aboutsummaryrefslogtreecommitdiffstats
path: root/security/tomoyo
Commit message (Collapse)AuthorAgeFilesLines
* tomoyo: cleanup. don't store bogus pointerDan Carpenter2010-10-211-2/+4
| | | | | | | | | | | If domain is NULL then &domain->list is a bogus address. Let's leave head->r.domain NULL instead of saving an unusable pointer. This is just a cleanup. The current code always checks head->r.eof before dereferencing head->r.domain. Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
* TOMOYO: Don't abuse sys_getpid(), sys_getppid()Ben Hutchings2010-09-272-4/+5
| | | | | | | | | | | System call entry functions sys_*() are never to be called from general kernel code. The fact that they aren't declared in header files should have been a clue. These functions also don't exist on Alpha since it has sys_getxpid() instead. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use pathname specified by policy rather than execve()Tetsuo Handa2010-08-025-23/+48
| | | | | | | | | | | | | | | Commit c9e69318 "TOMOYO: Allow wildcard for execute permission." changed execute permission and domainname to accept wildcards. But tomoyo_find_next_domain() was using pathname passed to execve() rather than pathname specified by the execute permission. As a result, processes were not able to transit to domains which contain wildcards in their domainnames. This patch passes pathname specified by the execute permission back to tomoyo_find_next_domain() so that processes can transit to domains which contain wildcards in their domainnames. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Update version to 2.3.0Tetsuo Handa2010-08-021-2/+2
| | | | | Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Fix quota check.Tetsuo Handa2010-08-021-1/+1
| | | | | | | | | Commit d74725b9 "TOMOYO: Use callback for updating entries." broke tomoyo_domain_quota_is_ok() by counting deleted entries. It needs to count non-deleted entries. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Explicitly set file_operations->llseek pointer.Tetsuo Handa2010-08-021-0/+1
| | | | | | | | | | TOMOYO does not deal offset pointer. Thus seek operation makes no sense. Changing default seek operation from default_llseek() to no_llseek() might break some applications. Thus, explicitly set noop_llseek(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Add missing poll() hook.Tetsuo Handa2010-08-023-0/+33
| | | | | | | | Commit 1dae08c "TOMOYO: Add interactive enforcing mode." forgot to register poll() hook. As a result, /usr/sbin/tomoyo-queryd was doing busy loop. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Rename symbols.Tetsuo Handa2010-08-028-240/+199
| | | | | | | Use shorter name in order to make it easier to fit 80 columns limit. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Small cleanup.Tetsuo Handa2010-08-021-74/+121
| | | | | | | Split tomoyo_write_profile() into several functions. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Copy directly to userspace buffer.Tetsuo Handa2010-08-023-459/+499
| | | | | | | | | | | | | | | | | | When userspace program reads policy from /sys/kernel/security/tomoyo/ interface, TOMOYO uses line buffered mode. A line has at least one word. Commit 006dacc "TOMOYO: Support longer pathname." changed a word's max length from 4000 bytes to max kmalloc()able bytes. By that commit, a line's max length changed from 8192 bytes to more than max kmalloc()able bytes. Max number of words in a line remains finite. This patch changes the way of buffering so that all words in a line are firstly directly copied to userspace buffer as much as possible and are secondly queued for next read request. Words queued are guaranteed to be valid until /sys/kernel/security/tomoyo/ interface is close()d. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use common code for policy reading.Tetsuo Handa2010-08-021-178/+82
| | | | | | | tomoyo_print_..._acl() are similar. Merge them. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Allow reading only execute permission.Tetsuo Handa2010-08-022-0/+10
| | | | | | | | | Policy editor needs to know allow_execute entries in order to build domain transition tree. Reading all entries is slow. Thus, allow reading only allow_execute entries. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Change list iterator.Tetsuo Handa2010-08-022-57/+34
| | | | | | | | | | | Change list_for_each_cookie to (1) start from current position rather than next position (2) remove temporary cursor (3) check that srcu_read_lock() is held Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use common code for domain transition control.Tetsuo Handa2010-08-026-305/+159
| | | | | | | | Use common code for "initialize_domain"/"no_initialize_domain"/"keep_domain"/ "no_keep_domain" keywords. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Remove alias keyword.Tetsuo Handa2010-08-025-164/+8
| | | | | | | | | | | | Some programs behave differently depending on argv[0] passed to execve(). TOMOYO has "alias" keyword in order to allow administrators to define different domains if requested pathname passed to execve() is a symlink. But "alias" keyword is incomplete because this keyword assumes that requested pathname and argv[0] are identical. Thus, remove "alias" keyword (by this patch) and add syntax for checking argv[0] (by future patches). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Merge path_group and number_group.Tetsuo Handa2010-08-029-282/+199
| | | | | | | Use common code for "path_group" and "number_group". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Aggregate reader functions.Tetsuo Handa2010-08-026-384/+200
