1 files changed, 52 insertions, 21 deletions
diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c
index 554de173152c..8f3ac251c571 100644
--- a/security/tomoyo/mount.c
+++ b/security/tomoyo/mount.c
@@ -25,6 +25,54 @@
 #define TOMOYO_MOUNT_MAKE_SHARED_KEYWORD                 "--make-shared"
 /**
+ * tomoyo_audit_mount_log - Audit mount log.
+ *
+ * @r: Pointer to "struct tomoyo_request_info".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tomoyo_audit_mount_log(struct tomoyo_request_info *r)
+{
+        const char *dev = r->param.mount.dev->name;
+        const char *dir = r->param.mount.dir->name;
+        const char *type = r->param.mount.type->name;
+        const unsigned long flags = r->param.mount.flags;
+        if (r->granted)
+                return 0;
+        if (!strcmp(type, TOMOYO_MOUNT_REMOUNT_KEYWORD))
+                tomoyo_warn_log(r, "mount -o remount %s 0x%lX", dir, flags);
+        else if (!strcmp(type, TOMOYO_MOUNT_BIND_KEYWORD)
+                 || !strcmp(type, TOMOYO_MOUNT_MOVE_KEYWORD))
+                tomoyo_warn_log(r, "mount %s %s %s 0x%lX", type, dev, dir,
+                                flags);
+        else if (!strcmp(type, TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD) ||
+                 !strcmp(type, TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD) ||
+                 !strcmp(type, TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD) ||
+                 !strcmp(type, TOMOYO_MOUNT_MAKE_SHARED_KEYWORD))
+                tomoyo_warn_log(r, "mount %s %s 0x%lX", type, dir, flags);
+        else
+                tomoyo_warn_log(r, "mount -t %s %s %s 0x%lX", type, dev, dir,
+                                flags);
+        return tomoyo_supervisor(r,
+                                 TOMOYO_KEYWORD_ALLOW_MOUNT "%s %s %s 0x%lX\n",
+                                 tomoyo_file_pattern(r->param.mount.dev),
+                                 tomoyo_file_pattern(r->param.mount.dir), type,
+                                 flags);
+}
+static bool tomoyo_check_mount_acl(const struct tomoyo_request_info *r,
+                                   const struct tomoyo_acl_info *ptr)
+{
+        const struct tomoyo_mount_acl *acl =
+                container_of(ptr, typeof(*acl), head);
+        return tomoyo_compare_number_union(r->param.mount.flags, &acl->flags) &&
+                tomoyo_compare_name_union(r->param.mount.type, &acl->fs_type) &&
+                tomoyo_compare_name_union(r->param.mount.dir, &acl->dir_name) &&
+                (!r->param.mount.need_dev ||
+                 tomoyo_compare_name_union(r->param.mount.dev, &acl->dev_name));
+}
+/**
 * tomoyo_mount_acl2 - Check permission for mount() operation.
 *
 * @r:        Pointer to "struct tomoyo_request_info".
@@ -41,7 +89,6 @@ static int tomoyo_mount_acl2(struct tomoyo_request_info *r, char *dev_name,
                             struct path *dir, char *type, unsigned long flags)
 {
        struct path path;
-        struct tomoyo_acl_info *ptr;
        struct file_system_type *fstype = NULL;
        const char *requested_type = NULL;
        const char *requested_dir_name = NULL;
@@ -118,26 +165,10 @@ static int tomoyo_mount_acl2(struct tomoyo_request_info *r, char *dev_name,
        r->param.mount.dir = &rdir;
        r->param.mount.type = &rtype;
        r->param.mount.flags = flags;
-        list_for_each_entry_rcu(ptr, &r->domain->acl_info_list, list) {
+        do {
-                struct tomoyo_mount_acl *acl;
+                tomoyo_check_acl(r, tomoyo_check_mount_acl);
-                if (ptr->is_deleted || ptr->type != TOMOYO_TYPE_MOUNT_ACL)
+                error = tomoyo_audit_mount_log(r);
-                        continue;
+        } while (error == TOMOYO_RETRY_REQUEST);
-                acl = container_of(ptr, struct tomoyo_mount_acl, head);
-                if (!tomoyo_compare_number_union(flags, &acl->flags) ||
-                    !tomoyo_compare_name_union(&rtype, &acl->fs_type) ||
-                    !tomoyo_compare_name_union(&rdir, &acl->dir_name) ||
-                    (need_dev &&
-                     !tomoyo_compare_name_union(&rdev, &acl->dev_name)))
-                        continue;
-                error = 0;
-                break;
-        }
-        if (error)
-                error = tomoyo_supervisor(r, TOMOYO_KEYWORD_ALLOW_MOUNT
-                                          "%s %s %s 0x%lX\n",
-                                          tomoyo_file_pattern(&rdev),
-                                          tomoyo_file_pattern(&rdir),
-                                          requested_type, flags);
 out:
        kfree(requested_dev_name);
        kfree(requested_dir_name);

diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c index 554de173152c..8f3ac251c571 100644 --- a/security/tomoyo/mount.c +++ b/security/tomoyo/mount.c
@@ -25,6 +25,54 @@
25	#define TOMOYO_MOUNT_MAKE_SHARED_KEYWORD "--make-shared"	25	#define TOMOYO_MOUNT_MAKE_SHARED_KEYWORD "--make-shared"
26		26
27	/**	27	/**
		28	* tomoyo_audit_mount_log - Audit mount log.
