3 |
* |
* |
4 |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
5 |
* |
* |
6 |
* Version: 1.7.0-rc 2009/09/01 |
* Version: 1.7.1+ 2009/12/20 |
7 |
* |
* |
8 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
9 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
16 |
.learning = &ccs_default_profile.preference, |
.learning = &ccs_default_profile.preference, |
17 |
.permissive = &ccs_default_profile.preference, |
.permissive = &ccs_default_profile.preference, |
18 |
.enforcing = &ccs_default_profile.preference, |
.enforcing = &ccs_default_profile.preference, |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
19 |
.audit = &ccs_default_profile.preference, |
.audit = &ccs_default_profile.preference, |
20 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
21 |
.preference.audit_max_grant_log = CONFIG_CCSECURITY_MAX_GRANT_LOG, |
.preference.audit_max_grant_log = CONFIG_CCSECURITY_MAX_GRANT_LOG, |
22 |
.preference.audit_max_reject_log = CONFIG_CCSECURITY_MAX_REJECT_LOG, |
.preference.audit_max_reject_log = CONFIG_CCSECURITY_MAX_REJECT_LOG, |
23 |
#endif |
#endif |
24 |
|
.preference.audit_task_info = true, |
25 |
|
.preference.audit_path_info = true, |
26 |
.preference.enforcing_penalty = 0, |
.preference.enforcing_penalty = 0, |
27 |
.preference.enforcing_verbose = true, |
.preference.enforcing_verbose = true, |
28 |
.preference.learning_max_entry = CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY, |
.preference.learning_max_entry = CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY, |
33 |
.preference.permissive_verbose = true |
.preference.permissive_verbose = true |
34 |
}; |
}; |
35 |
|
|
36 |
|
/* Profile version. Currently only 20090903 is defined. */ |
37 |
|
static unsigned int ccs_profile_version; |
38 |
|
|
39 |
/* Profile table. Memory is allocated as needed. */ |
/* Profile table. Memory is allocated as needed. */ |
40 |
static struct ccs_profile *ccs_profile_ptr[CCS_MAX_PROFILES]; |
static struct ccs_profile *ccs_profile_ptr[CCS_MAX_PROFILES]; |
41 |
|
|
|
/* Lock for protecting "struct ccs_profile"->comment */ |
|
|
static DEFINE_SPINLOCK(ccs_profile_comment_lock); |
|
|
|
|
42 |
/* String table for functionality that takes 4 modes. */ |
/* String table for functionality that takes 4 modes. */ |
43 |
static const char *ccs_mode_4[4] = { |
static const char *ccs_mode_4[4] = { |
44 |
"disabled", "learning", "permissive", "enforcing" |
"disabled", "learning", "permissive", "enforcing" |
265 |
ptr = ccs_profile_ptr[profile]; |
ptr = ccs_profile_ptr[profile]; |
266 |
if (!ptr && ccs_memory_ok(entry, sizeof(*entry))) { |
if (!ptr && ccs_memory_ok(entry, sizeof(*entry))) { |
267 |
ptr = entry; |
ptr = entry; |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
268 |
ptr->audit = &ccs_default_profile.preference; |
ptr->audit = &ccs_default_profile.preference; |
|
#endif |
|
269 |
ptr->learning = &ccs_default_profile.preference; |
ptr->learning = &ccs_default_profile.preference; |
270 |
ptr->permissive = &ccs_default_profile.preference; |
ptr->permissive = &ccs_default_profile.preference; |
271 |
ptr->enforcing = &ccs_default_profile.preference; |
ptr->enforcing = &ccs_default_profile.preference; |
283 |
} |
} |
284 |
|
|
285 |
/** |
/** |
286 |
|
* ccs_check_profile - Check all profiles currently assigned to domains are defined. |
287 |
|
*/ |
288 |
|
