TOMOYO: Cleanup part 3.

Use common structure for ACL with "struct list_head" + "atomic_t".
Use array/struct where possible.
Remove is_group from "struct tomoyo_name_union"/"struct tomoyo_number_union".
Pass "struct file"->private_data rather than "struct file".
Update some of comments.
Bring tomoyo_same_acl_head() from common.h to domain.c .
Bring tomoyo_invalid()/tomoyo_valid() from common.h to util.c .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Tetsuo Handa 2011-06-26 23:16:36 +09:00 committed by James Morris
parent b5bc60b4ce
commit 0df7e8b8f1
9 changed files with 410 additions and 153 deletions

View file

@ -192,7 +192,7 @@ static void tomoyo_print_name_union(struct tomoyo_io_buffer *head,
const struct tomoyo_name_union *ptr) const struct tomoyo_name_union *ptr)
{ {
tomoyo_set_space(head); tomoyo_set_space(head);
if (ptr->is_group) { if (ptr->group) {
tomoyo_set_string(head, "@"); tomoyo_set_string(head, "@");
tomoyo_set_string(head, ptr->group->group_name->name); tomoyo_set_string(head, ptr->group->group_name->name);
} else { } else {
@ -210,15 +210,15 @@ static void tomoyo_print_number_union(struct tomoyo_io_buffer *head,
const struct tomoyo_number_union *ptr) const struct tomoyo_number_union *ptr)
{ {
tomoyo_set_space(head); tomoyo_set_space(head);
if (ptr->is_group) { if (ptr->group) {
tomoyo_set_string(head, "@"); tomoyo_set_string(head, "@");
tomoyo_set_string(head, ptr->group->group_name->name); tomoyo_set_string(head, ptr->group->group_name->name);
} else { } else {
int i; int i;
unsigned long min = ptr->values[0]; unsigned long min = ptr->values[0];
const unsigned long max = ptr->values[1]; const unsigned long max = ptr->values[1];
u8 min_type = ptr->min_type; u8 min_type = ptr->value_type[0];
const u8 max_type = ptr->max_type; const u8 max_type = ptr->value_type[1];
char buffer[128]; char buffer[128];
buffer[0] = '\0'; buffer[0] = '\0';
for (i = 0; i < 2; i++) { for (i = 0; i < 2; i++) {
@ -769,7 +769,7 @@ static bool tomoyo_select_one(struct tomoyo_io_buffer *head, const char *data)
domain = tomoyo_find_domain(data + 7); domain = tomoyo_find_domain(data + 7);
} else } else
return false; return false;
head->write_var1 = domain; head->w.domain = domain;
/* Accessing read_buf is safe because head->io_sem is held. */ /* Accessing read_buf is safe because head->io_sem is held. */
if (!head->read_buf) if (!head->read_buf)
return true; /* Do nothing if open(O_WRONLY). */ return true; /* Do nothing if open(O_WRONLY). */
@ -847,7 +847,7 @@ static int tomoyo_write_domain2(char *data, struct tomoyo_domain_info *domain,
static int tomoyo_write_domain(struct tomoyo_io_buffer *head) static int tomoyo_write_domain(struct tomoyo_io_buffer *head)
{ {
char *data = head->write_buf; char *data = head->write_buf;
struct tomoyo_domain_info *domain = head->write_var1; struct tomoyo_domain_info *domain = head->w.domain;
bool is_delete = false; bool is_delete = false;
bool is_select = false; bool is_select = false;
unsigned int profile; unsigned int profile;
@ -869,7 +869,7 @@ static int tomoyo_write_domain(struct tomoyo_io_buffer *head)
domain = tomoyo_find_domain(data); domain = tomoyo_find_domain(data);
else else
domain = tomoyo_assign_domain(data, 0); domain = tomoyo_assign_domain(data, 0);
head->write_var1 = domain; head->w.domain = domain;
return 0; return 0;
} }
if (!domain) if (!domain)
@ -1250,7 +1250,7 @@ static bool tomoyo_read_group(struct tomoyo_io_buffer *head, const int idx)
{ {
list_for_each_cookie(head->r.group, &tomoyo_group_list[idx]) { list_for_each_cookie(head->r.group, &tomoyo_group_list[idx]) {
struct tomoyo_group *group = struct tomoyo_group *group =
list_entry(head->r.group, typeof(*group), list); list_entry(head->r.group, typeof(*group), head.list);
list_for_each_cookie(head->r.acl, &group->member_list) { list_for_each_cookie(head->r.acl, &group->member_list) {
struct tomoyo_acl_head *ptr = struct tomoyo_acl_head *ptr =
list_entry(head->r.acl, typeof(*ptr), list); list_entry(head->r.acl, typeof(*ptr), list);
@ -1874,7 +1874,7 @@ int tomoyo_poll_control(struct file *file, poll_table *wait)
/** /**
* tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
* *
* @file: Pointer to "struct file". * @head: Pointer to "struct tomoyo_io_buffer".
* @buffer: Poiner to buffer to write to. * @buffer: Poiner to buffer to write to.
* @buffer_len: Size of @buffer. * @buffer_len: Size of @buffer.
* *
@ -1882,11 +1882,10 @@ int tomoyo_poll_control(struct file *file, poll_table *wait)
* *
* Caller holds tomoyo_read_lock(). * Caller holds tomoyo_read_lock().
*/ */
int tomoyo_read_control(struct file *file, char __user *buffer, int tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
const int buffer_len) const int buffer_len)
{ {
int len; int len;
struct tomoyo_io_buffer *head = file->private_data;
if (!head->read) if (!head->read)
return -ENOSYS; return -ENOSYS;
@ -1906,7 +1905,7 @@ int tomoyo_read_control(struct file *file, char __user *buffer,
/** /**
* tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
* *
* @file: Pointer to "struct file". * @head: Pointer to "struct tomoyo_io_buffer".
* @buffer: Pointer to buffer to read from. * @buffer: Pointer to buffer to read from.
* @buffer_len: Size of @buffer. * @buffer_len: Size of @buffer.
* *
@ -1914,10 +1913,9 @@ int tomoyo_read_control(struct file *file, char __user *buffer,
* *
* Caller holds tomoyo_read_lock(). * Caller holds tomoyo_read_lock().
*/ */
int tomoyo_write_control(struct file *file, const char __user *buffer, int tomoyo_write_control(struct tomoyo_io_buffer *head,
const int buffer_len) const char __user *buffer, const int buffer_len)
{ {
struct tomoyo_io_buffer *head = file->private_data;
int error = buffer_len; int error = buffer_len;
int avail_len = buffer_len; int avail_len = buffer_len;
char *cp0 = head->write_buf; char *cp0 = head->write_buf;
@ -1935,7 +1933,7 @@ int tomoyo_write_control(struct file *file, const char __user *buffer,
/* Read a line and dispatch it to the policy handler. */ /* Read a line and dispatch it to the policy handler. */
while (avail_len > 0) { while (avail_len > 0) {
char c; char c;
if (head->write_avail >= head->writebuf_size - 1) { if (head->w.avail >= head->writebuf_size - 1) {
error = -ENOMEM; error = -ENOMEM;
break; break;
} else if (get_user(c, buffer)) { } else if (get_user(c, buffer)) {
@ -1944,11 +1942,11 @@ int tomoyo_write_control(struct file *file, const char __user *buffer,
} }
buffer++; buffer++;
avail_len--; avail_len--;
cp0[head->write_avail++] = c; cp0[head->w.avail++] = c;
if (c != '\n') if (c != '\n')
continue; continue;
cp0[head->write_avail - 1] = '\0'; cp0[head->w.avail - 1] = '\0';
head->write_avail = 0; head->w.avail = 0;
tomoyo_normalize_line(cp0); tomoyo_normalize_line(cp0);
head->write(head); head->write(head);
} }
@ -1959,15 +1957,14 @@ int tomoyo_write_control(struct file *file, const char __user *buffer,
/** /**
* tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
* *
* @file: Pointer to "struct file". * @head: Pointer to "struct tomoyo_io_buffer".
* *
* Releases memory and returns 0. * Releases memory and returns 0.
* *
* Caller looses tomoyo_read_lock(). * Caller looses tomoyo_read_lock().
*/ */
int tomoyo_close_control(struct file *file) int tomoyo_close_control(struct tomoyo_io_buffer *head)
{ {
struct tomoyo_io_buffer *head = file->private_data;
const bool is_write = !!head->write_buf; const bool is_write = !!head->write_buf;
/* /*
@ -1984,8 +1981,6 @@ int tomoyo_close_control(struct file *file)
kfree(head->write_buf); kfree(head->write_buf);
head->write_buf = NULL; head->write_buf = NULL;
kfree(head); kfree(head);
head = NULL;
file->private_data = NULL;
if (is_write) if (is_write)
tomoyo_run_gc(); tomoyo_run_gc();
return 0; return 0;

View file

@ -219,6 +219,12 @@ struct tomoyo_acl_head {
bool is_deleted; bool is_deleted;
} __packed; } __packed;
/* Common header for shared entries. */
struct tomoyo_shared_acl_head {
struct list_head list;
atomic_t users;
} __packed;
/* Structure for request info. */ /* Structure for request info. */
struct tomoyo_request_info { struct tomoyo_request_info {
struct tomoyo_domain_info *domain; struct tomoyo_domain_info *domain;
@ -281,8 +287,7 @@ struct tomoyo_path_info {
/* Structure for holding string data. */ /* Structure for holding string data. */
struct tomoyo_name { struct tomoyo_name {
struct list_head list; struct tomoyo_shared_acl_head head;
atomic_t users;
struct tomoyo_path_info entry; struct tomoyo_path_info entry;
}; };
@ -291,8 +296,6 @@ struct tomoyo_name_union {
/* Either @filename or @group is NULL. */ /* Either @filename or @group is NULL. */
const struct tomoyo_path_info *filename; const struct tomoyo_path_info *filename;
struct tomoyo_group *group; struct tomoyo_group *group;
/* True if @group != NULL, false if @filename != NULL. */
u8 is_group;
}; };
/* Structure for holding a number. */ /* Structure for holding a number. */
@ -300,18 +303,14 @@ struct tomoyo_number_union {
unsigned long values[2]; unsigned long values[2];
struct tomoyo_group *group; /* Maybe NULL. */ struct tomoyo_group *group; /* Maybe NULL. */
/* One of values in "enum tomoyo_value_type". */ /* One of values in "enum tomoyo_value_type". */
u8 min_type; u8 value_type[2];
u8 max_type;
/* True if @group != NULL, false otherwise. */
u8 is_group;
}; };
/* Structure for "path_group"/"number_group" directive. */ /* Structure for "path_group"/"number_group" directive. */
struct tomoyo_group { struct tomoyo_group {
struct list_head list; struct tomoyo_shared_acl_head head;
const struct tomoyo_path_info *group_name; const struct tomoyo_path_info *group_name;
struct list_head member_list; struct list_head member_list;
atomic_t users;
}; };
/* Structure for "path_group" directive. */ /* Structure for "path_group" directive. */
@ -429,16 +428,18 @@ struct tomoyo_io_buffer {
bool print_execute_only; bool print_execute_only;
const char *w[TOMOYO_MAX_IO_READ_QUEUE]; const char *w[TOMOYO_MAX_IO_READ_QUEUE];
} r; } r;
/* The position currently writing to. */ struct {
struct tomoyo_domain_info *write_var1; /* The position currently writing to. */
struct tomoyo_domain_info *domain;
/* Bytes available for writing. */
int avail;
} w;
/* Buffer for reading. */ /* Buffer for reading. */
char *read_buf; char *read_buf;
/* Size of read buffer. */ /* Size of read buffer. */
int readbuf_size; int readbuf_size;
/* Buffer for writing. */ /* Buffer for writing. */
char *write_buf; char *write_buf;
/* Bytes available for writing. */
int write_avail;
/* Size of write buffer. */ /* Size of write buffer. */
int writebuf_size; int writebuf_size;
/* Type of this interface. */ /* Type of this interface. */
@ -500,12 +501,12 @@ void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...)
__attribute__ ((format(printf, 2, 3))); __attribute__ ((format(printf, 2, 3)));
void tomoyo_check_profile(void); void tomoyo_check_profile(void);
int tomoyo_open_control(const u8 type, struct file *file); int tomoyo_open_control(const u8 type, struct file *file);
int tomoyo_close_control(struct file *file); int tomoyo_close_control(struct tomoyo_io_buffer *head);
int tomoyo_poll_control(struct file *file, poll_table *wait); int tomoyo_poll_control(struct file *file, poll_table *wait);
int tomoyo_read_control(struct file *file, char __user *buffer, int tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
const int buffer_len); const int buffer_len);
int tomoyo_write_control(struct file *file, const char __user *buffer, int tomoyo_write_control(struct tomoyo_io_buffer *head,
const int buffer_len); const char __user *buffer, const int buffer_len);
bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r); bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);
void tomoyo_warn_oom(const char *function); void tomoyo_warn_oom(const char *function);
const struct tomoyo_path_info * const struct tomoyo_path_info *
@ -671,30 +672,6 @@ static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
return a->hash != b->hash || strcmp(a->name, b->name); return a->hash != b->hash || strcmp(a->name, b->name);
} }
/**
* tomoyo_valid - Check whether the character is a valid char.
*
* @c: The character to check.
*
* Returns true if @c is a valid character, false otherwise.
*/
static inline bool tomoyo_valid(const unsigned char c)
{
return c > ' ' && c < 127;
}
/**
* tomoyo_invalid - Check whether the character is an invalid char.
*
* @c: The character to check.
*
* Returns true if @c is an invalid character, false otherwise.
*/
static inline bool tomoyo_invalid(const unsigned char c)
{
return c && (c <= ' ' || c >= 127);
}
/** /**
* tomoyo_put_name - Drop reference on "struct tomoyo_name". * tomoyo_put_name - Drop reference on "struct tomoyo_name".
* *
@ -707,7 +684,7 @@ static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
if (name) { if (name) {
struct tomoyo_name *ptr = struct tomoyo_name *ptr =
container_of(name, typeof(*ptr), entry); container_of(name, typeof(*ptr), entry);
atomic_dec(&ptr->users); atomic_dec(&ptr->head.users);
} }
} }
@ -721,7 +698,7 @@ static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
static inline void tomoyo_put_group(struct tomoyo_group *group) static inline void tomoyo_put_group(struct tomoyo_group *group)
{ {
if (group) if (group)
atomic_dec(&group->users); atomic_dec(&group->head.users);
} }
/** /**
@ -747,12 +724,6 @@ static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
return task_cred_xxx(task, security); return task_cred_xxx(task, security);
} }
static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *p1,
const struct tomoyo_acl_info *p2)
{
return p1->type == p2->type;
}
/** /**
* tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry. * tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry.
* *
@ -764,8 +735,7 @@ static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *p1,
static inline bool tomoyo_same_name_union static inline bool tomoyo_same_name_union
(const struct tomoyo_name_union *a, const struct tomoyo_name_union *b) (const struct tomoyo_name_union *a, const struct tomoyo_name_union *b)
{ {
return a->filename == b->filename && a->group == b->group && return a->filename == b->filename && a->group == b->group;
a->is_group == b->is_group;
} }
/** /**
@ -780,8 +750,8 @@ static inline bool tomoyo_same_number_union
(const struct tomoyo_number_union *a, const struct tomoyo_number_union *b) (const struct tomoyo_number_union *a, const struct tomoyo_number_union *b)
{ {
return a->values[0] == b->values[0] && a->values[1] == b->values[1] && return a->values[0] == b->values[0] && a->values[1] == b->values[1] &&
a->group == b->group && a->min_type == b->min_type && a->group == b->group && a->value_type[0] == b->value_type[0] &&
a->max_type == b->max_type && a->is_group == b->is_group; a->value_type[1] == b->value_type[1];
} }
/** /**

