2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
14 /* Keyword array for single path operations. */
15 static const char *tomoyo_sp_keyword
[TOMOYO_MAX_SINGLE_PATH_OPERATION
] = {
16 [TOMOYO_TYPE_READ_WRITE_ACL
] = "read/write",
17 [TOMOYO_TYPE_EXECUTE_ACL
] = "execute",
18 [TOMOYO_TYPE_READ_ACL
] = "read",
19 [TOMOYO_TYPE_WRITE_ACL
] = "write",
20 [TOMOYO_TYPE_CREATE_ACL
] = "create",
21 [TOMOYO_TYPE_UNLINK_ACL
] = "unlink",
22 [TOMOYO_TYPE_MKDIR_ACL
] = "mkdir",
23 [TOMOYO_TYPE_RMDIR_ACL
] = "rmdir",
24 [TOMOYO_TYPE_MKFIFO_ACL
] = "mkfifo",
25 [TOMOYO_TYPE_MKSOCK_ACL
] = "mksock",
26 [TOMOYO_TYPE_MKBLOCK_ACL
] = "mkblock",
27 [TOMOYO_TYPE_MKCHAR_ACL
] = "mkchar",
28 [TOMOYO_TYPE_TRUNCATE_ACL
] = "truncate",
29 [TOMOYO_TYPE_SYMLINK_ACL
] = "symlink",
30 [TOMOYO_TYPE_REWRITE_ACL
] = "rewrite",
31 [TOMOYO_TYPE_IOCTL_ACL
] = "ioctl",
32 [TOMOYO_TYPE_CHMOD_ACL
] = "chmod",
33 [TOMOYO_TYPE_CHOWN_ACL
] = "chown",
34 [TOMOYO_TYPE_CHGRP_ACL
] = "chgrp",
35 [TOMOYO_TYPE_CHROOT_ACL
] = "chroot",
36 [TOMOYO_TYPE_MOUNT_ACL
] = "mount",
37 [TOMOYO_TYPE_UMOUNT_ACL
] = "unmount",
40 /* Keyword array for double path operations. */
41 static const char *tomoyo_dp_keyword
[TOMOYO_MAX_DOUBLE_PATH_OPERATION
] = {
42 [TOMOYO_TYPE_LINK_ACL
] = "link",
43 [TOMOYO_TYPE_RENAME_ACL
] = "rename",
44 [TOMOYO_TYPE_PIVOT_ROOT_ACL
] = "pivot_root",
48 * tomoyo_sp2keyword - Get the name of single path operation.
50 * @operation: Type of operation.
52 * Returns the name of single path operation.
54 const char *tomoyo_sp2keyword(const u8 operation
)
56 return (operation
< TOMOYO_MAX_SINGLE_PATH_OPERATION
)
57 ? tomoyo_sp_keyword
[operation
] : NULL
;
61 * tomoyo_dp2keyword - Get the name of double path operation.
63 * @operation: Type of operation.
65 * Returns the name of double path operation.
67 const char *tomoyo_dp2keyword(const u8 operation
)
69 return (operation
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
)
70 ? tomoyo_dp_keyword
[operation
] : NULL
;
74 * tomoyo_strendswith - Check whether the token ends with the given token.
76 * @name: The token to check.
77 * @tail: The token to find.
79 * Returns true if @name ends with @tail, false otherwise.
81 static bool tomoyo_strendswith(const char *name
, const char *tail
)
87 len
= strlen(name
) - strlen(tail
);
88 return len
>= 0 && !strcmp(name
+ len
, tail
);
92 * tomoyo_get_path - Get realpath.
94 * @path: Pointer to "struct path".
96 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
98 static struct tomoyo_path_info
*tomoyo_get_path(struct path
*path
)
101 struct tomoyo_path_info_with_data
*buf
= kzalloc(sizeof(*buf
),
106 /* Reserve one byte for appending "/". */
107 error
= tomoyo_realpath_from_path2(path
, buf
->body
,
108 sizeof(buf
->body
) - 2);
110 buf
->head
.name
= buf
->body
;
111 tomoyo_fill_path_info(&buf
->head
);
118 static int tomoyo_update_double_path_acl(const u8 type
, const char *filename1
,
119 const char *filename2
,
120 struct tomoyo_domain_info
*
121 const domain
, const bool is_delete
);
122 static int tomoyo_update_single_path_acl(const u8 type
, const char *filename
,
123 struct tomoyo_domain_info
*
124 const domain
, const bool is_delete
);
127 * tomoyo_globally_readable_list is used for holding list of pathnames which
128 * are by default allowed to be open()ed for reading by any process.
