| 367 |
value = 0; |
value = 0; |
| 368 |
else |
else |
| 369 |
value = -1; |
value = -1; |
| 370 |
if (!strcmp(data, "PREFERENCE::audit")) { |
if (!strcmp(data, CCS_KEYWORD_PREFERENCE_AUDIT)) { |
| 371 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 372 |
char *cp2; |
char *cp2; |
| 373 |
#endif |
#endif |
| 396 |
profile->preference.audit_path_info = false; |
profile->preference.audit_path_info = false; |
| 397 |
return 0; |
return 0; |
| 398 |
} |
} |
| 399 |
if (!strcmp(data, "PREFERENCE::enforcing")) { |
if (!strcmp(data, CCS_KEYWORD_PREFERENCE_ENFORCING)) { |
| 400 |
char *cp2; |
char *cp2; |
| 401 |
if (use_default) { |
if (use_default) { |
| 402 |
profile->enforcing = &ccs_default_profile.preference; |
profile->enforcing = &ccs_default_profile.preference; |
| 411 |
&profile->preference.enforcing_penalty); |
&profile->preference.enforcing_penalty); |
| 412 |
return 0; |
return 0; |
| 413 |
} |
} |
| 414 |
if (!strcmp(data, "PREFERENCE::permissive")) { |
if (!strcmp(data, CCS_KEYWORD_PREFERENCE_PERMISSIVE)) { |
| 415 |
if (use_default) { |
if (use_default) { |
| 416 |
profile->permissive = &ccs_default_profile.preference; |
profile->permissive = &ccs_default_profile.preference; |
| 417 |
return 0; |
return 0; |
| 421 |
profile->preference.permissive_verbose = value; |
profile->preference.permissive_verbose = value; |
| 422 |
return 0; |
return 0; |
| 423 |
} |
} |
| 424 |
if (!strcmp(data, "PREFERENCE::learning")) { |
if (!strcmp(data, CCS_KEYWORD_PREFERENCE_LEARNING)) { |
| 425 |
char *cp2; |
char *cp2; |
| 426 |
if (use_default) { |
if (use_default) { |
| 427 |
profile->learning = &ccs_default_profile.preference; |
profile->learning = &ccs_default_profile.preference; |
| 506 |
return 0; |
return 0; |
| 507 |
} |
} |
| 508 |
|
|
| 509 |
|
static bool ccs_print_preference(struct ccs_io_buffer *head, const int idx) |
| 510 |
|
{ |
| 511 |
|
struct ccs_preference *pref = &ccs_default_profile.preference; |
| 512 |
|
const struct ccs_profile *profile = idx >= 0 ? |
| 513 |
|
ccs_profile_ptr[idx] : NULL; |
| 514 |
|
char buffer[16] = ""; |
| 515 |
|
if (profile) { |
| 516 |
|
buffer[sizeof(buffer) - 1] = '\0'; |
| 517 |
|
snprintf(buffer, sizeof(buffer) - 1, "%u-", idx); |
| 518 |
|
} |
| 519 |
|
if (profile) { |
| 520 |
|
pref = profile->audit; |
| 521 |
|
if (pref == &ccs_default_profile.preference) |
| 522 |
|
pref = NULL; |
| 523 |
|
} |
| 524 |
|
if (pref && !ccs_io_printf(head, "%s%s={ " |
| 525 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
| 526 |
|
"max_grant_log=%u max_reject_log=%u " |
| 527 |
|
#endif |
| 528 |
|
"task_info=%s path_info=%s }\n", buffer, |
| 529 |
|
CCS_KEYWORD_PREFERENCE_AUDIT, |
| 530 |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
| 531 |
|
pref->audit_max_grant_log, |
| 532 |
|
pref->audit_max_reject_log, |
| 533 |
|
#endif |
| 534 |
|
ccs_yesno(pref->audit_task_info), |
| 535 |
|
ccs_yesno(pref->audit_path_info))) |
