1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * security/tomoyo/tomoyo.c 4 * 5 * Copyright (C) 2005-2011 NTT DATA CORPORATION 6 */ 7 8 #include <linux/lsm_hooks.h> 9 #include "common.h" 10 11 /** 12 * tomoyo_cred_alloc_blank - Target for security_cred_alloc_blank(). 13 * 14 * @new: Pointer to "struct cred". 15 * @gfp: Memory allocation flags. 16 * 17 * Returns 0. 18 */ 19 static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp) 20 { 21 struct tomoyo_domain_info **blob = tomoyo_cred(new); 22 23 *blob = NULL; 24 return 0; 25 } 26 27 /** 28 * tomoyo_cred_prepare - Target for security_prepare_creds(). 29 * 30 * @new: Pointer to "struct cred". 31 * @old: Pointer to "struct cred". 32 * @gfp: Memory allocation flags. 33 * 34 * Returns 0. 35 */ 36 static int tomoyo_cred_prepare(struct cred *new, const struct cred *old, 37 gfp_t gfp) 38 { 39 struct tomoyo_domain_info **old_blob = tomoyo_cred(old); 40 struct tomoyo_domain_info **new_blob = tomoyo_cred(new); 41 struct tomoyo_domain_info *domain; 42 43 domain = *old_blob; 44 *new_blob = domain; 45 46 if (domain) 47 atomic_inc(&domain->users); 48 return 0; 49 } 50 51 /** 52 * tomoyo_cred_transfer - Target for security_transfer_creds(). 53 * 54 * @new: Pointer to "struct cred". 55 * @old: Pointer to "struct cred". 56 */ 57 static void tomoyo_cred_transfer(struct cred *new, const struct cred *old) 58 { 59 tomoyo_cred_prepare(new, old, 0); 60 } 61 62 /** 63 * tomoyo_cred_free - Target for security_cred_free(). 64 * 65 * @cred: Pointer to "struct cred". 66 */ 67 static void tomoyo_cred_free(struct cred *cred) 68 { 69 struct tomoyo_domain_info **blob = tomoyo_cred(cred); 70 struct tomoyo_domain_info *domain = *blob; 71 72 if (domain) 73 atomic_dec(&domain->users); 74 } 75 76 /** 77 * tomoyo_bprm_set_creds - Target for security_bprm_set_creds(). 78 * 79 * @bprm: Pointer to "struct linux_binprm". 80 * 81 * Returns 0 on success, negative value otherwise. 82 */ 83 static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) 84 { 85 struct tomoyo_domain_info **blob; 86 struct tomoyo_domain_info *domain; 87 88 /* 89 * Do only if this function is called for the first time of an execve 90 * operation. 91 */ 92 if (bprm->called_set_creds) 93 return 0; 94 #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER 95 /* 96 * Load policy if /sbin/tomoyo-init exists and /sbin/init is requested 97 * for the first time. 98 */ 99 if (!tomoyo_policy_loaded) 100 tomoyo_load_policy(bprm->filename); 101 #endif 102 /* 103 * Release reference to "struct tomoyo_domain_info" stored inside 104 * "bprm->cred->security". New reference to "struct tomoyo_domain_info" 105 * stored inside "bprm->cred->security" will be acquired later inside 106 * tomoyo_find_next_domain(). 107 */ 108 blob = tomoyo_cred(bprm->cred); 109 domain = *blob; 110 atomic_dec(&domain->users); 111 /* 112 * Tell tomoyo_bprm_check_security() is called for the first time of an 113 * execve operation. 114 */ 115 *blob = NULL; 116 return 0; 117 } 118 119 /** 120 * tomoyo_bprm_check_security - Target for security_bprm_check(). 121 * 122 * @bprm: Pointer to "struct linux_binprm". 123 * 124 * Returns 0 on success, negative value otherwise. 125 */ 126 static int tomoyo_bprm_check_security(struct linux_binprm *bprm) 127 { 128 struct tomoyo_domain_info **blob; 129 struct tomoyo_domain_info *domain; 130 131 blob = tomoyo_cred(bprm->cred); 132 domain = *blob; 133 /* 134 * Execute permission is checked against pathname passed to do_execve() 135 * using current domain. 