
Contents of /trunk/1.6.x/ccs-patch/fs/tomoyo_exec.c



Revision 111 - (show annotations) (download) (as text)
Wed Feb 28 11:45:08 2007 UTC (17 years, 3 months ago) by kumaneko
Original Path: trunk/ccs-patch/fs/tomoyo_exec.c
File MIME type: text/x-csrc
File size: 5008 byte(s)


1 /*
2 * fs/tomoyo_exec.c
3 *
4 * Implementation of the Domain-Based Mandatory Access Control.
5 *
6 * Copyright (C) 2005-2007 NTT DATA CORPORATION
7 *
8 * Version: 1.3.2 2007/02/14
9 *
10 * This file is applicable to both 2.4.30 and 2.6.11 and later.
11 * See README.ccs for ChangeLog.
12 *
13 */
14 /***** TOMOYO Linux start. *****/
15
16 #include <linux/ccs_common.h>
17 #include <linux/tomoyo.h>
18 #include <linux/realpath.h>
19
20 /************************* VARIABLES *************************/
21
/* Defined elsewhere. AddArgv0Entry() holds it (down()/up()) while it searches and modifies a domain's ACL list. */
extern struct semaphore domain_acl_lock;
23
24 /************************* AUDIT FUNCTIONS *************************/
25
#ifdef CONFIG_TOMOYO_AUDIT
/*
 * Append one audit record for an argv[0] check.
 *
 * The record body is KEYWORD_ALLOW_ARGV0 followed by the program path and
 * the argv[0] string, terminated by a newline.
 *
 * @filename:   path of the program being executed.
 * @argv0:      argv[0] string supplied with the exec request.
 * @is_granted: nonzero if the request was allowed.
 *
 * Returns -ENOMEM if CanSaveAuditLog() reports failure or InitAuditLog()
 * returns NULL, otherwise whatever WriteAuditLog() returns.
 *
 * NOTE(review): the "+ 8" size estimate does not visibly account for the
 * length of KEYWORD_ALLOW_ARGV0. The write is bounded by snprintf(), so the
 * worst case is a truncated record, provided InitAuditLog() really returns
 * at least len bytes - confirm that it enlarges len for the header.
 * NOTE(review): argv0 is copied with "%s" into a newline-terminated record.
 * Confirm callers pass an already-escaped string, so a crafted argv[0]
 * cannot break the one-record-per-line format of the audit log.
 */
static int AuditArgv0Log(const struct path_info *filename, const char *argv0, const int is_granted)
{
	char *buf;
	int len;
	size_t used;

	if (CanSaveAuditLog(is_granted) < 0)
		return -ENOMEM;

	len = filename->total_len + strlen(argv0) + 8;
	buf = InitAuditLog(&len);
	if (buf == NULL)
		return -ENOMEM;

	/* InitAuditLog() has already written a header; append after it. */
	used = strlen(buf);
	snprintf(buf + used, len - used - 1, KEYWORD_ALLOW_ARGV0 "%s %s\n", filename->name, argv0);
	return WriteAuditLog(buf, is_granted);
}

#else
/*
 * Audit logging compiled out: no-op stub. It returns void whereas the audit
 * build returns int; the caller in this file ignores the result either way.
 */
static inline void AuditArgv0Log(const struct path_info *filename, const char *argv0, const int is_granted)
{
}
#endif
41
42 /************************* ARGV0 MISMATCH HANDLER *************************/
43
/*
 * Add an argv[0] ACL entry to a domain, or mark an existing one as deleted.
 *
 * @filename:  program path; must pass IsCorrectPath().
 * @argv0:     permitted argv[0] value; must pass IsCorrectPath() and must
 *             not contain '/'.
 * @domain:    domain whose ACL list is updated.
 * @is_delete: zero to add (or revive) an entry, nonzero to delete one.
 * @condition: condition attached to the entry, or NULL.
 *
 * Returns -EINVAL on malformed input, -ENOMEM if a name cannot be saved or
 * the new element cannot be allocated, -ENOENT if a delete finds no live
 * match, 0 if an identical entry already exists, and otherwise the result
 * of AddDomainACL() / DelDomainACL().
 *
 * Entries are matched by pointer equality on the SaveName() results -
 * presumably SaveName() returns one shared object per distinct string;
 * confirm against its definition.
 */
static int AddArgv0Entry(const char *filename, const char *argv0, struct domain_info *domain, const int is_delete, const struct condition_list *condition)
{
	struct acl_info *ptr;
	struct acl_info *tail = NULL;
	const struct path_info *saved_filename, *saved_argv0;
	int error;

