1 | /* |
2 | * security/tomoyo/realpath.c | |
3 | * | |
4 | * Get the canonicalized absolute pathnames. The basis for TOMOYO. | |
5 | * | |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | |
7 | * | |
39826a1e | 8 | * Version: 2.2.0 2009/04/01 |
9 | * |
10 | */ | |
11 | ||
12 | #include <linux/types.h> | |
13 | #include <linux/mount.h> | |
14 | #include <linux/mnt_namespace.h> | |
5ad4e53b | 15 | #include <linux/fs_struct.h> |
024e1a49 | 16 | #include <linux/hash.h> |
67fa4880 | 17 | #include <linux/magic.h> |
024e1a49 | 18 | |
19 | #include "common.h" |
20 | #include "realpath.h" | |
21 | ||
/**
 * tomoyo_encode - Convert binary string to ascii string.
 *
 * @buffer: Buffer for ASCII string.
 * @buflen: Size of @buffer.
 * @str:    Binary string.
 *
 * Bytes accepted by tomoyo_is_valid() are copied as they are, except that
 * a backslash is doubled; any other non-NUL byte is emitted as a "\ooo"
 * octal escape (presumably so that the result never contains a byte that
 * the policy parser would treat as a delimiter). The output is always
 * NUL-terminated on success.
 *
 * Returns 0 on success, -ENOMEM otherwise.
 */
int tomoyo_encode(char *buffer, int buflen, const char *str)
{
	const unsigned char *src = (const unsigned char *) str;
	char *dst = buffer;
	int remaining = buflen;

	for (;;) {
		const unsigned char c = *src++;

		if (tomoyo_is_valid(c)) {
			/* Printable: copy as is, doubling a backslash. */
			if (--remaining <= 0)
				return -ENOMEM;
			*dst++ = (char) c;
			if (c == '\\') {
				if (--remaining <= 0)
					return -ENOMEM;
				*dst++ = (char) c;
			}
		} else if (c == '\0') {
			/* Terminator: needs one byte of room of its own. */
			if (--remaining <= 0)
				return -ENOMEM;
			*dst = '\0';
			return 0;
		} else {
			/* Anything else becomes "\ooo", four bytes. */
			remaining -= 4;
			if (remaining <= 0)
				return -ENOMEM;
			*dst++ = '\\';
			*dst++ = (char) ((c >> 6) + '0');
			*dst++ = (char) (((c >> 3) & 7) + '0');
			*dst++ = (char) ((c & 7) + '0');
		}
	}
}
63 | ||
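/**
 * tomoyo_realpath_from_path2 - Returns realpath(3) of the given dentry but ignores chroot'ed root.
 *
 * @path:        Pointer to "struct path".
 * @newname:     Pointer to buffer to return value in.
 * @newname_len: Size of @newname. Must be larger than 2048 bytes.
 *
 * Returns 0 on success, negative value otherwise.
 *
 * If dentry is a directory, trailing '/' is appended.
 * Characters out of 0x20 < c < 0x7F range are converted to
 * \ooo style octal string.
 * Character \ is converted to \\ string.
 *
 * The name is built relative to the mount namespace root rather than the
 * caller's chroot'ed root, presumably so that the policy pathname of an
 * object does not depend on which chroot the caller runs in.
 */
int tomoyo_realpath_from_path2(struct path *path, char *newname,
			       int newname_len)
{
	int error = -ENOMEM;
	struct dentry *dentry = path->dentry;
	char *sp;

	/*
	 * 2048 is a hard floor: the d_dname() branch below only offers the
	 * buffer from offset 1536 onward.
	 */
	if (!dentry || !path->mnt || !newname || newname_len <= 2048)
		return -EINVAL;
	if (dentry->d_op && dentry->d_op->d_dname) {
		/* For "socket:[\$]" and "pipe:[\$]". */
		static const int offset = 1536;
		sp = dentry->d_op->d_dname(dentry, newname + offset,
					   newname_len - offset);
	} else {
		/* Taken from d_namespace_path(). */
		struct path root;
		struct path ns_root = { };
		struct path tmp;

		read_lock(&current->fs->lock);
		root = current->fs->root;
		path_get(&root);
		read_unlock(&current->fs->lock);
		spin_lock(&vfsmount_lock);
		if (root.mnt && root.mnt->mnt_ns)
			ns_root.mnt = mntget(root.mnt->mnt_ns->root);
		if (ns_root.mnt)
			ns_root.dentry = dget(ns_root.mnt->mnt_root);
		spin_unlock(&vfsmount_lock);
		spin_lock(&dcache_lock);
		tmp = ns_root;
		sp = __d_path(path, &tmp, newname, newname_len);
		spin_unlock(&dcache_lock);
		path_put(&root);
		path_put(&ns_root);
		/* Prepend "/proc" prefix if using internal proc vfs mount. */
		if (!IS_ERR(sp) && (path->mnt->mnt_parent == path->mnt) &&
		    (path->mnt->mnt_sb->s_magic == PROC_SUPER_MAGIC)) {
			/*
			 * Check the room first: forming sp - 5 before knowing
			 * that it stays inside @newname is out-of-bounds
			 * pointer arithmetic.
			 */
			if (sp - newname >= 5) {
				sp -= 5;
				memcpy(sp, "/proc", 5);
			} else {
				sp = ERR_PTR(-ENOMEM);
			}
		}
	}
	if (IS_ERR(sp))
		error = PTR_ERR(sp);
	else
		/*
		 * sp points into @newname; the bytes in front of it are the
		 * output buffer. tomoyo_encode() never writes at or beyond
		 * the end of that buffer, so the unencoded source at sp is
		 * not overwritten while it is still being read.
		 */
		error = tomoyo_encode(newname, sp - newname, sp);
	/* Append trailing '/' if dentry is a directory. */
	if (!error && dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)
	    && *newname) {
		/* *newname != '\0' guarantees that sp - 1 is inside the buffer. */
		sp = newname + strlen(newname);
		if (*(sp - 1) != '/') {
			/* Need room for '/' and the terminator. */
			if (sp < newname + newname_len - 4) {
				*sp++ = '/';
				*sp = '\0';
			} else {
				error = -ENOMEM;
			}
		}
	}
	if (error)
		printk(KERN_WARNING "tomoyo_realpath: Pathname too long.\n");
	return error;
}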
145 | ||
/**
 * tomoyo_realpath_from_path - Returns realpath(3) of the given pathname but ignores chroot'ed root.
 *
 * @path: Pointer to "struct path".
 *
 * Returns the realpath of the given @path on success, NULL otherwise.
 *
 * These functions use tomoyo_alloc(), so the caller must call tomoyo_free()
 * if these functions didn't return NULL.
 */
char *tomoyo_realpath_from_path(struct path *path)
{
	char *buf;

	/* The scratch page must be able to hold a maximal pathname. */
	BUILD_BUG_ON(sizeof(struct tomoyo_page_buffer)
		     <= TOMOYO_MAX_PATHNAME_LEN - 1);
	buf = tomoyo_alloc(sizeof(struct tomoyo_page_buffer));
	if (!buf)
		return NULL;
	if (tomoyo_realpath_from_path2(path, buf,
				       TOMOYO_MAX_PATHNAME_LEN - 1) != 0) {
		/* Resolution failed: do not hand a half-filled buffer out. */
		tomoyo_free(buf);
		buf = NULL;
	}
	return buf;
}
170 | ||
/**
 * tomoyo_realpath - Get realpath of a pathname.
 *
 * @pathname: The pathname to solve. May be NULL.
 *
 * A trailing symlink is followed (LOOKUP_FOLLOW); compare
 * tomoyo_realpath_nofollow().
 *
 * Returns the realpath of @pathname on success, NULL otherwise.
 * The result is owned by the caller and must be released with tomoyo_free().
 */
char *tomoyo_realpath(const char *pathname)
{
	struct path path;
	char *buf;

	if (!pathname)
		return NULL;
	if (kern_path(pathname, LOOKUP_FOLLOW, &path) != 0)
		return NULL;
	buf = tomoyo_realpath_from_path(&path);
	path_put(&path);
	return buf;
}
189 | ||
/**
 * tomoyo_realpath_nofollow - Get realpath of a pathname.
 *
 * @pathname: The pathname to solve. May be NULL.
 *
 * Unlike tomoyo_realpath(), a trailing symlink is not followed (lookup
 * flags are 0), so the name of the link itself is returned.
 *
 * Returns the realpath of @pathname on success, NULL otherwise.
 * The result is owned by the caller and must be released with tomoyo_free().
 */
char *tomoyo_realpath_nofollow(const char *pathname)
{
	struct path path;
	char *buf;

	if (!pathname)
		return NULL;
	if (kern_path(pathname, 0, &path) != 0)
		return NULL;
	buf = tomoyo_realpath_from_path(&path);
	path_put(&path);
	return buf;
}
208 | ||
/*
 * Memory allocated for non-string data, in bytes as returned by ksize().
 * Only tomoyo_memory_ok() adds to it; its caller holds tomoyo_policy_lock.
 */
static unsigned int tomoyo_allocated_memory_for_elements;
/* Quota for holding non-string data, in bytes. 0 means no limit. */
static unsigned int tomoyo_quota_for_elements;
213 | ||
/**
 * tomoyo_memory_ok - Check memory quota.
 *
 * @ptr: Pointer to allocated memory. May be NULL.
 *
 * Returns true on success, false otherwise.
 *
 * Caller holds tomoyo_policy_lock.
 * Memory pointed by @ptr will be zeroed on success.
 * On failure the caller still owns @ptr; a failure before the policy has
 * been loaded panics instead of returning.
 */
bool tomoyo_memory_ok(void *ptr)
{
	const int allocated_len = ptr ? ksize(ptr) : 0;
	bool over_quota;

	/* A quota of 0 means "unlimited". */
	over_quota = tomoyo_quota_for_elements &&
		tomoyo_allocated_memory_for_elements + allocated_len
		> tomoyo_quota_for_elements;
	if (ptr && !over_quota) {
		tomoyo_allocated_memory_for_elements += allocated_len;
		memset(ptr, 0, allocated_len);
		return true;
	}
	printk(KERN_WARNING "ERROR: Out of memory "
	       "for tomoyo_alloc_element().\n");
	if (!tomoyo_policy_loaded)
		panic("MAC Initialization failed.\n");
	return false;
}
242 | ||
/*
 * Memory allocated for string data in bytes, as returned by ksize().
 * Only tomoyo_save_name() adds to it, under its private mutex.
 */
static unsigned int tomoyo_allocated_memory_for_savename;
/* Quota for holding string data in bytes. 0 means no limit. */
static unsigned int tomoyo_quota_for_savename;

/*
 * TOMOYO uses this hash only when appending a string into the string
 * table. Frequency of appending strings is very low. So we don't need
 * large (e.g. 64k) hash size. 256 will be sufficient.
 */
#define TOMOYO_HASH_BITS  8
#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
c73bd6d4 | 255 | |
/*
 * tomoyo_name_entry is a structure which is used for linking
 * "struct tomoyo_path_info" into tomoyo_name_list .
 *
 * Since tomoyo_name_list manages a list of strings which are shared by
 * multiple processes (whereas "struct tomoyo_path_info" inside
 * "struct tomoyo_path_info_with_data" is not shared), a reference counter will
 * be added to "struct tomoyo_name_entry" rather than "struct tomoyo_path_info"
 * when TOMOYO starts supporting garbage collector.
 */
struct tomoyo_name_entry {
	struct list_head list;		/* Link in a tomoyo_name_list bucket. */
	/*
	 * entry.name points just past this struct: the string is allocated
	 * together with the header by tomoyo_save_name().
	 */
	struct tomoyo_path_info entry;
};
270 | ||
c73bd6d4 | 271 | /* |
c3fa109a TH |
272 | * tomoyo_name_list is used for holding string data used by TOMOYO. |
273 | * Since same string data is likely used for multiple times (e.g. | |
274 | * "/lib/libc-2.5.so"), TOMOYO shares string data in the form of | |
275 | * "const struct tomoyo_path_info *". | |
c73bd6d4 KT |
276 | */ |
277 | static struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; | |
278 | ||
/**
 * tomoyo_lookup_name_entry - Look up @name in one hash bucket.
 *
 * @head: Bucket of tomoyo_name_list to search.
 * @name: NUL-terminated string to look for.
 * @hash: full_name_hash() of @name (terminator excluded).
 *
 * Caller holds the mutex of tomoyo_save_name().
 *
 * Returns the matching entry, NULL if there is none.
 */
static struct tomoyo_name_entry *tomoyo_lookup_name_entry(struct list_head *head,
							  const char *name,
							  unsigned int hash)
{
	struct tomoyo_name_entry *ne;

	list_for_each_entry(ne, head, list) {
		/* Cheap hash compare first, strcmp() only on a hit. */
		if (ne->entry.hash == hash && !strcmp(ne->entry.name, name))
			return ne;
	}
	return NULL;
}

/**
 * tomoyo_save_name - Allocate permanent memory for string data.
 *
 * @name: The string to store into the permanent memory.
 *
 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
 *
 * An existing copy of @name is returned rather than duplicated. A new copy
 * is charged against tomoyo_quota_for_savename; exceeding it (or a failed
 * allocation) returns NULL, or panics if the policy is not loaded yet.
 */
const struct tomoyo_path_info *tomoyo_save_name(const char *name)
{
	static DEFINE_MUTEX(lock);
	struct tomoyo_name_entry *ne;
	struct list_head *head;
	unsigned int hash;
	bool over_quota;
	int len;
	int allocated_len;

	if (!name)
		return NULL;
	len = strlen(name) + 1;		/* include the terminator */
	hash = full_name_hash((const unsigned char *) name, len - 1);
	head = &tomoyo_name_list[hash_long(hash, TOMOYO_HASH_BITS)];

	mutex_lock(&lock);
	ne = tomoyo_lookup_name_entry(head, name, hash);
	if (ne)
		goto out;
	/* Not present yet: header and string share one allocation. */
	ne = kzalloc(sizeof(*ne) + len, GFP_KERNEL);
	allocated_len = ne ? ksize(ne) : 0;
	/* A quota of 0 means "unlimited". */
	over_quota = tomoyo_quota_for_savename &&
		tomoyo_allocated_memory_for_savename + allocated_len
		> tomoyo_quota_for_savename;
	if (!ne || over_quota) {
		kfree(ne);
		printk(KERN_WARNING "ERROR: Out of memory "
		       "for tomoyo_save_name().\n");
		if (!tomoyo_policy_loaded)
			panic("MAC Initialization failed.\n");
		ne = NULL;
		goto out;
	}
	tomoyo_allocated_memory_for_savename += allocated_len;
	ne->entry.name = ((char *) ne) + sizeof(*ne);
	memmove((char *) ne->entry.name, name, len);
	tomoyo_fill_path_info(&ne->entry);
	list_add_tail(&ne->list, head);
out:
	mutex_unlock(&lock);
	return ne ? &ne->entry : NULL;
}
327 | ||
/**
 * tomoyo_realpath_init - Initialize realpath related code.
 *
 * Sets up the string table buckets and registers tomoyo_kernel_domain as
 * the first entry of tomoyo_domain_list. Panics if the kernel domain cannot
 * be found again afterwards.
 */
void __init tomoyo_realpath_init(void)
{
	unsigned int bucket;

	/* The realpath buffer must not exceed what the VFS can resolve. */
	BUILD_BUG_ON(TOMOYO_MAX_PATHNAME_LEN > PATH_MAX);
	for (bucket = 0; bucket < TOMOYO_MAX_HASH; bucket++)
		INIT_LIST_HEAD(&tomoyo_name_list[bucket]);
	INIT_LIST_HEAD(&tomoyo_kernel_domain.acl_info_list);
	/*
	 * No NULL check: before the policy is loaded tomoyo_save_name()
	 * panics instead of returning NULL (assuming it is not loaded yet
	 * at this point).
	 */
	tomoyo_kernel_domain.domainname = tomoyo_save_name(TOMOYO_ROOT_NAME);
	/*
	 * tomoyo_read_lock() is not needed because this function is
	 * called before the first "delete" request.
	 */
	list_add_tail_rcu(&tomoyo_kernel_domain.list, &tomoyo_domain_list);
	if (tomoyo_find_domain(TOMOYO_ROOT_NAME) != &tomoyo_kernel_domain)
		panic("Can't register tomoyo_kernel_domain");
}
348 | ||
/*
 * Memory allocated for temporary purpose, in bytes as returned by ksize().
 * Kept in an atomic_t since tomoyo_alloc()/tomoyo_free() take no lock.
 */
static atomic_t tomoyo_dynamic_memory_size;
351 | ||
/**
 * tomoyo_alloc - Allocate memory for temporary purpose.
 *
 * @size: Size in bytes.
 *
 * Returns pointer to zeroed memory on success, NULL otherwise.
 * The caller owns the result and releases it with tomoyo_free().
 */
void *tomoyo_alloc(const size_t size)
{
	void *mem = kzalloc(size, GFP_KERNEL);

	if (!mem)
		return NULL;
	/*
	 * Account ksize(), not @size, so that tomoyo_free() can subtract
	 * exactly the same amount.
	 */
	atomic_add(ksize(mem), &tomoyo_dynamic_memory_size);
	return mem;
}
366 | ||
/**
 * tomoyo_free - Release memory allocated by tomoyo_alloc().
 *
 * @p: Pointer returned by tomoyo_alloc(). May be NULL.
 *
 * Returns nothing.
 */
void tomoyo_free(const void *p)
{
	if (!p)
		return;
	/* Mirror tomoyo_alloc(): subtract the ksize() that was added. */
	atomic_sub(ksize(p), &tomoyo_dynamic_memory_size);
	kfree(p);
}
381 | ||
/**
 * tomoyo_format_quota - Render the " (Quota: N)" suffix of a counter line.
 *
 * @buffer: Output buffer.
 * @len:    Size of @buffer.
 * @quota:  Quota value; 0 means unlimited and yields an empty string.
 */
static void tomoyo_format_quota(char *buffer, size_t len, unsigned int quota)
{
	if (quota)
		snprintf(buffer, len - 1, " (Quota: %10u)", quota);
	else
		buffer[0] = '\0';
}

/**
 * tomoyo_read_memory_counter - Check for memory usage in bytes.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns memory usage.
 *
 * The counters are read without taking the locks their writers use, so
 * the report is a point-in-time snapshot rather than a consistent view.
 */
int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head)
{
	unsigned int shared;
	unsigned int private;
	unsigned int dynamic;
	char quota[64] = { 0 };

	if (head->read_eof)
		return 0;
	shared = tomoyo_allocated_memory_for_savename;
	private = tomoyo_allocated_memory_for_elements;
	dynamic = atomic_read(&tomoyo_dynamic_memory_size);
	tomoyo_format_quota(quota, sizeof(quota), tomoyo_quota_for_savename);
	tomoyo_io_printf(head, "Shared: %10u%s\n", shared, quota);
	tomoyo_format_quota(quota, sizeof(quota), tomoyo_quota_for_elements);
	tomoyo_io_printf(head, "Private: %10u%s\n", private, quota);
	tomoyo_io_printf(head, "Dynamic: %10u\n", dynamic);
	tomoyo_io_printf(head, "Total: %10u\n",
			 shared + private + dynamic);
	head->read_eof = true;
	return 0;
}
422 | ||
/**
 * tomoyo_write_memory_quota - Set memory quota.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Accepts a line of the form "Shared: N" or "Private: N"; any other line is
 * ignored. Writing 0 removes the respective limit.
 *
 * Returns 0.
 */
int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head)
{
	const char *line = head->write_buf;
	unsigned int *target = NULL;
	unsigned int value;

	if (sscanf(line, "Shared: %u", &value) == 1)
		target = &tomoyo_quota_for_savename;
	else if (sscanf(line, "Private: %u", &value) == 1)
		target = &tomoyo_quota_for_elements;
	if (target)
		*target = value;
	return 0;
}