37 |
/** |
/** |
38 |
* ccs_audit_execute_handler_log - Audit execute_handler log. |
* ccs_audit_execute_handler_log - Audit execute_handler log. |
39 |
* |
* |
40 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
41 |
* |
* |
42 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
43 |
*/ |
*/ |
44 |
static int ccs_audit_execute_handler_log(struct ccs_execve_entry *ee) |
static int ccs_audit_execute_handler_log(struct ccs_execve *ee) |
45 |
{ |
{ |
46 |
struct ccs_request_info *r = &ee->r; |
struct ccs_request_info *r = &ee->r; |
47 |
const char *handler = ee->handler->name; |
const char *handler = ee->handler->name; |
119 |
return error; |
return error; |
120 |
} |
} |
121 |
|
|
122 |
int ccs_update_domain_policy(struct ccs_acl_info *new_entry, const int size, |
int ccs_update_domain(struct ccs_acl_info *new_entry, const int size, |
123 |
bool is_delete, struct ccs_domain_info *domain, |
bool is_delete, struct ccs_domain_info *domain, |
124 |
bool (*check_duplicate) |
bool (*check_duplicate) (const struct ccs_acl_info *, |
125 |
(const struct ccs_acl_info *, |
const struct ccs_acl_info *), |
126 |
const struct ccs_acl_info *), |
bool (*merge_duplicate) (struct ccs_acl_info *, |
127 |
bool (*merge_duplicate) (struct ccs_acl_info *, |
struct ccs_acl_info *, |
128 |
struct ccs_acl_info *, |
const bool)) |
|
const bool)) |
|
129 |
{ |
{ |
130 |
int error = is_delete ? -ENOENT : -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
131 |
struct ccs_acl_info *entry; |
struct ccs_acl_info *entry; |
153 |
return error; |
return error; |
154 |
} |
} |
155 |
|
|
156 |
static bool ccs_is_same_domain_initializer_entry(const struct ccs_acl_head *a, |
static bool ccs_same_domain_initializer_entry(const struct ccs_acl_head *a, |
157 |
const struct ccs_acl_head *b) |
const struct ccs_acl_head *b) |
158 |
{ |
{ |
159 |
const struct ccs_domain_initializer_entry *p1 = |
const struct ccs_domain_initializer *p1 = |
160 |
container_of(a, typeof(*p1), head); |
container_of(a, typeof(*p1), head); |
161 |
const struct ccs_domain_initializer_entry *p2 = |
const struct ccs_domain_initializer *p2 = |
162 |
container_of(b, typeof(*p2), head); |
container_of(b, typeof(*p2), head); |
163 |
return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name |
return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name |
164 |
&& p1->domainname == p2->domainname |
&& p1->domainname == p2->domainname |
166 |
} |
} |
167 |
|
|
168 |
/** |
/** |
169 |
* ccs_update_domain_initializer_entry - Update "struct ccs_domain_initializer_entry" list. |
* ccs_update_domain_initializer_entry - Update "struct ccs_domain_initializer" list. |
170 |
* |
* |
171 |
* @domainname: The name of domain. May be NULL. |
* @domainname: The name of domain. May be NULL. |
172 |
* @program: The name of program. |
* @program: The name of program. |
180 |
const bool is_not, |
const bool is_not, |
181 |
const bool is_delete) |
const bool is_delete) |
182 |
{ |
{ |
183 |
struct ccs_domain_initializer_entry e = { .is_not = is_not }; |
struct ccs_domain_initializer e = { .is_not = is_not }; |
184 |
int error = is_delete ? -ENOENT : -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
185 |
if (!ccs_is_correct_path(program, 1, -1, -1)) |
if (!ccs_correct_path(program, 1, -1, -1)) |
186 |
return -EINVAL; /* No patterns allowed. */ |
return -EINVAL; /* No patterns allowed. */ |
187 |
if (domainname) { |
if (domainname) { |
188 |
if (!ccs_is_domain_def(domainname) && |
if (!ccs_domain_def(domainname) && |
189 |
ccs_is_correct_path(domainname, 1, -1, -1)) |
