3 |
* |
* |
4 |
* Copyright (C) 2005-2010 NTT DATA CORPORATION |
* Copyright (C) 2005-2010 NTT DATA CORPORATION |
5 |
* |
* |
6 |
* Version: 1.8.0-pre 2010/10/28 |
* Version: 1.8.0+ 2010/12/31 |
|
* |
|
|
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
|
|
* See README.ccs for ChangeLog. |
|
|
* |
|
7 |
*/ |
*/ |
8 |
|
|
9 |
#include "internal.h" |
#include "internal.h" |
257 |
|
|
258 |
/* String table for PREFERENCE keyword. */ |
/* String table for PREFERENCE keyword. */ |
259 |
static const char * const ccs_pref_keywords[CCS_MAX_PREF] = { |
static const char * const ccs_pref_keywords[CCS_MAX_PREF] = { |
260 |
[CCS_PREF_MAX_GRANT_LOG] = "max_grant_log", |
[CCS_PREF_MAX_AUDIT_LOG] = "max_audit_log", |
|
[CCS_PREF_MAX_REJECT_LOG] = "max_reject_log", |
|
261 |
[CCS_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", |
[CCS_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", |
262 |
[CCS_PREF_ENFORCING_PENALTY] = "enforcing_penalty", |
[CCS_PREF_ENFORCING_PENALTY] = "enforcing_penalty", |
263 |
}; |
}; |
272 |
* |
* |
273 |
* Returns "yes" if @value is not 0, "no" otherwise. |
* Returns "yes" if @value is not 0, "no" otherwise. |
274 |
*/ |
*/ |
275 |
static const char *ccs_yesno(const unsigned int value) |
const char *ccs_yesno(const unsigned int value) |
276 |
{ |
{ |
277 |
return value ? "yes" : "no"; |
return value ? "yes" : "no"; |
278 |
} |
} |
441 |
CCS_CONFIG_WANT_GRANT_LOG | CCS_CONFIG_WANT_REJECT_LOG; |
CCS_CONFIG_WANT_GRANT_LOG | CCS_CONFIG_WANT_REJECT_LOG; |
442 |
memset(ptr->config, CCS_CONFIG_USE_DEFAULT, |
memset(ptr->config, CCS_CONFIG_USE_DEFAULT, |
443 |
sizeof(ptr->config)); |
sizeof(ptr->config)); |
444 |
ptr->pref[CCS_PREF_MAX_GRANT_LOG] = |
ptr->pref[CCS_PREF_MAX_AUDIT_LOG] = |
445 |
CONFIG_CCSECURITY_MAX_GRANT_LOG; |
CONFIG_CCSECURITY_MAX_AUDIT_LOG; |
|
ptr->pref[CCS_PREF_MAX_REJECT_LOG] = |
|
|
CONFIG_CCSECURITY_MAX_REJECT_LOG; |
|
446 |
ptr->pref[CCS_PREF_MAX_LEARNING_ENTRY] = |
ptr->pref[CCS_PREF_MAX_LEARNING_ENTRY] = |
447 |
CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY; |
CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY; |
448 |
mb(); /* Avoid out-of-order execution. */ |
mb(); /* Avoid out-of-order execution. */ |
469 |
const u8 profile = domain->profile; |
const u8 profile = domain->profile; |
470 |
if (ccs_profile_ptr[profile]) |
if (ccs_profile_ptr[profile]) |
471 |
continue; |
continue; |
472 |
printk(KERN_ERR "You need to define profile %u before using it.\n", |
printk(KERN_ERR "Profile %u must be defined before using it.\n", |
473 |
profile); |
profile); |
474 |
printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/1.8/ " |
printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/1.8/ " |
475 |
"for more information.\n"); |
"for more information.\n"); |
478 |
} |
} |
479 |
ccs_read_unlock(idx); |
ccs_read_unlock(idx); |
480 |
if (ccs_profile_version != 20100903) { |
if (ccs_profile_version != 20100903) { |
481 |
printk(KERN_ERR "You need to install userland programs for " |
printk(KERN_ERR "Userland tools must be installed for " |
482 |
