TOMOYO: Rename directives.
Convert "allow_..." style directives to "file ..." style directives.
By converting to the latter style, we can pack policy like
"file read/write/execute /path/to/file".
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 2cfadaf..465df02 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -56,7 +56,7 @@
[TOMOYO_MAC_FILE_IOCTL] = "file::ioctl",
[TOMOYO_MAC_FILE_CHROOT] = "file::chroot",
[TOMOYO_MAC_FILE_MOUNT] = "file::mount",
- [TOMOYO_MAC_FILE_UMOUNT] = "file::umount",
+ [TOMOYO_MAC_FILE_UMOUNT] = "file::unmount",
[TOMOYO_MAC_FILE_PIVOT_ROOT] = "file::pivot_root",
[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file",
};
@@ -171,11 +171,25 @@
tomoyo_set_string(head, head->read_buf + pos);
}
+/**
+ * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure.
+ *
+ * @head: Pointer to "struct tomoyo_io_buffer".
+ *
+ * Returns nothing.
+ */
static void tomoyo_set_space(struct tomoyo_io_buffer *head)
{
tomoyo_set_string(head, " ");
}
+/**
+ * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure.
+ *
+ * @head: Pointer to "struct tomoyo_io_buffer".
+ *
+ * Returns nothing.
+ */
static bool tomoyo_set_lf(struct tomoyo_io_buffer *head)
{
tomoyo_set_string(head, "\n");
@@ -183,6 +197,18 @@
}
/**
+ * tomoyo_set_slash - Put a shash to "struct tomoyo_io_buffer" structure.
+ *
+ * @head: Pointer to "struct tomoyo_io_buffer".
+ *
+ * Returns nothing.
+ */
+static void tomoyo_set_slash(struct tomoyo_io_buffer *head)
+{
+ tomoyo_set_string(head, "/");
+}
+
+/**
* tomoyo_print_name_union - Print a tomoyo_name_union.
*
* @head: Pointer to "struct tomoyo_io_buffer".
@@ -913,19 +939,17 @@
}
/**
- * tomoyo_fns - Find next set bit.
+ * tomoyo_set_group - Print category name.
*
- * @perm: 8 bits value.
- * @bit: First bit to find.
+ * @head: Pointer to "struct tomoyo_io_buffer".
+ * @category: Category name.
*
- * Returns next on-bit on success, 8 otherwise.
+ * Returns nothing.
*/
-static u8 tomoyo_fns(const u8 perm, u8 bit)
+static void tomoyo_set_group(struct tomoyo_io_buffer *head,
+ const char *category)
{
- for ( ; bit < 8; bit++)
- if (perm & (1 << bit))
- break;
- return bit;
+ tomoyo_set_string(head, category);
}
/**
@@ -940,58 +964,94 @@
struct tomoyo_acl_info *acl)
{
const u8 acl_type = acl->type;
+ bool first = true;
u8 bit;
if (acl->is_deleted)
return true;
- next:
- bit = head->r.bit;
if (!tomoyo_flush(head))
return false;
else if (acl_type == TOMOYO_TYPE_PATH_ACL) {
struct tomoyo_path_acl *ptr =
container_of(acl, typeof(*ptr), head);
const u16 perm = ptr->perm;
- for ( ; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
+ for (bit = 0; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
if (!(perm & (1 << bit)))
continue;
if (head->r.print_execute_only &&
bit != TOMOYO_TYPE_EXECUTE)
continue;
- break;
+ if (first) {
+ tomoyo_set_group(head, "file ");
+ first = false;
+ } else {
+ tomoyo_set_slash(head);
+ }
+ tomoyo_set_string(head, tomoyo_path_keyword[bit]);
}
- if (bit >= TOMOYO_MAX_PATH_OPERATION)
- goto done;
- tomoyo_io_printf(head, "allow_%s", tomoyo_path_keyword[bit]);
+ if (first)
+ return true;
tomoyo_print_name_union(head, &ptr->name);
} else if (head->r.print_execute_only) {
return true;
} else if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
struct tomoyo_path2_acl *ptr =
container_of(acl, typeof(*ptr), head);
