git.openpandora.org / pandora-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 475e6fa)
TOMOYO: Allow reading only execute permission.
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Thu, 24 Jun 2010 03:00:25 +0000 (12:00 +0900)
committerJames Morris <jmorris@namei.org>
Mon, 2 Aug 2010 05:34:44 +0000 (15:34 +1000)
Policy editor needs to know allow_execute entries in order to build domain
transition tree. Reading all entries is slow. Thus, allow reading only
allow_execute entries.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
security/tomoyo/common.c patch | blob | history
security/tomoyo/common.h patch | blob | history

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 2a5330e..6c68981 100644 (file)
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -594,6 +594,10 @@ static bool tomoyo_select_one(struct tomoyo_io_buffer *head, const char *data)
        struct tomoyo_domain_info *domain = NULL;
        bool global_pid = false;
 
+       if (!strcmp(data, "allow_execute")) {
+               head->print_execute_only = true;
+               return true;
+       }
        if (sscanf(data, "pid=%u", &pid) == 1 ||
            (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
                struct task_struct *p;
@@ -759,6 +763,8 @@ static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
        for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
                if (!(perm & (1 << bit)))
                        continue;
+               if (head->print_execute_only && bit != TOMOYO_TYPE_EXECUTE)
+                       continue;
                /* Print "read/write" instead of "read" and "write". */
                if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
                    && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
@@ -926,6 +932,8 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
                        = container_of(ptr, struct tomoyo_path_acl, head);
                return tomoyo_print_path_acl(head, acl);
        }
+       if (head->print_execute_only)
+               return true;
        if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
                struct tomoyo_path2_acl *acl
                        = container_of(ptr, struct tomoyo_path2_acl, head);
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index cdc9ef5..67b9aea 100644 (file)
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -571,6 +571,8 @@ struct tomoyo_io_buffer {
        bool read_single_domain;
        /* Extra variable for reading.          */
        u8 read_bit;
+       /* Read only TOMOYO_TYPE_EXECUTE        */
+       bool print_execute_only;
        /* Bytes available for reading.         */
        int read_avail;
        /* Size of read buffer.                 */
Pandora Kernel Repository