projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
TOMOYO: Use common code for domain transition control.
[deliverable/linux.git] / security / tomoyo / domain.c
1 /*
2 * security/tomoyo/domain.c
3 *
4 * Domain transition functions for TOMOYO.
5 *
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
7 */
8
9 #include "common.h"
10 #include <linux/binfmts.h>
11 #include <linux/slab.h>
12
13 /* Variables definitions.*/
14
15 /* The initial domain. */
16 struct tomoyo_domain_info tomoyo_kernel_domain;
17
18 /**
19 * tomoyo_update_policy - Update an entry for exception policy.
20 *
21 * @new_entry: Pointer to "struct tomoyo_acl_info".
22 * @size: Size of @new_entry in bytes.
23 * @is_delete: True if it is a delete request.
24 * @list: Pointer to "struct list_head".
25 * @check_duplicate: Callback function to find duplicated entry.
26 *
27 * Returns 0 on success, negative value otherwise.
28 *
29 * Caller holds tomoyo_read_lock().
30 */
31 int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
32 bool is_delete, struct list_head *list,
33 bool (*check_duplicate) (const struct tomoyo_acl_head
34 *,
35 const struct tomoyo_acl_head
36 *))
37 {
38 int error = is_delete ? -ENOENT : -ENOMEM;
39 struct tomoyo_acl_head *entry;
40
41 if (mutex_lock_interruptible(&tomoyo_policy_lock))
42 return -ENOMEM;
43 list_for_each_entry_rcu(entry, list, list) {
44 if (!check_duplicate(entry, new_entry))
45 continue;
46 entry->is_deleted = is_delete;
47 error = 0;
48 break;
49 }
50 if (error && !is_delete) {
51 entry = tomoyo_commit_ok(new_entry, size);
52 if (entry) {
53 list_add_tail_rcu(&entry->list, list);
54 error = 0;
55 }
56 }
57 mutex_unlock(&tomoyo_policy_lock);
58 return error;
59 }
60
61 /**
62 * tomoyo_update_domain - Update an entry for domain policy.
63 *
64 * @new_entry: Pointer to "struct tomoyo_acl_info".
65 * @size: Size of @new_entry in bytes.
66 * @is_delete: True if it is a delete request.
67 * @domain: Pointer to "struct tomoyo_domain_info".
68 * @check_duplicate: Callback function to find duplicated entry.
69 * @merge_duplicate: Callback function to merge duplicated entry.
70 *
71 * Returns 0 on success, negative value otherwise.
72 *
73 * Caller holds tomoyo_read_lock().
74 */
75 int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
76 bool is_delete, struct tomoyo_domain_info *domain,
77 bool (*check_duplicate) (const struct tomoyo_acl_info
78 *,
79 const struct tomoyo_acl_info
80 *),
81 bool (*merge_duplicate) (struct tomoyo_acl_info *,
82 struct tomoyo_acl_info *,
83 const bool))
84 {
85 int error = is_delete ? -ENOENT : -ENOMEM;
86 struct tomoyo_acl_info *entry;
87
88 if (mutex_lock_interruptible(&tomoyo_policy_lock))
89 return error;
90 list_for_each_entry_rcu(entry, &domain->acl_info_list, list) {
91 if (!check_duplicate(entry, new_entry))
92 continue;
93 if (merge_duplicate)
94 entry->is_deleted = merge_duplicate(entry, new_entry,
95 is_delete);
96 else
97 entry->is_deleted = is_delete;
98 error = 0;
99 break;
100 }
101 if (error && !is_delete) {
102 entry = tomoyo_commit_ok(new_entry, size);
103 if (entry) {
104 list_add_tail_rcu(&entry->list, &domain->acl_info_list);
105 error = 0;
106 }
107 }
108 mutex_unlock(&tomoyo_policy_lock);
109 return error;
110 }
111
112 void tomoyo_check_acl(struct tomoyo_request_info *r,
113 bool (*check_entry) (const struct tomoyo_request_info *,
114 const struct tomoyo_acl_info *))
115 {
116 const struct tomoyo_domain_info *domain = r->domain;
117 struct tomoyo_acl_info *ptr;
118
119 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
120 if (ptr->is_deleted || ptr->type != r->param_type)
121 continue;
122 if (check_entry(r, ptr)) {
123 r->granted = true;
124 return;
125 }
126 }
127 r->granted = false;
128 }
129
130 /* The list for "struct tomoyo_domain_info". */
131 LIST_HEAD(tomoyo_domain_list);
132
133 struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY];
134 struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP];
135
136 /**
137 * tomoyo_get_last_name - Get last component of a domainname.
