1 /* 2 * security/tomoyo/common.c 3 * 4 * Common functions for TOMOYO. 5 * 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 7 * 8 * Version: 2.2.0 2009/04/01 9 * 10 */ 11 12 #include <linux/uaccess.h> 13 #include <linux/security.h> 14 #include <linux/hardirq.h> 15 #include "realpath.h" 16 #include "common.h" 17 #include "tomoyo.h" 18 19 /* Has loading policy done? */ 20 bool tomoyo_policy_loaded; 21 22 /* String table for functionality that takes 4 modes. */ 23 static const char *tomoyo_mode_4[4] = { 24 "disabled", "learning", "permissive", "enforcing" 25 }; 26 /* String table for functionality that takes 2 modes. */ 27 static const char *tomoyo_mode_2[4] = { 28 "disabled", "enabled", "enabled", "enabled" 29 }; 30 31 /* 32 * tomoyo_control_array is a static data which contains 33 * 34 * (1) functionality name used by /sys/kernel/security/tomoyo/profile . 35 * (2) initial values for "struct tomoyo_profile". 36 * (3) max values for "struct tomoyo_profile". 37 */ 38 static struct { 39 const char *keyword; 40 unsigned int current_value; 41 const unsigned int max_value; 42 } tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = { 43 [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, 44 [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX }, 45 [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, 46 }; 47 48 /* 49 * tomoyo_profile is a structure which is used for holding the mode of access 50 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing. 51 * An administrator can define up to 256 profiles. 52 * The ->profile of "struct tomoyo_domain_info" is used for remembering 53 * the profile's number (0 - 255) assigned to that domain. 54 */ 55 static struct tomoyo_profile { 56 unsigned int value[TOMOYO_MAX_CONTROL_INDEX]; 57 const struct tomoyo_path_info *comment; 58 } *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES]; 59 60 /* Permit policy management by non-root user? */ 61 static bool tomoyo_manage_by_non_root; 62 63 /* Utility functions. */ 64 65 /* Open operation for /sys/kernel/security/tomoyo/ interface. */ 66 static int tomoyo_open_control(const u8 type, struct file *file); 67 /* Close /sys/kernel/security/tomoyo/ interface. */ 68 static int tomoyo_close_control(struct file *file); 69 /* Read operation for /sys/kernel/security/tomoyo/ interface. */ 70 static int tomoyo_read_control(struct file *file, char __user *buffer, 71 const int buffer_len); 72 /* Write operation for /sys/kernel/security/tomoyo/ interface. */ 73 static int tomoyo_write_control(struct file *file, const char __user *buffer, 74 const int buffer_len); 75 76 /** 77 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value. 78 * 79 * @str: Pointer to the string. 80 * 81 * Returns true if @str is a \ooo style octal value, false otherwise. 82 * 83 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF. 84 * This function verifies that \ooo is in valid range. 85 */ 86 static inline bool tomoyo_is_byte_range(const char *str) 87 { 88 return *str >= '0' && *str++ <= '3' && 89 *str >= '0' && *str++ <= '7' && 90 *str >= '0' && *str <= '7'; 91 } 92 93 /** 94 * tomoyo_is_alphabet_char - Check whether the character is an alphabet. 95 * 96 * @c: The character to check. 97 * 98 * Returns true if @c is an alphabet character, false otherwise. 99 */ 100 static inline bool tomoyo_is_alphabet_char(const char c) 101 { 102 return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'); 103 } 104 105 /** 106 * tomoyo_make_byte - Make byte value from three octal characters. 107 * 108 * @c1: The first character. 109 * @c2: The second character. 110 * @c3: The third character. 111 * 112 * Returns byte value. 113 */ 114 static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3) 115 { 116 return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0'); 117 } 118 119 /** 120 * tomoyo_str_starts - Check whether the given string starts with the given keyword. 121 * 122 * @src: Pointer to pointer to the string. 123 * @find: Pointer to the keyword. 124 * 125 * Returns true if @src starts with @find, false otherwise. 126 * 127 * The @src is updated to point the first character after the @find 128 * if @src starts with @find. 129 */ 130 static bool tomoyo_str_starts(char **src, const char *find) 131 { 132 const int len = strlen(find); 133 char *tmp = *src; 134 135 if (strncmp(tmp, find, len)) 136 return false; 137 tmp += len; 138 *src = tmp; 139 return true; 140 } 141 142 /** 143 * tomoyo_normalize_line - Format string. 144 * 145 * @buffer: The line to normalize. 146 * 147 * Leading and trailing whitespaces are removed. 148 * Multiple whitespaces are packed into single space. 149 * 150 * Returns nothing. 151 */ 152 static void tomoyo_normalize_line(unsigned char *buffer) 153 { 154 unsigned char *sp = buffer; 155 unsigned char *dp = buffer; 156 bool first = true; 157 158 while (tomoyo_is_invalid(*sp)) 159 sp++; 160 while (*sp) { 161 if (!first) 162 *dp++ = ' '; 163 first = false; 164 while (tomoyo_is_valid(*sp)) 165 *dp++ = *sp++; 166 while (tomoyo_is_invalid(*sp)) 167 sp++; 168 } 169 *dp = '\0'; 170 } 171 172 /** 173 * tomoyo_is_correct_path - Validate a pathname. 174 * @filename: The pathname to check. 175 * @start_type: Should the pathname start with '/'? 176 * 1 = must / -1 = must not / 0 = don't care 177 * @pattern_type: Can the pathname contain a wildcard? 178 * 1 = must / -1 = must not / 0 = don't care 179 * @end_type: Should the pathname end with '/'? 180 * 1 = must / -1 = must not / 0 = don't care 181 * @function: The name of function calling me. 182 * 183 * Check whether the given filename follows the naming rules. 184 * Returns true if @filename follows the naming rules, false otherwise. 185 */ 186 bool tomoyo_is_correct_path(const char *filename, const s8 start_type, 187 const s8 pattern_type, const s8 end_type, 188 const char *function) 189 { 190 bool contains_pattern = false; 191 unsigned char c; 192 unsigned char d; 193 unsigned char e; 194 const char *original_filename = filename; 195 196 if (!filename) 197 goto out; 198 c = *filename; 199 if (start_type == 1) { /* Must start with '/' */ 200 if (c != '/') 201 goto out; 202 } else if (start_type == -1) { /* Must not start with '/' */ 203 if (c == '/') 204 goto out; 205 } 206 if (c) 207 c = *(filename + strlen(filename) - 1); 208 if (end_type == 1) { /* Must end with '/' */ 209 if (c != '/') 210 goto out; 211 } else if (end_type == -1) { /* Must not end with '/' */ 212 if (c == '/') 213 goto out; 214 } 215 while ((c = *filename++) != '\0') { 216 if (c == '\\') { 217 switch ((c = *filename++)) { 218 case '\\': /* "\\" */ 219 continue; 220 case '$': /* "\$" */ 221 case '+': /* "\+" */ 222 case '?': /* "\?" */ 223 case '*': /* "\*" */ 224 case '@': /* "\@" */ 225 case 'x': /* "\x" */ 226 case 'X': /* "\X" */ 227 case 'a': /* "\a" */ 228 case 'A': /* "\A" */ 229 case '-': /* "\-" */ 230 if (pattern_type == -1) 231 break; /* Must not contain pattern */ 232 contains_pattern = true; 233 continue; 234 case '0': /* "\ooo" */ 235 case '1': 236 case '2': 237 case '3': 238 d = *filename++; 239 if (d < '0' || d > '7') 240 break; 241 e = *filename++; 242 if (e < '0' || e > '7') 243 break; 244 c = tomoyo_make_byte(c, d, e); 245 if (tomoyo_is_invalid(c)) 246 continue; /* pattern is not \000 */ 247 } 248 goto out; 249 } else if (tomoyo_is_invalid(c)) { 250 goto out; 251 } 252 } 253 if (pattern_type == 1) { /* Must contain pattern */ 254 if (!contains_pattern) 255 goto out; 256 } 257 return true; 258 out: 259 printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function, 260 original_filename); 261 return false; 262 } 263 264 /** 265 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules. 266 * @domainname: The domainname to check. 267 * @function: The name of function calling me. 268 * 269 * Returns true if @domainname follows the naming rules, false otherwise. 270 */ 271 bool tomoyo_is_correct_domain(const unsigned char *domainname, 272 const char *function) 273 { 274 unsigned char c; 275 unsigned char d; 276 unsigned char e; 277 const char *org_domainname = domainname; 278 279 if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME, 280 TOMOYO_ROOT_NAME_LEN)) 281 goto out; 282 domainname += TOMOYO_ROOT_NAME_LEN; 283 if (!