common.c revision 8761afd49ebff8ae04c1a7888af090177441d07d
1/* 2 * security/tomoyo/common.c 3 * 4 * Common functions for TOMOYO. 5 * 6 * Copyright (C) 2005-2010 NTT DATA CORPORATION 7 */ 8 9#include <linux/uaccess.h> 10#include <linux/slab.h> 11#include <linux/security.h> 12#include "common.h" 13 14/* String table for operation mode. */ 15const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = { 16 [TOMOYO_CONFIG_DISABLED] = "disabled", 17 [TOMOYO_CONFIG_LEARNING] = "learning", 18 [TOMOYO_CONFIG_PERMISSIVE] = "permissive", 19 [TOMOYO_CONFIG_ENFORCING] = "enforcing" 20}; 21 22/* String table for /sys/kernel/security/tomoyo/profile */ 23const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX 24 + TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 25 [TOMOYO_MAC_FILE_EXECUTE] = "execute", 26 [TOMOYO_MAC_FILE_OPEN] = "open", 27 [TOMOYO_MAC_FILE_CREATE] = "create", 28 [TOMOYO_MAC_FILE_UNLINK] = "unlink", 29 [TOMOYO_MAC_FILE_GETATTR] = "getattr", 30 [TOMOYO_MAC_FILE_MKDIR] = "mkdir", 31 [TOMOYO_MAC_FILE_RMDIR] = "rmdir", 32 [TOMOYO_MAC_FILE_MKFIFO] = "mkfifo", 33 [TOMOYO_MAC_FILE_MKSOCK] = "mksock", 34 [TOMOYO_MAC_FILE_TRUNCATE] = "truncate", 35 [TOMOYO_MAC_FILE_SYMLINK] = "symlink", 36 [TOMOYO_MAC_FILE_MKBLOCK] = "mkblock", 37 [TOMOYO_MAC_FILE_MKCHAR] = "mkchar", 38 [TOMOYO_MAC_FILE_LINK] = "link", 39 [TOMOYO_MAC_FILE_RENAME] = "rename", 40 [TOMOYO_MAC_FILE_CHMOD] = "chmod", 41 [TOMOYO_MAC_FILE_CHOWN] = "chown", 42 [TOMOYO_MAC_FILE_CHGRP] = "chgrp", 43 [TOMOYO_MAC_FILE_IOCTL] = "ioctl", 44 [TOMOYO_MAC_FILE_CHROOT] = "chroot", 45 [TOMOYO_MAC_FILE_MOUNT] = "mount", 46 [TOMOYO_MAC_FILE_UMOUNT] = "unmount", 47 [TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root", 48 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file", 49}; 50 51/* String table for conditions. */ 52const char * const tomoyo_condition_keyword[TOMOYO_MAX_CONDITION_KEYWORD] = { 53 [TOMOYO_TASK_UID] = "task.uid", 54 [TOMOYO_TASK_EUID] = "task.euid", 55 [TOMOYO_TASK_SUID] = "task.suid", 56 [TOMOYO_TASK_FSUID] = "task.fsuid", 57 [TOMOYO_TASK_GID] = "task.gid", 58 [TOMOYO_TASK_EGID] = "task.egid", 59 [TOMOYO_TASK_SGID] = "task.sgid", 60 [TOMOYO_TASK_FSGID] = "task.fsgid", 61 [TOMOYO_TASK_PID] = "task.pid", 62 [TOMOYO_TASK_PPID] = "task.ppid", 63 [TOMOYO_TYPE_IS_SOCKET] = "socket", 64 [TOMOYO_TYPE_IS_SYMLINK] = "symlink", 65 [TOMOYO_TYPE_IS_FILE] = "file", 66 [TOMOYO_TYPE_IS_BLOCK_DEV] = "block", 67 [TOMOYO_TYPE_IS_DIRECTORY] = "directory", 68 [TOMOYO_TYPE_IS_CHAR_DEV] = "char", 69 [TOMOYO_TYPE_IS_FIFO] = "fifo", 70 [TOMOYO_MODE_SETUID] = "setuid", 71 [TOMOYO_MODE_SETGID] = "setgid", 72 [TOMOYO_MODE_STICKY] = "sticky", 73 [TOMOYO_MODE_OWNER_READ] = "owner_read", 74 [TOMOYO_MODE_OWNER_WRITE] = "owner_write", 75 [TOMOYO_MODE_OWNER_EXECUTE] = "owner_execute", 76 [TOMOYO_MODE_GROUP_READ] = "group_read", 77 [TOMOYO_MODE_GROUP_WRITE] = "group_write", 78 [TOMOYO_MODE_GROUP_EXECUTE] = "group_execute", 79 [TOMOYO_MODE_OTHERS_READ] = "others_read", 80 [TOMOYO_MODE_OTHERS_WRITE] = "others_write", 81 [TOMOYO_MODE_OTHERS_EXECUTE] = "others_execute", 82 [TOMOYO_PATH1_UID] = "path1.uid", 83 [TOMOYO_PATH1_GID] = "path1.gid", 84 [TOMOYO_PATH1_INO] = "path1.ino", 85 [TOMOYO_PATH1_MAJOR] = "path1.major", 86 [TOMOYO_PATH1_MINOR] = "path1.minor", 87 [TOMOYO_PATH1_PERM] = "path1.perm", 88 [TOMOYO_PATH1_TYPE] = "path1.type", 89 [TOMOYO_PATH1_DEV_MAJOR] = "path1.dev_major", 90 [TOMOYO_PATH1_DEV_MINOR] = "path1.dev_minor", 91 [TOMOYO_PATH2_UID] = "path2.uid", 92 [TOMOYO_PATH2_GID] = "path2.gid", 93 [TOMOYO_PATH2_INO] = "path2.ino", 94 [TOMOYO_PATH2_MAJOR] = "path2.major", 95 [TOMOYO_PATH2_MINOR] = "path2.minor", 96 [TOMOYO_PATH2_PERM] = "path2.perm", 97 [TOMOYO_PATH2_TYPE] = "path2.type", 98 [TOMOYO_PATH2_DEV_MAJOR] = "path2.dev_major", 99 [TOMOYO_PATH2_DEV_MINOR] = "path2.dev_minor", 100 [TOMOYO_PATH1_PARENT_UID] = "path1.parent.uid", 101 [TOMOYO_PATH1_PARENT_GID] = "path1.parent.gid", 102 [TOMOYO_PATH1_PARENT_INO] = "path1.parent.ino", 103 [TOMOYO_PATH1_PARENT_PERM] = "path1.parent.perm", 104 [TOMOYO_PATH2_PARENT_UID] = "path2.parent.uid", 105 [TOMOYO_PATH2_PARENT_GID] = "path2.parent.gid", 106 [TOMOYO_PATH2_PARENT_INO] = "path2.parent.ino", 107 [TOMOYO_PATH2_PARENT_PERM] = "path2.parent.perm", 108}; 109 110/* String table for PREFERENCE keyword. */ 111static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = { 112 [TOMOYO_PREF_MAX_AUDIT_LOG] = "max_audit_log", 113 [TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", 114}; 115 116/* String table for path operation. */ 117const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = { 118 [TOMOYO_TYPE_EXECUTE] = "execute", 119 [TOMOYO_TYPE_READ] = "read", 120 [TOMOYO_TYPE_WRITE] = "write", 121 [TOMOYO_TYPE_APPEND] = "append", 122 [TOMOYO_TYPE_UNLINK] = "unlink", 123 [TOMOYO_TYPE_GETATTR] = "getattr", 124 [TOMOYO_TYPE_RMDIR] = "rmdir", 125 [TOMOYO_TYPE_TRUNCATE] = "truncate", 126 [TOMOYO_TYPE_SYMLINK] = "symlink", 127 [TOMOYO_TYPE_CHROOT] = "chroot", 128 [TOMOYO_TYPE_UMOUNT] = "unmount", 129}; 130 131/* String table for categories. */ 132static const char * const tomoyo_category_keywords 133[TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 134 [TOMOYO_MAC_CATEGORY_FILE] = "file", 135}; 136 137/* Permit policy management by non-root user? */ 138static bool tomoyo_manage_by_non_root; 139 140/* Utility functions. */ 141 142/** 143 * tomoyo_yesno - Return "yes" or "no". 144 * 145 * @value: Bool value. 146 */ 147const char *tomoyo_yesno(const unsigned int value) 148{ 149 return value ? "yes" : "no"; 150} 151 152/** 153 * tomoyo_addprintf - strncat()-like-snprintf(). 154 * 155 * @buffer: Buffer to write to. Must be '\0'-terminated. 156 * @len: Size of @buffer. 157 * @fmt: The printf()'s format string, followed by parameters. 158 * 159 * Returns nothing. 160 */ 161static void tomoyo_addprintf(char *buffer, int len, const char *fmt, ...) 162{ 163 va_list args; 164 const int pos = strlen(buffer); 165 va_start(args, fmt); 166 vsnprintf(buffer + pos, len - pos - 1, fmt, args); 167 va_end(args); 168} 169 170/** 171 * tomoyo_flush - Flush queued string to userspace's buffer. 172 * 173 * @head: Pointer to "struct tomoyo_io_buffer". 174 * 175 * Returns true if all data was flushed, false otherwise. 176 */ 177static bool tomoyo_flush(struct tomoyo_io_buffer *head) 178{ 179 while (head->r.w_pos) { 180 const char *w = head->r.w[0]; 181 size_t len = strlen(w); 182 if (len) { 183 if (len > head->read_user_buf_avail) 184 len = head->read_user_buf_avail; 185 if (!len) 186 return false; 187 if (copy_to_user(head->read_user_buf, w, len)) 188 return false; 189 head->read_user_buf_avail -= len; 190 head->read_user_buf += len; 191 w += len; 192 } 193 head->r.w[0] = w; 194 if (*w) 195 return false; 196 /* Add '\0' for audit logs and query. */ 197 if (head->poll) { 198 if (!head->read_user_buf_avail || 199 copy_to_user(head->read_user_buf, "", 1)) 200 return false; 201 head->read_user_buf_avail--; 202 head->read_user_buf++; 203 } 204 head->r.w_pos--; 205 for (len = 0; len < head->r.w_pos; len++) 206 head->r.w[len] = head->r.w[len + 1]; 207 } 208 head->r.avail = 0; 209 return true; 210} 211 212/** 213 * tomoyo_set_string - Queue string to "struct tomoyo_io_buffer" structure. 214 * 215 * @head: Pointer to "struct tomoyo_io_buffer". 216 * @string: String to print. 217 * 218 * Note that @string has to be kept valid until @head is kfree()d. 219 * This means that char[] allocated on stack memory cannot be passed to 220 * this function. Use tomoyo_io_printf() for char[] allocated on stack memory. 221 */ 222static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string) 223{ 224 if (head->r.w_pos < TOMOYO_MAX_IO_READ_QUEUE) { 225 head->r.w[head->r.w_pos++] = string; 226 tomoyo_flush(head); 227 } else 228 WARN_ON(1); 229} 230 231/** 232 * tomoyo_io_printf - printf() to "struct tomoyo_io_buffer" structure. 233 * 234 * @head: Pointer to "struct tomoyo_io_buffer". 235 * @fmt: The printf()'s format string, followed by parameters. 236 */ 237void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 238{ 239 va_list args; 240 size_t len; 241 size_t pos = head->r.avail; 242 int size = head->readbuf_size - pos; 243 if (size <= 0) 244 return; 245 va_start(args, fmt); 246 len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1; 247 va_end(args); 248 if (pos + len >= head->readbuf_size) { 249 WARN_ON(1); 250 return; 251 } 252 head->r.avail += len; 253 tomoyo_set_string(head, head->read_buf + pos); 254} 255 256/** 257 * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure. 258 * 259 * @head: Pointer to "struct tomoyo_io_buffer". 260 * 261 * Returns nothing. 262 */ 263static void tomoyo_set_space(struct tomoyo_io_buffer *head) 264{ 265 tomoyo_set_string(head, " "); 266} 267 268/** 269 * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure. 270 * 271 * @head: Pointer to "struct tomoyo_io_buffer". 272 * 273 * Returns nothing. 274 */ 275static bool tomoyo_set_lf(struct tomoyo_io_buffer *head) 276{ 277 tomoyo_set_string(head, "\n"); 278 return !head->r.w_pos; 279} 280 281/** 282 * tomoyo_set_slash - Put a shash to "struct tomoyo_io_buffer" structure. 283 * 284 * @head: Pointer to "struct tomoyo_io_buffer". 285 * 286 * Returns nothing. 