1 /* 2 * security/tomoyo/common.c 3 * 4 * Common functions for TOMOYO. 5 * 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 7 * 8 * Version: 2.2.0 2009/04/01 9 * 10 */ 11 12 #include <linux/uaccess.h> 13 #include <linux/security.h> 14 #include <linux/hardirq.h> 15 #include "realpath.h" 16 #include "common.h" 17 #include "tomoyo.h" 18 19 /* Has loading policy done? */ 20 bool tomoyo_policy_loaded; 21 22 /* String table for functionality that takes 4 modes. */ 23 static const char *tomoyo_mode_4[4] = { 24 "disabled", "learning", "permissive", "enforcing" 25 }; 26 /* String table for functionality that takes 2 modes. */ 27 static const char *tomoyo_mode_2[4] = { 28 "disabled", "enabled", "enabled", "enabled" 29 }; 30 31 /* 32 * tomoyo_control_array is a static data which contains 33 * 34 * (1) functionality name used by /sys/kernel/security/tomoyo/profile . 35 * (2) initial values for "struct tomoyo_profile". 36 * (3) max values for "struct tomoyo_profile". 37 */ 38 static struct { 39 const char *keyword; 40 unsigned int current_value; 41 const unsigned int max_value; 42 } tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = { 43 [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, 44 [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX }, 45 [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, 46 }; 47 48 /* 49 * tomoyo_profile is a structure which is used for holding the mode of access 50 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing. 51 * An administrator can define up to 256 profiles. 52 * The ->profile of "struct tomoyo_domain_info" is used for remembering 53 * the profile's number (0 - 255) assigned to that domain. 54 */ 55 static struct tomoyo_profile { 56 unsigned int value[TOMOYO_MAX_CONTROL_INDEX]; 57 const struct tomoyo_path_info *comment; 58 } *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES]; 59 60 /* Permit policy management by non-root user? */ 61 static bool tomoyo_manage_by_non_root; 62 63 /* Utility functions. */ 64 65 /* Open operation for /sys/kernel/security/tomoyo/ interface. */ 66 static int tomoyo_open_control(const u8 type, struct file *file); 67 /* Close /sys/kernel/security/tomoyo/ interface. */ 68 static int tomoyo_close_control(struct file *file); 69 /* Read operation for /sys/kernel/security/tomoyo/ interface. */ 70 static int tomoyo_read_control(struct file *file, char __user *buffer, 71 const int buffer_len); 72 /* Write operation for /sys/kernel/security/tomoyo/ interface. */ 73 static int tomoyo_write_control(struct file *file, const char __user *buffer, 74 const int buffer_len); 75 76 /** 77 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value. 78 * 79 * @str: Pointer to the string. 80 * 81 * Returns true if @str is a \ooo style octal value, false otherwise. 82 * 83 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF. 84 * This function verifies that \ooo is in valid range. 85 */ 86 static inline bool tomoyo_is_byte_range(const char *str) 87 { 88 return *str >= '0' && *str++ <= '3' && 89 *str >= '0' && *str++ <= '7' && 90 *str >= '0' && *str <= '7'; 91 } 92 93 /** 94 * tomoyo_is_alphabet_char - Check whether the character is an alphabet. 95 * 96 * @c: The character to check. 97 * 98 * Returns true if @c is an alphabet character, false otherwise. 99 */ 100 static inline bool tomoyo_is_alphabet_char(const char c) 101 { 102 return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'); 103 } 104 105 /** 106 * tomoyo_make_byte - Make byte value from three octal characters. 107 * 108 * @c1: The first character. 109 * @c2: The second character. 110 * @c3: The third character. 111 * 112 * Returns byte value. 113 */ 114 static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3) 115 { 116 return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0'); 117 } 118 119 /** 120 * tomoyo_str_starts - Check whether the given string starts with the given keyword. 121 * 122 * @src: Pointer to pointer to the string. 123 * @find: Pointer to the keyword. 124 * 125 * Returns true if @src starts with @find, false otherwise. 126 * 127 * The @src is updated to point the first character after the @find 128 * if @src starts with @find. 129 */ 130 static bool tomoyo_str_starts(char **src, const char *find) 131 { 132 const int len = strlen(find); 133 char *tmp = *src; 134 135 if (strncmp(tmp, find, len)) 136 return false; 137 tmp += len; 138 *src = tmp; 139 return true; 140 } 141 142 /** 143 * tomoyo_normalize_line - Format string. 144 * 145 * @buffer: The line to normalize. 146 * 147 * Leading and trailing whitespaces are removed. 148 * Multiple whitespaces are packed into single space. 149 * 150 * Returns nothing. 151 */ 152 static void tomoyo_normalize_line(unsigned char *buffer) 153 { 154 unsigned char *sp = buffer; 155 unsigned char *dp = buffer; 156 bool first = true; 157 158 while (tomoyo_is_invalid(*sp)) 159 sp++; 160 while (*sp) { 161 if (!first) 162 *dp++ = ' '; 163 first = false; 164 while (tomoyo_is_valid(*sp)) 165 *dp++ = *sp++; 166 while (tomoyo_is_invalid(*sp)) 167 sp++; 168 } 169 *dp = '\0'; 170 } 171 172 /** 173 * tomoyo_is_correct_path - Validate a pathname. 174 * @filename: The pathname to check. 175 * @start_type: Should the pathname start with '/'? 176 * 1 = must / -1 = must not / 0 = don't care 177 * @pattern_type: Can the pathname contain a wildcard? 178 * 1 = must / -1 = must not / 0 = don't care 179 * @end_type: Should the pathname end with '/'? 180 * 1 = must / -1 = must not / 0 = don't care 181 * @function: The name of function calling me. 182 * 183 * Check whether the given filename follows the naming rules. 184 * Returns true if @filename follows the naming rules, false otherwise. 185 */ 186 bool tomoyo_is_correct_path(const char *filename, const s8 start_type, 187 const s8 pattern_type, const s8 end_type, 188 const char *function) 189 { 190 const char *const start = filename; 191 bool in_repetition = false; 192 bool contains_pattern = false; 193 unsigned char c; 194 unsigned char d; 195 unsigned char e; 196 const char *original_filename = filename; 197 198 if (!filename) 199 goto out; 200 c = *filename; 201 if (start_type == 1) { /* Must start with '/' */ 202 if (c != '/') 203 goto out; 204 } else if (start_type == -1) { /* Must not start with '/' */ 205 if (c == '/') 206 goto out; 207 } 208 if (c) 209 c = *(filename + strlen(filename) - 1); 210 if (end_type == 1) { /* Must end with '/' */ 211 if (c != '/') 212 goto out; 213 } else if (end_type == -1) { /* Must not end with '/' */ 214 if (c == '/') 215 goto out; 216 } 217 while (1) { 218 c = *filename++; 219 if (!c) 220 break; 221 if (c == '\\') { 222 c = *filename++; 223 switch (c) { 224 case '\\': /* "\\" */ 225 continue; 226 case '$': /* "\$" */ 227 case '+': /* "\+" */ 228 case '?': /* "\?" */ 229 case '*': /* "\*" */ 230 case '@': /* "\@" */ 231 case 'x': /* "\x" */ 232 case 'X': /* "\X" */ 233 case 'a': /* "\a" */ 234 case 'A': /* "\A" */ 235 case '-': /* "\-" */ 236 if (pattern_type == -1) 237 break; /* Must not contain pattern */ 238 contains_pattern = true; 239 continue; 240 case '{': /* "/\{" */ 241 if (filename - 3 < start || 242 *(filename - 3) != '/') 243 break; 244 if (pattern_type == -1) 245 break; /* Must not contain pattern */ 246 contains_pattern = true; 247 in_repetition = true; 248 continue; 249 case '}': /* "\}/" */ 250 if (*filename != '/') 251 break; 252 if (!in_repetition) 253 break; 254 in_repetition = false; 255 continue; 256 case '0': /* "\ooo" */ 257 case '1': 258 case '2': 259 case '3': 260 d = *filename++; 261 if (d < '0' || d > '7') 262 break; 263 e = *filename++; 264 if (e < '0' || e > '7') 265 break; 266 c = tomoyo_make_byte(c, d, e); 267 if (tomoyo_is_invalid(c)) 268 continue; /* pattern is not \000 */ 269 } 270 goto out; 271 } else if (in_repetition && c == '/') { 272 goto out; 273 } else if (tomoyo_is_invalid(c)) { 274 goto out; 275 } 276 } 277 if (pattern_type == 1) { /* Must contain pattern */ 278 if (!contains_pattern) 279 goto out; 280 } 281 if (in_repetition) 282 goto out; 283 return true; 284 out: 285 printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function, 286 original_filename); 287 return false; 288 } 289 290 /** 291 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules. 292 * @domainname: The domainname to check. 