3 |
* |
* |
4 |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
* Copyright (C) 2005-2009 NTT DATA CORPORATION |
5 |
* |
* |
6 |
* Version: 1.7.0-pre 2009/08/08 |
* Version: 1.7.0-pre 2009/08/24 |
7 |
* |
* |
8 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
9 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
24 |
"disabled", "learning", "permissive", "enforcing" |
"disabled", "learning", "permissive", "enforcing" |
25 |
}; |
}; |
26 |
|
|
|
static bool ccs_mac_keywords_used[CCS_MAX_MAC_INDEX + |
|
|
CCS_MAX_CAPABILITY_INDEX]; |
|
|
|
|
27 |
static const char *ccs_mac_keywords[CCS_MAX_MAC_INDEX + |
static const char *ccs_mac_keywords[CCS_MAX_MAC_INDEX + |
28 |
CCS_MAX_CAPABILITY_INDEX] = { |
CCS_MAX_CAPABILITY_INDEX + |
29 |
[CCS_MAC_EXECUTE] = "execute", |
CCS_MAX_MAC_CATEGORY_INDEX] = { |
30 |
[CCS_MAC_OPEN] = "open", |
[CCS_MAC_FILE_EXECUTE] |
31 |
[CCS_MAC_CREATE] = "create", |
= "file::execute", |
32 |
[CCS_MAC_UNLINK] = "unlink", |
[CCS_MAC_FILE_OPEN] |
33 |
[CCS_MAC_MKDIR] = "mkdir", |
= "file::open", |
34 |
[CCS_MAC_RMDIR] = "rmdir", |
[CCS_MAC_FILE_CREATE] |
35 |
[CCS_MAC_MKFIFO] = "mkfifo", |
= "file::create", |
36 |
[CCS_MAC_MKSOCK] = "mksock", |
[CCS_MAC_FILE_UNLINK] |
37 |
[CCS_MAC_TRUNCATE] = "truncate", |
= "file::unlink", |
38 |
[CCS_MAC_SYMLINK] = "symlink", |
[CCS_MAC_FILE_MKDIR] |
39 |
[CCS_MAC_REWRITE] = "rewrite", |
= "file::mkdir", |
40 |
[CCS_MAC_MKBLOCK] = "mkblock", |
[CCS_MAC_FILE_RMDIR] |
41 |
[CCS_MAC_MKCHAR] = "mkchar", |
= "file::rmdir", |
42 |
[CCS_MAC_LINK] = "link", |
[CCS_MAC_FILE_MKFIFO] |
43 |
[CCS_MAC_RENAME] = "rename", |
= "file::mkfifo", |
44 |
[CCS_MAC_CHMOD] = "chmod", |
[CCS_MAC_FILE_MKSOCK] |
45 |
[CCS_MAC_CHOWN] = "chown", |
= "file::mksock", |
46 |
[CCS_MAC_CHGRP] = "chgrp", |
[CCS_MAC_FILE_TRUNCATE] |
47 |
[CCS_MAC_IOCTL] = "ioctl", |
= "file::truncate", |
48 |
[CCS_MAC_CHROOT] = "chroot", |
[CCS_MAC_FILE_SYMLINK] |
49 |
[CCS_MAC_MOUNT] = "mount", |
= "file::symlink", |
50 |
[CCS_MAC_UMOUNT] = "umount", |
[CCS_MAC_FILE_REWRITE] |
51 |
[CCS_MAC_PIVOT_ROOT] = "pivot_root", |
= "file::rewrite", |
52 |
[CCS_MAC_ENVIRON] = "env", |
[CCS_MAC_FILE_MKBLOCK] |
53 |
[CCS_MAC_NETWORK] = "network", |
= "file::mkblock", |
54 |
[CCS_MAC_SIGNAL] = "signal", |
[CCS_MAC_FILE_MKCHAR] |
55 |
|
= "file::mkchar", |
56 |
|
[CCS_MAC_FILE_LINK] |
57 |
|
= "file::link", |
58 |
|
[CCS_MAC_FILE_RENAME] |
59 |
|
= "file::rename", |
60 |
|
[CCS_MAC_FILE_CHMOD] |
61 |
|
= "file::chmod", |
62 |
|
[CCS_MAC_FILE_CHOWN] |
63 |
|
= "file::chown", |
64 |
|
[CCS_MAC_FILE_CHGRP] |
65 |
|
= "file::chgrp", |
66 |
|
[CCS_MAC_FILE_IOCTL] |
67 |
|
= "file::ioctl", |
68 |
|
[CCS_MAC_FILE_CHROOT] |
69 |
|
= "file::chroot", |
70 |
|
[CCS_MAC_FILE_MOUNT] |
71 |
|
= "file::mount", |
72 |
|
[CCS_MAC_FILE_UMOUNT] |
73 |
|
= "file::umount", |
74 |
|
[CCS_MAC_FILE_PIVOT_ROOT] |
75 |
|
= "file::pivot_root", |
76 |
|
[CCS_MAC_ENVIRON] |
77 |
|
= "misc::env", |
78 |
|
[CCS_MAC_NETWORK_UDP_BIND] |
79 |
|
= "network::inet_udp_bind", |
80 |
|
[CCS_MAC_NETWORK_UDP_CONNECT] |
81 |
|
= "network::inet_udp_connect", |
82 |
|
[CCS_MAC_NETWORK_TCP_BIND] |
83 |
|
= "network::inet_tcp_bind", |
84 |
|
[CCS_MAC_NETWORK_TCP_LISTEN] |
85 |
|
= "network::inet_tcp_listen", |
86 |
|
[CCS_MAC_NETWORK_TCP_CONNECT] |
87 |
|
= "network::inet_tcp_connect", |
88 |
|
[CCS_MAC_NETWORK_TCP_ACCEPT] |
89 |
|
= "network::inet_tcp_accept", |
90 |
|
[CCS_MAC_NETWORK_RAW_BIND] |
91 |
|
= "network::inet_raw_bind", |
92 |
|
[CCS_MAC_NETWORK_RAW_CONNECT] |
93 |
|
= "network::inet_raw_connect", |
94 |
|
[CCS_MAC_SIGNAL] |
95 |
|
= "ipc::signal", |
96 |
[CCS_MAX_MAC_INDEX + CCS_INET_STREAM_SOCKET_CREATE] |
[CCS_MAX_MAC_INDEX + CCS_INET_STREAM_SOCKET_CREATE] |
97 |
= "inet_tcp_create", |
= "capability::inet_tcp_create", |
98 |
[CCS_MAX_MAC_INDEX + CCS_INET_STREAM_SOCKET_LISTEN] |
[CCS_MAX_MAC_INDEX + CCS_INET_STREAM_SOCKET_LISTEN] |
99 |
= "inet_tcp_listen", |
= "capability::inet_tcp_listen", |
100 |
[CCS_MAX_MAC_INDEX + CCS_INET_STREAM_SOCKET_CONNECT] |
[CCS_MAX_MAC_INDEX + CCS_INET_STREAM_SOCKET_CONNECT] |
101 |