287 */ 288static void tomoyo_set_slash(struct tomoyo_io_buffer *head) 289{ 290 tomoyo_set_string(head, "/"); 291} 292 293/* List of namespaces. */ 294LIST_HEAD(tomoyo_namespace_list); 295/* True if namespace other than tomoyo_kernel_namespace is defined. */ 296static bool tomoyo_namespace_enabled; 297 298/** 299 * tomoyo_init_policy_namespace - Initialize namespace. 300 * 301 * @ns: Pointer to "struct tomoyo_policy_namespace". 302 * 303 * Returns nothing. 304 */ 305void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns) 306{ 307 unsigned int idx; 308 for (idx = 0; idx < TOMOYO_MAX_ACL_GROUPS; idx++) 309 INIT_LIST_HEAD(&ns->acl_group[idx]); 310 for (idx = 0; idx < TOMOYO_MAX_GROUP; idx++) 311 INIT_LIST_HEAD(&ns->group_list[idx]); 312 for (idx = 0; idx < TOMOYO_MAX_POLICY; idx++) 313 INIT_LIST_HEAD(&ns->policy_list[idx]); 314 ns->profile_version = 20100903; 315 tomoyo_namespace_enabled = !list_empty(&tomoyo_namespace_list); 316 list_add_tail_rcu(&ns->namespace_list, &tomoyo_namespace_list); 317} 318 319/** 320 * tomoyo_print_namespace - Print namespace header. 321 * 322 * @head: Pointer to "struct tomoyo_io_buffer". 323 * 324 * Returns nothing. 325 */ 326static void tomoyo_print_namespace(struct tomoyo_io_buffer *head) 327{ 328 if (!tomoyo_namespace_enabled) 329 return; 330 tomoyo_set_string(head, 331 container_of(head->r.ns, 332 struct tomoyo_policy_namespace, 333 namespace_list)->name); 334 tomoyo_set_space(head); 335} 336 337/** 338 * tomoyo_print_name_union - Print a tomoyo_name_union. 339 * 340 * @head: Pointer to "struct tomoyo_io_buffer". 341 * @ptr: Pointer to "struct tomoyo_name_union". 342 */ 343static void tomoyo_print_name_union(struct tomoyo_io_buffer *head, 344 const struct tomoyo_name_union *ptr) 345{ 346 tomoyo_set_space(head); 347 if (ptr->group) { 348 tomoyo_set_string(head, "@"); 349 tomoyo_set_string(head, ptr->group->group_name->name); 350 } else { 351 tomoyo_set_string(head, ptr->filename->name); 352 } 353} 354 355/** 356 * tomoyo_print_number_union_nospace - Print a tomoyo_number_union without a space. 357 * 358 * @head: Pointer to "struct tomoyo_io_buffer". 359 * @ptr: Pointer to "struct tomoyo_number_union". 360 * 361 * Returns nothing. 362 */ 363static void tomoyo_print_number_union_nospace 364(struct tomoyo_io_buffer *head, const struct tomoyo_number_union *ptr) 365{ 366 if (ptr->group) { 367 tomoyo_set_string(head, "@"); 368 tomoyo_set_string(head, ptr->group->group_name->name); 369 } else { 370 int i; 371 unsigned long min = ptr->values[0]; 372 const unsigned long max = ptr->values[1]; 373 u8 min_type = ptr->value_type[0]; 374 const u8 max_type = ptr->value_type[1]; 375 char buffer[128]; 376 buffer[0] = '\0'; 377 for (i = 0; i < 2; i++) { 378 switch (min_type) { 379 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 380 tomoyo_addprintf(buffer, sizeof(buffer), 381 "0x%lX", min); 382 break; 383 case TOMOYO_VALUE_TYPE_OCTAL: 384 tomoyo_addprintf(buffer, sizeof(buffer), 385 "0%lo", min); 386 break; 387 default: 388 tomoyo_addprintf(buffer, sizeof(buffer), "%lu", 389 min); 390 break; 391 } 392 if (min == max && min_type == max_type) 393 break; 394 tomoyo_addprintf(buffer, sizeof(buffer), "-"); 395 min_type = max_type; 396 min = max; 397 } 398 tomoyo_io_printf(head, "%s", buffer); 399 } 400} 401 402/** 403 * tomoyo_print_number_union - Print a tomoyo_number_union. 404 * 405 * @head: Pointer to "struct tomoyo_io_buffer". 406 * @ptr: Pointer to "struct tomoyo_number_union". 407 * 408 * Returns nothing. 409 */ 410static void tomoyo_print_number_union(struct tomoyo_io_buffer *head, 411 const struct tomoyo_number_union *ptr) 412{ 413 tomoyo_set_space(head); 414 tomoyo_print_number_union_nospace(head, ptr); 415} 416 417/** 418 * tomoyo_assign_profile - Create a new profile. 419 * 420 * @ns: Pointer to "struct tomoyo_policy_namespace". 421 * @profile: Profile number to create. 422 * 423 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 424 */ 425static struct tomoyo_profile *tomoyo_assign_profile 426(struct tomoyo_policy_namespace *ns, const unsigned int profile) 427{ 428 struct tomoyo_profile *ptr; 429 struct tomoyo_profile *entry; 430 if (profile >= TOMOYO_MAX_PROFILES) 431 return NULL; 432 ptr = ns->profile_ptr[profile]; 433 if (ptr) 434 return ptr; 435 entry = kzalloc(sizeof(*entry), GFP_NOFS); 436 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 437 goto out; 438 ptr = ns->profile_ptr[profile]; 439 if (!ptr && tomoyo_memory_ok(entry)) { 440 ptr = entry; 441 ptr->default_config = TOMOYO_CONFIG_DISABLED | 442 TOMOYO_CONFIG_WANT_GRANT_LOG | 443 TOMOYO_CONFIG_WANT_REJECT_LOG; 444 memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT, 445 sizeof(ptr->config)); 446 ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] = 1024; 447 ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = 2048; 448 mb(); /* Avoid out-of-order execution. */ 449 ns->profile_ptr[profile] = ptr; 450 entry = NULL; 451 } 452 mutex_unlock(&tomoyo_policy_lock); 453 out: 454 kfree(entry); 455 return ptr; 456} 457 458/** 459 * tomoyo_profile - Find a profile. 460 * 461 * @ns: Pointer to "struct tomoyo_policy_namespace". 462 * @profile: Profile number to find. 463 * 464 * Returns pointer to "struct tomoyo_profile". 465 */ 466struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns, 467 const u8 profile) 468{ 469 static struct tomoyo_profile tomoyo_null_profile; 470 struct tomoyo_profile *ptr = ns->profile_ptr[profile]; 471 if (!ptr) 472 ptr = &tomoyo_null_profile; 473 return ptr; 474} 475 476/** 477 * tomoyo_find_yesno - Find values for specified keyword. 478 * 479 * @string: String to check. 480 * @find: Name of keyword. 481 * 482 * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise. 483 */ 484static s8 tomoyo_find_yesno(const char *string, const char *find) 485{ 486 const char *cp = strstr(string, find); 487 if (cp) { 488 cp += strlen(find); 489 if (!strncmp(cp, "=yes", 4)) 490 return 1; 491 else if (!strncmp(cp, "=no", 3)) 492 return 0; 493 } 494 return -1; 495} 496 497/** 498 * tomoyo_set_uint - Set value for specified preference. 499 * 500 * @i: Pointer to "unsigned int". 501 * @string: String to check. 502 * @find: Name of keyword. 503 * 504 * Returns nothing. 505 */ 506static void tomoyo_set_uint(unsigned int *i, const char *string, 507 const char *find) 508{ 509 const char *cp = strstr(string, find); 510 if (cp) 511 sscanf(cp + strlen(find), "=%u", i); 512} 513 514/** 515 * tomoyo_set_mode - Set mode for specified profile. 516 * 517 * @name: Name of functionality. 518 * @value: Mode for @name. 519 * @profile: Pointer to "struct tomoyo_profile". 520 * 521 * Returns 0 on success, negative value otherwise. 522 */ 523static int tomoyo_set_mode(char *name, const char *value, 524 struct tomoyo_profile *profile) 525{ 526 u8 i; 527 u8 config; 528 if (!strcmp(name, "CONFIG")) { 529 i = TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX; 530 config = profile->default_config; 531 } else if (tomoyo_str_starts(&name, "CONFIG::")) { 532 config = 0; 533 for (i = 0; i < TOMOYO_MAX_MAC_INDEX 534 + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) { 535 int len = 0; 536 if (i < TOMOYO_MAX_MAC_INDEX) { 537 const u8 c = tomoyo_index2category[i]; 538 const char *category = 539 tomoyo_category_keywords[c]; 540 len = strlen(category); 541 if (strncmp(name, category, len) || 542 name[len++] != ':' || name[len++] != ':') 543 continue; 544 } 545 if (strcmp(name + len, tomoyo_mac_keywords[i])) 546 continue; 547 config = profile->config[i]; 548 break; 549 } 550 if (i == TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 551 return -EINVAL; 552 } else { 553 return -EINVAL; 554 } 555 if (strstr(value, "use_default")) { 556 config = TOMOYO_CONFIG_USE_DEFAULT; 557 } else { 558 u8 mode; 559 for (mode = 0; mode < 4; mode++) 560 if (strstr(value, tomoyo_mode[mode])) 561 /* 562 * Update lower 3 bits in order to distinguish 563 * 'config' from 'TOMOYO_CONFIG_USE_DEAFULT'. 564 */ 565 config = (config & ~7) | mode; 566 if (config != TOMOYO_CONFIG_USE_DEFAULT) { 567 switch (tomoyo_find_yesno(value, "grant_log")) { 568 case 1: 569 config |= TOMOYO_CONFIG_WANT_GRANT_LOG; 570 break; 571 case 0: 572 config &= ~TOMOYO_CONFIG_WANT_GRANT_LOG; 573 break; 574 } 575 switch (tomoyo_find_yesno(value, "reject_log")) { 576 case 1: 577 config |= TOMOYO_CONFIG_WANT_REJECT_LOG; 578 break; 579 case 0: 580 config &= ~TOMOYO_CONFIG_WANT_REJECT_LOG; 581 break; 582 } 583 } 584 } 585 if (i < TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 586 profile->config[i] = config; 587 else if (config != TOMOYO_CONFIG_USE_DEFAULT) 588 profile->default_config = config; 589 return 0; 590} 591 592/** 593 * tomoyo_write_profile - Write profile table. 594 * 595 * @head: Pointer to "struct tomoyo_io_buffer". 596 * 597 * Returns 0 on success, negative value otherwise. 