| 36 |
static struct ccs_profile *ccs_profile_ptr[CCS_MAX_PROFILES]; |
static struct ccs_profile *ccs_profile_ptr[CCS_MAX_PROFILES]; |
| 37 |
|
|
| 38 |
/* String table for functionality that takes 4 modes. */ |
/* String table for functionality that takes 4 modes. */ |
| 39 |
const char *ccs_mode[CCS_CONFIG_MAX_MODE] = { |
const char * const ccs_mode[CCS_CONFIG_MAX_MODE] = { |
| 40 |
[CCS_CONFIG_DISABLED] = "disabled", |
[CCS_CONFIG_DISABLED] = "disabled", |
| 41 |
[CCS_CONFIG_LEARNING] = "learning", |
[CCS_CONFIG_LEARNING] = "learning", |
| 42 |
[CCS_CONFIG_PERMISSIVE] = "permissive", |
[CCS_CONFIG_PERMISSIVE] = "permissive", |
| 43 |
[CCS_CONFIG_ENFORCING] = "enforcing" |
[CCS_CONFIG_ENFORCING] = "enforcing" |
| 44 |
}; |
}; |
| 45 |
|
|
| 46 |
/* String table for /proc/ccs/profile */ |
/* String table for /proc/ccs/profile */ |
| 47 |
static const char *ccs_mac_keywords[CCS_MAX_MAC_INDEX + |
const char * const ccs_mac_keywords[CCS_MAX_MAC_INDEX |
| 48 |
CCS_MAX_CAPABILITY_INDEX + |
+ CCS_MAX_MAC_CATEGORY_INDEX] = { |
| 49 |
CCS_MAX_MAC_CATEGORY_INDEX] = { |
[CCS_MAC_FILE_EXECUTE] = "execute", |
| 50 |
[CCS_MAC_FILE_EXECUTE] |
[CCS_MAC_FILE_OPEN] = "open", |
| 51 |
= "file::execute", |
[CCS_MAC_FILE_CREATE] = "create", |
| 52 |
[CCS_MAC_FILE_OPEN] |
[CCS_MAC_FILE_UNLINK] = "unlink", |
| 53 |
= "file::open", |
[CCS_MAC_FILE_MKDIR] = "mkdir", |
| 54 |
[CCS_MAC_FILE_CREATE] |
[CCS_MAC_FILE_RMDIR] = "rmdir", |
| 55 |
= "file::create", |
[CCS_MAC_FILE_MKFIFO] = "mkfifo", |
| 56 |
[CCS_MAC_FILE_UNLINK] |
[CCS_MAC_FILE_MKSOCK] = "mksock", |
| 57 |
= "file::unlink", |
[CCS_MAC_FILE_TRUNCATE] = "truncate", |
| 58 |
[CCS_MAC_FILE_MKDIR] |
[CCS_MAC_FILE_SYMLINK] = "symlink", |
| 59 |
= "file::mkdir", |
[CCS_MAC_FILE_MKBLOCK] = "mkblock", |
| 60 |
[CCS_MAC_FILE_RMDIR] |
[CCS_MAC_FILE_MKCHAR] = "mkchar", |
| 61 |
= "file::rmdir", |
[CCS_MAC_FILE_LINK] = "link", |
| 62 |
[CCS_MAC_FILE_MKFIFO] |
[CCS_MAC_FILE_RENAME] = "rename", |
| 63 |
= "file::mkfifo", |
[CCS_MAC_FILE_CHMOD] = "chmod", |
| 64 |
[CCS_MAC_FILE_MKSOCK] |
[CCS_MAC_FILE_CHOWN] = "chown", |
| 65 |
= "file::mksock", |
[CCS_MAC_FILE_CHGRP] = "chgrp", |
| 66 |
[CCS_MAC_FILE_TRUNCATE] |
[CCS_MAC_FILE_IOCTL] = "ioctl", |
| 67 |
= "file::truncate", |
[CCS_MAC_FILE_CHROOT] = "chroot", |
| 68 |
[CCS_MAC_FILE_SYMLINK] |
[CCS_MAC_FILE_MOUNT] = "mount", |
| 69 |
= "file::symlink", |
[CCS_MAC_FILE_UMOUNT] = "unmount", |
| 70 |
[CCS_MAC_FILE_MKBLOCK] |
[CCS_MAC_FILE_PIVOT_ROOT] = "pivot_root", |
| 71 |
= "file::mkblock", |
[CCS_MAC_ENVIRON] = "env", |
| 72 |
[CCS_MAC_FILE_MKCHAR] |
[CCS_MAC_NETWORK_INET_STREAM_BIND] = "inet_stream_bind", |
| 73 |
= "file::mkchar", |
[CCS_MAC_NETWORK_INET_STREAM_LISTEN] = "inet_stream_listen", |
| 74 |
[CCS_MAC_FILE_LINK] |
[CCS_MAC_NETWORK_INET_STREAM_CONNECT] = "inet_stream_connect", |
| 75 |
= "file::link", |
[CCS_MAC_NETWORK_INET_STREAM_ACCEPT] = "inet_stream_accept", |
| 76 |
[CCS_MAC_FILE_RENAME] |
[CCS_MAC_NETWORK_INET_DGRAM_BIND] = "inet_dgram_bind", |
| 77 |
= "file::rename", |
[CCS_MAC_NETWORK_INET_DGRAM_SEND] = "inet_dgram_send", |
| 78 |
[CCS_MAC_FILE_CHMOD] |
[CCS_MAC_NETWORK_INET_DGRAM_RECV] = "inet_dgram_recv", |
| 79 |
= "file::chmod", |
[CCS_MAC_NETWORK_INET_RAW_BIND] = "inet_raw_bind", |
| 80 |
[CCS_MAC_FILE_CHOWN] |
[CCS_MAC_NETWORK_INET_RAW_SEND] = "inet_raw_send", |
| 81 |
= "file::chown", |
[CCS_MAC_NETWORK_INET_RAW_RECV] = "inet_raw_recv", |
| 82 |
[CCS_MAC_FILE_CHGRP] |
[CCS_MAC_NETWORK_UNIX_STREAM_BIND] = "unix_stream_bind", |
| 83 |
= "file::chgrp", |
[CCS_MAC_NETWORK_UNIX_STREAM_LISTEN] = "unix_stream_listen", |
| 84 |
[CCS_MAC_FILE_IOCTL] |
