| 34 |
const unsigned int max_value; |
const unsigned int max_value; |
| 35 |
} ccs_control_array[CCS_MAX_CONTROL_INDEX] = { |
} ccs_control_array[CCS_MAX_CONTROL_INDEX] = { |
| 36 |
[CCS_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, |
[CCS_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, |
| 37 |
|
[CCS_AUTOLEARN_EXEC_REALPATH] = { "AUTOLEARN_EXEC_REALPATH", 0, 1 }, |
| 38 |
|
[CCS_AUTOLEARN_EXEC_ARGV0] = { "AUTOLEARN_EXEC_ARGV0", 0, 1 }, |
| 39 |
[CCS_MAC_FOR_IOCTL] = { "MAC_FOR_IOCTL", 0, 3 }, |
[CCS_MAC_FOR_IOCTL] = { "MAC_FOR_IOCTL", 0, 3 }, |
| 40 |
[CCS_MAC_FOR_FILEATTR] = { "MAC_FOR_FILEATTR", 0, 3 }, |
[CCS_MAC_FOR_FILEATTR] = { "MAC_FOR_FILEATTR", 0, 3 }, |
|
[CCS_MAC_FOR_ARGV0] = { "MAC_FOR_ARGV0", 0, 3 }, |
|
| 41 |
[CCS_MAC_FOR_ENV] = { "MAC_FOR_ENV", 0, 3 }, |
[CCS_MAC_FOR_ENV] = { "MAC_FOR_ENV", 0, 3 }, |
| 42 |
[CCS_MAC_FOR_NETWORK] = { "MAC_FOR_NETWORK", 0, 3 }, |
[CCS_MAC_FOR_NETWORK] = { "MAC_FOR_NETWORK", 0, 3 }, |
| 43 |
[CCS_MAC_FOR_SIGNAL] = { "MAC_FOR_SIGNAL", 0, 3 }, |
[CCS_MAC_FOR_SIGNAL] = { "MAC_FOR_SIGNAL", 0, 3 }, |
| 108 |
* |
* |
| 109 |
* Returns pointer to "struct ccs_profile" on success, NULL otherwise. |
* Returns pointer to "struct ccs_profile" on success, NULL otherwise. |
| 110 |
*/ |
*/ |
| 111 |
struct ccs_profile *ccs_find_or_assign_new_profile(const unsigned int |
static struct ccs_profile *ccs_find_or_assign_new_profile(const unsigned int |
| 112 |
profile) |
profile) |
| 113 |
{ |
{ |
| 114 |
struct ccs_profile *ptr; |
struct ccs_profile *ptr; |
| 115 |
struct ccs_profile *entry; |
struct ccs_profile *entry; |
| 116 |
int i; |
int i; |
| 117 |
if (profile >= MAX_PROFILES) |
if (profile >= CCS_MAX_PROFILES) |
| 118 |
return NULL; |
return NULL; |
| 119 |
ptr = ccs_profile_ptr[profile]; |
ptr = ccs_profile_ptr[profile]; |
| 120 |
if (ptr) |
if (ptr) |
| 181 |
ccs_profile_entry_used[0] = true; |
ccs_profile_entry_used[0] = true; |
| 182 |
return 0; |
return 0; |
| 183 |
} |
} |
| 184 |
if (ccs_str_starts(&data, KEYWORD_MAC_FOR_CAPABILITY)) { |
if (ccs_str_starts(&data, CCS_KEYWORD_MAC_FOR_CAPABILITY)) { |
| 185 |
if (sscanf(cp + 1, "%u", &value) != 1) { |
if (sscanf(cp + 1, "%u", &value) != 1) { |
| 186 |
for (i = 0; i < 4; i++) { |
for (i = 0; i < 4; i++) { |
| 187 |
if (strcmp(cp + 1, ccs_mode_4[i])) |
if (strcmp(cp + 1, ccs_mode_4[i])) |
| 211 |
int j; |
int j; |
| 212 |
const char **modes; |
const char **modes; |
| 213 |
switch (i) { |
switch (i) { |
| 214 |
|
case CCS_AUTOLEARN_EXEC_REALPATH: |
| 215 |
|
case CCS_AUTOLEARN_EXEC_ARGV0: |
| 216 |
case CCS_RESTRICT_AUTOBIND: |
case CCS_RESTRICT_AUTOBIND: |
| 217 |
case CCS_VERBOSE: |
case CCS_VERBOSE: |
| 218 |
modes = ccs_mode_2; |
modes = ccs_mode_2; |
| 253 |
int step; |
int step; |
| 254 |
if (head->read_eof) |
if (head->read_eof) |
| 255 |
return 0; |
return 0; |
| 256 |
for (step = head->read_step; step < MAX_PROFILES * ccs_total; step++) { |
for (step = head->read_step; step < CCS_MAX_PROFILES * ccs_total; |
| 257 |
|
step++) { |
| 258 |
const u8 index = step / ccs_total; |
const u8 index = step / ccs_total; |
| 259 |
u8 type = step % ccs_total; |
u8 type = step % ccs_total; |
| 260 |
const struct ccs_profile *ccs_profile = ccs_profile_ptr[index]; |
const struct ccs_profile *ccs_profile = ccs_profile_ptr[index]; |
| 281 |
const int i = type - CCS_MAX_CONTROL_INDEX; |
const int i = type - CCS_MAX_CONTROL_INDEX; |
| 282 |
const u8 value = ccs_profile->capability_value[i]; |
const u8 value = ccs_profile->capability_value[i]; |
| 283 |
if (!ccs_io_printf(head, |
if (!ccs_io_printf(head, |
| 284 |
"%u-" KEYWORD_MAC_FOR_CAPABILITY |
"%u-" CCS_KEYWORD_MAC_FOR_CAPABILITY |
| 285 |
"%s=%s\n", index, |
"%s=%s\n", index, |
| 286 |
ccs_capability_control_keyword[i], |
ccs_capability_control_keyword[i], |
| 287 |
ccs_mode_4[value])) |
ccs_mode_4[value])) |
| 309 |
} |
} |
