common.c revision c3ef1500ec833890275172c7d063333404b64d60
1/* 2 * security/tomoyo/common.c 3 * 4 * Common functions for TOMOYO. 5 * 6 * Copyright (C) 2005-2010 NTT DATA CORPORATION 7 */ 8 9#include <linux/uaccess.h> 10#include <linux/slab.h> 11#include <linux/security.h> 12#include <linux/hardirq.h> 13#include "common.h" 14 15/* String table for functionality that takes 4 modes. */ 16static const char *tomoyo_mode_4[4] = { 17 "disabled", "learning", "permissive", "enforcing" 18}; 19/* String table for functionality that takes 2 modes. */ 20static const char *tomoyo_mode_2[4] = { 21 "disabled", "enabled", "enabled", "enabled" 22}; 23 24/* 25 * tomoyo_control_array is a static data which contains 26 * 27 * (1) functionality name used by /sys/kernel/security/tomoyo/profile . 28 * (2) initial values for "struct tomoyo_profile". 29 * (3) max values for "struct tomoyo_profile". 30 */ 31static struct { 32 const char *keyword; 33 unsigned int current_value; 34 const unsigned int max_value; 35} tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = { 36 [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, 37 [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX }, 38 [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, 39}; 40 41/* 42 * tomoyo_profile is a structure which is used for holding the mode of access 43 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing. 44 * An administrator can define up to 256 profiles. 45 * The ->profile of "struct tomoyo_domain_info" is used for remembering 46 * the profile's number (0 - 255) assigned to that domain. 47 */ 48static struct tomoyo_profile { 49 unsigned int value[TOMOYO_MAX_CONTROL_INDEX]; 50 const struct tomoyo_path_info *comment; 51} *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES]; 52 53/* Permit policy management by non-root user? */ 54static bool tomoyo_manage_by_non_root; 55 56/* Utility functions. */ 57 58/** 59 * tomoyo_print_name_union - Print a tomoyo_name_union. 60 * 61 * @head: Pointer to "struct tomoyo_io_buffer". 62 * @ptr: Pointer to "struct tomoyo_name_union". 63 * 64 * Returns true on success, false otherwise. 65 */ 66static bool tomoyo_print_name_union(struct tomoyo_io_buffer *head, 67 const struct tomoyo_name_union *ptr) 68{ 69 int pos = head->read_avail; 70 if (pos && head->read_buf[pos - 1] == ' ') 71 head->read_avail--; 72 if (ptr->is_group) 73 return tomoyo_io_printf(head, " @%s", 74 ptr->group->group_name->name); 75 return tomoyo_io_printf(head, " %s", ptr->filename->name); 76} 77 78/** 79 * tomoyo_print_number_union - Print a tomoyo_number_union. 80 * 81 * @head: Pointer to "struct tomoyo_io_buffer". 82 * @ptr: Pointer to "struct tomoyo_number_union". 83 * 84 * Returns true on success, false otherwise. 85 */ 86bool tomoyo_print_number_union(struct tomoyo_io_buffer *head, 87 const struct tomoyo_number_union *ptr) 88{ 89 unsigned long min; 90 unsigned long max; 91 u8 min_type; 92 u8 max_type; 93 if (!tomoyo_io_printf(head, " ")) 94 return false; 95 if (ptr->is_group) 96 return tomoyo_io_printf(head, "@%s", 97 ptr->group->group_name->name); 98 min_type = ptr->min_type; 99 max_type = ptr->max_type; 100 min = ptr->values[0]; 101 max = ptr->values[1]; 102 switch (min_type) { 103 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 104 if (!tomoyo_io_printf(head, "0x%lX", min)) 105 return false; 106 break; 107 case TOMOYO_VALUE_TYPE_OCTAL: 108 if (!tomoyo_io_printf(head, "0%lo", min)) 109 return false; 110 break; 111 default: 112 if (!tomoyo_io_printf(head, "%lu", min)) 113 return false; 114 break; 115 } 116 if (min == max && min_type == max_type) 117 return true; 118 switch (max_type) { 119 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 120 return tomoyo_io_printf(head, "-0x%lX", max); 121 case TOMOYO_VALUE_TYPE_OCTAL: 122 return tomoyo_io_printf(head, "-0%lo", max); 123 default: 124 return tomoyo_io_printf(head, "-%lu", max); 125 } 126} 127 128/** 129 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure. 130 * 131 * @head: Pointer to "struct tomoyo_io_buffer". 132 * @fmt: The printf()'s format string, followed by parameters. 133 * 134 * Returns true if output was written, false otherwise. 135 * 136 * The snprintf() will truncate, but tomoyo_io_printf() won't. 137 */ 138bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 139{ 140 va_list args; 141 int len; 142 int pos = head->read_avail; 143 int size = head->readbuf_size - pos; 144 145 if (size <= 0) 146 return false; 147 va_start(args, fmt); 148 len = vsnprintf(head->read_buf + pos, size, fmt, args); 149 va_end(args); 150 if (pos + len >= head->readbuf_size) 151 return false; 152 head->read_avail += len; 153 return true; 154} 155 156/** 157 * tomoyo_check_flags - Check mode for specified functionality. 158 * 159 * @domain: Pointer to "struct tomoyo_domain_info". 160 * @index: The functionality to check mode. 161 * 162 * TOMOYO checks only process context. 163 * This code disables TOMOYO's enforcement in case the function is called from 164 * interrupt context. 165 */ 166unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, 167 const u8 index) 168{ 169 const u8 profile = domain->profile; 170 171 if (WARN_ON(in_interrupt())) 172 return 0; 173 return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX 174#if TOMOYO_MAX_PROFILES != 256 175 && profile < TOMOYO_MAX_PROFILES 176#endif 177 && tomoyo_profile_ptr[profile] ? 178 tomoyo_profile_ptr[profile]->value[index] : 0; 179} 180 181/** 182 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode. 183 * 184 * @domain: Pointer to "struct tomoyo_domain_info". 