Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

TOMOYO: Cleanup part 4.

Browse source 
Gather string constants to one file in order to make the object size smaller.
Use unsigned type where appropriate.
read()/write() returns ssize_t.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Tetsuo Handa 2011-06-26 23:21:19 +09:00 committed by James Morris
parent 2e503bbb43
commit 2c47ab9353
6 changed files with 177 additions and 121 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
security/tomoyo/audit.c
View file

@ -163,7 +163,8 @@ static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
const bool is_granted) const bool is_granted)
{ {
u8 mode; u8 mode;
const u8 category = TOMOYO_MAC_CATEGORY_FILE + TOMOYO_MAX_MAC_INDEX; const u8 category = tomoyo_index2category[index] +
TOMOYO_MAX_MAC_INDEX;
struct tomoyo_profile *p; struct tomoyo_profile *p;
if (!tomoyo_policy_loaded) if (!tomoyo_policy_loaded)
return false; return false;

135
security/tomoyo/common.c
View file

@ -20,31 +20,31 @@ const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = {
}; };
/* String table for /sys/kernel/security/tomoyo/profile */ /* String table for /sys/kernel/security/tomoyo/profile */
static const char *tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
+ TOMOYO_MAX_MAC_CATEGORY_INDEX] = { + TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
[TOMOYO_MAC_FILE_EXECUTE] = "file::execute", [TOMOYO_MAC_FILE_EXECUTE] = "execute",
[TOMOYO_MAC_FILE_OPEN] = "file::open", [TOMOYO_MAC_FILE_OPEN] = "open",
[TOMOYO_MAC_FILE_CREATE] = "file::create", [TOMOYO_MAC_FILE_CREATE] = "create",
[TOMOYO_MAC_FILE_UNLINK] = "file::unlink", [TOMOYO_MAC_FILE_UNLINK] = "unlink",
[TOMOYO_MAC_FILE_GETATTR] = "file::getattr", [TOMOYO_MAC_FILE_GETATTR] = "getattr",
[TOMOYO_MAC_FILE_MKDIR] = "file::mkdir", [TOMOYO_MAC_FILE_MKDIR] = "mkdir",
[TOMOYO_MAC_FILE_RMDIR] = "file::rmdir", [TOMOYO_MAC_FILE_RMDIR] = "rmdir",
[TOMOYO_MAC_FILE_MKFIFO] = "file::mkfifo", [TOMOYO_MAC_FILE_MKFIFO] = "mkfifo",
[TOMOYO_MAC_FILE_MKSOCK] = "file::mksock", [TOMOYO_MAC_FILE_MKSOCK] = "mksock",
[TOMOYO_MAC_FILE_TRUNCATE] = "file::truncate", [TOMOYO_MAC_FILE_TRUNCATE] = "truncate",
[TOMOYO_MAC_FILE_SYMLINK] = "file::symlink", [TOMOYO_MAC_FILE_SYMLINK] = "symlink",
[TOMOYO_MAC_FILE_MKBLOCK] = "file::mkblock", [TOMOYO_MAC_FILE_MKBLOCK] = "mkblock",
[TOMOYO_MAC_FILE_MKCHAR] = "file::mkchar", [TOMOYO_MAC_FILE_MKCHAR] = "mkchar",
[TOMOYO_MAC_FILE_LINK] = "file::link", [TOMOYO_MAC_FILE_LINK] = "link",
[TOMOYO_MAC_FILE_RENAME] = "file::rename", [TOMOYO_MAC_FILE_RENAME] = "rename",
[TOMOYO_MAC_FILE_CHMOD] = "file::chmod", [TOMOYO_MAC_FILE_CHMOD] = "chmod",
[TOMOYO_MAC_FILE_CHOWN] = "file::chown", [TOMOYO_MAC_FILE_CHOWN] = "chown",
[TOMOYO_MAC_FILE_CHGRP] = "file::chgrp", [TOMOYO_MAC_FILE_CHGRP] = "chgrp",
[TOMOYO_MAC_FILE_IOCTL] = "file::ioctl", [TOMOYO_MAC_FILE_IOCTL] = "ioctl",
[TOMOYO_MAC_FILE_CHROOT] = "file::chroot", [TOMOYO_MAC_FILE_CHROOT] = "chroot",
[TOMOYO_MAC_FILE_MOUNT] = "file::mount", [TOMOYO_MAC_FILE_MOUNT] = "mount",
[TOMOYO_MAC_FILE_UMOUNT] = "file::unmount", [TOMOYO_MAC_FILE_UMOUNT] = "unmount",
[TOMOYO_MAC_FILE_PIVOT_ROOT] = "file::pivot_root", [TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root",
[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file", [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file",
