| 12 |
|
|
| 13 |
#include "internal.h" |
#include "internal.h" |
| 14 |
|
|
| 15 |
static struct ccs_profile ccs_default_profile = { |
struct ccs_preference ccs_preference = { |
| 16 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 17 |
.preference.audit_max_grant_log = CONFIG_CCSECURITY_MAX_GRANT_LOG, |
.audit_max_grant_log = CONFIG_CCSECURITY_MAX_GRANT_LOG, |
| 18 |
.preference.audit_max_reject_log = CONFIG_CCSECURITY_MAX_REJECT_LOG, |
.audit_max_reject_log = CONFIG_CCSECURITY_MAX_REJECT_LOG, |
| 19 |
#endif |
#endif |
| 20 |
.preference.audit_task_info = true, |
.audit_task_info = true, |
| 21 |
.preference.audit_path_info = true, |
.audit_path_info = true, |
| 22 |
.preference.enforcing_penalty = 0, |
.enforcing_penalty = 0, |
| 23 |
.preference.learning_max_entry = CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY, |
.enforcing_verbose = true, |
| 24 |
.preference.learning_exec_realpath = true, |
.learning_max_entry = CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY, |
| 25 |
.preference.learning_exec_argv0 = true, |
.learning_verbose = false, |
| 26 |
.preference.learning_symlink_target = true, |
.learning_exec_realpath = true, |
| 27 |
|
.learning_exec_argv0 = true, |
| 28 |
|
.learning_symlink_target = true, |
| 29 |
|
.permissive_verbose = true, |
| 30 |
}; |
}; |
| 31 |
|
|
| 32 |
/* Profile version. Currently only 20100903 is defined. */ |
/* Profile version. Currently only 20100903 is defined. */ |
| 325 |
if (!ptr && ccs_memory_ok(entry, sizeof(*entry))) { |
if (!ptr && ccs_memory_ok(entry, sizeof(*entry))) { |
| 326 |
ptr = entry; |
ptr = entry; |
| 327 |
ptr->default_config = CCS_CONFIG_DISABLED | |
ptr->default_config = CCS_CONFIG_DISABLED | |
|
CCS_CONFIG_VERBOSE | |
|
| 328 |
CCS_CONFIG_WANT_GRANT_LOG | CCS_CONFIG_WANT_REJECT_LOG; |
CCS_CONFIG_WANT_GRANT_LOG | CCS_CONFIG_WANT_REJECT_LOG; |
| 329 |
memset(ptr->config, CCS_CONFIG_USE_DEFAULT, |
memset(ptr->config, CCS_CONFIG_USE_DEFAULT, |
| 330 |
sizeof(ptr->config)); |
sizeof(ptr->config)); |
| 370 |
*/ |
*/ |
| 371 |
struct ccs_profile *ccs_profile(const u8 profile) |
struct ccs_profile *ccs_profile(const u8 profile) |
| 372 |
{ |
{ |
| 373 |
|
static struct ccs_profile ccs_null_profile; |
| 374 |
struct ccs_profile *ptr = ccs_profile_ptr[profile]; |
struct ccs_profile *ptr = ccs_profile_ptr[profile]; |
| 375 |
if (!ccs_policy_loaded) |
if (!ptr) |
| 376 |
return &ccs_default_profile; |
ptr = &ccs_null_profile; |
|
BUG_ON(!ptr); |
|
| 377 |
return ptr; |
return ptr; |
| 378 |
} |
} |
| 379 |
|
|
| 409 |
sscanf(cp + strlen(find), "=%u", i); |
sscanf(cp + strlen(find), "=%u", i); |
| 410 |
} |
} |
| 411 |
|
|
| 412 |
static void ccs_set_pref(const char *name, const char *value, |
static int ccs_set_pref(char *data) |
|
struct ccs_profile *profile) |
|
| 413 |
{ |
{ |
| 414 |
if (!strcmp(name, "audit")) { |
if (ccs_str_starts(&data, "audit")) { |
| 415 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 416 |
ccs_set_uint(&profile->preference.audit_max_grant_log, value, |
ccs_set_uint(&ccs_preference.audit_max_grant_log, data, |
| 417 |
"max_grant_log"); |
"max_grant_log"); |
