2 * security/tomoyo/common.c
4 * Common functions for TOMOYO.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
12 #include <linux/uaccess.h>
13 #include <linux/slab.h>
14 #include <linux/security.h>
15 #include <linux/hardirq.h>
18 /* Lock for protecting policy. */
19 DEFINE_MUTEX(tomoyo_policy_lock
);
21 /* Has loading policy done? */
22 bool tomoyo_policy_loaded
;
24 /* String table for functionality that takes 4 modes. */
25 static const char *tomoyo_mode_4
[4] = {
26 "disabled", "learning", "permissive", "enforcing"
28 /* String table for functionality that takes 2 modes. */
29 static const char *tomoyo_mode_2
[4] = {
30 "disabled", "enabled", "enabled", "enabled"
34 * tomoyo_control_array is a static data which contains
36 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
37 * (2) initial values for "struct tomoyo_profile".
38 * (3) max values for "struct tomoyo_profile".
42 unsigned int current_value
;
43 const unsigned int max_value
;
44 } tomoyo_control_array
[TOMOYO_MAX_CONTROL_INDEX
] = {
45 [TOMOYO_MAC_FOR_FILE
] = { "MAC_FOR_FILE", 0, 3 },
46 [TOMOYO_MAX_ACCEPT_ENTRY
] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX
},
47 [TOMOYO_VERBOSE
] = { "TOMOYO_VERBOSE", 1, 1 },
51 * tomoyo_profile is a structure which is used for holding the mode of access
52 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
53 * An administrator can define up to 256 profiles.
54 * The ->profile of "struct tomoyo_domain_info" is used for remembering
55 * the profile's number (0 - 255) assigned to that domain.
57 static struct tomoyo_profile
{
58 unsigned int value
[TOMOYO_MAX_CONTROL_INDEX
];
59 const struct tomoyo_path_info
*comment
;
60 } *tomoyo_profile_ptr
[TOMOYO_MAX_PROFILES
];
62 /* Permit policy management by non-root user? */
63 static bool tomoyo_manage_by_non_root
;
65 /* Utility functions. */
67 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
68 static int tomoyo_open_control(const u8 type
, struct file
*file
);
69 /* Close /sys/kernel/security/tomoyo/ interface. */
70 static int tomoyo_close_control(struct file
*file
);
71 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
72 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
73 const int buffer_len
);
74 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
75 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
76 const int buffer_len
);
79 * tomoyo_parse_name_union - Parse a tomoyo_name_union.
81 * @filename: Name or name group.
82 * @ptr: Pointer to "struct tomoyo_name_union".
84 * Returns true on success, false otherwise.
86 bool tomoyo_parse_name_union(const char *filename
,
87 struct tomoyo_name_union
*ptr
)
89 if (!tomoyo_is_correct_path(filename
, 0, 0, 0))
91 if (filename
[0] == '@') {
92 ptr
->group
= tomoyo_get_path_group(filename
+ 1);
94 return ptr
->group
!= NULL
;
96 ptr
->filename
= tomoyo_get_name(filename
);
97 ptr
->is_group
= false;
98 return ptr
->filename
!= NULL
;
102 * tomoyo_print_name_union - Print a tomoyo_name_union.
104 * @head: Pointer to "struct tomoyo_io_buffer".
105 * @ptr: Pointer to "struct tomoyo_name_union".
107 * Returns true on success, false otherwise.
109 static bool tomoyo_print_name_union(struct tomoyo_io_buffer
*head
,
110 const struct tomoyo_name_union
*ptr
)
112 int pos
= head
->read_avail
;
113 if (pos
&& head
->read_buf
[pos
- 1] == ' ')
116 return tomoyo_io_printf(head
, " @%s",
117 ptr
->group
->group_name
->name
);
118 return tomoyo_io_printf(head
, " %s", ptr
->filename
->name
);
122 * tomoyo_parse_ulong - Parse an "unsigned long" value.
124 * @result: Pointer to "unsigned long".
125 * @str: Pointer to string to parse.
127 * Returns value type on success, 0 otherwise.
129 * The @src is updated to point the first character after the value
132 u8
tomoyo_parse_ulong(unsigned long *result
, char **str
)
134 const char *cp
= *str
;
139 if (c
== 'x' || c
== 'X') {
142 } else if (c
>= '0' && c
<= '7') {
147 *result
= simple_strtoul(cp
, &ep
, base
);
153 return TOMOYO_VALUE_TYPE_HEXADECIMAL
;
155 return TOMOYO_VALUE_TYPE_OCTAL
;
157 return TOMOYO_VALUE_TYPE_DECIMAL
;
162 * tomoyo_print_ulong - Print an "unsigned long" value.
164 * @buffer: Pointer to buffer.
165 * @buffer_len: Size of @buffer.
166 * @value: An "unsigned long" value.
167 * @type: Type of @value.
171 void tomoyo_print_ulong(char *buffer
, const int buffer_len
,
172 const unsigned long value
, const u8 type
)
174 if (type
== TOMOYO_VALUE_TYPE_DECIMAL
)
175 snprintf(buffer
, buffer_len
, "%lu", value
);
176 else if (type
== TOMOYO_VALUE_TYPE_OCTAL
)
177 snprintf(buffer
, buffer_len
, "0%lo", value
);
178 else if (type
== TOMOYO_VALUE_TYPE_HEXADECIMAL
)
179 snprintf(buffer
, buffer_len
, "0x%lX", value
);
181 snprintf(buffer
, buffer_len
, "type(%u)", type
);
185 * tomoyo_print_number_union - Print a tomoyo_number_union.
187 * @head: Pointer to "struct tomoyo_io_buffer".
188 * @ptr: Pointer to "struct tomoyo_number_union".
190 * Returns true on success, false otherwise.
192 bool tomoyo_print_number_union(struct tomoyo_io_buffer
*head
,
193 const struct tomoyo_number_union
*ptr
)
199 if (!tomoyo_io_printf(head
, " "))
202 return tomoyo_io_printf(head
, "@%s",
203 ptr
->group
->group_name
->name
);
204 min_type
= ptr
->min_type
;
205 max_type
= ptr
->max_type
;
206 min
= ptr
->values
[0];
207 max
= ptr
->values
[1];
209 case TOMOYO_VALUE_TYPE_HEXADECIMAL
:
210 if (!tomoyo_io_printf(head
, "0x%lX", min
))
213 case TOMOYO_VALUE_TYPE_OCTAL
:
214 if (!tomoyo_io_printf(head
, "0%lo", min
))
218 if (!tomoyo_io_printf(head
, "%lu", min
))
222 if (min
== max
&& min_type
== max_type
)
225 case TOMOYO_VALUE_TYPE_HEXADECIMAL
:
226 return tomoyo_io_printf(head
, "-0x%lX", max
);
227 case TOMOYO_VALUE_TYPE_OCTAL
:
228 return tomoyo_io_printf(head
, "-0%lo", max
);
230 return tomoyo_io_printf(head
, "-%lu", max
);
235 * tomoyo_parse_number_union - Parse a tomoyo_number_union.
237 * @data: Number or number range or number group.
238 * @ptr: Pointer to "struct tomoyo_number_union".
240 * Returns true on success, false otherwise.
242 bool tomoyo_parse_number_union(char *data
, struct tomoyo_number_union
*num
)
246 memset(num
, 0, sizeof(*num
));
247 if (data
[0] == '@') {
248 if (!tomoyo_is_correct_path(data
, 0, 0, 0))
250 num
->group
= tomoyo_get_number_group(data
+ 1);
251 num
->is_group
= true;
252 return num
->group
!= NULL
;
254 type
= tomoyo_parse_ulong(&v
, &data
);
258 num
->min_type
= type
;
261 num
->max_type
= type
;
266 type
= tomoyo_parse_ulong(&v
, &data
);
270 num
->max_type
= type
;
275 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
277 * @str: Pointer to the string.
279 * Returns true if @str is a \ooo style octal value, false otherwise.
281 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
282 * This function verifies that \ooo is in valid range.
284 static inline bool tomoyo_is_byte_range(const char *str
)
286 return *str
>= '0' && *str
++ <= '3' &&
287 *str
>= '0' && *str
++ <= '7' &&
288 *str
>= '0' && *str
<= '7';
292 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
294 * @c: The character to check.
296 * Returns true if @c is an alphabet character, false otherwise.
298 static inline bool tomoyo_is_alphabet_char(const char c
)
300 return (c
>= 'A' && c
<= 'Z') || (c
>= 'a' && c
<= 'z');
304 * tomoyo_make_byte - Make byte value from three octal characters.
306 * @c1: The first character.
307 * @c2: The second character.
308 * @c3: The third character.
310 * Returns byte value.
312 static inline u8
tomoyo_make_byte(const u8 c1
, const u8 c2
, const u8 c3
)
314 return ((c1
- '0') << 6) + ((c2
- '0') << 3) + (c3
- '0');
318 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
320 * @src: Pointer to pointer to the string.
321 * @find: Pointer to the keyword.
323 * Returns true if @src starts with @find, false otherwise.
325 * The @src is updated to point the first character after the @find
326 * if @src starts with @find.
328 static bool tomoyo_str_starts(char **src
, const char *find
)
330 const int len
= strlen(find
);
333 if (strncmp(tmp
, find
, len
))
341 * tomoyo_normalize_line - Format string.
343 * @buffer: The line to normalize.
345 * Leading and trailing whitespaces are removed.
346 * Multiple whitespaces are packed into single space.
350 static void tomoyo_normalize_line(unsigned char *buffer
)
352 unsigned char *sp
= buffer
;
353 unsigned char *dp
= buffer
;
356 while (tomoyo_is_invalid(*sp
))
362 while (tomoyo_is_valid(*sp
))
364 while (tomoyo_is_invalid(*sp
))
371 * tomoyo_tokenize - Tokenize string.
373 * @buffer: The line to tokenize.
374 * @w: Pointer to "char *".
377 * Returns true on success, false otherwise.
379 bool tomoyo_tokenize(char *buffer
, char *w
[], size_t size
)
381 int count
= size
/ sizeof(char *);
383 for (i
= 0; i
< count
; i
++)
385 for (i
= 0; i
< count
; i
++) {
386 char *cp
= strchr(buffer
, ' ');
394 return i
< count
|| !*buffer
;
398 * tomoyo_is_correct_path - Validate a pathname.
399 * @filename: The pathname to check.
400 * @start_type: Should the pathname start with '/'?
401 * 1 = must / -1 = must not / 0 = don't care
402 * @pattern_type: Can the pathname contain a wildcard?
403 * 1 = must / -1 = must not / 0 = don't care
404 * @end_type: Should the pathname end with '/'?
405 * 1 = must / -1 = must not / 0 = don't care
407 * Check whether the given filename follows the naming rules.
408 * Returns true if @filename follows the naming rules, false otherwise.
410 bool tomoyo_is_correct_path(const char *filename
, const s8 start_type
,
411 const s8 pattern_type
, const s8 end_type
)
413 const char *const start
= filename
;
414 bool in_repetition
= false;
415 bool contains_pattern
= false;
423 if (start_type
== 1) { /* Must start with '/' */
426 } else if (start_type
== -1) { /* Must not start with '/' */
431 c
= *(filename
+ strlen(filename
) - 1);
432 if (end_type
== 1) { /* Must end with '/' */
435 } else if (end_type
== -1) { /* Must not end with '/' */
446 case '\\': /* "\\" */
458 if (pattern_type
== -1)
459 break; /* Must not contain pattern */
460 contains_pattern
= true;
462 case '{': /* "/\{" */
463 if (filename
- 3 < start
||
464 *(filename
- 3) != '/')
466 if (pattern_type
== -1)
467 break; /* Must not contain pattern */
468 contains_pattern
= true;
469 in_repetition
= true;
471 case '}': /* "\}/" */
472 if (*filename
!= '/')
476 in_repetition
= false;
478 case '0': /* "\ooo" */
483 if (d
< '0' || d
> '7')
486 if (e
< '0' || e
> '7')
488 c
= tomoyo_make_byte(c
, d
, e
);
489 if (tomoyo_is_invalid(c
))
490 continue; /* pattern is not \000 */
493 } else if (in_repetition
&& c
== '/') {
495 } else if (tomoyo_is_invalid(c
)) {
499 if (pattern_type
== 1) { /* Must contain pattern */
500 if (!contains_pattern
)
511 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
512 * @domainname: The domainname to check.
514 * Returns true if @domainname follows the naming rules, false otherwise.
516 bool tomoyo_is_correct_domain(const unsigned char *domainname
)
522 if (!domainname
|| strncmp(domainname
, TOMOYO_ROOT_NAME
,
523 TOMOYO_ROOT_NAME_LEN
))
525 domainname
+= TOMOYO_ROOT_NAME_LEN
;
529 if (*domainname
++ != ' ')
531 if (*domainname
++ != '/')
533 while ((c
= *domainname
) != '\0' && c
!= ' ') {
538 case '\\': /* "\\" */
540 case '0': /* "\ooo" */
545 if (d
< '0' || d
> '7')
548 if (e
< '0' || e
> '7')
550 c
= tomoyo_make_byte(c
, d
, e
);
551 if (tomoyo_is_invalid(c
))
552 /* pattern is not \000 */
556 } else if (tomoyo_is_invalid(c
)) {
560 } while (*domainname
);
567 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
569 * @buffer: The token to check.
571 * Returns true if @buffer possibly be a domainname, false otherwise.
573 bool tomoyo_is_domain_def(const unsigned char *buffer
)
575 return !strncmp(buffer
, TOMOYO_ROOT_NAME
, TOMOYO_ROOT_NAME_LEN
);
579 * tomoyo_find_domain - Find a domain by the given name.
581 * @domainname: The domainname to find.
583 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
585 * Caller holds tomoyo_read_lock().
587 struct tomoyo_domain_info
*tomoyo_find_domain(const char *domainname
)
589 struct tomoyo_domain_info
*domain
;
590 struct tomoyo_path_info name
;
592 name
.name
= domainname
;
593 tomoyo_fill_path_info(&name
);
594 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
595 if (!domain
->is_deleted
&&
596 !tomoyo_pathcmp(&name
, domain
->domainname
))
603 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
605 * @filename: The string to evaluate.
607 * Returns the initial length without a pattern in @filename.
609 static int tomoyo_const_part_length(const char *filename
)
616 while ((c
= *filename
++) != '\0') {
623 case '\\': /* "\\" */
626 case '0': /* "\ooo" */
631 if (c
< '0' || c
> '7')
634 if (c
< '0' || c
> '7')
645 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
647 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
649 * The caller sets "struct tomoyo_path_info"->name.
651 void tomoyo_fill_path_info(struct tomoyo_path_info
*ptr
)
653 const char *name
= ptr
->name
;
654 const int len
= strlen(name
);
656 ptr
->const_len
= tomoyo_const_part_length(name
);
657 ptr
->is_dir
= len
&& (name
[len
- 1] == '/');
658 ptr
->is_patterned
= (ptr
->const_len
< len
);
659 ptr
->hash
= full_name_hash(name
, len
);
663 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
666 * @filename: The start of string to check.
667 * @filename_end: The end of string to check.
668 * @pattern: The start of pattern to compare.
669 * @pattern_end: The end of pattern to compare.
671 * Returns true if @filename matches @pattern, false otherwise.
