5 |
* |
* |
6 |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
7 |
* |
* |
8 |
* Version: 1.6.0-pre 2008/03/04 |
* Version: 1.6.0-pre 2008/03/10 |
9 |
* |
* |
10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
11 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
85 |
[CCS_TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, |
[CCS_TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, |
86 |
[CCS_ALLOW_ENFORCE_GRACE] = { "ALLOW_ENFORCE_GRACE", 0, 1 }, |
[CCS_ALLOW_ENFORCE_GRACE] = { "ALLOW_ENFORCE_GRACE", 0, 1 }, |
87 |
[CCS_SLEEP_PERIOD] = { "SLEEP_PERIOD", 0, 3000 }, /* in 0.1 second */ |
[CCS_SLEEP_PERIOD] = { "SLEEP_PERIOD", 0, 3000 }, /* in 0.1 second */ |
|
[CCS_TOMOYO_ALT_EXEC] = { "ALT_EXEC", 0, 0 }, /* Reserved for string. */ |
|
88 |
}; |
}; |
89 |
|
|
90 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
126 |
struct profile { |
struct profile { |
127 |
unsigned int value[CCS_MAX_CONTROL_INDEX]; |
unsigned int value[CCS_MAX_CONTROL_INDEX]; |
128 |
const struct path_info *comment; |
const struct path_info *comment; |
|
const struct path_info *alt_exec; |
|
129 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
130 |
unsigned char capability_value[TOMOYO_MAX_CAPABILITY_INDEX]; |
unsigned char capability_value[TOMOYO_MAX_CAPABILITY_INDEX]; |
131 |
#endif |
#endif |
531 |
if (is_enforce) return "ERROR"; else return "WARNING"; |
if (is_enforce) return "ERROR"; else return "WARNING"; |
532 |
} |
} |
533 |
|
|
|
const char *GetAltExec(void) |
|
|
{ |
|
|
const u8 profile = current->domain_info->profile; |
|
|
const struct path_info *alt_exec = profile_ptr[profile] ? profile_ptr[profile]->alt_exec : NULL; |
|
|
return alt_exec ? alt_exec->name : NULL; |
|
|
} |
|
|
|
|
534 |
/************************* DOMAIN POLICY HANDLER *************************/ |
/************************* DOMAIN POLICY HANDLER *************************/ |
535 |
|
|
536 |
/* Check whether the given access control is enabled. */ |
/* Check whether the given access control is enabled. */ |
649 |
return 0; |
return 0; |
650 |
} |
} |
651 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
|
if (strcmp(data, ccs_control_array[CCS_TOMOYO_ALT_EXEC].keyword) == 0) { |
|
|
cp++; |
|
|
if (*cp && !IsCorrectPath(cp, 1, -1, -1, __FUNCTION__)) cp = ""; |
|
|
profile->alt_exec = SaveName(cp); |
|
|
return 0; |
|
|
} |
|
|
#endif |
|
|
#ifdef CONFIG_TOMOYO |
|
652 |
if (strncmp(data, KEYWORD_MAC_FOR_CAPABILITY, KEYWORD_MAC_FOR_CAPABILITY_LEN) == 0) { |
if (strncmp(data, KEYWORD_MAC_FOR_CAPABILITY, KEYWORD_MAC_FOR_CAPABILITY_LEN) == 0) { |
653 |
if (sscanf(cp + 1, "%u", &value) != 1) { |
if (sscanf(cp + 1, "%u", &value) != 1) { |
654 |
for (i = 0; i < 4; i++) { |
for (i = 0; i < 4; i++) { |
737 |
} |
} |
738 |
if (j == CCS_PROFILE_COMMENT) { |
if (j == CCS_PROFILE_COMMENT) { |
739 |
if (io_printf(head, "%u-%s=%s\n", i, ccs_control_array[CCS_PROFILE_COMMENT].keyword, profile->comment ? profile->comment->name : "")) break; |
