2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
17 * tomoyo_globally_readable_file_entry is a structure which is used for holding
18 * "allow_read" entries.
19 * It has following fields.
21 * (1) "list" which is linked to tomoyo_globally_readable_list .
22 * (2) "filename" is a pathname which is allowed to open(O_RDONLY).
23 * (3) "is_deleted" is a bool which is true if marked as deleted, false
26 struct tomoyo_globally_readable_file_entry
{
27 struct list_head list
;
28 const struct tomoyo_path_info
*filename
;
33 * tomoyo_pattern_entry is a structure which is used for holding
34 * "tomoyo_pattern_list" entries.
35 * It has following fields.
37 * (1) "list" which is linked to tomoyo_pattern_list .
38 * (2) "pattern" is a pathname pattern which is used for converting pathnames
39 * to pathname patterns during learning mode.
40 * (3) "is_deleted" is a bool which is true if marked as deleted, false
43 struct tomoyo_pattern_entry
{
44 struct list_head list
;
45 const struct tomoyo_path_info
*pattern
;
50 * tomoyo_no_rewrite_entry is a structure which is used for holding
51 * "deny_rewrite" entries.
52 * It has following fields.
54 * (1) "list" which is linked to tomoyo_no_rewrite_list .
55 * (2) "pattern" is a pathname which is by default not permitted to modify
56 * already existing content.
57 * (3) "is_deleted" is a bool which is true if marked as deleted, false
60 struct tomoyo_no_rewrite_entry
{
61 struct list_head list
;
62 const struct tomoyo_path_info
*pattern
;
66 /* Keyword array for single path operations. */
67 static const char *tomoyo_sp_keyword
[TOMOYO_MAX_SINGLE_PATH_OPERATION
] = {
68 [TOMOYO_TYPE_READ_WRITE_ACL
] = "read/write",
69 [TOMOYO_TYPE_EXECUTE_ACL
] = "execute",
70 [TOMOYO_TYPE_READ_ACL
] = "read",
71 [TOMOYO_TYPE_WRITE_ACL
] = "write",
72 [TOMOYO_TYPE_CREATE_ACL
] = "create",
73 [TOMOYO_TYPE_UNLINK_ACL
] = "unlink",
74 [TOMOYO_TYPE_MKDIR_ACL
] = "mkdir",
75 [TOMOYO_TYPE_RMDIR_ACL
] = "rmdir",
76 [TOMOYO_TYPE_MKFIFO_ACL
] = "mkfifo",
77 [TOMOYO_TYPE_MKSOCK_ACL
] = "mksock",
78 [TOMOYO_TYPE_MKBLOCK_ACL
] = "mkblock",
79 [TOMOYO_TYPE_MKCHAR_ACL
] = "mkchar",
80 [TOMOYO_TYPE_TRUNCATE_ACL
] = "truncate",
81 [TOMOYO_TYPE_SYMLINK_ACL
] = "symlink",
82 [TOMOYO_TYPE_REWRITE_ACL
] = "rewrite",
85 /* Keyword array for double path operations. */
86 static const char *tomoyo_dp_keyword
[TOMOYO_MAX_DOUBLE_PATH_OPERATION
] = {
87 [TOMOYO_TYPE_LINK_ACL
] = "link",
88 [TOMOYO_TYPE_RENAME_ACL
] = "rename",
92 * tomoyo_sp2keyword - Get the name of single path operation.
94 * @operation: Type of operation.
96 * Returns the name of single path operation.
98 const char *tomoyo_sp2keyword(const u8 operation
)
100 return (operation
< TOMOYO_MAX_SINGLE_PATH_OPERATION
)
101 ? tomoyo_sp_keyword
[operation
] : NULL
;
105 * tomoyo_dp2keyword - Get the name of double path operation.
107 * @operation: Type of operation.
109 * Returns the name of double path operation.
111 const char *tomoyo_dp2keyword(const u8 operation
)
113 return (operation
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
)
114 ? tomoyo_dp_keyword
[operation
] : NULL
;
118 * tomoyo_strendswith - Check whether the token ends with the given token.
120 * @name: The token to check.
121 * @tail: The token to find.
123 * Returns true if @name ends with @tail, false otherwise.
125 static bool tomoyo_strendswith(const char *name
, const char *tail
)
131 len
= strlen(name
) - strlen(tail
);
132 return len
>= 0 && !strcmp(name
+ len
, tail
);
136 * tomoyo_get_path - Get realpath.
138 * @path: Pointer to "struct path".