void ccs_check_profile(void) |
289 |
|
{ |
290 |
|
struct ccs_domain_info *domain; |
291 |
|
ccs_policy_loaded = true; |
292 |
|
list_for_each_entry_rcu(domain, &ccs_domain_list, list) { |
293 |
|
const u8 profile = domain->profile; |
294 |
|
if (ccs_profile_ptr[profile]) |
295 |
|
continue; |
296 |
|
panic("Profile %u (used by '%s') not defined.\n", |
297 |
|
profile, domain->domainname->name); |
298 |
|
} |
299 |
|
if (ccs_profile_version != 20090903) |
300 |
|
panic("Profile version %u is not supported.\n", |
301 |
|
ccs_profile_version); |
302 |
|
} |
303 |
|
|
304 |
|
/** |
305 |
* ccs_profile - Find a profile. |
* ccs_profile - Find a profile. |
306 |
* |
* |
307 |
* @profile: Profile number to find. |
* @profile: Profile number to find. |
308 |
* |
* |
309 |
* Returns pointer to "struct ccs_profile" on success, NULL otherwise. |
* Returns pointer to "struct ccs_profile". |
310 |
*/ |
*/ |
311 |
struct ccs_profile *ccs_profile(const u8 profile) |
struct ccs_profile *ccs_profile(const u8 profile) |
312 |
{ |
{ |
334 |
bool use_default = false; |
bool use_default = false; |
335 |
char *cp; |
char *cp; |
336 |
struct ccs_profile *profile; |
struct ccs_profile *profile; |
337 |
|
if (sscanf(data, "PROFILE_VERSION=%u", &ccs_profile_version) == 1) |
338 |
|
return 0; |
339 |
i = simple_strtoul(data, &cp, 10); |
i = simple_strtoul(data, &cp, 10); |
340 |
if (data == cp) { |
if (data == cp) { |
341 |
profile = &ccs_default_profile; |
profile = &ccs_default_profile; |
359 |
value = 0; |
value = 0; |
360 |
else |
else |
361 |
value = -1; |
value = -1; |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
362 |
if (!strcmp(data, "PREFERENCE::audit")) { |
if (!strcmp(data, "PREFERENCE::audit")) { |
363 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
364 |
char *cp2; |
char *cp2; |
365 |
|
#endif |
366 |
if (use_default) { |
if (use_default) { |
367 |
profile->audit = &ccs_default_profile.preference; |
profile->audit = &ccs_default_profile.preference; |
368 |
return 0; |
return 0; |
369 |
} |
} |
370 |
profile->audit = &profile->preference; |
profile->audit = &profile->preference; |
371 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
372 |
cp2 = strstr(cp, "max_grant_log="); |
cp2 = strstr(cp, "max_grant_log="); |
373 |
if (cp2) |
if (cp2) |
374 |
sscanf(cp2 + 14, "%u", |
sscanf(cp2 + 14, "%u", |
377 |
if (cp2) |
if (cp2) |
378 |
sscanf(cp2 + 15, "%u", |
sscanf(cp2 + 15, "%u", |
379 |
&profile->preference.audit_max_reject_log); |
&profile->preference.audit_max_reject_log); |
380 |
|
#endif |
381 |
|
if (strstr(cp, "task_info=yes")) |
382 |
|
profile->preference.audit_task_info = true; |
383 |
|
else if (strstr(cp, "task_info=no")) |
384 |
|
profile->preference.audit_task_info = false; |
385 |
|
if (strstr(cp, "path_info=yes")) |
386 |
|
profile->preference.audit_path_info = true; |
387 |
|
else if (strstr(cp, "path_info=no")) |
388 |
|
profile->preference.audit_path_info = false; |
389 |
return 0; |
return 0; |
390 |
} |
} |
|
#endif |
|
391 |
if (!strcmp(data, "PREFERENCE::enforcing")) { |
if (!strcmp(data, "PREFERENCE::enforcing")) { |
392 |
char *cp2; |
char *cp2; |
393 |
if (use_default) { |
if (use_default) { |
443 |
if (profile == &ccs_default_profile) |
if (profile == &ccs_default_profile) |
444 |
return -EINVAL; |
return -EINVAL; |
445 |
if (!strcmp(data, "COMMENT")) { |
if (!strcmp(data, "COMMENT")) { |
