common.c revision b22b8b9fd90eecfb7133e56b4e113595f09f4492
1/* 2 * security/tomoyo/common.c 3 * 4 * Common functions for TOMOYO. 5 * 6 * Copyright (C) 2005-2010 NTT DATA CORPORATION 7 */ 8 9#include <linux/uaccess.h> 10#include <linux/slab.h> 11#include <linux/security.h> 12#include "common.h" 13 14/* String table for operation mode. */ 15const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = { 16 [TOMOYO_CONFIG_DISABLED] = "disabled", 17 [TOMOYO_CONFIG_LEARNING] = "learning", 18 [TOMOYO_CONFIG_PERMISSIVE] = "permissive", 19 [TOMOYO_CONFIG_ENFORCING] = "enforcing" 20}; 21 22/* String table for /sys/kernel/security/tomoyo/profile */ 23const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX 24 + TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 25 [TOMOYO_MAC_FILE_EXECUTE] = "execute", 26 [TOMOYO_MAC_FILE_OPEN] = "open", 27 [TOMOYO_MAC_FILE_CREATE] = "create", 28 [TOMOYO_MAC_FILE_UNLINK] = "unlink", 29 [TOMOYO_MAC_FILE_GETATTR] = "getattr", 30 [TOMOYO_MAC_FILE_MKDIR] = "mkdir", 31 [TOMOYO_MAC_FILE_RMDIR] = "rmdir", 32 [TOMOYO_MAC_FILE_MKFIFO] = "mkfifo", 33 [TOMOYO_MAC_FILE_MKSOCK] = "mksock", 34 [TOMOYO_MAC_FILE_TRUNCATE] = "truncate", 35 [TOMOYO_MAC_FILE_SYMLINK] = "symlink", 36 [TOMOYO_MAC_FILE_MKBLOCK] = "mkblock", 37 [TOMOYO_MAC_FILE_MKCHAR] = "mkchar", 38 [TOMOYO_MAC_FILE_LINK] = "link", 39 [TOMOYO_MAC_FILE_RENAME] = "rename", 40 [TOMOYO_MAC_FILE_CHMOD] = "chmod", 41 [TOMOYO_MAC_FILE_CHOWN] = "chown", 42 [TOMOYO_MAC_FILE_CHGRP] = "chgrp", 43 [TOMOYO_MAC_FILE_IOCTL] = "ioctl", 44 [TOMOYO_MAC_FILE_CHROOT] = "chroot", 45 [TOMOYO_MAC_FILE_MOUNT] = "mount", 46 [TOMOYO_MAC_FILE_UMOUNT] = "unmount", 47 [TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root", 48 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file", 49}; 50 51/* String table for PREFERENCE keyword. */ 52static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = { 53 [TOMOYO_PREF_MAX_AUDIT_LOG] = "max_audit_log", 54 [TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", 55}; 56 57/* String table for path operation. */ 58const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = { 59 [TOMOYO_TYPE_EXECUTE] = "execute", 60 [TOMOYO_TYPE_READ] = "read", 61 [TOMOYO_TYPE_WRITE] = "write", 62 [TOMOYO_TYPE_APPEND] = "append", 63 [TOMOYO_TYPE_UNLINK] = "unlink", 64 [TOMOYO_TYPE_GETATTR] = "getattr", 65 [TOMOYO_TYPE_RMDIR] = "rmdir", 66 [TOMOYO_TYPE_TRUNCATE] = "truncate", 67 [TOMOYO_TYPE_SYMLINK] = "symlink", 68 [TOMOYO_TYPE_CHROOT] = "chroot", 69 [TOMOYO_TYPE_UMOUNT] = "unmount", 70}; 71 72/* String table for categories. */ 73static const char * const tomoyo_category_keywords 74[TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 75 [TOMOYO_MAC_CATEGORY_FILE] = "file", 76}; 77 78/* Permit policy management by non-root user? */ 79static bool tomoyo_manage_by_non_root; 80 81/* Utility functions. */ 82 83/** 84 * tomoyo_yesno - Return "yes" or "no". 85 * 86 * @value: Bool value. 87 */ 88const char *tomoyo_yesno(const unsigned int value) 89{ 90 return value ? "yes" : "no"; 91} 92 93/** 94 * tomoyo_addprintf - strncat()-like-snprintf(). 95 * 96 * @buffer: Buffer to write to. Must be '\0'-terminated. 97 * @len: Size of @buffer. 98 * @fmt: The printf()'s format string, followed by parameters. 99 * 100 * Returns nothing. 101 */ 102static void tomoyo_addprintf(char *buffer, int len, const char *fmt, ...) 103{ 104 va_list args; 105 const int pos = strlen(buffer); 106 va_start(args, fmt); 107 vsnprintf(buffer + pos, len - pos - 1, fmt, args); 108 va_end(args); 109} 110 111/** 112 * tomoyo_flush - Flush queued string to userspace's buffer. 113 * 114 * @head: Pointer to "struct tomoyo_io_buffer". 115 * 116 * Returns true if all data was flushed, false otherwise. 117 */ 118static bool tomoyo_flush(struct tomoyo_io_buffer *head) 119{ 120 while (head->r.w_pos) { 121 const char *w = head->r.w[0]; 122 size_t len = strlen(w); 123 if (len) { 124 if (len > head->read_user_buf_avail) 125 len = head->read_user_buf_avail; 126 if (!len) 127 return false; 128 if (copy_to_user(head->read_user_buf, w, len)) 129 return false; 130 head->read_user_buf_avail -= len; 131 head->read_user_buf += len; 132 w += len; 133 } 134 head->r.w[0] = w; 135 if (*w) 136 return false; 137 /* Add '\0' for audit logs and query. */ 138 if (head->poll) { 139 if (!head->read_user_buf_avail || 140 copy_to_user(head->read_user_buf, "", 1)) 141 return false; 142 head->read_user_buf_avail--; 143 head->read_user_buf++; 144 } 145 head->r.w_pos--; 146 for (len = 0; len < head->r.w_pos; len++) 147 head->r.w[len] = head->r.w[len + 1]; 148 } 149 head->r.avail = 0; 150 return true; 151} 152 153/** 154 * tomoyo_set_string - Queue string to "struct tomoyo_io_buffer" structure. 155 * 156 * @head: Pointer to "struct tomoyo_io_buffer". 157 * @string: String to print. 158 * 159 * Note that @string has to be kept valid until @head is kfree()d. 160 * This means that char[] allocated on stack memory cannot be passed to 161 * this function. Use tomoyo_io_printf() for char[] allocated on stack memory. 162 */ 163static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string) 164{ 165 if (head->r.w_pos < TOMOYO_MAX_IO_READ_QUEUE) { 166 head->r.w[head->r.w_pos++] = string; 167 tomoyo_flush(head); 168 } else 169 WARN_ON(1); 170} 171 172/** 173 * tomoyo_io_printf - printf() to "struct tomoyo_io_buffer" structure. 174 * 175 * @head: Pointer to "struct tomoyo_io_buffer". 176 * @fmt: The printf()'s format string, followed by parameters. 177 */ 178void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 179{ 180 va_list args; 181 size_t len; 182 size_t pos = head->r.avail; 183 int size = head->readbuf_size - pos; 184 if (size <= 0) 185 return; 186 va_start(args, fmt); 187 len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1; 188 va_end(args); 189 if (pos + len >= head->readbuf_size) { 190 WARN_ON(1); 191 return; 192 } 193 head->r.avail += len; 194 tomoyo_set_string(head, head->read_buf + pos); 195} 196 197/** 198 * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure. 199 * 200 * @head: Pointer to "struct tomoyo_io_buffer". 201 * 202 * Returns nothing. 203 */ 204static void tomoyo_set_space(struct tomoyo_io_buffer *head) 205{ 206 tomoyo_set_string(head, " "); 207} 208 209/** 210 * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure. 211 * 212 * @head: Pointer to "struct tomoyo_io_buffer". 213 * 214 * Returns nothing. 215 */ 216static bool tomoyo_set_lf(struct tomoyo_io_buffer *head) 217{ 218 tomoyo_set_string(head, "\n"); 219 return !head->r.w_pos; 220} 221 222/** 223 * tomoyo_set_slash - Put a shash to "struct tomoyo_io_buffer" structure. 224 * 225 * @head: Pointer to "struct tomoyo_io_buffer". 226 * 227 * Returns nothing. 228 */ 229static void tomoyo_set_slash(struct tomoyo_io_buffer *head) 230{ 231 tomoyo_set_string(head, "/"); 232} 233 234/* List of namespaces. */ 235LIST_HEAD(tomoyo_namespace_list); 236/* True if namespace other than tomoyo_kernel_namespace is defined. */ 237static bool tomoyo_namespace_enabled; 238 239/** 240 * tomoyo_init_policy_namespace - Initialize namespace. 241 * 242 * @ns: Pointer to "struct tomoyo_policy_namespace". 243 * 244 * Returns nothing. 245 */ 246void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns) 247{ 248 unsigned int idx; 249 for (idx = 0; idx < TOMOYO_MAX_ACL_GROUPS; idx++) 250 INIT_LIST_HEAD(&ns->acl_group[idx]); 251 for (idx = 0; idx < TOMOYO_MAX_GROUP; idx++) 252 INIT_LIST_HEAD(&ns->group_list[idx]); 253 for (idx = 0; idx < TOMOYO_MAX_POLICY; idx++) 254 INIT_LIST_HEAD(&ns->policy_list[idx]); 255 ns->profile_version = 20100903; 256 tomoyo_namespace_enabled = !list_empty(&tomoyo_namespace_list); 257 list_add_tail_rcu(&ns->namespace_list, &tomoyo_namespace_list); 258} 259 260/** 261 * tomoyo_print_namespace - Print namespace header. 262 * 263 * @head: Pointer to "struct tomoyo_io_buffer". 264 * 265 * Returns nothing. 266 */ 267static void tomoyo_print_namespace(struct tomoyo_io_buffer *head) 268{ 269 if (!tomoyo_namespace_enabled) 270 return; 271 tomoyo_set_string(head, 272 container_of(head->r.ns, 273 struct tomoyo_policy_namespace, 274 namespace_list)->name); 275 tomoyo_set_space(head); 276} 277 278/** 279 * tomoyo_print_name_union - Print a tomoyo_name_union. 280 * 281 * @head: Pointer to "struct tomoyo_io_buffer". 282 * @ptr: Pointer to "struct tomoyo_name_union". 283 */ 284static void tomoyo_print_name_union(struct tomoyo_io_buffer *head, 285 const struct tomoyo_name_union *ptr) 286{ 287 tomoyo_set_space(head); 288 if (ptr->group) { 289 tomoyo_set_string(head, "@"); 290 tomoyo_set_string(head, ptr->group->group_name->name); 291 } else { 292 tomoyo_set_string(head, ptr->filename->name); 293 } 294} 295 296/** 297 * tomoyo_print_number_union - Print a tomoyo_number_union. 