common.c revision 2066a36125fcbf5220990173b9d8e8bc49ad7538
1/* 2 * security/tomoyo/common.c 3 * 4 * Common functions for TOMOYO. 5 * 6 * Copyright (C) 2005-2010 NTT DATA CORPORATION 7 */ 8 9#include <linux/uaccess.h> 10#include <linux/slab.h> 11#include <linux/security.h> 12#include "common.h" 13 14/* String table for operation mode. */ 15const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = { 16 [TOMOYO_CONFIG_DISABLED] = "disabled", 17 [TOMOYO_CONFIG_LEARNING] = "learning", 18 [TOMOYO_CONFIG_PERMISSIVE] = "permissive", 19 [TOMOYO_CONFIG_ENFORCING] = "enforcing" 20}; 21 22/* String table for /sys/kernel/security/tomoyo/profile */ 23const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX 24 + TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 25 [TOMOYO_MAC_FILE_EXECUTE] = "execute", 26 [TOMOYO_MAC_FILE_OPEN] = "open", 27 [TOMOYO_MAC_FILE_CREATE] = "create", 28 [TOMOYO_MAC_FILE_UNLINK] = "unlink", 29 [TOMOYO_MAC_FILE_GETATTR] = "getattr", 30 [TOMOYO_MAC_FILE_MKDIR] = "mkdir", 31 [TOMOYO_MAC_FILE_RMDIR] = "rmdir", 32 [TOMOYO_MAC_FILE_MKFIFO] = "mkfifo", 33 [TOMOYO_MAC_FILE_MKSOCK] = "mksock", 34 [TOMOYO_MAC_FILE_TRUNCATE] = "truncate", 35 [TOMOYO_MAC_FILE_SYMLINK] = "symlink", 36 [TOMOYO_MAC_FILE_MKBLOCK] = "mkblock", 37 [TOMOYO_MAC_FILE_MKCHAR] = "mkchar", 38 [TOMOYO_MAC_FILE_LINK] = "link", 39 [TOMOYO_MAC_FILE_RENAME] = "rename", 40 [TOMOYO_MAC_FILE_CHMOD] = "chmod", 41 [TOMOYO_MAC_FILE_CHOWN] = "chown", 42 [TOMOYO_MAC_FILE_CHGRP] = "chgrp", 43 [TOMOYO_MAC_FILE_IOCTL] = "ioctl", 44 [TOMOYO_MAC_FILE_CHROOT] = "chroot", 45 [TOMOYO_MAC_FILE_MOUNT] = "mount", 46 [TOMOYO_MAC_FILE_UMOUNT] = "unmount", 47 [TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root", 48 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file", 49}; 50 51/* String table for conditions. */ 52const char * const tomoyo_condition_keyword[TOMOYO_MAX_CONDITION_KEYWORD] = { 53 [TOMOYO_TASK_UID] = "task.uid", 54 [TOMOYO_TASK_EUID] = "task.euid", 55 [TOMOYO_TASK_SUID] = "task.suid", 56 [TOMOYO_TASK_FSUID] = "task.fsuid", 57 [TOMOYO_TASK_GID] = "task.gid", 58 [TOMOYO_TASK_EGID] = "task.egid", 59 [TOMOYO_TASK_SGID] = "task.sgid", 60 [TOMOYO_TASK_FSGID] = "task.fsgid", 61 [TOMOYO_TASK_PID] = "task.pid", 62 [TOMOYO_TASK_PPID] = "task.ppid", 63}; 64 65/* String table for PREFERENCE keyword. */ 66static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = { 67 [TOMOYO_PREF_MAX_AUDIT_LOG] = "max_audit_log", 68 [TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", 69}; 70 71/* String table for path operation. */ 72const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = { 73 [TOMOYO_TYPE_EXECUTE] = "execute", 74 [TOMOYO_TYPE_READ] = "read", 75 [TOMOYO_TYPE_WRITE] = "write", 76 [TOMOYO_TYPE_APPEND] = "append", 77 [TOMOYO_TYPE_UNLINK] = "unlink", 78 [TOMOYO_TYPE_GETATTR] = "getattr", 79 [TOMOYO_TYPE_RMDIR] = "rmdir", 80 [TOMOYO_TYPE_TRUNCATE] = "truncate", 81 [TOMOYO_TYPE_SYMLINK] = "symlink", 82 [TOMOYO_TYPE_CHROOT] = "chroot", 83 [TOMOYO_TYPE_UMOUNT] = "unmount", 84}; 85 86/* String table for categories. */ 87static const char * const tomoyo_category_keywords 88[TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 89 [TOMOYO_MAC_CATEGORY_FILE] = "file", 90}; 91 92/* Permit policy management by non-root user? */ 93static bool tomoyo_manage_by_non_root; 94 95/* Utility functions. */ 96 97/** 98 * tomoyo_yesno - Return "yes" or "no". 99 * 100 * @value: Bool value. 101 */ 102const char *tomoyo_yesno(const unsigned int value) 103{ 104 return value ? "yes" : "no"; 105} 106 107/** 108 * tomoyo_addprintf - strncat()-like-snprintf(). 109 * 110 * @buffer: Buffer to write to. Must be '\0'-terminated. 111 * @len: Size of @buffer. 112 * @fmt: The printf()'s format string, followed by parameters. 113 * 114 * Returns nothing. 115 */ 116static void tomoyo_addprintf(char *buffer, int len, const char *fmt, ...) 117{ 118 va_list args; 119 const int pos = strlen(buffer); 120 va_start(args, fmt); 121 vsnprintf(buffer + pos, len - pos - 1, fmt, args); 122 va_end(args); 123} 124 125/** 126 * tomoyo_flush - Flush queued string to userspace's buffer. 127 * 128 * @head: Pointer to "struct tomoyo_io_buffer". 129 * 130 * Returns true if all data was flushed, false otherwise. 131 */ 132static bool tomoyo_flush(struct tomoyo_io_buffer *head) 133{ 134 while (head->r.w_pos) { 135 const char *w = head->r.w[0]; 136 size_t len = strlen(w); 137 if (len) { 138 if (len > head->read_user_buf_avail) 139 len = head->read_user_buf_avail; 140 if (!len) 141 return false; 142 if (copy_to_user(head->read_user_buf, w, len)) 143 return false; 144 head->read_user_buf_avail -= len; 145 head->read_user_buf += len; 146 w += len; 147 } 148 head->r.w[0] = w; 149 if (*w) 150 return false; 151 /* Add '\0' for audit logs and query. */ 152 if (head->poll) { 153 if (!head->read_user_buf_avail || 154 copy_to_user(head->read_user_buf, "", 1)) 155 return false; 156 head->read_user_buf_avail--; 157 head->read_user_buf++; 158 } 159 head->r.w_pos--; 160 for (len = 0; len < head->r.w_pos; len++) 161 head->r.w[len] = head->r.w[len + 1]; 162 } 163 head->r.avail = 0; 164 return true; 165} 166 167/** 168 * tomoyo_set_string - Queue string to "struct tomoyo_io_buffer" structure. 169 * 170 * @head: Pointer to "struct tomoyo_io_buffer". 171 * @string: String to print. 172 * 173 * Note that @string has to be kept valid until @head is kfree()d. 174 * This means that char[] allocated on stack memory cannot be passed to 175 * this function. Use tomoyo_io_printf() for char[] allocated on stack memory. 176 */ 177static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string) 178{ 179 if (head->r.w_pos < TOMOYO_MAX_IO_READ_QUEUE) { 180 head->r.w[head->r.w_pos++] = string; 181 tomoyo_flush(head); 182 } else 183 WARN_ON(1); 184} 185 186/** 187 * tomoyo_io_printf - printf() to "struct tomoyo_io_buffer" structure. 188 * 189 * @head: Pointer to "struct tomoyo_io_buffer". 190 * @fmt: The printf()'s format string, followed by parameters. 191 */ 192void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 193{ 194 va_list args; 195 size_t len; 196 size_t pos = head->r.avail; 197 int size = head->readbuf_size - pos; 198 if (size <= 0) 199 return; 200 va_start(args, fmt); 201 len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1; 202 va_end(args); 203 if (pos + len >= head->readbuf_size) { 204 WARN_ON(1); 205 return; 206 } 207 head->r.avail += len; 208 tomoyo_set_string(head, head->read_buf + pos); 209} 210 211/** 212 * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure. 213 * 214 * @head: Pointer to "struct tomoyo_io_buffer". 215 * 216 * Returns nothing. 217 */ 218static void tomoyo_set_space(struct tomoyo_io_buffer *head) 219{ 220 tomoyo_set_string(head, " "); 221} 222 223/** 224 * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure. 225 * 226 * @head: Pointer to "struct tomoyo_io_buffer". 227 * 228 * Returns nothing. 229 */ 230static bool tomoyo_set_lf(struct tomoyo_io_buffer *head) 231{ 232 tomoyo_set_string(head, "\n"); 233 return !head->r.w_pos; 234} 235 236/** 237 * tomoyo_set_slash - Put a shash to "struct tomoyo_io_buffer" structure. 238 * 239 * @head: Pointer to "struct tomoyo_io_buffer". 240 * 241 * Returns nothing. 242 */ 243static void tomoyo_set_slash(struct tomoyo_io_buffer *head) 244{ 245 tomoyo_set_string(head, "/"); 246} 247 248/* List of namespaces. */ 249LIST_HEAD(tomoyo_namespace_list); 250/* True if namespace other than tomoyo_kernel_namespace is defined. */ 251static bool tomoyo_namespace_enabled; 252 253/** 254 * tomoyo_init_policy_namespace - Initialize namespace. 255 * 256 * @ns: Pointer to "struct tomoyo_policy_namespace". 257 * 258 * Returns nothing. 259 */ 260void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns) 261{ 262 unsigned int idx; 263 for (idx = 0; idx < TOMOYO_MAX_ACL_GROUPS; idx++) 264 INIT_LIST_HEAD(&ns->acl_group[idx]); 265 for (idx = 0; idx < TOMOYO_MAX_GROUP; idx++) 266 INIT_LIST_HEAD(&ns->group_list[idx]); 267 for (idx = 0; idx < TOMOYO_MAX_POLICY; idx++) 268 INIT_LIST_HEAD(&ns->policy_list[idx]); 269 ns->profile_version = 20100903; 270 tomoyo_namespace_enabled = !list_empty(&tomoyo_namespace_list); 271 list_add_tail_rcu(&ns->namespace_list, &tomoyo_namespace_list); 272} 273 274/** 275 * tomoyo_print_namespace - Print namespace header. 276 * 277 * @head: Pointer to "struct tomoyo_io_buffer". 278 * 279 * Returns nothing. 280 */ 281static void tomoyo_print_namespace(struct tomoyo_io_buffer *head) 282{ 283 if (!tomoyo_namespace_enabled) 284 return; 285 tomoyo_set_string(head, 286 container_of(head->r.ns, 287 struct tomoyo_policy_namespace, 288 namespace_list)->name); 289 tomoyo_set_space(head); 290} 291 292/** 293 * tomoyo_print_name_union - Print a tomoyo_name_union. 294 * 295 * @head: Pointer to "struct tomoyo_io_buffer". 296 * @ptr: Pointer to "struct tomoyo_name_union". 