293 * @function: The name of function calling me. 294 * 295 * Returns true if @domainname follows the naming rules, false otherwise. 296 */ 297 bool tomoyo_is_correct_domain(const unsigned char *domainname, 298 const char *function) 299 { 300 unsigned char c; 301 unsigned char d; 302 unsigned char e; 303 const char *org_domainname = domainname; 304 305 if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME, 306 TOMOYO_ROOT_NAME_LEN)) 307 goto out; 308 domainname += TOMOYO_ROOT_NAME_LEN; 309 if (!*domainname) 310 return true; 311 do { 312 if (*domainname++ != ' ') 313 goto out; 314 if (*domainname++ != '/') 315 goto out; 316 while ((c = *domainname) != '\0' && c != ' ') { 317 domainname++; 318 if (c == '\\') { 319 c = *domainname++; 320 switch ((c)) { 321 case '\\': /* "\\" */ 322 continue; 323 case '0': /* "\ooo" */ 324 case '1': 325 case '2': 326 case '3': 327 d = *domainname++; 328 if (d < '0' || d > '7') 329 break; 330 e = *domainname++; 331 if (e < '0' || e > '7') 332 break; 333 c = tomoyo_make_byte(c, d, e); 334 if (tomoyo_is_invalid(c)) 335 /* pattern is not \000 */ 336 continue; 337 } 338 goto out; 339 } else if (tomoyo_is_invalid(c)) { 340 goto out; 341 } 342 } 343 } while (*domainname); 344 return true; 345 out: 346 printk(KERN_DEBUG "%s: Invalid domainname '%s'\n", function, 347 org_domainname); 348 return false; 349 } 350 351 /** 352 * tomoyo_is_domain_def - Check whether the given token can be a domainname. 353 * 354 * @buffer: The token to check. 355 * 356 * Returns true if @buffer possibly be a domainname, false otherwise. 357 */ 358 bool tomoyo_is_domain_def(const unsigned char *buffer) 359 { 360 return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN); 361 } 362 363 /** 364 * tomoyo_find_domain - Find a domain by the given name. 365 * 366 * @domainname: The domainname to find. 367 * 368 * Caller must call down_read(&tomoyo_domain_list_lock); or 369 * down_write(&tomoyo_domain_list_lock); . 370 * 371 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise. 372 */ 373 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname) 374 { 375 struct tomoyo_domain_info *domain; 376 struct tomoyo_path_info name; 377 378 name.name = domainname; 379 tomoyo_fill_path_info(&name); 380 list_for_each_entry(domain, &tomoyo_domain_list, list) { 381 if (!domain->is_deleted && 382 !tomoyo_pathcmp(&name, domain->domainname)) 383 return domain; 384 } 385 return NULL; 386 } 387 388 /** 389 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token. 390 * 391 * @filename: The string to evaluate. 392 * 393 * Returns the initial length without a pattern in @filename. 394 */ 395 static int tomoyo_const_part_length(const char *filename) 396 { 397 char c; 398 int len = 0; 399 400 if (!filename) 401 return 0; 402 while ((c = *filename++) != '\0') { 403 if (c != '\\') { 404 len++; 405 continue; 406 } 407 c = *filename++; 408 switch (c) { 409 case '\\': /* "\\" */ 410 len += 2; 411 continue; 412 case '0': /* "\ooo" */ 413 case '1': 414 case '2': 415 case '3': 416 c = *filename++; 417 if (c < '0' || c > '7') 418 break; 419 c = *filename++; 420 if (c < '0' || c > '7') 421 break; 422 len += 4; 423 continue; 424 } 425 break; 426 } 427 return len; 428 } 429 430 /** 431 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members. 432 * 433 * @ptr: Pointer to "struct tomoyo_path_info" to fill in. 434 * 435 * The caller sets "struct tomoyo_path_info"->name. 436 */ 437 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr) 438 { 439 const char *name = ptr->name; 440 const int len = strlen(name); 441 442 ptr->const_len = tomoyo_const_part_length(name); 443 ptr->is_dir = len && (name[len - 1] == '/'); 444 ptr->is_patterned = (ptr->const_len < len); 445 ptr->hash = full_name_hash(name, len); 446 } 447 448 /** 449 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character 450 * and "\-" pattern. 451 * 452 * @filename: The start of string to check. 453 * @filename_end: The end of string to check. 454 * @pattern: The start of pattern to compare. 455 * @pattern_end: The end of pattern to compare. 456 * 457 * Returns true if @filename matches @pattern, false otherwise. 458 */ 459 static bool tomoyo_file_matches_pattern2(const char *filename, 460 const char *filename_end, 461 const char *pattern, 462 const char *pattern_end) 463 { 464 while (filename < filename_end && pattern < pattern_end) { 465 char c; 466 if (*pattern != '\\') { 467 if (*filename++ != *pattern++) 468 return false; 469 continue; 470 } 471 c = *filename; 472 pattern++; 473 switch (*pattern) { 474 int i; 475 int j; 476 case '?': 477 if (c == '/') { 478 return false; 479 } else if (c == '\\') { 480 if (filename[1] == '\\') 481 filename++; 482 else if (tomoyo_is_byte_range(filename + 1)) 483 filename += 3; 484 else 485 return false; 486 } 487 break; 488 case '\\': 489 if (c != '\\') 490 return false; 491 if (*++filename != '\\') 492 return false; 493 break; 494 case '+': 495 if (!isdigit(c)) 496 return false; 497 break; 498 case 'x': 499 if (!isxdigit(c)) 500 return false; 501 break; 502 case 'a': 503 if (!tomoyo_is_alphabet_char(c)) 504 return false; 505 break; 506 case '0': 507 case '1': 508 case '2': 509 case '3': 510 if (c == '\\' && tomoyo_is_byte_range(filename + 1) 511 && strncmp(filename + 1, pattern, 3) == 0) { 512 filename += 3; 513 pattern += 2; 514 break; 515 } 516 return false; /* Not matched. */ 517 case '*': 518 case '@': 519 for (i = 0; i <= filename_end - filename; i++) { 520 if (tomoyo_file_matches_pattern2( 521 filename + i, filename_end, 522 pattern + 1, pattern_end)) 523 return true; 524 c = filename[i]; 525 if (c == '.' && *pattern == '@') 526 break; 527 if (c != '\\') 528 continue; 529 if (filename[i + 1] == '\\') 530 i++; 531 else if (tomoyo_is_byte_range(filename + i + 1)) 532 i += 3; 533 else 534 break; /* Bad pattern. */ 535 } 536 return false; /* Not matched. */ 537 default: 538 j = 0; 539 c = *pattern; 540 if (c == '$') { 541 while (isdigit(filename[j])) 542 j++; 543 } else if (c == 'X') { 544 while (isxdigit(filename[j])) 545 j++; 546 } else if (c == 'A') { 547 while (tomoyo_is_alphabet_char(filename[j])) 548 j++; 549 } 550 for (i = 1; i <= j; i++) { 551 if (tomoyo_file_matches_pattern2( 552 filename + i, filename_end, 553 pattern + 1, pattern_end)) 554 return true; 555 } 556 return false; /* Not matched or bad pattern. */ 557 } 558 filename++; 559 pattern++; 560 } 561 while (*pattern == '\\' && 562 (*(pattern + 1) == '*' || *(pattern + 1) == '@')) 563 pattern += 2; 564 return filename == filename_end && pattern == pattern_end; 565 } 566 567 /** 568 * tomoyo_file_matches_pattern - Pattern matching without without '/' character. 569 * 570 * @filename: The start of string to check. 571 * @filename_end: The end of string to check. 572 * @pattern: The start of pattern to compare. 573 * @pattern_end: The end of pattern to compare. 574 * 575 * Returns true if @filename matches @pattern, false otherwise. 576 */ 577 static bool tomoyo_file_matches_pattern(const char *filename, 578 const char *filename_end, 579 const char *pattern, 580 const char *pattern_end) 581 { 582 const char *pattern_start = pattern; 583 bool first = true; 584 bool result; 585 586 while (pattern < pattern_end - 1) { 587 /* Split at "\-" pattern. */ 588 if (*pattern++ != '\\' || *pattern++ != '-') 589 continue; 590 result = tomoyo_file_matches_pattern2(filename, 591 filename_end, 592 pattern_start, 593 pattern - 2); 594 if (first) 595 result = !result; 596 if (result) 597 return false; 598 first = false; 599 pattern_start = pattern; 600 } 601 result = tomoyo_file_matches_pattern2(filename, filename_end, 602 pattern_start, pattern_end); 603 return first ? result : !result; 604 } 605 606 /** 607 * tomoyo_path_matches_pattern2 - Do pathname pattern matching. 608 * 609 * @f: The start of string to check. 610 * @p: The start of pattern to compare. 611 * 612 * Returns true if @f matches @p, false otherwise. 613 */ 614 static bool tomoyo_path_matches_pattern2(const char *f, const char *p) 615 { 616 const char *f_delimiter; 617 const char *p_delimiter; 618 619 while (*f && *p) { 620 f_delimiter = strchr(f, '/'); 621 if (!f_delimiter) 622 f_delimiter = f + strlen(f); 623 p_delimiter = strchr(p, '/'); 624 if (!p_delimiter) 625 p_delimiter = p + strlen(p); 626 if (*p == '\\' && *(p + 1) == '{') 627 goto recursive; 628 if (!tomoyo_file_matches_pattern(f, f_delimiter, p, 629 p_delimiter)) 630 return false; 631 f = f_delimiter; 632 if (*f) 633 f++; 634 p = p_delimiter; 635 if (*p) 636 p++; 637 } 638 /* Ignore trailing "\*" and "\@" in @pattern. */ 639 while (*p == '\\' && 640 (*(p + 1) == '*' || *(p + 1) == '@')) 641 p += 2; 642 return !