185 * 186 * Returns true if domain policy violation warning should be printed to 187 * console. 188 */ 189bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain) 190{ 191 return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0; 192} 193 194/** 195 * tomoyo_find_or_assign_new_profile - Create a new profile. 196 * 197 * @profile: Profile number to create. 198 * 199 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 200 */ 201static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned 202 int profile) 203{ 204 struct tomoyo_profile *ptr = NULL; 205 int i; 206 207 if (profile >= TOMOYO_MAX_PROFILES) 208 return NULL; 209 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 210 return NULL; 211 ptr = tomoyo_profile_ptr[profile]; 212 if (ptr) 213 goto ok; 214 ptr = kmalloc(sizeof(*ptr), GFP_NOFS); 215 if (!tomoyo_memory_ok(ptr)) { 216 kfree(ptr); 217 ptr = NULL; 218 goto ok; 219 } 220 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) 221 ptr->value[i] = tomoyo_control_array[i].current_value; 222 mb(); /* Avoid out-of-order execution. */ 223 tomoyo_profile_ptr[profile] = ptr; 224 ok: 225 mutex_unlock(&tomoyo_policy_lock); 226 return ptr; 227} 228 229/** 230 * tomoyo_write_profile - Write to profile table. 231 * 232 * @head: Pointer to "struct tomoyo_io_buffer". 233 * 234 * Returns 0 on success, negative value otherwise. 235 */ 236static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 237{ 238 char *data = head->write_buf; 239 unsigned int i; 240 unsigned int value; 241 char *cp; 242 struct tomoyo_profile *profile; 243 unsigned long num; 244 245 cp = strchr(data, '-'); 246 if (cp) 247 *cp = '\0'; 248 if (strict_strtoul(data, 10, &num)) 249 return -EINVAL; 250 if (cp) 251 data = cp + 1; 252 profile = tomoyo_find_or_assign_new_profile(num); 253 if (!profile) 254 return -EINVAL; 255 cp = strchr(data, '='); 256 if (!cp) 257 return -EINVAL; 258 *cp = '\0'; 259 if (!strcmp(data, "COMMENT")) { 260 const struct tomoyo_path_info *old_comment = profile->comment; 261 profile->comment = tomoyo_get_name(cp + 1); 262 tomoyo_put_name(old_comment); 263 return 0; 264 } 265 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) { 266 if (strcmp(data, tomoyo_control_array[i].keyword)) 267 continue; 268 if (sscanf(cp + 1, "%u", &value) != 1) { 269 int j; 270 const char **modes; 271 switch (i) { 272 case TOMOYO_VERBOSE: 273 modes = tomoyo_mode_2; 274 break; 275 default: 276 modes = tomoyo_mode_4; 277 break; 278 } 279 for (j = 0; j < 4; j++) { 280 if (strcmp(cp + 1, modes[j])) 281 continue; 282 value = j; 283 break; 284 } 285 if (j == 4) 286 return -EINVAL; 287 } else if (value > tomoyo_control_array[i].max_value) { 288 value = tomoyo_control_array[i].max_value; 289 } 290 profile->value[i] = value; 291 return 0; 292 } 293 return -EINVAL; 294} 295 296/** 297 * tomoyo_read_profile - Read from profile table. 298 * 299 * @head: Pointer to "struct tomoyo_io_buffer". 300 * 301 * Returns 0. 302 */ 303static int tomoyo_read_profile(struct tomoyo_io_buffer *head) 304{ 305 static const int total = TOMOYO_MAX_CONTROL_INDEX + 1; 306 int step; 307 308 if (head->read_eof) 309 return 0; 310 for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total; 311 step++) { 312 const u8 index = step / total; 313 u8 type = step % total; 314 const struct tomoyo_profile *profile 315 = tomoyo_profile_ptr[index]; 316 head->read_step = step; 317 if (!profile) 318 continue; 319 if (!type) { /* Print profile' comment tag. */ 320 if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n", 321 index, profile->comment ? 322 profile->comment->name : "")) 323 break; 324 continue; 325 } 326 type--; 327 if (type < TOMOYO_MAX_CONTROL_INDEX) { 328 const unsigned int value = profile->value[type]; 329 const char **modes = NULL; 330 const char *keyword 331 = tomoyo_control_array[type].keyword; 332 switch (tomoyo_control_array[type].max_value) { 333 case 3: 334 modes = tomoyo_mode_4; 335 break; 336 case 1: 337 modes = tomoyo_mode_2; 338 break; 339 } 340 if (modes) { 341 if (!tomoyo_io_printf(head, "%u-%s=%s\n", index, 342 keyword, modes[value])) 343 break; 344 } else { 345 if (!tomoyo_io_printf(head, "%u-%s=%u\n", index, 346 keyword, value)) 347 break; 348 } 349 } 350 } 351 if (step == TOMOYO_MAX_PROFILES * total) 352 head->read_eof = true; 353 return 0; 354} 355 356/* 357 * tomoyo_policy_manager_list is used for holding list of domainnames or 358 * programs which are permitted to modify configuration via 359 * /sys/kernel/security/tomoyo/ interface. 360 * 361 * An entry is added by 362 * 363 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \ 364 * /sys/kernel/security/tomoyo/manager 365 * (if you want to specify by a domainname) 366 * 367 * or 368 * 369 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager 370 * (if you want to specify by a program's location) 371 * 372 * and is deleted by 373 * 374 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \ 375 * /sys/kernel/security/tomoyo/manager 376 * 377 * or 378 * 379 * # echo 'delete /usr/lib/ccs/editpolicy' > \ 380 * /sys/kernel/security/tomoyo/manager 381 * 382 * and all entries are retrieved by 383 * 384 * # cat /sys/kernel/security/tomoyo/manager 385 */ 386LIST_HEAD(tomoyo_policy_manager_list); 387 388/** 389 * tomoyo_update_manager_entry - Add a manager entry. 390 * 391 * @manager: The path to manager or the domainnamme. 392 * @is_delete: True if it is a delete request. 393 * 394 * Returns 0 on success, negative value otherwise. 395 * 396 * Caller holds tomoyo_read_lock(). 