| 418 |
ccs_set_uint(&profile->preference.audit_max_reject_log, value, |
ccs_set_uint(&ccs_preference.audit_max_reject_log, data, |
| 419 |
"max_reject_log"); |
"max_reject_log"); |
| 420 |
#endif |
#endif |
| 421 |
ccs_set_bool(&profile->preference.audit_task_info, value, |
ccs_set_bool(&ccs_preference.audit_task_info, data, |
| 422 |
"task_info"); |
"task_info"); |
| 423 |
ccs_set_bool(&profile->preference.audit_path_info, value, |
ccs_set_bool(&ccs_preference.audit_path_info, data, |
| 424 |
"path_info"); |
"path_info"); |
| 425 |
return; |
} else if (ccs_str_starts(&data, "enforcing")) { |
| 426 |
} |
ccs_set_bool(&ccs_preference.enforcing_verbose, data, |
| 427 |
if (!strcmp(name, "enforcing")) { |
"verbose"); |
| 428 |
ccs_set_uint(&profile->preference.enforcing_penalty, value, |
ccs_set_uint(&ccs_preference.enforcing_penalty, data, |
| 429 |
"penalty"); |
"penalty"); |
| 430 |
return; |
} else if (ccs_str_starts(&data, "permissive")) { |
| 431 |
} |
ccs_set_bool(&ccs_preference.permissive_verbose, data, |
| 432 |
if (!strcmp(name, "learning")) { |
"verbose"); |
| 433 |
ccs_set_uint(&profile->preference.learning_max_entry, value, |
} else if (ccs_str_starts(&data, "learning")) { |
| 434 |
|
ccs_set_bool(&ccs_preference.learning_verbose, data, |
| 435 |
|
"verbose"); |
| 436 |
|
ccs_set_uint(&ccs_preference.learning_max_entry, data, |
| 437 |
"max_entry"); |
"max_entry"); |
| 438 |
ccs_set_bool(&profile->preference.learning_exec_realpath, |
ccs_set_bool(&ccs_preference.learning_exec_realpath, data, |
| 439 |
value, "exec.realpath"); |
"exec.realpath"); |
| 440 |
ccs_set_bool(&profile->preference.learning_exec_argv0, value, |
ccs_set_bool(&ccs_preference.learning_exec_argv0, data, |
| 441 |
"exec.argv0"); |
"exec.argv0"); |
| 442 |
ccs_set_bool(&profile->preference.learning_symlink_target, |
ccs_set_bool(&ccs_preference.learning_symlink_target, data, |
| 443 |
value, "symlink.target"); |
"symlink.target"); |
| 444 |
return; |
} else |
| 445 |
} |
return -EINVAL; |
| 446 |
|
return 0; |
| 447 |
} |
} |
| 448 |
|
|
| 449 |
static int ccs_set_mode(char *name, const char *value, |
static int ccs_set_mode(char *name, const char *value, |
| 482 |
*/ |
*/ |
| 483 |
config = (config & ~7) | mode; |
config = (config & ~7) | mode; |
| 484 |
if (config != CCS_CONFIG_USE_DEFAULT) { |
if (config != CCS_CONFIG_USE_DEFAULT) { |
|
switch (ccs_find_yesno(value, "verbose")) { |
|
|
case 1: |
|
|
config |= CCS_CONFIG_VERBOSE; |
|
|
break; |
|
|
case 0: |
|
|
config &= ~CCS_CONFIG_VERBOSE; |
|
|
break; |
|
|
} |
|
| 485 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 486 |
switch (ccs_find_yesno(value, "grant_log")) { |
switch (ccs_find_yesno(value, "grant_log")) { |
| 487 |
case 1: |
case 1: |
| 525 |
struct ccs_profile *profile; |
struct ccs_profile *profile; |
| 526 |
if (sscanf(data, "PROFILE_VERSION=%u", &ccs_profile_version) == 1) |
if (sscanf(data, "PROFILE_VERSION=%u", &ccs_profile_version) == 1) |
| 527 |
return 0; |
return 0; |
| 528 |
|
if (ccs_str_starts(&data, "PREFERENCE::")) |
| 529 |
|
return ccs_set_pref(data); |
| 530 |
i = simple_strtoul(data, &cp, 10); |
