| 37 |
/** |
/** |
| 38 |
* ccs_audit_execute_handler_log - Audit execute_handler log. |
* ccs_audit_execute_handler_log - Audit execute_handler log. |
| 39 |
* |
* |
| 40 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
| 41 |
* |
* |
| 42 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 43 |
*/ |
*/ |
| 44 |
static int ccs_audit_execute_handler_log(struct ccs_execve_entry *ee) |
static int ccs_audit_execute_handler_log(struct ccs_execve *ee) |
| 45 |
{ |
{ |
| 46 |
struct ccs_request_info *r = &ee->r; |
struct ccs_request_info *r = &ee->r; |
| 47 |
const char *handler = ee->handler->name; |
const char *handler = ee->handler->name; |
| 119 |
return error; |
return error; |
| 120 |
} |
} |
| 121 |
|
|
| 122 |
int ccs_update_domain_policy(struct ccs_acl_info *new_entry, const int size, |
int ccs_update_domain(struct ccs_acl_info *new_entry, const int size, |
| 123 |
bool is_delete, struct ccs_domain_info *domain, |
bool is_delete, struct ccs_domain_info *domain, |
| 124 |
bool (*check_duplicate) |
bool (*check_duplicate) (const struct ccs_acl_info *, |
| 125 |
(const struct ccs_acl_info *, |
const struct ccs_acl_info *), |
| 126 |
const struct ccs_acl_info *), |
bool (*merge_duplicate) (struct ccs_acl_info *, |
| 127 |
bool (*merge_duplicate) (struct ccs_acl_info *, |
struct ccs_acl_info *, |
| 128 |
struct ccs_acl_info *, |
const bool)) |
|
const bool)) |
|
| 129 |
{ |
{ |
| 130 |
int error = is_delete ? -ENOENT : -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
| 131 |
struct ccs_acl_info *entry; |
struct ccs_acl_info *entry; |
| 153 |
return error; |
return error; |
| 154 |
} |
} |
| 155 |
|
|
| 156 |
static bool ccs_is_same_domain_initializer_entry(const struct ccs_acl_head *a, |
static bool ccs_same_domain_initializer_entry(const struct ccs_acl_head *a, |
| 157 |
const struct ccs_acl_head *b) |
const struct ccs_acl_head *b) |
| 158 |
{ |
{ |
| 159 |
const struct ccs_domain_initializer_entry *p1 = |
const struct ccs_domain_initializer *p1 = |
| 160 |
container_of(a, typeof(*p1), head); |
container_of(a, typeof(*p1), head); |
| 161 |
const struct ccs_domain_initializer_entry *p2 = |
const struct ccs_domain_initializer *p2 = |
| 162 |
container_of(b, typeof(*p2), head); |
container_of(b, typeof(*p2), head); |
| 163 |
return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name |
return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name |
| 164 |
&& p1->domainname == p2->domainname |
&& p1->domainname == p2->domainname |
| 166 |
} |
} |
| 167 |
|
|
| 168 |
/** |
/** |
| 169 |
* ccs_update_domain_initializer_entry - Update "struct ccs_domain_initializer_entry" list. |
* ccs_update_domain_initializer_entry - Update "struct ccs_domain_initializer" list. |
| 170 |
* |
* |
| 171 |
* @domainname: The name of domain. May be NULL. |
* @domainname: The name of domain. May be NULL. |
| 172 |
* @program: The name of program. |
* @program: The name of program. |
| 180 |
const bool is_not, |
const bool is_not, |
| 181 |
const bool is_delete) |
const bool is_delete) |
| 182 |
{ |
{ |
| 183 |
struct ccs_domain_initializer_entry e = { .is_not = is_not }; |
struct ccs_domain_initializer e = { .is_not = is_not }; |
