| 15 |
fs/Kconfig | 2 |
fs/Kconfig | 2 |
| 16 |
fs/Makefile | 2 |
fs/Makefile | 2 |
| 17 |
fs/attr.c | 19 ++++++ |
fs/attr.c | 19 ++++++ |
| 18 |
fs/compat.c | 15 ++++- |
fs/compat.c | 15 +++++ |
| 19 |
fs/exec.c | 21 ++++++- |
fs/exec.c | 21 +++++++ |
| 20 |
fs/fcntl.c | 8 ++ |
fs/fcntl.c | 8 ++ |
| 21 |
fs/ioctl.c | 11 +++ |
fs/ioctl.c | 11 +++ |
| 22 |
fs/namei.c | 118 ++++++++++++++++++++++++++++++++++++++++ |
fs/namei.c | 60 +++++++++++++++++++++ |
| 23 |
fs/namespace.c | 50 ++++++++++++++++ |
fs/namespace.c | 50 +++++++++++++++++- |
| 24 |
fs/open.c | 29 +++++++++ |
fs/open.c | 30 ++++++++++ |
| 25 |
fs/proc/Makefile | 3 + |
fs/proc/Makefile | 3 + |
| 26 |
fs/proc/proc_misc.c | 5 + |
fs/proc/proc_misc.c | 5 + |
| 27 |
include/linux/init_task.h | 4 + |
include/linux/init_task.h | 4 + |
| 34 |
kernel/sched.c | 7 ++ |
kernel/sched.c | 7 ++ |
| 35 |
kernel/signal.c | 21 +++++++ |
kernel/signal.c | 21 +++++++ |
| 36 |
kernel/sys.c | 21 +++++++ |
kernel/sys.c | 21 +++++++ |
| 37 |
kernel/sysctl.c | 111 +++++++++++++++++++++++++++++++++++++ |
kernel/sysctl.c | 111 ++++++++++++++++++++++++++++++++++++++++ |
| 38 |
kernel/time.c | 15 +++++ |
kernel/time.c | 15 +++++ |
| 39 |
net/core/datagram.c | 11 +++ |
net/core/datagram.c | 11 +++ |
| 40 |
net/ipv4/inet_connection_sock.c | 7 ++ |
net/ipv4/inet_connection_sock.c | 7 ++ |
| 42 |
net/ipv4/udp.c | 11 +++ |
net/ipv4/udp.c | 11 +++ |
| 43 |
net/ipv6/tcp_ipv6.c | 11 +++ |
net/ipv6/tcp_ipv6.c | 11 +++ |
| 44 |
net/ipv6/udp.c | 11 +++ |
net/ipv6/udp.c | 11 +++ |
| 45 |
net/socket.c | 43 +++++++++++++- |
net/socket.c | 43 ++++++++++++++- |
| 46 |
net/unix/af_unix.c | 15 +++++ |
net/unix/af_unix.c | 8 ++ |
| 47 |
42 files changed, 690 insertions(+), 9 deletions(-) |
42 files changed, 626 insertions(+), 9 deletions(-) |
| 48 |
|
|
| 49 |
--- linux-2.6.15-53.75.orig/arch/alpha/kernel/ptrace.c |
--- linux-2.6.15-53.75.orig/arch/alpha/kernel/ptrace.c |
| 50 |
+++ linux-2.6.15-53.75/arch/alpha/kernel/ptrace.c |
+++ linux-2.6.15-53.75/arch/alpha/kernel/ptrace.c |
| 506 |
/* [Feb-1997 T. Schoebel-Theuer] |
/* [Feb-1997 T. Schoebel-Theuer] |
| 507 |
* Fundamental changes in the pathname lookup mechanisms (namei) |
* Fundamental changes in the pathname lookup mechanisms (namei) |
| 508 |
* were necessary because of omirr. The reason is that omirr needs |
* were necessary because of omirr. The reason is that omirr needs |
| 509 |
@@ -1433,6 +1437,13 @@ int vfs_create(struct inode *dir, struct |
@@ -1488,6 +1492,13 @@ int may_open(struct nameidata *nd, int a |
|
error = security_inode_create(dir, dentry, mode); |
|
|
if (error) |
|
|
return error; |
|
|
+ /***** TOMOYO Linux start. *****/ |
|
|
+ if (nd) { |
|
|
+ error = ccs_check_1path_perm(TYPE_CREATE_ACL, dentry, nd->mnt); |
|
|
+ if (error) |
|
|
+ return error; |
|
|
+ } |
|
|
+ /***** TOMOYO Linux end. *****/ |
|
|
DQUOT_INIT(dir); |
|
|
error = dir->i_op->create(dir, dentry, mode, nd); |
