projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
TOMOYO: Add mount restriction.
[deliverable/linux.git] / security / tomoyo / common.c
1 /*
2 * security/tomoyo/common.c
3 *
4 * Common functions for TOMOYO.
5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 *
8 * Version: 2.2.0 2009/04/01
9 *
10 */
11
12 #include <linux/uaccess.h>
13 #include <linux/slab.h>
14 #include <linux/security.h>
15 #include <linux/hardirq.h>
16 #include "common.h"
17
18 /* Lock for protecting policy. */
19 DEFINE_MUTEX(tomoyo_policy_lock);
20
21 /* Has loading policy done? */
22 bool tomoyo_policy_loaded;
23
24 /* String table for functionality that takes 4 modes. */
25 static const char *tomoyo_mode_4[4] = {
26 "disabled", "learning", "permissive", "enforcing"
27 };
28 /* String table for functionality that takes 2 modes. */
29 static const char *tomoyo_mode_2[4] = {
30 "disabled", "enabled", "enabled", "enabled"
31 };
32
33 /*
34 * tomoyo_control_array is a static data which contains
35 *
36 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
37 * (2) initial values for "struct tomoyo_profile".
38 * (3) max values for "struct tomoyo_profile".
39 */
40 static struct {
41 const char *keyword;
42 unsigned int current_value;
43 const unsigned int max_value;
44 } tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = {
45 [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 },
46 [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX },
47 [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 },
48 };
49
50 /*
51 * tomoyo_profile is a structure which is used for holding the mode of access
52 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
53 * An administrator can define up to 256 profiles.
54 * The ->profile of "struct tomoyo_domain_info" is used for remembering
55 * the profile's number (0 - 255) assigned to that domain.
56 */
57 static struct tomoyo_profile {
58 unsigned int value[TOMOYO_MAX_CONTROL_INDEX];
59 const struct tomoyo_path_info *comment;
60 } *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES];
61
62 /* Permit policy management by non-root user? */
63 static bool tomoyo_manage_by_non_root;
64
65 /* Utility functions. */
66
67 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
68 static int tomoyo_open_control(const u8 type, struct file *file);
69 /* Close /sys/kernel/security/tomoyo/ interface. */
70 static int tomoyo_close_control(struct file *file);
71 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
72 static int tomoyo_read_control(struct file *file, char __user *buffer,
73 const int buffer_len);
74 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
75 static int tomoyo_write_control(struct file *file, const char __user *buffer,
76 const int buffer_len);
77
78 /**
79 * tomoyo_parse_name_union - Parse a tomoyo_name_union.
80 *
81 * @filename: Name or name group.
82 * @ptr: Pointer to "struct tomoyo_name_union".
83 *
84 * Returns true on success, false otherwise.
85 */
86 bool tomoyo_parse_name_union(const char *filename,
87 struct tomoyo_name_union *ptr)
88 {
89 if (!tomoyo_is_correct_path(filename, 0, 0, 0))
90 return false;
91 if (filename[0] == '@') {
92 ptr->group = tomoyo_get_path_group(filename + 1);
93 ptr->is_group = true;
94 return ptr->group != NULL;
95 }
96 ptr->filename = tomoyo_get_name(filename);
97 ptr->is_group = false;
98 return ptr->filename != NULL;
99 }
100
101 /**
102 * tomoyo_print_name_union - Print a tomoyo_name_union.
103 *
104 * @head: Pointer to "struct tomoyo_io_buffer".
105 * @ptr: Pointer to "struct tomoyo_name_union".
106 *
107 * Returns true on success, false otherwise.
108 */
109 static bool tomoyo_print_name_union(struct tomoyo_io_buffer *head,
110 const struct tomoyo_name_union *ptr)
111 {
112 int pos = head->read_avail;
113 if (pos && head->read_buf[pos - 1] == ' ')
114 head->read_avail--;
115 if (ptr->is_group)
116 return tomoyo_io_printf(head, " @%s",
117 ptr->group->group_name->name);
118 return tomoyo_io_printf(head, " %s", ptr->filename->name);
119 }
120
121 /**
122 * tomoyo_parse_ulong - Parse an "unsigned long" value.
123 *
124 * @result: Pointer to "unsigned long".
125 * @str: Pointer to string to parse.
126 *
127 * Returns value type on success, 0 otherwise.
128 *
129 * The @src is updated to point the first character after the value
130 * on success.
131 */
132 u8 tomoyo_parse_ulong(unsigned long *result, char **str)
133 {
134 const char *cp = *str;
135 char *ep;
136 int base = 10;
137 if (*cp == '0') {
138 char c = *(cp + 1);
139 if (c == 'x' || c == 'X') {
140 base = 16;
141 cp += 2;
142 } else if (c >= '0' && c <= '7') {
143 base = 8;
144 cp++;
145 }
146 }
147 *result = simple_strtoul(cp, &ep, base);
148 if (cp == ep)
149 return 0;
150 *str = ep;
151 switch (base) {
152 case 16:
153 return TOMOYO_VALUE_TYPE_HEXADECIMAL;
154 case 8:
155 return TOMOYO_VALUE_TYPE_OCTAL;
156 default:
157 return TOMOYO_VALUE_TYPE_DECIMAL;
158 }
159 }
160
161 /**
162 * tomoyo_print_ulong - Print an "unsigned long" value.
163 *
164 * @buffer: Pointer to buffer.
165 * @buffer_len: Size of @buffer.
166 * @value: An "unsigned long" value.
167 * @type: Type of @value.
168 *
169 * Returns nothing.
170 */
171 void tomoyo_print_ulong(char *buffer, const int buffer_len,
172 const unsigned long value, const u8 type)
173 {
174 if (type == TOMOYO_VALUE_TYPE_DECIMAL)
175 snprintf(buffer, buffer_len, "%lu", value);
176 else if (type == TOMOYO_VALUE_TYPE_OCTAL)
177 snprintf(buffer, buffer_len, "0%lo", value);
178 else if (type == TOMOYO_VALUE_TYPE_HEXADECIMAL)
179 snprintf(buffer, buffer_len, "0x%lX", value);
180 else
181 snprintf(buffer, buffer_len, "type(%u)", type);
182 }
183
184 /**
185 * tomoyo_print_number_union - Print a tomoyo_number_union.
186 *
187 * @head: Pointer to "struct tomoyo_io_buffer".
188 * @ptr: Pointer to "struct tomoyo_number_union".
189 *
190 * Returns true on success, false otherwise.
191 */
192 bool tomoyo_print_number_union(struct tomoyo_io_buffer *head,
193 const struct tomoyo_number_union *ptr)
194 {
195 unsigned long min;
196 unsigned long max;
197 u8 min_type;
198 u8 max_type;
199 if (!tomoyo_io_printf(head, " "))
200 return false;
201 if (ptr->is_group)
202 return tomoyo_io_printf(head, "@%s",
203 ptr->group->group_name->name);
204 min_type = ptr->min_type;
205 max_type = ptr->max_type;
206 min = ptr->values[0];
207 max = ptr->values[1];
208 switch (min_type) {
209 case TOMOYO_VALUE_TYPE_HEXADECIMAL:
210 if (!tomoyo_io_printf(head, "0x%lX", min))
211 return false;
212 break;
213 case TOMOYO_VALUE_TYPE_OCTAL:
214 if (!tomoyo_io_printf(head, "0%lo", min))
215 return false;
216 break;
217 default:
218 if (!tomoyo_io_printf(head, "%lu", min))
219 return false;
220 break;
221 }
222 if (min == max && min_type == max_type)
223 return true;
224 switch (max_type) {
225 case TOMOYO_VALUE_TYPE_HEXADECIMAL:
226 return tomoyo_io_printf(head, "-0x%lX", max);
227 case TOMOYO_VALUE_TYPE_OCTAL:
228 return tomoyo_io_printf(head, "-0%lo", max);
229 default:
230 return tomoyo_io_printf(head, "-%lu", max);
231 }
232 }
233
234 /**
235 * tomoyo_parse_number_union - Parse a tomoyo_number_union.
236 *
237 * @data: Number or number range or number group.
238 * @ptr: Pointer to "struct tomoyo_number_union".
239 *
240 * Returns true on success, false otherwise.
241 */
242 bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num)
243 {
244 u8 type;
245 unsigned long v;
246 memset(num, 0, sizeof(*num));
247 if (data[0] == '@') {
248 if (!tomoyo_is_correct_path(data, 0, 0, 0))
249 return false;
250 num->group = tomoyo_get_number_group(data + 1);
251 num->is_group = true;
252 return num->group != NULL;
253 }
254 type = tomoyo_parse_ulong(&v, &data);
255 if (!type)
256 return false;
257 num->values[0] = v;
258 num->min_type = type;
259 if (!*data) {
260 num->values[1] = v;
261 num->max_type = type;
262 return true;
263 }
264 if (*data++ != '-')
265 return false;
266 type = tomoyo_parse_ulong(&v, &data);
267 if (!type || *data)
268 return false;
269 num->values[1] = v;
270 num->max_type = type;
271 return true;
272 }
273
274 /**
275 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
276 *
277 * @str: Pointer to the string.
278 *
279 * Returns true if @str is a \ooo style octal value, false otherwise.
280 *
281 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
282 * This function verifies that \ooo is in valid range.
283 */
284 static inline bool tomoyo_is_byte_range(const char *str)
285 {
286 return *str >= '0' && *str++ <= '3' &&
287 *str >= '0' && *str++ <= '7' &&
288 *str >= '0' && *str <= '7';
289 }
290
291 /**
292 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
293 *
294 * @c: The character to check.
295 *
296 * Returns true if @c is an alphabet character, false otherwise.
297 */
298 static inline bool tomoyo_is_alphabet_char(const char c)
299 {
300 return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
301 }
302
303 /**
304 * tomoyo_make_byte - Make byte value from three octal characters.
305 *
306 * @c1: The first character.
307 * @c2: The second character.
308 * @c3: The third character.
309 *
310 * Returns byte value.
311 */
312 static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3)
313 {
314 return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0');
315 }
316
317 /**
318 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
319 *
320 * @src: Pointer to pointer to the string.
321 * @find: Pointer to the keyword.
