diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 57ddfc5d9c52..98e3639db990 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -366,7 +366,7 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head) * * or * - * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager + * # echo '/usr/sbin/tomoyo-editpolicy' > /sys/kernel/security/tomoyo/manager * (if you want to specify by a program's location) * * and is deleted by @@ -376,7 +376,7 @@ static int tomoyo_read_profile(struct tomoyo_io_buffer *head) * * or * - * # echo 'delete /usr/lib/ccs/editpolicy' > \ + * # echo 'delete /usr/sbin/tomoyo-editpolicy' > \ * /sys/kernel/security/tomoyo/manager * * and all entries are retrieved by @@ -556,12 +556,17 @@ static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head, { unsigned int pid; struct tomoyo_domain_info *domain = NULL; + bool global_pid = false; - if (sscanf(data, "pid=%u", &pid) == 1) { + if (sscanf(data, "pid=%u", &pid) == 1 || + (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { struct task_struct *p; rcu_read_lock(); read_lock(&tasklist_lock); - p = find_task_by_vpid(pid); + if (global_pid) + p = find_task_by_pid_ns(pid, &init_pid_ns); + else + p = find_task_by_vpid(pid); if (p) domain = tomoyo_real_domain(p); read_unlock(&tasklist_lock); @@ -697,6 +702,14 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) domain->ignore_global_allow_read = !is_delete; return 0; } + if (!strcmp(data, TOMOYO_KEYWORD_QUOTA_EXCEEDED)) { + domain->quota_warned = !is_delete; + return 0; + } + if (!strcmp(data, TOMOYO_KEYWORD_TRANSITION_FAILED)) { + domain->transition_failed = !is_delete; + return 0; + } return tomoyo_write_domain_policy2(data, domain, is_delete); } @@ -853,6 +866,8 @@ static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head, struct tomoyo_mount_acl *ptr) { const int pos = head->read_avail; + if (ptr->is_deleted) + return true; if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) || !tomoyo_print_name_union(head, &ptr->dev_name) || !tomoyo_print_name_union(head, &ptr->dir_name) || @@ -993,7 +1008,7 @@ static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head) * This is equivalent to doing * * ( echo "select " $domainname; echo "use_profile " $profile ) | - * /usr/lib/ccs/loadpolicy -d + * /usr/sbin/tomoyo-loadpolicy -d * * Caller holds tomoyo_read_lock(). */ diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index be03e4a21db0..6270a530c4d8 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -68,6 +68,8 @@ enum tomoyo_mode_index { #define TOMOYO_KEYWORD_SELECT "select " #define TOMOYO_KEYWORD_USE_PROFILE "use_profile " #define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read" +#define TOMOYO_KEYWORD_QUOTA_EXCEEDED "quota_exceeded" +#define TOMOYO_KEYWORD_TRANSITION_FAILED "transition_failed" /* A domain definition starts with . */ #define TOMOYO_ROOT_NAME "" #define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1) diff --git a/security/tomoyo/path_group.c b/security/tomoyo/path_group.c index c988041c8e1c..636025e26b06 100644 --- a/security/tomoyo/path_group.c +++ b/security/tomoyo/path_group.c @@ -6,7 +6,7 @@ #include #include "common.h" -/* The list for "struct ccs_path_group". */ +/* The list for "struct tomoyo_path_group". */ LIST_HEAD(tomoyo_path_group_list); /**