136 */ 137 if (!domain) { 138 const int idx = tomoyo_read_lock(); 139 const int err = tomoyo_find_next_domain(bprm); 140 tomoyo_read_unlock(idx); 141 return err; 142 } 143 /* 144 * Read permission is checked against interpreters using next domain. 145 */ 146 return tomoyo_check_open_permission(domain, &bprm->file->f_path, 147 O_RDONLY); 148 } 149 150 /** 151 * tomoyo_inode_getattr - Target for security_inode_getattr(). 152 * 153 * @mnt: Pointer to "struct vfsmount". 154 * @dentry: Pointer to "struct dentry". 155 * 156 * Returns 0 on success, negative value otherwise. 157 */ 158 static int tomoyo_inode_getattr(const struct path *path) 159 { 160 return tomoyo_path_perm(TOMOYO_TYPE_GETATTR, path, NULL); 161 } 162 163 /** 164 * tomoyo_path_truncate - Target for security_path_truncate(). 165 * 166 * @path: Pointer to "struct path". 167 * 168 * Returns 0 on success, negative value otherwise. 169 */ 170 static int tomoyo_path_truncate(const struct path *path) 171 { 172 return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path, NULL); 173 } 174 175 /** 176 * tomoyo_path_unlink - Target for security_path_unlink(). 177 * 178 * @parent: Pointer to "struct path". 179 * @dentry: Pointer to "struct dentry". 180 * 181 * Returns 0 on success, negative value otherwise. 182 */ 183 static int tomoyo_path_unlink(const struct path *parent, struct dentry *dentry) 184 { 185 struct path path = { .mnt = parent->mnt, .dentry = dentry }; 186 return tomoyo_path_perm(TOMOYO_TYPE_UNLINK, &path, NULL); 187 } 188 189 /** 190 * tomoyo_path_mkdir - Target for security_path_mkdir(). 191 * 192 * @parent: Pointer to "struct path". 193 * @dentry: Pointer to "struct dentry". 194 * @mode: DAC permission mode. 195 * 196 * Returns 0 on success, negative value otherwise. 197 */ 198 static int tomoyo_path_mkdir(const struct path *parent, struct dentry *dentry, 199 umode_t mode) 200 { 201 struct path path = { .mnt = parent->mnt, .dentry = dentry }; 202 return tomoyo_path_number_perm(TOMOYO_TYPE_MKDIR, &path, 203 mode & S_IALLUGO); 204 } 205 206 /** 207 * tomoyo_path_rmdir - Target for security_path_rmdir(). 208 * 209 * @parent: Pointer to "struct path". 210 * @dentry: Pointer to "struct dentry". 211 * 212 * Returns 0 on success, negative value otherwise. 213 */ 214 static int tomoyo_path_rmdir(const struct path *parent, struct dentry *dentry) 215 { 216 struct path path = { .mnt = parent->mnt, .dentry = dentry }; 217 return tomoyo_path_perm(TOMOYO_TYPE_RMDIR, &path, NULL); 218 } 219 220 /** 221 * tomoyo_path_symlink - Target for security_path_symlink(). 222 * 223 * @parent: Pointer to "struct path". 224 * @dentry: Pointer to "struct dentry". 225 * @old_name: Symlink's content. 226 * 227 * Returns 0 on success, negative value otherwise. 228 */ 229 static int tomoyo_path_symlink(const struct path *parent, struct dentry *dentry, 230 const char *old_name) 231 { 232 struct path path = { .mnt = parent->mnt, .dentry = dentry }; 233 return tomoyo_path_perm(TOMOYO_TYPE_SYMLINK, &path, old_name); 234 } 235 236 /** 237 * tomoyo_path_mknod - Target for security_path_mknod(). 238 * 239 * @parent: Pointer to "struct path". 240 * @dentry: Pointer to "struct dentry". 241 * @mode: DAC permission mode. 242 * @dev: Device attributes. 243 * 244 * Returns 0 on success, negative value otherwise. 