}; };
@ -54,6 +54,27 @@ static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = {
[TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", [TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry",
}; };
/* String table for path operation. */
const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
[TOMOYO_TYPE_EXECUTE] = "execute",
[TOMOYO_TYPE_READ] = "read",
[TOMOYO_TYPE_WRITE] = "write",
[TOMOYO_TYPE_APPEND] = "append",
[TOMOYO_TYPE_UNLINK] = "unlink",
[TOMOYO_TYPE_GETATTR] = "getattr",
[TOMOYO_TYPE_RMDIR] = "rmdir",
[TOMOYO_TYPE_TRUNCATE] = "truncate",
[TOMOYO_TYPE_SYMLINK] = "symlink",
[TOMOYO_TYPE_CHROOT] = "chroot",
[TOMOYO_TYPE_UMOUNT] = "unmount",
};
/* String table for categories. */
static const char * const tomoyo_category_keywords
[TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
[TOMOYO_MAC_CATEGORY_FILE] = "file",
};
/* Permit policy management by non-root user? */ /* Permit policy management by non-root user? */
static bool tomoyo_manage_by_non_root; static bool tomoyo_manage_by_non_root;
@ -98,7 +119,7 @@ static bool tomoyo_flush(struct tomoyo_io_buffer *head)
{ {
while (head->r.w_pos) { while (head->r.w_pos) {
const char *w = head->r.w[0]; const char *w = head->r.w[0];
int len = strlen(w); size_t len = strlen(w);
if (len) { if (len) {
if (len > head->read_user_buf_avail) if (len > head->read_user_buf_avail)
len = head->read_user_buf_avail; len = head->read_user_buf_avail;
@ -157,8 +178,8 @@ static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string)
void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
{ {
va_list args; va_list args;
int len; size_t len;
int pos = head->r.avail; size_t pos = head->r.avail;
int size = head->readbuf_size - pos; int size = head->readbuf_size - pos;
if (size <= 0) if (size <= 0)
return; return;
@ -436,7 +457,17 @@ static int tomoyo_set_mode(char *name, const char *value,
config = 0; config = 0;
for (i = 0; i < TOMOYO_MAX_MAC_INDEX for (i = 0; i < TOMOYO_MAX_MAC_INDEX
+ TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) { + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) {
if (strcmp(name, tomoyo_mac_keywords[i])) int len = 0;
if (i < TOMOYO_MAX_MAC_INDEX) {
const u8 c = tomoyo_index2category[i];
const char *category =
tomoyo_category_keywords[c];
len = strlen(category);
if (strncmp(name, category, len) ||
name[len++] != ':' || name[len++] != ':')
continue;
}
if (strcmp(name + len, tomoyo_mac_keywords[i]))
continue; continue;
config = profile->config[i]; config = profile->config[i];
break; break;
@ -620,8 +651,15 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
if (config == TOMOYO_CONFIG_USE_DEFAULT) if (config == TOMOYO_CONFIG_USE_DEFAULT)
continue; continue;
tomoyo_print_namespace(head); tomoyo_print_namespace(head);
tomoyo_io_printf(head, "%u-%s%s", index, "CONFIG::", if (i < TOMOYO_MAX_MAC_INDEX)
tomoyo_mac_keywords[i]); tomoyo_io_printf(head, "%u-CONFIG::%s::%s",
index,
tomoyo_category_keywords
[tomoyo_index2category[i]],
tomoyo_mac_keywords[i]);
else
tomoyo_io_printf(head, "%u-CONFIG::%s", index,
tomoyo_mac_keywords[i]);
tomoyo_print_config(head, config); tomoyo_print_config(head, config);
head->r.bit++; head->r.bit++;
break; break;
@ -905,6 +943,12 @@ static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns,
return -EINVAL; return -EINVAL;
} }
/* String table for domain flags. */
