TOMOYO: Use common code for open and mkdir etc.

tomoyo_file_perm() and tomoyo_path_permission() are similar.
We can embed tomoyo_file_perm() into tomoyo_path_permission().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Tetsuo Handa 2010-06-16 16:20:24 +09:00 committed by James Morris
parent 9ee0c823c1
commit 05336dee9f
3 changed files with 22 additions and 84 deletions

View File

@ -880,7 +880,7 @@ int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
/* Initialize mm related code. */ /* Initialize mm related code. */
void __init tomoyo_mm_init(void); void __init tomoyo_mm_init(void);
int tomoyo_check_exec_perm(struct tomoyo_request_info *r, int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
const struct tomoyo_path_info *filename); const struct tomoyo_path_info *filename);
int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
struct path *path, const int flag); struct path *path, const int flag);

View File

@ -960,7 +960,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
} }
/* Check execute permission. */ /* Check execute permission. */
retval = tomoyo_check_exec_perm(&r, &rn); retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
if (retval == TOMOYO_RETRY_REQUEST) if (retval == TOMOYO_RETRY_REQUEST)
goto retry; goto retry;
if (retval < 0) if (retval < 0)

View File

@ -670,62 +670,6 @@ static int tomoyo_path_acl(const struct tomoyo_request_info *r,
return error; return error;
} }
/**
* tomoyo_file_perm - Check permission for opening files.
*
* @r: Pointer to "struct tomoyo_request_info".
* @filename: Filename to check.
* @mode: Mode ("read" or "write" or "read/write" or "execute").
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_file_perm(struct tomoyo_request_info *r,
const struct tomoyo_path_info *filename,
const u8 mode)
{
const char *msg = "<unknown>";
int error = 0;
u32 perm = 0;
if (!filename)
return 0;
if (mode == 6) {
msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
perm = 1 << TOMOYO_TYPE_READ_WRITE;
} else if (mode == 4) {
msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
perm = 1 << TOMOYO_TYPE_READ;
} else if (mode == 2) {
msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
perm = 1 << TOMOYO_TYPE_WRITE;
} else if (mode == 1) {
msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
perm = 1 << TOMOYO_TYPE_EXECUTE;
} else
BUG();
do {
error = tomoyo_path_acl(r, filename, perm);
if (error && mode == 4 && !r->domain->ignore_global_allow_read
&& tomoyo_is_globally_readable_file(filename))
error = 0;
if (!error)
break;
tomoyo_warn_log(r, "%s %s", msg, filename->name);
error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
tomoyo_file_pattern(filename));
/*
* Do not retry for execute request, for alias may have
* changed.
*/
} while (error == TOMOYO_RETRY_REQUEST && mode != 1);
if (r->mode != TOMOYO_CONFIG_ENFORCING)
error = 0;
return error;
}
static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a, static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a,
const struct tomoyo_acl_info *b) const struct tomoyo_acl_info *b)
{ {
@ -1018,7 +962,7 @@ static int tomoyo_path2_acl(const struct tomoyo_request_info *r, const u8 type,
* *
* Caller holds tomoyo_read_lock(). * Caller holds tomoyo_read_lock().
*/ */
static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation, int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
const struct tomoyo_path_info *filename) const struct tomoyo_path_info *filename)
{ {
const char *msg; const char *msg;
@ -1031,15 +975,22 @@ static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
return 0; return 0;
do { do {
error = tomoyo_path_acl(r, filename, 1 << operation); error = tomoyo_path_acl(r, filename, 1 << operation);
if (error && operation == TOMOYO_TYPE_READ &&
!r->domain->ignore_global_allow_read &&
tomoyo_is_globally_readable_file(filename))
error = 0;
if (!error) if (!error)
break; break;
msg = tomoyo_path2keyword(operation); msg = tomoyo_path2keyword(operation);
tomoyo_warn_log(r, "%s %s", msg, filename->name); tomoyo_warn_log(r, "%s %s", msg, filename->name);
error = tomoyo_supervisor(r, "allow_%s %s\n", msg, error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
tomoyo_file_pattern(filename)); tomoyo_file_pattern(filename));
} while (error == TOMOYO_RETRY_REQUEST); /*
if (r->mode != TOMOYO_CONFIG_ENFORCING) * Do not retry for execute request, for alias may have
error = 0; * changed.
*/
} while (error == TOMOYO_RETRY_REQUEST &&
operation != TOMOYO_TYPE_EXECUTE);
/* /*
* Since "allow_truncate" doesn't imply "allow_rewrite" permission, * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
* we need to check "allow_rewrite" permission if the filename is * we need to check "allow_rewrite" permission if the filename is
@ -1202,8 +1153,6 @@ static int tomoyo_path_number_perm2(struct tomoyo_request_info *r,
tomoyo_file_pattern(filename), tomoyo_file_pattern(filename),
buffer); buffer);
} while (error == TOMOYO_RETRY_REQUEST); } while (error == TOMOYO_RETRY_REQUEST);
if (r->mode != TOMOYO_CONFIG_ENFORCING)
error = 0;
return error; return error;
} }
@ -1241,24 +1190,6 @@ int tomoyo_path_number_perm(const u8 type, struct path *path,
return error; return error;
} }
/**
* tomoyo_check_exec_perm - Check permission for "execute".
*
* @r: Pointer to "struct tomoyo_request_info".
* @filename: Check permission for "execute".
*
* Returns 0 on success, negativevalue otherwise.
*
* Caller holds tomoyo_read_lock().
*/
int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
const struct tomoyo_path_info *filename)
{
if (r->mode == TOMOYO_CONFIG_DISABLED)
return 0;
return tomoyo_file_perm(r, filename, 1);
}
/** /**
* tomoyo_check_open_permission - Check permission for "read" and "write". * tomoyo_check_open_permission - Check permission for "read" and "write".
* *
@ -1305,11 +1236,18 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
if (!error && acc_mode && if (!error && acc_mode &&
tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN) tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN)
!= TOMOYO_CONFIG_DISABLED) { != TOMOYO_CONFIG_DISABLED) {
u8 operation;
if (!buf.name && !tomoyo_get_realpath(&buf, path)) { if (!buf.name && !tomoyo_get_realpath(&buf, path)) {
error = -ENOMEM; error = -ENOMEM;
goto out; goto out;
} }
error = tomoyo_file_perm(&r, &buf, acc_mode); if (acc_mode == (MAY_READ | MAY_WRITE))
operation = TOMOYO_TYPE_READ_WRITE;
else if (acc_mode == MAY_READ)
operation = TOMOYO_TYPE_READ;
else
operation = TOMOYO_TYPE_WRITE;
error = tomoyo_path_permission(&r, operation, &buf);
} }
out: out:
kfree(buf.name); kfree(buf.name);