projects / deliverable / linux.git / blob
? search:


34d65871096c1e92096ea4c4fa40b55eaae3a383
[deliverable/linux.git] / security / tomoyo / common.c
1 /*
2 * security/tomoyo/common.c
3 *
4 * Common functions for TOMOYO.
5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 *
8 * Version: 2.2.0 2009/04/01
9 *
10 */
11
12 #include <linux/uaccess.h>
13 #include <linux/slab.h>
14 #include <linux/security.h>
15 #include <linux/hardirq.h>
16 #include "common.h"
17
18 /* Lock for protecting policy. */
19 DEFINE_MUTEX(tomoyo_policy_lock);
20
21 /* Has loading policy done? */
22 bool tomoyo_policy_loaded;
23
24 /* String table for functionality that takes 4 modes. */
25 static const char *tomoyo_mode_4[4] = {
26 "disabled", "learning", "permissive", "enforcing"
27 };
28 /* String table for functionality that takes 2 modes. */
29 static const char *tomoyo_mode_2[4] = {
30 "disabled", "enabled", "enabled", "enabled"
31 };
32
33 /*
34 * tomoyo_control_array is a static data which contains
35 *
36 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
37 * (2) initial values for "struct tomoyo_profile".
38 * (3) max values for "struct tomoyo_profile".
39 */
40 static struct {
41 const char *keyword;
42 unsigned int current_value;
43 const unsigned int max_value;
44 } tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = {
45 [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 },
46 [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX },
47 [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 },
48 };
49
50 /*
51 * tomoyo_profile is a structure which is used for holding the mode of access
52 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
53 * An administrator can define up to 256 profiles.
54 * The ->profile of "struct tomoyo_domain_info" is used for remembering
55 * the profile's number (0 - 255) assigned to that domain.
56 */
57 static struct tomoyo_profile {
58 unsigned int value[TOMOYO_MAX_CONTROL_INDEX];
59 const struct tomoyo_path_info *comment;
60 } *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES];
61
62 /* Permit policy management by non-root user? */
63 static bool tomoyo_manage_by_non_root;
64
65 /* Utility functions. */
66
67 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
68 static int tomoyo_open_control(const u8 type, struct file *file);
69 /* Close /sys/kernel/security/tomoyo/ interface. */
70 static int tomoyo_close_control(struct file *file);
71 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
72 static int tomoyo_read_control(struct file *file, char __user *buffer,
73 const int buffer_len);
74 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
75 static int tomoyo_write_control(struct file *file, const char __user *buffer,
76 const int buffer_len);
77
78 /**
79 * tomoyo_parse_name_union - Parse a tomoyo_name_union.
80 *
81 * @filename: Name or name group.
82 * @ptr: Pointer to "struct tomoyo_name_union".
83 *
84 * Returns true on success, false otherwise.
85 */
86 bool tomoyo_parse_name_union(const char *filename,
87 struct tomoyo_name_union *ptr)
88 {
89 if (!tomoyo_is_correct_path(filename, 0, 0, 0))
90 return false;
91 if (filename[0] == '@') {
92 ptr->group = tomoyo_get_path_group(filename + 1);
93 ptr->is_group = true;
94 return ptr->group != NULL;
95 }
96 ptr->filename = tomoyo_get_name(filename);
97 ptr->is_group = false;
98 return ptr->filename != NULL;
99 }
100
101 /**
102 * tomoyo_print_name_union - Print a tomoyo_name_union.
103 *
104 * @head: Pointer to "struct tomoyo_io_buffer".
105 * @ptr: Pointer to "struct tomoyo_name_union".
106 *
107 * Returns true on success, false otherwise.
108 */
109 static bool tomoyo_print_name_union(struct tomoyo_io_buffer *head,
110 const struct tomoyo_name_union *ptr)
111 {
112 int pos = head->read_avail;
113 if (pos && head->read_buf[pos - 1] == ' ')
114 head->read_avail--;
115 if (ptr->is_group)
116 return tomoyo_io_printf(head, " @%s",
117 ptr->group->group_name->name);
118 return tomoyo_io_printf(head, " %s", ptr->filename->name);
119 }
120
121 /**
122 * tomoyo_parse_ulong - Parse an "unsigned long" value.
123 *
124 * @result: Pointer to "unsigned long".
125 * @str: Pointer to string to parse.
126 *
127 * Returns value type on success, 0 otherwise.
128 *
129 * The @src is updated to point the first character after the value
130 * on success.
131 */
132 u8 tomoyo_parse_ulong(unsigned long *result, char **str)
133 {
134 const char *cp = *str;
135 char *ep;
136 int base = 10;
137 if (*cp == '0') {
138 char c = *(cp + 1);
139 if (c == 'x' || c == 'X') {
140 base = 16;
141 cp += 2;
142 } else if (c >= '0' && c <= '7') {
143 base = 8;
144 cp++;
145 }
146 }
147 *result = simple_strtoul(cp, &ep, base);
148 if (cp == ep)
149 return 0;
150 *str = ep;
151 switch (base) {
152 case 16:
153 return TOMOYO_VALUE_TYPE_HEXADECIMAL;
154 case 8:
155 return TOMOYO_VALUE_TYPE_OCTAL;
156 default:
157 return TOMOYO_VALUE_TYPE_DECIMAL;
158 }
159 }
160
161 /**
162 * tomoyo_print_ulong - Print an "unsigned long" value.
163 *
164 * @buffer: Pointer to buffer.
165 * @buffer_len: Size of @buffer.
166 * @value: An "unsigned long" value.
167 * @type: Type of @value.
168 *
169 * Returns nothing.
170 */
171 void tomoyo_print_ulong(char *buffer, const int buffer_len,
172 const unsigned long value, const u8 type)
173 {
174 if (type == TOMOYO_VALUE_TYPE_DECIMAL)
175 snprintf(buffer, buffer_len, "%lu", value);
176 else if (type == TOMOYO_VALUE_TYPE_OCTAL)
177 snprintf(buffer, buffer_len, "0%lo", value);
178 else if (type == TOMOYO_VALUE_TYPE_HEXADECIMAL)
179 snprintf(buffer, buffer_len, "0x%lX", value);
180 else
181 snprintf(buffer, buffer_len, "type(%u)", type);
182 }
183
184 /**
185 * tomoyo_print_number_union - Print a tomoyo_number_union.
186 *
187 * @head: Pointer to "struct tomoyo_io_buffer".
188 * @ptr: Pointer to "struct tomoyo_number_union".
189 *
190 * Returns true on success, false otherwise.
191 */
192 bool tomoyo_print_number_union(struct tomoyo_io_buffer *head,
193 const struct tomoyo_number_union *ptr)
194 {
195 unsigned long min;
196 unsigned long max;
197 u8 min_type;
198 u8 max_type;
199 if (!tomoyo_io_printf(head, " "))
200 return false;
201 if (ptr->is_group)
202 return tomoyo_io_printf(head, "@%s",
203 ptr->group->group_name->name);
204 min_type = ptr->min_type;
205 max_type = ptr->max_type;
206 min = ptr->values[0];
207 max = ptr->values[1];
208 switch (min_type) {
209 case TOMOYO_VALUE_TYPE_HEXADECIMAL:
210 if (!tomoyo_io_printf(head, "0x%lX", min))
211 return false;
212 break;
213 case TOMOYO_VALUE_TYPE_OCTAL:
214 if (!tomoyo_io_printf(head, "0%lo", min))
215 return false;
216 break;
217 default:
218 if (!tomoyo_io_printf(head, "%lu", min))
219 return false;
220 break;
221 }
222 if (min == max && min_type == max_type)
223 return true;
224 switch (max_type) {
225 case TOMOYO_VALUE_TYPE_HEXADECIMAL:
226 return tomoyo_io_printf(head, "-0x%lX", max);
227 case TOMOYO_VALUE_TYPE_OCTAL:
228 return tomoyo_io_printf(head, "-0%lo", max);
229 default:
230 return tomoyo_io_printf(head, "-%lu", max);
231 }
232 }
233
234 /**
235 * tomoyo_parse_number_union - Parse a tomoyo_number_union.
236 *
237 * @data: Number or number range or number group.
238 * @ptr: Pointer to "struct tomoyo_number_union".
239 *
240 * Returns true on success, false otherwise.
241 */
242 bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num)
243 {
244 u8 type;
245 unsigned long v;
246 memset(num, 0, sizeof(*num));
247 if (data[0] == '@') {
248 if (!tomoyo_is_correct_path(data, 0, 0, 0))
249 return false;
250 num->group = tomoyo_get_number_group(data + 1);
251 num->is_group = true;
252 return num->group != NULL;
253 }
254 type = tomoyo_parse_ulong(&v, &data);
255 if (!type)
256 return false;
257 num->values[0] = v;
258 num->min_type = type;
259 if (!*data) {
260 num->values[1] = v;
261 num->max_type = type;
262 return true;
263 }
264 if (*data++ != '-')
265 return false;
266 type = tomoyo_parse_ulong(&v, &data);
267 if (!type || *data)
268 return false;
269 num->values[1] = v;
270 num->max_type = type;
271 return true;
272 }
273
274 /**
275 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
276 *
277 * @str: Pointer to the string.
278 *
279 * Returns true if @str is a \ooo style octal value, false otherwise.
280 *
281 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
282 * This function verifies that \ooo is in valid range.
283 */
284 static inline bool tomoyo_is_byte_range(const char *str)
285 {
286 return *str >= '0' && *str++ <= '3' &&
287 *str >= '0' && *str++ <= '7' &&
288 *str >= '0' && *str <= '7';
289 }
290
291 /**
292 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
293 *
294 * @c: The character to check.
