diff options
Diffstat (limited to 'security/tomoyo')
-rw-r--r-- | security/tomoyo/common.c | 226 | ||||
-rw-r--r-- | security/tomoyo/common.h | 54 | ||||
-rw-r--r-- | security/tomoyo/domain.c | 60 | ||||
-rw-r--r-- | security/tomoyo/file.c | 63 | ||||
-rw-r--r-- | security/tomoyo/gc.c | 22 | ||||
-rw-r--r-- | security/tomoyo/memory.c | 2 | ||||
-rw-r--r-- | security/tomoyo/mount.c | 10 | ||||
-rw-r--r-- | security/tomoyo/util.c | 2 |
8 files changed, 199 insertions, 240 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 30e4b08905e..65c18af3ffe 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -248,14 +248,13 @@ static void tomoyo_print_number_union(struct tomoyo_io_buffer *head, } /** - * tomoyo_find_or_assign_new_profile - Create a new profile. + * tomoyo_assign_profile - Create a new profile. * * @profile: Profile number to create. * * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. */ -static struct tomoyo_profile *tomoyo_find_or_assign_new_profile -(const unsigned int profile) +static struct tomoyo_profile *tomoyo_assign_profile(const unsigned int profile) { struct tomoyo_profile *ptr; struct tomoyo_profile *entry; @@ -443,7 +442,7 @@ static int tomoyo_write_profile(struct tomoyo_io_buffer *head) if (*cp != '-') return -EINVAL; data = cp + 1; - profile = tomoyo_find_or_assign_new_profile(i); + profile = tomoyo_assign_profile(i); if (!profile) return -EINVAL; } @@ -584,13 +583,11 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head) goto next; } -static bool tomoyo_same_manager_entry(const struct tomoyo_acl_head *a, - const struct tomoyo_acl_head *b) +static bool tomoyo_same_manager(const struct tomoyo_acl_head *a, + const struct tomoyo_acl_head *b) { - return container_of(a, struct tomoyo_policy_manager_entry, head) - ->manager == - container_of(b, struct tomoyo_policy_manager_entry, head) - ->manager; + return container_of(a, struct tomoyo_manager, head)->manager == + container_of(b, struct tomoyo_manager, head)->manager; } /** @@ -606,7 +603,7 @@ static bool tomoyo_same_manager_entry(const struct tomoyo_acl_head *a, static int tomoyo_update_manager_entry(const char *manager, const bool is_delete) { - struct tomoyo_policy_manager_entry e = { }; + struct tomoyo_manager e = { }; int error; if (tomoyo_domain_def(manager)) { @@ -622,13 +619,13 @@ static int tomoyo_update_manager_entry(const char *manager, return -ENOMEM; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, &tomoyo_policy_list[TOMOYO_ID_MANAGER], - tomoyo_same_manager_entry); + tomoyo_same_manager); tomoyo_put_name(e.manager); return error; } /** - * tomoyo_write_manager_policy - Write manager policy. + * tomoyo_write_manager - Write manager policy. * * @head: Pointer to "struct tomoyo_io_buffer". * @@ -636,7 +633,7 @@ static int tomoyo_update_manager_entry(const char *manager, * * Caller holds tomoyo_read_lock(). */ -static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head) +static int tomoyo_write_manager(struct tomoyo_io_buffer *head) { char *data = head->write_buf; bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); @@ -649,19 +646,19 @@ static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head) } /** - * tomoyo_read_manager_policy - Read manager policy. + * tomoyo_read_manager - Read manager policy. * * @head: Pointer to "struct tomoyo_io_buffer". * * Caller holds tomoyo_read_lock(). */ -static void tomoyo_read_manager_policy(struct tomoyo_io_buffer *head) +static void tomoyo_read_manager(struct tomoyo_io_buffer *head) { if (head->r.eof) return; list_for_each_cookie(head->r.acl, &tomoyo_policy_list[TOMOYO_ID_MANAGER]) { - struct tomoyo_policy_manager_entry *ptr = + struct tomoyo_manager *ptr = list_entry(head->r.acl, typeof(*ptr), head.list); if (ptr->head.is_deleted) continue; @@ -674,16 +671,16 @@ static void tomoyo_read_manager_policy(struct tomoyo_io_buffer *head) } /** - * tomoyo_policy_manager - Check whether the current process is a policy manager. + * tomoyo_manager - Check whether the current process is a policy manager. * * Returns true if the current process is permitted to modify policy * via /sys/kernel/security/tomoyo/ interface. * * Caller holds tomoyo_read_lock(). */ -static