-                }
-                profile->permissive = &profile->preference;
-                verbose = &profile->preference.permissive_verbose;
-                goto set_verbose;
-        }
-        if (!strcmp(name, "learning")) {
-                if (use_default) {
-                        pref = &profile->learning;
-                        goto set_default;
-                }
-                profile->learning = &profile->preference;
-                tomoyo_set_uint(&profile->preference.learning_max_entry, value,
-                             "max_entry");
-                verbose = &profile->preference.learning_verbose;
-                goto set_verbose;
-        }
-        return;
- set_default:
-        *pref = &tomoyo_default_profile.preference;
-        return;
- set_verbose:
-        tomoyo_set_bool(verbose, value, "verbose");
-}
 static int tomoyo_set_mode(char *name, const char *value,
-                           const bool use_default,
                           struct tomoyo_profile *profile)
 {
        u8 i;
@@ -425,7 +401,7 @@ static int tomoyo_set_mode(char *name, const char *value,
        } else {
                return -EINVAL;
        }
-        if (use_default) {
+        if (strstr(value, "use_default")) {
                config = TOMOYO_CONFIG_USE_DEFAULT;
        } else {
                u8 mode;
@@ -455,34 +431,21 @@ static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
 {
        char *data = head->write_buf;
        unsigned int i;
-        bool use_default = false;
        char *cp;
        struct tomoyo_profile *profile;
        if (sscanf(data, "PROFILE_VERSION=%u", &tomoyo_profile_version) == 1)
                return 0;
        i = simple_strtoul(data, &cp, 10);
-        if (data == cp) {
+        if (*cp != '-')
-                profile = &tomoyo_default_profile;
+                return -EINVAL;
-        } else {
+        data = cp + 1;
-                if (*cp != '-')
+        profile = tomoyo_assign_profile(i);
-                        return -EINVAL;
+        if (!profile)
-                data = cp + 1;
+                return -EINVAL;
-                profile = tomoyo_assign_profile(i);
-                if (!profile)
-                        return -EINVAL;
-        }
        cp = strchr(data, '=');
        if (!cp)
                return -EINVAL;
        *cp++ = '\0';
-        if (profile != &tomoyo_default_profile)
-                use_default = strstr(cp, "use_default") != NULL;
-        if (tomoyo_str_starts(&data, "PREFERENCE::")) {
-                tomoyo_set_pref(data, cp, use_default, profile);
-                return 0;
-        }
-        if (profile == &tomoyo_default_profile)
-                return -EINVAL;
        if (!strcmp(data, "COMMENT")) {
                static DEFINE_SPINLOCK(lock);
                const struct tomoyo_path_info *new_comment
@@ -497,48 +460,13 @@ static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
                tomoyo_put_name(old_comment);
                return 0;
        }
-        return tomoyo_set_mode(data, cp, use_default, profile);
+        if (!strcmp(data, "PREFERENCE")) {
-}
+                for (i = 0; i < TOMOYO_MAX_PREF; i++)
+                        tomoyo_set_uint(&profile->pref[i], cp,
-static void tomoyo_print_preference(struct tomoyo_io_buffer *head,
+                                        tomoyo_pref_keywords[i]);
-                                    const int idx)
+                return 0;
-{
-        struct tomoyo_preference *pref = &tomoyo_default_profile.preference;
-        const struct tomoyo_profile *profile = idx >= 0 ?
