| 460 |
/* The list for "struct condition_list". */ |
/* The list for "struct condition_list". */ |
| 461 |
static LIST1_HEAD(condition_list); |
static LIST1_HEAD(condition_list); |
| 462 |
|
|
| 463 |
#define TASK_UID 0 |
enum conditions_index { |
| 464 |
#define TASK_EUID 1 |
TASK_UID, /* current->uid */ |
| 465 |
#define TASK_SUID 2 |
TASK_EUID, /* current->euid */ |
| 466 |
#define TASK_FSUID 3 |
TASK_SUID, /* current->suid */ |
| 467 |
#define TASK_GID 4 |
TASK_FSUID, /* current->fsuid */ |
| 468 |
#define TASK_EGID 5 |
TASK_GID, /* current->gid */ |
| 469 |
#define TASK_SGID 6 |
TASK_EGID, /* current->egid */ |
| 470 |
#define TASK_FSGID 7 |
TASK_SGID, /* current->sgid */ |
| 471 |
#define TASK_PID 8 |
TASK_FSGID, /* current->fsgid */ |
| 472 |
#define TASK_PPID 9 |
TASK_PID, /* sys_getpid() */ |
| 473 |
#define PATH1_UID 10 |
TASK_PPID, /* sys_getppid() */ |
| 474 |
#define PATH1_GID 11 |
EXEC_ARGC, /* "struct linux_binprm *"->argc */ |
| 475 |
#define PATH1_INO 12 |
EXEC_ENVC, /* "struct linux_binprm *"->envc */ |
| 476 |
#define PATH1_PARENT_UID 13 |
TASK_STATE_0, /* (u8) (current->tomoyo_flags >> 24) */ |
| 477 |
#define PATH1_PARENT_GID 14 |
TASK_STATE_1, /* (u8) (current->tomoyo_flags >> 16) */ |
| 478 |
#define PATH1_PARENT_INO 15 |
TASK_STATE_2, /* (u8) (task->tomoyo_flags >> 8) */ |
| 479 |
#define PATH2_PARENT_UID 16 |
TYPE_SOCKET, /* S_IFSOCK */ |
| 480 |
#define PATH2_PARENT_GID 17 |
TYPE_SYMLINK, /* S_IFLNK */ |
| 481 |
#define PATH2_PARENT_INO 18 |
TYPE_FILE, /* S_IFREG */ |
| 482 |
#define EXEC_ARGC 19 |
TYPE_BLOCK_DEV, /* S_IFBLK */ |
| 483 |
#define EXEC_ENVC 20 |
TYPE_DIRECTORY, /* S_IFDIR */ |
| 484 |
#define TASK_STATE_0 21 |
TYPE_CHAR_DEV, /* S_IFCHR */ |
| 485 |
#define TASK_STATE_1 22 |
TYPE_FIFO, /* S_IFIFO */ |
| 486 |
#define TASK_STATE_2 23 |
MODE_SETUID, /* S_ISUID */ |
| 487 |
#define MAX_KEYWORD 24 |
MODE_SETGID, /* S_ISGID */ |
| 488 |
|
MODE_STICKY, /* S_ISVTX */ |
| 489 |
static struct { |
MODE_OWNER_READ, /* S_IRUSR */ |
| 490 |
const char *keyword; |
MODE_OWNER_WRITE, /* S_IWUSR */ |
| 491 |
const int keyword_len; /* strlen(keyword) */ |
MODE_OWNER_EXECUTE, /* S_IXUSR */ |
| 492 |
} condition_control_keyword[MAX_KEYWORD] = { |
MODE_GROUP_READ, /* S_IRGRP */ |
| 493 |
[TASK_UID] = { "task.uid", 8 }, |
MODE_GROUP_WRITE, /* S_IWGRP */ |
| 494 |
[TASK_EUID] = { "task.euid", 9 }, |
MODE_GROUP_EXECUTE, /* S_IXGRP */ |
| 495 |
[TASK_SUID] = { "task.suid", 9 }, |
MODE_OTHERS_READ, /* S_IROTH */ |
| 496 |
[TASK_FSUID] = { "task.fsuid", 10 }, |
MODE_OTHERS_WRITE, /* S_IWOTH */ |
| 497 |
[TASK_GID] = { "task.gid", 8 }, |
MODE_OTHERS_EXECUTE, /* S_IXOTH */ |
| 498 |
[TASK_EGID] = { "task.egid", 9 }, |
TASK_TYPE, /* ((u8) task->tomoyo_flags) & |
| 499 |
[TASK_SGID] = { "task.sgid", 9 }, |
TOMOYO_TASK_IS_EXECUTE_HANDLER */ |
| 500 |
[TASK_FSGID] = { "task.fsgid", 10 }, |
TASK_EXECUTE_HANDLER, /* TOMOYO_TASK_IS_EXECUTE_HANDLER */ |
| 501 |
[TASK_PID] = { "task.pid", 8 }, |
PATH1_UID, |
| 502 |
[TASK_PPID] = { "task.ppid", 9 }, |
PATH1_GID, |
| 503 |
[PATH1_UID] = { "path1.uid", 9 }, |
PATH1_INO, |
| 504 |
[PATH1_GID] = { "path1.gid", 9 }, |
PATH1_PARENT_UID, |
| 505 |
[PATH1_INO] = { "path1.ino", 9 }, |
PATH1_PARENT_GID, |
| 506 |
[PATH1_PARENT_UID] = { "path1.parent.uid", 16 }, |
PATH1_PARENT_INO, |
| 507 |
[PATH1_PARENT_GID] = { "path1.parent.gid", 16 }, |
PATH2_PARENT_UID, |
