2 * security/tomoyo/common.c
4 * Common functions for TOMOYO.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
12 #include <linux/uaccess.h>
13 #include <linux/slab.h>
14 #include <linux/security.h>
15 #include <linux/hardirq.h>
18 /* Lock for protecting policy. */
19 DEFINE_MUTEX(tomoyo_policy_lock
);
21 /* Has loading policy done? */
22 bool tomoyo_policy_loaded
;
24 /* String table for functionality that takes 4 modes. */
25 static const char *tomoyo_mode_4
[4] = {
26 "disabled", "learning", "permissive", "enforcing"
28 /* String table for functionality that takes 2 modes. */
29 static const char *tomoyo_mode_2
[4] = {
30 "disabled", "enabled", "enabled", "enabled"
34 * tomoyo_control_array is a static data which contains
36 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
37 * (2) initial values for "struct tomoyo_profile".
38 * (3) max values for "struct tomoyo_profile".
42 unsigned int current_value
;
43 const unsigned int max_value
;
44 } tomoyo_control_array
[TOMOYO_MAX_CONTROL_INDEX
] = {
45 [TOMOYO_MAC_FOR_FILE
] = { "MAC_FOR_FILE", 0, 3 },
46 [TOMOYO_MAX_ACCEPT_ENTRY
] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX
},
47 [TOMOYO_VERBOSE
] = { "TOMOYO_VERBOSE", 1, 1 },
51 * tomoyo_profile is a structure which is used for holding the mode of access
52 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
53 * An administrator can define up to 256 profiles.
54 * The ->profile of "struct tomoyo_domain_info" is used for remembering
55 * the profile's number (0 - 255) assigned to that domain.
57 static struct tomoyo_profile
{
58 unsigned int value
[TOMOYO_MAX_CONTROL_INDEX
];
59 const struct tomoyo_path_info
*comment
;
60 } *tomoyo_profile_ptr
[TOMOYO_MAX_PROFILES
];
62 /* Permit policy management by non-root user? */
63 static bool tomoyo_manage_by_non_root
;
65 /* Utility functions. */
67 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
68 static int tomoyo_open_control(const u8 type
, struct file
*file
);
69 /* Close /sys/kernel/security/tomoyo/ interface. */
70 static int tomoyo_close_control(struct file
*file
);
71 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
72 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
73 const int buffer_len
);
74 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
75 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
76 const int buffer_len
);
79 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
81 * @str: Pointer to the string.
83 * Returns true if @str is a \ooo style octal value, false otherwise.
85 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
86 * This function verifies that \ooo is in valid range.
88 static inline bool tomoyo_is_byte_range(const char *str
)
90 return *str
>= '0' && *str
++ <= '3' &&
91 *str
>= '0' && *str
++ <= '7' &&
92 *str
>= '0' && *str
<= '7';
96 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
98 * @c: The character to check.
100 * Returns true if @c is an alphabet character, false otherwise.
102 static inline bool tomoyo_is_alphabet_char(const char c
)
104 return (c
>= 'A' && c
<= 'Z') || (c
>= 'a' && c
<= 'z');
108 * tomoyo_make_byte - Make byte value from three octal characters.
110 * @c1: The first character.
111 * @c2: The second character.
112 * @c3: The third character.
114 * Returns byte value.
116 static inline u8
tomoyo_make_byte(const u8 c1
, const u8 c2
, const u8 c3
)
118 return ((c1
- '0') << 6) + ((c2
- '0') << 3) + (c3
- '0');
122 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
124 * @src: Pointer to pointer to the string.
125 * @find: Pointer to the keyword.
127 * Returns true if @src starts with @find, false otherwise.
129 * The @src is updated to point the first character after the @find
130 * if @src starts with @find.
132 static bool tomoyo_str_starts(char **src
, const char *find
)
134 const int len
= strlen(find
);
137 if (strncmp(tmp
, find
, len
))
145 * tomoyo_normalize_line - Format string.
147 * @buffer: The line to normalize.
149 * Leading and trailing whitespaces are removed.
150 * Multiple whitespaces are packed into single space.
154 static void tomoyo_normalize_line(unsigned char *buffer
)
156 unsigned char *sp
= buffer
;
157 unsigned char *dp
= buffer
;
160 while (tomoyo_is_invalid(*sp
))
166 while (tomoyo_is_valid(*sp
))
168 while (tomoyo_is_invalid(*sp
))
175 * tomoyo_is_correct_path - Validate a pathname.
176 * @filename: The pathname to check.
177 * @start_type: Should the pathname start with '/'?
178 * 1 = must / -1 = must not / 0 = don't care
179 * @pattern_type: Can the pathname contain a wildcard?
180 * 1 = must / -1 = must not / 0 = don't care
181 * @end_type: Should the pathname end with '/'?
182 * 1 = must / -1 = must not / 0 = don't care
184 * Check whether the given filename follows the naming rules.
185 * Returns true if @filename follows the naming rules, false otherwise.
187 bool tomoyo_is_correct_path(const char *filename
, const s8 start_type
,
188 const s8 pattern_type
, const s8 end_type
)
190 const char *const start
= filename
;
191 bool in_repetition
= false;
192 bool contains_pattern
= false;
200 if (start_type
== 1) { /* Must start with '/' */
203 } else if (start_type
== -1) { /* Must not start with '/' */
208 c
= *(filename
+ strlen(filename
) - 1);
209 if (end_type
== 1) { /* Must end with '/' */
212 } else if (end_type
== -1) { /* Must not end with '/' */
223 case '\\': /* "\\" */
235 if (pattern_type
== -1)
236 break; /* Must not contain pattern */
237 contains_pattern
= true;
239 case '{': /* "/\{" */
240 if (filename
- 3 < start
||
241 *(filename
- 3) != '/')
243 if (pattern_type
== -1)
244 break; /* Must not contain pattern */
245 contains_pattern
= true;
246 in_repetition
= true;
248 case '}': /* "\}/" */
249 if (*filename
!= '/')
253 in_repetition
= false;
255 case '0': /* "\ooo" */
260 if (d
< '0' || d
> '7')
263 if (e
< '0' || e
> '7')
265 c
= tomoyo_make_byte(c
, d
, e
);
266 if (tomoyo_is_invalid(c
))
267 continue; /* pattern is not \000 */
270 } else if (in_repetition
&& c
== '/') {
272 } else if (tomoyo_is_invalid(c
)) {
276 if (pattern_type
== 1) { /* Must contain pattern */
277 if (!contains_pattern
)
288 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
289 * @domainname: The domainname to check.
291 * Returns true if @domainname follows the naming rules, false otherwise.
293 bool tomoyo_is_correct_domain(const unsigned char *domainname
)
299 if (!domainname
|| strncmp(domainname
, TOMOYO_ROOT_NAME
,
300 TOMOYO_ROOT_NAME_LEN
))
302 domainname
+= TOMOYO_ROOT_NAME_LEN
;
306 if (*domainname
++ != ' ')
308 if (*domainname
++ != '/')
310 while ((c
= *domainname
) != '\0' && c
!= ' ') {
315 case '\\': /* "\\" */
317 case '0': /* "\ooo" */
322 if (d
< '0' || d
> '7')
325 if (e
< '0' || e
> '7')
327 c
= tomoyo_make_byte(c
, d
, e
);
328 if (tomoyo_is_invalid(c
))
329 /* pattern is not \000 */
333 } else if (tomoyo_is_invalid(c
)) {
337 } while (*domainname
);
344 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
346 * @buffer: The token to check.