View file

@ -58,6 +58,20 @@ int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
return error; return error;
} }
/**
* tomoyo_same_acl_head - Check for duplicated "struct tomoyo_acl_info" entry.
*
* @a: Pointer to "struct tomoyo_acl_info".
* @b: Pointer to "struct tomoyo_acl_info".
*
* Returns true if @a == @b, false otherwise.
*/
static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *a,
const struct tomoyo_acl_info *b)
{
return a->type == b->type;
}
/** /**
* tomoyo_update_domain - Update an entry for domain policy. * tomoyo_update_domain - Update an entry for domain policy.
* *
@ -88,7 +102,8 @@ int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
if (mutex_lock_interruptible(&tomoyo_policy_lock)) if (mutex_lock_interruptible(&tomoyo_policy_lock))
return error; return error;
list_for_each_entry_rcu(entry, &domain->acl_info_list, list) { list_for_each_entry_rcu(entry, &domain->acl_info_list, list) {
if (!check_duplicate(entry, new_entry)) if (!tomoyo_same_acl_head(entry, new_entry) ||
!check_duplicate(entry, new_entry))
continue; continue;
if (merge_duplicate) if (merge_duplicate)
entry->is_deleted = merge_duplicate(entry, new_entry, entry->is_deleted = merge_duplicate(entry, new_entry,

