diff options
-rw-r--r-- | security/tomoyo/common.c | 42 | ||||
-rw-r--r-- | security/tomoyo/common.h | 38 | ||||
-rw-r--r-- | security/tomoyo/domain.c | 219 | ||||
-rw-r--r-- | security/tomoyo/file.c | 114 | ||||
-rw-r--r-- | security/tomoyo/gc.c | 41 | ||||
-rw-r--r-- | security/tomoyo/memory.c | 4 | ||||
-rw-r--r-- | security/tomoyo/number_group.c | 12 | ||||
-rw-r--r-- | security/tomoyo/path_group.c | 11 |
8 files changed, 98 insertions, 383 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 9eeb19ec..cb1aaf1 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -434,38 +434,6 @@ static void tomoyo_read_profile(struct tomoyo_io_buffer *head) head->read_eof = true; } -/* - * tomoyo_policy_manager_list is used for holding list of domainnames or - * programs which are permitted to modify configuration via - * /sys/kernel/security/tomoyo/ interface. - * - * An entry is added by - * - * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \ - * /sys/kernel/security/tomoyo/manager - * (if you want to specify by a domainname) - * - * or - * - * # echo '/usr/sbin/tomoyo-editpolicy' > /sys/kernel/security/tomoyo/manager - * (if you want to specify by a program's location) - * - * and is deleted by - * - * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \ - * /sys/kernel/security/tomoyo/manager - * - * or - * - * # echo 'delete /usr/sbin/tomoyo-editpolicy' > \ - * /sys/kernel/security/tomoyo/manager - * - * and all entries are retrieved by - * - * # cat /sys/kernel/security/tomoyo/manager - */ -LIST_HEAD(tomoyo_policy_manager_list); - static bool tomoyo_same_manager_entry(const struct tomoyo_acl_head *a, const struct tomoyo_acl_head *b) { @@ -503,7 +471,7 @@ static int tomoyo_update_manager_entry(const char *manager, if (!e.manager) return -ENOMEM; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_policy_manager_list, + &tomoyo_policy_list[TOMOYO_ID_MANAGER], tomoyo_same_manager_entry); tomoyo_put_name(e.manager); return error; @@ -545,7 +513,7 @@ static void tomoyo_read_manager_policy(struct tomoyo_io_buffer *head) if (head->read_eof) return; list_for_each_cookie(pos, head->read_var2, - &tomoyo_policy_manager_list) { + &tomoyo_policy_list[TOMOYO_ID_MANAGER]) { struct tomoyo_policy_manager_entry *ptr; ptr = list_entry(pos, struct tomoyo_policy_manager_entry, head.list); @@ -578,7 +546,8 @@ static bool tomoyo_policy_manager(void) return true; if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) return false; - list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, head.list) { + list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_MANAGER], + head.list) { if (!ptr->head.is_deleted && ptr->is_domain && !tomoyo_pathcmp(domainname, ptr->manager)) { found = true; @@ -590,7 +559,8 @@ static bool tomoyo_policy_manager(void) exe = tomoyo_get_exe(); if (!exe) return false; - list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, head.list) { + list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_MANAGER], + head.list) { if (!ptr->head.is_deleted && !ptr->is_domain && !strcmp(exe, ptr->manager->name)) { found = true; diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 9f289e4..451dc3c 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -46,6 +46,30 @@ enum tomoyo_mode_index { TOMOYO_CONFIG_USE_DEFAULT = 255 }; +enum tomoyo_policy_id { + TOMOYO_ID_GROUP, + TOMOYO_ID_PATH_GROUP, + TOMOYO_ID_NUMBER_GROUP, + TOMOYO_ID_DOMAIN_INITIALIZER, + TOMOYO_ID_DOMAIN_KEEPER, + TOMOYO_ID_AGGREGATOR, + TOMOYO_ID_ALIAS, + TOMOYO_ID_GLOBALLY_READABLE, + TOMOYO_ID_PATTERN, + TOMOYO_ID_NO_REWRITE, + TOMOYO_ID_MANAGER, + TOMOYO_ID_NAME, + TOMOYO_ID_ACL, + TOMOYO_ID_DOMAIN, + TOMOYO_MAX_POLICY +}; + +enum tomoyo_group_id { + TOMOYO_PATH_GROUP, + TOMOYO_NUMBER_GROUP, + TOMOYO_MAX_GROUP +}; + /* Keywords for ACLs. */ #define