common.c revision bd03a3e4c9a9df0c6b007045fa7fc8889111a478
1/*
2 * security/tomoyo/common.c
3 *
4 * Common functions for TOMOYO.
5 *
6 * Copyright (C) 2005-2010  NTT DATA CORPORATION
7 */
8
9#include <linux/uaccess.h>
10#include <linux/slab.h>
11#include <linux/security.h>
12#include "common.h"
13
14/* String table for operation mode. */
15const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = {
16	[TOMOYO_CONFIG_DISABLED]   = "disabled",
17	[TOMOYO_CONFIG_LEARNING]   = "learning",
18	[TOMOYO_CONFIG_PERMISSIVE] = "permissive",
19	[TOMOYO_CONFIG_ENFORCING]  = "enforcing"
20};
21
22/* String table for /sys/kernel/security/tomoyo/profile */
23static const char *tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
24				       + TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
25	[TOMOYO_MAC_FILE_EXECUTE]    = "file::execute",
26	[TOMOYO_MAC_FILE_OPEN]       = "file::open",
27	[TOMOYO_MAC_FILE_CREATE]     = "file::create",
28	[TOMOYO_MAC_FILE_UNLINK]     = "file::unlink",
29	[TOMOYO_MAC_FILE_GETATTR]    = "file::getattr",
30	[TOMOYO_MAC_FILE_MKDIR]      = "file::mkdir",
31	[TOMOYO_MAC_FILE_RMDIR]      = "file::rmdir",
32	[TOMOYO_MAC_FILE_MKFIFO]     = "file::mkfifo",
33	[TOMOYO_MAC_FILE_MKSOCK]     = "file::mksock",
34	[TOMOYO_MAC_FILE_TRUNCATE]   = "file::truncate",
35	[TOMOYO_MAC_FILE_SYMLINK]    = "file::symlink",
36	[TOMOYO_MAC_FILE_MKBLOCK]    = "file::mkblock",
37	[TOMOYO_MAC_FILE_MKCHAR]     = "file::mkchar",
38	[TOMOYO_MAC_FILE_LINK]       = "file::link",
39	[TOMOYO_MAC_FILE_RENAME]     = "file::rename",
40	[TOMOYO_MAC_FILE_CHMOD]      = "file::chmod",
41	[TOMOYO_MAC_FILE_CHOWN]      = "file::chown",
42	[TOMOYO_MAC_FILE_CHGRP]      = "file::chgrp",
43	[TOMOYO_MAC_FILE_IOCTL]      = "file::ioctl",
44	[TOMOYO_MAC_FILE_CHROOT]     = "file::chroot",
45	[TOMOYO_MAC_FILE_MOUNT]      = "file::mount",
46	[TOMOYO_MAC_FILE_UMOUNT]     = "file::unmount",
47	[TOMOYO_MAC_FILE_PIVOT_ROOT] = "file::pivot_root",
48	[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file",
49};
50
51/* String table for PREFERENCE keyword. */
52static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = {
53	[TOMOYO_PREF_MAX_AUDIT_LOG]      = "max_audit_log",
54	[TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry",
55};
56
57/* Permit policy management by non-root user? */
58static bool tomoyo_manage_by_non_root;
59
60/* Utility functions. */
61
62/**
63 * tomoyo_yesno - Return "yes" or "no".
64 *
65 * @value: Bool value.
66 */
67const char *tomoyo_yesno(const unsigned int value)
68{
69	return value ? "yes" : "no";
70}
71
72/**
73 * tomoyo_addprintf - strncat()-like-snprintf().
74 *
75 * @buffer: Buffer to write to. Must be '\0'-terminated.
76 * @len:    Size of @buffer.
77 * @fmt:    The printf()'s format string, followed by parameters.
78 *
79 * Returns nothing.
80 */
81static void tomoyo_addprintf(char *buffer, int len, const char *fmt, ...)
82{
83	va_list args;
84	const int pos = strlen(buffer);
85	va_start(args, fmt);
86	vsnprintf(buffer + pos, len - pos - 1, fmt, args);
87	va_end(args);
88}
89
90/**
91 * tomoyo_flush - Flush queued string to userspace's buffer.
92 *
93 * @head:   Pointer to "struct tomoyo_io_buffer".
94 *
95 * Returns true if all data was flushed, false otherwise.
96 */
97static bool tomoyo_flush(struct tomoyo_io_buffer *head)
98{
99	while (head->r.w_pos) {
100		const char *w = head->r.w[0];
101		int len = strlen(w);
102		if (len) {
103			if (len > head->read_user_buf_avail)
104				len = head->read_user_buf_avail;
105			if (!len)
106				return false;
107			if (copy_to_user(head->read_user_buf, w, len))
108				return false;
109			head->read_user_buf_avail -= len;
110			head->read_user_buf += len;
111			w += len;
112		}
113		head->r.w[0] = w;
114		if (*w)
115			return false;
116		/* Add '\0' for audit logs and query. */
117		if (head->poll) {
118			if (!head->read_user_buf_avail ||
119			    copy_to_user(head->read_user_buf, "", 1))
120				return false;
121			head->read_user_buf_avail--;
122			head->read_user_buf++;
123		}
124		head->r.w_pos--;
125		for (len = 0; len < head->r.w_pos; len++)
126			head->r.w[len] = head->r.w[len + 1];
127	}
128	head->r.avail = 0;
129	return true;
130}
131
132/**
133 * tomoyo_set_string - Queue string to "struct tomoyo_io_buffer" structure.
134 *
135 * @head:   Pointer to "struct tomoyo_io_buffer".
136 * @string: String to print.
137 *
138 * Note that @string has to be kept valid until @head is kfree()d.
139 * This means that char[] allocated on stack memory cannot be passed to
140 * this function. Use tomoyo_io_printf() for char[] allocated on stack memory.
141 */
142static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string)
143{
144	if (head->r.w_pos < TOMOYO_MAX_IO_READ_QUEUE) {
145		head->r.w[head->r.w_pos++] = string;
146		tomoyo_flush(head);
147	} else
148		WARN_ON(1);
149}
150
151/**
152 * tomoyo_io_printf - printf() to "struct tomoyo_io_buffer" structure.
153 *
154 * @head: Pointer to "struct tomoyo_io_buffer".
155 * @fmt:  The printf()'s format string, followed by parameters.
156 */
157void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
158{
159	va_list args;
160	int len;
161	int pos = head->r.avail;
162	int size = head->readbuf_size - pos;
163	if (size <= 0)
164		return;
165	va_start(args, fmt);
166	len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1;
167	va_end(args);
168	if (pos + len >= head->readbuf_size) {
169		WARN_ON(1);
170		return;
171	}
172	head->r.avail += len;
173	tomoyo_set_string(head, head->read_buf + pos);
174}
175
176/**
177 * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure.
178 *
179 * @head: Pointer to "struct tomoyo_io_buffer".
180 *
181 * Returns nothing.
182 */
183static void tomoyo_set_space(struct tomoyo_io_buffer *head)
184{
185	tomoyo_set_string(head, " ");
186}
187
188/**
189 * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure.
190 *
191 * @head: Pointer to "struct tomoyo_io_buffer".
192 *
193 * Returns nothing.
194 */
195static bool tomoyo_set_lf(struct tomoyo_io_buffer *head)
196{
197	tomoyo_set_string(head, "\n");
198	return !head->r.w_pos;
199}
200
201/**
202 * tomoyo_set_slash - Put a shash to "struct tomoyo_io_buffer" structure.
203 *
204 * @head: Pointer to "struct tomoyo_io_buffer".
205 *
206 * Returns nothing.
207 */
208static void tomoyo_set_slash(struct tomoyo_io_buffer *head)
209{
210	tomoyo_set_string(head, "/");
211}
212
213/* List of namespaces. */
214LIST_HEAD(tomoyo_namespace_list);
215/* True if namespace other than tomoyo_kernel_namespace is defined. */
216static bool tomoyo_namespace_enabled;
217
218/**
219 * tomoyo_init_policy_namespace - Initialize namespace.
220 *
221 * @ns: Pointer to "struct tomoyo_policy_namespace".
222 *
223 * Returns nothing.
224 */
225void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns)
226{
227	unsigned int idx;
228	for (idx = 0; idx < TOMOYO_MAX_ACL_GROUPS; idx++)
229		INIT_LIST_HEAD(&ns->acl_group[idx]);
230	for (idx = 0; idx < TOMOYO_MAX_GROUP; idx++)
231		INIT_LIST_HEAD(&ns->group_list[idx]);
232	for (idx = 0; idx < TOMOYO_MAX_POLICY; idx++)
233		INIT_LIST_HEAD(&ns->policy_list[idx]);
234	ns->profile_version = 20100903;
235	tomoyo_namespace_enabled = !list_empty(&tomoyo_namespace_list);
236	list_add_tail_rcu(&ns->namespace_list, &tomoyo_namespace_list);
237}
238
239/**
240 * tomoyo_print_namespace - Print namespace header.
241 *
242 * @head: Pointer to "struct tomoyo_io_buffer".
243 *
244 * Returns nothing.
245 */
246static void tomoyo_print_namespace(struct tomoyo_io_buffer *head)
247{
248	if (!tomoyo_namespace_enabled)
249		return;
250	tomoyo_set_string(head,
251			  container_of(head->r.ns,
252				       struct tomoyo_policy_namespace,
253				       namespace_list)->name);
254	tomoyo_set_space(head);
255}
256
257/**
258 * tomoyo_print_name_union - Print a tomoyo_name_union.
259 *
260 * @head: Pointer to "struct tomoyo_io_buffer".
261 * @ptr:  Pointer to "struct tomoyo_name_union".