| 536 |
|
return false; |
| 537 |
|
if (profile) { |
| 538 |
|
pref = profile->learning; |
| 539 |
|
if (pref == &ccs_default_profile.preference) |
| 540 |
|
pref = NULL; |
| 541 |
|
} |
| 542 |
|
if (pref && !ccs_io_printf(head, "%s%s={ " |
| 543 |
|
"verbose=%s max_entry=%u exec.realpath=%s " |
| 544 |
|
"exec.argv0=%s symlink.target=%s }\n", |
| 545 |
|
buffer, CCS_KEYWORD_PREFERENCE_LEARNING, |
| 546 |
|
ccs_yesno(pref->learning_verbose), |
| 547 |
|
pref->learning_max_entry, |
| 548 |
|
ccs_yesno(pref->learning_exec_realpath), |
| 549 |
|
ccs_yesno(pref->learning_exec_argv0), |
| 550 |
|
ccs_yesno(pref->learning_symlink_target))) |
| 551 |
|
return false; |
| 552 |
|
if (profile) { |
| 553 |
|
pref = profile->permissive; |
| 554 |
|
if (pref == &ccs_default_profile.preference) |
| 555 |
|
pref = NULL; |
| 556 |
|
} |
| 557 |
|
if (pref && !ccs_io_printf(head, "%s%s={ verbose=%s }\n", buffer, |
| 558 |
|
CCS_KEYWORD_PREFERENCE_PERMISSIVE, |
| 559 |
|
ccs_yesno(pref->permissive_verbose))) |
| 560 |
|
return false; |
| 561 |
|
if (profile) { |
| 562 |
|
pref = profile->enforcing; |
| 563 |
|
if (pref == &ccs_default_profile.preference) |
| 564 |
|
pref = NULL; |
| 565 |
|
} |
| 566 |
|
return !pref || ccs_io_printf(head, "%s%s={ verbose=%s penalty=%u }\n", |
| 567 |
|
buffer, CCS_KEYWORD_PREFERENCE_ENFORCING, |
| 568 |
|
ccs_yesno(pref->enforcing_verbose), |
| 569 |
|
pref->enforcing_penalty); |
| 570 |
|
} |
| 571 |
|
|
| 572 |
/** |
/** |
| 573 |
* ccs_read_profile - Read profile table. |
* ccs_read_profile - Read profile table. |
| 574 |
* |
* |
| 582 |
if (head->read_bit) |
if (head->read_bit) |
| 583 |
goto body; |
goto body; |
| 584 |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20090903"); |
ccs_io_printf(head, "PROFILE_VERSION=%s\n", "20090903"); |
| 585 |
ccs_io_printf(head, "PREFERENCE::audit={ " |
ccs_print_preference(head, -1); |
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
|
"max_grant_log=%u max_reject_log=%u " |
|
|
#endif |
|
|
"task_info=%s path_info=%s }\n", |
|
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
|
ccs_default_profile.preference.audit_max_grant_log, |
|
|
ccs_default_profile.preference.audit_max_reject_log, |
|
|
#endif |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
audit_task_info), |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
audit_path_info)); |
|
|
ccs_io_printf(head, "PREFERENCE::learning={ verbose=%s max_entry=%u " |
|
|
"exec.realpath=%s exec.argv0=%s symlink.target=%s }\n", |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
learning_verbose), |
|
|
ccs_default_profile.preference.learning_max_entry, |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
learning_exec_realpath), |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
learning_exec_argv0), |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
learning_symlink_target)); |
|
|
