216 |
if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) |
if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) |
217 |
return -EPERM; |
return -EPERM; |
218 |
|
|
219 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
220 |
+ error = CheckOpenPermission(dentry, nd->mnt, flag); /* includes O_APPEND and O_TRUNC checks */ |
+ error = CheckOpenPermission(dentry, nd->mnt, flag); /* includes O_APPEND and O_TRUNC checks */ |
221 |
+ if (error) return error; |
+ if (error) return error; |
222 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
223 |
+ |
+ |
224 |
/* |
/* |
225 |
* Ensure there are no outstanding leases on the file. |
* Ensure there are no outstanding leases on the file. |
369 |
if(IS_ERR(from)) |
if(IS_ERR(from)) |
370 |
diff -ubBpEr linux-2.6.21/fs/namespace.c linux-2.6.21-ccs/fs/namespace.c |
diff -ubBpEr linux-2.6.21/fs/namespace.c linux-2.6.21-ccs/fs/namespace.c |
371 |
--- linux-2.6.21/fs/namespace.c 2007-04-28 04:02:41.000000000 +0900 |
--- linux-2.6.21/fs/namespace.c 2007-04-28 04:02:41.000000000 +0900 |
372 |
+++ linux-2.6.21-ccs/fs/namespace.c 2007-04-28 04:02:47.000000000 +0900 |
+++ linux-2.6.21-ccs/fs/namespace.c 2007-09-05 14:52:13.677479112 +0900 |
373 |
@@ -28,6 +28,12 @@ |
@@ -28,6 +28,12 @@ |
374 |
#include <asm/uaccess.h> |
#include <asm/uaccess.h> |
375 |
#include <asm/unistd.h> |
#include <asm/unistd.h> |
445 |
+ if (CheckCapabilityACL(TOMOYO_SYS_MOUNT)) return -EPERM; |
+ if (CheckCapabilityACL(TOMOYO_SYS_MOUNT)) return -EPERM; |
446 |
+ /***** TOMOYO Linux end. *****/ |
+ /***** TOMOYO Linux end. *****/ |
447 |
+ /***** SAKURA Linux start. *****/ |
+ /***** SAKURA Linux start. *****/ |
448 |
+ if (CheckMountPermission(dev_name, dir_name, type_page, &flags)) return -EPERM; |
+ if ((retval = CheckMountPermission(dev_name, dir_name, type_page, &flags)) < 0) return retval; |
449 |
+ /***** SAKURA Linux end. *****/ |
+ /***** SAKURA Linux end. *****/ |
450 |
+ |
+ |
451 |
/* Separate the per-mountpoint flags */ |
/* Separate the per-mountpoint flags */ |
542 |
+proc-$(CONFIG_TOMOYO) += ccs_proc.o |
+proc-$(CONFIG_TOMOYO) += ccs_proc.o |
543 |
diff -ubBpEr linux-2.6.21/fs/proc/proc_misc.c linux-2.6.21-ccs/fs/proc/proc_misc.c |
diff -ubBpEr linux-2.6.21/fs/proc/proc_misc.c linux-2.6.21-ccs/fs/proc/proc_misc.c |
544 |
--- linux-2.6.21/fs/proc/proc_misc.c 2007-04-28 04:02:41.000000000 +0900 |
--- linux-2.6.21/fs/proc/proc_misc.c 2007-04-28 04:02:41.000000000 +0900 |
545 |
+++ linux-2.6.21-ccs/fs/proc/proc_misc.c 2007-07-10 09:03:54.000000000 +0900 |
+++ linux-2.6.21-ccs/fs/proc/proc_misc.c 2007-09-05 14:49:39.022990168 +0900 |
546 |
@@ -747,4 +747,13 @@ void __init proc_misc_init(void) |
@@ -747,4 +747,13 @@ void __init proc_misc_init(void) |
547 |
entry->proc_fops = &proc_sysrq_trigger_operations; |
entry->proc_fops = &proc_sysrq_trigger_operations; |
548 |
} |
} |
552 |
+ { |
+ { |
553 |
+ extern void __init CCSProc_Init(void); |
+ extern void __init CCSProc_Init(void); |
554 |
+ CCSProc_Init(); |
+ CCSProc_Init(); |
555 |
+ printk("Hook version: 2.6.21 2007/08/14\n"); |
+ printk("Hook version: 2.6.21 2007/09/05\n"); |
556 |
+ } |
+ } |
557 |
+#endif |
+#endif |
558 |
+ /***** CCS end. *****/ |
+ /***** CCS end. *****/ |
976 |
/* SMP safe, global irq locking makes it work. */ |
/* SMP safe, global irq locking makes it work. */ |