245 */ 246 static int tomoyo_path_mknod(const struct path *parent, struct dentry *dentry, 247 umode_t mode, unsigned int dev) 248 { 249 struct path path = { .mnt = parent->mnt, .dentry = dentry }; 250 int type = TOMOYO_TYPE_CREATE; 251 const unsigned int perm = mode & S_IALLUGO; 252 253 switch (mode & S_IFMT) { 254 case S_IFCHR: 255 type = TOMOYO_TYPE_MKCHAR; 256 break; 257 case S_IFBLK: 258 type = TOMOYO_TYPE_MKBLOCK; 259 break; 260 default: 261 goto no_dev; 262 } 263 return tomoyo_mkdev_perm(type, &path, perm, dev); 264 no_dev: 265 switch (mode & S_IFMT) { 266 case S_IFIFO: 267 type = TOMOYO_TYPE_MKFIFO; 268 break; 269 case S_IFSOCK: 270 type = TOMOYO_TYPE_MKSOCK; 271 break; 272 } 273 return tomoyo_path_number_perm(type, &path, perm); 274 } 275 276 /** 277 * tomoyo_path_link - Target for security_path_link(). 278 * 279 * @old_dentry: Pointer to "struct dentry". 280 * @new_dir: Pointer to "struct path". 281 * @new_dentry: Pointer to "struct dentry". 282 * 283 * Returns 0 on success, negative value otherwise. 284 */ 285 static int tomoyo_path_link(struct dentry *old_dentry, const struct path *new_dir, 286 struct dentry *new_dentry) 287 { 288 struct path path1 = { .mnt = new_dir->mnt, .dentry = old_dentry }; 289 struct path path2 = { .mnt = new_dir->mnt, .dentry = new_dentry }; 290 return tomoyo_path2_perm(TOMOYO_TYPE_LINK, &path1, &path2); 291 } 292 293 /** 294 * tomoyo_path_rename - Target for security_path_rename(). 295 * 296 * @old_parent: Pointer to "struct path". 297 * @old_dentry: Pointer to "struct dentry". 298 * @new_parent: Pointer to "struct path". 299 * @new_dentry: Pointer to "struct dentry". 300 * 301 * Returns 0 on success, negative value otherwise. 302 */ 303 static int tomoyo_path_rename(const struct path *old_parent, 304 struct dentry *old_dentry, 305 const struct path *new_parent, 306 struct dentry *new_dentry) 307 { 308 struct path path1 = { .mnt = old_parent->mnt, .dentry = old_dentry }; 309 struct path path2 = { .mnt = new_parent->mnt, .dentry = new_dentry }; 310 return tomoyo_path2_perm(TOMOYO_TYPE_RENAME, &path1, &path2); 311 } 312 313 /** 314 * tomoyo_file_fcntl - Target for security_file_fcntl(). 315 * 316 * @file: Pointer to "struct file". 317 * @cmd: Command for fcntl(). 318 * @arg: Argument for @cmd. 319 * 320 * Returns 0 on success, negative value otherwise. 321 */ 322 static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, 323 unsigned long arg) 324 { 325 if (!(cmd == F_SETFL && ((arg ^ file->f_flags) & O_APPEND))) 326 return 0; 327 return tomoyo_check_open_permission(tomoyo_domain(), &file->f_path, 328 O_WRONLY | (arg & O_APPEND)); 329 } 330 331 /** 332 * tomoyo_file_open - Target for security_file_open(). 333 * 334 * @f: Pointer to "struct file". 335 * @cred: Pointer to "struct cred". 336 * 337 * Returns 0 on success, negative value otherwise. 338 */ 339 static int tomoyo_file_open(struct file *f) 340 { 341 int flags = f->f_flags; 342 /* Don't check read permission here if called from do_execve(). */ 343 if (current->in_execve) 344 return 0; 345 return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path, flags); 346 } 347 348 /** 349 * tomoyo_file_ioctl - Target for security_file_ioctl(). 350 * 351 * @file: Pointer to "struct file". 352 * @cmd: Command for ioctl(). 353 * @arg: Argument for @cmd. 354 * 355 * Returns 0 on success, negative value otherwise. 356 */ 357 static int tomoyo_file_ioctl(struct file *file, unsigned int cmd, 358 unsigned long arg) 359 { 360 return tomoyo_path_number_perm(TOMOYO_TYPE_IOCTL, &file->f_path, cmd); 361 } 362 363 /** 364 * tomoyo_path_chmod - Target for security_path_chmod(). 365 * 366 * @path: Pointer to "struct path". 