TOMOYO: Allow controlling generation of access granted logs for per an entry basis.
Add a per-entry flag which controls generation of grant logs, because Xen and KVM issue ioctl requests so frequently. For example, file ioctl /dev/null 0x5401 grant_log=no will suppress /sys/kernel/security/tomoyo/audit even if the preference says grant_log=yes. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>hifive-unleashed-5.1
parent
059d84dbb3
commit
1f067a682a
|
@ -313,6 +313,7 @@ static unsigned int tomoyo_log_count;
|
||||||
*/
|
*/
|
||||||
static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
|
static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
|
||||||
const u8 profile, const u8 index,
|
const u8 profile, const u8 index,
|
||||||
|
const struct tomoyo_acl_info *matched_acl,
|
||||||
const bool is_granted)
|
const bool is_granted)
|
||||||
{
|
{
|
||||||
u8 mode;
|
u8 mode;
|
||||||
|
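Review bot: The comment that closes on the `*/` just above tomoyo_get_audit gets no line for the new @matched_acl parameter, so its parameter list is now out of step with the signature that this hunk changes. Assuming that comment uses the kernel-doc `@name:` form its ending suggests, I would add `* @matched_acl: Pointer to "struct tomoyo_acl_info". NULL if not matched.` alongside the existing parameter lines. The body of tomoyo_get_audit continues past this hunk.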
@ -324,6 +325,9 @@ static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
|
||||||
p = tomoyo_profile(ns, profile);
|
p = tomoyo_profile(ns, profile);
|
||||||
if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG])
|
if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG])
|
||||||
return false;
|
return false;
|
||||||
|
if (is_granted && matched_acl && matched_acl->cond &&
|
||||||
|
matched_acl->cond->grant_log != TOMOYO_GRANTLOG_AUTO)
|
||||||
|
return matched_acl->cond->grant_log == TOMOYO_GRANTLOG_YES;
|
||||||
mode = p->config[index];
|
mode = p->config[index];
|
||||||
if (mode == TOMOYO_CONFIG_USE_DEFAULT)
|
if (mode == TOMOYO_CONFIG_USE_DEFAULT)
|
||||||
mode = p->config[category];
|
mode = p->config[category];
|
||||||
|
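Review bot: The per-entry override at the `if (is_granted && matched_acl && matched_acl->cond &&` line changes the precedence of the audit decision and nothing records it: `grant_log=no` suppresses a granted log even when the profile asks for one, `grant_log=yes` forces one even when the profile mode would not, neither can exceed TOMOYO_PREF_MAX_AUDIT_LOG because the quota check above runs first, and rejected requests are never affected. I would state that above the check, e.g. `/* A per-ACL grant_log= overrides the profile for granted requests only; the audit-log quota still wins. */`. The signature and the rest of the body of tomoyo_get_audit lie outside this hunk.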
@ -350,7 +354,8 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
|
||||||
char *buf;
|
char *buf;
|
||||||
struct tomoyo_log *entry;
|
struct tomoyo_log *entry;
|
||||||
bool quota_exceeded = false;
|
bool quota_exceeded = false;
|
||||||
if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type, r->granted))
|
if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type,
|
||||||
|
r->matched_acl, r->granted))
|
||||||
goto out;
|
goto out;
|
||||||
buf = tomoyo_init_log(r, len, fmt, args);
|
buf = tomoyo_init_log(r, len, fmt, args);
|
||||||
if (!buf)
|
if (!buf)
|
||||||
|
|
|
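Review bot: Passing `r->matched_acl` here means tomoyo_get_audit will dereference it whenever `r->granted` is true, so every path that sets granted without going through tomoyo_check_acl must leave matched_acl NULL or pointing at a live ACL. The hunk does not show how `struct tomoyo_request_info` is initialised; if tomoyo_init_request_info zeroes the whole structure this is fine, otherwise a stack-allocated request with a stale matched_acl would be followed on the granted path. That is worth a one-line check against the initialiser, and a comment at the call, `/* matched_acl is consulted only for granted requests and must be NULL when no ACL matched. */`. tomoyo_write_log2 begins before this hunk.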
@ -1272,6 +1272,10 @@ static bool tomoyo_print_condition(struct tomoyo_io_buffer *head,
|
||||||
head->r.cond_step++;
|
head->r.cond_step++;
|
||||||
/* fall through */
|
/* fall through */
|
||||||
case 3:
|
case 3:
|
||||||
|
if (cond->grant_log != TOMOYO_GRANTLOG_AUTO)
|
||||||
|
tomoyo_io_printf(head, " grant_log=%s",
|
||||||
|
tomoyo_yesno(cond->grant_log ==
|
||||||
|
TOMOYO_GRANTLOG_YES));
|
||||||
tomoyo_set_lf(head);
|
tomoyo_set_lf(head);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
|
@ -179,6 +179,16 @@ enum tomoyo_domain_info_flags_index {
|
||||||
TOMOYO_MAX_DOMAIN_INFO_FLAGS
|
TOMOYO_MAX_DOMAIN_INFO_FLAGS
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/* Index numbers for audit type. */
|
||||||
|
enum tomoyo_grant_log {
|
||||||
|
/* Follow profile's configuration. */
|
||||||
|
TOMOYO_GRANTLOG_AUTO,
|
||||||
|
/* Do not generate grant log. */
|
||||||
|
TOMOYO_GRANTLOG_NO,
|
||||||
|
/* Generate grant_log. */
|
||||||
|
TOMOYO_GRANTLOG_YES,
|
||||||
|
};
|
||||||
|
|
||||||
/* Index numbers for group entries. */
|
/* Index numbers for group entries. */
|
||||||
enum tomoyo_group_id {
|
enum tomoyo_group_id {
|
||||||
TOMOYO_PATH_GROUP,
|
TOMOYO_PATH_GROUP,
|
||||||
|
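Review bot: The header `/* Index numbers for audit type. */` above `enum tomoyo_grant_log` does not say what the enum is for, and the two value comments are inconsistent (`grant log` vs `grant_log.`). I would replace the header with `/* Per-ACL override of the profile's grant-log setting (grant_log= in a condition). */`. It is also worth recording that TOMOYO_GRANTLOG_AUTO is deliberately the zero value, since the condition parser in this series detects a repeated keyword by comparing against AUTO and so relies on a zeroed condition meaning "follow the profile": `/* Must stay 0: a zero-initialised condition follows the profile. */`.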
@ -471,6 +481,7 @@ struct tomoyo_request_info {
|
||||||
int need_dev;
|
int need_dev;
|
||||||
} mount;
|
} mount;
|
||||||
} param;
|
} param;
|
||||||
|
struct tomoyo_acl_info *matched_acl;
|
||||||
u8 param_type;
|
u8 param_type;
|
||||||
bool granted;
|
bool granted;
|
||||||
u8 retry;
|
u8 retry;
|
||||||
|
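Review bot: The new `struct tomoyo_acl_info *matched_acl;` member is the one field in this stretch of tomoyo_request_info with no comment, and its validity is conditional: it is set only when the request is granted, and it is a borrowed pointer into an ACL list rather than a reference the request owns. I would add `/* ACL entry that granted the request; meaningful only while granted is true. */`, and if the ACL lists are RCU/SRCU protected as elsewhere in TOMOYO, say that the pointer must not outlive the read lock — that part is inferred, so confirm it against the callers. The structure definition extends beyond this hunk.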
@ -635,6 +646,7 @@ struct tomoyo_condition {
|
||||||
u16 names_count; /* Number of "struct tomoyo_name_union names". */
|
u16 names_count; /* Number of "struct tomoyo_name_union names". */
|
||||||
u16 argc; /* Number of "struct tomoyo_argv". */
|
u16 argc; /* Number of "struct tomoyo_argv". */
|
||||||
u16 envc; /* Number of "struct tomoyo_envp". */
|
u16 envc; /* Number of "struct tomoyo_envp". */
|
||||||
|
u8 grant_log; /* One of values in "enum tomoyo_grant_log". */
|
||||||
/*
|
/*
|
||||||
* struct tomoyo_condition_element condition[condc];
|
* struct tomoyo_condition_element condition[condc];
|
||||||
* struct tomoyo_number_union values[numbers_count];
|
* struct tomoyo_number_union values[numbers_count];
|
||||||
|
|
|
@ -348,6 +348,7 @@ static inline bool tomoyo_same_condition(const struct tomoyo_condition *a,
|
||||||
a->numbers_count == b->numbers_count &&
|
a->numbers_count == b->numbers_count &&
|
||||||
a->names_count == b->names_count &&
|
a->names_count == b->names_count &&
|
||||||
a->argc == b->argc && a->envc == b->envc &&
|
a->argc == b->argc && a->envc == b->envc &&
|
||||||
|
a->grant_log == b->grant_log &&
|
||||||
!memcmp(a + 1, b + 1, a->size - sizeof(*a));
|
!memcmp(a + 1, b + 1, a->size - sizeof(*a));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -486,6 +487,20 @@ rerun:
|
||||||
goto out;
|
goto out;
|
||||||
dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word,
|
dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word,
|
||||||
is_not ? "!" : "", right_word);
|
is_not ? "!" : "", right_word);
|
||||||
|
if (!strcmp(left_word, "grant_log")) {
|
||||||
|
if (entry) {
|
||||||
|
if (is_not ||
|
||||||
|
entry->grant_log != TOMOYO_GRANTLOG_AUTO)
|
||||||
|
goto out;
|
||||||
|
else if (!strcmp(right_word, "yes"))
|
||||||
|
entry->grant_log = TOMOYO_GRANTLOG_YES;
|
||||||
|
else if (!strcmp(right_word, "no"))
|
||||||
|
entry->grant_log = TOMOYO_GRANTLOG_NO;
|
||||||
|
else
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
if (!strncmp(left_word, "exec.argv[", 10)) {
|
if (!strncmp(left_word, "exec.argv[", 10)) {
|
||||||
if (!argv) {
|
if (!argv) {
|
||||||
e.argc++;
|
e.argc++;
|
||||||
|
|
|
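Review bot: The `grant_log` branch is easy to misread: on the first pass, when `entry` is NULL, every value including an invalid one is accepted with `continue`, and correctness relies on the second pass re-parsing the same words and rejecting a negation, a repeated keyword, or anything other than `yes`/`no`. A short comment above `if (entry) {` would save the next reader that trace: `/* Syntax is validated on the second pass, when entry is non-NULL. */`. The duplicate check against TOMOYO_GRANTLOG_AUTO assumes the freshly allocated entry starts zeroed, which this hunk does not show. The enclosing tomoyo_get_condition starts and ends outside the hunk.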
@ -157,6 +157,7 @@ retry:
|
||||||
continue;
|
continue;
|
||||||
if (!tomoyo_condition(r, ptr->cond))
|
if (!tomoyo_condition(r, ptr->cond))
|
||||||
continue;
|
continue;
|
||||||
|
r->matched_acl = ptr;
|
||||||
r->granted = true;
|
r->granted = true;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
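Review bot: `r->matched_acl = ptr;` stores a pointer into the ACL list being walked, and it is dereferenced later when the audit log is written, after this function has returned; that is only safe if the caller still holds the SRCU read lock at that point and ACL entries are freed only after a grace period. That matches how TOMOYO's hooks are structured elsewhere, but it is an inference from outside this hunk, so I would record the requirement at the assignment: `/* Borrowed from the ACL list; caller must hold the SRCU read lock until the log is written. */`. matched_acl is also not cleared on the deny path, which lies outside the hunk, so a request structure reused across checks would carry the previous match — worth confirming that no caller does this.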