author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2019-01-24 12:37:36 +0300 |
---|---|---|
committer | James Morris <james.morris@microsoft.com> | 2019-01-25 01:50:27 +0300 |
commit | 4b42564181d683d767b495d7041b1f229468042f (patch) | |
tree | 8f100d312c522aa2a0d3cfbb118293919826702d /security/tomoyo/domain.c | |
parent | cdcf6723add57a0ffb37cfde1ca54a00f5715b71 (diff) | |
tomoyo: Allow multiple use_group lines.
Being able to specify multiple "use_group" lines makes it
easier to write whitelisted policies.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.morris@microsoft.com>
Diffstat (limited to 'security/tomoyo/domain.c')
-rw-r--r-- | security/tomoyo/domain.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index bf832b301412..8526a0a74023 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -162,8 +162,8 @@ void tomoyo_check_acl(struct tomoyo_request_info *r,
 {
 const struct tomoyo_domain_info *domain = r->domain;
 struct tomoyo_acl_info *ptr;
- bool retried = false;
 const struct list_head *list = &domain->acl_info_list;
+ u16 i = 0;
 retry:
 list_for_each_entry_rcu(ptr, list, list) {
@@ -177,9 +177,10 @@ retry:
 r->granted = true;
 return;
 }
- if (!retried) {
- retried = true;
- list = &domain->ns->acl_group[domain->group];
+ for (; i < TOMOYO_MAX_ACL_GROUPS; i++) {
+ if (!test_bit(i, domain->group))
+ continue;
+ list = &domain->ns->acl_group[i++];
 goto retry;
 }
 r->granted = false;
@@ -561,7 +562,7 @@ struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
 const struct tomoyo_domain_info *domain = tomoyo_domain();
 e.profile = domain->profile;
- e.group = domain->group;
+ memcpy(e.group, domain->group, sizeof(e.group));
 }
 e.domainname = tomoyo_get_name(domainname);
 if (!e.domainname)
@@ -583,13 +584,17 @@ out:
 if (entry && transit) {
 if (created) {
 struct tomoyo_request_info r;
+ int i;
 tomoyo_init_request_info(&r, entry, TOMOYO_MAC_FILE_EXECUTE);
 r.granted = false;
 tomoyo_write_log(&r, "use_profile %u\n", entry->profile);
- tomoyo_write_log(&r, "use_group %u\n", entry->group);
+ for (i = 0; i < TOMOYO_MAX_ACL_GROUPS; i++)
+ if (test_bit(i, entry->group))
+ tomoyo_write_log(&r, "use_group %u\n",
+ i);
 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES);
 }
 } |
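Review bot: In the new `for` loop of tomoyo_check_acl(), the post-increment in `acl_group[i++]` is load-bearing and easy to lose in a later cleanup. `goto retry` leaves the loop before its own `i++` runs, so without the increment in the subscript the same group list would be rescanned indefinitely. A one-line comment above that assignment would make this explicit, e.g. `/* goto skips the loop increment; advance i here so the next pass starts at the following group */`. The function comment could also state that a request is granted when the domain's own list or any group set in `domain->group` matches, since that union is the access decision a policy author has to reason about. The function starts and ends outside this hunk, and `i` is declared in the previous hunk.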
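Review bot: The `memcpy(e.group, domain->group, sizeof(e.group))` copy in tomoyo_assign_domain() is sized from the destination alone, which is right only while `e.group` is an array (not a pointer) of the same size as `domain->group`; neither declaration is visible in this diff. Since the other hunks treat the field as a bitmap bounded by TOMOYO_MAX_ACL_GROUPS, `bitmap_copy(e.group, domain->group, TOMOYO_MAX_ACL_GROUPS);` would tie the copy to the same bound that the `test_bit()` loops use. The function begins and ends outside the hunk.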
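Review bot: The added `for`/`if` nest around the `use_group` log call is written without braces although the loop body spans several lines, and `i` is a signed `int` passed to a `%u` conversion. Kernel coding style asks for braces once a loop holds more than a single simple statement, and the signedness mismatch is harmless here but trips format-signedness warnings. Declaring `unsigned int i;` and writing the loop as `for_each_set_bit(i, entry->group, TOMOYO_MAX_ACL_GROUPS)` with the body `tomoyo_write_log(&r, "use_group %u\n", i);` covers both points and reads as one statement. The enclosing function starts outside the hunk.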