aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/tomoyo/common.h10
-rw-r--r--security/tomoyo/file.c15
-rw-r--r--security/tomoyo/tomoyo.c40
3 files changed, 27 insertions, 38 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index f4d3050b9c0e..17ed365521b1 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -637,12 +637,10 @@ int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
637 const struct tomoyo_path_info *filename); 637 const struct tomoyo_path_info *filename);
638int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 638int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
639 struct path *path, const int flag); 639 struct path *path, const int flag);
640int tomoyo_path_perm(struct tomoyo_domain_info *domain, const u8 operation, 640int tomoyo_path_perm(const u8 operation, struct path *path);
641 struct path *path); 641int tomoyo_path2_perm(const u8 operation, struct path *path1,
642int tomoyo_path2_perm(struct tomoyo_domain_info *domain, const u8 operation, 642 struct path *path2);
643 struct path *path1, struct path *path2); 643int tomoyo_check_rewrite_permission(struct file *filp);
644int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
645 struct file *filp);
646int tomoyo_find_next_domain(struct linux_binprm *bprm); 644int tomoyo_find_next_domain(struct linux_binprm *bprm);
647 645
648/* Run garbage collector. */ 646/* Run garbage collector. */
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 09feaf24864d..db342ef87af7 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -1135,17 +1135,16 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1135/** 1135/**
1136 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". 1136 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1137 * 1137 *
1138 * @domain: Pointer to "struct tomoyo_domain_info".
1139 * @operation: Type of operation. 1138 * @operation: Type of operation.
1140 * @path: Pointer to "struct path". 1139 * @path: Pointer to "struct path".
1141 * 1140 *
1142 * Returns 0 on success, negative value otherwise. 1141 * Returns 0 on success, negative value otherwise.
1143 */ 1142 */
1144int tomoyo_path_perm(struct tomoyo_domain_info *domain, 1143int tomoyo_path_perm(const u8 operation, struct path *path)
1145 const u8 operation, struct path *path)
1146{ 1144{
1147 int error = -ENOMEM; 1145 int error = -ENOMEM;
1148 struct tomoyo_path_info *buf; 1146 struct tomoyo_path_info *buf;
1147 struct tomoyo_domain_info *domain = tomoyo_domain();
1149 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1148 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1150 const bool is_enforce = (mode == 3); 1149 const bool is_enforce = (mode == 3);
1151 int idx; 1150 int idx;
@@ -1180,15 +1179,14 @@ int tomoyo_path_perm(struct tomoyo_domain_info *domain,
1180/** 1179/**
1181 * tomoyo_check_rewrite_permission - Check permission for "rewrite". 1180 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1182 * 1181 *
1183 * @domain: Pointer to "struct tomoyo_domain_info".
1184 * @filp: Pointer to "struct file". 1182 * @filp: Pointer to "struct file".
1185 * 1183 *
1186 * Returns 0 on success, negative value otherwise. 1184 * Returns 0 on success, negative value otherwise.
1187 */ 1185 */
1188int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, 1186int tomoyo_check_rewrite_permission(struct file *filp)
1189 struct file *filp)
1190{ 1187{
1191 int error = -ENOMEM; 1188 int error = -ENOMEM;
1189 struct tomoyo_domain_info *domain = tomoyo_domain();
1192 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1190 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1193 const bool is_enforce = (mode == 3); 1191 const bool is_enforce = (mode == 3);
1194 struct tomoyo_path_info *buf; 1192 struct tomoyo_path_info *buf;
@@ -1217,19 +1215,18 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1217/** 1215/**
1218 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root". 1216 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1219 * 1217 *
1220 * @domain: Pointer to "struct tomoyo_domain_info".
1221 * @operation: Type of operation. 1218 * @operation: Type of operation.
1222 * @path1: Pointer to "struct path". 1219 * @path1: Pointer to "struct path".
1223 * @path2: Pointer to "struct path". 1220 * @path2: Pointer to "struct path".