View file

@ -49,6 +49,9 @@ const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION] = {
[TOMOYO_TYPE_CHGRP] = "chgrp", [TOMOYO_TYPE_CHGRP] = "chgrp",
}; };
/*
* Mapping table from "enum tomoyo_path_acl_index" to "enum tomoyo_mac_index".
*/
static const u8 tomoyo_p2mac[TOMOYO_MAX_PATH_OPERATION] = { static const u8 tomoyo_p2mac[TOMOYO_MAX_PATH_OPERATION] = {
[TOMOYO_TYPE_EXECUTE] = TOMOYO_MAC_FILE_EXECUTE, [TOMOYO_TYPE_EXECUTE] = TOMOYO_MAC_FILE_EXECUTE,
[TOMOYO_TYPE_READ] = TOMOYO_MAC_FILE_OPEN, [TOMOYO_TYPE_READ] = TOMOYO_MAC_FILE_OPEN,
@ -63,17 +66,27 @@ static const u8 tomoyo_p2mac[TOMOYO_MAX_PATH_OPERATION] = {
[TOMOYO_TYPE_UMOUNT] = TOMOYO_MAC_FILE_UMOUNT, [TOMOYO_TYPE_UMOUNT] = TOMOYO_MAC_FILE_UMOUNT,
}; };
/*
* Mapping table from "enum tomoyo_mkdev_acl_index" to "enum tomoyo_mac_index".
*/
static const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION] = { static const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION] = {
[TOMOYO_TYPE_MKBLOCK] = TOMOYO_MAC_FILE_MKBLOCK, [TOMOYO_TYPE_MKBLOCK] = TOMOYO_MAC_FILE_MKBLOCK,
[TOMOYO_TYPE_MKCHAR] = TOMOYO_MAC_FILE_MKCHAR, [TOMOYO_TYPE_MKCHAR] = TOMOYO_MAC_FILE_MKCHAR,
}; };
/*
* Mapping table from "enum tomoyo_path2_acl_index" to "enum tomoyo_mac_index".
*/
static const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION] = { static const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION] = {
[TOMOYO_TYPE_LINK] = TOMOYO_MAC_FILE_LINK, [TOMOYO_TYPE_LINK] = TOMOYO_MAC_FILE_LINK,
[TOMOYO_TYPE_RENAME] = TOMOYO_MAC_FILE_RENAME, [TOMOYO_TYPE_RENAME] = TOMOYO_MAC_FILE_RENAME,
[TOMOYO_TYPE_PIVOT_ROOT] = TOMOYO_MAC_FILE_PIVOT_ROOT, [TOMOYO_TYPE_PIVOT_ROOT] = TOMOYO_MAC_FILE_PIVOT_ROOT,
}; };
/*
* Mapping table from "enum tomoyo_path_number_acl_index" to
* "enum tomoyo_mac_index".
*/
static const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION] = { static const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION] = {
[TOMOYO_TYPE_CREATE] = TOMOYO_MAC_FILE_CREATE, [TOMOYO_TYPE_CREATE] = TOMOYO_MAC_FILE_CREATE,
[TOMOYO_TYPE_MKDIR] = TOMOYO_MAC_FILE_MKDIR, [TOMOYO_TYPE_MKDIR] = TOMOYO_MAC_FILE_MKDIR,
@ -85,41 +98,76 @@ static const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION] = {
[TOMOYO_TYPE_CHGRP] = TOMOYO_MAC_FILE_CHGRP, [TOMOYO_TYPE_CHGRP] = TOMOYO_MAC_FILE_CHGRP,
}; };
/**
* tomoyo_put_name_union - Drop reference on "struct tomoyo_name_union".
*
* @ptr: Pointer to "struct tomoyo_name_union".
*
* Returns nothing.
*/
void tomoyo_put_name_union(struct tomoyo_name_union *ptr) void tomoyo_put_name_union(struct tomoyo_name_union *ptr)
{ {
if (!ptr) tomoyo_put_group(ptr->group);
return; tomoyo_put_name(ptr->filename);
if (ptr->is_group)
tomoyo_put_group(ptr->group);
else
tomoyo_put_name(ptr->filename);
} }
/**
* tomoyo_compare_name_union - Check whether a name matches "struct tomoyo_name_union" or not.
*
* @name: Pointer to "struct tomoyo_path_info".
* @ptr: Pointer to "struct tomoyo_name_union".
*
* Returns "struct tomoyo_path_info" if @name matches @ptr, NULL otherwise.
*/
const struct tomoyo_path_info * const struct tomoyo_path_info *
tomoyo_compare_name_union(const struct tomoyo_path_info *name, tomoyo_compare_name_union(const struct tomoyo_path_info *name,
const struct tomoyo_name_union *ptr) const struct tomoyo_name_union *ptr)
{ {
if (ptr->is_group) if (ptr->group)
return tomoyo_path_matches_group(name, ptr->group); return tomoyo_path_matches_group(name, ptr->group);
if (tomoyo_path_matches_pattern(name, ptr->filename)) if (tomoyo_path_matches_pattern(name, ptr->filename))
return ptr->filename; return ptr->filename;
return NULL; return NULL;
} }
/**
* tomoyo_put_number_union - Drop reference on "struct tomoyo_number_union".
*
* @ptr: Pointer to "struct tomoyo_number_union".
*
* Returns nothing.
*/
void tomoyo_put_number_union(struct tomoyo_number_union *ptr) void tomoyo_put_number_union(struct tomoyo_number_union *ptr)
{ {
if (ptr && ptr->is_group) tomoyo_put_group(ptr->group);
tomoyo_put_group(ptr->group);
} }
/**
* tomoyo_compare_number_union - Check whether a value matches "struct tomoyo_number_union" or not.
*
* @value: Number to check.
* @ptr: Pointer to "struct tomoyo_number_union".
*
* Returns true if @value matches @ptr, false otherwise.
*/
bool tomoyo_compare_number_union(const unsigned long value, bool tomoyo_compare_number_union(const unsigned long value,
const struct tomoyo_number_union *ptr) const struct tomoyo_number_union *ptr)
{ {
if (ptr->is_group) if (ptr->group)
return tomoyo_number_matches_group(value, value, ptr->group); return tomoyo_number_matches_group(value, value, ptr->group);
return value >= ptr->values[0] && value <= ptr->values[1]; return value >= ptr->values[0] && value <= ptr->values[1];
} }
/**
* tomoyo_add_slash - Add trailing '/' if needed.
*
* @buf: Pointer to "struct tomoyo_path_info".
*
* Returns nothing.
*
* @buf must be generated by tomoyo_encode() because this function does not
* allocate memory for adding '/'.
*/
static void tomoyo_add_slash(struct tomoyo_path_info *buf) static void tomoyo_add_slash(struct tomoyo_path_info *buf)
{ {
if (buf->is_dir) if (buf->is_dir)
@ -247,6 +295,18 @@ static int tomoyo_audit_path_number_log(struct tomoyo_request_info *r)
filename->name, buffer); filename->name, buffer);
} }
/**
* tomoyo_check_path_acl - Check permission for path operation.
*
* @r: Pointer to "struct tomoyo_request_info".
* @ptr: Pointer to "struct tomoyo_acl_info".
*
* Returns true if granted, false otherwise.
*
* To be able to use wildcard for domain transition, this function sets
* matching entry on success. Since the caller holds tomoyo_read_lock(),
* it is safe to set matching entry.
*/
static bool tomoyo_check_path_acl(struct tomoyo_request_info *r, static bool tomoyo_check_path_acl(struct tomoyo_request_info *r,
const struct tomoyo_acl_info *ptr) const struct tomoyo_acl_info *ptr)
{ {
@ -261,6 +321,14 @@ static bool tomoyo_check_path_acl(struct tomoyo_request_info *r,
return false; return false;
} }
/**
* tomoyo_check_path_number_acl - Check permission for path number operation.
*
* @r: Pointer to "struct tomoyo_request_info".
* @ptr: Pointer to "struct tomoyo_acl_info".
*
* Returns true if granted, false otherwise.
*/
static bool tomoyo_check_path_number_acl(struct tomoyo_request_info *r, static bool tomoyo_check_path_number_acl(struct tomoyo_request_info *r,
const struct tomoyo_acl_info *ptr) const struct tomoyo_acl_info *ptr)
{ {
@ -273,6 +341,14 @@ static bool tomoyo_check_path_number_acl(struct tomoyo_request_info *r,
&acl->name); &acl->name);
} }
/**
* tomoyo_check_path2_acl - Check permission for path path operation.
*
* @r: Pointer to "struct tomoyo_request_info".
* @ptr: Pointer to "struct tomoyo_acl_info".
*
* Returns true if granted, false otherwise.
*/
static bool tomoyo_check_path2_acl(struct tomoyo_request_info *r, static bool tomoyo_check_path2_acl(struct tomoyo_request_info *r,
const struct tomoyo_acl_info *ptr) const struct tomoyo_acl_info *ptr)
{ {
@ -284,8 +360,16 @@ static bool tomoyo_check_path2_acl(struct tomoyo_request_info *r,
&acl->name2); &acl->name2);
} }
/**
* tomoyo_check_mkdev_acl - Check permission for path number number number operation.
*
* @r: Pointer to "struct tomoyo_request_info".
* @ptr: Pointer to "struct tomoyo_acl_info".
*
* Returns true if granted, false otherwise.
*/
static bool tomoyo_check_mkdev_acl(struct tomoyo_request_info *r, static bool tomoyo_check_mkdev_acl(struct tomoyo_request_info *r,
const struct tomoyo_acl_info *ptr) const struct tomoyo_acl_info *ptr)
{ {
const struct tomoyo_mkdev_acl *acl = const struct tomoyo_mkdev_acl *acl =
container_of(ptr, typeof(*acl), head); container_of(ptr, typeof(*acl), head);
@ -300,13 +384,20 @@ static bool tomoyo_check_mkdev_acl(struct tomoyo_request_info *r,
&acl->name); &acl->name);
} }
/**