298 * 299 * @head: Pointer to "struct tomoyo_io_buffer". 300 * @ptr: Pointer to "struct tomoyo_number_union". 301 */ 302static void tomoyo_print_number_union(struct tomoyo_io_buffer *head, 303 const struct tomoyo_number_union *ptr) 304{ 305 tomoyo_set_space(head); 306 if (ptr->group) { 307 tomoyo_set_string(head, "@"); 308 tomoyo_set_string(head, ptr->group->group_name->name); 309 } else { 310 int i; 311 unsigned long min = ptr->values[0]; 312 const unsigned long max = ptr->values[1]; 313 u8 min_type = ptr->value_type[0]; 314 const u8 max_type = ptr->value_type[1]; 315 char buffer[128]; 316 buffer[0] = '\0'; 317 for (i = 0; i < 2; i++) { 318 switch (min_type) { 319 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 320 tomoyo_addprintf(buffer, sizeof(buffer), 321 "0x%lX", min); 322 break; 323 case TOMOYO_VALUE_TYPE_OCTAL: 324 tomoyo_addprintf(buffer, sizeof(buffer), 325 "0%lo", min); 326 break; 327 default: 328 tomoyo_addprintf(buffer, sizeof(buffer), 329 "%lu", min); 330 break; 331 } 332 if (min == max && min_type == max_type) 333 break; 334 tomoyo_addprintf(buffer, sizeof(buffer), "-"); 335 min_type = max_type; 336 min = max; 337 } 338 tomoyo_io_printf(head, "%s", buffer); 339 } 340} 341 342/** 343 * tomoyo_assign_profile - Create a new profile. 344 * 345 * @ns: Pointer to "struct tomoyo_policy_namespace". 346 * @profile: Profile number to create. 347 * 348 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 349 */ 350static struct tomoyo_profile *tomoyo_assign_profile 351(struct tomoyo_policy_namespace *ns, const unsigned int profile) 352{ 353 struct tomoyo_profile *ptr; 354 struct tomoyo_profile *entry; 355 if (profile >= TOMOYO_MAX_PROFILES) 356 return NULL; 357 ptr = ns->profile_ptr[profile]; 358 if (ptr) 359 return ptr; 360 entry = kzalloc(sizeof(*entry), GFP_NOFS); 361 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 362 goto out; 363 ptr = ns->profile_ptr[profile]; 364 if (!ptr && tomoyo_memory_ok(entry)) { 365 ptr = entry; 366 ptr->default_config = TOMOYO_CONFIG_DISABLED | 367 TOMOYO_CONFIG_WANT_GRANT_LOG | 368 TOMOYO_CONFIG_WANT_REJECT_LOG; 369 memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT, 370 sizeof(ptr->config)); 371 ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] = 1024; 372 ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = 2048; 373 mb(); /* Avoid out-of-order execution. */ 374 ns->profile_ptr[profile] = ptr; 375 entry = NULL; 376 } 377 mutex_unlock(&tomoyo_policy_lock); 378 out: 379 kfree(entry); 380 return ptr; 381} 382 383/** 384 * tomoyo_profile - Find a profile. 385 * 386 * @ns: Pointer to "struct tomoyo_policy_namespace". 387 * @profile: Profile number to find. 388 * 389 * Returns pointer to "struct tomoyo_profile". 390 */ 391struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns, 392 const u8 profile) 393{ 394 static struct tomoyo_profile tomoyo_null_profile; 395 struct tomoyo_profile *ptr = ns->profile_ptr[profile]; 396 if (!ptr) 397 ptr = &tomoyo_null_profile; 398 return ptr; 399} 400 401/** 402 * tomoyo_find_yesno - Find values for specified keyword. 403 * 404 * @string: String to check. 405 * @find: Name of keyword. 406 * 407 * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise. 408 */ 409static s8 tomoyo_find_yesno(const char *string, const char *find) 410{ 411 const char *cp = strstr(string, find); 412 if (cp) { 413 cp += strlen(find); 414 if (!strncmp(cp, "=yes", 4)) 415 return 1; 416 else if (!strncmp(cp, "=no", 3)) 417 return 0; 418 } 419 return -1; 420} 421 422/** 423 * tomoyo_set_uint - Set value for specified preference. 424 * 425 * @i: Pointer to "unsigned int". 426 * @string: String to check. 427 * @find: Name of keyword. 428 * 429 * Returns nothing. 430 */ 431static void tomoyo_set_uint(unsigned int *i, const char *string, 432 const char *find) 433{ 434 const char *cp = strstr(string, find); 435 if (cp) 436 sscanf(cp + strlen(find), "=%u", i); 437} 438 439/** 440 * tomoyo_set_mode - Set mode for specified profile. 441 * 442 * @name: Name of functionality. 443 * @value: Mode for @name. 444 * @profile: Pointer to "struct tomoyo_profile". 445 * 446 * Returns 0 on success, negative value otherwise. 447 */ 448static int tomoyo_set_mode(char *name, const char *value, 449 struct tomoyo_profile *profile) 450{ 451 u8 i; 452 u8 config; 453 if (!strcmp(name, "CONFIG")) { 454 i = TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX; 455 config = profile->default_config; 456 } else if (tomoyo_str_starts(&name, "CONFIG::")) { 457 config = 0; 458 for (i = 0; i < TOMOYO_MAX_MAC_INDEX 459 + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) { 460 int len = 0; 461 if (i < TOMOYO_MAX_MAC_INDEX) { 462 const u8 c = tomoyo_index2category[i]; 463 const char *category = 464 tomoyo_category_keywords[c]; 465 len = strlen(category); 466 if (strncmp(name, category, len) || 467 name[len++] != ':' || name[len++] != ':') 468 continue; 469 } 470 if (strcmp(name + len, tomoyo_mac_keywords[i])) 471 continue; 472 config = profile->config[i]; 473 break; 474 } 475 if (i == TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 476 return -EINVAL; 477 } else { 478 return -EINVAL; 479 } 480 if (strstr(value, "use_default")) { 481 config = TOMOYO_CONFIG_USE_DEFAULT; 482 } else { 483 u8 mode; 484 for (mode = 0; mode < 4; mode++) 485 if (strstr(value, tomoyo_mode[mode])) 486 /* 487 * Update lower 3 bits in order to distinguish 488 * 'config' from 'TOMOYO_CONFIG_USE_DEAFULT'. 489 */ 490 config = (config & ~7) | mode; 491 if (config != TOMOYO_CONFIG_USE_DEFAULT) { 492 switch (tomoyo_find_yesno(value, "grant_log")) { 493 case 1: 494 config |= TOMOYO_CONFIG_WANT_GRANT_LOG; 495 break; 496 case 0: 497 config &= ~TOMOYO_CONFIG_WANT_GRANT_LOG; 498 break; 499 } 500 switch (tomoyo_find_yesno(value, "reject_log")) { 501 case 1: 502 config |= TOMOYO_CONFIG_WANT_REJECT_LOG; 503 break; 504 case 0: 505 config &= ~TOMOYO_CONFIG_WANT_REJECT_LOG; 506 break; 507 } 508 } 509 } 510 if (i < TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 511 profile->config[i] = config; 512 else if (config != TOMOYO_CONFIG_USE_DEFAULT) 513 profile->default_config = config; 514 return 0; 515} 516 517/** 518 * tomoyo_write_profile - Write profile table. 519 * 520 * @head: Pointer to "struct tomoyo_io_buffer". 521 * 522 * Returns 0 on success, negative value otherwise. 523 */ 524static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 525{ 526 char *data = head->write_buf; 527 unsigned int i; 528 char *cp; 529 struct tomoyo_profile *profile; 530 if (sscanf(data, "PROFILE_VERSION=%u", &head->w.ns->profile_version) 531 == 1) 532 return 0; 533 i = simple_strtoul(data, &cp, 10); 534 if (*cp != '-') 535 return -EINVAL; 536 data = cp + 1; 537 profile = tomoyo_assign_profile(head->w.ns, i); 538 if (!profile) 539 return -EINVAL; 540 cp = strchr(data, '='); 541 if (!cp) 542 return -EINVAL; 543 *cp++ = '\0'; 544 if (!strcmp(data, "COMMENT")) { 545 static DEFINE_SPINLOCK(lock); 546 const struct tomoyo_path_info *new_comment 547 = tomoyo_get_name(cp); 548 const struct tomoyo_path_info *old_comment; 549 if (!new_comment) 550 return -ENOMEM; 551 spin_lock(&lock); 552 old_comment = profile->comment; 553 profile->comment = new_comment; 554 spin_unlock(&lock); 555 tomoyo_put_name(old_comment); 556 return 0; 557 } 558 if (!strcmp(data, "PREFERENCE")) { 559 for (i = 0; i < TOMOYO_MAX_PREF; i++) 560 tomoyo_set_uint(&profile->pref[i], cp, 561 tomoyo_pref_keywords[i]); 562 return 0; 563 } 564 return tomoyo_set_mode(data, cp, profile); 565} 566 567/** 568 * tomoyo_print_config - Print mode for specified functionality. 569 * 570 * @head: Pointer to "struct tomoyo_io_buffer". 571 * @config: Mode for that functionality. 572 * 573 * Returns nothing. 574 * 575 * Caller prints functionality's name. 576 */ 577static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config) 578{ 579 tomoyo_io_printf(head, "={ mode=%s grant_log=%s reject_log=%s }\n", 580 tomoyo_mode[config & 3], 581 tomoyo_yesno(config & TOMOYO_CONFIG_WANT_GRANT_LOG), 582 tomoyo_yesno(config & TOMOYO_CONFIG_WANT_REJECT_LOG)); 583} 584 585/** 586 * tomoyo_read_profile - Read profile table. 587 * 588 * @head: Pointer to "struct tomoyo_io_buffer". 589 * 590 * Returns nothing. 