-                tomoyo_profile_ptr[idx] : NULL;
-        char buffer[16] = "";
-        if (profile) {
-                buffer[sizeof(buffer) - 1] = '\0';
-                snprintf(buffer, sizeof(buffer) - 1, "%u-", idx);
-        }
-        if (profile) {
-                pref = profile->learning;
-                if (pref == &tomoyo_default_profile.preference)
-                        goto skip1;
-        }
-        tomoyo_io_printf(head, "%sPREFERENCE::%s={ "
-                         "verbose=%s max_entry=%u }\n",
-                         buffer, "learning",
-                         tomoyo_yesno(pref->learning_verbose),
-                         pref->learning_max_entry);
- skip1:
-        if (profile) {
-                pref = profile->permissive;
-                if (pref == &tomoyo_default_profile.preference)
-                        goto skip2;
-        }
-        tomoyo_io_printf(head, "%sPREFERENCE::%s={ verbose=%s }\n",
-                         buffer, "permissive",
-                         tomoyo_yesno(pref->permissive_verbose));
- skip2:
-        if (profile) {
-                pref = profile->enforcing;
-                if (pref == &tomoyo_default_profile.preference)
-                        return;
        }
-        tomoyo_io_printf(head, "%sPREFERENCE::%s={ verbose=%s }\n",
+        return tomoyo_set_mode(data, cp, profile);
-                         buffer, "enforcing",
-                         tomoyo_yesno(pref->enforcing_verbose));
 }
 static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config)
@@ -561,7 +489,6 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
        switch (head->r.step) {
        case 0:
                tomoyo_io_printf(head, "PROFILE_VERSION=%s\n", "20090903");
-                tomoyo_print_preference(head, -1);
                head->r.step++;
                break;
        case 1:
@@ -575,11 +502,18 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
                break;
        case 2:
                {
+                        u8 i;
                        const struct tomoyo_path_info *comment =
                                profile->comment;
                        tomoyo_io_printf(head, "%u-COMMENT=", index);
                        tomoyo_set_string(head, comment ? comment->name : "");
                        tomoyo_set_lf(head);
+                        tomoyo_io_printf(head, "%u-PREFERENCE={ ", index);
+                        for (i = 0; i < TOMOYO_MAX_PREF; i++)
+                                tomoyo_io_printf(head, "%s=%u ",
+                                                 tomoyo_pref_keywords[i],
+                                                 profile->pref[i]);
+                        tomoyo_set_string(head, "}\n");
                        head->r.step++;
                }
                break;
@@ -606,7 +540,6 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
                }
                if (head->r.bit == TOMOYO_MAX_MAC_INDEX
                    + TOMOYO_MAX_MAC_CATEGORY_INDEX) {
-                        tomoyo_print_preference(head, index);
                        head->r.index++;
                        head->r.step = 1;
                }
@@ -1777,7 +1710,7 @@ static int tomoyo_write_answer(struct tomoyo_io_buffer *head)
 static void tomoyo_read_version(struct tomoyo_io_buffer *head)
 {
        if (!head->r.eof) {
-                tomoyo_io_printf(head, "2.3.0");
+                tomoyo_io_printf(head, "2.4.0");
                head->r.eof = true;
        }
 }
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 139ad7544460..2b39e63234c8 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -211,6 +211,12 @@ enum tomoyo_mac_category_index {
 */
 #define TOMOYO_RETRY_REQUEST 1
+/* Index numbers for profile's PREFERENCE values. */
+enum tomoyo_pref_index {
+        TOMOYO_PREF_MAX_LEARNING_ENTRY,
+        TOMOYO_MAX_PREF
+};
 /********** Structure definitions. **********/
 /* Common header for holding ACL entries. */
@@ -497,6 +503,7 @@ struct tomoyo_profile {
        struct tomoyo_preference preference;
        u8 default_config;
        u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX];
+        unsigned int pref[TOMOYO_MAX_PREF];
 };
 /********** Function prototypes. **********/
diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c
index 72cd2b97cae8..adcbdebd7352 100644
--- a/security/tomoyo/util.c
+++ b/security/tomoyo/util.c
@@ -899,35 +899,10 @@ const char *tomoyo_last_word(const char *name)
 */
 void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...)
 {
-        va_list args;
+        /*
-        char *buffer;
+         * Temporarily disabled.
-        const struct tomoyo_domain_info * const domain = r->domain;
+         * Will be replaced with /sys/kernel/security/tomoyo/audit interface.