| 508 |
[PATH1_PARENT_INO] = { "path1.parent.ino", 16 }, |
PATH2_PARENT_GID, |
| 509 |
[PATH2_PARENT_UID] = { "path2.parent.uid", 16 }, |
PATH2_PARENT_INO, |
| 510 |
[PATH2_PARENT_GID] = { "path2.parent.gid", 16 }, |
PATH1_TYPE, |
| 511 |
[PATH2_PARENT_INO] = { "path2.parent.ino", 16 }, |
PATH1_DEV_MAJOR, |
| 512 |
[EXEC_ARGC] = { "exec.argc", 9 }, |
PATH1_DEV_MINOR, |
| 513 |
[EXEC_ENVC] = { "exec.envc", 9 }, |
PATH1_MODE, |
| 514 |
[TASK_STATE_0] = { "task.state[0]", 13 }, |
PATH1_PARENT_MODE, |
| 515 |
[TASK_STATE_1] = { "task.state[1]", 13 }, |
PATH2_PARENT_MODE, |
| 516 |
[TASK_STATE_2] = { "task.state[2]", 13 }, |
MAX_KEYWORD |
| 517 |
|
}; |
| 518 |
|
|
| 519 |
|
static const char *condition_control_keyword[MAX_KEYWORD] = { |
| 520 |
|
[TASK_UID] = "task.uid", |
| 521 |
|
[TASK_EUID] = "task.euid", |
| 522 |
|
[TASK_SUID] = "task.suid", |
| 523 |
|
[TASK_FSUID] = "task.fsuid", |
| 524 |
|
[TASK_GID] = "task.gid", |
| 525 |
|
[TASK_EGID] = "task.egid", |
| 526 |
|
[TASK_SGID] = "task.sgid", |
| 527 |
|
[TASK_FSGID] = "task.fsgid", |
| 528 |
|
[TASK_PID] = "task.pid", |
| 529 |
|
[TASK_PPID] = "task.ppid", |
| 530 |
|
[EXEC_ARGC] = "exec.argc", |
| 531 |
|
[EXEC_ENVC] = "exec.envc", |
| 532 |
|
[TASK_STATE_0] = "task.state[0]", |
| 533 |
|
[TASK_STATE_1] = "task.state[1]", |
| 534 |
|
[TASK_STATE_2] = "task.state[2]", |
| 535 |
|
[TYPE_SOCKET] = "socket", |
| 536 |
|
[TYPE_SYMLINK] = "symlink", |
| 537 |
|
[TYPE_FILE] = "file", |
| 538 |
|
[TYPE_BLOCK_DEV] = "block", |
| 539 |
|
[TYPE_DIRECTORY] = "directory", |
| 540 |
|
[TYPE_CHAR_DEV] = "char", |
| 541 |
|
[TYPE_FIFO] = "fifo", |
| 542 |
|
[MODE_SETUID] = "setuid", |
| 543 |
|
[MODE_SETGID] = "setgid", |
| 544 |
|
[MODE_STICKY] = "sticky", |
| 545 |
|
[MODE_OWNER_READ] = "user_read", |
| 546 |
|
[MODE_OWNER_WRITE] = "user_write", |
| 547 |
|
[MODE_OWNER_EXECUTE] = "user_execute", |
| 548 |
|
[MODE_GROUP_READ] = "group_read", |
| 549 |
|
[MODE_GROUP_WRITE] = "group_write", |
| 550 |
|
[MODE_GROUP_EXECUTE] = "group_execute", |
| 551 |
|
[MODE_OTHERS_READ] = "others_read", |
| 552 |
|
[MODE_OTHERS_WRITE] = "others_write", |
| 553 |
|
[MODE_OTHERS_EXECUTE] = "others_execute", |
| 554 |
|
[TASK_TYPE] = "task.type", |
| 555 |
|
[TASK_EXECUTE_HANDLER] = "execute_handler", |
| 556 |
|
[PATH1_UID] = "path1.uid", |
| 557 |
|
[PATH1_GID] = "path1.gid", |
| 558 |
|
[PATH1_INO] = "path1.ino", |
| 559 |
|
[PATH1_PARENT_UID] = "path1.parent.uid", |
| 560 |
|
[PATH1_PARENT_GID] = "path1.parent.gid", |
| 561 |
|
[PATH1_PARENT_INO] = "path1.parent.ino", |
| 562 |
|
[PATH2_PARENT_UID] = "path2.parent.uid", |
| 563 |
|
[PATH2_PARENT_GID] = "path2.parent.gid", |
| 564 |
|
[PATH2_PARENT_INO] = "path2.parent.ino", |
| 565 |
|
[PATH1_TYPE] = "path1.type", |
| 566 |
|
[PATH1_DEV_MAJOR] = "path1.major", |
| 567 |
|
[PATH1_DEV_MINOR] = "path1.minor", |
| 568 |
|
[PATH1_MODE] = "path1.mode", |
| 569 |
|
[PATH1_PARENT_MODE] = "path1.parent.mode", |
| 570 |
|
[PATH2_PARENT_MODE] = "path2.parent.mode", |
| 571 |
}; |
}; |
| 572 |
|
|
| 573 |
/** |
/** |
| 688 |
u16 argc = 0; |
u16 argc = 0; |
| 689 |
u16 envc = 0; |
u16 envc = 0; |
| 690 |
u8 post_state[4] = { 0, 0, 0, 0 }; |
u8 post_state[4] = { 0, 0, 0, 0 }; |
| 691 |
|
/* Calculate at runtime. */ |
| 692 |
|
static u8 condition_control_keyword_len[MAX_KEYWORD]; |
| 693 |
|
if (!condition_control_keyword_len[MAX_KEYWORD - 1]) { |