bool tomoyo_policy_manager(void) +static bool tomoyo_manager(void) { - struct tomoyo_policy_manager_entry *ptr; + struct tomoyo_manager *ptr; const char *exe; const struct task_struct *task = current; const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; @@ -813,7 +810,7 @@ static int tomoyo_delete_domain(char *domainname) } /** - * tomoyo_write_domain_policy2 - Write domain policy. + * tomoyo_write_domain2 - Write domain policy. * * @head: Pointer to "struct tomoyo_io_buffer". * @@ -821,17 +818,16 @@ static int tomoyo_delete_domain(char *domainname) * * Caller holds tomoyo_read_lock(). */ -static int tomoyo_write_domain_policy2(char *data, - struct tomoyo_domain_info *domain, - const bool is_delete) +static int tomoyo_write_domain2(char *data, struct tomoyo_domain_info *domain, + const bool is_delete) { if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_MOUNT)) - return tomoyo_write_mount_policy(data, domain, is_delete); - return tomoyo_write_file_policy(data, domain, is_delete); + return tomoyo_write_mount(data, domain, is_delete); + return tomoyo_write_file(data, domain, is_delete); } /** - * tomoyo_write_domain_policy - Write domain policy. + * tomoyo_write_domain - Write domain policy. * * @head: Pointer to "struct tomoyo_io_buffer". * @@ -839,7 +835,7 @@ static int tomoyo_write_domain_policy2(char *data, * * Caller holds tomoyo_read_lock(). */ -static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) +static int tomoyo_write_domain(struct tomoyo_io_buffer *head) { char *data = head->write_buf; struct tomoyo_domain_info *domain = head->write_var1; @@ -854,7 +850,7 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) if (is_select && tomoyo_select_one(head, data)) return 0; /* Don't allow updating policies by non manager programs. */ - if (!tomoyo_policy_manager()) + if (!tomoyo_manager()) return -EPERM; if (tomoyo_domain_def(data)) { domain = NULL; @@ -863,7 +859,7 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) else if (is_select) domain = tomoyo_find_domain(data); else - domain = tomoyo_find_or_assign_new_domain(data, 0); + domain = tomoyo_assign_domain(data, 0); head->write_var1 = domain; return 0; } @@ -888,7 +884,7 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) domain->transition_failed = !is_delete; return 0; } - return tomoyo_write_domain_policy2(data, domain, is_delete); + return tomoyo_write_domain2(data, domain, is_delete); } /** @@ -1022,13 +1018,13 @@ static bool tomoyo_read_domain2(struct tomoyo_io_buffer *head, } /** - * tomoyo_read_domain_policy - Read domain policy. + * tomoyo_read_domain - Read domain policy. * * @head: Pointer to "struct tomoyo_io_buffer". * * Caller holds tomoyo_read_lock(). */ -static void tomoyo_read_domain_policy(struct tomoyo_io_buffer *head) +static void tomoyo_read_domain(struct tomoyo_io_buffer *head) { if (head->r.eof) return; @@ -1208,8 +1204,13 @@ static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = { [TOMOYO_TRANSITION_CONTROL_KEEP] = TOMOYO_KEYWORD_KEEP_DOMAIN }; +static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = { + [TOMOYO_PATH_GROUP] = TOMOYO_KEYWORD_PATH_GROUP, + [TOMOYO_NUMBER_GROUP] = TOMOYO_KEYWORD_NUMBER_GROUP +}; + /** - * tomoyo_write_exception_policy - Write exception policy. + * tomoyo_write_exception - Write exception policy. * * @head: Pointer to "struct tomoyo_io_buffer". * @@ -1217,37 +1218,34 @@ static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = { * * Caller holds tomoyo_read_lock(). */ -static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head) +static int tomoyo_write_exception(struct tomoyo_io_buffer *head) { char *data = head->write_buf; bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); u8 i; - - for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++) { + static const struct { + const char *keyword; + int (*write) (char *, const bool); + } tomoyo_callback[4] = { + { TOMOYO_KEYWORD_AGGREGATOR, tomoyo_write_aggregator }, + { TOMOYO_KEYWORD_FILE_PATTERN, tomoyo_write_pattern }, + { TOMOYO_KEYWORD_DENY_REWRITE, tomoyo_write_no_rewrite }, + { TOMOYO_KEYWORD_ALLOW_READ, tomoyo_write_globally_readable }, + }; + + for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++) if (tomoyo_str_starts(&data, tomoyo_transition_type[i])) return tomoyo_write_transition_control(data, is_delete, i); - } - if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_AGGREGATOR)) - return tomoyo_write_aggregator_policy(data, is_delete); - if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ)) - return tomoyo_write_globally_readable_policy(data, is_delete); - if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN)) - return tomoyo_write_pattern_policy(data, is_delete); - if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE)) - return tomoyo_write_no_rewrite_policy(data, is_delete); - if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_PATH_GROUP)) - return tomoyo_write_group(data, is_delete, TOMOYO_PATH_GROUP); - if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NUMBER_GROUP)) - return tomoyo_write_group(data, is_delete, TOMOYO_NUMBER_GROUP); + for (i = 0; i < 4; i++) + if (tomoyo_str_starts(&data, tomoyo_callback[i].keyword)) + return tomoyo_callback[i].write(data, is_delete); + for (i = 0; i < TOMOYO_MAX_GROUP; i++) + if (tomoyo_str_starts(&data, tomoyo_group_name[i])) + return tomoyo_write_group(data, is_delete, i); return -EINVAL; } -static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = { - [TOMOYO_PATH_GROUP] = TOMOYO_KEYWORD_PATH_GROUP, - [TOMOYO_NUMBER_GROUP] = TOMOYO_KEYWORD_NUMBER_GROUP -}; - /** * tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group" list. * @@ -1331,8 +1329,8 @@ static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) break; case TOMOYO_ID_GLOBALLY_READABLE: { - struct tomoyo_globally_readable_file_entry *ptr - = container_of(acl, typeof(*ptr), head); + struct tomoyo_readable_file *ptr = + container_of(acl, typeof(*ptr), head); tomoyo_set_string(head, TOMOYO_KEYWORD_ALLOW_READ); tomoyo_set_string(head, ptr->filename->name); @@ -1340,7 +1338,7 @@ static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) break; case TOMOYO_ID_AGGREGATOR: { - struct tomoyo_aggregator_entry *ptr = + struct tomoyo_aggregator *ptr = container_of(acl, typeof(*ptr), head); tomoyo_set_string(head, TOMOYO_KEYWORD_AGGREGATOR); @@ -1353,7 +1351,7 @@ static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) break; case TOMOYO_ID_PATTERN: { - struct tomoyo_pattern_entry *ptr = + struct tomoyo_no_pattern *ptr = container_of(acl, typeof(*ptr), head); tomoyo_set_string(head, TOMOYO_KEYWORD_FILE_PATTERN); @@ -1362,7 +1360,7 @@ static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) break; case TOMOYO_ID_NO_REWRITE: { - struct tomoyo_no_rewrite_entry *ptr = + struct tomoyo_no_rewrite *ptr = container_of(acl, typeof(*ptr), head); tomoyo_set_string(head, TOMOYO_KEYWORD_DENY_REWRITE); @@ -1379,13 +1377,13 @@ static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) } /** - * tomoyo_read_exception_policy - Read exception policy. + * tomoyo_read_exception - Read exception policy. * * @head: Pointer to "struct tomoyo_io_buffer". * * Caller holds tomoyo_read_lock(). */ -static void tomoyo_read_exception_policy(struct tomoyo_io_buffer *head) +static void tomoyo_read_exception(struct tomoyo_io_buffer *head) { if (head->r.eof) return; @@ -1472,7 +1470,7 @@ static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait); static DEFINE_SPINLOCK(tomoyo_query_list_lock); /* Structure for query. */ -struct tomoyo_query_entry { +struct tomoyo_query { struct list_head list; char *query; int query_len; @@ -1481,7 +1479,7 @@ struct tomoyo_query_entry { int answer; }; -/* The list for "struct tomoyo_query_entry". */ +/* The list for "struct tomoyo_query". */ static LIST_HEAD(tomoyo_query_list); /* @@ -1508,7 +1506,7 @@ int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) int pos; int len; static unsigned int tomoyo_serial; - struct tomoyo_query_entry *tomoyo_query_entry = NULL; + struct tomoyo_query *entry = NULL; bool quota_exceeded = false; char *header; switch (r->mode) { @@ -1526,7 +1524,7 @@ int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) vsnprintf(buffer, len - 1, fmt, args); va_end(args); tomoyo_normalize_line(buffer); - tomoyo_write_domain_policy2(buffer, r->domain, false); + tomoyo_write_domain2(buffer, r->domain, false); kfree(buffer); /* fall