12 |
|
|
13 |
#include "internal.h" |
#include "internal.h" |
14 |
|
|
15 |
static struct ccs_profile ccs_default_profile = { |
struct ccs_preference ccs_preference = { |
16 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
17 |
.preference.audit_max_grant_log = CONFIG_CCSECURITY_MAX_GRANT_LOG, |
.audit_max_grant_log = CONFIG_CCSECURITY_MAX_GRANT_LOG, |
18 |
.preference.audit_max_reject_log = CONFIG_CCSECURITY_MAX_REJECT_LOG, |
.audit_max_reject_log = CONFIG_CCSECURITY_MAX_REJECT_LOG, |
19 |
#endif |
#endif |
20 |
.preference.audit_task_info = true, |
.audit_task_info = true, |
21 |
.preference.audit_path_info = true, |
.audit_path_info = true, |
22 |
.preference.enforcing_penalty = 0, |
.enforcing_penalty = 0, |
23 |
.preference.learning_max_entry = CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY, |
.enforcing_verbose = true, |
24 |
.preference.learning_exec_realpath = true, |
.learning_max_entry = CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY, |
25 |
.preference.learning_exec_argv0 = true, |
.learning_verbose = false, |
26 |
.preference.learning_symlink_target = true, |
.learning_exec_realpath = true, |
27 |
|
.learning_exec_argv0 = true, |
28 |
|
.learning_symlink_target = true, |
29 |
|
.permissive_verbose = true, |
30 |
}; |
}; |
31 |
|
|
32 |
/* Profile version. Currently only 20100903 is defined. */ |
/* Profile version. Currently only 20100903 is defined. */ |
325 |
if (!ptr && ccs_memory_ok(entry, sizeof(*entry))) { |
if (!ptr && ccs_memory_ok(entry, sizeof(*entry))) { |
326 |
ptr = entry; |
ptr = entry; |
327 |
ptr->default_config = CCS_CONFIG_DISABLED | |
ptr->default_config = CCS_CONFIG_DISABLED | |
|
CCS_CONFIG_VERBOSE | |
|
328 |
CCS_CONFIG_WANT_GRANT_LOG | CCS_CONFIG_WANT_REJECT_LOG; |
CCS_CONFIG_WANT_GRANT_LOG | CCS_CONFIG_WANT_REJECT_LOG; |
329 |
memset(ptr->config, CCS_CONFIG_USE_DEFAULT, |
memset(ptr->config, CCS_CONFIG_USE_DEFAULT, |
330 |
sizeof(ptr->config)); |
sizeof(ptr->config)); |
370 |
*/ |
*/ |
371 |
struct ccs_profile *ccs_profile(const u8 profile) |
struct ccs_profile *ccs_profile(const u8 profile) |
372 |
{ |
{ |
373 |
|
static struct ccs_profile ccs_null_profile; |
374 |
struct ccs_profile *ptr = ccs_profile_ptr[profile]; |
struct ccs_profile *ptr = ccs_profile_ptr[profile]; |
375 |
if (!ccs_policy_loaded) |
if (!ptr) |
376 |
return &ccs_default_profile; |
ptr = &ccs_null_profile; |
|
BUG_ON(!ptr); |
|
377 |
return ptr; |
return ptr; |
378 |
} |
} |
379 |
|
|
409 |
sscanf(cp + strlen(find), "=%u", i); |
sscanf(cp + strlen(find), "=%u", i); |
410 |
} |
} |
411 |
|
|
412 |
static void ccs_set_pref(const char *name, const char *value, |
static int ccs_set_pref(char *data) |
|
struct ccs_profile *profile) |
|
413 |
{ |
{ |
414 |
if (!strcmp(name, "audit")) { |
if (ccs_str_starts(&data, "audit")) { |
415 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
416 |
ccs_set_uint(&profile->preference.audit_max_grant_log, value, |
ccs_set_uint(&ccs_preference.audit_max_grant_log, data, |
417 |
"max_grant_log"); |
"max_grant_log"); |
