1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * security/tomoyo/tomoyo.c 4 * 5 * Copyright (C) 2005-2011 NTT DATA CORPORATION 6 */ 7 8 #include <linux/lsm_hooks.h> 9 #include "common.h" 10 11 /** 12 * tomoyo_cred_alloc_blank - Target for security_cred_alloc_blank(). 13 * 14 * @new: Pointer to "struct cred". 15 * @gfp: Memory allocation flags. 16 * 17 * Returns 0. 18 */ 19 static int tomoyo_cred_alloc_blank(struct cred *new, gfp_t gfp) 20 { 21 new->security = NULL; 22 return 0; 23 } 24 25 /** 26 * tomoyo_cred_prepare - Target for security_prepare_creds(). 27 * 28 * @new: Pointer to "struct cred". 29 * @old: Pointer to "struct cred". 30 * @gfp: Memory allocation flags. 31 * 32 * Returns 0. 33 */ 34 static int tomoyo_cred_prepare(struct cred *new, const struct cred *old, 35 gfp_t gfp) 36 { 37 struct tomoyo_domain_info *domain = old->security; 38 new->security = domain; 39 if (domain) 40 atomic_inc(&domain->users); 41 return 0; 42 } 43 44 /** 45 * tomoyo_cred_transfer - Target for security_transfer_creds(). 46 * 47 * @new: Pointer to "struct cred". 48 * @old: Pointer to "struct cred". 49 */ 50 static void tomoyo_cred_transfer(struct cred *new, const struct cred *old) 51 { 52 tomoyo_cred_prepare(new, old, 0); 53 } 54 55 /** 56 * tomoyo_cred_free - Target for security_cred_free(). 57 * 58 * @cred: Pointer to "struct cred". 59 */ 60 static void tomoyo_cred_free(struct cred *cred) 61 { 62 struct tomoyo_domain_info *domain = cred->security; 63 if (domain) 64 atomic_dec(&domain->users); 65 } 66 67 /** 68 * tomoyo_bprm_set_creds - Target for security_bprm_set_creds(). 69 * 70 * @bprm: Pointer to "struct linux_binprm". 71 * 72 * Returns 0 on success, negative value otherwise. 73 */ 74 static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) 75 { 76 /* 77 * Do only if this function is called for the first time of an execve 78 * operation. 79 */ 80 if (bprm->called_set_creds) 81 return 0; 82 #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER 83 /* 84 * Load policy if /sbin/tomoyo-init exists and /sbin/init is requested 85 * for the first time. 86 */ 87 if (!tomoyo_policy_loaded) 88 tomoyo_load_policy(bprm->filename); 89 #endif 90 /* 91 * Release reference to "struct tomoyo_domain_info" stored inside 92 * "bprm->cred->security". New reference to "struct tomoyo_domain_info" 93 * stored inside "bprm->cred->security" will be acquired later inside 94 * tomoyo_find_next_domain(). 95 */ 96 atomic_dec(&((struct tomoyo_domain_info *) 97 bprm->cred->security)->users); 98 /* 99 * Tell tomoyo_bprm_check_security() is called for the first time of an 100 * execve operation. 101 */ 102 bprm->cred->security = NULL; 103 return 0; 104 } 105 106 /** 107 * tomoyo_bprm_check_security - Target for security_bprm_check(). 108 * 109 * @bprm: Pointer to "struct linux_binprm". 110 * 111 * Returns 0 on success, negative value otherwise. 112 */ 113 static int tomoyo_bprm_check_security(struct linux_binprm *bprm) 114 { 115 struct tomoyo_domain_info *domain = bprm->cred->security; 116 117 /* 118 * Execute permission is checked against pathname passed to do_execve() 119 * using current domain. 120 */ 121 if (!domain) { 122 const int idx = tomoyo_read_lock(); 123 const int err = tomoyo_find_next_domain(bprm); 124 tomoyo_read_unlock(idx); 125 return err; 126 } 127 /* 128 * Read permission is checked against interpreters using next domain. 