i = simple_strtoul(data, &cp, 10); |
| 531 |
if (*cp != '-') |
if (*cp != '-') |
| 532 |
return -EINVAL; |
return -EINVAL; |
| 538 |
if (!cp) |
if (!cp) |
| 539 |
return -EINVAL; |
return -EINVAL; |
| 540 |
*cp++ = '\0'; |
*cp++ = '\0'; |
|
if (ccs_str_starts(&data, "PREFERENCE::")) { |
|
|
ccs_set_pref(data, cp, profile); |
|
|
return 0; |
|
|
} |
|
| 541 |
if (!strcmp(data, "COMMENT")) { |
if (!strcmp(data, "COMMENT")) { |
| 542 |
const struct ccs_path_info *old_comment = profile->comment; |
const struct ccs_path_info *old_comment = profile->comment; |
| 543 |
profile->comment = ccs_get_name(cp); |
profile->comment = ccs_get_name(cp); |
| 547 |
return ccs_set_mode(data, cp, profile); |
return ccs_set_mode(data, cp, profile); |
| 548 |
} |
} |
| 549 |
|
|
| 550 |
static void ccs_print_preference(struct ccs_io_buffer *head, const int index) |
static void ccs_print_preference(struct ccs_io_buffer *head) |
| 551 |
{ |
{ |
| 552 |
struct ccs_profile *profile = ccs_profile_ptr[index]; |
ccs_io_printf(head, "PREFERENCE::%s={ " |
|
struct ccs_preference *pref = &profile->preference; |
|
|
ccs_io_printf(head, "%u-PREFERENCE::%s={ " |
|
| 553 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 554 |
"max_grant_log=%u max_reject_log=%u " |
"max_grant_log=%u max_reject_log=%u " |
| 555 |
#endif |
#endif |
| 556 |
"task_info=%s path_info=%s }\n", index, |
"task_info=%s path_info=%s }\n", "audit", |
|
"audit", |
|
| 557 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 558 |
pref->audit_max_grant_log, |
ccs_preference.audit_max_grant_log, |
| 559 |
pref->audit_max_reject_log, |
ccs_preference.audit_max_reject_log, |
| 560 |
#endif |
#endif |
| 561 |
ccs_yesno(pref->audit_task_info), |
ccs_yesno(ccs_preference.audit_task_info), |
| 562 |
ccs_yesno(pref->audit_path_info)); |
ccs_yesno(ccs_preference.audit_path_info)); |
| 563 |
ccs_io_printf(head, "%u-PREFERENCE::%s={ " |
ccs_io_printf(head, "PREFERENCE::%s={ verbose=%s max_entry=%u " |
| 564 |
"max_entry=%u exec.realpath=%s " |
"exec.realpath=%s exec.argv0=%s symlink.target=%s }\n", |
| 565 |
"exec.argv0=%s symlink.target=%s }\n", |
"learning", ccs_yesno(ccs_preference.learning_verbose), |
| 566 |
index, "learning", |
ccs_preference.learning_max_entry, |
| 567 |
pref->learning_max_entry, |
ccs_yesno(ccs_preference.learning_exec_realpath), |
| 568 |
ccs_yesno(pref->learning_exec_realpath), |
ccs_yesno(ccs_preference.learning_exec_argv0), |
| 569 |
ccs_yesno(pref->learning_exec_argv0), |
ccs_yesno(ccs_preference.learning_symlink_target)); |
| 570 |
ccs_yesno(pref->learning_symlink_target)); |
ccs_io_printf(head, "PREFERENCE::%s={ verbose=%s }\n", "permissive", |
| 571 |
ccs_io_printf(head, "%u-PREFERENCE::%s={ penalty=%u }\n", index, |
ccs_yesno(ccs_preference.permissive_verbose)); |
| 572 |
"enforcing", pref->enforcing_penalty); |
ccs_io_printf(head, "PREFERENCE::%s={ verbose=%s penalty=%u }\n", |
| 573 |
|
"enforcing", ccs_yesno(ccs_preference.enforcing_verbose), |
| 574 |
|
ccs_preference.enforcing_penalty); |
| 575 |
} |
} |
| 576 |
|
|
| 577 |
static void ccs_print_config(struct ccs_io_buffer *head, const u8 config) |