= "inet_tcp_connect", |
= "capability::inet_tcp_connect", |
102 |
[CCS_MAX_MAC_INDEX + CCS_USE_INET_DGRAM_SOCKET] = "use_inet_udp", |
[CCS_MAX_MAC_INDEX + CCS_USE_INET_DGRAM_SOCKET] |
103 |
[CCS_MAX_MAC_INDEX + CCS_USE_INET_RAW_SOCKET] = "use_inet_ip", |
= "capability::use_inet_udp", |
104 |
[CCS_MAX_MAC_INDEX + CCS_USE_ROUTE_SOCKET] = "use_route", |
[CCS_MAX_MAC_INDEX + CCS_USE_INET_RAW_SOCKET] |
105 |
[CCS_MAX_MAC_INDEX + CCS_USE_PACKET_SOCKET] = "use_packet", |
= "capability::use_inet_ip", |
106 |
[CCS_MAX_MAC_INDEX + CCS_SYS_MOUNT] = "SYS_MOUNT", |
[CCS_MAX_MAC_INDEX + CCS_USE_ROUTE_SOCKET] |
107 |
[CCS_MAX_MAC_INDEX + CCS_SYS_UMOUNT] = "SYS_UMOUNT", |
= "capability::use_route", |
108 |
[CCS_MAX_MAC_INDEX + CCS_SYS_REBOOT] = "SYS_REBOOT", |
[CCS_MAX_MAC_INDEX + CCS_USE_PACKET_SOCKET] |
109 |
[CCS_MAX_MAC_INDEX + CCS_SYS_CHROOT] = "SYS_CHROOT", |
= "capability::use_packet", |
110 |
[CCS_MAX_MAC_INDEX + CCS_SYS_KILL] = "SYS_KILL", |
[CCS_MAX_MAC_INDEX + CCS_SYS_MOUNT] |
111 |
[CCS_MAX_MAC_INDEX + CCS_SYS_VHANGUP] = "SYS_VHANGUP", |
= "capability::SYS_MOUNT", |
112 |
[CCS_MAX_MAC_INDEX + CCS_SYS_SETTIME] = "SYS_TIME", |
[CCS_MAX_MAC_INDEX + CCS_SYS_UMOUNT] |
113 |
[CCS_MAX_MAC_INDEX + CCS_SYS_NICE] = "SYS_NICE", |
= "capability::SYS_UMOUNT", |
114 |
[CCS_MAX_MAC_INDEX + CCS_SYS_SETHOSTNAME] = "SYS_SETHOSTNAME", |
[CCS_MAX_MAC_INDEX + CCS_SYS_REBOOT] |
115 |
[CCS_MAX_MAC_INDEX + CCS_USE_KERNEL_MODULE] = "use_kernel_module", |
= "capability::SYS_REBOOT", |
116 |
[CCS_MAX_MAC_INDEX + CCS_CREATE_FIFO] = "create_fifo", |
[CCS_MAX_MAC_INDEX + CCS_SYS_CHROOT] |
117 |
[CCS_MAX_MAC_INDEX + CCS_CREATE_BLOCK_DEV] = "create_block_dev", |
= "capability::SYS_CHROOT", |
118 |
[CCS_MAX_MAC_INDEX + CCS_CREATE_CHAR_DEV] = "create_char_dev", |
[CCS_MAX_MAC_INDEX + CCS_SYS_KILL] |
119 |
[CCS_MAX_MAC_INDEX + CCS_CREATE_UNIX_SOCKET] = "create_unix_socket", |
= "capability::SYS_KILL", |
120 |
[CCS_MAX_MAC_INDEX + CCS_SYS_LINK] = "SYS_LINK", |
[CCS_MAX_MAC_INDEX + CCS_SYS_VHANGUP] |
121 |
[CCS_MAX_MAC_INDEX + CCS_SYS_SYMLINK] = "SYS_SYMLINK", |
= "capability::SYS_VHANGUP", |
122 |
[CCS_MAX_MAC_INDEX + CCS_SYS_RENAME] = "SYS_RENAME", |
[CCS_MAX_MAC_INDEX + CCS_SYS_SETTIME] |
123 |
[CCS_MAX_MAC_INDEX + CCS_SYS_UNLINK] = "SYS_UNLINK", |
= "capability::SYS_TIME", |
124 |
[CCS_MAX_MAC_INDEX + CCS_SYS_CHMOD] = "SYS_CHMOD", |
[CCS_MAX_MAC_INDEX + CCS_SYS_NICE] |
125 |
[CCS_MAX_MAC_INDEX + CCS_SYS_CHOWN] = "SYS_CHOWN", |
= "capability::SYS_NICE", |
126 |
[CCS_MAX_MAC_INDEX + CCS_SYS_IOCTL] = "SYS_IOCTL", |
[CCS_MAX_MAC_INDEX + CCS_SYS_SETHOSTNAME] |
127 |
[CCS_MAX_MAC_INDEX + CCS_SYS_KEXEC_LOAD] = "SYS_KEXEC_LOAD", |
= "capability::SYS_SETHOSTNAME", |
128 |
[CCS_MAX_MAC_INDEX + CCS_SYS_PIVOT_ROOT] = "SYS_PIVOT_ROOT", |
[CCS_MAX_MAC_INDEX + CCS_USE_KERNEL_MODULE] |
129 |
[CCS_MAX_MAC_INDEX + CCS_SYS_PTRACE] = "SYS_PTRACE", |
= "capability::use_kernel_module", |
130 |
[CCS_MAX_MAC_INDEX + CCS_CONCEAL_MOUNT] = "conceal_mount" |
[CCS_MAX_MAC_INDEX + CCS_CREATE_FIFO] |
131 |
|
= "capability::create_fifo", |
132 |
|
[CCS_MAX_MAC_INDEX + CCS_CREATE_BLOCK_DEV] |
133 |
|
= "capability::create_block_dev", |
134 |
|
[CCS_MAX_MAC_INDEX + CCS_CREATE_CHAR_DEV] |
135 |
|
= "capability::create_char_dev", |
136 |
|
[CCS_MAX_MAC_INDEX + CCS_CREATE_UNIX_SOCKET] |
137 |
|
= "capability::create_unix_socket", |
138 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_LINK] |
139 |
|
= "capability::SYS_LINK", |
140 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_SYMLINK] |
141 |
|
= "capability::SYS_SYMLINK", |
142 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_RENAME] |
143 |
|
= "capability::SYS_RENAME", |
144 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_UNLINK] |
145 |
|
= "capability::SYS_UNLINK", |
146 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_CHMOD] |
147 |
|
= "capability::SYS_CHMOD", |
148 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_CHOWN] |
149 |
|
= "capability::SYS_CHOWN", |
150 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_IOCTL] |
151 |
|
= "capability::SYS_IOCTL", |
