aboutsummaryrefslogtreecommitdiffstats
path: root/security/tomoyo/file.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/tomoyo/file.c')
-rw-r--r--security/tomoyo/file.c295
1 files changed, 139 insertions, 156 deletions
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 10ee7cece080..09feaf24864d 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -12,62 +12,62 @@
12#include "common.h" 12#include "common.h"
13 13
14/* Keyword array for single path operations. */ 14/* Keyword array for single path operations. */
15static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = { 15static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
16 [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write", 16 [TOMOYO_TYPE_READ_WRITE] = "read/write",
17 [TOMOYO_TYPE_EXECUTE_ACL] = "execute", 17 [TOMOYO_TYPE_EXECUTE] = "execute",
18 [TOMOYO_TYPE_READ_ACL] = "read", 18 [TOMOYO_TYPE_READ] = "read",
19 [TOMOYO_TYPE_WRITE_ACL] = "write", 19 [TOMOYO_TYPE_WRITE] = "write",
20 [TOMOYO_TYPE_CREATE_ACL] = "create", 20 [TOMOYO_TYPE_CREATE] = "create",
21 [TOMOYO_TYPE_UNLINK_ACL] = "unlink", 21 [TOMOYO_TYPE_UNLINK] = "unlink",
22 [TOMOYO_TYPE_MKDIR_ACL] = "mkdir", 22 [TOMOYO_TYPE_MKDIR] = "mkdir",
23 [TOMOYO_TYPE_RMDIR_ACL] = "rmdir", 23 [TOMOYO_TYPE_RMDIR] = "rmdir",
24 [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo", 24 [TOMOYO_TYPE_MKFIFO] = "mkfifo",
25 [TOMOYO_TYPE_MKSOCK_ACL] = "mksock", 25 [TOMOYO_TYPE_MKSOCK] = "mksock",
26 [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock", 26 [TOMOYO_TYPE_MKBLOCK] = "mkblock",
27 [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar", 27 [TOMOYO_TYPE_MKCHAR] = "mkchar",
28 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate", 28 [TOMOYO_TYPE_TRUNCATE] = "truncate",
29 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink", 29 [TOMOYO_TYPE_SYMLINK] = "symlink",
30 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite", 30 [TOMOYO_TYPE_REWRITE] = "rewrite",
31 [TOMOYO_TYPE_IOCTL_ACL] = "ioctl", 31 [TOMOYO_TYPE_IOCTL] = "ioctl",
32 [TOMOYO_TYPE_CHMOD_ACL] = "chmod", 32 [TOMOYO_TYPE_CHMOD] = "chmod",
33 [TOMOYO_TYPE_CHOWN_ACL] = "chown", 33 [TOMOYO_TYPE_CHOWN] = "chown",
34 [TOMOYO_TYPE_CHGRP_ACL] = "chgrp", 34 [TOMOYO_TYPE_CHGRP] = "chgrp",
35 [TOMOYO_TYPE_CHROOT_ACL] = "chroot", 35 [TOMOYO_TYPE_CHROOT] = "chroot",
36 [TOMOYO_TYPE_MOUNT_ACL] = "mount", 36 [TOMOYO_TYPE_MOUNT] = "mount",
37 [TOMOYO_TYPE_UMOUNT_ACL] = "unmount", 37 [TOMOYO_TYPE_UMOUNT] = "unmount",
38}; 38};
39 39
40/* Keyword array for double path operations. */ 40/* Keyword array for double path operations. */
41static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = { 41static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
42 [TOMOYO_TYPE_LINK_ACL] = "link", 42 [TOMOYO_TYPE_LINK] = "link",
43 [TOMOYO_TYPE_RENAME_ACL] = "rename", 43 [TOMOYO_TYPE_RENAME] = "rename",
44 [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root", 44 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
45}; 45};
46 46
47/** 47/**
48 * tomoyo_sp2keyword - Get the name of single path operation. 48 * tomoyo_path2keyword - Get the name of single path operation.
49 * 49 *
50 * @operation: Type of operation. 50 * @operation: Type of operation.
51 * 51 *
52 * Returns the name of single path operation. 52 * Returns the name of single path operation.