348 * Returns true if @buffer possibly be a domainname, false otherwise.
350 bool tomoyo_is_domain_def(const unsigned char *buffer
)
352 return !strncmp(buffer
, TOMOYO_ROOT_NAME
, TOMOYO_ROOT_NAME_LEN
);
356 * tomoyo_find_domain - Find a domain by the given name.
358 * @domainname: The domainname to find.
360 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
362 * Caller holds tomoyo_read_lock().
364 struct tomoyo_domain_info
*tomoyo_find_domain(const char *domainname
)
366 struct tomoyo_domain_info
*domain
;
367 struct tomoyo_path_info name
;
369 name
.name
= domainname
;
370 tomoyo_fill_path_info(&name
);
371 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
372 if (!domain
->is_deleted
&&
373 !tomoyo_pathcmp(&name
, domain
->domainname
))
380 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
382 * @filename: The string to evaluate.
384 * Returns the initial length without a pattern in @filename.
386 static int tomoyo_const_part_length(const char *filename
)
393 while ((c
= *filename
++) != '\0') {
400 case '\\': /* "\\" */
403 case '0': /* "\ooo" */
408 if (c
< '0' || c
> '7')
411 if (c
< '0' || c
> '7')
422 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
424 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
426 * The caller sets "struct tomoyo_path_info"->name.
428 void tomoyo_fill_path_info(struct tomoyo_path_info
*ptr
)
430 const char *name
= ptr
->name
;
431 const int len
= strlen(name
);
433 ptr
->const_len
= tomoyo_const_part_length(name
);
434 ptr
->is_dir
= len
&& (name
[len
- 1] == '/');
435 ptr
->is_patterned
= (ptr
->const_len
< len
);
436 ptr
->hash
= full_name_hash(name
, len
);
440 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
443 * @filename: The start of string to check.
444 * @filename_end: The end of string to check.
445 * @pattern: The start of pattern to compare.
446 * @pattern_end: The end of pattern to compare.
448 * Returns true if @filename matches @pattern, false otherwise.
450 static bool tomoyo_file_matches_pattern2(const char *filename
,
451 const char *filename_end
,
453 const char *pattern_end
)
455 while (filename
< filename_end
&& pattern
< pattern_end
) {
457 if (*pattern
!= '\\') {
458 if (*filename
++ != *pattern
++)
470 } else if (c
== '\\') {
471 if (filename
[1] == '\\')
473 else if (tomoyo_is_byte_range(filename
+ 1))
482 if (*++filename
!= '\\')
494 if (!tomoyo_is_alphabet_char(c
))
501 if (c
== '\\' && tomoyo_is_byte_range(filename
+ 1)
502 && strncmp(filename
+ 1, pattern
, 3) == 0) {
507 return false; /* Not matched. */
510 for (i
= 0; i
<= filename_end
- filename
; i
++) {
511 if (tomoyo_file_matches_pattern2(
512 filename
+ i
, filename_end
,
513 pattern
+ 1, pattern_end
))
516 if (c
== '.' && *pattern
== '@')
520 if (filename
[i
+ 1] == '\\')
522 else if (tomoyo_is_byte_range(filename
+ i
+ 1))
525 break; /* Bad pattern. */
527 return false; /* Not matched. */
532 while (isdigit(filename
[j
]))
534 } else if (c
== 'X') {
535 while (isxdigit(filename
[j
]))
537 } else if (c
== 'A') {
538 while (tomoyo_is_alphabet_char(filename
[j
]))
541 for (i
= 1; i
<= j
; i
++) {
542 if (tomoyo_file_matches_pattern2(
543 filename
+ i
, filename_end
,
544 pattern
+ 1, pattern_end
))
547 return false; /* Not matched or bad pattern. */
552 while (*pattern
== '\\' &&
553 (*(pattern
+ 1) == '*' || *(pattern
+ 1) == '@'))
555 return filename
== filename_end
&& pattern
== pattern_end
;
559 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
561 * @filename: The start of string to check.
562 * @filename_end: The end of string to check.
563 * @pattern: The start of pattern to compare.
564 * @pattern_end: The end of pattern to compare.
566 * Returns true if @filename matches @pattern, false otherwise.
568 static bool tomoyo_file_matches_pattern(const char *filename
,
569 const char *filename_end
,
571 const char *pattern_end
)
573 const char *pattern_start
= pattern
;
577 while (pattern
< pattern_end
- 1) {
578 /* Split at "\-" pattern. */
579 if (*pattern
++ != '\\' || *pattern
++ != '-')
581 result
= tomoyo_file_matches_pattern2(filename
,
590 pattern_start
= pattern
;
592 result
= tomoyo_file_matches_pattern2(filename
, filename_end
,
593 pattern_start
, pattern_end
);
594 return first
? result
: !result
;
598 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
600 * @f: The start of string to check.
601 * @p: The start of pattern to compare.
603 * Returns true if @f matches @p, false otherwise.
605 static bool tomoyo_path_matches_pattern2(const char *f
, const char *p
)
607 const char *f_delimiter
;
608 const char *p_delimiter
;
611 f_delimiter
= strchr(f
, '/');
613 f_delimiter
= f
+ strlen(f
);
614 p_delimiter
= strchr(p
, '/');
616 p_delimiter
= p
+ strlen(p
);
617 if (*p
== '\\' && *(p
+ 1) == '{')
619 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
,
629 /* Ignore trailing "\*" and "\@" in @pattern. */
631 (*(p
+ 1) == '*' || *(p
+ 1) == '@'))
636 * The "\{" pattern is permitted only after '/' character.
637 * This guarantees that below "*(p - 1)" is safe.
638 * Also, the "\}" pattern is permitted only before '/' character
639 * so that "\{" + "\}" pair will not break the "\-" operator.
641 if (*(p
- 1) != '/' || p_delimiter
<= p
+ 3 || *p_delimiter
!= '/' ||
642 *(p_delimiter
- 1) != '}' || *(p_delimiter
- 2) != '\\')
643 return false; /* Bad pattern. */
645 /* Compare current component with pattern. */
646 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
+ 2,
649 /* Proceed to next component. */
654 /* Continue comparison. */
655 if (tomoyo_path_matches_pattern2(f
, p_delimiter
+ 1))
657 f_delimiter
= strchr(f
, '/');
658 } while (f_delimiter
);
659 return false; /* Not matched. */
663 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
665 * @filename: The filename to check.
666 * @pattern: The pattern to compare.
668 * Returns true if matches, false otherwise.
670 * The following patterns are available.
672 * \ooo Octal representation of a byte.
673 * \* Zero or more repetitions of characters other than '/'.
674 * \@ Zero or more repetitions of characters other than '/' or '.'.
675 * \? 1 byte character other than '/'.
676 * \$ One or more repetitions of decimal digits.
