TOMOYO: Cleanup part 4.

			     const bool is_granted)

{

	u8 mode;

	const u8 category = TOMOYO_MAC_CATEGORY_FILE + TOMOYO_MAX_MAC_INDEX;

	const u8 category = tomoyo_index2category[index] +

		TOMOYO_MAX_MAC_INDEX;

	struct tomoyo_profile *p;

	if (!tomoyo_policy_loaded)

		return false;

};

/* String table for /sys/kernel/security/tomoyo/profile */

static const char *tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX

const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX

				       + TOMOYO_MAX_MAC_CATEGORY_INDEX] = {

	[TOMOYO_MAC_FILE_EXECUTE]    = "file::execute",

	[TOMOYO_MAC_FILE_OPEN]       = "file::open",

	[TOMOYO_MAC_FILE_CREATE]     = "file::create",

	[TOMOYO_MAC_FILE_UNLINK]     = "file::unlink",

	[TOMOYO_MAC_FILE_GETATTR]    = "file::getattr",

	[TOMOYO_MAC_FILE_MKDIR]      = "file::mkdir",

	[TOMOYO_MAC_FILE_RMDIR]      = "file::rmdir",

	[TOMOYO_MAC_FILE_MKFIFO]     = "file::mkfifo",

	[TOMOYO_MAC_FILE_MKSOCK]     = "file::mksock",

	[TOMOYO_MAC_FILE_TRUNCATE]   = "file::truncate",

	[TOMOYO_MAC_FILE_SYMLINK]    = "file::symlink",

	[TOMOYO_MAC_FILE_MKBLOCK]    = "file::mkblock",

	[TOMOYO_MAC_FILE_MKCHAR]     = "file::mkchar",

	[TOMOYO_MAC_FILE_LINK]       = "file::link",

	[TOMOYO_MAC_FILE_RENAME]     = "file::rename",

	[TOMOYO_MAC_FILE_CHMOD]      = "file::chmod",

	[TOMOYO_MAC_FILE_CHOWN]      = "file::chown",

	[TOMOYO_MAC_FILE_CHGRP]      = "file::chgrp",

	[TOMOYO_MAC_FILE_IOCTL]      = "file::ioctl",

	[TOMOYO_MAC_FILE_CHROOT]     = "file::chroot",

	[TOMOYO_MAC_FILE_MOUNT]      = "file::mount",

	[TOMOYO_MAC_FILE_UMOUNT]     = "file::unmount",

	[TOMOYO_MAC_FILE_PIVOT_ROOT] = "file::pivot_root",

	[TOMOYO_MAC_FILE_EXECUTE]    = "execute",

	[TOMOYO_MAC_FILE_OPEN]       = "open",

	[TOMOYO_MAC_FILE_CREATE]     = "create",

	[TOMOYO_MAC_FILE_UNLINK]     = "unlink",

	[TOMOYO_MAC_FILE_GETATTR]    = "getattr",

	[TOMOYO_MAC_FILE_MKDIR]      = "mkdir",

	[TOMOYO_MAC_FILE_RMDIR]      = "rmdir",

	[TOMOYO_MAC_FILE_MKFIFO]     = "mkfifo",

	[TOMOYO_MAC_FILE_MKSOCK]     = "mksock",

	[TOMOYO_MAC_FILE_TRUNCATE]   = "truncate",

	[TOMOYO_MAC_FILE_SYMLINK]    = "symlink",

	[TOMOYO_MAC_FILE_MKBLOCK]    = "mkblock",

	[TOMOYO_MAC_FILE_MKCHAR]     = "mkchar",

	[TOMOYO_MAC_FILE_LINK]       = "link",

	[TOMOYO_MAC_FILE_RENAME]     = "rename",

	[TOMOYO_MAC_FILE_CHMOD]      = "chmod",

	[TOMOYO_MAC_FILE_CHOWN]      = "chown",

	[TOMOYO_MAC_FILE_CHGRP]      = "chgrp",

	[TOMOYO_MAC_FILE_IOCTL]      = "ioctl",

	[TOMOYO_MAC_FILE_CHROOT]     = "chroot",

	[TOMOYO_MAC_FILE_MOUNT]      = "mount",

	[TOMOYO_MAC_FILE_UMOUNT]     = "unmount",

	[TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root",

	[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file",

};

	[TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry",

};