53 */ 53 */
54const char *tomoyo_sp2keyword(const u8 operation) 54const char *tomoyo_path2keyword(const u8 operation)
55{ 55{
56 return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION) 56 return (operation < TOMOYO_MAX_PATH_OPERATION)
57 ? tomoyo_sp_keyword[operation] : NULL; 57 ? tomoyo_path_keyword[operation] : NULL;
58} 58}
59 59
60/** 60/**
61 * tomoyo_dp2keyword - Get the name of double path operation. 61 * tomoyo_path22keyword - Get the name of double path operation.
62 * 62 *
63 * @operation: Type of operation. 63 * @operation: Type of operation.
64 * 64 *
65 * Returns the name of double path operation. 65 * Returns the name of double path operation.
66 */ 66 */
67const char *tomoyo_dp2keyword(const u8 operation) 67const char *tomoyo_path22keyword(const u8 operation)
68{ 68{
69 return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION) 69 return (operation < TOMOYO_MAX_PATH2_OPERATION)
70 ? tomoyo_dp_keyword[operation] : NULL; 70 ? tomoyo_path2_keyword[operation] : NULL;
71} 71}
72 72
73/** 73/**
@@ -115,13 +115,13 @@ static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
115 return NULL; 115 return NULL;
116} 116}
117 117
118static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, 118static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
119 const char *filename2, 119 const char *filename2,
120 struct tomoyo_domain_info * 120 struct tomoyo_domain_info *const domain,
121 const domain, const bool is_delete); 121 const bool is_delete);
122static int tomoyo_update_single_path_acl(const u8 type, const char *filename, 122static int tomoyo_update_path_acl(const u8 type, const char *filename,
123 struct tomoyo_domain_info * 123 struct tomoyo_domain_info *const domain,
124 const domain, const bool is_delete); 124 const bool is_delete);
125 125
126/* 126/*
127 * tomoyo_globally_readable_list is used for holding list of pathnames which 127 * tomoyo_globally_readable_list is used for holding list of pathnames which
@@ -597,19 +597,19 @@ static int tomoyo_update_file_acl(const char *filename, u8 perm,
597 */ 597 */
598 return 0; 598 return 0;
599 if (perm & 4) 599 if (perm & 4)
600 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename, 600 tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain,
601 domain, is_delete); 601 is_delete);
602 if (perm & 2) 602 if (perm & 2)
603 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename, 603 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain,
604 domain, is_delete); 604 is_delete);
605 if (perm & 1) 605 if (perm & 1)
606 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL, 606 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain,
607 filename, domain, is_delete); 607 is_delete);
608 return 0; 608 return 0;
609} 609}
610 610
611/** 611/**
612 * tomoyo_check_single_path_acl2 - Check permission for single path operation. 612 * tomoyo_path_acl2 - Check permission for single path operation.
613 * 613 *
614 * @domain: Pointer to "struct tomoyo_domain_info". 614 * @domain: Pointer to "struct tomoyo_domain_info".
615 * @filename: Filename to check. 615 * @filename: Filename to check.
@@ -620,22 +620,18 @@ static int tomoyo_update_file_acl(const char *filename, u8 perm,
620 * 620 *
621 * Caller holds tomoyo_read_lock(). 621 * Caller holds tomoyo_read_lock().