295 *
296 * Returns true if @c is an alphabet character, false otherwise.
297 */
298 static inline bool tomoyo_is_alphabet_char(const char c)
299 {
300 return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
301 }
302
303 /**
304 * tomoyo_make_byte - Make byte value from three octal characters.
305 *
306 * @c1: The first character.
307 * @c2: The second character.
308 * @c3: The third character.
309 *
310 * Returns byte value.
311 */
312 static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3)
313 {
314 return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0');
315 }
316
317 /**
318 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
319 *
320 * @src: Pointer to pointer to the string.
321 * @find: Pointer to the keyword.
322 *
323 * Returns true if @src starts with @find, false otherwise.
324 *
325 * The @src is updated to point the first character after the @find
326 * if @src starts with @find.
327 */
328 static bool tomoyo_str_starts(char **src, const char *find)
329 {
330 const int len = strlen(find);
331 char *tmp = *src;
332
333 if (strncmp(tmp, find, len))
334 return false;
335 tmp += len;
336 *src = tmp;
337 return true;
338 }
339
340 /**
341 * tomoyo_normalize_line - Format string.
342 *
343 * @buffer: The line to normalize.
344 *
345 * Leading and trailing whitespaces are removed.
346 * Multiple whitespaces are packed into single space.
347 *
348 * Returns nothing.
349 */
350 static void tomoyo_normalize_line(unsigned char *buffer)
351 {
352 unsigned char *sp = buffer;
353 unsigned char *dp = buffer;
354 bool first = true;
355
356 while (tomoyo_is_invalid(*sp))
357 sp++;
358 while (*sp) {
359 if (!first)
360 *dp++ = ' ';
361 first = false;
362 while (tomoyo_is_valid(*sp))
363 *dp++ = *sp++;
364 while (tomoyo_is_invalid(*sp))
365 sp++;
366 }
367 *dp = '\0';
368 }
369
370 /**
371 * tomoyo_tokenize - Tokenize string.
372 *
373 * @buffer: The line to tokenize.
374 * @w: Pointer to "char *".
375 * @size: Sizeof @w .
376 *
377 * Returns true on success, false otherwise.
378 */
379 bool tomoyo_tokenize(char *buffer, char *w[], size_t size)
380 {
381 int count = size / sizeof(char *);
382 int i;
383 for (i = 0; i < count; i++)
384 w[i] = "";
385 for (i = 0; i < count; i++) {
386 char *cp = strchr(buffer, ' ');
387 if (cp)
388 *cp = '\0';
389 w[i] = buffer;
390 if (!cp)
391 break;
392 buffer = cp + 1;
393 }
394 return i < count || !*buffer;
395 }
396
397 /**
398 * tomoyo_is_correct_path - Validate a pathname.
399 * @filename: The pathname to check.
400 * @start_type: Should the pathname start with '/'?
401 * 1 = must / -1 = must not / 0 = don't care
402 * @pattern_type: Can the pathname contain a wildcard?
403 * 1 = must / -1 = must not / 0 = don't care
404 * @end_type: Should the pathname end with '/'?
405 * 1 = must / -1 = must not / 0 = don't care
406 *
407 * Check whether the given filename follows the naming rules.
408 * Returns true if @filename follows the naming rules, false otherwise.
409 */
410 bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
411 const s8 pattern_type, const s8 end_type)
412 {
413 const char *const start = filename;
414 bool in_repetition = false;
415 bool contains_pattern = false;
416 unsigned char c;
417 unsigned char d;
418 unsigned char e;
419
420 if (!filename)
421 goto out;
422 c = *filename;
423 if (start_type == 1) { /* Must start with '/' */
424 if (c != '/')
425 goto out;
426 } else if (start_type == -1) { /* Must not start with '/' */
427 if (c == '/')
428 goto out;
429 }
430 if (c)
431 c = *(filename + strlen(filename) - 1);
432 if (end_type == 1) { /* Must end with '/' */
433 if (c != '/')
434 goto out;
435 } else if (end_type == -1) { /* Must not end with '/' */
436 if (c == '/')
437 goto out;
438 }
439 while (1) {
440 c = *filename++;
441 if (!c)
442 break;
443 if (c == '\\') {
444 c = *filename++;
445 switch (c) {
446 case '\\': /* "\\" */
447 continue;
448 case '$': /* "\$" */
449 case '+': /* "\+" */
450 case '?': /* "\?" */
451 case '*': /* "\*" */
452 case '@': /* "\@" */
453 case 'x': /* "\x" */
454 case 'X': /* "\X" */
455 case 'a': /* "\a" */
456 case 'A': /* "\A" */
457 case '-': /* "\-" */
458 if (pattern_type == -1)
459 break; /* Must not contain pattern */
460 contains_pattern = true;
461 continue;
462 case '{': /* "/\{" */
463 if (filename - 3 < start ||
464 *(filename - 3) != '/')
465 break;
466 if (pattern_type == -1)
467 break; /* Must not contain pattern */
468 contains_pattern = true;
469 in_repetition = true;
470 continue;
471 case '}': /* "\}/" */
472 if (*filename != '/')
473 break;
474 if (!in_repetition)
475 break;
476 in_repetition = false;
477 continue;
478 case '0': /* "\ooo" */
479 case '1':
480 case '2':
481 case '3':
482 d = *filename++;
483 if (d < '0' || d > '7')
484 break;
485 e = *filename++;
486 if (e < '0' || e > '7')
487 break;
488 c = tomoyo_make_byte(c, d, e);
489 if (tomoyo_is_invalid(c))
490 continue; /* pattern is not \000 */
491 }
492 goto out;
493 } else if (in_repetition && c == '/') {
494 goto out;
495 } else if (tomoyo_is_invalid(c)) {
496 goto out;
497 }
498 }
499 if (pattern_type == 1) { /* Must contain pattern */
500 if (!contains_pattern)
501 goto out;
502 }
503 if (in_repetition)
504 goto out;
505 return true;
506 out:
507 return false;
508 }
509
510 /**
511 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
512 * @domainname: The domainname to check.
513 *
514 * Returns true if @domainname follows the naming rules, false otherwise.
515 */
516 bool tomoyo_is_correct_domain(const unsigned char *domainname)
517 {
518 unsigned char c;
519 unsigned char d;
520 unsigned char e;
521
522 if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME,
523 TOMOYO_ROOT_NAME_LEN))
524 goto out;
525 domainname += TOMOYO_ROOT_NAME_LEN;
526 if (!*domainname)
527 return true;
528 do {
529 if (*domainname++ != ' ')
530 goto out;
531 if (*domainname++ != '/')
532 goto out;
533 while ((c = *domainname) != '\0' && c != ' ') {
534 domainname++;
535 if (c == '\\') {
536 c = *domainname++;
537 switch ((c)) {
538 case '\\': /* "\\" */
539 continue;
540 case '0': /* "\ooo" */
541 case '1':
542 case '2':
543 case '3':
544 d = *domainname++;
545 if (d < '0' || d > '7')
546 break;
547 e = *domainname++;
548 if (e < '0' || e > '7')
549 break;
550 c = tomoyo_make_byte(c, d, e);
551 if (tomoyo_is_invalid(c))
552 /* pattern is not \000 */
553 continue;
554 }
555 goto out;
556 } else if (tomoyo_is_invalid(c)) {
557 goto out;
558 }
559 }
560 } while (*domainname);
561 return true;
562 out:
563 return false;
564 }
565
566 /**
567 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
568 *
569 * @buffer: The token to check.
570 *
571 * Returns true if @buffer possibly be a domainname, false otherwise.
572 */
573 bool tomoyo_is_domain_def(const unsigned char *buffer)
574 {
575 return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN);
576 }
577
578 /**
579 * tomoyo_find_domain - Find a domain by the given name.
580 *
581 * @domainname: The domainname to find.
582 *
583 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
584 *
585 * Caller holds tomoyo_read_lock().
586 */
587 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
588 {
589 struct tomoyo_domain_info *domain;
590 struct tomoyo_path_info name;
591
592 name.name = domainname;
593 tomoyo_fill_path_info(&name);
594 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
595 if (!domain->is_deleted &&
596 !tomoyo_pathcmp(&name, domain->domainname))
597 return domain;
598 }
599 return NULL;
600 }
601
602 /**
603 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
604 *
605 * @filename: The string to evaluate.
606 *
607 * Returns the initial length without a pattern in @filename.
608 */
609 static int tomoyo_const_part_length(const char *filename)
610 {
611 char c;
612 int len = 0;
613
614 if (!filename)
615 return 0;
616 while ((c = *filename++) != '\0') {
617 if (c != '\\') {
618 len++;
619 continue;
620 }
621 c = *filename++;
622 switch (c) {
623 case '\\': /* "\\" */
624 len += 2;
625 continue;
626 case '0': /* "\ooo" */
627 case '1':
628 case '2':
629 case '3':
630 c = *filename++;
631 if (c < '0' || c > '7')
632 break;
633 c = *filename++;
634 if (c < '0' || c > '7')
635 break;
636 len += 4;
637 continue;
638 }
639 break;
640 }
641 return len;
642 }
643
644 /**
645 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
646 *
647 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
648 *
649 * The caller sets "struct tomoyo_path_info"->name.