TOMOYO_KEYWORD_AGGREGATOR "aggregator " #define TOMOYO_KEYWORD_ALIAS "alias " @@ -570,7 +594,7 @@ struct tomoyo_globally_readable_file_entry { /* * tomoyo_pattern_entry is a structure which is used for holding - * "tomoyo_pattern_list" entries. + * "file_pattern" entries. * It has following fields. * * (1) "head" is "struct tomoyo_acl_head". @@ -950,16 +974,8 @@ extern struct srcu_struct tomoyo_ss; /* The list for "struct tomoyo_domain_info". */ extern struct list_head tomoyo_domain_list; -extern struct list_head tomoyo_path_group_list; -extern struct list_head tomoyo_number_group_list; -extern struct list_head tomoyo_domain_initializer_list; -extern struct list_head tomoyo_domain_keeper_list; -extern struct list_head tomoyo_aggregator_list; -extern struct list_head tomoyo_alias_list; -extern struct list_head tomoyo_globally_readable_list; -extern struct list_head tomoyo_pattern_list; -extern struct list_head tomoyo_no_rewrite_list; -extern struct list_head tomoyo_policy_manager_list; +extern struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY]; +extern struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP]; extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; /* Lock for protecting policy. */ diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 1a12297..3575b0e 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -127,46 +127,12 @@ void tomoyo_check_acl(struct tomoyo_request_info *r, r->granted = false; } -/* - * tomoyo_domain_list is used for holding list of domains. - * The ->acl_info_list of "struct tomoyo_domain_info" is used for holding - * permissions (e.g. "allow_read /lib/libc-2.5.so") given to each domain. - * - * An entry is added by - * - * # ( echo "<kernel>"; echo "allow_execute /sbin/init" ) > \ - * /sys/kernel/security/tomoyo/domain_policy - * - * and is deleted by - * - * # ( echo "<kernel>"; echo "delete allow_execute /sbin/init" ) > \ - * /sys/kernel/security/tomoyo/domain_policy - * - * and all entries are retrieved by - * - * # cat /sys/kernel/security/tomoyo/domain_policy - * - * A domain is added by - * - * # echo "<kernel>" > /sys/kernel/security/tomoyo/domain_policy - * - * and is deleted by - * - * # echo "delete <kernel>" > /sys/kernel/security/tomoyo/domain_policy - * - * and all domains are retrieved by - * - * # grep '^<kernel>' /sys/kernel/security/tomoyo/domain_policy - * - * Normally, a domainname is monotonically getting longer because a domainname - * which the process will belong to if an execve() operation succeeds is - * defined as a concatenation of "current domainname" + "pathname passed to - * execve()". - * See tomoyo_domain_initializer_list and tomoyo_domain_keeper_list for - * exceptions. - */ +/* The list for "struct tomoyo_domain_info". */ LIST_HEAD(tomoyo_domain_list); +struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY]; +struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP]; + /** * tomoyo_get_last_name - Get last component of a domainname. * @@ -184,44 +150,6 @@ const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain) return cp0; } -/* - * tomoyo_domain_initializer_list is used for holding list of programs which - * triggers reinitialization of domainname. Normally, a domainname is - * monotonically getting longer. But sometimes, we restart daemon programs. - * It would be convenient for us that "a daemon started upon system boot" and - * "the daemon restarted from console" belong to the same domain. Thus, TOMOYO - * provides a way to shorten domainnames. - * - * An entry is added by - * - * # echo 'initialize_domain /usr/sbin/httpd' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete initialize_domain /usr/sbin/httpd' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^initialize_domain /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, /usr/sbin/httpd