ccs_correct_path(domainname, 1, -1, -1)) |
190 |
e.is_last_name = true; |
e.is_last_name = true; |
191 |
else if (!ccs_is_correct_domain(domainname)) |
else if (!ccs_correct_domain(domainname)) |
192 |
return -EINVAL; |
return -EINVAL; |
193 |
e.domainname = ccs_get_name(domainname); |
e.domainname = ccs_get_name(domainname); |
194 |
if (!e.domainname) |
if (!e.domainname) |
199 |
goto out; |
goto out; |
200 |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
201 |
CCS_ID_DOMAIN_INITIALIZER, |
CCS_ID_DOMAIN_INITIALIZER, |
202 |
ccs_is_same_domain_initializer_entry); |
ccs_same_domain_initializer_entry); |
203 |
out: |
out: |
204 |
ccs_put_name(e.domainname); |
ccs_put_name(e.domainname); |
205 |
ccs_put_name(e.program); |
ccs_put_name(e.program); |
207 |
} |
} |
208 |
|
|
209 |
/** |
/** |
210 |
* ccs_write_domain_initializer_policy - Write "struct ccs_domain_initializer_entry" list. |
* ccs_write_domain_initializer - Write "struct ccs_domain_initializer" list. |
211 |
* |
* |
212 |
* @data: String to parse. |
* @data: String to parse. |
213 |
* @is_delete: True if it is a delete request. |
* @is_delete: True if it is a delete request. |
214 |
* |
* |
215 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
216 |
*/ |
*/ |
217 |
int ccs_write_domain_initializer_policy(char *data, const bool is_delete, const u8 flags) |
int ccs_write_domain_initializer(char *data, const bool is_delete, const u8 flags) |
218 |
{ |
{ |
219 |
char *domainname = strstr(data, " from "); |
char *domainname = strstr(data, " from "); |
220 |
if (domainname) { |
if (domainname) { |
226 |
} |
} |
227 |
|
|
228 |
/** |
/** |
229 |
* ccs_is_domain_initializer - Check whether the given program causes domainname reinitialization. |
* ccs_domain_initializer - Check whether the given program causes domainname reinitialization. |
230 |
* |
* |
231 |
* @domainname: The name of domain. |
* @domainname: The name of domain. |
232 |
* @program: The name of program. |
* @program: The name of program. |
237 |
* |
* |
238 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
239 |
*/ |
*/ |
240 |
static bool ccs_is_domain_initializer(const struct ccs_path_info *domainname, |
static bool ccs_domain_initializer(const struct ccs_path_info *domainname, |
241 |
const struct ccs_path_info *program, |
const struct ccs_path_info *program, |
242 |
const struct ccs_path_info *last_name) |
const struct ccs_path_info *last_name) |
243 |
{ |
{ |
244 |
struct ccs_domain_initializer_entry *ptr; |
struct ccs_domain_initializer *ptr; |
245 |
bool flag = false; |
bool flag = false; |
246 |
list_for_each_entry_rcu(ptr, &ccs_policy_list |
list_for_each_entry_rcu(ptr, &ccs_policy_list |
247 |
[CCS_ID_DOMAIN_INITIALIZER], head.list) { |
[CCS_ID_DOMAIN_INITIALIZER], head.list) { |
267 |
return flag; |
return flag; |
268 |
} |
} |
269 |
|
|
270 |
static bool ccs_is_same_domain_keeper_entry(const struct ccs_acl_head *a, |
static bool ccs_same_domain_keeper_entry(const struct ccs_acl_head *a, |
271 |
const struct ccs_acl_head *b) |
const struct ccs_acl_head *b) |
272 |
{ |
{ |
273 |
const struct ccs_domain_keeper_entry *p1 = |
const struct ccs_domain_keeper *p1 = |
274 |
container_of(a, typeof(*p1), head); |
container_of(a, typeof(*p1), head); |
275 |
const struct ccs_domain_keeper_entry *p2 = |
const struct ccs_domain_keeper *p2 = |
276 |
container_of(b, typeof(*p2), head); |
container_of(b, typeof(*p2), head); |
277 |
return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name |