| 694 |
|
for (i = 0; i < MAX_KEYWORD; i++) |
| 695 |
|
condition_control_keyword_len[i] |
| 696 |
|
= strlen(condition_control_keyword[i]); |
| 697 |
|
} |
| 698 |
if (!parse_post_condition(start, post_state)) |
if (!parse_post_condition(start, post_state)) |
| 699 |
goto out; |
goto out; |
| 700 |
start = condition; |
start = condition; |
| 722 |
} |
} |
| 723 |
for (left = 0; left < MAX_KEYWORD; left++) { |
for (left = 0; left < MAX_KEYWORD; left++) { |
| 724 |
const int len = |
const int len = |
| 725 |
condition_control_keyword[left].keyword_len; |
condition_control_keyword_len[left]; |
| 726 |
if (strncmp(start, |
if (strncmp(start, condition_control_keyword[left], |
|
condition_control_keyword[left].keyword, |
|
| 727 |
len)) |
len)) |
| 728 |
continue; |
continue; |
| 729 |
start += len; |
start += len; |
| 750 |
condc++; /* header */ |
condc++; /* header */ |
| 751 |
for (right = 0; right < MAX_KEYWORD; right++) { |
for (right = 0; right < MAX_KEYWORD; right++) { |
| 752 |
const int len = |
const int len = |
| 753 |
condition_control_keyword[right].keyword_len; |
condition_control_keyword_len[right]; |
| 754 |
if (strncmp(start, |
if (strncmp(start, condition_control_keyword[right], |
|
condition_control_keyword[right].keyword, |
|
| 755 |
len)) |
len)) |
| 756 |
continue; |
continue; |
| 757 |
start += len; |
start += len; |
| 830 |
} |
} |
| 831 |
for (left = 0; left < MAX_KEYWORD; left++) { |
for (left = 0; left < MAX_KEYWORD; left++) { |
| 832 |
const int len = |
const int len = |
| 833 |
condition_control_keyword[left].keyword_len; |
condition_control_keyword_len[left]; |
| 834 |
if (strncmp(start, |
if (strncmp(start, condition_control_keyword[left], |
|
condition_control_keyword[left].keyword, |
|
| 835 |
len)) |
len)) |
| 836 |
continue; |
continue; |
| 837 |
start += len; |
start += len; |
| 859 |
condc--; /* header */ |
condc--; /* header */ |
| 860 |
for (right = 0; right < MAX_KEYWORD; right++) { |
for (right = 0; right < MAX_KEYWORD; right++) { |
| 861 |
const int len = |
const int len = |
| 862 |
condition_control_keyword[right].keyword_len; |
condition_control_keyword_len[right]; |
| 863 |
if (strncmp(start, |
if (strncmp(start, condition_control_keyword[right], |
|
condition_control_keyword[right].keyword, |
|
| 864 |
len)) |
len)) |
| 865 |
continue; |
continue; |
| 866 |
start += len; |
start += len; |
| 999 |
obj->path1_stat.uid = stat.uid; |
obj->path1_stat.uid = stat.uid; |
| 1000 |
obj->path1_stat.gid = stat.gid; |
obj->path1_stat.gid = stat.gid; |
| 1001 |
obj->path1_stat.ino = stat.ino; |
obj->path1_stat.ino = stat.ino; |
| 1002 |
|
obj->path1_stat.rdev = stat.rdev; |
| 1003 |
obj->path1_valid = true; |
obj->path1_valid = true; |
| 1004 |
} |
} |
| 1005 |
} |
} |
| 1013 |
obj->path1_parent_stat.uid = stat.uid; |
obj->path1_parent_stat.uid = stat.uid; |
| 1014 |
obj->path1_parent_stat.gid = stat.gid; |
obj->path1_parent_stat.gid = stat.gid; |
| 1015 |
obj->path1_parent_stat.ino = stat.ino; |
obj->path1_parent_stat.ino = stat.ino; |
| 1016 |
|
obj->path1_parent_stat.rdev = stat.rdev; |
| 1017 |
obj->path1_parent_valid = true; |
obj->path1_parent_valid = true; |
| 1018 |
} |
} |
| 1019 |
} |
} |
| 1030 |
obj->path2_parent_stat.uid = stat.uid; |
obj->path2_parent_stat.uid = stat.uid; |
| 1031 |
obj->path2_parent_stat.gid = stat.gid; |
