lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201006102111.DBB12907.VFFSFHQtOJOOML@I-love.SAKURA.ne.jp>
Date:	Thu, 10 Jun 2010 21:11:01 +0900
From:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:	linux-security-module@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org
Subject: [PATCH 4/4] TOMOYO: Remove alias support.

Now "allow_execute" checks symlink's pathname and "if exec.realpath" checks
dereferenced pathname, "alias" is no longer needed. Removing "alias" shortens
TOMOYO's installation time from several minutes to few seconds since scanning
the entire disk for symlinks becomes unnecessary.

Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
---
 security/tomoyo/common.c   |    4 -
 security/tomoyo/common.h   |   30 --------
 security/tomoyo/domain.c   |  164 ---------------------------------------------
 security/tomoyo/file.c     |    4 -
 security/tomoyo/gc.c       |   21 -----
 security/tomoyo/realpath.c |   19 -----
 6 files changed, 5 insertions(+), 237 deletions(-)

--- security-testing-2.6.orig/security/tomoyo/common.c
+++ security-testing-2.6/security/tomoyo/common.c
@@ -1455,8 +1455,6 @@ static int tomoyo_write_exception_policy
 							      is_delete);
 	if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_AGGREGATOR))
 		return tomoyo_write_aggregator_policy(data, is_delete);
-	if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS))
-		return tomoyo_write_alias_policy(data, is_delete);
 	if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ))
 		return tomoyo_write_globally_readable_policy(data, is_delete);
 	if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN))
@@ -1505,8 +1503,6 @@ static int tomoyo_read_exception_policy(
 			head->read_var2 = NULL;
 			head->read_step = 5;
 		case 5:
-			if (!tomoyo_read_alias_policy(head))
-				break;
 			head->read_var2 = NULL;
 			head->read_step = 6;
 		case 6:
--- security-testing-2.6.orig/security/tomoyo/common.h
+++ security-testing-2.6/security/tomoyo/common.h
@@ -48,7 +48,6 @@ enum tomoyo_mode_index {
 
 /* Keywords for ACLs. */
 #define TOMOYO_KEYWORD_AGGREGATOR                "aggregator "
-#define TOMOYO_KEYWORD_ALIAS                     "alias "
 #define TOMOYO_KEYWORD_ALLOW_MOUNT               "allow_mount "
 #define TOMOYO_KEYWORD_ALLOW_READ                "allow_read "
 #define TOMOYO_KEYWORD_DELETE                    "delete "
@@ -740,23 +739,6 @@ struct tomoyo_aggregator_entry {
 };
 
 /*
- * tomoyo_alias_entry is a structure which is used for holding "alias" entries.
- * It has following fields.
- *
- *  (1) "list" which is linked to tomoyo_alias_list .
- *  (2) "original_name" which is a dereferenced pathname.
- *  (3) "aliased_name" which is a symlink's pathname.
- *  (4) "is_deleted" is a bool which is true if marked as deleted, false
- *      otherwise.
- */
-struct tomoyo_alias_entry {
-	struct list_head list;
-	const struct tomoyo_path_info *original_name;
-	const struct tomoyo_path_info *aliased_name;
-	bool is_deleted;
-};
-
-/*
  * tomoyo_policy_manager_entry is a structure which is used for holding list of
  * domainnames or programs which are permitted to modify configuration via
  * /sys/kernel/security/tomoyo/ interface.
@@ -870,8 +852,6 @@ bool tomoyo_parse_number_union(char *dat
 