"TOMOYO 1.8 and initialize policy configuration.\n"); |
"TOMOYO 1.8, and policy must be initialized.\n"); |
483 |
printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/1.8/ " |
printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/1.8/ " |
484 |
"for more information.\n"); |
"for more information.\n"); |
485 |
panic("Profile version %u is not supported.\n", |
panic("Profile version %u is not supported.\n", |
486 |
ccs_profile_version); |
ccs_profile_version); |
487 |
} |
} |
488 |
printk(KERN_INFO "CCSecurity: 1.8.0-pre 2010/10/28\n"); |
printk(KERN_INFO "CCSecurity: 1.8.0+ 2010/12/31\n"); |
489 |
printk(KERN_INFO "Mandatory Access Control activated.\n"); |
printk(KERN_INFO "Mandatory Access Control activated.\n"); |
490 |
} |
} |
491 |
|
|
1125 |
if (sscanf(data, "use_profile %u\n", &profile) == 1 |
if (sscanf(data, "use_profile %u\n", &profile) == 1 |
1126 |
&& profile < CCS_MAX_PROFILES) { |
&& profile < CCS_MAX_PROFILES) { |
1127 |
if (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile]) |
if (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile]) |
1128 |
domain->profile = (u8) profile; |
if (!is_delete) |
1129 |
|
domain->profile = (u8) profile; |
1130 |
return 0; |
return 0; |
1131 |
} |
} |
1132 |
if (sscanf(data, "use_group %u\n", &profile) == 1 |
if (sscanf(data, "use_group %u\n", &profile) == 1 |
1133 |
&& profile < CCS_MAX_ACL_GROUPS) { |
&& profile < CCS_MAX_ACL_GROUPS) { |
1134 |
domain->group = (u8) profile; |
if (!is_delete) |
1135 |
|
domain->group = (u8) profile; |
1136 |
return 0; |
return 0; |
1137 |
} |
} |
1138 |
for (profile = 0; profile < CCS_MAX_DOMAIN_INFO_FLAGS; profile++) { |
for (profile = 0; profile < CCS_MAX_DOMAIN_INFO_FLAGS; profile++) { |
1348 |
ccs_yesno(cond->grant_log == |
ccs_yesno(cond->grant_log == |
1349 |
CCS_GRANTLOG_YES)); |
CCS_GRANTLOG_YES)); |
1350 |
if (cond->transit) { |
if (cond->transit) { |
1351 |
ccs_set_string(head, " auto_domain_transitition=\""); |
ccs_set_string(head, " auto_domain_transition=\""); |
1352 |
ccs_set_string(head, cond->transit->name); |
ccs_set_string(head, cond->transit->name); |
1353 |
ccs_set_string(head, "\""); |
ccs_set_string(head, "\""); |
1354 |
} |
} |
2143 |
va_start(args, fmt); |
va_start(args, fmt); |
2144 |
len = vsnprintf((char *) &len, 1, fmt, args) + 1; |
len = vsnprintf((char *) &len, 1, fmt, args) + 1; |
2145 |
va_end(args); |
va_end(args); |
2146 |
/* Write /proc/ccs/grant_log or /proc/ccs/reject_log. */ |
/* Write /proc/ccs/audit. */ |
2147 |
va_start(args, fmt); |
va_start(args, fmt); |
2148 |
ccs_write_log2(r, len, fmt, args); |
ccs_write_log2(r, len, fmt, args); |
2149 |
va_end(args); |
va_end(args); |
2159 |
error = -EPERM; |
error = -EPERM; |
2160 |
if (atomic_read(&ccs_query_observers)) |
if (atomic_read(&ccs_query_observers)) |
2161 |
break; |
break; |
2162 |
if (ccs_current_flags() & CCS_DONT_SLEEP_ON_ENFORCE_ERROR) |
if (r->dont_sleep_on_enforce_error) |
2163 |
goto out; |
goto out; |
2164 |
p = ccs_profile(r->profile); |
p = ccs_profile(r->profile); |
2165 |
/* Check enforcing_penalty parameter. */ |
/* Check enforcing_penalty parameter. */ |
