| 3 |
* |
* |
| 4 |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
| 5 |
* |
* |
| 6 |
* Version: 1.7.0-rc 2009/09/01 |
* Version: 1.7.1+ 2009/12/20 |
| 7 |
* |
* |
| 8 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
| 9 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
| 16 |
.learning = &ccs_default_profile.preference, |
.learning = &ccs_default_profile.preference, |
| 17 |
.permissive = &ccs_default_profile.preference, |
.permissive = &ccs_default_profile.preference, |
| 18 |
.enforcing = &ccs_default_profile.preference, |
.enforcing = &ccs_default_profile.preference, |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
| 19 |
.audit = &ccs_default_profile.preference, |
.audit = &ccs_default_profile.preference, |
| 20 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
| 21 |
.preference.audit_max_grant_log = CONFIG_CCSECURITY_MAX_GRANT_LOG, |
.preference.audit_max_grant_log = CONFIG_CCSECURITY_MAX_GRANT_LOG, |
| 22 |
.preference.audit_max_reject_log = CONFIG_CCSECURITY_MAX_REJECT_LOG, |
.preference.audit_max_reject_log = CONFIG_CCSECURITY_MAX_REJECT_LOG, |
| 23 |
#endif |
#endif |
| 24 |
|
.preference.audit_task_info = true, |
| 25 |
|
.preference.audit_path_info = true, |
| 26 |
.preference.enforcing_penalty = 0, |
.preference.enforcing_penalty = 0, |
| 27 |
.preference.enforcing_verbose = true, |
.preference.enforcing_verbose = true, |
| 28 |
.preference.learning_max_entry = CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY, |
.preference.learning_max_entry = CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY, |
| 33 |
.preference.permissive_verbose = true |
.preference.permissive_verbose = true |
| 34 |
}; |
}; |
| 35 |
|
|
| 36 |
|
/* Profile version. Currently only 20090903 is defined. */ |
| 37 |
|
static unsigned int ccs_profile_version; |
| 38 |
|
|
| 39 |
/* Profile table. Memory is allocated as needed. */ |
/* Profile table. Memory is allocated as needed. */ |
| 40 |
static struct ccs_profile *ccs_profile_ptr[CCS_MAX_PROFILES]; |
static struct ccs_profile *ccs_profile_ptr[CCS_MAX_PROFILES]; |
| 41 |
|
|
|
/* Lock for protecting "struct ccs_profile"->comment */ |
|
|
static DEFINE_SPINLOCK(ccs_profile_comment_lock); |
|
|
|
|
| 42 |
/* String table for functionality that takes 4 modes. */ |
/* String table for functionality that takes 4 modes. */ |
| 43 |
static const char *ccs_mode_4[4] = { |
static const char *ccs_mode_4[4] = { |
| 44 |
"disabled", "learning", "permissive", "enforcing" |
"disabled", "learning", "permissive", "enforcing" |
| 265 |
ptr = ccs_profile_ptr[profile]; |
ptr = ccs_profile_ptr[profile]; |
| 266 |
if (!ptr && ccs_memory_ok(entry, sizeof(*entry))) { |
if (!ptr && ccs_memory_ok(entry, sizeof(*entry))) { |
| 267 |
ptr = entry; |
ptr = entry; |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
| 268 |
ptr->audit = &ccs_default_profile.preference; |
ptr->audit = &ccs_default_profile.preference; |
|
#endif |
|
| 269 |
ptr->learning = &ccs_default_profile.preference; |
ptr->learning = &ccs_default_profile.preference; |
