オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/trunk/1.8.x/ccs-patch/security/ccsecurity/domain.c

Diff of /trunk/1.8.x/ccs-patch/security/ccsecurity/domain.c

Parent Directory Parent Directory | Revision Log Revision Log | View Patch Patch

revision 2918 by kumaneko, Tue Aug 18 05:21:21 2009 UTC revision 2922 by kumaneko, Wed Aug 19 04:26:56 2009 UTC
# Line 64  static int ccs_audit_execute_handler_log Line 64  static int ccs_audit_execute_handler_log
64  {  {
65          struct ccs_request_info *r = &ee->r;          struct ccs_request_info *r = &ee->r;
66          const char *handler = ee->handler->name;          const char *handler = ee->handler->name;
67          r->mode = ccs_check_flags(r->domain, CCS_MAC_EXECUTE);          r->mode = ccs_flags(r->domain, CCS_MAC_EXECUTE);
68          return ccs_write_audit_log(true, r, "%s %s\n",          return ccs_write_audit_log(true, r, "%s %s\n",
69                                     is_default ? CCS_KEYWORD_EXECUTE_HANDLER :                                     is_default ? CCS_KEYWORD_EXECUTE_HANDLER :
70                                     CCS_KEYWORD_DENIED_EXECUTE_HANDLER, handler);                                     CCS_KEYWORD_DENIED_EXECUTE_HANDLER, handler);
# Line 160  bool ccs_read_domain_initializer_policy( Line 160  bool ccs_read_domain_initializer_policy(
160  {  {
161          struct list_head *pos;          struct list_head *pos;
162          bool done = true;          bool done = true;
163          ccs_check_read_lock();          ccs_assert_read_lock();
164          list_for_each_cookie(pos, head->read_var2,          list_for_each_cookie(pos, head->read_var2,
165                               &ccs_domain_initializer_list) {                               &ccs_domain_initializer_list) {
166                  const char *no;                  const char *no;
# Line 225  static bool ccs_is_domain_initializer(co Line 225  static bool ccs_is_domain_initializer(co
225  {  {
226          struct ccs_domain_initializer_entry *ptr;          struct ccs_domain_initializer_entry *ptr;
227          bool flag = false;          bool flag = false;
228          ccs_check_read_lock();          ccs_assert_read_lock();
229          list_for_each_entry_rcu(ptr, &ccs_domain_initializer_list, list) {          list_for_each_entry_rcu(ptr, &ccs_domain_initializer_list, list) {
230                  if (ptr->is_deleted)                  if (ptr->is_deleted)
231                          continue;                          continue;
# Line 343  bool ccs_read_domain_keeper_policy(struc Line 343  bool ccs_read_domain_keeper_policy(struc
343  {  {
344          struct list_head *pos;          struct list_head *pos;
345          bool done = true;          bool done = true;
346          ccs_check_read_lock();          ccs_assert_read_lock();
347          list_for_each_cookie(pos, head->read_var2,          list_for_each_cookie(pos, head->read_var2,
348                               &ccs_domain_keeper_list) {                               &ccs_domain_keeper_list) {
349                  struct ccs_domain_keeper_entry *ptr;                  struct ccs_domain_keeper_entry *ptr;
# Line 385  static bool ccs_is_domain_keeper(const s Line 385  static bool ccs_is_domain_keeper(const s
385  {  {
386          struct ccs_domain_keeper_entry *ptr;          struct ccs_domain_keeper_entry *ptr;
387          bool flag = false;          bool flag = false;
388          ccs_check_read_lock();          ccs_assert_read_lock();
389          list_for_each_entry_rcu(ptr, &ccs_domain_keeper_list, list) {          list_for_each_entry_rcu(ptr, &ccs_domain_keeper_list, list) {
390                  if (ptr->is_deleted)                  if (ptr->is_deleted)
391                          continue;                          continue;
# Line 471  bool ccs_read_aggregator_policy(struct c Line 471  bool ccs_read_aggregator_policy(struct c
471  {  {
472          struct list_head *pos;          struct list_head *pos;
473          bool done = true;          bool done = true;
474          ccs_check_read_lock();          ccs_assert_read_lock();
475          list_for_each_cookie(pos, head->read_var2, &ccs_aggregator_list) {          list_for_each_cookie(pos, head->read_var2, &ccs_aggregator_list) {
476                  struct ccs_aggregator_entry *ptr;                  struct ccs_aggregator_entry *ptr;
477                  ptr = list_entry(pos, struct ccs_aggregator_entry, list);                  ptr = list_entry(pos, struct ccs_aggregator_entry, list);
# Line 602  static int ccs_find_next_domain(struct c Line 602  static int ccs_find_next_domain(struct c
602          struct ccs_path_info rn; /* real name */          struct ccs_path_info rn; /* real name */
603          struct ccs_path_info ln; /* last name */          struct ccs_path_info ln; /* last name */
604          int retval;          int retval;
605          ccs_check_read_lock();          ccs_assert_read_lock();
606   retry:   retry:
607          current->ccs_flags = ccs_flags;          current->ccs_flags = ccs_flags;