152 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_KEXEC_LOAD] |
153 |
|
= "capability::SYS_KEXEC_LOAD", |
154 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_PIVOT_ROOT] |
155 |
|
= "capability::SYS_PIVOT_ROOT", |
156 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_PTRACE] |
157 |
|
= "capability::SYS_PTRACE", |
158 |
|
[CCS_MAX_MAC_INDEX + CCS_CONCEAL_MOUNT] |
159 |
|
= "capability::conceal_mount", |
160 |
|
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
161 |
|
+ CCS_MAC_CATEGORY_FILE] = "file", |
162 |
|
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
163 |
|
+ CCS_MAC_CATEGORY_NETWORK] = "network", |
164 |
|
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
165 |
|
+ CCS_MAC_CATEGORY_MISC] = "misc", |
166 |
|
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
167 |
|
+ CCS_MAC_CATEGORY_IPC] = "ipc", |
168 |
|
[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
169 |
|
+ CCS_MAC_CATEGORY_CAPABILITY] = "capability", |
170 |
}; |
}; |
171 |
|
|
172 |
/* Table for profile. */ |
/* Table for profile. */ |
202 |
const char *ccs_cap2keyword(const u8 operation) |
const char *ccs_cap2keyword(const u8 operation) |
203 |
{ |
{ |
204 |
return operation < CCS_MAX_CAPABILITY_INDEX |
return operation < CCS_MAX_CAPABILITY_INDEX |
205 |
? ccs_mac_keywords[CCS_MAX_MAC_INDEX + operation] : NULL; |
? ccs_mac_keywords[CCS_MAX_MAC_INDEX + operation] + 12 : NULL; |
206 |
} |
} |
207 |
|
|
208 |
/** |
/** |
272 |
ptr = entry; |
ptr = entry; |
273 |
for (i = 0; i < CCS_MAX_CONTROL_INDEX; i++) |
for (i = 0; i < CCS_MAX_CONTROL_INDEX; i++) |
274 |
ptr->value[i] = ccs_control_array[i].current_value; |
ptr->value[i] = ccs_control_array[i].current_value; |
275 |
|
ptr->default_config = CCS_MAC_MODE_DISABLED; |
276 |
|
memset(ptr->config, CCS_MAC_MODE_USE_DEFAULT, |
277 |
|
sizeof(ptr->config)); |
278 |
mb(); /* Avoid out-of-order execution. */ |
mb(); /* Avoid out-of-order execution. */ |
279 |
ccs_profile_ptr[profile] = ptr; |
ccs_profile_ptr[profile] = ptr; |
280 |
entry = NULL; |
entry = NULL; |
296 |
char *data = head->write_buf; |
char *data = head->write_buf; |
297 |
unsigned int i; |
unsigned int i; |
298 |
unsigned int value; |
unsigned int value; |
|
int index = -1; |
|
299 |
int mode; |
int mode; |
300 |
|
u8 config; |
301 |
char *cp; |
char *cp; |
302 |
struct ccs_profile *ccs_profile; |
struct ccs_profile *ccs_profile; |
303 |
i = simple_strtoul(data, &cp, 10); |
i = simple_strtoul(data, &cp, 10); |
324 |
ccs_put_name(old_comment); |
ccs_put_name(old_comment); |
325 |
return 0; |
return 0; |
326 |
} |
} |
|
if (!ccs_str_starts(&data, "MAC::")) |
|
|
goto not_mac; |
|
|
if (ccs_str_starts(&data, CCS_KEYWORD_CAPABILITY)) |
|
|
for (i = 0; i < CCS_MAX_CAPABILITY_INDEX; i++) { |
|
|
if (strcmp(data, |
|
|
ccs_mac_keywords[CCS_MAX_MAC_INDEX + i])) |
|
|
continue; |
|
|
index = CCS_MAX_MAC_INDEX + i; |
|
|
break; |
|
|
} |
|
|
else |
|
|
for (i = 0; i < CCS_MAX_MAC_INDEX; i++) { |
|
|
if (strcmp(data, ccs_mac_keywords[i])) |
|
|
continue; |
|
|
index = i; |
|
|
break; |
|
|
} |
|
|
if (index < 0) |
|
|
return -EINVAL; |
|
|
ccs_mac_keywords_used[index] = 1; |
|
|
ccs_profile->no_grant_log[index] = !!strstr(cp, "no_grant_log"); |
|
|
ccs_profile->no_reject_log[index] = !!strstr(cp, "no_reject_log"); |
|
|
for (mode = 0; mode < 4; mode++) |
|
|
if (strstr(cp, ccs_mode_4[mode])) |
|
|
ccs_profile->mac_mode[index] = mode; |
|
|
return 0; |
|
|
not_mac: |
|
327 |
for (i = 0; i < CCS_MAX_CONTROL_INDEX; i++) { |
for (i = 0; i < CCS_MAX_CONTROL_INDEX; i++) { |
328 |
if (strcmp(data, ccs_control_array[i].keyword)) |
if (strcmp(data, ccs_control_array[i].keyword)) |
329 |
continue; |
continue; |
343 |
ccs_profile->value[i] = value; |
ccs_profile->value[i] = value; |
344 |
return 0; |
return 0; |
345 |
} |
} |
346 |
return -EINVAL; |
config = 0; |
347 |
|
if (strstr(cp, "no_grant_log")) |
348 |
|
config |= CCS_MAC_MODE_NO_GRANT_LOG; |
349 |
|
if (strstr(cp, "no_reject_log")) |
350 |
|
config |= CCS_MAC_MODE_NO_REJECT_LOG; |
351 |
|
for (mode = 3; mode >= 0; mode--) |
352 |
|
if (strstr(cp, ccs_mode_4[mode])) |