| 270 |
ptr->permissive = &ccs_default_profile.preference; |
ptr->permissive = &ccs_default_profile.preference; |
| 271 |
ptr->enforcing = &ccs_default_profile.preference; |
ptr->enforcing = &ccs_default_profile.preference; |
| 283 |
} |
} |
| 284 |
|
|
| 285 |
/** |
/** |
| 286 |
|
* ccs_check_profile - Check all profiles currently assigned to domains are defined. |
| 287 |
|
*/ |
| 288 |
|
void ccs_check_profile(void) |
| 289 |
|
{ |
| 290 |
|
struct ccs_domain_info *domain; |
| 291 |
|
ccs_policy_loaded = true; |
| 292 |
|
list_for_each_entry_rcu(domain, &ccs_domain_list, list) { |
| 293 |
|
const u8 profile = domain->profile; |
| 294 |
|
if (ccs_profile_ptr[profile]) |
| 295 |
|
continue; |
| 296 |
|
panic("Profile %u (used by '%s') not defined.\n", |
| 297 |
|
profile, domain->domainname->name); |
| 298 |
|
} |
| 299 |
|
if (ccs_profile_version != 20090903) |
| 300 |
|
panic("Profile version %u is not supported.\n", |
| 301 |
|
ccs_profile_version); |
| 302 |
|
} |
| 303 |
|
|
| 304 |
|
/** |
| 305 |
* ccs_profile - Find a profile. |
* ccs_profile - Find a profile. |
| 306 |
* |
* |
| 307 |
* @profile: Profile number to find. |
* @profile: Profile number to find. |
| 308 |
* |
* |
| 309 |
* Returns pointer to "struct ccs_profile" on success, NULL otherwise. |
* Returns pointer to "struct ccs_profile". |
| 310 |
*/ |
*/ |
| 311 |
struct ccs_profile *ccs_profile(const u8 profile) |
struct ccs_profile *ccs_profile(const u8 profile) |
| 312 |
{ |
{ |
| 334 |
bool use_default = false; |
bool use_default = false; |
| 335 |
char *cp; |
char *cp; |
| 336 |
struct ccs_profile *profile; |
struct ccs_profile *profile; |
| 337 |
|
if (sscanf(data, "PROFILE_VERSION=%u", &ccs_profile_version) == 1) |
| 338 |
|
return 0; |
| 339 |
i = simple_strtoul(data, &cp, 10); |
i = simple_strtoul(data, &cp, 10); |
| 340 |
if (data == cp) { |
if (data == cp) { |
| 341 |
profile = &ccs_default_profile; |
profile = &ccs_default_profile; |
| 359 |
value = 0; |
value = 0; |
| 360 |
else |
else |
| 361 |
value = -1; |
value = -1; |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
| 362 |
if (!strcmp(data, "PREFERENCE::audit")) { |
if (!strcmp(data, "PREFERENCE::audit")) { |
| 363 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
| 364 |
char *cp2; |
char *cp2; |
| 365 |
|
#endif |
| 366 |
if (use_default) { |
if (use_default) { |
| 367 |
profile->audit = &ccs_default_profile.preference; |
profile->audit = &ccs_default_profile.preference; |
| 368 |
return 0; |
return 0; |
| 369 |
} |
} |
| 370 |
profile->audit = &profile->preference; |
profile->audit = &profile->preference; |
| 371 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
| 372 |
cp2 = strstr(cp, "max_grant_log="); |
cp2 = strstr(cp, "max_grant_log="); |
| 373 |
if (cp2) |
if (cp2) |
| 374 |
sscanf(cp2 + 14, "%u", |
sscanf(cp2 + 14, "%u", |
| 377 |
if (cp2) |
if (cp2) |
| 378 |
sscanf(cp2 + 15, "%u", |
sscanf(cp2 + 15, "%u", |
| 379 |
&profile->preference.audit_max_reject_log); |
&profile->preference.audit_max_reject_log); |