677 * \+ 1 decimal digit.
678 * \X One or more repetitions of hexadecimal digits.
679 * \x 1 hexadecimal digit.
680 * \A One or more repetitions of alphabet characters.
681 * \a 1 alphabet character.
683 * \- Subtraction operator.
685 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
688 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info
*filename
,
689 const struct tomoyo_path_info
*pattern
)
691 const char *f
= filename
->name
;
692 const char *p
= pattern
->name
;
693 const int len
= pattern
->const_len
;
695 /* If @pattern doesn't contain pattern, I can use strcmp(). */
696 if (!pattern
->is_patterned
)
697 return !tomoyo_pathcmp(filename
, pattern
);
698 /* Don't compare directory and non-directory. */
699 if (filename
->is_dir
!= pattern
->is_dir
)
701 /* Compare the initial length without patterns. */
702 if (strncmp(f
, p
, len
))
706 return tomoyo_path_matches_pattern2(f
, p
);
710 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
712 * @head: Pointer to "struct tomoyo_io_buffer".
713 * @fmt: The printf()'s format string, followed by parameters.
715 * Returns true if output was written, false otherwise.
717 * The snprintf() will truncate, but tomoyo_io_printf() won't.
719 bool tomoyo_io_printf(struct tomoyo_io_buffer
*head
, const char *fmt
, ...)
723 int pos
= head
->read_avail
;
724 int size
= head
->readbuf_size
- pos
;
729 len
= vsnprintf(head
->read_buf
+ pos
, size
, fmt
, args
);
731 if (pos
+ len
>= head
->readbuf_size
)
733 head
->read_avail
+= len
;
738 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
740 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
742 * This function uses kzalloc(), so the caller must call kfree()
743 * if this function didn't return NULL.
745 static const char *tomoyo_get_exe(void)
747 struct mm_struct
*mm
= current
->mm
;
748 struct vm_area_struct
*vma
;
749 const char *cp
= NULL
;
753 down_read(&mm
->mmap_sem
);
754 for (vma
= mm
->mmap
; vma
; vma
= vma
->vm_next
) {
755 if ((vma
->vm_flags
& VM_EXECUTABLE
) && vma
->vm_file
) {
756 cp
= tomoyo_realpath_from_path(&vma
->vm_file
->f_path
);
760 up_read(&mm
->mmap_sem
);
765 * tomoyo_get_msg - Get warning message.
767 * @is_enforce: Is it enforcing mode?
769 * Returns "ERROR" or "WARNING".
771 const char *tomoyo_get_msg(const bool is_enforce
)
780 * tomoyo_check_flags - Check mode for specified functionality.
782 * @domain: Pointer to "struct tomoyo_domain_info".
783 * @index: The functionality to check mode.
785 * TOMOYO checks only process context.
786 * This code disables TOMOYO's enforcement in case the function is called from
789 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info
*domain
,
792 const u8 profile
= domain
->profile
;
794 if (WARN_ON(in_interrupt()))
796 return tomoyo_policy_loaded
&& index
< TOMOYO_MAX_CONTROL_INDEX
797 #if TOMOYO_MAX_PROFILES != 256
798 && profile
< TOMOYO_MAX_PROFILES
800 && tomoyo_profile_ptr
[profile
] ?
801 tomoyo_profile_ptr
[profile
]->value
[index
] : 0;
805 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
807 * @domain: Pointer to "struct tomoyo_domain_info".
809 * Returns true if domain policy violation warning should be printed to
812 bool tomoyo_verbose_mode(const struct tomoyo_domain_info
*domain
)
814 return tomoyo_check_flags(domain
, TOMOYO_VERBOSE
) != 0;
818 * tomoyo_domain_quota_is_ok - Check for domain's quota.
820 * @domain: Pointer to "struct tomoyo_domain_info".
822 * Returns true if the domain is not exceeded quota, false otherwise.
824 * Caller holds tomoyo_read_lock().
826 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info
* const domain
)
828 unsigned int count
= 0;
829 struct tomoyo_acl_info
*ptr
;
833 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
835 struct tomoyo_path_acl
*acl
;
838 case TOMOYO_TYPE_PATH_ACL
:
839 acl
= container_of(ptr
, struct tomoyo_path_acl
, head
);
840 perm
= acl
->perm
| (((u32
) acl
->perm_high
) << 16);
841 for (i
= 0; i
< TOMOYO_MAX_PATH_OPERATION
; i
++)
844 if (perm
& (1 << TOMOYO_TYPE_READ_WRITE
))
847 case TOMOYO_TYPE_PATH2_ACL
:
848 perm
= container_of(ptr
, struct tomoyo_path2_acl
, head
)
850 for (i
= 0; i
< TOMOYO_MAX_PATH2_OPERATION
; i
++)
856 if (count
< tomoyo_check_flags(domain
, TOMOYO_MAX_ACCEPT_ENTRY
))
858 if (!domain
->quota_warned
) {
859 domain
->quota_warned
= true;
860 printk(KERN_WARNING
"TOMOYO-WARNING: "
861 "Domain '%s' has so many ACLs to hold. "
862 "Stopped learning mode.\n", domain
->domainname
->name
);
868 * tomoyo_find_or_assign_new_profile - Create a new profile.
870 * @profile: Profile number to create.
872 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
874 static struct tomoyo_profile
*tomoyo_find_or_assign_new_profile(const unsigned
877 struct tomoyo_profile
*ptr
= NULL
;
880 if (profile
>= TOMOYO_MAX_PROFILES
)
882 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
884 ptr
= tomoyo_profile_ptr
[profile
];
887 ptr
= kmalloc(sizeof(*ptr
), GFP_NOFS
);
888 if (!tomoyo_memory_ok(ptr
)) {
893 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++)
894 ptr
->value
[i
] = tomoyo_control_array
[i
].current_value
;
895 mb(); /* Avoid out-of-order execution. */
896 tomoyo_profile_ptr
[profile
] = ptr
;
898 mutex_unlock(&tomoyo_policy_lock
);
903 * tomoyo_write_profile - Write to profile table.
905 * @head: Pointer to "struct tomoyo_io_buffer".
907 * Returns 0 on success, negative value otherwise.
909 static int tomoyo_write_profile(struct tomoyo_io_buffer
*head
)
911 char *data
= head
->write_buf
;
915 struct tomoyo_profile
*profile
;
918 cp
= strchr(data
, '-');
921 if (strict_strtoul(data
, 10, &num
))
925 profile
= tomoyo_find_or_assign_new_profile(num
);
928 cp
= strchr(data
, '=');
932 if (!strcmp(data
, "COMMENT")) {
933 const struct tomoyo_path_info
*old_comment
= profile
->comment
;
934 profile
->comment
= tomoyo_get_name(cp
+ 1);
935 tomoyo_put_name(old_comment
);
938 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++) {
939 if (strcmp(data
, tomoyo_control_array
[i
].keyword
))
941 if (sscanf(cp
+ 1, "%u", &value
) != 1) {
946 modes
= tomoyo_mode_2
;
949 modes
= tomoyo_mode_4
;
952 for (j
= 0; j
< 4; j
++) {
953 if (strcmp(cp
+ 1, modes
[j
]))
960 } else if (value
> tomoyo_control_array
[i
].max_value
) {
961 value
= tomoyo_control_array
[i
].max_value
;
963 profile
->value
[i
] = value
;
970 * tomoyo_read_profile - Read from profile table.