129 */ 130 return tomoyo_check_open_permission(domain, &bprm->file->f_path, 131 O_RDONLY); 132 } 133 134 /** 135 * tomoyo_inode_getattr - Target for security_inode_getattr(). 136 * 137 * @mnt: Pointer to "struct vfsmount". 138 * @dentry: Pointer to "struct dentry". 139 * 140 * Returns 0 on success, negative value otherwise. 141 */ 142 static int tomoyo_inode_getattr(const struct path *path) 143 { 144 return tomoyo_path_perm(TOMOYO_TYPE_GETATTR, path, NULL); 145 } 146 147 /** 148 * tomoyo_path_truncate - Target for security_path_truncate(). 149 * 150 * @path: Pointer to "struct path". 151 * 152 * Returns 0 on success, negative value otherwise. 153 */ 154 static int tomoyo_path_truncate(const struct path *path) 155 { 156 return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path, NULL); 157 } 158 159 /** 160 * tomoyo_path_unlink - Target for security_path_unlink(). 161 * 162 * @parent: Pointer to "struct path". 163 * @dentry: Pointer to "struct dentry". 164 * 165 * Returns 0 on success, negative value otherwise. 166 */ 167 static int tomoyo_path_unlink(const struct path *parent, struct dentry *dentry) 168 { 169 struct path path = { .mnt = parent->mnt, .dentry = dentry }; 170 return tomoyo_path_perm(TOMOYO_TYPE_UNLINK, &path, NULL); 171 } 172 173 /** 174 * tomoyo_path_mkdir - Target for security_path_mkdir(). 175 * 176 * @parent: Pointer to "struct path". 177 * @dentry: Pointer to "struct dentry". 178 * @mode: DAC permission mode. 179 * 180 * Returns 0 on success, negative value otherwise. 181 */ 182 static int tomoyo_path_mkdir(const struct path *parent, struct dentry *dentry, 183 umode_t mode) 184 { 185 struct path path = { .mnt = parent->mnt, .dentry = dentry }; 186 return tomoyo_path_number_perm(TOMOYO_TYPE_MKDIR, &path, 187 mode & S_IALLUGO); 188 } 189 190 /** 191 * tomoyo_path_rmdir - Target for security_path_rmdir(). 192 * 193 * @parent: Pointer to "struct path". 194 * @dentry: Pointer to "struct dentry". 195 * 196 * Returns 0 on success, negative value otherwise. 197 */ 198 static int tomoyo_path_rmdir(const struct path *parent, struct dentry *dentry) 199 { 200 struct path path = { .mnt = parent->mnt, .dentry = dentry }; 201 return tomoyo_path_perm(TOMOYO_TYPE_RMDIR, &path, NULL); 202 } 203 204 /** 205 * tomoyo_path_symlink - Target for security_path_symlink(). 206 * 207 * @parent: Pointer to "struct path". 208 * @dentry: Pointer to "struct dentry". 209 * @old_name: Symlink's content. 210 * 211 * Returns 0 on success, negative value otherwise. 212 */ 213 static int tomoyo_path_symlink(const struct path *parent, struct dentry *dentry, 214 const char *old_name) 215 { 216 struct path path = { .mnt = parent->mnt, .dentry = dentry }; 217 return tomoyo_path_perm(TOMOYO_TYPE_SYMLINK, &path, old_name); 218 } 219 220 /** 221 * tomoyo_path_mknod - Target for security_path_mknod(). 222 * 223 * @parent: Pointer to "struct path". 224 * @dentry: Pointer to "struct dentry". 225 * @mode: DAC permission mode. 226 * @dev: Device attributes. 227 * 228 * Returns 0 on success, negative value otherwise. 