322 *
323 * Returns true if @src starts with @find, false otherwise.
324 *
325 * The @src is updated to point the first character after the @find
326 * if @src starts with @find.
327 */
328 static bool tomoyo_str_starts(char **src, const char *find)
329 {
330 const int len = strlen(find);
331 char *tmp = *src;
332
333 if (strncmp(tmp, find, len))
334 return false;
335 tmp += len;
336 *src = tmp;
337 return true;
338 }
339
340 /**
341 * tomoyo_normalize_line - Format string.
342 *
343 * @buffer: The line to normalize.
344 *
345 * Leading and trailing whitespaces are removed.
346 * Multiple whitespaces are packed into single space.
347 *
348 * Returns nothing.
349 */
350 static void tomoyo_normalize_line(unsigned char *buffer)
351 {
352 unsigned char *sp = buffer;
353 unsigned char *dp = buffer;
354 bool first = true;
355
356 while (tomoyo_is_invalid(*sp))
357 sp++;
358 while (*sp) {
359 if (!first)
360 *dp++ = ' ';
361 first = false;
362 while (tomoyo_is_valid(*sp))
363 *dp++ = *sp++;
364 while (tomoyo_is_invalid(*sp))
365 sp++;
366 }
367 *dp = '\0';
368 }
369
370 /**
371 * tomoyo_tokenize - Tokenize string.
372 *
373 * @buffer: The line to tokenize.
374 * @w: Pointer to "char *".
375 * @size: Sizeof @w .
376 *
377 * Returns true on success, false otherwise.
378 */
379 bool tomoyo_tokenize(char *buffer, char *w[], size_t size)
380 {
381 int count = size / sizeof(char *);
382 int i;
383 for (i = 0; i < count; i++)
384 w[i] = "";
385 for (i = 0; i < count; i++) {
386 char *cp = strchr(buffer, ' ');
387 if (cp)
388 *cp = '\0';
389 w[i] = buffer;
390 if (!cp)
391 break;
392 buffer = cp + 1;
393 }
394 return i < count || !*buffer;
395 }
396
397 /**
398 * tomoyo_is_correct_path - Validate a pathname.
399 * @filename: The pathname to check.
400 * @start_type: Should the pathname start with '/'?
401 * 1 = must / -1 = must not / 0 = don't care
402 * @pattern_type: Can the pathname contain a wildcard?
403 * 1 = must / -1 = must not / 0 = don't care
404 * @end_type: Should the pathname end with '/'?
405 * 1 = must / -1 = must not / 0 = don't care
406 *
407 * Check whether the given filename follows the naming rules.
408 * Returns true if @filename follows the naming rules, false otherwise.
409 */
410 bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
411 const s8 pattern_type, const s8 end_type)
412 {
413 const char *const start = filename;
414 bool in_repetition = false;
415 bool contains_pattern = false;
416 unsigned char c;
417 unsigned char d;
418 unsigned char e;
419
420 if (!filename)
421 goto out;
422 c = *filename;
423 if (start_type == 1) { /* Must start with '/' */
424 if (c != '/')
425 goto out;
426 } else if (start_type == -1) { /* Must not start with '/' */
427 if (c == '/')
428 goto out;
429 }
430 if (c)
431 c = *(filename + strlen(filename) - 1);
432 if (end_type == 1) { /* Must end with '/' */
433 if (c != '/')
434 goto out;
435 } else if (end_type == -1) { /* Must not end with '/' */
436 if (c == '/')
437 goto out;
438 }
439 while (1) {
440 c = *filename++;
441 if (!c)
442 break;
443 if (c == '\\') {
444 c = *filename++;
445 switch (c) {
446 case '\\': /* "\\" */
447 continue;
448 case '$': /* "\$" */
449 case '+': /* "\+" */
450 case '?': /* "\?" */
451 case '*': /* "\*" */
452 case '@': /* "\@" */
453 case 'x': /* "\x" */
454 case 'X': /* "\X" */
455 case 'a': /* "\a" */
456 case 'A': /* "\A" */
457 case '-': /* "\-" */
458 if (pattern_type == -1)
459 break; /* Must not contain pattern */
460 contains_pattern = true;
461 continue;
462 case '{': /* "/\{" */
463 if (filename - 3 < start ||
464 *(filename - 3) != '/')
465 break;
466 if (pattern_type == -1)
467 break; /* Must not contain pattern */
468 contains_pattern = true;
469 in_repetition = true;
470 continue;
471 case '}': /* "\}/" */
472 if (*filename != '/')
473 break;
474 if (!in_repetition)
475 break;
476 in_repetition = false;
477 continue;
478 case '0': /* "\ooo" */
479 case '1':
480 case '2':
481 case '3':
482 d = *filename++;
483 if (d < '0' || d > '7')
484 break;
485 e = *filename++;
486 if (e < '0' || e > '7')
487 break;
488 c = tomoyo_make_byte(c, d, e);
489 if (tomoyo_is_invalid(c))
490 continue; /* pattern is not \000 */
491 }
492 goto out;
493 } else if (in_repetition && c == '/') {
494 goto out;
495 } else if (tomoyo_is_invalid(c)) {
496 goto out;
497 }
498 }
499 if (pattern_type == 1) { /* Must contain pattern */
500 if (!contains_pattern)
501 goto out;
502 }
503 if (in_repetition)
504 goto out;
505 return true;
506 out:
507 return false;
508 }
509
510 /**
511 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
512 * @domainname: The domainname to check.
513 *
514 * Returns true if @domainname follows the naming rules, false otherwise.
515 */
516 bool tomoyo_is_correct_domain(const unsigned char *domainname)
517 {
518 unsigned char c;
519 unsigned char d;
520 unsigned char e;
521
522 if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME,
523 TOMOYO_ROOT_NAME_LEN))
524 goto out;
525 domainname += TOMOYO_ROOT_NAME_LEN;
526 if (!*domainname)
527 return true;
528 do {
529 if (*domainname++ != ' ')
530 goto out;
531 if (*domainname++ != '/')
532 goto out;
533 while ((c = *domainname) != '\0' && c != ' ') {
534 domainname++;
535 if (c == '\\') {
536 c = *domainname++;
537 switch ((c)) {
538 case '\\': /* "\\" */
539 continue;
540 case '0': /* "\ooo" */
541 case '1':
542 case '2':
543 case '3':
544 d = *domainname++;
545 if (d < '0' || d > '7')
546 break;
547 e = *domainname++;
548 if (e < '0' || e > '7')
549 break;
550 c = tomoyo_make_byte(c, d, e);
551 if (tomoyo_is_invalid(c))
552 /* pattern is not \000 */
553 continue;
554 }
555 goto out;
556 } else if (tomoyo_is_invalid(c)) {
557 goto out;
558 }
559 }
560 } while (*domainname);
561 return true;
562 out:
563 return false;
564 }
565
566 /**
567 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
568 *
569 * @buffer: The token to check.
570 *
571 * Returns true if @buffer possibly be a domainname, false otherwise.
572 */
573 bool tomoyo_is_domain_def(const unsigned char *buffer)
574 {
575 return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN);
576 }
577
578 /**
579 * tomoyo_find_domain - Find a domain by the given name.
580 *
581 * @domainname: The domainname to find.
582 *
583 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
584 *
585 * Caller holds tomoyo_read_lock().
586 */
587 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
588 {
589 struct tomoyo_domain_info *domain;
590 struct tomoyo_path_info name;
591
592 name.name = domainname;
593 tomoyo_fill_path_info(&name);
594 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
595 if (!domain->is_deleted &&
596 !tomoyo_pathcmp(&name, domain->domainname))
597 return domain;
598 }
599 return NULL;
600 }
601
602 /**
603 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
604 *
605 * @filename: The string to evaluate.
606 *
607 * Returns the initial length without a pattern in @filename.
608 */
609 static int tomoyo_const_part_length(const char *filename)
610 {
611 char c;
612 int len = 0;
613
614 if (!filename)
615 return 0;
616 while ((c = *filename++) != '\0') {
617 if (c != '\\') {
618 len++;
619 continue;
620 }
621 c = *filename++;
622 switch (c) {
623 case '\\': /* "\\" */
624 len += 2;
625 continue;
626 case '0': /* "\ooo" */
627 case '1':
628 case '2':
629 case '3':
630 c = *filename++;
631 if (c < '0' || c > '7')
632 break;
633 c = *filename++;
634 if (c < '0' || c > '7')
635 break;
636 len += 4;
637 continue;
638 }
639 break;
640 }
641 return len;
642 }
643
644 /**
645 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
646 *
647 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
648 *
649 * The caller sets "struct tomoyo_path_info"->name.
650 */
651 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
652 {
653 const char *name = ptr->name;
654 const int len = strlen(name);
655
656 ptr->const_len = tomoyo_const_part_length(name);
657 ptr->is_dir = len && (name[len - 1] == '/');
658 ptr->is_patterned = (ptr->const_len < len);
659 ptr->hash = full_name_hash(name, len);
660 }
661
662 /**
663 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
664 * and "\-" pattern.
665 *
666 * @filename: The start of string to check.
667 * @filename_end: The end of string to check.
668 * @pattern: The start of pattern to compare.
669 * @pattern_end: The end of pattern to compare.
670 *
671 * Returns true if @filename matches @pattern, false otherwise.