591 */ 592static void tomoyo_read_profile(struct tomoyo_io_buffer *head) 593{ 594 u8 index; 595 struct tomoyo_policy_namespace *ns = 596 container_of(head->r.ns, typeof(*ns), namespace_list); 597 const struct tomoyo_profile *profile; 598 if (head->r.eof) 599 return; 600 next: 601 index = head->r.index; 602 profile = ns->profile_ptr[index]; 603 switch (head->r.step) { 604 case 0: 605 tomoyo_print_namespace(head); 606 tomoyo_io_printf(head, "PROFILE_VERSION=%u\n", 607 ns->profile_version); 608 head->r.step++; 609 break; 610 case 1: 611 for ( ; head->r.index < TOMOYO_MAX_PROFILES; 612 head->r.index++) 613 if (ns->profile_ptr[head->r.index]) 614 break; 615 if (head->r.index == TOMOYO_MAX_PROFILES) 616 return; 617 head->r.step++; 618 break; 619 case 2: 620 { 621 u8 i; 622 const struct tomoyo_path_info *comment = 623 profile->comment; 624 tomoyo_print_namespace(head); 625 tomoyo_io_printf(head, "%u-COMMENT=", index); 626 tomoyo_set_string(head, comment ? comment->name : ""); 627 tomoyo_set_lf(head); 628 tomoyo_io_printf(head, "%u-PREFERENCE={ ", index); 629 for (i = 0; i < TOMOYO_MAX_PREF; i++) 630 tomoyo_io_printf(head, "%s=%u ", 631 tomoyo_pref_keywords[i], 632 profile->pref[i]); 633 tomoyo_set_string(head, "}\n"); 634 head->r.step++; 635 } 636 break; 637 case 3: 638 { 639 tomoyo_print_namespace(head); 640 tomoyo_io_printf(head, "%u-%s", index, "CONFIG"); 641 tomoyo_print_config(head, profile->default_config); 642 head->r.bit = 0; 643 head->r.step++; 644 } 645 break; 646 case 4: 647 for ( ; head->r.bit < TOMOYO_MAX_MAC_INDEX 648 + TOMOYO_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { 649 const u8 i = head->r.bit; 650 const u8 config = profile->config[i]; 651 if (config == TOMOYO_CONFIG_USE_DEFAULT) 652 continue; 653 tomoyo_print_namespace(head); 654 if (i < TOMOYO_MAX_MAC_INDEX) 655 tomoyo_io_printf(head, "%u-CONFIG::%s::%s", 656 index, 657 tomoyo_category_keywords 658 [tomoyo_index2category[i]], 659 tomoyo_mac_keywords[i]); 660 else 661 tomoyo_io_printf(head, "%u-CONFIG::%s", index, 662 tomoyo_mac_keywords[i]); 663 tomoyo_print_config(head, config); 664 head->r.bit++; 665 break; 666 } 667 if (head->r.bit == TOMOYO_MAX_MAC_INDEX 668 + TOMOYO_MAX_MAC_CATEGORY_INDEX) { 669 head->r.index++; 670 head->r.step = 1; 671 } 672 break; 673 } 674 if (tomoyo_flush(head)) 675 goto next; 676} 677 678static bool tomoyo_same_manager(const struct tomoyo_acl_head *a, 679 const struct tomoyo_acl_head *b) 680{ 681 return container_of(a, struct tomoyo_manager, head)->manager == 682 container_of(b, struct tomoyo_manager, head)->manager; 683} 684 685/** 686 * tomoyo_update_manager_entry - Add a manager entry. 687 * 688 * @manager: The path to manager or the domainnamme. 689 * @is_delete: True if it is a delete request. 690 * 691 * Returns 0 on success, negative value otherwise. 692 * 693 * Caller holds tomoyo_read_lock(). 694 */ 695static int tomoyo_update_manager_entry(const char *manager, 696 const bool is_delete) 697{ 698 struct tomoyo_manager e = { }; 699 struct tomoyo_acl_param param = { 700 /* .ns = &tomoyo_kernel_namespace, */ 701 .is_delete = is_delete, 702 .list = &tomoyo_kernel_namespace. 703 policy_list[TOMOYO_ID_MANAGER], 704 }; 705 int error = is_delete ? -ENOENT : -ENOMEM; 706 if (tomoyo_domain_def(manager)) { 707 if (!tomoyo_correct_domain(manager)) 708 return -EINVAL; 709 e.is_domain = true; 710 } else { 711 if (!tomoyo_correct_path(manager)) 712 return -EINVAL; 713 } 714 e.manager = tomoyo_get_name(manager); 715 if (e.manager) { 716 error = tomoyo_update_policy(&e.head, sizeof(e), ¶m, 717 tomoyo_same_manager); 718 tomoyo_put_name(e.manager); 719 } 720 return error; 721} 722 723/** 724 * tomoyo_write_manager - Write manager policy. 725 * 726 * @head: Pointer to "struct tomoyo_io_buffer". 727 * 728 * Returns 0 on success, negative value otherwise. 729 * 730 * Caller holds tomoyo_read_lock(). 731 */ 732static int tomoyo_write_manager(struct tomoyo_io_buffer *head) 733{ 734 char *data = head->write_buf; 735 736 if (!strcmp(data, "manage_by_non_root")) { 737 tomoyo_manage_by_non_root = !head->w.is_delete; 738 return 0; 739 } 740 return tomoyo_update_manager_entry(data, head->w.is_delete); 741} 742 743/** 744 * tomoyo_read_manager - Read manager policy. 745 * 746 * @head: Pointer to "struct tomoyo_io_buffer". 747 * 748 * Caller holds tomoyo_read_lock(). 749 */ 750static void tomoyo_read_manager(struct tomoyo_io_buffer *head) 751{ 752 if (head->r.eof) 753 return; 754 list_for_each_cookie(head->r.acl, &tomoyo_kernel_namespace. 755 policy_list[TOMOYO_ID_MANAGER]) { 756 struct tomoyo_manager *ptr = 757 list_entry(head->r.acl, typeof(*ptr), head.list); 758 if (ptr->head.is_deleted) 759 continue; 760 if (!tomoyo_flush(head)) 761 return; 762 tomoyo_set_string(head, ptr->manager->name); 763 tomoyo_set_lf(head); 764 } 765 head->r.eof = true; 766} 767 768/** 769 * tomoyo_manager - Check whether the current process is a policy manager. 770 * 771 * Returns true if the current process is permitted to modify policy 772 * via /sys/kernel/security/tomoyo/ interface. 773 * 774 * Caller holds tomoyo_read_lock(). 775 */ 776static bool tomoyo_manager(void) 777{ 778 struct tomoyo_manager *ptr; 779 const char *exe; 780 const struct task_struct *task = current; 781 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 782 bool found = false; 783 784 if (!tomoyo_policy_loaded) 785 return true; 786 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) 787 return false; 788 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace. 789 policy_list[TOMOYO_ID_MANAGER], head.list) { 790 if (!ptr->head.is_deleted && ptr->is_domain 791 && !tomoyo_pathcmp(domainname, ptr->manager)) { 792 found = true; 793 break; 794 } 795 } 796 if (found) 797 return true; 798 exe = tomoyo_get_exe(); 799 if (!exe) 800 return false; 801 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace. 802 policy_list[TOMOYO_ID_MANAGER], head.list) { 803 if (!ptr->head.is_deleted && !ptr->is_domain 804 && !strcmp(exe, ptr->manager->name)) { 805 found = true; 806 break; 807 } 808 } 809 if (!found) { /* Reduce error messages. */ 810 static pid_t last_pid; 811 const pid_t pid = current->pid; 812 if (last_pid != pid) { 813 printk(KERN_WARNING "%s ( %s ) is not permitted to " 814 "update policies.\n", domainname->name, exe); 815 last_pid = pid; 816 } 817 } 818 kfree(exe); 819 return found; 820} 821 822/** 823 * tomoyo_select_domain - Parse select command. 824 * 825 * @head: Pointer to "struct tomoyo_io_buffer". 826 * @data: String to parse. 827 * 828 * Returns true on success, false otherwise. 829 * 830 * Caller holds tomoyo_read_lock(). 831 */ 832static bool tomoyo_select_domain(struct tomoyo_io_buffer *head, 833 const char *data) 834{ 835 unsigned int pid; 836 struct tomoyo_domain_info *domain = NULL; 837 bool global_pid = false; 838 if (strncmp(data, "select ", 7)) 839 return false; 840 data += 7; 841 if (sscanf(data, "pid=%u", &pid) == 1 || 842 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { 843 struct task_struct *p; 844 rcu_read_lock(); 845 read_lock(&tasklist_lock); 846 if (global_pid) 847 p = find_task_by_pid_ns(pid, &init_pid_ns); 848 else 849 p = find_task_by_vpid(pid); 850 if (p) 851 domain = tomoyo_real_domain(p); 852 read_unlock(&tasklist_lock); 853 rcu_read_unlock(); 854 } else if (!strncmp(data, "domain=", 7)) { 855 if (tomoyo_domain_def(data + 7)) 856 domain = tomoyo_find_domain(data + 7); 857 } else 858 return false; 859 head->w.domain = domain; 860 /* Accessing read_buf is safe because head->io_sem is held. */ 861 if (!head->read_buf) 862 return true; /* Do nothing if open(O_WRONLY). */ 863 memset(&head->r, 0, sizeof(head->r)); 864 head->r.print_this_domain_only = true; 865 if (domain) 866 head->r.domain = &domain->list; 867 else 868 head->r.eof = 1; 869 tomoyo_io_printf(head, "# select %s\n", data); 870 if (domain && domain->is_deleted) 871 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 872 return true; 873} 874 875/** 876 * tomoyo_delete_domain - Delete a domain. 877 * 878 * @domainname: The name of domain. 879 * 880 * Returns 0. 881 * 882 * Caller holds tomoyo_read_lock(). 883 */ 884static int tomoyo_delete_domain(char *domainname) 885{ 886 struct tomoyo_domain_info *domain; 887 struct tomoyo_path_info name; 888 889 name.name = domainname; 890 tomoyo_fill_path_info(&name); 891 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 892 return 0; 893 /* Is there an active domain? */ 894 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 895 /* Never delete tomoyo_kernel_domain */ 896 if (domain == &tomoyo_kernel_domain) 897 continue; 898 if (domain->is_deleted || 899 tomoyo_pathcmp(domain->domainname, &name)) 900 continue; 901 domain->is_deleted = true; 902 break; 903 } 904 mutex_unlock(&tomoyo_policy_lock); 905 return 0; 906} 907 908/** 909 * tomoyo_write_domain2 - Write domain policy. 910 * 911 * @ns: Pointer to "struct tomoyo_policy_namespace". 912 * @list: Pointer to "struct list_head". 913 * @data: Policy to be interpreted. 914 * @is_delete: True if it is a delete request. 