diff options
Diffstat (limited to 'security/tomoyo/file.c')
| -rw-r--r-- | security/tomoyo/file.c | 114 |
1 files changed, 15 insertions, 99 deletions
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 6c2ba69fc89..df3b203d7d4 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -265,33 +265,6 @@ static int tomoyo_audit_path_number_log(struct tomoyo_request_info *r) tomoyo_file_pattern(filename), buffer); } -/* - * tomoyo_globally_readable_list is used for holding list of pathnames which - * are by default allowed to be open()ed for reading by any process. - * - * An entry is added by - * - * # echo 'allow_read /lib/libc-2.5.so' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete allow_read /lib/libc-2.5.so' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, any process is allowed to - * open("/lib/libc-2.5.so", O_RDONLY). - * One exception is, if the domain which current process belongs to is marked - * as "ignore_global_allow_read", current process can't do so unless explicitly - * given "allow_read /lib/libc-2.5.so" to the domain which current process - * belongs to. - */ -LIST_HEAD(tomoyo_globally_readable_list); - static bool tomoyo_same_globally_readable(const struct tomoyo_acl_head *a, const struct tomoyo_acl_head *b) { @@ -323,7 +296,8 @@ static int tomoyo_update_globally_readable_entry(const char *filename, if (!e.filename) return -ENOMEM; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_globally_readable_list, + &tomoyo_policy_list + [TOMOYO_ID_GLOBALLY_READABLE], tomoyo_same_globally_readable); tomoyo_put_name(e.filename); return error; @@ -344,8 +318,8 @@ static bool tomoyo_globally_readable_file(const struct tomoyo_path_info * struct tomoyo_globally_readable_file_entry *ptr; bool found = false; - list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, - head.list) { + list_for_each_entry_rcu(ptr, &tomoyo_policy_list + [TOMOYO_ID_GLOBALLY_READABLE], head.list) { if (!ptr->head.is_deleted && tomoyo_path_matches_pattern(filename, ptr->filename)) { found = true; @@ -385,7 +359,7 @@ bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) bool done = true; list_for_each_cookie(pos, head->read_var2, - &tomoyo_globally_readable_list) { + &tomoyo_policy_list[TOMOYO_ID_GLOBALLY_READABLE]) { struct tomoyo_globally_readable_file_entry *ptr; ptr = list_entry(pos, struct tomoyo_globally_readable_file_entry, @@ -400,37 +374,6 @@ bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) return done; } -/* tomoyo_pattern_list is used for holding list of pathnames which are used for - * converting pathnames to pathname patterns during learning mode. - * - * An entry is added by - * - * # echo 'file_pattern /proc/\$/mounts' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete file_pattern /proc/\$/mounts' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, if a process which belongs to a domain which is in - * learning mode requested open("/proc/1/mounts", O_RDONLY), - * "allow_read /proc/\$/mounts" is automatically added to the domain which that - * process belongs to. - * - * It is not a desirable behavior that we have to use /proc/\$/ instead of - * /proc/self/ when current process needs to access only current process's - * information. As of now, LSM version of TOMOYO is using __d_path() for - * calculating pathname. Non LSM version of TOMOYO is using its own function - * which pretends as if /proc/self/ is not a symlink; so that we can forbid - * current process from accessing other process's information. - */ -LIST_HEAD(tomoyo_pattern_list); - static bool tomoyo_same_pattern(const struct tomoyo_acl_head *a, const struct tomoyo_acl_head *b) { @@ -460,7 +403,7 @@ static int tomoyo_update_file_pattern_entry(const char *pattern, if (!e.pattern) return -ENOMEM; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_pattern_list, + &tomoyo_policy_list[TOMOYO_ID_PATTERN], tomoyo_same_pattern); tomoyo_put_name(e.pattern); return error; @@ -480,7 +423,8 @@ const char *tomoyo_file_pattern(const struct tomoyo_path_info *filename) struct tomoyo_pattern_entry *ptr; const struct tomoyo_path_info *pattern = NULL; - list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, head.list) { + list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_PATTERN], + head.list) { if (ptr->head.is_deleted) continue; if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) @@ -527,7 +471,8 @@ bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) struct list_head *pos; bool done = true; - list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) { + list_for_each_cookie(pos, head->read_var2, + &tomoyo_policy_list[TOMOYO_ID_PATTERN]) { struct tomoyo_pattern_entry *ptr; ptr = list_entry(pos, struct tomoyo_pattern_entry, head.list); if (ptr->head.is_deleted) @@ -540,37 +485,6 @@ bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) return done; } -/* - * tomoyo_no_rewrite_list is used for holding list of pathnames which are by - * default forbidden to modify already written content of a file. - * - * An entry is added by - * - * # echo 'deny_rewrite /var/log/messages' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete deny_rewrite /var/log/messages' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, if a process requested to rewrite /var/log/messages , - * the process can't rewrite unless the domain which that process belongs to - * has "allow_rewrite /var/log/messages" entry. - * - * It is not a desirable behavior that we have to add "\040(deleted)" suffix - * when we want to allow rewriting already unlink()ed file. As of now, - * LSM version of TOMOYO is using __d_path() for calculating pathname. - * Non LSM version of TOMOYO is using its own function which doesn't append - * " (deleted)" suffix if the file is already unlink()ed; so that we don't - * need to worry whether the file is already unlink()ed or not. - */ -LIST_HEAD(tomoyo_no_rewrite_list); - static bool tomoyo_same_no_rewrite(const struct tomoyo_acl_head *a, const struct tomoyo_acl_head *b) { @@ -601,7 +515,7 @@ static int tomoyo_update_no_rewrite_entry(const char *pattern, if (!e.pattern) return -ENOMEM; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_no_rewrite_list, + &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE], tomoyo_same_no_rewrite); tomoyo_put_name(e.pattern); return error; @@ -622,7 +536,8 @@ static bool tomoyo_no_rewrite_file(const struct tomoyo_path_info *filename) struct tomoyo_no_rewrite_entry *ptr; bool found = false; - list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, head.list) { + list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE], + head.list) { if (ptr->head.is_deleted) continue; if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) @@ -662,7 +577,8 @@ bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head) struct list_head *pos; bool done = true; - list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) { + list_for_each_cookie(pos, head->read_var2, + &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE]) { struct tomoyo_no_rewrite_entry *ptr; ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, head.list); |