diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2010-06-16 09:22:51 +0200 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-08-02 07:34:32 +0200 |
commit | 99a852596beb26cc449ca1a79834c107ef4080e1 (patch) | |
tree | 8d593b0af85f6cbbfe73b916f7449148ccf93133 /security/tomoyo/mount.c | |
parent | TOMOYO: Pass parameters via structure. (diff) | |
download | linux-99a852596beb26cc449ca1a79834c107ef4080e1.tar.xz linux-99a852596beb26cc449ca1a79834c107ef4080e1.zip |
TOMOYO: Use callback for permission check.
We can use callback function since parameters are passed via
"const struct tomoyo_request_info".
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to '')
-rw-r--r-- | security/tomoyo/mount.c | 73 |
1 files changed, 52 insertions, 21 deletions
diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c index 554de173152c..8f3ac251c571 100644 --- a/security/tomoyo/mount.c +++ b/security/tomoyo/mount.c @@ -25,6 +25,54 @@ #define TOMOYO_MOUNT_MAKE_SHARED_KEYWORD "--make-shared" /** + * tomoyo_audit_mount_log - Audit mount log. + * + * @r: Pointer to "struct tomoyo_request_info". + * + * Returns 0 on success, negative value otherwise. + */ +static int tomoyo_audit_mount_log(struct tomoyo_request_info *r) +{ + const char *dev = r->param.mount.dev->name; + const char *dir = r->param.mount.dir->name; + const char *type = r->param.mount.type->name; + const unsigned long flags = r->param.mount.flags; + if (r->granted) + return 0; + if (!strcmp(type, TOMOYO_MOUNT_REMOUNT_KEYWORD)) + tomoyo_warn_log(r, "mount -o remount %s 0x%lX", dir, flags); + else if (!strcmp(type, TOMOYO_MOUNT_BIND_KEYWORD) + || !strcmp(type, TOMOYO_MOUNT_MOVE_KEYWORD)) + tomoyo_warn_log(r, "mount %s %s %s 0x%lX", type, dev, dir, + flags); + else if (!strcmp(type, TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD) || + !strcmp(type, TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD) || + !strcmp(type, TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD) || + !strcmp(type, TOMOYO_MOUNT_MAKE_SHARED_KEYWORD)) + tomoyo_warn_log(r, "mount %s %s 0x%lX", type, dir, flags); + else + tomoyo_warn_log(r, "mount -t %s %s %s 0x%lX", type, dev, dir, + flags); + return tomoyo_supervisor(r, + TOMOYO_KEYWORD_ALLOW_MOUNT "%s %s %s 0x%lX\n", + tomoyo_file_pattern(r->param.mount.dev), + tomoyo_file_pattern(r->param.mount.dir), type, + flags); +} + +static bool tomoyo_check_mount_acl(const struct tomoyo_request_info *r, + const struct tomoyo_acl_info *ptr) +{ + const struct tomoyo_mount_acl *acl = + container_of(ptr, typeof(*acl), head); + return tomoyo_compare_number_union(r->param.mount.flags, &acl->flags) && + tomoyo_compare_name_union(r->param.mount.type, &acl->fs_type) && + tomoyo_compare_name_union(r->param.mount.dir, &acl->dir_name) && + (!r->param.mount.need_dev || + tomoyo_compare_name_union(r->param.mount.dev, &acl->dev_name)); +} + +/** * tomoyo_mount_acl2 - Check permission for mount() operation. * * @r: Pointer to "struct tomoyo_request_info". @@ -41,7 +89,6 @@ static int tomoyo_mount_acl2(struct tomoyo_request_info *r, char *dev_name, struct path *dir, char *type, unsigned long flags) { struct path path; - struct tomoyo_acl_info *ptr; struct file_system_type *fstype = NULL; const char *requested_type = NULL; const char *requested_dir_name = NULL; @@ -118,26 +165,10 @@ static int tomoyo_mount_acl2(struct tomoyo_request_info *r, char *dev_name, r->param.mount.dir = &rdir; r->param.mount.type = &rtype; r->param.mount.flags = flags; - list_for_each_entry_rcu(ptr, &r->domain->acl_info_list, list) { - struct tomoyo_mount_acl *acl; - if (ptr->is_deleted || ptr->type != TOMOYO_TYPE_MOUNT_ACL) - continue; - acl = container_of(ptr, struct tomoyo_mount_acl, head); - if (!tomoyo_compare_number_union(flags, &acl->flags) || - !tomoyo_compare_name_union(&rtype, &acl->fs_type) || - !tomoyo_compare_name_union(&rdir, &acl->dir_name) || - (need_dev && - !tomoyo_compare_name_union(&rdev, &acl->dev_name))) - continue; - error = 0; - break; - } - if (error) - error = tomoyo_supervisor(r, TOMOYO_KEYWORD_ALLOW_MOUNT - "%s %s %s 0x%lX\n", - tomoyo_file_pattern(&rdev), - tomoyo_file_pattern(&rdir), - requested_type, flags); + do { + tomoyo_check_acl(r, tomoyo_check_mount_acl); + error = tomoyo_audit_mount_log(r); + } while (error == TOMOYO_RETRY_REQUEST); out: kfree(requested_dev_name); kfree(requested_dir_name); |