915 * 916 * Returns 0 on success, negative value otherwise. 917 * 918 * Caller holds tomoyo_read_lock(). 919 */ 920static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns, 921 struct list_head *list, char *data, 922 const bool is_delete) 923{ 924 struct tomoyo_acl_param param = { 925 .ns = ns, 926 .list = list, 927 .data = data, 928 .is_delete = is_delete, 929 }; 930 static const struct { 931 const char *keyword; 932 int (*write) (struct tomoyo_acl_param *); 933 } tomoyo_callback[1] = { 934 { "file ", tomoyo_write_file }, 935 }; 936 u8 i; 937 for (i = 0; i < 1; i++) { 938 if (!tomoyo_str_starts(¶m.data, 939 tomoyo_callback[i].keyword)) 940 continue; 941 return tomoyo_callback[i].write(¶m); 942 } 943 return -EINVAL; 944} 945 946/* String table for domain flags. */ 947const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS] = { 948 [TOMOYO_DIF_QUOTA_WARNED] = "quota_exceeded\n", 949 [TOMOYO_DIF_TRANSITION_FAILED] = "transition_failed\n", 950}; 951 952/** 953 * tomoyo_write_domain - Write domain policy. 954 * 955 * @head: Pointer to "struct tomoyo_io_buffer". 956 * 957 * Returns 0 on success, negative value otherwise. 958 * 959 * Caller holds tomoyo_read_lock(). 960 */ 961static int tomoyo_write_domain(struct tomoyo_io_buffer *head) 962{ 963 char *data = head->write_buf; 964 struct tomoyo_policy_namespace *ns; 965 struct tomoyo_domain_info *domain = head->w.domain; 966 const bool is_delete = head->w.is_delete; 967 bool is_select = !is_delete && tomoyo_str_starts(&data, "select "); 968 unsigned int profile; 969 if (*data == '<') { 970 domain = NULL; 971 if (is_delete) 972 tomoyo_delete_domain(data); 973 else if (is_select) 974 domain = tomoyo_find_domain(data); 975 else 976 domain = tomoyo_assign_domain(data, false); 977 head->w.domain = domain; 978 return 0; 979 } 980 if (!domain) 981 return -EINVAL; 982 ns = domain->ns; 983 if (sscanf(data, "use_profile %u", &profile) == 1 984 && profile < TOMOYO_MAX_PROFILES) { 985 if (!tomoyo_policy_loaded || ns->profile_ptr[profile]) 986 domain->profile = (u8) profile; 987 return 0; 988 } 989 if (sscanf(data, "use_group %u\n", &profile) == 1 990 && profile < TOMOYO_MAX_ACL_GROUPS) { 991 if (!is_delete) 992 domain->group = (u8) profile; 993 return 0; 994 } 995 for (profile = 0; profile < TOMOYO_MAX_DOMAIN_INFO_FLAGS; profile++) { 996 const char *cp = tomoyo_dif[profile]; 997 if (strncmp(data, cp, strlen(cp) - 1)) 998 continue; 999 domain->flags[profile] = !is_delete; 1000 return 0; 1001 } 1002 return tomoyo_write_domain2(ns, &domain->acl_info_list, data, 1003 is_delete); 1004} 1005 1006/** 1007 * tomoyo_set_group - Print "acl_group " header keyword and category name. 1008 * 1009 * @head: Pointer to "struct tomoyo_io_buffer". 1010 * @category: Category name. 1011 * 1012 * Returns nothing. 1013 */ 1014static void tomoyo_set_group(struct tomoyo_io_buffer *head, 1015 const char *category) 1016{ 1017 if (head->type == TOMOYO_EXCEPTIONPOLICY) { 1018 tomoyo_print_namespace(head); 1019 tomoyo_io_printf(head, "acl_group %u ", 1020 head->r.acl_group_index); 1021 } 1022 tomoyo_set_string(head, category); 1023} 1024 1025/** 1026 * tomoyo_print_entry - Print an ACL entry. 1027 * 1028 * @head: Pointer to "struct tomoyo_io_buffer". 1029 * @acl: Pointer to an ACL entry. 1030 * 1031 * Returns true on success, false otherwise. 1032 */ 1033static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 1034 struct tomoyo_acl_info *acl) 1035{ 1036 const u8 acl_type = acl->type; 1037 bool first = true; 1038 u8 bit; 1039 1040 if (acl->is_deleted) 1041 return true; 1042 if (!tomoyo_flush(head)) 1043 return false; 1044 else if (acl_type == TOMOYO_TYPE_PATH_ACL) { 1045 struct tomoyo_path_acl *ptr = 1046 container_of(acl, typeof(*ptr), head); 1047 const u16 perm = ptr->perm; 1048 for (bit = 0; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 1049 if (!(perm & (1 << bit))) 1050 continue; 1051 if (head->r.print_transition_related_only && 1052 bit != TOMOYO_TYPE_EXECUTE) 1053 continue; 1054 if (first) { 1055 tomoyo_set_group(head, "file "); 1056 first = false; 1057 } else { 1058 tomoyo_set_slash(head); 1059 } 1060 tomoyo_set_string(head, tomoyo_path_keyword[bit]); 1061 } 1062 if (first) 1063 return true; 1064 tomoyo_print_name_union(head, &ptr->name); 1065 } else if (head->r.print_transition_related_only) { 1066 return true; 1067 } else if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 1068 struct tomoyo_path2_acl *ptr = 1069 container_of(acl, typeof(*ptr), head); 1070 const u8 perm = ptr->perm; 1071 for (bit = 0; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { 1072 if (!(perm & (1 << bit))) 1073 continue; 1074 if (first) { 1075 tomoyo_set_group(head, "file "); 1076 first = false; 1077 } else { 1078 tomoyo_set_slash(head); 1079 } 1080 tomoyo_set_string(head, tomoyo_mac_keywords 1081 [tomoyo_pp2mac[bit]]); 1082 } 1083 if (first) 1084 return true; 1085 tomoyo_print_name_union(head, &ptr->name1); 1086 tomoyo_print_name_union(head, &ptr->name2); 1087 } else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { 1088 struct tomoyo_path_number_acl *ptr = 1089 container_of(acl, typeof(*ptr), head); 1090 const u8 perm = ptr->perm; 1091 for (bit = 0; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; bit++) { 1092 if (!(perm & (1 << bit))) 1093 continue; 1094 if (first) { 1095 tomoyo_set_group(head, "file "); 1096 first = false; 1097 } else { 1098 tomoyo_set_slash(head); 1099 } 1100 tomoyo_set_string(head, tomoyo_mac_keywords 1101 [tomoyo_pn2mac[bit]]); 1102 } 1103 if (first) 1104 return true; 1105 tomoyo_print_name_union(head, &ptr->name); 1106 tomoyo_print_number_union(head, &ptr->number); 1107 } else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) { 1108 struct tomoyo_mkdev_acl *ptr = 1109 container_of(acl, typeof(*ptr), head); 1110 const u8 perm = ptr->perm; 1111 for (bit = 0; bit < TOMOYO_MAX_MKDEV_OPERATION; bit++) { 1112 if (!(perm & (1 << bit))) 1113 continue; 1114 if (first) { 1115 tomoyo_set_group(head, "file "); 1116 first = false; 1117 } else { 1118 tomoyo_set_slash(head); 1119 } 1120 tomoyo_set_string(head, tomoyo_mac_keywords 1121 [tomoyo_pnnn2mac[bit]]); 1122 } 1123 if (first) 1124 return true; 1125 tomoyo_print_name_union(head, &ptr->name); 1126 tomoyo_print_number_union(head, &ptr->mode); 1127 tomoyo_print_number_union(head, &ptr->major); 1128 tomoyo_print_number_union(head, &ptr->minor); 1129 } else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { 1130 struct tomoyo_mount_acl *ptr = 1131 container_of(acl, typeof(*ptr), head); 1132 tomoyo_set_group(head, "file mount"); 1133 tomoyo_print_name_union(head, &ptr->dev_name); 1134 tomoyo_print_name_union(head, &ptr->dir_name); 1135 tomoyo_print_name_union(head, &ptr->fs_type); 1136 tomoyo_print_number_union(head, &ptr->flags); 1137 } 1138 tomoyo_set_lf(head); 1139 return true; 1140} 1141 1142/** 1143 * tomoyo_read_domain2 - Read domain policy. 1144 * 1145 * @head: Pointer to "struct tomoyo_io_buffer". 1146 * @list: Pointer to "struct list_head". 1147 * 1148 * Caller holds tomoyo_read_lock(). 1149 * 1150 * Returns true on success, false otherwise. 1151 */ 1152static bool tomoyo_read_domain2(struct tomoyo_io_buffer *head, 1153 struct list_head *list) 1154{ 1155 list_for_each_cookie(head->r.acl, list) { 1156 struct tomoyo_acl_info *ptr = 1157 list_entry(head->r.acl, typeof(*ptr), list); 1158 if (!tomoyo_print_entry(head, ptr)) 1159 return false; 1160 } 1161 head->r.acl = NULL; 1162 return true; 1163} 1164 1165/** 1166 * tomoyo_read_domain - Read domain policy. 1167 * 1168 * @head: Pointer to "struct tomoyo_io_buffer". 1169 * 1170 * Caller holds tomoyo_read_lock(). 1171 */ 1172static void tomoyo_read_domain(struct tomoyo_io_buffer *head) 1173{ 1174 if (head->r.eof) 1175 return; 1176 list_for_each_cookie(head->r.domain, &tomoyo_domain_list) { 1177 struct tomoyo_domain_info *domain = 1178 list_entry(head->r.domain, typeof(*domain), list); 1179 switch (head->r.step) { 1180 u8 i; 1181 case 0: 1182 if (domain->is_deleted && 1183 !head->r.print_this_domain_only) 1184 continue; 1185 /* Print domainname and flags. */ 1186 tomoyo_set_string(head, domain->domainname->name); 1187 tomoyo_set_lf(head); 1188 tomoyo_io_printf(head, "use_profile %u\n", 1189 domain->profile); 1190 tomoyo_io_printf(head, "use_group %u\n", 1191 domain->group); 1192 for (i = 0; i < TOMOYO_MAX_DOMAIN_INFO_FLAGS; i++) 1193 if (domain->flags[i]) 1194 tomoyo_set_string(head, tomoyo_dif[i]); 1195 head->r.step++; 1196 tomoyo_set_lf(head); 1197 /* fall through */ 1198 case 1: 1199 if (!tomoyo_read_domain2(head, &domain->acl_info_list)) 1200 return; 1201 head->r.step++; 1202 if (!tomoyo_set_lf(head)) 1203 return; 1204 /* fall through */ 1205 case 2: 1206 head->r.step = 0; 1207 if (head->r.print_this_domain_only) 1208 goto done; 1209 } 1210 } 1211 done: 1212 head->r.eof = true; 1213} 1214 1215/** 1216 * tomoyo_write_domain_profile - Assign profile for specified domain. 