138 *
139 * @domain: Pointer to "struct tomoyo_domain_info".
140 *
141 * Returns the last component of the domainname.
142 */
143 const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain)
144 {
145 const char *cp0 = domain->domainname->name;
146 const char *cp1 = strrchr(cp0, ' ');
147
148 if (cp1)
149 return cp1 + 1;
150 return cp0;
151 }
152
153 static bool tomoyo_same_transition_control_entry(const struct tomoyo_acl_head *
154 a,
155 const struct tomoyo_acl_head *
156 b)
157 {
158 const struct tomoyo_transition_control *p1 = container_of(a,
159 typeof(*p1),
160 head);
161 const struct tomoyo_transition_control *p2 = container_of(b,
162 typeof(*p2),
163 head);
164 return p1->type == p2->type && p1->is_last_name == p2->is_last_name
165 && p1->domainname == p2->domainname
166 && p1->program == p2->program;
167 }
168
169 /**
170 * tomoyo_update_transition_control_entry - Update "struct tomoyo_transition_control" list.
171 *
172 * @domainname: The name of domain. Maybe NULL.
173 * @program: The name of program. Maybe NULL.
174 * @type: Type of transition.
175 * @is_delete: True if it is a delete request.
176 *
177 * Returns 0 on success, negative value otherwise.
178 */
179 static int tomoyo_update_transition_control_entry(const char *domainname,
180 const char *program,
181 const u8 type,
182 const bool is_delete)
183 {
184 struct tomoyo_transition_control e = { .type = type };
185 int error = is_delete ? -ENOENT : -ENOMEM;
186 if (program) {
187 if (!tomoyo_correct_path(program))
188 return -EINVAL;
189 e.program = tomoyo_get_name(program);
190 if (!e.program)
191 goto out;
192 }
193 if (domainname) {
194 if (!tomoyo_correct_domain(domainname)) {
195 if (!tomoyo_correct_path(domainname))
196 goto out;
197 e.is_last_name = true;
198 }
199 e.domainname = tomoyo_get_name(domainname);
200 if (!e.domainname)
201 goto out;
202 }
203 error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
204 &tomoyo_policy_list
205 [TOMOYO_ID_TRANSITION_CONTROL],
206 tomoyo_same_transition_control_entry);
207 out:
208 tomoyo_put_name(e.domainname);
209 tomoyo_put_name(e.program);
210 return error;
211 }
212
213 /**
214 * tomoyo_write_transition_control - Write "struct tomoyo_transition_control" list.
215 *
216 * @data: String to parse.
217 * @is_delete: True if it is a delete request.
218 * @type: Type of this entry.
219 *
220 * Returns 0 on success, negative value otherwise.
221 */
222 int tomoyo_write_transition_control(char *data, const bool is_delete,
223 const u8 type)
224 {
225 char *domainname = strstr(data, " from ");
226 if (domainname) {
227 *domainname = '\0';
228 domainname += 6;
229 } else if (type == TOMOYO_TRANSITION_CONTROL_NO_KEEP ||
230 type == TOMOYO_TRANSITION_CONTROL_KEEP) {
231 domainname = data;
232 data = NULL;
233 }
234 return tomoyo_update_transition_control_entry(domainname, data, type,
235 is_delete);
236 }
237
238 /**
239 * tomoyo_transition_type - Get domain transition type.
240 *
241 * @domainname: The name of domain.
242 * @program: The name of program.
243 *
244 * Returns TOMOYO_TRANSITION_CONTROL_INITIALIZE if executing @program
245 * reinitializes domain transition, TOMOYO_TRANSITION_CONTROL_KEEP if executing
246 * @program suppresses domain transition, others otherwise.
247 *
248 * Caller holds tomoyo_read_lock().
249 */
250 static u8 tomoyo_transition_type(const struct tomoyo_path_info *domainname,
251 const struct tomoyo_path_info *program)
252 {
253 const struct tomoyo_transition_control *ptr;
254 const char *last_name = tomoyo_last_word(domainname->name);
255 u8 type;
256 for (type = 0; type < TOMOYO_MAX_TRANSITION_TYPE; type++) {
257 next:
258 list_for_each_entry_rcu(ptr, &tomoyo_policy_list
259 [TOMOYO_ID_TRANSITION_CONTROL],
260 head.list) {
261 if (ptr->head.is_deleted || ptr->type != type)
262 continue;
263 if (ptr->domainname) {
264 if (!ptr->is_last_name) {
265 if (ptr->domainname != domainname)
266 continue;
267 } else {
268 /*
269 * Use direct strcmp() since this is
270 * unlikely used.