| 184 |
int error = is_delete ? -ENOENT : -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
| 185 |
if (!ccs_is_correct_path(program, 1, -1, -1)) |
if (!ccs_correct_path(program, 1, -1, -1)) |
| 186 |
return -EINVAL; /* No patterns allowed. */ |
return -EINVAL; /* No patterns allowed. */ |
| 187 |
if (domainname) { |
if (domainname) { |
| 188 |
if (!ccs_is_domain_def(domainname) && |
if (!ccs_domain_def(domainname) && |
| 189 |
ccs_is_correct_path(domainname, 1, -1, -1)) |
ccs_correct_path(domainname, 1, -1, -1)) |
| 190 |
e.is_last_name = true; |
e.is_last_name = true; |
| 191 |
else if (!ccs_is_correct_domain(domainname)) |
else if (!ccs_correct_domain(domainname)) |
| 192 |
return -EINVAL; |
return -EINVAL; |
| 193 |
e.domainname = ccs_get_name(domainname); |
e.domainname = ccs_get_name(domainname); |
| 194 |
if (!e.domainname) |
if (!e.domainname) |
| 199 |
goto out; |
goto out; |
| 200 |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
| 201 |
CCS_ID_DOMAIN_INITIALIZER, |
CCS_ID_DOMAIN_INITIALIZER, |
| 202 |
ccs_is_same_domain_initializer_entry); |
ccs_same_domain_initializer_entry); |
| 203 |
out: |
out: |
| 204 |
ccs_put_name(e.domainname); |
ccs_put_name(e.domainname); |
| 205 |
ccs_put_name(e.program); |
ccs_put_name(e.program); |
| 207 |
} |
} |
| 208 |
|
|
| 209 |
/** |
/** |
| 210 |
* ccs_write_domain_initializer_policy - Write "struct ccs_domain_initializer_entry" list. |
* ccs_write_domain_initializer - Write "struct ccs_domain_initializer" list. |
| 211 |
* |
* |
| 212 |
* @data: String to parse. |
* @data: String to parse. |
| 213 |
* @is_delete: True if it is a delete request. |
* @is_delete: True if it is a delete request. |
| 214 |
* |
* |
| 215 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 216 |
*/ |
*/ |
| 217 |
int ccs_write_domain_initializer_policy(char *data, const bool is_delete, const u8 flags) |
int ccs_write_domain_initializer(char *data, const bool is_delete, const u8 flags) |
| 218 |
{ |
{ |
| 219 |
char *domainname = strstr(data, " from "); |
char *domainname = strstr(data, " from "); |
| 220 |
if (domainname) { |
if (domainname) { |
| 226 |
} |
} |
| 227 |
|
|
| 228 |
/** |
/** |
| 229 |
* ccs_is_domain_initializer - Check whether the given program causes domainname reinitialization. |
* ccs_domain_initializer - Check whether the given program causes domainname reinitialization. |
| 230 |
* |
* |
| 231 |
* @domainname: The name of domain. |
* @domainname: The name of domain. |
| 232 |
* @program: The name of program. |
* @program: The name of program. |
| 237 |
* |
* |
| 238 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
| 239 |
*/ |
*/ |
| 240 |
static bool ccs_is_domain_initializer(const struct ccs_path_info *domainname, |
static bool ccs_domain_initializer(const struct ccs_path_info *domainname, |
| 241 |
const struct ccs_path_info *program, |
const struct ccs_path_info *program, |
| 242 |
const struct ccs_path_info *last_name) |
const struct ccs_path_info *last_name) |
| 243 |
{ |
{ |
| 244 |
struct ccs_domain_initializer_entry *ptr; |
struct ccs_domain_initializer *ptr; |
| 245 |
bool flag = false; |
bool flag = false; |
