Commit 1f067a68 authored by Tetsuo Handa's avatar Tetsuo Handa Committed by James Morris

TOMOYO: Allow controlling generation of access granted logs for per an entry basis.

Add per-entry flag which controls generation of grant logs because Xen and KVM
issues ioctl requests so frequently. For example,

  file ioctl /dev/null 0x5401 grant_log=no

will suppress /sys/kernel/security/tomoyo/audit even if preference says
grant_log=yes .
Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 059d84db
...@@ -313,6 +313,7 @@ static unsigned int tomoyo_log_count; ...@@ -313,6 +313,7 @@ static unsigned int tomoyo_log_count;
*/ */
static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns, static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
const u8 profile, const u8 index, const u8 profile, const u8 index,
const struct tomoyo_acl_info *matched_acl,
const bool is_granted) const bool is_granted)
{ {
u8 mode; u8 mode;
...@@ -324,6 +325,9 @@ static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns, ...@@ -324,6 +325,9 @@ static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
p = tomoyo_profile(ns, profile); p = tomoyo_profile(ns, profile);
if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG]) if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG])
return false; return false;
if (is_granted && matched_acl && matched_acl->cond &&
matched_acl->cond->grant_log != TOMOYO_GRANTLOG_AUTO)
return matched_acl->cond->grant_log == TOMOYO_GRANTLOG_YES;
mode = p->config[index]; mode = p->config[index];
if (mode == TOMOYO_CONFIG_USE_DEFAULT) if (mode == TOMOYO_CONFIG_USE_DEFAULT)
mode = p->config[category]; mode = p->config[category];
...@@ -350,7 +354,8 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt, ...@@ -350,7 +354,8 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
char *buf; char *buf;
struct tomoyo_log *entry; struct tomoyo_log *entry;
bool quota_exceeded = false; bool quota_exceeded = false;
if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type, r->granted)) if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type,
r->matched_acl, r->granted))
goto out; goto out;
buf = tomoyo_init_log(r, len, fmt, args); buf = tomoyo_init_log(r, len, fmt, args);
if (!buf) if (!buf)
......
...@@ -1272,6 +1272,10 @@ static bool tomoyo_print_condition(struct tomoyo_io_buffer *head, ...@@ -1272,6 +1272,10 @@ static bool tomoyo_print_condition(struct tomoyo_io_buffer *head,
head->r.cond_step++; head->r.cond_step++;
/* fall through */ /* fall through */
case 3: case 3:
if (cond->grant_log != TOMOYO_GRANTLOG_AUTO)
tomoyo_io_printf(head, " grant_log=%s",
tomoyo_yesno(cond->grant_log ==
TOMOYO_GRANTLOG_YES));
tomoyo_set_lf(head); tomoyo_set_lf(head);
return true; return true;
} }
......
...@@ -179,6 +179,16 @@ enum tomoyo_domain_info_flags_index { ...@@ -179,6 +179,16 @@ enum tomoyo_domain_info_flags_index {
TOMOYO_MAX_DOMAIN_INFO_FLAGS TOMOYO_MAX_DOMAIN_INFO_FLAGS
}; };
/* Index numbers for audit type. */
enum tomoyo_grant_log {
/* Follow profile's configuration. */
TOMOYO_GRANTLOG_AUTO,
/* Do not generate grant log. */
TOMOYO_GRANTLOG_NO,
/* Generate grant_log. */
TOMOYO_GRANTLOG_YES,
};
/* Index numbers for group entries. */ /* Index numbers for group entries. */
enum tomoyo_group_id { enum tomoyo_group_id {
TOMOYO_PATH_GROUP, TOMOYO_PATH_GROUP,
...@@ -471,6 +481,7 @@ struct tomoyo_request_info { ...@@ -471,6 +481,7 @@ struct tomoyo_request_info {
int need_dev; int need_dev;
} mount; } mount;
} param; } param;
struct tomoyo_acl_info *matched_acl;
u8 param_type; u8 param_type;
bool granted; bool granted;
u8 retry; u8 retry;
...@@ -635,6 +646,7 @@ struct tomoyo_condition { ...@@ -635,6 +646,7 @@ struct tomoyo_condition {
u16 names_count; /* Number of "struct tomoyo_name_union names". */ u16 names_count; /* Number of "struct tomoyo_name_union names". */
u16 argc; /* Number of "struct tomoyo_argv". */ u16 argc; /* Number of "struct tomoyo_argv". */
u16 envc; /* Number of "struct tomoyo_envp". */ u16 envc; /* Number of "struct tomoyo_envp". */
u8 grant_log; /* One of values in "enum tomoyo_grant_log". */
/* /*
* struct tomoyo_condition_element condition[condc]; * struct tomoyo_condition_element condition[condc];
* struct tomoyo_number_union values[numbers_count]; * struct tomoyo_number_union values[numbers_count];
......
...@@ -348,6 +348,7 @@ static inline bool tomoyo_same_condition(const struct tomoyo_condition *a, ...@@ -348,6 +348,7 @@ static inline bool tomoyo_same_condition(const struct tomoyo_condition *a,
a->numbers_count == b->numbers_count && a->numbers_count == b->numbers_count &&
a->names_count == b->names_count && a->names_count == b->names_count &&
a->argc == b->argc && a->envc == b->envc && a->argc == b->argc && a->envc == b->envc &&
a->grant_log == b->grant_log &&
!memcmp(a + 1, b + 1, a->size - sizeof(*a)); !memcmp(a + 1, b + 1, a->size - sizeof(*a));
} }
...@@ -486,6 +487,20 @@ struct tomoyo_condition *tomoyo_get_condition(struct tomoyo_acl_param *param) ...@@ -486,6 +487,20 @@ struct tomoyo_condition *tomoyo_get_condition(struct tomoyo_acl_param *param)
goto out; goto out;
dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word, dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word,
is_not ? "!" : "", right_word); is_not ? "!" : "", right_word);
if (!strcmp(left_word, "grant_log")) {
if (entry) {
if (is_not ||
entry->grant_log != TOMOYO_GRANTLOG_AUTO)
goto out;
else if (!strcmp(right_word, "yes"))
entry->grant_log = TOMOYO_GRANTLOG_YES;
else if (!strcmp(right_word, "no"))
entry->grant_log = TOMOYO_GRANTLOG_NO;
else
goto out;
}
continue;
}
if (!strncmp(left_word, "exec.argv[", 10)) { if (!strncmp(left_word, "exec.argv[", 10)) {
if (!argv) { if (!argv) {
e.argc++; e.argc++;
......
...@@ -157,6 +157,7 @@ void tomoyo_check_acl(struct tomoyo_request_info *r, ...@@ -157,6 +157,7 @@ void tomoyo_check_acl(struct tomoyo_request_info *r,
continue; continue;
if (!tomoyo_condition(r, ptr->cond)) if (!tomoyo_condition(r, ptr->cond))
continue; continue;
r->matched_acl = ptr;
r->granted = true; r->granted = true;
return; return;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment