common.c revision 17fcfbd9d45b57f38d40e31f9d28db53f4af5c88
1/* 2 * security/tomoyo/common.c 3 * 4 * Common functions for TOMOYO. 5 * 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 7 * 8 * Version: 2.2.0 2009/04/01 9 * 10 */ 11 12#include <linux/uaccess.h> 13#include <linux/slab.h> 14#include <linux/security.h> 15#include <linux/hardirq.h> 16#include "common.h" 17 18/* Lock for protecting policy. */ 19DEFINE_MUTEX(tomoyo_policy_lock); 20 21/* Has loading policy done? */ 22bool tomoyo_policy_loaded; 23 24/* String table for functionality that takes 4 modes. */ 25static const char *tomoyo_mode_4[4] = { 26 "disabled", "learning", "permissive", "enforcing" 27}; 28/* String table for functionality that takes 2 modes. */ 29static const char *tomoyo_mode_2[4] = { 30 "disabled", "enabled", "enabled", "enabled" 31}; 32 33/* 34 * tomoyo_control_array is a static data which contains 35 * 36 * (1) functionality name used by /sys/kernel/security/tomoyo/profile . 37 * (2) initial values for "struct tomoyo_profile". 38 * (3) max values for "struct tomoyo_profile". 39 */ 40static struct { 41 const char *keyword; 42 unsigned int current_value; 43 const unsigned int max_value; 44} tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = { 45 [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, 46 [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX }, 47 [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, 48}; 49 50/* 51 * tomoyo_profile is a structure which is used for holding the mode of access 52 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing. 53 * An administrator can define up to 256 profiles. 54 * The ->profile of "struct tomoyo_domain_info" is used for remembering 55 * the profile's number (0 - 255) assigned to that domain. 56 */ 57static struct tomoyo_profile { 58 unsigned int value[TOMOYO_MAX_CONTROL_INDEX]; 59 const struct tomoyo_path_info *comment; 60} *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES]; 61 62/* Permit policy management by non-root user? */ 63static bool tomoyo_manage_by_non_root; 64 65/* Utility functions. */ 66 67/* Open operation for /sys/kernel/security/tomoyo/ interface. */ 68static int tomoyo_open_control(const u8 type, struct file *file); 69/* Close /sys/kernel/security/tomoyo/ interface. */ 70static int tomoyo_close_control(struct file *file); 71/* Read operation for /sys/kernel/security/tomoyo/ interface. */ 72static int tomoyo_read_control(struct file *file, char __user *buffer, 73 const int buffer_len); 74/* Write operation for /sys/kernel/security/tomoyo/ interface. */ 75static int tomoyo_write_control(struct file *file, const char __user *buffer, 76 const int buffer_len); 77/* Check whether the domain has too many ACL entries to hold. */ 78static bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r); 79 80/** 81 * tomoyo_parse_name_union - Parse a tomoyo_name_union. 82 * 83 * @filename: Name or name group. 84 * @ptr: Pointer to "struct tomoyo_name_union". 85 * 86 * Returns true on success, false otherwise. 87 */ 88bool tomoyo_parse_name_union(const char *filename, 89 struct tomoyo_name_union *ptr) 90{ 91 if (!tomoyo_is_correct_path(filename, 0, 0, 0)) 92 return false; 93 if (filename[0] == '@') { 94 ptr->group = tomoyo_get_path_group(filename + 1); 95 ptr->is_group = true; 96 return ptr->group != NULL; 97 } 98 ptr->filename = tomoyo_get_name(filename); 99 ptr->is_group = false; 100 return ptr->filename != NULL; 101} 102 103/** 104 * tomoyo_print_name_union - Print a tomoyo_name_union. 105 * 106 * @head: Pointer to "struct tomoyo_io_buffer". 107 * @ptr: Pointer to "struct tomoyo_name_union". 108 * 109 * Returns true on success, false otherwise. 110 */ 111static bool tomoyo_print_name_union(struct tomoyo_io_buffer *head, 112 const struct tomoyo_name_union *ptr) 113{ 114 int pos = head->read_avail; 115 if (pos && head->read_buf[pos - 1] == ' ') 116 head->read_avail--; 117 if (ptr->is_group) 118 return tomoyo_io_printf(head, " @%s", 119 ptr->group->group_name->name); 120 return tomoyo_io_printf(head, " %s", ptr->filename->name); 121} 122 123/** 124 * tomoyo_parse_ulong - Parse an "unsigned long" value. 125 * 126 * @result: Pointer to "unsigned long". 127 * @str: Pointer to string to parse. 128 * 129 * Returns value type on success, 0 otherwise. 130 * 131 * The @src is updated to point the first character after the value 132 * on success. 133 */ 134u8 tomoyo_parse_ulong(unsigned long *result, char **str) 135{ 136 const char *cp = *str; 137 char *ep; 138 int base = 10; 139 if (*cp == '0') { 140 char c = *(cp + 1); 141 if (c == 'x' || c == 'X') { 142 base = 16; 143 cp += 2; 144 } else if (c >= '0' && c <= '7') { 145 base = 8; 146 cp++; 147 } 148 } 149 *result = simple_strtoul(cp, &ep, base); 150 if (cp == ep) 151 return 0; 152 *str = ep; 153 switch (base) { 154 case 16: 155 return TOMOYO_VALUE_TYPE_HEXADECIMAL; 156 case 8: 157 return TOMOYO_VALUE_TYPE_OCTAL; 158 default: 159 return TOMOYO_VALUE_TYPE_DECIMAL; 160 } 161} 162 163/** 164 * tomoyo_print_ulong - Print an "unsigned long" value. 165 * 166 * @buffer: Pointer to buffer. 167 * @buffer_len: Size of @buffer. 168 * @value: An "unsigned long" value. 169 * @type: Type of @value. 170 * 171 * Returns nothing. 172 */ 173void tomoyo_print_ulong(char *buffer, const int buffer_len, 174 const unsigned long value, const u8 type) 175{ 176 if (type == TOMOYO_VALUE_TYPE_DECIMAL) 177 snprintf(buffer, buffer_len, "%lu", value); 178 else if (type == TOMOYO_VALUE_TYPE_OCTAL) 179 snprintf(buffer, buffer_len, "0%lo", value); 180 else if (type == TOMOYO_VALUE_TYPE_HEXADECIMAL) 181 snprintf(buffer, buffer_len, "0x%lX", value); 182 else 183 snprintf(buffer, buffer_len, "type(%u)", type); 184} 185 186/** 187 * tomoyo_print_number_union - Print a tomoyo_number_union. 188 * 189 * @head: Pointer to "struct tomoyo_io_buffer". 190 * @ptr: Pointer to "struct tomoyo_number_union". 191 * 192 * Returns true on success, false otherwise. 193 */ 194bool tomoyo_print_number_union(struct tomoyo_io_buffer *head, 195 const struct tomoyo_number_union *ptr) 196{ 197 unsigned long min; 198 unsigned long max; 199 u8 min_type; 200 u8 max_type; 201 if (!tomoyo_io_printf(head, " ")) 202 return false; 203 if (ptr->is_group) 204 return tomoyo_io_printf(head, "@%s", 205 ptr->group->group_name->name); 206 min_type = ptr->min_type; 207 max_type = ptr->max_type; 208 min = ptr->values[0]; 209 max = ptr->values[1]; 210 switch (min_type) { 211 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 212 if (!tomoyo_io_printf(head, "0x%lX", min)) 213 return false; 214 break; 215 case TOMOYO_VALUE_TYPE_OCTAL: 216 if (!tomoyo_io_printf(head, "0%lo", min)) 217 return false; 218 break; 219 default: 220 if (!tomoyo_io_printf(head, "%lu", min)) 221 return false; 222 break; 223 } 224 if (min == max && min_type == max_type) 225 return true; 226 switch (max_type) { 227 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 228 return tomoyo_io_printf(head, "-0x%lX", max); 229 case TOMOYO_VALUE_TYPE_OCTAL: 230 return tomoyo_io_printf(head, "-0%lo", max); 231 default: 232 return tomoyo_io_printf(head, "-%lu", max); 233 } 234} 235 236/** 237 * tomoyo_parse_number_union - Parse a tomoyo_number_union. 238 * 239 * @data: Number or number range or number group. 240 * @ptr: Pointer to "struct tomoyo_number_union". 241 * 242 * Returns true on success, false otherwise. 243 */ 244bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num) 245{ 246 u8 type; 247 unsigned long v; 248 memset(num, 0, sizeof(*num)); 249 if (data[0] == '@') { 250 if (!tomoyo_is_correct_path(data, 0, 0, 0)) 251 return false; 252 num->group = tomoyo_get_number_group(data + 1); 253 num->is_group = true; 254 return num->group != NULL; 255 } 256 type = tomoyo_parse_ulong(&v, &data); 257 if (!type) 258 return false; 259 num->values[0] = v; 260 num->min_type = type; 261 if (!*data) { 262 num->values[1] = v; 263 num->max_type = type; 264 return true; 265 } 266 if (*data++ != '-') 267 return false; 268 type = tomoyo_parse_ulong(&v, &data); 269 if (!type || *data) 270 return false; 271 num->values[1] = v; 272 num->max_type = type; 273 return true; 274} 275 276/** 277 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value. 278 * 279 * @str: Pointer to the string. 280 * 281 * Returns true if @str is a \ooo style octal value, false otherwise. 282 * 283 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF. 284 * This function verifies that \ooo is in valid range. 285 */ 286static inline bool tomoyo_is_byte_range(const char *str) 287{ 288 return *str >= '0' && *str++ <= '3' && 289 *str >= '0' && *str++ <= '7' && 290 *str >= '0' && *str <= '7'; 291} 292 293/** 294 * tomoyo_is_alphabet_char - Check whether the character is an alphabet. 295 * 296 * @c: The character to check. 297 * 298 * Returns true if @c is an alphabet character, false otherwise. 299 */ 300static inline bool tomoyo_is_alphabet_char(const char c) 301{ 302 return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'); 303} 304 305/** 306 * tomoyo_make_byte - Make byte value from three octal characters. 307 * 308 * @c1: The first character. 309 * @c2: The second character. 310 * @c3: The third character. 311 * 312 * Returns byte value. 313 */ 314static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3) 315{ 316 return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0'); 317} 318 319/** 320 * tomoyo_str_starts - Check whether the given string starts with the given keyword. 321 * 322 * @src: Pointer to pointer to the string. 323 * @find: Pointer to the keyword. 324 * 325 * Returns true if @src starts with @find, false otherwise. 326 * 327 * The @src is updated to point the first character after the @find 328 * if @src starts with @find. 329 */ 330static bool tomoyo_str_starts(char **src, const char *find) 331{ 332 const int len = strlen(find); 333 char *tmp = *src; 334 335 if (strncmp(tmp, find, len)) 336 return false; 337 tmp += len; 338 *src = tmp; 339 return true; 340} 341 342/** 343 * tomoyo_normalize_line - Format string. 344 * 345 * @buffer: The line to normalize. 346 * 347 * Leading and trailing whitespaces are removed. 348 * Multiple whitespaces are packed into single space. 349 * 350 * Returns nothing. 351 */ 352static void tomoyo_normalize_line(unsigned char *buffer) 353{ 354 unsigned char *sp = buffer; 355 unsigned char *dp = buffer; 356 bool first = true; 357 358 while (tomoyo_is_invalid(*sp)) 359 sp++; 360 while (*sp) { 361 if (!first) 362 *dp++ = ' '; 363 first = false; 364 while (tomoyo_is_valid(*sp)) 365 *dp++ = *sp++; 366 while (tomoyo_is_invalid(*sp)) 367 sp++; 368 } 369 *dp = '\0'; 370} 371 372/** 373 * tomoyo_tokenize - Tokenize string. 374 * 375 * @buffer: The line to tokenize. 376 * @w: Pointer to "char *". 377 * @size: Sizeof @w . 378 * 379 * Returns true on success, false otherwise. 380 */ 381bool tomoyo_tokenize(char *buffer, char *w[], size_t size) 382{ 383 int count = size / sizeof(char *); 384 int i; 385 for (i = 0; i < count; i++) 386 w[i] = ""; 387 for (i = 0; i < count; i++) { 388 char *cp = strchr(buffer, ' '); 389 if (cp) 390 *cp = '\0'; 391 w[i] = buffer; 392 if (!cp) 393 break; 394 buffer = cp + 1; 395 } 396 return i < count || !*buffer; 397} 398 399/** 400 * tomoyo_is_correct_path - Validate a pathname. 401 * @filename: The pathname to check. 402 * @start_type: Should the pathname start with '/'? 403 * 1 = must / -1 = must not / 0 = don't care 404 * @pattern_type: Can the pathname contain a wildcard? 405 * 1 = must / -1 = must not / 0 = don't care 406 * @end_type: Should the pathname end with '/'? 407 * 1 = must / -1 = must not / 0 = don't care 408 * 409 * Check whether the given filename follows the naming rules. 410 * Returns true if @filename follows the naming rules, false otherwise. 411 */ 412bool tomoyo_is_correct_path(const char *filename, const s8 start_type, 413 const s8 pattern_type, const s8 end_type) 414{ 415 const char *const start = filename; 416 bool in_repetition = false; 417 bool contains_pattern = false; 418 unsigned char c; 419 unsigned char d; 420 unsigned char e; 421 422 if (!filename) 423 goto out; 424 c = *filename; 425 if (start_type == 1) { /* Must start with '/' */ 426 if (c != '/') 427 goto out; 428 } else if (start_type == -1) { /* Must not start with '/' */ 429 if (c == '/') 430 goto out; 431 } 432 if (c) 433 c = *(filename + strlen(filename) - 1); 434 if (end_type == 1) { /* Must end with '/' */ 435 if (c != '/') 436 goto out; 437 } else if (end_type == -1) { /* Must not end with '/' */ 438 if (c == '/') 439 goto out; 440 } 441 while (1) { 442 c = *filename++; 443 if (!c) 444 break; 445 if (c == '\\') { 446 c = *filename++; 447 switch (c) { 448 case '\\': /* "\\" */ 449 continue; 450 case '$': /* "\$" */ 451 case '+': /* "\+" */ 452 case '?': /* "\?" */ 453 case '*': /* "\*" */ 454 case '@': /* "\@" */ 455 case 'x': /* "\x" */ 456 case 'X': /* "\X" */ 457 case 'a': /* "\a" */ 458 case 'A': /* "\A" */ 459 case '-': /* "\-" */ 460 if (pattern_type == -1) 461 break; /* Must not contain pattern */ 462 contains_pattern = true; 463 continue; 464 case '{': /* "/\{" */ 465 if (filename - 3 < start || 466 *(filename - 3) != '/') 467 break; 468 if (pattern_type == -1) 469 break; /* Must not contain pattern */ 470 contains_pattern = true; 471 in_repetition = true; 472 continue; 473 case '}': /* "\}/" */ 474 if (*filename != '/') 475 break; 476 if (!in_repetition) 477 break; 478 in_repetition = false; 479 continue; 480 case '0': /* "\ooo" */ 481 case '1': 482 case '2': 483 case '3': 484 d = *filename++; 485 if (d < '0' || d > '7') 486 break; 487 e = *filename++; 488 if (e < '0' || e > '7') 489 break; 490 c = tomoyo_make_byte(c, d, e); 491 if (tomoyo_is_invalid(c)) 492 continue; /* pattern is not \000 */ 493 } 494 goto out; 495 } else if (in_repetition && c == '/') { 496 goto out; 497 } else if (tomoyo_is_invalid(c)) { 498 goto out; 499 } 500 } 501 if (pattern_type == 1) { /* Must contain pattern */ 502 if (!contains_pattern) 503 goto out; 504 } 505 if (in_repetition) 506 goto out; 507 return true; 508 out: 509 return false; 510} 511 512/** 513 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules. 514 * @domainname: The domainname to check. 515 * 516 * Returns true if @domainname follows the naming rules, false otherwise. 517 */ 518bool tomoyo_is_correct_domain(const unsigned char *domainname) 519{ 520 unsigned char c; 521 unsigned char d; 522 unsigned char e; 523 524 if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME, 525 TOMOYO_ROOT_NAME_LEN)) 526 goto out; 527 domainname += TOMOYO_ROOT_NAME_LEN; 528 if (!*domainname) 529 return true; 530 do { 531 if (*domainname++ != ' ') 532 goto out; 533 if (*domainname++ != '/') 534 goto out; 535 while ((c = *domainname) != '\0' && c != ' ') { 536 domainname++; 537 if (c == '\\') { 538 c = *domainname++; 539 switch ((c)) { 540 case '\\': /* "\\" */ 541 continue; 542 case '0': /* "\ooo" */ 543 case '1': 544 case '2': 545 case '3': 546 d = *domainname++; 547 if (d < '0' || d > '7') 548 break; 549 e = *domainname++; 550 if (e < '0' || e > '7') 551 break; 552 c = tomoyo_make_byte(c, d, e); 553 if (tomoyo_is_invalid(c)) 554 /* pattern is not \000 */ 555 continue; 556 } 557 goto out; 558 } else if (tomoyo_is_invalid(c)) { 559 goto out; 560 } 561 } 562 } while (*domainname); 563 return true; 564 out: 565 return false; 566} 567 568/** 569 * tomoyo_is_domain_def - Check whether the given token can be a domainname. 570 * 571 * @buffer: The token to check. 572 * 573 * Returns true if @buffer possibly be a domainname, false otherwise. 574 */ 575bool tomoyo_is_domain_def(const unsigned char *buffer) 576{ 577 return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN); 578} 579 580/** 581 * tomoyo_find_domain - Find a domain by the given name. 582 * 583 * @domainname: The domainname to find. 584 * 585 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise. 586 * 587 * Caller holds tomoyo_read_lock(). 588 */ 589struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname) 590{ 591 struct tomoyo_domain_info *domain; 592 struct tomoyo_path_info name; 593 594 name.name = domainname; 595 tomoyo_fill_path_info(&name); 596 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 597 if (!domain->is_deleted && 598 !tomoyo_pathcmp(&name, domain->domainname)) 599 return domain; 600 } 601 return NULL; 602} 603 604/** 605 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token. 606 * 607 * @filename: The string to evaluate. 608 * 609 * Returns the initial length without a pattern in @filename. 610 */ 611static int tomoyo_const_part_length(const char *filename) 612{ 613 char c; 614 int len = 0; 615 616 if (!filename) 617 return 0; 618 while ((c = *filename++) != '\0') { 619 if (c != '\\') { 620 len++; 621 continue; 622 } 623 c = *filename++; 624 switch (c) { 625 case '\\': /* "\\" */ 626 len += 2; 627 continue; 628 case '0': /* "\ooo" */ 629 case '1': 630 case '2': 631 case '3': 632 c = *filename++; 633 if (c < '0' || c > '7') 634 break; 635 c = *filename++; 636 if (c < '0' || c > '7') 637 break; 638 len += 4; 639 continue; 640 } 641 break; 642 } 643 return len; 644} 645 646/** 647 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members. 648 * 649 * @ptr: Pointer to "struct tomoyo_path_info" to fill in. 650 * 651 * The caller sets "struct tomoyo_path_info"->name. 652 */ 653void tomoyo_fill_path_info(struct tomoyo_path_info *ptr) 654{ 655 const char *name = ptr->name; 656 const int len = strlen(name); 657 658 ptr->const_len = tomoyo_const_part_length(name); 659 ptr->is_dir = len && (name[len - 1] == '/'); 660 ptr->is_patterned = (ptr->const_len < len); 661 ptr->hash = full_name_hash(name, len); 662} 663 664/** 665 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character 666 * and "\-" pattern. 667 * 668 * @filename: The start of string to check. 669 * @filename_end: The end of string to check. 670 * @pattern: The start of pattern to compare. 671 * @pattern_end: The end of pattern to compare. 672 * 673 * Returns true if @filename matches @pattern, false otherwise. 674 */ 675static bool tomoyo_file_matches_pattern2(const char *filename, 676 const char *filename_end, 677 const char *pattern, 678 const char *pattern_end) 679{ 680 while (filename < filename_end && pattern < pattern_end) { 681 char c; 682 if (*pattern != '\\') { 683 if (*filename++ != *pattern++) 684 return false; 685 continue; 686 } 687 c = *filename; 688 pattern++; 689 switch (*pattern) { 690 int i; 691 int j; 692 case '?': 693 if (c == '/') { 694 return false; 695 } else if (c == '\\') { 696 if (filename[1] == '\\') 697 filename++; 698 else if (tomoyo_is_byte_range(filename + 1)) 699 filename += 3; 700 else 701 return false; 702 } 703 break; 704 case '\\': 705 if (c != '\\') 706 return false; 707 if (*++filename != '\\') 708 return false; 709 break; 710 case '+': 711 if (!isdigit(c)) 712 return false; 713 break; 714 case 'x': 715 if (!isxdigit(c)) 716 return false; 717 break; 718 case 'a': 719 if (!tomoyo_is_alphabet_char(c)) 720 return false; 721 break; 722 case '0': 723 case '1': 724 case '2': 725 case '3': 726 if (c == '\\' && tomoyo_is_byte_range(filename + 1) 727 && strncmp(filename + 1, pattern, 3) == 0) { 728 filename += 3; 729 pattern += 2; 730 break; 731 } 732 return false; /* Not matched. */ 733 case '*': 734 case '@': 735 for (i = 0; i <= filename_end - filename; i++) { 736 if (tomoyo_file_matches_pattern2( 737 filename + i, filename_end, 738 pattern + 1, pattern_end)) 739 return true; 740 c = filename[i]; 741 if (c == '.' && *pattern == '@') 742 break; 743 if (c != '\\') 744 continue; 745 if (filename[i + 1] == '\\') 746 i++; 747 else if (tomoyo_is_byte_range(filename + i + 1)) 748 i += 3; 749 else 750 break; /* Bad pattern. */ 751 } 752 return false; /* Not matched. */ 753 default: 754 j = 0; 755 c = *pattern; 756 if (c == '$') { 757 while (isdigit(filename[j])) 758 j++; 759 } else if (c == 'X') { 760 while (isxdigit(filename[j])) 761 j++; 762 } else if (c == 'A') { 763 while (tomoyo_is_alphabet_char(filename[j])) 764 j++; 765 } 766 for (i = 1; i <= j; i++) { 767 if (tomoyo_file_matches_pattern2( 768 filename + i, filename_end, 769 pattern + 1, pattern_end)) 770 return true; 771 } 772 return false; /* Not matched or bad pattern. */ 773 } 774 filename++; 775 pattern++; 776 } 777 while (*pattern == '\\' && 778 (*(pattern + 1) == '*' || *(pattern + 1) == '@')) 779 pattern += 2; 780 return filename == filename_end && pattern == pattern_end; 781} 782 783/** 784 * tomoyo_file_matches_pattern - Pattern matching without without '/' character. 785 * 786 * @filename: The start of string to check. 787 * @filename_end: The end of string to check. 788 * @pattern: The start of pattern to compare. 789 * @pattern_end: The end of pattern to compare. 790 * 791 * Returns true if @filename matches @pattern, false otherwise. 792 */ 793static bool tomoyo_file_matches_pattern(const char *filename, 794 const char *filename_end, 795 const char *pattern, 796 const char *pattern_end) 797{ 798 const char *pattern_start = pattern; 799 bool first = true; 800 bool result; 801 802 while (pattern < pattern_end - 1) { 803 /* Split at "\-" pattern. */ 804 if (*pattern++ != '\\' || *pattern++ != '-') 805 continue; 806 result = tomoyo_file_matches_pattern2(filename, 807 filename_end, 808 pattern_start, 809 pattern - 2); 810 if (first) 811 result = !result; 812 if (result) 813 return false; 814 first = false; 815 pattern_start = pattern; 816 } 817 result = tomoyo_file_matches_pattern2(filename, filename_end, 818 pattern_start, pattern_end); 819 return first ? result : !result; 820} 821 822/** 823 * tomoyo_path_matches_pattern2 - Do pathname pattern matching. 