140 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
142 static struct tomoyo_path_info
*tomoyo_get_path(struct path
*path
)
145 struct tomoyo_path_info_with_data
*buf
= tomoyo_alloc(sizeof(*buf
));
149 /* Reserve one byte for appending "/". */
150 error
= tomoyo_realpath_from_path2(path
, buf
->body
,
151 sizeof(buf
->body
) - 2);
153 buf
->head
.name
= buf
->body
;
154 tomoyo_fill_path_info(&buf
->head
);
161 /* Lock for domain->acl_info_list. */
162 DECLARE_RWSEM(tomoyo_domain_acl_info_list_lock
);
164 static int tomoyo_update_double_path_acl(const u8 type
, const char *filename1
,
165 const char *filename2
,
166 struct tomoyo_domain_info
*
167 const domain
, const bool is_delete
);
168 static int tomoyo_update_single_path_acl(const u8 type
, const char *filename
,
169 struct tomoyo_domain_info
*
170 const domain
, const bool is_delete
);
173 * tomoyo_globally_readable_list is used for holding list of pathnames which
174 * are by default allowed to be open()ed for reading by any process.
176 * An entry is added by
178 * # echo 'allow_read /lib/libc-2.5.so' > \
179 * /sys/kernel/security/tomoyo/exception_policy
183 * # echo 'delete allow_read /lib/libc-2.5.so' > \
184 * /sys/kernel/security/tomoyo/exception_policy
186 * and all entries are retrieved by
188 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
190 * In the example above, any process is allowed to
191 * open("/lib/libc-2.5.so", O_RDONLY).
192 * One exception is, if the domain which current process belongs to is marked
193 * as "ignore_global_allow_read", current process can't do so unless explicitly
194 * given "allow_read /lib/libc-2.5.so" to the domain which current process
197 static LIST_HEAD(tomoyo_globally_readable_list
);
198 static DECLARE_RWSEM(tomoyo_globally_readable_list_lock
);
201 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
203 * @filename: Filename unconditionally permitted to open() for reading.
204 * @is_delete: True if it is a delete request.
206 * Returns 0 on success, negative value otherwise.
208 static int tomoyo_update_globally_readable_entry(const char *filename
,
209 const bool is_delete
)
211 struct tomoyo_globally_readable_file_entry
*new_entry
;
212 struct tomoyo_globally_readable_file_entry
*ptr
;
213 const struct tomoyo_path_info
*saved_filename
;
216 if (!tomoyo_is_correct_path(filename
, 1, 0, -1, __func__
))
218 saved_filename
= tomoyo_save_name(filename
);
221 down_write(&tomoyo_globally_readable_list_lock
);
222 list_for_each_entry(ptr
, &tomoyo_globally_readable_list
, list
) {
223 if (ptr
->filename
!= saved_filename
)
225 ptr
->is_deleted
= is_delete
;
233 new_entry
= tomoyo_alloc_element(sizeof(*new_entry
));
236 new_entry
->filename
= saved_filename
;
237 list_add_tail(&new_entry
->list
, &tomoyo_globally_readable_list
);
240 up_write(&tomoyo_globally_readable_list_lock
);
245 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
247 * @filename: The filename to check.
249 * Returns true if any domain can open @filename for reading, false otherwise.
251 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info
*
254 struct tomoyo_globally_readable_file_entry
*ptr
;
256 down_read(&tomoyo_globally_readable_list_lock
);
257 list_for_each_entry(ptr
, &tomoyo_globally_readable_list
, list
) {
258 if (!ptr
->is_deleted
&&
259 tomoyo_path_matches_pattern(filename
, ptr
->filename
)) {
264 up_read(&tomoyo_globally_readable_list_lock
);
269 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
271 * @data: String to parse.
272 * @is_delete: True if it is a delete request.
274 * Returns 0 on success, negative value otherwise.
276 int tomoyo_write_globally_readable_policy(char *data
, const bool is_delete
)
278 return tomoyo_update_globally_readable_entry(data
, is_delete
);
282 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
284 * @head: Pointer to "struct tomoyo_io_buffer".
286 * Returns true on success, false otherwise.
288 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer
*head
)
290 struct list_head
*pos
;
293 down_read(&tomoyo_globally_readable_list_lock
);
294 list_for_each_cookie(pos
, head
->read_var2
,
295 &tomoyo_globally_readable_list
) {
296 struct tomoyo_globally_readable_file_entry
*ptr
;
297 ptr
= list_entry(pos
,
298 struct tomoyo_globally_readable_file_entry
,
302 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_ALLOW_READ
"%s\n",
303 ptr
->filename
->name
);
307 up_read(&tomoyo_globally_readable_list_lock
);
311 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
312 * converting pathnames to pathname patterns during learning mode.