*f && !*p; 643 recursive: 644 /* 645 * The "\{" pattern is permitted only after '/' character. 646 * This guarantees that below "*(p - 1)" is safe. 647 * Also, the "\}" pattern is permitted only before '/' character 648 * so that "\{" + "\}" pair will not break the "\-" operator. 649 */ 650 if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' || 651 *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\') 652 return false; /* Bad pattern. */ 653 do { 654 /* Compare current component with pattern. */ 655 if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2, 656 p_delimiter - 2)) 657 break; 658 /* Proceed to next component. */ 659 f = f_delimiter; 660 if (!*f) 661 break; 662 f++; 663 /* Continue comparison. */ 664 if (tomoyo_path_matches_pattern2(f, p_delimiter + 1)) 665 return true; 666 f_delimiter = strchr(f, '/'); 667 } while (f_delimiter); 668 return false; /* Not matched. */ 669 } 670 671 /** 672 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern. 673 * 674 * @filename: The filename to check. 675 * @pattern: The pattern to compare. 676 * 677 * Returns true if matches, false otherwise. 678 * 679 * The following patterns are available. 680 * \\ \ itself. 681 * \ooo Octal representation of a byte. 682 * \* Zero or more repetitions of characters other than '/'. 683 * \@ Zero or more repetitions of characters other than '/' or '.'. 684 * \? 1 byte character other than '/'. 685 * \$ One or more repetitions of decimal digits. 686 * \+ 1 decimal digit. 687 * \X One or more repetitions of hexadecimal digits. 688 * \x 1 hexadecimal digit. 689 * \A One or more repetitions of alphabet characters. 690 * \a 1 alphabet character. 691 * 692 * \- Subtraction operator. 693 * 694 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ 695 * /dir/dir/dir/ ). 696 */ 697 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, 698 const struct tomoyo_path_info *pattern) 699 { 700 const char *f = filename->name; 701 const char *p = pattern->name; 702 const int len = pattern->const_len; 703 704 /* If @pattern doesn't contain pattern, I can use strcmp(). */ 705 if (!pattern->is_patterned) 706 return !tomoyo_pathcmp(filename, pattern); 707 /* Don't compare directory and non-directory. */ 708 if (filename->is_dir != pattern->is_dir) 709 return false; 710 /* Compare the initial length without patterns. */ 711 if (strncmp(f, p, len)) 712 return false; 713 f += len; 714 p += len; 715 return tomoyo_path_matches_pattern2(f, p); 716 } 717 718 /** 719 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure. 720 * 721 * @head: Pointer to "struct tomoyo_io_buffer". 722 * @fmt: The printf()'s format string, followed by parameters. 723 * 724 * Returns true if output was written, false otherwise. 725 * 726 * The snprintf() will truncate, but tomoyo_io_printf() won't. 727 */ 728 bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 729 { 730 va_list args; 731 int len; 732 int pos = head->read_avail; 733 int size = head->readbuf_size - pos; 734 735 if (size <= 0) 736 return false; 737 va_start(args, fmt); 738 len = vsnprintf(head->read_buf + pos, size, fmt, args); 739 va_end(args); 740 if (pos + len >= head->readbuf_size) 741 return false; 742 head->read_avail += len; 743 return true; 744 } 745 746 /** 747 * tomoyo_get_exe - Get tomoyo_realpath() of current process. 748 * 749 * Returns the tomoyo_realpath() of current process on success, NULL otherwise. 750 * 751 * This function uses tomoyo_alloc(), so the caller must call tomoyo_free() 752 * if this function didn't return NULL. 753 */ 754 static const char *tomoyo_get_exe(void) 755 { 756 struct mm_struct *mm = current->mm; 757 struct vm_area_struct *vma; 758 const char *cp = NULL; 759 760 if (!mm) 761 return NULL; 762 down_read(&mm->mmap_sem); 763 for (vma = mm->mmap; vma; vma = vma->vm_next) { 764 if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { 765 cp = tomoyo_realpath_from_path(&vma->vm_file->f_path); 766 break; 767 } 768 } 769 up_read(&mm->mmap_sem); 770 return cp; 771 } 772 773 /** 774 * tomoyo_get_msg - Get warning message. 775 * 776 * @is_enforce: Is it enforcing mode? 777 * 778 * Returns "ERROR" or "WARNING". 779 */ 780 const char *tomoyo_get_msg(const bool is_enforce) 781 { 782 if (is_enforce) 783 return "ERROR"; 784 else 785 return "WARNING"; 786 } 787 788 /** 789 * tomoyo_check_flags - Check mode for specified functionality. 790 * 791 * @domain: Pointer to "struct tomoyo_domain_info". 792 * @index: The functionality to check mode. 793 * 794 * TOMOYO checks only process context. 795 * This code disables TOMOYO's enforcement in case the function is called from 796 * interrupt context. 797 */ 798 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, 799 const u8 index) 800 { 801 const u8 profile = domain->profile; 802 803 if (WARN_ON(in_interrupt())) 804 return 0; 805 return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX 806 #if TOMOYO_MAX_PROFILES != 256 807 && profile < TOMOYO_MAX_PROFILES 808 #endif 809 && tomoyo_profile_ptr[profile] ? 810 tomoyo_profile_ptr[profile]->value[index] : 0; 811 } 812 813 /** 814 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode. 815 * 816 * @domain: Pointer to "struct tomoyo_domain_info". 817 * 818 * Returns true if domain policy violation warning should be printed to 819 * console. 820 */ 821 bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain) 822 { 823 return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0; 824 } 825 826 /** 827 * tomoyo_domain_quota_is_ok - Check for domain's quota. 828 * 829 * @domain: Pointer to "struct tomoyo_domain_info". 830 * 831 * Returns true if the domain is not exceeded quota, false otherwise. 832 */ 833 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain) 834 { 835 unsigned int count = 0; 836 struct tomoyo_acl_info *ptr; 837 838 if (!domain) 839 return true; 840 down_read(&tomoyo_domain_acl_info_list_lock); 841 list_for_each_entry(ptr, &domain->acl_info_list, list) { 842 if (ptr->type & TOMOYO_ACL_DELETED) 843 continue; 844 switch (tomoyo_acl_type2(ptr)) { 845 struct tomoyo_single_path_acl_record *acl1; 846 struct tomoyo_double_path_acl_record *acl2; 847 u16 perm; 848 case TOMOYO_TYPE_SINGLE_PATH_ACL: 849 acl1 = container_of(ptr, 850 struct tomoyo_single_path_acl_record, 851 head); 852 perm = acl1->perm; 853 if (perm & (1 << TOMOYO_TYPE_EXECUTE_ACL)) 854 count++; 855 if (perm & 856 ((1 << TOMOYO_TYPE_READ_ACL) | 857 (1 << TOMOYO_TYPE_WRITE_ACL))) 858 count++; 859 if (perm & (1 << TOMOYO_TYPE_CREATE_ACL)) 860 count++; 861 if (perm & (1 << TOMOYO_TYPE_UNLINK_ACL)) 862 count++; 863 if (perm & (1 << TOMOYO_TYPE_MKDIR_ACL)) 864 count++; 865 if (perm & (1 << TOMOYO_TYPE_RMDIR_ACL)) 866 count++; 867 if (perm & (1 << TOMOYO_TYPE_MKFIFO_ACL)) 868 count++; 869 if (perm & (1 << TOMOYO_TYPE_MKSOCK_ACL)) 870 count++; 871 if (perm & (1 << TOMOYO_TYPE_MKBLOCK_ACL)) 872 count++; 873 if (perm & (1 << TOMOYO_TYPE_MKCHAR_ACL)) 874 count++; 875 if (perm & (1 << TOMOYO_TYPE_TRUNCATE_ACL)) 876 count++; 877 if (perm & (1 << TOMOYO_TYPE_SYMLINK_ACL)) 878 count++; 879 if (perm & (1 << TOMOYO_TYPE_REWRITE_ACL)) 880 count++; 881 break; 882 case TOMOYO_TYPE_DOUBLE_PATH_ACL: 883 acl2 = container_of(ptr, 884 struct tomoyo_double_path_acl_record, 885 head); 886 perm = acl2->perm; 887 if (perm & (1 << TOMOYO_TYPE_LINK_ACL)) 888 count++; 889 if (perm & (1 << TOMOYO_TYPE_RENAME_ACL)) 890 count++; 891 break; 892 } 893 } 894 up_read(&tomoyo_domain_acl_info_list_lock); 895 if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY)) 896 return true; 897 if (!domain->quota_warned) { 898 domain->quota_warned = true; 899 printk(KERN_WARNING "TOMOYO-WARNING: " 900 "Domain '%s' has so many ACLs to hold. " 901 "Stopped learning mode.\n", domain->domainname->name); 902 } 903 return false; 904 } 905 906 /** 907 * tomoyo_find_or_assign_new_profile - Create a new profile. 908 * 909 * @profile: Profile number to create. 