through */ case TOMOYO_CONFIG_PERMISSIVE: @@ -1542,51 +1540,50 @@ int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) header = tomoyo_init_audit_log(&len, r); if (!header) goto out; - tomoyo_query_entry = kzalloc(sizeof(*tomoyo_query_entry), GFP_NOFS); - if (!tomoyo_query_entry) + entry = kzalloc(sizeof(*entry), GFP_NOFS); + if (!entry) goto out; - tomoyo_query_entry->query = kzalloc(len, GFP_NOFS); - if (!tomoyo_query_entry->query) + entry->query = kzalloc(len, GFP_NOFS); + if (!entry->query) goto out; - len = ksize(tomoyo_query_entry->query); - INIT_LIST_HEAD(&tomoyo_query_entry->list); + len = ksize(entry->query); spin_lock(&tomoyo_query_list_lock); if (tomoyo_quota_for_query && tomoyo_query_memory_size + len + - sizeof(*tomoyo_query_entry) >= tomoyo_quota_for_query) { + sizeof(*entry) >= tomoyo_quota_for_query) { quota_exceeded = true; } else { - tomoyo_query_memory_size += len + sizeof(*tomoyo_query_entry); - tomoyo_query_entry->serial = tomoyo_serial++; + tomoyo_query_memory_size += len + sizeof(*entry); + entry->serial = tomoyo_serial++; } spin_unlock(&tomoyo_query_list_lock); if (quota_exceeded) goto out; - pos = snprintf(tomoyo_query_entry->query, len - 1, "Q%u-%hu\n%s", - tomoyo_query_entry->serial, r->retry, header); + pos = snprintf(entry->query, len - 1, "Q%u-%hu\n%s", + entry->serial, r->retry, header); kfree(header); header = NULL; va_start(args, fmt); - vsnprintf(tomoyo_query_entry->query + pos, len - 1 - pos, fmt, args); - tomoyo_query_entry->query_len = strlen(tomoyo_query_entry->query) + 1; + vsnprintf(entry->query + pos, len - 1 - pos, fmt, args); + entry->query_len = strlen(entry->query) + 1; va_end(args); spin_lock(&tomoyo_query_list_lock); - list_add_tail(&tomoyo_query_entry->list, &tomoyo_query_list); + list_add_tail(&entry->list, &tomoyo_query_list); spin_unlock(&tomoyo_query_list_lock); /* Give 10 seconds for supervisor's opinion. */ - for (tomoyo_query_entry->timer = 0; - atomic_read(&tomoyo_query_observers) && tomoyo_query_entry->timer < 100; - tomoyo_query_entry->timer++) { + for (entry->timer = 0; + atomic_read(&tomoyo_query_observers) && entry->timer < 100; + entry->timer++) { wake_up(&tomoyo_query_wait); set_current_state(TASK_INTERRUPTIBLE); schedule_timeout(HZ / 10); - if (tomoyo_query_entry->answer) + if (entry->answer) break; } spin_lock(&tomoyo_query_list_lock); - list_del(&tomoyo_query_entry->list); - tomoyo_query_memory_size -= len + sizeof(*tomoyo_query_entry); + list_del(&entry->list); + tomoyo_query_memory_size -= len + sizeof(*entry); spin_unlock(&tomoyo_query_list_lock); - switch (tomoyo_query_entry->answer) { + switch (entry->answer) { case 3: /* Asked to retry by administrator. */ error = TOMOYO_RETRY_REQUEST; r->retry++; @@ -1603,9 +1600,9 @@ int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) break; } out: - if (tomoyo_query_entry) - kfree(tomoyo_query_entry->query); - kfree(tomoyo_query_entry); + if (entry) + kfree(entry->query); + kfree(entry); kfree(header); return error; } @@ -1628,9 +1625,8 @@ static int tomoyo_poll_query(struct file *file, poll_table *wait) for (i = 0; i < 2; i++) { spin_lock(&tomoyo_query_list_lock); list_for_each(tmp, &tomoyo_query_list) { - struct tomoyo_query_entry *ptr - = list_entry(tmp, struct tomoyo_query_entry, - list); + struct tomoyo_query *ptr = + list_entry(tmp, typeof(*ptr), list); if (ptr->answer) continue; found = true; @@ -1665,8 +1661,7 @@ static void tomoyo_read_query(struct tomoyo_io_buffer *head) } spin_lock(&tomoyo_query_list_lock); list_for_each(tmp, &tomoyo_query_list) { - struct tomoyo_query_entry *ptr = - list_entry(tmp, typeof(*ptr), list); + struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); if (ptr->answer) continue; if (pos++ != head->r.query_index) @@ -1685,8 +1680,7 @@ static void tomoyo_read_query(struct tomoyo_io_buffer *head) pos = 0; spin_lock(&tomoyo_query_list_lock); list_for_each(tmp, &tomoyo_query_list) { - struct tomoyo_query_entry *ptr = - list_entry(tmp, typeof(*ptr), list); + struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); if (ptr->answer) continue; if (pos++ != head->r.query_index) @@ -1724,8 +1718,7 @@ static int