diff options
Diffstat (limited to 'security/tomoyo')
-rw-r--r-- | security/tomoyo/common.c | 25 | ||||
-rw-r--r-- | security/tomoyo/common.h | 2 | ||||
-rw-r--r-- | security/tomoyo/path_group.c | 2 |
3 files changed, 23 insertions, 6 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 57ddfc5d9c52..98e3639db990 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c | |||
@@ -366,7 +366,7 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head) | |||
366 | * | 366 | * |
367 | * or | 367 | * or |
368 | * | 368 | * |
369 | * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager | 369 | * # echo '/usr/sbin/tomoyo-editpolicy' > /sys/kernel/security/tomoyo/manager |
370 | * (if you want to specify by a program's location) | 370 | * (if you want to specify by a program's location) |
371 | * | 371 | * |
372 | * and is deleted by | 372 | * and is deleted by |
@@ -376,7 +376,7 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head) | |||
376 | * | 376 | * |
377 | * or | 377 | * or |
378 | * | 378 | * |
379 | * # echo 'delete /usr/lib/ccs/editpolicy' > \ | 379 | * # echo 'delete /usr/sbin/tomoyo-editpolicy' > \ |
380 | * /sys/kernel/security/tomoyo/manager | 380 | * /sys/kernel/security/tomoyo/manager |
381 | * | 381 | * |
382 | * and all entries are retrieved by | 382 | * and all entries are retrieved by |
@@ -556,12 +556,17 @@ static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head, | |||
556 | { | 556 | { |
557 | unsigned int pid; | 557 | unsigned int pid; |
558 | struct tomoyo_domain_info *domain = NULL; | 558 | struct tomoyo_domain_info *domain = NULL; |
559 | bool global_pid = false; | ||
559 | 560 | ||
560 | if (sscanf(data, "pid=%u", &pid) == 1) { | 561 | if (sscanf(data, "pid=%u", &pid) == 1 || |
562 | (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { | ||
561 | struct task_struct *p; | 563 | struct task_struct *p; |
562 | rcu_read_lock(); | 564 | rcu_read_lock(); |
563 | read_lock(&tasklist_lock); | 565 | read_lock(&tasklist_lock); |
564 | p = find_task_by_vpid(pid); | 566 | if (global_pid) |
567 | p = find_task_by_pid_ns(pid, &init_pid_ns); | ||
568 | else | ||
569 | p = find_task_by_vpid(pid); | ||
565 | if (p) | 570 | if (p) |
566 | domain = tomoyo_real_domain(p); | 571 | domain = tomoyo_real_domain(p); |
567 | read_unlock(&tasklist_lock); | 572 | read_unlock(&tasklist_lock); |
@@ -697,6 +702,14 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) | |||
697 | domain->ignore_global_allow_read = !is_delete; | 702 | domain->ignore_global_allow_read = !is_delete; |
698 | return 0; | 703 | return 0; |
699 | } | 704 | } |
705 | if (!strcmp(data, TOMOYO_KEYWORD_QUOTA_EXCEEDED)) { | ||
706 | domain->quota_warned = !is_delete; | ||
707 | return 0; | ||
708 | } | ||
709 | if (!strcmp(data, TOMOYO_KEYWORD_TRANSITION_FAILED)) { | ||
710 | domain->transition_failed = !is_delete; | ||
711 | return 0; | ||
712 | } | ||
700 | return tomoyo_write_domain_policy2(data, domain, is_delete); | 713 | return tomoyo_write_domain_policy2(data, domain, is_delete); |
701 | } | 714 | } |
702 | 715 | ||
@@ -853,6 +866,8 @@ static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head, | |||
853 | struct tomoyo_mount_acl *ptr) | 866 | struct tomoyo_mount_acl *ptr) |
854 | { | 867 | { |
855 | const int pos = head->read_avail; | 868 | const int pos = head->read_avail; |
869 | if (ptr->is_deleted) | ||
870 | return true; | ||
856 | if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) || | 871 | if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) || |
857 | !tomoyo_print_name_union(head, &ptr->dev_name) || | 872 | !tomoyo_print_name_union(head, &ptr->dev_name) || |
858 | !tomoyo_print_name_union(head, &ptr->dir_name) || | 873 | !tomoyo_print_name_union(head, &ptr->dir_name) || |
@@ -993,7 +1008,7 @@ tail_mark: | |||
993 | * This is equivalent to doing | 1008 | * This is equivalent to doing |
994 | * | 1009 | * |
995 | * ( echo "select " $domainname; echo "use_profile " $profile ) | | 1010 | * ( echo "select " $domainname; echo "use_profile " $profile ) | |
996 | * /usr/lib/ccs/loadpolicy -d | 1011 | * /usr/sbin/tomoyo-loadpolicy -d |
997 | * | 1012 | * |
998 | * Caller holds tomoyo_read_lock(). | 1013 | * Caller holds tomoyo_read_lock(). |
999 | */ | 1014 | */ |
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index be03e4a21db0..6270a530c4d8 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h | |||
@@ -68,6 +68,8 @@ enum tomoyo_mode_index { | |||
68 | #define TOMOYO_KEYWORD_SELECT "select " | 68 | #define TOMOYO_KEYWORD_SELECT "select " |
69 | #define TOMOYO_KEYWORD_USE_PROFILE "use_profile " | 69 | #define TOMOYO_KEYWORD_USE_PROFILE "use_profile " |
70 | #define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read" | 70 | #define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read" |
71 | #define TOMOYO_KEYWORD_QUOTA_EXCEEDED "quota_exceeded" | ||
72 | #define TOMOYO_KEYWORD_TRANSITION_FAILED "transition_failed" | ||
71 | /* A domain definition starts with <kernel>. */ | 73 | /* A domain definition starts with <kernel>. */ |
72 | #define TOMOYO_ROOT_NAME "<kernel>" | 74 | #define TOMOYO_ROOT_NAME "<kernel>" |
73 | #define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1) | 75 | #define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1) |
diff --git a/security/tomoyo/path_group.c b/security/tomoyo/path_group.c index c988041c8e1c..636025e26b06 100644 --- a/security/tomoyo/path_group.c +++ b/security/tomoyo/path_group.c | |||
@@ -6,7 +6,7 @@ | |||
6 | 6 | ||
7 | #include <linux/slab.h> | 7 | #include <linux/slab.h> |
8 | #include "common.h" | 8 | #include "common.h" |
9 | /* The list for "struct ccs_path_group". */ | 9 | /* The list for "struct tomoyo_path_group". */ |
10 | LIST_HEAD(tomoyo_path_group_list); | 10 | LIST_HEAD(tomoyo_path_group_list); |
11 | 11 | ||
12 | /** | 12 | /** |