common.c revision 2106ccd972dcd9fda7df9b181505fac1741b3508
1/* 2 * security/tomoyo/common.c 3 * 4 * Common functions for TOMOYO. 5 * 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 7 * 8 * Version: 2.2.0 2009/04/01 9 * 10 */ 11 12#include <linux/uaccess.h> 13#include <linux/slab.h> 14#include <linux/security.h> 15#include <linux/hardirq.h> 16#include "common.h" 17 18/* Lock for protecting policy. */ 19DEFINE_MUTEX(tomoyo_policy_lock); 20 21/* Has loading policy done? */ 22bool tomoyo_policy_loaded; 23 24/* String table for functionality that takes 4 modes. */ 25static const char *tomoyo_mode_4[4] = { 26 "disabled", "learning", "permissive", "enforcing" 27}; 28/* String table for functionality that takes 2 modes. */ 29static const char *tomoyo_mode_2[4] = { 30 "disabled", "enabled", "enabled", "enabled" 31}; 32 33/* 34 * tomoyo_control_array is a static data which contains 35 * 36 * (1) functionality name used by /sys/kernel/security/tomoyo/profile . 37 * (2) initial values for "struct tomoyo_profile". 38 * (3) max values for "struct tomoyo_profile". 39 */ 40static struct { 41 const char *keyword; 42 unsigned int current_value; 43 const unsigned int max_value; 44} tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = { 45 [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, 46 [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX }, 47 [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, 48}; 49 50/* 51 * tomoyo_profile is a structure which is used for holding the mode of access 52 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing. 53 * An administrator can define up to 256 profiles. 54 * The ->profile of "struct tomoyo_domain_info" is used for remembering 55 * the profile's number (0 - 255) assigned to that domain. 56 */ 57static struct tomoyo_profile { 58 unsigned int value[TOMOYO_MAX_CONTROL_INDEX]; 59 const struct tomoyo_path_info *comment; 60} *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES]; 61 62/* Permit policy management by non-root user? */ 63static bool tomoyo_manage_by_non_root; 64 65/* Utility functions. */ 66 67/* Open operation for /sys/kernel/security/tomoyo/ interface. */ 68static int tomoyo_open_control(const u8 type, struct file *file); 69/* Close /sys/kernel/security/tomoyo/ interface. */ 70static int tomoyo_close_control(struct file *file); 71/* Read operation for /sys/kernel/security/tomoyo/ interface. */ 72static int tomoyo_read_control(struct file *file, char __user *buffer, 73 const int buffer_len); 74/* Write operation for /sys/kernel/security/tomoyo/ interface. */ 75static int tomoyo_write_control(struct file *file, const char __user *buffer, 76 const int buffer_len); 77 78/** 79 * tomoyo_parse_name_union - Parse a tomoyo_name_union. 80 * 81 * @filename: Name or name group. 82 * @ptr: Pointer to "struct tomoyo_name_union". 83 * 84 * Returns true on success, false otherwise. 85 */ 86bool tomoyo_parse_name_union(const char *filename, 87 struct tomoyo_name_union *ptr) 88{ 89 if (!tomoyo_is_correct_path(filename, 0, 0, 0)) 90 return false; 91 if (filename[0] == '@') { 92 ptr->group = tomoyo_get_path_group(filename + 1); 93 ptr->is_group = true; 94 return ptr->group != NULL; 95 } 96 ptr->filename = tomoyo_get_name(filename); 97 ptr->is_group = false; 98 return ptr->filename != NULL; 99} 100 101/** 102 * tomoyo_print_name_union - Print a tomoyo_name_union. 103 * 104 * @head: Pointer to "struct tomoyo_io_buffer". 105 * @ptr: Pointer to "struct tomoyo_name_union". 106 * 107 * Returns true on success, false otherwise. 108 */ 109static bool tomoyo_print_name_union(struct tomoyo_io_buffer *head, 110 const struct tomoyo_name_union *ptr) 111{ 112 int pos = head->read_avail; 113 if (pos && head->read_buf[pos - 1] == ' ') 114 head->read_avail--; 115 if (ptr->is_group) 116 return tomoyo_io_printf(head, " @%s", 117 ptr->group->group_name->name); 118 return tomoyo_io_printf(head, " %s", ptr->filename->name); 119} 120 121/** 122 * tomoyo_parse_ulong - Parse an "unsigned long" value. 123 * 124 * @result: Pointer to "unsigned long". 125 * @str: Pointer to string to parse. 126 * 127 * Returns value type on success, 0 otherwise. 128 * 129 * The @src is updated to point the first character after the value 130 * on success. 131 */ 132u8 tomoyo_parse_ulong(unsigned long *result, char **str) 133{ 134 const char *cp = *str; 135 char *ep; 136 int base = 10; 137 if (*cp == '0') { 138 char c = *(cp + 1); 139 if (c == 'x' || c == 'X') { 140 base = 16; 141 cp += 2; 142 } else if (c >= '0' && c <= '7') { 143 base = 8; 144 cp++; 145 } 146 } 147 *result = simple_strtoul(cp, &ep, base); 148 if (cp == ep) 149 return 0; 150 *str = ep; 151 switch (base) { 152 case 16: 153 return TOMOYO_VALUE_TYPE_HEXADECIMAL; 154 case 8: 155 return TOMOYO_VALUE_TYPE_OCTAL; 156 default: 157 return TOMOYO_VALUE_TYPE_DECIMAL; 158 } 159} 160 161/** 162 * tomoyo_print_ulong - Print an "unsigned long" value. 163 * 164 * @buffer: Pointer to buffer. 165 * @buffer_len: Size of @buffer. 166 * @value: An "unsigned long" value. 167 * @type: Type of @value. 168 * 169 * Returns nothing. 170 */ 171void tomoyo_print_ulong(char *buffer, const int buffer_len, 172 const unsigned long value, const u8 type) 173{ 174 if (type == TOMOYO_VALUE_TYPE_DECIMAL) 175 snprintf(buffer, buffer_len, "%lu", value); 176 else if (type == TOMOYO_VALUE_TYPE_OCTAL) 177 snprintf(buffer, buffer_len, "0%lo", value); 178 else if (type == TOMOYO_VALUE_TYPE_HEXADECIMAL) 179 snprintf(buffer, buffer_len, "0x%lX", value); 180 else 181 snprintf(buffer, buffer_len, "type(%u)", type); 182} 183 184/** 185 * tomoyo_print_number_union - Print a tomoyo_number_union. 186 * 187 * @head: Pointer to "struct tomoyo_io_buffer". 188 * @ptr: Pointer to "struct tomoyo_number_union". 189 * 190 * Returns true on success, false otherwise. 191 */ 192bool tomoyo_print_number_union(struct tomoyo_io_buffer *head, 193 const struct tomoyo_number_union *ptr) 194{ 195 unsigned long min; 196 unsigned long max; 197 u8 min_type; 198 u8 max_type; 199 if (!tomoyo_io_printf(head, " ")) 200 return false; 201 if (ptr->is_group) 202 return tomoyo_io_printf(head, "@%s", 203 ptr->group->group_name->name); 204 min_type = ptr->min_type; 205 max_type = ptr->max_type; 206 min = ptr->values[0]; 207 max = ptr->values[1]; 208 switch (min_type) { 209 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 210 if (!tomoyo_io_printf(head, "0x%lX", min)) 211 return false; 212 break; 213 case TOMOYO_VALUE_TYPE_OCTAL: 214 if (!tomoyo_io_printf(head, "0%lo", min)) 215 return false; 216 break; 217 default: 218 if (!tomoyo_io_printf(head, "%lu", min)) 219 return false; 220 break; 221 } 222 if (min == max && min_type == max_type) 223 return true; 224 switch (max_type) { 225 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 226 return tomoyo_io_printf(head, "-0x%lX", max); 227 case TOMOYO_VALUE_TYPE_OCTAL: 228 return tomoyo_io_printf(head, "-0%lo", max); 229 default: 230 return tomoyo_io_printf(head, "-%lu", max); 231 } 232} 233 234/** 235 * tomoyo_parse_number_union - Parse a tomoyo_number_union. 236 * 237 * @data: Number or number range or number group. 238 * @ptr: Pointer to "struct tomoyo_number_union". 239 * 240 * Returns true on success, false otherwise. 241 */ 242bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num) 243{ 244 u8 type; 245 unsigned long v; 246 memset(num, 0, sizeof(*num)); 247 if (data[0] == '@') { 248 if (!tomoyo_is_correct_path(data, 0, 0, 0)) 249 return false; 250 num->group = tomoyo_get_number_group(data + 1); 251 num->is_group = true; 252 return num->group != NULL; 253 } 254 type = tomoyo_parse_ulong(&v, &data); 255 if (!type) 256 return false; 257 num->values[0] = v; 258 num->min_type = type; 259 if (!*data) { 260 num->values[1] = v; 261 num->max_type = type; 262 return true; 263 } 264 if (*data++ != '-') 265 return false; 266 type = tomoyo_parse_ulong(&v, &data); 267 if (!type || *data) 268 return false; 269 num->values[1] = v; 270 num->max_type = type; 271 return true; 272} 273 274/** 275 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value. 276 * 277 * @str: Pointer to the string. 278 * 279 * Returns true if @str is a \ooo style octal value, false otherwise. 280 * 281 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF. 282 * This function verifies that \ooo is in valid range. 283 */ 284static inline bool tomoyo_is_byte_range(const char *str) 285{ 286 return *str >= '0' && *str++ <= '3' && 287 *str >= '0' && *str++ <= '7' && 288 *str >= '0' && *str <= '7'; 289} 290 291/** 292 * tomoyo_is_alphabet_char - Check whether the character is an alphabet. 293 * 294 * @c: The character to check. 295 * 296 * Returns true if @c is an alphabet character, false otherwise. 297 */ 298static inline bool tomoyo_is_alphabet_char(const char c) 299{ 300 return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'); 301} 302 303/** 304 * tomoyo_make_byte - Make byte value from three octal characters. 305 * 306 * @c1: The first character. 307 * @c2: The second character. 308 * @c3: The third character. 309 * 310 * Returns byte value. 