オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/trunk/1.6.x/ccs-patch/patches/ccs-patch-2.6.21.diff

Contents of /trunk/1.6.x/ccs-patch/patches/ccs-patch-2.6.21.diff

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1187 - (show annotations) (download) (as text)
Thu May 8 03:19:35 2008 UTC (16 years, 1 month ago) by kumaneko
File MIME type: text/x-diff
File size: 49775 byte(s) 
Sort ccs-patch-\*.diff using quilt refresh --sort option.
1 This is TOMOYO Linux patch for kernel 2.6.21.
2
3 Source code for this patch is http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.21.tar.bz2
4 ---
5 Makefile | 2
6 arch/alpha/kernel/ptrace.c | 9 +++
7 arch/ia64/ia32/sys_ia32.c | 9 +++
8 arch/ia64/kernel/ptrace.c | 9 +++
9 arch/m32r/kernel/ptrace.c | 9 +++
10 arch/mips/kernel/ptrace32.c | 9 +++
11 arch/powerpc/kernel/ptrace32.c | 9 +++
12 arch/s390/kernel/ptrace.c | 9 +++
13 arch/sh64/kernel/ptrace.c | 9 +++
14 arch/sparc/kernel/ptrace.c | 11 +++
15 arch/sparc64/kernel/ptrace.c | 11 +++
16 arch/x86_64/ia32/ptrace32.c | 9 +++
17 fs/Kconfig | 2
18 fs/Makefile | 2
19 fs/attr.c | 19 ++++++
20 fs/compat.c | 11 +++
21 fs/exec.c | 20 ++++++-
22 fs/fcntl.c | 9 +++
23 fs/ioctl.c | 7 ++
24 fs/namei.c | 112 ++++++++++++++++++++++++++++++++++++++++
25 fs/namespace.c | 49 +++++++++++++++++
26 fs/open.c | 27 +++++++++
27 fs/proc/Makefile | 3 +
28 fs/proc/proc_misc.c | 5 +
29 include/linux/init_task.h | 4 +
30 include/linux/sched.h | 9 +++
31 kernel/compat.c | 7 ++
32 kernel/kexec.c | 7 ++
33 kernel/kmod.c | 5 +
34 kernel/module.c | 11 +++
35 kernel/ptrace.c | 9 +++
36 kernel/sched.c | 7 ++
37 kernel/signal.c | 21 +++++++
38 kernel/sys.c | 21 +++++++
39 kernel/sysctl.c | 95 +++++++++++++++++++++++++++++++++
40 kernel/time.c | 11 +++
41 kernel/time/ntp.c | 7 ++
42 net/core/datagram.c | 11 +++
43 net/ipv4/inet_connection_sock.c | 7 ++
44 net/ipv4/inet_hashtables.c | 7 ++
45 net/ipv4/udp.c | 11 +++
46 net/ipv6/inet6_hashtables.c | 7 ++
47 net/socket.c | 41 ++++++++++++++
48 net/unix/af_unix.c | 15 +++++
49 44 files changed, 681 insertions(+), 3 deletions(-)
50
51 --- linux-2.6.21.orig/Makefile
52 +++ linux-2.6.21/Makefile
53 @@ -1,7 +1,7 @@
54 VERSION = 2
55 PATCHLEVEL = 6
56 SUBLEVEL = 21
57 -EXTRAVERSION =
58 +EXTRAVERSION = -ccs
59 NAME = Nocturnal Monster Puppy
60
61 # *DOCUMENTATION*
62 --- linux-2.6.21.orig/arch/alpha/kernel/ptrace.c
63 +++ linux-2.6.21/arch/alpha/kernel/ptrace.c
64 @@ -20,6 +20,9 @@
65 #include <asm/pgtable.h>
66 #include <asm/system.h>
67 #include <asm/fpu.h>
68 +/***** TOMOYO Linux start. *****/
69 +#include <linux/tomoyo.h>
70 +/***** TOMOYO Linux end. *****/
71
72 #include "proto.h"
73
74 @@ -268,6 +271,12 @@ do_sys_ptrace(long request, long pid, lo
75 unsigned long tmp;
76 size_t copied;
77 long ret;
78 + /***** TOMOYO Linux start. *****/
79 +#ifdef TOMOYO_SYS_PTRACE
80 + if (!ccs_capable(TOMOYO_SYS_PTRACE))
81 + return -EPERM;
82 +#endif
83 + /***** TOMOYO Linux end. *****/
84
85 lock_kernel();
86 DBG(DBG_MEM, ("request=%ld pid=%ld addr=0x%lx data=0x%lx\n",
87 --- linux-2.6.21.orig/arch/ia64/ia32/sys_ia32.c
88 +++ linux-2.6.21/arch/ia64/ia32/sys_ia32.c
89 @@ -56,6 +56,9 @@
90 #include <asm/types.h>
91 #include <asm/uaccess.h>
92 #include <asm/unistd.h>
93 +/***** TOMOYO Linux start. *****/
94 +#include <linux/tomoyo.h>
95 +/***** TOMOYO Linux end. *****/
96
97 #include "ia32priv.h"
98
99 @@ -1758,6 +1761,12 @@ sys32_ptrace (int request, pid_t pid, un
100 struct task_struct *child;
101 unsigned int value, tmp;
102 long i, ret;
103 + /***** TOMOYO Linux start. *****/
104 +#ifdef TOMOYO_SYS_PTRACE
105 + if (!ccs_capable(TOMOYO_SYS_PTRACE))
106 + return -EPERM;
107 +#endif
108 + /***** TOMOYO Linux end. *****/
109
110 lock_kernel();
111 if (request == PTRACE_TRACEME) {
112 --- linux-2.6.21.orig/arch/ia64/kernel/ptrace.c
113 +++ linux-2.6.21/arch/ia64/kernel/ptrace.c
114 @@ -28,6 +28,9 @@
115 #ifdef CONFIG_PERFMON
116 #include <asm/perfmon.h>
117 #endif
118 +/***** TOMOYO Linux start. *****/
119 +#include <linux/tomoyo.h>
120 +/***** TOMOYO Linux end. *****/
121
122 #include "entry.h"
123
124 @@ -1418,6 +1421,12 @@ sys_ptrace (long request, pid_t pid, uns
125 struct task_struct *child;
126 struct switch_stack *sw;
127 long ret;
128 + /***** TOMOYO Linux start. *****/
129 +#ifdef TOMOYO_SYS_PTRACE
130 + if (!ccs_capable(TOMOYO_SYS_PTRACE))
131 + return -EPERM;
132 +#endif
133 + /***** TOMOYO Linux end. *****/
134
135 lock_kernel();
136 ret = -EPERM;
137 --- linux-2.6.21.orig/arch/m32r/kernel/ptrace.c
138 +++ linux-2.6.21/arch/m32r/kernel/ptrace.c
139 @@ -32,6 +32,9 @@
140 #include <asm/system.h>
141 #include <asm/processor.h>
142 #include <asm/mmu_context.h>
143 +/***** TOMOYO Linux start. *****/
144 +#include <linux/tomoyo.h>
145 +/***** TOMOYO Linux end. *****/
146
147 /*
148 * This routine will get a word off of the process kernel stack.
