author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-06-26 23:19:28 +0900 |
committer | James Morris <jmorris@namei.org> | 2011-06-29 09:31:20 +1000 |
commit | 32997144fd9925fc4d506a16990a0c405f766526 (patch) | |
tree | 52332d25e9317250a1af1b06008d7eae18717c70 /security/tomoyo/domain.c | |
parent | eadd99cc85347b4f9eb10122ac90032eb4971b02 (diff) | |
TOMOYO: Add ACL group support.
An ACL group allows the administrator to globally grant not only the "file read"
permission but also other permissions.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/domain.c')
-rw-r--r-- | security/tomoyo/domain.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index cb5d2b05c244..af5f325e2f33 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -12,6 +12,9 @@
 /* Variables definitions.*/
+/* The global ACL referred by "use_group" keyword. */
+struct list_head tomoyo_acl_group[TOMOYO_MAX_ACL_GROUPS];
+
 /* The initial domain. */
 struct tomoyo_domain_info tomoyo_kernel_domain;
@@ -125,14 +128,27 @@ int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
 return error;
 }
+/**
+ * tomoyo_check_acl - Do permission check.
+ *
+ * @r: Pointer to "struct tomoyo_request_info".
+ * @check_entry: Callback function to check type specific parameters.
+ *
+ * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
+ */
 void tomoyo_check_acl(struct tomoyo_request_info *r,
 bool (*check_entry) (struct tomoyo_request_info *,
 const struct tomoyo_acl_info *))
 {
 const struct tomoyo_domain_info *domain = r->domain;
 struct tomoyo_acl_info *ptr;
+ bool retried = false;
+ const struct list_head *list = &domain->acl_info_list;
- list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
+retry:
+ list_for_each_entry_rcu(ptr, list, list) {
 if (ptr->is_deleted || ptr->type != r->param_type)
 continue;
 if (check_entry(r, ptr)) {
@@ -140,6 +156,11 @@ void tomoyo_check_acl(struct tomoyo_request_info *r,
 return;
 }
 }
+ if (!retried) {
+ retried = true;
+ list = &tomoyo_acl_group[domain->group];
+ goto retry;
+ }
 r->granted = false;
 }
 |
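Review bot: The kerneldoc added above tomoyo_check_acl states `Returns 0 on success, negative value otherwise.`, but the function is `void` and reports its outcome through `r->granted` (set to false at the end of the last hunk; the granting branch sits between the second and third hunks, outside this view). Replace that line with ` * Returns nothing. Sets r->granted to true when a matching entry is found, false otherwise.` and, since the fallback is the point of this change, add ` * The domain's own ACL list is consulted first, then the ACL group the domain refers to via "use_group".` so the precedence between per-domain and group entries is stated where a reader checks it. The fallback indexes `tomoyo_acl_group[domain->group]` with no bound visible in the hunk; presumably domain->group is validated against TOMOYO_MAX_ACL_GROUPS where the domain is created, and the comment on the array would be the natural place to record that invariant, e.g. `/* Indexed by tomoyo_domain_info.group, which must be < TOMOYO_MAX_ACL_GROUPS. */`. As a matter of style, the `retried`/`goto retry` pair could be a two-iteration loop over an array of the two list heads, which removes the backward goto without changing which entry wins.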