| 380 |
|
#endif |
| 381 |
|
if (strstr(cp, "task_info=yes")) |
| 382 |
|
profile->preference.audit_task_info = true; |
| 383 |
|
else if (strstr(cp, "task_info=no")) |
| 384 |
|
profile->preference.audit_task_info = false; |
| 385 |
|
if (strstr(cp, "path_info=yes")) |
| 386 |
|
profile->preference.audit_path_info = true; |
| 387 |
|
else if (strstr(cp, "path_info=no")) |
| 388 |
|
profile->preference.audit_path_info = false; |
| 389 |
return 0; |
return 0; |
| 390 |
} |
} |
|
#endif |
|
| 391 |
if (!strcmp(data, "PREFERENCE::enforcing")) { |
if (!strcmp(data, "PREFERENCE::enforcing")) { |
| 392 |
char *cp2; |
char *cp2; |
| 393 |
if (use_default) { |
if (use_default) { |
| 443 |
if (profile == &ccs_default_profile) |
if (profile == &ccs_default_profile) |
| 444 |
return -EINVAL; |
return -EINVAL; |
| 445 |
if (!strcmp(data, "COMMENT")) { |
if (!strcmp(data, "COMMENT")) { |
| 446 |
const struct ccs_path_info *new_comment = ccs_get_name(cp); |
const struct ccs_path_info *old_comment = profile->comment; |
| 447 |
const struct ccs_path_info *old_comment; |
profile->comment = ccs_get_name(cp); |
|
/* Protect reader from ccs_put_name(). */ |
|
|
spin_lock(&ccs_profile_comment_lock); |
|
|
old_comment = profile->comment; |
|
|
profile->comment = new_comment; |
|
|
spin_unlock(&ccs_profile_comment_lock); |
|
| 448 |
ccs_put_name(old_comment); |
ccs_put_name(old_comment); |
| 449 |
return 0; |
return 0; |
| 450 |
} |
} |
| 510 |
return; |
return; |
| 511 |
if (head->read_bit) |
if (head->read_bit) |
| 512 |
goto body; |
goto body; |
| 513 |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20090827"); |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20090903"); |
| 514 |
|
ccs_io_printf(head, "PREFERENCE::audit={ " |
| 515 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
| 516 |
|
"max_grant_log=%u max_reject_log=%u " |
| 517 |
|
#endif |
| 518 |
|
"task_info=%s path_info=%s }\n", |
| 519 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
|
ccs_io_printf(head, "PREFERENCE::audit={ max_grant_log=%u " |
|
|
"max_reject_log=%u }\n", |
|
| 520 |
ccs_default_profile.preference.audit_max_grant_log, |
ccs_default_profile.preference.audit_max_grant_log, |
| 521 |
ccs_default_profile.preference.audit_max_reject_log); |
ccs_default_profile.preference.audit_max_reject_log, |
| 522 |
#endif |
#endif |
| 523 |
|
ccs_yesno(ccs_default_profile.preference. |
| 524 |
|
audit_task_info), |
| 525 |
|
ccs_yesno(ccs_default_profile.preference. |
| 526 |
|
audit_path_info)); |
| 527 |
ccs_io_printf(head, "PREFERENCE::learning={ verbose=%s max_entry=%u " |
ccs_io_printf(head, "PREFERENCE::learning={ verbose=%s max_entry=%u " |
| 528 |
"exec.realpath=%s exec.argv0=%s symlink.target=%s }\n", |
"exec.realpath=%s exec.argv0=%s symlink.target=%s }\n", |
| 529 |
ccs_yesno(ccs_default_profile.preference. |
ccs_yesno(ccs_default_profile.preference. |
| 551 |
int i; |
int i; |
| 552 |
int pos; |
int pos; |
| 553 |
const struct ccs_profile *profile = ccs_profile_ptr[index]; |
