| 71 |
= "file::truncate", |
= "file::truncate", |
| 72 |
[CCS_MAC_FILE_SYMLINK] |
[CCS_MAC_FILE_SYMLINK] |
| 73 |
= "file::symlink", |
= "file::symlink", |
|
[CCS_MAC_FILE_REWRITE] |
|
|
= "file::rewrite", |
|
| 74 |
[CCS_MAC_FILE_MKBLOCK] |
[CCS_MAC_FILE_MKBLOCK] |
| 75 |
= "file::mkblock", |
= "file::mkblock", |
| 76 |
[CCS_MAC_FILE_MKCHAR] |
[CCS_MAC_FILE_MKCHAR] |
| 926 |
unsigned int pid; |
unsigned int pid; |
| 927 |
struct ccs_domain_info *domain = NULL; |
struct ccs_domain_info *domain = NULL; |
| 928 |
bool global_pid = false; |
bool global_pid = false; |
| 929 |
if (!strcmp(data, "allow_execute")) { |
if (!strcmp(data, "execute")) { |
| 930 |
head->r.print_execute_only = true; |
head->r.print_execute_only = true; |
| 931 |
return true; |
return true; |
| 932 |
} |
} |
| 972 |
const char *keyword; |
const char *keyword; |
| 973 |
int (*write) (char *, struct ccs_domain_info *, |
int (*write) (char *, struct ccs_domain_info *, |
| 974 |
struct ccs_condition *, const bool); |
struct ccs_condition *, const bool); |
| 975 |
} ccs_callback[5] = { |
} ccs_callback[4] = { |
| 976 |
{ CCS_KEYWORD_ALLOW_NETWORK, ccs_write_network }, |
{ "network ", ccs_write_network }, |
| 977 |
{ CCS_KEYWORD_ALLOW_ENV, ccs_write_env }, |
{ "misc ", ccs_write_misc }, |
| 978 |
{ CCS_KEYWORD_ALLOW_CAPABILITY, ccs_write_capability }, |
{ "capability ", ccs_write_capability }, |
| 979 |
{ CCS_KEYWORD_ALLOW_SIGNAL, ccs_write_signal }, |
{ "ipc ", ccs_write_ipc }, |
|
{ CCS_KEYWORD_ALLOW_MOUNT, ccs_write_mount } |
|
| 980 |
}; |
}; |
| 981 |
int (*write) (char *, struct ccs_domain_info *, struct ccs_condition *, |
int (*write) (char *, struct ccs_domain_info *, struct ccs_condition *, |
| 982 |
const bool) = ccs_write_file; |
const bool) = ccs_write_file; |
| 989 |
if (!cond) |
if (!cond) |
| 990 |
return -EINVAL; |
return -EINVAL; |
| 991 |
} |
} |
| 992 |
for (i = 0; i < 5; i++) { |
for (i = 0; i < 4; i++) { |
| 993 |
if (!ccs_str_starts(&data, ccs_callback[i].keyword)) |
if (!ccs_str_starts(&data, ccs_callback[i].keyword)) |
| 994 |
continue; |
continue; |
| 995 |
write = ccs_callback[i].write; |
write = ccs_callback[i].write; |
| 1004 |
static const char *ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
static const char *ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
| 1005 |
[CCS_DIF_QUOTA_WARNED] = CCS_KEYWORD_QUOTA_EXCEEDED "\n", |
[CCS_DIF_QUOTA_WARNED] = CCS_KEYWORD_QUOTA_EXCEEDED "\n", |
| 1006 |
[CCS_DIF_IGNORE_GLOBAL] = CCS_KEYWORD_IGNORE_GLOBAL "\n", |
[CCS_DIF_IGNORE_GLOBAL] = CCS_KEYWORD_IGNORE_GLOBAL "\n", |
|
[CCS_DIF_IGNORE_GLOBAL_ALLOW_READ] |
|
|
= CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n", |
|
|
[CCS_DIF_IGNORE_GLOBAL_ALLOW_ENV] |
|
|
= CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_ENV "\n", |
|
| 1007 |
[CCS_DIF_TRANSITION_FAILED] = CCS_KEYWORD_TRANSITION_FAILED "\n" |
[CCS_DIF_TRANSITION_FAILED] = CCS_KEYWORD_TRANSITION_FAILED "\n" |
| 1008 |
}; |
}; |
| 1009 |
|
|
| 1325 |
if (head->r.print_execute_only && |
if (head->r.print_execute_only && |
| 1326 |
bit != CCS_TYPE_EXECUTE && bit != CCS_TYPE_TRANSIT) |
bit != CCS_TYPE_EXECUTE && bit != CCS_TYPE_TRANSIT) |
| 1327 |
continue; |
continue; |
|
/* Print "read/write" instead of "read" and "write". */ |
|
|
if ((bit == CCS_TYPE_READ || bit == CCS_TYPE_WRITE) |
|
|
&& (perm & (1 << CCS_TYPE_READ_WRITE))) |
|
|
continue; |
|
| 1328 |
break; |
break; |
| 1329 |
} |
} |
| 1330 |
if (bit >= CCS_MAX_PATH_OPERATION) |