[CCS_MAC_NETWORK_UNIX_STREAM_CONNECT] = "unix_stream_connect", |
| 85 |
= "file::ioctl", |
[CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT] = "unix_stream_accept", |
| 86 |
[CCS_MAC_FILE_CHROOT] |
[CCS_MAC_NETWORK_UNIX_DGRAM_BIND] = "unix_dgram_bind", |
| 87 |
= "file::chroot", |
[CCS_MAC_NETWORK_UNIX_DGRAM_SEND] = "unix_dgram_send", |
| 88 |
[CCS_MAC_FILE_MOUNT] |
[CCS_MAC_NETWORK_UNIX_DGRAM_RECV] = "unix_dgram_recv", |
| 89 |
= "file::mount", |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND] = "unix_seqpacket_bind", |
| 90 |
[CCS_MAC_FILE_UMOUNT] |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN] = "unix_seqpacket_listen", |
| 91 |
= "file::umount", |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] = "unix_seqpacket_connect", |
| 92 |
[CCS_MAC_FILE_PIVOT_ROOT] |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT] = "unix_seqpacket_accept", |
| 93 |
= "file::pivot_root", |
[CCS_MAC_SIGNAL] = "signal", |
| 94 |
[CCS_MAC_ENVIRON] |
[CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET] = "use_route", |
| 95 |
= "misc::env", |
[CCS_MAC_CAPABILITY_USE_PACKET_SOCKET] = "use_packet", |
| 96 |
[CCS_MAC_NETWORK_INET_STREAM_BIND] |
[CCS_MAC_CAPABILITY_SYS_REBOOT] = "SYS_REBOOT", |
| 97 |
= "network::inet_stream_bind", |
[CCS_MAC_CAPABILITY_SYS_VHANGUP] = "SYS_VHANGUP", |
| 98 |
[CCS_MAC_NETWORK_INET_STREAM_LISTEN] |
[CCS_MAC_CAPABILITY_SYS_SETTIME] = "SYS_TIME", |
| 99 |
= "network::inet_stream_listen", |
[CCS_MAC_CAPABILITY_SYS_NICE] = "SYS_NICE", |
| 100 |
[CCS_MAC_NETWORK_INET_STREAM_CONNECT] |
[CCS_MAC_CAPABILITY_SYS_SETHOSTNAME] = "SYS_SETHOSTNAME", |
| 101 |
= "network::inet_stream_connect", |
[CCS_MAC_CAPABILITY_USE_KERNEL_MODULE] = "use_kernel_module", |
| 102 |
[CCS_MAC_NETWORK_INET_STREAM_ACCEPT] |
[CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD] = "SYS_KEXEC_LOAD", |
| 103 |
= "network::inet_stream_accept", |
[CCS_MAC_CAPABILITY_SYS_PTRACE] = "SYS_PTRACE", |
| 104 |
[CCS_MAC_NETWORK_INET_DGRAM_BIND] |
[CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_FILE] = "file", |
| 105 |
= "network::inet_dgram_bind", |
[CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_NETWORK] = "network", |
| 106 |
[CCS_MAC_NETWORK_INET_DGRAM_SEND] |
[CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_MISC] = "misc", |
| 107 |
= "network::inet_dgram_send", |
[CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_IPC] = "ipc", |
| 108 |
[CCS_MAC_NETWORK_INET_DGRAM_RECV] |
[CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_CAPABILITY] = "capability", |
| 109 |
= "network::inet_dgram_recv", |
}; |
| 110 |
[CCS_MAC_NETWORK_INET_RAW_BIND] |
|
| 111 |
= "network::inet_raw_bind", |
const char * const ccs_path_keyword[CCS_MAX_PATH_OPERATION] = { |
| 112 |
[CCS_MAC_NETWORK_INET_RAW_SEND] |
[CCS_TYPE_EXECUTE] = "execute", |
| 113 |
= "network::inet_raw_send", |
[CCS_TYPE_READ] = "read", |
| 114 |
[CCS_MAC_NETWORK_INET_RAW_RECV] |
[CCS_TYPE_WRITE] = "write", |
| 115 |
= "network::inet_raw_recv", |
[CCS_TYPE_APPEND] = "append", |
| 116 |
[CCS_MAC_NETWORK_UNIX_STREAM_BIND] |
[CCS_TYPE_UNLINK] = "unlink", |
| 117 |
= "network::unix_stream_bind", |
[CCS_TYPE_RMDIR] = "rmdir", |
| 118 |
[CCS_MAC_NETWORK_UNIX_STREAM_LISTEN] |
[CCS_TYPE_TRUNCATE] = "truncate", |
| 119 |
= "network::unix_stream_listen", |
[CCS_TYPE_SYMLINK] = "symlink", |
| 120 |
[CCS_MAC_NETWORK_UNIX_STREAM_CONNECT] |
[CCS_TYPE_CHROOT] = "chroot", |
| 121 |
= "network::unix_stream_connect", |
[CCS_TYPE_UMOUNT] = "unmount", |
| 122 |
[CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT] |
}; |
| 123 |
= "network::unix_stream_accept", |
|
| 124 |