262 */
263static void tomoyo_print_name_union(struct tomoyo_io_buffer *head,
264				    const struct tomoyo_name_union *ptr)
265{
266	tomoyo_set_space(head);
267	if (ptr->group) {
268		tomoyo_set_string(head, "@");
269		tomoyo_set_string(head, ptr->group->group_name->name);
270	} else {
271		tomoyo_set_string(head, ptr->filename->name);
272	}
273}
274
275/**
276 * tomoyo_print_number_union - Print a tomoyo_number_union.
277 *
278 * @head:       Pointer to "struct tomoyo_io_buffer".
279 * @ptr:        Pointer to "struct tomoyo_number_union".
280 */
281static void tomoyo_print_number_union(struct tomoyo_io_buffer *head,
282				      const struct tomoyo_number_union *ptr)
283{
284	tomoyo_set_space(head);
285	if (ptr->group) {
286		tomoyo_set_string(head, "@");
287		tomoyo_set_string(head, ptr->group->group_name->name);
288	} else {
289		int i;
290		unsigned long min = ptr->values[0];
291		const unsigned long max = ptr->values[1];
292		u8 min_type = ptr->value_type[0];
293		const u8 max_type = ptr->value_type[1];
294		char buffer[128];
295		buffer[0] = '\0';
296		for (i = 0; i < 2; i++) {
297			switch (min_type) {
298			case TOMOYO_VALUE_TYPE_HEXADECIMAL:
299				tomoyo_addprintf(buffer, sizeof(buffer),
300						 "0x%lX", min);
301				break;
302			case TOMOYO_VALUE_TYPE_OCTAL:
303				tomoyo_addprintf(buffer, sizeof(buffer),
304						 "0%lo", min);
305				break;
306			default:
307				tomoyo_addprintf(buffer, sizeof(buffer),
308						 "%lu", min);
309				break;
310			}
311			if (min == max && min_type == max_type)
312				break;
313			tomoyo_addprintf(buffer, sizeof(buffer), "-");
314			min_type = max_type;
315			min = max;
316		}
317		tomoyo_io_printf(head, "%s", buffer);
318	}
319}
320
321/**
322 * tomoyo_assign_profile - Create a new profile.
323 *
324 * @ns:      Pointer to "struct tomoyo_policy_namespace".
325 * @profile: Profile number to create.
326 *
327 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
328 */
329static struct tomoyo_profile *tomoyo_assign_profile
330(struct tomoyo_policy_namespace *ns, const unsigned int profile)
331{
332	struct tomoyo_profile *ptr;
333	struct tomoyo_profile *entry;
334	if (profile >= TOMOYO_MAX_PROFILES)
335		return NULL;
336	ptr = ns->profile_ptr[profile];
337	if (ptr)
338		return ptr;
339	entry = kzalloc(sizeof(*entry), GFP_NOFS);
340	if (mutex_lock_interruptible(&tomoyo_policy_lock))
341		goto out;
342	ptr = ns->profile_ptr[profile];
343	if (!ptr && tomoyo_memory_ok(entry)) {
344		ptr = entry;
345		ptr->default_config = TOMOYO_CONFIG_DISABLED |
346			TOMOYO_CONFIG_WANT_GRANT_LOG |
347			TOMOYO_CONFIG_WANT_REJECT_LOG;
348		memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT,
349		       sizeof(ptr->config));
350		ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] = 1024;
351		ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = 2048;
352		mb(); /* Avoid out-of-order execution. */
353		ns->profile_ptr[profile] = ptr;
354		entry = NULL;
355	}
356	mutex_unlock(&tomoyo_policy_lock);
357 out:
358	kfree(entry);
359	return ptr;
360}
361
362/**
363 * tomoyo_profile - Find a profile.
364 *
365 * @ns:      Pointer to "struct tomoyo_policy_namespace".
366 * @profile: Profile number to find.
367 *
368 * Returns pointer to "struct tomoyo_profile".
369 */
370struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns,
371				      const u8 profile)
372{
373	static struct tomoyo_profile tomoyo_null_profile;
374	struct tomoyo_profile *ptr = ns->profile_ptr[profile];
375	if (!ptr)
376		ptr = &tomoyo_null_profile;
377	return ptr;
378}
379
380/**
381 * tomoyo_find_yesno - Find values for specified keyword.
382 *
383 * @string: String to check.
384 * @find:   Name of keyword.
385 *
386 * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise.
387 */
388static s8 tomoyo_find_yesno(const char *string, const char *find)
389{
390	const char *cp = strstr(string, find);
391	if (cp) {
392		cp += strlen(find);
393		if (!strncmp(cp, "=yes", 4))
394			return 1;
395		else if (!strncmp(cp, "=no", 3))
396			return 0;
397	}
398	return -1;
399}
400
401/**
402 * tomoyo_set_uint - Set value for specified preference.
403 *
404 * @i:      Pointer to "unsigned int".
405 * @string: String to check.
406 * @find:   Name of keyword.
407 *
408 * Returns nothing.
409 */
410static void tomoyo_set_uint(unsigned int *i, const char *string,
411			    const char *find)
412{
413	const char *cp = strstr(string, find);
414	if (cp)
415		sscanf(cp + strlen(find), "=%u", i);
416}
417
418/**
419 * tomoyo_set_mode - Set mode for specified profile.
420 *
421 * @name:    Name of functionality.
422 * @value:   Mode for @name.
423 * @profile: Pointer to "struct tomoyo_profile".
424 *
425 * Returns 0 on success, negative value otherwise.
426 */
427static int tomoyo_set_mode(char *name, const char *value,
428			   struct tomoyo_profile *profile)
429{
430	u8 i;
431	u8 config;
432	if (!strcmp(name, "CONFIG")) {
433		i = TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX;
434		config = profile->default_config;
435	} else if (tomoyo_str_starts(&name, "CONFIG::")) {
436		config = 0;
437		for (i = 0; i < TOMOYO_MAX_MAC_INDEX
438			     + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) {
439			if (strcmp(name, tomoyo_mac_keywords[i]))
440				continue;
441			config = profile->config[i];
442			break;
443		}
444		if (i == TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX)
445			return -EINVAL;
446	} else {
447		return -EINVAL;
448	}
449	if (strstr(value, "use_default")) {
450		config = TOMOYO_CONFIG_USE_DEFAULT;
451	} else {
452		u8 mode;
453		for (mode = 0; mode < 4; mode++)
454			if (strstr(value, tomoyo_mode[mode]))
455				/*
456				 * Update lower 3 bits in order to distinguish
457				 * 'config' from 'TOMOYO_CONFIG_USE_DEAFULT'.
458				 */
459				config = (config & ~7) | mode;
460		if (config != TOMOYO_CONFIG_USE_DEFAULT) {
461			switch (tomoyo_find_yesno(value, "grant_log")) {
462			case 1:
463				config |= TOMOYO_CONFIG_WANT_GRANT_LOG;
464				break;
465			case 0:
466				config &= ~TOMOYO_CONFIG_WANT_GRANT_LOG;
467				break;
468			}
469			switch (tomoyo_find_yesno(value, "reject_log")) {
470			case 1:
471				config |= TOMOYO_CONFIG_WANT_REJECT_LOG;
472				break;
473			case 0:
474				config &= ~TOMOYO_CONFIG_WANT_REJECT_LOG;
475				break;
476			}
477		}
478	}
479	if (i < TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX)
480		profile->config[i] = config;
481	else if (config != TOMOYO_CONFIG_USE_DEFAULT)
482		profile->default_config = config;
483	return 0;
484}
485
486/**
487 * tomoyo_write_profile - Write profile table.
488 *
489 * @head: Pointer to "struct tomoyo_io_buffer".
490 *
491 * Returns 0 on success, negative value otherwise.
492 */
493static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
494{
495	char *data = head->write_buf;
496	unsigned int i;
497	char *cp;
498	struct tomoyo_profile *profile;
499	if (sscanf(data, "PROFILE_VERSION=%u", &head->w.ns->profile_version)
500	    == 1)
501		return 0;
502	i = simple_strtoul(data, &cp, 10);
503	if (*cp != '-')
504		return -EINVAL;
505	data = cp + 1;
506	profile = tomoyo_assign_profile(head->w.ns, i);
507	if (!profile)
508		return -EINVAL;
509	cp = strchr(data, '=');
510	if (!cp)
511		return -EINVAL;
512	*cp++ = '\0';
513	if (!strcmp(data, "COMMENT")) {
514		static DEFINE_SPINLOCK(lock);
515		const struct tomoyo_path_info *new_comment
516			= tomoyo_get_name(cp);
517		const struct tomoyo_path_info *old_comment;
518		if (!new_comment)
519			return -ENOMEM;
520		spin_lock(&lock);
521		old_comment = profile->comment;
522		profile->comment = new_comment;
523		spin_unlock(&lock);
524		tomoyo_put_name(old_comment);
525		return 0;
526	}
527	if (!strcmp(data, "PREFERENCE")) {
528		for (i = 0; i < TOMOYO_MAX_PREF; i++)
529			tomoyo_set_uint(&profile->pref[i], cp,
530					tomoyo_pref_keywords[i]);
531		return 0;
532	}
533	return tomoyo_set_mode(data, cp, profile);
534}
535
536/**
537 * tomoyo_print_config - Print mode for specified functionality.
538 *
539 * @head:   Pointer to "struct tomoyo_io_buffer".
540 * @config: Mode for that functionality.
541 *
542 * Returns nothing.
543 *
544 * Caller prints functionality's name.
545 */
546static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config)
547{
548	tomoyo_io_printf(head, "={ mode=%s grant_log=%s reject_log=%s }\n",
549			 tomoyo_mode[config & 3],
550			 tomoyo_yesno(config & TOMOYO_CONFIG_WANT_GRANT_LOG),
551			 tomoyo_yesno(config & TOMOYO_CONFIG_WANT_REJECT_LOG));
552}
553
554/**
555 * tomoyo_read_profile - Read profile table.
556 *
557 * @head: Pointer to "struct tomoyo_io_buffer".
558 *
559 * Returns nothing.
