1 /* 2 * security/tomoyo/file.c 3 * 4 * Implementation of the Domain-Based Mandatory Access Control. 5 * 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 7 * 8 * Version: 2.2.0 2009/04/01 9 * 10 */ 11 12 #include "common.h" 13 #include "tomoyo.h" 14 #include "realpath.h" 15 16 /* 17 * tomoyo_globally_readable_file_entry is a structure which is used for holding 18 * "allow_read" entries. 19 * It has following fields. 20 * 21 * (1) "list" which is linked to tomoyo_globally_readable_list . 22 * (2) "filename" is a pathname which is allowed to open(O_RDONLY). 23 * (3) "is_deleted" is a bool which is true if marked as deleted, false 24 * otherwise. 25 */ 26 struct tomoyo_globally_readable_file_entry { 27 struct list_head list; 28 const struct tomoyo_path_info *filename; 29 bool is_deleted; 30 }; 31 32 /* 33 * tomoyo_pattern_entry is a structure which is used for holding 34 * "tomoyo_pattern_list" entries. 35 * It has following fields. 36 * 37 * (1) "list" which is linked to tomoyo_pattern_list . 38 * (2) "pattern" is a pathname pattern which is used for converting pathnames 39 * to pathname patterns during learning mode. 40 * (3) "is_deleted" is a bool which is true if marked as deleted, false 41 * otherwise. 42 */ 43 struct tomoyo_pattern_entry { 44 struct list_head list; 45 const struct tomoyo_path_info *pattern; 46 bool is_deleted; 47 }; 48 49 /* 50 * tomoyo_no_rewrite_entry is a structure which is used for holding 51 * "deny_rewrite" entries. 52 * It has following fields. 53 * 54 * (1) "list" which is linked to tomoyo_no_rewrite_list . 55 * (2) "pattern" is a pathname which is by default not permitted to modify 56 * already existing content. 57 * (3) "is_deleted" is a bool which is true if marked as deleted, false 58 * otherwise. 59 */ 60 struct tomoyo_no_rewrite_entry { 61 struct list_head list; 62 const struct tomoyo_path_info *pattern; 63 bool is_deleted; 64 }; 65 66 /* Keyword array for single path operations. */ 67 static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = { 68 [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write", 69 [TOMOYO_TYPE_EXECUTE_ACL] = "execute", 70 [TOMOYO_TYPE_READ_ACL] = "read", 71 [TOMOYO_TYPE_WRITE_ACL] = "write", 72 [TOMOYO_TYPE_CREATE_ACL] = "create", 73 [TOMOYO_TYPE_UNLINK_ACL] = "unlink", 74 [TOMOYO_TYPE_MKDIR_ACL] = "mkdir", 75 [TOMOYO_TYPE_RMDIR_ACL] = "rmdir", 76 [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo", 77 [TOMOYO_TYPE_MKSOCK_ACL] = "mksock", 78 [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock", 79 [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar", 80 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate", 81 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink", 82 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite", 83 }; 84 85 /* Keyword array for double path operations. */ 86 static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = { 87 [TOMOYO_TYPE_LINK_ACL] = "link", 88 [TOMOYO_TYPE_RENAME_ACL] = "rename", 89 }; 90 91 /** 92 * tomoyo_sp2keyword - Get the name of single path operation. 93 * 94 * @operation: Type of operation. 95 * 96 * Returns the name of single path operation. 97 */ 98 const char *tomoyo_sp2keyword(const u8 operation) 99 { 100 return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION) 101 ? tomoyo_sp_keyword[operation] : NULL; 102 } 103 104 /** 105 * tomoyo_dp2keyword - Get the name of double path operation. 106 * 107 * @operation: Type of operation. 108 * 109 * Returns the name of double path operation. 110 */ 111 const char *tomoyo_dp2keyword(const u8 operation) 112 { 113 return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION) 114 ? tomoyo_dp_keyword[operation] : NULL; 115 } 116 117 /** 118 * tomoyo_strendswith - Check whether the token ends with the given token. 119 * 120 * @name: The token to check. 121 * @tail: The token to find. 122 * 123 * Returns true if @name ends with @tail, false otherwise. 124 */ 125 static bool tomoyo_strendswith(const char *name, const char *tail) 126 { 127 int len; 128 129 if (!name || !tail) 130 return false; 131 len = strlen(name) - strlen(tail); 132 return len >= 0 && !strcmp(name + len, tail); 133 } 134 135 /** 136 * tomoyo_get_path - Get realpath. 137 * 138 * @path: Pointer to "struct path". 139 * 140 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise. 141 */ 142 static struct tomoyo_path_info *tomoyo_get_path(struct path *path) 143 { 144 int error; 145 struct tomoyo_path_info_with_data *buf = tomoyo_alloc(sizeof(*buf)); 146 147 if (!buf) 148 return NULL; 149 /* Reserve one byte for appending "/". */ 150 error = tomoyo_realpath_from_path2(path, buf->body, 151 sizeof(buf->body) - 2); 152 if (!error) { 153 buf->head.name = buf->body; 154 tomoyo_fill_path_info(&buf->head); 155 return &buf->head; 156 } 157 tomoyo_free(buf); 158 return NULL; 159 } 160 161 /* Lock for domain->acl_info_list. */ 162 DECLARE_RWSEM(tomoyo_domain_acl_info_list_lock); 163 164 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, 165 const char *filename2, 166 struct tomoyo_domain_info * 167 const domain, const bool is_delete); 168 static int tomoyo_update_single_path_acl(const u8 type, const char *filename, 169 struct tomoyo_domain_info * 170 const domain, const bool is_delete); 171 172 /* 173 * tomoyo_globally_readable_list is used for holding list of pathnames which 174 * are by default allowed to be open()ed for reading by any process. 