130 * An entry is added by
132 * # echo 'allow_read /lib/libc-2.5.so' > \
133 * /sys/kernel/security/tomoyo/exception_policy
137 * # echo 'delete allow_read /lib/libc-2.5.so' > \
138 * /sys/kernel/security/tomoyo/exception_policy
140 * and all entries are retrieved by
142 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
144 * In the example above, any process is allowed to
145 * open("/lib/libc-2.5.so", O_RDONLY).
146 * One exception is, if the domain which current process belongs to is marked
147 * as "ignore_global_allow_read", current process can't do so unless explicitly
148 * given "allow_read /lib/libc-2.5.so" to the domain which current process
151 LIST_HEAD(tomoyo_globally_readable_list
);
154 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
156 * @filename: Filename unconditionally permitted to open() for reading.
157 * @is_delete: True if it is a delete request.
159 * Returns 0 on success, negative value otherwise.
161 * Caller holds tomoyo_read_lock().
163 static int tomoyo_update_globally_readable_entry(const char *filename
,
164 const bool is_delete
)
166 struct tomoyo_globally_readable_file_entry
*entry
= NULL
;
167 struct tomoyo_globally_readable_file_entry
*ptr
;
168 const struct tomoyo_path_info
*saved_filename
;
169 int error
= is_delete
? -ENOENT
: -ENOMEM
;
171 if (!tomoyo_is_correct_path(filename
, 1, 0, -1, __func__
))
173 saved_filename
= tomoyo_get_name(filename
);
177 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
178 mutex_lock(&tomoyo_policy_lock
);
179 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
180 if (ptr
->filename
!= saved_filename
)
182 ptr
->is_deleted
= is_delete
;
186 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
187 entry
->filename
= saved_filename
;
188 saved_filename
= NULL
;
189 list_add_tail_rcu(&entry
->list
, &tomoyo_globally_readable_list
);
193 mutex_unlock(&tomoyo_policy_lock
);
194 tomoyo_put_name(saved_filename
);
200 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
202 * @filename: The filename to check.
204 * Returns true if any domain can open @filename for reading, false otherwise.
206 * Caller holds tomoyo_read_lock().
208 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info
*
211 struct tomoyo_globally_readable_file_entry
*ptr
;
214 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
215 if (!ptr
->is_deleted
&&
216 tomoyo_path_matches_pattern(filename
, ptr
->filename
)) {
225 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
227 * @data: String to parse.
228 * @is_delete: True if it is a delete request.
230 * Returns 0 on success, negative value otherwise.
232 * Caller holds tomoyo_read_lock().
234 int tomoyo_write_globally_readable_policy(char *data
, const bool is_delete
)
236 return tomoyo_update_globally_readable_entry(data
, is_delete
);
240 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
242 * @head: Pointer to "struct tomoyo_io_buffer".
244 * Returns true on success, false otherwise.
246 * Caller holds tomoyo_read_lock().
248 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer
*head
)
250 struct list_head
*pos
;
253 list_for_each_cookie(pos
, head
->read_var2
,
254 &tomoyo_globally_readable_list
) {
255 struct tomoyo_globally_readable_file_entry
*ptr
;
256 ptr
= list_entry(pos
,
257 struct tomoyo_globally_readable_file_entry
,
261 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_ALLOW_READ
"%s\n",
262 ptr
->filename
->name
);
269 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
270 * converting pathnames to pathname patterns during learning mode.
272 * An entry is added by
274 * # echo 'file_pattern /proc/\$/mounts' > \
275 * /sys/kernel/security/tomoyo/exception_policy
279 * # echo 'delete file_pattern /proc/\$/mounts' > \
280 * /sys/kernel/security/tomoyo/exception_policy
282 * and all entries are retrieved by
284 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
286 * In the example above, if a process which belongs to a domain which is in
287 * learning mode requested open("/proc/1/mounts", O_RDONLY),
288 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
289 * process belongs to.
291 * It is not a desirable behavior that we have to use /proc/\$/ instead of
292 * /proc/self/ when current process needs to access only current process's
293 * information. As of now, LSM version of TOMOYO is using __d_path() for
294 * calculating pathname. Non LSM version of TOMOYO is using its own function
295 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
296 * current process from accessing other process's information.
298 LIST_HEAD(tomoyo_pattern_list
);
301 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
303 * @pattern: Pathname pattern.
304 * @is_delete: True if it is a delete request.