will belong to - * "<kernel> /usr/sbin/httpd" domain. - * - * You may specify a domainname using "from" keyword. - * "initialize_domain /usr/sbin/httpd from <kernel> /etc/rc.d/init.d/httpd" - * will cause "/usr/sbin/httpd" executed from "<kernel> /etc/rc.d/init.d/httpd" - * domain to belong to "<kernel> /usr/sbin/httpd" domain. - * - * You may add "no_" prefix to "initialize_domain". - * "initialize_domain /usr/sbin/httpd" and - * "no_initialize_domain /usr/sbin/httpd from <kernel> /etc/rc.d/init.d/httpd" - * will cause "/usr/sbin/httpd" to belong to "<kernel> /usr/sbin/httpd" domain - * unless executed from "<kernel> /etc/rc.d/init.d/httpd" domain. - */ -LIST_HEAD(tomoyo_domain_initializer_list); - static bool tomoyo_same_domain_initializer_entry(const struct tomoyo_acl_head * a, const struct tomoyo_acl_head * @@ -272,7 +200,8 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname, if (!e.program) goto out; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_domain_initializer_list, + &tomoyo_policy_list + [TOMOYO_ID_DOMAIN_INITIALIZER], tomoyo_same_domain_initializer_entry); out: tomoyo_put_name(e.domainname); @@ -294,8 +223,8 @@ bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head) struct list_head *pos; bool done = true; - list_for_each_cookie(pos, head->read_var2, - &tomoyo_domain_initializer_list) { + list_for_each_cookie(pos, head->read_var2, &tomoyo_policy_list + [TOMOYO_ID_DOMAIN_INITIALIZER]) { const char *no; const char *from = ""; const char *domain = ""; @@ -366,8 +295,8 @@ static bool tomoyo_domain_initializer(const struct tomoyo_path_info * struct tomoyo_domain_initializer_entry *ptr; bool flag = false; - list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, - head.list) { + list_for_each_entry_rcu(ptr, &tomoyo_policy_list + [TOMOYO_ID_DOMAIN_INITIALIZER], head.list) { if (ptr->head.is_deleted) continue; if (ptr->domainname) { @@ -390,46 +319,6 @@ static bool tomoyo_domain_initializer(const struct tomoyo_path_info * return flag; } -/* - * tomoyo_domain_keeper_list is used for holding list of domainnames which - * suppresses domain transition. Normally, a domainname is monotonically - * getting longer. But sometimes, we want to suppress domain transition. - * It would be convenient for us that programs executed from a login session - * belong to the same domain. Thus, TOMOYO provides a way to suppress domain - * transition. - * - * An entry is added by - * - * # echo 'keep_domain <kernel> /usr/sbin/sshd /bin/bash' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete keep_domain <kernel> /usr/sbin/sshd /bin/bash' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^keep_domain /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, any process which belongs to - * "<kernel> /usr/sbin/sshd /bin/bash" domain will remain in that domain, - * unless explicitly specified by "initialize_domain" or "no_keep_domain". - * - * You may specify a program using "from" keyword. - * "keep_domain /bin/pwd from <kernel> /usr/sbin/sshd /bin/bash" - * will cause "/bin/pwd" executed from "<kernel> /usr/sbin/sshd /bin/bash" - * domain to remain in "<kernel> /usr/sbin/sshd /bin/bash" domain. - * - * You may add "no_" prefix to "keep_domain". - * "keep_domain <kernel> /usr/sbin/sshd /bin/bash" and - * "no_keep_domain /usr/bin/passwd from <kernel> /usr/sbin/sshd /bin/bash" will - * cause "/usr/bin/passwd" to belong to - * "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain, unless - * explicitly specified by "initialize_domain". - */ -LIST_HEAD(tomoyo_domain_keeper_list); - static bool tomoyo_same_domain_keeper_entry(const struct tomoyo_acl_head *a, const struct tomoyo_acl_head *b) { @@ -478,7 +367,8 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname, if (!e.domainname) goto out; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_domain_keeper_list, + &tomoyo_policy_list + [TOMOYO_ID_DOMAIN_KEEPER], tomoyo_same_domain_keeper_entry); out: tomoyo_put_name(e.domainname); @@ -523,7 +413,7 @@ bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head) bool done = true; list_for_each_cookie(pos, head->read_var2, - &tomoyo_domain_keeper_list) { + &tomoyo_policy_list[TOMOYO_ID_DOMAIN_KEEPER]) { struct tomoyo_domain_keeper_entry *ptr; const char *no; const char *from = ""; @@ -567,7 +457,9 @@ static bool tomoyo_domain_keeper(const struct tomoyo_path_info *domainname, struct tomoyo_domain_keeper_entry *ptr; bool flag = false; - list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, head.list) { + list_for_each_entry_rcu(ptr, + &tomoyo_policy_list[TOMOYO_ID_DOMAIN_KEEPER], + head.list) { if (ptr->head.is_deleted) continue; if (!ptr->is_last_name) { @@ -588,35 +480,6 @@ static bool tomoyo_domain_keeper(const struct tomoyo_path_info *domainname, return flag; } -/* - * tomoyo_aggregator_list is used for holding list of rewrite table for - * execve() request. Some programs provides similar functionality. This keyword - * allows users to aggregate such programs. - * - * Entries are added by - * - * # echo 'aggregator /usr/bin/vi /./editor' > \ - * /sys/kernel/security/tomoyo/exception_policy - * # echo 'aggregator /usr/bin/emacs /./editor' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and are deleted by - * - * # echo 'delete aggregator /usr/bin/vi /./editor' > \ - * /sys/kernel/security/tomoyo/exception_policy - * # echo 'delete aggregator /usr/bin/emacs /./editor' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^aggregator /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, if /usr/bin/vi or /usr/bin/emacs are executed, - * permission is checked for /./editor and domainname which the current process - * will belong to after execve() succeeds is calculated using /./editor . - */ -LIST_HEAD(tomoyo_aggregator_list); - static bool tomoyo_same_aggregator_entry(const struct tomoyo_acl_head *a, const struct tomoyo_acl_head *b) { @@ -655,7 +518,7 @@ static int tomoyo_update_aggregator_entry(const char *original_name, e.aggregated_name->is_patterned) /* No patterns allowed. */ goto out; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_aggregator_list, + &tomoyo_policy_list[TOMOYO_ID_AGGREGATOR], tomoyo_same_aggregator_entry); out: tomoyo_put_name(e.original_name); @@ -677,7 +540,8 @@ bool tomoyo_read_aggregator_policy(struct tomoyo_io_buffer *head) struct list_head *pos; bool done = true; - list_for_each_cookie(pos, head->read_var2, &tomoyo_aggregator_list) { + list_for_each_cookie(pos, head->read_var2, + &tomoyo_policy_list[TOMOYO_ID_AGGREGATOR]) { struct tomoyo_aggregator_entry *ptr; ptr = list_entry(pos, struct tomoyo_aggregator_entry, @@ -713,38 +577,6 @@ int tomoyo_write_aggregator_policy(char *data, const bool is_delete) return tomoyo_update_aggregator_entry(data, cp, is_delete); } -/* - * tomoyo_alias_list is used for holding list of symlink's pathnames which are - * allowed to be passed to an execve() request. Normally, the domainname which - * the current process will belong to after execve() succeeds is calculated - * using dereferenced pathnames. But some programs behave differently depending - * on the name passed to argv[0]. For busybox, calculating domainname using - * dereferenced pathnames will cause all programs in the busybox to belong to - * the same domain. Thus, TOMOYO provides a way to allow use of symlink's - * pathname for checking execve()'s permission and calculating domainname which - * the current process will belong to after execve() succeeds. - * - * An entry is added by - * - * # echo 'alias /bin/busybox /bin/cat' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete alias /bin/busybox /bin/cat' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^alias /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, if /bin/cat is a symlink to /bin/busybox and execution - * of /bin/cat is requested, permission is checked for /bin/cat rather than - * /bin/busybox and domainname which the current process will belong to after - * execve() succeeds is calculated using /bin/cat rather than /bin/busybox . - */ -LIST_HEAD(tomoyo_alias_list); - static bool tomoyo_same_alias_entry(const struct tomoyo_acl_head *a, const struct tomoyo_acl_head *b) { @@ -783,7 +615,7 @@ static int tomoyo_update_alias_entry(const char *original_name, e.original_name->is_patterned || e.aliased_name->is_patterned) goto out; /* No patterns allowed. */ error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_alias_list, + &tomoyo_policy_list[TOMOYO_ID_ALIAS], tomoyo_same_alias_entry); out: tomoyo_put_name(e.original_name); @@ -805,7 +637,8 @@ bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head) struct list_head *pos; bool done = true; - list_for_each_cookie(pos, head->read_var2, &tomoyo_alias_list) { + list_for_each_cookie(pos, head->read_var2, + &tomoyo_policy_list[TOMOYO_ID_ALIAS]) { struct tomoyo_alias_entry *ptr; ptr = list_entry(pos, struct tomoyo_alias_entry, head.list); @@ -946,7 +779,9 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) if (tomoyo_pathcmp(&rn, &sn)) { struct tomoyo_alias_entry *ptr; /* Is this program allowed to be called via symbolic links? */ - list_for_each_entry_rcu(ptr, &tomoyo_alias_list, head.list) { + list_for_each_entry_rcu(ptr, + &tomoyo_policy_list[TOMOYO_ID_ALIAS], + head.list) { if (ptr->head.is_deleted || tomoyo_pathcmp(&rn, ptr->original_name) || tomoyo_pathcmp(&sn, ptr->aliased_name)) @@ -962,8 +797,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) /* Check 'aggregator' directive. */ { struct tomoyo_aggregator_entry *ptr; - list_for_each_entry_rcu(ptr, &tomoyo_aggregator_list, - head.list) { + list_for_each_entry_rcu(ptr, &tomoyo_policy_list + [TOMOYO_ID_AGGREGATOR], head.list) { if (ptr->head.is_deleted || !tomoyo_path_matches_pattern(&rn, ptr->original_name)) diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 6c2ba69..df3b203 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -265,33 +265,6 @@ static int tomoyo_audit_path_number_log(struct tomoyo_request_info *r) tomoyo_file_pattern(filename), buffer); } -/* - * tomoyo_globally_readable_list is used for holding list of pathnames which - * are by default allowed to be open()ed for reading by any process. - * - * An entry is added by - * - * # echo 'allow_read /lib/libc-2.5.so' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete allow_read /lib/libc-2.5.so' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, any process is allowed to - * open("/lib/libc-2.5.so", O_RDONLY). - * One exception is, if the domain which current process belongs to is marked - * as "ignore_global_allow_read", current process can't do so unless explicitly - * given "allow_read /lib/libc-2.5.so" to the domain which current process - * belongs to. - */ -LIST_HEAD(tomoyo_globally_readable_list); - static bool tomoyo_same_globally_readable(const struct tomoyo_acl_head *a, const struct tomoyo_acl_head *b) { @@ -323,7 +296,8 @@ static int tomoyo_update_globally_readable_entry(const char *filename, if (!e.filename) return -ENOMEM; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_globally_readable_list, + &tomoyo_policy_list + [TOMOYO_ID_GLOBALLY_READABLE], tomoyo_same_globally_readable); tomoyo_put_name(e.filename); return error; @@ -344,8 +318,8 @@ static bool tomoyo_globally_readable_file(const struct tomoyo_path_info * struct tomoyo_globally_readable_file_entry *ptr; bool found = false; - list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, - head.list) { + list_for_each_entry_rcu(ptr, &tomoyo_policy_list + [TOMOYO_ID_GLOBALLY_READABLE], head.list) { if (!ptr->head.is_deleted && tomoyo_path_matches_pattern(filename, ptr->filename)) { found = true; @@ -385,7 +359,7 @@ bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) bool done = true; list_for_each_cookie(pos, head->read_var2, - &tomoyo_globally_readable_list) { + &tomoyo_policy_list[TOMOYO_ID_GLOBALLY_READABLE]) { struct tomoyo_globally_readable_file_entry *ptr; ptr = list_entry(pos, struct tomoyo_globally_readable_file_entry, @@ -400,37 +374,6 @@ bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) return done; } -/* tomoyo_pattern_list is used for holding list of pathnames which are used for - * converting pathnames to pathname patterns during learning mode. - * - * An entry is added by - * - * # echo 'file_pattern /proc/\$/mounts' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete file_pattern /proc/\$/mounts' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, if a process which belongs to a domain which is in - * learning mode requested open("/proc/1/mounts", O_RDONLY), - * "allow_read /proc/\$/mounts" is automatically added to the domain which that - * process belongs to. - * - * It is not a desirable behavior that we have to use /proc/\$/ instead of - * /proc/self/ when current process needs to access only current process's - * information. As of now, LSM version of TOMOYO is using __d_path() for - * calculating pathname. Non LSM version of TOMOYO is using its own function - * which pretends as if /proc/self/ is not a symlink; so that we can forbid - * current process from accessing other process's information. - */ -LIST_HEAD(tomoyo_pattern_list); - static bool tomoyo_same_pattern(const struct tomoyo_acl_head *a, const struct tomoyo_acl_head *b) { @@ -460,7 +403,7 @@ static int tomoyo_update_file_pattern_entry(const char *pattern, if (!e.pattern) return -ENOMEM; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_pattern_list, + &tomoyo_policy_list[TOMOYO_ID_PATTERN], tomoyo_same_pattern); tomoyo_put_name(e.pattern); return error; @@ -480,7 +423,8 @@ const char *tomoyo_file_pattern(const struct tomoyo_path_info *filename) struct tomoyo_pattern_entry *ptr; const struct tomoyo_path_info *pattern = NULL; - list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, head.list) { + list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_PATTERN], + head.list) { if (ptr->head.is_deleted) continue; if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) @@ -527,7 +471,8 @@ bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) struct list_head *pos; bool done = true; - list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) { + list_for_each_cookie(pos, head->read_var2, + &tomoyo_policy_list[TOMOYO_ID_PATTERN]) { struct tomoyo_pattern_entry *ptr; ptr = list_entry(pos, struct tomoyo_pattern_entry, head.list); if (ptr->head.is_deleted) @@ -540,37 +485,6 @@ bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) return done; } -/* - * tomoyo_no_rewrite_list is used for holding list of pathnames which are by - * default forbidden to modify already written content of a file. - * - * An entry is added by - * - * # echo 'deny_rewrite /var/log/messages' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete deny_rewrite /var/log/messages' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, if a process requested to rewrite /var/log/messages , - * the process can't rewrite unless the domain which that process belongs to - * has "allow_rewrite /var/log/messages" entry. - * - * It is not a desirable behavior that we have to add "\040(deleted)" suffix - * when we want to allow rewriting already unlink()ed file. As of now, - * LSM version of TOMOYO is using __d_path() for calculating pathname. - * Non LSM version