return error;
}
-/**
- * tomoyo_file_perm - Check permission for opening files.
- *
- * @r: Pointer to "struct tomoyo_request_info".
- * @filename: Filename to check.
- * @mode: Mode ("read" or "write" or "read/write" or "execute").
- *
- * Returns 0 on success, negative value otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-static int tomoyo_file_perm(struct tomoyo_request_info *r,
- const struct tomoyo_path_info *filename,
- const u8 mode)
-{
- const char *msg = "<unknown>";
- int error = 0;
- u32 perm = 0;
-
- if (!filename)
- return 0;
-
- if (mode == 6) {
- msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
- perm = 1 << TOMOYO_TYPE_READ_WRITE;
- } else if (mode == 4) {
- msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
- perm = 1 << TOMOYO_TYPE_READ;
- } else if (mode == 2) {
- msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
- perm = 1 << TOMOYO_TYPE_WRITE;
- } else if (mode == 1) {
- msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
- perm = 1 << TOMOYO_TYPE_EXECUTE;
- } else
- BUG();
- do {
- error = tomoyo_path_acl(r, filename, perm);
- if (error && mode == 4 && !r->domain->ignore_global_allow_read
- && tomoyo_is_globally_readable_file(filename))
- error = 0;
- if (!error)
- break;
- tomoyo_warn_log(r, "%s %s", msg, filename->name);
- error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
- tomoyo_file_pattern(filename));
- /*
- * Do not retry for execute request, for alias may have
- * changed.
- */
- } while (error == TOMOYO_RETRY_REQUEST && mode != 1);
- if (r->mode != TOMOYO_CONFIG_ENFORCING)
- error = 0;
- return error;
-}
-
static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a,
const struct tomoyo_acl_info *b)
{
*
* Caller holds tomoyo_read_lock().
*/
-static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
- const struct tomoyo_path_info *filename)
+int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
+ const struct tomoyo_path_info *filename)
{
const char *msg;
int error;
return 0;
do {
error = tomoyo_path_acl(r, filename, 1 << operation);
+ if (error && operation == TOMOYO_TYPE_READ &&
+ !r->domain->ignore_global_allow_read &&
+ tomoyo_is_globally_readable_file(filename))
+ error = 0;
if (!error)
break;
msg = tomoyo_path2keyword(operation);
tomoyo_warn_log(r, "%s %s", msg, filename->name);
error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
tomoyo_file_pattern(filename));
- } while (error == TOMOYO_RETRY_REQUEST);
- if (r->mode != TOMOYO_CONFIG_ENFORCING)
- error = 0;
+ /*
+ * Do not retry for execute request, for alias may have
+ * changed.
+ */
+ } while (error == TOMOYO_RETRY_REQUEST &&
+ operation != TOMOYO_TYPE_EXECUTE);
/*
* Since "allow_truncate" doesn't imply "allow_rewrite" permission,
* we need to check "allow_rewrite" permission if the filename is
tomoyo_file_pattern(filename),
buffer);
} while (error == TOMOYO_RETRY_REQUEST);
- if (r->mode != TOMOYO_CONFIG_ENFORCING)
- error = 0;
return error;
}
return error;
}
-/**
- * tomoyo_check_exec_perm - Check permission for "execute".
- *
- * @r: Pointer to "struct tomoyo_request_info".
- * @filename: Check permission for "execute".
- *
- * Returns 0 on success, negativevalue otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-int tomoyo_check_exec_perm(struct tomoyo_request_info *r,
- const struct tomoyo_path_info *filename)
-{
- if (r->mode == TOMOYO_CONFIG_DISABLED)
- return 0;
- return tomoyo_file_perm(r, filename, 1);
-}
-
/**
* tomoyo_check_open_permission - Check permission for "read" and "write".
*
if (!error && acc_mode &&
tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN)
!= TOMOYO_CONFIG_DISABLED) {
+ u8 operation;
if (!buf.name && !tomoyo_get_realpath(&buf, path)) {
error = -ENOMEM;
goto out;
}
- error = tomoyo_file_perm(&r, &buf, acc_mode);
+ if (acc_mode == (MAY_READ | MAY_WRITE))
+ operation = TOMOYO_TYPE_READ_WRITE;
+ else if (acc_mode == MAY_READ)
+ operation = TOMOYO_TYPE_READ;
+ else
+ operation = TOMOYO_TYPE_WRITE;
+ error = tomoyo_path_permission(&r, operation, &buf);
}
out:
kfree(buf.name);