1224 * 1221 *
1225 * Returns 0 on success, negative value otherwise. 1222 * Returns 0 on success, negative value otherwise.
1226 */ 1223 */
1227int tomoyo_path2_perm(struct tomoyo_domain_info * const domain, 1224int tomoyo_path2_perm(const u8 operation, struct path *path1,
1228 const u8 operation, struct path *path1,
1229 struct path *path2) 1225 struct path *path2)
1230{ 1226{
1231 int error = -ENOMEM; 1227 int error = -ENOMEM;
1232 struct tomoyo_path_info *buf1, *buf2; 1228 struct tomoyo_path_info *buf1, *buf2;
1229 struct tomoyo_domain_info *domain = tomoyo_domain();
1233 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1230 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1234 const bool is_enforce = (mode == 3); 1231 const bool is_enforce = (mode == 3);
1235 const char *msg; 1232 const char *msg;
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index e3945d0511b8..c94e35c3c759 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -100,33 +100,33 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
100static int tomoyo_path_truncate(struct path *path, loff_t length, 100static int tomoyo_path_truncate(struct path *path, loff_t length,
101 unsigned int time_attrs) 101 unsigned int time_attrs)
102{ 102{
103 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_TRUNCATE, path); 103 return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path);
104} 104}
105 105
106static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry) 106static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry)
107{ 107{
108 struct path path = { parent->mnt, dentry }; 108 struct path path = { parent->mnt, dentry };
109 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_UNLINK, &path); 109 return tomoyo_path_perm(TOMOYO_TYPE_UNLINK, &path);
110} 110}
111 111
112static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry, 112static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry,
113 int mode) 113 int mode)
114{ 114{
115 struct path path = { parent->mnt, dentry }; 115 struct path path = { parent->mnt, dentry };
116 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_MKDIR, &path); 116 return tomoyo_path_perm(TOMOYO_TYPE_MKDIR, &path);
117} 117}
118 118
119static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry) 119static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry)
120{ 120{
121 struct path path = { parent->mnt, dentry }; 121 struct path path = { parent->mnt, dentry };
122 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_RMDIR, &path); 122 return tomoyo_path_perm(TOMOYO_TYPE_RMDIR, &path);
123} 123}
124 124
125static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry, 125static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry,
126 const char *old_name) 126 const char *old_name)
127{ 127{
128 struct path path = { parent->mnt, dentry }; 128 struct path path = { parent->mnt, dentry };
129 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_SYMLINK, &path); 129 return tomoyo_path_perm(TOMOYO_TYPE_SYMLINK, &path);
130} 130}
131 131
132static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry, 132static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry,
@@ -149,7 +149,7 @@ static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry,
149 type = TOMOYO_TYPE_MKSOCK; 149 type = TOMOYO_TYPE_MKSOCK;
150 break; 150 break;
151 } 151 }
152 return tomoyo_path_perm(tomoyo_domain(), type, &path); 152 return tomoyo_path_perm(type, &path);
153} 153}
154 154
155static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir, 155static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir,
@@ -157,8 +157,7 @@ static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir,
157{ 157{
158 struct path path1 = { new_dir->mnt, old_dentry }; 158 struct path path1 = { new_dir->mnt, old_dentry };
159 struct path path2 = { new_dir->mnt, new_dentry }; 159 struct path path2 = { new_dir->mnt, new_dentry };
160 return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_LINK, &path1, 160 return tomoyo_path2_perm(TOMOYO_TYPE_LINK, &path1, &path2);