-        const struct tomoyo_profile *profile = tomoyo_profile(domain->profile);
+         */
-        switch (r->mode) {
-        case TOMOYO_CONFIG_ENFORCING:
-                if (!profile->enforcing->enforcing_verbose)
-                        return;
-                break;
-        case TOMOYO_CONFIG_PERMISSIVE:
-                if (!profile->permissive->permissive_verbose)
-                        return;
-                break;
-        case TOMOYO_CONFIG_LEARNING:
-                if (!profile->learning->learning_verbose)
-                        return;
-                break;
-        }
-        buffer = kmalloc(4096, GFP_NOFS);
-        if (!buffer)
-                return;
-        va_start(args, fmt);
-        vsnprintf(buffer, 4095, fmt, args);
-        va_end(args);
-        buffer[4095] = '\0';
-        printk(KERN_WARNING "%s: Access %s denied for %s\n",
-               r->mode == TOMOYO_CONFIG_ENFORCING ? "ERROR" : "WARNING", buffer,
-               tomoyo_last_word(domain->domainname->name));
-        kfree(buffer);
 }
 /**
@@ -978,13 +953,13 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
                        if (perm & (1 << i))
                                count++;
        }
-        if (count < tomoyo_profile(domain->profile)->learning->
+        if (count < tomoyo_profile(domain->profile)->
-            learning_max_entry)
+            pref[TOMOYO_PREF_MAX_LEARNING_ENTRY])
                return true;
        if (!domain->quota_warned) {
                domain->quota_warned = true;
                printk(KERN_WARNING "TOMOYO-WARNING: "
-                       "Domain '%s' has so many ACLs to hold. "
+                       "Domain '%s' has too many ACLs to hold. "
                       "Stopped learning mode.\n", domain->domainname->name);
        }
        return false;

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 465df022c211..2b280350708f 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c
@@ -11,16 +11,6 @@
11	#include <linux/security.h>	11	#include <linux/security.h>
12	#include "common.h"	12	#include "common.h"
13		13
14	static struct tomoyo_profile tomoyo_default_profile = {
15	.learning = &tomoyo_default_profile.preference,
16	.permissive = &tomoyo_default_profile.preference,
17	.enforcing = &tomoyo_default_profile.preference,
18	.preference.enforcing_verbose = true,
19	.preference.learning_max_entry = 2048,
20	.preference.learning_verbose = false,
21	.preference.permissive_verbose = true
22	};
23
24	/* Profile version. Currently only 20090903 is defined. */	14	/* Profile version. Currently only 20090903 is defined. */
25	static unsigned int tomoyo_profile_version;	15	static unsigned int tomoyo_profile_version;
26		16
@@ -61,6 +51,11 @@ static const char *tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
61	[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file",	51	[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file",
62	};	52	};
63		53
		54	/* String table for PREFERENCE keyword. */
		55	static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = {
		56	[TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry",
		57	};
		58
64	/* Permit policy management by non-root user? */	59	/* Permit policy management by non-root user? */
65	static bool tomoyo_manage_by_non_root;	60	static bool tomoyo_manage_by_non_root;
66		61
@@ -71,11 +66,22 @@ static bool tomoyo_manage_by_non_root;
71	*	66	*
72	* @value: Bool value.	67	* @value: Bool value.
73	*/	68	*/
		69	/*
74	static const char *tomoyo_yesno(const unsigned int value)	70	static const char *tomoyo_yesno(const unsigned int value)
75	{	71	{
76	return value ? "yes" : "no";	72	return value ? "yes" : "no";
77	}	73	}
		74	*/
78		75
		76	/**
		77	* tomoyo_addprintf - strncat()-like-snprintf().
		78	*
		79	* @buffer: Buffer to write to. Must be '\0'-terminated.
		80	* @len: Size of @buffer.
		81	* @fmt: The printf()'s format string, followed by parameters.
		82	*
		83	* Returns nothing.
		84	*/
79	static void tomoyo_addprintf(char buffer, int len, const char fmt, ...)	85	static void tomoyo_addprintf(char buffer, int len, const char fmt, ...)
