オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/trunk/1.6.x/ccs-patch/fs/ccs_common.c

Diff of /trunk/1.6.x/ccs-patch/fs/ccs_common.c

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

revision 512 by kumaneko, Thu Sep 27 08:52:16 2007 UTC revision 581 by kumaneko, Tue Oct 16 08:00:21 2007 UTC
# Line 5  Line 5 
5   *   *
6   * Copyright (C) 2005-2007  NTT DATA CORPORATION   * Copyright (C) 2005-2007  NTT DATA CORPORATION
7   *   *
8   * Version: 1.5.0   2007/09/20   * Version: 1.5.1-pre   2007/10/16
9   *   *
10   * This file is applicable to both 2.4.30 and 2.6.11 and later.   * This file is applicable to both 2.4.30 and 2.6.11 and later.
11   * See README.ccs for ChangeLog.   * See README.ccs for ChangeLog.
# Line 64  static struct { Line 64  static struct {
64          [CCS_PROFILE_COMMENT]            = { "COMMENT",             0, 0 }, /* Reserved for string. */          [CCS_PROFILE_COMMENT]            = { "COMMENT",             0, 0 }, /* Reserved for string. */
65          [CCS_TOMOYO_MAC_FOR_FILE]        = { "MAC_FOR_FILE",        0, 3 },          [CCS_TOMOYO_MAC_FOR_FILE]        = { "MAC_FOR_FILE",        0, 3 },
66          [CCS_TOMOYO_MAC_FOR_ARGV0]       = { "MAC_FOR_ARGV0",       0, 3 },          [CCS_TOMOYO_MAC_FOR_ARGV0]       = { "MAC_FOR_ARGV0",       0, 3 },
67            [CCS_TOMOYO_MAC_FOR_ENV]         = { "MAC_FOR_ENV",         0, 3 },
68          [CCS_TOMOYO_MAC_FOR_NETWORK]     = { "MAC_FOR_NETWORK",     0, 3 },          [CCS_TOMOYO_MAC_FOR_NETWORK]     = { "MAC_FOR_NETWORK",     0, 3 },
69          [CCS_TOMOYO_MAC_FOR_SIGNAL]      = { "MAC_FOR_SIGNAL",      0, 3 },          [CCS_TOMOYO_MAC_FOR_SIGNAL]      = { "MAC_FOR_SIGNAL",      0, 3 },
70          [CCS_SAKURA_DENY_CONCEAL_MOUNT]  = { "DENY_CONCEAL_MOUNT",  0, 3 },          [CCS_SAKURA_DENY_CONCEAL_MOUNT]  = { "DENY_CONCEAL_MOUNT",  0, 3 },
# Line 619  static int ReadProfile(struct io_buffer Line 620  static int ReadProfile(struct io_buffer
620  #ifndef CONFIG_TOMOYO  #ifndef CONFIG_TOMOYO
621                                  case CCS_TOMOYO_MAC_FOR_FILE:                                  case CCS_TOMOYO_MAC_FOR_FILE:
622                                  case CCS_TOMOYO_MAC_FOR_ARGV0:                                  case CCS_TOMOYO_MAC_FOR_ARGV0:
623                                    case CCS_TOMOYO_MAC_FOR_ENV:
624                                  case CCS_TOMOYO_MAC_FOR_NETWORK:                                  case CCS_TOMOYO_MAC_FOR_NETWORK:
625                                  case CCS_TOMOYO_MAC_FOR_SIGNAL:                                  case CCS_TOMOYO_MAC_FOR_SIGNAL:
626                                  case CCS_TOMOYO_MAX_ACCEPT_ENTRY:                                  case CCS_TOMOYO_MAX_ACCEPT_ENTRY:
# Line 761  static int IsPolicyManager(void) Line 763  static int IsPolicyManager(void)
763    
764  /*************************  DOMAIN POLICY HANDLER  *************************/  /*************************  DOMAIN POLICY HANDLER  *************************/
765    
766    static char *FindConditionPart(char *data)
767    {
768            char *cp = strstr(data, " if "), *cp2;
769            if (cp) {
770                    while ((cp2 = strstr(cp + 3, " if ")) != NULL) cp = cp2;
771                    *cp++ = '\0';
772            }
773            return cp;
774    }
775    
776  static int AddDomainPolicy(struct io_buffer *head)  static int AddDomainPolicy(struct io_buffer *head)
777  {  {
778          char *data = head->write_buf;          char *data = head->write_buf;
