
Diff of /trunk/1.8.x/ccs-patch/security/ccsecurity/policy_io.c


revision 2870 by kumaneko, Sat Aug 8 03:09:07 2009 UTC revision 2871 by kumaneko, Sat Aug 8 08:03:30 2009 UTC
# Line 35  static struct { Line 35  static struct {
35  } ccs_control_array[CCS_MAX_CONTROL_INDEX] = {  } ccs_control_array[CCS_MAX_CONTROL_INDEX] = {
36          [CCS_MAC_FOR_FILE]        = { "MAC_FOR_FILE",        0, 3 },          [CCS_MAC_FOR_FILE]        = { "MAC_FOR_FILE",        0, 3 },
37          [CCS_MAC_FOR_IOCTL]       = { "MAC_FOR_IOCTL",       0, 3 },          [CCS_MAC_FOR_IOCTL]       = { "MAC_FOR_IOCTL",       0, 3 },
38            [CCS_MAC_FOR_FILEATTR]    = { "MAC_FOR_FILEATTR",    0, 3 },
39          [CCS_MAC_FOR_ARGV0]       = { "MAC_FOR_ARGV0",       0, 3 },          [CCS_MAC_FOR_ARGV0]       = { "MAC_FOR_ARGV0",       0, 3 },
40          [CCS_MAC_FOR_ENV]         = { "MAC_FOR_ENV",         0, 3 },          [CCS_MAC_FOR_ENV]         = { "MAC_FOR_ENV",         0, 3 },
41          [CCS_MAC_FOR_NETWORK]     = { "MAC_FOR_NETWORK",     0, 3 },          [CCS_MAC_FOR_NETWORK]     = { "MAC_FOR_NETWORK",     0, 3 },
# Line 619  static int ccs_write_domain_policy(struc Line 620  static int ccs_write_domain_policy(struc
620                  error = ccs_write_argv0_policy(data, domain, cond, is_delete);                  error = ccs_write_argv0_policy(data, domain, cond, is_delete);
621          else if (ccs_str_starts(&data, KEYWORD_ALLOW_ENV))          else if (ccs_str_starts(&data, KEYWORD_ALLOW_ENV))
622                  error = ccs_write_env_policy(data, domain, cond, is_delete);                  error = ccs_write_env_policy(data, domain, cond, is_delete);
         else if (ccs_str_starts(&data, KEYWORD_ALLOW_IOCTL))  
                 error = ccs_write_ioctl_policy(data, domain, cond, is_delete);  
623          else if (ccs_str_starts(&data, KEYWORD_ALLOW_MOUNT))          else if (ccs_str_starts(&data, KEYWORD_ALLOW_MOUNT))
624                  error = ccs_write_mount_policy(data, domain, cond, is_delete);                  error = ccs_write_mount_policy(data, domain, cond, is_delete);
625          else if (ccs_str_starts(&data, KEYWORD_ALLOW_UNMOUNT))          else if (ccs_str_starts(&data, KEYWORD_ALLOW_UNMOUNT))
# Line 785  static bool ccs_print_double_path_acl(st Line 784  static bool ccs_print_double_path_acl(st
784  }  }
785    
786  /**  /**
787   * ccs_print_ioctl_acl - Print an ioctl ACL entry.   * ccs_print_path_number_acl - Print an ioctl/chmod/chown/chgrp ACL entry.
788   *   *
789   * @head: Pointer to "struct ccs_io_buffer".   * @head: Pointer to "struct ccs_io_buffer".
790   * @ptr:  Pointer to "struct ccs_ioctl_acl_record".   * @ptr:  Pointer to "struct ccs_path_number_acl_record".
791   * @cond: Pointer to "struct ccs_condition". May be NULL.   * @cond: Pointer to "struct ccs_condition". May be NULL.
792   *   *
793   * Returns true on success, false otherwise.   * Returns true on success, false otherwise.
794   */   */
795  static bool ccs_print_ioctl_acl(struct ccs_io_buffer *head,  static bool ccs_print_path_number_acl(struct ccs_io_buffer *head,
796                                  struct ccs_ioctl_acl_record *ptr,                                        struct ccs_path_number_acl_record *ptr,
797                                  const struct ccs_condition *cond)                                        const struct ccs_condition *cond)
798  {  {
799          int pos = head->read_avail;          int pos;
800          if (!ccs_io_printf(head, KEYWORD_ALLOW_IOCTL) ||          u8 bit;
801              !ccs_print_name_union(head, ptr->name_is_group, &ptr->name) ||          const u8 perm = ptr->perm;
802              !ccs_print_number_union(head, ptr->cmd_is_group, &ptr->cmd) ||          for (bit = head->read_bit; bit < MAX_PATH_NUMBER_OPERATION; bit++) {
803              !ccs_print_condition(head, cond))                  const char *msg;
804                  goto out;                  if (!(perm & (1 << bit)))
805                            continue;
806                    msg = ccs_path_number2keyword(bit);
807                    pos = head->read_avail;
808                    if (!ccs_io_printf(head, "allow_%s", msg) ||
809                        !ccs_print_name_union(head, ptr->name_is_group,
810                                              &ptr->name) ||
811                        !ccs_print_number_union(head, ptr->number_is_group,
812                                                &ptr->number) ||
813                        !ccs_print_condition(head, cond))
814                            goto out;
815            }
816            head->read_bit = 0;
817          return true;          return true;
818   out:   out:
819            head->read_bit = bit;
820          head->read_avail = pos;          head->read_avail = pos;
821          return false;          return false;
822  }  }
# Line 1161  static bool ccs_print_entry(struct ccs_i Line 1173  static bool ccs_print_entry(struct ccs_i
1173                                         head);                                         head);
1174                  return ccs_print_double_path_acl(head, acl, cond);                  return ccs_print_double_path_acl(head, acl, cond);
1175          }          }
1176          if (acl_type == TYPE_IOCTL_ACL) {          if (acl_type == TYPE_PATH_NUMBER_ACL) {
1177                  struct ccs_ioctl_acl_record *acl                  struct ccs_path_number_acl_record *acl
1178                          = container_of(ptr, struct ccs_ioctl_acl_record, head);                          = container_of(ptr, struct ccs_path_number_acl_record,
1179                  return ccs_print_ioctl_acl(head, acl, cond);                                         head);
1180                    return ccs_print_path_number_acl(head, acl, cond);
1181          }          }
1182          if (acl_type == TYPE_ARGV0_ACL) {          if (acl_type == TYPE_ARGV0_ACL) {
1183                  struct ccs_argv0_acl_record *acl                  struct ccs_argv0_acl_record *acl
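Review bot: In the new ccs_print_path_number_acl the loop tests `perm & (1 << bit)` against a `u8` copy of `ptr->perm` while iterating up to MAX_PATH_NUMBER_OPERATION, whose value is not visible on this page. If that constant ever exceeds 8, the extra operations would never be printed and policy read back through this interface would silently omit granted permissions. A `BUILD_BUG_ON(MAX_PATH_NUMBER_OPERATION > 8);` at the top of the function would pin the assumption. The kernel-doc comment should also state that on a full buffer the function rolls `head->read_avail` back to the start of the unfinished line and saves the current bit in `head->read_bit` so the next call resumes there. Separately, ccs_write_domain_policy no longer dispatches KEYWORD_ALLOW_IOCTL; presumably a path outside these hunks now accepts `allow_ioctl`, which is worth confirming so that existing policy files still load.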