1217 * 1218 * @head: Pointer to "struct tomoyo_io_buffer". 1219 * 1220 * Returns 0 on success, -EINVAL otherwise. 1221 * 1222 * This is equivalent to doing 1223 * 1224 * ( echo "select " $domainname; echo "use_profile " $profile ) | 1225 * /usr/sbin/tomoyo-loadpolicy -d 1226 * 1227 * Caller holds tomoyo_read_lock(). 1228 */ 1229static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head) 1230{ 1231 char *data = head->write_buf; 1232 char *cp = strchr(data, ' '); 1233 struct tomoyo_domain_info *domain; 1234 unsigned long profile; 1235 1236 if (!cp) 1237 return -EINVAL; 1238 *cp = '\0'; 1239 domain = tomoyo_find_domain(cp + 1); 1240 if (strict_strtoul(data, 10, &profile)) 1241 return -EINVAL; 1242 if (domain && (!tomoyo_policy_loaded || 1243 head->w.ns->profile_ptr[(u8) profile])) 1244 domain->profile = (u8) profile; 1245 return 0; 1246} 1247 1248/** 1249 * tomoyo_read_domain_profile - Read only domainname and profile. 1250 * 1251 * @head: Pointer to "struct tomoyo_io_buffer". 1252 * 1253 * Returns list of profile number and domainname pairs. 1254 * 1255 * This is equivalent to doing 1256 * 1257 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy | 1258 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" ) 1259 * domainname = $0; } else if ( $1 == "use_profile" ) { 1260 * print $2 " " domainname; domainname = ""; } } ; ' 1261 * 1262 * Caller holds tomoyo_read_lock(). 1263 */ 1264static void tomoyo_read_domain_profile(struct tomoyo_io_buffer *head) 1265{ 1266 if (head->r.eof) 1267 return; 1268 list_for_each_cookie(head->r.domain, &tomoyo_domain_list) { 1269 struct tomoyo_domain_info *domain = 1270 list_entry(head->r.domain, typeof(*domain), list); 1271 if (domain->is_deleted) 1272 continue; 1273 if (!tomoyo_flush(head)) 1274 return; 1275 tomoyo_io_printf(head, "%u ", domain->profile); 1276 tomoyo_set_string(head, domain->domainname->name); 1277 tomoyo_set_lf(head); 1278 } 1279 head->r.eof = true; 1280} 1281 1282/** 1283 * tomoyo_write_pid: Specify PID to obtain domainname. 1284 * 1285 * @head: Pointer to "struct tomoyo_io_buffer". 1286 * 1287 * Returns 0. 1288 */ 1289static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1290{ 1291 head->r.eof = false; 1292 return 0; 1293} 1294 1295/** 1296 * tomoyo_read_pid - Get domainname of the specified PID. 1297 * 1298 * @head: Pointer to "struct tomoyo_io_buffer". 1299 * 1300 * Returns the domainname which the specified PID is in on success, 1301 * empty string otherwise. 1302 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1303 * using read()/write() interface rather than sysctl() interface. 1304 */ 1305static void tomoyo_read_pid(struct tomoyo_io_buffer *head) 1306{ 1307 char *buf = head->write_buf; 1308 bool global_pid = false; 1309 unsigned int pid; 1310 struct task_struct *p; 1311 struct tomoyo_domain_info *domain = NULL; 1312 1313 /* Accessing write_buf is safe because head->io_sem is held. */ 1314 if (!buf) { 1315 head->r.eof = true; 1316 return; /* Do nothing if open(O_RDONLY). */ 1317 } 1318 if (head->r.w_pos || head->r.eof) 1319 return; 1320 head->r.eof = true; 1321 if (tomoyo_str_starts(&buf, "global-pid ")) 1322 global_pid = true; 1323 pid = (unsigned int) simple_strtoul(buf, NULL, 10); 1324 rcu_read_lock(); 1325 read_lock(&tasklist_lock); 1326 if (global_pid) 1327 p = find_task_by_pid_ns(pid, &init_pid_ns); 1328 else 1329 p = find_task_by_vpid(pid); 1330 if (p) 1331 domain = tomoyo_real_domain(p); 1332 read_unlock(&tasklist_lock); 1333 rcu_read_unlock(); 1334 if (!domain) 1335 return; 1336 tomoyo_io_printf(head, "%u %u ", pid, domain->profile); 1337 tomoyo_set_string(head, domain->domainname->name); 1338} 1339 1340static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = { 1341 [TOMOYO_TRANSITION_CONTROL_NO_RESET] = "no_reset_domain ", 1342 [TOMOYO_TRANSITION_CONTROL_RESET] = "reset_domain ", 1343 [TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ", 1344 [TOMOYO_TRANSITION_CONTROL_INITIALIZE] = "initialize_domain ", 1345 [TOMOYO_TRANSITION_CONTROL_NO_KEEP] = "no_keep_domain ", 1346 [TOMOYO_TRANSITION_CONTROL_KEEP] = "keep_domain ", 1347}; 1348 1349static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = { 1350 [TOMOYO_PATH_GROUP] = "path_group ", 1351 [TOMOYO_NUMBER_GROUP] = "number_group ", 1352}; 1353 1354/** 1355 * tomoyo_write_exception - Write exception policy. 1356 * 1357 * @head: Pointer to "struct tomoyo_io_buffer". 1358 * 1359 * Returns 0 on success, negative value otherwise. 1360 * 1361 * Caller holds tomoyo_read_lock(). 1362 */ 1363static int tomoyo_write_exception(struct tomoyo_io_buffer *head) 1364{ 1365 const bool is_delete = head->w.is_delete; 1366 struct tomoyo_acl_param param = { 1367 .ns = head->w.ns, 1368 .is_delete = is_delete, 1369 .data = head->write_buf, 1370 }; 1371 u8 i; 1372 if (tomoyo_str_starts(¶m.data, "aggregator ")) 1373 return tomoyo_write_aggregator(¶m); 1374 for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++) 1375 if (tomoyo_str_starts(¶m.data, tomoyo_transition_type[i])) 1376 return tomoyo_write_transition_control(¶m, i); 1377 for (i = 0; i < TOMOYO_MAX_GROUP; i++) 1378 if (tomoyo_str_starts(¶m.data, tomoyo_group_name[i])) 1379 return tomoyo_write_group(¶m, i); 1380 if (tomoyo_str_starts(¶m.data, "acl_group ")) { 1381 unsigned int group; 1382 char *data; 1383 group = simple_strtoul(param.data, &data, 10); 1384 if (group < TOMOYO_MAX_ACL_GROUPS && *data++ == ' ') 1385 return tomoyo_write_domain2 1386 (head->w.ns, &head->w.ns->acl_group[group], 1387 data, is_delete); 1388 } 1389 return -EINVAL; 1390} 1391 1392/** 1393 * tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group" list. 1394 * 1395 * @head: Pointer to "struct tomoyo_io_buffer". 1396 * @idx: Index number. 1397 * 1398 * Returns true on success, false otherwise. 1399 * 1400 * Caller holds tomoyo_read_lock(). 1401 */ 1402static bool tomoyo_read_group(struct tomoyo_io_buffer *head, const int idx) 1403{ 1404 struct tomoyo_policy_namespace *ns = 1405 container_of(head->r.ns, typeof(*ns), namespace_list); 1406 struct list_head *list = &ns->group_list[idx]; 1407 list_for_each_cookie(head->r.group, list) { 1408 struct tomoyo_group *group = 1409 list_entry(head->r.group, typeof(*group), head.list); 1410 list_for_each_cookie(head->r.acl, &group->member_list) { 1411 struct tomoyo_acl_head *ptr = 1412 list_entry(head->r.acl, typeof(*ptr), list); 1413 if (ptr->is_deleted) 1414 continue; 1415 if (!tomoyo_flush(head)) 1416 return false; 1417 tomoyo_print_namespace(head); 1418 tomoyo_set_string(head, tomoyo_group_name[idx]); 1419 tomoyo_set_string(head, group->group_name->name); 1420 if (idx == TOMOYO_PATH_GROUP) { 1421 tomoyo_set_space(head); 1422 tomoyo_set_string(head, container_of 1423 (ptr, struct tomoyo_path_group, 1424 head)->member_name->name); 1425 } else if (idx == TOMOYO_NUMBER_GROUP) { 1426 tomoyo_print_number_union(head, &container_of 1427 (ptr, 1428 struct tomoyo_number_group, 1429 head)->number); 1430 } 1431 tomoyo_set_lf(head); 1432 } 1433 head->r.acl = NULL; 1434 } 1435 head->r.group = NULL; 1436 return true; 1437} 1438 1439/** 1440 * tomoyo_read_policy - Read "struct tomoyo_..._entry" list. 1441 * 1442 * @head: Pointer to "struct tomoyo_io_buffer". 1443 * @idx: Index number. 1444 * 1445 * Returns true on success, false otherwise. 1446 * 1447 * Caller holds tomoyo_read_lock(). 1448 */ 1449static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) 1450{ 1451 struct tomoyo_policy_namespace *ns = 1452 container_of(head->r.ns, typeof(*ns), namespace_list); 1453 struct list_head *list = &ns->policy_list[idx]; 1454 list_for_each_cookie(head->r.acl, list) { 1455 struct tomoyo_acl_head *acl = 1456 container_of(head->r.acl, typeof(*acl), list); 1457 if (acl->is_deleted) 1458 continue; 1459 if (!tomoyo_flush(head)) 1460 return false; 1461 switch (idx) { 1462 case TOMOYO_ID_TRANSITION_CONTROL: 1463 { 1464 struct tomoyo_transition_control *ptr = 1465 container_of(acl, typeof(*ptr), head); 1466 tomoyo_print_namespace(head); 1467 tomoyo_set_string(head, tomoyo_transition_type 1468 [ptr->type]); 1469 tomoyo_set_string(head, ptr->program ? 1470 ptr->program->name : "any"); 1471 tomoyo_set_string(head, " from "); 1472 tomoyo_set_string(head, ptr->domainname ? 