71 |
= "file::truncate", |
= "file::truncate", |
72 |
[CCS_MAC_FILE_SYMLINK] |
[CCS_MAC_FILE_SYMLINK] |
73 |
= "file::symlink", |
= "file::symlink", |
|
[CCS_MAC_FILE_REWRITE] |
|
|
= "file::rewrite", |
|
74 |
[CCS_MAC_FILE_MKBLOCK] |
[CCS_MAC_FILE_MKBLOCK] |
75 |
= "file::mkblock", |
= "file::mkblock", |
76 |
[CCS_MAC_FILE_MKCHAR] |
[CCS_MAC_FILE_MKCHAR] |
926 |
unsigned int pid; |
unsigned int pid; |
927 |
struct ccs_domain_info *domain = NULL; |
struct ccs_domain_info *domain = NULL; |
928 |
bool global_pid = false; |
bool global_pid = false; |
929 |
if (!strcmp(data, "allow_execute")) { |
if (!strcmp(data, "execute")) { |
930 |
head->r.print_execute_only = true; |
head->r.print_execute_only = true; |
931 |
return true; |
return true; |
932 |
} |
} |
972 |
const char *keyword; |
const char *keyword; |
973 |
int (*write) (char *, struct ccs_domain_info *, |
int (*write) (char *, struct ccs_domain_info *, |
974 |
struct ccs_condition *, const bool); |
struct ccs_condition *, const bool); |
975 |
} ccs_callback[5] = { |
} ccs_callback[4] = { |
976 |
{ CCS_KEYWORD_ALLOW_NETWORK, ccs_write_network }, |
{ "network ", ccs_write_network }, |
977 |
{ CCS_KEYWORD_ALLOW_ENV, ccs_write_env }, |
{ "misc ", ccs_write_misc }, |
978 |
{ CCS_KEYWORD_ALLOW_CAPABILITY, ccs_write_capability }, |
{ "capability ", ccs_write_capability }, |
979 |
{ CCS_KEYWORD_ALLOW_SIGNAL, ccs_write_signal }, |
{ "ipc ", ccs_write_ipc }, |
|
{ CCS_KEYWORD_ALLOW_MOUNT, ccs_write_mount } |
|
980 |
}; |
}; |
981 |
int (*write) (char *, struct ccs_domain_info *, struct ccs_condition *, |
int (*write) (char *, struct ccs_domain_info *, struct ccs_condition *, |
982 |
const bool) = ccs_write_file; |
const bool) = ccs_write_file; |
989 |
if (!cond) |
if (!cond) |
990 |
return -EINVAL; |
return -EINVAL; |
991 |
} |
} |
992 |
for (i = 0; i < 5; i++) { |
for (i = 0; i < 4; i++) { |
993 |
if (!ccs_str_starts(&data, ccs_callback[i].keyword)) |
if (!ccs_str_starts(&data, ccs_callback[i].keyword)) |
994 |
continue; |
continue; |
995 |
write = ccs_callback[i].write; |
write = ccs_callback[i].write; |
1004 |
static const char *ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
static const char *ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
1005 |
[CCS_DIF_QUOTA_WARNED] = CCS_KEYWORD_QUOTA_EXCEEDED "\n", |
[CCS_DIF_QUOTA_WARNED] = CCS_KEYWORD_QUOTA_EXCEEDED "\n", |
1006 |
[CCS_DIF_IGNORE_GLOBAL] = CCS_KEYWORD_IGNORE_GLOBAL "\n", |
[CCS_DIF_IGNORE_GLOBAL] = CCS_KEYWORD_IGNORE_GLOBAL "\n", |
|
[CCS_DIF_IGNORE_GLOBAL_ALLOW_READ] |
|
|
= CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n", |
|
|
[CCS_DIF_IGNORE_GLOBAL_ALLOW_ENV] |
|
|
= CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_ENV "\n", |
|
1007 |
[CCS_DIF_TRANSITION_FAILED] = CCS_KEYWORD_TRANSITION_FAILED "\n" |
[CCS_DIF_TRANSITION_FAILED] = CCS_KEYWORD_TRANSITION_FAILED "\n" |
1008 |
}; |
}; |
1009 |
|
|
1325 |
if (head->r.print_execute_only && |
if (head->r.print_execute_only && |
1326 |
bit != CCS_TYPE_EXECUTE && bit != CCS_TYPE_TRANSIT) |
bit != CCS_TYPE_EXECUTE && bit != CCS_TYPE_TRANSIT) |
1327 |
continue; |
continue; |
|
/* Print "read/write" instead of "read" and "write". */ |
|
|
if ((bit == CCS_TYPE_READ || bit == CCS_TYPE_WRITE) |
|
|
&& (perm & (1 << CCS_TYPE_READ_WRITE))) |
|
|
continue; |
|
1328 |
break; |
break; |
1329 |
} |
} |
1330 |