297 */ 298static void tomoyo_print_name_union(struct tomoyo_io_buffer *head, 299 const struct tomoyo_name_union *ptr) 300{ 301 tomoyo_set_space(head); 302 if (ptr->group) { 303 tomoyo_set_string(head, "@"); 304 tomoyo_set_string(head, ptr->group->group_name->name); 305 } else { 306 tomoyo_set_string(head, ptr->filename->name); 307 } 308} 309 310/** 311 * tomoyo_print_number_union_nospace - Print a tomoyo_number_union without a space. 312 * 313 * @head: Pointer to "struct tomoyo_io_buffer". 314 * @ptr: Pointer to "struct tomoyo_number_union". 315 * 316 * Returns nothing. 317 */ 318static void tomoyo_print_number_union_nospace 319(struct tomoyo_io_buffer *head, const struct tomoyo_number_union *ptr) 320{ 321 if (ptr->group) { 322 tomoyo_set_string(head, "@"); 323 tomoyo_set_string(head, ptr->group->group_name->name); 324 } else { 325 int i; 326 unsigned long min = ptr->values[0]; 327 const unsigned long max = ptr->values[1]; 328 u8 min_type = ptr->value_type[0]; 329 const u8 max_type = ptr->value_type[1]; 330 char buffer[128]; 331 buffer[0] = '\0'; 332 for (i = 0; i < 2; i++) { 333 switch (min_type) { 334 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 335 tomoyo_addprintf(buffer, sizeof(buffer), 336 "0x%lX", min); 337 break; 338 case TOMOYO_VALUE_TYPE_OCTAL: 339 tomoyo_addprintf(buffer, sizeof(buffer), 340 "0%lo", min); 341 break; 342 default: 343 tomoyo_addprintf(buffer, sizeof(buffer), "%lu", 344 min); 345 break; 346 } 347 if (min == max && min_type == max_type) 348 break; 349 tomoyo_addprintf(buffer, sizeof(buffer), "-"); 350 min_type = max_type; 351 min = max; 352 } 353 tomoyo_io_printf(head, "%s", buffer); 354 } 355} 356 357/** 358 * tomoyo_print_number_union - Print a tomoyo_number_union. 359 * 360 * @head: Pointer to "struct tomoyo_io_buffer". 361 * @ptr: Pointer to "struct tomoyo_number_union". 362 * 363 * Returns nothing. 364 */ 365static void tomoyo_print_number_union(struct tomoyo_io_buffer *head, 366 const struct tomoyo_number_union *ptr) 367{ 368 tomoyo_set_space(head); 369 tomoyo_print_number_union_nospace(head, ptr); 370} 371 372/** 373 * tomoyo_assign_profile - Create a new profile. 374 * 375 * @ns: Pointer to "struct tomoyo_policy_namespace". 376 * @profile: Profile number to create. 377 * 378 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 379 */ 380static struct tomoyo_profile *tomoyo_assign_profile 381(struct tomoyo_policy_namespace *ns, const unsigned int profile) 382{ 383 struct tomoyo_profile *ptr; 384 struct tomoyo_profile *entry; 385 if (profile >= TOMOYO_MAX_PROFILES) 386 return NULL; 387 ptr = ns->profile_ptr[profile]; 388 if (ptr) 389 return ptr; 390 entry = kzalloc(sizeof(*entry), GFP_NOFS); 391 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 392 goto out; 393 ptr = ns->profile_ptr[profile]; 394 if (!ptr && tomoyo_memory_ok(entry)) { 395 ptr = entry; 396 ptr->default_config = TOMOYO_CONFIG_DISABLED | 397 TOMOYO_CONFIG_WANT_GRANT_LOG | 398 TOMOYO_CONFIG_WANT_REJECT_LOG; 399 memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT, 400 sizeof(ptr->config)); 401 ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] = 1024; 402 ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = 2048; 403 mb(); /* Avoid out-of-order execution. */ 404 ns->profile_ptr[profile] = ptr; 405 entry = NULL; 406 } 407 mutex_unlock(&tomoyo_policy_lock); 408 out: 409 kfree(entry); 410 return ptr; 411} 412 413/** 414 * tomoyo_profile - Find a profile. 415 * 416 * @ns: Pointer to "struct tomoyo_policy_namespace". 417 * @profile: Profile number to find. 418 * 419 * Returns pointer to "struct tomoyo_profile". 420 */ 421struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns, 422 const u8 profile) 423{ 424 static struct tomoyo_profile tomoyo_null_profile; 425 struct tomoyo_profile *ptr = ns->profile_ptr[profile]; 426 if (!ptr) 427 ptr = &tomoyo_null_profile; 428 return ptr; 429} 430 431/** 432 * tomoyo_find_yesno - Find values for specified keyword. 433 * 434 * @string: String to check. 435 * @find: Name of keyword. 436 * 437 * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise. 438 */ 439static s8 tomoyo_find_yesno(const char *string, const char *find) 440{ 441 const char *cp = strstr(string, find); 442 if (cp) { 443 cp += strlen(find); 444 if (!strncmp(cp, "=yes", 4)) 445 return 1; 446 else if (!strncmp(cp, "=no", 3)) 447 return 0; 448 } 449 return -1; 450} 451 452/** 453 * tomoyo_set_uint - Set value for specified preference. 454 * 455 * @i: Pointer to "unsigned int". 456 * @string: String to check. 457 * @find: Name of keyword. 458 * 459 * Returns nothing. 460 */ 461static void tomoyo_set_uint(unsigned int *i, const char *string, 462 const char *find) 463{ 464 const char *cp = strstr(string, find); 465 if (cp) 466 sscanf(cp + strlen(find), "=%u", i); 467} 468 469/** 470 * tomoyo_set_mode - Set mode for specified profile. 471 * 472 * @name: Name of functionality. 473 * @value: Mode for @name. 474 * @profile: Pointer to "struct tomoyo_profile". 475 * 476 * Returns 0 on success, negative value otherwise. 477 */ 478static int tomoyo_set_mode(char *name, const char *value, 479 struct tomoyo_profile *profile) 480{ 481 u8 i; 482 u8 config; 483 if (!strcmp(name, "CONFIG")) { 484 i = TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX; 485 config = profile->default_config; 486 } else if (tomoyo_str_starts(&name, "CONFIG::")) { 487 config = 0; 488 for (i = 0; i < TOMOYO_MAX_MAC_INDEX 489 + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) { 490 int len = 0; 491 if (i < TOMOYO_MAX_MAC_INDEX) { 492 const u8 c = tomoyo_index2category[i]; 493 const char *category = 494 tomoyo_category_keywords[c]; 495 len = strlen(category); 496 if (strncmp(name, category, len) || 497 name[len++] != ':' || name[len++] != ':') 498 continue; 499 } 500 if (strcmp(name + len, tomoyo_mac_keywords[i])) 501 continue; 502 config = profile->config[i]; 503 break; 504 } 505 if (i == TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 506 return -EINVAL; 507 } else { 508 return -EINVAL; 509 } 510 if (strstr(value, "use_default")) { 511 config = TOMOYO_CONFIG_USE_DEFAULT; 512 } else { 513 u8 mode; 514 for (mode = 0; mode < 4; mode++) 515 if (strstr(value, tomoyo_mode[mode])) 516 /* 517 * Update lower 3 bits in order to distinguish 518 * 'config' from 'TOMOYO_CONFIG_USE_DEAFULT'. 519 */ 520 config = (config & ~7) | mode; 521 if (config != TOMOYO_CONFIG_USE_DEFAULT) { 522 switch (tomoyo_find_yesno(value, "grant_log")) { 523 case 1: 524 config |= TOMOYO_CONFIG_WANT_GRANT_LOG; 525 break; 526 case 0: 527 config &= ~TOMOYO_CONFIG_WANT_GRANT_LOG; 528 break; 529 } 530 switch (tomoyo_find_yesno(value, "reject_log")) { 531 case 1: 532 config |= TOMOYO_CONFIG_WANT_REJECT_LOG; 533 break; 534 case 0: 535 config &= ~TOMOYO_CONFIG_WANT_REJECT_LOG; 536 break; 537 } 538 } 539 } 540 if (i < TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 541 profile->config[i] = config; 542 else if (config != TOMOYO_CONFIG_USE_DEFAULT) 543 profile->default_config = config; 544 return 0; 545} 546 547/** 548 * tomoyo_write_profile - Write profile table. 549 * 550 * @head: Pointer to "struct tomoyo_io_buffer". 551 * 552 * Returns 0 on success, negative value otherwise. 553 */ 554static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 555{ 556 char *data = head->write_buf; 557 unsigned int i; 558 char *cp; 559 struct tomoyo_profile *profile; 560 if (sscanf(data, "PROFILE_VERSION=%u", &head->w.ns->profile_version) 561 == 1) 562 return 0; 563 i = simple_strtoul(data, &cp, 10); 564 if (*cp != '-') 565 return -EINVAL; 566 data = cp + 1; 567 profile = tomoyo_assign_profile(head->w.ns, i); 568 if (!profile) 569 return -EINVAL; 570 cp = strchr(data, '='); 571 if (!cp) 572 return -EINVAL; 573 *cp++ = '\0'; 574 if (!strcmp(data, "COMMENT")) { 575 static DEFINE_SPINLOCK(lock); 576 const struct tomoyo_path_info *new_comment 577 = tomoyo_get_name(cp); 578 const struct tomoyo_path_info *old_comment; 579 if (!new_comment) 580 return -ENOMEM; 581 spin_lock(&lock); 582 old_comment = profile->comment; 583 profile->comment = new_comment; 584 spin_unlock(&lock); 585 tomoyo_put_name(old_comment); 586 return 0; 587 } 588 if (!strcmp(data, "PREFERENCE")) { 589 for (i = 0; i < TOMOYO_MAX_PREF; i++) 590 tomoyo_set_uint(&profile->pref[i], cp, 591 tomoyo_pref_keywords[i]); 592 return 0; 593 } 594 return tomoyo_set_mode(data, cp, profile); 595} 596 597/** 598 * tomoyo_print_config - Print mode for specified functionality. 599 * 600 * @head: Pointer to "struct tomoyo_io_buffer". 601 * @config: Mode for that functionality. 602 * 603 * Returns nothing. 604 * 605 * Caller prints functionality's name. 606 */ 607static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config) 608{ 609 tomoyo_io_printf(head, "={ mode=%s grant_log=%s reject_log=%s }\n", 610 tomoyo_mode[config & 3], 611 tomoyo_yesno(config & TOMOYO_CONFIG_WANT_GRANT_LOG), 612 tomoyo_yesno(config & TOMOYO_CONFIG_WANT_REJECT_LOG)); 613} 614 615/** 616 * tomoyo_read_profile - Read profile table. 617 * 618 * @head: Pointer to "struct tomoyo_io_buffer". 619 * 620 * Returns nothing. 