910 * 911 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 912 */ 913 static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned 914 int profile) 915 { 916 static DEFINE_MUTEX(lock); 917 struct tomoyo_profile *ptr = NULL; 918 int i; 919 920 if (profile >= TOMOYO_MAX_PROFILES) 921 return NULL; 922 mutex_lock(&lock); 923 ptr = tomoyo_profile_ptr[profile]; 924 if (ptr) 925 goto ok; 926 ptr = tomoyo_alloc_element(sizeof(*ptr)); 927 if (!ptr) 928 goto ok; 929 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) 930 ptr->value[i] = tomoyo_control_array[i].current_value; 931 mb(); /* Avoid out-of-order execution. */ 932 tomoyo_profile_ptr[profile] = ptr; 933 ok: 934 mutex_unlock(&lock); 935 return ptr; 936 } 937 938 /** 939 * tomoyo_write_profile - Write to profile table. 940 * 941 * @head: Pointer to "struct tomoyo_io_buffer". 942 * 943 * Returns 0 on success, negative value otherwise. 944 */ 945 static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 946 { 947 char *data = head->write_buf; 948 unsigned int i; 949 unsigned int value; 950 char *cp; 951 struct tomoyo_profile *profile; 952 unsigned long num; 953 954 cp = strchr(data, '-'); 955 if (cp) 956 *cp = '\0'; 957 if (strict_strtoul(data, 10, &num)) 958 return -EINVAL; 959 if (cp) 960 data = cp + 1; 961 profile = tomoyo_find_or_assign_new_profile(num); 962 if (!profile) 963 return -EINVAL; 964 cp = strchr(data, '='); 965 if (!cp) 966 return -EINVAL; 967 *cp = '\0'; 968 if (!strcmp(data, "COMMENT")) { 969 profile->comment = tomoyo_save_name(cp + 1); 970 return 0; 971 } 972 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) { 973 if (strcmp(data, tomoyo_control_array[i].keyword)) 974 continue; 975 if (sscanf(cp + 1, "%u", &value) != 1) { 976 int j; 977 const char **modes; 978 switch (i) { 979 case TOMOYO_VERBOSE: 980 modes = tomoyo_mode_2; 981 break; 982 default: 983 modes = tomoyo_mode_4; 984 break; 985 } 986 for (j = 0; j < 4; j++) { 987 if (strcmp(cp + 1, modes[j])) 988 continue; 989 value = j; 990 break; 991 } 992 if (j == 4) 993 return -EINVAL; 994 } else if (value > tomoyo_control_array[i].max_value) { 995 value = tomoyo_control_array[i].max_value; 996 } 997 profile->value[i] = value; 998 return 0; 999 } 1000 return -EINVAL; 1001 } 1002 1003 /** 1004 * tomoyo_read_profile - Read from profile table. 1005 * 1006 * @head: Pointer to "struct tomoyo_io_buffer". 1007 * 1008 * Returns 0. 1009 */ 1010 static int tomoyo_read_profile(struct tomoyo_io_buffer *head) 1011 { 1012 static const int total = TOMOYO_MAX_CONTROL_INDEX + 1; 1013 int step; 1014 1015 if (head->read_eof) 1016 return 0; 1017 for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total; 1018 step++) { 1019 const u8 index = step / total; 1020 u8 type = step % total; 1021 const struct tomoyo_profile *profile 1022 = tomoyo_profile_ptr[index]; 1023 head->read_step = step; 1024 if (!profile) 1025 continue; 1026 if (!type) { /* Print profile' comment tag. */ 1027 if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n", 1028 index, profile->comment ? 1029 profile->comment->name : "")) 1030 break; 1031 continue; 1032 } 1033 type--; 1034 if (type < TOMOYO_MAX_CONTROL_INDEX) { 1035 const unsigned int value = profile->value[type]; 1036 const char **modes = NULL; 1037 const char *keyword 1038 = tomoyo_control_array[type].keyword; 1039 switch (tomoyo_control_array[type].max_value) { 1040 case 3: 1041 modes = tomoyo_mode_4; 1042 break; 1043 case 1: 1044 modes = tomoyo_mode_2; 1045 break; 1046 } 1047 if (modes) { 1048 if (!tomoyo_io_printf(head, "%u-%s=%s\n", index, 1049 keyword, modes[value])) 1050 break; 1051 } else { 1052 if (!tomoyo_io_printf(head, "%u-%s=%u\n", index, 1053 keyword, value)) 1054 break; 1055 } 1056 } 1057 } 1058 if (step == TOMOYO_MAX_PROFILES * total) 1059 head->read_eof = true; 1060 return 0; 1061 } 1062 1063 /* 1064 * tomoyo_policy_manager_entry is a structure which is used for holding list of 1065 * domainnames or programs which are permitted to modify configuration via 1066 * /sys/kernel/security/tomoyo/ interface. 1067 * It has following fields. 1068 * 1069 * (1) "list" which is linked to tomoyo_policy_manager_list . 1070 * (2) "manager" is a domainname or a program's pathname. 1071 * (3) "is_domain" is a bool which is true if "manager" is a domainname, false 1072 * otherwise. 1073 * (4) "is_deleted" is a bool which is true if marked as deleted, false 1074 * otherwise. 1075 */ 1076 struct tomoyo_policy_manager_entry { 1077 struct list_head list; 1078 /* A path to program or a domainname. */ 1079 const struct tomoyo_path_info *manager; 1080 bool is_domain; /* True if manager is a domainname. */ 1081 bool is_deleted; /* True if this entry is deleted. */ 1082 }; 1083 1084 /* 1085 * tomoyo_policy_manager_list is used for holding list of domainnames or 1086 * programs which are permitted to modify configuration via 1087 * /sys/kernel/security/tomoyo/ interface. 1088 * 1089 * An entry is added by 1090 * 1091 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \ 1092 * /sys/kernel/security/tomoyo/manager 1093 * (if you want to specify by a domainname) 1094 * 1095 * or 1096 * 1097 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager 1098 * (if you want to specify by a program's location) 1099 * 1100 * and is deleted by 1101 * 1102 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \ 1103 * /sys/kernel/security/tomoyo/manager 1104 * 1105 * or 1106 * 1107 * # echo 'delete /usr/lib/ccs/editpolicy' > \ 1108 * /sys/kernel/security/tomoyo/manager 1109 * 1110 * and all entries are retrieved by 1111 * 1112 * # cat /sys/kernel/security/tomoyo/manager 1113 */ 1114 static LIST_HEAD(tomoyo_policy_manager_list); 1115 static DECLARE_RWSEM(tomoyo_policy_manager_list_lock); 1116 1117 /** 1118 * tomoyo_update_manager_entry - Add a manager entry. 1119 * 1120 * @manager: The path to manager or the domainnamme. 1121 * @is_delete: True if it is a delete request. 1122 * 1123 * Returns 0 on success, negative value otherwise. 1124 */ 1125 static int tomoyo_update_manager_entry(const char *manager, 1126 const bool is_delete) 1127 { 1128 struct tomoyo_policy_manager_entry *new_entry; 1129 struct tomoyo_policy_manager_entry *ptr; 1130 const struct tomoyo_path_info *saved_manager; 1131 int error = -ENOMEM; 1132 bool is_domain = false; 1133 1134 if (tomoyo_is_domain_def(manager)) { 1135 if (!tomoyo_is_correct_domain(manager, __func__)) 1136 return -EINVAL; 1137 is_domain = true; 1138 } else { 1139 if (!tomoyo_is_correct_path(manager, 1, -1, -1, __func__)) 1140 return -EINVAL; 1141 } 1142 saved_manager = tomoyo_save_name(manager); 1143 if (!saved_manager) 1144 return -ENOMEM; 1145 down_write(&tomoyo_policy_manager_list_lock); 1146 list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) { 1147 if (ptr->manager != saved_manager) 1148 continue; 1149 ptr->is_deleted = is_delete; 1150 error = 0; 1151 goto out; 1152 } 1153 if (is_delete) { 1154 error = -ENOENT; 1155 goto out; 1156 } 1157 new_entry = tomoyo_alloc_element(sizeof(*new_entry)); 1158 if (!new_entry) 1159 goto out; 1160 new_entry->manager = saved_manager; 1161 new_entry->is_domain = is_domain; 1162 list_add_tail(&new_entry->list, &tomoyo_policy_manager_list); 1163 error = 0; 1164 out: 1165 up_write(&tomoyo_policy_manager_list_lock); 1166 return error; 1167 } 1168 1169 /** 1170 * tomoyo_write_manager_policy - Write manager policy. 1171 * 1172 * @head: Pointer to "struct tomoyo_io_buffer". 1173 * 1174 * Returns 0 on success, negative value otherwise. 1175 */ 1176 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head) 1177 { 1178 char *data = head->write_buf; 1179 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 1180 1181 if (!strcmp(data, "manage_by_non_root")) { 1182 tomoyo_manage_by_non_root = !is_delete; 1183 return 0; 1184 } 1185 return tomoyo_update_manager_entry(data, is_delete); 1186 } 1187 1188 /** 1189 * tomoyo_read_manager_policy - Read manager policy. 1190 * 1191 * @head: Pointer to "struct tomoyo_io_buffer". 1192 * 1193 * Returns 0. 1194 */ 1195 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head) 1196 { 1197 struct list_head *pos; 1198 bool done = true; 1199 1200 if (head->read_eof) 1201 return 0; 1202 down_read(&tomoyo_policy_manager_list_lock); 1203 list_for_each_cookie(pos, head->read_var2, 1204 &tomoyo_policy_manager_list) { 1205 struct tomoyo_policy_manager_entry *ptr; 1206 ptr = list_entry(pos, struct tomoyo_policy_manager_entry, 1207 list); 1208 if (ptr->is_deleted) 1209 continue; 1210 done = tomoyo_io_printf(head, "%s\n", ptr->manager->name); 1211 if (!done) 1212 break; 1213 } 1214 up_read(&tomoyo_policy_manager_list_lock); 1215 head->read_eof = done; 1216 return 0; 1217 } 1218 1219 /** 1220 * tomoyo_is_policy_manager - Check whether the current process is a policy manager. 