314 * An entry is added by
316 * # echo 'file_pattern /proc/\$/mounts' > \
317 * /sys/kernel/security/tomoyo/exception_policy
321 * # echo 'delete file_pattern /proc/\$/mounts' > \
322 * /sys/kernel/security/tomoyo/exception_policy
324 * and all entries are retrieved by
326 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
328 * In the example above, if a process which belongs to a domain which is in
329 * learning mode requested open("/proc/1/mounts", O_RDONLY),
330 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
331 * process belongs to.
333 * It is not a desirable behavior that we have to use /proc/\$/ instead of
334 * /proc/self/ when current process needs to access only current process's
335 * information. As of now, LSM version of TOMOYO is using __d_path() for
336 * calculating pathname. Non LSM version of TOMOYO is using its own function
337 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
338 * current process from accessing other process's information.
340 static LIST_HEAD(tomoyo_pattern_list
);
341 static DECLARE_RWSEM(tomoyo_pattern_list_lock
);
344 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
346 * @pattern: Pathname pattern.
347 * @is_delete: True if it is a delete request.
349 * Returns 0 on success, negative value otherwise.
351 static int tomoyo_update_file_pattern_entry(const char *pattern
,
352 const bool is_delete
)
354 struct tomoyo_pattern_entry
*new_entry
;
355 struct tomoyo_pattern_entry
*ptr
;
356 const struct tomoyo_path_info
*saved_pattern
;
359 if (!tomoyo_is_correct_path(pattern
, 0, 1, 0, __func__
))
361 saved_pattern
= tomoyo_save_name(pattern
);
364 down_write(&tomoyo_pattern_list_lock
);
365 list_for_each_entry(ptr
, &tomoyo_pattern_list
, list
) {
366 if (saved_pattern
!= ptr
->pattern
)
368 ptr
->is_deleted
= is_delete
;
376 new_entry
= tomoyo_alloc_element(sizeof(*new_entry
));
379 new_entry
->pattern
= saved_pattern
;
380 list_add_tail(&new_entry
->list
, &tomoyo_pattern_list
);
383 up_write(&tomoyo_pattern_list_lock
);
388 * tomoyo_get_file_pattern - Get patterned pathname.
390 * @filename: The filename to find patterned pathname.
392 * Returns pointer to pathname pattern if matched, @filename otherwise.
394 static const struct tomoyo_path_info
*
395 tomoyo_get_file_pattern(const struct tomoyo_path_info
*filename
)
397 struct tomoyo_pattern_entry
*ptr
;
398 const struct tomoyo_path_info
*pattern
= NULL
;
400 down_read(&tomoyo_pattern_list_lock
);
401 list_for_each_entry(ptr
, &tomoyo_pattern_list
, list
) {
404 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
406 pattern
= ptr
->pattern
;
407 if (tomoyo_strendswith(pattern
->name
, "/\\*")) {
408 /* Do nothing. Try to find the better match. */
410 /* This would be the better match. Use this. */
414 up_read(&tomoyo_pattern_list_lock
);
421 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
423 * @data: String to parse.
424 * @is_delete: True if it is a delete request.
426 * Returns 0 on success, negative value otherwise.
428 int tomoyo_write_pattern_policy(char *data
, const bool is_delete
)
430 return tomoyo_update_file_pattern_entry(data
, is_delete
);
434 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
436 * @head: Pointer to "struct tomoyo_io_buffer".
438 * Returns true on success, false otherwise.
440 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer
*head
)
442 struct list_head
*pos
;
445 down_read(&tomoyo_pattern_list_lock
);
446 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_pattern_list
) {
447 struct tomoyo_pattern_entry
*ptr
;
448 ptr
= list_entry(pos
, struct tomoyo_pattern_entry
, list
);
451 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_FILE_PATTERN
452 "%s\n", ptr
->pattern
->name
);
456 up_read(&tomoyo_pattern_list_lock
);
461 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
462 * default forbidden to modify already written content of a file.
464 * An entry is added by
466 * # echo 'deny_rewrite /var/log/messages' > \
467 * /sys/kernel/security/tomoyo/exception_policy
471 * # echo 'delete deny_rewrite /var/log/messages' > \
472 * /sys/kernel/security/tomoyo/exception_policy
474 * and all entries are retrieved by
476 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
478 * In the example above, if a process requested to rewrite /var/log/messages ,
479 * the process can't rewrite unless the domain which that process belongs to
480 * has "allow_rewrite /var/log/messages" entry.
482 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
483 * when we want to allow rewriting already unlink()ed file. As of now,
484 * LSM version of TOMOYO is using __d_path() for calculating pathname.
485 * Non LSM version of TOMOYO is using its own function which doesn't append
486 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
487 * need to worry whether the file is already unlink()ed or not.
489 static LIST_HEAD(tomoyo_no_rewrite_list
);
490 static DECLARE_RWSEM(tomoyo_no_rewrite_list_lock
);
493 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
495 * @pattern: Pathname pattern that are not rewritable by default.