418 |
ccs_set_uint(&profile->preference.audit_max_reject_log, value, |
ccs_set_uint(&ccs_preference.audit_max_reject_log, data, |
419 |
"max_reject_log"); |
"max_reject_log"); |
420 |
#endif |
#endif |
421 |
ccs_set_bool(&profile->preference.audit_task_info, value, |
ccs_set_bool(&ccs_preference.audit_task_info, data, |
422 |
"task_info"); |
"task_info"); |
423 |
ccs_set_bool(&profile->preference.audit_path_info, value, |
ccs_set_bool(&ccs_preference.audit_path_info, data, |
424 |
"path_info"); |
"path_info"); |
425 |
return; |
} else if (ccs_str_starts(&data, "enforcing")) { |
426 |
} |
ccs_set_bool(&ccs_preference.enforcing_verbose, data, |
427 |
if (!strcmp(name, "enforcing")) { |
"verbose"); |
428 |
ccs_set_uint(&profile->preference.enforcing_penalty, value, |
ccs_set_uint(&ccs_preference.enforcing_penalty, data, |
429 |
"penalty"); |
"penalty"); |
430 |
return; |
} else if (ccs_str_starts(&data, "permissive")) { |
431 |
} |
ccs_set_bool(&ccs_preference.permissive_verbose, data, |
432 |
if (!strcmp(name, "learning")) { |
"verbose"); |
433 |
ccs_set_uint(&profile->preference.learning_max_entry, value, |
} else if (ccs_str_starts(&data, "learning")) { |
434 |
|
ccs_set_bool(&ccs_preference.learning_verbose, data, |
435 |
|
"verbose"); |
436 |
|
ccs_set_uint(&ccs_preference.learning_max_entry, data, |
437 |
"max_entry"); |
"max_entry"); |
438 |
ccs_set_bool(&profile->preference.learning_exec_realpath, |
ccs_set_bool(&ccs_preference.learning_exec_realpath, data, |
439 |
value, "exec.realpath"); |
"exec.realpath"); |
440 |
ccs_set_bool(&profile->preference.learning_exec_argv0, value, |
ccs_set_bool(&ccs_preference.learning_exec_argv0, data, |
441 |
"exec.argv0"); |
"exec.argv0"); |
442 |
ccs_set_bool(&profile->preference.learning_symlink_target, |
ccs_set_bool(&ccs_preference.learning_symlink_target, data, |
443 |
value, "symlink.target"); |
"symlink.target"); |
444 |
return; |
} else |
445 |
} |
return -EINVAL; |
446 |
|
return 0; |
447 |
} |
} |
448 |
|
|
449 |
static int ccs_set_mode(char *name, const char *value, |
static int ccs_set_mode(char *name, const char *value, |
482 |
*/ |
*/ |
483 |
config = (config & ~7) | mode; |
config = (config & ~7) | mode; |
484 |
if (config != CCS_CONFIG_USE_DEFAULT) { |
if (config != CCS_CONFIG_USE_DEFAULT) { |
|
switch (ccs_find_yesno(value, "verbose")) { |
|
|
case 1: |
|
|
config |= CCS_CONFIG_VERBOSE; |
|
|
break; |
|
|
case 0: |
|
|
config &= ~CCS_CONFIG_VERBOSE; |
|
|
break; |
|
|
} |
|
485 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
486 |
switch (ccs_find_yesno(value, "grant_log")) { |
switch (ccs_find_yesno(value, "grant_log")) { |
487 |
case 1: |
case 1: |
525 |
struct ccs_profile *profile; |
struct ccs_profile *profile; |
526 |
if (sscanf(data, "PROFILE_VERSION=%u", &ccs_profile_version) == 1) |
if (sscanf(data, "PROFILE_VERSION=%u", &ccs_profile_version) == 1) |
527 |
return 0; |
return 0; |
528 |
|
if (ccs_str_starts(&data, "PREFERENCE::")) |
529 |
|
return ccs_set_pref(data); |
530 |
i = simple_strtoul(data, &cp, 10); |