673 static bool tomoyo_file_matches_pattern2(const char *filename
,
674 const char *filename_end
,
676 const char *pattern_end
)
678 while (filename
< filename_end
&& pattern
< pattern_end
) {
680 if (*pattern
!= '\\') {
681 if (*filename
++ != *pattern
++)
693 } else if (c
== '\\') {
694 if (filename
[1] == '\\')
696 else if (tomoyo_is_byte_range(filename
+ 1))
705 if (*++filename
!= '\\')
717 if (!tomoyo_is_alphabet_char(c
))
724 if (c
== '\\' && tomoyo_is_byte_range(filename
+ 1)
725 && strncmp(filename
+ 1, pattern
, 3) == 0) {
730 return false; /* Not matched. */
733 for (i
= 0; i
<= filename_end
- filename
; i
++) {
734 if (tomoyo_file_matches_pattern2(
735 filename
+ i
, filename_end
,
736 pattern
+ 1, pattern_end
))
739 if (c
== '.' && *pattern
== '@')
743 if (filename
[i
+ 1] == '\\')
745 else if (tomoyo_is_byte_range(filename
+ i
+ 1))
748 break; /* Bad pattern. */
750 return false; /* Not matched. */
755 while (isdigit(filename
[j
]))
757 } else if (c
== 'X') {
758 while (isxdigit(filename
[j
]))
760 } else if (c
== 'A') {
761 while (tomoyo_is_alphabet_char(filename
[j
]))
764 for (i
= 1; i
<= j
; i
++) {
765 if (tomoyo_file_matches_pattern2(
766 filename
+ i
, filename_end
,
767 pattern
+ 1, pattern_end
))
770 return false; /* Not matched or bad pattern. */
775 while (*pattern
== '\\' &&
776 (*(pattern
+ 1) == '*' || *(pattern
+ 1) == '@'))
778 return filename
== filename_end
&& pattern
== pattern_end
;
782 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
784 * @filename: The start of string to check.
785 * @filename_end: The end of string to check.
786 * @pattern: The start of pattern to compare.
787 * @pattern_end: The end of pattern to compare.
789 * Returns true if @filename matches @pattern, false otherwise.
791 static bool tomoyo_file_matches_pattern(const char *filename
,
792 const char *filename_end
,
794 const char *pattern_end
)
796 const char *pattern_start
= pattern
;
800 while (pattern
< pattern_end
- 1) {
801 /* Split at "\-" pattern. */
802 if (*pattern
++ != '\\' || *pattern
++ != '-')
804 result
= tomoyo_file_matches_pattern2(filename
,
813 pattern_start
= pattern
;
815 result
= tomoyo_file_matches_pattern2(filename
, filename_end
,
816 pattern_start
, pattern_end
);
817 return first
? result
: !result
;
821 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
823 * @f: The start of string to check.
824 * @p: The start of pattern to compare.
826 * Returns true if @f matches @p, false otherwise.
828 static bool tomoyo_path_matches_pattern2(const char *f
, const char *p
)
830 const char *f_delimiter
;
831 const char *p_delimiter
;
834 f_delimiter
= strchr(f
, '/');
836 f_delimiter
= f
+ strlen(f
);
837 p_delimiter
= strchr(p
, '/');
839 p_delimiter
= p
+ strlen(p
);
840 if (*p
== '\\' && *(p
+ 1) == '{')
842 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
,
852 /* Ignore trailing "\*" and "\@" in @pattern. */
854 (*(p
+ 1) == '*' || *(p
+ 1) == '@'))
859 * The "\{" pattern is permitted only after '/' character.
860 * This guarantees that below "*(p - 1)" is safe.
861 * Also, the "\}" pattern is permitted only before '/' character
862 * so that "\{" + "\}" pair will not break the "\-" operator.
864 if (*(p
- 1) != '/' || p_delimiter
<= p
+ 3 || *p_delimiter
!= '/' ||
865 *(p_delimiter
- 1) != '}' || *(p_delimiter
- 2) != '\\')
866 return false; /* Bad pattern. */
868 /* Compare current component with pattern. */
869 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
+ 2,
872 /* Proceed to next component. */
877 /* Continue comparison. */
878 if (tomoyo_path_matches_pattern2(f
, p_delimiter
+ 1))
880 f_delimiter
= strchr(f
, '/');
881 } while (f_delimiter
);
882 return false; /* Not matched. */
886 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
888 * @filename: The filename to check.
889 * @pattern: The pattern to compare.
891 * Returns true if matches, false otherwise.
893 * The following patterns are available.
895 * \ooo Octal representation of a byte.
896 * \* Zero or more repetitions of characters other than '/'.
897 * \@ Zero or more repetitions of characters other than '/' or '.'.
898 * \? 1 byte character other than '/'.
899 * \$ One or more repetitions of decimal digits.
900 * \+ 1 decimal digit.
901 * \X One or more repetitions of hexadecimal digits.
902 * \x 1 hexadecimal digit.
903 * \A One or more repetitions of alphabet characters.
904 * \a 1 alphabet character.
906 * \- Subtraction operator.
908 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
911 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info
*filename
,
912 const struct tomoyo_path_info
*pattern
)
914 const char *f
= filename
->name
;
915 const char *p
= pattern
->name
;
916 const int len
= pattern
->const_len
;
918 /* If @pattern doesn't contain pattern, I can use strcmp(). */
919 if (!pattern
->is_patterned
)
920 return !tomoyo_pathcmp(filename
, pattern
);
921 /* Don't compare directory and non-directory. */
922 if (filename
->is_dir
!= pattern
->is_dir
)
924 /* Compare the initial length without patterns. */
925 if (strncmp(f
, p
, len
))
929 return tomoyo_path_matches_pattern2(f
, p
);
933 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
935 * @head: Pointer to "struct tomoyo_io_buffer".
936 * @fmt: The printf()'s format string, followed by parameters.
938 * Returns true if output was written, false otherwise.
940 * The snprintf() will truncate, but tomoyo_io_printf() won't.
942 bool tomoyo_io_printf(struct tomoyo_io_buffer
*head
, const char *fmt
, ...)
946 int pos
= head
->read_avail
;
947 int size
= head
->readbuf_size
- pos
;
952 len
= vsnprintf(head
->read_buf
+ pos
, size
, fmt
, args
);
954 if (pos
+ len
>= head
->readbuf_size
)
956 head
->read_avail
+= len
;
961 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
963 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
965 * This function uses kzalloc(), so the caller must call kfree()
966 * if this function didn't return NULL.
968 static const char *tomoyo_get_exe(void)
970 struct mm_struct
*mm
= current
->mm
;
971 struct vm_area_struct
*vma
;
972 const char *cp
= NULL
;
976 down_read(&mm
->mmap_sem
);
977 for (vma
= mm
->mmap
; vma
; vma
= vma
->vm_next
) {
978 if ((vma
->vm_flags
& VM_EXECUTABLE
) && vma
->vm_file
) {
979 cp
= tomoyo_realpath_from_path(&vma
->vm_file
->f_path
);
983 up_read(&mm
->mmap_sem
);
988 * tomoyo_check_flags - Check mode for specified functionality.
990 * @domain: Pointer to "struct tomoyo_domain_info".
991 * @index: The functionality to check mode.
993 * TOMOYO checks only process context.
994 * This code disables TOMOYO's enforcement in case the function is called from
997 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info
*domain
,
1000 const u8 profile
= domain
->profile
;
1002 if (WARN_ON(in_interrupt()))
1004 return tomoyo_policy_loaded
&& index
< TOMOYO_MAX_CONTROL_INDEX
1005 #if TOMOYO_MAX_PROFILES != 256
1006 && profile
< TOMOYO_MAX_PROFILES
1008 && tomoyo_profile_ptr
[profile
] ?
1009 tomoyo_profile_ptr
[profile
]->value
[index
] : 0;
1013 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
1015 * @domain: Pointer to "struct tomoyo_domain_info".
1017 * Returns true if domain policy violation warning should be printed to
1020 bool tomoyo_verbose_mode(const struct tomoyo_domain_info
*domain
)
1022 return tomoyo_check_flags(domain
, TOMOYO_VERBOSE
) != 0;
1026 * tomoyo_domain_quota_is_ok - Check for domain's quota.
1028 * @r: Pointer to "struct tomoyo_request_info".
1030 * Returns true if the domain is not exceeded quota, false otherwise.
1032 * Caller holds tomoyo_read_lock().