return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name |
278 |
&& p1->domainname == p2->domainname |
&& p1->domainname == p2->domainname |
280 |
} |
} |
281 |
|
|
282 |
/** |
/** |
283 |
* ccs_update_domain_keeper_entry - Update "struct ccs_domain_keeper_entry" list. |
* ccs_update_domain_keeper_entry - Update "struct ccs_domain_keeper" list. |
284 |
* |
* |
285 |
* @domainname: The name of domain. |
* @domainname: The name of domain. |
286 |
* @program: The name of program. May be NULL. |
* @program: The name of program. May be NULL. |
294 |
const bool is_not, |
const bool is_not, |
295 |
const bool is_delete) |
const bool is_delete) |
296 |
{ |
{ |
297 |
struct ccs_domain_keeper_entry e = { .is_not = is_not }; |
struct ccs_domain_keeper e = { .is_not = is_not }; |
298 |
int error = is_delete ? -ENOENT : -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
299 |
if (!ccs_is_domain_def(domainname) && |
if (!ccs_domain_def(domainname) && |
300 |
ccs_is_correct_path(domainname, 1, -1, -1)) |
ccs_correct_path(domainname, 1, -1, -1)) |
301 |
e.is_last_name = true; |
e.is_last_name = true; |
302 |
else if (!ccs_is_correct_domain(domainname)) |
else if (!ccs_correct_domain(domainname)) |
303 |
return -EINVAL; |
return -EINVAL; |
304 |
if (program) { |
if (program) { |
305 |
if (!ccs_is_correct_path(program, 1, -1, -1)) |
if (!ccs_correct_path(program, 1, -1, -1)) |
306 |
return -EINVAL; |
return -EINVAL; |
307 |
e.program = ccs_get_name(program); |
e.program = ccs_get_name(program); |
308 |
if (!e.program) |
if (!e.program) |
313 |
goto out; |
goto out; |
314 |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
315 |
CCS_ID_DOMAIN_KEEPER, |
CCS_ID_DOMAIN_KEEPER, |
316 |
ccs_is_same_domain_keeper_entry); |
ccs_same_domain_keeper_entry); |
317 |
out: |
out: |
318 |
ccs_put_name(e.domainname); |
ccs_put_name(e.domainname); |
319 |
ccs_put_name(e.program); |
ccs_put_name(e.program); |
321 |
} |
} |
322 |
|
|
323 |
/** |
/** |
324 |
* ccs_write_domain_keeper_policy - Write "struct ccs_domain_keeper_entry" list. |
* ccs_write_domain_keeper - Write "struct ccs_domain_keeper" list. |
325 |
* |
* |
326 |
* @data: String to parse. |
* @data: String to parse. |
327 |
* @is_delete: True if it is a delete request. |
* @is_delete: True if it is a delete request. |
328 |
* |
* |
329 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
330 |
*/ |
*/ |
331 |
int ccs_write_domain_keeper_policy(char *data, const bool is_delete, |
int ccs_write_domain_keeper(char *data, const bool is_delete, const u8 flags) |
|
const u8 flags) |
|
332 |
{ |
{ |
333 |
char *domainname = strstr(data, " from "); |
char *domainname = strstr(data, " from "); |
334 |
if (domainname) { |
if (domainname) { |
343 |
} |
} |
344 |
|
|
345 |
/** |
/** |
346 |
* ccs_is_domain_keeper - Check whether the given program causes domain transition suppression. |
* ccs_domain_keeper - Check whether the given program causes domain transition suppression. |
347 |
* |
* |
348 |
* @domainname: The name of domain. |
* @domainname: The name of domain. |
349 |
* @program: The name of program. |
* @program: The name of program. |
354 |
* |
* |
355 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
356 |
*/ |
*/ |
357 |
static bool ccs_is_domain_keeper(const struct ccs_path_info *domainname, |
static bool ccs_domain_keeper(const struct ccs_path_info *domainname, |
358 |
const struct ccs_path_info *program, |
const struct ccs_path_info *program, |
359 |
const struct ccs_path_info *last_name) |
const struct ccs_path_info *last_name) |
360 |
{ |
{ |
361 |
