Eric Lee / smarc-fsl-linux-kernel

08 Apr, 2015

3 commits

  • f02dee2d1   tomoyo: Do not generate empty policy files ... Browse Code »

    The Makefile automatically generates the tomoyo policy files, which are
    not removed by make clean (because they could have been provided by the
    user). Instead of generating the missing files, use /dev/null if a
    given file is not provided. Store the default exception_policy in
    exception_policy.conf.default.

    Acked-by: Tetsuo Handa
    Signed-off-by: Michal Marek

    Michal Marek
     
  • bf7a9ab43   tomoyo: Use if_changed when generating builtin-policy.h ... Browse Code »

    Combine the generation of builtin-policy.h into a single command and use
    if_changed, so that the file is regenerated each time the command
    changes. The next patch will make use of this.

    Acked-by: Tetsuo Handa
    Signed-off-by: Michal Marek

    Michal Marek
     
  • 7e114bbf5   tomoyo: Use bin2c to generate builtin-policy.h ... Browse Code »

    Simplify the Makefile by using a readily available tool instead of a
    custom sed script. The downside is that builtin-policy.h becomes
    unreadable for humans, but it is only a generated file.

    Acked-by: Tetsuo Handa
    Signed-off-by: Michal Marek

    Michal Marek
     

15 Sep, 2011

1 commit

14 Sep, 2011

2 commits

  • 059d84dbb   TOMOYO: Add socket operation restriction support. ... Browse Code »

    This patch adds support for permission checks for PF_INET/PF_INET6/PF_UNIX
    socket's bind()/listen()/connect()/send() operations.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • d58e0da85   TOMOYO: Add environment variable name restriction support. ... Browse Code »

    This patch adds support for checking environment variable's names.
    Although TOMOYO already provides ability to check argv[]/envp[] passed to
    execve() requests,

    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"

    will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
    defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
    administrators have to specify like

    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL

    . Since there are many environment variables whereas conditional checks are
    applied as "&&", it is difficult to cover all combinations. Therefore, this
    patch supports conditional checks that are applied as "||", by specifying like

    file execute /bin/sh
    misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"

    which means "grant execution of /bin/sh if environment variable is not defined
    or is defined and its value is /system/lib".

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

11 Jul, 2011

1 commit

29 Jun, 2011

2 commits

  • efe836ab2   TOMOYO: Add built-in policy support. ... Browse Code »

    To be able to start using enforcing mode from the early stage of boot sequence,
    this patch adds support for built-in policy configuration (and next patch adds
    support for activating access control without calling external policy loader
    program).

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • eadd99cc8   TOMOYO: Add auditing interface. ... Browse Code »

    Add /sys/kernel/security/tomoyo/audit interface. This interface generates audit
    logs in the form of domain policy so that /usr/sbin/tomoyo-auditd can reuse
    audit logs for appending to /sys/kernel/security/tomoyo/domain_policy
    interface.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

02 Aug, 2010

4 commits

17 May, 2010

1 commit

15 Feb, 2010

1 commit

12 Feb, 2009

1 commit