446 |
const struct ccs_path_info *new_comment = ccs_get_name(cp); |
const struct ccs_path_info *old_comment = profile->comment; |
447 |
const struct ccs_path_info *old_comment; |
profile->comment = ccs_get_name(cp); |
|
/* Protect reader from ccs_put_name(). */ |
|
|
spin_lock(&ccs_profile_comment_lock); |
|
|
old_comment = profile->comment; |
|
|
profile->comment = new_comment; |
|
|
spin_unlock(&ccs_profile_comment_lock); |
|
448 |
ccs_put_name(old_comment); |
ccs_put_name(old_comment); |
449 |
return 0; |
return 0; |
450 |
} |
} |
510 |
return; |
return; |
511 |
if (head->read_bit) |
if (head->read_bit) |
512 |
goto body; |
goto body; |
513 |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20090827"); |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20090903"); |
514 |
|
ccs_io_printf(head, "PREFERENCE::audit={ " |
515 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
516 |
|
"max_grant_log=%u max_reject_log=%u " |
517 |
|
#endif |
518 |
|
"task_info=%s path_info=%s }\n", |
519 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
|
ccs_io_printf(head, "PREFERENCE::audit={ max_grant_log=%u " |
|
|
"max_reject_log=%u }\n", |
|
520 |
ccs_default_profile.preference.audit_max_grant_log, |
ccs_default_profile.preference.audit_max_grant_log, |
521 |
ccs_default_profile.preference.audit_max_reject_log); |
ccs_default_profile.preference.audit_max_reject_log, |
522 |
#endif |
#endif |
523 |
|
ccs_yesno(ccs_default_profile.preference. |
524 |
|
audit_task_info), |
525 |
|
ccs_yesno(ccs_default_profile.preference. |
526 |
|
audit_path_info)); |
527 |
ccs_io_printf(head, "PREFERENCE::learning={ verbose=%s max_entry=%u " |
ccs_io_printf(head, "PREFERENCE::learning={ verbose=%s max_entry=%u " |
528 |
"exec.realpath=%s exec.argv0=%s symlink.target=%s }\n", |
"exec.realpath=%s exec.argv0=%s symlink.target=%s }\n", |
529 |
ccs_yesno(ccs_default_profile.preference. |
ccs_yesno(ccs_default_profile.preference. |
551 |
int i; |
int i; |
552 |
int pos; |
int pos; |
553 |
const struct ccs_profile *profile = ccs_profile_ptr[index]; |
const struct ccs_profile *profile = ccs_profile_ptr[index]; |
554 |
|
const struct ccs_path_info *comment; |
555 |
head->read_step = index; |
head->read_step = index; |
556 |
if (!profile) |
if (!profile) |
557 |
continue; |
continue; |
558 |
pos = head->read_avail; |
pos = head->read_avail; |
559 |
spin_lock(&ccs_profile_comment_lock); |
comment = profile->comment; |
560 |
done = ccs_io_printf(head, "%u-COMMENT=%s\n", index, |
done = ccs_io_printf(head, "%u-COMMENT=%s\n", index, |
561 |
profile->comment ? profile->comment->name |
comment ? comment->name : ""); |
|
: ""); |
|
|
spin_unlock(&ccs_profile_comment_lock); |
|
562 |
if (!done) |
if (!done) |
563 |
goto out; |
goto out; |
564 |
config = profile->default_config; |
config = profile->default_config; |
600 |
goto out; |
goto out; |
601 |
#endif |
#endif |
602 |
} |
} |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
603 |
if (profile->audit != &ccs_default_profile.preference && |
if (profile->audit != &ccs_default_profile.preference && |
604 |
!ccs_io_printf(head, "%u-PREFERENCE::audit={ " |
!ccs_io_printf(head, "%u-PREFERENCE::audit={ " |
605 |
"max_grant_log=%u max_reject_log=%u }\n", |
#ifdef CONFIG_CCSECURITY_AUDIT |
606 |
index, |
"max_grant_log=%u max_reject_log=%u " |
607 |
|
#endif |
608 |