80	{	86	{
81	va_list args;	87	va_list args;
@@ -294,12 +300,10 @@ static struct tomoyo_profile *tomoyo_assign_profile(const unsigned int profile)
294	ptr = tomoyo_profile_ptr[profile];	300	ptr = tomoyo_profile_ptr[profile];
295	if (!ptr && tomoyo_memory_ok(entry)) {	301	if (!ptr && tomoyo_memory_ok(entry)) {
296	ptr = entry;	302	ptr = entry;
297	ptr->learning = &tomoyo_default_profile.preference;
298	ptr->permissive = &tomoyo_default_profile.preference;
299	ptr->enforcing = &tomoyo_default_profile.preference;
300	ptr->default_config = TOMOYO_CONFIG_DISABLED;	303	ptr->default_config = TOMOYO_CONFIG_DISABLED;
301	memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT,	304	memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT,
302	sizeof(ptr->config));	305	sizeof(ptr->config));
		306	ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = 2048;
303	mb(); /* Avoid out-of-order execution. */	307	mb(); /* Avoid out-of-order execution. */
304	tomoyo_profile_ptr[profile] = ptr;	308	tomoyo_profile_ptr[profile] = ptr;
305	entry = NULL;	309	entry = NULL;
@@ -319,13 +323,22 @@ static struct tomoyo_profile *tomoyo_assign_profile(const unsigned int profile)
319	*/	323	*/
320	struct tomoyo_profile *tomoyo_profile(const u8 profile)	324	struct tomoyo_profile *tomoyo_profile(const u8 profile)
321	{	325	{
		326	static struct tomoyo_profile tomoyo_null_profile;
322	struct tomoyo_profile *ptr = tomoyo_profile_ptr[profile];	327	struct tomoyo_profile *ptr = tomoyo_profile_ptr[profile];
323	if (!tomoyo_policy_loaded)	328	if (!ptr)
324	return &tomoyo_default_profile;	329	ptr = &tomoyo_null_profile;
325	BUG_ON(!ptr);
326	return ptr;	330	return ptr;
327	}	331	}
328		332
		333	/**
		334	* tomoyo_find_yesno - Find values for specified keyword.
		335	*
		336	* @string: String to check.
		337	* @find: Name of keyword.
		338	*
		339	* Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise.
		340	*/
		341	/*
329	static s8 tomoyo_find_yesno(const char string, const char find)	342	static s8 tomoyo_find_yesno(const char string, const char find)
330	{	343	{
331	const char *cp = strstr(string, find);	344	const char *cp = strstr(string, find);
@@ -338,19 +351,17 @@ static s8 tomoyo_find_yesno(const char string, const char find)
338	}	351	}
339	return -1;	352	return -1;
340	}	353	}
		354	*/
341		355
342	static void tomoyo_set_bool(bool b, const char string, const char *find)	356	/**
343	{	357	* tomoyo_set_uint - Set value for specified preference.
344	switch (tomoyo_find_yesno(string, find)) {	358	*
345	case 1:	359	* @i: Pointer to "unsigned int".
346	*b = true;	360	* @string: String to check.
347	break;	361	* @find: Name of keyword.
348	case 0:	362	*
349	*b = false;	363	* Returns nothing.
350	break;	364	*/
351	}
352	}
353
354	static void tomoyo_set_uint(unsigned int i, const char string,	365	static void tomoyo_set_uint(unsigned int i, const char string,
355	const char *find)	366	const char *find)
356	{	367	{
@@ -359,51 +370,16 @@ static void tomoyo_set_uint(unsigned int i, const char string,
359	sscanf(cp + strlen(find), "=%u", i);	370	sscanf(cp + strlen(find), "=%u", i);
360	}	371	}
361		372
362	static void tomoyo_set_pref(const char name, const char value,	373	/**
363	const bool use_default,	374	* tomoyo_set_mode - Set mode for specified profile.
364	struct tomoyo_profile *profile)	375	*
365	{	376	* @name: Name of functionality.
366	struct tomoyo_preference **pref;	377	* @value: Mode for @name.
367	bool *verbose;	378	* @profile: Pointer to "struct tomoyo_profile".
368	if (!strcmp(name, "enforcing")) {	379	*
369	if (use_default) {	380	* Returns 0 on success, negative value otherwise.