1034 bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info
*r
)
1036 unsigned int count
= 0;
1037 struct tomoyo_domain_info
*domain
= r
->domain
;
1038 struct tomoyo_acl_info
*ptr
;
1040 if (r
->mode
!= TOMOYO_CONFIG_LEARNING
)
1044 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
1045 switch (ptr
->type
) {
1046 struct tomoyo_path_acl
*acl
;
1049 case TOMOYO_TYPE_PATH_ACL
:
1050 acl
= container_of(ptr
, struct tomoyo_path_acl
, head
);
1051 perm
= acl
->perm
| (((u32
) acl
->perm_high
) << 16);
1052 for (i
= 0; i
< TOMOYO_MAX_PATH_OPERATION
; i
++)
1053 if (perm
& (1 << i
))
1055 if (perm
& (1 << TOMOYO_TYPE_READ_WRITE
))
1058 case TOMOYO_TYPE_PATH2_ACL
:
1059 perm
= container_of(ptr
, struct tomoyo_path2_acl
, head
)
1061 for (i
= 0; i
< TOMOYO_MAX_PATH2_OPERATION
; i
++)
1062 if (perm
& (1 << i
))
1067 if (count
< tomoyo_check_flags(domain
, TOMOYO_MAX_ACCEPT_ENTRY
))
1069 if (!domain
->quota_warned
) {
1070 domain
->quota_warned
= true;
1071 printk(KERN_WARNING
"TOMOYO-WARNING: "
1072 "Domain '%s' has so many ACLs to hold. "
1073 "Stopped learning mode.\n", domain
->domainname
->name
);
1079 * tomoyo_find_or_assign_new_profile - Create a new profile.
1081 * @profile: Profile number to create.
1083 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
1085 static struct tomoyo_profile
*tomoyo_find_or_assign_new_profile(const unsigned
1088 struct tomoyo_profile
*ptr
= NULL
;
1091 if (profile
>= TOMOYO_MAX_PROFILES
)
1093 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
1095 ptr
= tomoyo_profile_ptr
[profile
];
1098 ptr
= kmalloc(sizeof(*ptr
), GFP_NOFS
);
1099 if (!tomoyo_memory_ok(ptr
)) {
1104 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++)
1105 ptr
->value
[i
] = tomoyo_control_array
[i
].current_value
;
1106 mb(); /* Avoid out-of-order execution. */
1107 tomoyo_profile_ptr
[profile
] = ptr
;
1109 mutex_unlock(&tomoyo_policy_lock
);
1114 * tomoyo_write_profile - Write to profile table.
1116 * @head: Pointer to "struct tomoyo_io_buffer".
1118 * Returns 0 on success, negative value otherwise.
1120 static int tomoyo_write_profile(struct tomoyo_io_buffer
*head
)
1122 char *data
= head
->write_buf
;
1126 struct tomoyo_profile
*profile
;
1129 cp
= strchr(data
, '-');
1132 if (strict_strtoul(data
, 10, &num
))
1136 profile
= tomoyo_find_or_assign_new_profile(num
);
1139 cp
= strchr(data
, '=');
1143 if (!strcmp(data
, "COMMENT")) {
1144 const struct tomoyo_path_info
*old_comment
= profile
->comment
;
1145 profile
->comment
= tomoyo_get_name(cp
+ 1);
1146 tomoyo_put_name(old_comment
);
1149 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++) {
1150 if (strcmp(data
, tomoyo_control_array
[i
].keyword
))
1152 if (sscanf(cp
+ 1, "%u", &value
) != 1) {
1156 case TOMOYO_VERBOSE
:
1157 modes
= tomoyo_mode_2
;
1160 modes
= tomoyo_mode_4
;
1163 for (j
= 0; j
< 4; j
++) {
1164 if (strcmp(cp
+ 1, modes
[j
]))
1171 } else if (value
> tomoyo_control_array
[i
].max_value
) {
1172 value
= tomoyo_control_array
[i
].max_value
;
1174 profile
->value
[i
] = value
;
1181 * tomoyo_read_profile - Read from profile table.
1183 * @head: Pointer to "struct tomoyo_io_buffer".
1187 static int tomoyo_read_profile(struct tomoyo_io_buffer
*head
)
1189 static const int total
= TOMOYO_MAX_CONTROL_INDEX
+ 1;
1194 for (step
= head
->read_step
; step
< TOMOYO_MAX_PROFILES
* total
;
1196 const u8 index
= step
/ total
;
1197 u8 type
= step
% total
;
1198 const struct tomoyo_profile
*profile
1199 = tomoyo_profile_ptr
[index
];
1200 head
->read_step
= step
;
1203 if (!type
) { /* Print profile' comment tag. */
1204 if (!tomoyo_io_printf(head
, "%u-COMMENT=%s\n",
1205 index
, profile
->comment
?
1206 profile
->comment
->name
: ""))
1211 if (type
< TOMOYO_MAX_CONTROL_INDEX
) {
1212 const unsigned int value
= profile
->value
[type
];
1213 const char **modes
= NULL
;
1215 = tomoyo_control_array
[type
].keyword
;
1216 switch (tomoyo_control_array
[type
].max_value
) {
1218 modes
= tomoyo_mode_4
;
1221 modes
= tomoyo_mode_2
;
1225 if (!tomoyo_io_printf(head
, "%u-%s=%s\n", index
,
1226 keyword
, modes
[value
]))
1229 if (!tomoyo_io_printf(head
, "%u-%s=%u\n", index
,
1235 if (step
== TOMOYO_MAX_PROFILES
* total
)
1236 head
->read_eof
= true;
1241 * tomoyo_policy_manager_list is used for holding list of domainnames or
1242 * programs which are permitted to modify configuration via
1243 * /sys/kernel/security/tomoyo/ interface.
1245 * An entry is added by
1247 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1248 * /sys/kernel/security/tomoyo/manager
1249 * (if you want to specify by a domainname)
1253 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1254 * (if you want to specify by a program's location)
1258 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1259 * /sys/kernel/security/tomoyo/manager
1263 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1264 * /sys/kernel/security/tomoyo/manager
1266 * and all entries are retrieved by
1268 * # cat /sys/kernel/security/tomoyo/manager
1270 LIST_HEAD(tomoyo_policy_manager_list
);
1273 * tomoyo_update_manager_entry - Add a manager entry.
1275 * @manager: The path to manager or the domainnamme.
1276 * @is_delete: True if it is a delete request.
1278 * Returns 0 on success, negative value otherwise.
1280 * Caller holds tomoyo_read_lock().
1282 static int tomoyo_update_manager_entry(const char *manager
,
1283 const bool is_delete
)
1285 struct tomoyo_policy_manager_entry
*ptr
;
1286 struct tomoyo_policy_manager_entry e
= { };
1287 int error
= is_delete
? -ENOENT
: -ENOMEM
;
1289 if (tomoyo_is_domain_def(manager
)) {
1290 if (!tomoyo_is_correct_domain(manager
))
1294 if (!tomoyo_is_correct_path(manager
, 1, -1, -1))
1297 e
.manager
= tomoyo_get_name(manager
);
1300 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
1302 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1303 if (ptr
->manager
!= e
.manager
)
1305 ptr
->is_deleted
= is_delete
;
1309 if (!is_delete
&& error
) {
1310 struct tomoyo_policy_manager_entry
*entry
=
1311 tomoyo_commit_ok(&e
, sizeof(e
));
1313 list_add_tail_rcu(&entry
->list
,
1314 &tomoyo_policy_manager_list
);
1318 mutex_unlock(&tomoyo_policy_lock
);
1320 tomoyo_put_name(e
.manager
);
1325 * tomoyo_write_manager_policy - Write manager policy.
1327 * @head: Pointer to "struct tomoyo_io_buffer".
1329 * Returns 0 on success, negative value otherwise.
1331 * Caller holds tomoyo_read_lock().
