Diffstat (limited to 'security/tomoyo/common.c')
-rw-r--r--security/tomoyo/common.c42
1 files changed, 6 insertions, 36 deletions
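diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 9eeb19ec6af4..cb1aaf148ad4 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -434,38 +434,6 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
 	head->read_eof = true;
 }
 
-/*
- * tomoyo_policy_manager_list is used for holding list of domainnames or
- * programs which are permitted to modify configuration via
- * /sys/kernel/security/tomoyo/ interface.
- *
- * An entry is added by
- *
- * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
- * /sys/kernel/security/tomoyo/manager
- * (if you want to specify by a domainname)
- *
- * or
- *
- * # echo '/usr/sbin/tomoyo-editpolicy' > /sys/kernel/security/tomoyo/manager
- * (if you want to specify by a program's location)
- *
- * and is deleted by
- *
- * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
- * /sys/kernel/security/tomoyo/manager
- *
- * or
- *
- * # echo 'delete /usr/sbin/tomoyo-editpolicy' > \
- * /sys/kernel/security/tomoyo/manager
- *
- * and all entries are retrieved by
- *
- * # cat /sys/kernel/security/tomoyo/manager
- */
-LIST_HEAD(tomoyo_policy_manager_list);
-
 static bool tomoyo_same_manager_entry(const struct tomoyo_acl_head *a,
 				      const struct tomoyo_acl_head *b)
 {
@@ -503,7 +471,7 @@ static int tomoyo_update_manager_entry(const char *manager,
 	if (!e.manager)
 		return -ENOMEM;
 	error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
-				     &tomoyo_policy_manager_list,
+				     &tomoyo_policy_list[TOMOYO_ID_MANAGER],
 				     tomoyo_same_manager_entry);
 	tomoyo_put_name(e.manager);
 	return error;
@@ -545,7 +513,7 @@ static void tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
 	if (head->read_eof)
 		return;
 	list_for_each_cookie(pos, head->read_var2,
-			     &tomoyo_policy_manager_list) {
+			     &tomoyo_policy_list[TOMOYO_ID_MANAGER]) {
 		struct tomoyo_policy_manager_entry *ptr;
 		ptr = list_entry(pos, struct tomoyo_policy_manager_entry,
 				 head.list);
@@ -578,7 +546,8 @@ static bool tomoyo_policy_manager(void)
 		return true;
 	if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
 		return false;
-	list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, head.list) {
+	list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_MANAGER],
+				head.list) {
 		if (!ptr->head.is_deleted && ptr->is_domain
 		    && !tomoyo_pathcmp(domainname, ptr->manager)) {
 			found = true;
@@ -590,7 +559,8 @@ static bool tomoyo_policy_manager(void)
 	exe = tomoyo_get_exe();
 	if (!exe)
 		return false;
-	list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, head.list) {
+	list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_MANAGER],
+				head.list) {
 		if (!ptr->head.is_deleted && !ptr->is_domain
 		    && !strcmp(exe, ptr->manager->name)) {
 			found = true;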
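Review bot: The block comment dropped in the first hunk (old lines 437–466) was the only text in this file stating what a manager entry means — the domainnames or programs permitted to modify policy through /sys/kernel/security/tomoyo/manager, plus the add/delete/cat syntax — and nothing on the new side carries that description over to the `tomoyo_policy_list[TOMOYO_ID_MANAGER]` users. The array is presumably defined in another file and the description may have moved with it, but the authorization meaning of this list is easiest to find next to the code that enforces it, so I'd keep a short comment above `tomoyo_update_manager_entry`, e.g. `/* tomoyo_policy_list[TOMOYO_ID_MANAGER] holds the domainnames or programs` / ` * allowed to modify policy via /sys/kernel/security/tomoyo/manager. */`. The same applies to the two lookups in `tomoyo_policy_manager` (last two hunks), whose body starts and ends outside the hunks; a one-line pointer there to the same comment would make the privilege check self-explanatory.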