| 5 |
* |
* |
| 6 |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
| 7 |
* |
* |
| 8 |
* Version: 1.6.0-pre 2008/03/04 |
* Version: 1.6.0-pre 2008/03/10 |
| 9 |
* |
* |
| 10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
| 11 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
| 85 |
[CCS_TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, |
[CCS_TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, |
| 86 |
[CCS_ALLOW_ENFORCE_GRACE] = { "ALLOW_ENFORCE_GRACE", 0, 1 }, |
[CCS_ALLOW_ENFORCE_GRACE] = { "ALLOW_ENFORCE_GRACE", 0, 1 }, |
| 87 |
[CCS_SLEEP_PERIOD] = { "SLEEP_PERIOD", 0, 3000 }, /* in 0.1 second */ |
[CCS_SLEEP_PERIOD] = { "SLEEP_PERIOD", 0, 3000 }, /* in 0.1 second */ |
|
[CCS_TOMOYO_ALT_EXEC] = { "ALT_EXEC", 0, 0 }, /* Reserved for string. */ |
|
| 88 |
}; |
}; |
| 89 |
|
|
| 90 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
| 126 |
struct profile { |
struct profile { |
| 127 |
unsigned int value[CCS_MAX_CONTROL_INDEX]; |
unsigned int value[CCS_MAX_CONTROL_INDEX]; |
| 128 |
const struct path_info *comment; |
const struct path_info *comment; |
|
const struct path_info *alt_exec; |
|
| 129 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
| 130 |
unsigned char capability_value[TOMOYO_MAX_CAPABILITY_INDEX]; |
unsigned char capability_value[TOMOYO_MAX_CAPABILITY_INDEX]; |
| 131 |
#endif |
#endif |
| 531 |
if (is_enforce) return "ERROR"; else return "WARNING"; |
if (is_enforce) return "ERROR"; else return "WARNING"; |
| 532 |
} |
} |
| 533 |
|
|
|
const char *GetAltExec(void) |
|
|
{ |
|
|
const u8 profile = current->domain_info->profile; |
|
|
const struct path_info *alt_exec = profile_ptr[profile] ? profile_ptr[profile]->alt_exec : NULL; |
|
|
return alt_exec ? alt_exec->name : NULL; |
|
|
} |
|
|
|
|
| 534 |
/************************* DOMAIN POLICY HANDLER *************************/ |
/************************* DOMAIN POLICY HANDLER *************************/ |
| 535 |
|
|
| 536 |
/* Check whether the given access control is enabled. */ |
/* Check whether the given access control is enabled. */ |
| 649 |
return 0; |
return 0; |
| 650 |
} |
} |
| 651 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
|
if (strcmp(data, ccs_control_array[CCS_TOMOYO_ALT_EXEC].keyword) == 0) { |
|
|
cp++; |
|
|
if (*cp && !IsCorrectPath(cp, 1, -1, -1, __FUNCTION__)) cp = ""; |
|
|
profile->alt_exec = SaveName(cp); |
|
|
return 0; |
|
|
} |
|
|
#endif |
|
|
#ifdef CONFIG_TOMOYO |
|
| 652 |
if (strncmp(data, KEYWORD_MAC_FOR_CAPABILITY, KEYWORD_MAC_FOR_CAPABILITY_LEN) == 0) { |
if (strncmp(data, KEYWORD_MAC_FOR_CAPABILITY, KEYWORD_MAC_FOR_CAPABILITY_LEN) == 0) { |
| 653 |
if (sscanf(cp + 1, "%u", &value) != 1) { |
if (sscanf(cp + 1, "%u", &value) != 1) { |
| 654 |
for (i = 0; i < 4; i++) { |
for (i = 0; i < 4; i++) { |
| 737 |
} |
} |
| 738 |
if (j == CCS_PROFILE_COMMENT) { |
if (j == CCS_PROFILE_COMMENT) { |
| 739 |
if (io_printf(head, "%u-%s=%s\n", i, ccs_control_array[CCS_PROFILE_COMMENT].keyword, profile->comment ? profile->comment->name : "")) break; |
if (io_printf(head, "%u-%s=%s\n", i, ccs_control_array[CCS_PROFILE_COMMENT].keyword, profile->comment ? profile->comment->name : "")) break; |