*domainname) 284 return true; 285 do { 286 if (*domainname++ != ' ') 287 goto out; 288 if (*domainname++ != '/') 289 goto out; 290 while ((c = *domainname) != '\0' && c != ' ') { 291 domainname++; 292 if (c == '\\') { 293 c = *domainname++; 294 switch ((c)) { 295 case '\\': /* "\\" */ 296 continue; 297 case '0': /* "\ooo" */ 298 case '1': 299 case '2': 300 case '3': 301 d = *domainname++; 302 if (d < '0' || d > '7') 303 break; 304 e = *domainname++; 305 if (e < '0' || e > '7') 306 break; 307 c = tomoyo_make_byte(c, d, e); 308 if (tomoyo_is_invalid(c)) 309 /* pattern is not \000 */ 310 continue; 311 } 312 goto out; 313 } else if (tomoyo_is_invalid(c)) { 314 goto out; 315 } 316 } 317 } while (*domainname); 318 return true; 319 out: 320 printk(KERN_DEBUG "%s: Invalid domainname '%s'\n", function, 321 org_domainname); 322 return false; 323 } 324 325 /** 326 * tomoyo_is_domain_def - Check whether the given token can be a domainname. 327 * 328 * @buffer: The token to check. 329 * 330 * Returns true if @buffer possibly be a domainname, false otherwise. 331 */ 332 bool tomoyo_is_domain_def(const unsigned char *buffer) 333 { 334 return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN); 335 } 336 337 /** 338 * tomoyo_find_domain - Find a domain by the given name. 339 * 340 * @domainname: The domainname to find. 341 * 342 * Caller must call down_read(&tomoyo_domain_list_lock); or 343 * down_write(&tomoyo_domain_list_lock); . 344 * 345 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise. 346 */ 347 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname) 348 { 349 struct tomoyo_domain_info *domain; 350 struct tomoyo_path_info name; 351 352 name.name = domainname; 353 tomoyo_fill_path_info(&name); 354 list_for_each_entry(domain, &tomoyo_domain_list, list) { 355 if (!domain->is_deleted && 356 !tomoyo_pathcmp(&name, domain->domainname)) 357 return domain; 358 } 359 return NULL; 360 } 361 362 /** 363 * tomoyo_path_depth - Evaluate the number of '/' in a string. 364 * 365 * @pathname: The string to evaluate. 366 * 367 * Returns path depth of the string. 368 * 369 * I score 2 for each of the '/' in the @pathname 370 * and score 1 if the @pathname ends with '/'. 371 */ 372 static int tomoyo_path_depth(const char *pathname) 373 { 374 int i = 0; 375 376 if (pathname) { 377 const char *ep = pathname + strlen(pathname); 378 if (pathname < ep--) { 379 if (*ep != '/') 380 i++; 381 while (pathname <= ep) 382 if (*ep-- == '/') 383 i += 2; 384 } 385 } 386 return i; 387 } 388 389 /** 390 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token. 391 * 392 * @filename: The string to evaluate. 393 * 394 * Returns the initial length without a pattern in @filename. 395 */ 396 static int tomoyo_const_part_length(const char *filename) 397 { 398 char c; 399 int len = 0; 400 401 if (!filename) 402 return 0; 403 while ((c = *filename++) != '\0') { 404 if (c != '\\') { 405 len++; 406 continue; 407 } 408 c = *filename++; 409 switch (c) { 410 case '\\': /* "\\" */ 411 len += 2; 412 continue; 413 case '0': /* "\ooo" */ 414 case '1': 415 case '2': 416 case '3': 417 c = *filename++; 418 if (c < '0' || c > '7') 419 break; 420 c = *filename++; 421 if (c < '0' || c > '7') 422 break; 423 len += 4; 424 continue; 425 } 426 break; 427 } 428 return len; 429 } 430 431 /** 432 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members. 433 * 434 * @ptr: Pointer to "struct tomoyo_path_info" to fill in. 435 * 436 * The caller sets "struct tomoyo_path_info"->name. 437 */ 438 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr) 439 { 440 const char *name = ptr->name; 441 const int len = strlen(name); 442 443 ptr->const_len = tomoyo_const_part_length(name); 444 ptr->is_dir = len && (name[len - 1] == '/'); 445 ptr->is_patterned = (ptr->const_len < len); 446 ptr->hash = full_name_hash(name, len); 447 ptr->depth = tomoyo_path_depth(name); 448 } 449 450 /** 451 * tomoyo_file_matches_to_pattern2 - Pattern matching without '/' character 452 * and "\-" pattern. 453 * 454 * @filename: The start of string to check. 455 * @filename_end: The end of string to check. 456 * @pattern: The start of pattern to compare. 457 * @pattern_end: The end of pattern to compare. 458 * 459 * Returns true if @filename matches @pattern, false otherwise. 460 */ 461 static bool tomoyo_file_matches_to_pattern2(const char *filename, 462 const char *filename_end, 463 const char *pattern, 464 const char *pattern_end) 465 { 466 while (filename < filename_end && pattern < pattern_end) { 467 char c; 468 if (*pattern != '\\') { 469 if (*filename++ != *pattern++) 470 return false; 471 continue; 472 } 473 c = *filename; 474 pattern++; 475 switch (*pattern) { 476 int i; 477 int j; 478 case '?': 479 if (c == '/') { 480 return false; 481 } else if (c == '\\') { 482 if (filename[1] == '\\') 483 filename++; 484 else if (tomoyo_is_byte_range(filename + 1)) 485 filename += 3; 486 else 487 return false; 488 } 489 break; 490 case '\\': 491 if (c != '\\') 492 return false; 493 if (*++filename != '\\') 494 return false; 495 break; 496 case '+': 497 if (!isdigit(c)) 498 return false; 499 break; 500 case 'x': 501 if (!isxdigit(c)) 502 return false; 503 break; 504 case 'a': 505 if (!tomoyo_is_alphabet_char(c)) 506 return false; 507 break; 508 case '0': 509 case '1': 510 case '2': 511 case '3': 512 if (c == '\\' && tomoyo_is_byte_range(filename + 1) 513 && strncmp(filename + 1, pattern, 3) == 0) { 514 filename += 3; 515 pattern += 2; 516 break; 517 } 518 return false; /* Not matched. */ 519 case '*': 520 case '@': 521 for (i = 0; i <= filename_end - filename; i++) { 522 if (tomoyo_file_matches_to_pattern2( 523 filename + i, filename_end, 524 pattern + 1, pattern_end)) 525 return true; 526 c = filename[i]; 527 if (c == '.' && *pattern == '@') 528 break; 529 if (c != '\\') 530 continue; 531 if (filename[i + 1] == '\\') 532 i++; 533 else if (tomoyo_is_byte_range(filename + i + 1)) 534 i += 3; 535 else 536 break; /* Bad pattern. */ 537 } 538 return false; /* Not matched. */ 539 default: 540 j = 0; 541 c = *pattern; 542 if (c == '$') { 543 while (isdigit(filename[j])) 544 j++; 545 } else if (c == 'X') { 546 while (isxdigit(filename[j])) 547 j++; 548 } else if (c == 'A') { 549 while (tomoyo_is_alphabet_char(filename[j])) 550 j++; 551 } 552 for (i = 1; i <= j; i++) { 553 if (tomoyo_file_matches_to_pattern2( 554 filename + i, filename_end, 555 pattern + 1, pattern_end)) 556 return true; 557 } 558 return false; /* Not matched or bad pattern. */ 559 } 560 filename++; 561 pattern++; 562 } 563 while (*pattern == '\\' && 564 (*(pattern + 1) == '*' || *(pattern + 1) == '@')) 565 pattern += 2; 566 return filename == filename_end && pattern == pattern_end; 567 } 568 569 /** 570 * tomoyo_file_matches_to_pattern - Pattern matching without without '/' character. 571 * 572 * @filename: The start of string to check. 573 * @filename_end: The end of string to check. 574 * @pattern: The start of pattern to compare. 575 * @pattern_end: The end of pattern to compare. 576 * 577 * Returns true if @filename matches @pattern, false otherwise. 578 */ 579 static bool tomoyo_file_matches_to_pattern(const char *filename, 580 const char *filename_end, 581 const char *pattern, 582 const char *pattern_end) 583 { 584 const char *pattern_start = pattern; 585 bool first = true; 586 bool result; 587 588 while (pattern < pattern_end - 1) { 589 /* Split at "\-" pattern. */ 590 if (*pattern++ != '\\' || *pattern++ != '-') 591 continue; 592 result = tomoyo_file_matches_to_pattern2(filename, 593 filename_end, 594 pattern_start, 595 pattern - 2); 596 if (first) 597 result = !result; 598 if (result) 599 return false; 600 first = false; 601 pattern_start = pattern; 602 } 603 result = tomoyo_file_matches_to_pattern2(filename, filename_end, 604 pattern_start, pattern_end); 605 return first ? result : !result; 606 } 607 608 /** 609 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern. 610 * @filename: The filename to check. 