311 */ 312static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3) 313{ 314 return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0'); 315} 316 317/** 318 * tomoyo_str_starts - Check whether the given string starts with the given keyword. 319 * 320 * @src: Pointer to pointer to the string. 321 * @find: Pointer to the keyword. 322 * 323 * Returns true if @src starts with @find, false otherwise. 324 * 325 * The @src is updated to point the first character after the @find 326 * if @src starts with @find. 327 */ 328static bool tomoyo_str_starts(char **src, const char *find) 329{ 330 const int len = strlen(find); 331 char *tmp = *src; 332 333 if (strncmp(tmp, find, len)) 334 return false; 335 tmp += len; 336 *src = tmp; 337 return true; 338} 339 340/** 341 * tomoyo_normalize_line - Format string. 342 * 343 * @buffer: The line to normalize. 344 * 345 * Leading and trailing whitespaces are removed. 346 * Multiple whitespaces are packed into single space. 347 * 348 * Returns nothing. 349 */ 350static void tomoyo_normalize_line(unsigned char *buffer) 351{ 352 unsigned char *sp = buffer; 353 unsigned char *dp = buffer; 354 bool first = true; 355 356 while (tomoyo_is_invalid(*sp)) 357 sp++; 358 while (*sp) { 359 if (!first) 360 *dp++ = ' '; 361 first = false; 362 while (tomoyo_is_valid(*sp)) 363 *dp++ = *sp++; 364 while (tomoyo_is_invalid(*sp)) 365 sp++; 366 } 367 *dp = '\0'; 368} 369 370/** 371 * tomoyo_tokenize - Tokenize string. 372 * 373 * @buffer: The line to tokenize. 374 * @w: Pointer to "char *". 375 * @size: Sizeof @w . 376 * 377 * Returns true on success, false otherwise. 378 */ 379bool tomoyo_tokenize(char *buffer, char *w[], size_t size) 380{ 381 int count = size / sizeof(char *); 382 int i; 383 for (i = 0; i < count; i++) 384 w[i] = ""; 385 for (i = 0; i < count; i++) { 386 char *cp = strchr(buffer, ' '); 387 if (cp) 388 *cp = '\0'; 389 w[i] = buffer; 390 if (!cp) 391 break; 392 buffer = cp + 1; 393 } 394 return i < count || !*buffer; 395} 396 397/** 398 * tomoyo_is_correct_path - Validate a pathname. 399 * @filename: The pathname to check. 400 * @start_type: Should the pathname start with '/'? 401 * 1 = must / -1 = must not / 0 = don't care 402 * @pattern_type: Can the pathname contain a wildcard? 403 * 1 = must / -1 = must not / 0 = don't care 404 * @end_type: Should the pathname end with '/'? 405 * 1 = must / -1 = must not / 0 = don't care 406 * 407 * Check whether the given filename follows the naming rules. 408 * Returns true if @filename follows the naming rules, false otherwise. 409 */ 410bool tomoyo_is_correct_path(const char *filename, const s8 start_type, 411 const s8 pattern_type, const s8 end_type) 412{ 413 const char *const start = filename; 414 bool in_repetition = false; 415 bool contains_pattern = false; 416 unsigned char c; 417 unsigned char d; 418 unsigned char e; 419 420 if (!filename) 421 goto out; 422 c = *filename; 423 if (start_type == 1) { /* Must start with '/' */ 424 if (c != '/') 425 goto out; 426 } else if (start_type == -1) { /* Must not start with '/' */ 427 if (c == '/') 428 goto out; 429 } 430 if (c) 431 c = *(filename + strlen(filename) - 1); 432 if (end_type == 1) { /* Must end with '/' */ 433 if (c != '/') 434 goto out; 435 } else if (end_type == -1) { /* Must not end with '/' */ 436 if (c == '/') 437 goto out; 438 } 439 while (1) { 440 c = *filename++; 441 if (!c) 442 break; 443 if (c == '\\') { 444 c = *filename++; 445 switch (c) { 446 case '\\': /* "\\" */ 447 continue; 448 case '$': /* "\$" */ 449 case '+': /* "\+" */ 450 case '?': /* "\?" */ 451 case '*': /* "\*" */ 452 case '@': /* "\@" */ 453 case 'x': /* "\x" */ 454 case 'X': /* "\X" */ 455 case 'a': /* "\a" */ 456 case 'A': /* "\A" */ 457 case '-': /* "\-" */ 458 if (pattern_type == -1) 459 break; /* Must not contain pattern */ 460 contains_pattern = true; 461 continue; 462 case '{': /* "/\{" */ 463 if (filename - 3 < start || 464 *(filename - 3) != '/') 465 break; 466 if (pattern_type == -1) 467 break; /* Must not contain pattern */ 468 contains_pattern = true; 469 in_repetition = true; 470 continue; 471 case '}': /* "\}/" */ 472 if (*filename != '/') 473 break; 474 if (!in_repetition) 475 break; 476 in_repetition = false; 477 continue; 478 case '0': /* "\ooo" */ 479 case '1': 480 case '2': 481 case '3': 482 d = *filename++; 483 if (d < '0' || d > '7') 484 break; 485 e = *filename++; 486 if (e < '0' || e > '7') 487 break; 488 c = tomoyo_make_byte(c, d, e); 489 if (tomoyo_is_invalid(c)) 490 continue; /* pattern is not \000 */ 491 } 492 goto out; 493 } else if (in_repetition && c == '/') { 494 goto out; 495 } else if (tomoyo_is_invalid(c)) { 496 goto out; 497 } 498 } 499 if (pattern_type == 1) { /* Must contain pattern */ 500 if (!contains_pattern) 501 goto out; 502 } 503 if (in_repetition) 504 goto out; 505 return true; 506 out: 507 return false; 508} 509 510/** 511 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules. 512 * @domainname: The domainname to check. 513 * 514 * Returns true if @domainname follows the naming rules, false otherwise. 515 */ 516bool tomoyo_is_correct_domain(const unsigned char *domainname) 517{ 518 unsigned char c; 519 unsigned char d; 520 unsigned char e; 521 522 if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME, 523 TOMOYO_ROOT_NAME_LEN)) 524 goto out; 525 domainname += TOMOYO_ROOT_NAME_LEN; 526 if (!*domainname) 527 return true; 528 do { 529 if (*domainname++ != ' ') 530 goto out; 531 if (*domainname++ != '/') 532 goto out; 533 while ((c = *domainname) != '\0' && c != ' ') { 534 domainname++; 535 if (c == '\\') { 536 c = *domainname++; 537 switch ((c)) { 538 case '\\': /* "\\" */ 539 continue; 540 case '0': /* "\ooo" */ 541 case '1': 542 case '2': 543 case '3': 544 d = *domainname++; 545 if (d < '0' || d > '7') 546 break; 547 e = *domainname++; 548 if (e < '0' || e > '7') 549 break; 550 c = tomoyo_make_byte(c, d, e); 551 if (tomoyo_is_invalid(c)) 552 /* pattern is not \000 */ 553 continue; 554 } 555 goto out; 556 } else if (tomoyo_is_invalid(c)) { 557 goto out; 558 } 559 } 560 } while (*domainname); 561 return true; 562 out: 563 return false; 564} 565 566/** 567 * tomoyo_is_domain_def - Check whether the given token can be a domainname. 568 * 569 * @buffer: The token to check. 570 * 571 * Returns true if @buffer possibly be a domainname, false otherwise. 572 */ 573bool tomoyo_is_domain_def(const unsigned char *buffer) 574{ 575 return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN); 576} 577 578/** 579 * tomoyo_find_domain - Find a domain by the given name. 580 * 581 * @domainname: The domainname to find. 582 * 583 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise. 584 * 585 * Caller holds tomoyo_read_lock(). 586 */ 587struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname) 588{ 589 struct tomoyo_domain_info *domain; 590 struct tomoyo_path_info name; 591 592 name.name = domainname; 593 tomoyo_fill_path_info(&name); 594 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 595 if (!domain->is_deleted && 596 !tomoyo_pathcmp(&name, domain->domainname)) 597 return domain; 598 } 599 return NULL; 600} 601 602/** 603 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token. 604 * 605 * @filename: The string to evaluate. 606 * 607 * Returns the initial length without a pattern in @filename. 608 */ 609static int tomoyo_const_part_length(const char *filename) 610{ 611 char c; 612 int len = 0; 613 614 if (!filename) 615 return 0; 616 while ((c = *filename++) != '\0') { 617 if (c != '\\') { 618 len++; 619 continue; 620 } 621 c = *filename++; 622 switch (c) { 623 case '\\': /* "\\" */ 624 len += 2; 625 continue; 626 case '0': /* "\ooo" */ 627 case '1': 628 case '2': 629 case '3': 630 c = *filename++; 631 if (c < '0' || c > '7') 632 break; 633 c = *filename++; 634 if (c < '0' || c > '7') 635 break; 636 len += 4; 637 continue; 638 } 639 break; 640 } 641 return len; 642} 643 644/** 645 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members. 646 * 647 * @ptr: Pointer to "struct tomoyo_path_info" to fill in. 648 * 649 * The caller sets "struct tomoyo_path_info"->name. 650 */ 651void tomoyo_fill_path_info(struct tomoyo_path_info *ptr) 652{ 653 const char *name = ptr->name; 654 const int len = strlen(name); 655 656 ptr->const_len = tomoyo_const_part_length(name); 657 ptr->is_dir = len && (name[len - 1] == '/'); 658 ptr->is_patterned = (ptr->const_len < len); 659 ptr->hash = full_name_hash(name, len); 660} 661 662/** 663 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character 664 * and "\-" pattern. 665 * 666 * @filename: The start of string to check. 667 * @filename_end: The end of string to check. 668 * @pattern: The start of pattern to compare. 669 * @pattern_end: The end of pattern to compare. 670 * 671 * Returns true if @filename matches @pattern, false otherwise. 