obj->path2_parent_stat.gid = stat.gid; |
| 1032 |
obj->path2_parent_stat.ino = stat.ino; |
obj->path2_parent_stat.ino = stat.ino; |
| 1033 |
|
obj->path2_parent_stat.rdev = stat.rdev; |
| 1034 |
obj->path2_parent_valid = true; |
obj->path2_parent_valid = true; |
| 1035 |
} |
} |
| 1036 |
} |
} |
| 1082 |
const bool match = (header >> 16) & 1; |
const bool match = (header >> 16) & 1; |
| 1083 |
const u8 left = header >> 8; |
const u8 left = header >> 8; |
| 1084 |
const u8 right = header; |
const u8 right = header; |
| 1085 |
|
bool left_is_bitop = false; |
| 1086 |
|
bool right_is_bitop = false; |
| 1087 |
|
u8 j; |
| 1088 |
ptr++; |
ptr++; |
| 1089 |
if ((left >= PATH1_UID && left < EXEC_ARGC) || |
for (j = 0; j < 2; j++) { |
| 1090 |
(right >= PATH1_UID && right < EXEC_ARGC)) { |
const u8 index = j ? right : left; |
| 1091 |
if (!obj) |
unsigned long min_v = 0; |
| 1092 |
goto out; |
unsigned long max_v = 0; |
| 1093 |
if (!obj->validate_done) { |
bool is_bitop = false; |
| 1094 |
get_attributes(obj); |
switch (index) { |
| 1095 |
obj->validate_done = true; |
case TASK_UID: |
| 1096 |
|
max_v = task->uid; |
| 1097 |
|
break; |
| 1098 |
|
case TASK_EUID: |
| 1099 |
|
max_v = task->euid; |
| 1100 |
|
break; |
| 1101 |
|
case TASK_SUID: |
| 1102 |
|
max_v = task->suid; |
| 1103 |
|
break; |
| 1104 |
|
case TASK_FSUID: |
| 1105 |
|
max_v = task->fsuid; |
| 1106 |
|
break; |
| 1107 |
|
case TASK_GID: |
| 1108 |
|
max_v = task->gid; |
| 1109 |
|
break; |
| 1110 |
|
case TASK_EGID: |
| 1111 |
|
max_v = task->egid; |
| 1112 |
|
break; |
| 1113 |
|
case TASK_SGID: |
| 1114 |
|
max_v = task->sgid; |
| 1115 |
|
break; |
| 1116 |
|
case TASK_FSGID: |
| 1117 |
|
max_v = task->fsgid; |
| 1118 |
|
break; |
| 1119 |
|
case TASK_PID: |
| 1120 |
|
max_v = sys_getpid(); |
| 1121 |
|
break; |
| 1122 |
|
case TASK_PPID: |
| 1123 |
|
max_v = sys_getppid(); |
| 1124 |
|
break; |
| 1125 |
|
case TYPE_SOCKET: |
| 1126 |
|
max_v = S_IFSOCK; |
| 1127 |
|
break; |
| 1128 |
|
case TYPE_SYMLINK: |
| 1129 |
|
max_v = S_IFLNK; |
| 1130 |
|
break; |
| 1131 |
|
case TYPE_FILE: |
| 1132 |
|
max_v = S_IFREG; |
| 1133 |
|
break; |
| 1134 |
|
case TYPE_BLOCK_DEV: |
| 1135 |
|
max_v = S_IFBLK; |
| 1136 |
|
break; |
| 1137 |
|
case TYPE_DIRECTORY: |
| 1138 |
|
max_v = S_IFDIR; |
| 1139 |
|
break; |
| 1140 |
|
case TYPE_CHAR_DEV: |
| 1141 |
|
max_v = S_IFCHR; |
| 1142 |
|
break; |
| 1143 |
|
case TYPE_FIFO: |
| 1144 |
|
max_v = S_IFIFO; |
| 1145 |
|
break; |
| 1146 |
|
case MODE_SETUID: |
| 1147 |
|
max_v = S_ISUID; |
| 1148 |
|
is_bitop = true; |
| 1149 |
|
break; |
| 1150 |
|
case MODE_SETGID: |
| 1151 |
|
max_v = S_ISGID; |
| 1152 |
|
is_bitop = true; |
| 1153 |
|
break; |
| 1154 |
|
case MODE_STICKY: |
| 1155 |
|
max_v = S_ISVTX; |
| 1156 |
|
is_bitop = true; |
| 1157 |
|
break; |
| 1158 |
|
case MODE_OWNER_READ: |
| 1159 |
|
max_v = S_IRUSR; |
| 1160 |
|
is_bitop = true; |
| 1161 |
|
break; |
| 1162 |
|
case MODE_OWNER_WRITE: |
| 1163 |
|
max_v = S_IWUSR; |
| 1164 |
|
is_bitop = true; |
| 1165 |
|
break; |
| 1166 |
|
case MODE_OWNER_EXECUTE: |
| 1167 |
|
max_v = S_IXUSR; |
| 1168 |
|
is_bitop = true; |
| 1169 |
|
break; |
| 1170 |
|
case MODE_GROUP_READ: |
| 1171 |
|
max_v = S_IRGRP; |
| 1172 |
|
is_bitop = true; |
| 1173 |
|
break; |
| 1174 |
|
case MODE_GROUP_WRITE: |
| 1175 |
|
max_v = S_IWGRP; |
| 1176 |
|
is_bitop = true; |