if (bit >= CCS_MAX_PATH_OPERATION) |
| 1331 |
goto done; |
goto done; |
| 1332 |
ccs_io_printf(head, "allow_%s", ccs_path_keyword[bit]); |
ccs_set_string(head, "file "); |
| 1333 |
|
ccs_set_string(head, ccs_path_keyword[bit]); |
| 1334 |
ccs_print_name_union(head, &ptr->name); |
ccs_print_name_union(head, &ptr->name); |
| 1335 |
} else if (acl_type == CCS_TYPE_EXECUTE_HANDLER || |
} else if (acl_type == CCS_TYPE_EXECUTE_HANDLER || |
| 1336 |
acl_type == CCS_TYPE_DENIED_EXECUTE_HANDLER) { |
acl_type == CCS_TYPE_DENIED_EXECUTE_HANDLER) { |
| 1349 |
bit = ccs_fns(ptr->perm, bit); |
bit = ccs_fns(ptr->perm, bit); |
| 1350 |
if (bit >= CCS_MAX_MKDEV_OPERATION) |
if (bit >= CCS_MAX_MKDEV_OPERATION) |
| 1351 |
goto done; |
goto done; |
| 1352 |
ccs_io_printf(head, "allow_%s", ccs_mkdev_keyword[bit]); |
ccs_set_string(head, "file "); |
| 1353 |
|
ccs_set_string(head, ccs_mkdev_keyword[bit]); |
| 1354 |
ccs_print_name_union(head, &ptr->name); |
ccs_print_name_union(head, &ptr->name); |
| 1355 |
ccs_print_number_union(head, &ptr->mode); |
ccs_print_number_union(head, &ptr->mode); |
| 1356 |
ccs_print_number_union(head, &ptr->major); |
ccs_print_number_union(head, &ptr->major); |
| 1361 |
bit = ccs_fns(ptr->perm, bit); |
bit = ccs_fns(ptr->perm, bit); |
| 1362 |
if (bit >= CCS_MAX_PATH2_OPERATION) |
if (bit >= CCS_MAX_PATH2_OPERATION) |
| 1363 |
goto done; |
goto done; |
| 1364 |
ccs_io_printf(head, "allow_%s", ccs_path2_keyword[bit]); |
ccs_set_string(head, "file "); |
| 1365 |
|
ccs_set_string(head, ccs_path2_keyword[bit]); |
| 1366 |
ccs_print_name_union(head, &ptr->name1); |
ccs_print_name_union(head, &ptr->name1); |
| 1367 |
ccs_print_name_union(head, &ptr->name2); |
ccs_print_name_union(head, &ptr->name2); |
| 1368 |
} else if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
} else if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
| 1371 |
bit = ccs_fns(ptr->perm, bit); |
bit = ccs_fns(ptr->perm, bit); |
| 1372 |
if (bit >= CCS_MAX_PATH_NUMBER_OPERATION) |
if (bit >= CCS_MAX_PATH_NUMBER_OPERATION) |
| 1373 |
goto done; |
goto done; |
| 1374 |
ccs_io_printf(head, "allow_%s", |
ccs_set_string(head, "file "); |
| 1375 |
ccs_path_number_keyword[bit]); |
ccs_set_string(head, ccs_path_number_keyword[bit]); |
| 1376 |
ccs_print_name_union(head, &ptr->name); |
ccs_print_name_union(head, &ptr->name); |
| 1377 |
ccs_print_number_union(head, &ptr->number); |
ccs_print_number_union(head, &ptr->number); |
| 1378 |
} else if (acl_type == CCS_TYPE_ENV_ACL) { |
} else if (acl_type == CCS_TYPE_ENV_ACL) { |
| 1379 |
struct ccs_env_acl *ptr = |
struct ccs_env_acl *ptr = |
| 1380 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1381 |
ccs_set_string(head, CCS_KEYWORD_ALLOW_ENV); |
ccs_set_string(head, "misc env "); |
| 1382 |
ccs_set_string(head, ptr->env->name); |
ccs_set_string(head, ptr->env->name); |
| 1383 |
} else if (acl_type == CCS_TYPE_CAPABILITY_ACL) { |
} else if (acl_type == CCS_TYPE_CAPABILITY_ACL) { |
| 1384 |
struct ccs_capability_acl *ptr = |
struct ccs_capability_acl *ptr = |
| 1385 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1386 |
ccs_set_string(head, CCS_KEYWORD_ALLOW_CAPABILITY); |
ccs_set_string(head, "capability "); |
| 1387 |
ccs_set_string(head, ccs_cap2keyword(ptr->operation)); |
ccs_set_string(head, ccs_cap2keyword(ptr->operation)); |
| 1388 |
} else if (acl_type == CCS_TYPE_IP_NETWORK_ACL) { |
} else if (acl_type == CCS_TYPE_IP_NETWORK_ACL) { |
| 1389 |