| | | | | | | Now lists are accessible via array index. Aggregate reader functions using index. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use array of "struct list_head".Tetsuo Handa2010-08-028-383/+98
| | | | | | | Assign list id and make the lists as array of "struct list_head". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Merge tomoyo_path_group and tomoyo_number_groupTetsuo Handa2010-08-025-84/+59
| | | | | | | | | | "struct tomoyo_path_group" and "struct tomoyo_number_group" are identical. Rename tomoyo_path_group/tomoyo_number_group to tomoyo_group and tomoyo_path_group_member to tomoyo_path_group and tomoyo_number_group_member to tomoyo_unmber_group. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Pass "struct list_head" rather than "void *".Tetsuo Handa2010-08-021-58/+72
| | | | | | | | Pass "struct list_head" to tomoyo_add_to_gc() and bring list_del_rcu() to tomoyo_add_to_gc(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Make read function to void.Tetsuo Handa2010-08-023-42/+20
| | | | | | | Read functions do not fail. Make them from int to void. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Merge functions.Tetsuo Handa2010-08-021-41/+9
| | | | | | | Embed tomoyo_path_number_perm2() into tomoyo_path_number_perm(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Remove wrapper function for reading keyword.Tetsuo Handa2010-08-023-70/+14
| | | | | | | Keyword strings are read-only. We can directly access them to reduce code size. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Loosen parameter check for mount operation.Tetsuo Handa2010-08-021-91/+33
| | | | | | | | If invalid combination of mount flags are given, it will be rejected later. Thus, no need for TOMOYO to reject invalid combination of mount flags. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Rename symbols.Tetsuo Handa2010-08-0210-157/+157
| | | | | | | Use shorter name in order to make it easier to fix 80 columns limit. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use callback for permission check.Tetsuo Handa2010-08-024-258/+230
| | | | | | | | We can use callback function since parameters are passed via "const struct tomoyo_request_info". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Pass parameters via structure.Tetsuo Handa2010-08-023-1/+58
| | | | | | | | To make it possible to use callback function, pass parameters via "struct tomoyo_request_info". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use common code for open and mkdir etc.Tetsuo Handa2010-08-023-84/+22
| | | | | | | | tomoyo_file_perm() and tomoyo_path_permission() are similar. We can embed tomoyo_file_perm() into tomoyo_path_permission(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use common code for garbage collection.Tetsuo Handa2010-08-021-146/+66
| | | | | | | Use common code for elements using "struct list_head" + "bool" structure. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use callback for updating entries.Tetsuo Handa2010-08-026-252/+190
| | | | | | | Use common code for elements using "struct list_head" + "bool" structure. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use common structure for list element.Tetsuo Handa2010-08-027-164/+167
| | | | | | | Use common "struct list_head" + "bool" structure. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use callback for updating entries.Tetsuo Handa2010-08-027-312/+253
| | | | | | | | Use common "struct list_head" + "bool" + "u8" structure and use common code for elements using that structure. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Update profile structure.Tetsuo Handa2010-08-026-248/+486
| | | | | | | | | | | | | | | | | | This patch allows users to change access control mode for per-operation basis. This feature comes from non LSM version of TOMOYO which is designed for permitting users to use SELinux and TOMOYO at the same time. SELinux does not care filename in a directory whereas TOMOYO does. Change of filename can change how the file is used. For example, renaming index.txt to .htaccess will change how the file is used. Thus, letting SELinux to enforce read()/write()/mmap() etc. restriction and letting TOMOYO to enforce rename() restriction is an example usage of this feature. What is unfortunate for me is that currently LSM does not allow users to use SELinux and LSM version of TOMOYO at the same time... Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Add pathname aggregation support.Tetsuo Handa2010-08-024-0/+204
| | | | | | | | This patch allows users to aggregate programs which provide similar functionality (e.g. /usr/bin/vi and /usr/bin/emacs ). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Allow wildcard for execute permission.Tetsuo Handa2010-08-027-151/+90
| | | | | | | | | Some applications create and execute programs dynamically. We need to accept wildcard for execute permission because such programs contain random suffix in their filenames. This patch loosens up regulation of string parameters. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Support longer pathname.Tetsuo Handa2010-08-026-318/+208
| | | | | | | Allow pathnames longer than 4000 bytes. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Several fixes for TOMOYO's management programs.Tetsuo Handa2010-08-023-6/+23
| | | | | Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* LSM: Remove unused arguments from security_path_truncate().Tetsuo Handa2010-08-021-2/+1
