aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/tomoyo/audit.c3
-rw-r--r--security/tomoyo/common.c135
-rw-r--r--security/tomoyo/common.h51
-rw-r--r--security/tomoyo/domain.c7
-rw-r--r--security/tomoyo/file.c63
-rw-r--r--security/tomoyo/util.c39
6 files changed, 177 insertions, 121 deletions
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c
index ef2172f29583..45e0a9f3c384 100644
--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -163,7 +163,8 @@ static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
163 const bool is_granted) 163 const bool is_granted)
164{ 164{
165 u8 mode; 165 u8 mode;
166 const u8 category = TOMOYO_MAC_CATEGORY_FILE + TOMOYO_MAX_MAC_INDEX; 166 const u8 category = tomoyo_index2category[index] +
167 TOMOYO_MAX_MAC_INDEX;
167 struct tomoyo_profile *p; 168 struct tomoyo_profile *p;
168 if (!tomoyo_policy_loaded) 169 if (!tomoyo_policy_loaded)
169 return false; 170 return false;
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 691c34025a4a..6402183e2a6b 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -20,31 +20,31 @@ const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = {
20}; 20};
21 21
22/* String table for /sys/kernel/security/tomoyo/profile */ 22/* String table for /sys/kernel/security/tomoyo/profile */
23static const char *tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX 23const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
24 + TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 24 + TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
25 [TOMOYO_MAC_FILE_EXECUTE] = "file::execute", 25 [TOMOYO_MAC_FILE_EXECUTE] = "execute",
26 [TOMOYO_MAC_FILE_OPEN] = "file::open", 26 [TOMOYO_MAC_FILE_OPEN] = "open",
27 [TOMOYO_MAC_FILE_CREATE] = "file::create", 27 [TOMOYO_MAC_FILE_CREATE] = "create",
28 [TOMOYO_MAC_FILE_UNLINK] = "file::unlink", 28 [TOMOYO_MAC_FILE_UNLINK] = "unlink",
29 [TOMOYO_MAC_FILE_GETATTR] = "file::getattr", 29 [TOMOYO_MAC_FILE_GETATTR] = "getattr",
30 [TOMOYO_MAC_FILE_MKDIR] = "file::mkdir", 30 [TOMOYO_MAC_FILE_MKDIR] = "mkdir",
31 [TOMOYO_MAC_FILE_RMDIR] = "file::rmdir", 31 [TOMOYO_MAC_FILE_RMDIR] = "rmdir",
32 [TOMOYO_MAC_FILE_MKFIFO] = "file::mkfifo", 32 [TOMOYO_MAC_FILE_MKFIFO] = "mkfifo",
33 [TOMOYO_MAC_FILE_MKSOCK] = "file::mksock", 33 [TOMOYO_MAC_FILE_MKSOCK] = "mksock",
34 [TOMOYO_MAC_FILE_TRUNCATE] = "file::truncate", 34 [TOMOYO_MAC_FILE_TRUNCATE] = "truncate",
35 [TOMOYO_MAC_FILE_SYMLINK] = "file::symlink", 35 [TOMOYO_MAC_FILE_SYMLINK] = "symlink",
36 [TOMOYO_MAC_FILE_MKBLOCK] = "file::mkblock", 36 [TOMOYO_MAC_FILE_MKBLOCK] = "mkblock",
37 [TOMOYO_MAC_FILE_MKCHAR] = "file::mkchar", 37 [TOMOYO_MAC_FILE_MKCHAR] = "mkchar",
38 [TOMOYO_MAC_FILE_LINK] = "file::link", 38 [TOMOYO_MAC_FILE_LINK] = "link",
39 [TOMOYO_MAC_FILE_RENAME] = "file::rename", 39 [TOMOYO_MAC_FILE_RENAME] = "rename",
40 [TOMOYO_MAC_FILE_CHMOD] = "file::chmod", 40 [TOMOYO_MAC_FILE_CHMOD] = "chmod",
41 [TOMOYO_MAC_FILE_CHOWN] = "file::chown", 41 [TOMOYO_MAC_FILE_CHOWN] = "chown",
42 [TOMOYO_MAC_FILE_CHGRP] = "file::chgrp", 42 [TOMOYO_MAC_FILE_CHGRP] = "chgrp",
43 [TOMOYO_MAC_FILE_IOCTL] = "file::ioctl", 43 [TOMOYO_MAC_FILE_IOCTL] = "ioctl",
44 [TOMOYO_MAC_FILE_CHROOT] = "file::chroot", 44 [TOMOYO_MAC_FILE_CHROOT] = "chroot",
45 [TOMOYO_MAC_FILE_MOUNT] = "file::mount", 45 [TOMOYO_MAC_FILE_MOUNT] = "mount",
46 [TOMOYO_MAC_FILE_UMOUNT] = "file::unmount", 46 [TOMOYO_MAC_FILE_UMOUNT] = "unmount",
47 [TOMOYO_MAC_FILE_PIVOT_ROOT] = "file::pivot_root", 47 [TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root",
