367 |
value = 0; |
value = 0; |
368 |
else |
else |
369 |
value = -1; |
value = -1; |
370 |
if (!strcmp(data, "PREFERENCE::audit")) { |
if (!strcmp(data, CCS_KEYWORD_PREFERENCE_AUDIT)) { |
371 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
372 |
char *cp2; |
char *cp2; |
373 |
#endif |
#endif |
396 |
profile->preference.audit_path_info = false; |
profile->preference.audit_path_info = false; |
397 |
return 0; |
return 0; |
398 |
} |
} |
399 |
if (!strcmp(data, "PREFERENCE::enforcing")) { |
if (!strcmp(data, CCS_KEYWORD_PREFERENCE_ENFORCING)) { |
400 |
char *cp2; |
char *cp2; |
401 |
if (use_default) { |
if (use_default) { |
402 |
profile->enforcing = &ccs_default_profile.preference; |
profile->enforcing = &ccs_default_profile.preference; |
411 |
&profile->preference.enforcing_penalty); |
&profile->preference.enforcing_penalty); |
412 |
return 0; |
return 0; |
413 |
} |
} |
414 |
if (!strcmp(data, "PREFERENCE::permissive")) { |
if (!strcmp(data, CCS_KEYWORD_PREFERENCE_PERMISSIVE)) { |
415 |
if (use_default) { |
if (use_default) { |
416 |
profile->permissive = &ccs_default_profile.preference; |
profile->permissive = &ccs_default_profile.preference; |
417 |
return 0; |
return 0; |
421 |
profile->preference.permissive_verbose = value; |
profile->preference.permissive_verbose = value; |
422 |
return 0; |
return 0; |
423 |
} |
} |
424 |
if (!strcmp(data, "PREFERENCE::learning")) { |
if (!strcmp(data, CCS_KEYWORD_PREFERENCE_LEARNING)) { |
425 |
char *cp2; |
char *cp2; |
426 |
if (use_default) { |
if (use_default) { |
427 |
profile->learning = &ccs_default_profile.preference; |
profile->learning = &ccs_default_profile.preference; |
506 |
return 0; |
return 0; |
507 |
} |
} |
508 |
|
|
509 |
|
static bool ccs_print_preference(struct ccs_io_buffer *head, const int idx) |
510 |
|
{ |
511 |
|
struct ccs_preference *pref = &ccs_default_profile.preference; |
512 |
|
const struct ccs_profile *profile = idx >= 0 ? |
513 |
|
ccs_profile_ptr[idx] : NULL; |
514 |
|
char buffer[16] = ""; |
515 |
|
if (profile) { |
516 |
|
buffer[sizeof(buffer) - 1] = '\0'; |
517 |
|
snprintf(buffer, sizeof(buffer) - 1, "%u-", idx); |
518 |
|
} |
519 |
|
if (profile) { |
520 |
|
pref = profile->audit; |
521 |
|
if (pref == &ccs_default_profile.preference) |
522 |
|
pref = NULL; |
523 |
|
} |
524 |
|
if (pref && !ccs_io_printf(head, "%s%s={ " |
525 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
526 |
|
"max_grant_log=%u max_reject_log=%u " |
527 |
|
#endif |
528 |
|
"task_info=%s path_info=%s }\n", buffer, |
529 |
|
CCS_KEYWORD_PREFERENCE_AUDIT, |
530 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
531 |
|
pref->audit_max_grant_log, |
532 |
|
pref->audit_max_reject_log, |
533 |
|
#endif |
534 |
|
ccs_yesno(pref->audit_task_info), |
535 |
|
ccs_yesno(pref->audit_path_info))) |
536 |
|
return false; |
537 |
|
if (profile) { |
538 |
|
pref = profile->learning; |
539 |
|
if (pref == &ccs_default_profile.preference) |
540 |
|
pref = NULL; |
541 |
|
} |
542 |
|
if (pref && !ccs_io_printf(head, "%s%s={ " |
543 |
|
"verbose=%s max_entry=%u exec.realpath=%s " |
544 |
|
"exec.argv0=%s symlink.target=%s }\n", |
545 |
|
buffer, CCS_KEYWORD_PREFERENCE_LEARNING, |
546 |
|
ccs_yesno(pref->learning_verbose), |
547 |
|
pref->learning_max_entry, |
548 |
|
ccs_yesno(pref->learning_exec_realpath), |
549 |
|
ccs_yesno(pref->learning_exec_argv0), |
550 |
|
ccs_yesno(pref->learning_symlink_target))) |
551 |
|
return false; |
552 |
|
if (profile) { |
553 |
|
pref = profile->permissive; |
554 |
|
if (pref == &ccs_default_profile.preference) |