[CCS_MAC_NETWORK_UNIX_DGRAM_BIND] |
static const char * const ccs_category_keywords[CCS_MAX_MAC_CATEGORY_INDEX] = { |
| 125 |
= "network::unix_dgram_bind", |
[CCS_MAC_CATEGORY_FILE] = "file", |
| 126 |
[CCS_MAC_NETWORK_UNIX_DGRAM_SEND] |
[CCS_MAC_CATEGORY_NETWORK] = "network", |
| 127 |
= "network::unix_dgram_send", |
[CCS_MAC_CATEGORY_MISC] = "misc", |
| 128 |
[CCS_MAC_NETWORK_UNIX_DGRAM_RECV] |
[CCS_MAC_CATEGORY_IPC] = "ipc", |
| 129 |
= "network::unix_dgram_recv", |
[CCS_MAC_CATEGORY_CAPABILITY] = "capability", |
| 130 |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND] |
}; |
| 131 |
= "network::unix_seqpacket_bind", |
|
| 132 |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN] |
const char * const ccs_condition_keyword[CCS_MAX_CONDITION_KEYWORD] = { |
| 133 |
= "network::unix_seqpacket_listen", |
[CCS_TASK_UID] = "task.uid", |
| 134 |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] |
[CCS_TASK_EUID] = "task.euid", |
| 135 |
= "network::unix_seqpacket_connect", |
[CCS_TASK_SUID] = "task.suid", |
| 136 |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT] |
[CCS_TASK_FSUID] = "task.fsuid", |
| 137 |
= "network::unix_seqpacket_accept", |
[CCS_TASK_GID] = "task.gid", |
| 138 |
[CCS_MAC_SIGNAL] |
[CCS_TASK_EGID] = "task.egid", |
| 139 |
= "ipc::signal", |
[CCS_TASK_SGID] = "task.sgid", |
| 140 |
[CCS_MAX_MAC_INDEX + CCS_USE_ROUTE_SOCKET] |
[CCS_TASK_FSGID] = "task.fsgid", |
| 141 |
= "capability::use_route", |
[CCS_TASK_PID] = "task.pid", |
| 142 |
[CCS_MAX_MAC_INDEX + CCS_USE_PACKET_SOCKET] |
[CCS_TASK_PPID] = "task.ppid", |
| 143 |
= "capability::use_packet", |
[CCS_EXEC_ARGC] = "exec.argc", |
| 144 |
[CCS_MAX_MAC_INDEX + CCS_SYS_REBOOT] |
[CCS_EXEC_ENVC] = "exec.envc", |
| 145 |
= "capability::SYS_REBOOT", |
[CCS_TYPE_IS_SOCKET] = "socket", |
| 146 |
[CCS_MAX_MAC_INDEX + CCS_SYS_VHANGUP] |
[CCS_TYPE_IS_SYMLINK] = "symlink", |
| 147 |
= "capability::SYS_VHANGUP", |
[CCS_TYPE_IS_FILE] = "file", |
| 148 |
[CCS_MAX_MAC_INDEX + CCS_SYS_SETTIME] |
[CCS_TYPE_IS_BLOCK_DEV] = "block", |
| 149 |
= "capability::SYS_TIME", |
[CCS_TYPE_IS_DIRECTORY] = "directory", |
| 150 |
[CCS_MAX_MAC_INDEX + CCS_SYS_NICE] |
[CCS_TYPE_IS_CHAR_DEV] = "char", |
| 151 |
= "capability::SYS_NICE", |
[CCS_TYPE_IS_FIFO] = "fifo", |
| 152 |
[CCS_MAX_MAC_INDEX + CCS_SYS_SETHOSTNAME] |
[CCS_MODE_SETUID] = "setuid", |
| 153 |
= "capability::SYS_SETHOSTNAME", |
[CCS_MODE_SETGID] = "setgid", |
| 154 |
[CCS_MAX_MAC_INDEX + CCS_USE_KERNEL_MODULE] |
[CCS_MODE_STICKY] = "sticky", |
| 155 |
= "capability::use_kernel_module", |
[CCS_MODE_OWNER_READ] = "owner_read", |
| 156 |
[CCS_MAX_MAC_INDEX + CCS_SYS_KEXEC_LOAD] |
[CCS_MODE_OWNER_WRITE] = "owner_write", |
| 157 |
= "capability::SYS_KEXEC_LOAD", |
[CCS_MODE_OWNER_EXECUTE] = "owner_execute", |
| 158 |
[CCS_MAX_MAC_INDEX + CCS_SYS_PTRACE] |
[CCS_MODE_GROUP_READ] = "group_read", |
| 159 |
= "capability::SYS_PTRACE", |
[CCS_MODE_GROUP_WRITE] = "group_write", |
| 160 |
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
[CCS_MODE_GROUP_EXECUTE] = "group_execute", |
| 161 |
+ CCS_MAC_CATEGORY_FILE] = "file", |
[CCS_MODE_OTHERS_READ] = "others_read", |
| 162 |
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
[CCS_MODE_OTHERS_WRITE] = "others_write", |
| 163 |
+ CCS_MAC_CATEGORY_NETWORK] = "network", |
[CCS_MODE_OTHERS_EXECUTE] = "others_execute", |
| 164 |
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
[CCS_TASK_TYPE] = "task.type", |
| 165 |
+ CCS_MAC_CATEGORY_MISC] = "misc", |
[CCS_TASK_EXECUTE_HANDLER] = "execute_handler", |
| 166 |
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
[CCS_EXEC_REALPATH] = "exec.realpath", |
