TOMOYO: Allow reading only execute permission.

Policy editor needs to know allow_execute entries in order to build domain
transition tree. Reading all entries is slow. Thus, allow reading only
allow_execute entries.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 2a5330ec06c9da90a40671452401032cfb9cafc2..6c68981c0f5f51b70e47fb6098a3b262497b1ad3 100644 (file)
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -594,6 +594,10 @@ static bool tomoyo_select_one(struct tomoyo_io_buffer *head, const char *data)
        struct tomoyo_domain_info *domain = NULL;
        bool global_pid = false;
 
+       if (!strcmp(data, "allow_execute")) {
+               head->print_execute_only = true;
+               return true;
+       }
        if (sscanf(data, "pid=%u", &pid) == 1 ||
            (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
                struct task_struct *p;
@@ -759,6 +763,8 @@ static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
        for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
                if (!(perm & (1 << bit)))
                        continue;
+               if (head->print_execute_only && bit != TOMOYO_TYPE_EXECUTE)
+                       continue;
                /* Print "read/write" instead of "read" and "write". */
                if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
                    && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
@@ -926,6 +932,8 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
                        = container_of(ptr, struct tomoyo_path_acl, head);
                return tomoyo_print_path_acl(head, acl);
        }
+       if (head->print_execute_only)
+               return true;
        if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
                struct tomoyo_path2_acl *acl
                        = container_of(ptr, struct tomoyo_path2_acl, head);

diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index cdc9ef56fd86d35fee83d1b554cad30aebe146c4..67b9aeae80a74bab9230ef4224229117b756c5e0 100644 (file)
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -571,6 +571,8 @@ struct tomoyo_io_buffer {
        bool read_single_domain;
        /* Extra variable for reading.          */
        u8 read_bit;
+       /* Read only TOMOYO_TYPE_EXECUTE        */
+       bool print_execute_only;
        /* Bytes available for reading.         */
        int read_avail;
        /* Size of read buffer.                 */