496 * @is_delete: True if it is a delete request.
498 * Returns 0 on success, negative value otherwise.
500 static int tomoyo_update_no_rewrite_entry(const char *pattern
,
501 const bool is_delete
)
503 struct tomoyo_no_rewrite_entry
*new_entry
, *ptr
;
504 const struct tomoyo_path_info
*saved_pattern
;
507 if (!tomoyo_is_correct_path(pattern
, 0, 0, 0, __func__
))
509 saved_pattern
= tomoyo_save_name(pattern
);
512 down_write(&tomoyo_no_rewrite_list_lock
);
513 list_for_each_entry(ptr
, &tomoyo_no_rewrite_list
, list
) {
514 if (ptr
->pattern
!= saved_pattern
)
516 ptr
->is_deleted
= is_delete
;
524 new_entry
= tomoyo_alloc_element(sizeof(*new_entry
));
527 new_entry
->pattern
= saved_pattern
;
528 list_add_tail(&new_entry
->list
, &tomoyo_no_rewrite_list
);
531 up_write(&tomoyo_no_rewrite_list_lock
);
536 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
538 * @filename: Filename to check.
540 * Returns true if @filename is specified by "deny_rewrite" directive,
543 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info
*filename
)
545 struct tomoyo_no_rewrite_entry
*ptr
;
548 down_read(&tomoyo_no_rewrite_list_lock
);
549 list_for_each_entry(ptr
, &tomoyo_no_rewrite_list
, list
) {
552 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
557 up_read(&tomoyo_no_rewrite_list_lock
);
562 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
564 * @data: String to parse.
565 * @is_delete: True if it is a delete request.
567 * Returns 0 on success, negative value otherwise.
569 int tomoyo_write_no_rewrite_policy(char *data
, const bool is_delete
)
571 return tomoyo_update_no_rewrite_entry(data
, is_delete
);
575 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
577 * @head: Pointer to "struct tomoyo_io_buffer".
579 * Returns true on success, false otherwise.
581 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer
*head
)
583 struct list_head
*pos
;
586 down_read(&tomoyo_no_rewrite_list_lock
);
587 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_no_rewrite_list
) {
588 struct tomoyo_no_rewrite_entry
*ptr
;
589 ptr
= list_entry(pos
, struct tomoyo_no_rewrite_entry
, list
);
592 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_DENY_REWRITE
593 "%s\n", ptr
->pattern
->name
);
597 up_read(&tomoyo_no_rewrite_list_lock
);
602 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
604 * @filename: Filename.
605 * @perm: Permission (between 1 to 7).
606 * @domain: Pointer to "struct tomoyo_domain_info".
607 * @is_delete: True if it is a delete request.
609 * Returns 0 on success, negative value otherwise.
611 * This is legacy support interface for older policy syntax.
612 * Current policy syntax uses "allow_read/write" instead of "6",
613 * "allow_read" instead of "4", "allow_write" instead of "2",
614 * "allow_execute" instead of "1".
616 static int tomoyo_update_file_acl(const char *filename
, u8 perm
,
617 struct tomoyo_domain_info
* const domain
,
618 const bool is_delete
)
620 if (perm
> 7 || !perm
) {
621 printk(KERN_DEBUG
"%s: Invalid permission '%d %s'\n",
622 __func__
, perm
, filename
);
625 if (filename
[0] != '@' && tomoyo_strendswith(filename
, "/"))
627 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
628 * directory permissions.
632 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL
, filename
,
635 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL
, filename
,
638 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL
,
639 filename
, domain
, is_delete
);
644 * tomoyo_check_single_path_acl2 - Check permission for single path operation.
646 * @domain: Pointer to "struct tomoyo_domain_info".
647 * @filename: Filename to check.
649 * @may_use_pattern: True if patterned ACL is permitted.
651 * Returns 0 on success, -EPERM otherwise.
653 static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info
*
655 const struct tomoyo_path_info
*
658 const bool may_use_pattern
)
660 struct tomoyo_acl_info
*ptr
;
663 down_read(&tomoyo_domain_acl_info_list_lock
);
664 list_for_each_entry(ptr
, &domain
->acl_info_list
, list
) {
665 struct tomoyo_single_path_acl_record
*acl
;
666 if (tomoyo_acl_type2(ptr
) != TOMOYO_TYPE_SINGLE_PATH_ACL
)
668 acl
= container_of(ptr
, struct tomoyo_single_path_acl_record
,
670 if (!(acl
->perm
& perm
))
672 if (may_use_pattern
|| !acl
->filename
->is_patterned
) {
673 if (!tomoyo_path_matches_pattern(filename
,
682 up_read(&tomoyo_domain_acl_info_list_lock
);
687 * tomoyo_check_file_acl - Check permission for opening files.
