diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-06-26 23:20:23 +0900 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-06-29 09:31:21 +1000 |
commit | 5625f2e3266319fd29fe4f1c76ccd3f550c79ac4 (patch) | |
tree | 190e96d956213b22da705872094ebdf5272af972 /security/tomoyo/file.c | |
parent | bd03a3e4c9a9df0c6b007045fa7fc8889111a478 (diff) | |
download | lwn-5625f2e3266319fd29fe4f1c76ccd3f550c79ac4.tar.gz lwn-5625f2e3266319fd29fe4f1c76ccd3f550c79ac4.zip |
TOMOYO: Change pathname for non-rename()able filesystems.
TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if $PID matches current
thread's process ID in order to prevent current thread from accessing other
process's information unless needed.
But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ /p/
/tmp/foo/100/p/ ), TOMOYO cannot tell that whether the numeric part in the
string returned by __d_path() represents process ID or not.
Therefore, to be able to convert from $PID to self no matter where procfs is
mounted, this patch changes pathname representations for filesystems which do
not support rename() operation (e.g. proc, sysfs, securityfs).
Examples:
/proc/self/mounts => proc:/self/mounts
/sys/kernel/security/ => sys:/kernel/security/
/dev/pts/0 => devpts:/0
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/file.c')
-rw-r--r-- | security/tomoyo/file.c | 12 |
1 files changed, 3 insertions, 9 deletions
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 323ddc73a125..8410f28a35e0 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -712,7 +712,7 @@ int tomoyo_path_number_perm(const u8 type, struct path *path, int idx; if (tomoyo_init_request_info(&r, NULL, tomoyo_pn2mac[type]) - == TOMOYO_CONFIG_DISABLED || !path->mnt || !path->dentry) + == TOMOYO_CONFIG_DISABLED || !path->dentry) return 0; idx = tomoyo_read_lock(); if (!tomoyo_get_realpath(&buf, path)) @@ -753,8 +753,6 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, struct tomoyo_request_info r; int idx; - if (!path->mnt) - return 0; buf.name = NULL; r.mode = TOMOYO_CONFIG_DISABLED; idx = tomoyo_read_lock(); @@ -798,8 +796,6 @@ int tomoyo_path_perm(const u8 operation, struct path *path) bool is_enforce; int idx; - if (!path->mnt) - return 0; if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) == TOMOYO_CONFIG_DISABLED) return 0; @@ -842,8 +838,7 @@ int tomoyo_mkdev_perm(const u8 operation, struct path *path, struct tomoyo_path_info buf; int idx; - if (!path->mnt || - tomoyo_init_request_info(&r, NULL, tomoyo_pnnn2mac[operation]) + if (tomoyo_init_request_info(&r, NULL, tomoyo_pnnn2mac[operation]) == TOMOYO_CONFIG_DISABLED) return 0; idx = tomoyo_read_lock(); @@ -884,8 +879,7 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1, struct tomoyo_request_info r; int idx; - if (!path1->mnt || !path2->mnt || - tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) + if (tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) == TOMOYO_CONFIG_DISABLED) return 0; buf1.name = NULL; |