TOMOYO: Add policy namespace support.
Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments,
for TOMOYO cannot distinguish between environments outside the container and
environments inside the container since LXC environments are created using
pivot_root(). To address this problem, this patch introduces policy namespace.
Each policy namespace has its own set of domain policy, exception policy and
profiles, which are all independent of other namespaces. This independency
allows users to develop policy without worrying interference among namespaces.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c
index e882f17..ef2172f 100644
--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -151,13 +151,15 @@
/**
* tomoyo_get_audit - Get audit mode.
*
+ * @ns: Pointer to "struct tomoyo_policy_namespace".
* @profile: Profile number.
* @index: Index number of functionality.
* @is_granted: True if granted log, false otherwise.
*
* Returns true if this request should be audited, false otherwise.
*/
-static bool tomoyo_get_audit(const u8 profile, const u8 index,
+static bool tomoyo_get_audit(const struct tomoyo_policy_namespace *ns,
+ const u8 profile, const u8 index,
const bool is_granted)
{
u8 mode;
@@ -165,7 +167,7 @@
struct tomoyo_profile *p;
if (!tomoyo_policy_loaded)
return false;
- p = tomoyo_profile(profile);
+ p = tomoyo_profile(ns, profile);
if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG])
return false;
mode = p->config[index];
@@ -194,7 +196,7 @@
char *buf;
struct tomoyo_log *entry;
bool quota_exceeded = false;
- if (!tomoyo_get_audit(r->profile, r->type, r->granted))
+ if (!tomoyo_get_audit(r->domain->ns, r->profile, r->type, r->granted))
goto out;
buf = tomoyo_init_log(r, len, fmt, args);
if (!buf)