オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/trunk/1.6.x/ccs-patch/fs/tomoyo_network.c

Contents of /trunk/1.6.x/ccs-patch/fs/tomoyo_network.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 708 - (show annotations) (download) (as text)
Mon Nov 19 08:44:45 2007 UTC (16 years, 6 months ago) by kumaneko
Original Path: trunk/1.5.x/ccs-patch/fs/tomoyo_network.c
File MIME type: text/x-csrc
File size: 18805 byte(s) 
Use "struct list_head". Not tested.
1 /*
2 * fs/tomoyo_network.c
3 *
4 * Implementation of the Domain-Based Mandatory Access Control.
5 *
6 * Copyright (C) 2005-2007 NTT DATA CORPORATION
7 *
8 * Version: 1.5.2-pre 2007/11/19
9 *
10 * This file is applicable to both 2.4.30 and 2.6.11 and later.
11 * See README.ccs for ChangeLog.
12 *
13 */
14 /***** TOMOYO Linux start. *****/
15
16 #include <linux/ccs_common.h>
17 #include <linux/tomoyo.h>
18 #include <linux/realpath.h>
19 #include <net/ip.h>
20
21 /************************* VARIABLES *************************/
22
23 extern struct mutex domain_acl_lock;
24
25 /************************* AUDIT FUNCTIONS *************************/
26
27 static int AuditNetworkLog(const bool is_ipv6, const char *operation, const u32 *address, const u16 port, const bool is_granted)
28 {
29 char *buf;
30 int len = 256;
31 if (CanSaveAuditLog(is_granted) < 0) return -ENOMEM;
32 if ((buf = InitAuditLog(&len)) == NULL) return -ENOMEM;
33 snprintf(buf + strlen(buf), len - strlen(buf) - 1, KEYWORD_ALLOW_NETWORK "%s ", operation);
34 if (is_ipv6) {
35 print_ipv6(buf + strlen(buf), len - strlen(buf), (const u16 *) address);
36 } else {
37 u32 ip = *address;
38 snprintf(buf + strlen(buf), len - strlen(buf) - 1, "%u.%u.%u.%u", NIPQUAD(ip));
39 }
40 snprintf(buf + strlen(buf), len - strlen(buf) - 1, " %u\n", port);
41 return WriteAuditLog(buf, is_granted);
42 }
43
44 /************************* ADDRESS GROUP HANDLER *************************/
45
46 static LIST_HEAD(address_group_list);
47
48 static int AddAddressGroupEntry(const char *group_name, const bool is_ipv6, const u16 *min_address, const u16 *max_address, const bool is_delete)
49 {
50 static DEFINE_MUTEX(lock);
51 struct address_group_entry *new_group, *group;
52 struct address_group_member *new_member, *member;
53 const struct path_info *saved_group_name;
54 int error = -ENOMEM;
55 bool found = 0;
56 if (!IsCorrectPath(group_name, 0, 0, 0, __FUNCTION__) || !group_name[0]) return -EINVAL;
57 if ((saved_group_name = SaveName(group_name)) == NULL) return -ENOMEM;
58 mutex_lock(&lock);
59 list_for_each_entry(group, &address_group_list, list) {
60 if (saved_group_name != group->group_name) continue;
61 list_for_each_entry(member, &group->address_group_member_list, list) {
62 if (member->is_ipv6 != is_ipv6) continue;
63 if (is_ipv6) {
64 if (memcmp(member->min.ipv6, min_address, 16) || memcmp(member->max.ipv6, max_address, 16)) continue;
65 } else {
66 if (member->min.ipv4 != * (u32 *) min_address || member->max.ipv4 != * (u32 *) max_address) continue;
67 }
68 member->is_deleted = is_delete;
69 error = 0;
70 goto out;
71 }
72 found = 1;
73 break;
74 }
75 if (is_delete) {
76 error = -ENOENT;
77 goto out;
78 }
79 if (!found) {
80 if ((new_group = alloc_element(sizeof(*new_group))) == NULL) goto out;
81 INIT_LIST_HEAD(&new_group->address_group_member_list);
82 new_group->group_name = saved_group_name;