| 167 |
+ CCS_MAC_CATEGORY_IPC] = "ipc", |
[CCS_SYMLINK_TARGET] = "symlink.target", |
| 168 |
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
[CCS_PATH1_UID] = "path1.uid", |
| 169 |
+ CCS_MAC_CATEGORY_CAPABILITY] = "capability", |
[CCS_PATH1_GID] = "path1.gid", |
| 170 |
|
[CCS_PATH1_INO] = "path1.ino", |
| 171 |
|
[CCS_PATH1_MAJOR] = "path1.major", |
| 172 |
|
[CCS_PATH1_MINOR] = "path1.minor", |
| 173 |
|
[CCS_PATH1_PERM] = "path1.perm", |
| 174 |
|
[CCS_PATH1_TYPE] = "path1.type", |
| 175 |
|
[CCS_PATH1_DEV_MAJOR] = "path1.dev_major", |
| 176 |
|
[CCS_PATH1_DEV_MINOR] = "path1.dev_minor", |
| 177 |
|
[CCS_PATH2_UID] = "path2.uid", |
| 178 |
|
[CCS_PATH2_GID] = "path2.gid", |
| 179 |
|
[CCS_PATH2_INO] = "path2.ino", |
| 180 |
|
[CCS_PATH2_MAJOR] = "path2.major", |
| 181 |
|
[CCS_PATH2_MINOR] = "path2.minor", |
| 182 |
|
[CCS_PATH2_PERM] = "path2.perm", |
| 183 |
|
[CCS_PATH2_TYPE] = "path2.type", |
| 184 |
|
[CCS_PATH2_DEV_MAJOR] = "path2.dev_major", |
| 185 |
|
[CCS_PATH2_DEV_MINOR] = "path2.dev_minor", |
| 186 |
|
[CCS_PATH1_PARENT_UID] = "path1.parent.uid", |
| 187 |
|
[CCS_PATH1_PARENT_GID] = "path1.parent.gid", |
| 188 |
|
[CCS_PATH1_PARENT_INO] = "path1.parent.ino", |
| 189 |
|
[CCS_PATH1_PARENT_PERM] = "path1.parent.perm", |
| 190 |
|
[CCS_PATH2_PARENT_UID] = "path2.parent.uid", |
| 191 |
|
[CCS_PATH2_PARENT_GID] = "path2.parent.gid", |
| 192 |
|
[CCS_PATH2_PARENT_INO] = "path2.parent.ino", |
| 193 |
|
[CCS_PATH2_PARENT_PERM] = "path2.parent.perm", |
| 194 |
}; |
}; |
| 195 |
|
|
| 196 |
/* Permit policy management by non-root user? */ |
/* Permit policy management by non-root user? */ |
| 197 |
static bool ccs_manage_by_non_root; |
static bool ccs_manage_by_non_root; |
| 198 |
|
|
| 199 |
/** |
/** |
|
* ccs_cap2keyword - Convert capability operation to capability name. |
|
|
* |
|
|
* @operation: The capability index. |
|
|
* |
|
|
* Returns the name of the specified capability's name. |
|
|
*/ |
|
|
const char *ccs_cap2keyword(const u8 operation) |
|
|
{ |
|
|
return operation < CCS_MAX_CAPABILITY_INDEX |
|
|
? ccs_mac_keywords[CCS_MAX_MAC_INDEX + operation] + 12 : NULL; |
|
|
} |
|
|
|
|
|
/** |
|
| 200 |
* ccs_yesno - Return "yes" or "no". |
* ccs_yesno - Return "yes" or "no". |
| 201 |
* |
* |
| 202 |
* @value: Bool value. |
* @value: Bool value. |
| 447 |
ccs_set_uint(&ccs_preference.learning_max_entry, data, |
ccs_set_uint(&ccs_preference.learning_max_entry, data, |
| 448 |
"max_entry"); |
"max_entry"); |
| 449 |
ccs_set_bool(&ccs_preference.learning_exec_realpath, data, |
ccs_set_bool(&ccs_preference.learning_exec_realpath, data, |
| 450 |
"exec.realpath"); |
ccs_condition_keyword[CCS_EXEC_REALPATH]); |
| 451 |
ccs_set_bool(&ccs_preference.learning_exec_argv0, data, |
ccs_set_bool(&ccs_preference.learning_exec_argv0, data, |
| 452 |
"exec.argv0"); |
"exec.argv0"); |
| 453 |
ccs_set_bool(&ccs_preference.learning_symlink_target, data, |
ccs_set_bool(&ccs_preference.learning_symlink_target, data, |
| 454 |
"symlink.target"); |
ccs_condition_keyword[CCS_SYMLINK_TARGET]); |
| 455 |
} else |
} else |
| 456 |
return -EINVAL; |
return -EINVAL; |
| 457 |
return 0; |
return 0; |
| 463 |
u8 i; |
u8 i; |
| 464 |
u8 config; |
u8 config; |
| 465 |
if (!strcmp(name, "CONFIG")) { |
if (!strcmp(name, "CONFIG")) { |
| 466 |
i = CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
i = CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX; |
|
+ CCS_MAX_MAC_CATEGORY_INDEX; |
|
| 467 |
config = profile->default_config; |
config = profile->default_config; |
| 468 |
} else if (ccs_str_starts(&name, "CONFIG::")) { |