672 */ 673static bool tomoyo_file_matches_pattern2(const char *filename, 674 const char *filename_end, 675 const char *pattern, 676 const char *pattern_end) 677{ 678 while (filename < filename_end && pattern < pattern_end) { 679 char c; 680 if (*pattern != '\\') { 681 if (*filename++ != *pattern++) 682 return false; 683 continue; 684 } 685 c = *filename; 686 pattern++; 687 switch (*pattern) { 688 int i; 689 int j; 690 case '?': 691 if (c == '/') { 692 return false; 693 } else if (c == '\\') { 694 if (filename[1] == '\\') 695 filename++; 696 else if (tomoyo_is_byte_range(filename + 1)) 697 filename += 3; 698 else 699 return false; 700 } 701 break; 702 case '\\': 703 if (c != '\\') 704 return false; 705 if (*++filename != '\\') 706 return false; 707 break; 708 case '+': 709 if (!isdigit(c)) 710 return false; 711 break; 712 case 'x': 713 if (!isxdigit(c)) 714 return false; 715 break; 716 case 'a': 717 if (!tomoyo_is_alphabet_char(c)) 718 return false; 719 break; 720 case '0': 721 case '1': 722 case '2': 723 case '3': 724 if (c == '\\' && tomoyo_is_byte_range(filename + 1) 725 && strncmp(filename + 1, pattern, 3) == 0) { 726 filename += 3; 727 pattern += 2; 728 break; 729 } 730 return false; /* Not matched. */ 731 case '*': 732 case '@': 733 for (i = 0; i <= filename_end - filename; i++) { 734 if (tomoyo_file_matches_pattern2( 735 filename + i, filename_end, 736 pattern + 1, pattern_end)) 737 return true; 738 c = filename[i]; 739 if (c == '.' && *pattern == '@') 740 break; 741 if (c != '\\') 742 continue; 743 if (filename[i + 1] == '\\') 744 i++; 745 else if (tomoyo_is_byte_range(filename + i + 1)) 746 i += 3; 747 else 748 break; /* Bad pattern. */ 749 } 750 return false; /* Not matched. */ 751 default: 752 j = 0; 753 c = *pattern; 754 if (c == '$') { 755 while (isdigit(filename[j])) 756 j++; 757 } else if (c == 'X') { 758 while (isxdigit(filename[j])) 759 j++; 760 } else if (c == 'A') { 761 while (tomoyo_is_alphabet_char(filename[j])) 762 j++; 763 } 764 for (i = 1; i <= j; i++) { 765 if (tomoyo_file_matches_pattern2( 766 filename + i, filename_end, 767 pattern + 1, pattern_end)) 768 return true; 769 } 770 return false; /* Not matched or bad pattern. */ 771 } 772 filename++; 773 pattern++; 774 } 775 while (*pattern == '\\' && 776 (*(pattern + 1) == '*' || *(pattern + 1) == '@')) 777 pattern += 2; 778 return filename == filename_end && pattern == pattern_end; 779} 780 781/** 782 * tomoyo_file_matches_pattern - Pattern matching without without '/' character. 783 * 784 * @filename: The start of string to check. 785 * @filename_end: The end of string to check. 786 * @pattern: The start of pattern to compare. 787 * @pattern_end: The end of pattern to compare. 788 * 789 * Returns true if @filename matches @pattern, false otherwise. 790 */ 791static bool tomoyo_file_matches_pattern(const char *filename, 792 const char *filename_end, 793 const char *pattern, 794 const char *pattern_end) 795{ 796 const char *pattern_start = pattern; 797 bool first = true; 798 bool result; 799 800 while (pattern < pattern_end - 1) { 801 /* Split at "\-" pattern. */ 802 if (*pattern++ != '\\' || *pattern++ != '-') 803 continue; 804 result = tomoyo_file_matches_pattern2(filename, 805 filename_end, 806 pattern_start, 807 pattern - 2); 808 if (first) 809 result = !result; 810 if (result) 811 return false; 812 first = false; 813 pattern_start = pattern; 814 } 815 result = tomoyo_file_matches_pattern2(filename, filename_end, 816 pattern_start, pattern_end); 817 return first ? result : !result; 818} 819 820/** 821 * tomoyo_path_matches_pattern2 - Do pathname pattern matching. 822 * 823 * @f: The start of string to check. 824 * @p: The start of pattern to compare. 825 * 826 * Returns true if @f matches @p, false otherwise. 827 */ 828static bool tomoyo_path_matches_pattern2(const char *f, const char *p) 829{ 830 const char *f_delimiter; 831 const char *p_delimiter; 832 833 while (*f && *p) { 834 f_delimiter = strchr(f, '/'); 835 if (!f_delimiter) 836 f_delimiter = f + strlen(f); 837 p_delimiter = strchr(p, '/'); 838 if (!p_delimiter) 839 p_delimiter = p + strlen(p); 840 if (*p == '\\' && *(p + 1) == '{') 841 goto recursive; 842 if (!tomoyo_file_matches_pattern(f, f_delimiter, p, 843 p_delimiter)) 844 return false; 845 f = f_delimiter; 846 if (*f) 847 f++; 848 p = p_delimiter; 849 if (*p) 850 p++; 851 } 852 /* Ignore trailing "\*" and "\@" in @pattern. */ 853 while (*p == '\\' && 854 (*(p + 1) == '*' || *(p + 1) == '@')) 855 p += 2; 856 return !*f && !*p; 857 recursive: 858 /* 859 * The "\{" pattern is permitted only after '/' character. 860 * This guarantees that below "*(p - 1)" is safe. 861 * Also, the "\}" pattern is permitted only before '/' character 862 * so that "\{" + "\}" pair will not break the "\-" operator. 863 */ 864 if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' || 865 *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\') 866 return false; /* Bad pattern. */ 867 do { 868 /* Compare current component with pattern. */ 869 if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2, 870 p_delimiter - 2)) 871 break; 872 /* Proceed to next component. */ 873 f = f_delimiter; 874 if (!*f) 875 break; 876 f++; 877 /* Continue comparison. */ 878 if (tomoyo_path_matches_pattern2(f, p_delimiter + 1)) 879 return true; 880 f_delimiter = strchr(f, '/'); 881 } while (f_delimiter); 882 return false; /* Not matched. */ 883} 884 885/** 886 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern. 887 * 888 * @filename: The filename to check. 889 * @pattern: The pattern to compare. 890 * 891 * Returns true if matches, false otherwise. 892 * 893 * The following patterns are available. 894 * \\ \ itself. 895 * \ooo Octal representation of a byte. 896 * \* Zero or more repetitions of characters other than '/'. 897 * \@ Zero or more repetitions of characters other than '/' or '.'. 898 * \? 1 byte character other than '/'. 899 * \$ One or more repetitions of decimal digits. 900 * \+ 1 decimal digit. 901 * \X One or more repetitions of hexadecimal digits. 902 * \x 1 hexadecimal digit. 903 * \A One or more repetitions of alphabet characters. 904 * \a 1 alphabet character. 905 * 906 * \- Subtraction operator. 907 * 908 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ 909 * /dir/dir/dir/ ). 910 */ 911bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, 912 const struct tomoyo_path_info *pattern) 913{ 914 const char *f = filename->name; 915 const char *p = pattern->name; 916 const int len = pattern->const_len; 917 918 /* If @pattern doesn't contain pattern, I can use strcmp(). */ 919 if (!pattern->is_patterned) 920 return !tomoyo_pathcmp(filename, pattern); 921 /* Don't compare directory and non-directory. */ 922 if (filename->is_dir != pattern->is_dir) 923 return false; 924 /* Compare the initial length without patterns. */ 925 if (strncmp(f, p, len)) 926 return false; 927 f += len; 928 p += len; 929 return tomoyo_path_matches_pattern2(f, p); 930} 931 932/** 933 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure. 934 * 935 * @head: Pointer to "struct tomoyo_io_buffer". 936 * @fmt: The printf()'s format string, followed by parameters. 937 * 938 * Returns true if output was written, false otherwise. 939 * 940 * The snprintf() will truncate, but tomoyo_io_printf() won't. 941 */ 942bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 943{ 944 va_list args; 945 int len; 946 int pos = head->read_avail; 947 int size = head->readbuf_size - pos; 948 949 if (size <= 0) 950 return false; 951 va_start(args, fmt); 952 len = vsnprintf(head->read_buf + pos, size, fmt, args); 953 va_end(args); 954 if (pos + len >= head->readbuf_size) 955 return false; 956 head->read_avail += len; 957 return true; 958} 959 960/** 961 * tomoyo_get_exe - Get tomoyo_realpath() of current process. 962 * 963 * Returns the tomoyo_realpath() of current process on success, NULL otherwise. 964 * 965 * This function uses kzalloc(), so the caller must call kfree() 966 * if this function didn't return NULL. 967 */ 968static const char *tomoyo_get_exe(void) 969{ 970 struct mm_struct *mm = current->mm; 971 struct vm_area_struct *vma; 972 const char *cp = NULL; 973 974 if (!mm) 975 return NULL; 976 down_read(&mm->mmap_sem); 977 for (vma = mm->mmap; vma; vma = vma->vm_next) { 978 if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { 979 cp = tomoyo_realpath_from_path(&vma->vm_file->f_path); 980 break; 981 } 982 } 983 up_read(&mm->mmap_sem); 984 return cp; 985} 986 987/** 988 * tomoyo_check_flags - Check mode for specified functionality. 989 * 990 * @domain: Pointer to "struct tomoyo_domain_info". 991 * @index: The functionality to check mode. 992 * 993 * TOMOYO checks only process context. 994 * This code disables TOMOYO's enforcement in case the function is called from 995 * interrupt context. 996 */ 997unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, 998 const u8 index) 999{ 1000 const u8 profile = domain->profile; 1001 1002 if (WARN_ON(in_interrupt())) 1003 return 0; 1004 return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX 1005#if TOMOYO_MAX_PROFILES != 256 1006 && profile < TOMOYO_MAX_PROFILES 1007#endif 1008 && tomoyo_profile_ptr[profile] ? 1009 tomoyo_profile_ptr[profile]->value[index] : 0; 1010} 1011 1012/** 1013 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode. 1014 * 1015 * @domain: Pointer to "struct tomoyo_domain_info". 1016 * 1017 * Returns true if domain policy violation warning should be printed to 1018 * console. 1019 */ 1020bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain) 1021{ 1022 return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0; 1023} 1024 1025/** 1026 * tomoyo_domain_quota_is_ok - Check for domain's quota. 