struct ccs_ip_network_acl *ptr = |
struct ccs_ip_network_acl *ptr = |
| 1391 |
bit = ccs_fns(ptr->perm, bit); |
bit = ccs_fns(ptr->perm, bit); |
| 1392 |
if (bit >= CCS_MAX_NETWORK_OPERATION) |
if (bit >= CCS_MAX_NETWORK_OPERATION) |
| 1393 |
goto done; |
goto done; |
| 1394 |
ccs_io_printf(head, CCS_KEYWORD_ALLOW_NETWORK "%s ", |
ccs_set_string(head, "network "); |
| 1395 |
ccs_net_keyword[bit]); |
ccs_set_string(head, ccs_net_keyword[bit]); |
| 1396 |
|
ccs_set_space(head); |
| 1397 |
switch (ptr->address_type) { |
switch (ptr->address_type) { |
| 1398 |
char buf[128]; |
char buf[128]; |
| 1399 |
case CCS_IP_ADDRESS_TYPE_ADDRESS_GROUP: |
case CCS_IP_ADDRESS_TYPE_ADDRESS_GROUP: |
| 1416 |
} else if (acl_type == CCS_TYPE_SIGNAL_ACL) { |
} else if (acl_type == CCS_TYPE_SIGNAL_ACL) { |
| 1417 |
struct ccs_signal_acl *ptr = |
struct ccs_signal_acl *ptr = |
| 1418 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1419 |
ccs_io_printf(head, CCS_KEYWORD_ALLOW_SIGNAL "%u ", ptr->sig); |
ccs_set_string(head, "ipc signal "); |
| 1420 |
|
ccs_io_printf(head, "%u ", ptr->sig); |
| 1421 |
ccs_set_string(head, ptr->domainname->name); |
ccs_set_string(head, ptr->domainname->name); |
| 1422 |
} else if (acl_type == CCS_TYPE_MOUNT_ACL) { |
} else if (acl_type == CCS_TYPE_MOUNT_ACL) { |
| 1423 |
struct ccs_mount_acl *ptr = |
struct ccs_mount_acl *ptr = |
| 1424 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1425 |
ccs_io_printf(head, "allow_mount"); |
ccs_io_printf(head, "file mount"); |
| 1426 |
ccs_print_name_union(head, &ptr->dev_name); |
ccs_print_name_union(head, &ptr->dev_name); |
| 1427 |
ccs_print_name_union(head, &ptr->dir_name); |
ccs_print_name_union(head, &ptr->dir_name); |
| 1428 |
ccs_print_name_union(head, &ptr->fs_type); |
ccs_print_name_union(head, &ptr->fs_type); |
| 1696 |
static const struct { |
static const struct { |
| 1697 |
const char *keyword; |
const char *keyword; |
| 1698 |
int (*write) (char *, const bool); |
int (*write) (char *, const bool); |
| 1699 |
} ccs_callback[4] = { |
} ccs_callback[3] = { |
| 1700 |
{ CCS_KEYWORD_AGGREGATOR, ccs_write_aggregator }, |
{ CCS_KEYWORD_AGGREGATOR, ccs_write_aggregator }, |
| 1701 |
{ CCS_KEYWORD_FILE_PATTERN, ccs_write_pattern }, |
{ CCS_KEYWORD_FILE_PATTERN, ccs_write_pattern }, |
|
{ CCS_KEYWORD_DENY_REWRITE, ccs_write_no_rewrite }, |
|
| 1702 |
{ CCS_KEYWORD_DENY_AUTOBIND, ccs_write_reserved_port } |
{ CCS_KEYWORD_DENY_AUTOBIND, ccs_write_reserved_port } |
| 1703 |
}; |
}; |
| 1704 |
for (i = 0; i < 4; i++) |
for (i = 0; i < 3; i++) |
| 1705 |
if (ccs_str_starts(&data, ccs_callback[i].keyword)) |
if (ccs_str_starts(&data, ccs_callback[i].keyword)) |
| 1706 |
return ccs_callback[i].write(data, is_delete); |
return ccs_callback[i].write(data, is_delete); |
| 1707 |
for (i = 0; i < CCS_MAX_TRANSITION_TYPE; i++) |
for (i = 0; i < CCS_MAX_TRANSITION_TYPE; i++) |
| 1822 |
ccs_set_string(head, ptr->pattern->name); |
ccs_set_string(head, ptr->pattern->name); |
| 1823 |
} |
} |
| 1824 |
break; |
break; |
|
case CCS_ID_NO_REWRITE: |
|
|
{ |
|
|
struct ccs_no_rewrite *ptr = |
|
|
container_of(acl, typeof(*ptr), head); |
|
|
ccs_set_string(head, CCS_KEYWORD_DENY_REWRITE); |
|
|
ccs_set_string(head, ptr->pattern->name); |
|
|
} |
|
|
break; |
|
| 1825 |
case CCS_ID_RESERVEDPORT: |
case CCS_ID_RESERVEDPORT: |
| 1826 |
{ |
{ |
| 1827 |
struct ccs_reserved *ptr = |
struct ccs_reserved *ptr = |
TOMOYO
Parent Directory
Revision Log
Patch