83 list_add_tail_mb(&new_group->list, &address_group_list);
84 group = new_group;
85 }
86 if ((new_member = alloc_element(sizeof(*new_member))) == NULL) goto out;
87 new_member->is_ipv6 = is_ipv6;
88 if (is_ipv6) {
89 memmove(new_member->min.ipv6, min_address, 16);
90 memmove(new_member->max.ipv6, max_address, 16);
91 } else {
92 new_member->min.ipv4 = * (u32 *) min_address;
93 new_member->max.ipv4 = * (u32 *) max_address;
94 }
95 list_add_tail_mb(&new_member->list, &group->address_group_member_list);
96 error = 0;
97 out:
98 mutex_unlock(&lock);
99 return error;
100 }
101
102 int AddAddressGroupPolicy(char *data, const bool is_delete)
103 {
104 int count, is_ipv6;
105 u16 min_address[8], max_address[8];
106 char *cp = strchr(data, ' ');
107 if (!cp) return -EINVAL;
108 *cp++ = '\0';
109 if ((count = sscanf(cp, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx-%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
110 &min_address[0], &min_address[1], &min_address[2], &min_address[3],
111 &min_address[4], &min_address[5], &min_address[6], &min_address[7],
112 &max_address[0], &max_address[1], &max_address[2], &max_address[3],
113 &max_address[4], &max_address[5], &max_address[6], &max_address[7])) == 8 || count == 16) {
114 int i;
115 for (i = 0; i < 8; i++) {
116 min_address[i] = htons(min_address[i]);
117 max_address[i] = htons(max_address[i]);
118 }
119 if (count == 8) memmove(max_address, min_address, sizeof(min_address));
120 is_ipv6 = 1;
121 } else if ((count = sscanf(cp, "%hu.%hu.%hu.%hu-%hu.%hu.%hu.%hu",
122 &min_address[0], &min_address[1], &min_address[2], &min_address[3],
123 &max_address[0], &max_address[1], &max_address[2], &max_address[3])) == 4 || count == 8) {
124 u32 ip = ((((u8) min_address[0]) << 24) + (((u8) min_address[1]) << 16) + (((u8) min_address[2]) << 8) + (u8) min_address[3]);
125 * (u32 *) min_address = ip;
126 if (count == 8) ip = ((((u8) max_address[0]) << 24) + (((u8) max_address[1]) << 16) + (((u8) max_address[2]) << 8) + (u8) max_address[3]);
127 * (u32 *) max_address = ip;
128 is_ipv6 = 0;
129 } else {
130 return -EINVAL;
131 }
132 return AddAddressGroupEntry(data, is_ipv6, min_address, max_address, is_delete);
133 }
134
135 static struct address_group_entry *FindOrAssignNewAddressGroup(const char *group_name)
136 {
137 int i;
138 struct address_group_entry *group;
139 for (i = 0; i <= 1; i++) {
140 list_for_each_entry(group, &address_group_list, list) {
141 if (strcmp(group_name, group->group_name->name) == 0) return group;
142 }
143 if (i == 0) {
144 const u16 dummy[2] = { 0, 0 };
145 AddAddressGroupEntry(group_name, 0, dummy, dummy, 0);
146 AddAddressGroupEntry(group_name, 0, dummy, dummy, 1);
147 }
148 }
149 return NULL;
150 }
151
152 static int AddressMatchesToGroup(const bool is_ipv6, const u32 *address, const struct address_group_entry *group)
153 {
154 struct address_group_member *member;
155 const u32 ip = ntohl(*address);
156 list_for_each_entry(member, &group->address_group_member_list, list) {
157 if (member->is_deleted) continue;
158 if (member->is_ipv6) {
159 if (is_ipv6 && memcmp(member->min.ipv6, address, 16) <= 0 && memcmp(address, member->max.ipv6, 16) <= 0) return 1;
160 } else {
161 if (!is_ipv6 && member->min.ipv4 <= ip && ip <= member->max.ipv4) return 1;
162 }
163 }
164 return 0;
165 }
166
167 int ReadAddressGroupPolicy(struct io_buffer *head)
168 {