/* String table for path operation. */

const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {

	[TOMOYO_TYPE_EXECUTE]    = "execute",

	[TOMOYO_TYPE_READ]       = "read",

	[TOMOYO_TYPE_WRITE]      = "write",

	[TOMOYO_TYPE_APPEND]     = "append",

	[TOMOYO_TYPE_UNLINK]     = "unlink",

	[TOMOYO_TYPE_GETATTR]    = "getattr",

	[TOMOYO_TYPE_RMDIR]      = "rmdir",

	[TOMOYO_TYPE_TRUNCATE]   = "truncate",

	[TOMOYO_TYPE_SYMLINK]    = "symlink",

	[TOMOYO_TYPE_CHROOT]     = "chroot",

	[TOMOYO_TYPE_UMOUNT]     = "unmount",

};

/* String table for categories. */

static const char * const tomoyo_category_keywords

[TOMOYO_MAX_MAC_CATEGORY_INDEX] = {

	[TOMOYO_MAC_CATEGORY_FILE]       = "file",

};

/* Permit policy management by non-root user? */

static bool tomoyo_manage_by_non_root;

{

	while (head->r.w_pos) {

		const char *w = head->r.w[0];

		int len = strlen(w);

		size_t len = strlen(w);

		if (len) {

			if (len > head->read_user_buf_avail)

				len = head->read_user_buf_avail;

void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)

{

	va_list args;

	int len;

	int pos = head->r.avail;

	size_t len;

	size_t pos = head->r.avail;

	int size = head->readbuf_size - pos;

	if (size <= 0)

		return;

		config = 0;

		for (i = 0; i < TOMOYO_MAX_MAC_INDEX

			     + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) {

			if (strcmp(name, tomoyo_mac_keywords[i]))

			int len = 0;

			if (i < TOMOYO_MAX_MAC_INDEX) {

				const u8 c = tomoyo_index2category[i];

				const char *category =

					tomoyo_category_keywords[c];

				len = strlen(category);

				if (strncmp(name, category, len) ||

				    name[len++] != ':' || name[len++] != ':')

					continue;

			}

			if (strcmp(name + len, tomoyo_mac_keywords[i]))

				continue;

			config = profile->config[i];

			break;

			if (config == TOMOYO_CONFIG_USE_DEFAULT)

				continue;

			tomoyo_print_namespace(head);

			tomoyo_io_printf(head, "%u-%s%s", index, "CONFIG::",

			if (i < TOMOYO_MAX_MAC_INDEX)

				tomoyo_io_printf(head, "%u-CONFIG::%s::%s",

						 index,

						 tomoyo_category_keywords

						 [tomoyo_index2category[i]],

						 tomoyo_mac_keywords[i]);

			else

				tomoyo_io_printf(head, "%u-CONFIG::%s", index,

						 tomoyo_mac_keywords[i]);

			tomoyo_print_config(head, config);

			head->r.bit++;

	return -EINVAL;

}

/* String table for domain flags. */

const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS] = {

	[TOMOYO_DIF_QUOTA_WARNED]      = "quota_exceeded\n",

	[TOMOYO_DIF_TRANSITION_FAILED] = "transition_failed\n",

};

/**

 * tomoyo_write_domain - Write domain policy.

 *

			domain->group = (u8) profile;

		return 0;

	}

	if (!strcmp(data, "quota_exceeded")) {

		domain->quota_warned = !is_delete;

		return 0;

	}

	if (!strcmp(data, "transition_failed")) {

		domain->transition_failed = !is_delete;

	for (profile = 0; profile < TOMOYO_MAX_DOMAIN_INFO_FLAGS; profile++) {

		const char *cp = tomoyo_dif[profile];

		if (strncmp(data, cp, strlen(cp) - 1))

			continue;

		domain->flags[profile] = !is_delete;

		return 0;

	}

	return tomoyo_write_domain2(ns, &domain->acl_info_list, data,

		struct tomoyo_domain_info *domain =

			list_entry(head->r.domain, typeof(*domain), list);

		switch (head->r.step) {

			u8 i;

		case 0:

			if (domain->is_deleted &&

			    !head->r.print_this_domain_only)

					 domain->profile);

			tomoyo_io_printf(head, "use_group %u\n",

					 domain->group);

			if (domain->quota_warned)

				tomoyo_set_string(head, "quota_exceeded\n");

			if (domain->transition_failed)

				tomoyo_set_string(head, "transition_failed\n");

			for (i = 0; i < TOMOYO_MAX_DOMAIN_INFO_FLAGS; i++)

				if (domain->flags[i])

					tomoyo_set_string(head, tomoyo_dif[i]);

			head->r.step++;

			tomoyo_set_lf(head);

			/* fall through */

static void tomoyo_read_query(struct tomoyo_io_buffer *head)

{

	struct list_head *tmp;

	int pos = 0;

	int len = 0;

	unsigned int pos = 0;

	size_t len = 0;

	char *buf;

	if (head->r.w_pos)

		return;

 *

 * Returns bytes read on success, negative value otherwise.