|
|
if (!error) |
|
|
@@ -1488,6 +1499,13 @@ int may_open(struct nameidata *nd, int a |
|
| 510 |
if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) |
if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) |
| 511 |
return -EPERM; |
return -EPERM; |
| 512 |
|
|
| 520 |
/* |
/* |
| 521 |
* Ensure there are no outstanding leases on the file. |
* Ensure there are no outstanding leases on the file. |
| 522 |
*/ |
*/ |
| 523 |
@@ -1519,6 +1537,9 @@ int may_open(struct nameidata *nd, int a |
@@ -1519,6 +1530,9 @@ int may_open(struct nameidata *nd, int a |
| 524 |
return 0; |
return 0; |
| 525 |
} |
} |
| 526 |
|
|
| 530 |
/* |
/* |
| 531 |
* open_namei() |
* open_namei() |
| 532 |
* |
* |
| 533 |
@@ -1768,6 +1789,16 @@ asmlinkage long sys_mknod(const char __u |
@@ -1594,6 +1608,11 @@ do_last: |
| 534 |
|
if (!path.dentry->d_inode) { |
| 535 |
if (S_ISDIR(mode)) |
if (!IS_POSIXACL(dir->d_inode)) |
| 536 |
return -EPERM; |
mode &= ~current->fs->umask; |
| 537 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
| 538 |
+ if (S_ISCHR(mode) && !ccs_capable(CCS_CREATE_CHAR_DEV)) |
+ error = ccs_check_mknod_permission(dir->d_inode, path.dentry, |
| 539 |
+ return -EPERM; |
+ nd->path.mnt, mode, 0); |
| 540 |
+ if (S_ISBLK(mode) && !ccs_capable(CCS_CREATE_BLOCK_DEV)) |
+ if (!error) |
| 541 |
+ return -EPERM; |
+ /***** TOMOYO Linux end. *****/ |
| 542 |
+ if (S_ISFIFO(mode) && !ccs_capable(CCS_CREATE_FIFO)) |
error = vfs_create(dir->d_inode, path.dentry, mode, nd); |
| 543 |
+ return -EPERM; |
up(&dir->d_inode->i_sem); |
| 544 |
+ if (S_ISSOCK(mode) && !ccs_capable(CCS_CREATE_UNIX_SOCKET)) |
dput(nd->dentry); |
| 545 |
+ return -EPERM; |
@@ -1781,6 +1800,12 @@ asmlinkage long sys_mknod(const char __u |
| 546 |
+ /***** TOMOYO Linux end. *****/ |
if (!IS_POSIXACL(nd.dentry->d_inode)) |
| 547 |
tmp = getname(filename); |
mode &= ~current->fs->umask; |
| 548 |
if (IS_ERR(tmp)) |
if (!IS_ERR(dentry)) { |
| 549 |
return PTR_ERR(tmp); |
+ /***** TOMOYO Linux start. *****/ |
| 550 |
@@ -1786,10 +1817,32 @@ asmlinkage long sys_mknod(const char __u |
+ error = ccs_check_mknod_permission(nd.path.dentry->d_inode, |
| 551 |
|
+ dentry, nd.path.mnt, mode, |
| 552 |
|
+ new_decode_dev(dev)); |
| 553 |
|
+ if (!error) |
| 554 |
|
+ /***** TOMOYO Linux end. *****/ |
| 555 |
|
switch (mode & S_IFMT) { |
| 556 |
|
case 0: case S_IFREG: |
| 557 |
error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd); |
error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd); |
| 558 |
break; |
@@ -1849,6 +1874,12 @@ asmlinkage long sys_mkdir(const char __u |
|
case S_IFCHR: case S_IFBLK: |
|
|
+ /***** TOMOYO Linux start. *****/ |
|
|
+ error = pre_vfs_mknod(nd.dentry->d_inode, dentry, mode); |
|
|
+ if (error) |
|
|
+ break; |
|
|
+ error = ccs_check_1path_perm(S_ISCHR(mode) ? |
|
|
+ TYPE_MKCHAR_ACL : |
|
|
+ TYPE_MKBLOCK_ACL, |
|
|
+ dentry, nd.mnt); |