} else if (ccs_str_starts(&name, "CONFIG::")) { |
| 469 |
config = 0; |
config = 0; |
| 470 |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX; |
| 471 |
+ CCS_MAX_MAC_CATEGORY_INDEX; i++) { |
i++) { |
| 472 |
if (strcmp(name, ccs_mac_keywords[i])) |
int len = 0; |
| 473 |
|
if (i < CCS_MAX_MAC_INDEX) { |
| 474 |
|
const u8 c = ccs_index2category[i]; |
| 475 |
|
const char *category = ccs_category_keywords[c]; |
| 476 |
|
len = strlen(category); |
| 477 |
|
if (strncmp(name, category, len) || |
| 478 |
|
name[len++] != ':' || name[len++] != ':') |
| 479 |
|
continue; |
| 480 |
|
} |
| 481 |
|
if (strcmp(name + len, ccs_mac_keywords[i])) |
| 482 |
continue; |
continue; |
| 483 |
config = profile->config[i]; |
config = profile->config[i]; |
| 484 |
break; |
break; |
| 485 |
} |
} |
| 486 |
if (i == CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
if (i == CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX) |
|
+ CCS_MAX_MAC_CATEGORY_INDEX) |
|
| 487 |
return -EINVAL; |
return -EINVAL; |
| 488 |
} else { |
} else { |
| 489 |
return -EINVAL; |
return -EINVAL; |
| 499 |
* 'config' from 'CCS_CONFIG_USE_DEAFULT'. |
* 'config' from 'CCS_CONFIG_USE_DEAFULT'. |
| 500 |
*/ |
*/ |
| 501 |
config = (config & ~7) | mode; |
config = (config & ~7) | mode; |
|
if (config != CCS_CONFIG_USE_DEFAULT) { |
|
| 502 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 503 |
|
if (config != CCS_CONFIG_USE_DEFAULT) { |
| 504 |
switch (ccs_find_yesno(value, "grant_log")) { |
switch (ccs_find_yesno(value, "grant_log")) { |
| 505 |
case 1: |
case 1: |
| 506 |
config |= CCS_CONFIG_WANT_GRANT_LOG; |
config |= CCS_CONFIG_WANT_GRANT_LOG; |
| 517 |
config &= ~CCS_CONFIG_WANT_REJECT_LOG; |
config &= ~CCS_CONFIG_WANT_REJECT_LOG; |
| 518 |
break; |
break; |
| 519 |
} |
} |
|
#endif |
|
| 520 |
} |
} |
| 521 |
|
#endif |
| 522 |
} |
} |
| 523 |
if (i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
if (i < CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX) |
|
+ CCS_MAX_MAC_CATEGORY_INDEX) |
|
| 524 |
profile->config[i] = config; |
profile->config[i] = config; |
| 525 |
else if (config != CCS_CONFIG_USE_DEFAULT) |
else if (config != CCS_CONFIG_USE_DEFAULT) |
| 526 |
profile->default_config = config; |
profile->default_config = config; |
| 648 |
break; |
break; |
| 649 |
case 4: |
case 4: |
| 650 |
for ( ; head->r.bit < CCS_MAX_MAC_INDEX |
for ( ; head->r.bit < CCS_MAX_MAC_INDEX |
|
+ CCS_MAX_CAPABILITY_INDEX |
|
| 651 |
+ CCS_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { |
+ CCS_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { |
| 652 |
const u8 i = head->r.bit; |
const u8 i = head->r.bit; |
| 653 |
const u8 config = profile->config[i]; |
const u8 config = profile->config[i]; |
| 654 |
if (config == CCS_CONFIG_USE_DEFAULT) |
if (config == CCS_CONFIG_USE_DEFAULT) |
| 655 |
continue; |
continue; |
| 656 |
ccs_io_printf(head, "%u-%s%s", index, "CONFIG::", |
if (i < CCS_MAX_MAC_INDEX) |
| 657 |
ccs_mac_keywords[i]); |
ccs_io_printf(head, "%u-CONFIG::%s::%s", index, |
| 658 |
|
ccs_category_keywords |
| 659 |
|
[ccs_index2category[i]], |
| 660 |
|
ccs_mac_keywords[i]); |
| 661 |
|
else |
| 662 |
|
ccs_io_printf(head, "%u-CONFIG::%s", index, |
| 663 |
|
ccs_mac_keywords[i]); |
| 664 |
ccs_print_config(head, config); |
ccs_print_config(head, config); |
| 665 |
head->r.bit++; |
head->r.bit++; |
| 666 |
break; |
break; |
| 667 |
} |
} |
| 668 |
if (head->r.bit == CCS_MAX_MAC_INDEX |
if (head->r.bit == CCS_MAX_MAC_INDEX |
|
+ CCS_MAX_CAPABILITY_INDEX |
|
| 669 |
+ CCS_MAX_MAC_CATEGORY_INDEX) { |
+ CCS_MAX_MAC_CATEGORY_INDEX) { |
| 670 |
head->r.index++; |
