オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/trunk/1.6.x/ccs-patch/fs/sakura_chroot.c

Annotation of /trunk/1.6.x/ccs-patch/fs/sakura_chroot.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 992 - (hide annotations) (download) (as text)
Mon Feb 18 01:40:06 2008 UTC (16 years, 3 months ago) by kumaneko
File MIME type: text/x-csrc
File size: 3321 byte(s) 
























1

kumaneko
111

/*








2

 
 

 * fs/sakura_chroot.c








3

 
 

 *








4

 
 

 * Implementation of the Domain-Free Mandatory Access Control.








5

 
 

 *













6

kumaneko
852

 * Copyright (C) 2005-2008  NTT DATA CORPORATION













7

kumaneko
111

 *













8

kumaneko
990

 * Version: 1.6.0-pre   2008/02/16













9

kumaneko
111

 *








10

 
 

 * This file is applicable to both 2.4.30 and 2.6.11 and later.








11

 
 

 * See README.ccs for ChangeLog.








12

 
 

 *








13

 
 

 */








14

 
 

/***** SAKURA Linux start. *****/








15

 
 










16

 
 

#include <linux/ccs_common.h>








17

 
 

#include <linux/sakura.h>








18

 
 

#include <linux/realpath.h>













19

kumaneko
141

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,5,0)








20

 
 

#include <linux/namei.h>








21

 
 

#else








22

 
 

#include <linux/fs.h>








23

 
 

#endif













24

kumaneko
111










25

 
 

extern const char *ccs_log_level;








26

 
 










27

 
 

/***** The structure for chroot restrictions. *****/








28

 
 















29

kumaneko
214

struct chroot_entry {













30

kumaneko
722

        struct list1_head list;













31

kumaneko
111

        const struct path_info *dir;













32

kumaneko
621

        bool is_deleted;













33

kumaneko
214

};













34

kumaneko
111










35

 
 

/*************************  CHROOT RESTRICTION HANDLER  *************************/








36

 
 















37

kumaneko
722

static LIST1_HEAD(chroot_list);













38

kumaneko
111















39

kumaneko
621

static int AddChrootACL(const char *dir, const bool is_delete)













40

kumaneko
111

{













41

kumaneko
214

        struct chroot_entry *new_entry, *ptr;













42

kumaneko
111

        const struct path_info *saved_dir;













43

kumaneko
652

        static DEFINE_MUTEX(lock);













44

kumaneko
111

        int error = -ENOMEM;








45

 
 

        if (!IsCorrectPath(dir, 1, 0, 1, __FUNCTION__)) return -EINVAL;








46

 
 

        if ((saved_dir = SaveName(dir)) == NULL) return -ENOMEM;













47

kumaneko
652

        mutex_lock(&lock);













48

kumaneko
722

        list1_for_each_entry(ptr, &chroot_list, list) {













49

kumaneko
141

                if (ptr->dir == saved_dir) {













50

kumaneko
111

                        ptr->is_deleted = is_delete;








51

 
 

                        error = 0;








52

 
 

                        goto out;








53

 
 

                }








54

 
 

        }








55

 
 

        if (is_delete) {








56

 
 

                error = -ENOENT;








57

 
 

                goto out;








58

 
 

        }













59

kumaneko
214

        if ((new_entry = alloc_element(sizeof(*new_entry))) == NULL) goto out;













60

kumaneko
111

        new_entry->dir = saved_dir;













61

kumaneko
722

        list1_add_tail_mb(&new_entry->list, &chroot_list);













62

kumaneko
111

        error = 0;








63

 
 

        printk("%sAllow chroot() to %s\n", ccs_log_level, dir);








64

 
 

 out:













65

kumaneko
652

        mutex_unlock(&lock);













66

kumaneko
111

        return error;








67

 
 

}








68

 
 















69

kumaneko
141

int CheckChRootPermission(struct nameidata *nd)













70

kumaneko
111

{













71

kumaneko
141

        int error = -EPERM;








72

 
 

        char *root_name;













73

kumaneko
852

        const u8 mode = CheckCCSFlags(CCS_SAKURA_RESTRICT_CHROOT); 













74

kumaneko
815

        if (!mode) return 0;











75

kumaneko
992

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)













76

kumaneko
990

        root_name = realpath_from_dentry(nd->path.dentry, nd->path.mnt);








77

 
 

#else













78

kumaneko
141

        root_name = realpath_from_dentry(nd->dentry, nd->mnt);













79

kumaneko
990

#endif













80

kumaneko
141

        if (root_name) {













81

kumaneko
111

                struct path_info dir;













82

kumaneko
141

                dir.name = root_name;













83

kumaneko
111

                fill_path_info(&dir);








84

 
 

                if (dir.is_dir) {













85

kumaneko
214

                        struct chroot_entry *ptr;













86

kumaneko
722

                        list1_for_each_entry(ptr, &chroot_list, list) {













87

kumaneko
111

                                if (ptr->is_deleted) continue;








88

 
 

                                if (PathMatchesToPattern(&dir, ptr->dir)) {













89

kumaneko
141

                                        error = 0;













90

kumaneko
111

                                        break;








91

 
 

                                }








92

 
 

                        }








93

 
 

                }








94

 
 

        }













95

kumaneko
141

        if (error) {













96

kumaneko
815

                const bool is_enforce = (mode == 3);













97

kumaneko
141

                const char *exename = GetEXE();








98

 
 

                printk("SAKURA-%s: chroot %s (pid=%d:exe=%s): Permission denied.\n", GetMSG(is_enforce), root_name, current->pid, exename);








99

 
 

                if (is_enforce && CheckSupervisor("# %s is requesting\nchroot %s\n", exename, root_name) == 0) error = 0;













100

kumaneko
111

                if (exename) ccs_free(exename);













101

kumaneko
815

                if (mode == 1 && root_name) {













102

kumaneko
141

                        AddChrootACL(root_name, 0);













103

kumaneko
111

                        UpdateCounter(CCS_UPDATES_COUNTER_SYSTEM_POLICY);








104

 
 

                }













105

kumaneko
141

                if (!is_enforce) error = 0;













106

kumaneko
111

        }













107

kumaneko
141

        ccs_free(root_name);








108

 
 

        return error;













109

kumaneko
111

}








110

 
 















111

kumaneko
621

int AddChrootPolicy(char *data, const bool is_delete)













112

kumaneko
111

{








113

 
 

        return AddChrootACL(data, is_delete);








114

 
 

}








115

 
 















116

kumaneko
214

int ReadChrootPolicy(struct io_buffer *head)













117

kumaneko
111

{













118

kumaneko
722

        struct list1_head *pos;








119

 
 

        list1_for_each_cookie(pos, head->read_var2, &chroot_list) {













120

kumaneko
708

                struct chroot_entry *ptr;













121

kumaneko
722

                ptr = list1_entry(pos, struct chroot_entry, list);













122

kumaneko
708

                if (ptr->is_deleted) continue;








123

 
 

                if (io_printf(head, KEYWORD_ALLOW_CHROOT "%s\n", ptr->dir->name)) return -ENOMEM;













124

kumaneko
111

        }













125

kumaneko
708

        return 0;













126

kumaneko
111

}








127

 
 










128

 
 

/***** SAKURA Linux end. *****/




















Back to OSDN">Back to OSDN

ViewVC Help




Powered by ViewVC 1.1.26
 



















サイト情報





ソフトウェアを探す





ソフトウェアを作る





コミュニティ





ヘルプ