2 * security/tomoyo/domain.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
13 #include <linux/binfmts.h>
14 #include <linux/slab.h>
16 /* Variables definitions.*/
18 /* The initial domain. */
19 struct tomoyo_domain_info tomoyo_kernel_domain;
22 * tomoyo_domain_list is used for holding list of domains.
23 * The ->acl_info_list of "struct tomoyo_domain_info" is used for holding
24 * permissions (e.g. "allow_read /lib/libc-2.5.so") given to each domain.
26 * An entry is added by
28 * # ( echo "<kernel>"; echo "allow_execute /sbin/init" ) > \
29 * /sys/kernel/security/tomoyo/domain_policy
33 * # ( echo "<kernel>"; echo "delete allow_execute /sbin/init" ) > \
34 * /sys/kernel/security/tomoyo/domain_policy
36 * and all entries are retrieved by
38 * # cat /sys/kernel/security/tomoyo/domain_policy
40 * A domain is added by
42 * # echo "<kernel>" > /sys/kernel/security/tomoyo/domain_policy
46 * # echo "delete <kernel>" > /sys/kernel/security/tomoyo/domain_policy
48 * and all domains are retrieved by
50 * # grep '^<kernel>' /sys/kernel/security/tomoyo/domain_policy
52 * Normally, a domainname is monotonically getting longer because a domainname
53 * which the process will belong to if an execve() operation succeeds is
54 * defined as a concatenation of "current domainname" + "pathname passed to
56 * See tomoyo_domain_initializer_list and tomoyo_domain_keeper_list for
59 LIST_HEAD(tomoyo_domain_list);
62 * tomoyo_get_last_name - Get last component of a domainname.
64 * @domain: Pointer to "struct tomoyo_domain_info".
66 * Returns the last component of the domainname.
68 const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain)
70 const char *cp0 = domain->domainname->name;
71 const char *cp1 = strrchr(cp0, ' ');
79 * tomoyo_domain_initializer_list is used for holding list of programs which
80 * triggers reinitialization of domainname. Normally, a domainname is
81 * monotonically getting longer. But sometimes, we restart daemon programs.
82 * It would be convenient for us that "a daemon started upon system boot" and
83 * "the daemon restarted from console" belong to the same domain. Thus, TOMOYO
84 * provides a way to shorten domainnames.
86 * An entry is added by
88 * # echo 'initialize_domain /usr/sbin/httpd' > \
89 * /sys/kernel/security/tomoyo/exception_policy
93 * # echo 'delete initialize_domain /usr/sbin/httpd' > \
94 * /sys/kernel/security/tomoyo/exception_policy
96 * and all entries are retrieved by
98 * # grep ^initialize_domain /sys/kernel/security/tomoyo/exception_policy
100 * In the example above, /usr/sbin/httpd will belong to
101 * "<kernel> /usr/sbin/httpd" domain.
103 * You may specify a domainname using "from" keyword.
104 * "initialize_domain /usr/sbin/httpd from <kernel> /etc/rc.d/init.d/httpd"
105 * will cause "/usr/sbin/httpd" executed from "<kernel> /etc/rc.d/init.d/httpd"
106 * domain to belong to "<kernel> /usr/sbin/httpd" domain.
108 * You may add "no_" prefix to "initialize_domain".
109 * "initialize_domain /usr/sbin/httpd" and
110 * "no_initialize_domain /usr/sbin/httpd from <kernel> /etc/rc.d/init.d/httpd"
111 * will cause "/usr/sbin/httpd" to belong to "<kernel> /usr/sbin/httpd" domain
112 * unless executed from "<kernel> /etc/rc.d/init.d/httpd" domain.
114 LIST_HEAD(tomoyo_domain_initializer_list);
117 * tomoyo_update_domain_initializer_entry - Update "struct tomoyo_domain_initializer_entry" list.
119 * @domainname: The name of domain. May be NULL.
120 * @program: The name of program.
121 * @is_not: True if it is "no_initialize_domain" entry.
122 * @is_delete: True if it is a delete request.
124 * Returns 0 on success, negative value otherwise.
126 * Caller holds tomoyo_read_lock().