560 */
561static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
562{
563	u8 index;
564	struct tomoyo_policy_namespace *ns =
565		container_of(head->r.ns, typeof(*ns), namespace_list);
566	const struct tomoyo_profile *profile;
567	if (head->r.eof)
568		return;
569 next:
570	index = head->r.index;
571	profile = ns->profile_ptr[index];
572	switch (head->r.step) {
573	case 0:
574		tomoyo_print_namespace(head);
575		tomoyo_io_printf(head, "PROFILE_VERSION=%u\n",
576				 ns->profile_version);
577		head->r.step++;
578		break;
579	case 1:
580		for ( ; head->r.index < TOMOYO_MAX_PROFILES;
581		      head->r.index++)
582			if (ns->profile_ptr[head->r.index])
583				break;
584		if (head->r.index == TOMOYO_MAX_PROFILES)
585			return;
586		head->r.step++;
587		break;
588	case 2:
589		{
590			u8 i;
591			const struct tomoyo_path_info *comment =
592				profile->comment;
593			tomoyo_print_namespace(head);
594			tomoyo_io_printf(head, "%u-COMMENT=", index);
595			tomoyo_set_string(head, comment ? comment->name : "");
596			tomoyo_set_lf(head);
597			tomoyo_io_printf(head, "%u-PREFERENCE={ ", index);
598			for (i = 0; i < TOMOYO_MAX_PREF; i++)
599				tomoyo_io_printf(head, "%s=%u ",
600						 tomoyo_pref_keywords[i],
601						 profile->pref[i]);
602			tomoyo_set_string(head, "}\n");
603			head->r.step++;
604		}
605		break;
606	case 3:
607		{
608			tomoyo_print_namespace(head);
609			tomoyo_io_printf(head, "%u-%s", index, "CONFIG");
610			tomoyo_print_config(head, profile->default_config);
611			head->r.bit = 0;
612			head->r.step++;
613		}
614		break;
615	case 4:
616		for ( ; head->r.bit < TOMOYO_MAX_MAC_INDEX
617			      + TOMOYO_MAX_MAC_CATEGORY_INDEX; head->r.bit++) {
618			const u8 i = head->r.bit;
619			const u8 config = profile->config[i];
620			if (config == TOMOYO_CONFIG_USE_DEFAULT)
621				continue;
622			tomoyo_print_namespace(head);
623			tomoyo_io_printf(head, "%u-%s%s", index, "CONFIG::",
624					 tomoyo_mac_keywords[i]);
625			tomoyo_print_config(head, config);
626			head->r.bit++;
627			break;
628		}
629		if (head->r.bit == TOMOYO_MAX_MAC_INDEX
630		    + TOMOYO_MAX_MAC_CATEGORY_INDEX) {
631			head->r.index++;
632			head->r.step = 1;
633		}
634		break;
635	}
636	if (tomoyo_flush(head))
637		goto next;
638}
639
640static bool tomoyo_same_manager(const struct tomoyo_acl_head *a,
641				const struct tomoyo_acl_head *b)
642{
643	return container_of(a, struct tomoyo_manager, head)->manager ==
644		container_of(b, struct tomoyo_manager, head)->manager;
645}
646
647/**
648 * tomoyo_update_manager_entry - Add a manager entry.
649 *
650 * @manager:   The path to manager or the domainnamme.
651 * @is_delete: True if it is a delete request.
652 *
653 * Returns 0 on success, negative value otherwise.
654 *
655 * Caller holds tomoyo_read_lock().
656 */
657static int tomoyo_update_manager_entry(const char *manager,
658				       const bool is_delete)
659{
660	struct tomoyo_manager e = { };
661	struct tomoyo_acl_param param = {
662		/* .ns = &tomoyo_kernel_namespace, */
663		.is_delete = is_delete,
664		.list = &tomoyo_kernel_namespace.
665		policy_list[TOMOYO_ID_MANAGER],
666	};
667	int error = is_delete ? -ENOENT : -ENOMEM;
668	if (tomoyo_domain_def(manager)) {
669		if (!tomoyo_correct_domain(manager))
670			return -EINVAL;
671		e.is_domain = true;
672	} else {
673		if (!tomoyo_correct_path(manager))
674			return -EINVAL;
675	}
676	e.manager = tomoyo_get_name(manager);
677	if (e.manager) {
678		error = tomoyo_update_policy(&e.head, sizeof(e), &param,
679					     tomoyo_same_manager);
680		tomoyo_put_name(e.manager);
681	}
682	return error;
683}
684
685/**
686 * tomoyo_write_manager - Write manager policy.
687 *
688 * @head: Pointer to "struct tomoyo_io_buffer".
689 *
690 * Returns 0 on success, negative value otherwise.
691 *
692 * Caller holds tomoyo_read_lock().
693 */
694static int tomoyo_write_manager(struct tomoyo_io_buffer *head)
695{
696	char *data = head->write_buf;
697
698	if (!strcmp(data, "manage_by_non_root")) {
699		tomoyo_manage_by_non_root = !head->w.is_delete;
700		return 0;
701	}
702	return tomoyo_update_manager_entry(data, head->w.is_delete);
703}
704
705/**
706 * tomoyo_read_manager - Read manager policy.
707 *
708 * @head: Pointer to "struct tomoyo_io_buffer".
709 *
710 * Caller holds tomoyo_read_lock().
711 */
712static void tomoyo_read_manager(struct tomoyo_io_buffer *head)
713{
714	if (head->r.eof)
715		return;
716	list_for_each_cookie(head->r.acl, &tomoyo_kernel_namespace.
717			     policy_list[TOMOYO_ID_MANAGER]) {
718		struct tomoyo_manager *ptr =
719			list_entry(head->r.acl, typeof(*ptr), head.list);
720		if (ptr->head.is_deleted)
721			continue;
722		if (!tomoyo_flush(head))
723			return;
724		tomoyo_set_string(head, ptr->manager->name);
725		tomoyo_set_lf(head);
726	}
727	head->r.eof = true;
728}
729
730/**
731 * tomoyo_manager - Check whether the current process is a policy manager.
732 *
733 * Returns true if the current process is permitted to modify policy
734 * via /sys/kernel/security/tomoyo/ interface.
735 *
736 * Caller holds tomoyo_read_lock().
737 */
738static bool tomoyo_manager(void)
739{
740	struct tomoyo_manager *ptr;
741	const char *exe;
742	const struct task_struct *task = current;
743	const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
744	bool found = false;
745
746	if (!tomoyo_policy_loaded)
747		return true;
748	if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
749		return false;
750	list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace.
751				policy_list[TOMOYO_ID_MANAGER], head.list) {
752		if (!ptr->head.is_deleted && ptr->is_domain
753		    && !tomoyo_pathcmp(domainname, ptr->manager)) {
754			found = true;
755			break;
756		}
757	}
758	if (found)
759		return true;
760	exe = tomoyo_get_exe();
761	if (!exe)
762		return false;
763	list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace.
764				policy_list[TOMOYO_ID_MANAGER], head.list) {
765		if (!ptr->head.is_deleted && !ptr->is_domain
766		    && !strcmp(exe, ptr->manager->name)) {
767			found = true;
768			break;
769		}
770	}
771	if (!found) { /* Reduce error messages. */
772		static pid_t last_pid;
773		const pid_t pid = current->pid;
774		if (last_pid != pid) {
775			printk(KERN_WARNING "%s ( %s ) is not permitted to "
776			       "update policies.\n", domainname->name, exe);
777			last_pid = pid;
778		}
779	}
780	kfree(exe);
781	return found;
782}
783
784/**
785 * tomoyo_select_domain - Parse select command.
786 *
787 * @head: Pointer to "struct tomoyo_io_buffer".
788 * @data: String to parse.
789 *
790 * Returns true on success, false otherwise.
791 *
792 * Caller holds tomoyo_read_lock().
793 */
794static bool tomoyo_select_domain(struct tomoyo_io_buffer *head,
795				 const char *data)
796{
797	unsigned int pid;
798	struct tomoyo_domain_info *domain = NULL;
799	bool global_pid = false;
800	if (strncmp(data, "select ", 7))
801		return false;
802	data += 7;
803	if (sscanf(data, "pid=%u", &pid) == 1 ||
804	    (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
805		struct task_struct *p;
806		rcu_read_lock();
807		read_lock(&tasklist_lock);
808		if (global_pid)
809			p = find_task_by_pid_ns(pid, &init_pid_ns);
810		else
811			p = find_task_by_vpid(pid);
812		if (p)
813			domain = tomoyo_real_domain(p);
814		read_unlock(&tasklist_lock);
815		rcu_read_unlock();
816	} else if (!strncmp(data, "domain=", 7)) {
817		if (tomoyo_domain_def(data + 7))
818			domain = tomoyo_find_domain(data + 7);
819	} else
820		return false;
821	head->w.domain = domain;
822	/* Accessing read_buf is safe because head->io_sem is held. */
823	if (!head->read_buf)
824		return true; /* Do nothing if open(O_WRONLY). */
825	memset(&head->r, 0, sizeof(head->r));
826	head->r.print_this_domain_only = true;
827	if (domain)
828		head->r.domain = &domain->list;
829	else
830		head->r.eof = 1;
831	tomoyo_io_printf(head, "# select %s\n", data);
832	if (domain && domain->is_deleted)
833		tomoyo_io_printf(head, "# This is a deleted domain.\n");
834	return true;
835}
836
837/**
838 * tomoyo_delete_domain - Delete a domain.
839 *
840 * @domainname: The name of domain.
841 *
842 * Returns 0.
843 *
844 * Caller holds tomoyo_read_lock().
