1. 13 Sep, 2011 1 commit
    • TOMOYO: Add environment variable name restriction support. · d58e0da8
      Tetsuo Handa authored
      
      This patch adds support for checking environment variable's names.
      Although TOMOYO already provides ability to check argv[]/envp[] passed to
      execve() requests,
      
        file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"
      
      will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
      defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
      administrators have to specify like
      
        file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
        file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL
      
      . Since there are many environment variables whereas conditional checks are
      applied as "&&", it is difficult to cover all combinations. Therefore, this
      patch supports conditional checks that are applied as "||", by specifying like
      
        file execute /bin/sh
        misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"
      
      which means "grant execution of /bin/sh if environment variable is not defined
      or is defined and its value is /system/lib".
      
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: James Morris <jmorris@namei.org>
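
The "&&" versus "||" point in the commit message above, modelled as an added example (not code from the commit or from TOMOYO). It shows that covering "unset or allowed value" for n variables takes 2^n `file execute` lines but only n `misc env` lines. Assumptions: the function names, the sample values other than `/system/lib`, and the simplification that variables without a `misc env` line are outside the model.

```python
from itertools import product

# Constructed sample policy: variable name -> the single value the policy permits.
ALLOWED = {
    "LD_LIBRARY_PATH": "/system/lib",       # value taken from the commit message
    "LD_PRELOAD": "/system/lib/libfoo.so",  # constructed
    "PATH": "/bin",                         # constructed
}

def and_rule_matches(envp, conds):
    """One 'file execute' line: every exec.envp[...] condition must hold ("&&").
    A wanted value of None stands for =NULL (the variable must be undefined)."""
    return all(envp.get(name) == want for name, want in conds.items())

def and_policy_allows(envp, rules):
    """Execution is granted if any single 'file execute' line matches."""
    return any(and_rule_matches(envp, rule) for rule in rules)

def expand_and_rules(allowed):
    """Every 'file execute' line needed so that each variable may be either
    undefined or set to its allowed value: one line per combination."""
    names = sorted(allowed)
    choices = [(allowed[n], None) for n in names]
    return [dict(zip(names, combo)) for combo in product(*choices)]

def misc_env_allows(envp, allowed):
    """'misc env NAME exec.envp["NAME"]="value"' lines: a line is consulted
    only when NAME is actually defined, which gives the "||" behaviour."""
    return all(envp[n] == v for n, v in allowed.items() if n in envp)

def all_envps(allowed):
    """Each variable is undefined, set to its allowed value, or set to "bar"."""
    names = sorted(allowed)
    for combo in product(*[(None, allowed[n], "bar") for n in names]):
        yield {n: v for n, v in zip(names, combo) if v is not None}

def policies_agree(allowed):
    """True if both policy styles reach the same decision for every envp."""
    rules = expand_and_rules(allowed)
    return all(and_policy_allows(e, rules) == misc_env_allows(e, allowed)
               for e in all_envps(allowed))

if __name__ == "__main__":
    print(len(expand_and_rules(ALLOWED)), "file execute lines vs",
          len(ALLOWED), "misc env lines; same decisions:", policies_agree(ALLOWED))
```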
  2. 11 Jul, 2011 1 commit
  3. 28 Jun, 2011 2 commits
  4. 02 Aug, 2010 4 commits
  5. 16 May, 2010 1 commit
  6. 14 Feb, 2010 1 commit
  7. 12 Feb, 2009 1 commit