Commit ad2aec7c authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'tomoyo-pr-20250123' of git://git.code.sf.net/p/tomoyo/tomoyo

Pull tomoyo updates from Tetsuo Handa:
 "Small changes to improve usability"

* tag 'tomoyo-pr-20250123' of git://git.code.sf.net/p/tomoyo/tomoyo:
  tomoyo: automatically use patterns for several situations in learning mode
  tomoyo: use realpath if symlink's pathname refers to procfs
  tomoyo: don't emit warning in tomoyo_write_control()
parents de5817bb 08ae2487
+31 −1
@@ -2024,6 +2024,36 @@ static void tomoyo_add_entry(struct tomoyo_domain_info *domain, char *header)
	if (!buffer)
		return;
	snprintf(buffer, len - 1, "%s", cp);
	if (*cp == 'f' && strchr(buffer, ':')) {
		/* Automatically replace 2 or more digits with \$ pattern. */
		char *cp2;

		/* e.g. file read proc:/$PID/stat */
		cp = strstr(buffer, " proc:/");
		if (cp && simple_strtoul(cp + 7, &cp2, 10) >= 10 && *cp2 == '/') {
			*(cp + 7) = '\\';
			*(cp + 8) = '$';
			memmove(cp + 9, cp2, strlen(cp2) + 1);
			goto ok;
		}
		/* e.g. file ioctl pipe:[$INO] $CMD */
		cp = strstr(buffer, " pipe:[");
		if (cp && simple_strtoul(cp + 7, &cp2, 10) >= 10 && *cp2 == ']') {
			*(cp + 7) = '\\';
			*(cp + 8) = '$';
			memmove(cp + 9, cp2, strlen(cp2) + 1);
			goto ok;
		}
		/* e.g. file ioctl socket:[$INO] $CMD */
		cp = strstr(buffer, " socket:[");
		if (cp && simple_strtoul(cp + 9, &cp2, 10) >= 10 && *cp2 == ']') {
			*(cp + 9) = '\\';
			*(cp + 10) = '$';
			memmove(cp + 11, cp2, strlen(cp2) + 1);
			goto ok;
		}
	}
ok:
	if (realpath)
		tomoyo_addprintf(buffer, len, " exec.%s", realpath);
	if (argv0)
@@ -2665,7 +2695,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,

		if (head->w.avail >= head->writebuf_size - 1) {
			const int len = head->writebuf_size * 2;
			char *cp = kzalloc(len, GFP_NOFS);
			char *cp = kzalloc(len, GFP_NOFS | __GFP_NOWARN);

			if (!cp) {
				error = -ENOMEM;
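Review bot: In the tomoyo_add_entry hunk, the rewrite replaces an observed PID or inode number with `\$`, so the entry learned from one `proc:/<num>/`, `pipe:[<num>]` or `socket:[<num>]` access will afterwards match every such number, and the comment above the block does not say that the learned rule is wider than the observed access. I would extend it, e.g. `/* The learned entry then matches any number here, not only the observed one. */`, so that whoever audits a learned policy before switching to enforcing mode knows these lines were generalised. Each branch also leaves through `goto ok` after the first `strstr()` hit, so only the first matching token in the line is patterned and a second pathname in the same entry appears to stay literal; that deserves a word in the comment too. The three branches differ only in the prefix, its length (7 or 9) and the closing character, so a small static helper taking those three values would remove the repeated offsets. The function starts before and continues after the hunk, and `cp` now points into `buffer` (or is NULL) at `ok:`, so confirm nothing later expects it to reference the original line.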
+9 −2
@@ -722,10 +722,17 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
	ee->bprm = bprm;
	ee->r.obj = &ee->obj;
	ee->obj.path1 = bprm->file->f_path;
	/* Get symlink's pathname of program. */
	/*
	 * Get symlink's pathname of program, but fallback to realpath if
	 * symlink's pathname does not exist or symlink's pathname refers
	 * to proc filesystem (e.g. /dev/fd/<num> or /proc/self/fd/<num> ).
	 */
	exename.name = tomoyo_realpath_nofollow(original_name);
	if (exename.name && !strncmp(exename.name, "proc:/", 6)) {
		kfree(exename.name);
		exename.name = NULL;
	}
	if (!exename.name) {
		/* Fallback to realpath if symlink's pathname does not exist. */
		exename.name = tomoyo_realpath_from_path(&bprm->file->f_path);
		if (!exename.name)
			goto out;
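Review bot: The new `strncmp(exename.name, "proc:/", 6)` test discards every name that resolves under procfs, which is broader than the `/dev/fd/<num>` and `/proc/self/fd/<num>` examples in the comment. The comment should state that any `proc:/` name is replaced by the realpath, and that domain-transition policy written against such names will presumably stop matching once this lands. The literal length 6 duplicates the prefix string; `str_has_prefix(exename.name, "proc:/")` expresses the same test without the count. The function starts before and continues after the hunk, so the later uses of `exename` are not visible here.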