48 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file", 48 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file",
49}; 49};
50 50
@@ -54,6 +54,27 @@ static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = {
54 [TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", 54 [TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry",
55}; 55};
56 56
57/* String table for path operation. */
58const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
59 [TOMOYO_TYPE_EXECUTE] = "execute",
60 [TOMOYO_TYPE_READ] = "read",
61 [TOMOYO_TYPE_WRITE] = "write",
62 [TOMOYO_TYPE_APPEND] = "append",
63 [TOMOYO_TYPE_UNLINK] = "unlink",
64 [TOMOYO_TYPE_GETATTR] = "getattr",
65 [TOMOYO_TYPE_RMDIR] = "rmdir",
66 [TOMOYO_TYPE_TRUNCATE] = "truncate",
67 [TOMOYO_TYPE_SYMLINK] = "symlink",
68 [TOMOYO_TYPE_CHROOT] = "chroot",
69 [TOMOYO_TYPE_UMOUNT] = "unmount",
70};
71
72/* String table for categories. */
73static const char * const tomoyo_category_keywords
74[TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
75 [TOMOYO_MAC_CATEGORY_FILE] = "file",
76};
77
57/* Permit policy management by non-root user? */ 78/* Permit policy management by non-root user? */
58static bool tomoyo_manage_by_non_root; 79static bool tomoyo_manage_by_non_root;
59 80
@@ -98,7 +119,7 @@ static bool tomoyo_flush(struct tomoyo_io_buffer *head)
98{ 119{
99 while (head->r.w_pos) { 120 while (head->r.w_pos) {
100 const char *w = head->r.w[0]; 121 const char *w = head->r.w[0];
101 int len = strlen(w); 122 size_t len = strlen(w);
102 if (len) { 123 if (len) {
103 if (len > head->read_user_buf_avail) 124 if (len > head->read_user_buf_avail)
104 len = head->read_user_buf_avail; 125 len = head->read_user_buf_avail;
@@ -157,8 +178,8 @@ static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string)
157void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 178void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
158{ 179{
159 va_list args; 180 va_list args;
160 int len; 181 size_t len;
161 int pos = head->r.avail; 182 size_t pos = head->r.avail;
162 int size = head->readbuf_size - pos; 183 int size = head->readbuf_size - pos;
163 if (size <= 0) 184 if (size <= 0)
164 return; 185 return;
@@ -436,7 +457,17 @@ static int tomoyo_set_mode(char *name, const char *value,
436 config = 0; 457 config = 0;
437 for (i = 0; i < TOMOYO_MAX_MAC_INDEX 458 for (i = 0; i < TOMOYO_MAX_MAC_INDEX
438 + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) { 459 + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) {
439 if (strcmp(name, tomoyo_mac_keywords[i])) 460 int len = 0;
461 if (i < TOMOYO_MAX_MAC_INDEX) {
462 const u8 c = tomoyo_index2category[i];
463 const char *category =
464 tomoyo_category_keywords[c];
465 len = strlen(category);
466 if (strncmp(name, category, len) ||
467 name[len++] != ':' || name[len++] != ':')
468 continue;
469 }
470 if (strcmp(name + len, tomoyo_mac_keywords[i]))
440 continue; 471 continue;
441 config = profile->config[i]; 472 config = profile->config[i];
442 break; 473 break;
@@ -620,8 +651,15 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
620 if (config == TOMOYO_CONFIG_USE_DEFAULT) 651 if (config == TOMOYO_CONFIG_USE_DEFAULT)
621 continue; 652 continue;
622 tomoyo_print_namespace(head); 653 tomoyo_print_namespace(head);
623 tomoyo_io_printf(head, "%u-%s%s", index, "CONFIG::", 654 if (i < TOMOYO_MAX_MAC_INDEX)
624 tomoyo_mac_keywords[i]); 655 tomoyo_io_printf(head, "%u-CONFIG::%s::%s",
656 index,
657 tomoyo_category_keywords