824 * 825 * @f: The start of string to check. 826 * @p: The start of pattern to compare. 827 * 828 * Returns true if @f matches @p, false otherwise. 829 */ 830static bool tomoyo_path_matches_pattern2(const char *f, const char *p) 831{ 832 const char *f_delimiter; 833 const char *p_delimiter; 834 835 while (*f && *p) { 836 f_delimiter = strchr(f, '/'); 837 if (!f_delimiter) 838 f_delimiter = f + strlen(f); 839 p_delimiter = strchr(p, '/'); 840 if (!p_delimiter) 841 p_delimiter = p + strlen(p); 842 if (*p == '\\' && *(p + 1) == '{') 843 goto recursive; 844 if (!tomoyo_file_matches_pattern(f, f_delimiter, p, 845 p_delimiter)) 846 return false; 847 f = f_delimiter; 848 if (*f) 849 f++; 850 p = p_delimiter; 851 if (*p) 852 p++; 853 } 854 /* Ignore trailing "\*" and "\@" in @pattern. */ 855 while (*p == '\\' && 856 (*(p + 1) == '*' || *(p + 1) == '@')) 857 p += 2; 858 return !*f && !*p; 859 recursive: 860 /* 861 * The "\{" pattern is permitted only after '/' character. 862 * This guarantees that below "*(p - 1)" is safe. 863 * Also, the "\}" pattern is permitted only before '/' character 864 * so that "\{" + "\}" pair will not break the "\-" operator. 865 */ 866 if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' || 867 *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\') 868 return false; /* Bad pattern. */ 869 do { 870 /* Compare current component with pattern. */ 871 if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2, 872 p_delimiter - 2)) 873 break; 874 /* Proceed to next component. */ 875 f = f_delimiter; 876 if (!*f) 877 break; 878 f++; 879 /* Continue comparison. */ 880 if (tomoyo_path_matches_pattern2(f, p_delimiter + 1)) 881 return true; 882 f_delimiter = strchr(f, '/'); 883 } while (f_delimiter); 884 return false; /* Not matched. */ 885} 886 887/** 888 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern. 889 * 890 * @filename: The filename to check. 891 * @pattern: The pattern to compare. 892 * 893 * Returns true if matches, false otherwise. 894 * 895 * The following patterns are available. 896 * \\ \ itself. 897 * \ooo Octal representation of a byte. 898 * \* Zero or more repetitions of characters other than '/'. 899 * \@ Zero or more repetitions of characters other than '/' or '.'. 900 * \? 1 byte character other than '/'. 901 * \$ One or more repetitions of decimal digits. 902 * \+ 1 decimal digit. 903 * \X One or more repetitions of hexadecimal digits. 904 * \x 1 hexadecimal digit. 905 * \A One or more repetitions of alphabet characters. 906 * \a 1 alphabet character. 907 * 908 * \- Subtraction operator. 909 * 910 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ 911 * /dir/dir/dir/ ). 912 */ 913bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, 914 const struct tomoyo_path_info *pattern) 915{ 916 const char *f = filename->name; 917 const char *p = pattern->name; 918 const int len = pattern->const_len; 919 920 /* If @pattern doesn't contain pattern, I can use strcmp(). */ 921 if (!pattern->is_patterned) 922 return !tomoyo_pathcmp(filename, pattern); 923 /* Don't compare directory and non-directory. */ 924 if (filename->is_dir != pattern->is_dir) 925 return false; 926 /* Compare the initial length without patterns. */ 927 if (strncmp(f, p, len)) 928 return false; 929 f += len; 930 p += len; 931 return tomoyo_path_matches_pattern2(f, p); 932} 933 934/** 935 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure. 936 * 937 * @head: Pointer to "struct tomoyo_io_buffer". 938 * @fmt: The printf()'s format string, followed by parameters. 939 * 940 * Returns true if output was written, false otherwise. 941 * 942 * The snprintf() will truncate, but tomoyo_io_printf() won't. 943 */ 944bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 945{ 946 va_list args; 947 int len; 948 int pos = head->read_avail; 949 int size = head->readbuf_size - pos; 950 951 if (size <= 0) 952 return false; 953 va_start(args, fmt); 954 len = vsnprintf(head->read_buf + pos, size, fmt, args); 955 va_end(args); 956 if (pos + len >= head->readbuf_size) 957 return false; 958 head->read_avail += len; 959 return true; 960} 961 962/** 963 * tomoyo_get_exe - Get tomoyo_realpath() of current process. 964 * 965 * Returns the tomoyo_realpath() of current process on success, NULL otherwise. 966 * 967 * This function uses kzalloc(), so the caller must call kfree() 968 * if this function didn't return NULL. 969 */ 970static const char *tomoyo_get_exe(void) 971{ 972 struct mm_struct *mm = current->mm; 973 struct vm_area_struct *vma; 974 const char *cp = NULL; 975 976 if (!mm) 977 return NULL; 978 down_read(&mm->mmap_sem); 979 for (vma = mm->mmap; vma; vma = vma->vm_next) { 980 if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { 981 cp = tomoyo_realpath_from_path(&vma->vm_file->f_path); 982 break; 983 } 984 } 985 up_read(&mm->mmap_sem); 986 return cp; 987} 988 989/** 990 * tomoyo_check_flags - Check mode for specified functionality. 991 * 992 * @domain: Pointer to "struct tomoyo_domain_info". 993 * @index: The functionality to check mode. 994 * 995 * TOMOYO checks only process context. 996 * This code disables TOMOYO's enforcement in case the function is called from 997 * interrupt context. 998 */ 999unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, 1000 const u8 index) 1001{ 1002 const u8 profile = domain->profile; 1003 1004 if (WARN_ON(in_interrupt())) 1005 return 0; 1006 return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX 1007#if TOMOYO_MAX_PROFILES != 256 1008 && profile < TOMOYO_MAX_PROFILES 1009#endif 1010 && tomoyo_profile_ptr[profile] ? 1011 tomoyo_profile_ptr[profile]->value[index] : 0; 1012} 1013 1014/** 1015 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode. 1016 * 1017 * @domain: Pointer to "struct tomoyo_domain_info". 1018 * 1019 * Returns true if domain policy violation warning should be printed to 1020 * console. 1021 */ 1022bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain) 1023{ 1024 return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0; 1025} 1026 1027/** 1028 * tomoyo_domain_quota_is_ok - Check for domain's quota. 1029 * 1030 * @r: Pointer to "struct tomoyo_request_info". 1031 * 1032 * Returns true if the domain is not exceeded quota, false otherwise. 1033 * 1034 * Caller holds tomoyo_read_lock(). 1035 */ 1036static bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r) 1037{ 1038 unsigned int count = 0; 1039 struct tomoyo_domain_info *domain = r->domain; 1040 struct tomoyo_acl_info *ptr; 1041 1042 if (r->mode != TOMOYO_CONFIG_LEARNING) 1043 return false; 1044 if (!domain) 1045 return true; 1046 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 1047 switch (ptr->type) { 1048 u16 perm; 1049 u8 i; 1050 case TOMOYO_TYPE_PATH_ACL: 1051 perm = container_of(ptr, struct tomoyo_path_acl, head) 1052 ->perm; 1053 for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++) 1054 if (perm & (1 << i)) 1055 count++; 1056 if (perm & (1 << TOMOYO_TYPE_READ_WRITE)) 1057 count -= 2; 1058 break; 1059 case TOMOYO_TYPE_PATH2_ACL: 1060 perm = container_of(ptr, struct tomoyo_path2_acl, head) 1061 ->perm; 1062 for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++) 1063 if (perm & (1 << i)) 1064 count++; 1065 break; 1066 case TOMOYO_TYPE_PATH_NUMBER_ACL: 1067 perm = container_of(ptr, struct tomoyo_path_number_acl, 1068 head)->perm; 1069 for (i = 0; i < TOMOYO_MAX_PATH_NUMBER_OPERATION; i++) 1070 if (perm & (1 << i)) 1071 count++; 1072 break; 1073 case TOMOYO_TYPE_PATH_NUMBER3_ACL: 1074 perm = container_of(ptr, struct tomoyo_path_number3_acl, 1075 head)->perm; 1076 for (i = 0; i < TOMOYO_MAX_PATH_NUMBER3_OPERATION; i++) 1077 if (perm & (1 << i)) 1078 count++; 1079 break; 1080 case TOMOYO_TYPE_MOUNT_ACL: 1081 if (!container_of(ptr, struct tomoyo_mount_acl, head)-> 1082 is_deleted) 1083 count++; 1084 } 1085 } 1086 if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY)) 1087 return true; 1088 if (!domain->quota_warned) { 1089 domain->quota_warned = true; 1090 printk(KERN_WARNING "TOMOYO-WARNING: " 1091 "Domain '%s' has so many ACLs to hold. " 1092 "Stopped learning mode.\n", domain->domainname->name); 1093 } 1094 return false; 1095} 1096 1097/** 1098 * tomoyo_find_or_assign_new_profile - Create a new profile. 1099 * 1100 * @profile: Profile number to create. 1101 * 1102 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 1103 */ 1104static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned 1105 int profile) 1106{ 1107 struct tomoyo_profile *ptr = NULL; 1108 int i; 1109 1110 if (profile >= TOMOYO_MAX_PROFILES) 1111 return NULL; 1112 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 1113 return NULL; 1114 ptr = tomoyo_profile_ptr[profile]; 1115 if (ptr) 1116 goto ok; 1117 ptr = kmalloc(sizeof(*ptr), GFP_NOFS); 1118 if (!tomoyo_memory_ok(ptr)) { 1119 kfree(ptr); 1120 ptr = NULL; 1121 goto ok; 1122 } 1123 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) 1124 ptr->value[i] = tomoyo_control_array[i].current_value; 1125 mb(); /* Avoid out-of-order execution. */ 1126 tomoyo_profile_ptr[profile] = ptr; 1127 ok: 1128 mutex_unlock(&tomoyo_policy_lock); 1129 return ptr; 1130} 1131 1132/** 1133 * tomoyo_write_profile - Write to profile table. 1134 * 1135 * @head: Pointer to "struct tomoyo_io_buffer". 1136 * 1137 * Returns 0 on success, negative value otherwise. 1138 */ 1139static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 1140{ 1141 char *data = head->write_buf; 1142 unsigned int i; 1143 unsigned int value; 1144 char *cp; 1145 struct tomoyo_profile *profile; 1146 unsigned long num; 1147 1148 cp = strchr(data, '-'); 1149 if (cp) 1150 *cp = '\0'; 1151 if (strict_strtoul(data, 10, &num)) 1152 return -EINVAL; 1153 if (cp) 1154 data = cp + 1; 1155 profile = tomoyo_find_or_assign_new_profile(num); 1156 if (!profile) 1157 return -EINVAL; 1158 cp = strchr(data, '='); 1159 if (!cp) 1160 return -EINVAL; 1161 *cp = '\0'; 1162 if (!strcmp(data, "COMMENT")) { 1163 const struct tomoyo_path_info *old_comment = profile->comment; 1164 profile->comment = tomoyo_get_name(cp + 1); 1165 tomoyo_put_name(old_comment); 1166 return 0; 1167 } 1168 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) { 1169 if (strcmp(data, tomoyo_control_array[i].keyword)) 1170 continue; 1171 if (sscanf(cp + 1, "%u", &value) != 1) { 1172 int j; 1173 const char **modes; 1174 switch (i) { 1175 case TOMOYO_VERBOSE: 1176 modes = tomoyo_mode_2; 1177 break; 1178 default: 1179 modes = tomoyo_mode_4; 1180 break; 1181 } 1182 for (j = 0; j < 4; j++) { 1183 if (strcmp(cp + 1, modes[j])) 1184 continue; 1185 value = j; 1186 break; 1187 } 1188 if (j == 4) 1189 return -EINVAL; 1190 } else if (value > tomoyo_control_array[i].max_value) { 1191 value = tomoyo_control_array[i].max_value; 1192 } 1193 profile->value[i] = value; 1194 return 0; 1195 } 1196 return -EINVAL; 1197} 1198 1199/** 1200 * tomoyo_read_profile - Read from profile table. 