845 */
846static int tomoyo_delete_domain(char *domainname)
847{
848	struct tomoyo_domain_info *domain;
849	struct tomoyo_path_info name;
850
851	name.name = domainname;
852	tomoyo_fill_path_info(&name);
853	if (mutex_lock_interruptible(&tomoyo_policy_lock))
854		return 0;
855	/* Is there an active domain? */
856	list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
857		/* Never delete tomoyo_kernel_domain */
858		if (domain == &tomoyo_kernel_domain)
859			continue;
860		if (domain->is_deleted ||
861		    tomoyo_pathcmp(domain->domainname, &name))
862			continue;
863		domain->is_deleted = true;
864		break;
865	}
866	mutex_unlock(&tomoyo_policy_lock);
867	return 0;
868}
869
870/**
871 * tomoyo_write_domain2 - Write domain policy.
872 *
873 * @ns:        Pointer to "struct tomoyo_policy_namespace".
874 * @list:      Pointer to "struct list_head".
875 * @data:      Policy to be interpreted.
876 * @is_delete: True if it is a delete request.
877 *
878 * Returns 0 on success, negative value otherwise.
879 *
880 * Caller holds tomoyo_read_lock().
881 */
882static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns,
883				struct list_head *list, char *data,
884				const bool is_delete)
885{
886	struct tomoyo_acl_param param = {
887		.ns = ns,
888		.list = list,
889		.data = data,
890		.is_delete = is_delete,
891	};
892	static const struct {
893		const char *keyword;
894		int (*write) (struct tomoyo_acl_param *);
895	} tomoyo_callback[1] = {
896		{ "file ", tomoyo_write_file },
897	};
898	u8 i;
899	for (i = 0; i < 1; i++) {
900		if (!tomoyo_str_starts(&param.data,
901				       tomoyo_callback[i].keyword))
902			continue;
903		return tomoyo_callback[i].write(&param);
904	}
905	return -EINVAL;
906}
907
908/**
909 * tomoyo_write_domain - Write domain policy.
910 *
911 * @head: Pointer to "struct tomoyo_io_buffer".
912 *
913 * Returns 0 on success, negative value otherwise.
914 *
915 * Caller holds tomoyo_read_lock().
916 */
917static int tomoyo_write_domain(struct tomoyo_io_buffer *head)
918{
919	char *data = head->write_buf;
920	struct tomoyo_policy_namespace *ns;
921	struct tomoyo_domain_info *domain = head->w.domain;
922	const bool is_delete = head->w.is_delete;
923	bool is_select = !is_delete && tomoyo_str_starts(&data, "select ");
924	unsigned int profile;
925	if (*data == '<') {
926		domain = NULL;
927		if (is_delete)
928			tomoyo_delete_domain(data);
929		else if (is_select)
930			domain = tomoyo_find_domain(data);
931		else
932			domain = tomoyo_assign_domain(data, false);
933		head->w.domain = domain;
934		return 0;
935	}
936	if (!domain)
937		return -EINVAL;
938	ns = domain->ns;
939	if (sscanf(data, "use_profile %u", &profile) == 1
940	    && profile < TOMOYO_MAX_PROFILES) {
941		if (!tomoyo_policy_loaded || ns->profile_ptr[profile])
942			domain->profile = (u8) profile;
943		return 0;
944	}
945	if (sscanf(data, "use_group %u\n", &profile) == 1
946	    && profile < TOMOYO_MAX_ACL_GROUPS) {
947		if (!is_delete)
948			domain->group = (u8) profile;
949		return 0;
950	}
951	if (!strcmp(data, "quota_exceeded")) {
952		domain->quota_warned = !is_delete;
953		return 0;
954	}
955	if (!strcmp(data, "transition_failed")) {
956		domain->transition_failed = !is_delete;
957		return 0;
958	}
959	return tomoyo_write_domain2(ns, &domain->acl_info_list, data,
960				    is_delete);
961}
962
963/**
964 * tomoyo_set_group - Print "acl_group " header keyword and category name.
965 *
966 * @head:     Pointer to "struct tomoyo_io_buffer".
967 * @category: Category name.
968 *
969 * Returns nothing.
970 */
971static void tomoyo_set_group(struct tomoyo_io_buffer *head,
972			     const char *category)
973{
974	if (head->type == TOMOYO_EXCEPTIONPOLICY) {
975		tomoyo_print_namespace(head);
976		tomoyo_io_printf(head, "acl_group %u ",
977				 head->r.acl_group_index);
978	}
979	tomoyo_set_string(head, category);
980}
981
982/**
983 * tomoyo_print_entry - Print an ACL entry.
984 *
985 * @head: Pointer to "struct tomoyo_io_buffer".
986 * @acl:  Pointer to an ACL entry.
987 *
988 * Returns true on success, false otherwise.
989 */
990static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
991			       struct tomoyo_acl_info *acl)
992{
993	const u8 acl_type = acl->type;
994	bool first = true;
995	u8 bit;
996
997	if (acl->is_deleted)
998		return true;
999	if (!tomoyo_flush(head))
1000		return false;
1001	else if (acl_type == TOMOYO_TYPE_PATH_ACL) {
1002		struct tomoyo_path_acl *ptr =
1003			container_of(acl, typeof(*ptr), head);
1004		const u16 perm = ptr->perm;
1005		for (bit = 0; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
1006			if (!(perm & (1 << bit)))
1007				continue;
1008			if (head->r.print_transition_related_only &&
1009			    bit != TOMOYO_TYPE_EXECUTE)
1010				continue;
1011			if (first) {
1012				tomoyo_set_group(head, "file ");
1013				first = false;
1014			} else {
1015				tomoyo_set_slash(head);
1016			}
1017			tomoyo_set_string(head, tomoyo_path_keyword[bit]);
1018		}
1019		if (first)
1020			return true;
1021		tomoyo_print_name_union(head, &ptr->name);
1022	} else if (head->r.print_transition_related_only) {
1023		return true;
1024	} else if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
1025		struct tomoyo_path2_acl *ptr =
1026			container_of(acl, typeof(*ptr), head);
1027		const u8 perm = ptr->perm;
1028		for (bit = 0; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
1029			if (!(perm & (1 << bit)))
1030				continue;
1031			if (first) {
1032				tomoyo_set_group(head, "file ");
1033				first = false;
1034			} else {
1035				tomoyo_set_slash(head);
1036			}
1037			tomoyo_set_string(head, tomoyo_mac_keywords
1038					  [tomoyo_pp2mac[bit]]);
1039		}
1040		if (first)
1041			return true;
1042		tomoyo_print_name_union(head, &ptr->name1);
1043		tomoyo_print_name_union(head, &ptr->name2);
1044	} else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) {
1045		struct tomoyo_path_number_acl *ptr =
1046			container_of(acl, typeof(*ptr), head);
1047		const u8 perm = ptr->perm;
1048		for (bit = 0; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; bit++) {
1049			if (!(perm & (1 << bit)))
1050				continue;
1051			if (first) {
1052				tomoyo_set_group(head, "file ");
1053				first = false;
1054			} else {
1055				tomoyo_set_slash(head);
1056			}
1057			tomoyo_set_string(head, tomoyo_mac_keywords
1058					  [tomoyo_pn2mac[bit]]);
1059		}
1060		if (first)
1061			return true;
1062		tomoyo_print_name_union(head, &ptr->name);
1063		tomoyo_print_number_union(head, &ptr->number);
1064	} else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) {
1065		struct tomoyo_mkdev_acl *ptr =
1066			container_of(acl, typeof(*ptr), head);
1067		const u8 perm = ptr->perm;
1068		for (bit = 0; bit < TOMOYO_MAX_MKDEV_OPERATION; bit++) {
1069			if (!(perm & (1 << bit)))
1070				continue;
1071			if (first) {
1072				tomoyo_set_group(head, "file ");
1073				first = false;
1074			} else {
1075				tomoyo_set_slash(head);
1076			}
1077			tomoyo_set_string(head, tomoyo_mac_keywords
1078					  [tomoyo_pnnn2mac[bit]]);
1079		}
1080		if (first)
1081			return true;
1082		tomoyo_print_name_union(head, &ptr->name);
1083		tomoyo_print_number_union(head, &ptr->mode);
1084		tomoyo_print_number_union(head, &ptr->major);
1085		tomoyo_print_number_union(head, &ptr->minor);
1086	} else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) {
1087		struct tomoyo_mount_acl *ptr =
1088			container_of(acl, typeof(*ptr), head);
1089		tomoyo_set_group(head, "file mount");
1090		tomoyo_print_name_union(head, &ptr->dev_name);
1091		tomoyo_print_name_union(head, &ptr->dir_name);
1092		tomoyo_print_name_union(head, &ptr->fs_type);
1093		tomoyo_print_number_union(head, &ptr->flags);
1094	}
1095	tomoyo_set_lf(head);
1096	return true;
1097}
1098
1099/**
1100 * tomoyo_read_domain2 - Read domain policy.
1101 *
1102 * @head: Pointer to "struct tomoyo_io_buffer".
1103 * @list: Pointer to "struct list_head".
1104 *
1105 * Caller holds tomoyo_read_lock().
1106 *
1107 * Returns true on success, false otherwise.
1108 */
1109static bool tomoyo_read_domain2(struct tomoyo_io_buffer *head,
1110				struct list_head *list)
1111{
1112	list_for_each_cookie(head->r.acl, list) {
1113		struct tomoyo_acl_info *ptr =
1114			list_entry(head->r.acl, typeof(*ptr), list);
1115		if (!tomoyo_print_entry(head, ptr))
1116			return false;
1117	}
1118	head->r.acl = NULL;
1119	return true;
1120}
1121
1122/**
1123 * tomoyo_read_domain - Read domain policy.
1124 *
1125 * @head: Pointer to "struct tomoyo_io_buffer".
1126 *
1127 * Caller holds tomoyo_read_lock().