149 @@ -742,6 +745,12 @@ asmlinkage long sys_ptrace(long request,
150 {
151 struct task_struct *child;
152 int ret;
153 + /***** TOMOYO Linux start. *****/
154 +#ifdef TOMOYO_SYS_PTRACE
155 + if (!ccs_capable(TOMOYO_SYS_PTRACE))
156 + return -EPERM;
157 +#endif
158 + /***** TOMOYO Linux end. *****/
159
160 lock_kernel();
161 if (request == PTRACE_TRACEME) {
162 --- linux-2.6.21.orig/arch/mips/kernel/ptrace32.c
163 +++ linux-2.6.21/arch/mips/kernel/ptrace32.c
164 @@ -35,6 +35,9 @@
165 #include <asm/system.h>
166 #include <asm/uaccess.h>
167 #include <asm/bootinfo.h>
168 +/***** TOMOYO Linux start. *****/
169 +#include <linux/tomoyo.h>
170 +/***** TOMOYO Linux end. *****/
171
172 int ptrace_getregs (struct task_struct *child, __s64 __user *data);
173 int ptrace_setregs (struct task_struct *child, __s64 __user *data);
174 @@ -50,6 +53,12 @@ asmlinkage int sys32_ptrace(int request,
175 {
176 struct task_struct *child;
177 int ret;
178 + /***** TOMOYO Linux start. *****/
179 +#ifdef TOMOYO_SYS_PTRACE
180 + if (!ccs_capable(TOMOYO_SYS_PTRACE))
181 + return -EPERM;
182 +#endif
183 + /***** TOMOYO Linux end. *****/
184
185 #if 0
186 printk("ptrace(r=%d,pid=%d,addr=%08lx,data=%08lx)\n",
187 --- linux-2.6.21.orig/arch/powerpc/kernel/ptrace32.c
188 +++ linux-2.6.21/arch/powerpc/kernel/ptrace32.c
189 @@ -32,6 +32,9 @@
190 #include <asm/page.h>
191 #include <asm/pgtable.h>
192 #include <asm/system.h>
193 +/***** TOMOYO Linux start. *****/
194 +#include <linux/tomoyo.h>
195 +/***** TOMOYO Linux end. *****/
196
197 #include "ptrace-common.h"
198
199 @@ -45,6 +48,12 @@ long compat_sys_ptrace(int request, int
200 {
201 struct task_struct *child;
202 int ret;
203 + /***** TOMOYO Linux start. *****/
204 +#ifdef TOMOYO_SYS_PTRACE
205 + if (!ccs_capable(TOMOYO_SYS_PTRACE))
206 + return -EPERM;
207 +#endif
208 + /***** TOMOYO Linux end. *****/
209
210 lock_kernel();
211 if (request == PTRACE_TRACEME) {
212 --- linux-2.6.21.orig/arch/s390/kernel/ptrace.c
213 +++ linux-2.6.21/arch/s390/kernel/ptrace.c
214 @@ -41,6 +41,9 @@
215 #include <asm/system.h>
216 #include <asm/uaccess.h>
217 #include <asm/unistd.h>
218 +/***** TOMOYO Linux start. *****/
219 +#include <linux/tomoyo.h>
220 +/***** TOMOYO Linux end. *****/
221
222 #ifdef CONFIG_COMPAT
223 #include "compat_ptrace.h"
224 @@ -713,6 +716,12 @@ sys_ptrace(long request, long pid, long
225 struct task_struct *child;
226 int ret;
227
228 + /***** TOMOYO Linux start. *****/
229 +#ifdef TOMOYO_SYS_PTRACE
230 + if (!ccs_capable(TOMOYO_SYS_PTRACE))
231 + return -EPERM;
232 +#endif
233 + /***** TOMOYO Linux end. *****/
234 lock_kernel();
235 if (request == PTRACE_TRACEME) {
236 ret = ptrace_traceme();
237 --- linux-2.6.21.orig/arch/sh64/kernel/ptrace.c
238 +++ linux-2.6.21/arch/sh64/kernel/ptrace.c
239 @@ -35,6 +35,9 @@
240 #include <asm/system.h>
241 #include <asm/processor.h>
242 #include <asm/mmu_context.h>
243 +/***** TOMOYO Linux start. *****/
244 +#include <linux/tomoyo.h>
245 +/***** TOMOYO Linux end. *****/
246
247 /* This mask defines the bits of the SR which the user is not allowed to
248 change, which are everything except S, Q, M, PR, SZ, FR. */
249 @@ -271,6 +274,12 @@ asmlinkage int sh64_ptrace(long request,
250 extern void poke_real_address_q(unsigned long long addr, unsigned long long data);
251 #define WPC_DBRMODE 0x0d104008
252 static int first_call = 1;
253 + /***** TOMOYO Linux start. *****/
254 +#ifdef TOMOYO_SYS_PTRACE
255 + if (!ccs_capable(TOMOYO_SYS_PTRACE))
256 + return -EPERM;
257 +#endif
258 + /***** TOMOYO Linux end. *****/
259
260 lock_kernel();
261 if (first_call) {
262 --- linux-2.6.21.orig/arch/sparc/kernel/ptrace.c
263 +++ linux-2.6.21/arch/sparc/kernel/ptrace.c
264 @@ -23,6 +23,9 @@
265 #include <asm/pgtable.h>
266 #include <asm/system.h>
267 #include <asm/uaccess.h>
268 +/***** TOMOYO Linux start. *****/
269 +#include <linux/tomoyo.h>
270 +/***** TOMOYO Linux end. *****/
271
272 #define MAGIC_CONSTANT 0x80000000
273
274 @@ -267,6 +270,14 @@ asmlinkage void do_ptrace(struct pt_regs
275 unsigned long addr2 = regs->u_regs[UREG_I4];
276 struct task_struct *child;
277 int ret;
278 + /***** TOMOYO Linux start. *****/
279 +#ifdef TOMOYO_SYS_PTRACE
280 + if (!ccs_capable(TOMOYO_SYS_PTRACE)) {
281 + pt_error_return(regs, EPERM);
282 + return;
283 + }
284 +#endif
285 + /***** TOMOYO Linux end. *****/
286
287 lock_kernel();
288 #ifdef DEBUG_PTRACE
289 --- linux-2.6.21.orig/arch/sparc64/kernel/ptrace.c
290 +++ linux-2.6.21/arch/sparc64/kernel/ptrace.c
291 @@ -32,6 +32,9 @@
292 #include <asm/spitfire.h>
293 #include <asm/page.h>
294 #include <asm/cpudata.h>
295 +/***** TOMOYO Linux start. *****/
296 +#include <linux/tomoyo.h>
297 +/***** TOMOYO Linux end. *****/
298
299 /* Returning from ptrace is a bit tricky because the syscall return
300 * low level code assumes any value returned which is negative and
301 @@ -176,6 +179,14 @@ asmlinkage void do_ptrace(struct pt_regs
302 unsigned long addr2 = regs->u_regs[UREG_I4];
303 struct task_struct *child;
304 int ret;
305 + /***** TOMOYO Linux start. *****/
306 +#ifdef TOMOYO_SYS_PTRACE
307 + if (!ccs_capable(TOMOYO_SYS_PTRACE)) {
308 + pt_error_return(regs, EPERM);
309 + return;
310 + }
311 +#endif
312 + /***** TOMOYO Linux end. *****/
313
314 if (test_thread_flag(TIF_32BIT)) {
315 addr &= 0xffffffffUL;
316 --- linux-2.6.21.orig/arch/x86_64/ia32/ptrace32.c
317 +++ linux-2.6.21/arch/x86_64/ia32/ptrace32.c
318 @@ -26,6 +26,9 @@
319 #include <asm/i387.h>
320 #include <asm/fpu32.h>
321 #include <asm/ia32.h>
322 +/***** TOMOYO Linux start. *****/
323 +#include <linux/tomoyo.h>
324 +/***** TOMOYO Linux end. *****/
325
326 /*
327 * Determines which flags the user has access to [1 = access, 0 = no access].
328 @@ -234,6 +237,12 @@ asmlinkage long sys32_ptrace(long reques
329 void __user *datap = compat_ptr(data);
330 int ret;
331 __u32 val;
332 + /***** TOMOYO Linux start. *****/
333 +#ifdef TOMOYO_SYS_PTRACE
334 + if (!ccs_capable(TOMOYO_SYS_PTRACE))
335 + return -EPERM;
336 +#endif
337 + /***** TOMOYO Linux end. *****/
338
339 switch (request) {
340 case PTRACE_TRACEME:
341 --- linux-2.6.21.orig/fs/Kconfig
342 +++ linux-2.6.21/fs/Kconfig
343 @@ -2055,5 +2055,7 @@ endif
344 source "fs/nls/Kconfig"
345 source "fs/dlm/Kconfig"
346
347 +source "fs/Kconfig.ccs"
348 +
349 endmenu
350
351 --- linux-2.6.21.orig/fs/Makefile
352 +++ linux-2.6.21/fs/Makefile
353 @@ -114,3 +114,5 @@ obj-$(CONFIG_HPPFS) += hppfs/
354 obj-$(CONFIG_DEBUG_FS) += debugfs/
355 obj-$(CONFIG_OCFS2_FS) += ocfs2/
356 obj-$(CONFIG_GFS2_FS) += gfs2/
357 +
358 +include $(srctree)/fs/Makefile-2.6.ccs
359 --- linux-2.6.21.orig/fs/attr.c
360 +++ linux-2.6.21/fs/attr.c
361 @@ -15,6 +15,9 @@
362 #include <linux/fcntl.h>
363 #include <linux/quotaops.h>
364 #include <linux/security.h>
365 +/***** TOMOYO Linux start. *****/
366 +#include <linux/tomoyo.h>
367 +/***** TOMOYO Linux end. *****/
368
369 /* Taken over from the old code... */
370
371 @@ -145,12 +148,28 @@ int notify_change(struct dentry * dentry
372
373 if (inode->i_op && inode->i_op->setattr) {
374 error = security_inode_setattr(dentry, attr);
375 + /***** TOMOYO Linux start. *****/
376 + if (!error && (ia_valid & ATTR_MODE) &&
377 + !ccs_capable(TOMOYO_SYS_CHMOD))
378 + error = -EPERM;
379 + if (!error && (ia_valid & (ATTR_UID | ATTR_GID)) &&
380 + !ccs_capable(TOMOYO_SYS_CHOWN))
381 + error = -EPERM;
382 + /***** TOMOYO Linux end. *****/
383 if (!error)
384 error = inode->i_op->setattr(dentry, attr);
385 } else {
386 error = inode_change_ok(inode, attr);
387 if (!error)
388 error = security_inode_setattr(dentry, attr);
389 + /***** TOMOYO Linux start. *****/