658 [tomoyo_index2category[i]],
659 tomoyo_mac_keywords[i]);
660 else
661 tomoyo_io_printf(head, "%u-CONFIG::%s", index,
662 tomoyo_mac_keywords[i]);
625 tomoyo_print_config(head, config); 663 tomoyo_print_config(head, config);
626 head->r.bit++; 664 head->r.bit++;
627 break; 665 break;
@@ -905,6 +943,12 @@ static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns,
905 return -EINVAL; 943 return -EINVAL;
906} 944}
907 945
946/* String table for domain flags. */
947const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS] = {
948 [TOMOYO_DIF_QUOTA_WARNED] = "quota_exceeded\n",
949 [TOMOYO_DIF_TRANSITION_FAILED] = "transition_failed\n",
950};
951
908/** 952/**
909 * tomoyo_write_domain - Write domain policy. 953 * tomoyo_write_domain - Write domain policy.
910 * 954 *
@@ -948,12 +992,11 @@ static int tomoyo_write_domain(struct tomoyo_io_buffer *head)
948 domain->group = (u8) profile; 992 domain->group = (u8) profile;
949 return 0; 993 return 0;
950 } 994 }
951 if (!strcmp(data, "quota_exceeded")) { 995 for (profile = 0; profile < TOMOYO_MAX_DOMAIN_INFO_FLAGS; profile++) {
952 domain->quota_warned = !is_delete; 996 const char *cp = tomoyo_dif[profile];
953 return 0; 997 if (strncmp(data, cp, strlen(cp) - 1))
954 } 998 continue;
955 if (!strcmp(data, "transition_failed")) { 999 domain->flags[profile] = !is_delete;
956 domain->transition_failed = !is_delete;
957 return 0; 1000 return 0;
958 } 1001 }
959 return tomoyo_write_domain2(ns, &domain->acl_info_list, data, 1002 return tomoyo_write_domain2(ns, &domain->acl_info_list, data,
@@ -1134,6 +1177,7 @@ static void tomoyo_read_domain(struct tomoyo_io_buffer *head)
1134 struct tomoyo_domain_info *domain = 1177 struct tomoyo_domain_info *domain =
1135 list_entry(head->r.domain, typeof(*domain), list); 1178 list_entry(head->r.domain, typeof(*domain), list);
1136 switch (head->r.step) { 1179 switch (head->r.step) {
1180 u8 i;
1137 case 0: 1181 case 0:
1138 if (domain->is_deleted && 1182 if (domain->is_deleted &&
1139 !head->r.print_this_domain_only) 1183 !head->r.print_this_domain_only)
@@ -1145,10 +1189,9 @@ static void tomoyo_read_domain(struct tomoyo_io_buffer *head)
1145 domain->profile); 1189 domain->profile);
1146 tomoyo_io_printf(head, "use_group %u\n", 1190 tomoyo_io_printf(head, "use_group %u\n",
1147 domain->group); 1191 domain->group);
1148 if (domain->quota_warned) 1192 for (i = 0; i < TOMOYO_MAX_DOMAIN_INFO_FLAGS; i++)
1149 tomoyo_set_string(head, "quota_exceeded\n"); 1193 if (domain->flags[i])
1150 if (domain->transition_failed) 1194 tomoyo_set_string(head, tomoyo_dif[i]);
1151 tomoyo_set_string(head, "transition_failed\n");
1152 head->r.step++; 1195 head->r.step++;
1153 tomoyo_set_lf(head); 1196 tomoyo_set_lf(head);
1154 /* fall through */ 1197 /* fall through */
@@ -1691,8 +1734,8 @@ static int tomoyo_poll_query(struct file *file, poll_table *wait)
1691static void tomoyo_read_query(struct tomoyo_io_buffer *head) 1734static void tomoyo_read_query(struct tomoyo_io_buffer *head)
1692{ 1735{
1693 struct list_head *tmp; 1736 struct list_head *tmp;
1694 int pos = 0; 1737 unsigned int pos = 0;
1695 int len = 0; 1738 size_t len = 0;
1696 char *buf; 1739 char *buf;
1697 if (head->r.w_pos) 1740 if (head->r.w_pos)
1698 return; 1741 return;
@@ -1998,8 +2041,8 @@ static inline bool tomoyo_has_more_namespace(struct tomoyo_io_buffer *head)
1998 * 2041 *
1999 * Returns bytes read on success, negative value otherwise. 2042 * Returns bytes read on success, negative value otherwise.
