commit 484ca79c653121d3c79fffb86e1deea724f2e20b
author Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Thu Jul 29 14:29:55 2010 +0900
committer James Morris <jmorris@namei.org> Mon Aug 02 15:38:38 2010 +1000
tree 457aa73e37c9b5e5b4306430f40d1985b59ca226
parent 4d6ec10bb4461fdc9a9ab94ef32934e13564e873

TOMOYO: Use pathname specified by policy rather than execve()

Commit c9e69318 "TOMOYO: Allow wildcard for execute permission." changed execute
permission and domainname to accept wildcards. But tomoyo_find_next_domain()
was using pathname passed to execve() rather than pathname specified by the
execute permission. As a result, processes were not able to transit to domains
which contain wildcards in their domainnames.

This patch passes pathname specified by the execute permission back to
tomoyo_find_next_domain() so that processes can transit to domains which
contain wildcards in their domainnames.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

security/tomoyo/file.c

diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index f7877fa..9d32f18 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -95,12 +95,15 @@
 		tomoyo_put_name(ptr->filename);
 }
 
-bool tomoyo_compare_name_union(const struct tomoyo_path_info *name,
-			       const struct tomoyo_name_union *ptr)
+const struct tomoyo_path_info *
+tomoyo_compare_name_union(const struct tomoyo_path_info *name,
+			  const struct tomoyo_name_union *ptr)
 {
 	if (ptr->is_group)
 		return tomoyo_path_matches_group(name, ptr->group);
-	return tomoyo_path_matches_pattern(name, ptr->filename);
+	if (tomoyo_path_matches_pattern(name, ptr->filename))
+		return ptr->filename;
+	return NULL;
 }
 
 void tomoyo_put_number_union(struct tomoyo_number_union *ptr)
@@ -504,16 +507,21 @@
 	return tomoyo_update_no_rewrite_entry(data, is_delete);
 }
 
-static bool tomoyo_check_path_acl(const struct tomoyo_request_info *r,
+static bool tomoyo_check_path_acl(struct tomoyo_request_info *r,
 				  const struct tomoyo_acl_info *ptr)
 {
 	const struct tomoyo_path_acl *acl = container_of(ptr, typeof(*acl),
 							 head);
-	return (acl->perm & (1 << r->param.path.operation)) &&
-		tomoyo_compare_name_union(r->param.path.filename, &acl->name);
+	if (acl->perm & (1 << r->param.path.operation)) {
+		r->param.path.matched_path =
+			tomoyo_compare_name_union(r->param.path.filename,
+						  &acl->name);
+		return r->param.path.matched_path != NULL;
+	}
+	return false;
 }
 
-static bool tomoyo_check_path_number_acl(const struct tomoyo_request_info *r,
+static bool tomoyo_check_path_number_acl(struct tomoyo_request_info *r,
 					 const struct tomoyo_acl_info *ptr)
 {
 	const struct tomoyo_path_number_acl *acl =
@@ -525,7 +533,7 @@
 					  &acl->name);
 }
 
-static bool tomoyo_check_path2_acl(const struct tomoyo_request_info *r,
+static bool tomoyo_check_path2_acl(struct tomoyo_request_info *r,
 				   const struct tomoyo_acl_info *ptr)
 {
 	const struct tomoyo_path2_acl *acl =
@@ -536,7 +544,7 @@
 					     &acl->name2);
 }
 
-static bool tomoyo_check_mkdev_acl(const struct tomoyo_request_info *r,
+static bool tomoyo_check_mkdev_acl(struct tomoyo_request_info *r,
 				const struct tomoyo_acl_info *ptr)
 {
 	const struct tomoyo_mkdev_acl *acl =