diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2010-06-21 09:58:53 +0900 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-08-02 15:34:42 +1000 |
commit | 0617c7ff34dc9b1d641640c3953274bb2dbe21a6 (patch) | |
tree | 6be51af32ad65380aff9b7fa385f65ef15b3d53b /security | |
parent | 7c2ea22e3c5463627ca98924cd65cb9e480dc29c (diff) | |
download | lwn-0617c7ff34dc9b1d641640c3953274bb2dbe21a6.tar.gz lwn-0617c7ff34dc9b1d641640c3953274bb2dbe21a6.zip |
TOMOYO: Remove alias keyword.
Some programs behave differently depending on argv[0] passed to execve().
TOMOYO has "alias" keyword in order to allow administrators to define different
domains if requested pathname passed to execve() is a symlink. But "alias"
keyword is incomplete because this keyword assumes that requested pathname and
argv[0] are identical. Thus, remove "alias" keyword (by this patch) and add
syntax for checking argv[0] (by future patches).
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/tomoyo/common.c | 12 | ||||
-rw-r--r-- | security/tomoyo/common.h | 30 | ||||
-rw-r--r-- | security/tomoyo/domain.c | 100 | ||||
-rw-r--r-- | security/tomoyo/gc.c | 11 | ||||
-rw-r--r-- | security/tomoyo/realpath.c | 19 |
5 files changed, 8 insertions, 164 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 183fe6513400..0e6b1b598b86 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -1177,8 +1177,6 @@ static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head) is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_AGGREGATOR)) return tomoyo_write_aggregator_policy(data, is_delete); - if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS)) - return tomoyo_write_alias_policy(data, is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ)) return tomoyo_write_globally_readable_policy(data, is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN)) @@ -1334,16 +1332,6 @@ static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) w[1] = ptr->filename->name; } break; - case TOMOYO_ID_ALIAS: - { - struct tomoyo_alias_entry *ptr = - container_of(acl, typeof(*ptr), head); - w[0] = TOMOYO_KEYWORD_ALIAS; - w[1] = ptr->original_name->name; - w[2] = " "; - w[3] = ptr->aliased_name->name; - } - break; case TOMOYO_ID_AGGREGATOR: { struct tomoyo_aggregator_entry *ptr = diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index ec3ed488ee30..12b0c5c46c8d 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -53,7 +53,6 @@ enum tomoyo_policy_id { TOMOYO_ID_DOMAIN_INITIALIZER, TOMOYO_ID_DOMAIN_KEEPER, TOMOYO_ID_AGGREGATOR, - TOMOYO_ID_ALIAS, TOMOYO_ID_GLOBALLY_READABLE, TOMOYO_ID_PATTERN, TOMOYO_ID_NO_REWRITE, @@ -72,7 +71,6 @@ enum tomoyo_group_id { /* Keywords for ACLs. */ #define TOMOYO_KEYWORD_AGGREGATOR "aggregator " -#define TOMOYO_KEYWORD_ALIAS "alias " #define TOMOYO_KEYWORD_ALLOW_MOUNT "allow_mount " #define TOMOYO_KEYWORD_ALLOW_READ "allow_read " #define TOMOYO_KEYWORD_DELETE "delete " @@ -683,20 +681,6 @@ struct tomoyo_aggregator_entry { }; /* - * tomoyo_alias_entry is a structure which is used for holding "alias" entries. - * It has following fields. - * - * (1) "head" is "struct tomoyo_acl_head". - * (2) "original_name" which is a dereferenced pathname. - * (3) "aliased_name" which is a symlink's pathname. - */ -struct tomoyo_alias_entry { - struct tomoyo_acl_head head; - const struct tomoyo_path_info *original_name; - const struct tomoyo_path_info *aliased_name; -}; - -/* * tomoyo_policy_manager_entry is a structure which is used for holding list of * domainnames or programs which are permitted to modify configuration via * /sys/kernel/security/tomoyo/ interface. @@ -809,8 +793,6 @@ int