(empty log message)
@@ -491,7 +491,8 @@ | ||
491 | 491 | static ssize_t ccs_write(struct file *file, const char __user *buf, |
492 | 492 | size_t count, loff_t *ppos); |
493 | 493 | static struct ccs_condition *ccs_commit_condition(struct ccs_condition *entry); |
494 | -static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param); | |
494 | +static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param, | |
495 | + const bool pref); | |
495 | 496 | static struct ccs_domain_info *ccs_find_domain(const char *domainname); |
496 | 497 | static struct ccs_domain_info *ccs_find_domain_by_qid(unsigned int serial); |
497 | 498 | static struct ccs_group *ccs_get_group(struct ccs_acl_param *param, |
@@ -1955,7 +1956,8 @@ | ||
1955 | 1956 | cp = pos; |
1956 | 1957 | while (*cp && *cp != '/' && *cp != '.' && *cp != ' ') |
1957 | 1958 | cp++; |
1958 | - if (*cp != '.') | |
1959 | + if (memchr(pos, '/', cp - pos + (*cp != '\0')) && | |
1960 | + strncmp(pos, "auto_domain_transition=\"", 24)) | |
1959 | 1961 | continue; |
1960 | 1962 | *(pos - 1) = '\0'; |
1961 | 1963 | break; |
@@ -2012,10 +2014,12 @@ | ||
2012 | 2014 | * ccs_get_condition - Parse condition part. |
2013 | 2015 | * |
2014 | 2016 | * @param: Pointer to "struct ccs_acl_param". |
2017 | + * @pref: Can include domain transition preference? | |
2015 | 2018 | * |
2016 | 2019 | * Returns pointer to "struct ccs_condition" on success, NULL otherwise. |
2017 | 2020 | */ |
2018 | -static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param) | |
2021 | +static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param, | |
2022 | + const bool pref) | |
2019 | 2023 | { |
2020 | 2024 | struct ccs_condition *entry = NULL; |
2021 | 2025 | struct ccs_condition_element *condp = NULL; |
@@ -2024,7 +2028,8 @@ | ||
2024 | 2028 | struct ccs_argv *argv = NULL; |
2025 | 2029 | struct ccs_envp *envp = NULL; |
2026 | 2030 | struct ccs_condition e = { }; |
2027 | - char * const start_of_string = ccs_get_transit_preference(param, &e); | |
2031 | + char * const start_of_string = pref ? | |
2032 | + ccs_get_transit_preference(param, &e) : param->data; | |
2028 | 2033 | char * const end_of_string = start_of_string + strlen(start_of_string); |
2029 | 2034 | char *pos; |
2030 | 2035 | rerun: |
@@ -3142,23 +3147,21 @@ | ||
3142 | 3147 | struct list_head * const list = param->list; |
3143 | 3148 | BUG_ON(size < sizeof(*entry)); |
3144 | 3149 | if (param->data[0]) { |
3145 | - new_entry->cond = ccs_get_condition(param); | |
3146 | - if (!new_entry->cond) | |
3147 | - return -EINVAL; | |
3148 | 3150 | /* |
3149 | 3151 | * Domain transition preference is allowed for only |
3150 | 3152 | * "file execute"/"task auto_execute_handler"/ |
3151 | 3153 | * "task denied_auto_execute_handler" entries. |
3152 | 3154 | */ |
3153 | - if (new_entry->cond->exec_transit && | |
3154 | - !(new_entry->type == CCS_TYPE_PATH_ACL && | |
3155 | - new_entry->perm == 1 << CCS_TYPE_EXECUTE) | |
3155 | + const bool pref = (new_entry->type == CCS_TYPE_PATH_ACL && | |
3156 | + new_entry->perm == 1 << CCS_TYPE_EXECUTE) | |
3156 | 3157 | #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER |
3157 | - && new_entry->type != CCS_TYPE_AUTO_EXECUTE_HANDLER && | |
3158 | - new_entry->type != CCS_TYPE_DENIED_EXECUTE_HANDLER | |
3158 | + || new_entry->type == CCS_TYPE_AUTO_EXECUTE_HANDLER | |