689 * @domain: Pointer to "struct tomoyo_domain_info".
690 * @filename: Filename to check.
691 * @operation: Mode ("read" or "write" or "read/write" or "execute").
693 * Returns 0 on success, -EPERM otherwise.
695 static int tomoyo_check_file_acl(const struct tomoyo_domain_info
*domain
,
696 const struct tomoyo_path_info
*filename
,
701 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
704 perm
= 1 << TOMOYO_TYPE_READ_WRITE_ACL
;
705 else if (operation
== 4)
706 perm
= 1 << TOMOYO_TYPE_READ_ACL
;
707 else if (operation
== 2)
708 perm
= 1 << TOMOYO_TYPE_WRITE_ACL
;
709 else if (operation
== 1)
710 perm
= 1 << TOMOYO_TYPE_EXECUTE_ACL
;
713 return tomoyo_check_single_path_acl2(domain
, filename
, perm
,
718 * tomoyo_check_file_perm2 - Check permission for opening files.
720 * @domain: Pointer to "struct tomoyo_domain_info".
721 * @filename: Filename to check.
722 * @perm: Mode ("read" or "write" or "read/write" or "execute").
723 * @operation: Operation name passed used for verbose mode.
724 * @mode: Access control mode.
726 * Returns 0 on success, negative value otherwise.
728 static int tomoyo_check_file_perm2(struct tomoyo_domain_info
* const domain
,
729 const struct tomoyo_path_info
*filename
,
730 const u8 perm
, const char *operation
,
733 const bool is_enforce
= (mode
== 3);
734 const char *msg
= "<unknown>";
739 error
= tomoyo_check_file_acl(domain
, filename
, perm
);
740 if (error
&& perm
== 4 &&
741 (domain
->flags
& TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ
) == 0
742 && tomoyo_is_globally_readable_file(filename
))
745 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL
);
747 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL
);
749 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL
);
751 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL
);
756 if (tomoyo_verbose_mode(domain
))
757 printk(KERN_WARNING
"TOMOYO-%s: Access '%s(%s) %s' denied "
758 "for %s\n", tomoyo_get_msg(is_enforce
), msg
, operation
,
759 filename
->name
, tomoyo_get_last_name(domain
));
762 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
763 /* Don't use patterns for execute permission. */
764 const struct tomoyo_path_info
*patterned_file
= (perm
!= 1) ?
765 tomoyo_get_file_pattern(filename
) : filename
;
766 tomoyo_update_file_acl(patterned_file
->name
, perm
,
773 * tomoyo_write_file_policy - Update file related list.
775 * @data: String to parse.
776 * @domain: Pointer to "struct tomoyo_domain_info".
777 * @is_delete: True if it is a delete request.
779 * Returns 0 on success, negative value otherwise.
781 int tomoyo_write_file_policy(char *data
, struct tomoyo_domain_info
*domain
,
782 const bool is_delete
)
784 char *filename
= strchr(data
, ' ');
792 if (sscanf(data
, "%u", &perm
) == 1)
793 return tomoyo_update_file_acl(filename
, (u8
) perm
, domain
,
795 if (strncmp(data
, "allow_", 6))
798 for (type
= 0; type
< TOMOYO_MAX_SINGLE_PATH_OPERATION
; type
++) {
799 if (strcmp(data
, tomoyo_sp_keyword
[type
]))
801 return tomoyo_update_single_path_acl(type
, filename
,
804 filename2
= strchr(filename
, ' ');
808 for (type
= 0; type
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
; type
++) {
809 if (strcmp(data
, tomoyo_dp_keyword
[type
]))
811 return tomoyo_update_double_path_acl(type
, filename
, filename2
,
819 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
821 * @type: Type of operation.
822 * @filename: Filename.
823 * @domain: Pointer to "struct tomoyo_domain_info".
824 * @is_delete: True if it is a delete request.
826 * Returns 0 on success, negative value otherwise.