397 */ 398static int tomoyo_update_manager_entry(const char *manager, 399 const bool is_delete) 400{ 401 struct tomoyo_policy_manager_entry *ptr; 402 struct tomoyo_policy_manager_entry e = { }; 403 int error = is_delete ? -ENOENT : -ENOMEM; 404 405 if (tomoyo_is_domain_def(manager)) { 406 if (!tomoyo_is_correct_domain(manager)) 407 return -EINVAL; 408 e.is_domain = true; 409 } else { 410 if (!tomoyo_is_correct_path(manager, 1, -1, -1)) 411 return -EINVAL; 412 } 413 e.manager = tomoyo_get_name(manager); 414 if (!e.manager) 415 return -ENOMEM; 416 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 417 goto out; 418 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { 419 if (ptr->manager != e.manager) 420 continue; 421 ptr->is_deleted = is_delete; 422 error = 0; 423 break; 424 } 425 if (!is_delete && error) { 426 struct tomoyo_policy_manager_entry *entry = 427 tomoyo_commit_ok(&e, sizeof(e)); 428 if (entry) { 429 list_add_tail_rcu(&entry->list, 430 &tomoyo_policy_manager_list); 431 error = 0; 432 } 433 } 434 mutex_unlock(&tomoyo_policy_lock); 435 out: 436 tomoyo_put_name(e.manager); 437 return error; 438} 439 440/** 441 * tomoyo_write_manager_policy - Write manager policy. 442 * 443 * @head: Pointer to "struct tomoyo_io_buffer". 444 * 445 * Returns 0 on success, negative value otherwise. 446 * 447 * Caller holds tomoyo_read_lock(). 448 */ 449static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head) 450{ 451 char *data = head->write_buf; 452 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 453 454 if (!strcmp(data, "manage_by_non_root")) { 455 tomoyo_manage_by_non_root = !is_delete; 456 return 0; 457 } 458 return tomoyo_update_manager_entry(data, is_delete); 459} 460 461/** 462 * tomoyo_read_manager_policy - Read manager policy. 463 * 464 * @head: Pointer to "struct tomoyo_io_buffer". 465 * 466 * Returns 0. 467 * 468 * Caller holds tomoyo_read_lock(). 469 */ 470static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head) 471{ 472 struct list_head *pos; 473 bool done = true; 474 475 if (head->read_eof) 476 return 0; 477 list_for_each_cookie(pos, head->read_var2, 478 &tomoyo_policy_manager_list) { 479 struct tomoyo_policy_manager_entry *ptr; 480 ptr = list_entry(pos, struct tomoyo_policy_manager_entry, 481 list); 482 if (ptr->is_deleted) 483 continue; 484 done = tomoyo_io_printf(head, "%s\n", ptr->manager->name); 485 if (!done) 486 break; 487 } 488 head->read_eof = done; 489 return 0; 490} 491 492/** 493 * tomoyo_is_policy_manager - Check whether the current process is a policy manager. 494 * 495 * Returns true if the current process is permitted to modify policy 496 * via /sys/kernel/security/tomoyo/ interface. 497 * 498 * Caller holds tomoyo_read_lock(). 499 */ 500static bool tomoyo_is_policy_manager(void) 501{ 502 struct tomoyo_policy_manager_entry *ptr; 503 const char *exe; 504 const struct task_struct *task = current; 505 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 506 bool found = false; 507 508 if (!tomoyo_policy_loaded) 509 return true; 510 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) 511 return false; 512 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { 513 if (!ptr->is_deleted && ptr->is_domain 514 && !tomoyo_pathcmp(domainname, ptr->manager)) { 515 found = true; 516 break; 517 } 518 } 519 if (found) 520 return true; 521 exe = tomoyo_get_exe(); 522 if (!exe) 523 return false; 524 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { 525 if (!ptr->is_deleted && !ptr->is_domain 526 && !strcmp(exe, ptr->manager->name)) { 527 found = true; 528 break; 529 } 530 } 531 if (!found) { /* Reduce error messages. */ 532 static pid_t last_pid; 533 const pid_t pid = current->pid; 534 if (last_pid != pid) { 535 printk(KERN_WARNING "%s ( %s ) is not permitted to " 536 "update policies.\n", domainname->name, exe); 537 last_pid = pid; 538 } 539 } 540 kfree(exe); 541 return found; 542} 543 544/** 545 * tomoyo_is_select_one - Parse select command. 546 * 547 * @head: Pointer to "struct tomoyo_io_buffer". 548 * @data: String to parse. 549 * 550 * Returns true on success, false otherwise. 551 * 552 * Caller holds tomoyo_read_lock(). 553 */ 554static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head, 555 const char *data) 556{ 557 unsigned int pid; 558 struct tomoyo_domain_info *domain = NULL; 559 560 if (sscanf(data, "pid=%u", &pid) == 1) { 561 struct task_struct *p; 562 rcu_read_lock(); 563 read_lock(&tasklist_lock); 564 p = find_task_by_vpid(pid); 565 if (p) 566 domain = tomoyo_real_domain(p); 567 read_unlock(&tasklist_lock); 568 rcu_read_unlock(); 569 } else if (!strncmp(data, "domain=", 7)) { 570 if (tomoyo_is_domain_def(data + 7)) 571 domain = tomoyo_find_domain(data + 7); 572 } else 573 return false; 574 head->write_var1 = domain; 575 /* Accessing read_buf is safe because head->io_sem is held. */ 576 if (!head->read_buf) 577 return true; /* Do nothing if open(O_WRONLY). */ 578 head->read_avail = 0; 579 tomoyo_io_printf(head, "# select %s\n", data); 580 head->read_single_domain = true; 581 head->read_eof = !domain; 582 if (domain) { 583 struct tomoyo_domain_info *d; 584 head->read_var1 = NULL; 585 list_for_each_entry_rcu(d, &tomoyo_domain_list, list) { 586 if (d == domain) 587 break; 588 head->read_var1 = &d->list; 589 } 590 head->read_var2 = NULL; 591 head->read_bit = 0; 592 head->read_step = 0; 593 if (domain->is_deleted) 594 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 595 } 596 return true; 597} 598 599/** 600 * tomoyo_delete_domain - Delete a domain. 601 * 602 * @domainname: The name of domain. 603 * 604 * Returns 0. 605 * 606 * Caller holds tomoyo_read_lock(). 