aboutsummaryrefslogtreecommitdiff
path: root/security/tomoyo
diff options
context:
space:
mode:
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2010-06-16 16:20:24 +0900
committerJames Morris <jmorris@namei.org>2010-08-02 15:34:31 +1000
commit05336dee9f5a23c042e5938b42f996dd35e31ee6 (patch)
treec5dd4abb5bf15e06b399aa1b1e5db56bd848c762 /security/tomoyo
parent9ee0c823c18119914283358b35a1c3ebb14c2f90 (diff)
TOMOYO: Use common code for open and mkdir etc.
tomoyo_file_perm() and tomoyo_path_permission() are similar. We can embed tomoyo_file_perm() into tomoyo_path_permission(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo')
-rw-r--r--security/tomoyo/common.h2
-rw-r--r--security/tomoyo/domain.c2
-rw-r--r--security/tomoyo/file.c102
3 files changed, 22 insertions, 84 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index c8ab7553c48..20345402541 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -880,7 +880,7 @@ int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
/* Initialize mm related code. */
void __init tomoyo_mm_init(void);
-int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
+int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
const struct tomoyo_path_info *filename);
int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
struct path *path, const int flag);
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index fe621af46c2..35317e783f3 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -960,7 +960,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
}
/* Check execute permission. */
- retval = tomoyo_check_exec_perm(&r, &rn);
+ retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
if (retval == TOMOYO_RETRY_REQUEST)
goto retry;
if (retval < 0)
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 8015719926d..50875d7e860 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -670,62 +670,6 @@ static int tomoyo_path_acl(const struct tomoyo_request_info *r,
return error;
}
-/**
- * tomoyo_file_perm - Check permission for opening files.
- *
- * @r: Pointer to "struct tomoyo_request_info".
- * @filename: Filename to check.
- * @mode: Mode ("read" or "write" or "read/write" or "execute").
- *
- * Returns 0 on success, negative value otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-static int tomoyo_file_perm(struct tomoyo_request_info *r,
- const struct tomoyo_path_info *filename,
- const u8 mode)
-{
- const char *msg = "<unknown>";
- int error = 0;
- u32 perm = 0;
-
- if (!filename)
- return 0;
-
- if (mode == 6) {
- msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
- perm = 1 << TOMOYO_TYPE_READ_WRITE;
- } else if (mode == 4) {
- msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
- perm = 1 << TOMOYO_TYPE_READ;
- } else if (mode == 2) {
- msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
- perm = 1 << TOMOYO_TYPE_WRITE;
- } else if (mode == 1) {
- msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
- perm = 1 << TOMOYO_TYPE_EXECUTE;
- } else
- BUG();
- do {
- error = tomoyo_path_acl(r, filename, perm);
- if (error && mode == 4 && !r->domain->ignore_global_allow_read
- && tomoyo_is_globally_readable_file(filename))
- error = 0;
- if (!error)
- break;
- tomoyo_warn_log(r, "%s %s", msg, filename->name);
- error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
- tomoyo_file_pattern(filename));
- /*
- * Do not retry for execute request, for alias may have
- * changed.
- */
- } while (error == TOMOYO_RETRY_REQUEST && mode != 1);
- if (r->mode != TOMOYO_CONFIG_ENFORCING)
- error = 0;
- return error;
-}
-
static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a,
const struct tomoyo_acl_info *b)
{
@@ -1018,8 +962,8 @@ static int tomoyo_path2_acl(const struct tomoyo_request_info *r, const u8 type,
*
* Caller holds tomoyo_read_lock().
*/
-static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
- const struct tomoyo_path_info *filename)
+int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
+ const struct tomoyo_path_info *filename)
{
const char *msg;
int error;
@@ -1031,15 +975,22 @@ static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
return 0;
do {
error = tomoyo_path_acl(r, filename, 1 << operation);
+ if (error && operation == TOMOYO_TYPE_READ &&
+ !r->domain->ignore_global_allow_read &&
+ tomoyo_is_globally_readable_file(filename))
+ error = 0;
if (!error)
break;
msg = tomoyo_path2keyword(operation);
tomoyo_warn_log(r, "%s %s", msg, filename->name);
error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
tomoyo_file_pattern(filename));
- } while (error == TOMOYO_RETRY_REQUEST);
- if (r->mode != TOMOYO_CONFIG_ENFORCING)
- error = 0;
+ /*
+ * Do not retry for execute request, for alias may have
+ * changed.
+ */
+ } while (error == TOMOYO_RETRY_REQUEST &&
+ operation != TOMOYO_TYPE_EXECUTE);
/*
* Since "allow_truncate" doesn't imply "allow_rewrite" permission,
* we need to check "allow_rewrite" permission if the filename is
@@ -1202,8 +1153,6 @@ static int tomoyo_path_number_perm2(struct tomoyo_request_info *r,
tomoyo_file_pattern(filename),
buffer);
} while (error == TOMOYO_RETRY_REQUEST);
- if (r->mode != TOMOYO_CONFIG_ENFORCING)
- error = 0;
return error;
}
@@ -1242,24 +1191,6 @@ int tomoyo_path_number_perm(const u8 type, struct path *path,
}
/**
- * tomoyo_check_exec_perm - Check permission for "execute".
- *
- * @r: Pointer to "struct tomoyo_request_info".
- * @filename: Check permission for "execute".
- *
- * Returns 0 on success, negativevalue otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
- const struct tomoyo_path_info *filename)
-{
- if (r->mode == TOMOYO_CONFIG_DISABLED)
- return 0;
- return tomoyo_file_perm(r, filename, 1);
-}
-
-/**
* tomoyo_check_open_permission - Check permission for "read" and "write".
*
* @domain: Pointer to "struct tomoyo_domain_info".
@@ -1305,11 +1236,18 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
if (!error && acc_mode &&
tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN)
!= TOMOYO_CONFIG_DISABLED) {
+ u8 operation;
if (!buf.name && !tomoyo_get_realpath(&buf, path)) {
error = -ENOMEM;
goto out;
}
- error = tomoyo_file_perm(&r, &buf, acc_mode);
+ if (acc_mode == (MAY_READ | MAY_WRITE))
+ operation = TOMOYO_TYPE_READ_WRITE;
+ else if (acc_mode == MAY_READ)
+ operation = TOMOYO_TYPE_READ;
+ else
+ operation = TOMOYO_TYPE_WRITE;
+ error = tomoyo_path_permission(&r, operation, &buf);
}
out:
kfree(buf.name);