672 */
673 static bool tomoyo_file_matches_pattern2(const char *filename,
674 const char *filename_end,
675 const char *pattern,
676 const char *pattern_end)
677 {
678 while (filename < filename_end && pattern < pattern_end) {
679 char c;
680 if (*pattern != '\\') {
681 if (*filename++ != *pattern++)
682 return false;
683 continue;
684 }
685 c = *filename;
686 pattern++;
687 switch (*pattern) {
688 int i;
689 int j;
690 case '?':
691 if (c == '/') {
692 return false;
693 } else if (c == '\\') {
694 if (filename[1] == '\\')
695 filename++;
696 else if (tomoyo_is_byte_range(filename + 1))
697 filename += 3;
698 else
699 return false;
700 }
701 break;
702 case '\\':
703 if (c != '\\')
704 return false;
705 if (*++filename != '\\')
706 return false;
707 break;
708 case '+':
709 if (!isdigit(c))
710 return false;
711 break;
712 case 'x':
713 if (!isxdigit(c))
714 return false;
715 break;
716 case 'a':
717 if (!tomoyo_is_alphabet_char(c))
718 return false;
719 break;
720 case '0':
721 case '1':
722 case '2':
723 case '3':
724 if (c == '\\' && tomoyo_is_byte_range(filename + 1)
725 && strncmp(filename + 1, pattern, 3) == 0) {
726 filename += 3;
727 pattern += 2;
728 break;
729 }
730 return false; /* Not matched. */
731 case '*':
732 case '@':
733 for (i = 0; i <= filename_end - filename; i++) {
734 if (tomoyo_file_matches_pattern2(
735 filename + i, filename_end,
736 pattern + 1, pattern_end))
737 return true;
738 c = filename[i];
739 if (c == '.' && *pattern == '@')
740 break;
741 if (c != '\\')
742 continue;
743 if (filename[i + 1] == '\\')
744 i++;
745 else if (tomoyo_is_byte_range(filename + i + 1))
746 i += 3;
747 else
748 break; /* Bad pattern. */
749 }
750 return false; /* Not matched. */
751 default:
752 j = 0;
753 c = *pattern;
754 if (c == '$') {
755 while (isdigit(filename[j]))
756 j++;
757 } else if (c == 'X') {
758 while (isxdigit(filename[j]))
759 j++;
760 } else if (c == 'A') {
761 while (tomoyo_is_alphabet_char(filename[j]))
762 j++;
763 }
764 for (i = 1; i <= j; i++) {
765 if (tomoyo_file_matches_pattern2(
766 filename + i, filename_end,
767 pattern + 1, pattern_end))
768 return true;
769 }
770 return false; /* Not matched or bad pattern. */
771 }
772 filename++;
773 pattern++;
774 }
775 while (*pattern == '\\' &&
776 (*(pattern + 1) == '*' || *(pattern + 1) == '@'))
777 pattern += 2;
778 return filename == filename_end && pattern == pattern_end;
779 }
780
781 /**
782 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
783 *
784 * @filename: The start of string to check.
785 * @filename_end: The end of string to check.
786 * @pattern: The start of pattern to compare.
787 * @pattern_end: The end of pattern to compare.
788 *
789 * Returns true if @filename matches @pattern, false otherwise.
790 */
791 static bool tomoyo_file_matches_pattern(const char *filename,
792 const char *filename_end,
793 const char *pattern,
794 const char *pattern_end)
795 {
796 const char *pattern_start = pattern;
797 bool first = true;
798 bool result;
799
800 while (pattern < pattern_end - 1) {
801 /* Split at "\-" pattern. */
802 if (*pattern++ != '\\' || *pattern++ != '-')
803 continue;
804 result = tomoyo_file_matches_pattern2(filename,
805 filename_end,
806 pattern_start,
807 pattern - 2);
808 if (first)
809 result = !result;
810 if (result)
811 return false;
812 first = false;
813 pattern_start = pattern;
814 }
815 result = tomoyo_file_matches_pattern2(filename, filename_end,
816 pattern_start, pattern_end);
817 return first ? result : !result;
818 }
819
820 /**
821 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
822 *
823 * @f: The start of string to check.
824 * @p: The start of pattern to compare.
825 *
826 * Returns true if @f matches @p, false otherwise.
827 */
828 static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
829 {
830 const char *f_delimiter;
831 const char *p_delimiter;
832
833 while (*f && *p) {
834 f_delimiter = strchr(f, '/');
835 if (!f_delimiter)
836 f_delimiter = f + strlen(f);
837 p_delimiter = strchr(p, '/');
838 if (!p_delimiter)
839 p_delimiter = p + strlen(p);
840 if (*p == '\\' && *(p + 1) == '{')
841 goto recursive;
842 if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
843 p_delimiter))
844 return false;
845 f = f_delimiter;
846 if (*f)
847 f++;
848 p = p_delimiter;
849 if (*p)
850 p++;
851 }
852 /* Ignore trailing "\*" and "\@" in @pattern. */
853 while (*p == '\\' &&
854 (*(p + 1) == '*' || *(p + 1) == '@'))
855 p += 2;
856 return !*f && !*p;
857 recursive:
858 /*
859 * The "\{" pattern is permitted only after '/' character.
860 * This guarantees that below "*(p - 1)" is safe.
861 * Also, the "\}" pattern is permitted only before '/' character
862 * so that "\{" + "\}" pair will not break the "\-" operator.
863 */
864 if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
865 *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
866 return false; /* Bad pattern. */
867 do {
868 /* Compare current component with pattern. */
869 if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
870 p_delimiter - 2))
871 break;
872 /* Proceed to next component. */
873 f = f_delimiter;
874 if (!*f)
875 break;
876 f++;
877 /* Continue comparison. */
878 if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
879 return true;
880 f_delimiter = strchr(f, '/');
881 } while (f_delimiter);
882 return false; /* Not matched. */
883 }
884
885 /**
886 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
887 *
888 * @filename: The filename to check.
889 * @pattern: The pattern to compare.
890 *
891 * Returns true if matches, false otherwise.
892 *
893 * The following patterns are available.
894 * \\ \ itself.
895 * \ooo Octal representation of a byte.
896 * \* Zero or more repetitions of characters other than '/'.
897 * \@ Zero or more repetitions of characters other than '/' or '.'.
898 * \? 1 byte character other than '/'.
899 * \$ One or more repetitions of decimal digits.
900 * \+ 1 decimal digit.
901 * \X One or more repetitions of hexadecimal digits.
902 * \x 1 hexadecimal digit.
903 * \A One or more repetitions of alphabet characters.
904 * \a 1 alphabet character.
905 *
906 * \- Subtraction operator.
907 *
908 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
909 * /dir/dir/dir/ ).
910 */
911 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
912 const struct tomoyo_path_info *pattern)
913 {
914 const char *f = filename->name;
915 const char *p = pattern->name;
916 const int len = pattern->const_len;
917
918 /* If @pattern doesn't contain pattern, I can use strcmp(). */
919 if (!pattern->is_patterned)
920 return !tomoyo_pathcmp(filename, pattern);
921 /* Don't compare directory and non-directory. */
922 if (filename->is_dir != pattern->is_dir)
923 return false;
924 /* Compare the initial length without patterns. */
925 if (strncmp(f, p, len))
926 return false;
927 f += len;
928 p += len;
929 return tomoyo_path_matches_pattern2(f, p);
930 }
931
932 /**
933 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
934 *
935 * @head: Pointer to "struct tomoyo_io_buffer".
936 * @fmt: The printf()'s format string, followed by parameters.
937 *
938 * Returns true if output was written, false otherwise.
939 *
940 * The snprintf() will truncate, but tomoyo_io_printf() won't.
941 */
942 bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
943 {
944 va_list args;
945 int len;
946 int pos = head->read_avail;
947 int size = head->readbuf_size - pos;
948
949 if (size <= 0)
950 return false;
951 va_start(args, fmt);
952 len = vsnprintf(head->read_buf + pos, size, fmt, args);
953 va_end(args);
954 if (pos + len >= head->readbuf_size)
955 return false;
956 head->read_avail += len;
957 return true;
958 }
959
960 /**
961 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
962 *
963 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
964 *
965 * This function uses kzalloc(), so the caller must call kfree()
966 * if this function didn't return NULL.
967 */
968 static const char *tomoyo_get_exe(void)
969 {
970 struct mm_struct *mm = current->mm;
971 struct vm_area_struct *vma;
972 const char *cp = NULL;
973
974 if (!mm)
975 return NULL;
976 down_read(&mm->mmap_sem);
977 for (vma = mm->mmap; vma; vma = vma->vm_next) {
978 if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) {
979 cp = tomoyo_realpath_from_path(&vma->vm_file->f_path);
980 break;
981 }
982 }
983 up_read(&mm->mmap_sem);
984 return cp;
985 }
986
987 /**
988 * tomoyo_check_flags - Check mode for specified functionality.
989 *
990 * @domain: Pointer to "struct tomoyo_domain_info".
991 * @index: The functionality to check mode.
992 *
993 * TOMOYO checks only process context.
994 * This code disables TOMOYO's enforcement in case the function is called from
995 * interrupt context.
996 */
997 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
998 const u8 index)
999 {
1000 const u8 profile = domain->profile;
1001
1002 if (WARN_ON(in_interrupt()))
1003 return 0;
1004 return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX
1005 #if TOMOYO_MAX_PROFILES != 256
1006 && profile < TOMOYO_MAX_PROFILES
1007 #endif
1008 && tomoyo_profile_ptr[profile] ?
1009 tomoyo_profile_ptr[profile]->value[index] : 0;
1010 }
1011
1012 /**
1013 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
1014 *
1015 * @domain: Pointer to "struct tomoyo_domain_info".
1016 *
1017 * Returns true if domain policy violation warning should be printed to
1018 * console.
1019 */
1020 bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain)
1021 {
1022 return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0;
1023 }
1024
1025 /**
1026 * tomoyo_domain_quota_is_ok - Check for domain's quota.
1027 *
1028 * @r: Pointer to "struct tomoyo_request_info".
1029 *
1030 * Returns true if the domain is not exceeded quota, false otherwise.
1031 *
1032 * Caller holds tomoyo_read_lock().