598 */ 599static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 600{ 601 char *data = head->write_buf; 602 unsigned int i; 603 char *cp; 604 struct tomoyo_profile *profile; 605 if (sscanf(data, "PROFILE_VERSION=%u", &head->w.ns->profile_version) 606 == 1) 607 return 0; 608 i = simple_strtoul(data, &cp, 10); 609 if (*cp != '-') 610 return -EINVAL; 611 data = cp + 1; 612 profile = tomoyo_assign_profile(head->w.ns, i); 613 if (!profile) 614 return -EINVAL; 615 cp = strchr(data, '='); 616 if (!cp) 617 return -EINVAL; 618 *cp++ = '\0'; 619 if (!strcmp(data, "COMMENT")) { 620 static DEFINE_SPINLOCK(lock); 621 const struct tomoyo_path_info *new_comment 622 = tomoyo_get_name(cp); 623 const struct tomoyo_path_info *old_comment; 624 if (!new_comment) 625 return -ENOMEM; 626 spin_lock(&lock); 627 old_comment = profile->comment; 628 profile->comment = new_comment; 629 spin_unlock(&lock); 630 tomoyo_put_name(old_comment); 631 return 0; 632 } 633 if (!strcmp(data, "PREFERENCE")) { 634 for (i = 0; i < TOMOYO_MAX_PREF; i++) 635 tomoyo_set_uint(&profile->pref[i], cp, 636 tomoyo_pref_keywords[i]); 637 return 0; 638 } 639 return tomoyo_set_mode(data, cp, profile); 640} 641 642/** 643 * tomoyo_print_config - Print mode for specified functionality. 644 * 645 * @head: Pointer to "struct tomoyo_io_buffer". 646 * @config: Mode for that functionality. 647 * 648 * Returns nothing. 649 * 650 * Caller prints functionality's name. 651 */ 652static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config) 653{ 654 tomoyo_io_printf(head, "={ mode=%s grant_log=%s reject_log=%s }\n", 655 tomoyo_mode[config & 3], 656 tomoyo_yesno(config & TOMOYO_CONFIG_WANT_GRANT_LOG), 657 tomoyo_yesno(config & TOMOYO_CONFIG_WANT_REJECT_LOG)); 658} 659 660/** 661 * tomoyo_read_profile - Read profile table. 662 * 663 * @head: Pointer to "struct tomoyo_io_buffer". 664 * 665 * Returns nothing. 666 */ 667static void tomoyo_read_profile(struct tomoyo_io_buffer *head) 668{ 669 u8 index; 670 struct tomoyo_policy_namespace *ns = 671 container_of(head->r.ns, typeof(*ns), namespace_list); 672 const struct tomoyo_profile *profile; 673 if (head->r.eof) 674 return; 675 next: 676 index = head->r.index; 677 profile = ns->profile_ptr[index]; 678 switch (head->r.step) { 679 case 0: 680 tomoyo_print_namespace(head); 681 tomoyo_io_printf(head, "PROFILE_VERSION=%u\n", 682 ns->profile_version); 683 head->r.step++; 684 break; 685 case 1: 686 for ( ; head->r.index < TOMOYO_MAX_PROFILES; 687 head->r.index++) 688 if (ns->profile_ptr[head->r.index]) 689 break; 690 if (head->r.index == TOMOYO_MAX_PROFILES) 691 return; 692 head->r.step++; 693 break; 694 case 2: 695 { 696 u8 i; 697 const struct tomoyo_path_info *comment = 698 profile->comment; 699 tomoyo_print_namespace(head); 700 tomoyo_io_printf(head, "%u-COMMENT=", index); 701 tomoyo_set_string(head, comment ? comment->name : ""); 702 tomoyo_set_lf(head); 703 tomoyo_io_printf(head, "%u-PREFERENCE={ ", index); 704 for (i = 0; i < TOMOYO_MAX_PREF; i++) 705 tomoyo_io_printf(head, "%s=%u ", 706 tomoyo_pref_keywords[i], 707 profile->pref[i]); 708 tomoyo_set_string(head, "}\n"); 709 head->r.step++; 710 } 711 break; 712 case 3: 713 { 714 tomoyo_print_namespace(head); 715 tomoyo_io_printf(head, "%u-%s", index, "CONFIG"); 716 tomoyo_print_config(head, profile->default_config); 717 head->r.bit = 0; 718 head->r.step++; 719 } 720 break; 721 case 4: 722 for ( ; head->r.bit < TOMOYO_MAX_MAC_INDEX 723 + TOMOYO_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { 724 const u8 i = head->r.bit; 725 const u8 config = profile->config[i]; 726 if (config == TOMOYO_CONFIG_USE_DEFAULT) 727 continue; 728 tomoyo_print_namespace(head); 729 if (i < TOMOYO_MAX_MAC_INDEX) 730 tomoyo_io_printf(head, "%u-CONFIG::%s::%s", 731 index, 732 tomoyo_category_keywords 733 [tomoyo_index2category[i]], 734 tomoyo_mac_keywords[i]); 735 else 736 tomoyo_io_printf(head, "%u-CONFIG::%s", index, 737 tomoyo_mac_keywords[i]); 738 tomoyo_print_config(head, config); 739 head->r.bit++; 740 break; 741 } 742 if (head->r.bit == TOMOYO_MAX_MAC_INDEX 743 + TOMOYO_MAX_MAC_CATEGORY_INDEX) { 744 head->r.index++; 745 head->r.step = 1; 746 } 747 break; 748 } 749 if (tomoyo_flush(head)) 750 goto next; 751} 752 753static bool tomoyo_same_manager(const struct tomoyo_acl_head *a, 754 const struct tomoyo_acl_head *b) 755{ 756 return container_of(a, struct tomoyo_manager, head)->manager == 757 container_of(b, struct tomoyo_manager, head)->manager; 758} 759 760/** 761 * tomoyo_update_manager_entry - Add a manager entry. 762 * 763 * @manager: The path to manager or the domainnamme. 764 * @is_delete: True if it is a delete request. 765 * 766 * Returns 0 on success, negative value otherwise. 767 * 768 * Caller holds tomoyo_read_lock(). 769 */ 770static int tomoyo_update_manager_entry(const char *manager, 771 const bool is_delete) 772{ 773 struct tomoyo_manager e = { }; 774 struct tomoyo_acl_param param = { 775 /* .ns = &tomoyo_kernel_namespace, */ 776 .is_delete = is_delete, 777 .list = &tomoyo_kernel_namespace. 778 policy_list[TOMOYO_ID_MANAGER], 779 }; 780 int error = is_delete ? -ENOENT : -ENOMEM; 781 if (tomoyo_domain_def(manager)) { 782 if (!tomoyo_correct_domain(manager)) 783 return -EINVAL; 784 e.is_domain = true; 785 } else { 786 if (!tomoyo_correct_path(manager)) 787 return -EINVAL; 788 } 789 e.manager = tomoyo_get_name(manager); 790 if (e.manager) { 791 error = tomoyo_update_policy(&e.head, sizeof(e), ¶m, 792 tomoyo_same_manager); 793 tomoyo_put_name(e.manager); 794 } 795 return error; 796} 797 798/** 799 * tomoyo_write_manager - Write manager policy. 800 * 801 * @head: Pointer to "struct tomoyo_io_buffer". 802 * 803 * Returns 0 on success, negative value otherwise. 804 * 805 * Caller holds tomoyo_read_lock(). 806 */ 807static int tomoyo_write_manager(struct tomoyo_io_buffer *head) 808{ 809 char *data = head->write_buf; 810 811 if (!strcmp(data, "manage_by_non_root")) { 812 tomoyo_manage_by_non_root = !head->w.is_delete; 813 return 0; 814 } 815 return tomoyo_update_manager_entry(data, head->w.is_delete); 816} 817 818/** 819 * tomoyo_read_manager - Read manager policy. 820 * 821 * @head: Pointer to "struct tomoyo_io_buffer". 822 * 823 * Caller holds tomoyo_read_lock(). 824 */ 825static void tomoyo_read_manager(struct tomoyo_io_buffer *head) 826{ 827 if (head->r.eof) 828 return; 829 list_for_each_cookie(head->r.acl, &tomoyo_kernel_namespace. 830 policy_list[TOMOYO_ID_MANAGER]) { 831 struct tomoyo_manager *ptr = 832 list_entry(head->r.acl, typeof(*ptr), head.list); 833 if (ptr->head.is_deleted) 834 continue; 835 if (!tomoyo_flush(head)) 836 return; 837 tomoyo_set_string(head, ptr->manager->name); 838 tomoyo_set_lf(head); 839 } 840 head->r.eof = true; 841} 842 843/** 844 * tomoyo_manager - Check whether the current process is a policy manager. 845 * 846 * Returns true if the current process is permitted to modify policy 847 * via /sys/kernel/security/tomoyo/ interface. 848 * 849 * Caller holds tomoyo_read_lock(). 850 */ 851static bool tomoyo_manager(void) 852{ 853 struct tomoyo_manager *ptr; 854 const char *exe; 855 const struct task_struct *task = current; 856 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 857 bool found = false; 858 859 if (!tomoyo_policy_loaded) 860 return true; 861 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) 862 return false; 863 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace. 864 policy_list[TOMOYO_ID_MANAGER], head.list) { 865 if (!ptr->head.is_deleted && ptr->is_domain 866 && !tomoyo_pathcmp(domainname, ptr->manager)) { 867 found = true; 868 break; 869 } 870 } 871 if (found) 872 return true; 873 exe = tomoyo_get_exe(); 874 if (!exe) 875 return false; 876 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace. 877 policy_list[TOMOYO_ID_MANAGER], head.list) { 878 if (!ptr->head.is_deleted && !ptr->is_domain 879 && !strcmp(exe, ptr->manager->name)) { 880 found = true; 881 break; 882 } 883 } 884 if (!found) { /* Reduce error messages. */ 885 static pid_t last_pid; 886 const pid_t pid = current->pid; 887 if (last_pid != pid) { 888 printk(KERN_WARNING "%s ( %s ) is not permitted to " 889 "update policies.\n", domainname->name, exe); 890 last_pid = pid; 891 } 892 } 893 kfree(exe); 894 return found; 895} 896 897/** 898 * tomoyo_select_domain - Parse select command. 899 * 900 * @head: Pointer to "struct tomoyo_io_buffer". 901 * @data: String to parse. 902 * 903 * Returns true on success, false otherwise. 904 * 905 * Caller holds tomoyo_read_lock(). 906 */ 907static bool tomoyo_select_domain(struct tomoyo_io_buffer *head, 908 const char *data) 909{ 910 unsigned int pid; 911 struct tomoyo_domain_info *domain = NULL; 912 bool global_pid = false; 913 if (strncmp(data, "select ", 7)) 914 return false; 915 data += 7; 916 if (sscanf(data, "pid=%u", &pid) == 1 || 917 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { 918 struct task_struct *p; 919 rcu_read_lock(); 920 read_lock(&tasklist_lock); 921 if (global_pid) 922 p = find_task_by_pid_ns(pid, &init_pid_ns); 923 else 924 p = find_task_by_vpid(pid); 925 if (p) 926 domain = tomoyo_real_domain(p); 927 read_unlock(&tasklist_lock); 928 rcu_read_unlock(); 929 } else if (!strncmp(data, "domain=", 7)) { 930 if (tomoyo_domain_def(data + 7)) 931 domain = tomoyo_find_domain(data + 7); 932 } else 933 return false; 934 head->w.domain = domain; 935 /* Accessing read_buf is safe because head->io_sem is held. */ 936 if (!head->read_buf) 937 return true; /* Do nothing if open(O_WRONLY). */ 938 memset(&head->r, 0, sizeof(head->r)); 939 head->r.print_this_domain_only = true; 940 if (domain) 941 head->r.domain = &domain->list; 942 else 943 head->r.eof = 1; 944 tomoyo_io_printf(head, "# select %s\n", data); 945 if (domain && domain->is_deleted) 946 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 947 return true; 948} 949 950/** 951 * tomoyo_delete_domain - Delete a domain. 