| 310 |
} |
} |
| 311 |
} |
} |
| 312 |
if (step == MAX_PROFILES * ccs_total) |
if (step == CCS_MAX_PROFILES * ccs_total) |
| 313 |
head->read_eof = true; |
head->read_eof = true; |
| 314 |
return 0; |
return 0; |
| 315 |
} |
} |
| 377 |
static int ccs_write_manager_policy(struct ccs_io_buffer *head) |
static int ccs_write_manager_policy(struct ccs_io_buffer *head) |
| 378 |
{ |
{ |
| 379 |
char *data = head->write_buf; |
char *data = head->write_buf; |
| 380 |
bool is_delete = ccs_str_starts(&data, KEYWORD_DELETE); |
bool is_delete = ccs_str_starts(&data, CCS_KEYWORD_DELETE); |
| 381 |
if (!strcmp(data, "manage_by_non_root")) { |
if (!strcmp(data, "manage_by_non_root")) { |
| 382 |
ccs_manage_by_non_root = !is_delete; |
ccs_manage_by_non_root = !is_delete; |
| 383 |
return 0; |
return 0; |
| 570 |
struct ccs_condition *cond = NULL; |
struct ccs_condition *cond = NULL; |
| 571 |
char *cp; |
char *cp; |
| 572 |
int error; |
int error; |
| 573 |
if (ccs_str_starts(&data, KEYWORD_DELETE)) |
if (ccs_str_starts(&data, CCS_KEYWORD_DELETE)) |
| 574 |
is_delete = true; |
is_delete = true; |
| 575 |
else if (ccs_str_starts(&data, KEYWORD_SELECT)) |
else if (ccs_str_starts(&data, CCS_KEYWORD_SELECT)) |
| 576 |
is_select = true; |
is_select = true; |
| 577 |
if (is_select && ccs_is_select_one(head, data)) |
if (is_select && ccs_is_select_one(head, data)) |
| 578 |
return 0; |
return 0; |
| 593 |
if (!domain) |
if (!domain) |
| 594 |
return -EINVAL; |
return -EINVAL; |
| 595 |
|
|
| 596 |
if (sscanf(data, KEYWORD_USE_PROFILE "%u", &profile) == 1 |
if (sscanf(data, CCS_KEYWORD_USE_PROFILE "%u", &profile) == 1 |
| 597 |
&& profile < MAX_PROFILES) { |
&& profile < CCS_MAX_PROFILES) { |
| 598 |
if (ccs_profile_ptr[profile] || !ccs_policy_loaded) |
if (ccs_profile_ptr[profile] || !ccs_policy_loaded) |
| 599 |
domain->profile = (u8) profile; |
domain->profile = (u8) profile; |
| 600 |
return 0; |
return 0; |
| 601 |
} |
} |
| 602 |
if (!strcmp(data, KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) { |
if (!strcmp(data, CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) { |
| 603 |
domain->ignore_global_allow_read = !is_delete; |
domain->ignore_global_allow_read = !is_delete; |
| 604 |
return 0; |
return 0; |
| 605 |
} |
} |
| 606 |
if (!strcmp(data, KEYWORD_IGNORE_GLOBAL_ALLOW_ENV)) { |
if (!strcmp(data, CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_ENV)) { |
| 607 |
domain->ignore_global_allow_env = !is_delete; |
domain->ignore_global_allow_env = !is_delete; |
| 608 |
return 0; |
return 0; |
| 609 |
} |
} |
| 613 |
if (!cond) |
if (!cond) |
| 614 |
return -EINVAL; |
return -EINVAL; |
| 615 |
} |
} |
| 616 |
if (ccs_str_starts(&data, KEYWORD_ALLOW_CAPABILITY)) |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_CAPABILITY)) |
| 617 |
error = ccs_write_capability_policy(data, domain, cond, |
error = ccs_write_capability_policy(data, domain, cond, |
| 618 |
is_delete); |
is_delete); |
| 619 |
else if (ccs_str_starts(&data, KEYWORD_ALLOW_NETWORK)) |
else if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_NETWORK)) |
| 620 |
error = ccs_write_network_policy(data, domain, cond, is_delete); |
error = ccs_write_network_policy(data, domain, cond, is_delete); |
| 621 |
else if (ccs_str_starts(&data, KEYWORD_ALLOW_SIGNAL)) |
else if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_SIGNAL)) |
| 622 |
error = ccs_write_signal_policy(data, domain, cond, is_delete); |
error = ccs_write_signal_policy(data, domain, cond, is_delete); |
| 623 |
else if (ccs_str_starts(&data, KEYWORD_ALLOW_ARGV0)) |
else if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_ENV)) |
|
error = ccs_write_argv0_policy(data, domain, cond, is_delete); |
|
|
else if (ccs_str_starts(&data, KEYWORD_ALLOW_ENV)) |
|
| 624 |
error = ccs_write_env_policy(data, domain, cond, is_delete); |