1033 */
1034 bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
1035 {
1036 unsigned int count = 0;
1037 struct tomoyo_domain_info *domain = r->domain;
1038 struct tomoyo_acl_info *ptr;
1039
1040 if (r->mode != TOMOYO_CONFIG_LEARNING)
1041 return false;
1042 if (!domain)
1043 return true;
1044 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1045 switch (ptr->type) {
1046 u16 perm;
1047 u8 i;
1048 case TOMOYO_TYPE_PATH_ACL:
1049 perm = container_of(ptr, struct tomoyo_path_acl, head)
1050 ->perm;
1051 for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++)
1052 if (perm & (1 << i))
1053 count++;
1054 if (perm & (1 << TOMOYO_TYPE_READ_WRITE))
1055 count -= 2;
1056 break;
1057 case TOMOYO_TYPE_PATH2_ACL:
1058 perm = container_of(ptr, struct tomoyo_path2_acl, head)
1059 ->perm;
1060 for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++)
1061 if (perm & (1 << i))
1062 count++;
1063 break;
1064 case TOMOYO_TYPE_PATH_NUMBER_ACL:
1065 perm = container_of(ptr, struct tomoyo_path_number_acl,
1066 head)->perm;
1067 for (i = 0; i < TOMOYO_MAX_PATH_NUMBER_OPERATION; i++)
1068 if (perm & (1 << i))
1069 count++;
1070 break;
1071 case TOMOYO_TYPE_PATH_NUMBER3_ACL:
1072 perm = container_of(ptr, struct tomoyo_path_number3_acl,
1073 head)->perm;
1074 for (i = 0; i < TOMOYO_MAX_PATH_NUMBER3_OPERATION; i++)
1075 if (perm & (1 << i))
1076 count++;
1077 break;
1078 case TOMOYO_TYPE_MOUNT_ACL:
1079 if (!container_of(ptr, struct tomoyo_mount_acl, head)->
1080 is_deleted)
1081 count++;
1082 }
1083 }
1084 if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
1085 return true;
1086 if (!domain->quota_warned) {
1087 domain->quota_warned = true;
1088 printk(KERN_WARNING "TOMOYO-WARNING: "
1089 "Domain '%s' has so many ACLs to hold. "
1090 "Stopped learning mode.\n", domain->domainname->name);
1091 }
1092 return false;
1093 }
1094
1095 /**
1096 * tomoyo_find_or_assign_new_profile - Create a new profile.
1097 *
1098 * @profile: Profile number to create.
1099 *
1100 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
1101 */
1102 static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
1103 int profile)
1104 {
1105 struct tomoyo_profile *ptr = NULL;
1106 int i;
1107
1108 if (profile >= TOMOYO_MAX_PROFILES)
1109 return NULL;
1110 if (mutex_lock_interruptible(&tomoyo_policy_lock))
1111 return NULL;
1112 ptr = tomoyo_profile_ptr[profile];
1113 if (ptr)
1114 goto ok;
1115 ptr = kmalloc(sizeof(*ptr), GFP_NOFS);
1116 if (!tomoyo_memory_ok(ptr)) {
1117 kfree(ptr);
1118 ptr = NULL;
1119 goto ok;
1120 }
1121 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++)
1122 ptr->value[i] = tomoyo_control_array[i].current_value;
1123 mb(); /* Avoid out-of-order execution. */
1124 tomoyo_profile_ptr[profile] = ptr;
1125 ok:
1126 mutex_unlock(&tomoyo_policy_lock);
1127 return ptr;
1128 }
1129
1130 /**
1131 * tomoyo_write_profile - Write to profile table.
1132 *
1133 * @head: Pointer to "struct tomoyo_io_buffer".
1134 *
1135 * Returns 0 on success, negative value otherwise.
1136 */
1137 static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
1138 {
1139 char *data = head->write_buf;
1140 unsigned int i;
1141 unsigned int value;
1142 char *cp;
1143 struct tomoyo_profile *profile;
1144 unsigned long num;
1145
1146 cp = strchr(data, '-');
1147 if (cp)
1148 *cp = '\0';
1149 if (strict_strtoul(data, 10, &num))
1150 return -EINVAL;
1151 if (cp)
1152 data = cp + 1;
1153 profile = tomoyo_find_or_assign_new_profile(num);
1154 if (!profile)
1155 return -EINVAL;
1156 cp = strchr(data, '=');
1157 if (!cp)
1158 return -EINVAL;
1159 *cp = '\0';
1160 if (!strcmp(data, "COMMENT")) {
1161 const struct tomoyo_path_info *old_comment = profile->comment;
1162 profile->comment = tomoyo_get_name(cp + 1);
1163 tomoyo_put_name(old_comment);
1164 return 0;
1165 }
1166 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) {
1167 if (strcmp(data, tomoyo_control_array[i].keyword))
1168 continue;
1169 if (sscanf(cp + 1, "%u", &value) != 1) {
1170 int j;
1171 const char **modes;
1172 switch (i) {
1173 case TOMOYO_VERBOSE:
1174 modes = tomoyo_mode_2;
1175 break;
1176 default:
1177 modes = tomoyo_mode_4;
1178 break;
1179 }
1180 for (j = 0; j < 4; j++) {
1181 if (strcmp(cp + 1, modes[j]))
1182 continue;
1183 value = j;
1184 break;
1185 }
1186 if (j == 4)
1187 return -EINVAL;
1188 } else if (value > tomoyo_control_array[i].max_value) {
1189 value = tomoyo_control_array[i].max_value;
1190 }
1191 profile->value[i] = value;
1192 return 0;
1193 }
1194 return -EINVAL;
1195 }
1196
1197 /**
1198 * tomoyo_read_profile - Read from profile table.
1199 *
1200 * @head: Pointer to "struct tomoyo_io_buffer".
1201 *
1202 * Returns 0.
1203 */
1204 static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
1205 {
1206 static const int total = TOMOYO_MAX_CONTROL_INDEX + 1;
1207 int step;
1208
1209 if (head->read_eof)
1210 return 0;
1211 for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total;
1212 step++) {
1213 const u8 index = step / total;
1214 u8 type = step % total;
1215 const struct tomoyo_profile *profile
1216 = tomoyo_profile_ptr[index];
1217 head->read_step = step;
1218 if (!profile)
1219 continue;
1220 if (!type) { /* Print profile' comment tag. */
1221 if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n",
1222 index, profile->comment ?
1223 profile->comment->name : ""))
1224 break;
1225 continue;
1226 }
1227 type--;
1228 if (type < TOMOYO_MAX_CONTROL_INDEX) {
1229 const unsigned int value = profile->value[type];
1230 const char **modes = NULL;
1231 const char *keyword
1232 = tomoyo_control_array[type].keyword;
1233 switch (tomoyo_control_array[type].max_value) {
1234 case 3:
1235 modes = tomoyo_mode_4;
1236 break;
1237 case 1:
1238 modes = tomoyo_mode_2;
1239 break;
1240 }
1241 if (modes) {
1242 if (!tomoyo_io_printf(head, "%u-%s=%s\n", index,
1243 keyword, modes[value]))
1244 break;
1245 } else {
1246 if (!tomoyo_io_printf(head, "%u-%s=%u\n", index,
1247 keyword, value))
1248 break;
1249 }
1250 }
1251 }
1252 if (step == TOMOYO_MAX_PROFILES * total)
1253 head->read_eof = true;
1254 return 0;
1255 }
1256
1257 /*
1258 * tomoyo_policy_manager_list is used for holding list of domainnames or
1259 * programs which are permitted to modify configuration via
1260 * /sys/kernel/security/tomoyo/ interface.
1261 *
1262 * An entry is added by
1263 *
1264 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1265 * /sys/kernel/security/tomoyo/manager
1266 * (if you want to specify by a domainname)
1267 *
1268 * or
1269 *
1270 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1271 * (if you want to specify by a program's location)
1272 *
1273 * and is deleted by
1274 *
1275 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1276 * /sys/kernel/security/tomoyo/manager
1277 *
1278 * or
1279 *
1280 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1281 * /sys/kernel/security/tomoyo/manager
1282 *
1283 * and all entries are retrieved by
1284 *
1285 * # cat /sys/kernel/security/tomoyo/manager
1286 */
1287 LIST_HEAD(tomoyo_policy_manager_list);
1288
1289 /**
1290 * tomoyo_update_manager_entry - Add a manager entry.
1291 *
1292 * @manager: The path to manager or the domainnamme.
1293 * @is_delete: True if it is a delete request.
1294 *
1295 * Returns 0 on success, negative value otherwise.
1296 *
1297 * Caller holds tomoyo_read_lock().
1298 */
1299 static int tomoyo_update_manager_entry(const char *manager,
1300 const bool is_delete)
1301 {
1302 struct tomoyo_policy_manager_entry *ptr;
1303 struct tomoyo_policy_manager_entry e = { };
1304 int error = is_delete ? -ENOENT : -ENOMEM;
1305
1306 if (tomoyo_is_domain_def(manager)) {
1307 if (!tomoyo_is_correct_domain(manager))
1308 return -EINVAL;
1309 e.is_domain = true;
1310 } else {
1311 if (!tomoyo_is_correct_path(manager, 1, -1, -1))
1312 return -EINVAL;
1313 }
1314 e.manager = tomoyo_get_name(manager);
1315 if (!e.manager)
1316 return -ENOMEM;
1317 if (mutex_lock_interruptible(&tomoyo_policy_lock))
1318 goto out;
1319 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1320 if (ptr->manager != e.manager)
1321 continue;
1322 ptr->is_deleted = is_delete;
1323 error = 0;
1324 break;
1325 }
1326 if (!is_delete && error) {
1327 struct tomoyo_policy_manager_entry *entry =
1328 tomoyo_commit_ok(&e, sizeof(e));
1329 if (entry) {
1330 list_add_tail_rcu(&entry->list,
1331 &tomoyo_policy_manager_list);
1332 error = 0;
1333 }
1334 }
1335 mutex_unlock(&tomoyo_policy_lock);
1336 out:
1337 tomoyo_put_name(e.manager);
1338 return error;
1339 }
1340
1341 /**
1342 * tomoyo_write_manager_policy - Write manager policy.
1343 *
1344 * @head: Pointer to "struct tomoyo_io_buffer".
1345 *
1346 * Returns 0 on success, negative value otherwise.
1347 *
1348 * Caller holds tomoyo_read_lock().
1349 */
1350 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
1351 {
1352 char *data = head->write_buf;
1353 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
1354
1355 if (!strcmp(data, "manage_by_non_root")) {
1356 tomoyo_manage_by_non_root = !is_delete;
1357 return 0;
1358 }
1359 return tomoyo_update_manager_entry(data, is_delete);
1360 }
1361
1362 /**
1363 * tomoyo_read_manager_policy - Read manager policy.
1364 *
1365 * @head: Pointer to "struct tomoyo_io_buffer".
1366 *
1367 * Returns 0.