 /* Read "aggregator" entry in exception policy. */
 bool tomoyo_read_aggregator_policy(struct tomoyo_io_buffer *head);
-/* Read "alias" entry in exception policy. */
-bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head);
 /*
  * Read "initialize_domain" and "no_initialize_domain" entry
  * in exception policy.
@@ -910,8 +890,6 @@ int tomoyo_mount_permission(char *dev_na
 			    unsigned long flags, void *data_page);
 /* Create "aggregator" entry in exception policy. */
 int tomoyo_write_aggregator_policy(char *data, const bool is_delete);
-/* Create "alias" entry in exception policy. */
-int tomoyo_write_alias_policy(char *data, const bool is_delete);
 /*
  * Create "initialize_domain" and "no_initialize_domain" entry
  * in exception policy.
@@ -1041,7 +1019,6 @@ extern struct list_head tomoyo_number_gr
 extern struct list_head tomoyo_domain_initializer_list;
 extern struct list_head tomoyo_domain_keeper_list;
 extern struct list_head tomoyo_aggregator_list;
-extern struct list_head tomoyo_alias_list;
 extern struct list_head tomoyo_globally_readable_list;
 extern struct list_head tomoyo_pattern_list;
 extern struct list_head tomoyo_no_rewrite_list;
@@ -1254,13 +1231,6 @@ static inline bool tomoyo_is_same_condit
 		!memcmp(p1 + 1, p2 + 1, p1->size - sizeof(*p1));
 }
 
-static inline bool tomoyo_is_same_alias_entry
-(const struct tomoyo_alias_entry *p1, const struct tomoyo_alias_entry *p2)
-{
-	return p1->original_name == p2->original_name &&
-		p1->aliased_name == p2->aliased_name;
-}
-
 /**
  * list_for_each_cookie - iterate over a list with cookie.
  * @pos:        the &struct list_head to use as a loop cursor.
--- security-testing-2.6.orig/security/tomoyo/domain.c
+++ security-testing-2.6/security/tomoyo/domain.c
@@ -613,138 +613,6 @@ int tomoyo_write_aggregator_policy(char 
 	return tomoyo_update_aggregator_entry(data, cp, is_delete);
 }
 
-/*
- * tomoyo_alias_list is used for holding list of symlink's pathnames which are
- * allowed to be passed to an execve() request. Normally, the domainname which
- * the current process will belong to after execve() succeeds is calculated
- * using dereferenced pathnames. But some programs behave differently depending
- * on the name passed to argv[0]. For busybox, calculating domainname using
- * dereferenced pathnames will cause all programs in the busybox to belong to
- * the same domain. Thus, TOMOYO provides a way to allow use of symlink's
- * pathname for checking execve()'s permission and calculating domainname which
- * the current process will belong to after execve() succeeds.
- *
- * An entry is added by
- *
- * # echo 'alias /bin/busybox /bin/cat' > \
- *                            /sys/kernel/security/tomoyo/exception_policy
- *
- * and is deleted by
- *
- * # echo 'delete alias /bin/busybox /bin/cat' > \
- *                            /sys/kernel/security/tomoyo/exception_policy
- *
- * and all entries are retrieved by
- *
- * # grep ^alias /sys/kernel/security/tomoyo/exception_policy
- *
- * In the example above, if /bin/cat is a symlink to /bin/busybox and execution
- * of /bin/cat is requested, permission is checked for /bin/cat rather than
- * /bin/busybox and domainname which the current process will belong to after
- * execve() succeeds is calculated using /bin/cat rather than /bin/busybox .
- */
-LIST_HEAD(tomoyo_alias_list);
-
-/**
- * tomoyo_update_alias_entry - Update "struct tomoyo_alias_entry" list.
- *
- * @original_name: The original program's real name.
- * @aliased_name:  The symbolic program's symbolic link's name.
- * @is_delete:     True if it is a delete request.
- *
- * Returns 0 on success, negative value otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-static int tomoyo_update_alias_entry(const char *original_name,
-				     const char *aliased_name,
-				     const bool is_delete)
-{
-	struct tomoyo_alias_entry *ptr;
-	struct tomoyo_alias_entry e = { };
-	int error = is_delete ? -ENOENT : -ENOMEM;
-
-	if (!tomoyo_is_correct_path(original_name) ||
-	    !tomoyo_is_correct_path(aliased_name))
-		return -EINVAL;
-	e.original_name = tomoyo_get_name(original_name);
-	e.aliased_name = tomoyo_get_name(aliased_name);
-	if (!e.original_name || !e.aliased_name ||
-	    e.original_name->is_patterned || e.aliased_name->is_patterned)
-		goto out; /* No patterns allowed. */
-	if (mutex_lock_interruptible(&tomoyo_policy_lock))
-		goto out;
-	list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
-		if (!tomoyo_is_same_alias_entry(ptr, &e))
-			continue;
-		ptr->is_deleted = is_delete;
-		error = 0;
-		break;
-	}
-	if (!is_delete && error) {
-		struct tomoyo_alias_entry *entry =
-			tomoyo_commit_ok(&e, sizeof(e));
-		if (entry) {
-			list_add_tail_rcu(&entry->list, &tomoyo_alias_list);
-			error = 0;
-		}
-	}
-	mutex_unlock(&tomoyo_policy_lock);
- out:
-	tomoyo_put_name(e.original_name);
-	tomoyo_put_name(e.aliased_name);
-	return error;
-}
-
-/**
- * tomoyo_read_alias_policy - Read "struct tomoyo_alias_entry" list.
- *
- * @head: Pointer to "struct tomoyo_io_buffer".
- *
- * Returns true on success, false otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head)
-{
-	struct list_head *pos;
-	bool done = true;
-
-	list_for_each_cookie(pos, head->read_var2, &tomoyo_alias_list) {
-		struct tomoyo_alias_entry *ptr;
-
-		ptr = list_entry(pos, struct tomoyo_alias_entry, list);
-		if (ptr->is_deleted)
-			continue;
-		done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALIAS "%s %s\n",
-					ptr->original_name->name,
-					ptr->aliased_name->name);
-		if (!done)
-			break;
-	}
-	return done;
-}
-
-/**
- * tomoyo_write_alias_policy - Write "struct tomoyo_alias_entry" list.
- *
- * @data:      String to parse.
- * @is_delete: True if it is a delete request.
- *
- * Returns 0 on success, negative value otherwise.
- *
- * Caller holds tomoyo_read_lock().
- */
-int tomoyo_write_alias_policy(char *data, const bool is_delete)
-{
-	char *cp = strchr(data, ' ');
-
-	if (!cp)
-		return -EINVAL;
-	*cp++ = '\0';
-	return tomoyo_update_alias_entry(data, cp, is_delete);
-}
-
 /**
  * tomoyo_find_or_assign_new_domain - Create a domain.
  *
@@ -862,7 +730,6 @@ static int tomoyo_find_next_domain2(stru
 	int retval = -ENOMEM;
 	bool need_kfree = false;
 	struct tomoyo_path_info rn = { }; /* real name */
-	struct tomoyo_path_info sn = { }; /* symlink name */
 	struct tomoyo_path_info ln; /* last name */
 