 */

int tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,

ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,

			    const int buffer_len)

{

	int len;

 *

 * Returns @buffer_len on success, negative value otherwise.

 */

int tomoyo_write_control(struct tomoyo_io_buffer *head,

ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,

			     const char __user *buffer, const int buffer_len)

{

	int error = buffer_len;

	TOMOYO_MAX_POLICY

};

/* Index numbers for domain's attributes. */

enum tomoyo_domain_info_flags_index {

	/* Quota warnning flag.   */

	TOMOYO_DIF_QUOTA_WARNED,

	/*

	 * This domain was unable to create a new domain at

	 * tomoyo_find_next_domain() because the name of the domain to be

	 * created was too long or it could not allocate memory.

	 * More than one process continued execve() without domain transition.

	 */

	TOMOYO_DIF_TRANSITION_FAILED,

	TOMOYO_MAX_DOMAIN_INFO_FLAGS

};

/* Index numbers for group entries. */

enum tomoyo_group_id {

	TOMOYO_PATH_GROUP,

	u8 profile;        /* Profile number to use. */

	u8 group;          /* Group number to use.   */

	bool is_deleted;   /* Delete flag.           */

	bool quota_warned; /* Quota warnning flag.   */

	bool transition_failed; /* Domain transition failed flag. */

	bool flags[TOMOYO_MAX_DOMAIN_INFO_FLAGS];

	atomic_t users; /* Number of referring credentials. */

};

	/* Exclusive lock for this structure.   */

	struct mutex io_sem;

	char __user *read_user_buf;

	int read_user_buf_avail;

	size_t read_user_buf_avail;

	struct {

		struct list_head *ns;

		struct list_head *domain;

		struct list_head *group;

		struct list_head *acl;

		int avail;

		int step;

		int query_index;

		size_t avail;

		unsigned int step;

		unsigned int query_index;

		u16 index;

		u8 acl_group_index;

		u8 bit;

		/* The position currently writing to.   */

		struct tomoyo_domain_info *domain;

		/* Bytes available for writing.         */

		int avail;

		size_t avail;

		bool is_delete;

	} w;

	/* Buffer for reading.                  */

	char *read_buf;

	/* Size of read buffer.                 */

	int readbuf_size;

	size_t readbuf_size;

	/* Buffer for writing.                  */

	char *write_buf;

	/* Size of write buffer.                */

	int writebuf_size;

	size_t writebuf_size;

	/* Type of this interface.              */

	u8 type;

	enum tomoyo_securityfs_interface_index type;

	/* Users counter protected by tomoyo_io_buffer_list_lock. */

	u8 users;

	/* List for telling GC not to kfree() elements. */

int tomoyo_open_control(const u8 type, struct file *file);

int tomoyo_close_control(struct tomoyo_io_buffer *head);

int tomoyo_poll_control(struct file *file, poll_table *wait);

int tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,

ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,

			    const int buffer_len);

int tomoyo_write_control(struct tomoyo_io_buffer *head,

ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,

			     const char __user *buffer, const int buffer_len);

bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);

void tomoyo_warn_oom(const char *function);

extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;

extern struct list_head tomoyo_namespace_list;

extern const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];

extern const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION];

extern const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION];

extern const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION];

extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX +

					      TOMOYO_MAX_MAC_CATEGORY_INDEX];

extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];

extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];

extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];

extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];

extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];

extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];

extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];

extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];

extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];

		retval = -ENOMEM;

	else {

		retval = 0;

		if (!old_domain->transition_failed) {

			old_domain->transition_failed = true;

		if (!old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED]) {

			old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED] = true;

			r.granted = false;

			tomoyo_write_log(&r, "%s", "transition_failed\n");

			tomoyo_write_log(&r, "%s", tomoyo_dif

					 [TOMOYO_DIF_TRANSITION_FAILED]);

			printk(KERN_WARNING

			       "ERROR: Domain '%s' not defined.\n", tmp);

		}

#include "common.h"