1473 ptr->domainname->name : 1474 "any"); 1475 } 1476 break; 1477 case TOMOYO_ID_AGGREGATOR: 1478 { 1479 struct tomoyo_aggregator *ptr = 1480 container_of(acl, typeof(*ptr), head); 1481 tomoyo_print_namespace(head); 1482 tomoyo_set_string(head, "aggregator "); 1483 tomoyo_set_string(head, 1484 ptr->original_name->name); 1485 tomoyo_set_space(head); 1486 tomoyo_set_string(head, 1487 ptr->aggregated_name->name); 1488 } 1489 break; 1490 default: 1491 continue; 1492 } 1493 tomoyo_set_lf(head); 1494 } 1495 head->r.acl = NULL; 1496 return true; 1497} 1498 1499/** 1500 * tomoyo_read_exception - Read exception policy. 1501 * 1502 * @head: Pointer to "struct tomoyo_io_buffer". 1503 * 1504 * Caller holds tomoyo_read_lock(). 1505 */ 1506static void tomoyo_read_exception(struct tomoyo_io_buffer *head) 1507{ 1508 struct tomoyo_policy_namespace *ns = 1509 container_of(head->r.ns, typeof(*ns), namespace_list); 1510 if (head->r.eof) 1511 return; 1512 while (head->r.step < TOMOYO_MAX_POLICY && 1513 tomoyo_read_policy(head, head->r.step)) 1514 head->r.step++; 1515 if (head->r.step < TOMOYO_MAX_POLICY) 1516 return; 1517 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP && 1518 tomoyo_read_group(head, head->r.step - TOMOYO_MAX_POLICY)) 1519 head->r.step++; 1520 if (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP) 1521 return; 1522 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP 1523 + TOMOYO_MAX_ACL_GROUPS) { 1524 head->r.acl_group_index = head->r.step - TOMOYO_MAX_POLICY 1525 - TOMOYO_MAX_GROUP; 1526 if (!tomoyo_read_domain2(head, &ns->acl_group 1527 [head->r.acl_group_index])) 1528 return; 1529 head->r.step++; 1530 } 1531 head->r.eof = true; 1532} 1533 1534/* Wait queue for kernel -> userspace notification. */ 1535static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait); 1536/* Wait queue for userspace -> kernel notification. */ 1537static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait); 1538 1539/* Structure for query. */ 1540struct tomoyo_query { 1541 struct list_head list; 1542 char *query; 1543 size_t query_len; 1544 unsigned int serial; 1545 u8 timer; 1546 u8 answer; 1547 u8 retry; 1548}; 1549 1550/* The list for "struct tomoyo_query". */ 1551static LIST_HEAD(tomoyo_query_list); 1552 1553/* Lock for manipulating tomoyo_query_list. */ 1554static DEFINE_SPINLOCK(tomoyo_query_list_lock); 1555 1556/* 1557 * Number of "struct file" referring /sys/kernel/security/tomoyo/query 1558 * interface. 1559 */ 1560static atomic_t tomoyo_query_observers = ATOMIC_INIT(0); 1561 1562/** 1563 * tomoyo_add_entry - Add an ACL to current thread's domain. Used by learning mode. 1564 * 1565 * @domain: Pointer to "struct tomoyo_domain_info". 1566 * @header: Lines containing ACL. 1567 * 1568 * Returns nothing. 1569 */ 1570static void tomoyo_add_entry(struct tomoyo_domain_info *domain, char *header) 1571{ 1572 char *buffer; 1573 char *cp = strchr(header, '\n'); 1574 int len; 1575 if (!cp) 1576 return; 1577 cp = strchr(cp + 1, '\n'); 1578 if (!cp) 1579 return; 1580 *cp++ = '\0'; 1581 len = strlen(cp) + 1; 1582 buffer = kmalloc(len, GFP_NOFS); 1583 if (!buffer) 1584 return; 1585 snprintf(buffer, len - 1, "%s", cp); 1586 tomoyo_normalize_line(buffer); 1587 if (!tomoyo_write_domain2(domain->ns, &domain->acl_info_list, buffer, 1588 false)) 1589 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 1590 kfree(buffer); 1591} 1592 1593/** 1594 * tomoyo_supervisor - Ask for the supervisor's decision. 1595 * 1596 * @r: Pointer to "struct tomoyo_request_info". 1597 * @fmt: The printf()'s format string, followed by parameters. 1598 * 1599 * Returns 0 if the supervisor decided to permit the access request which 1600 * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the 1601 * supervisor decided to retry the access request which violated the policy in 1602 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise. 1603 */ 1604int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 1605{ 1606 va_list args; 1607 int error; 1608 int len; 1609 static unsigned int tomoyo_serial; 1610 struct tomoyo_query entry = { }; 1611 bool quota_exceeded = false; 1612 va_start(args, fmt); 1613 len = vsnprintf((char *) &len, 1, fmt, args) + 1; 1614 va_end(args); 1615 /* Write /sys/kernel/security/tomoyo/audit. */ 1616 va_start(args, fmt); 1617 tomoyo_write_log2(r, len, fmt, args); 1618 va_end(args); 1619 /* Nothing more to do if granted. */ 1620 if (r->granted) 1621 return 0; 1622 if (r->mode) 1623 tomoyo_update_stat(r->mode); 1624 switch (r->mode) { 1625 case TOMOYO_CONFIG_ENFORCING: 1626 error = -EPERM; 1627 if (atomic_read(&tomoyo_query_observers)) 1628 break; 1629 goto out; 1630 case TOMOYO_CONFIG_LEARNING: 1631 error = 0; 1632 /* Check max_learning_entry parameter. */ 1633 if (tomoyo_domain_quota_is_ok(r)) 1634 break; 1635 /* fall through */ 1636 default: 1637 return 0; 1638 } 1639 /* Get message. */ 1640 va_start(args, fmt); 1641 entry.query = tomoyo_init_log(r, len, fmt, args); 1642 va_end(args); 1643 if (!entry.query) 1644 goto out; 1645 entry.query_len = strlen(entry.query) + 1; 1646 if (!error) { 1647 tomoyo_add_entry(r->domain, entry.query); 1648 goto out; 1649 } 1650 len = tomoyo_round2(entry.query_len); 1651 spin_lock(&tomoyo_query_list_lock); 1652 if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] && 1653 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len 1654 >= tomoyo_memory_quota[TOMOYO_MEMORY_QUERY]) { 1655 quota_exceeded = true; 1656 } else { 1657 entry.serial = tomoyo_serial++; 1658 entry.retry = r->retry; 1659 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] += len; 1660 list_add_tail(&entry.list, &tomoyo_query_list); 1661 } 1662 spin_unlock(&tomoyo_query_list_lock); 1663 if (quota_exceeded) 1664 goto out; 1665 /* Give 10 seconds for supervisor's opinion. */ 1666 while (entry.timer < 10) { 1667 wake_up_all(&tomoyo_query_wait); 1668 if (wait_event_interruptible_timeout 1669 (tomoyo_answer_wait, entry.answer || 1670 !atomic_read(&tomoyo_query_observers), HZ)) 1671 break; 1672 else 1673 entry.timer++; 1674 } 1675 spin_lock(&tomoyo_query_list_lock); 1676 list_del(&entry.list); 1677 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] -= len; 1678 spin_unlock(&tomoyo_query_list_lock); 1679 switch (entry.answer) { 1680 case 3: /* Asked to retry by administrator. */ 1681 error = TOMOYO_RETRY_REQUEST; 1682 r->retry++; 1683 break; 1684 case 1: 1685 /* Granted by administrator. */ 1686 error = 0; 1687 break; 1688 default: 1689 /* Timed out or rejected by administrator. */ 1690 break; 1691 } 1692out: 1693 kfree(entry.query); 1694 return error; 1695} 1696 1697/** 1698 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query. 1699 * 1700 * @file: Pointer to "struct file". 1701 * @wait: Pointer to "poll_table". 1702 * 1703 * Returns POLLIN | POLLRDNORM when ready to read, 0 otherwise. 1704 * 1705 * Waits for access requests which violated policy in enforcing mode. 1706 */ 1707static int tomoyo_poll_query(struct file *file, poll_table *wait) 1708{ 1709 struct list_head *tmp; 1710 bool found = false; 1711 u8 i; 1712 for (i = 0; i < 2; i++) { 1713 spin_lock(&tomoyo_query_list_lock); 1714 list_for_each(tmp, &tomoyo_query_list) { 1715 struct tomoyo_query *ptr = 1716 list_entry(tmp, typeof(*ptr), list); 1717 if (ptr->answer) 1718 continue; 1719 found = true; 1720 break; 1721 } 1722 spin_unlock(&tomoyo_query_list_lock); 1723 if (found) 1724 return POLLIN | POLLRDNORM; 1725 if (i) 1726 break; 1727 poll_wait(file, &tomoyo_query_wait, wait); 1728 } 1729 return 0; 1730} 1731 1732/** 1733 * tomoyo_read_query - Read access requests which violated policy in enforcing mode. 1734 * 1735 * @head: Pointer to "struct tomoyo_io_buffer". 1736 */ 1737static void tomoyo_read_query(struct tomoyo_io_buffer *head) 1738{ 1739 struct list_head *tmp; 1740 unsigned int pos = 0; 1741 size_t len = 0; 1742 char *buf; 1743 if (head->r.w_pos) 1744 return; 1745 if (head->read_buf) { 1746 kfree(head->read_buf); 1747 head->read_buf = NULL; 1748 } 1749 spin_lock(&tomoyo_query_list_lock); 1750 list_for_each(tmp, &tomoyo_query_list) { 1751 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1752 if (ptr->answer) 1753 continue; 1754 if (pos++ != head->r.query_index) 1755 continue; 1756 len = ptr->query_len; 1757 break; 1758 } 1759 spin_unlock(&tomoyo_query_list_lock); 1760 if (!len) { 1761 head->r.query_index = 0; 1762 return; 1763 } 1764 buf = kzalloc(len + 32, GFP_NOFS); 1765 if (!buf) 1766 return; 1767 pos = 0; 1768 spin_lock(&tomoyo_query_list_lock); 1769 list_for_each(tmp, &tomoyo_query_list) { 1770 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1771 if (ptr->answer) 1772 continue; 1773 if (pos++ != head->r.query_index) 1774 continue; 1775 /* 1776 * Some query can be skipped because tomoyo_query_list 1777 * can change, but I don't care. 1778 */ 1779 if (len == ptr->query_len) 1780 snprintf(buf, len + 31, "Q%u-%hu\n%s", ptr->serial, 1781 ptr->retry, ptr->query); 1782 break; 1783 } 1784 spin_unlock(&tomoyo_query_list_lock); 1785 if (buf[0]) { 1786 head->read_buf = buf; 1787 head->r.w[head->r.w_pos++] = buf; 1788 head->r.query_index++; 1789 } else { 1790 kfree(buf); 1791 } 1792} 1793 1794/** 1795 * tomoyo_write_answer - Write the supervisor's decision. 