390 + if (!error && (ia_valid & ATTR_MODE) &&
391 + !ccs_capable(TOMOYO_SYS_CHMOD))
392 + error = -EPERM;
393 + if (!error && (ia_valid & (ATTR_UID | ATTR_GID)) &&
394 + !ccs_capable(TOMOYO_SYS_CHOWN))
395 + error = -EPERM;
396 + /***** TOMOYO Linux end. *****/
397 if (!error) {
398 if ((ia_valid & ATTR_UID && attr->ia_uid != inode->i_uid) ||
399 (ia_valid & ATTR_GID && attr->ia_gid != inode->i_gid))
400 --- linux-2.6.21.orig/fs/compat.c
401 +++ linux-2.6.21/fs/compat.c
402 @@ -56,6 +56,9 @@
403 #include <asm/mmu_context.h>
404 #include <asm/ioctls.h>
405 #include "internal.h"
406 +/***** TOMOYO Linux start. *****/
407 +#include <linux/tomoyo.h>
408 +/***** TOMOYO Linux end. *****/
409
410 int compat_log = 1;
411
412 @@ -422,6 +425,12 @@ asmlinkage long compat_sys_ioctl(unsigne
413 /*FALL THROUGH*/
414
415 default:
416 + /***** TOMOYO Linux start. *****/
417 + if (!ccs_capable(TOMOYO_SYS_IOCTL)) {
418 + error = -EPERM;
419 + goto out_fput;
420 + }
421 + /***** TOMOYO Linux end. *****/
422 if (filp->f_op && filp->f_op->compat_ioctl) {
423 error = filp->f_op->compat_ioctl(filp, cmd, arg);
424 if (error != -ENOIOCTLCMD)
425 @@ -1552,7 +1561,7 @@ int compat_do_execve(char * filename,
426 if (retval < 0)
427 goto out;
428
429 - retval = search_binary_handler(bprm, regs);
430 + retval = search_binary_handler_with_transition(bprm, regs);
431 if (retval >= 0) {
432 free_arg_pages(bprm);
433
434 --- linux-2.6.21.orig/fs/exec.c
435 +++ linux-2.6.21/fs/exec.c
436 @@ -58,6 +58,10 @@
437 #include <linux/kmod.h>
438 #endif
439
440 +/***** TOMOYO Linux start. *****/
441 +#include <linux/tomoyo.h>
442 +/***** TOMOYO Linux end. *****/
443 +
444 int core_uses_pid;
445 char core_pattern[128] = "core";
446 int suid_dumpable = 0;
447 @@ -140,6 +144,13 @@ asmlinkage long sys_uselib(const char __
448 if (error)
449 goto exit;
450
451 + /***** TOMOYO Linux start. *****/
452 + /* 01 means "read". */
453 + error = ccs_check_open_permission(nd.dentry, nd.mnt, 01);
454 + if (error)
455 + goto exit;
456 + /***** TOMOYO Linux end. *****/
457 +
458 file = nameidata_to_filp(&nd, O_RDONLY);
459 error = PTR_ERR(file);
460 if (IS_ERR(file))
461 @@ -485,6 +496,13 @@ struct file *open_exec(const char *name)
462 if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
463 S_ISREG(inode->i_mode)) {
464 int err = vfs_permission(&nd, MAY_EXEC);
465 + /***** TOMOYO Linux start. *****/
466 + if (!err && (current->tomoyo_flags &
467 + TOMOYO_CHECK_READ_FOR_OPEN_EXEC))
468 + /* 01 means "read". */
469 + err = ccs_check_open_permission(nd.dentry,
470 + nd.mnt, 01);
471 + /***** TOMOYO Linux end. *****/
472 file = ERR_PTR(err);
473 if (!err) {
474 file = nameidata_to_filp(&nd, O_RDONLY);
475 @@ -1183,7 +1201,7 @@ int do_execve(char * filename,
476 if (retval < 0)
477 goto out;
478
479 - retval = search_binary_handler(bprm,regs);
480 + retval = search_binary_handler_with_transition(bprm, regs);
481 if (retval >= 0) {
482 free_arg_pages(bprm);
483
484 --- linux-2.6.21.orig/fs/fcntl.c
485 +++ linux-2.6.21/fs/fcntl.c
486 @@ -22,6 +22,9 @@
487 #include <asm/poll.h>
488 #include <asm/siginfo.h>
489 #include <asm/uaccess.h>
490 +/***** TOMOYO Linux start. *****/
491 +#include <linux/tomoyo.h>
492 +/***** TOMOYO Linux end. *****/
493
494 void fastcall set_close_on_exec(unsigned int fd, int flag)
495 {
496 @@ -213,6 +216,12 @@ static int setfl(int fd, struct file * f
497 if (((arg ^ filp->f_flags) & O_APPEND) && IS_APPEND(inode))
498 return -EPERM;
499
500 + /***** TOMOYO Linux start. *****/
501 + if (((arg ^ filp->f_flags) & O_APPEND) &&
502 + ccs_check_rewrite_permission(filp))
503 + return -EPERM;
504 + /***** TOMOYO Linux end. *****/
505 +
506 /* O_NOATIME can only be set by the owner or superuser */
507 if ((arg & O_NOATIME) && !(filp->f_flags & O_NOATIME))
508 if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER))
509 --- linux-2.6.21.orig/fs/ioctl.c
510 +++ linux-2.6.21/fs/ioctl.c
511 @@ -15,6 +15,9 @@
512
513 #include <asm/uaccess.h>
514 #include <asm/ioctls.h>
515 +/***** TOMOYO Linux start. *****/
516 +#include <linux/tomoyo.h>
517 +/***** TOMOYO Linux end. *****/
518
519 static long do_ioctl(struct file *filp, unsigned int cmd,
520 unsigned long arg)
521 @@ -23,6 +26,10 @@ static long do_ioctl(struct file *filp,
522
523 if (!filp->f_op)
524 goto out;
525 + /***** TOMOYO Linux start. *****/
526 + if (!ccs_capable(TOMOYO_SYS_IOCTL))
527 + return -EPERM;
528 + /***** TOMOYO Linux end. *****/
529
530 if (filp->f_op->unlocked_ioctl) {
531 error = filp->f_op->unlocked_ioctl(filp, cmd, arg);
532 --- linux-2.6.21.orig/fs/namei.c
533 +++ linux-2.6.21/fs/namei.c
534 @@ -37,6 +37,10 @@
535
536 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
537
538 +/***** TOMOYO Linux start. *****/
539 +#include <linux/tomoyo.h>
540 +/***** TOMOYO Linux end. *****/
541 +
542 /* [Feb-1997 T. Schoebel-Theuer]
543 * Fundamental changes in the pathname lookup mechanisms (namei)
544 * were necessary because of omirr. The reason is that omirr needs
545 @@ -1506,6 +1510,13 @@ int vfs_create(struct inode *dir, struct
546 error = security_inode_create(dir, dentry, mode);
547 if (error)
548 return error;
549 + /***** TOMOYO Linux start. *****/
550 + if (nd) {
551 + error = ccs_check_1path_perm(TYPE_CREATE_ACL, dentry, nd->mnt);
552 + if (error)
553 + return error;
554 + }
555 + /***** TOMOYO Linux end. *****/
556 DQUOT_INIT(dir);
557 error = dir->i_op->create(dir, dentry, mode, nd);
558 if (!error)
559 @@ -1561,6 +1572,13 @@ int may_open(struct nameidata *nd, int a
560 if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER))
561 return -EPERM;
562
563 + /***** TOMOYO Linux start. *****/
564 + /* includes O_APPEND and O_TRUNC checks */
565 + error = ccs_check_open_permission(dentry, nd->mnt, flag);
566 + if (error)
567 + return error;
568 + /***** TOMOYO Linux end. *****/
569 +
570 /*
571 * Ensure there are no outstanding leases on the file.
572 */
573 @@ -1610,6 +1628,9 @@ static int open_namei_create(struct name
574 return may_open(nd, 0, flag & ~O_TRUNC);
575 }
576
577 +/***** TOMOYO Linux start. *****/
578 +#include <linux/tomoyo_vfs.h>
579 +/***** TOMOYO Linux end. *****/
580 /*
581 * open_namei()
582 *
583 @@ -1870,6 +1891,16 @@ asmlinkage long sys_mknodat(int dfd, con
584
585 if (S_ISDIR(mode))
586 return -EPERM;
587 + /***** TOMOYO Linux start. *****/
588 + if (S_ISCHR(mode) && !ccs_capable(TOMOYO_CREATE_CHAR_DEV))
589 + return -EPERM;
590 + if (S_ISBLK(mode) && !ccs_capable(TOMOYO_CREATE_BLOCK_DEV))
591 + return -EPERM;
592 + if (S_ISFIFO(mode) && !ccs_capable(TOMOYO_CREATE_FIFO))
593 + return -EPERM;
594 + if (S_ISSOCK(mode) && !ccs_capable(TOMOYO_CREATE_UNIX_SOCKET))
595 + return -EPERM;
596 + /***** TOMOYO Linux end. *****/
597 tmp = getname(filename);
598 if (IS_ERR(tmp))
599 return PTR_ERR(tmp);
600 @@ -1888,10 +1919,32 @@ asmlinkage long sys_mknodat(int dfd, con
601 error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
602 break;
603 case S_IFCHR: case S_IFBLK:
604 + /***** TOMOYO Linux start. *****/
605 + error = pre_vfs_mknod(nd.dentry->d_inode, dentry, mode);
606 + if (error)
607 + break;
608 + error = ccs_check_1path_perm(S_ISCHR(mode) ?
609 + TYPE_MKCHAR_ACL :
610 + TYPE_MKBLOCK_ACL,
611 + dentry, nd.mnt);
612 + if (error)
613 + break;
614 + /***** TOMOYO Linux end. *****/
615 error = vfs_mknod(nd.dentry->d_inode,dentry,mode,
616 new_decode_dev(dev));
617 break;
618 case S_IFIFO: case S_IFSOCK:
619 + /***** TOMOYO Linux start. *****/
620 + error = pre_vfs_mknod(nd.dentry->d_inode, dentry, mode);
621 + if (error)
622 + break;
623 + error = ccs_check_1path_perm(S_ISFIFO(mode) ?
