TOMOYO: Several fixes for TOMOYO's management programs.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>

TOMOYO: Several fixes for TOMOYO's management programs.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
9b244373 · Tetsuo Handa · James Morris · ea0d3ab2 · 9b244373 · 9b244373
Commit 9b244373 authored Jun 03, 2010 by Tetsuo Handa Committed by James Morris Aug 02, 2010
Showing with 23 additions and 6 deletions

security/tomoyo/common.c security/tomoyo/common.c +20 -5

security/tomoyo/common.h security/tomoyo/common.h +2 -0

security/tomoyo/path_group.c security/tomoyo/path_group.c +1 -1

No files found.
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -366,7 +366,7 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
 *
 *  or
 *
- * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
+ * # echo '/usr/sbin/tomoyo-editpolicy' > /sys/kernel/security/tomoyo/manager
 *  (if you want to specify by a program's location)
 *
 * and is deleted by
@@ -376,7 +376,7 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
 *
 *  or
 *
- * # echo 'delete /usr/lib/ccs/editpolicy' > \
+ * # echo 'delete /usr/sbin/tomoyo-editpolicy' > \
 *                                        /sys/kernel/security/tomoyo/manager
 *
 * and all entries are retrieved by
@@ -556,11 +556,16 @@ static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
 {
 	unsigned int pid;
 	struct tomoyo_domain_info *domain = NULL;
+	bool global_pid = false;
-	if (sscanf(data, "pid=%u", &pid) == 1) {
+	if (sscanf(data, "pid=%u", &pid) == 1 ||
+	    (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
 		struct task_struct *p;
 		rcu_read_lock();
 		read_lock(&tasklist_lock);
+		if (global_pid)
+			p = find_task_by_pid_ns(pid, &init_pid_ns);
+		else
 			p = find_task_by_vpid(pid);
 		if (p)
 			domain = tomoyo_real_domain(p);
@@ -697,6 +702,14 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
 		domain->ignore_global_allow_read = !is_delete;
 		return 0;
 	}
+	if (!strcmp(data, TOMOYO_KEYWORD_QUOTA_EXCEEDED)) {
+		domain->quota_warned = !is_delete;
+		return 0;
+	}
+	if (!strcmp(data, TOMOYO_KEYWORD_TRANSITION_FAILED)) {
+		domain->transition_failed = !is_delete;
+		return 0;
+	}
 	return tomoyo_write_domain_policy2(data, domain, is_delete);
 }
@@ -853,6 +866,8 @@ static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head,
 				   struct tomoyo_mount_acl *ptr)
 {
 	const int pos = head->read_avail;
+	if (ptr->is_deleted)
+		return true;
 	if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) ||
 	    !tomoyo_print_name_union(head, &ptr->dev_name) ||
 	    !tomoyo_print_name_union(head, &ptr->dir_name) ||
@@ -993,7 +1008,7 @@ static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
 * This is equivalent to doing
 *
 *     ( echo "select " $domainname; echo "use_profile " $profile ) |
- *     /usr/lib/ccs/loadpolicy -d
+ *     /usr/sbin/tomoyo-loadpolicy -d
 *
 * Caller holds tomoyo_read_lock().
 */

--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -68,6 +68,8 @@ enum tomoyo_mode_index {
 #define TOMOYO_KEYWORD_SELECT                    "select "
 #define TOMOYO_KEYWORD_USE_PROFILE               "use_profile "
 #define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ  "ignore_global_allow_read"
+#define TOMOYO_KEYWORD_QUOTA_EXCEEDED            "quota_exceeded"
+#define TOMOYO_KEYWORD_TRANSITION_FAILED         "transition_failed"
 /* A domain definition starts with <kernel>. */
 #define TOMOYO_ROOT_NAME                         "<kernel>"
 #define TOMOYO_ROOT_NAME_LEN                     (sizeof(TOMOYO_ROOT_NAME) - 1)

--- a/security/tomoyo/path_group.c
+++ b/security/tomoyo/path_group.c
@@ -6,7 +6,7 @@
 #include <linux/slab.h>
 #include "common.h"
-/* The list for "struct ccs_path_group". */
+/* The list for "struct tomoyo_path_group". */
 LIST_HEAD(tomoyo_path_group_list);
 /**