TOMOYO: Use common code for open and mkdir etc.

tomoyo_file_perm() and tomoyo_path_permission() are similar.
We can embed tomoyo_file_perm() into tomoyo_path_permission().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

security/tomoyo/common.h

@@ -880,7 +880,7 @@ int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
 
 /* Initialize mm related code. */
 void __init tomoyo_mm_init(void);
-int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
+int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
 			   const struct tomoyo_path_info *filename);
 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
 				 struct path *path, const int flag);

security/tomoyo/domain.c

@@ -960,7 +960,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
 	}
 
 	/* Check execute permission. */
-	retval = tomoyo_check_exec_perm(&r, &rn);
+	retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
 	if (retval == TOMOYO_RETRY_REQUEST)
 		goto retry;
 	if (retval < 0)

security/tomoyo/file.c

@@ -670,62 +670,6 @@ static int tomoyo_path_acl(const struct tomoyo_request_info *r,
 	return error;
 }
 
-/**
- * tomoyo_file_perm - Check permission for opening files.
- *
- * @r:         Pointer to "struct tomoyo_request_info".
- * @filename:  Filename to check.
- * @mode:      Mode ("read" or "write" or "read/write" or "execute").
- *
- * Returns 0 on success, negative value otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-static int tomoyo_file_perm(struct tomoyo_request_info *r,
-			    const struct tomoyo_path_info *filename,
-			    const u8 mode)
-{
-	const char *msg = "<unknown>";
-	int error = 0;
-	u32 perm = 0;
-
-	if (!filename)
-		return 0;
-
-	if (mode == 6) {
-		msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
-		perm = 1 << TOMOYO_TYPE_READ_WRITE;
-	} else if (mode == 4) {
-		msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
-		perm = 1 << TOMOYO_TYPE_READ;
-	} else if (mode == 2) {
-		msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
-		perm = 1 << TOMOYO_TYPE_WRITE;
-	} else if (mode == 1) {
-		msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
-		perm = 1 << TOMOYO_TYPE_EXECUTE;
-	} else
-		BUG();
-	do {
-		error = tomoyo_path_acl(r, filename, perm);
-		if (error && mode == 4 && !r->domain->ignore_global_allow_read
-		    && tomoyo_is_globally_readable_file(filename))
-			error = 0;
-		if (!error)
-			break;
-		tomoyo_warn_log(r, "%s %s", msg, filename->name);
-		error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
-					  tomoyo_file_pattern(filename));
-		/*
-                 * Do not retry for execute request, for alias may have
-		 * changed.
-                 */
-	} while (error == TOMOYO_RETRY_REQUEST && mode != 1);
-	if (r->mode != TOMOYO_CONFIG_ENFORCING)
-		error = 0;
-	return error;
-}
-
 static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a,
 				 const struct tomoyo_acl_info *b)
 {
@@ -1018,8 +962,8 @@ static int tomoyo_path2_acl(const struct tomoyo_request_info *r, const u8 type,
  *
  * Caller holds tomoyo_read_lock().
  */
-static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
+int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
-				  const struct tomoyo_path_info *filename)
+			   const struct tomoyo_path_info *filename)
 {
 	const char *msg;
 	int error;
@@ -1031,15 +975,22 @@ static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
 		return 0;
 	do {
 		error = tomoyo_path_acl(r, filename, 1 << operation);
+		if (error && operation == TOMOYO_TYPE_READ &&
+		    !r->domain->ignore_global_allow_read &&
+		    tomoyo_is_globally_readable_file(filename))
+			error = 0;
 		if (!error)
 			break;
 		msg = tomoyo_path2keyword(operation);
 		tomoyo_warn_log(r, "%s %s", msg, filename->name);
 		error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
 					  tomoyo_file_pattern(filename));
-	} while (error == TOMOYO_RETRY_REQUEST);
+		/*
-	if (r->mode != TOMOYO_CONFIG_ENFORCING)
+		 * Do not retry for execute request, for alias may have
-		error = 0;
+		 * changed.
+		 */
+	} while (error == TOMOYO_RETRY_REQUEST &&
+		 operation != TOMOYO_TYPE_EXECUTE);
 	/*
 	 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
 	 * we need to check "allow_rewrite" permission if the filename is
@@ -1202,8 +1153,6 @@ static int tomoyo_path_number_perm2(struct tomoyo_request_info *r,
 					  tomoyo_file_pattern(filename),
 					  buffer);
 	} while (error == TOMOYO_RETRY_REQUEST);
-	if (r->mode != TOMOYO_CONFIG_ENFORCING)
-		error = 0;
 	return error;
 }
 
@@ -1241,24 +1190,6 @@ int tomoyo_path_number_perm(const u8 type, struct path *path,
 	return error;
 }
 
-/**
- * tomoyo_check_exec_perm - Check permission for "execute".
- *
- * @r:        Pointer to "struct tomoyo_request_info".
- * @filename: Check permission for "execute".
- *
- * Returns 0 on success, negativevalue otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
-			   const struct tomoyo_path_info *filename)
-{
-	if (r->mode == TOMOYO_CONFIG_DISABLED)
-		return 0;
-	return tomoyo_file_perm(r, filename, 1);
-}
-
 /**
  * tomoyo_check_open_permission - Check permission for "read" and "write".
  *
@@ -1305,11 +1236,18 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
 	if (!error && acc_mode &&
 	    tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN)
 	    != TOMOYO_CONFIG_DISABLED) {
+		u8 operation;
 		if (!buf.name && !tomoyo_get_realpath(&buf, path)) {
 			error = -ENOMEM;
 			goto out;
 		}
-		error = tomoyo_file_perm(&r, &buf, acc_mode);
+		if (acc_mode == (MAY_READ | MAY_WRITE))
+			operation = TOMOYO_TYPE_READ_WRITE;
+		else if (acc_mode == MAY_READ)
+			operation = TOMOYO_TYPE_READ;
+		else
+			operation = TOMOYO_TYPE_WRITE;
+		error = tomoyo_path_permission(&r, operation, &buf);
 	}
  out:
 	kfree(buf.name);