Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 05336dee authored by Tetsuo Handa's avatar Tetsuo Handa Committed by James Morris
Browse files

TOMOYO: Use common code for open and mkdir etc.



tomoyo_file_perm() and tomoyo_path_permission() are similar.
We can embed tomoyo_file_perm() into tomoyo_path_permission().

Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 9ee0c823
Loading
Loading
Loading
Loading
+1 −1
Original line number Diff line number Diff line
@@ -880,7 +880,7 @@ int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);

/* Initialize mm related code. */
void __init tomoyo_mm_init(void);
int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
			   const struct tomoyo_path_info *filename);
int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
				 struct path *path, const int flag);
+1 −1
Original line number Diff line number Diff line
@@ -960,7 +960,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
	}

	/* Check execute permission. */
	retval = tomoyo_check_exec_perm(&r, &rn);
	retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
	if (retval == TOMOYO_RETRY_REQUEST)
		goto retry;
	if (retval < 0)
+20 −82
Original line number Diff line number Diff line
@@ -670,62 +670,6 @@ static int tomoyo_path_acl(const struct tomoyo_request_info *r,
	return error;
}

/**
 * tomoyo_file_perm - Check permission for opening files.
 *
 * @r:         Pointer to "struct tomoyo_request_info".
 * @filename:  Filename to check.
 * @mode:      Mode ("read" or "write" or "read/write" or "execute").
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Caller holds tomoyo_read_lock().
 */
static int tomoyo_file_perm(struct tomoyo_request_info *r,
			    const struct tomoyo_path_info *filename,
			    const u8 mode)
{
	const char *msg = "<unknown>";
	int error = 0;
	u32 perm = 0;

	if (!filename)
		return 0;

	if (mode == 6) {
		msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
		perm = 1 << TOMOYO_TYPE_READ_WRITE;
	} else if (mode == 4) {
		msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
		perm = 1 << TOMOYO_TYPE_READ;
	} else if (mode == 2) {
		msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
		perm = 1 << TOMOYO_TYPE_WRITE;
	} else if (mode == 1) {
		msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
		perm = 1 << TOMOYO_TYPE_EXECUTE;
	} else
		BUG();
	do {
		error = tomoyo_path_acl(r, filename, perm);
		if (error && mode == 4 && !r->domain->ignore_global_allow_read
		    && tomoyo_is_globally_readable_file(filename))
			error = 0;
		if (!error)
			break;
		tomoyo_warn_log(r, "%s %s", msg, filename->name);
		error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
					  tomoyo_file_pattern(filename));
		/*
                 * Do not retry for execute request, for alias may have
		 * changed.
                 */
	} while (error == TOMOYO_RETRY_REQUEST && mode != 1);
	if (r->mode != TOMOYO_CONFIG_ENFORCING)
		error = 0;
	return error;
}

static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a,
				 const struct tomoyo_acl_info *b)
{
@@ -1018,7 +962,7 @@ static int tomoyo_path2_acl(const struct tomoyo_request_info *r, const u8 type,
 *
 * Caller holds tomoyo_read_lock().
 */
static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
			   const struct tomoyo_path_info *filename)
{
	const char *msg;
@@ -1031,15 +975,22 @@ static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
		return 0;
	do {
		error = tomoyo_path_acl(r, filename, 1 << operation);
		if (error && operation == TOMOYO_TYPE_READ &&
		    !r->domain->ignore_global_allow_read &&
		    tomoyo_is_globally_readable_file(filename))
			error = 0;
		if (!error)
			break;
		msg = tomoyo_path2keyword(operation);
		tomoyo_warn_log(r, "%s %s", msg, filename->name);
		error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
					  tomoyo_file_pattern(filename));
	} while (error == TOMOYO_RETRY_REQUEST);
	if (r->mode != TOMOYO_CONFIG_ENFORCING)
		error = 0;
		/*
		 * Do not retry for execute request, for alias may have
		 * changed.
		 */
	} while (error == TOMOYO_RETRY_REQUEST &&
		 operation != TOMOYO_TYPE_EXECUTE);
	/*
	 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
	 * we need to check "allow_rewrite" permission if the filename is
@@ -1202,8 +1153,6 @@ static int tomoyo_path_number_perm2(struct tomoyo_request_info *r,
					  tomoyo_file_pattern(filename),
					  buffer);
	} while (error == TOMOYO_RETRY_REQUEST);
	if (r->mode != TOMOYO_CONFIG_ENFORCING)
		error = 0;
	return error;
}

@@ -1241,24 +1190,6 @@ int tomoyo_path_number_perm(const u8 type, struct path *path,
	return error;
}

/**
 * tomoyo_check_exec_perm - Check permission for "execute".
 *
 * @r:        Pointer to "struct tomoyo_request_info".
 * @filename: Check permission for "execute".
 *
 * Returns 0 on success, negativevalue otherwise.
 *
 * Caller holds tomoyo_read_lock().
 */
int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
			   const struct tomoyo_path_info *filename)
{
	if (r->mode == TOMOYO_CONFIG_DISABLED)
		return 0;
	return tomoyo_file_perm(r, filename, 1);
}

/**
 * tomoyo_check_open_permission - Check permission for "read" and "write".
 *
@@ -1305,11 +1236,18 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
	if (!error && acc_mode &&
	    tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN)
	    != TOMOYO_CONFIG_DISABLED) {
		u8 operation;
		if (!buf.name && !tomoyo_get_realpath(&buf, path)) {
			error = -ENOMEM;
			goto out;
		}
		error = tomoyo_file_perm(&r, &buf, acc_mode);
		if (acc_mode == (MAY_READ | MAY_WRITE))
			operation = TOMOYO_TYPE_READ_WRITE;
		else if (acc_mode == MAY_READ)
			operation = TOMOYO_TYPE_READ;
		else
			operation = TOMOYO_TYPE_WRITE;
		error = tomoyo_path_permission(&r, operation, &buf);
	}
 out:
	kfree(buf.name);