|
|
+ if (error) |
|
|
+ break; |
|
|
+ /***** TOMOYO Linux end. *****/ |
|
|
error = vfs_mknod(nd.dentry->d_inode,dentry,mode, |
|
|
new_decode_dev(dev)); |
|
|
break; |
|
|
case S_IFIFO: case S_IFSOCK: |
|
|
+ /***** TOMOYO Linux start. *****/ |
|
|
+ error = pre_vfs_mknod(nd.dentry->d_inode, dentry, mode); |
|
|
+ if (error) |
|
|
+ break; |
|
|
+ error = ccs_check_1path_perm(S_ISFIFO(mode) ? |
|
|
+ TYPE_MKFIFO_ACL : |
|
|
+ TYPE_MKSOCK_ACL, |
|
|
+ dentry, nd.mnt); |
|
|
+ if (error) |
|
|
+ break; |
|
|
+ /***** TOMOYO Linux end. *****/ |
|
|
error = vfs_mknod(nd.dentry->d_inode,dentry,mode,0); |
|
|
break; |
|
|
case S_IFDIR: |
|
|
@@ -1849,6 +1902,13 @@ asmlinkage long sys_mkdir(const char __u |
|
| 559 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
| 560 |
if (!IS_POSIXACL(nd.dentry->d_inode)) |
if (!IS_POSIXACL(nd.dentry->d_inode)) |
| 561 |
mode &= ~current->fs->umask; |
mode &= ~current->fs->umask; |
| 562 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
| 563 |
+ error = pre_vfs_mkdir(nd.dentry->d_inode, dentry); |
+ error = ccs_check_mkdir_permission(nd.dentry->d_inode, |
| 564 |
+ if (!error) |
+ dentry, nd.mnt, |
| 565 |
+ error = ccs_check_1path_perm(TYPE_MKDIR_ACL, |
+ mode); |
|
+ dentry, nd.mnt); |
|
| 566 |
+ if (!error) |
+ if (!error) |
| 567 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
| 568 |
error = vfs_mkdir(nd.dentry->d_inode, dentry, mode); |
error = vfs_mkdir(nd.dentry->d_inode, dentry, mode); |
| 569 |
dput(dentry); |
dput(dentry); |
| 570 |
} |
} |
| 571 |
@@ -1952,6 +2012,13 @@ asmlinkage long sys_rmdir(const char __u |
@@ -1952,6 +1983,11 @@ asmlinkage long sys_rmdir(const char __u |
| 572 |
dentry = lookup_hash(&nd); |
dentry = lookup_hash(&nd); |
| 573 |
error = PTR_ERR(dentry); |
error = PTR_ERR(dentry); |
| 574 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
| 575 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
| 576 |
+ error = pre_vfs_rmdir(nd.dentry->d_inode, dentry); |
+ error = ccs_check_rmdir_permission(nd.dentry->d_inode, dentry, |
| 577 |
+ if (!error) |
+ nd.mnt); |
|
+ error = ccs_check_1path_perm(TYPE_RMDIR_ACL, dentry, |
|
|
+ nd.mnt); |
|
| 578 |
+ if (!error) |
+ if (!error) |
| 579 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
| 580 |
error = vfs_rmdir(nd.dentry->d_inode, dentry); |
error = vfs_rmdir(nd.dentry->d_inode, dentry); |
| 581 |
dput(dentry); |
dput(dentry); |
| 582 |
} |
} |
| 583 |
@@ -2006,6 +2073,10 @@ asmlinkage long sys_unlink(const char __ |
@@ -2027,6 +2063,11 @@ asmlinkage long sys_unlink(const char __ |
|
struct dentry *dentry; |
|
|
struct nameidata nd; |
|
|
struct inode *inode = NULL; |
|
|
+ /***** TOMOYO Linux start. *****/ |
|
|
+ if (!ccs_capable(CCS_SYS_UNLINK)) |
|
|
+ return -EPERM; |
|
|
+ /***** TOMOYO Linux end. *****/ |
|
|
|
|
|
name = getname(pathname); |
|
|
if(IS_ERR(name)) |
|
|
@@ -2027,6 +2098,14 @@ asmlinkage long sys_unlink(const char __ |