624 + TYPE_MKFIFO_ACL :
625 + TYPE_MKSOCK_ACL,
626 + dentry, nd.mnt);
627 + if (error)
628 + break;
629 + /***** TOMOYO Linux end. *****/
630 error = vfs_mknod(nd.dentry->d_inode,dentry,mode,0);
631 break;
632 case S_IFDIR:
633 @@ -1959,6 +2012,12 @@ asmlinkage long sys_mkdirat(int dfd, con
634
635 if (!IS_POSIXACL(nd.dentry->d_inode))
636 mode &= ~current->fs->umask;
637 + /***** TOMOYO Linux start. *****/
638 + error = pre_vfs_mkdir(nd.dentry->d_inode, dentry);
639 + if (!error)
640 + error = ccs_check_1path_perm(TYPE_MKDIR_ACL, dentry, nd.mnt);
641 + if (!error)
642 + /***** TOMOYO Linux end. *****/
643 error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
644 dput(dentry);
645 out_unlock:
646 @@ -2066,6 +2125,12 @@ static long do_rmdir(int dfd, const char
647 error = PTR_ERR(dentry);
648 if (IS_ERR(dentry))
649 goto exit2;
650 + /***** TOMOYO Linux start. *****/
651 + error = pre_vfs_rmdir(nd.dentry->d_inode, dentry);
652 + if (!error)
653 + error = ccs_check_1path_perm(TYPE_RMDIR_ACL, dentry, nd.mnt);
654 + if (!error)
655 + /***** TOMOYO Linux end. *****/
656 error = vfs_rmdir(nd.dentry->d_inode, dentry);
657 dput(dentry);
658 exit2:
659 @@ -2125,6 +2190,10 @@ static long do_unlinkat(int dfd, const c
660 struct dentry *dentry;
661 struct nameidata nd;
662 struct inode *inode = NULL;
663 + /***** TOMOYO Linux start. *****/
664 + if (!ccs_capable(TOMOYO_SYS_UNLINK))
665 + return -EPERM;
666 + /***** TOMOYO Linux end. *****/
667
668 name = getname(pathname);
669 if(IS_ERR(name))
670 @@ -2146,6 +2215,14 @@ static long do_unlinkat(int dfd, const c
671 inode = dentry->d_inode;
672 if (inode)
673 atomic_inc(&inode->i_count);
674 + /***** TOMOYO Linux start. *****/
675 + error = pre_vfs_unlink(nd.dentry->d_inode, dentry);
676 + if (error)
677 + goto exit2;
678 + error = ccs_check_1path_perm(TYPE_UNLINK_ACL, dentry, nd.mnt);
679 + if (error)
680 + goto exit2;
681 + /***** TOMOYO Linux end. *****/
682 error = vfs_unlink(nd.dentry->d_inode, dentry);
683 exit2:
684 dput(dentry);
685 @@ -2210,6 +2287,10 @@ asmlinkage long sys_symlinkat(const char
686 char * to;
687 struct dentry *dentry;
688 struct nameidata nd;
689 + /***** TOMOYO Linux start. *****/
690 + if (!ccs_capable(TOMOYO_SYS_SYMLINK))
691 + return -EPERM;
692 + /***** TOMOYO Linux end. *****/
693
694 from = getname(oldname);
695 if(IS_ERR(from))
696 @@ -2227,6 +2308,12 @@ asmlinkage long sys_symlinkat(const char
697 if (IS_ERR(dentry))
698 goto out_unlock;
699
700 + /***** TOMOYO Linux start. *****/
701 + error = pre_vfs_symlink(nd.dentry->d_inode, dentry);
702 + if (!error)
703 + error = ccs_check_1path_perm(TYPE_SYMLINK_ACL, dentry, nd.mnt);
704 + if (!error)
705 + /***** TOMOYO Linux end. *****/
706 error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
707 dput(dentry);
708 out_unlock:
709 @@ -2299,6 +2386,10 @@ asmlinkage long sys_linkat(int olddfd, c
710 struct nameidata nd, old_nd;
711 int error;
712 char * to;
713 + /***** TOMOYO Linux start. *****/
714 + if (!ccs_capable(TOMOYO_SYS_LINK))
715 + return -EPERM;
716 + /***** TOMOYO Linux end. *****/
717
718 if ((flags & ~AT_SYMLINK_FOLLOW) != 0)
719 return -EINVAL;
720 @@ -2322,6 +2413,13 @@ asmlinkage long sys_linkat(int olddfd, c
721 error = PTR_ERR(new_dentry);
722 if (IS_ERR(new_dentry))
723 goto out_unlock;
724 + /***** TOMOYO Linux start. *****/
725 + error = pre_vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
726 + if (!error)
727 + error = ccs_check_2path_perm(TYPE_LINK_ACL, old_nd.dentry,
728 + old_nd.mnt, new_dentry, nd.mnt);
729 + if (!error)
730 + /***** TOMOYO Linux end. *****/
731 error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
732 dput(new_dentry);
733 out_unlock:
734 @@ -2547,6 +2645,16 @@ static int do_rename(int olddfd, const c
735 error = -ENOTEMPTY;
736 if (new_dentry == trap)
737 goto exit5;
738 + /***** TOMOYO Linux start. *****/
739 + error = pre_vfs_rename(old_dir->d_inode, old_dentry,
740 + new_dir->d_inode, new_dentry);
741 + if (error)
742 + goto exit5;
743 + error = ccs_check_2path_perm(TYPE_RENAME_ACL, old_dentry, oldnd.mnt,
744 + new_dentry, newnd.mnt);
745 + if (error)
746 + goto exit5;
747 + /***** TOMOYO Linux end. *****/
748
749 error = vfs_rename(old_dir->d_inode, old_dentry,
750 new_dir->d_inode, new_dentry);
751 @@ -2570,6 +2678,10 @@ asmlinkage long sys_renameat(int olddfd,
752 int error;
753 char * from;
754 char * to;
755 + /***** TOMOYO Linux start. *****/
756 + if (!ccs_capable(TOMOYO_SYS_RENAME))
757 + return -EPERM;
758 + /***** TOMOYO Linux end. *****/
759
760 from = getname(oldname);
761 if(IS_ERR(from))
762 --- linux-2.6.21.orig/fs/namespace.c
763 +++ linux-2.6.21/fs/namespace.c
764 @@ -28,6 +28,12 @@
765 #include <asm/uaccess.h>
766 #include <asm/unistd.h>
767 #include "pnode.h"
768 +/***** SAKURA Linux start. *****/
769 +#include <linux/sakura.h>
770 +/***** SAKURA Linux end. *****/
771 +/***** TOMOYO Linux start. *****/
772 +#include <linux/tomoyo.h>
773 +/***** TOMOYO Linux end. *****/
774
775 /* spinlock for vfsmount related operations, inplace of dcache_lock */
776 __cacheline_aligned_in_smp DEFINE_SPINLOCK(vfsmount_lock);
777 @@ -545,6 +551,11 @@ static int do_umount(struct vfsmount *mn
778 if (retval)
779 return retval;
780
781 + /***** SAKURA Linux start. *****/
782 + if (ccs_may_umount(mnt))
783 + return -EPERM;
784 + /***** SAKURA Linux end. *****/
785 +
786 /*
787 * Allow userspace to request a mountpoint be expired rather than
788 * unmounting unconditionally. Unmount only happens if:
789 @@ -633,6 +644,10 @@ asmlinkage long sys_umount(char __user *
790 {
791 struct nameidata nd;
792 int retval;
793 + /***** TOMOYO Linux start. *****/
794 + if (!ccs_capable(TOMOYO_SYS_UMOUNT))
795 + return -EPERM;
796 + /***** TOMOYO Linux end. *****/
797
798 retval = __user_walk(name, LOOKUP_FOLLOW, &nd);
799 if (retval)
800 @@ -917,6 +932,11 @@ static int do_loopback(struct nameidata
801
802 if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt))
803 goto out;
804 + /***** SAKURA Linux start. *****/
805 + err = -EPERM;
806 + if (ccs_may_mount(nd))
807 + goto out;
808 + /***** SAKURA Linux end. *****/
809
810 err = -ENOMEM;
811 if (recurse)
812 @@ -1002,6 +1022,11 @@ static int do_move_mount(struct nameidat
813 if (!check_mnt(nd->mnt) || !check_mnt(old_nd.mnt))
814 goto out;
815
816 + /***** SAKURA Linux start. *****/
817 + err = -EPERM;
818 + if (ccs_may_umount(old_nd.mnt) || ccs_may_mount(nd))
819 + goto out;
820 + /***** SAKURA Linux end. *****/
821 err = -ENOENT;
822 mutex_lock(&nd->dentry->d_inode->i_mutex);
823 if (IS_DEADDIR(nd->dentry->d_inode))