const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS] = {
[TOMOYO_DIF_QUOTA_WARNED] = "quota_exceeded\n",
[TOMOYO_DIF_TRANSITION_FAILED] = "transition_failed\n",
};
/** /**
* tomoyo_write_domain - Write domain policy. * tomoyo_write_domain - Write domain policy.
* *
@ -948,12 +992,11 @@ static int tomoyo_write_domain(struct tomoyo_io_buffer *head)
domain->group = (u8) profile; domain->group = (u8) profile;
return 0; return 0;
} }
if (!strcmp(data, "quota_exceeded")) { for (profile = 0; profile < TOMOYO_MAX_DOMAIN_INFO_FLAGS; profile++) {
domain->quota_warned = !is_delete; const char *cp = tomoyo_dif[profile];
return 0; if (strncmp(data, cp, strlen(cp) - 1))
} continue;
if (!strcmp(data, "transition_failed")) { domain->flags[profile] = !is_delete;
domain->transition_failed = !is_delete;
return 0; return 0;
} }
return tomoyo_write_domain2(ns, &domain->acl_info_list, data, return tomoyo_write_domain2(ns, &domain->acl_info_list, data,
@ -1134,6 +1177,7 @@ static void tomoyo_read_domain(struct tomoyo_io_buffer *head)
struct tomoyo_domain_info *domain = struct tomoyo_domain_info *domain =
list_entry(head->r.domain, typeof(*domain), list); list_entry(head->r.domain, typeof(*domain), list);
switch (head->r.step) { switch (head->r.step) {
u8 i;
case 0: case 0:
if (domain->is_deleted && if (domain->is_deleted &&
!head->r.print_this_domain_only) !head->r.print_this_domain_only)
@ -1145,10 +1189,9 @@ static void tomoyo_read_domain(struct tomoyo_io_buffer *head)
domain->profile); domain->profile);
tomoyo_io_printf(head, "use_group %u\n", tomoyo_io_printf(head, "use_group %u\n",
domain->group); domain->group);
if (domain->quota_warned) for (i = 0; i < TOMOYO_MAX_DOMAIN_INFO_FLAGS; i++)
tomoyo_set_string(head, "quota_exceeded\n"); if (domain->flags[i])
if (domain->transition_failed) tomoyo_set_string(head, tomoyo_dif[i]);
tomoyo_set_string(head, "transition_failed\n");
head->r.step++; head->r.step++;
tomoyo_set_lf(head); tomoyo_set_lf(head);
/* fall through */ /* fall through */
@ -1691,8 +1734,8 @@ static int tomoyo_poll_query(struct file *file, poll_table *wait)
static void tomoyo_read_query(struct tomoyo_io_buffer *head) static void tomoyo_read_query(struct tomoyo_io_buffer *head)
{ {
struct list_head *tmp; struct list_head *tmp;
int pos = 0; unsigned int pos = 0;
int len = 0; size_t len = 0;
char *buf; char *buf;
if (head->r.w_pos) if (head->r.w_pos)
return; return;
@ -1998,8 +2041,8 @@ static inline bool tomoyo_has_more_namespace(struct tomoyo_io_buffer *head)
* *
* Returns bytes read on success, negative value otherwise. * Returns bytes read on success, negative value otherwise.
*/ */
int tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
const int buffer_len) const int buffer_len)
{ {
int len; int len;
int idx; int idx;
@ -2070,8 +2113,8 @@ static int tomoyo_parse_policy(struct tomoyo_io_buffer *head, char *line)
* *
* Returns @buffer_len on success, negative value otherwise. * Returns @buffer_len on success, negative value otherwise.
*/ */
int tomoyo_write_control(struct tomoyo_io_buffer *head, ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
const char __user *buffer, const int buffer_len) const char __user *buffer, const int buffer_len)
{ {
int error = buffer_len; int error = buffer_len;
size_t avail_len = buffer_len; size_t avail_len = buffer_len;

