| 3 |
* |
* |
| 4 |
* Copyright (C) 2005-2010 NTT DATA CORPORATION |
* Copyright (C) 2005-2010 NTT DATA CORPORATION |
| 5 |
* |
* |
| 6 |
* Version: 1.8.0-rc 2010/11/09 |
* Version: 1.8.0+ 2010/12/31 |
| 7 |
*/ |
*/ |
| 8 |
|
|
| 9 |
#include "internal.h" |
#include "internal.h" |
| 257 |
|
|
| 258 |
/* String table for PREFERENCE keyword. */ |
/* String table for PREFERENCE keyword. */ |
| 259 |
static const char * const ccs_pref_keywords[CCS_MAX_PREF] = { |
static const char * const ccs_pref_keywords[CCS_MAX_PREF] = { |
| 260 |
[CCS_PREF_MAX_GRANT_LOG] = "max_grant_log", |
[CCS_PREF_MAX_AUDIT_LOG] = "max_audit_log", |
|
[CCS_PREF_MAX_REJECT_LOG] = "max_reject_log", |
|
| 261 |
[CCS_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", |
[CCS_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", |
| 262 |
[CCS_PREF_ENFORCING_PENALTY] = "enforcing_penalty", |
[CCS_PREF_ENFORCING_PENALTY] = "enforcing_penalty", |
| 263 |
}; |
}; |
| 272 |
* |
* |
| 273 |
* Returns "yes" if @value is not 0, "no" otherwise. |
* Returns "yes" if @value is not 0, "no" otherwise. |
| 274 |
*/ |
*/ |
| 275 |
static const char *ccs_yesno(const unsigned int value) |
const char *ccs_yesno(const unsigned int value) |
| 276 |
{ |
{ |
| 277 |
return value ? "yes" : "no"; |
return value ? "yes" : "no"; |
| 278 |
} |
} |
| 441 |
CCS_CONFIG_WANT_GRANT_LOG | CCS_CONFIG_WANT_REJECT_LOG; |
CCS_CONFIG_WANT_GRANT_LOG | CCS_CONFIG_WANT_REJECT_LOG; |
| 442 |
memset(ptr->config, CCS_CONFIG_USE_DEFAULT, |
memset(ptr->config, CCS_CONFIG_USE_DEFAULT, |
| 443 |
sizeof(ptr->config)); |
sizeof(ptr->config)); |
| 444 |
ptr->pref[CCS_PREF_MAX_GRANT_LOG] = |
ptr->pref[CCS_PREF_MAX_AUDIT_LOG] = |
| 445 |
CONFIG_CCSECURITY_MAX_GRANT_LOG; |
CONFIG_CCSECURITY_MAX_AUDIT_LOG; |
|
ptr->pref[CCS_PREF_MAX_REJECT_LOG] = |
|
|
CONFIG_CCSECURITY_MAX_REJECT_LOG; |
|
| 446 |
ptr->pref[CCS_PREF_MAX_LEARNING_ENTRY] = |
ptr->pref[CCS_PREF_MAX_LEARNING_ENTRY] = |
| 447 |
CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY; |
CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY; |
| 448 |
mb(); /* Avoid out-of-order execution. */ |
mb(); /* Avoid out-of-order execution. */ |
| 469 |
const u8 profile = domain->profile; |
const u8 profile = domain->profile; |
| 470 |
if (ccs_profile_ptr[profile]) |
if (ccs_profile_ptr[profile]) |
| 471 |
continue; |
continue; |
| 472 |
printk(KERN_ERR "You need to define profile %u before using it.\n", |
printk(KERN_ERR "Profile %u must be defined before using it.\n", |
| 473 |
profile); |
profile); |
| 474 |
printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/1.8/ " |
printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/1.8/ " |
| 475 |
"for more information.\n"); |
"for more information.\n"); |
| 478 |
} |
} |
| 479 |
ccs_read_unlock(idx); |
ccs_read_unlock(idx); |
| 480 |
if (ccs_profile_version != 20100903) { |
if (ccs_profile_version != 20100903) { |
| 481 |
printk(KERN_ERR "You need to install userland programs for " |