|
"task_info=%s path_info=%s }\n", index, |
609 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
610 |
profile->preference.audit_max_grant_log, |
profile->preference.audit_max_grant_log, |
611 |
profile->preference.audit_max_reject_log)) |
profile->preference.audit_max_reject_log, |
|
goto out; |
|
612 |
#endif |
#endif |
613 |
|
ccs_yesno(profile->preference. |
614 |
|
audit_task_info), |
615 |
|
ccs_yesno(profile->preference. |
616 |
|
audit_path_info))) |
617 |
|
goto out; |
618 |
if (profile->learning != &ccs_default_profile.preference && |
if (profile->learning != &ccs_default_profile.preference && |
619 |
!ccs_io_printf(head, "%u-PREFERENCE::learning={ " |
!ccs_io_printf(head, "%u-PREFERENCE::learning={ " |
620 |
"verbose=%s max_entry=%u exec.realpath=%s " |
"verbose=%s max_entry=%u exec.realpath=%s " |
846 |
if (sscanf(data, "pid=%u", &pid) == 1 || |
if (sscanf(data, "pid=%u", &pid) == 1 || |
847 |
(global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { |
(global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { |
848 |
struct task_struct *p; |
struct task_struct *p; |
849 |
read_lock(&tasklist_lock); |
ccs_tasklist_lock(); |
850 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) |
851 |
if (global_pid) |
if (global_pid) |
852 |
p = find_task_by_pid_ns(pid, &init_pid_ns); |
p = find_task_by_pid_ns(pid, &init_pid_ns); |
857 |
#endif |
#endif |
858 |
if (p) |
if (p) |
859 |
domain = ccs_task_domain(p); |
domain = ccs_task_domain(p); |
860 |
read_unlock(&tasklist_lock); |
ccs_tasklist_unlock(); |
861 |
} else if (!strncmp(data, "domain=", 7)) { |
} else if (!strncmp(data, "domain=", 7)) { |
862 |
if (ccs_is_domain_def(data + 7)) |
if (ccs_is_domain_def(data + 7)) |
863 |
domain = ccs_find_domain(data + 7); |
domain = ccs_find_domain(data + 7); |
903 |
return ccs_write_env_policy(data, domain, cond, is_delete); |
return ccs_write_env_policy(data, domain, cond, is_delete); |
904 |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_MOUNT)) |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_MOUNT)) |
905 |
return ccs_write_mount_policy(data, domain, cond, is_delete); |
return ccs_write_mount_policy(data, domain, cond, is_delete); |
|
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_UNMOUNT)) |
|
|
return ccs_write_umount_policy(data, domain, cond, is_delete); |
|
|
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_CHROOT)) |
|
|
return ccs_write_chroot_policy(data, domain, cond, is_delete); |
|
|
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_PIVOT_ROOT)) |
|
|
return ccs_write_pivot_root_policy(data, domain, cond, |
|
|
is_delete); |
|
906 |
return ccs_write_file_policy(data, domain, cond, is_delete); |
return ccs_write_file_policy(data, domain, cond, is_delete); |
907 |
} |
} |
908 |
|
|
948 |
|
|
949 |
if (sscanf(data, CCS_KEYWORD_USE_PROFILE "%u", &profile) == 1 |
if (sscanf(data, CCS_KEYWORD_USE_PROFILE "%u", &profile) == 1 |
950 |
&& profile < CCS_MAX_PROFILES) { |
&& profile < CCS_MAX_PROFILES) { |
951 |
if (ccs_profile(profile)) |
if (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile]) |
952 |
domain->profile = (u8) profile; |
domain->profile = (u8) profile; |
953 |
return 0; |
return 0; |
954 |
} |
} |
960 |
domain->ignore_global_allow_env = !is_delete; |
domain->ignore_global_allow_env = !is_delete; |
961 |
return 0; |
return 0; |
962 |