1368 *
1369 * Caller holds tomoyo_read_lock().
1370 */
1371 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
1372 {
1373 struct list_head *pos;
1374 bool done = true;
1375
1376 if (head->read_eof)
1377 return 0;
1378 list_for_each_cookie(pos, head->read_var2,
1379 &tomoyo_policy_manager_list) {
1380 struct tomoyo_policy_manager_entry *ptr;
1381 ptr = list_entry(pos, struct tomoyo_policy_manager_entry,
1382 list);
1383 if (ptr->is_deleted)
1384 continue;
1385 done = tomoyo_io_printf(head, "%s\n", ptr->manager->name);
1386 if (!done)
1387 break;
1388 }
1389 head->read_eof = done;
1390 return 0;
1391 }
1392
1393 /**
1394 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1395 *
1396 * Returns true if the current process is permitted to modify policy
1397 * via /sys/kernel/security/tomoyo/ interface.
1398 *
1399 * Caller holds tomoyo_read_lock().
1400 */
1401 static bool tomoyo_is_policy_manager(void)
1402 {
1403 struct tomoyo_policy_manager_entry *ptr;
1404 const char *exe;
1405 const struct task_struct *task = current;
1406 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
1407 bool found = false;
1408
1409 if (!tomoyo_policy_loaded)
1410 return true;
1411 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
1412 return false;
1413 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1414 if (!ptr->is_deleted && ptr->is_domain
1415 && !tomoyo_pathcmp(domainname, ptr->manager)) {
1416 found = true;
1417 break;
1418 }
1419 }
1420 if (found)
1421 return true;
1422 exe = tomoyo_get_exe();
1423 if (!exe)
1424 return false;
1425 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1426 if (!ptr->is_deleted && !ptr->is_domain
1427 && !strcmp(exe, ptr->manager->name)) {
1428 found = true;
1429 break;
1430 }
1431 }
1432 if (!found) { /* Reduce error messages. */
1433 static pid_t last_pid;
1434 const pid_t pid = current->pid;
1435 if (last_pid != pid) {
1436 printk(KERN_WARNING "%s ( %s ) is not permitted to "
1437 "update policies.\n", domainname->name, exe);
1438 last_pid = pid;
1439 }
1440 }
1441 kfree(exe);
1442 return found;
1443 }
1444
1445 /**
1446 * tomoyo_is_select_one - Parse select command.
1447 *
1448 * @head: Pointer to "struct tomoyo_io_buffer".
1449 * @data: String to parse.
1450 *
1451 * Returns true on success, false otherwise.
1452 *
1453 * Caller holds tomoyo_read_lock().
1454 */
1455 static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
1456 const char *data)
1457 {
1458 unsigned int pid;
1459 struct tomoyo_domain_info *domain = NULL;
1460
1461 if (sscanf(data, "pid=%u", &pid) == 1) {
1462 struct task_struct *p;
1463 rcu_read_lock();
1464 read_lock(&tasklist_lock);
1465 p = find_task_by_vpid(pid);
1466 if (p)
1467 domain = tomoyo_real_domain(p);
1468 read_unlock(&tasklist_lock);
1469 rcu_read_unlock();
1470 } else if (!strncmp(data, "domain=", 7)) {
1471 if (tomoyo_is_domain_def(data + 7))
1472 domain = tomoyo_find_domain(data + 7);
1473 } else
1474 return false;
1475 head->write_var1 = domain;
1476 /* Accessing read_buf is safe because head->io_sem is held. */
1477 if (!head->read_buf)
1478 return true; /* Do nothing if open(O_WRONLY). */
1479 head->read_avail = 0;
1480 tomoyo_io_printf(head, "# select %s\n", data);
1481 head->read_single_domain = true;
1482 head->read_eof = !domain;
1483 if (domain) {
1484 struct tomoyo_domain_info *d;
1485 head->read_var1 = NULL;
1486 list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
1487 if (d == domain)
1488 break;
1489 head->read_var1 = &d->list;
1490 }
1491 head->read_var2 = NULL;
1492 head->read_bit = 0;
1493 head->read_step = 0;
1494 if (domain->is_deleted)
1495 tomoyo_io_printf(head, "# This is a deleted domain.\n");
1496 }
1497 return true;
1498 }
1499
1500 /**
1501 * tomoyo_delete_domain - Delete a domain.
1502 *
1503 * @domainname: The name of domain.
1504 *
1505 * Returns 0.
1506 *
1507 * Caller holds tomoyo_read_lock().
1508 */
1509 static int tomoyo_delete_domain(char *domainname)
1510 {
1511 struct tomoyo_domain_info *domain;
1512 struct tomoyo_path_info name;
1513
1514 name.name = domainname;
1515 tomoyo_fill_path_info(&name);
1516 if (mutex_lock_interruptible(&tomoyo_policy_lock))
1517 return 0;
1518 /* Is there an active domain? */
1519 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
1520 /* Never delete tomoyo_kernel_domain */
1521 if (domain == &tomoyo_kernel_domain)
1522 continue;
1523 if (domain->is_deleted ||
1524 tomoyo_pathcmp(domain->domainname, &name))
1525 continue;
1526 domain->is_deleted = true;
1527 break;
1528 }
1529 mutex_unlock(&tomoyo_policy_lock);
1530 return 0;
1531 }
1532
1533 /**
1534 * tomoyo_write_domain_policy - Write domain policy.
1535 *
1536 * @head: Pointer to "struct tomoyo_io_buffer".
1537 *
1538 * Returns 0 on success, negative value otherwise.
1539 *
1540 * Caller holds tomoyo_read_lock().
1541 */
1542 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
1543 {
1544 char *data = head->write_buf;
1545 struct tomoyo_domain_info *domain = head->write_var1;
1546 bool is_delete = false;
1547 bool is_select = false;
1548 unsigned int profile;
1549
1550 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE))
1551 is_delete = true;
1552 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT))
1553 is_select = true;
1554 if (is_select && tomoyo_is_select_one(head, data))
1555 return 0;
1556 /* Don't allow updating policies by non manager programs. */
1557 if (!tomoyo_is_policy_manager())
1558 return -EPERM;
1559 if (tomoyo_is_domain_def(data)) {
1560 domain = NULL;
1561 if (is_delete)
1562 tomoyo_delete_domain(data);
1563 else if (is_select)
1564 domain = tomoyo_find_domain(data);
1565 else
1566 domain = tomoyo_find_or_assign_new_domain(data, 0);
1567 head->write_var1 = domain;
1568 return 0;
1569 }
1570 if (!domain)
1571 return -EINVAL;
1572
1573 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1
1574 && profile < TOMOYO_MAX_PROFILES) {
1575 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)
1576 domain->profile = (u8) profile;
1577 return 0;
1578 }
1579 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) {
1580 domain->ignore_global_allow_read = !is_delete;
1581 return 0;
1582 }
1583 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_MOUNT))
1584 return tomoyo_write_mount_policy(data, domain, is_delete);
1585 return tomoyo_write_file_policy(data, domain, is_delete);
1586 }
1587
1588 /**
1589 * tomoyo_print_path_acl - Print a single path ACL entry.
1590 *
1591 * @head: Pointer to "struct tomoyo_io_buffer".
1592 * @ptr: Pointer to "struct tomoyo_path_acl".
1593 *
1594 * Returns true on success, false otherwise.
1595 */
1596 static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
1597 struct tomoyo_path_acl *ptr)
1598 {
1599 int pos;
1600 u8 bit;
1601 const u16 perm = ptr->perm;
1602
1603 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
1604 if (!(perm & (1 << bit)))
1605 continue;
1606 /* Print "read/write" instead of "read" and "write". */
1607 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
1608 && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
1609 continue;
1610 pos = head->read_avail;
1611 if (!tomoyo_io_printf(head, "allow_%s ",
1612 tomoyo_path2keyword(bit)) ||
1613 !tomoyo_print_name_union(head, &ptr->name) ||
1614 !tomoyo_io_printf(head, "\n"))
1615 goto out;
1616 }
1617 head->read_bit = 0;
1618 return true;
1619 out:
1620 head->read_bit = bit;
1621 head->read_avail = pos;
1622 return false;
1623 }
1624
1625 /**
1626 * tomoyo_print_path2_acl - Print a double path ACL entry.
1627 *
1628 * @head: Pointer to "struct tomoyo_io_buffer".
1629 * @ptr: Pointer to "struct tomoyo_path2_acl".
1630 *
1631 * Returns true on success, false otherwise.
1632 */
1633 static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head,
1634 struct tomoyo_path2_acl *ptr)
1635 {
1636 int pos;
1637 const u8 perm = ptr->perm;
1638 u8 bit;
1639
1640 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
1641 if (!(perm & (1 << bit)))
1642 continue;
1643 pos = head->read_avail;
1644 if (!tomoyo_io_printf(head, "allow_%s ",
1645 tomoyo_path22keyword(bit)) ||
1646 !tomoyo_print_name_union(head, &ptr->name1) ||
1647 !tomoyo_print_name_union(head, &ptr->name2) ||
1648 !tomoyo_io_printf(head, "\n"))
1649 goto out;
1650 }
1651 head->read_bit = 0;
1652 return true;
1653 out:
1654 head->read_bit = bit;
1655 head->read_avail = pos;
1656 return false;
1657 }
1658
1659 /**
1660 * tomoyo_print_path_number_acl - Print a path_number ACL entry.
1661 *
1662 * @head: Pointer to "struct tomoyo_io_buffer".
1663 * @ptr: Pointer to "struct tomoyo_path_number_acl".
1664 *
1665 * Returns true on success, false otherwise.
1666 */
1667 static bool tomoyo_print_path_number_acl(struct tomoyo_io_buffer *head,
1668 struct tomoyo_path_number_acl *ptr)
1669 {
1670 int pos;
1671 u8 bit;
1672 const u8 perm = ptr->perm;
1673 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION;
1674 bit++) {
1675 if (!(perm & (1 << bit)))
1676 continue;
1677 pos = head->read_avail;
1678 if (!tomoyo_io_printf(head, "allow_%s",
1679 tomoyo_path_number2keyword(bit)) ||
1680 !tomoyo_print_name_union(head, &ptr->name) ||
1681 !tomoyo_print_number_union(head, &ptr->number) ||
1682 !tomoyo_io_printf(head, "\n"))
1683 goto out;
1684 }
1685 head->read_bit = 0;
1686 return true;
1687 out:
1688 head->read_bit = bit;
1689 head->read_avail = pos;
1690 return false;
1691 }
1692
1693 /**
1694 * tomoyo_print_path_number3_acl - Print a path_number3 ACL entry.