printk(KERN_ERR "Userland tools must be installed for " |
| 482 |
"TOMOYO 1.8 and initialize policy configuration.\n"); |
"TOMOYO 1.8, and policy must be initialized.\n"); |
| 483 |
printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/1.8/ " |
printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/1.8/ " |
| 484 |
"for more information.\n"); |
"for more information.\n"); |
| 485 |
panic("Profile version %u is not supported.\n", |
panic("Profile version %u is not supported.\n", |
| 486 |
ccs_profile_version); |
ccs_profile_version); |
| 487 |
} |
} |
| 488 |
printk(KERN_INFO "CCSecurity: 1.8.0-rc 2010/11/09\n"); |
printk(KERN_INFO "CCSecurity: 1.8.0+ 2010/12/31\n"); |
| 489 |
printk(KERN_INFO "Mandatory Access Control activated.\n"); |
printk(KERN_INFO "Mandatory Access Control activated.\n"); |
| 490 |
} |
} |
| 491 |
|
|
| 1125 |
if (sscanf(data, "use_profile %u\n", &profile) == 1 |
if (sscanf(data, "use_profile %u\n", &profile) == 1 |
| 1126 |
&& profile < CCS_MAX_PROFILES) { |
&& profile < CCS_MAX_PROFILES) { |
| 1127 |
if (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile]) |
if (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile]) |
| 1128 |
domain->profile = (u8) profile; |
if (!is_delete) |
| 1129 |
|
domain->profile = (u8) profile; |
| 1130 |
return 0; |
return 0; |
| 1131 |
} |
} |
| 1132 |
if (sscanf(data, "use_group %u\n", &profile) == 1 |
if (sscanf(data, "use_group %u\n", &profile) == 1 |
| 1133 |
&& profile < CCS_MAX_ACL_GROUPS) { |
&& profile < CCS_MAX_ACL_GROUPS) { |
| 1134 |
domain->group = (u8) profile; |
if (!is_delete) |
| 1135 |
|
domain->group = (u8) profile; |
| 1136 |
return 0; |
return 0; |
| 1137 |
} |
} |
| 1138 |
for (profile = 0; profile < CCS_MAX_DOMAIN_INFO_FLAGS; profile++) { |
for (profile = 0; profile < CCS_MAX_DOMAIN_INFO_FLAGS; profile++) { |
| 2143 |
va_start(args, fmt); |
va_start(args, fmt); |
| 2144 |
len = vsnprintf((char *) &len, 1, fmt, args) + 1; |
len = vsnprintf((char *) &len, 1, fmt, args) + 1; |
| 2145 |
va_end(args); |
va_end(args); |
| 2146 |
/* Write /proc/ccs/grant_log or /proc/ccs/reject_log. */ |
/* Write /proc/ccs/audit. */ |
| 2147 |
va_start(args, fmt); |
va_start(args, fmt); |
| 2148 |
ccs_write_log2(r, len, fmt, args); |
ccs_write_log2(r, len, fmt, args); |
| 2149 |
va_end(args); |
va_end(args); |
| 2159 |
error = -EPERM; |
error = -EPERM; |
| 2160 |
if (atomic_read(&ccs_query_observers)) |
if (atomic_read(&ccs_query_observers)) |
| 2161 |
break; |
break; |
| 2162 |
if (ccs_current_flags() & CCS_DONT_SLEEP_ON_ENFORCE_ERROR) |
if (r->dont_sleep_on_enforce_error) |
| 2163 |
goto out; |
goto out; |
| 2164 |
p = ccs_profile(r->profile); |
p = ccs_profile(r->profile); |
| 2165 |
/* Check enforcing_penalty parameter. */ |
/* Check enforcing_penalty parameter. */ |
| 2285 |
char *buf; |
char *buf; |
| 2286 |
if (head->r.w_pos) |
if (head->r.w_pos) |
| 2287 |
return; |
return; |
| 2288 |
if (head->read_buf) { |
kfree(head->read_buf); |
| 2289 |
kfree(head->read_buf); |
head->read_buf = NULL; |
