xref: /openbmc/linux/security/tomoyo/common.c (revision 2a598d0b)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * security/tomoyo/common.c
4  *
5  * Copyright (C) 2005-2011  NTT DATA CORPORATION
6  */
7 
8 #include <linux/uaccess.h>
9 #include <linux/slab.h>
10 #include <linux/security.h>
11 #include <linux/string_helpers.h>
12 #include "common.h"
13 
14 /* String table for operation mode. */
15 const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = {
16 	[TOMOYO_CONFIG_DISABLED]   = "disabled",
17 	[TOMOYO_CONFIG_LEARNING]   = "learning",
18 	[TOMOYO_CONFIG_PERMISSIVE] = "permissive",
19 	[TOMOYO_CONFIG_ENFORCING]  = "enforcing"
20 };
21 
22 /* String table for /sys/kernel/security/tomoyo/profile */
23 const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
24 				       + TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
25 	/* CONFIG::file group */
26 	[TOMOYO_MAC_FILE_EXECUTE]    = "execute",
27 	[TOMOYO_MAC_FILE_OPEN]       = "open",
28 	[TOMOYO_MAC_FILE_CREATE]     = "create",
29 	[TOMOYO_MAC_FILE_UNLINK]     = "unlink",
30 	[TOMOYO_MAC_FILE_GETATTR]    = "getattr",
31 	[TOMOYO_MAC_FILE_MKDIR]      = "mkdir",
32 	[TOMOYO_MAC_FILE_RMDIR]      = "rmdir",
33 	[TOMOYO_MAC_FILE_MKFIFO]     = "mkfifo",
34 	[TOMOYO_MAC_FILE_MKSOCK]     = "mksock",
35 	[TOMOYO_MAC_FILE_TRUNCATE]   = "truncate",
36 	[TOMOYO_MAC_FILE_SYMLINK]    = "symlink",
37 	[TOMOYO_MAC_FILE_MKBLOCK]    = "mkblock",
38 	[TOMOYO_MAC_FILE_MKCHAR]     = "mkchar",
39 	[TOMOYO_MAC_FILE_LINK]       = "link",
40 	[TOMOYO_MAC_FILE_RENAME]     = "rename",
41 	[TOMOYO_MAC_FILE_CHMOD]      = "chmod",
42 	[TOMOYO_MAC_FILE_CHOWN]      = "chown",
43 	[TOMOYO_MAC_FILE_CHGRP]      = "chgrp",
44 	[TOMOYO_MAC_FILE_IOCTL]      = "ioctl",
45 	[TOMOYO_MAC_FILE_CHROOT]     = "chroot",
46 	[TOMOYO_MAC_FILE_MOUNT]      = "mount",
47 	[TOMOYO_MAC_FILE_UMOUNT]     = "unmount",
48 	[TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root",
49 	/* CONFIG::network group */
50 	[TOMOYO_MAC_NETWORK_INET_STREAM_BIND]       = "inet_stream_bind",
51 	[TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN]     = "inet_stream_listen",
52 	[TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT]    = "inet_stream_connect",
53 	[TOMOYO_MAC_NETWORK_INET_DGRAM_BIND]        = "inet_dgram_bind",
54 	[TOMOYO_MAC_NETWORK_INET_DGRAM_SEND]        = "inet_dgram_send",
55 	[TOMOYO_MAC_NETWORK_INET_RAW_BIND]          = "inet_raw_bind",
56 	[TOMOYO_MAC_NETWORK_INET_RAW_SEND]          = "inet_raw_send",
57 	[TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND]       = "unix_stream_bind",
58 	[TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN]     = "unix_stream_listen",
59 	[TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT]    = "unix_stream_connect",
60 	[TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND]        = "unix_dgram_bind",
61 	[TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND]        = "unix_dgram_send",
62 	[TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND]    = "unix_seqpacket_bind",
63 	[TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN]  = "unix_seqpacket_listen",
64 	[TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] = "unix_seqpacket_connect",
65 	/* CONFIG::misc group */
66 	[TOMOYO_MAC_ENVIRON] = "env",
67 	/* CONFIG group */
68 	[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file",
69 	[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_NETWORK] = "network",
70 	[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_MISC] = "misc",
71 };
72 
73 /* String table for conditions. */
74 const char * const tomoyo_condition_keyword[TOMOYO_MAX_CONDITION_KEYWORD] = {
75 	[TOMOYO_TASK_UID]             = "task.uid",
76 	[TOMOYO_TASK_EUID]            = "task.euid",
77 	[TOMOYO_TASK_SUID]            = "task.suid",
78 	[TOMOYO_TASK_FSUID]           = "task.fsuid",
79 	[TOMOYO_TASK_GID]             = "task.gid",
80 	[TOMOYO_TASK_EGID]            = "task.egid",
81 	[TOMOYO_TASK_SGID]            = "task.sgid",
82 	[TOMOYO_TASK_FSGID]           = "task.fsgid",
83 	[TOMOYO_TASK_PID]             = "task.pid",
84 	[TOMOYO_TASK_PPID]            = "task.ppid",
85 	[TOMOYO_EXEC_ARGC]            = "exec.argc",
86 	[TOMOYO_EXEC_ENVC]            = "exec.envc",
87 	[TOMOYO_TYPE_IS_SOCKET]       = "socket",
88 	[TOMOYO_TYPE_IS_SYMLINK]      = "symlink",
89 	[TOMOYO_TYPE_IS_FILE]         = "file",
90 	[TOMOYO_TYPE_IS_BLOCK_DEV]    = "block",
91 	[TOMOYO_TYPE_IS_DIRECTORY]    = "directory",
92 	[TOMOYO_TYPE_IS_CHAR_DEV]     = "char",
93 	[TOMOYO_TYPE_IS_FIFO]         = "fifo",
94 	[TOMOYO_MODE_SETUID]          = "setuid",
95 	[TOMOYO_MODE_SETGID]          = "setgid",
96 	[TOMOYO_MODE_STICKY]          = "sticky",
97 	[TOMOYO_MODE_OWNER_READ]      = "owner_read",
98 	[TOMOYO_MODE_OWNER_WRITE]     = "owner_write",
99 	[TOMOYO_MODE_OWNER_EXECUTE]   = "owner_execute",
100 	[TOMOYO_MODE_GROUP_READ]      = "group_read",
101 	[TOMOYO_MODE_GROUP_WRITE]     = "group_write",
102 	[TOMOYO_MODE_GROUP_EXECUTE]   = "group_execute",
103 	[TOMOYO_MODE_OTHERS_READ]     = "others_read",
104 	[TOMOYO_MODE_OTHERS_WRITE]    = "others_write",
105 	[TOMOYO_MODE_OTHERS_EXECUTE]  = "others_execute",
106 	[TOMOYO_EXEC_REALPATH]        = "exec.realpath",
107 	[TOMOYO_SYMLINK_TARGET]       = "symlink.target",
108 	[TOMOYO_PATH1_UID]            = "path1.uid",
109 	[TOMOYO_PATH1_GID]            = "path1.gid",
110 	[TOMOYO_PATH1_INO]            = "path1.ino",
111 	[TOMOYO_PATH1_MAJOR]          = "path1.major",
112 	[TOMOYO_PATH1_MINOR]          = "path1.minor",
113 	[TOMOYO_PATH1_PERM]           = "path1.perm",
114 	[TOMOYO_PATH1_TYPE]           = "path1.type",
115 	[TOMOYO_PATH1_DEV_MAJOR]      = "path1.dev_major",
116 	[TOMOYO_PATH1_DEV_MINOR]      = "path1.dev_minor",
117 	[TOMOYO_PATH2_UID]            = "path2.uid",
118 	[TOMOYO_PATH2_GID]            = "path2.gid",
119 	[TOMOYO_PATH2_INO]            = "path2.ino",
120 	[TOMOYO_PATH2_MAJOR]          = "path2.major",
121 	[TOMOYO_PATH2_MINOR]          = "path2.minor",
122 	[TOMOYO_PATH2_PERM]           = "path2.perm",
123 	[TOMOYO_PATH2_TYPE]           = "path2.type",
124 	[TOMOYO_PATH2_DEV_MAJOR]      = "path2.dev_major",
125 	[TOMOYO_PATH2_DEV_MINOR]      = "path2.dev_minor",
126 	[TOMOYO_PATH1_PARENT_UID]     = "path1.parent.uid",
127 	[TOMOYO_PATH1_PARENT_GID]     = "path1.parent.gid",
128 	[TOMOYO_PATH1_PARENT_INO]     = "path1.parent.ino",
129 	[TOMOYO_PATH1_PARENT_PERM]    = "path1.parent.perm",
130 	[TOMOYO_PATH2_PARENT_UID]     = "path2.parent.uid",
131 	[TOMOYO_PATH2_PARENT_GID]     = "path2.parent.gid",
132 	[TOMOYO_PATH2_PARENT_INO]     = "path2.parent.ino",
133 	[TOMOYO_PATH2_PARENT_PERM]    = "path2.parent.perm",
134 };
135 
136 /* String table for PREFERENCE keyword. */
137 static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = {
138 	[TOMOYO_PREF_MAX_AUDIT_LOG]      = "max_audit_log",
139 	[TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry",
140 };
141 
142 /* String table for path operation. */
143 const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
144 	[TOMOYO_TYPE_EXECUTE]    = "execute",
145 	[TOMOYO_TYPE_READ]       = "read",
146 	[TOMOYO_TYPE_WRITE]      = "write",
147 	[TOMOYO_TYPE_APPEND]     = "append",
148 	[TOMOYO_TYPE_UNLINK]     = "unlink",
149 	[TOMOYO_TYPE_GETATTR]    = "getattr",
150 	[TOMOYO_TYPE_RMDIR]      = "rmdir",
151 	[TOMOYO_TYPE_TRUNCATE]   = "truncate",
152 	[TOMOYO_TYPE_SYMLINK]    = "symlink",
153 	[TOMOYO_TYPE_CHROOT]     = "chroot",
154 	[TOMOYO_TYPE_UMOUNT]     = "unmount",
155 };
156 
157 /* String table for socket's operation. */
158 const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION] = {
159 	[TOMOYO_NETWORK_BIND]    = "bind",
160 	[TOMOYO_NETWORK_LISTEN]  = "listen",
161 	[TOMOYO_NETWORK_CONNECT] = "connect",
162 	[TOMOYO_NETWORK_SEND]    = "send",
163 };
164 
165 /* String table for categories. */
166 static const char * const tomoyo_category_keywords
167 [TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
168 	[TOMOYO_MAC_CATEGORY_FILE]    = "file",
169 	[TOMOYO_MAC_CATEGORY_NETWORK] = "network",
170 	[TOMOYO_MAC_CATEGORY_MISC]    = "misc",
171 };
172 
173 /* Permit policy management by non-root user? */
174 static bool tomoyo_manage_by_non_root;
175 
176 /* Utility functions. */
177 
178 /**
179  * tomoyo_addprintf - strncat()-like-snprintf().
180  *
181  * @buffer: Buffer to write to. Must be '\0'-terminated.
182  * @len:    Size of @buffer.
183  * @fmt:    The printf()'s format string, followed by parameters.
184  *
185  * Returns nothing.
186  */
187 static void tomoyo_addprintf(char *buffer, int len, const char *fmt, ...)
188 {
189 	va_list args;
190 	const int pos = strlen(buffer);
191 
192 	va_start(args, fmt);
193 	vsnprintf(buffer + pos, len - pos - 1, fmt, args);
194 	va_end(args);
195 }
196 
197 /**
198  * tomoyo_flush - Flush queued string to userspace's buffer.
199  *
200  * @head:   Pointer to "struct tomoyo_io_buffer".
201  *
202  * Returns true if all data was flushed, false otherwise.
203  */
204 static bool tomoyo_flush(struct tomoyo_io_buffer *head)
205 {
206 	while (head->r.w_pos) {
207 		const char *w = head->r.w[0];
208 		size_t len = strlen(w);
209 
210 		if (len) {
211 			if (len > head->read_user_buf_avail)
212 				len = head->read_user_buf_avail;
213 			if (!len)
214 				return false;
215 			if (copy_to_user(head->read_user_buf, w, len))
216 				return false;
217 			head->read_user_buf_avail -= len;
218 			head->read_user_buf += len;
219 			w += len;
220 		}
221 		head->r.w[0] = w;
222 		if (*w)
223 			return false;
224 		/* Add '\0' for audit logs and query. */
225 		if (head->poll) {
226 			if (!head->read_user_buf_avail ||
227 			    copy_to_user(head->read_user_buf, "", 1))
228 				return false;
229 			head->read_user_buf_avail--;
230 			head->read_user_buf++;
231 		}
232 		head->r.w_pos--;
233 		for (len = 0; len < head->r.w_pos; len++)
234 			head->r.w[len] = head->r.w[len + 1];
235 	}
236 	head->r.avail = 0;
237 	return true;
238 }
239 
240 /**
241  * tomoyo_set_string - Queue string to "struct tomoyo_io_buffer" structure.
242  *
243  * @head:   Pointer to "struct tomoyo_io_buffer".
244  * @string: String to print.
245  *
246  * Note that @string has to be kept valid until @head is kfree()d.
247  * This means that char[] allocated on stack memory cannot be passed to
248  * this function. Use tomoyo_io_printf() for char[] allocated on stack memory.
249  */
250 static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string)
251 {
252 	if (head->r.w_pos < TOMOYO_MAX_IO_READ_QUEUE) {
253 		head->r.w[head->r.w_pos++] = string;
254 		tomoyo_flush(head);
255 	} else
256 		WARN_ON(1);
257 }
258 
259 static void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt,
260 			     ...) __printf(2, 3);
261 
262 /**
263  * tomoyo_io_printf - printf() to "struct tomoyo_io_buffer" structure.
264  *
265  * @head: Pointer to "struct tomoyo_io_buffer".
266  * @fmt:  The printf()'s format string, followed by parameters.
267  */
268 static void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt,
269 			     ...)