1695 *
1696 * @head: Pointer to "struct tomoyo_io_buffer".
1697 * @ptr: Pointer to "struct tomoyo_path_number3_acl".
1698 *
1699 * Returns true on success, false otherwise.
1700 */
1701 static bool tomoyo_print_path_number3_acl(struct tomoyo_io_buffer *head,
1702 struct tomoyo_path_number3_acl *ptr)
1703 {
1704 int pos;
1705 u8 bit;
1706 const u16 perm = ptr->perm;
1707 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_NUMBER3_OPERATION;
1708 bit++) {
1709 if (!(perm & (1 << bit)))
1710 continue;
1711 pos = head->read_avail;
1712 if (!tomoyo_io_printf(head, "allow_%s",
1713 tomoyo_path_number32keyword(bit)) ||
1714 !tomoyo_print_name_union(head, &ptr->name) ||
1715 !tomoyo_print_number_union(head, &ptr->mode) ||
1716 !tomoyo_print_number_union(head, &ptr->major) ||
1717 !tomoyo_print_number_union(head, &ptr->minor) ||
1718 !tomoyo_io_printf(head, "\n"))
1719 goto out;
1720 }
1721 head->read_bit = 0;
1722 return true;
1723 out:
1724 head->read_bit = bit;
1725 head->read_avail = pos;
1726 return false;
1727 }
1728
1729 /**
1730 * tomoyo_print_mount_acl - Print a mount ACL entry.
1731 *
1732 * @head: Pointer to "struct tomoyo_io_buffer".
1733 * @ptr: Pointer to "struct tomoyo_mount_acl".
1734 *
1735 * Returns true on success, false otherwise.
1736 */
1737 static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head,
1738 struct tomoyo_mount_acl *ptr)
1739 {
1740 const int pos = head->read_avail;
1741 if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) ||
1742 !tomoyo_print_name_union(head, &ptr->dev_name) ||
1743 !tomoyo_print_name_union(head, &ptr->dir_name) ||
1744 !tomoyo_print_name_union(head, &ptr->fs_type) ||
1745 !tomoyo_print_number_union(head, &ptr->flags) ||
1746 !tomoyo_io_printf(head, "\n")) {
1747 head->read_avail = pos;
1748 return false;
1749 }
1750 return true;
1751 }
1752
1753 /**
1754 * tomoyo_print_entry - Print an ACL entry.
1755 *
1756 * @head: Pointer to "struct tomoyo_io_buffer".
1757 * @ptr: Pointer to an ACL entry.
1758 *
1759 * Returns true on success, false otherwise.
1760 */
1761 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
1762 struct tomoyo_acl_info *ptr)
1763 {
1764 const u8 acl_type = ptr->type;
1765
1766 if (acl_type == TOMOYO_TYPE_PATH_ACL) {
1767 struct tomoyo_path_acl *acl
1768 = container_of(ptr, struct tomoyo_path_acl, head);
1769 return tomoyo_print_path_acl(head, acl);
1770 }
1771 if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
1772 struct tomoyo_path2_acl *acl
1773 = container_of(ptr, struct tomoyo_path2_acl, head);
1774 return tomoyo_print_path2_acl(head, acl);
1775 }
1776 if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) {
1777 struct tomoyo_path_number_acl *acl
1778 = container_of(ptr, struct tomoyo_path_number_acl,
1779 head);
1780 return tomoyo_print_path_number_acl(head, acl);
1781 }
1782 if (acl_type == TOMOYO_TYPE_PATH_NUMBER3_ACL) {
1783 struct tomoyo_path_number3_acl *acl
1784 = container_of(ptr, struct tomoyo_path_number3_acl,
1785 head);
1786 return tomoyo_print_path_number3_acl(head, acl);
1787 }
1788 if (acl_type == TOMOYO_TYPE_MOUNT_ACL) {
1789 struct tomoyo_mount_acl *acl
1790 = container_of(ptr, struct tomoyo_mount_acl, head);
1791 return tomoyo_print_mount_acl(head, acl);
1792 }
1793 BUG(); /* This must not happen. */
1794 return false;
1795 }
1796
1797 /**
1798 * tomoyo_read_domain_policy - Read domain policy.
1799 *
1800 * @head: Pointer to "struct tomoyo_io_buffer".
1801 *
1802 * Returns 0.
1803 *
1804 * Caller holds tomoyo_read_lock().
1805 */
1806 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
1807 {
1808 struct list_head *dpos;
1809 struct list_head *apos;
1810 bool done = true;
1811
1812 if (head->read_eof)
1813 return 0;
1814 if (head->read_step == 0)
1815 head->read_step = 1;
1816 list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
1817 struct tomoyo_domain_info *domain;
1818 const char *quota_exceeded = "";
1819 const char *transition_failed = "";
1820 const char *ignore_global_allow_read = "";
1821 domain = list_entry(dpos, struct tomoyo_domain_info, list);
1822 if (head->read_step != 1)
1823 goto acl_loop;
1824 if (domain->is_deleted && !head->read_single_domain)
1825 continue;
1826 /* Print domainname and flags. */
1827 if (domain->quota_warned)
1828 quota_exceeded = "quota_exceeded\n";
1829 if (domain->transition_failed)
1830 transition_failed = "transition_failed\n";
1831 if (domain->ignore_global_allow_read)
1832 ignore_global_allow_read
1833 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
1834 done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1835 "%u\n%s%s%s\n",
1836 domain->domainname->name,
1837 domain->profile, quota_exceeded,
1838 transition_failed,
1839 ignore_global_allow_read);
1840 if (!done)
1841 break;
1842 head->read_step = 2;
1843 acl_loop:
1844 if (head->read_step == 3)
1845 goto tail_mark;
1846 /* Print ACL entries in the domain. */
1847 list_for_each_cookie(apos, head->read_var2,
1848 &domain->acl_info_list) {
1849 struct tomoyo_acl_info *ptr
1850 = list_entry(apos, struct tomoyo_acl_info,
1851 list);
1852 done = tomoyo_print_entry(head, ptr);
1853 if (!done)
1854 break;
1855 }
1856 if (!done)
1857 break;
1858 head->read_step = 3;
1859 tail_mark:
1860 done = tomoyo_io_printf(head, "\n");
1861 if (!done)
1862 break;
1863 head->read_step = 1;
1864 if (head->read_single_domain)
1865 break;
1866 }
1867 head->read_eof = done;
1868 return 0;
1869 }
1870
1871 /**
1872 * tomoyo_write_domain_profile - Assign profile for specified domain.
1873 *
1874 * @head: Pointer to "struct tomoyo_io_buffer".
1875 *
1876 * Returns 0 on success, -EINVAL otherwise.
1877 *
1878 * This is equivalent to doing
1879 *
1880 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1881 * /usr/lib/ccs/loadpolicy -d
1882 *
1883 * Caller holds tomoyo_read_lock().
1884 */
1885 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
1886 {
1887 char *data = head->write_buf;
1888 char *cp = strchr(data, ' ');
1889 struct tomoyo_domain_info *domain;
1890 unsigned long profile;
1891
1892 if (!cp)
1893 return -EINVAL;
1894 *cp = '\0';
1895 domain = tomoyo_find_domain(cp + 1);
1896 if (strict_strtoul(data, 10, &profile))
1897 return -EINVAL;
1898 if (domain && profile < TOMOYO_MAX_PROFILES
1899 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded))
1900 domain->profile = (u8) profile;
1901 return 0;
1902 }
1903
1904 /**
1905 * tomoyo_read_domain_profile - Read only domainname and profile.
1906 *
1907 * @head: Pointer to "struct tomoyo_io_buffer".
1908 *
1909 * Returns list of profile number and domainname pairs.
1910 *
1911 * This is equivalent to doing
1912 *
1913 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1914 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1915 * domainname = $0; } else if ( $1 == "use_profile" ) {
1916 * print $2 " " domainname; domainname = ""; } } ; '
1917 *
1918 * Caller holds tomoyo_read_lock().
1919 */
1920 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
1921 {
1922 struct list_head *pos;
1923 bool done = true;
1924
1925 if (head->read_eof)
1926 return 0;
1927 list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) {
1928 struct tomoyo_domain_info *domain;
1929 domain = list_entry(pos, struct tomoyo_domain_info, list);
1930 if (domain->is_deleted)
1931 continue;
1932 done = tomoyo_io_printf(head, "%u %s\n", domain->profile,
1933 domain->domainname->name);
1934 if (!done)
1935 break;
1936 }
1937 head->read_eof = done;
1938 return 0;
1939 }
1940
1941 /**
1942 * tomoyo_write_pid: Specify PID to obtain domainname.
1943 *
1944 * @head: Pointer to "struct tomoyo_io_buffer".
1945 *
1946 * Returns 0.
1947 */
1948 static int tomoyo_write_pid(struct tomoyo_io_buffer *head)
1949 {
1950 unsigned long pid;
1951 /* No error check. */
1952 strict_strtoul(head->write_buf, 10, &pid);
1953 head->read_step = (int) pid;
1954 head->read_eof = false;
1955 return 0;
1956 }
1957
1958 /**
1959 * tomoyo_read_pid - Get domainname of the specified PID.
1960 *
1961 * @head: Pointer to "struct tomoyo_io_buffer".
1962 *
1963 * Returns the domainname which the specified PID is in on success,
1964 * empty string otherwise.
1965 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1966 * using read()/write() interface rather than sysctl() interface.