1201 * 1202 * @head: Pointer to "struct tomoyo_io_buffer". 1203 * 1204 * Returns 0. 1205 */ 1206static int tomoyo_read_profile(struct tomoyo_io_buffer *head) 1207{ 1208 static const int total = TOMOYO_MAX_CONTROL_INDEX + 1; 1209 int step; 1210 1211 if (head->read_eof) 1212 return 0; 1213 for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total; 1214 step++) { 1215 const u8 index = step / total; 1216 u8 type = step % total; 1217 const struct tomoyo_profile *profile 1218 = tomoyo_profile_ptr[index]; 1219 head->read_step = step; 1220 if (!profile) 1221 continue; 1222 if (!type) { /* Print profile' comment tag. */ 1223 if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n", 1224 index, profile->comment ? 1225 profile->comment->name : "")) 1226 break; 1227 continue; 1228 } 1229 type--; 1230 if (type < TOMOYO_MAX_CONTROL_INDEX) { 1231 const unsigned int value = profile->value[type]; 1232 const char **modes = NULL; 1233 const char *keyword 1234 = tomoyo_control_array[type].keyword; 1235 switch (tomoyo_control_array[type].max_value) { 1236 case 3: 1237 modes = tomoyo_mode_4; 1238 break; 1239 case 1: 1240 modes = tomoyo_mode_2; 1241 break; 1242 } 1243 if (modes) { 1244 if (!tomoyo_io_printf(head, "%u-%s=%s\n", index, 1245 keyword, modes[value])) 1246 break; 1247 } else { 1248 if (!tomoyo_io_printf(head, "%u-%s=%u\n", index, 1249 keyword, value)) 1250 break; 1251 } 1252 } 1253 } 1254 if (step == TOMOYO_MAX_PROFILES * total) 1255 head->read_eof = true; 1256 return 0; 1257} 1258 1259/* 1260 * tomoyo_policy_manager_list is used for holding list of domainnames or 1261 * programs which are permitted to modify configuration via 1262 * /sys/kernel/security/tomoyo/ interface. 1263 * 1264 * An entry is added by 1265 * 1266 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \ 1267 * /sys/kernel/security/tomoyo/manager 1268 * (if you want to specify by a domainname) 1269 * 1270 * or 1271 * 1272 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager 1273 * (if you want to specify by a program's location) 1274 * 1275 * and is deleted by 1276 * 1277 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \ 1278 * /sys/kernel/security/tomoyo/manager 1279 * 1280 * or 1281 * 1282 * # echo 'delete /usr/lib/ccs/editpolicy' > \ 1283 * /sys/kernel/security/tomoyo/manager 1284 * 1285 * and all entries are retrieved by 1286 * 1287 * # cat /sys/kernel/security/tomoyo/manager 1288 */ 1289LIST_HEAD(tomoyo_policy_manager_list); 1290 1291/** 1292 * tomoyo_update_manager_entry - Add a manager entry. 1293 * 1294 * @manager: The path to manager or the domainnamme. 1295 * @is_delete: True if it is a delete request. 1296 * 1297 * Returns 0 on success, negative value otherwise. 1298 * 1299 * Caller holds tomoyo_read_lock(). 1300 */ 1301static int tomoyo_update_manager_entry(const char *manager, 1302 const bool is_delete) 1303{ 1304 struct tomoyo_policy_manager_entry *ptr; 1305 struct tomoyo_policy_manager_entry e = { }; 1306 int error = is_delete ? -ENOENT : -ENOMEM; 1307 1308 if (tomoyo_is_domain_def(manager)) { 1309 if (!tomoyo_is_correct_domain(manager)) 1310 return -EINVAL; 1311 e.is_domain = true; 1312 } else { 1313 if (!tomoyo_is_correct_path(manager, 1, -1, -1)) 1314 return -EINVAL; 1315 } 1316 e.manager = tomoyo_get_name(manager); 1317 if (!e.manager) 1318 return -ENOMEM; 1319 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 1320 goto out; 1321 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { 1322 if (ptr->manager != e.manager) 1323 continue; 1324 ptr->is_deleted = is_delete; 1325 error = 0; 1326 break; 1327 } 1328 if (!is_delete && error) { 1329 struct tomoyo_policy_manager_entry *entry = 1330 tomoyo_commit_ok(&e, sizeof(e)); 1331 if (entry) { 1332 list_add_tail_rcu(&entry->list, 1333 &tomoyo_policy_manager_list); 1334 error = 0; 1335 } 1336 } 1337 mutex_unlock(&tomoyo_policy_lock); 1338 out: 1339 tomoyo_put_name(e.manager); 1340 return error; 1341} 1342 1343/** 1344 * tomoyo_write_manager_policy - Write manager policy. 1345 * 1346 * @head: Pointer to "struct tomoyo_io_buffer". 1347 * 1348 * Returns 0 on success, negative value otherwise. 1349 * 1350 * Caller holds tomoyo_read_lock(). 1351 */ 1352static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head) 1353{ 1354 char *data = head->write_buf; 1355 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 1356 1357 if (!strcmp(data, "manage_by_non_root")) { 1358 tomoyo_manage_by_non_root = !is_delete; 1359 return 0; 1360 } 1361 return tomoyo_update_manager_entry(data, is_delete); 1362} 1363 1364/** 1365 * tomoyo_read_manager_policy - Read manager policy. 1366 * 1367 * @head: Pointer to "struct tomoyo_io_buffer". 1368 * 1369 * Returns 0. 1370 * 1371 * Caller holds tomoyo_read_lock(). 1372 */ 1373static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head) 1374{ 1375 struct list_head *pos; 1376 bool done = true; 1377 1378 if (head->read_eof) 1379 return 0; 1380 list_for_each_cookie(pos, head->read_var2, 1381 &tomoyo_policy_manager_list) { 1382 struct tomoyo_policy_manager_entry *ptr; 1383 ptr = list_entry(pos, struct tomoyo_policy_manager_entry, 1384 list); 1385 if (ptr->is_deleted) 1386 continue; 1387 done = tomoyo_io_printf(head, "%s\n", ptr->manager->name); 1388 if (!done) 1389 break; 1390 } 1391 head->read_eof = done; 1392 return 0; 1393} 1394 1395/** 1396 * tomoyo_is_policy_manager - Check whether the current process is a policy manager. 1397 * 1398 * Returns true if the current process is permitted to modify policy 1399 * via /sys/kernel/security/tomoyo/ interface. 1400 * 1401 * Caller holds tomoyo_read_lock(). 1402 */ 1403static bool tomoyo_is_policy_manager(void) 1404{ 1405 struct tomoyo_policy_manager_entry *ptr; 1406 const char *exe; 1407 const struct task_struct *task = current; 1408 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 1409 bool found = false; 1410 1411 if (!tomoyo_policy_loaded) 1412 return true; 1413 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) 1414 return false; 1415 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { 1416 if (!ptr->is_deleted && ptr->is_domain 1417 && !tomoyo_pathcmp(domainname, ptr->manager)) { 1418 found = true; 1419 break; 1420 } 1421 } 1422 if (found) 1423 return true; 1424 exe = tomoyo_get_exe(); 1425 if (!exe) 1426 return false; 1427 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { 1428 if (!ptr->is_deleted && !ptr->is_domain 1429 && !strcmp(exe, ptr->manager->name)) { 1430 found = true; 1431 break; 1432 } 1433 } 1434 if (!found) { /* Reduce error messages. */ 1435 static pid_t last_pid; 1436 const pid_t pid = current->pid; 1437 if (last_pid != pid) { 1438 printk(KERN_WARNING "%s ( %s ) is not permitted to " 1439 "update policies.\n", domainname->name, exe); 1440 last_pid = pid; 1441 } 1442 } 1443 kfree(exe); 1444 return found; 1445} 1446 1447/** 1448 * tomoyo_is_select_one - Parse select command. 1449 * 1450 * @head: Pointer to "struct tomoyo_io_buffer". 1451 * @data: String to parse. 1452 * 1453 * Returns true on success, false otherwise. 1454 * 1455 * Caller holds tomoyo_read_lock(). 1456 */ 1457static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head, 1458 const char *data) 1459{ 1460 unsigned int pid; 1461 struct tomoyo_domain_info *domain = NULL; 1462 1463 if (sscanf(data, "pid=%u", &pid) == 1) { 1464 struct task_struct *p; 1465 rcu_read_lock(); 1466 read_lock(&tasklist_lock); 1467 p = find_task_by_vpid(pid); 1468 if (p) 1469 domain = tomoyo_real_domain(p); 1470 read_unlock(&tasklist_lock); 1471 rcu_read_unlock(); 1472 } else if (!strncmp(data, "domain=", 7)) { 1473 if (tomoyo_is_domain_def(data + 7)) 1474 domain = tomoyo_find_domain(data + 7); 1475 } else 1476 return false; 1477 head->write_var1 = domain; 1478 /* Accessing read_buf is safe because head->io_sem is held. */ 1479 if (!head->read_buf) 1480 return true; /* Do nothing if open(O_WRONLY). */ 1481 head->read_avail = 0; 1482 tomoyo_io_printf(head, "# select %s\n", data); 1483 head->read_single_domain = true; 1484 head->read_eof = !domain; 1485 if (domain) { 1486 struct tomoyo_domain_info *d; 1487 head->read_var1 = NULL; 1488 list_for_each_entry_rcu(d, &tomoyo_domain_list, list) { 1489 if (d == domain) 1490 break; 1491 head->read_var1 = &d->list; 1492 } 1493 head->read_var2 = NULL; 1494 head->read_bit = 0; 1495 head->read_step = 0; 1496 if (domain->is_deleted) 1497 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 1498 } 1499 return true; 1500} 1501 1502/** 1503 * tomoyo_delete_domain - Delete a domain. 1504 * 1505 * @domainname: The name of domain. 1506 * 1507 * Returns 0. 1508 * 1509 * Caller holds tomoyo_read_lock(). 1510 */ 1511static int tomoyo_delete_domain(char *domainname) 1512{ 1513 struct tomoyo_domain_info *domain; 1514 struct tomoyo_path_info name; 1515 1516 name.name = domainname; 1517 tomoyo_fill_path_info(&name); 1518 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 1519 return 0; 1520 /* Is there an active domain? */ 1521 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 1522 /* Never delete tomoyo_kernel_domain */ 1523 if (domain == &tomoyo_kernel_domain) 1524 continue; 1525 if (domain->is_deleted || 1526 tomoyo_pathcmp(domain->domainname, &name)) 1527 continue; 1528 domain->is_deleted = true; 1529 break; 1530 } 1531 mutex_unlock(&tomoyo_policy_lock); 1532 return 0; 1533} 1534 1535/** 1536 * tomoyo_write_domain_policy2 - Write domain policy. 1537 * 1538 * @head: Pointer to "struct tomoyo_io_buffer". 1539 * 1540 * Returns 0 on success, negative value otherwise. 1541 * 1542 * Caller holds tomoyo_read_lock(). 1543 */ 1544static int tomoyo_write_domain_policy2(char *data, 1545 struct tomoyo_domain_info *domain, 1546 const bool is_delete) 1547{ 1548 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_MOUNT)) 1549 return tomoyo_write_mount_policy(data, domain, is_delete); 1550 return tomoyo_write_file_policy(data, domain, is_delete); 1551} 1552 1553/** 1554 * tomoyo_write_domain_policy - Write domain policy. 1555 * 1556 * @head: Pointer to "struct tomoyo_io_buffer". 1557 * 1558 * Returns 0 on success, negative value otherwise. 1559 * 1560 * Caller holds tomoyo_read_lock(). 