64 |
{ |
{ |
65 |
struct ccs_request_info *r = &ee->r; |
struct ccs_request_info *r = &ee->r; |
66 |
const char *handler = ee->handler->name; |
const char *handler = ee->handler->name; |
67 |
r->mode = ccs_check_flags(r->domain, CCS_MAC_EXECUTE); |
r->mode = ccs_flags(r->domain, CCS_MAC_EXECUTE); |
68 |
return ccs_write_audit_log(true, r, "%s %s\n", |
return ccs_write_audit_log(true, r, "%s %s\n", |
69 |
is_default ? CCS_KEYWORD_EXECUTE_HANDLER : |
is_default ? CCS_KEYWORD_EXECUTE_HANDLER : |
70 |
CCS_KEYWORD_DENIED_EXECUTE_HANDLER, handler); |
CCS_KEYWORD_DENIED_EXECUTE_HANDLER, handler); |
160 |
{ |
{ |
161 |
struct list_head *pos; |
struct list_head *pos; |
162 |
bool done = true; |
bool done = true; |
163 |
ccs_check_read_lock(); |
ccs_assert_read_lock(); |
164 |
list_for_each_cookie(pos, head->read_var2, |
list_for_each_cookie(pos, head->read_var2, |
165 |
&ccs_domain_initializer_list) { |
&ccs_domain_initializer_list) { |
166 |
const char *no; |
const char *no; |
225 |
{ |
{ |
226 |
struct ccs_domain_initializer_entry *ptr; |
struct ccs_domain_initializer_entry *ptr; |
227 |
bool flag = false; |
bool flag = false; |
228 |
ccs_check_read_lock(); |
ccs_assert_read_lock(); |
229 |
list_for_each_entry_rcu(ptr, &ccs_domain_initializer_list, list) { |
list_for_each_entry_rcu(ptr, &ccs_domain_initializer_list, list) { |
230 |
if (ptr->is_deleted) |
if (ptr->is_deleted) |
231 |
continue; |
continue; |
343 |
{ |
{ |
344 |
struct list_head *pos; |
struct list_head *pos; |
345 |
bool done = true; |
bool done = true; |
346 |
ccs_check_read_lock(); |
ccs_assert_read_lock(); |
347 |
list_for_each_cookie(pos, head->read_var2, |
list_for_each_cookie(pos, head->read_var2, |
348 |
&ccs_domain_keeper_list) { |
&ccs_domain_keeper_list) { |
349 |
struct ccs_domain_keeper_entry *ptr; |
struct ccs_domain_keeper_entry *ptr; |
385 |
{ |
{ |
386 |
struct ccs_domain_keeper_entry *ptr; |
struct ccs_domain_keeper_entry *ptr; |
387 |
bool flag = false; |
bool flag = false; |
388 |
ccs_check_read_lock(); |
ccs_assert_read_lock(); |
389 |
list_for_each_entry_rcu(ptr, &ccs_domain_keeper_list, list) { |
list_for_each_entry_rcu(ptr, &ccs_domain_keeper_list, list) { |
390 |
if (ptr->is_deleted) |
if (ptr->is_deleted) |
391 |
continue; |
continue; |
471 |
{ |
{ |
472 |
struct list_head *pos; |
struct list_head *pos; |
473 |
bool done = true; |
bool done = true; |
474 |
ccs_check_read_lock(); |
ccs_assert_read_lock(); |
475 |
list_for_each_cookie(pos, head->read_var2, &ccs_aggregator_list) { |
list_for_each_cookie(pos, head->read_var2, &ccs_aggregator_list) { |
476 |
struct ccs_aggregator_entry *ptr; |
struct ccs_aggregator_entry *ptr; |
477 |
ptr = list_entry(pos, struct ccs_aggregator_entry, list); |
ptr = list_entry(pos, struct ccs_aggregator_entry, list); |
602 |
struct ccs_path_info rn; /* real name */ |
struct ccs_path_info rn; /* real name */ |
603 |
struct ccs_path_info ln; /* last name */ |
struct ccs_path_info ln; /* last name */ |
604 |
int retval; |
int retval; |
605 |
ccs_check_read_lock(); |
ccs_assert_read_lock(); |
606 |
retry: |
retry: |
607 |
current->ccs_flags = ccs_flags; |
current->ccs_flags = ccs_flags; |