ccs_io_printf(head, "PREFERENCE::permissive={ verbose=%s }\n", |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
permissive_verbose)); |
|
|
ccs_io_printf(head, "PREFERENCE::enforcing={ verbose=%s penalty=%u " |
|
|
"}\n", |
|
|
ccs_yesno(ccs_default_profile.preference. |
|
|
enforcing_verbose), |
|
|
ccs_default_profile.preference.enforcing_penalty); |
|
| 586 |
head->read_bit = 1; |
head->read_bit = 1; |
| 587 |
body: |
body: |
| 588 |
for (index = head->read_step; index < CCS_MAX_PROFILES; index++) { |
for (index = head->read_step; index < CCS_MAX_PROFILES; index++) { |
| 603 |
goto out; |
goto out; |
| 604 |
config = profile->default_config; |
config = profile->default_config; |
| 605 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 606 |
if (!ccs_io_printf(head, "%u-CONFIG={ mode=%s grant_log=%s " |
if (!ccs_io_printf(head, "%u-%s%s={ mode=%s " |
| 607 |
"reject_log=%s }\n", index, |
"grant_log=%s reject_log=%s }\n", index, |
| 608 |
ccs_mode_4[config & 3], |
"CONFIG", "", ccs_mode_4[config & 3], |
| 609 |
ccs_yesno(config & |
ccs_yesno(config & |
| 610 |
CCS_CONFIG_WANT_GRANT_LOG), |
CCS_CONFIG_WANT_GRANT_LOG), |
| 611 |
ccs_yesno(config & |
ccs_yesno(config & |
| 612 |
CCS_CONFIG_WANT_REJECT_LOG))) |
CCS_CONFIG_WANT_REJECT_LOG))) |
| 613 |
goto out; |
goto out; |
| 614 |
#else |
#else |
| 615 |
if (!ccs_io_printf(head, "%u-CONFIG={ mode=%s }\n", index, |
if (!ccs_io_printf(head, "%u-%s%s={ mode=%s }\n", index, |
| 616 |
ccs_mode_4[config & 3])) |
"CONFIG", "", ccs_mode_4[config & 3])) |
| 617 |
goto out; |
goto out; |
| 618 |
#endif |
#endif |
| 619 |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX |
| 628 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
| 629 |
g = ccs_yesno(config & CCS_CONFIG_WANT_GRANT_LOG); |
g = ccs_yesno(config & CCS_CONFIG_WANT_GRANT_LOG); |
| 630 |
r = ccs_yesno(config & CCS_CONFIG_WANT_REJECT_LOG); |
r = ccs_yesno(config & CCS_CONFIG_WANT_REJECT_LOG); |
| 631 |
if (!ccs_io_printf(head, "%u-CONFIG::%s={ mode=%s " |
if (!ccs_io_printf(head, "%u-%s%s={ mode=%s " |
| 632 |
"grant_log=%s reject_log=%s }\n", |
"grant_log=%s reject_log=%s }\n", |
| 633 |
index, ccs_mac_keywords[i], |
index, "CONFIG::", |
| 634 |
|
ccs_mac_keywords[i], |
| 635 |
ccs_mode_4[config & 3], g, r)) |
ccs_mode_4[config & 3], g, r)) |
| 636 |
goto out; |
goto out; |
| 637 |
#else |
#else |
| 638 |
if (!ccs_io_printf(head, "%u-CONFIG::%s={ mode=%s }\n", |
if (!ccs_io_printf(head, "%u-%s%s={ mode=%s }\n", |
| 639 |
index, ccs_mac_keywords[i], |
index, "CONFIG::", |
| 640 |
|
ccs_mac_keywords[i], |
| 641 |
ccs_mode_4[config & 3])) |
ccs_mode_4[config & 3])) |
| 642 |
goto out; |
goto out; |
| 643 |
#endif |
#endif |
| 644 |
} |
} |
| 645 |
if (profile->audit != &ccs_default_profile.preference && |
if (!ccs_print_preference(head, index)) |
|
!ccs_io_printf(head, "%u-PREFERENCE::audit={ " |
|
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
|
"max_grant_log=%u max_reject_log=%u " |
|
|
#endif |
|
|