608          r->cond = NULL;          r->cond = NULL;
# Line 647  static int ccs_find_next_domain(struct c Line 647  static int ccs_find_next_domain(struct c
647    
648          /* Check execute permission. */          /* Check execute permission. */
649          r->mode = mode;          r->mode = mode;
650          retval = ccs_check_exec_perm(r, &rn);          retval = ccs_exec_perm(r, &rn);
651          if (retval == 1)          if (retval == 1)
652                  goto retry;                  goto retry;
653          if (retval < 0)          if (retval < 0)
# Line 680  static int ccs_find_next_domain(struct c Line 680  static int ccs_find_next_domain(struct c
680          if (domain)          if (domain)
681                  goto done;                  goto done;
682          if (is_enforce) {          if (is_enforce) {
683                  int error = ccs_check_supervisor(r,                  int error = ccs_supervisor(r,
684                                                   "# wants to create domain\n"                                                   "# wants to create domain\n"
685                                                   "%s\n", new_domain_name);                                                   "%s\n", new_domain_name);
686                  if (error == 1)                  if (error == 1)
# Line 711  static int ccs_find_next_domain(struct c Line 711  static int ccs_find_next_domain(struct c
711  }  }
712    
713  /**  /**
714   * ccs_check_environ - Check permission for environment variable names.   * ccs_environ - Check permission for environment variable names.
715   *   *
716   * @ee: Pointer to "struct ccs_execve_entry".   * @ee: Pointer to "struct ccs_execve_entry".
717   *   *
718   * Returns 0 on success, negative value otherwise.   * Returns 0 on success, negative value otherwise.
719   */   */
720  static int ccs_check_environ(struct ccs_execve_entry *ee)  static int ccs_environ(struct ccs_execve_entry *ee)
721  {  {
722          struct ccs_request_info *r = &ee->r;          struct ccs_request_info *r = &ee->r;
723          struct linux_binprm *bprm = ee->bprm;          struct linux_binprm *bprm = ee->bprm;
# Line 768  static int ccs_check_environ(struct ccs_ Line 768  static int ccs_check_environ(struct ccs_
768                          }                          }
769                          if (c)                          if (c)
770                                  continue;                                  continue;
771                          if (ccs_check_env_perm(r, arg_ptr)) {                          if (ccs_env_perm(r, arg_ptr)) {
772                                  error = -EPERM;                                  error = -EPERM;
773                                  break;                                  break;
774                          }                          }
# Line 1196  static bool ccs_find_execute_handler(str Line 1196  static bool ccs_find_execute_handler(str
1196          const struct ccs_domain_info *domain = ccs_current_domain();          const struct ccs_domain_info *domain = ccs_current_domain();
1197          struct ccs_acl_info *ptr;          struct ccs_acl_info *ptr;
1198          bool found = false;          bool found = false;
1199          ccs_check_read_lock();          ccs_assert_read_lock();
1200          /*          /*
1201           * Don't use execute handler if the current process is           * Don't use execute handler if the current process is
1202           * marked as execute handler to avoid infinite execute handler loop.           * marked as execute handler to avoid infinite execute handler loop.
# Line 1324  int ccs_start_execve(struct linux_binprm Line 1324  int ccs_start_execve(struct linux_binprm
1324   ok:   ok:
1325          if (retval < 0)          if (retval < 0)
1326                  goto out;                  goto out;
1327          ee->r.mode = ccs_check_flags(ee->r.domain, CCS_MAC_ENVIRON);          ee->r.mode = ccs_flags(ee->r.domain, CCS_MAC_ENVIRON);
1328          retval = ccs_check_environ(ee);          retval = ccs_environ(ee);
1329          if (retval < 0)          if (retval < 0)
1330                  goto out;                  goto out;
1331          task->ccs_flags |= CCS_CHECK_READ_FOR_OPEN_EXEC;          task->ccs_flags |= CCS_CHECK_READ_FOR_OPEN_EXEC;
# Line 1347  void ccs_finish_execve(int retval) Line 1347  void ccs_finish_execve(int retval)
1347  {  {
1348          struct task_struct *task = current;          struct task_struct *task = current;
1349          struct ccs_execve_entry *ee = ccs_find_execve_entry();          struct ccs_execve_entry *ee = ccs_find_execve_entry();
1350          ccs_check_read_lock();          ccs_assert_read_lock();
1351          task->ccs_flags &= ~CCS_CHECK_READ_FOR_OPEN_EXEC;          task->ccs_flags &= ~CCS_CHECK_READ_FOR_OPEN_EXEC;
1352          if (!ee)          if (!ee)
1353                  return;                  return;
Legend:
Removed from v.2918  
changed lines
  Added in v.2922
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
サイト情報
ソフトウェアを探す
ソフトウェアを作る
コミュニティ
ヘルプ