|
| 584 |
inode = dentry->d_inode; |
inode = dentry->d_inode; |
| 585 |
if (inode) |
if (inode) |
| 586 |
atomic_inc(&inode->i_count); |
atomic_inc(&inode->i_count); |
| 587 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
| 588 |
+ error = pre_vfs_unlink(nd.dentry->d_inode, dentry); |
+ error = ccs_check_unlink_permission(nd.dentry->d_inode, dentry, |
| 589 |
+ if (error) |
+ nd.mnt); |
| 590 |
+ goto exit2; |
+ if (!error) |
|
+ error = ccs_check_1path_perm(TYPE_UNLINK_ACL, dentry, nd.mnt); |
|
|
+ if (error) |
|
|
+ goto exit2; |
|
| 591 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
| 592 |
error = vfs_unlink(nd.dentry->d_inode, dentry); |
error = vfs_unlink(nd.dentry->d_inode, dentry); |
| 593 |
exit2: |
exit2: |
| 594 |
dput(dentry); |
dput(dentry); |
| 595 |
@@ -2072,6 +2151,10 @@ asmlinkage long sys_symlink(const char _ |
@@ -2088,6 +2129,12 @@ asmlinkage long sys_symlink(const char _ |
|
int error = 0; |
|
|
char * from; |
|
|
char * to; |
|
|
+ /***** TOMOYO Linux start. *****/ |
|
|
+ if (!ccs_capable(CCS_SYS_SYMLINK)) |
|
|
+ return -EPERM; |
|
|
+ /***** TOMOYO Linux end. *****/ |
|
|
|
|
|
from = getname(oldname); |
|
|
if(IS_ERR(from)) |
|
|
@@ -2088,6 +2171,13 @@ asmlinkage long sys_symlink(const char _ |
|
| 596 |
dentry = lookup_create(&nd, 0); |
dentry = lookup_create(&nd, 0); |
| 597 |
error = PTR_ERR(dentry); |
error = PTR_ERR(dentry); |
| 598 |
if (!IS_ERR(dentry)) { |
if (!IS_ERR(dentry)) { |
| 599 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
| 600 |
+ error = pre_vfs_symlink(nd.dentry->d_inode, dentry); |
+ error = ccs_check_symlink_permission(nd.dentry->d_inode, |
| 601 |
+ if (!error) |
+ dentry, nd.mnt, |
| 602 |
+ error = ccs_check_1path_perm(TYPE_SYMLINK_ACL, |
+ from); |
|
+ dentry, nd.mnt); |
|
| 603 |
+ if (!error) |
+ if (!error) |
| 604 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
| 605 |
error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO); |
error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO); |
| 606 |
dput(dentry); |
dput(dentry); |
| 607 |
} |
} |
| 608 |
@@ -2153,6 +2243,10 @@ asmlinkage long sys_link(const char __us |
@@ -2170,6 +2217,12 @@ asmlinkage long sys_link(const char __us |
|
struct nameidata nd, old_nd; |
|
|
int error; |
|
|
char * to; |
|
|
+ /***** TOMOYO Linux start. *****/ |
|
|
+ if (!ccs_capable(CCS_SYS_LINK)) |
|
|
+ return -EPERM; |
|
|
+ /***** TOMOYO Linux end. *****/ |
|
|
|
|
|
to = getname(newname); |
|
|
if (IS_ERR(to)) |
|
|
@@ -2170,6 +2264,15 @@ asmlinkage long sys_link(const char __us |
|
| 609 |
new_dentry = lookup_create(&nd, 0); |
new_dentry = lookup_create(&nd, 0); |
| 610 |
error = PTR_ERR(new_dentry); |
error = PTR_ERR(new_dentry); |
| 611 |
if (!IS_ERR(new_dentry)) { |
if (!IS_ERR(new_dentry)) { |
| 612 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
| 613 |
+ error = pre_vfs_link(old_nd.dentry, nd.dentry->d_inode, |