|
} else if (j == CCS_TOMOYO_ALT_EXEC) { |
|
|
const struct path_info *alt_exec = profile->alt_exec; |
|
|
if (io_printf(head, "%u-%s=%s\n", i, ccs_control_array[CCS_TOMOYO_ALT_EXEC].keyword, alt_exec ? alt_exec->name : "")) break; |
|
| 740 |
} else if (j >= CCS_MAX_CONTROL_INDEX) { |
} else if (j >= CCS_MAX_CONTROL_INDEX) { |
| 741 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
| 742 |
const int k = j - CCS_MAX_CONTROL_INDEX; |
const int k = j - CCS_MAX_CONTROL_INDEX; |
| 821 |
is_delete = true; |
is_delete = true; |
| 822 |
} |
} |
| 823 |
if (strcmp(data, "manage_by_non_root") == 0) { |
if (strcmp(data, "manage_by_non_root") == 0) { |
| 824 |
manage_by_non_root = is_delete; |
manage_by_non_root = !is_delete; |
| 825 |
return 0; |
return 0; |
| 826 |
} |
} |
| 827 |
return AddManagerEntry(data, is_delete); |
return AddManagerEntry(data, is_delete); |
| 929 |
return 0; |
return 0; |
| 930 |
} |
} |
| 931 |
if (strcmp(data, KEYWORD_IGNORE_GLOBAL_ALLOW_READ) == 0) { |
if (strcmp(data, KEYWORD_IGNORE_GLOBAL_ALLOW_READ) == 0) { |
| 932 |
if (!is_delete) domain->flags |= DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ; |
SetDomainFlag(domain, is_delete, DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ); |
|
else domain->flags &= ~DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ; |
|
| 933 |
return 0; |
return 0; |
| 934 |
} |
} |
| 935 |
if (strcmp(data, KEYWORD_IGNORE_GLOBAL_ALLOW_ENV) == 0) { |
if (strcmp(data, KEYWORD_IGNORE_GLOBAL_ALLOW_ENV) == 0) { |
| 936 |
if (!is_delete) domain->flags |= DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_ENV; |
SetDomainFlag(domain, is_delete, DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_ENV); |
|
else domain->flags &= ~DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_ENV; |
|
|
return 0; |
|
|
} |
|
|
if (strcmp(data, KEYWORD_FORCE_ALT_EXEC) == 0) { |
|
|
if (!is_delete) domain->flags |= DOMAIN_FLAGS_FORCE_ALT_EXEC; |
|
|
else domain->flags &= ~DOMAIN_FLAGS_FORCE_ALT_EXEC; |
|
| 937 |
return 0; |
return 0; |
| 938 |
} |
} |
| 939 |
cp = FindConditionPart(data); |
cp = FindConditionPart(data); |
| 1090 |
return false; |
return false; |
| 1091 |
} |
} |
| 1092 |
|
|
| 1093 |
|
static bool print_execute_handler_record(struct io_buffer *head, const char *keyword, struct execute_handler_record *ptr) |
| 1094 |
|
{ |
| 1095 |
|
return io_printf(head, "%s %s\n", keyword, ptr->handler->name) == 0; |
| 1096 |
|
} |
| 1097 |
|
|
| 1098 |
static int ReadDomainPolicy(struct io_buffer *head) |
static int ReadDomainPolicy(struct io_buffer *head) |
| 1099 |
{ |
{ |
| 1100 |
struct list1_head *dpos; |
struct list1_head *dpos; |
| 1106 |
domain = list1_entry(dpos, struct domain_info, list); |
domain = list1_entry(dpos, struct domain_info, list); |
| 1107 |
if (head->read_step != 1) goto acl_loop; |
if (head->read_step != 1) goto acl_loop; |
| 1108 |
if (domain->is_deleted) continue; |
if (domain->is_deleted) continue; |
| 1109 |