* tomoyo_same_path_acl - Check for duplicated "struct tomoyo_path_acl" entry.
*
* @a: Pointer to "struct tomoyo_acl_info".
* @b: Pointer to "struct tomoyo_acl_info".
*
* Returns true if @a == @b except permission bits, false otherwise.
*/
static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a, static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a,
const struct tomoyo_acl_info *b) const struct tomoyo_acl_info *b)
{ {
const struct tomoyo_path_acl *p1 = container_of(a, typeof(*p1), head); const struct tomoyo_path_acl *p1 = container_of(a, typeof(*p1), head);
const struct tomoyo_path_acl *p2 = container_of(b, typeof(*p2), head); const struct tomoyo_path_acl *p2 = container_of(b, typeof(*p2), head);
return tomoyo_same_acl_head(&p1->head, &p2->head) && return tomoyo_same_name_union(&p1->name, &p2->name);
tomoyo_same_name_union(&p1->name, &p2->name);
} }
/** /**
@ -364,23 +455,37 @@ static int tomoyo_update_path_acl(const u8 type, const char *filename,
return error; return error;
} }
/**
* tomoyo_same_mkdev_acl - Check for duplicated "struct tomoyo_mkdev_acl" entry.
*
* @a: Pointer to "struct tomoyo_acl_info".
* @b: Pointer to "struct tomoyo_acl_info".
*
* Returns true if @a == @b except permission bits, false otherwise.
*/
static bool tomoyo_same_mkdev_acl(const struct tomoyo_acl_info *a, static bool tomoyo_same_mkdev_acl(const struct tomoyo_acl_info *a,
const struct tomoyo_acl_info *b) const struct tomoyo_acl_info *b)
{ {
const struct tomoyo_mkdev_acl *p1 = container_of(a, typeof(*p1), const struct tomoyo_mkdev_acl *p1 = container_of(a, typeof(*p1), head);
head); const struct tomoyo_mkdev_acl *p2 = container_of(b, typeof(*p2), head);
const struct tomoyo_mkdev_acl *p2 = container_of(b, typeof(*p2), return tomoyo_same_name_union(&p1->name, &p2->name) &&
head); tomoyo_same_number_union(&p1->mode, &p2->mode) &&
return tomoyo_same_acl_head(&p1->head, &p2->head) tomoyo_same_number_union(&p1->major, &p2->major) &&
&& tomoyo_same_name_union(&p1->name, &p2->name) tomoyo_same_number_union(&p1->minor, &p2->minor);
&& tomoyo_same_number_union(&p1->mode, &p2->mode)
&& tomoyo_same_number_union(&p1->major, &p2->major)
&& tomoyo_same_number_union(&p1->minor, &p2->minor);
} }
/**
* tomoyo_merge_mkdev_acl - Merge duplicated "struct tomoyo_mkdev_acl" entry.
*
* @a: Pointer to "struct tomoyo_acl_info".
* @b: Pointer to "struct tomoyo_acl_info".
* @is_delete: True for @a &= ~@b, false for @a |= @b.
*
* Returns true if @a is empty, false otherwise.
*/
static bool tomoyo_merge_mkdev_acl(struct tomoyo_acl_info *a, static bool tomoyo_merge_mkdev_acl(struct tomoyo_acl_info *a,
struct tomoyo_acl_info *b, struct tomoyo_acl_info *b,
const bool is_delete) const bool is_delete)
{ {
u8 *const a_perm = &container_of(a, struct tomoyo_mkdev_acl, u8 *const a_perm = &container_of(a, struct tomoyo_mkdev_acl,
head)->perm; head)->perm;
@ -411,9 +516,9 @@ static bool tomoyo_merge_mkdev_acl(struct tomoyo_acl_info *a,
* Caller holds tomoyo_read_lock(). * Caller holds tomoyo_read_lock().
*/ */
static int tomoyo_update_mkdev_acl(const u8 type, const char *filename, static int tomoyo_update_mkdev_acl(const u8 type, const char *filename,
char *mode, char *major, char *minor, char *mode, char *major, char *minor,
struct tomoyo_domain_info * const struct tomoyo_domain_info * const domain,
domain, const bool is_delete) const bool is_delete)
{ {
struct tomoyo_mkdev_acl e = { struct tomoyo_mkdev_acl e = {
.head.type = TOMOYO_TYPE_MKDEV_ACL, .head.type = TOMOYO_TYPE_MKDEV_ACL,
@ -436,16 +541,32 @@ static int tomoyo_update_mkdev_acl(const u8 type, const char *filename,
return error; return error;
} }
/**
* tomoyo_same_path2_acl - Check for duplicated "struct tomoyo_path2_acl" entry.
*
* @a: Pointer to "struct tomoyo_acl_info".
* @b: Pointer to "struct tomoyo_acl_info".
*
* Returns true if @a == @b except permission bits, false otherwise.
*/
static bool tomoyo_same_path2_acl(const struct tomoyo_acl_info *a, static bool tomoyo_same_path2_acl(const struct tomoyo_acl_info *a,
const struct tomoyo_acl_info *b) const struct tomoyo_acl_info *b)
{ {
const struct tomoyo_path2_acl *p1 = container_of(a, typeof(*p1), head); const struct tomoyo_path2_acl *p1 = container_of(a, typeof(*p1), head);
const struct tomoyo_path2_acl *p2 = container_of(b, typeof(*p2), head); const struct tomoyo_path2_acl *p2 = container_of(b, typeof(*p2), head);
return tomoyo_same_acl_head(&p1->head, &p2->head) return tomoyo_same_name_union(&p1->name1, &p2->name1) &&
&& tomoyo_same_name_union(&p1->name1, &p2->name1) tomoyo_same_name_union(&p1->name2, &p2->name2);
&& tomoyo_same_name_union(&p1->name2, &p2->name2);
} }
/**
* tomoyo_merge_path2_acl - Merge duplicated "struct tomoyo_path2_acl" entry.
*
* @a: Pointer to "struct tomoyo_acl_info".
* @b: Pointer to "struct tomoyo_acl_info".
* @is_delete: True for @a &= ~@b, false for @a |= @b.
*
* Returns true if @a is empty, false otherwise.
*/
static bool tomoyo_merge_path2_acl(struct tomoyo_acl_info *a, static bool tomoyo_merge_path2_acl(struct tomoyo_acl_info *a,
struct tomoyo_acl_info *b, struct tomoyo_acl_info *b,
const bool is_delete) const bool is_delete)
@ -532,6 +653,14 @@ int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
return error; return error;
} }
/**
* tomoyo_same_path_number_acl - Check for duplicated "struct tomoyo_path_number_acl" entry.
*
* @a: Pointer to "struct tomoyo_acl_info".
* @b: Pointer to "struct tomoyo_acl_info".
*
* Returns true if @a == @b except permission bits, false otherwise.
*/
static bool tomoyo_same_path_number_acl(const struct tomoyo_acl_info *a, static bool tomoyo_same_path_number_acl(const struct tomoyo_acl_info *a,
const struct tomoyo_acl_info *b) const struct tomoyo_acl_info *b)
{ {
@ -539,11 +668,19 @@ static bool tomoyo_same_path_number_acl(const struct tomoyo_acl_info *a,
head); head);
const struct tomoyo_path_number_acl *p2 = container_of(b, typeof(*p2), const struct tomoyo_path_number_acl *p2 = container_of(b, typeof(*p2),
head); head);
return tomoyo_same_acl_head(&p1->head, &p2->head) return tomoyo_same_name_union(&p1->name, &p2->name) &&
&& tomoyo_same_name_union(&p1->name, &p2->name) tomoyo_same_number_union(&p1->number, &p2->number);
&& tomoyo_same_number_union(&p1->number, &p2->number);
} }
/**
* tomoyo_merge_path_number_acl - Merge duplicated "struct tomoyo_path_number_acl" entry.
*
* @a: Pointer to "struct tomoyo_acl_info".
* @b: Pointer to "struct tomoyo_acl_info".
* @is_delete: True for @a &= ~@b, false for @a |= @b.
*
* Returns true if @a is empty, false otherwise.
*/
static bool tomoyo_merge_path_number_acl(struct tomoyo_acl_info *a, static bool tomoyo_merge_path_number_acl(struct tomoyo_acl_info *a,
struct tomoyo_acl_info *b, struct tomoyo_acl_info *b,
const bool is_delete) const bool is_delete)
@ -575,8 +712,7 @@ static bool tomoyo_merge_path_number_acl(struct tomoyo_acl_info *a,
static int tomoyo_update_path_number_acl(const u8 type, const char *filename, static int tomoyo_update_path_number_acl(const u8 type, const char *filename,
char *number, char *number,
struct tomoyo_domain_info * const struct tomoyo_domain_info * const
domain, domain, const bool is_delete)
const bool is_delete)
{ {
struct tomoyo_path_number_acl e = { struct tomoyo_path_number_acl e = {
.head.type = TOMOYO_TYPE_PATH_NUMBER_ACL, .head.type = TOMOYO_TYPE_PATH_NUMBER_ACL,
@ -737,7 +873,7 @@ int tomoyo_path_perm(const u8 operation, struct path *path)
* Returns 0 on success, negative value otherwise. * Returns 0 on success, negative value otherwise.
*/ */
int tomoyo_mkdev_perm(const u8 operation, struct path *path, int tomoyo_mkdev_perm(const u8 operation, struct path *path,
const unsigned int mode, unsigned int dev) const unsigned int mode, unsigned int dev)
{ {
struct tomoyo_request_info r; struct tomoyo_request_info r;
int error = -ENOMEM; int error = -ENOMEM;