1333 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer
*head
)
1335 char *data
= head
->write_buf
;
1336 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1338 if (!strcmp(data
, "manage_by_non_root")) {
1339 tomoyo_manage_by_non_root
= !is_delete
;
1342 return tomoyo_update_manager_entry(data
, is_delete
);
1346 * tomoyo_read_manager_policy - Read manager policy.
1348 * @head: Pointer to "struct tomoyo_io_buffer".
1352 * Caller holds tomoyo_read_lock().
1354 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer
*head
)
1356 struct list_head
*pos
;
1361 list_for_each_cookie(pos
, head
->read_var2
,
1362 &tomoyo_policy_manager_list
) {
1363 struct tomoyo_policy_manager_entry
*ptr
;
1364 ptr
= list_entry(pos
, struct tomoyo_policy_manager_entry
,
1366 if (ptr
->is_deleted
)
1368 done
= tomoyo_io_printf(head
, "%s\n", ptr
->manager
->name
);
1372 head
->read_eof
= done
;
1377 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1379 * Returns true if the current process is permitted to modify policy
1380 * via /sys/kernel/security/tomoyo/ interface.
1382 * Caller holds tomoyo_read_lock().
1384 static bool tomoyo_is_policy_manager(void)
1386 struct tomoyo_policy_manager_entry
*ptr
;
1388 const struct task_struct
*task
= current
;
1389 const struct tomoyo_path_info
*domainname
= tomoyo_domain()->domainname
;
1392 if (!tomoyo_policy_loaded
)
1394 if (!tomoyo_manage_by_non_root
&& (task
->cred
->uid
|| task
->cred
->euid
))
1396 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1397 if (!ptr
->is_deleted
&& ptr
->is_domain
1398 && !tomoyo_pathcmp(domainname
, ptr
->manager
)) {
1405 exe
= tomoyo_get_exe();
1408 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1409 if (!ptr
->is_deleted
&& !ptr
->is_domain
1410 && !strcmp(exe
, ptr
->manager
->name
)) {
1415 if (!found
) { /* Reduce error messages. */
1416 static pid_t last_pid
;
1417 const pid_t pid
= current
->pid
;
1418 if (last_pid
!= pid
) {
1419 printk(KERN_WARNING
"%s ( %s ) is not permitted to "
1420 "update policies.\n", domainname
->name
, exe
);
1429 * tomoyo_is_select_one - Parse select command.
1431 * @head: Pointer to "struct tomoyo_io_buffer".
1432 * @data: String to parse.
1434 * Returns true on success, false otherwise.
1436 * Caller holds tomoyo_read_lock().
1438 static bool tomoyo_is_select_one(struct tomoyo_io_buffer
*head
,
1442 struct tomoyo_domain_info
*domain
= NULL
;
1444 if (sscanf(data
, "pid=%u", &pid
) == 1) {
1445 struct task_struct
*p
;
1447 read_lock(&tasklist_lock
);
1448 p
= find_task_by_vpid(pid
);
1450 domain
= tomoyo_real_domain(p
);
1451 read_unlock(&tasklist_lock
);
1453 } else if (!strncmp(data
, "domain=", 7)) {
1454 if (tomoyo_is_domain_def(data
+ 7))
1455 domain
= tomoyo_find_domain(data
+ 7);
1458 head
->write_var1
= domain
;
1459 /* Accessing read_buf is safe because head->io_sem is held. */
1460 if (!head
->read_buf
)
1461 return true; /* Do nothing if open(O_WRONLY). */
1462 head
->read_avail
= 0;
1463 tomoyo_io_printf(head
, "# select %s\n", data
);
1464 head
->read_single_domain
= true;
1465 head
->read_eof
= !domain
;
1467 struct tomoyo_domain_info
*d
;
1468 head
->read_var1
= NULL
;
1469 list_for_each_entry_rcu(d
, &tomoyo_domain_list
, list
) {
1472 head
->read_var1
= &d
->list
;
1474 head
->read_var2
= NULL
;
1476 head
->read_step
= 0;
1477 if (domain
->is_deleted
)
1478 tomoyo_io_printf(head
, "# This is a deleted domain.\n");
1484 * tomoyo_delete_domain - Delete a domain.
1486 * @domainname: The name of domain.
1490 * Caller holds tomoyo_read_lock().
1492 static int tomoyo_delete_domain(char *domainname
)
1494 struct tomoyo_domain_info
*domain
;
1495 struct tomoyo_path_info name
;
1497 name
.name
= domainname
;
1498 tomoyo_fill_path_info(&name
);
1499 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
1501 /* Is there an active domain? */
1502 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1503 /* Never delete tomoyo_kernel_domain */
1504 if (domain
== &tomoyo_kernel_domain
)
1506 if (domain
->is_deleted
||
1507 tomoyo_pathcmp(domain
->domainname
, &name
))
1509 domain
->is_deleted
= true;
1512 mutex_unlock(&tomoyo_policy_lock
);
1517 * tomoyo_write_domain_policy - Write domain policy.
1519 * @head: Pointer to "struct tomoyo_io_buffer".
1521 * Returns 0 on success, negative value otherwise.
1523 * Caller holds tomoyo_read_lock().
1525 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer
*head
)
1527 char *data
= head
->write_buf
;
1528 struct tomoyo_domain_info
*domain
= head
->write_var1
;
1529 bool is_delete
= false;
1530 bool is_select
= false;
1531 unsigned int profile
;
1533 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
))
1535 else if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_SELECT
))
1537 if (is_select
&& tomoyo_is_select_one(head
, data
))
1539 /* Don't allow updating policies by non manager programs. */
1540 if (!tomoyo_is_policy_manager())
1542 if (tomoyo_is_domain_def(data
)) {
1545 tomoyo_delete_domain(data
);
1547 domain
= tomoyo_find_domain(data
);
1549 domain
= tomoyo_find_or_assign_new_domain(data
, 0);
1550 head
->write_var1
= domain
;
1556 if (sscanf(data
, TOMOYO_KEYWORD_USE_PROFILE
"%u", &profile
) == 1
1557 && profile
< TOMOYO_MAX_PROFILES
) {
1558 if (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
)
1559 domain
->profile
= (u8
) profile
;
1562 if (!strcmp(data
, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
)) {
1563 domain
->ignore_global_allow_read
= !is_delete
;
1566 return tomoyo_write_file_policy(data
, domain
, is_delete
);
1570 * tomoyo_print_path_acl - Print a single path ACL entry.
1572 * @head: Pointer to "struct tomoyo_io_buffer".
1573 * @ptr: Pointer to "struct tomoyo_path_acl".
1575 * Returns true on success, false otherwise.
1577 static bool tomoyo_print_path_acl(struct tomoyo_io_buffer
*head
,
1578 struct tomoyo_path_acl
*ptr
)
1582 const u32 perm
= ptr
->perm
| (((u32
) ptr
->perm_high
) << 16);
1584 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_PATH_OPERATION
; bit
++) {
1585 if (!(perm
& (1 << bit
)))
1587 /* Print "read/write" instead of "read" and "write". */
1588 if ((bit
== TOMOYO_TYPE_READ
|| bit
== TOMOYO_TYPE_WRITE
)
1589 && (perm
& (1 << TOMOYO_TYPE_READ_WRITE
)))
1591 pos
= head
->read_avail
;
1592 if (!tomoyo_io_printf(head
, "allow_%s ",
1593 tomoyo_path2keyword(bit
)) ||
1594 !tomoyo_print_name_union(head
, &ptr
->name
) ||
1595 !tomoyo_io_printf(head
, "\n"))
1601 head
->read_bit
= bit
;
1602 head
->read_avail
= pos
;
1607 * tomoyo_print_path2_acl - Print a double path ACL entry.
1609 * @head: Pointer to "struct tomoyo_io_buffer".
1610 * @ptr: Pointer to "struct tomoyo_path2_acl".
1612 * Returns true on success, false otherwise.