i = simple_strtoul(data, &cp, 10); |
531 |
if (*cp != '-') |
if (*cp != '-') |
532 |
return -EINVAL; |
return -EINVAL; |
538 |
if (!cp) |
if (!cp) |
539 |
return -EINVAL; |
return -EINVAL; |
540 |
*cp++ = '\0'; |
*cp++ = '\0'; |
|
if (ccs_str_starts(&data, "PREFERENCE::")) { |
|
|
ccs_set_pref(data, cp, profile); |
|
|
return 0; |
|
|
} |
|
541 |
if (!strcmp(data, "COMMENT")) { |
if (!strcmp(data, "COMMENT")) { |
542 |
const struct ccs_path_info *old_comment = profile->comment; |
const struct ccs_path_info *old_comment = profile->comment; |
543 |
profile->comment = ccs_get_name(cp); |
profile->comment = ccs_get_name(cp); |
547 |
return ccs_set_mode(data, cp, profile); |
return ccs_set_mode(data, cp, profile); |
548 |
} |
} |
549 |
|
|
550 |
static void ccs_print_preference(struct ccs_io_buffer *head, const int index) |
static void ccs_print_preference(struct ccs_io_buffer *head) |
551 |
{ |
{ |
552 |
struct ccs_profile *profile = ccs_profile_ptr[index]; |
ccs_io_printf(head, "PREFERENCE::%s={ " |
|
struct ccs_preference *pref = &profile->preference; |
|
|
ccs_io_printf(head, "%u-PREFERENCE::%s={ " |
|
553 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
554 |
"max_grant_log=%u max_reject_log=%u " |
"max_grant_log=%u max_reject_log=%u " |
555 |
#endif |
#endif |
556 |
"task_info=%s path_info=%s }\n", index, |
"task_info=%s path_info=%s }\n", "audit", |
|
"audit", |
|
557 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
558 |
pref->audit_max_grant_log, |
ccs_preference.audit_max_grant_log, |
559 |
pref->audit_max_reject_log, |
ccs_preference.audit_max_reject_log, |
560 |
#endif |
#endif |
561 |
ccs_yesno(pref->audit_task_info), |
ccs_yesno(ccs_preference.audit_task_info), |
562 |
ccs_yesno(pref->audit_path_info)); |
ccs_yesno(ccs_preference.audit_path_info)); |
563 |
ccs_io_printf(head, "%u-PREFERENCE::%s={ " |
ccs_io_printf(head, "PREFERENCE::%s={ verbose=%s max_entry=%u " |
564 |
"max_entry=%u exec.realpath=%s " |
"exec.realpath=%s exec.argv0=%s symlink.target=%s }\n", |
565 |
"exec.argv0=%s symlink.target=%s }\n", |
"learning", ccs_yesno(ccs_preference.learning_verbose), |
566 |
index, "learning", |
ccs_preference.learning_max_entry, |
567 |
pref->learning_max_entry, |
ccs_yesno(ccs_preference.learning_exec_realpath), |
568 |
ccs_yesno(pref->learning_exec_realpath), |
ccs_yesno(ccs_preference.learning_exec_argv0), |
569 |
ccs_yesno(pref->learning_exec_argv0), |
ccs_yesno(ccs_preference.learning_symlink_target)); |
570 |
ccs_yesno(pref->learning_symlink_target)); |
ccs_io_printf(head, "PREFERENCE::%s={ verbose=%s }\n", "permissive", |
571 |
ccs_io_printf(head, "%u-PREFERENCE::%s={ penalty=%u }\n", index, |
ccs_yesno(ccs_preference.permissive_verbose)); |
572 |
"enforcing", pref->enforcing_penalty); |
ccs_io_printf(head, "PREFERENCE::%s={ verbose=%s penalty=%u }\n", |
573 |
|
"enforcing", ccs_yesno(ccs_preference.enforcing_verbose), |
574 |
|
ccs_preference.enforcing_penalty); |
575 |
} |
} |
576 |
|
|
577 |
static void ccs_print_config(struct ccs_io_buffer *head, const u8 config) |
