(empty log message)
trunk/1.8.x/ccs-patch/security/ccsecurity/policy_io.c (diff) trunk/1.8.x/ccs-tools/usr_sbin/editpolicy_offline.c (diff)| @@ -491,7 +491,8 @@ | ||
| 491 | 491 | static ssize_t ccs_write(struct file *file, const char __user *buf, |
| 492 | 492 | size_t count, loff_t *ppos); |
| 493 | 493 | static struct ccs_condition *ccs_commit_condition(struct ccs_condition *entry); |
| 494 | -static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param); | |
| 494 | +static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param, | |
| 495 | + const bool pref); | |
| 495 | 496 | static struct ccs_domain_info *ccs_find_domain(const char *domainname); |
| 496 | 497 | static struct ccs_domain_info *ccs_find_domain_by_qid(unsigned int serial); |
| 497 | 498 | static struct ccs_group *ccs_get_group(struct ccs_acl_param *param, |
| @@ -1955,7 +1956,8 @@ | ||
| 1955 | 1956 | cp = pos; |
| 1956 | 1957 | while (*cp && *cp != '/' && *cp != '.' && *cp != ' ') |
| 1957 | 1958 | cp++; |
| 1958 | - if (*cp != '.') | |
| 1959 | + if (memchr(pos, '/', cp - pos + (*cp != '\0')) && | |
| 1960 | + strncmp(pos, "auto_domain_transition=\"", 24)) | |
| 1959 | 1961 | continue; |
| 1960 | 1962 | *(pos - 1) = '\0'; |
| 1961 | 1963 | break; |
| @@ -2012,10 +2014,12 @@ | ||
| 2012 | 2014 | * ccs_get_condition - Parse condition part. |
| 2013 | 2015 | * |
| 2014 | 2016 | * @param: Pointer to "struct ccs_acl_param". |
| 2017 | + * @pref: Can include domain transition preference? | |
| 2015 | 2018 | * |
| 2016 | 2019 | * Returns pointer to "struct ccs_condition" on success, NULL otherwise. |
| 2017 | 2020 | */ |
| 2018 | -static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param) | |
| 2021 | +static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param, | |
| 2022 | + const bool pref) | |
| 2019 | 2023 | { |
| 2020 | 2024 | struct ccs_condition *entry = NULL; |
| 2021 | 2025 | struct ccs_condition_element *condp = NULL; |
| @@ -2024,7 +2028,8 @@ | ||
| 2024 | 2028 | struct ccs_argv *argv = NULL; |
| 2025 | 2029 | struct ccs_envp *envp = NULL; |
| 2026 | 2030 | struct ccs_condition e = { }; |
| 2027 | - char * const start_of_string = ccs_get_transit_preference(param, &e); | |
| 2031 | + char * const start_of_string = pref ? | |
| 2032 | + ccs_get_transit_preference(param, &e) : param->data; | |
| 2028 | 2033 | char * const end_of_string = start_of_string + strlen(start_of_string); |
| 2029 | 2034 | char *pos; |
| 2030 | 2035 | rerun: |
| @@ -3142,23 +3147,21 @@ | ||
| 3142 | 3147 | struct list_head * const list = param->list; |
| 3143 | 3148 | BUG_ON(size < sizeof(*entry)); |
| 3144 | 3149 | if (param->data[0]) { |
| 3145 | - new_entry->cond = ccs_get_condition(param); | |
| 3146 | - if (!new_entry->cond) | |
| 3147 | - return -EINVAL; | |
| 3148 | 3150 | /* |
| 3149 | 3151 | * Domain transition preference is allowed for only |
| 3150 | 3152 | * "file execute"/"task auto_execute_handler"/ |
| 3151 | 3153 | * "task denied_auto_execute_handler" entries. |
| 3152 | 3154 | */ |
| 3153 | - if (new_entry->cond->exec_transit && | |
| 3154 | - !(new_entry->type == CCS_TYPE_PATH_ACL && | |
| 3155 | - new_entry->perm == 1 << CCS_TYPE_EXECUTE) | |
| 3155 | + const bool pref = (new_entry->type == CCS_TYPE_PATH_ACL && | |
| 3156 | + new_entry->perm == 1 << CCS_TYPE_EXECUTE) | |
| 3156 | 3157 | #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER |
| 3157 | - && new_entry->type != CCS_TYPE_AUTO_EXECUTE_HANDLER && | |
| 3158 | - new_entry->type != CCS_TYPE_DENIED_EXECUTE_HANDLER | |
| 3158 | + || new_entry->type == CCS_TYPE_AUTO_EXECUTE_HANDLER | |