952 * 953 * @domainname: The name of domain. 954 * 955 * Returns 0. 956 * 957 * Caller holds tomoyo_read_lock(). 958 */ 959static int tomoyo_delete_domain(char *domainname) 960{ 961 struct tomoyo_domain_info *domain; 962 struct tomoyo_path_info name; 963 964 name.name = domainname; 965 tomoyo_fill_path_info(&name); 966 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 967 return 0; 968 /* Is there an active domain? */ 969 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 970 /* Never delete tomoyo_kernel_domain */ 971 if (domain == &tomoyo_kernel_domain) 972 continue; 973 if (domain->is_deleted || 974 tomoyo_pathcmp(domain->domainname, &name)) 975 continue; 976 domain->is_deleted = true; 977 break; 978 } 979 mutex_unlock(&tomoyo_policy_lock); 980 return 0; 981} 982 983/** 984 * tomoyo_write_domain2 - Write domain policy. 985 * 986 * @ns: Pointer to "struct tomoyo_policy_namespace". 987 * @list: Pointer to "struct list_head". 988 * @data: Policy to be interpreted. 989 * @is_delete: True if it is a delete request. 990 * 991 * Returns 0 on success, negative value otherwise. 992 * 993 * Caller holds tomoyo_read_lock(). 994 */ 995static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns, 996 struct list_head *list, char *data, 997 const bool is_delete) 998{ 999 struct tomoyo_acl_param param = { 1000 .ns = ns, 1001 .list = list, 1002 .data = data, 1003 .is_delete = is_delete, 1004 }; 1005 static const struct { 1006 const char *keyword; 1007 int (*write) (struct tomoyo_acl_param *); 1008 } tomoyo_callback[1] = { 1009 { "file ", tomoyo_write_file }, 1010 }; 1011 u8 i; 1012 for (i = 0; i < 1; i++) { 1013 if (!tomoyo_str_starts(¶m.data, 1014 tomoyo_callback[i].keyword)) 1015 continue; 1016 return tomoyo_callback[i].write(¶m); 1017 } 1018 return -EINVAL; 1019} 1020 1021/* String table for domain flags. */ 1022const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS] = { 1023 [TOMOYO_DIF_QUOTA_WARNED] = "quota_exceeded\n", 1024 [TOMOYO_DIF_TRANSITION_FAILED] = "transition_failed\n", 1025}; 1026 1027/** 1028 * tomoyo_write_domain - Write domain policy. 1029 * 1030 * @head: Pointer to "struct tomoyo_io_buffer". 1031 * 1032 * Returns 0 on success, negative value otherwise. 1033 * 1034 * Caller holds tomoyo_read_lock(). 1035 */ 1036static int tomoyo_write_domain(struct tomoyo_io_buffer *head) 1037{ 1038 char *data = head->write_buf; 1039 struct tomoyo_policy_namespace *ns; 1040 struct tomoyo_domain_info *domain = head->w.domain; 1041 const bool is_delete = head->w.is_delete; 1042 bool is_select = !is_delete && tomoyo_str_starts(&data, "select "); 1043 unsigned int profile; 1044 if (*data == '<') { 1045 domain = NULL; 1046 if (is_delete) 1047 tomoyo_delete_domain(data); 1048 else if (is_select) 1049 domain = tomoyo_find_domain(data); 1050 else 1051 domain = tomoyo_assign_domain(data, false); 1052 head->w.domain = domain; 1053 return 0; 1054 } 1055 if (!domain) 1056 return -EINVAL; 1057 ns = domain->ns; 1058 if (sscanf(data, "use_profile %u", &profile) == 1 1059 && profile < TOMOYO_MAX_PROFILES) { 1060 if (!tomoyo_policy_loaded || ns->profile_ptr[profile]) 1061 domain->profile = (u8) profile; 1062 return 0; 1063 } 1064 if (sscanf(data, "use_group %u\n", &profile) == 1 1065 && profile < TOMOYO_MAX_ACL_GROUPS) { 1066 if (!is_delete) 1067 domain->group = (u8) profile; 1068 return 0; 1069 } 1070 for (profile = 0; profile < TOMOYO_MAX_DOMAIN_INFO_FLAGS; profile++) { 1071 const char *cp = tomoyo_dif[profile]; 1072 if (strncmp(data, cp, strlen(cp) - 1)) 1073 continue; 1074 domain->flags[profile] = !is_delete; 1075 return 0; 1076 } 1077 return tomoyo_write_domain2(ns, &domain->acl_info_list, data, 1078 is_delete); 1079} 1080 1081/** 1082 * tomoyo_print_condition - Print condition part. 1083 * 1084 * @head: Pointer to "struct tomoyo_io_buffer". 1085 * @cond: Pointer to "struct tomoyo_condition". 1086 * 1087 * Returns true on success, false otherwise. 1088 */ 1089static bool tomoyo_print_condition(struct tomoyo_io_buffer *head, 1090 const struct tomoyo_condition *cond) 1091{ 1092 switch (head->r.cond_step) { 1093 case 0: 1094 head->r.cond_index = 0; 1095 head->r.cond_step++; 1096 /* fall through */ 1097 case 1: 1098 { 1099 const u16 condc = cond->condc; 1100 const struct tomoyo_condition_element *condp = 1101 (typeof(condp)) (cond + 1); 1102 const struct tomoyo_number_union *numbers_p = 1103 (typeof(numbers_p)) (condp + condc); 1104 u16 skip; 1105 for (skip = 0; skip < head->r.cond_index; skip++) { 1106 const u8 left = condp->left; 1107 const u8 right = condp->right; 1108 condp++; 1109 switch (left) { 1110 case TOMOYO_NUMBER_UNION: 1111 numbers_p++; 1112 break; 1113 } 1114 switch (right) { 1115 case TOMOYO_NUMBER_UNION: 1116 numbers_p++; 1117 break; 1118 } 1119 } 1120 while (head->r.cond_index < condc) { 1121 const u8 match = condp->equals; 1122 const u8 left = condp->left; 1123 const u8 right = condp->right; 1124 if (!tomoyo_flush(head)) 1125 return false; 1126 condp++; 1127 head->r.cond_index++; 1128 tomoyo_set_space(head); 1129 switch (left) { 1130 case TOMOYO_NUMBER_UNION: 1131 tomoyo_print_number_union_nospace 1132 (head, numbers_p++); 1133 break; 1134 default: 1135 tomoyo_set_string(head, 1136 tomoyo_condition_keyword[left]); 1137 break; 1138 } 1139 tomoyo_set_string(head, match ? "=" : "!="); 1140 switch (right) { 1141 case TOMOYO_NUMBER_UNION: 1142 tomoyo_print_number_union_nospace 1143 (head, numbers_p++); 1144 break; 1145 default: 1146 tomoyo_set_string(head, 1147 tomoyo_condition_keyword[right]); 1148 break; 1149 } 1150 } 1151 } 1152 head->r.cond_step++; 1153 /* fall through */ 1154 case 2: 1155 if (!tomoyo_flush(head)) 1156 break; 1157 head->r.cond_step++; 1158 /* fall through */ 1159 case 3: 1160 tomoyo_set_lf(head); 1161 return true; 1162 } 1163 return false; 1164} 1165 1166/** 1167 * tomoyo_set_group - Print "acl_group " header keyword and category name. 1168 * 1169 * @head: Pointer to "struct tomoyo_io_buffer". 1170 * @category: Category name. 1171 * 1172 * Returns nothing. 1173 */ 1174static void tomoyo_set_group(struct tomoyo_io_buffer *head, 1175 const char *category) 1176{ 1177 if (head->type == TOMOYO_EXCEPTIONPOLICY) { 1178 tomoyo_print_namespace(head); 1179 tomoyo_io_printf(head, "acl_group %u ", 1180 head->r.acl_group_index); 1181 } 1182 tomoyo_set_string(head, category); 1183} 1184 1185/** 1186 * tomoyo_print_entry - Print an ACL entry. 1187 * 1188 * @head: Pointer to "struct tomoyo_io_buffer". 1189 * @acl: Pointer to an ACL entry. 1190 * 1191 * Returns true on success, false otherwise. 1192 */ 1193static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 1194 struct tomoyo_acl_info *acl) 1195{ 1196 const u8 acl_type = acl->type; 1197 bool first = true; 1198 u8 bit; 1199 1200 if (head->r.print_cond_part) 1201 goto print_cond_part; 1202 if (acl->is_deleted) 1203 return true; 1204 if (!tomoyo_flush(head)) 1205 return false; 1206 else if (acl_type == TOMOYO_TYPE_PATH_ACL) { 1207 struct tomoyo_path_acl *ptr = 1208 container_of(acl, typeof(*ptr), head); 1209 const u16 perm = ptr->perm; 1210 for (bit = 0; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 1211 if (!(perm & (1 << bit))) 1212 continue; 1213 if (head->r.print_transition_related_only && 1214 bit != TOMOYO_TYPE_EXECUTE) 1215 continue; 1216 if (first) { 1217 tomoyo_set_group(head, "file "); 1218 first = false; 1219 } else { 1220 tomoyo_set_slash(head); 1221 } 1222 tomoyo_set_string(head, tomoyo_path_keyword[bit]); 1223 } 1224 if (first) 1225 return true; 1226 tomoyo_print_name_union(head, &ptr->name); 1227 } else if (head->r.print_transition_related_only) { 1228 return true; 1229 } else if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 1230 struct tomoyo_path2_acl *ptr = 1231 container_of(acl, typeof(*ptr), head); 1232 const u8 perm = ptr->perm; 1233 for (bit = 0; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { 1234 if (!(perm & (1 << bit))) 1235 continue; 1236 if (first) { 1237 tomoyo_set_group(head, "file "); 1238 first = false; 1239 } else { 1240 tomoyo_set_slash(head); 1241 } 1242 tomoyo_set_string(head, tomoyo_mac_keywords 1243 [tomoyo_pp2mac[bit]]); 1244 } 1245 if (first) 1246 return true; 1247 tomoyo_print_name_union(head, &ptr->name1); 1248 tomoyo_print_name_union(head, &ptr->name2); 1249 } else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { 1250 struct tomoyo_path_number_acl *ptr = 1251 container_of(acl, typeof(*ptr), head); 1252 const u8 perm = ptr->perm; 1253 for (bit = 0; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; bit++) { 1254 if (!(perm & (1 << bit))) 1255 continue; 1256 if (first) { 1257 tomoyo_set_group(head, "file "); 1258 first = false; 1259 } else { 1260 tomoyo_set_slash(head); 1261 } 1262 tomoyo_set_string(head, tomoyo_mac_keywords 1263 [tomoyo_pn2mac[bit]]); 1264 } 1265 if (first) 1266 return true; 1267 tomoyo_print_name_union(head, &ptr->name); 1268 tomoyo_print_number_union(head, &ptr->number); 1269 } else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) { 1270 struct tomoyo_mkdev_acl *ptr = 1271 container_of(acl, typeof(*ptr), head); 1272 const u8 perm = ptr->perm; 1273 for (bit = 0; bit < TOMOYO_MAX_MKDEV_OPERATION; bit++) { 1274 if (!