error = ccs_write_env_policy(data, domain, cond, is_delete); |
| 625 |
else if (ccs_str_starts(&data, KEYWORD_ALLOW_MOUNT)) |
else if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_MOUNT)) |
| 626 |
error = ccs_write_mount_policy(data, domain, cond, is_delete); |
error = ccs_write_mount_policy(data, domain, cond, is_delete); |
| 627 |
else if (ccs_str_starts(&data, KEYWORD_ALLOW_UNMOUNT)) |
else if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_UNMOUNT)) |
| 628 |
error = ccs_write_umount_policy(data, domain, cond, is_delete); |
error = ccs_write_umount_policy(data, domain, cond, is_delete); |
| 629 |
else if (ccs_str_starts(&data, KEYWORD_ALLOW_CHROOT)) |
else if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_CHROOT)) |
| 630 |
error = ccs_write_chroot_policy(data, domain, cond, is_delete); |
error = ccs_write_chroot_policy(data, domain, cond, is_delete); |
| 631 |
else if (ccs_str_starts(&data, KEYWORD_ALLOW_PIVOT_ROOT)) |
else if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_PIVOT_ROOT)) |
| 632 |
error = ccs_write_pivot_root_policy(data, domain, cond, |
error = ccs_write_pivot_root_policy(data, domain, cond, |
| 633 |
is_delete); |
is_delete); |
| 634 |
else |
else |
| 665 |
min = ptr->values[0]; |
min = ptr->values[0]; |
| 666 |
max = ptr->values[1]; |
max = ptr->values[1]; |
| 667 |
switch (min_type) { |
switch (min_type) { |
| 668 |
case VALUE_TYPE_HEXADECIMAL: |
case CCS_VALUE_TYPE_HEXADECIMAL: |
| 669 |
if (!ccs_io_printf(head, " 0x%lX", min)) |
if (!ccs_io_printf(head, " 0x%lX", min)) |
| 670 |
return false; |
return false; |
| 671 |
break; |
break; |
| 672 |
case VALUE_TYPE_OCTAL: |
case CCS_VALUE_TYPE_OCTAL: |
| 673 |
if (!ccs_io_printf(head, " 0%lo", min)) |
if (!ccs_io_printf(head, " 0%lo", min)) |
| 674 |
return false; |
return false; |
| 675 |
break; |
break; |
| 681 |
if (min == max && min_type == max_type) |
if (min == max && min_type == max_type) |
| 682 |
return true; |
return true; |
| 683 |
switch (max_type) { |
switch (max_type) { |
| 684 |
case VALUE_TYPE_HEXADECIMAL: |
case CCS_VALUE_TYPE_HEXADECIMAL: |
| 685 |
return ccs_io_printf(head, "-0x%lX", max); |
return ccs_io_printf(head, "-0x%lX", max); |
| 686 |
case VALUE_TYPE_OCTAL: |
case CCS_VALUE_TYPE_OCTAL: |
| 687 |
return ccs_io_printf(head, "-0%lo", max); |
return ccs_io_printf(head, "-0%lo", max); |
| 688 |
default: |
default: |
| 689 |
return ccs_io_printf(head, "-%lu", max); |
return ccs_io_printf(head, "-%lu", max); |
| 706 |
int pos; |
int pos; |
| 707 |
u8 bit; |
u8 bit; |
| 708 |
const u16 perm = ptr->perm; |
const u16 perm = ptr->perm; |
| 709 |
for (bit = head->read_bit; bit < MAX_SINGLE_PATH_OPERATION; bit++) { |
for (bit = head->read_bit; bit < CCS_MAX_SINGLE_PATH_OPERATION; bit++) { |
| 710 |
const char *msg; |
const char *msg; |
| 711 |
if (!(perm & (1 << bit))) |
if (!(perm & (1 << bit))) |
| 712 |
continue; |
continue; |
| 713 |
if (head->read_execute_only && bit != TYPE_EXECUTE_ACL) |
if (head->read_execute_only && bit != CCS_TYPE_EXECUTE_ACL) |
| 714 |
continue; |
continue; |
| 715 |
/* Print "read/write" instead of "read" and "write". */ |
/* Print "read/write" instead of "read" and "write". */ |
| 716 |
if ((bit == TYPE_READ_ACL || bit == TYPE_WRITE_ACL) |
if ((bit == CCS_TYPE_READ_ACL || bit == CCS_TYPE_WRITE_ACL) |
| 717 |
&& (perm & (1 << TYPE_READ_WRITE_ACL))) |
&& (perm & (1 << CCS_TYPE_READ_WRITE_ACL))) |
| 718 |
continue; |
continue; |
| 719 |
msg = ccs_sp2keyword(bit); |
msg = ccs_sp2keyword(bit); |
| 720 |
pos = head->read_avail; |
pos = head->read_avail; |
| 747 |
int pos; |
int pos; |
| 748 |
u8 bit; |
u8 bit; |
| 749 |
const u16 perm = ptr->perm; |
const u16 perm = ptr->perm; |
| 750 |
for (bit = head->read_bit; bit < MAX_MKDEV_OPERATION; bit++) { |
for (bit = head->read_bit; bit < CCS_MAX_MKDEV_OPERATION; bit++) { |
| 751 |
const char *msg; |
const char *msg; |
| 752 |