622 */ 622 */
623static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info * 623static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain,
624 domain, 624 const struct tomoyo_path_info *filename,
625 const struct tomoyo_path_info * 625 const u32 perm, const bool may_use_pattern)
626 filename,
627 const u32 perm,
628 const bool may_use_pattern)
629{ 626{
630 struct tomoyo_acl_info *ptr; 627 struct tomoyo_acl_info *ptr;
631 int error = -EPERM; 628 int error = -EPERM;
632 629
633 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 630 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
634 struct tomoyo_single_path_acl_record *acl; 631 struct tomoyo_path_acl *acl;
635 if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL) 632 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
636 continue; 633 continue;
637 acl = container_of(ptr, struct tomoyo_single_path_acl_record, 634 acl = container_of(ptr, struct tomoyo_path_acl, head);
638 head);
639 if (perm <= 0xFFFF) { 635 if (perm <= 0xFFFF) {
640 if (!(acl->perm & perm)) 636 if (!(acl->perm & perm))
641 continue; 637 continue;
@@ -676,17 +672,16 @@ static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
676 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 672 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
677 return 0; 673 return 0;
678 if (operation == 6) 674 if (operation == 6)
679 perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL; 675 perm = 1 << TOMOYO_TYPE_READ_WRITE;
680 else if (operation == 4) 676 else if (operation == 4)
681 perm = 1 << TOMOYO_TYPE_READ_ACL; 677 perm = 1 << TOMOYO_TYPE_READ;
682 else if (operation == 2) 678 else if (operation == 2)
683 perm = 1 << TOMOYO_TYPE_WRITE_ACL; 679 perm = 1 << TOMOYO_TYPE_WRITE;
684 else if (operation == 1) 680 else if (operation == 1)
685 perm = 1 << TOMOYO_TYPE_EXECUTE_ACL; 681 perm = 1 << TOMOYO_TYPE_EXECUTE;
686 else 682 else
687 BUG(); 683 BUG();
688 return tomoyo_check_single_path_acl2(domain, filename, perm, 684 return tomoyo_path_acl2(domain, filename, perm, operation != 1);
689 operation != 1);
690} 685}
691 686
692/** 687/**
@@ -718,13 +713,13 @@ static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
718 && tomoyo_is_globally_readable_file(filename)) 713 && tomoyo_is_globally_readable_file(filename))
719 error = 0; 714 error = 0;
720 if (perm == 6) 715 if (perm == 6)
721 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL); 716 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
722 else if (perm == 4) 717 else if (perm == 4)
723 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL); 718 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
724 else if (perm == 2) 719 else if (perm == 2)
725 msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL); 720 msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
726 else if (perm == 1) 721 else if (perm == 1)
727 msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL); 722 msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
728 else 723 else
729 BUG(); 724 BUG();
730 if (!error) 725 if (!error)
@@ -773,28 +768,28 @@ int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
773 if (strncmp(data, "allow_", 6)) 768 if (strncmp(data, "allow_", 6))
774 goto out; 769 goto out;
775 data += 6; 770 data += 6;
776 for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) { 771 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) {
777 if (strcmp(data, tomoyo_sp_keyword[type])) 772 if (strcmp(data, tomoyo_path_keyword[type]))
778 continue; 773 continue;
779 return tomoyo_update_single_path_acl(type, filename, 774 return tomoyo_update_path_acl(type, filename, domain,
780 domain, is_delete); 775 is_delete);
781 } 776 }
782 filename2 = strchr(filename, ' '); 777 filename2 = strchr(filename, ' ');
783 if (!filename2) 778 if (!filename2)
784 goto out; 779 goto out;
785 *filename2++ = '\0'; 780 *filename2++ = '\0';
786 for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) { 781 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) {
787 if (strcmp(data, tomoyo_dp_keyword[type])) 782 if (strcmp(data, tomoyo_path2_keyword[type]))
788 continue; 783 continue;
789 return tomoyo_update_double_path_acl(type, filename, filename2, 784 return tomoyo_update_path2_acl(type, filename, filename2,
790 domain, is_delete); 785 domain, is_delete);
791 } 786 }
792 out: 787 out:
793 return -EINVAL; 788 return -EINVAL;
794} 789}
795 790
796/** 791/**
797 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list. 792 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
798 * 793 *
799 * @type: Type of operation. 794 * @type: Type of operation.
800 * @filename: Filename. 795 * @filename: Filename.
@@ -805,15 +800,15 @@ int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
805 * 800 *
806 * Caller holds tomoyo_read_lock(). 801 * Caller holds tomoyo_read_lock().