2000 */ 2043 */
2001int tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, 2044ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
2002 const int buffer_len) 2045 const int buffer_len)
2003{ 2046{
2004 int len; 2047 int len;
2005 int idx; 2048 int idx;
@@ -2070,8 +2113,8 @@ static int tomoyo_parse_policy(struct tomoyo_io_buffer *head, char *line)
2070 * 2113 *
2071 * Returns @buffer_len on success, negative value otherwise. 2114 * Returns @buffer_len on success, negative value otherwise.
2072 */ 2115 */
2073int tomoyo_write_control(struct tomoyo_io_buffer *head, 2116ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
2074 const char __user *buffer, const int buffer_len) 2117 const char __user *buffer, const int buffer_len)
2075{ 2118{
2076 int error = buffer_len; 2119 int error = buffer_len;
2077 size_t avail_len = buffer_len; 2120 size_t avail_len = buffer_len;
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index a5eeabcc0738..b54455dfe0ca 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -67,6 +67,20 @@ enum tomoyo_policy_id {
67 TOMOYO_MAX_POLICY 67 TOMOYO_MAX_POLICY
68}; 68};
69 69
70/* Index numbers for domain's attributes. */
71enum tomoyo_domain_info_flags_index {
72 /* Quota warnning flag. */
73 TOMOYO_DIF_QUOTA_WARNED,
74 /*
75 * This domain was unable to create a new domain at
76 * tomoyo_find_next_domain() because the name of the domain to be
77 * created was too long or it could not allocate memory.
78 * More than one process continued execve() without domain transition.
79 */
80 TOMOYO_DIF_TRANSITION_FAILED,
81 TOMOYO_MAX_DOMAIN_INFO_FLAGS
82};
83
70/* Index numbers for group entries. */ 84/* Index numbers for group entries. */
71enum tomoyo_group_id { 85enum tomoyo_group_id {
72 TOMOYO_PATH_GROUP, 86 TOMOYO_PATH_GROUP,
@@ -364,8 +378,7 @@ struct tomoyo_domain_info {
364 u8 profile; /* Profile number to use. */ 378 u8 profile; /* Profile number to use. */
365 u8 group; /* Group number to use. */ 379 u8 group; /* Group number to use. */
366 bool is_deleted; /* Delete flag. */ 380 bool is_deleted; /* Delete flag. */
367 bool quota_warned; /* Quota warnning flag. */ 381 bool flags[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
368 bool transition_failed; /* Domain transition failed flag. */
369 atomic_t users; /* Number of referring credentials. */ 382 atomic_t users; /* Number of referring credentials. */
370}; 383};
371 384
@@ -442,15 +455,15 @@ struct tomoyo_io_buffer {
442 /* Exclusive lock for this structure. */ 455 /* Exclusive lock for this structure. */
443 struct mutex io_sem; 456 struct mutex io_sem;
444 char __user *read_user_buf; 457 char __user *read_user_buf;
445 int read_user_buf_avail; 458 size_t read_user_buf_avail;
446 struct { 459 struct {
447 struct list_head *ns; 460 struct list_head *ns;
448 struct list_head *domain; 461 struct list_head *domain;
449 struct list_head *group; 462 struct list_head *group;
450 struct list_head *acl; 463 struct list_head *acl;
451 int avail; 464 size_t avail;
452 int step; 465 unsigned int step;
453 int query_index; 466 unsigned int query_index;
454 u16 index; 467 u16 index;
455 u8 acl_group_index; 468 u8 acl_group_index;
456 u8 bit; 469 u8 bit;
@@ -465,19 +478,19 @@ struct tomoyo_io_buffer {
465 /* The position currently writing to. */ 478 /* The position currently writing to. */
466 struct tomoyo_domain_info *domain; 479 struct tomoyo_domain_info *domain;
467 /* Bytes available for writing. */ 480 /* Bytes available for writing. */
468 int avail; 481 size_t avail;