1614 static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer
*head
,
1615 struct tomoyo_path2_acl
*ptr
)
1618 const u8 perm
= ptr
->perm
;
1621 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_PATH2_OPERATION
; bit
++) {
1622 if (!(perm
& (1 << bit
)))
1624 pos
= head
->read_avail
;
1625 if (!tomoyo_io_printf(head
, "allow_%s ",
1626 tomoyo_path22keyword(bit
)) ||
1627 !tomoyo_print_name_union(head
, &ptr
->name1
) ||
1628 !tomoyo_print_name_union(head
, &ptr
->name2
) ||
1629 !tomoyo_io_printf(head
, "\n"))
1635 head
->read_bit
= bit
;
1636 head
->read_avail
= pos
;
1641 * tomoyo_print_entry - Print an ACL entry.
1643 * @head: Pointer to "struct tomoyo_io_buffer".
1644 * @ptr: Pointer to an ACL entry.
1646 * Returns true on success, false otherwise.
1648 static bool tomoyo_print_entry(struct tomoyo_io_buffer
*head
,
1649 struct tomoyo_acl_info
*ptr
)
1651 const u8 acl_type
= ptr
->type
;
1653 if (acl_type
== TOMOYO_TYPE_PATH_ACL
) {
1654 struct tomoyo_path_acl
*acl
1655 = container_of(ptr
, struct tomoyo_path_acl
, head
);
1656 return tomoyo_print_path_acl(head
, acl
);
1658 if (acl_type
== TOMOYO_TYPE_PATH2_ACL
) {
1659 struct tomoyo_path2_acl
*acl
1660 = container_of(ptr
, struct tomoyo_path2_acl
, head
);
1661 return tomoyo_print_path2_acl(head
, acl
);
1663 BUG(); /* This must not happen. */
1668 * tomoyo_read_domain_policy - Read domain policy.
1670 * @head: Pointer to "struct tomoyo_io_buffer".
1674 * Caller holds tomoyo_read_lock().
1676 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer
*head
)
1678 struct list_head
*dpos
;
1679 struct list_head
*apos
;
1684 if (head
->read_step
== 0)
1685 head
->read_step
= 1;
1686 list_for_each_cookie(dpos
, head
->read_var1
, &tomoyo_domain_list
) {
1687 struct tomoyo_domain_info
*domain
;
1688 const char *quota_exceeded
= "";
1689 const char *transition_failed
= "";
1690 const char *ignore_global_allow_read
= "";
1691 domain
= list_entry(dpos
, struct tomoyo_domain_info
, list
);
1692 if (head
->read_step
!= 1)
1694 if (domain
->is_deleted
&& !head
->read_single_domain
)
1696 /* Print domainname and flags. */
1697 if (domain
->quota_warned
)
1698 quota_exceeded
= "quota_exceeded\n";
1699 if (domain
->transition_failed
)
1700 transition_failed
= "transition_failed\n";
1701 if (domain
->ignore_global_allow_read
)
1702 ignore_global_allow_read
1703 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
"\n";
1704 done
= tomoyo_io_printf(head
, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1706 domain
->domainname
->name
,
1707 domain
->profile
, quota_exceeded
,
1709 ignore_global_allow_read
);
1712 head
->read_step
= 2;
1714 if (head
->read_step
== 3)
1716 /* Print ACL entries in the domain. */
1717 list_for_each_cookie(apos
, head
->read_var2
,
1718 &domain
->acl_info_list
) {
1719 struct tomoyo_acl_info
*ptr
1720 = list_entry(apos
, struct tomoyo_acl_info
,
1722 done
= tomoyo_print_entry(head
, ptr
);
1728 head
->read_step
= 3;
1730 done
= tomoyo_io_printf(head
, "\n");
1733 head
->read_step
= 1;
1734 if (head
->read_single_domain
)
1737 head
->read_eof
= done
;
1742 * tomoyo_write_domain_profile - Assign profile for specified domain.
1744 * @head: Pointer to "struct tomoyo_io_buffer".
1746 * Returns 0 on success, -EINVAL otherwise.
1748 * This is equivalent to doing
1750 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1751 * /usr/lib/ccs/loadpolicy -d
1753 * Caller holds tomoyo_read_lock().
1755 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer
*head
)
1757 char *data
= head
->write_buf
;
1758 char *cp
= strchr(data
, ' ');
1759 struct tomoyo_domain_info
*domain
;
1760 unsigned long profile
;
1765 domain
= tomoyo_find_domain(cp
+ 1);
1766 if (strict_strtoul(data
, 10, &profile
))
1768 if (domain
&& profile
< TOMOYO_MAX_PROFILES
1769 && (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
))
1770 domain
->profile
= (u8
) profile
;
1775 * tomoyo_read_domain_profile - Read only domainname and profile.
1777 * @head: Pointer to "struct tomoyo_io_buffer".
1779 * Returns list of profile number and domainname pairs.
1781 * This is equivalent to doing
1783 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1784 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1785 * domainname = $0; } else if ( $1 == "use_profile" ) {
1786 * print $2 " " domainname; domainname = ""; } } ; '
1788 * Caller holds tomoyo_read_lock().
1790 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer
*head
)
1792 struct list_head
*pos
;
1797 list_for_each_cookie(pos
, head
->read_var1
, &tomoyo_domain_list
) {
1798 struct tomoyo_domain_info
*domain
;
1799 domain
= list_entry(pos
, struct tomoyo_domain_info
, list
);
1800 if (domain
->is_deleted
)
1802 done
= tomoyo_io_printf(head
, "%u %s\n", domain
->profile
,
1803 domain
->domainname
->name
);
1807 head
->read_eof
= done
;
1812 * tomoyo_write_pid: Specify PID to obtain domainname.
1814 * @head: Pointer to "struct tomoyo_io_buffer".
1818 static int tomoyo_write_pid(struct tomoyo_io_buffer
*head
)
1821 /* No error check. */
1822 strict_strtoul(head
->write_buf
, 10, &pid
);
1823 head
->read_step
= (int) pid
;
1824 head
->read_eof
= false;
1829 * tomoyo_read_pid - Get domainname of the specified PID.
1831 * @head: Pointer to "struct tomoyo_io_buffer".
1833 * Returns the domainname which the specified PID is in on success,
1834 * empty string otherwise.
1835 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1836 * using read()/write() interface rather than sysctl() interface.
1838 static int tomoyo_read_pid(struct tomoyo_io_buffer
*head
)
1840 if (head
->read_avail
== 0 && !head
->read_eof
) {
1841 const int pid
= head
->read_step
;
1842 struct task_struct
*p
;
1843 struct tomoyo_domain_info
*domain
= NULL
;
1845 read_lock(&tasklist_lock
);
1846 p
= find_task_by_vpid(pid
);
1848 domain
= tomoyo_real_domain(p
);
1849 read_unlock(&tasklist_lock
);
1852 tomoyo_io_printf(head
, "%d %u %s", pid
, domain
->profile
,
1853 domain
->domainname
->name
);
1854 head
->read_eof
= true;
1860 * tomoyo_write_exception_policy - Write exception policy.
1862 * @head: Pointer to "struct tomoyo_io_buffer".
1864 * Returns 0 on success, negative value otherwise.
1866 * Caller holds tomoyo_read_lock().
1868 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer
*head
)
1870 char *data
= head
->write_buf
;
1871 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1873 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_KEEP_DOMAIN
))
1874 return tomoyo_write_domain_keeper_policy(data
, false,
1876 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_KEEP_DOMAIN
))
1877 return tomoyo_write_domain_keeper_policy(data
, true, is_delete
);
1878 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_INITIALIZE_DOMAIN
))
1879 return tomoyo_write_domain_initializer_policy(data
, false,
1881 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN
))
1882 return tomoyo_write_domain_initializer_policy(data
, true,
1884 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALIAS
))
1885 return tomoyo_write_alias_policy(data
, is_delete
);
1886 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALLOW_READ
))
1887 return tomoyo_write_globally_readable_policy(data
, is_delete
);
1888 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_FILE_PATTERN
))
1889 return tomoyo_write_pattern_policy(data
, is_delete
);
1890 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DENY_REWRITE
))
1891 return tomoyo_write_no_rewrite_policy(data
, is_delete
);
1892 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_PATH_GROUP
))
1893 return tomoyo_write_path_group_policy(data
, is_delete
);
1894 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NUMBER_GROUP
))
1895 return tomoyo_write_number_group_policy(data
, is_delete
);
1900 * tomoyo_read_exception_policy - Read exception policy.