650 */
651 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
652 {
653 const char *name = ptr->name;
654 const int len = strlen(name);
655
656 ptr->const_len = tomoyo_const_part_length(name);
657 ptr->is_dir = len && (name[len - 1] == '/');
658 ptr->is_patterned = (ptr->const_len < len);
659 ptr->hash = full_name_hash(name, len);
660 }
661
662 /**
663 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
664 * and "\-" pattern.
665 *
666 * @filename: The start of string to check.
667 * @filename_end: The end of string to check.
668 * @pattern: The start of pattern to compare.
669 * @pattern_end: The end of pattern to compare.
670 *
671 * Returns true if @filename matches @pattern, false otherwise.
672 */
673 static bool tomoyo_file_matches_pattern2(const char *filename,
674 const char *filename_end,
675 const char *pattern,
676 const char *pattern_end)
677 {
678 while (filename < filename_end && pattern < pattern_end) {
679 char c;
680 if (*pattern != '\\') {
681 if (*filename++ != *pattern++)
682 return false;
683 continue;
684 }
685 c = *filename;
686 pattern++;
687 switch (*pattern) {
688 int i;
689 int j;
690 case '?':
691 if (c == '/') {
692 return false;
693 } else if (c == '\\') {
694 if (filename[1] == '\\')
695 filename++;
696 else if (tomoyo_is_byte_range(filename + 1))
697 filename += 3;
698 else
699 return false;
700 }
701 break;
702 case '\\':
703 if (c != '\\')
704 return false;
705 if (*++filename != '\\')
706 return false;
707 break;
708 case '+':
709 if (!isdigit(c))
710 return false;
711 break;
712 case 'x':
713 if (!isxdigit(c))
714 return false;
715 break;
716 case 'a':
717 if (!tomoyo_is_alphabet_char(c))
718 return false;
719 break;
720 case '0':
721 case '1':
722 case '2':
723 case '3':
724 if (c == '\\' && tomoyo_is_byte_range(filename + 1)
725 && strncmp(filename + 1, pattern, 3) == 0) {
726 filename += 3;
727 pattern += 2;
728 break;
729 }
730 return false; /* Not matched. */
731 case '*':
732 case '@':
733 for (i = 0; i <= filename_end - filename; i++) {
734 if (tomoyo_file_matches_pattern2(
735 filename + i, filename_end,
736 pattern + 1, pattern_end))
737 return true;
738 c = filename[i];
739 if (c == '.' && *pattern == '@')
740 break;
741 if (c != '\\')
742 continue;
743 if (filename[i + 1] == '\\')
744 i++;
745 else if (tomoyo_is_byte_range(filename + i + 1))
746 i += 3;
747 else
748 break; /* Bad pattern. */
749 }
750 return false; /* Not matched. */
751 default:
752 j = 0;
753 c = *pattern;
754 if (c == '$') {
755 while (isdigit(filename[j]))
756 j++;
757 } else if (c == 'X') {
758 while (isxdigit(filename[j]))
759 j++;
760 } else if (c == 'A') {
761 while (tomoyo_is_alphabet_char(filename[j]))
762 j++;
763 }
764 for (i = 1; i <= j; i++) {
765 if (tomoyo_file_matches_pattern2(
766 filename + i, filename_end,
767 pattern + 1, pattern_end))
768 return true;
769 }
770 return false; /* Not matched or bad pattern. */
771 }
772 filename++;
773 pattern++;
774 }
775 while (*pattern == '\\' &&
776 (*(pattern + 1) == '*' || *(pattern + 1) == '@'))
777 pattern += 2;
778 return filename == filename_end && pattern == pattern_end;
779 }
780
781 /**
782 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
783 *
784 * @filename: The start of string to check.
785 * @filename_end: The end of string to check.
786 * @pattern: The start of pattern to compare.
787 * @pattern_end: The end of pattern to compare.
788 *
789 * Returns true if @filename matches @pattern, false otherwise.
790 */
791 static bool tomoyo_file_matches_pattern(const char *filename,
792 const char *filename_end,
793 const char *pattern,
794 const char *pattern_end)
795 {
796 const char *pattern_start = pattern;
797 bool first = true;
798 bool result;
799
800 while (pattern < pattern_end - 1) {
801 /* Split at "\-" pattern. */
802 if (*pattern++ != '\\' || *pattern++ != '-')
803 continue;
804 result = tomoyo_file_matches_pattern2(filename,
805 filename_end,
806 pattern_start,
807 pattern - 2);
808 if (first)
809 result = !result;
810 if (result)
811 return false;
812 first = false;
813 pattern_start = pattern;
814 }
815 result = tomoyo_file_matches_pattern2(filename, filename_end,
816 pattern_start, pattern_end);
817 return first ? result : !result;
818 }
819
820 /**
821 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
822 *
823 * @f: The start of string to check.
824 * @p: The start of pattern to compare.
825 *
826 * Returns true if @f matches @p, false otherwise.
827 */
828 static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
829 {
830 const char *f_delimiter;
831 const char *p_delimiter;
832
833 while (*f && *p) {
834 f_delimiter = strchr(f, '/');
835 if (!f_delimiter)
836 f_delimiter = f + strlen(f);
837 p_delimiter = strchr(p, '/');
838 if (!p_delimiter)
839 p_delimiter = p + strlen(p);
840 if (*p == '\\' && *(p + 1) == '{')
841 goto recursive;
842 if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
843 p_delimiter))
844 return false;
845 f = f_delimiter;
846 if (*f)
847 f++;
848 p = p_delimiter;
849 if (*p)
850 p++;
851 }
852 /* Ignore trailing "\*" and "\@" in @pattern. */
853 while (*p == '\\' &&
854 (*(p + 1) == '*' || *(p + 1) == '@'))
855 p += 2;
856 return !*f && !*p;
857 recursive:
858 /*
859 * The "\{" pattern is permitted only after '/' character.
860 * This guarantees that below "*(p - 1)" is safe.
861 * Also, the "\}" pattern is permitted only before '/' character
862 * so that "\{" + "\}" pair will not break the "\-" operator.
863 */
864 if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
865 *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
866 return false; /* Bad pattern. */
867 do {
868 /* Compare current component with pattern. */
869 if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
870 p_delimiter - 2))
871 break;
872 /* Proceed to next component. */
873 f = f_delimiter;
874 if (!*f)
875 break;
876 f++;
877 /* Continue comparison. */
878 if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
879 return true;
880 f_delimiter = strchr(f, '/');
881 } while (f_delimiter);
882 return false; /* Not matched. */
883 }
884
885 /**
886 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
887 *
888 * @filename: The filename to check.
889 * @pattern: The pattern to compare.
890 *
891 * Returns true if matches, false otherwise.
892 *
893 * The following patterns are available.
894 * \\ \ itself.
895 * \ooo Octal representation of a byte.
896 * \* Zero or more repetitions of characters other than '/'.
897 * \@ Zero or more repetitions of characters other than '/' or '.'.
898 * \? 1 byte character other than '/'.
899 * \$ One or more repetitions of decimal digits.
900 * \+ 1 decimal digit.
901 * \X One or more repetitions of hexadecimal digits.
902 * \x 1 hexadecimal digit.
903 * \A One or more repetitions of alphabet characters.
904 * \a 1 alphabet character.
905 *
906 * \- Subtraction operator.
907 *
908 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
909 * /dir/dir/dir/ ).
910 */
911 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
912 const struct tomoyo_path_info *pattern)
913 {
914 const char *f = filename->name;
915 const char *p = pattern->name;
916 const int len = pattern->const_len;
917
918 /* If @pattern doesn't contain pattern, I can use strcmp(). */
919 if (!pattern->is_patterned)
920 return !tomoyo_pathcmp(filename, pattern);
921 /* Don't compare directory and non-directory. */
922 if (filename->is_dir != pattern->is_dir)
923 return false;
924 /* Compare the initial length without patterns. */
925 if (strncmp(f, p, len))
926 return false;
927 f += len;
928 p += len;
929 return tomoyo_path_matches_pattern2(f, p);
930 }
931
932 /**
933 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
934 *
935 * @head: Pointer to "struct tomoyo_io_buffer".
936 * @fmt: The printf()'s format string, followed by parameters.
937 *
938 * Returns true if output was written, false otherwise.
939 *
940 * The snprintf() will truncate, but tomoyo_io_printf() won't.
941 */
942 bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
943 {
944 va_list args;
945 int len;
946 int pos = head->read_avail;
947 int size = head->readbuf_size - pos;
948
949 if (size <= 0)
950 return false;
951 va_start(args, fmt);
952 len = vsnprintf(head->read_buf + pos, size, fmt, args);
953 va_end(args);
954 if (pos + len >= head->readbuf_size)
955 return false;
956 head->read_avail += len;
957 return true;
958 }
959
960 /**
961 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
962 *
963 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
964 *
965 * This function uses kzalloc(), so the caller must call kfree()
966 * if this function didn't return NULL.
967 */
968 static const char *tomoyo_get_exe(void)
969 {
970 struct mm_struct *mm = current->mm;
971 struct vm_area_struct *vma;
972 const char *cp = NULL;
973
974 if (!mm)
975 return NULL;
976 down_read(&mm->mmap_sem);
977 for (vma = mm->mmap; vma; vma = vma->vm_next) {
978 if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) {
979 cp = tomoyo_realpath_from_path(&vma->vm_file->f_path);
980 break;
981 }
982 }
983 up_read(&mm->mmap_sem);
984 return cp;
985 }
986
987 /**
988 * tomoyo_check_flags - Check mode for specified functionality.
989 *
990 * @domain: Pointer to "struct tomoyo_domain_info".