175 * 176 * An entry is added by 177 * 178 * # echo 'allow_read /lib/libc-2.5.so' > \ 179 * /sys/kernel/security/tomoyo/exception_policy 180 * 181 * and is deleted by 182 * 183 * # echo 'delete allow_read /lib/libc-2.5.so' > \ 184 * /sys/kernel/security/tomoyo/exception_policy 185 * 186 * and all entries are retrieved by 187 * 188 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy 189 * 190 * In the example above, any process is allowed to 191 * open("/lib/libc-2.5.so", O_RDONLY). 192 * One exception is, if the domain which current process belongs to is marked 193 * as "ignore_global_allow_read", current process can't do so unless explicitly 194 * given "allow_read /lib/libc-2.5.so" to the domain which current process 195 * belongs to. 196 */ 197 static LIST_HEAD(tomoyo_globally_readable_list); 198 static DECLARE_RWSEM(tomoyo_globally_readable_list_lock); 199 200 /** 201 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list. 202 * 203 * @filename: Filename unconditionally permitted to open() for reading. 204 * @is_delete: True if it is a delete request. 205 * 206 * Returns 0 on success, negative value otherwise. 207 */ 208 static int tomoyo_update_globally_readable_entry(const char *filename, 209 const bool is_delete) 210 { 211 struct tomoyo_globally_readable_file_entry *new_entry; 212 struct tomoyo_globally_readable_file_entry *ptr; 213 const struct tomoyo_path_info *saved_filename; 214 int error = -ENOMEM; 215 216 if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__)) 217 return -EINVAL; 218 saved_filename = tomoyo_save_name(filename); 219 if (!saved_filename) 220 return -ENOMEM; 221 down_write(&tomoyo_globally_readable_list_lock); 222 list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) { 223 if (ptr->filename != saved_filename) 224 continue; 225 ptr->is_deleted = is_delete; 226 error = 0; 227 goto out; 228 } 229 if (is_delete) { 230 error = -ENOENT; 231 goto out; 232 } 233 new_entry = tomoyo_alloc_element(sizeof(*new_entry)); 234 if (!new_entry) 235 goto out; 236 new_entry->filename = saved_filename; 237 list_add_tail(&new_entry->list, &tomoyo_globally_readable_list); 238 error = 0; 239 out: 240 up_write(&tomoyo_globally_readable_list_lock); 241 return error; 242 } 243 244 /** 245 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading. 246 * 247 * @filename: The filename to check. 248 * 249 * Returns true if any domain can open @filename for reading, false otherwise. 250 */ 251 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info * 252 filename) 253 { 254 struct tomoyo_globally_readable_file_entry *ptr; 255 bool found = false; 256 down_read(&tomoyo_globally_readable_list_lock); 257 list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) { 258 if (!ptr->is_deleted && 259 tomoyo_path_matches_pattern(filename, ptr->filename)) { 260 found = true; 261 break; 262 } 263 } 264 up_read(&tomoyo_globally_readable_list_lock); 265 return found; 266 } 267 268 /** 269 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list. 270 * 271 * @data: String to parse. 272 * @is_delete: True if it is a delete request. 273 * 274 * Returns 0 on success, negative value otherwise. 275 */ 276 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete) 277 { 278 return tomoyo_update_globally_readable_entry(data, is_delete); 279 } 280 281 /** 282 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list. 283 * 284 * @head: Pointer to "struct tomoyo_io_buffer". 285 * 286 * Returns true on success, false otherwise. 287 */ 288 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) 289 { 290 struct list_head *pos; 291 bool done = true; 292 293 down_read(&tomoyo_globally_readable_list_lock); 294 list_for_each_cookie(pos, head->read_var2, 295 &tomoyo_globally_readable_list) { 296 struct tomoyo_globally_readable_file_entry *ptr; 297 ptr = list_entry(pos, 298 struct tomoyo_globally_readable_file_entry, 299 list); 300 if (ptr->is_deleted) 301 continue; 302 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n", 303 ptr->filename->name); 304 if (!done) 305 break; 306 } 307 up_read(&tomoyo_globally_readable_list_lock); 308 return done; 309 } 310 311 /* tomoyo_pattern_list is used for holding list of pathnames which are used for 312 * converting pathnames to pathname patterns during learning mode. 313 * 314 * An entry is added by 315 * 316 * # echo 'file_pattern /proc/\$/mounts' > \ 317 * /sys/kernel/security/tomoyo/exception_policy 318 * 319 * and is deleted by 320 * 321 * # echo 'delete file_pattern /proc/\$/mounts' > \ 322 * /sys/kernel/security/tomoyo/exception_policy 323 * 324 * and all entries are retrieved by 325 * 326 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy 327 * 328 * In the example above, if a process which belongs to a domain which is in 329 * learning mode requested open("/proc/1/mounts", O_RDONLY), 330 * "allow_read /proc/\$/mounts" is automatically added to the domain which that 331 * process belongs to. 332 * 333 * It is not a desirable behavior that we have to use /proc/\$/ instead of 334 * /proc/self/ when current process needs to access only current process's 335 * information. As of now, LSM version of TOMOYO is using __d_path() for 336 * calculating pathname. Non LSM version of TOMOYO is using its own function 337 * which pretends as if /proc/self/ is not a symlink; so that we can forbid 338 * current process from accessing other process's information. 