779          struct domain_info *domain = head->write_var1;          struct domain_info *domain = head->write_var1;
780          u8 is_delete = 0, is_select = 0, is_undelete = 0;          u8 is_delete = 0, is_select = 0, is_undelete = 0;
781          unsigned int profile;          unsigned int profile;
782            const struct condition_list *cond = NULL;
783            char *cp;      
784          if (!isRoot()) return -EPERM;          if (!isRoot()) return -EPERM;
785          if (strncmp(data, KEYWORD_DELETE, KEYWORD_DELETE_LEN) == 0) {          if (strncmp(data, KEYWORD_DELETE, KEYWORD_DELETE_LEN) == 0) {
786                  data += KEYWORD_DELETE_LEN;                  data += KEYWORD_DELETE_LEN;
# Line 794  static int AddDomainPolicy(struct io_buf Line 808  static int AddDomainPolicy(struct io_buf
808                  return 0;                  return 0;
809          }          }
810          if (!domain) return -EINVAL;          if (!domain) return -EINVAL;
811    
812          if (sscanf(data, KEYWORD_USE_PROFILE "%u", &profile) == 1 && profile < MAX_PROFILES) {          if (sscanf(data, KEYWORD_USE_PROFILE "%u", &profile) == 1 && profile < MAX_PROFILES) {
813                  if (profile_ptr[profile] || !sbin_init_started) domain->profile = (u8) profile;                  if (profile_ptr[profile] || !sbin_init_started) domain->profile = (u8) profile;
814          } else if (strncmp(data, KEYWORD_ALLOW_CAPABILITY, KEYWORD_ALLOW_CAPABILITY_LEN) == 0) {                  return 0;
815                  return AddCapabilityPolicy(data + KEYWORD_ALLOW_CAPABILITY_LEN, domain, is_delete);          }
816            cp = FindConditionPart(data);
817            if (cp && (cond = FindOrAssignNewCondition(cp)) == NULL) return -EINVAL;
818            if (strncmp(data, KEYWORD_ALLOW_CAPABILITY, KEYWORD_ALLOW_CAPABILITY_LEN) == 0) {
819                    return AddCapabilityPolicy(data + KEYWORD_ALLOW_CAPABILITY_LEN, domain, cond, is_delete);
820          } else if (strncmp(data, KEYWORD_ALLOW_NETWORK, KEYWORD_ALLOW_NETWORK_LEN) == 0) {          } else if (strncmp(data, KEYWORD_ALLOW_NETWORK, KEYWORD_ALLOW_NETWORK_LEN) == 0) {
821                  return AddNetworkPolicy(data + KEYWORD_ALLOW_NETWORK_LEN, domain, is_delete);                  return AddNetworkPolicy(data + KEYWORD_ALLOW_NETWORK_LEN, domain, cond, is_delete);
822          } else if (strncmp(data, KEYWORD_ALLOW_SIGNAL, KEYWORD_ALLOW_SIGNAL_LEN) == 0) {          } else if (strncmp(data, KEYWORD_ALLOW_SIGNAL, KEYWORD_ALLOW_SIGNAL_LEN) == 0) {
823                  return AddSignalPolicy(data + KEYWORD_ALLOW_SIGNAL_LEN, domain, is_delete);                  return AddSignalPolicy(data + KEYWORD_ALLOW_SIGNAL_LEN, domain, cond, is_delete);
824          } else if (strncmp(data, KEYWORD_ALLOW_ARGV0, KEYWORD_ALLOW_ARGV0_LEN) == 0) {          } else if (strncmp(data, KEYWORD_ALLOW_ARGV0, KEYWORD_ALLOW_ARGV0_LEN) == 0) {
825                  return AddArgv0Policy(data + KEYWORD_ALLOW_ARGV0_LEN, domain, is_delete);                  return AddArgv0Policy(data + KEYWORD_ALLOW_ARGV0_LEN, domain, cond, is_delete);
826            } else if (strncmp(data, KEYWORD_ALLOW_ENV, KEYWORD_ALLOW_ENV_LEN) == 0) {
827                    return AddEnvPolicy(data + KEYWORD_ALLOW_ENV_LEN, domain, cond, is_delete);
828          } else {          } else {
829                  return AddFilePolicy(data, domain, is_delete);                  return AddFilePolicy(data, domain, cond, is_delete);
830          }          }