991 * @index: The functionality to check mode.
992 *
993 * TOMOYO checks only process context.
994 * This code disables TOMOYO's enforcement in case the function is called from
995 * interrupt context.
996 */
997 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
998 const u8 index)
999 {
1000 const u8 profile = domain->profile;
1001
1002 if (WARN_ON(in_interrupt()))
1003 return 0;
1004 return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX
1005 #if TOMOYO_MAX_PROFILES != 256
1006 && profile < TOMOYO_MAX_PROFILES
1007 #endif
1008 && tomoyo_profile_ptr[profile] ?
1009 tomoyo_profile_ptr[profile]->value[index] : 0;
1010 }
1011
1012 /**
1013 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
1014 *
1015 * @domain: Pointer to "struct tomoyo_domain_info".
1016 *
1017 * Returns true if domain policy violation warning should be printed to
1018 * console.
1019 */
1020 bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain)
1021 {
1022 return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0;
1023 }
1024
1025 /**
1026 * tomoyo_domain_quota_is_ok - Check for domain's quota.
1027 *
1028 * @r: Pointer to "struct tomoyo_request_info".
1029 *
1030 * Returns true if the domain is not exceeded quota, false otherwise.
1031 *
1032 * Caller holds tomoyo_read_lock().
1033 */
1034 bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
1035 {
1036 unsigned int count = 0;
1037 struct tomoyo_domain_info *domain = r->domain;
1038 struct tomoyo_acl_info *ptr;
1039
1040 if (r->mode != TOMOYO_CONFIG_LEARNING)
1041 return false;
1042 if (!domain)
1043 return true;
1044 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1045 switch (ptr->type) {
1046 struct tomoyo_path_acl *acl;
1047 u32 perm;
1048 u8 i;
1049 case TOMOYO_TYPE_PATH_ACL:
1050 acl = container_of(ptr, struct tomoyo_path_acl, head);
1051 perm = acl->perm | (((u32) acl->perm_high) << 16);
1052 for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++)
1053 if (perm & (1 << i))
1054 count++;
1055 if (perm & (1 << TOMOYO_TYPE_READ_WRITE))
1056 count -= 2;
1057 break;
1058 case TOMOYO_TYPE_PATH2_ACL:
1059 perm = container_of(ptr, struct tomoyo_path2_acl, head)
1060 ->perm;
1061 for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++)
1062 if (perm & (1 << i))
1063 count++;
1064 break;
1065 }
1066 }
1067 if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
1068 return true;
1069 if (!domain->quota_warned) {
1070 domain->quota_warned = true;
1071 printk(KERN_WARNING "TOMOYO-WARNING: "
1072 "Domain '%s' has so many ACLs to hold. "
1073 "Stopped learning mode.\n", domain->domainname->name);
1074 }
1075 return false;
1076 }
1077
1078 /**
1079 * tomoyo_find_or_assign_new_profile - Create a new profile.
1080 *
1081 * @profile: Profile number to create.
1082 *
1083 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
1084 */
1085 static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
1086 int profile)
1087 {
1088 struct tomoyo_profile *ptr = NULL;
1089 int i;
1090
1091 if (profile >= TOMOYO_MAX_PROFILES)
1092 return NULL;
1093 if (mutex_lock_interruptible(&tomoyo_policy_lock))
1094 return NULL;
1095 ptr = tomoyo_profile_ptr[profile];
1096 if (ptr)
1097 goto ok;
1098 ptr = kmalloc(sizeof(*ptr), GFP_NOFS);
1099 if (!tomoyo_memory_ok(ptr)) {
1100 kfree(ptr);
1101 ptr = NULL;
1102 goto ok;
1103 }
1104 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++)
1105 ptr->value[i] = tomoyo_control_array[i].current_value;
1106 mb(); /* Avoid out-of-order execution. */
1107 tomoyo_profile_ptr[profile] = ptr;
1108 ok:
1109 mutex_unlock(&tomoyo_policy_lock);
1110 return ptr;
1111 }
1112
1113 /**
1114 * tomoyo_write_profile - Write to profile table.
1115 *
1116 * @head: Pointer to "struct tomoyo_io_buffer".
1117 *
1118 * Returns 0 on success, negative value otherwise.
1119 */
1120 static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
1121 {
1122 char *data = head->write_buf;
1123 unsigned int i;
1124 unsigned int value;
1125 char *cp;
1126 struct tomoyo_profile *profile;
1127 unsigned long num;
1128
1129 cp = strchr(data, '-');
1130 if (cp)
1131 *cp = '\0';
1132 if (strict_strtoul(data, 10, &num))
1133 return -EINVAL;
1134 if (cp)
1135 data = cp + 1;
1136 profile = tomoyo_find_or_assign_new_profile(num);
1137 if (!profile)
1138 return -EINVAL;
1139 cp = strchr(data, '=');
1140 if (!cp)
1141 return -EINVAL;
1142 *cp = '\0';
1143 if (!strcmp(data, "COMMENT")) {
1144 const struct tomoyo_path_info *old_comment = profile->comment;
1145 profile->comment = tomoyo_get_name(cp + 1);
1146 tomoyo_put_name(old_comment);
1147 return 0;
1148 }
1149 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) {
1150 if (strcmp(data, tomoyo_control_array[i].keyword))
1151 continue;
1152 if (sscanf(cp + 1, "%u", &value) != 1) {
1153 int j;
1154 const char **modes;
1155 switch (i) {
1156 case TOMOYO_VERBOSE:
1157 modes = tomoyo_mode_2;
1158 break;
1159 default:
1160 modes = tomoyo_mode_4;
1161 break;
1162 }
1163 for (j = 0; j < 4; j++) {
1164 if (strcmp(cp + 1, modes[j]))
1165 continue;
1166 value = j;
1167 break;
1168 }
1169 if (j == 4)
1170 return -EINVAL;
1171 } else if (value > tomoyo_control_array[i].max_value) {
1172 value = tomoyo_control_array[i].max_value;
1173 }
1174 profile->value[i] = value;
1175 return 0;
1176 }
1177 return -EINVAL;
1178 }
1179
1180 /**
1181 * tomoyo_read_profile - Read from profile table.
1182 *
1183 * @head: Pointer to "struct tomoyo_io_buffer".
1184 *
1185 * Returns 0.
1186 */
1187 static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
1188 {
1189 static const int total = TOMOYO_MAX_CONTROL_INDEX + 1;
1190 int step;
1191
1192 if (head->read_eof)
1193 return 0;
1194 for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total;
1195 step++) {
1196 const u8 index = step / total;
1197 u8 type = step % total;
1198 const struct tomoyo_profile *profile
1199 = tomoyo_profile_ptr[index];
1200 head->read_step = step;
1201 if (!profile)
1202 continue;
1203 if (!type) { /* Print profile' comment tag. */
1204 if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n",
1205 index, profile->comment ?
1206 profile->comment->name : ""))
1207 break;
1208 continue;
1209 }
1210 type--;
1211 if (type < TOMOYO_MAX_CONTROL_INDEX) {
1212 const unsigned int value = profile->value[type];
1213 const char **modes = NULL;
1214 const char *keyword
1215 = tomoyo_control_array[type].keyword;
1216 switch (tomoyo_control_array[type].max_value) {
1217 case 3:
1218 modes = tomoyo_mode_4;
1219 break;
1220 case 1:
1221 modes = tomoyo_mode_2;
1222 break;
1223 }
1224 if (modes) {
1225 if (!tomoyo_io_printf(head, "%u-%s=%s\n", index,
1226 keyword, modes[value]))
1227 break;
1228 } else {
1229 if (!tomoyo_io_printf(head, "%u-%s=%u\n", index,
1230 keyword, value))
1231 break;
1232 }
1233 }
1234 }
1235 if (step == TOMOYO_MAX_PROFILES * total)
1236 head->read_eof = true;
1237 return 0;
1238 }
1239
1240 /*
1241 * tomoyo_policy_manager_list is used for holding list of domainnames or
1242 * programs which are permitted to modify configuration via
1243 * /sys/kernel/security/tomoyo/ interface.
1244 *
1245 * An entry is added by
1246 *
1247 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1248 * /sys/kernel/security/tomoyo/manager
1249 * (if you want to specify by a domainname)
1250 *
1251 * or
1252 *
1253 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1254 * (if you want to specify by a program's location)
1255 *
1256 * and is deleted by
1257 *
1258 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1259 * /sys/kernel/security/tomoyo/manager
1260 *
1261 * or
1262 *
1263 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1264 * /sys/kernel/security/tomoyo/manager
1265 *
1266 * and all entries are retrieved by
1267 *
1268 * # cat /sys/kernel/security/tomoyo/manager
1269 */
1270 LIST_HEAD(tomoyo_policy_manager_list);
1271
1272 /**
1273 * tomoyo_update_manager_entry - Add a manager entry.
1274 *
1275 * @manager: The path to manager or the domainnamme.
1276 * @is_delete: True if it is a delete request.
1277 *
1278 * Returns 0 on success, negative value otherwise.
1279 *
1280 * Caller holds tomoyo_read_lock().