View file

@ -13,13 +13,30 @@
struct tomoyo_gc { struct tomoyo_gc {
struct list_head list; struct list_head list;
int type; enum tomoyo_policy_id type;
struct list_head *element; struct list_head *element;
}; };
static LIST_HEAD(tomoyo_gc_queue); static LIST_HEAD(tomoyo_gc_queue);
static DEFINE_MUTEX(tomoyo_gc_mutex); static DEFINE_MUTEX(tomoyo_gc_mutex);
/* Caller holds tomoyo_policy_lock mutex. */ /**
* tomoyo_add_to_gc - Add an entry to to be deleted list.
*
* @type: One of values in "enum tomoyo_policy_id".
* @element: Pointer to "struct list_head".
*
* Returns true on success, false otherwise.
*
* Caller holds tomoyo_policy_lock mutex.
*
* Adding an entry needs kmalloc(). Thus, if we try to add thousands of
* entries at once, it will take too long time. Thus, do not add more than 128
* entries per a scan. But to be able to handle worst case where all entries
* are in-use, we accept one more entry per a scan.
*
* If we use singly linked list using "struct list_head"->prev (which is
* LIST_POISON2), we can avoid kmalloc().
*/
static bool tomoyo_add_to_gc(const int type, struct list_head *element) static bool tomoyo_add_to_gc(const int type, struct list_head *element)
{ {
struct tomoyo_gc *entry = kzalloc(sizeof(*entry), GFP_ATOMIC); struct tomoyo_gc *entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
@ -32,6 +49,13 @@ static bool tomoyo_add_to_gc(const int type, struct list_head *element)
return true; return true;
} }
/**
* tomoyo_del_transition_control - Delete members in "struct tomoyo_transition_control".
*
* @element: Pointer to "struct list_head".
*
* Returns nothing.
*/
static void tomoyo_del_transition_control(struct list_head *element) static void tomoyo_del_transition_control(struct list_head *element)
{ {
struct tomoyo_transition_control *ptr = struct tomoyo_transition_control *ptr =
@ -40,6 +64,13 @@ static void tomoyo_del_transition_control(struct list_head *element)
tomoyo_put_name(ptr->program); tomoyo_put_name(ptr->program);
} }
/**
* tomoyo_del_aggregator - Delete members in "struct tomoyo_aggregator".
*
* @element: Pointer to "struct list_head".
*
* Returns nothing.
*/
static void tomoyo_del_aggregator(struct list_head *element) static void tomoyo_del_aggregator(struct list_head *element)
{ {
struct tomoyo_aggregator *ptr = struct tomoyo_aggregator *ptr =
@ -48,6 +79,13 @@ static void tomoyo_del_aggregator(struct list_head *element)
tomoyo_put_name(ptr->aggregated_name); tomoyo_put_name(ptr->aggregated_name);
} }
/**
* tomoyo_del_manager - Delete members in "struct tomoyo_manager".
*
* @element: Pointer to "struct list_head".
*
* Returns nothing.
*/
static void tomoyo_del_manager(struct list_head *element) static void tomoyo_del_manager(struct list_head *element)
{ {
struct tomoyo_manager *ptr = struct tomoyo_manager *ptr =
@ -55,6 +93,13 @@ static void tomoyo_del_manager(struct list_head *element)
tomoyo_put_name(ptr->manager); tomoyo_put_name(ptr->manager);
} }
/**
* tomoyo_del_acl - Delete members in "struct tomoyo_acl_info".
*
* @element: Pointer to "struct list_head".
*
* Returns nothing.
*/
static void tomoyo_del_acl(struct list_head *element) static void tomoyo_del_acl(struct list_head *element)
{ {
struct tomoyo_acl_info *acl = struct tomoyo_acl_info *acl =
@ -145,12 +190,26 @@ static bool tomoyo_del_domain(struct list_head *element)
} }
/**
* tomoyo_del_name - Delete members in "struct tomoyo_name".
*
* @element: Pointer to "struct list_head".
*
* Returns nothing.
*/
static void tomoyo_del_name(struct list_head *element) static void tomoyo_del_name(struct list_head *element)
{ {
const struct tomoyo_name *ptr = const struct tomoyo_name *ptr =
container_of(element, typeof(*ptr), list); container_of(element, typeof(*ptr), head.list);
} }
/**
* tomoyo_del_path_group - Delete members in "struct tomoyo_path_group".
*
* @element: Pointer to "struct list_head".
*
* Returns nothing.
*/
static void tomoyo_del_path_group(struct list_head *element) static void tomoyo_del_path_group(struct list_head *element)
{ {
struct tomoyo_path_group *member = struct tomoyo_path_group *member =
@ -158,20 +217,43 @@ static void tomoyo_del_path_group(struct list_head *element)
tomoyo_put_name(member->member_name); tomoyo_put_name(member->member_name);
} }
/**
* tomoyo_del_group - Delete "struct tomoyo_group".
*
* @element: Pointer to "struct list_head".
*
* Returns nothing.
*/
static void tomoyo_del_group(struct list_head *element) static void tomoyo_del_group(struct list_head *element)
{ {
struct tomoyo_group *group = struct tomoyo_group *group =
container_of(element, typeof(*group), list); container_of(element, typeof(*group), head.list);
tomoyo_put_name(group->group_name); tomoyo_put_name(group->group_name);
} }
/**
* tomoyo_del_number_group - Delete members in "struct tomoyo_number_group".
*
* @element: Pointer to "struct list_head".
*
* Returns nothing.
*/
static void tomoyo_del_number_group(struct list_head *element) static void tomoyo_del_number_group(struct list_head *element)
{ {
struct tomoyo_number_group *member = struct tomoyo_number_group *member =
container_of(element, typeof(*member), head.list); container_of(element, typeof(*member), head.list);
} }
static bool tomoyo_collect_member(struct list_head *member_list, int id) /**
* tomoyo_collect_member - Delete elements with "struct tomoyo_acl_head".
*
* @id: One of values in "enum tomoyo_policy_id".
* @member_list: Pointer to "struct list_head".
*
* Returns true if some elements are deleted, false otherwise.
*/
static bool tomoyo_collect_member(const enum tomoyo_policy_id id,
struct list_head *member_list)
{ {
struct tomoyo_acl_head *member; struct tomoyo_acl_head *member;
list_for_each_entry(member, member_list, list) { list_for_each_entry(member, member_list, list) {
@ -195,13 +277,18 @@ static bool tomoyo_collect_acl(struct tomoyo_domain_info *domain)
return true; return true;
} }
/**
* tomoyo_collect_entry - Scan lists for deleted elements.
*
* Returns nothing.
*/
static void tomoyo_collect_entry(void) static void tomoyo_collect_entry(void)
{ {
int i; int i;
if (mutex_lock_interruptible(&tomoyo_policy_lock)) if (mutex_lock_interruptible(&tomoyo_policy_lock))
return; return;
for (i = 0; i < TOMOYO_MAX_POLICY; i++) { for (i = 0; i < TOMOYO_MAX_POLICY; i++) {
if (!tomoyo_collect_member(&tomoyo_policy_list[i], i)) if (!tomoyo_collect_member(i, &tomoyo_policy_list[i]))
goto unlock; goto unlock;
} }
{ {
@ -222,10 +309,10 @@ static void tomoyo_collect_entry(void)
} }
for (i = 0; i < TOMOYO_MAX_HASH; i++) { for (i = 0; i < TOMOYO_MAX_HASH; i++) {
struct tomoyo_name *ptr; struct tomoyo_name *ptr;
list_for_each_entry_rcu(ptr, &tomoyo_name_list[i], list) { list_for_each_entry_rcu(ptr, &tomoyo_name_list[i], head.list) {
if (atomic_read(&ptr->users)) if (atomic_read(&ptr->head.users))
continue; continue;
if (!tomoyo_add_to_gc(TOMOYO_ID_NAME, &ptr->list)) if (!tomoyo_add_to_gc(TOMOYO_ID_NAME, &ptr->head.list))
goto unlock; goto unlock;
} }
} }
@ -241,13 +328,14 @@ static void tomoyo_collect_entry(void)
id = TOMOYO_ID_NUMBER_GROUP; id = TOMOYO_ID_NUMBER_GROUP;
break; break;
} }
list_for_each_entry(group, list, list) { list_for_each_entry(group, list, head.list) {
if (!tomoyo_collect_member(&group->member_list, id)) if (!tomoyo_collect_member(id, &group->member_list))
goto unlock; goto unlock;
if (!list_empty(&group->member_list) || if (!list_empty(&group->member_list) ||
atomic_read(&group->users)) atomic_read(&group->head.users))
continue; continue;
if (!tomoyo_add_to_gc(TOMOYO_ID_GROUP, &group->list)) if (!tomoyo_add_to_gc(TOMOYO_ID_GROUP,
&group->head.list))
goto unlock; goto unlock;
} }
} }
@ -291,6 +379,8 @@ static void tomoyo_kfree_entry(void)
case TOMOYO_ID_NUMBER_GROUP: case TOMOYO_ID_NUMBER_GROUP:
tomoyo_del_number_group(element); tomoyo_del_number_group(element);
break; break;
case TOMOYO_MAX_POLICY:
break;
} }
tomoyo_memory_free(element); tomoyo_memory_free(element);
list_del(&p->list); list_del(&p->list);
@ -298,6 +388,17 @@ static void tomoyo_kfree_entry(void)
} }
} }
/**
* tomoyo_gc_thread - Garbage collector thread function.
*
* @unused: Unused.
*
* In case OOM-killer choose this thread for termination, we create this thread
* as a short live thread whenever /sys/kernel/security/tomoyo/ interface was
* close()d.
*
* Returns 0.
*/
static int tomoyo_gc_thread(void *unused) static int tomoyo_gc_thread(void *unused)
{ {
daemonize("GC for TOMOYO"); daemonize("GC for TOMOYO");