if (!(perm & (1 << bit))) |
if (!(perm & (1 << bit))) |
| 753 |
continue; |
continue; |
| 784 |
int pos; |
int pos; |
| 785 |
u8 bit; |
u8 bit; |
| 786 |
const u8 perm = ptr->perm; |
const u8 perm = ptr->perm; |
| 787 |
for (bit = head->read_bit; bit < MAX_DOUBLE_PATH_OPERATION; bit++) { |
for (bit = head->read_bit; bit < CCS_MAX_DOUBLE_PATH_OPERATION; bit++) { |
| 788 |
const char *msg; |
const char *msg; |
| 789 |
if (!(perm & (1 << bit))) |
if (!(perm & (1 << bit))) |
| 790 |
continue; |
continue; |
| 820 |
int pos; |
int pos; |
| 821 |
u8 bit; |
u8 bit; |
| 822 |
const u8 perm = ptr->perm; |
const u8 perm = ptr->perm; |
| 823 |
for (bit = head->read_bit; bit < MAX_PATH_NUMBER_OPERATION; bit++) { |
for (bit = head->read_bit; bit < CCS_MAX_PATH_NUMBER_OPERATION; bit++) { |
| 824 |
const char *msg; |
const char *msg; |
| 825 |
if (!(perm & (1 << bit))) |
if (!(perm & (1 << bit))) |
| 826 |
continue; |
continue; |
| 841 |
} |
} |
| 842 |
|
|
| 843 |
/** |
/** |
|
* ccs_print_argv0_acl - Print an argv[0] ACL entry. |
|
|
* |
|
|
* @head: Pointer to "struct ccs_io_buffer". |
|
|
* @ptr: Pointer to "struct ccs_argv0_acl_record". |
|
|
* @cond: Pointer to "struct ccs_condition". May be NULL. |
|
|
* |
|
|
* Returns true on success, false otherwise. |
|
|
*/ |
|
|
static bool ccs_print_argv0_acl(struct ccs_io_buffer *head, |
|
|
struct ccs_argv0_acl_record *ptr, |
|
|
const struct ccs_condition *cond) |
|
|
{ |
|
|
int pos = head->read_avail; |
|
|
if (!ccs_io_printf(head, KEYWORD_ALLOW_ARGV0 "%s %s", |
|
|
ptr->filename->name, ptr->argv0->name)) |
|
|
goto out; |
|
|
if (!ccs_print_condition(head, cond)) |
|
|
goto out; |
|
|
return true; |
|
|
out: |
|
|
head->read_avail = pos; |
|
|
return false; |
|
|
} |
|
|
|
|
|
/** |
|
| 844 |
* ccs_print_env_acl - Print an evironment variable name's ACL entry. |
* ccs_print_env_acl - Print an evironment variable name's ACL entry. |
| 845 |
* |
* |
| 846 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
| 854 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
| 855 |
{ |
{ |
| 856 |
int pos = head->read_avail; |
int pos = head->read_avail; |
| 857 |
if (!ccs_io_printf(head, KEYWORD_ALLOW_ENV "%s", ptr->env->name)) |
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_ENV "%s", ptr->env->name)) |
| 858 |
goto out; |
goto out; |
| 859 |
if (!ccs_print_condition(head, cond)) |
if (!ccs_print_condition(head, cond)) |
| 860 |
goto out; |
goto out; |
| 878 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
| 879 |
{ |
{ |
| 880 |
int pos = head->read_avail; |
int pos = head->read_avail; |
| 881 |
if (!ccs_io_printf(head, KEYWORD_ALLOW_CAPABILITY "%s", |
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_CAPABILITY "%s", |
| 882 |
ccs_cap2keyword(ptr->operation))) |
ccs_cap2keyword(ptr->operation))) |
| 883 |
goto out; |
goto out; |
| 884 |
if (!ccs_print_condition(head, cond)) |
if (!ccs_print_condition(head, cond)) |
| 949 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
| 950 |
{ |
{ |
| 951 |
int pos = head->read_avail; |
int pos = head->read_avail; |
| 952 |
if (!ccs_io_printf(head, KEYWORD_ALLOW_NETWORK "%s ", |
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_NETWORK "%s ", |
| 953 |
ccs_net2keyword(ptr->operation_type))) |
ccs_net2keyword(ptr->operation_type))) |
| 954 |
goto out; |
goto out; |
| 955 |
switch (ptr->record_type) { |
switch (ptr->record_type) { |
| 956 |
case IP_RECORD_TYPE_ADDRESS_GROUP: |
case CCS_IP_RECORD_TYPE_ADDRESS_GROUP: |
| 957 |
if (!ccs_io_printf(head, "@%s", |
if (!ccs_io_printf(head, "@%s", |
| 958 |
ptr->address.group->group_name->name)) |
ptr->address.group->group_name->name)) |
| 959 |
goto out; |
goto out; |
| 960 |
break; |
break; |
| 961 |
case IP_RECORD_TYPE_IPv4: |
case CCS_IP_RECORD_TYPE_IPv4: |
| 962 |
if (!ccs_print_ipv4_entry(head, ptr)) |
if (!ccs_print_ipv4_entry(head, ptr)) |