1281 */
1282 static int tomoyo_update_manager_entry(const char *manager,
1283 const bool is_delete)
1284 {
1285 struct tomoyo_policy_manager_entry *ptr;
1286 struct tomoyo_policy_manager_entry e = { };
1287 int error = is_delete ? -ENOENT : -ENOMEM;
1288
1289 if (tomoyo_is_domain_def(manager)) {
1290 if (!tomoyo_is_correct_domain(manager))
1291 return -EINVAL;
1292 e.is_domain = true;
1293 } else {
1294 if (!tomoyo_is_correct_path(manager, 1, -1, -1))
1295 return -EINVAL;
1296 }
1297 e.manager = tomoyo_get_name(manager);
1298 if (!e.manager)
1299 return -ENOMEM;
1300 if (mutex_lock_interruptible(&tomoyo_policy_lock))
1301 goto out;
1302 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1303 if (ptr->manager != e.manager)
1304 continue;
1305 ptr->is_deleted = is_delete;
1306 error = 0;
1307 break;
1308 }
1309 if (!is_delete && error) {
1310 struct tomoyo_policy_manager_entry *entry =
1311 tomoyo_commit_ok(&e, sizeof(e));
1312 if (entry) {
1313 list_add_tail_rcu(&entry->list,
1314 &tomoyo_policy_manager_list);
1315 error = 0;
1316 }
1317 }
1318 mutex_unlock(&tomoyo_policy_lock);
1319 out:
1320 tomoyo_put_name(e.manager);
1321 return error;
1322 }
1323
1324 /**
1325 * tomoyo_write_manager_policy - Write manager policy.
1326 *
1327 * @head: Pointer to "struct tomoyo_io_buffer".
1328 *
1329 * Returns 0 on success, negative value otherwise.
1330 *
1331 * Caller holds tomoyo_read_lock().
1332 */
1333 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
1334 {
1335 char *data = head->write_buf;
1336 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
1337
1338 if (!strcmp(data, "manage_by_non_root")) {
1339 tomoyo_manage_by_non_root = !is_delete;
1340 return 0;
1341 }
1342 return tomoyo_update_manager_entry(data, is_delete);
1343 }
1344
1345 /**
1346 * tomoyo_read_manager_policy - Read manager policy.
1347 *
1348 * @head: Pointer to "struct tomoyo_io_buffer".
1349 *
1350 * Returns 0.
1351 *
1352 * Caller holds tomoyo_read_lock().
1353 */
1354 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
1355 {
1356 struct list_head *pos;
1357 bool done = true;
1358
1359 if (head->read_eof)
1360 return 0;
1361 list_for_each_cookie(pos, head->read_var2,
1362 &tomoyo_policy_manager_list) {
1363 struct tomoyo_policy_manager_entry *ptr;
1364 ptr = list_entry(pos, struct tomoyo_policy_manager_entry,
1365 list);
1366 if (ptr->is_deleted)
1367 continue;
1368 done = tomoyo_io_printf(head, "%s\n", ptr->manager->name);
1369 if (!done)
1370 break;
1371 }
1372 head->read_eof = done;
1373 return 0;
1374 }
1375
1376 /**
1377 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1378 *
1379 * Returns true if the current process is permitted to modify policy
1380 * via /sys/kernel/security/tomoyo/ interface.
1381 *
1382 * Caller holds tomoyo_read_lock().
1383 */
1384 static bool tomoyo_is_policy_manager(void)
1385 {
1386 struct tomoyo_policy_manager_entry *ptr;
1387 const char *exe;
1388 const struct task_struct *task = current;
1389 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
1390 bool found = false;
1391
1392 if (!tomoyo_policy_loaded)
1393 return true;
1394 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
1395 return false;
1396 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1397 if (!ptr->is_deleted && ptr->is_domain
1398 && !tomoyo_pathcmp(domainname, ptr->manager)) {
1399 found = true;
1400 break;
1401 }
1402 }
1403 if (found)
1404 return true;
1405 exe = tomoyo_get_exe();
1406 if (!exe)
1407 return false;
1408 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1409 if (!ptr->is_deleted && !ptr->is_domain
1410 && !strcmp(exe, ptr->manager->name)) {
1411 found = true;
1412 break;
1413 }
1414 }
1415 if (!found) { /* Reduce error messages. */
1416 static pid_t last_pid;
1417 const pid_t pid = current->pid;
1418 if (last_pid != pid) {
1419 printk(KERN_WARNING "%s ( %s ) is not permitted to "
1420 "update policies.\n", domainname->name, exe);
1421 last_pid = pid;
1422 }
1423 }
1424 kfree(exe);
1425 return found;
1426 }
1427
1428 /**
1429 * tomoyo_is_select_one - Parse select command.
1430 *
1431 * @head: Pointer to "struct tomoyo_io_buffer".
1432 * @data: String to parse.
1433 *
1434 * Returns true on success, false otherwise.
1435 *
1436 * Caller holds tomoyo_read_lock().
1437 */
1438 static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
1439 const char *data)
1440 {
1441 unsigned int pid;
1442 struct tomoyo_domain_info *domain = NULL;
1443
1444 if (sscanf(data, "pid=%u", &pid) == 1) {
1445 struct task_struct *p;
1446 rcu_read_lock();
1447 read_lock(&tasklist_lock);
1448 p = find_task_by_vpid(pid);
1449 if (p)
1450 domain = tomoyo_real_domain(p);
1451 read_unlock(&tasklist_lock);
1452 rcu_read_unlock();
1453 } else if (!strncmp(data, "domain=", 7)) {
1454 if (tomoyo_is_domain_def(data + 7))
1455 domain = tomoyo_find_domain(data + 7);
1456 } else
1457 return false;
1458 head->write_var1 = domain;
1459 /* Accessing read_buf is safe because head->io_sem is held. */
1460 if (!head->read_buf)
1461 return true; /* Do nothing if open(O_WRONLY). */
1462 head->read_avail = 0;
1463 tomoyo_io_printf(head, "# select %s\n", data);
1464 head->read_single_domain = true;
1465 head->read_eof = !domain;
1466 if (domain) {
1467 struct tomoyo_domain_info *d;
1468 head->read_var1 = NULL;
1469 list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
1470 if (d == domain)
1471 break;
1472 head->read_var1 = &d->list;
1473 }
1474 head->read_var2 = NULL;
1475 head->read_bit = 0;
1476 head->read_step = 0;
1477 if (domain->is_deleted)
1478 tomoyo_io_printf(head, "# This is a deleted domain.\n");
1479 }
1480 return true;
1481 }
1482
1483 /**
1484 * tomoyo_delete_domain - Delete a domain.
1485 *
1486 * @domainname: The name of domain.
1487 *
1488 * Returns 0.
1489 *
1490 * Caller holds tomoyo_read_lock().
1491 */
1492 static int tomoyo_delete_domain(char *domainname)
1493 {
1494 struct tomoyo_domain_info *domain;
1495 struct tomoyo_path_info name;
1496
1497 name.name = domainname;
1498 tomoyo_fill_path_info(&name);
1499 if (mutex_lock_interruptible(&tomoyo_policy_lock))
1500 return 0;
1501 /* Is there an active domain? */
1502 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
1503 /* Never delete tomoyo_kernel_domain */
1504 if (domain == &tomoyo_kernel_domain)
1505 continue;
1506 if (domain->is_deleted ||
1507 tomoyo_pathcmp(domain->domainname, &name))
1508 continue;
1509 domain->is_deleted = true;
1510 break;
1511 }
1512 mutex_unlock(&tomoyo_policy_lock);
1513 return 0;
1514 }
1515
1516 /**
1517 * tomoyo_write_domain_policy - Write domain policy.
1518 *
1519 * @head: Pointer to "struct tomoyo_io_buffer".
1520 *
1521 * Returns 0 on success, negative value otherwise.
1522 *
1523 * Caller holds tomoyo_read_lock().
1524 */
1525 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
1526 {
1527 char *data = head->write_buf;
1528 struct tomoyo_domain_info *domain = head->write_var1;
1529 bool is_delete = false;
1530 bool is_select = false;
1531 unsigned int profile;
1532
1533 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE))
1534 is_delete = true;
1535 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT))
1536 is_select = true;
1537 if (is_select && tomoyo_is_select_one(head, data))
1538 return 0;
1539 /* Don't allow updating policies by non manager programs. */
1540 if (!tomoyo_is_policy_manager())
1541 return -EPERM;
1542 if (tomoyo_is_domain_def(data)) {
1543 domain = NULL;
1544 if (is_delete)
1545 tomoyo_delete_domain(data);
1546 else if (is_select)
1547 domain = tomoyo_find_domain(data);
1548 else
1549 domain = tomoyo_find_or_assign_new_domain(data, 0);
1550 head->write_var1 = domain;
1551 return 0;
1552 }
1553 if (!domain)
1554 return -EINVAL;
1555
1556 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1
1557 && profile < TOMOYO_MAX_PROFILES) {
1558 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)
1559 domain->profile = (u8) profile;
1560 return 0;
1561 }
1562 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) {
1563 domain->ignore_global_allow_read = !is_delete;
1564 return 0;
1565 }
1566 return tomoyo_write_file_policy(data, domain, is_delete);
1567 }
1568
1569 /**
1570 * tomoyo_print_path_acl - Print a single path ACL entry.
1571 *
1572 * @head: Pointer to "struct tomoyo_io_buffer".
1573 * @ptr: Pointer to "struct tomoyo_path_acl".
1574 *
1575 * Returns true on success, false otherwise.
