36 |
static struct ccs_profile *ccs_profile_ptr[CCS_MAX_PROFILES]; |
static struct ccs_profile *ccs_profile_ptr[CCS_MAX_PROFILES]; |
37 |
|
|
38 |
/* String table for functionality that takes 4 modes. */ |
/* String table for functionality that takes 4 modes. */ |
39 |
const char *ccs_mode[CCS_CONFIG_MAX_MODE] = { |
const char * const ccs_mode[CCS_CONFIG_MAX_MODE] = { |
40 |
[CCS_CONFIG_DISABLED] = "disabled", |
[CCS_CONFIG_DISABLED] = "disabled", |
41 |
[CCS_CONFIG_LEARNING] = "learning", |
[CCS_CONFIG_LEARNING] = "learning", |
42 |
[CCS_CONFIG_PERMISSIVE] = "permissive", |
[CCS_CONFIG_PERMISSIVE] = "permissive", |
43 |
[CCS_CONFIG_ENFORCING] = "enforcing" |
[CCS_CONFIG_ENFORCING] = "enforcing" |
44 |
}; |
}; |
45 |
|
|
46 |
/* String table for /proc/ccs/profile */ |
/* String table for /proc/ccs/profile */ |
47 |
static const char *ccs_mac_keywords[CCS_MAX_MAC_INDEX + |
const char * const ccs_mac_keywords[CCS_MAX_MAC_INDEX |
48 |
CCS_MAX_CAPABILITY_INDEX + |
+ CCS_MAX_MAC_CATEGORY_INDEX] = { |
49 |
CCS_MAX_MAC_CATEGORY_INDEX] = { |
[CCS_MAC_FILE_EXECUTE] = "execute", |
50 |
[CCS_MAC_FILE_EXECUTE] |
[CCS_MAC_FILE_OPEN] = "open", |
51 |
= "file::execute", |
[CCS_MAC_FILE_CREATE] = "create", |
52 |
[CCS_MAC_FILE_OPEN] |
[CCS_MAC_FILE_UNLINK] = "unlink", |
53 |
= "file::open", |
[CCS_MAC_FILE_MKDIR] = "mkdir", |
54 |
[CCS_MAC_FILE_CREATE] |
[CCS_MAC_FILE_RMDIR] = "rmdir", |
55 |
= "file::create", |
[CCS_MAC_FILE_MKFIFO] = "mkfifo", |
56 |
[CCS_MAC_FILE_UNLINK] |
[CCS_MAC_FILE_MKSOCK] = "mksock", |
57 |
= "file::unlink", |
[CCS_MAC_FILE_TRUNCATE] = "truncate", |
58 |
[CCS_MAC_FILE_MKDIR] |
[CCS_MAC_FILE_SYMLINK] = "symlink", |
59 |
= "file::mkdir", |
[CCS_MAC_FILE_MKBLOCK] = "mkblock", |
60 |
[CCS_MAC_FILE_RMDIR] |
[CCS_MAC_FILE_MKCHAR] = "mkchar", |
61 |
= "file::rmdir", |
[CCS_MAC_FILE_LINK] = "link", |
62 |
[CCS_MAC_FILE_MKFIFO] |
[CCS_MAC_FILE_RENAME] = "rename", |
63 |
= "file::mkfifo", |
[CCS_MAC_FILE_CHMOD] = "chmod", |
64 |
[CCS_MAC_FILE_MKSOCK] |
[CCS_MAC_FILE_CHOWN] = "chown", |
65 |
= "file::mksock", |
[CCS_MAC_FILE_CHGRP] = "chgrp", |
66 |
[CCS_MAC_FILE_TRUNCATE] |
[CCS_MAC_FILE_IOCTL] = "ioctl", |
67 |
= "file::truncate", |
[CCS_MAC_FILE_CHROOT] = "chroot", |
68 |
[CCS_MAC_FILE_SYMLINK] |
[CCS_MAC_FILE_MOUNT] = "mount", |
69 |
= "file::symlink", |
[CCS_MAC_FILE_UMOUNT] = "unmount", |
70 |
[CCS_MAC_FILE_MKBLOCK] |
[CCS_MAC_FILE_PIVOT_ROOT] = "pivot_root", |
71 |
= "file::mkblock", |
[CCS_MAC_ENVIRON] = "env", |
72 |
[CCS_MAC_FILE_MKCHAR] |
[CCS_MAC_NETWORK_INET_STREAM_BIND] = "inet_stream_bind", |
73 |
= "file::mkchar", |
[CCS_MAC_NETWORK_INET_STREAM_LISTEN] = "inet_stream_listen", |
74 |
[CCS_MAC_FILE_LINK] |
[CCS_MAC_NETWORK_INET_STREAM_CONNECT] = "inet_stream_connect", |
75 |
= "file::link", |
[CCS_MAC_NETWORK_INET_STREAM_ACCEPT] = "inet_stream_accept", |
76 |
[CCS_MAC_FILE_RENAME] |
[CCS_MAC_NETWORK_INET_DGRAM_BIND] = "inet_dgram_bind", |
77 |
= "file::rename", |
[CCS_MAC_NETWORK_INET_DGRAM_SEND] = "inet_dgram_send", |
78 |
[CCS_MAC_FILE_CHMOD] |
[CCS_MAC_NETWORK_INET_DGRAM_RECV] = "inet_dgram_recv", |
79 |
= "file::chmod", |
[CCS_MAC_NETWORK_INET_RAW_BIND] = "inet_raw_bind", |
80 |
[CCS_MAC_FILE_CHOWN] |
[CCS_MAC_NETWORK_INET_RAW_SEND] = "inet_raw_send", |
81 |
= "file::chown", |
[CCS_MAC_NETWORK_INET_RAW_RECV] = "inet_raw_recv", |
82 |
[CCS_MAC_FILE_CHGRP] |
[CCS_MAC_NETWORK_UNIX_STREAM_BIND] = "unix_stream_bind", |
83 |
= "file::chgrp", |
[CCS_MAC_NETWORK_UNIX_STREAM_LISTEN] = "unix_stream_listen", |
84 |
[CCS_MAC_FILE_IOCTL] |
[CCS_MAC_NETWORK_UNIX_STREAM_CONNECT] = "unix_stream_connect", |
85 |
= "file::ioctl", |
[CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT] = "unix_stream_accept", |
86 |
[CCS_MAC_FILE_CHROOT] |
[CCS_MAC_NETWORK_UNIX_DGRAM_BIND] = "unix_dgram_bind", |
87 |
= "file::chroot", |
[CCS_MAC_NETWORK_UNIX_DGRAM_SEND] = "unix_dgram_send", |
88 |
[CCS_MAC_FILE_MOUNT] |
[CCS_MAC_NETWORK_UNIX_DGRAM_RECV] = "unix_dgram_recv", |
89 |
= "file::mount", |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND] = "unix_seqpacket_bind", |
90 |
[CCS_MAC_FILE_UMOUNT] |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN] = "unix_seqpacket_listen", |
91 |
= "file::umount", |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] = "unix_seqpacket_connect", |
92 |
[CCS_MAC_FILE_PIVOT_ROOT] |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT] = "unix_seqpacket_accept", |
93 |
= "file::pivot_root", |
[CCS_MAC_SIGNAL] = "signal", |
94 |
[CCS_MAC_ENVIRON] |
[CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET] = "use_route", |
95 |
= "misc::env", |
[CCS_MAC_CAPABILITY_USE_PACKET_SOCKET] = "use_packet", |
96 |
[CCS_MAC_NETWORK_INET_STREAM_BIND] |
[CCS_MAC_CAPABILITY_SYS_REBOOT] = "SYS_REBOOT", |
97 |
= "network::inet_stream_bind", |
[CCS_MAC_CAPABILITY_SYS_VHANGUP] = "SYS_VHANGUP", |
98 |
[CCS_MAC_NETWORK_INET_STREAM_LISTEN] |
[CCS_MAC_CAPABILITY_SYS_SETTIME] = "SYS_TIME", |
99 |
= "network::inet_stream_listen", |
[CCS_MAC_CAPABILITY_SYS_NICE] = "SYS_NICE", |
100 |
[CCS_MAC_NETWORK_INET_STREAM_CONNECT] |
[CCS_MAC_CAPABILITY_SYS_SETHOSTNAME] = "SYS_SETHOSTNAME", |
101 |
= "network::inet_stream_connect", |
[CCS_MAC_CAPABILITY_USE_KERNEL_MODULE] = "use_kernel_module", |
102 |
[CCS_MAC_NETWORK_INET_STREAM_ACCEPT] |
[CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD] = "SYS_KEXEC_LOAD", |
103 |
= "network::inet_stream_accept", |
[CCS_MAC_CAPABILITY_SYS_PTRACE] = "SYS_PTRACE", |
104 |
[CCS_MAC_NETWORK_INET_DGRAM_BIND] |
[CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_FILE] = "file", |
105 |
= "network::inet_dgram_bind", |
[CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_NETWORK] = "network", |
106 |
[CCS_MAC_NETWORK_INET_DGRAM_SEND] |
[CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_MISC] = "misc", |
107 |
= "network::inet_dgram_send", |
[CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_IPC] = "ipc", |
108 |
[CCS_MAC_NETWORK_INET_DGRAM_RECV] |
[CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_CAPABILITY] = "capability", |
109 |
= "network::inet_dgram_recv", |
}; |
110 |
[CCS_MAC_NETWORK_INET_RAW_BIND] |
|
111 |
= "network::inet_raw_bind", |
const char * const ccs_path_keyword[CCS_MAX_PATH_OPERATION] = { |
112 |
[CCS_MAC_NETWORK_INET_RAW_SEND] |
[CCS_TYPE_EXECUTE] = "execute", |
113 |
= "network::inet_raw_send", |
[CCS_TYPE_READ] = "read", |
114 |
[CCS_MAC_NETWORK_INET_RAW_RECV] |
[CCS_TYPE_WRITE] = "write", |
115 |
= "network::inet_raw_recv", |
[CCS_TYPE_APPEND] = "append", |
116 |
[CCS_MAC_NETWORK_UNIX_STREAM_BIND] |
[CCS_TYPE_UNLINK] = "unlink", |
117 |
= "network::unix_stream_bind", |
[CCS_TYPE_RMDIR] = "rmdir", |
118 |
[CCS_MAC_NETWORK_UNIX_STREAM_LISTEN] |
[CCS_TYPE_TRUNCATE] = "truncate", |
119 |
= "network::unix_stream_listen", |
[CCS_TYPE_SYMLINK] = "symlink", |
120 |
[CCS_MAC_NETWORK_UNIX_STREAM_CONNECT] |
[CCS_TYPE_CHROOT] = "chroot", |
121 |
= "network::unix_stream_connect", |
[CCS_TYPE_UMOUNT] = "unmount", |
122 |
[CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT] |
}; |
123 |
= "network::unix_stream_accept", |
|
124 |
[CCS_MAC_NETWORK_UNIX_DGRAM_BIND] |
static const char * const ccs_category_keywords[CCS_MAX_MAC_CATEGORY_INDEX] = { |
125 |
= "network::unix_dgram_bind", |
[CCS_MAC_CATEGORY_FILE] = "file", |
126 |
[CCS_MAC_NETWORK_UNIX_DGRAM_SEND] |
[CCS_MAC_CATEGORY_NETWORK] = "network", |
127 |
= "network::unix_dgram_send", |
[CCS_MAC_CATEGORY_MISC] = "misc", |
128 |
[CCS_MAC_NETWORK_UNIX_DGRAM_RECV] |
[CCS_MAC_CATEGORY_IPC] = "ipc", |
129 |
= "network::unix_dgram_recv", |
[CCS_MAC_CATEGORY_CAPABILITY] = "capability", |
130 |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND] |
}; |
131 |
= "network::unix_seqpacket_bind", |
|
132 |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN] |
const char * const ccs_condition_keyword[CCS_MAX_CONDITION_KEYWORD] = { |
133 |
= "network::unix_seqpacket_listen", |
[CCS_TASK_UID] = "task.uid", |
134 |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] |
[CCS_TASK_EUID] = "task.euid", |
135 |
= "network::unix_seqpacket_connect", |
[CCS_TASK_SUID] = "task.suid", |
136 |
[CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT] |
[CCS_TASK_FSUID] = "task.fsuid", |
137 |
= "network::unix_seqpacket_accept", |
[CCS_TASK_GID] = "task.gid", |
138 |
[CCS_MAC_SIGNAL] |
[CCS_TASK_EGID] = "task.egid", |
139 |
= "ipc::signal", |
[CCS_TASK_SGID] = "task.sgid", |
140 |
[CCS_MAX_MAC_INDEX + CCS_USE_ROUTE_SOCKET] |
[CCS_TASK_FSGID] = "task.fsgid", |
141 |
= "capability::use_route", |
[CCS_TASK_PID] = "task.pid", |
142 |
[CCS_MAX_MAC_INDEX + CCS_USE_PACKET_SOCKET] |
[CCS_TASK_PPID] = "task.ppid", |
143 |
= "capability::use_packet", |
[CCS_EXEC_ARGC] = "exec.argc", |
144 |
[CCS_MAX_MAC_INDEX + CCS_SYS_REBOOT] |
[CCS_EXEC_ENVC] = "exec.envc", |
145 |
= "capability::SYS_REBOOT", |
[CCS_TYPE_IS_SOCKET] = "socket", |
146 |
[CCS_MAX_MAC_INDEX + CCS_SYS_VHANGUP] |
[CCS_TYPE_IS_SYMLINK] = "symlink", |
147 |
= "capability::SYS_VHANGUP", |
[CCS_TYPE_IS_FILE] = "file", |
148 |
[CCS_MAX_MAC_INDEX + CCS_SYS_SETTIME] |
[CCS_TYPE_IS_BLOCK_DEV] = "block", |
149 |
= "capability::SYS_TIME", |
[CCS_TYPE_IS_DIRECTORY] = "directory", |
150 |
[CCS_MAX_MAC_INDEX + CCS_SYS_NICE] |
[CCS_TYPE_IS_CHAR_DEV] = "char", |
151 |
= "capability::SYS_NICE", |
[CCS_TYPE_IS_FIFO] = "fifo", |
152 |
[CCS_MAX_MAC_INDEX + CCS_SYS_SETHOSTNAME] |
[CCS_MODE_SETUID] = "setuid", |
153 |
= "capability::SYS_SETHOSTNAME", |
[CCS_MODE_SETGID] = "setgid", |
154 |
[CCS_MAX_MAC_INDEX + CCS_USE_KERNEL_MODULE] |
[CCS_MODE_STICKY] = "sticky", |
155 |
= "capability::use_kernel_module", |
[CCS_MODE_OWNER_READ] = "owner_read", |
156 |
[CCS_MAX_MAC_INDEX + CCS_SYS_KEXEC_LOAD] |
[CCS_MODE_OWNER_WRITE] = "owner_write", |
157 |
= "capability::SYS_KEXEC_LOAD", |
[CCS_MODE_OWNER_EXECUTE] = "owner_execute", |
158 |
[CCS_MAX_MAC_INDEX + CCS_SYS_PTRACE] |
[CCS_MODE_GROUP_READ] = "group_read", |
159 |
= "capability::SYS_PTRACE", |
[CCS_MODE_GROUP_WRITE] = "group_write", |
160 |
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
[CCS_MODE_GROUP_EXECUTE] = "group_execute", |
161 |
+ CCS_MAC_CATEGORY_FILE] = "file", |
[CCS_MODE_OTHERS_READ] = "others_read", |
162 |
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
[CCS_MODE_OTHERS_WRITE] = "others_write", |
163 |
+ CCS_MAC_CATEGORY_NETWORK] = "network", |
[CCS_MODE_OTHERS_EXECUTE] = "others_execute", |
164 |
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
[CCS_TASK_TYPE] = "task.type", |
165 |
+ CCS_MAC_CATEGORY_MISC] = "misc", |
[CCS_TASK_EXECUTE_HANDLER] = "execute_handler", |
166 |
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
[CCS_EXEC_REALPATH] = "exec.realpath", |
167 |
+ CCS_MAC_CATEGORY_IPC] = "ipc", |
[CCS_SYMLINK_TARGET] = "symlink.target", |
168 |
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
[CCS_PATH1_UID] = "path1.uid", |
169 |
+ CCS_MAC_CATEGORY_CAPABILITY] = "capability", |
[CCS_PATH1_GID] = "path1.gid", |
170 |
|
[CCS_PATH1_INO] = "path1.ino", |
171 |
|
[CCS_PATH1_MAJOR] = "path1.major", |
172 |
|
[CCS_PATH1_MINOR] = "path1.minor", |
173 |
|
[CCS_PATH1_PERM] = "path1.perm", |
174 |
|
[CCS_PATH1_TYPE] = "path1.type", |
175 |
|
[CCS_PATH1_DEV_MAJOR] = "path1.dev_major", |
176 |
|
[CCS_PATH1_DEV_MINOR] = "path1.dev_minor", |
177 |
|
[CCS_PATH2_UID] = "path2.uid", |
178 |
|
[CCS_PATH2_GID] = "path2.gid", |
179 |
|
[CCS_PATH2_INO] = "path2.ino", |
180 |
|
[CCS_PATH2_MAJOR] = "path2.major", |
181 |
|
[CCS_PATH2_MINOR] = "path2.minor", |
182 |
|
[CCS_PATH2_PERM] = "path2.perm", |
183 |
|
[CCS_PATH2_TYPE] = "path2.type", |
184 |
|
[CCS_PATH2_DEV_MAJOR] = "path2.dev_major", |
185 |
|
[CCS_PATH2_DEV_MINOR] = "path2.dev_minor", |
186 |
|
[CCS_PATH1_PARENT_UID] = "path1.parent.uid", |
187 |
|
[CCS_PATH1_PARENT_GID] = "path1.parent.gid", |
188 |
|
[CCS_PATH1_PARENT_INO] = "path1.parent.ino", |
189 |
|
[CCS_PATH1_PARENT_PERM] = "path1.parent.perm", |
190 |
|
[CCS_PATH2_PARENT_UID] = "path2.parent.uid", |
191 |
|
[CCS_PATH2_PARENT_GID] = "path2.parent.gid", |
192 |
|
[CCS_PATH2_PARENT_INO] = "path2.parent.ino", |
193 |
|
[CCS_PATH2_PARENT_PERM] = "path2.parent.perm", |
194 |
}; |
}; |
195 |
|
|
196 |
/* Permit policy management by non-root user? */ |
/* Permit policy management by non-root user? */ |
197 |
static bool ccs_manage_by_non_root; |
static bool ccs_manage_by_non_root; |
198 |
|
|
199 |
/** |
/** |
|
* ccs_cap2keyword - Convert capability operation to capability name. |
|
|
* |
|
|
* @operation: The capability index. |
|
|
* |
|
|
* Returns the name of the specified capability's name. |
|
|
*/ |
|
|
const char *ccs_cap2keyword(const u8 operation) |
|
|
{ |
|
|
return operation < CCS_MAX_CAPABILITY_INDEX |
|
|
? ccs_mac_keywords[CCS_MAX_MAC_INDEX + operation] + 12 : NULL; |
|
|
} |
|
|
|
|
|
/** |
|
200 |
* ccs_yesno - Return "yes" or "no". |
* ccs_yesno - Return "yes" or "no". |
201 |
* |
* |
202 |
* @value: Bool value. |
* @value: Bool value. |
447 |
ccs_set_uint(&ccs_preference.learning_max_entry, data, |
ccs_set_uint(&ccs_preference.learning_max_entry, data, |
448 |
"max_entry"); |
"max_entry"); |
449 |
ccs_set_bool(&ccs_preference.learning_exec_realpath, data, |
ccs_set_bool(&ccs_preference.learning_exec_realpath, data, |
450 |
"exec.realpath"); |
ccs_condition_keyword[CCS_EXEC_REALPATH]); |
451 |
ccs_set_bool(&ccs_preference.learning_exec_argv0, data, |
ccs_set_bool(&ccs_preference.learning_exec_argv0, data, |
452 |
"exec.argv0"); |
"exec.argv0"); |
453 |
ccs_set_bool(&ccs_preference.learning_symlink_target, data, |
ccs_set_bool(&ccs_preference.learning_symlink_target, data, |
454 |
"symlink.target"); |
ccs_condition_keyword[CCS_SYMLINK_TARGET]); |
455 |
} else |
} else |
456 |
return -EINVAL; |
return -EINVAL; |
457 |
return 0; |
return 0; |
463 |
u8 i; |
u8 i; |
464 |
u8 config; |
u8 config; |
465 |
if (!strcmp(name, "CONFIG")) { |
if (!strcmp(name, "CONFIG")) { |
466 |
i = CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
i = CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX; |
|
+ CCS_MAX_MAC_CATEGORY_INDEX; |
|
467 |
config = profile->default_config; |
config = profile->default_config; |
468 |
} else if (ccs_str_starts(&name, "CONFIG::")) { |
} else if (ccs_str_starts(&name, "CONFIG::")) { |
469 |
config = 0; |
config = 0; |
470 |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX; |
471 |
+ CCS_MAX_MAC_CATEGORY_INDEX; i++) { |
i++) { |
472 |
if (strcmp(name, ccs_mac_keywords[i])) |
int len = 0; |
473 |
|
if (i < CCS_MAX_MAC_INDEX) { |
474 |
|
const u8 c = ccs_index2category[i]; |
475 |
|
const char *category = ccs_category_keywords[c]; |
476 |
|
len = strlen(category); |
477 |
|
if (strncmp(name, category, len) || |
478 |
|
name[len++] != ':' || name[len++] != ':') |
479 |
|
continue; |
480 |
|
} |
481 |
|
if (strcmp(name + len, ccs_mac_keywords[i])) |
482 |
continue; |
continue; |
483 |
config = profile->config[i]; |
config = profile->config[i]; |
484 |
break; |
break; |
485 |
} |
} |
486 |
if (i == CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
if (i == CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX) |
|
+ CCS_MAX_MAC_CATEGORY_INDEX) |
|
487 |
return -EINVAL; |
return -EINVAL; |
488 |
} else { |
} else { |
489 |
return -EINVAL; |
return -EINVAL; |
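Review bot: The `::` separator check in the new CONFIG:: parse loop (gutter lines 477–479), `name[len++] != ':' || name[len++] != ':'`, packs two post-increments into one short-circuit condition, which is easy to misread and splits the separator width across two expressions. Comparing the separator as a unit keeps that width in one place: `if (strncmp(name, category, len) || strncmp(name + len, "::", 2)) continue; len += 2;`. Since `len` is assigned from `strlen()`, declaring it `size_t len = 0;` rather than `int` also avoids the implicit narrowing. The same `<category>::<operation>` layout is emitted by the printing side in the hunk at gutter lines 656–663, so a one-line comment above the loop, `/* MAC entries are keyed "<category>::<operation>"; category entries use the bare category name. */`, would tie the parser and printer together for the next maintainer. The enclosing function starts and ends outside this hunk.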
499 |
* 'config' from 'CCS_CONFIG_USE_DEAFULT'. |
* 'config' from 'CCS_CONFIG_USE_DEAFULT'. |
500 |
*/ |
*/ |
501 |
config = (config & ~7) | mode; |
config = (config & ~7) | mode; |
|
if (config != CCS_CONFIG_USE_DEFAULT) { |
|
502 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
503 |
|
if (config != CCS_CONFIG_USE_DEFAULT) { |
504 |
switch (ccs_find_yesno(value, "grant_log")) { |
switch (ccs_find_yesno(value, "grant_log")) { |
505 |
case 1: |
case 1: |
506 |
config |= CCS_CONFIG_WANT_GRANT_LOG; |
config |= CCS_CONFIG_WANT_GRANT_LOG; |
517 |
config &= ~CCS_CONFIG_WANT_REJECT_LOG; |
config &= ~CCS_CONFIG_WANT_REJECT_LOG; |
518 |
break; |
break; |
519 |
} |
} |
|
#endif |
|
520 |
} |
} |
521 |
|
#endif |
522 |
} |
} |
523 |
if (i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
if (i < CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX) |
|
+ CCS_MAX_MAC_CATEGORY_INDEX) |
|
524 |
profile->config[i] = config; |
profile->config[i] = config; |
525 |
else if (config != CCS_CONFIG_USE_DEFAULT) |
else if (config != CCS_CONFIG_USE_DEFAULT) |
526 |
profile->default_config = config; |
profile->default_config = config; |
648 |
break; |
break; |
649 |
case 4: |
case 4: |
650 |
for ( ; head->r.bit < CCS_MAX_MAC_INDEX |
for ( ; head->r.bit < CCS_MAX_MAC_INDEX |
|
+ CCS_MAX_CAPABILITY_INDEX |
|
651 |
+ CCS_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { |
+ CCS_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { |
652 |
const u8 i = head->r.bit; |
const u8 i = head->r.bit; |
653 |
const u8 config = profile->config[i]; |
const u8 config = profile->config[i]; |
654 |
if (config == CCS_CONFIG_USE_DEFAULT) |
if (config == CCS_CONFIG_USE_DEFAULT) |
655 |
continue; |
continue; |
656 |
ccs_io_printf(head, "%u-%s%s", index, "CONFIG::", |
if (i < CCS_MAX_MAC_INDEX) |
657 |
ccs_mac_keywords[i]); |
ccs_io_printf(head, "%u-CONFIG::%s::%s", index, |
658 |
|
ccs_category_keywords |
659 |
|
[ccs_index2category[i]], |
660 |
|
ccs_mac_keywords[i]); |
661 |
|
else |
662 |
|
ccs_io_printf(head, "%u-CONFIG::%s", index, |
663 |
|
ccs_mac_keywords[i]); |
664 |
ccs_print_config(head, config); |
ccs_print_config(head, config); |
665 |
head->r.bit++; |
head->r.bit++; |
666 |
break; |
break; |
667 |
} |
} |
668 |
if (head->r.bit == CCS_MAX_MAC_INDEX |
if (head->r.bit == CCS_MAX_MAC_INDEX |
|
+ CCS_MAX_CAPABILITY_INDEX |
|
669 |
+ CCS_MAX_MAC_CATEGORY_INDEX) { |
+ CCS_MAX_MAC_CATEGORY_INDEX) { |
670 |
head->r.index++; |
head->r.index++; |
671 |
head->r.step = 1; |
head->r.step = 1; |
723 |
static int ccs_write_manager(struct ccs_io_buffer *head) |
static int ccs_write_manager(struct ccs_io_buffer *head) |
724 |
{ |
{ |
725 |
char *data = head->write_buf; |
char *data = head->write_buf; |
726 |
bool is_delete = ccs_str_starts(&data, CCS_KEYWORD_DELETE); |
bool is_delete = ccs_str_starts(&data, "delete "); |
727 |
if (!strcmp(data, "manage_by_non_root")) { |
if (!strcmp(data, "manage_by_non_root")) { |
728 |
ccs_manage_by_non_root = !is_delete; |
ccs_manage_by_non_root = !is_delete; |
729 |
return 0; |
return 0; |
959 |
return -EINVAL; |
return -EINVAL; |
960 |
} |
} |
961 |
|
|
962 |
static const char *ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
const char * const ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { |
963 |
[CCS_DIF_QUOTA_WARNED] = CCS_KEYWORD_QUOTA_EXCEEDED "\n", |
[CCS_DIF_QUOTA_WARNED] = "quota_exceeded\n", |
964 |
[CCS_DIF_TRANSITION_FAILED] = CCS_KEYWORD_TRANSITION_FAILED "\n" |
[CCS_DIF_TRANSITION_FAILED] = "transition_failed\n", |
965 |
}; |
}; |
966 |
|
|
967 |
/** |
/** |
968 |
* ccs_write_domain - Write domain policy. |
* ccs_write_domain - Write domain policy. |
969 |
* |
* |
978 |
bool is_delete = false; |
bool is_delete = false; |
979 |
bool is_select = false; |
bool is_select = false; |
980 |
unsigned int profile; |
unsigned int profile; |
981 |
if (ccs_str_starts(&data, CCS_KEYWORD_DELETE)) |
if (ccs_str_starts(&data, "delete ")) |
982 |
is_delete = true; |
is_delete = true; |
983 |
else if (ccs_str_starts(&data, CCS_KEYWORD_SELECT)) |
else if (ccs_str_starts(&data, "select ")) |
984 |
is_select = true; |
is_select = true; |
985 |
if (is_select && ccs_select_one(head, data)) |
if (is_select && ccs_select_one(head, data)) |
986 |
return 0; |
return 0; |
1001 |
if (!domain) |
if (!domain) |
1002 |
return -EINVAL; |
return -EINVAL; |
1003 |
|
|
1004 |
if (sscanf(data, CCS_KEYWORD_USE_PROFILE "%u", &profile) == 1 |
if (sscanf(data, "use_profile %u\n", &profile) == 1 |
1005 |
&& profile < CCS_MAX_PROFILES) { |
&& profile < CCS_MAX_PROFILES) { |
1006 |
if (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile]) |
if (!ccs_policy_loaded || ccs_profile_ptr[(u8) profile]) |
1007 |
domain->profile = (u8) profile; |
domain->profile = (u8) profile; |
1008 |
return 0; |
return 0; |
1009 |
} |
} |
1010 |
if (sscanf(data, CCS_KEYWORD_USE_GROUP "%u", &profile) == 1 |
if (sscanf(data, "use_group %u\n", &profile) == 1 |
1011 |
&& profile < CCS_MAX_ACL_GROUPS) { |
&& profile < CCS_MAX_ACL_GROUPS) { |
1012 |
domain->group = (u8) profile; |
domain->group = (u8) profile; |
1013 |
return 0; |
return 0; |
1322 |
goto done; |
goto done; |
1323 |
ccs_set_group(head); |
ccs_set_group(head); |
1324 |
ccs_set_string(head, "file "); |
ccs_set_string(head, "file "); |
1325 |
ccs_set_string(head, ccs_mkdev_keyword[bit]); |
ccs_set_string(head, ccs_mac_keywords[ccs_pnnn2mac[bit]]); |
1326 |
ccs_print_name_union(head, &ptr->name); |
ccs_print_name_union(head, &ptr->name); |
1327 |
ccs_print_number_union(head, &ptr->mode); |
ccs_print_number_union(head, &ptr->mode); |
1328 |
ccs_print_number_union(head, &ptr->major); |
ccs_print_number_union(head, &ptr->major); |
1335 |
goto done; |
goto done; |
1336 |
ccs_set_group(head); |
ccs_set_group(head); |
1337 |
ccs_set_string(head, "file "); |
ccs_set_string(head, "file "); |
1338 |
ccs_set_string(head, ccs_path2_keyword[bit]); |
ccs_set_string(head, ccs_mac_keywords[ccs_pp2mac[bit]]); |
1339 |
ccs_print_name_union(head, &ptr->name1); |
ccs_print_name_union(head, &ptr->name1); |
1340 |
ccs_print_name_union(head, &ptr->name2); |
ccs_print_name_union(head, &ptr->name2); |
1341 |
} else if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
} else if (acl_type == CCS_TYPE_PATH_NUMBER_ACL) { |
1346 |
goto done; |
goto done; |
1347 |
ccs_set_group(head); |
ccs_set_group(head); |
1348 |
ccs_set_string(head, "file "); |
ccs_set_string(head, "file "); |
1349 |
ccs_set_string(head, ccs_path_number_keyword[bit]); |
ccs_set_string(head, ccs_mac_keywords[ccs_pn2mac[bit]]); |
1350 |
ccs_print_name_union(head, &ptr->name); |
ccs_print_name_union(head, &ptr->name); |
1351 |
ccs_print_number_union(head, &ptr->number); |
ccs_print_number_union(head, &ptr->number); |
1352 |
} else if (acl_type == CCS_TYPE_ENV_ACL) { |
} else if (acl_type == CCS_TYPE_ENV_ACL) { |
1360 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1361 |
ccs_set_group(head); |
ccs_set_group(head); |
1362 |
ccs_set_string(head, "capability "); |
ccs_set_string(head, "capability "); |
1363 |
ccs_set_string(head, ccs_cap2keyword(ptr->operation)); |
ccs_set_string(head, |
1364 |
|
ccs_mac_keywords[ccs_c2mac[ptr->operation]]); |
1365 |
} else if (acl_type == CCS_TYPE_INET_ACL) { |
} else if (acl_type == CCS_TYPE_INET_ACL) { |
1366 |
struct ccs_inet_acl *ptr = |
struct ccs_inet_acl *ptr = |
1367 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1497 |
/* Print domainname and flags. */ |
/* Print domainname and flags. */ |
1498 |
ccs_set_string(head, domain->domainname->name); |
ccs_set_string(head, domain->domainname->name); |
1499 |
ccs_set_lf(head); |
ccs_set_lf(head); |
1500 |
ccs_io_printf(head, CCS_KEYWORD_USE_PROFILE "%u\n", |
ccs_io_printf(head, "use_profile %u\n", |
1501 |
domain->profile); |
domain->profile); |
1502 |
ccs_io_printf(head, CCS_KEYWORD_USE_GROUP "%u\n", |
ccs_io_printf(head, "use_group %u\n", domain->group); |
|
domain->group); |
|
1503 |
for (i = 0; i < CCS_MAX_DOMAIN_INFO_FLAGS; i++) |
for (i = 0; i < CCS_MAX_DOMAIN_INFO_FLAGS; i++) |
1504 |
if (domain->flags[i]) |
if (domain->flags[i]) |
1505 |
ccs_set_string(head, ccs_dif[i]); |
ccs_set_string(head, ccs_dif[i]); |
1666 |
} |
} |
1667 |
} |
} |
1668 |
|
|
1669 |
static const char *ccs_transition_type[CCS_MAX_TRANSITION_TYPE] = { |
static const char * const ccs_transition_type[CCS_MAX_TRANSITION_TYPE] = { |
1670 |
[CCS_TRANSITION_CONTROL_NO_INITIALIZE] |
[CCS_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ", |
1671 |
= CCS_KEYWORD_NO_INITIALIZE_DOMAIN, |
[CCS_TRANSITION_CONTROL_INITIALIZE] = "initialize_domain ", |
1672 |
[CCS_TRANSITION_CONTROL_INITIALIZE] = CCS_KEYWORD_INITIALIZE_DOMAIN, |
[CCS_TRANSITION_CONTROL_NO_KEEP] = "no_keep_domain ", |
1673 |
[CCS_TRANSITION_CONTROL_NO_KEEP] = CCS_KEYWORD_NO_KEEP_DOMAIN, |
[CCS_TRANSITION_CONTROL_KEEP] = "keep_domain ", |
|
[CCS_TRANSITION_CONTROL_KEEP] = CCS_KEYWORD_KEEP_DOMAIN |
|
1674 |
}; |
}; |
1675 |
|
|
1676 |
static const char *ccs_group_name[CCS_MAX_GROUP] = { |
static const char * const ccs_group_name[CCS_MAX_GROUP] = { |
1677 |
[CCS_PATH_GROUP] = CCS_KEYWORD_PATH_GROUP, |
[CCS_PATH_GROUP] = "path_group ", |
1678 |
[CCS_NUMBER_GROUP] = CCS_KEYWORD_NUMBER_GROUP, |
[CCS_NUMBER_GROUP] = "number_group ", |
1679 |
[CCS_ADDRESS_GROUP] = CCS_KEYWORD_ADDRESS_GROUP |
[CCS_ADDRESS_GROUP] = "address_group ", |
1680 |
}; |
}; |
1681 |
|
|
1682 |
/** |
/** |
1689 |
static int ccs_write_exception(struct ccs_io_buffer *head) |
static int ccs_write_exception(struct ccs_io_buffer *head) |
1690 |
{ |
{ |
1691 |
char *data = head->write_buf; |
char *data = head->write_buf; |
1692 |
const bool is_delete = ccs_str_starts(&data, CCS_KEYWORD_DELETE); |
const bool is_delete = ccs_str_starts(&data, "delete "); |
1693 |
u8 i; |
u8 i; |
1694 |
static const struct { |
static const struct { |
1695 |
const char *keyword; |
const char *keyword; |
1696 |
int (*write) (char *, const bool); |
int (*write) (char *, const bool); |
1697 |
} ccs_callback[3] = { |
} ccs_callback[3] = { |
1698 |
{ CCS_KEYWORD_AGGREGATOR, ccs_write_aggregator }, |
{ "aggregator ", ccs_write_aggregator }, |
1699 |
{ CCS_KEYWORD_FILE_PATTERN, ccs_write_pattern }, |
{ "file_pattern ", ccs_write_pattern }, |
1700 |
{ CCS_KEYWORD_DENY_AUTOBIND, ccs_write_reserved_port } |
{ "deny_autobind ", ccs_write_reserved_port }, |
1701 |
}; |
}; |
1702 |
for (i = 0; i < 3; i++) |
for (i = 0; i < 3; i++) |
1703 |
if (ccs_str_starts(&data, ccs_callback[i].keyword)) |
if (ccs_str_starts(&data, ccs_callback[i].keyword)) |
1816 |
{ |
{ |
1817 |
struct ccs_aggregator *ptr = |
struct ccs_aggregator *ptr = |
1818 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1819 |
ccs_set_string(head, CCS_KEYWORD_AGGREGATOR); |
ccs_set_string(head, "aggregator "); |
1820 |
ccs_set_string(head, ptr->original_name->name); |
ccs_set_string(head, ptr->original_name->name); |
1821 |
ccs_set_space(head); |
ccs_set_space(head); |
1822 |
ccs_set_string(head, |
ccs_set_string(head, |
1827 |
{ |
{ |
1828 |
struct ccs_pattern *ptr = |
struct ccs_pattern *ptr = |
1829 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1830 |
ccs_set_string(head, CCS_KEYWORD_FILE_PATTERN); |
ccs_set_string(head, "file_pattern "); |
1831 |
ccs_set_string(head, ptr->pattern->name); |
ccs_set_string(head, ptr->pattern->name); |
1832 |
} |
} |
1833 |
break; |
break; |
1837 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1838 |
const u16 min_port = ptr->min_port; |
const u16 min_port = ptr->min_port; |
1839 |
const u16 max_port = ptr->max_port; |
const u16 max_port = ptr->max_port; |
1840 |
ccs_set_string(head, |
ccs_set_string(head, "deny_autobind "); |
|
CCS_KEYWORD_DENY_AUTOBIND); |
|
1841 |
ccs_io_printf(head, "%u", min_port); |
ccs_io_printf(head, "%u", min_port); |
1842 |
if (min_port != max_port) |
if (min_port != max_port) |
1843 |
ccs_io_printf(head, "-%u", max_port); |
ccs_io_printf(head, "-%u", max_port); |
1984 |
va_start(args, fmt); |
va_start(args, fmt); |
1985 |
vsnprintf(buffer, len - 1, fmt, args); |
vsnprintf(buffer, len - 1, fmt, args); |
1986 |
va_end(args); |
va_end(args); |
1987 |
if (handler || realpath || argv0 || symlink) { |
if (handler) |
1988 |
if (handler) |
ccs_addprintf(buffer, len, " task.%s", |
1989 |
ccs_addprintf(buffer, len, " task.%s", |
handler); |
1990 |
handler); |
if (realpath) |
1991 |
if (realpath) |
ccs_addprintf(buffer, len, " exec.%s", |
1992 |
ccs_addprintf(buffer, len, " exec.%s", |
realpath); |
1993 |
realpath); |
if (argv0) |
1994 |
if (argv0) |
ccs_addprintf(buffer, len, " exec.argv[0]=%s", |
1995 |
ccs_addprintf(buffer, len, |
argv0); |
1996 |
" exec.argv[0]=%s", |
if (symlink) |
1997 |
argv0); |
ccs_addprintf(buffer, len, "%s", symlink); |
|
if (symlink) |
|
|
ccs_addprintf(buffer, len, "%s", |
|
|
symlink); |
|
|
} |
|
1998 |
ccs_normalize_line(buffer); |
ccs_normalize_line(buffer); |
1999 |
ccs_write_domain2(buffer, domain, false); |
ccs_write_domain2(buffer, domain, false); |
2000 |
kfree(buffer); |
kfree(buffer); |