aboutsummaryrefslogtreecommitdiff
path: root/security/tomoyo
diff options
context:
space:
mode:
Diffstat (limited to 'security/tomoyo')
-rw-r--r--security/tomoyo/common.c25
-rw-r--r--security/tomoyo/common.h2
-rw-r--r--security/tomoyo/path_group.c2
3 files changed, 23 insertions, 6 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 57ddfc5d9c5..98e3639db99 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -366,7 +366,7 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
*
* or
*
- * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
+ * # echo '/usr/sbin/tomoyo-editpolicy' > /sys/kernel/security/tomoyo/manager
* (if you want to specify by a program's location)
*
* and is deleted by
@@ -376,7 +376,7 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
*
* or
*
- * # echo 'delete /usr/lib/ccs/editpolicy' > \
+ * # echo 'delete /usr/sbin/tomoyo-editpolicy' > \
* /sys/kernel/security/tomoyo/manager
*
* and all entries are retrieved by
@@ -556,12 +556,17 @@ static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
{
unsigned int pid;
struct tomoyo_domain_info *domain = NULL;
+ bool global_pid = false;
- if (sscanf(data, "pid=%u", &pid) == 1) {
+ if (sscanf(data, "pid=%u", &pid) == 1 ||
+ (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
struct task_struct *p;
rcu_read_lock();
read_lock(&tasklist_lock);
- p = find_task_by_vpid(pid);
+ if (global_pid)
+ p = find_task_by_pid_ns(pid, &init_pid_ns);
+ else
+ p = find_task_by_vpid(pid);
if (p)
domain = tomoyo_real_domain(p);
read_unlock(&tasklist_lock);
@@ -697,6 +702,14 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
domain->ignore_global_allow_read = !is_delete;
return 0;
}
+ if (!strcmp(data, TOMOYO_KEYWORD_QUOTA_EXCEEDED)) {
+ domain->quota_warned = !is_delete;
+ return 0;
+ }
+ if (!strcmp(data, TOMOYO_KEYWORD_TRANSITION_FAILED)) {
+ domain->transition_failed = !is_delete;
+ return 0;
+ }
return tomoyo_write_domain_policy2(data, domain, is_delete);
}
@@ -853,6 +866,8 @@ static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head,
struct tomoyo_mount_acl *ptr)
{
const int pos = head->read_avail;
+ if (ptr->is_deleted)
+ return true;
if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) ||
!tomoyo_print_name_union(head, &ptr->dev_name) ||
!tomoyo_print_name_union(head, &ptr->dir_name) ||
@@ -993,7 +1008,7 @@ tail_mark:
* This is equivalent to doing
*
* ( echo "select " $domainname; echo "use_profile " $profile ) |
- * /usr/lib/ccs/loadpolicy -d
+ * /usr/sbin/tomoyo-loadpolicy -d
*
* Caller holds tomoyo_read_lock().
*/
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index be03e4a21db..6270a530c4d 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -68,6 +68,8 @@ enum tomoyo_mode_index {
#define TOMOYO_KEYWORD_SELECT "select "
#define TOMOYO_KEYWORD_USE_PROFILE "use_profile "
#define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read"
+#define TOMOYO_KEYWORD_QUOTA_EXCEEDED "quota_exceeded"
+#define TOMOYO_KEYWORD_TRANSITION_FAILED "transition_failed"
/* A domain definition starts with <kernel>. */
#define TOMOYO_ROOT_NAME "<kernel>"
#define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1)
diff --git a/security/tomoyo/path_group.c b/security/tomoyo/path_group.c
index c988041c8e1..636025e26b0 100644
--- a/security/tomoyo/path_group.c
+++ b/security/tomoyo/path_group.c
@@ -6,7 +6,7 @@
#include <linux/slab.h>
#include "common.h"
-/* The list for "struct ccs_path_group". */
+/* The list for "struct tomoyo_path_group". */
LIST_HEAD(tomoyo_path_group_list);
/**