1576 */
1577 static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
1578 struct tomoyo_path_acl *ptr)
1579 {
1580 int pos;
1581 u8 bit;
1582 const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16);
1583
1584 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
1585 if (!(perm & (1 << bit)))
1586 continue;
1587 /* Print "read/write" instead of "read" and "write". */
1588 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
1589 && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
1590 continue;
1591 pos = head->read_avail;
1592 if (!tomoyo_io_printf(head, "allow_%s ",
1593 tomoyo_path2keyword(bit)) ||
1594 !tomoyo_print_name_union(head, &ptr->name) ||
1595 !tomoyo_io_printf(head, "\n"))
1596 goto out;
1597 }
1598 head->read_bit = 0;
1599 return true;
1600 out:
1601 head->read_bit = bit;
1602 head->read_avail = pos;
1603 return false;
1604 }
1605
1606 /**
1607 * tomoyo_print_path2_acl - Print a double path ACL entry.
1608 *
1609 * @head: Pointer to "struct tomoyo_io_buffer".
1610 * @ptr: Pointer to "struct tomoyo_path2_acl".
1611 *
1612 * Returns true on success, false otherwise.
1613 */
1614 static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head,
1615 struct tomoyo_path2_acl *ptr)
1616 {
1617 int pos;
1618 const u8 perm = ptr->perm;
1619 u8 bit;
1620
1621 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
1622 if (!(perm & (1 << bit)))
1623 continue;
1624 pos = head->read_avail;
1625 if (!tomoyo_io_printf(head, "allow_%s ",
1626 tomoyo_path22keyword(bit)) ||
1627 !tomoyo_print_name_union(head, &ptr->name1) ||
1628 !tomoyo_print_name_union(head, &ptr->name2) ||
1629 !tomoyo_io_printf(head, "\n"))
1630 goto out;
1631 }
1632 head->read_bit = 0;
1633 return true;
1634 out:
1635 head->read_bit = bit;
1636 head->read_avail = pos;
1637 return false;
1638 }
1639
1640 /**
1641 * tomoyo_print_entry - Print an ACL entry.
1642 *
1643 * @head: Pointer to "struct tomoyo_io_buffer".
1644 * @ptr: Pointer to an ACL entry.
1645 *
1646 * Returns true on success, false otherwise.
1647 */
1648 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
1649 struct tomoyo_acl_info *ptr)
1650 {
1651 const u8 acl_type = ptr->type;
1652
1653 if (acl_type == TOMOYO_TYPE_PATH_ACL) {
1654 struct tomoyo_path_acl *acl
1655 = container_of(ptr, struct tomoyo_path_acl, head);
1656 return tomoyo_print_path_acl(head, acl);
1657 }
1658 if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
1659 struct tomoyo_path2_acl *acl
1660 = container_of(ptr, struct tomoyo_path2_acl, head);
1661 return tomoyo_print_path2_acl(head, acl);
1662 }
1663 BUG(); /* This must not happen. */
1664 return false;
1665 }
1666
1667 /**
1668 * tomoyo_read_domain_policy - Read domain policy.
1669 *
1670 * @head: Pointer to "struct tomoyo_io_buffer".
1671 *
1672 * Returns 0.
1673 *
1674 * Caller holds tomoyo_read_lock().
1675 */
1676 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
1677 {
1678 struct list_head *dpos;
1679 struct list_head *apos;
1680 bool done = true;
1681
1682 if (head->read_eof)
1683 return 0;
1684 if (head->read_step == 0)
1685 head->read_step = 1;
1686 list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
1687 struct tomoyo_domain_info *domain;
1688 const char *quota_exceeded = "";
1689 const char *transition_failed = "";
1690 const char *ignore_global_allow_read = "";
1691 domain = list_entry(dpos, struct tomoyo_domain_info, list);
1692 if (head->read_step != 1)
1693 goto acl_loop;
1694 if (domain->is_deleted && !head->read_single_domain)
1695 continue;
1696 /* Print domainname and flags. */
1697 if (domain->quota_warned)
1698 quota_exceeded = "quota_exceeded\n";
1699 if (domain->transition_failed)
1700 transition_failed = "transition_failed\n";
1701 if (domain->ignore_global_allow_read)
1702 ignore_global_allow_read
1703 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
1704 done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1705 "%u\n%s%s%s\n",
1706 domain->domainname->name,
1707 domain->profile, quota_exceeded,
1708 transition_failed,
1709 ignore_global_allow_read);
1710 if (!done)
1711 break;
1712 head->read_step = 2;
1713 acl_loop:
1714 if (head->read_step == 3)
1715 goto tail_mark;
1716 /* Print ACL entries in the domain. */
1717 list_for_each_cookie(apos, head->read_var2,
1718 &domain->acl_info_list) {
1719 struct tomoyo_acl_info *ptr
1720 = list_entry(apos, struct tomoyo_acl_info,
1721 list);
1722 done = tomoyo_print_entry(head, ptr);
1723 if (!done)
1724 break;
1725 }
1726 if (!done)
1727 break;
1728 head->read_step = 3;
1729 tail_mark:
1730 done = tomoyo_io_printf(head, "\n");
1731 if (!done)
1732 break;
1733 head->read_step = 1;
1734 if (head->read_single_domain)
1735 break;
1736 }
1737 head->read_eof = done;
1738 return 0;
1739 }
1740
1741 /**
1742 * tomoyo_write_domain_profile - Assign profile for specified domain.
1743 *
1744 * @head: Pointer to "struct tomoyo_io_buffer".
1745 *
1746 * Returns 0 on success, -EINVAL otherwise.
1747 *
1748 * This is equivalent to doing
1749 *
1750 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1751 * /usr/lib/ccs/loadpolicy -d
1752 *
1753 * Caller holds tomoyo_read_lock().
1754 */
1755 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
1756 {
1757 char *data = head->write_buf;
1758 char *cp = strchr(data, ' ');
1759 struct tomoyo_domain_info *domain;
1760 unsigned long profile;
1761
1762 if (!cp)
1763 return -EINVAL;
1764 *cp = '\0';
1765 domain = tomoyo_find_domain(cp + 1);
1766 if (strict_strtoul(data, 10, &profile))
1767 return -EINVAL;
1768 if (domain && profile < TOMOYO_MAX_PROFILES
1769 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded))
1770 domain->profile = (u8) profile;
1771 return 0;
1772 }
1773
1774 /**
1775 * tomoyo_read_domain_profile - Read only domainname and profile.
1776 *
1777 * @head: Pointer to "struct tomoyo_io_buffer".
1778 *
1779 * Returns list of profile number and domainname pairs.
1780 *
1781 * This is equivalent to doing
1782 *
1783 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1784 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1785 * domainname = $0; } else if ( $1 == "use_profile" ) {
1786 * print $2 " " domainname; domainname = ""; } } ; '
1787 *
1788 * Caller holds tomoyo_read_lock().
1789 */
1790 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
1791 {
1792 struct list_head *pos;
1793 bool done = true;
1794
1795 if (head->read_eof)
1796 return 0;
1797 list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) {
1798 struct tomoyo_domain_info *domain;
1799 domain = list_entry(pos, struct tomoyo_domain_info, list);
1800 if (domain->is_deleted)
1801 continue;
1802 done = tomoyo_io_printf(head, "%u %s\n", domain->profile,
1803 domain->domainname->name);
1804 if (!done)
1805 break;
1806 }
1807 head->read_eof = done;
1808 return 0;
1809 }
1810
1811 /**
1812 * tomoyo_write_pid: Specify PID to obtain domainname.
1813 *
1814 * @head: Pointer to "struct tomoyo_io_buffer".
1815 *
1816 * Returns 0.
1817 */
1818 static int tomoyo_write_pid(struct tomoyo_io_buffer *head)
1819 {
1820 unsigned long pid;
1821 /* No error check. */
1822 strict_strtoul(head->write_buf, 10, &pid);
1823 head->read_step = (int) pid;
1824 head->read_eof = false;
1825 return 0;
1826 }
1827
1828 /**
1829 * tomoyo_read_pid - Get domainname of the specified PID.
1830 *
1831 * @head: Pointer to "struct tomoyo_io_buffer".
1832 *
1833 * Returns the domainname which the specified PID is in on success,
1834 * empty string otherwise.
1835 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1836 * using read()/write() interface rather than sysctl() interface.
1837 */
1838 static int tomoyo_read_pid(struct tomoyo_io_buffer *head)
1839 {
1840 if (head->read_avail == 0 && !head->read_eof) {
1841 const int pid = head->read_step;
1842 struct task_struct *p;
1843 struct tomoyo_domain_info *domain = NULL;
1844 rcu_read_lock();
1845 read_lock(&tasklist_lock);
1846 p = find_task_by_vpid(pid);
1847 if (p)
1848 domain = tomoyo_real_domain(p);
1849 read_unlock(&tasklist_lock);
1850 rcu_read_unlock();
1851 if (domain)
1852 tomoyo_io_printf(head, "%d %u %s", pid, domain->profile,
1853 domain->domainname->name);
1854 head->read_eof = true;
1855 }
1856 return 0;
1857 }
1858
1859 /**
1860 * tomoyo_write_exception_policy - Write exception policy.
1861 *
1862 * @head: Pointer to "struct tomoyo_io_buffer".
1863 *
1864 * Returns 0 on success, negative value otherwise.
1865 *
1866 * Caller holds tomoyo_read_lock().