128 static int tomoyo_update_domain_initializer_entry(const char *domainname,
131 const bool is_delete)
133 struct tomoyo_domain_initializer_entry *entry = NULL;
134 struct tomoyo_domain_initializer_entry *ptr;
135 const struct tomoyo_path_info *saved_program = NULL;
136 const struct tomoyo_path_info *saved_domainname = NULL;
137 int error = is_delete ? -ENOENT : -ENOMEM;
138 bool is_last_name = false;
140 if (!tomoyo_is_correct_path(program, 1, -1, -1))
141 return -EINVAL; /* No patterns allowed. */
143 if (!tomoyo_is_domain_def(domainname) &&
144 tomoyo_is_correct_path(domainname, 1, -1, -1))
146 else if (!tomoyo_is_correct_domain(domainname))
148 saved_domainname = tomoyo_get_name(domainname);
149 if (!saved_domainname)
152 saved_program = tomoyo_get_name(program);
156 entry = kmalloc(sizeof(*entry), GFP_NOFS);
157 if (mutex_lock_interruptible(&tomoyo_policy_lock))
159 list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) {
160 if (ptr->is_not != is_not ||
161 ptr->domainname != saved_domainname ||
162 ptr->program != saved_program)
164 ptr->is_deleted = is_delete;
168 if (!is_delete && error && tomoyo_memory_ok(entry)) {
169 entry->domainname = saved_domainname;
170 saved_domainname = NULL;
171 entry->program = saved_program;
172 saved_program = NULL;
173 entry->is_not = is_not;
174 entry->is_last_name = is_last_name;
175 list_add_tail_rcu(&entry->list,
176 &tomoyo_domain_initializer_list);
180 mutex_unlock(&tomoyo_policy_lock);
182 tomoyo_put_name(saved_domainname);
183 tomoyo_put_name(saved_program);
189 * tomoyo_read_domain_initializer_policy - Read "struct tomoyo_domain_initializer_entry" list.
191 * @head: Pointer to "struct tomoyo_io_buffer".
193 * Returns true on success, false otherwise.
195 * Caller holds tomoyo_read_lock().
197 bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head)
199 struct list_head *pos;
202 list_for_each_cookie(pos, head->read_var2,
203 &tomoyo_domain_initializer_list) {
205 const char *from = "";
206 const char *domain = "";
207 struct tomoyo_domain_initializer_entry *ptr;
208 ptr = list_entry(pos, struct tomoyo_domain_initializer_entry,
212 no = ptr->is_not ? "no_" : "";
213 if (ptr->domainname) {
215 domain = ptr->domainname->name;
217 done = tomoyo_io_printf(head,
218 "%s" TOMOYO_KEYWORD_INITIALIZE_DOMAIN
219 "%s%s%s\n", no, ptr->program->name,
228 * tomoyo_write_domain_initializer_policy - Write "struct tomoyo_domain_initializer_entry" list.
230 * @data: String to parse.
231 * @is_not: True if it is "no_initialize_domain" entry.
232 * @is_delete: True if it is a delete request.
234 * Returns 0 on success, negative value otherwise.
236 * Caller holds tomoyo_read_lock().
238 int tomoyo_write_domain_initializer_policy(char *data, const bool is_not,
239 const bool is_delete)
241 char *cp = strstr(data, " from ");
245 return tomoyo_update_domain_initializer_entry(cp + 6, data,
249 return tomoyo_update_domain_initializer_entry(NULL, data, is_not,
254 * tomoyo_is_domain_initializer - Check whether the given program causes domainname reinitialization.
256 * @domainname: The name of domain.
257 * @program: The name of program.
258 * @last_name: The last component of @domainname.
260 * Returns true if executing @program reinitializes domain transition,
263 * Caller holds tomoyo_read_lock().
265 static bool tomoyo_is_domain_initializer(const struct tomoyo_path_info *
267 const struct tomoyo_path_info *program,
268 const struct tomoyo_path_info *
271 struct tomoyo_domain_initializer_entry *ptr;
274 list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) {
277 if (ptr->domainname) {
278 if (!ptr->is_last_name) {
279 if (ptr->domainname != domainname)
282 if (tomoyo_pathcmp(ptr->domainname, last_name))
286 if (tomoyo_pathcmp(ptr->program, program))
298 * tomoyo_domain_keeper_list is used for holding list of domainnames which
299 * suppresses domain transition. Normally, a domainname is monotonically
300 * getting longer. But sometimes, we want to suppress domain transition.