621 */ 622static void tomoyo_read_profile(struct tomoyo_io_buffer *head) 623{ 624 u8 index; 625 struct tomoyo_policy_namespace *ns = 626 container_of(head->r.ns, typeof(*ns), namespace_list); 627 const struct tomoyo_profile *profile; 628 if (head->r.eof) 629 return; 630 next: 631 index = head->r.index; 632 profile = ns->profile_ptr[index]; 633 switch (head->r.step) { 634 case 0: 635 tomoyo_print_namespace(head); 636 tomoyo_io_printf(head, "PROFILE_VERSION=%u\n", 637 ns->profile_version); 638 head->r.step++; 639 break; 640 case 1: 641 for ( ; head->r.index < TOMOYO_MAX_PROFILES; 642 head->r.index++) 643 if (ns->profile_ptr[head->r.index]) 644 break; 645 if (head->r.index == TOMOYO_MAX_PROFILES) 646 return; 647 head->r.step++; 648 break; 649 case 2: 650 { 651 u8 i; 652 const struct tomoyo_path_info *comment = 653 profile->comment; 654 tomoyo_print_namespace(head); 655 tomoyo_io_printf(head, "%u-COMMENT=", index); 656 tomoyo_set_string(head, comment ? comment->name : ""); 657 tomoyo_set_lf(head); 658 tomoyo_io_printf(head, "%u-PREFERENCE={ ", index); 659 for (i = 0; i < TOMOYO_MAX_PREF; i++) 660 tomoyo_io_printf(head, "%s=%u ", 661 tomoyo_pref_keywords[i], 662 profile->pref[i]); 663 tomoyo_set_string(head, "}\n"); 664 head->r.step++; 665 } 666 break; 667 case 3: 668 { 669 tomoyo_print_namespace(head); 670 tomoyo_io_printf(head, "%u-%s", index, "CONFIG"); 671 tomoyo_print_config(head, profile->default_config); 672 head->r.bit = 0; 673 head->r.step++; 674 } 675 break; 676 case 4: 677 for ( ; head->r.bit < TOMOYO_MAX_MAC_INDEX 678 + TOMOYO_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { 679 const u8 i = head->r.bit; 680 const u8 config = profile->config[i]; 681 if (config == TOMOYO_CONFIG_USE_DEFAULT) 682 continue; 683 tomoyo_print_namespace(head); 684 if (i < TOMOYO_MAX_MAC_INDEX) 685 tomoyo_io_printf(head, "%u-CONFIG::%s::%s", 686 index, 687 tomoyo_category_keywords 688 [tomoyo_index2category[i]], 689 tomoyo_mac_keywords[i]); 690 else 691 tomoyo_io_printf(head, "%u-CONFIG::%s", index, 692 tomoyo_mac_keywords[i]); 693 tomoyo_print_config(head, config); 694 head->r.bit++; 695 break; 696 } 697 if (head->r.bit == TOMOYO_MAX_MAC_INDEX 698 + TOMOYO_MAX_MAC_CATEGORY_INDEX) { 699 head->r.index++; 700 head->r.step = 1; 701 } 702 break; 703 } 704 if (tomoyo_flush(head)) 705 goto next; 706} 707 708static bool tomoyo_same_manager(const struct tomoyo_acl_head *a, 709 const struct tomoyo_acl_head *b) 710{ 711 return container_of(a, struct tomoyo_manager, head)->manager == 712 container_of(b, struct tomoyo_manager, head)->manager; 713} 714 715/** 716 * tomoyo_update_manager_entry - Add a manager entry. 717 * 718 * @manager: The path to manager or the domainnamme. 719 * @is_delete: True if it is a delete request. 720 * 721 * Returns 0 on success, negative value otherwise. 722 * 723 * Caller holds tomoyo_read_lock(). 724 */ 725static int tomoyo_update_manager_entry(const char *manager, 726 const bool is_delete) 727{ 728 struct tomoyo_manager e = { }; 729 struct tomoyo_acl_param param = { 730 /* .ns = &tomoyo_kernel_namespace, */ 731 .is_delete = is_delete, 732 .list = &tomoyo_kernel_namespace. 733 policy_list[TOMOYO_ID_MANAGER], 734 }; 735 int error = is_delete ? -ENOENT : -ENOMEM; 736 if (tomoyo_domain_def(manager)) { 737 if (!tomoyo_correct_domain(manager)) 738 return -EINVAL; 739 e.is_domain = true; 740 } else { 741 if (!tomoyo_correct_path(manager)) 742 return -EINVAL; 743 } 744 e.manager = tomoyo_get_name(manager); 745 if (e.manager) { 746 error = tomoyo_update_policy(&e.head, sizeof(e), ¶m, 747 tomoyo_same_manager); 748 tomoyo_put_name(e.manager); 749 } 750 return error; 751} 752 753/** 754 * tomoyo_write_manager - Write manager policy. 755 * 756 * @head: Pointer to "struct tomoyo_io_buffer". 757 * 758 * Returns 0 on success, negative value otherwise. 759 * 760 * Caller holds tomoyo_read_lock(). 761 */ 762static int tomoyo_write_manager(struct tomoyo_io_buffer *head) 763{ 764 char *data = head->write_buf; 765 766 if (!strcmp(data, "manage_by_non_root")) { 767 tomoyo_manage_by_non_root = !head->w.is_delete; 768 return 0; 769 } 770 return tomoyo_update_manager_entry(data, head->w.is_delete); 771} 772 773/** 774 * tomoyo_read_manager - Read manager policy. 775 * 776 * @head: Pointer to "struct tomoyo_io_buffer". 777 * 778 * Caller holds tomoyo_read_lock(). 779 */ 780static void tomoyo_read_manager(struct tomoyo_io_buffer *head) 781{ 782 if (head->r.eof) 783 return; 784 list_for_each_cookie(head->r.acl, &tomoyo_kernel_namespace. 785 policy_list[TOMOYO_ID_MANAGER]) { 786 struct tomoyo_manager *ptr = 787 list_entry(head->r.acl, typeof(*ptr), head.list); 788 if (ptr->head.is_deleted) 789 continue; 790 if (!tomoyo_flush(head)) 791 return; 792 tomoyo_set_string(head, ptr->manager->name); 793 tomoyo_set_lf(head); 794 } 795 head->r.eof = true; 796} 797 798/** 799 * tomoyo_manager - Check whether the current process is a policy manager. 800 * 801 * Returns true if the current process is permitted to modify policy 802 * via /sys/kernel/security/tomoyo/ interface. 803 * 804 * Caller holds tomoyo_read_lock(). 805 */ 806static bool tomoyo_manager(void) 807{ 808 struct tomoyo_manager *ptr; 809 const char *exe; 810 const struct task_struct *task = current; 811 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 812 bool found = false; 813 814 if (!tomoyo_policy_loaded) 815 return true; 816 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) 817 return false; 818 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace. 819 policy_list[TOMOYO_ID_MANAGER], head.list) { 820 if (!ptr->head.is_deleted && ptr->is_domain 821 && !tomoyo_pathcmp(domainname, ptr->manager)) { 822 found = true; 823 break; 824 } 825 } 826 if (found) 827 return true; 828 exe = tomoyo_get_exe(); 829 if (!exe) 830 return false; 831 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace. 832 policy_list[TOMOYO_ID_MANAGER], head.list) { 833 if (!ptr->head.is_deleted && !ptr->is_domain 834 && !strcmp(exe, ptr->manager->name)) { 835 found = true; 836 break; 837 } 838 } 839 if (!found) { /* Reduce error messages. */ 840 static pid_t last_pid; 841 const pid_t pid = current->pid; 842 if (last_pid != pid) { 843 printk(KERN_WARNING "%s ( %s ) is not permitted to " 844 "update policies.\n", domainname->name, exe); 845 last_pid = pid; 846 } 847 } 848 kfree(exe); 849 return found; 850} 851 852/** 853 * tomoyo_select_domain - Parse select command. 854 * 855 * @head: Pointer to "struct tomoyo_io_buffer". 856 * @data: String to parse. 857 * 858 * Returns true on success, false otherwise. 859 * 860 * Caller holds tomoyo_read_lock(). 861 */ 862static bool tomoyo_select_domain(struct tomoyo_io_buffer *head, 863 const char *data) 864{ 865 unsigned int pid; 866 struct tomoyo_domain_info *domain = NULL; 867 bool global_pid = false; 868 if (strncmp(data, "select ", 7)) 869 return false; 870 data += 7; 871 if (sscanf(data, "pid=%u", &pid) == 1 || 872 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { 873 struct task_struct *p; 874 rcu_read_lock(); 875 read_lock(&tasklist_lock); 876 if (global_pid) 877 p = find_task_by_pid_ns(pid, &init_pid_ns); 878 else 879 p = find_task_by_vpid(pid); 880 if (p) 881 domain = tomoyo_real_domain(p); 882 read_unlock(&tasklist_lock); 883 rcu_read_unlock(); 884 } else if (!strncmp(data, "domain=", 7)) { 885 if (tomoyo_domain_def(data + 7)) 886 domain = tomoyo_find_domain(data + 7); 887 } else 888 return false; 889 head->w.domain = domain; 890 /* Accessing read_buf is safe because head->io_sem is held. */ 891 if (!head->read_buf) 892 return true; /* Do nothing if open(O_WRONLY). */ 893 memset(&head->r, 0, sizeof(head->r)); 894 head->r.print_this_domain_only = true; 895 if (domain) 896 head->r.domain = &domain->list; 897 else 898 head->r.eof = 1; 899 tomoyo_io_printf(head, "# select %s\n", data); 900 if (domain && domain->is_deleted) 901 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 902 return true; 903} 904 905/** 906 * tomoyo_delete_domain - Delete a domain. 907 * 908 * @domainname: The name of domain. 909 * 910 * Returns 0. 911 * 912 * Caller holds tomoyo_read_lock(). 913 */ 914static int tomoyo_delete_domain(char *domainname) 915{ 916 struct tomoyo_domain_info *domain; 917 struct tomoyo_path_info name; 918 919 name.name = domainname; 920 tomoyo_fill_path_info(&name); 921 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 922 return 0; 923 /* Is there an active domain? */ 924 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 925 /* Never delete tomoyo_kernel_domain */ 926 if (domain == &tomoyo_kernel_domain) 927 continue; 928 if (domain->is_deleted || 929 tomoyo_pathcmp(domain->domainname, &name)) 930 continue; 931 domain->is_deleted = true; 932 break; 933 } 934 mutex_unlock(&tomoyo_policy_lock); 935 return 0; 936} 937 938/** 939 * tomoyo_write_domain2 - Write domain policy. 940 * 941 * @ns: Pointer to "struct tomoyo_policy_namespace". 942 * @list: Pointer to "struct list_head". 943 * @data: Policy to be interpreted. 944 * @is_delete: True if it is a delete request. 945 * 946 * Returns 0 on success, negative value otherwise. 947 * 948 * Caller holds tomoyo_read_lock(). 949 */ 950static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns, 951 struct list_head *list, char *data, 952 const bool is_delete) 953{ 954 struct tomoyo_acl_param param = { 955 .ns = ns, 956 .list = list, 957 .data = data, 958 .is_delete = is_delete, 959 }; 960 static const struct { 961 const char *keyword; 962 int (*write) (struct tomoyo_acl_param *); 963 } tomoyo_callback[1] = { 964 { "file ", tomoyo_write_file }, 965 }; 966 u8 i; 967 for (i = 0; i < 1; i++) { 968 if (!tomoyo_str_starts(¶m.data, 969 tomoyo_callback[i].keyword)) 970 continue; 971 return tomoyo_callback[i].write(¶m); 972 } 973 return -EINVAL; 974} 975 976/* String table for domain flags. */ 977const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS] = { 978 [TOMOYO_DIF_QUOTA_WARNED] = "quota_exceeded\n", 979 [TOMOYO_DIF_TRANSITION_FAILED] = "transition_failed\n", 980}; 981 982/** 983 * tomoyo_write_domain - Write domain policy. 984 * 985 * @head: Pointer to "struct tomoyo_io_buffer". 986 * 987 * Returns 0 on success, negative value otherwise. 988 * 989 * Caller holds tomoyo_read_lock(). 990 */ 991static int tomoyo_write_domain(struct tomoyo_io_buffer *head) 992{ 993 char *data = head->write_buf; 994 struct tomoyo_policy_namespace *ns; 995 struct tomoyo_domain_info *domain = head->w.domain; 996 const bool is_delete = head->w.is_delete; 997 bool is_select = !is_delete && tomoyo_str_starts(&data, "select "); 998 unsigned int profile; 999 if (*data == '<') { 1000 domain = NULL; 1001 if (is_delete) 1002 tomoyo_delete_domain(data); 1003 else if (is_select) 1004 domain = tomoyo_find_domain(data); 1005 else 1006 domain = tomoyo_assign_domain(data, false); 1007 head->w.domain = domain; 1008 return 0; 1009 } 1010 if (!domain) 1011 return -EINVAL; 1012 ns = domain->ns; 1013 if (sscanf(data, "use_profile %u", &profile) == 1 1014 && profile < TOMOYO_MAX_PROFILES) { 1015 if (!tomoyo_policy_loaded || ns->profile_ptr[profile]) 1016 domain->profile = (u8) profile; 1017 return 0; 1018 } 1019 if (sscanf(data, "use_group %u\n", &profile) == 1 1020 && profile < TOMOYO_MAX_ACL_GROUPS) { 1021 if (!is_delete) 1022 domain->group = (u8) profile; 1023 return 0; 1024 } 1025 for (profile = 0; profile < TOMOYO_MAX_DOMAIN_INFO_FLAGS; profile++) { 1026 const char *cp = tomoyo_dif[profile]; 1027 if (strncmp(data, cp, strlen(cp) - 1)) 1028 continue; 1029 domain->flags[profile] = !is_delete; 1030 return 0; 1031 } 1032 return tomoyo_write_domain2(ns, &domain->acl_info_list, data, 1033 is_delete); 1034} 1035 1036/** 1037 * tomoyo_print_condition - Print condition part. 1038 * 1039 * @head: Pointer to "struct tomoyo_io_buffer". 1040 * @cond: Pointer to "struct tomoyo_condition". 1041 * 1042 * Returns true on success, false otherwise. 1043 */ 1044static bool tomoyo_print_condition(struct tomoyo_io_buffer *head, 1045 const struct tomoyo_condition *cond) 1046{ 1047 switch (head->r.cond_step) { 1048 case 0: 1049 head->r.cond_index = 0; 1050 head->r.cond_step++; 1051 /* fall through */ 1052 case 1: 1053 { 1054 const u16 condc = cond->condc; 1055 const struct tomoyo_condition_element *condp = 1056 (typeof(condp)) (cond + 1); 1057 const struct tomoyo_number_union *numbers_p = 1058 (typeof(numbers_p)) (condp + condc); 1059 u16 skip; 1060 for (skip = 0; skip < head->r.cond_index; skip++) { 1061 const u8 left = condp->left; 1062 const u8 right = condp->right; 1063 condp++; 1064 switch (left) { 1065 case TOMOYO_NUMBER_UNION: 1066 numbers_p++; 1067 break; 1068 } 1069 switch (right) { 1070 case TOMOYO_NUMBER_UNION: 1071 numbers_p++; 1072 break; 1073 } 1074 } 1075 while (head->r.cond_index < condc) { 1076 const u8 match = condp->equals; 1077 const u8 left = condp->left; 1078 const u8 right = condp->right; 1079 if (!tomoyo_flush(head)) 1080 return false; 1081 condp++; 1082 head->r.cond_index++; 1083 tomoyo_set_space(head); 1084 switch (left) { 1085 case TOMOYO_NUMBER_UNION: 1086 tomoyo_print_number_union_nospace 1087 (head, numbers_p++); 1088 break; 1089 default: 1090 tomoyo_set_string(head, 1091 tomoyo_condition_keyword[left]); 1092 break; 1093 } 1094 tomoyo_set_string(head, match ? "=" : "!="); 1095 switch (right) { 1096 case TOMOYO_NUMBER_UNION: 1097 tomoyo_print_number_union_nospace 1098 (head, numbers_p++); 1099 break; 1100 default: 1101 tomoyo_set_string(head, 1102 tomoyo_condition_keyword[right]); 1103 break; 1104 } 1105 } 1106 } 1107 head->r.cond_step++; 1108 /* fall through */ 1109 case 2: 1110 if (!tomoyo_flush(head)) 1111 break; 1112 head->r.cond_step++; 1113 /* fall through */ 1114 case 3: 1115 tomoyo_set_lf(head); 1116 return true; 1117 } 1118 return false; 1119} 1120 1121/** 1122 * tomoyo_set_group - Print "acl_group " header keyword and category name. 1123 * 1124 * @head: Pointer to "struct tomoyo_io_buffer". 1125 * @category: Category name. 1126 * 1127 * Returns nothing. 1128 */ 1129static void tomoyo_set_group(struct tomoyo_io_buffer *head, 1130 const char *category) 1131{ 1132 if (head->type == TOMOYO_EXCEPTIONPOLICY) { 1133 tomoyo_print_namespace(head); 1134 tomoyo_io_printf(head, "acl_group %u ", 1135 head->r.acl_group_index); 1136 } 1137 tomoyo_set_string(head, category); 1138} 1139 1140/** 1141 * tomoyo_print_entry - Print an ACL entry. 1142 * 1143 * @head: Pointer to "struct tomoyo_io_buffer". 1144 * @acl: Pointer to an ACL entry. 1145 * 1146 * Returns true on success, false otherwise. 1147 */ 1148static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 1149 struct tomoyo_acl_info *acl) 1150{ 1151 const u8 acl_type = acl->type; 1152 bool first = true; 1153 u8 bit; 1154 1155 if (head->r.print_cond_part) 1156 goto print_cond_part; 1157 if (acl->is_deleted) 1158 return true; 1159 if (!tomoyo_flush(head)) 1160 return false; 1161 else if (acl_type == TOMOYO_TYPE_PATH_ACL) { 1162 struct tomoyo_path_acl *ptr = 1163 container_of(acl, typeof(*ptr), head); 1164 const u16 perm = ptr->perm; 1165 for (bit = 0; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 1166 if (!(perm & (1 << bit))) 1167 continue; 1168 if (head->r.print_transition_related_only && 1169 bit != TOMOYO_TYPE_EXECUTE) 1170 continue; 1171 if (first) { 1172 tomoyo_set_group(head, "file "); 1173 first = false; 1174 } else { 1175 tomoyo_set_slash(head); 1176 } 1177 tomoyo_set_string(head, tomoyo_path_keyword[bit]); 1178 } 1179 if (first) 1180 return true; 1181 tomoyo_print_name_union(head, &ptr->name); 1182 } else if (head->r.print_transition_related_only) { 1183 return true; 1184 } else if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 1185 struct tomoyo_path2_acl *ptr = 1186 container_of(acl, typeof(*ptr), head); 1187 const u8 perm = ptr->perm; 1188 for (bit = 0; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { 1189 if (!(perm & (1 << bit))) 1190 continue; 1191 if (first) { 1192 tomoyo_set_group(head, "file "); 1193 first = false; 1194 } else { 1195 tomoyo_set_slash(head); 1196 } 1197 tomoyo_set_string(head, tomoyo_mac_keywords 1198 [tomoyo_pp2mac[bit]]); 1199 } 1200 if (first) 1201 return true; 1202 tomoyo_print_name_union(head, &ptr->name1); 1203 tomoyo_print_name_union(head, &ptr->name2); 1204 } else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { 1205 struct tomoyo_path_number_acl *ptr = 1206 container_of(acl, typeof(*ptr), head); 1207 const u8 perm = ptr->perm; 1208 for (bit = 0; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; bit++) { 1209 if (!(perm & (1 << bit))) 1210 continue; 1211 if (first) { 1212 tomoyo_set_group(head, "file "); 1213 first = false; 1214 } else { 1215 tomoyo_set_slash(head); 1216 } 1217 tomoyo_set_string(head, tomoyo_mac_keywords 1218 [tomoyo_pn2mac[bit]]); 1219 } 1220 if (first) 1221 return true; 1222 tomoyo_print_name_union(head, &ptr->name); 1223 tomoyo_print_number_union(head, &ptr->number); 1224 } else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) { 1225 struct tomoyo_mkdev_acl *ptr = 1226 container_of(acl, typeof(*ptr), head); 1227 const u8 perm = ptr->perm; 1228 for (bit = 0; bit < TOMOYO_MAX_MKDEV_OPERATION; bit++) { 1229 if (!(perm & (1 << bit))) 1230 continue; 1231 if (first) { 1232 tomoyo_set_group(head, "file "); 1233 first = false; 1234 } else { 1235 tomoyo_set_slash(head); 1236 } 1237 tomoyo_set_string(head, tomoyo_mac_keywords 1238 [tomoyo_pnnn2mac[bit]]); 1239 } 1240 if (first) 1241 return true; 1242 tomoyo_print_name_union(head, &ptr->name); 1243 tomoyo_print_number_union(head, &ptr->mode); 1244 tomoyo_print_number_union(head, &ptr->major); 1245 tomoyo_print_number_union(head, &ptr->minor); 1246 } else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { 1247 struct tomoyo_mount_acl *ptr = 1248 container_of(acl, typeof(*ptr), head); 1249 tomoyo_set_group(head, "file mount"); 1250 tomoyo_print_name_union(head, &ptr->dev_name); 1251 tomoyo_print_name_union(head, &ptr->dir_name); 1252 tomoyo_print_name_union(head, &ptr->fs_type); 1253 tomoyo_print_number_union(head, &ptr->flags); 1254 } 1255 if (acl->cond) { 1256 head->r.print_cond_part = true; 1257 head->r.cond_step = 0; 1258 if (!tomoyo_flush(head)) 1259 return false; 1260print_cond_part: 1261 if (!tomoyo_print_condition(head, acl->cond)) 1262 return false; 1263 head->r.print_cond_part = false; 1264 } else { 1265 tomoyo_set_lf(head); 1266 } 1267 return true; 1268} 1269 1270/** 1271 * tomoyo_read_domain2 - Read domain policy. 