summaryrefslogtreecommitdiffstats
path: root/security/tomoyo/util.c
diff options
context:
space:
mode:
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2011-09-10 15:25:58 +0900
committerJames Morris <jmorris@namei.org>2011-09-14 08:27:06 +1000
commit731d37aa70c7b9de3be6bf2c8287366223bf5ce5 (patch)
tree8ac6028511485862572695eb91e2d461e0636182 /security/tomoyo/util.c
parent1f067a682a9bd252107ac6f6946b7332fde42344 (diff)
TOMOYO: Allow domain transition without execve().
To be able to split permissions for Apache's CGI programs which are executed without execve(), add special domain transition which is performed by writing a TOMOYO's domainname to /sys/kernel/security/tomoyo/self_domain interface. This is an API for TOMOYO-aware userland applications. However, since I expect TOMOYO and other LSM modules to run in parallel, this patch does not use /proc/self/attr/ interface in order to avoid conflicts with other LSM modules when it became possible to run multiple LSM modules in parallel. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/util.c')
-rw-r--r--security/tomoyo/util.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c
index a1c3d9ccebf..50e9b4c73ce 100644
--- a/security/tomoyo/util.c
+++ b/security/tomoyo/util.c
@@ -159,6 +159,31 @@ char *tomoyo_read_token(struct tomoyo_acl_param *param)
}
/**
+ * tomoyo_get_domainname - Read a domainname from a line.
+ *
+ * @param: Pointer to "struct tomoyo_acl_param".
+ *
+ * Returns a domainname on success, NULL otherwise.
+ */
+const struct tomoyo_path_info *tomoyo_get_domainname
+(struct tomoyo_acl_param *param)
+{
+ char *start = param->data;
+ char *pos = start;
+ while (*pos) {
+ if (*pos++ != ' ' || *pos++ == '/')
+ continue;
+ pos -= 2;
+ *pos++ = '\0';
+ break;
+ }
+ param->data = pos;
+ if (tomoyo_correct_domain(start))
+ return tomoyo_get_name(start);
+ return NULL;
+}
+
+/**
* tomoyo_parse_ulong - Parse an "unsigned long" value.
*
* @result: Pointer to "unsigned long".