828 static int tomoyo_update_single_path_acl(const u8 type
, const char *filename
,
829 struct tomoyo_domain_info
*
830 const domain
, const bool is_delete
)
832 static const u16 rw_mask
=
833 (1 << TOMOYO_TYPE_READ_ACL
) | (1 << TOMOYO_TYPE_WRITE_ACL
);
834 const struct tomoyo_path_info
*saved_filename
;
835 struct tomoyo_acl_info
*ptr
;
836 struct tomoyo_single_path_acl_record
*acl
;
838 const u16 perm
= 1 << type
;
842 if (!tomoyo_is_correct_path(filename
, 0, 0, 0, __func__
))
844 saved_filename
= tomoyo_save_name(filename
);
847 down_write(&tomoyo_domain_acl_info_list_lock
);
850 list_for_each_entry(ptr
, &domain
->acl_info_list
, list
) {
851 if (tomoyo_acl_type1(ptr
) != TOMOYO_TYPE_SINGLE_PATH_ACL
)
853 acl
= container_of(ptr
, struct tomoyo_single_path_acl_record
,
855 if (acl
->filename
!= saved_filename
)
857 /* Special case. Clear all bits if marked as deleted. */
858 if (ptr
->type
& TOMOYO_ACL_DELETED
)
861 if ((acl
->perm
& rw_mask
) == rw_mask
)
862 acl
->perm
|= 1 << TOMOYO_TYPE_READ_WRITE_ACL
;
863 else if (acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE_ACL
))
864 acl
->perm
|= rw_mask
;
865 ptr
->type
&= ~TOMOYO_ACL_DELETED
;
869 /* Not found. Append it to the tail. */
870 acl
= tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL
);
874 if (perm
== (1 << TOMOYO_TYPE_READ_WRITE_ACL
))
875 acl
->perm
|= rw_mask
;
876 acl
->filename
= saved_filename
;
877 list_add_tail(&acl
->head
.list
, &domain
->acl_info_list
);
882 list_for_each_entry(ptr
, &domain
->acl_info_list
, list
) {
883 if (tomoyo_acl_type2(ptr
) != TOMOYO_TYPE_SINGLE_PATH_ACL
)
885 acl
= container_of(ptr
, struct tomoyo_single_path_acl_record
,
887 if (acl
->filename
!= saved_filename
)
890 if ((acl
->perm
& rw_mask
) != rw_mask
)
891 acl
->perm
&= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL
);
892 else if (!(acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE_ACL
)))
893 acl
->perm
&= ~rw_mask
;
895 ptr
->type
|= TOMOYO_ACL_DELETED
;
900 up_write(&tomoyo_domain_acl_info_list_lock
);
905 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
907 * @type: Type of operation.
908 * @filename1: First filename.
909 * @filename2: Second filename.
910 * @domain: Pointer to "struct tomoyo_domain_info".
911 * @is_delete: True if it is a delete request.
913 * Returns 0 on success, negative value otherwise.
915 static int tomoyo_update_double_path_acl(const u8 type
, const char *filename1
,
916 const char *filename2
,
917 struct tomoyo_domain_info
*
918 const domain
, const bool is_delete
)
920 const struct tomoyo_path_info
*saved_filename1
;
921 const struct tomoyo_path_info
*saved_filename2
;
922 struct tomoyo_acl_info
*ptr
;
923 struct tomoyo_double_path_acl_record
*acl
;
925 const u8 perm
= 1 << type
;
929 if (!tomoyo_is_correct_path(filename1
, 0, 0, 0, __func__
) ||
930 !tomoyo_is_correct_path(filename2
, 0, 0, 0, __func__
))
932 saved_filename1
= tomoyo_save_name(filename1
);
933 saved_filename2
= tomoyo_save_name(filename2
);
934 if (!saved_filename1
|| !saved_filename2
)
936 down_write(&tomoyo_domain_acl_info_list_lock
);
939 list_for_each_entry(ptr
, &domain
->acl_info_list
, list
) {
940 if (tomoyo_acl_type1(ptr
) != TOMOYO_TYPE_DOUBLE_PATH_ACL
)
942 acl
= container_of(ptr
, struct tomoyo_double_path_acl_record
,
944 if (acl
->filename1
!= saved_filename1
||
945 acl
->filename2
!= saved_filename2
)
947 /* Special case. Clear all bits if marked as deleted. */
948 if (ptr
->type
& TOMOYO_ACL_DELETED
)
951 ptr
->type
&= ~TOMOYO_ACL_DELETED
;
955 /* Not found. Append it to the tail. */
956 acl
= tomoyo_alloc_acl_element(TOMOYO_TYPE_DOUBLE_PATH_ACL
);
960 acl
->filename1
= saved_filename1
;
961 acl
->filename2
= saved_filename2
;
962 list_add_tail(&acl
->head
.list
, &domain
->acl_info_list
);
967 list_for_each_entry(ptr
, &domain
->acl_info_list
, list
) {
968 if (tomoyo_acl_type2(ptr
) != TOMOYO_TYPE_DOUBLE_PATH_ACL
)
970 acl
= container_of(ptr
, struct tomoyo_double_path_acl_record
,
972 if (acl
->filename1
!= saved_filename1
||
973 acl
->filename2
!= saved_filename2
)
977 ptr
->type
|= TOMOYO_ACL_DELETED
;
982 up_write(&tomoyo_domain_acl_info_list_lock
);
987 * tomoyo_check_single_path_acl - Check permission for single path operation.
