TOMOYO: Use pathname specified by policy rather than execve()
Commit c9e69318 "TOMOYO: Allow wildcard for execute permission." changed execute
permission and domainname to accept wildcards. But tomoyo_find_next_domain()
was using pathname passed to execve() rather than pathname specified by the
execute permission. As a result, processes were not able to transit to domains
which contain wildcards in their domainnames.
This patch passes pathname specified by the execute permission back to
tomoyo_find_next_domain() so that processes can transit to domains which
contain wildcards in their domainnames.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
diff --git a/security/tomoyo/group.c b/security/tomoyo/group.c
index 3f0a2ab..e94352c 100644
--- a/security/tomoyo/group.c
+++ b/security/tomoyo/group.c
@@ -80,24 +80,24 @@
* @pathname: The name of pathname.
* @group: Pointer to "struct tomoyo_path_group".
*
- * Returns true if @pathname matches pathnames in @group, false otherwise.
+ * Returns matched member's pathname if @pathname matches pathnames in @group,
+ * NULL otherwise.
*
* Caller holds tomoyo_read_lock().
*/
-bool tomoyo_path_matches_group(const struct tomoyo_path_info *pathname,
- const struct tomoyo_group *group)
+const struct tomoyo_path_info *
+tomoyo_path_matches_group(const struct tomoyo_path_info *pathname,
+ const struct tomoyo_group *group)
{
struct tomoyo_path_group *member;
- bool matched = false;
list_for_each_entry_rcu(member, &group->member_list, head.list) {
if (member->head.is_deleted)
continue;
if (!tomoyo_path_matches_pattern(pathname, member->member_name))
continue;
- matched = true;
- break;
+ return member->member_name;
}
- return matched;
+ return NULL;
}
/**