370	pref = &profile->enforcing;	381	*/
371	goto set_default;
372	}
373	profile->enforcing = &profile->preference;
374	verbose = &profile->preference.enforcing_verbose;
375	goto set_verbose;
376	}
377	if (!strcmp(name, "permissive")) {
378	if (use_default) {
379	pref = &profile->permissive;
380	goto set_default;
381	}
382	profile->permissive = &profile->preference;
383	verbose = &profile->preference.permissive_verbose;
384	goto set_verbose;
385	}
386	if (!strcmp(name, "learning")) {
387	if (use_default) {
388	pref = &profile->learning;
389	goto set_default;
390	}
391	profile->learning = &profile->preference;
392	tomoyo_set_uint(&profile->preference.learning_max_entry, value,
393	"max_entry");
394	verbose = &profile->preference.learning_verbose;
395	goto set_verbose;
396	}
397	return;
398	set_default:
399	*pref = &tomoyo_default_profile.preference;
400	return;
401	set_verbose:
402	tomoyo_set_bool(verbose, value, "verbose");
403	}
404
405	static int tomoyo_set_mode(char name, const char value,	382	static int tomoyo_set_mode(char name, const char value,
406	const bool use_default,
407	struct tomoyo_profile *profile)	383	struct tomoyo_profile *profile)
408	{	384	{
409	u8 i;	385	u8 i;
@@ -425,7 +401,7 @@ static int tomoyo_set_mode(char name, const char value,
425	} else {	401	} else {
426	return -EINVAL;	402	return -EINVAL;
427	}	403	}
428	if (use_default) {	404	if (strstr(value, "use_default")) {
429	config = TOMOYO_CONFIG_USE_DEFAULT;	405	config = TOMOYO_CONFIG_USE_DEFAULT;
430	} else {	406	} else {
431	u8 mode;	407	u8 mode;
@@ -455,34 +431,21 @@ static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
455	{	431	{
456	char *data = head->write_buf;	432	char *data = head->write_buf;
457	unsigned int i;	433	unsigned int i;
458	bool use_default = false;
459	char *cp;	434	char *cp;
460	struct tomoyo_profile *profile;	435	struct tomoyo_profile *profile;
461	if (sscanf(data, "PROFILE_VERSION=%u", &tomoyo_profile_version) == 1)	436	if (sscanf(data, "PROFILE_VERSION=%u", &tomoyo_profile_version) == 1)
462	return 0;	437	return 0;
463	i = simple_strtoul(data, &cp, 10);	438	i = simple_strtoul(data, &cp, 10);
464	if (data == cp) {	439	if (*cp != '-')
465	profile = &tomoyo_default_profile;	440	return -EINVAL;
466	} else {	441	data = cp + 1;
467	if (*cp != '-')	442	profile = tomoyo_assign_profile(i);
468	return -EINVAL;	443	if (!profile)
469	data = cp + 1;	444	return -EINVAL;
470	profile = tomoyo_assign_profile(i);
471	if (!profile)
472	return -EINVAL;
473	}
474	cp = strchr(data, '=');	445	cp = strchr(data, '=');
475	if (!cp)	446	if (!cp)
476	return -EINVAL;	447	return -EINVAL;
477	*cp++ = '\0';	448	*cp++ = '\0';
478	if (profile != &tomoyo_default_profile)
479	use_default = strstr(cp, "use_default") != NULL;
480	if (tomoyo_str_starts(&data, "PREFERENCE::")) {
481	tomoyo_set_pref(data, cp, use_default, profile);
482	return 0;
483	}
484	if (profile == &tomoyo_default_profile)
485	return -EINVAL;
486	if (!strcmp(data, "COMMENT")) {	449	if (!strcmp(data, "COMMENT")) {
487	static DEFINE_SPINLOCK(lock);	450	static DEFINE_SPINLOCK(lock);
488	const struct tomoyo_path_info *new_comment	451	const struct tomoyo_path_info *new_comment
@@ -497,48 +460,13 @@ static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
497	tomoyo_put_name(old_comment);	460	tomoyo_put_name(old_comment);
498	return 0;	461	return 0;
499	}	462	}
500	return tomoyo_set_mode(data, cp, use_default, profile);	463	if (!strcmp(data, "PREFERENCE")) {
501	}	464	for (i = 0; i < TOMOYO_MAX_PREF; i++)
502		465	tomoyo_set_uint(&profile->pref[i], cp,
503	static void tomoyo_print_preference(struct tomoyo_io_buffer *head,	466	tomoyo_pref_keywords[i]);
504	const int idx)	467	return 0;
505	{
506	struct tomoyo_preference *pref = &tomoyo_default_profile.preference;
507	const struct tomoyo_profile *profile = idx >= 0 ?
