mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-12 05:48:40 +00:00
d58e0da854
This patch adds support for checking environment variable's names. Although TOMOYO already provides ability to check argv[]/envp[] passed to execve() requests, file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar" will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined, administrators have to specify like file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib" file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL . Since there are many environment variables whereas conditional checks are applied as "&&", it is difficult to cover all combinations. Therefore, this patch supports conditional checks that are applied as "||", by specifying like file execute /bin/sh misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib" which means "grant execution of /bin/sh if environment variable is not defined or is defined and its value is /system/lib". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
48 lines
2.1 KiB
Makefile
48 lines
2.1 KiB
Makefile
obj-y = audit.o common.o condition.o domain.o environ.o file.o gc.o group.o load_policy.o memory.o mount.o realpath.o securityfs_if.o tomoyo.o util.o
|
|
|
|
$(obj)/policy/profile.conf:
|
|
@mkdir -p $(obj)/policy/
|
|
@echo Creating an empty policy/profile.conf
|
|
@touch $@
|
|
|
|
$(obj)/policy/exception_policy.conf:
|
|
@mkdir -p $(obj)/policy/
|
|
@echo Creating a default policy/exception_policy.conf
|
|
@echo initialize_domain /sbin/modprobe from any >> $@
|
|
@echo initialize_domain /sbin/hotplug from any >> $@
|
|
|
|
$(obj)/policy/domain_policy.conf:
|
|
@mkdir -p $(obj)/policy/
|
|
@echo Creating an empty policy/domain_policy.conf
|
|
@touch $@
|
|
|
|
$(obj)/policy/manager.conf:
|
|
@mkdir -p $(obj)/policy/
|
|
@echo Creating an empty policy/manager.conf
|
|
@touch $@
|
|
|
|
$(obj)/policy/stat.conf:
|
|
@mkdir -p $(obj)/policy/
|
|
@echo Creating an empty policy/stat.conf
|
|
@touch $@
|
|
|
|
$(obj)/builtin-policy.h: $(obj)/policy/profile.conf $(obj)/policy/exception_policy.conf $(obj)/policy/domain_policy.conf $(obj)/policy/manager.conf $(obj)/policy/stat.conf
|
|
@echo Generating built-in policy for TOMOYO 2.4.x.
|
|
@echo "static char tomoyo_builtin_profile[] __initdata =" > $@.tmp
|
|
@sed -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/profile.conf >> $@.tmp
|
|
@echo "\"\";" >> $@.tmp
|
|
@echo "static char tomoyo_builtin_exception_policy[] __initdata =" >> $@.tmp
|
|
@sed -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/exception_policy.conf >> $@.tmp
|
|
@echo "\"\";" >> $@.tmp
|
|
@echo "static char tomoyo_builtin_domain_policy[] __initdata =" >> $@.tmp
|
|
@sed -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/domain_policy.conf >> $@.tmp
|
|
@echo "\"\";" >> $@.tmp
|
|
@echo "static char tomoyo_builtin_manager[] __initdata =" >> $@.tmp
|
|
@sed -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/manager.conf >> $@.tmp
|
|
@echo "\"\";" >> $@.tmp
|
|
@echo "static char tomoyo_builtin_stat[] __initdata =" >> $@.tmp
|
|
@sed -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/stat.conf >> $@.tmp
|
|
@echo "\"\";" >> $@.tmp
|
|
@mv $@.tmp $@
|
|
|
|
$(obj)/common.o: $(obj)/builtin-policy.h
|