diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2010-06-24 12:00:25 +0900 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-08-02 15:34:44 +1000 |
commit | 063821c8160568b3390044390c8328e36c5696ad (patch) | |
tree | 68a61753cdc6b0edaf0358eebdea8c20aaa713b1 /security | |
parent | 475e6fa3d340e75a454ea09191a29e52e2ee6e71 (diff) | |
download | op-kernel-dev-063821c8160568b3390044390c8328e36c5696ad.zip op-kernel-dev-063821c8160568b3390044390c8328e36c5696ad.tar.gz |
TOMOYO: Allow reading only execute permission.
Policy editor needs to know allow_execute entries in order to build domain
transition tree. Reading all entries is slow. Thus, allow reading only
allow_execute entries.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/tomoyo/common.c | 8 | ||||
-rw-r--r-- | security/tomoyo/common.h | 2 |
2 files changed, 10 insertions, 0 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 2a5330e..6c68981 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -594,6 +594,10 @@ static bool tomoyo_select_one(struct tomoyo_io_buffer *head, const char *data) struct tomoyo_domain_info *domain = NULL; bool global_pid = false; + if (!strcmp(data, "allow_execute")) { + head->print_execute_only = true; + return true; + } if (sscanf(data, "pid=%u", &pid) == 1 || (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { struct task_struct *p; @@ -759,6 +763,8 @@ static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head, for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { if (!(perm & (1 << bit))) continue; + if (head->print_execute_only && bit != TOMOYO_TYPE_EXECUTE) + continue; /* Print "read/write" instead of "read" and "write". */ if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE) && (perm & (1 << TOMOYO_TYPE_READ_WRITE))) @@ -926,6 +932,8 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, = container_of(ptr, struct tomoyo_path_acl, head); return tomoyo_print_path_acl(head, acl); } + if (head->print_execute_only) + return true; if (acl_type == TOMOYO_TYPE_PATH2_ACL) { struct tomoyo_path2_acl *acl = container_of(ptr, struct tomoyo_path2_acl, head); diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index cdc9ef5..67b9aea 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -571,6 +571,8 @@ struct tomoyo_io_buffer { bool read_single_domain; /* Extra variable for reading. */ u8 read_bit; + /* Read only TOMOYO_TYPE_EXECUTE */ + bool print_execute_only; /* Bytes available for reading. */ int read_avail; /* Size of read buffer. */ |