972 * @head: Pointer to "struct tomoyo_io_buffer".
976 static int tomoyo_read_profile(struct tomoyo_io_buffer
*head
)
978 static const int total
= TOMOYO_MAX_CONTROL_INDEX
+ 1;
983 for (step
= head
->read_step
; step
< TOMOYO_MAX_PROFILES
* total
;
985 const u8 index
= step
/ total
;
986 u8 type
= step
% total
;
987 const struct tomoyo_profile
*profile
988 = tomoyo_profile_ptr
[index
];
989 head
->read_step
= step
;
992 if (!type
) { /* Print profile' comment tag. */
993 if (!tomoyo_io_printf(head
, "%u-COMMENT=%s\n",
994 index
, profile
->comment
?
995 profile
->comment
->name
: ""))
1000 if (type
< TOMOYO_MAX_CONTROL_INDEX
) {
1001 const unsigned int value
= profile
->value
[type
];
1002 const char **modes
= NULL
;
1004 = tomoyo_control_array
[type
].keyword
;
1005 switch (tomoyo_control_array
[type
].max_value
) {
1007 modes
= tomoyo_mode_4
;
1010 modes
= tomoyo_mode_2
;
1014 if (!tomoyo_io_printf(head
, "%u-%s=%s\n", index
,
1015 keyword
, modes
[value
]))
1018 if (!tomoyo_io_printf(head
, "%u-%s=%u\n", index
,
1024 if (step
== TOMOYO_MAX_PROFILES
* total
)
1025 head
->read_eof
= true;
1030 * tomoyo_policy_manager_list is used for holding list of domainnames or
1031 * programs which are permitted to modify configuration via
1032 * /sys/kernel/security/tomoyo/ interface.
1034 * An entry is added by
1036 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1037 * /sys/kernel/security/tomoyo/manager
1038 * (if you want to specify by a domainname)
1042 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1043 * (if you want to specify by a program's location)
1047 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1048 * /sys/kernel/security/tomoyo/manager
1052 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1053 * /sys/kernel/security/tomoyo/manager
1055 * and all entries are retrieved by
1057 * # cat /sys/kernel/security/tomoyo/manager
1059 LIST_HEAD(tomoyo_policy_manager_list
);
1062 * tomoyo_update_manager_entry - Add a manager entry.
1064 * @manager: The path to manager or the domainnamme.
1065 * @is_delete: True if it is a delete request.
1067 * Returns 0 on success, negative value otherwise.
1069 * Caller holds tomoyo_read_lock().
1071 static int tomoyo_update_manager_entry(const char *manager
,
1072 const bool is_delete
)
1074 struct tomoyo_policy_manager_entry
*entry
= NULL
;
1075 struct tomoyo_policy_manager_entry
*ptr
;
1076 const struct tomoyo_path_info
*saved_manager
;
1077 int error
= is_delete
? -ENOENT
: -ENOMEM
;
1078 bool is_domain
= false;
1080 if (tomoyo_is_domain_def(manager
)) {
1081 if (!tomoyo_is_correct_domain(manager
))
1085 if (!tomoyo_is_correct_path(manager
, 1, -1, -1))
1088 saved_manager
= tomoyo_get_name(manager
);
1092 entry
= kmalloc(sizeof(*entry
), GFP_NOFS
);
1093 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
1095 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1096 if (ptr
->manager
!= saved_manager
)
1098 ptr
->is_deleted
= is_delete
;
1102 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
1103 entry
->manager
= saved_manager
;
1104 saved_manager
= NULL
;
1105 entry
->is_domain
= is_domain
;
1106 list_add_tail_rcu(&entry
->list
, &tomoyo_policy_manager_list
);
1110 mutex_unlock(&tomoyo_policy_lock
);
1112 tomoyo_put_name(saved_manager
);
1118 * tomoyo_write_manager_policy - Write manager policy.
1120 * @head: Pointer to "struct tomoyo_io_buffer".
1122 * Returns 0 on success, negative value otherwise.
1124 * Caller holds tomoyo_read_lock().
1126 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer
*head
)
1128 char *data
= head
->write_buf
;
1129 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1131 if (!strcmp(data
, "manage_by_non_root")) {
1132 tomoyo_manage_by_non_root
= !is_delete
;
1135 return tomoyo_update_manager_entry(data
, is_delete
);
1139 * tomoyo_read_manager_policy - Read manager policy.
1141 * @head: Pointer to "struct tomoyo_io_buffer".
1145 * Caller holds tomoyo_read_lock().
1147 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer
*head
)
1149 struct list_head
*pos
;
1154 list_for_each_cookie(pos
, head
->read_var2
,
1155 &tomoyo_policy_manager_list
) {
1156 struct tomoyo_policy_manager_entry
*ptr
;
1157 ptr
= list_entry(pos
, struct tomoyo_policy_manager_entry
,
1159 if (ptr
->is_deleted
)
1161 done
= tomoyo_io_printf(head
, "%s\n", ptr
->manager
->name
);
1165 head
->read_eof
= done
;
1170 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1172 * Returns true if the current process is permitted to modify policy
1173 * via /sys/kernel/security/tomoyo/ interface.
1175 * Caller holds tomoyo_read_lock().
1177 static bool tomoyo_is_policy_manager(void)
1179 struct tomoyo_policy_manager_entry
*ptr
;
1181 const struct task_struct
*task
= current
;
1182 const struct tomoyo_path_info
*domainname
= tomoyo_domain()->domainname
;
1185 if (!tomoyo_policy_loaded
)
1187 if (!tomoyo_manage_by_non_root
&& (task
->cred
->uid
|| task
->cred
->euid
))
1189 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1190 if (!ptr
->is_deleted
&& ptr
->is_domain
1191 && !tomoyo_pathcmp(domainname
, ptr
->manager
)) {
1198 exe
= tomoyo_get_exe();
1201 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1202 if (!ptr
->is_deleted
&& !ptr
->is_domain
1203 && !strcmp(exe
, ptr
->manager
->name
)) {
1208 if (!found
) { /* Reduce error messages. */
1209 static pid_t last_pid
;
1210 const pid_t pid
= current
->pid
;
1211 if (last_pid
!= pid
) {
1212 printk(KERN_WARNING
"%s ( %s ) is not permitted to "
1213 "update policies.\n", domainname
->name
, exe
);
1222 * tomoyo_is_select_one - Parse select command.
1224 * @head: Pointer to "struct tomoyo_io_buffer".
1225 * @data: String to parse.
1227 * Returns true on success, false otherwise.
1229 * Caller holds tomoyo_read_lock().