306 * Returns 0 on success, negative value otherwise.
308 * Caller holds tomoyo_read_lock().
310 static int tomoyo_update_file_pattern_entry(const char *pattern
,
311 const bool is_delete
)
313 struct tomoyo_pattern_entry
*entry
= NULL
;
314 struct tomoyo_pattern_entry
*ptr
;
315 const struct tomoyo_path_info
*saved_pattern
;
316 int error
= is_delete
? -ENOENT
: -ENOMEM
;
318 saved_pattern
= tomoyo_get_name(pattern
);
321 if (!saved_pattern
->is_patterned
)
324 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
325 mutex_lock(&tomoyo_policy_lock
);
326 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
327 if (saved_pattern
!= ptr
->pattern
)
329 ptr
->is_deleted
= is_delete
;
333 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
334 entry
->pattern
= saved_pattern
;
335 saved_pattern
= NULL
;
336 list_add_tail_rcu(&entry
->list
, &tomoyo_pattern_list
);
340 mutex_unlock(&tomoyo_policy_lock
);
343 tomoyo_put_name(saved_pattern
);
348 * tomoyo_get_file_pattern - Get patterned pathname.
350 * @filename: The filename to find patterned pathname.
352 * Returns pointer to pathname pattern if matched, @filename otherwise.
354 * Caller holds tomoyo_read_lock().
356 static const struct tomoyo_path_info
*
357 tomoyo_get_file_pattern(const struct tomoyo_path_info
*filename
)
359 struct tomoyo_pattern_entry
*ptr
;
360 const struct tomoyo_path_info
*pattern
= NULL
;
362 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
365 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
367 pattern
= ptr
->pattern
;
368 if (tomoyo_strendswith(pattern
->name
, "/\\*")) {
369 /* Do nothing. Try to find the better match. */
371 /* This would be the better match. Use this. */
381 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
383 * @data: String to parse.
384 * @is_delete: True if it is a delete request.
386 * Returns 0 on success, negative value otherwise.
388 * Caller holds tomoyo_read_lock().
390 int tomoyo_write_pattern_policy(char *data
, const bool is_delete
)
392 return tomoyo_update_file_pattern_entry(data
, is_delete
);
396 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
398 * @head: Pointer to "struct tomoyo_io_buffer".
400 * Returns true on success, false otherwise.
402 * Caller holds tomoyo_read_lock().
404 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer
*head
)
406 struct list_head
*pos
;
409 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_pattern_list
) {
410 struct tomoyo_pattern_entry
*ptr
;
411 ptr
= list_entry(pos
, struct tomoyo_pattern_entry
, list
);
414 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_FILE_PATTERN
415 "%s\n", ptr
->pattern
->name
);
423 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
424 * default forbidden to modify already written content of a file.
426 * An entry is added by
428 * # echo 'deny_rewrite /var/log/messages' > \
429 * /sys/kernel/security/tomoyo/exception_policy
433 * # echo 'delete deny_rewrite /var/log/messages' > \
434 * /sys/kernel/security/tomoyo/exception_policy
436 * and all entries are retrieved by
438 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
440 * In the example above, if a process requested to rewrite /var/log/messages ,
441 * the process can't rewrite unless the domain which that process belongs to
442 * has "allow_rewrite /var/log/messages" entry.
444 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
445 * when we want to allow rewriting already unlink()ed file. As of now,
446 * LSM version of TOMOYO is using __d_path() for calculating pathname.
447 * Non LSM version of TOMOYO is using its own function which doesn't append
448 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
449 * need to worry whether the file is already unlink()ed or not.
451 LIST_HEAD(tomoyo_no_rewrite_list
);
454 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
456 * @pattern: Pathname pattern that are not rewritable by default.
457 * @is_delete: True if it is a delete request.
459 * Returns 0 on success, negative value otherwise.
461 * Caller holds tomoyo_read_lock().
463 static int tomoyo_update_no_rewrite_entry(const char *pattern
,
464 const bool is_delete
)
466 struct tomoyo_no_rewrite_entry
*entry
= NULL
;
467 struct tomoyo_no_rewrite_entry
*ptr
;
468 const struct tomoyo_path_info
*saved_pattern
;
469 int error
= is_delete
? -ENOENT
: -ENOMEM
;
471 if (!tomoyo_is_correct_path(pattern
, 0, 0, 0, __func__
))
473 saved_pattern
= tomoyo_get_name(pattern
);
477 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
478 mutex_lock(&tomoyo_policy_lock
);
479 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
480 if (ptr
->pattern
!= saved_pattern
)
482 ptr
->is_deleted
= is_delete
;
486 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
487 entry
->pattern
= saved_pattern
;
488 saved_pattern
= NULL
;
489 list_add_tail_rcu(&entry
->list
, &tomoyo_no_rewrite_list
);
493 mutex_unlock(&tomoyo_policy_lock
);
494 tomoyo_put_name(saved_pattern
);
500 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
502 * @filename: Filename to check.