#include <linux/slab.h>

/* Keyword array for operations with one pathname. */

const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {

	[TOMOYO_TYPE_EXECUTE]    = "execute",

	[TOMOYO_TYPE_READ]       = "read",

	[TOMOYO_TYPE_WRITE]      = "write",

	[TOMOYO_TYPE_APPEND]     = "append",

	[TOMOYO_TYPE_UNLINK]     = "unlink",

	[TOMOYO_TYPE_GETATTR]    = "getattr",

	[TOMOYO_TYPE_RMDIR]      = "rmdir",

	[TOMOYO_TYPE_TRUNCATE]   = "truncate",

	[TOMOYO_TYPE_SYMLINK]    = "symlink",

	[TOMOYO_TYPE_CHROOT]     = "chroot",

	[TOMOYO_TYPE_UMOUNT]     = "unmount",

};

/* Keyword array for operations with one pathname and three numbers. */

const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION] = {

	[TOMOYO_TYPE_MKBLOCK]    = "mkblock",

	[TOMOYO_TYPE_MKCHAR]     = "mkchar",

};

/* Keyword array for operations with two pathnames. */

const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {

	[TOMOYO_TYPE_LINK]       = "link",

	[TOMOYO_TYPE_RENAME]     = "rename",

	[TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",

};

/* Keyword array for operations with one pathname and one number. */

const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION] = {

	[TOMOYO_TYPE_CREATE]     = "create",

	[TOMOYO_TYPE_MKDIR]      = "mkdir",

	[TOMOYO_TYPE_MKFIFO]     = "mkfifo",

	[TOMOYO_TYPE_MKSOCK]     = "mksock",

	[TOMOYO_TYPE_IOCTL]      = "ioctl",

	[TOMOYO_TYPE_CHMOD]      = "chmod",

	[TOMOYO_TYPE_CHOWN]      = "chown",

	[TOMOYO_TYPE_CHGRP]      = "chgrp",

};

/*

 * Mapping table from "enum tomoyo_path_acl_index" to "enum tomoyo_mac_index".

 */

 */

static int tomoyo_audit_path2_log(struct tomoyo_request_info *r)

{

	return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_path2_keyword

				 [r->param.path2.operation],

	return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_mac_keywords

				 [tomoyo_pp2mac[r->param.path2.operation]],

				 r->param.path2.filename1->name,

				 r->param.path2.filename2->name);

}

static int tomoyo_audit_mkdev_log(struct tomoyo_request_info *r)

{

	return tomoyo_supervisor(r, "file %s %s 0%o %u %u\n",

				 tomoyo_mkdev_keyword

				 [r->param.mkdev.operation],

				 tomoyo_mac_keywords

				 [tomoyo_pnnn2mac[r->param.mkdev.operation]],

				 r->param.mkdev.filename->name,

				 r->param.mkdev.mode, r->param.mkdev.major,

				 r->param.mkdev.minor);

	}

	tomoyo_print_ulong(buffer, sizeof(buffer), r->param.path_number.number,

			   radix);

	return tomoyo_supervisor(r, "file %s %s %s\n",

				 tomoyo_path_number_keyword[type],

	return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_mac_keywords

				 [tomoyo_pn2mac[type]],

				 r->param.path_number.filename->name, buffer);

}

	if (perm)

		return tomoyo_update_path_acl(perm, param);

	for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++)

		if (tomoyo_permstr(operation, tomoyo_path2_keyword[type]))

		if (tomoyo_permstr(operation,

				   tomoyo_mac_keywords[tomoyo_pp2mac[type]]))

			perm |= 1 << type;

	if (perm)

		return tomoyo_update_path2_acl(perm, param);

	for (type = 0; type < TOMOYO_MAX_PATH_NUMBER_OPERATION; type++)

		if (tomoyo_permstr(operation,

				   tomoyo_path_number_keyword[type]))

				   tomoyo_mac_keywords[tomoyo_pn2mac[type]]))

			perm |= 1 << type;

	if (perm)

		return tomoyo_update_path_number_acl(perm, param);

	for (type = 0; type < TOMOYO_MAX_MKDEV_OPERATION; type++)

		if (tomoyo_permstr(operation, tomoyo_mkdev_keyword[type]))

		if (tomoyo_permstr(operation,

				   tomoyo_mac_keywords[tomoyo_pnnn2mac[type]]))

			perm |= 1 << type;

	if (perm)

		return tomoyo_update_mkdev_acl(perm, param);

	if (tomoyo_permstr(operation, "mount"))

	if (tomoyo_permstr(operation,

			   tomoyo_mac_keywords[TOMOYO_MAC_FILE_MOUNT]))

		return tomoyo_update_mount_acl(param);

	return -EINVAL;

}