555 |
|
pref = NULL; |
556 |
|
} |
557 |
|
if (pref && !ccs_io_printf(head, "%s%s={ verbose=%s }\n", buffer, |
558 |
|
CCS_KEYWORD_PREFERENCE_PERMISSIVE, |
559 |
|
ccs_yesno(pref->permissive_verbose))) |
560 |
|
return false; |
561 |
|
if (profile) { |
562 |
|
pref = profile->enforcing; |
563 |
|
if (pref == &ccs_default_profile.preference) |
564 |
|
pref = NULL; |
565 |
|
} |
566 |
|
return !pref || ccs_io_printf(head, "%s%s={ verbose=%s penalty=%u }\n", |
567 |
|
buffer, CCS_KEYWORD_PREFERENCE_ENFORCING, |
568 |
|
ccs_yesno(pref->enforcing_verbose), |
569 |
|
pref->enforcing_penalty); |
570 |
|
} |
571 |
|
|
572 |
/** |
/** |
573 |
* ccs_read_profile - Read profile table. |
* ccs_read_profile - Read profile table. |
574 |
* |
* |
582 |
if (head->read_bit) |
if (head->read_bit) |
583 |
goto body; |
goto body; |
584 |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20090903"); |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20090903"); |
585 |
ccs_io_printf(head, "PREFERENCE::audit={ " |
ccs_print_preference(head, -1); |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
|
"max_grant_log=%u max_reject_log=%u " |
|
|
#endif |
|
|
"task_info=%s path_info=%s }\n", |
|
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
|
ccs_default_profile.preference.audit_max_grant_log, |
|
|
ccs_default_profile.preference.audit_max_reject_log, |
|
|
#endif |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
audit_task_info), |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
audit_path_info)); |
|
|
ccs_io_printf(head, "PREFERENCE::learning={ verbose=%s max_entry=%u " |
|
|
"exec.realpath=%s exec.argv0=%s symlink.target=%s }\n", |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
learning_verbose), |
|
|
ccs_default_profile.preference.learning_max_entry, |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
learning_exec_realpath), |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
learning_exec_argv0), |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
learning_symlink_target)); |
|
|
ccs_io_printf(head, "PREFERENCE::permissive={ verbose=%s }\n", |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
permissive_verbose)); |
|
|
ccs_io_printf(head, "PREFERENCE::enforcing={ verbose=%s penalty=%u " |
|
|
"}\n", |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
enforcing_verbose), |
|
|
ccs_default_profile.preference.enforcing_penalty); |
|
586 |
head->read_bit = 1; |
head->read_bit = 1; |
587 |
body: |
body: |
588 |
for (index = head->read_step; index < CCS_MAX_PROFILES; index++) { |
for (index = head->read_step; index < CCS_MAX_PROFILES; index++) { |
603 |
goto out; |
goto out; |
604 |
config = profile->default_config; |
config = profile->default_config; |
605 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
606 |
if (!ccs_io_printf(head, "%u-CONFIG={ mode=%s grant_log=%s " |
if (!ccs_io_printf(head, "%u-%s%s={ mode=%s " |
607 |
"reject_log=%s }\n", index, |
"grant_log=%s reject_log=%s }\n", index, |
608 |
ccs_mode_4[config & 3], |
"CONFIG", "", ccs_mode_4[config & 3], |
609 |
ccs_yesno(config & |
ccs_yesno(config & |
610 |
CCS_CONFIG_WANT_GRANT_LOG), |
CCS_CONFIG_WANT_GRANT_LOG), |
611 |
ccs_yesno(config & |
ccs_yesno(config & |
612 |
CCS_CONFIG_WANT_REJECT_LOG))) |
CCS_CONFIG_WANT_REJECT_LOG))) |
613 |
goto out; |
goto out; |
614 |
#else |
#else |
615 |
if (!ccs_io_printf(head, "%u-CONFIG={ mode=%s }\n", index, |
if (!ccs_io_printf(head, "%u-%s%s={ mode=%s }\n", index, |
616 |
ccs_mode_4[config & 3])) |
"CONFIG", "", ccs_mode_4[config & 3])) |