469 bool is_delete; 482 bool is_delete;
470 } w; 483 } w;
471 /* Buffer for reading. */ 484 /* Buffer for reading. */
472 char *read_buf; 485 char *read_buf;
473 /* Size of read buffer. */ 486 /* Size of read buffer. */
474 int readbuf_size; 487 size_t readbuf_size;
475 /* Buffer for writing. */ 488 /* Buffer for writing. */
476 char *write_buf; 489 char *write_buf;
477 /* Size of write buffer. */ 490 /* Size of write buffer. */
478 int writebuf_size; 491 size_t writebuf_size;
479 /* Type of this interface. */ 492 /* Type of this interface. */
480 u8 type; 493 enum tomoyo_securityfs_interface_index type;
481 /* Users counter protected by tomoyo_io_buffer_list_lock. */ 494 /* Users counter protected by tomoyo_io_buffer_list_lock. */
482 u8 users; 495 u8 users;
483 /* List for telling GC not to kfree() elements. */ 496 /* List for telling GC not to kfree() elements. */
@@ -569,10 +582,10 @@ void tomoyo_check_profile(void);
569int tomoyo_open_control(const u8 type, struct file *file); 582int tomoyo_open_control(const u8 type, struct file *file);
570int tomoyo_close_control(struct tomoyo_io_buffer *head); 583int tomoyo_close_control(struct tomoyo_io_buffer *head);
571int tomoyo_poll_control(struct file *file, poll_table *wait); 584int tomoyo_poll_control(struct file *file, poll_table *wait);
572int tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, 585ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
573 const int buffer_len); 586 const int buffer_len);
574int tomoyo_write_control(struct tomoyo_io_buffer *head, 587ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
575 const char __user *buffer, const int buffer_len); 588 const char __user *buffer, const int buffer_len);
576bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r); 589bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);
577void tomoyo_warn_oom(const char *function); 590void tomoyo_warn_oom(const char *function);
578const struct tomoyo_path_info * 591const struct tomoyo_path_info *
@@ -707,15 +720,17 @@ extern struct tomoyo_domain_info tomoyo_kernel_domain;
707extern struct tomoyo_policy_namespace tomoyo_kernel_namespace; 720extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
708extern struct list_head tomoyo_namespace_list; 721extern struct list_head tomoyo_namespace_list;
709 722
710extern const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION]; 723extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX +
711extern const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION]; 724 TOMOYO_MAX_MAC_CATEGORY_INDEX];
712extern const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION]; 725extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
713extern const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION]; 726extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
727
714 728
715extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION]; 729extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
716extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION]; 730extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];
717extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION]; 731extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
718 732
733extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
719extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE]; 734extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
720extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT]; 735extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];
721extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT]; 736extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 71acebc747c3..7893127d8770 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -684,10 +684,11 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
684 retval = -ENOMEM; 684 retval = -ENOMEM;
685 else { 685 else {
686 retval = 0; 686 retval = 0;
687 if (!old_domain->transition_failed) { 687 if (!old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED]) {
688 old_domain->transition_failed = true; 688 old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED] = true;
689 r.granted = false; 689 r.granted = false;
690 tomoyo_write_log(&r, "%s", "transition_failed\n"); 690 tomoyo_write_log(&r, "%s", tomoyo_dif
691 [TOMOYO_DIF_TRANSITION_FAILED]);
691 printk(KERN_WARNING 692 printk(KERN_WARNING
692 "ERROR: Domain '%s' not defined.\n", tmp); 693 "ERROR: Domain '%s' not defined.\n", tmp);
693 } 694 }
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 8410f28a35e0..6ab9e4cdd61f 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -9,46 +9,6 @@
9#include "common.h" 9#include "common.h"
10#include <linux/slab.h> 10#include <linux/slab.h>
11 11
12/* Keyword array for operations with one pathname. */
13const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
14 [TOMOYO_TYPE_EXECUTE] = "execute",
15 [TOMOYO_TYPE_READ] = "read",
16 [TOMOYO_TYPE_WRITE] = "write",
17 [TOMOYO_TYPE_APPEND] = "append",
18 [TOMOYO_TYPE_UNLINK] = "unlink",
19 [TOMOYO_TYPE_GETATTR] = "getattr",
20 [TOMOYO_TYPE_RMDIR] = "rmdir",
21 [TOMOYO_TYPE_TRUNCATE] = "truncate",
22 [TOMOYO_TYPE_SYMLINK] = "symlink",
23 [TOMOYO_TYPE_CHROOT] = "chroot",
24 [TOMOYO_TYPE_UMOUNT] = "unmount",
25};
26
27/* Keyword array for operations with one pathname and three numbers. */
28const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION] = {
29 [TOMOYO_TYPE_MKBLOCK] = "mkblock",
30 [TOMOYO_TYPE_MKCHAR] = "mkchar",
31};
32
33/* Keyword array for operations with two pathnames. */
34const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
35 [TOMOYO_TYPE_LINK] = "link",
36 [TOMOYO_TYPE_RENAME] = "rename",
37 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
38};
39
40/* Keyword array for operations with one pathname and one number. */
41const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION] = {
42 [TOMOYO_TYPE_CREATE] = "create",
43 [TOMOYO_TYPE_MKDIR] = "mkdir",
44 [TOMOYO_TYPE_MKFIFO] = "mkfifo",
45 [TOMOYO_TYPE_MKSOCK] = "mksock",
46 [TOMOYO_TYPE_IOCTL] = "ioctl",
47 [TOMOYO_TYPE_CHMOD] = "chmod",
48 [TOMOYO_TYPE_CHOWN] = "chown",
49 [TOMOYO_TYPE_CHGRP] = "chgrp",
50};
51
52/* 12/*
53 * Mapping table from "enum tomoyo_path_acl_index" to "enum tomoyo_mac_index". 13 * Mapping table from "enum tomoyo_path_acl_index" to "enum tomoyo_mac_index".
54 */ 14 */
@@ -220,8 +180,8 @@ static int tomoyo_audit_path_log(struct tomoyo_request_info *r)
220 */ 180 */
221static int tomoyo_audit_path2_log(struct tomoyo_request_info *r) 181static int tomoyo_audit_path2_log(struct tomoyo_request_info *r)
222{ 182{
223 return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_path2_keyword 183 return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_mac_keywords
224 [r->param.path2.operation], 184 [tomoyo_pp2mac[r->param.path2.operation]],
225 r->param.path2.filename1->name, 185 r->param.path2.filename1->name,
226 r->param.path2.filename2->name); 186 r->param.path2.filename2->name);
227} 187}