339 */ 340 static LIST_HEAD(tomoyo_pattern_list); 341 static DECLARE_RWSEM(tomoyo_pattern_list_lock); 342 343 /** 344 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list. 345 * 346 * @pattern: Pathname pattern. 347 * @is_delete: True if it is a delete request. 348 * 349 * Returns 0 on success, negative value otherwise. 350 */ 351 static int tomoyo_update_file_pattern_entry(const char *pattern, 352 const bool is_delete) 353 { 354 struct tomoyo_pattern_entry *new_entry; 355 struct tomoyo_pattern_entry *ptr; 356 const struct tomoyo_path_info *saved_pattern; 357 int error = -ENOMEM; 358 359 if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__)) 360 return -EINVAL; 361 saved_pattern = tomoyo_save_name(pattern); 362 if (!saved_pattern) 363 return -ENOMEM; 364 down_write(&tomoyo_pattern_list_lock); 365 list_for_each_entry(ptr, &tomoyo_pattern_list, list) { 366 if (saved_pattern != ptr->pattern) 367 continue; 368 ptr->is_deleted = is_delete; 369 error = 0; 370 goto out; 371 } 372 if (is_delete) { 373 error = -ENOENT; 374 goto out; 375 } 376 new_entry = tomoyo_alloc_element(sizeof(*new_entry)); 377 if (!new_entry) 378 goto out; 379 new_entry->pattern = saved_pattern; 380 list_add_tail(&new_entry->list, &tomoyo_pattern_list); 381 error = 0; 382 out: 383 up_write(&tomoyo_pattern_list_lock); 384 return error; 385 } 386 387 /** 388 * tomoyo_get_file_pattern - Get patterned pathname. 389 * 390 * @filename: The filename to find patterned pathname. 391 * 392 * Returns pointer to pathname pattern if matched, @filename otherwise. 393 */ 394 static const struct tomoyo_path_info * 395 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename) 396 { 397 struct tomoyo_pattern_entry *ptr; 398 const struct tomoyo_path_info *pattern = NULL; 399 400 down_read(&tomoyo_pattern_list_lock); 401 list_for_each_entry(ptr, &tomoyo_pattern_list, list) { 402 if (ptr->is_deleted) 403 continue; 404 if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) 405 continue; 406 pattern = ptr->pattern; 407 if (tomoyo_strendswith(pattern->name, "/\\*")) { 408 /* Do nothing. Try to find the better match. */ 409 } else { 410 /* This would be the better match. Use this. */ 411 break; 412 } 413 } 414 up_read(&tomoyo_pattern_list_lock); 415 if (pattern) 416 filename = pattern; 417 return filename; 418 } 419 420 /** 421 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list. 422 * 423 * @data: String to parse. 424 * @is_delete: True if it is a delete request. 425 * 426 * Returns 0 on success, negative value otherwise. 427 */ 428 int tomoyo_write_pattern_policy(char *data, const bool is_delete) 429 { 430 return tomoyo_update_file_pattern_entry(data, is_delete); 431 } 432 433 /** 434 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list. 435 * 436 * @head: Pointer to "struct tomoyo_io_buffer". 437 * 438 * Returns true on success, false otherwise. 439 */ 440 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) 441 { 442 struct list_head *pos; 443 bool done = true; 444 445 down_read(&tomoyo_pattern_list_lock); 446 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) { 447 struct tomoyo_pattern_entry *ptr; 448 ptr = list_entry(pos, struct tomoyo_pattern_entry, list); 449 if (ptr->is_deleted) 450 continue; 451 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN 452 "%s\n", ptr->pattern->name); 453 if (!done) 454 break; 455 } 456 up_read(&tomoyo_pattern_list_lock); 457 return done; 458 } 459 460 /* 461 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by 462 * default forbidden to modify already written content of a file. 463 * 464 * An entry is added by 465 * 466 * # echo 'deny_rewrite /var/log/messages' > \ 467 * /sys/kernel/security/tomoyo/exception_policy 468 * 469 * and is deleted by 470 * 471 * # echo 'delete deny_rewrite /var/log/messages' > \ 472 * /sys/kernel/security/tomoyo/exception_policy 473 * 474 * and all entries are retrieved by 475 * 476 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy 477 * 478 * In the example above, if a process requested to rewrite /var/log/messages , 479 * the process can't rewrite unless the domain which that process belongs to 480 * has "allow_rewrite /var/log/messages" entry. 481 * 482 * It is not a desirable behavior that we have to add "\040(deleted)" suffix 483 * when we want to allow rewriting already unlink()ed file. As of now, 484 * LSM version of TOMOYO is using __d_path() for calculating pathname. 