353 |
|
break; |
354 |
|
if (mode < 0) |
355 |
|
sscanf(cp, "%u", &mode); |
356 |
|
if (mode < 0 || mode > 3) |
357 |
|
return -EINVAL; |
358 |
|
config |= mode; |
359 |
|
if (!strcmp(data, "MAC")) |
360 |
|
ccs_profile->default_config = config; |
361 |
|
else if (ccs_str_starts(&data, "MAC::")) |
362 |
|
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
363 |
|
+ CCS_MAX_MAC_CATEGORY_INDEX; i++) { |
364 |
|
if (strcmp(data, ccs_mac_keywords[i])) |
365 |
|
continue; |
366 |
|
ccs_profile->config[i] = config; |
367 |
|
break; |
368 |
|
} |
369 |
|
return 0; |
370 |
} |
} |
371 |
|
|
372 |
static bool ccs_print_mac_mode(struct ccs_io_buffer *head, u8 index) |
static bool ccs_print_mac_mode(struct ccs_io_buffer *head, u8 index) |
374 |
const int pos = head->read_avail; |
const int pos = head->read_avail; |
375 |
int i; |
int i; |
376 |
const struct ccs_profile *ccs_profile = ccs_profile_ptr[index]; |
const struct ccs_profile *ccs_profile = ccs_profile_ptr[index]; |
377 |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX; i++) { |
u8 config = ccs_profile->default_config; |
378 |
if (!ccs_mac_keywords_used[i]) |
if (!ccs_io_printf(head, "%u-MAC=%s %s %s\n", index, |
379 |
|
ccs_mode_4[config & 3], |
380 |
|
config & CCS_MAC_MODE_NO_GRANT_LOG ? |
381 |
|
"no_grant_log" : "", |
382 |
|
config & CCS_MAC_MODE_NO_REJECT_LOG ? |
383 |
|
"no_reject_log" : "")) |
384 |
|
goto out; |
385 |
|
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
386 |
|
+ CCS_MAX_MAC_CATEGORY_INDEX; i++) { |
387 |
|
config = ccs_profile->config[i]; |
388 |
|
if (config == CCS_MAC_MODE_USE_DEFAULT) |
389 |
continue; |
continue; |
390 |
if (!ccs_io_printf(head, "%u-MAC::%s%s=%s %s %s\n", index, |
if (!ccs_io_printf(head, "%u-MAC::%s=%s %s %s\n", index, |
|
i >= CCS_MAX_MAC_INDEX ? |
|
|
CCS_KEYWORD_CAPABILITY : "", |
|
391 |
ccs_mac_keywords[i], |
ccs_mac_keywords[i], |
392 |
ccs_mode_4[ccs_profile->mac_mode[i]], |
ccs_mode_4[config & 3], |
393 |
ccs_profile->no_grant_log[i] ? |
config & CCS_MAC_MODE_NO_GRANT_LOG ? |
394 |
"no_grant_log" : "", |
"no_grant_log" : "", |
395 |
ccs_profile->no_reject_log[i] ? |
config & CCS_MAC_MODE_NO_REJECT_LOG ? |
396 |
"no_reject_log" : "")) |
"no_reject_log" : "")) |
397 |
goto out; |
goto out; |
398 |
} |
} |
406 |
* ccs_read_profile - Read profile table. |
* ccs_read_profile - Read profile table. |
407 |
* |
* |
408 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
|
* |
|
|
* Returns 0. |
|
409 |
*/ |
*/ |
410 |
static int ccs_read_profile(struct ccs_io_buffer *head) |
static void ccs_read_profile(struct ccs_io_buffer *head) |
411 |
{ |
{ |
412 |
static const int ccs_total = CCS_MAX_CONTROL_INDEX + 2; |
static const int ccs_total = CCS_MAX_CONTROL_INDEX + 2; |
413 |
int step; |
int step; |
414 |
if (head->read_eof) |
if (head->read_eof) |
415 |
return 0; |
return; |
416 |
for (step = head->read_step; step < CCS_MAX_PROFILES * ccs_total; |
for (step = head->read_step; step < CCS_MAX_PROFILES * ccs_total; |
417 |
step++) { |
step++) { |
418 |
const u8 index = step / ccs_total; |
const u8 index = step / ccs_total; |
453 |
} |
} |
454 |
if (step == CCS_MAX_PROFILES * ccs_total) |
if (step == CCS_MAX_PROFILES * ccs_total) |
455 |
head->read_eof = true; |
head->read_eof = true; |
|
return 0; |
|
456 |
} |
} |
457 |
|
|
458 |
/* The list for "struct ccs_policy_manager_entry". */ |
/* The list for "struct ccs_policy_manager_entry". */ |
527 |
* |
* |
528 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
529 |
* |
* |
|
* Returns 0. |
|
|
* |
|
530 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
531 |
*/ |
*/ |
532 |
static int ccs_read_manager_policy(struct ccs_io_buffer *head) |
static void ccs_read_manager_policy(struct ccs_io_buffer *head) |
533 |
{ |
{ |
534 |
struct list_head *pos; |
struct list_head *pos; |
535 |
ccs_assert_read_lock(); |
ccs_assert_read_lock(); |
536 |
if (head->read_eof) |
if (head->read_eof) |
537 |
return 0; |
return; |
538 |
list_for_each_cookie(pos, head->read_var2, &ccs_policy_manager_list) { |