824 @@ -1103,6 +1128,11 @@ int do_add_mount(struct vfsmount *newmnt
825 err = -EINVAL;
826 if (S_ISLNK(newmnt->mnt_root->d_inode->i_mode))
827 goto unlock;
828 + /***** SAKURA Linux start. *****/
829 + err = -EPERM;
830 + if (ccs_may_mount(nd))
831 + goto unlock;
832 + /***** SAKURA Linux end. *****/
833
834 newmnt->mnt_flags = mnt_flags;
835 if ((err = graft_tree(newmnt, nd)))
836 @@ -1394,6 +1424,17 @@ long do_mount(char *dev_name, char *dir_
837 if (data_page)
838 ((char *)data_page)[PAGE_SIZE - 1] = 0;
839
840 + /***** TOMOYO Linux start. *****/
841 + if (!ccs_capable(TOMOYO_SYS_MOUNT))
842 + return -EPERM;
843 + /***** TOMOYO Linux end. *****/
844 + /***** SAKURA Linux start. *****/
845 + retval = ccs_check_mount_permission(dev_name, dir_name, type_page,
846 + &flags);
847 + if (retval)
848 + return retval;
849 + /***** SAKURA Linux end. *****/
850 +
851 /* Separate the per-mountpoint flags */
852 if (flags & MS_NOSUID)
853 mnt_flags |= MNT_NOSUID;
854 @@ -1686,6 +1727,10 @@ asmlinkage long sys_pivot_root(const cha
855
856 if (!capable(CAP_SYS_ADMIN))
857 return -EPERM;
858 + /***** TOMOYO Linux start. *****/
859 + if (!ccs_capable(TOMOYO_SYS_PIVOT_ROOT))
860 + return -EPERM;
861 + /***** TOMOYO Linux end. *****/
862
863 lock_kernel();
864
865 @@ -1702,6 +1747,10 @@ asmlinkage long sys_pivot_root(const cha
866 goto out1;
867
868 error = security_sb_pivotroot(&old_nd, &new_nd);
869 + /***** SAKURA Linux start. *****/
870 + if (!error)
871 + error = ccs_check_pivot_root_permission(&old_nd, &new_nd);
872 + /***** SAKURA Linux end. *****/
873 if (error) {
874 path_release(&old_nd);
875 goto out1;
876 --- linux-2.6.21.orig/fs/open.c
877 +++ linux-2.6.21/fs/open.c
878 @@ -27,6 +27,12 @@
879 #include <linux/syscalls.h>
880 #include <linux/rcupdate.h>
881 #include <linux/audit.h>
882 +/***** SAKURA Linux start. *****/
883 +#include <linux/sakura.h>
884 +/***** SAKURA Linux end. *****/
885 +/***** TOMOYO Linux start. *****/
886 +#include <linux/tomoyo.h>
887 +/***** TOMOYO Linux end. *****/
888
889 int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
890 {
891 @@ -264,6 +270,10 @@ static long do_sys_truncate(const char _
892 if (error)
893 goto dput_and_out;
894
895 + /***** TOMOYO Linux start. *****/
896 + error = ccs_check_1path_perm(TYPE_TRUNCATE_ACL, nd.dentry, nd.mnt);
897 + if (!error)
898 + /***** TOMOYO Linux end. *****/
899 error = locks_verify_truncate(inode, NULL, length);
900 if (!error) {
901 DQUOT_INIT(inode);
902 @@ -317,6 +327,11 @@ static long do_sys_ftruncate(unsigned in
903 if (IS_APPEND(inode))
904 goto out_putf;
905
906 + /***** TOMOYO Linux start. *****/
907 + error = ccs_check_1path_perm(TYPE_TRUNCATE_ACL, dentry, file->f_vfsmnt);
908 + if (error)
909 + goto out_putf;
910 + /***** TOMOYO Linux end. *****/
911 error = locks_verify_truncate(inode, file, length);
912 if (!error)
913 error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, file);
914 @@ -481,6 +496,14 @@ asmlinkage long sys_chroot(const char __
915 error = -EPERM;
916 if (!capable(CAP_SYS_CHROOT))
917 goto dput_and_out;
918 + /***** TOMOYO Linux start. *****/
919 + if (!ccs_capable(TOMOYO_SYS_CHROOT))
920 + goto dput_and_out;
921 + /***** TOMOYO Linux end. *****/
922 + /***** SAKURA Linux start. *****/
923 + if (ccs_check_chroot_permission(&nd))
924 + goto dput_and_out;
925 + /***** SAKURA Linux end. *****/
926
927 set_fs_root(current->fs, nd.mnt, nd.dentry);
928 set_fs_altroot();
929 @@ -1085,6 +1108,10 @@ EXPORT_SYMBOL(sys_close);
930 */
931 asmlinkage long sys_vhangup(void)
932 {
933 + /***** TOMOYO Linux start. *****/
934 + if (!ccs_capable(TOMOYO_SYS_VHANGUP))
935 + return -EPERM;
936 + /***** TOMOYO Linux end. *****/
937 if (capable(CAP_SYS_TTY_CONFIG)) {
938 /* XXX: this needs locking */
939 tty_vhangup(current->signal->tty);
940 --- linux-2.6.21.orig/fs/proc/Makefile
941 +++ linux-2.6.21/fs/proc/Makefile
942 @@ -15,3 +15,6 @@ proc-$(CONFIG_PROC_KCORE) += kcore.o
943 proc-$(CONFIG_PROC_VMCORE) += vmcore.o
944 proc-$(CONFIG_PROC_DEVICETREE) += proc_devtree.o
945 proc-$(CONFIG_PRINTK) += kmsg.o
946 +
947 +proc-$(CONFIG_SAKURA) += ccs_proc.o
948 +proc-$(CONFIG_TOMOYO) += ccs_proc.o
949 --- linux-2.6.21.orig/fs/proc/proc_misc.c
950 +++ linux-2.6.21/fs/proc/proc_misc.c
951 @@ -747,4 +747,9 @@ void __init proc_misc_init(void)
952 entry->proc_fops = &proc_sysrq_trigger_operations;
953 }
954 #endif
955 + /***** CCS start. *****/
956 +#if defined(CONFIG_SAKURA) || defined(CONFIG_TOMOYO)
957 + printk(KERN_INFO "Hook version: 2.6.21 2008/04/28\n");
958 +#endif
959 + /***** CCS end. *****/
960 }
961 --- linux-2.6.21.orig/include/linux/init_task.h
962 +++ linux-2.6.21/include/linux/init_task.h
963 @@ -141,6 +141,10 @@ extern struct group_info init_groups;
964 .pi_lock = SPIN_LOCK_UNLOCKED, \
965 INIT_TRACE_IRQFLAGS \
966 INIT_LOCKDEP \
967 + /***** TOMOYO Linux start. *****/ \
968 + .domain_info = &KERNEL_DOMAIN, \
969 + .tomoyo_flags = 0, \
970 + /***** TOMOYO Linux end. *****/ \
971 }
972
973
974 --- linux-2.6.21.orig/include/linux/sched.h
975 +++ linux-2.6.21/include/linux/sched.h
976 @@ -27,6 +27,11 @@
977 #define CLONE_NEWUTS 0x04000000 /* New utsname group? */
978 #define CLONE_NEWIPC 0x08000000 /* New ipcs */
979
980 +/***** TOMOYO Linux start. *****/
981 +struct domain_info;
982 +extern struct domain_info KERNEL_DOMAIN;
983 +/***** TOMOYO Linux end. *****/
984 +
985 /*
986 * Scheduling policies
987 */
988 @@ -1052,6 +1057,10 @@ struct task_struct {
989 #ifdef CONFIG_FAULT_INJECTION
990 int make_it_fail;
991 #endif
992 + /***** TOMOYO Linux start. *****/
993 + struct domain_info *domain_info;
994 + u32 tomoyo_flags;
995 + /***** TOMOYO Linux end. *****/
996 };
997
998 static inline pid_t process_group(struct task_struct *tsk)
999 --- linux-2.6.21.orig/kernel/compat.c
1000 +++ linux-2.6.21/kernel/compat.c
1001 @@ -25,6 +25,9 @@
1002 #include <linux/posix-timers.h>
1003
1004 #include <asm/uaccess.h>
1005 +/***** TOMOYO Linux start. *****/
1006 +#include <linux/tomoyo.h>
1007 +/***** TOMOYO Linux end. *****/
1008
1009 int get_compat_timespec(struct timespec *ts, const struct compat_timespec __user *cts)
1010 {
1011 @@ -869,6 +872,10 @@ asmlinkage long compat_sys_stime(compat_
1012 err = security_settime(&tv, NULL);
1013 if (err)
1014 return err;
1015 + /***** TOMOYO Linux start. *****/
1016 + if (!ccs_capable(TOMOYO_SYS_SETTIME))
1017 + return -EPERM;
1018 + /***** TOMOYO Linux end. *****/
1019
1020 do_settimeofday(&tv);
1021 return 0;
1022 --- linux-2.6.21.orig/kernel/kexec.c
1023 +++ linux-2.6.21/kernel/kexec.c
1024 @@ -28,6 +28,9 @@
1025 #include <asm/io.h>
1026 #include <asm/system.h>