View file

@ -110,10 +110,10 @@ struct tomoyo_group *tomoyo_get_group(const char *group_name, const u8 idx)
return NULL; return NULL;
if (mutex_lock_interruptible(&tomoyo_policy_lock)) if (mutex_lock_interruptible(&tomoyo_policy_lock))
goto out; goto out;
list_for_each_entry(group, &tomoyo_group_list[idx], list) { list_for_each_entry(group, &tomoyo_group_list[idx], head.list) {
if (e.group_name != group->group_name) if (e.group_name != group->group_name)
continue; continue;
atomic_inc(&group->users); atomic_inc(&group->head.users);
found = true; found = true;
break; break;
} }
@ -121,8 +121,8 @@ struct tomoyo_group *tomoyo_get_group(const char *group_name, const u8 idx)
struct tomoyo_group *entry = tomoyo_commit_ok(&e, sizeof(e)); struct tomoyo_group *entry = tomoyo_commit_ok(&e, sizeof(e));
if (entry) { if (entry) {
INIT_LIST_HEAD(&entry->member_list); INIT_LIST_HEAD(&entry->member_list);
atomic_set(&entry->users, 1); atomic_set(&entry->head.users, 1);
list_add_tail_rcu(&entry->list, list_add_tail_rcu(&entry->head.list,
&tomoyo_group_list[idx]); &tomoyo_group_list[idx]);
group = entry; group = entry;
found = true; found = true;
@ -164,10 +164,10 @@ const struct tomoyo_path_info *tomoyo_get_name(const char *name)
head = &tomoyo_name_list[hash_long(hash, TOMOYO_HASH_BITS)]; head = &tomoyo_name_list[hash_long(hash, TOMOYO_HASH_BITS)];
if (mutex_lock_interruptible(&tomoyo_policy_lock)) if (mutex_lock_interruptible(&tomoyo_policy_lock))
return NULL; return NULL;
list_for_each_entry(ptr, head, list) { list_for_each_entry(ptr, head, head.list) {
if (hash != ptr->entry.hash || strcmp(name, ptr->entry.name)) if (hash != ptr->entry.hash || strcmp(name, ptr->entry.name))
continue; continue;
atomic_inc(&ptr->users); atomic_inc(&ptr->head.users);
goto out; goto out;
} }
ptr = kzalloc(sizeof(*ptr) + len, GFP_NOFS); ptr = kzalloc(sizeof(*ptr) + len, GFP_NOFS);
@ -183,9 +183,9 @@ const struct tomoyo_path_info *tomoyo_get_name(const char *name)
atomic_add(allocated_len, &tomoyo_policy_memory_size); atomic_add(allocated_len, &tomoyo_policy_memory_size);
ptr->entry.name = ((char *) ptr) + sizeof(*ptr); ptr->entry.name = ((char *) ptr) + sizeof(*ptr);
memmove((char *) ptr->entry.name, name, len); memmove((char *) ptr->entry.name, name, len);
atomic_set(&ptr->users, 1); atomic_set(&ptr->head.users, 1);
tomoyo_fill_path_info(&ptr->entry); tomoyo_fill_path_info(&ptr->entry);
list_add_tail(&ptr->list, head); list_add_tail(&ptr->head.list, head);
out: out:
mutex_unlock(&tomoyo_policy_lock); mutex_unlock(&tomoyo_policy_lock);
return ptr ? &ptr->entry : NULL; return ptr ? &ptr->entry : NULL;