831          return -EINVAL;          return -EINVAL;
832  }  }
# Line 852  static int ReadDomainPolicy(struct io_bu Line 873  static int ReadDomainPolicy(struct io_bu
873                                              DumpCondition(head, ptr->cond)) {                                              DumpCondition(head, ptr->cond)) {
874                                                  head->read_avail = pos; break;                                                  head->read_avail = pos; break;
875                                          }                                          }
876                                    } else if (acl_type == TYPE_ENV_ACL) {
877                                            struct env_acl_record *ptr2 = (struct env_acl_record *) ptr;
878                                            if (io_printf(head, KEYWORD_ALLOW_ENV "%s", ptr2->env->name) ||
879                                                DumpCondition(head, ptr->cond)) {
880                                                    head->read_avail = pos; break;
881                                            }
882                                  } else if (acl_type == TYPE_CAPABILITY_ACL) {                                  } else if (acl_type == TYPE_CAPABILITY_ACL) {
883                                          struct capability_acl_record *ptr2 = (struct capability_acl_record *) ptr;                                          struct capability_acl_record *ptr2 = (struct capability_acl_record *) ptr;
884                                          if (io_printf(head, KEYWORD_ALLOW_CAPABILITY "%s", capability2keyword(ptr2->capability)) ||                                          if (io_printf(head, KEYWORD_ALLOW_CAPABILITY "%s", capability2keyword(ptr2->capability)) ||
# Line 1024  static int AddExceptionPolicy(struct io_ Line 1051  static int AddExceptionPolicy(struct io_
1051                  return AddAggregatorPolicy(data + KEYWORD_AGGREGATOR_LEN, is_delete);                  return AddAggregatorPolicy(data + KEYWORD_AGGREGATOR_LEN, is_delete);
1052          } else if (strncmp(data, KEYWORD_ALLOW_READ, KEYWORD_ALLOW_READ_LEN) == 0) {          } else if (strncmp(data, KEYWORD_ALLOW_READ, KEYWORD_ALLOW_READ_LEN) == 0) {
1053                  return AddGloballyReadablePolicy(data + KEYWORD_ALLOW_READ_LEN, is_delete);                  return AddGloballyReadablePolicy(data + KEYWORD_ALLOW_READ_LEN, is_delete);
1054            } else if (strncmp(data, KEYWORD_ALLOW_ENV, KEYWORD_ALLOW_ENV_LEN) == 0) {
1055                    return AddGloballyUsableEnvPolicy(data + KEYWORD_ALLOW_ENV_LEN, is_delete);
1056          } else if (strncmp(data, KEYWORD_FILE_PATTERN, KEYWORD_FILE_PATTERN_LEN) == 0) {          } else if (strncmp(data, KEYWORD_FILE_PATTERN, KEYWORD_FILE_PATTERN_LEN) == 0) {
1057                  return AddPatternPolicy(data + KEYWORD_FILE_PATTERN_LEN, is_delete);                  return AddPatternPolicy(data + KEYWORD_FILE_PATTERN_LEN, is_delete);
1058          } else if (strncmp(data, KEYWORD_PATH_GROUP, KEYWORD_PATH_GROUP_LEN) == 0) {          } else if (strncmp(data, KEYWORD_PATH_GROUP, KEYWORD_PATH_GROUP_LEN) == 0) {
# Line 1050  static int ReadExceptionPolicy(struct io Line 1079  static int ReadExceptionPolicy(struct io
1079                          if (ReadGloballyReadablePolicy(head)) break;                          if (ReadGloballyReadablePolicy(head)) break;
1080                          head->read_var2 = NULL; head->read_step = 3;                          head->read_var2 = NULL; head->read_step = 3;