const struct ccs_profile *profile = ccs_profile_ptr[index]; |
| 554 |
|
const struct ccs_path_info *comment; |
| 555 |
head->read_step = index; |
head->read_step = index; |
| 556 |
if (!profile) |
if (!profile) |
| 557 |
continue; |
continue; |
| 558 |
pos = head->read_avail; |
pos = head->read_avail; |
| 559 |
spin_lock(&ccs_profile_comment_lock); |
comment = profile->comment; |
| 560 |
done = ccs_io_printf(head, "%u-COMMENT=%s\n", index, |
done = ccs_io_printf(head, "%u-COMMENT=%s\n", index, |
| 561 |
profile->comment ? profile->comment->name |
comment ? comment->name : ""); |
|
: ""); |
|
|
spin_unlock(&ccs_profile_comment_lock); |
|
| 562 |
if (!done) |
if (!done) |
| 563 |
goto out; |
goto out; |
| 564 |
config = profile->default_config; |
config = profile->default_config; |
| 600 |
goto out; |
goto out; |
| 601 |
#endif |
#endif |
| 602 |
} |
} |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
| 603 |
if (profile->audit != &ccs_default_profile.preference && |
if (profile->audit != &ccs_default_profile.preference && |
| 604 |
!ccs_io_printf(head, "%u-PREFERENCE::audit={ " |
!ccs_io_printf(head, "%u-PREFERENCE::audit={ " |
| 605 |
"max_grant_log=%u max_reject_log=%u }\n", |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 606 |
index, |
"max_grant_log=%u max_reject_log=%u " |
| 607 |
|
#endif |
| 608 |
|
"task_info=%s path_info=%s }\n", index, |
| 609 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
| 610 |
profile->preference.audit_max_grant_log, |
profile->preference.audit_max_grant_log, |
| 611 |
profile->preference.audit_max_reject_log)) |
profile->preference.audit_max_reject_log, |
|
goto out; |
|
| 612 |
#endif |
#endif |
| 613 |
|
ccs_yesno(profile->preference. |
| 614 |
|
audit_task_info), |
| 615 |
|
ccs_yesno(profile->preference. |
| 616 |
|
audit_path_info))) |
| 617 |
|
goto out; |
| 618 |
if (profile->learning != &ccs_default_profile.preference && |
if (profile->learning != &ccs_default_profile.preference && |
| 619 |
!ccs_io_printf(head, "%u-PREFERENCE::learning={ " |
!ccs_io_printf(head, "%u-PREFERENCE::learning={ " |
| 620 |
"verbose=%s max_entry=%u exec.realpath=%s " |
"verbose=%s max_entry=%u exec.realpath=%s " |
| 846 |
if (sscanf(data, "pid=%u", &pid) == 1 || |
if (sscanf(data, "pid=%u", &pid) == 1 || |
| 847 |
(global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { |
(global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { |
| 848 |
struct task_struct *p; |
struct task_struct *p; |
| 849 |
read_lock(&tasklist_lock); |
ccs_tasklist_lock(); |
| 850 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) |
| 851 |
if (global_pid) |
if (global_pid) |
| 852 |
p = find_task_by_pid_ns(pid, &init_pid_ns); |
p = find_task_by_pid_ns(pid, &init_pid_ns); |
| 857 |
#endif |
#endif |
| 858 |
if (p) |
if (p) |
| 859 |
domain = ccs_task_domain(p); |
domain = ccs_task_domain(p); |
| 860 |
read_unlock(&tasklist_lock); |
ccs_tasklist_unlock(); |
| 861 |
} else if (!strncmp(data, "domain=", 7)) { |
} else if (!strncmp(data, "domain=", 7)) { |