if (bit >= CCS_MAX_PATH_OPERATION) |
if (bit >= CCS_MAX_PATH_OPERATION) |
1331 |
goto done; |
goto done; |
1332 |
ccs_io_printf(head, "allow_%s", ccs_path_keyword[bit]); |
ccs_set_string(head, "file "); |
1333 |
|
ccs_set_string(head, ccs_path_keyword[bit]); |
1334 |
ccs_print_name_union(head, &ptr->name); |
ccs_print_name_union(head, &ptr->name); |
1335 |
} else if (acl_type == CCS_TYPE_EXECUTE_HANDLER || |
} else if (acl_type == CCS_TYPE_EXECUTE_HANDLER || |
1336 |
acl_type == CCS_TYPE_DENIED_EXECUTE_HANDLER) { |
acl_type == CCS_TYPE_DENIED_EXECUTE_HANDLER) { |
1349 |
bit = ccs_fns(ptr->perm, bit); |
bit = ccs_fns(ptr->perm, bit); |
1350 |
if (bit >= CCS_MAX_MKDEV_OPERATION) |
if (bit >= CCS_MAX_MKDEV_OPERATION) |
1351 |
goto done; |
goto done; |
1352 |
ccs_io_printf(head, "allow_%s", ccs_mkdev_keyword[bit]); |
ccs_set_string(head, "file "); |
1353 |
|
ccs_set_string(head, ccs_mkdev_keyword[bit]); |
1354 |
ccs_print_name_union(head, &ptr->name); |
ccs_print_name_union(head, &ptr->name); |
1355 |
ccs_print_number_union(head, &ptr->mode); |
ccs_print_number_union(head, &ptr->mode); |
1356 |
ccs_print_number_union(head, &ptr->major); |
ccs_print_number_union(head, &ptr->major); |
1361 |
bit = ccs_fns(ptr->perm, bit); |
bit = ccs_fns(ptr->perm, bit); |
1362 |
if (bit >= CCS_MAX_PATH2_OPERATION) |
if (bit >= CCS_MAX_PATH2_OPERATION) |
1363 |
goto done; |
goto done; |
1364 |
ccs_io_printf(head, "allow_%s", ccs_path2_keyword[bit]); |
ccs_set_string(head, "file "); |
1365 |
|
ccs_set_string(head, ccs_path2_keyword[bit]); |
1366 |
ccs_print_name_union(head, &ptr->name1); |
ccs_print_name_union(head, &ptr->name1); |
1367 |
ccs_print_name_union(head, &ptr->name2); |
ccs_print_name_union(head, &ptr->name2); |
1368 |
} else if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
} else if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
1371 |
bit = ccs_fns(ptr->perm, bit); |
bit = ccs_fns(ptr->perm, bit); |
1372 |
if (bit >= CCS_MAX_PATH_NUMBER_OPERATION) |
if (bit >= CCS_MAX_PATH_NUMBER_OPERATION) |
1373 |
goto done; |
goto done; |
1374 |
ccs_io_printf(head, "allow_%s", |
ccs_set_string(head, "file "); |
1375 |
ccs_path_number_keyword[bit]); |
ccs_set_string(head, ccs_path_number_keyword[bit]); |
1376 |
ccs_print_name_union(head, &ptr->name); |
ccs_print_name_union(head, &ptr->name); |
1377 |
ccs_print_number_union(head, &ptr->number); |
ccs_print_number_union(head, &ptr->number); |
1378 |
} else if (acl_type == CCS_TYPE_ENV_ACL) { |
} else if (acl_type == CCS_TYPE_ENV_ACL) { |
1379 |
struct ccs_env_acl *ptr = |
struct ccs_env_acl *ptr = |
1380 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1381 |
ccs_set_string(head, CCS_KEYWORD_ALLOW_ENV); |
ccs_set_string(head, "misc env "); |
1382 |
ccs_set_string(head, ptr->env->name); |
ccs_set_string(head, ptr->env->name); |
1383 |
} else if (acl_type == CCS_TYPE_CAPABILITY_ACL) { |
} else if (acl_type == CCS_TYPE_CAPABILITY_ACL) { |
1384 |
struct ccs_capability_acl *ptr = |
struct ccs_capability_acl *ptr = |
1385 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1386 |
ccs_set_string(head, CCS_KEYWORD_ALLOW_CAPABILITY); |
ccs_set_string(head, "capability "); |
1387 |
ccs_set_string(head, ccs_cap2keyword(ptr->operation)); |
ccs_set_string(head, ccs_cap2keyword(ptr->operation)); |
1388 |
} else if (acl_type == CCS_TYPE_IP_NETWORK_ACL) { |
} else if (acl_type == CCS_TYPE_IP_NETWORK_ACL) { |