367 * @mode: DAC permission mode. 368 * 369 * Returns 0 on success, negative value otherwise. 370 */ 371 static int tomoyo_path_chmod(const struct path *path, umode_t mode) 372 { 373 return tomoyo_path_number_perm(TOMOYO_TYPE_CHMOD, path, 374 mode & S_IALLUGO); 375 } 376 377 /** 378 * tomoyo_path_chown - Target for security_path_chown(). 379 * 380 * @path: Pointer to "struct path". 381 * @uid: Owner ID. 382 * @gid: Group ID. 383 * 384 * Returns 0 on success, negative value otherwise. 385 */ 386 static int tomoyo_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 387 { 388 int error = 0; 389 if (uid_valid(uid)) 390 error = tomoyo_path_number_perm(TOMOYO_TYPE_CHOWN, path, 391 from_kuid(&init_user_ns, uid)); 392 if (!error && gid_valid(gid)) 393 error = tomoyo_path_number_perm(TOMOYO_TYPE_CHGRP, path, 394 from_kgid(&init_user_ns, gid)); 395 return error; 396 } 397 398 /** 399 * tomoyo_path_chroot - Target for security_path_chroot(). 400 * 401 * @path: Pointer to "struct path". 402 * 403 * Returns 0 on success, negative value otherwise. 404 */ 405 static int tomoyo_path_chroot(const struct path *path) 406 { 407 return tomoyo_path_perm(TOMOYO_TYPE_CHROOT, path, NULL); 408 } 409 410 /** 411 * tomoyo_sb_mount - Target for security_sb_mount(). 412 * 413 * @dev_name: Name of device file. Maybe NULL. 414 * @path: Pointer to "struct path". 415 * @type: Name of filesystem type. Maybe NULL. 416 * @flags: Mount options. 417 * @data: Optional data. Maybe NULL. 418 * 419 * Returns 0 on success, negative value otherwise. 420 */ 421 static int tomoyo_sb_mount(const char *dev_name, const struct path *path, 422 const char *type, unsigned long flags, void *data) 423 { 424 return tomoyo_mount_permission(dev_name, path, type, flags, data); 425 } 426 427 /** 428 * tomoyo_sb_umount - Target for security_sb_umount(). 429 * 430 * @mnt: Pointer to "struct vfsmount". 431 * @flags: Unmount options. 432 * 433 * Returns 0 on success, negative value otherwise. 434 */ 435 static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) 436 { 437 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; 438 return tomoyo_path_perm(TOMOYO_TYPE_UMOUNT, &path, NULL); 439 } 440 441 /** 442 * tomoyo_sb_pivotroot - Target for security_sb_pivotroot(). 443 * 444 * @old_path: Pointer to "struct path". 445 * @new_path: Pointer to "struct path". 446 * 447 * Returns 0 on success, negative value otherwise. 448 */ 449 static int tomoyo_sb_pivotroot(const struct path *old_path, const struct path *new_path) 450 { 451 return tomoyo_path2_perm(TOMOYO_TYPE_PIVOT_ROOT, new_path, old_path); 452 } 453 454 /** 455 * tomoyo_socket_listen - Check permission for listen(). 456 * 457 * @sock: Pointer to "struct socket". 458 * @backlog: Backlog parameter. 459 * 460 * Returns 0 on success, negative value otherwise. 461 */ 462 static int tomoyo_socket_listen(struct socket *sock, int backlog) 463 { 464 return tomoyo_socket_listen_permission(sock); 465 } 466 467 /** 468 * tomoyo_socket_connect - Check permission for connect(). 469 * 470 * @sock: Pointer to "struct socket". 471 * @addr: Pointer to "struct sockaddr". 472 * @addr_len: Size of @addr. 473 * 474 * Returns 0 on success, negative value otherwise. 475 */ 476 static int tomoyo_socket_connect(struct socket *sock, struct sockaddr *addr, 477 int addr_len) 478 { 479 return tomoyo_socket_connect_permission(sock, addr, addr_len); 480 } 481 482 /** 483 * tomoyo_socket_bind - Check permission for bind(). 484 * 485 * @sock: Pointer to "struct socket". 