iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

userns: Convert tomoyo to use kuid and kgid where appropriate

Browse Source 
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
Eric W. Biederman 2012-02-07 16:34:10 -08:00
parent 2db8145293
commit 609fcd1b3a
5 changed files with 31 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
init/Kconfig
View File

@ -962,9 +962,6 @@ config UIDGID_CONVERTED
# The rare drivers that won't build # The rare drivers that won't build
depends on ANDROID_BINDER_IPC = n depends on ANDROID_BINDER_IPC = n
# Security modules
depends on SECURITY_TOMOYO = n
config UIDGID_STRICT_TYPE_CHECKS config UIDGID_STRICT_TYPE_CHECKS
bool "Require conversions between uid/gids and their internal representation" bool "Require conversions between uid/gids and their internal representation"
depends on UIDGID_CONVERTED depends on UIDGID_CONVERTED

23
security/tomoyo/audit.c
View File

@ -168,9 +168,14 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
stamp.day, stamp.hour, stamp.min, stamp.sec, r->profile, stamp.day, stamp.hour, stamp.min, stamp.sec, r->profile,
tomoyo_mode[r->mode], tomoyo_yesno(r->granted), gpid, tomoyo_mode[r->mode], tomoyo_yesno(r->granted), gpid,
tomoyo_sys_getpid(), tomoyo_sys_getppid(), tomoyo_sys_getpid(), tomoyo_sys_getppid(),
current_uid(), current_gid(), current_euid(), from_kuid(&init_user_ns, current_uid()),
current_egid(), current_suid(), current_sgid(), from_kgid(&init_user_ns, current_gid()),
current_fsuid(), current_fsgid()); from_kuid(&init_user_ns, current_euid()),
from_kgid(&init_user_ns, current_egid()),
from_kuid(&init_user_ns, current_suid()),
from_kgid(&init_user_ns, current_sgid()),
from_kuid(&init_user_ns, current_fsuid()),
from_kgid(&init_user_ns, current_fsgid()));
if (!obj) if (!obj)
goto no_obj_info; goto no_obj_info;
if (!obj->validate_done) { if (!obj->validate_done) {
@ -191,15 +196,19 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
tomoyo_buffer_len - 1 - pos, tomoyo_buffer_len - 1 - pos,
" path%u.parent={ uid=%u gid=%u " " path%u.parent={ uid=%u gid=%u "
"ino=%lu perm=0%o }", (i >> 1) + 1, "ino=%lu perm=0%o }", (i >> 1) + 1,
stat->uid, stat->gid, (unsigned long) from_kuid(&init_user_ns, stat->uid),
stat->ino, stat->mode & S_IALLUGO); from_kgid(&init_user_ns, stat->gid),
(unsigned long)stat->ino,
stat->mode & S_IALLUGO);
continue; continue;
} }
pos += snprintf(buffer + pos, tomoyo_buffer_len - 1 - pos, pos += snprintf(buffer + pos, tomoyo_buffer_len - 1 - pos,
" path%u={ uid=%u gid=%u ino=%lu major=%u" " path%u={ uid=%u gid=%u ino=%lu major=%u"
" minor=%u perm=0%o type=%s", (i >> 1) + 1, " minor=%u perm=0%o type=%s", (i >> 1) + 1,
stat->uid, stat->gid, (unsigned long) from_kuid(&init_user_ns, stat->uid),
stat->ino, MAJOR(dev), MINOR(dev), from_kgid(&init_user_ns, stat->gid),
(unsigned long)stat->ino,
MAJOR(dev), MINOR(dev),
mode & S_IALLUGO, tomoyo_filetype(mode)); mode & S_IALLUGO, tomoyo_filetype(mode));
if (S_ISCHR(mode) || S_ISBLK(mode)) { if (S_ISCHR(mode) || S_ISBLK(mode)) {
dev = stat->rdev; dev = stat->rdev;