(perm & (1 << bit))) 1275 continue; 1276 if (first) { 1277 tomoyo_set_group(head, "file "); 1278 first = false; 1279 } else { 1280 tomoyo_set_slash(head); 1281 } 1282 tomoyo_set_string(head, tomoyo_mac_keywords 1283 [tomoyo_pnnn2mac[bit]]); 1284 } 1285 if (first) 1286 return true; 1287 tomoyo_print_name_union(head, &ptr->name); 1288 tomoyo_print_number_union(head, &ptr->mode); 1289 tomoyo_print_number_union(head, &ptr->major); 1290 tomoyo_print_number_union(head, &ptr->minor); 1291 } else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { 1292 struct tomoyo_mount_acl *ptr = 1293 container_of(acl, typeof(*ptr), head); 1294 tomoyo_set_group(head, "file mount"); 1295 tomoyo_print_name_union(head, &ptr->dev_name); 1296 tomoyo_print_name_union(head, &ptr->dir_name); 1297 tomoyo_print_name_union(head, &ptr->fs_type); 1298 tomoyo_print_number_union(head, &ptr->flags); 1299 } 1300 if (acl->cond) { 1301 head->r.print_cond_part = true; 1302 head->r.cond_step = 0; 1303 if (!tomoyo_flush(head)) 1304 return false; 1305print_cond_part: 1306 if (!tomoyo_print_condition(head, acl->cond)) 1307 return false; 1308 head->r.print_cond_part = false; 1309 } else { 1310 tomoyo_set_lf(head); 1311 } 1312 return true; 1313} 1314 1315/** 1316 * tomoyo_read_domain2 - Read domain policy. 1317 * 1318 * @head: Pointer to "struct tomoyo_io_buffer". 1319 * @list: Pointer to "struct list_head". 1320 * 1321 * Caller holds tomoyo_read_lock(). 1322 * 1323 * Returns true on success, false otherwise. 1324 */ 1325static bool tomoyo_read_domain2(struct tomoyo_io_buffer *head, 1326 struct list_head *list) 1327{ 1328 list_for_each_cookie(head->r.acl, list) { 1329 struct tomoyo_acl_info *ptr = 1330 list_entry(head->r.acl, typeof(*ptr), list); 1331 if (!tomoyo_print_entry(head, ptr)) 1332 return false; 1333 } 1334 head->r.acl = NULL; 1335 return true; 1336} 1337 1338/** 1339 * tomoyo_read_domain - Read domain policy. 1340 * 1341 * @head: Pointer to "struct tomoyo_io_buffer". 1342 * 1343 * Caller holds tomoyo_read_lock(). 1344 */ 1345static void tomoyo_read_domain(struct tomoyo_io_buffer *head) 1346{ 1347 if (head->r.eof) 1348 return; 1349 list_for_each_cookie(head->r.domain, &tomoyo_domain_list) { 1350 struct tomoyo_domain_info *domain = 1351 list_entry(head->r.domain, typeof(*domain), list); 1352 switch (head->r.step) { 1353 u8 i; 1354 case 0: 1355 if (domain->is_deleted && 1356 !head->r.print_this_domain_only) 1357 continue; 1358 /* Print domainname and flags. */ 1359 tomoyo_set_string(head, domain->domainname->name); 1360 tomoyo_set_lf(head); 1361 tomoyo_io_printf(head, "use_profile %u\n", 1362 domain->profile); 1363 tomoyo_io_printf(head, "use_group %u\n", 1364 domain->group); 1365 for (i = 0; i < TOMOYO_MAX_DOMAIN_INFO_FLAGS; i++) 1366 if (domain->flags[i]) 1367 tomoyo_set_string(head, tomoyo_dif[i]); 1368 head->r.step++; 1369 tomoyo_set_lf(head); 1370 /* fall through */ 1371 case 1: 1372 if (!tomoyo_read_domain2(head, &domain->acl_info_list)) 1373 return; 1374 head->r.step++; 1375 if (!tomoyo_set_lf(head)) 1376 return; 1377 /* fall through */ 1378 case 2: 1379 head->r.step = 0; 1380 if (head->r.print_this_domain_only) 1381 goto done; 1382 } 1383 } 1384 done: 1385 head->r.eof = true; 1386} 1387 1388/** 1389 * tomoyo_write_pid: Specify PID to obtain domainname. 1390 * 1391 * @head: Pointer to "struct tomoyo_io_buffer". 1392 * 1393 * Returns 0. 1394 */ 1395static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1396{ 1397 head->r.eof = false; 1398 return 0; 1399} 1400 1401/** 1402 * tomoyo_read_pid - Get domainname of the specified PID. 1403 * 1404 * @head: Pointer to "struct tomoyo_io_buffer". 1405 * 1406 * Returns the domainname which the specified PID is in on success, 1407 * empty string otherwise. 1408 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1409 * using read()/write() interface rather than sysctl() interface. 1410 */ 1411static void tomoyo_read_pid(struct tomoyo_io_buffer *head) 1412{ 1413 char *buf = head->write_buf; 1414 bool global_pid = false; 1415 unsigned int pid; 1416 struct task_struct *p; 1417 struct tomoyo_domain_info *domain = NULL; 1418 1419 /* Accessing write_buf is safe because head->io_sem is held. */ 1420 if (!buf) { 1421 head->r.eof = true; 1422 return; /* Do nothing if open(O_RDONLY). */ 1423 } 1424 if (head->r.w_pos || head->r.eof) 1425 return; 1426 head->r.eof = true; 1427 if (tomoyo_str_starts(&buf, "global-pid ")) 1428 global_pid = true; 1429 pid = (unsigned int) simple_strtoul(buf, NULL, 10); 1430 rcu_read_lock(); 1431 read_lock(&tasklist_lock); 1432 if (global_pid) 1433 p = find_task_by_pid_ns(pid, &init_pid_ns); 1434 else 1435 p = find_task_by_vpid(pid); 1436 if (p) 1437 domain = tomoyo_real_domain(p); 1438 read_unlock(&tasklist_lock); 1439 rcu_read_unlock(); 1440 if (!domain) 1441 return; 1442 tomoyo_io_printf(head, "%u %u ", pid, domain->profile); 1443 tomoyo_set_string(head, domain->domainname->name); 1444} 1445 1446static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = { 1447 [TOMOYO_TRANSITION_CONTROL_NO_RESET] = "no_reset_domain ", 1448 [TOMOYO_TRANSITION_CONTROL_RESET] = "reset_domain ", 1449 [TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ", 1450 [TOMOYO_TRANSITION_CONTROL_INITIALIZE] = "initialize_domain ", 1451 [TOMOYO_TRANSITION_CONTROL_NO_KEEP] = "no_keep_domain ", 1452 [TOMOYO_TRANSITION_CONTROL_KEEP] = "keep_domain ", 1453}; 1454 1455static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = { 1456 [TOMOYO_PATH_GROUP] = "path_group ", 1457 [TOMOYO_NUMBER_GROUP] = "number_group ", 1458}; 1459 1460/** 1461 * tomoyo_write_exception - Write exception policy. 1462 * 1463 * @head: Pointer to "struct tomoyo_io_buffer". 1464 * 1465 * Returns 0 on success, negative value otherwise. 1466 * 1467 * Caller holds tomoyo_read_lock(). 1468 */ 1469static int tomoyo_write_exception(struct tomoyo_io_buffer *head) 1470{ 1471 const bool is_delete = head->w.is_delete; 1472 struct tomoyo_acl_param param = { 1473 .ns = head->w.ns, 1474 .is_delete = is_delete, 1475 .data = head->write_buf, 1476 }; 1477 u8 i; 1478 if (tomoyo_str_starts(¶m.data, "aggregator ")) 1479 return tomoyo_write_aggregator(¶m); 1480 for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++) 1481 if (tomoyo_str_starts(¶m.data, tomoyo_transition_type[i])) 1482 return tomoyo_write_transition_control(¶m, i); 1483 for (i = 0; i < TOMOYO_MAX_GROUP; i++) 1484 if (tomoyo_str_starts(¶m.data, tomoyo_group_name[i])) 1485 return tomoyo_write_group(¶m, i); 1486 if (tomoyo_str_starts(¶m.data, "acl_group ")) { 1487 unsigned int group; 1488 char *data; 1489 group = simple_strtoul(param.data, &data, 10); 1490 if (group < TOMOYO_MAX_ACL_GROUPS && *data++ == ' ') 1491 return tomoyo_write_domain2 1492 (head->w.ns, &head->w.ns->acl_group[group], 1493 data, is_delete); 1494 } 1495 return -EINVAL; 1496} 1497 1498/** 1499 * tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group" list. 1500 * 1501 * @head: Pointer to "struct tomoyo_io_buffer". 1502 * @idx: Index number. 1503 * 1504 * Returns true on success, false otherwise. 1505 * 1506 * Caller holds tomoyo_read_lock(). 1507 */ 1508static bool tomoyo_read_group(struct tomoyo_io_buffer *head, const int idx) 1509{ 1510 struct tomoyo_policy_namespace *ns = 1511 container_of(head->r.ns, typeof(*ns), namespace_list); 1512 struct list_head *list = &ns->group_list[idx]; 1513 list_for_each_cookie(head->r.group, list) { 1514 struct tomoyo_group *group = 1515 list_entry(head->r.group, typeof(*group), head.list); 1516 list_for_each_cookie(head->r.acl, &group->member_list) { 1517 struct tomoyo_acl_head *ptr = 1518 list_entry(head->r.acl, typeof(*ptr), list); 1519 if (ptr->is_deleted) 1520 continue; 1521 if (!tomoyo_flush(head)) 1522 return false; 1523 tomoyo_print_namespace(head); 1524 tomoyo_set_string(head, tomoyo_group_name[idx]); 1525 tomoyo_set_string(head, group->group_name->name); 1526 if (idx == TOMOYO_PATH_GROUP) { 1527 tomoyo_set_space(head); 1528 tomoyo_set_string(head, container_of 1529 (ptr, struct tomoyo_path_group, 1530 head)->member_name->name); 1531 } else if (idx == TOMOYO_NUMBER_GROUP) { 1532 tomoyo_print_number_union(head, &container_of 1533 (ptr, 1534 struct tomoyo_number_group, 1535 head)->number); 1536 } 1537 tomoyo_set_lf(head); 1538 } 1539 head->r.acl = NULL; 1540 } 1541 head->r.group = NULL; 1542 return true; 1543} 1544 1545/** 1546 * tomoyo_read_policy - Read "struct tomoyo_..._entry" list. 1547 * 1548 * @head: Pointer to "struct tomoyo_io_buffer". 1549 * @idx: Index number. 1550 * 1551 * Returns true on success, false otherwise. 1552 * 1553 * Caller holds tomoyo_read_lock(). 1554 */ 1555static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) 1556{ 1557 struct tomoyo_policy_namespace *ns = 1558 container_of(head->r.ns, typeof(*ns), namespace_list); 1559 struct list_head *list = &ns->policy_list[idx]; 1560 list_for_each_cookie(head->r.acl, list) { 1561 struct tomoyo_acl_head *acl = 1562 container_of(head->r.acl, typeof(*acl), list); 1563 if (acl->is_deleted) 1564 continue; 1565 if (!tomoyo_flush(head)) 1566 return false; 1567 switch (idx) { 1568 case TOMOYO_ID_TRANSITION_CONTROL: 1569 { 1570 struct tomoyo_transition_control *ptr = 1571 container_of(acl, typeof(*ptr), head); 1572 tomoyo_print_namespace(head); 1573 tomoyo_set_string(head, tomoyo_transition_type 1574 [ptr->type]); 1575 tomoyo_set_string(head, ptr->program ? 