989 * @domain: Pointer to "struct tomoyo_domain_info".
990 * @type: Type of operation.
991 * @filename: Filename to check.
993 * Returns 0 on success, negative value otherwise.
995 static int tomoyo_check_single_path_acl(struct tomoyo_domain_info
*domain
,
997 const struct tomoyo_path_info
*filename
)
999 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
1001 return tomoyo_check_single_path_acl2(domain
, filename
, 1 << type
, 1);
1005 * tomoyo_check_double_path_acl - Check permission for double path operation.
1007 * @domain: Pointer to "struct tomoyo_domain_info".
1008 * @type: Type of operation.
1009 * @filename1: First filename to check.
1010 * @filename2: Second filename to check.
1012 * Returns 0 on success, -EPERM otherwise.
1014 static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info
*domain
,
1016 const struct tomoyo_path_info
*
1018 const struct tomoyo_path_info
*
1021 struct tomoyo_acl_info
*ptr
;
1022 const u8 perm
= 1 << type
;
1025 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
1027 down_read(&tomoyo_domain_acl_info_list_lock
);
1028 list_for_each_entry(ptr
, &domain
->acl_info_list
, list
) {
1029 struct tomoyo_double_path_acl_record
*acl
;
1030 if (tomoyo_acl_type2(ptr
) != TOMOYO_TYPE_DOUBLE_PATH_ACL
)
1032 acl
= container_of(ptr
, struct tomoyo_double_path_acl_record
,
1034 if (!(acl
->perm
& perm
))
1036 if (!tomoyo_path_matches_pattern(filename1
, acl
->filename1
))
1038 if (!tomoyo_path_matches_pattern(filename2
, acl
->filename2
))
1043 up_read(&tomoyo_domain_acl_info_list_lock
);
1048 * tomoyo_check_single_path_permission2 - Check permission for single path operation.
1050 * @domain: Pointer to "struct tomoyo_domain_info".
1051 * @operation: Type of operation.
1052 * @filename: Filename to check.
1053 * @mode: Access control mode.
1055 * Returns 0 on success, negative value otherwise.
1057 static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info
*
1058 const domain
, u8 operation
,
1059 const struct tomoyo_path_info
*
1060 filename
, const u8 mode
)
1064 const bool is_enforce
= (mode
== 3);
1069 error
= tomoyo_check_single_path_acl(domain
, operation
, filename
);
1070 msg
= tomoyo_sp2keyword(operation
);
1073 if (tomoyo_verbose_mode(domain
))
1074 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s' denied for %s\n",
1075 tomoyo_get_msg(is_enforce
), msg
, filename
->name
,
1076 tomoyo_get_last_name(domain
));
1077 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1078 const char *name
= tomoyo_get_file_pattern(filename
)->name
;
1079 tomoyo_update_single_path_acl(operation
, name
, domain
, false);
1085 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1086 * we need to check "allow_rewrite" permission if the filename is
1087 * specified by "deny_rewrite" keyword.
1089 if (!error
&& operation
== TOMOYO_TYPE_TRUNCATE_ACL
&&
1090 tomoyo_is_no_rewrite_file(filename
)) {
1091 operation
= TOMOYO_TYPE_REWRITE_ACL
;
1098 * tomoyo_check_exec_perm - Check permission for "execute".
1100 * @domain: Pointer to "struct tomoyo_domain_info".
1101 * @filename: Check permission for "execute".
1103 * Returns 0 on success, negativevalue otherwise.
1105 int tomoyo_check_exec_perm(struct tomoyo_domain_info
*domain
,
1106 const struct tomoyo_path_info
*filename
)
1108 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1112 return tomoyo_check_file_perm2(domain
, filename
, 1, "do_execve", mode
);
1116 * tomoyo_check_open_permission - Check permission for "read" and "write".
1118 * @domain: Pointer to "struct tomoyo_domain_info".
1119 * @path: Pointer to "struct path".
1120 * @flag: Flags for open().
1122 * Returns 0 on success, negative value otherwise.
1124 int tomoyo_check_open_permission(struct tomoyo_domain_info
*domain
,
1125 struct path
*path
, const int flag
)
1127 const u8 acc_mode
= ACC_MODE(flag
);
1128 int error
= -ENOMEM
;
1129 struct tomoyo_path_info
*buf
;
1130 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1131 const bool is_enforce
= (mode
== 3);
1133 if (!mode
|| !path
->mnt
)
1137 if (path
->dentry
->d_inode
&& S_ISDIR(path
->dentry
->d_inode
->i_mode
))
1139 * I don't check directories here because mkdir() and rmdir()
1143 buf
= tomoyo_get_path(path
);
1148 * If the filename is specified by "deny_rewrite" keyword,
1149 * we need to check "allow_rewrite" permission when the filename is not
1150 * opened for append mode or the filename is truncated at open time.