| 1177 |
|
break; |
| 1178 |
|
case MODE_GROUP_EXECUTE: |
| 1179 |
|
max_v = S_IXGRP; |
| 1180 |
|
is_bitop = true; |
| 1181 |
|
break; |
| 1182 |
|
case MODE_OTHERS_READ: |
| 1183 |
|
max_v = S_IROTH; |
| 1184 |
|
is_bitop = true; |
| 1185 |
|
break; |
| 1186 |
|
case MODE_OTHERS_WRITE: |
| 1187 |
|
max_v = S_IWOTH; |
| 1188 |
|
is_bitop = true; |
| 1189 |
|
break; |
| 1190 |
|
case MODE_OTHERS_EXECUTE: |
| 1191 |
|
max_v = S_IXOTH; |
| 1192 |
|
is_bitop = true; |
| 1193 |
|
break; |
| 1194 |
|
case EXEC_ARGC: |
| 1195 |
|
if (!bprm) |
| 1196 |
|
goto out; |
| 1197 |
|
max_v = bprm->argc; |
| 1198 |
|
i++; |
| 1199 |
|
break; |
| 1200 |
|
case EXEC_ENVC: |
| 1201 |
|
if (!bprm) |
| 1202 |
|
goto out; |
| 1203 |
|
max_v = bprm->envc; |
| 1204 |
|
i++; |
| 1205 |
|
break; |
| 1206 |
|
case TASK_STATE_0: |
| 1207 |
|
max_v = (u8) (task->tomoyo_flags >> 24); |
| 1208 |
|
break; |
| 1209 |
|
case TASK_STATE_1: |
| 1210 |
|
max_v = (u8) (task->tomoyo_flags >> 16); |
| 1211 |
|
break; |
| 1212 |
|
case TASK_STATE_2: |
| 1213 |
|
max_v = (u8) (task->tomoyo_flags >> 8); |
| 1214 |
|
break; |
| 1215 |
|
case TASK_TYPE: |
| 1216 |
|
max_v = ((u8) task->tomoyo_flags) |
| 1217 |
|
& TOMOYO_TASK_IS_EXECUTE_HANDLER; |
| 1218 |
|
break; |
| 1219 |
|
case TASK_EXECUTE_HANDLER: |
| 1220 |
|
max_v = TOMOYO_TASK_IS_EXECUTE_HANDLER; |
| 1221 |
|
break; |
| 1222 |
|
case MAX_KEYWORD: |
| 1223 |
|
max_v = *ptr; |
| 1224 |
|
ptr++; |
| 1225 |
|
i++; |
| 1226 |
|
break; |
| 1227 |
|
case MAX_KEYWORD + 1: |
| 1228 |
|
min_v = *ptr; |
| 1229 |
|
ptr++; |
| 1230 |
|
max_v = *ptr; |
| 1231 |
|
ptr++; |
| 1232 |
|
i += 2; |
| 1233 |
|
break; |
| 1234 |
|
default: |
| 1235 |
|
if (!obj) |
| 1236 |
|
goto out; |
| 1237 |
|
if (!obj->validate_done) { |
| 1238 |
|
get_attributes(obj); |
| 1239 |
|
obj->validate_done = true; |
| 1240 |
|
} |
| 1241 |
|
switch (index) { |
| 1242 |
|
case PATH1_UID: |
| 1243 |
|
if (!obj->path1_valid) |
| 1244 |
|
goto out; |
| 1245 |
|
max_v = obj->path1_stat.uid; |
| 1246 |
|
break; |
| 1247 |
|
case PATH1_GID: |
| 1248 |
|
if (!obj->path1_valid) |
| 1249 |
|
goto out; |
| 1250 |
|
max_v = obj->path1_stat.gid; |
| 1251 |
|
break; |
| 1252 |
|
case PATH1_INO: |
| 1253 |
|
if (!obj->path1_valid) |
| 1254 |
|
goto out; |
| 1255 |
|
max_v = obj->path1_stat.ino; |
| 1256 |
|
break; |
| 1257 |
|
case PATH1_PARENT_UID: |
| 1258 |
|
if (!obj->path1_parent_valid) |
| 1259 |
|
goto out; |
| 1260 |
|
max_v = obj->path1_parent_stat.uid; |
| 1261 |
|
break; |
| 1262 |
|
case PATH1_PARENT_GID: |
| 1263 |
|
if (!obj->path1_parent_valid) |
| 1264 |
|
goto out; |
| 1265 |
|
max_v = obj->path1_parent_stat.gid; |
| 1266 |
|
break; |
| 1267 |
|
case PATH1_PARENT_INO: |
| 1268 |
|
if (!obj->path1_parent_valid) |
| 1269 |
|
goto out; |
| 1270 |
|
max_v = obj->path1_parent_stat.ino; |
| 1271 |
|
break; |
| 1272 |
|
case PATH2_PARENT_UID: |
| 1273 |
|
if (!obj->path2_parent_valid) |
| 1274 |
|
goto out; |
| 1275 |
|
max_v = obj->path2_parent_stat.uid; |
| 1276 |
|
break; |
| 1277 |
|
case PATH2_PARENT_GID: |
| 1278 |
|
if (!obj->path2_parent_valid) |
| 1279 |
|
goto out; |
| 1280 |
|
max_v = obj->path2_parent_stat.gid; |
| 1281 |
|
break; |
| 1282 |
|
case PATH2_PARENT_INO: |
| 1283 |
|
if (!obj->path2_parent_valid) |
| 1284 |
|
goto out; |
| 1285 |
|
max_v = obj->path2_parent_stat.ino; |
| 1286 |
|
break; |
| 1287 |
|