1027 * 1028 * @r: Pointer to "struct tomoyo_request_info". 1029 * 1030 * Returns true if the domain is not exceeded quota, false otherwise. 1031 * 1032 * Caller holds tomoyo_read_lock(). 1033 */ 1034bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r) 1035{ 1036 unsigned int count = 0; 1037 struct tomoyo_domain_info *domain = r->domain; 1038 struct tomoyo_acl_info *ptr; 1039 1040 if (r->mode != TOMOYO_CONFIG_LEARNING) 1041 return false; 1042 if (!domain) 1043 return true; 1044 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 1045 switch (ptr->type) { 1046 u16 perm; 1047 u8 i; 1048 case TOMOYO_TYPE_PATH_ACL: 1049 perm = container_of(ptr, struct tomoyo_path_acl, head) 1050 ->perm; 1051 for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++) 1052 if (perm & (1 << i)) 1053 count++; 1054 if (perm & (1 << TOMOYO_TYPE_READ_WRITE)) 1055 count -= 2; 1056 break; 1057 case TOMOYO_TYPE_PATH2_ACL: 1058 perm = container_of(ptr, struct tomoyo_path2_acl, head) 1059 ->perm; 1060 for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++) 1061 if (perm & (1 << i)) 1062 count++; 1063 break; 1064 case TOMOYO_TYPE_PATH_NUMBER_ACL: 1065 perm = container_of(ptr, struct tomoyo_path_number_acl, 1066 head)->perm; 1067 for (i = 0; i < TOMOYO_MAX_PATH_NUMBER_OPERATION; i++) 1068 if (perm & (1 << i)) 1069 count++; 1070 break; 1071 case TOMOYO_TYPE_PATH_NUMBER3_ACL: 1072 perm = container_of(ptr, struct tomoyo_path_number3_acl, 1073 head)->perm; 1074 for (i = 0; i < TOMOYO_MAX_PATH_NUMBER3_OPERATION; i++) 1075 if (perm & (1 << i)) 1076 count++; 1077 break; 1078 case TOMOYO_TYPE_MOUNT_ACL: 1079 if (!container_of(ptr, struct tomoyo_mount_acl, head)-> 1080 is_deleted) 1081 count++; 1082 } 1083 } 1084 if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY)) 1085 return true; 1086 if (!domain->quota_warned) { 1087 domain->quota_warned = true; 1088 printk(KERN_WARNING "TOMOYO-WARNING: " 1089 "Domain '%s' has so many ACLs to hold. " 1090 "Stopped learning mode.\n", domain->domainname->name); 1091 } 1092 return false; 1093} 1094 1095/** 1096 * tomoyo_find_or_assign_new_profile - Create a new profile. 1097 * 1098 * @profile: Profile number to create. 1099 * 1100 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 1101 */ 1102static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned 1103 int profile) 1104{ 1105 struct tomoyo_profile *ptr = NULL; 1106 int i; 1107 1108 if (profile >= TOMOYO_MAX_PROFILES) 1109 return NULL; 1110 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 1111 return NULL; 1112 ptr = tomoyo_profile_ptr[profile]; 1113 if (ptr) 1114 goto ok; 1115 ptr = kmalloc(sizeof(*ptr), GFP_NOFS); 1116 if (!tomoyo_memory_ok(ptr)) { 1117 kfree(ptr); 1118 ptr = NULL; 1119 goto ok; 1120 } 1121 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) 1122 ptr->value[i] = tomoyo_control_array[i].current_value; 1123 mb(); /* Avoid out-of-order execution. */ 1124 tomoyo_profile_ptr[profile] = ptr; 1125 ok: 1126 mutex_unlock(&tomoyo_policy_lock); 1127 return ptr; 1128} 1129 1130/** 1131 * tomoyo_write_profile - Write to profile table. 1132 * 1133 * @head: Pointer to "struct tomoyo_io_buffer". 1134 * 1135 * Returns 0 on success, negative value otherwise. 1136 */ 1137static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 1138{ 1139 char *data = head->write_buf; 1140 unsigned int i; 1141 unsigned int value; 1142 char *cp; 1143 struct tomoyo_profile *profile; 1144 unsigned long num; 1145 1146 cp = strchr(data, '-'); 1147 if (cp) 1148 *cp = '\0'; 1149 if (strict_strtoul(data, 10, &num)) 1150 return -EINVAL; 1151 if (cp) 1152 data = cp + 1; 1153 profile = tomoyo_find_or_assign_new_profile(num); 1154 if (!profile) 1155 return -EINVAL; 1156 cp = strchr(data, '='); 1157 if (!cp) 1158 return -EINVAL; 1159 *cp = '\0'; 1160 if (!strcmp(data, "COMMENT")) { 1161 const struct tomoyo_path_info *old_comment = profile->comment; 1162 profile->comment = tomoyo_get_name(cp + 1); 1163 tomoyo_put_name(old_comment); 1164 return 0; 1165 } 1166 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) { 1167 if (strcmp(data, tomoyo_control_array[i].keyword)) 1168 continue; 1169 if (sscanf(cp + 1, "%u", &value) != 1) { 1170 int j; 1171 const char **modes; 1172 switch (i) { 1173 case TOMOYO_VERBOSE: 1174 modes = tomoyo_mode_2; 1175 break; 1176 default: 1177 modes = tomoyo_mode_4; 1178 break; 1179 } 1180 for (j = 0; j < 4; j++) { 1181 if (strcmp(cp + 1, modes[j])) 1182 continue; 1183 value = j; 1184 break; 1185 } 1186 if (j == 4) 1187 return -EINVAL; 1188 } else if (value > tomoyo_control_array[i].max_value) { 1189 value = tomoyo_control_array[i].max_value; 1190 } 1191 profile->value[i] = value; 1192 return 0; 1193 } 1194 return -EINVAL; 1195} 1196 1197/** 1198 * tomoyo_read_profile - Read from profile table. 1199 * 1200 * @head: Pointer to "struct tomoyo_io_buffer". 1201 * 1202 * Returns 0. 1203 */ 1204static int tomoyo_read_profile(struct tomoyo_io_buffer *head) 1205{ 1206 static const int total = TOMOYO_MAX_CONTROL_INDEX + 1; 1207 int step; 1208 1209 if (head->read_eof) 1210 return 0; 1211 for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total; 1212 step++) { 1213 const u8 index = step / total; 1214 u8 type = step % total; 1215 const struct tomoyo_profile *profile 1216 = tomoyo_profile_ptr[index]; 1217 head->read_step = step; 1218 if (!profile) 1219 continue; 1220 if (!type) { /* Print profile' comment tag. */ 1221 if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n", 1222 index, profile->comment ? 1223 profile->comment->name : "")) 1224 break; 1225 continue; 1226 } 1227 type--; 1228 if (type < TOMOYO_MAX_CONTROL_INDEX) { 1229 const unsigned int value = profile->value[type]; 1230 const char **modes = NULL; 1231 const char *keyword 1232 = tomoyo_control_array[type].keyword; 1233 switch (tomoyo_control_array[type].max_value) { 1234 case 3: 1235 modes = tomoyo_mode_4; 1236 break; 1237 case 1: 1238 modes = tomoyo_mode_2; 1239 break; 1240 } 1241 if (modes) { 1242 if (!tomoyo_io_printf(head, "%u-%s=%s\n", index, 1243 keyword, modes[value])) 1244 break; 1245 } else { 1246 if (!tomoyo_io_printf(head, "%u-%s=%u\n", index, 1247 keyword, value)) 1248 break; 1249 } 1250 } 1251 } 1252 if (step == TOMOYO_MAX_PROFILES * total) 1253 head->read_eof = true; 1254 return 0; 1255} 1256 1257/* 1258 * tomoyo_policy_manager_list is used for holding list of domainnames or 1259 * programs which are permitted to modify configuration via 1260 * /sys/kernel/security/tomoyo/ interface. 1261 * 1262 * An entry is added by 1263 * 1264 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \ 1265 * /sys/kernel/security/tomoyo/manager 1266 * (if you want to specify by a domainname) 1267 * 1268 * or 1269 * 1270 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager 1271 * (if you want to specify by a program's location) 1272 * 1273 * and is deleted by 1274 * 1275 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \ 1276 * /sys/kernel/security/tomoyo/manager 1277 * 1278 * or 1279 * 1280 * # echo 'delete /usr/lib/ccs/editpolicy' > \ 1281 * /sys/kernel/security/tomoyo/manager 1282 * 1283 * and all entries are retrieved by 1284 * 1285 * # cat /sys/kernel/security/tomoyo/manager 1286 */ 1287LIST_HEAD(tomoyo_policy_manager_list); 1288 1289/** 1290 * tomoyo_update_manager_entry - Add a manager entry. 1291 * 1292 * @manager: The path to manager or the domainnamme. 1293 * @is_delete: True if it is a delete request. 1294 * 1295 * Returns 0 on success, negative value otherwise. 1296 * 1297 * Caller holds tomoyo_read_lock(). 1298 */ 1299static int tomoyo_update_manager_entry(const char *manager, 1300 const bool is_delete) 1301{ 1302 struct tomoyo_policy_manager_entry *ptr; 1303 struct tomoyo_policy_manager_entry e = { }; 1304 int error = is_delete ? -ENOENT : -ENOMEM; 1305 1306 if (tomoyo_is_domain_def(manager)) { 1307 if (!tomoyo_is_correct_domain(manager)) 1308 return -EINVAL; 1309 e.is_domain = true; 1310 } else { 1311 if (!tomoyo_is_correct_path(manager, 1, -1, -1)) 1312 return -EINVAL; 1313 } 1314 e.manager = tomoyo_get_name(manager); 1315 if (!e.manager) 1316 return -ENOMEM; 1317 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 1318 goto out; 1319 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { 1320 if (ptr->manager != e.manager) 1321 continue; 1322 ptr->is_deleted = is_delete; 1323 error = 0; 1324 break; 1325 } 1326 if (!is_delete && error) { 1327 struct tomoyo_policy_manager_entry *entry = 1328 tomoyo_commit_ok(&e, sizeof(e)); 1329 if (entry) { 1330 list_add_tail_rcu(&entry->list, 1331 &tomoyo_policy_manager_list); 1332 error = 0; 1333 } 1334 } 1335 mutex_unlock(&tomoyo_policy_lock); 1336 out: 1337 tomoyo_put_name(e.manager); 1338 return error; 1339} 1340 1341/** 1342 * tomoyo_write_manager_policy - Write manager policy. 1343 * 1344 * @head: Pointer to "struct tomoyo_io_buffer". 1345 * 1346 * Returns 0 on success, negative value otherwise. 1347 * 1348 * Caller holds tomoyo_read_lock(). 