977 |
diff -ubBpEr linux-2.6.21/net/core/datagram.c linux-2.6.21-ccs/net/core/datagram.c |
diff -ubBpEr linux-2.6.21/net/core/datagram.c linux-2.6.21-ccs/net/core/datagram.c |
978 |
--- linux-2.6.21/net/core/datagram.c 2007-04-26 12:08:32.000000000 +0900 |
--- linux-2.6.21/net/core/datagram.c 2007-04-26 12:08:32.000000000 +0900 |
979 |
+++ linux-2.6.21-ccs/net/core/datagram.c 2007-08-14 10:55:26.000000000 +0900 |
+++ linux-2.6.21-ccs/net/core/datagram.c 2007-09-05 14:46:28.016027640 +0900 |
980 |
@@ -56,6 +56,11 @@ |
@@ -56,6 +56,11 @@ |
981 |
#include <net/sock.h> |
#include <net/sock.h> |
982 |
#include <net/tcp_states.h> |
#include <net/tcp_states.h> |
989 |
/* |
/* |
990 |
* Is a socket 'connection oriented' ? |
* Is a socket 'connection oriented' ? |
991 |
*/ |
*/ |
992 |
@@ -178,6 +183,14 @@ struct sk_buff *skb_recv_datagram(struct |
@@ -178,6 +183,10 @@ struct sk_buff *skb_recv_datagram(struct |
993 |
} else |
} else |
994 |
skb = skb_dequeue(&sk->sk_receive_queue); |
skb = skb_dequeue(&sk->sk_receive_queue); |
995 |
|
|
996 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
997 |
+ error = CheckSocketRecvDatagramPermission(sk, skb); |
+ if ((error = CheckSocketRecvDatagramPermission(sk, skb, flags)) < 0) goto no_packet; |
998 |
+ if (error) { |
+ /***** TOMOYO Linux end. *****/ |
|
+ skb_kill_datagram(sk, skb, flags); |
|
|
+ goto no_packet; |
|
|
+ } |
|
|
+ /***** TOMOYO Linux end. *****/ |
|
999 |
+ |
+ |
1000 |
if (skb) |
if (skb) |
1001 |
return skb; |
return skb; |
1048 |
|
|
1049 |
diff -ubBpEr linux-2.6.21/net/ipv4/udp.c linux-2.6.21-ccs/net/ipv4/udp.c |
diff -ubBpEr linux-2.6.21/net/ipv4/udp.c linux-2.6.21-ccs/net/ipv4/udp.c |
1050 |
--- linux-2.6.21/net/ipv4/udp.c 2007-04-28 04:02:41.000000000 +0900 |
--- linux-2.6.21/net/ipv4/udp.c 2007-04-28 04:02:41.000000000 +0900 |
1051 |
+++ linux-2.6.21-ccs/net/ipv4/udp.c 2007-05-23 14:50:12.000000000 +0900 |
+++ linux-2.6.21-ccs/net/ipv4/udp.c 2007-08-15 16:15:01.000000000 +0900 |
1052 |
@@ -102,6 +102,9 @@ |
@@ -102,6 +102,9 @@ |
1053 |
#include <net/checksum.h> |
#include <net/checksum.h> |
1054 |
#include <net/xfrm.h> |
#include <net/xfrm.h> |
1104 |
|
|
1105 |
diff -ubBpEr linux-2.6.21/net/socket.c linux-2.6.21-ccs/net/socket.c |
diff -ubBpEr linux-2.6.21/net/socket.c linux-2.6.21-ccs/net/socket.c |
1106 |
--- linux-2.6.21/net/socket.c 2007-04-28 04:02:41.000000000 +0900 |
--- linux-2.6.21/net/socket.c 2007-04-28 04:02:41.000000000 +0900 |
1107 |
+++ linux-2.6.21-ccs/net/socket.c 2007-08-14 10:46:32.000000000 +0900 |
+++ linux-2.6.21-ccs/net/socket.c 2007-08-27 16:06:11.000000000 +0900 |
1108 |
@@ -93,6 +93,11 @@ |
@@ -93,6 +93,11 @@ |
1109 |
#include <net/sock.h> |
#include <net/sock.h> |
1110 |
#include <linux/netfilter.h> |
#include <linux/netfilter.h> |
1123 |
return err; |
return err; |
1124 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux start. *****/ |
1125 |
+ if (CheckSocketSendMsgPermission(sock, (struct sockaddr *) msg->msg_name, msg->msg_namelen)) return -EPERM; |
+ if (CheckSocketSendMsgPermission(sock, (struct sockaddr *) msg->msg_name, msg->msg_namelen)) return -EPERM; |
1126 |
+ /***** TOMOYO Linux start. *****/ |
+ /***** TOMOYO Linux end. *****/ |
1127 |
|
|
1128 |
return sock->ops->sendmsg(iocb, sock, msg, size); |
return sock->ops->sendmsg(iocb, sock, msg, size); |
1129 |
} |
} |