1967 */
1968 static int tomoyo_read_pid(struct tomoyo_io_buffer *head)
1969 {
1970 if (head->read_avail == 0 && !head->read_eof) {
1971 const int pid = head->read_step;
1972 struct task_struct *p;
1973 struct tomoyo_domain_info *domain = NULL;
1974 rcu_read_lock();
1975 read_lock(&tasklist_lock);
1976 p = find_task_by_vpid(pid);
1977 if (p)
1978 domain = tomoyo_real_domain(p);
1979 read_unlock(&tasklist_lock);
1980 rcu_read_unlock();
1981 if (domain)
1982 tomoyo_io_printf(head, "%d %u %s", pid, domain->profile,
1983 domain->domainname->name);
1984 head->read_eof = true;
1985 }
1986 return 0;
1987 }
1988
1989 /**
1990 * tomoyo_write_exception_policy - Write exception policy.
1991 *
1992 * @head: Pointer to "struct tomoyo_io_buffer".
1993 *
1994 * Returns 0 on success, negative value otherwise.
1995 *
1996 * Caller holds tomoyo_read_lock().
1997 */
1998 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
1999 {
2000 char *data = head->write_buf;
2001 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
2002
2003 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN))
2004 return tomoyo_write_domain_keeper_policy(data, false,
2005 is_delete);
2006 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN))
2007 return tomoyo_write_domain_keeper_policy(data, true, is_delete);
2008 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN))
2009 return tomoyo_write_domain_initializer_policy(data, false,
2010 is_delete);
2011 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN))
2012 return tomoyo_write_domain_initializer_policy(data, true,
2013 is_delete);
2014 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS))
2015 return tomoyo_write_alias_policy(data, is_delete);
2016 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ))
2017 return tomoyo_write_globally_readable_policy(data, is_delete);
2018 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN))
2019 return tomoyo_write_pattern_policy(data, is_delete);
2020 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE))
2021 return tomoyo_write_no_rewrite_policy(data, is_delete);
2022 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_PATH_GROUP))
2023 return tomoyo_write_path_group_policy(data, is_delete);
2024 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NUMBER_GROUP))
2025 return tomoyo_write_number_group_policy(data, is_delete);
2026 return -EINVAL;
2027 }
2028
2029 /**
2030 * tomoyo_read_exception_policy - Read exception policy.
2031 *
2032 * @head: Pointer to "struct tomoyo_io_buffer".
2033 *
2034 * Returns 0 on success, -EINVAL otherwise.
2035 *
2036 * Caller holds tomoyo_read_lock().
2037 */
2038 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head)
2039 {
2040 if (!head->read_eof) {
2041 switch (head->read_step) {
2042 case 0:
2043 head->read_var2 = NULL;
2044 head->read_step = 1;
2045 case 1:
2046 if (!tomoyo_read_domain_keeper_policy(head))
2047 break;
2048 head->read_var2 = NULL;
2049 head->read_step = 2;
2050 case 2:
2051 if (!tomoyo_read_globally_readable_policy(head))
2052 break;
2053 head->read_var2 = NULL;
2054 head->read_step = 3;
2055 case 3:
2056 head->read_var2 = NULL;
2057 head->read_step = 4;
2058 case 4:
2059 if (!tomoyo_read_domain_initializer_policy(head))
2060 break;
2061 head->read_var2 = NULL;
2062 head->read_step = 5;
2063 case 5:
2064 if (!tomoyo_read_alias_policy(head))
2065 break;
2066 head->read_var2 = NULL;
2067 head->read_step = 6;
2068 case 6:
2069 head->read_var2 = NULL;
2070 head->read_step = 7;
2071 case 7:
2072 if (!tomoyo_read_file_pattern(head))
2073 break;
2074 head->read_var2 = NULL;
2075 head->read_step = 8;
2076 case 8:
2077 if (!tomoyo_read_no_rewrite_policy(head))
2078 break;
2079 head->read_var2 = NULL;
2080 head->read_step = 9;
2081 case 9:
2082 if (!tomoyo_read_path_group_policy(head))
2083 break;
2084 head->read_var1 = NULL;
2085 head->read_var2 = NULL;
2086 head->read_step = 10;
2087 case 10:
2088 if (!tomoyo_read_number_group_policy(head))
2089 break;
2090 head->read_var1 = NULL;
2091 head->read_var2 = NULL;
2092 head->read_step = 11;
2093 case 11:
2094 head->read_eof = true;
2095 break;
2096 default:
2097 return -EINVAL;
2098 }
2099 }
2100 return 0;
2101 }
2102
2103 /* path to policy loader */
2104 static const char *tomoyo_loader = "/sbin/tomoyo-init";
2105
2106 /**
2107 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
2108 *
2109 * Returns true if /sbin/tomoyo-init exists, false otherwise.
2110 */
2111 static bool tomoyo_policy_loader_exists(void)
2112 {
2113 /*
2114 * Don't activate MAC if the policy loader doesn't exist.
2115 * If the initrd includes /sbin/init but real-root-dev has not
2116 * mounted on / yet, activating MAC will block the system since
2117 * policies are not loaded yet.
2118 * Thus, let do_execve() call this function everytime.
2119 */
2120 struct path path;
2121
2122 if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
2123 printk(KERN_INFO "Not activating Mandatory Access Control now "
2124 "since %s doesn't exist.\n", tomoyo_loader);
2125 return false;
2126 }
2127 path_put(&path);
2128 return true;
2129 }
2130
2131 /**
2132 * tomoyo_load_policy - Run external policy loader to load policy.
2133 *
2134 * @filename: The program about to start.
2135 *
2136 * This function checks whether @filename is /sbin/init , and if so
2137 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
2138 * and then continues invocation of /sbin/init.
2139 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
2140 * writes to /sys/kernel/security/tomoyo/ interfaces.
2141 *
2142 * Returns nothing.
2143 */
2144 void tomoyo_load_policy(const char *filename)
2145 {
2146 char *argv[2];
2147 char *envp[3];
2148
2149 if (tomoyo_policy_loaded)
2150 return;
2151 /*
2152 * Check filename is /sbin/init or /sbin/tomoyo-start.
2153 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
2154 * be passed.
2155 * You can create /sbin/tomoyo-start by
2156 * "ln -s /bin/true /sbin/tomoyo-start".
2157 */
2158 if (strcmp(filename, "/sbin/init") &&
2159 strcmp(filename, "/sbin/tomoyo-start"))
2160 return;
2161 if (!tomoyo_policy_loader_exists())
2162 return;
2163
2164 printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
2165 tomoyo_loader);
2166 argv[0] = (char *) tomoyo_loader;
2167 argv[1] = NULL;
2168 envp[0] = "HOME=/";
2169 envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
2170 envp[2] = NULL;
2171 call_usermodehelper(argv[0], argv, envp, 1);
2172
2173 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n");
2174 printk(KERN_INFO "Mandatory Access Control activated.\n");
2175 tomoyo_policy_loaded = true;
2176 { /* Check all profiles currently assigned to domains are defined. */
2177 struct tomoyo_domain_info *domain;
2178 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
2179 const u8 profile = domain->profile;
2180 if (tomoyo_profile_ptr[profile])
2181 continue;
2182 panic("Profile %u (used by '%s') not defined.\n",
2183 profile, domain->domainname->name);
2184 }
2185 }
2186 }
2187
2188 /**
2189 * tomoyo_read_version: Get version.
2190 *
2191 * @head: Pointer to "struct tomoyo_io_buffer".
2192 *
2193 * Returns version information.
2194 */
2195 static int tomoyo_read_version(struct tomoyo_io_buffer *head)
2196 {
2197 if (!head->read_eof) {
2198 tomoyo_io_printf(head, "2.2.0");
2199 head->read_eof = true;
2200 }
2201 return 0;
2202 }
2203
2204 /**
2205 * tomoyo_read_self_domain - Get the current process's domainname.
2206 *
2207 * @head: Pointer to "struct tomoyo_io_buffer".
2208 *
2209 * Returns the current process's domainname.
2210 */
2211 static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head)
2212 {
2213 if (!head->read_eof) {
2214 /*
2215 * tomoyo_domain()->domainname != NULL
2216 * because every process belongs to a domain and
2217 * the domain's name cannot be NULL.
2218 */
2219 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name);
2220 head->read_eof = true;
2221 }
2222 return 0;
2223 }
2224
2225 /**
2226 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
2227 *
2228 * @type: Type of interface.
2229 * @file: Pointer to "struct file".
2230 *
2231 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
2232 *
2233 * Caller acquires tomoyo_read_lock().
2234 */
2235 static int tomoyo_open_control(const u8 type, struct file *file)
2236 {
2237 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS);
2238
2239 if (!head)
2240 return -ENOMEM;
2241 mutex_init(&head->io_sem);
2242 switch (type) {
2243 case TOMOYO_DOMAINPOLICY:
2244 /* /sys/kernel/security/tomoyo/domain_policy */
2245 head->write = tomoyo_write_domain_policy;
2246 head->read = tomoyo_read_domain_policy;
2247 break;
2248 case TOMOYO_EXCEPTIONPOLICY:
2249 /* /sys/kernel/security/tomoyo/exception_policy */
2250 head->write = tomoyo_write_exception_policy;
2251 head->read = tomoyo_read_exception_policy;
2252 break;
2253 case TOMOYO_SELFDOMAIN:
2254 /* /sys/kernel/security/tomoyo/self_domain */
2255 head->read = tomoyo_read_self_domain;
2256 break;
2257 case TOMOYO_DOMAIN_STATUS:
2258 /* /sys/kernel/security/tomoyo/.domain_status */
2259 head->write = tomoyo_write_domain_profile;
2260 head->read = tomoyo_read_domain_profile;
2261 break;
2262 case TOMOYO_PROCESS_STATUS:
2263 /* /sys/kernel/security/tomoyo/.process_status */
2264 head->write = tomoyo_write_pid;
2265 head->read = tomoyo_read_pid;
2266 break;
2267 case TOMOYO_VERSION:
2268 /* /sys/kernel/security/tomoyo/version */
2269 head->read = tomoyo_read_version;
2270 head->readbuf_size = 128;
2271 break;
2272 case TOMOYO_MEMINFO:
2273 /* /sys/kernel/security/tomoyo/meminfo */
2274 head->write = tomoyo_write_memory_quota;
2275 head->read = tomoyo_read_memory_counter;
2276 head->readbuf_size = 512;
2277 break;
2278 case TOMOYO_PROFILE:
2279 /* /sys/kernel/security/tomoyo/profile */
2280 head->write = tomoyo_write_profile;
2281 head->read = tomoyo_read_profile;
2282 break;
2283 case TOMOYO_MANAGER:
2284 /* /sys/kernel/security/tomoyo/manager */
2285 head->write = tomoyo_write_manager_policy;
2286 head->read = tomoyo_read_manager_policy;
2287 break;
2288 }
2289 if (!(file->f_mode & FMODE_READ)) {
2290 /*
2291 * No need to allocate read_buf since it is not opened
2292 * for reading.