list_for_each_cookie(pos, head->read_var2, &ccs_policy_manager_list) { |
539 |
struct ccs_policy_manager_entry *ptr; |
struct ccs_policy_manager_entry *ptr; |
540 |
ptr = list_entry(pos, struct ccs_policy_manager_entry, list); |
ptr = list_entry(pos, struct ccs_policy_manager_entry, list); |
541 |
if (ptr->is_deleted) |
if (ptr->is_deleted) |
542 |
continue; |
continue; |
543 |
if (!ccs_io_printf(head, "%s\n", ptr->manager->name)) |
if (!ccs_io_printf(head, "%s\n", ptr->manager->name)) |
544 |
return 0; |
return; |
545 |
} |
} |
546 |
head->read_eof = true; |
head->read_eof = true; |
|
return 0; |
|
547 |
} |
} |
548 |
|
|
549 |
/** |
/** |
973 |
* Returns true on success, false otherwise. |
* Returns true on success, false otherwise. |
974 |
*/ |
*/ |
975 |
static bool ccs_print_path_acl(struct ccs_io_buffer *head, |
static bool ccs_print_path_acl(struct ccs_io_buffer *head, |
976 |
struct ccs_path_acl *ptr, |
struct ccs_path_acl *ptr, |
977 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
978 |
{ |
{ |
979 |
int pos; |
int pos; |
980 |
u8 bit; |
u8 bit; |
1011 |
* Returns true on success, false otherwise. |
* Returns true on success, false otherwise. |
1012 |
*/ |
*/ |
1013 |
static bool ccs_print_path_number3_acl(struct ccs_io_buffer *head, |
static bool ccs_print_path_number3_acl(struct ccs_io_buffer *head, |
1014 |
struct ccs_path_number3_acl *ptr, |
struct ccs_path_number3_acl *ptr, |
1015 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
1016 |
{ |
{ |
1017 |
int pos; |
int pos; |
1018 |
u8 bit; |
u8 bit; |
1048 |
* Returns true on success, false otherwise. |
* Returns true on success, false otherwise. |
1049 |
*/ |
*/ |
1050 |
static bool ccs_print_path2_acl(struct ccs_io_buffer *head, |
static bool ccs_print_path2_acl(struct ccs_io_buffer *head, |
1051 |
struct ccs_path2_acl *ptr, |
struct ccs_path2_acl *ptr, |
1052 |
const struct ccs_condition *cond) |
const struct ccs_condition *cond) |
1053 |
{ |
{ |
1054 |
int pos; |
int pos; |
1055 |
u8 bit; |
u8 bit; |
1490 |
* |
* |
1491 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
1492 |
* |
* |
|
* Returns 0. |
|
|
* |
|
1493 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
1494 |
*/ |
*/ |
1495 |
static int ccs_read_domain_policy(struct ccs_io_buffer *head) |
static void ccs_read_domain_policy(struct ccs_io_buffer *head) |
1496 |
{ |
{ |
1497 |
struct list_head *dpos; |
struct list_head *dpos; |
1498 |
struct list_head *apos; |
struct list_head *apos; |
1499 |
ccs_assert_read_lock(); |
ccs_assert_read_lock(); |
1500 |
if (head->read_eof) |
if (head->read_eof) |
1501 |
return 0; |
return; |
1502 |
if (head->read_step == 0) |
if (head->read_step == 0) |
1503 |
head->read_step = 1; |
head->read_step = 1; |
1504 |
list_for_each_cookie(dpos, head->read_var1, &ccs_domain_list) { |
list_for_each_cookie(dpos, head->read_var1, &ccs_domain_list) { |
1529 |
transition_failed, |
transition_failed, |
1530 |
ignore_global_allow_read, |
ignore_global_allow_read, |
1531 |
ignore_global_allow_env)) |
ignore_global_allow_env)) |
1532 |
return 0; |
return; |
1533 |
head->read_step = 2; |
head->read_step = 2; |
1534 |
acl_loop: |
acl_loop: |
1535 |
if (head->read_step == 3) |
if (head->read_step == 3) |
1540 |
struct ccs_acl_info *ptr |
struct ccs_acl_info *ptr |
1541 |
= list_entry(apos, struct ccs_acl_info, list); |
= list_entry(apos, struct ccs_acl_info, list); |
1542 |
if (!ccs_print_entry(head, ptr)) |
if (!ccs_print_entry(head, ptr)) |
1543 |
return 0; |
return; |
1544 |
} |
} |
1545 |
head->read_step = 3; |
head->read_step = 3; |
1546 |
tail_mark: |
tail_mark: |
1547 |
if (!ccs_io_printf(head, "\n")) |
if (!ccs_io_printf(head, "\n")) |
1548 |
return 0; |
return; |
1549 |
head->read_step = 1; |
head->read_step = 1; |
1550 |
if (head->read_single_domain) |
if (head->read_single_domain) |
1551 |
break; |
break; |
1552 |
} |
} |
1553 |
head->read_eof = true; |
head->read_eof = true; |
|
return 0; |
|
1554 |
} |
} |
1555 |
|
|
1556 |
/** |
/** |
1591 |
* |
* |
1592 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
1593 |
* |
* |
|
* Returns list of profile number and domainname pairs. |