607 */ 608static int tomoyo_delete_domain(char *domainname) 609{ 610 struct tomoyo_domain_info *domain; 611 struct tomoyo_path_info name; 612 613 name.name = domainname; 614 tomoyo_fill_path_info(&name); 615 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 616 return 0; 617 /* Is there an active domain? */ 618 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 619 /* Never delete tomoyo_kernel_domain */ 620 if (domain == &tomoyo_kernel_domain) 621 continue; 622 if (domain->is_deleted || 623 tomoyo_pathcmp(domain->domainname, &name)) 624 continue; 625 domain->is_deleted = true; 626 break; 627 } 628 mutex_unlock(&tomoyo_policy_lock); 629 return 0; 630} 631 632/** 633 * tomoyo_write_domain_policy2 - Write domain policy. 634 * 635 * @head: Pointer to "struct tomoyo_io_buffer". 636 * 637 * Returns 0 on success, negative value otherwise. 638 * 639 * Caller holds tomoyo_read_lock(). 640 */ 641static int tomoyo_write_domain_policy2(char *data, 642 struct tomoyo_domain_info *domain, 643 const bool is_delete) 644{ 645 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_MOUNT)) 646 return tomoyo_write_mount_policy(data, domain, is_delete); 647 return tomoyo_write_file_policy(data, domain, is_delete); 648} 649 650/** 651 * tomoyo_write_domain_policy - Write domain policy. 652 * 653 * @head: Pointer to "struct tomoyo_io_buffer". 654 * 655 * Returns 0 on success, negative value otherwise. 656 * 657 * Caller holds tomoyo_read_lock(). 658 */ 659static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) 660{ 661 char *data = head->write_buf; 662 struct tomoyo_domain_info *domain = head->write_var1; 663 bool is_delete = false; 664 bool is_select = false; 665 unsigned int profile; 666 667 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE)) 668 is_delete = true; 669 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT)) 670 is_select = true; 671 if (is_select && tomoyo_is_select_one(head, data)) 672 return 0; 673 /* Don't allow updating policies by non manager programs. */ 674 if (!tomoyo_is_policy_manager()) 675 return -EPERM; 676 if (tomoyo_is_domain_def(data)) { 677 domain = NULL; 678 if (is_delete) 679 tomoyo_delete_domain(data); 680 else if (is_select) 681 domain = tomoyo_find_domain(data); 682 else 683 domain = tomoyo_find_or_assign_new_domain(data, 0); 684 head->write_var1 = domain; 685 return 0; 686 } 687 if (!domain) 688 return -EINVAL; 689 690 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1 691 && profile < TOMOYO_MAX_PROFILES) { 692 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded) 693 domain->profile = (u8) profile; 694 return 0; 695 } 696 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) { 697 domain->ignore_global_allow_read = !is_delete; 698 return 0; 699 } 700 return tomoyo_write_domain_policy2(data, domain, is_delete); 701} 702 703/** 704 * tomoyo_print_path_acl - Print a single path ACL entry. 705 * 706 * @head: Pointer to "struct tomoyo_io_buffer". 707 * @ptr: Pointer to "struct tomoyo_path_acl". 708 * 709 * Returns true on success, false otherwise. 710 */ 711static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head, 712 struct tomoyo_path_acl *ptr) 713{ 714 int pos; 715 u8 bit; 716 const u16 perm = ptr->perm; 717 718 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 719 if (!(perm & (1 << bit))) 720 continue; 721 /* Print "read/write" instead of "read" and "write". */ 722 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE) 723 && (perm & (1 << TOMOYO_TYPE_READ_WRITE))) 724 continue; 725 pos = head->read_avail; 726 if (!tomoyo_io_printf(head, "allow_%s ", 727 tomoyo_path2keyword(bit)) || 728 !tomoyo_print_name_union(head, &ptr->name) || 729 !tomoyo_io_printf(head, "\n")) 730 goto out; 731 } 732 head->read_bit = 0; 733 return true; 734 out: 735 head->read_bit = bit; 736 head->read_avail = pos; 737 return false; 738} 739 740/** 741 * tomoyo_print_path2_acl - Print a double path ACL entry. 742 * 743 * @head: Pointer to "struct tomoyo_io_buffer". 744 * @ptr: Pointer to "struct tomoyo_path2_acl". 745 * 746 * Returns true on success, false otherwise. 747 */ 748static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head, 749 struct tomoyo_path2_acl *ptr) 750{ 751 int pos; 752 const u8 perm = ptr->perm; 753 u8 bit; 754 755 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { 756 if (!(perm & (1 << bit))) 757 continue; 758 pos = head->read_avail; 759 if (!tomoyo_io_printf(head, "allow_%s ", 760 tomoyo_path22keyword(bit)) || 761 !tomoyo_print_name_union(head, &ptr->name1) || 762 !tomoyo_print_name_union(head, &ptr->name2) || 763 !tomoyo_io_printf(head, "\n")) 764 goto out; 765 } 766 head->read_bit = 0; 767 return true; 768 out: 769 head->read_bit = bit; 770 head->read_avail = pos; 771 return false; 772} 773 774/** 775 * tomoyo_print_path_number_acl - Print a path_number ACL entry. 776 * 777 * @head: Pointer to "struct tomoyo_io_buffer". 778 * @ptr: Pointer to "struct tomoyo_path_number_acl". 779 * 780 * Returns true on success, false otherwise. 781 */ 782static bool tomoyo_print_path_number_acl(struct tomoyo_io_buffer *head, 783 struct tomoyo_path_number_acl *ptr) 784{ 785 int pos; 786 u8 bit; 787 const u8 perm = ptr->perm; 788 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; 789 bit++) { 790 if (!(perm & (1 << bit))) 791 continue; 792 pos = head->read_avail; 793 if (!tomoyo_io_printf(head, "allow_%s", 794 tomoyo_path_number2keyword(bit)) || 795 !tomoyo_print_name_union(head, &ptr->name) || 796 !tomoyo_print_number_union(head, &ptr->number) || 797 !tomoyo_io_printf(head, "\n")) 798 goto out; 799 } 800 head->read_bit = 0; 801 return true; 802 out: 803 head->read_bit = bit; 804 head->read_avail = pos; 805 return false; 806} 807 808/** 809 * tomoyo_print_path_number3_acl - Print a path_number3 ACL entry. 