tomoyo_mount_permission(char *dev_name, struct path *path, char *type, unsigned long flags, void *data_page); /* Create "aggregator" entry in exception policy. */ int tomoyo_write_aggregator_policy(char *data, const bool is_delete); -/* Create "alias" entry in exception policy. */ -int tomoyo_write_alias_policy(char *data, const bool is_delete); /* * Create "initialize_domain" and "no_initialize_domain" entry * in exception policy. @@ -868,16 +850,14 @@ void tomoyo_put_number_union(struct tomoyo_number_union *ptr); char *tomoyo_encode(const char *str); /* - * Returns realpath(3) of the given pathname but ignores chroot'ed root. - * These functions use kzalloc(), so the caller must call kfree() - * if these functions didn't return NULL. + * Returns realpath(3) of the given pathname except that + * ignores chroot'ed root and does not follow the final symlink. */ -char *tomoyo_realpath(const char *pathname); +char *tomoyo_realpath_nofollow(const char *pathname); /* - * Same with tomoyo_realpath() except that it doesn't follow the final symlink. + * Returns realpath(3) of the given pathname except that + * ignores chroot'ed root and the pathname is already solved. */ -char *tomoyo_realpath_nofollow(const char *pathname); -/* Same with tomoyo_realpath() except that the pathname is already solved. */ char *tomoyo_realpath_from_path(struct path *path); /* Get patterned pathname. */ const char *tomoyo_file_pattern(const struct tomoyo_path_info *filename); diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 038071a8a3d3..273e670acf0c 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -467,72 +467,6 @@ int tomoyo_write_aggregator_policy(char *data, const bool is_delete) return tomoyo_update_aggregator_entry(data, cp, is_delete); } -static bool tomoyo_same_alias_entry(const struct tomoyo_acl_head *a, - const struct tomoyo_acl_head *b) -{ - const struct tomoyo_alias_entry *p1 = container_of(a, typeof(*p1), - head); - const struct tomoyo_alias_entry *p2 = container_of(b, typeof(*p2), - head); - return p1->original_name == p2->original_name && - p1->aliased_name == p2->aliased_name; -} - -/** - * tomoyo_update_alias_entry - Update "struct tomoyo_alias_entry" list. - * - * @original_name: The original program's real name. - * @aliased_name: The symbolic program's symbolic link's name. - * @is_delete: True if it is a delete request. - * - * Returns 0 on success, negative value otherwise. - * - * Caller holds tomoyo_read_lock(). - */ -static int tomoyo_update_alias_entry(const char *original_name, - const char *aliased_name, - const bool is_delete) -{ - struct tomoyo_alias_entry e = { }; - int error = is_delete ? -ENOENT : -ENOMEM; - - if (!tomoyo_correct_path(original_name) || - !tomoyo_correct_path(aliased_name)) - return -EINVAL; - e.original_name = tomoyo_get_name(original_name); - e.aliased_name = tomoyo_get_name(aliased_name); - if (!e.original_name || !e.aliased_name || - e.original_name->is_patterned || e.aliased_name->is_patterned) - goto out; /* No patterns allowed. */ - error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, - &tomoyo_policy_list[TOMOYO_ID_ALIAS], - tomoyo_same_alias_entry); - out: - tomoyo_put_name(e.original_name); - tomoyo_put_name(e.aliased_name); - return error; -} - -/** - * tomoyo_write_alias_policy - Write "struct tomoyo_alias_entry" list. - * - * @data: String to parse. - * @is_delete: True if it is a delete request. - * - * Returns 0 on success, negative value otherwise. - * - * Caller holds tomoyo_read_lock(). - */ -int tomoyo_write_alias_policy(char *data, const bool is_delete) -{ - char *cp = strchr(data, ' '); - - if (!cp) - return -EINVAL; - *cp++ = '\0'; - return tomoyo_update_alias_entry(data, cp, is_delete); -} - /** * tomoyo_find_or_assign_new_domain - Create a domain. * @@ -606,7 +540,6 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) int retval = -ENOMEM; bool need_kfree = false; struct tomoyo_path_info rn = { }; /* real name */ - struct tomoyo_path_info sn = { }; /* symlink name */ struct tomoyo_path_info ln; /* last name */ ln.name = tomoyo_get_last_name(old_domain); @@ -621,39 +554,14 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) kfree(rn.name); need_kfree = false; } - /* Get tomoyo_realpath of program. */ + /* Get symlink's pathname of program. */ retval = -ENOENT; - rn.name = tomoyo_realpath(original_name); + rn.name = tomoyo_realpath_nofollow(original_name); if (!rn.name) goto out; tomoyo_fill_path_info(&rn); need_kfree = true; - /* Get tomoyo_realpath of symbolic link. */ - sn.name = tomoyo_realpath_nofollow(original_name); - if (!sn.name) - goto out; - tomoyo_fill_path_info(&sn); - - /* Check 'alias' directive. */ - if (tomoyo_pathcmp(&rn, &sn)) { - struct tomoyo_alias_entry *ptr; - /* Is this program allowed to be called via symbolic links? */ - list_for_each_entry_rcu(ptr, - &tomoyo_policy_list[TOMOYO_ID_ALIAS], - head.list) { - if (ptr->head.is_deleted || - tomoyo_pathcmp(&rn, ptr->original_name) || - tomoyo_pathcmp(&sn, ptr->aliased_name)) - continue; - kfree(rn.name); - need_kfree = false; - /* This is OK because it is read only. */ - rn = *ptr->aliased_name; - break; - } - } - /* Check 'aggregator' directive. */ { struct tomoyo_aggregator_entry *ptr; @@ -663,8 +571,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) !tomoyo_path_matches_pattern(&rn, ptr->original_name)) continue; - if (need_kfree) - kfree(rn.name); + kfree(rn.name); need_kfree = false; /* This is OK because it is read only. */ rn = *ptr->aggregated_name; @@ -729,7 +636,6 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) bprm->cred->security = domain; if (need_kfree) kfree(rn.name); - kfree(sn.name); kfree(tmp); return retval; } diff --git a/security/tomoyo/gc.c b/security/tomoyo/gc.c index cf62a4ee79c2..4d4ba84f8749 100644 --- a/security/tomoyo/gc.c +++ b/security/tomoyo/gc.c @@ -77,14 +77,6 @@ static void tomoyo_del_aggregator(struct list_head *element) tomoyo_put_name(ptr->aggregated_name); } -static void tomoyo_del_alias(struct list_head *element) -{ - struct tomoyo_alias_entry *ptr = - container_of(element, typeof(*ptr), head.list); - tomoyo_put_name(ptr->original_name); - tomoyo_put_name(ptr->aliased_name); -} - static void tomoyo_del_manager(struct list_head *element) { struct tomoyo_policy_manager_entry *ptr = @@ -309,9 +301,6 @@ static void tomoyo_kfree_entry(void) case TOMOYO_ID_AGGREGATOR: tomoyo_del_aggregator(element); break; - case TOMOYO_ID_ALIAS: - tomoyo_del_alias(element); - break; case TOMOYO_ID_GLOBALLY_READABLE: tomoyo_del_allow_read(element); break; diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index 153fa23a05cc..ed8ccd680102 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c @@ -162,25 +162,6 @@ char *tomoyo_realpath_from_path(struct path *path) } /** - * tomoyo_realpath - Get realpath of a pathname. - * - * @pathname: The pathname to solve. - * - * Returns the realpath of @pathname on success, NULL otherwise. - */ -char *tomoyo_realpath(const char *pathname) -{ - struct path path; - - if (pathname && kern_path(pathname, LOOKUP_FOLLOW, &path) == 0) { - char *buf = tomoyo_realpath_from_path(&path); - path_put(&path); - return buf; - } - return NULL; -} - -/** * tomoyo_realpath_nofollow - Get realpath of a pathname. * * @pathname: The pathname to solve. |