1272 * 1273 * @head: Pointer to "struct tomoyo_io_buffer". 1274 * @list: Pointer to "struct list_head". 1275 * 1276 * Caller holds tomoyo_read_lock(). 1277 * 1278 * Returns true on success, false otherwise. 1279 */ 1280static bool tomoyo_read_domain2(struct tomoyo_io_buffer *head, 1281 struct list_head *list) 1282{ 1283 list_for_each_cookie(head->r.acl, list) { 1284 struct tomoyo_acl_info *ptr = 1285 list_entry(head->r.acl, typeof(*ptr), list); 1286 if (!tomoyo_print_entry(head, ptr)) 1287 return false; 1288 } 1289 head->r.acl = NULL; 1290 return true; 1291} 1292 1293/** 1294 * tomoyo_read_domain - Read domain policy. 1295 * 1296 * @head: Pointer to "struct tomoyo_io_buffer". 1297 * 1298 * Caller holds tomoyo_read_lock(). 1299 */ 1300static void tomoyo_read_domain(struct tomoyo_io_buffer *head) 1301{ 1302 if (head->r.eof) 1303 return; 1304 list_for_each_cookie(head->r.domain, &tomoyo_domain_list) { 1305 struct tomoyo_domain_info *domain = 1306 list_entry(head->r.domain, typeof(*domain), list); 1307 switch (head->r.step) { 1308 u8 i; 1309 case 0: 1310 if (domain->is_deleted && 1311 !head->r.print_this_domain_only) 1312 continue; 1313 /* Print domainname and flags. */ 1314 tomoyo_set_string(head, domain->domainname->name); 1315 tomoyo_set_lf(head); 1316 tomoyo_io_printf(head, "use_profile %u\n", 1317 domain->profile); 1318 tomoyo_io_printf(head, "use_group %u\n", 1319 domain->group); 1320 for (i = 0; i < TOMOYO_MAX_DOMAIN_INFO_FLAGS; i++) 1321 if (domain->flags[i]) 1322 tomoyo_set_string(head, tomoyo_dif[i]); 1323 head->r.step++; 1324 tomoyo_set_lf(head); 1325 /* fall through */ 1326 case 1: 1327 if (!tomoyo_read_domain2(head, &domain->acl_info_list)) 1328 return; 1329 head->r.step++; 1330 if (!tomoyo_set_lf(head)) 1331 return; 1332 /* fall through */ 1333 case 2: 1334 head->r.step = 0; 1335 if (head->r.print_this_domain_only) 1336 goto done; 1337 } 1338 } 1339 done: 1340 head->r.eof = true; 1341} 1342 1343/** 1344 * tomoyo_write_pid: Specify PID to obtain domainname. 1345 * 1346 * @head: Pointer to "struct tomoyo_io_buffer". 1347 * 1348 * Returns 0. 1349 */ 1350static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1351{ 1352 head->r.eof = false; 1353 return 0; 1354} 1355 1356/** 1357 * tomoyo_read_pid - Get domainname of the specified PID. 1358 * 1359 * @head: Pointer to "struct tomoyo_io_buffer". 1360 * 1361 * Returns the domainname which the specified PID is in on success, 1362 * empty string otherwise. 1363 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1364 * using read()/write() interface rather than sysctl() interface. 1365 */ 1366static void tomoyo_read_pid(struct tomoyo_io_buffer *head) 1367{ 1368 char *buf = head->write_buf; 1369 bool global_pid = false; 1370 unsigned int pid; 1371 struct task_struct *p; 1372 struct tomoyo_domain_info *domain = NULL; 1373 1374 /* Accessing write_buf is safe because head->io_sem is held. */ 1375 if (!buf) { 1376 head->r.eof = true; 1377 return; /* Do nothing if open(O_RDONLY). */ 1378 } 1379 if (head->r.w_pos || head->r.eof) 1380 return; 1381 head->r.eof = true; 1382 if (tomoyo_str_starts(&buf, "global-pid ")) 1383 global_pid = true; 1384 pid = (unsigned int) simple_strtoul(buf, NULL, 10); 1385 rcu_read_lock(); 1386 read_lock(&tasklist_lock); 1387 if (global_pid) 1388 p = find_task_by_pid_ns(pid, &init_pid_ns); 1389 else 1390 p = find_task_by_vpid(pid); 1391 if (p) 1392 domain = tomoyo_real_domain(p); 1393 read_unlock(&tasklist_lock); 1394 rcu_read_unlock(); 1395 if (!domain) 1396 return; 1397 tomoyo_io_printf(head, "%u %u ", pid, domain->profile); 1398 tomoyo_set_string(head, domain->domainname->name); 1399} 1400 1401static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = { 1402 [TOMOYO_TRANSITION_CONTROL_NO_RESET] = "no_reset_domain ", 1403 [TOMOYO_TRANSITION_CONTROL_RESET] = "reset_domain ", 1404 [TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ", 1405 [TOMOYO_TRANSITION_CONTROL_INITIALIZE] = "initialize_domain ", 1406 [TOMOYO_TRANSITION_CONTROL_NO_KEEP] = "no_keep_domain ", 1407 [TOMOYO_TRANSITION_CONTROL_KEEP] = "keep_domain ", 1408}; 1409 1410static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = { 1411 [TOMOYO_PATH_GROUP] = "path_group ", 1412 [TOMOYO_NUMBER_GROUP] = "number_group ", 1413}; 1414 1415/** 1416 * tomoyo_write_exception - Write exception policy. 1417 * 1418 * @head: Pointer to "struct tomoyo_io_buffer". 1419 * 1420 * Returns 0 on success, negative value otherwise. 1421 * 1422 * Caller holds tomoyo_read_lock(). 1423 */ 1424static int tomoyo_write_exception(struct tomoyo_io_buffer *head) 1425{ 1426 const bool is_delete = head->w.is_delete; 1427 struct tomoyo_acl_param param = { 1428 .ns = head->w.ns, 1429 .is_delete = is_delete, 1430 .data = head->write_buf, 1431 }; 1432 u8 i; 1433 if (tomoyo_str_starts(¶m.data, "aggregator ")) 1434 return tomoyo_write_aggregator(¶m); 1435 for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++) 1436 if (tomoyo_str_starts(¶m.data, tomoyo_transition_type[i])) 1437 return tomoyo_write_transition_control(¶m, i); 1438 for (i = 0; i < TOMOYO_MAX_GROUP; i++) 1439 if (tomoyo_str_starts(¶m.data, tomoyo_group_name[i])) 1440 return tomoyo_write_group(¶m, i); 1441 if (tomoyo_str_starts(¶m.data, "acl_group ")) { 1442 unsigned int group; 1443 char *data; 1444 group = simple_strtoul(param.data, &data, 10); 1445 if (group < TOMOYO_MAX_ACL_GROUPS && *data++ == ' ') 1446 return tomoyo_write_domain2 1447 (head->w.ns, &head->w.ns->acl_group[group], 1448 data, is_delete); 1449 } 1450 return -EINVAL; 1451} 1452 1453/** 1454 * tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group" list. 1455 * 1456 * @head: Pointer to "struct tomoyo_io_buffer". 1457 * @idx: Index number. 1458 * 1459 * Returns true on success, false otherwise. 1460 * 1461 * Caller holds tomoyo_read_lock(). 1462 */ 1463static bool tomoyo_read_group(struct tomoyo_io_buffer *head, const int idx) 1464{ 1465 struct tomoyo_policy_namespace *ns = 1466 container_of(head->r.ns, typeof(*ns), namespace_list); 1467 struct list_head *list = &ns->group_list[idx]; 1468 list_for_each_cookie(head->r.group, list) { 1469 struct tomoyo_group *group = 1470 list_entry(head->r.group, typeof(*group), head.list); 1471 list_for_each_cookie(head->r.acl, &group->member_list) { 1472 struct tomoyo_acl_head *ptr = 1473 list_entry(head->r.acl, typeof(*ptr), list); 1474 if (ptr->is_deleted) 1475 continue; 1476 if (!tomoyo_flush(head)) 1477 return false; 1478 tomoyo_print_namespace(head); 1479 tomoyo_set_string(head, tomoyo_group_name[idx]); 1480 tomoyo_set_string(head, group->group_name->name); 1481 if (idx == TOMOYO_PATH_GROUP) { 1482 tomoyo_set_space(head); 1483 tomoyo_set_string(head, container_of 1484 (ptr, struct tomoyo_path_group, 1485 head)->member_name->name); 1486 } else if (idx == TOMOYO_NUMBER_GROUP) { 1487 tomoyo_print_number_union(head, &container_of 1488 (ptr, 1489 struct tomoyo_number_group, 1490 head)->number); 1491 } 1492 tomoyo_set_lf(head); 1493 } 1494 head->r.acl = NULL; 1495 } 1496 head->r.group = NULL; 1497 return true; 1498} 1499 1500/** 1501 * tomoyo_read_policy - Read "struct tomoyo_..._entry" list. 1502 * 1503 * @head: Pointer to "struct tomoyo_io_buffer". 1504 * @idx: Index number. 1505 * 1506 * Returns true on success, false otherwise. 1507 * 1508 * Caller holds tomoyo_read_lock(). 1509 */ 1510static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) 1511{ 1512 struct tomoyo_policy_namespace *ns = 1513 container_of(head->r.ns, typeof(*ns), namespace_list); 1514 struct list_head *list = &ns->policy_list[idx]; 1515 list_for_each_cookie(head->r.acl, list) { 1516 struct tomoyo_acl_head *acl = 1517 container_of(head->r.acl, typeof(*acl), list); 1518 if (acl->is_deleted) 1519 continue; 1520 if (!tomoyo_flush(head)) 1521 return false; 1522 switch (idx) { 1523 case TOMOYO_ID_TRANSITION_CONTROL: 1524 { 1525 struct tomoyo_transition_control *ptr = 1526 container_of(acl, typeof(*ptr), head); 1527 tomoyo_print_namespace(head); 1528 tomoyo_set_string(head, tomoyo_transition_type 1529 [ptr->type]); 1530 tomoyo_set_string(head, ptr->program ? 1531 ptr->program->name : "any"); 1532 tomoyo_set_string(head, " from "); 1533 tomoyo_set_string(head, ptr->domainname ? 1534 ptr->domainname->name : 1535 "any"); 1536 } 1537 break; 1538 case TOMOYO_ID_AGGREGATOR: 1539 { 1540 struct tomoyo_aggregator *ptr = 1541 container_of(acl, typeof(*ptr), head); 1542 tomoyo_print_namespace(head); 1543 tomoyo_set_string(head, "aggregator "); 1544 tomoyo_set_string(head, 1545 ptr->original_name->name); 1546 tomoyo_set_space(head); 1547 tomoyo_set_string(head, 1548 ptr->aggregated_name->name); 1549 } 1550 break; 1551 default: 1552 continue; 1553 } 1554 tomoyo_set_lf(head); 1555 } 1556 head->r.acl = NULL; 1557 return true; 1558} 1559 1560/** 1561 * tomoyo_read_exception - Read exception policy. 1562 * 1563 * @head: Pointer to "struct tomoyo_io_buffer". 