810 * 811 * @head: Pointer to "struct tomoyo_io_buffer". 812 * @ptr: Pointer to "struct tomoyo_path_number3_acl". 813 * 814 * Returns true on success, false otherwise. 815 */ 816static bool tomoyo_print_path_number3_acl(struct tomoyo_io_buffer *head, 817 struct tomoyo_path_number3_acl *ptr) 818{ 819 int pos; 820 u8 bit; 821 const u16 perm = ptr->perm; 822 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_NUMBER3_OPERATION; 823 bit++) { 824 if (!(perm & (1 << bit))) 825 continue; 826 pos = head->read_avail; 827 if (!tomoyo_io_printf(head, "allow_%s", 828 tomoyo_path_number32keyword(bit)) || 829 !tomoyo_print_name_union(head, &ptr->name) || 830 !tomoyo_print_number_union(head, &ptr->mode) || 831 !tomoyo_print_number_union(head, &ptr->major) || 832 !tomoyo_print_number_union(head, &ptr->minor) || 833 !tomoyo_io_printf(head, "\n")) 834 goto out; 835 } 836 head->read_bit = 0; 837 return true; 838 out: 839 head->read_bit = bit; 840 head->read_avail = pos; 841 return false; 842} 843 844/** 845 * tomoyo_print_mount_acl - Print a mount ACL entry. 846 * 847 * @head: Pointer to "struct tomoyo_io_buffer". 848 * @ptr: Pointer to "struct tomoyo_mount_acl". 849 * 850 * Returns true on success, false otherwise. 851 */ 852static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head, 853 struct tomoyo_mount_acl *ptr) 854{ 855 const int pos = head->read_avail; 856 if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) || 857 !tomoyo_print_name_union(head, &ptr->dev_name) || 858 !tomoyo_print_name_union(head, &ptr->dir_name) || 859 !tomoyo_print_name_union(head, &ptr->fs_type) || 860 !tomoyo_print_number_union(head, &ptr->flags) || 861 !tomoyo_io_printf(head, "\n")) { 862 head->read_avail = pos; 863 return false; 864 } 865 return true; 866} 867 868/** 869 * tomoyo_print_entry - Print an ACL entry. 870 * 871 * @head: Pointer to "struct tomoyo_io_buffer". 872 * @ptr: Pointer to an ACL entry. 873 * 874 * Returns true on success, false otherwise. 875 */ 876static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 877 struct tomoyo_acl_info *ptr) 878{ 879 const u8 acl_type = ptr->type; 880 881 if (acl_type == TOMOYO_TYPE_PATH_ACL) { 882 struct tomoyo_path_acl *acl 883 = container_of(ptr, struct tomoyo_path_acl, head); 884 return tomoyo_print_path_acl(head, acl); 885 } 886 if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 887 struct tomoyo_path2_acl *acl 888 = container_of(ptr, struct tomoyo_path2_acl, head); 889 return tomoyo_print_path2_acl(head, acl); 890 } 891 if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { 892 struct tomoyo_path_number_acl *acl 893 = container_of(ptr, struct tomoyo_path_number_acl, 894 head); 895 return tomoyo_print_path_number_acl(head, acl); 896 } 897 if (acl_type == TOMOYO_TYPE_PATH_NUMBER3_ACL) { 898 struct tomoyo_path_number3_acl *acl 899 = container_of(ptr, struct tomoyo_path_number3_acl, 900 head); 901 return tomoyo_print_path_number3_acl(head, acl); 902 } 903 if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { 904 struct tomoyo_mount_acl *acl 905 = container_of(ptr, struct tomoyo_mount_acl, head); 906 return tomoyo_print_mount_acl(head, acl); 907 } 908 BUG(); /* This must not happen. */ 909 return false; 910} 911 912/** 913 * tomoyo_read_domain_policy - Read domain policy. 914 * 915 * @head: Pointer to "struct tomoyo_io_buffer". 916 * 917 * Returns 0. 918 * 919 * Caller holds tomoyo_read_lock(). 920 */ 921static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head) 922{ 923 struct list_head *dpos; 924 struct list_head *apos; 925 bool done = true; 926 927 if (head->read_eof) 928 return 0; 929 if (head->read_step == 0) 930 head->read_step = 1; 931 list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) { 932 struct tomoyo_domain_info *domain; 933 const char *quota_exceeded = ""; 934 const char *transition_failed = ""; 935 const char *ignore_global_allow_read = ""; 936 domain = list_entry(dpos, struct tomoyo_domain_info, list); 937 if (head->read_step != 1) 938 goto acl_loop; 939 if (domain->is_deleted && !head->read_single_domain) 940 continue; 941 /* Print domainname and flags. */ 942 if (domain->quota_warned) 943 quota_exceeded = "quota_exceeded\n"; 944 if (domain->transition_failed) 945 transition_failed = "transition_failed\n"; 946 if (domain->ignore_global_allow_read) 947 ignore_global_allow_read 948 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; 949 done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE 950 "%u\n%s%s%s\n", 951 domain->domainname->name, 952 domain->profile, quota_exceeded, 953 transition_failed, 954 ignore_global_allow_read); 955 if (!done) 956 break; 957 head->read_step = 2; 958acl_loop: 959 if (head->read_step == 3) 960 goto tail_mark; 961 /* Print ACL entries in the domain. */ 962 list_for_each_cookie(apos, head->read_var2, 963 &domain->acl_info_list) { 964 struct tomoyo_acl_info *ptr 965 = list_entry(apos, struct tomoyo_acl_info, 966 list); 967 done = tomoyo_print_entry(head, ptr); 968 if (!done) 969 break; 970 } 971 if (!done) 972 break; 973 head->read_step = 3; 974tail_mark: 975 done = tomoyo_io_printf(head, "\n"); 976 if (!done) 977 break; 978 head->read_step = 1; 979 if (head->read_single_domain) 980 break; 981 } 982 head->read_eof = done; 983 return 0; 984} 985 986/** 987 * tomoyo_write_domain_profile - Assign profile for specified domain. 