
TOMOYO: Allow controlling generation of access granted logs for per an entry basis.

Add a per-entry flag which controls generation of grant logs, because Xen and KVM
issue ioctl requests so frequently. For example,

file ioctl /dev/null 0x5401 grant_log=no

will suppress /sys/kernel/security/tomoyo/audit even if preference says
grant_log=yes .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

authored by

Tetsuo Handa and committed by
James Morris
1f067a68 059d84db

+38 -1
+6 -1
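--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -313,6 +313,7 @@
 */
 static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
 const u8 profile, const u8 index,
+const struct tomoyo_acl_info *matched_acl,
 const bool is_granted)
 {
 u8 mode;
@@ -325,6 +324,9 @@
 p = tomoyo_profile(ns, profile);
 if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG])
 return false;
+if (is_granted && matched_acl && matched_acl->cond &&
+matched_acl->cond->grant_log != TOMOYO_GRANTLOG_AUTO)
+return matched_acl->cond->grant_log == TOMOYO_GRANTLOG_YES;
 mode = p->config[index];
 if (mode == TOMOYO_CONFIG_USE_DEFAULT)
 mode = p->config[category];
@@ -354,7 +350,8 @@
 char *buf;
 struct tomoyo_log *entry;
 bool quota_exceeded = false;
-if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type, r->granted))
+if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type,
+r->matched_acl, r->granted))
 goto out;
 buf = tomoyo_init_log(r, len, fmt, args);
 if (!buf)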
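Review bot: The new per-entry override in tomoyo_get_audit() is consulted only when `is_granted` is true, so denied accesses keep following the profile's configuration, and because it is placed after the TOMOYO_PREF_MAX_AUDIT_LOG check a `grant_log=yes` entry still cannot push past the log quota; neither property is stated anywhere in the code. I would add above the new `if`: `/* A matched entry's grant_log=yes/no overrides the profile's grant-log setting for granted requests only; the MAX_AUDIT_LOG quota still applies. */`. Note the symmetric consequence that `grant_log=yes` forces a grant log even when the profile has grant logging disabled, which the commit message describes only in the `no` direction; a sentence in the message or the comment would avoid surprise for policy authors. Both tomoyo_get_audit() and the caller in the third hunk begin and end outside the hunk.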
+4
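--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -1272,6 +1272,10 @@
 head->r.cond_step++;
 /* fall through */
 case 3:
+if (cond->grant_log != TOMOYO_GRANTLOG_AUTO)
+tomoyo_io_printf(head, " grant_log=%s",
+tomoyo_yesno(cond->grant_log ==
+TOMOYO_GRANTLOG_YES));
 tomoyo_set_lf(head);
 return true;
 }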
+12
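--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -179,6 +179,16 @@
 TOMOYO_MAX_DOMAIN_INFO_FLAGS
 };
 
+/* Index numbers for audit type. */
+enum tomoyo_grant_log {
+/* Follow profile's configuration. */
+TOMOYO_GRANTLOG_AUTO,
+/* Do not generate grant log. */
+TOMOYO_GRANTLOG_NO,
+/* Generate grant_log. */
+TOMOYO_GRANTLOG_YES,
+};
+
 /* Index numbers for group entries. */
 enum tomoyo_group_id {
 TOMOYO_PATH_GROUP,
@@ -481,6 +471,7 @@
 int need_dev;
 } mount;
 } param;
+struct tomoyo_acl_info *matched_acl;
 u8 param_type;
 bool granted;
 u8 retry;
@@ -646,6 +635,7 @@
 u16 names_count; /* Number of "struct tomoyo_name_union names". */
 u16 argc; /* Number of "struct tomoyo_argv". */
 u16 envc; /* Number of "struct tomoyo_envp". */
+u8 grant_log; /* One of values in "enum tomoyo_grant_log". */
 /*
 * struct tomoyo_condition_element condition[condc];
 * struct tomoyo_number_union values[numbers_count];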
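Review bot: The comment on the new enum, `/* Index numbers for audit type. */`, is misleading: the values are not indices into anything but a tri-state override for grant-log generation. I would write `/* Per-entry override of grant-log generation; AUTO defers to the profile's configuration. */`. Also, `grant_log` is added to the fixed part of `struct tomoyo_condition` ahead of the trailing variable-length arrays, so the `memcmp(a + 1, ...)` tail comparison in tomoyo_same_condition() does not cover it and the explicit `a->grant_log == b->grant_log` check in condition.c is what keeps condition deduplication correct; a one-line comment on the field, `/* Not covered by the tail memcmp in tomoyo_same_condition(); compared explicitly there. */`, would stop a future field addition from silently breaking that. The `matched_acl` member added to the request struct has no comment at all; `/* Entry that granted the request, or NULL; consulted by tomoyo_get_audit(). */` would document the coupling with audit.c.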
+15
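--- a/security/tomoyo/condition.c
+++ b/security/tomoyo/condition.c
@@ -348,6 +348,7 @@
 a->numbers_count == b->numbers_count &&
 a->names_count == b->names_count &&
 a->argc == b->argc && a->envc == b->envc &&
+a->grant_log == b->grant_log &&
 !memcmp(a + 1, b + 1, a->size - sizeof(*a));
 }
 
@@ -487,6 +486,20 @@
 goto out;
 dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word,
 is_not ? "!" : "", right_word);
+if (!strcmp(left_word, "grant_log")) {
+if (entry) {
+if (is_not ||
+entry->grant_log != TOMOYO_GRANTLOG_AUTO)
+goto out;
+else if (!strcmp(right_word, "yes"))
+entry->grant_log = TOMOYO_GRANTLOG_YES;
+else if (!strcmp(right_word, "no"))
+entry->grant_log = TOMOYO_GRANTLOG_NO;
+else
+goto out;
+}
+continue;
+}
 if (!strncmp(left_word, "exec.argv[", 10)) {
 if (!argv) {
 e.argc++;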
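Review bot: In the new `grant_log` branch of the condition parser, the pass where `entry` is NULL accepts any right-hand value and the `!=` form unconditionally and just `continue`s; the `yes`/`no`/`is_not`/duplicate checks only run when `entry` is set. That is sound if, as the surrounding `e.argc++` counting suggests, the same string is walked twice and the second walk always reaches this keyword, but the hunk does not show the two-pass structure, so a comment would help: `/* Validated only on the second (entry != NULL) pass; the counting pass skips it. */`. The rejection of `grant_log!=...` and of a repeated `grant_log=` keyword is silent apart from the generic `goto out`; since a `dprintk` is already emitted just above for every keyword, a similar one on the failure path would let a policy author see why the line was refused. The enclosing function starts and ends outside the hunk.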
+1
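--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -157,6 +157,7 @@
 continue;
 if (!tomoyo_condition(r, ptr->cond))
 continue;
+r->matched_acl = ptr;
 r->granted = true;
 return;
 }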
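Review bot: `r->matched_acl` is assigned only on the granted path here, so tomoyo_get_audit() relies on the pointer being NULL, or at least not stale, whenever `r->granted` is true without a match on this call, and on the request being freshly initialised before each check; the hunk does not show where `r` is set up. Please confirm that the request initialisation (presumably tomoyo_init_request_info()) clears `matched_acl`, and that the retry loop implied by the `r->retry` field does not carry a previous iteration's pointer into a later grant. A one-line comment here, `/* Remember the matching entry so audit.c can honour its per-entry grant_log setting. */`, would document the coupling. The enclosing function starts and ends outside the hunk.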