1128 */
1129static void tomoyo_read_domain(struct tomoyo_io_buffer *head)
1130{
1131	if (head->r.eof)
1132		return;
1133	list_for_each_cookie(head->r.domain, &tomoyo_domain_list) {
1134		struct tomoyo_domain_info *domain =
1135			list_entry(head->r.domain, typeof(*domain), list);
1136		switch (head->r.step) {
1137		case 0:
1138			if (domain->is_deleted &&
1139			    !head->r.print_this_domain_only)
1140				continue;
1141			/* Print domainname and flags. */
1142			tomoyo_set_string(head, domain->domainname->name);
1143			tomoyo_set_lf(head);
1144			tomoyo_io_printf(head, "use_profile %u\n",
1145					 domain->profile);
1146			tomoyo_io_printf(head, "use_group %u\n",
1147					 domain->group);
1148			if (domain->quota_warned)
1149				tomoyo_set_string(head, "quota_exceeded\n");
1150			if (domain->transition_failed)
1151				tomoyo_set_string(head, "transition_failed\n");
1152			head->r.step++;
1153			tomoyo_set_lf(head);
1154			/* fall through */
1155		case 1:
1156			if (!tomoyo_read_domain2(head, &domain->acl_info_list))
1157				return;
1158			head->r.step++;
1159			if (!tomoyo_set_lf(head))
1160				return;
1161			/* fall through */
1162		case 2:
1163			head->r.step = 0;
1164			if (head->r.print_this_domain_only)
1165				goto done;
1166		}
1167	}
1168 done:
1169	head->r.eof = true;
1170}
1171
1172/**
1173 * tomoyo_write_domain_profile - Assign profile for specified domain.
1174 *
1175 * @head: Pointer to "struct tomoyo_io_buffer".
1176 *
1177 * Returns 0 on success, -EINVAL otherwise.
1178 *
1179 * This is equivalent to doing
1180 *
1181 *     ( echo "select " $domainname; echo "use_profile " $profile ) |
1182 *     /usr/sbin/tomoyo-loadpolicy -d
1183 *
1184 * Caller holds tomoyo_read_lock().
1185 */
1186static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
1187{
1188	char *data = head->write_buf;
1189	char *cp = strchr(data, ' ');
1190	struct tomoyo_domain_info *domain;
1191	unsigned long profile;
1192
1193	if (!cp)
1194		return -EINVAL;
1195	*cp = '\0';
1196	domain = tomoyo_find_domain(cp + 1);
1197	if (strict_strtoul(data, 10, &profile))
1198		return -EINVAL;
1199	if (domain && (!tomoyo_policy_loaded ||
1200		       head->w.ns->profile_ptr[(u8) profile]))
1201		domain->profile = (u8) profile;
1202	return 0;
1203}
1204
1205/**
1206 * tomoyo_read_domain_profile - Read only domainname and profile.
1207 *
1208 * @head: Pointer to "struct tomoyo_io_buffer".
1209 *
1210 * Returns list of profile number and domainname pairs.
1211 *
1212 * This is equivalent to doing
1213 *
1214 *     grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1215 *     awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1216 *     domainname = $0; } else if ( $1 == "use_profile" ) {
1217 *     print $2 " " domainname; domainname = ""; } } ; '
1218 *
1219 * Caller holds tomoyo_read_lock().
1220 */
1221static void tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
1222{
1223	if (head->r.eof)
1224		return;
1225	list_for_each_cookie(head->r.domain, &tomoyo_domain_list) {
1226		struct tomoyo_domain_info *domain =
1227			list_entry(head->r.domain, typeof(*domain), list);
1228		if (domain->is_deleted)
1229			continue;
1230		if (!tomoyo_flush(head))
1231			return;
1232		tomoyo_io_printf(head, "%u ", domain->profile);
1233		tomoyo_set_string(head, domain->domainname->name);
1234		tomoyo_set_lf(head);
1235	}
1236	head->r.eof = true;
1237}
1238
1239/**
1240 * tomoyo_write_pid: Specify PID to obtain domainname.
1241 *
1242 * @head: Pointer to "struct tomoyo_io_buffer".
1243 *
1244 * Returns 0.
1245 */
1246static int tomoyo_write_pid(struct tomoyo_io_buffer *head)
1247{
1248	head->r.eof = false;
1249	return 0;
1250}
1251
1252/**
1253 * tomoyo_read_pid - Get domainname of the specified PID.
1254 *
1255 * @head: Pointer to "struct tomoyo_io_buffer".
1256 *
1257 * Returns the domainname which the specified PID is in on success,
1258 * empty string otherwise.
1259 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1260 * using read()/write() interface rather than sysctl() interface.
1261 */
1262static void tomoyo_read_pid(struct tomoyo_io_buffer *head)
1263{
1264	char *buf = head->write_buf;
1265	bool global_pid = false;
1266	unsigned int pid;
1267	struct task_struct *p;
1268	struct tomoyo_domain_info *domain = NULL;
1269
1270	/* Accessing write_buf is safe because head->io_sem is held. */
1271	if (!buf) {
1272		head->r.eof = true;
1273		return; /* Do nothing if open(O_RDONLY). */
1274	}
1275	if (head->r.w_pos || head->r.eof)
1276		return;
1277	head->r.eof = true;
1278	if (tomoyo_str_starts(&buf, "global-pid "))
1279		global_pid = true;
1280	pid = (unsigned int) simple_strtoul(buf, NULL, 10);
1281	rcu_read_lock();
1282	read_lock(&tasklist_lock);
1283	if (global_pid)
1284		p = find_task_by_pid_ns(pid, &init_pid_ns);
1285	else
1286		p = find_task_by_vpid(pid);
1287	if (p)
1288		domain = tomoyo_real_domain(p);
1289	read_unlock(&tasklist_lock);
1290	rcu_read_unlock();
1291	if (!domain)
1292		return;
1293	tomoyo_io_printf(head, "%u %u ", pid, domain->profile);
1294	tomoyo_set_string(head, domain->domainname->name);
1295}
1296
1297static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = {
1298	[TOMOYO_TRANSITION_CONTROL_NO_RESET]      = "no_reset_domain ",
1299	[TOMOYO_TRANSITION_CONTROL_RESET]         = "reset_domain ",
1300	[TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ",
1301	[TOMOYO_TRANSITION_CONTROL_INITIALIZE]    = "initialize_domain ",
1302	[TOMOYO_TRANSITION_CONTROL_NO_KEEP]       = "no_keep_domain ",
1303	[TOMOYO_TRANSITION_CONTROL_KEEP]          = "keep_domain ",
1304};
1305
1306static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = {
1307	[TOMOYO_PATH_GROUP]   = "path_group ",
1308	[TOMOYO_NUMBER_GROUP] = "number_group ",
1309};
1310
1311/**
1312 * tomoyo_write_exception - Write exception policy.
1313 *
1314 * @head: Pointer to "struct tomoyo_io_buffer".
1315 *
1316 * Returns 0 on success, negative value otherwise.
1317 *
1318 * Caller holds tomoyo_read_lock().
1319 */
1320static int tomoyo_write_exception(struct tomoyo_io_buffer *head)
1321{
1322	const bool is_delete = head->w.is_delete;
1323	struct tomoyo_acl_param param = {
1324		.ns = head->w.ns,
1325		.is_delete = is_delete,
1326		.data = head->write_buf,
1327	};
1328	u8 i;
1329	if (tomoyo_str_starts(&param.data, "aggregator "))
1330		return tomoyo_write_aggregator(&param);
1331	for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++)
1332		if (tomoyo_str_starts(&param.data, tomoyo_transition_type[i]))
1333			return tomoyo_write_transition_control(&param, i);
1334	for (i = 0; i < TOMOYO_MAX_GROUP; i++)
1335		if (tomoyo_str_starts(&param.data, tomoyo_group_name[i]))
1336			return tomoyo_write_group(&param, i);
1337	if (tomoyo_str_starts(&param.data, "acl_group ")) {
1338		unsigned int group;
1339		char *data;
1340		group = simple_strtoul(param.data, &data, 10);
1341		if (group < TOMOYO_MAX_ACL_GROUPS && *data++ == ' ')
1342			return tomoyo_write_domain2
1343				(head->w.ns, &head->w.ns->acl_group[group],
1344				 data, is_delete);
1345	}
1346	return -EINVAL;
1347}
1348
1349/**
1350 * tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group" list.
1351 *
1352 * @head: Pointer to "struct tomoyo_io_buffer".
1353 * @idx:  Index number.
1354 *
1355 * Returns true on success, false otherwise.
1356 *
1357 * Caller holds tomoyo_read_lock().
1358 */
1359static bool tomoyo_read_group(struct tomoyo_io_buffer *head, const int idx)
1360{
1361	struct tomoyo_policy_namespace *ns =
1362		container_of(head->r.ns, typeof(*ns), namespace_list);
1363	struct list_head *list = &ns->group_list[idx];
1364	list_for_each_cookie(head->r.group, list) {
1365		struct tomoyo_group *group =
1366			list_entry(head->r.group, typeof(*group), head.list);
1367		list_for_each_cookie(head->r.acl, &group->member_list) {
1368			struct tomoyo_acl_head *ptr =
1369				list_entry(head->r.acl, typeof(*ptr), list);
1370			if (ptr->is_deleted)
1371				continue;
1372			if (!tomoyo_flush(head))
1373				return false;
1374			tomoyo_print_namespace(head);
1375			tomoyo_set_string(head, tomoyo_group_name[idx]);
1376			tomoyo_set_string(head, group->group_name->name);
1377			if (idx == TOMOYO_PATH_GROUP) {
1378				tomoyo_set_space(head);
1379				tomoyo_set_string(head, container_of
1380					       (ptr, struct tomoyo_path_group,
1381						head)->member_name->name);
1382			} else if (idx == TOMOYO_NUMBER_GROUP) {
1383				tomoyo_print_number_union(head, &container_of
1384							  (ptr,
1385						   struct tomoyo_number_group,
1386							   head)->number);
1387			}
1388			tomoyo_set_lf(head);
1389		}
1390		head->r.acl = NULL;
1391	}
1392	head->r.group = NULL;
1393	return true;
1394}
1395
1396/**
1397 * tomoyo_read_policy - Read "struct tomoyo_..._entry" list.