View file

@ -52,16 +52,28 @@ static int tomoyo_audit_mount_log(struct tomoyo_request_info *r)
r->param.mount.dir->name, type, flags); r->param.mount.dir->name, type, flags);
} }
/**
* tomoyo_check_mount_acl - Check permission for path path path number operation.
*
* @r: Pointer to "struct tomoyo_request_info".
* @ptr: Pointer to "struct tomoyo_acl_info".
*
* Returns true if granted, false otherwise.
*/
static bool tomoyo_check_mount_acl(struct tomoyo_request_info *r, static bool tomoyo_check_mount_acl(struct tomoyo_request_info *r,
const struct tomoyo_acl_info *ptr) const struct tomoyo_acl_info *ptr)
{ {
const struct tomoyo_mount_acl *acl = const struct tomoyo_mount_acl *acl =
container_of(ptr, typeof(*acl), head); container_of(ptr, typeof(*acl), head);
return tomoyo_compare_number_union(r->param.mount.flags, &acl->flags) && return tomoyo_compare_number_union(r->param.mount.flags,
tomoyo_compare_name_union(r->param.mount.type, &acl->fs_type) && &acl->flags) &&
tomoyo_compare_name_union(r->param.mount.dir, &acl->dir_name) && tomoyo_compare_name_union(r->param.mount.type,
&acl->fs_type) &&
tomoyo_compare_name_union(r->param.mount.dir,
&acl->dir_name) &&
(!r->param.mount.need_dev || (!r->param.mount.need_dev ||
tomoyo_compare_name_union(r->param.mount.dev, &acl->dev_name)); tomoyo_compare_name_union(r->param.mount.dev,
&acl->dev_name));
} }
/** /**
@ -232,13 +244,20 @@ int tomoyo_mount_permission(char *dev_name, struct path *path,
return error; return error;
} }
/**
* tomoyo_same_mount_acl - Check for duplicated "struct tomoyo_mount_acl" entry.
*
* @a: Pointer to "struct tomoyo_acl_info".
* @b: Pointer to "struct tomoyo_acl_info".
*
* Returns true if @a == @b, false otherwise.
*/
static bool tomoyo_same_mount_acl(const struct tomoyo_acl_info *a, static bool tomoyo_same_mount_acl(const struct tomoyo_acl_info *a,
const struct tomoyo_acl_info *b) const struct tomoyo_acl_info *b)
{ {
const struct tomoyo_mount_acl *p1 = container_of(a, typeof(*p1), head); const struct tomoyo_mount_acl *p1 = container_of(a, typeof(*p1), head);
const struct tomoyo_mount_acl *p2 = container_of(b, typeof(*p2), head); const struct tomoyo_mount_acl *p2 = container_of(b, typeof(*p2), head);
return tomoyo_same_acl_head(&p1->head, &p2->head) && return tomoyo_same_name_union(&p1->dev_name, &p2->dev_name) &&
tomoyo_same_name_union(&p1->dev_name, &p2->dev_name) &&
tomoyo_same_name_union(&p1->dir_name, &p2->dir_name) && tomoyo_same_name_union(&p1->dir_name, &p2->dir_name) &&
tomoyo_same_name_union(&p1->fs_type, &p2->fs_type) && tomoyo_same_name_union(&p1->fs_type, &p2->fs_type) &&
tomoyo_same_number_union(&p1->flags, &p2->flags); tomoyo_same_number_union(&p1->flags, &p2->flags);

View file

@ -34,7 +34,7 @@ static int tomoyo_open(struct inode *inode, struct file *file)
*/ */
static int tomoyo_release(struct inode *inode, struct file *file) static int tomoyo_release(struct inode *inode, struct file *file)
{ {
return tomoyo_close_control(file); return tomoyo_close_control(file->private_data);
} }
/** /**
@ -63,7 +63,7 @@ static unsigned int tomoyo_poll(struct file *file, poll_table *wait)
static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count, static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
loff_t *ppos) loff_t *ppos)
{ {
return tomoyo_read_control(file, buf, count); return tomoyo_read_control(file->private_data, buf, count);
} }
/** /**
@ -79,7 +79,7 @@ static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
static ssize_t tomoyo_write(struct file *file, const char __user *buf, static ssize_t tomoyo_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
return tomoyo_write_control(file, buf, count); return tomoyo_write_control(file->private_data, buf, count);
} }
/* /*

View file

@ -21,7 +21,7 @@ bool tomoyo_policy_loaded;
* @result: Pointer to "unsigned long". * @result: Pointer to "unsigned long".
* @str: Pointer to string to parse. * @str: Pointer to string to parse.
* *
* Returns value type on success, 0 otherwise. * Returns one of values in "enum tomoyo_value_type".
* *
* The @src is updated to point the first character after the value * The @src is updated to point the first character after the value
* on success. * on success.
@ -43,7 +43,7 @@ static u8 tomoyo_parse_ulong(unsigned long *result, char **str)
} }
*result = simple_strtoul(cp, &ep, base); *result = simple_strtoul(cp, &ep, base);
if (cp == ep) if (cp == ep)
return 0; return TOMOYO_VALUE_TYPE_INVALID;
*str = ep; *str = ep;
switch (base) { switch (base) {
case 16: case 16:
@ -93,11 +93,9 @@ bool tomoyo_parse_name_union(const char *filename,
return false; return false;
if (filename[0] == '@') { if (filename[0] == '@') {
ptr->group = tomoyo_get_group(filename + 1, TOMOYO_PATH_GROUP); ptr->group = tomoyo_get_group(filename + 1, TOMOYO_PATH_GROUP);
ptr->is_group = true;
return ptr->group != NULL; return ptr->group != NULL;
} }
ptr->filename = tomoyo_get_name(filename); ptr->filename = tomoyo_get_name(filename);
ptr->is_group = false;
return ptr->filename != NULL; return ptr->filename != NULL;
} }
@ -118,17 +116,16 @@ bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num)
if (!tomoyo_correct_word(data)) if (!tomoyo_correct_word(data))
return false; return false;
num->group = tomoyo_get_group(data + 1, TOMOYO_NUMBER_GROUP); num->group = tomoyo_get_group(data + 1, TOMOYO_NUMBER_GROUP);
num->is_group = true;
return num->group != NULL; return num->group != NULL;
} }
type = tomoyo_parse_ulong(&v, &data); type = tomoyo_parse_ulong(&v, &data);
if (!type) if (!type)
return false; return false;
num->values[0] = v; num->values[0] = v;
num->min_type = type; num->value_type[0] = type;
if (!*data) { if (!*data) {
num->values[1] = v; num->values[1] = v;
num->max_type = type; num->value_type[1] = type;
return true; return true;
} }
if (*data++ != '-') if (*data++ != '-')
@ -137,7 +134,7 @@ bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num)
if (!type || *data) if (!type || *data)
return false; return false;
num->values[1] = v; num->values[1] = v;
num->max_type = type; num->value_type[1] = type;
return true; return true;
} }
@ -184,6 +181,30 @@ static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3)
return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0'); return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0');
} }
/**
* tomoyo_valid - Check whether the character is a valid char.
*
* @c: The character to check.
*
* Returns true if @c is a valid character, false otherwise.
*/
static inline bool tomoyo_valid(const unsigned char c)
{
return c > ' ' && c < 127;
}
/**
* tomoyo_invalid - Check whether the character is an invalid char.
*
* @c: The character to check.
*
* Returns true if @c is an invalid character, false otherwise.
*/
static inline bool tomoyo_invalid(const unsigned char c)
{
return c && (c <= ' ' || c >= 127);
}
/** /**
* tomoyo_str_starts - Check whether the given string starts with the given keyword. * tomoyo_str_starts - Check whether the given string starts with the given keyword.
* *