169 struct list_head *gpos;
170 struct list_head *mpos;
171 list_for_each_cookie(gpos, head->read_var1, &address_group_list) {
172 struct address_group_entry *group;
173 group = list_entry(gpos, struct address_group_entry, list);
174 list_for_each_cookie(mpos, head->read_var2, &group->address_group_member_list) {
175 char buf[128];
176 struct address_group_member *member;
177 member = list_entry(mpos, struct address_group_member, list);
178 if (member->is_deleted) continue;
179 if (member->is_ipv6) {
180 const u16 *min_address = member->min.ipv6, *max_address = member->max.ipv6;
181 print_ipv6(buf, sizeof(buf), min_address);
182 if (memcmp(min_address, max_address, 16)) {
183 char *cp = strchr(buf, '\0');
184 *cp++ = '-';
185 print_ipv6(cp, sizeof(buf) - strlen(buf), max_address);
186 }
187 } else {
188 const u32 min_address = member->min.ipv4, max_address = member->max.ipv4;
189 memset(buf, 0, sizeof(buf));
190 snprintf(buf, sizeof(buf) - 1, "%u.%u.%u.%u", HIPQUAD(min_address));
191 if (min_address != max_address) {
192 const int len = strlen(buf);
193 snprintf(buf + len, sizeof(buf) - 1 - len, "-%u.%u.%u.%u", HIPQUAD(max_address));
194 }
195 }
196 if (io_printf(head, KEYWORD_ADDRESS_GROUP "%s %s\n", group->group_name->name, buf)) return -ENOMEM;
197 }
198 }
199 return 0;
200 }
201
202 /************************* NETWORK NETWORK ACL HANDLER *************************/
203
204 char *print_ipv6(char *buffer, const int buffer_len, const u16 *ip)
205 {
206 memset(buffer, 0, buffer_len);
207 snprintf(buffer, buffer_len - 1, "%x:%x:%x:%x:%x:%x:%x:%x", ntohs(ip[0]), ntohs(ip[1]), ntohs(ip[2]), ntohs(ip[3]), ntohs(ip[4]), ntohs(ip[5]), ntohs(ip[6]), ntohs(ip[7]));
208 return buffer;
209 }
210
211 const char *network2keyword(const unsigned int operation)
212 {
213 const char *keyword = "unknown";
214 switch (operation) {
215 case NETWORK_ACL_UDP_BIND:
216 keyword = "UDP bind";
217 break;
218 case NETWORK_ACL_UDP_CONNECT:
219 keyword = "UDP connect";
220 break;
221 case NETWORK_ACL_TCP_BIND:
222 keyword = "TCP bind";
223 break;
224 case NETWORK_ACL_TCP_LISTEN:
225 keyword = "TCP listen";
226 break;
227 case NETWORK_ACL_TCP_CONNECT:
228 keyword = "TCP connect";
229 break;
230 case NETWORK_ACL_TCP_ACCEPT:
231 keyword = "TCP accept";
232 break;
233 case NETWORK_ACL_RAW_BIND:
234 keyword = "RAW bind";
235 break;
236 case NETWORK_ACL_RAW_CONNECT:
237 keyword = "RAW connect";
238 break;
239 }
240 return keyword;
241 }
242
243 static int AddNetworkEntry(const u8 operation, const u8 record_type, const struct address_group_entry *group, const u32 *min_address, const u32 *max_address, const u16 min_port, const u16 max_port, struct domain_info *domain, const struct condition_list *condition, const bool is_delete)
244 {
245 struct acl_info *ptr;
246 struct ip_network_acl_record *acl;
247 int error = -ENOMEM;
248 const u32 min_ip = ntohl(*min_address), max_ip = ntohl(*max_address); /* using host byte order to allow u32 comparison than memcmp().*/
249 if (!domain) return -EINVAL;
250 mutex_lock(&domain_acl_lock);
251 if (!is_delete) {
252 list_for_each_entry(ptr, &domain->acl_info_list, list) {
253 acl = list_entry(ptr, struct ip_network_acl_record, head);
254 if (ptr->type == TYPE_IP_NETWORK_ACL && acl->operation_type == operation && acl->record_type == record_type && ptr->cond == condition && acl->min_port == min_port && max_port == acl->max_port) {