611 * @pattern: The pattern to compare. 612 * 613 * Returns true if matches, false otherwise. 614 * 615 * The following patterns are available. 616 * \\ \ itself. 617 * \ooo Octal representation of a byte. 618 * \* More than or equals to 0 character other than '/'. 619 * \@ More than or equals to 0 character other than '/' or '.'. 620 * \? 1 byte character other than '/'. 621 * \$ More than or equals to 1 decimal digit. 622 * \+ 1 decimal digit. 623 * \X More than or equals to 1 hexadecimal digit. 624 * \x 1 hexadecimal digit. 625 * \A More than or equals to 1 alphabet character. 626 * \a 1 alphabet character. 627 * \- Subtraction operator. 628 */ 629 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, 630 const struct tomoyo_path_info *pattern) 631 { 632 /* 633 if (!filename || !pattern) 634 return false; 635 */ 636 const char *f = filename->name; 637 const char *p = pattern->name; 638 const int len = pattern->const_len; 639 640 /* If @pattern doesn't contain pattern, I can use strcmp(). */ 641 if (!pattern->is_patterned) 642 return !tomoyo_pathcmp(filename, pattern); 643 /* Dont compare if the number of '/' differs. */ 644 if (filename->depth != pattern->depth) 645 return false; 646 /* Compare the initial length without patterns. */ 647 if (strncmp(f, p, len)) 648 return false; 649 f += len; 650 p += len; 651 /* Main loop. Compare each directory component. */ 652 while (*f && *p) { 653 const char *f_delimiter = strchr(f, '/'); 654 const char *p_delimiter = strchr(p, '/'); 655 if (!f_delimiter) 656 f_delimiter = f + strlen(f); 657 if (!p_delimiter) 658 p_delimiter = p + strlen(p); 659 if (!tomoyo_file_matches_to_pattern(f, f_delimiter, 660 p, p_delimiter)) 661 return false; 662 f = f_delimiter; 663 if (*f) 664 f++; 665 p = p_delimiter; 666 if (*p) 667 p++; 668 } 669 /* Ignore trailing "\*" and "\@" in @pattern. */ 670 while (*p == '\\' && 671 (*(p + 1) == '*' || *(p + 1) == '@')) 672 p += 2; 673 return !*f && !*p; 674 } 675 676 /** 677 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure. 678 * 679 * @head: Pointer to "struct tomoyo_io_buffer". 680 * @fmt: The printf()'s format string, followed by parameters. 681 * 682 * Returns true if output was written, false otherwise. 683 * 684 * The snprintf() will truncate, but tomoyo_io_printf() won't. 685 */ 686 bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 687 { 688 va_list args; 689 int len; 690 int pos = head->read_avail; 691 int size = head->readbuf_size - pos; 692 693 if (size <= 0) 694 return false; 695 va_start(args, fmt); 696 len = vsnprintf(head->read_buf + pos, size, fmt, args); 697 va_end(args); 698 if (pos + len >= head->readbuf_size) 699 return false; 700 head->read_avail += len; 701 return true; 702 } 703 704 /** 705 * tomoyo_get_exe - Get tomoyo_realpath() of current process. 706 * 707 * Returns the tomoyo_realpath() of current process on success, NULL otherwise. 708 * 709 * This function uses tomoyo_alloc(), so the caller must call tomoyo_free() 710 * if this function didn't return NULL. 711 */ 712 static const char *tomoyo_get_exe(void) 713 { 714 struct mm_struct *mm = current->mm; 715 struct vm_area_struct *vma; 716 const char *cp = NULL; 717 718 if (!mm) 719 return NULL; 720 down_read(&mm->mmap_sem); 721 for (vma = mm->mmap; vma; vma = vma->vm_next) { 722 if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { 723 cp = tomoyo_realpath_from_path(&vma->vm_file->f_path); 724 break; 725 } 726 } 727 up_read(&mm->mmap_sem); 728 return cp; 729 } 730 731 /** 732 * tomoyo_get_msg - Get warning message. 733 * 734 * @is_enforce: Is it enforcing mode? 735 * 736 * Returns "ERROR" or "WARNING". 737 */ 738 const char *tomoyo_get_msg(const bool is_enforce) 739 { 740 if (is_enforce) 741 return "ERROR"; 742 else 743 return "WARNING"; 744 } 745 746 /** 747 * tomoyo_check_flags - Check mode for specified functionality. 748 * 749 * @domain: Pointer to "struct tomoyo_domain_info". 750 * @index: The functionality to check mode. 751 * 752 * TOMOYO checks only process context. 753 * This code disables TOMOYO's enforcement in case the function is called from 754 * interrupt context. 755 */ 756 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, 757 const u8 index) 758 { 759 const u8 profile = domain->profile; 760 761 if (WARN_ON(in_interrupt())) 762 return 0; 763 return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX 764 #if TOMOYO_MAX_PROFILES != 256 765 && profile < TOMOYO_MAX_PROFILES 766 #endif 767 && tomoyo_profile_ptr[profile] ? 768 tomoyo_profile_ptr[profile]->value[index] : 0; 769 } 770 771 /** 772 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode. 773 * 774 * @domain: Pointer to "struct tomoyo_domain_info". 775 * 776 * Returns true if domain policy violation warning should be printed to 777 * console. 778 */ 779 bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain) 780 { 781 return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0; 782 } 783 784 /** 785 * tomoyo_domain_quota_is_ok - Check for domain's quota. 786 * 787 * @domain: Pointer to "struct tomoyo_domain_info". 788 * 789 * Returns true if the domain is not exceeded quota, false otherwise. 790 */ 791 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain) 792 { 793 unsigned int count = 0; 794 struct tomoyo_acl_info *ptr; 795 796 if (!domain) 797 return true; 798 down_read(&tomoyo_domain_acl_info_list_lock); 799 list_for_each_entry(ptr, &domain->acl_info_list, list) { 800 if (ptr->type & TOMOYO_ACL_DELETED) 801 continue; 802 switch (tomoyo_acl_type2(ptr)) { 803 struct tomoyo_single_path_acl_record *acl1; 804 struct tomoyo_double_path_acl_record *acl2; 805 u16 perm; 806 case TOMOYO_TYPE_SINGLE_PATH_ACL: 807 acl1 = container_of(ptr, 808 struct tomoyo_single_path_acl_record, 809 head); 810 perm = acl1->perm; 811 if (perm & (1 << TOMOYO_TYPE_EXECUTE_ACL)) 812 count++; 813 if (perm & 814 ((1 << TOMOYO_TYPE_READ_ACL) | 815 (1 << TOMOYO_TYPE_WRITE_ACL))) 816 count++; 817 if (perm & (1 << TOMOYO_TYPE_CREATE_ACL)) 818 count++; 819 if (perm & (1 << TOMOYO_TYPE_UNLINK_ACL)) 820 count++; 821 if (perm & (1 << TOMOYO_TYPE_MKDIR_ACL)) 822 count++; 823 if (perm & (1 << TOMOYO_TYPE_RMDIR_ACL)) 824 count++; 825 if (perm & (1 << TOMOYO_TYPE_MKFIFO_ACL)) 826 count++; 827 if (perm & (1 << TOMOYO_TYPE_MKSOCK_ACL)) 828 count++; 829 if (perm & (1 << TOMOYO_TYPE_MKBLOCK_ACL)) 830 count++; 831 if (perm & (1 << TOMOYO_TYPE_MKCHAR_ACL)) 832 count++; 833 if (perm & (1 << TOMOYO_TYPE_TRUNCATE_ACL)) 834 count++; 835 if (perm & (1 << TOMOYO_TYPE_SYMLINK_ACL)) 836 count++; 837 if (perm & (1 << TOMOYO_TYPE_REWRITE_ACL)) 838 count++; 839 break; 840 case TOMOYO_TYPE_DOUBLE_PATH_ACL: 841 acl2 = container_of(ptr, 842 struct tomoyo_double_path_acl_record, 843 head); 844 perm = acl2->perm; 845 if (perm & (1 << TOMOYO_TYPE_LINK_ACL)) 846 count++; 847 if (perm & (1 << TOMOYO_TYPE_RENAME_ACL)) 848 count++; 849 break; 850 } 851 } 852 up_read(&tomoyo_domain_acl_info_list_lock); 853 if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY)) 854 return true; 855 if (!domain->quota_warned) { 856 domain->quota_warned = true; 857 printk(KERN_WARNING "TOMOYO-WARNING: " 858 "Domain '%s' has so many ACLs to hold. " 859 "Stopped learning mode.\n", domain->domainname->name); 860 } 861 return false; 862 } 863 864 /** 865 * tomoyo_find_or_assign_new_profile - Create a new profile. 866 * 867 * @profile: Profile number to create. 868 * 869 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 870 */ 871 static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned 872 int profile) 873 { 874 static DEFINE_MUTEX(lock); 875 struct tomoyo_profile *ptr = NULL; 876 int i; 877 878 if (profile >= TOMOYO_MAX_PROFILES) 879 return NULL; 880 mutex_lock(&lock); 881 ptr = tomoyo_profile_ptr[profile]; 882 if (ptr) 883 goto ok; 884 ptr = tomoyo_alloc_element(sizeof(*ptr)); 885 if (!ptr) 886 goto ok; 887 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) 888 ptr->value[i] = tomoyo_control_array[i].current_value; 889 mb(); /* Avoid out-of-order execution. */ 890 tomoyo_profile_ptr[profile] = ptr; 891 ok: 892 mutex_unlock(&lock); 893 return ptr; 894 } 895 896 /** 897 * tomoyo_write_profile - Write to profile table. 