| 963 |
goto out; |
goto out; |
| 964 |
break; |
break; |
| 965 |
case IP_RECORD_TYPE_IPv6: |
case CCS_IP_RECORD_TYPE_IPv6: |
| 966 |
if (!ccs_print_ipv6_entry(head, ptr)) |
if (!ccs_print_ipv6_entry(head, ptr)) |
| 967 |
goto out; |
goto out; |
| 968 |
break; |
break; |
| 990 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
| 991 |
{ |
{ |
| 992 |
int pos = head->read_avail; |
int pos = head->read_avail; |
| 993 |
if (!ccs_io_printf(head, KEYWORD_ALLOW_SIGNAL "%u %s", |
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_SIGNAL "%u %s", |
| 994 |
ptr->sig, ptr->domainname->name)) |
ptr->sig, ptr->domainname->name)) |
| 995 |
goto out; |
goto out; |
| 996 |
if (!ccs_print_condition(head, cond)) |
if (!ccs_print_condition(head, cond)) |
| 1032 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
| 1033 |
{ |
{ |
| 1034 |
int pos = head->read_avail; |
int pos = head->read_avail; |
| 1035 |
if (!ccs_io_printf(head, KEYWORD_ALLOW_MOUNT "%s %s %s 0x%lX\n", |
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_MOUNT "%s %s %s 0x%lX\n", |
| 1036 |
ptr->dev_name->name, ptr->dir_name->name, |
ptr->dev_name->name, ptr->dir_name->name, |
| 1037 |
ptr->fs_type->name, ptr->flags)) |
ptr->fs_type->name, ptr->flags)) |
| 1038 |
goto out; |
goto out; |
| 1058 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
| 1059 |
{ |
{ |
| 1060 |
int pos = head->read_avail; |
int pos = head->read_avail; |
| 1061 |
if (!ccs_io_printf(head, KEYWORD_ALLOW_UNMOUNT "%s\n", |
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_UNMOUNT "%s\n", |
| 1062 |
ptr->dir->name)) |
ptr->dir->name)) |
| 1063 |
goto out; |
goto out; |
| 1064 |
if (!ccs_print_condition(head, cond)) |
if (!ccs_print_condition(head, cond)) |
| 1083 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
| 1084 |
{ |
{ |
| 1085 |
int pos = head->read_avail; |
int pos = head->read_avail; |
| 1086 |
if (!ccs_io_printf(head, KEYWORD_ALLOW_CHROOT "%s\n", |
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_CHROOT "%s\n", |
| 1087 |
ptr->dir->name)) |
ptr->dir->name)) |
| 1088 |
goto out; |
goto out; |
| 1089 |
if (!ccs_print_condition(head, cond)) |
if (!ccs_print_condition(head, cond)) |
| 1108 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
| 1109 |
{ |
{ |
| 1110 |
int pos = head->read_avail; |
int pos = head->read_avail; |
| 1111 |
if (!ccs_io_printf(head, KEYWORD_ALLOW_PIVOT_ROOT "%s %s\n", |
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_PIVOT_ROOT "%s %s\n", |
| 1112 |
ptr->new_root->name, ptr->old_root->name)) |
ptr->new_root->name, ptr->old_root->name)) |
| 1113 |
goto out; |
goto out; |
| 1114 |
if (!ccs_print_condition(head, cond)) |
if (!ccs_print_condition(head, cond)) |
| 1132 |
{ |
{ |
| 1133 |
const struct ccs_condition *cond = ptr->cond; |
const struct ccs_condition *cond = ptr->cond; |
| 1134 |
const u8 acl_type = ccs_acl_type2(ptr); |
const u8 acl_type = ccs_acl_type2(ptr); |
| 1135 |
if (acl_type & ACL_DELETED) |
if (acl_type & CCS_ACL_DELETED) |
| 1136 |
return true; |
return true; |
| 1137 |
if (acl_type == TYPE_SINGLE_PATH_ACL) { |
if (acl_type == CCS_TYPE_SINGLE_PATH_ACL) { |
| 1138 |
struct ccs_single_path_acl_record *acl |
struct ccs_single_path_acl_record *acl |
| 1139 |
= container_of(ptr, struct ccs_single_path_acl_record, |
= container_of(ptr, struct ccs_single_path_acl_record, |
| 1140 |
head); |
head); |
| 1141 |
return ccs_print_single_path_acl(head, acl, cond); |
return ccs_print_single_path_acl(head, acl, cond); |
| 1142 |
} |
} |
| 1143 |
if (acl_type == TYPE_EXECUTE_HANDLER) { |
if (acl_type == CCS_TYPE_EXECUTE_HANDLER) { |
| 1144 |
struct ccs_execute_handler_record *acl |
struct ccs_execute_handler_record *acl |
| 1145 |
= container_of(ptr, struct ccs_execute_handler_record, |
= container_of(ptr, struct ccs_execute_handler_record, |
| 1146 |
head); |
head); |
| 1147 |