988 * 989 * @head: Pointer to "struct tomoyo_io_buffer". 990 * 991 * Returns 0 on success, -EINVAL otherwise. 992 * 993 * This is equivalent to doing 994 * 995 * ( echo "select " $domainname; echo "use_profile " $profile ) | 996 * /usr/lib/ccs/loadpolicy -d 997 * 998 * Caller holds tomoyo_read_lock(). 999 */ 1000static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head) 1001{ 1002 char *data = head->write_buf; 1003 char *cp = strchr(data, ' '); 1004 struct tomoyo_domain_info *domain; 1005 unsigned long profile; 1006 1007 if (!cp) 1008 return -EINVAL; 1009 *cp = '\0'; 1010 domain = tomoyo_find_domain(cp + 1); 1011 if (strict_strtoul(data, 10, &profile)) 1012 return -EINVAL; 1013 if (domain && profile < TOMOYO_MAX_PROFILES 1014 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)) 1015 domain->profile = (u8) profile; 1016 return 0; 1017} 1018 1019/** 1020 * tomoyo_read_domain_profile - Read only domainname and profile. 1021 * 1022 * @head: Pointer to "struct tomoyo_io_buffer". 1023 * 1024 * Returns list of profile number and domainname pairs. 1025 * 1026 * This is equivalent to doing 1027 * 1028 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy | 1029 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" ) 1030 * domainname = $0; } else if ( $1 == "use_profile" ) { 1031 * print $2 " " domainname; domainname = ""; } } ; ' 1032 * 1033 * Caller holds tomoyo_read_lock(). 1034 */ 1035static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head) 1036{ 1037 struct list_head *pos; 1038 bool done = true; 1039 1040 if (head->read_eof) 1041 return 0; 1042 list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) { 1043 struct tomoyo_domain_info *domain; 1044 domain = list_entry(pos, struct tomoyo_domain_info, list); 1045 if (domain->is_deleted) 1046 continue; 1047 done = tomoyo_io_printf(head, "%u %s\n", domain->profile, 1048 domain->domainname->name); 1049 if (!done) 1050 break; 1051 } 1052 head->read_eof = done; 1053 return 0; 1054} 1055 1056/** 1057 * tomoyo_write_pid: Specify PID to obtain domainname. 1058 * 1059 * @head: Pointer to "struct tomoyo_io_buffer". 1060 * 1061 * Returns 0. 1062 */ 1063static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1064{ 1065 unsigned long pid; 1066 /* No error check. */ 1067 strict_strtoul(head->write_buf, 10, &pid); 1068 head->read_step = (int) pid; 1069 head->read_eof = false; 1070 return 0; 1071} 1072 1073/** 1074 * tomoyo_read_pid - Get domainname of the specified PID. 1075 * 1076 * @head: Pointer to "struct tomoyo_io_buffer". 1077 * 1078 * Returns the domainname which the specified PID is in on success, 1079 * empty string otherwise. 1080 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1081 * using read()/write() interface rather than sysctl() interface. 1082 */ 1083static int tomoyo_read_pid(struct tomoyo_io_buffer *head) 1084{ 1085 if (head->read_avail == 0 && !head->read_eof) { 1086 const int pid = head->read_step; 1087 struct task_struct *p; 1088 struct tomoyo_domain_info *domain = NULL; 1089 rcu_read_lock(); 1090 read_lock(&tasklist_lock); 1091 p = find_task_by_vpid(pid); 1092 if (p) 1093 domain = tomoyo_real_domain(p); 1094 read_unlock(&tasklist_lock); 1095 rcu_read_unlock(); 1096 if (domain) 1097 tomoyo_io_printf(head, "%d %u %s", pid, domain->profile, 1098 domain->domainname->name); 1099 head->read_eof = true; 1100 } 1101 return 0; 1102} 1103 1104/** 1105 * tomoyo_write_exception_policy - Write exception policy. 1106 * 1107 * @head: Pointer to "struct tomoyo_io_buffer". 1108 * 1109 * Returns 0 on success, negative value otherwise. 1110 * 1111 * Caller holds tomoyo_read_lock(). 1112 */ 1113static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head) 1114{ 1115 char *data = head->write_buf; 1116 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 1117 1118 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN)) 1119 return tomoyo_write_domain_keeper_policy(data, false, 1120 is_delete); 1121 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN)) 1122 return tomoyo_write_domain_keeper_policy(data, true, is_delete); 1123 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN)) 1124 return tomoyo_write_domain_initializer_policy(data, false, 1125 is_delete); 1126 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN)) 1127 return tomoyo_write_domain_initializer_policy(data, true, 1128 is_delete); 1129 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS)) 1130 return tomoyo_write_alias_policy(data, is_delete); 1131 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ)) 1132 return tomoyo_write_globally_readable_policy(data, is_delete); 1133 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN)) 1134 return tomoyo_write_pattern_policy(data, is_delete); 1135 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE)) 1136 return tomoyo_write_no_rewrite_policy(data, is_delete); 1137 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_PATH_GROUP)) 1138 return tomoyo_write_path_group_policy(data, is_delete); 1139 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NUMBER_GROUP)) 1140 return tomoyo_write_number_group_policy(data, is_delete); 1141 return -EINVAL; 1142} 1143 1144/** 1145 * tomoyo_read_exception_policy - Read exception policy. 1146 * 1147 * @head: Pointer to "struct tomoyo_io_buffer". 1148 * 1149 * Returns 0 on success, -EINVAL otherwise. 1150 * 1151 * Caller holds tomoyo_read_lock(). 