301 * It would be convenient for us that programs executed from a login session
302 * belong to the same domain. Thus, TOMOYO provides a way to suppress domain
305 * An entry is added by
307 * # echo 'keep_domain <kernel> /usr/sbin/sshd /bin/bash' > \
308 * /sys/kernel/security/tomoyo/exception_policy
312 * # echo 'delete keep_domain <kernel> /usr/sbin/sshd /bin/bash' > \
313 * /sys/kernel/security/tomoyo/exception_policy
315 * and all entries are retrieved by
317 * # grep ^keep_domain /sys/kernel/security/tomoyo/exception_policy
319 * In the example above, any process which belongs to
320 * "<kernel> /usr/sbin/sshd /bin/bash" domain will remain in that domain,
321 * unless explicitly specified by "initialize_domain" or "no_keep_domain".
323 * You may specify a program using "from" keyword.
324 * "keep_domain /bin/pwd from <kernel> /usr/sbin/sshd /bin/bash"
325 * will cause "/bin/pwd" executed from "<kernel> /usr/sbin/sshd /bin/bash"
326 * domain to remain in "<kernel> /usr/sbin/sshd /bin/bash" domain.
328 * You may add "no_" prefix to "keep_domain".
329 * "keep_domain <kernel> /usr/sbin/sshd /bin/bash" and
330 * "no_keep_domain /usr/bin/passwd from <kernel> /usr/sbin/sshd /bin/bash" will
331 * cause "/usr/bin/passwd" to belong to
332 * "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain, unless
333 * explicitly specified by "initialize_domain".
335 LIST_HEAD(tomoyo_domain_keeper_list);
338 * tomoyo_update_domain_keeper_entry - Update "struct tomoyo_domain_keeper_entry" list.
340 * @domainname: The name of domain.
341 * @program: The name of program. May be NULL.
342 * @is_not: True if it is "no_keep_domain" entry.
343 * @is_delete: True if it is a delete request.
345 * Returns 0 on success, negative value otherwise.
347 * Caller holds tomoyo_read_lock().
349 static int tomoyo_update_domain_keeper_entry(const char *domainname,
352 const bool is_delete)
354 struct tomoyo_domain_keeper_entry *entry = NULL;
355 struct tomoyo_domain_keeper_entry *ptr;
356 const struct tomoyo_path_info *saved_domainname = NULL;
357 const struct tomoyo_path_info *saved_program = NULL;
358 int error = is_delete ? -ENOENT : -ENOMEM;
359 bool is_last_name = false;
361 if (!tomoyo_is_domain_def(domainname) &&
362 tomoyo_is_correct_path(domainname, 1, -1, -1))
364 else if (!tomoyo_is_correct_domain(domainname))
367 if (!tomoyo_is_correct_path(program, 1, -1, -1))
369 saved_program = tomoyo_get_name(program);
373 saved_domainname = tomoyo_get_name(domainname);
374 if (!saved_domainname)
377 entry = kmalloc(sizeof(*entry), GFP_NOFS);
378 if (mutex_lock_interruptible(&tomoyo_policy_lock))
380 list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) {
381 if (ptr->is_not != is_not ||
382 ptr->domainname != saved_domainname ||
383 ptr->program != saved_program)
385 ptr->is_deleted = is_delete;
389 if (!is_delete && error && tomoyo_memory_ok(entry)) {
390 entry->domainname = saved_domainname;
391 saved_domainname = NULL;
392 entry->program = saved_program;
393 saved_program = NULL;
394 entry->is_not = is_not;
395 entry->is_last_name = is_last_name;
396 list_add_tail_rcu(&entry->list, &tomoyo_domain_keeper_list);
400 mutex_unlock(&tomoyo_policy_lock);
402 tomoyo_put_name(saved_domainname);
403 tomoyo_put_name(saved_program);
409 * tomoyo_write_domain_keeper_policy - Write "struct tomoyo_domain_keeper_entry" list.
411 * @data: String to parse.