| 862 |
if (ccs_is_domain_def(data + 7)) |
if (ccs_is_domain_def(data + 7)) |
| 863 |
domain = ccs_find_domain(data + 7); |
domain = ccs_find_domain(data + 7); |
| 903 |
return ccs_write_env_policy(data, domain, cond, is_delete); |
return ccs_write_env_policy(data, domain, cond, is_delete); |
| 904 |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_MOUNT)) |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_MOUNT)) |
| 905 |
return ccs_write_mount_policy(data, domain, cond, is_delete); |
return ccs_write_mount_policy(data, domain, cond, is_delete); |
|
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_UNMOUNT)) |
|
|
return ccs_write_umount_policy(data, domain, cond, is_delete); |
|
|
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_CHROOT)) |
|
|
return ccs_write_chroot_policy(data, domain, cond, is_delete); |
|
|
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_PIVOT_ROOT)) |
|
|
return ccs_write_pivot_root_policy(data, domain, cond, |
|
|
is_delete); |
|
| 906 |
return ccs_write_file_policy(data, domain, cond, is_delete); |
return ccs_write_file_policy(data, domain, cond, is_delete); |
| 907 |
} |
} |
| 908 |
|
|
| 948 |
|
|
| 949 |
if (sscanf(data, CCS_KEYWORD_USE_PROFILE "%u", &profile) == 1 |
if (sscanf(data, CCS_KEYWORD_USE_PROFILE "%u", &profile) == 1 |
| 950 |
&& profile < CCS_MAX_PROFILES) { |
&& profile < CCS_MAX_PROFILES) { |
| 951 |
if (ccs_profile(profile)) |
if (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile]) |
| 952 |
domain->profile = (u8) profile; |
domain->profile = (u8) profile; |
| 953 |
return 0; |
return 0; |
| 954 |
} |
} |
| 960 |
domain->ignore_global_allow_env = !is_delete; |
domain->ignore_global_allow_env = !is_delete; |
| 961 |
return 0; |
return 0; |
| 962 |
} |
} |
| 963 |
|
if (!strcmp(data, CCS_KEYWORD_QUOTA_EXCEEDED)) { |
| 964 |
|
domain->quota_warned = !is_delete; |
| 965 |
|
return 0; |
| 966 |
|
} |
| 967 |
|
if (!strcmp(data, CCS_KEYWORD_TRANSITION_FAILED)) { |
| 968 |
|
domain->domain_transition_failed = !is_delete; |
| 969 |
|
return 0; |
| 970 |
|
} |
| 971 |
cp = ccs_find_condition_part(data); |
cp = ccs_find_condition_part(data); |
| 972 |
if (cp) { |
if (cp) { |
| 973 |
cond = ccs_get_condition(cp); |
cond = ccs_get_condition(cp); |
| 1209 |
} |
} |
| 1210 |
|
|
| 1211 |
/** |
/** |
| 1212 |
* ccs_print_path_acl - Print a single path ACL entry. |
* ccs_print_path_acl - Print a path ACL entry. |
| 1213 |
* |
* |
| 1214 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
| 1215 |
* @ptr: Pointer to "struct ccs_path_acl". |
* @ptr: Pointer to "struct ccs_path_acl". |
| 1560 |
} |
} |
| 1561 |
|
|
| 1562 |
/** |
/** |
|
* ccs_print_umount_acl - Print a mount ACL entry. |
|
|
* |
|
|
* @head: Pointer to "struct ccs_io_buffer". |
|
|
* @ptr: Pointer to "struct ccs_umount_acl". |
|
|
* @cond: Pointer to "struct ccs_condition". May be NULL. |
|
|
* |
|
|
* Returns true on success, false otherwise. |
|
|
*/ |
|
|
static bool ccs_print_umount_acl(struct ccs_io_buffer *head, |
|
|