485 * Non LSM version of TOMOYO is using its own function which doesn't append 486 * " (deleted)" suffix if the file is already unlink()ed; so that we don't 487 * need to worry whether the file is already unlink()ed or not. 488 */ 489 static LIST_HEAD(tomoyo_no_rewrite_list); 490 static DECLARE_RWSEM(tomoyo_no_rewrite_list_lock); 491 492 /** 493 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list. 494 * 495 * @pattern: Pathname pattern that are not rewritable by default. 496 * @is_delete: True if it is a delete request. 497 * 498 * Returns 0 on success, negative value otherwise. 499 */ 500 static int tomoyo_update_no_rewrite_entry(const char *pattern, 501 const bool is_delete) 502 { 503 struct tomoyo_no_rewrite_entry *new_entry, *ptr; 504 const struct tomoyo_path_info *saved_pattern; 505 int error = -ENOMEM; 506 507 if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__)) 508 return -EINVAL; 509 saved_pattern = tomoyo_save_name(pattern); 510 if (!saved_pattern) 511 return -ENOMEM; 512 down_write(&tomoyo_no_rewrite_list_lock); 513 list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) { 514 if (ptr->pattern != saved_pattern) 515 continue; 516 ptr->is_deleted = is_delete; 517 error = 0; 518 goto out; 519 } 520 if (is_delete) { 521 error = -ENOENT; 522 goto out; 523 } 524 new_entry = tomoyo_alloc_element(sizeof(*new_entry)); 525 if (!new_entry) 526 goto out; 527 new_entry->pattern = saved_pattern; 528 list_add_tail(&new_entry->list, &tomoyo_no_rewrite_list); 529 error = 0; 530 out: 531 up_write(&tomoyo_no_rewrite_list_lock); 532 return error; 533 } 534 535 /** 536 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited. 537 * 538 * @filename: Filename to check. 539 * 540 * Returns true if @filename is specified by "deny_rewrite" directive, 541 * false otherwise. 542 */ 543 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename) 544 { 545 struct tomoyo_no_rewrite_entry *ptr; 546 bool found = false; 547 548 down_read(&tomoyo_no_rewrite_list_lock); 549 list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) { 550 if (ptr->is_deleted) 551 continue; 552 if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) 553 continue; 554 found = true; 555 break; 556 } 557 up_read(&tomoyo_no_rewrite_list_lock); 558 return found; 559 } 560 561 /** 562 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list. 563 * 564 * @data: String to parse. 565 * @is_delete: True if it is a delete request. 566 * 567 * Returns 0 on success, negative value otherwise. 568 */ 569 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete) 570 { 571 return tomoyo_update_no_rewrite_entry(data, is_delete); 572 } 573 574 /** 575 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list. 576 * 577 * @head: Pointer to "struct tomoyo_io_buffer". 578 * 579 * Returns true on success, false otherwise. 580 */ 581 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head) 582 { 583 struct list_head *pos; 584 bool done = true; 585 586 down_read(&tomoyo_no_rewrite_list_lock); 587 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) { 588 struct tomoyo_no_rewrite_entry *ptr; 589 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list); 590 if (ptr->is_deleted) 591 continue; 592 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE 593 "%s\n", ptr->pattern->name); 594 if (!done) 595 break; 596 } 597 up_read(&tomoyo_no_rewrite_list_lock); 598 return done; 599 } 600 601 /** 602 * tomoyo_update_file_acl - Update file's read/write/execute ACL. 603 * 604 * @filename: Filename. 605 * @perm: Permission (between 1 to 7). 606 * @domain: Pointer to "struct tomoyo_domain_info". 607 * @is_delete: True if it is a delete request. 608 * 609 * Returns 0 on success, negative value otherwise. 610 * 611 * This is legacy support interface for older policy syntax. 612 * Current policy syntax uses "allow_read/write" instead of "6", 613 * "allow_read" instead of "4", "allow_write" instead of "2", 614 * "allow_execute" instead of "1". 615 */ 616 static int tomoyo_update_file_acl(const char *filename, u8 perm, 617 struct tomoyo_domain_info * const domain, 618 const bool is_delete) 619 { 620 if (perm > 7 || !perm) { 621 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n", 622 __func__, perm, filename); 623 return -EINVAL; 624 } 625 if (filename[0] != '@' && tomoyo_strendswith(filename, "/")) 626 /* 627 * Only 'allow_mkdir' and 'allow_rmdir' are valid for 628 * directory permissions. 629 */ 630 return 0; 631 if (perm & 4) 632 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename, 633 domain, is_delete); 634 if (perm & 2) 635 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename, 636 domain, is_delete); 637 if (perm & 1) 638 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL, 639 filename, domain, is_delete); 640 return 0; 641 } 642 643 /** 644 * tomoyo_check_single_path_acl2 - Check permission for single path operation. 645 * 646 * @domain: Pointer to "struct tomoyo_domain_info". 647 * @filename: Filename to check. 648 * @perm: Permission. 649 * @may_use_pattern: True if patterned ACL is permitted. 650 * 651 * Returns 0 on success, -EPERM otherwise. 