} |
} |
963 |
|
if (!strcmp(data, CCS_KEYWORD_QUOTA_EXCEEDED)) { |
964 |
|
domain->quota_warned = !is_delete; |
965 |
|
return 0; |
966 |
|
} |
967 |
|
if (!strcmp(data, CCS_KEYWORD_TRANSITION_FAILED)) { |
968 |
|
domain->domain_transition_failed = !is_delete; |
969 |
|
return 0; |
970 |
|
} |
971 |
cp = ccs_find_condition_part(data); |
cp = ccs_find_condition_part(data); |
972 |
if (cp) { |
if (cp) { |
973 |
cond = ccs_get_condition(cp); |
cond = ccs_get_condition(cp); |
1209 |
} |
} |
1210 |
|
|
1211 |
/** |
/** |
1212 |
* ccs_print_path_acl - Print a single path ACL entry. |
* ccs_print_path_acl - Print a path ACL entry. |
1213 |
* |
* |
1214 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
1215 |
* @ptr: Pointer to "struct ccs_path_acl". |
* @ptr: Pointer to "struct ccs_path_acl". |
1560 |
} |
} |
1561 |
|
|
1562 |
/** |
/** |
|
* ccs_print_umount_acl - Print a mount ACL entry. |
|
|
* |
|
|
* @head: Pointer to "struct ccs_io_buffer". |
|
|
* @ptr: Pointer to "struct ccs_umount_acl". |
|
|
* @cond: Pointer to "struct ccs_condition". May be NULL. |
|
|
* |
|
|
* Returns true on success, false otherwise. |
|
|
*/ |
|
|
static bool ccs_print_umount_acl(struct ccs_io_buffer *head, |
|
|
struct ccs_umount_acl *ptr, |
|
|
const struct ccs_condition *cond) |
|
|
{ |
|
|
const int pos = head->read_avail; |
|
|
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_UNMOUNT) || |
|
|
!ccs_print_name_union(head, &ptr->dir) || |
|
|
!ccs_print_condition(head, cond)) { |
|
|
head->read_avail = pos; |
|
|
return false; |
|
|
} |
|
|
return true; |
|
|
} |
|
|
|
|
|
/** |
|
|
* ccs_print_chroot_acl - Print a chroot ACL entry. |
|
|
* |
|
|
* @head: Pointer to "struct ccs_io_buffer". |
|
|
* @ptr: Pointer to "struct ccs_chroot_acl". |
|
|
* @cond: Pointer to "struct ccs_condition". May be NULL. |
|
|
* |
|
|
* Returns true on success, false otherwise. |
|
|
*/ |
|
|
static bool ccs_print_chroot_acl(struct ccs_io_buffer *head, |
|
|
struct ccs_chroot_acl *ptr, |
|
|
const struct ccs_condition *cond) |
|
|
{ |
|
|
const int pos = head->read_avail; |
|
|
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_CHROOT) || |
|
|
!ccs_print_name_union(head, &ptr->dir) || |
|
|
!ccs_print_condition(head, cond)) { |
|
|
head->read_avail = pos; |
|
|
return false; |
|
|
} |
|
|
return true; |
|
|
} |
|
|
|
|
|
/** |
|
|
* ccs_print_pivot_root_acl - Print a pivot_root ACL entry. |
|
|
* |
|
|
* @head: Pointer to "struct ccs_io_buffer". |
|
|
* @ptr: Pointer to "struct ccs_pivot_root_acl". |
|
|
* @cond: Pointer to "struct ccs_condition". May be NULL. |
|
|
* |
|
|
* Returns true on success, false otherwise. |
|
|
*/ |
|
|
static bool ccs_print_pivot_root_acl(struct ccs_io_buffer *head, |
|
|
struct ccs_pivot_root_acl *ptr, |
|
|
const struct ccs_condition *cond) |
|
|
{ |
|
|
const int pos = head->read_avail; |
|
|
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_PIVOT_ROOT) || |
|
|
!ccs_print_name_union(head, &ptr->new_root) || |
|
|
!ccs_print_name_union(head, &ptr->old_root) || |
|
|
!ccs_print_condition(head, cond)) { |
|
|
head->read_avail = pos; |
|
|
return false; |
|
|
} |
|
|
return true; |
|
|
} |
|
|
|
|
|
/** |
|
1563 |
* ccs_print_entry - Print an ACL entry. |
* ccs_print_entry - Print an ACL entry. |
1564 |
* |
* |
1565 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
1576 |
return true; |