4
security/tomoyo/common.c
View File

@ -925,7 +925,9 @@ static bool tomoyo_manager(void)
if (!tomoyo_policy_loaded) if (!tomoyo_policy_loaded)
return true; return true;
if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) if (!tomoyo_manage_by_non_root &&
(!uid_eq(task->cred->uid, GLOBAL_ROOT_UID) ||
!uid_eq(task->cred->euid, GLOBAL_ROOT_UID)))
return false; return false;
exe = tomoyo_get_exe(); exe = tomoyo_get_exe();
if (!exe) if (!exe)

4
security/tomoyo/common.h
View File

@ -561,8 +561,8 @@ struct tomoyo_address_group {
/* Subset of "struct stat". Used by conditional ACL and audit logs. */ /* Subset of "struct stat". Used by conditional ACL and audit logs. */
struct tomoyo_mini_stat { struct tomoyo_mini_stat {
uid_t uid; kuid_t uid;
gid_t gid; kgid_t gid;
ino_t ino; ino_t ino;
umode_t mode; umode_t mode;
dev_t dev; dev_t dev;

20
security/tomoyo/condition.c
View File

@ -813,28 +813,28 @@ bool tomoyo_condition(struct tomoyo_request_info *r,
unsigned long value = 0; unsigned long value = 0;
switch (index) { switch (index) {
case TOMOYO_TASK_UID: case TOMOYO_TASK_UID:
value = current_uid(); value = from_kuid(&init_user_ns, current_uid());
break; break;
case TOMOYO_TASK_EUID: case TOMOYO_TASK_EUID:
value = current_euid(); value = from_kuid(&init_user_ns, current_euid());
break; break;
case TOMOYO_TASK_SUID: case TOMOYO_TASK_SUID:
value = current_suid(); value = from_kuid(&init_user_ns, current_suid());
break; break;
case TOMOYO_TASK_FSUID: case TOMOYO_TASK_FSUID:
value = current_fsuid(); value = from_kuid(&init_user_ns, current_fsuid());
break; break;
case TOMOYO_TASK_GID: case TOMOYO_TASK_GID:
value = current_gid(); value = from_kgid(&init_user_ns, current_gid());
break; break;
case TOMOYO_TASK_EGID: case TOMOYO_TASK_EGID:
value = current_egid(); value = from_kgid(&init_user_ns, current_egid());
break; break;
case TOMOYO_TASK_SGID: case TOMOYO_TASK_SGID:
value = current_sgid(); value = from_kgid(&init_user_ns, current_sgid());
break; break;
case TOMOYO_TASK_FSGID: case TOMOYO_TASK_FSGID:
value = current_fsgid(); value = from_kgid(&init_user_ns, current_fsgid());
break; break;
case TOMOYO_TASK_PID: case TOMOYO_TASK_PID:
value = tomoyo_sys_getpid(); value = tomoyo_sys_getpid();
@ -970,13 +970,13 @@ bool tomoyo_condition(struct tomoyo_request_info *r,
case TOMOYO_PATH2_UID: case TOMOYO_PATH2_UID:
case TOMOYO_PATH1_PARENT_UID: case TOMOYO_PATH1_PARENT_UID:
case TOMOYO_PATH2_PARENT_UID: case TOMOYO_PATH2_PARENT_UID:
value = stat->uid; value = from_kuid(&init_user_ns, stat->uid);
break; break;
case TOMOYO_PATH1_GID: case TOMOYO_PATH1_GID:
case TOMOYO_PATH2_GID: case TOMOYO_PATH2_GID:
case TOMOYO_PATH1_PARENT_GID: case TOMOYO_PATH1_PARENT_GID:
case TOMOYO_PATH2_PARENT_GID: case TOMOYO_PATH2_PARENT_GID:
value = stat->gid; value = from_kgid(&init_user_ns, stat->gid);
break; break;
case TOMOYO_PATH1_INO: case TOMOYO_PATH1_INO:
case TOMOYO_PATH2_INO: case TOMOYO_PATH2_INO: