472 |
* @max_address: End of IPv4 or IPv6 address range. |
* @max_address: End of IPv4 or IPv6 address range. |
473 |
* @min_port: Start of port number range. |
* @min_port: Start of port number range. |
474 |
* @max_port: End of port number range. |
* @max_port: End of port number range. |
475 |
* @domain: Pointer to "struct domain_info". |
* @domain: Pointer to "struct ccs_domain_info". |
476 |
* @condition: Pointer to "struct ccs_condition_list". May be NULL. |
* @condition: Pointer to "struct ccs_condition_list". May be NULL. |
477 |
* @is_delete: True if it is a delete request. |
* @is_delete: True if it is a delete request. |
478 |
* |
* |
483 |
const u32 *min_address, |
const u32 *min_address, |
484 |
const u32 *max_address, |
const u32 *max_address, |
485 |
const u16 min_port, const u16 max_port, |
const u16 min_port, const u16 max_port, |
486 |
struct domain_info *domain, |
struct ccs_domain_info *domain, |
487 |
const struct ccs_condition_list *condition, |
const struct ccs_condition_list *condition, |
488 |
const bool is_delete) |
const bool is_delete) |
489 |
{ |
{ |
609 |
char buf[64]; |
char buf[64]; |
610 |
if (!ccs_can_sleep()) |
if (!ccs_can_sleep()) |
611 |
return 0; |
return 0; |
612 |
ccs_init_request_info(&r, NULL, CCS_TOMOYO_MAC_FOR_NETWORK); |
ccs_init_request_info(&r, NULL, CCS_MAC_FOR_NETWORK); |
613 |
is_enforce = (r.mode == 3); |
is_enforce = (r.mode == 3); |
614 |
if (!r.mode) |
if (!r.mode) |
615 |
return 0; |
return 0; |
674 |
* ccs_write_network_policy - Write "struct ccs_ip_network_acl_record" list. |
* ccs_write_network_policy - Write "struct ccs_ip_network_acl_record" list. |
675 |
* |
* |
676 |
* @data: String to parse. |
* @data: String to parse. |
677 |
* @domain: Pointer to "struct domain_info". |
* @domain: Pointer to "struct ccs_domain_info". |
678 |
* @condition: Pointer to "struct ccs_condition_list". May be NULL. |
* @condition: Pointer to "struct ccs_condition_list". May be NULL. |
679 |
* @is_delete: True if it is a delete request. |
* @is_delete: True if it is a delete request. |
680 |
* |
* |
681 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
682 |
*/ |
*/ |
683 |
int ccs_write_network_policy(char *data, struct domain_info *domain, |
int ccs_write_network_policy(char *data, struct ccs_domain_info *domain, |
684 |
const struct ccs_condition_list *condition, |
const struct ccs_condition_list *condition, |
685 |
const bool is_delete) |
const bool is_delete) |
686 |
{ |
{ |
863 |
const u16 port) |
const u16 port) |
864 |
{ |
{ |
865 |
int retval; |
int retval; |
866 |
current->tomoyo_flags |= CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
current->ccs_flags |= CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
867 |
retval = ccs_check_network_entry(is_ipv6, NETWORK_ACL_TCP_ACCEPT, |
retval = ccs_check_network_entry(is_ipv6, NETWORK_ACL_TCP_ACCEPT, |
868 |
(const u32 *) address, ntohs(port)); |
(const u32 *) address, ntohs(port)); |
869 |
current->tomoyo_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
current->ccs_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
870 |
return retval; |
return retval; |
871 |
} |
} |
872 |
|
|
913 |
const u8 operation |
const u8 operation |
914 |
= (sock_type == SOCK_DGRAM) ? |
= (sock_type == SOCK_DGRAM) ? |
915 |
NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT; |
NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT; |
916 |
current->tomoyo_flags |= CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
current->ccs_flags |= CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
917 |
retval = ccs_check_network_entry(is_ipv6, operation, |
retval = ccs_check_network_entry(is_ipv6, operation, |
918 |
(const u32 *) address, ntohs(port)); |
(const u32 *) address, ntohs(port)); |
919 |
current->tomoyo_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
current->ccs_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
920 |
return retval; |
return retval; |
921 |
} |
} |
922 |
|
|
929 |
/* Nothing to do if I am a kernel service. */ |
/* Nothing to do if I am a kernel service. */ |
930 |
if (segment_eq(get_fs(), KERNEL_DS)) |
if (segment_eq(get_fs(), KERNEL_DS)) |
931 |
return 0; |
return 0; |
932 |
if (family == PF_PACKET && !ccs_capable(TOMOYO_USE_PACKET_SOCKET)) |
if (family == PF_PACKET && !ccs_capable(CCS_USE_PACKET_SOCKET)) |
933 |
return -EPERM; |
return -EPERM; |
934 |
if (family == PF_ROUTE && !ccs_capable(TOMOYO_USE_ROUTE_SOCKET)) |
if (family == PF_ROUTE && !ccs_capable(CCS_USE_ROUTE_SOCKET)) |
935 |
return -EPERM; |
return -EPERM; |
936 |
if (family != PF_INET && family != PF_INET6) |
if (family != PF_INET && family != PF_INET6) |
937 |
return 0; |
return 0; |
938 |
switch (type) { |
switch (type) { |
939 |
case SOCK_STREAM: |
case SOCK_STREAM: |
940 |
if (!ccs_capable(TOMOYO_INET_STREAM_SOCKET_CREATE)) |
if (!ccs_capable(CCS_INET_STREAM_SOCKET_CREATE)) |
941 |
error = -EPERM; |
error = -EPERM; |
942 |
break; |
break; |
943 |
case SOCK_DGRAM: |
case SOCK_DGRAM: |
944 |
if (!ccs_capable(TOMOYO_USE_INET_DGRAM_SOCKET)) |
if (!ccs_capable(CCS_USE_INET_DGRAM_SOCKET)) |
945 |
error = -EPERM; |
error = -EPERM; |
946 |
break; |
break; |
947 |
case SOCK_RAW: |
case SOCK_RAW: |
948 |
if (!ccs_capable(TOMOYO_USE_INET_RAW_SOCKET)) |
if (!ccs_capable(CCS_USE_INET_RAW_SOCKET)) |
949 |
error = -EPERM; |
error = -EPERM; |
950 |
break; |
break; |
951 |
} |
} |
970 |
default: |
default: |
971 |
return 0; |
return 0; |
972 |
} |
} |
973 |
if (!ccs_capable(TOMOYO_INET_STREAM_SOCKET_LISTEN)) |
if (!ccs_capable(CCS_INET_STREAM_SOCKET_LISTEN)) |
974 |
return -EPERM; |
return -EPERM; |
975 |
if (sock->ops->getname(sock, (struct sockaddr *) addr, &addr_len, 0)) |
if (sock->ops->getname(sock, (struct sockaddr *) addr, &addr_len, 0)) |
976 |
return -EPERM; |
return -EPERM; |
1044 |
switch (sock->sk->sk_family) { |
switch (sock->sk->sk_family) { |
1045 |
case PF_INET: |
case PF_INET: |
1046 |
case PF_INET6: |
case PF_INET6: |
1047 |
if (!ccs_capable(TOMOYO_INET_STREAM_SOCKET_CONNECT)) |
if (!ccs_capable(CCS_INET_STREAM_SOCKET_CONNECT)) |
1048 |
error = -EPERM; |
error = -EPERM; |
1049 |
break; |
break; |
1050 |
} |
} |