"task_info=%s path_info=%s }\n", index, |
|
|
#ifdef CONFIG_CCSECURITY_AUDIT |
|
|
profile->preference.audit_max_grant_log, |
|
|
profile->preference.audit_max_reject_log, |
|
|
#endif |
|
|
ccs_yesno(profile->preference. |
|
|
audit_task_info), |
|
|
ccs_yesno(profile->preference. |
|
|
audit_path_info))) |
|
|
goto out; |
|
|
if (profile->learning != &ccs_default_profile.preference && |
|
|
!ccs_io_printf(head, "%u-PREFERENCE::learning={ " |
|
|
"verbose=%s max_entry=%u exec.realpath=%s " |
|
|
"exec.argv0=%s symlink.target=%s }\n", |
|
|
index, |
|
|
ccs_yesno(profile->preference. |
|
|
learning_verbose), |
|
|
profile->preference.learning_max_entry, |
|
|
ccs_yesno(profile->preference. |
|
|
learning_exec_realpath), |
|
|
ccs_yesno(profile->preference. |
|
|
learning_exec_argv0), |
|
|
ccs_yesno(profile->preference. |
|
|
learning_symlink_target))) |
|
|
goto out; |
|
|
if (profile->permissive != &ccs_default_profile.preference && |
|
|
!ccs_io_printf(head, "%u-PREFERENCE::permissive={ " |
|
|
"verbose=%s }\n", index, |
|
|
ccs_yesno(profile->preference. |
|
|
permissive_verbose))) |
|
|
goto out; |
|
|
if (profile->enforcing != &ccs_default_profile.preference && |
|
|
!ccs_io_printf(head, "%u-PREFERENCE::enforcing={ " |
|
|
"verbose=%s penalty=%u }\n", index, |
|
|
ccs_yesno(profile->preference. |
|
|
enforcing_verbose), |
|
|
profile->preference.enforcing_penalty)) |
|
| 646 |
goto out; |
goto out; |
| 647 |
continue; |
continue; |
| 648 |
out: |
out: |
| 1812 |
static int ccs_write_exception_policy(struct ccs_io_buffer *head) |
static int ccs_write_exception_policy(struct ccs_io_buffer *head) |
| 1813 |
{ |
{ |
| 1814 |
char *data = head->write_buf; |
char *data = head->write_buf; |
| 1815 |
bool is_delete = ccs_str_starts(&data, CCS_KEYWORD_DELETE); |
const bool is_delete = ccs_str_starts(&data, CCS_KEYWORD_DELETE); |
| 1816 |
if (ccs_str_starts(&data, CCS_KEYWORD_KEEP_DOMAIN)) |
u8 i; |
| 1817 |
return ccs_write_domain_keeper_policy(data, false, is_delete); |
static const struct { |
| 1818 |
if (ccs_str_starts(&data, CCS_KEYWORD_NO_KEEP_DOMAIN)) |
const char *keyword; |
| 1819 |
return ccs_write_domain_keeper_policy(data, true, is_delete); |
int (*write) (char *, const bool, const u8); |
| 1820 |
if (ccs_str_starts(&data, CCS_KEYWORD_INITIALIZE_DOMAIN)) |
} ccs_callback[13] = { |
| 1821 |
return ccs_write_domain_initializer_policy(data, false, |
{ CCS_KEYWORD_NO_KEEP_DOMAIN, ccs_write_domain_keeper_policy }, |
| 1822 |
is_delete); |
{ CCS_KEYWORD_NO_INITIALIZE_DOMAIN, |
| 1823 |
if (ccs_str_starts(&data, CCS_KEYWORD_NO_INITIALIZE_DOMAIN)) |
ccs_write_domain_initializer_policy }, |
| 1824 |
return ccs_write_domain_initializer_policy(data, true, |
{ CCS_KEYWORD_KEEP_DOMAIN, ccs_write_domain_keeper_policy }, |
| 1825 |
is_delete); |
{ CCS_KEYWORD_INITIALIZE_DOMAIN, |
| 1826 |
if (ccs_str_starts(&data, CCS_KEYWORD_AGGREGATOR)) |
ccs_write_domain_initializer_policy }, |