- bit = tomoyo_fns(ptr->perm, bit);
- if (bit >= TOMOYO_MAX_PATH2_OPERATION)
- goto done;
- tomoyo_io_printf(head, "allow_%s", tomoyo_path2_keyword[bit]);
+ const u8 perm = ptr->perm;
+ for (bit = 0; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
+ if (!(perm & (1 << bit)))
+ continue;
+ if (first) {
+ tomoyo_set_group(head, "file ");
+ first = false;
+ } else {
+ tomoyo_set_slash(head);
+ }
+ tomoyo_set_string(head, tomoyo_mac_keywords
+ [tomoyo_pp2mac[bit]]);
+ }
+ if (first)
+ return true;
tomoyo_print_name_union(head, &ptr->name1);
tomoyo_print_name_union(head, &ptr->name2);
} else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) {
struct tomoyo_path_number_acl *ptr =
container_of(acl, typeof(*ptr), head);
- bit = tomoyo_fns(ptr->perm, bit);
- if (bit >= TOMOYO_MAX_PATH_NUMBER_OPERATION)
- goto done;
- tomoyo_io_printf(head, "allow_%s",
- tomoyo_path_number_keyword[bit]);
+ const u8 perm = ptr->perm;
+ for (bit = 0; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; bit++) {
+ if (!(perm & (1 << bit)))
+ continue;
+ if (first) {
+ tomoyo_set_group(head, "file ");
+ first = false;
+ } else {
+ tomoyo_set_slash(head);
+ }
+ tomoyo_set_string(head, tomoyo_mac_keywords
+ [tomoyo_pn2mac[bit]]);
+ }
+ if (first)
+ return true;
tomoyo_print_name_union(head, &ptr->name);
tomoyo_print_number_union(head, &ptr->number);
} else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) {
struct tomoyo_mkdev_acl *ptr =
container_of(acl, typeof(*ptr), head);
- bit = tomoyo_fns(ptr->perm, bit);
- if (bit >= TOMOYO_MAX_MKDEV_OPERATION)
- goto done;
- tomoyo_io_printf(head, "allow_%s", tomoyo_mkdev_keyword[bit]);
+ const u8 perm = ptr->perm;
+ for (bit = 0; bit < TOMOYO_MAX_MKDEV_OPERATION; bit++) {
+ if (!(perm & (1 << bit)))
+ continue;
+ if (first) {
+ tomoyo_set_group(head, "file ");
+ first = false;
+ } else {
+ tomoyo_set_slash(head);
+ }
+ tomoyo_set_string(head, tomoyo_mac_keywords
+ [tomoyo_pnnn2mac[bit]]);
+ }
+ if (first)
+ return true;
tomoyo_print_name_union(head, &ptr->name);
tomoyo_print_number_union(head, &ptr->mode);
tomoyo_print_number_union(head, &ptr->major);
@@ -999,18 +1059,13 @@
} else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) {
struct tomoyo_mount_acl *ptr =
container_of(acl, typeof(*ptr), head);
- tomoyo_io_printf(head, "allow_mount");
+ tomoyo_set_group(head, "file mount");
tomoyo_print_name_union(head, &ptr->dev_name);
tomoyo_print_name_union(head, &ptr->dir_name);
tomoyo_print_name_union(head, &ptr->fs_type);
tomoyo_print_number_union(head, &ptr->flags);
}
- head->r.bit = bit + 1;
- tomoyo_io_printf(head, "\n");
- if (acl_type != TOMOYO_TYPE_MOUNT_ACL)
- goto next;
- done:
- head->r.bit = 0;
+ tomoyo_set_lf(head);
return true;
}
@@ -1316,18 +1371,14 @@
{
struct tomoyo_transition_control *ptr =
container_of(acl, typeof(*ptr), head);
- tomoyo_set_string(head,
- tomoyo_transition_type
+ tomoyo_set_string(head, tomoyo_transition_type
[ptr->type]);
- if (ptr->program)
- tomoyo_set_string(head,
- ptr->program->name);
- if (ptr->program && ptr->domainname)
- tomoyo_set_string(head, " from ");
- if (ptr->domainname)
- tomoyo_set_string(head,
- ptr->domainname->
- name);
+ tomoyo_set_string(head, ptr->program ?
+ ptr->program->name : "any");
+ tomoyo_set_string(head, " from ");
+ tomoyo_set_string(head, ptr->domainname ?