| 246 |
list_for_each_entry_rcu(ptr, &ccs_policy_list |
list_for_each_entry_rcu(ptr, &ccs_policy_list |
| 247 |
[CCS_ID_DOMAIN_INITIALIZER], head.list) { |
[CCS_ID_DOMAIN_INITIALIZER], head.list) { |
| 267 |
return flag; |
return flag; |
| 268 |
} |
} |
| 269 |
|
|
| 270 |
static bool ccs_is_same_domain_keeper_entry(const struct ccs_acl_head *a, |
static bool ccs_same_domain_keeper_entry(const struct ccs_acl_head *a, |
| 271 |
const struct ccs_acl_head *b) |
const struct ccs_acl_head *b) |
| 272 |
{ |
{ |
| 273 |
const struct ccs_domain_keeper_entry *p1 = |
const struct ccs_domain_keeper *p1 = |
| 274 |
container_of(a, typeof(*p1), head); |
container_of(a, typeof(*p1), head); |
| 275 |
const struct ccs_domain_keeper_entry *p2 = |
const struct ccs_domain_keeper *p2 = |
| 276 |
container_of(b, typeof(*p2), head); |
container_of(b, typeof(*p2), head); |
| 277 |
return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name |
return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name |
| 278 |
&& p1->domainname == p2->domainname |
&& p1->domainname == p2->domainname |
| 280 |
} |
} |
| 281 |
|
|
| 282 |
/** |
/** |
| 283 |
* ccs_update_domain_keeper_entry - Update "struct ccs_domain_keeper_entry" list. |
* ccs_update_domain_keeper_entry - Update "struct ccs_domain_keeper" list. |
| 284 |
* |
* |
| 285 |
* @domainname: The name of domain. |
* @domainname: The name of domain. |
| 286 |
* @program: The name of program. May be NULL. |
* @program: The name of program. May be NULL. |
| 294 |
const bool is_not, |
const bool is_not, |
| 295 |
const bool is_delete) |
const bool is_delete) |
| 296 |
{ |
{ |
| 297 |
struct ccs_domain_keeper_entry e = { .is_not = is_not }; |
struct ccs_domain_keeper e = { .is_not = is_not }; |
| 298 |
int error = is_delete ? -ENOENT : -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
| 299 |
if (!ccs_is_domain_def(domainname) && |
if (!ccs_domain_def(domainname) && |
| 300 |
ccs_is_correct_path(domainname, 1, -1, -1)) |
ccs_correct_path(domainname, 1, -1, -1)) |
| 301 |
e.is_last_name = true; |
e.is_last_name = true; |
| 302 |
else if (!ccs_is_correct_domain(domainname)) |
else if (!ccs_correct_domain(domainname)) |
| 303 |
return -EINVAL; |
return -EINVAL; |
| 304 |
if (program) { |
if (program) { |
| 305 |
if (!ccs_is_correct_path(program, 1, -1, -1)) |
if (!ccs_correct_path(program, 1, -1, -1)) |
| 306 |
return -EINVAL; |
return -EINVAL; |
| 307 |
e.program = ccs_get_name(program); |
e.program = ccs_get_name(program); |
| 308 |
if (!e.program) |
if (!e.program) |
| 313 |
goto out; |
goto out; |
| 314 |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
| 315 |
CCS_ID_DOMAIN_KEEPER, |
CCS_ID_DOMAIN_KEEPER, |
| 316 |
ccs_is_same_domain_keeper_entry); |
ccs_same_domain_keeper_entry); |
| 317 |
out: |
out: |
| 318 |
ccs_put_name(e.domainname); |
ccs_put_name(e.domainname); |
| 319 |
ccs_put_name(e.program); |
ccs_put_name(e.program); |
| 321 |
} |
} |
| 322 |
|
|
| 323 |
/** |
/** |
| 324 |
* ccs_write_domain_keeper_policy - Write "struct ccs_domain_keeper_entry" list. |
* ccs_write_domain_keeper - Write "struct ccs_domain_keeper" list. |
| 325 |
* |
* |
| 326 |