const char *keyword = KEYWORD_EXECUTE_HANDLER; |
const char *keyword = CCS_KEYWORD_EXECUTE_HANDLER; |
| 1148 |
return ccs_print_execute_handler_record(head, keyword, acl); |
return ccs_print_execute_handler_record(head, keyword, acl); |
| 1149 |
} |
} |
| 1150 |
if (acl_type == TYPE_DENIED_EXECUTE_HANDLER) { |
if (acl_type == CCS_TYPE_DENIED_EXECUTE_HANDLER) { |
| 1151 |
struct ccs_execute_handler_record *acl |
struct ccs_execute_handler_record *acl |
| 1152 |
= container_of(ptr, struct ccs_execute_handler_record, |
= container_of(ptr, struct ccs_execute_handler_record, |
| 1153 |
head); |
head); |
| 1154 |
const char *keyword = KEYWORD_DENIED_EXECUTE_HANDLER; |
const char *keyword = CCS_KEYWORD_DENIED_EXECUTE_HANDLER; |
| 1155 |
return ccs_print_execute_handler_record(head, keyword, acl); |
return ccs_print_execute_handler_record(head, keyword, acl); |
| 1156 |
} |
} |
| 1157 |
if (head->read_execute_only) |
if (head->read_execute_only) |
| 1158 |
return true; |
return true; |
| 1159 |
if (acl_type == TYPE_MKDEV_ACL) { |
if (acl_type == CCS_TYPE_MKDEV_ACL) { |
| 1160 |
struct ccs_mkdev_acl_record *acl |
struct ccs_mkdev_acl_record *acl |
| 1161 |
= container_of(ptr, struct ccs_mkdev_acl_record, head); |
= container_of(ptr, struct ccs_mkdev_acl_record, head); |
| 1162 |
return ccs_print_mkdev_acl(head, acl, cond); |
return ccs_print_mkdev_acl(head, acl, cond); |
| 1163 |
} |
} |
| 1164 |
if (acl_type == TYPE_DOUBLE_PATH_ACL) { |
if (acl_type == CCS_TYPE_DOUBLE_PATH_ACL) { |
| 1165 |
struct ccs_double_path_acl_record *acl |
struct ccs_double_path_acl_record *acl |
| 1166 |
= container_of(ptr, struct ccs_double_path_acl_record, |
= container_of(ptr, struct ccs_double_path_acl_record, |
| 1167 |
head); |
head); |
| 1168 |
return ccs_print_double_path_acl(head, acl, cond); |
return ccs_print_double_path_acl(head, acl, cond); |
| 1169 |
} |
} |
| 1170 |
if (acl_type == TYPE_PATH_NUMBER_ACL) { |
if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
| 1171 |
struct ccs_path_number_acl_record *acl |
struct ccs_path_number_acl_record *acl |
| 1172 |
= container_of(ptr, struct ccs_path_number_acl_record, |
= container_of(ptr, struct ccs_path_number_acl_record, |
| 1173 |
head); |
head); |
| 1174 |
return ccs_print_path_number_acl(head, acl, cond); |
return ccs_print_path_number_acl(head, acl, cond); |
| 1175 |
} |
} |
| 1176 |
if (acl_type == TYPE_ARGV0_ACL) { |
if (acl_type == CCS_TYPE_ENV_ACL) { |
|
struct ccs_argv0_acl_record *acl |
|
|
= container_of(ptr, struct ccs_argv0_acl_record, head); |
|
|
return ccs_print_argv0_acl(head, acl, cond); |
|
|
} |
|
|
if (acl_type == TYPE_ENV_ACL) { |
|
| 1177 |
struct ccs_env_acl_record *acl |
struct ccs_env_acl_record *acl |
| 1178 |
= container_of(ptr, struct ccs_env_acl_record, head); |
= container_of(ptr, struct ccs_env_acl_record, head); |
| 1179 |
return ccs_print_env_acl(head, acl, cond); |
return ccs_print_env_acl(head, acl, cond); |
| 1180 |
} |
} |
| 1181 |
if (acl_type == TYPE_CAPABILITY_ACL) { |
if (acl_type == CCS_TYPE_CAPABILITY_ACL) { |
| 1182 |
struct ccs_capability_acl_record *acl |
struct ccs_capability_acl_record *acl |
| 1183 |
= container_of(ptr, struct ccs_capability_acl_record, |
= container_of(ptr, struct ccs_capability_acl_record, |
| 1184 |
head); |
head); |
| 1185 |
return ccs_print_capability_acl(head, acl, cond); |
return ccs_print_capability_acl(head, acl, cond); |
| 1186 |
} |
} |
| 1187 |
if (acl_type == TYPE_IP_NETWORK_ACL) { |
if (acl_type == CCS_TYPE_IP_NETWORK_ACL) { |
| 1188 |
struct ccs_ip_network_acl_record *acl |
struct ccs_ip_network_acl_record *acl |
| 1189 |
= container_of(ptr, struct ccs_ip_network_acl_record, |
= container_of(ptr, struct ccs_ip_network_acl_record, |
| 1190 |
head); |
head); |
| 1191 |
return ccs_print_network_acl(head, acl, cond); |
return ccs_print_network_acl(head, acl, cond); |
| 1192 |
} |