1221 * 1222 * Returns true if the current process is permitted to modify policy 1223 * via /sys/kernel/security/tomoyo/ interface. 1224 */ 1225 static bool tomoyo_is_policy_manager(void) 1226 { 1227 struct tomoyo_policy_manager_entry *ptr; 1228 const char *exe; 1229 const struct task_struct *task = current; 1230 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 1231 bool found = false; 1232 1233 if (!tomoyo_policy_loaded) 1234 return true; 1235 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) 1236 return false; 1237 down_read(&tomoyo_policy_manager_list_lock); 1238 list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) { 1239 if (!ptr->is_deleted && ptr->is_domain 1240 && !tomoyo_pathcmp(domainname, ptr->manager)) { 1241 found = true; 1242 break; 1243 } 1244 } 1245 up_read(&tomoyo_policy_manager_list_lock); 1246 if (found) 1247 return true; 1248 exe = tomoyo_get_exe(); 1249 if (!exe) 1250 return false; 1251 down_read(&tomoyo_policy_manager_list_lock); 1252 list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) { 1253 if (!ptr->is_deleted && !ptr->is_domain 1254 && !strcmp(exe, ptr->manager->name)) { 1255 found = true; 1256 break; 1257 } 1258 } 1259 up_read(&tomoyo_policy_manager_list_lock); 1260 if (!found) { /* Reduce error messages. */ 1261 static pid_t last_pid; 1262 const pid_t pid = current->pid; 1263 if (last_pid != pid) { 1264 printk(KERN_WARNING "%s ( %s ) is not permitted to " 1265 "update policies.\n", domainname->name, exe); 1266 last_pid = pid; 1267 } 1268 } 1269 tomoyo_free(exe); 1270 return found; 1271 } 1272 1273 /** 1274 * tomoyo_is_select_one - Parse select command. 1275 * 1276 * @head: Pointer to "struct tomoyo_io_buffer". 1277 * @data: String to parse. 1278 * 1279 * Returns true on success, false otherwise. 1280 */ 1281 static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head, 1282 const char *data) 1283 { 1284 unsigned int pid; 1285 struct tomoyo_domain_info *domain = NULL; 1286 1287 if (sscanf(data, "pid=%u", &pid) == 1) { 1288 struct task_struct *p; 1289 read_lock(&tasklist_lock); 1290 p = find_task_by_vpid(pid); 1291 if (p) 1292 domain = tomoyo_real_domain(p); 1293 read_unlock(&tasklist_lock); 1294 } else if (!strncmp(data, "domain=", 7)) { 1295 if (tomoyo_is_domain_def(data + 7)) { 1296 down_read(&tomoyo_domain_list_lock); 1297 domain = tomoyo_find_domain(data + 7); 1298 up_read(&tomoyo_domain_list_lock); 1299 } 1300 } else 1301 return false; 1302 head->write_var1 = domain; 1303 /* Accessing read_buf is safe because head->io_sem is held. */ 1304 if (!head->read_buf) 1305 return true; /* Do nothing if open(O_WRONLY). */ 1306 head->read_avail = 0; 1307 tomoyo_io_printf(head, "# select %s\n", data); 1308 head->read_single_domain = true; 1309 head->read_eof = !domain; 1310 if (domain) { 1311 struct tomoyo_domain_info *d; 1312 head->read_var1 = NULL; 1313 down_read(&tomoyo_domain_list_lock); 1314 list_for_each_entry(d, &tomoyo_domain_list, list) { 1315 if (d == domain) 1316 break; 1317 head->read_var1 = &d->list; 1318 } 1319 up_read(&tomoyo_domain_list_lock); 1320 head->read_var2 = NULL; 1321 head->read_bit = 0; 1322 head->read_step = 0; 1323 if (domain->is_deleted) 1324 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 1325 } 1326 return true; 1327 } 1328 1329 /** 1330 * tomoyo_delete_domain - Delete a domain. 1331 * 1332 * @domainname: The name of domain. 1333 * 1334 * Returns 0. 1335 */ 1336 static int tomoyo_delete_domain(char *domainname) 1337 { 1338 struct tomoyo_domain_info *domain; 1339 struct tomoyo_path_info name; 1340 1341 name.name = domainname; 1342 tomoyo_fill_path_info(&name); 1343 down_write(&tomoyo_domain_list_lock); 1344 /* Is there an active domain? */ 1345 list_for_each_entry(domain, &tomoyo_domain_list, list) { 1346 /* Never delete tomoyo_kernel_domain */ 1347 if (domain == &tomoyo_kernel_domain) 1348 continue; 1349 if (domain->is_deleted || 1350 tomoyo_pathcmp(domain->domainname, &name)) 1351 continue; 1352 domain->is_deleted = true; 1353 break; 1354 } 1355 up_write(&tomoyo_domain_list_lock); 1356 return 0; 1357 } 1358 1359 /** 1360 * tomoyo_write_domain_policy - Write domain policy. 1361 * 1362 * @head: Pointer to "struct tomoyo_io_buffer". 1363 * 1364 * Returns 0 on success, negative value otherwise. 1365 */ 1366 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) 1367 { 1368 char *data = head->write_buf; 1369 struct tomoyo_domain_info *domain = head->write_var1; 1370 bool is_delete = false; 1371 bool is_select = false; 1372 unsigned int profile; 1373 1374 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE)) 1375 is_delete = true; 1376 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT)) 1377 is_select = true; 1378 if (is_select && tomoyo_is_select_one(head, data)) 1379 return 0; 1380 /* Don't allow updating policies by non manager programs. */ 1381 if (!tomoyo_is_policy_manager()) 1382 return -EPERM; 1383 if (tomoyo_is_domain_def(data)) { 1384 domain = NULL; 1385 if (is_delete) 1386 tomoyo_delete_domain(data); 1387 else if (is_select) { 1388 down_read(&tomoyo_domain_list_lock); 1389 domain = tomoyo_find_domain(data); 1390 up_read(&tomoyo_domain_list_lock); 1391 } else 1392 domain = tomoyo_find_or_assign_new_domain(data, 0); 1393 head->write_var1 = domain; 1394 return 0; 1395 } 1396 if (!domain) 1397 return -EINVAL; 1398 1399 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1 1400 && profile < TOMOYO_MAX_PROFILES) { 1401 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded) 1402 domain->profile = (u8) profile; 1403 return 0; 1404 } 1405 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) { 1406 tomoyo_set_domain_flag(domain, is_delete, 1407 TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ); 1408 return 0; 1409 } 1410 return tomoyo_write_file_policy(data, domain, is_delete); 1411 } 1412 1413 /** 1414 * tomoyo_print_single_path_acl - Print a single path ACL entry. 1415 * 1416 * @head: Pointer to "struct tomoyo_io_buffer". 1417 * @ptr: Pointer to "struct tomoyo_single_path_acl_record". 1418 * 1419 * Returns true on success, false otherwise. 1420 */ 1421 static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head, 1422 struct tomoyo_single_path_acl_record * 1423 ptr) 1424 { 1425 int pos; 1426 u8 bit; 1427 const char *atmark = ""; 1428 const char *filename; 1429 const u16 perm = ptr->perm; 1430 1431 filename = ptr->filename->name; 1432 for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION; 1433 bit++) { 1434 const char *msg; 1435 if (!(perm & (1 << bit))) 1436 continue; 1437 /* Print "read/write" instead of "read" and "write". */ 1438 if ((bit == TOMOYO_TYPE_READ_ACL || 1439 bit == TOMOYO_TYPE_WRITE_ACL) 1440 && (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) 1441 continue; 1442 msg = tomoyo_sp2keyword(bit); 1443 pos = head->read_avail; 1444 if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg, 1445 atmark, filename)) 1446 goto out; 1447 } 1448 head->read_bit = 0; 1449 return true; 1450 out: 1451 head->read_bit = bit; 1452 head->read_avail = pos; 1453 return false; 1454 } 1455 1456 /** 1457 * tomoyo_print_double_path_acl - Print a double path ACL entry. 1458 * 1459 * @head: Pointer to "struct tomoyo_io_buffer". 1460 * @ptr: Pointer to "struct tomoyo_double_path_acl_record". 1461 * 1462 * Returns true on success, false otherwise. 1463 */ 1464 static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head, 1465 struct tomoyo_double_path_acl_record * 1466 ptr) 1467 { 1468 int pos; 1469 const char *atmark1 = ""; 1470 const char *atmark2 = ""; 1471 const char *filename1; 1472 const char *filename2; 1473 const u8 perm = ptr->perm; 1474 u8 bit; 1475 1476 filename1 = ptr->filename1->name; 1477 filename2 = ptr->filename2->name; 1478 for (bit = head->read_bit; bit < TOMOYO_MAX_DOUBLE_PATH_OPERATION; 1479 bit++) { 1480 const char *msg; 1481 if (!