1231 static bool tomoyo_is_select_one(struct tomoyo_io_buffer
*head
,
1235 struct tomoyo_domain_info
*domain
= NULL
;
1237 if (sscanf(data
, "pid=%u", &pid
) == 1) {
1238 struct task_struct
*p
;
1240 read_lock(&tasklist_lock
);
1241 p
= find_task_by_vpid(pid
);
1243 domain
= tomoyo_real_domain(p
);
1244 read_unlock(&tasklist_lock
);
1246 } else if (!strncmp(data
, "domain=", 7)) {
1247 if (tomoyo_is_domain_def(data
+ 7))
1248 domain
= tomoyo_find_domain(data
+ 7);
1251 head
->write_var1
= domain
;
1252 /* Accessing read_buf is safe because head->io_sem is held. */
1253 if (!head
->read_buf
)
1254 return true; /* Do nothing if open(O_WRONLY). */
1255 head
->read_avail
= 0;
1256 tomoyo_io_printf(head
, "# select %s\n", data
);
1257 head
->read_single_domain
= true;
1258 head
->read_eof
= !domain
;
1260 struct tomoyo_domain_info
*d
;
1261 head
->read_var1
= NULL
;
1262 list_for_each_entry_rcu(d
, &tomoyo_domain_list
, list
) {
1265 head
->read_var1
= &d
->list
;
1267 head
->read_var2
= NULL
;
1269 head
->read_step
= 0;
1270 if (domain
->is_deleted
)
1271 tomoyo_io_printf(head
, "# This is a deleted domain.\n");
1277 * tomoyo_delete_domain - Delete a domain.
1279 * @domainname: The name of domain.
1283 * Caller holds tomoyo_read_lock().
1285 static int tomoyo_delete_domain(char *domainname
)
1287 struct tomoyo_domain_info
*domain
;
1288 struct tomoyo_path_info name
;
1290 name
.name
= domainname
;
1291 tomoyo_fill_path_info(&name
);
1292 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
1294 /* Is there an active domain? */
1295 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1296 /* Never delete tomoyo_kernel_domain */
1297 if (domain
== &tomoyo_kernel_domain
)
1299 if (domain
->is_deleted
||
1300 tomoyo_pathcmp(domain
->domainname
, &name
))
1302 domain
->is_deleted
= true;
1305 mutex_unlock(&tomoyo_policy_lock
);
1310 * tomoyo_write_domain_policy - Write domain policy.
1312 * @head: Pointer to "struct tomoyo_io_buffer".
1314 * Returns 0 on success, negative value otherwise.
1316 * Caller holds tomoyo_read_lock().
1318 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer
*head
)
1320 char *data
= head
->write_buf
;
1321 struct tomoyo_domain_info
*domain
= head
->write_var1
;
1322 bool is_delete
= false;
1323 bool is_select
= false;
1324 unsigned int profile
;
1326 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
))
1328 else if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_SELECT
))
1330 if (is_select
&& tomoyo_is_select_one(head
, data
))
1332 /* Don't allow updating policies by non manager programs. */
1333 if (!tomoyo_is_policy_manager())
1335 if (tomoyo_is_domain_def(data
)) {
1338 tomoyo_delete_domain(data
);
1340 domain
= tomoyo_find_domain(data
);
1342 domain
= tomoyo_find_or_assign_new_domain(data
, 0);
1343 head
->write_var1
= domain
;
1349 if (sscanf(data
, TOMOYO_KEYWORD_USE_PROFILE
"%u", &profile
) == 1
1350 && profile
< TOMOYO_MAX_PROFILES
) {
1351 if (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
)
1352 domain
->profile
= (u8
) profile
;
1355 if (!strcmp(data
, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
)) {
1356 domain
->ignore_global_allow_read
= !is_delete
;
1359 return tomoyo_write_file_policy(data
, domain
, is_delete
);
1363 * tomoyo_print_path_acl - Print a single path ACL entry.
1365 * @head: Pointer to "struct tomoyo_io_buffer".
1366 * @ptr: Pointer to "struct tomoyo_path_acl".
1368 * Returns true on success, false otherwise.
1370 static bool tomoyo_print_path_acl(struct tomoyo_io_buffer
*head
,
1371 struct tomoyo_path_acl
*ptr
)
1375 const char *filename
;
1376 const u32 perm
= ptr
->perm
| (((u32
) ptr
->perm_high
) << 16);
1378 filename
= ptr
->filename
->name
;
1379 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_PATH_OPERATION
; bit
++) {
1381 if (!(perm
& (1 << bit
)))
1383 /* Print "read/write" instead of "read" and "write". */
1384 if ((bit
== TOMOYO_TYPE_READ
|| bit
== TOMOYO_TYPE_WRITE
)
1385 && (perm
& (1 << TOMOYO_TYPE_READ_WRITE
)))
1387 msg
= tomoyo_path2keyword(bit
);
1388 pos
= head
->read_avail
;
1389 if (!tomoyo_io_printf(head
, "allow_%s %s\n", msg
, filename
))
1395 head
->read_bit
= bit
;
1396 head
->read_avail
= pos
;
1401 * tomoyo_print_path2_acl - Print a double path ACL entry.
1403 * @head: Pointer to "struct tomoyo_io_buffer".
1404 * @ptr: Pointer to "struct tomoyo_path2_acl".
1406 * Returns true on success, false otherwise.
1408 static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer
*head
,
1409 struct tomoyo_path2_acl
*ptr
)
1412 const char *filename1
;
1413 const char *filename2
;
1414 const u8 perm
= ptr
->perm
;
1417 filename1
= ptr
->filename1
->name
;
1418 filename2
= ptr
->filename2
->name
;
1419 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_PATH2_OPERATION
; bit
++) {
1421 if (!(perm
& (1 << bit
)))
1423 msg
= tomoyo_path22keyword(bit
);
1424 pos
= head
->read_avail
;
1425 if (!tomoyo_io_printf(head
, "allow_%s %s %s\n", msg
,
1426 filename1
, filename2
))
1432 head
->read_bit
= bit
;
1433 head
->read_avail
= pos
;
1438 * tomoyo_print_entry - Print an ACL entry.
1440 * @head: Pointer to "struct tomoyo_io_buffer".
1441 * @ptr: Pointer to an ACL entry.
1443 * Returns true on success, false otherwise.
1445 static bool tomoyo_print_entry(struct tomoyo_io_buffer
*head
,
1446 struct tomoyo_acl_info
*ptr
)
1448 const u8 acl_type
= ptr
->type
;
1450 if (acl_type
== TOMOYO_TYPE_PATH_ACL
) {
1451 struct tomoyo_path_acl
*acl
1452 = container_of(ptr
, struct tomoyo_path_acl
, head
);
1453 return tomoyo_print_path_acl(head
, acl
);
1455 if (acl_type
== TOMOYO_TYPE_PATH2_ACL
) {
1456 struct tomoyo_path2_acl
*acl
1457 = container_of(ptr
, struct tomoyo_path2_acl
, head
);
1458 return tomoyo_print_path2_acl(head
, acl
);
1460 BUG(); /* This must not happen. */
1465 * tomoyo_read_domain_policy - Read domain policy.
1467 * @head: Pointer to "struct tomoyo_io_buffer".
1471 * Caller holds tomoyo_read_lock().