} |
| 1193 |
if (acl_type == TYPE_SIGNAL_ACL) { |
if (acl_type == CCS_TYPE_SIGNAL_ACL) { |
| 1194 |
struct ccs_signal_acl_record *acl |
struct ccs_signal_acl_record *acl |
| 1195 |
= container_of(ptr, struct ccs_signal_acl_record, head); |
= container_of(ptr, struct ccs_signal_acl_record, head); |
| 1196 |
return ccs_print_signal_acl(head, acl, cond); |
return ccs_print_signal_acl(head, acl, cond); |
| 1197 |
} |
} |
| 1198 |
if (acl_type == TYPE_MOUNT_ACL) { |
if (acl_type == CCS_TYPE_MOUNT_ACL) { |
| 1199 |
struct ccs_mount_acl_record *acl |
struct ccs_mount_acl_record *acl |
| 1200 |
= container_of(ptr, struct ccs_mount_acl_record, head); |
= container_of(ptr, struct ccs_mount_acl_record, head); |
| 1201 |
return ccs_print_mount_acl(head, acl, cond); |
return ccs_print_mount_acl(head, acl, cond); |
| 1202 |
} |
} |
| 1203 |
if (acl_type == TYPE_UMOUNT_ACL) { |
if (acl_type == CCS_TYPE_UMOUNT_ACL) { |
| 1204 |
struct ccs_umount_acl_record *acl |
struct ccs_umount_acl_record *acl |
| 1205 |
= container_of(ptr, struct ccs_umount_acl_record, head); |
= container_of(ptr, struct ccs_umount_acl_record, head); |
| 1206 |
return ccs_print_umount_acl(head, acl, cond); |
return ccs_print_umount_acl(head, acl, cond); |
| 1207 |
} |
} |
| 1208 |
if (acl_type == TYPE_CHROOT_ACL) { |
if (acl_type == CCS_TYPE_CHROOT_ACL) { |
| 1209 |
struct ccs_chroot_acl_record *acl |
struct ccs_chroot_acl_record *acl |
| 1210 |
= container_of(ptr, struct ccs_chroot_acl_record, head); |
= container_of(ptr, struct ccs_chroot_acl_record, head); |
| 1211 |
return ccs_print_chroot_acl(head, acl, cond); |
return ccs_print_chroot_acl(head, acl, cond); |
| 1212 |
} |
} |
| 1213 |
if (acl_type == TYPE_PIVOT_ROOT_ACL) { |
if (acl_type == CCS_TYPE_PIVOT_ROOT_ACL) { |
| 1214 |
struct ccs_pivot_root_acl_record *acl |
struct ccs_pivot_root_acl_record *acl |
| 1215 |
= container_of(ptr, struct ccs_pivot_root_acl_record, |
= container_of(ptr, struct ccs_pivot_root_acl_record, |
| 1216 |
head); |
head); |
| 1217 |
return ccs_print_pivot_root_acl(head, acl, cond); |
return ccs_print_pivot_root_acl(head, acl, cond); |
| 1218 |
} |
} |
| 1219 |
/* Workaround for gcc 3.2.2's inline bug. */ |
/* Workaround for gcc 3.2.2's inline bug. */ |
| 1220 |
if (acl_type & ACL_DELETED) |
if (acl_type & CCS_ACL_DELETED) |
| 1221 |
return true; |
return true; |
| 1222 |
BUG(); /* This must not happen. */ |
BUG(); /* This must not happen. */ |
| 1223 |
return false; |
return false; |
| 1259 |
transition_failed = "transition_failed\n"; |
transition_failed = "transition_failed\n"; |
| 1260 |
if (domain->ignore_global_allow_read) |
if (domain->ignore_global_allow_read) |
| 1261 |
ignore_global_allow_read |
ignore_global_allow_read |
| 1262 |
= KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; |
= CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; |
| 1263 |
if (domain->ignore_global_allow_env) |
if (domain->ignore_global_allow_env) |
| 1264 |
ignore_global_allow_env |
ignore_global_allow_env |
| 1265 |
= KEYWORD_IGNORE_GLOBAL_ALLOW_ENV "\n"; |
= CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_ENV "\n"; |
| 1266 |
if (!ccs_io_printf(head, "%s\n" KEYWORD_USE_PROFILE "%u\n" |
if (!ccs_io_printf(head, "%s\n" CCS_KEYWORD_USE_PROFILE "%u\n" |
| 1267 |
"%s%s%s%s\n", domain->domainname->name, |
"%s%s%s%s\n", domain->domainname->name, |
| 1268 |
domain->profile, quota_exceeded, |
domain->profile, quota_exceeded, |
| 1269 |
transition_failed, |
transition_failed, |
| 1319 |
return -EINVAL; |
return -EINVAL; |
| 1320 |
*cp = '\0'; |
*cp = '\0'; |
| 1321 |
profile = simple_strtoul(data, NULL, 10); |
profile = simple_strtoul(data, NULL, 10); |
| 1322 |
if (profile >= MAX_PROFILES) |
if (profile >= CCS_MAX_PROFILES) |
| 1323 |
return -EINVAL; |
return -EINVAL; |
| 1324 |
domain = ccs_find_domain(cp + 1); |
domain = ccs_find_domain(cp + 1); |