head->r.index++; |
| 671 |
head->r.step = 1; |
head->r.step = 1; |
| 723 |
static int ccs_write_manager(struct ccs_io_buffer *head) |
static int ccs_write_manager(struct ccs_io_buffer *head) |
| 724 |
{ |
{ |
| 725 |
char *data = head->write_buf; |
char *data = head->write_buf; |
| 726 |
bool is_delete = ccs_str_starts(&data, CCS_KEYWORD_DELETE); |
bool is_delete = ccs_str_starts(&data, "delete "); |
| 727 |
if (!strcmp(data, "manage_by_non_root")) { |
if (!strcmp(data, "manage_by_non_root")) { |
| 728 |
ccs_manage_by_non_root = !is_delete; |
ccs_manage_by_non_root = !is_delete; |
| 729 |
return 0; |
return 0; |
| 959 |
return -EINVAL; |
return -EINVAL; |
| 960 |
} |
} |
| 961 |
|
|
| 962 |
static const char *ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
const char * const ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
| 963 |
[CCS_DIF_QUOTA_WARNED] = CCS_KEYWORD_QUOTA_EXCEEDED "\n", |
[CCS_DIF_QUOTA_WARNED] = "quota_exceeded\n", |
| 964 |
[CCS_DIF_TRANSITION_FAILED] = CCS_KEYWORD_TRANSITION_FAILED "\n" |
[CCS_DIF_TRANSITION_FAILED] = "transition_failed\n", |
| 965 |
}; |
}; |
| 966 |
|
|
| 967 |
/** |
/** |
| 968 |
* ccs_write_domain - Write domain policy. |
* ccs_write_domain - Write domain policy. |
| 969 |
* |
* |
| 978 |
bool is_delete = false; |
bool is_delete = false; |
| 979 |
bool is_select = false; |
bool is_select = false; |
| 980 |
unsigned int profile; |
unsigned int profile; |
| 981 |
if (ccs_str_starts(&data, CCS_KEYWORD_DELETE)) |
if (ccs_str_starts(&data, "delete ")) |
| 982 |
is_delete = true; |
is_delete = true; |
| 983 |
else if (ccs_str_starts(&data, CCS_KEYWORD_SELECT)) |
else if (ccs_str_starts(&data, "select ")) |
| 984 |
is_select = true; |
is_select = true; |
| 985 |
if (is_select && ccs_select_one(head, data)) |
if (is_select && ccs_select_one(head, data)) |
| 986 |
return 0; |
return 0; |
| 1001 |
if (!domain) |
if (!domain) |
| 1002 |
return -EINVAL; |
return -EINVAL; |
| 1003 |
|
|
| 1004 |
if (sscanf(data, CCS_KEYWORD_USE_PROFILE "%u", &profile) == 1 |
if (sscanf(data, "use_profile %u\n", &profile) == 1 |
| 1005 |
&& profile < CCS_MAX_PROFILES) { |
&& profile < CCS_MAX_PROFILES) { |
| 1006 |
if (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile]) |
if (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile]) |
| 1007 |
domain->profile = (u8) profile; |
domain->profile = (u8) profile; |
| 1008 |
return 0; |
return 0; |
| 1009 |
} |
} |
| 1010 |
if (sscanf(data, CCS_KEYWORD_USE_GROUP "%u", &profile) == 1 |
if (sscanf(data, "use_group %u\n", &profile) == 1 |
| 1011 |
&& profile < CCS_MAX_ACL_GROUPS) { |
&& profile < CCS_MAX_ACL_GROUPS) { |
| 1012 |
domain->group = (u8) profile; |
domain->group = (u8) profile; |
| 1013 |
return 0; |
return 0; |
| 1322 |
goto done; |
goto done; |
| 1323 |
ccs_set_group(head); |
ccs_set_group(head); |
| 1324 |
ccs_set_string(head, "file "); |
ccs_set_string(head, "file "); |
| 1325 |
ccs_set_string(head, ccs_mkdev_keyword[bit]); |
ccs_set_string(head, ccs_mac_keywords[ccs_pnnn2mac[bit]]); |
| 1326 |
ccs_print_name_union(head, &ptr->name); |
ccs_print_name_union(head, &ptr->name); |
| 1327 |
ccs_print_number_union(head, &ptr->mode); |
ccs_print_number_union(head, &ptr->mode); |
| 1328 |
ccs_print_number_union(head, &ptr->major); |
ccs_print_number_union(head, &ptr->major); |
| 1335 |
goto done; |
goto done; |
| 1336 |
ccs_set_group(head); |
ccs_set_group(head); |
| 1337 |
ccs_set_string(head, "file "); |
ccs_set_string(head, "file "); |
| 1338 |
ccs_set_string(head, ccs_path2_keyword[bit]); |
ccs_set_string(head, ccs_mac_keywords[ccs_pp2mac[bit]]); |
| 1339 |