898 * 899 * @head: Pointer to "struct tomoyo_io_buffer". 900 * 901 * Returns 0 on success, negative value otherwise. 902 */ 903 static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 904 { 905 char *data = head->write_buf; 906 unsigned int i; 907 unsigned int value; 908 char *cp; 909 struct tomoyo_profile *profile; 910 unsigned long num; 911 912 cp = strchr(data, '-'); 913 if (cp) 914 *cp = '\0'; 915 if (strict_strtoul(data, 10, &num)) 916 return -EINVAL; 917 if (cp) 918 data = cp + 1; 919 profile = tomoyo_find_or_assign_new_profile(num); 920 if (!profile) 921 return -EINVAL; 922 cp = strchr(data, '='); 923 if (!cp) 924 return -EINVAL; 925 *cp = '\0'; 926 if (!strcmp(data, "COMMENT")) { 927 profile->comment = tomoyo_save_name(cp + 1); 928 return 0; 929 } 930 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) { 931 if (strcmp(data, tomoyo_control_array[i].keyword)) 932 continue; 933 if (sscanf(cp + 1, "%u", &value) != 1) { 934 int j; 935 const char **modes; 936 switch (i) { 937 case TOMOYO_VERBOSE: 938 modes = tomoyo_mode_2; 939 break; 940 default: 941 modes = tomoyo_mode_4; 942 break; 943 } 944 for (j = 0; j < 4; j++) { 945 if (strcmp(cp + 1, modes[j])) 946 continue; 947 value = j; 948 break; 949 } 950 if (j == 4) 951 return -EINVAL; 952 } else if (value > tomoyo_control_array[i].max_value) { 953 value = tomoyo_control_array[i].max_value; 954 } 955 profile->value[i] = value; 956 return 0; 957 } 958 return -EINVAL; 959 } 960 961 /** 962 * tomoyo_read_profile - Read from profile table. 963 * 964 * @head: Pointer to "struct tomoyo_io_buffer". 965 * 966 * Returns 0. 967 */ 968 static int tomoyo_read_profile(struct tomoyo_io_buffer *head) 969 { 970 static const int total = TOMOYO_MAX_CONTROL_INDEX + 1; 971 int step; 972 973 if (head->read_eof) 974 return 0; 975 for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total; 976 step++) { 977 const u8 index = step / total; 978 u8 type = step % total; 979 const struct tomoyo_profile *profile 980 = tomoyo_profile_ptr[index]; 981 head->read_step = step; 982 if (!profile) 983 continue; 984 if (!type) { /* Print profile' comment tag. */ 985 if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n", 986 index, profile->comment ? 987 profile->comment->name : "")) 988 break; 989 continue; 990 } 991 type--; 992 if (type < TOMOYO_MAX_CONTROL_INDEX) { 993 const unsigned int value = profile->value[type]; 994 const char **modes = NULL; 995 const char *keyword 996 = tomoyo_control_array[type].keyword; 997 switch (tomoyo_control_array[type].max_value) { 998 case 3: 999 modes = tomoyo_mode_4; 1000 break; 1001 case 1: 1002 modes = tomoyo_mode_2; 1003 break; 1004 } 1005 if (modes) { 1006 if (!tomoyo_io_printf(head, "%u-%s=%s\n", index, 1007 keyword, modes[value])) 1008 break; 1009 } else { 1010 if (!tomoyo_io_printf(head, "%u-%s=%u\n", index, 1011 keyword, value)) 1012 break; 1013 } 1014 } 1015 } 1016 if (step == TOMOYO_MAX_PROFILES * total) 1017 head->read_eof = true; 1018 return 0; 1019 } 1020 1021 /* 1022 * tomoyo_policy_manager_entry is a structure which is used for holding list of 1023 * domainnames or programs which are permitted to modify configuration via 1024 * /sys/kernel/security/tomoyo/ interface. 1025 * It has following fields. 1026 * 1027 * (1) "list" which is linked to tomoyo_policy_manager_list . 1028 * (2) "manager" is a domainname or a program's pathname. 1029 * (3) "is_domain" is a bool which is true if "manager" is a domainname, false 1030 * otherwise. 1031 * (4) "is_deleted" is a bool which is true if marked as deleted, false 1032 * otherwise. 1033 */ 1034 struct tomoyo_policy_manager_entry { 1035 struct list_head list; 1036 /* A path to program or a domainname. */ 1037 const struct tomoyo_path_info *manager; 1038 bool is_domain; /* True if manager is a domainname. */ 1039 bool is_deleted; /* True if this entry is deleted. */ 1040 }; 1041 1042 /* 1043 * tomoyo_policy_manager_list is used for holding list of domainnames or 1044 * programs which are permitted to modify configuration via 1045 * /sys/kernel/security/tomoyo/ interface. 1046 * 1047 * An entry is added by 1048 * 1049 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \ 1050 * /sys/kernel/security/tomoyo/manager 1051 * (if you want to specify by a domainname) 1052 * 1053 * or 1054 * 1055 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager 1056 * (if you want to specify by a program's location) 1057 * 1058 * and is deleted by 1059 * 1060 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \ 1061 * /sys/kernel/security/tomoyo/manager 1062 * 1063 * or 1064 * 1065 * # echo 'delete /usr/lib/ccs/editpolicy' > \ 1066 * /sys/kernel/security/tomoyo/manager 1067 * 1068 * and all entries are retrieved by 1069 * 1070 * # cat /sys/kernel/security/tomoyo/manager 1071 */ 1072 static LIST_HEAD(tomoyo_policy_manager_list); 1073 static DECLARE_RWSEM(tomoyo_policy_manager_list_lock); 1074 1075 /** 1076 * tomoyo_update_manager_entry - Add a manager entry. 1077 * 1078 * @manager: The path to manager or the domainnamme. 1079 * @is_delete: True if it is a delete request. 1080 * 1081 * Returns 0 on success, negative value otherwise. 1082 */ 1083 static int tomoyo_update_manager_entry(const char *manager, 1084 const bool is_delete) 1085 { 1086 struct tomoyo_policy_manager_entry *new_entry; 1087 struct tomoyo_policy_manager_entry *ptr; 1088 const struct tomoyo_path_info *saved_manager; 1089 int error = -ENOMEM; 1090 bool is_domain = false; 1091 1092 if (tomoyo_is_domain_def(manager)) { 1093 if (!tomoyo_is_correct_domain(manager, __func__)) 1094 return -EINVAL; 1095 is_domain = true; 1096 } else { 1097 if (!tomoyo_is_correct_path(manager, 1, -1, -1, __func__)) 1098 return -EINVAL; 1099 } 1100 saved_manager = tomoyo_save_name(manager); 1101 if (!saved_manager) 1102 return -ENOMEM; 1103 down_write(&tomoyo_policy_manager_list_lock); 1104 list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) { 1105 if (ptr->manager != saved_manager) 1106 continue; 1107 ptr->is_deleted = is_delete; 1108 error = 0; 1109 goto out; 1110 } 1111 if (is_delete) { 1112 error = -ENOENT; 1113 goto out; 1114 } 1115 new_entry = tomoyo_alloc_element(sizeof(*new_entry)); 1116 if (!new_entry) 1117 goto out; 1118 new_entry->manager = saved_manager; 1119 new_entry->is_domain = is_domain; 1120 list_add_tail(&new_entry->list, &tomoyo_policy_manager_list); 1121 error = 0; 1122 out: 1123 up_write(&tomoyo_policy_manager_list_lock); 1124 return error; 1125 } 1126 1127 /** 1128 * tomoyo_write_manager_policy - Write manager policy. 1129 * 1130 * @head: Pointer to "struct tomoyo_io_buffer". 1131 * 1132 * Returns 0 on success, negative value otherwise. 1133 */ 1134 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head) 1135 { 1136 char *data = head->write_buf; 1137 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 1138 1139 if (!strcmp(data, "manage_by_non_root")) { 1140 tomoyo_manage_by_non_root = !is_delete; 1141 return 0; 1142 } 1143 return tomoyo_update_manager_entry(data, is_delete); 1144 } 1145 1146 /** 1147 * tomoyo_read_manager_policy - Read manager policy. 1148 * 1149 * @head: Pointer to "struct tomoyo_io_buffer". 1150 * 1151 * Returns 0. 1152 */ 1153 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head) 1154 { 1155 struct list_head *pos; 1156 bool done = true; 1157 1158 if (head->read_eof) 1159 return 0; 1160 down_read(&tomoyo_policy_manager_list_lock); 1161 list_for_each_cookie(pos, head->read_var2, 1162 &tomoyo_policy_manager_list) { 1163 struct tomoyo_policy_manager_entry *ptr; 1164 ptr = list_entry(pos, struct tomoyo_policy_manager_entry, 1165 list); 1166 if (ptr->is_deleted) 1167 continue; 1168 done = tomoyo_io_printf(head, "%s\n", ptr->manager->name); 1169 if (!done) 1170 break; 1171 } 1172 up_read(&tomoyo_policy_manager_list_lock); 1173 head->read_eof = done; 1174 return 0; 1175 } 1176 1177 /** 1178 * tomoyo_is_policy_manager - Check whether the current process is a policy manager. 