static void ccs_print_config(struct ccs_io_buffer *head, const u8 config) |
578 |
{ |
{ |
579 |
ccs_io_printf(head, "={ mode=%s verbose=%s", ccs_mode[config & 3], |
ccs_io_printf(head, "={ mode=%s", ccs_mode[config & 3]); |
|
ccs_yesno(config & CCS_CONFIG_VERBOSE)); |
|
580 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
581 |
ccs_io_printf(head, " grant_log=%s reject_log=%s", |
ccs_io_printf(head, " grant_log=%s reject_log=%s", |
582 |
ccs_yesno(config & CCS_CONFIG_WANT_GRANT_LOG), |
ccs_yesno(config & CCS_CONFIG_WANT_GRANT_LOG), |
600 |
switch (head->r.step) { |
switch (head->r.step) { |
601 |
case 0: |
case 0: |
602 |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20100903"); |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20100903"); |
603 |
|
ccs_print_preference(head); |
604 |
head->r.step++; |
head->r.step++; |
605 |
break; |
break; |
606 |
case 1: |
case 1: |
646 |
if (head->r.bit == CCS_MAX_MAC_INDEX |
if (head->r.bit == CCS_MAX_MAC_INDEX |
647 |
+ CCS_MAX_CAPABILITY_INDEX |
+ CCS_MAX_CAPABILITY_INDEX |
648 |
+ CCS_MAX_MAC_CATEGORY_INDEX) { |
+ CCS_MAX_MAC_CATEGORY_INDEX) { |
|
ccs_print_preference(head, index); |
|
649 |
head->r.index++; |
head->r.index++; |
650 |
head->r.step = 1; |
head->r.step = 1; |
651 |
} |
} |
787 |
} |
} |
788 |
|
|
789 |
/** |
/** |
|
* ccs_find_condition_part - Find condition part from the statement. |
|
|
* |
|
|
* @data: String to parse. |
|
|
* |
|
|
* Returns pointer to the condition part if it was found in the statement, |
|
|
* NULL otherwise. |
|
|
*/ |
|
|
static char *ccs_find_condition_part(char *data) |
|
|
{ |
|
|
char *cp = strstr(data, " if "); |
|
|
if (cp) { |
|
|
while (1) { |
|
|
char *cp2 = strstr(cp + 3, " if "); |
|
|
if (!cp2) |
|
|
break; |
|
|
cp = cp2; |
|
|
} |
|
|
*cp = '\0'; |
|
|
cp += 4; |
|
|
} |
|
|
return cp; |
|
|
} |
|
|
|
|
|
/** |
|
790 |
* ccs_select_one - Parse select command. |
* ccs_select_one - Parse select command. |
791 |
* |
* |
792 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
847 |
{ |
{ |
848 |
const struct ccs_handler_acl *p1 = container_of(a, typeof(*p1), head); |
const struct ccs_handler_acl *p1 = container_of(a, typeof(*p1), head); |
849 |
const struct ccs_handler_acl *p2 = container_of(b, typeof(*p2), head); |
const struct ccs_handler_acl *p2 = container_of(b, typeof(*p2), head); |
850 |
return ccs_same_acl_head(&p1->head, &p2->head) && |
return p1->handler == p2->handler; |
|
p1->handler == p2->handler; |
|
851 |
} |
} |
852 |
|
|
853 |
static bool ccs_same_task_acl(const struct ccs_acl_info *a, |
static bool ccs_same_task_acl(const struct ccs_acl_info *a, |
855 |
{ |
{ |
856 |
const struct ccs_task_acl *p1 = container_of(a, typeof(*p1), head); |
const struct ccs_task_acl *p1 = container_of(a, typeof(*p1), head); |
857 |
const struct ccs_task_acl *p2 = container_of(b, typeof(*p2), head); |
const struct ccs_task_acl *p2 = container_of(b, typeof(*p2), head); |
858 |
return ccs_same_acl_head(&p1->head, &p2->head) && |