270 {
271 	va_list args;
272 	size_t len;
273 	size_t pos = head->r.avail;
274 	int size = head->readbuf_size - pos;
275 
276 	if (size <= 0)
277 		return;
278 	va_start(args, fmt);
279 	len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1;
280 	va_end(args);
281 	if (pos + len >= head->readbuf_size) {
282 		WARN_ON(1);
283 		return;
284 	}
285 	head->r.avail += len;
286 	tomoyo_set_string(head, head->read_buf + pos);
287 }
288 
289 /**
290  * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure.
291  *
292  * @head: Pointer to "struct tomoyo_io_buffer".
293  *
294  * Returns nothing.
295  */
296 static void tomoyo_set_space(struct tomoyo_io_buffer *head)
297 {
298 	tomoyo_set_string(head, " ");
299 }
300 
301 /**
302  * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure.
303  *
304  * @head: Pointer to "struct tomoyo_io_buffer".
305  *
306  * Returns nothing.
307  */
308 static bool tomoyo_set_lf(struct tomoyo_io_buffer *head)
309 {
310 	tomoyo_set_string(head, "\n");
311 	return !head->r.w_pos;
312 }
313 
314 /**
315  * tomoyo_set_slash - Put a shash to "struct tomoyo_io_buffer" structure.
316  *
317  * @head: Pointer to "struct tomoyo_io_buffer".
318  *
319  * Returns nothing.
320  */
321 static void tomoyo_set_slash(struct tomoyo_io_buffer *head)
322 {
323 	tomoyo_set_string(head, "/");
324 }
325 
326 /* List of namespaces. */
327 LIST_HEAD(tomoyo_namespace_list);
328 /* True if namespace other than tomoyo_kernel_namespace is defined. */
329 static bool tomoyo_namespace_enabled;
330 
331 /**
332  * tomoyo_init_policy_namespace - Initialize namespace.
333  *
334  * @ns: Pointer to "struct tomoyo_policy_namespace".
335  *
336  * Returns nothing.
337  */
338 void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns)
339 {
340 	unsigned int idx;
341 
342 	for (idx = 0; idx < TOMOYO_MAX_ACL_GROUPS; idx++)
343 		INIT_LIST_HEAD(&ns->acl_group[idx]);
344 	for (idx = 0; idx < TOMOYO_MAX_GROUP; idx++)
345 		INIT_LIST_HEAD(&ns->group_list[idx]);
346 	for (idx = 0; idx < TOMOYO_MAX_POLICY; idx++)
347 		INIT_LIST_HEAD(&ns->policy_list[idx]);
348 	ns->profile_version = 20150505;
349 	tomoyo_namespace_enabled = !list_empty(&tomoyo_namespace_list);
350 	list_add_tail_rcu(&ns->namespace_list, &tomoyo_namespace_list);
351 }
352 
353 /**
354  * tomoyo_print_namespace - Print namespace header.
355  *
356  * @head: Pointer to "struct tomoyo_io_buffer".
357  *
358  * Returns nothing.
359  */
360 static void tomoyo_print_namespace(struct tomoyo_io_buffer *head)
361 {
362 	if (!tomoyo_namespace_enabled)
363 		return;
364 	tomoyo_set_string(head,
365 			  container_of(head->r.ns,
366 				       struct tomoyo_policy_namespace,
367 				       namespace_list)->name);
368 	tomoyo_set_space(head);
369 }
370 
371 /**
372  * tomoyo_print_name_union - Print a tomoyo_name_union.
373  *
374  * @head: Pointer to "struct tomoyo_io_buffer".
375  * @ptr:  Pointer to "struct tomoyo_name_union".
376  */
377 static void tomoyo_print_name_union(struct tomoyo_io_buffer *head,
378 				    const struct tomoyo_name_union *ptr)
379 {
380 	tomoyo_set_space(head);
381 	if (ptr->group) {
382 		tomoyo_set_string(head, "@");
383 		tomoyo_set_string(head, ptr->group->group_name->name);
384 	} else {
385 		tomoyo_set_string(head, ptr->filename->name);
386 	}
387 }
388 
389 /**
390  * tomoyo_print_name_union_quoted - Print a tomoyo_name_union with a quote.
391  *
392  * @head: Pointer to "struct tomoyo_io_buffer".
393  * @ptr:  Pointer to "struct tomoyo_name_union".
394  *
395  * Returns nothing.
396  */
397 static void tomoyo_print_name_union_quoted(struct tomoyo_io_buffer *head,
398 					   const struct tomoyo_name_union *ptr)
399 {
400 	if (ptr->group) {
401 		tomoyo_set_string(head, "@");
402 		tomoyo_set_string(head, ptr->group->group_name->name);
403 	} else {
404 		tomoyo_set_string(head, "\"");
405 		tomoyo_set_string(head, ptr->filename->name);
406 		tomoyo_set_string(head, "\"");
407 	}
408 }
409 
410 /**
411  * tomoyo_print_number_union_nospace - Print a tomoyo_number_union without a space.
412  *
413  * @head: Pointer to "struct tomoyo_io_buffer".
414  * @ptr:  Pointer to "struct tomoyo_number_union".
415  *
416  * Returns nothing.
417  */
418 static void tomoyo_print_number_union_nospace
419 (struct tomoyo_io_buffer *head, const struct tomoyo_number_union *ptr)
420 {
421 	if (ptr->group) {
422 		tomoyo_set_string(head, "@");
423 		tomoyo_set_string(head, ptr->group->group_name->name);
424 	} else {
425 		int i;
426 		unsigned long min = ptr->values[0];
427 		const unsigned long max = ptr->values[1];
428 		u8 min_type = ptr->value_type[0];
429 		const u8 max_type = ptr->value_type[1];
430 		char buffer[128];
431 
432 		buffer[0] = '\0';
433 		for (i = 0; i < 2; i++) {
434 			switch (min_type) {
435 			case TOMOYO_VALUE_TYPE_HEXADECIMAL:
436 				tomoyo_addprintf(buffer, sizeof(buffer),
437 						 "0x%lX", min);
438 				break;
439 			case TOMOYO_VALUE_TYPE_OCTAL:
440 				tomoyo_addprintf(buffer, sizeof(buffer),
441 						 "0%lo", min);
442 				break;
443 			default:
444 				tomoyo_addprintf(buffer, sizeof(buffer), "%lu",
445 						 min);
446 				break;
447 			}
448 			if (min == max && min_type == max_type)
449 				break;
450 			tomoyo_addprintf(buffer, sizeof(buffer), "-");
451 			min_type = max_type;
452 			min = max;
453 		}
454 		tomoyo_io_printf(head, "%s", buffer);
455 	}
456 }
457 
458 /**
459  * tomoyo_print_number_union - Print a tomoyo_number_union.
460  *
461  * @head: Pointer to "struct tomoyo_io_buffer".
462  * @ptr:  Pointer to "struct tomoyo_number_union".
463  *
464  * Returns nothing.
465  */
466 static void tomoyo_print_number_union(struct tomoyo_io_buffer *head,
467 				      const struct tomoyo_number_union *ptr)
468 {
469 	tomoyo_set_space(head);
470 	tomoyo_print_number_union_nospace(head, ptr);
471 }
472 
473 /**
474  * tomoyo_assign_profile - Create a new profile.
475  *
476  * @ns:      Pointer to "struct tomoyo_policy_namespace".
477  * @profile: Profile number to create.
478  *
479  * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
480  */
481 static struct tomoyo_profile *tomoyo_assign_profile
482 (struct tomoyo_policy_namespace *ns, const unsigned int profile)
483 {
484 	struct tomoyo_profile *ptr;
485 	struct tomoyo_profile *entry;
486 
487 	if (profile >= TOMOYO_MAX_PROFILES)
488 		return NULL;
489 	ptr = ns->profile_ptr[profile];
490 	if (ptr)
491 		return ptr;
492 	entry = kzalloc(sizeof(*entry), GFP_NOFS | __GFP_NOWARN);
493 	if (mutex_lock_interruptible(&tomoyo_policy_lock))
494 		goto out;
495 	ptr = ns->profile_ptr[profile];
496 	if (!ptr && tomoyo_memory_ok(entry)) {
497 		ptr = entry;
498 		ptr->default_config = TOMOYO_CONFIG_DISABLED |
499 			TOMOYO_CONFIG_WANT_GRANT_LOG |
500 			TOMOYO_CONFIG_WANT_REJECT_LOG;
501 		memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT,
502 		       sizeof(ptr->config));
503 		ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] =
504 			CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG;
505 		ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] =
506 			CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY;
507 		mb(); /* Avoid out-of-order execution. */
508 		ns->profile_ptr[profile] = ptr;
509 		entry = NULL;
510 	}
511 	mutex_unlock(&tomoyo_policy_lock);
512  out:
513 	kfree(entry);
514 	return ptr;
515 }
516 
517 /**
518  * tomoyo_profile - Find a profile.
519  *
520  * @ns:      Pointer to "struct tomoyo_policy_namespace".
521  * @profile: Profile number to find.
522  *
523  * Returns pointer to "struct tomoyo_profile".
524  */
525 struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns,
526 				      const u8 profile)
527 {
528 	static struct tomoyo_profile tomoyo_null_profile;
529 	struct tomoyo_profile *ptr = ns->profile_ptr[profile];
530 
531 	if (!ptr)
532 		ptr = &tomoyo_null_profile;
533 	return ptr;
534 }
535 
536 /**
537  * tomoyo_find_yesno - Find values for specified keyword.
538  *
539  * @string: String to check.
540  * @find:   Name of keyword.
541  *
542  * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise.
543  */
544 static s8 tomoyo_find_yesno(const char *string, const char *find)
545 {
546 	const char *cp = strstr(string, find);
547 
548 	if (cp) {
549 		cp += strlen(find);
550 		if (!strncmp(cp, "=yes", 4))
551 			return 1;
552 		else if (!strncmp(cp, "=no", 3))
553 			return 0;
554 	}
555 	return -1;
556 }
557 
558 /**
559  * tomoyo_set_uint - Set value for specified preference.
560  *
561  * @i:      Pointer to "unsigned int".
562  * @string: String to check.
563  * @find:   Name of keyword.
564  *
565  * Returns nothing.
566  */
567 static void tomoyo_set_uint(unsigned int *i, const char *string,
568 			    const char *find)
569 {
570 	const char *cp = strstr(string, find);
571 
572 	if (cp)
573 		sscanf(cp + strlen(find), "=%u", i);
574 }
575 
576 /**
577  * tomoyo_set_mode - Set mode for specified profile.
578  *
579  * @name:    Name of functionality.
580  * @value:   Mode for @name.
581  * @profile: Pointer to "struct tomoyo_profile".
582  *
583  * Returns 0 on success, negative value otherwise.
584  */
585 static int tomoyo_set_mode(char *name, const char *value,
586 			   struct tomoyo_profile *profile)
587 {
588 	u8 i;
589 	u8 config;
590 
591 	if (!strcmp(name, "CONFIG")) {
592 		i = TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX;
593 		config = profile->default_config;
594 	} else if (tomoyo_str_starts(&name, "CONFIG::")) {
595 		config = 0;
596 		for (i = 0; i < TOMOYO_MAX_MAC_INDEX
597 			     + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) {
598 			int len = 0;
599 
600 			if (i < TOMOYO_MAX_MAC_INDEX) {
601 				const u8 c = tomoyo_index2category[i];
602 				const char *category =
603 					tomoyo_category_keywords[c];
604 
605 				len = strlen(category);
606 				if (strncmp(name, category, len) ||
607 				    name[len++] != ':' || name[len++] != ':')
608 					continue;
609 			}
610 			if (strcmp(name + len, tomoyo_mac_keywords[i]))
611 				continue;
612 			config = profile->config[i];
613 			break;
614 		}
615 		if (i == TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX)
616 			return -EINVAL;
617 	} else {
618 		return -EINVAL;
619 	}
620 	if (strstr(value, "use_default")) {
621 		config = TOMOYO_CONFIG_USE_DEFAULT;
622 	} else {
623 		u8 mode;
624 
625 		for (mode = 0; mode < 4; mode++)
626 			if (strstr(value, tomoyo_mode[mode]))
627 				/*
628 				 * Update lower 3 bits in order to distinguish
629 				 * 'config' from 'TOMOYO_CONFIG_USE_DEFAULT'.
630 				 */
631 				config = (config & ~7) | mode;
632 		if (config != TOMOYO_CONFIG_USE_DEFAULT) {
633 			switch (tomoyo_find_yesno(value, "grant_log")) {
634 			case 1:
635 				config |= TOMOYO_CONFIG_WANT_GRANT_LOG;
636 				break;
637 			case 0:
638 				config &= ~TOMOYO_CONFIG_WANT_GRANT_LOG;
639 				break;
640 			}
641 			switch (tomoyo_find_yesno(value, "reject_log")) {
642 			case 1:
643 				config |= TOMOYO_CONFIG_WANT_REJECT_LOG;
644 				break;
645 			case 0:
646 				config &= ~TOMOYO_CONFIG_WANT_REJECT_LOG;
647 				break;
648 			}
649 		}
650 	}
651 	if (i < TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX)
652 		profile->config[i] = config;
653 	else if (config != TOMOYO_CONFIG_USE_DEFAULT)
654 		profile->default_config = config;
655 	return 0;
656 }
657 
658 /**
659  * tomoyo_write_profile - Write profile table.
660  *
661  * @head: Pointer to "struct tomoyo_io_buffer".
662  *
663  * Returns 0 on success, negative value otherwise.