652 */ 653 static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info * 654 domain, 655 const struct tomoyo_path_info * 656 filename, 657 const u16 perm, 658 const bool may_use_pattern) 659 { 660 struct tomoyo_acl_info *ptr; 661 int error = -EPERM; 662 663 down_read(&tomoyo_domain_acl_info_list_lock); 664 list_for_each_entry(ptr, &domain->acl_info_list, list) { 665 struct tomoyo_single_path_acl_record *acl; 666 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) 667 continue; 668 acl = container_of(ptr, struct tomoyo_single_path_acl_record, 669 head); 670 if (!(acl->perm & perm)) 671 continue; 672 if (may_use_pattern || !acl->filename->is_patterned) { 673 if (!tomoyo_path_matches_pattern(filename, 674 acl->filename)) 675 continue; 676 } else { 677 continue; 678 } 679 error = 0; 680 break; 681 } 682 up_read(&tomoyo_domain_acl_info_list_lock); 683 return error; 684 } 685 686 /** 687 * tomoyo_check_file_acl - Check permission for opening files. 688 * 689 * @domain: Pointer to "struct tomoyo_domain_info". 690 * @filename: Filename to check. 691 * @operation: Mode ("read" or "write" or "read/write" or "execute"). 692 * 693 * Returns 0 on success, -EPERM otherwise. 694 */ 695 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain, 696 const struct tomoyo_path_info *filename, 697 const u8 operation) 698 { 699 u16 perm = 0; 700 701 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 702 return 0; 703 if (operation == 6) 704 perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL; 705 else if (operation == 4) 706 perm = 1 << TOMOYO_TYPE_READ_ACL; 707 else if (operation == 2) 708 perm = 1 << TOMOYO_TYPE_WRITE_ACL; 709 else if (operation == 1) 710 perm = 1 << TOMOYO_TYPE_EXECUTE_ACL; 711 else 712 BUG(); 713 return tomoyo_check_single_path_acl2(domain, filename, perm, 714 operation != 1); 715 } 716 717 /** 718 * tomoyo_check_file_perm2 - Check permission for opening files. 719 * 720 * @domain: Pointer to "struct tomoyo_domain_info". 721 * @filename: Filename to check. 722 * @perm: Mode ("read" or "write" or "read/write" or "execute"). 723 * @operation: Operation name passed used for verbose mode. 724 * @mode: Access control mode. 725 * 726 * Returns 0 on success, negative value otherwise. 727 */ 728 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain, 729 const struct tomoyo_path_info *filename, 730 const u8 perm, const char *operation, 731 const u8 mode) 732 { 733 const bool is_enforce = (mode == 3); 734 const char *msg = "<unknown>"; 735 int error = 0; 736 737 if (!filename) 738 return 0; 739 error = tomoyo_check_file_acl(domain, filename, perm); 740 if (error && perm == 4 && 741 (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) == 0 742 && tomoyo_is_globally_readable_file(filename)) 743 error = 0; 744 if (perm == 6) 745 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL); 746 else if (perm == 4) 747 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL); 748 else if (perm == 2) 749 msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL); 750 else if (perm == 1) 751 msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL); 752 else 753 BUG(); 754 if (!error) 755 return 0; 756 if (tomoyo_verbose_mode(domain)) 757 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied " 758 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation, 759 filename->name, tomoyo_get_last_name(domain)); 760 if (is_enforce) 761 return error; 762 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 763 /* Don't use patterns for execute permission. */ 764 const struct tomoyo_path_info *patterned_file = (perm != 1) ? 765 tomoyo_get_file_pattern(filename) : filename; 766 tomoyo_update_file_acl(patterned_file->name, perm, 767 domain, false); 768 } 769 return 0; 770 } 771 772 /** 773 * tomoyo_write_file_policy - Update file related list. 774 * 775 * @data: String to parse. 776 * @domain: Pointer to "struct tomoyo_domain_info". 777 * @is_delete: True if it is a delete request. 778 * 779 * Returns 0 on success, negative value otherwise. 780 */ 781 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, 782 const bool is_delete) 783 { 784 char *filename = strchr(data, ' '); 785 char *filename2; 786 unsigned int perm; 787 u8 type; 788 789 if (!filename) 790 return -EINVAL; 791 *filename++ = '\0'; 792 if (sscanf(data, "%u", &perm) == 1) 793 return tomoyo_update_file_acl(filename, (u8) perm, domain, 794 is_delete); 795 if (strncmp(data, "allow_", 6)) 796 goto out; 797 data += 6; 798 for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) { 799 if (strcmp(data, tomoyo_sp_keyword[type])) 800 continue; 801 return tomoyo_update_single_path_acl(type, filename, 802 domain, is_delete); 803 } 804 filename2 = strchr(filename, ' '); 805 if (!filename2) 806 goto out; 807 *filename2++ = '\0'; 808 for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) { 809 if (strcmp(data, tomoyo_dp_keyword[type])) 810 continue; 811 return tomoyo_update_double_path_acl(type, filename, filename2, 812 domain, is_delete); 813 } 814 out: 815 return -EINVAL; 816 } 817 818 /** 819 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list. 820 * 821 * @type: Type of operation. 