case PATH1_TYPE: |
| 1288 |
|
if (!obj->path1_valid) |
| 1289 |
|
goto out; |
| 1290 |
|
max_v = obj->path1_stat.mode & S_IFMT; |
| 1291 |
|
break; |
| 1292 |
|
case PATH1_DEV_MAJOR: |
| 1293 |
|
if (!obj->path1_valid) |
| 1294 |
|
goto out; |
| 1295 |
|
max_v = MAJOR(obj->path1_stat.rdev); |
| 1296 |
|
break; |
| 1297 |
|
case PATH1_DEV_MINOR: |
| 1298 |
|
if (!obj->path1_valid) |
| 1299 |
|
goto out; |
| 1300 |
|
max_v = MINOR(obj->path1_stat.rdev); |
| 1301 |
|
break; |
| 1302 |
|
case PATH1_MODE: |
| 1303 |
|
if (!obj->path1_valid) |
| 1304 |
|
goto out; |
| 1305 |
|
max_v = obj->path1_stat.mode |
| 1306 |
|
& S_IALLUGO; |
| 1307 |
|
break; |
| 1308 |
|
case PATH1_PARENT_MODE: |
| 1309 |
|
if (!obj->path1_parent_valid) |
| 1310 |
|
goto out; |
| 1311 |
|
max_v = obj->path1_parent_stat.mode |
| 1312 |
|
& S_IALLUGO; |
| 1313 |
|
break; |
| 1314 |
|
case PATH2_PARENT_MODE: |
| 1315 |
|
if (!obj->path2_parent_valid) |
| 1316 |
|
goto out; |
| 1317 |
|
max_v = obj->path2_parent_stat.mode |
| 1318 |
|
& S_IALLUGO; |
| 1319 |
|
break; |
| 1320 |
|
} |
| 1321 |
|
break; |
| 1322 |
|
} |
| 1323 |
|
if (index != MAX_KEYWORD + 1) |
| 1324 |
|
min_v = max_v; |
| 1325 |
|
if (j) { |
| 1326 |
|
right_max = max_v; |
| 1327 |
|
right_min = min_v; |
| 1328 |
|
right_is_bitop = is_bitop; |
| 1329 |
|
} else { |
| 1330 |
|
left_max = max_v; |
| 1331 |
|
left_min = min_v; |
| 1332 |
|
left_is_bitop = is_bitop; |
| 1333 |
} |
} |
| 1334 |
} |
} |
| 1335 |
switch (left) { |
/* |
| 1336 |
case TASK_UID: |
* Bit operation is valid only when counterpart value |
| 1337 |
left_max = task->uid; |
* represents permission. |
| 1338 |
break; |
*/ |
| 1339 |
case TASK_EUID: |
if (left_is_bitop && right_is_bitop) |
| 1340 |
left_max = task->euid; |
goto out; |
| 1341 |
break; |
if (left_is_bitop) { |
| 1342 |
case TASK_SUID: |
if (right == PATH1_MODE || right == PATH1_PARENT_MODE |
| 1343 |
left_max = task->suid; |
|| right == PATH2_PARENT_MODE) { |
| 1344 |
break; |
if (match) { |
| 1345 |
case TASK_FSUID: |
if ((right_max & left_max)) |
| 1346 |
left_max = task->fsuid; |
continue; |
| 1347 |
break; |
} else { |
| 1348 |
case TASK_GID: |
if (!(right_max & left_max)) |
| 1349 |
left_max = task->gid; |
continue; |
| 1350 |
break; |
} |
| 1351 |
case TASK_EGID: |
} |
| 1352 |
left_max = task->egid; |
goto out; |
|
break; |
|
|
case TASK_SGID: |
|
|
left_max = task->sgid; |
|
|
break; |
|
|
case TASK_FSGID: |
|
|
left_max = task->fsgid; |
|
|
break; |
|
|
case TASK_PID: |
|
|
left_max = sys_getpid(); |
|
|
break; |
|
|
case TASK_PPID: |
|
|
left_max = sys_getppid(); |
|
|
break; |
|
|
case PATH1_UID: |
|
|
if (!obj->path1_valid) |
|
|
goto out; |
|
|
left_max = obj->path1_stat.uid; |
|
|
break; |
|
|
case PATH1_GID: |
|
|
if (!obj->path1_valid) |
|
|
goto out; |
|
|
left_max = obj->path1_stat.gid; |
|
|
break; |
|
|
case PATH1_INO: |
|
|
if (!obj->path1_valid) |
|
|
goto out; |
|
|
left_max = obj->path1_stat.ino; |
|
|
break; |
|
|
case PATH1_PARENT_UID: |
|
|
if (!obj->path1_parent_valid) |
|
|
goto out; |
|
|
left_max = obj->path1_parent_stat.uid; |
|
|
break; |
|
|
case PATH1_PARENT_GID: |
|
|
if (!obj->path1_parent_valid) |
|
|
goto out; |
|
|
left_max = obj->path1_parent_stat.gid; |
|
|
break; |
|
|
case PATH1_PARENT_INO: |
|
|
if (!obj->path1_parent_valid) |
|
|
goto out; |
|
|
left_max = obj->path1_parent_stat.ino; |
|
