tomoyo: preparation step for building as a loadable LSM module
In order to allow the Makefile to generate tomoyo.ko as output, rename tomoyo.c to hooks.h and move the LSM hook registration part, which will be built into vmlinux, out of hooks.h into init.c. Also, update comments and relocate some variables. No behavior changes. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
This commit is contained in:
parent
de5cb0dcb7
commit
268225a1de
@ -1,5 +1,5 @@
|
|||||||
# SPDX-License-Identifier: GPL-2.0
|
# SPDX-License-Identifier: GPL-2.0
|
||||||
obj-y = audit.o common.o condition.o domain.o environ.o file.o gc.o group.o load_policy.o memory.o mount.o network.o realpath.o securityfs_if.o tomoyo.o util.o
|
obj-y = audit.o common.o condition.o domain.o environ.o file.o gc.o group.o init.o load_policy.o memory.o mount.o network.o realpath.o securityfs_if.o util.o
|
||||||
|
|
||||||
targets += builtin-policy.h
|
targets += builtin-policy.h
|
||||||
|
|
||||||
|
@ -9,6 +9,9 @@
|
|||||||
#include <linux/kthread.h>
|
#include <linux/kthread.h>
|
||||||
#include <linux/slab.h>
|
#include <linux/slab.h>
|
||||||
|
|
||||||
|
/* Lock for GC. */
|
||||||
|
DEFINE_SRCU(tomoyo_ss);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* tomoyo_memory_free - Free memory for elements.
|
* tomoyo_memory_free - Free memory for elements.
|
||||||
*
|
*
|
||||||
|
@ -1,12 +1,10 @@
|
|||||||
// SPDX-License-Identifier: GPL-2.0
|
// SPDX-License-Identifier: GPL-2.0
|
||||||
/*
|
/*
|
||||||
* security/tomoyo/tomoyo.c
|
* security/tomoyo/hooks.h
|
||||||
*
|
*
|
||||||
* Copyright (C) 2005-2011 NTT DATA CORPORATION
|
* Copyright (C) 2005-2011 NTT DATA CORPORATION
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <linux/lsm_hooks.h>
|
|
||||||
#include <uapi/linux/lsm.h>
|
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -18,10 +16,6 @@ struct tomoyo_domain_info *tomoyo_domain(void)
|
|||||||
{
|
{
|
||||||
struct tomoyo_task *s = tomoyo_task(current);
|
struct tomoyo_task *s = tomoyo_task(current);
|
||||||
|
|
||||||
if (s->old_domain_info && !current->in_execve) {
|
|
||||||
atomic_dec(&s->old_domain_info->users);
|
|
||||||
s->old_domain_info = NULL;
|
|
||||||
}
|
|
||||||
return s->domain_info;
|
return s->domain_info;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -62,26 +56,6 @@ static void tomoyo_bprm_committed_creds(const struct linux_binprm *bprm)
|
|||||||
s->old_domain_info = NULL;
|
s->old_domain_info = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
|
|
||||||
/**
|
|
||||||
* tomoyo_bprm_creds_for_exec - Target for security_bprm_creds_for_exec().
|
|
||||||
*
|
|
||||||
* @bprm: Pointer to "struct linux_binprm".
|
|
||||||
*
|
|
||||||
* Returns 0.
|
|
||||||
*/
|
|
||||||
static int tomoyo_bprm_creds_for_exec(struct linux_binprm *bprm)
|
|
||||||
{
|
|
||||||
/*
|
|
||||||
* Load policy if /sbin/tomoyo-init exists and /sbin/init is requested
|
|
||||||
* for the first time.
|
|
||||||
*/
|
|
||||||
if (!tomoyo_policy_loaded)
|
|
||||||
tomoyo_load_policy(bprm->filename);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* tomoyo_bprm_check_security - Target for security_bprm_check().
|
* tomoyo_bprm_check_security - Target for security_bprm_check().
|
||||||
*
|
*
|
||||||
@ -501,10 +475,6 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
|
|||||||
return tomoyo_socket_sendmsg_permission(sock, msg, size);
|
return tomoyo_socket_sendmsg_permission(sock, msg, size);
|
||||||
}
|
}
|
||||||
|
|
||||||
struct lsm_blob_sizes tomoyo_blob_sizes __ro_after_init = {
|
|
||||||
.lbs_task = sizeof(struct tomoyo_task),
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* tomoyo_task_alloc - Target for security_task_alloc().
|
* tomoyo_task_alloc - Target for security_task_alloc().
|
||||||
*
|
*
|
||||||
@ -543,81 +513,3 @@ static void tomoyo_task_free(struct task_struct *task)
|
|||||||
s->old_domain_info = NULL;
|
s->old_domain_info = NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static const struct lsm_id tomoyo_lsmid = {
|
|
||||||
.name = "tomoyo",
|
|
||||||
.id = LSM_ID_TOMOYO,
|
|
||||||
};
|
|
||||||
|
|
||||||
/*
|
|
||||||
* tomoyo_security_ops is a "struct security_operations" which is used for
|
|
||||||
* registering TOMOYO.
|
|
||||||
*/
|
|
||||||
static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
|
|
||||||
LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare),
|
|
||||||
LSM_HOOK_INIT(bprm_committed_creds, tomoyo_bprm_committed_creds),
|
|
||||||
LSM_HOOK_INIT(task_alloc, tomoyo_task_alloc),
|
|
||||||
LSM_HOOK_INIT(task_free, tomoyo_task_free),
|
|
||||||
#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
|
|
||||||
LSM_HOOK_INIT(bprm_creds_for_exec, tomoyo_bprm_creds_for_exec),
|
|
||||||
#endif
|
|
||||||
LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security),
|
|
||||||
LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl),
|
|
||||||
LSM_HOOK_INIT(file_open, tomoyo_file_open),
|
|
||||||
LSM_HOOK_INIT(file_truncate, tomoyo_file_truncate),
|
|
||||||
LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate),
|
|
||||||
LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink),
|
|
||||||
LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir),
|
|
||||||
LSM_HOOK_INIT(path_rmdir, tomoyo_path_rmdir),
|
|
||||||
LSM_HOOK_INIT(path_symlink, tomoyo_path_symlink),
|
|
||||||
LSM_HOOK_INIT(path_mknod, tomoyo_path_mknod),
|
|
||||||
LSM_HOOK_INIT(path_link, tomoyo_path_link),
|
|
||||||
LSM_HOOK_INIT(path_rename, tomoyo_path_rename),
|
|
||||||
LSM_HOOK_INIT(inode_getattr, tomoyo_inode_getattr),
|
|
||||||
LSM_HOOK_INIT(file_ioctl, tomoyo_file_ioctl),
|
|
||||||
LSM_HOOK_INIT(file_ioctl_compat, tomoyo_file_ioctl),
|
|
||||||
LSM_HOOK_INIT(path_chmod, tomoyo_path_chmod),
|
|
||||||
LSM_HOOK_INIT(path_chown, tomoyo_path_chown),
|
|
||||||
LSM_HOOK_INIT(path_chroot, tomoyo_path_chroot),
|
|
||||||
LSM_HOOK_INIT(sb_mount, tomoyo_sb_mount),
|
|
||||||
LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount),
|
|
||||||
LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot),
|
|
||||||
LSM_HOOK_INIT(socket_bind, tomoyo_socket_bind),
|
|
||||||
LSM_HOOK_INIT(socket_connect, tomoyo_socket_connect),
|
|
||||||
LSM_HOOK_INIT(socket_listen, tomoyo_socket_listen),
|
|
||||||
LSM_HOOK_INIT(socket_sendmsg, tomoyo_socket_sendmsg),
|
|
||||||
};
|
|
||||||
|
|
||||||
/* Lock for GC. */
|
|
||||||
DEFINE_SRCU(tomoyo_ss);
|
|
||||||
|
|
||||||
int tomoyo_enabled __ro_after_init = 1;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* tomoyo_init - Register TOMOYO Linux as a LSM module.
|
|
||||||
*
|
|
||||||
* Returns 0.
|
|
||||||
*/
|
|
||||||
static int __init tomoyo_init(void)
|
|
||||||
{
|
|
||||||
struct tomoyo_task *s = tomoyo_task(current);
|
|
||||||
|
|
||||||
/* register ourselves with the security framework */
|
|
||||||
security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks),
|
|
||||||
&tomoyo_lsmid);
|
|
||||||
pr_info("TOMOYO Linux initialized\n");
|
|
||||||
s->domain_info = &tomoyo_kernel_domain;
|
|
||||||
atomic_inc(&tomoyo_kernel_domain.users);
|
|
||||||
s->old_domain_info = NULL;
|
|
||||||
tomoyo_mm_init();
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
DEFINE_LSM(tomoyo) = {
|
|
||||||
.name = "tomoyo",
|
|
||||||
.enabled = &tomoyo_enabled,
|
|
||||||
.flags = LSM_FLAG_LEGACY_MAJOR,
|
|
||||||
.blobs = &tomoyo_blob_sizes,
|
|
||||||
.init = tomoyo_init,
|
|
||||||
};
|
|
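Review bot: The hunk at `@ -18,10 +16,6 @@` removes the `if (s->old_domain_info && !current->in_execve)` release from tomoyo_domain(), which is a behaviour change unless that path had already become unreachable; the description says "No behavior changes", so the message should either explain why this release is no longer needed or the removal should go into its own commit. As far as this page shows, old_domain_info is otherwise cleared only in tomoyo_bprm_committed_creds() and tomoyo_task_free(), so it is not obvious from the hunks what now drops it when an execve() fails after the domain transition was staged. Separately, the first hunk drops `#include <linux/lsm_hooks.h>` and `#include <uapi/linux/lsm.h>` from hooks.h, so the file now relies on its single includer having pulled those in beforehand; a one-line comment after the banner, e.g. `/* Included by init.c after the LSM headers; not self-contained. */`, would make that include-order dependency explicit. The functions touched by the later hunks begin or end outside the hunks shown.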
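--- a/security/tomoyo/init.c
+++ b/security/tomoyo/init.c
@@ -0,0 +1,104 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+* security/tomoyo/init.c
+*
+* Copyright (C) 2005-2011 NTT DATA CORPORATION
+*/
+
+#include <linux/lsm_hooks.h>
+#include <uapi/linux/lsm.h>
+#include "common.h"
+
+#include "hooks.h"
+
+#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+static int tomoyo_bprm_creds_for_exec(struct linux_binprm *bprm)
+{
+/*
+* Load policy if /sbin/tomoyo-init exists and /sbin/init is requested
+* for the first time.
+*/
+if (!tomoyo_policy_loaded)
+tomoyo_load_policy(bprm->filename);
+return 0;
+}
+#endif
+
+struct lsm_blob_sizes tomoyo_blob_sizes __ro_after_init = {
+.lbs_task = sizeof(struct tomoyo_task),
+};
+
+static const struct lsm_id tomoyo_lsmid = {
+.name = "tomoyo",
+.id = LSM_ID_TOMOYO,
+};
+
+/* tomoyo_hooks is used for registering TOMOYO. */
+static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
+LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare),
+LSM_HOOK_INIT(bprm_committed_creds, tomoyo_bprm_committed_creds),
+LSM_HOOK_INIT(task_alloc, tomoyo_task_alloc),
+LSM_HOOK_INIT(task_free, tomoyo_task_free),
+#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+LSM_HOOK_INIT(bprm_creds_for_exec, tomoyo_bprm_creds_for_exec),
+#endif
+LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security),
+LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl),
+LSM_HOOK_INIT(file_open, tomoyo_file_open),
+LSM_HOOK_INIT(file_truncate, tomoyo_file_truncate),
+LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate),
+LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink),
+LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir),
+LSM_HOOK_INIT(path_rmdir, tomoyo_path_rmdir),
+LSM_HOOK_INIT(path_symlink, tomoyo_path_symlink),
+LSM_HOOK_INIT(path_mknod, tomoyo_path_mknod),
+LSM_HOOK_INIT(path_link, tomoyo_path_link),
+LSM_HOOK_INIT(path_rename, tomoyo_path_rename),
+LSM_HOOK_INIT(inode_getattr, tomoyo_inode_getattr),
+LSM_HOOK_INIT(file_ioctl, tomoyo_file_ioctl),
+LSM_HOOK_INIT(file_ioctl_compat, tomoyo_file_ioctl),
+LSM_HOOK_INIT(path_chmod, tomoyo_path_chmod),
+LSM_HOOK_INIT(path_chown, tomoyo_path_chown),
+LSM_HOOK_INIT(path_chroot, tomoyo_path_chroot),
+LSM_HOOK_INIT(sb_mount, tomoyo_sb_mount),
+LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount),
+LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot),
+LSM_HOOK_INIT(socket_bind, tomoyo_socket_bind),
+LSM_HOOK_INIT(socket_connect, tomoyo_socket_connect),
+LSM_HOOK_INIT(socket_listen, tomoyo_socket_listen),
+LSM_HOOK_INIT(socket_sendmsg, tomoyo_socket_sendmsg),
+};
+
+int tomoyo_enabled __ro_after_init = 1;
+
+/* Has /sbin/init started? */
+bool tomoyo_policy_loaded;
+
+/**
+* tomoyo_init - Register TOMOYO Linux as a LSM module.
+*
+* Returns 0.
+*/
+static int __init tomoyo_init(void)
+{
+struct tomoyo_task *s = tomoyo_task(current);
+
+/* register ourselves with the security framework */
+security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks),
+&tomoyo_lsmid);
+pr_info("TOMOYO Linux initialized\n");
+s->domain_info = &tomoyo_kernel_domain;
+atomic_inc(&tomoyo_kernel_domain.users);
+s->old_domain_info = NULL;
+tomoyo_mm_init();
+
+return 0;
+}
+
+DEFINE_LSM(tomoyo) = {
+.name = "tomoyo",
+.enabled = &tomoyo_enabled,
+.flags = LSM_FLAG_LEGACY_MAJOR,
+.blobs = &tomoyo_blob_sizes,
+.init = tomoyo_init,
+};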
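Review bot: tomoyo_bprm_creds_for_exec() lands in init.c without the kerneldoc block it carried in tomoyo.c (the `/** tomoyo_bprm_creds_for_exec - Target for security_bprm_creds_for_exec(). ... */` header with the `@bprm` and `Returns 0.` lines is removed in the hooks.h hunk and not re-added here), so the new file is less documented than the old one even though the message says comments were updated; restore that comment above the definition. It would also help to say at the `#include "hooks.h"` line that the include brings in function definitions rather than declarations, e.g. `/* hooks.h defines the hook functions (tomoyo_domain() is non-static); include it from this file only. */`, since a second translation unit including it would duplicate those symbols. Lastly, `bool tomoyo_policy_loaded` now lives in this vmlinux-built file while it is read by the hook code that is meant to become tomoyo.ko; if that is the intended split for the module, a short comment on the variable saying it must stay built-in would save the next reader the question.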
@ -229,11 +229,11 @@ static void __init tomoyo_create_entry(const char *name, const umode_t mode,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
|
* tomoyo_interface_init - Initialize /sys/kernel/security/tomoyo/ interface.
|
||||||
*
|
*
|
||||||
* Returns 0.
|
* Returns 0.
|
||||||
*/
|
*/
|
||||||
static int __init tomoyo_initerface_init(void)
|
static int __init tomoyo_interface_init(void)
|
||||||
{
|
{
|
||||||
struct tomoyo_domain_info *domain;
|
struct tomoyo_domain_info *domain;
|
||||||
struct dentry *tomoyo_dir;
|
struct dentry *tomoyo_dir;
|
||||||
@ -270,4 +270,4 @@ static int __init tomoyo_initerface_init(void)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
fs_initcall(tomoyo_initerface_init);
|
fs_initcall(tomoyo_interface_init);
|
||||||
|
@ -13,9 +13,6 @@
|
|||||||
/* Lock for protecting policy. */
|
/* Lock for protecting policy. */
|
||||||
DEFINE_MUTEX(tomoyo_policy_lock);
|
DEFINE_MUTEX(tomoyo_policy_lock);
|
||||||
|
|
||||||
/* Has /sbin/init started? */
|
|
||||||
bool tomoyo_policy_loaded;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Mapping table from "enum tomoyo_mac_index" to
|
* Mapping table from "enum tomoyo_mac_index" to
|
||||||
* "enum tomoyo_mac_category_index".
|
* "enum tomoyo_mac_category_index".
|
||||||
|