1564 * 1565 * Caller holds tomoyo_read_lock(). 1566 */ 1567static void tomoyo_read_exception(struct tomoyo_io_buffer *head) 1568{ 1569 struct tomoyo_policy_namespace *ns = 1570 container_of(head->r.ns, typeof(*ns), namespace_list); 1571 if (head->r.eof) 1572 return; 1573 while (head->r.step < TOMOYO_MAX_POLICY && 1574 tomoyo_read_policy(head, head->r.step)) 1575 head->r.step++; 1576 if (head->r.step < TOMOYO_MAX_POLICY) 1577 return; 1578 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP && 1579 tomoyo_read_group(head, head->r.step - TOMOYO_MAX_POLICY)) 1580 head->r.step++; 1581 if (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP) 1582 return; 1583 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP 1584 + TOMOYO_MAX_ACL_GROUPS) { 1585 head->r.acl_group_index = head->r.step - TOMOYO_MAX_POLICY 1586 - TOMOYO_MAX_GROUP; 1587 if (!tomoyo_read_domain2(head, &ns->acl_group 1588 [head->r.acl_group_index])) 1589 return; 1590 head->r.step++; 1591 } 1592 head->r.eof = true; 1593} 1594 1595/* Wait queue for kernel -> userspace notification. */ 1596static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait); 1597/* Wait queue for userspace -> kernel notification. */ 1598static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait); 1599 1600/* Structure for query. */ 1601struct tomoyo_query { 1602 struct list_head list; 1603 char *query; 1604 size_t query_len; 1605 unsigned int serial; 1606 u8 timer; 1607 u8 answer; 1608 u8 retry; 1609}; 1610 1611/* The list for "struct tomoyo_query". */ 1612static LIST_HEAD(tomoyo_query_list); 1613 1614/* Lock for manipulating tomoyo_query_list. */ 1615static DEFINE_SPINLOCK(tomoyo_query_list_lock); 1616 1617/* 1618 * Number of "struct file" referring /sys/kernel/security/tomoyo/query 1619 * interface. 1620 */ 1621static atomic_t tomoyo_query_observers = ATOMIC_INIT(0); 1622 1623/** 1624 * tomoyo_add_entry - Add an ACL to current thread's domain. Used by learning mode. 1625 * 1626 * @domain: Pointer to "struct tomoyo_domain_info". 1627 * @header: Lines containing ACL. 1628 * 1629 * Returns nothing. 1630 */ 1631static void tomoyo_add_entry(struct tomoyo_domain_info *domain, char *header) 1632{ 1633 char *buffer; 1634 char *cp = strchr(header, '\n'); 1635 int len; 1636 if (!cp) 1637 return; 1638 cp = strchr(cp + 1, '\n'); 1639 if (!cp) 1640 return; 1641 *cp++ = '\0'; 1642 len = strlen(cp) + 1; 1643 buffer = kmalloc(len, GFP_NOFS); 1644 if (!buffer) 1645 return; 1646 snprintf(buffer, len - 1, "%s", cp); 1647 tomoyo_normalize_line(buffer); 1648 if (!tomoyo_write_domain2(domain->ns, &domain->acl_info_list, buffer, 1649 false)) 1650 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 1651 kfree(buffer); 1652} 1653 1654/** 1655 * tomoyo_supervisor - Ask for the supervisor's decision. 1656 * 1657 * @r: Pointer to "struct tomoyo_request_info". 1658 * @fmt: The printf()'s format string, followed by parameters. 1659 * 1660 * Returns 0 if the supervisor decided to permit the access request which 1661 * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the 1662 * supervisor decided to retry the access request which violated the policy in 1663 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise. 1664 */ 1665int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 1666{ 1667 va_list args; 1668 int error; 1669 int len; 1670 static unsigned int tomoyo_serial; 1671 struct tomoyo_query entry = { }; 1672 bool quota_exceeded = false; 1673 va_start(args, fmt); 1674 len = vsnprintf((char *) &len, 1, fmt, args) + 1; 1675 va_end(args); 1676 /* Write /sys/kernel/security/tomoyo/audit. */ 1677 va_start(args, fmt); 1678 tomoyo_write_log2(r, len, fmt, args); 1679 va_end(args); 1680 /* Nothing more to do if granted. */ 1681 if (r->granted) 1682 return 0; 1683 if (r->mode) 1684 tomoyo_update_stat(r->mode); 1685 switch (r->mode) { 1686 case TOMOYO_CONFIG_ENFORCING: 1687 error = -EPERM; 1688 if (atomic_read(&tomoyo_query_observers)) 1689 break; 1690 goto out; 1691 case TOMOYO_CONFIG_LEARNING: 1692 error = 0; 1693 /* Check max_learning_entry parameter. */ 1694 if (tomoyo_domain_quota_is_ok(r)) 1695 break; 1696 /* fall through */ 1697 default: 1698 return 0; 1699 } 1700 /* Get message. */ 1701 va_start(args, fmt); 1702 entry.query = tomoyo_init_log(r, len, fmt, args); 1703 va_end(args); 1704 if (!entry.query) 1705 goto out; 1706 entry.query_len = strlen(entry.query) + 1; 1707 if (!error) { 1708 tomoyo_add_entry(r->domain, entry.query); 1709 goto out; 1710 } 1711 len = tomoyo_round2(entry.query_len); 1712 spin_lock(&tomoyo_query_list_lock); 1713 if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] && 1714 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len 1715 >= tomoyo_memory_quota[TOMOYO_MEMORY_QUERY]) { 1716 quota_exceeded = true; 1717 } else { 1718 entry.serial = tomoyo_serial++; 1719 entry.retry = r->retry; 1720 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] += len; 1721 list_add_tail(&entry.list, &tomoyo_query_list); 1722 } 1723 spin_unlock(&tomoyo_query_list_lock); 1724 if (quota_exceeded) 1725 goto out; 1726 /* Give 10 seconds for supervisor's opinion. */ 1727 while (entry.timer < 10) { 1728 wake_up_all(&tomoyo_query_wait); 1729 if (wait_event_interruptible_timeout 1730 (tomoyo_answer_wait, entry.answer || 1731 !atomic_read(&tomoyo_query_observers), HZ)) 1732 break; 1733 else 1734 entry.timer++; 1735 } 1736 spin_lock(&tomoyo_query_list_lock); 1737 list_del(&entry.list); 1738 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] -= len; 1739 spin_unlock(&tomoyo_query_list_lock); 1740 switch (entry.answer) { 1741 case 3: /* Asked to retry by administrator. */ 1742 error = TOMOYO_RETRY_REQUEST; 1743 r->retry++; 1744 break; 1745 case 1: 1746 /* Granted by administrator. */ 1747 error = 0; 1748 break; 1749 default: 1750 /* Timed out or rejected by administrator. */ 1751 break; 1752 } 1753out: 1754 kfree(entry.query); 1755 return error; 1756} 1757 1758/** 1759 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query. 1760 * 1761 * @file: Pointer to "struct file". 1762 * @wait: Pointer to "poll_table". 1763 * 1764 * Returns POLLIN | POLLRDNORM when ready to read, 0 otherwise. 1765 * 1766 * Waits for access requests which violated policy in enforcing mode. 1767 */ 1768static int tomoyo_poll_query(struct file *file, poll_table *wait) 1769{ 1770 struct list_head *tmp; 1771 bool found = false; 1772 u8 i; 1773 for (i = 0; i < 2; i++) { 1774 spin_lock(&tomoyo_query_list_lock); 1775 list_for_each(tmp, &tomoyo_query_list) { 1776 struct tomoyo_query *ptr = 1777 list_entry(tmp, typeof(*ptr), list); 1778 if (ptr->answer) 1779 continue; 1780 found = true; 1781 break; 1782 } 1783 spin_unlock(&tomoyo_query_list_lock); 1784 if (found) 1785 return POLLIN | POLLRDNORM; 1786 if (i) 1787 break; 1788 poll_wait(file, &tomoyo_query_wait, wait); 1789 } 1790 return 0; 1791} 1792 1793/** 1794 * tomoyo_read_query - Read access requests which violated policy in enforcing mode. 1795 * 1796 * @head: Pointer to "struct tomoyo_io_buffer". 1797 */ 1798static void tomoyo_read_query(struct tomoyo_io_buffer *head) 1799{ 1800 struct list_head *tmp; 1801 unsigned int pos = 0; 1802 size_t len = 0; 1803 char *buf; 1804 if (head->r.w_pos) 1805 return; 1806 if (head->read_buf) { 1807 kfree(head->read_buf); 1808 head->read_buf = NULL; 1809 } 1810 spin_lock(&tomoyo_query_list_lock); 1811 list_for_each(tmp, &tomoyo_query_list) { 1812 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1813 if (ptr->answer) 1814 continue; 1815 if (pos++ != head->r.query_index) 1816 continue; 1817 len = ptr->query_len; 1818 break; 1819 } 1820 spin_unlock(&tomoyo_query_list_lock); 1821 if (!len) { 1822 head->r.query_index = 0; 1823 return; 1824 } 1825 buf = kzalloc(len + 32, GFP_NOFS); 1826 if (!buf) 1827 return; 1828 pos = 0; 1829 spin_lock(&tomoyo_query_list_lock); 1830 list_for_each(tmp, &tomoyo_query_list) { 1831 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1832 if (ptr->answer) 1833 continue; 1834 if (pos++ != head->r.query_index) 1835 continue; 1836 /* 1837 * Some query can be skipped because tomoyo_query_list 1838 * can change, but I don't care. 1839 */ 1840 if (len == ptr->query_len) 1841 snprintf(buf, len + 31, "Q%u-%hu\n%s", ptr->serial, 1842 ptr->retry, ptr->query); 1843 break; 1844 } 1845 spin_unlock(&tomoyo_query_list_lock); 1846 if (buf[0]) { 1847 head->read_buf = buf; 1848 head->r.w[head->r.w_pos++] = buf; 1849 head->r.query_index++; 1850 } else { 1851 kfree(buf); 1852 } 1853} 1854 1855/** 1856 * tomoyo_write_answer - Write the supervisor's decision. 1857 * 1858 * @head: Pointer to "struct tomoyo_io_buffer". 1859 * 1860 * Returns 0 on success, -EINVAL otherwise. 