1561 */ 1562static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) 1563{ 1564 char *data = head->write_buf; 1565 struct tomoyo_domain_info *domain = head->write_var1; 1566 bool is_delete = false; 1567 bool is_select = false; 1568 unsigned int profile; 1569 1570 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE)) 1571 is_delete = true; 1572 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT)) 1573 is_select = true; 1574 if (is_select && tomoyo_is_select_one(head, data)) 1575 return 0; 1576 /* Don't allow updating policies by non manager programs. */ 1577 if (!tomoyo_is_policy_manager()) 1578 return -EPERM; 1579 if (tomoyo_is_domain_def(data)) { 1580 domain = NULL; 1581 if (is_delete) 1582 tomoyo_delete_domain(data); 1583 else if (is_select) 1584 domain = tomoyo_find_domain(data); 1585 else 1586 domain = tomoyo_find_or_assign_new_domain(data, 0); 1587 head->write_var1 = domain; 1588 return 0; 1589 } 1590 if (!domain) 1591 return -EINVAL; 1592 1593 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1 1594 && profile < TOMOYO_MAX_PROFILES) { 1595 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded) 1596 domain->profile = (u8) profile; 1597 return 0; 1598 } 1599 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) { 1600 domain->ignore_global_allow_read = !is_delete; 1601 return 0; 1602 } 1603 return tomoyo_write_domain_policy2(data, domain, is_delete); 1604} 1605 1606/** 1607 * tomoyo_print_path_acl - Print a single path ACL entry. 1608 * 1609 * @head: Pointer to "struct tomoyo_io_buffer". 1610 * @ptr: Pointer to "struct tomoyo_path_acl". 1611 * 1612 * Returns true on success, false otherwise. 1613 */ 1614static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head, 1615 struct tomoyo_path_acl *ptr) 1616{ 1617 int pos; 1618 u8 bit; 1619 const u16 perm = ptr->perm; 1620 1621 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 1622 if (!(perm & (1 << bit))) 1623 continue; 1624 /* Print "read/write" instead of "read" and "write". */ 1625 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE) 1626 && (perm & (1 << TOMOYO_TYPE_READ_WRITE))) 1627 continue; 1628 pos = head->read_avail; 1629 if (!tomoyo_io_printf(head, "allow_%s ", 1630 tomoyo_path2keyword(bit)) || 1631 !tomoyo_print_name_union(head, &ptr->name) || 1632 !tomoyo_io_printf(head, "\n")) 1633 goto out; 1634 } 1635 head->read_bit = 0; 1636 return true; 1637 out: 1638 head->read_bit = bit; 1639 head->read_avail = pos; 1640 return false; 1641} 1642 1643/** 1644 * tomoyo_print_path2_acl - Print a double path ACL entry. 1645 * 1646 * @head: Pointer to "struct tomoyo_io_buffer". 1647 * @ptr: Pointer to "struct tomoyo_path2_acl". 1648 * 1649 * Returns true on success, false otherwise. 1650 */ 1651static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head, 1652 struct tomoyo_path2_acl *ptr) 1653{ 1654 int pos; 1655 const u8 perm = ptr->perm; 1656 u8 bit; 1657 1658 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { 1659 if (!(perm & (1 << bit))) 1660 continue; 1661 pos = head->read_avail; 1662 if (!tomoyo_io_printf(head, "allow_%s ", 1663 tomoyo_path22keyword(bit)) || 1664 !tomoyo_print_name_union(head, &ptr->name1) || 1665 !tomoyo_print_name_union(head, &ptr->name2) || 1666 !tomoyo_io_printf(head, "\n")) 1667 goto out; 1668 } 1669 head->read_bit = 0; 1670 return true; 1671 out: 1672 head->read_bit = bit; 1673 head->read_avail = pos; 1674 return false; 1675} 1676 1677/** 1678 * tomoyo_print_path_number_acl - Print a path_number ACL entry. 1679 * 1680 * @head: Pointer to "struct tomoyo_io_buffer". 1681 * @ptr: Pointer to "struct tomoyo_path_number_acl". 1682 * 1683 * Returns true on success, false otherwise. 1684 */ 1685static bool tomoyo_print_path_number_acl(struct tomoyo_io_buffer *head, 1686 struct tomoyo_path_number_acl *ptr) 1687{ 1688 int pos; 1689 u8 bit; 1690 const u8 perm = ptr->perm; 1691 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; 1692 bit++) { 1693 if (!(perm & (1 << bit))) 1694 continue; 1695 pos = head->read_avail; 1696 if (!tomoyo_io_printf(head, "allow_%s", 1697 tomoyo_path_number2keyword(bit)) || 1698 !tomoyo_print_name_union(head, &ptr->name) || 1699 !tomoyo_print_number_union(head, &ptr->number) || 1700 !tomoyo_io_printf(head, "\n")) 1701 goto out; 1702 } 1703 head->read_bit = 0; 1704 return true; 1705 out: 1706 head->read_bit = bit; 1707 head->read_avail = pos; 1708 return false; 1709} 1710 1711/** 1712 * tomoyo_print_path_number3_acl - Print a path_number3 ACL entry. 1713 * 1714 * @head: Pointer to "struct tomoyo_io_buffer". 1715 * @ptr: Pointer to "struct tomoyo_path_number3_acl". 1716 * 1717 * Returns true on success, false otherwise. 1718 */ 1719static bool tomoyo_print_path_number3_acl(struct tomoyo_io_buffer *head, 1720 struct tomoyo_path_number3_acl *ptr) 1721{ 1722 int pos; 1723 u8 bit; 1724 const u16 perm = ptr->perm; 1725 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_NUMBER3_OPERATION; 1726 bit++) { 1727 if (!(perm & (1 << bit))) 1728 continue; 1729 pos = head->read_avail; 1730 if (!tomoyo_io_printf(head, "allow_%s", 1731 tomoyo_path_number32keyword(bit)) || 1732 !tomoyo_print_name_union(head, &ptr->name) || 1733 !tomoyo_print_number_union(head, &ptr->mode) || 1734 !tomoyo_print_number_union(head, &ptr->major) || 1735 !tomoyo_print_number_union(head, &ptr->minor) || 1736 !tomoyo_io_printf(head, "\n")) 1737 goto out; 1738 } 1739 head->read_bit = 0; 1740 return true; 1741 out: 1742 head->read_bit = bit; 1743 head->read_avail = pos; 1744 return false; 1745} 1746 1747/** 1748 * tomoyo_print_mount_acl - Print a mount ACL entry. 1749 * 1750 * @head: Pointer to "struct tomoyo_io_buffer". 1751 * @ptr: Pointer to "struct tomoyo_mount_acl". 1752 * 1753 * Returns true on success, false otherwise. 1754 */ 1755static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head, 1756 struct tomoyo_mount_acl *ptr) 1757{ 1758 const int pos = head->read_avail; 1759 if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) || 1760 !tomoyo_print_name_union(head, &ptr->dev_name) || 1761 !tomoyo_print_name_union(head, &ptr->dir_name) || 1762 !tomoyo_print_name_union(head, &ptr->fs_type) || 1763 !tomoyo_print_number_union(head, &ptr->flags) || 1764 !tomoyo_io_printf(head, "\n")) { 1765 head->read_avail = pos; 1766 return false; 1767 } 1768 return true; 1769} 1770 1771/** 1772 * tomoyo_print_entry - Print an ACL entry. 1773 * 1774 * @head: Pointer to "struct tomoyo_io_buffer". 1775 * @ptr: Pointer to an ACL entry. 1776 * 1777 * Returns true on success, false otherwise. 1778 */ 1779static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 1780 struct tomoyo_acl_info *ptr) 1781{ 1782 const u8 acl_type = ptr->type; 1783 1784 if (acl_type == TOMOYO_TYPE_PATH_ACL) { 1785 struct tomoyo_path_acl *acl 1786 = container_of(ptr, struct tomoyo_path_acl, head); 1787 return tomoyo_print_path_acl(head, acl); 1788 } 1789 if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 1790 struct tomoyo_path2_acl *acl 1791 = container_of(ptr, struct tomoyo_path2_acl, head); 1792 return tomoyo_print_path2_acl(head, acl); 1793 } 1794 if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { 1795 struct tomoyo_path_number_acl *acl 1796 = container_of(ptr, struct tomoyo_path_number_acl, 1797 head); 1798 return tomoyo_print_path_number_acl(head, acl); 1799 } 1800 if (acl_type == TOMOYO_TYPE_PATH_NUMBER3_ACL) { 1801 struct tomoyo_path_number3_acl *acl 1802 = container_of(ptr, struct tomoyo_path_number3_acl, 1803 head); 1804 return tomoyo_print_path_number3_acl(head, acl); 1805 } 1806 if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { 1807 struct tomoyo_mount_acl *acl 1808 = container_of(ptr, struct tomoyo_mount_acl, head); 1809 return tomoyo_print_mount_acl(head, acl); 1810 } 1811 BUG(); /* This must not happen. */ 1812 return false; 1813} 1814 1815/** 1816 * tomoyo_read_domain_policy - Read domain policy. 1817 * 1818 * @head: Pointer to "struct tomoyo_io_buffer". 1819 * 1820 * Returns 0. 1821 * 1822 * Caller holds tomoyo_read_lock(). 1823 */ 1824static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head) 1825{ 1826 struct list_head *dpos; 1827 struct list_head *apos; 1828 bool done = true; 1829 1830 if (head->read_eof) 1831 return 0; 1832 if (head->read_step == 0) 1833 head->read_step = 1; 1834 list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) { 1835 struct tomoyo_domain_info *domain; 1836 const char *quota_exceeded = ""; 1837 const char *transition_failed = ""; 1838 const char *ignore_global_allow_read = ""; 1839 domain = list_entry(dpos, struct tomoyo_domain_info, list); 1840 if (head->read_step != 1) 1841 goto acl_loop; 1842 if (domain->is_deleted && !head->read_single_domain) 1843 continue; 1844 /* Print domainname and flags. */ 1845 if (domain->quota_warned) 1846 quota_exceeded = "quota_exceeded\n"; 1847 if (domain->transition_failed) 1848 transition_failed = "transition_failed\n"; 1849 if (domain->ignore_global_allow_read) 1850 ignore_global_allow_read 1851 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; 1852 done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE 1853 "%u\n%s%s%s\n", 1854 domain->domainname->name, 1855 domain->profile, quota_exceeded, 1856 transition_failed, 1857 ignore_global_allow_read); 1858 if (!done) 1859 break; 1860 head->read_step = 2; 1861acl_loop: 1862 if (head->read_step == 3) 1863 goto tail_mark; 1864 /* Print ACL entries in the domain. */ 1865 list_for_each_cookie(apos, head->read_var2, 1866 &domain->acl_info_list) { 1867 struct tomoyo_acl_info *ptr 1868 = list_entry(apos, struct tomoyo_acl_info, 1869 list); 1870 done = tomoyo_print_entry(head, ptr); 1871 if (!done) 1872 break; 1873 } 1874 if (!done) 1875 break; 1876 head->read_step = 3; 1877tail_mark: 1878 done = tomoyo_io_printf(head, "\n"); 1879 if (!done) 1880 break; 1881 head->read_step = 1; 1882 if (head->read_single_domain) 1883 break; 1884 } 1885 head->read_eof = done; 1886 return 0; 1887} 1888 1889/** 1890 * tomoyo_write_domain_profile - Assign profile for specified domain. 1891 * 1892 * @head: Pointer to "struct tomoyo_io_buffer". 1893 * 1894 * Returns 0 on success, -EINVAL otherwise. 1895 * 1896 * This is equivalent to doing 1897 * 1898 * ( echo "select " $domainname; echo "use_profile " $profile ) | 1899 * /usr/lib/ccs/loadpolicy -d 1900 * 1901 * Caller holds tomoyo_read_lock(). 1902 */ 1903static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head) 1904{ 1905 char *data = head->write_buf; 1906 char *cp = strchr(data, ' '); 1907 struct tomoyo_domain_info *domain; 1908 unsigned long profile; 1909 1910 if (!cp) 1911 return -EINVAL; 1912 *cp = '\0'; 1913 domain = tomoyo_find_domain(cp + 1); 1914 if (strict_strtoul(data, 10, &profile)) 1915 return -EINVAL; 1916 if (domain && profile < TOMOYO_MAX_PROFILES 1917 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)) 1918 domain->profile = (u8) profile; 1919 return 0; 1920} 1921 1922/** 1923 * tomoyo_read_domain_profile - Read only domainname and profile. 1924 * 1925 * @head: Pointer to "struct tomoyo_io_buffer". 1926 * 1927 * Returns list of profile number and domainname pairs. 1928 * 1929 * This is equivalent to doing 1930 * 1931 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy | 1932 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" ) 1933 * domainname = $0; } else if ( $1 == "use_profile" ) { 1934 * print $2 " " domainname; domainname = ""; } } ; ' 1935 * 1936 * Caller holds tomoyo_read_lock(). 