5 |
* |
* |
6 |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
7 |
* |
* |
8 |
* Version: 1.6.0-pre 2008/03/24 |
* Version: 1.6.1 2008/06/05 |
9 |
* |
* |
10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
11 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
41 |
*/ |
*/ |
42 |
static int update_chroot_acl(const char *dir, const bool is_delete) |
static int update_chroot_acl(const char *dir, const bool is_delete) |
43 |
{ |
{ |
44 |
struct chroot_entry *new_entry, *ptr; |
struct chroot_entry *new_entry; |
45 |
|
struct chroot_entry *ptr; |
46 |
const struct path_info *saved_dir; |
const struct path_info *saved_dir; |
47 |
static DEFINE_MUTEX(lock); |
static DEFINE_MUTEX(lock); |
48 |
int error = -ENOMEM; |
int error = -ENOMEM; |
53 |
return -ENOMEM; |
return -ENOMEM; |
54 |
mutex_lock(&lock); |
mutex_lock(&lock); |
55 |
list1_for_each_entry(ptr, &chroot_list, list) { |
list1_for_each_entry(ptr, &chroot_list, list) { |
56 |
if (ptr->dir == saved_dir) { |
if (ptr->dir != saved_dir) |
57 |
ptr->is_deleted = is_delete; |
continue; |
58 |
error = 0; |
ptr->is_deleted = is_delete; |
59 |
goto out; |
error = 0; |
60 |
} |
goto out; |
61 |
} |
} |
62 |
if (is_delete) { |
if (is_delete) { |
63 |
error = -ENOENT; |
error = -ENOENT; |
72 |
printk(KERN_CONT "%sAllow chroot() to %s\n", ccs_log_level, dir); |
printk(KERN_CONT "%sAllow chroot() to %s\n", ccs_log_level, dir); |
73 |
out: |
out: |
74 |
mutex_unlock(&lock); |
mutex_unlock(&lock); |
75 |
|
ccs_update_counter(CCS_UPDATES_COUNTER_SYSTEM_POLICY); |
76 |
return error; |
return error; |
77 |
} |
} |
78 |
|
|
81 |
* |
* |
82 |
* @root_name: Requested directory name. |
* @root_name: Requested directory name. |
83 |
* @mode: Access control mode. |
* @mode: Access control mode. |
|
* @error: Error value. |
|
84 |
* |
* |
85 |
* Returns 0 if @mode is not enforcing mode or permitted by the administrator's |
* Returns 0 if @mode is not enforcing mode or permitted by the administrator's |
86 |
* decision, negative value otherwise. |
* decision, negative value otherwise. |
87 |
*/ |
*/ |
88 |
static int print_error(const char *root_name, const u8 mode, int error) |
static int print_error(const char *root_name, const u8 mode) |
89 |
{ |
{ |
90 |
|
int error; |
91 |
const bool is_enforce = (mode == 3); |
const bool is_enforce = (mode == 3); |
92 |
const char *exename = ccs_get_exe(); |
const char *exename = ccs_get_exe(); |
93 |
printk(KERN_WARNING "SAKURA-%s: chroot %s (pid=%d:exe=%s): " |
printk(KERN_WARNING "SAKURA-%s: chroot %s (pid=%d:exe=%s): " |
94 |
"Permission denied.\n", ccs_get_msg(is_enforce), |
"Permission denied.\n", ccs_get_msg(is_enforce), |
95 |
root_name, current->pid, exename); |
root_name, current->pid, exename); |
96 |
if (is_enforce && |
if (is_enforce) |
97 |
ccs_check_supervisor("# %s is requesting\n" |
error = ccs_check_supervisor(NULL, "# %s is requesting\n" |
98 |
"chroot %s\n", exename, root_name) == 0) |
"chroot %s\n", exename, root_name); |
99 |
|
else |
100 |
error = 0; |
error = 0; |
101 |
if (exename) |
if (exename) |
102 |
ccs_free(exename); |
ccs_free(exename); |
103 |
if (mode == 1 && root_name) { |
if (mode == 1 && root_name) |
104 |
update_chroot_acl(root_name, 0); |
update_chroot_acl(root_name, false); |
|
ccs_update_counter(CCS_UPDATES_COUNTER_SYSTEM_POLICY); |
|
|
} |
|
|
if (!is_enforce) |
|
|
error = 0; |
|
105 |
return error; |
return error; |
106 |
} |
} |
107 |
|
|
133 |
list1_for_each_entry(ptr, &chroot_list, list) { |
list1_for_each_entry(ptr, &chroot_list, list) { |
134 |
if (ptr->is_deleted) |
if (ptr->is_deleted) |
135 |
continue; |
continue; |
136 |
if (ccs_path_matches_pattern(&dir, ptr->dir)) { |
if (!ccs_path_matches_pattern(&dir, ptr->dir)) |
137 |
error = 0; |
continue; |
138 |
break; |
error = 0; |
139 |
} |
break; |
140 |
} |
} |
141 |
} |
} |
142 |
} |
} |
143 |
if (error) |
if (error) |
144 |
error = print_error(root_name, mode, error); |
error = print_error(root_name, mode); |
145 |
ccs_free(root_name); |
ccs_free(root_name); |
146 |
return error; |
return error; |
147 |
} |
} |