1867 */
1868 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
1869 {
1870 char *data = head->write_buf;
1871 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
1872
1873 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN))
1874 return tomoyo_write_domain_keeper_policy(data, false,
1875 is_delete);
1876 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN))
1877 return tomoyo_write_domain_keeper_policy(data, true, is_delete);
1878 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN))
1879 return tomoyo_write_domain_initializer_policy(data, false,
1880 is_delete);
1881 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN))
1882 return tomoyo_write_domain_initializer_policy(data, true,
1883 is_delete);
1884 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS))
1885 return tomoyo_write_alias_policy(data, is_delete);
1886 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ))
1887 return tomoyo_write_globally_readable_policy(data, is_delete);
1888 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN))
1889 return tomoyo_write_pattern_policy(data, is_delete);
1890 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE))
1891 return tomoyo_write_no_rewrite_policy(data, is_delete);
1892 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_PATH_GROUP))
1893 return tomoyo_write_path_group_policy(data, is_delete);
1894 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NUMBER_GROUP))
1895 return tomoyo_write_number_group_policy(data, is_delete);
1896 return -EINVAL;
1897 }
1898
1899 /**
1900 * tomoyo_read_exception_policy - Read exception policy.
1901 *
1902 * @head: Pointer to "struct tomoyo_io_buffer".
1903 *
1904 * Returns 0 on success, -EINVAL otherwise.
1905 *
1906 * Caller holds tomoyo_read_lock().
1907 */
1908 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head)
1909 {
1910 if (!head->read_eof) {
1911 switch (head->read_step) {
1912 case 0:
1913 head->read_var2 = NULL;
1914 head->read_step = 1;
1915 case 1:
1916 if (!tomoyo_read_domain_keeper_policy(head))
1917 break;
1918 head->read_var2 = NULL;
1919 head->read_step = 2;
1920 case 2:
1921 if (!tomoyo_read_globally_readable_policy(head))
1922 break;
1923 head->read_var2 = NULL;
1924 head->read_step = 3;
1925 case 3:
1926 head->read_var2 = NULL;
1927 head->read_step = 4;
1928 case 4:
1929 if (!tomoyo_read_domain_initializer_policy(head))
1930 break;
1931 head->read_var2 = NULL;
1932 head->read_step = 5;
1933 case 5:
1934 if (!tomoyo_read_alias_policy(head))
1935 break;
1936 head->read_var2 = NULL;
1937 head->read_step = 6;
1938 case 6:
1939 head->read_var2 = NULL;
1940 head->read_step = 7;
1941 case 7:
1942 if (!tomoyo_read_file_pattern(head))
1943 break;
1944 head->read_var2 = NULL;
1945 head->read_step = 8;
1946 case 8:
1947 if (!tomoyo_read_no_rewrite_policy(head))
1948 break;
1949 head->read_var2 = NULL;
1950 head->read_step = 9;
1951 case 9:
1952 if (!tomoyo_read_path_group_policy(head))
1953 break;
1954 head->read_var1 = NULL;
1955 head->read_var2 = NULL;
1956 head->read_step = 10;
1957 case 10:
1958 if (!tomoyo_read_number_group_policy(head))
1959 break;
1960 head->read_var1 = NULL;
1961 head->read_var2 = NULL;
1962 head->read_step = 11;
1963 case 11:
1964 head->read_eof = true;
1965 break;
1966 default:
1967 return -EINVAL;
1968 }
1969 }
1970 return 0;
1971 }
1972
1973 /* path to policy loader */
1974 static const char *tomoyo_loader = "/sbin/tomoyo-init";
1975
1976 /**
1977 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
1978 *
1979 * Returns true if /sbin/tomoyo-init exists, false otherwise.
1980 */
1981 static bool tomoyo_policy_loader_exists(void)
1982 {
1983 /*
1984 * Don't activate MAC if the policy loader doesn't exist.
1985 * If the initrd includes /sbin/init but real-root-dev has not
1986 * mounted on / yet, activating MAC will block the system since
1987 * policies are not loaded yet.
1988 * Thus, let do_execve() call this function everytime.
1989 */
1990 struct path path;
1991
1992 if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
1993 printk(KERN_INFO "Not activating Mandatory Access Control now "
1994 "since %s doesn't exist.\n", tomoyo_loader);
1995 return false;
1996 }
1997 path_put(&path);
1998 return true;
1999 }
2000
2001 /**
2002 * tomoyo_load_policy - Run external policy loader to load policy.
2003 *
2004 * @filename: The program about to start.
2005 *
2006 * This function checks whether @filename is /sbin/init , and if so
2007 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
2008 * and then continues invocation of /sbin/init.
2009 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
2010 * writes to /sys/kernel/security/tomoyo/ interfaces.
2011 *
2012 * Returns nothing.
2013 */
2014 void tomoyo_load_policy(const char *filename)
2015 {
2016 char *argv[2];
2017 char *envp[3];
2018
2019 if (tomoyo_policy_loaded)
2020 return;
2021 /*
2022 * Check filename is /sbin/init or /sbin/tomoyo-start.
2023 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
2024 * be passed.
2025 * You can create /sbin/tomoyo-start by
2026 * "ln -s /bin/true /sbin/tomoyo-start".
2027 */
2028 if (strcmp(filename, "/sbin/init") &&
2029 strcmp(filename, "/sbin/tomoyo-start"))
2030 return;
2031 if (!tomoyo_policy_loader_exists())
2032 return;
2033
2034 printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
2035 tomoyo_loader);
2036 argv[0] = (char *) tomoyo_loader;
2037 argv[1] = NULL;
2038 envp[0] = "HOME=/";
2039 envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
2040 envp[2] = NULL;
2041 call_usermodehelper(argv[0], argv, envp, 1);
2042
2043 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n");
2044 printk(KERN_INFO "Mandatory Access Control activated.\n");
2045 tomoyo_policy_loaded = true;
2046 { /* Check all profiles currently assigned to domains are defined. */
2047 struct tomoyo_domain_info *domain;
2048 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
2049 const u8 profile = domain->profile;
2050 if (tomoyo_profile_ptr[profile])
2051 continue;
2052 panic("Profile %u (used by '%s') not defined.\n",
2053 profile, domain->domainname->name);
2054 }
2055 }
2056 }
2057
2058 /**
2059 * tomoyo_read_version: Get version.
2060 *
2061 * @head: Pointer to "struct tomoyo_io_buffer".
2062 *
2063 * Returns version information.
2064 */
2065 static int tomoyo_read_version(struct tomoyo_io_buffer *head)
2066 {
2067 if (!head->read_eof) {
2068 tomoyo_io_printf(head, "2.2.0");
2069 head->read_eof = true;
2070 }
2071 return 0;
2072 }
2073
2074 /**
2075 * tomoyo_read_self_domain - Get the current process's domainname.
2076 *
2077 * @head: Pointer to "struct tomoyo_io_buffer".
2078 *
2079 * Returns the current process's domainname.
2080 */
2081 static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head)
2082 {
2083 if (!head->read_eof) {
2084 /*
2085 * tomoyo_domain()->domainname != NULL
2086 * because every process belongs to a domain and
2087 * the domain's name cannot be NULL.
2088 */
2089 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name);
2090 head->read_eof = true;
2091 }
2092 return 0;
2093 }
2094
2095 /**
2096 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
2097 *
2098 * @type: Type of interface.
2099 * @file: Pointer to "struct file".
2100 *
2101 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
2102 *
2103 * Caller acquires tomoyo_read_lock().
2104 */
2105 static int tomoyo_open_control(const u8 type, struct file *file)
2106 {
2107 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS);
2108
2109 if (!head)
2110 return -ENOMEM;
2111 mutex_init(&head->io_sem);
2112 switch (type) {
2113 case TOMOYO_DOMAINPOLICY:
2114 /* /sys/kernel/security/tomoyo/domain_policy */
2115 head->write = tomoyo_write_domain_policy;
2116 head->read = tomoyo_read_domain_policy;
2117 break;
2118 case TOMOYO_EXCEPTIONPOLICY:
2119 /* /sys/kernel/security/tomoyo/exception_policy */
2120 head->write = tomoyo_write_exception_policy;
2121 head->read = tomoyo_read_exception_policy;
2122 break;
2123 case TOMOYO_SELFDOMAIN:
2124 /* /sys/kernel/security/tomoyo/self_domain */
2125 head->read = tomoyo_read_self_domain;
2126 break;
2127 case TOMOYO_DOMAIN_STATUS:
2128 /* /sys/kernel/security/tomoyo/.domain_status */
2129 head->write = tomoyo_write_domain_profile;
2130 head->read = tomoyo_read_domain_profile;
2131 break;
2132 case TOMOYO_PROCESS_STATUS:
2133 /* /sys/kernel/security/tomoyo/.process_status */
2134 head->write = tomoyo_write_pid;
2135 head->read = tomoyo_read_pid;
2136 break;
2137 case TOMOYO_VERSION:
2138 /* /sys/kernel/security/tomoyo/version */
2139 head->read = tomoyo_read_version;
2140 head->readbuf_size = 128;
2141 break;
2142 case TOMOYO_MEMINFO:
2143 /* /sys/kernel/security/tomoyo/meminfo */
2144 head->write = tomoyo_write_memory_quota;
2145 head->read = tomoyo_read_memory_counter;
2146 head->readbuf_size = 512;
2147 break;
2148 case TOMOYO_PROFILE:
2149 /* /sys/kernel/security/tomoyo/profile */
2150 head->write = tomoyo_write_profile;
2151 head->read = tomoyo_read_profile;
2152 break;
2153 case TOMOYO_MANAGER:
2154 /* /sys/kernel/security/tomoyo/manager */
2155 head->write = tomoyo_write_manager_policy;
2156 head->read = tomoyo_read_manager_policy;
2157 break;
2158 }
2159 if (!(file->f_mode & FMODE_READ)) {
2160 /*
2161 * No need to allocate read_buf since it is not opened
2162 * for reading.