if (io_printf(head, "%u-%s=%s\n", i, ccs_control_array[CCS_PROFILE_COMMENT].keyword, profile->comment ? profile->comment->name : "")) break; |
|
} else if (j == CCS_TOMOYO_ALT_EXEC) { |
|
|
const struct path_info *alt_exec = profile->alt_exec; |
|
|
if (io_printf(head, "%u-%s=%s\n", i, ccs_control_array[CCS_TOMOYO_ALT_EXEC].keyword, alt_exec ? alt_exec->name : "")) break; |
|
740 |
} else if (j >= CCS_MAX_CONTROL_INDEX) { |
} else if (j >= CCS_MAX_CONTROL_INDEX) { |
741 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
742 |
const int k = j - CCS_MAX_CONTROL_INDEX; |
const int k = j - CCS_MAX_CONTROL_INDEX; |
821 |
is_delete = true; |
is_delete = true; |
822 |
} |
} |
823 |
if (strcmp(data, "manage_by_non_root") == 0) { |
if (strcmp(data, "manage_by_non_root") == 0) { |
824 |
manage_by_non_root = is_delete; |
manage_by_non_root = !is_delete; |
825 |
return 0; |
return 0; |
826 |
} |
} |
827 |
return AddManagerEntry(data, is_delete); |
return AddManagerEntry(data, is_delete); |
929 |
return 0; |
return 0; |
930 |
} |
} |
931 |
if (strcmp(data, KEYWORD_IGNORE_GLOBAL_ALLOW_READ) == 0) { |
if (strcmp(data, KEYWORD_IGNORE_GLOBAL_ALLOW_READ) == 0) { |
932 |
if (!is_delete) domain->flags |= DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ; |
SetDomainFlag(domain, is_delete, DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ); |
|
else domain->flags &= ~DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ; |
|
933 |
return 0; |
return 0; |
934 |
} |
} |
935 |
if (strcmp(data, KEYWORD_IGNORE_GLOBAL_ALLOW_ENV) == 0) { |
if (strcmp(data, KEYWORD_IGNORE_GLOBAL_ALLOW_ENV) == 0) { |
936 |
if (!is_delete) domain->flags |= DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_ENV; |
SetDomainFlag(domain, is_delete, DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_ENV); |
|
else domain->flags &= ~DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_ENV; |
|
|
return 0; |
|
|
} |
|
|
if (strcmp(data, KEYWORD_FORCE_ALT_EXEC) == 0) { |
|
|
if (!is_delete) domain->flags |= DOMAIN_FLAGS_FORCE_ALT_EXEC; |
|
|
else domain->flags &= ~DOMAIN_FLAGS_FORCE_ALT_EXEC; |
|
937 |
return 0; |
return 0; |
938 |
} |
} |
939 |
cp = FindConditionPart(data); |
cp = FindConditionPart(data); |
1090 |
return false; |
return false; |
1091 |
} |
} |
1092 |
|
|
1093 |
|
static bool print_execute_handler_record(struct io_buffer *head, const char *keyword, struct execute_handler_record *ptr) |
1094 |
|
{ |
1095 |
|
return io_printf(head, "%s %s\n", keyword, ptr->handler->name) == 0; |
1096 |
|
} |
1097 |
|
|
1098 |
static int ReadDomainPolicy(struct io_buffer *head) |
static int ReadDomainPolicy(struct io_buffer *head) |
1099 |
{ |
{ |
1100 |
struct list1_head *dpos; |
struct list1_head *dpos; |
1106 |
domain = list1_entry(dpos, struct domain_info, list); |
domain = list1_entry(dpos, struct domain_info, list); |
1107 |
if (head->read_step != 1) goto acl_loop; |
if (head->read_step != 1) goto acl_loop; |
1108 |
if (domain->is_deleted) continue; |
if (domain->is_deleted) continue; |
1109 |