1902 * @head: Pointer to "struct tomoyo_io_buffer".
1904 * Returns 0 on success, -EINVAL otherwise.
1906 * Caller holds tomoyo_read_lock().
1908 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer
*head
)
1910 if (!head
->read_eof
) {
1911 switch (head
->read_step
) {
1913 head
->read_var2
= NULL
;
1914 head
->read_step
= 1;
1916 if (!tomoyo_read_domain_keeper_policy(head
))
1918 head
->read_var2
= NULL
;
1919 head
->read_step
= 2;
1921 if (!tomoyo_read_globally_readable_policy(head
))
1923 head
->read_var2
= NULL
;
1924 head
->read_step
= 3;
1926 head
->read_var2
= NULL
;
1927 head
->read_step
= 4;
1929 if (!tomoyo_read_domain_initializer_policy(head
))
1931 head
->read_var2
= NULL
;
1932 head
->read_step
= 5;
1934 if (!tomoyo_read_alias_policy(head
))
1936 head
->read_var2
= NULL
;
1937 head
->read_step
= 6;
1939 head
->read_var2
= NULL
;
1940 head
->read_step
= 7;
1942 if (!tomoyo_read_file_pattern(head
))
1944 head
->read_var2
= NULL
;
1945 head
->read_step
= 8;
1947 if (!tomoyo_read_no_rewrite_policy(head
))
1949 head
->read_var2
= NULL
;
1950 head
->read_step
= 9;
1952 if (!tomoyo_read_path_group_policy(head
))
1954 head
->read_var1
= NULL
;
1955 head
->read_var2
= NULL
;
1956 head
->read_step
= 10;
1958 if (!tomoyo_read_number_group_policy(head
))
1960 head
->read_var1
= NULL
;
1961 head
->read_var2
= NULL
;
1962 head
->read_step
= 11;
1964 head
->read_eof
= true;
1973 /* path to policy loader */
1974 static const char *tomoyo_loader
= "/sbin/tomoyo-init";
1977 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
1979 * Returns true if /sbin/tomoyo-init exists, false otherwise.
1981 static bool tomoyo_policy_loader_exists(void)
1984 * Don't activate MAC if the policy loader doesn't exist.
1985 * If the initrd includes /sbin/init but real-root-dev has not
1986 * mounted on / yet, activating MAC will block the system since
1987 * policies are not loaded yet.
1988 * Thus, let do_execve() call this function everytime.
1992 if (kern_path(tomoyo_loader
, LOOKUP_FOLLOW
, &path
)) {
1993 printk(KERN_INFO
"Not activating Mandatory Access Control now "
1994 "since %s doesn't exist.\n", tomoyo_loader
);
2002 * tomoyo_load_policy - Run external policy loader to load policy.
2004 * @filename: The program about to start.
2006 * This function checks whether @filename is /sbin/init , and if so
2007 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
2008 * and then continues invocation of /sbin/init.
2009 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
2010 * writes to /sys/kernel/security/tomoyo/ interfaces.
2014 void tomoyo_load_policy(const char *filename
)
2019 if (tomoyo_policy_loaded
)
2022 * Check filename is /sbin/init or /sbin/tomoyo-start.
2023 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
2025 * You can create /sbin/tomoyo-start by
2026 * "ln -s /bin/true /sbin/tomoyo-start".
2028 if (strcmp(filename
, "/sbin/init") &&
2029 strcmp(filename
, "/sbin/tomoyo-start"))
2031 if (!tomoyo_policy_loader_exists())
2034 printk(KERN_INFO
"Calling %s to load policy. Please wait.\n",
2036 argv
[0] = (char *) tomoyo_loader
;
2039 envp
[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
2041 call_usermodehelper(argv
[0], argv
, envp
, 1);
2043 printk(KERN_INFO
"TOMOYO: 2.2.0 2009/04/01\n");
2044 printk(KERN_INFO
"Mandatory Access Control activated.\n");
2045 tomoyo_policy_loaded
= true;
2046 { /* Check all profiles currently assigned to domains are defined. */
2047 struct tomoyo_domain_info
*domain
;
2048 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
2049 const u8 profile
= domain
->profile
;
2050 if (tomoyo_profile_ptr
[profile
])
2052 panic("Profile %u (used by '%s') not defined.\n",
2053 profile
, domain
->domainname
->name
);
2059 * tomoyo_read_version: Get version.
2061 * @head: Pointer to "struct tomoyo_io_buffer".
2063 * Returns version information.
2065 static int tomoyo_read_version(struct tomoyo_io_buffer
*head
)
2067 if (!head
->read_eof
) {
2068 tomoyo_io_printf(head
, "2.2.0");
2069 head
->read_eof
= true;
2075 * tomoyo_read_self_domain - Get the current process's domainname.
2077 * @head: Pointer to "struct tomoyo_io_buffer".
2079 * Returns the current process's domainname.
2081 static int tomoyo_read_self_domain(struct tomoyo_io_buffer
*head
)
2083 if (!head
->read_eof
) {
2085 * tomoyo_domain()->domainname != NULL
2086 * because every process belongs to a domain and
2087 * the domain's name cannot be NULL.
2089 tomoyo_io_printf(head
, "%s", tomoyo_domain()->domainname
->name
);
2090 head
->read_eof
= true;
2096 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
2098 * @type: Type of interface.
2099 * @file: Pointer to "struct file".
2101 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
2103 * Caller acquires tomoyo_read_lock().
2105 static int tomoyo_open_control(const u8 type
, struct file
*file
)
2107 struct tomoyo_io_buffer
*head
= kzalloc(sizeof(*head
), GFP_NOFS
);
2111 mutex_init(&head
->io_sem
);
2113 case TOMOYO_DOMAINPOLICY
:
2114 /* /sys/kernel/security/tomoyo/domain_policy */
2115 head
->write
= tomoyo_write_domain_policy
;
2116 head
->read
= tomoyo_read_domain_policy
;
2118 case TOMOYO_EXCEPTIONPOLICY
:
2119 /* /sys/kernel/security/tomoyo/exception_policy */
2120 head
->write
= tomoyo_write_exception_policy
;
2121 head
->read
= tomoyo_read_exception_policy
;
2123 case TOMOYO_SELFDOMAIN
:
2124 /* /sys/kernel/security/tomoyo/self_domain */
2125 head
->read
= tomoyo_read_self_domain
;
2127 case TOMOYO_DOMAIN_STATUS
:
2128 /* /sys/kernel/security/tomoyo/.domain_status */
2129 head
->write
= tomoyo_write_domain_profile
;
2130 head
->read
= tomoyo_read_domain_profile
;
2132 case TOMOYO_PROCESS_STATUS
:
2133 /* /sys/kernel/security/tomoyo/.process_status */
2134 head
->write
= tomoyo_write_pid
;
2135 head
->read
= tomoyo_read_pid
;
2137 case TOMOYO_VERSION
:
2138 /* /sys/kernel/security/tomoyo/version */
2139 head
->read
= tomoyo_read_version
;
2140 head
->readbuf_size
= 128;
2142 case TOMOYO_MEMINFO
:
2143 /* /sys/kernel/security/tomoyo/meminfo */
2144 head
->write
= tomoyo_write_memory_quota
;
2145 head
->read
= tomoyo_read_memory_counter
;
2146 head
->readbuf_size
= 512;
2148 case TOMOYO_PROFILE
:
2149 /* /sys/kernel/security/tomoyo/profile */
2150 head
->write
= tomoyo_write_profile
;
2151 head
->read
= tomoyo_read_profile
;
2153 case TOMOYO_MANAGER
:
2154 /* /sys/kernel/security/tomoyo/manager */
2155 head
->write
= tomoyo_write_manager_policy
;
2156 head
->read
= tomoyo_read_manager_policy
;
2159 if (!(file
->f_mode
& FMODE_READ
)) {
2161 * No need to allocate read_buf since it is not opened
2166 if (!head
->readbuf_size
)
2167 head
->readbuf_size
= 4096 * 2;
2168 head
->read_buf
= kzalloc(head
->readbuf_size
, GFP_NOFS
);
2169 if (!head
->read_buf
) {
2174 if (!(file
->f_mode
& FMODE_WRITE
)) {
2176 * No need to allocate write_buf since it is not opened
2180 } else if (head
->write
) {
2181 head
->writebuf_size
= 4096 * 2;
2182 head
->write_buf
= kzalloc(head
->writebuf_size
, GFP_NOFS
);
2183 if (!head
->write_buf
) {
2184 kfree(head
->read_buf
);
2189 head
->reader_idx
= tomoyo_read_lock();
2190 file
->private_data
= head
;
2192 * Call the handler now if the file is
2193 * /sys/kernel/security/tomoyo/self_domain
2194 * so that the user can use
2195 * cat < /sys/kernel/security/tomoyo/self_domain"
2196 * to know the current process's domainname.