@@ -236,8 +196,8 @@ static int tomoyo_audit_path2_log(struct tomoyo_request_info *r)
236static int tomoyo_audit_mkdev_log(struct tomoyo_request_info *r) 196static int tomoyo_audit_mkdev_log(struct tomoyo_request_info *r)
237{ 197{
238 return tomoyo_supervisor(r, "file %s %s 0%o %u %u\n", 198 return tomoyo_supervisor(r, "file %s %s 0%o %u %u\n",
239 tomoyo_mkdev_keyword 199 tomoyo_mac_keywords
240 [r->param.mkdev.operation], 200 [tomoyo_pnnn2mac[r->param.mkdev.operation]],
241 r->param.mkdev.filename->name, 201 r->param.mkdev.filename->name,
242 r->param.mkdev.mode, r->param.mkdev.major, 202 r->param.mkdev.mode, r->param.mkdev.major,
243 r->param.mkdev.minor); 203 r->param.mkdev.minor);
@@ -272,8 +232,8 @@ static int tomoyo_audit_path_number_log(struct tomoyo_request_info *r)
272 } 232 }
273 tomoyo_print_ulong(buffer, sizeof(buffer), r->param.path_number.number, 233 tomoyo_print_ulong(buffer, sizeof(buffer), r->param.path_number.number,
274 radix); 234 radix);
275 return tomoyo_supervisor(r, "file %s %s %s\n", 235 return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_mac_keywords
276 tomoyo_path_number_keyword[type], 236 [tomoyo_pn2mac[type]],
277 r->param.path_number.filename->name, buffer); 237 r->param.path_number.filename->name, buffer);
278} 238}
279 239
@@ -985,22 +945,25 @@ int tomoyo_write_file(struct tomoyo_acl_param *param)
985 if (perm) 945 if (perm)
986 return tomoyo_update_path_acl(perm, param); 946 return tomoyo_update_path_acl(perm, param);
987 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) 947 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++)
988 if (tomoyo_permstr(operation, tomoyo_path2_keyword[type])) 948 if (tomoyo_permstr(operation,
949 tomoyo_mac_keywords[tomoyo_pp2mac[type]]))
989 perm |= 1 << type; 950 perm |= 1 << type;
990 if (perm) 951 if (perm)
991 return tomoyo_update_path2_acl(perm, param); 952 return tomoyo_update_path2_acl(perm, param);
992 for (type = 0; type < TOMOYO_MAX_PATH_NUMBER_OPERATION; type++) 953 for (type = 0; type < TOMOYO_MAX_PATH_NUMBER_OPERATION; type++)
993 if (tomoyo_permstr(operation, 954 if (tomoyo_permstr(operation,
994 tomoyo_path_number_keyword[type])) 955 tomoyo_mac_keywords[tomoyo_pn2mac[type]]))
995 perm |= 1 << type; 956 perm |= 1 << type;
996 if (perm) 957 if (perm)
997 return tomoyo_update_path_number_acl(perm, param); 958 return tomoyo_update_path_number_acl(perm, param);
998 for (type = 0; type < TOMOYO_MAX_MKDEV_OPERATION; type++) 959 for (type = 0; type < TOMOYO_MAX_MKDEV_OPERATION; type++)
999 if (tomoyo_permstr(operation, tomoyo_mkdev_keyword[type])) 960 if (tomoyo_permstr(operation,
961 tomoyo_mac_keywords[tomoyo_pnnn2mac[type]]))
1000 perm |= 1 << type; 962 perm |= 1 << type;
1001 if (perm) 963 if (perm)
1002 return tomoyo_update_mkdev_acl(perm, param); 964 return tomoyo_update_mkdev_acl(perm, param);
1003 if (tomoyo_permstr(operation, "mount")) 965 if (tomoyo_permstr(operation,
966 tomoyo_mac_keywords[TOMOYO_MAC_FILE_MOUNT]))
1004 return tomoyo_update_mount_acl(param); 967 return tomoyo_update_mount_acl(param);
1005 return -EINVAL; 968 return -EINVAL;
1006} 969}
diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c
index fda15c1fc1c0..daf7a45f70f1 100644
--- a/security/tomoyo/util.c
+++ b/security/tomoyo/util.c
@@ -15,6 +15,37 @@ DEFINE_MUTEX(tomoyo_policy_lock);
15/* Has /sbin/init started? */ 15/* Has /sbin/init started? */
16bool tomoyo_policy_loaded; 16bool tomoyo_policy_loaded;
17 17
18/*
19 * Mapping table from "enum tomoyo_mac_index" to
20 * "enum tomoyo_mac_category_index".