struct ccs_umount_acl *ptr, |
|
|
const struct ccs_condition *cond) |
|
|
{ |
|
|
const int pos = head->read_avail; |
|
|
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_UNMOUNT) || |
|
|
!ccs_print_name_union(head, &ptr->dir) || |
|
|
!ccs_print_condition(head, cond)) { |
|
|
head->read_avail = pos; |
|
|
return false; |
|
|
} |
|
|
return true; |
|
|
} |
|
|
|
|
|
/** |
|
|
* ccs_print_chroot_acl - Print a chroot ACL entry. |
|
|
* |
|
|
* @head: Pointer to "struct ccs_io_buffer". |
|
|
* @ptr: Pointer to "struct ccs_chroot_acl". |
|
|
* @cond: Pointer to "struct ccs_condition". May be NULL. |
|
|
* |
|
|
* Returns true on success, false otherwise. |
|
|
*/ |
|
|
static bool ccs_print_chroot_acl(struct ccs_io_buffer *head, |
|
|
struct ccs_chroot_acl *ptr, |
|
|
const struct ccs_condition *cond) |
|
|
{ |
|
|
const int pos = head->read_avail; |
|
|
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_CHROOT) || |
|
|
!ccs_print_name_union(head, &ptr->dir) || |
|
|
!ccs_print_condition(head, cond)) { |
|
|
head->read_avail = pos; |
|
|
return false; |
|
|
} |
|
|
return true; |
|
|
} |
|
|
|
|
|
/** |
|
|
* ccs_print_pivot_root_acl - Print a pivot_root ACL entry. |
|
|
* |
|
|
* @head: Pointer to "struct ccs_io_buffer". |
|
|
* @ptr: Pointer to "struct ccs_pivot_root_acl". |
|
|
* @cond: Pointer to "struct ccs_condition". May be NULL. |
|
|
* |
|
|
* Returns true on success, false otherwise. |
|
|
*/ |
|
|
static bool ccs_print_pivot_root_acl(struct ccs_io_buffer *head, |
|
|
struct ccs_pivot_root_acl *ptr, |
|
|
const struct ccs_condition *cond) |
|
|
{ |
|
|
const int pos = head->read_avail; |
|
|
if (!ccs_io_printf(head, CCS_KEYWORD_ALLOW_PIVOT_ROOT) || |
|
|
!ccs_print_name_union(head, &ptr->new_root) || |
|
|
!ccs_print_name_union(head, &ptr->old_root) || |
|
|
!ccs_print_condition(head, cond)) { |
|
|
head->read_avail = pos; |
|
|
return false; |
|
|
} |
|
|
return true; |
|
|
} |
|
|
|
|
|
/** |
|
| 1563 |
* ccs_print_entry - Print an ACL entry. |
* ccs_print_entry - Print an ACL entry. |
| 1564 |
* |
* |
| 1565 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
| 1576 |
return true; |
return true; |
| 1577 |
if (acl_type == CCS_TYPE_PATH_ACL) { |
if (acl_type == CCS_TYPE_PATH_ACL) { |
| 1578 |
struct ccs_path_acl *acl |
struct ccs_path_acl *acl |
| 1579 |
= container_of(ptr, struct ccs_path_acl, |
= container_of(ptr, struct ccs_path_acl, head); |
|
head); |
|
| 1580 |
return ccs_print_path_acl(head, acl, cond); |
return ccs_print_path_acl(head, acl, cond); |
| 1581 |
} |
} |
| 1582 |
if (acl_type == CCS_TYPE_EXECUTE_HANDLER) { |
if (acl_type == CCS_TYPE_EXECUTE_HANDLER) { |
| 1602 |
} |
} |
| 1603 |
if (acl_type == CCS_TYPE_PATH2_ACL) { |
if (acl_type == CCS_TYPE_PATH2_ACL) { |
| 1604 |
struct ccs_path2_acl *acl |
struct ccs_path2_acl *acl |
| 1605 |
= container_of(ptr, struct ccs_path2_acl, |
= container_of(ptr, struct ccs_path2_acl, head); |
|
head); |
|
| 1606 |
return ccs_print_path2_acl(head, acl, cond); |
return ccs_print_path2_acl(head, acl, cond); |