664  */
665 static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
666 {
667 	char *data = head->write_buf;
668 	unsigned int i;
669 	char *cp;
670 	struct tomoyo_profile *profile;
671 
672 	if (sscanf(data, "PROFILE_VERSION=%u", &head->w.ns->profile_version)
673 	    == 1)
674 		return 0;
675 	i = simple_strtoul(data, &cp, 10);
676 	if (*cp != '-')
677 		return -EINVAL;
678 	data = cp + 1;
679 	profile = tomoyo_assign_profile(head->w.ns, i);
680 	if (!profile)
681 		return -EINVAL;
682 	cp = strchr(data, '=');
683 	if (!cp)
684 		return -EINVAL;
685 	*cp++ = '\0';
686 	if (!strcmp(data, "COMMENT")) {
687 		static DEFINE_SPINLOCK(lock);
688 		const struct tomoyo_path_info *new_comment
689 			= tomoyo_get_name(cp);
690 		const struct tomoyo_path_info *old_comment;
691 
692 		if (!new_comment)
693 			return -ENOMEM;
694 		spin_lock(&lock);
695 		old_comment = profile->comment;
696 		profile->comment = new_comment;
697 		spin_unlock(&lock);
698 		tomoyo_put_name(old_comment);
699 		return 0;
700 	}
701 	if (!strcmp(data, "PREFERENCE")) {
702 		for (i = 0; i < TOMOYO_MAX_PREF; i++)
703 			tomoyo_set_uint(&profile->pref[i], cp,
704 					tomoyo_pref_keywords[i]);
705 		return 0;
706 	}
707 	return tomoyo_set_mode(data, cp, profile);
708 }
709 
710 /**
711  * tomoyo_print_config - Print mode for specified functionality.
712  *
713  * @head:   Pointer to "struct tomoyo_io_buffer".
714  * @config: Mode for that functionality.
715  *
716  * Returns nothing.
717  *
718  * Caller prints functionality's name.
719  */
720 static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config)
721 {
722 	tomoyo_io_printf(head, "={ mode=%s grant_log=%s reject_log=%s }\n",
723 			 tomoyo_mode[config & 3],
724 			 str_yes_no(config & TOMOYO_CONFIG_WANT_GRANT_LOG),
725 			 str_yes_no(config & TOMOYO_CONFIG_WANT_REJECT_LOG));
726 }
727 
728 /**
729  * tomoyo_read_profile - Read profile table.
730  *
731  * @head: Pointer to "struct tomoyo_io_buffer".
732  *
733  * Returns nothing.
734  */
735 static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
736 {
737 	u8 index;
738 	struct tomoyo_policy_namespace *ns =
739 		container_of(head->r.ns, typeof(*ns), namespace_list);
740 	const struct tomoyo_profile *profile;
741 
742 	if (head->r.eof)
743 		return;
744  next:
745 	index = head->r.index;
746 	profile = ns->profile_ptr[index];
747 	switch (head->r.step) {
748 	case 0:
749 		tomoyo_print_namespace(head);
750 		tomoyo_io_printf(head, "PROFILE_VERSION=%u\n",
751 				 ns->profile_version);
752 		head->r.step++;
753 		break;
754 	case 1:
755 		for ( ; head->r.index < TOMOYO_MAX_PROFILES;
756 		      head->r.index++)
757 			if (ns->profile_ptr[head->r.index])
758 				break;
759 		if (head->r.index == TOMOYO_MAX_PROFILES) {
760 			head->r.eof = true;
761 			return;
762 		}
763 		head->r.step++;
764 		break;
765 	case 2:
766 		{
767 			u8 i;
768 			const struct tomoyo_path_info *comment =
769 				profile->comment;
770 
771 			tomoyo_print_namespace(head);
772 			tomoyo_io_printf(head, "%u-COMMENT=", index);
773 			tomoyo_set_string(head, comment ? comment->name : "");
774 			tomoyo_set_lf(head);
775 			tomoyo_print_namespace(head);
776 			tomoyo_io_printf(head, "%u-PREFERENCE={ ", index);
777 			for (i = 0; i < TOMOYO_MAX_PREF; i++)
778 				tomoyo_io_printf(head, "%s=%u ",
779 						 tomoyo_pref_keywords[i],
780 						 profile->pref[i]);
781 			tomoyo_set_string(head, "}\n");
782 			head->r.step++;
783 		}
784 		break;
785 	case 3:
786 		{
787 			tomoyo_print_namespace(head);
788 			tomoyo_io_printf(head, "%u-%s", index, "CONFIG");
789 			tomoyo_print_config(head, profile->default_config);
790 			head->r.bit = 0;
791 			head->r.step++;
792 		}
793 		break;
794 	case 4:
795 		for ( ; head->r.bit < TOMOYO_MAX_MAC_INDEX
796 			      + TOMOYO_MAX_MAC_CATEGORY_INDEX; head->r.bit++) {
797 			const u8 i = head->r.bit;
798 			const u8 config = profile->config[i];
799 
800 			if (config == TOMOYO_CONFIG_USE_DEFAULT)
801 				continue;
802 			tomoyo_print_namespace(head);
803 			if (i < TOMOYO_MAX_MAC_INDEX)
804 				tomoyo_io_printf(head, "%u-CONFIG::%s::%s",
805 						 index,
806 						 tomoyo_category_keywords
807 						 [tomoyo_index2category[i]],
808 						 tomoyo_mac_keywords[i]);
809 			else
810 				tomoyo_io_printf(head, "%u-CONFIG::%s", index,
811 						 tomoyo_mac_keywords[i]);
812 			tomoyo_print_config(head, config);
813 			head->r.bit++;
814 			break;
815 		}
816 		if (head->r.bit == TOMOYO_MAX_MAC_INDEX
817 		    + TOMOYO_MAX_MAC_CATEGORY_INDEX) {
818 			head->r.index++;
819 			head->r.step = 1;
820 		}
821 		break;
822 	}
823 	if (tomoyo_flush(head))
824 		goto next;
825 }
826 
827 /**
828  * tomoyo_same_manager - Check for duplicated "struct tomoyo_manager" entry.
829  *
830  * @a: Pointer to "struct tomoyo_acl_head".
831  * @b: Pointer to "struct tomoyo_acl_head".
832  *
833  * Returns true if @a == @b, false otherwise.
834  */
835 static bool tomoyo_same_manager(const struct tomoyo_acl_head *a,
836 				const struct tomoyo_acl_head *b)
837 {
838 	return container_of(a, struct tomoyo_manager, head)->manager ==
839 		container_of(b, struct tomoyo_manager, head)->manager;
840 }
841 
842 /**
843  * tomoyo_update_manager_entry - Add a manager entry.
844  *
845  * @manager:   The path to manager or the domainnamme.
846  * @is_delete: True if it is a delete request.
847  *
848  * Returns 0 on success, negative value otherwise.
849  *
850  * Caller holds tomoyo_read_lock().
851  */
852 static int tomoyo_update_manager_entry(const char *manager,
853 				       const bool is_delete)
854 {
855 	struct tomoyo_manager e = { };
856 	struct tomoyo_acl_param param = {
857 		/* .ns = &tomoyo_kernel_namespace, */
858 		.is_delete = is_delete,
859 		.list = &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER],
860 	};
861 	int error = is_delete ? -ENOENT : -ENOMEM;
862 
863 	if (!tomoyo_correct_domain(manager) &&
864 	    !tomoyo_correct_word(manager))
865 		return -EINVAL;
866 	e.manager = tomoyo_get_name(manager);
867 	if (e.manager) {
868 		error = tomoyo_update_policy(&e.head, sizeof(e), &param,
869 					     tomoyo_same_manager);
870 		tomoyo_put_name(e.manager);
871 	}
872 	return error;
873 }
874 
875 /**
876  * tomoyo_write_manager - Write manager policy.
877  *
878  * @head: Pointer to "struct tomoyo_io_buffer".
879  *
880  * Returns 0 on success, negative value otherwise.
881  *
882  * Caller holds tomoyo_read_lock().
883  */
884 static int tomoyo_write_manager(struct tomoyo_io_buffer *head)
885 {
886 	char *data = head->write_buf;
887 
888 	if (!strcmp(data, "manage_by_non_root")) {
889 		tomoyo_manage_by_non_root = !head->w.is_delete;
890 		return 0;
891 	}
892 	return tomoyo_update_manager_entry(data, head->w.is_delete);
893 }
894 
895 /**
896  * tomoyo_read_manager - Read manager policy.
897  *
898  * @head: Pointer to "struct tomoyo_io_buffer".
899  *
900  * Caller holds tomoyo_read_lock().
901  */
902 static void tomoyo_read_manager(struct tomoyo_io_buffer *head)
903 {
904 	if (head->r.eof)
905 		return;
906 	list_for_each_cookie(head->r.acl, &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER]) {
907 		struct tomoyo_manager *ptr =
908 			list_entry(head->r.acl, typeof(*ptr), head.list);
909 
910 		if (ptr->head.is_deleted)
911 			continue;
912 		if (!tomoyo_flush(head))
913 			return;
914 		tomoyo_set_string(head, ptr->manager->name);
915 		tomoyo_set_lf(head);
916 	}
917 	head->r.eof = true;
918 }
919 
920 /**
921  * tomoyo_manager - Check whether the current process is a policy manager.
922  *
923  * Returns true if the current process is permitted to modify policy
924  * via /sys/kernel/security/tomoyo/ interface.
925  *
926  * Caller holds tomoyo_read_lock().
927  */
928 static bool tomoyo_manager(void)
929 {
930 	struct tomoyo_manager *ptr;
931 	const char *exe;
932 	const struct task_struct *task = current;
933 	const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
934 	bool found = IS_ENABLED(CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING);
935 
936 	if (!tomoyo_policy_loaded)
937 		return true;
938 	if (!tomoyo_manage_by_non_root &&
939 	    (!uid_eq(task->cred->uid,  GLOBAL_ROOT_UID) ||
940 	     !uid_eq(task->cred->euid, GLOBAL_ROOT_UID)))
941 		return false;
942 	exe = tomoyo_get_exe();
943 	if (!exe)
944 		return false;
945 	list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER], head.list,
946 				srcu_read_lock_held(&tomoyo_ss)) {
947 		if (!ptr->head.is_deleted &&
948 		    (!tomoyo_pathcmp(domainname, ptr->manager) ||
949 		     !strcmp(exe, ptr->manager->name))) {
950 			found = true;
951 			break;
952 		}
953 	}
954 	if (!found) { /* Reduce error messages. */
955 		static pid_t last_pid;
956 		const pid_t pid = current->pid;
957 
958 		if (last_pid != pid) {
959 			pr_warn("%s ( %s ) is not permitted to update policies.\n",
960 				domainname->name, exe);
961 			last_pid = pid;
962 		}
963 	}
964 	kfree(exe);
965 	return found;
966 }
967 
968 static struct tomoyo_domain_info *tomoyo_find_domain_by_qid
969 (unsigned int serial);
970 
971 /**
972  * tomoyo_select_domain - Parse select command.
973  *
974  * @head: Pointer to "struct tomoyo_io_buffer".
975  * @data: String to parse.
976  *
977  * Returns true on success, false otherwise.
978  *
979  * Caller holds tomoyo_read_lock().
980  */
981 static bool tomoyo_select_domain(struct tomoyo_io_buffer *head,
982 				 const char *data)
983 {
984 	unsigned int pid;
985 	struct tomoyo_domain_info *domain = NULL;
986 	bool global_pid = false;
987 
988 	if (strncmp(data, "select ", 7))
989 		return false;
990 	data += 7;
991 	if (sscanf(data, "pid=%u", &pid) == 1 ||
992 	    (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
993 		struct task_struct *p;
994 
995 		rcu_read_lock();
996 		if (global_pid)
997 			p = find_task_by_pid_ns(pid, &init_pid_ns);
998 		else
999 			p = find_task_by_vpid(pid);
1000 		if (p)
1001 			domain = tomoyo_task(p)->domain_info;
1002 		rcu_read_unlock();
1003 	} else if (!strncmp(data, "domain=", 7)) {
1004 		if (tomoyo_domain_def(data + 7))
1005 			domain = tomoyo_find_domain(data + 7);
1006 	} else if (sscanf(data, "Q=%u", &pid) == 1) {
1007 		domain = tomoyo_find_domain_by_qid(pid);
1008 	} else
1009 		return false;
1010 	head->w.domain = domain;
1011 	/* Accessing read_buf is safe because head->io_sem is held. */
1012 	if (!head->read_buf)
1013 		return true; /* Do nothing if open(O_WRONLY). */
1014 	memset(&head->r, 0, sizeof(head->r));
1015 	head->r.print_this_domain_only = true;
1016 	if (domain)
1017 		head->r.domain = &domain->list;
1018 	else
1019 		head->r.eof = true;
1020 	tomoyo_io_printf(head, "# select %s\n", data);
1021 	if (domain && domain->is_deleted)
1022 		tomoyo_io_printf(head, "# This is a deleted domain.\n");
1023 	return true;
1024 }
1025 
1026 /**
1027  * tomoyo_same_task_acl - Check for duplicated "struct tomoyo_task_acl" entry.
1028  *
1029  * @a: Pointer to "struct tomoyo_acl_info".
1030  * @b: Pointer to "struct tomoyo_acl_info".
1031  *
1032  * Returns true if @a == @b, false otherwise.
1033  */
1034 static bool tomoyo_same_task_acl(const struct tomoyo_acl_info *a,
1035 				 const struct tomoyo_acl_info *b)
1036 {
1037 	const struct tomoyo_task_acl *p1 = container_of(a, typeof(*p1), head);
1038 	const struct tomoyo_task_acl *p2 = container_of(b, typeof(*p2), head);
1039 
1040 	return p1->domainname == p2->domainname;
1041 }
1042 
1043 /**
1044  * tomoyo_write_task - Update task related list.
1045  *
1046  * @param: Pointer to "struct tomoyo_acl_param".
1047  *
1048  * Returns 0 on success, negative value otherwise.
1049  *
1050  * Caller holds tomoyo_read_lock().