1389 |
struct ccs_ip_network_acl *ptr = |
struct ccs_ip_network_acl *ptr = |
1391 |
bit = ccs_fns(ptr->perm, bit); |
bit = ccs_fns(ptr->perm, bit); |
1392 |
if (bit >= CCS_MAX_NETWORK_OPERATION) |
if (bit >= CCS_MAX_NETWORK_OPERATION) |
1393 |
goto done; |
goto done; |
1394 |
ccs_io_printf(head, CCS_KEYWORD_ALLOW_NETWORK "%s ", |
ccs_set_string(head, "network "); |
1395 |
ccs_net_keyword[bit]); |
ccs_set_string(head, ccs_net_keyword[bit]); |
1396 |
|
ccs_set_space(head); |
1397 |
switch (ptr->address_type) { |
switch (ptr->address_type) { |
1398 |
char buf[128]; |
char buf[128]; |
1399 |
case CCS_IP_ADDRESS_TYPE_ADDRESS_GROUP: |
case CCS_IP_ADDRESS_TYPE_ADDRESS_GROUP: |
1416 |
} else if (acl_type == CCS_TYPE_SIGNAL_ACL) { |
} else if (acl_type == CCS_TYPE_SIGNAL_ACL) { |
1417 |
struct ccs_signal_acl *ptr = |
struct ccs_signal_acl *ptr = |
1418 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1419 |
ccs_io_printf(head, CCS_KEYWORD_ALLOW_SIGNAL "%u ", ptr->sig); |
ccs_set_string(head, "ipc signal "); |
1420 |
|
ccs_io_printf(head, "%u ", ptr->sig); |
1421 |
ccs_set_string(head, ptr->domainname->name); |
ccs_set_string(head, ptr->domainname->name); |
1422 |
} else if (acl_type == CCS_TYPE_MOUNT_ACL) { |
} else if (acl_type == CCS_TYPE_MOUNT_ACL) { |
1423 |
struct ccs_mount_acl *ptr = |
struct ccs_mount_acl *ptr = |
1424 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1425 |
ccs_io_printf(head, "allow_mount"); |
ccs_io_printf(head, "file mount"); |
1426 |
ccs_print_name_union(head, &ptr->dev_name); |
ccs_print_name_union(head, &ptr->dev_name); |
1427 |
ccs_print_name_union(head, &ptr->dir_name); |
ccs_print_name_union(head, &ptr->dir_name); |
1428 |
ccs_print_name_union(head, &ptr->fs_type); |
ccs_print_name_union(head, &ptr->fs_type); |
1696 |
static const struct { |
static const struct { |
1697 |
const char *keyword; |
const char *keyword; |
1698 |
int (*write) (char *, const bool); |
int (*write) (char *, const bool); |
1699 |
} ccs_callback[4] = { |
} ccs_callback[3] = { |
1700 |
{ CCS_KEYWORD_AGGREGATOR, ccs_write_aggregator }, |
{ CCS_KEYWORD_AGGREGATOR, ccs_write_aggregator }, |
1701 |
{ CCS_KEYWORD_FILE_PATTERN, ccs_write_pattern }, |
{ CCS_KEYWORD_FILE_PATTERN, ccs_write_pattern }, |
|
{ CCS_KEYWORD_DENY_REWRITE, ccs_write_no_rewrite }, |
|
1702 |
{ CCS_KEYWORD_DENY_AUTOBIND, ccs_write_reserved_port } |
{ CCS_KEYWORD_DENY_AUTOBIND, ccs_write_reserved_port } |
1703 |
}; |
}; |
1704 |
for (i = 0; i < 4; i++) |
for (i = 0; i < 3; i++) |
1705 |
if (ccs_str_starts(&data, ccs_callback[i].keyword)) |
if (ccs_str_starts(&data, ccs_callback[i].keyword)) |
1706 |
return ccs_callback[i].write(data, is_delete); |
return ccs_callback[i].write(data, is_delete); |
1707 |
for (i = 0; i < CCS_MAX_TRANSITION_TYPE; i++) |
for (i = 0; i < CCS_MAX_TRANSITION_TYPE; i++) |
1822 |
ccs_set_string(head, ptr->pattern->name); |
ccs_set_string(head, ptr->pattern->name); |
1823 |
} |
} |
1824 |
break; |
break; |
|
case CCS_ID_NO_REWRITE: |
|
|
{ |
|
|
struct ccs_no_rewrite *ptr = |
|
|
container_of(acl, typeof(*ptr), head); |
|
|
ccs_set_string(head, CCS_KEYWORD_DENY_REWRITE); |
|
|
ccs_set_string(head, ptr->pattern->name); |
|
|
} |
|
|
break; |
|
1825 |
case CCS_ID_RESERVEDPORT: |
case CCS_ID_RESERVEDPORT: |
1826 |
{ |
{ |
1827 |
struct ccs_reserved *ptr = |
struct ccs_reserved *ptr = |