(perm & (1 << bit))) 1482 continue; 1483 msg = tomoyo_dp2keyword(bit); 1484 pos = head->read_avail; 1485 if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg, 1486 atmark1, filename1, atmark2, filename2)) 1487 goto out; 1488 } 1489 head->read_bit = 0; 1490 return true; 1491 out: 1492 head->read_bit = bit; 1493 head->read_avail = pos; 1494 return false; 1495 } 1496 1497 /** 1498 * tomoyo_print_entry - Print an ACL entry. 1499 * 1500 * @head: Pointer to "struct tomoyo_io_buffer". 1501 * @ptr: Pointer to an ACL entry. 1502 * 1503 * Returns true on success, false otherwise. 1504 */ 1505 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 1506 struct tomoyo_acl_info *ptr) 1507 { 1508 const u8 acl_type = tomoyo_acl_type2(ptr); 1509 1510 if (acl_type & TOMOYO_ACL_DELETED) 1511 return true; 1512 if (acl_type == TOMOYO_TYPE_SINGLE_PATH_ACL) { 1513 struct tomoyo_single_path_acl_record *acl 1514 = container_of(ptr, 1515 struct tomoyo_single_path_acl_record, 1516 head); 1517 return tomoyo_print_single_path_acl(head, acl); 1518 } 1519 if (acl_type == TOMOYO_TYPE_DOUBLE_PATH_ACL) { 1520 struct tomoyo_double_path_acl_record *acl 1521 = container_of(ptr, 1522 struct tomoyo_double_path_acl_record, 1523 head); 1524 return tomoyo_print_double_path_acl(head, acl); 1525 } 1526 BUG(); /* This must not happen. */ 1527 return false; 1528 } 1529 1530 /** 1531 * tomoyo_read_domain_policy - Read domain policy. 1532 * 1533 * @head: Pointer to "struct tomoyo_io_buffer". 1534 * 1535 * Returns 0. 1536 */ 1537 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head) 1538 { 1539 struct list_head *dpos; 1540 struct list_head *apos; 1541 bool done = true; 1542 1543 if (head->read_eof) 1544 return 0; 1545 if (head->read_step == 0) 1546 head->read_step = 1; 1547 down_read(&tomoyo_domain_list_lock); 1548 list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) { 1549 struct tomoyo_domain_info *domain; 1550 const char *quota_exceeded = ""; 1551 const char *transition_failed = ""; 1552 const char *ignore_global_allow_read = ""; 1553 domain = list_entry(dpos, struct tomoyo_domain_info, list); 1554 if (head->read_step != 1) 1555 goto acl_loop; 1556 if (domain->is_deleted && !head->read_single_domain) 1557 continue; 1558 /* Print domainname and flags. */ 1559 if (domain->quota_warned) 1560 quota_exceeded = "quota_exceeded\n"; 1561 if (domain->flags & TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED) 1562 transition_failed = "transition_failed\n"; 1563 if (domain->flags & 1564 TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) 1565 ignore_global_allow_read 1566 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; 1567 done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE 1568 "%u\n%s%s%s\n", 1569 domain->domainname->name, 1570 domain->profile, quota_exceeded, 1571 transition_failed, 1572 ignore_global_allow_read); 1573 if (!done) 1574 break; 1575 head->read_step = 2; 1576 acl_loop: 1577 if (head->read_step == 3) 1578 goto tail_mark; 1579 /* Print ACL entries in the domain. */ 1580 down_read(&tomoyo_domain_acl_info_list_lock); 1581 list_for_each_cookie(apos, head->read_var2, 1582 &domain->acl_info_list) { 1583 struct tomoyo_acl_info *ptr 1584 = list_entry(apos, struct tomoyo_acl_info, 1585 list); 1586 done = tomoyo_print_entry(head, ptr); 1587 if (!done) 1588 break; 1589 } 1590 up_read(&tomoyo_domain_acl_info_list_lock); 1591 if (!done) 1592 break; 1593 head->read_step = 3; 1594 tail_mark: 1595 done = tomoyo_io_printf(head, "\n"); 1596 if (!done) 1597 break; 1598 head->read_step = 1; 1599 if (head->read_single_domain) 1600 break; 1601 } 1602 up_read(&tomoyo_domain_list_lock); 1603 head->read_eof = done; 1604 return 0; 1605 } 1606 1607 /** 1608 * tomoyo_write_domain_profile - Assign profile for specified domain. 1609 * 1610 * @head: Pointer to "struct tomoyo_io_buffer". 1611 * 1612 * Returns 0 on success, -EINVAL otherwise. 1613 * 1614 * This is equivalent to doing 1615 * 1616 * ( echo "select " $domainname; echo "use_profile " $profile ) | 1617 * /usr/lib/ccs/loadpolicy -d 1618 */ 1619 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head) 1620 { 1621 char *data = head->write_buf; 1622 char *cp = strchr(data, ' '); 1623 struct tomoyo_domain_info *domain; 1624 unsigned long profile; 1625 1626 if (!cp) 1627 return -EINVAL; 1628 *cp = '\0'; 1629 down_read(&tomoyo_domain_list_lock); 1630 domain = tomoyo_find_domain(cp + 1); 1631 up_read(&tomoyo_domain_list_lock); 1632 if (strict_strtoul(data, 10, &profile)) 1633 return -EINVAL; 1634 if (domain && profile < TOMOYO_MAX_PROFILES 1635 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)) 1636 domain->profile = (u8) profile; 1637 return 0; 1638 } 1639 1640 /** 1641 * tomoyo_read_domain_profile - Read only domainname and profile. 1642 * 1643 * @head: Pointer to "struct tomoyo_io_buffer". 1644 * 1645 * Returns list of profile number and domainname pairs. 1646 * 1647 * This is equivalent to doing 1648 * 1649 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy | 1650 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" ) 1651 * domainname = $0; } else if ( $1 == "use_profile" ) { 1652 * print $2 " " domainname; domainname = ""; } } ; ' 1653 */ 1654 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head) 1655 { 1656 struct list_head *pos; 1657 bool done = true; 1658 1659 if (head->read_eof) 1660 return 0; 1661 down_read(&tomoyo_domain_list_lock); 1662 list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) { 1663 struct tomoyo_domain_info *domain; 1664 domain = list_entry(pos, struct tomoyo_domain_info, list); 1665 if (domain->is_deleted) 1666 continue; 1667 done = tomoyo_io_printf(head, "%u %s\n", domain->profile, 1668 domain->domainname->name); 1669 if (!done) 1670 break; 1671 } 1672 up_read(&tomoyo_domain_list_lock); 1673 head->read_eof = done; 1674 return 0; 1675 } 1676 1677 /** 1678 * tomoyo_write_pid: Specify PID to obtain domainname. 1679 * 1680 * @head: Pointer to "struct tomoyo_io_buffer". 1681 * 1682 * Returns 0. 1683 */ 1684 static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1685 { 1686 unsigned long pid; 1687 /* No error check. */ 1688 strict_strtoul(head->write_buf, 10, &pid); 1689 head->read_step = (int) pid; 1690 head->read_eof = false; 1691 return 0; 1692 } 1693 1694 /** 1695 * tomoyo_read_pid - Get domainname of the specified PID. 1696 * 1697 * @head: Pointer to "struct tomoyo_io_buffer". 1698 * 1699 * Returns the domainname which the specified PID is in on success, 1700 * empty string otherwise. 1701 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1702 * using read()/write() interface rather than sysctl() interface. 1703 */ 1704 static int tomoyo_read_pid(struct tomoyo_io_buffer *head) 1705 { 1706 if (head->read_avail == 0 && !head->read_eof) { 1707 const int pid = head->read_step; 1708 struct task_struct *p; 1709 struct tomoyo_domain_info *domain = NULL; 1710 read_lock(&tasklist_lock); 1711 p = find_task_by_vpid(pid); 1712 if (p) 1713 domain = tomoyo_real_domain(p); 1714 read_unlock(&tasklist_lock); 1715 if (domain) 1716 tomoyo_io_printf(head, "%d %u %s", pid, domain->profile, 1717 domain->domainname->name); 1718 head->read_eof = true; 1719 } 1720 return 0; 1721 } 1722 1723 /** 1724 * tomoyo_write_exception_policy - Write exception policy. 1725 * 1726 * @head: Pointer to "struct tomoyo_io_buffer". 1727 * 1728 * Returns 0 on success, negative value otherwise. 1729 */ 1730 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head) 1731 { 1732 char *data = head->write_buf; 1733 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 1734 1735 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN)) 1736 return tomoyo_write_domain_keeper_policy(data, false, 1737 is_delete); 1738 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN)) 1739 return tomoyo_write_domain_keeper_policy(data, true, is_delete); 1740 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN)) 1741 return tomoyo_write_domain_initializer_policy(data, false, 1742 is_delete); 1743 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN)) 1744 return tomoyo_write_domain_initializer_policy(data, true, 1745 is_delete); 1746 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS)) 1747 return tomoyo_write_alias_policy(data, is_delete); 1748 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ)) 1749 return tomoyo_write_globally_readable_policy(data, is_delete); 1750 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN)) 1751 return tomoyo_write_pattern_policy(data, is_delete); 1752 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE)) 1753 return tomoyo_write_no_rewrite_policy(data, is_delete); 1754 return -EINVAL; 1755 } 1756 1757 /** 1758 * tomoyo_read_exception_policy - Read exception policy. 