* @data: String to parse. |
* @data: String to parse. |
| 327 |
* @is_delete: True if it is a delete request. |
* @is_delete: True if it is a delete request. |
| 328 |
* |
* |
| 329 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 330 |
*/ |
*/ |
| 331 |
int ccs_write_domain_keeper_policy(char *data, const bool is_delete, |
int ccs_write_domain_keeper(char *data, const bool is_delete, const u8 flags) |
|
const u8 flags) |
|
| 332 |
{ |
{ |
| 333 |
char *domainname = strstr(data, " from "); |
char *domainname = strstr(data, " from "); |
| 334 |
if (domainname) { |
if (domainname) { |
| 343 |
} |
} |
| 344 |
|
|
| 345 |
/** |
/** |
| 346 |
* ccs_is_domain_keeper - Check whether the given program causes domain transition suppression. |
* ccs_domain_keeper - Check whether the given program causes domain transition suppression. |
| 347 |
* |
* |
| 348 |
* @domainname: The name of domain. |
* @domainname: The name of domain. |
| 349 |
* @program: The name of program. |
* @program: The name of program. |
| 354 |
* |
* |
| 355 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
| 356 |
*/ |
*/ |
| 357 |
static bool ccs_is_domain_keeper(const struct ccs_path_info *domainname, |
static bool ccs_domain_keeper(const struct ccs_path_info *domainname, |
| 358 |
const struct ccs_path_info *program, |
const struct ccs_path_info *program, |
| 359 |
const struct ccs_path_info *last_name) |
const struct ccs_path_info *last_name) |
| 360 |
{ |
{ |
| 361 |
struct ccs_domain_keeper_entry *ptr; |
struct ccs_domain_keeper *ptr; |
| 362 |
bool flag = false; |
bool flag = false; |
| 363 |
list_for_each_entry_rcu(ptr, &ccs_policy_list[CCS_ID_DOMAIN_KEEPER], |
list_for_each_entry_rcu(ptr, &ccs_policy_list[CCS_ID_DOMAIN_KEEPER], |
| 364 |
head.list) { |
head.list) { |
| 382 |
return flag; |
return flag; |
| 383 |
} |
} |
| 384 |
|
|
| 385 |
static bool ccs_is_same_aggregator_entry(const struct ccs_acl_head *a, |
static bool ccs_same_aggregator_entry(const struct ccs_acl_head *a, |
| 386 |
const struct ccs_acl_head *b) |
const struct ccs_acl_head *b) |
| 387 |
{ |
{ |
| 388 |
const struct ccs_aggregator_entry *p1 = |
const struct ccs_aggregator *p1 = |
| 389 |
container_of(a, typeof(*p1), head); |
container_of(a, typeof(*p1), head); |
| 390 |
const struct ccs_aggregator_entry *p2 = |
const struct ccs_aggregator *p2 = |
| 391 |
container_of(b, typeof(*p2), head); |
container_of(b, typeof(*p2), head); |
| 392 |
return p1->original_name == p2->original_name && |
return p1->original_name == p2->original_name && |
| 393 |
p1->aggregated_name == p2->aggregated_name; |
p1->aggregated_name == p2->aggregated_name; |
| 394 |
} |
} |
| 395 |
|
|
| 396 |
/** |
/** |
| 397 |
* ccs_update_aggregator_entry - Update "struct ccs_aggregator_entry" list. |
* ccs_update_aggregator_entry - Update "struct ccs_aggregator" list. |
| 398 |
* |
* |
| 399 |
* @original_name: The original program's name. |
* @original_name: The original program's name. |
| 400 |
* @aggregated_name: The aggregated program's name. |
* @aggregated_name: The aggregated program's name. |
| 406 |
const char *aggregated_name, |
const char *aggregated_name, |
| 407 |