486 * @addr: Pointer to "struct sockaddr". 487 * @addr_len: Size of @addr. 488 * 489 * Returns 0 on success, negative value otherwise. 490 */ 491 static int tomoyo_socket_bind(struct socket *sock, struct sockaddr *addr, 492 int addr_len) 493 { 494 return tomoyo_socket_bind_permission(sock, addr, addr_len); 495 } 496 497 /** 498 * tomoyo_socket_sendmsg - Check permission for sendmsg(). 499 * 500 * @sock: Pointer to "struct socket". 501 * @msg: Pointer to "struct msghdr". 502 * @size: Size of message. 503 * 504 * Returns 0 on success, negative value otherwise. 505 */ 506 static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg, 507 int size) 508 { 509 return tomoyo_socket_sendmsg_permission(sock, msg, size); 510 } 511 512 struct lsm_blob_sizes tomoyo_blob_sizes __lsm_ro_after_init = { 513 .lbs_cred = sizeof(struct tomoyo_domain_info *), 514 }; 515 516 /* 517 * tomoyo_security_ops is a "struct security_operations" which is used for 518 * registering TOMOYO. 519 */ 520 static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = { 521 LSM_HOOK_INIT(cred_alloc_blank, tomoyo_cred_alloc_blank), 522 LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare), 523 LSM_HOOK_INIT(cred_transfer, tomoyo_cred_transfer), 524 LSM_HOOK_INIT(cred_free, tomoyo_cred_free), 525 LSM_HOOK_INIT(bprm_set_creds, tomoyo_bprm_set_creds), 526 LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security), 527 LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl), 528 LSM_HOOK_INIT(file_open, tomoyo_file_open), 529 LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate), 530 LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink), 531 LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir), 532 LSM_HOOK_INIT(path_rmdir, tomoyo_path_rmdir), 533 LSM_HOOK_INIT(path_symlink, tomoyo_path_symlink), 534 LSM_HOOK_INIT(path_mknod, tomoyo_path_mknod), 535 LSM_HOOK_INIT(path_link, tomoyo_path_link), 536 LSM_HOOK_INIT(path_rename, tomoyo_path_rename), 537 LSM_HOOK_INIT(inode_getattr, tomoyo_inode_getattr), 538 LSM_HOOK_INIT(file_ioctl, tomoyo_file_ioctl), 539 LSM_HOOK_INIT(path_chmod, tomoyo_path_chmod), 540 LSM_HOOK_INIT(path_chown, tomoyo_path_chown), 541 LSM_HOOK_INIT(path_chroot, tomoyo_path_chroot), 542 LSM_HOOK_INIT(sb_mount, tomoyo_sb_mount), 543 LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount), 544 LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot), 545 LSM_HOOK_INIT(socket_bind, tomoyo_socket_bind), 546 LSM_HOOK_INIT(socket_connect, tomoyo_socket_connect), 547 LSM_HOOK_INIT(socket_listen, tomoyo_socket_listen), 548 LSM_HOOK_INIT(socket_sendmsg, tomoyo_socket_sendmsg), 549 }; 550 551 /* Lock for GC. */ 552 DEFINE_SRCU(tomoyo_ss); 553 554 int tomoyo_enabled __lsm_ro_after_init = 1; 555 556 /** 557 * tomoyo_init - Register TOMOYO Linux as a LSM module. 558 * 559 * Returns 0. 560 */ 561 static int __init tomoyo_init(void) 562 { 563 struct cred *cred = (struct cred *) current_cred(); 564 struct tomoyo_domain_info **blob; 565 566 /* register ourselves with the security framework */ 567 security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); 568 printk(KERN_INFO "TOMOYO Linux initialized\n"); 569 lsm_early_cred(cred); 570 blob = tomoyo_cred(cred); 571 *blob = &tomoyo_kernel_domain; 572 tomoyo_mm_init(); 573 574 return 0; 575 } 576 577 DEFINE_LSM(tomoyo) = { 578 .name = "tomoyo", 579 .enabled = &tomoyo_enabled, 580 .flags = LSM_FLAG_LEGACY_MAJOR, 581 .blobs = &tomoyo_blob_sizes, 582 .init = tomoyo_init, 583 }; 584