1051  */
1052 static int tomoyo_write_task(struct tomoyo_acl_param *param)
1053 {
1054 	int error = -EINVAL;
1055 
1056 	if (tomoyo_str_starts(&param->data, "manual_domain_transition ")) {
1057 		struct tomoyo_task_acl e = {
1058 			.head.type = TOMOYO_TYPE_MANUAL_TASK_ACL,
1059 			.domainname = tomoyo_get_domainname(param),
1060 		};
1061 
1062 		if (e.domainname)
1063 			error = tomoyo_update_domain(&e.head, sizeof(e), param,
1064 						     tomoyo_same_task_acl,
1065 						     NULL);
1066 		tomoyo_put_name(e.domainname);
1067 	}
1068 	return error;
1069 }
1070 
1071 /**
1072  * tomoyo_delete_domain - Delete a domain.
1073  *
1074  * @domainname: The name of domain.
1075  *
1076  * Returns 0 on success, negative value otherwise.
1077  *
1078  * Caller holds tomoyo_read_lock().
1079  */
1080 static int tomoyo_delete_domain(char *domainname)
1081 {
1082 	struct tomoyo_domain_info *domain;
1083 	struct tomoyo_path_info name;
1084 
1085 	name.name = domainname;
1086 	tomoyo_fill_path_info(&name);
1087 	if (mutex_lock_interruptible(&tomoyo_policy_lock))
1088 		return -EINTR;
1089 	/* Is there an active domain? */
1090 	list_for_each_entry_rcu(domain, &tomoyo_domain_list, list,
1091 				srcu_read_lock_held(&tomoyo_ss)) {
1092 		/* Never delete tomoyo_kernel_domain */
1093 		if (domain == &tomoyo_kernel_domain)
1094 			continue;
1095 		if (domain->is_deleted ||
1096 		    tomoyo_pathcmp(domain->domainname, &name))
1097 			continue;
1098 		domain->is_deleted = true;
1099 		break;
1100 	}
1101 	mutex_unlock(&tomoyo_policy_lock);
1102 	return 0;
1103 }
1104 
1105 /**
1106  * tomoyo_write_domain2 - Write domain policy.
1107  *
1108  * @ns:        Pointer to "struct tomoyo_policy_namespace".
1109  * @list:      Pointer to "struct list_head".
1110  * @data:      Policy to be interpreted.
1111  * @is_delete: True if it is a delete request.
1112  *
1113  * Returns 0 on success, negative value otherwise.
1114  *
1115  * Caller holds tomoyo_read_lock().
1116  */
1117 static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns,
1118 				struct list_head *list, char *data,
1119 				const bool is_delete)
1120 {
1121 	struct tomoyo_acl_param param = {
1122 		.ns = ns,
1123 		.list = list,
1124 		.data = data,
1125 		.is_delete = is_delete,
1126 	};
1127 	static const struct {
1128 		const char *keyword;
1129 		int (*write)(struct tomoyo_acl_param *param);
1130 	} tomoyo_callback[5] = {
1131 		{ "file ", tomoyo_write_file },
1132 		{ "network inet ", tomoyo_write_inet_network },
1133 		{ "network unix ", tomoyo_write_unix_network },
1134 		{ "misc ", tomoyo_write_misc },
1135 		{ "task ", tomoyo_write_task },
1136 	};
1137 	u8 i;
1138 
1139 	for (i = 0; i < ARRAY_SIZE(tomoyo_callback); i++) {
1140 		if (!tomoyo_str_starts(&param.data,
1141 				       tomoyo_callback[i].keyword))
1142 			continue;
1143 		return tomoyo_callback[i].write(&param);
1144 	}
1145 	return -EINVAL;
1146 }
1147 
1148 /* String table for domain flags. */
1149 const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS] = {
1150 	[TOMOYO_DIF_QUOTA_WARNED]      = "quota_exceeded\n",
1151 	[TOMOYO_DIF_TRANSITION_FAILED] = "transition_failed\n",
1152 };
1153 
1154 /**
1155  * tomoyo_write_domain - Write domain policy.
1156  *
1157  * @head: Pointer to "struct tomoyo_io_buffer".
1158  *
1159  * Returns 0 on success, negative value otherwise.
1160  *
1161  * Caller holds tomoyo_read_lock().
1162  */
1163 static int tomoyo_write_domain(struct tomoyo_io_buffer *head)
1164 {
1165 	char *data = head->write_buf;
1166 	struct tomoyo_policy_namespace *ns;
1167 	struct tomoyo_domain_info *domain = head->w.domain;
1168 	const bool is_delete = head->w.is_delete;
1169 	bool is_select = !is_delete && tomoyo_str_starts(&data, "select ");
1170 	unsigned int idx;
1171 
1172 	if (*data == '<') {
1173 		int ret = 0;
1174 
1175 		domain = NULL;
1176 		if (is_delete)
1177 			ret = tomoyo_delete_domain(data);
1178 		else if (is_select)
1179 			domain = tomoyo_find_domain(data);
1180 		else
1181 			domain = tomoyo_assign_domain(data, false);
1182 		head->w.domain = domain;
1183 		return ret;
1184 	}
1185 	if (!domain)
1186 		return -EINVAL;
1187 	ns = domain->ns;
1188 	if (sscanf(data, "use_profile %u", &idx) == 1
1189 	    && idx < TOMOYO_MAX_PROFILES) {
1190 		if (!tomoyo_policy_loaded || ns->profile_ptr[idx])
1191 			if (!is_delete)
1192 				domain->profile = (u8) idx;
1193 		return 0;
1194 	}
1195 	if (sscanf(data, "use_group %u\n", &idx) == 1
1196 	    && idx < TOMOYO_MAX_ACL_GROUPS) {
1197 		if (!is_delete)
1198 			set_bit(idx, domain->group);
1199 		else
1200 			clear_bit(idx, domain->group);
1201 		return 0;
1202 	}
1203 	for (idx = 0; idx < TOMOYO_MAX_DOMAIN_INFO_FLAGS; idx++) {
1204 		const char *cp = tomoyo_dif[idx];
1205 
1206 		if (strncmp(data, cp, strlen(cp) - 1))
1207 			continue;
1208 		domain->flags[idx] = !is_delete;
1209 		return 0;
1210 	}
1211 	return tomoyo_write_domain2(ns, &domain->acl_info_list, data,
1212 				    is_delete);
1213 }
1214 
1215 /**
1216  * tomoyo_print_condition - Print condition part.
1217  *
1218  * @head: Pointer to "struct tomoyo_io_buffer".
1219  * @cond: Pointer to "struct tomoyo_condition".
1220  *
1221  * Returns true on success, false otherwise.
1222  */
1223 static bool tomoyo_print_condition(struct tomoyo_io_buffer *head,
1224 				   const struct tomoyo_condition *cond)
1225 {
1226 	switch (head->r.cond_step) {
1227 	case 0:
1228 		head->r.cond_index = 0;
1229 		head->r.cond_step++;
1230 		if (cond->transit) {
1231 			tomoyo_set_space(head);
1232 			tomoyo_set_string(head, cond->transit->name);
1233 		}
1234 		fallthrough;
1235 	case 1:
1236 		{
1237 			const u16 condc = cond->condc;
1238 			const struct tomoyo_condition_element *condp =
1239 				(typeof(condp)) (cond + 1);
1240 			const struct tomoyo_number_union *numbers_p =
1241 				(typeof(numbers_p)) (condp + condc);
1242 			const struct tomoyo_name_union *names_p =
1243 				(typeof(names_p))
1244 				(numbers_p + cond->numbers_count);
1245 			const struct tomoyo_argv *argv =
1246 				(typeof(argv)) (names_p + cond->names_count);
1247 			const struct tomoyo_envp *envp =
1248 				(typeof(envp)) (argv + cond->argc);
1249 			u16 skip;
1250 
1251 			for (skip = 0; skip < head->r.cond_index; skip++) {
1252 				const u8 left = condp->left;
1253 				const u8 right = condp->right;
1254 
1255 				condp++;
1256 				switch (left) {
1257 				case TOMOYO_ARGV_ENTRY:
1258 					argv++;
1259 					continue;
1260 				case TOMOYO_ENVP_ENTRY:
1261 					envp++;
1262 					continue;
1263 				case TOMOYO_NUMBER_UNION:
1264 					numbers_p++;
1265 					break;
1266 				}
1267 				switch (right) {
1268 				case TOMOYO_NAME_UNION:
1269 					names_p++;
1270 					break;
1271 				case TOMOYO_NUMBER_UNION:
1272 					numbers_p++;
1273 					break;
1274 				}
1275 			}
1276 			while (head->r.cond_index < condc) {
1277 				const u8 match = condp->equals;
1278 				const u8 left = condp->left;
1279 				const u8 right = condp->right;
1280 
1281 				if (!tomoyo_flush(head))
1282 					return false;
1283 				condp++;
1284 				head->r.cond_index++;
1285 				tomoyo_set_space(head);
1286 				switch (left) {
1287 				case TOMOYO_ARGV_ENTRY:
1288 					tomoyo_io_printf(head,
1289 							 "exec.argv[%lu]%s=\"",
1290 							 argv->index, argv->is_not ? "!" : "");
1291 					tomoyo_set_string(head,
1292 							  argv->value->name);
1293 					tomoyo_set_string(head, "\"");
1294 					argv++;
1295 					continue;
1296 				case TOMOYO_ENVP_ENTRY:
1297 					tomoyo_set_string(head,
1298 							  "exec.envp[\"");
1299 					tomoyo_set_string(head,
1300 							  envp->name->name);
1301 					tomoyo_io_printf(head, "\"]%s=", envp->is_not ? "!" : "");
1302 					if (envp->value) {
1303 						tomoyo_set_string(head, "\"");
1304 						tomoyo_set_string(head, envp->value->name);
1305 						tomoyo_set_string(head, "\"");
1306 					} else {
1307 						tomoyo_set_string(head,
1308 								  "NULL");
1309 					}
1310 					envp++;
1311 					continue;
1312 				case TOMOYO_NUMBER_UNION:
1313 					tomoyo_print_number_union_nospace
1314 						(head, numbers_p++);
1315 					break;
1316 				default:
1317 					tomoyo_set_string(head,
1318 					       tomoyo_condition_keyword[left]);
1319 					break;
1320 				}
1321 				tomoyo_set_string(head, match ? "=" : "!=");
1322 				switch (right) {
1323 				case TOMOYO_NAME_UNION:
1324 					tomoyo_print_name_union_quoted
1325 						(head, names_p++);
1326 					break;
1327 				case TOMOYO_NUMBER_UNION:
1328 					tomoyo_print_number_union_nospace
1329 						(head, numbers_p++);
1330 					break;
1331 				default:
1332 					tomoyo_set_string(head,
1333 					  tomoyo_condition_keyword[right]);
1334 					break;
1335 				}
1336 			}
1337 		}
1338 		head->r.cond_step++;
1339 		fallthrough;
1340 	case 2:
1341 		if (!tomoyo_flush(head))
1342 			break;
1343 		head->r.cond_step++;
1344 		fallthrough;
1345 	case 3:
1346 		if (cond->grant_log != TOMOYO_GRANTLOG_AUTO)
1347 			tomoyo_io_printf(head, " grant_log=%s",
1348 					 str_yes_no(cond->grant_log ==
1349 						    TOMOYO_GRANTLOG_YES));
1350 		tomoyo_set_lf(head);
1351 		return true;
1352 	}
1353 	return false;
1354 }
1355 
1356 /**
1357  * tomoyo_set_group - Print "acl_group " header keyword and category name.
1358  *
1359  * @head:     Pointer to "struct tomoyo_io_buffer".
1360  * @category: Category name.
1361  *
1362  * Returns nothing.
1363  */
1364 static void tomoyo_set_group(struct tomoyo_io_buffer *head,
1365 			     const char *category)
1366 {
1367 	if (head->type == TOMOYO_EXCEPTIONPOLICY) {
1368 		tomoyo_print_namespace(head);
1369 		tomoyo_io_printf(head, "acl_group %u ",
1370 				 head->r.acl_group_index);
1371 	}
1372 	tomoyo_set_string(head, category);
1373 }
1374 
1375 /**
1376  * tomoyo_print_entry - Print an ACL entry.
1377  *
1378  * @head: Pointer to "struct tomoyo_io_buffer".
1379  * @acl:  Pointer to an ACL entry.
1380  *
1381  * Returns true on success, false otherwise.
