4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
11 #include <linux/kthread.h>
14 TOMOYO_ID_DOMAIN_INITIALIZER
,
15 TOMOYO_ID_DOMAIN_KEEPER
,
17 TOMOYO_ID_GLOBALLY_READABLE
,
26 struct tomoyo_gc_entry
{
27 struct list_head list
;
31 static LIST_HEAD(tomoyo_gc_queue
);
32 static DEFINE_MUTEX(tomoyo_gc_mutex
);
34 /* Caller holds tomoyo_policy_lock mutex. */
35 static bool tomoyo_add_to_gc(const int type
, void *element
)
37 struct tomoyo_gc_entry
*entry
= kzalloc(sizeof(*entry
), GFP_ATOMIC
);
41 entry
->element
= element
;
42 list_add(&entry
->list
, &tomoyo_gc_queue
);
46 static void tomoyo_del_allow_read
47 (struct tomoyo_globally_readable_file_entry
*ptr
)
49 tomoyo_put_name(ptr
->filename
);
52 static void tomoyo_del_file_pattern(struct tomoyo_pattern_entry
*ptr
)
54 tomoyo_put_name(ptr
->pattern
);
57 static void tomoyo_del_no_rewrite(struct tomoyo_no_rewrite_entry
*ptr
)
59 tomoyo_put_name(ptr
->pattern
);
62 static void tomoyo_del_domain_initializer
63 (struct tomoyo_domain_initializer_entry
*ptr
)
65 tomoyo_put_name(ptr
->domainname
);
66 tomoyo_put_name(ptr
->program
);
69 static void tomoyo_del_domain_keeper(struct tomoyo_domain_keeper_entry
*ptr
)
71 tomoyo_put_name(ptr
->domainname
);
72 tomoyo_put_name(ptr
->program
);
75 static void tomoyo_del_alias(struct tomoyo_alias_entry
*ptr
)
77 tomoyo_put_name(ptr
->original_name
);
78 tomoyo_put_name(ptr
->aliased_name
);
81 static void tomoyo_del_manager(struct tomoyo_policy_manager_entry
*ptr
)
83 tomoyo_put_name(ptr
->manager
);
86 static void tomoyo_del_acl(struct tomoyo_acl_info
*acl
)
89 case TOMOYO_TYPE_SINGLE_PATH_ACL
:
91 struct tomoyo_single_path_acl_record
*entry
92 = container_of(acl
, typeof(*entry
), head
);
93 tomoyo_put_name(entry
->filename
);
96 case TOMOYO_TYPE_DOUBLE_PATH_ACL
:
98 struct tomoyo_double_path_acl_record
*entry
99 = container_of(acl
, typeof(*entry
), head
);
100 tomoyo_put_name(entry
->filename1
);
101 tomoyo_put_name(entry
->filename2
);
105 printk(KERN_WARNING
"Unknown type\n");
110 static bool tomoyo_del_domain(struct tomoyo_domain_info
*domain
)
112 struct tomoyo_acl_info
*acl
;
113 struct tomoyo_acl_info
*tmp
;
115 * Since we don't protect whole execve() operation using SRCU,
116 * we need to recheck domain->users at this point.
118 * (1) Reader starts SRCU section upon execve().
119 * (2) Reader traverses tomoyo_domain_list and finds this domain.
120 * (3) Writer marks this domain as deleted.
121 * (4) Garbage collector removes this domain from tomoyo_domain_list
122 * because this domain is marked as deleted and used by nobody.
123 * (5) Reader saves reference to this domain into
124 * "struct linux_binprm"->cred->security .
125 * (6) Reader finishes SRCU section, although execve() operation has
127 * (7) Garbage collector waits for SRCU synchronization.
128 * (8) Garbage collector kfree() this domain because this domain is
130 * (9) Reader finishes execve() operation and restores this domain from
131 * "struct linux_binprm"->cred->security.
133 * By updating domain->users at (5), we can solve this race problem
134 * by rechecking domain->users at (8).