1576 ptr->program->name : "any"); 1577 tomoyo_set_string(head, " from "); 1578 tomoyo_set_string(head, ptr->domainname ? 1579 ptr->domainname->name : 1580 "any"); 1581 } 1582 break; 1583 case TOMOYO_ID_AGGREGATOR: 1584 { 1585 struct tomoyo_aggregator *ptr = 1586 container_of(acl, typeof(*ptr), head); 1587 tomoyo_print_namespace(head); 1588 tomoyo_set_string(head, "aggregator "); 1589 tomoyo_set_string(head, 1590 ptr->original_name->name); 1591 tomoyo_set_space(head); 1592 tomoyo_set_string(head, 1593 ptr->aggregated_name->name); 1594 } 1595 break; 1596 default: 1597 continue; 1598 } 1599 tomoyo_set_lf(head); 1600 } 1601 head->r.acl = NULL; 1602 return true; 1603} 1604 1605/** 1606 * tomoyo_read_exception - Read exception policy. 1607 * 1608 * @head: Pointer to "struct tomoyo_io_buffer". 1609 * 1610 * Caller holds tomoyo_read_lock(). 1611 */ 1612static void tomoyo_read_exception(struct tomoyo_io_buffer *head) 1613{ 1614 struct tomoyo_policy_namespace *ns = 1615 container_of(head->r.ns, typeof(*ns), namespace_list); 1616 if (head->r.eof) 1617 return; 1618 while (head->r.step < TOMOYO_MAX_POLICY && 1619 tomoyo_read_policy(head, head->r.step)) 1620 head->r.step++; 1621 if (head->r.step < TOMOYO_MAX_POLICY) 1622 return; 1623 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP && 1624 tomoyo_read_group(head, head->r.step - TOMOYO_MAX_POLICY)) 1625 head->r.step++; 1626 if (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP) 1627 return; 1628 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP 1629 + TOMOYO_MAX_ACL_GROUPS) { 1630 head->r.acl_group_index = head->r.step - TOMOYO_MAX_POLICY 1631 - TOMOYO_MAX_GROUP; 1632 if (!tomoyo_read_domain2(head, &ns->acl_group 1633 [head->r.acl_group_index])) 1634 return; 1635 head->r.step++; 1636 } 1637 head->r.eof = true; 1638} 1639 1640/* Wait queue for kernel -> userspace notification. */ 1641static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait); 1642/* Wait queue for userspace -> kernel notification. */ 1643static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait); 1644 1645/* Structure for query. */ 1646struct tomoyo_query { 1647 struct list_head list; 1648 char *query; 1649 size_t query_len; 1650 unsigned int serial; 1651 u8 timer; 1652 u8 answer; 1653 u8 retry; 1654}; 1655 1656/* The list for "struct tomoyo_query". */ 1657static LIST_HEAD(tomoyo_query_list); 1658 1659/* Lock for manipulating tomoyo_query_list. */ 1660static DEFINE_SPINLOCK(tomoyo_query_list_lock); 1661 1662/* 1663 * Number of "struct file" referring /sys/kernel/security/tomoyo/query 1664 * interface. 1665 */ 1666static atomic_t tomoyo_query_observers = ATOMIC_INIT(0); 1667 1668/** 1669 * tomoyo_add_entry - Add an ACL to current thread's domain. Used by learning mode. 1670 * 1671 * @domain: Pointer to "struct tomoyo_domain_info". 1672 * @header: Lines containing ACL. 1673 * 1674 * Returns nothing. 1675 */ 1676static void tomoyo_add_entry(struct tomoyo_domain_info *domain, char *header) 1677{ 1678 char *buffer; 1679 char *cp = strchr(header, '\n'); 1680 int len; 1681 if (!cp) 1682 return; 1683 cp = strchr(cp + 1, '\n'); 1684 if (!cp) 1685 return; 1686 *cp++ = '\0'; 1687 len = strlen(cp) + 1; 1688 buffer = kmalloc(len, GFP_NOFS); 1689 if (!buffer) 1690 return; 1691 snprintf(buffer, len - 1, "%s", cp); 1692 tomoyo_normalize_line(buffer); 1693 if (!tomoyo_write_domain2(domain->ns, &domain->acl_info_list, buffer, 1694 false)) 1695 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 1696 kfree(buffer); 1697} 1698 1699/** 1700 * tomoyo_supervisor - Ask for the supervisor's decision. 1701 * 1702 * @r: Pointer to "struct tomoyo_request_info". 1703 * @fmt: The printf()'s format string, followed by parameters. 1704 * 1705 * Returns 0 if the supervisor decided to permit the access request which 1706 * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the 1707 * supervisor decided to retry the access request which violated the policy in 1708 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise. 1709 */ 1710int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 1711{ 1712 va_list args; 1713 int error; 1714 int len; 1715 static unsigned int tomoyo_serial; 1716 struct tomoyo_query entry = { }; 1717 bool quota_exceeded = false; 1718 va_start(args, fmt); 1719 len = vsnprintf((char *) &len, 1, fmt, args) + 1; 1720 va_end(args); 1721 /* Write /sys/kernel/security/tomoyo/audit. */ 1722 va_start(args, fmt); 1723 tomoyo_write_log2(r, len, fmt, args); 1724 va_end(args); 1725 /* Nothing more to do if granted. */ 1726 if (r->granted) 1727 return 0; 1728 if (r->mode) 1729 tomoyo_update_stat(r->mode); 1730 switch (r->mode) { 1731 case TOMOYO_CONFIG_ENFORCING: 1732 error = -EPERM; 1733 if (atomic_read(&tomoyo_query_observers)) 1734 break; 1735 goto out; 1736 case TOMOYO_CONFIG_LEARNING: 1737 error = 0; 1738 /* Check max_learning_entry parameter. */ 1739 if (tomoyo_domain_quota_is_ok(r)) 1740 break; 1741 /* fall through */ 1742 default: 1743 return 0; 1744 } 1745 /* Get message. */ 1746 va_start(args, fmt); 1747 entry.query = tomoyo_init_log(r, len, fmt, args); 1748 va_end(args); 1749 if (!entry.query) 1750 goto out; 1751 entry.query_len = strlen(entry.query) + 1; 1752 if (!error) { 1753 tomoyo_add_entry(r->domain, entry.query); 1754 goto out; 1755 } 1756 len = tomoyo_round2(entry.query_len); 1757 spin_lock(&tomoyo_query_list_lock); 1758 if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] && 1759 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len 1760 >= tomoyo_memory_quota[TOMOYO_MEMORY_QUERY]) { 1761 quota_exceeded = true; 1762 } else { 1763 entry.serial = tomoyo_serial++; 1764 entry.retry = r->retry; 1765 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] += len; 1766 list_add_tail(&entry.list, &tomoyo_query_list); 1767 } 1768 spin_unlock(&tomoyo_query_list_lock); 1769 if (quota_exceeded) 1770 goto out; 1771 /* Give 10 seconds for supervisor's opinion. */ 1772 while (entry.timer < 10) { 1773 wake_up_all(&tomoyo_query_wait); 1774 if (wait_event_interruptible_timeout 1775 (tomoyo_answer_wait, entry.answer || 1776 !atomic_read(&tomoyo_query_observers), HZ)) 1777 break; 1778 else 1779 entry.timer++; 1780 } 1781 spin_lock(&tomoyo_query_list_lock); 1782 list_del(&entry.list); 1783 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] -= len; 1784 spin_unlock(&tomoyo_query_list_lock); 1785 switch (entry.answer) { 1786 case 3: /* Asked to retry by administrator. */ 1787 error = TOMOYO_RETRY_REQUEST; 1788 r->retry++; 1789 break; 1790 case 1: 1791 /* Granted by administrator. */ 1792 error = 0; 1793 break; 1794 default: 1795 /* Timed out or rejected by administrator. */ 1796 break; 1797 } 1798out: 1799 kfree(entry.query); 1800 return error; 1801} 1802 1803/** 1804 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query. 1805 * 1806 * @file: Pointer to "struct file". 1807 * @wait: Pointer to "poll_table". 1808 * 1809 * Returns POLLIN | POLLRDNORM when ready to read, 0 otherwise. 1810 * 1811 * Waits for access requests which violated policy in enforcing mode. 1812 */ 1813static int tomoyo_poll_query(struct file *file, poll_table *wait) 1814{ 1815 struct list_head *tmp; 1816 bool found = false; 1817 u8 i; 1818 for (i = 0; i < 2; i++) { 1819 spin_lock(&tomoyo_query_list_lock); 1820 list_for_each(tmp, &tomoyo_query_list) { 1821 struct tomoyo_query *ptr = 1822 list_entry(tmp, typeof(*ptr), list); 1823 if (ptr->answer) 1824 continue; 1825 found = true; 1826 break; 1827 } 1828 spin_unlock(&tomoyo_query_list_lock); 1829 if (found) 1830 return POLLIN | POLLRDNORM; 1831 if (i) 1832 break; 1833 poll_wait(file, &tomoyo_query_wait, wait); 1834 } 1835 return 0; 1836} 1837 1838/** 1839 * tomoyo_read_query - Read access requests which violated policy in enforcing mode. 1840 * 1841 * @head: Pointer to "struct tomoyo_io_buffer". 1842 */ 1843static void tomoyo_read_query(struct tomoyo_io_buffer *head) 1844{ 1845 struct list_head *tmp; 1846 unsigned int pos = 0; 1847 size_t len = 0; 1848 char *buf; 1849 if (head->r.w_pos) 1850 return; 1851 if (head->read_buf) { 1852 kfree(head->read_buf); 1853 head->read_buf = NULL; 1854 } 1855 spin_lock(&tomoyo_query_list_lock); 1856 list_for_each(tmp, &tomoyo_query_list) { 1857 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1858 if (ptr->answer) 1859 continue; 1860 if (pos++ != head->r.query_index) 1861 continue; 1862 len = ptr->query_len; 1863 break; 1864 } 1865 spin_unlock(&tomoyo_query_list_lock); 1866 if (!len) { 1867 head->r.query_index = 0; 1868 return; 1869 } 1870 buf = kzalloc(len + 32, GFP_NOFS); 1871 if (!buf) 1872 return; 1873 pos = 0; 1874 spin_lock(&tomoyo_query_list_lock); 1875 list_for_each(tmp, &tomoyo_query_list) { 1876 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1877 if (ptr->answer) 1878 continue; 1879 if (pos++ != head->r.query_index) 1880 continue; 1881 /* 1882 * Some query can be skipped because tomoyo_query_list 1883 * can change, but I don't care. 1884 */ 1885 if (len == ptr->query_len) 1886 snprintf(buf, len + 31, "Q%u-%hu\n%s", ptr->serial, 1887 ptr->retry, ptr->query); 1888 break; 1889 } 1890 spin_unlock(&tomoyo_query_list_lock); 1891 if (buf[0]) { 1892 head->read_buf = buf; 1893 head->r.w[head->r.w_pos++] = buf; 1894 head->r.query_index++; 1895 } else { 1896 kfree(buf); 1897 } 1898} 1899 1900/** 1901 * tomoyo_write_answer - Write the supervisor's decision. 