Diffstat (limited to 'security/tomoyo/common.h')
| -rw-r--r-- | security/tomoyo/common.h | 53 |
1 files changed, 12 insertions, 41 deletions
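--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -101,11 +101,9 @@ struct tomoyo_path_info_with_data {
 *
 * (1) "list" which is linked to the ->acl_info_list of
 * "struct tomoyo_domain_info"
-* (2) "type" which tells
-* (a) type & 0x7F : type of the entry (either
-* "struct tomoyo_single_path_acl_record" or
-* "struct tomoyo_double_path_acl_record")
-* (b) type & 0x80 : whether the entry is marked as "deleted".
+* (2) "type" which tells type of the entry (either
+* "struct tomoyo_single_path_acl_record" or
+* "struct tomoyo_double_path_acl_record").
 *
 * Packing "struct tomoyo_acl_info" allows
 * "struct tomoyo_single_path_acl_record" to embed "u8" + "u16" and
@@ -114,17 +112,9 @@ struct tomoyo_path_info_with_data {
 */
 struct tomoyo_acl_info {
 struct list_head list;
-/*
-* Type of this ACL entry.
-*
-* MSB is is_deleted flag.
-*/
 u8 type;
 } __packed;
 
-/* This ACL entry is deleted. */
-#define TOMOYO_ACL_DELETED 0x80
-
 /*
 * tomoyo_domain_info is a structure which is used for holding permissions
 * (e.g. "allow_read /lib/libc-2.5.so") given to each domain.
@@ -138,7 +128,13 @@ struct tomoyo_acl_info {
 * "deleted", false otherwise.
 * (6) "quota_warned" is a bool which is used for suppressing warning message
 * when learning mode learned too much entries.
-* (7) "flags" which remembers this domain's attributes.
+* (7) "ignore_global_allow_read" is a bool which is true if this domain
+* should ignore "allow_read" directive in exception policy.
+* (8) "transition_failed" is a bool which is set to true when this domain was
+* unable to create a new domain at tomoyo_find_next_domain() because the
+* name of the domain to be created was too long or it could not allocate
+* memory. If set to true, more than one process continued execve()
+* without domain transition.
 *
 * A domain's lifecycle is an analogy of files on / directory.
 * Multiple domains with the same domainname cannot be created (as with
@@ -155,23 +151,13 @@ struct tomoyo_domain_info {
 u8 profile; /* Profile number to use. */
 bool is_deleted; /* Delete flag. */
 bool quota_warned; /* Quota warnning flag. */
-/* DOMAIN_FLAGS_*. Use tomoyo_set_domain_flag() to modify. */
-u8 flags;
+bool ignore_global_allow_read; /* Ignore "allow_read" flag. */
+bool transition_failed; /* Domain transition failed flag. */
 };
 
 /* Profile number is an integer between 0 and 255. */
 #define TOMOYO_MAX_PROFILES 256
 
-/* Ignore "allow_read" directive in exception policy. */
-#define TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ 1
-/*
-* This domain was unable to create a new domain at tomoyo_find_next_domain()
-* because the name of the domain to be created was too long or
-* it could not allocate memory.
-* More than one process continued execve() without domain transition.
-*/
-#define TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED 2
-
 /*
 * tomoyo_single_path_acl_record is a structure which is used for holding an
 * entry with one pathname operation (e.g. open(), mkdir()).
@@ -380,9 +366,6 @@ unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
 /* Run policy loader when /sbin/init starts. */
 void tomoyo_load_policy(const char *filename);
-/* Change "struct tomoyo_domain_info"->flags. */
-void tomoyo_set_domain_flag(struct tomoyo_domain_info *domain,
-const bool is_delete, const u8 flags);
 
 /* strcmp() for "struct tomoyo_path_info" structure. */
 static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
@@ -391,18 +374,6 @@ static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
 return a->hash != b->hash || strcmp(a->name, b->name);
 }
 
-/* Get type of an ACL entry. */
-static inline u8 tomoyo_acl_type1(struct tomoyo_acl_info *ptr)
-{
-return ptr->type & ~TOMOYO_ACL_DELETED;
-}
-
-/* Get type of an ACL entry. */
-static inline u8 tomoyo_acl_type2(struct tomoyo_acl_info *ptr)
-{
-return ptr->type;
-}
-
 /**
 * tomoyo_is_valid - Check whether the character is a valid char.
 *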
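Review bot: The two bools that replace `flags` in struct tomoyo_domain_info (new lines 154-155) carry no write rule, whereas the removed comment told callers to go through tomoyo_set_domain_flag(), which this commit also drops from the header. The callers are outside this file, so whether they now store to the fields directly, and under which lock if any, cannot be checked from here; presumably one byte per flag is what makes plain stores acceptable, but the header should say so. `transition_failed` matters when auditing policy because it records that execve() continued in the old domain, so I would extend its comment to something like `/* Domain transition failed flag. Set in tomoyo_find_next_domain(); plain store, no lock (confirm). */`. The struct comment for tomoyo_acl_info likewise no longer says how a deleted ACL entry is represented now that the 0x80 bit is gone; one sentence there would help readers of `type`.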