1796 * 1797 * @head: Pointer to "struct tomoyo_io_buffer". 1798 * 1799 * Returns 0 on success, -EINVAL otherwise. 1800 */ 1801static int tomoyo_write_answer(struct tomoyo_io_buffer *head) 1802{ 1803 char *data = head->write_buf; 1804 struct list_head *tmp; 1805 unsigned int serial; 1806 unsigned int answer; 1807 spin_lock(&tomoyo_query_list_lock); 1808 list_for_each(tmp, &tomoyo_query_list) { 1809 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1810 ptr->timer = 0; 1811 } 1812 spin_unlock(&tomoyo_query_list_lock); 1813 if (sscanf(data, "A%u=%u", &serial, &answer) != 2) 1814 return -EINVAL; 1815 spin_lock(&tomoyo_query_list_lock); 1816 list_for_each(tmp, &tomoyo_query_list) { 1817 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1818 if (ptr->serial != serial) 1819 continue; 1820 if (!ptr->answer) 1821 ptr->answer = answer; 1822 break; 1823 } 1824 spin_unlock(&tomoyo_query_list_lock); 1825 return 0; 1826} 1827 1828/** 1829 * tomoyo_read_version: Get version. 1830 * 1831 * @head: Pointer to "struct tomoyo_io_buffer". 1832 * 1833 * Returns version information. 1834 */ 1835static void tomoyo_read_version(struct tomoyo_io_buffer *head) 1836{ 1837 if (!head->r.eof) { 1838 tomoyo_io_printf(head, "2.4.0"); 1839 head->r.eof = true; 1840 } 1841} 1842 1843/** 1844 * tomoyo_read_self_domain - Get the current process's domainname. 1845 * 1846 * @head: Pointer to "struct tomoyo_io_buffer". 1847 * 1848 * Returns the current process's domainname. 1849 */ 1850static void tomoyo_read_self_domain(struct tomoyo_io_buffer *head) 1851{ 1852 if (!head->r.eof) { 1853 /* 1854 * tomoyo_domain()->domainname != NULL 1855 * because every process belongs to a domain and 1856 * the domain's name cannot be NULL. 1857 */ 1858 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); 1859 head->r.eof = true; 1860 } 1861} 1862 1863/* String table for /sys/kernel/security/tomoyo/stat interface. */ 1864static const char * const tomoyo_policy_headers[TOMOYO_MAX_POLICY_STAT] = { 1865 [TOMOYO_STAT_POLICY_UPDATES] = "update:", 1866 [TOMOYO_STAT_POLICY_LEARNING] = "violation in learning mode:", 1867 [TOMOYO_STAT_POLICY_PERMISSIVE] = "violation in permissive mode:", 1868 [TOMOYO_STAT_POLICY_ENFORCING] = "violation in enforcing mode:", 1869}; 1870 1871/* String table for /sys/kernel/security/tomoyo/stat interface. */ 1872static const char * const tomoyo_memory_headers[TOMOYO_MAX_MEMORY_STAT] = { 1873 [TOMOYO_MEMORY_POLICY] = "policy:", 1874 [TOMOYO_MEMORY_AUDIT] = "audit log:", 1875 [TOMOYO_MEMORY_QUERY] = "query message:", 1876}; 1877 1878/* Timestamp counter for last updated. */ 1879static unsigned int tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT]; 1880/* Counter for number of updates. */ 1881static unsigned int tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT]; 1882 1883/** 1884 * tomoyo_update_stat - Update statistic counters. 1885 * 1886 * @index: Index for policy type. 1887 * 1888 * Returns nothing. 1889 */ 1890void tomoyo_update_stat(const u8 index) 1891{ 1892 struct timeval tv; 1893 do_gettimeofday(&tv); 1894 /* 1895 * I don't use atomic operations because race condition is not fatal. 1896 */ 1897 tomoyo_stat_updated[index]++; 1898 tomoyo_stat_modified[index] = tv.tv_sec; 1899} 1900 1901/** 1902 * tomoyo_read_stat - Read statistic data. 1903 * 1904 * @head: Pointer to "struct tomoyo_io_buffer". 1905 * 1906 * Returns nothing. 1907 */ 1908static void tomoyo_read_stat(struct tomoyo_io_buffer *head) 1909{ 1910 u8 i; 1911 unsigned int total = 0; 1912 if (head->r.eof) 1913 return; 1914 for (i = 0; i < TOMOYO_MAX_POLICY_STAT; i++) { 1915 tomoyo_io_printf(head, "Policy %-30s %10u", 1916 tomoyo_policy_headers[i], 1917 tomoyo_stat_updated[i]); 1918 if (tomoyo_stat_modified[i]) { 1919 struct tomoyo_time stamp; 1920 tomoyo_convert_time(tomoyo_stat_modified[i], &stamp); 1921 tomoyo_io_printf(head, " (Last: %04u/%02u/%02u " 1922 "%02u:%02u:%02u)", 1923 stamp.year, stamp.month, stamp.day, 1924 stamp.hour, stamp.min, stamp.sec); 1925 } 1926 tomoyo_set_lf(head); 1927 } 1928 for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) { 1929 unsigned int used = tomoyo_memory_used[i]; 1930 total += used; 1931 tomoyo_io_printf(head, "Memory used by %-22s %10u", 1932 tomoyo_memory_headers[i], used); 1933 used = tomoyo_memory_quota[i]; 1934 if (used) 1935 tomoyo_io_printf(head, " (Quota: %10u)", used); 1936 tomoyo_set_lf(head); 1937 } 1938 tomoyo_io_printf(head, "Total memory used: %10u\n", 1939 total); 1940 head->r.eof = true; 1941} 1942 1943/** 1944 * tomoyo_write_stat - Set memory quota. 1945 * 1946 * @head: Pointer to "struct tomoyo_io_buffer". 1947 * 1948 * Returns 0. 1949 */ 1950static int tomoyo_write_stat(struct tomoyo_io_buffer *head) 1951{ 1952 char *data = head->write_buf; 1953 u8 i; 1954 if (tomoyo_str_starts(&data, "Memory used by ")) 1955 for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) 1956 if (tomoyo_str_starts(&data, tomoyo_memory_headers[i])) 1957 sscanf(data, "%u", &tomoyo_memory_quota[i]); 1958 return 0; 1959} 1960 1961/** 1962 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 1963 * 1964 * @type: Type of interface. 1965 * @file: Pointer to "struct file". 1966 * 1967 * Returns 0 on success, negative value otherwise. 1968 */ 1969int tomoyo_open_control(const u8 type, struct file *file) 1970{ 1971 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS); 1972 1973 if (!head) 1974 return -ENOMEM; 1975 mutex_init(&head->io_sem); 1976 head->type = type; 1977 switch (type) { 1978 case TOMOYO_DOMAINPOLICY: 1979 /* /sys/kernel/security/tomoyo/domain_policy */ 1980 head->write = tomoyo_write_domain; 1981 head->read = tomoyo_read_domain; 1982 break; 1983 case TOMOYO_EXCEPTIONPOLICY: 1984 /* /sys/kernel/security/tomoyo/exception_policy */ 1985 head->write = tomoyo_write_exception; 1986 head->read = tomoyo_read_exception; 1987 break; 1988 case TOMOYO_AUDIT: 1989 /* /sys/kernel/security/tomoyo/audit */ 1990 head->poll = tomoyo_poll_log; 1991 head->read = tomoyo_read_log; 1992 break; 1993 case TOMOYO_SELFDOMAIN: 1994 /* /sys/kernel/security/tomoyo/self_domain */ 1995 head->read = tomoyo_read_self_domain; 1996 break; 1997 case TOMOYO_DOMAIN_STATUS: 1998 /* /sys/kernel/security/tomoyo/.domain_status */ 1999 head->write = tomoyo_write_domain_profile; 2000 head->read = tomoyo_read_domain_profile; 2001 break; 2002 case TOMOYO_PROCESS_STATUS: 2003 /* /sys/kernel/security/tomoyo/.process_status */ 2004 head->write = tomoyo_write_pid; 2005 head->read = tomoyo_read_pid; 2006 break; 2007 case TOMOYO_VERSION: 2008 /* /sys/kernel/security/tomoyo/version */ 2009 head->read = tomoyo_read_version; 2010 head->readbuf_size = 128; 2011 break; 2012 case TOMOYO_STAT: 2013 /* /sys/kernel/security/tomoyo/stat */ 2014 head->write = tomoyo_write_stat; 2015 head->read = tomoyo_read_stat; 2016 head->readbuf_size = 1024; 2017 break; 2018 case TOMOYO_PROFILE: 2019 /* /sys/kernel/security/tomoyo/profile */ 2020 head->write = tomoyo_write_profile; 2021 head->read = tomoyo_read_profile; 2022 break; 2023 case TOMOYO_QUERY: /* /sys/kernel/security/tomoyo/query */ 2024 head->poll = tomoyo_poll_query; 2025 head->write = tomoyo_write_answer; 2026 head->read = tomoyo_read_query; 2027 break; 2028 case TOMOYO_MANAGER: 2029 /* /sys/kernel/security/tomoyo/manager */ 2030 head->write = tomoyo_write_manager; 2031 head->read = tomoyo_read_manager; 2032 break; 2033 } 2034 if (!(file->f_mode & FMODE_READ)) { 2035 /* 2036 * No need to allocate read_buf since it is not opened 2037 * for reading. 2038 */ 2039 head->read = NULL; 2040 head->poll = NULL; 2041 } else if (!head->poll) { 2042 /* Don't allocate read_buf for poll() access. */ 2043 if (!head->readbuf_size) 2044 head->readbuf_size = 4096 * 2; 2045 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); 2046 if (!head->read_buf) { 2047 kfree(head); 2048 return -ENOMEM; 2049 } 2050 } 2051 if (!(file->f_mode & FMODE_WRITE)) { 2052 /* 2053 * No need to allocate write_buf since it is not opened 2054 * for writing. 2055 */ 2056 head->write = NULL; 2057 } else if (head->write) { 2058 head->writebuf_size = 4096 * 2; 2059 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); 2060 if (!head->write_buf) { 2061 kfree(head->read_buf); 2062 kfree(head); 2063 return -ENOMEM; 2064 } 2065 } 2066 /* 2067 * If the file is /sys/kernel/security/tomoyo/query , increment the 2068 * observer counter. 