508	tomoyo_profile_ptr[idx] : NULL;
509	char buffer[16] = "";
510	if (profile) {
511	buffer[sizeof(buffer) - 1] = '\0';
512	snprintf(buffer, sizeof(buffer) - 1, "%u-", idx);
513	}
514	if (profile) {
515	pref = profile->learning;
516	if (pref == &tomoyo_default_profile.preference)
517	goto skip1;
518	}
519	tomoyo_io_printf(head, "%sPREFERENCE::%s={ "
520	"verbose=%s max_entry=%u }\n",
521	buffer, "learning",
522	tomoyo_yesno(pref->learning_verbose),
523	pref->learning_max_entry);
524	skip1:
525	if (profile) {
526	pref = profile->permissive;
527	if (pref == &tomoyo_default_profile.preference)
528	goto skip2;
529	}
530	tomoyo_io_printf(head, "%sPREFERENCE::%s={ verbose=%s }\n",
531	buffer, "permissive",
532	tomoyo_yesno(pref->permissive_verbose));
533	skip2:
534	if (profile) {
535	pref = profile->enforcing;
536	if (pref == &tomoyo_default_profile.preference)
537	return;
538	}	468	}
539	tomoyo_io_printf(head, "%sPREFERENCE::%s={ verbose=%s }\n",	469	return tomoyo_set_mode(data, cp, profile);
540	buffer, "enforcing",
541	tomoyo_yesno(pref->enforcing_verbose));
542	}	470	}
543		471
544	static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config)	472	static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config)
@@ -561,7 +489,6 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
561	switch (head->r.step) {	489	switch (head->r.step) {
562	case 0:	490	case 0:
563	tomoyo_io_printf(head, "PROFILE_VERSION=%s\n", "20090903");	491	tomoyo_io_printf(head, "PROFILE_VERSION=%s\n", "20090903");
564	tomoyo_print_preference(head, -1);
565	head->r.step++;	492	head->r.step++;
566	break;	493	break;
567	case 1:	494	case 1:
@@ -575,11 +502,18 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
575	break;	502	break;
576	case 2:	503	case 2:
577	{	504	{
		505	u8 i;
578	const struct tomoyo_path_info *comment =	506	const struct tomoyo_path_info *comment =
579	profile->comment;	507	profile->comment;
580	tomoyo_io_printf(head, "%u-COMMENT=", index);	508	tomoyo_io_printf(head, "%u-COMMENT=", index);
581	tomoyo_set_string(head, comment ? comment->name : "");	509	tomoyo_set_string(head, comment ? comment->name : "");
582	tomoyo_set_lf(head);	510	tomoyo_set_lf(head);
		511	tomoyo_io_printf(head, "%u-PREFERENCE={ ", index);
		512	for (i = 0; i < TOMOYO_MAX_PREF; i++)
		513	tomoyo_io_printf(head, "%s=%u ",
		514	tomoyo_pref_keywords[i],
		515	profile->pref[i]);
		516	tomoyo_set_string(head, "}\n");
583	head->r.step++;	517	head->r.step++;
584	}	518	}
585	break;	519	break;
@@ -606,7 +540,6 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
606	}	540	}
607	if (head->r.bit == TOMOYO_MAX_MAC_INDEX	541	if (head->r.bit == TOMOYO_MAX_MAC_INDEX
608	+ TOMOYO_MAX_MAC_CATEGORY_INDEX) {	542	+ TOMOYO_MAX_MAC_CATEGORY_INDEX) {
609	tomoyo_print_preference(head, index);
610	head->r.index++;	543	head->r.index++;
611	head->r.step = 1;	544	head->r.step = 1;
612	}	545	}
@@ -1777,7 +1710,7 @@ static int tomoyo_write_answer(struct tomoyo_io_buffer *head)
1777	static void tomoyo_read_version(struct tomoyo_io_buffer *head)	1710	static void tomoyo_read_version(struct tomoyo_io_buffer *head)
1778	{	1711	{
1779	if (!head->r.eof) {	1712	if (!head->r.eof) {
1780	tomoyo_io_printf(head, "2.3.0");	1713	tomoyo_io_printf(head, "2.4.0");
1781	head->r.eof = true;	1714	head->r.eof = true;
1782	}	1715	}
1783	}	1716	}


diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 139ad7544460..2b39e63234c8 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h
@@ -211,6 +211,12 @@ enum tomoyo_mac_category_index {
211	*/	211	*/
212	#define TOMOYO_RETRY_REQUEST 1	212	#define TOMOYO_RETRY_REQUEST 1
213		213
		214	/* Index numbers for profile's PREFERENCE values. */
		215	enum tomoyo_pref_index {
		216	TOMOYO_PREF_MAX_LEARNING_ENTRY,
		217	TOMOYO_MAX_PREF
		218	};
		219
214	/******** Structure definitions. ********/	220	/******** Structure definitions. ********/
215		221
216	/* Common header for holding ACL entries. */	222	/* Common header for holding ACL entries. */
@@ -497,6 +503,7 @@ struct tomoyo_profile {
497	struct tomoyo_preference preference;	503	struct tomoyo_preference preference;
498	u8 default_config;	504	u8 default_config;
499	u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX];	505	u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX];
		506	unsigned int pref[TOMOYO_MAX_PREF];
500	};	507	};
501		508
502	/******** Function prototypes. ********/	509	/******** Function prototypes. ********/


diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c index 72cd2b97cae8..adcbdebd7352 100644 --- a/security/tomoyo/util.c +++ b/security/tomoyo/util.c
@@ -899,35 +899,10 @@ const char tomoyo_last_word(const char name)
899	*/	899	*/
900	void tomoyo_warn_log(struct tomoyo_request_info r, const char fmt, ...)	900	void tomoyo_warn_log(struct tomoyo_request_info r, const char fmt, ...)
901	{	901	{
902	va_list args;	902	/*
903	char *buffer;	903	* Temporarily disabled.
904	const struct tomoyo_domain_info * const domain = r->domain;	904	* Will be replaced with /sys/kernel/security/tomoyo/audit interface.
905	const struct tomoyo_profile *profile = tomoyo_profile(domain->profile);	905	*/
906	switch (r->mode) {
907	case TOMOYO_CONFIG_ENFORCING:
908	if (!profile->enforcing->enforcing_verbose)
909	return;
910	break;
911	case TOMOYO_CONFIG_PERMISSIVE:
912	if (!profile->permissive->permissive_verbose)
913	return;
914	break;
915	case TOMOYO_CONFIG_LEARNING:
916	if (!profile->learning->learning_verbose)
917	return;
918	break;
919	}
920	buffer = kmalloc(4096, GFP_NOFS);
921	if (!buffer)
922	return;
923	va_start(args, fmt);
924	vsnprintf(buffer, 4095, fmt, args);
925	va_end(args);
926	buffer[4095] = '\0';
927	printk(KERN_WARNING "%s: Access %s denied for %s\n",
928	r->mode == TOMOYO_CONFIG_ENFORCING ? "ERROR" : "WARNING", buffer,
929	tomoyo_last_word(domain->domainname->name));
930	kfree(buffer);
931	}	906	}
932		907
933	/**	908	/**
@@ -978,13 +953,13 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
978	if (perm & (1 << i))	953	if (perm & (1 << i))
979	count++;	954	count++;
980	}	955	}
981	if (count < tomoyo_profile(domain->profile)->learning->	956	if (count < tomoyo_profile(domain->profile)->
982	learning_max_entry)	957	pref[TOMOYO_PREF_MAX_LEARNING_ENTRY])
983	return true;	958	return true;
984	if (!domain->quota_warned) {	959	if (!domain->quota_warned) {
985	domain->quota_warned = true;	960	domain->quota_warned = true;
986	printk(KERN_WARNING "TOMOYO-WARNING: "	961	printk(KERN_WARNING "TOMOYO-WARNING: "
987	"Domain '%s' has so many ACLs to hold. "	962	"Domain '%s' has too many ACLs to hold. "
988	"Stopped learning mode.\n", domain->domainname->name);	963	"Stopped learning mode.\n", domain->domainname->name);
989	}	964	}
990	return false;	965	return false;