1349 */ 1350static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head) 1351{ 1352 char *data = head->write_buf; 1353 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 1354 1355 if (!strcmp(data, "manage_by_non_root")) { 1356 tomoyo_manage_by_non_root = !is_delete; 1357 return 0; 1358 } 1359 return tomoyo_update_manager_entry(data, is_delete); 1360} 1361 1362/** 1363 * tomoyo_read_manager_policy - Read manager policy. 1364 * 1365 * @head: Pointer to "struct tomoyo_io_buffer". 1366 * 1367 * Returns 0. 1368 * 1369 * Caller holds tomoyo_read_lock(). 1370 */ 1371static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head) 1372{ 1373 struct list_head *pos; 1374 bool done = true; 1375 1376 if (head->read_eof) 1377 return 0; 1378 list_for_each_cookie(pos, head->read_var2, 1379 &tomoyo_policy_manager_list) { 1380 struct tomoyo_policy_manager_entry *ptr; 1381 ptr = list_entry(pos, struct tomoyo_policy_manager_entry, 1382 list); 1383 if (ptr->is_deleted) 1384 continue; 1385 done = tomoyo_io_printf(head, "%s\n", ptr->manager->name); 1386 if (!done) 1387 break; 1388 } 1389 head->read_eof = done; 1390 return 0; 1391} 1392 1393/** 1394 * tomoyo_is_policy_manager - Check whether the current process is a policy manager. 1395 * 1396 * Returns true if the current process is permitted to modify policy 1397 * via /sys/kernel/security/tomoyo/ interface. 1398 * 1399 * Caller holds tomoyo_read_lock(). 1400 */ 1401static bool tomoyo_is_policy_manager(void) 1402{ 1403 struct tomoyo_policy_manager_entry *ptr; 1404 const char *exe; 1405 const struct task_struct *task = current; 1406 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 1407 bool found = false; 1408 1409 if (!tomoyo_policy_loaded) 1410 return true; 1411 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) 1412 return false; 1413 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { 1414 if (!ptr->is_deleted && ptr->is_domain 1415 && !tomoyo_pathcmp(domainname, ptr->manager)) { 1416 found = true; 1417 break; 1418 } 1419 } 1420 if (found) 1421 return true; 1422 exe = tomoyo_get_exe(); 1423 if (!exe) 1424 return false; 1425 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { 1426 if (!ptr->is_deleted && !ptr->is_domain 1427 && !strcmp(exe, ptr->manager->name)) { 1428 found = true; 1429 break; 1430 } 1431 } 1432 if (!found) { /* Reduce error messages. */ 1433 static pid_t last_pid; 1434 const pid_t pid = current->pid; 1435 if (last_pid != pid) { 1436 printk(KERN_WARNING "%s ( %s ) is not permitted to " 1437 "update policies.\n", domainname->name, exe); 1438 last_pid = pid; 1439 } 1440 } 1441 kfree(exe); 1442 return found; 1443} 1444 1445/** 1446 * tomoyo_is_select_one - Parse select command. 1447 * 1448 * @head: Pointer to "struct tomoyo_io_buffer". 1449 * @data: String to parse. 1450 * 1451 * Returns true on success, false otherwise. 1452 * 1453 * Caller holds tomoyo_read_lock(). 1454 */ 1455static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head, 1456 const char *data) 1457{ 1458 unsigned int pid; 1459 struct tomoyo_domain_info *domain = NULL; 1460 1461 if (sscanf(data, "pid=%u", &pid) == 1) { 1462 struct task_struct *p; 1463 rcu_read_lock(); 1464 read_lock(&tasklist_lock); 1465 p = find_task_by_vpid(pid); 1466 if (p) 1467 domain = tomoyo_real_domain(p); 1468 read_unlock(&tasklist_lock); 1469 rcu_read_unlock(); 1470 } else if (!strncmp(data, "domain=", 7)) { 1471 if (tomoyo_is_domain_def(data + 7)) 1472 domain = tomoyo_find_domain(data + 7); 1473 } else 1474 return false; 1475 head->write_var1 = domain; 1476 /* Accessing read_buf is safe because head->io_sem is held. */ 1477 if (!head->read_buf) 1478 return true; /* Do nothing if open(O_WRONLY). */ 1479 head->read_avail = 0; 1480 tomoyo_io_printf(head, "# select %s\n", data); 1481 head->read_single_domain = true; 1482 head->read_eof = !domain; 1483 if (domain) { 1484 struct tomoyo_domain_info *d; 1485 head->read_var1 = NULL; 1486 list_for_each_entry_rcu(d, &tomoyo_domain_list, list) { 1487 if (d == domain) 1488 break; 1489 head->read_var1 = &d->list; 1490 } 1491 head->read_var2 = NULL; 1492 head->read_bit = 0; 1493 head->read_step = 0; 1494 if (domain->is_deleted) 1495 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 1496 } 1497 return true; 1498} 1499 1500/** 1501 * tomoyo_delete_domain - Delete a domain. 1502 * 1503 * @domainname: The name of domain. 1504 * 1505 * Returns 0. 1506 * 1507 * Caller holds tomoyo_read_lock(). 1508 */ 1509static int tomoyo_delete_domain(char *domainname) 1510{ 1511 struct tomoyo_domain_info *domain; 1512 struct tomoyo_path_info name; 1513 1514 name.name = domainname; 1515 tomoyo_fill_path_info(&name); 1516 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 1517 return 0; 1518 /* Is there an active domain? */ 1519 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 1520 /* Never delete tomoyo_kernel_domain */ 1521 if (domain == &tomoyo_kernel_domain) 1522 continue; 1523 if (domain->is_deleted || 1524 tomoyo_pathcmp(domain->domainname, &name)) 1525 continue; 1526 domain->is_deleted = true; 1527 break; 1528 } 1529 mutex_unlock(&tomoyo_policy_lock); 1530 return 0; 1531} 1532 1533/** 1534 * tomoyo_write_domain_policy - Write domain policy. 1535 * 1536 * @head: Pointer to "struct tomoyo_io_buffer". 1537 * 1538 * Returns 0 on success, negative value otherwise. 1539 * 1540 * Caller holds tomoyo_read_lock(). 1541 */ 1542static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) 1543{ 1544 char *data = head->write_buf; 1545 struct tomoyo_domain_info *domain = head->write_var1; 1546 bool is_delete = false; 1547 bool is_select = false; 1548 unsigned int profile; 1549 1550 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE)) 1551 is_delete = true; 1552 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT)) 1553 is_select = true; 1554 if (is_select && tomoyo_is_select_one(head, data)) 1555 return 0; 1556 /* Don't allow updating policies by non manager programs. */ 1557 if (!tomoyo_is_policy_manager()) 1558 return -EPERM; 1559 if (tomoyo_is_domain_def(data)) { 1560 domain = NULL; 1561 if (is_delete) 1562 tomoyo_delete_domain(data); 1563 else if (is_select) 1564 domain = tomoyo_find_domain(data); 1565 else 1566 domain = tomoyo_find_or_assign_new_domain(data, 0); 1567 head->write_var1 = domain; 1568 return 0; 1569 } 1570 if (!domain) 1571 return -EINVAL; 1572 1573 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1 1574 && profile < TOMOYO_MAX_PROFILES) { 1575 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded) 1576 domain->profile = (u8) profile; 1577 return 0; 1578 } 1579 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) { 1580 domain->ignore_global_allow_read = !is_delete; 1581 return 0; 1582 } 1583 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_MOUNT)) 1584 return tomoyo_write_mount_policy(data, domain, is_delete); 1585 return tomoyo_write_file_policy(data, domain, is_delete); 1586} 1587 1588/** 1589 * tomoyo_print_path_acl - Print a single path ACL entry. 1590 * 1591 * @head: Pointer to "struct tomoyo_io_buffer". 1592 * @ptr: Pointer to "struct tomoyo_path_acl". 1593 * 1594 * Returns true on success, false otherwise. 1595 */ 1596static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head, 1597 struct tomoyo_path_acl *ptr) 1598{ 1599 int pos; 1600 u8 bit; 1601 const u16 perm = ptr->perm; 1602 1603 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 1604 if (!(perm & (1 << bit))) 1605 continue; 1606 /* Print "read/write" instead of "read" and "write". */ 1607 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE) 1608 && (perm & (1 << TOMOYO_TYPE_READ_WRITE))) 1609 continue; 1610 pos = head->read_avail; 1611 if (!tomoyo_io_printf(head, "allow_%s ", 1612 tomoyo_path2keyword(bit)) || 1613 !tomoyo_print_name_union(head, &ptr->name) || 1614 !tomoyo_io_printf(head, "\n")) 1615 goto out; 1616 } 1617 head->read_bit = 0; 1618 return true; 1619 out: 1620 head->read_bit = bit; 1621 head->read_avail = pos; 1622 return false; 1623} 1624 1625/** 1626 * tomoyo_print_path2_acl - Print a double path ACL entry. 1627 * 1628 * @head: Pointer to "struct tomoyo_io_buffer". 1629 * @ptr: Pointer to "struct tomoyo_path2_acl". 1630 * 1631 * Returns true on success, false otherwise. 1632 */ 1633static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head, 1634 struct tomoyo_path2_acl *ptr) 1635{ 1636 int pos; 1637 const u8 perm = ptr->perm; 1638 u8 bit; 1639 1640 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { 1641 if (!(perm & (1 << bit))) 1642 continue; 1643 pos = head->read_avail; 1644 if (!tomoyo_io_printf(head, "allow_%s ", 1645 tomoyo_path22keyword(bit)) || 1646 !tomoyo_print_name_union(head, &ptr->name1) || 1647 !tomoyo_print_name_union(head, &ptr->name2) || 1648 !tomoyo_io_printf(head, "\n")) 1649 goto out; 1650 } 1651 head->read_bit = 0; 1652 return true; 1653 out: 1654 head->read_bit = bit; 1655 head->read_avail = pos; 1656 return false; 1657} 1658 1659/** 1660 * tomoyo_print_path_number_acl - Print a path_number ACL entry. 1661 * 1662 * @head: Pointer to "struct tomoyo_io_buffer". 1663 * @ptr: Pointer to "struct tomoyo_path_number_acl". 1664 * 1665 * Returns true on success, false otherwise. 1666 */ 1667static bool tomoyo_print_path_number_acl(struct tomoyo_io_buffer *head, 1668 struct tomoyo_path_number_acl *ptr) 1669{ 1670 int pos; 1671 u8 bit; 1672 const u8 perm = ptr->perm; 1673 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; 1674 bit++) { 1675 if (!