1398 *
1399 * @head: Pointer to "struct tomoyo_io_buffer".
1400 * @idx:  Index number.
1401 *
1402 * Returns true on success, false otherwise.
1403 *
1404 * Caller holds tomoyo_read_lock().
1405 */
1406static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx)
1407{
1408	struct tomoyo_policy_namespace *ns =
1409		container_of(head->r.ns, typeof(*ns), namespace_list);
1410	struct list_head *list = &ns->policy_list[idx];
1411	list_for_each_cookie(head->r.acl, list) {
1412		struct tomoyo_acl_head *acl =
1413			container_of(head->r.acl, typeof(*acl), list);
1414		if (acl->is_deleted)
1415			continue;
1416		if (!tomoyo_flush(head))
1417			return false;
1418		switch (idx) {
1419		case TOMOYO_ID_TRANSITION_CONTROL:
1420			{
1421				struct tomoyo_transition_control *ptr =
1422					container_of(acl, typeof(*ptr), head);
1423				tomoyo_print_namespace(head);
1424				tomoyo_set_string(head, tomoyo_transition_type
1425						  [ptr->type]);
1426				tomoyo_set_string(head, ptr->program ?
1427						  ptr->program->name : "any");
1428				tomoyo_set_string(head, " from ");
1429				tomoyo_set_string(head, ptr->domainname ?
1430						  ptr->domainname->name :
1431						  "any");
1432			}
1433			break;
1434		case TOMOYO_ID_AGGREGATOR:
1435			{
1436				struct tomoyo_aggregator *ptr =
1437					container_of(acl, typeof(*ptr), head);
1438				tomoyo_print_namespace(head);
1439				tomoyo_set_string(head, "aggregator ");
1440				tomoyo_set_string(head,
1441						  ptr->original_name->name);
1442				tomoyo_set_space(head);
1443				tomoyo_set_string(head,
1444					       ptr->aggregated_name->name);
1445			}
1446			break;
1447		default:
1448			continue;
1449		}
1450		tomoyo_set_lf(head);
1451	}
1452	head->r.acl = NULL;
1453	return true;
1454}
1455
1456/**
1457 * tomoyo_read_exception - Read exception policy.
1458 *
1459 * @head: Pointer to "struct tomoyo_io_buffer".
1460 *
1461 * Caller holds tomoyo_read_lock().
1462 */
1463static void tomoyo_read_exception(struct tomoyo_io_buffer *head)
1464{
1465	struct tomoyo_policy_namespace *ns =
1466		container_of(head->r.ns, typeof(*ns), namespace_list);
1467	if (head->r.eof)
1468		return;
1469	while (head->r.step < TOMOYO_MAX_POLICY &&
1470	       tomoyo_read_policy(head, head->r.step))
1471		head->r.step++;
1472	if (head->r.step < TOMOYO_MAX_POLICY)
1473		return;
1474	while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP &&
1475	       tomoyo_read_group(head, head->r.step - TOMOYO_MAX_POLICY))
1476		head->r.step++;
1477	if (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP)
1478		return;
1479	while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP
1480	       + TOMOYO_MAX_ACL_GROUPS) {
1481		head->r.acl_group_index = head->r.step - TOMOYO_MAX_POLICY
1482			- TOMOYO_MAX_GROUP;
1483		if (!tomoyo_read_domain2(head, &ns->acl_group
1484					 [head->r.acl_group_index]))
1485			return;
1486		head->r.step++;
1487	}
1488	head->r.eof = true;
1489}
1490
1491/* Wait queue for kernel -> userspace notification. */
1492static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait);
1493/* Wait queue for userspace -> kernel notification. */
1494static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait);
1495
1496/* Structure for query. */
1497struct tomoyo_query {
1498	struct list_head list;
1499	char *query;
1500	size_t query_len;
1501	unsigned int serial;
1502	u8 timer;
1503	u8 answer;
1504	u8 retry;
1505};
1506
1507/* The list for "struct tomoyo_query". */
1508static LIST_HEAD(tomoyo_query_list);
1509
1510/* Lock for manipulating tomoyo_query_list. */
1511static DEFINE_SPINLOCK(tomoyo_query_list_lock);
1512
1513/*
1514 * Number of "struct file" referring /sys/kernel/security/tomoyo/query
1515 * interface.
1516 */
1517static atomic_t tomoyo_query_observers = ATOMIC_INIT(0);
1518
1519/**
1520 * tomoyo_add_entry - Add an ACL to current thread's domain. Used by learning mode.
1521 *
1522 * @domain: Pointer to "struct tomoyo_domain_info".
1523 * @header: Lines containing ACL.
1524 *
1525 * Returns nothing.
1526 */
1527static void tomoyo_add_entry(struct tomoyo_domain_info *domain, char *header)
1528{
1529	char *buffer;
1530	char *cp = strchr(header, '\n');
1531	int len;
1532	if (!cp)
1533		return;
1534	cp = strchr(cp + 1, '\n');
1535	if (!cp)
1536		return;
1537	*cp++ = '\0';
1538	len = strlen(cp) + 1;
1539	buffer = kmalloc(len, GFP_NOFS);
1540	if (!buffer)
1541		return;
1542	snprintf(buffer, len - 1, "%s", cp);
1543	tomoyo_normalize_line(buffer);
1544	tomoyo_write_domain2(domain->ns, &domain->acl_info_list, buffer,
1545			     false);
1546	kfree(buffer);
1547}
1548
1549/**
1550 * tomoyo_supervisor - Ask for the supervisor's decision.
1551 *
1552 * @r:   Pointer to "struct tomoyo_request_info".
1553 * @fmt: The printf()'s format string, followed by parameters.
1554 *
1555 * Returns 0 if the supervisor decided to permit the access request which
1556 * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the
1557 * supervisor decided to retry the access request which violated the policy in
1558 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise.
1559 */
1560int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
1561{
1562	va_list args;
1563	int error;
1564	int len;
1565	static unsigned int tomoyo_serial;
1566	struct tomoyo_query entry = { };
1567	bool quota_exceeded = false;
1568	va_start(args, fmt);
1569	len = vsnprintf((char *) &len, 1, fmt, args) + 1;
1570	va_end(args);
1571	/* Write /sys/kernel/security/tomoyo/audit. */
1572	va_start(args, fmt);
1573	tomoyo_write_log2(r, len, fmt, args);
1574	va_end(args);
1575	/* Nothing more to do if granted. */
1576	if (r->granted)
1577		return 0;
1578	switch (r->mode) {
1579	case TOMOYO_CONFIG_ENFORCING:
1580		error = -EPERM;
1581		if (atomic_read(&tomoyo_query_observers))
1582			break;
1583		goto out;
1584	case TOMOYO_CONFIG_LEARNING:
1585		error = 0;
1586		/* Check max_learning_entry parameter. */
1587		if (tomoyo_domain_quota_is_ok(r))
1588			break;
1589		/* fall through */
1590	default:
1591		return 0;
1592	}
1593	/* Get message. */
1594	va_start(args, fmt);
1595	entry.query = tomoyo_init_log(r, len, fmt, args);
1596	va_end(args);
1597	if (!entry.query)
1598		goto out;
1599	entry.query_len = strlen(entry.query) + 1;
1600	if (!error) {
1601		tomoyo_add_entry(r->domain, entry.query);
1602		goto out;
1603	}
1604	len = tomoyo_round2(entry.query_len);
1605	spin_lock(&tomoyo_query_list_lock);
1606	if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] &&
1607	    tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len
1608	    >= tomoyo_memory_quota[TOMOYO_MEMORY_QUERY]) {
1609		quota_exceeded = true;
1610	} else {
1611		entry.serial = tomoyo_serial++;
1612		entry.retry = r->retry;
1613		tomoyo_memory_used[TOMOYO_MEMORY_QUERY] += len;
1614		list_add_tail(&entry.list, &tomoyo_query_list);
1615	}
1616	spin_unlock(&tomoyo_query_list_lock);
1617	if (quota_exceeded)
1618		goto out;
1619	/* Give 10 seconds for supervisor's opinion. */
1620	while (entry.timer < 10) {
1621		wake_up_all(&tomoyo_query_wait);
1622		if (wait_event_interruptible_timeout
1623		    (tomoyo_answer_wait, entry.answer ||
1624		     !atomic_read(&tomoyo_query_observers), HZ))
1625			break;
1626		else
1627			entry.timer++;
1628	}
1629	spin_lock(&tomoyo_query_list_lock);
1630	list_del(&entry.list);
1631	tomoyo_memory_used[TOMOYO_MEMORY_QUERY] -= len;
1632	spin_unlock(&tomoyo_query_list_lock);
1633	switch (entry.answer) {
1634	case 3: /* Asked to retry by administrator. */
1635		error = TOMOYO_RETRY_REQUEST;
1636		r->retry++;
1637		break;
1638	case 1:
1639		/* Granted by administrator. */
1640		error = 0;
1641		break;
1642	default:
1643		/* Timed out or rejected by administrator. */
1644		break;
1645	}
1646out:
1647	kfree(entry.query);
1648	return error;
1649}
1650
1651/**
1652 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query.
1653 *
1654 * @file: Pointer to "struct file".
1655 * @wait: Pointer to "poll_table".
1656 *
1657 * Returns POLLIN | POLLRDNORM when ready to read, 0 otherwise.
1658 *
1659 * Waits for access requests which violated policy in enforcing mode.