1152 if ((acc_mode
& MAY_WRITE
) &&
1153 ((flag
& O_TRUNC
) || !(flag
& O_APPEND
)) &&
1154 (tomoyo_is_no_rewrite_file(buf
))) {
1155 error
= tomoyo_check_single_path_permission2(domain
,
1156 TOMOYO_TYPE_REWRITE_ACL
,
1160 error
= tomoyo_check_file_perm2(domain
, buf
, acc_mode
, "open",
1162 if (!error
&& (flag
& O_TRUNC
))
1163 error
= tomoyo_check_single_path_permission2(domain
,
1164 TOMOYO_TYPE_TRUNCATE_ACL
,
1174 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate" and "symlink".
1176 * @domain: Pointer to "struct tomoyo_domain_info".
1177 * @operation: Type of operation.
1178 * @path: Pointer to "struct path".
1180 * Returns 0 on success, negative value otherwise.
1182 int tomoyo_check_1path_perm(struct tomoyo_domain_info
*domain
,
1183 const u8 operation
, struct path
*path
)
1185 int error
= -ENOMEM
;
1186 struct tomoyo_path_info
*buf
;
1187 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1188 const bool is_enforce
= (mode
== 3);
1190 if (!mode
|| !path
->mnt
)
1192 buf
= tomoyo_get_path(path
);
1195 switch (operation
) {
1196 case TOMOYO_TYPE_MKDIR_ACL
:
1197 case TOMOYO_TYPE_RMDIR_ACL
:
1200 * tomoyo_get_path() reserves space for appending "/."
1202 strcat((char *) buf
->name
, "/");
1203 tomoyo_fill_path_info(buf
);
1206 error
= tomoyo_check_single_path_permission2(domain
, operation
, buf
,
1216 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1218 * @domain: Pointer to "struct tomoyo_domain_info".
1219 * @filp: Pointer to "struct file".
1221 * Returns 0 on success, negative value otherwise.
1223 int tomoyo_check_rewrite_permission(struct tomoyo_domain_info
*domain
,
1226 int error
= -ENOMEM
;
1227 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1228 const bool is_enforce
= (mode
== 3);
1229 struct tomoyo_path_info
*buf
;
1231 if (!mode
|| !filp
->f_path
.mnt
)
1233 buf
= tomoyo_get_path(&filp
->f_path
);
1236 if (!tomoyo_is_no_rewrite_file(buf
)) {
1240 error
= tomoyo_check_single_path_permission2(domain
,
1241 TOMOYO_TYPE_REWRITE_ACL
,
1251 * tomoyo_check_2path_perm - Check permission for "rename" and "link".
1253 * @domain: Pointer to "struct tomoyo_domain_info".
1254 * @operation: Type of operation.
1255 * @path1: Pointer to "struct path".
1256 * @path2: Pointer to "struct path".
1258 * Returns 0 on success, negative value otherwise.
1260 int tomoyo_check_2path_perm(struct tomoyo_domain_info
* const domain
,
1261 const u8 operation
, struct path
*path1
,
1264 int error
= -ENOMEM
;
1265 struct tomoyo_path_info
*buf1
, *buf2
;
1266 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1267 const bool is_enforce
= (mode
== 3);
1270 if (!mode
|| !path1
->mnt
|| !path2
->mnt
)
1272 buf1
= tomoyo_get_path(path1
);
1273 buf2
= tomoyo_get_path(path2
);
1277 struct dentry
*dentry
= path1
->dentry
;
1278 if (dentry
->d_inode
&& S_ISDIR(dentry
->d_inode
->i_mode
)) {
1280 * tomoyo_get_path() reserves space for appending "/."
1282 if (!buf1
->is_dir
) {
1283 strcat((char *) buf1
->name
, "/");
1284 tomoyo_fill_path_info(buf1
);
1286 if (!buf2
->is_dir
) {
1287 strcat((char *) buf2
->name
, "/");
1288 tomoyo_fill_path_info(buf2
);
1292 error
= tomoyo_check_double_path_acl(domain
, operation
, buf1
, buf2
);
1293 msg
= tomoyo_dp2keyword(operation
);
1296 if (tomoyo_verbose_mode(domain
))
1297 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s %s' "
1298 "denied for %s\n", tomoyo_get_msg(is_enforce
),
1299 msg
, buf1
->name
, buf2
->name
,
1300 tomoyo_get_last_name(domain
));
1301 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1302 const char *name1
= tomoyo_get_file_pattern(buf1
)->name
;
1303 const char *name2
= tomoyo_get_file_pattern(buf2
)->name
;
1304 tomoyo_update_double_path_acl(operation
, name1
, name2
, domain
,