History log of /security/tomoyo/
Revision Date Author Comments
8fe7a268b18ebc89203c766b020b9e32f1cfeebf 20-Aug-2014 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> tomoyo: Fix pathname calculation breakage.

Commit 7177a9c4b509 ("fs: call rename2 if exists") changed
"struct inode_operations"->rename == NULL if
"struct inode_operations"->rename2 != NULL .

TOMOYO needs to check for both ->rename and ->rename2 , or
a system on (e.g.) ext4 filesystem won't boot.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
realpath.c
77f4fa089c724adc3a87c10eb031bca91b144ac0 12-Jun-2014 Thomas Gleixner <tglx@linutronix.de> tomoyo: Use sensible time interface

There is no point in calling gettimeofday if only the seconds part of
the timespec is used. Use get_seconds() instead. It's not only the
proper interface it's also faster.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: linux-security-module@vger.kernel.org
Link: http://lkml.kernel.org/r/20140611234607.775273584@linutronix.de
audit.c
common.c
627bf81ac625f05060db033a0f3791521ad7bd79 01-Feb-2014 Al Viro <viro@zeniv.linux.org.uk> get rid of pointless checks for NULL ->i_op

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
realpath.c
20b4fb485227404329e41ad15588afad3df23050 02-May-2013 Linus Torvalds <torvalds@linux-foundation.org> Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

Pull VFS updates from Al Viro,

Misc cleanups all over the place, mainly wrt /proc interfaces (switch
create_proc_entry to proc_create(), get rid of the deprecated
create_proc_read_entry() in favor of using proc_create_data() and
seq_file etc).

7kloc removed.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (204 commits)
don't bother with deferred freeing of fdtables
proc: Move non-public stuff from linux/proc_fs.h to fs/proc/internal.h
proc: Make the PROC_I() and PDE() macros internal to procfs
proc: Supply a function to remove a proc entry by PDE
take cgroup_open() and cpuset_open() to fs/proc/base.c
ppc: Clean up scanlog
ppc: Clean up rtas_flash driver somewhat
hostap: proc: Use remove_proc_subtree()
drm: proc: Use remove_proc_subtree()
drm: proc: Use minor->index to label things, not PDE->name
drm: Constify drm_proc_list[]
zoran: Don't print proc_dir_entry data in debug
reiserfs: Don't access the proc_dir_entry in r_open(), r_start() r_show()
proc: Supply an accessor for getting the data from a PDE's parent
airo: Use remove_proc_subtree()
rtl8192u: Don't need to save device proc dir PDE
rtl8187se: Use a dir under /proc/net/r8180/
proc: Add proc_mkdir_data()
proc: Move some bits from linux/proc_fs.h to linux/{of.h,signal.h,tty.h}
proc: Move PDE_NET() to fs/proc/proc_net.c
...
e53cfda5d2c90a6dd763eb72034c775add729e40 14-Apr-2013 Al Viro <viro@zeniv.linux.org.uk> tomoyo_close_control: don't bother with return value

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
common.c
common.h
securityfs_if.c
505f14f7b8d446b8e4bc2a6cfc723afbbb365f65 15-Mar-2013 Lai Jiangshan <laijs@cn.fujitsu.com> tomoyo: use DEFINE_SRCU() to define tomoyo_ss

DEFINE_STATIC_SRCU() defines the srcu struct and does its init at build time.

Signed-off-by: Lai Jiangshan <laijs@cn.fujitsu.com>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.l.morris@oracle.com>
tomoyo.c
496ad9aa8ef448058e36ca7a787c61f2e63f0f54 23-Jan-2013 Al Viro <viro@zeniv.linux.org.uk> new helper: file_inode(file)

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
securityfs_if.c
808d4e3cfdcc52b19276175464f6dbca4df13b09 11-Oct-2012 Al Viro <viro@zeniv.linux.org.uk> constify do_mount() arguments

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
common.h
mount.c
tomoyo.c
2dd8ad81e31d0d36a5d448329c646ab43eb17788 09-Oct-2012 Konstantin Khlebnikov <khlebnikov@openvz.org> mm: use mm->exe_file instead of first VM_EXECUTABLE vma->vm_file

Some security modules and oprofile still use VM_EXECUTABLE for retrieving
a task's executable file. After this patch they will use mm->exe_file
directly. mm->exe_file is protected with mm->mmap_sem, so locking stays
the same.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Acked-by: Chris Metcalf <cmetcalf@tilera.com> [arch/tile]
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> [tomoyo]
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Carsten Otte <cotte@de.ibm.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Eric Paris <eparis@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Cc: Jason Baron <jbaron@redhat.com>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Matt Helsley <matthltc@us.ibm.com>
Cc: Nick Piggin <npiggin@kernel.dk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Robert Richter <robert.richter@amd.com>
Cc: Suresh Siddha <suresh.b.siddha@intel.com>
Cc: Venkatesh Pallipadi <venki@google.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
util.c
d2b31ca644fdc8704de3367a6a56a5c958c77f53 02-Jun-2012 Eric W. Biederman <ebiederm@xmission.com> userns: Teach security_path_chown to take kuids and kgids

Don't make the security modules deal with raw user space uids and
gids; instead pass in a kuid_t and a kgid_t so that security modules
only have to deal with internal kernel uids and gids.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: James Morris <james.l.morris@oracle.com>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
tomoyo.c
609fcd1b3a55f99667c61609895c83019b21baad 08-Feb-2012 Eric W. Biederman <ebiederm@xmission.com> userns: Convert tomoyo to use kuid and kgid where appropriate

Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
audit.c
common.c
common.h
condition.c
ff2bb047c4bce9742e94911eeb44b4d6ff4734ab 22-May-2012 James Morris <james.l.morris@oracle.com> Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next

Per pull request, for 3.5.
77b513dda90fd99bd1225410b25e745b74779c1c 13-May-2012 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Accept manager programs which do not start with / .

The pathname of /usr/sbin/tomoyo-editpolicy seen from Ubuntu 12.04 Live CD is
squashfs:/usr/sbin/tomoyo-editpolicy rather than /usr/sbin/tomoyo-editpolicy .
Therefore, we need to accept manager programs which do not start with / .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.l.morris@oracle.com>
common.c
common.h
83d498569e9a7a4b92c4c5d3566f2d6a604f28c9 04-Apr-2012 Eric Paris <eparis@redhat.com> SELinux: rename dentry_open to file_open

dentry_open takes a file, rename it to file_open

Signed-off-by: Eric Paris <eparis@redhat.com>
tomoyo.c
70834d3070c3f3015ab5c05176d54bd4a0100546 23-Mar-2012 Oleg Nesterov <oleg@redhat.com> usermodehelper: use UMH_WAIT_PROC consistently

A few call_usermodehelper() callers use the hardcoded constant instead of
the proper UMH_WAIT_PROC, fix them.

Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Lars Ellenberg <drbd-dev@lists.linbit.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Michal Januszewski <spock@gentoo.org>
Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
load_policy.c
3556485f1595e3964ba539e39ea682acbb835cee 21-Mar-2012 Linus Torvalds <torvalds@linux-foundation.org> Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates for 3.4 from James Morris:
"The main addition here is the new Yama security module from Kees Cook,
which was discussed at the Linux Security Summit last year. Its
purpose is to collect miscellaneous DAC security enhancements in one
place. This also marks a departure in policy for LSM modules, which
were previously limited to being standalone access control systems.
Chromium OS is using Yama, and I believe there are plans for Ubuntu,
at least.

This patchset also includes maintenance updates for AppArmor, TOMOYO
and others."

Fix trivial conflict in <net/sock.h> due to the jump_label->static_key
rename.

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits)
AppArmor: Fix location of const qualifier on generated string tables
TOMOYO: Return error if fails to delete a domain
AppArmor: add const qualifiers to string arrays
AppArmor: Add ability to load extended policy
TOMOYO: Return appropriate value to poll().
AppArmor: Move path failure information into aa_get_name and rename
AppArmor: Update dfa matching routines.
AppArmor: Minor cleanup of d_namespace_path to consolidate error handling
AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
AppArmor: Add const qualifiers to generated string tables
AppArmor: Fix oops in policy unpack auditing
AppArmor: Fix error returned when a path lookup is disconnected
KEYS: testing wrong bit for KEY_FLAG_REVOKED
TOMOYO: Fix mount flags checking order.
security: fix ima kconfig warning
AppArmor: Fix the error case for chroot relative path name lookup
AppArmor: fix mapping of META_READ to audit and quiet flags
AppArmor: Fix underflow in xindex calculation
AppArmor: Fix dropping of allowed operations that are force audited
AppArmor: Add missing end of structure test to caps unpacking
...
c58e0377d61e209600def7d4d9ae535ea94bc210 25-Nov-2011 Cong Wang <amwang@redhat.com> tomoyo: remove the second argument of k[un]map_atomic()

Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Cong Wang <amwang@redhat.com>
domain.c
7d7473dbdb9121dd1b5939566660d51130ecda3a 17-Mar-2012 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Return error if fails to delete a domain

Call sequence:
tomoyo_write_domain() --> tomoyo_delete_domain()

In 'tomoyo_delete_domain', return -EINTR if the locking attempt is
interrupted by a signal.

At present it returns success to its caller 'tomoyo_write_domain()'
even though the domain is not deleted. 'tomoyo_write_domain()' assumes the
domain is deleted and returns success to its caller. This is wrong behaviour.

'tomoyo_write_domain' should return the error from tomoyo_delete_domain() to its
caller.

Signed-off-by: Santosh Nayak <santoshprasadnayak@gmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.l.morris@oracle.com>
common.c
6041e8346f2165679c2184cab60db768d6a26a1d 14-Mar-2012 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Return appropriate value to poll().

"struct file_operations"->poll() expects "unsigned int" return value.
All files in /sys/kernel/security/tomoyo/ directory other than
/sys/kernel/security/tomoyo/query and /sys/kernel/security/tomoyo/audit should
return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM rather than -ENOSYS.
Also, /sys/kernel/security/tomoyo/query and /sys/kernel/security/tomoyo/audit
should return POLLOUT | POLLWRNORM rather than 0 when there is no data to read.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.l.morris@oracle.com>
audit.c
common.c
common.h
securityfs_if.c
df91e49477a9be15921cb2854e1d12a3bdb5e425 29-Feb-2012 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix mount flags checking order.

Userspace can pass in arbitrary combinations of MS_* flags to mount().

If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE are
passed, device name which should be checked for MS_BIND was not checked because
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher priority than MS_BIND.

If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name which
should not be checked for MS_REMOUNT was checked because MS_BIND/MS_MOVE had
higher priority than MS_REMOUNT.

Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND ->
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount() does.

Also, unconditionally return -EINVAL if more than one of
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO will not
generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity check mount
flags passed to change_mnt_propagation()" clarified that these flags must be
exclusively passed.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.l.morris@oracle.com>
mount.c
25add8cf99c9ec8b8dc0acd8b9241e963fc0d29c 15-Jan-2012 Tetsuo Handa <from-tomoyo-users-en@I-love.SAKURA.ne.jp> TOMOYO: Accept \000 as a valid character.

TOMOYO 2.5 in Linux 3.2 and later handles Unix domain socket's address.
Thus, tomoyo_correct_word2() needs to accept \000 as a valid character, or
TOMOYO 2.5 cannot handle Unix domain's abstract socket address.

Reported-by: Steven Allen <steven@stebalien.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
CC: stable@vger.kernel.org [3.2+]
Signed-off-by: James Morris <jmorris@namei.org>
util.c
e7691a1ce341c80ed9504244a36b31c025217391 11-Jan-2012 Linus Torvalds <torvalds@linux-foundation.org> Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security

* 'for-linus' of git://selinuxproject.org/~jmorris/linux-security: (32 commits)
ima: fix invalid memory reference
ima: free duplicate measurement memory
security: update security_file_mmap() docs
selinux: Casting (void *) value returned by kmalloc is useless
apparmor: fix module parameter handling
Security: tomoyo: add .gitignore file
tomoyo: add missing rcu_dereference()
apparmor: add missing rcu_dereference()
evm: prevent racing during tfm allocation
evm: key must be set once during initialization
mpi/mpi-mpow: NULL dereference on allocation failure
digsig: build dependency fix
KEYS: Give key types their own lockdep class for key->sem
TPM: fix transmit_cmd error logic
TPM: NSC and TIS drivers X86 dependency fix
TPM: Export wait_for_stat for other vendor specific drivers
TPM: Use vendor specific function for status probe
tpm_tis: add delay after aborting command
tpm_tis: Check return code from getting timeouts/durations
tpm: Introduce function to poll for result of self test
...

Fix up trivial conflict in lib/Makefile due to addition of CONFIG_MPI
and SIGSIG next to CONFIG_DQL addition.
8fcc99549522fc7a0bbaeb5755855ab0d9a59ce8 08-Jan-2012 James Morris <jmorris@namei.org> Merge branch 'next' into for-linus

Conflicts:
security/integrity/evm/evm_crypto.c

Resolved upstream fix vs. next conflict manually.

Signed-off-by: James Morris <jmorris@namei.org>
cdcf116d44e78c7216ba9f8be9af1cdfca7af728 08-Dec-2011 Al Viro <viro@zeniv.linux.org.uk> switch security_path_chmod() to struct path *

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
tomoyo.c
ece2ccb668046610189d88d6aaf05aeb09c988a1 07-Jan-2012 Al Viro <viro@zeniv.linux.org.uk> Merge branches 'vfsmount-guts', 'umode_t' and 'partitions' into Z
d10577a8d86a0c735488d66d32289a6d66bcfa20 07-Dec-2011 Al Viro <viro@zeniv.linux.org.uk> vfs: trim includes a bit

[folded fix for missing magic.h from Tetsuo Handa]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
realpath.c
04fc66e789a896e684bfdca30208e57eb832dd96 21-Nov-2011 Al Viro <viro@zeniv.linux.org.uk> switch ->path_mknod() to umode_t

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
tomoyo.c
4572befe248fd0d94aedc98775e3f0ddc8a26651 21-Nov-2011 Al Viro <viro@zeniv.linux.org.uk> switch ->path_mkdir() to umode_t

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
tomoyo.c
d179333f37d33533f4c77118f757b9e7835ccb7c 27-Aug-2011 Al Viro <viro@zeniv.linux.org.uk> tomoyo_mini_stat: switch to umode_t

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
audit.c
common.h
52ef0c042bf06f6aef382fade175075627beebc1 26-Jul-2011 Al Viro <viro@zeniv.linux.org.uk> switch securityfs_create_file() to umode_t

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
securityfs_if.c
910f4ecef3f67714ebff69d0bc34313e48afaed2 26-Jul-2011 Al Viro <viro@zeniv.linux.org.uk> switch security_path_chmod() to umode_t

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
tomoyo.c
c5dc332eb93881fc8234d652f6e91a2825b06503 25-Nov-2011 Al Viro <viro@zeniv.linux.org.uk> tomoyo: stop including hell knows what

tomoyo/realpath.c needs exactly one include - that of common.h. It pulls
everything the thing needs, without doing ridiculous garbage such as trying
to include ../../fs/internal.h. If that alone doesn't scream "layering
violation", I don't know what does; and these days it's all for nothing,
since it fortunately does not use any symbols defined in there...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
realpath.c
735e93c70434614bffac4a914ca1da72e37d43c0 09-Dec-2011 Greg Kroah-Hartman <gregkh@suse.de> Security: tomoyo: add .gitignore file

This adds the .gitignore file for the autogenerated TOMOYO files to keep
git from complaining after building things.

Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
.gitignore
bb80d880ad2b11cd4ea5f28f815016b1548224a4 09-Dec-2011 Kees Cook <keescook@chromium.org> tomoyo: add missing rcu_dereference()

Adds a missed rcu_dereference() around real_parent.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
1418a3e5ad4d01b1d4abf2c479c50b0cedd59e3f 08-Dec-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix pathname handling of disconnected paths.

Current tomoyo_realpath_from_path() implementation returns strange pathname
when calculating pathname of a file which belongs to lazy unmounted tree.
Use local pathname rather than strange absolute pathname in that case.

Also, this patch fixes a regression by commit 02125a82 "fix apparmor
dereferencing potentially freed dentry, sanitize __d_path() API".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
realpath.c
02125a826459a6ad142f8d91c5b6357562f96615 05-Dec-2011 Al Viro <viro@zeniv.linux.org.uk> fix apparmor dereferencing potentially freed dentry, sanitize __d_path() API

__d_path() API is asking for trouble and in case of apparmor d_namespace_path()
getting just that. The root cause is that when __d_path() misses the root
it had been told to look for, it stores the location of the most remote ancestor
in *root. Without grabbing references. Sure, at the moment of call it had
been pinned down by what we have in *path. And if we raced with umount -l, we
could have very well stopped at vfsmount/dentry that got freed as soon as
prepend_path() dropped vfsmount_lock.

It is safe to compare these pointers with pre-existing (and known to be still
alive) vfsmount and dentry, as long as all we are asking is "is it the same
address?". Dereferencing is not safe and apparmor ended up stepping into
that. d_namespace_path() really wants to examine the place where we stopped,
even if it's not connected to our namespace. As the result, it looked
at ->d_sb->s_magic of a dentry that might've been already freed by that point.
All other callers had been careful enough to avoid that, but it's really
a bad interface - it invites that kind of trouble.

The fix is fairly straightforward, even though it's bigger than I'd like:
* prepend_path() root argument becomes const.
* __d_path() is never called with NULL/NULL root. It was a kludge
to start with. Instead, we have an explicit function - d_absolute_root().
Same as __d_path(), except that it doesn't get root passed and stops where
it stops. apparmor and tomoyo are using it.
* __d_path() returns NULL on path outside of root. The main
caller is show_mountinfo() and that's precisely what we pass root for - to
skip those outside chroot jail. Those who don't want that can (and do)
use d_path().
* __d_path() root argument becomes const. Everyone agrees, I hope.
* apparmor does *NOT* try to use __d_path() or any of its variants
when it sees that path->mnt is an internal vfsmount. In that case it's
definitely not mounted anywhere and dentry_path() is exactly what we want
there. Handling of sysctl()-triggered weirdness is moved to that place.
* if apparmor is asked to do pathname relative to chroot jail
and __d_path() tells it we it's not in that jail, the sucker just calls
d_absolute_path() instead. That's the other remaining caller of __d_path(),
BTW.
* seq_path_root() does _NOT_ return -ENAMETOOLONG (it's stupid anyway -
the normal seq_file logics will take care of growing the buffer and redoing
the call of ->show() just fine). However, if it gets path not reachable
from root, it returns SEQ_SKIP. The only caller adjusted (i.e. stopped
ignoring the return value as it used to do).

Reviewed-by: John Johansen <john.johansen@canonical.com>
ACKed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
realpath.c
2380078cdb7e6d520e33dcf834e0be979d542e48 03-Nov-2011 Linus Torvalds <torvalds@linux-foundation.org> Merge branch 'for-linus' of git://git.selinuxproject.org/~jmorris/linux-security

* 'for-linus' of git://git.selinuxproject.org/~jmorris/linux-security:
TOMOYO: Fix interactive judgment functionality.
59df3166ef293288d164ab3362a717743e62d20c 19-Oct-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix interactive judgment functionality.

Commit 17fcfbd9 "TOMOYO: Add interactive enforcing mode." introduced ability
to query access decision using userspace programs. It was using global PID for
reaching policy configuration of the process. However, use of PID returns stale
policy configuration when the process's subjective credentials and objective
credentials differ. Fix this problem by allowing reaching policy configuration
via query id.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
36b8d186e6cc8e32cb5227f5645a58e1bc0af190 25-Oct-2011 Linus Torvalds <torvalds@linux-foundation.org> Merge branch 'next' of git://selinuxproject.org/~jmorris/linux-security

* 'next' of git://selinuxproject.org/~jmorris/linux-security: (95 commits)
TOMOYO: Fix incomplete read after seek.
Smack: allow to access /smack/access as normal user
TOMOYO: Fix unused kernel config option.
Smack: fix: invalid length set for the result of /smack/access
Smack: compilation fix
Smack: fix for /smack/access output, use string instead of byte
Smack: domain transition protections (v3)
Smack: Provide information for UDS getsockopt(SO_PEERCRED)
Smack: Clean up comments
Smack: Repair processing of fcntl
Smack: Rule list lookup performance
Smack: check permissions from user space (v2)
TOMOYO: Fix quota and garbage collector.
TOMOYO: Remove redundant tasklist_lock.
TOMOYO: Fix domain transition failure warning.
TOMOYO: Remove tomoyo_policy_memory_lock spinlock.
TOMOYO: Simplify garbage collector.
TOMOYO: Fix make namespacecheck warnings.
target: check hex2bin result
encrypted-keys: check hex2bin result
...
e0b057b406a33501a656dc8d67ea945d7bcdad61 20-Oct-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix incomplete read after seek.

Commit f23571e8 "TOMOYO: Copy directly to userspace buffer." introduced
tomoyo_flush() that flushes data to be read as soon as possible.
tomoyo_select_domain() (which is called by write()) enqueues data which is meant
to be read by the next read(), but the previous read()'s read buffer size was not
cleared. As a result, since 2.6.36, a sequence like

char *cp = "select global-pid=1\n";
read(fd, buf1, sizeof(buf1));
write(fd, cp, strlen(cp));
read(fd, buf2, sizeof(buf2));

causes enqueued data to be flushed to buf1 rather than buf2.
Fix this bug by clearing read buffer's size upon write() request.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
6afcb3b7393f5aa388a0d077c490ed411ab3cd27 16-Oct-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix unused kernel config option.

CONFIG_SECURITY_TOMOYO_MAX_{ACCEPT_ENTRY,AUDIT_LOG} introduced by commit
0e4ae0e0 "TOMOYO: Make several options configurable." were by error not used.

Reported-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
545a7260343bbaf11c7f1a4b8c3d9660bb9266e5 11-Oct-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix quota and garbage collector.

Commit 059d84db "TOMOYO: Add socket operation restriction support" and
commit 731d37aa "TOMOYO: Allow domain transition without execve()." forgot to
update tomoyo_domain_quota_is_ok() and tomoyo_del_acl() which results in
incorrect quota counting and memory leak.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
gc.c
util.c
e2b8b25a6795488eba7bb757706b3ac725c31fac 11-Oct-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove redundant tasklist_lock.

rcu_read_lock() is sufficient for calling find_task_by_pid_ns()/find_task_by_vpid().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
e00fb3f7af111d1b3252f7d622213d2e22be65f5 27-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix domain transition failure warning.

Commit bd03a3e4 "TOMOYO: Add policy namespace support." introduced policy
namespace. But as /sbin/modprobe is executed from initramfs/initrd, profiles
for the target domain's namespace are not defined because /sbin/tomoyo-init is not
yet called.

Reported-by: Jamie Nguyen <jamie@tomoyolinux.co.uk>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
domain.c
a427fd14d3edf6396c4b9638dbc8e2972afaa05b 25-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove tomoyo_policy_memory_lock spinlock.

tomoyo_policy_lock mutex already protects it.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
gc.c
memory.c
f9732ea145886786a6f8b0493bc2239e70cbacdb 25-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Simplify garbage collector.

When TOMOYO started using garbage collector at commit 847b173e "TOMOYO: Add
garbage collector.", we waited for close() before kfree(). Thus, elements to be
kfree()d were queued up using tomoyo_gc_list list.

But it turned out that tomoyo_element_linked_by_gc() tends to choke garbage
collector when certain pattern of entries are queued.

Since garbage collector is no longer waiting for close() since commit 2e503bbb
"TOMOYO: Fix lockdep warning.", we can remove tomoyo_gc_list list and
tomoyo_element_linked_by_gc() by doing sequential processing.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
condition.c
domain.c
gc.c
memory.c
778c4a4d60d932c1df6d270dcbc88365823c3963 25-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix make namespacecheck warnings.

Commit efe836ab "TOMOYO: Add built-in policy support." introduced
tomoyo_load_builtin_policy() but was by error called from nowhere.

Commit b22b8b9f "TOMOYO: Rename meminfo to stat and show more statistics."
introduced tomoyo_update_stat() but was by error not called from
tomoyo_assign_domain().

Also, mark tomoyo_io_printf() and tomoyo_path_permission() static functions,
as reported by "make namespacecheck".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
securityfs_if.c
6bce98edc3365a8f780ff3944ac7992544c194fe 16-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Allow specifying domain transition preference.

I got an opinion that it is difficult to use exception policy's domain
transition control directives because they need to match the pathname specified
to "file execute" directives. For example, if "file execute /bin/\*\-ls\-cat"
is given, corresponding domain transition control directive needs to be like
"no_keep_domain /bin/\*\-ls\-cat from any".

If we can specify like below, it will become more convenient.

file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
file execute /bin/\*\-ls\-cat child
file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"

In above examples, "keep" works as if keep_domain is specified, "child" works
as if "no_reset_domain" and "no_initialize_domain" and "no_keep_domain" are
specified, "<apache>" causes domain transition to <apache> domain upon
successful execve() operation.

Moreover, we can also allow transition to different domains based on conditions
like below example.

<kernel> /usr/sbin/sshd
file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
condition.c
domain.c
file.c
843d183cdd816549b73e6bd3ae07f64adddf714b 14-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Bump version.

Tell userland tools that this is TOMOYO 2.5.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Makefile
common.c
common.h
a8f7640963ada66c412314c3559c11ff6946c1a5 10-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Avoid race when retrying "file execute" permission check.

There was a race window that the pathname which is subjected to "file execute"
permission check when retrying via supervisor's decision because the pathname
was recalculated upon retry. Though, there is an inevitable race window even
without supervisor, for we have to calculate the symbolic link's pathname from
"struct linux_binprm"->filename rather than from "struct linux_binprm"->file
because we cannot back calculate the symbolic link's pathname from the
dereferenced pathname.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
domain.c
731d37aa70c7b9de3be6bf2c8287366223bf5ce5 10-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Allow domain transition without execve().

To be able to split permissions for Apache's CGI programs which are executed
without execve(), add special domain transition which is performed by writing
a TOMOYO's domainname to /sys/kernel/security/tomoyo/self_domain interface.

This is an API for TOMOYO-aware userland applications. However, since I expect
TOMOYO and other LSM modules to run in parallel, this patch does not use
/proc/self/attr/ interface in order to avoid conflicts with other LSM modules
when it became possible to run multiple LSM modules in parallel.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
ecurityfs_if.c
til.c
1f067a682a9bd252107ac6f6946b7332fde42344 10-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Allow controlling generation of access granted logs on a per-entry basis.

Add per-entry flag which controls generation of grant logs because Xen and KVM
issue ioctl requests so frequently. For example,

file ioctl /dev/null 0x5401 grant_log=no

will suppress /sys/kernel/security/tomoyo/audit even if preference says
grant_log=yes .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
udit.c
ommon.c
ommon.h
ondition.c
omain.c
059d84dbb3897d4ee494a9c842c5dda54316cb47 10-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add socket operation restriction support.

This patch adds support for permission checks for PF_INET/PF_INET6/PF_UNIX
socket's bind()/listen()/connect()/send() operations.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
config
akefile
ommon.c
ommon.h
c.c
roup.c
etwork.c
ealpath.c
omoyo.c
til.c
d58e0da854376841ac99defeb117a83f086715c6 10-Sep-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add environment variable name restriction support.

This patch adds support for checking environment variable's names.
Although TOMOYO already provides ability to check argv[]/envp[] passed to
execve() requests,

file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"

will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
administrators have to specify like

file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL

. Since there are many environment variables whereas conditional checks are
applied as "&&", it is difficult to cover all combinations. Therefore, this
patch supports conditional checks that are applied as "||", by specifying like

file execute /bin/sh
misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"

which means "grant execution of /bin/sh if environment variable is not defined
or is defined and its value is /system/lib".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
akefile
ommon.c
ommon.h
omain.c
nviron.c
c.c
til.c
852584157c55c1689bcf3809ea44b79870c3e409 25-Aug-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix incorrect enforce mode.

In tomoyo_get_mode() since 2.6.36, CONFIG::file::execute was by error used in
place of CONFIG::file if CONFIG::file::execute was set to other than default.
As a result, enforcing mode was not applied in a way documentation says.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
til.c
09f464bf0961aba3cd917d4939597bafb269fb95 16-Aug-2011 Oleg Nesterov <oleg@redhat.com> tomoyo: remove tomoyo_gc_thread()->daemonize()

daemonize() is only needed when a user-space task does kernel_thread().

tomoyo_gc_thread() is kthread_create()'ed and thus it doesn't need
the soon-to-be-deprecated daemonize().

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: James Morris <jmorris@namei.org>
c.c
4d81897139ffb738ee14b6f84f63f93ecda1136b 06-Aug-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix incomplete read of /sys/kernel/security/tomoyo/profile

Commit bd03a3e4 "TOMOYO: Add policy namespace support." forgot to set EOF flag
and forgot to print namespace at PREFERENCE line.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
0f2a55d5bb2372058275b0b343d90dd5d640d045 14-Jul-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Update kernel-doc.

Update comments for scripts/kernel-doc and fix some of errors reported by
scripts/checkpatch.pl .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
udit.c
ommon.c
omain.c
ile.c
c.c
roup.c
oad_policy.c
emory.c
ount.c
ealpath.c
ecurityfs_if.c
omoyo.c
til.c
97fb35e413f256ded07b88c73b3d932ec31ea84e 08-Jul-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Enable conditional ACL.

Enable conditional ACL by passing object's pointers.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.h
omain.c
ile.c
ount.c
omoyo.c
5b636857fee642694e287e3a181b523b16098c93 08-Jul-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Allow using argv[]/envp[] of execve() as conditions.

This patch adds support for permission checks using argv[]/envp[] of execve()
request. Hooks are in the last patch of this patchset.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
udit.c
ommon.c
ommon.h
ondition.c
omain.c
c.c
2ca9bf453bdd478bcb6c01aa2d0bd4c2f4350563 08-Jul-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Allow using executable's realpath and symlink's target as conditions.

This patch adds support for permission checks using executable file's realpath
upon execve() and symlink's target upon symlink(). Hooks are in the last patch
of this patchset.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
udit.c
ommon.c
ommon.h
ondition.c
c.c
8761afd49ebff8ae04c1a7888af090177441d07d 08-Jul-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Allow using owner/group etc. of file objects as conditions.

This patch adds support for permission checks using file object's DAC
attributes (e.g. owner/group) when checking file's pathnames. Hooks for passing
file object's pointers are in the last patch of this patchset.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
udit.c
ommon.c
ommon.h
ondition.c
2066a36125fcbf5220990173b9d8e8bc49ad7538 08-Jul-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Allow using UID/GID etc. of current thread as conditions.

This patch adds support for permission checks using current thread's UID/GID
etc. in addition to pathnames.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
akefile
udit.c
ommon.c
ommon.h
ondition.c
omain.c
c.c
til.c
5c4274f13819b40e726f6ee4ef13b4952cff5010 07-Jul-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove /sys/kernel/security/tomoyo/.domain_status interface.

/sys/kernel/security/tomoyo/.domain_status can be easily emulated using
/sys/kernel/security/tomoyo/domain_policy . We can remove this interface by
updating /usr/sbin/tomoyo-setprofile utility.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
ecurityfs_if.c
ea504819122a76a236f8b95d1556f807a0a41397 30-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix wrong domainname in tomoyo_init_log().

Commit eadd99cc "TOMOYO: Add auditing interface." by error replaced
"struct tomoyo_request_info"->domain with tomoyo_domain().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
udit.c
3ddf17f08cf2f0d7ff06858eb07d1cc3db8994de 29-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Cleanup header file.

Sort by alphabetic order.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.h
7986cf28bc5050967a7056d6eadda7f16f84eaab 29-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix build error with CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y .

I forgot to add #ifndef in commit 0e4ae0e0 "TOMOYO: Make several options
configurable.", resulting

security/built-in.o: In function `tomoyo_bprm_set_creds':
tomoyo.c:(.text+0x4698e): undefined reference to `tomoyo_load_policy'

error.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
omoyo.c
5b944a71a192977c1c018bbcfa0c52dca48e2368 30-Jun-2011 James Morris <jmorris@namei.org> Merge branch 'linus' into next
0e4ae0e0dec634b2ae53ac57d14141b140467dbe 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Make several options configurable.

To be able to start using enforcing mode from the early stage of boot sequence,
this patch adds support for activating access control without calling external
policy loader program. This will be useful for systems where operations which
can lead to the hijacking of the boot sequence are needed before loading the
policy. For example, you can activate immediately after loading the fixed part
of policy which will allow only operations needed for mounting a partition
which contains the variant part of policy and verifying (e.g. running GPG
check) and loading the variant part of policy. Since you can start using
enforcing mode from the beginning, you can reduce the possibility of hijacking
the boot sequence.

This patch makes several variables configurable at build time. This patch also
adds TOMOYO_loader= and TOMOYO_trigger= kernel command line options to boot the
same kernel in two different init systems (BSD-style init and systemd).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
config
ommon.c
oad_policy.c
efe836ab2b514ae7b59528af36d452978b42d266 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add built-in policy support.

To be able to start using enforcing mode from the early stage of boot sequence,
this patch adds support for built-in policy configuration (and next patch adds
support for activating access control without calling external policy loader
program).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
akefile
ommon.c
ommon.h
emory.c
b22b8b9fd90eecfb7133e56b4e113595f09f4492 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Rename meminfo to stat and show more statistics.

Show statistics such as last policy update time and last policy violation time
in addition to memory usage.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
udit.c
ommon.c
ommon.h
emory.c
ecurityfs_if.c
til.c
2c47ab9353242b0f061959318f83c55360b88fa4 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Cleanup part 4.

Gather string constants to one file in order to make the object size smaller.
Use unsigned type where appropriate.
read()/write() returns ssize_t.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
udit.c
ommon.c
ommon.h
omain.c
ile.c
til.c
2e503bbb435ae418aebbe4aeede1c6f2a33d6f74 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix lockdep warning.

Currently TOMOYO holds SRCU lock upon open() and releases it upon close()
because list elements stored in the "struct tomoyo_io_buffer" instances are
accessed until close() is called. However, such SRCU usage causes lockdep to
complain about leaving the kernel with SRCU lock held.

This patch solves the warning by holding/releasing SRCU upon each
read()/write(). This patch is doing something similar to calling kfree()
without calling synchronize_srcu(), by selectively deferring kfree() by keeping
track of the "struct tomoyo_io_buffer" instances.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
c.c
5625f2e3266319fd29fe4f1c76ccd3f550c79ac4 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Change pathname for non-rename()able filesystems.

TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if $PID matches current
thread's process ID in order to prevent current thread from accessing other
process's information unless needed.

But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ /p/
/tmp/foo/100/p/ ), TOMOYO cannot tell whether the numeric part in the
string returned by __d_path() represents process ID or not.

Therefore, to be able to convert from $PID to self no matter where procfs is
mounted, this patch changes pathname representations for filesystems which do
not support rename() operation (e.g. proc, sysfs, securityfs).

Examples:
/proc/self/mounts => proc:/self/mounts
/sys/kernel/security/ => sys:/kernel/security/
/dev/pts/0 => devpts:/0

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ile.c
ealpath.c
bd03a3e4c9a9df0c6b007045fa7fc8889111a478 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add policy namespace support.

Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments,
for TOMOYO cannot distinguish between environments outside the container and
environments inside the container since LXC environments are created using
pivot_root(). To address this problem, this patch introduces policy namespace.

Each policy namespace has its own set of domain policy, exception policy and
profiles, which are all independent of other namespaces. This independency
allows users to develop policy without worrying about interference among namespaces.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
udit.c
ommon.c
ommon.h
omain.c
ile.c
c.c
emory.c
til.c
32997144fd9925fc4d506a16990a0c405f766526 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add ACL group support.

ACL group allows administrator to globally grant not only "file read"
permission but also other permissions.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
omain.c
c.c
emory.c
eadd99cc85347b4f9eb10122ac90032eb4971b02 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add auditing interface.

Add /sys/kernel/security/tomoyo/audit interface. This interface generates audit
logs in the form of domain policy so that /usr/sbin/tomoyo-auditd can reuse
audit logs for appending to /sys/kernel/security/tomoyo/domain_policy
interface.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
akefile
udit.c
ommon.c
ommon.h
ile.c
emory.c
ount.c
ecurityfs_if.c
til.c
d5ca1725ac9ba876c2dd614bb9826d0c4e13d818 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Simplify profile structure.

Remove global preference from profile structure in order to make code simpler.

Due to this structure change, printk() warnings upon policy violation are
temporarily disabled. They will be replaced by
/sys/kernel/security/tomoyo/audit by next patch.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
til.c
0d2171d711cbfca84cc0001121be8a6cc8e4d148 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Rename directives.

Convert "allow_..." style directives to "file ..." style directives.
By converting to the latter style, we can pack policy like
"file read/write/execute /path/to/file".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
omain.c
ile.c
a238cf5b89ed5285be8de56335665d023972f7d5 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use struct for passing ACL line.

Use structure for passing ACL line, in preparation for supporting policy
namespace and conditional parameters.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
omain.c
ile.c
roup.c
emory.c
ount.c
til.c
0df7e8b8f1c25c10820bdc679555f2fbfb897ca0 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Cleanup part 3.

Use common structure for ACL with "struct list_head" + "atomic_t".
Use array/struct where possible.
Remove is_group from "struct tomoyo_name_union"/"struct tomoyo_number_union".
Pass "struct file"->private_data rather than "struct file".
Update some of comments.
Bring tomoyo_same_acl_head() from common.h to domain.c .
Bring tomoyo_invalid()/tomoyo_valid() from common.h to util.c .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
omain.c
ile.c
c.c
emory.c
ount.c
ecurityfs_if.c
til.c
b5bc60b4ce313b6dbb42e7d32915dcf0a07c2a68 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Cleanup part 2.

Update (or temporarily remove) comments.
Remove or replace some of #define lines.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
ile.c
ount.c
ecurityfs_if.c
7c75964f432d14062d8eccfc916aa290f56b5aab 26-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Cleanup part 1.

In order to synchronize with TOMOYO 1.8's syntax,

(1) Remove special handling for allow_read/write permission.
(2) Replace deny_rewrite/allow_rewrite permission with allow_append permission.
(3) Remove file_pattern keyword.
(4) Remove allow_read permission from exception policy.
(5) Allow creating domains in enforcing mode without calling supervisor.
(6) Add permission check for opening directory for reading.
(7) Add permission check for stat() operation.
(8) Make "cat < /sys/kernel/security/tomoyo/self_domain" behave as if
"cat /sys/kernel/security/tomoyo/self_domain".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
omain.c
ile.c
c.c
ount.c
omoyo.c
til.c
4e78c724d47e2342aa8fde61f6b8536f662f795f 13-Jun-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix oops in tomoyo_mount_acl().

In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking
dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing
mount(NULL, "/", "ext3", 0, NULL) request.
Fix this by checking dev_name != NULL before calling kern_path(dev_name).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: stable@kernel.org
Signed-off-by: James Morris <jmorris@namei.org>
ount.c
e77dc3460fa59be5759e9327ad882868eee9d61b 11-May-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix wrong domainname validation.

In tomoyo_correct_domain() since 2.6.36, TOMOYO was by error validating
"<kernel>" + "/foo/\" + "/bar" when "<kernel> /foo/\* /bar" was given.
As a result, legal domainnames like "<kernel> /foo/\* /bar" are rejected.

Reported-by: Hayama Yossihiro <yossi@yedo.src.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
til.c
db5ca356d8af8e43832c185ceec90850ff2ebb45 19-Apr-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix refcount leak in tomoyo_mount_acl().

In tomoyo_mount_acl() since 2.6.36, reference to device file (e.g. /dev/sda1)
was leaking.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ount.c
d4ab4e6a23f805abb8fc3cc34525eec3788aeca1 19-Apr-2011 James Morris <jmorris@namei.org> Merge branch 'master'; commit 'v2.6.39-rc3' into next
c0fa797ae6cd02ff87c0bfe0d509368a3b45640e 02-Apr-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix infinite loop bug when reading /sys/kernel/security/tomoyo/audit

In tomoyo_flush(), head->r.w[0] holds pointer to string data to be printed.
But head->r.w[0] was updated only when the string data was partially
printed (because head->r.w[0] will be updated by head->r.w[1] later if
completely printed). However, regarding /sys/kernel/security/tomoyo/query ,
an additional '\0' is printed after the string data was completely printed.
But if free space for read buffer became 0 before printing the additional '\0',
tomoyo_flush() was returning without updating head->r.w[0]. As a result,
tomoyo_flush() forever reprints already printed string data.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
e4f5f26d8336318a5aa0858223c81cf29fcf5f68 02-Apr-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Don't add / for allow_unmount permission check.

"mount --bind /path/to/file1 /path/to/file2" is legal. Therefore,
"umount /path/to/file2" is also legal. Do not automatically append trailing '/'
if pathname to be unmounted does not end with '/'.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ile.c
2a086e5d3a23570735f75b784d29b93068070833 02-Apr-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix race on updating profile's comment line.

In tomoyo_write_profile() since 2.6.34, a lock was by error missing when
replacing profile's comment line. If multiple threads attempted

echo '0-COMMENT=comment' > /sys/kernel/security/tomoyo/profile

in parallel, garbage collector will fail to kfree() the old value.
Protect the replacement using a lock. Also, keep the old value rather than
replace with empty string when out of memory error has occurred.

Signed-off-by: Xiaochen Wang <wangxiaochen0@gmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
25985edcedea6396277003854657b5f3cb31a628 31-Mar-2011 Lucas De Marchi <lucas.demarchi@profusion.mobi> Fix common misspellings

Fixes generated by 'codespell' and manually reviewed.

Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi>
oad_policy.c
cfc64fd91fabed099a4c3df58559f4b7efe9bcce 30-Mar-2011 Xiaochen Wang <wangxiaochen0@gmail.com> tomoyo: fix memory leak in tomoyo_commit_ok()

When memory used for policy exceeds the quota, tomoyo_memory_ok() returns false.
In this case, tomoyo_commit_ok() must call kfree() before returning NULL.
This bug exists since 2.6.35.

Signed-off-by: Xiaochen Wang <wangxiaochen0@gmail.com>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
emory.c
eae61f3c829439f8f9121b5cd48a14be04df451f 02-Mar-2011 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix memory leak upon file open.

In tomoyo_check_open_permission() since 2.6.36, TOMOYO was by error
recalculating already calculated pathname when checking allow_rewrite
permission. As a result, memory will leak whenever a file is opened for writing
without O_APPEND flag. Also, performance will degrade because TOMOYO is
calculating pathname regardless of profile configuration.
This patch fixes the leak and performance degradation.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ile.c
da5029563a0a026c64821b09e8e7b4fd81d3fe1b 07-Jan-2011 Nick Piggin <npiggin@kernel.dk> fs: dcache scale d_unhashed

Protect d_unhashed(dentry) condition with d_lock. This means keeping
DCACHE_UNHASHED bit in synch with hash manipulations.

Signed-off-by: Nick Piggin <npiggin@kernel.dk>
ealpath.c
be148247cfbe2422f5709e77d9c3e10b8a6394da 10-Oct-2010 Christoph Hellwig <hch@infradead.org> fs: take dcache_lock inside __d_path

All callers take dcache_lock just around the call to __d_path, so
take the lock into it in preparation of getting rid of dcache_lock.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
ealpath.c
9f1c1d426b0402b25cd0d7ca719ffc8e20e46d5f 08-Oct-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Print URL information before panic().

Configuration files for TOMOYO 2.3 are not compatible with TOMOYO 2.2.
But current panic() message is too unfriendly and is confusing users.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
68eda8f59081c74a51d037cc29893bd7c9b3c2d8 08-Aug-2010 Dan Carpenter <error27@gmail.com> tomoyo: cleanup. don't store bogus pointer

If domain is NULL then &domain->list is a bogus address. Let's leave
head->r.domain NULL instead of saving an unusable pointer.

This is just a cleanup. The current code always checks head->r.eof
before dereferencing head->r.domain.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
ommon.c
c8da96e87d349e9035345293093ecc74792fb96a 26-Sep-2010 Ben Hutchings <ben@decadent.org.uk> TOMOYO: Don't abuse sys_getpid(), sys_getppid()

System call entry functions sys_*() are never to be called from
general kernel code. The fact that they aren't declared in header
files should have been a clue. These functions also don't exist on
Alpha since it has sys_getxpid() instead.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
484ca79c653121d3c79fffb86e1deea724f2e20b 29-Jul-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use pathname specified by policy rather than execve()

Commit c9e69318 "TOMOYO: Allow wildcard for execute permission." changed execute
permission and domainname to accept wildcards. But tomoyo_find_next_domain()
was using pathname passed to execve() rather than pathname specified by the
execute permission. As a result, processes were not able to transit to domains
which contain wildcards in their domainnames.

This patch passes pathname specified by the execute permission back to
tomoyo_find_next_domain() so that processes can transit to domains which
contain wildcards in their domainnames.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.h
omain.c
ile.c
roup.c
ount.c
e6f6a4cc955d626ed26562d98de5766bf1f73526 27-Jul-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Update version to 2.3.0

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
7e3d199a4009a4094a955282daf5ecd43f2c8152 27-Jul-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Fix quota check.

Commit d74725b9 "TOMOYO: Use callback for updating entries." broke
tomoyo_domain_quota_is_ok() by counting deleted entries. It needs to
count non-deleted entries.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
til.c
7e2deb7ce8f662bce877dbfd3b0053e9559c25a3 08-Jul-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Explicitly set file_operations->llseek pointer.

TOMOYO does not deal with the offset pointer. Thus seek operation makes
no sense. Changing default seek operation from default_llseek()
to no_llseek() might break some applications. Thus, explicitly
set noop_llseek().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ecurityfs_if.c
0849e3ba53c3ef603dffa9758a73e07ed186a937 24-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add missing poll() hook.

Commit 1dae08c "TOMOYO: Add interactive enforcing mode." forgot to register
poll() hook. As a result, /usr/sbin/tomoyo-queryd was doing busy loop.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
ecurityfs_if.c
e2bf69077acefee5247bb661faac2552d29ba7ba 25-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Rename symbols.

Use shorter names in order to make it easier to fit the 80-column limit.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
omain.c
ile.c
c.c
emory.c
ount.c
til.c
8e5686874bcb882f69d5c04e6b38dc92b97facea 25-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Small cleanup.

Split tomoyo_write_profile() into several functions.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
f23571e866309a2048030ef6a5f0725cf139d4c9 24-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Copy directly to userspace buffer.

When userspace program reads policy from /sys/kernel/security/tomoyo/
interface, TOMOYO uses line buffered mode. A line has at least one word.

Commit 006dacc "TOMOYO: Support longer pathname." changed a word's max length
from 4000 bytes to max kmalloc()able bytes. By that commit, a line's max length
changed from 8192 bytes to more than max kmalloc()able bytes.

Max number of words in a line remains finite. This patch changes the way of
buffering so that all words in a line are firstly directly copied to userspace
buffer as much as possible and are secondly queued for next read request.
Words queued are guaranteed to be valid until /sys/kernel/security/tomoyo/
interface is close()d.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
emory.c
5db5a39b6462c8360c9178b28f4b07c320dfca1c 23-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use common code for policy reading.

tomoyo_print_..._acl() are similar. Merge them.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
063821c8160568b3390044390c8328e36c5696ad 23-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Allow reading only execute permission.

Policy editor needs to know allow_execute entries in order to build domain
transition tree. Reading all entries is slow. Thus, allow reading only
allow_execute entries.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
475e6fa3d340e75a454ea09191a29e52e2ee6e71 24-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Change list iterator.

Change list_for_each_cookie to

(1) start from current position rather than next position
(2) remove temporary cursor
(3) check that srcu_read_lock() is held

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
5448ec4f5062ef75ce74f8d7784d4cea9c46ad00 21-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use common code for domain transition control.

Use common code for "initialize_domain"/"no_initialize_domain"/"keep_domain"/
"no_keep_domain" keywords.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
ommon.c
ommon.h
omain.c
c.c
emory.c
til.c
0617c7ff34dc9b1d641640c3953274bb2dbe21a6 21-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove alias keyword.

Some programs behave differently depending on argv[0] passed to execve().
TOMOYO has "alias" keyword in order to allow administrators to define different
domains if requested pathname passed to execve() is a symlink. But "alias"
keyword is incomplete because this keyword assumes that requested pathname and
argv[0] are identical. Thus, remove "alias" keyword (by this patch) and add
syntax for checking argv[0] (by future patches).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
gc.c
realpath.c
7c2ea22e3c5463627ca98924cd65cb9e480dc29c 17-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Merge path_group and number_group.

Use common code for "path_group" and "number_group".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Makefile
common.c
common.h
gc.c
group.c
memory.c
number_group.c
path_group.c
util.c
31845e8c6d3f4f26702e567c667277f9fd1f73a3 17-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Aggregate reader functions.

Now lists are accessible via array index. Aggregate reader functions using index.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
number_group.c
path_group.c
a230f9e7121cbcbfe23bd5a630abf6b53cece555 17-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use array of "struct list_head".

Assign list id and make the lists as array of "struct list_head".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
gc.c
memory.c
number_group.c
path_group.c
a98aa4debe2728abb3353e35fc5d110dcc0d7f0d 17-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Merge tomoyo_path_group and tomoyo_number_group

"struct tomoyo_path_group" and "struct tomoyo_number_group" are identical.
Rename tomoyo_path_group/tomoyo_number_group to tomoyo_group and
tomoyo_path_group_member to tomoyo_path_group and
tomoyo_number_group_member to tomoyo_number_group.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
file.c
gc.c
number_group.c
path_group.c
e79acf0ef45e0b54aed47ebea7f25c540d3f527e 16-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Pass "struct list_head" rather than "void *".

Pass "struct list_head" to tomoyo_add_to_gc() and bring
list_del_rcu() to tomoyo_add_to_gc().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
gc.c
8fbe71f0e0ac28a39e4a93694c34d670c2f31e88 16-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Make read function to void.

Read functions do not fail. Change them from int to void.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
memory.c
cb917cf517075a357ce43b74e8a5a57f2c69a734 16-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Merge functions.

Embed tomoyo_path_number_perm2() into tomoyo_path_number_perm().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
file.c
71c282362d0672235c5205a7db1f3ac3fcf32981 16-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove wrapper function for reading keyword.

Keyword strings are read-only. We can directly access them to reduce code size.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
file.c
d795ef9e751b72c94600c91e31bdaef55987a9f6 16-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Loosen parameter check for mount operation.

If an invalid combination of mount flags is given, it will be rejected later.
Thus, there is no need for TOMOYO to reject invalid combinations of mount flags.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
mount.c
75093152a97ee0ec281895b4f6229ff3c481fd64 16-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Rename symbols.

Use shorter name in order to make it easier to fix 80 columns limit.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
gc.c
mount.c
number_group.c
path_group.c
tomoyo.c
util.c
99a852596beb26cc449ca1a79834c107ef4080e1 16-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use callback for permission check.

We can use callback function since parameters are passed via
"const struct tomoyo_request_info".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
domain.c
file.c
mount.c
cf6e9a6468ec82a94cbc707b607452ec4454182c 16-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Pass parameters via structure.

To make it possible to use callback function, pass parameters via
"struct tomoyo_request_info".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
file.c
mount.c
05336dee9f5a23c042e5938b42f996dd35e31ee6 16-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use common code for open and mkdir etc.

tomoyo_file_perm() and tomoyo_path_permission() are similar.
We can embed tomoyo_file_perm() into tomoyo_path_permission().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
domain.c
file.c
d2f8b2348f3406652ee00ee7221441bd36fe0195 15-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use common code for garbage collection.

Use common code for elements using "struct list_head" + "bool" structure.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
gc.c
36f5e1ffbf2bb951105ae4e261bcc1de3eaf510c 15-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use callback for updating entries.

Use common code for elements using "struct list_head" + "bool" structure.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
number_group.c
path_group.c
82e0f001a4c1112dcff9cafa9812a33889ad9b8a 15-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use common structure for list element.

Use common "struct list_head" + "bool" structure.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
gc.c
number_group.c
path_group.c
237ab459f12cb98eadd3fe7b85343e183a1076a4 12-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use callback for updating entries.

Use common "struct list_head" + "bool" + "u8" structure and
use common code for elements using that structure.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
gc.c
mount.c
util.c
57c2590fb7fd38bd52708ff2716a577d0c2b3c5a 03-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Update profile structure.

This patch allows users to change the access control mode on a per-operation basis.
This feature comes from the non-LSM version of TOMOYO, which is designed for
permitting users to use SELinux and TOMOYO at the same time.

SELinux does not care about the filename in a directory whereas TOMOYO does. A change of
filename can change how the file is used. For example, renaming index.txt to
.htaccess will change how the file is used. Thus, letting SELinux enforce
read()/write()/mmap() etc. restrictions and letting TOMOYO enforce rename()
restrictions is an example usage of this feature.

What is unfortunate for me is that currently LSM does not allow users to use
SELinux and the LSM version of TOMOYO at the same time...

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
mount.c
util.c
1084307ca097745ed6e40a192329b133a49271ac 03-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add pathname aggregation support.

This patch allows users to aggregate programs which provide similar
functionality (e.g. /usr/bin/vi and /usr/bin/emacs ).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
gc.c
3f629636320dfa65804779a3fc333f3147f3b064 03-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Allow wildcard for execute permission.

Some applications create and execute programs dynamically. We need to accept
wildcard for execute permission because such programs contain random suffix
in their filenames. This patch loosens up regulation of string parameters.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
number_group.c
path_group.c
util.c
c8c57e842720d8cc92ac8607f2d1c16d92314573 03-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Support longer pathname.

Allow pathnames longer than 4000 bytes.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
domain.c
file.c
memory.c
mount.c
realpath.c
9b244373da3eab671da6c5125482121528a9ebf3 03-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Several fixes for TOMOYO's management programs.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
path_group.c
ea0d3ab239fba48d6e998b19c28d78f765963007 02-Jun-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> LSM: Remove unused arguments from security_path_truncate().

When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
where vfsmount is available." was proposed, regarding security_path_truncate(),
only "struct file *" argument (which AppArmor wanted to use) was removed.
But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
Thus, let's remove these arguments.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: James Morris <jmorris@namei.org>
tomoyo.c
c3ef1500ec833890275172c7d063333404b64d60 17-May-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Split files into some pieces.

security/tomoyo/common.c became too large to read.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Makefile
common.c
common.h
domain.c
file.c
load_policy.c
memory.c
realpath.c
securityfs_if.c
tomoyo.c
util.c
17fcfbd9d45b57f38d40e31f9d28db53f4af5c88 17-May-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add interactive enforcing mode.

Since the behavior of the system is restricted by policy, we may need to update
policy when we update packages.

We need to update policy in the following cases.

* The pathname of files has changed.
* The dependency of files has changed.
* The access permissions required have increased.

The ideal way to update policy is to rebuild from scratch using learning
mode. But it is not desirable to change from enforcing mode to another mode once
the system has entered production state. Supposing MAC could support
per-application enforcing mode, the MAC becomes useless if an application that
is not running in enforcing mode is cracked. For example, the whole system
becomes vulnerable if only the HTTP server application is running in learning mode
to rebuild policy for the application. So, in TOMOYO Linux, updating policy is
done while the system is running in enforcing mode.

This patch implements "interactive enforcing mode" which allows administrators
to judge whether or not to accept a policy violation in enforcing mode.
A demo movie is available at http://www.youtube.com/watch?v=b9q1Jo25LPA .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
mount.c
realpath.c
2106ccd972dcd9fda7df9b181505fac1741b3508 17-May-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add mount restriction.

mount(2) has three string and one numeric parameters.
Split mount restriction code from security/tomoyo/file.c .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Makefile
common.c
common.h
file.c
gc.c
mount.c
tomoyo.c
a1f9bb6a375a8dbf7797ffbd6739c46b338a77f7 17-May-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Split file access control functions by type of parameters.

Check numeric parameters for operations that deal with them
(e.g. chmod/chown/ioctl).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
file.c
gc.c
tomoyo.c
cb0abe6a5b58499bd4bc1403f4987af9ead0642c 17-May-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use structure for passing common arguments.

Use "struct tomoyo_request_info" instead of passing individual arguments.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
tomoyo.c
4c3e9e2ded48bcf696a45945ea7d25bb15b873fd 17-May-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add numeric values grouping support.

This patch adds numeric values grouping support, which is useful for grouping
numeric values such as file's UID, DAC's mode, ioctl()'s cmd number.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Makefile
common.c
common.h
file.c
gc.c
number_group.c
7762fbfffdbce8191f5236d5053b290035d3d749 10-May-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add pathname grouping support.

This patch adds pathname grouping support, which is useful for grouping
pathnames that cannot be represented using /\{dir\}/ pattern.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Makefile
common.c
common.h
file.c
gc.c
path_group.c
9e4b50e93786d00c703f16ed46e6a4029c0dfdd1 05-May-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use stack memory for pending entry.

Use stack memory for pending entry to reduce kmalloc() which will be kfree()d.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
realpath.c
292823814261e085cdcef06b6b691e6c2563fbd4 05-May-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use mutex_lock_interruptible.

Some of TOMOYO's functions may sleep after mutex_lock(). If OOM-killer selected
a process which is waiting at mutex_lock(), the to-be-killed process can't be
killed. Thus, replace mutex_lock() with mutex_lock_interruptible() so that the
to-be-killed process can immediately return from TOMOYO's functions.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
gc.c
realpath.c
0ffbe2699cda6afbe08501098dff8a8c2fe6ae09 06-May-2010 James Morris <jmorris@namei.org> Merge branch 'master' into next
4e5d6f7ec3833c0da9cf34fa5c53c6058c5908b6 28-Apr-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use GFP_NOFS rather than GFP_KERNEL.

In Ubuntu, security_path_*() hooks are exported to Unionfs. Thus, prepare for
being called from inside VFS functions because I'm not sure whether it is safe
to use GFP_KERNEL or not.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
domain.c
file.c
realpath.c
d25d6fa1a95f465ff1ec4458ca15e30b2c8dffec 30-Mar-2010 James Morris <jmorris@namei.org> Merge branch 'master' into next
5a0e3ad6af8660be21ca98a971cd00f331318c05 24-Mar-2010 Tejun Heo <tj@kernel.org> include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h

percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.

The percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities to include those
headers directly instead of assuming availability. As this conversion
needs to touch a large number of source files, the following script is
used as the basis of conversion.

http://userweb.kernel.org/~tj/misc/slabh-sweep.py

The script does the following.

* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there, i.e. if only gfp is used,
gfp.h, if slab is used, slab.h.

* When the script inserts a new include, it looks at the include
blocks and tries to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.

* If the script can't find a place to put a new include (mostly
because the file doesn't have a fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.

The conversion was done in the following steps.

1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.

2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.

3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.

4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.

5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
widely available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.

6. percpu.h was updated not to include slab.h.

7. Build tests were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).

* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig

8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.

Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable on most builds of
the specific arch.

Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
common.c
domain.c
file.c
gc.c
realpath.c
181427a7e01beab76c789414334375839f026128 13-Mar-2010 Dan Carpenter <error27@gmail.com> tomoyo: fix potential use after free

The original code returns a freed pointer. This function is expected to
return NULL on errors.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
c43a7523470dc2d9947fa114a0b54317975d4c04 08-Mar-2010 James Morris <jmorris@namei.org> Merge branch 'next-queue' into next
0f2cc4ecd81dc1917a041dc93db0ada28f8356fa 04-Mar-2010 Linus Torvalds <torvalds@linux-foundation.org> Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: (52 commits)
init: Open /dev/console from rootfs
mqueue: fix typo "failues" -> "failures"
mqueue: only set error codes if they are really necessary
mqueue: simplify do_open() error handling
mqueue: apply mathematics distributivity on mq_bytes calculation
mqueue: remove unneeded info->messages initialization
mqueue: fix mq_open() file descriptor leak on user-space processes
fix race in d_splice_alias()
set S_DEAD on unlink() and non-directory rename() victims
vfs: add NOFOLLOW flag to umount(2)
get rid of ->mnt_parent in tomoyo/realpath
hppfs can use existing proc_mnt, no need for do_kern_mount() in there
Mirror MS_KERNMOUNT in ->mnt_flags
get rid of useless vfsmount_lock use in put_mnt_ns()
Take vfsmount_lock to fs/internal.h
get rid of insanity with namespace roots in tomoyo
take check for new events in namespace (guts of mounts_poll()) to namespace.c
Don't mess with generic_permission() under ->d_lock in hpfs
sanitize const/signedness for udf
nilfs: sanitize const/signedness in dealing with ->d_name.name
...

Fix up fairly trivial (famous last words...) conflicts in
drivers/infiniband/core/uverbs_main.c and security/tomoyo/realpath.c
440b3c6c160f7d0a985f24ad1f4c24e00ee2d936 05-Feb-2010 Al Viro <viro@zeniv.linux.org.uk> get rid of ->mnt_parent in tomoyo/realpath

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
realpath.c
37afdc7960ab493f827b5df9dc1b71b63b44331c 05-Feb-2010 Al Viro <viro@zeniv.linux.org.uk> get rid of insanity with namespace roots in tomoyo

passing *any* namespace root to __d_path() as root is equivalent
to just passing it {NULL, NULL}; no need to bother with finding
the root of our namespace in there.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
realpath.c
b380de9e54ec354ccac55fd9a611ffe28b4daa76 01-Mar-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove unused variables.

Variable "atmark" is currently unused.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
b4ccebdd37ff70d349321a198f416ba737a5e833 28-Feb-2010 James Morris <jmorris@namei.org> Merge branch 'next' into for-linus
1fcdc7c527010b144d3951f9ce25faedf264933c 25-Feb-2010 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Protect find_task_by_vpid() with RCU.

Holding tasklist_lock is no longer sufficient for find_task_by_vpid().
Explicit rcu_read_lock() is required.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
--
security/tomoyo/common.c | 4 ++++
1 file changed, 4 insertions(+)
Signed-off-by: James Morris <jmorris@namei.org>
common.c
170800088666963de1111d62fb503889c8c82eda 16-Feb-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove __func__ from tomoyo_is_correct_path/domain

__func__ is used for only debug printk(). We can remove it.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
97d6931ead3e89a764cdaa3ad0924037367f0d34 16-Feb-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove unneeded parameter.

tomoyo_path_perm(), tomoyo_path2_perm() and tomoyo_check_rewrite_permission()
always receive tomoyo_domain(). We can move it from caller to callee.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
file.c
tomoyo.c
7ef612331fb219620cc1abfc2446bb027d388aa0 16-Feb-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use shorter names.

Use shorter name to reduce newlines needed for 80 columns limit.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
file.c
gc.c
tomoyo.c
084da356f6e55ce42f1d2739178502023908c107 15-Feb-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use enum for index numbers.

Use enum to declare index numbers.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
847b173ea3d6f50936823d07f2245059bf44713b 11-Feb-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add garbage collector.

This patch adds garbage collector support to TOMOYO.
Elements are protected by "struct srcu_struct tomoyo_ss".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Makefile
common.c
common.h
domain.c
file.c
gc.c
realpath.c
ec8e6a4e062e2edebef91e930c20572c9f4c0dda 11-Feb-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add refcounter on domain structure.

Add refcounter to "struct tomoyo_domain_info" since garbage collector needs to
determine whether this struct is referred to by "struct cred"->security or not.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
domain.c
tomoyo.c
76bb0895d038be7bcdb6ccfcd2dd7deb30371d6b 11-Feb-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Merge headers.

Gather structures and constants scattered around the security/tomoyo/ directory.
This is in preparation for adding the garbage collector, since the garbage collector
needs to know the structures and constants which TOMOYO uses.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
realpath.c
realpath.h
tomoyo.c
tomoyo.h
bf24fb016c861b7f52be0c36c4cedd3e89afa2e2 11-Feb-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add refcounter on string data.

Add refcounter to "struct tomoyo_name_entry" and replace tomoyo_save_name()
with tomoyo_get_name()/tomoyo_put_name() pair so that we can kfree() when
garbage collector is added.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
domain.c
file.c
realpath.c
realpath.h
ca0b7df3374c5566468c17f26fa2dfd3fe3c6a37 07-Feb-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Reduce lines by using common path for addition and deletion.

Since the code for adding an entry and removing an entry is similar, we can
save some lines by using "if (is_delete) { ... } else { ... }" branches.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
domain.c
file.c
ea13ddbad0eb4be9cdc406cd7e0804fa4011f6e4 02-Feb-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Extract bitfield

Since list elements are rounded up to kmalloc() size rather than sizeof(int),
saving one byte by using bitfields is no longer helpful.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
8e2d39a1665e680c095545993aac2fcac6916eb9 26-Jan-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove usage counter for temporary memory.

TOMOYO was using its own memory usage counter for detecting memory leaks.
But as kernel 2.6.31 introduced a memory leak detection mechanism
( CONFIG_DEBUG_KMEMLEAK ), we no longer need to have our own counter.

We remove usage counter for memory used for permission checks, but we keep
usage counter for memory used for policy so that we can apply quota.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
realpath.c
realpath.h
2457552d1e6f3183cd93f81c49a8da5fe8bb0e42 17-Jan-2010 James Morris <jmorris@namei.org> Merge branch 'master' into next
6d125529c6cbfe570ce3bf9a0728548f087499da 24-Dec-2009 Al Viro <viro@zeniv.linux.org.uk> Fix ACC_MODE() for real

commit 5300990c0370e804e49d9a59d928c5d53fb73487 had stepped on a rather
nasty mess: definitions of ACC_MODE used to be different. Fixed the
resulting breakage, converting them to variant that takes O_... value;
all callers have that and it actually simplifies life (see tomoyo part
of changes).

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
tomoyo.c
cd7bec6ad80188394a8ea857ff1aa3512fc2282a 04-Jan-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove memory pool for list elements.

Currently, TOMOYO allocates memory for list elements from memory pool allocated
by kmalloc(PAGE_SIZE). But that makes it difficult to kfree() when garbage
collector is added. Thus, remove memory pool and use kmalloc(sizeof()).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
realpath.c
realpath.h
e41035a996356c257183e53a70abfb46fa84908b 04-Jan-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Remove memory pool for string data.

Currently, TOMOYO allocates memory for string data from memory pool allocated
by kmalloc(PAGE_SIZE). But that makes it difficult to kfree() when garbage
collector is added. Thus, remove memory pool and use kmalloc(strlen()).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
realpath.c
f737d95ddfea4df68a36ffc9231db4bf34b06d13 03-Jan-2010 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Replace rw_semaphore by mutex.

Since readers no longer use down_read(), writers no longer
need to use rw_semaphore. Replace individual rw_semaphore by
single mutex.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
5300990c0370e804e49d9a59d928c5d53fb73487 19-Dec-2009 Al Viro <viro@zeniv.linux.org.uk> Sanitize f_flags helpers

* pull ACC_MODE to fs.h; we have several copies all over the place
* nightmarish expression calculating f_mode by f_flags deserves a helper
too (OPEN_FMODE(flags))

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
file.c
fdb8ebb729bbb640e64028a4f579a02ebc405727 08-Dec-2009 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Use RCU primitives for list operation

Replace list operation with RCU primitives and replace
down_read()/up_read() with srcu_read_lock()/srcu_read_unlock().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
realpath.c
tomoyo.c
67fa4880c5e059428392ca6f7c2f9c38e8546fea 09-Dec-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Compare filesystem by magic number rather than by name.

Please apply below one after merging 1557d33007f63dd96e5d15f33af389378e5f2e54
(Merge git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6).
----------
[PATCH for 2.6.33] TOMOYO: Compare filesystem by magic number rather than by name.

We can use magic number for checking whether the filesystem is procfs or not.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
realpath.c
1ad1f10cd915744bbe52b19423653b38287d827d 09-Dec-2009 James Morris <jmorris@namei.org> Merge branch 'master' into next
1557d33007f63dd96e5d15f33af389378e5f2e54 08-Dec-2009 Linus Torvalds <torvalds@linux-foundation.org> Merge git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6: (43 commits)
security/tomoyo: Remove now unnecessary handling of security_sysctl.
security/tomoyo: Add a special case to handle accesses through the internal proc mount.
sysctl: Drop & in front of every proc_handler.
sysctl: Remove CTL_NONE and CTL_UNNUMBERED
sysctl: kill dead ctl_handler definitions.
sysctl: Remove the last of the generic binary sysctl support
sysctl net: Remove unused binary sysctl code
sysctl security/tomoyo: Don't look at ctl_name
sysctl arm: Remove binary sysctl support
sysctl x86: Remove dead binary sysctl support
sysctl sh: Remove dead binary sysctl support
sysctl powerpc: Remove dead binary sysctl support
sysctl ia64: Remove dead binary sysctl support
sysctl s390: Remove dead sysctl binary support
sysctl frv: Remove dead binary sysctl support
sysctl mips/lasat: Remove dead binary sysctl support
sysctl drivers: Remove dead binary sysctl support
sysctl crypto: Remove dead binary sysctl support
sysctl security/keys: Remove dead binary sysctl support
sysctl kernel: Remove binary sysctl logic
...
937bf6133b21b16965f75223085f4314ae32b8eb 02-Dec-2009 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add rest of file operation restrictions.

LSM hooks for chmod()/chown()/chroot() are now ready.
This patch utilizes these hooks.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
file.c
tomoyo.c
tomoyo.h
7539cf4b92be4aecc573ea962135f246a7a33401 24-Nov-2009 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Add recursive directory matching operator support.

TOMOYO 1.7.1 has recursive directory matching operator support.
I want to add it to TOMOYO for Linux 2.6.33 .
----------
[PATCH] TOMOYO: Add recursive directory matching operator support.

This patch introduces new operator /\{dir\}/ which matches
'/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ /dir/dir/dir/ ).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
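The /\{dir\}/ operator described above, as an added Python illustration (not TOMOYO's own matcher): it matches '/' followed by one or more repetitions of "dir/", where dir may itself be a pattern. To allow realistic patterns it also implements \* (zero or more characters other than '/') and "\\" for a literal backslash; all patterns and paths below are constructed.

```python
# Tokens: ('lit', c) one literal character
#         ('star',)  \*  zero or more characters other than '/'
#         ('rec', inner)  /\{inner\}/ : '/' + one or more of (<inner> + '/')


def tokenize(pattern):
    """Turn a TOMOYO-style pattern into a token list (see above)."""
    tokens = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c != '\\':
            tokens.append(('lit', c))
            i += 1
            continue
        if i + 1 >= len(pattern):
            raise ValueError("dangling backslash")
        nxt = pattern[i + 1]
        if nxt == '*':
            tokens.append(('star',))
            i += 2
        elif nxt == '\\':
            tokens.append(('lit', '\\'))
            i += 2
        elif nxt == '{':
            close = pattern.find('\\}', i + 2)
            # The operator is "/\{...\}/": a '/' must both precede and follow it.
            if (close == -1 or not tokens or tokens[-1] != ('lit', '/')
                    or pattern[close + 2:close + 3] != '/'):
                raise ValueError("malformed recursive operator at %d" % i)
            inner = tokenize(pattern[i + 2:close])
            tokens.pop()                    # the leading '/' belongs to the operator
            tokens.append(('rec', inner))
            i = close + 3                   # skip "\}" and the trailing '/'
        else:
            raise ValueError("unsupported wild card \\%s" % nxt)
    return tokens


def _match(tokens, ti, s, si):
    """Backtracking matcher: does tokens[ti:] match exactly s[si:]?"""
    if ti == len(tokens):
        return si == len(s)
    kind = tokens[ti][0]
    if kind == 'lit':
        return (si < len(s) and s[si] == tokens[ti][1]
                and _match(tokens, ti + 1, s, si + 1))
    if kind == 'star':
        j = si
        while True:                         # try 0, 1, 2, ... non-'/' characters
            if _match(tokens, ti + 1, s, j):
                return True
            if j < len(s) and s[j] != '/':
                j += 1
            else:
                return False
    # 'rec': consume the '/', then 1, 2, 3, ... path components each matching inner
    if si >= len(s) or s[si] != '/':
        return False
    inner = tokens[ti][1]
    pos = si + 1
    while True:
        end = s.find('/', pos)
        if end == -1:                       # every repetition must end with '/'
            return False
        if not _match(inner, 0, s[pos:end], 0):
            return False
        pos = end + 1
        if _match(tokens, ti + 1, s, pos):
            return True


def path_matches(pattern, path):
    """True if `path` is matched by the TOMOYO-style `pattern`."""
    return _match(tokenize(pattern), 0, path, 0)


if __name__ == "__main__":
    for p in ("/dir/", "/dir/dir/dir/", "/dir", "/", "/dir/other/"):
        print(p, path_matches(r"/\{dir\}/", p))
    # At least one directory is required between www/ and index.html.
    print(path_matches(r"/var/www/\{\*\}/index.html", "/var/www/a/b/index.html"))
    print(path_matches(r"/var/www/\{\*\}/index.html", "/var/www/index.html"))
```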
c656ae95d1c5c8ed5763356263ace2d03087efec 20-Nov-2009 Eric W. Biederman <ebiederm@xmission.com> security/tomoyo: Remove now unnecessary handling of security_sysctl.

Now that sys_sysctl is an emulation on top of proc sys all sysctl
operations look like normal filesystem operations and we don't need
to use the special sysctl hook to authenticate them.

Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
file.c
tomoyo.c
tomoyo.h
a4054b6b20e9c2cca63715a319759bf8d37d82fc 20-Nov-2009 Eric W. Biederman <ebiederm@xmission.com> security/tomoyo: Add a special case to handle accesses through the internal proc mount.

With the change of sys_sysctl going through the internal proc mount we no
longer need to handle security_sysctl in tomoyo as we have valid pathnames
for all sysctl accesses. There is one slight caveat to that in that
all of the paths from the internal mount look like
"/sys/net/ipv4/ip_local_port_range" instead of
"/proc/sys/net/ipv4/ip_local_port_range" so tomoyo needs to add the
"/proc" portion manually when resolving to full path names to get what it expects.

This change teaches tomoyo to perform that modification.

Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
realpath.c
86b1bc68e2f4244e4ea5db5458df9d19259fbb30 09-Nov-2009 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> sysctl security/tomoyo: Don't look at ctl_name

ctl_name field was removed. Always use procname field.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
tomoyo.c
024e1a49411a1a7363e65db48edf1b09e9ee68ad 28-Oct-2009 Stephen Hemminger <shemminger@vyatta.com> tomoyo: improve hash bucket dispersion

When examining the network device name hash, it was discovered that
the low order bits of full_name_hash() are not very well dispersed
across the possible values. When used by filesystem code, this is handled
by folding with the function hash_long().

The only other non-filesystem usage of full_name_hash() at this time
appears to be in TOMOYO. This patch should fix that.

I do not use TOMOYO at this time, so this patch is build tested only.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
realpath.c
ee18d64c1f632043a02e6f5ba5e045bb26a5465f 02-Sep-2009 David Howells <dhowells@redhat.com> KEYS: Add a keyctl to install a process's session keyring on its parent [try #6]

Add a keyctl to install a process's session keyring onto its parent. This
replaces the parent's session keyring. Because the COW credential code does
not permit one process to change another process's credentials directly, the
change is deferred until userspace next starts executing again. Normally this
will be after a wait*() syscall.

To support this, three new security hooks have been provided:
cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
the blank security creds and key_session_to_parent() - which asks the LSM if
the process may replace its parent's session keyring.

The replacement may only happen if the process has the same ownership details
as its parent, and the process has LINK permission on the session keyring, and
the session keyring is owned by the process, and the LSM permits it.

Note that this requires alteration to each architecture's notify_resume path.
This has been done for all arches barring blackfin, m68k* and xtensa, all of
which need assembly alteration to support TIF_NOTIFY_RESUME. This allows the
replacement to be performed at the point the parent process resumes userspace
execution.

This allows the userspace AFS pioctl emulation to fully emulate newpag() and
the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
alter the parent process's PAG membership. However, since kAFS doesn't use
PAGs per se, but rather dumps the keys into the session keyring, the session
keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
the newpag flag.

This can be tested with the following program:

#include <stdio.h>
#include <stdlib.h>
#include <keyutils.h>

#define KEYCTL_SESSION_TO_PARENT 18

#define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)

int main(int argc, char **argv)
{
	key_serial_t keyring, key;
	long ret;

	keyring = keyctl_join_session_keyring(argv[1]);
	OSERROR(keyring, "keyctl_join_session_keyring");

	key = add_key("user", "a", "b", 1, keyring);
	OSERROR(key, "add_key");

	ret = keyctl(KEYCTL_SESSION_TO_PARENT);
	OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");

	return 0;
}

Compiled and linked with -lkeyutils, you should see something like:

[dhowells@andromeda ~]$ keyctl show
Session Keyring
-3 --alswrv 4043 4043 keyring: _ses
355907932 --alswrv 4043 -1 \_ keyring: _uid.4043
[dhowells@andromeda ~]$ /tmp/newpag
[dhowells@andromeda ~]$ keyctl show
Session Keyring
-3 --alswrv 4043 4043 keyring: _ses
1055658746 --alswrv 4043 4043 \_ user: a
[dhowells@andromeda ~]$ /tmp/newpag hello
[dhowells@andromeda ~]$ keyctl show
Session Keyring
-3 --alswrv 4043 4043 keyring: hello
340417692 --alswrv 4043 4043 \_ user: a

Where the test program creates a new session keyring, sticks a user key named
'a' into it and then installs it on its parent.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
tomoyo.c
56f8c9bc410deb55f21698e6a0d59f559ae1d794 19-Jun-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Remove next_domain from tomoyo_find_next_domain().

We can update bprm->cred->security inside tomoyo_find_next_domain().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
domain.c
tomoyo.c
tomoyo.h
ccf135f509abdbf607e9a68f08ddeee2c66dc36e 19-Jun-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Move tomoyo_delete_domain().

We can mark tomoyo_delete_domain() as a "static" function
by moving it from domain.c to common.c .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
c3fa109a5894077d1eaf8731ea741a15dd117b3c 07-Jun-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Add description of lists and structures.

This patch adds some descriptions of lists and structures.
This patch contains no code changes.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
realpath.c
tomoyo.c
5bf1692f65c12a8aa359dc883468284ffc3c4587 05-Jun-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Remove unused field.

TOMOYO 2.2.0 is not using total_len field of "struct tomoyo_path_info".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
0b4ec6e4e01d98e55ae325a41304cccd87fa4c0f 09-Jun-2009 James Morris <jmorris@namei.org> Merge branch 'master' into next
bcb86975dbcc24f820f1a37918d53914af29ace7 04-Jun-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Remove unused parameter.

TOMOYO 2.2.0 does not check argv[] and envp[] upon execve().
We don't need to pass "struct tomoyo_page_buffer".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
domain.c
file.c
tomoyo.h
7d2948b1248109dbc7f4aaf9867c54b1912d494c 02-Jun-2009 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Simplify policy reader.

We can directly assign the result of tomoyo_io_printf() to done flag.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
domain.c
file.c
ab588ccadc80f6ef5495e83e176e88c5c0fc2d0e 02-Jun-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Remove redundant markers.

Remove '/***** START/STOP *****/' markers.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
domain.c
file.c
realpath.c
fe67e6f2d6df371b58ba721954d45a196df5e8b8 02-Jun-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Remove unused mutex.

I forgot to remove it on TOMOYO's 15th posting.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
domain.c
fbeb4a9c20d00e2550156f9e5a34473fbde59de2 02-Jun-2009 Serge E. Hallyn <serue@us.ibm.com> tomoyo: avoid get+put of task_struct

Use task_cred_xxx(task, security) in tomoyo_real_domain() to
avoid a get+put of the target cred.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
tomoyo.h
b1338d199dda6681d9af0297928af0a7eb9cba7b 25-May-2009 Herton Ronaldo Krzesinski <herton@mandriva.com.br> tomoyo: add missing call to cap_bprm_set_creds

cap_bprm_set_creds() has to be called from security_bprm_set_creds().
TOMOYO forgot to call cap_bprm_set_creds() from tomoyo_bprm_set_creds()
and suid executables were not working.

Make sure we call cap_bprm_set_creds() with TOMOYO, to set credentials
properly inside tomoyo_bprm_set_creds().

Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
tomoyo.c
e24977d45f45d1675e050dc1a0aaf4bfc4ca9866 03-Apr-2009 Al Viro <viro@zeniv.linux.org.uk> Reduce path_lookup() abuses

... use kern_path() where possible

[folded a fix from rdd]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
common.c
realpath.c
39826a1e17c1957bd7b5cd7815b83940e5e3a230 08-Apr-2009 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> tomoyo: version bump to 2.2.0.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
file.c
realpath.c
realpath.h
tomoyo.c
tomoyo.h
a0558fc3491c0494feb8472cf6c0119e43fd9484 06-Apr-2009 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> tomoyo: remove "undelete domain" command.

Since TOMOYO's policy management tools do not use the "undelete domain"
command, we decided to remove that command.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
domain.c
5ad4e53bd5406ee214ddc5a41f03f779b8b2d526 30-Mar-2009 Al Viro <viro@zeniv.linux.org.uk> Get rid of indirect include of fs_struct.h

Don't pull it in sched.h; very few files actually need it and those
can include directly. sched.h itself only needs forward declaration
of struct fs_struct;

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
realpath.c
a106cbfd1f3703402fc2d95d97e7a054102250f0 27-Mar-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Fix a typo.

Fix a typo.

Reported-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.h
1581e7ddbdd97443a134e1a0cc9d81256baf77a4 21-Feb-2009 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Do not call tomoyo_realpath_init unless registered.

tomoyo_realpath_init() is unconditionally called by security_initcall().
But nobody will use realpath related functions if TOMOYO is not registered.

So, let tomoyo_init() call tomoyo_realpath_init().

This patch saves 4KB of memory allocation if TOMOYO is not registered.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
realpath.c
realpath.h
tomoyo.c
e5a3b95f581da62e2054ef79d3be2d383e9ed664 14-Feb-2009 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> TOMOYO: Don't create securityfs entries unless registered.

TOMOYO should not create /sys/kernel/security/tomoyo/ interface unless
TOMOYO is registered.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
33043cbb9fd49a957089f5948fe814764d7abbd6 13-Feb-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> TOMOYO: Fix exception policy read failure.

Due to wrong initialization, "cat /sys/kernel/security/tomoyo/exception_policy"
returned nothing.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
domain.c
35d50e60e8b12e4adc2fa317343a176d87294a72 12-Feb-2009 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> tomoyo: fix sparse warning

Fix sparse warning.

$ make C=2 SUBDIRS=security/tomoyo CF="-D__cold__="
CHECK security/tomoyo/common.c
CHECK security/tomoyo/realpath.c
CHECK security/tomoyo/tomoyo.c
security/tomoyo/tomoyo.c:110:8: warning: symbol 'buf' shadows an earlier one
security/tomoyo/tomoyo.c:100:7: originally declared here

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
tomoyo.c
00d7d6f840ddc947237307e022de5e75ded4105f 05-Feb-2009 Kentaro Takeda <takedakn@nttdata.co.jp> Kconfig and Makefile

TOMOYO uses LSM hooks for pathname based access control and securityfs support.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Kconfig
Makefile
f7433243770c77979c396b4c7449a10e9b3521db 05-Feb-2009 Kentaro Takeda <takedakn@nttdata.co.jp> LSM adapter functions.

DAC's permissions and TOMOYO's permissions are not a one-to-one mapping.

Regarding DAC, there are "read", "write", "execute" permissions.
Regarding TOMOYO, there are "allow_read", "allow_write", "allow_read/write",
"allow_execute", "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir",
"allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar",
"allow_truncate", "allow_symlink", "allow_rewrite", "allow_link",
"allow_rename" permissions.

+----------------------------------+----------------------------------+
| requested operation              | required TOMOYO's permission     |
+----------------------------------+----------------------------------+
| sys_open(O_RDONLY)               | allow_read                       |
+----------------------------------+----------------------------------+
| sys_open(O_WRONLY)               | allow_write                      |
+----------------------------------+----------------------------------+
| sys_open(O_RDWR)                 | allow_read/write                 |
+----------------------------------+----------------------------------+
| open_exec() from do_execve()     | allow_execute                    |
+----------------------------------+----------------------------------+
| open_exec() from !do_execve()    | allow_read                       |
+----------------------------------+----------------------------------+
| sys_read()                       | (none)                           |
+----------------------------------+----------------------------------+
| sys_write()                      | (none)                           |
+----------------------------------+----------------------------------+
| sys_mmap()                       | (none)                           |
+----------------------------------+----------------------------------+
| sys_uselib()                     | allow_read                       |
+----------------------------------+----------------------------------+
| sys_open(O_CREAT)                | allow_create                     |
+----------------------------------+----------------------------------+
| sys_open(O_TRUNC)                | allow_truncate                   |
+----------------------------------+----------------------------------+
| sys_truncate()                   | allow_truncate                   |
+----------------------------------+----------------------------------+
| sys_ftruncate()                  | allow_truncate                   |
+----------------------------------+----------------------------------+
| sys_open() without O_APPEND      | allow_rewrite                    |
+----------------------------------+----------------------------------+
| setfl() without O_APPEND         | allow_rewrite                    |
+----------------------------------+----------------------------------+
| sys_sysctl() for writing         | allow_write                      |
+----------------------------------+----------------------------------+
| sys_sysctl() for reading         | allow_read                       |
+----------------------------------+----------------------------------+
| sys_unlink()                     | allow_unlink                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFREG)               | allow_create                     |
+----------------------------------+----------------------------------+
| sys_mknod(0)                     | allow_create                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFIFO)               | allow_mkfifo                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFSOCK)              | allow_mksock                     |
+----------------------------------+----------------------------------+
| sys_bind(AF_UNIX)                | allow_mksock                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFBLK)               | allow_mkblock                    |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFCHR)               | allow_mkchar                     |
+----------------------------------+----------------------------------+
| sys_symlink()                    | allow_symlink                    |
+----------------------------------+----------------------------------+
| sys_mkdir()                      | allow_mkdir                      |
+----------------------------------+----------------------------------+
| sys_rmdir()                      | allow_rmdir                      |
+----------------------------------+----------------------------------+
| sys_link()                       | allow_link                       |
+----------------------------------+----------------------------------+
| sys_rename()                     | allow_rename                     |
+----------------------------------+----------------------------------+

TOMOYO requires "allow_execute" permission of a pathname passed to do_execve()
but does not require "allow_read" permission of that pathname.
Let's consider 3 patterns (statically linked, dynamically linked,
shell script). This description is to some degree simplified.

$ cat hello.c
#include <stdio.h>
int main() {
	printf("Hello\n");
	return 0;
}
$ cat hello.sh
#! /bin/sh
echo "Hello"
$ gcc -static -o hello-static hello.c
$ gcc -o hello-dynamic hello.c
$ chmod 755 hello.sh

Case 1 -- Executing hello-static from bash.

(1) The bash process calls fork() and the child process requests
do_execve("hello-static").

(2) The kernel checks "allow_execute hello-static" from "bash" domain.

(3) The kernel calculates "bash hello-static" as the domain to transit to.

(4) The kernel overwrites the child process by "hello-static".

(5) The child process transits to "bash hello-static" domain.

(6) The "hello-static" starts and finishes.

Case 2 -- Executing hello-dynamic from bash.

(1) The bash process calls fork() and the child process requests
do_execve("hello-dynamic").

(2) The kernel checks "allow_execute hello-dynamic" from "bash" domain.

(3) The kernel calculates "bash hello-dynamic" as the domain to transit to.

(4) The kernel checks "allow_read ld-linux.so" from "bash hello-dynamic"
domain. I think permission to access ld-linux.so should be charged to the
hello-dynamic program, for "hello-dynamic needs ld-linux.so" is not
a fault of the bash program.

(5) The kernel overwrites the child process by "hello-dynamic".

(6) The child process transits to "bash hello-dynamic" domain.

(7) The "hello-dynamic" starts and finishes.

Case 3 -- Executing hello.sh from bash.

(1) The bash process calls fork() and the child process requests
do_execve("hello.sh").

(2) The kernel checks "allow_execute hello.sh" from "bash" domain.

(3) The kernel calculates "bash hello.sh" as the domain to transit to.

(4) The kernel checks "allow_read /bin/sh" from "bash hello.sh" domain.
I think permission to access /bin/sh should be charged to the hello.sh program,
for "hello.sh needs /bin/sh" is not a fault of the bash program.

(5) The kernel overwrites the child process by "/bin/sh".

(6) The child process transits to "bash hello.sh" domain.

(7) The "/bin/sh" requests open("hello.sh").

(8) The kernel checks "allow_read hello.sh" from "bash hello.sh" domain.

(9) The "/bin/sh" starts and finishes.

Whether a file is interpreted as a program or not depends on an application.
The kernel cannot know whether the file is interpreted as a program or not.
Thus, TOMOYO treats "hello-static" "hello-dynamic" "ld-linux.so" "hello.sh"
"/bin/sh" equally as merely files; no distinction between executable and
non-executable. Therefore, TOMOYO doesn't check DAC's execute permission.
TOMOYO checks "allow_read" permission instead.

Calling do_execve() is a bold gesture that an old program's instance (i.e.
current process) is ready to be overwritten by a new program and is ready to
transfer control to the new program. To split purview of programs, TOMOYO
requires "allow_execute" permission of the new program against the old
program's instance and performs domain transition. If do_execve() succeeds,
the old program is no longer responsible for the consequences of the new
program's behavior. Only the new program is responsible for all consequences.

But TOMOYO doesn't require "allow_read" permission of the new program.
If TOMOYO requires "allow_read" permission of the new program, TOMOYO will
allow an attacker (who hijacked the old program's instance) to open the new
program and steal data from the new program. Requiring "allow_read" permission
will widen purview of the old program.

Not requiring "allow_read" permission of the new program against the old
program's instance is my design for reducing purview of the old program.
To be able to know whether the current process is in do_execve() or not,
I want to add in_execve flag to "task_struct".

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
tomoyo.c
tomoyo.h
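The flow of the three cases above, as an added Python model (not kernel or TOMOYO code): a domain is an invocation-history string, an ACL is a (directive, pathname) pair, and the sample policy, domain names and paths are constructed to mirror Cases 1-3.

```python
from typing import Dict, Optional, Set, Tuple

Acl = Set[Tuple[str, str]]            # {(directive, pathname)} granted to one domain


class Denied(Exception):
    """Raised with the domain and the directive that was missing."""


class Policy:
    def __init__(self, acls: Dict[str, Acl], globally_readable: Set[str] = frozenset()):
        self.acls = acls
        # Exception-policy "allow_read" directive: readable from every domain.
        self.globally_readable = set(globally_readable)

    def permits(self, domain: str, directive: str, pathname: str) -> bool:
        if directive == "allow_read" and pathname in self.globally_readable:
            return True
        return (directive, pathname) in self.acls.get(domain, set())

    def require(self, domain: str, directive: str, pathname: str) -> None:
        if not self.permits(domain, directive, pathname):
            raise Denied(f'{domain}: "{directive} {pathname}" missing')


def do_execve(policy: Policy, domain: str, program: str,
              interpreter: Optional[str] = None) -> str:
    """Steps (2)-(6) of the cases above; returns the domain the child transits to."""
    # (2) allow_execute is checked against the OLD domain. This is the only
    #     check the caller pays for; it needs no allow_read on `program`.
    policy.require(domain, "allow_execute", program)
    # (3) the new domain is the old one with the program appended.
    new_domain = f"{domain} {program}"
    # (4) ld-linux.so or the "#!" interpreter is charged to the NEW domain as a
    #     read, because needing it is the new program's affair, not the caller's.
    if interpreter is not None:
        policy.require(new_domain, "allow_read", interpreter)
    return new_domain


def run_script(policy: Policy, domain: str, script: str, shell: str = "/bin/sh") -> str:
    """Case 3: after the transition, the shell itself open()s the script (step 8)."""
    new_domain = do_execve(policy, domain, script, interpreter=shell)
    policy.require(new_domain, "allow_read", script)
    return new_domain


BASH = "<kernel> /bin/bash"

# Constructed sample policy following the three cases in the commit message.
SAMPLE = Policy(
    acls={
        BASH: {("allow_execute", "/tmp/hello-static"),
               ("allow_execute", "/tmp/hello-dynamic"),
               ("allow_execute", "/tmp/hello.sh")},
        f"{BASH} /tmp/hello-dynamic": {("allow_read", "/lib/ld-linux.so")},
        f"{BASH} /tmp/hello.sh": {("allow_read", "/bin/sh"),
                                  ("allow_read", "/tmp/hello.sh")},
    },
)


def denied_reason(fn, *args) -> Optional[str]:
    """Run one simulation; None on success, otherwise the failing check."""
    try:
        fn(*args)
        return None
    except Denied as e:
        return str(e)


if __name__ == "__main__":
    print(do_execve(SAMPLE, BASH, "/tmp/hello-static"))
    print(do_execve(SAMPLE, BASH, "/tmp/hello-dynamic", "/lib/ld-linux.so"))
    print(run_script(SAMPLE, BASH, "/tmp/hello.sh"))
    # The bash domain may execute hello-dynamic but cannot open it: its purview stays narrow.
    print(SAMPLE.permits(BASH, "allow_read", "/tmp/hello-dynamic"))
    # A program whose new domain lacks allow_read on the loader fails at step (4).
    print(denied_reason(do_execve, SAMPLE, BASH, "/tmp/hello-static", "/lib/ld-linux.so"))
```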
26a2a1c9eb88d9aca8891575b3b986812e073872 05-Feb-2009 Kentaro Takeda <takedakn@nttdata.co.jp> Domain transition handler.

This file controls domain creation/deletion/transition.

Every process belongs to a domain in TOMOYO Linux.
Domain transition occurs when execve(2) is called
and the domain is expressed as 'process invocation history',
such as '<kernel> /sbin/init /etc/init.d/rc'.
Domain information is stored in current->cred->security field.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
domain.c
b69a54ee582373d76e4b5560970db5b8c618b12a 05-Feb-2009 Kentaro Takeda <takedakn@nttdata.co.jp> File operation restriction part.

This file controls file related operations of TOMOYO Linux.

tomoyo/tomoyo.c calls the following six functions in this file.
Each function handles the following access types.

* tomoyo_check_file_perm
sysctl()'s "read" and "write".

* tomoyo_check_exec_perm
"execute".

* tomoyo_check_open_permission
open(2) for "read" and "write".

* tomoyo_check_1path_perm
"create", "unlink", "mkdir", "rmdir", "mkfifo",
"mksock", "mkblock", "mkchar", "truncate" and "symlink".

* tomoyo_check_2path_perm
"rename" and "unlink".

* tomoyo_check_rewrite_permission
"rewrite".
("rewrite" operations are those which may lose already recorded data of a file,
i.e. open(!O_APPEND) || open(O_TRUNC) || truncate() || ftruncate())

The functions which actually check ACLs are the following three functions.
Each function handles the following access types.
ACL directive is expressed by "allow_<access type>".

* tomoyo_check_file_acl
Open() operation and execve() operation.
("read", "write", "read/write" and "execute")

* tomoyo_check_single_write_acl
Directory modification operations with 1 pathname.
("create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock",
"mkblock", "mkchar", "truncate", "symlink" and "rewrite")

* tomoyo_check_double_write_acl
Directory modification operations with 2 pathnames.
("link" and "rename")

Also, this file contains handlers of some utility directives
for file related operations.

* "allow_read": specifies globally (for all domains) readable files.
* "path_group": specifies pathname macro.
* "deny_rewrite": restricts rewrite operation.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
file.c
9590837b89aaa4523209ac91c52db5ea0d9142fd 05-Feb-2009 Kentaro Takeda <takedakn@nttdata.co.jp> Common functions for TOMOYO Linux.

This file contains common functions (e.g. policy I/O, pattern matching).

-------------------- About pattern matching --------------------

Since TOMOYO Linux is a name-based access control system, TOMOYO Linux seriously
considers "safe" string representation.

TOMOYO Linux's string manipulation functions make reviewers feel crazy,
but there are reasons why TOMOYO Linux needs its own string manipulation
functions.

----- Part 1 : preconditions -----

People definitely want to use wild cards.

To support pattern matching, we have to support wild card characters.

In a typical Linux system, filenames likely consist of only letters,
numbers, and some characters (e.g. + - ~ . / ).
But theoretically, the Linux kernel accepts all characters but NUL character
(which is used as a terminator of a string).

Some Linux systems can have filenames which contain * ? ** etc.

Therefore, we have to somehow modify strings so that we can distinguish
wild card characters from normal characters.

It might be possible for some application's configuration files to restrict
acceptable characters.
It is impossible for kernel to restrict acceptable characters.

We can't accept approaches which will cause troubles for applications.

----- Part 2 : commonly used approaches -----

Text-formatted strings separated by the space character (0x20) and the new line
character (0x0A) are preferable for users over an array of NUL-terminated
strings.

Thus, people use text formatted configuration files separated by space
character and new line.

We sometimes need to handle non-printable characters.

Thus, people use the \ character (0x5C) as an escape character and represent
non-printable characters using octal or hexadecimal format.

At this point, we recall (at least) 3 approaches.

(1) Shell glob style expression
(2) POSIX regular expression (UNIX style regular expression)
(3) Maverick wild card expression

On the surface, (1) and (2) sound like good choices. But they have a big pitfall.
All meta-characters in (1) and (2) are legal characters for representing
a pathname, and users easily write incorrect expressions. What is worse, users
are unlikely to notice incorrect expressions because characters used for regular
pathnames are unlikely to contain meta-characters. This incorrect use of
meta-characters in pathname representation reveals a vulnerability
(e.g. unexpected results) only when an irregular pathname is specified.

The authors of TOMOYO Linux think that approaches which add some character
for interpreting meta-characters as normal characters (i.e. (1) and (2)) are
not suitable for security use.

Therefore, the authors of TOMOYO Linux propose (3).

----- Part 3: consideration points -----

We need to solve the encoding problem.

A single character can be represented in several ways using encodings.

For the Japanese language, there are "ShiftJIS", "ISO-2022-JP", "EUC-JP",
"UTF-8" and more.

Some languages (e.g. Japanese) support multi-byte characters
(where a single character is represented using several bytes).

Some multi-byte characters may match the escape character.

For the Japanese language, some characters in the "ShiftJIS" encoding match
the \ character, which bothers Web CGI developers.

It is important that kernel strings are not bothered by the encoding problem.

Linus said, "I really would expect that kernel strings don't have
an encoding. They're just C strings: a NUL-terminated stream of bytes."
http://lkml.org/lkml/2007/11/6/142

Yes. The kernel strings are just C strings.
We are talking about how to store and carry "kernel strings" safely.

If we store "kernel string" into policy file as-is, the "kernel string" will
be interpreted differently depending on application's encoding settings.
One application may interpret "kernel string" as "UTF-8",
another application may interpret "kernel string" as "ShiftJIS".

Therefore, we propose to represent strings using ASCII encoding.
In this way, we are no longer bothered by encoding problems.

We need to avoid information loss caused by display.

It is difficult to input and display non-printable characters, but we have to
be able to handle such characters because the kernel string is a C string.

If we use only ASCII printable characters (from 0x21 to 0x7E) and the space
character (0x20) and the new line character (0x0A), it is easy to input from
the keyboard and display on all terminals which are running Linux.

Therefore, we propose to represent strings using only characters whose value
is one of "from 0x21 to 0x7E", "0x20", "0x0A".

We need to consider ease of splitting strings from a line.

If we use an approach which uses "\ " for representing a space character
within a string, we have to count the string from the beginning to check
whether this space character is accompanied with \ character or not.
As a result, we cannot monotonically split a line using space character.

If we use an approach which uses "\040" for representing a space character
within a string, we can monotonically split a line using space character.

If we use an approach which uses NUL character as a delimiter, we cannot
use string manipulation functions for splitting strings from a line.

Therefore, we propose that we represent space character as "\040".

We need to avoid wrong designations (incorrect use of special characters).

Not all users can understand and utilize POSIX's regular expressions
correctly and perfectly.

If a character acts as a wild card by default, the user will get an unexpected
result if that user doesn't know the meaning of that character.

Therefore, we propose that all characters but \ character act as
a normal character and let the user add \ character to make a character
act as a wild card.

In this way, users needn't know all wild card characters beforehand.
They can learn when they encounter an unseen wild card character
for the first time.

----- Part 4: supported wild card expressions -----

At this point, we have wild card expressions listed below.

+-----------+--------------------------------------------------------------+
| Wild card | Meaning and example                                          |
+-----------+--------------------------------------------------------------+
| \*        | More than or equals to 0 character other than '/'.           |
|           | /var/log/samba/\*                                            |
+-----------+--------------------------------------------------------------+
| \@        | More than or equals to 0 character other than '/' or '.'.    |
|           | /var/www/html/\@.html                                        |
+-----------+--------------------------------------------------------------+
| \?        | 1 byte character other than '/'.                             |
|           | /tmp/mail.\?\?\?\?\?\?                                       |
+-----------+--------------------------------------------------------------+
| \$        | More than or equals to 1 decimal digit.                      |
|           | /proc/\$/cmdline                                             |
+-----------+--------------------------------------------------------------+
| \+        | 1 decimal digit.                                             |
|           | /var/tmp/my_work.\+                                          |
+-----------+--------------------------------------------------------------+
| \X        | More than or equals to 1 hexadecimal digit.                  |
|           | /var/tmp/my-work.\X                                          |
+-----------+--------------------------------------------------------------+
| \x        | 1 hexadecimal digit.                                         |
|           | /tmp/my-work.\x                                              |
+-----------+--------------------------------------------------------------+
| \A        | More than or equals to 1 alphabet character.                 |
|           | /var/log/my-work/\$-\A-\$.log                                |
+-----------+--------------------------------------------------------------+
| \a        | 1 alphabet character.                                        |
|           | /home/users/\a/\*/public_html/\*.html                        |
+-----------+--------------------------------------------------------------+
| \-        | Pathname subtraction operator.                               |
|           | +---------------------+------------------------------------+ |
|           | | Example             | Meaning                            | |
|           | +---------------------+------------------------------------+ |
|           | | /etc/\*             | All files in /etc/ directory.      | |
|           | +---------------------+------------------------------------+ |
|           | | /etc/\*\-\*shadow\* | /etc/\* other than /etc/\*shadow\* | |
|           | +---------------------+------------------------------------+ |
|           | | /\*\-proc\-sys/     | /\*/ other than /proc/ /sys/       | |
|           | +---------------------+------------------------------------+ |
+-----------+--------------------------------------------------------------+

+----------------+---------------------------------------------------------+
| Representation | Meaning and example                                     |
+----------------+---------------------------------------------------------+
| \\             | backslash character itself.                             |
+----------------+---------------------------------------------------------+
| \ooo           | 1 byte character.                                       |
|                | ooo is 001 <= ooo <= 040 || 177 <= ooo <= 377.          |
|                |                                                         |
|                | \040 for space character.                               |
|                | \177 for del character.                                 |
|                |                                                         |
+----------------+---------------------------------------------------------+

----- Part 5: Advantages -----

We can obtain extensibility.

Since our proposed approach adds \ to a character to interpret as a wild
card, we can introduce new wild card in future while maintaining backward
compatibility.

We can process monotonically.

Since our proposed approach separates strings using a space character,
we can split strings using existing string manipulation functions.

We can reliably analyze access logs.

It is guaranteed that a string doesn't contain space character (0x20) and
new line character (0x0A).

It is guaranteed that a string won't be converted by FTP and won't be damaged
by a terminal's settings.

It is guaranteed that a string won't be affected by encoding converters
(except encodings which insert NUL character (e.g. UTF-16)).

----- Part 6: conclusion -----

TOMOYO Linux is using its own encoding for the reasons described above.
There is a disadvantage that we need to introduce a series of new string
manipulation functions. But TOMOYO Linux's encoding is useful for all users
(including audit and AppArmor) who want to perform pattern matching and
safely exchange string information between the kernel and the userspace.

-------------------- About policy interface --------------------

TOMOYO Linux creates the following files on securityfs (normally
mounted on /sys/kernel/security) as interfaces between kernel and
userspace. These files are for TOMOYO Linux management tools *only*,
not for general programs.

* profile
* exception_policy
* domain_policy
* manager
* meminfo
* self_domain
* version
* .domain_status
* .process_status

** /sys/kernel/security/tomoyo/profile **

This file is used to read or write profiles.

"profile" means a running mode of a process. A profile lists
functions and their modes in "$number-$variable=$value" format. The
$number is the profile number between 0 and 255. Each domain is assigned
one profile. To assign a profile to domains, use the "ccs-setprofile",
"ccs-editpolicy" or "ccs-loadpolicy" commands.

(Example)
[root@tomoyo]# cat /sys/kernel/security/tomoyo/profile
0-COMMENT=-----Disabled Mode-----
0-MAC_FOR_FILE=disabled
0-MAX_ACCEPT_ENTRY=2048
0-TOMOYO_VERBOSE=disabled
1-COMMENT=-----Learning Mode-----
1-MAC_FOR_FILE=learning
1-MAX_ACCEPT_ENTRY=2048
1-TOMOYO_VERBOSE=disabled
2-COMMENT=-----Permissive Mode-----
2-MAC_FOR_FILE=permissive
2-MAX_ACCEPT_ENTRY=2048
2-TOMOYO_VERBOSE=enabled
3-COMMENT=-----Enforcing Mode-----
3-MAC_FOR_FILE=enforcing
3-MAX_ACCEPT_ENTRY=2048
3-TOMOYO_VERBOSE=enabled

- MAC_FOR_FILE:
Specifies access control level regarding file access requests.
- MAX_ACCEPT_ENTRY:
Limits the max number of ACL entries that are automatically appended
during learning mode. Default is 2048.
- TOMOYO_VERBOSE:
Specifies whether to print domain policy violation messages or not.

** /sys/kernel/security/tomoyo/manager **

This file is used to read or append the list of programs or domains
that can write to /sys/kernel/security/tomoyo interface. By default,
only processes with both UID = 0 and EUID = 0 can modify policy via
/sys/kernel/security/tomoyo interface. You can use keyword
"manage_by_non_root" to allow policy modification by a non-root user.

(Example)
[root@tomoyo]# cat /sys/kernel/security/tomoyo/manager
/usr/lib/ccs/loadpolicy
/usr/lib/ccs/editpolicy
/usr/lib/ccs/setlevel
/usr/lib/ccs/setprofile
/usr/lib/ccs/ld-watch
/usr/lib/ccs/ccs-queryd

** /sys/kernel/security/tomoyo/exception_policy **

This file is used to read and write system global settings. Each line
has a directive and operand pair. Directives are listed below.

- initialize_domain:
To initialize domain transition when a specific program is executed,
use the initialize_domain directive.
* initialize_domain "program" from "domain"
* initialize_domain "program" from "the last program part of domain"
* initialize_domain "program"
If the part "from" and after is not given, the entry is applied to
all domains. If the "domain" doesn't start with "<kernel>", the entry
is applied to all domains whose domain name ends with "the last program
part of domain".
This directive is intended to aggregate domain transitions for daemon
programs and programs that are invoked by the kernel on demand, by
transitioning to a different domain.

- keep_domain
To prevent domain transition when a program is executed from a specific
domain, use the keep_domain directive.
* keep_domain "program" from "domain"
* keep_domain "program" from "the last program part of domain"
* keep_domain "domain"
* keep_domain "the last program part of domain"
If the part "from" and before is not given, this entry is applied to
all programs. If the "domain" doesn't start with "<kernel>", the entry
is applied to all domains whose domain name ends with "the last program
part of domain".
This directive is intended to reduce the total number of domains and
memory usage by suppressing unneeded domain transitions.
To declare domain keepers, use the keep_domain directive followed by a
domain definition.
Any process that belongs to a domain declared with this directive
stays in the same domain unless a program registered with the
initialize_domain directive is executed.

In order to control domain transition in detail, you can use
no_keep_domain/no_initialize_domain keywords.

- alias:
To allow executing programs using the name of symbolic links, use
alias keyword followed by dereferenced pathname and reference
pathname. For example, /sbin/pidof is a symbolic link to
/sbin/killall5 . In the normal case, if /sbin/pidof is executed, the
domain is defined as if /sbin/killall5 is executed. By specifying
"alias /sbin/killall5 /sbin/pidof", you can run /sbin/pidof in the
domain for /sbin/pidof .
(Example)
alias /sbin/killall5 /sbin/pidof

- allow_read:
To grant unconditionally readable permissions, use the allow_read keyword
followed by a canonicalized file. This keyword is intended to reduce the
size of domain policy by granting read access to library files such
as GLIBC and locale files. The exception is, if the ignore_global_allow_read
keyword is given to a domain, entries specified by this keyword are
ignored.
(Example)
allow_read /lib/libc-2.5.so

- file_pattern:
To declare a pathname pattern, use the file_pattern keyword followed by a
pathname pattern. The pathname pattern must be a canonicalized
pathname. This keyword is applicable to neither granting execute
permissions nor domain definitions.
For example, canonicalized pathname that contains a process ID
(i.e. /proc/PID/ files) needs to be grouped in order to make access
control work well.
(Example)
file_pattern /proc/\$/cmdline

- path_group
To declare pathname group, use path_group keyword followed by name of
the group and pathname pattern. For example, if you want to group all
files under home directory, you can define
path_group HOME-DIR-FILE /home/\*/\*
path_group HOME-DIR-FILE /home/\*/\*/\*
path_group HOME-DIR-FILE /home/\*/\*/\*/\*
in the exception policy and use like
allow_read @HOME-DIR-FILE
to grant file access permission.

- deny_rewrite:
To deny overwriting already written contents of file (such as log
files) by default, use deny_rewrite keyword followed by pathname
pattern. Files whose pathnames match the patterns are not permitted to be
opened for writing without append mode or truncation unless the pathnames
are explicitly granted using the allow_rewrite keyword in domain policy.
(Example)
deny_rewrite /var/log/\*

- aggregator
To treat multiple programs as a single program, use the aggregator keyword
followed by the name of the original program and the aggregated program. This
keyword is intended to aggregate similar programs.
For example, /usr/bin/tac and /bin/cat are similar. By specifying
"aggregator /usr/bin/tac /bin/cat", you can run /usr/bin/tac in the
domain for /bin/cat .
For example, /usr/sbin/logrotate for Fedora Core 3 generates programs
like /tmp/logrotate.\?\?\?\?\?\? and run them, but TOMOYO Linux
doesn't allow using patterns for granting execute permission and
defining domains. By specifying
"aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp", you can
run /tmp/logrotate.\?\?\?\?\?\? as if /tmp/logrotate.tmp is running.

** /sys/kernel/security/tomoyo/domain_policy **

This file contains definition of all domains and permissions that are
granted to each domain.

Lines from the line after a domain definition (any line starting
with "<kernel>") to the line before the next domain definition
are interpreted as access permissions for that domain.

** /sys/kernel/security/tomoyo/meminfo **

This file is to show the total RAM used to keep policy in the kernel
by TOMOYO Linux in bytes.
(Example)
[root@tomoyo]# cat /sys/kernel/security/tomoyo/meminfo
Shared: 61440
Private: 69632
Dynamic: 768
Total: 131840

You can set memory quota by writing to this file.
(Example)
[root@tomoyo]# echo Shared: 2097152 > /sys/kernel/security/tomoyo/meminfo
[root@tomoyo]# echo Private: 2097152 > /sys/kernel/security/tomoyo/meminfo

** /sys/kernel/security/tomoyo/self_domain **

This file is to show the name of domain the caller process belongs to.
(Example)
[root@etch]# cat /sys/kernel/security/tomoyo/self_domain
<kernel> /usr/sbin/sshd /bin/zsh /bin/cat

** /sys/kernel/security/tomoyo/version **

This file is used for getting TOMOYO Linux's version.
(Example)
[root@etch]# cat /sys/kernel/security/tomoyo/version
2.2.0-pre

** /sys/kernel/security/tomoyo/.domain_status **

This is a view (of a DBMS) that contains only the profile number and
domain name of each domain so that the "ccs-setprofile" command can do
line-oriented processing easily.

** /sys/kernel/security/tomoyo/.process_status **

This file is used by "ccs-ccstree" command to show "list of processes
currently running" and "domains which each process belongs to" and
"profile number which the domain is currently assigned" like "pstree"
command. This file is writable by programs that aren't registered as
a policy manager.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
common.c
common.h
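The wild cards listed in Part 4 of the commit message above can be exercised with a small matcher. The following C program is an added example written for this page, not code from the TOMOYO Linux project: path_matches_pattern(), match_star() and enc_char_len() are names I chose. It implements the single-character classes (\?, \+, \x, \a), the one-or-more classes (\$, \X, \A), the '/'-bounded \* and \@, and the \\ and \ooo escapes, and it assumes both the pattern and the pathname are already in the encoded representation (so one \? consumes a whole \040). The \- subtraction operator is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Byte length of the encoded character at s: "\\" is 2 bytes, "\ooo"
 * (three octal digits) is 4, anything else is 1. A lone backslash that
 * is not a valid escape is treated as a single byte. */
static size_t enc_char_len(const char *s)
{
    if (s[0] != '\\')
        return 1;
    if (s[1] == '\\')
        return 2;
    if (s[1] >= '0' && s[1] <= '3' && s[2] >= '0' && s[2] <= '7' &&
        s[3] >= '0' && s[3] <= '7')
        return 4;
    return 1;
}

static bool is_dec(char c) { return c >= '0' && c <= '9'; }
static bool is_hex(char c)
{
    return is_dec(c) || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
}
static bool is_alp(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

bool path_matches_pattern(const char *f, const char *p);

/* \* and \@: consume zero or more encoded characters, never crossing
 * '/' (nor '.' for \@), trying the rest of the pattern at each step. */
static bool match_star(const char *f, const char *p, bool stop_at_dot)
{
    for (;;) {
        if (path_matches_pattern(f, p))
            return true;
        if (*f == '\0' || *f == '/' || (stop_at_dot && *f == '.'))
            return false;
        f += enc_char_len(f);
    }
}

/* Match encoded pathname f against pattern p. Both are in the TOMOYO
 * representation, so ordinary bytes are compared literally and the
 * "\\" and "\ooo" escapes in the pattern must appear verbatim in f.
 * "\-" (pathname subtraction) is not handled by this example. */
bool path_matches_pattern(const char *f, const char *p)
{
    for (;;) {
        if (*p == '\0')
            return *f == '\0';
        if (*p != '\\') {                         /* ordinary byte */
            if (*f != *p)
                return false;
            f++;
            p++;
            continue;
        }
        char c = p[1];
        bool (*cls)(char) = NULL;                 /* class for \+ \x \a \$ \X \A */
        switch (c) {
        case '\\':                                /* literal backslash */
            if (f[0] != '\\' || f[1] != '\\')
                return false;
            f += 2;
            p += 2;
            continue;
        case '0': case '1': case '2': case '3':   /* \ooo literal byte */
            if (strncmp(f, p, 4) != 0)
                return false;
            f += 4;
            p += 4;
            continue;
        case '?':                                 /* one char other than '/' */
            if (*f == '\0' || *f == '/')
                return false;
            f += enc_char_len(f);
            p += 2;
            continue;
        case '*':
            return match_star(f, p + 2, false);
        case '@':
            return match_star(f, p + 2, true);
        case '+': case '$': cls = is_dec; break;
        case 'x': case 'X': cls = is_hex; break;
        case 'a': case 'A': cls = is_alp; break;
        default:
            return false;                         /* unknown wild card */
        }
        p += 2;
        if (!cls(*f))                             /* every class needs one */
            return false;
        f++;
        if (c == '+' || c == 'x' || c == 'a')
            continue;                             /* exactly one character */
        for (;;) {                                /* \$ \X \A: one or more */
            if (path_matches_pattern(f, p))
                return true;
            if (!cls(*f))
                return false;
            f++;
        }
    }
}
```

Call it as path_matches_pattern("/proc/1234/cmdline", "/proc/\\$/cmdline") (the C literal for the pattern /proc/\$/cmdline). Because both operands are already encoded, the matcher never has to reason about raw spaces or newlines, which is the monotonic-processing property Part 5 claims; the only multi-byte units it has to step over are the \\ and \ooo escapes, and enc_char_len() does that for \?, \* and \@.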
c73bd6d473ceb5d643d3afd7e75b7dc2e6918558 05-Feb-2009 Kentaro Takeda <takedakn@nttdata.co.jp> Memory and pathname management functions.

TOMOYO Linux performs pathname based access control.
To remove factors that make pathname based access control difficult
(e.g. symbolic links, "..", "//" etc.), TOMOYO Linux derives realpath
of requested pathname from "struct dentry" and "struct vfsmount".

The maximum length of string data is limited to 4000 including trailing '\0'.
Since TOMOYO Linux uses '\ooo' style representation for non ASCII printable
characters, maybe TOMOYO Linux should be able to support 16336 (which means
(NAME_MAX * (PATH_MAX / (NAME_MAX + 1)) * 4 + (PATH_MAX / (NAME_MAX + 1)))
including trailing '\0'), but I think 4000 is enough for practical use.

TOMOYO uses only 0x21 - 0x7E (as printable characters) and 0x20 (as word
delimiter) and 0x0A (as line delimiter).
0x01 - 0x20 and 0x80 - 0xFF are handled in \ooo style representation.
The reason to use \ooo is to guarantee that "%s" won't damage logs.
A userland program can request

open("/tmp/file granted.\nAccess /tmp/file ", O_WRONLY | O_CREAT, 0600)

and logging such crazy pathname using "Access %s denied.\n" format will cause
"fabrication of logs" like

Access /tmp/file granted.
Access /tmp/file denied.

TOMOYO converts such characters to \ooo so that the logs will become

Access /tmp/file\040granted.\012Access\040/tmp/file denied.

and the administrator can read the logs safely using /bin/cat .
Likewise, a crazy request like

open("/tmp/\x01\x02\x03\x04\x05\x06\x07\x08\x09", O_WRONLY | O_CREAT, 0600)

will be processed safely by converting to

Access /tmp/\001\002\003\004\005\006\007\010\011 denied.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
realpath.c
realpath.h
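The \ooo conversion that the commit message above and Part 3 of the earlier documentation both describe, as an added example in C. This is not the project's own realpath.c code: tomoyo_style_encode(), tomoyo_style_decode(), count_fields() and the three check helpers are names I chose, and the encoder follows the \ooo table (0x21-0x7E copied literally except the backslash, the backslash doubled, everything else as three octal digits, so DEL becomes \177). The sample pathnames are the constructed ones from the commit message.

```c
#include <stdio.h>
#include <string.h>

/* Encode C string src: printable 0x21-0x7E is copied, '\' becomes "\\",
 * every other byte (0x01-0x20, 0x7F-0xFF) becomes "\ooo" (three octal
 * digits). Returns the encoded length, or -1 if dst is too small. */
long tomoyo_style_encode(const char *src, char *dst, size_t dstsize)
{
    size_t n = 0;
    for (const unsigned char *s = (const unsigned char *)src; *s; s++) {
        size_t need = (*s == '\\') ? 2 : (*s >= 0x21 && *s <= 0x7E) ? 1 : 4;
        if (n + need >= dstsize)        /* keep room for the NUL */
            return -1;
        if (need == 1) {
            dst[n++] = (char)*s;
        } else if (need == 2) {
            dst[n++] = '\\';
            dst[n++] = '\\';
        } else {
            dst[n++] = '\\';
            dst[n++] = (char)('0' + ((*s >> 6) & 7));
            dst[n++] = (char)('0' + ((*s >> 3) & 7));
            dst[n++] = (char)('0' + (*s & 7));
        }
    }
    dst[n] = '\0';
    return (long)n;
}

/* Inverse of tomoyo_style_encode. Returns the decoded length, or -1 on a
 * malformed escape (lone backslash, "\40", or "\000", which no C string
 * can hold) or when dst is too small. */
long tomoyo_style_decode(const char *src, char *dst, size_t dstsize)
{
    size_t n = 0;
    for (const char *s = src; *s;) {
        unsigned char c;
        if (*s != '\\') {
            c = (unsigned char)*s++;
        } else if (s[1] == '\\') {
            c = '\\';
            s += 2;
        } else if (s[1] >= '0' && s[1] <= '3' && s[2] >= '0' &&
                   s[2] <= '7' && s[3] >= '0' && s[3] <= '7') {
            c = (unsigned char)(((s[1] - '0') << 6) | ((s[2] - '0') << 3) |
                                (s[3] - '0'));
            s += 4;
        } else {
            return -1;
        }
        if (c == 0 || n + 1 >= dstsize)
            return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (long)n;
}

/* Count space-separated fields of one encoded log line. An encoded string
 * never contains 0x20 or 0x0A, so one left-to-right pass with no
 * look-behind for a preceding backslash is enough. */
int count_fields(const char *line)
{
    int fields = 0, in_word = 0;
    for (; *line; line++) {
        if (*line == ' ') {
            in_word = 0;
        } else if (!in_word) {
            in_word = 1;
            fields++;
        }
    }
    return fields;
}

/* Does encoding src yield exactly expected? */
int encodes_to(const char *src, const char *expected)
{
    char buf[256];
    return tomoyo_style_encode(src, buf, sizeof buf) >= 0 &&
           strcmp(buf, expected) == 0;
}

/* Does encode followed by decode reproduce src byte for byte? */
int round_trips(const char *src)
{
    char enc[256], dec[256];
    return tomoyo_style_encode(src, enc, sizeof enc) >= 0 &&
           tomoyo_style_decode(enc, dec, sizeof dec) >= 0 &&
           strcmp(dec, src) == 0;
}

/* Is enc a well-formed encoded string? */
int decode_is_valid(const char *enc)
{
    char dec[256];
    return tomoyo_style_decode(enc, dec, sizeof dec) >= 0;
}
```

Encoding the constructed pathname "/tmp/file granted.\nAccess /tmp/file " with tomoyo_style_encode() and printing it through "Access %s denied.\n" yields the single line "Access /tmp/file\040granted.\012Access\040/tmp/file\040 denied.", so the %s can no longer inject a second log line, and count_fields() sees three space-separated fields instead of the five a raw pathname would produce. The decoder refuses \000 and truncated escapes so that a policy file edited by hand cannot smuggle a NUL back into a kernel string.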