static void ccs_print_config(struct ccs_io_buffer *head, const u8 config) |
| 578 |
{ |
{ |
| 579 |
ccs_io_printf(head, "={ mode=%s verbose=%s", ccs_mode[config & 3], |
ccs_io_printf(head, "={ mode=%s", ccs_mode[config & 3]); |
|
ccs_yesno(config & CCS_CONFIG_VERBOSE)); |
|
| 580 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 581 |
ccs_io_printf(head, " grant_log=%s reject_log=%s", |
ccs_io_printf(head, " grant_log=%s reject_log=%s", |
| 582 |
ccs_yesno(config & CCS_CONFIG_WANT_GRANT_LOG), |
ccs_yesno(config & CCS_CONFIG_WANT_GRANT_LOG), |
| 600 |
switch (head->r.step) { |
switch (head->r.step) { |
| 601 |
case 0: |
case 0: |
| 602 |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20100903"); |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20100903"); |
| 603 |
|
ccs_print_preference(head); |
| 604 |
head->r.step++; |
head->r.step++; |
| 605 |
break; |
break; |
| 606 |
case 1: |
case 1: |
| 646 |
if (head->r.bit == CCS_MAX_MAC_INDEX |
if (head->r.bit == CCS_MAX_MAC_INDEX |
| 647 |
+ CCS_MAX_CAPABILITY_INDEX |
+ CCS_MAX_CAPABILITY_INDEX |
| 648 |
+ CCS_MAX_MAC_CATEGORY_INDEX) { |
+ CCS_MAX_MAC_CATEGORY_INDEX) { |
|
ccs_print_preference(head, index); |
|
| 649 |
head->r.index++; |
head->r.index++; |
| 650 |
head->r.step = 1; |
head->r.step = 1; |
| 651 |
} |
} |
| 787 |
} |
} |
| 788 |
|
|
| 789 |
/** |
/** |
|
* ccs_find_condition_part - Find condition part from the statement. |
|
|
* |
|
|
* @data: String to parse. |
|
|
* |
|
|
* Returns pointer to the condition part if it was found in the statement, |
|
|
* NULL otherwise. |
|
|
*/ |
|
|
static char *ccs_find_condition_part(char *data) |
|
|
{ |
|
|
char *cp = strstr(data, " if "); |
|
|
if (cp) { |
|
|
while (1) { |
|
|
char *cp2 = strstr(cp + 3, " if "); |
|
|
if (!cp2) |
|
|
break; |
|
|
cp = cp2; |
|
|
} |
|
|
*cp = '\0'; |
|
|
cp += 4; |
|
|
} |
|
|
return cp; |
|
|
} |
|
|
|
|
|
/** |
|
| 790 |
* ccs_select_one - Parse select command. |
* ccs_select_one - Parse select command. |
| 791 |
* |
* |
| 792 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
| 847 |
{ |
{ |
| 848 |
const struct ccs_handler_acl *p1 = container_of(a, typeof(*p1), head); |
const struct ccs_handler_acl *p1 = container_of(a, typeof(*p1), head); |
| 849 |
const struct ccs_handler_acl *p2 = container_of(b, typeof(*p2), head); |
const struct ccs_handler_acl *p2 = container_of(b, typeof(*p2), head); |
| 850 |
return ccs_same_acl_head(&p1->head, &p2->head) && |
return p1->handler == p2->handler; |
|
p1->handler == p2->handler; |
|
| 851 |
} |
} |
| 852 |
|
|
| 853 |
static bool ccs_same_task_acl(const struct ccs_acl_info *a, |
static bool ccs_same_task_acl(const struct ccs_acl_info *a, |
| 855 |
{ |
{ |
| 856 |
const struct ccs_task_acl *p1 = container_of(a, typeof(*p1), head); |
const struct ccs_task_acl *p1 = container_of(a, typeof(*p1), head); |
| 857 |
const struct ccs_task_acl *p2 = container_of(b, typeof(*p2), head); |
const struct ccs_task_acl *p2 = container_of(b, typeof(*p2), head); |
| 858 |
return ccs_same_acl_head(&p1->head, &p2->head) && |
return p1->domainname == p2->domainname; |
|
p1->domainname == p2->domainname; |