| 1607 |
} |
} |
| 1608 |
if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
| 1609 |
struct ccs_path_number_acl *acl |
struct ccs_path_number_acl *acl |
| 1610 |
= container_of(ptr, struct ccs_path_number_acl, |
= container_of(ptr, struct ccs_path_number_acl, head); |
|
head); |
|
| 1611 |
return ccs_print_path_number_acl(head, acl, cond); |
return ccs_print_path_number_acl(head, acl, cond); |
| 1612 |
} |
} |
| 1613 |
if (acl_type == CCS_TYPE_ENV_ACL) { |
if (acl_type == CCS_TYPE_ENV_ACL) { |
| 1617 |
} |
} |
| 1618 |
if (acl_type == CCS_TYPE_CAPABILITY_ACL) { |
if (acl_type == CCS_TYPE_CAPABILITY_ACL) { |
| 1619 |
struct ccs_capability_acl *acl |
struct ccs_capability_acl *acl |
| 1620 |
= container_of(ptr, struct ccs_capability_acl, |
= container_of(ptr, struct ccs_capability_acl, head); |
|
head); |
|
| 1621 |
return ccs_print_capability_acl(head, acl, cond); |
return ccs_print_capability_acl(head, acl, cond); |
| 1622 |
} |
} |
| 1623 |
if (acl_type == CCS_TYPE_IP_NETWORK_ACL) { |
if (acl_type == CCS_TYPE_IP_NETWORK_ACL) { |
| 1624 |
struct ccs_ip_network_acl *acl |
struct ccs_ip_network_acl *acl |
| 1625 |
= container_of(ptr, struct ccs_ip_network_acl, |
= container_of(ptr, struct ccs_ip_network_acl, head); |
|
head); |
|
| 1626 |
return ccs_print_network_acl(head, acl, cond); |
return ccs_print_network_acl(head, acl, cond); |
| 1627 |
} |
} |
| 1628 |
if (acl_type == CCS_TYPE_SIGNAL_ACL) { |
if (acl_type == CCS_TYPE_SIGNAL_ACL) { |
| 1635 |
= container_of(ptr, struct ccs_mount_acl, head); |
= container_of(ptr, struct ccs_mount_acl, head); |
| 1636 |
return ccs_print_mount_acl(head, acl, cond); |
return ccs_print_mount_acl(head, acl, cond); |
| 1637 |
} |
} |
|
if (acl_type == CCS_TYPE_UMOUNT_ACL) { |
|
|
struct ccs_umount_acl *acl |
|
|
= container_of(ptr, struct ccs_umount_acl, head); |
|
|
return ccs_print_umount_acl(head, acl, cond); |
|
|
} |
|
|
if (acl_type == CCS_TYPE_CHROOT_ACL) { |
|
|
struct ccs_chroot_acl *acl |
|
|
= container_of(ptr, struct ccs_chroot_acl, head); |
|
|
return ccs_print_chroot_acl(head, acl, cond); |
|
|
} |
|
|
if (acl_type == CCS_TYPE_PIVOT_ROOT_ACL) { |
|
|
struct ccs_pivot_root_acl *acl |
|
|
= container_of(ptr, struct ccs_pivot_root_acl, |
|
|
head); |
|
|
return ccs_print_pivot_root_acl(head, acl, cond); |
|
|
} |
|
| 1638 |
BUG(); /* This must not happen. */ |
BUG(); /* This must not happen. */ |
| 1639 |
return false; |
return false; |
| 1640 |
} |
} |
| 1667 |
continue; |
continue; |
| 1668 |
/* Print domainname and flags. */ |
/* Print domainname and flags. */ |
| 1669 |
if (domain->quota_warned) |
if (domain->quota_warned) |
| 1670 |
quota_exceeded = "quota_exceeded\n"; |
quota_exceeded = CCS_KEYWORD_QUOTA_EXCEEDED "\n"; |
| 1671 |
if (domain->domain_transition_failed) |
if (domain->domain_transition_failed) |
| 1672 |
transition_failed = "transition_failed\n"; |
transition_failed = CCS_KEYWORD_TRANSITION_FAILED "\n"; |
| 1673 |
if (domain->ignore_global_allow_read) |
if (domain->ignore_global_allow_read) |
| 1674 |