3159 | + || new_entry->type == CCS_TYPE_DENIED_EXECUTE_HANDLER | |
3159 | 3160 | #endif |
3160 | - ) | |
3161 | - return -EINVAL; | |
3161 | + ; | |
3162 | + new_entry->cond = ccs_get_condition(param, pref); | |
3163 | + if (!new_entry->cond) | |
3164 | + return error; | |
3162 | 3165 | } |
3163 | 3166 | if (mutex_lock_interruptible(&ccs_policy_lock)) |
3164 | 3167 | return -ENOMEM; |
@@ -1544,7 +1544,8 @@ | ||
1544 | 1544 | cp = pos; |
1545 | 1545 | while (*cp && *cp != '/' && *cp != '.' && *cp != ' ') |
1546 | 1546 | cp++; |
1547 | - if (*cp != '.') | |
1547 | + if (memchr(pos, '/', cp - pos + (*cp != '\0')) && | |
1548 | + strncmp(pos, "auto_domain_transition=\"", 24)) | |
1548 | 1549 | continue; |
1549 | 1550 | *(pos - 1) = '\0'; |
1550 | 1551 | break; |
@@ -2029,10 +2030,12 @@ | ||
2029 | 2030 | * ccs_get_condition - Parse condition part. |
2030 | 2031 | * |
2031 | 2032 | * @param: Pointer to "struct ccs_acl_param". |
2033 | + * @pref: Can include domain transition preference? | |
2032 | 2034 | * |
2033 | 2035 | * Returns pointer to "struct ccs_condition" on success, NULL otherwise. |
2034 | 2036 | */ |
2035 | -static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param) | |
2037 | +static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param, | |
2038 | + const bool pref) | |
2036 | 2039 | { |
2037 | 2040 | struct ccs_condition *entry = NULL; |
2038 | 2041 | struct ccs_condition_element *condp = NULL; |
@@ -2041,7 +2044,8 @@ | ||
2041 | 2044 | struct ccs_argv *argv = NULL; |
2042 | 2045 | struct ccs_envp *envp = NULL; |
2043 | 2046 | struct ccs_condition e = { }; |
2044 | - char * const start_of_string = ccs_get_transit_preference(param, &e); | |
2047 | + char * const start_of_string = pref ? | |
2048 | + ccs_get_transit_preference(param, &e) : param->data; | |
2045 | 2049 | char * const end_of_string = start_of_string + strlen(start_of_string); |
2046 | 2050 | char *pos; |
2047 | 2051 | rerun: |
@@ -2283,21 +2287,19 @@ | ||
2283 | 2287 | struct ccs_acl_info *entry; |
2284 | 2288 | struct list_head * const list = param->list; |
2285 | 2289 | if (param->data[0]) { |
2286 | - new_entry->cond = ccs_get_condition(param); | |
2287 | - if (!new_entry->cond) | |
2288 | - return -EINVAL; | |
2289 | 2290 | /* |
2290 | 2291 | * Domain transition preference is allowed for only |
2291 | 2292 | * "file execute"/"task auto_execute_handler"/ |
2292 | 2293 | * "task denied_execute_handler" entries. |
2293 | 2294 | */ |
2294 | - if (new_entry->cond->exec_transit && | |
2295 | - !(new_entry->type == CCS_TYPE_PATH_ACL && | |
2296 | - container_of(new_entry, struct ccs_path_acl, head)->perm | |
2297 | - == 1 << CCS_TYPE_EXECUTE) && | |
2298 | - new_entry->type != CCS_TYPE_AUTO_EXECUTE_HANDLER && | |
2299 | - new_entry->type != CCS_TYPE_DENIED_EXECUTE_HANDLER) | |
2300 | - goto out; | |
2295 | + const bool pref = (new_entry->type == CCS_TYPE_PATH_ACL && | |
2296 | + container_of(new_entry, struct ccs_path_acl, head)->perm | |
2297 | + == 1 << CCS_TYPE_EXECUTE) || | |
2298 | + new_entry->type == CCS_TYPE_AUTO_EXECUTE_HANDLER || | |
2299 | + new_entry->type == CCS_TYPE_DENIED_EXECUTE_HANDLER; | |
2300 | + new_entry->cond = ccs_get_condition(param, pref); | |
2301 | + if (!new_entry->cond) | |
2302 | + return error; | |
2301 | 2303 | } |
2302 | 2304 | list_for_each_entry(entry, list, list) { |
2303 | 2305 | if (!ccs_same_acl_head(entry, new_entry) || |