2069 * The obserber counter is used by tomoyo_supervisor() to see if 2070 * there is some process monitoring /sys/kernel/security/tomoyo/query. 2071 */ 2072 if (type == TOMOYO_QUERY) 2073 atomic_inc(&tomoyo_query_observers); 2074 file->private_data = head; 2075 tomoyo_notify_gc(head, true); 2076 return 0; 2077} 2078 2079/** 2080 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface. 2081 * 2082 * @file: Pointer to "struct file". 2083 * @wait: Pointer to "poll_table". 2084 * 2085 * Waits for read readiness. 2086 * /sys/kernel/security/tomoyo/query is handled by /usr/sbin/tomoyo-queryd and 2087 * /sys/kernel/security/tomoyo/audit is handled by /usr/sbin/tomoyo-auditd. 2088 */ 2089int tomoyo_poll_control(struct file *file, poll_table *wait) 2090{ 2091 struct tomoyo_io_buffer *head = file->private_data; 2092 if (!head->poll) 2093 return -ENOSYS; 2094 return head->poll(file, wait); 2095} 2096 2097/** 2098 * tomoyo_set_namespace_cursor - Set namespace to read. 2099 * 2100 * @head: Pointer to "struct tomoyo_io_buffer". 2101 * 2102 * Returns nothing. 2103 */ 2104static inline void tomoyo_set_namespace_cursor(struct tomoyo_io_buffer *head) 2105{ 2106 struct list_head *ns; 2107 if (head->type != TOMOYO_EXCEPTIONPOLICY && 2108 head->type != TOMOYO_PROFILE) 2109 return; 2110 /* 2111 * If this is the first read, or reading previous namespace finished 2112 * and has more namespaces to read, update the namespace cursor. 2113 */ 2114 ns = head->r.ns; 2115 if (!ns || (head->r.eof && ns->next != &tomoyo_namespace_list)) { 2116 /* Clearing is OK because tomoyo_flush() returned true. */ 2117 memset(&head->r, 0, sizeof(head->r)); 2118 head->r.ns = ns ? ns->next : tomoyo_namespace_list.next; 2119 } 2120} 2121 2122/** 2123 * tomoyo_has_more_namespace - Check for unread namespaces. 2124 * 2125 * @head: Pointer to "struct tomoyo_io_buffer". 2126 * 2127 * Returns true if we have more entries to print, false otherwise. 2128 */ 2129static inline bool tomoyo_has_more_namespace(struct tomoyo_io_buffer *head) 2130{ 2131 return (head->type == TOMOYO_EXCEPTIONPOLICY || 2132 head->type == TOMOYO_PROFILE) && head->r.eof && 2133 head->r.ns->next != &tomoyo_namespace_list; 2134} 2135 2136/** 2137 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 2138 * 2139 * @head: Pointer to "struct tomoyo_io_buffer". 2140 * @buffer: Poiner to buffer to write to. 2141 * @buffer_len: Size of @buffer. 2142 * 2143 * Returns bytes read on success, negative value otherwise. 2144 */ 2145ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, 2146 const int buffer_len) 2147{ 2148 int len; 2149 int idx; 2150 2151 if (!head->read) 2152 return -ENOSYS; 2153 if (mutex_lock_interruptible(&head->io_sem)) 2154 return -EINTR; 2155 head->read_user_buf = buffer; 2156 head->read_user_buf_avail = buffer_len; 2157 idx = tomoyo_read_lock(); 2158 if (tomoyo_flush(head)) 2159 /* Call the policy handler. */ 2160 do { 2161 tomoyo_set_namespace_cursor(head); 2162 head->read(head); 2163 } while (tomoyo_flush(head) && 2164 tomoyo_has_more_namespace(head)); 2165 tomoyo_read_unlock(idx); 2166 len = head->read_user_buf - buffer; 2167 mutex_unlock(&head->io_sem); 2168 return len; 2169} 2170 2171/** 2172 * tomoyo_parse_policy - Parse a policy line. 2173 * 2174 * @head: Poiter to "struct tomoyo_io_buffer". 2175 * @line: Line to parse. 2176 * 2177 * Returns 0 on success, negative value otherwise. 2178 * 2179 * Caller holds tomoyo_read_lock(). 2180 */ 2181static int tomoyo_parse_policy(struct tomoyo_io_buffer *head, char *line) 2182{ 2183 /* Delete request? */ 2184 head->w.is_delete = !strncmp(line, "delete ", 7); 2185 if (head->w.is_delete) 2186 memmove(line, line + 7, strlen(line + 7) + 1); 2187 /* Selecting namespace to update. */ 2188 if (head->type == TOMOYO_EXCEPTIONPOLICY || 2189 head->type == TOMOYO_PROFILE) { 2190 if (*line == '<') { 2191 char *cp = strchr(line, ' '); 2192 if (cp) { 2193 *cp++ = '\0'; 2194 head->w.ns = tomoyo_assign_namespace(line); 2195 memmove(line, cp, strlen(cp) + 1); 2196 } else 2197 head->w.ns = NULL; 2198 } else 2199 head->w.ns = &tomoyo_kernel_namespace; 2200 /* Don't allow updating if namespace is invalid. */ 2201 if (!head->w.ns) 2202 return -ENOENT; 2203 } 2204 /* Do the update. */ 2205 return head->write(head); 2206} 2207 2208/** 2209 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 2210 * 2211 * @head: Pointer to "struct tomoyo_io_buffer". 2212 * @buffer: Pointer to buffer to read from. 2213 * @buffer_len: Size of @buffer. 2214 * 2215 * Returns @buffer_len on success, negative value otherwise. 2216 */ 2217ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, 2218 const char __user *buffer, const int buffer_len) 2219{ 2220 int error = buffer_len; 2221 size_t avail_len = buffer_len; 2222 char *cp0 = head->write_buf; 2223 int idx; 2224 if (!head->write) 2225 return -ENOSYS; 2226 if (!access_ok(VERIFY_READ, buffer, buffer_len)) 2227 return -EFAULT; 2228 if (mutex_lock_interruptible(&head->io_sem)) 2229 return -EINTR; 2230 idx = tomoyo_read_lock(); 2231 /* Read a line and dispatch it to the policy handler. */ 2232 while (avail_len > 0) { 2233 char c; 2234 if (head->w.avail >= head->writebuf_size - 1) { 2235 const int len = head->writebuf_size * 2; 2236 char *cp = kzalloc(len, GFP_NOFS); 2237 if (!cp) { 2238 error = -ENOMEM; 2239 break; 2240 } 2241 memmove(cp, cp0, head->w.avail); 2242 kfree(cp0); 2243 head->write_buf = cp; 2244 cp0 = cp; 2245 head->writebuf_size = len; 2246 } 2247 if (get_user(c, buffer)) { 2248 error = -EFAULT; 2249 break; 2250 } 2251 buffer++; 2252 avail_len--; 2253 cp0[head->w.avail++] = c; 2254 if (c != '\n') 2255 continue; 2256 cp0[head->w.avail - 1] = '\0'; 2257 head->w.avail = 0; 2258 tomoyo_normalize_line(cp0); 2259 if (!strcmp(cp0, "reset")) { 2260 head->w.ns = &tomoyo_kernel_namespace; 2261 head->w.domain = NULL; 2262 memset(&head->r, 0, sizeof(head->r)); 2263 continue; 2264 } 2265 /* Don't allow updating policies by non manager programs. */ 2266 switch (head->type) { 2267 case TOMOYO_PROCESS_STATUS: 2268 /* This does not write anything. */ 2269 break; 2270 case TOMOYO_DOMAINPOLICY: 2271 if (tomoyo_select_domain(head, cp0)) 2272 continue; 2273 /* fall through */ 2274 case TOMOYO_EXCEPTIONPOLICY: 2275 if (!strcmp(cp0, "select transition_only")) { 2276 head->r.print_transition_related_only = true; 2277 continue; 2278 } 2279 /* fall through */ 2280 default: 2281 if (!tomoyo_manager()) { 2282 error = -EPERM; 2283 goto out; 2284 } 2285 } 2286 switch (tomoyo_parse_policy(head, cp0)) { 2287 case -EPERM: 2288 error = -EPERM; 2289 goto out; 2290 case 0: 2291 switch (head->type) { 2292 case TOMOYO_DOMAINPOLICY: 2293 case TOMOYO_EXCEPTIONPOLICY: 2294 case TOMOYO_DOMAIN_STATUS: 2295 case TOMOYO_STAT: 2296 case TOMOYO_PROFILE: 2297 case TOMOYO_MANAGER: 2298 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 2299 break; 2300 default: 2301 break; 2302 } 2303 break; 2304 } 2305 } 2306out: 2307 tomoyo_read_unlock(idx); 2308 mutex_unlock(&head->io_sem); 2309 return error; 2310} 2311 2312/** 2313 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 2314 * 2315 * @head: Pointer to "struct tomoyo_io_buffer". 2316 * 2317 * Returns 0. 2318 */ 2319int tomoyo_close_control(struct tomoyo_io_buffer *head) 2320{ 2321 /* 2322 * If the file is /sys/kernel/security/tomoyo/query , decrement the 2323 * observer counter. 2324 */ 2325 if (head->type == TOMOYO_QUERY && 2326 atomic_dec_and_test(&tomoyo_query_observers)) 2327 wake_up_all(&tomoyo_answer_wait); 2328 tomoyo_notify_gc(head, false); 2329 return 0; 2330} 2331 2332/** 2333 * tomoyo_check_profile - Check all profiles currently assigned to domains are defined. 2334 */ 2335void tomoyo_check_profile(void) 2336{ 2337 struct tomoyo_domain_info *domain; 2338 const int idx = tomoyo_read_lock(); 2339 tomoyo_policy_loaded = true; 2340 printk(KERN_INFO "TOMOYO: 2.4.0\n"); 2341 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 2342 const u8 profile = domain->profile; 2343 const struct tomoyo_policy_namespace *ns = domain->ns; 2344 if (ns->profile_version != 20100903) 2345 printk(KERN_ERR 2346 "Profile version %u is not supported.\n", 2347 ns->profile_version); 2348 else if (!ns->profile_ptr[profile]) 2349 printk(KERN_ERR 2350 "Profile %u (used by '%s') is not defined.\n", 2351 profile, domain->domainname->name); 2352 else 2353 continue; 2354 printk(KERN_ERR 2355 "Userland tools for TOMOYO 2.4 must be installed and " 2356 "policy must be initialized.\n"); 2357 printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/2.4/ " 2358 "for more information.\n"); 2359 panic("STOP!"); 2360 } 2361 tomoyo_read_unlock(idx); 2362 printk(KERN_INFO "Mandatory Access Control activated.\n"); 2363} 2364