504 * Returns true if @filename is specified by "deny_rewrite" directive,
507 * Caller holds tomoyo_read_lock().
509 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info
*filename
)
511 struct tomoyo_no_rewrite_entry
*ptr
;
514 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
517 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
526 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
528 * @data: String to parse.
529 * @is_delete: True if it is a delete request.
531 * Returns 0 on success, negative value otherwise.
533 * Caller holds tomoyo_read_lock().
535 int tomoyo_write_no_rewrite_policy(char *data
, const bool is_delete
)
537 return tomoyo_update_no_rewrite_entry(data
, is_delete
);
541 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
543 * @head: Pointer to "struct tomoyo_io_buffer".
545 * Returns true on success, false otherwise.
547 * Caller holds tomoyo_read_lock().
549 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer
*head
)
551 struct list_head
*pos
;
554 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_no_rewrite_list
) {
555 struct tomoyo_no_rewrite_entry
*ptr
;
556 ptr
= list_entry(pos
, struct tomoyo_no_rewrite_entry
, list
);
559 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_DENY_REWRITE
560 "%s\n", ptr
->pattern
->name
);
568 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
570 * @filename: Filename.
571 * @perm: Permission (between 1 to 7).
572 * @domain: Pointer to "struct tomoyo_domain_info".
573 * @is_delete: True if it is a delete request.
575 * Returns 0 on success, negative value otherwise.
577 * This is legacy support interface for older policy syntax.
578 * Current policy syntax uses "allow_read/write" instead of "6",
579 * "allow_read" instead of "4", "allow_write" instead of "2",
580 * "allow_execute" instead of "1".
582 * Caller holds tomoyo_read_lock().
584 static int tomoyo_update_file_acl(const char *filename
, u8 perm
,
585 struct tomoyo_domain_info
* const domain
,
586 const bool is_delete
)
588 if (perm
> 7 || !perm
) {
589 printk(KERN_DEBUG
"%s: Invalid permission '%d %s'\n",
590 __func__
, perm
, filename
);
593 if (filename
[0] != '@' && tomoyo_strendswith(filename
, "/"))
595 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
596 * directory permissions.
600 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL
, filename
,
603 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL
, filename
,
606 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL
,
607 filename
, domain
, is_delete
);
612 * tomoyo_check_single_path_acl2 - Check permission for single path operation.
614 * @domain: Pointer to "struct tomoyo_domain_info".
615 * @filename: Filename to check.
617 * @may_use_pattern: True if patterned ACL is permitted.
619 * Returns 0 on success, -EPERM otherwise.
621 * Caller holds tomoyo_read_lock().
623 static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info
*
625 const struct tomoyo_path_info
*
628 const bool may_use_pattern
)
630 struct tomoyo_acl_info
*ptr
;
633 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
634 struct tomoyo_single_path_acl_record
*acl
;
635 if (ptr
->type
!= TOMOYO_TYPE_SINGLE_PATH_ACL
)
637 acl
= container_of(ptr
, struct tomoyo_single_path_acl_record
,
639 if (perm
<= 0xFFFF) {
640 if (!(acl
->perm
& perm
))
643 if (!(acl
->perm_high
& (perm
>> 16)))
646 if (may_use_pattern
|| !acl
->filename
->is_patterned
) {
647 if (!tomoyo_path_matches_pattern(filename
,
660 * tomoyo_check_file_acl - Check permission for opening files.
662 * @domain: Pointer to "struct tomoyo_domain_info".
663 * @filename: Filename to check.
664 * @operation: Mode ("read" or "write" or "read/write" or "execute").
666 * Returns 0 on success, -EPERM otherwise.
668 * Caller holds tomoyo_read_lock().
670 static int tomoyo_check_file_acl(const struct tomoyo_domain_info
*domain
,
671 const struct tomoyo_path_info
*filename
,
676 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
679 perm
= 1 << TOMOYO_TYPE_READ_WRITE_ACL
;
680 else if (operation
== 4)
681 perm
= 1 << TOMOYO_TYPE_READ_ACL
;
682 else if (operation
== 2)
683 perm
= 1 << TOMOYO_TYPE_WRITE_ACL
;
684 else if (operation
== 1)
685 perm
= 1 << TOMOYO_TYPE_EXECUTE_ACL
;
688 return tomoyo_check_single_path_acl2(domain
, filename
, perm
,
693 * tomoyo_check_file_perm2 - Check permission for opening files.
