-rw-r--r-- | security/tomoyo/common.h | 33 | ||||
-rw-r--r-- | security/tomoyo/file.c | 20 | ||||
-rw-r--r-- | security/tomoyo/mount.c | 6 |
3 files changed, 58 insertions, 1 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 2034540..f055e27 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -212,6 +212,39 @@ struct tomoyo_acl_head {
 */
 struct tomoyo_request_info {
 struct tomoyo_domain_info *domain;
+ /* For holding parameters. */
+ union {
+ struct {
+ const struct tomoyo_path_info *filename;
+ u8 operation;
+ } path;
+ struct {
+ const struct tomoyo_path_info *filename1;
+ const struct tomoyo_path_info *filename2;
+ u8 operation;
+ } path2;
+ struct {
+ const struct tomoyo_path_info *filename;
+ unsigned int mode;
+ unsigned int major;
+ unsigned int minor;
+ u8 operation;
+ } mkdev;
+ struct {
+ const struct tomoyo_path_info *filename;
+ unsigned long number;
+ u8 operation;
+ } path_number;
+ struct {
+ const struct tomoyo_path_info *type;
+ const struct tomoyo_path_info *dir;
+ const struct tomoyo_path_info *dev;
+ unsigned long flags;
+ int need_dev;
+ } mount;
+ } param;
+ u8 param_type;
+ bool granted;
 u8 retry;
 u8 profile;
 u8 mode; /* One of tomoyo_mode_index . */
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 50875d7..32661df 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -973,6 +973,9 @@ int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
 r->mode = tomoyo_get_mode(r->profile, r->type);
 if (r->mode == TOMOYO_CONFIG_DISABLED)
 return 0;
+ r->param_type = TOMOYO_TYPE_PATH_ACL;
+ r->param.path.filename = filename;
+ r->param.path.operation = operation;
 do {
 error = tomoyo_path_acl(r, filename, 1 << operation);
 if (error && operation == TOMOYO_TYPE_READ &&
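Review bot: The new `param` union and `param_type` in struct tomoyo_request_info carry no documentation of the invariant between them, and `bool granted` is added with no comment on who sets it or when it is read — nothing in these hunks writes it, and the rest of the struct continues outside the hunk. Every pointer stored in `param` (filename, filename1/filename2, dev, dir, type) refers to storage owned by the caller of the permission check — the file.c and mount.c hunks store addresses of stack-local path_info objects — so the struct should state that the request_info must not outlive that call. I would replace `/* For holding parameters. */` with a comment saying that `param_type` selects the valid union member (the TOMOYO_TYPE_*_ACL value the caller stores) and that the pointers inside are borrowed for the duration of the check and are never freed or retained through it, and add `/* Set when an ACL entry matched this request. */` above `bool granted;` only if that is its intent, since this diff does not establish it.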
@@ -1143,6 +1146,10 @@ static int tomoyo_path_number_perm2(struct tomoyo_request_info *r,
 break;
 }
 tomoyo_print_ulong(buffer, sizeof(buffer), number, radix);
+ r->param_type = TOMOYO_TYPE_PATH_NUMBER_ACL;
+ r->param.path_number.operation = type;
+ r->param.path_number.filename = filename;
+ r->param.path_number.number = number;
 do {
 error = tomoyo_path_number_acl(r, type, filename, number);
 if (!error)
@@ -1369,8 +1376,15 @@ int tomoyo_path_number3_perm(const u8 operation, struct path *path,
 idx = tomoyo_read_lock();
 error = -ENOMEM;
 if (tomoyo_get_realpath(&buf, path)) {
+ dev = new_decode_dev(dev);
+ r.param_type = TOMOYO_TYPE_PATH_NUMBER3_ACL;
+ r.param.mkdev.filename = &buf;
+ r.param.mkdev.operation = operation;
+ r.param.mkdev.mode = mode;
+ r.param.mkdev.major = MAJOR(dev);
+ r.param.mkdev.minor = MINOR(dev);
 error = tomoyo_path_number3_perm2(&r, operation, &buf, mode,
- new_decode_dev(dev));
+ dev);
 kfree(buf.name);
 }
 tomoyo_read_unlock(idx);
@@ -1421,6 +1435,10 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1,
 tomoyo_add_slash(&buf2);
 break;
 }
+ r.param_type = TOMOYO_TYPE_PATH2_ACL;
+ r.param.path2.operation = operation;
+ r.param.path2.filename1 = &buf1;
+ r.param.path2.filename2 = &buf2;
 do {
 error = tomoyo_path2_acl(&r, operation, &buf1, &buf2);
 if (!error)
diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c
index c170b41..554de17 100644
--- a/security/tomoyo/mount.c
+++ b/security/tomoyo/mount.c
@@ -112,6 +112,12 @@ static int tomoyo_mount_acl2(struct tomoyo_request_info *r, char *dev_name,
 }
 rdev.name = requested_dev_name;
 tomoyo_fill_path_info(&rdev);
+ r->param_type = TOMOYO_TYPE_MOUNT_ACL;
+ r->param.mount.need_dev = need_dev;
+ r->param.mount.dev = &rdev;
+ r->param.mount.dir = &rdir;
+ r->param.mount.type = &rtype;
+ r->param.mount.flags = flags;
 list_for_each_entry_rcu(ptr, &r->domain->acl_info_list, list) {
 struct tomoyo_mount_acl *acl;
 if (ptr->is_deleted || ptr->type != TOMOYO_TYPE_MOUNT_ACL)
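Review bot: `dev = new_decode_dev(dev);` in the tomoyo_path_number3_perm hunk overwrites the function's parameter in place, so any use of `dev` after this hunk — the function body continues outside it — now sees the decoded value where before only the call argument was decoded; a later audit or error path reading `dev` would silently change meaning. Keeping the parameter intact with a local avoids that: `const dev_t decoded = new_decode_dev(dev);` then `r.param.mkdev.major = MAJOR(decoded);` / `r.param.mkdev.minor = MINOR(decoded);` and `decoded` in the tomoyo_path_number3_perm2 call. The other hunks on this line (tomoyo_path_number_perm2, tomoyo_path2_perm, tomoyo_mount_acl2) store addresses of stack-local path_info objects (`&buf`, `&buf1`, `&buf2`, `&rdev`, `&rdir`, `&rtype`) in `r->param`, which is sound only while those frames are live; a one-line comment at each assignment block, `/* param pointers borrow locals above; valid only until this function returns */`, would make the lifetime contract explicit for the callees that will read from param.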