const bool is_delete) |
const bool is_delete) |
| 408 |
{ |
{ |
| 409 |
struct ccs_aggregator_entry e = { }; |
struct ccs_aggregator e = { }; |
| 410 |
int error = is_delete ? -ENOENT : -ENOMEM; |
int error = is_delete ? -ENOENT : -ENOMEM; |
| 411 |
if (!ccs_is_correct_path(original_name, 1, 0, -1) || |
if (!ccs_correct_path(original_name, 1, 0, -1) || |
| 412 |
!ccs_is_correct_path(aggregated_name, 1, -1, -1)) |
!ccs_correct_path(aggregated_name, 1, -1, -1)) |
| 413 |
return -EINVAL; |
return -EINVAL; |
| 414 |
e.original_name = ccs_get_name(original_name); |
e.original_name = ccs_get_name(original_name); |
| 415 |
e.aggregated_name = ccs_get_name(aggregated_name); |
e.aggregated_name = ccs_get_name(aggregated_name); |
| 417 |
goto out; |
goto out; |
| 418 |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
error = ccs_update_policy(&e.head, sizeof(e), is_delete, |
| 419 |
CCS_ID_AGGREGATOR, |
CCS_ID_AGGREGATOR, |
| 420 |
ccs_is_same_aggregator_entry); |
ccs_same_aggregator_entry); |
| 421 |
out: |
out: |
| 422 |
ccs_put_name(e.original_name); |
ccs_put_name(e.original_name); |
| 423 |
ccs_put_name(e.aggregated_name); |
ccs_put_name(e.aggregated_name); |
| 425 |
} |
} |
| 426 |
|
|
| 427 |
/** |
/** |
| 428 |
* ccs_write_aggregator_policy - Write "struct ccs_aggregator_entry" list. |
* ccs_write_aggregator - Write "struct ccs_aggregator" list. |
| 429 |
* |
* |
| 430 |
* @data: String to parse. |
* @data: String to parse. |
| 431 |
* @is_delete: True if it is a delete request. |
* @is_delete: True if it is a delete request. |
| 432 |
* |
* |
| 433 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 434 |
*/ |
*/ |
| 435 |
int ccs_write_aggregator_policy(char *data, const bool is_delete, const u8 flags) |
int ccs_write_aggregator(char *data, const bool is_delete, const u8 flags) |
| 436 |
{ |
{ |
| 437 |
char *w[2]; |
char *w[2]; |
| 438 |
if (!ccs_tokenize(data, w, sizeof(w)) || !w[1][0]) |
if (!ccs_tokenize(data, w, sizeof(w)) || !w[1][0]) |
| 488 |
const struct ccs_path_info *saved_domainname; |
const struct ccs_path_info *saved_domainname; |
| 489 |
bool found = false; |
bool found = false; |
| 490 |
|
|
| 491 |
if (!ccs_is_correct_domain(domainname)) |
if (!ccs_correct_domain(domainname)) |
| 492 |
return NULL; |
return NULL; |
| 493 |
saved_domainname = ccs_get_name(domainname); |
saved_domainname = ccs_get_name(domainname); |
| 494 |
if (!saved_domainname) |
if (!saved_domainname) |
| 523 |
/** |
/** |
| 524 |
* ccs_find_next_domain - Find a domain. |
* ccs_find_next_domain - Find a domain. |
| 525 |
* |
* |
| 526 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
| 527 |
* |
* |
| 528 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 529 |
* |
* |
| 530 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
| 531 |
*/ |
*/ |
| 532 |
static int ccs_find_next_domain(struct ccs_execve_entry *ee) |
static int ccs_find_next_domain(struct ccs_execve *ee) |
| 533 |
{ |
{ |
| 534 |
struct ccs_request_info *r = &ee->r; |
struct ccs_request_info *r = &ee->r; |
| 535 |
const struct ccs_path_info *handler = ee->handler; |
const struct ccs_path_info *handler = ee->handler; |
| 572 |
goto out; |