229 */ 230 static int tomoyo_path_mknod(const struct path *parent, struct dentry *dentry, 231 umode_t mode, unsigned int dev) 232 { 233 struct path path = { .mnt = parent->mnt, .dentry = dentry }; 234 int type = TOMOYO_TYPE_CREATE; 235 const unsigned int perm = mode & S_IALLUGO; 236 237 switch (mode & S_IFMT) { 238 case S_IFCHR: 239 type = TOMOYO_TYPE_MKCHAR; 240 break; 241 case S_IFBLK: 242 type = TOMOYO_TYPE_MKBLOCK; 243 break; 244 default: 245 goto no_dev; 246 } 247 return tomoyo_mkdev_perm(type, &path, perm, dev); 248 no_dev: 249 switch (mode & S_IFMT) { 250 case S_IFIFO: 251 type = TOMOYO_TYPE_MKFIFO; 252 break; 253 case S_IFSOCK: 254 type = TOMOYO_TYPE_MKSOCK; 255 break; 256 } 257 return tomoyo_path_number_perm(type, &path, perm); 258 } 259 260 /** 261 * tomoyo_path_link - Target for security_path_link(). 262 * 263 * @old_dentry: Pointer to "struct dentry". 264 * @new_dir: Pointer to "struct path". 265 * @new_dentry: Pointer to "struct dentry". 266 * 267 * Returns 0 on success, negative value otherwise. 268 */ 269 static int tomoyo_path_link(struct dentry *old_dentry, const struct path *new_dir, 270 struct dentry *new_dentry) 271 { 272 struct path path1 = { .mnt = new_dir->mnt, .dentry = old_dentry }; 273 struct path path2 = { .mnt = new_dir->mnt, .dentry = new_dentry }; 274 return tomoyo_path2_perm(TOMOYO_TYPE_LINK, &path1, &path2); 275 } 276 277 /** 278 * tomoyo_path_rename - Target for security_path_rename(). 279 * 280 * @old_parent: Pointer to "struct path". 281 * @old_dentry: Pointer to "struct dentry". 282 * @new_parent: Pointer to "struct path". 283 * @new_dentry: Pointer to "struct dentry". 284 * 285 * Returns 0 on success, negative value otherwise. 286 */ 287 static int tomoyo_path_rename(const struct path *old_parent, 288 struct dentry *old_dentry, 289 const struct path *new_parent, 290 struct dentry *new_dentry) 291 { 292 struct path path1 = { .mnt = old_parent->mnt, .dentry = old_dentry }; 293 struct path path2 = { .mnt = new_parent->mnt, .dentry = new_dentry }; 294 return tomoyo_path2_perm(TOMOYO_TYPE_RENAME, &path1, &path2); 295 } 296 297 /** 298 * tomoyo_file_fcntl - Target for security_file_fcntl(). 299 * 300 * @file: Pointer to "struct file". 301 * @cmd: Command for fcntl(). 302 * @arg: Argument for @cmd. 303 * 304 * Returns 0 on success, negative value otherwise. 305 */ 306 static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, 307 unsigned long arg) 308 { 309 if (!(cmd == F_SETFL && ((arg ^ file->f_flags) & O_APPEND))) 310 return 0; 311 return tomoyo_check_open_permission(tomoyo_domain(), &file->f_path, 312 O_WRONLY | (arg & O_APPEND)); 313 } 314 315 /** 316 * tomoyo_file_open - Target for security_file_open(). 317 * 318 * @f: Pointer to "struct file". 319 * @cred: Pointer to "struct cred". 320 * 321 * Returns 0 on success, negative value otherwise. 322 */ 323 static int tomoyo_file_open(struct file *f, const struct cred *cred) 324 { 325 int flags = f->f_flags; 326 /* Don't check read permission here if called from do_execve(). */ 327 if (current->in_execve) 328 return 0; 329 return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path, flags); 330 } 331 332 /** 333 * tomoyo_file_ioctl - Target for security_file_ioctl(). 334 * 335 * @file: Pointer to "struct file". 336 * @cmd: Command for ioctl(). 337 * @arg: Argument for @cmd. 338 * 339 * Returns 0 on success, negative value otherwise. 340 */ 341 static int tomoyo_file_ioctl(struct file *file, unsigned int cmd, 342 unsigned long arg) 343 { 344 return tomoyo_path_number_perm(TOMOYO_TYPE_IOCTL, &file->f_path, cmd); 345 } 346 347 /** 348 * tomoyo_path_chmod - Target for security_path_chmod(). 