1759 * 1760 * @head: Pointer to "struct tomoyo_io_buffer". 1761 * 1762 * Returns 0 on success, -EINVAL otherwise. 1763 */ 1764 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head) 1765 { 1766 if (!head->read_eof) { 1767 switch (head->read_step) { 1768 case 0: 1769 head->read_var2 = NULL; 1770 head->read_step = 1; 1771 case 1: 1772 if (!tomoyo_read_domain_keeper_policy(head)) 1773 break; 1774 head->read_var2 = NULL; 1775 head->read_step = 2; 1776 case 2: 1777 if (!tomoyo_read_globally_readable_policy(head)) 1778 break; 1779 head->read_var2 = NULL; 1780 head->read_step = 3; 1781 case 3: 1782 head->read_var2 = NULL; 1783 head->read_step = 4; 1784 case 4: 1785 if (!tomoyo_read_domain_initializer_policy(head)) 1786 break; 1787 head->read_var2 = NULL; 1788 head->read_step = 5; 1789 case 5: 1790 if (!tomoyo_read_alias_policy(head)) 1791 break; 1792 head->read_var2 = NULL; 1793 head->read_step = 6; 1794 case 6: 1795 head->read_var2 = NULL; 1796 head->read_step = 7; 1797 case 7: 1798 if (!tomoyo_read_file_pattern(head)) 1799 break; 1800 head->read_var2 = NULL; 1801 head->read_step = 8; 1802 case 8: 1803 if (!tomoyo_read_no_rewrite_policy(head)) 1804 break; 1805 head->read_var2 = NULL; 1806 head->read_step = 9; 1807 case 9: 1808 head->read_eof = true; 1809 break; 1810 default: 1811 return -EINVAL; 1812 } 1813 } 1814 return 0; 1815 } 1816 1817 /* path to policy loader */ 1818 static const char *tomoyo_loader = "/sbin/tomoyo-init"; 1819 1820 /** 1821 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists. 1822 * 1823 * Returns true if /sbin/tomoyo-init exists, false otherwise. 1824 */ 1825 static bool tomoyo_policy_loader_exists(void) 1826 { 1827 /* 1828 * Don't activate MAC if the policy loader doesn't exist. 1829 * If the initrd includes /sbin/init but real-root-dev has not 1830 * mounted on / yet, activating MAC will block the system since 1831 * policies are not loaded yet. 1832 * Thus, let do_execve() call this function everytime. 1833 */ 1834 struct path path; 1835 1836 if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) { 1837 printk(KERN_INFO "Not activating Mandatory Access Control now " 1838 "since %s doesn't exist.\n", tomoyo_loader); 1839 return false; 1840 } 1841 path_put(&path); 1842 return true; 1843 } 1844 1845 /** 1846 * tomoyo_load_policy - Run external policy loader to load policy. 1847 * 1848 * @filename: The program about to start. 1849 * 1850 * This function checks whether @filename is /sbin/init , and if so 1851 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init 1852 * and then continues invocation of /sbin/init. 1853 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and 1854 * writes to /sys/kernel/security/tomoyo/ interfaces. 1855 * 1856 * Returns nothing. 1857 */ 1858 void tomoyo_load_policy(const char *filename) 1859 { 1860 char *argv[2]; 1861 char *envp[3]; 1862 1863 if (tomoyo_policy_loaded) 1864 return; 1865 /* 1866 * Check filename is /sbin/init or /sbin/tomoyo-start. 1867 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't 1868 * be passed. 1869 * You can create /sbin/tomoyo-start by 1870 * "ln -s /bin/true /sbin/tomoyo-start". 1871 */ 1872 if (strcmp(filename, "/sbin/init") && 1873 strcmp(filename, "/sbin/tomoyo-start")) 1874 return; 1875 if (!tomoyo_policy_loader_exists()) 1876 return; 1877 1878 printk(KERN_INFO "Calling %s to load policy. Please wait.\n", 1879 tomoyo_loader); 1880 argv[0] = (char *) tomoyo_loader; 1881 argv[1] = NULL; 1882 envp[0] = "HOME=/"; 1883 envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin"; 1884 envp[2] = NULL; 1885 call_usermodehelper(argv[0], argv, envp, 1); 1886 1887 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n"); 1888 printk(KERN_INFO "Mandatory Access Control activated.\n"); 1889 tomoyo_policy_loaded = true; 1890 { /* Check all profiles currently assigned to domains are defined. */ 1891 struct tomoyo_domain_info *domain; 1892 down_read(&tomoyo_domain_list_lock); 1893 list_for_each_entry(domain, &tomoyo_domain_list, list) { 1894 const u8 profile = domain->profile; 1895 if (tomoyo_profile_ptr[profile]) 1896 continue; 1897 panic("Profile %u (used by '%s') not defined.\n", 1898 profile, domain->domainname->name); 1899 } 1900 up_read(&tomoyo_domain_list_lock); 1901 } 1902 } 1903 1904 /** 1905 * tomoyo_read_version: Get version. 1906 * 1907 * @head: Pointer to "struct tomoyo_io_buffer". 1908 * 1909 * Returns version information. 1910 */ 1911 static int tomoyo_read_version(struct tomoyo_io_buffer *head) 1912 { 1913 if (!head->read_eof) { 1914 tomoyo_io_printf(head, "2.2.0"); 1915 head->read_eof = true; 1916 } 1917 return 0; 1918 } 1919 1920 /** 1921 * tomoyo_read_self_domain - Get the current process's domainname. 1922 * 1923 * @head: Pointer to "struct tomoyo_io_buffer". 1924 * 1925 * Returns the current process's domainname. 1926 */ 1927 static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head) 1928 { 1929 if (!head->read_eof) { 1930 /* 1931 * tomoyo_domain()->domainname != NULL 1932 * because every process belongs to a domain and 1933 * the domain's name cannot be NULL. 1934 */ 1935 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); 1936 head->read_eof = true; 1937 } 1938 return 0; 1939 } 1940 1941 /** 1942 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 1943 * 1944 * @type: Type of interface. 1945 * @file: Pointer to "struct file". 1946 * 1947 * Associates policy handler and returns 0 on success, -ENOMEM otherwise. 1948 */ 1949 static int tomoyo_open_control(const u8 type, struct file *file) 1950 { 1951 struct tomoyo_io_buffer *head = tomoyo_alloc(sizeof(*head)); 1952 1953 if (!head) 1954 return -ENOMEM; 1955 mutex_init(&head->io_sem); 1956 switch (type) { 1957 case TOMOYO_DOMAINPOLICY: 1958 /* /sys/kernel/security/tomoyo/domain_policy */ 1959 head->write = tomoyo_write_domain_policy; 1960 head->read = tomoyo_read_domain_policy; 1961 break; 1962 case TOMOYO_EXCEPTIONPOLICY: 1963 /* /sys/kernel/security/tomoyo/exception_policy */ 1964 head->write = tomoyo_write_exception_policy; 1965 head->read = tomoyo_read_exception_policy; 1966 break; 1967 case TOMOYO_SELFDOMAIN: 1968 /* /sys/kernel/security/tomoyo/self_domain */ 1969 head->read = tomoyo_read_self_domain; 1970 break; 1971 case TOMOYO_DOMAIN_STATUS: 1972 /* /sys/kernel/security/tomoyo/.domain_status */ 1973 head->write = tomoyo_write_domain_profile; 1974 head->read = tomoyo_read_domain_profile; 1975 break; 1976 case TOMOYO_PROCESS_STATUS: 1977 /* /sys/kernel/security/tomoyo/.process_status */ 1978 head->write = tomoyo_write_pid; 1979 head->read = tomoyo_read_pid; 1980 break; 1981 case TOMOYO_VERSION: 1982 /* /sys/kernel/security/tomoyo/version */ 1983 head->read = tomoyo_read_version; 1984 head->readbuf_size = 128; 1985 break; 1986 case TOMOYO_MEMINFO: 1987 /* /sys/kernel/security/tomoyo/meminfo */ 1988 head->write = tomoyo_write_memory_quota; 1989 head->read = tomoyo_read_memory_counter; 1990 head->readbuf_size = 512; 1991 break; 1992 case TOMOYO_PROFILE: 1993 /* /sys/kernel/security/tomoyo/profile */ 1994 head->write = tomoyo_write_profile; 1995 head->read = tomoyo_read_profile; 1996 break; 1997 case TOMOYO_MANAGER: 1998 /* /sys/kernel/security/tomoyo/manager */ 1999 head->write = tomoyo_write_manager_policy; 2000 head->read = tomoyo_read_manager_policy; 2001 break; 2002 } 2003 if (!(file->f_mode & FMODE_READ)) { 2004 /* 2005 * No need to allocate read_buf since it is not opened 2006 * for reading. 2007 */ 2008 head->read = NULL; 2009 } else { 2010 if (!head->readbuf_size) 2011 head->readbuf_size = 4096 * 2; 2012 head->read_buf = tomoyo_alloc(head->readbuf_size); 2013 if (!head->read_buf) { 2014 tomoyo_free(head); 2015 return -ENOMEM; 2016 } 2017 } 2018 if (!(file->f_mode & FMODE_WRITE)) { 2019 /* 2020 * No need to allocate write_buf since it is not opened 2021 * for writing. 