goto out; |
| 573 |
} |
} |
| 574 |
} else { |
} else { |
| 575 |
struct ccs_aggregator_entry *ptr; |
struct ccs_aggregator *ptr; |
| 576 |
/* Check 'aggregator' directive. */ |
/* Check 'aggregator' directive. */ |
| 577 |
list_for_each_entry_rcu(ptr, |
list_for_each_entry_rcu(ptr, |
| 578 |
&ccs_policy_list[CCS_ID_AGGREGATOR], |
&ccs_policy_list[CCS_ID_AGGREGATOR], |
| 596 |
} |
} |
| 597 |
|
|
| 598 |
/* Calculate domain to transit to. */ |
/* Calculate domain to transit to. */ |
| 599 |
if (ccs_is_domain_initializer(old_domain->domainname, &rn, &ln)) { |
if (ccs_domain_initializer(old_domain->domainname, &rn, &ln)) { |
| 600 |
/* Transit to the child of ccs_kernel_domain domain. */ |
/* Transit to the child of ccs_kernel_domain domain. */ |
| 601 |
snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, ROOT_NAME " " "%s", |
snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, ROOT_NAME " " "%s", |
| 602 |
rn.name); |
rn.name); |
| 607 |
* initializers because they might start before /sbin/init. |
* initializers because they might start before /sbin/init. |
| 608 |
*/ |
*/ |
| 609 |
domain = old_domain; |
domain = old_domain; |
| 610 |
} else if (ccs_is_domain_keeper(old_domain->domainname, &rn, &ln)) { |
} else if (ccs_domain_keeper(old_domain->domainname, &rn, &ln)) { |
| 611 |
/* Keep current domain. */ |
/* Keep current domain. */ |
| 612 |
domain = old_domain; |
domain = old_domain; |
| 613 |
} else { |
} else { |
| 676 |
/** |
/** |
| 677 |
* ccs_environ - Check permission for environment variable names. |
* ccs_environ - Check permission for environment variable names. |
| 678 |
* |
* |
| 679 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
| 680 |
* |
* |
| 681 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 682 |
*/ |
*/ |
| 683 |
static int ccs_environ(struct ccs_execve_entry *ee) |
static int ccs_environ(struct ccs_execve *ee) |
| 684 |
{ |
{ |
| 685 |
struct ccs_request_info *r = &ee->r; |
struct ccs_request_info *r = &ee->r; |
| 686 |
struct linux_binprm *bprm = ee->bprm; |
struct linux_binprm *bprm = ee->bprm; |
| 861 |
/** |
/** |
| 862 |
* ccs_try_alt_exec - Try to start execute handler. |
* ccs_try_alt_exec - Try to start execute handler. |
| 863 |
* |
* |
| 864 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
| 865 |
* |
* |
| 866 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 867 |
*/ |
*/ |
| 868 |
static int ccs_try_alt_exec(struct ccs_execve_entry *ee) |
static int ccs_try_alt_exec(struct ccs_execve *ee) |
| 869 |
{ |
{ |
| 870 |
/* |
/* |
| 871 |
* Contents of modified bprm. |
* Contents of modified bprm. |
| 1063 |
/** |
/** |
| 1064 |
* ccs_find_execute_handler - Find an execute handler. |
* ccs_find_execute_handler - Find an execute handler. |
| 1065 |
* |
* |
| 1066 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
| 1067 |
* @type: Type of execute handler. |
* @type: Type of execute handler. |
| 1068 |
* |
* |
| 1069 |
* Returns true if found, false otherwise. |
* Returns true if found, false otherwise. |
| 1070 |
* |
* |
| 1071 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
| 1072 |
*/ |
*/ |
| 1073 |