| 3159 | + || new_entry->type == CCS_TYPE_DENIED_EXECUTE_HANDLER | |
| 3159 | 3160 | #endif |
| 3160 | - ) | |
| 3161 | - return -EINVAL; | |
| 3161 | + ; | |
| 3162 | + new_entry->cond = ccs_get_condition(param, pref); | |
| 3163 | + if (!new_entry->cond) | |
| 3164 | + return error; | |
| 3162 | 3165 | } |
| 3163 | 3166 | if (mutex_lock_interruptible(&ccs_policy_lock)) |
| 3164 | 3167 | return -ENOMEM; |
| @@ -1544,7 +1544,8 @@ | ||
| 1544 | 1544 | cp = pos; |
| 1545 | 1545 | while (*cp && *cp != '/' && *cp != '.' && *cp != ' ') |
| 1546 | 1546 | cp++; |
| 1547 | - if (*cp != '.') | |
| 1547 | + if (memchr(pos, '/', cp - pos + (*cp != '\0')) && | |
| 1548 | + strncmp(pos, "auto_domain_transition=\"", 24)) | |
| 1548 | 1549 | continue; |
| 1549 | 1550 | *(pos - 1) = '\0'; |
| 1550 | 1551 | break; |
| @@ -2029,10 +2030,12 @@ | ||
| 2029 | 2030 | * ccs_get_condition - Parse condition part. |
| 2030 | 2031 | * |
| 2031 | 2032 | * @param: Pointer to "struct ccs_acl_param". |
| 2033 | + * @pref: Can include domain transition preference? | |
| 2032 | 2034 | * |
| 2033 | 2035 | * Returns pointer to "struct ccs_condition" on success, NULL otherwise. |
| 2034 | 2036 | */ |
| 2035 | -static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param) | |
| 2037 | +static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param, | |
| 2038 | + const bool pref) | |
| 2036 | 2039 | { |
| 2037 | 2040 | struct ccs_condition *entry = NULL; |
| 2038 | 2041 | struct ccs_condition_element *condp = NULL; |
| @@ -2041,7 +2044,8 @@ | ||
| 2041 | 2044 | struct ccs_argv *argv = NULL; |
| 2042 | 2045 | struct ccs_envp *envp = NULL; |
| 2043 | 2046 | struct ccs_condition e = { }; |
| 2044 | - char * const start_of_string = ccs_get_transit_preference(param, &e); | |
| 2047 | + char * const start_of_string = pref ? | |
| 2048 | + ccs_get_transit_preference(param, &e) : param->data; | |
| 2045 | 2049 | char * const end_of_string = start_of_string + strlen(start_of_string); |
| 2046 | 2050 | char *pos; |
| 2047 | 2051 | rerun: |
| @@ -2283,21 +2287,19 @@ | ||
| 2283 | 2287 | struct ccs_acl_info *entry; |
| 2284 | 2288 | struct list_head * const list = param->list; |
| 2285 | 2289 | if (param->data[0]) { |
| 2286 | - new_entry->cond = ccs_get_condition(param); | |
| 2287 | - if (!new_entry->cond) | |
| 2288 | - return -EINVAL; | |
| 2289 | 2290 | /* |
| 2290 | 2291 | * Domain transition preference is allowed for only |
| 2291 | 2292 | * "file execute"/"task auto_execute_handler"/ |
| 2292 | 2293 | * "task denied_execute_handler" entries. |
| 2293 | 2294 | */ |
| 2294 | - if (new_entry->cond->exec_transit && | |
| 2295 | - !(new_entry->type == CCS_TYPE_PATH_ACL && | |
| 2296 | - container_of(new_entry, struct ccs_path_acl, head)->perm | |
| 2297 | - == 1 << CCS_TYPE_EXECUTE) && | |
| 2298 | - new_entry->type != CCS_TYPE_AUTO_EXECUTE_HANDLER && | |
| 2299 | - new_entry->type != CCS_TYPE_DENIED_EXECUTE_HANDLER) | |
| 2300 | - goto out; | |
| 2295 | + const bool pref = (new_entry->type == CCS_TYPE_PATH_ACL && | |
| 2296 | + container_of(new_entry, struct ccs_path_acl, head)->perm | |
| 2297 | + == 1 << CCS_TYPE_EXECUTE) || | |
| 2298 | + new_entry->type == CCS_TYPE_AUTO_EXECUTE_HANDLER || | |
| 2299 | + new_entry->type == CCS_TYPE_DENIED_EXECUTE_HANDLER; | |
| 2300 | + new_entry->cond = ccs_get_condition(param, pref); | |
| 2301 | + if (!new_entry->cond) | |
| 2302 | + return error; | |
| 2301 | 2303 | } |
| 2302 | 2304 | list_for_each_entry(entry, list, list) { |
| 2303 | 2305 | if (!ccs_same_acl_head(entry, new_entry) || |
TOMOYO
Fork