1660 */
1661static int tomoyo_poll_query(struct file *file, poll_table *wait)
1662{
1663	struct list_head *tmp;
1664	bool found = false;
1665	u8 i;
1666	for (i = 0; i < 2; i++) {
1667		spin_lock(&tomoyo_query_list_lock);
1668		list_for_each(tmp, &tomoyo_query_list) {
1669			struct tomoyo_query *ptr =
1670				list_entry(tmp, typeof(*ptr), list);
1671			if (ptr->answer)
1672				continue;
1673			found = true;
1674			break;
1675		}
1676		spin_unlock(&tomoyo_query_list_lock);
1677		if (found)
1678			return POLLIN | POLLRDNORM;
1679		if (i)
1680			break;
1681		poll_wait(file, &tomoyo_query_wait, wait);
1682	}
1683	return 0;
1684}
1685
1686/**
1687 * tomoyo_read_query - Read access requests which violated policy in enforcing mode.
1688 *
1689 * @head: Pointer to "struct tomoyo_io_buffer".
1690 */
1691static void tomoyo_read_query(struct tomoyo_io_buffer *head)
1692{
1693	struct list_head *tmp;
1694	int pos = 0;
1695	int len = 0;
1696	char *buf;
1697	if (head->r.w_pos)
1698		return;
1699	if (head->read_buf) {
1700		kfree(head->read_buf);
1701		head->read_buf = NULL;
1702	}
1703	spin_lock(&tomoyo_query_list_lock);
1704	list_for_each(tmp, &tomoyo_query_list) {
1705		struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
1706		if (ptr->answer)
1707			continue;
1708		if (pos++ != head->r.query_index)
1709			continue;
1710		len = ptr->query_len;
1711		break;
1712	}
1713	spin_unlock(&tomoyo_query_list_lock);
1714	if (!len) {
1715		head->r.query_index = 0;
1716		return;
1717	}
1718	buf = kzalloc(len + 32, GFP_NOFS);
1719	if (!buf)
1720		return;
1721	pos = 0;
1722	spin_lock(&tomoyo_query_list_lock);
1723	list_for_each(tmp, &tomoyo_query_list) {
1724		struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
1725		if (ptr->answer)
1726			continue;
1727		if (pos++ != head->r.query_index)
1728			continue;
1729		/*
1730		 * Some query can be skipped because tomoyo_query_list
1731		 * can change, but I don't care.
1732		 */
1733		if (len == ptr->query_len)
1734			snprintf(buf, len + 31, "Q%u-%hu\n%s", ptr->serial,
1735				 ptr->retry, ptr->query);
1736		break;
1737	}
1738	spin_unlock(&tomoyo_query_list_lock);
1739	if (buf[0]) {
1740		head->read_buf = buf;
1741		head->r.w[head->r.w_pos++] = buf;
1742		head->r.query_index++;
1743	} else {
1744		kfree(buf);
1745	}
1746}
1747
1748/**
1749 * tomoyo_write_answer - Write the supervisor's decision.
1750 *
1751 * @head: Pointer to "struct tomoyo_io_buffer".
1752 *
1753 * Returns 0 on success, -EINVAL otherwise.
1754 */
1755static int tomoyo_write_answer(struct tomoyo_io_buffer *head)
1756{
1757	char *data = head->write_buf;
1758	struct list_head *tmp;
1759	unsigned int serial;
1760	unsigned int answer;
1761	spin_lock(&tomoyo_query_list_lock);
1762	list_for_each(tmp, &tomoyo_query_list) {
1763		struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
1764		ptr->timer = 0;
1765	}
1766	spin_unlock(&tomoyo_query_list_lock);
1767	if (sscanf(data, "A%u=%u", &serial, &answer) != 2)
1768		return -EINVAL;
1769	spin_lock(&tomoyo_query_list_lock);
1770	list_for_each(tmp, &tomoyo_query_list) {
1771		struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list);
1772		if (ptr->serial != serial)
1773			continue;
1774		if (!ptr->answer)
1775			ptr->answer = answer;
1776		break;
1777	}
1778	spin_unlock(&tomoyo_query_list_lock);
1779	return 0;
1780}
1781
1782/**
1783 * tomoyo_read_version: Get version.
1784 *
1785 * @head: Pointer to "struct tomoyo_io_buffer".
1786 *
1787 * Returns version information.
1788 */
1789static void tomoyo_read_version(struct tomoyo_io_buffer *head)
1790{
1791	if (!head->r.eof) {
1792		tomoyo_io_printf(head, "2.4.0");
1793		head->r.eof = true;
1794	}
1795}
1796
1797/**
1798 * tomoyo_read_self_domain - Get the current process's domainname.
1799 *
1800 * @head: Pointer to "struct tomoyo_io_buffer".
1801 *
1802 * Returns the current process's domainname.
1803 */
1804static void tomoyo_read_self_domain(struct tomoyo_io_buffer *head)
1805{
1806	if (!head->r.eof) {
1807		/*
1808		 * tomoyo_domain()->domainname != NULL
1809		 * because every process belongs to a domain and
1810		 * the domain's name cannot be NULL.
1811		 */
1812		tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name);
1813		head->r.eof = true;
1814	}
1815}
1816
1817/**
1818 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
1819 *
1820 * @type: Type of interface.
1821 * @file: Pointer to "struct file".
1822 *
1823 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
1824 *
1825 * Caller acquires tomoyo_read_lock().
1826 */
1827int tomoyo_open_control(const u8 type, struct file *file)
1828{
1829	struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS);
1830
1831	if (!head)
1832		return -ENOMEM;
1833	mutex_init(&head->io_sem);
1834	head->type = type;
1835	switch (type) {
1836	case TOMOYO_DOMAINPOLICY:
1837		/* /sys/kernel/security/tomoyo/domain_policy */
1838		head->write = tomoyo_write_domain;
1839		head->read = tomoyo_read_domain;
1840		break;
1841	case TOMOYO_EXCEPTIONPOLICY:
1842		/* /sys/kernel/security/tomoyo/exception_policy */
1843		head->write = tomoyo_write_exception;
1844		head->read = tomoyo_read_exception;
1845		break;
1846	case TOMOYO_AUDIT:
1847		/* /sys/kernel/security/tomoyo/audit */
1848		head->poll = tomoyo_poll_log;
1849		head->read = tomoyo_read_log;
1850		break;
1851	case TOMOYO_SELFDOMAIN:
1852		/* /sys/kernel/security/tomoyo/self_domain */
1853		head->read = tomoyo_read_self_domain;
1854		break;
1855	case TOMOYO_DOMAIN_STATUS:
1856		/* /sys/kernel/security/tomoyo/.domain_status */
1857		head->write = tomoyo_write_domain_profile;
1858		head->read = tomoyo_read_domain_profile;
1859		break;
1860	case TOMOYO_PROCESS_STATUS:
1861		/* /sys/kernel/security/tomoyo/.process_status */
1862		head->write = tomoyo_write_pid;
1863		head->read = tomoyo_read_pid;
1864		break;
1865	case TOMOYO_VERSION:
1866		/* /sys/kernel/security/tomoyo/version */
1867		head->read = tomoyo_read_version;
1868		head->readbuf_size = 128;
1869		break;
1870	case TOMOYO_MEMINFO:
1871		/* /sys/kernel/security/tomoyo/meminfo */
1872		head->write = tomoyo_write_memory_quota;
1873		head->read = tomoyo_read_memory_counter;
1874		head->readbuf_size = 512;
1875		break;
1876	case TOMOYO_PROFILE:
1877		/* /sys/kernel/security/tomoyo/profile */
1878		head->write = tomoyo_write_profile;
1879		head->read = tomoyo_read_profile;
1880		break;
1881	case TOMOYO_QUERY: /* /sys/kernel/security/tomoyo/query */
1882		head->poll = tomoyo_poll_query;
1883		head->write = tomoyo_write_answer;
1884		head->read = tomoyo_read_query;
1885		break;
1886	case TOMOYO_MANAGER:
1887		/* /sys/kernel/security/tomoyo/manager */
1888		head->write = tomoyo_write_manager;
1889		head->read = tomoyo_read_manager;
1890		break;
1891	}
1892	if (!(file->f_mode & FMODE_READ)) {
1893		/*
1894		 * No need to allocate read_buf since it is not opened
1895		 * for reading.
1896		 */
1897		head->read = NULL;
1898		head->poll = NULL;
1899	} else if (!head->poll) {
1900		/* Don't allocate read_buf for poll() access. */
1901		if (!head->readbuf_size)
1902			head->readbuf_size = 4096 * 2;
1903		head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS);
1904		if (!head->read_buf) {
1905			kfree(head);
1906			return -ENOMEM;
1907		}
1908	}
1909	if (!(file->f_mode & FMODE_WRITE)) {
1910		/*
1911		 * No need to allocate write_buf since it is not opened
1912		 * for writing.
1913		 */
1914		head->write = NULL;
1915	} else if (head->write) {
1916		head->writebuf_size = 4096 * 2;
1917		head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS);
1918		if (!head->write_buf) {
1919			kfree(head->read_buf);
1920			kfree(head);
1921			return -ENOMEM;
1922		}
1923	}
1924	if (type != TOMOYO_QUERY && type != TOMOYO_AUDIT)
1925		head->reader_idx = tomoyo_read_lock();
1926	file->private_data = head;
1927	/*
1928	 * If the file is /sys/kernel/security/tomoyo/query , increment the
1929	 * observer counter.
1930	 * The obserber counter is used by tomoyo_supervisor() to see if
1931	 * there is some process monitoring /sys/kernel/security/tomoyo/query.
1932	 */
1933	if (type == TOMOYO_QUERY)
1934		atomic_inc(&tomoyo_query_observers);
1935	return 0;
1936}
1937
1938/**
1939 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface.
1940 *
1941 * @file: Pointer to "struct file".
1942 * @wait: Pointer to "poll_table".
1943 *
1944 * Waits for read readiness.
1945 * /sys/kernel/security/tomoyo/query is handled by /usr/sbin/tomoyo-queryd and
1946 * /sys/kernel/security/tomoyo/audit is handled by /usr/sbin/tomoyo-auditd.