ccs_print_name_union(head, &ptr->name1); |
ccs_print_name_union(head, &ptr->name1); |
| 1340 |
ccs_print_name_union(head, &ptr->name2); |
ccs_print_name_union(head, &ptr->name2); |
| 1341 |
} else if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
} else if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
| 1346 |
goto done; |
goto done; |
| 1347 |
ccs_set_group(head); |
ccs_set_group(head); |
| 1348 |
ccs_set_string(head, "file "); |
ccs_set_string(head, "file "); |
| 1349 |
ccs_set_string(head, ccs_path_number_keyword[bit]); |
ccs_set_string(head, ccs_mac_keywords[ccs_pn2mac[bit]]); |
| 1350 |
ccs_print_name_union(head, &ptr->name); |
ccs_print_name_union(head, &ptr->name); |
| 1351 |
ccs_print_number_union(head, &ptr->number); |
ccs_print_number_union(head, &ptr->number); |
| 1352 |
} else if (acl_type == CCS_TYPE_ENV_ACL) { |
} else if (acl_type == CCS_TYPE_ENV_ACL) { |
| 1360 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1361 |
ccs_set_group(head); |
ccs_set_group(head); |
| 1362 |
ccs_set_string(head, "capability "); |
ccs_set_string(head, "capability "); |
| 1363 |
ccs_set_string(head, ccs_cap2keyword(ptr->operation)); |
ccs_set_string(head, |
| 1364 |
|
ccs_mac_keywords[ccs_c2mac[ptr->operation]]); |
| 1365 |
} else if (acl_type == CCS_TYPE_INET_ACL) { |
} else if (acl_type == CCS_TYPE_INET_ACL) { |
| 1366 |
struct ccs_inet_acl *ptr = |
struct ccs_inet_acl *ptr = |
| 1367 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1497 |
/* Print domainname and flags. */ |
/* Print domainname and flags. */ |
| 1498 |
ccs_set_string(head, domain->domainname->name); |
ccs_set_string(head, domain->domainname->name); |
| 1499 |
ccs_set_lf(head); |
ccs_set_lf(head); |
| 1500 |
ccs_io_printf(head, CCS_KEYWORD_USE_PROFILE "%u\n", |
ccs_io_printf(head, "use_profile %u\n", |
| 1501 |
domain->profile); |
domain->profile); |
| 1502 |
ccs_io_printf(head, CCS_KEYWORD_USE_GROUP "%u\n", |
ccs_io_printf(head, "use_group %u\n", domain->group); |
|
domain->group); |
|
| 1503 |
for (i = 0; i < CCS_MAX_DOMAIN_INFO_FLAGS; i++) |
for (i = 0; i < CCS_MAX_DOMAIN_INFO_FLAGS; i++) |
| 1504 |
if (domain->flags[i]) |
if (domain->flags[i]) |
| 1505 |
ccs_set_string(head, ccs_dif[i]); |
ccs_set_string(head, ccs_dif[i]); |
| 1666 |
} |
} |
| 1667 |
} |
} |
| 1668 |
|
|
| 1669 |
static const char *ccs_transition_type[CCS_MAX_TRANSITION_TYPE] = { |
static const char * const ccs_transition_type[CCS_MAX_TRANSITION_TYPE] = { |
| 1670 |
[CCS_TRANSITION_CONTROL_NO_INITIALIZE] |
[CCS_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ", |
| 1671 |
= CCS_KEYWORD_NO_INITIALIZE_DOMAIN, |
[CCS_TRANSITION_CONTROL_INITIALIZE] = "initialize_domain ", |
| 1672 |
[CCS_TRANSITION_CONTROL_INITIALIZE] = CCS_KEYWORD_INITIALIZE_DOMAIN, |
[CCS_TRANSITION_CONTROL_NO_KEEP] = "no_keep_domain ", |
| 1673 |
[CCS_TRANSITION_CONTROL_NO_KEEP] = CCS_KEYWORD_NO_KEEP_DOMAIN, |
[CCS_TRANSITION_CONTROL_KEEP] = "keep_domain ", |
|
[CCS_TRANSITION_CONTROL_KEEP] = CCS_KEYWORD_KEEP_DOMAIN |
|
| 1674 |
}; |
}; |
| 1675 |
|
|
| 1676 |
static const char *ccs_group_name[CCS_MAX_GROUP] = { |
static const char * const ccs_group_name[CCS_MAX_GROUP] = { |
| 1677 |
[CCS_PATH_GROUP] = CCS_KEYWORD_PATH_GROUP, |
[CCS_PATH_GROUP] = "path_group ", |
| 1678 |
[CCS_NUMBER_GROUP] = CCS_KEYWORD_NUMBER_GROUP, |
[CCS_NUMBER_GROUP] = "number_group ", |
| 1679 |
[CCS_ADDRESS_GROUP] = CCS_KEYWORD_ADDRESS_GROUP |
[CCS_ADDRESS_GROUP] = "address_group ", |
| 1680 |
}; |
}; |
| 1681 |
|
|
| 1682 |
/** |
/** |
| 1689 |
static int ccs_write_exception(struct ccs_io_buffer *head) |
static int ccs_write_exception(struct ccs_io_buffer *head) |