255 if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
256 if (acl->u.group == group) {
257 ptr->is_deleted = 0;
258 /* Found. Nothing to do. */
259 error = 0;
260 goto out;
261 }
262 } else if (record_type == IP_RECORD_TYPE_IPv4) {
263 if (acl->u.ipv4.min == min_ip && max_ip == acl->u.ipv4.max) {
264 ptr->is_deleted = 0;
265 /* Found. Nothing to do. */
266 error = 0;
267 goto out;
268 }
269 } else if (record_type == IP_RECORD_TYPE_IPv6) {
270 if (memcmp(acl->u.ipv6.min, min_address, 16) == 0 && memcmp(max_address, acl->u.ipv6.max, 16) == 0) {
271 ptr->is_deleted = 0;
272 /* Found. Nothing to do. */
273 error = 0;
274 goto out;
275 }
276 }
277 }
278 }
279 /* Not found. Append it to the tail. */
280 if ((acl = alloc_element(sizeof(*acl))) == NULL) goto out;
281 acl->head.type = TYPE_IP_NETWORK_ACL;
282 acl->operation_type = operation;
283 acl->record_type = record_type;
284 acl->head.cond = condition;
285 if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
286 acl->u.group = group;
287 } else if (record_type == IP_RECORD_TYPE_IPv4) {
288 acl->u.ipv4.min = min_ip;
289 acl->u.ipv4.max = max_ip;
290 } else {
291 memmove(acl->u.ipv6.min, min_address, 16);
292 memmove(acl->u.ipv6.max, max_address, 16);
293 }
294 acl->min_port = min_port;
295 acl->max_port = max_port;
296 error = AddDomainACL(domain, &acl->head);
297 } else {
298 error = -ENOENT;
299 list_for_each_entry(ptr, &domain->acl_info_list, list) {
300 acl = list_entry(ptr, struct ip_network_acl_record, head);
301 if (ptr->type != TYPE_IP_NETWORK_ACL || ptr->is_deleted || acl->operation_type != operation || acl->record_type != record_type || ptr->cond != condition || acl->min_port != min_port || acl->max_port != max_port) continue;
302 if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
303 if (acl->u.group != group) continue;
304 } else if (record_type == IP_RECORD_TYPE_IPv4) {
305 if (acl->u.ipv4.min != min_ip || max_ip != acl->u.ipv4.max) continue;
306 } else if (record_type == IP_RECORD_TYPE_IPv6) {
307 if (memcmp(acl->u.ipv6.min, min_address, 16) || memcmp(max_address, acl->u.ipv6.max, 16)) continue;
308 }
309 error = DelDomainACL(ptr);
310 break;
311 }
312 }
313 out: ;
314 mutex_unlock(&domain_acl_lock);
315 return error;
316 }
317
318 static int CheckNetworkEntry(const bool is_ipv6, const int operation, const u32 *address, const u16 port)
319 {
320 struct domain_info * const domain = current->domain_info;
321 struct acl_info *ptr;
322 const char *keyword = network2keyword(operation);
323 const bool is_enforce = CheckCCSEnforce(CCS_TOMOYO_MAC_FOR_NETWORK);
324 const u32 ip = ntohl(*address); /* using host byte order to allow u32 comparison than memcmp().*/
325 bool found = 0;
326 if (!CheckCCSFlags(CCS_TOMOYO_MAC_FOR_NETWORK)) return 0;
327 list_for_each_entry(ptr, &domain->acl_info_list, list) {
328 struct ip_network_acl_record *acl;
329 acl = list_entry(ptr, struct ip_network_acl_record, head);
330 if (ptr->type != TYPE_IP_NETWORK_ACL || ptr->is_deleted || acl->operation_type != operation || port < acl->min_port || acl->max_port < port || CheckCondition(ptr->cond, NULL)) continue;
331 if (acl->record_type == IP_RECORD_TYPE_ADDRESS_GROUP) {
332 if (!AddressMatchesToGroup(is_ipv6, address, acl->u.group)) continue;
333 } else if (acl->record_type == IP_RECORD_TYPE_IPv4) {
334 if (is_ipv6 || ip < acl->u.ipv4.min || acl->u.ipv4.max < ip) continue;