static bool ccs_find_execute_handler(struct ccs_execve_entry *ee, |
static bool ccs_find_execute_handler(struct ccs_execve *ee, |
| 1074 |
const u8 type) |
const u8 type) |
| 1075 |
{ |
{ |
| 1076 |
struct task_struct *task = current; |
struct task_struct *task = current; |
| 1157 |
* ccs_start_execve - Prepare for execve() operation. |
* ccs_start_execve - Prepare for execve() operation. |
| 1158 |
* |
* |
| 1159 |
* @bprm: Pointer to "struct linux_binprm". |
* @bprm: Pointer to "struct linux_binprm". |
| 1160 |
* @eep: Pointer to "struct ccs_execve_entry *". |
* @eep: Pointer to "struct ccs_execve *". |
| 1161 |
* |
* |
| 1162 |
* Returns 0 on success, negative value otherwise. |
* Returns 0 on success, negative value otherwise. |
| 1163 |
*/ |
*/ |
| 1164 |
static int ccs_start_execve(struct linux_binprm *bprm, |
static int ccs_start_execve(struct linux_binprm *bprm, |
| 1165 |
struct ccs_execve_entry **eep) |
struct ccs_execve **eep) |
| 1166 |
{ |
{ |
| 1167 |
int retval; |
int retval; |
| 1168 |
struct task_struct *task = current; |
struct task_struct *task = current; |
| 1169 |
struct ccs_execve_entry *ee; |
struct ccs_execve *ee; |
| 1170 |
*eep = NULL; |
*eep = NULL; |
| 1171 |
ee = kzalloc(sizeof(*ee), CCS_GFP_FLAGS); |
ee = kzalloc(sizeof(*ee), CCS_GFP_FLAGS); |
| 1172 |
if (!ee) |
if (!ee) |
| 1180 |
/* ee->dump->data is allocated by ccs_dump_page(). */ |
/* ee->dump->data is allocated by ccs_dump_page(). */ |
| 1181 |
ee->previous_domain = task->ccs_domain_info; |
ee->previous_domain = task->ccs_domain_info; |
| 1182 |
/* Clear manager flag. */ |
/* Clear manager flag. */ |
| 1183 |
task->ccs_flags &= ~CCS_TASK_IS_POLICY_MANAGER; |
task->ccs_flags &= ~CCS_TASK_IS_MANAGER; |
| 1184 |
*eep = ee; |
*eep = ee; |
| 1185 |
ccs_init_request_info(&ee->r, CCS_MAC_FILE_EXECUTE); |
ccs_init_request_info(&ee->r, CCS_MAC_FILE_EXECUTE); |
| 1186 |
ee->r.ee = ee; |
ee->r.ee = ee; |
| 1209 |
* ccs_finish_execve - Clean up execve() operation. |
* ccs_finish_execve - Clean up execve() operation. |
| 1210 |
* |
* |
| 1211 |
* @retval: Return code of an execve() operation. |
* @retval: Return code of an execve() operation. |
| 1212 |
* @ee: Pointer to "struct ccs_execve_entry". |
* @ee: Pointer to "struct ccs_execve". |
| 1213 |
* |
* |
| 1214 |
* Caller holds ccs_read_lock(). |
* Caller holds ccs_read_lock(). |
| 1215 |
*/ |
*/ |
| 1216 |
static void ccs_finish_execve(int retval, struct ccs_execve_entry *ee) |
static void ccs_finish_execve(int retval, struct ccs_execve *ee) |
| 1217 |
{ |
{ |
| 1218 |
struct task_struct *task = current; |
struct task_struct *task = current; |
| 1219 |
if (!ee) |
if (!ee) |
| 1288 |
static int __ccs_search_binary_handler(struct linux_binprm *bprm, |
static int __ccs_search_binary_handler(struct linux_binprm *bprm, |
| 1289 |
struct pt_regs *regs) |
struct pt_regs *regs) |
| 1290 |
{ |
{ |
| 1291 |
struct ccs_execve_entry *ee; |
struct ccs_execve *ee; |
| 1292 |
int retval; |
int retval; |
| 1293 |
if (!ccs_policy_loaded) |
if (!ccs_policy_loaded) |
| 1294 |
ccsecurity_exports.load_policy(bprm->filename); |
ccsecurity_exports.load_policy(bprm->filename); |
TOMOYO
Parent Directory
Revision Log
Patch