 	ln.name = tomoyo_get_last_name(old_domain);
@@ -872,37 +739,14 @@ static int tomoyo_find_next_domain2(stru
 		kfree(rn.name);
 		need_kfree = false;
 	}
-	/* Get tomoyo_realpath of program. */
+	/* Get symlink's pathname of program. */
 	retval = -ENOENT;
-	rn.name = tomoyo_realpath(original_name);
+	rn.name = tomoyo_realpath_nofollow(original_name);
 	if (!rn.name)
 		goto out;
 	tomoyo_fill_path_info(&rn);
 	need_kfree = true;
 
-	/* Get tomoyo_realpath of symbolic link. */
-	sn.name = tomoyo_realpath_nofollow(original_name);
-	if (!sn.name)
-		goto out;
-	tomoyo_fill_path_info(&sn);
-
-	/* Check 'alias' directive. */
-	if (tomoyo_pathcmp(&rn, &sn)) {
-		struct tomoyo_alias_entry *ptr;
-		/* Is this program allowed to be called via symbolic links? */
-		list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
-			if (ptr->is_deleted ||
-			    tomoyo_pathcmp(&rn, ptr->original_name) ||
-			    tomoyo_pathcmp(&sn, ptr->aliased_name))
-				continue;
-			kfree(rn.name);
-			need_kfree = false;
-			/* This is OK because it is read only. */
-			rn = *ptr->aliased_name;
-			break;
-		}
-	}
-
 	/* Check 'aggregator' directive. */
 	{
 		struct tomoyo_aggregator_entry *ptr;
@@ -911,8 +755,7 @@ static int tomoyo_find_next_domain2(stru
 			    !tomoyo_path_matches_pattern(&rn,
 							 ptr->original_name))
 				continue;
-			if (need_kfree)
-				kfree(rn.name);
+			kfree(rn.name);
 			need_kfree = false;
 			/* This is OK because it is read only. */
 			rn = *ptr->aggregated_name;
@@ -978,7 +821,6 @@ static int tomoyo_find_next_domain2(stru
 	ee->bprm->cred->security = domain;
 	if (need_kfree)
 		kfree(rn.name);
-	kfree(sn.name);
 	return retval;
 }
 
