OpenCloudOS-Kernel/security/tomoyo
Tetsuo Handa d58e0da854 TOMOYO: Add environment variable name restriction support.
This patch adds support for checking environment variable's names.
Although TOMOYO already provides ability to check argv[]/envp[] passed to
execve() requests,

  file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"

will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
administrators have to specify like

  file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
  file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL

. Since there are many environment variables whereas conditional checks are
applied as "&&", it is difficult to cover all combinations. Therefore, this
patch supports conditional checks that are applied as "||", by specifying like

  file execute /bin/sh
  misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"

which means "grant execution of /bin/sh if environment variable is not defined
or is defined and its value is /system/lib".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2011-09-14 08:27:05 +10:00
..
Kconfig TOMOYO: Make several options configurable. 2011-06-29 09:31:22 +10:00
Makefile TOMOYO: Add environment variable name restriction support. 2011-09-14 08:27:05 +10:00
audit.c TOMOYO: Update kernel-doc. 2011-07-14 17:50:03 +10:00
common.c TOMOYO: Add environment variable name restriction support. 2011-09-14 08:27:05 +10:00
common.h TOMOYO: Add environment variable name restriction support. 2011-09-14 08:27:05 +10:00
condition.c TOMOYO: Allow using argv[]/envp[] of execve() as conditions. 2011-07-11 11:05:33 +10:00
domain.c TOMOYO: Add environment variable name restriction support. 2011-09-14 08:27:05 +10:00
environ.c TOMOYO: Add environment variable name restriction support. 2011-09-14 08:27:05 +10:00
file.c TOMOYO: Update kernel-doc. 2011-07-14 17:50:03 +10:00
gc.c TOMOYO: Add environment variable name restriction support. 2011-09-14 08:27:05 +10:00
group.c TOMOYO: Update kernel-doc. 2011-07-14 17:50:03 +10:00
load_policy.c TOMOYO: Update kernel-doc. 2011-07-14 17:50:03 +10:00
memory.c TOMOYO: Update kernel-doc. 2011-07-14 17:50:03 +10:00
mount.c TOMOYO: Update kernel-doc. 2011-07-14 17:50:03 +10:00
realpath.c TOMOYO: Update kernel-doc. 2011-07-14 17:50:03 +10:00
securityfs_if.c TOMOYO: Update kernel-doc. 2011-07-14 17:50:03 +10:00
tomoyo.c TOMOYO: Update kernel-doc. 2011-07-14 17:50:03 +10:00
util.c TOMOYO: Add environment variable name restriction support. 2011-09-14 08:27:05 +10:00