349 * 350 * @path: Pointer to "struct path". 351 * @mode: DAC permission mode. 352 * 353 * Returns 0 on success, negative value otherwise. 354 */ 355 static int tomoyo_path_chmod(const struct path *path, umode_t mode) 356 { 357 return tomoyo_path_number_perm(TOMOYO_TYPE_CHMOD, path, 358 mode & S_IALLUGO); 359 } 360 361 /** 362 * tomoyo_path_chown - Target for security_path_chown(). 363 * 364 * @path: Pointer to "struct path". 365 * @uid: Owner ID. 366 * @gid: Group ID. 367 * 368 * Returns 0 on success, negative value otherwise. 369 */ 370 static int tomoyo_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 371 { 372 int error = 0; 373 if (uid_valid(uid)) 374 error = tomoyo_path_number_perm(TOMOYO_TYPE_CHOWN, path, 375 from_kuid(&init_user_ns, uid)); 376 if (!error && gid_valid(gid)) 377 error = tomoyo_path_number_perm(TOMOYO_TYPE_CHGRP, path, 378 from_kgid(&init_user_ns, gid)); 379 return error; 380 } 381 382 /** 383 * tomoyo_path_chroot - Target for security_path_chroot(). 384 * 385 * @path: Pointer to "struct path". 386 * 387 * Returns 0 on success, negative value otherwise. 388 */ 389 static int tomoyo_path_chroot(const struct path *path) 390 { 391 return tomoyo_path_perm(TOMOYO_TYPE_CHROOT, path, NULL); 392 } 393 394 /** 395 * tomoyo_sb_mount - Target for security_sb_mount(). 396 * 397 * @dev_name: Name of device file. Maybe NULL. 398 * @path: Pointer to "struct path". 399 * @type: Name of filesystem type. Maybe NULL. 400 * @flags: Mount options. 401 * @data: Optional data. Maybe NULL. 402 * 403 * Returns 0 on success, negative value otherwise. 404 */ 405 static int tomoyo_sb_mount(const char *dev_name, const struct path *path, 406 const char *type, unsigned long flags, void *data) 407 { 408 return tomoyo_mount_permission(dev_name, path, type, flags, data); 409 } 410 411 /** 412 * tomoyo_sb_umount - Target for security_sb_umount(). 413 * 414 * @mnt: Pointer to "struct vfsmount". 415 * @flags: Unmount options. 416 * 417 * Returns 0 on success, negative value otherwise. 418 */ 419 static int tomoyo_sb_umount(struct vfsmount *mnt, int flags) 420 { 421 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; 422 return tomoyo_path_perm(TOMOYO_TYPE_UMOUNT, &path, NULL); 423 } 424 425 /** 426 * tomoyo_sb_pivotroot - Target for security_sb_pivotroot(). 427 * 428 * @old_path: Pointer to "struct path". 429 * @new_path: Pointer to "struct path". 430 * 431 * Returns 0 on success, negative value otherwise. 432 */ 433 static int tomoyo_sb_pivotroot(const struct path *old_path, const struct path *new_path) 434 { 435 return tomoyo_path2_perm(TOMOYO_TYPE_PIVOT_ROOT, new_path, old_path); 436 } 437 438 /** 439 * tomoyo_socket_listen - Check permission for listen(). 440 * 441 * @sock: Pointer to "struct socket". 442 * @backlog: Backlog parameter. 443 * 444 * Returns 0 on success, negative value otherwise. 445 */ 446 static int tomoyo_socket_listen(struct socket *sock, int backlog) 447 { 448 return tomoyo_socket_listen_permission(sock); 449 } 450 451 /** 452 * tomoyo_socket_connect - Check permission for connect(). 453 * 454 * @sock: Pointer to "struct socket". 455 * @addr: Pointer to "struct sockaddr". 456 * @addr_len: Size of @addr. 457 * 458 * Returns 0 on success, negative value otherwise. 