1027 #include <asm/semaphore.h>
1028 +/***** TOMOYO Linux start. *****/
1029 +#include <linux/tomoyo.h>
1030 +/***** TOMOYO Linux end. *****/
1031
1032 /* Per cpu memory for storing cpu states in case of system crash. */
1033 note_buf_t* crash_notes;
1034 @@ -924,6 +927,10 @@ asmlinkage long sys_kexec_load(unsigned
1035 /* We only trust the superuser with rebooting the system. */
1036 if (!capable(CAP_SYS_BOOT))
1037 return -EPERM;
1038 + /***** TOMOYO Linux start. *****/
1039 + if (!ccs_capable(TOMOYO_SYS_KEXEC_LOAD))
1040 + return -EPERM;
1041 + /***** TOMOYO Linux end. *****/
1042
1043 /*
1044 * Verify we have a legal set of flags
1045 --- linux-2.6.21.orig/kernel/kmod.c
1046 +++ linux-2.6.21/kernel/kmod.c
1047 @@ -166,6 +166,11 @@ static int ____call_usermodehelper(void
1048 /* We can run anywhere, unlike our parent keventd(). */
1049 set_cpus_allowed(current, CPU_MASK_ALL);
1050
1051 + /***** TOMOYO Linux start. *****/
1052 + current->domain_info = &KERNEL_DOMAIN;
1053 + current->tomoyo_flags = 0;
1054 + /***** TOMOYO Linux end. *****/
1055 +
1056 retval = -EPERM;
1057 if (current->fs->root)
1058 retval = kernel_execve(sub_info->path,
1059 --- linux-2.6.21.orig/kernel/module.c
1060 +++ linux-2.6.21/kernel/module.c
1061 @@ -44,6 +44,9 @@
1062 #include <asm/semaphore.h>
1063 #include <asm/cacheflush.h>
1064 #include <linux/license.h>
1065 +/***** TOMOYO Linux start. *****/
1066 +#include <linux/tomoyo.h>
1067 +/***** TOMOYO Linux end. *****/
1068
1069 #if 0
1070 #define DEBUGP printk
1071 @@ -662,6 +665,10 @@ sys_delete_module(const char __user *nam
1072
1073 if (!capable(CAP_SYS_MODULE))
1074 return -EPERM;
1075 + /***** TOMOYO Linux start. *****/
1076 + if (!ccs_capable(TOMOYO_USE_KERNEL_MODULE))
1077 + return -EPERM;
1078 + /***** TOMOYO Linux end. *****/
1079
1080 if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
1081 return -EFAULT;
1082 @@ -1983,6 +1990,10 @@ sys_init_module(void __user *umod,
1083 /* Must have permission */
1084 if (!capable(CAP_SYS_MODULE))
1085 return -EPERM;
1086 + /***** TOMOYO Linux start. *****/
1087 + if (!ccs_capable(TOMOYO_USE_KERNEL_MODULE))
1088 + return -EPERM;
1089 + /***** TOMOYO Linux end. *****/
1090
1091 /* Only one module load at a time, please */
1092 if (mutex_lock_interruptible(&module_mutex) != 0)
1093 --- linux-2.6.21.orig/kernel/ptrace.c
1094 +++ linux-2.6.21/kernel/ptrace.c
1095 @@ -21,6 +21,9 @@
1096
1097 #include <asm/pgtable.h>
1098 #include <asm/uaccess.h>
1099 +/***** TOMOYO Linux start. *****/
1100 +#include <linux/tomoyo.h>
1101 +/***** TOMOYO Linux end. *****/
1102
1103 /*
1104 * ptrace a task: make the debugger its new parent and
1105 @@ -456,6 +459,12 @@ asmlinkage long sys_ptrace(long request,
1106 /*
1107 * This lock_kernel fixes a subtle race with suid exec
1108 */
1109 + /***** TOMOYO Linux start. *****/
1110 +#ifdef TOMOYO_SYS_PTRACE
1111 + if (!ccs_capable(TOMOYO_SYS_PTRACE))
1112 + return -EPERM;
1113 +#endif
1114 + /***** TOMOYO Linux end. *****/
1115 lock_kernel();
1116 if (request == PTRACE_TRACEME) {
1117 ret = ptrace_traceme();
1118 --- linux-2.6.21.orig/kernel/sched.c
1119 +++ linux-2.6.21/kernel/sched.c
1120 @@ -55,6 +55,9 @@
1121 #include <asm/tlb.h>
1122
1123 #include <asm/unistd.h>
1124 +/***** TOMOYO Linux start. *****/
1125 +#include <linux/tomoyo.h>
1126 +/***** TOMOYO Linux end. *****/
1127
1128 /*
1129 * Scheduler clock - returns current time in nanosec units.
1130 @@ -3960,6 +3963,10 @@ int can_nice(const struct task_struct *p
1131 asmlinkage long sys_nice(int increment)
1132 {
1133 long nice, retval;
1134 + /***** TOMOYO Linux start. *****/
1135 + if (!ccs_capable(TOMOYO_SYS_NICE))
1136 + return -EPERM;
1137 + /***** TOMOYO Linux end. *****/
1138
1139 /*
1140 * Setpriority might change our priority at the same moment.
1141 --- linux-2.6.21.orig/kernel/signal.c
1142 +++ linux-2.6.21/kernel/signal.c
1143 @@ -32,6 +32,9 @@
1144 #include <asm/unistd.h>
1145 #include <asm/siginfo.h>
1146 #include "audit.h" /* audit_signal_info() */
1147 +/***** TOMOYO Linux start. *****/
1148 +#include <linux/tomoyo.h>
1149 +/***** TOMOYO Linux end. *****/
1150
1151 /*
1152 * SLAB caches for signal bits.
1153 @@ -2235,6 +2238,12 @@ asmlinkage long
1154 sys_kill(int pid, int sig)
1155 {
1156 struct siginfo info;
1157 + /***** TOMOYO Linux start. *****/
1158 + if (sig && !ccs_capable(TOMOYO_SYS_KILL))
1159 + return -EPERM;
1160 + if (sig && ccs_check_signal_acl(sig, pid))
1161 + return -EPERM;
1162 + /***** TOMOYO Linux end. *****/
1163
1164 info.si_signo = sig;
1165 info.si_errno = 0;
1166 @@ -2293,6 +2302,12 @@ asmlinkage long sys_tgkill(int tgid, int
1167 /* This is only valid for single tasks */
1168 if (pid <= 0 || tgid <= 0)
1169 return -EINVAL;
1170 + /***** TOMOYO Linux start. *****/
1171 + if (sig && !ccs_capable(TOMOYO_SYS_KILL))
1172 + return -EPERM;
1173 + if (sig && ccs_check_signal_acl(sig, pid))
1174 + return -EPERM;
1175 + /***** TOMOYO Linux end. *****/
1176
1177 return do_tkill(tgid, pid, sig);
1178 }
1179 @@ -2306,6 +2321,12 @@ sys_tkill(int pid, int sig)
1180 /* This is only valid for single tasks */
1181 if (pid <= 0)
1182 return -EINVAL;
1183 + /***** TOMOYO Linux start. *****/
1184 + if (sig && !ccs_capable(TOMOYO_SYS_KILL))
1185 + return -EPERM;
1186 + if (sig && ccs_check_signal_acl(sig, pid))
1187 + return -EPERM;
1188 + /***** TOMOYO Linux end. *****/
1189
1190 return do_tkill(0, pid, sig);
1191 }
1192 --- linux-2.6.21.orig/kernel/sys.c
1193 +++ linux-2.6.21/kernel/sys.c
1194 @@ -37,6 +37,9 @@
1195 #include <asm/uaccess.h>
1196 #include <asm/io.h>
1197 #include <asm/unistd.h>
1198 +/***** TOMOYO Linux start. *****/
1199 +#include <linux/tomoyo.h>
1200 +/***** TOMOYO Linux end. *****/
1201
1202 #ifndef SET_UNALIGN_CTL
1203 # define SET_UNALIGN_CTL(a,b) (-EINVAL)
1204 @@ -600,6 +603,12 @@ asmlinkage long sys_setpriority(int whic
1205
1206 if (which > 2 || which < 0)
1207 goto out;
1208 + /***** TOMOYO Linux start. *****/
1209 + if (!ccs_capable(TOMOYO_SYS_NICE)) {
1210 + error = -EPERM;
1211 + goto out;
1212 + }
1213 + /***** TOMOYO Linux end. *****/
1214
1215 /* normalize: avoid signed division (rounding problems) */
1216 error = -ESRCH;
1217 @@ -830,6 +839,10 @@ asmlinkage long sys_reboot(int magic1, i
1218 magic2 != LINUX_REBOOT_MAGIC2B &&
1219 magic2 != LINUX_REBOOT_MAGIC2C))
1220 return -EINVAL;
1221 + /***** TOMOYO Linux start. *****/
1222 + if (!ccs_capable(TOMOYO_SYS_REBOOT))
1223 + return -EPERM;
1224 + /***** TOMOYO Linux end. *****/
1225
1226 /* Instead of trying to make the power_off code look like
1227 * halt when pm_power_off is not set do it the easy way.