return true; |
1577 |
if (acl_type == CCS_TYPE_PATH_ACL) { |
if (acl_type == CCS_TYPE_PATH_ACL) { |
1578 |
struct ccs_path_acl *acl |
struct ccs_path_acl *acl |
1579 |
= container_of(ptr, struct ccs_path_acl, |
= container_of(ptr, struct ccs_path_acl, head); |
|
head); |
|
1580 |
return ccs_print_path_acl(head, acl, cond); |
return ccs_print_path_acl(head, acl, cond); |
1581 |
} |
} |
1582 |
if (acl_type == CCS_TYPE_EXECUTE_HANDLER) { |
if (acl_type == CCS_TYPE_EXECUTE_HANDLER) { |
1602 |
} |
} |
1603 |
if (acl_type == CCS_TYPE_PATH2_ACL) { |
if (acl_type == CCS_TYPE_PATH2_ACL) { |
1604 |
struct ccs_path2_acl *acl |
struct ccs_path2_acl *acl |
1605 |
= container_of(ptr, struct ccs_path2_acl, |
= container_of(ptr, struct ccs_path2_acl, head); |
|
head); |
|
1606 |
return ccs_print_path2_acl(head, acl, cond); |
return ccs_print_path2_acl(head, acl, cond); |
1607 |
} |
} |
1608 |
if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
1609 |
struct ccs_path_number_acl *acl |
struct ccs_path_number_acl *acl |
1610 |
= container_of(ptr, struct ccs_path_number_acl, |
= container_of(ptr, struct ccs_path_number_acl, head); |
|
head); |
|
1611 |
return ccs_print_path_number_acl(head, acl, cond); |
return ccs_print_path_number_acl(head, acl, cond); |
1612 |
} |
} |
1613 |
if (acl_type == CCS_TYPE_ENV_ACL) { |
if (acl_type == CCS_TYPE_ENV_ACL) { |
1617 |
} |
} |
1618 |
if (acl_type == CCS_TYPE_CAPABILITY_ACL) { |
if (acl_type == CCS_TYPE_CAPABILITY_ACL) { |
1619 |
struct ccs_capability_acl *acl |
struct ccs_capability_acl *acl |
1620 |
= container_of(ptr, struct ccs_capability_acl, |
= container_of(ptr, struct ccs_capability_acl, head); |
|
head); |
|
1621 |
return ccs_print_capability_acl(head, acl, cond); |
return ccs_print_capability_acl(head, acl, cond); |
1622 |
} |
} |
1623 |
if (acl_type == CCS_TYPE_IP_NETWORK_ACL) { |
if (acl_type == CCS_TYPE_IP_NETWORK_ACL) { |
1624 |
struct ccs_ip_network_acl *acl |
struct ccs_ip_network_acl *acl |
1625 |
= container_of(ptr, struct ccs_ip_network_acl, |
= container_of(ptr, struct ccs_ip_network_acl, head); |
|
head); |
|
1626 |
return ccs_print_network_acl(head, acl, cond); |
return ccs_print_network_acl(head, acl, cond); |
1627 |
} |
} |
1628 |
if (acl_type == CCS_TYPE_SIGNAL_ACL) { |
if (acl_type == CCS_TYPE_SIGNAL_ACL) { |
1635 |
= container_of(ptr, struct ccs_mount_acl, head); |
= container_of(ptr, struct ccs_mount_acl, head); |
1636 |
return ccs_print_mount_acl(head, acl, cond); |
return ccs_print_mount_acl(head, acl, cond); |
1637 |
} |
} |
|
if (acl_type == CCS_TYPE_UMOUNT_ACL) { |
|
|
struct ccs_umount_acl *acl |
|
|
= container_of(ptr, struct ccs_umount_acl, head); |
|
|
return ccs_print_umount_acl(head, acl, cond); |
|
|
} |
|
|
if (acl_type == CCS_TYPE_CHROOT_ACL) { |
|
|
struct ccs_chroot_acl *acl |
|
|
= container_of(ptr, struct ccs_chroot_acl, head); |
|
|
return ccs_print_chroot_acl(head, acl, cond); |
|
|
} |
|
|
if (acl_type == CCS_TYPE_PIVOT_ROOT_ACL) { |
|
|
struct ccs_pivot_root_acl *acl |
|
|
= container_of(ptr, struct ccs_pivot_root_acl, |
|
|
head); |
|
|
return ccs_print_pivot_root_acl(head, acl, cond); |
|
|
} |
|
1638 |
BUG(); /* This must not happen. */ |
BUG(); /* This must not happen. */ |
1639 |
return false; |
return false; |
1640 |
} |
} |
1667 |
continue; |
continue; |
1668 |
/* Print domainname and flags. */ |
/* Print domainname and flags. */ |