(perm & (1 << bit))) 1676 continue; 1677 pos = head->read_avail; 1678 if (!tomoyo_io_printf(head, "allow_%s", 1679 tomoyo_path_number2keyword(bit)) || 1680 !tomoyo_print_name_union(head, &ptr->name) || 1681 !tomoyo_print_number_union(head, &ptr->number) || 1682 !tomoyo_io_printf(head, "\n")) 1683 goto out; 1684 } 1685 head->read_bit = 0; 1686 return true; 1687 out: 1688 head->read_bit = bit; 1689 head->read_avail = pos; 1690 return false; 1691} 1692 1693/** 1694 * tomoyo_print_path_number3_acl - Print a path_number3 ACL entry. 1695 * 1696 * @head: Pointer to "struct tomoyo_io_buffer". 1697 * @ptr: Pointer to "struct tomoyo_path_number3_acl". 1698 * 1699 * Returns true on success, false otherwise. 1700 */ 1701static bool tomoyo_print_path_number3_acl(struct tomoyo_io_buffer *head, 1702 struct tomoyo_path_number3_acl *ptr) 1703{ 1704 int pos; 1705 u8 bit; 1706 const u16 perm = ptr->perm; 1707 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_NUMBER3_OPERATION; 1708 bit++) { 1709 if (!(perm & (1 << bit))) 1710 continue; 1711 pos = head->read_avail; 1712 if (!tomoyo_io_printf(head, "allow_%s", 1713 tomoyo_path_number32keyword(bit)) || 1714 !tomoyo_print_name_union(head, &ptr->name) || 1715 !tomoyo_print_number_union(head, &ptr->mode) || 1716 !tomoyo_print_number_union(head, &ptr->major) || 1717 !tomoyo_print_number_union(head, &ptr->minor) || 1718 !tomoyo_io_printf(head, "\n")) 1719 goto out; 1720 } 1721 head->read_bit = 0; 1722 return true; 1723 out: 1724 head->read_bit = bit; 1725 head->read_avail = pos; 1726 return false; 1727} 1728 1729/** 1730 * tomoyo_print_mount_acl - Print a mount ACL entry. 1731 * 1732 * @head: Pointer to "struct tomoyo_io_buffer". 1733 * @ptr: Pointer to "struct tomoyo_mount_acl". 1734 * 1735 * Returns true on success, false otherwise. 1736 */ 1737static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head, 1738 struct tomoyo_mount_acl *ptr) 1739{ 1740 const int pos = head->read_avail; 1741 if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) || 1742 !tomoyo_print_name_union(head, &ptr->dev_name) || 1743 !tomoyo_print_name_union(head, &ptr->dir_name) || 1744 !tomoyo_print_name_union(head, &ptr->fs_type) || 1745 !tomoyo_print_number_union(head, &ptr->flags) || 1746 !tomoyo_io_printf(head, "\n")) { 1747 head->read_avail = pos; 1748 return false; 1749 } 1750 return true; 1751} 1752 1753/** 1754 * tomoyo_print_entry - Print an ACL entry. 1755 * 1756 * @head: Pointer to "struct tomoyo_io_buffer". 1757 * @ptr: Pointer to an ACL entry. 1758 * 1759 * Returns true on success, false otherwise. 1760 */ 1761static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 1762 struct tomoyo_acl_info *ptr) 1763{ 1764 const u8 acl_type = ptr->type; 1765 1766 if (acl_type == TOMOYO_TYPE_PATH_ACL) { 1767 struct tomoyo_path_acl *acl 1768 = container_of(ptr, struct tomoyo_path_acl, head); 1769 return tomoyo_print_path_acl(head, acl); 1770 } 1771 if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 1772 struct tomoyo_path2_acl *acl 1773 = container_of(ptr, struct tomoyo_path2_acl, head); 1774 return tomoyo_print_path2_acl(head, acl); 1775 } 1776 if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { 1777 struct tomoyo_path_number_acl *acl 1778 = container_of(ptr, struct tomoyo_path_number_acl, 1779 head); 1780 return tomoyo_print_path_number_acl(head, acl); 1781 } 1782 if (acl_type == TOMOYO_TYPE_PATH_NUMBER3_ACL) { 1783 struct tomoyo_path_number3_acl *acl 1784 = container_of(ptr, struct tomoyo_path_number3_acl, 1785 head); 1786 return tomoyo_print_path_number3_acl(head, acl); 1787 } 1788 if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { 1789 struct tomoyo_mount_acl *acl 1790 = container_of(ptr, struct tomoyo_mount_acl, head); 1791 return tomoyo_print_mount_acl(head, acl); 1792 } 1793 BUG(); /* This must not happen. */ 1794 return false; 1795} 1796 1797/** 1798 * tomoyo_read_domain_policy - Read domain policy. 1799 * 1800 * @head: Pointer to "struct tomoyo_io_buffer". 1801 * 1802 * Returns 0. 1803 * 1804 * Caller holds tomoyo_read_lock(). 1805 */ 1806static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head) 1807{ 1808 struct list_head *dpos; 1809 struct list_head *apos; 1810 bool done = true; 1811 1812 if (head->read_eof) 1813 return 0; 1814 if (head->read_step == 0) 1815 head->read_step = 1; 1816 list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) { 1817 struct tomoyo_domain_info *domain; 1818 const char *quota_exceeded = ""; 1819 const char *transition_failed = ""; 1820 const char *ignore_global_allow_read = ""; 1821 domain = list_entry(dpos, struct tomoyo_domain_info, list); 1822 if (head->read_step != 1) 1823 goto acl_loop; 1824 if (domain->is_deleted && !head->read_single_domain) 1825 continue; 1826 /* Print domainname and flags. */ 1827 if (domain->quota_warned) 1828 quota_exceeded = "quota_exceeded\n"; 1829 if (domain->transition_failed) 1830 transition_failed = "transition_failed\n"; 1831 if (domain->ignore_global_allow_read) 1832 ignore_global_allow_read 1833 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; 1834 done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE 1835 "%u\n%s%s%s\n", 1836 domain->domainname->name, 1837 domain->profile, quota_exceeded, 1838 transition_failed, 1839 ignore_global_allow_read); 1840 if (!done) 1841 break; 1842 head->read_step = 2; 1843acl_loop: 1844 if (head->read_step == 3) 1845 goto tail_mark; 1846 /* Print ACL entries in the domain. */ 1847 list_for_each_cookie(apos, head->read_var2, 1848 &domain->acl_info_list) { 1849 struct tomoyo_acl_info *ptr 1850 = list_entry(apos, struct tomoyo_acl_info, 1851 list); 1852 done = tomoyo_print_entry(head, ptr); 1853 if (!done) 1854 break; 1855 } 1856 if (!done) 1857 break; 1858 head->read_step = 3; 1859tail_mark: 1860 done = tomoyo_io_printf(head, "\n"); 1861 if (!done) 1862 break; 1863 head->read_step = 1; 1864 if (head->read_single_domain) 1865 break; 1866 } 1867 head->read_eof = done; 1868 return 0; 1869} 1870 1871/** 1872 * tomoyo_write_domain_profile - Assign profile for specified domain. 1873 * 1874 * @head: Pointer to "struct tomoyo_io_buffer". 1875 * 1876 * Returns 0 on success, -EINVAL otherwise. 1877 * 1878 * This is equivalent to doing 1879 * 1880 * ( echo "select " $domainname; echo "use_profile " $profile ) | 1881 * /usr/lib/ccs/loadpolicy -d 1882 * 1883 * Caller holds tomoyo_read_lock(). 1884 */ 1885static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head) 1886{ 1887 char *data = head->write_buf; 1888 char *cp = strchr(data, ' '); 1889 struct tomoyo_domain_info *domain; 1890 unsigned long profile; 1891 1892 if (!cp) 1893 return -EINVAL; 1894 *cp = '\0'; 1895 domain = tomoyo_find_domain(cp + 1); 1896 if (strict_strtoul(data, 10, &profile)) 1897 return -EINVAL; 1898 if (domain && profile < TOMOYO_MAX_PROFILES 1899 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)) 1900 domain->profile = (u8) profile; 1901 return 0; 1902} 1903 1904/** 1905 * tomoyo_read_domain_profile - Read only domainname and profile. 1906 * 1907 * @head: Pointer to "struct tomoyo_io_buffer". 1908 * 1909 * Returns list of profile number and domainname pairs. 1910 * 1911 * This is equivalent to doing 1912 * 1913 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy | 1914 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" ) 1915 * domainname = $0; } else if ( $1 == "use_profile" ) { 1916 * print $2 " " domainname; domainname = ""; } } ; ' 1917 * 1918 * Caller holds tomoyo_read_lock(). 1919 */ 1920static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head) 1921{ 1922 struct list_head *pos; 1923 bool done = true; 1924 1925 if (head->read_eof) 1926 return 0; 1927 list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) { 1928 struct tomoyo_domain_info *domain; 1929 domain = list_entry(pos, struct tomoyo_domain_info, list); 1930 if (domain->is_deleted) 1931 continue; 1932 done = tomoyo_io_printf(head, "%u %s\n", domain->profile, 1933 domain->domainname->name); 1934 if (!done) 1935 break; 1936 } 1937 head->read_eof = done; 1938 return 0; 1939} 1940 1941/** 1942 * tomoyo_write_pid: Specify PID to obtain domainname. 1943 * 1944 * @head: Pointer to "struct tomoyo_io_buffer". 1945 * 1946 * Returns 0. 1947 */ 1948static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1949{ 1950 unsigned long pid; 1951 /* No error check. */ 1952 strict_strtoul(head->write_buf, 10, &pid); 1953 head->read_step = (int) pid; 1954 head->read_eof = false; 1955 return 0; 1956} 1957 1958/** 1959 * tomoyo_read_pid - Get domainname of the specified PID. 1960 * 1961 * @head: Pointer to "struct tomoyo_io_buffer". 1962 * 1963 * Returns the domainname which the specified PID is in on success, 1964 * empty string otherwise. 1965 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1966 * using read()/write() interface rather than sysctl() interface. 