if (io_printf(head, "%s\n" KEYWORD_USE_PROFILE "%u\n%s\n%s%s%s", domain->domainname->name, domain->profile, domain->quota_warned ? "quota_exceeded\n" : "", domain->flags & DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ ? KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n" : "", domain->flags & DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_ENV ? KEYWORD_IGNORE_GLOBAL_ALLOW_ENV "\n" : "", domain->flags & DOMAIN_FLAGS_FORCE_ALT_EXEC ? KEYWORD_FORCE_ALT_EXEC "\n" : "")) return 0; |
if (io_printf(head, "%s\n" KEYWORD_USE_PROFILE "%u\n%s\n%s%s", domain->domainname->name, domain->profile, domain->quota_warned ? "quota_exceeded\n" : "", domain->flags & DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ ? KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n" : "", domain->flags & DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_ENV ? KEYWORD_IGNORE_GLOBAL_ALLOW_ENV "\n" : "")) return 0; |
1110 |
head->read_step = 2; |
head->read_step = 2; |
1111 |
acl_loop: ; |
acl_loop: ; |
1112 |
if (head->read_step == 3) goto tail_mark; |
if (head->read_step == 3) goto tail_mark; |
1133 |
if (!print_network_acl(head, container_of(ptr, struct ip_network_acl_record, head), cond)) return 0; |
if (!print_network_acl(head, container_of(ptr, struct ip_network_acl_record, head), cond)) return 0; |
1134 |
} else if (acl_type == TYPE_SIGNAL_ACL) { |
} else if (acl_type == TYPE_SIGNAL_ACL) { |
1135 |
if (!print_signal_acl(head, container_of(ptr, struct signal_acl_record, head), cond)) return 0; |
if (!print_signal_acl(head, container_of(ptr, struct signal_acl_record, head), cond)) return 0; |
1136 |
|
} else if (acl_type == TYPE_PREFERRED_EXECUTE_HANDLER) { |
1137 |
|
if (!print_execute_handler_record(head, KEYWORD_PREFERRED_EXECUTE_HANDLER, container_of(ptr, struct execute_handler_record, head))) return 0; |
1138 |
|
} else if (acl_type == TYPE_DEFAULT_EXECUTE_HANDLER) { |
1139 |
|
if (!print_execute_handler_record(head, KEYWORD_DEFAULT_EXECUTE_HANDLER, container_of(ptr, struct execute_handler_record, head))) return 0; |
1140 |
} else { |
} else { |
1141 |
BUG(); |
BUG(); |
1142 |
} |
} |
1412 |
} |
} |
1413 |
} |
} |
1414 |
#ifdef CONFIG_SAKURA |
#ifdef CONFIG_SAKURA |
1415 |
printk("SAKURA: 1.6.0-pre 2008/03/04\n"); |
printk("SAKURA: 1.6.0-pre 2008/03/10\n"); |
1416 |
#endif |
#endif |
1417 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
1418 |
printk("TOMOYO: 1.6.0-pre 2008/03/04\n"); |
printk("TOMOYO: 1.6.0-pre 2008/03/10\n"); |
1419 |
#endif |
#endif |
1420 |
printk("Mandatory Access Control activated.\n"); |
printk("Mandatory Access Control activated.\n"); |
1421 |
sbin_init_started = true; |
sbin_init_started = true; |
1879 |
case TYPE_SIGNAL_ACL: |
case TYPE_SIGNAL_ACL: |
1880 |
len = sizeof(struct signal_acl_record); |
len = sizeof(struct signal_acl_record); |
1881 |
break; |
break; |
1882 |
|
case TYPE_PREFERRED_EXECUTE_HANDLER: |
1883 |
|
case TYPE_DEFAULT_EXECUTE_HANDLER: |
1884 |
|
len = sizeof(struct execute_handler_record); |
1885 |
|
break; |
1886 |
default: |
default: |
1887 |
return NULL; |
return NULL; |
1888 |
} |
} |