TOMOYO: Use common code for open and mkdir etc.
tomoyo_file_perm() and tomoyo_path_permission() are similar. We can embed tomoyo_file_perm() into tomoyo_path_permission(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
9ee0c823c1
commit
05336dee9f
3 changed files with 22 additions and 84 deletions
|
@ -880,7 +880,7 @@ int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
|
|||
|
||||
/* Initialize mm related code. */
|
||||
void __init tomoyo_mm_init(void);
|
||||
int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
|
||||
int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
|
||||
const struct tomoyo_path_info *filename);
|
||||
int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
|
||||
struct path *path, const int flag);
|
||||
|
|
|
@ -960,7 +960,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
|
|||
}
|
||||
|
||||
/* Check execute permission. */
|
||||
retval = tomoyo_check_exec_perm(&r, &rn);
|
||||
retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
|
||||
if (retval == TOMOYO_RETRY_REQUEST)
|
||||
goto retry;
|
||||
if (retval < 0)
|
||||
|
|
|
@ -670,62 +670,6 @@ static int tomoyo_path_acl(const struct tomoyo_request_info *r,
|
|||
return error;
|
||||
}
|
||||
|
||||
/**
|
||||
* tomoyo_file_perm - Check permission for opening files.
|
||||
*
|
||||
* @r: Pointer to "struct tomoyo_request_info".
|
||||
* @filename: Filename to check.
|
||||
* @mode: Mode ("read" or "write" or "read/write" or "execute").
|
||||
*
|
||||
* Returns 0 on success, negative value otherwise.
|
||||
*
|
||||
* Caller holds tomoyo_read_lock().
|
||||
*/
|
||||
static int tomoyo_file_perm(struct tomoyo_request_info *r,
|
||||
const struct tomoyo_path_info *filename,
|
||||
const u8 mode)
|
||||
{
|
||||
const char *msg = "<unknown>";
|
||||
int error = 0;
|
||||
u32 perm = 0;
|
||||
|
||||
if (!filename)
|
||||
return 0;
|
||||
|
||||
if (mode == 6) {
|
||||
msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
|
||||
perm = 1 << TOMOYO_TYPE_READ_WRITE;
|
||||
} else if (mode == 4) {
|
||||
msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
|
||||
perm = 1 << TOMOYO_TYPE_READ;
|
||||
} else if (mode == 2) {
|
||||
msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
|
||||
perm = 1 << TOMOYO_TYPE_WRITE;
|
||||
} else if (mode == 1) {
|
||||
msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
|
||||
perm = 1 << TOMOYO_TYPE_EXECUTE;
|
||||
} else
|
||||
BUG();
|
||||
do {
|
||||
error = tomoyo_path_acl(r, filename, perm);
|
||||
if (error && mode == 4 && !r->domain->ignore_global_allow_read
|
||||
&& tomoyo_is_globally_readable_file(filename))
|
||||
error = 0;
|
||||
if (!error)
|
||||
break;
|
||||
tomoyo_warn_log(r, "%s %s", msg, filename->name);
|
||||
error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
|
||||
tomoyo_file_pattern(filename));
|
||||
/*
|
||||
* Do not retry for execute request, for alias may have
|
||||
* changed.
|
||||
*/
|
||||
} while (error == TOMOYO_RETRY_REQUEST && mode != 1);
|
||||
if (r->mode != TOMOYO_CONFIG_ENFORCING)
|
||||
error = 0;
|
||||
return error;
|
||||
}
|
||||
|
||||
static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a,
|
||||
const struct tomoyo_acl_info *b)
|
||||
{
|
||||
|
@ -1018,8 +962,8 @@ static int tomoyo_path2_acl(const struct tomoyo_request_info *r, const u8 type,
|
|||
*
|
||||
* Caller holds tomoyo_read_lock().