459 */ 460 static int tomoyo_socket_connect(struct socket *sock, struct sockaddr *addr, 461 int addr_len) 462 { 463 return tomoyo_socket_connect_permission(sock, addr, addr_len); 464 } 465 466 /** 467 * tomoyo_socket_bind - Check permission for bind(). 468 * 469 * @sock: Pointer to "struct socket". 470 * @addr: Pointer to "struct sockaddr". 471 * @addr_len: Size of @addr. 472 * 473 * Returns 0 on success, negative value otherwise. 474 */ 475 static int tomoyo_socket_bind(struct socket *sock, struct sockaddr *addr, 476 int addr_len) 477 { 478 return tomoyo_socket_bind_permission(sock, addr, addr_len); 479 } 480 481 /** 482 * tomoyo_socket_sendmsg - Check permission for sendmsg(). 483 * 484 * @sock: Pointer to "struct socket". 485 * @msg: Pointer to "struct msghdr". 486 * @size: Size of message. 487 * 488 * Returns 0 on success, negative value otherwise. 489 */ 490 static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg, 491 int size) 492 { 493 return tomoyo_socket_sendmsg_permission(sock, msg, size); 494 } 495 496 /* 497 * tomoyo_security_ops is a "struct security_operations" which is used for 498 * registering TOMOYO. 499 */ 500 static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = { 501 LSM_HOOK_INIT(cred_alloc_blank, tomoyo_cred_alloc_blank), 502 LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare), 503 LSM_HOOK_INIT(cred_transfer, tomoyo_cred_transfer), 504 LSM_HOOK_INIT(cred_free, tomoyo_cred_free), 505 LSM_HOOK_INIT(bprm_set_creds, tomoyo_bprm_set_creds), 506 LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security), 507 LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl), 508 LSM_HOOK_INIT(file_open, tomoyo_file_open), 509 LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate), 510 LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink), 511 LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir), 512 LSM_HOOK_INIT(path_rmdir, tomoyo_path_rmdir), 513 LSM_HOOK_INIT(path_symlink, tomoyo_path_symlink), 514 LSM_HOOK_INIT(path_mknod, tomoyo_path_mknod), 515 LSM_HOOK_INIT(path_link, tomoyo_path_link), 516 LSM_HOOK_INIT(path_rename, tomoyo_path_rename), 517 LSM_HOOK_INIT(inode_getattr, tomoyo_inode_getattr), 518 LSM_HOOK_INIT(file_ioctl, tomoyo_file_ioctl), 519 LSM_HOOK_INIT(path_chmod, tomoyo_path_chmod), 520 LSM_HOOK_INIT(path_chown, tomoyo_path_chown), 521 LSM_HOOK_INIT(path_chroot, tomoyo_path_chroot), 522 LSM_HOOK_INIT(sb_mount, tomoyo_sb_mount), 523 LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount), 524 LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot), 525 LSM_HOOK_INIT(socket_bind, tomoyo_socket_bind), 526 LSM_HOOK_INIT(socket_connect, tomoyo_socket_connect), 527 LSM_HOOK_INIT(socket_listen, tomoyo_socket_listen), 528 LSM_HOOK_INIT(socket_sendmsg, tomoyo_socket_sendmsg), 529 }; 530 531 /* Lock for GC. */ 532 DEFINE_SRCU(tomoyo_ss); 533 534 /** 535 * tomoyo_init - Register TOMOYO Linux as a LSM module. 536 * 537 * Returns 0. 538 */ 539 static int __init tomoyo_init(void) 540 { 541 struct cred *cred = (struct cred *) current_cred(); 542 543 if (!security_module_enable("tomoyo")) 544 return 0; 545 /* register ourselves with the security framework */ 546 security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); 547 printk(KERN_INFO "TOMOYO Linux initialized\n"); 548 cred->security = &tomoyo_kernel_domain; 549 tomoyo_mm_init(); 550 return 0; 551 } 552 553 security_initcall(tomoyo_init); 554