|
| 859 |
} |
} |
| 860 |
|
|
| 861 |
/** |
/** |
| 862 |
* ccs_write_task - Update task related list. |
* ccs_write_task - Update task related list. |
| 863 |
* |
* |
| 864 |
* @data: String to parse. |
* @param: Pointer to "struct ccs_acl_param". |
|
* @domain: Pointer to "struct ccs_domain_info". |
|
|
* @condition: Pointer to "struct ccs_condition". Maybe NULL. |
|
|
* @is_delete: True if it is a delete request. |
|
| 865 |
* |
* |
| 866 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 867 |
*/ |
*/ |
| 868 |
static int ccs_write_task(char *data, struct ccs_domain_info *domain, |
static int ccs_write_task(struct ccs_acl_param *param) |
|
struct ccs_condition *condition, |
|
|
const bool is_delete) |
|
| 869 |
{ |
{ |
| 870 |
int error; |
int error; |
| 871 |
const bool is_auto = ccs_str_starts(&data, "auto_domain_transition "); |
const bool is_auto = ccs_str_starts(¶m->data, |
| 872 |
if (!is_auto && !ccs_str_starts(&data, "manual_domain_transition ")) { |
"auto_domain_transition "); |
| 873 |
struct ccs_handler_acl e = { |
if (!is_auto && !ccs_str_starts(¶m->data, |
| 874 |
.head.cond = condition, |
"manual_domain_transition ")) { |
| 875 |
}; |
struct ccs_handler_acl e = { }; |
| 876 |
if (ccs_str_starts(&data, "auto_execute_handler ")) |
char *handler; |
| 877 |
|
if (ccs_str_starts(¶m->data, "auto_execute_handler ")) |
| 878 |
e.head.type = CCS_TYPE_AUTO_EXECUTE_HANDLER; |
e.head.type = CCS_TYPE_AUTO_EXECUTE_HANDLER; |
| 879 |
else if (ccs_str_starts(&data, "denied_execute_handler ")) |
else if (ccs_str_starts(¶m->data, |
| 880 |
|
"denied_execute_handler ")) |
| 881 |
e.head.type = CCS_TYPE_DENIED_EXECUTE_HANDLER; |
e.head.type = CCS_TYPE_DENIED_EXECUTE_HANDLER; |
| 882 |
else |
else |
| 883 |
return -EINVAL; |
return -EINVAL; |
| 884 |
if (!ccs_correct_path(data)) |
handler = ccs_read_token(param); |
| 885 |
|
if (!ccs_correct_path(handler)) |
| 886 |
return -EINVAL; |
return -EINVAL; |
| 887 |
e.handler = ccs_get_name(data); |
e.handler = ccs_get_name(handler); |
| 888 |
if (!e.handler) |
if (!e.handler) |
| 889 |
return -ENOMEM; |
return -ENOMEM; |
| 890 |
if (e.handler->is_patterned) |
if (e.handler->is_patterned) |
| 891 |
error = -EINVAL; /* No patterns allowed. */ |
error = -EINVAL; /* No patterns allowed. */ |
| 892 |
else |
else |
| 893 |
error = ccs_update_domain(&e.head, sizeof(e), |
error = ccs_update_domain(&e.head, sizeof(e), param, |
|
is_delete, domain, |
|
| 894 |
ccs_same_handler_acl, NULL); |
ccs_same_handler_acl, NULL); |
| 895 |
ccs_put_name(e.handler); |
ccs_put_name(e.handler); |
| 896 |
} else { |
} else { |
| 897 |
struct ccs_task_acl e = { |
struct ccs_task_acl e = { |
| 898 |
.head.type = is_auto ? |
.head.type = is_auto ? |
| 899 |
CCS_TYPE_AUTO_TASK_ACL : CCS_TYPE_MANUAL_TASK_ACL, |
CCS_TYPE_AUTO_TASK_ACL : CCS_TYPE_MANUAL_TASK_ACL, |
| 900 |
.head.cond = condition, |
.domainname = ccs_get_domainname(param), |
| 901 |
}; |
}; |
|
if (!ccs_correct_domain(data)) |
|
|
return -EINVAL; |
|
|
e.domainname = ccs_get_name(data); |
|
| 902 |
if (!e.domainname) |
if (!e.domainname) |
| 903 |
return -ENOMEM; |