335 } else {
336 if (!is_ipv6 || memcmp(acl->u.ipv6.min, address, 16) > 0 || memcmp(address, acl->u.ipv6.max, 16) > 0) continue;
337 }
338 found = 1;
339 break;
340
341 }
342 AuditNetworkLog(is_ipv6, keyword, address, port, found);
343 if (found) return 0;
344 if (TomoyoVerboseMode()) {
345 if (is_ipv6) {
346 char buf[64];
347 print_ipv6(buf, sizeof(buf), (const u16 *) address);
348 printk("TOMOYO-%s: %s to %s %u denied for %s\n", GetMSG(is_enforce), keyword, buf, port, GetLastName(domain));
349 } else {
350 printk("TOMOYO-%s: %s to %u.%u.%u.%u %u denied for %s\n", GetMSG(is_enforce), keyword, HIPQUAD(ip), port, GetLastName(domain));
351 }
352 }
353 AuditNetworkLog(is_ipv6, keyword, address, port, 0);
354 if (is_enforce) {
355 if (is_ipv6) {
356 char buf[64];
357 print_ipv6(buf, sizeof(buf), (const u16 *) address);
358 return CheckSupervisor("%s\n" KEYWORD_ALLOW_NETWORK "%s %s %u\n", domain->domainname->name, keyword, buf, port);
359 }
360 return CheckSupervisor("%s\n" KEYWORD_ALLOW_NETWORK "%s %u.%u.%u.%u %u\n", domain->domainname->name, keyword, HIPQUAD(ip), port);
361 }
362 if (CheckCCSAccept(CCS_TOMOYO_MAC_FOR_NETWORK, domain)) AddNetworkEntry(operation, is_ipv6 ? IP_RECORD_TYPE_IPv6 : IP_RECORD_TYPE_IPv4, NULL, address, address, port, port, domain, NULL, 0);
363 return 0;
364 }
365
366 int AddNetworkPolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete)
367 {
368 u8 sock_type, operation, record_type;
369 u16 min_address[8], max_address[8];
370 struct address_group_entry *group = NULL;
371 u16 min_port, max_port;
372 int count;
373 char *cp1 = NULL, *cp2 = NULL;
374 if ((cp1 = strchr(data, ' ')) == NULL) goto out; cp1++;
375 if (strncmp(data, "TCP ", 4) == 0) sock_type = SOCK_STREAM;
376 else if (strncmp(data, "UDP ", 4) == 0) sock_type = SOCK_DGRAM;
377 else if (strncmp(data, "RAW ", 4) == 0) sock_type = SOCK_RAW;
378 else goto out;
379 if ((cp2 = strchr(cp1, ' ')) == NULL) goto out; cp2++;
380 if (strncmp(cp1, "bind ", 5) == 0) {
381 operation = (sock_type == SOCK_STREAM) ? NETWORK_ACL_TCP_BIND : (sock_type == SOCK_DGRAM) ? NETWORK_ACL_UDP_BIND : NETWORK_ACL_RAW_BIND;
382 } else if (strncmp(cp1, "connect ", 8) == 0) {
383 operation = (sock_type == SOCK_STREAM) ? NETWORK_ACL_TCP_CONNECT : (sock_type == SOCK_DGRAM) ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT;
384 } else if (sock_type == SOCK_STREAM && strncmp(cp1, "listen ", 7) == 0) {
385 operation = NETWORK_ACL_TCP_LISTEN;
386 } else if (sock_type == SOCK_STREAM && strncmp(cp1, "accept ", 7) == 0) {
387 operation = NETWORK_ACL_TCP_ACCEPT;
388 } else {
389 goto out;
390 }
391 if ((cp1 = strchr(cp2, ' ')) == NULL) goto out; *cp1++ = '\0';
392 if ((count = sscanf(cp2, "%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx-%hx:%hx:%hx:%hx:%hx:%hx:%hx:%hx",
393 &min_address[0], &min_address[1], &min_address[2], &min_address[3],
394 &min_address[4], &min_address[5], &min_address[6], &min_address[7],
395 &max_address[0], &max_address[1], &max_address[2], &max_address[3],
396 &max_address[4], &max_address[5], &max_address[6], &max_address[7])) == 8 || count == 16) {
397 int i;
398 for (i = 0; i < 8; i++) {
399 min_address[i] = htons(min_address[i]);
400 max_address[i] = htons(max_address[i]);
401 }
402 if (count == 8) memmove(max_address, min_address, sizeof(min_address));
403 record_type = IP_RECORD_TYPE_IPv6;