617 |
goto out; |
goto out; |
618 |
#endif |
#endif |
619 |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
628 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
629 |
g = ccs_yesno(config & CCS_CONFIG_WANT_GRANT_LOG); |
g = ccs_yesno(config & CCS_CONFIG_WANT_GRANT_LOG); |
630 |
r = ccs_yesno(config & CCS_CONFIG_WANT_REJECT_LOG); |
r = ccs_yesno(config & CCS_CONFIG_WANT_REJECT_LOG); |
631 |
if (!ccs_io_printf(head, "%u-CONFIG::%s={ mode=%s " |
if (!ccs_io_printf(head, "%u-%s%s={ mode=%s " |
632 |
"grant_log=%s reject_log=%s }\n", |
"grant_log=%s reject_log=%s }\n", |
633 |
index, ccs_mac_keywords[i], |
index, "CONFIG::", |
634 |
|
ccs_mac_keywords[i], |
635 |
ccs_mode_4[config & 3], g, r)) |
ccs_mode_4[config & 3], g, r)) |
636 |
goto out; |
goto out; |
637 |
#else |
#else |
638 |
if (!ccs_io_printf(head, "%u-CONFIG::%s={ mode=%s }\n", |
if (!ccs_io_printf(head, "%u-%s%s={ mode=%s }\n", |
639 |
index, ccs_mac_keywords[i], |
index, "CONFIG::", |
640 |
|
ccs_mac_keywords[i], |
641 |
ccs_mode_4[config & 3])) |
ccs_mode_4[config & 3])) |
642 |
goto out; |
goto out; |
643 |
#endif |
#endif |
644 |
} |
} |
645 |
if (profile->audit != &ccs_default_profile.preference && |
if (!ccs_print_preference(head, index)) |
|
!ccs_io_printf(head, "%u-PREFERENCE::audit={ " |
|
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
|
"max_grant_log=%u max_reject_log=%u " |
|
|
#endif |
|
|
"task_info=%s path_info=%s }\n", index, |
|
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
|
profile->preference.audit_max_grant_log, |
|
|
profile->preference.audit_max_reject_log, |
|
|
#endif |
|
|
ccs_yesno(profile->preference. |
|
|
audit_task_info), |
|
|
ccs_yesno(profile->preference. |
|
|
audit_path_info))) |
|
|
goto out; |
|
|
if (profile->learning != &ccs_default_profile.preference && |
|
|
!ccs_io_printf(head, "%u-PREFERENCE::learning={ " |
|
|
"verbose=%s max_entry=%u exec.realpath=%s " |
|
|
"exec.argv0=%s symlink.target=%s }\n", |
|
|
index, |
|
|
ccs_yesno(profile->preference. |
|
|
learning_verbose), |
|
|
profile->preference.learning_max_entry, |
|
|
ccs_yesno(profile->preference. |
|
|
learning_exec_realpath), |
|
|
ccs_yesno(profile->preference. |
|
|
learning_exec_argv0), |
|
|
ccs_yesno(profile->preference. |
|
|
learning_symlink_target))) |
|
|
goto out; |
|
|
if (profile->permissive != &ccs_default_profile.preference && |
|
|
!ccs_io_printf(head, "%u-PREFERENCE::permissive={ " |
|
|
"verbose=%s }\n", index, |
|
|
ccs_yesno(profile->preference. |
|
|
permissive_verbose))) |
|
|
goto out; |
|
|
if (profile->enforcing != &ccs_default_profile.preference && |
|
|
!ccs_io_printf(head, "%u-PREFERENCE::enforcing={ " |
|
|
"verbose=%s penalty=%u }\n", index, |
|
|
ccs_yesno(profile->preference. |
|
|
enforcing_verbose), |
|
|
profile->preference.enforcing_penalty)) |
|
646 |
goto out; |
goto out; |
647 |
continue; |
continue; |
648 |
out: |
out: |
1812 |
static int ccs_write_exception_policy(struct ccs_io_buffer *head) |
static int ccs_write_exception_policy(struct ccs_io_buffer *head) |
1813 |
{ |
{ |
1814 |
char *data = head->write_buf; |
char *data = head->write_buf; |
1815 |
bool is_delete = ccs_str_starts(&data, CCS_KEYWORD_DELETE); |
const bool is_delete = ccs_str_starts(&data, CCS_KEYWORD_DELETE); |
1816 |
if (ccs_str_starts(&data, CCS_KEYWORD_KEEP_DOMAIN)) |
u8 i; |
1817 |
return ccs_write_domain_keeper_policy(data, false, is_delete); |
static const struct { |
1818 |
if (ccs_str_starts(&data, CCS_KEYWORD_NO_KEEP_DOMAIN)) |
const char *keyword; |
1819 |
return ccs_write_domain_keeper_policy(data, true, is_delete); |