1947 */
1948int tomoyo_poll_control(struct file *file, poll_table *wait)
1949{
1950	struct tomoyo_io_buffer *head = file->private_data;
1951	if (!head->poll)
1952		return -ENOSYS;
1953	return head->poll(file, wait);
1954}
1955
1956/**
1957 * tomoyo_set_namespace_cursor - Set namespace to read.
1958 *
1959 * @head: Pointer to "struct tomoyo_io_buffer".
1960 *
1961 * Returns nothing.
1962 */
1963static inline void tomoyo_set_namespace_cursor(struct tomoyo_io_buffer *head)
1964{
1965	struct list_head *ns;
1966	if (head->type != TOMOYO_EXCEPTIONPOLICY &&
1967	    head->type != TOMOYO_PROFILE)
1968		return;
1969	/*
1970	 * If this is the first read, or reading previous namespace finished
1971	 * and has more namespaces to read, update the namespace cursor.
1972	 */
1973	ns = head->r.ns;
1974	if (!ns || (head->r.eof && ns->next != &tomoyo_namespace_list)) {
1975		/* Clearing is OK because tomoyo_flush() returned true. */
1976		memset(&head->r, 0, sizeof(head->r));
1977		head->r.ns = ns ? ns->next : tomoyo_namespace_list.next;
1978	}
1979}
1980
1981/**
1982 * tomoyo_has_more_namespace - Check for unread namespaces.
1983 *
1984 * @head: Pointer to "struct tomoyo_io_buffer".
1985 *
1986 * Returns true if we have more entries to print, false otherwise.
1987 */
1988static inline bool tomoyo_has_more_namespace(struct tomoyo_io_buffer *head)
1989{
1990	return (head->type == TOMOYO_EXCEPTIONPOLICY ||
1991		head->type == TOMOYO_PROFILE) && head->r.eof &&
1992		head->r.ns->next != &tomoyo_namespace_list;
1993}
1994
1995/**
1996 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
1997 *
1998 * @head:       Pointer to "struct tomoyo_io_buffer".
1999 * @buffer:     Poiner to buffer to write to.
2000 * @buffer_len: Size of @buffer.
2001 *
2002 * Returns bytes read on success, negative value otherwise.
2003 *
2004 * Caller holds tomoyo_read_lock().
2005 */
2006int tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
2007			const int buffer_len)
2008{
2009	int len;
2010
2011	if (!head->read)
2012		return -ENOSYS;
2013	if (mutex_lock_interruptible(&head->io_sem))
2014		return -EINTR;
2015	head->read_user_buf = buffer;
2016	head->read_user_buf_avail = buffer_len;
2017	if (tomoyo_flush(head))
2018		/* Call the policy handler. */
2019		do {
2020			tomoyo_set_namespace_cursor(head);
2021			head->read(head);
2022		} while (tomoyo_flush(head) &&
2023			 tomoyo_has_more_namespace(head));
2024	len = head->read_user_buf - buffer;
2025	mutex_unlock(&head->io_sem);
2026	return len;
2027}
2028
2029/**
2030 * tomoyo_parse_policy - Parse a policy line.
2031 *
2032 * @head: Poiter to "struct tomoyo_io_buffer".
2033 * @line: Line to parse.
2034 *
2035 * Returns 0 on success, negative value otherwise.
2036 *
2037 * Caller holds tomoyo_read_lock().
2038 */
2039static int tomoyo_parse_policy(struct tomoyo_io_buffer *head, char *line)
2040{
2041	/* Delete request? */
2042	head->w.is_delete = !strncmp(line, "delete ", 7);
2043	if (head->w.is_delete)
2044		memmove(line, line + 7, strlen(line + 7) + 1);
2045	/* Selecting namespace to update. */
2046	if (head->type == TOMOYO_EXCEPTIONPOLICY ||
2047	    head->type == TOMOYO_PROFILE) {
2048		if (*line == '<') {
2049			char *cp = strchr(line, ' ');
2050			if (cp) {
2051				*cp++ = '\0';
2052				head->w.ns = tomoyo_assign_namespace(line);
2053				memmove(line, cp, strlen(cp) + 1);
2054			} else
2055				head->w.ns = NULL;
2056		} else
2057			head->w.ns = &tomoyo_kernel_namespace;
2058		/* Don't allow updating if namespace is invalid. */
2059		if (!head->w.ns)
2060			return -ENOENT;
2061	}
2062	/* Do the update. */
2063	return head->write(head);
2064}
2065
2066/**
2067 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2068 *
2069 * @head:       Pointer to "struct tomoyo_io_buffer".
2070 * @buffer:     Pointer to buffer to read from.
2071 * @buffer_len: Size of @buffer.
2072 *
2073 * Returns @buffer_len on success, negative value otherwise.
2074 *
2075 * Caller holds tomoyo_read_lock().
2076 */
2077int tomoyo_write_control(struct tomoyo_io_buffer *head,
2078			 const char __user *buffer, const int buffer_len)
2079{
2080	int error = buffer_len;
2081	size_t avail_len = buffer_len;
2082	char *cp0 = head->write_buf;
2083	if (!head->write)
2084		return -ENOSYS;
2085	if (!access_ok(VERIFY_READ, buffer, buffer_len))
2086		return -EFAULT;
2087	if (mutex_lock_interruptible(&head->io_sem))
2088		return -EINTR;
2089	/* Read a line and dispatch it to the policy handler. */
2090	while (avail_len > 0) {
2091		char c;
2092		if (head->w.avail >= head->writebuf_size - 1) {
2093			const int len = head->writebuf_size * 2;
2094			char *cp = kzalloc(len, GFP_NOFS);
2095			if (!cp) {
2096				error = -ENOMEM;
2097				break;
2098			}
2099			memmove(cp, cp0, head->w.avail);
2100			kfree(cp0);
2101			head->write_buf = cp;
2102			cp0 = cp;
2103			head->writebuf_size = len;
2104		}
2105		if (get_user(c, buffer)) {
2106			error = -EFAULT;
2107			break;
2108		}
2109		buffer++;
2110		avail_len--;
2111		cp0[head->w.avail++] = c;
2112		if (c != '\n')
2113			continue;
2114		cp0[head->w.avail - 1] = '\0';
2115		head->w.avail = 0;
2116		tomoyo_normalize_line(cp0);
2117		if (!strcmp(cp0, "reset")) {
2118			head->w.ns = &tomoyo_kernel_namespace;
2119			head->w.domain = NULL;
2120			memset(&head->r, 0, sizeof(head->r));
2121			continue;
2122		}
2123		/* Don't allow updating policies by non manager programs. */
2124		switch (head->type) {
2125		case TOMOYO_PROCESS_STATUS:
2126			/* This does not write anything. */
2127			break;
2128		case TOMOYO_DOMAINPOLICY:
2129			if (tomoyo_select_domain(head, cp0))
2130				continue;
2131			/* fall through */
2132		case TOMOYO_EXCEPTIONPOLICY:
2133			if (!strcmp(cp0, "select transition_only")) {
2134				head->r.print_transition_related_only = true;
2135				continue;
2136			}
2137			/* fall through */
2138		default:
2139			if (!tomoyo_manager()) {
2140				error = -EPERM;
2141				goto out;
2142			}
2143		}
2144		switch (tomoyo_parse_policy(head, cp0)) {
2145		case -EPERM:
2146			error = -EPERM;
2147			goto out;
2148		}
2149	}
2150out:
2151	mutex_unlock(&head->io_sem);
2152	return error;
2153}
2154
2155/**
2156 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2157 *
2158 * @head: Pointer to "struct tomoyo_io_buffer".
2159 *
2160 * Releases memory and returns 0.
2161 *
2162 * Caller looses tomoyo_read_lock().
2163 */
2164int tomoyo_close_control(struct tomoyo_io_buffer *head)
2165{
2166	const bool is_write = !!head->write_buf;
2167
2168	/*
2169	 * If the file is /sys/kernel/security/tomoyo/query , decrement the
2170	 * observer counter.
2171	 */
2172	if (head->type == TOMOYO_QUERY)
2173		atomic_dec(&tomoyo_query_observers);
2174	else if (head->type != TOMOYO_AUDIT)
2175		tomoyo_read_unlock(head->reader_idx);
2176	/* Release memory used for policy I/O. */
2177	kfree(head->read_buf);
2178	head->read_buf = NULL;
2179	kfree(head->write_buf);
2180	head->write_buf = NULL;
2181	kfree(head);
2182	if (is_write)
2183		tomoyo_run_gc();
2184	return 0;
2185}
2186
2187/**
2188 * tomoyo_check_profile - Check all profiles currently assigned to domains are defined.
2189 */
2190void tomoyo_check_profile(void)
2191{
2192	struct tomoyo_domain_info *domain;
2193	const int idx = tomoyo_read_lock();
2194	tomoyo_policy_loaded = true;
2195	printk(KERN_INFO "TOMOYO: 2.4.0\n");
2196	list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
2197		const u8 profile = domain->profile;
2198		const struct tomoyo_policy_namespace *ns = domain->ns;
2199		if (ns->profile_version != 20100903)
2200			printk(KERN_ERR
2201			       "Profile version %u is not supported.\n",
2202			       ns->profile_version);
2203		else if (!ns->profile_ptr[profile])
2204			printk(KERN_ERR
2205			       "Profile %u (used by '%s') is not defined.\n",
2206			       profile, domain->domainname->name);
2207		else
2208			continue;
2209		printk(KERN_ERR
2210		       "Userland tools for TOMOYO 2.4 must be installed and "
2211		       "policy must be initialized.\n");
2212		printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/2.4/ "
2213		       "for more information.\n");
2214		panic("STOP!");
2215	}
2216	tomoyo_read_unlock(idx);
2217	printk(KERN_INFO "Mandatory Access Control activated.\n");
2218}
2219