807 */ 802 */
808static int tomoyo_update_single_path_acl(const u8 type, const char *filename, 803static int tomoyo_update_path_acl(const u8 type, const char *filename,
809 struct tomoyo_domain_info * 804 struct tomoyo_domain_info *const domain,
810 const domain, const bool is_delete) 805 const bool is_delete)
811{ 806{
812 static const u32 rw_mask = 807 static const u32 rw_mask =
813 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL); 808 (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE);
814 const struct tomoyo_path_info *saved_filename; 809 const struct tomoyo_path_info *saved_filename;
815 struct tomoyo_acl_info *ptr; 810 struct tomoyo_acl_info *ptr;
816 struct tomoyo_single_path_acl_record *entry = NULL; 811 struct tomoyo_path_acl *entry = NULL;
817 int error = is_delete ? -ENOENT : -ENOMEM; 812 int error = is_delete ? -ENOENT : -ENOMEM;
818 const u32 perm = 1 << type; 813 const u32 perm = 1 << type;
819 814
@@ -828,10 +823,9 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
828 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 823 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
829 mutex_lock(&tomoyo_policy_lock); 824 mutex_lock(&tomoyo_policy_lock);
830 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 825 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
831 struct tomoyo_single_path_acl_record *acl = 826 struct tomoyo_path_acl *acl =
832 container_of(ptr, struct tomoyo_single_path_acl_record, 827 container_of(ptr, struct tomoyo_path_acl, head);
833 head); 828 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
834 if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL)
835 continue; 829 continue;
836 if (acl->filename != saved_filename) 830 if (acl->filename != saved_filename)
837 continue; 831 continue;
@@ -841,9 +835,8 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
841 else 835 else
842 acl->perm_high &= ~(perm >> 16); 836 acl->perm_high &= ~(perm >> 16);
843 if ((acl->perm & rw_mask) != rw_mask) 837 if ((acl->perm & rw_mask) != rw_mask)
844 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL); 838 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE);
845 else if (!(acl->perm & 839 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)))
846 (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
847 acl->perm &= ~rw_mask; 840 acl->perm &= ~rw_mask;
848 } else { 841 } else {
849 if (perm <= 0xFFFF) 842 if (perm <= 0xFFFF)
@@ -851,20 +844,20 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
851 else 844 else
852 acl->perm_high |= (perm >> 16); 845 acl->perm_high |= (perm >> 16);
853 if ((acl->perm & rw_mask) == rw_mask) 846 if ((acl->perm & rw_mask) == rw_mask)
854 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL; 847 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE;
855 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 848 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))
856 acl->perm |= rw_mask; 849 acl->perm |= rw_mask;
857 } 850 }
858 error = 0; 851 error = 0;
859 break; 852 break;
860 } 853 }
861 if (!is_delete && error && tomoyo_memory_ok(entry)) { 854 if (!is_delete && error && tomoyo_memory_ok(entry)) {
862 entry->head.type = TOMOYO_TYPE_SINGLE_PATH_ACL; 855 entry->head.type = TOMOYO_TYPE_PATH_ACL;
863 if (perm <= 0xFFFF) 856 if (perm <= 0xFFFF)
864 entry->perm = perm; 857 entry->perm = perm;
865 else 858 else
866 entry->perm_high = (perm >> 16); 859 entry->perm_high = (perm >> 16);
867 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 860 if (perm == (1 << TOMOYO_TYPE_READ_WRITE))
868 entry->perm |= rw_mask; 861 entry->perm |= rw_mask;
869 entry->filename = saved_filename; 862 entry->filename = saved_filename;
870 saved_filename = NULL; 863 saved_filename = NULL;
@@ -879,7 +872,7 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
879} 872}
880 873
881/** 874/**
882 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list. 875 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
883 * 876 *
884 * @type: Type of operation. 877 * @type: Type of operation.
885 * @filename1: First filename. 878 * @filename1: First filename.
@@ -891,15 +884,15 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
891 * 884 *
892 * Caller holds tomoyo_read_lock(). 885 * Caller holds tomoyo_read_lock().
893 */ 886 */
894static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, 887static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
895 const char *filename2, 888 const char *filename2,
896 struct tomoyo_domain_info * 889 struct tomoyo_domain_info *const domain,
897 const domain, const bool is_delete) 890 const bool is_delete)
898{ 891{
899 const struct tomoyo_path_info *saved_filename1; 892 const struct tomoyo_path_info *saved_filename1;
900 const struct tomoyo_path_info *saved_filename2; 893 const struct tomoyo_path_info *saved_filename2;
901 struct tomoyo_acl_info *ptr; 894 struct tomoyo_acl_info *ptr;
902 struct tomoyo_double_path_acl_record *entry = NULL; 895 struct tomoyo_path2_acl *entry = NULL;
903 int error = is_delete ? -ENOENT : -ENOMEM; 896 int error = is_delete ? -ENOENT : -ENOMEM;
904 const u8 perm = 1 << type; 897 const u8 perm = 1 << type;
905 898
@@ -916,10 +909,9 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
916 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 909 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
917 mutex_lock(&tomoyo_policy_lock); 910 mutex_lock(&tomoyo_policy_lock);
918 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 911 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
919 struct tomoyo_double_path_acl_record *acl = 912 struct tomoyo_path2_acl *acl =
920 container_of(ptr, struct tomoyo_double_path_acl_record, 913 container_of(ptr, struct tomoyo_path2_acl, head);
921 head); 914 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
922 if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL)
923 continue; 915 continue;
924 if (acl->filename1 != saved_filename1 || 916 if (acl->filename1 != saved_filename1 ||
925 acl->filename2 != saved_filename2) 917 acl->filename2 != saved_filename2)
@@ -932,7 +924,7 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
932 break; 924 break;
933 } 925 }
934 if (!is_delete && error && tomoyo_memory_ok(entry)) { 926 if (!is_delete && error && tomoyo_memory_ok(entry)) {
935 entry->head.type = TOMOYO_TYPE_DOUBLE_PATH_ACL; 927 entry->head.type = TOMOYO_TYPE_PATH2_ACL;
936 entry->perm = perm; 928 entry->perm = perm;
937 entry->filename1 = saved_filename1; 929 entry->filename1 = saved_filename1;
938 saved_filename1 = NULL; 930 saved_filename1 = NULL;
@@ -951,7 +943,7 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
951} 943}
952 944
953/** 945/**
954 * tomoyo_check_single_path_acl - Check permission for single path operation. 946 * tomoyo_path_acl - Check permission for single path operation.