695 * @domain: Pointer to "struct tomoyo_domain_info".
696 * @filename: Filename to check.
697 * @perm: Mode ("read" or "write" or "read/write" or "execute").
698 * @operation: Operation name passed used for verbose mode.
699 * @mode: Access control mode.
701 * Returns 0 on success, negative value otherwise.
703 * Caller holds tomoyo_read_lock().
705 static int tomoyo_check_file_perm2(struct tomoyo_domain_info
* const domain
,
706 const struct tomoyo_path_info
*filename
,
707 const u8 perm
, const char *operation
,
710 const bool is_enforce
= (mode
== 3);
711 const char *msg
= "<unknown>";
716 error
= tomoyo_check_file_acl(domain
, filename
, perm
);
717 if (error
&& perm
== 4 && !domain
->ignore_global_allow_read
718 && tomoyo_is_globally_readable_file(filename
))
721 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL
);
723 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL
);
725 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL
);
727 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL
);
732 if (tomoyo_verbose_mode(domain
))
733 printk(KERN_WARNING
"TOMOYO-%s: Access '%s(%s) %s' denied "
734 "for %s\n", tomoyo_get_msg(is_enforce
), msg
, operation
,
735 filename
->name
, tomoyo_get_last_name(domain
));
738 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
739 /* Don't use patterns for execute permission. */
740 const struct tomoyo_path_info
*patterned_file
= (perm
!= 1) ?
741 tomoyo_get_file_pattern(filename
) : filename
;
742 tomoyo_update_file_acl(patterned_file
->name
, perm
,
749 * tomoyo_write_file_policy - Update file related list.
751 * @data: String to parse.
752 * @domain: Pointer to "struct tomoyo_domain_info".
753 * @is_delete: True if it is a delete request.
755 * Returns 0 on success, negative value otherwise.
757 * Caller holds tomoyo_read_lock().
759 int tomoyo_write_file_policy(char *data
, struct tomoyo_domain_info
*domain
,
760 const bool is_delete
)
762 char *filename
= strchr(data
, ' ');
770 if (sscanf(data
, "%u", &perm
) == 1)
771 return tomoyo_update_file_acl(filename
, (u8
) perm
, domain
,
773 if (strncmp(data
, "allow_", 6))
776 for (type
= 0; type
< TOMOYO_MAX_SINGLE_PATH_OPERATION
; type
++) {
777 if (strcmp(data
, tomoyo_sp_keyword
[type
]))
779 return tomoyo_update_single_path_acl(type
, filename
,
782 filename2
= strchr(filename
, ' ');
786 for (type
= 0; type
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
; type
++) {
787 if (strcmp(data
, tomoyo_dp_keyword
[type
]))
789 return tomoyo_update_double_path_acl(type
, filename
, filename2
,
797 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
799 * @type: Type of operation.
800 * @filename: Filename.
801 * @domain: Pointer to "struct tomoyo_domain_info".
802 * @is_delete: True if it is a delete request.
804 * Returns 0 on success, negative value otherwise.
806 * Caller holds tomoyo_read_lock().