struct ccs_domain_keeper_entry *ptr; |
struct ccs_domain_keeper *ptr; |
362 |
bool flag = false; |
bool flag = false; |
363 |
list_for_each_entry_rcu(ptr, &ccs_policy_list[CCS_ID_DOMAIN_KEEPER], |
list_for_each_entry_rcu(ptr, &ccs_policy_list[CCS_ID_DOMAIN_KEEPER], |
364 |
head.list) { |
head.list) { |
382 |
return flag; |
return flag; |
383 |
} |
} |
384 |
|
|
385 |
static bool ccs_is_same_aggregator_entry(const struct ccs_acl_head *a, |
static bool ccs_same_aggregator_entry(const struct ccs_acl_head *a, |
386 |
const struct ccs_acl_head *b) |
const struct ccs_acl_head *b) |
387 |
{ |
{ |
388 |
const struct ccs_aggregator_entry *p1 = |
const struct ccs_aggregator *p1 = |
389 |
container_of(a, typeof(*p1), head); |
container_of(a, typeof(*p1), head); |
390 |
const struct ccs_aggregator_entry *p2 = |
const struct ccs_aggregator *p2 = |
391 |
container_of(b, typeof(*p2), head); |
container_of(b, typeof(*p2), head); |
392 |
return p1->original_name == p2->original_name && |
return p1->original_name == p2->original_name && |
393 |
p1->aggregated_name == p2->aggregated_name; |
p1->aggregated_name == p2->aggregated_name; |
394 |
} |
} |
395 |
|
|
396 |
/** |
/** |
397 |
* ccs_update_aggregator_entry - Update "struct ccs_aggregator_entry" list. |
* ccs_update_aggregator_entry - Update "struct ccs_aggregator" list. |
398 |
* |
* |
399 |
* @original_name: The original program's name. |
* @original_name: The original program's name. |
400 |
* @aggregated_name: The aggregated program's name. |
* @aggregated_name: The aggregated program's name. |
406 |
const char *aggregated_name, |
const char *aggregated_name, |
407 |
const bool is_delete) |
const bool is_delete) |
408 |
{ |
{ |
409 |
struct ccs_aggregator_entry e = { }; |
struct ccs_aggregator e = { }; |
410 |
int error = is_delete ? -ENOENT : -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
411 |
if (!ccs_is_correct_path(original_name, 1, 0, -1) || |
if (!ccs_correct_path(original_name, 1, 0, -1) || |
412 |
!ccs_is_correct_path(aggregated_name, 1, -1, -1)) |
!ccs_correct_path(aggregated_name, 1, -1, -1)) |
413 |
return -EINVAL; |
return -EINVAL; |
414 |
e.original_name = ccs_get_name(original_name); |
e.original_name = ccs_get_name(original_name); |
415 |
e.aggregated_name = ccs_get_name(aggregated_name); |
e.aggregated_name = ccs_get_name(aggregated_name); |
417 |
goto out; |
goto out; |
418 |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
419 |
CCS_ID_AGGREGATOR, |
CCS_ID_AGGREGATOR, |
420 |
ccs_is_same_aggregator_entry); |
ccs_same_aggregator_entry); |
421 |
out: |
out: |
422 |
ccs_put_name(e.original_name); |
ccs_put_name(e.original_name); |
423 |
ccs_put_name(e.aggregated_name); |
ccs_put_name(e.aggregated_name); |
425 |
} |
} |
426 |
|
|
427 |
/** |
/** |
428 |
* ccs_write_aggregator_policy - Write "struct ccs_aggregator_entry" list. |
* ccs_write_aggregator - Write "struct ccs_aggregator" list. |
429 |
* |
* |
430 |
* @data: String to parse. |
* @data: String to parse. |
431 |
* @is_delete: True if it is a delete request. |
* @is_delete: True if it is a delete request. |
432 |
* |
* |
433 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
434 |
*/ |
*/ |
435 |
int ccs_write_aggregator_policy(char *data, const bool is_delete, const u8 flags) |
int ccs_write_aggregator(char *data, const bool is_delete, const u8 flags) |
436 |
{ |
{ |
437 |
char *w[2]; |
char *w[2]; |
438 |
if (!ccs_tokenize(data, w, sizeof(w)) || !w[1][0]) |
if (!ccs_tokenize(data, w, sizeof(w)) || !w[1][0]) |
488 |
const struct ccs_path_info *saved_domainname; |