21 */
22const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX] = {
23 /* CONFIG::file group */
24 [TOMOYO_MAC_FILE_EXECUTE] = TOMOYO_MAC_CATEGORY_FILE,
25 [TOMOYO_MAC_FILE_OPEN] = TOMOYO_MAC_CATEGORY_FILE,
26 [TOMOYO_MAC_FILE_CREATE] = TOMOYO_MAC_CATEGORY_FILE,
27 [TOMOYO_MAC_FILE_UNLINK] = TOMOYO_MAC_CATEGORY_FILE,
28 [TOMOYO_MAC_FILE_GETATTR] = TOMOYO_MAC_CATEGORY_FILE,
29 [TOMOYO_MAC_FILE_MKDIR] = TOMOYO_MAC_CATEGORY_FILE,
30 [TOMOYO_MAC_FILE_RMDIR] = TOMOYO_MAC_CATEGORY_FILE,
31 [TOMOYO_MAC_FILE_MKFIFO] = TOMOYO_MAC_CATEGORY_FILE,
32 [TOMOYO_MAC_FILE_MKSOCK] = TOMOYO_MAC_CATEGORY_FILE,
33 [TOMOYO_MAC_FILE_TRUNCATE] = TOMOYO_MAC_CATEGORY_FILE,
34 [TOMOYO_MAC_FILE_SYMLINK] = TOMOYO_MAC_CATEGORY_FILE,
35 [TOMOYO_MAC_FILE_MKBLOCK] = TOMOYO_MAC_CATEGORY_FILE,
36 [TOMOYO_MAC_FILE_MKCHAR] = TOMOYO_MAC_CATEGORY_FILE,
37 [TOMOYO_MAC_FILE_LINK] = TOMOYO_MAC_CATEGORY_FILE,
38 [TOMOYO_MAC_FILE_RENAME] = TOMOYO_MAC_CATEGORY_FILE,
39 [TOMOYO_MAC_FILE_CHMOD] = TOMOYO_MAC_CATEGORY_FILE,
40 [TOMOYO_MAC_FILE_CHOWN] = TOMOYO_MAC_CATEGORY_FILE,
41 [TOMOYO_MAC_FILE_CHGRP] = TOMOYO_MAC_CATEGORY_FILE,
42 [TOMOYO_MAC_FILE_IOCTL] = TOMOYO_MAC_CATEGORY_FILE,
43 [TOMOYO_MAC_FILE_CHROOT] = TOMOYO_MAC_CATEGORY_FILE,
44 [TOMOYO_MAC_FILE_MOUNT] = TOMOYO_MAC_CATEGORY_FILE,
45 [TOMOYO_MAC_FILE_UMOUNT] = TOMOYO_MAC_CATEGORY_FILE,
46 [TOMOYO_MAC_FILE_PIVOT_ROOT] = TOMOYO_MAC_CATEGORY_FILE,
47};
48
18/** 49/**
19 * tomoyo_permstr - Find permission keywords. 50 * tomoyo_permstr - Find permission keywords.
20 * 51 *
@@ -936,9 +967,11 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
936 if (count < tomoyo_profile(domain->ns, domain->profile)-> 967 if (count < tomoyo_profile(domain->ns, domain->profile)->
937 pref[TOMOYO_PREF_MAX_LEARNING_ENTRY]) 968 pref[TOMOYO_PREF_MAX_LEARNING_ENTRY])
938 return true; 969 return true;
939 if (!domain->quota_warned) { 970 if (!domain->flags[TOMOYO_DIF_QUOTA_WARNED]) {
940 domain->quota_warned = true; 971 domain->flags[TOMOYO_DIF_QUOTA_WARNED] = true;
941 printk(KERN_WARNING "TOMOYO-WARNING: " 972 /* r->granted = false; */
973 tomoyo_write_log(r, "%s", tomoyo_dif[TOMOYO_DIF_QUOTA_WARNED]);
974 printk(KERN_WARNING "WARNING: "
942 "Domain '%s' has too many ACLs to hold. " 975 "Domain '%s' has too many ACLs to hold. "
943 "Stopped learning mode.\n", domain->domainname->name); 976 "Stopped learning mode.\n", domain->domainname->name);
944 } 977 }