TOMOYO: Simplify policy reader.
[linux-3.10.git] / security / tomoyo / common.c
index 8bedfb1..6d25612 100644 (file)
@@ -5,7 +5,7 @@
  *
  * Copyright (C) 2005-2009  NTT DATA CORPORATION
  *
- * Version: 2.2.0-pre   2009/02/01
+ * Version: 2.2.0   2009/04/01
  *
  */
 
@@ -866,7 +866,6 @@ static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
 
        if (profile >= TOMOYO_MAX_PROFILES)
                return NULL;
-       /***** EXCLUSIVE SECTION START *****/
        mutex_lock(&lock);
        ptr = tomoyo_profile_ptr[profile];
        if (ptr)
@@ -880,7 +879,6 @@ static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
        tomoyo_profile_ptr[profile] = ptr;
  ok:
        mutex_unlock(&lock);
-       /***** EXCLUSIVE SECTION END *****/
        return ptr;
 }
 
@@ -1050,7 +1048,6 @@ static int tomoyo_update_manager_entry(const char *manager,
        saved_manager = tomoyo_save_name(manager);
        if (!saved_manager)
                return -ENOMEM;
-       /***** EXCLUSIVE SECTION START *****/
        down_write(&tomoyo_policy_manager_list_lock);
        list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) {
                if (ptr->manager != saved_manager)
@@ -1072,7 +1069,6 @@ static int tomoyo_update_manager_entry(const char *manager,
        error = 0;
  out:
        up_write(&tomoyo_policy_manager_list_lock);
-       /***** EXCLUSIVE SECTION END *****/
        return error;
 }
 
@@ -1117,10 +1113,9 @@ static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
                                 list);
                if (ptr->is_deleted)
                        continue;
-               if (!tomoyo_io_printf(head, "%s\n", ptr->manager->name)) {
-                       done = false;
+               done = tomoyo_io_printf(head, "%s\n", ptr->manager->name);
+               if (!done)
                        break;
-               }
        }
        up_read(&tomoyo_policy_manager_list_lock);
        head->read_eof = done;
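Review bot: `done` is now overwritten by every `tomoyo_io_printf()` call in the loop, so the value stored in `head->read_eof` comes from its initialiser only when the list is empty or every entry is skipped by `continue`. That initialiser is outside this hunk and should be confirmed to be `true`. A short comment at the assignment would make the contract explicit, e.g. `/* false: the line was not written to the read buffer; stop here */` (the exact meaning of a false return is presumed, since tomoyo_io_printf() is not shown). The same pattern appears in the tomoyo_read_domain_policy and tomoyo_read_domain_profile hunks, where it also relies on tomoyo_print_entry() returning a value that converts cleanly to the type of `done`.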
@@ -1197,13 +1192,11 @@ static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
 
        if (sscanf(data, "pid=%u", &pid) == 1) {
                struct task_struct *p;
-               /***** CRITICAL SECTION START *****/
                read_lock(&tasklist_lock);
                p = find_task_by_vpid(pid);
                if (p)
                        domain = tomoyo_real_domain(p);
                read_unlock(&tasklist_lock);
-               /***** CRITICAL SECTION END *****/
        } else if (!strncmp(data, "domain=", 7)) {
                if (tomoyo_is_domain_def(data + 7)) {
                        down_read(&tomoyo_domain_list_lock);
@@ -1252,15 +1245,12 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
        struct tomoyo_domain_info *domain = head->write_var1;
        bool is_delete = false;
        bool is_select = false;
-       bool is_undelete = false;
        unsigned int profile;
 
        if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE))
                is_delete = true;
        else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT))
                is_select = true;
-       else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_UNDELETE))
-               is_undelete = true;
        if (is_select && tomoyo_is_select_one(head, data))
                return 0;
        /* Don't allow updating policies by non manager programs. */
@@ -1274,9 +1264,7 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
                        down_read(&tomoyo_domain_list_lock);
                        domain = tomoyo_find_domain(data);
                        up_read(&tomoyo_domain_list_lock);
-               } else if (is_undelete)
-                       domain = tomoyo_undelete_domain(data);
-               else
+               } else
                        domain = tomoyo_find_or_assign_new_domain(data, 0);
                head->write_var1 = domain;
                return 0;
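Review bot: The rewritten `} else` leaves the final branch unbraced while the branch closed by `}` on the same line is braced; kernel coding style asks for braces on every branch once one of them needs them. I would write `} else {`, keep the `tomoyo_find_or_assign_new_domain(data, 0)` assignment, and close with `}`. Separately, the visible lines store `domain` in `head->write_var1` and return 0 without checking it, so if either lookup can return NULL the policy writer is told the line succeeded. Whether later code rejects a NULL domain is outside the hunk.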
@@ -1452,15 +1440,14 @@ static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
                    TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ)
                        ignore_global_allow_read
                                = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
-               if (!tomoyo_io_printf(head,
-                                     "%s\n" TOMOYO_KEYWORD_USE_PROFILE "%u\n"
-                                     "%s%s%s\n", domain->domainname->name,
-                                     domain->profile, quota_exceeded,
-                                     transition_failed,
-                                     ignore_global_allow_read)) {
-                       done = false;
+               done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
+                                       "%u\n%s%s%s\n",
+                                       domain->domainname->name,
+                                       domain->profile, quota_exceeded,
+                                       transition_failed,
+                                       ignore_global_allow_read);
+               if (!done)
                        break;
-               }
                head->read_step = 2;
 acl_loop:
                if (head->read_step == 3)
@@ -1468,24 +1455,22 @@ acl_loop:
                /* Print ACL entries in the domain. */
                down_read(&tomoyo_domain_acl_info_list_lock);
                list_for_each_cookie(apos, head->read_var2,
-                                     &domain->acl_info_list) {
+                                    &domain->acl_info_list) {
                        struct tomoyo_acl_info *ptr
                                = list_entry(apos, struct tomoyo_acl_info,
-                                             list);
-                       if (!tomoyo_print_entry(head, ptr)) {
-                               done = false;
+                                            list);
+                       done = tomoyo_print_entry(head, ptr);
+                       if (!done)
                                break;
-                       }
                }
                up_read(&tomoyo_domain_acl_info_list_lock);
                if (!done)
                        break;
                head->read_step = 3;
 tail_mark:
-               if (!tomoyo_io_printf(head, "\n")) {
-                       done = false;
+               done = tomoyo_io_printf(head, "\n");
+               if (!done)
                        break;
-               }
                head->read_step = 1;
                if (head->read_single_domain)
                        break;
@@ -1555,11 +1540,10 @@ static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
                domain = list_entry(pos, struct tomoyo_domain_info, list);
                if (domain->is_deleted)
                        continue;
-               if (!tomoyo_io_printf(head, "%u %s\n", domain->profile,
-                                     domain->domainname->name)) {
-                       done = false;
+               done = tomoyo_io_printf(head, "%u %s\n", domain->profile,
+                                       domain->domainname->name);
+               if (!done)
                        break;
-               }
        }
        up_read(&tomoyo_domain_list_lock);
        head->read_eof = done;
@@ -1599,13 +1583,11 @@ static int tomoyo_read_pid(struct tomoyo_io_buffer *head)
                const int pid = head->read_step;
                struct task_struct *p;
                struct tomoyo_domain_info *domain = NULL;
-               /***** CRITICAL SECTION START *****/
                read_lock(&tasklist_lock);
                p = find_task_by_vpid(pid);
                if (p)
                        domain = tomoyo_real_domain(p);
                read_unlock(&tasklist_lock);
-               /***** CRITICAL SECTION END *****/
                if (domain)
                        tomoyo_io_printf(head, "%d %u %s", pid, domain->profile,
                                         domain->domainname->name);
@@ -1725,14 +1707,14 @@ static bool tomoyo_policy_loader_exists(void)
         * policies are not loaded yet.
         * Thus, let do_execve() call this function everytime.
         */
-       struct nameidata nd;
+       struct path path;
 
-       if (path_lookup(tomoyo_loader, LOOKUP_FOLLOW, &nd)) {
+       if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
                printk(KERN_INFO "Not activating Mandatory Access Control now "
                       "since %s doesn't exist.\n", tomoyo_loader);
                return false;
        }
-       path_put(&nd.path);
+       path_put(&path);
        return true;
 }
 
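Review bot: Every non-zero return from `kern_path()` is logged as "doesn't exist" and leaves mandatory access control inactive, so a lookup that fails for some other reason is indistinguishable in the log from a missing loader. Keeping the result, `const int error = kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path);`, and printing it with `%d` in the existing `printk` would let an operator tell the cases apart when auditing why enforcement did not start. The function's opening lines are outside this hunk.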
@@ -1778,7 +1760,7 @@ void tomoyo_load_policy(const char *filename)
        envp[2] = NULL;
        call_usermodehelper(argv[0], argv, envp, 1);
 
-       printk(KERN_INFO "TOMOYO: 2.2.0-pre   2009/02/01\n");
+       printk(KERN_INFO "TOMOYO: 2.2.0   2009/04/01\n");
        printk(KERN_INFO "Mandatory Access Control activated.\n");
        tomoyo_policy_loaded = true;
        { /* Check all profiles currently assigned to domains are defined. */
@@ -1805,7 +1787,7 @@ void tomoyo_load_policy(const char *filename)
 static int tomoyo_read_version(struct tomoyo_io_buffer *head)
 {
        if (!head->read_eof) {
-               tomoyo_io_printf(head, "2.2.0-pre");
+               tomoyo_io_printf(head, "2.2.0");
                head->read_eof = true;
        }
        return 0;
@@ -2177,6 +2159,10 @@ static int __init tomoyo_initerface_init(void)
 {
        struct dentry *tomoyo_dir;
 
+       /* Don't create securityfs entries unless registered. */
+       if (current_cred()->security != &tomoyo_kernel_domain)
+               return 0;
+
        tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
        tomoyo_create_entry("domain_policy",    0600, tomoyo_dir,
                            TOMOYO_DOMAINPOLICY);
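Review bot: The added guard compares `current_cred()->security` with `&tomoyo_kernel_domain`, but its comment only says "unless registered" and does not explain why that pointer comparison indicates registration. I would expand it along the lines of `/* Registration points the initial credentials at tomoyo_kernel_domain; otherwise TOMOYO is not the active LSM and must not expose a policy interface. */`, with the wording confirmed against the registration code, which is not in this hunk. Below the guard, the visible lines pass `tomoyo_dir` straight to `tomoyo_create_entry()` without checking what `securityfs_create_dir()` returned.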