authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2011-06-26 16:19:28 +0200
committerJames Morris <jmorris@namei.org>2011-06-29 01:31:20 +0200
commit32997144fd9925fc4d506a16990a0c405f766526 (patch)
tree52332d25e9317250a1af1b06008d7eae18717c70 /security/tomoyo/domain.c
parentTOMOYO: Add auditing interface. (diff)
TOMOYO: Add ACL group support.
An ACL group lets the administrator globally grant not only the "file read" permission but any other permission as well. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/domain.c')
-rw-r--r--security/tomoyo/domain.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index cb5d2b05c244..af5f325e2f33 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -12,6 +12,9 @@
/* Variables definitions.*/
+/* The global ACL referred by "use_group" keyword. */
+struct list_head tomoyo_acl_group[TOMOYO_MAX_ACL_GROUPS];
+
/* The initial domain. */
struct tomoyo_domain_info tomoyo_kernel_domain;
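Review bot: The added `tomoyo_acl_group[TOMOYO_MAX_ACL_GROUPS]` is a bare definition, so each `struct list_head` in it starts zeroed rather than as an empty list, and nothing in this hunk runs INIT_LIST_HEAD on them; the first `list_for_each_entry_rcu` over an uninitialized element would follow a NULL `next` pointer. The initialization is presumably done in TOMOYO's init path elsewhere in the series, but it is not visible in this file section. A one-line pointer would help the reader, e.g. `/* Each entry is initialized with INIT_LIST_HEAD() at module init (see tomoyo_mm_init). */`, with the function name adjusted to wherever the loop actually lives.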
@@ -125,14 +128,27 @@ int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
return error;
}
+/**
+ * tomoyo_check_acl - Do permission check.
+ *
+ * @r: Pointer to "struct tomoyo_request_info".
+ * @check_entry: Callback function to check type specific parameters.
+ *
+ * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
+ */
void tomoyo_check_acl(struct tomoyo_request_info *r,
bool (*check_entry) (struct tomoyo_request_info *,
const struct tomoyo_acl_info *))
{
const struct tomoyo_domain_info *domain = r->domain;
struct tomoyo_acl_info *ptr;
+ bool retried = false;
+ const struct list_head *list = &domain->acl_info_list;
- list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
+retry:
+ list_for_each_entry_rcu(ptr, list, list) {
if (ptr->is_deleted || ptr->type != r->param_type)
continue;
if (check_entry(r, ptr)) {
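Review bot: The new kerneldoc block on tomoyo_check_acl states `Returns 0 on success, negative value otherwise.`, but the function is declared `void` and the visible code reports its outcome through `r->granted` instead, so the comment documents a contract the function does not have. Replace that line with `* Returns nothing. The result is reported through r->granted.` so callers are not led to test a return value. It would also be worth stating the new lookup order in the same block, e.g. `* The domain's own ACL list is searched first, then the global ACL group selected by domain->group.`, since that is the behavioural change this commit introduces. The body of tomoyo_check_acl continues past the end of this hunk.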
@@ -140,6 +156,11 @@ void tomoyo_check_acl(struct tomoyo_request_info *r,
return;
}
}
+ if (!retried) {
+ retried = true;
+ list = &tomoyo_acl_group[domain->group];
+ goto retry;
+ }
r->granted = false;
}
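Review bot: The added `list = &tomoyo_acl_group[domain->group];` indexes a TOMOYO_MAX_ACL_GROUPS-sized array with a value taken from the domain, and nothing in this hunk bounds it; unless the type of `domain->group` or the parser for the "use_group" keyword guarantees `group < TOMOYO_MAX_ACL_GROUPS`, an out-of-range value would make the permission check walk memory past the array. Neither the field's type nor the parser is visible here, so this may already be enforced at policy-load time. If it is, record the invariant at the use site, `/* domain->group is range-checked against TOMOYO_MAX_ACL_GROUPS when "use_group" is parsed. */`; if it is not, guard the fallback with `if (!retried && domain->group < TOMOYO_MAX_ACL_GROUPS) {` so a malformed group index denies rather than reads out of bounds. The start of tomoyo_check_acl lies in the previous hunk.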