1473 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer
*head
)
1475 struct list_head
*dpos
;
1476 struct list_head
*apos
;
1481 if (head
->read_step
== 0)
1482 head
->read_step
= 1;
1483 list_for_each_cookie(dpos
, head
->read_var1
, &tomoyo_domain_list
) {
1484 struct tomoyo_domain_info
*domain
;
1485 const char *quota_exceeded
= "";
1486 const char *transition_failed
= "";
1487 const char *ignore_global_allow_read
= "";
1488 domain
= list_entry(dpos
, struct tomoyo_domain_info
, list
);
1489 if (head
->read_step
!= 1)
1491 if (domain
->is_deleted
&& !head
->read_single_domain
)
1493 /* Print domainname and flags. */
1494 if (domain
->quota_warned
)
1495 quota_exceeded
= "quota_exceeded\n";
1496 if (domain
->transition_failed
)
1497 transition_failed
= "transition_failed\n";
1498 if (domain
->ignore_global_allow_read
)
1499 ignore_global_allow_read
1500 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
"\n";
1501 done
= tomoyo_io_printf(head
, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1503 domain
->domainname
->name
,
1504 domain
->profile
, quota_exceeded
,
1506 ignore_global_allow_read
);
1509 head
->read_step
= 2;
1511 if (head
->read_step
== 3)
1513 /* Print ACL entries in the domain. */
1514 list_for_each_cookie(apos
, head
->read_var2
,
1515 &domain
->acl_info_list
) {
1516 struct tomoyo_acl_info
*ptr
1517 = list_entry(apos
, struct tomoyo_acl_info
,
1519 done
= tomoyo_print_entry(head
, ptr
);
1525 head
->read_step
= 3;
1527 done
= tomoyo_io_printf(head
, "\n");
1530 head
->read_step
= 1;
1531 if (head
->read_single_domain
)
1534 head
->read_eof
= done
;
1539 * tomoyo_write_domain_profile - Assign profile for specified domain.
1541 * @head: Pointer to "struct tomoyo_io_buffer".
1543 * Returns 0 on success, -EINVAL otherwise.
1545 * This is equivalent to doing
1547 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1548 * /usr/lib/ccs/loadpolicy -d
1550 * Caller holds tomoyo_read_lock().
1552 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer
*head
)
1554 char *data
= head
->write_buf
;
1555 char *cp
= strchr(data
, ' ');
1556 struct tomoyo_domain_info
*domain
;
1557 unsigned long profile
;
1562 domain
= tomoyo_find_domain(cp
+ 1);
1563 if (strict_strtoul(data
, 10, &profile
))
1565 if (domain
&& profile
< TOMOYO_MAX_PROFILES
1566 && (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
))
1567 domain
->profile
= (u8
) profile
;
1572 * tomoyo_read_domain_profile - Read only domainname and profile.
1574 * @head: Pointer to "struct tomoyo_io_buffer".
1576 * Returns list of profile number and domainname pairs.
1578 * This is equivalent to doing
1580 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1581 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1582 * domainname = $0; } else if ( $1 == "use_profile" ) {
1583 * print $2 " " domainname; domainname = ""; } } ; '
1585 * Caller holds tomoyo_read_lock().
1587 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer
*head
)
1589 struct list_head
*pos
;
1594 list_for_each_cookie(pos
, head
->read_var1
, &tomoyo_domain_list
) {
1595 struct tomoyo_domain_info
*domain
;
1596 domain
= list_entry(pos
, struct tomoyo_domain_info
, list
);
1597 if (domain
->is_deleted
)
1599 done
= tomoyo_io_printf(head
, "%u %s\n", domain
->profile
,
1600 domain
->domainname
->name
);
1604 head
->read_eof
= done
;
1609 * tomoyo_write_pid: Specify PID to obtain domainname.
1611 * @head: Pointer to "struct tomoyo_io_buffer".
1615 static int tomoyo_write_pid(struct tomoyo_io_buffer
*head
)
1618 /* No error check. */
1619 strict_strtoul(head
->write_buf
, 10, &pid
);
1620 head
->read_step
= (int) pid
;
1621 head
->read_eof
= false;
1626 * tomoyo_read_pid - Get domainname of the specified PID.
1628 * @head: Pointer to "struct tomoyo_io_buffer".
1630 * Returns the domainname which the specified PID is in on success,
1631 * empty string otherwise.
1632 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1633 * using read()/write() interface rather than sysctl() interface.
1635 static int tomoyo_read_pid(struct tomoyo_io_buffer
*head
)
1637 if (head
->read_avail
== 0 && !head
->read_eof
) {
1638 const int pid
= head
->read_step
;
1639 struct task_struct
*p
;
1640 struct tomoyo_domain_info
*domain
= NULL
;
1642 read_lock(&tasklist_lock
);
1643 p
= find_task_by_vpid(pid
);
1645 domain
= tomoyo_real_domain(p
);
1646 read_unlock(&tasklist_lock
);
1649 tomoyo_io_printf(head
, "%d %u %s", pid
, domain
->profile
,
1650 domain
->domainname
->name
);
1651 head
->read_eof
= true;
1657 * tomoyo_write_exception_policy - Write exception policy.
1659 * @head: Pointer to "struct tomoyo_io_buffer".
1661 * Returns 0 on success, negative value otherwise.
1663 * Caller holds tomoyo_read_lock().
1665 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer
*head
)
1667 char *data
= head
->write_buf
;
1668 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1670 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_KEEP_DOMAIN
))
1671 return tomoyo_write_domain_keeper_policy(data
, false,
1673 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_KEEP_DOMAIN
))
1674 return tomoyo_write_domain_keeper_policy(data
, true, is_delete
);
1675 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_INITIALIZE_DOMAIN
))
1676 return tomoyo_write_domain_initializer_policy(data
, false,
1678 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN
))
1679 return tomoyo_write_domain_initializer_policy(data
, true,
1681 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALIAS
))
1682 return tomoyo_write_alias_policy(data
, is_delete
);
1683 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALLOW_READ
))
1684 return tomoyo_write_globally_readable_policy(data
, is_delete
);
1685 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_FILE_PATTERN
))
1686 return tomoyo_write_pattern_policy(data
, is_delete
);
1687 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DENY_REWRITE
))
1688 return tomoyo_write_no_rewrite_policy(data
, is_delete
);
1693 * tomoyo_read_exception_policy - Read exception policy.
1695 * @head: Pointer to "struct tomoyo_io_buffer".
1697 * Returns 0 on success, -EINVAL otherwise.
1699 * Caller holds tomoyo_read_lock().