2285 |
char *buf; |
char *buf; |
2286 |
if (head->r.w_pos) |
if (head->r.w_pos) |
2287 |
return; |
return; |
2288 |
if (head->read_buf) { |
kfree(head->read_buf); |
2289 |
kfree(head->read_buf); |
head->read_buf = NULL; |
|
head->read_buf = NULL; |
|
|
} |
|
2290 |
spin_lock(&ccs_query_list_lock); |
spin_lock(&ccs_query_list_lock); |
2291 |
list_for_each(tmp, &ccs_query_list) { |
list_for_each(tmp, &ccs_query_list) { |
2292 |
struct ccs_query *ptr = list_entry(tmp, typeof(*ptr), list); |
struct ccs_query *ptr = list_entry(tmp, typeof(*ptr), list); |
2378 |
{ |
{ |
2379 |
if (head->r.eof) |
if (head->r.eof) |
2380 |
return; |
return; |
2381 |
ccs_set_string(head, "1.8.0-pre"); |
ccs_set_string(head, "1.8.0"); |
2382 |
head->r.eof = true; |
head->r.eof = true; |
2383 |
} |
} |
2384 |
|
|
2554 |
head->write = ccs_write_exception; |
head->write = ccs_write_exception; |
2555 |
head->read = ccs_read_exception; |
head->read = ccs_read_exception; |
2556 |
break; |
break; |
2557 |
case CCS_GRANTLOG: /* /proc/ccs/grant_log */ |
case CCS_AUDIT: /* /proc/ccs/audit */ |
|
case CCS_REJECTLOG: /* /proc/ccs/reject_log */ |
|
2558 |
head->poll = ccs_poll_log; |
head->poll = ccs_poll_log; |
2559 |
head->read = ccs_read_log; |
head->read = ccs_read_log; |
2560 |
break; |
break; |
2640 |
*/ |
*/ |
2641 |
if (type == CCS_QUERY) |
if (type == CCS_QUERY) |
2642 |
atomic_inc(&ccs_query_observers); |
atomic_inc(&ccs_query_observers); |
2643 |
else if (type != CCS_GRANTLOG && type != CCS_REJECTLOG && |
else if (type != CCS_AUDIT && type != CCS_VERSION && |
2644 |
type != CCS_VERSION && type != CCS_MEMINFO && |
type != CCS_MEMINFO && type != CCS_STAT) |
|
type != CCS_STAT) |
|
2645 |
head->reader_idx = ccs_lock(); |
head->reader_idx = ccs_lock(); |
2646 |
file->private_data = head; |
file->private_data = head; |
2647 |
return 0; |
return 0; |
2657 |
* |
* |
2658 |
* Waits for read readiness. |
* Waits for read readiness. |
2659 |
* /proc/ccs/query is handled by /usr/sbin/ccs-queryd and |
* /proc/ccs/query is handled by /usr/sbin/ccs-queryd and |
2660 |
* /proc/ccs/grant_log and /proc/ccs/reject_log are handled by |
* /proc/ccs/audit is handled by /usr/sbin/ccs-auditd. |
|
* /usr/sbin/ccs-auditd. |
|
2661 |
*/ |
*/ |
2662 |
int ccs_poll_control(struct file *file, poll_table *wait) |
int ccs_poll_control(struct file *file, poll_table *wait) |
2663 |
{ |
{ |
2795 |
if (type == CCS_QUERY) { |
if (type == CCS_QUERY) { |
2796 |
if (atomic_dec_and_test(&ccs_query_observers)) |
if (atomic_dec_and_test(&ccs_query_observers)) |
2797 |
wake_up_all(&ccs_answer_wait); |
wake_up_all(&ccs_answer_wait); |
2798 |
} else if (type != CCS_GRANTLOG && type != CCS_REJECTLOG && |
} else if (type != CCS_AUDIT && type != CCS_VERSION && |
2799 |
type != CCS_VERSION && type != CCS_MEMINFO && |
type != CCS_MEMINFO && type != CCS_STAT) |
|
type != CCS_STAT) |
|
2800 |
ccs_unlock(head->reader_idx); |
ccs_unlock(head->reader_idx); |
2801 |
/* Release memory used for policy I/O. */ |
/* Release memory used for policy I/O. */ |
2802 |
kfree(head->read_buf); |
kfree(head->read_buf); |