1382  */
1383 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
1384 			       struct tomoyo_acl_info *acl)
1385 {
1386 	const u8 acl_type = acl->type;
1387 	bool first = true;
1388 	u8 bit;
1389 
1390 	if (head->r.print_cond_part)
1391 		goto print_cond_part;
1392 	if (acl->is_deleted)
1393 		return true;
1394 	if (!tomoyo_flush(head))
1395 		return false;
1396 	else if (acl_type == TOMOYO_TYPE_PATH_ACL) {
1397 		struct tomoyo_path_acl *ptr =
1398 			container_of(acl, typeof(*ptr), head);
1399 		const u16 perm = ptr->perm;
1400 
1401 		for (bit = 0; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
1402 			if (!(perm & (1 << bit)))
1403 				continue;
1404 			if (head->r.print_transition_related_only &&
1405 			    bit != TOMOYO_TYPE_EXECUTE)
1406 				continue;
1407 			if (first) {
1408 				tomoyo_set_group(head, "file ");
1409 				first = false;
1410 			} else {
1411 				tomoyo_set_slash(head);
1412 			}
1413 			tomoyo_set_string(head, tomoyo_path_keyword[bit]);
1414 		}
1415 		if (first)
1416 			return true;
1417 		tomoyo_print_name_union(head, &ptr->name);
1418 	} else if (acl_type == TOMOYO_TYPE_MANUAL_TASK_ACL) {
1419 		struct tomoyo_task_acl *ptr =
1420 			container_of(acl, typeof(*ptr), head);
1421 
1422 		tomoyo_set_group(head, "task ");
1423 		tomoyo_set_string(head, "manual_domain_transition ");
1424 		tomoyo_set_string(head, ptr->domainname->name);
1425 	} else if (head->r.print_transition_related_only) {
1426 		return true;
1427 	} else if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
1428 		struct tomoyo_path2_acl *ptr =
1429 			container_of(acl, typeof(*ptr), head);
1430 		const u8 perm = ptr->perm;
1431 
1432 		for (bit = 0; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
1433 			if (!(perm & (1 << bit)))
1434 				continue;
1435 			if (first) {
1436 				tomoyo_set_group(head, "file ");
1437 				first = false;
1438 			} else {
1439 				tomoyo_set_slash(head);
1440 			}
1441 			tomoyo_set_string(head, tomoyo_mac_keywords
1442 					  [tomoyo_pp2mac[bit]]);
1443 		}
1444 		if (first)
1445 			return true;
1446 		tomoyo_print_name_union(head, &ptr->name1);
1447 		tomoyo_print_name_union(head, &ptr->name2);
1448 	} else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) {
1449 		struct tomoyo_path_number_acl *ptr =
1450 			container_of(acl, typeof(*ptr), head);
1451 		const u8 perm = ptr->perm;
1452 
1453 		for (bit = 0; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; bit++) {
1454 			if (!(perm & (1 << bit)))
1455 				continue;
1456 			if (first) {
1457 				tomoyo_set_group(head, "file ");
1458 				first = false;
1459 			} else {
1460 				tomoyo_set_slash(head);
1461 			}
1462 			tomoyo_set_string(head, tomoyo_mac_keywords
1463 					  [tomoyo_pn2mac[bit]]);
1464 		}
1465 		if (first)
1466 			return true;
1467 		tomoyo_print_name_union(head, &ptr->name);
1468 		tomoyo_print_number_union(head, &ptr->number);
1469 	} else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) {
1470 		struct tomoyo_mkdev_acl *ptr =
1471 			container_of(acl, typeof(*ptr), head);
1472 		const u8 perm = ptr->perm;
1473 
1474 		for (bit = 0; bit < TOMOYO_MAX_MKDEV_OPERATION; bit++) {
1475 			if (!(perm & (1 << bit)))
1476 				continue;
1477 			if (first) {
1478 				tomoyo_set_group(head, "file ");
1479 				first = false;
1480 			} else {
1481 				tomoyo_set_slash(head);
1482 			}
1483 			tomoyo_set_string(head, tomoyo_mac_keywords
1484 					  [tomoyo_pnnn2mac[bit]]);
1485 		}
1486 		if (first)
1487 			return true;
1488 		tomoyo_print_name_union(head, &ptr->name);
1489 		tomoyo_print_number_union(head, &ptr->mode);
1490 		tomoyo_print_number_union(head, &ptr->major);
1491 		tomoyo_print_number_union(head, &ptr->minor);
1492 	} else if (acl_type == TOMOYO_TYPE_INET_ACL) {
1493 		struct tomoyo_inet_acl *ptr =
1494 			container_of(acl, typeof(*ptr), head);
1495 		const u8 perm = ptr->perm;
1496 
1497 		for (bit = 0; bit < TOMOYO_MAX_NETWORK_OPERATION; bit++) {
1498 			if (!(perm & (1 << bit)))
1499 				continue;
1500 			if (first) {
1501 				tomoyo_set_group(head, "network inet ");
1502 				tomoyo_set_string(head, tomoyo_proto_keyword
1503 						  [ptr->protocol]);
1504 				tomoyo_set_space(head);
1505 				first = false;
1506 			} else {
1507 				tomoyo_set_slash(head);
1508 			}
1509 			tomoyo_set_string(head, tomoyo_socket_keyword[bit]);
1510 		}
1511 		if (first)
1512 			return true;
1513 		tomoyo_set_space(head);
1514 		if (ptr->address.group) {
1515 			tomoyo_set_string(head, "@");
1516 			tomoyo_set_string(head, ptr->address.group->group_name
1517 					  ->name);
1518 		} else {
1519 			char buf[128];
1520 
1521 			tomoyo_print_ip(buf, sizeof(buf), &ptr->address);
1522 			tomoyo_io_printf(head, "%s", buf);
1523 		}
1524 		tomoyo_print_number_union(head, &ptr->port);
1525 	} else if (acl_type == TOMOYO_TYPE_UNIX_ACL) {
1526 		struct tomoyo_unix_acl *ptr =
1527 			container_of(acl, typeof(*ptr), head);
1528 		const u8 perm = ptr->perm;
1529 
1530 		for (bit = 0; bit < TOMOYO_MAX_NETWORK_OPERATION; bit++) {
1531 			if (!(perm & (1 << bit)))
1532 				continue;
1533 			if (first) {
1534 				tomoyo_set_group(head, "network unix ");
1535 				tomoyo_set_string(head, tomoyo_proto_keyword
1536 						  [ptr->protocol]);
1537 				tomoyo_set_space(head);
1538 				first = false;
1539 			} else {
1540 				tomoyo_set_slash(head);
1541 			}
1542 			tomoyo_set_string(head, tomoyo_socket_keyword[bit]);
1543 		}
1544 		if (first)
1545 			return true;
1546 		tomoyo_print_name_union(head, &ptr->name);
1547 	} else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) {
1548 		struct tomoyo_mount_acl *ptr =
1549 			container_of(acl, typeof(*ptr), head);
1550 
1551 		tomoyo_set_group(head, "file mount");
1552 		tomoyo_print_name_union(head, &ptr->dev_name);
1553 		tomoyo_print_name_union(head, &ptr->dir_name);
1554 		tomoyo_print_name_union(head, &ptr->fs_type);
1555 		tomoyo_print_number_union(head, &ptr->flags);
1556 	} else if (acl_type == TOMOYO_TYPE_ENV_ACL) {
1557 		struct tomoyo_env_acl *ptr =
1558 			container_of(acl, typeof(*ptr), head);
1559 
1560 		tomoyo_set_group(head, "misc env ");
1561 		tomoyo_set_string(head, ptr->env->name);
1562 	}
1563 	if (acl->cond) {
1564 		head->r.print_cond_part = true;
1565 		head->r.cond_step = 0;
1566 		if (!tomoyo_flush(head))
1567 			return false;
1568 print_cond_part:
1569 		if (!tomoyo_print_condition(head, acl->cond))
1570 			return false;
1571 		head->r.print_cond_part = false;
1572 	} else {
1573 		tomoyo_set_lf(head);
1574 	}
1575 	return true;
1576 }
1577 
1578 /**
1579  * tomoyo_read_domain2 - Read domain policy.
1580  *
1581  * @head: Pointer to "struct tomoyo_io_buffer".
1582  * @list: Pointer to "struct list_head".
1583  *
1584  * Caller holds tomoyo_read_lock().
1585  *
1586  * Returns true on success, false otherwise.
1587  */
1588 static bool tomoyo_read_domain2(struct tomoyo_io_buffer *head,
1589 				struct list_head *list)
1590 {
1591 	list_for_each_cookie(head->r.acl, list) {
1592 		struct tomoyo_acl_info *ptr =
1593 			list_entry(head->r.acl, typeof(*ptr), list);
1594 
1595 		if (!tomoyo_print_entry(head, ptr))
1596 			return false;
1597 	}
1598 	head->r.acl = NULL;
1599 	return true;
1600 }
1601 
1602 /**
1603  * tomoyo_read_domain - Read domain policy.
1604  *
1605  * @head: Pointer to "struct tomoyo_io_buffer".
1606  *
1607  * Caller holds tomoyo_read_lock().
1608  */
1609 static void tomoyo_read_domain(struct tomoyo_io_buffer *head)
1610 {
1611 	if (head->r.eof)
1612 		return;
1613 	list_for_each_cookie(head->r.domain, &tomoyo_domain_list) {
1614 		struct tomoyo_domain_info *domain =
1615 			list_entry(head->r.domain, typeof(*domain), list);
1616 		u8 i;
1617 
1618 		switch (head->r.step) {
1619 		case 0:
1620 			if (domain->is_deleted &&
1621 			    !head->r.print_this_domain_only)
1622 				continue;
1623 			/* Print domainname and flags. */
1624 			tomoyo_set_string(head, domain->domainname->name);
1625 			tomoyo_set_lf(head);
1626 			tomoyo_io_printf(head, "use_profile %u\n",
1627 					 domain->profile);
1628 			for (i = 0; i < TOMOYO_MAX_DOMAIN_INFO_FLAGS; i++)
1629 				if (domain->flags[i])
1630 					tomoyo_set_string(head, tomoyo_dif[i]);
1631 			head->r.index = 0;
1632 			head->r.step++;
1633 			fallthrough;
1634 		case 1:
1635 			while (head->r.index < TOMOYO_MAX_ACL_GROUPS) {
1636 				i = head->r.index++;
1637 				if (!test_bit(i, domain->group))
1638 					continue;
1639 				tomoyo_io_printf(head, "use_group %u\n", i);
1640 				if (!tomoyo_flush(head))
1641 					return;
1642 			}
1643 			head->r.index = 0;
1644 			head->r.step++;
1645 			tomoyo_set_lf(head);
1646 			fallthrough;
1647 		case 2:
1648 			if (!tomoyo_read_domain2(head, &domain->acl_info_list))
1649 				return;
1650 			head->r.step++;
1651 			if (!tomoyo_set_lf(head))
1652 				return;
1653 			fallthrough;
1654 		case 3:
1655 			head->r.step = 0;
1656 			if (head->r.print_this_domain_only)
1657 				goto done;
1658 		}
1659 	}
1660  done:
1661 	head->r.eof = true;
1662 }
1663 
1664 /**
1665  * tomoyo_write_pid: Specify PID to obtain domainname.
1666  *
1667  * @head: Pointer to "struct tomoyo_io_buffer".
1668  *
1669  * Returns 0.
1670  */
1671 static int tomoyo_write_pid(struct tomoyo_io_buffer *head)
1672 {
1673 	head->r.eof = false;
1674 	return 0;
1675 }
1676 
1677 /**
1678  * tomoyo_read_pid - Get domainname of the specified PID.
1679  *
1680  * @head: Pointer to "struct tomoyo_io_buffer".
1681  *
1682  * Returns the domainname which the specified PID is in on success,
1683  * empty string otherwise.
1684  * The PID is specified by tomoyo_write_pid() so that the user can obtain
1685  * using read()/write() interface rather than sysctl() interface.
1686  */
1687 static void tomoyo_read_pid(struct tomoyo_io_buffer *head)
1688 {
1689 	char *buf = head->write_buf;
1690 	bool global_pid = false;
1691 	unsigned int pid;
1692 	struct task_struct *p;
1693 	struct tomoyo_domain_info *domain = NULL;
1694 
1695 	/* Accessing write_buf is safe because head->io_sem is held. */
1696 	if (!buf) {
1697 		head->r.eof = true;
1698 		return; /* Do nothing if open(O_RDONLY). */
1699 	}
1700 	if (head->r.w_pos || head->r.eof)
1701 		return;
1702 	head->r.eof = true;
1703 	if (tomoyo_str_starts(&buf, "global-pid "))
1704 		global_pid = true;
1705 	if (kstrtouint(buf, 10, &pid))
1706 		return;
1707 	rcu_read_lock();
1708 	if (global_pid)
1709 		p = find_task_by_pid_ns(pid, &init_pid_ns);
1710 	else
1711 		p = find_task_by_vpid(pid);
1712 	if (p)
1713 		domain = tomoyo_task(p)->domain_info;
1714 	rcu_read_unlock();
1715 	if (!domain)
1716 		return;
1717 	tomoyo_io_printf(head, "%u %u ", pid, domain->profile);
1718 	tomoyo_set_string(head, domain->domainname->name);
1719 }
1720 
1721 /* String table for domain transition control keywords. */
1722 static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = {
1723 	[TOMOYO_TRANSITION_CONTROL_NO_RESET]      = "no_reset_domain ",
1724 	[TOMOYO_TRANSITION_CONTROL_RESET]         = "reset_domain ",
1725 	[TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ",
1726 	[TOMOYO_TRANSITION_CONTROL_INITIALIZE]    = "initialize_domain ",
1727 	[TOMOYO_TRANSITION_CONTROL_NO_KEEP]       = "no_keep_domain ",
1728 	[TOMOYO_TRANSITION_CONTROL_KEEP]          = "keep_domain ",
1729 };
1730 
1731 /* String table for grouping keywords. */
1732 static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = {
1733 	[TOMOYO_PATH_GROUP]    = "path_group ",
1734 	[TOMOYO_NUMBER_GROUP]  = "number_group ",
1735 	[TOMOYO_ADDRESS_GROUP] = "address_group ",
1736 };
1737 
1738 /**
1739  * tomoyo_write_exception - Write exception policy.
1740  *
1741  * @head: Pointer to "struct tomoyo_io_buffer".
1742  *
1743  * Returns 0 on success, negative value otherwise.
1744  *
1745  * Caller holds tomoyo_read_lock().
1746  */
1747 static int tomoyo_write_exception(struct tomoyo_io_buffer *head)
1748 {
1749 	const bool is_delete = head->w.is_delete;
1750 	struct tomoyo_acl_param param = {
1751 		.ns = head->w.ns,
1752 		.is_delete = is_delete,
1753 		.data = head->write_buf,
1754 	};
1755 	u8 i;
1756 
1757 	if (tomoyo_str_starts(&param.data, "aggregator "))
1758 		return tomoyo_write_aggregator(&param);
1759 	for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++)
1760 		if (tomoyo_str_starts(&param.data, tomoyo_transition_type[i]))
1761 			return tomoyo_write_transition_control(&param, i);
1762 	for (i = 0; i < TOMOYO_MAX_GROUP; i++)
1763 		if (tomoyo_str_starts(&param.data, tomoyo_group_name[i]))
1764 			return tomoyo_write_group(&param, i);
1765 	if (tomoyo_str_starts(&param.data, "acl_group ")) {
1766 		unsigned int group;
1767 		char *data;
1768 
1769 		group = simple_strtoul(param.data, &data, 10);
1770 		if (group < TOMOYO_MAX_ACL_GROUPS && *data++ == ' ')
1771 			return tomoyo_write_domain2
1772 				(head->w.ns, &head->w.ns->acl_group[group],
1773 				 data, is_delete);
1774 	}
1775 	return -EINVAL;
1776 }
1777 
1778 /**
1779  * tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group"/"struct tomoyo_address_group" list.