error = -EINVAL; |
| 904 |
error = ccs_update_domain(&e.head, sizeof(e), is_delete, |
else |
| 905 |
domain, ccs_same_task_acl, NULL); |
error = ccs_update_domain(&e.head, sizeof(e), param, |
| 906 |
|
ccs_same_task_acl, NULL); |
| 907 |
ccs_put_name(e.domainname); |
ccs_put_name(e.domainname); |
| 908 |
} |
} |
| 909 |
return error; |
return error; |
| 912 |
static int ccs_write_domain2(char *data, struct ccs_domain_info *domain, |
static int ccs_write_domain2(char *data, struct ccs_domain_info *domain, |
| 913 |
const bool is_delete) |
const bool is_delete) |
| 914 |
{ |
{ |
| 915 |
|
struct ccs_acl_param param = { |
| 916 |
|
.data = data, |
| 917 |
|
.domain = domain, |
| 918 |
|
.is_delete = is_delete, |
| 919 |
|
}; |
| 920 |
static const struct { |
static const struct { |
| 921 |
const char *keyword; |
const char *keyword; |
| 922 |
int (*write) (char *, struct ccs_domain_info *, |
int (*write) (struct ccs_acl_param *); |
|
struct ccs_condition *, const bool); |
|
| 923 |
} ccs_callback[7] = { |
} ccs_callback[7] = { |
| 924 |
{ "file ", ccs_write_file }, |
{ "file ", ccs_write_file }, |
| 925 |
{ "network inet ", ccs_write_inet_network }, |
{ "network inet ", ccs_write_inet_network }, |
| 929 |
{ "ipc ", ccs_write_ipc }, |
{ "ipc ", ccs_write_ipc }, |
| 930 |
{ "task ", ccs_write_task }, |
{ "task ", ccs_write_task }, |
| 931 |
}; |
}; |
|
int error = -EINVAL; |
|
| 932 |
u8 i; |
u8 i; |
|
struct ccs_condition *cond = NULL; |
|
|
char *cp = ccs_find_condition_part(data); |
|
|
if (cp) { |
|
|
cond = ccs_get_condition(cp); |
|
|
if (!cond) |
|
|
return -EINVAL; |
|
|
} |
|
| 933 |
for (i = 0; i < 7; i++) { |
for (i = 0; i < 7; i++) { |
| 934 |
if (!ccs_str_starts(&data, ccs_callback[i].keyword)) |
if (!ccs_str_starts(¶m.data, ccs_callback[i].keyword)) |
| 935 |
continue; |
continue; |
| 936 |
error = ccs_callback[i].write(data, domain, cond, is_delete); |
return ccs_callback[i].write(¶m); |
|
break; |
|
| 937 |
} |
} |
| 938 |
if (cond) |
return -EINVAL; |
|
ccs_put_condition(cond); |
|
|
return error; |
|
| 939 |
} |
} |
| 940 |
|
|
| 941 |
static const char *ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
static const char *ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
| 1085 |
{ |
{ |
| 1086 |
switch (head->r.cond_step) { |
switch (head->r.cond_step) { |
| 1087 |
case 0: |
case 0: |
| 1088 |
{ |
head->r.cond_index = 0; |
| 1089 |
ccs_set_string(head, " if"); |
head->r.cond_step++; |
|
head->r.cond_index = 0; |
|
|
head->r.cond_step++; |
|
|
} |
|
| 1090 |
/* fall through */ |
/* fall through */ |
| 1091 |
case 1: |
case 1: |
| 1092 |
{ |
{ |
| 1195 |
head->r.cond_step++; |
head->r.cond_step++; |
| 1196 |
/* fall through */ |
/* fall through */ |
| 1197 |
case 3: |
case 3: |
| 1198 |
if (cond->audit) |
if (cond->grant_log) |
| 1199 |
ccs_io_printf(head, " audit=%s", |
ccs_io_printf(head, " grant_log=%s", |
| 1200 |
ccs_yesno(cond->audit == 2)); |
ccs_yesno(cond->grant_log == 2)); |
| 1201 |
if (cond->transit) { |
if (cond->transit) { |
| 1202 |
ccs_set_string(head, " auto_domain_transitition=\""); |
ccs_set_string(head, " auto_domain_transitition=\""); |