1179 * 1180 * Returns true if the current process is permitted to modify policy 1181 * via /sys/kernel/security/tomoyo/ interface. 1182 */ 1183 static bool tomoyo_is_policy_manager(void) 1184 { 1185 struct tomoyo_policy_manager_entry *ptr; 1186 const char *exe; 1187 const struct task_struct *task = current; 1188 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 1189 bool found = false; 1190 1191 if (!tomoyo_policy_loaded) 1192 return true; 1193 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) 1194 return false; 1195 down_read(&tomoyo_policy_manager_list_lock); 1196 list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) { 1197 if (!ptr->is_deleted && ptr->is_domain 1198 && !tomoyo_pathcmp(domainname, ptr->manager)) { 1199 found = true; 1200 break; 1201 } 1202 } 1203 up_read(&tomoyo_policy_manager_list_lock); 1204 if (found) 1205 return true; 1206 exe = tomoyo_get_exe(); 1207 if (!exe) 1208 return false; 1209 down_read(&tomoyo_policy_manager_list_lock); 1210 list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) { 1211 if (!ptr->is_deleted && !ptr->is_domain 1212 && !strcmp(exe, ptr->manager->name)) { 1213 found = true; 1214 break; 1215 } 1216 } 1217 up_read(&tomoyo_policy_manager_list_lock); 1218 if (!found) { /* Reduce error messages. */ 1219 static pid_t last_pid; 1220 const pid_t pid = current->pid; 1221 if (last_pid != pid) { 1222 printk(KERN_WARNING "%s ( %s ) is not permitted to " 1223 "update policies.\n", domainname->name, exe); 1224 last_pid = pid; 1225 } 1226 } 1227 tomoyo_free(exe); 1228 return found; 1229 } 1230 1231 /** 1232 * tomoyo_is_select_one - Parse select command. 1233 * 1234 * @head: Pointer to "struct tomoyo_io_buffer". 1235 * @data: String to parse. 1236 * 1237 * Returns true on success, false otherwise. 1238 */ 1239 static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head, 1240 const char *data) 1241 { 1242 unsigned int pid; 1243 struct tomoyo_domain_info *domain = NULL; 1244 1245 if (sscanf(data, "pid=%u", &pid) == 1) { 1246 struct task_struct *p; 1247 read_lock(&tasklist_lock); 1248 p = find_task_by_vpid(pid); 1249 if (p) 1250 domain = tomoyo_real_domain(p); 1251 read_unlock(&tasklist_lock); 1252 } else if (!strncmp(data, "domain=", 7)) { 1253 if (tomoyo_is_domain_def(data + 7)) { 1254 down_read(&tomoyo_domain_list_lock); 1255 domain = tomoyo_find_domain(data + 7); 1256 up_read(&tomoyo_domain_list_lock); 1257 } 1258 } else 1259 return false; 1260 head->write_var1 = domain; 1261 /* Accessing read_buf is safe because head->io_sem is held. */ 1262 if (!head->read_buf) 1263 return true; /* Do nothing if open(O_WRONLY). */ 1264 head->read_avail = 0; 1265 tomoyo_io_printf(head, "# select %s\n", data); 1266 head->read_single_domain = true; 1267 head->read_eof = !domain; 1268 if (domain) { 1269 struct tomoyo_domain_info *d; 1270 head->read_var1 = NULL; 1271 down_read(&tomoyo_domain_list_lock); 1272 list_for_each_entry(d, &tomoyo_domain_list, list) { 1273 if (d == domain) 1274 break; 1275 head->read_var1 = &d->list; 1276 } 1277 up_read(&tomoyo_domain_list_lock); 1278 head->read_var2 = NULL; 1279 head->read_bit = 0; 1280 head->read_step = 0; 1281 if (domain->is_deleted) 1282 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 1283 } 1284 return true; 1285 } 1286 1287 /** 1288 * tomoyo_write_domain_policy - Write domain policy. 1289 * 1290 * @head: Pointer to "struct tomoyo_io_buffer". 1291 * 1292 * Returns 0 on success, negative value otherwise. 1293 */ 1294 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) 1295 { 1296 char *data = head->write_buf; 1297 struct tomoyo_domain_info *domain = head->write_var1; 1298 bool is_delete = false; 1299 bool is_select = false; 1300 unsigned int profile; 1301 1302 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE)) 1303 is_delete = true; 1304 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT)) 1305 is_select = true; 1306 if (is_select && tomoyo_is_select_one(head, data)) 1307 return 0; 1308 /* Don't allow updating policies by non manager programs. */ 1309 if (!tomoyo_is_policy_manager()) 1310 return -EPERM; 1311 if (tomoyo_is_domain_def(data)) { 1312 domain = NULL; 1313 if (is_delete) 1314 tomoyo_delete_domain(data); 1315 else if (is_select) { 1316 down_read(&tomoyo_domain_list_lock); 1317 domain = tomoyo_find_domain(data); 1318 up_read(&tomoyo_domain_list_lock); 1319 } else 1320 domain = tomoyo_find_or_assign_new_domain(data, 0); 1321 head->write_var1 = domain; 1322 return 0; 1323 } 1324 if (!domain) 1325 return -EINVAL; 1326 1327 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1 1328 && profile < TOMOYO_MAX_PROFILES) { 1329 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded) 1330 domain->profile = (u8) profile; 1331 return 0; 1332 } 1333 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) { 1334 tomoyo_set_domain_flag(domain, is_delete, 1335 TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ); 1336 return 0; 1337 } 1338 return tomoyo_write_file_policy(data, domain, is_delete); 1339 } 1340 1341 /** 1342 * tomoyo_print_single_path_acl - Print a single path ACL entry. 1343 * 1344 * @head: Pointer to "struct tomoyo_io_buffer". 1345 * @ptr: Pointer to "struct tomoyo_single_path_acl_record". 1346 * 1347 * Returns true on success, false otherwise. 1348 */ 1349 static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head, 1350 struct tomoyo_single_path_acl_record * 1351 ptr) 1352 { 1353 int pos; 1354 u8 bit; 1355 const char *atmark = ""; 1356 const char *filename; 1357 const u16 perm = ptr->perm; 1358 1359 filename = ptr->filename->name; 1360 for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION; 1361 bit++) { 1362 const char *msg; 1363 if (!(perm & (1 << bit))) 1364 continue; 1365 /* Print "read/write" instead of "read" and "write". */ 1366 if ((bit == TOMOYO_TYPE_READ_ACL || 1367 bit == TOMOYO_TYPE_WRITE_ACL) 1368 && (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) 1369 continue; 1370 msg = tomoyo_sp2keyword(bit); 1371 pos = head->read_avail; 1372 if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg, 1373 atmark, filename)) 1374 goto out; 1375 } 1376 head->read_bit = 0; 1377 return true; 1378 out: 1379 head->read_bit = bit; 1380 head->read_avail = pos; 1381 return false; 1382 } 1383 1384 /** 1385 * tomoyo_print_double_path_acl - Print a double path ACL entry. 1386 * 1387 * @head: Pointer to "struct tomoyo_io_buffer". 1388 * @ptr: Pointer to "struct tomoyo_double_path_acl_record". 1389 * 1390 * Returns true on success, false otherwise. 1391 */ 1392 static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head, 1393 struct tomoyo_double_path_acl_record * 1394 ptr) 1395 { 1396 int pos; 1397 const char *atmark1 = ""; 1398 const char *atmark2 = ""; 1399 const char *filename1; 1400 const char *filename2; 1401 const u8 perm = ptr->perm; 1402 u8 bit; 1403 1404 filename1 = ptr->filename1->name; 1405 filename2 = ptr->filename2->name; 1406 for (bit = head->read_bit; bit < TOMOYO_MAX_DOUBLE_PATH_OPERATION; 1407 bit++) { 1408 const char *msg; 1409 if (!(perm & (1 << bit))) 1410 continue; 1411 msg = tomoyo_dp2keyword(bit); 1412 pos = head->read_avail; 1413 if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg, 1414 atmark1, filename1, atmark2, filename2)) 1415 goto out; 1416 } 1417 head->read_bit = 0; 1418 return true; 1419 out: 1420 head->read_bit = bit; 1421 head->read_avail = pos; 1422 return false; 1423 } 1424 1425 /** 1426 * tomoyo_print_entry - Print an ACL entry. 1427 * 1428 * @head: Pointer to "struct tomoyo_io_buffer". 1429 * @ptr: Pointer to an ACL entry. 1430 * 1431 * Returns true on success, false otherwise. 