822 * @filename: Filename. 823 * @domain: Pointer to "struct tomoyo_domain_info". 824 * @is_delete: True if it is a delete request. 825 * 826 * Returns 0 on success, negative value otherwise. 827 */ 828 static int tomoyo_update_single_path_acl(const u8 type, const char *filename, 829 struct tomoyo_domain_info * 830 const domain, const bool is_delete) 831 { 832 static const u16 rw_mask = 833 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL); 834 const struct tomoyo_path_info *saved_filename; 835 struct tomoyo_acl_info *ptr; 836 struct tomoyo_single_path_acl_record *acl; 837 int error = -ENOMEM; 838 const u16 perm = 1 << type; 839 840 if (!domain) 841 return -EINVAL; 842 if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__)) 843 return -EINVAL; 844 saved_filename = tomoyo_save_name(filename); 845 if (!saved_filename) 846 return -ENOMEM; 847 down_write(&tomoyo_domain_acl_info_list_lock); 848 if (is_delete) 849 goto delete; 850 list_for_each_entry(ptr, &domain->acl_info_list, list) { 851 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) 852 continue; 853 acl = container_of(ptr, struct tomoyo_single_path_acl_record, 854 head); 855 if (acl->filename != saved_filename) 856 continue; 857 /* Special case. Clear all bits if marked as deleted. */ 858 if (ptr->type & TOMOYO_ACL_DELETED) 859 acl->perm = 0; 860 acl->perm |= perm; 861 if ((acl->perm & rw_mask) == rw_mask) 862 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL; 863 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 864 acl->perm |= rw_mask; 865 ptr->type &= ~TOMOYO_ACL_DELETED; 866 error = 0; 867 goto out; 868 } 869 /* Not found. Append it to the tail. */ 870 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL); 871 if (!acl) 872 goto out; 873 acl->perm = perm; 874 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 875 acl->perm |= rw_mask; 876 acl->filename = saved_filename; 877 list_add_tail(&acl->head.list, &domain->acl_info_list); 878 error = 0; 879 goto out; 880 delete: 881 error = -ENOENT; 882 list_for_each_entry(ptr, &domain->acl_info_list, list) { 883 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) 884 continue; 885 acl = container_of(ptr, struct tomoyo_single_path_acl_record, 886 head); 887 if (acl->filename != saved_filename) 888 continue; 889 acl->perm &= ~perm; 890 if ((acl->perm & rw_mask) != rw_mask) 891 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL); 892 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) 893 acl->perm &= ~rw_mask; 894 if (!acl->perm) 895 ptr->type |= TOMOYO_ACL_DELETED; 896 error = 0; 897 break; 898 } 899 out: 900 up_write(&tomoyo_domain_acl_info_list_lock); 901 return error; 902 } 903 904 /** 905 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list. 906 * 907 * @type: Type of operation. 908 * @filename1: First filename. 909 * @filename2: Second filename. 910 * @domain: Pointer to "struct tomoyo_domain_info". 911 * @is_delete: True if it is a delete request. 912 * 913 * Returns 0 on success, negative value otherwise. 914 */ 915 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, 916 const char *filename2, 917 struct tomoyo_domain_info * 918 const domain, const bool is_delete) 919 { 920 const struct tomoyo_path_info *saved_filename1; 921 const struct tomoyo_path_info *saved_filename2; 922 struct tomoyo_acl_info *ptr; 923 struct tomoyo_double_path_acl_record *acl; 924 int error = -ENOMEM; 925 const u8 perm = 1 << type; 926 927 if (!domain) 928 return -EINVAL; 929 if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) || 930 !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__)) 931 return -EINVAL; 932 saved_filename1 = tomoyo_save_name(filename1); 933 saved_filename2 = tomoyo_save_name(filename2); 934 if (!saved_filename1 || !saved_filename2) 935 return -ENOMEM; 936 down_write(&tomoyo_domain_acl_info_list_lock); 937 if (is_delete) 938 goto delete; 939 list_for_each_entry(ptr, &domain->acl_info_list, list) { 940 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) 941 continue; 942 acl = container_of(ptr, struct tomoyo_double_path_acl_record, 943 head); 944 if (acl->filename1 != saved_filename1 || 945 acl->filename2 != saved_filename2) 946 continue; 947 /* Special case. Clear all bits if marked as deleted. */ 948 if (ptr->type & TOMOYO_ACL_DELETED) 949 acl->perm = 0; 950 acl->perm |= perm; 951 ptr->type &= ~TOMOYO_ACL_DELETED; 952 error = 0; 953 goto out; 954 } 955 /* Not found. Append it to the tail. */ 956 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_DOUBLE_PATH_ACL); 957 if (!acl) 958 goto out; 959 acl->perm = perm; 960 acl->filename1 = saved_filename1; 961 acl->filename2 = saved_filename2; 962 list_add_tail(&acl->head.list, &domain->acl_info_list); 963 error = 0; 964 goto out; 965 delete: 966 error = -ENOENT; 967 list_for_each_entry(ptr, &domain->acl_info_list, list) { 968 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) 969 continue; 970 acl = container_of(ptr, struct tomoyo_double_path_acl_record, 971 head); 972 if (acl->filename1 != saved_filename1 || 973 acl->filename2 != saved_filename2) 974 continue; 975 acl->perm &= ~perm; 976 if (!acl->perm) 977 ptr->type |= TOMOYO_ACL_DELETED; 978 error = 0; 979 break; 980 } 981 out: 982 up_write(&tomoyo_domain_acl_info_list_lock); 983 return error; 984 } 985 986 /** 987 * tomoyo_check_single_path_acl - Check permission for single path operation. 