|
break; |
|
|
case PATH2_PARENT_UID: |
|
|
if (!obj->path2_parent_valid) |
|
|
goto out; |
|
|
left_max = obj->path2_parent_stat.uid; |
|
|
break; |
|
|
case PATH2_PARENT_GID: |
|
|
if (!obj->path2_parent_valid) |
|
|
goto out; |
|
|
left_max = obj->path2_parent_stat.gid; |
|
|
break; |
|
|
case PATH2_PARENT_INO: |
|
|
if (!obj->path2_parent_valid) |
|
|
goto out; |
|
|
left_max = obj->path2_parent_stat.ino; |
|
|
break; |
|
|
case EXEC_ARGC: |
|
|
if (!bprm) |
|
|
goto out; |
|
|
left_max = bprm->argc; |
|
|
i++; |
|
|
break; |
|
|
case EXEC_ENVC: |
|
|
if (!bprm) |
|
|
goto out; |
|
|
left_max = bprm->envc; |
|
|
i++; |
|
|
break; |
|
|
case TASK_STATE_0: |
|
|
left_max = (u8) (task->tomoyo_flags >> 24); |
|
|
break; |
|
|
case TASK_STATE_1: |
|
|
left_max = (u8) (task->tomoyo_flags >> 16); |
|
|
break; |
|
|
case TASK_STATE_2: |
|
|
left_max = (u8) (task->tomoyo_flags >> 8); |
|
|
break; |
|
|
case MAX_KEYWORD: |
|
|
left_max = *ptr; |
|
|
ptr++; |
|
|
i++; |
|
|
break; |
|
|
case MAX_KEYWORD + 1: |
|
|
left_min = *ptr; |
|
|
ptr++; |
|
|
left_max = *ptr; |
|
|
ptr++; |
|
|
i += 2; |
|
|
break; |
|
| 1353 |
} |
} |
| 1354 |
if (left != MAX_KEYWORD + 1) |
if (right_is_bitop) { |
| 1355 |
left_min = left_max; |
if (left == PATH1_MODE || left == PATH1_PARENT_MODE |
| 1356 |
switch (right) { |
|| left == PATH2_PARENT_MODE) { |
| 1357 |
case TASK_UID: |
if (match) { |
| 1358 |
right_max = task->uid; |
if ((left_max & right_max)) |
| 1359 |
break; |
continue; |
| 1360 |
case TASK_EUID: |
} else { |
| 1361 |
right_max = task->euid; |
if (!(left_max & right_max)) |
| 1362 |
break; |
continue; |
| 1363 |
case TASK_SUID: |
} |
| 1364 |
right_max = task->suid; |
} |
| 1365 |
break; |
goto out; |
|
case TASK_FSUID: |
|
|
right_max = task->fsuid; |
|
|
break; |
|
|
case TASK_GID: |
|
|
right_max = task->gid; |
|
|
break; |
|
|
case TASK_EGID: |
|
|
right_max = task->egid; |
|
|
break; |
|
|
case TASK_SGID: |
|
|
right_max = task->sgid; |
|
|
break; |
|
|
case TASK_FSGID: |
|
|
right_max = task->fsgid; |
|
|
break; |
|
|
case TASK_PID: |
|
|
right_max = sys_getpid(); |
|
|
break; |
|
|
case TASK_PPID: |
|
|
right_max = sys_getppid(); |
|
|
break; |
|
|
case PATH1_UID: |
|
|
if (!obj->path1_valid) |
|
|
goto out; |
|
|
right_max = obj->path1_stat.uid; |
|
|
break; |
|
|
case PATH1_GID: |
|
|
if (!obj->path1_valid) |
|
|
goto out; |
|
|
right_max = obj->path1_stat.gid; |
|
|
break; |
|
|
case PATH1_INO: |
|
|
if (!obj->path1_valid) |
|
|
goto out; |
|
|
right_max = obj->path1_stat.ino; |
|
|
break; |
|
|
case PATH1_PARENT_UID: |
|
|
if (!obj->path1_parent_valid) |
|
|
goto out; |
|
|
right_max = obj->path1_parent_stat.uid; |
|
|
break; |
|
|
case PATH1_PARENT_GID: |
|
|
if (!obj->path1_parent_valid) |
|
|
goto out; |
|
|
right_max = obj->path1_parent_stat.gid; |
|
|
break; |
|
|
case PATH1_PARENT_INO: |
|
|
if (!obj->path1_parent_valid) |
|
|
goto out; |
|
|
right_max = obj->path1_parent_stat.ino; |
|
|
break; |
|
|
case PATH2_PARENT_UID: |
|
|
if (!obj->path2_parent_valid) |
|
|
goto out; |
|
|
right_max = obj->path2_parent_stat.uid; |
|
|
break; |
|
|
case PATH2_PARENT_GID: |
|
|
if (!obj->path2_parent_valid) |
|
|
goto out; |
|
|
right_max = obj->path2_parent_stat.gid; |
|
|
break; |
|
|
case PATH2_PARENT_INO: |
|
|
if (!obj->path2_parent_valid) |
|
|
goto out; |
|
|
right_max = obj->path2_parent_stat.ino; |
