TOMOYO: Use common code for open and mkdir etc.
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Wed, 16 Jun 2010 07:20:24 +0000 (16:20 +0900)
committerJames Morris <jmorris@namei.org>
Mon, 2 Aug 2010 05:34:31 +0000 (15:34 +1000)
tomoyo_file_perm() and tomoyo_path_permission() are similar.
We can embed tomoyo_file_perm() into tomoyo_path_permission().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
security/tomoyo/common.h
security/tomoyo/domain.c
security/tomoyo/file.c

index c8ab7553c48c048eda9c4c0c525c5c1edddd4d2d..203454025410a1d0a3bdcd4314b55d2b1c11b206 100644 (file)
@@ -880,7 +880,7 @@ int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
 
 /* Initialize mm related code. */
 void __init tomoyo_mm_init(void);
-int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
+int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
                           const struct tomoyo_path_info *filename);
 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
                                 struct path *path, const int flag);
index fe621af46c2e46b2d6054a2f159a2f8f51bcc327..35317e783f3458c6a06bfa4fae4441b6a959fd33 100644 (file)
@@ -960,7 +960,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
        }
 
        /* Check execute permission. */
-       retval = tomoyo_check_exec_perm(&r, &rn);
+       retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
        if (retval == TOMOYO_RETRY_REQUEST)
                goto retry;
        if (retval < 0)
index 8015719926d5e48cd3ed5a15fd362a29a4c22f5d..50875d7e8603375d9d5774e4abbde1d7a5bcba5b 100644 (file)
@@ -670,62 +670,6 @@ static int tomoyo_path_acl(const struct tomoyo_request_info *r,
        return error;
 }
 
-/**
- * tomoyo_file_perm - Check permission for opening files.
- *
- * @r:         Pointer to "struct tomoyo_request_info".
- * @filename:  Filename to check.
- * @mode:      Mode ("read" or "write" or "read/write" or "execute").
- *
- * Returns 0 on success, negative value otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-static int tomoyo_file_perm(struct tomoyo_request_info *r,
-                           const struct tomoyo_path_info *filename,
-                           const u8 mode)
-{
-       const char *msg = "<unknown>";
-       int error = 0;
-       u32 perm = 0;
-
-       if (!filename)
-               return 0;
-
-       if (mode == 6) {
-               msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
-               perm = 1 << TOMOYO_TYPE_READ_WRITE;
-       } else if (mode == 4) {
-               msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
-               perm = 1 << TOMOYO_TYPE_READ;
-       } else if (mode == 2) {
-               msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
-               perm = 1 << TOMOYO_TYPE_WRITE;
-       } else if (mode == 1) {
-               msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
-               perm = 1 << TOMOYO_TYPE_EXECUTE;
-       } else
-               BUG();
-       do {
-               error = tomoyo_path_acl(r, filename, perm);
-               if (error && mode == 4 && !r->domain->ignore_global_allow_read
-                   && tomoyo_is_globally_readable_file(filename))
-                       error = 0;
-               if (!error)
-                       break;
-               tomoyo_warn_log(r, "%s %s", msg, filename->name);
-               error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
-                                         tomoyo_file_pattern(filename));
-               /*
-                 * Do not retry for execute request, for alias may have
-                * changed.
-                 */
-       } while (error == TOMOYO_RETRY_REQUEST && mode != 1);
-       if (r->mode != TOMOYO_CONFIG_ENFORCING)
-               error = 0;
-       return error;
-}
-
 static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a,
                                 const struct tomoyo_acl_info *b)
 {
@@ -1018,8 +962,8 @@ static int tomoyo_path2_acl(const struct tomoyo_request_info *r, const u8 type,
  *
  * Caller holds tomoyo_read_lock().
  */
-static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
-                                 const struct tomoyo_path_info *filename)
+int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
+                          const struct tomoyo_path_info *filename)
 {
        const char *msg;
        int error;
@@ -1031,15 +975,22 @@ static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
                return 0;
        do {
                error = tomoyo_path_acl(r, filename, 1 << operation);
+               if (error && operation == TOMOYO_TYPE_READ &&
+                   !r->domain->ignore_global_allow_read &&
+                   tomoyo_is_globally_readable_file(filename))
+                       error = 0;
                if (!error)
                        break;
                msg = tomoyo_path2keyword(operation);
                tomoyo_warn_log(r, "%s %s", msg, filename->name);
                error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
                                          tomoyo_file_pattern(filename));
-       } while (error == TOMOYO_RETRY_REQUEST);
-       if (r->mode != TOMOYO_CONFIG_ENFORCING)
-               error = 0;
+               /*
+                * Do not retry for execute request, for alias may have
+                * changed.
+                */
+       } while (error == TOMOYO_RETRY_REQUEST &&
+                operation != TOMOYO_TYPE_EXECUTE);
        /*
         * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
         * we need to check "allow_rewrite" permission if the filename is
@@ -1202,8 +1153,6 @@ static int tomoyo_path_number_perm2(struct tomoyo_request_info *r,
                                          tomoyo_file_pattern(filename),
                                          buffer);
        } while (error == TOMOYO_RETRY_REQUEST);
-       if (r->mode != TOMOYO_CONFIG_ENFORCING)
-               error = 0;
        return error;
 }
 
@@ -1241,24 +1190,6 @@ int tomoyo_path_number_perm(const u8 type, struct path *path,
        return error;
 }
 
-/**
- * tomoyo_check_exec_perm - Check permission for "execute".
- *
- * @r:        Pointer to "struct tomoyo_request_info".
- * @filename: Check permission for "execute".
- *
- * Returns 0 on success, negativevalue otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
-                          const struct tomoyo_path_info *filename)
-{
-       if (r->mode == TOMOYO_CONFIG_DISABLED)
-               return 0;
-       return tomoyo_file_perm(r, filename, 1);
-}
-
 /**
  * tomoyo_check_open_permission - Check permission for "read" and "write".
  *
@@ -1305,11 +1236,18 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
        if (!error && acc_mode &&
            tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN)
            != TOMOYO_CONFIG_DISABLED) {
+               u8 operation;
                if (!buf.name && !tomoyo_get_realpath(&buf, path)) {
                        error = -ENOMEM;
                        goto out;
                }
-               error = tomoyo_file_perm(&r, &buf, acc_mode);
+               if (acc_mode == (MAY_READ | MAY_WRITE))
+                       operation = TOMOYO_TYPE_READ_WRITE;
+               else if (acc_mode == MAY_READ)
+                       operation = TOMOYO_TYPE_READ;
+               else
+                       operation = TOMOYO_TYPE_WRITE;
+               error = tomoyo_path_permission(&r, operation, &buf);
        }
  out:
        kfree(buf.name);