const struct ccs_path_info *saved_domainname; |
489 |
bool found = false; |
bool found = false; |
490 |
|
|
491 |
if (!ccs_is_correct_domain(domainname)) |
if (!ccs_correct_domain(domainname)) |
492 |
return NULL; |
return NULL; |
493 |
saved_domainname = ccs_get_name(domainname); |
saved_domainname = ccs_get_name(domainname); |
494 |
if (!saved_domainname) |
if (!saved_domainname) |
523 |
/** |
/** |
524 |
* ccs_find_next_domain - Find a domain. |
* ccs_find_next_domain - Find a domain. |
525 |
* |
* |
526 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
527 |
* |
* |
528 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
529 |
* |
* |
530 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
531 |
*/ |
*/ |
532 |
static int ccs_find_next_domain(struct ccs_execve_entry *ee) |
static int ccs_find_next_domain(struct ccs_execve *ee) |
533 |
{ |
{ |
534 |
struct ccs_request_info *r = &ee->r; |
struct ccs_request_info *r = &ee->r; |
535 |
const struct ccs_path_info *handler = ee->handler; |
const struct ccs_path_info *handler = ee->handler; |
572 |
goto out; |
goto out; |
573 |
} |
} |
574 |
} else { |
} else { |
575 |
struct ccs_aggregator_entry *ptr; |
struct ccs_aggregator *ptr; |
576 |
/* Check 'aggregator' directive. */ |
/* Check 'aggregator' directive. */ |
577 |
list_for_each_entry_rcu(ptr, |
list_for_each_entry_rcu(ptr, |
578 |
&ccs_policy_list[CCS_ID_AGGREGATOR], |
&ccs_policy_list[CCS_ID_AGGREGATOR], |
596 |
} |
} |
597 |
|
|
598 |
/* Calculate domain to transit to. */ |
/* Calculate domain to transit to. */ |
599 |
if (ccs_is_domain_initializer(old_domain->domainname, &rn, &ln)) { |
if (ccs_domain_initializer(old_domain->domainname, &rn, &ln)) { |
600 |
/* Transit to the child of ccs_kernel_domain domain. */ |
/* Transit to the child of ccs_kernel_domain domain. */ |
601 |
snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, ROOT_NAME " " "%s", |
snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, ROOT_NAME " " "%s", |
602 |
rn.name); |
rn.name); |
607 |
* initializers because they might start before /sbin/init. |
* initializers because they might start before /sbin/init. |
608 |
*/ |
*/ |
609 |
domain = old_domain; |
domain = old_domain; |
610 |
} else if (ccs_is_domain_keeper(old_domain->domainname, &rn, &ln)) { |
} else if (ccs_domain_keeper(old_domain->domainname, &rn, &ln)) { |
611 |
/* Keep current domain. */ |
/* Keep current domain. */ |
612 |
domain = old_domain; |
domain = old_domain; |
613 |
} else { |
} else { |
676 |
/** |
/** |
677 |
* ccs_environ - Check permission for environment variable names. |
* ccs_environ - Check permission for environment variable names. |
678 |
* |
* |
679 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
680 |
* |
* |
681 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
682 |
*/ |
*/ |
683 |
static int ccs_environ(struct ccs_execve_entry *ee) |
static int ccs_environ(struct ccs_execve *ee) |
684 |
{ |
{ |
685 |
struct ccs_request_info *r = &ee->r; |
struct ccs_request_info *r = &ee->r; |
686 |
struct linux_binprm *bprm = ee->bprm; |
struct linux_binprm *bprm = ee->bprm; |
861 |
/** |
/** |
862 |
* ccs_try_alt_exec - Try to start execute handler. |
* ccs_try_alt_exec - Try to start execute handler. |
863 |
* |
* |
864 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
865 |
* |
* |
866 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
867 |
*/ |
*/ |
868 |
static int ccs_try_alt_exec(struct ccs_execve_entry *ee) |
static int ccs_try_alt_exec(struct ccs_execve *ee) |
869 |