51
security/tomoyo/common.h
View file

@ -67,6 +67,20 @@ enum tomoyo_policy_id {
TOMOYO_MAX_POLICY TOMOYO_MAX_POLICY
}; };
/* Index numbers for domain's attributes. */
enum tomoyo_domain_info_flags_index {
/* Quota warnning flag. */
TOMOYO_DIF_QUOTA_WARNED,
/*
* This domain was unable to create a new domain at
* tomoyo_find_next_domain() because the name of the domain to be
* created was too long or it could not allocate memory.
* More than one process continued execve() without domain transition.
*/
TOMOYO_DIF_TRANSITION_FAILED,
TOMOYO_MAX_DOMAIN_INFO_FLAGS
};
/* Index numbers for group entries. */ /* Index numbers for group entries. */
enum tomoyo_group_id { enum tomoyo_group_id {
TOMOYO_PATH_GROUP, TOMOYO_PATH_GROUP,
@ -364,8 +378,7 @@ struct tomoyo_domain_info {
u8 profile; /* Profile number to use. */ u8 profile; /* Profile number to use. */
u8 group; /* Group number to use. */ u8 group; /* Group number to use. */
bool is_deleted; /* Delete flag. */ bool is_deleted; /* Delete flag. */
bool quota_warned; /* Quota warnning flag. */ bool flags[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
bool transition_failed; /* Domain transition failed flag. */
atomic_t users; /* Number of referring credentials. */ atomic_t users; /* Number of referring credentials. */
}; };
@ -442,15 +455,15 @@ struct tomoyo_io_buffer {
/* Exclusive lock for this structure. */ /* Exclusive lock for this structure. */
struct mutex io_sem; struct mutex io_sem;
char __user *read_user_buf; char __user *read_user_buf;
int read_user_buf_avail; size_t read_user_buf_avail;
struct { struct {
struct list_head *ns; struct list_head *ns;
struct list_head *domain; struct list_head *domain;
struct list_head *group; struct list_head *group;
struct list_head *acl; struct list_head *acl;
int avail; size_t avail;
int step; unsigned int step;
int query_index; unsigned int query_index;
u16 index; u16 index;
u8 acl_group_index; u8 acl_group_index;
u8 bit; u8 bit;
@ -465,19 +478,19 @@ struct tomoyo_io_buffer {
/* The position currently writing to. */ /* The position currently writing to. */
struct tomoyo_domain_info *domain; struct tomoyo_domain_info *domain;
/* Bytes available for writing. */ /* Bytes available for writing. */
int avail; size_t avail;
bool is_delete; bool is_delete;
} w; } w;
/* Buffer for reading. */ /* Buffer for reading. */
char *read_buf; char *read_buf;
/* Size of read buffer. */ /* Size of read buffer. */
int readbuf_size; size_t readbuf_size;
/* Buffer for writing. */ /* Buffer for writing. */
char *write_buf; char *write_buf;
/* Size of write buffer. */ /* Size of write buffer. */
int writebuf_size; size_t writebuf_size;
/* Type of this interface. */ /* Type of this interface. */
u8 type; enum tomoyo_securityfs_interface_index type;
/* Users counter protected by tomoyo_io_buffer_list_lock. */ /* Users counter protected by tomoyo_io_buffer_list_lock. */
u8 users; u8 users;
/* List for telling GC not to kfree() elements. */ /* List for telling GC not to kfree() elements. */
@ -569,10 +582,10 @@ void tomoyo_check_profile(void);
int tomoyo_open_control(const u8 type, struct file *file); int tomoyo_open_control(const u8 type, struct file *file);
int tomoyo_close_control(struct tomoyo_io_buffer *head); int tomoyo_close_control(struct tomoyo_io_buffer *head);
int tomoyo_poll_control(struct file *file, poll_table *wait); int tomoyo_poll_control(struct file *file, poll_table *wait);
int tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
const int buffer_len); const int buffer_len);
int tomoyo_write_control(struct tomoyo_io_buffer *head, ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
const char __user *buffer, const int buffer_len); const char __user *buffer, const int buffer_len);
bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r); bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);
void tomoyo_warn_oom(const char *function); void tomoyo_warn_oom(const char *function);
const struct tomoyo_path_info * const struct tomoyo_path_info *
@ -707,15 +720,17 @@ extern struct tomoyo_domain_info tomoyo_kernel_domain;
extern struct tomoyo_policy_namespace tomoyo_kernel_namespace; extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
extern struct list_head tomoyo_namespace_list; extern struct list_head tomoyo_namespace_list;
extern const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION]; extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX +
extern const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION]; TOMOYO_MAX_MAC_CATEGORY_INDEX];
extern const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION]; extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
extern const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION]; extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION]; extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION]; extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];
extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION]; extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE]; extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT]; extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];
extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT]; extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];

7
security/tomoyo/domain.c
View file

@ -684,10 +684,11 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
retval = -ENOMEM; retval = -ENOMEM;
else { else {
retval = 0; retval = 0;
if (!old_domain->transition_failed) { if (!old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED]) {
old_domain->transition_failed = true; old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED] = true;
r.granted = false; r.granted = false;
tomoyo_write_log(&r, "%s", "transition_failed\n"); tomoyo_write_log(&r, "%s", tomoyo_dif
[TOMOYO_DIF_TRANSITION_FAILED]);
printk(KERN_WARNING printk(KERN_WARNING
"ERROR: Domain '%s' not defined.\n", tmp); "ERROR: Domain '%s' not defined.\n", tmp);
} }

