aha/security
Kentaro Takeda c73bd6d473 Memory and pathname management functions.
TOMOYO Linux performs pathname based access control.
To remove factors that make pathname based access control difficult
(e.g. symbolic links, "..", "//" etc.), TOMOYO Linux derives realpath
of requested pathname from "struct dentry" and "struct vfsmount".

The maximum length of string data is limited to 4000 including trailing '\0'.
Since TOMOYO Linux uses '\ooo' style representation for non ASCII printable
characters, maybe TOMOYO Linux should be able to support 16336 (which means
(NAME_MAX * (PATH_MAX / (NAME_MAX + 1)) * 4 + (PATH_MAX / (NAME_MAX + 1)))
including trailing '\0'), but I think 4000 is enough for practical use.

TOMOYO uses only 0x21 - 0x7E (as printable characters) and 0x20 (as word
delimiter) and 0x0A (as line delimiter).
0x01 - 0x20 and 0x80 - 0xFF is handled in \ooo style representation.
The reason to use \ooo is to guarantee that "%s" won't damage logs.
Userland program can request

 open("/tmp/file granted.\nAccess /tmp/file ", O_WRONLY | O_CREAT, 0600)

and logging such crazy pathname using "Access %s denied.\n" format will cause
"fabrication of logs" like

 Access /tmp/file granted.
 Access /tmp/file denied.

TOMOYO converts such characters to \ooo so that the logs will become

 Access /tmp/file\040granted.\012Access\040/tmp/file denied.

and the administrator can read the logs safely using /bin/cat .
Likewise, a crazy request like

 open("/tmp/\x01\x02\x03\x04\x05\x06\x07\x08\x09", O_WRONLY | O_CREAT, 0600)

will be processed safely by converting to

 Access /tmp/\001\002\003\004\005\006\007\010\011 denied.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-02-12 15:15:04 +11:00
..
integrity/ima integrity: audit update 2009-02-12 09:40:14 +11:00
keys security: introduce missing kfree 2009-01-17 14:24:46 -08:00
selinux Merge branch 'master' into next 2009-02-06 11:01:45 +11:00
smack smackfs load append mode fix 2009-01-27 20:13:32 -08:00
tomoyo Memory and pathname management functions. 2009-02-12 15:15:04 +11:00
capability.c Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]" 2009-01-07 09:21:54 +11:00
commoncap.c Merge branch 'next' into for-linus 2009-01-07 09:58:22 +11:00
device_cgroup.c devices cgroup: allow mkfifo 2009-01-08 08:31:03 -08:00
inode.c Merge branch 'master' into next 2009-02-06 11:01:45 +11:00
Kconfig Merge branch 'master' into next 2009-02-06 11:01:45 +11:00
Makefile integrity: IMA as an integrity service provider 2009-02-06 09:05:30 +11:00
root_plug.c Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]" 2009-01-07 09:21:54 +11:00
security.c Merge branch 'next' into for-linus 2009-01-07 09:58:22 +11:00