5 |
* |
* |
6 |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
7 |
* |
* |
8 |
* Version: 1.6.1 2008/06/05 |
* Version: 1.6.5-rc 2008/11/05 |
9 |
* |
* |
10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
11 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
79 |
/** |
/** |
80 |
* print_error - Print error message. |
* print_error - Print error message. |
81 |
* |
* |
82 |
|
* @r: Pointer to "struct ccs_request_info". |
83 |
* @root_name: Requested directory name. |
* @root_name: Requested directory name. |
|
* @mode: Access control mode. |
|
84 |
* |
* |
85 |
* Returns 0 if @mode is not enforcing mode or permitted by the administrator's |
* Returns 0 if @r->mode is not enforcing mode or permitted by the |
86 |
* decision, negative value otherwise. |
* administrator's decision, negative value otherwise. |
87 |
*/ |
*/ |
88 |
static int print_error(const char *root_name, const u8 mode) |
static int print_error(struct ccs_request_info *r, const char *root_name) |
89 |
{ |
{ |
90 |
int error; |
int error; |
91 |
const bool is_enforce = (mode == 3); |
const bool is_enforce = (r->mode == 3); |
92 |
const char *exename = ccs_get_exe(); |
const char *exename = ccs_get_exe(); |
93 |
printk(KERN_WARNING "SAKURA-%s: chroot %s (pid=%d:exe=%s): " |
printk(KERN_WARNING "SAKURA-%s: chroot %s (pid=%d:exe=%s): " |
94 |
"Permission denied.\n", ccs_get_msg(is_enforce), |
"Permission denied.\n", ccs_get_msg(is_enforce), |
95 |
root_name, current->pid, exename); |
root_name, (pid_t) sys_getpid(), exename); |
96 |
if (is_enforce) |
if (is_enforce) |
97 |
error = ccs_check_supervisor(NULL, "# %s is requesting\n" |
error = ccs_check_supervisor(r, |
98 |
"chroot %s\n", exename, root_name); |
"# %s is requesting\nchroot %s\n", |
99 |
|
exename, root_name); |
100 |
else |
else |
101 |
error = 0; |
error = 0; |
102 |
if (exename) |
if (exename) |
103 |
ccs_free(exename); |
ccs_free(exename); |
104 |
if (mode == 1 && root_name) |
if (r->mode == 1 && root_name) |
105 |
update_chroot_acl(root_name, false); |
update_chroot_acl(root_name, false); |
106 |
return error; |
return error; |
107 |
} |
} |
108 |
|
|
109 |
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27) |
110 |
|
#define PATH_or_NAMEIDATA path |
111 |
|
#else |
112 |
|
#define PATH_or_NAMEIDATA nameidata |
113 |
|
#endif |
114 |
/** |
/** |
115 |
* ccs_check_chroot_permission - Check permission for chroot(). |
* ccs_check_chroot_permission - Check permission for chroot(). |
116 |
* |
* |
117 |
* @nd: Pointer to "struct nameidata". |
* @path: Pointer to "struct path" (for 2.6.27 and later). |
118 |
|
* Pointer to "struct nameidata" (for 2.6.26 and earlier). |
119 |
* |
* |
120 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
121 |
*/ |
*/ |
122 |
int ccs_check_chroot_permission(struct nameidata *nd) |
int ccs_check_chroot_permission(struct PATH_or_NAMEIDATA *path) |
123 |
{ |
{ |
124 |
int error = -EPERM; |
struct ccs_request_info r; |
125 |
|
int error; |
126 |
char *root_name; |
char *root_name; |
127 |
const u8 mode = ccs_check_flags(CCS_SAKURA_RESTRICT_CHROOT); |
if (!ccs_can_sleep()) |
128 |
if (!mode) |
return 0; |
129 |
|
ccs_init_request_info(&r, NULL, CCS_SAKURA_RESTRICT_CHROOT); |
130 |
|
if (!r.mode) |
131 |
return 0; |
return 0; |
132 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) |
retry: |
133 |
root_name = ccs_realpath_from_dentry(nd->path.dentry, nd->path.mnt); |
error = -EPERM; |
134 |
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) && LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 26) |
135 |
|
root_name = ccs_realpath_from_dentry(path->path.dentry, path->path.mnt); |
136 |
#else |
#else |
137 |
root_name = ccs_realpath_from_dentry(nd->dentry, nd->mnt); |
root_name = ccs_realpath_from_dentry(path->dentry, path->mnt); |
138 |
#endif |
#endif |
139 |
if (root_name) { |
if (root_name) { |
140 |
struct path_info dir; |
struct path_info dir; |
153 |
} |
} |
154 |
} |
} |
155 |
if (error) |
if (error) |
156 |
error = print_error(root_name, mode); |
error = print_error(&r, root_name); |
157 |
ccs_free(root_name); |
ccs_free(root_name); |
158 |
|
if (error == 1) |
159 |
|
goto retry; |
160 |
return error; |
return error; |
161 |
} |
} |
162 |
|
|