+ error = ccs_check_link_permission(old_nd.dentry, |
| 614 |
+ new_dentry); |
+ nd.dentry->d_inode, |
| 615 |
+ if (!error) |
+ new_dentry, nd.mnt); |
|
+ error = ccs_check_2path_perm(TYPE_LINK_ACL, |
|
|
+ old_nd.dentry, old_nd.mnt, |
|
|
+ new_dentry, nd.mnt); |
|
| 616 |
+ if (!error) |
+ if (!error) |
| 617 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
| 618 |
error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); |
error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry); |
| 619 |
dput(new_dentry); |
dput(new_dentry); |
| 620 |
} |
} |
| 621 |
@@ -2390,6 +2493,17 @@ static inline int do_rename(const char * |
@@ -2390,6 +2443,13 @@ static inline int do_rename(const char * |
| 622 |
if (new_dentry == trap) |
if (new_dentry == trap) |
| 623 |
goto exit5; |
goto exit5; |
| 624 |
|
|
| 625 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
| 626 |
+ error = pre_vfs_rename(old_dir->d_inode, old_dentry, |
+ error = ccs_check_rename_permission(old_dir->d_inode, old_dentry, |
| 627 |
+ new_dir->d_inode, new_dentry); |
+ new_dir->d_inode, new_dentry, |
| 628 |
+ if (error) |
+ newnd.mnt); |
| 629 |
+ goto exit5; |
+ if (!error) |
|
+ error = ccs_check_2path_perm(TYPE_RENAME_ACL, old_dentry, oldnd.mnt, |
|
|
+ new_dentry, newnd.mnt); |
|
|
+ if (error) |
|
|
+ goto exit5; |
|
| 630 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
| 631 |
+ |
+ |
| 632 |
error = vfs_rename(old_dir->d_inode, old_dentry, |
error = vfs_rename(old_dir->d_inode, old_dentry, |
| 633 |
new_dir->d_inode, new_dentry); |
new_dir->d_inode, new_dentry); |
| 634 |
exit5: |
exit5: |
|
@@ -2411,6 +2525,10 @@ asmlinkage long sys_rename(const char __ |
|
|
int error; |
|
|
char * from; |
|
|
char * to; |
|
|
+ /***** TOMOYO Linux start. *****/ |
|
|
+ if (!ccs_capable(CCS_SYS_RENAME)) |
|
|
+ return -EPERM; |
|
|
+ /***** TOMOYO Linux end. *****/ |
|
|
|
|
|
from = getname(oldname); |
|
|
if(IS_ERR(from)) |
|
| 635 |
--- linux-2.6.15-53.75.orig/fs/namespace.c |
--- linux-2.6.15-53.75.orig/fs/namespace.c |
| 636 |
+++ linux-2.6.15-53.75/fs/namespace.c |
+++ linux-2.6.15-53.75/fs/namespace.c |
| 637 |
@@ -25,6 +25,12 @@ |
@@ -25,6 +25,12 @@ |
| 768 |
goto dput_and_out; |
goto dput_and_out; |
| 769 |
|
|
| 770 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
| 771 |
+ error = ccs_check_1path_perm(TYPE_TRUNCATE_ACL, nd.dentry, nd.mnt); |
+ error = ccs_check_truncate_permission(nd.dentry, nd.mnt, length, 0); |
| 772 |
+ if (!error) |
+ if (!error) |
| 773 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
| 774 |
error = locks_verify_truncate(inode, NULL, length); |
error = locks_verify_truncate(inode, NULL, length); |
| 775 |
if (!error) { |
if (!error) { |
| 776 |
DQUOT_INIT(inode); |
DQUOT_INIT(inode); |
| 777 |
@@ -337,7 +348,11 @@ static inline long do_sys_ftruncate(unsi |
@@ -337,7 +348,12 @@ static inline long do_sys_ftruncate(unsi |