1861 */ 1862static int tomoyo_write_answer(struct tomoyo_io_buffer *head) 1863{ 1864 char *data = head->write_buf; 1865 struct list_head *tmp; 1866 unsigned int serial; 1867 unsigned int answer; 1868 spin_lock(&tomoyo_query_list_lock); 1869 list_for_each(tmp, &tomoyo_query_list) { 1870 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1871 ptr->timer = 0; 1872 } 1873 spin_unlock(&tomoyo_query_list_lock); 1874 if (sscanf(data, "A%u=%u", &serial, &answer) != 2) 1875 return -EINVAL; 1876 spin_lock(&tomoyo_query_list_lock); 1877 list_for_each(tmp, &tomoyo_query_list) { 1878 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1879 if (ptr->serial != serial) 1880 continue; 1881 if (!ptr->answer) 1882 ptr->answer = answer; 1883 break; 1884 } 1885 spin_unlock(&tomoyo_query_list_lock); 1886 return 0; 1887} 1888 1889/** 1890 * tomoyo_read_version: Get version. 1891 * 1892 * @head: Pointer to "struct tomoyo_io_buffer". 1893 * 1894 * Returns version information. 1895 */ 1896static void tomoyo_read_version(struct tomoyo_io_buffer *head) 1897{ 1898 if (!head->r.eof) { 1899 tomoyo_io_printf(head, "2.4.0"); 1900 head->r.eof = true; 1901 } 1902} 1903 1904/** 1905 * tomoyo_read_self_domain - Get the current process's domainname. 1906 * 1907 * @head: Pointer to "struct tomoyo_io_buffer". 1908 * 1909 * Returns the current process's domainname. 1910 */ 1911static void tomoyo_read_self_domain(struct tomoyo_io_buffer *head) 1912{ 1913 if (!head->r.eof) { 1914 /* 1915 * tomoyo_domain()->domainname != NULL 1916 * because every process belongs to a domain and 1917 * the domain's name cannot be NULL. 1918 */ 1919 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); 1920 head->r.eof = true; 1921 } 1922} 1923 1924/* String table for /sys/kernel/security/tomoyo/stat interface. */ 1925static const char * const tomoyo_policy_headers[TOMOYO_MAX_POLICY_STAT] = { 1926 [TOMOYO_STAT_POLICY_UPDATES] = "update:", 1927 [TOMOYO_STAT_POLICY_LEARNING] = "violation in learning mode:", 1928 [TOMOYO_STAT_POLICY_PERMISSIVE] = "violation in permissive mode:", 1929 [TOMOYO_STAT_POLICY_ENFORCING] = "violation in enforcing mode:", 1930}; 1931 1932/* String table for /sys/kernel/security/tomoyo/stat interface. */ 1933static const char * const tomoyo_memory_headers[TOMOYO_MAX_MEMORY_STAT] = { 1934 [TOMOYO_MEMORY_POLICY] = "policy:", 1935 [TOMOYO_MEMORY_AUDIT] = "audit log:", 1936 [TOMOYO_MEMORY_QUERY] = "query message:", 1937}; 1938 1939/* Timestamp counter for last updated. */ 1940static unsigned int tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT]; 1941/* Counter for number of updates. */ 1942static unsigned int tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT]; 1943 1944/** 1945 * tomoyo_update_stat - Update statistic counters. 1946 * 1947 * @index: Index for policy type. 1948 * 1949 * Returns nothing. 1950 */ 1951void tomoyo_update_stat(const u8 index) 1952{ 1953 struct timeval tv; 1954 do_gettimeofday(&tv); 1955 /* 1956 * I don't use atomic operations because race condition is not fatal. 1957 */ 1958 tomoyo_stat_updated[index]++; 1959 tomoyo_stat_modified[index] = tv.tv_sec; 1960} 1961 1962/** 1963 * tomoyo_read_stat - Read statistic data. 1964 * 1965 * @head: Pointer to "struct tomoyo_io_buffer". 1966 * 1967 * Returns nothing. 1968 */ 1969static void tomoyo_read_stat(struct tomoyo_io_buffer *head) 1970{ 1971 u8 i; 1972 unsigned int total = 0; 1973 if (head->r.eof) 1974 return; 1975 for (i = 0; i < TOMOYO_MAX_POLICY_STAT; i++) { 1976 tomoyo_io_printf(head, "Policy %-30s %10u", 1977 tomoyo_policy_headers[i], 1978 tomoyo_stat_updated[i]); 1979 if (tomoyo_stat_modified[i]) { 1980 struct tomoyo_time stamp; 1981 tomoyo_convert_time(tomoyo_stat_modified[i], &stamp); 1982 tomoyo_io_printf(head, " (Last: %04u/%02u/%02u " 1983 "%02u:%02u:%02u)", 1984 stamp.year, stamp.month, stamp.day, 1985 stamp.hour, stamp.min, stamp.sec); 1986 } 1987 tomoyo_set_lf(head); 1988 } 1989 for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) { 1990 unsigned int used = tomoyo_memory_used[i]; 1991 total += used; 1992 tomoyo_io_printf(head, "Memory used by %-22s %10u", 1993 tomoyo_memory_headers[i], used); 1994 used = tomoyo_memory_quota[i]; 1995 if (used) 1996 tomoyo_io_printf(head, " (Quota: %10u)", used); 1997 tomoyo_set_lf(head); 1998 } 1999 tomoyo_io_printf(head, "Total memory used: %10u\n", 2000 total); 2001 head->r.eof = true; 2002} 2003 2004/** 2005 * tomoyo_write_stat - Set memory quota. 2006 * 2007 * @head: Pointer to "struct tomoyo_io_buffer". 2008 * 2009 * Returns 0. 2010 */ 2011static int tomoyo_write_stat(struct tomoyo_io_buffer *head) 2012{ 2013 char *data = head->write_buf; 2014 u8 i; 2015 if (tomoyo_str_starts(&data, "Memory used by ")) 2016 for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) 2017 if (tomoyo_str_starts(&data, tomoyo_memory_headers[i])) 2018 sscanf(data, "%u", &tomoyo_memory_quota[i]); 2019 return 0; 2020} 2021 2022/** 2023 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 2024 * 2025 * @type: Type of interface. 2026 * @file: Pointer to "struct file". 2027 * 2028 * Returns 0 on success, negative value otherwise. 2029 */ 2030int tomoyo_open_control(const u8 type, struct file *file) 2031{ 2032 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS); 2033 2034 if (!head) 2035 return -ENOMEM; 2036 mutex_init(&head->io_sem); 2037 head->type = type; 2038 switch (type) { 2039 case TOMOYO_DOMAINPOLICY: 2040 /* /sys/kernel/security/tomoyo/domain_policy */ 2041 head->write = tomoyo_write_domain; 2042 head->read = tomoyo_read_domain; 2043 break; 2044 case TOMOYO_EXCEPTIONPOLICY: 2045 /* /sys/kernel/security/tomoyo/exception_policy */ 2046 head->write = tomoyo_write_exception; 2047 head->read = tomoyo_read_exception; 2048 break; 2049 case TOMOYO_AUDIT: 2050 /* /sys/kernel/security/tomoyo/audit */ 2051 head->poll = tomoyo_poll_log; 2052 head->read = tomoyo_read_log; 2053 break; 2054 case TOMOYO_SELFDOMAIN: 2055 /* /sys/kernel/security/tomoyo/self_domain */ 2056 head->read = tomoyo_read_self_domain; 2057 break; 2058 case TOMOYO_PROCESS_STATUS: 2059 /* /sys/kernel/security/tomoyo/.process_status */ 2060 head->write = tomoyo_write_pid; 2061 head->read = tomoyo_read_pid; 2062 break; 2063 case TOMOYO_VERSION: 2064 /* /sys/kernel/security/tomoyo/version */ 2065 head->read = tomoyo_read_version; 2066 head->readbuf_size = 128; 2067 break; 2068 case TOMOYO_STAT: 2069 /* /sys/kernel/security/tomoyo/stat */ 2070 head->write = tomoyo_write_stat; 2071 head->read = tomoyo_read_stat; 2072 head->readbuf_size = 1024; 2073 break; 2074 case TOMOYO_PROFILE: 2075 /* /sys/kernel/security/tomoyo/profile */ 2076 head->write = tomoyo_write_profile; 2077 head->read = tomoyo_read_profile; 2078 break; 2079 case TOMOYO_QUERY: /* /sys/kernel/security/tomoyo/query */ 2080 head->poll = tomoyo_poll_query; 2081 head->write = tomoyo_write_answer; 2082 head->read = tomoyo_read_query; 2083 break; 2084 case TOMOYO_MANAGER: 2085 /* /sys/kernel/security/tomoyo/manager */ 2086 head->write = tomoyo_write_manager; 2087 head->read = tomoyo_read_manager; 2088 break; 2089 } 2090 if (!(file->f_mode & FMODE_READ)) { 2091 /* 2092 * No need to allocate read_buf since it is not opened 2093 * for reading. 2094 */ 2095 head->read = NULL; 2096 head->poll = NULL; 2097 } else if (!head->poll) { 2098 /* Don't allocate read_buf for poll() access. */ 2099 if (!head->readbuf_size) 2100 head->readbuf_size = 4096 * 2; 2101 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); 2102 if (!head->read_buf) { 2103 kfree(head); 2104 return -ENOMEM; 2105 } 2106 } 2107 if (!(file->f_mode & FMODE_WRITE)) { 2108 /* 2109 * No need to allocate write_buf since it is not opened 2110 * for writing. 2111 */ 2112 head->write = NULL; 2113 } else if (head->write) { 2114 head->writebuf_size = 4096 * 2; 2115 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); 2116 if (!head->write_buf) { 2117 kfree(head->read_buf); 2118 kfree(head); 2119 return -ENOMEM; 2120 } 2121 } 2122 /* 2123 * If the file is /sys/kernel/security/tomoyo/query , increment the 2124 * observer counter. 2125 * The obserber counter is used by tomoyo_supervisor() to see if 2126 * there is some process monitoring /sys/kernel/security/tomoyo/query. 2127 */ 2128 if (type == TOMOYO_QUERY) 2129 atomic_inc(&tomoyo_query_observers); 2130 file->private_data = head; 2131 tomoyo_notify_gc(head, true); 2132 return 0; 2133} 2134 2135/** 2136 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface. 2137 * 2138 * @file: Pointer to "struct file". 2139 * @wait: Pointer to "poll_table". 2140 * 2141 * Waits for read readiness. 2142 * /sys/kernel/security/tomoyo/query is handled by /usr/sbin/tomoyo-queryd and 2143 * /sys/kernel/security/tomoyo/audit is handled by /usr/sbin/tomoyo-auditd. 2144 */ 2145int tomoyo_poll_control(struct file *file, poll_table *wait) 2146{ 2147 struct tomoyo_io_buffer *head = file->private_data; 2148 if (!head->poll) 2149 return -ENOSYS; 2150 return head->poll(file, wait); 2151} 2152 2153/** 2154 * tomoyo_set_namespace_cursor - Set namespace to read. 2155 * 2156 * @head: Pointer to "struct tomoyo_io_buffer". 2157 * 2158 * Returns nothing. 2159 */ 2160static inline void tomoyo_set_namespace_cursor(struct tomoyo_io_buffer *head) 2161{ 2162 struct list_head *ns; 2163 if (head->type != TOMOYO_EXCEPTIONPOLICY && 2164 head->type != TOMOYO_PROFILE) 2165 return; 2166 /* 2167 * If this is the first read, or reading previous namespace finished 2168 * and has more namespaces to read, update the namespace cursor. 