|
|
break; |
|
|
case EXEC_ARGC: |
|
|
if (!bprm) |
|
|
goto out; |
|
|
right_max = bprm->argc; |
|
|
i++; |
|
|
break; |
|
|
case EXEC_ENVC: |
|
|
if (!bprm) |
|
|
goto out; |
|
|
right_max = bprm->envc; |
|
|
i++; |
|
|
break; |
|
|
case TASK_STATE_0: |
|
|
right_max = (u8) (task->tomoyo_flags >> 24); |
|
|
break; |
|
|
case TASK_STATE_1: |
|
|
right_max = (u8) (task->tomoyo_flags >> 16); |
|
|
break; |
|
|
case TASK_STATE_2: |
|
|
right_max = (u8) (task->tomoyo_flags >> 8); |
|
|
break; |
|
|
case MAX_KEYWORD: |
|
|
right_max = *ptr; |
|
|
ptr++; |
|
|
i++; |
|
|
break; |
|
|
case MAX_KEYWORD + 1: |
|
|
right_min = *ptr; |
|
|
ptr++; |
|
|
right_max = *ptr; |
|
|
ptr++; |
|
|
i += 2; |
|
|
break; |
|
| 1366 |
} |
} |
| 1367 |
if (right != MAX_KEYWORD + 1) |
/* Normal value range comparison. */ |
|
right_min = right_max; |
|
| 1368 |
if (match) { |
if (match) { |
| 1369 |
if (left_min <= right_max && left_max >= right_min) |
if (left_min <= right_max && left_max >= right_min) |
| 1370 |
continue; |
continue; |
| 1422 |
if (!ccs_io_printf(head, "%s", i ? " " : " if ")) |
if (!ccs_io_printf(head, "%s", i ? " " : " if ")) |
| 1423 |
goto out; |
goto out; |
| 1424 |
if (left < MAX_KEYWORD) { |
if (left < MAX_KEYWORD) { |
| 1425 |
const char *keyword |
const char *keyword = condition_control_keyword[left]; |
|
= condition_control_keyword[left].keyword; |
|
| 1426 |
if (!ccs_io_printf(head, "%s", keyword)) |
if (!ccs_io_printf(head, "%s", keyword)) |
| 1427 |
goto out; |
goto out; |
| 1428 |
goto print_operator; |
goto print_operator; |
| 1443 |
if (!ccs_io_printf(head, "%s", match ? "=" : "!=")) |
if (!ccs_io_printf(head, "%s", match ? "=" : "!=")) |
| 1444 |
goto out; |
goto out; |
| 1445 |
if (right < MAX_KEYWORD) { |
if (right < MAX_KEYWORD) { |
| 1446 |
const char *keyword |
const char *keyword = condition_control_keyword[right]; |
|
= condition_control_keyword[right].keyword; |
|
| 1447 |
if (!ccs_io_printf(head, "%s", keyword)) |
if (!ccs_io_printf(head, "%s", keyword)) |
| 1448 |
goto out; |
goto out; |
| 1449 |
continue; |
continue; |
| 1506 |
out: |
out: |
| 1507 |
return false; |
return false; |
| 1508 |
} |
} |
| 1509 |
|
|
| 1510 |
|
/** |
| 1511 |
|
* ccs_handler_cond - Create conditional part for execute_handler process. |
| 1512 |
|
* |
| 1513 |
|
* Returns pointer to "struct condition_list" if current process is an |
| 1514 |
|
* execute handler, NULL otherwise. |
| 1515 |
|
*/ |
| 1516 |
|
const struct condition_list *ccs_handler_cond(void) |
| 1517 |
|
{ |
| 1518 |
|
static const struct condition_list *cond; |
| 1519 |
|
if (!(current->tomoyo_flags & TOMOYO_TASK_IS_EXECUTE_HANDLER)) |
| 1520 |
|
return NULL; |
| 1521 |
|
if (!cond) { |
| 1522 |
|
static u8 counter = 20; |
| 1523 |
|
const char *str = "if task.type=execute_handler"; |
| 1524 |
|
const int len = strlen(str) + 1; |
| 1525 |
|
char *tmp = kzalloc(len, GFP_KERNEL); |
| 1526 |
|
if (tmp) { |
| 1527 |
|
memmove(tmp, str, len); |
| 1528 |
|
cond = ccs_find_or_assign_new_condition(tmp); |
| 1529 |
|
kfree(tmp); |
| 1530 |
|
} |
| 1531 |
|
if (!cond && counter) { |
| 1532 |
|
counter--; |
| 1533 |
|
printk(KERN_WARNING "TOMOYO-WARNING: Failed to create " |
| 1534 |
|
"condition for execute_handler.\n"); |
| 1535 |
|
} |
| 1536 |
|
} |
| 1537 |
|
return cond; |
| 1538 |
|
} |
TOMOYO
Parent Directory
Revision Log
Patch