mirror of
https://github.com/torvalds/linux.git
synced 2026-06-04 20:46:48 +02:00
This patch adds support for checking environment variable names.

Although TOMOYO already provides the ability to check argv[]/envp[] passed to
execve() requests,

    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"

will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
administrators have to specify lines like

    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL

Since there are many environment variables whereas conditional checks are
applied as "&&", it is difficult to cover all combinations.

Therefore, this patch supports conditional checks that are applied as "||", by
specifying lines like

    file execute /bin/sh
    misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"

which means "grant execution of /bin/sh if environment variable is not defined
or is defined and its value is /system/lib".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
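As an added example, not code from this commit or from TOMOYO's sources, the following Python model encodes the evaluation order the commit message describes: the condition on a `file execute` rule is checked against the whole environment (so several conditions are AND-ed), while a `misc env` rule is only consulted for variables that are actually passed, which is what turns the check into "undefined OR equal to the value". The two-stage order, one condition per rule, and the `*` catch-all name are simplifications assumed by the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the policy semantics described in the commit message.
# It is not TOMOYO's code: each rule carries at most one envp condition, and
# the variable name "*" stands in for TOMOYO's wildcard patterns.
EnvCond = Optional[Tuple[str, Optional[str]]]  # (NAME, value); None value = NULL

@dataclass(frozen=True)
class Rule:
    kind: str           # "file execute" or "misc env"
    subject: str        # program path, or environment variable name
    cond: EnvCond = None

def cond_holds(cond: EnvCond, envp: Dict[str, str]) -> bool:
    """exec.envp["NAME"]="v" holds only if NAME is defined with value v;
    exec.envp["NAME"]=NULL holds only if NAME is undefined."""
    if cond is None:
        return True
    name, want = cond
    return envp.get(name) == want

def execve_allowed(rules: List[Rule], program: str, envp: Dict[str, str]) -> bool:
    # Stage 1: a "file execute" rule for the program must match. Conditions are
    # AND-ed, so one rule cannot accept both "defined as X" and "undefined".
    if not any(r.kind == "file execute" and r.subject == program
               and cond_holds(r.cond, envp) for r in rules):
        return False
    # Stage 2: every variable actually passed must be granted by a "misc env"
    # rule whose condition holds. A variable that is not passed is never
    # checked, which is what yields "undefined OR equal to /system/lib".
    return all(any(r.kind == "misc env" and r.subject in (name, "*")
                   and cond_holds(r.cond, envp) for r in rules) for name in envp)

# The three policies from the commit message, encoded as Rule lists.
SINGLE_COND = [Rule("file execute", "/bin/sh", ("LD_LIBRARY_PATH", "bar")),
               Rule("misc env", "*")]
AND_STYLE = [Rule("file execute", "/bin/sh", ("LD_LIBRARY_PATH", "/system/lib")),
             Rule("file execute", "/bin/sh", ("LD_LIBRARY_PATH", None)),
             Rule("misc env", "*")]
OR_STYLE = [Rule("file execute", "/bin/sh"),  # unconditional execute ...
            Rule("misc env", "LD_LIBRARY_PATH", ("LD_LIBRARY_PATH", "/system/lib")),
            Rule("misc env", "PATH")]         # ... plus explicitly granted names

if __name__ == "__main__":
    for label, envp in [("undefined", {}), ("ok", {"LD_LIBRARY_PATH": "/system/lib"}),
                        ("bad", {"LD_LIBRARY_PATH": "bar"})]:
        print(label, execve_allowed(SINGLE_COND, "/bin/sh", envp),
              execve_allowed(AND_STYLE, "/bin/sh", envp),
              execve_allowed(OR_STYLE, "/bin/sh", envp))
```

In this model a catch-all `misc env *` rule in the same domain would also match LD_LIBRARY_PATH and bypass the value condition, which is why OR_STYLE grants the other variable names individually.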