1669 |
if (domain->quota_warned) |
if (domain->quota_warned) |
1670 |
quota_exceeded = "quota_exceeded\n"; |
quota_exceeded = CCS_KEYWORD_QUOTA_EXCEEDED "\n"; |
1671 |
if (domain->domain_transition_failed) |
if (domain->domain_transition_failed) |
1672 |
transition_failed = "transition_failed\n"; |
transition_failed = CCS_KEYWORD_TRANSITION_FAILED "\n"; |
1673 |
if (domain->ignore_global_allow_read) |
if (domain->ignore_global_allow_read) |
1674 |
ignore_global_allow_read |
ignore_global_allow_read |
1675 |
= CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; |
= CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; |
1733 |
if (profile >= CCS_MAX_PROFILES) |
if (profile >= CCS_MAX_PROFILES) |
1734 |
return -EINVAL; |
return -EINVAL; |
1735 |
domain = ccs_find_domain(cp + 1); |
domain = ccs_find_domain(cp + 1); |
1736 |
if (domain && ccs_profile(profile)) |
if (domain && (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile])) |
1737 |
domain->profile = (u8) profile; |
domain->profile = (u8) profile; |
1738 |
return 0; |
return 0; |
1739 |
} |
} |
1803 |
struct ccs_domain_info *domain = NULL; |
struct ccs_domain_info *domain = NULL; |
1804 |
u32 ccs_flags = 0; |
u32 ccs_flags = 0; |
1805 |
/* Accessing write_buf is safe because head->io_sem is held. */ |
/* Accessing write_buf is safe because head->io_sem is held. */ |
1806 |
if (!buf) |
if (!buf) { |
1807 |
|
head->read_eof = true; |
1808 |
return; /* Do nothing if open(O_RDONLY). */ |
return; /* Do nothing if open(O_RDONLY). */ |
1809 |
|
} |
1810 |
if (head->read_avail || head->read_eof) |
if (head->read_avail || head->read_eof) |
1811 |
return; |
return; |
1812 |
head->read_eof = true; |
head->read_eof = true; |
1815 |
if (ccs_str_starts(&buf, "global-pid ")) |
if (ccs_str_starts(&buf, "global-pid ")) |
1816 |
global_pid = true; |
global_pid = true; |
1817 |
pid = (unsigned int) simple_strtoul(buf, NULL, 10); |
pid = (unsigned int) simple_strtoul(buf, NULL, 10); |
1818 |
read_lock(&tasklist_lock); |
ccs_tasklist_lock(); |
1819 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) |
1820 |
if (global_pid) |
if (global_pid) |
1821 |
p = find_task_by_pid_ns(pid, &init_pid_ns); |
p = find_task_by_pid_ns(pid, &init_pid_ns); |
1828 |
domain = ccs_task_domain(p); |
domain = ccs_task_domain(p); |
1829 |
ccs_flags = p->ccs_flags; |
ccs_flags = p->ccs_flags; |
1830 |
} |
} |
1831 |
read_unlock(&tasklist_lock); |
ccs_tasklist_unlock(); |
1832 |
if (!domain) |
if (!domain) |
1833 |
return; |
return; |
1834 |
if (!task_info) |
if (!task_info) |
2420 |
{ |
{ |
2421 |
if (head->read_eof) |
if (head->read_eof) |
2422 |
return; |
return; |
2423 |
ccs_io_printf(head, "1.7.0-rc"); |
ccs_io_printf(head, "1.7.1"); |
2424 |
head->read_eof = true; |
head->read_eof = true; |
2425 |
} |
} |
2426 |
|
|
2578 |
* Waits for read readiness. |
* Waits for read readiness. |
2579 |
* /proc/ccs/query is handled by /usr/sbin/ccs-queryd and |
* /proc/ccs/query is handled by /usr/sbin/ccs-queryd and |
2580 |
* /proc/ccs/grant_log and /proc/ccs/reject_log are handled by |
* /proc/ccs/grant_log and /proc/ccs/reject_log are handled by |
2581 |
* /usr/sbin/ccs-auditd. |
* /usr/sbin/ccs-auditd . |
2582 |
*/ |
*/ |
2583 |
int ccs_poll_control(struct file *file, poll_table *wait) |
int ccs_poll_control(struct file *file, poll_table *wait) |
2584 |
{ |
{ |