1902 * 1903 * @head: Pointer to "struct tomoyo_io_buffer". 1904 * 1905 * Returns 0 on success, -EINVAL otherwise. 1906 */ 1907static int tomoyo_write_answer(struct tomoyo_io_buffer *head) 1908{ 1909 char *data = head->write_buf; 1910 struct list_head *tmp; 1911 unsigned int serial; 1912 unsigned int answer; 1913 spin_lock(&tomoyo_query_list_lock); 1914 list_for_each(tmp, &tomoyo_query_list) { 1915 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1916 ptr->timer = 0; 1917 } 1918 spin_unlock(&tomoyo_query_list_lock); 1919 if (sscanf(data, "A%u=%u", &serial, &answer) != 2) 1920 return -EINVAL; 1921 spin_lock(&tomoyo_query_list_lock); 1922 list_for_each(tmp, &tomoyo_query_list) { 1923 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1924 if (ptr->serial != serial) 1925 continue; 1926 if (!ptr->answer) 1927 ptr->answer = answer; 1928 break; 1929 } 1930 spin_unlock(&tomoyo_query_list_lock); 1931 return 0; 1932} 1933 1934/** 1935 * tomoyo_read_version: Get version. 1936 * 1937 * @head: Pointer to "struct tomoyo_io_buffer". 1938 * 1939 * Returns version information. 1940 */ 1941static void tomoyo_read_version(struct tomoyo_io_buffer *head) 1942{ 1943 if (!head->r.eof) { 1944 tomoyo_io_printf(head, "2.4.0"); 1945 head->r.eof = true; 1946 } 1947} 1948 1949/** 1950 * tomoyo_read_self_domain - Get the current process's domainname. 1951 * 1952 * @head: Pointer to "struct tomoyo_io_buffer". 1953 * 1954 * Returns the current process's domainname. 1955 */ 1956static void tomoyo_read_self_domain(struct tomoyo_io_buffer *head) 1957{ 1958 if (!head->r.eof) { 1959 /* 1960 * tomoyo_domain()->domainname != NULL 1961 * because every process belongs to a domain and 1962 * the domain's name cannot be NULL. 1963 */ 1964 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); 1965 head->r.eof = true; 1966 } 1967} 1968 1969/* String table for /sys/kernel/security/tomoyo/stat interface. */ 1970static const char * const tomoyo_policy_headers[TOMOYO_MAX_POLICY_STAT] = { 1971 [TOMOYO_STAT_POLICY_UPDATES] = "update:", 1972 [TOMOYO_STAT_POLICY_LEARNING] = "violation in learning mode:", 1973 [TOMOYO_STAT_POLICY_PERMISSIVE] = "violation in permissive mode:", 1974 [TOMOYO_STAT_POLICY_ENFORCING] = "violation in enforcing mode:", 1975}; 1976 1977/* String table for /sys/kernel/security/tomoyo/stat interface. */ 1978static const char * const tomoyo_memory_headers[TOMOYO_MAX_MEMORY_STAT] = { 1979 [TOMOYO_MEMORY_POLICY] = "policy:", 1980 [TOMOYO_MEMORY_AUDIT] = "audit log:", 1981 [TOMOYO_MEMORY_QUERY] = "query message:", 1982}; 1983 1984/* Timestamp counter for last updated. */ 1985static unsigned int tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT]; 1986/* Counter for number of updates. */ 1987static unsigned int tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT]; 1988 1989/** 1990 * tomoyo_update_stat - Update statistic counters. 1991 * 1992 * @index: Index for policy type. 1993 * 1994 * Returns nothing. 1995 */ 1996void tomoyo_update_stat(const u8 index) 1997{ 1998 struct timeval tv; 1999 do_gettimeofday(&tv); 2000 /* 2001 * I don't use atomic operations because race condition is not fatal. 2002 */ 2003 tomoyo_stat_updated[index]++; 2004 tomoyo_stat_modified[index] = tv.tv_sec; 2005} 2006 2007/** 2008 * tomoyo_read_stat - Read statistic data. 2009 * 2010 * @head: Pointer to "struct tomoyo_io_buffer". 2011 * 2012 * Returns nothing. 2013 */ 2014static void tomoyo_read_stat(struct tomoyo_io_buffer *head) 2015{ 2016 u8 i; 2017 unsigned int total = 0; 2018 if (head->r.eof) 2019 return; 2020 for (i = 0; i < TOMOYO_MAX_POLICY_STAT; i++) { 2021 tomoyo_io_printf(head, "Policy %-30s %10u", 2022 tomoyo_policy_headers[i], 2023 tomoyo_stat_updated[i]); 2024 if (tomoyo_stat_modified[i]) { 2025 struct tomoyo_time stamp; 2026 tomoyo_convert_time(tomoyo_stat_modified[i], &stamp); 2027 tomoyo_io_printf(head, " (Last: %04u/%02u/%02u " 2028 "%02u:%02u:%02u)", 2029 stamp.year, stamp.month, stamp.day, 2030 stamp.hour, stamp.min, stamp.sec); 2031 } 2032 tomoyo_set_lf(head); 2033 } 2034 for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) { 2035 unsigned int used = tomoyo_memory_used[i]; 2036 total += used; 2037 tomoyo_io_printf(head, "Memory used by %-22s %10u", 2038 tomoyo_memory_headers[i], used); 2039 used = tomoyo_memory_quota[i]; 2040 if (used) 2041 tomoyo_io_printf(head, " (Quota: %10u)", used); 2042 tomoyo_set_lf(head); 2043 } 2044 tomoyo_io_printf(head, "Total memory used: %10u\n", 2045 total); 2046 head->r.eof = true; 2047} 2048 2049/** 2050 * tomoyo_write_stat - Set memory quota. 2051 * 2052 * @head: Pointer to "struct tomoyo_io_buffer". 2053 * 2054 * Returns 0. 2055 */ 2056static int tomoyo_write_stat(struct tomoyo_io_buffer *head) 2057{ 2058 char *data = head->write_buf; 2059 u8 i; 2060 if (tomoyo_str_starts(&data, "Memory used by ")) 2061 for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) 2062 if (tomoyo_str_starts(&data, tomoyo_memory_headers[i])) 2063 sscanf(data, "%u", &tomoyo_memory_quota[i]); 2064 return 0; 2065} 2066 2067/** 2068 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 2069 * 2070 * @type: Type of interface. 2071 * @file: Pointer to "struct file". 2072 * 2073 * Returns 0 on success, negative value otherwise. 2074 */ 2075int tomoyo_open_control(const u8 type, struct file *file) 2076{ 2077 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS); 2078 2079 if (!head) 2080 return -ENOMEM; 2081 mutex_init(&head->io_sem); 2082 head->type = type; 2083 switch (type) { 2084 case TOMOYO_DOMAINPOLICY: 2085 /* /sys/kernel/security/tomoyo/domain_policy */ 2086 head->write = tomoyo_write_domain; 2087 head->read = tomoyo_read_domain; 2088 break; 2089 case TOMOYO_EXCEPTIONPOLICY: 2090 /* /sys/kernel/security/tomoyo/exception_policy */ 2091 head->write = tomoyo_write_exception; 2092 head->read = tomoyo_read_exception; 2093 break; 2094 case TOMOYO_AUDIT: 2095 /* /sys/kernel/security/tomoyo/audit */ 2096 head->poll = tomoyo_poll_log; 2097 head->read = tomoyo_read_log; 2098 break; 2099 case TOMOYO_SELFDOMAIN: 2100 /* /sys/kernel/security/tomoyo/self_domain */ 2101 head->read = tomoyo_read_self_domain; 2102 break; 2103 case TOMOYO_PROCESS_STATUS: 2104 /* /sys/kernel/security/tomoyo/.process_status */ 2105 head->write = tomoyo_write_pid; 2106 head->read = tomoyo_read_pid; 2107 break; 2108 case TOMOYO_VERSION: 2109 /* /sys/kernel/security/tomoyo/version */ 2110 head->read = tomoyo_read_version; 2111 head->readbuf_size = 128; 2112 break; 2113 case TOMOYO_STAT: 2114 /* /sys/kernel/security/tomoyo/stat */ 2115 head->write = tomoyo_write_stat; 2116 head->read = tomoyo_read_stat; 2117 head->readbuf_size = 1024; 2118 break; 2119 case TOMOYO_PROFILE: 2120 /* /sys/kernel/security/tomoyo/profile */ 2121 head->write = tomoyo_write_profile; 2122 head->read = tomoyo_read_profile; 2123 break; 2124 case TOMOYO_QUERY: /* /sys/kernel/security/tomoyo/query */ 2125 head->poll = tomoyo_poll_query; 2126 head->write = tomoyo_write_answer; 2127 head->read = tomoyo_read_query; 2128 break; 2129 case TOMOYO_MANAGER: 2130 /* /sys/kernel/security/tomoyo/manager */ 2131 head->write = tomoyo_write_manager; 2132 head->read = tomoyo_read_manager; 2133 break; 2134 } 2135 if (!(file->f_mode & FMODE_READ)) { 2136 /* 2137 * No need to allocate read_buf since it is not opened 2138 * for reading. 2139 */ 2140 head->read = NULL; 2141 head->poll = NULL; 2142 } else if (!head->poll) { 2143 /* Don't allocate read_buf for poll() access. */ 2144 if (!head->readbuf_size) 2145 head->readbuf_size = 4096 * 2; 2146 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); 2147 if (!head->read_buf) { 2148 kfree(head); 2149 return -ENOMEM; 2150 } 2151 } 2152 if (!(file->f_mode & FMODE_WRITE)) { 2153 /* 2154 * No need to allocate write_buf since it is not opened 2155 * for writing. 2156 */ 2157 head->write = NULL; 2158 } else if (head->write) { 2159 head->writebuf_size = 4096 * 2; 2160 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); 2161 if (!head->write_buf) { 2162 kfree(head->read_buf); 2163 kfree(head); 2164 return -ENOMEM; 2165 } 2166 } 2167 /* 2168 * If the file is /sys/kernel/security/tomoyo/query , increment the 2169 * observer counter. 2170 * The obserber counter is used by tomoyo_supervisor() to see if 2171 * there is some process monitoring /sys/kernel/security/tomoyo/query. 2172 */ 2173 if (type == TOMOYO_QUERY) 2174 atomic_inc(&tomoyo_query_observers); 2175 file->private_data = head; 2176 tomoyo_notify_gc(head, true); 2177 return 0; 2178} 2179 2180/** 2181 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface. 2182 * 2183 * @file: Pointer to "struct file". 2184 * @wait: Pointer to "poll_table". 2185 * 2186 * Waits for read readiness. 2187 * /sys/kernel/security/tomoyo/query is handled by /usr/sbin/tomoyo-queryd and 2188 * /sys/kernel/security/tomoyo/audit is handled by /usr/sbin/tomoyo-auditd. 2189 */ 2190int tomoyo_poll_control(struct file *file, poll_table *wait) 2191{ 2192 struct tomoyo_io_buffer *head = file->private_data; 2193 if (!head->poll) 2194 return -ENOSYS; 2195 return head->poll(file, wait); 2196} 2197 2198/** 2199 * tomoyo_set_namespace_cursor - Set namespace to read. 2200 * 2201 * @head: Pointer to "struct tomoyo_io_buffer". 2202 * 2203 * Returns nothing. 