1780  *
1781  * @head: Pointer to "struct tomoyo_io_buffer".
1782  * @idx:  Index number.
1783  *
1784  * Returns true on success, false otherwise.
1785  *
1786  * Caller holds tomoyo_read_lock().
1787  */
1788 static bool tomoyo_read_group(struct tomoyo_io_buffer *head, const int idx)
1789 {
1790 	struct tomoyo_policy_namespace *ns =
1791 		container_of(head->r.ns, typeof(*ns), namespace_list);
1792 	struct list_head *list = &ns->group_list[idx];
1793 
1794 	list_for_each_cookie(head->r.group, list) {
1795 		struct tomoyo_group *group =
1796 			list_entry(head->r.group, typeof(*group), head.list);
1797 
1798 		list_for_each_cookie(head->r.acl, &group->member_list) {
1799 			struct tomoyo_acl_head *ptr =
1800 				list_entry(head->r.acl, typeof(*ptr), list);
1801 
1802 			if (ptr->is_deleted)
1803 				continue;
1804 			if (!tomoyo_flush(head))
1805 				return false;
1806 			tomoyo_print_namespace(head);
1807 			tomoyo_set_string(head, tomoyo_group_name[idx]);
1808 			tomoyo_set_string(head, group->group_name->name);
1809 			if (idx == TOMOYO_PATH_GROUP) {
1810 				tomoyo_set_space(head);
1811 				tomoyo_set_string(head, container_of
1812 					       (ptr, struct tomoyo_path_group,
1813 						head)->member_name->name);
1814 			} else if (idx == TOMOYO_NUMBER_GROUP) {
1815 				tomoyo_print_number_union(head, &container_of
1816 							  (ptr,
1817 						   struct tomoyo_number_group,
1818 							   head)->number);
1819 			} else if (idx == TOMOYO_ADDRESS_GROUP) {
1820 				char buffer[128];
1821 				struct tomoyo_address_group *member =
1822 					container_of(ptr, typeof(*member),
1823 						     head);
1824 
1825 				tomoyo_print_ip(buffer, sizeof(buffer),
1826 						&member->address);
1827 				tomoyo_io_printf(head, " %s", buffer);
1828 			}
1829 			tomoyo_set_lf(head);
1830 		}
1831 		head->r.acl = NULL;
1832 	}
1833 	head->r.group = NULL;
1834 	return true;
1835 }
1836 
1837 /**
1838  * tomoyo_read_policy - Read "struct tomoyo_..._entry" list.
1839  *
1840  * @head: Pointer to "struct tomoyo_io_buffer".
1841  * @idx:  Index number.
1842  *
1843  * Returns true on success, false otherwise.
1844  *
1845  * Caller holds tomoyo_read_lock().
1846  */
1847 static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx)
1848 {
1849 	struct tomoyo_policy_namespace *ns =
1850 		container_of(head->r.ns, typeof(*ns), namespace_list);
1851 	struct list_head *list = &ns->policy_list[idx];
1852 
1853 	list_for_each_cookie(head->r.acl, list) {
1854 		struct tomoyo_acl_head *acl =
1855 			container_of(head->r.acl, typeof(*acl), list);
1856 		if (acl->is_deleted)
1857 			continue;
1858 		if (!tomoyo_flush(head))
1859 			return false;
1860 		switch (idx) {
1861 		case TOMOYO_ID_TRANSITION_CONTROL:
1862 			{
1863 				struct tomoyo_transition_control *ptr =
1864 					container_of(acl, typeof(*ptr), head);
1865 
1866 				tomoyo_print_namespace(head);
1867 				tomoyo_set_string(head, tomoyo_transition_type
1868 						  [ptr->type]);
1869 				tomoyo_set_string(head, ptr->program ?
1870 						  ptr->program->name : "any");
1871 				tomoyo_set_string(head, " from ");
1872 				tomoyo_set_string(head, ptr->domainname ?
1873 						  ptr->domainname->name :
1874 						  "any");
1875 			}
1876 			break;
1877 		case TOMOYO_ID_AGGREGATOR:
1878 			{
1879 				struct tomoyo_aggregator *ptr =
1880 					container_of(acl, typeof(*ptr), head);
1881 
1882 				tomoyo_print_namespace(head);
1883 				tomoyo_set_string(head, "aggregator ");
1884 				tomoyo_set_string(head,
1885 						  ptr->original_name->name);
1886 				tomoyo_set_space(head);
1887 				tomoyo_set_string(head,
1888 					       ptr->aggregated_name->name);
1889 			}
1890 			break;
1891 		default:
1892 			continue;
1893 		}
1894 		tomoyo_set_lf(head);
1895 	}
1896 	head->r.acl = NULL;
1897 	return true;
1898 }
1899 
1900 /**
1901  * tomoyo_read_exception - Read exception policy.
1902  *
1903  * @head: Pointer to "struct tomoyo_io_buffer".
1904  *
1905  * Caller holds tomoyo_read_lock().
1906  */
1907 static void tomoyo_read_exception(struct tomoyo_io_buffer *head)
1908 {
1909 	struct tomoyo_policy_namespace *ns =
1910 		container_of(head->r.ns, typeof(*ns), namespace_list);
1911 
1912 	if (head->r.eof)
1913 		return;
1914 	while (head->r.step < TOMOYO_MAX_POLICY &&
1915 	       tomoyo_read_policy(head, head->r.step))
1916 		head->r.step++;
1917 	if (head->r.step < TOMOYO_MAX_POLICY)
1918 		return;
1919 	while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP &&
1920 	       tomoyo_read_group(head, head->r.step - TOMOYO_MAX_POLICY))
1921 		head->r.step++;
1922 	if (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP)
1923 		return;
1924 	while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP
1925 	       + TOMOYO_MAX_ACL_GROUPS) {
1926 		head->r.acl_group_index = head->r.step - TOMOYO_MAX_POLICY
1927 			- TOMOYO_MAX_GROUP;
1928 		if (!tomoyo_read_domain2(head, &ns->acl_group
1929 					 [head->r.acl_group_index]))
1930 			return;
1931 		head->r.step++;
1932 	}
1933 	head->r.eof = true;
1934 }
1935 
1936 /* Wait queue for kernel -> userspace notification. */
1937 static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait);
1938 /* Wait queue for userspace -> kernel notification. */
1939 static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait);
1940 
1941 /* Structure for query. */
1942 struct tomoyo_query {
1943 	struct list_head list;
1944 	struct tomoyo_domain_info *domain;
1945 	char *query;
1946 	size_t query_len;
1947 	unsigned int serial;
1948 	u8 timer;
1949 	u8 answer;
1950 	u8 retry;
1951 };
1952 
1953 /* The list for "struct tomoyo_query". */
1954 static LIST_HEAD(tomoyo_query_list);
1955 
1956 /* Lock for manipulating tomoyo_query_list. */
1957 static DEFINE_SPINLOCK(tomoyo_query_list_lock);
1958 
1959 /*
1960  * Number of "struct file" referring /sys/kernel/security/tomoyo/query
1961  * interface.
1962  */
1963 static atomic_t tomoyo_query_observers = ATOMIC_INIT(0);
1964 
1965 /**
1966  * tomoyo_truncate - Truncate a line.
1967  *
1968  * @str: String to truncate.
1969  *
1970  * Returns length of truncated @str.
1971  */
1972 static int tomoyo_truncate(char *str)
1973 {
1974 	char *start = str;
1975 
1976 	while (*(unsigned char *) str > (unsigned char) ' ')
1977 		str++;
1978 	*str = '\0';
1979 	return strlen(start) + 1;
1980 }
1981 
1982 /**
1983  * tomoyo_add_entry - Add an ACL to current thread's domain. Used by learning mode.
1984  *
1985  * @domain: Pointer to "struct tomoyo_domain_info".
1986  * @header: Lines containing ACL.
1987  *
1988  * Returns nothing.
1989  */
1990 static void tomoyo_add_entry(struct tomoyo_domain_info *domain, char *header)
1991 {
1992 	char *buffer;
1993 	char *realpath = NULL;
1994 	char *argv0 = NULL;
1995 	char *symlink = NULL;
1996 	char *cp = strchr(header, '\n');
1997 	int len;
1998 
1999 	if (!cp)
2000 		return;
2001 	cp = strchr(cp + 1, '\n');
2002 	if (!cp)
2003 		return;
2004 	*cp++ = '\0';
2005 	len = strlen(cp) + 1;
2006 	/* strstr() will return NULL if ordering is wrong. */
2007 	if (*cp == 'f') {
2008 		argv0 = strstr(header, " argv[]={ \"");
2009 		if (argv0) {
2010 			argv0 += 10;
2011 			len += tomoyo_truncate(argv0) + 14;
2012 		}
2013 		realpath = strstr(header, " exec={ realpath=\"");
2014 		if (realpath) {
2015 			realpath += 8;
2016 			len += tomoyo_truncate(realpath) + 6;
2017 		}
2018 		symlink = strstr(header, " symlink.target=\"");
2019 		if (symlink)
2020 			len += tomoyo_truncate(symlink + 1) + 1;
2021 	}
2022 	buffer = kmalloc(len, GFP_NOFS);
2023 	if (!buffer)
2024 		return;
2025 	snprintf(buffer, len - 1, "%s", cp);
2026 	if (realpath)
2027 		tomoyo_addprintf(buffer, len, " exec.%s", realpath);
2028 	if (argv0)
2029 		tomoyo_addprintf(buffer, len, " exec.argv[0]=%s", argv0);
2030 	if (symlink)
2031 		tomoyo_addprintf(buffer, len, "%s", symlink);
2032 	tomoyo_normalize_line(buffer);
2033 	if (!tomoyo_write_domain2(domain->ns, &domain->acl_info_list, buffer,
2034 				  false))
2035 		tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES);
2036 	kfree(buffer);
2037 }
2038 
2039 /**
2040  * tomoyo_supervisor - Ask for the supervisor's decision.
2041  *
2042  * @r:   Pointer to "struct tomoyo_request_info".
2043  * @fmt: The printf()'s format string, followed by parameters.
2044  *
2045  * Returns 0 if the supervisor decided to permit the access request which
2046  * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the
2047  * supervisor decided to retry the access request which violated the policy in
2048  * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise.
2049  */
2050 int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
2051 {
2052 	va_list args;
2053 	int error;
2054 	int len;
2055 	static unsigned int tomoyo_serial;
2056 	struct tomoyo_query entry = { };
2057 	bool quota_exceeded = false;
2058 
2059 	va_start(args, fmt);
2060 	len = vsnprintf(NULL, 0, fmt, args) + 1;
2061 	va_end(args);
2062 	/* Write /sys/kernel/security/tomoyo/audit. */
2063 	va_start(args, fmt);
2064 	tomoyo_write_log2(r, len, fmt, args);
2065 	va_end(args);
2066 	/* Nothing more to do if granted. */
2067 	if (r->granted)
2068 		return 0;
2069 	if (r->mode)
2070 		tomoyo_update_stat(r->mode);
2071 	switch (r->mode) {
2072 	case TOMOYO_CONFIG_ENFORCING:
2073 		error = -EPERM;
2074 		if (atomic_read(&tomoyo_query_observers))
2075 			break;
2076 		goto out;
2077 	case TOMOYO_CONFIG_LEARNING:
2078 		error = 0;
2079 		/* Check max_learning_entry parameter. */
2080 		if (tomoyo_domain_quota_is_ok(r))
2081 			break;
2082 		fallthrough;
2083 	default:
2084 		return 0;
2085 	}
2086 	/* Get message. */
2087 	va_start(args, fmt);
2088 	entry.query = tomoyo_init_log(r, len, fmt, args);
2089 	va_end(args);
2090 	if (!entry.query)
2091 		goto out;
2092 	entry.query_len = strlen(entry.query) + 1;
2093 	if (!error) {
2094 		tomoyo_add_entry(r->domain, entry.query);
2095 		goto out;
2096 	}
2097 	len = kmalloc_size_roundup(entry.query_len);
2098 	entry.domain = r->domain;
2099 	spin_lock(&tomoyo_query_list_lock);
2100 	if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] &&
2101 	    tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len
2102 	    >= tomoyo_memory_quota[TOMOYO_MEMORY_QUERY]) {
2103 		quota_exceeded = true;
2104 	} else {
2105 		entry.serial = tomoyo_serial++;
2106 		entry.retry = r->retry;
2107 		tomoyo_memory_used[TOMOYO_MEMORY_QUERY] += len;
2108 		list_add_tail(&entry.list, &tomoyo_query_list);
2109 	}
2110 	spin_unlock(&tomoyo_query_list_lock);
2111 	if (quota_exceeded)
2112 		goto out;
2113 	/* Give 10 seconds for supervisor's opinion. */
2114 	while (entry.timer < 10) {
2115 		wake_up_all(&tomoyo_query_wait);
2116 		if (wait_event_interruptible_timeout
2117 		    (tomoyo_answer_wait, entry.answer ||
2118 		     !atomic_read(&tomoyo_query_observers), HZ))
2119 			break;
2120 		entry.timer++;
2121 	}
2122 	spin_lock(&tomoyo_query_list_lock);
2123 	list_del(&entry.list);
2124 	tomoyo_memory_used[TOMOYO_MEMORY_QUERY] -= len;
2125 	spin_unlock(&tomoyo_query_list_lock);
2126 	switch (entry.answer) {
2127 	case 3: /* Asked to retry by administrator. */
2128 		error = TOMOYO_RETRY_REQUEST;
2129 		r->retry++;
2130 		break;
2131 	case 1:
2132 		/* Granted by administrator. */
2133 		error = 0;
2134 		break;
2135 	default:
2136 		/* Timed out or rejected by administrator. */
2137 		break;
2138 	}
2139 out:
2140 	kfree(entry.query);
2141 	return error;
2142 }
2143 
2144 /**
2145  * tomoyo_find_domain_by_qid - Get domain by query id.