ignore_global_allow_read |
ignore_global_allow_read |
| 1675 |
= CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; |
= CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; |
| 1733 |
if (profile >= CCS_MAX_PROFILES) |
if (profile >= CCS_MAX_PROFILES) |
| 1734 |
return -EINVAL; |
return -EINVAL; |
| 1735 |
domain = ccs_find_domain(cp + 1); |
domain = ccs_find_domain(cp + 1); |
| 1736 |
if (domain && ccs_profile(profile)) |
if (domain && (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile])) |
| 1737 |
domain->profile = (u8) profile; |
domain->profile = (u8) profile; |
| 1738 |
return 0; |
return 0; |
| 1739 |
} |
} |
| 1803 |
struct ccs_domain_info *domain = NULL; |
struct ccs_domain_info *domain = NULL; |
| 1804 |
u32 ccs_flags = 0; |
u32 ccs_flags = 0; |
| 1805 |
/* Accessing write_buf is safe because head->io_sem is held. */ |
/* Accessing write_buf is safe because head->io_sem is held. */ |
| 1806 |
if (!buf) |
if (!buf) { |
| 1807 |
|
head->read_eof = true; |
| 1808 |
return; /* Do nothing if open(O_RDONLY). */ |
return; /* Do nothing if open(O_RDONLY). */ |
| 1809 |
|
} |
| 1810 |
if (head->read_avail || head->read_eof) |
if (head->read_avail || head->read_eof) |
| 1811 |
return; |
return; |
| 1812 |
head->read_eof = true; |
head->read_eof = true; |
| 1815 |
if (ccs_str_starts(&buf, "global-pid ")) |
if (ccs_str_starts(&buf, "global-pid ")) |
| 1816 |
global_pid = true; |
global_pid = true; |
| 1817 |
pid = (unsigned int) simple_strtoul(buf, NULL, 10); |
pid = (unsigned int) simple_strtoul(buf, NULL, 10); |
| 1818 |
read_lock(&tasklist_lock); |
ccs_tasklist_lock(); |
| 1819 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) |
| 1820 |
if (global_pid) |
if (global_pid) |
| 1821 |
p = find_task_by_pid_ns(pid, &init_pid_ns); |
p = find_task_by_pid_ns(pid, &init_pid_ns); |
| 1828 |
domain = ccs_task_domain(p); |
domain = ccs_task_domain(p); |
| 1829 |
ccs_flags = p->ccs_flags; |
ccs_flags = p->ccs_flags; |
| 1830 |
} |
} |
| 1831 |
read_unlock(&tasklist_lock); |
ccs_tasklist_unlock(); |
| 1832 |
if (!domain) |
if (!domain) |
| 1833 |
return; |
return; |
| 1834 |
if (!task_info) |
if (!task_info) |
| 2420 |
{ |
{ |
| 2421 |
if (head->read_eof) |
if (head->read_eof) |
| 2422 |
return; |
return; |
| 2423 |
ccs_io_printf(head, "1.7.0-rc"); |
ccs_io_printf(head, "1.7.1"); |
| 2424 |
head->read_eof = true; |
head->read_eof = true; |
| 2425 |
} |
} |
| 2426 |
|
|
| 2578 |
* Waits for read readiness. |
* Waits for read readiness. |
| 2579 |
* /proc/ccs/query is handled by /usr/sbin/ccs-queryd and |
* /proc/ccs/query is handled by /usr/sbin/ccs-queryd and |
| 2580 |
* /proc/ccs/grant_log and /proc/ccs/reject_log are handled by |
* /proc/ccs/grant_log and /proc/ccs/reject_log are handled by |
| 2581 |
* /usr/sbin/ccs-auditd. |
* /usr/sbin/ccs-auditd . |
| 2582 |
*/ |
*/ |
| 2583 |
int ccs_poll_control(struct file *file, poll_table *wait) |
int ccs_poll_control(struct file *file, poll_table *wait) |
| 2584 |
{ |
{ |
TOMOYO
Parent Directory
Revision Log
Patch