--- security-testing-2.6.orig/security/tomoyo/file.c
+++ security-testing-2.6/security/tomoyo/file.c
@@ -793,9 +793,9 @@ static int tomoyo_file_perm(struct tomoy
 		error = tomoyo_supervisor(r, "allow_%s %s\n", msg,
 					  tomoyo_file_pattern(filename));
 		/*
-                 * Do not retry for execute request, for alias may have
+		 * Do not retry for execute request, for agrgegator may have
 		 * changed.
-                 */
+		 */
 	} while (error == TOMOYO_RETRY_REQUEST && mode != 1);
 	if (r->mode != TOMOYO_CONFIG_ENFORCING)
 		error = 0;
--- security-testing-2.6.orig/security/tomoyo/gc.c
+++ security-testing-2.6/security/tomoyo/gc.c
@@ -19,7 +19,6 @@ enum tomoyo_gc_id {
 	TOMOYO_ID_DOMAIN_INITIALIZER,
 	TOMOYO_ID_DOMAIN_KEEPER,
 	TOMOYO_ID_AGGREGATOR,
-	TOMOYO_ID_ALIAS,
 	TOMOYO_ID_GLOBALLY_READABLE,
 	TOMOYO_ID_PATTERN,
 	TOMOYO_ID_NO_REWRITE,
@@ -85,12 +84,6 @@ static void tomoyo_del_aggregator(struct
 	tomoyo_put_name(ptr->aggregated_name);
 }
 
-static void tomoyo_del_alias(struct tomoyo_alias_entry *ptr)
-{
-	tomoyo_put_name(ptr->original_name);
-	tomoyo_put_name(ptr->aliased_name);
-}
-
 static void tomoyo_del_manager(struct tomoyo_policy_manager_entry *ptr)
 {
 	tomoyo_put_name(ptr->manager);
@@ -318,17 +311,6 @@ static void tomoyo_collect_entry(void)
 		}
 	}
 	{
-		struct tomoyo_alias_entry *ptr;
-		list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
-			if (!ptr->is_deleted)
-				continue;
-			if (tomoyo_add_to_gc(TOMOYO_ID_ALIAS, ptr))
-				list_del_rcu(&ptr->list);
-			else
-				break;
-		}
-	}
-	{
 		struct tomoyo_policy_manager_entry *ptr;
 		list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list,
 					list) {
@@ -491,9 +473,6 @@ static void tomoyo_kfree_entry(void)
 		case TOMOYO_ID_AGGREGATOR:
 			tomoyo_del_aggregator(p->element);
 			break;
-		case TOMOYO_ID_ALIAS:
-			tomoyo_del_alias(p->element);
-			break;
 		case TOMOYO_ID_GLOBALLY_READABLE:
 			tomoyo_del_allow_read(p->element);
 			break;
--- security-testing-2.6.orig/security/tomoyo/realpath.c
+++ security-testing-2.6/security/tomoyo/realpath.c
@@ -162,25 +162,6 @@ char *tomoyo_realpath_from_path(struct p
 }
 
 /**
- * tomoyo_realpath - Get realpath of a pathname.
- *
- * @pathname: The pathname to solve.
- *
- * Returns the realpath of @pathname on success, NULL otherwise.
- */
-char *tomoyo_realpath(const char *pathname)
-{
-	struct path path;
-
-	if (pathname && kern_path(pathname, LOOKUP_FOLLOW, &path) == 0) {
-		char *buf = tomoyo_realpath_from_path(&path);
-		path_put(&path);
-		return buf;
-	}
-	return NULL;
-}
-
-/**
  * tomoyo_realpath_nofollow - Get realpath of a pathname.
  *
  * @pathname: The pathname to solve.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