1432 */ 1433 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 1434 struct tomoyo_acl_info *ptr) 1435 { 1436 const u8 acl_type = tomoyo_acl_type2(ptr); 1437 1438 if (acl_type & TOMOYO_ACL_DELETED) 1439 return true; 1440 if (acl_type == TOMOYO_TYPE_SINGLE_PATH_ACL) { 1441 struct tomoyo_single_path_acl_record *acl 1442 = container_of(ptr, 1443 struct tomoyo_single_path_acl_record, 1444 head); 1445 return tomoyo_print_single_path_acl(head, acl); 1446 } 1447 if (acl_type == TOMOYO_TYPE_DOUBLE_PATH_ACL) { 1448 struct tomoyo_double_path_acl_record *acl 1449 = container_of(ptr, 1450 struct tomoyo_double_path_acl_record, 1451 head); 1452 return tomoyo_print_double_path_acl(head, acl); 1453 } 1454 BUG(); /* This must not happen. */ 1455 return false; 1456 } 1457 1458 /** 1459 * tomoyo_read_domain_policy - Read domain policy. 1460 * 1461 * @head: Pointer to "struct tomoyo_io_buffer". 1462 * 1463 * Returns 0. 1464 */ 1465 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head) 1466 { 1467 struct list_head *dpos; 1468 struct list_head *apos; 1469 bool done = true; 1470 1471 if (head->read_eof) 1472 return 0; 1473 if (head->read_step == 0) 1474 head->read_step = 1; 1475 down_read(&tomoyo_domain_list_lock); 1476 list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) { 1477 struct tomoyo_domain_info *domain; 1478 const char *quota_exceeded = ""; 1479 const char *transition_failed = ""; 1480 const char *ignore_global_allow_read = ""; 1481 domain = list_entry(dpos, struct tomoyo_domain_info, list); 1482 if (head->read_step != 1) 1483 goto acl_loop; 1484 if (domain->is_deleted && !head->read_single_domain) 1485 continue; 1486 /* Print domainname and flags. */ 1487 if (domain->quota_warned) 1488 quota_exceeded = "quota_exceeded\n"; 1489 if (domain->flags & TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED) 1490 transition_failed = "transition_failed\n"; 1491 if (domain->flags & 1492 TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) 1493 ignore_global_allow_read 1494 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; 1495 done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE 1496 "%u\n%s%s%s\n", 1497 domain->domainname->name, 1498 domain->profile, quota_exceeded, 1499 transition_failed, 1500 ignore_global_allow_read); 1501 if (!done) 1502 break; 1503 head->read_step = 2; 1504 acl_loop: 1505 if (head->read_step == 3) 1506 goto tail_mark; 1507 /* Print ACL entries in the domain. */ 1508 down_read(&tomoyo_domain_acl_info_list_lock); 1509 list_for_each_cookie(apos, head->read_var2, 1510 &domain->acl_info_list) { 1511 struct tomoyo_acl_info *ptr 1512 = list_entry(apos, struct tomoyo_acl_info, 1513 list); 1514 done = tomoyo_print_entry(head, ptr); 1515 if (!done) 1516 break; 1517 } 1518 up_read(&tomoyo_domain_acl_info_list_lock); 1519 if (!done) 1520 break; 1521 head->read_step = 3; 1522 tail_mark: 1523 done = tomoyo_io_printf(head, "\n"); 1524 if (!done) 1525 break; 1526 head->read_step = 1; 1527 if (head->read_single_domain) 1528 break; 1529 } 1530 up_read(&tomoyo_domain_list_lock); 1531 head->read_eof = done; 1532 return 0; 1533 } 1534 1535 /** 1536 * tomoyo_write_domain_profile - Assign profile for specified domain. 1537 * 1538 * @head: Pointer to "struct tomoyo_io_buffer". 1539 * 1540 * Returns 0 on success, -EINVAL otherwise. 1541 * 1542 * This is equivalent to doing 1543 * 1544 * ( echo "select " $domainname; echo "use_profile " $profile ) | 1545 * /usr/lib/ccs/loadpolicy -d 1546 */ 1547 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head) 1548 { 1549 char *data = head->write_buf; 1550 char *cp = strchr(data, ' '); 1551 struct tomoyo_domain_info *domain; 1552 unsigned long profile; 1553 1554 if (!cp) 1555 return -EINVAL; 1556 *cp = '\0'; 1557 down_read(&tomoyo_domain_list_lock); 1558 domain = tomoyo_find_domain(cp + 1); 1559 up_read(&tomoyo_domain_list_lock); 1560 if (strict_strtoul(data, 10, &profile)) 1561 return -EINVAL; 1562 if (domain && profile < TOMOYO_MAX_PROFILES 1563 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)) 1564 domain->profile = (u8) profile; 1565 return 0; 1566 } 1567 1568 /** 1569 * tomoyo_read_domain_profile - Read only domainname and profile. 1570 * 1571 * @head: Pointer to "struct tomoyo_io_buffer". 1572 * 1573 * Returns list of profile number and domainname pairs. 1574 * 1575 * This is equivalent to doing 1576 * 1577 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy | 1578 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" ) 1579 * domainname = $0; } else if ( $1 == "use_profile" ) { 1580 * print $2 " " domainname; domainname = ""; } } ; ' 1581 */ 1582 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head) 1583 { 1584 struct list_head *pos; 1585 bool done = true; 1586 1587 if (head->read_eof) 1588 return 0; 1589 down_read(&tomoyo_domain_list_lock); 1590 list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) { 1591 struct tomoyo_domain_info *domain; 1592 domain = list_entry(pos, struct tomoyo_domain_info, list); 1593 if (domain->is_deleted) 1594 continue; 1595 done = tomoyo_io_printf(head, "%u %s\n", domain->profile, 1596 domain->domainname->name); 1597 if (!done) 1598 break; 1599 } 1600 up_read(&tomoyo_domain_list_lock); 1601 head->read_eof = done; 1602 return 0; 1603 } 1604 1605 /** 1606 * tomoyo_write_pid: Specify PID to obtain domainname. 1607 * 1608 * @head: Pointer to "struct tomoyo_io_buffer". 1609 * 1610 * Returns 0. 1611 */ 1612 static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1613 { 1614 unsigned long pid; 1615 /* No error check. */ 1616 strict_strtoul(head->write_buf, 10, &pid); 1617 head->read_step = (int) pid; 1618 head->read_eof = false; 1619 return 0; 1620 } 1621 1622 /** 1623 * tomoyo_read_pid - Get domainname of the specified PID. 1624 * 1625 * @head: Pointer to "struct tomoyo_io_buffer". 1626 * 1627 * Returns the domainname which the specified PID is in on success, 1628 * empty string otherwise. 1629 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1630 * using read()/write() interface rather than sysctl() interface. 1631 */ 1632 static int tomoyo_read_pid(struct tomoyo_io_buffer *head) 1633 { 1634 if (head->read_avail == 0 && !head->read_eof) { 1635 const int pid = head->read_step; 1636 struct task_struct *p; 1637 struct tomoyo_domain_info *domain = NULL; 1638 read_lock(&tasklist_lock); 1639 p = find_task_by_vpid(pid); 1640 if (p) 1641 domain = tomoyo_real_domain(p); 1642 read_unlock(&tasklist_lock); 1643 if (domain) 1644 tomoyo_io_printf(head, "%d %u %s", pid, domain->profile, 1645 domain->domainname->name); 1646 head->read_eof = true; 1647 } 1648 return 0; 1649 } 1650 1651 /** 1652 * tomoyo_write_exception_policy - Write exception policy. 1653 * 1654 * @head: Pointer to "struct tomoyo_io_buffer". 1655 * 1656 * Returns 0 on success, negative value otherwise. 1657 */ 1658 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head) 1659 { 1660 char *data = head->write_buf; 1661 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 1662 1663 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN)) 1664 return tomoyo_write_domain_keeper_policy(data, false, 1665 is_delete); 1666 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN)) 1667 return tomoyo_write_domain_keeper_policy(data, true, is_delete); 1668 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN)) 1669 return tomoyo_write_domain_initializer_policy(data, false, 1670 is_delete); 1671 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN)) 1672 return tomoyo_write_domain_initializer_policy(data, true, 1673 is_delete); 1674 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS)) 1675 return tomoyo_write_alias_policy(data, is_delete); 1676 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ)) 1677 return tomoyo_write_globally_readable_policy(data, is_delete); 1678 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN)) 1679 return tomoyo_write_pattern_policy(data, is_delete); 1680 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE)) 1681 return tomoyo_write_no_rewrite_policy(data, is_delete); 1682 return -EINVAL; 1683 } 1684 1685 /** 1686 * tomoyo_read_exception_policy - Read exception policy. 1687 * 1688 * @head: Pointer to "struct tomoyo_io_buffer". 1689 * 1690 * Returns 0 on success, -EINVAL otherwise. 