2146  *
2147  * @serial: Query ID assigned by tomoyo_supervisor().
2148  *
2149  * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
2150  */
2151 static struct tomoyo_domain_info *tomoyo_find_domain_by_qid
2152 (unsigned int serial)
2153 {
2154 	struct tomoyo_query *ptr;
2155 	struct tomoyo_domain_info *domain = NULL;
2156 
2157 	spin_lock(&tomoyo_query_list_lock);
2158 	list_for_each_entry(ptr, &tomoyo_query_list, list) {
2159 		if (ptr->serial != serial)
2160 			continue;
2161 		domain = ptr->domain;
2162 		break;
2163 	}
2164 	spin_unlock(&tomoyo_query_list_lock);
2165 	return domain;
2166 }
2167 
2168 /**
2169  * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query.
2170  *
2171  * @file: Pointer to "struct file".
2172  * @wait: Pointer to "poll_table".
2173  *
2174  * Returns EPOLLIN | EPOLLRDNORM when ready to read, 0 otherwise.
2175  *
2176  * Waits for access requests which violated policy in enforcing mode.
2177  */
2178 static __poll_t tomoyo_poll_query(struct file *file, poll_table *wait)
2179 {
2180 	if (!list_empty(&tomoyo_query_list))
2181 		return EPOLLIN | EPOLLRDNORM;
2182 	poll_wait(file, &tomoyo_query_wait, wait);
2183 	if (!list_empty(&tomoyo_query_list))
2184 		return EPOLLIN | EPOLLRDNORM;
2185 	return 0;
2186 }
2187 
2188 /**
2189  * tomoyo_read_query - Read access requests which violated policy in enforcing mode.
2190  *
2191  * @head: Pointer to "struct tomoyo_io_buffer".
2192  */
2193 static void tomoyo_read_query(struct tomoyo_io_buffer *head)
2194 {
2195 	struct list_head *tmp;
2196 	unsigned int pos = 0;
2197 	size_t len = 0;
2198 	char *buf;
2199 
2200 	if (head->r.w_pos)
2201 		return;
2202 	kfree(head->read_buf);
2203 	head->read_buf = NULL;
2204 	spin_lock(&tomoyo_query_list_lock);
2205 	list_for_each(tmp, &tomoyo_query_list) {
2206 		struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
2207 
2208 		if (pos++ != head->r.query_index)
2209 			continue;
2210 		len = ptr->query_len;
2211 		break;
2212 	}
2213 	spin_unlock(&tomoyo_query_list_lock);
2214 	if (!len) {
2215 		head->r.query_index = 0;
2216 		return;
2217 	}
2218 	buf = kzalloc(len + 32, GFP_NOFS);
2219 	if (!buf)
2220 		return;
2221 	pos = 0;
2222 	spin_lock(&tomoyo_query_list_lock);
2223 	list_for_each(tmp, &tomoyo_query_list) {
2224 		struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
2225 
2226 		if (pos++ != head->r.query_index)
2227 			continue;
2228 		/*
2229 		 * Some query can be skipped because tomoyo_query_list
2230 		 * can change, but I don't care.
2231 		 */
2232 		if (len == ptr->query_len)
2233 			snprintf(buf, len + 31, "Q%u-%hu\n%s", ptr->serial,
2234 				 ptr->retry, ptr->query);
2235 		break;
2236 	}
2237 	spin_unlock(&tomoyo_query_list_lock);
2238 	if (buf[0]) {
2239 		head->read_buf = buf;
2240 		head->r.w[head->r.w_pos++] = buf;
2241 		head->r.query_index++;
2242 	} else {
2243 		kfree(buf);
2244 	}
2245 }
2246 
2247 /**
2248  * tomoyo_write_answer - Write the supervisor's decision.
2249  *
2250  * @head: Pointer to "struct tomoyo_io_buffer".
2251  *
2252  * Returns 0 on success, -EINVAL otherwise.
2253  */
2254 static int tomoyo_write_answer(struct tomoyo_io_buffer *head)
2255 {
2256 	char *data = head->write_buf;
2257 	struct list_head *tmp;
2258 	unsigned int serial;
2259 	unsigned int answer;
2260 
2261 	spin_lock(&tomoyo_query_list_lock);
2262 	list_for_each(tmp, &tomoyo_query_list) {
2263 		struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
2264 
2265 		ptr->timer = 0;
2266 	}
2267 	spin_unlock(&tomoyo_query_list_lock);
2268 	if (sscanf(data, "A%u=%u", &serial, &answer) != 2)
2269 		return -EINVAL;
2270 	spin_lock(&tomoyo_query_list_lock);
2271 	list_for_each(tmp, &tomoyo_query_list) {
2272 		struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
2273 
2274 		if (ptr->serial != serial)
2275 			continue;
2276 		ptr->answer = answer;
2277 		/* Remove from tomoyo_query_list. */
2278 		if (ptr->answer)
2279 			list_del_init(&ptr->list);
2280 		break;
2281 	}
2282 	spin_unlock(&tomoyo_query_list_lock);
2283 	return 0;
2284 }
2285 
2286 /**
2287  * tomoyo_read_version: Get version.
2288  *
2289  * @head: Pointer to "struct tomoyo_io_buffer".
2290  *
2291  * Returns version information.
2292  */
2293 static void tomoyo_read_version(struct tomoyo_io_buffer *head)
2294 {
2295 	if (!head->r.eof) {
2296 		tomoyo_io_printf(head, "2.6.0");
2297 		head->r.eof = true;
2298 	}
2299 }
2300 
2301 /* String table for /sys/kernel/security/tomoyo/stat interface. */
2302 static const char * const tomoyo_policy_headers[TOMOYO_MAX_POLICY_STAT] = {
2303 	[TOMOYO_STAT_POLICY_UPDATES]    = "update:",
2304 	[TOMOYO_STAT_POLICY_LEARNING]   = "violation in learning mode:",
2305 	[TOMOYO_STAT_POLICY_PERMISSIVE] = "violation in permissive mode:",
2306 	[TOMOYO_STAT_POLICY_ENFORCING]  = "violation in enforcing mode:",
2307 };
2308 
2309 /* String table for /sys/kernel/security/tomoyo/stat interface. */
2310 static const char * const tomoyo_memory_headers[TOMOYO_MAX_MEMORY_STAT] = {
2311 	[TOMOYO_MEMORY_POLICY] = "policy:",
2312 	[TOMOYO_MEMORY_AUDIT]  = "audit log:",
2313 	[TOMOYO_MEMORY_QUERY]  = "query message:",
2314 };
2315 
2316 /* Counter for number of updates. */
2317 static atomic_t tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT];
2318 /* Timestamp counter for last updated. */
2319 static time64_t tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT];
2320 
2321 /**
2322  * tomoyo_update_stat - Update statistic counters.
2323  *
2324  * @index: Index for policy type.
2325  *
2326  * Returns nothing.
2327  */
2328 void tomoyo_update_stat(const u8 index)
2329 {
2330 	atomic_inc(&tomoyo_stat_updated[index]);
2331 	tomoyo_stat_modified[index] = ktime_get_real_seconds();
2332 }
2333 
2334 /**
2335  * tomoyo_read_stat - Read statistic data.
2336  *
2337  * @head: Pointer to "struct tomoyo_io_buffer".
2338  *
2339  * Returns nothing.
2340  */
2341 static void tomoyo_read_stat(struct tomoyo_io_buffer *head)
2342 {
2343 	u8 i;
2344 	unsigned int total = 0;
2345 
2346 	if (head->r.eof)
2347 		return;
2348 	for (i = 0; i < TOMOYO_MAX_POLICY_STAT; i++) {
2349 		tomoyo_io_printf(head, "Policy %-30s %10u",
2350 				 tomoyo_policy_headers[i],
2351 				 atomic_read(&tomoyo_stat_updated[i]));
2352 		if (tomoyo_stat_modified[i]) {
2353 			struct tomoyo_time stamp;
2354 
2355 			tomoyo_convert_time(tomoyo_stat_modified[i], &stamp);
2356 			tomoyo_io_printf(head, " (Last: %04u/%02u/%02u %02u:%02u:%02u)",
2357 					 stamp.year, stamp.month, stamp.day,
2358 					 stamp.hour, stamp.min, stamp.sec);
2359 		}
2360 		tomoyo_set_lf(head);
2361 	}
2362 	for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) {
2363 		unsigned int used = tomoyo_memory_used[i];
2364 
2365 		total += used;
2366 		tomoyo_io_printf(head, "Memory used by %-22s %10u",
2367 				 tomoyo_memory_headers[i], used);
2368 		used = tomoyo_memory_quota[i];
2369 		if (used)
2370 			tomoyo_io_printf(head, " (Quota: %10u)", used);
2371 		tomoyo_set_lf(head);
2372 	}
2373 	tomoyo_io_printf(head, "Total memory used:                    %10u\n",
2374 			 total);
2375 	head->r.eof = true;
2376 }
2377 
2378 /**
2379  * tomoyo_write_stat - Set memory quota.
2380  *
2381  * @head: Pointer to "struct tomoyo_io_buffer".
2382  *
2383  * Returns 0.
2384  */
2385 static int tomoyo_write_stat(struct tomoyo_io_buffer *head)
2386 {
2387 	char *data = head->write_buf;
2388 	u8 i;
2389 
2390 	if (tomoyo_str_starts(&data, "Memory used by "))
2391 		for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++)
2392 			if (tomoyo_str_starts(&data, tomoyo_memory_headers[i]))
2393 				sscanf(data, "%u", &tomoyo_memory_quota[i]);
2394 	return 0;
2395 }
2396 
2397 /**
2398  * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
2399  *
2400  * @type: Type of interface.
2401  * @file: Pointer to "struct file".
2402  *
2403  * Returns 0 on success, negative value otherwise.
2404  */
2405 int tomoyo_open_control(const u8 type, struct file *file)
2406 {
2407 	struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS);
2408 
2409 	if (!head)
2410 		return -ENOMEM;
2411 	mutex_init(&head->io_sem);
2412 	head->type = type;
2413 	switch (type) {
2414 	case TOMOYO_DOMAINPOLICY:
2415 		/* /sys/kernel/security/tomoyo/domain_policy */
2416 		head->write = tomoyo_write_domain;
2417 		head->read = tomoyo_read_domain;
2418 		break;
2419 	case TOMOYO_EXCEPTIONPOLICY:
2420 		/* /sys/kernel/security/tomoyo/exception_policy */
2421 		head->write = tomoyo_write_exception;
2422 		head->read = tomoyo_read_exception;
2423 		break;
2424 	case TOMOYO_AUDIT:
2425 		/* /sys/kernel/security/tomoyo/audit */
2426 		head->poll = tomoyo_poll_log;
2427 		head->read = tomoyo_read_log;
2428 		break;
2429 	case TOMOYO_PROCESS_STATUS:
2430 		/* /sys/kernel/security/tomoyo/.process_status */
2431 		head->write = tomoyo_write_pid;
2432 		head->read = tomoyo_read_pid;
2433 		break;
2434 	case TOMOYO_VERSION:
2435 		/* /sys/kernel/security/tomoyo/version */
2436 		head->read = tomoyo_read_version;
2437 		head->readbuf_size = 128;
2438 		break;
2439 	case TOMOYO_STAT:
2440 		/* /sys/kernel/security/tomoyo/stat */
2441 		head->write = tomoyo_write_stat;
2442 		head->read = tomoyo_read_stat;
2443 		head->readbuf_size = 1024;
2444 		break;
2445 	case TOMOYO_PROFILE:
2446 		/* /sys/kernel/security/tomoyo/profile */
2447 		head->write = tomoyo_write_profile;
2448 		head->read = tomoyo_read_profile;
2449 		break;
2450 	case TOMOYO_QUERY: /* /sys/kernel/security/tomoyo/query */
2451 		head->poll = tomoyo_poll_query;
2452 		head->write = tomoyo_write_answer;
2453 		head->read = tomoyo_read_query;
2454 		break;
2455 	case TOMOYO_MANAGER:
2456 		/* /sys/kernel/security/tomoyo/manager */
2457 		head->write = tomoyo_write_manager;
2458 		head->read = tomoyo_read_manager;
2459 		break;
2460 	}
2461 	if (!(file->f_mode & FMODE_READ)) {
2462 		/*
2463 		 * No need to allocate read_buf since it is not opened
2464 		 * for reading.
2465 		 */
2466 		head->read = NULL;
2467 		head->poll = NULL;
2468 	} else if (!head->poll) {
2469 		/* Don't allocate read_buf for poll() access. */
2470 		if (!head->readbuf_size)
2471 			head->readbuf_size = 4096 * 2;
2472 		head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS);
2473 		if (!head->read_buf) {
2474 			kfree(head);
2475 			return -ENOMEM;
2476 		}
2477 	}
2478 	if (!(file->f_mode & FMODE_WRITE)) {
2479 		/*
2480 		 * No need to allocate write_buf since it is not opened
2481 		 * for writing.
2482 		 */
2483 		head->write = NULL;
2484 	} else if (head->write) {
2485 		head->writebuf_size = 4096 * 2;
2486 		head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS);
2487 		if (!head->write_buf) {
2488 			kfree(head->read_buf);
2489 			kfree(head);
2490 			return -ENOMEM;
2491 		}
2492 	}
2493 	/*
2494 	 * If the file is /sys/kernel/security/tomoyo/query , increment the
2495 	 * observer counter.
2496 	 * The obserber counter is used by tomoyo_supervisor() to see if
2497 	 * there is some process monitoring /sys/kernel/security/tomoyo/query.
2498 	 */
2499 	if (type == TOMOYO_QUERY)
2500 		atomic_inc(&tomoyo_query_observers);
2501 	file->private_data = head;
2502 	tomoyo_notify_gc(head, true);
2503 	return 0;
2504 }
2505 
2506 /**
2507  * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface.
2508  *
2509  * @file: Pointer to "struct file".