2293 */
2294 head->read = NULL;
2295 } else {
2296 if (!head->readbuf_size)
2297 head->readbuf_size = 4096 * 2;
2298 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS);
2299 if (!head->read_buf) {
2300 kfree(head);
2301 return -ENOMEM;
2302 }
2303 }
2304 if (!(file->f_mode & FMODE_WRITE)) {
2305 /*
2306 * No need to allocate write_buf since it is not opened
2307 * for writing.
2308 */
2309 head->write = NULL;
2310 } else if (head->write) {
2311 head->writebuf_size = 4096 * 2;
2312 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS);
2313 if (!head->write_buf) {
2314 kfree(head->read_buf);
2315 kfree(head);
2316 return -ENOMEM;
2317 }
2318 }
2319 head->reader_idx = tomoyo_read_lock();
2320 file->private_data = head;
2321 /*
2322 * Call the handler now if the file is
2323 * /sys/kernel/security/tomoyo/self_domain
2324 * so that the user can use
2325 * cat < /sys/kernel/security/tomoyo/self_domain"
2326 * to know the current process's domainname.
2327 */
2328 if (type == TOMOYO_SELFDOMAIN)
2329 tomoyo_read_control(file, NULL, 0);
2330 return 0;
2331 }
2332
2333 /**
2334 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
2335 *
2336 * @file: Pointer to "struct file".
2337 * @buffer: Poiner to buffer to write to.
2338 * @buffer_len: Size of @buffer.
2339 *
2340 * Returns bytes read on success, negative value otherwise.
2341 *
2342 * Caller holds tomoyo_read_lock().
2343 */
2344 static int tomoyo_read_control(struct file *file, char __user *buffer,
2345 const int buffer_len)
2346 {
2347 int len = 0;
2348 struct tomoyo_io_buffer *head = file->private_data;
2349 char *cp;
2350
2351 if (!head->read)
2352 return -ENOSYS;
2353 if (mutex_lock_interruptible(&head->io_sem))
2354 return -EINTR;
2355 /* Call the policy handler. */
2356 len = head->read(head);
2357 if (len < 0)
2358 goto out;
2359 /* Write to buffer. */
2360 len = head->read_avail;
2361 if (len > buffer_len)
2362 len = buffer_len;
2363 if (!len)
2364 goto out;
2365 /* head->read_buf changes by some functions. */
2366 cp = head->read_buf;
2367 if (copy_to_user(buffer, cp, len)) {
2368 len = -EFAULT;
2369 goto out;
2370 }
2371 head->read_avail -= len;
2372 memmove(cp, cp + len, head->read_avail);
2373 out:
2374 mutex_unlock(&head->io_sem);
2375 return len;
2376 }
2377
2378 /**
2379 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2380 *
2381 * @file: Pointer to "struct file".
2382 * @buffer: Pointer to buffer to read from.
2383 * @buffer_len: Size of @buffer.
2384 *
2385 * Returns @buffer_len on success, negative value otherwise.
2386 *
2387 * Caller holds tomoyo_read_lock().
2388 */
2389 static int tomoyo_write_control(struct file *file, const char __user *buffer,
2390 const int buffer_len)
2391 {
2392 struct tomoyo_io_buffer *head = file->private_data;
2393 int error = buffer_len;
2394 int avail_len = buffer_len;
2395 char *cp0 = head->write_buf;
2396
2397 if (!head->write)
2398 return -ENOSYS;
2399 if (!access_ok(VERIFY_READ, buffer, buffer_len))
2400 return -EFAULT;
2401 /* Don't allow updating policies by non manager programs. */
2402 if (head->write != tomoyo_write_pid &&
2403 head->write != tomoyo_write_domain_policy &&
2404 !tomoyo_is_policy_manager())
2405 return -EPERM;
2406 if (mutex_lock_interruptible(&head->io_sem))
2407 return -EINTR;
2408 /* Read a line and dispatch it to the policy handler. */
2409 while (avail_len > 0) {
2410 char c;
2411 if (head->write_avail >= head->writebuf_size - 1) {
2412 error = -ENOMEM;
2413 break;
2414 } else if (get_user(c, buffer)) {
2415 error = -EFAULT;
2416 break;
2417 }
2418 buffer++;
2419 avail_len--;
2420 cp0[head->write_avail++] = c;
2421 if (c != '\n')
2422 continue;
2423 cp0[head->write_avail - 1] = '\0';
2424 head->write_avail = 0;
2425 tomoyo_normalize_line(cp0);
2426 head->write(head);
2427 }
2428 mutex_unlock(&head->io_sem);
2429 return error;
2430 }
2431
2432 /**
2433 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2434 *
2435 * @file: Pointer to "struct file".
2436 *
2437 * Releases memory and returns 0.
2438 *
2439 * Caller looses tomoyo_read_lock().
2440 */
2441 static int tomoyo_close_control(struct file *file)
2442 {
2443 struct tomoyo_io_buffer *head = file->private_data;
2444 const bool is_write = !!head->write_buf;
2445
2446 tomoyo_read_unlock(head->reader_idx);
2447 /* Release memory used for policy I/O. */
2448 kfree(head->read_buf);
2449 head->read_buf = NULL;
2450 kfree(head->write_buf);
2451 head->write_buf = NULL;
2452 kfree(head);
2453 head = NULL;
2454 file->private_data = NULL;
2455 if (is_write)
2456 tomoyo_run_gc();
2457 return 0;
2458 }
2459
2460 /**
2461 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2462 *
2463 * @inode: Pointer to "struct inode".
2464 * @file: Pointer to "struct file".
2465 *
2466 * Returns 0 on success, negative value otherwise.
2467 */
2468 static int tomoyo_open(struct inode *inode, struct file *file)
2469 {
2470 const int key = ((u8 *) file->f_path.dentry->d_inode->i_private)
2471 - ((u8 *) NULL);
2472 return tomoyo_open_control(key, file);
2473 }
2474
2475 /**
2476 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2477 *
2478 * @inode: Pointer to "struct inode".
2479 * @file: Pointer to "struct file".
2480 *
2481 * Returns 0 on success, negative value otherwise.
2482 */
2483 static int tomoyo_release(struct inode *inode, struct file *file)
2484 {
2485 return tomoyo_close_control(file);
2486 }
2487
2488 /**
2489 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2490 *
2491 * @file: Pointer to "struct file".
2492 * @buf: Pointer to buffer.
2493 * @count: Size of @buf.
2494 * @ppos: Unused.
2495 *
2496 * Returns bytes read on success, negative value otherwise.
2497 */
2498 static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
2499 loff_t *ppos)
2500 {
2501 return tomoyo_read_control(file, buf, count);
2502 }
2503
2504 /**
2505 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2506 *
2507 * @file: Pointer to "struct file".
2508 * @buf: Pointer to buffer.
2509 * @count: Size of @buf.
2510 * @ppos: Unused.
2511 *
2512 * Returns @count on success, negative value otherwise.
2513 */
2514 static ssize_t tomoyo_write(struct file *file, const char __user *buf,
2515 size_t count, loff_t *ppos)
2516 {
2517 return tomoyo_write_control(file, buf, count);
2518 }
2519
2520 /*
2521 * tomoyo_operations is a "struct file_operations" which is used for handling
2522 * /sys/kernel/security/tomoyo/ interface.
2523 *
2524 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2525 * See tomoyo_io_buffer for internals.
2526 */
2527 static const struct file_operations tomoyo_operations = {
2528 .open = tomoyo_open,
2529 .release = tomoyo_release,
2530 .read = tomoyo_read,
2531 .write = tomoyo_write,
2532 };
2533
2534 /**
2535 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2536 *
2537 * @name: The name of the interface file.
2538 * @mode: The permission of the interface file.
2539 * @parent: The parent directory.
2540 * @key: Type of interface.
2541 *
2542 * Returns nothing.
2543 */
2544 static void __init tomoyo_create_entry(const char *name, const mode_t mode,
2545 struct dentry *parent, const u8 key)
2546 {
2547 securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,
2548 &tomoyo_operations);
2549 }
2550
2551 /**
2552 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2553 *
2554 * Returns 0.
2555 */
2556 static int __init tomoyo_initerface_init(void)
2557 {
2558 struct dentry *tomoyo_dir;
2559
2560 /* Don't create securityfs entries unless registered. */
2561 if (current_cred()->security != &tomoyo_kernel_domain)
2562 return 0;
2563
2564 tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
2565 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir,
2566 TOMOYO_DOMAINPOLICY);
2567 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir,
2568 TOMOYO_EXCEPTIONPOLICY);
2569 tomoyo_create_entry("self_domain", 0400, tomoyo_dir,
2570 TOMOYO_SELFDOMAIN);
2571 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir,
2572 TOMOYO_DOMAIN_STATUS);
2573 tomoyo_create_entry(".process_status", 0600, tomoyo_dir,
2574 TOMOYO_PROCESS_STATUS);
2575 tomoyo_create_entry("meminfo", 0600, tomoyo_dir,
2576 TOMOYO_MEMINFO);
2577 tomoyo_create_entry("profile", 0600, tomoyo_dir,
2578 TOMOYO_PROFILE);
2579 tomoyo_create_entry("manager", 0600, tomoyo_dir,
2580 TOMOYO_MANAGER);
2581 tomoyo_create_entry("version", 0400, tomoyo_dir,
2582 TOMOYO_VERSION);
2583 return 0;
2584 }
2585
2586 fs_initcall(tomoyo_initerface_init);
Linux kernel - Deliverables
This page took 0.088661 seconds and 5 git commands to generate.