808 static int tomoyo_update_single_path_acl(const u8 type
, const char *filename
,
809 struct tomoyo_domain_info
*
810 const domain
, const bool is_delete
)
812 static const u32 rw_mask
=
813 (1 << TOMOYO_TYPE_READ_ACL
) | (1 << TOMOYO_TYPE_WRITE_ACL
);
814 const struct tomoyo_path_info
*saved_filename
;
815 struct tomoyo_acl_info
*ptr
;
816 struct tomoyo_single_path_acl_record
*entry
= NULL
;
817 int error
= is_delete
? -ENOENT
: -ENOMEM
;
818 const u32 perm
= 1 << type
;
822 if (!tomoyo_is_correct_path(filename
, 0, 0, 0, __func__
))
824 saved_filename
= tomoyo_get_name(filename
);
828 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
829 mutex_lock(&tomoyo_policy_lock
);
830 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
831 struct tomoyo_single_path_acl_record
*acl
=
832 container_of(ptr
, struct tomoyo_single_path_acl_record
,
834 if (ptr
->type
!= TOMOYO_TYPE_SINGLE_PATH_ACL
)
836 if (acl
->filename
!= saved_filename
)
842 acl
->perm_high
&= ~(perm
>> 16);
843 if ((acl
->perm
& rw_mask
) != rw_mask
)
844 acl
->perm
&= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL
);
845 else if (!(acl
->perm
&
846 (1 << TOMOYO_TYPE_READ_WRITE_ACL
)))
847 acl
->perm
&= ~rw_mask
;
852 acl
->perm_high
|= (perm
>> 16);
853 if ((acl
->perm
& rw_mask
) == rw_mask
)
854 acl
->perm
|= 1 << TOMOYO_TYPE_READ_WRITE_ACL
;
855 else if (acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE_ACL
))
856 acl
->perm
|= rw_mask
;
861 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
862 entry
->head
.type
= TOMOYO_TYPE_SINGLE_PATH_ACL
;
866 entry
->perm_high
= (perm
>> 16);
867 if (perm
== (1 << TOMOYO_TYPE_READ_WRITE_ACL
))
868 entry
->perm
|= rw_mask
;
869 entry
->filename
= saved_filename
;
870 saved_filename
= NULL
;
871 list_add_tail_rcu(&entry
->head
.list
, &domain
->acl_info_list
);
875 mutex_unlock(&tomoyo_policy_lock
);
877 tomoyo_put_name(saved_filename
);
882 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
884 * @type: Type of operation.
885 * @filename1: First filename.
886 * @filename2: Second filename.
887 * @domain: Pointer to "struct tomoyo_domain_info".
888 * @is_delete: True if it is a delete request.
890 * Returns 0 on success, negative value otherwise.
892 * Caller holds tomoyo_read_lock().
894 static int tomoyo_update_double_path_acl(const u8 type
, const char *filename1
,
895 const char *filename2
,
896 struct tomoyo_domain_info
*
897 const domain
, const bool is_delete
)
899 const struct tomoyo_path_info
*saved_filename1
;
900 const struct tomoyo_path_info
*saved_filename2
;
901 struct tomoyo_acl_info
*ptr
;
902 struct tomoyo_double_path_acl_record
*entry
= NULL
;
903 int error
= is_delete
? -ENOENT
: -ENOMEM
;
904 const u8 perm
= 1 << type
;
908 if (!tomoyo_is_correct_path(filename1
, 0, 0, 0, __func__
) ||
909 !tomoyo_is_correct_path(filename2
, 0, 0, 0, __func__
))
911 saved_filename1
= tomoyo_get_name(filename1
);
912 saved_filename2
= tomoyo_get_name(filename2
);
913 if (!saved_filename1
|| !saved_filename2
)
916 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
917 mutex_lock(&tomoyo_policy_lock
);
918 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
919 struct tomoyo_double_path_acl_record
*acl
=
920 container_of(ptr
, struct tomoyo_double_path_acl_record
,
922 if (ptr
->type
!= TOMOYO_TYPE_DOUBLE_PATH_ACL
)
924 if (acl
->filename1
!= saved_filename1
||
925 acl
->filename2
!= saved_filename2
)
934 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
935 entry
->head
.type
= TOMOYO_TYPE_DOUBLE_PATH_ACL
;
937 entry
->filename1
= saved_filename1
;
938 saved_filename1
= NULL
;
939 entry
->filename2
= saved_filename2
;
940 saved_filename2
= NULL
;
941 list_add_tail_rcu(&entry
->head
.list
, &domain
->acl_info_list
);
945 mutex_unlock(&tomoyo_policy_lock
);
947 tomoyo_put_name(saved_filename1
);
948 tomoyo_put_name(saved_filename2
);
954 * tomoyo_check_single_path_acl - Check permission for single path operation.
956 * @domain: Pointer to "struct tomoyo_domain_info".
957 * @type: Type of operation.
958 * @filename: Filename to check.
960 * Returns 0 on success, negative value otherwise.
962 * Caller holds tomoyo_read_lock().
964 static int tomoyo_check_single_path_acl(struct tomoyo_domain_info
*domain
,
966 const struct tomoyo_path_info
*filename
)
968 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
970 return tomoyo_check_single_path_acl2(domain
, filename
, 1 << type
, 1);
974 * tomoyo_check_double_path_acl - Check permission for double path operation.
976 * @domain: Pointer to "struct tomoyo_domain_info".
977 * @type: Type of operation.
978 * @filename1: First filename to check.
979 * @filename2: Second filename to check.
981 * Returns 0 on success, -EPERM otherwise.