| 778 |
error = -EPERM; |
error = -EPERM; |
| 779 |
if (IS_APPEND(inode)) |
if (IS_APPEND(inode)) |
| 780 |
goto out_putf; |
goto out_putf; |
| 781 |
- |
- |
| 782 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
| 783 |
+ error = ccs_check_1path_perm(TYPE_TRUNCATE_ACL, dentry, file->f_vfsmnt); |
+ error = ccs_check_truncate_permission(dentry, file->f_vfsmnt, length, |
| 784 |
|
+ 0); |
| 785 |
+ if (error) |
+ if (error) |
| 786 |
+ goto out_putf; |
+ goto out_putf; |
| 787 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
| 788 |
error = locks_verify_truncate(inode, file, length); |
error = locks_verify_truncate(inode, file, length); |
| 789 |
if (!error) |
if (!error) |
| 790 |
error = do_truncate(dentry, length, file); |
error = do_truncate(dentry, length, file); |
| 791 |
@@ -610,6 +625,14 @@ asmlinkage long sys_chroot(const char __ |
@@ -610,6 +626,14 @@ asmlinkage long sys_chroot(const char __ |
| 792 |
error = -EPERM; |
error = -EPERM; |
| 793 |
if (!capable(CAP_SYS_CHROOT)) |
if (!capable(CAP_SYS_CHROOT)) |
| 794 |
goto dput_and_out; |
goto dput_and_out; |
| 803 |
|
|
| 804 |
set_fs_root(current->fs, nd.mnt, nd.dentry); |
set_fs_root(current->fs, nd.mnt, nd.dentry); |
| 805 |
set_fs_altroot(); |
set_fs_altroot(); |
| 806 |
@@ -1141,6 +1164,10 @@ EXPORT_SYMBOL(sys_close); |
@@ -1141,6 +1165,10 @@ EXPORT_SYMBOL(sys_close); |
| 807 |
*/ |
*/ |
| 808 |
asmlinkage long sys_vhangup(void) |
asmlinkage long sys_vhangup(void) |
| 809 |
{ |
{ |
| 1590 |
|
|
| 1591 |
int sysctl_unix_max_dgram_qlen = 10; |
int sysctl_unix_max_dgram_qlen = 10; |
| 1592 |
|
|
| 1593 |
@@ -738,6 +741,11 @@ static int unix_bind(struct socket *sock |
@@ -781,6 +784,11 @@ static int unix_bind(struct socket *sock |
|
err = unix_autobind(sock); |
|
|
goto out; |
|
|
} |
|
|
+ /***** TOMOYO Linux start. *****/ |
|
|
+ err = -EPERM; |
|
|
+ if (sunaddr->sun_path[0] && !ccs_capable(CCS_CREATE_UNIX_SOCKET)) |
|
|
+ goto out; |
|
|
+ /***** TOMOYO Linux end. *****/ |
|
|
|
|
|
err = unix_mkname(sunaddr, addr_len, &hash); |
|
|
if (err < 0) |
|
|
@@ -781,6 +789,13 @@ static int unix_bind(struct socket *sock |
|
| 1594 |
*/ |
*/ |
| 1595 |
mode = S_IFSOCK | |
mode = S_IFSOCK | |
| 1596 |
(SOCK_INODE(sock)->i_mode & ~current->fs->umask); |
(SOCK_INODE(sock)->i_mode & ~current->fs->umask); |
| 1597 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
| 1598 |
+ err = pre_vfs_mknod(nd.dentry->d_inode, dentry, mode); |
+ err = ccs_check_mknod_permission(nd.dentry->d_inode, dentry, |
| 1599 |
+ if (!err) |
+ nd.mnt, mode, 0); |
|
+ err = ccs_check_1path_perm(TYPE_MKSOCK_ACL, dentry, |
|
|
+ nd.mnt); |
|
| 1600 |
+ if (!err) |
+ if (!err) |
| 1601 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
| 1602 |
err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0); |
err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0); |
TOMOYO
Parent Directory
Revision Log
Patch