|
head->read_buf = NULL; |
|
|
} |
|
| 2290 |
spin_lock(&ccs_query_list_lock); |
spin_lock(&ccs_query_list_lock); |
| 2291 |
list_for_each(tmp, &ccs_query_list) { |
list_for_each(tmp, &ccs_query_list) { |
| 2292 |
struct ccs_query *ptr = list_entry(tmp, typeof(*ptr), list); |
struct ccs_query *ptr = list_entry(tmp, typeof(*ptr), list); |
| 2378 |
{ |
{ |
| 2379 |
if (head->r.eof) |
if (head->r.eof) |
| 2380 |
return; |
return; |
| 2381 |
ccs_set_string(head, "1.8.0-pre"); |
ccs_set_string(head, "1.8.0"); |
| 2382 |
head->r.eof = true; |
head->r.eof = true; |
| 2383 |
} |
} |
| 2384 |
|
|
| 2554 |
head->write = ccs_write_exception; |
head->write = ccs_write_exception; |
| 2555 |
head->read = ccs_read_exception; |
head->read = ccs_read_exception; |
| 2556 |
break; |
break; |
| 2557 |
case CCS_GRANTLOG: /* /proc/ccs/grant_log */ |
case CCS_AUDIT: /* /proc/ccs/audit */ |
|
case CCS_REJECTLOG: /* /proc/ccs/reject_log */ |
|
| 2558 |
head->poll = ccs_poll_log; |
head->poll = ccs_poll_log; |
| 2559 |
head->read = ccs_read_log; |
head->read = ccs_read_log; |
| 2560 |
break; |
break; |
| 2640 |
*/ |
*/ |
| 2641 |
if (type == CCS_QUERY) |
if (type == CCS_QUERY) |
| 2642 |
atomic_inc(&ccs_query_observers); |
atomic_inc(&ccs_query_observers); |
| 2643 |
else if (type != CCS_GRANTLOG && type != CCS_REJECTLOG && |
else if (type != CCS_AUDIT && type != CCS_VERSION && |
| 2644 |
type != CCS_VERSION && type != CCS_MEMINFO && |
type != CCS_MEMINFO && type != CCS_STAT) |
|
type != CCS_STAT) |
|
| 2645 |
head->reader_idx = ccs_lock(); |
head->reader_idx = ccs_lock(); |
| 2646 |
file->private_data = head; |
file->private_data = head; |
| 2647 |
return 0; |
return 0; |
| 2657 |
* |
* |
| 2658 |
* Waits for read readiness. |
* Waits for read readiness. |
| 2659 |
* /proc/ccs/query is handled by /usr/sbin/ccs-queryd and |
* /proc/ccs/query is handled by /usr/sbin/ccs-queryd and |
| 2660 |
* /proc/ccs/grant_log and /proc/ccs/reject_log are handled by |
* /proc/ccs/audit is handled by /usr/sbin/ccs-auditd. |
|
* /usr/sbin/ccs-auditd. |
|
| 2661 |
*/ |
*/ |
| 2662 |
int ccs_poll_control(struct file *file, poll_table *wait) |
int ccs_poll_control(struct file *file, poll_table *wait) |
| 2663 |
{ |
{ |
| 2795 |
if (type == CCS_QUERY) { |
if (type == CCS_QUERY) { |
| 2796 |
if (atomic_dec_and_test(&ccs_query_observers)) |
if (atomic_dec_and_test(&ccs_query_observers)) |
| 2797 |
wake_up_all(&ccs_answer_wait); |
wake_up_all(&ccs_answer_wait); |
| 2798 |
} else if (type != CCS_GRANTLOG && type != CCS_REJECTLOG && |
} else if (type != CCS_AUDIT && type != CCS_VERSION && |
| 2799 |
type != CCS_VERSION && type != CCS_MEMINFO && |
type != CCS_MEMINFO && type != CCS_STAT) |
|
type != CCS_STAT) |
|
| 2800 |
ccs_unlock(head->reader_idx); |
ccs_unlock(head->reader_idx); |
| 2801 |
/* Release memory used for policy I/O. */ |
/* Release memory used for policy I/O. */ |
| 2802 |
kfree(head->read_buf); |
kfree(head->read_buf); |
TOMOYO
Parent Directory
Revision Log
Patch