1691 */ 1692 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head) 1693 { 1694 if (!head->read_eof) { 1695 switch (head->read_step) { 1696 case 0: 1697 head->read_var2 = NULL; 1698 head->read_step = 1; 1699 case 1: 1700 if (!tomoyo_read_domain_keeper_policy(head)) 1701 break; 1702 head->read_var2 = NULL; 1703 head->read_step = 2; 1704 case 2: 1705 if (!tomoyo_read_globally_readable_policy(head)) 1706 break; 1707 head->read_var2 = NULL; 1708 head->read_step = 3; 1709 case 3: 1710 head->read_var2 = NULL; 1711 head->read_step = 4; 1712 case 4: 1713 if (!tomoyo_read_domain_initializer_policy(head)) 1714 break; 1715 head->read_var2 = NULL; 1716 head->read_step = 5; 1717 case 5: 1718 if (!tomoyo_read_alias_policy(head)) 1719 break; 1720 head->read_var2 = NULL; 1721 head->read_step = 6; 1722 case 6: 1723 head->read_var2 = NULL; 1724 head->read_step = 7; 1725 case 7: 1726 if (!tomoyo_read_file_pattern(head)) 1727 break; 1728 head->read_var2 = NULL; 1729 head->read_step = 8; 1730 case 8: 1731 if (!tomoyo_read_no_rewrite_policy(head)) 1732 break; 1733 head->read_var2 = NULL; 1734 head->read_step = 9; 1735 case 9: 1736 head->read_eof = true; 1737 break; 1738 default: 1739 return -EINVAL; 1740 } 1741 } 1742 return 0; 1743 } 1744 1745 /* path to policy loader */ 1746 static const char *tomoyo_loader = "/sbin/tomoyo-init"; 1747 1748 /** 1749 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists. 1750 * 1751 * Returns true if /sbin/tomoyo-init exists, false otherwise. 1752 */ 1753 static bool tomoyo_policy_loader_exists(void) 1754 { 1755 /* 1756 * Don't activate MAC if the policy loader doesn't exist. 1757 * If the initrd includes /sbin/init but real-root-dev has not 1758 * mounted on / yet, activating MAC will block the system since 1759 * policies are not loaded yet. 1760 * Thus, let do_execve() call this function everytime. 1761 */ 1762 struct path path; 1763 1764 if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) { 1765 printk(KERN_INFO "Not activating Mandatory Access Control now " 1766 "since %s doesn't exist.\n", tomoyo_loader); 1767 return false; 1768 } 1769 path_put(&path); 1770 return true; 1771 } 1772 1773 /** 1774 * tomoyo_load_policy - Run external policy loader to load policy. 1775 * 1776 * @filename: The program about to start. 1777 * 1778 * This function checks whether @filename is /sbin/init , and if so 1779 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init 1780 * and then continues invocation of /sbin/init. 1781 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and 1782 * writes to /sys/kernel/security/tomoyo/ interfaces. 1783 * 1784 * Returns nothing. 1785 */ 1786 void tomoyo_load_policy(const char *filename) 1787 { 1788 char *argv[2]; 1789 char *envp[3]; 1790 1791 if (tomoyo_policy_loaded) 1792 return; 1793 /* 1794 * Check filename is /sbin/init or /sbin/tomoyo-start. 1795 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't 1796 * be passed. 1797 * You can create /sbin/tomoyo-start by 1798 * "ln -s /bin/true /sbin/tomoyo-start". 1799 */ 1800 if (strcmp(filename, "/sbin/init") && 1801 strcmp(filename, "/sbin/tomoyo-start")) 1802 return; 1803 if (!tomoyo_policy_loader_exists()) 1804 return; 1805 1806 printk(KERN_INFO "Calling %s to load policy. Please wait.\n", 1807 tomoyo_loader); 1808 argv[0] = (char *) tomoyo_loader; 1809 argv[1] = NULL; 1810 envp[0] = "HOME=/"; 1811 envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin"; 1812 envp[2] = NULL; 1813 call_usermodehelper(argv[0], argv, envp, 1); 1814 1815 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n"); 1816 printk(KERN_INFO "Mandatory Access Control activated.\n"); 1817 tomoyo_policy_loaded = true; 1818 { /* Check all profiles currently assigned to domains are defined. */ 1819 struct tomoyo_domain_info *domain; 1820 down_read(&tomoyo_domain_list_lock); 1821 list_for_each_entry(domain, &tomoyo_domain_list, list) { 1822 const u8 profile = domain->profile; 1823 if (tomoyo_profile_ptr[profile]) 1824 continue; 1825 panic("Profile %u (used by '%s') not defined.\n", 1826 profile, domain->domainname->name); 1827 } 1828 up_read(&tomoyo_domain_list_lock); 1829 } 1830 } 1831 1832 /** 1833 * tomoyo_read_version: Get version. 1834 * 1835 * @head: Pointer to "struct tomoyo_io_buffer". 1836 * 1837 * Returns version information. 1838 */ 1839 static int tomoyo_read_version(struct tomoyo_io_buffer *head) 1840 { 1841 if (!head->read_eof) { 1842 tomoyo_io_printf(head, "2.2.0"); 1843 head->read_eof = true; 1844 } 1845 return 0; 1846 } 1847 1848 /** 1849 * tomoyo_read_self_domain - Get the current process's domainname. 1850 * 1851 * @head: Pointer to "struct tomoyo_io_buffer". 1852 * 1853 * Returns the current process's domainname. 1854 */ 1855 static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head) 1856 { 1857 if (!head->read_eof) { 1858 /* 1859 * tomoyo_domain()->domainname != NULL 1860 * because every process belongs to a domain and 1861 * the domain's name cannot be NULL. 1862 */ 1863 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); 1864 head->read_eof = true; 1865 } 1866 return 0; 1867 } 1868 1869 /** 1870 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 1871 * 1872 * @type: Type of interface. 1873 * @file: Pointer to "struct file". 1874 * 1875 * Associates policy handler and returns 0 on success, -ENOMEM otherwise. 1876 */ 1877 static int tomoyo_open_control(const u8 type, struct file *file) 1878 { 1879 struct tomoyo_io_buffer *head = tomoyo_alloc(sizeof(*head)); 1880 1881 if (!head) 1882 return -ENOMEM; 1883 mutex_init(&head->io_sem); 1884 switch (type) { 1885 case TOMOYO_DOMAINPOLICY: 1886 /* /sys/kernel/security/tomoyo/domain_policy */ 1887 head->write = tomoyo_write_domain_policy; 1888 head->read = tomoyo_read_domain_policy; 1889 break; 1890 case TOMOYO_EXCEPTIONPOLICY: 1891 /* /sys/kernel/security/tomoyo/exception_policy */ 1892 head->write = tomoyo_write_exception_policy; 1893 head->read = tomoyo_read_exception_policy; 1894 break; 1895 case TOMOYO_SELFDOMAIN: 1896 /* /sys/kernel/security/tomoyo/self_domain */ 1897 head->read = tomoyo_read_self_domain; 1898 break; 1899 case TOMOYO_DOMAIN_STATUS: 1900 /* /sys/kernel/security/tomoyo/.domain_status */ 1901 head->write = tomoyo_write_domain_profile; 1902 head->read = tomoyo_read_domain_profile; 1903 break; 1904 case TOMOYO_PROCESS_STATUS: 1905 /* /sys/kernel/security/tomoyo/.process_status */ 1906 head->write = tomoyo_write_pid; 1907 head->read = tomoyo_read_pid; 1908 break; 1909 case TOMOYO_VERSION: 1910 /* /sys/kernel/security/tomoyo/version */ 1911 head->read = tomoyo_read_version; 1912 head->readbuf_size = 128; 1913 break; 1914 case TOMOYO_MEMINFO: 1915 /* /sys/kernel/security/tomoyo/meminfo */ 1916 head->write = tomoyo_write_memory_quota; 1917 head->read = tomoyo_read_memory_counter; 1918 head->readbuf_size = 512; 1919 break; 1920 case TOMOYO_PROFILE: 1921 /* /sys/kernel/security/tomoyo/profile */ 1922 head->write = tomoyo_write_profile; 1923 head->read = tomoyo_read_profile; 1924 break; 1925 case TOMOYO_MANAGER: 1926 /* /sys/kernel/security/tomoyo/manager */ 1927 head->write = tomoyo_write_manager_policy; 1928 head->read = tomoyo_read_manager_policy; 1929 break; 1930 } 1931 if (!(file->f_mode & FMODE_READ)) { 1932 /* 1933 * No need to allocate read_buf since it is not opened 1934 * for reading. 1935 */ 1936 head->read = NULL; 1937 } else { 1938 if (!head->readbuf_size) 1939 head->readbuf_size = 4096 * 2; 1940 head->read_buf = tomoyo_alloc(head->readbuf_size); 1941 if (!head->read_buf) { 1942 tomoyo_free(head); 1943 return -ENOMEM; 1944 } 1945 } 1946 if (!(file->f_mode & FMODE_WRITE)) { 1947 /* 1948 * No need to allocate write_buf since it is not opened 1949 * for writing. 1950 */ 1951 head->write = NULL; 1952 } else if (head->write) { 1953 head->writebuf_size = 4096 * 2; 1954 head->write_buf = tomoyo_alloc(head->writebuf_size); 1955 if (!head->write_buf) { 1956 tomoyo_free(head->read_buf); 1957 tomoyo_free(head); 1958 return -ENOMEM; 1959 } 1960 } 1961 file->private_data = head; 1962 /* 1963 * Call the handler now if the file is 1964 * /sys/kernel/security/tomoyo/self_domain 1965 * so that the user can use 1966 * cat < /sys/kernel/security/tomoyo/self_domain" 1967 * to know the current process's domainname. 