1967 */ 1968static int tomoyo_read_pid(struct tomoyo_io_buffer *head) 1969{ 1970 if (head->read_avail == 0 && !head->read_eof) { 1971 const int pid = head->read_step; 1972 struct task_struct *p; 1973 struct tomoyo_domain_info *domain = NULL; 1974 rcu_read_lock(); 1975 read_lock(&tasklist_lock); 1976 p = find_task_by_vpid(pid); 1977 if (p) 1978 domain = tomoyo_real_domain(p); 1979 read_unlock(&tasklist_lock); 1980 rcu_read_unlock(); 1981 if (domain) 1982 tomoyo_io_printf(head, "%d %u %s", pid, domain->profile, 1983 domain->domainname->name); 1984 head->read_eof = true; 1985 } 1986 return 0; 1987} 1988 1989/** 1990 * tomoyo_write_exception_policy - Write exception policy. 1991 * 1992 * @head: Pointer to "struct tomoyo_io_buffer". 1993 * 1994 * Returns 0 on success, negative value otherwise. 1995 * 1996 * Caller holds tomoyo_read_lock(). 1997 */ 1998static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head) 1999{ 2000 char *data = head->write_buf; 2001 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 2002 2003 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN)) 2004 return tomoyo_write_domain_keeper_policy(data, false, 2005 is_delete); 2006 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN)) 2007 return tomoyo_write_domain_keeper_policy(data, true, is_delete); 2008 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN)) 2009 return tomoyo_write_domain_initializer_policy(data, false, 2010 is_delete); 2011 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN)) 2012 return tomoyo_write_domain_initializer_policy(data, true, 2013 is_delete); 2014 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS)) 2015 return tomoyo_write_alias_policy(data, is_delete); 2016 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ)) 2017 return tomoyo_write_globally_readable_policy(data, is_delete); 2018 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN)) 2019 return tomoyo_write_pattern_policy(data, is_delete); 2020 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE)) 2021 return tomoyo_write_no_rewrite_policy(data, is_delete); 2022 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_PATH_GROUP)) 2023 return tomoyo_write_path_group_policy(data, is_delete); 2024 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NUMBER_GROUP)) 2025 return tomoyo_write_number_group_policy(data, is_delete); 2026 return -EINVAL; 2027} 2028 2029/** 2030 * tomoyo_read_exception_policy - Read exception policy. 2031 * 2032 * @head: Pointer to "struct tomoyo_io_buffer". 2033 * 2034 * Returns 0 on success, -EINVAL otherwise. 2035 * 2036 * Caller holds tomoyo_read_lock(). 2037 */ 2038static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head) 2039{ 2040 if (!head->read_eof) { 2041 switch (head->read_step) { 2042 case 0: 2043 head->read_var2 = NULL; 2044 head->read_step = 1; 2045 case 1: 2046 if (!tomoyo_read_domain_keeper_policy(head)) 2047 break; 2048 head->read_var2 = NULL; 2049 head->read_step = 2; 2050 case 2: 2051 if (!tomoyo_read_globally_readable_policy(head)) 2052 break; 2053 head->read_var2 = NULL; 2054 head->read_step = 3; 2055 case 3: 2056 head->read_var2 = NULL; 2057 head->read_step = 4; 2058 case 4: 2059 if (!tomoyo_read_domain_initializer_policy(head)) 2060 break; 2061 head->read_var2 = NULL; 2062 head->read_step = 5; 2063 case 5: 2064 if (!tomoyo_read_alias_policy(head)) 2065 break; 2066 head->read_var2 = NULL; 2067 head->read_step = 6; 2068 case 6: 2069 head->read_var2 = NULL; 2070 head->read_step = 7; 2071 case 7: 2072 if (!tomoyo_read_file_pattern(head)) 2073 break; 2074 head->read_var2 = NULL; 2075 head->read_step = 8; 2076 case 8: 2077 if (!tomoyo_read_no_rewrite_policy(head)) 2078 break; 2079 head->read_var2 = NULL; 2080 head->read_step = 9; 2081 case 9: 2082 if (!tomoyo_read_path_group_policy(head)) 2083 break; 2084 head->read_var1 = NULL; 2085 head->read_var2 = NULL; 2086 head->read_step = 10; 2087 case 10: 2088 if (!tomoyo_read_number_group_policy(head)) 2089 break; 2090 head->read_var1 = NULL; 2091 head->read_var2 = NULL; 2092 head->read_step = 11; 2093 case 11: 2094 head->read_eof = true; 2095 break; 2096 default: 2097 return -EINVAL; 2098 } 2099 } 2100 return 0; 2101} 2102 2103/* path to policy loader */ 2104static const char *tomoyo_loader = "/sbin/tomoyo-init"; 2105 2106/** 2107 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists. 2108 * 2109 * Returns true if /sbin/tomoyo-init exists, false otherwise. 2110 */ 2111static bool tomoyo_policy_loader_exists(void) 2112{ 2113 /* 2114 * Don't activate MAC if the policy loader doesn't exist. 2115 * If the initrd includes /sbin/init but real-root-dev has not 2116 * mounted on / yet, activating MAC will block the system since 2117 * policies are not loaded yet. 2118 * Thus, let do_execve() call this function everytime. 2119 */ 2120 struct path path; 2121 2122 if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) { 2123 printk(KERN_INFO "Not activating Mandatory Access Control now " 2124 "since %s doesn't exist.\n", tomoyo_loader); 2125 return false; 2126 } 2127 path_put(&path); 2128 return true; 2129} 2130 2131/** 2132 * tomoyo_load_policy - Run external policy loader to load policy. 2133 * 2134 * @filename: The program about to start. 2135 * 2136 * This function checks whether @filename is /sbin/init , and if so 2137 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init 2138 * and then continues invocation of /sbin/init. 2139 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and 2140 * writes to /sys/kernel/security/tomoyo/ interfaces. 2141 * 2142 * Returns nothing. 2143 */ 2144void tomoyo_load_policy(const char *filename) 2145{ 2146 char *argv[2]; 2147 char *envp[3]; 2148 2149 if (tomoyo_policy_loaded) 2150 return; 2151 /* 2152 * Check filename is /sbin/init or /sbin/tomoyo-start. 2153 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't 2154 * be passed. 2155 * You can create /sbin/tomoyo-start by 2156 * "ln -s /bin/true /sbin/tomoyo-start". 2157 */ 2158 if (strcmp(filename, "/sbin/init") && 2159 strcmp(filename, "/sbin/tomoyo-start")) 2160 return; 2161 if (!tomoyo_policy_loader_exists()) 2162 return; 2163 2164 printk(KERN_INFO "Calling %s to load policy. Please wait.\n", 2165 tomoyo_loader); 2166 argv[0] = (char *) tomoyo_loader; 2167 argv[1] = NULL; 2168 envp[0] = "HOME=/"; 2169 envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin"; 2170 envp[2] = NULL; 2171 call_usermodehelper(argv[0], argv, envp, 1); 2172 2173 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n"); 2174 printk(KERN_INFO "Mandatory Access Control activated.\n"); 2175 tomoyo_policy_loaded = true; 2176 { /* Check all profiles currently assigned to domains are defined. */ 2177 struct tomoyo_domain_info *domain; 2178 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 2179 const u8 profile = domain->profile; 2180 if (tomoyo_profile_ptr[profile]) 2181 continue; 2182 panic("Profile %u (used by '%s') not defined.\n", 2183 profile, domain->domainname->name); 2184 } 2185 } 2186} 2187 2188/** 2189 * tomoyo_read_version: Get version. 2190 * 2191 * @head: Pointer to "struct tomoyo_io_buffer". 2192 * 2193 * Returns version information. 2194 */ 2195static int tomoyo_read_version(struct tomoyo_io_buffer *head) 2196{ 2197 if (!head->read_eof) { 2198 tomoyo_io_printf(head, "2.2.0"); 2199 head->read_eof = true; 2200 } 2201 return 0; 2202} 2203 2204/** 2205 * tomoyo_read_self_domain - Get the current process's domainname. 2206 * 2207 * @head: Pointer to "struct tomoyo_io_buffer". 2208 * 2209 * Returns the current process's domainname. 2210 */ 2211static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head) 2212{ 2213 if (!head->read_eof) { 2214 /* 2215 * tomoyo_domain()->domainname != NULL 2216 * because every process belongs to a domain and 2217 * the domain's name cannot be NULL. 2218 */ 2219 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); 2220 head->read_eof = true; 2221 } 2222 return 0; 2223} 2224 2225/** 2226 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 2227 * 2228 * @type: Type of interface. 2229 * @file: Pointer to "struct file". 2230 * 2231 * Associates policy handler and returns 0 on success, -ENOMEM otherwise. 2232 * 2233 * Caller acquires tomoyo_read_lock(). 2234 */ 2235static int tomoyo_open_control(const u8 type, struct file *file) 2236{ 2237 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS); 2238 2239 if (!head) 2240 return -ENOMEM; 2241 mutex_init(&head->io_sem); 2242 switch (type) { 2243 case TOMOYO_DOMAINPOLICY: 2244 /* /sys/kernel/security/tomoyo/domain_policy */ 2245 head->write = tomoyo_write_domain_policy; 2246 head->read = tomoyo_read_domain_policy; 2247 break; 2248 case TOMOYO_EXCEPTIONPOLICY: 2249 /* /sys/kernel/security/tomoyo/exception_policy */ 2250 head->write = tomoyo_write_exception_policy; 2251 head->read = tomoyo_read_exception_policy; 2252 break; 2253 case TOMOYO_SELFDOMAIN: 2254 /* /sys/kernel/security/tomoyo/self_domain */ 2255 head->read = tomoyo_read_self_domain; 2256 break; 2257 case TOMOYO_DOMAIN_STATUS: 2258 /* /sys/kernel/security/tomoyo/.domain_status */ 2259 head->write = tomoyo_write_domain_profile; 2260 head->read = tomoyo_read_domain_profile; 2261 break; 2262 case TOMOYO_PROCESS_STATUS: 2263 /* /sys/kernel/security/tomoyo/.process_status */ 2264 head->write = tomoyo_write_pid; 2265 head->read = tomoyo_read_pid; 2266 break; 2267 case TOMOYO_VERSION: 2268 /* /sys/kernel/security/tomoyo/version */ 2269 head->read = tomoyo_read_version; 2270 head->readbuf_size = 128; 2271 break; 2272 case TOMOYO_MEMINFO: 2273 /* /sys/kernel/security/tomoyo/meminfo */ 2274 head->write = tomoyo_write_memory_quota; 2275 head->read = tomoyo_read_memory_counter; 2276 head->readbuf_size = 512; 2277 break; 2278 case TOMOYO_PROFILE: 2279 /* /sys/kernel/security/tomoyo/profile */ 2280 head->write = tomoyo_write_profile; 2281 head->read = tomoyo_read_profile; 2282 break; 2283 case TOMOYO_MANAGER: 2284 /* /sys/kernel/security/tomoyo/manager */ 2285 head->write = tomoyo_write_manager_policy; 2286 head->read = tomoyo_read_manager_policy; 2287 break; 2288 } 2289 if (!