|
||||
*/
|
||||
static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
|
||||
const struct tomoyo_path_info *filename)
|
||||
int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
|
||||
const struct tomoyo_path_info *filename)
|
||||
{
|
||||
const char *msg;
|
||||
int error;
|
||||
|
@ -1031,15 +975,22 @@ static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
|
|||
return 0;
|
||||
do {
|
||||
error = tomoyo_path_acl(r, filename, 1 << operation);
|
||||
if (error && operation == TOMOYO_TYPE_READ &&
|
||||
!r->domain->ignore_global_allow_read &&
|
||||
tomoyo_is_globally_readable_file(filename))
|
||||
error = 0;
|
||||
if (!error)
|
||||
break;
|
||||
msg = tomoyo_path2keyword(operation);
|
||||
tomoyo_warn_log(r, "%s %s", msg, filename->name);
|
||||
error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
|
||||
tomoyo_file_pattern(filename));
|
||||
} while (error == TOMOYO_RETRY_REQUEST);
|
||||
if (r->mode != TOMOYO_CONFIG_ENFORCING)
|
||||
error = 0;
|
||||
/*
|
||||
* Do not retry for execute request, for alias may have
|
||||
* changed.
|
||||
*/
|
||||
} while (error == TOMOYO_RETRY_REQUEST &&
|
||||
operation != TOMOYO_TYPE_EXECUTE);
|
||||
/*
|
||||
* Since "allow_truncate" doesn't imply "allow_rewrite" permission,
|
||||
* we need to check "allow_rewrite" permission if the filename is
|
||||
|
@ -1202,8 +1153,6 @@ static int tomoyo_path_number_perm2(struct tomoyo_request_info *r,
|
|||
tomoyo_file_pattern(filename),
|
||||
buffer);
|
||||
} while (error == TOMOYO_RETRY_REQUEST);
|
||||
if (r->mode != TOMOYO_CONFIG_ENFORCING)
|
||||
error = 0;
|
||||
return error;
|
||||
}
|
||||
|
||||
|
@ -1241,24 +1190,6 @@ int tomoyo_path_number_perm(const u8 type, struct path *path,
|
|||
return error;
|
||||
}
|
||||
|
||||
/**
|
||||
* tomoyo_check_exec_perm - Check permission for "execute".
|
||||
*
|
||||
* @r: Pointer to "struct tomoyo_request_info".
|
||||
* @filename: Check permission for "execute".
|
||||
*
|
||||
* Returns 0 on success, negativevalue otherwise.
|
||||
*
|
||||
* Caller holds tomoyo_read_lock().
|
||||
*/
|
||||
int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
|
||||
const struct tomoyo_path_info *filename)
|
||||
{
|
||||
if (r->mode == TOMOYO_CONFIG_DISABLED)
|
||||
return 0;
|
||||
return tomoyo_file_perm(r, filename, 1);
|
||||
}
|
||||
|
||||
/**
|
||||
* tomoyo_check_open_permission - Check permission for "read" and "write".
|
||||
*
|
||||
|
@ -1305,11 +1236,18 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
|
|||
if (!error && acc_mode &&
|
||||
tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN)
|
||||
!= TOMOYO_CONFIG_DISABLED) {
|
||||
u8 operation;
|
||||
if (!buf.name && !tomoyo_get_realpath(&buf, path)) {
|
||||
error = -ENOMEM;
|
||||
goto out;
|
||||
}
|
||||
error = tomoyo_file_perm(&r, &buf, acc_mode);
|
||||
if (acc_mode == (MAY_READ | MAY_WRITE))
|
||||
operation = TOMOYO_TYPE_READ_WRITE;
|
||||
else if (acc_mode == MAY_READ)
|
||||
operation = TOMOYO_TYPE_READ;
|
||||
else
|
||||
operation = TOMOYO_TYPE_WRITE;
|
||||
error = tomoyo_path_permission(&r, operation, &buf);
|
||||
}
|
||||
out:
|
||||
kfree(buf.name);
|
||||
|
|
Loading…
Reference in a new issue