608 |
r->cond = NULL; |
r->cond = NULL; |
647 |
|
|
648 |
/* Check execute permission. */ |
/* Check execute permission. */ |
649 |
r->mode = mode; |
r->mode = mode; |
650 |
retval = ccs_check_exec_perm(r, &rn); |
retval = ccs_exec_perm(r, &rn); |
651 |
if (retval == 1) |
if (retval == 1) |
652 |
goto retry; |
goto retry; |
653 |
if (retval < 0) |
if (retval < 0) |
680 |
if (domain) |
if (domain) |
681 |
goto done; |
goto done; |
682 |
if (is_enforce) { |
if (is_enforce) { |
683 |
int error = ccs_check_supervisor(r, |
int error = ccs_supervisor(r, |
684 |
"# wants to create domain\n" |
"# wants to create domain\n" |
685 |
"%s\n", new_domain_name); |
"%s\n", new_domain_name); |
686 |
if (error == 1) |
if (error == 1) |
711 |
} |
} |
712 |
|
|
713 |
/** |
/** |
714 |
* ccs_check_environ - Check permission for environment variable names. |
* ccs_environ - Check permission for environment variable names. |
715 |
* |
* |
716 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve_entry". |
717 |
* |
* |
718 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
719 |
*/ |
*/ |
720 |
static int ccs_check_environ(struct ccs_execve_entry *ee) |
static int ccs_environ(struct ccs_execve_entry *ee) |
721 |
{ |
{ |
722 |
struct ccs_request_info *r = &ee->r; |
struct ccs_request_info *r = &ee->r; |
723 |
struct linux_binprm *bprm = ee->bprm; |
struct linux_binprm *bprm = ee->bprm; |
768 |
} |
} |
769 |
if (c) |
if (c) |
770 |
continue; |
continue; |
771 |
if (ccs_check_env_perm(r, arg_ptr)) { |
if (ccs_env_perm(r, arg_ptr)) { |
772 |
error = -EPERM; |
error = -EPERM; |
773 |
break; |
break; |
774 |
} |
} |
1196 |
const struct ccs_domain_info *domain = ccs_current_domain(); |
const struct ccs_domain_info *domain = ccs_current_domain(); |
1197 |
struct ccs_acl_info *ptr; |
struct ccs_acl_info *ptr; |
1198 |
bool found = false; |
bool found = false; |
1199 |
ccs_check_read_lock(); |
ccs_assert_read_lock(); |
1200 |
/* |
/* |
1201 |
* Don't use execute handler if the current process is |
* Don't use execute handler if the current process is |
1202 |
* marked as execute handler to avoid infinite execute handler loop. |
* marked as execute handler to avoid infinite execute handler loop. |
1324 |
ok: |
ok: |
1325 |
if (retval < 0) |
if (retval < 0) |
1326 |
goto out; |
goto out; |
1327 |
ee->r.mode = ccs_check_flags(ee->r.domain, CCS_MAC_ENVIRON); |
ee->r.mode = ccs_flags(ee->r.domain, CCS_MAC_ENVIRON); |
1328 |
retval = ccs_check_environ(ee); |
retval = ccs_environ(ee); |
1329 |
if (retval < 0) |
if (retval < 0) |
1330 |
goto out; |
goto out; |
1331 |
task->ccs_flags |= CCS_CHECK_READ_FOR_OPEN_EXEC; |
task->ccs_flags |= CCS_CHECK_READ_FOR_OPEN_EXEC; |
1347 |
{ |
{ |
1348 |
struct task_struct *task = current; |
struct task_struct *task = current; |
1349 |
struct ccs_execve_entry *ee = ccs_find_execve_entry(); |
struct ccs_execve_entry *ee = ccs_find_execve_entry(); |
1350 |
ccs_check_read_lock(); |
ccs_assert_read_lock(); |
1351 |
task->ccs_flags &= ~CCS_CHECK_READ_FOR_OPEN_EXEC; |
task->ccs_flags &= ~CCS_CHECK_READ_FOR_OPEN_EXEC; |
1352 |
if (!ee) |
if (!ee) |
1353 |
return; |
return; |