1937 */ 1938static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head) 1939{ 1940 struct list_head *pos; 1941 bool done = true; 1942 1943 if (head->read_eof) 1944 return 0; 1945 list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) { 1946 struct tomoyo_domain_info *domain; 1947 domain = list_entry(pos, struct tomoyo_domain_info, list); 1948 if (domain->is_deleted) 1949 continue; 1950 done = tomoyo_io_printf(head, "%u %s\n", domain->profile, 1951 domain->domainname->name); 1952 if (!done) 1953 break; 1954 } 1955 head->read_eof = done; 1956 return 0; 1957} 1958 1959/** 1960 * tomoyo_write_pid: Specify PID to obtain domainname. 1961 * 1962 * @head: Pointer to "struct tomoyo_io_buffer". 1963 * 1964 * Returns 0. 1965 */ 1966static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1967{ 1968 unsigned long pid; 1969 /* No error check. */ 1970 strict_strtoul(head->write_buf, 10, &pid); 1971 head->read_step = (int) pid; 1972 head->read_eof = false; 1973 return 0; 1974} 1975 1976/** 1977 * tomoyo_read_pid - Get domainname of the specified PID. 1978 * 1979 * @head: Pointer to "struct tomoyo_io_buffer". 1980 * 1981 * Returns the domainname which the specified PID is in on success, 1982 * empty string otherwise. 1983 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1984 * using read()/write() interface rather than sysctl() interface. 1985 */ 1986static int tomoyo_read_pid(struct tomoyo_io_buffer *head) 1987{ 1988 if (head->read_avail == 0 && !head->read_eof) { 1989 const int pid = head->read_step; 1990 struct task_struct *p; 1991 struct tomoyo_domain_info *domain = NULL; 1992 rcu_read_lock(); 1993 read_lock(&tasklist_lock); 1994 p = find_task_by_vpid(pid); 1995 if (p) 1996 domain = tomoyo_real_domain(p); 1997 read_unlock(&tasklist_lock); 1998 rcu_read_unlock(); 1999 if (domain) 2000 tomoyo_io_printf(head, "%d %u %s", pid, domain->profile, 2001 domain->domainname->name); 2002 head->read_eof = true; 2003 } 2004 return 0; 2005} 2006 2007/** 2008 * tomoyo_write_exception_policy - Write exception policy. 2009 * 2010 * @head: Pointer to "struct tomoyo_io_buffer". 2011 * 2012 * Returns 0 on success, negative value otherwise. 2013 * 2014 * Caller holds tomoyo_read_lock(). 2015 */ 2016static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head) 2017{ 2018 char *data = head->write_buf; 2019 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 2020 2021 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN)) 2022 return tomoyo_write_domain_keeper_policy(data, false, 2023 is_delete); 2024 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN)) 2025 return tomoyo_write_domain_keeper_policy(data, true, is_delete); 2026 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN)) 2027 return tomoyo_write_domain_initializer_policy(data, false, 2028 is_delete); 2029 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN)) 2030 return tomoyo_write_domain_initializer_policy(data, true, 2031 is_delete); 2032 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS)) 2033 return tomoyo_write_alias_policy(data, is_delete); 2034 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ)) 2035 return tomoyo_write_globally_readable_policy(data, is_delete); 2036 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN)) 2037 return tomoyo_write_pattern_policy(data, is_delete); 2038 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE)) 2039 return tomoyo_write_no_rewrite_policy(data, is_delete); 2040 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_PATH_GROUP)) 2041 return tomoyo_write_path_group_policy(data, is_delete); 2042 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NUMBER_GROUP)) 2043 return tomoyo_write_number_group_policy(data, is_delete); 2044 return -EINVAL; 2045} 2046 2047/** 2048 * tomoyo_read_exception_policy - Read exception policy. 2049 * 2050 * @head: Pointer to "struct tomoyo_io_buffer". 2051 * 2052 * Returns 0 on success, -EINVAL otherwise. 2053 * 2054 * Caller holds tomoyo_read_lock(). 2055 */ 2056static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head) 2057{ 2058 if (!head->read_eof) { 2059 switch (head->read_step) { 2060 case 0: 2061 head->read_var2 = NULL; 2062 head->read_step = 1; 2063 case 1: 2064 if (!tomoyo_read_domain_keeper_policy(head)) 2065 break; 2066 head->read_var2 = NULL; 2067 head->read_step = 2; 2068 case 2: 2069 if (!tomoyo_read_globally_readable_policy(head)) 2070 break; 2071 head->read_var2 = NULL; 2072 head->read_step = 3; 2073 case 3: 2074 head->read_var2 = NULL; 2075 head->read_step = 4; 2076 case 4: 2077 if (!tomoyo_read_domain_initializer_policy(head)) 2078 break; 2079 head->read_var2 = NULL; 2080 head->read_step = 5; 2081 case 5: 2082 if (!tomoyo_read_alias_policy(head)) 2083 break; 2084 head->read_var2 = NULL; 2085 head->read_step = 6; 2086 case 6: 2087 head->read_var2 = NULL; 2088 head->read_step = 7; 2089 case 7: 2090 if (!tomoyo_read_file_pattern(head)) 2091 break; 2092 head->read_var2 = NULL; 2093 head->read_step = 8; 2094 case 8: 2095 if (!tomoyo_read_no_rewrite_policy(head)) 2096 break; 2097 head->read_var2 = NULL; 2098 head->read_step = 9; 2099 case 9: 2100 if (!tomoyo_read_path_group_policy(head)) 2101 break; 2102 head->read_var1 = NULL; 2103 head->read_var2 = NULL; 2104 head->read_step = 10; 2105 case 10: 2106 if (!tomoyo_read_number_group_policy(head)) 2107 break; 2108 head->read_var1 = NULL; 2109 head->read_var2 = NULL; 2110 head->read_step = 11; 2111 case 11: 2112 head->read_eof = true; 2113 break; 2114 default: 2115 return -EINVAL; 2116 } 2117 } 2118 return 0; 2119} 2120 2121/* path to policy loader */ 2122static const char *tomoyo_loader = "/sbin/tomoyo-init"; 2123 2124/** 2125 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists. 2126 * 2127 * Returns true if /sbin/tomoyo-init exists, false otherwise. 2128 */ 2129static bool tomoyo_policy_loader_exists(void) 2130{ 2131 /* 2132 * Don't activate MAC if the policy loader doesn't exist. 2133 * If the initrd includes /sbin/init but real-root-dev has not 2134 * mounted on / yet, activating MAC will block the system since 2135 * policies are not loaded yet. 2136 * Thus, let do_execve() call this function everytime. 2137 */ 2138 struct path path; 2139 2140 if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) { 2141 printk(KERN_INFO "Not activating Mandatory Access Control now " 2142 "since %s doesn't exist.\n", tomoyo_loader); 2143 return false; 2144 } 2145 path_put(&path); 2146 return true; 2147} 2148 2149/** 2150 * tomoyo_load_policy - Run external policy loader to load policy. 2151 * 2152 * @filename: The program about to start. 2153 * 2154 * This function checks whether @filename is /sbin/init , and if so 2155 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init 2156 * and then continues invocation of /sbin/init. 2157 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and 2158 * writes to /sys/kernel/security/tomoyo/ interfaces. 2159 * 2160 * Returns nothing. 2161 */ 2162void tomoyo_load_policy(const char *filename) 2163{ 2164 char *argv[2]; 2165 char *envp[3]; 2166 2167 if (tomoyo_policy_loaded) 2168 return; 2169 /* 2170 * Check filename is /sbin/init or /sbin/tomoyo-start. 2171 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't 2172 * be passed. 2173 * You can create /sbin/tomoyo-start by 2174 * "ln -s /bin/true /sbin/tomoyo-start". 2175 */ 2176 if (strcmp(filename, "/sbin/init") && 2177 strcmp(filename, "/sbin/tomoyo-start")) 2178 return; 2179 if (!tomoyo_policy_loader_exists()) 2180 return; 2181 2182 printk(KERN_INFO "Calling %s to load policy. Please wait.\n", 2183 tomoyo_loader); 2184 argv[0] = (char *) tomoyo_loader; 2185 argv[1] = NULL; 2186 envp[0] = "HOME=/"; 2187 envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin"; 2188 envp[2] = NULL; 2189 call_usermodehelper(argv[0], argv, envp, 1); 2190 2191 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n"); 2192 printk(KERN_INFO "Mandatory Access Control activated.\n"); 2193 tomoyo_policy_loaded = true; 2194 { /* Check all profiles currently assigned to domains are defined. */ 2195 struct tomoyo_domain_info *domain; 2196 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 2197 const u8 profile = domain->profile; 2198 if (tomoyo_profile_ptr[profile]) 2199 continue; 2200 panic("Profile %u (used by '%s') not defined.\n", 2201 profile, domain->domainname->name); 2202 } 2203 } 2204} 2205 2206/** 2207 * tomoyo_print_header - Get header line of audit log. 2208 * 2209 * @r: Pointer to "struct tomoyo_request_info". 2210 * 2211 * Returns string representation. 2212 * 2213 * This function uses kmalloc(), so caller must kfree() if this function 2214 * didn't return NULL. 2215 */ 2216static char *tomoyo_print_header(struct tomoyo_request_info *r) 2217{ 2218 static const char *tomoyo_mode_4[4] = { 2219 "disabled", "learning", "permissive", "enforcing" 2220 }; 2221 struct timeval tv; 2222 const pid_t gpid = task_pid_nr(current); 2223 static const int tomoyo_buffer_len = 4096; 2224 char *buffer = kmalloc(tomoyo_buffer_len, GFP_NOFS); 2225 if (!buffer) 2226 return NULL; 2227 do_gettimeofday(&tv); 2228 snprintf(buffer, tomoyo_buffer_len - 1, 2229 "#timestamp=%lu profile=%u mode=%s (global-pid=%u)" 2230 " task={ pid=%u ppid=%u uid=%u gid=%u euid=%u" 2231 " egid=%u suid=%u sgid=%u fsuid=%u fsgid=%u }", 2232 tv.tv_sec, r->profile, tomoyo_mode_4[r->mode], gpid, 2233 (pid_t) sys_getpid(), (pid_t) sys_getppid(), 2234 current_uid(), current_gid(), current_euid(), 2235 current_egid(), current_suid(), current_sgid(), 2236 current_fsuid(), current_fsgid()); 2237 return buffer; 2238} 2239 2240/** 2241 * tomoyo_init_audit_log - Allocate buffer for audit logs. 2242 * 2243 * @len: Required size. 2244 * @r: Pointer to "struct tomoyo_request_info". 2245 * 2246 * Returns pointer to allocated memory. 2247 * 2248 * The @len is updated to add the header lines' size on success. 2249 * 2250 * This function uses kzalloc(), so caller must kfree() if this function 2251 * didn't return NULL. 2252 */ 2253static char *tomoyo_init_audit_log(int *len, struct tomoyo_request_info *r) 2254{ 2255 char *buf = NULL; 2256 const char *header; 2257 const char *domainname; 2258 if (!r->domain) 2259 r->domain = tomoyo_domain(); 2260 domainname = r->domain->domainname->name; 2261 header = tomoyo_print_header(r); 2262 if (!header) 2263 return NULL; 2264 *len += strlen(domainname) + strlen(header) + 10; 2265 buf = kzalloc(*len, GFP_NOFS); 2266 if (buf) 2267 snprintf(buf, (*len) - 1, "%s\n%s\n", header, domainname); 2268 kfree(header); 2269 return buf; 2270} 2271 2272/* Wait queue for tomoyo_query_list. */ 2273static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait); 2274 2275/* Lock for manipulating tomoyo_query_list. */ 2276static DEFINE_SPINLOCK(tomoyo_query_list_lock); 2277 2278/* Structure for query. */ 2279struct tomoyo_query_entry { 2280 struct list_head list; 2281 char *query; 2282 int query_len; 2283 unsigned int serial; 2284 int timer; 2285 int answer; 2286}; 2287 2288/* The list for "struct tomoyo_query_entry". */ 2289static LIST_HEAD(tomoyo_query_list); 2290 2291/* 2292 * Number of "struct file" referring /sys/kernel/security/tomoyo/query 2293 * interface. 