1081                  case 3:                  case 3:
1082                          if (ReadDomainInitializerPolicy(head)) break;                          if (ReadGloballyUsableEnvPolicy(head)) break;
1083                          head->read_var2 = NULL; head->read_step = 4;                          head->read_var2 = NULL; head->read_step = 4;
1084                  case 4:                  case 4:
1085                          if (ReadAliasPolicy(head)) break;                          if (ReadDomainInitializerPolicy(head)) break;
1086                          head->read_var2 = NULL; head->read_step = 5;                          head->read_var2 = NULL; head->read_step = 5;
1087                  case 5:                  case 5:
1088                          if (ReadAggregatorPolicy(head)) break;                          if (ReadAliasPolicy(head)) break;
1089                          head->read_var2 = NULL; head->read_step = 6;                          head->read_var2 = NULL; head->read_step = 6;
1090                  case 6:                  case 6:
1091                          if (ReadPatternPolicy(head)) break;                          if (ReadAggregatorPolicy(head)) break;
1092                          head->read_var2 = NULL; head->read_step = 7;                          head->read_var2 = NULL; head->read_step = 7;
1093                  case 7:                  case 7:
1094                          if (ReadNoRewritePolicy(head)) break;                          if (ReadPatternPolicy(head)) break;
1095                          head->read_var2 = NULL; head->read_step = 8;                          head->read_var2 = NULL; head->read_step = 8;
1096                  case 8:                  case 8:
1097                          if (ReadGroupPolicy(head)) break;                          if (ReadNoRewritePolicy(head)) break;
1098                          head->read_var1 = head->read_var2 = NULL; head->read_step = 9;                          head->read_var2 = NULL; head->read_step = 9;
1099                  case 9:                  case 9:
1100                            if (ReadGroupPolicy(head)) break;
1101                            head->read_var1 = head->read_var2 = NULL; head->read_step = 10;
1102                    case 10:
1103                          if (ReadAddressGroupPolicy(head)) break;                          if (ReadAddressGroupPolicy(head)) break;
1104                          head->read_eof = 1;                          head->read_eof = 1;
1105                          break;                          break;
# Line 1200  void CCS_LoadPolicy(const char *filename Line 1232  void CCS_LoadPolicy(const char *filename
1232          printk("SAKURA: 1.5.1-pre   2007/09/27\n");          printk("SAKURA: 1.5.1-pre   2007/09/27\n");
1233  #endif  #endif
1234  #ifdef CONFIG_TOMOYO  #ifdef CONFIG_TOMOYO
1235          printk("TOMOYO: 1.5.1-pre   2007/09/27\n");          printk("TOMOYO: 1.5.1-pre   2007/10/16\n");
1236  #endif  #endif
1237          //if (!profile_loaded) panic("No profiles loaded. Run policy loader using 'init=' option.\n");          //if (!profile_loaded) panic("No profiles loaded. Run policy loader using 'init=' option.\n");
1238          printk("Mandatory Access Control activated.\n");          printk("Mandatory Access Control activated.\n");
Legend:
Removed from v.512  
changed lines
  Added in v.581
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
サイト情報
ソフトウェアを探す
ソフトウェアを作る
コミュニティ
ヘルプ