diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/keys/sysctl.c | 17 | ||||
-rw-r--r-- | security/tomoyo/file.c | 21 | ||||
-rw-r--r-- | security/tomoyo/realpath.c | 9 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.c | 80 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.h | 2 |
5 files changed, 15 insertions, 114 deletions
diff --git a/security/keys/sysctl.c b/security/keys/sysctl.c index 5e05dc09e2d..ee32d181764 100644 --- a/security/keys/sysctl.c +++ b/security/keys/sysctl.c @@ -17,54 +17,49 @@ static const int zero, one = 1, max = INT_MAX; ctl_table key_sysctls[] = { { - .ctl_name = CTL_UNNUMBERED, .procname = "maxkeys", .data = &key_quota_maxkeys, .maxlen = sizeof(unsigned), .mode = 0644, - .proc_handler = &proc_dointvec_minmax, + .proc_handler = proc_dointvec_minmax, .extra1 = (void *) &one, .extra2 = (void *) &max, }, { - .ctl_name = CTL_UNNUMBERED, .procname = "maxbytes", .data = &key_quota_maxbytes, .maxlen = sizeof(unsigned), .mode = 0644, - .proc_handler = &proc_dointvec_minmax, + .proc_handler = proc_dointvec_minmax, .extra1 = (void *) &one, .extra2 = (void *) &max, }, { - .ctl_name = CTL_UNNUMBERED, .procname = "root_maxkeys", .data = &key_quota_root_maxkeys, .maxlen = sizeof(unsigned), .mode = 0644, - .proc_handler = &proc_dointvec_minmax, + .proc_handler = proc_dointvec_minmax, .extra1 = (void *) &one, .extra2 = (void *) &max, }, { - .ctl_name = CTL_UNNUMBERED, .procname = "root_maxbytes", .data = &key_quota_root_maxbytes, .maxlen = sizeof(unsigned), .mode = 0644, - .proc_handler = &proc_dointvec_minmax, + .proc_handler = proc_dointvec_minmax, .extra1 = (void *) &one, .extra2 = (void *) &max, }, { - .ctl_name = CTL_UNNUMBERED, .procname = "gc_delay", .data = &key_gc_delay, .maxlen = sizeof(unsigned), .mode = 0644, - .proc_handler = &proc_dointvec_minmax, + .proc_handler = proc_dointvec_minmax, .extra1 = (void *) &zero, .extra2 = (void *) &max, }, - { .ctl_name = 0 } + { } }; diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 5ae3a571559..8346938809b 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -1096,27 +1096,6 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * } /** - * tomoyo_check_file_perm - Check permission for sysctl()'s "read" and "write". - * - * @domain: Pointer to "struct tomoyo_domain_info". - * @filename: Filename to check. - * @perm: Mode ("read" or "write" or "read/write"). - * Returns 0 on success, negative value otherwise. - */ -int tomoyo_check_file_perm(struct tomoyo_domain_info *domain, - const char *filename, const u8 perm) -{ - struct tomoyo_path_info name; - const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); - - if (!mode) - return 0; - name.name = filename; - tomoyo_fill_path_info(&name); - return tomoyo_check_file_perm2(domain, &name, perm, "sysctl", mode); -} - -/** * tomoyo_check_exec_perm - Check permission for "execute". * * @domain: Pointer to "struct tomoyo_domain_info". diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index 917f564cdab..18369d497eb 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c @@ -110,6 +110,15 @@ int tomoyo_realpath_from_path2(struct path *path, char *newname, spin_unlock(&dcache_lock); path_put(&root); path_put(&ns_root); + /* Prepend "/proc" prefix if using internal proc vfs mount. */ + if (!IS_ERR(sp) && (path->mnt->mnt_parent == path->mnt) && + (strcmp(path->mnt->mnt_sb->s_type->name, "proc") == 0)) { + sp -= 5; + if (sp >= newname) + memcpy(sp, "/proc", 5); + else + sp = ERR_PTR(-ENOMEM); + } } if (IS_ERR(sp)) error = PTR_ERR(sp); diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 9548a0984cc..8a00ade8516 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -85,83 +85,6 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm) return tomoyo_check_open_permission(domain, &bprm->file->f_path, 1); } -#ifdef CONFIG_SYSCTL - -static int tomoyo_prepend(char **buffer, int *buflen, const char *str) -{ - int namelen = strlen(str); - - if (*buflen < namelen) - return -ENOMEM; - *buflen -= namelen; - *buffer -= namelen; - memcpy(*buffer, str, namelen); - return 0; -} - -/** - * tomoyo_sysctl_path - return the realpath of a ctl_table. - * @table: pointer to "struct ctl_table". - * - * Returns realpath(3) of the @table on success. - * Returns NULL on failure. - * - * This function uses tomoyo_alloc(), so the caller must call tomoyo_free() - * if this function didn't return NULL. - */ -static char *tomoyo_sysctl_path(struct ctl_table *table) -{ - int buflen = TOMOYO_MAX_PATHNAME_LEN; - char *buf = tomoyo_alloc(buflen); - char *end = buf + buflen; - int error = -ENOMEM; - - if (!buf) - return NULL; - - *--end = '\0'; - buflen--; - while (table) { - char num[32]; - const char *sp = table->procname; - - if (!sp) { - memset(num, 0, sizeof(num)); - snprintf(num, sizeof(num) - 1, "=%d=", table->ctl_name); - sp = num; - } - if (tomoyo_prepend(&end, &buflen, sp) || - tomoyo_prepend(&end, &buflen, "/")) - goto out; - table = table->parent; - } - if (tomoyo_prepend(&end, &buflen, "/proc/sys")) - goto out; - error = tomoyo_encode(buf, end - buf, end); - out: - if (!error) - return buf; - tomoyo_free(buf); - return NULL; -} - -static int tomoyo_sysctl(struct ctl_table *table, int op) -{ - int error; - char *name; - - op &= MAY_READ | MAY_WRITE; - if (!op) - return 0; - name = tomoyo_sysctl_path(table); - if (!name) - return -ENOMEM; - error = tomoyo_check_file_perm(tomoyo_domain(), name, op); - tomoyo_free(name); - return error; -} -#endif - static int tomoyo_path_truncate(struct path *path, loff_t length, unsigned int time_attrs) { @@ -282,9 +205,6 @@ static struct security_operations tomoyo_security_ops = { .cred_transfer = tomoyo_cred_transfer, .bprm_set_creds = tomoyo_bprm_set_creds, .bprm_check_security = tomoyo_bprm_check_security, -#ifdef CONFIG_SYSCTL - .sysctl = tomoyo_sysctl, -#endif .file_fcntl = tomoyo_file_fcntl, .dentry_open = tomoyo_dentry_open, .path_truncate = tomoyo_path_truncate, diff --git a/security/tomoyo/tomoyo.h b/security/tomoyo/tomoyo.h index cd6ba0bf706..ed758325b1a 100644 --- a/security/tomoyo/tomoyo.h +++ b/security/tomoyo/tomoyo.h @@ -18,8 +18,6 @@ struct inode; struct linux_binprm; struct pt_regs; -int tomoyo_check_file_perm(struct tomoyo_domain_info *domain, - const char *filename, const u8 perm); int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, const struct tomoyo_path_info *filename); int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, |