Commit c9ea870c authored by Linus Torvalds

Merge tag 'tomoyo-pr-20211222' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1

Pull tomoyo fixes from Tetsuo Handa:
 "Two overhead reduction patches for testing/fuzzing environment"

* tag 'tomoyo-pr-20211222' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1:
  tomoyo: use hweight16() in tomoyo_domain_quota_is_ok()
  tomoyo: Check exceeded quota early in tomoyo_domain_quota_is_ok().
parents e19e2263 f702e110
+14 −17
@@ -1051,10 +1051,11 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
		return false;
	if (!domain)
		return true;
	if (READ_ONCE(domain->flags[TOMOYO_DIF_QUOTA_WARNED]))
		return false;
	list_for_each_entry_rcu(ptr, &domain->acl_info_list, list,
				srcu_read_lock_held(&tomoyo_ss)) {
		u16 perm;
		u8 i;

		if (ptr->is_deleted)
			continue;
@@ -1065,23 +1066,23 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
		 */
		switch (ptr->type) {
		case TOMOYO_TYPE_PATH_ACL:
			data_race(perm = container_of(ptr, struct tomoyo_path_acl, head)->perm);
			perm = data_race(container_of(ptr, struct tomoyo_path_acl, head)->perm);
			break;
		case TOMOYO_TYPE_PATH2_ACL:
			data_race(perm = container_of(ptr, struct tomoyo_path2_acl, head)->perm);
			perm = data_race(container_of(ptr, struct tomoyo_path2_acl, head)->perm);
			break;
		case TOMOYO_TYPE_PATH_NUMBER_ACL:
			data_race(perm = container_of(ptr, struct tomoyo_path_number_acl, head)
			perm = data_race(container_of(ptr, struct tomoyo_path_number_acl, head)
				  ->perm);
			break;
		case TOMOYO_TYPE_MKDEV_ACL:
			data_race(perm = container_of(ptr, struct tomoyo_mkdev_acl, head)->perm);
			perm = data_race(container_of(ptr, struct tomoyo_mkdev_acl, head)->perm);
			break;
		case TOMOYO_TYPE_INET_ACL:
			data_race(perm = container_of(ptr, struct tomoyo_inet_acl, head)->perm);
			perm = data_race(container_of(ptr, struct tomoyo_inet_acl, head)->perm);
			break;
		case TOMOYO_TYPE_UNIX_ACL:
			data_race(perm = container_of(ptr, struct tomoyo_unix_acl, head)->perm);
			perm = data_race(container_of(ptr, struct tomoyo_unix_acl, head)->perm);
			break;
		case TOMOYO_TYPE_MANUAL_TASK_ACL:
			perm = 0;
@@ -1089,21 +1090,17 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
		default:
			perm = 1;
		}
		for (i = 0; i < 16; i++)
			if (perm & (1 << i))
				count++;
		count += hweight16(perm);
	}
	if (count < tomoyo_profile(domain->ns, domain->profile)->
	    pref[TOMOYO_PREF_MAX_LEARNING_ENTRY])
		return true;
	if (!domain->flags[TOMOYO_DIF_QUOTA_WARNED]) {
		domain->flags[TOMOYO_DIF_QUOTA_WARNED] = true;
	WRITE_ONCE(domain->flags[TOMOYO_DIF_QUOTA_WARNED], true);
	/* r->granted = false; */
	tomoyo_write_log(r, "%s", tomoyo_dif[TOMOYO_DIF_QUOTA_WARNED]);
#ifndef CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING
	pr_warn("WARNING: Domain '%s' has too many ACLs to hold. Stopped learning mode.\n",
		domain->domainname->name);
#endif
	}
	return false;
}
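Review bot: The early `READ_ONCE(domain->flags[TOMOYO_DIF_QUOTA_WARNED])` return placed before the ACL walk makes the warned flag sticky, and nothing on the new side documents that: the old side recounted on every call, so a domain whose entry count fell back under `pref[TOMOYO_PREF_MAX_LEARNING_ENTRY]` would get `true` again, whereas now it gets `false` until something clears the flag (the clearing path is not visible on this page, so this is inferred). I would add a comment above the check, e.g. `/* Quota already exceeded: skip the walk. Learning stays stopped until QUOTA_WARNED is cleared, even if entries are deleted. */`. Separately, with the `if (!domain->flags[...])` guard gone, two callers that both pass the early check can each reach `WRITE_ONCE()` and emit the log entry and `pr_warn()` twice; that looks benign but is worth a word in the same comment. The function body starts before the first hunk, so the declaration of `count` and the initial checks are not reviewed here.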