|
|
* |
|
1594 |
* This is equivalent to doing |
* This is equivalent to doing |
1595 |
* |
* |
1596 |
* grep -A 1 '^<kernel>' /proc/ccs/domain_policy | |
* grep -A 1 '^<kernel>' /proc/ccs/domain_policy | |
1600 |
* |
* |
1601 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
1602 |
*/ |
*/ |
1603 |
static int ccs_read_domain_profile(struct ccs_io_buffer *head) |
static void ccs_read_domain_profile(struct ccs_io_buffer *head) |
1604 |
{ |
{ |
1605 |
struct list_head *pos; |
struct list_head *pos; |
1606 |
ccs_assert_read_lock(); |
ccs_assert_read_lock(); |
1607 |
if (head->read_eof) |
if (head->read_eof) |
1608 |
return 0; |
return; |
1609 |
list_for_each_cookie(pos, head->read_var1, &ccs_domain_list) { |
list_for_each_cookie(pos, head->read_var1, &ccs_domain_list) { |
1610 |
struct ccs_domain_info *domain; |
struct ccs_domain_info *domain; |
1611 |
domain = list_entry(pos, struct ccs_domain_info, list); |
domain = list_entry(pos, struct ccs_domain_info, list); |
1613 |
continue; |
continue; |
1614 |
if (!ccs_io_printf(head, "%u %s\n", domain->profile, |
if (!ccs_io_printf(head, "%u %s\n", domain->profile, |
1615 |
domain->domainname->name)) |
domain->domainname->name)) |
1616 |
return 0; |
return; |
1617 |
} |
} |
1618 |
head->read_eof = true; |
head->read_eof = true; |
|
return 0; |
|
1619 |
} |
} |
1620 |
|
|
1621 |
/** |
/** |
1642 |
* |
* |
1643 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
1644 |
*/ |
*/ |
1645 |
static int ccs_read_pid(struct ccs_io_buffer *head) |
static void ccs_read_pid(struct ccs_io_buffer *head) |
1646 |
{ |
{ |
1647 |
char *buf = head->write_buf; |
char *buf = head->write_buf; |
1648 |
bool task_info = false; |
bool task_info = false; |
1653 |
ccs_assert_read_lock(); |
ccs_assert_read_lock(); |
1654 |
/* Accessing write_buf is safe because head->io_sem is held. */ |
/* Accessing write_buf is safe because head->io_sem is held. */ |
1655 |
if (!buf) |
if (!buf) |
1656 |
goto done; /* Do nothing if open(O_RDONLY). */ |
return; /* Do nothing if open(O_RDONLY). */ |
1657 |
if (head->read_avail || head->read_eof) |
if (head->read_avail || head->read_eof) |
1658 |
goto done; |
return; |
1659 |
head->read_eof = true; |
head->read_eof = true; |
1660 |
if (ccs_str_starts(&buf, "info ")) |
if (ccs_str_starts(&buf, "info ")) |
1661 |
task_info = true; |
task_info = true; |
1668 |
} |
} |
1669 |
read_unlock(&tasklist_lock); |
read_unlock(&tasklist_lock); |
1670 |
if (!domain) |
if (!domain) |
1671 |
goto done; |
return; |
1672 |
if (!task_info) |
if (!task_info) |
1673 |
ccs_io_printf(head, "%u %u %s", pid, domain->profile, |
ccs_io_printf(head, "%u %u %s", pid, domain->profile, |
1674 |
domain->domainname->name); |
domain->domainname->name); |
1682 |
(u8) (ccs_flags >> 24), |
(u8) (ccs_flags >> 24), |
1683 |
(u8) (ccs_flags >> 16), |
(u8) (ccs_flags >> 16), |
1684 |
(u8) (ccs_flags >> 8)); |
(u8) (ccs_flags >> 8)); |
|
done: |
|
|
return 0; |
|
1685 |
} |
} |
1686 |
|
|
1687 |
/** |
/** |
1731 |
* |
* |
1732 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
1733 |
* |
* |
|
* Returns 0 on success, -EINVAL otherwise. |
|
|
* |
|
1734 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
1735 |
*/ |
*/ |
1736 |
static int ccs_read_exception_policy(struct ccs_io_buffer *head) |
static void ccs_read_exception_policy(struct ccs_io_buffer *head) |
1737 |
{ |
{ |
1738 |
ccs_assert_read_lock(); |
ccs_assert_read_lock(); |
1739 |
if (!head->read_eof) { |
if (head->read_eof) |
1740 |
switch (head->read_step) { |
return; |
1741 |
case 0: |
switch (head->read_step) { |
1742 |
head->read_var2 = NULL; |
case 0: |
1743 |
head->read_step = 1; |
head->read_var2 = NULL; |
1744 |
case 1: |
head->read_step = 1; |
1745 |
if (!ccs_read_domain_keeper_policy(head)) |
case 1: |
1746 |
break; |
if (!ccs_read_domain_keeper_policy(head)) |
|
head->read_var2 = NULL; |
|
|
head->read_step = 2; |
|
|
case 2: |
|
|
if (!ccs_read_globally_readable_policy(head)) |
|
|
break; |
|
|
head->read_var2 = NULL; |
|
|
head->read_step = 3; |
|
|
case 3: |
|
|