988 * 989 * @domain: Pointer to "struct tomoyo_domain_info". 990 * @type: Type of operation. 991 * @filename: Filename to check. 992 * 993 * Returns 0 on success, negative value otherwise. 994 */ 995 static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain, 996 const u8 type, 997 const struct tomoyo_path_info *filename) 998 { 999 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 1000 return 0; 1001 return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1); 1002 } 1003 1004 /** 1005 * tomoyo_check_double_path_acl - Check permission for double path operation. 1006 * 1007 * @domain: Pointer to "struct tomoyo_domain_info". 1008 * @type: Type of operation. 1009 * @filename1: First filename to check. 1010 * @filename2: Second filename to check. 1011 * 1012 * Returns 0 on success, -EPERM otherwise. 1013 */ 1014 static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain, 1015 const u8 type, 1016 const struct tomoyo_path_info * 1017 filename1, 1018 const struct tomoyo_path_info * 1019 filename2) 1020 { 1021 struct tomoyo_acl_info *ptr; 1022 const u8 perm = 1 << type; 1023 int error = -EPERM; 1024 1025 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 1026 return 0; 1027 down_read(&tomoyo_domain_acl_info_list_lock); 1028 list_for_each_entry(ptr, &domain->acl_info_list, list) { 1029 struct tomoyo_double_path_acl_record *acl; 1030 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) 1031 continue; 1032 acl = container_of(ptr, struct tomoyo_double_path_acl_record, 1033 head); 1034 if (!(acl->perm & perm)) 1035 continue; 1036 if (!tomoyo_path_matches_pattern(filename1, acl->filename1)) 1037 continue; 1038 if (!tomoyo_path_matches_pattern(filename2, acl->filename2)) 1039 continue; 1040 error = 0; 1041 break; 1042 } 1043 up_read(&tomoyo_domain_acl_info_list_lock); 1044 return error; 1045 } 1046 1047 /** 1048 * tomoyo_check_single_path_permission2 - Check permission for single path operation. 1049 * 1050 * @domain: Pointer to "struct tomoyo_domain_info". 1051 * @operation: Type of operation. 1052 * @filename: Filename to check. 1053 * @mode: Access control mode. 1054 * 1055 * Returns 0 on success, negative value otherwise. 1056 */ 1057 static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * 1058 const domain, u8 operation, 1059 const struct tomoyo_path_info * 1060 filename, const u8 mode) 1061 { 1062 const char *msg; 1063 int error; 1064 const bool is_enforce = (mode == 3); 1065 1066 if (!mode) 1067 return 0; 1068 next: 1069 error = tomoyo_check_single_path_acl(domain, operation, filename); 1070 msg = tomoyo_sp2keyword(operation); 1071 if (!error) 1072 goto ok; 1073 if (tomoyo_verbose_mode(domain)) 1074 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n", 1075 tomoyo_get_msg(is_enforce), msg, filename->name, 1076 tomoyo_get_last_name(domain)); 1077 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 1078 const char *name = tomoyo_get_file_pattern(filename)->name; 1079 tomoyo_update_single_path_acl(operation, name, domain, false); 1080 } 1081 if (!is_enforce) 1082 error = 0; 1083 ok: 1084 /* 1085 * Since "allow_truncate" doesn't imply "allow_rewrite" permission, 1086 * we need to check "allow_rewrite" permission if the filename is 1087 * specified by "deny_rewrite" keyword. 1088 */ 1089 if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL && 1090 tomoyo_is_no_rewrite_file(filename)) { 1091 operation = TOMOYO_TYPE_REWRITE_ACL; 1092 goto next; 1093 } 1094 return error; 1095 } 1096 1097 /** 1098 * tomoyo_check_exec_perm - Check permission for "execute". 1099 * 1100 * @domain: Pointer to "struct tomoyo_domain_info". 1101 * @filename: Check permission for "execute". 1102 * 1103 * Returns 0 on success, negativevalue otherwise. 1104 */ 1105 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, 1106 const struct tomoyo_path_info *filename) 1107 { 1108 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1109 1110 if (!mode) 1111 return 0; 1112 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode); 1113 } 1114 1115 /** 1116 * tomoyo_check_open_permission - Check permission for "read" and "write". 1117 * 1118 * @domain: Pointer to "struct tomoyo_domain_info". 1119 * @path: Pointer to "struct path". 1120 * @flag: Flags for open(). 1121 * 1122 * Returns 0 on success, negative value otherwise. 1123 */ 1124 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 1125 struct path *path, const int flag) 1126 { 1127 const u8 acc_mode = ACC_MODE(flag); 1128 int error = -ENOMEM; 1129 struct tomoyo_path_info *buf; 1130 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1131 const bool is_enforce = (mode == 3); 1132 1133 if (!mode || !path->mnt) 1134 return 0; 1135 if (acc_mode == 0) 1136 return 0; 1137 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode)) 1138 /* 1139 * I don't check directories here because mkdir() and rmdir() 1140 * don't call me. 1141 */ 1142 return 0; 1143 buf = tomoyo_get_path(path); 1144 if (!buf) 1145 goto out; 1146 error = 0; 1147 /* 1148 * If the filename is specified by "deny_rewrite" keyword, 1149 * we need to check "allow_rewrite" permission when the filename is not 1150 * opened for append mode or the filename is truncated at open time. 1151 */ 1152 if ((acc_mode & MAY_WRITE) && 1153 ((flag & O_TRUNC) || !