955 * 947 *
956 * @domain: Pointer to "struct tomoyo_domain_info". 948 * @domain: Pointer to "struct tomoyo_domain_info".
957 * @type: Type of operation. 949 * @type: Type of operation.
@@ -961,17 +953,16 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
961 * 953 *
962 * Caller holds tomoyo_read_lock(). 954 * Caller holds tomoyo_read_lock().
963 */ 955 */
964static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain, 956static int tomoyo_path_acl(struct tomoyo_domain_info *domain, const u8 type,
965 const u8 type, 957 const struct tomoyo_path_info *filename)
966 const struct tomoyo_path_info *filename)
967{ 958{
968 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 959 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
969 return 0; 960 return 0;
970 return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1); 961 return tomoyo_path_acl2(domain, filename, 1 << type, 1);
971} 962}
972 963
973/** 964/**
974 * tomoyo_check_double_path_acl - Check permission for double path operation. 965 * tomoyo_path2_acl - Check permission for double path operation.
975 * 966 *
976 * @domain: Pointer to "struct tomoyo_domain_info". 967 * @domain: Pointer to "struct tomoyo_domain_info".
977 * @type: Type of operation. 968 * @type: Type of operation.
@@ -982,12 +973,10 @@ static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
982 * 973 *
983 * Caller holds tomoyo_read_lock(). 974 * Caller holds tomoyo_read_lock().
984 */ 975 */
985static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain, 976static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain,
986 const u8 type, 977 const u8 type,
987 const struct tomoyo_path_info * 978 const struct tomoyo_path_info *filename1,
988 filename1, 979 const struct tomoyo_path_info *filename2)
989 const struct tomoyo_path_info *
990 filename2)
991{ 980{
992 struct tomoyo_acl_info *ptr; 981 struct tomoyo_acl_info *ptr;
993 const u8 perm = 1 << type; 982 const u8 perm = 1 << type;
@@ -996,11 +985,10 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
996 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 985 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
997 return 0; 986 return 0;
998 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 987 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
999 struct tomoyo_double_path_acl_record *acl; 988 struct tomoyo_path2_acl *acl;
1000 if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL) 989 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
1001 continue; 990 continue;
1002 acl = container_of(ptr, struct tomoyo_double_path_acl_record, 991 acl = container_of(ptr, struct tomoyo_path2_acl, head);
1003 head);
1004 if (!(acl->perm & perm)) 992 if (!(acl->perm & perm))
1005 continue; 993 continue;
1006 if (!tomoyo_path_matches_pattern(filename1, acl->filename1)) 994 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
@@ -1014,7 +1002,7 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
1014} 1002}
1015 1003
1016/** 1004/**
1017 * tomoyo_check_single_path_permission2 - Check permission for single path operation. 1005 * tomoyo_path_permission2 - Check permission for single path operation.
1018 * 1006 *
1019 * @domain: Pointer to "struct tomoyo_domain_info". 1007 * @domain: Pointer to "struct tomoyo_domain_info".
1020 * @operation: Type of operation. 1008 * @operation: Type of operation.
@@ -1025,10 +1013,10 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
1025 * 1013 *
1026 * Caller holds tomoyo_read_lock(). 1014 * Caller holds tomoyo_read_lock().