| | | | | | | | | | | | When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks where vfsmount is available." was proposed, regarding security_path_truncate(), only "struct file *" argument (which AppArmor wanted to use) was removed. But length and time_attrs arguments are not used by TOMOYO nor AppArmor. Thus, let's remove these arguments. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Nick Piggin <npiggin@suse.de> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Split files into some pieces.Tetsuo Handa2010-08-0211-1416/+1469
| | | | | | | security/tomoyo/common.c became too large to read. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Add interactive enforcing mode.Tetsuo Handa2010-08-026-120/+564
| | | | | | | | | | | | | | | | | | | | | | | | | | | Since the behavior of the system is restricted by policy, we may need to update policy when you update packages. We need to update policy in the following cases. * The pathname of files has changed. * The dependency of files has changed. * The access permissions required has increased. The ideal way to update policy is to rebuild from the scratch using learning mode. But it is not desirable to change from enforcing mode to other mode if the system has once entered in production state. Suppose MAC could support per-application enforcing mode, the MAC becomes useless if an application that is not running in enforcing mode was cracked. For example, the whole system becomes vulnerable if only HTTP server application is running in learning mode to rebuild policy for the application. So, in TOMOYO Linux, updating policy is done while the system is running in enforcing mode. This patch implements "interactive enforcing mode" which allows administrators to judge whether to accept policy violation in enforcing mode or not. A demo movie is available at http://www.youtube.com/watch?v=b9q1Jo25LPA . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Add mount restriction.Tetsuo Handa2010-08-027-11/+469
| | | | | | | | mount(2) has three string and one numeric parameters. Split mount restriction code from security/tomoyo/file.c . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Split file access control functions by type of parameters.Tetsuo Handa2010-08-025-123/+752
| | | | | | | | Check numeric parameters for operations that deal them (e.g. chmod/chown/ioctl). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use structure for passing common arguments.Tetsuo Handa2010-08-025-206/+162
| | | | | | | Use "struct tomoyo_request_info" instead of passing individual arguments. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Add numeric values grouping support.Tetsuo Handa2010-08-026-1/+454
| | | | | | | | This patch adds numeric values grouping support, which is useful for grouping numeric values such as file's UID, DAC's mode, ioctl()'s cmd number. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Add pathname grouping support.Tetsuo Handa2010-05-176-54/+433
| | | | | | | | This patch adds pathname grouping support, which is useful for grouping pathnames that cannot be represented using /\{dir\}/ pattern. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use stack memory for pending entry.Tetsuo Handa2010-05-105-192/+190
| | | | | | | Use stack memory for pending entry to reduce kmalloc() which will be kfree()d. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* TOMOYO: Use mutex_lock_interruptible.Tetsuo Handa2010-05-066-24/+37
| | | | | | | | | | Some of TOMOYO's functions may sleep after mutex_lock(). If OOM-killer selected a process which is waiting at mutex_lock(), the to-be-killed process can't be killed. Thus, replace mutex_lock() with mutex_lock_interruptible() so that the to-be-killed process can immediately return from TOMOYO's functions. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'master' into nextJames Morris2010-05-065-0/+5
|\
| * include cleanup: Update gfp.h and slab.h includes to prepare for breaking ↵Tejun Heo2010-03-305-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | implicit slab.h inclusion from percpu.h percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies. percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion. http://userweb.kernel.org/~tj/misc/slabh-sweep.py The script does the followings. * Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h. * When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order. * If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file. The conversion was done in the following steps. 1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files. 2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files. 3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind. 4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually. 5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary. 6. percpu.h was updated not to include slab.h. 7. Build test were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq). * x86 and x86_64 UP and SMP allmodconfig and a custom test config. * powerpc and powerpc64 SMP allmodconfig * sparc and sparc64 SMP allmodconfig * ia64 SMP allmodconfig * s390 SMP allmodconfig * alpha SMP allmodconfig * um on x86_64 SMP allmodconfig 8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point. Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable easily on most builds of the specific arch. Signed-off-by: Tejun Heo <tj@kernel.org> Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
* | TOMOYO: Use GFP_NOFS rather than GFP_KERNEL.Tetsuo Handa2010-05-064-18/+18
| | | | | | | | | | | | | | | | | | In Ubuntu, security_path_*() hooks are exported to Unionfs. Thus, prepare for being called from inside VFS functions because I'm not sure whether it is safe to use GFP_KERNEL or not. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>