+ ptr->domainname->name :
+ "any");
}
break;
case TOMOYO_ID_AGGREGATOR:
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 6f9711f..139ad75 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -404,7 +404,7 @@
bool is_delete;
};
-#define TOMOYO_MAX_IO_READ_QUEUE 32
+#define TOMOYO_MAX_IO_READ_QUEUE 64
/*
* Structure for reading/writing policy via /sys/kernel/security/tomoyo
@@ -639,6 +639,10 @@
extern const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION];
extern const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION];
+extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
+extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];
+extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
+
extern unsigned int tomoyo_quota_for_query;
extern unsigned int tomoyo_query_memory_size;
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index d8187179..cb5d2b0 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -209,14 +209,14 @@
domainname = program;
program = NULL;
}
- if (program) {
+ if (program && strcmp(program, "any")) {
if (!tomoyo_correct_path(program))
return -EINVAL;
e.program = tomoyo_get_name(program);
if (!e.program)
goto out;
}
- if (domainname) {
+ if (domainname && strcmp(domainname, "any")) {
if (!tomoyo_correct_domain(domainname)) {
if (!tomoyo_correct_path(domainname))
goto out;
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index e60745f9..0673a69 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -69,7 +69,7 @@
/*
* Mapping table from "enum tomoyo_mkdev_acl_index" to "enum tomoyo_mac_index".
*/
-static const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION] = {
+const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION] = {
[TOMOYO_TYPE_MKBLOCK] = TOMOYO_MAC_FILE_MKBLOCK,
[TOMOYO_TYPE_MKCHAR] = TOMOYO_MAC_FILE_MKCHAR,
};
@@ -77,7 +77,7 @@
/*
* Mapping table from "enum tomoyo_path2_acl_index" to "enum tomoyo_mac_index".
*/
-static const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION] = {
+const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION] = {
[TOMOYO_TYPE_LINK] = TOMOYO_MAC_FILE_LINK,
[TOMOYO_TYPE_RENAME] = TOMOYO_MAC_FILE_RENAME,
[TOMOYO_TYPE_PIVOT_ROOT] = TOMOYO_MAC_FILE_PIVOT_ROOT,
@@ -87,7 +87,7 @@
* Mapping table from "enum tomoyo_path_number_acl_index" to
* "enum tomoyo_mac_index".
*/
-static const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION] = {
+const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION] = {
[TOMOYO_TYPE_CREATE] = TOMOYO_MAC_FILE_CREATE,
[TOMOYO_TYPE_MKDIR] = TOMOYO_MAC_FILE_MKDIR,
[TOMOYO_TYPE_MKFIFO] = TOMOYO_MAC_FILE_MKFIFO,
@@ -211,8 +211,7 @@
if (r->granted)
return 0;
tomoyo_warn_log(r, "%s %s", operation, filename->name);
- return tomoyo_supervisor(r, "allow_%s %s\n", operation,
- filename->name);
+ return tomoyo_supervisor(r, "file %s %s\n", operation, filename->name);
}
/**
@@ -231,7 +230,7 @@
return 0;
tomoyo_warn_log(r, "%s %s %s", operation, filename1->name,
filename2->name);
- return tomoyo_supervisor(r, "allow_%s %s %s\n", operation,
+ return tomoyo_supervisor(r, "file %s %s %s\n", operation,
filename1->name, filename2->name);
}
@@ -253,7 +252,7 @@
return 0;
tomoyo_warn_log(r, "%s %s 0%o %u %u", operation, filename->name, mode,
major, minor);
- return tomoyo_supervisor(r, "allow_%s %s 0%o %u %u\n", operation,
+ return tomoyo_supervisor(r, "file %s %s 0%o %u %u\n", operation,
filename->name, mode, major, minor);
}
@@ -291,7 +290,7 @@
tomoyo_print_ulong(buffer, sizeof(buffer), r->param.path_number.number,
radix);
tomoyo_warn_log(r, "%s %s %s", operation, filename->name, buffer);
- return tomoyo_supervisor(r, "allow_%s %s %s\n", operation,
+ return tomoyo_supervisor(r, "file %s %s %s\n", operation,
filename->name, buffer);
}