2510  * @wait: Pointer to "poll_table". Maybe NULL.
2511  *
2512  * Returns EPOLLIN | EPOLLRDNORM | EPOLLOUT | EPOLLWRNORM if ready to read/write,
2513  * EPOLLOUT | EPOLLWRNORM otherwise.
2514  */
2515 __poll_t tomoyo_poll_control(struct file *file, poll_table *wait)
2516 {
2517 	struct tomoyo_io_buffer *head = file->private_data;
2518 
2519 	if (head->poll)
2520 		return head->poll(file, wait) | EPOLLOUT | EPOLLWRNORM;
2521 	return EPOLLIN | EPOLLRDNORM | EPOLLOUT | EPOLLWRNORM;
2522 }
2523 
2524 /**
2525  * tomoyo_set_namespace_cursor - Set namespace to read.
2526  *
2527  * @head: Pointer to "struct tomoyo_io_buffer".
2528  *
2529  * Returns nothing.
2530  */
2531 static inline void tomoyo_set_namespace_cursor(struct tomoyo_io_buffer *head)
2532 {
2533 	struct list_head *ns;
2534 
2535 	if (head->type != TOMOYO_EXCEPTIONPOLICY &&
2536 	    head->type != TOMOYO_PROFILE)
2537 		return;
2538 	/*
2539 	 * If this is the first read, or reading previous namespace finished
2540 	 * and has more namespaces to read, update the namespace cursor.
2541 	 */
2542 	ns = head->r.ns;
2543 	if (!ns || (head->r.eof && ns->next != &tomoyo_namespace_list)) {
2544 		/* Clearing is OK because tomoyo_flush() returned true. */
2545 		memset(&head->r, 0, sizeof(head->r));
2546 		head->r.ns = ns ? ns->next : tomoyo_namespace_list.next;
2547 	}
2548 }
2549 
2550 /**
2551  * tomoyo_has_more_namespace - Check for unread namespaces.
2552  *
2553  * @head: Pointer to "struct tomoyo_io_buffer".
2554  *
2555  * Returns true if we have more entries to print, false otherwise.
2556  */
2557 static inline bool tomoyo_has_more_namespace(struct tomoyo_io_buffer *head)
2558 {
2559 	return (head->type == TOMOYO_EXCEPTIONPOLICY ||
2560 		head->type == TOMOYO_PROFILE) && head->r.eof &&
2561 		head->r.ns->next != &tomoyo_namespace_list;
2562 }
2563 
2564 /**
2565  * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
2566  *
2567  * @head:       Pointer to "struct tomoyo_io_buffer".
2568  * @buffer:     Pointer to buffer to write to.
2569  * @buffer_len: Size of @buffer.
2570  *
2571  * Returns bytes read on success, negative value otherwise.
2572  */
2573 ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
2574 			    const int buffer_len)
2575 {
2576 	int len;
2577 	int idx;
2578 
2579 	if (!head->read)
2580 		return -EINVAL;
2581 	if (mutex_lock_interruptible(&head->io_sem))
2582 		return -EINTR;
2583 	head->read_user_buf = buffer;
2584 	head->read_user_buf_avail = buffer_len;
2585 	idx = tomoyo_read_lock();
2586 	if (tomoyo_flush(head))
2587 		/* Call the policy handler. */
2588 		do {
2589 			tomoyo_set_namespace_cursor(head);
2590 			head->read(head);
2591 		} while (tomoyo_flush(head) &&
2592 			 tomoyo_has_more_namespace(head));
2593 	tomoyo_read_unlock(idx);
2594 	len = head->read_user_buf - buffer;
2595 	mutex_unlock(&head->io_sem);
2596 	return len;
2597 }
2598 
2599 /**
2600  * tomoyo_parse_policy - Parse a policy line.
2601  *
2602  * @head: Pointer to "struct tomoyo_io_buffer".
2603  * @line: Line to parse.
2604  *
2605  * Returns 0 on success, negative value otherwise.
2606  *
2607  * Caller holds tomoyo_read_lock().
2608  */
2609 static int tomoyo_parse_policy(struct tomoyo_io_buffer *head, char *line)
2610 {
2611 	/* Delete request? */
2612 	head->w.is_delete = !strncmp(line, "delete ", 7);
2613 	if (head->w.is_delete)
2614 		memmove(line, line + 7, strlen(line + 7) + 1);
2615 	/* Selecting namespace to update. */
2616 	if (head->type == TOMOYO_EXCEPTIONPOLICY ||
2617 	    head->type == TOMOYO_PROFILE) {
2618 		if (*line == '<') {
2619 			char *cp = strchr(line, ' ');
2620 
2621 			if (cp) {
2622 				*cp++ = '\0';
2623 				head->w.ns = tomoyo_assign_namespace(line);
2624 				memmove(line, cp, strlen(cp) + 1);
2625 			} else
2626 				head->w.ns = NULL;
2627 		} else
2628 			head->w.ns = &tomoyo_kernel_namespace;
2629 		/* Don't allow updating if namespace is invalid. */
2630 		if (!head->w.ns)
2631 			return -ENOENT;
2632 	}
2633 	/* Do the update. */
2634 	return head->write(head);
2635 }
2636 
2637 /**
2638  * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2639  *
2640  * @head:       Pointer to "struct tomoyo_io_buffer".
2641  * @buffer:     Pointer to buffer to read from.
2642  * @buffer_len: Size of @buffer.
2643  *
2644  * Returns @buffer_len on success, negative value otherwise.
2645  */
2646 ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
2647 			     const char __user *buffer, const int buffer_len)
2648 {
2649 	int error = buffer_len;
2650 	size_t avail_len = buffer_len;
2651 	char *cp0 = head->write_buf;
2652 	int idx;
2653 
2654 	if (!head->write)
2655 		return -EINVAL;
2656 	if (mutex_lock_interruptible(&head->io_sem))
2657 		return -EINTR;
2658 	head->read_user_buf_avail = 0;
2659 	idx = tomoyo_read_lock();
2660 	/* Read a line and dispatch it to the policy handler. */
2661 	while (avail_len > 0) {
2662 		char c;
2663 
2664 		if (head->w.avail >= head->writebuf_size - 1) {
2665 			const int len = head->writebuf_size * 2;
2666 			char *cp = kzalloc(len, GFP_NOFS);
2667 
2668 			if (!cp) {
2669 				error = -ENOMEM;
2670 				break;
2671 			}
2672 			memmove(cp, cp0, head->w.avail);
2673 			kfree(cp0);
2674 			head->write_buf = cp;
2675 			cp0 = cp;
2676 			head->writebuf_size = len;
2677 		}
2678 		if (get_user(c, buffer)) {
2679 			error = -EFAULT;
2680 			break;
2681 		}
2682 		buffer++;
2683 		avail_len--;
2684 		cp0[head->w.avail++] = c;
2685 		if (c != '\n')
2686 			continue;
2687 		cp0[head->w.avail - 1] = '\0';
2688 		head->w.avail = 0;
2689 		tomoyo_normalize_line(cp0);
2690 		if (!strcmp(cp0, "reset")) {
2691 			head->w.ns = &tomoyo_kernel_namespace;
2692 			head->w.domain = NULL;
2693 			memset(&head->r, 0, sizeof(head->r));
2694 			continue;
2695 		}
2696 		/* Don't allow updating policies by non manager programs. */
2697 		switch (head->type) {
2698 		case TOMOYO_PROCESS_STATUS:
2699 			/* This does not write anything. */
2700 			break;
2701 		case TOMOYO_DOMAINPOLICY:
2702 			if (tomoyo_select_domain(head, cp0))
2703 				continue;
2704 			fallthrough;
2705 		case TOMOYO_EXCEPTIONPOLICY:
2706 			if (!strcmp(cp0, "select transition_only")) {
2707 				head->r.print_transition_related_only = true;
2708 				continue;
2709 			}
2710 			fallthrough;
2711 		default:
2712 			if (!tomoyo_manager()) {
2713 				error = -EPERM;
2714 				goto out;
2715 			}
2716 		}
2717 		switch (tomoyo_parse_policy(head, cp0)) {
2718 		case -EPERM:
2719 			error = -EPERM;
2720 			goto out;
2721 		case 0:
2722 			switch (head->type) {
2723 			case TOMOYO_DOMAINPOLICY:
2724 			case TOMOYO_EXCEPTIONPOLICY:
2725 			case TOMOYO_STAT:
2726 			case TOMOYO_PROFILE:
2727 			case TOMOYO_MANAGER:
2728 				tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES);
2729 				break;
2730 			default:
2731 				break;
2732 			}
2733 			break;
2734 		}
2735 	}
2736 out:
2737 	tomoyo_read_unlock(idx);
2738 	mutex_unlock(&head->io_sem);
2739 	return error;
2740 }
2741 
2742 /**
2743  * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2744  *
2745  * @head: Pointer to "struct tomoyo_io_buffer".
2746  */
2747 void tomoyo_close_control(struct tomoyo_io_buffer *head)
2748 {
2749 	/*
2750 	 * If the file is /sys/kernel/security/tomoyo/query , decrement the
2751 	 * observer counter.
2752 	 */
2753 	if (head->type == TOMOYO_QUERY &&
2754 	    atomic_dec_and_test(&tomoyo_query_observers))
2755 		wake_up_all(&tomoyo_answer_wait);
2756 	tomoyo_notify_gc(head, false);
2757 }
2758 
2759 /**
2760  * tomoyo_check_profile - Check all profiles currently assigned to domains are defined.
2761  */
2762 void tomoyo_check_profile(void)
2763 {
2764 	struct tomoyo_domain_info *domain;
2765 	const int idx = tomoyo_read_lock();
2766 
2767 	tomoyo_policy_loaded = true;
2768 	pr_info("TOMOYO: 2.6.0\n");
2769 	list_for_each_entry_rcu(domain, &tomoyo_domain_list, list,
2770 				srcu_read_lock_held(&tomoyo_ss)) {
2771 		const u8 profile = domain->profile;
2772 		struct tomoyo_policy_namespace *ns = domain->ns;
2773 
2774 		if (ns->profile_version == 20110903) {
2775 			pr_info_once("Converting profile version from %u to %u.\n",
2776 				     20110903, 20150505);
2777 			ns->profile_version = 20150505;
2778 		}
2779 		if (ns->profile_version != 20150505)
2780 			pr_err("Profile version %u is not supported.\n",
2781 			       ns->profile_version);
2782 		else if (!ns->profile_ptr[profile])
2783 			pr_err("Profile %u (used by '%s') is not defined.\n",
2784 			       profile, domain->domainname->name);
2785 		else
2786 			continue;
2787 		pr_err("Userland tools for TOMOYO 2.6 must be installed and policy must be initialized.\n");
2788 		pr_err("Please see https://tomoyo.osdn.jp/2.6/ for more information.\n");
2789 		panic("STOP!");
2790 	}
2791 	tomoyo_read_unlock(idx);
2792 	pr_info("Mandatory Access Control activated.\n");
2793 }
2794 
2795 /**
2796  * tomoyo_load_builtin_policy - Load built-in policy.
2797  *
2798  * Returns nothing.
2799  */
2800 void __init tomoyo_load_builtin_policy(void)
2801 {
2802 #ifdef CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING
2803 	static char tomoyo_builtin_profile[] __initdata =
2804 		"PROFILE_VERSION=20150505\n"
2805 		"0-CONFIG={ mode=learning grant_log=no reject_log=yes }\n";
2806 	static char tomoyo_builtin_exception_policy[] __initdata =
2807 		"aggregator proc:/self/exe /proc/self/exe\n";
2808 	static char tomoyo_builtin_domain_policy[] __initdata = "";
2809 	static char tomoyo_builtin_manager[] __initdata = "";
2810 	static char tomoyo_builtin_stat[] __initdata = "";
2811 #else
2812 	/*
2813 	 * This include file is manually created and contains built-in policy
2814 	 * named "tomoyo_builtin_profile", "tomoyo_builtin_exception_policy",
2815 	 * "tomoyo_builtin_domain_policy", "tomoyo_builtin_manager",
2816 	 * "tomoyo_builtin_stat" in the form of "static char [] __initdata".
2817 	 */
2818 #include "builtin-policy.h"
2819 #endif
2820 	u8 i;
2821 	const int idx = tomoyo_read_lock();
2822 
2823 	for (i = 0; i < 5; i++) {
2824 		struct tomoyo_io_buffer head = { };
2825 		char *start = "";
2826 
2827 		switch (i) {
2828 		case 0:
2829 			start = tomoyo_builtin_profile;
2830 			head.type = TOMOYO_PROFILE;
2831 			head.write = tomoyo_write_profile;
2832 			break;
2833 		case 1:
2834 			start = tomoyo_builtin_exception_policy;
2835 			head.type = TOMOYO_EXCEPTIONPOLICY;
2836 			head.write = tomoyo_write_exception;
2837 			break;
2838 		case 2:
2839 			start = tomoyo_builtin_domain_policy;
2840 			head.type = TOMOYO_DOMAINPOLICY;
2841 			head.write = tomoyo_write_domain;
2842 			break;
2843 		case 3:
2844 			start = tomoyo_builtin_manager;
2845 			head.type = TOMOYO_MANAGER;
2846 			head.write = tomoyo_write_manager;
2847 			break;
2848 		case 4:
2849 			start = tomoyo_builtin_stat;
2850 			head.type = TOMOYO_STAT;
2851 			head.write = tomoyo_write_stat;
2852 			break;
2853 		}
2854 		while (1) {
2855 			char *end = strchr(start, '\n');
2856 
2857 			if (!end)
2858 				break;
2859 			*end = '\0';
2860 			tomoyo_normalize_line(start);
2861 			head.write_buf = start;
2862 			tomoyo_parse_policy(&head, start);
2863 			start = end + 1;
2864 		}
2865 	}
2866 	tomoyo_read_unlock(idx);
2867 #ifdef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
2868 	tomoyo_check_profile();
2869 #endif
2870 }
2871