2294 */ 2295static atomic_t tomoyo_query_observers = ATOMIC_INIT(0); 2296 2297/** 2298 * tomoyo_supervisor - Ask for the supervisor's decision. 2299 * 2300 * @r: Pointer to "struct tomoyo_request_info". 2301 * @fmt: The printf()'s format string, followed by parameters. 2302 * 2303 * Returns 0 if the supervisor decided to permit the access request which 2304 * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the 2305 * supervisor decided to retry the access request which violated the policy in 2306 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise. 2307 */ 2308int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 2309{ 2310 va_list args; 2311 int error = -EPERM; 2312 int pos; 2313 int len; 2314 static unsigned int tomoyo_serial; 2315 struct tomoyo_query_entry *tomoyo_query_entry = NULL; 2316 bool quota_exceeded = false; 2317 char *header; 2318 switch (r->mode) { 2319 char *buffer; 2320 case TOMOYO_CONFIG_LEARNING: 2321 if (!tomoyo_domain_quota_is_ok(r)) 2322 return 0; 2323 va_start(args, fmt); 2324 len = vsnprintf((char *) &pos, sizeof(pos) - 1, fmt, args) + 4; 2325 va_end(args); 2326 buffer = kmalloc(len, GFP_NOFS); 2327 if (!buffer) 2328 return 0; 2329 va_start(args, fmt); 2330 vsnprintf(buffer, len - 1, fmt, args); 2331 va_end(args); 2332 tomoyo_normalize_line(buffer); 2333 tomoyo_write_domain_policy2(buffer, r->domain, false); 2334 kfree(buffer); 2335 /* fall through */ 2336 case TOMOYO_CONFIG_PERMISSIVE: 2337 return 0; 2338 } 2339 if (!r->domain) 2340 r->domain = tomoyo_domain(); 2341 if (!atomic_read(&tomoyo_query_observers)) 2342 return -EPERM; 2343 va_start(args, fmt); 2344 len = vsnprintf((char *) &pos, sizeof(pos) - 1, fmt, args) + 32; 2345 va_end(args); 2346 header = tomoyo_init_audit_log(&len, r); 2347 if (!header) 2348 goto out; 2349 tomoyo_query_entry = kzalloc(sizeof(*tomoyo_query_entry), GFP_NOFS); 2350 if (!tomoyo_query_entry) 2351 goto out; 2352 tomoyo_query_entry->query = kzalloc(len, GFP_NOFS); 2353 if (!tomoyo_query_entry->query) 2354 goto out; 2355 len = ksize(tomoyo_query_entry->query); 2356 INIT_LIST_HEAD(&tomoyo_query_entry->list); 2357 spin_lock(&tomoyo_query_list_lock); 2358 if (tomoyo_quota_for_query && tomoyo_query_memory_size + len + 2359 sizeof(*tomoyo_query_entry) >= tomoyo_quota_for_query) { 2360 quota_exceeded = true; 2361 } else { 2362 tomoyo_query_memory_size += len + sizeof(*tomoyo_query_entry); 2363 tomoyo_query_entry->serial = tomoyo_serial++; 2364 } 2365 spin_unlock(&tomoyo_query_list_lock); 2366 if (quota_exceeded) 2367 goto out; 2368 pos = snprintf(tomoyo_query_entry->query, len - 1, "Q%u-%hu\n%s", 2369 tomoyo_query_entry->serial, r->retry, header); 2370 kfree(header); 2371 header = NULL; 2372 va_start(args, fmt); 2373 vsnprintf(tomoyo_query_entry->query + pos, len - 1 - pos, fmt, args); 2374 tomoyo_query_entry->query_len = strlen(tomoyo_query_entry->query) + 1; 2375 va_end(args); 2376 spin_lock(&tomoyo_query_list_lock); 2377 list_add_tail(&tomoyo_query_entry->list, &tomoyo_query_list); 2378 spin_unlock(&tomoyo_query_list_lock); 2379 /* Give 10 seconds for supervisor's opinion. */ 2380 for (tomoyo_query_entry->timer = 0; 2381 atomic_read(&tomoyo_query_observers) && tomoyo_query_entry->timer < 100; 2382 tomoyo_query_entry->timer++) { 2383 wake_up(&tomoyo_query_wait); 2384 set_current_state(TASK_INTERRUPTIBLE); 2385 schedule_timeout(HZ / 10); 2386 if (tomoyo_query_entry->answer) 2387 break; 2388 } 2389 spin_lock(&tomoyo_query_list_lock); 2390 list_del(&tomoyo_query_entry->list); 2391 tomoyo_query_memory_size -= len + sizeof(*tomoyo_query_entry); 2392 spin_unlock(&tomoyo_query_list_lock); 2393 switch (tomoyo_query_entry->answer) { 2394 case 3: /* Asked to retry by administrator. */ 2395 error = TOMOYO_RETRY_REQUEST; 2396 r->retry++; 2397 break; 2398 case 1: 2399 /* Granted by administrator. */ 2400 error = 0; 2401 break; 2402 case 0: 2403 /* Timed out. */ 2404 break; 2405 default: 2406 /* Rejected by administrator. */ 2407 break; 2408 } 2409 out: 2410 if (tomoyo_query_entry) 2411 kfree(tomoyo_query_entry->query); 2412 kfree(tomoyo_query_entry); 2413 kfree(header); 2414 return error; 2415} 2416 2417/** 2418 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query. 2419 * 2420 * @file: Pointer to "struct file". 2421 * @wait: Pointer to "poll_table". 2422 * 2423 * Returns POLLIN | POLLRDNORM when ready to read, 0 otherwise. 2424 * 2425 * Waits for access requests which violated policy in enforcing mode. 2426 */ 2427static int tomoyo_poll_query(struct file *file, poll_table *wait) 2428{ 2429 struct list_head *tmp; 2430 bool found = false; 2431 u8 i; 2432 for (i = 0; i < 2; i++) { 2433 spin_lock(&tomoyo_query_list_lock); 2434 list_for_each(tmp, &tomoyo_query_list) { 2435 struct tomoyo_query_entry *ptr 2436 = list_entry(tmp, struct tomoyo_query_entry, 2437 list); 2438 if (ptr->answer) 2439 continue; 2440 found = true; 2441 break; 2442 } 2443 spin_unlock(&tomoyo_query_list_lock); 2444 if (found) 2445 return POLLIN | POLLRDNORM; 2446 if (i) 2447 break; 2448 poll_wait(file, &tomoyo_query_wait, wait); 2449 } 2450 return 0; 2451} 2452 2453/** 2454 * tomoyo_read_query - Read access requests which violated policy in enforcing mode. 2455 * 2456 * @head: Pointer to "struct tomoyo_io_buffer". 2457 * 2458 * Returns 0. 2459 */ 2460static int tomoyo_read_query(struct tomoyo_io_buffer *head) 2461{ 2462 struct list_head *tmp; 2463 int pos = 0; 2464 int len = 0; 2465 char *buf; 2466 if (head->read_avail) 2467 return 0; 2468 if (head->read_buf) { 2469 kfree(head->read_buf); 2470 head->read_buf = NULL; 2471 head->readbuf_size = 0; 2472 } 2473 spin_lock(&tomoyo_query_list_lock); 2474 list_for_each(tmp, &tomoyo_query_list) { 2475 struct tomoyo_query_entry *ptr 2476 = list_entry(tmp, struct tomoyo_query_entry, list); 2477 if (ptr->answer) 2478 continue; 2479 if (pos++ != head->read_step) 2480 continue; 2481 len = ptr->query_len; 2482 break; 2483 } 2484 spin_unlock(&tomoyo_query_list_lock); 2485 if (!len) { 2486 head->read_step = 0; 2487 return 0; 2488 } 2489 buf = kzalloc(len, GFP_NOFS); 2490 if (!buf) 2491 return 0; 2492 pos = 0; 2493 spin_lock(&tomoyo_query_list_lock); 2494 list_for_each(tmp, &tomoyo_query_list) { 2495 struct tomoyo_query_entry *ptr 2496 = list_entry(tmp, struct tomoyo_query_entry, list); 2497 if (ptr->answer) 2498 continue; 2499 if (pos++ != head->read_step) 2500 continue; 2501 /* 2502 * Some query can be skipped because tomoyo_query_list 2503 * can change, but I don't care. 2504 */ 2505 if (len == ptr->query_len) 2506 memmove(buf, ptr->query, len); 2507 break; 2508 } 2509 spin_unlock(&tomoyo_query_list_lock); 2510 if (buf[0]) { 2511 head->read_avail = len; 2512 head->readbuf_size = head->read_avail; 2513 head->read_buf = buf; 2514 head->read_step++; 2515 } else { 2516 kfree(buf); 2517 } 2518 return 0; 2519} 2520 2521/** 2522 * tomoyo_write_answer - Write the supervisor's decision. 2523 * 2524 * @head: Pointer to "struct tomoyo_io_buffer". 2525 * 2526 * Returns 0 on success, -EINVAL otherwise. 2527 */ 2528static int tomoyo_write_answer(struct tomoyo_io_buffer *head) 2529{ 2530 char *data = head->write_buf; 2531 struct list_head *tmp; 2532 unsigned int serial; 2533 unsigned int answer; 2534 spin_lock(&tomoyo_query_list_lock); 2535 list_for_each(tmp, &tomoyo_query_list) { 2536 struct tomoyo_query_entry *ptr 2537 = list_entry(tmp, struct tomoyo_query_entry, list); 2538 ptr->timer = 0; 2539 } 2540 spin_unlock(&tomoyo_query_list_lock); 2541 if (sscanf(data, "A%u=%u", &serial, &answer) != 2) 2542 return -EINVAL; 2543 spin_lock(&tomoyo_query_list_lock); 2544 list_for_each(tmp, &tomoyo_query_list) { 2545 struct tomoyo_query_entry *ptr 2546 = list_entry(tmp, struct tomoyo_query_entry, list); 2547 if (ptr->serial != serial) 2548 continue; 2549 if (!ptr->answer) 2550 ptr->answer = answer; 2551 break; 2552 } 2553 spin_unlock(&tomoyo_query_list_lock); 2554 return 0; 2555} 2556 2557/** 2558 * tomoyo_read_version: Get version. 2559 * 2560 * @head: Pointer to "struct tomoyo_io_buffer". 2561 * 2562 * Returns version information. 2563 */ 2564static int tomoyo_read_version(struct tomoyo_io_buffer *head) 2565{ 2566 if (!head->read_eof) { 2567 tomoyo_io_printf(head, "2.2.0"); 2568 head->read_eof = true; 2569 } 2570 return 0; 2571} 2572 2573/** 2574 * tomoyo_read_self_domain - Get the current process's domainname. 2575 * 2576 * @head: Pointer to "struct tomoyo_io_buffer". 2577 * 2578 * Returns the current process's domainname. 2579 */ 2580static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head) 2581{ 2582 if (!head->read_eof) { 2583 /* 2584 * tomoyo_domain()->domainname != NULL 2585 * because every process belongs to a domain and 2586 * the domain's name cannot be NULL. 2587 */ 2588 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); 2589 head->read_eof = true; 2590 } 2591 return 0; 2592} 2593 2594/** 2595 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 2596 * 2597 * @type: Type of interface. 2598 * @file: Pointer to "struct file". 2599 * 2600 * Associates policy handler and returns 0 on success, -ENOMEM otherwise. 2601 * 2602 * Caller acquires tomoyo_read_lock(). 2603 */ 2604static int tomoyo_open_control(const u8 type, struct file *file) 2605{ 2606 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS); 2607 2608 if (!head) 2609 return -ENOMEM; 2610 mutex_init(&head->io_sem); 2611 head->type = type; 2612 switch (type) { 2613 case TOMOYO_DOMAINPOLICY: 2614 /* /sys/kernel/security/tomoyo/domain_policy */ 2615 head->write = tomoyo_write_domain_policy; 2616 head->read = tomoyo_read_domain_policy; 2617 break; 2618 case TOMOYO_EXCEPTIONPOLICY: 2619 /* /sys/kernel/security/tomoyo/exception_policy */ 2620 head->write = tomoyo_write_exception_policy; 2621 head->read = tomoyo_read_exception_policy; 2622 break; 2623 case TOMOYO_SELFDOMAIN: 2624 /* /sys/kernel/security/tomoyo/self_domain */ 2625 head->read = tomoyo_read_self_domain; 2626 break; 2627 case TOMOYO_DOMAIN_STATUS: 2628 /* /sys/kernel/security/tomoyo/.domain_status */ 2629 head->write = tomoyo_write_domain_profile; 2630 head->read = tomoyo_read_domain_profile; 2631 break; 2632 case TOMOYO_PROCESS_STATUS: 2633 /* /sys/kernel/security/tomoyo/.process_status */ 2634 head->write = tomoyo_write_pid; 2635 head->read = tomoyo_read_pid; 2636 break; 2637 case TOMOYO_VERSION: 2638 /* /sys/kernel/security/tomoyo/version */ 2639 head->read = tomoyo_read_version; 2640 head->readbuf_size = 128; 2641 break; 2642 case TOMOYO_MEMINFO: 2643 /* /sys/kernel/security/tomoyo/meminfo */ 2644 head->write = tomoyo_write_memory_quota; 2645 head->read = tomoyo_read_memory_counter; 2646 head->readbuf_size = 512; 2647 break; 2648 case TOMOYO_PROFILE: 2649 /* /sys/kernel/security/tomoyo/profile */ 2650 head->write = tomoyo_write_profile; 2651 head->read = tomoyo_read_profile; 2652 break; 2653 case TOMOYO_QUERY: /* /sys/kernel/security/tomoyo/query */ 2654 head->poll = tomoyo_poll_query; 2655 head->write = tomoyo_write_answer; 2656 head->read = tomoyo_read_query; 2657 break; 2658 case TOMOYO_MANAGER: 2659 /* /sys/kernel/security/tomoyo/manager */ 2660 head->write = tomoyo_write_manager_policy; 2661 head->read = tomoyo_read_manager_policy; 2662 break; 2663 } 2664 if (!