1701 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer
*head
)
1703 if (!head
->read_eof
) {
1704 switch (head
->read_step
) {
1706 head
->read_var2
= NULL
;
1707 head
->read_step
= 1;
1709 if (!tomoyo_read_domain_keeper_policy(head
))
1711 head
->read_var2
= NULL
;
1712 head
->read_step
= 2;
1714 if (!tomoyo_read_globally_readable_policy(head
))
1716 head
->read_var2
= NULL
;
1717 head
->read_step
= 3;
1719 head
->read_var2
= NULL
;
1720 head
->read_step
= 4;
1722 if (!tomoyo_read_domain_initializer_policy(head
))
1724 head
->read_var2
= NULL
;
1725 head
->read_step
= 5;
1727 if (!tomoyo_read_alias_policy(head
))
1729 head
->read_var2
= NULL
;
1730 head
->read_step
= 6;
1732 head
->read_var2
= NULL
;
1733 head
->read_step
= 7;
1735 if (!tomoyo_read_file_pattern(head
))
1737 head
->read_var2
= NULL
;
1738 head
->read_step
= 8;
1740 if (!tomoyo_read_no_rewrite_policy(head
))
1742 head
->read_var2
= NULL
;
1743 head
->read_step
= 9;
1745 head
->read_eof
= true;
1754 /* path to policy loader */
1755 static const char *tomoyo_loader
= "/sbin/tomoyo-init";
1758 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
1760 * Returns true if /sbin/tomoyo-init exists, false otherwise.
1762 static bool tomoyo_policy_loader_exists(void)
1765 * Don't activate MAC if the policy loader doesn't exist.
1766 * If the initrd includes /sbin/init but real-root-dev has not
1767 * mounted on / yet, activating MAC will block the system since
1768 * policies are not loaded yet.
1769 * Thus, let do_execve() call this function everytime.
1773 if (kern_path(tomoyo_loader
, LOOKUP_FOLLOW
, &path
)) {
1774 printk(KERN_INFO
"Not activating Mandatory Access Control now "
1775 "since %s doesn't exist.\n", tomoyo_loader
);
1783 * tomoyo_load_policy - Run external policy loader to load policy.
1785 * @filename: The program about to start.
1787 * This function checks whether @filename is /sbin/init , and if so
1788 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
1789 * and then continues invocation of /sbin/init.
1790 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
1791 * writes to /sys/kernel/security/tomoyo/ interfaces.
1795 void tomoyo_load_policy(const char *filename
)
1800 if (tomoyo_policy_loaded
)
1803 * Check filename is /sbin/init or /sbin/tomoyo-start.
1804 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
1806 * You can create /sbin/tomoyo-start by
1807 * "ln -s /bin/true /sbin/tomoyo-start".
1809 if (strcmp(filename
, "/sbin/init") &&
1810 strcmp(filename
, "/sbin/tomoyo-start"))
1812 if (!tomoyo_policy_loader_exists())
1815 printk(KERN_INFO
"Calling %s to load policy. Please wait.\n",
1817 argv
[0] = (char *) tomoyo_loader
;
1820 envp
[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
1822 call_usermodehelper(argv
[0], argv
, envp
, 1);
1824 printk(KERN_INFO
"TOMOYO: 2.2.0 2009/04/01\n");
1825 printk(KERN_INFO
"Mandatory Access Control activated.\n");
1826 tomoyo_policy_loaded
= true;
1827 { /* Check all profiles currently assigned to domains are defined. */
1828 struct tomoyo_domain_info
*domain
;
1829 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1830 const u8 profile
= domain
->profile
;
1831 if (tomoyo_profile_ptr
[profile
])
1833 panic("Profile %u (used by '%s') not defined.\n",
1834 profile
, domain
->domainname
->name
);
1840 * tomoyo_read_version: Get version.
1842 * @head: Pointer to "struct tomoyo_io_buffer".
1844 * Returns version information.
1846 static int tomoyo_read_version(struct tomoyo_io_buffer
*head
)
1848 if (!head
->read_eof
) {
1849 tomoyo_io_printf(head
, "2.2.0");
1850 head
->read_eof
= true;
1856 * tomoyo_read_self_domain - Get the current process's domainname.
1858 * @head: Pointer to "struct tomoyo_io_buffer".
1860 * Returns the current process's domainname.
1862 static int tomoyo_read_self_domain(struct tomoyo_io_buffer
*head
)
1864 if (!head
->read_eof
) {
1866 * tomoyo_domain()->domainname != NULL
1867 * because every process belongs to a domain and
1868 * the domain's name cannot be NULL.
1870 tomoyo_io_printf(head
, "%s", tomoyo_domain()->domainname
->name
);
1871 head
->read_eof
= true;
1877 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
1879 * @type: Type of interface.
1880 * @file: Pointer to "struct file".
1882 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
1884 * Caller acquires tomoyo_read_lock().
1886 static int tomoyo_open_control(const u8 type
, struct file
*file
)
1888 struct tomoyo_io_buffer
*head
= kzalloc(sizeof(*head
), GFP_NOFS
);
1892 mutex_init(&head
->io_sem
);
1894 case TOMOYO_DOMAINPOLICY
:
1895 /* /sys/kernel/security/tomoyo/domain_policy */
1896 head
->write
= tomoyo_write_domain_policy
;
1897 head
->read
= tomoyo_read_domain_policy
;
1899 case TOMOYO_EXCEPTIONPOLICY
:
1900 /* /sys/kernel/security/tomoyo/exception_policy */
1901 head
->write
= tomoyo_write_exception_policy
;
1902 head
->read
= tomoyo_read_exception_policy
;
1904 case TOMOYO_SELFDOMAIN
:
1905 /* /sys/kernel/security/tomoyo/self_domain */
1906 head
->read
= tomoyo_read_self_domain
;
1908 case TOMOYO_DOMAIN_STATUS
:
1909 /* /sys/kernel/security/tomoyo/.domain_status */
1910 head
->write
= tomoyo_write_domain_profile
;
1911 head
->read
= tomoyo_read_domain_profile
;
1913 case TOMOYO_PROCESS_STATUS
:
1914 /* /sys/kernel/security/tomoyo/.process_status */
1915 head
->write
= tomoyo_write_pid
;
1916 head
->read
= tomoyo_read_pid
;
1918 case TOMOYO_VERSION
:
1919 /* /sys/kernel/security/tomoyo/version */
1920 head
->read
= tomoyo_read_version
;
1921 head
->readbuf_size
= 128;
1923 case TOMOYO_MEMINFO
:
1924 /* /sys/kernel/security/tomoyo/meminfo */
1925 head
->write
= tomoyo_write_memory_quota
;
1926 head
->read
= tomoyo_read_memory_counter
;
1927 head
->readbuf_size
= 512;
1929 case TOMOYO_PROFILE
:
1930 /* /sys/kernel/security/tomoyo/profile */
1931 head
->write
= tomoyo_write_profile
;
1932 head
->read
= tomoyo_read_profile
;
1934 case TOMOYO_MANAGER
:
1935 /* /sys/kernel/security/tomoyo/manager */
1936 head
->write
= tomoyo_write_manager_policy
;
1937 head
->read
= tomoyo_read_manager_policy
;
1940 if (!(file
->f_mode
& FMODE_READ
)) {
1942 * No need to allocate read_buf since it is not opened
1947 if (!head
->readbuf_size
)
1948 head
->readbuf_size
= 4096 * 2;
1949 head
->read_buf
= kzalloc(head
->readbuf_size
, GFP_NOFS
);
1950 if (!head
->read_buf
) {
1955 if (!(file
->f_mode
& FMODE_WRITE
)) {
1957 * No need to allocate write_buf since it is not opened
1961 } else if (head
->write
) {
1962 head
->writebuf_size
= 4096 * 2;
1963 head
->write_buf
= kzalloc(head
->writebuf_size
, GFP_NOFS
);
1964 if (!head
->write_buf
) {
1965 kfree(head
->read_buf
);
1970 head
->reader_idx
= tomoyo_read_lock();
1971 file
->private_data
= head
;
1973 * Call the handler now if the file is
1974 * /sys/kernel/security/tomoyo/self_domain
1975 * so that the user can use
1976 * cat < /sys/kernel/security/tomoyo/self_domain"
1977 * to know the current process's domainname.