(file->f_mode & FMODE_READ)) { 2290 /* 2291 * No need to allocate read_buf since it is not opened 2292 * for reading. 2293 */ 2294 head->read = NULL; 2295 } else { 2296 if (!head->readbuf_size) 2297 head->readbuf_size = 4096 * 2; 2298 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); 2299 if (!head->read_buf) { 2300 kfree(head); 2301 return -ENOMEM; 2302 } 2303 } 2304 if (!(file->f_mode & FMODE_WRITE)) { 2305 /* 2306 * No need to allocate write_buf since it is not opened 2307 * for writing. 2308 */ 2309 head->write = NULL; 2310 } else if (head->write) { 2311 head->writebuf_size = 4096 * 2; 2312 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); 2313 if (!head->write_buf) { 2314 kfree(head->read_buf); 2315 kfree(head); 2316 return -ENOMEM; 2317 } 2318 } 2319 head->reader_idx = tomoyo_read_lock(); 2320 file->private_data = head; 2321 /* 2322 * Call the handler now if the file is 2323 * /sys/kernel/security/tomoyo/self_domain 2324 * so that the user can use 2325 * cat < /sys/kernel/security/tomoyo/self_domain" 2326 * to know the current process's domainname. 2327 */ 2328 if (type == TOMOYO_SELFDOMAIN) 2329 tomoyo_read_control(file, NULL, 0); 2330 return 0; 2331} 2332 2333/** 2334 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 2335 * 2336 * @file: Pointer to "struct file". 2337 * @buffer: Poiner to buffer to write to. 2338 * @buffer_len: Size of @buffer. 2339 * 2340 * Returns bytes read on success, negative value otherwise. 2341 * 2342 * Caller holds tomoyo_read_lock(). 2343 */ 2344static int tomoyo_read_control(struct file *file, char __user *buffer, 2345 const int buffer_len) 2346{ 2347 int len = 0; 2348 struct tomoyo_io_buffer *head = file->private_data; 2349 char *cp; 2350 2351 if (!head->read) 2352 return -ENOSYS; 2353 if (mutex_lock_interruptible(&head->io_sem)) 2354 return -EINTR; 2355 /* Call the policy handler. */ 2356 len = head->read(head); 2357 if (len < 0) 2358 goto out; 2359 /* Write to buffer. */ 2360 len = head->read_avail; 2361 if (len > buffer_len) 2362 len = buffer_len; 2363 if (!len) 2364 goto out; 2365 /* head->read_buf changes by some functions. */ 2366 cp = head->read_buf; 2367 if (copy_to_user(buffer, cp, len)) { 2368 len = -EFAULT; 2369 goto out; 2370 } 2371 head->read_avail -= len; 2372 memmove(cp, cp + len, head->read_avail); 2373 out: 2374 mutex_unlock(&head->io_sem); 2375 return len; 2376} 2377 2378/** 2379 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 2380 * 2381 * @file: Pointer to "struct file". 2382 * @buffer: Pointer to buffer to read from. 2383 * @buffer_len: Size of @buffer. 2384 * 2385 * Returns @buffer_len on success, negative value otherwise. 2386 * 2387 * Caller holds tomoyo_read_lock(). 2388 */ 2389static int tomoyo_write_control(struct file *file, const char __user *buffer, 2390 const int buffer_len) 2391{ 2392 struct tomoyo_io_buffer *head = file->private_data; 2393 int error = buffer_len; 2394 int avail_len = buffer_len; 2395 char *cp0 = head->write_buf; 2396 2397 if (!head->write) 2398 return -ENOSYS; 2399 if (!access_ok(VERIFY_READ, buffer, buffer_len)) 2400 return -EFAULT; 2401 /* Don't allow updating policies by non manager programs. */ 2402 if (head->write != tomoyo_write_pid && 2403 head->write != tomoyo_write_domain_policy && 2404 !tomoyo_is_policy_manager()) 2405 return -EPERM; 2406 if (mutex_lock_interruptible(&head->io_sem)) 2407 return -EINTR; 2408 /* Read a line and dispatch it to the policy handler. */ 2409 while (avail_len > 0) { 2410 char c; 2411 if (head->write_avail >= head->writebuf_size - 1) { 2412 error = -ENOMEM; 2413 break; 2414 } else if (get_user(c, buffer)) { 2415 error = -EFAULT; 2416 break; 2417 } 2418 buffer++; 2419 avail_len--; 2420 cp0[head->write_avail++] = c; 2421 if (c != '\n') 2422 continue; 2423 cp0[head->write_avail - 1] = '\0'; 2424 head->write_avail = 0; 2425 tomoyo_normalize_line(cp0); 2426 head->write(head); 2427 } 2428 mutex_unlock(&head->io_sem); 2429 return error; 2430} 2431 2432/** 2433 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 2434 * 2435 * @file: Pointer to "struct file". 2436 * 2437 * Releases memory and returns 0. 2438 * 2439 * Caller looses tomoyo_read_lock(). 2440 */ 2441static int tomoyo_close_control(struct file *file) 2442{ 2443 struct tomoyo_io_buffer *head = file->private_data; 2444 const bool is_write = !!head->write_buf; 2445 2446 tomoyo_read_unlock(head->reader_idx); 2447 /* Release memory used for policy I/O. */ 2448 kfree(head->read_buf); 2449 head->read_buf = NULL; 2450 kfree(head->write_buf); 2451 head->write_buf = NULL; 2452 kfree(head); 2453 head = NULL; 2454 file->private_data = NULL; 2455 if (is_write) 2456 tomoyo_run_gc(); 2457 return 0; 2458} 2459 2460/** 2461 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface. 2462 * 2463 * @inode: Pointer to "struct inode". 2464 * @file: Pointer to "struct file". 2465 * 2466 * Returns 0 on success, negative value otherwise. 2467 */ 2468static int tomoyo_open(struct inode *inode, struct file *file) 2469{ 2470 const int key = ((u8 *) file->f_path.dentry->d_inode->i_private) 2471 - ((u8 *) NULL); 2472 return tomoyo_open_control(key, file); 2473} 2474 2475/** 2476 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface. 2477 * 2478 * @inode: Pointer to "struct inode". 2479 * @file: Pointer to "struct file". 2480 * 2481 * Returns 0 on success, negative value otherwise. 2482 */ 2483static int tomoyo_release(struct inode *inode, struct file *file) 2484{ 2485 return tomoyo_close_control(file); 2486} 2487 2488/** 2489 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface. 2490 * 2491 * @file: Pointer to "struct file". 2492 * @buf: Pointer to buffer. 2493 * @count: Size of @buf. 2494 * @ppos: Unused. 2495 * 2496 * Returns bytes read on success, negative value otherwise. 2497 */ 2498static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count, 2499 loff_t *ppos) 2500{ 2501 return tomoyo_read_control(file, buf, count); 2502} 2503 2504/** 2505 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface. 2506 * 2507 * @file: Pointer to "struct file". 2508 * @buf: Pointer to buffer. 2509 * @count: Size of @buf. 2510 * @ppos: Unused. 2511 * 2512 * Returns @count on success, negative value otherwise. 2513 */ 2514static ssize_t tomoyo_write(struct file *file, const char __user *buf, 2515 size_t count, loff_t *ppos) 2516{ 2517 return tomoyo_write_control(file, buf, count); 2518} 2519 2520/* 2521 * tomoyo_operations is a "struct file_operations" which is used for handling 2522 * /sys/kernel/security/tomoyo/ interface. 2523 * 2524 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR). 2525 * See tomoyo_io_buffer for internals. 2526 */ 2527static const struct file_operations tomoyo_operations = { 2528 .open = tomoyo_open, 2529 .release = tomoyo_release, 2530 .read = tomoyo_read, 2531 .write = tomoyo_write, 2532}; 2533 2534/** 2535 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory. 2536 * 2537 * @name: The name of the interface file. 2538 * @mode: The permission of the interface file. 2539 * @parent: The parent directory. 2540 * @key: Type of interface. 2541 * 2542 * Returns nothing. 2543 */ 2544static void __init tomoyo_create_entry(const char *name, const mode_t mode, 2545 struct dentry *parent, const u8 key) 2546{ 2547 securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key, 2548 &tomoyo_operations); 2549} 2550 2551/** 2552 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface. 2553 * 2554 * Returns 0. 2555 */ 2556static int __init tomoyo_initerface_init(void) 2557{ 2558 struct dentry *tomoyo_dir; 2559 2560 /* Don't create securityfs entries unless registered. */ 2561 if (current_cred()->security != &tomoyo_kernel_domain) 2562 return 0; 2563 2564 tomoyo_dir = securityfs_create_dir("tomoyo", NULL); 2565 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir, 2566 TOMOYO_DOMAINPOLICY); 2567 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir, 2568 TOMOYO_EXCEPTIONPOLICY); 2569 tomoyo_create_entry("self_domain", 0400, tomoyo_dir, 2570 TOMOYO_SELFDOMAIN); 2571 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir, 2572 TOMOYO_DOMAIN_STATUS); 2573 tomoyo_create_entry(".process_status", 0600, tomoyo_dir, 2574 TOMOYO_PROCESS_STATUS); 2575 tomoyo_create_entry("meminfo", 0600, tomoyo_dir, 2576 TOMOYO_MEMINFO); 2577 tomoyo_create_entry("profile", 0600, tomoyo_dir, 2578 TOMOYO_PROFILE); 2579 tomoyo_create_entry("manager", 0600, tomoyo_dir, 2580 TOMOYO_MANAGER); 2581 tomoyo_create_entry("version", 0400, tomoyo_dir, 2582 TOMOYO_VERSION); 2583 return 0; 2584} 2585 2586fs_initcall(tomoyo_initerface_init); 2587