int (*write) (char *, const bool, const u8); |
1820 |
if (ccs_str_starts(&data, CCS_KEYWORD_INITIALIZE_DOMAIN)) |
} ccs_callback[13] = { |
1821 |
return ccs_write_domain_initializer_policy(data, false, |
{ CCS_KEYWORD_NO_KEEP_DOMAIN, ccs_write_domain_keeper_policy }, |
1822 |
is_delete); |
{ CCS_KEYWORD_NO_INITIALIZE_DOMAIN, |
1823 |
if (ccs_str_starts(&data, CCS_KEYWORD_NO_INITIALIZE_DOMAIN)) |
ccs_write_domain_initializer_policy }, |
1824 |
return ccs_write_domain_initializer_policy(data, true, |
{ CCS_KEYWORD_KEEP_DOMAIN, ccs_write_domain_keeper_policy }, |
1825 |
is_delete); |
{ CCS_KEYWORD_INITIALIZE_DOMAIN, |
1826 |
if (ccs_str_starts(&data, CCS_KEYWORD_AGGREGATOR)) |
ccs_write_domain_initializer_policy }, |
1827 |
return ccs_write_aggregator_policy(data, is_delete); |
{ CCS_KEYWORD_AGGREGATOR, ccs_write_aggregator_policy }, |
1828 |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_READ)) |
{ CCS_KEYWORD_ALLOW_READ, ccs_write_globally_readable_policy }, |
1829 |
return ccs_write_globally_readable_policy(data, is_delete); |
{ CCS_KEYWORD_ALLOW_ENV, |
1830 |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_ENV)) |
ccs_write_globally_usable_env_policy }, |
1831 |
return ccs_write_globally_usable_env_policy(data, is_delete); |
{ CCS_KEYWORD_FILE_PATTERN, ccs_write_pattern_policy }, |
1832 |
if (ccs_str_starts(&data, CCS_KEYWORD_FILE_PATTERN)) |
{ CCS_KEYWORD_PATH_GROUP, ccs_write_path_group_policy }, |
1833 |
return ccs_write_pattern_policy(data, is_delete); |
{ CCS_KEYWORD_NUMBER_GROUP, ccs_write_number_group_policy }, |
1834 |
if (ccs_str_starts(&data, CCS_KEYWORD_PATH_GROUP)) |
{ CCS_KEYWORD_ADDRESS_GROUP, ccs_write_address_group_policy }, |
1835 |
return ccs_write_path_group_policy(data, is_delete); |
{ CCS_KEYWORD_DENY_REWRITE, ccs_write_no_rewrite_policy }, |
1836 |
if (ccs_str_starts(&data, CCS_KEYWORD_NUMBER_GROUP)) |
{ CCS_KEYWORD_DENY_AUTOBIND, ccs_write_reserved_port_policy } |
1837 |
return ccs_write_number_group_policy(data, is_delete); |
}; |
1838 |
if (ccs_str_starts(&data, CCS_KEYWORD_DENY_REWRITE)) |
for (i = 0; i < 13; i++) { |
1839 |
return ccs_write_no_rewrite_policy(data, is_delete); |
if (ccs_str_starts(&data, ccs_callback[i].keyword)) |
1840 |
if (ccs_str_starts(&data, CCS_KEYWORD_ADDRESS_GROUP)) |
return ccs_callback[i].write(data, is_delete, i < 2); |
1841 |
return ccs_write_address_group_policy(data, is_delete); |
} |
|
if (ccs_str_starts(&data, CCS_KEYWORD_DENY_AUTOBIND)) |
|
|
return ccs_write_reserved_port_policy(data, is_delete); |
|
1842 |
return -EINVAL; |
return -EINVAL; |
1843 |
} |
} |
1844 |
|
|
1931 |
struct ccs_domain_keeper_entry *ptr = |
struct ccs_domain_keeper_entry *ptr = |
1932 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1933 |
w[0] = ptr->is_not ? |
w[0] = ptr->is_not ? |
1934 |
"no_" CCS_KEYWORD_KEEP_DOMAIN : |
CCS_KEYWORD_NO_KEEP_DOMAIN : |
1935 |
CCS_KEYWORD_KEEP_DOMAIN; |
CCS_KEYWORD_KEEP_DOMAIN; |
1936 |
if (ptr->program) { |
if (ptr->program) { |
1937 |
w[1] = ptr->program->name; |
w[1] = ptr->program->name; |
1945 |
struct ccs_domain_initializer_entry *ptr = |
struct ccs_domain_initializer_entry *ptr = |
1946 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
1947 |
w[0] = ptr->is_not ? |
w[0] = ptr->is_not ? |
1948 |
"no_" CCS_KEYWORD_INITIALIZE_DOMAIN : |
CCS_KEYWORD_NO_INITIALIZE_DOMAIN : |
1949 |
CCS_KEYWORD_INITIALIZE_DOMAIN; |
CCS_KEYWORD_INITIALIZE_DOMAIN; |
1950 |
w[1] = ptr->program->name; |
w[1] = ptr->program->name; |
1951 |
if (ptr->domainname) { |
if (ptr->domainname) { |