TOMOYO: Allow using UID/GID etc. of current thread as conditions.

This patch adds support for permission checks using the current thread's UID/GID,
etc., in addition to pathnames.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 7893127..0f02c78 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -69,7 +69,7 @@
 static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *a,
 					const struct tomoyo_acl_info *b)
 {
-	return a->type == b->type;
+	return a->type == b->type && a->cond == b->cond;
 }
 
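Review bot: The new `a->cond == b->cond` test compares condition pointers, so two ACL entries whose conditions are textually identical but held in separate objects would be treated as different heads and slip past the duplicate check in tomoyo_update_domain(). That is correct only if tomoyo_get_condition() interns conditions so that equal conditions always share one object, which this diff does not show. A short comment above the return would pin the assumption for the next reader, e.g. `/* conditions are shared, so pointer equality is condition identity */`.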
 /**
@@ -100,8 +100,13 @@
 	struct tomoyo_acl_info *entry;
 	struct list_head * const list = param->list;
 
+	if (param->data[0]) {
+		new_entry->cond = tomoyo_get_condition(param);
+		if (!new_entry->cond)
+			return -EINVAL;
+	}
 	if (mutex_lock_interruptible(&tomoyo_policy_lock))
-		return error;
+		goto out;
 	list_for_each_entry_rcu(entry, list, list) {
 		if (!tomoyo_same_acl_head(entry, new_entry) ||
 		    !check_duplicate(entry, new_entry))
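Review bot: The reference obtained from tomoyo_get_condition() in the new `param->data[0]` branch is released unconditionally at the `out:` label added in the following hunk, including on the path where the entry has been committed to the list; that is only safe if the commit step clears new_entry->cond or takes its own reference, which is not visible here. When `param->data[0]` is empty the branch leaves new_entry->cond untouched, so the put at `out:` also relies on every caller zero-initialising new_entry. I would document both contracts with a comment at `out:` such as `/* commit must clear new_entry->cond (the list entry owns it); callers pass a zeroed new_entry */` and mention it in the function's kerneldoc. The enclosing function starts before this hunk and its remainder, including `out:`, is in the next hunk.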
@@ -122,6 +127,8 @@
 		}
 	}
 	mutex_unlock(&tomoyo_policy_lock);
+out:
+	tomoyo_put_condition(new_entry->cond);
 	return error;
 }
 
@@ -148,10 +155,12 @@
 	list_for_each_entry_rcu(ptr, list, list) {
 		if (ptr->is_deleted || ptr->type != r->param_type)
 			continue;
-		if (check_entry(r, ptr)) {
-			r->granted = true;
-			return;
-		}
+		if (!check_entry(r, ptr))
+			continue;
+		if (!tomoyo_condition(r, ptr->cond))
+			continue;
+		r->granted = true;
+		return;
 	}
 	if (!retried) {
 		retried = true;
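Review bot: The two consecutive `continue` guards in the new loop body express one condition and read more clearly as a single test, `if (!check_entry(r, ptr) || !tomoyo_condition(r, ptr->cond)) continue;`, which keeps the cheap matcher before the condition evaluation. Entries added without a condition presumably carry `cond == NULL`, so this change depends on tomoyo_condition() treating a NULL condition as satisfied; a comment on the call such as `/* NULL cond means unconditional */` would make that explicit. The enclosing function continues outside the hunk.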