2198 if (type
== TOMOYO_SELFDOMAIN
)
2199 tomoyo_read_control(file
, NULL
, 0);
2204 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
2206 * @file: Pointer to "struct file".
2207 * @buffer: Poiner to buffer to write to.
2208 * @buffer_len: Size of @buffer.
2210 * Returns bytes read on success, negative value otherwise.
2212 * Caller holds tomoyo_read_lock().
2214 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
2215 const int buffer_len
)
2218 struct tomoyo_io_buffer
*head
= file
->private_data
;
2223 if (mutex_lock_interruptible(&head
->io_sem
))
2225 /* Call the policy handler. */
2226 len
= head
->read(head
);
2229 /* Write to buffer. */
2230 len
= head
->read_avail
;
2231 if (len
> buffer_len
)
2235 /* head->read_buf changes by some functions. */
2236 cp
= head
->read_buf
;
2237 if (copy_to_user(buffer
, cp
, len
)) {
2241 head
->read_avail
-= len
;
2242 memmove(cp
, cp
+ len
, head
->read_avail
);
2244 mutex_unlock(&head
->io_sem
);
2249 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2251 * @file: Pointer to "struct file".
2252 * @buffer: Pointer to buffer to read from.
2253 * @buffer_len: Size of @buffer.
2255 * Returns @buffer_len on success, negative value otherwise.
2257 * Caller holds tomoyo_read_lock().
2259 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
2260 const int buffer_len
)
2262 struct tomoyo_io_buffer
*head
= file
->private_data
;
2263 int error
= buffer_len
;
2264 int avail_len
= buffer_len
;
2265 char *cp0
= head
->write_buf
;
2269 if (!access_ok(VERIFY_READ
, buffer
, buffer_len
))
2271 /* Don't allow updating policies by non manager programs. */
2272 if (head
->write
!= tomoyo_write_pid
&&
2273 head
->write
!= tomoyo_write_domain_policy
&&
2274 !tomoyo_is_policy_manager())
2276 if (mutex_lock_interruptible(&head
->io_sem
))
2278 /* Read a line and dispatch it to the policy handler. */
2279 while (avail_len
> 0) {
2281 if (head
->write_avail
>= head
->writebuf_size
- 1) {
2284 } else if (get_user(c
, buffer
)) {
2290 cp0
[head
->write_avail
++] = c
;
2293 cp0
[head
->write_avail
- 1] = '\0';
2294 head
->write_avail
= 0;
2295 tomoyo_normalize_line(cp0
);
2298 mutex_unlock(&head
->io_sem
);
2303 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2305 * @file: Pointer to "struct file".
2307 * Releases memory and returns 0.
2309 * Caller looses tomoyo_read_lock().
2311 static int tomoyo_close_control(struct file
*file
)
2313 struct tomoyo_io_buffer
*head
= file
->private_data
;
2314 const bool is_write
= !!head
->write_buf
;
2316 tomoyo_read_unlock(head
->reader_idx
);
2317 /* Release memory used for policy I/O. */
2318 kfree(head
->read_buf
);
2319 head
->read_buf
= NULL
;
2320 kfree(head
->write_buf
);
2321 head
->write_buf
= NULL
;
2324 file
->private_data
= NULL
;
2331 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2333 * @inode: Pointer to "struct inode".
2334 * @file: Pointer to "struct file".
2336 * Returns 0 on success, negative value otherwise.
2338 static int tomoyo_open(struct inode
*inode
, struct file
*file
)
2340 const int key
= ((u8
*) file
->f_path
.dentry
->d_inode
->i_private
)
2342 return tomoyo_open_control(key
, file
);
2346 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2348 * @inode: Pointer to "struct inode".
2349 * @file: Pointer to "struct file".
2351 * Returns 0 on success, negative value otherwise.
2353 static int tomoyo_release(struct inode
*inode
, struct file
*file
)
2355 return tomoyo_close_control(file
);
2359 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2361 * @file: Pointer to "struct file".
2362 * @buf: Pointer to buffer.
2363 * @count: Size of @buf.
2366 * Returns bytes read on success, negative value otherwise.
2368 static ssize_t
tomoyo_read(struct file
*file
, char __user
*buf
, size_t count
,
2371 return tomoyo_read_control(file
, buf
, count
);
2375 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2377 * @file: Pointer to "struct file".
2378 * @buf: Pointer to buffer.
2379 * @count: Size of @buf.
2382 * Returns @count on success, negative value otherwise.
2384 static ssize_t
tomoyo_write(struct file
*file
, const char __user
*buf
,
2385 size_t count
, loff_t
*ppos
)
2387 return tomoyo_write_control(file
, buf
, count
);
2391 * tomoyo_operations is a "struct file_operations" which is used for handling
2392 * /sys/kernel/security/tomoyo/ interface.
2394 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2395 * See tomoyo_io_buffer for internals.
2397 static const struct file_operations tomoyo_operations
= {
2398 .open
= tomoyo_open
,
2399 .release
= tomoyo_release
,
2400 .read
= tomoyo_read
,
2401 .write
= tomoyo_write
,
2405 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2407 * @name: The name of the interface file.
2408 * @mode: The permission of the interface file.
2409 * @parent: The parent directory.
2410 * @key: Type of interface.
2414 static void __init
tomoyo_create_entry(const char *name
, const mode_t mode
,
2415 struct dentry
*parent
, const u8 key
)
2417 securityfs_create_file(name
, mode
, parent
, ((u8
*) NULL
) + key
,
2418 &tomoyo_operations
);
2422 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2426 static int __init
tomoyo_initerface_init(void)
2428 struct dentry
*tomoyo_dir
;
2430 /* Don't create securityfs entries unless registered. */
2431 if (current_cred()->security
!= &tomoyo_kernel_domain
)
2434 tomoyo_dir
= securityfs_create_dir("tomoyo", NULL
);
2435 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir
,
2436 TOMOYO_DOMAINPOLICY
);
2437 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir
,
2438 TOMOYO_EXCEPTIONPOLICY
);
2439 tomoyo_create_entry("self_domain", 0400, tomoyo_dir
,
2441 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir
,
2442 TOMOYO_DOMAIN_STATUS
);
2443 tomoyo_create_entry(".process_status", 0600, tomoyo_dir
,
2444 TOMOYO_PROCESS_STATUS
);
2445 tomoyo_create_entry("meminfo", 0600, tomoyo_dir
,
2447 tomoyo_create_entry("profile", 0600, tomoyo_dir
,
2449 tomoyo_create_entry("manager", 0600, tomoyo_dir
,
2451 tomoyo_create_entry("version", 0400, tomoyo_dir
,
2456 fs_initcall(tomoyo_initerface_init
);