tomoyo_write_answer(struct tomoyo_io_buffer *head) unsigned int answer; spin_lock(&tomoyo_query_list_lock); list_for_each(tmp, &tomoyo_query_list) { - struct tomoyo_query_entry *ptr - = list_entry(tmp, struct tomoyo_query_entry, list); + struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); ptr->timer = 0; } spin_unlock(&tomoyo_query_list_lock); @@ -1733,8 +1726,7 @@ static int tomoyo_write_answer(struct tomoyo_io_buffer *head) return -EINVAL; spin_lock(&tomoyo_query_list_lock); list_for_each(tmp, &tomoyo_query_list) { - struct tomoyo_query_entry *ptr - = list_entry(tmp, struct tomoyo_query_entry, list); + struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); if (ptr->serial != serial) continue; if (!ptr->answer) @@ -1801,13 +1793,13 @@ int tomoyo_open_control(const u8 type, struct file *file) switch (type) { case TOMOYO_DOMAINPOLICY: /* /sys/kernel/security/tomoyo/domain_policy */ - head->write = tomoyo_write_domain_policy; - head->read = tomoyo_read_domain_policy; + head->write = tomoyo_write_domain; + head->read = tomoyo_read_domain; break; case TOMOYO_EXCEPTIONPOLICY: /* /sys/kernel/security/tomoyo/exception_policy */ - head->write = tomoyo_write_exception_policy; - head->read = tomoyo_read_exception_policy; + head->write = tomoyo_write_exception; + head->read = tomoyo_read_exception; break; case TOMOYO_SELFDOMAIN: /* /sys/kernel/security/tomoyo/self_domain */ @@ -1846,8 +1838,8 @@ int tomoyo_open_control(const u8 type, struct file *file) break; case TOMOYO_MANAGER: /* /sys/kernel/security/tomoyo/manager */ - head->write = tomoyo_write_manager_policy; - head->read = tomoyo_read_manager_policy; + head->write = tomoyo_write_manager; + head->read = tomoyo_read_manager; break; } if (!(file->f_mode & FMODE_READ)) { @@ -1906,23 +1898,6 @@ int tomoyo_open_control(const u8 type, struct file *file) } /** - * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface. - * - * @file: Pointer to "struct file". - * @wait: Pointer to "poll_table". - * - * Waits for read readiness. - * /sys/kernel/security/tomoyo/query is handled by /usr/sbin/tomoyo-queryd . - */ -int tomoyo_poll_control(struct file *file, poll_table *wait) -{ - struct tomoyo_io_buffer *head = file->private_data; - if (!head->poll) - return -ENOSYS; - return head->poll(file, wait); -} - -/** * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. * * @file: Pointer to "struct file". @@ -1979,8 +1954,7 @@ int tomoyo_write_control(struct file *file, const char __user *buffer, return -EFAULT; /* Don't allow updating policies by non manager programs. */ if (head->write != tomoyo_write_pid && - head->write != tomoyo_write_domain_policy && - !tomoyo_policy_manager()) + head->write != tomoyo_write_domain && !tomoyo_manager()) return -EPERM; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index ef8fecddb65..b8b2dac656f 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -310,10 +310,10 @@ struct tomoyo_path_info { }; /* - * tomoyo_name_entry is a structure which is used for linking + * tomoyo_name is a structure which is used for linking * "struct tomoyo_path_info" into tomoyo_name_list . */ -struct tomoyo_name_entry { +struct tomoyo_name { struct list_head list; atomic_t users; struct tomoyo_path_info entry; @@ -572,20 +572,20 @@ struct tomoyo_io_buffer { }; /* - * tomoyo_globally_readable_file_entry is a structure which is used for holding + * tomoyo_readable_file is a structure which is used for holding * "allow_read" entries. * It has following fields. * * (1) "head" is "struct tomoyo_acl_head". * (2) "filename" is a pathname which is allowed to open(O_RDONLY). */ -struct tomoyo_globally_readable_file_entry { +struct tomoyo_readable_file { struct tomoyo_acl_head head; const struct tomoyo_path_info *filename; }; /* - * tomoyo_pattern_entry is a structure which is used for holding + * tomoyo_no_pattern is a structure which is used for holding * "file_pattern" entries. * It has following fields. * @@ -593,13 +593,13 @@ struct tomoyo_globally_readable_file_entry { * (2) "pattern" is a pathname pattern which is used for converting pathnames * to pathname patterns during learning mode. */ -struct tomoyo_pattern_entry { +struct tomoyo_no_pattern { struct tomoyo_acl_head head; const struct tomoyo_path_info *pattern; }; /* - * tomoyo_no_rewrite_entry is a structure which is used for holding + * tomoyo_no_rewrite is a structure which is used for holding * "deny_rewrite" entries. * It has following fields. * @@ -607,7 +607,7 @@ struct tomoyo_pattern_entry { * (2) "pattern" is a pathname which is by default not permitted to modify * already existing content. */ -struct tomoyo_no_rewrite_entry { +struct tomoyo_no_rewrite { struct tomoyo_acl_head head; const struct tomoyo_path_info *pattern; }; @@ -636,7 +636,7 @@ struct tomoyo_transition_control { }; /* - * tomoyo_aggregator_entry is a structure which is used for holding + * tomoyo_aggregator is a structure which is used for holding * "aggregator" entries. * It has following fields. * @@ -644,14 +644,14 @@ struct tomoyo_transition_control { * (2) "original_name" which is originally requested name. * (3) "aggregated_name" which is name to rewrite. */ -struct tomoyo_aggregator_entry { +struct tomoyo_aggregator { struct tomoyo_acl_head head; const struct tomoyo_path_info *original_name; const struct tomoyo_path_info *aggregated_name; }; /* - * tomoyo_policy_manager_entry is a structure which is used for holding list of + * tomoyo_manager is a structure which is used for holding list of * domainnames or programs which are permitted to modify configuration via * /sys/kernel/security/tomoyo/ interface. * It has following fields. @@ -661,7 +661,7 @@ struct tomoyo_aggregator_entry { * otherwise. * (3) "manager" is a domainname or a program's pathname. */ -struct tomoyo_policy_manager_entry { +struct tomoyo_manager { struct tomoyo_acl_head head; bool is_domain; /* True if manager is a domainname. */ /* A path to program or a domainname. */ @@ -749,8 +749,6 @@ bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num); bool tomoyo_tokenize(char *buffer, char *w[], size_t size); /* Write domain policy violation warning message to console? */ bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain); -/* Get the last component of the given domainname. */ -const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain); /* Fill "struct tomoyo_request_info". */ int tomoyo_init_request_info(struct tomoyo_request_info *r, struct tomoyo_domain_info *domain, @@ -759,7 +757,7 @@ int tomoyo_init_request_info(struct tomoyo_request_info *r, int tomoyo_mount_permission(char *dev_name, struct path *path, char *type, unsigned long flags, void *data_page); /* Create "aggregator" entry in exception policy. */ -int tomoyo_write_aggregator_policy(char *data, const bool is_delete); +int tomoyo_write_aggregator(char *data, const bool is_delete); int tomoyo_write_transition_control(char *data, const bool is_delete, const u8 type); /* @@ -769,17 +767,17 @@ int tomoyo_write_transition_control(char *data, const bool is_delete, * "allow_truncate", "allow_symlink", "allow_rewrite", "allow_rename" and * "allow_link" entry in domain policy. */ -int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, - const bool is_delete); +int tomoyo_write_file(char *data, struct tomoyo_domain_info *domain, + const bool is_delete); /* Create "allow_read" entry in exception policy. */ -int tomoyo_write_globally_readable_policy(char *data, const bool is_delete); +int tomoyo_write_globally_readable(char *data, const bool is_delete); /* Create "allow_mount" entry in domain policy. */ -int tomoyo_write_mount_policy(char *data, struct tomoyo_domain_info *domain, - const bool is_delete); +int tomoyo_write_mount(char *data, struct tomoyo_domain_info *domain, + const bool is_delete); /* Create "deny_rewrite" entry in exception policy. */ -int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete); +int tomoyo_write_no_rewrite(char *data, const bool is_delete); /* Create "file_pattern" entry in exception policy. */ -int tomoyo_write_pattern_policy(char *data, const bool is_delete); +int tomoyo_write_pattern(char *data, const bool is_delete); /* Create "path_group"/"number_group" entry in exception policy. */ int tomoyo_write_group(char *data, const bool is_delete, const u8 type); int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) @@ -787,9 +785,8 @@ int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) /* Find a domain by the given name. */ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); /* Find or create a domain by the given name. */ -struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * - domainname, - const u8 profile); +struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname, + const u8 profile); struct tomoyo_profile *tomoyo_profile(const u8 profile); /* * Allocate memory for "struct tomoyo_path_group"/"struct tomoyo_number_group". @@ -820,7 +817,7 @@ char *tomoyo_realpath_nofollow(const char *pathname); */ char *tomoyo_realpath_from_path(struct path *path); /* Get patterned pathname. */ -const char *tomoyo_file_pattern(const struct tomoyo_path_info *filename); +const char *tomoyo_pattern(const struct tomoyo_path_info *filename); /* Check memory quota. */ bool tomoyo_memory_ok(void *ptr); @@ -882,7 +879,6 @@ int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size, void tomoyo_check_acl(struct tomoyo_request_info *r, bool (*check_entry) (const struct tomoyo_request_info *, const struct tomoyo_acl_info *)); -const char *tomoyo_last_word(const char *name); /********** External variable definitions. **********/ @@ -959,8 +955,8 @@ static inline bool tomoyo_invalid(const unsigned char c) static inline void tomoyo_put_name(const struct tomoyo_path_info *name) { if (name) { - struct tomoyo_name_entry *ptr = - container_of(name, struct tomoyo_name_entry, entry); + struct tomoyo_name *ptr = + container_of(name, typeof(*ptr), entry); atomic_dec(&ptr->users); } } diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 05450b17c57..4e0101b0041 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -134,26 +134,22 @@ struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY]; struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP]; /** - * tomoyo_get_last_name - Get last component of a domainname. + * tomoyo_last_word - Get last component of a domainname. * - * @domain: Pointer to "struct tomoyo_domain_info". + * @domainname: Domainname to check. * - * Returns the last component of the domainname. + * Returns the last word of @domainname. */ -const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain) +static const char *tomoyo_last_word(const char *name) { - const char *cp0 = domain->domainname->name; - const char *cp1 = strrchr(cp0, ' '); - - if (cp1) - return cp1 + 1; - return cp0; + const char *cp = strrchr(name, ' '); + if (cp) + return cp + 1; + return name; } -static bool tomoyo_same_transition_control_entry(const struct tomoyo_acl_head * - a, - const struct tomoyo_acl_head * - b) +static bool tomoyo_same_transition_control(const struct tomoyo_acl_head *a, + const struct tomoyo_acl_head *b) { const struct tomoyo_transition_control *p1 = container_of(a, typeof(*p1), @@ -203,7 +199,7 @@ static int tomoyo_update_transition_control_entry(const char *domainname, error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, &tomoyo_policy_list [TOMOYO_ID_TRANSITION_CONTROL], - tomoyo_same_transition_control_entry); + tomoyo_same_transition_control); out: tomoyo_put_name(e.domainname); tomoyo_put_name(e.program); @@ -292,19 +288,17 @@ static u8 tomoyo_transition_type(const struct tomoyo_path_info *domainname, return type; } -static bool tomoyo_same_aggregator_entry(const struct tomoyo_acl_head *a, - const struct tomoyo_acl_head *b) +static bool tomoyo_same_aggregator(const struct tomoyo_acl_head *a, + const struct tomoyo_acl_head *b) { - const struct tomoyo_aggregator_entry *p1 = container_of(a, typeof(*p1), - head); - const struct tomoyo_aggregator_entry *p2 = container_of(b, typeof(*p2), - head); + const struct tomoyo_aggregator *p1 = container_of(a, typeof(*p1), head); + const struct tomoyo_aggregator *p2 = container_of(b, typeof(*p2), head); return p1->original_name == p2->original_name && p1->aggregated_name == p2->aggregated_name; } /** - * tomoyo_update_aggregator_entry - Update "struct tomoyo_aggregator_entry" list. + * tomoyo_update_aggregator_entry - Update "struct tomoyo_aggregator" list. * * @original_name: The original program's name. * @aggregated_name: The program name to use. @@ -318,7 +312,7 @@ static int tomoyo_update_aggregator_entry(const char *original_name, const char *aggregated_name, const bool is_delete) { - struct tomoyo_aggregator_entry e = { }; + struct tomoyo_aggregator e = { }; int error = is_delete ? -ENOENT : -ENOMEM; if (!tomoyo_correct_path(original_name) || @@ -331,7 +325,7 @@ static int tomoyo_update_aggregator_entry(const char *original_name, goto out; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, &tomoyo_policy_list[TOMOYO_ID_AGGREGATOR], - tomoyo_same_aggregator_entry); + tomoyo_same_aggregator); out: tomoyo_put_name(e.original_name); tomoyo_put_name(e.aggregated_name); @@ -339,7 +333,7 @@ static int tomoyo_update_aggregator_entry(const char *original_name, } /** - * tomoyo_write_aggregator_policy - Write "struct tomoyo_aggregator_entry" list. + * tomoyo_write_aggregator - Write "struct tomoyo_aggregator" list. * * @data: String to parse. * @is_delete: True if it is a delete request. @@ -348,7 +342,7 @@ static int tomoyo_update_aggregator_entry(const char *original_name, * * Caller holds tomoyo_read_lock(). */ -int tomoyo_write_aggregator_policy(char *data, const bool is_delete) +int tomoyo_write_aggregator(char *data, const bool is_delete) { char *cp = strchr(data, ' '); @@ -359,7 +353,7 @@ int tomoyo_write_aggregator_policy(char *data, const bool is_delete) } /** - * tomoyo_find_or_assign_new_domain - Create a domain. + * tomoyo_assign_domain - Create a domain. * * @domainname: The name of domain. * @profile: Profile number to assign if the domain was newly created. @@ -368,9 +362,8 @@ int tomoyo_write_aggregator_policy(char *data, const bool is_delete) * * Caller holds tomoyo_read_lock(). */ -struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * - domainname, - const u8 profile) +struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname, + const u8 profile) { struct tomoyo_domain_info *entry; struct tomoyo_domain_info *domain = NULL; @@ -430,10 +423,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) int retval = -ENOMEM; bool need_kfree = false; struct tomoyo_path_info rn = { }; /* real name */ - struct tomoyo_path_info ln; /* last name */ - ln.name = tomoyo_get_last_name(old_domain); - tomoyo_fill_path_info(&ln); mode = tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_EXECUTE); is_enforce = (mode == TOMOYO_CONFIG_ENFORCING); if (!tmp) @@ -454,7 +444,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) /* Check 'aggregator' directive. */ { - struct tomoyo_aggregator_entry *ptr; + struct tomoyo_aggregator *ptr; list_for_each_entry_rcu(ptr, &tomoyo_policy_list [TOMOYO_ID_AGGREGATOR], head.list) { if (ptr->head.is_deleted || @@ -517,7 +507,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) if (error < 0) goto done; } - domain = tomoyo_find_or_assign_new_domain(tmp, old_domain->profile); + domain = tomoyo_assign_domain(tmp, old_domain->profile); done: if (domain) goto out; diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index e7687ebdc5f..f7877fa80f1 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -179,7 +179,7 @@ static int tomoyo_audit_path_log(struct tomoyo_request_info *r) return 0; tomoyo_warn_log(r, "%s %s", operation, filename->name); return tomoyo_supervisor(r, "allow_%s %s\n", operation, - tomoyo_file_pattern(filename)); + tomoyo_pattern(filename)); } /** @@ -199,8 +199,8 @@ static int tomoyo_audit_path2_log(struct tomoyo_request_info *r) tomoyo_warn_log(r, "%s %s %s", operation, filename1->name, filename2->name); return tomoyo_supervisor(r, "allow_%s %s %s\n", operation, - tomoyo_file_pattern(filename1), - tomoyo_file_pattern(filename2)); + tomoyo_pattern(filename1), + tomoyo_pattern(filename2)); } /** @@ -222,8 +222,7 @@ static int tomoyo_audit_mkdev_log(struct tomoyo_request_info *r) tomoyo_warn_log(r, "%s %s 0%o %u %u", operation, filename->name, mode, major, minor); return tomoyo_supervisor(r, "allow_%s %s 0%o %u %u\n", operation, - tomoyo_file_pattern(filename), mode, major, - minor); + tomoyo_pattern(filename), mode, major, minor); } /** @@ -262,20 +261,20 @@ static int tomoyo_audit_path_number_log(struct tomoyo_request_info *r) radix); tomoyo_warn_log(r, "%s %s %s", operation, filename->name, buff |