2169 */ 2170 ns = head->r.ns; 2171 if (!ns || (head->r.eof && ns->next != &tomoyo_namespace_list)) { 2172 /* Clearing is OK because tomoyo_flush() returned true. */ 2173 memset(&head->r, 0, sizeof(head->r)); 2174 head->r.ns = ns ? ns->next : tomoyo_namespace_list.next; 2175 } 2176} 2177 2178/** 2179 * tomoyo_has_more_namespace - Check for unread namespaces. 2180 * 2181 * @head: Pointer to "struct tomoyo_io_buffer". 2182 * 2183 * Returns true if we have more entries to print, false otherwise. 2184 */ 2185static inline bool tomoyo_has_more_namespace(struct tomoyo_io_buffer *head) 2186{ 2187 return (head->type == TOMOYO_EXCEPTIONPOLICY || 2188 head->type == TOMOYO_PROFILE) && head->r.eof && 2189 head->r.ns->next != &tomoyo_namespace_list; 2190} 2191 2192/** 2193 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 2194 * 2195 * @head: Pointer to "struct tomoyo_io_buffer". 2196 * @buffer: Poiner to buffer to write to. 2197 * @buffer_len: Size of @buffer. 2198 * 2199 * Returns bytes read on success, negative value otherwise. 2200 */ 2201ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, 2202 const int buffer_len) 2203{ 2204 int len; 2205 int idx; 2206 2207 if (!head->read) 2208 return -ENOSYS; 2209 if (mutex_lock_interruptible(&head->io_sem)) 2210 return -EINTR; 2211 head->read_user_buf = buffer; 2212 head->read_user_buf_avail = buffer_len; 2213 idx = tomoyo_read_lock(); 2214 if (tomoyo_flush(head)) 2215 /* Call the policy handler. */ 2216 do { 2217 tomoyo_set_namespace_cursor(head); 2218 head->read(head); 2219 } while (tomoyo_flush(head) && 2220 tomoyo_has_more_namespace(head)); 2221 tomoyo_read_unlock(idx); 2222 len = head->read_user_buf - buffer; 2223 mutex_unlock(&head->io_sem); 2224 return len; 2225} 2226 2227/** 2228 * tomoyo_parse_policy - Parse a policy line. 2229 * 2230 * @head: Poiter to "struct tomoyo_io_buffer". 2231 * @line: Line to parse. 2232 * 2233 * Returns 0 on success, negative value otherwise. 2234 * 2235 * Caller holds tomoyo_read_lock(). 2236 */ 2237static int tomoyo_parse_policy(struct tomoyo_io_buffer *head, char *line) 2238{ 2239 /* Delete request? */ 2240 head->w.is_delete = !strncmp(line, "delete ", 7); 2241 if (head->w.is_delete) 2242 memmove(line, line + 7, strlen(line + 7) + 1); 2243 /* Selecting namespace to update. */ 2244 if (head->type == TOMOYO_EXCEPTIONPOLICY || 2245 head->type == TOMOYO_PROFILE) { 2246 if (*line == '<') { 2247 char *cp = strchr(line, ' '); 2248 if (cp) { 2249 *cp++ = '\0'; 2250 head->w.ns = tomoyo_assign_namespace(line); 2251 memmove(line, cp, strlen(cp) + 1); 2252 } else 2253 head->w.ns = NULL; 2254 } else 2255 head->w.ns = &tomoyo_kernel_namespace; 2256 /* Don't allow updating if namespace is invalid. */ 2257 if (!head->w.ns) 2258 return -ENOENT; 2259 } 2260 /* Do the update. */ 2261 return head->write(head); 2262} 2263 2264/** 2265 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 2266 * 2267 * @head: Pointer to "struct tomoyo_io_buffer". 2268 * @buffer: Pointer to buffer to read from. 2269 * @buffer_len: Size of @buffer. 2270 * 2271 * Returns @buffer_len on success, negative value otherwise. 2272 */ 2273ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, 2274 const char __user *buffer, const int buffer_len) 2275{ 2276 int error = buffer_len; 2277 size_t avail_len = buffer_len; 2278 char *cp0 = head->write_buf; 2279 int idx; 2280 if (!head->write) 2281 return -ENOSYS; 2282 if (!access_ok(VERIFY_READ, buffer, buffer_len)) 2283 return -EFAULT; 2284 if (mutex_lock_interruptible(&head->io_sem)) 2285 return -EINTR; 2286 idx = tomoyo_read_lock(); 2287 /* Read a line and dispatch it to the policy handler. */ 2288 while (avail_len > 0) { 2289 char c; 2290 if (head->w.avail >= head->writebuf_size - 1) { 2291 const int len = head->writebuf_size * 2; 2292 char *cp = kzalloc(len, GFP_NOFS); 2293 if (!cp) { 2294 error = -ENOMEM; 2295 break; 2296 } 2297 memmove(cp, cp0, head->w.avail); 2298 kfree(cp0); 2299 head->write_buf = cp; 2300 cp0 = cp; 2301 head->writebuf_size = len; 2302 } 2303 if (get_user(c, buffer)) { 2304 error = -EFAULT; 2305 break; 2306 } 2307 buffer++; 2308 avail_len--; 2309 cp0[head->w.avail++] = c; 2310 if (c != '\n') 2311 continue; 2312 cp0[head->w.avail - 1] = '\0'; 2313 head->w.avail = 0; 2314 tomoyo_normalize_line(cp0); 2315 if (!strcmp(cp0, "reset")) { 2316 head->w.ns = &tomoyo_kernel_namespace; 2317 head->w.domain = NULL; 2318 memset(&head->r, 0, sizeof(head->r)); 2319 continue; 2320 } 2321 /* Don't allow updating policies by non manager programs. */ 2322 switch (head->type) { 2323 case TOMOYO_PROCESS_STATUS: 2324 /* This does not write anything. */ 2325 break; 2326 case TOMOYO_DOMAINPOLICY: 2327 if (tomoyo_select_domain(head, cp0)) 2328 continue; 2329 /* fall through */ 2330 case TOMOYO_EXCEPTIONPOLICY: 2331 if (!strcmp(cp0, "select transition_only")) { 2332 head->r.print_transition_related_only = true; 2333 continue; 2334 } 2335 /* fall through */ 2336 default: 2337 if (!tomoyo_manager()) { 2338 error = -EPERM; 2339 goto out; 2340 } 2341 } 2342 switch (tomoyo_parse_policy(head, cp0)) { 2343 case -EPERM: 2344 error = -EPERM; 2345 goto out; 2346 case 0: 2347 switch (head->type) { 2348 case TOMOYO_DOMAINPOLICY: 2349 case TOMOYO_EXCEPTIONPOLICY: 2350 case TOMOYO_STAT: 2351 case TOMOYO_PROFILE: 2352 case TOMOYO_MANAGER: 2353 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 2354 break; 2355 default: 2356 break; 2357 } 2358 break; 2359 } 2360 } 2361out: 2362 tomoyo_read_unlock(idx); 2363 mutex_unlock(&head->io_sem); 2364 return error; 2365} 2366 2367/** 2368 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 2369 * 2370 * @head: Pointer to "struct tomoyo_io_buffer". 2371 * 2372 * Returns 0. 2373 */ 2374int tomoyo_close_control(struct tomoyo_io_buffer *head) 2375{ 2376 /* 2377 * If the file is /sys/kernel/security/tomoyo/query , decrement the 2378 * observer counter. 2379 */ 2380 if (head->type == TOMOYO_QUERY && 2381 atomic_dec_and_test(&tomoyo_query_observers)) 2382 wake_up_all(&tomoyo_answer_wait); 2383 tomoyo_notify_gc(head, false); 2384 return 0; 2385} 2386 2387/** 2388 * tomoyo_check_profile - Check all profiles currently assigned to domains are defined. 2389 */ 2390void tomoyo_check_profile(void) 2391{ 2392 struct tomoyo_domain_info *domain; 2393 const int idx = tomoyo_read_lock(); 2394 tomoyo_policy_loaded = true; 2395 printk(KERN_INFO "TOMOYO: 2.4.0\n"); 2396 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 2397 const u8 profile = domain->profile; 2398 const struct tomoyo_policy_namespace *ns = domain->ns; 2399 if (ns->profile_version != 20100903) 2400 printk(KERN_ERR 2401 "Profile version %u is not supported.\n", 2402 ns->profile_version); 2403 else if (!ns->profile_ptr[profile]) 2404 printk(KERN_ERR 2405 "Profile %u (used by '%s') is not defined.\n", 2406 profile, domain->domainname->name); 2407 else 2408 continue; 2409 printk(KERN_ERR 2410 "Userland tools for TOMOYO 2.4 must be installed and " 2411 "policy must be initialized.\n"); 2412 printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/2.4/ " 2413 "for more information.\n"); 2414 panic("STOP!"); 2415 } 2416 tomoyo_read_unlock(idx); 2417 printk(KERN_INFO "Mandatory Access Control activated.\n"); 2418} 2419 2420/** 2421 * tomoyo_load_builtin_policy - Load built-in policy. 2422 * 2423 * Returns nothing. 2424 */ 2425void __init tomoyo_load_builtin_policy(void) 2426{ 2427 /* 2428 * This include file is manually created and contains built-in policy 2429 * named "tomoyo_builtin_profile", "tomoyo_builtin_exception_policy", 2430 * "tomoyo_builtin_domain_policy", "tomoyo_builtin_manager", 2431 * "tomoyo_builtin_stat" in the form of "static char [] __initdata". 2432 */ 2433#include "builtin-policy.h" 2434 u8 i; 2435 const int idx = tomoyo_read_lock(); 2436 for (i = 0; i < 5; i++) { 2437 struct tomoyo_io_buffer head = { }; 2438 char *start = ""; 2439 switch (i) { 2440 case 0: 2441 start = tomoyo_builtin_profile; 2442 head.type = TOMOYO_PROFILE; 2443 head.write = tomoyo_write_profile; 2444 break; 2445 case 1: 2446 start = tomoyo_builtin_exception_policy; 2447 head.type = TOMOYO_EXCEPTIONPOLICY; 2448 head.write = tomoyo_write_exception; 2449 break; 2450 case 2: 2451 start = tomoyo_builtin_domain_policy; 2452 head.type = TOMOYO_DOMAINPOLICY; 2453 head.write = tomoyo_write_domain; 2454 break; 2455 case 3: 2456 start = tomoyo_builtin_manager; 2457 head.type = TOMOYO_MANAGER; 2458 head.write = tomoyo_write_manager; 2459 break; 2460 case 4: 2461 start = tomoyo_builtin_stat; 2462 head.type = TOMOYO_STAT; 2463 head.write = tomoyo_write_stat; 2464 break; 2465 } 2466 while (1) { 2467 char *end = strchr(start, '\n'); 2468 if (!end) 2469 break; 2470 *end = '\0'; 2471 tomoyo_normalize_line(start); 2472 head.write_buf = start; 2473 tomoyo_parse_policy(&head, start); 2474 start = end + 1; 2475 } 2476 } 2477 tomoyo_read_unlock(idx); 2478#ifdef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER 2479 tomoyo_check_profile(); 2480#endif 2481} 2482