security/tomoyo: Add a special case to handle accesses through the internal proc...
author Eric W. Biederman <ebiederm@xmission.com>
Fri, 20 Nov 2009 17:12:22 +0000 (09:12 -0800)
committer Eric W. Biederman <ebiederm@xmission.com>
Fri, 20 Nov 2009 17:23:22 +0000 (09:23 -0800)
With the change of sys_sysctl going through the internal proc mount we no
longer need to handle security_sysctl in tomoyo as we have valid pathnames
for all sysctl accesses.  There is one slight caveat to that in that
all of the paths from the internal mount look like
"/sys/net/ipv4/ip_local_port_range" instead of
"/proc/sys/net/ipv4/ip_local_port_range" so tomoyo needs to add the
"/proc" portion manually when resolving to full path names to get what it expects.

This change teaches tomoyo to perform that modification.

Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
security/tomoyo/realpath.c

index 5f2e3326337118c9252dc80ec10e53b3365c0a9c..0b55faab3b328ff9aea5f3f9dcd68a9b50bcfbd6 100644 (file)
@@ -108,6 +108,15 @@ int tomoyo_realpath_from_path2(struct path *path, char *newname,
                spin_unlock(&dcache_lock);
                path_put(&root);
                path_put(&ns_root);
+               /* Prepend "/proc" prefix if using internal proc vfs mount. */
+               if (!IS_ERR(sp) && (path->mnt->mnt_parent == path->mnt) &&
+                   (strcmp(path->mnt->mnt_sb->s_type->name, "proc") == 0)) {
+                       sp -= 5;
+                       if (sp >= newname)
+                               memcpy(sp, "/proc", 5);
+                       else
+                               sp = ERR_PTR(-ENOMEM);
+               }
        }
        if (IS_ERR(sp))
                error = PTR_ERR(sp);
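
Review bot: In the added block, `sp -= 5` runs before the `sp >= newname` check, so when fewer than 5 bytes remain in front of the path the code has already formed a pointer below the start of `newname` and then compares it. Forming that pointer is outside what C defines, and the check only works if the subtraction does not wrap. Testing the remaining room first avoids this, for example `if (sp - newname >= 5) { sp -= 5; memcpy(sp, "/proc", 5); } else sp = ERR_PTR(-ENOMEM);`. The literal 5 also appears twice and has to stay in step with the "/proc" string; deriving it once from `sizeof("/proc") - 1` would keep the two tied together. Finally, the condition identifies the internal mount only by `path->mnt->mnt_parent == path->mnt` plus a `strcmp` on the filesystem type name "proc". The comment should say why a proc mount that is its own parent can only be the internal one, since every such mount gets the prefix added and policy matching depends on the resulting pathname.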