return p1->domainname == p2->domainname; |
|
p1->domainname == p2->domainname; |
|
859 |
} |
} |
860 |
|
|
861 |
/** |
/** |
862 |
* ccs_write_task - Update task related list. |
* ccs_write_task - Update task related list. |
863 |
* |
* |
864 |
* @data: String to parse. |
* @param: Pointer to "struct ccs_acl_param". |
|
* @domain: Pointer to "struct ccs_domain_info". |
|
|
* @condition: Pointer to "struct ccs_condition". Maybe NULL. |
|
|
* @is_delete: True if it is a delete request. |
|
865 |
* |
* |
866 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
867 |
*/ |
*/ |
868 |
static int ccs_write_task(char *data, struct ccs_domain_info *domain, |
static int ccs_write_task(struct ccs_acl_param *param) |
|
struct ccs_condition *condition, |
|
|
const bool is_delete) |
|
869 |
{ |
{ |
870 |
int error; |
int error; |
871 |
const bool is_auto = ccs_str_starts(&data, "auto_domain_transition "); |
const bool is_auto = ccs_str_starts(¶m->data, |
872 |
if (!is_auto && !ccs_str_starts(&data, "manual_domain_transition ")) { |
"auto_domain_transition "); |
873 |
struct ccs_handler_acl e = { |
if (!is_auto && !ccs_str_starts(¶m->data, |
874 |
.head.cond = condition, |
"manual_domain_transition ")) { |
875 |
}; |
struct ccs_handler_acl e = { }; |
876 |
if (ccs_str_starts(&data, "auto_execute_handler ")) |
char *handler; |
877 |
|
if (ccs_str_starts(¶m->data, "auto_execute_handler ")) |
878 |
e.head.type = CCS_TYPE_AUTO_EXECUTE_HANDLER; |
e.head.type = CCS_TYPE_AUTO_EXECUTE_HANDLER; |
879 |
else if (ccs_str_starts(&data, "denied_execute_handler ")) |
else if (ccs_str_starts(¶m->data, |
880 |
|
"denied_execute_handler ")) |
881 |
e.head.type = CCS_TYPE_DENIED_EXECUTE_HANDLER; |
e.head.type = CCS_TYPE_DENIED_EXECUTE_HANDLER; |
882 |
else |
else |
883 |
return -EINVAL; |
return -EINVAL; |
884 |
if (!ccs_correct_path(data)) |
handler = ccs_read_token(param); |
885 |
|
if (!ccs_correct_path(handler)) |
886 |
return -EINVAL; |
return -EINVAL; |
887 |
e.handler = ccs_get_name(data); |
e.handler = ccs_get_name(handler); |
888 |
if (!e.handler) |
if (!e.handler) |
889 |
return -ENOMEM; |
return -ENOMEM; |
890 |
if (e.handler->is_patterned) |
if (e.handler->is_patterned) |
891 |
error = -EINVAL; /* No patterns allowed. */ |
error = -EINVAL; /* No patterns allowed. */ |
892 |
else |
else |
893 |
error = ccs_update_domain(&e.head, sizeof(e), |
error = ccs_update_domain(&e.head, sizeof(e), param, |
|
is_delete, domain, |
|
894 |
ccs_same_handler_acl, NULL); |
ccs_same_handler_acl, NULL); |
895 |
ccs_put_name(e.handler); |
ccs_put_name(e.handler); |
896 |
} else { |
} else { |
897 |
struct ccs_task_acl e = { |
struct ccs_task_acl e = { |
898 |
.head.type = is_auto ? |
.head.type = is_auto ? |
899 |
CCS_TYPE_AUTO_TASK_ACL : CCS_TYPE_MANUAL_TASK_ACL, |
CCS_TYPE_AUTO_TASK_ACL : CCS_TYPE_MANUAL_TASK_ACL, |
900 |
.head.cond = condition, |
.domainname = ccs_get_domainname(param), |
901 |
}; |
}; |
|
if (!ccs_correct_domain(data)) |
|
|
return -EINVAL; |
|
|
e.domainname = ccs_get_name(data); |
|
902 |
if (!e.domainname) |