2163 */
2164 head->read = NULL;
2165 } else {
2166 if (!head->readbuf_size)
2167 head->readbuf_size = 4096 * 2;
2168 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS);
2169 if (!head->read_buf) {
2170 kfree(head);
2171 return -ENOMEM;
2172 }
2173 }
2174 if (!(file->f_mode & FMODE_WRITE)) {
2175 /*
2176 * No need to allocate write_buf since it is not opened
2177 * for writing.
2178 */
2179 head->write = NULL;
2180 } else if (head->write) {
2181 head->writebuf_size = 4096 * 2;
2182 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS);
2183 if (!head->write_buf) {
2184 kfree(head->read_buf);
2185 kfree(head);
2186 return -ENOMEM;
2187 }
2188 }
2189 head->reader_idx = tomoyo_read_lock();
2190 file->private_data = head;
2191 /*
2192 * Call the handler now if the file is
2193 * /sys/kernel/security/tomoyo/self_domain
2194 * so that the user can use
2195 * cat < /sys/kernel/security/tomoyo/self_domain"
2196 * to know the current process's domainname.
2197 */
2198 if (type == TOMOYO_SELFDOMAIN)
2199 tomoyo_read_control(file, NULL, 0);
2200 return 0;
2201 }
2202
2203 /**
2204 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
2205 *
2206 * @file: Pointer to "struct file".
2207 * @buffer: Poiner to buffer to write to.
2208 * @buffer_len: Size of @buffer.
2209 *
2210 * Returns bytes read on success, negative value otherwise.
2211 *
2212 * Caller holds tomoyo_read_lock().
2213 */
2214 static int tomoyo_read_control(struct file *file, char __user *buffer,
2215 const int buffer_len)
2216 {
2217 int len = 0;
2218 struct tomoyo_io_buffer *head = file->private_data;
2219 char *cp;
2220
2221 if (!head->read)
2222 return -ENOSYS;
2223 if (mutex_lock_interruptible(&head->io_sem))
2224 return -EINTR;
2225 /* Call the policy handler. */
2226 len = head->read(head);
2227 if (len < 0)
2228 goto out;
2229 /* Write to buffer. */
2230 len = head->read_avail;
2231 if (len > buffer_len)
2232 len = buffer_len;
2233 if (!len)
2234 goto out;
2235 /* head->read_buf changes by some functions. */
2236 cp = head->read_buf;
2237 if (copy_to_user(buffer, cp, len)) {
2238 len = -EFAULT;
2239 goto out;
2240 }
2241 head->read_avail -= len;
2242 memmove(cp, cp + len, head->read_avail);
2243 out:
2244 mutex_unlock(&head->io_sem);
2245 return len;
2246 }
2247
2248 /**
2249 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2250 *
2251 * @file: Pointer to "struct file".
2252 * @buffer: Pointer to buffer to read from.
2253 * @buffer_len: Size of @buffer.
2254 *
2255 * Returns @buffer_len on success, negative value otherwise.
2256 *
2257 * Caller holds tomoyo_read_lock().
2258 */
2259 static int tomoyo_write_control(struct file *file, const char __user *buffer,
2260 const int buffer_len)
2261 {
2262 struct tomoyo_io_buffer *head = file->private_data;
2263 int error = buffer_len;
2264 int avail_len = buffer_len;
2265 char *cp0 = head->write_buf;
2266
2267 if (!head->write)
2268 return -ENOSYS;
2269 if (!access_ok(VERIFY_READ, buffer, buffer_len))
2270 return -EFAULT;
2271 /* Don't allow updating policies by non manager programs. */
2272 if (head->write != tomoyo_write_pid &&
2273 head->write != tomoyo_write_domain_policy &&
2274 !tomoyo_is_policy_manager())
2275 return -EPERM;
2276 if (mutex_lock_interruptible(&head->io_sem))
2277 return -EINTR;
2278 /* Read a line and dispatch it to the policy handler. */
2279 while (avail_len > 0) {
2280 char c;
2281 if (head->write_avail >= head->writebuf_size - 1) {
2282 error = -ENOMEM;
2283 break;
2284 } else if (get_user(c, buffer)) {
2285 error = -EFAULT;
2286 break;
2287 }
2288 buffer++;
2289 avail_len--;
2290 cp0[head->write_avail++] = c;
2291 if (c != '\n')
2292 continue;
2293 cp0[head->write_avail - 1] = '\0';
2294 head->write_avail = 0;
2295 tomoyo_normalize_line(cp0);
2296 head->write(head);
2297 }
2298 mutex_unlock(&head->io_sem);
2299 return error;
2300 }
2301
2302 /**
2303 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2304 *
2305 * @file: Pointer to "struct file".
2306 *
2307 * Releases memory and returns 0.
2308 *
2309 * Caller looses tomoyo_read_lock().
2310 */
2311 static int tomoyo_close_control(struct file *file)
2312 {
2313 struct tomoyo_io_buffer *head = file->private_data;
2314 const bool is_write = !!head->write_buf;
2315
2316 tomoyo_read_unlock(head->reader_idx);
2317 /* Release memory used for policy I/O. */
2318 kfree(head->read_buf);
2319 head->read_buf = NULL;
2320 kfree(head->write_buf);
2321 head->write_buf = NULL;
2322 kfree(head);
2323 head = NULL;
2324 file->private_data = NULL;
2325 if (is_write)
2326 tomoyo_run_gc();
2327 return 0;
2328 }
2329
2330 /**
2331 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2332 *
2333 * @inode: Pointer to "struct inode".
2334 * @file: Pointer to "struct file".
2335 *
2336 * Returns 0 on success, negative value otherwise.
2337 */
2338 static int tomoyo_open(struct inode *inode, struct file *file)
2339 {
2340 const int key = ((u8 *) file->f_path.dentry->d_inode->i_private)
2341 - ((u8 *) NULL);
2342 return tomoyo_open_control(key, file);
2343 }
2344
2345 /**
2346 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2347 *
2348 * @inode: Pointer to "struct inode".
2349 * @file: Pointer to "struct file".
2350 *
2351 * Returns 0 on success, negative value otherwise.
2352 */
2353 static int tomoyo_release(struct inode *inode, struct file *file)
2354 {
2355 return tomoyo_close_control(file);
2356 }
2357
2358 /**
2359 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2360 *
2361 * @file: Pointer to "struct file".
2362 * @buf: Pointer to buffer.
2363 * @count: Size of @buf.
2364 * @ppos: Unused.
2365 *
2366 * Returns bytes read on success, negative value otherwise.
2367 */
2368 static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
2369 loff_t *ppos)
2370 {
2371 return tomoyo_read_control(file, buf, count);
2372 }
2373
2374 /**
2375 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2376 *
2377 * @file: Pointer to "struct file".
2378 * @buf: Pointer to buffer.
2379 * @count: Size of @buf.
2380 * @ppos: Unused.
2381 *
2382 * Returns @count on success, negative value otherwise.
2383 */
2384 static ssize_t tomoyo_write(struct file *file, const char __user *buf,
2385 size_t count, loff_t *ppos)
2386 {
2387 return tomoyo_write_control(file, buf, count);
2388 }
2389
2390 /*
2391 * tomoyo_operations is a "struct file_operations" which is used for handling
2392 * /sys/kernel/security/tomoyo/ interface.
2393 *
2394 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2395 * See tomoyo_io_buffer for internals.
2396 */
2397 static const struct file_operations tomoyo_operations = {
2398 .open = tomoyo_open,
2399 .release = tomoyo_release,
2400 .read = tomoyo_read,
2401 .write = tomoyo_write,
2402 };
2403
2404 /**
2405 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2406 *
2407 * @name: The name of the interface file.
2408 * @mode: The permission of the interface file.
2409 * @parent: The parent directory.
2410 * @key: Type of interface.
2411 *
2412 * Returns nothing.
2413 */
2414 static void __init tomoyo_create_entry(const char *name, const mode_t mode,
2415 struct dentry *parent, const u8 key)
2416 {
2417 securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,
2418 &tomoyo_operations);
2419 }
2420
2421 /**
2422 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2423 *
2424 * Returns 0.
2425 */
2426 static int __init tomoyo_initerface_init(void)
2427 {
2428 struct dentry *tomoyo_dir;
2429
2430 /* Don't create securityfs entries unless registered. */
2431 if (current_cred()->security != &tomoyo_kernel_domain)
2432 return 0;
2433
2434 tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
2435 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir,
2436 TOMOYO_DOMAINPOLICY);
2437 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir,
2438 TOMOYO_EXCEPTIONPOLICY);
2439 tomoyo_create_entry("self_domain", 0400, tomoyo_dir,
2440 TOMOYO_SELFDOMAIN);
2441 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir,
2442 TOMOYO_DOMAIN_STATUS);
2443 tomoyo_create_entry(".process_status", 0600, tomoyo_dir,
2444 TOMOYO_PROCESS_STATUS);
2445 tomoyo_create_entry("meminfo", 0600, tomoyo_dir,
2446 TOMOYO_MEMINFO);
2447 tomoyo_create_entry("profile", 0600, tomoyo_dir,
2448 TOMOYO_PROFILE);
2449 tomoyo_create_entry("manager", 0600, tomoyo_dir,
2450 TOMOYO_MANAGER);
2451 tomoyo_create_entry("version", 0400, tomoyo_dir,
2452 TOMOYO_VERSION);
2453 return 0;
2454 }
2455
2456 fs_initcall(tomoyo_initerface_init);
Linux kernel - Deliverables
This page took 0.078807 seconds and 4 git commands to generate.