412 * @is_not: True if it is "no_keep_domain" entry.
413 * @is_delete: True if it is a delete request.
415 * Caller holds tomoyo_read_lock().
417 int tomoyo_write_domain_keeper_policy(char *data, const bool is_not,
418 const bool is_delete)
420 char *cp = strstr(data, " from ");
424 return tomoyo_update_domain_keeper_entry(cp + 6, data, is_not,
427 return tomoyo_update_domain_keeper_entry(data, NULL, is_not, is_delete);
431 * tomoyo_read_domain_keeper_policy - Read "struct tomoyo_domain_keeper_entry" list.
433 * @head: Pointer to "struct tomoyo_io_buffer".
435 * Returns true on success, false otherwise.
437 * Caller holds tomoyo_read_lock().
439 bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head)
441 struct list_head *pos;
444 list_for_each_cookie(pos, head->read_var2,
445 &tomoyo_domain_keeper_list) {
446 struct tomoyo_domain_keeper_entry *ptr;
448 const char *from = "";
449 const char *program = "";
451 ptr = list_entry(pos, struct tomoyo_domain_keeper_entry, list);
454 no = ptr->is_not ? "no_" : "";
457 program = ptr->program->name;
459 done = tomoyo_io_printf(head,
460 "%s" TOMOYO_KEYWORD_KEEP_DOMAIN
461 "%s%s%s\n", no, program, from,
462 ptr->domainname->name);
470 * tomoyo_is_domain_keeper - Check whether the given program causes domain transition suppression.
472 * @domainname: The name of domain.
473 * @program: The name of program.
474 * @last_name: The last component of @domainname.
476 * Returns true if executing @program supresses domain transition,
479 * Caller holds tomoyo_read_lock().
481 static bool tomoyo_is_domain_keeper(const struct tomoyo_path_info *domainname,
482 const struct tomoyo_path_info *program,
483 const struct tomoyo_path_info *last_name)
485 struct tomoyo_domain_keeper_entry *ptr;
488 list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) {
491 if (!ptr->is_last_name) {
492 if (ptr->domainname != domainname)
495 if (tomoyo_pathcmp(ptr->domainname, last_name))
498 if (ptr->program && tomoyo_pathcmp(ptr->program, program))
510 * tomoyo_alias_list is used for holding list of symlink's pathnames which are
511 * allowed to be passed to an execve() request. Normally, the domainname which
512 * the current process will belong to after execve() succeeds is calculated
513 * using dereferenced pathnames. But some programs behave differently depending
514 * on the name passed to argv[0]. For busybox, calculating domainname using
515 * dereferenced pathnames will cause all programs in the busybox to belong to
516 * the same domain. Thus, TOMOYO provides a way to allow use of symlink's
517 * pathname for checking execve()'s permission and calculating domainname which
518 * the current process will belong to after execve() succeeds.
520 * An entry is added by
522 * # echo 'alias /bin/busybox /bin/cat' > \
523 * /sys/kernel/security/tomoyo/exception_policy
527 * # echo 'delete alias /bin/busybox /bin/cat' > \
528 * /sys/kernel/security/tomoyo/exception_policy
530 * and all entries are retrieved by
532 * # grep ^alias /sys/kernel/security/tomoyo/exception_policy
534 * In the example above, if /bin/cat is a symlink to /bin/busybox and execution
535 * of /bin/cat is requested, permission is checked for /bin/cat rather than
536 * /bin/busybox and domainname which the current process will belong to after
537 * execve() succeeds is calculated using /bin/cat rather than /bin/busybox .
539 LIST_HEAD(tomoyo_alias_list);
542 * tomoyo_update_alias_entry - Update "struct tomoyo_alias_entry" list.
544 * @original_name: The original program's real name.
545 * @aliased_name: The symbolic program's symbolic link's name.
546 * @is_delete: True if it is a delete request.
548 * Returns 0 on success, negative value otherwise.
550 * Caller holds tomoyo_read_lock().