2022 */ 2023 head->write = NULL; 2024 } else if (head->write) { 2025 head->writebuf_size = 4096 * 2; 2026 head->write_buf = tomoyo_alloc(head->writebuf_size); 2027 if (!head->write_buf) { 2028 tomoyo_free(head->read_buf); 2029 tomoyo_free(head); 2030 return -ENOMEM; 2031 } 2032 } 2033 file->private_data = head; 2034 /* 2035 * Call the handler now if the file is 2036 * /sys/kernel/security/tomoyo/self_domain 2037 * so that the user can use 2038 * cat < /sys/kernel/security/tomoyo/self_domain" 2039 * to know the current process's domainname. 2040 */ 2041 if (type == TOMOYO_SELFDOMAIN) 2042 tomoyo_read_control(file, NULL, 0); 2043 return 0; 2044 } 2045 2046 /** 2047 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 2048 * 2049 * @file: Pointer to "struct file". 2050 * @buffer: Poiner to buffer to write to. 2051 * @buffer_len: Size of @buffer. 2052 * 2053 * Returns bytes read on success, negative value otherwise. 2054 */ 2055 static int tomoyo_read_control(struct file *file, char __user *buffer, 2056 const int buffer_len) 2057 { 2058 int len = 0; 2059 struct tomoyo_io_buffer *head = file->private_data; 2060 char *cp; 2061 2062 if (!head->read) 2063 return -ENOSYS; 2064 if (mutex_lock_interruptible(&head->io_sem)) 2065 return -EINTR; 2066 /* Call the policy handler. */ 2067 len = head->read(head); 2068 if (len < 0) 2069 goto out; 2070 /* Write to buffer. */ 2071 len = head->read_avail; 2072 if (len > buffer_len) 2073 len = buffer_len; 2074 if (!len) 2075 goto out; 2076 /* head->read_buf changes by some functions. */ 2077 cp = head->read_buf; 2078 if (copy_to_user(buffer, cp, len)) { 2079 len = -EFAULT; 2080 goto out; 2081 } 2082 head->read_avail -= len; 2083 memmove(cp, cp + len, head->read_avail); 2084 out: 2085 mutex_unlock(&head->io_sem); 2086 return len; 2087 } 2088 2089 /** 2090 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 2091 * 2092 * @file: Pointer to "struct file". 2093 * @buffer: Pointer to buffer to read from. 2094 * @buffer_len: Size of @buffer. 2095 * 2096 * Returns @buffer_len on success, negative value otherwise. 2097 */ 2098 static int tomoyo_write_control(struct file *file, const char __user *buffer, 2099 const int buffer_len) 2100 { 2101 struct tomoyo_io_buffer *head = file->private_data; 2102 int error = buffer_len; 2103 int avail_len = buffer_len; 2104 char *cp0 = head->write_buf; 2105 2106 if (!head->write) 2107 return -ENOSYS; 2108 if (!access_ok(VERIFY_READ, buffer, buffer_len)) 2109 return -EFAULT; 2110 /* Don't allow updating policies by non manager programs. */ 2111 if (head->write != tomoyo_write_pid && 2112 head->write != tomoyo_write_domain_policy && 2113 !tomoyo_is_policy_manager()) 2114 return -EPERM; 2115 if (mutex_lock_interruptible(&head->io_sem)) 2116 return -EINTR; 2117 /* Read a line and dispatch it to the policy handler. */ 2118 while (avail_len > 0) { 2119 char c; 2120 if (head->write_avail >= head->writebuf_size - 1) { 2121 error = -ENOMEM; 2122 break; 2123 } else if (get_user(c, buffer)) { 2124 error = -EFAULT; 2125 break; 2126 } 2127 buffer++; 2128 avail_len--; 2129 cp0[head->write_avail++] = c; 2130 if (c != '\n') 2131 continue; 2132 cp0[head->write_avail - 1] = '\0'; 2133 head->write_avail = 0; 2134 tomoyo_normalize_line(cp0); 2135 head->write(head); 2136 } 2137 mutex_unlock(&head->io_sem); 2138 return error; 2139 } 2140 2141 /** 2142 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 2143 * 2144 * @file: Pointer to "struct file". 2145 * 2146 * Releases memory and returns 0. 2147 */ 2148 static int tomoyo_close_control(struct file *file) 2149 { 2150 struct tomoyo_io_buffer *head = file->private_data; 2151 2152 /* Release memory used for policy I/O. */ 2153 tomoyo_free(head->read_buf); 2154 head->read_buf = NULL; 2155 tomoyo_free(head->write_buf); 2156 head->write_buf = NULL; 2157 tomoyo_free(head); 2158 head = NULL; 2159 file->private_data = NULL; 2160 return 0; 2161 } 2162 2163 /** 2164 * tomoyo_alloc_acl_element - Allocate permanent memory for ACL entry. 2165 * 2166 * @acl_type: Type of ACL entry. 2167 * 2168 * Returns pointer to the ACL entry on success, NULL otherwise. 2169 */ 2170 void *tomoyo_alloc_acl_element(const u8 acl_type) 2171 { 2172 int len; 2173 struct tomoyo_acl_info *ptr; 2174 2175 switch (acl_type) { 2176 case TOMOYO_TYPE_SINGLE_PATH_ACL: 2177 len = sizeof(struct tomoyo_single_path_acl_record); 2178 break; 2179 case TOMOYO_TYPE_DOUBLE_PATH_ACL: 2180 len = sizeof(struct tomoyo_double_path_acl_record); 2181 break; 2182 default: 2183 return NULL; 2184 } 2185 ptr = tomoyo_alloc_element(len); 2186 if (!ptr) 2187 return NULL; 2188 ptr->type = acl_type; 2189 return ptr; 2190 } 2191 2192 /** 2193 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface. 2194 * 2195 * @inode: Pointer to "struct inode". 2196 * @file: Pointer to "struct file". 2197 * 2198 * Returns 0 on success, negative value otherwise. 2199 */ 2200 static int tomoyo_open(struct inode *inode, struct file *file) 2201 { 2202 const int key = ((u8 *) file->f_path.dentry->d_inode->i_private) 2203 - ((u8 *) NULL); 2204 return tomoyo_open_control(key, file); 2205 } 2206 2207 /** 2208 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface. 2209 * 2210 * @inode: Pointer to "struct inode". 2211 * @file: Pointer to "struct file". 2212 * 2213 * Returns 0 on success, negative value otherwise. 2214 */ 2215 static int tomoyo_release(struct inode *inode, struct file *file) 2216 { 2217 return tomoyo_close_control(file); 2218 } 2219 2220 /** 2221 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface. 2222 * 2223 * @file: Pointer to "struct file". 2224 * @buf: Pointer to buffer. 2225 * @count: Size of @buf. 2226 * @ppos: Unused. 2227 * 2228 * Returns bytes read on success, negative value otherwise. 2229 */ 2230 static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count, 2231 loff_t *ppos) 2232 { 2233 return tomoyo_read_control(file, buf, count); 2234 } 2235 2236 /** 2237 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface. 2238 * 2239 * @file: Pointer to "struct file". 2240 * @buf: Pointer to buffer. 2241 * @count: Size of @buf. 2242 * @ppos: Unused. 2243 * 2244 * Returns @count on success, negative value otherwise. 2245 */ 2246 static ssize_t tomoyo_write(struct file *file, const char __user *buf, 2247 size_t count, loff_t *ppos) 2248 { 2249 return tomoyo_write_control(file, buf, count); 2250 } 2251 2252 /* 2253 * tomoyo_operations is a "struct file_operations" which is used for handling 2254 * /sys/kernel/security/tomoyo/ interface. 2255 * 2256 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR). 2257 * See tomoyo_io_buffer for internals. 2258 */ 2259 static const struct file_operations tomoyo_operations = { 2260 .open = tomoyo_open, 2261 .release = tomoyo_release, 2262 .read = tomoyo_read, 2263 .write = tomoyo_write, 2264 }; 2265 2266 /** 2267 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory. 2268 * 2269 * @name: The name of the interface file. 2270 * @mode: The permission of the interface file. 2271 * @parent: The parent directory. 2272 * @key: Type of interface. 2273 * 2274 * Returns nothing. 2275 */ 2276 static void __init tomoyo_create_entry(const char *name, const mode_t mode, 2277 struct dentry *parent, const u8 key) 2278 { 2279 securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key, 2280 &tomoyo_operations); 2281 } 2282 2283 /** 2284 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface. 2285 * 2286 * Returns 0. 2287 */ 2288 static int __init tomoyo_initerface_init(void) 2289 { 2290 struct dentry *tomoyo_dir; 2291 2292 /* Don't create securityfs entries unless registered. */ 2293 if (current_cred()->security != &tomoyo_kernel_domain) 2294 return 0; 2295 2296 tomoyo_dir = securityfs_create_dir("tomoyo", NULL); 2297 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir, 2298 TOMOYO_DOMAINPOLICY); 2299 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir, 2300 TOMOYO_EXCEPTIONPOLICY); 2301 tomoyo_create_entry("self_domain", 0400, tomoyo_dir, 2302 TOMOYO_SELFDOMAIN); 2303 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir, 2304 TOMOYO_DOMAIN_STATUS); 2305 tomoyo_create_entry(".process_status", 0600, tomoyo_dir, 2306 TOMOYO_PROCESS_STATUS); 2307 tomoyo_create_entry("meminfo", 0600, tomoyo_dir, 2308 TOMOYO_MEMINFO); 2309 tomoyo_create_entry("profile", 0600, tomoyo_dir, 2310 TOMOYO_PROFILE); 2311 tomoyo_create_entry("manager", 0600, tomoyo_dir, 2312 TOMOYO_MANAGER); 2313 tomoyo_create_entry("version", 0400, tomoyo_dir, 2314 TOMOYO_VERSION); 2315 return 0; 2316 } 2317 2318 fs_initcall(tomoyo_initerface_init); 2319