5 |
* |
* |
6 |
* Copyright (C) 2005-2007 NTT DATA CORPORATION |
* Copyright (C) 2005-2007 NTT DATA CORPORATION |
7 |
* |
* |
8 |
* Version: 1.5.0 2007/09/20 |
* Version: 1.5.1-pre 2007/10/16 |
9 |
* |
* |
10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
11 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
64 |
[CCS_PROFILE_COMMENT] = { "COMMENT", 0, 0 }, /* Reserved for string. */ |
[CCS_PROFILE_COMMENT] = { "COMMENT", 0, 0 }, /* Reserved for string. */ |
65 |
[CCS_TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, |
[CCS_TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, |
66 |
[CCS_TOMOYO_MAC_FOR_ARGV0] = { "MAC_FOR_ARGV0", 0, 3 }, |
[CCS_TOMOYO_MAC_FOR_ARGV0] = { "MAC_FOR_ARGV0", 0, 3 }, |
67 |
|
[CCS_TOMOYO_MAC_FOR_ENV] = { "MAC_FOR_ENV", 0, 3 }, |
68 |
[CCS_TOMOYO_MAC_FOR_NETWORK] = { "MAC_FOR_NETWORK", 0, 3 }, |
[CCS_TOMOYO_MAC_FOR_NETWORK] = { "MAC_FOR_NETWORK", 0, 3 }, |
69 |
[CCS_TOMOYO_MAC_FOR_SIGNAL] = { "MAC_FOR_SIGNAL", 0, 3 }, |
[CCS_TOMOYO_MAC_FOR_SIGNAL] = { "MAC_FOR_SIGNAL", 0, 3 }, |
70 |
[CCS_SAKURA_DENY_CONCEAL_MOUNT] = { "DENY_CONCEAL_MOUNT", 0, 3 }, |
[CCS_SAKURA_DENY_CONCEAL_MOUNT] = { "DENY_CONCEAL_MOUNT", 0, 3 }, |
620 |
#ifndef CONFIG_TOMOYO |
#ifndef CONFIG_TOMOYO |
621 |
case CCS_TOMOYO_MAC_FOR_FILE: |
case CCS_TOMOYO_MAC_FOR_FILE: |
622 |
case CCS_TOMOYO_MAC_FOR_ARGV0: |
case CCS_TOMOYO_MAC_FOR_ARGV0: |
623 |
|
case CCS_TOMOYO_MAC_FOR_ENV: |
624 |
case CCS_TOMOYO_MAC_FOR_NETWORK: |
case CCS_TOMOYO_MAC_FOR_NETWORK: |
625 |
case CCS_TOMOYO_MAC_FOR_SIGNAL: |
case CCS_TOMOYO_MAC_FOR_SIGNAL: |
626 |
case CCS_TOMOYO_MAX_ACCEPT_ENTRY: |
case CCS_TOMOYO_MAX_ACCEPT_ENTRY: |
763 |
|
|
764 |
/************************* DOMAIN POLICY HANDLER *************************/ |
/************************* DOMAIN POLICY HANDLER *************************/ |
765 |
|
|
766 |
|
static char *FindConditionPart(char *data) |
767 |
|
{ |
768 |
|
char *cp = strstr(data, " if "), *cp2; |
769 |
|
if (cp) { |
770 |
|
while ((cp2 = strstr(cp + 3, " if ")) != NULL) cp = cp2; |
771 |
|
*cp++ = '\0'; |
772 |
|
} |
773 |
|
return cp; |
774 |
|
} |
775 |
|
|
776 |
static int AddDomainPolicy(struct io_buffer *head) |
static int AddDomainPolicy(struct io_buffer *head) |
777 |
{ |
{ |
778 |
char *data = head->write_buf; |
char *data = head->write_buf; |
779 |
struct domain_info *domain = head->write_var1; |
struct domain_info *domain = head->write_var1; |
780 |
u8 is_delete = 0, is_select = 0, is_undelete = 0; |
u8 is_delete = 0, is_select = 0, is_undelete = 0; |
781 |
unsigned int profile; |
unsigned int profile; |
782 |
|
const struct condition_list *cond = NULL; |
783 |
|
char *cp; |
784 |
if (!isRoot()) return -EPERM; |
if (!isRoot()) return -EPERM; |
785 |
if (strncmp(data, KEYWORD_DELETE, KEYWORD_DELETE_LEN) == 0) { |
if (strncmp(data, KEYWORD_DELETE, KEYWORD_DELETE_LEN) == 0) { |
786 |
data += KEYWORD_DELETE_LEN; |
data += KEYWORD_DELETE_LEN; |
808 |
return 0; |
return 0; |
809 |
} |
} |
810 |
if (!domain) return -EINVAL; |
if (!domain) return -EINVAL; |
811 |
|
|
812 |
if (sscanf(data, KEYWORD_USE_PROFILE "%u", &profile) == 1 && profile < MAX_PROFILES) { |
if (sscanf(data, KEYWORD_USE_PROFILE "%u", &profile) == 1 && profile < MAX_PROFILES) { |
813 |
if (profile_ptr[profile] || !sbin_init_started) domain->profile = (u8) profile; |
if (profile_ptr[profile] || !sbin_init_started) domain->profile = (u8) profile; |
814 |
} else if (strncmp(data, KEYWORD_ALLOW_CAPABILITY, KEYWORD_ALLOW_CAPABILITY_LEN) == 0) { |
return 0; |
815 |
return AddCapabilityPolicy(data + KEYWORD_ALLOW_CAPABILITY_LEN, domain, is_delete); |
} |
816 |
|
cp = FindConditionPart(data); |
817 |
|
if (cp && (cond = FindOrAssignNewCondition(cp)) == NULL) return -EINVAL; |
818 |
|
if (strncmp(data, KEYWORD_ALLOW_CAPABILITY, KEYWORD_ALLOW_CAPABILITY_LEN) == 0) { |
819 |
|
return AddCapabilityPolicy(data + KEYWORD_ALLOW_CAPABILITY_LEN, domain, cond, is_delete); |
820 |
} else if (strncmp(data, KEYWORD_ALLOW_NETWORK, KEYWORD_ALLOW_NETWORK_LEN) == 0) { |
} else if (strncmp(data, KEYWORD_ALLOW_NETWORK, KEYWORD_ALLOW_NETWORK_LEN) == 0) { |
821 |
return AddNetworkPolicy(data + KEYWORD_ALLOW_NETWORK_LEN, domain, is_delete); |
return AddNetworkPolicy(data + KEYWORD_ALLOW_NETWORK_LEN, domain, cond, is_delete); |
822 |
} else if (strncmp(data, KEYWORD_ALLOW_SIGNAL, KEYWORD_ALLOW_SIGNAL_LEN) == 0) { |
} else if (strncmp(data, KEYWORD_ALLOW_SIGNAL, KEYWORD_ALLOW_SIGNAL_LEN) == 0) { |
823 |
return AddSignalPolicy(data + KEYWORD_ALLOW_SIGNAL_LEN, domain, is_delete); |
return AddSignalPolicy(data + KEYWORD_ALLOW_SIGNAL_LEN, domain, cond, is_delete); |
824 |
} else if (strncmp(data, KEYWORD_ALLOW_ARGV0, KEYWORD_ALLOW_ARGV0_LEN) == 0) { |
} else if (strncmp(data, KEYWORD_ALLOW_ARGV0, KEYWORD_ALLOW_ARGV0_LEN) == 0) { |
825 |
return AddArgv0Policy(data + KEYWORD_ALLOW_ARGV0_LEN, domain, is_delete); |
return AddArgv0Policy(data + KEYWORD_ALLOW_ARGV0_LEN, domain, cond, is_delete); |
826 |
|
} else if (strncmp(data, KEYWORD_ALLOW_ENV, KEYWORD_ALLOW_ENV_LEN) == 0) { |
827 |
|
return AddEnvPolicy(data + KEYWORD_ALLOW_ENV_LEN, domain, cond, is_delete); |
828 |
} else { |
} else { |
829 |
return AddFilePolicy(data, domain, is_delete); |
return AddFilePolicy(data, domain, cond, is_delete); |
830 |
} |
} |
831 |
return -EINVAL; |
return -EINVAL; |
832 |
} |
} |
873 |
DumpCondition(head, ptr->cond)) { |
DumpCondition(head, ptr->cond)) { |
874 |
head->read_avail = pos; break; |
head->read_avail = pos; break; |
875 |
} |
} |
876 |
|
} else if (acl_type == TYPE_ENV_ACL) { |
877 |
|
struct env_acl_record *ptr2 = (struct env_acl_record *) ptr; |
878 |
|
if (io_printf(head, KEYWORD_ALLOW_ENV "%s", ptr2->env->name) || |
879 |
|
DumpCondition(head, ptr->cond)) { |
880 |
|
head->read_avail = pos; break; |
881 |
|
} |
882 |
} else if (acl_type == TYPE_CAPABILITY_ACL) { |
} else if (acl_type == TYPE_CAPABILITY_ACL) { |
883 |
struct capability_acl_record *ptr2 = (struct capability_acl_record *) ptr; |
struct capability_acl_record *ptr2 = (struct capability_acl_record *) ptr; |
884 |
if (io_printf(head, KEYWORD_ALLOW_CAPABILITY "%s", capability2keyword(ptr2->capability)) || |
if (io_printf(head, KEYWORD_ALLOW_CAPABILITY "%s", capability2keyword(ptr2->capability)) || |
1051 |
return AddAggregatorPolicy(data + KEYWORD_AGGREGATOR_LEN, is_delete); |
return AddAggregatorPolicy(data + KEYWORD_AGGREGATOR_LEN, is_delete); |
1052 |
} else if (strncmp(data, KEYWORD_ALLOW_READ, KEYWORD_ALLOW_READ_LEN) == 0) { |
} else if (strncmp(data, KEYWORD_ALLOW_READ, KEYWORD_ALLOW_READ_LEN) == 0) { |
1053 |
return AddGloballyReadablePolicy(data + KEYWORD_ALLOW_READ_LEN, is_delete); |
return AddGloballyReadablePolicy(data + KEYWORD_ALLOW_READ_LEN, is_delete); |
1054 |
|
} else if (strncmp(data, KEYWORD_ALLOW_ENV, KEYWORD_ALLOW_ENV_LEN) == 0) { |
1055 |
|
return AddGloballyUsableEnvPolicy(data + KEYWORD_ALLOW_ENV_LEN, is_delete); |
1056 |
} else if (strncmp(data, KEYWORD_FILE_PATTERN, KEYWORD_FILE_PATTERN_LEN) == 0) { |
} else if (strncmp(data, KEYWORD_FILE_PATTERN, KEYWORD_FILE_PATTERN_LEN) == 0) { |
1057 |
return AddPatternPolicy(data + KEYWORD_FILE_PATTERN_LEN, is_delete); |
return AddPatternPolicy(data + KEYWORD_FILE_PATTERN_LEN, is_delete); |
1058 |
} else if (strncmp(data, KEYWORD_PATH_GROUP, KEYWORD_PATH_GROUP_LEN) == 0) { |
} else if (strncmp(data, KEYWORD_PATH_GROUP, KEYWORD_PATH_GROUP_LEN) == 0) { |
1079 |
if (ReadGloballyReadablePolicy(head)) break; |
if (ReadGloballyReadablePolicy(head)) break; |
1080 |
head->read_var2 = NULL; head->read_step = 3; |
head->read_var2 = NULL; head->read_step = 3; |
1081 |
case 3: |
case 3: |
1082 |
if (ReadDomainInitializerPolicy(head)) break; |
if (ReadGloballyUsableEnvPolicy(head)) break; |
1083 |
head->read_var2 = NULL; head->read_step = 4; |
head->read_var2 = NULL; head->read_step = 4; |
1084 |
case 4: |
case 4: |
1085 |
if (ReadAliasPolicy(head)) break; |
if (ReadDomainInitializerPolicy(head)) break; |
1086 |
head->read_var2 = NULL; head->read_step = 5; |
head->read_var2 = NULL; head->read_step = 5; |
1087 |
case 5: |
case 5: |
1088 |
if (ReadAggregatorPolicy(head)) break; |
if (ReadAliasPolicy(head)) break; |
1089 |
head->read_var2 = NULL; head->read_step = 6; |
head->read_var2 = NULL; head->read_step = 6; |
1090 |
case 6: |
case 6: |
1091 |
if (ReadPatternPolicy(head)) break; |
if (ReadAggregatorPolicy(head)) break; |
1092 |
head->read_var2 = NULL; head->read_step = 7; |
head->read_var2 = NULL; head->read_step = 7; |
1093 |
case 7: |
case 7: |
1094 |
if (ReadNoRewritePolicy(head)) break; |
if (ReadPatternPolicy(head)) break; |
1095 |
head->read_var2 = NULL; head->read_step = 8; |
head->read_var2 = NULL; head->read_step = 8; |
1096 |
case 8: |
case 8: |
1097 |
if (ReadGroupPolicy(head)) break; |
if (ReadNoRewritePolicy(head)) break; |
1098 |
head->read_var1 = head->read_var2 = NULL; head->read_step = 9; |
head->read_var2 = NULL; head->read_step = 9; |
1099 |
case 9: |
case 9: |
1100 |
|
if (ReadGroupPolicy(head)) break; |
1101 |
|
head->read_var1 = head->read_var2 = NULL; head->read_step = 10; |
1102 |
|
case 10: |
1103 |
if (ReadAddressGroupPolicy(head)) break; |
if (ReadAddressGroupPolicy(head)) break; |
1104 |
head->read_eof = 1; |
head->read_eof = 1; |
1105 |
break; |
break; |
1232 |
printk("SAKURA: 1.5.1-pre 2007/09/27\n"); |
printk("SAKURA: 1.5.1-pre 2007/09/27\n"); |
1233 |
#endif |
#endif |
1234 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
1235 |
printk("TOMOYO: 1.5.1-pre 2007/09/27\n"); |
printk("TOMOYO: 1.5.1-pre 2007/10/16\n"); |
1236 |
#endif |
#endif |
1237 |
//if (!profile_loaded) panic("No profiles loaded. Run policy loader using 'init=' option.\n"); |
//if (!profile_loaded) panic("No profiles loaded. Run policy loader using 'init=' option.\n"); |
1238 |
printk("Mandatory Access Control activated.\n"); |
printk("Mandatory Access Control activated.\n"); |
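Review bot: In AddDomainPolicy, the new `return 0;` after the `KEYWORD_USE_PROFILE` branch reports success even when the assignment is skipped because `profile_ptr[profile]` is unset once `sbin_init_started` is set, so whoever writes the policy cannot tell that the domain kept its previous profile. For a mandatory-access-control interface that silent no-op is worth surfacing, for example with `if (!profile_ptr[profile] && sbin_init_started) return -EINVAL;` ahead of the assignment, assuming callers act on the return value (not visible here). Separately, the new FindConditionPart would benefit from a comment such as `/* Splits data at the last " if ": NUL-terminates the rule there and returns a pointer to the "if ..." part, or NULL if there is none. */`, and since every branch of the keyword chain now returns, the trailing `return -EINVAL;` looks unreachable. Part of AddDomainPolicy's body, between the delete-keyword handling and `if (!domain)`, lies outside the displayed lines.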