1027 */ 1015 */
1028static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * 1016static int tomoyo_path_permission2(struct tomoyo_domain_info *const domain,
1029 const domain, u8 operation, 1017 u8 operation,
1030 const struct tomoyo_path_info * 1018 const struct tomoyo_path_info *filename,
1031 filename, const u8 mode) 1019 const u8 mode)
1032{ 1020{
1033 const char *msg; 1021 const char *msg;
1034 int error; 1022 int error;
@@ -1037,8 +1025,8 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1037 if (!mode) 1025 if (!mode)
1038 return 0; 1026 return 0;
1039 next: 1027 next:
1040 error = tomoyo_check_single_path_acl(domain, operation, filename); 1028 error = tomoyo_path_acl(domain, operation, filename);
1041 msg = tomoyo_sp2keyword(operation); 1029 msg = tomoyo_path2keyword(operation);
1042 if (!error) 1030 if (!error)
1043 goto ok; 1031 goto ok;
1044 if (tomoyo_verbose_mode(domain)) 1032 if (tomoyo_verbose_mode(domain))
@@ -1047,7 +1035,7 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1047 tomoyo_get_last_name(domain)); 1035 tomoyo_get_last_name(domain));
1048 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 1036 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1049 const char *name = tomoyo_get_file_pattern(filename)->name; 1037 const char *name = tomoyo_get_file_pattern(filename)->name;
1050 tomoyo_update_single_path_acl(operation, name, domain, false); 1038 tomoyo_update_path_acl(operation, name, domain, false);
1051 } 1039 }
1052 if (!is_enforce) 1040 if (!is_enforce)
1053 error = 0; 1041 error = 0;
@@ -1057,9 +1045,9 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1057 * we need to check "allow_rewrite" permission if the filename is 1045 * we need to check "allow_rewrite" permission if the filename is
1058 * specified by "deny_rewrite" keyword. 1046 * specified by "deny_rewrite" keyword.
1059 */ 1047 */
1060 if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL && 1048 if (!error && operation == TOMOYO_TYPE_TRUNCATE &&
1061 tomoyo_is_no_rewrite_file(filename)) { 1049 tomoyo_is_no_rewrite_file(filename)) {
1062 operation = TOMOYO_TYPE_REWRITE_ACL; 1050 operation = TOMOYO_TYPE_REWRITE;
1063 goto next; 1051 goto next;
1064 } 1052 }
1065 return error; 1053 return error;
@@ -1127,17 +1115,15 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1127 if ((acc_mode & MAY_WRITE) && 1115 if ((acc_mode & MAY_WRITE) &&
1128 ((flag & O_TRUNC) || !(flag & O_APPEND)) && 1116 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1129 (tomoyo_is_no_rewrite_file(buf))) { 1117 (tomoyo_is_no_rewrite_file(buf))) {
1130 error = tomoyo_check_single_path_permission2(domain, 1118 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE,
1131 TOMOYO_TYPE_REWRITE_ACL, 1119 buf, mode);
1132 buf, mode);
1133 } 1120 }
1134 if (!error) 1121 if (!error)
1135 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open", 1122 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1136 mode); 1123 mode);
1137 if (!error && (flag & O_TRUNC)) 1124 if (!error && (flag & O_TRUNC))
1138 error = tomoyo_check_single_path_permission2(domain, 1125 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_TRUNCATE,
1139 TOMOYO_TYPE_TRUNCATE_ACL, 1126 buf, mode);
1140 buf, mode);
1141 out: 1127 out:
1142 kfree(buf); 1128 kfree(buf);
1143 tomoyo_read_unlock(idx); 1129 tomoyo_read_unlock(idx);
@@ -1147,7 +1133,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1147} 1133}
1148 1134
1149/** 1135/**
1150 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". 1136 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1151 * 1137 *
1152 * @domain: Pointer to "struct tomoyo_domain_info". 1138 * @domain: Pointer to "struct tomoyo_domain_info".
1153 * @operation: Type of operation. 1139 * @operation: Type of operation.
@@ -1155,8 +1141,8 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1155 * 1141 *
1156 * Returns 0 on success, negative value otherwise. 1142 * Returns 0 on success, negative value otherwise.