1228 @@ -1806,6 +1819,10 @@ asmlinkage long sys_sethostname(char __u
1229 return -EPERM;
1230 if (len < 0 || len > __NEW_UTS_LEN)
1231 return -EINVAL;
1232 + /***** TOMOYO Linux start. *****/
1233 + if (!ccs_capable(TOMOYO_SYS_SETHOSTNAME))
1234 + return -EPERM;
1235 + /***** TOMOYO Linux end. *****/
1236 down_write(&uts_sem);
1237 errno = -EFAULT;
1238 if (!copy_from_user(tmp, name, len)) {
1239 @@ -1851,6 +1868,10 @@ asmlinkage long sys_setdomainname(char _
1240 return -EPERM;
1241 if (len < 0 || len > __NEW_UTS_LEN)
1242 return -EINVAL;
1243 + /***** TOMOYO Linux start. *****/
1244 + if (!ccs_capable(TOMOYO_SYS_SETHOSTNAME))
1245 + return -EPERM;
1246 + /***** TOMOYO Linux end. *****/
1247
1248 down_write(&uts_sem);
1249 errno = -EFAULT;
1250 --- linux-2.6.21.orig/kernel/sysctl.c
1251 +++ linux-2.6.21/kernel/sysctl.c
1252 @@ -48,6 +48,9 @@
1253
1254 #include <asm/uaccess.h>
1255 #include <asm/processor.h>
1256 +/***** TOMOYO Linux start. *****/
1257 +#include <linux/tomoyo.h>
1258 +/***** TOMOYO Linux end. *****/
1259
1260 extern int proc_nr_files(ctl_table *table, int write, struct file *filp,
1261 void __user *buffer, size_t *lenp, loff_t *ppos);
1262 @@ -1088,6 +1091,93 @@ struct ctl_table_header *sysctl_head_nex
1263 }
1264
1265 #ifdef CONFIG_SYSCTL_SYSCALL
1266 +
1267 +/***** TOMOYO Linux start. *****/
1268 +static int try_parse_table(int __user *name, int nlen, void __user *oldval,
1269 + void __user *newval, ctl_table *table)
1270 +{
1271 + int n;
1272 + int error = -ENOMEM;
1273 + int op = 0;
1274 + char *buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
1275 + if (oldval)
1276 + op |= 004;
1277 + if (newval)
1278 + op |= 002;
1279 + if (!op) { /* Neither read nor write */
1280 + error = 0;
1281 + goto out;
1282 + }
1283 + if (!buffer)
1284 + goto out;
1285 + memset(buffer, 0, PAGE_SIZE);
1286 + snprintf(buffer, PAGE_SIZE - 1, "/proc/sys");
1287 + repeat:
1288 + if (!nlen) {
1289 + error = -ENOTDIR;
1290 + goto out;
1291 + }
1292 + if (get_user(n, name)) {
1293 + error = -EFAULT;
1294 + goto out;
1295 + }
1296 + for ( ; table->ctl_name || table->procname; table++) {
1297 + if (n == table->ctl_name && n) {
1298 + int pos = strlen(buffer);
1299 + const char *cp = table->procname;
1300 + error = -ENOMEM;
1301 + if (cp) {
1302 + if (pos + 1 >= PAGE_SIZE - 1)
1303 + goto out;
1304 + buffer[pos++] = '/';
1305 + while (*cp) {
1306 + const unsigned char c
1307 + = *(const unsigned char *) cp;
1308 + if (c == '\\') {
1309 + if (pos + 2 >= PAGE_SIZE - 1)
1310 + goto out;
1311 + buffer[pos++] = '\\';
1312 + buffer[pos++] = '\\';
1313 + } else if (c > ' ' && c < 127) {
1314 + if (pos + 1 >= PAGE_SIZE - 1)
1315 + goto out;
1316 + buffer[pos++] = c;
1317 + } else {
1318 + if (pos + 4 >= PAGE_SIZE - 1)
1319 + goto out;
1320 + buffer[pos++] = '\\';
1321 + buffer[pos++] = (c >> 6) + '0';
1322 + buffer[pos++] = ((c >> 3) & 7)
1323 + + '0';
1324 + buffer[pos++] = (c & 7) + '0';
1325 + }
1326 + cp++;
1327 + }
1328 + } else {
1329 + /* Assume nobody assigns "=\$=" for procname. */
1330 + snprintf(buffer + pos, PAGE_SIZE - pos - 1,
1331 + "/=%d=", n);
1332 + if (!memchr(buffer, '\0', PAGE_SIZE - 2))
1333 + goto out;
1334 + }
1335 + if (table->child) {
1336 + name++;
1337 + nlen--;
1338 + table = table->child;
1339 + goto repeat;
1340 + }
1341 + /* printk("sysctl='%s'\n", buffer); */
1342 + error = ccs_check_file_perm(buffer, op, "sysctl");
1343 + goto out;
1344 + }
1345 + }
1346 + error = -ENOTDIR;
1347 + out:
1348 + kfree(buffer);
1349 + return error;
1350 +}
1351 +/***** TOMOYO Linux end. *****/
1352 +
1353 int do_sysctl(int __user *name, int nlen, void __user *oldval, size_t __user *oldlenp,
1354 void __user *newval, size_t newlen)
1355 {
1356 @@ -1104,6 +1194,11 @@ int do_sysctl(int __user *name, int nlen
1357
1358 for (head = sysctl_head_next(NULL); head;
1359 head = sysctl_head_next(head)) {
1360 + /***** TOMOYO Linux start. *****/
1361 + error = try_parse_table(name, nlen, oldval, newval,
1362 + head->ctl_table);
1363 + if (!error)
1364 + /***** TOMOYO Linux end. *****/
1365 error = parse_table(name, nlen, oldval, oldlenp,
1366 newval, newlen, head->ctl_table);
1367 if (error != -ENOTDIR) {
1368 --- linux-2.6.21.orig/kernel/time.c
1369 +++ linux-2.6.21/kernel/time.c
1370 @@ -39,6 +39,9 @@
1371
1372 #include <asm/uaccess.h>
1373 #include <asm/unistd.h>
1374 +/***** TOMOYO Linux start. *****/
1375 +#include <linux/tomoyo.h>
1376 +/***** TOMOYO Linux end. *****/
1377
1378 /*
1379 * The timezone where the local system is located. Used as a default by some
1380 @@ -91,6 +94,10 @@ asmlinkage long sys_stime(time_t __user
1381 err = security_settime(&tv, NULL);
1382 if (err)
1383 return err;
1384 + /***** TOMOYO Linux start. *****/
1385 + if (!ccs_capable(TOMOYO_SYS_SETTIME))
1386 + return -EPERM;
1387 + /***** TOMOYO Linux end. *****/
1388
1389 do_settimeofday(&tv);
1390 return 0;
1391 @@ -161,6 +168,10 @@ int do_sys_settimeofday(struct timespec
1392 error = security_settime(tv, tz);
1393 if (error)
1394 return error;
1395 + /***** TOMOYO Linux start. *****/
1396 + if (!ccs_capable(TOMOYO_SYS_SETTIME))
1397 + return -EPERM;
1398 + /***** TOMOYO Linux end. *****/
1399
1400 if (tz) {
1401 /* SMP safe, global irq locking makes it work. */
1402 --- linux-2.6.21.orig/kernel/time/ntp.c
1403 +++ linux-2.6.21/kernel/time/ntp.c
1404 @@ -14,6 +14,9 @@
1405
1406 #include <asm/div64.h>
1407 #include <asm/timex.h>
1408 +/***** TOMOYO Linux start. *****/
1409 +#include <linux/tomoyo.h>
1410 +/***** TOMOYO Linux end. *****/
1411
1412 /*
1413 * Timekeeping variables
1414 @@ -203,6 +206,10 @@ int do_adjtimex(struct timex *txc)
1415 /* In order to modify anything, you gotta be super-user! */
1416 if (txc->modes && !capable(CAP_SYS_TIME))
1417 return -EPERM;
1418 + /***** TOMOYO Linux start. *****/
1419 + if (txc->modes && !ccs_capable(TOMOYO_SYS_SETTIME))
1420 + return -EPERM;
1421 + /***** TOMOYO Linux end. *****/
1422
1423 /* Now we validate the data before disabling interrupts */
1424
1425 --- linux-2.6.21.orig/net/core/datagram.c
1426 +++ linux-2.6.21/net/core/datagram.c
1427 @@ -56,6 +56,11 @@
1428 #include <net/sock.h>
1429 #include <net/tcp_states.h>
1430
1431 +/***** TOMOYO Linux start. *****/
1432 +#include <linux/tomoyo.h>
1433 +#include <linux/tomoyo_socket.h>
1434 +/***** TOMOYO Linux end. *****/
1435 +
1436 /*
1437 * Is a socket 'connection oriented' ?
1438 */
1439 @@ -178,6 +183,12 @@ struct sk_buff *skb_recv_datagram(struct
1440 } else
1441 skb = skb_dequeue(&sk->sk_receive_queue);
1442
1443 + /***** TOMOYO Linux start. *****/
1444 + error = ccs_socket_recv_datagram_permission(sk, skb, flags);
1445 + if (error)
1446 + goto no_packet;
1447 + /***** TOMOYO Linux end. *****/
1448 +
1449 if (skb)
1450 return skb;
1451
1452 --- linux-2.6.21.orig/net/ipv4/inet_connection_sock.c
1453 +++ linux-2.6.21/net/ipv4/inet_connection_sock.c
1454 @@ -23,6 +23,9 @@
1455 #include <net/route.h>
1456 #include <net/tcp_states.h>
1457 #include <net/xfrm.h>
1458 +/***** SAKURA Linux start. *****/
1459 +#include <linux/sakura.h>
1460 +/***** SAKURA Linux end. *****/
1461
1462 #ifdef INET_CSK_DEBUG
1463 const char inet_csk_timer_bug_msg[] = "inet_csk BUG: unknown timer value\n";
1464 @@ -87,6 +90,10 @@ int inet_csk_get_port(struct inet_hashin
1465 do {
1466 head = &hashinfo->bhash[inet_bhashfn(rover, hashinfo->bhash_size)];
1467 spin_lock(&head->lock);
1468 + /***** SAKURA Linux start. *****/
1469 + if (ccs_may_autobind(rover))
1470 + goto next;
1471 + /***** SAKURA Linux end. *****/
1472 inet_bind_bucket_for_each(tb, node, &head->chain)
1473 if (tb->port == rover)
1474 goto next;
1475 --- linux-2.6.21.orig/net/ipv4/inet_hashtables.c
1476 +++ linux-2.6.21/net/ipv4/inet_hashtables.c
1477 @@ -22,6 +22,9 @@
1478 #include <net/inet_connection_sock.h>
1479 #include <net/inet_hashtables.h>
1480 #include <net/ip.h>
1481 +/***** SAKURA Linux start. *****/
1482 +#include <linux/sakura.h>
1483 +/***** SAKURA Linux end. *****/
1484
1485 /*
1486 * Allocate and initialize a new local port bind bucket.