if (!e.domainname) |
903 |
return -ENOMEM; |
error = -EINVAL; |
904 |
error = ccs_update_domain(&e.head, sizeof(e), is_delete, |
else |
905 |
domain, ccs_same_task_acl, NULL); |
error = ccs_update_domain(&e.head, sizeof(e), param, |
906 |
|
ccs_same_task_acl, NULL); |
907 |
ccs_put_name(e.domainname); |
ccs_put_name(e.domainname); |
908 |
} |
} |
909 |
return error; |
return error; |
912 |
static int ccs_write_domain2(char *data, struct ccs_domain_info *domain, |
static int ccs_write_domain2(char *data, struct ccs_domain_info *domain, |
913 |
const bool is_delete) |
const bool is_delete) |
914 |
{ |
{ |
915 |
|
struct ccs_acl_param param = { |
916 |
|
.data = data, |
917 |
|
.domain = domain, |
918 |
|
.is_delete = is_delete, |
919 |
|
}; |
920 |
static const struct { |
static const struct { |
921 |
const char *keyword; |
const char *keyword; |
922 |
int (*write) (char *, struct ccs_domain_info *, |
int (*write) (struct ccs_acl_param *); |
|
struct ccs_condition *, const bool); |
|
923 |
} ccs_callback[7] = { |
} ccs_callback[7] = { |
924 |
{ "file ", ccs_write_file }, |
{ "file ", ccs_write_file }, |
925 |
{ "network inet ", ccs_write_inet_network }, |
{ "network inet ", ccs_write_inet_network }, |
929 |
{ "ipc ", ccs_write_ipc }, |
{ "ipc ", ccs_write_ipc }, |
930 |
{ "task ", ccs_write_task }, |
{ "task ", ccs_write_task }, |
931 |
}; |
}; |
|
int error = -EINVAL; |
|
932 |
u8 i; |
u8 i; |
|
struct ccs_condition *cond = NULL; |
|
|
char *cp = ccs_find_condition_part(data); |
|
|
if (cp) { |
|
|
cond = ccs_get_condition(cp); |
|
|
if (!cond) |
|
|
return -EINVAL; |
|
|
} |
|
933 |
for (i = 0; i < 7; i++) { |
for (i = 0; i < 7; i++) { |
934 |
if (!ccs_str_starts(&data, ccs_callback[i].keyword)) |
if (!ccs_str_starts(¶m.data, ccs_callback[i].keyword)) |
935 |
continue; |
continue; |
936 |
error = ccs_callback[i].write(data, domain, cond, is_delete); |
return ccs_callback[i].write(¶m); |
|
break; |
|
937 |
} |
} |
938 |
if (cond) |
return -EINVAL; |
|
ccs_put_condition(cond); |
|
|
return error; |
|
939 |
} |
} |
940 |
|
|
941 |
static const char *ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
static const char *ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
1085 |
{ |
{ |
1086 |
switch (head->r.cond_step) { |
switch (head->r.cond_step) { |
1087 |
case 0: |
case 0: |
1088 |
{ |
head->r.cond_index = 0; |
1089 |
ccs_set_string(head, " if"); |
head->r.cond_step++; |
|
head->r.cond_index = 0; |
|
|
head->r.cond_step++; |
|
|
} |
|
1090 |
/* fall through */ |
/* fall through */ |
1091 |
case 1: |
case 1: |
1092 |
{ |
{ |
1195 |
head->r.cond_step++; |
head->r.cond_step++; |
1196 |
/* fall through */ |
/* fall through */ |
1197 |
case 3: |
case 3: |
1198 |
if (cond->audit) |
if (cond->grant_log) |
1199 |
ccs_io_printf(head, " audit=%s", |
ccs_io_printf(head, " grant_log=%s", |
1200 |
ccs_yesno(cond->audit == 2)); |
ccs_yesno(cond->grant_log == 2)); |
1201 |
if (cond->transit) { |
if (cond->transit) { |
1202 |
ccs_set_string(head, " auto_domain_transitition=\""); |