136 if (atomic_read(&domain
->users
))
138 list_for_each_entry_safe(acl
, tmp
, &domain
->acl_info_list
, list
) {
140 tomoyo_memory_free(acl
);
142 tomoyo_put_name(domain
->domainname
);
147 static void tomoyo_del_name(const struct tomoyo_name_entry
*ptr
)
151 static void tomoyo_collect_entry(void)
153 mutex_lock(&tomoyo_policy_lock
);
155 struct tomoyo_globally_readable_file_entry
*ptr
;
156 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
,
158 if (!ptr
->is_deleted
)
160 if (tomoyo_add_to_gc(TOMOYO_ID_GLOBALLY_READABLE
, ptr
))
161 list_del_rcu(&ptr
->list
);
167 struct tomoyo_pattern_entry
*ptr
;
168 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
169 if (!ptr
->is_deleted
)
171 if (tomoyo_add_to_gc(TOMOYO_ID_PATTERN
, ptr
))
172 list_del_rcu(&ptr
->list
);
178 struct tomoyo_no_rewrite_entry
*ptr
;
179 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
180 if (!ptr
->is_deleted
)
182 if (tomoyo_add_to_gc(TOMOYO_ID_NO_REWRITE
, ptr
))
183 list_del_rcu(&ptr
->list
);
189 struct tomoyo_domain_initializer_entry
*ptr
;
190 list_for_each_entry_rcu(ptr
, &tomoyo_domain_initializer_list
,
192 if (!ptr
->is_deleted
)
194 if (tomoyo_add_to_gc(TOMOYO_ID_DOMAIN_INITIALIZER
, ptr
))
195 list_del_rcu(&ptr
->list
);
201 struct tomoyo_domain_keeper_entry
*ptr
;
202 list_for_each_entry_rcu(ptr
, &tomoyo_domain_keeper_list
, list
) {
203 if (!ptr
->is_deleted
)
205 if (tomoyo_add_to_gc(TOMOYO_ID_DOMAIN_KEEPER
, ptr
))
206 list_del_rcu(&ptr
->list
);
212 struct tomoyo_alias_entry
*ptr
;
213 list_for_each_entry_rcu(ptr
, &tomoyo_alias_list
, list
) {
214 if (!ptr
->is_deleted
)
216 if (tomoyo_add_to_gc(TOMOYO_ID_ALIAS
, ptr
))
217 list_del_rcu(&ptr
->list
);
223 struct tomoyo_policy_manager_entry
*ptr
;
224 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
,
226 if (!ptr
->is_deleted
)
228 if (tomoyo_add_to_gc(TOMOYO_ID_MANAGER
, ptr
))
229 list_del_rcu(&ptr
->list
);
235 struct tomoyo_domain_info
*domain
;
236 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
237 struct tomoyo_acl_info
*acl
;
238 list_for_each_entry_rcu(acl
, &domain
->acl_info_list
,
241 case TOMOYO_TYPE_SINGLE_PATH_ACL
:
242 if (container_of(acl
,
243 struct tomoyo_single_path_acl_record
,
246 struct tomoyo_single_path_acl_record
,
250 case TOMOYO_TYPE_DOUBLE_PATH_ACL
:
251 if (container_of(acl
,
252 struct tomoyo_double_path_acl_record
,
259 if (tomoyo_add_to_gc(TOMOYO_ID_ACL
, acl
))
260 list_del_rcu(&acl
->list
);
264 if (!domain
->is_deleted
|| atomic_read(&domain
->users
))
267 * Nobody is referring this domain. But somebody may
268 * refer this domain after successful execve().
269 * We recheck domain->users after SRCU synchronization.
271 if (tomoyo_add_to_gc(TOMOYO_ID_DOMAIN
, domain
))
272 list_del_rcu(&domain
->list
);
277 mutex_unlock(&tomoyo_policy_lock
);
278 mutex_lock(&tomoyo_name_list_lock
);
281 for (i
= 0; i
< TOMOYO_MAX_HASH
; i
++) {
282 struct tomoyo_name_entry
*ptr
;
283 list_for_each_entry_rcu(ptr
, &tomoyo_name_list
[i
],
285 if (atomic_read(&ptr
->users
))
287 if (tomoyo_add_to_gc(TOMOYO_ID_NAME
, ptr
))
288 list_del_rcu(&ptr
->list
);
296 mutex_unlock(&tomoyo_name_list_lock
);
299 static void tomoyo_kfree_entry(void)
301 struct tomoyo_gc_entry
*p
;
302 struct tomoyo_gc_entry
*tmp
;
304 list_for_each_entry_safe(p
, tmp
, &tomoyo_gc_queue
, list
) {
306 case TOMOYO_ID_DOMAIN_INITIALIZER
:
307 tomoyo_del_domain_initializer(p
->element
);
309 case TOMOYO_ID_DOMAIN_KEEPER
:
310 tomoyo_del_domain_keeper(p
->element
);
312 case TOMOYO_ID_ALIAS
:
313 tomoyo_del_alias(p
->element
);
315 case TOMOYO_ID_GLOBALLY_READABLE
:
316 tomoyo_del_allow_read(p
->element
);
318 case TOMOYO_ID_PATTERN
:
319 tomoyo_del_file_pattern(p
->element
);
321 case TOMOYO_ID_NO_REWRITE
:
322 tomoyo_del_no_rewrite(p
->element
);
324 case TOMOYO_ID_MANAGER
:
325 tomoyo_del_manager(p
->element
);
328 tomoyo_del_name(p
->element
);
331 tomoyo_del_acl(p
->element
);
333 case TOMOYO_ID_DOMAIN
:
334 if (!tomoyo_del_domain(p
->element
))
338 printk(KERN_WARNING
"Unknown type\n");
341 tomoyo_memory_free(p
->element
);
347 static int tomoyo_gc_thread(void *unused
)
349 daemonize("GC for TOMOYO");
350 if (mutex_trylock(&tomoyo_gc_mutex
)) {
352 for (i
= 0; i
< 10; i
++) {
353 tomoyo_collect_entry();
354 if (list_empty(&tomoyo_gc_queue
))
356 synchronize_srcu(&tomoyo_ss
);
357 tomoyo_kfree_entry();
359 mutex_unlock(&tomoyo_gc_mutex
);
364 void tomoyo_run_gc(void)
366 struct task_struct
*task
= kthread_create(tomoyo_gc_thread
, NULL
,
369 wake_up_process(task
);