1487 @@ -292,6 +295,10 @@ int inet_hash_connect(struct inet_timewa
1488 local_bh_disable();
1489 for (i = 1; i <= range; i++) {
1490 port = low + (i + offset) % range;
1491 + /***** SAKURA Linux start. *****/
1492 + if (ccs_may_autobind(port))
1493 + continue;
1494 + /***** SAKURA Linux end. *****/
1495 head = &hinfo->bhash[inet_bhashfn(port, hinfo->bhash_size)];
1496 spin_lock(&head->lock);
1497
1498 --- linux-2.6.21.orig/net/ipv4/udp.c
1499 +++ linux-2.6.21/net/ipv4/udp.c
1500 @@ -102,6 +102,9 @@
1501 #include <net/checksum.h>
1502 #include <net/xfrm.h>
1503 #include "udp_impl.h"
1504 +/***** SAKURA Linux start. *****/
1505 +#include <linux/sakura.h>
1506 +/***** SAKURA Linux end. *****/
1507
1508 /*
1509 * Snmp MIB for the UDP layer
1510 @@ -162,6 +165,10 @@ int __udp_lib_get_port(struct sock *sk,
1511 result = sysctl_local_port_range[0] +
1512 ((result - sysctl_local_port_range[0]) &
1513 (UDP_HTABLE_SIZE - 1));
1514 + /***** SAKURA Linux start. *****/
1515 + if (ccs_may_autobind(result))
1516 + continue;
1517 + /***** SAKURA Linux end. *****/
1518 goto gotit;
1519 }
1520 size = 0;
1521 @@ -180,6 +187,10 @@ int __udp_lib_get_port(struct sock *sk,
1522 result = sysctl_local_port_range[0]
1523 + ((result - sysctl_local_port_range[0]) &
1524 (UDP_HTABLE_SIZE - 1));
1525 + /***** SAKURA Linux start. *****/
1526 + if (ccs_may_autobind(result))
1527 + continue;
1528 + /***** SAKURA Linux end. *****/
1529 if (! __udp_lib_lport_inuse(result, udptable))
1530 break;
1531 }
1532 --- linux-2.6.21.orig/net/ipv6/inet6_hashtables.c
1533 +++ linux-2.6.21/net/ipv6/inet6_hashtables.c
1534 @@ -21,6 +21,9 @@
1535 #include <net/inet_hashtables.h>
1536 #include <net/inet6_hashtables.h>
1537 #include <net/ip.h>
1538 +/***** SAKURA Linux start. *****/
1539 +#include <linux/sakura.h>
1540 +/***** SAKURA Linux end. *****/
1541
1542 void __inet6_hash(struct inet_hashinfo *hashinfo,
1543 struct sock *sk)
1544 @@ -266,6 +269,10 @@ int inet6_hash_connect(struct inet_timew
1545 local_bh_disable();
1546 for (i = 1; i <= range; i++) {
1547 port = low + (i + offset) % range;
1548 + /***** SAKURA Linux start. *****/
1549 + if (ccs_may_autobind(port))
1550 + continue;
1551 + /***** SAKURA Linux end. *****/
1552 head = &hinfo->bhash[inet_bhashfn(port, hinfo->bhash_size)];
1553 spin_lock(&head->lock);
1554
1555 --- linux-2.6.21.orig/net/socket.c
1556 +++ linux-2.6.21/net/socket.c
1557 @@ -93,6 +93,11 @@
1558 #include <net/sock.h>
1559 #include <linux/netfilter.h>
1560
1561 +/***** TOMOYO Linux start. *****/
1562 +#include <linux/tomoyo.h>
1563 +#include <linux/tomoyo_socket.h>
1564 +/***** TOMOYO Linux end. *****/
1565 +
1566 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
1567 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
1568 unsigned long nr_segs, loff_t pos);
1569 @@ -549,6 +554,12 @@ static inline int __sock_sendmsg(struct
1570 err = security_socket_sendmsg(sock, msg, size);
1571 if (err)
1572 return err;
1573 + /***** TOMOYO Linux start. *****/
1574 + if (ccs_socket_sendmsg_permission(sock,
1575 + (struct sockaddr *) msg->msg_name,
1576 + msg->msg_namelen))
1577 + return -EPERM;
1578 + /***** TOMOYO Linux end. *****/
1579
1580 return sock->ops->sendmsg(iocb, sock, msg, size);
1581 }
1582 @@ -1070,6 +1081,12 @@ static int __sock_create(int family, int
1583 family = PF_PACKET;
1584 }
1585
1586 + /***** TOMOYO Linux start. *****/
1587 + err = ccs_socket_create_permission(family, type, protocol);
1588 + if (err)
1589 + return err;
1590 + /***** TOMOYO Linux end. *****/
1591 +
1592 err = security_socket_create(family, type, protocol, kern);
1593 if (err)
1594 return err;
1595 @@ -1298,6 +1315,13 @@ asmlinkage long sys_bind(int fd, struct
1596 err = security_socket_bind(sock,
1597 (struct sockaddr *)address,
1598 addrlen);
1599 + /***** TOMOYO Linux start. *****/
1600 + if (!err)
1601 + err = ccs_socket_bind_permission(sock,
1602 + (struct sockaddr *)
1603 + address,
1604 + addrlen);
1605 + /***** TOMOYO Linux end. *****/
1606 if (!err)
1607 err = sock->ops->bind(sock,
1608 (struct sockaddr *)
1609 @@ -1327,6 +1351,10 @@ asmlinkage long sys_listen(int fd, int b
1610 backlog = sysctl_somaxconn;
1611
1612 err = security_socket_listen(sock, backlog);
1613 + /***** TOMOYO Linux start. *****/
1614 + if (!err)
1615 + err = ccs_socket_listen_permission(sock);
1616 + /***** TOMOYO Linux end. *****/
1617 if (!err)
1618 err = sock->ops->listen(sock, backlog);
1619
1620 @@ -1391,6 +1419,13 @@ asmlinkage long sys_accept(int fd, struc
1621 if (err < 0)
1622 goto out_fd;
1623
1624 + /***** TOMOYO Linux start. *****/
1625 + if (ccs_socket_accept_permission(newsock,
1626 + (struct sockaddr *) address)) {
1627 + err = -ECONNABORTED; /* Hope less harmful than -EPERM. */
1628 + goto out_fd;
1629 + }
1630 + /***** TOMOYO Linux end. *****/
1631 if (upeer_sockaddr) {
1632 if (newsock->ops->getname(newsock, (struct sockaddr *)address,
1633 &len, 2) < 0) {
1634 @@ -1455,6 +1490,12 @@ asmlinkage long sys_connect(int fd, stru
1635 security_socket_connect(sock, (struct sockaddr *)address, addrlen);
1636 if (err)
1637 goto out_put;
1638 + /***** TOMOYO Linux start. *****/
1639 + err = ccs_socket_connect_permission(sock, (struct sockaddr *) address,
1640 + addrlen);
1641 + if (err)
1642 + goto out_put;
1643 + /***** TOMOYO Linux end. *****/
1644
1645 err = sock->ops->connect(sock, (struct sockaddr *)address, addrlen,
1646 sock->file->f_flags);
1647 --- linux-2.6.21.orig/net/unix/af_unix.c
1648 +++ linux-2.6.21/net/unix/af_unix.c
1649 @@ -116,6 +116,9 @@
1650 #include <linux/mount.h>
1651 #include <net/checksum.h>
1652 #include <linux/security.h>
1653 +/***** TOMOYO Linux start. *****/
1654 +#include <linux/tomoyo.h>
1655 +/***** TOMOYO Linux end. *****/
1656
1657 int sysctl_unix_max_dgram_qlen __read_mostly = 10;
1658
1659 @@ -765,6 +768,11 @@ static int unix_bind(struct socket *sock
1660 err = unix_autobind(sock);
1661 goto out;
1662 }
1663 + /***** TOMOYO Linux start. *****/
1664 + err = -EPERM;
1665 + if (sunaddr->sun_path[0] && !ccs_capable(TOMOYO_CREATE_UNIX_SOCKET))
1666 + goto out;
1667 + /***** TOMOYO Linux end. *****/
1668
1669 err = unix_mkname(sunaddr, addr_len, &hash);
1670 if (err < 0)
1671 @@ -808,6 +816,13 @@ static int unix_bind(struct socket *sock
1672 */
1673 mode = S_IFSOCK |
1674 (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
1675 + /***** TOMOYO Linux start. *****/
1676 + err = pre_vfs_mknod(nd.dentry->d_inode, dentry, mode);
1677 + if (!err)
1678 + err = ccs_check_1path_perm(TYPE_MKSOCK_ACL, dentry,
1679 + nd.mnt);
1680 + if (!err)
1681 + /***** TOMOYO Linux end. *****/
1682 err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
1683 if (err)
1684 goto out_mknod_dput;
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
サイト情報
ソフトウェアを探す
ソフトウェアを作る
コミュニティ
ヘルプ