TOMOYO: Allow controlling generation of access granted logs for per an entry basis.
Tetsuo Handa [Sat, 10 Sep 2011 06:24:56 +0000 (15:24 +0900)]
Add per-entry flag which controls generation of grant logs because Xen and KVM
issues ioctl requests so frequently. For example,

  file ioctl /dev/null 0x5401 grant_log=no

will suppress /sys/kernel/security/tomoyo/audit even if preference says
grant_log=yes .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

security/tomoyo/audit.c
security/tomoyo/common.c
security/tomoyo/common.h
security/tomoyo/condition.c
security/tomoyo/domain.c

index 5dbb1f7..075c3a6 100644 (file)
@@ -313,6 +313,7 @@ static unsigned int tomoyo_log_count;
  */
 static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
                             const u8 profile, const u8 index,
+                            const struct tomoyo_acl_info *matched_acl,
                             const bool is_granted)
 {
        u8 mode;
@@ -324,6 +325,9 @@ static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
        p = tomoyo_profile(ns, profile);
        if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG])
                return false;
+       if (is_granted && matched_acl && matched_acl->cond &&
+           matched_acl->cond->grant_log != TOMOYO_GRANTLOG_AUTO)
+               return matched_acl->cond->grant_log == TOMOYO_GRANTLOG_YES;
        mode = p->config[index];
        if (mode == TOMOYO_CONFIG_USE_DEFAULT)
                mode = p->config[category];
@@ -350,7 +354,8 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
        char *buf;
        struct tomoyo_log *entry;
        bool quota_exceeded = false;
-       if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type, r->granted))
+       if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type,
+                             r->matched_acl, r->granted))
                goto out;
        buf = tomoyo_init_log(r, len, fmt, args);
        if (!buf)
index 85d9155..2704c38 100644 (file)
@@ -1272,6 +1272,10 @@ static bool tomoyo_print_condition(struct tomoyo_io_buffer *head,
                head->r.cond_step++;
                /* fall through */
        case 3:
+               if (cond->grant_log != TOMOYO_GRANTLOG_AUTO)
+                       tomoyo_io_printf(head, " grant_log=%s",
+                                        tomoyo_yesno(cond->grant_log ==
+                                                     TOMOYO_GRANTLOG_YES));
                tomoyo_set_lf(head);
                return true;
        }
index d1c758e..435b3d8 100644 (file)
@@ -179,6 +179,16 @@ enum tomoyo_domain_info_flags_index {
        TOMOYO_MAX_DOMAIN_INFO_FLAGS
 };
 
+/* Index numbers for audit type. */
+enum tomoyo_grant_log {
+       /* Follow profile's configuration. */
+       TOMOYO_GRANTLOG_AUTO,
+       /* Do not generate grant log. */
+       TOMOYO_GRANTLOG_NO,
+       /* Generate grant_log. */
+       TOMOYO_GRANTLOG_YES,
+};
+
 /* Index numbers for group entries. */
 enum tomoyo_group_id {
        TOMOYO_PATH_GROUP,
@@ -471,6 +481,7 @@ struct tomoyo_request_info {
                        int need_dev;
                } mount;
        } param;
+       struct tomoyo_acl_info *matched_acl;
        u8 param_type;
        bool granted;
        u8 retry;
@@ -635,6 +646,7 @@ struct tomoyo_condition {
        u16 names_count; /* Number of "struct tomoyo_name_union names". */
        u16 argc; /* Number of "struct tomoyo_argv". */
        u16 envc; /* Number of "struct tomoyo_envp". */
+       u8 grant_log; /* One of values in "enum tomoyo_grant_log". */
        /*
         * struct tomoyo_condition_element condition[condc];
         * struct tomoyo_number_union values[numbers_count];
index 8a05f71..3a05eb3 100644 (file)
@@ -348,6 +348,7 @@ static inline bool tomoyo_same_condition(const struct tomoyo_condition *a,
                a->numbers_count == b->numbers_count &&
                a->names_count == b->names_count &&
                a->argc == b->argc && a->envc == b->envc &&
+               a->grant_log == b->grant_log &&
                !memcmp(a + 1, b + 1, a->size - sizeof(*a));
 }
 
@@ -486,6 +487,20 @@ rerun:
                        goto out;
                dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word,
                        is_not ? "!" : "", right_word);
+               if (!strcmp(left_word, "grant_log")) {
+                       if (entry) {
+                               if (is_not ||
+                                   entry->grant_log != TOMOYO_GRANTLOG_AUTO)
+                                       goto out;
+                               else if (!strcmp(right_word, "yes"))
+                                       entry->grant_log = TOMOYO_GRANTLOG_YES;
+                               else if (!strcmp(right_word, "no"))
+                                       entry->grant_log = TOMOYO_GRANTLOG_NO;
+                               else
+                                       goto out;
+                       }
+                       continue;
+               }
                if (!strncmp(left_word, "exec.argv[", 10)) {
                        if (!argv) {
                                e.argc++;
index 5931fb1..498fea7 100644 (file)
@@ -157,6 +157,7 @@ retry:
                        continue;
                if (!tomoyo_condition(r, ptr->cond))
                        continue;
+               r->matched_acl = ptr;
                r->granted = true;
                return;
        }