of TOMOYO is using its own function which doesn't append - * " (deleted)" suffix if the file is already unlink()ed; so that we don't - * need to worry whether the file is already unlink()ed or not. - */ -LIST_HEAD(tomoyo_no_rewrite_list); - static bool tomoyo_same_no_rewrite(const struct tomoyo_acl_head *a, const struct tomoyo_acl_head *b) { @@ -601,7 +515,7 @@ static int tomoyo_update_no_rewrite_entry(const char *pattern, if (!e.pattern) return -ENOMEM; error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_no_rewrite_list, + &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE], tomoyo_same_no_rewrite); tomoyo_put_name(e.pattern); return error; @@ -622,7 +536,8 @@ static bool tomoyo_no_rewrite_file(const struct tomoyo_path_info *filename) struct tomoyo_no_rewrite_entry *ptr; bool found = false; - list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, head.list) { + list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE], + head.list) { if (ptr->head.is_deleted) continue; if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) @@ -662,7 +577,8 @@ bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head) struct list_head *pos; bool done = true; - list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) { + list_for_each_cookie(pos, head->read_var2, + &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE]) { struct tomoyo_no_rewrite_entry *ptr; ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, head.list); diff --git a/security/tomoyo/gc.c b/security/tomoyo/gc.c index 446d59f..414e18b 100644 --- a/security/tomoyo/gc.c +++ b/security/tomoyo/gc.c @@ -11,24 +11,6 @@ #include <linux/kthread.h> #include <linux/slab.h> -enum tomoyo_policy_id { - TOMOYO_ID_GROUP, - TOMOYO_ID_PATH_GROUP, - TOMOYO_ID_NUMBER_GROUP, - TOMOYO_ID_DOMAIN_INITIALIZER, - TOMOYO_ID_DOMAIN_KEEPER, - TOMOYO_ID_AGGREGATOR, - TOMOYO_ID_ALIAS, - TOMOYO_ID_GLOBALLY_READABLE, - TOMOYO_ID_PATTERN, - TOMOYO_ID_NO_REWRITE, - TOMOYO_ID_MANAGER, - TOMOYO_ID_NAME, - TOMOYO_ID_ACL, - TOMOYO_ID_DOMAIN, - TOMOYO_MAX_POLICY -}; - struct tomoyo_gc_entry { struct list_head list; int type; @@ -226,17 +208,6 @@ static void tomoyo_del_number_group(struct list_head *element) container_of(element, typeof(*member), head.list); } -static struct list_head *tomoyo_policy_list[TOMOYO_MAX_POLICY] = { - [TOMOYO_ID_GLOBALLY_READABLE] = &tomoyo_globally_readable_list, - [TOMOYO_ID_PATTERN] = &tomoyo_pattern_list, - [TOMOYO_ID_NO_REWRITE] = &tomoyo_no_rewrite_list, - [TOMOYO_ID_DOMAIN_INITIALIZER] = &tomoyo_domain_initializer_list, - [TOMOYO_ID_DOMAIN_KEEPER] = &tomoyo_domain_keeper_list, - [TOMOYO_ID_AGGREGATOR] = &tomoyo_aggregator_list, - [TOMOYO_ID_ALIAS] = &tomoyo_alias_list, - [TOMOYO_ID_MANAGER] = &tomoyo_policy_manager_list, -}; - static bool tomoyo_collect_member(struct list_head *member_list, int id) { struct tomoyo_acl_head *member; @@ -267,9 +238,8 @@ static void tomoyo_collect_entry(void) if (mutex_lock_interruptible(&tomoyo_policy_lock)) return; for (i = 0; i < TOMOYO_MAX_POLICY; i++) { - if (tomoyo_policy_list[i]) - if (!tomoyo_collect_member(tomoyo_policy_list[i], i)) - goto unlock; + if (!tomoyo_collect_member(&tomoyo_policy_list[i], i)) + goto unlock; } { struct tomoyo_domain_info *domain; @@ -298,7 +268,9 @@ static void tomoyo_collect_entry(void) } { struct tomoyo_group *group; - list_for_each_entry_rcu(group, &tomoyo_path_group_list, list) { + list_for_each_entry_rcu(group, + &tomoyo_group_list[TOMOYO_PATH_GROUP], + list) { tomoyo_collect_member(&group->member_list, TOMOYO_ID_PATH_GROUP); if (!list_empty(&group->member_list) || @@ -311,7 +283,8 @@ static void tomoyo_collect_entry(void) } { struct tomoyo_group *group; - list_for_each_entry_rcu(group, &tomoyo_number_group_list, + list_for_each_entry_rcu(group, + &tomoyo_group_list[TOMOYO_NUMBER_GROUP], list) { tomoyo_collect_member(&group->member_list, TOMOYO_ID_NUMBER_GROUP); diff --git a/security/tomoyo/memory.c b/security/tomoyo/memory.c index 8de5333..249835a 100644 --- a/security/tomoyo/memory.c +++ b/security/tomoyo/memory.c @@ -153,6 +153,10 @@ void __init tomoyo_mm_init(void) { int idx; + for (idx = 0; idx < TOMOYO_MAX_POLICY; idx++) + INIT_LIST_HEAD(&tomoyo_policy_list[idx]); + for (idx = 0; idx < TOMOYO_MAX_GROUP; idx++) + INIT_LIST_HEAD(&tomoyo_group_list[idx]); for (idx = 0; idx < TOMOYO_MAX_HASH; idx++) INIT_LIST_HEAD(&tomoyo_name_list[idx]); INIT_LIST_HEAD(&tomoyo_kernel_domain.acl_info_list); diff --git a/security/tomoyo/number_group.c b/security/tomoyo/number_group.c index eca20d6..9969415 100644 --- a/security/tomoyo/number_group.c +++ b/security/tomoyo/number_group.c @@ -7,9 +7,6 @@ #include <linux/slab.h> #include "common.h" -/* The list for "struct tomoyo_number_group". */ -LIST_HEAD(tomoyo_number_group_list); - /** * tomoyo_get_group - Allocate memory for "struct tomoyo_number_group". * @@ -32,7 +29,8 @@ struct tomoyo_group *tomoyo_get_number_group(const char *group_name) entry = kzalloc(sizeof(*entry), GFP_NOFS); if (mutex_lock_interruptible(&tomoyo_policy_lock)) goto out; - list_for_each_entry_rcu(group, &tomoyo_number_group_list, list) { + list_for_each_entry_rcu(group, &tomoyo_group_list[TOMOYO_NUMBER_GROUP], + list) { if (saved_group_name != group->group_name) continue; atomic_inc(&group->users); @@ -44,7 +42,8 @@ struct tomoyo_group *tomoyo_get_number_group(const char *group_name) entry->group_name = saved_group_name; saved_group_name = NULL; atomic_set(&entry->users, 1); - list_add_tail_rcu(&entry->list, &tomoyo_number_group_list); + list_add_tail_rcu(&entry->list, + &tomoyo_group_list[TOMOYO_NUMBER_GROUP]); group = entry; entry = NULL; error = 0; @@ -110,7 +109,8 @@ bool tomoyo_read_number_group_policy(struct tomoyo_io_buffer *head) { struct list_head *gpos; struct list_head *mpos; - list_for_each_cookie(gpos, head->read_var1, &tomoyo_number_group_list) { + list_for_each_cookie(gpos, head->read_var1, + &tomoyo_group_list[TOMOYO_NUMBER_GROUP]) { struct tomoyo_group *group; const char *name; group = list_entry(gpos, struct tomoyo_group, list); diff --git a/security/tomoyo/path_group.c b/security/tomoyo/path_group.c index bce2524..44e8a5b 100644 --- a/security/tomoyo/path_group.c +++ b/security/tomoyo/path_group.c @@ -6,8 +6,6 @@ #include <linux/slab.h> #include "common.h" -/* The list for "struct tomoyo_path_group". */ -LIST_HEAD(tomoyo_path_group_list); /** * tomoyo_get_group - Allocate memory for "struct tomoyo_path_group". @@ -30,7 +28,8 @@ struct tomoyo_group *tomoyo_get_path_group(const char *group_name) entry = kzalloc(sizeof(*entry), GFP_NOFS); if (mutex_lock_interruptible(&tomoyo_policy_lock)) goto out; - list_for_each_entry_rcu(group, &tomoyo_path_group_list, list) { + list_for_each_entry_rcu(group, &tomoyo_group_list[TOMOYO_PATH_GROUP], + list) { if (saved_group_name != group->group_name) continue; atomic_inc(&group->users); @@ -42,7 +41,8 @@ struct tomoyo_group *tomoyo_get_path_group(const char *group_name) entry->group_name = saved_group_name; saved_group_name = NULL; atomic_set(&entry->users, 1); - list_add_tail_rcu(&entry->list, &tomoyo_path_group_list); + list_add_tail_rcu(&entry->list, + &tomoyo_group_list[TOMOYO_PATH_GROUP]); group = entry; entry = NULL; error = 0; @@ -107,7 +107,8 @@ bool tomoyo_read_path_group_policy(struct tomoyo_io_buffer *head) { struct list_head *gpos; struct list_head *mpos; - list_for_each_cookie(gpos, head->read_var1, &tomoyo_path_group_list) { + list_for_each_cookie(gpos, head->read_var1, + &tomoyo_group_list[TOMOYO_PATH_GROUP]) { struct tomoyo_group *group; group = list_entry(gpos, struct tomoyo_group, list); list_for_each_cookie(mpos, head->read_var2, |