552 static int tomoyo_update_alias_entry(const char *original_name,
553 const char *aliased_name,
554 const bool is_delete)
556 struct tomoyo_alias_entry *entry = NULL;
557 struct tomoyo_alias_entry *ptr;
558 const struct tomoyo_path_info *saved_original_name;
559 const struct tomoyo_path_info *saved_aliased_name;
560 int error = is_delete ? -ENOENT : -ENOMEM;
562 if (!tomoyo_is_correct_path(original_name, 1, -1, -1) ||
563 !tomoyo_is_correct_path(aliased_name, 1, -1, -1))
564 return -EINVAL; /* No patterns allowed. */
565 saved_original_name = tomoyo_get_name(original_name);
566 saved_aliased_name = tomoyo_get_name(aliased_name);
567 if (!saved_original_name || !saved_aliased_name)
570 entry = kmalloc(sizeof(*entry), GFP_NOFS);
571 if (mutex_lock_interruptible(&tomoyo_policy_lock))
573 list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
574 if (ptr->original_name != saved_original_name ||
575 ptr->aliased_name != saved_aliased_name)
577 ptr->is_deleted = is_delete;
581 if (!is_delete && error && tomoyo_memory_ok(entry)) {
582 entry->original_name = saved_original_name;
583 saved_original_name = NULL;
584 entry->aliased_name = saved_aliased_name;
585 saved_aliased_name = NULL;
586 list_add_tail_rcu(&entry->list, &tomoyo_alias_list);
590 mutex_unlock(&tomoyo_policy_lock);
592 tomoyo_put_name(saved_original_name);
593 tomoyo_put_name(saved_aliased_name);
599 * tomoyo_read_alias_policy - Read "struct tomoyo_alias_entry" list.
601 * @head: Pointer to "struct tomoyo_io_buffer".
603 * Returns true on success, false otherwise.
605 * Caller holds tomoyo_read_lock().
607 bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head)
609 struct list_head *pos;
612 list_for_each_cookie(pos, head->read_var2, &tomoyo_alias_list) {
613 struct tomoyo_alias_entry *ptr;
615 ptr = list_entry(pos, struct tomoyo_alias_entry, list);
618 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALIAS "%s %s\n",
619 ptr->original_name->name,
620 ptr->aliased_name->name);
628 * tomoyo_write_alias_policy - Write "struct tomoyo_alias_entry" list.
630 * @data: String to parse.
631 * @is_delete: True if it is a delete request.
633 * Returns 0 on success, negative value otherwise.
635 * Caller holds tomoyo_read_lock().
637 int tomoyo_write_alias_policy(char *data, const bool is_delete)
639 char *cp = strchr(data, ' ');
644 return tomoyo_update_alias_entry(data, cp, is_delete);
648 * tomoyo_find_or_assign_new_domain - Create a domain.
650 * @domainname: The name of domain.
651 * @profile: Profile number to assign if the domain was newly created.
653 * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
655 * Caller holds tomoyo_read_lock().
657 struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
661 struct tomoyo_domain_info *entry;
662 struct tomoyo_domain_info *domain = NULL;
663 const struct tomoyo_path_info *saved_domainname;
666 if (!tomoyo_is_correct_domain(domainname))
668 saved_domainname = tomoyo_get_name(domainname);
669 if (!saved_domainname)
671 entry = kzalloc(sizeof(*entry), GFP_NOFS);
672 if (mutex_lock_interruptible(&tomoyo_policy_lock))
674 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
675 if (domain->is_deleted ||
676 tomoyo_pathcmp(saved_domainname, domain->domainname))
681 if (!found && tomoyo_memory_ok(entry)) {
682 INIT_LIST_HEAD(&entry->acl_info_list);
683 entry->domainname = saved_domainname;
684 saved_domainname = NULL;
685 entry->profile = profile;
686 list_add_tail_rcu(&entry->list, &tomoyo_domain_list);
691 mutex_unlock(&tomoyo_policy_lock);
693 tomoyo_put_name(saved_domainname);
695 return found ? domain : NULL;
699 * tomoyo_find_next_domain - Find a domain.
701 * @bprm: Pointer to "struct linux_binprm".
703 * Returns 0 on success, negative value otherwise.
705 * Caller holds tomoyo_read_lock().
707 int tomoyo_find_next_domain(struct linux_binprm *bprm)
710 * This function assumes that the size of buffer returned by
711 * tomoyo_realpath() = TOMOYO_MAX_PATHNAME_LEN.