983 * Caller holds tomoyo_read_lock().
985 static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info
*domain
,
987 const struct tomoyo_path_info
*
989 const struct tomoyo_path_info
*
992 struct tomoyo_acl_info
*ptr
;
993 const u8 perm
= 1 << type
;
996 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
998 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
999 struct tomoyo_double_path_acl_record
*acl
;
1000 if (ptr
->type
!= TOMOYO_TYPE_DOUBLE_PATH_ACL
)
1002 acl
= container_of(ptr
, struct tomoyo_double_path_acl_record
,
1004 if (!(acl
->perm
& perm
))
1006 if (!tomoyo_path_matches_pattern(filename1
, acl
->filename1
))
1008 if (!tomoyo_path_matches_pattern(filename2
, acl
->filename2
))
1017 * tomoyo_check_single_path_permission2 - Check permission for single path operation.
1019 * @domain: Pointer to "struct tomoyo_domain_info".
1020 * @operation: Type of operation.
1021 * @filename: Filename to check.
1022 * @mode: Access control mode.
1024 * Returns 0 on success, negative value otherwise.
1026 * Caller holds tomoyo_read_lock().
1028 static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info
*
1029 const domain
, u8 operation
,
1030 const struct tomoyo_path_info
*
1031 filename
, const u8 mode
)
1035 const bool is_enforce
= (mode
== 3);
1040 error
= tomoyo_check_single_path_acl(domain
, operation
, filename
);
1041 msg
= tomoyo_sp2keyword(operation
);
1044 if (tomoyo_verbose_mode(domain
))
1045 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s' denied for %s\n",
1046 tomoyo_get_msg(is_enforce
), msg
, filename
->name
,
1047 tomoyo_get_last_name(domain
));
1048 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1049 const char *name
= tomoyo_get_file_pattern(filename
)->name
;
1050 tomoyo_update_single_path_acl(operation
, name
, domain
, false);
1056 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1057 * we need to check "allow_rewrite" permission if the filename is
1058 * specified by "deny_rewrite" keyword.
1060 if (!error
&& operation
== TOMOYO_TYPE_TRUNCATE_ACL
&&
1061 tomoyo_is_no_rewrite_file(filename
)) {
1062 operation
= TOMOYO_TYPE_REWRITE_ACL
;
1069 * tomoyo_check_exec_perm - Check permission for "execute".
1071 * @domain: Pointer to "struct tomoyo_domain_info".
1072 * @filename: Check permission for "execute".
1074 * Returns 0 on success, negativevalue otherwise.
1076 * Caller holds tomoyo_read_lock().
1078 int tomoyo_check_exec_perm(struct tomoyo_domain_info
*domain
,
1079 const struct tomoyo_path_info
*filename
)
1081 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1085 return tomoyo_check_file_perm2(domain
, filename
, 1, "do_execve", mode
);
1089 * tomoyo_check_open_permission - Check permission for "read" and "write".
1091 * @domain: Pointer to "struct tomoyo_domain_info".
1092 * @path: Pointer to "struct path".
1093 * @flag: Flags for open().
1095 * Returns 0 on success, negative value otherwise.
1097 int tomoyo_check_open_permission(struct tomoyo_domain_info
*domain
,
1098 struct path
*path
, const int flag
)
1100 const u8 acc_mode
= ACC_MODE(flag
);
1101 int error
= -ENOMEM
;
1102 struct tomoyo_path_info
*buf
;
1103 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1104 const bool is_enforce
= (mode
== 3);
1107 if (!mode
|| !path
->mnt
)
1111 if (path
->dentry
->d_inode
&& S_ISDIR(path
->dentry
->d_inode
->i_mode
))
1113 * I don't check directories here because mkdir() and rmdir()
1117 idx
= tomoyo_read_lock();
1118 buf
= tomoyo_get_path(path
);
1123 * If the filename is specified by "deny_rewrite" keyword,
1124 * we need to check "allow_rewrite" permission when the filename is not
1125 * opened for append mode or the filename is truncated at open time.
1127 if ((acc_mode
& MAY_WRITE
) &&
1128 ((flag
& O_TRUNC
) || !(flag
& O_APPEND
)) &&
1129 (tomoyo_is_no_rewrite_file(buf
))) {
1130 error
= tomoyo_check_single_path_permission2(domain
,
1131 TOMOYO_TYPE_REWRITE_ACL
,
1135 error
= tomoyo_check_file_perm2(domain
, buf
, acc_mode
, "open",
1137 if (!error
&& (flag
& O_TRUNC
))
1138 error
= tomoyo_check_single_path_permission2(domain
,
1139 TOMOYO_TYPE_TRUNCATE_ACL
,
1143 tomoyo_read_unlock(idx
);
1150 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1152 * @domain: Pointer to "struct tomoyo_domain_info".