| 1325 |
if (domain && (ccs_profile_ptr[profile] || !ccs_policy_loaded)) |
if (domain && (ccs_profile_ptr[profile] || !ccs_policy_loaded)) |
| 1442 |
static int ccs_write_exception_policy(struct ccs_io_buffer *head) |
static int ccs_write_exception_policy(struct ccs_io_buffer *head) |
| 1443 |
{ |
{ |
| 1444 |
char *data = head->write_buf; |
char *data = head->write_buf; |
| 1445 |
bool is_delete = ccs_str_starts(&data, KEYWORD_DELETE); |
bool is_delete = ccs_str_starts(&data, CCS_KEYWORD_DELETE); |
| 1446 |
if (ccs_str_starts(&data, KEYWORD_KEEP_DOMAIN)) |
if (ccs_str_starts(&data, CCS_KEYWORD_KEEP_DOMAIN)) |
| 1447 |
return ccs_write_domain_keeper_policy(data, false, is_delete); |
return ccs_write_domain_keeper_policy(data, false, is_delete); |
| 1448 |
if (ccs_str_starts(&data, KEYWORD_NO_KEEP_DOMAIN)) |
if (ccs_str_starts(&data, CCS_KEYWORD_NO_KEEP_DOMAIN)) |
| 1449 |
return ccs_write_domain_keeper_policy(data, true, is_delete); |
return ccs_write_domain_keeper_policy(data, true, is_delete); |
| 1450 |
if (ccs_str_starts(&data, KEYWORD_INITIALIZE_DOMAIN)) |
if (ccs_str_starts(&data, CCS_KEYWORD_INITIALIZE_DOMAIN)) |
| 1451 |
return ccs_write_domain_initializer_policy(data, false, |
return ccs_write_domain_initializer_policy(data, false, |
| 1452 |
is_delete); |
is_delete); |
| 1453 |
if (ccs_str_starts(&data, KEYWORD_NO_INITIALIZE_DOMAIN)) |
if (ccs_str_starts(&data, CCS_KEYWORD_NO_INITIALIZE_DOMAIN)) |
| 1454 |
return ccs_write_domain_initializer_policy(data, true, |
return ccs_write_domain_initializer_policy(data, true, |
| 1455 |
is_delete); |
is_delete); |
| 1456 |
if (ccs_str_starts(&data, KEYWORD_AGGREGATOR)) |
if (ccs_str_starts(&data, CCS_KEYWORD_AGGREGATOR)) |
| 1457 |
return ccs_write_aggregator_policy(data, is_delete); |
return ccs_write_aggregator_policy(data, is_delete); |
| 1458 |
if (ccs_str_starts(&data, KEYWORD_ALLOW_READ)) |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_READ)) |
| 1459 |
return ccs_write_globally_readable_policy(data, is_delete); |
return ccs_write_globally_readable_policy(data, is_delete); |
| 1460 |
if (ccs_str_starts(&data, KEYWORD_ALLOW_ENV)) |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_ENV)) |
| 1461 |
return ccs_write_globally_usable_env_policy(data, is_delete); |
return ccs_write_globally_usable_env_policy(data, is_delete); |
| 1462 |
if (ccs_str_starts(&data, KEYWORD_FILE_PATTERN)) |
if (ccs_str_starts(&data, CCS_KEYWORD_FILE_PATTERN)) |
| 1463 |
return ccs_write_pattern_policy(data, is_delete); |
return ccs_write_pattern_policy(data, is_delete); |
| 1464 |
if (ccs_str_starts(&data, KEYWORD_PATH_GROUP)) |
if (ccs_str_starts(&data, CCS_KEYWORD_PATH_GROUP)) |
| 1465 |
return ccs_write_path_group_policy(data, is_delete); |
return ccs_write_path_group_policy(data, is_delete); |
| 1466 |
if (ccs_str_starts(&data, KEYWORD_NUMBER_GROUP)) |
if (ccs_str_starts(&data, CCS_KEYWORD_NUMBER_GROUP)) |
| 1467 |
return ccs_write_number_group_policy(data, is_delete); |
return ccs_write_number_group_policy(data, is_delete); |
| 1468 |
if (ccs_str_starts(&data, KEYWORD_DENY_REWRITE)) |
if (ccs_str_starts(&data, CCS_KEYWORD_DENY_REWRITE)) |
| 1469 |
return ccs_write_no_rewrite_policy(data, is_delete); |
return ccs_write_no_rewrite_policy(data, is_delete); |
| 1470 |
if (ccs_str_starts(&data, KEYWORD_ADDRESS_GROUP)) |
if (ccs_str_starts(&data, CCS_KEYWORD_ADDRESS_GROUP)) |
| 1471 |
return ccs_write_address_group_policy(data, is_delete); |
return ccs_write_address_group_policy(data, is_delete); |
| 1472 |
if (ccs_str_starts(&data, KEYWORD_DENY_AUTOBIND)) |
if (ccs_str_starts(&data, CCS_KEYWORD_DENY_AUTOBIND)) |
| 1473 |
return ccs_write_reserved_port_policy(data, is_delete); |
return ccs_write_reserved_port_policy(data, is_delete); |
| 1474 |
return -EINVAL; |
return -EINVAL; |
| 1475 |
} |
} |
TOMOYO
Parent Directory
Revision Log
Patch