if (!ccs_read_globally_usable_env_policy(head)) |
|
|
break; |
|
|
head->read_var2 = NULL; |
|
|
head->read_step = 4; |
|
|
case 4: |
|
|
if (!ccs_read_domain_initializer_policy(head)) |
|
|
break; |
|
|
head->read_var2 = NULL; |
|
|
head->read_step = 6; |
|
|
case 6: |
|
|
if (!ccs_read_aggregator_policy(head)) |
|
|
break; |
|
|
head->read_var2 = NULL; |
|
|
head->read_step = 7; |
|
|
case 7: |
|
|
if (!ccs_read_file_pattern(head)) |
|
|
break; |
|
|
head->read_var2 = NULL; |
|
|
head->read_step = 8; |
|
|
case 8: |
|
|
if (!ccs_read_no_rewrite_policy(head)) |
|
|
break; |
|
|
head->read_var2 = NULL; |
|
|
head->read_step = 9; |
|
|
case 9: |
|
|
if (!ccs_read_path_group_policy(head)) |
|
|
break; |
|
|
head->read_var1 = NULL; |
|
|
head->read_var2 = NULL; |
|
|
head->read_step = 10; |
|
|
case 10: |
|
|
if (!ccs_read_number_group_policy(head)) |
|
|
break; |
|
|
head->read_var1 = NULL; |
|
|
head->read_var2 = NULL; |
|
|
head->read_step = 11; |
|
|
case 11: |
|
|
if (!ccs_read_address_group_policy(head)) |
|
|
break; |
|
|
head->read_var2 = NULL; |
|
|
head->read_step = 12; |
|
|
case 12: |
|
|
if (!ccs_read_reserved_port_policy(head)) |
|
|
break; |
|
|
head->read_eof = true; |
|
1747 |
break; |
break; |
1748 |
default: |
head->read_var2 = NULL; |
1749 |
return -EINVAL; |
head->read_step = 2; |
1750 |
} |
case 2: |
1751 |
|
if (!ccs_read_globally_readable_policy(head)) |
1752 |
|
break; |
1753 |
|
head->read_var2 = NULL; |
1754 |
|
head->read_step = 3; |
1755 |
|
case 3: |
1756 |
|
if (!ccs_read_globally_usable_env_policy(head)) |
1757 |
|
break; |
1758 |
|
head->read_var2 = NULL; |
1759 |
|
head->read_step = 4; |
1760 |
|
case 4: |
1761 |
|
if (!ccs_read_domain_initializer_policy(head)) |
1762 |
|
break; |
1763 |
|
head->read_var2 = NULL; |
1764 |
|
head->read_step = 6; |
1765 |
|
case 6: |
1766 |
|
if (!ccs_read_aggregator_policy(head)) |
1767 |
|
break; |
1768 |
|
head->read_var2 = NULL; |
1769 |
|
head->read_step = 7; |
1770 |
|
case 7: |
1771 |
|
if (!ccs_read_file_pattern(head)) |
1772 |
|
break; |
1773 |
|
head->read_var2 = NULL; |
1774 |
|
head->read_step = 8; |
1775 |
|
case 8: |
1776 |
|
if (!ccs_read_no_rewrite_policy(head)) |
1777 |
|
break; |
1778 |
|
head->read_var2 = NULL; |
1779 |
|
head->read_step = 9; |
1780 |
|
case 9: |
1781 |
|
if (!ccs_read_path_group_policy(head)) |
1782 |
|
break; |
1783 |
|
head->read_var1 = NULL; |
1784 |
|
head->read_var2 = NULL; |
1785 |
|
head->read_step = 10; |
1786 |
|
case 10: |
1787 |
|
if (!ccs_read_number_group_policy(head)) |
1788 |
|
break; |
1789 |
|
head->read_var1 = NULL; |
1790 |
|
head->read_var2 = NULL; |
1791 |
|
head->read_step = 11; |
1792 |
|
case 11: |
1793 |
|
if (!ccs_read_address_group_policy(head)) |
1794 |
|
break; |
1795 |
|
head->read_var2 = NULL; |
1796 |
|
head->read_step = 12; |
1797 |
|
case 12: |
1798 |
|
if (!ccs_read_reserved_port_policy(head)) |
1799 |
|
break; |
1800 |
|
head->read_eof = true; |
1801 |
} |
} |
|
return 0; |
|
1802 |
} |
} |
1803 |
|
|
1804 |
/** |
/** |
1954 |
switch (r->mode) { |
switch (r->mode) { |
1955 |
char *buffer; |
char *buffer; |
1956 |
struct ccs_condition *cond; |
struct ccs_condition *cond; |
1957 |
case 1: |
case CCS_MAC_MODE_LEARNING: |
1958 |
if (!ccs_domain_quota_ok(r)) |
if (!ccs_domain_quota_ok(r)) |
1959 |
return 0; |
return 0; |
1960 |
va_start(args, fmt); |
va_start(args, fmt); |
1978 |
ccs_put_condition(cond); |
ccs_put_condition(cond); |
1979 |
kfree(buffer); |
kfree(buffer); |
1980 |
/* fall through */ |
/* fall through */ |
1981 |
case 2: |
case CCS_MAC_MODE_PERMISSIVE: |
1982 |
return 0; |
return 0; |
1983 |
} |
} |
1984 |
if (!atomic_read(&ccs_query_observers)) { |
if (!atomic_read(&ccs_query_observers)) { |
2105 |
* ccs_read_query - Read access requests which violated policy in enforcing mode. |
* ccs_read_query - Read access requests which violated policy in enforcing mode. |
2106 |
* |
* |
2107 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
|
* |
|
|
* Returns 0. |
|
2108 |
*/ |
*/ |
2109 |
static int ccs_read_query(struct ccs_io_buffer *head) |