| 1203 |
ccs_set_string(head, cond->transit->name); |
ccs_set_string(head, cond->transit->name); |
| 1927 |
char *argv0 = NULL; |
char *argv0 = NULL; |
| 1928 |
char *symlink = NULL; |
char *symlink = NULL; |
| 1929 |
char *handler = NULL; |
char *handler = NULL; |
|
const struct ccs_preference *pref; |
|
| 1930 |
if (!ccs_domain_quota_ok(r)) |
if (!ccs_domain_quota_ok(r)) |
| 1931 |
return 0; |
return 0; |
| 1932 |
header = ccs_init_log(&len, r); |
header = ccs_init_log(&len, r); |
| 1933 |
if (!header) |
if (!header) |
| 1934 |
return 0; |
return 0; |
|
pref = &ccs_profile(r->profile)->preference; |
|
| 1935 |
/* strstr() will return NULL if ordering is wrong. */ |
/* strstr() will return NULL if ordering is wrong. */ |
| 1936 |
if (r->param_type == CCS_TYPE_PATH_ACL && |
if (r->param_type == CCS_TYPE_PATH_ACL && |
| 1937 |
r->param.path.operation == CCS_TYPE_EXECUTE) { |
r->param.path.operation == CCS_TYPE_EXECUTE) { |
| 1938 |
if (pref->learning_exec_argv0) { |
if (ccs_preference.learning_exec_argv0) { |
| 1939 |
argv0 = strstr(header, " argv[]={ \""); |
argv0 = strstr(header, " argv[]={ \""); |
| 1940 |
if (argv0) { |
if (argv0) { |
| 1941 |
argv0 += 10; |
argv0 += 10; |
| 1942 |
ccs_truncate(argv0); |
ccs_truncate(argv0); |
| 1943 |
} |
} |
| 1944 |
} |
} |
| 1945 |
if (pref->learning_exec_realpath) { |
if (ccs_preference.learning_exec_realpath) { |
| 1946 |
realpath = strstr(header, |
realpath = strstr(header, |
| 1947 |
" exec={ realpath=\""); |
" exec={ realpath=\""); |
| 1948 |
if (realpath) { |
if (realpath) { |
| 1952 |
} |
} |
| 1953 |
} else if (r->param_type == CCS_TYPE_PATH_ACL && |
} else if (r->param_type == CCS_TYPE_PATH_ACL && |
| 1954 |
r->param.path.operation == CCS_TYPE_SYMLINK && |
r->param.path.operation == CCS_TYPE_SYMLINK && |
| 1955 |
pref->learning_symlink_target) { |
ccs_preference.learning_symlink_target) { |
| 1956 |
symlink = strstr(header, " symlink.target=\""); |
symlink = strstr(header, " symlink.target=\""); |
| 1957 |
if (symlink) |
if (symlink) |
| 1958 |
ccs_truncate(symlink + 1); |
ccs_truncate(symlink + 1); |
| 1966 |
vsnprintf(buffer, len - 1, fmt, args); |
vsnprintf(buffer, len - 1, fmt, args); |
| 1967 |
va_end(args); |
va_end(args); |
| 1968 |
if (handler || realpath || argv0 || symlink) { |
if (handler || realpath || argv0 || symlink) { |
|
ccs_addprintf(buffer, len, " if"); |
|
| 1969 |
if (handler) |
if (handler) |
| 1970 |
ccs_addprintf(buffer, len, " task.%s", |
ccs_addprintf(buffer, len, " task.%s", |
| 1971 |
handler); |
handler); |
| 1993 |
int i; |
int i; |
| 1994 |
if (current->ccs_flags & CCS_DONT_SLEEP_ON_ENFORCE_ERROR) |
if (current->ccs_flags & CCS_DONT_SLEEP_ON_ENFORCE_ERROR) |
| 1995 |
return -EPERM; |
return -EPERM; |
| 1996 |
for (i = 0; i < ccs_profile(domain->profile)->preference. |
for (i = 0; i < ccs_preference.enforcing_penalty; i++) { |
|
enforcing_penalty; i++) { |
|
| 1997 |
set_current_state(TASK_INTERRUPTIBLE); |
set_current_state(TASK_INTERRUPTIBLE); |
| 1998 |
schedule_timeout(HZ / 10); |
schedule_timeout(HZ / 10); |
| 1999 |
} |
} |
TOMOYO
Parent Directory
Revision Log
Patch