713 struct tomoyo_page_buffer *tmp = kzalloc(sizeof(*tmp), GFP_NOFS);
714 struct tomoyo_domain_info *old_domain = tomoyo_domain();
715 struct tomoyo_domain_info *domain = NULL;
716 const char *old_domain_name = old_domain->domainname->name;
717 const char *original_name = bprm->filename;
718 char *new_domain_name = NULL;
719 char *real_program_name = NULL;
720 char *symlink_program_name = NULL;
721 const u8 mode = tomoyo_check_flags(old_domain, TOMOYO_MAC_FOR_FILE);
722 const bool is_enforce = (mode == 3);
723 int retval = -ENOMEM;
724 struct tomoyo_path_info r; /* real name */
725 struct tomoyo_path_info s; /* symlink name */
726 struct tomoyo_path_info l; /* last name */
727 static bool initialized;
734 * Built-in initializers. This is needed because policies are
735 * not loaded until starting /sbin/init.
737 tomoyo_update_domain_initializer_entry(NULL, "/sbin/hotplug",
739 tomoyo_update_domain_initializer_entry(NULL, "/sbin/modprobe",
744 /* Get tomoyo_realpath of program. */
746 /* I hope tomoyo_realpath() won't fail with -ENOMEM. */
747 real_program_name = tomoyo_realpath(original_name);
748 if (!real_program_name)
750 /* Get tomoyo_realpath of symbolic link. */
751 symlink_program_name = tomoyo_realpath_nofollow(original_name);
752 if (!symlink_program_name)
755 r.name = real_program_name;
756 tomoyo_fill_path_info(&r);
757 s.name = symlink_program_name;
758 tomoyo_fill_path_info(&s);
759 l.name = tomoyo_get_last_name(old_domain);
760 tomoyo_fill_path_info(&l);
762 /* Check 'alias' directive. */
763 if (tomoyo_pathcmp(&r, &s)) {
764 struct tomoyo_alias_entry *ptr;
765 /* Is this program allowed to be called via symbolic links? */
766 list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
767 if (ptr->is_deleted ||
768 tomoyo_pathcmp(&r, ptr->original_name) ||
769 tomoyo_pathcmp(&s, ptr->aliased_name))
771 memset(real_program_name, 0, TOMOYO_MAX_PATHNAME_LEN);
772 strncpy(real_program_name, ptr->aliased_name->name,
773 TOMOYO_MAX_PATHNAME_LEN - 1);
774 tomoyo_fill_path_info(&r);
779 /* Check execute permission. */
780 retval = tomoyo_check_exec_perm(old_domain, &r);
784 new_domain_name = tmp->buffer;
785 if (tomoyo_is_domain_initializer(old_domain->domainname, &r, &l)) {
786 /* Transit to the child of tomoyo_kernel_domain domain. */
787 snprintf(new_domain_name, TOMOYO_MAX_PATHNAME_LEN + 1,
788 TOMOYO_ROOT_NAME " " "%s", real_program_name);
789 } else if (old_domain == &tomoyo_kernel_domain &&
790 !tomoyo_policy_loaded) {
792 * Needn't to transit from kernel domain before starting
793 * /sbin/init. But transit from kernel domain if executing
794 * initializers because they might start before /sbin/init.
797 } else if (tomoyo_is_domain_keeper(old_domain->domainname, &r, &l)) {
798 /* Keep current domain. */
801 /* Normal domain transition. */
802 snprintf(new_domain_name, TOMOYO_MAX_PATHNAME_LEN + 1,
803 "%s %s", old_domain_name, real_program_name);
805 if (domain || strlen(new_domain_name) >= TOMOYO_MAX_PATHNAME_LEN)
807 domain = tomoyo_find_domain(new_domain_name);
812 domain = tomoyo_find_or_assign_new_domain(new_domain_name,
813 old_domain->profile);
817 printk(KERN_WARNING "TOMOYO-ERROR: Domain '%s' not defined.\n",
822 old_domain->transition_failed = true;
826 /* Update reference count on "struct tomoyo_domain_info". */
827 atomic_inc(&domain->users);
828 bprm->cred->security = domain;
829 kfree(real_program_name);
830 kfree(symlink_program_name);