From 063821c8160568b3390044390c8328e36c5696ad Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Thu, 24 Jun 2010 12:00:25 +0900 Subject: [PATCH] TOMOYO: Allow reading only execute permission. Policy editor needs to know allow_execute entries in order to build domain transition tree. Reading all entries is slow. Thus, allow reading only allow_execute entries. Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/common.c | 8 ++++++++ security/tomoyo/common.h | 2 ++ 2 files changed, 10 insertions(+) diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 2a5330ec06c9..6c68981c0f5f 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -594,6 +594,10 @@ static bool tomoyo_select_one(struct tomoyo_io_buffer *head, const char *data) struct tomoyo_domain_info *domain = NULL; bool global_pid = false; + if (!strcmp(data, "allow_execute")) { + head->print_execute_only = true; + return true; + } if (sscanf(data, "pid=%u", &pid) == 1 || (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { struct task_struct *p; @@ -759,6 +763,8 @@ static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head, for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { if (!(perm & (1 << bit))) continue; + if (head->print_execute_only && bit != TOMOYO_TYPE_EXECUTE) + continue; /* Print "read/write" instead of "read" and "write". */ if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE) && (perm & (1 << TOMOYO_TYPE_READ_WRITE))) @@ -926,6 +932,8 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, = container_of(ptr, struct tomoyo_path_acl, head); return tomoyo_print_path_acl(head, acl); } + if (head->print_execute_only) + return true; if (acl_type == TOMOYO_TYPE_PATH2_ACL) { struct tomoyo_path2_acl *acl = container_of(ptr, struct tomoyo_path2_acl, head); diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index cdc9ef56fd86..67b9aeae80a7 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -571,6 +571,8 @@ struct tomoyo_io_buffer { bool read_single_domain; /* Extra variable for reading. */ u8 read_bit; + /* Read only TOMOYO_TYPE_EXECUTE */ + bool print_execute_only; /* Bytes available for reading. */ int read_avail; /* Size of read buffer. */ -- 2.20.1