2204 */ 2205static inline void tomoyo_set_namespace_cursor(struct tomoyo_io_buffer *head) 2206{ 2207 struct list_head *ns; 2208 if (head->type != TOMOYO_EXCEPTIONPOLICY && 2209 head->type != TOMOYO_PROFILE) 2210 return; 2211 /* 2212 * If this is the first read, or reading previous namespace finished 2213 * and has more namespaces to read, update the namespace cursor. 2214 */ 2215 ns = head->r.ns; 2216 if (!ns || (head->r.eof && ns->next != &tomoyo_namespace_list)) { 2217 /* Clearing is OK because tomoyo_flush() returned true. */ 2218 memset(&head->r, 0, sizeof(head->r)); 2219 head->r.ns = ns ? ns->next : tomoyo_namespace_list.next; 2220 } 2221} 2222 2223/** 2224 * tomoyo_has_more_namespace - Check for unread namespaces. 2225 * 2226 * @head: Pointer to "struct tomoyo_io_buffer". 2227 * 2228 * Returns true if we have more entries to print, false otherwise. 2229 */ 2230static inline bool tomoyo_has_more_namespace(struct tomoyo_io_buffer *head) 2231{ 2232 return (head->type == TOMOYO_EXCEPTIONPOLICY || 2233 head->type == TOMOYO_PROFILE) && head->r.eof && 2234 head->r.ns->next != &tomoyo_namespace_list; 2235} 2236 2237/** 2238 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 2239 * 2240 * @head: Pointer to "struct tomoyo_io_buffer". 2241 * @buffer: Poiner to buffer to write to. 2242 * @buffer_len: Size of @buffer. 2243 * 2244 * Returns bytes read on success, negative value otherwise. 2245 */ 2246ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, 2247 const int buffer_len) 2248{ 2249 int len; 2250 int idx; 2251 2252 if (!head->read) 2253 return -ENOSYS; 2254 if (mutex_lock_interruptible(&head->io_sem)) 2255 return -EINTR; 2256 head->read_user_buf = buffer; 2257 head->read_user_buf_avail = buffer_len; 2258 idx = tomoyo_read_lock(); 2259 if (tomoyo_flush(head)) 2260 /* Call the policy handler. */ 2261 do { 2262 tomoyo_set_namespace_cursor(head); 2263 head->read(head); 2264 } while (tomoyo_flush(head) && 2265 tomoyo_has_more_namespace(head)); 2266 tomoyo_read_unlock(idx); 2267 len = head->read_user_buf - buffer; 2268 mutex_unlock(&head->io_sem); 2269 return len; 2270} 2271 2272/** 2273 * tomoyo_parse_policy - Parse a policy line. 2274 * 2275 * @head: Poiter to "struct tomoyo_io_buffer". 2276 * @line: Line to parse. 2277 * 2278 * Returns 0 on success, negative value otherwise. 2279 * 2280 * Caller holds tomoyo_read_lock(). 2281 */ 2282static int tomoyo_parse_policy(struct tomoyo_io_buffer *head, char *line) 2283{ 2284 /* Delete request? */ 2285 head->w.is_delete = !strncmp(line, "delete ", 7); 2286 if (head->w.is_delete) 2287 memmove(line, line + 7, strlen(line + 7) + 1); 2288 /* Selecting namespace to update. */ 2289 if (head->type == TOMOYO_EXCEPTIONPOLICY || 2290 head->type == TOMOYO_PROFILE) { 2291 if (*line == '<') { 2292 char *cp = strchr(line, ' '); 2293 if (cp) { 2294 *cp++ = '\0'; 2295 head->w.ns = tomoyo_assign_namespace(line); 2296 memmove(line, cp, strlen(cp) + 1); 2297 } else 2298 head->w.ns = NULL; 2299 } else 2300 head->w.ns = &tomoyo_kernel_namespace; 2301 /* Don't allow updating if namespace is invalid. */ 2302 if (!head->w.ns) 2303 return -ENOENT; 2304 } 2305 /* Do the update. */ 2306 return head->write(head); 2307} 2308 2309/** 2310 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 2311 * 2312 * @head: Pointer to "struct tomoyo_io_buffer". 2313 * @buffer: Pointer to buffer to read from. 2314 * @buffer_len: Size of @buffer. 2315 * 2316 * Returns @buffer_len on success, negative value otherwise. 2317 */ 2318ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, 2319 const char __user *buffer, const int buffer_len) 2320{ 2321 int error = buffer_len; 2322 size_t avail_len = buffer_len; 2323 char *cp0 = head->write_buf; 2324 int idx; 2325 if (!head->write) 2326 return -ENOSYS; 2327 if (!access_ok(VERIFY_READ, buffer, buffer_len)) 2328 return -EFAULT; 2329 if (mutex_lock_interruptible(&head->io_sem)) 2330 return -EINTR; 2331 idx = tomoyo_read_lock(); 2332 /* Read a line and dispatch it to the policy handler. */ 2333 while (avail_len > 0) { 2334 char c; 2335 if (head->w.avail >= head->writebuf_size - 1) { 2336 const int len = head->writebuf_size * 2; 2337 char *cp = kzalloc(len, GFP_NOFS); 2338 if (!cp) { 2339 error = -ENOMEM; 2340 break; 2341 } 2342 memmove(cp, cp0, head->w.avail); 2343 kfree(cp0); 2344 head->write_buf = cp; 2345 cp0 = cp; 2346 head->writebuf_size = len; 2347 } 2348 if (get_user(c, buffer)) { 2349 error = -EFAULT; 2350 break; 2351 } 2352 buffer++; 2353 avail_len--; 2354 cp0[head->w.avail++] = c; 2355 if (c != '\n') 2356 continue; 2357 cp0[head->w.avail - 1] = '\0'; 2358 head->w.avail = 0; 2359 tomoyo_normalize_line(cp0); 2360 if (!strcmp(cp0, "reset")) { 2361 head->w.ns = &tomoyo_kernel_namespace; 2362 head->w.domain = NULL; 2363 memset(&head->r, 0, sizeof(head->r)); 2364 continue; 2365 } 2366 /* Don't allow updating policies by non manager programs. */ 2367 switch (head->type) { 2368 case TOMOYO_PROCESS_STATUS: 2369 /* This does not write anything. */ 2370 break; 2371 case TOMOYO_DOMAINPOLICY: 2372 if (tomoyo_select_domain(head, cp0)) 2373 continue; 2374 /* fall through */ 2375 case TOMOYO_EXCEPTIONPOLICY: 2376 if (!strcmp(cp0, "select transition_only")) { 2377 head->r.print_transition_related_only = true; 2378 continue; 2379 } 2380 /* fall through */ 2381 default: 2382 if (!tomoyo_manager()) { 2383 error = -EPERM; 2384 goto out; 2385 } 2386 } 2387 switch (tomoyo_parse_policy(head, cp0)) { 2388 case -EPERM: 2389 error = -EPERM; 2390 goto out; 2391 case 0: 2392 switch (head->type) { 2393 case TOMOYO_DOMAINPOLICY: 2394 case TOMOYO_EXCEPTIONPOLICY: 2395 case TOMOYO_STAT: 2396 case TOMOYO_PROFILE: 2397 case TOMOYO_MANAGER: 2398 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 2399 break; 2400 default: 2401 break; 2402 } 2403 break; 2404 } 2405 } 2406out: 2407 tomoyo_read_unlock(idx); 2408 mutex_unlock(&head->io_sem); 2409 return error; 2410} 2411 2412/** 2413 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 2414 * 2415 * @head: Pointer to "struct tomoyo_io_buffer". 2416 * 2417 * Returns 0. 2418 */ 2419int tomoyo_close_control(struct tomoyo_io_buffer *head) 2420{ 2421 /* 2422 * If the file is /sys/kernel/security/tomoyo/query , decrement the 2423 * observer counter. 2424 */ 2425 if (head->type == TOMOYO_QUERY && 2426 atomic_dec_and_test(&tomoyo_query_observers)) 2427 wake_up_all(&tomoyo_answer_wait); 2428 tomoyo_notify_gc(head, false); 2429 return 0; 2430} 2431 2432/** 2433 * tomoyo_check_profile - Check all profiles currently assigned to domains are defined. 2434 */ 2435void tomoyo_check_profile(void) 2436{ 2437 struct tomoyo_domain_info *domain; 2438 const int idx = tomoyo_read_lock(); 2439 tomoyo_policy_loaded = true; 2440 printk(KERN_INFO "TOMOYO: 2.4.0\n"); 2441 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 2442 const u8 profile = domain->profile; 2443 const struct tomoyo_policy_namespace *ns = domain->ns; 2444 if (ns->profile_version != 20100903) 2445 printk(KERN_ERR 2446 "Profile version %u is not supported.\n", 2447 ns->profile_version); 2448 else if (!ns->profile_ptr[profile]) 2449 printk(KERN_ERR 2450 "Profile %u (used by '%s') is not defined.\n", 2451 profile, domain->domainname->name); 2452 else 2453 continue; 2454 printk(KERN_ERR 2455 "Userland tools for TOMOYO 2.4 must be installed and " 2456 "policy must be initialized.\n"); 2457 printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/2.4/ " 2458 "for more information.\n"); 2459 panic("STOP!"); 2460 } 2461 tomoyo_read_unlock(idx); 2462 printk(KERN_INFO "Mandatory Access Control activated.\n"); 2463} 2464 2465/** 2466 * tomoyo_load_builtin_policy - Load built-in policy. 2467 * 2468 * Returns nothing. 2469 */ 2470void __init tomoyo_load_builtin_policy(void) 2471{ 2472 /* 2473 * This include file is manually created and contains built-in policy 2474 * named "tomoyo_builtin_profile", "tomoyo_builtin_exception_policy", 2475 * "tomoyo_builtin_domain_policy", "tomoyo_builtin_manager", 2476 * "tomoyo_builtin_stat" in the form of "static char [] __initdata". 2477 */ 2478#include "builtin-policy.h" 2479 u8 i; 2480 const int idx = tomoyo_read_lock(); 2481 for (i = 0; i < 5; i++) { 2482 struct tomoyo_io_buffer head = { }; 2483 char *start = ""; 2484 switch (i) { 2485 case 0: 2486 start = tomoyo_builtin_profile; 2487 head.type = TOMOYO_PROFILE; 2488 head.write = tomoyo_write_profile; 2489 break; 2490 case 1: 2491 start = tomoyo_builtin_exception_policy; 2492 head.type = TOMOYO_EXCEPTIONPOLICY; 2493 head.write = tomoyo_write_exception; 2494 break; 2495 case 2: 2496 start = tomoyo_builtin_domain_policy; 2497 head.type = TOMOYO_DOMAINPOLICY; 2498 head.write = tomoyo_write_domain; 2499 break; 2500 case 3: 2501 start = tomoyo_builtin_manager; 2502 head.type = TOMOYO_MANAGER; 2503 head.write = tomoyo_write_manager; 2504 break; 2505 case 4: 2506 start = tomoyo_builtin_stat; 2507 head.type = TOMOYO_STAT; 2508 head.write = tomoyo_write_stat; 2509 break; 2510 } 2511 while (1) { 2512 char *end = strchr(start, '\n'); 2513 if (!end) 2514 break; 2515 *end = '\0'; 2516 tomoyo_normalize_line(start); 2517 head.write_buf = start; 2518 tomoyo_parse_policy(&head, start); 2519 start = end + 1; 2520 } 2521 } 2522 tomoyo_read_unlock(idx); 2523#ifdef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER 2524 tomoyo_check_profile(); 2525#endif 2526} 2527