63
security/tomoyo/file.c
View file

@ -9,46 +9,6 @@
#include "common.h" #include "common.h"
#include <linux/slab.h> #include <linux/slab.h>
/* Keyword array for operations with one pathname. */
const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
[TOMOYO_TYPE_EXECUTE] = "execute",
[TOMOYO_TYPE_READ] = "read",
[TOMOYO_TYPE_WRITE] = "write",
[TOMOYO_TYPE_APPEND] = "append",
[TOMOYO_TYPE_UNLINK] = "unlink",
[TOMOYO_TYPE_GETATTR] = "getattr",
[TOMOYO_TYPE_RMDIR] = "rmdir",
[TOMOYO_TYPE_TRUNCATE] = "truncate",
[TOMOYO_TYPE_SYMLINK] = "symlink",
[TOMOYO_TYPE_CHROOT] = "chroot",
[TOMOYO_TYPE_UMOUNT] = "unmount",
};
/* Keyword array for operations with one pathname and three numbers. */
const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION] = {
[TOMOYO_TYPE_MKBLOCK] = "mkblock",
[TOMOYO_TYPE_MKCHAR] = "mkchar",
};
/* Keyword array for operations with two pathnames. */
const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
[TOMOYO_TYPE_LINK] = "link",
[TOMOYO_TYPE_RENAME] = "rename",
[TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
};
/* Keyword array for operations with one pathname and one number. */
const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION] = {
[TOMOYO_TYPE_CREATE] = "create",
[TOMOYO_TYPE_MKDIR] = "mkdir",
[TOMOYO_TYPE_MKFIFO] = "mkfifo",
[TOMOYO_TYPE_MKSOCK] = "mksock",
[TOMOYO_TYPE_IOCTL] = "ioctl",
[TOMOYO_TYPE_CHMOD] = "chmod",
[TOMOYO_TYPE_CHOWN] = "chown",
[TOMOYO_TYPE_CHGRP] = "chgrp",
};
/* /*
* Mapping table from "enum tomoyo_path_acl_index" to "enum tomoyo_mac_index". * Mapping table from "enum tomoyo_path_acl_index" to "enum tomoyo_mac_index".
*/ */
@ -220,8 +180,8 @@ static int tomoyo_audit_path_log(struct tomoyo_request_info *r)
*/ */
static int tomoyo_audit_path2_log(struct tomoyo_request_info *r) static int tomoyo_audit_path2_log(struct tomoyo_request_info *r)
{ {
return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_path2_keyword return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_mac_keywords
[r->param.path2.operation], [tomoyo_pp2mac[r->param.path2.operation]],
r->param.path2.filename1->name, r->param.path2.filename1->name,
r->param.path2.filename2->name); r->param.path2.filename2->name);
} }
@ -236,8 +196,8 @@ static int tomoyo_audit_path2_log(struct tomoyo_request_info *r)
static int tomoyo_audit_mkdev_log(struct tomoyo_request_info *r) static int tomoyo_audit_mkdev_log(struct tomoyo_request_info *r)
{ {
return tomoyo_supervisor(r, "file %s %s 0%o %u %u\n", return tomoyo_supervisor(r, "file %s %s 0%o %u %u\n",
tomoyo_mkdev_keyword tomoyo_mac_keywords
[r->param.mkdev.operation], [tomoyo_pnnn2mac[r->param.mkdev.operation]],
r->param.mkdev.filename->name, r->param.mkdev.filename->name,
r->param.mkdev.mode, r->param.mkdev.major, r->param.mkdev.mode, r->param.mkdev.major,
r->param.mkdev.minor); r->param.mkdev.minor);
@ -272,8 +232,8 @@ static int tomoyo_audit_path_number_log(struct tomoyo_request_info *r)
} }
tomoyo_print_ulong(buffer, sizeof(buffer), r->param.path_number.number, tomoyo_print_ulong(buffer, sizeof(buffer), r->param.path_number.number,
radix); radix);
return tomoyo_supervisor(r, "file %s %s %s\n", return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_mac_keywords
tomoyo_path_number_keyword[type], [tomoyo_pn2mac[type]],
r->param.path_number.filename->name, buffer); r->param.path_number.filename->name, buffer);
} }
@ -985,22 +945,25 @@ int tomoyo_write_file(struct tomoyo_acl_param *param)
if (perm) if (perm)
return tomoyo_update_path_acl(perm, param); return tomoyo_update_path_acl(perm, param);
for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++)
if (tomoyo_permstr(operation, tomoyo_path2_keyword[type])) if (tomoyo_permstr(operation,
tomoyo_mac_keywords[tomoyo_pp2mac[type]]))
perm |= 1 << type; perm |= 1 << type;
if (perm) if (perm)
return tomoyo_update_path2_acl(perm, param); return tomoyo_update_path2_acl(perm, param);
for (type = 0; type < TOMOYO_MAX_PATH_NUMBER_OPERATION; type++) for (type = 0; type < TOMOYO_MAX_PATH_NUMBER_OPERATION; type++)
if (tomoyo_permstr(operation, if (tomoyo_permstr(operation,
tomoyo_path_number_keyword[type])) tomoyo_mac_keywords[tomoyo_pn2mac[type]]))
perm |= 1 << type; perm |= 1 << type;
if (perm) if (perm)
return tomoyo_update_path_number_acl(perm, param); return tomoyo_update_path_number_acl(perm, param);
for (type = 0; type < TOMOYO_MAX_MKDEV_OPERATION; type++) for (type = 0; type < TOMOYO_MAX_MKDEV_OPERATION; type++)
if (tomoyo_permstr(operation, tomoyo_mkdev_keyword[type])) if (tomoyo_permstr(operation,
tomoyo_mac_keywords[tomoyo_pnnn2mac[type]]))
perm |= 1 << type; perm |= 1 << type;
if (perm) if (perm)
return tomoyo_update_mkdev_acl(perm, param); return tomoyo_update_mkdev_acl(perm, param);
if (tomoyo_permstr(operation, "mount")) if (tomoyo_permstr(operation,
tomoyo_mac_keywords[TOMOYO_MAC_FILE_MOUNT]))
return tomoyo_update_mount_acl(param); return tomoyo_update_mount_acl(param);
return -EINVAL; return -EINVAL;
} }