1968 */ 1969 if (type == TOMOYO_SELFDOMAIN) 1970 tomoyo_read_control(file, NULL, 0); 1971 return 0; 1972 } 1973 1974 /** 1975 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 1976 * 1977 * @file: Pointer to "struct file". 1978 * @buffer: Poiner to buffer to write to. 1979 * @buffer_len: Size of @buffer. 1980 * 1981 * Returns bytes read on success, negative value otherwise. 1982 */ 1983 static int tomoyo_read_control(struct file *file, char __user *buffer, 1984 const int buffer_len) 1985 { 1986 int len = 0; 1987 struct tomoyo_io_buffer *head = file->private_data; 1988 char *cp; 1989 1990 if (!head->read) 1991 return -ENOSYS; 1992 if (mutex_lock_interruptible(&head->io_sem)) 1993 return -EINTR; 1994 /* Call the policy handler. */ 1995 len = head->read(head); 1996 if (len < 0) 1997 goto out; 1998 /* Write to buffer. */ 1999 len = head->read_avail; 2000 if (len > buffer_len) 2001 len = buffer_len; 2002 if (!len) 2003 goto out; 2004 /* head->read_buf changes by some functions. */ 2005 cp = head->read_buf; 2006 if (copy_to_user(buffer, cp, len)) { 2007 len = -EFAULT; 2008 goto out; 2009 } 2010 head->read_avail -= len; 2011 memmove(cp, cp + len, head->read_avail); 2012 out: 2013 mutex_unlock(&head->io_sem); 2014 return len; 2015 } 2016 2017 /** 2018 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 2019 * 2020 * @file: Pointer to "struct file". 2021 * @buffer: Pointer to buffer to read from. 2022 * @buffer_len: Size of @buffer. 2023 * 2024 * Returns @buffer_len on success, negative value otherwise. 2025 */ 2026 static int tomoyo_write_control(struct file *file, const char __user *buffer, 2027 const int buffer_len) 2028 { 2029 struct tomoyo_io_buffer *head = file->private_data; 2030 int error = buffer_len; 2031 int avail_len = buffer_len; 2032 char *cp0 = head->write_buf; 2033 2034 if (!head->write) 2035 return -ENOSYS; 2036 if (!access_ok(VERIFY_READ, buffer, buffer_len)) 2037 return -EFAULT; 2038 /* Don't allow updating policies by non manager programs. */ 2039 if (head->write != tomoyo_write_pid && 2040 head->write != tomoyo_write_domain_policy && 2041 !tomoyo_is_policy_manager()) 2042 return -EPERM; 2043 if (mutex_lock_interruptible(&head->io_sem)) 2044 return -EINTR; 2045 /* Read a line and dispatch it to the policy handler. */ 2046 while (avail_len > 0) { 2047 char c; 2048 if (head->write_avail >= head->writebuf_size - 1) { 2049 error = -ENOMEM; 2050 break; 2051 } else if (get_user(c, buffer)) { 2052 error = -EFAULT; 2053 break; 2054 } 2055 buffer++; 2056 avail_len--; 2057 cp0[head->write_avail++] = c; 2058 if (c != '\n') 2059 continue; 2060 cp0[head->write_avail - 1] = '\0'; 2061 head->write_avail = 0; 2062 tomoyo_normalize_line(cp0); 2063 head->write(head); 2064 } 2065 mutex_unlock(&head->io_sem); 2066 return error; 2067 } 2068 2069 /** 2070 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 2071 * 2072 * @file: Pointer to "struct file". 2073 * 2074 * Releases memory and returns 0. 2075 */ 2076 static int tomoyo_close_control(struct file *file) 2077 { 2078 struct tomoyo_io_buffer *head = file->private_data; 2079 2080 /* Release memory used for policy I/O. */ 2081 tomoyo_free(head->read_buf); 2082 head->read_buf = NULL; 2083 tomoyo_free(head->write_buf); 2084 head->write_buf = NULL; 2085 tomoyo_free(head); 2086 head = NULL; 2087 file->private_data = NULL; 2088 return 0; 2089 } 2090 2091 /** 2092 * tomoyo_alloc_acl_element - Allocate permanent memory for ACL entry. 2093 * 2094 * @acl_type: Type of ACL entry. 2095 * 2096 * Returns pointer to the ACL entry on success, NULL otherwise. 2097 */ 2098 void *tomoyo_alloc_acl_element(const u8 acl_type) 2099 { 2100 int len; 2101 struct tomoyo_acl_info *ptr; 2102 2103 switch (acl_type) { 2104 case TOMOYO_TYPE_SINGLE_PATH_ACL: 2105 len = sizeof(struct tomoyo_single_path_acl_record); 2106 break; 2107 case TOMOYO_TYPE_DOUBLE_PATH_ACL: 2108 len = sizeof(struct tomoyo_double_path_acl_record); 2109 break; 2110 default: 2111 return NULL; 2112 } 2113 ptr = tomoyo_alloc_element(len); 2114 if (!ptr) 2115 return NULL; 2116 ptr->type = acl_type; 2117 return ptr; 2118 } 2119 2120 /** 2121 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface. 2122 * 2123 * @inode: Pointer to "struct inode". 2124 * @file: Pointer to "struct file". 2125 * 2126 * Returns 0 on success, negative value otherwise. 2127 */ 2128 static int tomoyo_open(struct inode *inode, struct file *file) 2129 { 2130 const int key = ((u8 *) file->f_path.dentry->d_inode->i_private) 2131 - ((u8 *) NULL); 2132 return tomoyo_open_control(key, file); 2133 } 2134 2135 /** 2136 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface. 2137 * 2138 * @inode: Pointer to "struct inode". 2139 * @file: Pointer to "struct file". 2140 * 2141 * Returns 0 on success, negative value otherwise. 2142 */ 2143 static int tomoyo_release(struct inode *inode, struct file *file) 2144 { 2145 return tomoyo_close_control(file); 2146 } 2147 2148 /** 2149 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface. 2150 * 2151 * @file: Pointer to "struct file". 2152 * @buf: Pointer to buffer. 2153 * @count: Size of @buf. 2154 * @ppos: Unused. 2155 * 2156 * Returns bytes read on success, negative value otherwise. 2157 */ 2158 static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count, 2159 loff_t *ppos) 2160 { 2161 return tomoyo_read_control(file, buf, count); 2162 } 2163 2164 /** 2165 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface. 2166 * 2167 * @file: Pointer to "struct file". 2168 * @buf: Pointer to buffer. 2169 * @count: Size of @buf. 2170 * @ppos: Unused. 2171 * 2172 * Returns @count on success, negative value otherwise. 2173 */ 2174 static ssize_t tomoyo_write(struct file *file, const char __user *buf, 2175 size_t count, loff_t *ppos) 2176 { 2177 return tomoyo_write_control(file, buf, count); 2178 } 2179 2180 /* 2181 * tomoyo_operations is a "struct file_operations" which is used for handling 2182 * /sys/kernel/security/tomoyo/ interface. 2183 * 2184 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR). 2185 * See tomoyo_io_buffer for internals. 2186 */ 2187 static const struct file_operations tomoyo_operations = { 2188 .open = tomoyo_open, 2189 .release = tomoyo_release, 2190 .read = tomoyo_read, 2191 .write = tomoyo_write, 2192 }; 2193 2194 /** 2195 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory. 2196 * 2197 * @name: The name of the interface file. 2198 * @mode: The permission of the interface file. 2199 * @parent: The parent directory. 2200 * @key: Type of interface. 2201 * 2202 * Returns nothing. 2203 */ 2204 static void __init tomoyo_create_entry(const char *name, const mode_t mode, 2205 struct dentry *parent, const u8 key) 2206 { 2207 securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key, 2208 &tomoyo_operations); 2209 } 2210 2211 /** 2212 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface. 2213 * 2214 * Returns 0. 2215 */ 2216 static int __init tomoyo_initerface_init(void) 2217 { 2218 struct dentry *tomoyo_dir; 2219 2220 /* Don't create securityfs entries unless registered. */ 2221 if (current_cred()->security != &tomoyo_kernel_domain) 2222 return 0; 2223 2224 tomoyo_dir = securityfs_create_dir("tomoyo", NULL); 2225 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir, 2226 TOMOYO_DOMAINPOLICY); 2227 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir, 2228 TOMOYO_EXCEPTIONPOLICY); 2229 tomoyo_create_entry("self_domain", 0400, tomoyo_dir, 2230 TOMOYO_SELFDOMAIN); 2231 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir, 2232 TOMOYO_DOMAIN_STATUS); 2233 tomoyo_create_entry(".process_status", 0600, tomoyo_dir, 2234 TOMOYO_PROCESS_STATUS); 2235 tomoyo_create_entry("meminfo", 0600, tomoyo_dir, 2236 TOMOYO_MEMINFO); 2237 tomoyo_create_entry("profile", 0600, tomoyo_dir, 2238 TOMOYO_PROFILE); 2239 tomoyo_create_entry("manager", 0600, tomoyo_dir, 2240 TOMOYO_MANAGER); 2241 tomoyo_create_entry("version", 0400, tomoyo_dir, 2242 TOMOYO_VERSION); 2243 return 0; 2244 } 2245 2246 fs_initcall(tomoyo_initerface_init); 2247