1157 */ 1143 */
1158int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, 1144int tomoyo_path_perm(struct tomoyo_domain_info *domain,
1159 const u8 operation, struct path *path) 1145 const u8 operation, struct path *path)
1160{ 1146{
1161 int error = -ENOMEM; 1147 int error = -ENOMEM;
1162 struct tomoyo_path_info *buf; 1148 struct tomoyo_path_info *buf;
@@ -1171,9 +1157,9 @@ int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1171 if (!buf) 1157 if (!buf)
1172 goto out; 1158 goto out;
1173 switch (operation) { 1159 switch (operation) {
1174 case TOMOYO_TYPE_MKDIR_ACL: 1160 case TOMOYO_TYPE_MKDIR:
1175 case TOMOYO_TYPE_RMDIR_ACL: 1161 case TOMOYO_TYPE_RMDIR:
1176 case TOMOYO_TYPE_CHROOT_ACL: 1162 case TOMOYO_TYPE_CHROOT:
1177 if (!buf->is_dir) { 1163 if (!buf->is_dir) {
1178 /* 1164 /*
1179 * tomoyo_get_path() reserves space for appending "/." 1165 * tomoyo_get_path() reserves space for appending "/."
@@ -1182,8 +1168,7 @@ int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1182 tomoyo_fill_path_info(buf); 1168 tomoyo_fill_path_info(buf);
1183 } 1169 }
1184 } 1170 }
1185 error = tomoyo_check_single_path_permission2(domain, operation, buf, 1171 error = tomoyo_path_permission2(domain, operation, buf, mode);
1186 mode);
1187 out: 1172 out:
1188 kfree(buf); 1173 kfree(buf);
1189 tomoyo_read_unlock(idx); 1174 tomoyo_read_unlock(idx);
@@ -1220,9 +1205,7 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1220 error = 0; 1205 error = 0;
1221 goto out; 1206 goto out;
1222 } 1207 }
1223 error = tomoyo_check_single_path_permission2(domain, 1208 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, buf, mode);
1224 TOMOYO_TYPE_REWRITE_ACL,
1225 buf, mode);
1226 out: 1209 out:
1227 kfree(buf); 1210 kfree(buf);
1228 tomoyo_read_unlock(idx); 1211 tomoyo_read_unlock(idx);
@@ -1232,7 +1215,7 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1232} 1215}
1233 1216
1234/** 1217/**
1235 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root". 1218 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1236 * 1219 *
1237 * @domain: Pointer to "struct tomoyo_domain_info". 1220 * @domain: Pointer to "struct tomoyo_domain_info".
1238 * @operation: Type of operation. 1221 * @operation: Type of operation.
@@ -1241,9 +1224,9 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1241 * 1224 *
1242 * Returns 0 on success, negative value otherwise. 1225 * Returns 0 on success, negative value otherwise.
1243 */ 1226 */
1244int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain, 1227int tomoyo_path2_perm(struct tomoyo_domain_info * const domain,
1245 const u8 operation, struct path *path1, 1228 const u8 operation, struct path *path1,
1246 struct path *path2) 1229 struct path *path2)
1247{ 1230{
1248 int error = -ENOMEM; 1231 int error = -ENOMEM;
1249 struct tomoyo_path_info *buf1, *buf2; 1232 struct tomoyo_path_info *buf1, *buf2;
@@ -1275,8 +1258,8 @@ int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
1275 } 1258 }
1276 } 1259 }
1277 } 1260 }
1278 error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2); 1261 error = tomoyo_path2_acl(domain, operation, buf1, buf2);
1279 msg = tomoyo_dp2keyword(operation); 1262 msg = tomoyo_path22keyword(operation);
1280 if (!error) 1263 if (!error)
1281 goto out; 1264 goto out;
1282 if (tomoyo_verbose_mode(domain)) 1265 if (tomoyo_verbose_mode(domain))
@@ -1287,8 +1270,8 @@ int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
1287 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 1270 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1288 const char *name1 = tomoyo_get_file_pattern(buf1)->name; 1271 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1289 const char *name2 = tomoyo_get_file_pattern(buf2)->name; 1272 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1290 tomoyo_update_double_path_acl(operation, name1, name2, domain, 1273 tomoyo_update_path2_acl(operation, name1, name2, domain,
1291 false); 1274 false);
1292 } 1275 }
1293 out: 1276 out:
1294 kfree(buf1); 1277 kfree(buf1);
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-15 13:56:56 -0500