271 */
272 if (strcmp(ptr->domainname->name,
273 last_name))
274 continue;
275 }
276 }
277 if (ptr->program &&
278 tomoyo_pathcmp(ptr->program, program))
279 continue;
280 if (type == TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE) {
281 /*
282 * Do not check for initialize_domain if
283 * no_initialize_domain matched.
284 */
285 type = TOMOYO_TRANSITION_CONTROL_NO_KEEP;
286 goto next;
287 }
288 goto done;
289 }
290 }
291 done:
292 return type;
293 }
294
295 static bool tomoyo_same_aggregator_entry(const struct tomoyo_acl_head *a,
296 const struct tomoyo_acl_head *b)
297 {
298 const struct tomoyo_aggregator_entry *p1 = container_of(a, typeof(*p1),
299 head);
300 const struct tomoyo_aggregator_entry *p2 = container_of(b, typeof(*p2),
301 head);
302 return p1->original_name == p2->original_name &&
303 p1->aggregated_name == p2->aggregated_name;
304 }
305
306 /**
307 * tomoyo_update_aggregator_entry - Update "struct tomoyo_aggregator_entry" list.
308 *
309 * @original_name: The original program's name.
310 * @aggregated_name: The program name to use.
311 * @is_delete: True if it is a delete request.
312 *
313 * Returns 0 on success, negative value otherwise.
314 *
315 * Caller holds tomoyo_read_lock().
316 */
317 static int tomoyo_update_aggregator_entry(const char *original_name,
318 const char *aggregated_name,
319 const bool is_delete)
320 {
321 struct tomoyo_aggregator_entry e = { };
322 int error = is_delete ? -ENOENT : -ENOMEM;
323
324 if (!tomoyo_correct_path(original_name) ||
325 !tomoyo_correct_path(aggregated_name))
326 return -EINVAL;
327 e.original_name = tomoyo_get_name(original_name);
328 e.aggregated_name = tomoyo_get_name(aggregated_name);
329 if (!e.original_name || !e.aggregated_name ||
330 e.aggregated_name->is_patterned) /* No patterns allowed. */
331 goto out;
332 error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
333 &tomoyo_policy_list[TOMOYO_ID_AGGREGATOR],
334 tomoyo_same_aggregator_entry);
335 out:
336 tomoyo_put_name(e.original_name);
337 tomoyo_put_name(e.aggregated_name);
338 return error;
339 }
340
341 /**
342 * tomoyo_write_aggregator_policy - Write "struct tomoyo_aggregator_entry" list.
343 *
344 * @data: String to parse.
345 * @is_delete: True if it is a delete request.
346 *
347 * Returns 0 on success, negative value otherwise.
348 *
349 * Caller holds tomoyo_read_lock().
350 */
351 int tomoyo_write_aggregator_policy(char *data, const bool is_delete)
352 {
353 char *cp = strchr(data, ' ');
354
355 if (!cp)
356 return -EINVAL;
357 *cp++ = '\0';
358 return tomoyo_update_aggregator_entry(data, cp, is_delete);
359 }
360
361 /**
362 * tomoyo_find_or_assign_new_domain - Create a domain.
363 *
364 * @domainname: The name of domain.
365 * @profile: Profile number to assign if the domain was newly created.
366 *
367 * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
368 *
369 * Caller holds tomoyo_read_lock().
370 */
371 struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
372 domainname,
373 const u8 profile)
374 {
375 struct tomoyo_domain_info *entry;
376 struct tomoyo_domain_info *domain = NULL;
377 const struct tomoyo_path_info *saved_domainname;
378 bool found = false;
379
380 if (!tomoyo_correct_domain(domainname))
381 return NULL;
382 saved_domainname = tomoyo_get_name(domainname);
383 if (!saved_domainname)
384 return NULL;
385 entry = kzalloc(sizeof(*entry), GFP_NOFS);
386 if (mutex_lock_interruptible(&tomoyo_policy_lock))
387 goto out;
388 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
389 if (domain->is_deleted ||
390 tomoyo_pathcmp(saved_domainname, domain->domainname))
391 continue;
392 found = true;
393 break;
394 }
395 if (!found && tomoyo_memory_ok(entry)) {
396 INIT_LIST_HEAD(&entry->acl_info_list);
397 entry->domainname = saved_domainname;
398 saved_domainname = NULL;
399 entry->profile = profile;
400 list_add_tail_rcu(&entry->list, &tomoyo_domain_list);
401 domain = entry;
402 entry = NULL;
403 found = true;
404 }
405 mutex_unlock(&tomoyo_policy_lock);
406 out:
407 tomoyo_put_name(saved_domainname);
408 kfree(entry);
409 return found ? domain : NULL;
410 }
411
412 /**
413 * tomoyo_find_next_domain - Find a domain.