if (io_printf(head, "%s\n" KEYWORD_USE_PROFILE "%u\n%s\n%s%s%s", domain->domainname->name, domain->profile, domain->quota_warned ? "quota_exceeded\n" : "", domain->flags & DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ ? KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n" : "", domain->flags & DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_ENV ? KEYWORD_IGNORE_GLOBAL_ALLOW_ENV "\n" : "", domain->flags & DOMAIN_FLAGS_FORCE_ALT_EXEC ? KEYWORD_FORCE_ALT_EXEC "\n" : "")) return 0; |
if (io_printf(head, "%s\n" KEYWORD_USE_PROFILE "%u\n%s\n%s%s", domain->domainname->name, domain->profile, domain->quota_warned ? "quota_exceeded\n" : "", domain->flags & DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ ? KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n" : "", domain->flags & DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_ENV ? KEYWORD_IGNORE_GLOBAL_ALLOW_ENV "\n" : "")) return 0; |
| 1110 |
head->read_step = 2; |
head->read_step = 2; |
| 1111 |
acl_loop: ; |
acl_loop: ; |
| 1112 |
if (head->read_step == 3) goto tail_mark; |
if (head->read_step == 3) goto tail_mark; |
| 1133 |
if (!print_network_acl(head, container_of(ptr, struct ip_network_acl_record, head), cond)) return 0; |
if (!print_network_acl(head, container_of(ptr, struct ip_network_acl_record, head), cond)) return 0; |
| 1134 |
} else if (acl_type == TYPE_SIGNAL_ACL) { |
} else if (acl_type == TYPE_SIGNAL_ACL) { |
| 1135 |
if (!print_signal_acl(head, container_of(ptr, struct signal_acl_record, head), cond)) return 0; |
if (!print_signal_acl(head, container_of(ptr, struct signal_acl_record, head), cond)) return 0; |
| 1136 |
|
} else if (acl_type == TYPE_PREFERRED_EXECUTE_HANDLER) { |
| 1137 |
|
if (!print_execute_handler_record(head, KEYWORD_PREFERRED_EXECUTE_HANDLER, container_of(ptr, struct execute_handler_record, head))) return 0; |
| 1138 |
|
} else if (acl_type == TYPE_DEFAULT_EXECUTE_HANDLER) { |
| 1139 |
|
if (!print_execute_handler_record(head, KEYWORD_DEFAULT_EXECUTE_HANDLER, container_of(ptr, struct execute_handler_record, head))) return 0; |
| 1140 |
} else { |
} else { |
| 1141 |
BUG(); |
BUG(); |
| 1142 |
} |
} |
| 1412 |
} |
} |
| 1413 |
} |
} |
| 1414 |
#ifdef CONFIG_SAKURA |
#ifdef CONFIG_SAKURA |
| 1415 |
printk("SAKURA: 1.6.0-pre 2008/03/04\n"); |
printk("SAKURA: 1.6.0-pre 2008/03/10\n"); |
| 1416 |
#endif |
#endif |
| 1417 |
#ifdef CONFIG_TOMOYO |
#ifdef CONFIG_TOMOYO |
| 1418 |
printk("TOMOYO: 1.6.0-pre 2008/03/04\n"); |
printk("TOMOYO: 1.6.0-pre 2008/03/10\n"); |
| 1419 |
#endif |
#endif |
| 1420 |
printk("Mandatory Access Control activated.\n"); |
printk("Mandatory Access Control activated.\n"); |
| 1421 |
sbin_init_started = true; |
sbin_init_started = true; |
| 1879 |
case TYPE_SIGNAL_ACL: |
case TYPE_SIGNAL_ACL: |
| 1880 |
len = sizeof(struct signal_acl_record); |
len = sizeof(struct signal_acl_record); |
| 1881 |
break; |
break; |
| 1882 |
|
case TYPE_PREFERRED_EXECUTE_HANDLER: |
| 1883 |
|
case TYPE_DEFAULT_EXECUTE_HANDLER: |
| 1884 |
|
len = sizeof(struct execute_handler_record); |
| 1885 |
|
break; |
| 1886 |
default: |
default: |
| 1887 |
return NULL; |
return NULL; |
| 1888 |
} |
} |
TOMOYO
Parent Directory
Revision Log
Patch