(file->f_mode & FMODE_READ)) { 2665 /* 2666 * No need to allocate read_buf since it is not opened 2667 * for reading. 2668 */ 2669 head->read = NULL; 2670 head->poll = NULL; 2671 } else if (!head->poll) { 2672 /* Don't allocate read_buf for poll() access. */ 2673 if (!head->readbuf_size) 2674 head->readbuf_size = 4096 * 2; 2675 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); 2676 if (!head->read_buf) { 2677 kfree(head); 2678 return -ENOMEM; 2679 } 2680 } 2681 if (!(file->f_mode & FMODE_WRITE)) { 2682 /* 2683 * No need to allocate write_buf since it is not opened 2684 * for writing. 2685 */ 2686 head->write = NULL; 2687 } else if (head->write) { 2688 head->writebuf_size = 4096 * 2; 2689 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); 2690 if (!head->write_buf) { 2691 kfree(head->read_buf); 2692 kfree(head); 2693 return -ENOMEM; 2694 } 2695 } 2696 if (type != TOMOYO_QUERY) 2697 head->reader_idx = tomoyo_read_lock(); 2698 file->private_data = head; 2699 /* 2700 * Call the handler now if the file is 2701 * /sys/kernel/security/tomoyo/self_domain 2702 * so that the user can use 2703 * cat < /sys/kernel/security/tomoyo/self_domain" 2704 * to know the current process's domainname. 2705 */ 2706 if (type == TOMOYO_SELFDOMAIN) 2707 tomoyo_read_control(file, NULL, 0); 2708 /* 2709 * If the file is /sys/kernel/security/tomoyo/query , increment the 2710 * observer counter. 2711 * The obserber counter is used by tomoyo_supervisor() to see if 2712 * there is some process monitoring /sys/kernel/security/tomoyo/query. 2713 */ 2714 else if (type == TOMOYO_QUERY) 2715 atomic_inc(&tomoyo_query_observers); 2716 return 0; 2717} 2718 2719/** 2720 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface. 2721 * 2722 * @file: Pointer to "struct file". 2723 * @wait: Pointer to "poll_table". 2724 * 2725 * Waits for read readiness. 2726 * /sys/kernel/security/tomoyo/query is handled by /usr/sbin/tomoyo-queryd . 2727 */ 2728int tomoyo_poll_control(struct file *file, poll_table *wait) 2729{ 2730 struct tomoyo_io_buffer *head = file->private_data; 2731 if (!head->poll) 2732 return -ENOSYS; 2733 return head->poll(file, wait); 2734} 2735 2736/** 2737 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 2738 * 2739 * @file: Pointer to "struct file". 2740 * @buffer: Poiner to buffer to write to. 2741 * @buffer_len: Size of @buffer. 2742 * 2743 * Returns bytes read on success, negative value otherwise. 2744 * 2745 * Caller holds tomoyo_read_lock(). 2746 */ 2747static int tomoyo_read_control(struct file *file, char __user *buffer, 2748 const int buffer_len) 2749{ 2750 int len = 0; 2751 struct tomoyo_io_buffer *head = file->private_data; 2752 char *cp; 2753 2754 if (!head->read) 2755 return -ENOSYS; 2756 if (mutex_lock_interruptible(&head->io_sem)) 2757 return -EINTR; 2758 /* Call the policy handler. */ 2759 len = head->read(head); 2760 if (len < 0) 2761 goto out; 2762 /* Write to buffer. */ 2763 len = head->read_avail; 2764 if (len > buffer_len) 2765 len = buffer_len; 2766 if (!len) 2767 goto out; 2768 /* head->read_buf changes by some functions. */ 2769 cp = head->read_buf; 2770 if (copy_to_user(buffer, cp, len)) { 2771 len = -EFAULT; 2772 goto out; 2773 } 2774 head->read_avail -= len; 2775 memmove(cp, cp + len, head->read_avail); 2776 out: 2777 mutex_unlock(&head->io_sem); 2778 return len; 2779} 2780 2781/** 2782 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 2783 * 2784 * @file: Pointer to "struct file". 2785 * @buffer: Pointer to buffer to read from. 2786 * @buffer_len: Size of @buffer. 2787 * 2788 * Returns @buffer_len on success, negative value otherwise. 2789 * 2790 * Caller holds tomoyo_read_lock(). 2791 */ 2792static int tomoyo_write_control(struct file *file, const char __user *buffer, 2793 const int buffer_len) 2794{ 2795 struct tomoyo_io_buffer *head = file->private_data; 2796 int error = buffer_len; 2797 int avail_len = buffer_len; 2798 char *cp0 = head->write_buf; 2799 2800 if (!head->write) 2801 return -ENOSYS; 2802 if (!access_ok(VERIFY_READ, buffer, buffer_len)) 2803 return -EFAULT; 2804 /* Don't allow updating policies by non manager programs. */ 2805 if (head->write != tomoyo_write_pid && 2806 head->write != tomoyo_write_domain_policy && 2807 !tomoyo_is_policy_manager()) 2808 return -EPERM; 2809 if (mutex_lock_interruptible(&head->io_sem)) 2810 return -EINTR; 2811 /* Read a line and dispatch it to the policy handler. */ 2812 while (avail_len > 0) { 2813 char c; 2814 if (head->write_avail >= head->writebuf_size - 1) { 2815 error = -ENOMEM; 2816 break; 2817 } else if (get_user(c, buffer)) { 2818 error = -EFAULT; 2819 break; 2820 } 2821 buffer++; 2822 avail_len--; 2823 cp0[head->write_avail++] = c; 2824 if (c != '\n') 2825 continue; 2826 cp0[head->write_avail - 1] = '\0'; 2827 head->write_avail = 0; 2828 tomoyo_normalize_line(cp0); 2829 head->write(head); 2830 } 2831 mutex_unlock(&head->io_sem); 2832 return error; 2833} 2834 2835/** 2836 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 2837 * 2838 * @file: Pointer to "struct file". 2839 * 2840 * Releases memory and returns 0. 2841 * 2842 * Caller looses tomoyo_read_lock(). 2843 */ 2844static int tomoyo_close_control(struct file *file) 2845{ 2846 struct tomoyo_io_buffer *head = file->private_data; 2847 const bool is_write = !!head->write_buf; 2848 2849 /* 2850 * If the file is /sys/kernel/security/tomoyo/query , decrement the 2851 * observer counter. 2852 */ 2853 if (head->type == TOMOYO_QUERY) 2854 atomic_dec(&tomoyo_query_observers); 2855 else 2856 tomoyo_read_unlock(head->reader_idx); 2857 /* Release memory used for policy I/O. */ 2858 kfree(head->read_buf); 2859 head->read_buf = NULL; 2860 kfree(head->write_buf); 2861 head->write_buf = NULL; 2862 kfree(head); 2863 head = NULL; 2864 file->private_data = NULL; 2865 if (is_write) 2866 tomoyo_run_gc(); 2867 return 0; 2868} 2869 2870/** 2871 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface. 2872 * 2873 * @inode: Pointer to "struct inode". 2874 * @file: Pointer to "struct file". 2875 * 2876 * Returns 0 on success, negative value otherwise. 2877 */ 2878static int tomoyo_open(struct inode *inode, struct file *file) 2879{ 2880 const int key = ((u8 *) file->f_path.dentry->d_inode->i_private) 2881 - ((u8 *) NULL); 2882 return tomoyo_open_control(key, file); 2883} 2884 2885/** 2886 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface. 2887 * 2888 * @inode: Pointer to "struct inode". 2889 * @file: Pointer to "struct file". 2890 * 2891 * Returns 0 on success, negative value otherwise. 2892 */ 2893static int tomoyo_release(struct inode *inode, struct file *file) 2894{ 2895 return tomoyo_close_control(file); 2896} 2897 2898/** 2899 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface. 2900 * 2901 * @file: Pointer to "struct file". 2902 * @buf: Pointer to buffer. 2903 * @count: Size of @buf. 2904 * @ppos: Unused. 2905 * 2906 * Returns bytes read on success, negative value otherwise. 2907 */ 2908static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count, 2909 loff_t *ppos) 2910{ 2911 return tomoyo_read_control(file, buf, count); 2912} 2913 2914/** 2915 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface. 2916 * 2917 * @file: Pointer to "struct file". 2918 * @buf: Pointer to buffer. 2919 * @count: Size of @buf. 2920 * @ppos: Unused. 2921 * 2922 * Returns @count on success, negative value otherwise. 2923 */ 2924static ssize_t tomoyo_write(struct file *file, const char __user *buf, 2925 size_t count, loff_t *ppos) 2926{ 2927 return tomoyo_write_control(file, buf, count); 2928} 2929 2930/* 2931 * tomoyo_operations is a "struct file_operations" which is used for handling 2932 * /sys/kernel/security/tomoyo/ interface. 2933 * 2934 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR). 2935 * See tomoyo_io_buffer for internals. 2936 */ 2937static const struct file_operations tomoyo_operations = { 2938 .open = tomoyo_open, 2939 .release = tomoyo_release, 2940 .read = tomoyo_read, 2941 .write = tomoyo_write, 2942}; 2943 2944/** 2945 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory. 2946 * 2947 * @name: The name of the interface file. 2948 * @mode: The permission of the interface file. 2949 * @parent: The parent directory. 2950 * @key: Type of interface. 2951 * 2952 * Returns nothing. 2953 */ 2954static void __init tomoyo_create_entry(const char *name, const mode_t mode, 2955 struct dentry *parent, const u8 key) 2956{ 2957 securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key, 2958 &tomoyo_operations); 2959} 2960 2961/** 2962 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface. 2963 * 2964 * Returns 0. 2965 */ 2966static int __init tomoyo_initerface_init(void) 2967{ 2968 struct dentry *tomoyo_dir; 2969 2970 /* Don't create securityfs entries unless registered. */ 2971 if (current_cred()->security != &tomoyo_kernel_domain) 2972 return 0; 2973 2974 tomoyo_dir = securityfs_create_dir("tomoyo", NULL); 2975 tomoyo_create_entry("query", 0600, tomoyo_dir, 2976 TOMOYO_QUERY); 2977 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir, 2978 TOMOYO_DOMAINPOLICY); 2979 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir, 2980 TOMOYO_EXCEPTIONPOLICY); 2981 tomoyo_create_entry("self_domain", 0400, tomoyo_dir, 2982 TOMOYO_SELFDOMAIN); 2983 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir, 2984 TOMOYO_DOMAIN_STATUS); 2985 tomoyo_create_entry(".process_status", 0600, tomoyo_dir, 2986 TOMOYO_PROCESS_STATUS); 2987 tomoyo_create_entry("meminfo", 0600, tomoyo_dir, 2988 TOMOYO_MEMINFO); 2989 tomoyo_create_entry("profile", 0600, tomoyo_dir, 2990 TOMOYO_PROFILE); 2991 tomoyo_create_entry("manager", 0600, tomoyo_dir, 2992 TOMOYO_MANAGER); 2993 tomoyo_create_entry("version", 0400, tomoyo_dir, 2994 TOMOYO_VERSION); 2995 return 0; 2996} 2997 2998fs_initcall(tomoyo_initerface_init); 2999