	/* Reject malformed policy input before anything is stored. */
	if (!IsCorrectPath(filename, 1, 0, -1, __FUNCTION__))
		return -EINVAL;
	if (!IsCorrectPath(argv0, -1, 0, -1, __FUNCTION__))
		return -EINVAL;
	if (strchr(argv0, '/'))
		return -EINVAL;

	saved_filename = SaveName(filename);
	if (saved_filename == NULL)
		return -ENOMEM;
	saved_argv0 = SaveName(argv0);
	if (saved_argv0 == NULL)
		return -ENOMEM;

	/* Search and update of the ACL list happen under the semaphore. */
	down(&domain_acl_lock);
	if (is_delete) {
		error = -ENOENT;
		for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) {
			ARGV0_ACL_RECORD *entry;

			/* Only live argv0 entries with the same condition qualify. */
			if (ptr->type != TYPE_ARGV0_ACL || ptr->is_deleted || ptr->cond != condition)
				continue;
			entry = (ARGV0_ACL_RECORD *) ptr;
			if (entry->filename == saved_filename && entry->argv0 == saved_argv0) {
				error = DelDomainACL(ptr);
				break;
			}
		}
	} else {
		ARGV0_ACL_RECORD *new_ptr;
		int found = 0;

		error = -ENOMEM;
		for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) {
			/* Remember the last node visited; a new entry is linked after it. */
			tail = ptr;
			if (ptr->type == TYPE_ARGV0_ACL && ptr->cond == condition &&
			    ((ARGV0_ACL_RECORD *) ptr)->filename == saved_filename &&
			    ((ARGV0_ACL_RECORD *) ptr)->argv0 == saved_argv0) {
				/* Already present: revive it if it had been marked deleted. */
				ptr->is_deleted = 0;
				error = 0;
				found = 1;
				break;
			}
		}
		if (!found) {
			/* Not found. Append it to the tail (tail is NULL for an empty list). */
			new_ptr = (ARGV0_ACL_RECORD *) alloc_element(sizeof(ARGV0_ACL_RECORD));
			if (new_ptr != NULL) {
				new_ptr->head.type = TYPE_ARGV0_ACL;
				new_ptr->head.cond = condition;
				new_ptr->filename = saved_filename;
				new_ptr->argv0 = saved_argv0;
				error = AddDomainACL(tail, domain, (struct acl_info *) new_ptr);
			}
		}
	}
	up(&domain_acl_lock);
	return error;
}
90
/*
 * Look for an argv[0] ACL entry in the current task's domain that permits
 * running @filename with @argv0_ as argv[0].
 *
 * Returns 0 if argv0 checking is switched off (CheckCCSFlags() is zero) or
 * if a live entry matches both the program path and argv[0] and its
 * condition holds; returns -EPERM otherwise.
 *
 * NOTE(review): the list is walked without taking domain_acl_lock. That is
 * presumably safe because entries are only appended or flagged is_deleted
 * and never unlinked - confirm against AddDomainACL() / DelDomainACL().
 */
static int CheckArgv0ACL(const struct path_info *filename, const char *argv0_)
{
	const struct domain_info *domain = current->domain_info;
	struct acl_info *ptr;
	struct path_info argv0;

	if (!CheckCCSFlags(CCS_TOMOYO_MAC_FOR_ARGV0))
		return 0;

