提交 ec8e6a4e 编写于 作者: T Tetsuo Handa 提交者: James Morris

TOMOYO: Add refcounter on domain structure.

Add refcounter to "struct tomoyo_domain_info" since garbage collector needs to
determine whether this struct is referred by "struct cred"->security or not.
Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: NSerge Hallyn <serue@us.ibm.com>
Signed-off-by: NJames Morris <jmorris@namei.org>
上级 76bb0895
...@@ -234,6 +234,10 @@ struct tomoyo_acl_info { ...@@ -234,6 +234,10 @@ struct tomoyo_acl_info {
* name of the domain to be created was too long or it could not allocate * name of the domain to be created was too long or it could not allocate
* memory. If set to true, more than one process continued execve() * memory. If set to true, more than one process continued execve()
* without domain transition. * without domain transition.
* (9) "users" is an atomic_t that holds how many "struct cred"->security
* are referring this "struct tomoyo_domain_info". If is_deleted == true
* and users == 0, this struct will be kfree()d upon next garbage
* collection.
* *
* A domain's lifecycle is an analogy of files on / directory. * A domain's lifecycle is an analogy of files on / directory.
* Multiple domains with the same domainname cannot be created (as with * Multiple domains with the same domainname cannot be created (as with
...@@ -252,6 +256,7 @@ struct tomoyo_domain_info { ...@@ -252,6 +256,7 @@ struct tomoyo_domain_info {
bool quota_warned; /* Quota warnning flag. */ bool quota_warned; /* Quota warnning flag. */
bool ignore_global_allow_read; /* Ignore "allow_read" flag. */ bool ignore_global_allow_read; /* Ignore "allow_read" flag. */
bool transition_failed; /* Domain transition failed flag. */ bool transition_failed; /* Domain transition failed flag. */
atomic_t users; /* Number of referring credentials. */
}; };
/* /*
......
...@@ -817,6 +817,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) ...@@ -817,6 +817,8 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
out: out:
if (!domain) if (!domain)
domain = old_domain; domain = old_domain;
/* Update reference count on "struct tomoyo_domain_info". */
atomic_inc(&domain->users);
bprm->cred->security = domain; bprm->cred->security = domain;
kfree(real_program_name); kfree(real_program_name);
kfree(symlink_program_name); kfree(symlink_program_name);
......
...@@ -21,21 +21,23 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp) ...@@ -21,21 +21,23 @@ static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp)
static int tomoyo_cred_prepare(struct cred *new, const struct cred *old, static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp) gfp_t gfp)
{ {
/* struct tomoyo_domain_info *domain = old->security;
* Since "struct tomoyo_domain_info *" is a sharable pointer, new->security = domain;
* we don't need to duplicate. if (domain)
*/ atomic_inc(&domain->users);
new->security = old->security;
return 0; return 0;
} }
static void tomoyo_cred_transfer(struct cred *new, const struct cred *old) static void tomoyo_cred_transfer(struct cred *new, const struct cred *old)
{ {
/* tomoyo_cred_prepare(new, old, 0);
* Since "struct tomoyo_domain_info *" is a sharable pointer, }
* we don't need to duplicate.
*/ static void tomoyo_cred_free(struct cred *cred)
new->security = old->security; {
struct tomoyo_domain_info *domain = cred->security;
if (domain)
atomic_dec(&domain->users);
} }
static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
...@@ -58,6 +60,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) ...@@ -58,6 +60,14 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
*/ */
if (!tomoyo_policy_loaded) if (!tomoyo_policy_loaded)
tomoyo_load_policy(bprm->filename); tomoyo_load_policy(bprm->filename);
/*
* Release reference to "struct tomoyo_domain_info" stored inside
* "bprm->cred->security". New reference to "struct tomoyo_domain_info"
* stored inside "bprm->cred->security" will be acquired later inside
* tomoyo_find_next_domain().
*/
atomic_dec(&((struct tomoyo_domain_info *)
bprm->cred->security)->users);
/* /*
* Tell tomoyo_bprm_check_security() is called for the first time of an * Tell tomoyo_bprm_check_security() is called for the first time of an
* execve operation. * execve operation.
...@@ -75,12 +85,6 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm) ...@@ -75,12 +85,6 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
* using current domain. * using current domain.
*/ */
if (!domain) { if (!domain) {
/*
* We will need to protect whole execve() operation when GC
* starts kfree()ing "struct tomoyo_domain_info" because
* bprm->cred->security points to "struct tomoyo_domain_info"
* but "struct tomoyo_domain_info" does not have a refcounter.
*/
const int idx = tomoyo_read_lock(); const int idx = tomoyo_read_lock();
const int err = tomoyo_find_next_domain(bprm); const int err = tomoyo_find_next_domain(bprm);
tomoyo_read_unlock(idx); tomoyo_read_unlock(idx);
...@@ -265,6 +269,7 @@ static struct security_operations tomoyo_security_ops = { ...@@ -265,6 +269,7 @@ static struct security_operations tomoyo_security_ops = {
.cred_alloc_blank = tomoyo_cred_alloc_blank, .cred_alloc_blank = tomoyo_cred_alloc_blank,
.cred_prepare = tomoyo_cred_prepare, .cred_prepare = tomoyo_cred_prepare,
.cred_transfer = tomoyo_cred_transfer, .cred_transfer = tomoyo_cred_transfer,
.cred_free = tomoyo_cred_free,
.bprm_set_creds = tomoyo_bprm_set_creds, .bprm_set_creds = tomoyo_bprm_set_creds,
.bprm_check_security = tomoyo_bprm_check_security, .bprm_check_security = tomoyo_bprm_check_security,
.file_fcntl = tomoyo_file_fcntl, .file_fcntl = tomoyo_file_fcntl,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册