414 *
415 * @bprm: Pointer to "struct linux_binprm".
416 *
417 * Returns 0 on success, negative value otherwise.
418 *
419 * Caller holds tomoyo_read_lock().
420 */
421 int tomoyo_find_next_domain(struct linux_binprm *bprm)
422 {
423 struct tomoyo_request_info r;
424 char *tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS);
425 struct tomoyo_domain_info *old_domain = tomoyo_domain();
426 struct tomoyo_domain_info *domain = NULL;
427 const char *original_name = bprm->filename;
428 u8 mode;
429 bool is_enforce;
430 int retval = -ENOMEM;
431 bool need_kfree = false;
432 struct tomoyo_path_info rn = { }; /* real name */
433 struct tomoyo_path_info ln; /* last name */
434
435 ln.name = tomoyo_get_last_name(old_domain);
436 tomoyo_fill_path_info(&ln);
437 mode = tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_EXECUTE);
438 is_enforce = (mode == TOMOYO_CONFIG_ENFORCING);
439 if (!tmp)
440 goto out;
441
442 retry:
443 if (need_kfree) {
444 kfree(rn.name);
445 need_kfree = false;
446 }
447 /* Get symlink's pathname of program. */
448 retval = -ENOENT;
449 rn.name = tomoyo_realpath_nofollow(original_name);
450 if (!rn.name)
451 goto out;
452 tomoyo_fill_path_info(&rn);
453 need_kfree = true;
454
455 /* Check 'aggregator' directive. */
456 {
457 struct tomoyo_aggregator_entry *ptr;
458 list_for_each_entry_rcu(ptr, &tomoyo_policy_list
459 [TOMOYO_ID_AGGREGATOR], head.list) {
460 if (ptr->head.is_deleted ||
461 !tomoyo_path_matches_pattern(&rn,
462 ptr->original_name))
463 continue;
464 kfree(rn.name);
465 need_kfree = false;
466 /* This is OK because it is read only. */
467 rn = *ptr->aggregated_name;
468 break;
469 }
470 }
471
472 /* Check execute permission. */
473 retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
474 if (retval == TOMOYO_RETRY_REQUEST)
475 goto retry;
476 if (retval < 0)
477 goto out;
478
479 /* Calculate domain to transit to. */
480 switch (tomoyo_transition_type(old_domain->domainname, &rn)) {
481 case TOMOYO_TRANSITION_CONTROL_INITIALIZE:
482 /* Transit to the child of tomoyo_kernel_domain domain. */
483 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, TOMOYO_ROOT_NAME " "
484 "%s", rn.name);
485 break;
486 case TOMOYO_TRANSITION_CONTROL_KEEP:
487 /* Keep current domain. */
488 domain = old_domain;
489 break;
490 default:
491 if (old_domain == &tomoyo_kernel_domain &&
492 !tomoyo_policy_loaded) {
493 /*
494 * Needn't to transit from kernel domain before
495 * starting /sbin/init. But transit from kernel domain
496 * if executing initializers because they might start
497 * before /sbin/init.
498 */
499 domain = old_domain;
500 } else {
501 /* Normal domain transition. */
502 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s",
503 old_domain->domainname->name, rn.name);
504 }
505 break;
506 }
507 if (domain || strlen(tmp) >= TOMOYO_EXEC_TMPSIZE - 10)
508 goto done;
509 domain = tomoyo_find_domain(tmp);
510 if (domain)
511 goto done;
512 if (is_enforce) {
513 int error = tomoyo_supervisor(&r, "# wants to create domain\n"
514 "%s\n", tmp);
515 if (error == TOMOYO_RETRY_REQUEST)
516 goto retry;
517 if (error < 0)
518 goto done;
519 }
520 domain = tomoyo_find_or_assign_new_domain(tmp, old_domain->profile);
521 done:
522 if (domain)
523 goto out;
524 printk(KERN_WARNING "TOMOYO-ERROR: Domain '%s' not defined.\n", tmp);
525 if (is_enforce)
526 retval = -EPERM;
527 else
528 old_domain->transition_failed = true;
529 out:
530 if (!domain)
531 domain = old_domain;
532 /* Update reference count on "struct tomoyo_domain_info". */
533 atomic_inc(&domain->users);
534 bprm->cred->security = domain;
535 if (need_kfree)
536 kfree(rn.name);
537 kfree(tmp);
538 return retval;
539 }
Linux kernel - Deliverables
This page took 0.041733 seconds and 6 git commands to generate.