404 } else if ((count = sscanf(cp2, "%hu.%hu.%hu.%hu-%hu.%hu.%hu.%hu",
405 &min_address[0], &min_address[1], &min_address[2], &min_address[3],
406 &max_address[0], &max_address[1], &max_address[2], &max_address[3])) == 4 || count == 8) {
407 u32 ip = htonl((((u8) min_address[0]) << 24) + (((u8) min_address[1]) << 16) + (((u8) min_address[2]) << 8) + (u8) min_address[3]);
408 * (u32 *) min_address = ip;
409 if (count == 8) ip = htonl((((u8) max_address[0]) << 24) + (((u8) max_address[1]) << 16) + (((u8) max_address[2]) << 8) + (u8) max_address[3]);
410 * (u32 *) max_address = ip;
411 record_type = IP_RECORD_TYPE_IPv4;
412 } else if (*cp2 == '@') {
413 if ((group = FindOrAssignNewAddressGroup(cp2 + 1)) == NULL) return -ENOMEM;
414 record_type = IP_RECORD_TYPE_ADDRESS_GROUP;
415 } else {
416 goto out;
417 }
418 if (strchr(cp1, ' ')) goto out;
419 if ((count = sscanf(cp1, "%hu-%hu", &min_port, &max_port)) == 1 || count == 2) {
420 if (count == 1) max_port = min_port;
421 return AddNetworkEntry(operation, record_type, group, (u32 *) min_address, (u32 *) max_address, min_port, max_port, domain, condition, is_delete);
422 }
423 out: ;
424 return -EINVAL;
425 }
426
427 int CheckNetworkListenACL(const _Bool is_ipv6, const u8 *address, const u16 port)
428 {
429 return CheckNetworkEntry(is_ipv6, NETWORK_ACL_TCP_LISTEN, (const u32 *) address, ntohs(port));
430 }
431 EXPORT_SYMBOL(CheckNetworkListenACL);
432
433 int CheckNetworkConnectACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port)
434 {
435 return CheckNetworkEntry(is_ipv6, sock_type == SOCK_STREAM ? NETWORK_ACL_TCP_CONNECT : (sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT), (const u32 *) address, ntohs(port));
436 }
437 EXPORT_SYMBOL(CheckNetworkConnectACL);
438
439 int CheckNetworkBindACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port)
440 {
441 return CheckNetworkEntry(is_ipv6, sock_type == SOCK_STREAM ? NETWORK_ACL_TCP_BIND : (sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_BIND : NETWORK_ACL_RAW_BIND), (const u32 *) address, ntohs(port));
442 }
443 EXPORT_SYMBOL(CheckNetworkBindACL);
444
445 int CheckNetworkAcceptACL(const _Bool is_ipv6, const u8 *address, const u16 port)
446 {
447 int retval;
448 current->tomoyo_flags |= CCS_DONT_SLEEP_ON_ENFORCE_ERROR;
449 retval = CheckNetworkEntry(is_ipv6, NETWORK_ACL_TCP_ACCEPT, (const u32 *) address, ntohs(port));
450 current->tomoyo_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR;
451 return retval;
452 }
453 EXPORT_SYMBOL(CheckNetworkAcceptACL);
454
455 int CheckNetworkSendMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port)
456 {
457 return CheckNetworkEntry(is_ipv6, sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT, (const u32 *) address, ntohs(port));
458 }
459 EXPORT_SYMBOL(CheckNetworkSendMsgACL);
460
461 int CheckNetworkRecvMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port)
462 {
463 int retval;
464 current->tomoyo_flags |= CCS_DONT_SLEEP_ON_ENFORCE_ERROR;
465 retval = CheckNetworkEntry(is_ipv6, sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT, (const u32 *) address, ntohs(port));
466 current->tomoyo_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR;
467 return retval;
468 }
469 EXPORT_SYMBOL(CheckNetworkRecvMsgACL);
470
471 /***** TOMOYO Linux end. *****/
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
サイト情報
ソフトウェアを探す
ソフトウェアを作る
コミュニティ
ヘルプ