		29	*
		30	* @r: Pointer to "struct tomoyo_request_info".
		31	*
		32	* Returns 0 on success, negative value otherwise.
		33	*/
		34	static int tomoyo_audit_mount_log(struct tomoyo_request_info *r)
		35	{
		36	const char *dev = r->param.mount.dev->name;
		37	const char *dir = r->param.mount.dir->name;
		38	const char *type = r->param.mount.type->name;
		39	const unsigned long flags = r->param.mount.flags;
		40	if (r->granted)
		41	return 0;
		42	if (!strcmp(type, TOMOYO_MOUNT_REMOUNT_KEYWORD))
		43	tomoyo_warn_log(r, "mount -o remount %s 0x%lX", dir, flags);
		44	else if (!strcmp(type, TOMOYO_MOUNT_BIND_KEYWORD)
		45	\|\| !strcmp(type, TOMOYO_MOUNT_MOVE_KEYWORD))
		46	tomoyo_warn_log(r, "mount %s %s %s 0x%lX", type, dev, dir,
		47	flags);
		48	else if (!strcmp(type, TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD) \|\|
		49	!strcmp(type, TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD) \|\|
		50	!strcmp(type, TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD) \|\|
		51	!strcmp(type, TOMOYO_MOUNT_MAKE_SHARED_KEYWORD))
		52	tomoyo_warn_log(r, "mount %s %s 0x%lX", type, dir, flags);
		53	else
		54	tomoyo_warn_log(r, "mount -t %s %s %s 0x%lX", type, dev, dir,
		55	flags);
		56	return tomoyo_supervisor(r,
		57	TOMOYO_KEYWORD_ALLOW_MOUNT "%s %s %s 0x%lX\n",
		58	tomoyo_file_pattern(r->param.mount.dev),
		59	tomoyo_file_pattern(r->param.mount.dir), type,
		60	flags);
		61	}
		62
		63	static bool tomoyo_check_mount_acl(const struct tomoyo_request_info *r,
		64	const struct tomoyo_acl_info *ptr)
		65	{
		66	const struct tomoyo_mount_acl *acl =
		67	container_of(ptr, typeof(*acl), head);
		68	return tomoyo_compare_number_union(r->param.mount.flags, &acl->flags) &&
		69	tomoyo_compare_name_union(r->param.mount.type, &acl->fs_type) &&
		70	tomoyo_compare_name_union(r->param.mount.dir, &acl->dir_name) &&
		71	(!r->param.mount.need_dev \|\|
		72	tomoyo_compare_name_union(r->param.mount.dev, &acl->dev_name));
		73	}
		74
		75	/**
28	* tomoyo_mount_acl2 - Check permission for mount() operation.	76	* tomoyo_mount_acl2 - Check permission for mount() operation.
29	*	77	*
30	* @r: Pointer to "struct tomoyo_request_info".	78	* @r: Pointer to "struct tomoyo_request_info".
@@ -41,7 +89,6 @@ static int tomoyo_mount_acl2(struct tomoyo_request_info r, char dev_name,
41	struct path dir, char type, unsigned long flags)	89	struct path dir, char type, unsigned long flags)
42	{	90	{
43	struct path path;	91	struct path path;
44	struct tomoyo_acl_info *ptr;
45	struct file_system_type *fstype = NULL;	92	struct file_system_type *fstype = NULL;
46	const char *requested_type = NULL;	93	const char *requested_type = NULL;
47	const char *requested_dir_name = NULL;	94	const char *requested_dir_name = NULL;
@@ -118,26 +165,10 @@ static int tomoyo_mount_acl2(struct tomoyo_request_info r, char dev_name,
118	r->param.mount.dir = &rdir;	165	r->param.mount.dir = &rdir;
119	r->param.mount.type = &rtype;	166	r->param.mount.type = &rtype;
120	r->param.mount.flags = flags;	167	r->param.mount.flags = flags;
121	list_for_each_entry_rcu(ptr, &r->domain->acl_info_list, list) {	168	do {
122	struct tomoyo_mount_acl *acl;	169	tomoyo_check_acl(r, tomoyo_check_mount_acl);
123	if (ptr->is_deleted \|\| ptr->type != TOMOYO_TYPE_MOUNT_ACL)	170	error = tomoyo_audit_mount_log(r);
124	continue;	171	} while (error == TOMOYO_RETRY_REQUEST);
125	acl = container_of(ptr, struct tomoyo_mount_acl, head);
126	if (!tomoyo_compare_number_union(flags, &acl->flags) \|\|
127	!tomoyo_compare_name_union(&rtype, &acl->fs_type) \|\|
128	!tomoyo_compare_name_union(&rdir, &acl->dir_name) \|\|
129	(need_dev &&
130	!tomoyo_compare_name_union(&rdev, &acl->dev_name)))
131	continue;
132	error = 0;
133	break;
134	}
135	if (error)
136	error = tomoyo_supervisor(r, TOMOYO_KEYWORD_ALLOW_MOUNT
137	"%s %s %s 0x%lX\n",
138	tomoyo_file_pattern(&rdev),
139	tomoyo_file_pattern(&rdir),
140	requested_type, flags);
141	out:	172	out:
142	kfree(requested_dev_name);	173	kfree(requested_dev_name);
143	kfree(requested_dir_name);	174	kfree(requested_dir_name);