The patch fixes it, thanks.

On 01-15-12, Tetsuo Handa wrote:
> Steven Allen wrote:
> > In Tomoyo 2.5 (kernel 3.2.1) I am unable to add ACLs for sockets with
> > null characters as per:
> > http://tomoyo.sourceforge.jp/2.5/policy-specification/domain-policy-syntax.html.en
> > 
> > Nothing happens when I add them through tomoyo-editpolicy. If I manually
> > add them to the domain policy, they are removed on load. Using \?
> > instead of \000 works. Policy violations involving \000 are correctly
> > logged.
> > 
> > The ACL in question:
> > network unix stream connect \000/tmp/.X11-unix/X\$
> > 
> Thank you for catching this bug. I found the difference below between
> http://tomoyo.sourceforge.jp/cgi-bin/lxr/ident?i=ccs_correct_word2 and
> http://tomoyo.sourceforge.jp/cgi-bin/lxr/ident?i=tomoyo_correct_word2 .
> 
> The patch below should fix this bug. (And if the patch works, please reply to
> [email protected] because I'm unable to send mail to / receive mail from
> the vger.kernel.org domain due to an unknown problem since 05 Jan 2012 17:20 GMT.)
> ----------------------------------------
> [PATCH] TOMOYO: Accept \000 as a valid character.
> 
> TOMOYO 2.5 in Linux 3.2 and later handles Unix domain socket's address.
> Thus, tomoyo_correct_word2() needs to accept \000 as a valid character, or
> TOMOYO 2.5 cannot handle Unix domain's abstract socket address.
> 
> Reported-by: Steven Allen <[email protected]>
> Signed-off-by: Tetsuo Handa <[email protected]>
> CC: [email protected] [3.2+]
> ----------
> diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c
> index 4a9b4b2..867558c 100644
> --- a/security/tomoyo/util.c
> +++ b/security/tomoyo/util.c
> @@ -492,13 +492,13 @@ static bool tomoyo_correct_word2(const char *string, 
> size_t len)
>                               if (d < '0' || d > '7' || e < '0' || e > '7')
>                                       break;
>                               c = tomoyo_make_byte(c, d, e);
> -                             if (tomoyo_invalid(c))
> -                                     continue; /* pattern is not \000 */
> +                             if (c <= ' ' || c >= 127)
> +                                     continue;
>                       }
>                       goto out;
>               } else if (in_repetition && c == '/') {
>                       goto out;
> -             } else if (tomoyo_invalid(c)) {
> +             } else if (c <= ' ' || c >= 127) {
>                       goto out;
>               }
>       }
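Review bot: the same range test, c <= ' ' || c >= 127, is now open-coded at both changed sites, and the first site (right after tomoyo_make_byte()) loses the only comment that said how \000 is treated. Since accepting \000 is the whole point of the change, a short comment there stating that a decoded zero byte is intentionally allowed for abstract Unix socket addresses would keep a later cleanup from switching back to tomoyo_invalid(). A small named helper shared by both sites would also keep them from drifting apart. The second site, the final else-if on a raw character, is changed too, but the commit message only discusses the escaped \000 form. If the old helper exempted zero, as the removed comment suggests, a raw zero byte inside len now goes to out where it did not before. Please say in the message whether that is intended.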
> 
> _______________________________________________
> tomoyo-users-en mailing list
> [email protected]
> http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en

-- 
Steven Allen
MIT 2014, EECS
MacGregor #E221
(310) 433-5865