	/* Wrap the raw string in a path_info so it can be pattern-matched. */
	argv0.name = argv0_;
	fill_path_info(&argv0);

	for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) {
		ARGV0_ACL_RECORD *acl;

		if (ptr->type != TYPE_ARGV0_ACL)
			continue;
		if (ptr->is_deleted != 0)
			continue;
		if (CheckCondition(ptr->cond, NULL) != 0)
			continue;
		acl = (ARGV0_ACL_RECORD *) ptr;
		if (PathMatchesToPattern(filename, acl->filename) &&
		    PathMatchesToPattern(&argv0, acl->argv0))
			return 0;
	}
	/* Default deny: no entry allows this program/argv[0] pair. */
	return -EPERM;
}
110
/*
 * Decide whether the current task may execute @filename with @argv0 as
 * argv[0], and write the audit record for that decision.
 *
 * Returns 0 when the request is allowed. A request the ACL denies is
 * handled according to the mode:
 *   - enforcing: the result of CheckSupervisor() is returned;
 *   - otherwise: 0 is returned, and if CheckCCSAccept() is set the
 *     program/argv[0] pair is appended to the domain's ACL first.
 *
 * Security notes:
 *   - The check fails open: it returns 0 when argv0 checking is switched
 *     off and also when @filename or @argv0 is NULL. Callers must not pass
 *     NULL for a request that is supposed to be checked.
 *   - The result of AddArgv0Entry() is ignored, so a failed allocation
 *     while learning silently loses that entry.
 *   - NOTE(review): filename->name and argv0 are printed with "%s" to the
 *     kernel log; confirm they are escaped upstream so control characters
 *     in argv[0] cannot forge log lines.
 */
int CheckArgv0Perm(const struct path_info *filename, const char *argv0)
{
	struct domain_info *domain;
	int is_enforce;
	int error;

	if (!CheckCCSFlags(CCS_TOMOYO_MAC_FOR_ARGV0))
		return 0;
	if (!filename || !argv0)
		return 0;

	error = CheckArgv0ACL(filename, argv0);
	AuditArgv0Log(filename, argv0, !error);
	if (!error)
		return 0;

	/* Denied by the ACL: report it, then act according to the mode. */
	domain = current->domain_info;
	is_enforce = CheckCCSEnforce(CCS_TOMOYO_MAC_FOR_ARGV0);
	if (TomoyoVerboseMode()) {
		printk("TOMOYO-%s: Run %s as %s denied for %s\n", GetMSG(is_enforce), filename->name, argv0, GetLastName(domain));
	}
	if (is_enforce)
		return CheckSupervisor("%s\n" KEYWORD_ALLOW_ARGV0 "%s %s\n", domain->domainname->name, filename->name, argv0);

	/* Not enforcing: optionally learn the pair, never reject. */
	if (CheckCCSAccept(CCS_TOMOYO_MAC_FOR_ARGV0))
		AddArgv0Entry(filename->name, argv0, domain, 0, NULL);
	return 0;
}
130
/*
 * Parse one argv0 policy line and add or delete the matching ACL entry.
 *
 * @data:      writable buffer holding the program path, a space, then the
 *             argv[0] value, optionally followed by a condition part. The
 *             first space is overwritten with NUL, so the buffer is
 *             modified in place.
 * @domain:    domain the entry belongs to.
 * @is_delete: nonzero to delete the entry instead of adding it.
 *
 * Returns -EINVAL if @data contains no space or if the condition part is
 * rejected by FindOrAssignNewCondition(); otherwise the result of
 * AddArgv0Entry(), which validates both strings.
 */
int AddArgv0Policy(char *data, struct domain_info *domain, const int is_delete)
{
	const struct condition_list *condition = NULL;
	char *cond_part;
	char *argv0;

	argv0 = strchr(data, ' ');
	if (!argv0)
		return -EINVAL;
	/* Terminate the path and step past the separator. */
	*argv0 = '\0';
	argv0++;

	/* presumably detaches a trailing condition from argv0 - confirm against FindConditionPart() */
	cond_part = FindConditionPart(argv0);
	if (cond_part) {
		condition = FindOrAssignNewCondition(cond_part);
		if (condition == NULL)
			return -EINVAL;
	}
	return AddArgv0Entry(data, argv0, domain, is_delete, condition);
}
142
/* CheckArgv0Perm() is the only symbol this file exports; AddArgv0Policy() is non-static but not exported here. */
EXPORT_SYMBOL(CheckArgv0Perm);
144
145 /***** TOMOYO Linux end. *****/