| 1690 |
{ |
{ |
| 1691 |
char *data = head->write_buf; |
char *data = head->write_buf; |
| 1692 |
const bool is_delete = ccs_str_starts(&data, CCS_KEYWORD_DELETE); |
const bool is_delete = ccs_str_starts(&data, "delete "); |
| 1693 |
u8 i; |
u8 i; |
| 1694 |
static const struct { |
static const struct { |
| 1695 |
const char *keyword; |
const char *keyword; |
| 1696 |
int (*write) (char *, const bool); |
int (*write) (char *, const bool); |
| 1697 |
} ccs_callback[3] = { |
} ccs_callback[3] = { |
| 1698 |
{ CCS_KEYWORD_AGGREGATOR, ccs_write_aggregator }, |
{ "aggregator ", ccs_write_aggregator }, |
| 1699 |
{ CCS_KEYWORD_FILE_PATTERN, ccs_write_pattern }, |
{ "file_pattern ", ccs_write_pattern }, |
| 1700 |
{ CCS_KEYWORD_DENY_AUTOBIND, ccs_write_reserved_port } |
{ "deny_autobind ", ccs_write_reserved_port }, |
| 1701 |
}; |
}; |
| 1702 |
for (i = 0; i < 3; i++) |
for (i = 0; i < 3; i++) |
| 1703 |
if (ccs_str_starts(&data, ccs_callback[i].keyword)) |
if (ccs_str_starts(&data, ccs_callback[i].keyword)) |
| 1816 |
{ |
{ |
| 1817 |
struct ccs_aggregator *ptr = |
struct ccs_aggregator *ptr = |
| 1818 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1819 |
ccs_set_string(head, CCS_KEYWORD_AGGREGATOR); |
ccs_set_string(head, "aggregator "); |
| 1820 |
ccs_set_string(head, ptr->original_name->name); |
ccs_set_string(head, ptr->original_name->name); |
| 1821 |
ccs_set_space(head); |
ccs_set_space(head); |
| 1822 |
ccs_set_string(head, |
ccs_set_string(head, |
| 1827 |
{ |
{ |
| 1828 |
struct ccs_pattern *ptr = |
struct ccs_pattern *ptr = |
| 1829 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1830 |
ccs_set_string(head, CCS_KEYWORD_FILE_PATTERN); |
ccs_set_string(head, "file_pattern "); |
| 1831 |
ccs_set_string(head, ptr->pattern->name); |
ccs_set_string(head, ptr->pattern->name); |
| 1832 |
} |
} |
| 1833 |
break; |
break; |
| 1837 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1838 |
const u16 min_port = ptr->min_port; |
const u16 min_port = ptr->min_port; |
| 1839 |
const u16 max_port = ptr->max_port; |
const u16 max_port = ptr->max_port; |
| 1840 |
ccs_set_string(head, |
ccs_set_string(head, "deny_autobind "); |
|
CCS_KEYWORD_DENY_AUTOBIND); |
|
| 1841 |
ccs_io_printf(head, "%u", min_port); |
ccs_io_printf(head, "%u", min_port); |
| 1842 |
if (min_port != max_port) |
if (min_port != max_port) |
| 1843 |
ccs_io_printf(head, "-%u", max_port); |
ccs_io_printf(head, "-%u", max_port); |
| 1984 |
va_start(args, fmt); |
va_start(args, fmt); |
| 1985 |
vsnprintf(buffer, len - 1, fmt, args); |
vsnprintf(buffer, len - 1, fmt, args); |
| 1986 |
va_end(args); |
va_end(args); |
| 1987 |
if (handler || realpath || argv0 || symlink) { |
if (handler) |
| 1988 |
if (handler) |
ccs_addprintf(buffer, len, " task.%s", |
| 1989 |
ccs_addprintf(buffer, len, " task.%s", |
handler); |
| 1990 |
handler); |
if (realpath) |
| 1991 |
if (realpath) |
ccs_addprintf(buffer, len, " exec.%s", |
| 1992 |
ccs_addprintf(buffer, len, " exec.%s", |
realpath); |
| 1993 |
realpath); |
if (argv0) |
| 1994 |
if (argv0) |
ccs_addprintf(buffer, len, " exec.argv[0]=%s", |
| 1995 |
ccs_addprintf(buffer, len, |
argv0); |
| 1996 |
" exec.argv[0]=%s", |
if (symlink) |
| 1997 |
argv0); |
ccs_addprintf(buffer, len, "%s", symlink); |
|
if (symlink) |
|
|
ccs_addprintf(buffer, len, "%s", |
|
|
symlink); |
|
|
} |
|
| 1998 |
ccs_normalize_line(buffer); |
ccs_normalize_line(buffer); |
| 1999 |
ccs_write_domain2(buffer, domain, false); |
ccs_write_domain2(buffer, domain, false); |
| 2000 |
kfree(buffer); |
kfree(buffer); |
TOMOYO
Parent Directory
Revision Log
Patch