| 1827 |
return ccs_write_aggregator_policy(data, is_delete); |
{ CCS_KEYWORD_AGGREGATOR, ccs_write_aggregator_policy }, |
| 1828 |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_READ)) |
{ CCS_KEYWORD_ALLOW_READ, ccs_write_globally_readable_policy }, |
| 1829 |
return ccs_write_globally_readable_policy(data, is_delete); |
{ CCS_KEYWORD_ALLOW_ENV, |
| 1830 |
if (ccs_str_starts(&data, CCS_KEYWORD_ALLOW_ENV)) |
ccs_write_globally_usable_env_policy }, |
| 1831 |
return ccs_write_globally_usable_env_policy(data, is_delete); |
{ CCS_KEYWORD_FILE_PATTERN, ccs_write_pattern_policy }, |
| 1832 |
if (ccs_str_starts(&data, CCS_KEYWORD_FILE_PATTERN)) |
{ CCS_KEYWORD_PATH_GROUP, ccs_write_path_group_policy }, |
| 1833 |
return ccs_write_pattern_policy(data, is_delete); |
{ CCS_KEYWORD_NUMBER_GROUP, ccs_write_number_group_policy }, |
| 1834 |
if (ccs_str_starts(&data, CCS_KEYWORD_PATH_GROUP)) |
{ CCS_KEYWORD_ADDRESS_GROUP, ccs_write_address_group_policy }, |
| 1835 |
return ccs_write_path_group_policy(data, is_delete); |
{ CCS_KEYWORD_DENY_REWRITE, ccs_write_no_rewrite_policy }, |
| 1836 |
if (ccs_str_starts(&data, CCS_KEYWORD_NUMBER_GROUP)) |
{ CCS_KEYWORD_DENY_AUTOBIND, ccs_write_reserved_port_policy } |
| 1837 |
return ccs_write_number_group_policy(data, is_delete); |
}; |
| 1838 |
if (ccs_str_starts(&data, CCS_KEYWORD_DENY_REWRITE)) |
for (i = 0; i < 13; i++) { |
| 1839 |
return ccs_write_no_rewrite_policy(data, is_delete); |
if (ccs_str_starts(&data, ccs_callback[i].keyword)) |
| 1840 |
if (ccs_str_starts(&data, CCS_KEYWORD_ADDRESS_GROUP)) |
return ccs_callback[i].write(data, is_delete, i < 2); |
| 1841 |
return ccs_write_address_group_policy(data, is_delete); |
} |
|
if (ccs_str_starts(&data, CCS_KEYWORD_DENY_AUTOBIND)) |
|
|
return ccs_write_reserved_port_policy(data, is_delete); |
|
| 1842 |
return -EINVAL; |
return -EINVAL; |
| 1843 |
} |
} |
| 1844 |
|
|
| 1931 |
struct ccs_domain_keeper_entry *ptr = |
struct ccs_domain_keeper_entry *ptr = |
| 1932 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1933 |
w[0] = ptr->is_not ? |
w[0] = ptr->is_not ? |
| 1934 |
"no_" CCS_KEYWORD_KEEP_DOMAIN : |
CCS_KEYWORD_NO_KEEP_DOMAIN : |
| 1935 |
CCS_KEYWORD_KEEP_DOMAIN; |
CCS_KEYWORD_KEEP_DOMAIN; |
| 1936 |
if (ptr->program) { |
if (ptr->program) { |
| 1937 |
w[1] = ptr->program->name; |
w[1] = ptr->program->name; |
| 1945 |
struct ccs_domain_initializer_entry *ptr = |
struct ccs_domain_initializer_entry *ptr = |
| 1946 |
container_of(acl, typeof(*ptr), head); |
container_of(acl, typeof(*ptr), head); |
| 1947 |
w[0] = ptr->is_not ? |
w[0] = ptr->is_not ? |
| 1948 |
"no_" CCS_KEYWORD_INITIALIZE_DOMAIN : |
CCS_KEYWORD_NO_INITIALIZE_DOMAIN : |
| 1949 |
CCS_KEYWORD_INITIALIZE_DOMAIN; |
CCS_KEYWORD_INITIALIZE_DOMAIN; |
| 1950 |
w[1] = ptr->program->name; |
w[1] = ptr->program->name; |
| 1951 |
if (ptr->domainname) { |
if (ptr->domainname) { |
TOMOYO
Parent Directory
Revision Log
Patch