39
security/tomoyo/util.c
View file

@ -15,6 +15,37 @@ DEFINE_MUTEX(tomoyo_policy_lock);
/* Has /sbin/init started? */ /* Has /sbin/init started? */
bool tomoyo_policy_loaded; bool tomoyo_policy_loaded;
/*
* Mapping table from "enum tomoyo_mac_index" to
* "enum tomoyo_mac_category_index".
*/
const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX] = {
/* CONFIG::file group */
[TOMOYO_MAC_FILE_EXECUTE] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_OPEN] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_CREATE] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_UNLINK] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_GETATTR] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_MKDIR] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_RMDIR] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_MKFIFO] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_MKSOCK] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_TRUNCATE] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_SYMLINK] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_MKBLOCK] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_MKCHAR] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_LINK] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_RENAME] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_CHMOD] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_CHOWN] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_CHGRP] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_IOCTL] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_CHROOT] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_MOUNT] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_UMOUNT] = TOMOYO_MAC_CATEGORY_FILE,
[TOMOYO_MAC_FILE_PIVOT_ROOT] = TOMOYO_MAC_CATEGORY_FILE,
};
/** /**
* tomoyo_permstr - Find permission keywords. * tomoyo_permstr - Find permission keywords.
* *
@ -936,9 +967,11 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
if (count < tomoyo_profile(domain->ns, domain->profile)-> if (count < tomoyo_profile(domain->ns, domain->profile)->
pref[TOMOYO_PREF_MAX_LEARNING_ENTRY]) pref[TOMOYO_PREF_MAX_LEARNING_ENTRY])
return true; return true;
if (!domain->quota_warned) { if (!domain->flags[TOMOYO_DIF_QUOTA_WARNED]) {
domain->quota_warned = true; domain->flags[TOMOYO_DIF_QUOTA_WARNED] = true;
printk(KERN_WARNING "TOMOYO-WARNING: " /* r->granted = false; */
tomoyo_write_log(r, "%s", tomoyo_dif[TOMOYO_DIF_QUOTA_WARNED]);
printk(KERN_WARNING "WARNING: "
"Domain '%s' has too many ACLs to hold. " "Domain '%s' has too many ACLs to hold. "
"Stopped learning mode.\n", domain->domainname->name); "Stopped learning mode.\n", domain->domainname->name);
} }