161 &path2);
162} 161}
163 162
164static int tomoyo_path_rename(struct path *old_parent, 163static int tomoyo_path_rename(struct path *old_parent,
@@ -168,15 +167,14 @@ static int tomoyo_path_rename(struct path *old_parent,
168{ 167{
169 struct path path1 = { old_parent->mnt, old_dentry }; 168 struct path path1 = { old_parent->mnt, old_dentry };
170 struct path path2 = { new_parent->mnt, new_dentry }; 169 struct path path2 = { new_parent->mnt, new_dentry };
171 return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_RENAME, &path1, 170 return tomoyo_path2_perm(TOMOYO_TYPE_RENAME, &path1, &path2);
172 &path2);
173} 171}
174 172
175static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, 173static int tomoyo_file_fcntl(struct file *file, unsigned int cmd,
176 unsigned long arg) 174 unsigned long arg)
177{ 175{
178 if (cmd == F_SETFL && ((arg ^ file->f_flags) & O_APPEND)) 176 if (cmd == F_SETFL && ((arg ^ file->f_flags) & O_APPEND))
179 return tomoyo_check_rewrite_permission(tomoyo_domain(), file); 177 return tomoyo_check_rewrite_permission(file);
180 return 0; 178 return 0;
181} 179}
182 180
@@ -196,50 +194,46 @@ static int tomoyo_dentry_open(struct file *f, const struct cred *cred)
196static int tomoyo_file_ioctl(struct file *file, unsigned int cmd, 194static int tomoyo_file_ioctl(struct file *file, unsigned int cmd,
197 unsigned long arg) 195 unsigned long arg)
198{ 196{
199 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_IOCTL, 197 return tomoyo_path_perm(TOMOYO_TYPE_IOCTL, &file->f_path);
200 &file->f_path);
201} 198}
202 199
203static int tomoyo_path_chmod(struct dentry *dentry, struct vfsmount *mnt, 200static int tomoyo_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
204 mode_t mode) 201 mode_t mode)
205{ 202{
206 struct path path = { mnt, dentry }; 203 struct path path = { mnt, dentry };
207 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHMOD, &path); 204 return tomoyo_path_perm(TOMOYO_TYPE_CHMOD, &path);
208} 205}
209 206
210static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid) 207static int tomoyo_path_chown(struct path *path, uid_t uid, gid_t gid)
211{ 208{
212 int error = 0; 209 int error = 0;
213 if (uid != (uid_t) -1) 210 if (uid != (uid_t) -1)
214 error = tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHOWN, 211 error = tomoyo_path_perm(TOMOYO_TYPE_CHOWN, path);
215 path);
216 if (!error && gid != (gid_t) -1) 212 if (!error && gid != (gid_t) -1)
217 error = tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHGRP, 213 error = tomoyo_path_perm(TOMOYO_TYPE_CHGRP, path);
218 path);
219 return error; 214 return error;
220} 215}
221 216
222static int tomoyo_path_chroot(struct path *path) 217static int tomoyo_path_chroot(struct path *path)
223{ 218{
224 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_CHROOT, path); 219 return tomoyo_path_perm(TOMOYO_TYPE_CHROOT, path);
225} 220}
226 221
227static int tomoyo_sb_mount(char *dev_name, struct path *path, 222static int tomoyo_sb_mount(char *dev_name, struct path *path,
228 char *type, unsigned long flags, void *data) 223 char *type, unsigned long flags, void *data)
229{ 224{
230 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_MOUNT, path); 225 return tomoyo_path_perm(TOMOYO_TYPE_MOUNT, path);
231} 226}
232 227
233static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) 228static int tomoyo_sb_umount(struct vfsmount *mnt, int flags)
234{ 229{
235 struct path path = { mnt, mnt->mnt_root }; 230 struct path path = { mnt, mnt->mnt_root };
236 return tomoyo_path_perm(tomoyo_domain(), TOMOYO_TYPE_UMOUNT, &path); 231 return tomoyo_path_perm(TOMOYO_TYPE_UMOUNT, &path);
237} 232}
238 233
239static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path) 234static int tomoyo_sb_pivotroot(struct path *old_path, struct path *new_path)
240{ 235{
241 return tomoyo_path2_perm(tomoyo_domain(), TOMOYO_TYPE_PIVOT_ROOT, 236 return tomoyo_path2_perm(TOMOYO_TYPE_PIVOT_ROOT, new_path, old_path);
242 new_path, old_path);
243} 237}
244 238
245/* 239/*