ccs_set_string(head, " auto_domain_transitition=\""); |
1203 |
ccs_set_string(head, cond->transit->name); |
ccs_set_string(head, cond->transit->name); |
1927 |
char *argv0 = NULL; |
char *argv0 = NULL; |
1928 |
char *symlink = NULL; |
char *symlink = NULL; |
1929 |
char *handler = NULL; |
char *handler = NULL; |
|
const struct ccs_preference *pref; |
|
1930 |
if (!ccs_domain_quota_ok(r)) |
if (!ccs_domain_quota_ok(r)) |
1931 |
return 0; |
return 0; |
1932 |
header = ccs_init_log(&len, r); |
header = ccs_init_log(&len, r); |
1933 |
if (!header) |
if (!header) |
1934 |
return 0; |
return 0; |
|
pref = &ccs_profile(r->profile)->preference; |
|
1935 |
/* strstr() will return NULL if ordering is wrong. */ |
/* strstr() will return NULL if ordering is wrong. */ |
1936 |
if (r->param_type == CCS_TYPE_PATH_ACL && |
if (r->param_type == CCS_TYPE_PATH_ACL && |
1937 |
r->param.path.operation == CCS_TYPE_EXECUTE) { |
r->param.path.operation == CCS_TYPE_EXECUTE) { |
1938 |
if (pref->learning_exec_argv0) { |
if (ccs_preference.learning_exec_argv0) { |
1939 |
argv0 = strstr(header, " argv[]={ \""); |
argv0 = strstr(header, " argv[]={ \""); |
1940 |
if (argv0) { |
if (argv0) { |
1941 |
argv0 += 10; |
argv0 += 10; |
1942 |
ccs_truncate(argv0); |
ccs_truncate(argv0); |
1943 |
} |
} |
1944 |
} |
} |
1945 |
if (pref->learning_exec_realpath) { |
if (ccs_preference.learning_exec_realpath) { |
1946 |
realpath = strstr(header, |
realpath = strstr(header, |
1947 |
" exec={ realpath=\""); |
" exec={ realpath=\""); |
1948 |
if (realpath) { |
if (realpath) { |
1952 |
} |
} |
1953 |
} else if (r->param_type == CCS_TYPE_PATH_ACL && |
} else if (r->param_type == CCS_TYPE_PATH_ACL && |
1954 |
r->param.path.operation == CCS_TYPE_SYMLINK && |
r->param.path.operation == CCS_TYPE_SYMLINK && |
1955 |
pref->learning_symlink_target) { |
ccs_preference.learning_symlink_target) { |
1956 |
symlink = strstr(header, " symlink.target=\""); |
symlink = strstr(header, " symlink.target=\""); |
1957 |
if (symlink) |
if (symlink) |
1958 |
ccs_truncate(symlink + 1); |
ccs_truncate(symlink + 1); |
1966 |
vsnprintf(buffer, len - 1, fmt, args); |
vsnprintf(buffer, len - 1, fmt, args); |
1967 |
va_end(args); |
va_end(args); |
1968 |
if (handler || realpath || argv0 || symlink) { |
if (handler || realpath || argv0 || symlink) { |
|
ccs_addprintf(buffer, len, " if"); |
|
1969 |
if (handler) |
if (handler) |
1970 |
ccs_addprintf(buffer, len, " task.%s", |
ccs_addprintf(buffer, len, " task.%s", |
1971 |
handler); |
handler); |
1993 |
int i; |
int i; |
1994 |
if (current->ccs_flags & CCS_DONT_SLEEP_ON_ENFORCE_ERROR) |
if (current->ccs_flags & CCS_DONT_SLEEP_ON_ENFORCE_ERROR) |
1995 |
return -EPERM; |
return -EPERM; |
1996 |
for (i = 0; i < ccs_profile(domain->profile)->preference. |
for (i = 0; i < ccs_preference.enforcing_penalty; i++) { |
|
enforcing_penalty; i++) { |
|
1997 |
set_current_state(TASK_INTERRUPTIBLE); |
set_current_state(TASK_INTERRUPTIBLE); |
1998 |
schedule_timeout(HZ / 10); |
schedule_timeout(HZ / 10); |
1999 |
} |
} |