1979 if (type
== TOMOYO_SELFDOMAIN
)
1980 tomoyo_read_control(file
, NULL
, 0);
1985 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
1987 * @file: Pointer to "struct file".
1988 * @buffer: Poiner to buffer to write to.
1989 * @buffer_len: Size of @buffer.
1991 * Returns bytes read on success, negative value otherwise.
1993 * Caller holds tomoyo_read_lock().
1995 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
1996 const int buffer_len
)
1999 struct tomoyo_io_buffer
*head
= file
->private_data
;
2004 if (mutex_lock_interruptible(&head
->io_sem
))
2006 /* Call the policy handler. */
2007 len
= head
->read(head
);
2010 /* Write to buffer. */
2011 len
= head
->read_avail
;
2012 if (len
> buffer_len
)
2016 /* head->read_buf changes by some functions. */
2017 cp
= head
->read_buf
;
2018 if (copy_to_user(buffer
, cp
, len
)) {
2022 head
->read_avail
-= len
;
2023 memmove(cp
, cp
+ len
, head
->read_avail
);
2025 mutex_unlock(&head
->io_sem
);
2030 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2032 * @file: Pointer to "struct file".
2033 * @buffer: Pointer to buffer to read from.
2034 * @buffer_len: Size of @buffer.
2036 * Returns @buffer_len on success, negative value otherwise.
2038 * Caller holds tomoyo_read_lock().
2040 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
2041 const int buffer_len
)
2043 struct tomoyo_io_buffer
*head
= file
->private_data
;
2044 int error
= buffer_len
;
2045 int avail_len
= buffer_len
;
2046 char *cp0
= head
->write_buf
;
2050 if (!access_ok(VERIFY_READ
, buffer
, buffer_len
))
2052 /* Don't allow updating policies by non manager programs. */
2053 if (head
->write
!= tomoyo_write_pid
&&
2054 head
->write
!= tomoyo_write_domain_policy
&&
2055 !tomoyo_is_policy_manager())
2057 if (mutex_lock_interruptible(&head
->io_sem
))
2059 /* Read a line and dispatch it to the policy handler. */
2060 while (avail_len
> 0) {
2062 if (head
->write_avail
>= head
->writebuf_size
- 1) {
2065 } else if (get_user(c
, buffer
)) {
2071 cp0
[head
->write_avail
++] = c
;
2074 cp0
[head
->write_avail
- 1] = '\0';
2075 head
->write_avail
= 0;
2076 tomoyo_normalize_line(cp0
);
2079 mutex_unlock(&head
->io_sem
);
2084 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2086 * @file: Pointer to "struct file".
2088 * Releases memory and returns 0.
2090 * Caller looses tomoyo_read_lock().
2092 static int tomoyo_close_control(struct file
*file
)
2094 struct tomoyo_io_buffer
*head
= file
->private_data
;
2095 const bool is_write
= !!head
->write_buf
;
2097 tomoyo_read_unlock(head
->reader_idx
);
2098 /* Release memory used for policy I/O. */
2099 kfree(head
->read_buf
);
2100 head
->read_buf
= NULL
;
2101 kfree(head
->write_buf
);
2102 head
->write_buf
= NULL
;
2105 file
->private_data
= NULL
;
2112 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2114 * @inode: Pointer to "struct inode".
2115 * @file: Pointer to "struct file".
2117 * Returns 0 on success, negative value otherwise.
2119 static int tomoyo_open(struct inode
*inode
, struct file
*file
)
2121 const int key
= ((u8
*) file
->f_path
.dentry
->d_inode
->i_private
)
2123 return tomoyo_open_control(key
, file
);
2127 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2129 * @inode: Pointer to "struct inode".
2130 * @file: Pointer to "struct file".
2132 * Returns 0 on success, negative value otherwise.
2134 static int tomoyo_release(struct inode
*inode
, struct file
*file
)
2136 return tomoyo_close_control(file
);
2140 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2142 * @file: Pointer to "struct file".
2143 * @buf: Pointer to buffer.
2144 * @count: Size of @buf.
2147 * Returns bytes read on success, negative value otherwise.
2149 static ssize_t
tomoyo_read(struct file
*file
, char __user
*buf
, size_t count
,
2152 return tomoyo_read_control(file
, buf
, count
);
2156 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2158 * @file: Pointer to "struct file".
2159 * @buf: Pointer to buffer.
2160 * @count: Size of @buf.
2163 * Returns @count on success, negative value otherwise.
2165 static ssize_t
tomoyo_write(struct file
*file
, const char __user
*buf
,
2166 size_t count
, loff_t
*ppos
)
2168 return tomoyo_write_control(file
, buf
, count
);
2172 * tomoyo_operations is a "struct file_operations" which is used for handling
2173 * /sys/kernel/security/tomoyo/ interface.
2175 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2176 * See tomoyo_io_buffer for internals.
2178 static const struct file_operations tomoyo_operations
= {
2179 .open
= tomoyo_open
,
2180 .release
= tomoyo_release
,
2181 .read
= tomoyo_read
,
2182 .write
= tomoyo_write
,
2186 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2188 * @name: The name of the interface file.
2189 * @mode: The permission of the interface file.
2190 * @parent: The parent directory.
2191 * @key: Type of interface.
2195 static void __init
tomoyo_create_entry(const char *name
, const mode_t mode
,
2196 struct dentry
*parent
, const u8 key
)
2198 securityfs_create_file(name
, mode
, parent
, ((u8
*) NULL
) + key
,
2199 &tomoyo_operations
);
2203 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2207 static int __init
tomoyo_initerface_init(void)
2209 struct dentry
*tomoyo_dir
;
2211 /* Don't create securityfs entries unless registered. */
2212 if (current_cred()->security
!= &tomoyo_kernel_domain
)
2215 tomoyo_dir
= securityfs_create_dir("tomoyo", NULL
);
2216 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir
,
2217 TOMOYO_DOMAINPOLICY
);
2218 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir
,
2219 TOMOYO_EXCEPTIONPOLICY
);
2220 tomoyo_create_entry("self_domain", 0400, tomoyo_dir
,
2222 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir
,
2223 TOMOYO_DOMAIN_STATUS
);
2224 tomoyo_create_entry(".process_status", 0600, tomoyo_dir
,
2225 TOMOYO_PROCESS_STATUS
);
2226 tomoyo_create_entry("meminfo", 0600, tomoyo_dir
,
2228 tomoyo_create_entry("profile", 0600, tomoyo_dir
,
2230 tomoyo_create_entry("manager", 0600, tomoyo_dir
,
2232 tomoyo_create_entry("version", 0400, tomoyo_dir
,
2237 fs_initcall(tomoyo_initerface_init
);