(flag & O_APPEND)) && 1154 (tomoyo_is_no_rewrite_file(buf))) { 1155 error = tomoyo_check_single_path_permission2(domain, 1156 TOMOYO_TYPE_REWRITE_ACL, 1157 buf, mode); 1158 } 1159 if (!error) 1160 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open", 1161 mode); 1162 if (!error && (flag & O_TRUNC)) 1163 error = tomoyo_check_single_path_permission2(domain, 1164 TOMOYO_TYPE_TRUNCATE_ACL, 1165 buf, mode); 1166 out: 1167 tomoyo_free(buf); 1168 if (!is_enforce) 1169 error = 0; 1170 return error; 1171 } 1172 1173 /** 1174 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate" and "symlink". 1175 * 1176 * @domain: Pointer to "struct tomoyo_domain_info". 1177 * @operation: Type of operation. 1178 * @path: Pointer to "struct path". 1179 * 1180 * Returns 0 on success, negative value otherwise. 1181 */ 1182 int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, 1183 const u8 operation, struct path *path) 1184 { 1185 int error = -ENOMEM; 1186 struct tomoyo_path_info *buf; 1187 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1188 const bool is_enforce = (mode == 3); 1189 1190 if (!mode || !path->mnt) 1191 return 0; 1192 buf = tomoyo_get_path(path); 1193 if (!buf) 1194 goto out; 1195 switch (operation) { 1196 case TOMOYO_TYPE_MKDIR_ACL: 1197 case TOMOYO_TYPE_RMDIR_ACL: 1198 if (!buf->is_dir) { 1199 /* 1200 * tomoyo_get_path() reserves space for appending "/." 1201 */ 1202 strcat((char *) buf->name, "/"); 1203 tomoyo_fill_path_info(buf); 1204 } 1205 } 1206 error = tomoyo_check_single_path_permission2(domain, operation, buf, 1207 mode); 1208 out: 1209 tomoyo_free(buf); 1210 if (!is_enforce) 1211 error = 0; 1212 return error; 1213 } 1214 1215 /** 1216 * tomoyo_check_rewrite_permission - Check permission for "rewrite". 1217 * 1218 * @domain: Pointer to "struct tomoyo_domain_info". 1219 * @filp: Pointer to "struct file". 1220 * 1221 * Returns 0 on success, negative value otherwise. 1222 */ 1223 int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, 1224 struct file *filp) 1225 { 1226 int error = -ENOMEM; 1227 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1228 const bool is_enforce = (mode == 3); 1229 struct tomoyo_path_info *buf; 1230 1231 if (!mode || !filp->f_path.mnt) 1232 return 0; 1233 buf = tomoyo_get_path(&filp->f_path); 1234 if (!buf) 1235 goto out; 1236 if (!tomoyo_is_no_rewrite_file(buf)) { 1237 error = 0; 1238 goto out; 1239 } 1240 error = tomoyo_check_single_path_permission2(domain, 1241 TOMOYO_TYPE_REWRITE_ACL, 1242 buf, mode); 1243 out: 1244 tomoyo_free(buf); 1245 if (!is_enforce) 1246 error = 0; 1247 return error; 1248 } 1249 1250 /** 1251 * tomoyo_check_2path_perm - Check permission for "rename" and "link". 1252 * 1253 * @domain: Pointer to "struct tomoyo_domain_info". 1254 * @operation: Type of operation. 1255 * @path1: Pointer to "struct path". 1256 * @path2: Pointer to "struct path". 1257 * 1258 * Returns 0 on success, negative value otherwise. 1259 */ 1260 int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain, 1261 const u8 operation, struct path *path1, 1262 struct path *path2) 1263 { 1264 int error = -ENOMEM; 1265 struct tomoyo_path_info *buf1, *buf2; 1266 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1267 const bool is_enforce = (mode == 3); 1268 const char *msg; 1269 1270 if (!mode || !path1->mnt || !path2->mnt) 1271 return 0; 1272 buf1 = tomoyo_get_path(path1); 1273 buf2 = tomoyo_get_path(path2); 1274 if (!buf1 || !buf2) 1275 goto out; 1276 { 1277 struct dentry *dentry = path1->dentry; 1278 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) { 1279 /* 1280 * tomoyo_get_path() reserves space for appending "/." 1281 */ 1282 if (!buf1->is_dir) { 1283 strcat((char *) buf1->name, "/"); 1284 tomoyo_fill_path_info(buf1); 1285 } 1286 if (!buf2->is_dir) { 1287 strcat((char *) buf2->name, "/"); 1288 tomoyo_fill_path_info(buf2); 1289 } 1290 } 1291 } 1292 error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2); 1293 msg = tomoyo_dp2keyword(operation); 1294 if (!error) 1295 goto out; 1296 if (tomoyo_verbose_mode(domain)) 1297 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' " 1298 "denied for %s\n", tomoyo_get_msg(is_enforce), 1299 msg, buf1->name, buf2->name, 1300 tomoyo_get_last_name(domain)); 1301 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 1302 const char *name1 = tomoyo_get_file_pattern(buf1)->name; 1303 const char *name2 = tomoyo_get_file_pattern(buf2)->name; 1304 tomoyo_update_double_path_acl(operation, name1, name2, domain, 1305 false); 1306 } 1307 out: 1308 tomoyo_free(buf1); 1309 tomoyo_free(buf2); 1310 if (!is_enforce) 1311 error = 0; 1312 return error; 1313 } 1314