static void ccs_read_query(struct ccs_io_buffer *head) |
2110 |
{ |
{ |
2111 |
struct list_head *tmp; |
struct list_head *tmp; |
2112 |
int pos = 0; |
int pos = 0; |
2113 |
int len = 0; |
int len = 0; |
2114 |
char *buf; |
char *buf; |
2115 |
if (head->read_avail) |
if (head->read_avail) |
2116 |
return 0; |
return; |
2117 |
if (head->read_buf) { |
if (head->read_buf) { |
2118 |
kfree(head->read_buf); |
kfree(head->read_buf); |
2119 |
head->read_buf = NULL; |
head->read_buf = NULL; |
2133 |
spin_unlock(&ccs_query_list_lock); |
spin_unlock(&ccs_query_list_lock); |
2134 |
if (!len) { |
if (!len) { |
2135 |
head->read_step = 0; |
head->read_step = 0; |
2136 |
return 0; |
return; |
2137 |
} |
} |
2138 |
buf = kzalloc(len, GFP_KERNEL); |
buf = kzalloc(len, GFP_KERNEL); |
2139 |
if (!buf) |
if (!buf) |
2140 |
return 0; |
return; |
2141 |
pos = 0; |
pos = 0; |
2142 |
spin_lock(&ccs_query_list_lock); |
spin_lock(&ccs_query_list_lock); |
2143 |
list_for_each(tmp, &ccs_query_list) { |
list_for_each(tmp, &ccs_query_list) { |
2164 |
} else { |
} else { |
2165 |
kfree(buf); |
kfree(buf); |
2166 |
} |
} |
|
return 0; |
|
2167 |
} |
} |
2168 |
|
|
2169 |
/** |
/** |
2206 |
* ccs_read_version: Get version. |
* ccs_read_version: Get version. |
2207 |
* |
* |
2208 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
|
* |
|
|
* Returns version information. |
|
2209 |
*/ |
*/ |
2210 |
static int ccs_read_version(struct ccs_io_buffer *head) |
static void ccs_read_version(struct ccs_io_buffer *head) |
2211 |
{ |
{ |
2212 |
if (!head->read_eof) { |
if (head->read_eof) |
2213 |
ccs_io_printf(head, "1.7.0-pre"); |
return; |
2214 |
head->read_eof = true; |
ccs_io_printf(head, "1.7.0-pre"); |
2215 |
} |
head->read_eof = true; |
|
return 0; |
|
2216 |
} |
} |
2217 |
|
|
2218 |
/** |
/** |
2219 |
* ccs_read_self_domain - Get the current process's domainname. |
* ccs_read_self_domain - Get the current process's domainname. |
2220 |
* |
* |
2221 |
* @head: Pointer to "struct ccs_io_buffer". |
* @head: Pointer to "struct ccs_io_buffer". |
|
* |
|
|
* Returns the current process's domainname. |
|
2222 |
*/ |
*/ |
2223 |
static int ccs_read_self_domain(struct ccs_io_buffer *head) |
static void ccs_read_self_domain(struct ccs_io_buffer *head) |
2224 |
{ |
{ |
2225 |
if (!head->read_eof) { |
if (head->read_eof) |
2226 |
/* |
return; |
2227 |
* ccs_current_domain()->domainname != NULL |
/* |
2228 |
* because every process belongs to a domain and |
* ccs_current_domain()->domainname != NULL because every process |
2229 |
* the domain's name cannot be NULL. |
* belongs to a domain and the domain's name cannot be NULL. |
2230 |
*/ |
*/ |
2231 |
ccs_io_printf(head, "%s", |
ccs_io_printf(head, "%s", ccs_current_domain()->domainname->name); |
2232 |
ccs_current_domain()->domainname->name); |
head->read_eof = true; |
|
head->read_eof = true; |
|
|
} |
|
|
return 0; |
|
2233 |
} |
} |
2234 |
|
|
2235 |
/** |
/** |
2400 |
return -EFAULT; |
return -EFAULT; |
2401 |
if (mutex_lock_interruptible(&head->io_sem)) |
if (mutex_lock_interruptible(&head->io_sem)) |
2402 |
return -EINTR; |
return -EINTR; |
2403 |
retry: |
while (1) { |
2404 |
/* Call the policy handler. */ |
/* Call the policy handler. */ |
2405 |
len = head->read(head); |
head->read(head); |
2406 |
if (len < 0) |
/* Write to buffer. */ |
2407 |
goto out; |
len = head->read_avail; |
2408 |
/* Write to buffer. */ |
if (len || head->poll || head->read_eof) |
2409 |
len = head->read_avail; |
break; |
2410 |
if (!len && !head->poll && !head->read_eof) { |
len = head->readbuf_size * 2; |
|
const int len = head->readbuf_size * 2; |
|
2411 |
cp = kzalloc(len, GFP_KERNEL); |
cp = kzalloc(len, GFP_KERNEL); |
2412 |
if (cp) { |
if (!cp) { |
2413 |
kfree(head->read_buf); |
len = -ENOMEM; |
2414 |
head->read_buf = cp; |
goto out; |
|
head->readbuf_size = len; |
|
|
goto retry; |
|
2415 |
} |
} |
2416 |
|
kfree(head->read_buf); |
2417 |
|
head->read_buf = cp; |
2418 |
|
head->readbuf_size = len; |
2419 |
} |
} |
2420 |
if (len > buffer_len) |
if (len > buffer_len) |
2421 |
len = buffer_len; |
len = buffer_len; |