{ |
{ |
870 |
/* |
/* |
871 |
* Contents of modified bprm. |
* Contents of modified bprm. |
1063 |
/** |
/** |
1064 |
* ccs_find_execute_handler - Find an execute handler. |
* ccs_find_execute_handler - Find an execute handler. |
1065 |
* |
* |
1066 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
1067 |
* @type: Type of execute handler. |
* @type: Type of execute handler. |
1068 |
* |
* |
1069 |
* Returns true if found, false otherwise. |
* Returns true if found, false otherwise. |
1070 |
* |
* |
1071 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
1072 |
*/ |
*/ |
1073 |
static bool ccs_find_execute_handler(struct ccs_execve_entry *ee, |
static bool ccs_find_execute_handler(struct ccs_execve *ee, |
1074 |
const u8 type) |
const u8 type) |
1075 |
{ |
{ |
1076 |
struct task_struct *task = current; |
struct task_struct *task = current; |
1157 |
* ccs_start_execve - Prepare for execve() operation. |
* ccs_start_execve - Prepare for execve() operation. |
1158 |
* |
* |
1159 |
* @bprm: Pointer to "struct linux_binprm". |
* @bprm: Pointer to "struct linux_binprm". |
1160 |
* @eep: Pointer to "struct ccs_execve_entry *". |
* @eep: Pointer to "struct ccs_execve *". |
1161 |
* |
* |
1162 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
1163 |
*/ |
*/ |
1164 |
static int ccs_start_execve(struct linux_binprm *bprm, |
static int ccs_start_execve(struct linux_binprm *bprm, |
1165 |
struct ccs_execve_entry **eep) |
struct ccs_execve **eep) |
1166 |
{ |
{ |
1167 |
int retval; |
int retval; |
1168 |
struct task_struct *task = current; |
struct task_struct *task = current; |
1169 |
struct ccs_execve_entry *ee; |
struct ccs_execve *ee; |
1170 |
*eep = NULL; |
*eep = NULL; |
1171 |
ee = kzalloc(sizeof(*ee), CCS_GFP_FLAGS); |
ee = kzalloc(sizeof(*ee), CCS_GFP_FLAGS); |
1172 |
if (!ee) |
if (!ee) |
1180 |
/* ee->dump->data is allocated by ccs_dump_page(). */ |
/* ee->dump->data is allocated by ccs_dump_page(). */ |
1181 |
ee->previous_domain = task->ccs_domain_info; |
ee->previous_domain = task->ccs_domain_info; |
1182 |
/* Clear manager flag. */ |
/* Clear manager flag. */ |
1183 |
task->ccs_flags &= ~CCS_TASK_IS_POLICY_MANAGER; |
task->ccs_flags &= ~CCS_TASK_IS_MANAGER; |
1184 |
*eep = ee; |
*eep = ee; |
1185 |
ccs_init_request_info(&ee->r, CCS_MAC_FILE_EXECUTE); |
ccs_init_request_info(&ee->r, CCS_MAC_FILE_EXECUTE); |
1186 |
ee->r.ee = ee; |
ee->r.ee = ee; |
1209 |
* ccs_finish_execve - Clean up execve() operation. |
* ccs_finish_execve - Clean up execve() operation. |
1210 |
* |
* |
1211 |
* @retval: Return code of an execve() operation. |
* @retval: Return code of an execve() operation. |
1212 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
1213 |
* |
* |
1214 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
1215 |
*/ |
*/ |
1216 |
static void ccs_finish_execve(int retval, struct ccs_execve_entry *ee) |
static void ccs_finish_execve(int retval, struct ccs_execve *ee) |
1217 |
{ |
{ |
1218 |
struct task_struct *task = current; |
struct task_struct *task = current; |
1219 |
if (!ee) |
if (!ee) |
1288 |
static int __ccs_search_binary_handler(struct linux_binprm *bprm, |
static int __ccs_search_binary_handler(struct linux_binprm *bprm, |
1289 |
struct pt_regs *regs) |
struct pt_regs *regs) |
1290 |
{ |
{ |
1291 |
struct ccs_execve_entry *ee; |
struct ccs_execve *ee; |
1292 |
int retval; |
int retval; |
1293 |
if (!ccs_policy_loaded) |
if (!ccs_policy_loaded) |
1294 |
ccsecurity_exports.load_policy(bprm->filename); |
ccsecurity_exports.load_policy(bprm->filename); |