1153 * @operation: Type of operation.
1154 * @path: Pointer to "struct path".
1156 * Returns 0 on success, negative value otherwise.
1158 int tomoyo_check_1path_perm(struct tomoyo_domain_info
*domain
,
1159 const u8 operation
, struct path
*path
)
1161 int error
= -ENOMEM
;
1162 struct tomoyo_path_info
*buf
;
1163 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1164 const bool is_enforce
= (mode
== 3);
1167 if (!mode
|| !path
->mnt
)
1169 idx
= tomoyo_read_lock();
1170 buf
= tomoyo_get_path(path
);
1173 switch (operation
) {
1174 case TOMOYO_TYPE_MKDIR_ACL
:
1175 case TOMOYO_TYPE_RMDIR_ACL
:
1176 case TOMOYO_TYPE_CHROOT_ACL
:
1179 * tomoyo_get_path() reserves space for appending "/."
1181 strcat((char *) buf
->name
, "/");
1182 tomoyo_fill_path_info(buf
);
1185 error
= tomoyo_check_single_path_permission2(domain
, operation
, buf
,
1189 tomoyo_read_unlock(idx
);
1196 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1198 * @domain: Pointer to "struct tomoyo_domain_info".
1199 * @filp: Pointer to "struct file".
1201 * Returns 0 on success, negative value otherwise.
1203 int tomoyo_check_rewrite_permission(struct tomoyo_domain_info
*domain
,
1206 int error
= -ENOMEM
;
1207 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1208 const bool is_enforce
= (mode
== 3);
1209 struct tomoyo_path_info
*buf
;
1212 if (!mode
|| !filp
->f_path
.mnt
)
1215 idx
= tomoyo_read_lock();
1216 buf
= tomoyo_get_path(&filp
->f_path
);
1219 if (!tomoyo_is_no_rewrite_file(buf
)) {
1223 error
= tomoyo_check_single_path_permission2(domain
,
1224 TOMOYO_TYPE_REWRITE_ACL
,
1228 tomoyo_read_unlock(idx
);
1235 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root".
1237 * @domain: Pointer to "struct tomoyo_domain_info".
1238 * @operation: Type of operation.
1239 * @path1: Pointer to "struct path".
1240 * @path2: Pointer to "struct path".
1242 * Returns 0 on success, negative value otherwise.
1244 int tomoyo_check_2path_perm(struct tomoyo_domain_info
* const domain
,
1245 const u8 operation
, struct path
*path1
,
1248 int error
= -ENOMEM
;
1249 struct tomoyo_path_info
*buf1
, *buf2
;
1250 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1251 const bool is_enforce
= (mode
== 3);
1255 if (!mode
|| !path1
->mnt
|| !path2
->mnt
)
1257 idx
= tomoyo_read_lock();
1258 buf1
= tomoyo_get_path(path1
);
1259 buf2
= tomoyo_get_path(path2
);
1263 struct dentry
*dentry
= path1
->dentry
;
1264 if (dentry
->d_inode
&& S_ISDIR(dentry
->d_inode
->i_mode
)) {
1266 * tomoyo_get_path() reserves space for appending "/."
1268 if (!buf1
->is_dir
) {
1269 strcat((char *) buf1
->name
, "/");
1270 tomoyo_fill_path_info(buf1
);
1272 if (!buf2
->is_dir
) {
1273 strcat((char *) buf2
->name
, "/");
1274 tomoyo_fill_path_info(buf2
);
1278 error
= tomoyo_check_double_path_acl(domain
, operation
, buf1
, buf2
);
1279 msg
= tomoyo_dp2keyword(operation
);
1282 if (tomoyo_verbose_mode(domain
))
1283 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s %s' "
1284 "denied for %s\n", tomoyo_get_msg(is_enforce
),
1285 msg
, buf1
->name
, buf2
->name
,
1286 tomoyo_get_last_name(domain
));
1287 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1288 const char *name1
= tomoyo_get_file_pattern(buf1
)->name
;
1289 const char *name2
= tomoyo_get_file_pattern(buf2
)->name
;
1290 tomoyo_update_double_path_acl(operation
, name1
, name2
, domain
,
1296 tomoyo_read_unlock(idx
);