diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2010-06-03 20:37:26 +0900 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-08-02 15:33:42 +1000 |
commit | 3f629636320dfa65804779a3fc333f3147f3b064 (patch) | |
tree | e44dc9f63ae8c6cd37d5471d014cd9b0449027e7 /security/tomoyo/domain.c | |
parent | c8c57e842720d8cc92ac8607f2d1c16d92314573 (diff) | |
download | lwn-3f629636320dfa65804779a3fc333f3147f3b064.tar.gz lwn-3f629636320dfa65804779a3fc333f3147f3b064.zip |
TOMOYO: Allow wildcard for execute permission.
Some applications create and execute programs dynamically. We need to accept
wildcard for execute permission because such programs contain random suffix
in their filenames. This patch loosens up regulation of string parameters.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/domain.c')
-rw-r--r-- | security/tomoyo/domain.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 7b8693e29a13..50f6e7972174 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -131,11 +131,11 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname, struct tomoyo_domain_initializer_entry e = { .is_not = is_not }; int error = is_delete ? -ENOENT : -ENOMEM; - if (!tomoyo_is_correct_path(program, 1, -1, -1)) - return -EINVAL; /* No patterns allowed. */ + if (!tomoyo_is_correct_path(program)) + return -EINVAL; if (domainname) { if (!tomoyo_is_domain_def(domainname) && - tomoyo_is_correct_path(domainname, 1, -1, -1)) + tomoyo_is_correct_path(domainname)) e.is_last_name = true; else if (!tomoyo_is_correct_domain(domainname)) return -EINVAL; @@ -342,12 +342,12 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname, int error = is_delete ? -ENOENT : -ENOMEM; if (!tomoyo_is_domain_def(domainname) && - tomoyo_is_correct_path(domainname, 1, -1, -1)) + tomoyo_is_correct_path(domainname)) e.is_last_name = true; else if (!tomoyo_is_correct_domain(domainname)) return -EINVAL; if (program) { - if (!tomoyo_is_correct_path(program, 1, -1, -1)) + if (!tomoyo_is_correct_path(program)) return -EINVAL; e.program = tomoyo_get_name(program); if (!e.program) @@ -533,13 +533,14 @@ static int tomoyo_update_alias_entry(const char *original_name, struct tomoyo_alias_entry e = { }; int error = is_delete ? -ENOENT : -ENOMEM; - if (!tomoyo_is_correct_path(original_name, 1, -1, -1) || - !tomoyo_is_correct_path(aliased_name, 1, -1, -1)) - return -EINVAL; /* No patterns allowed. */ + if (!tomoyo_is_correct_path(original_name) || + !tomoyo_is_correct_path(aliased_name)) + return -EINVAL; e.original_name = tomoyo_get_name(original_name); e.aliased_name = tomoyo_get_name(aliased_name); - if (!e.original_name || !e.aliased_name) - goto out; + if (!e.original_name || !e.aliased_name || + e.original_name->is_patterned || e.aliased_name->is_patterned) + goto out; /* No patterns allowed. */ if (mutex_lock_interruptible(&tomoyo_policy_lock)) goto out; list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) { |