1152 */ 1153static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head) 1154{ 1155 if (!head->read_eof) { 1156 switch (head->read_step) { 1157 case 0: 1158 head->read_var2 = NULL; 1159 head->read_step = 1; 1160 case 1: 1161 if (!tomoyo_read_domain_keeper_policy(head)) 1162 break; 1163 head->read_var2 = NULL; 1164 head->read_step = 2; 1165 case 2: 1166 if (!tomoyo_read_globally_readable_policy(head)) 1167 break; 1168 head->read_var2 = NULL; 1169 head->read_step = 3; 1170 case 3: 1171 head->read_var2 = NULL; 1172 head->read_step = 4; 1173 case 4: 1174 if (!tomoyo_read_domain_initializer_policy(head)) 1175 break; 1176 head->read_var2 = NULL; 1177 head->read_step = 5; 1178 case 5: 1179 if (!tomoyo_read_alias_policy(head)) 1180 break; 1181 head->read_var2 = NULL; 1182 head->read_step = 6; 1183 case 6: 1184 head->read_var2 = NULL; 1185 head->read_step = 7; 1186 case 7: 1187 if (!tomoyo_read_file_pattern(head)) 1188 break; 1189 head->read_var2 = NULL; 1190 head->read_step = 8; 1191 case 8: 1192 if (!tomoyo_read_no_rewrite_policy(head)) 1193 break; 1194 head->read_var2 = NULL; 1195 head->read_step = 9; 1196 case 9: 1197 if (!tomoyo_read_path_group_policy(head)) 1198 break; 1199 head->read_var1 = NULL; 1200 head->read_var2 = NULL; 1201 head->read_step = 10; 1202 case 10: 1203 if (!tomoyo_read_number_group_policy(head)) 1204 break; 1205 head->read_var1 = NULL; 1206 head->read_var2 = NULL; 1207 head->read_step = 11; 1208 case 11: 1209 head->read_eof = true; 1210 break; 1211 default: 1212 return -EINVAL; 1213 } 1214 } 1215 return 0; 1216} 1217 1218/** 1219 * tomoyo_print_header - Get header line of audit log. 1220 * 1221 * @r: Pointer to "struct tomoyo_request_info". 1222 * 1223 * Returns string representation. 1224 * 1225 * This function uses kmalloc(), so caller must kfree() if this function 1226 * didn't return NULL. 1227 */ 1228static char *tomoyo_print_header(struct tomoyo_request_info *r) 1229{ 1230 static const char *tomoyo_mode_4[4] = { 1231 "disabled", "learning", "permissive", "enforcing" 1232 }; 1233 struct timeval tv; 1234 const pid_t gpid = task_pid_nr(current); 1235 static const int tomoyo_buffer_len = 4096; 1236 char *buffer = kmalloc(tomoyo_buffer_len, GFP_NOFS); 1237 if (!buffer) 1238 return NULL; 1239 do_gettimeofday(&tv); 1240 snprintf(buffer, tomoyo_buffer_len - 1, 1241 "#timestamp=%lu profile=%u mode=%s (global-pid=%u)" 1242 " task={ pid=%u ppid=%u uid=%u gid=%u euid=%u" 1243 " egid=%u suid=%u sgid=%u fsuid=%u fsgid=%u }", 1244 tv.tv_sec, r->profile, tomoyo_mode_4[r->mode], gpid, 1245 (pid_t) sys_getpid(), (pid_t) sys_getppid(), 1246 current_uid(), current_gid(), current_euid(), 1247 current_egid(), current_suid(), current_sgid(), 1248 current_fsuid(), current_fsgid()); 1249 return buffer; 1250} 1251 1252/** 1253 * tomoyo_init_audit_log - Allocate buffer for audit logs. 1254 * 1255 * @len: Required size. 1256 * @r: Pointer to "struct tomoyo_request_info". 1257 * 1258 * Returns pointer to allocated memory. 1259 * 1260 * The @len is updated to add the header lines' size on success. 1261 * 1262 * This function uses kzalloc(), so caller must kfree() if this function 1263 * didn't return NULL. 1264 */ 1265static char *tomoyo_init_audit_log(int *len, struct tomoyo_request_info *r) 1266{ 1267 char *buf = NULL; 1268 const char *header; 1269 const char *domainname; 1270 if (!r->domain) 1271 r->domain = tomoyo_domain(); 1272 domainname = r->domain->domainname->name; 1273 header = tomoyo_print_header(r); 1274 if (!header) 1275 return NULL; 1276 *len += strlen(domainname) + strlen(header) + 10; 1277 buf = kzalloc(*len, GFP_NOFS); 1278 if (buf) 1279 snprintf(buf, (*len) - 1, "%s\n%s\n", header, domainname); 1280 kfree(header); 1281 return buf; 1282} 1283 1284/* Wait queue for tomoyo_query_list. */ 1285static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait); 1286 1287/* Lock for manipulating tomoyo_query_list. */ 1288static DEFINE_SPINLOCK(tomoyo_query_list_lock); 1289 1290/* Structure for query. */ 1291struct tomoyo_query_entry { 1292 struct list_head list; 1293 char *query; 1294 int query_len; 1295 unsigned int serial; 1296 int timer; 1297 int answer; 1298}; 1299 1300/* The list for "struct tomoyo_query_entry". */ 1301static LIST_HEAD(tomoyo_query_list); 1302 1303/* 1304 * Number of "struct file" referring /sys/kernel/security/tomoyo/query 1305 * interface. 1306 */ 1307static atomic_t tomoyo_query_observers = ATOMIC_INIT(0); 1308 1309/** 1310 * tomoyo_supervisor - Ask for the supervisor's decision. 1311 * 1312 * @r: Pointer to "struct tomoyo_request_info". 1313 * @fmt: The printf()'s format string, followed by parameters. 1314 * 1315 * Returns 0 if the supervisor decided to permit the access request which 1316 * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the 1317 * supervisor decided to retry the access request which violated the policy in 1318 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise. 1319 */ 1320int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 1321{ 1322 va_list args; 1323 int error = -EPERM; 1324 int pos; 1325 int len; 1326 static unsigned int tomoyo_serial; 1327 struct tomoyo_query_entry *tomoyo_query_entry = NULL; 1328 bool quota_exceeded = false; 1329 char *header; 1330 switch (r->mode) { 1331 char *buffer; 1332 case TOMOYO_CONFIG_LEARNING: 1333 if (!tomoyo_domain_quota_is_ok(r)) 1334 return 0; 1335 va_start(args, fmt); 1336 len = vsnprintf((char *) &pos, sizeof(pos) - 1, fmt, args) + 4; 1337 va_end(args); 1338 buffer = kmalloc(len, GFP_NOFS); 1339 if (!buffer) 1340 return 0; 1341 va_start(args, fmt); 1342 vsnprintf(buffer, len - 1, fmt, args); 1343 va_end(args); 1344 tomoyo_normalize_line(buffer); 1345 tomoyo_write_domain_policy2(buffer, r->domain, false); 1346 kfree(buffer); 1347 /* fall through */ 1348 case TOMOYO_CONFIG_PERMISSIVE: 1349 return 0; 1350 } 1351 if (!r->domain) 1352 r->domain = tomoyo_domain(); 1353 if (!atomic_read(&tomoyo_query_observers)) 1354 return -EPERM; 1355 va_start(args, fmt); 1356 len = vsnprintf((char *) &pos, sizeof(pos) - 1, fmt, args) + 32; 1357 va_end(args); 1358 header = tomoyo_init_audit_log(&len, r); 1359 if (!header) 1360 goto out; 1361 tomoyo_query_entry = kzalloc(sizeof(*tomoyo_query_entry), GFP_NOFS); 1362 if (!tomoyo_query_entry) 1363 goto out; 1364 tomoyo_query_entry->query = kzalloc(len, GFP_NOFS); 1365 if (!tomoyo_query_entry->query) 1366 goto out; 1367 len = ksize(tomoyo_query_entry->query); 1368 INIT_LIST_HEAD(&tomoyo_query_entry->list); 1369 spin_lock(&tomoyo_query_list_lock); 1370 if (tomoyo_quota_for_query && tomoyo_query_memory_size + len + 1371 sizeof(*tomoyo_query_entry) >= tomoyo_quota_for_query) { 1372 quota_exceeded = true; 1373 } else { 1374 tomoyo_query_memory_size += len + sizeof(*tomoyo_query_entry); 1375 tomoyo_query_entry->serial = tomoyo_serial++; 1376 } 1377 spin_unlock(&tomoyo_query_list_lock); 1378 if (quota_exceeded) 1379 goto out; 1380 pos = snprintf(tomoyo_query_entry->query, len - 1, "Q%u-%hu\n%s", 1381 tomoyo_query_entry->serial, r->retry, header); 1382 kfree(header); 1383 header = NULL; 1384 va_start(args, fmt); 1385 vsnprintf(tomoyo_query_entry->query + pos, len - 1 - pos, fmt, args); 1386 tomoyo_query_entry->query_len = strlen(tomoyo_query_entry->query) + 1; 1387 va_end(args); 1388 spin_lock(&tomoyo_query_list_lock); 1389 list_add_tail(&tomoyo_query_entry->list, &tomoyo_query_list); 1390 spin_unlock(&tomoyo_query_list_lock); 1391 /* Give 10 seconds for supervisor's opinion. */ 1392 for (tomoyo_query_entry->timer = 0; 1393 atomic_read(&tomoyo_query_observers) && tomoyo_query_entry->timer < 100; 1394 tomoyo_query_entry->timer++) { 1395 wake_up(&tomoyo_query_wait); 1396 set_current_state(TASK_INTERRUPTIBLE); 1397 schedule_timeout(HZ / 10); 1398 if (tomoyo_query_entry->answer) 1399 break; 1400 } 1401 spin_lock(&tomoyo_query_list_lock); 1402 list_del(&tomoyo_query_entry->list); 1403 tomoyo_query_memory_size -= len + sizeof(*tomoyo_query_entry); 1404 spin_unlock(&tomoyo_query_list_lock); 1405 switch (tomoyo_query_entry->answer) { 1406 case 3: /* Asked to retry by administrator. */ 1407 error = TOMOYO_RETRY_REQUEST; 1408 r->retry++; 1409 break; 1410 case 1: 1411 /* Granted by administrator. */ 1412 error = 0; 1413 break; 1414 case 0: 1415 /* Timed out. */ 1416 break; 1417 default: 1418 /* Rejected by administrator. */ 1419 break; 1420 } 1421 out: 1422 if (tomoyo_query_entry) 1423 kfree(tomoyo_query_entry->query); 1424 kfree(tomoyo_query_entry); 1425 kfree(header); 1426 return error; 1427} 1428 1429/** 1430 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query. 1431 * 1432 * @file: Pointer to "struct file". 1433 * @wait: Pointer to "poll_table". 1434 * 1435 * Returns POLLIN | POLLRDNORM when ready to read, 0 otherwise. 1436 * 1437 * Waits for access requests which violated policy in enforcing mode. 1438 */ 1439static int tomoyo_poll_query(struct file *file, poll_table *wait) 1440{ 1441 struct list_head *tmp; 1442 bool found = false; 1443 u8 i; 1444 for (i = 0; i < 2; i++) { 1445 spin_lock(&tomoyo_query_list_lock); 1446 list_for_each(tmp, &tomoyo_query_list) { 1447 struct tomoyo_query_entry *ptr 1448 = list_entry(tmp, struct tomoyo_query_entry, 1449 list); 1450 if (ptr->answer) 1451 continue; 1452 found = true; 1453 break; 1454 } 1455 spin_unlock(&tomoyo_query_list_lock); 1456 if (found) 1457 return POLLIN | POLLRDNORM; 1458 if (i) 1459 break; 1460 poll_wait(file, &tomoyo_query_wait, wait); 1461 } 1462 return 0; 1463} 1464 1465/** 1466 * tomoyo_read_query - Read access requests which violated policy in enforcing mode. 1467 * 1468 * @head: Pointer to "struct tomoyo_io_buffer". 1469 * 1470 * Returns 0. 1471 */ 1472static int tomoyo_read_query(struct tomoyo_io_buffer *head) 1473{ 1474 struct list_head *tmp; 1475 int pos = 0; 1476 int len = 0; 1477 char *buf; 1478 if (head->read_avail) 1479 return 0; 1480 if (head->read_buf) { 1481 kfree(head->read_buf); 1482 head->read_buf = NULL; 1483 head->readbuf_size = 0; 1484 } 1485 spin_lock(&tomoyo_query_list_lock); 1486 list_for_each(tmp, &tomoyo_query_list) { 1487 struct tomoyo_query_entry *ptr 1488 = list_entry(tmp, struct tomoyo_query_entry, list); 1489 if (ptr->answer) 1490 continue; 1491 if (pos++ != head->read_step) 1492 continue; 1493 len = ptr->query_len; 1494 break; 1495 } 1496 spin_unlock(&tomoyo_query_list_lock); 1497 if (!len) { 1498 head->read_step = 0; 1499 return 0; 1500 } 1501 buf = kzalloc(len, GFP_NOFS); 1502 if (!buf) 1503 return 0; 1504 pos = 0; 1505 spin_lock(&tomoyo_query_list_lock); 1506 list_for_each(tmp, &tomoyo_query_list) { 1507 struct tomoyo_query_entry *ptr 1508 = list_entry(tmp, struct tomoyo_query_entry, list); 1509 if (ptr->answer) 1510 continue; 1511 if (pos++ != head->read_step) 1512 continue; 1513 /* 1514 * Some query can be skipped because tomoyo_query_list 1515 * can change, but I don't care. 1516 */ 1517 if (len == ptr->query_len) 1518 memmove(buf, ptr->query, len); 1519 break; 1520 } 1521 spin_unlock(&tomoyo_query_list_lock); 1522 if (buf[0]) { 1523 head->read_avail = len; 1524 head->readbuf_size = head->read_avail; 1525 head->read_buf = buf; 1526 head->read_step++; 1527 } else { 1528 kfree(buf); 1529 } 1530 return 0; 1531} 1532 1533/** 1534 * tomoyo_write_answer - Write the supervisor's decision. 1535 * 1536 * @head: Pointer to "struct tomoyo_io_buffer". 1537 * 1538 * Returns 0 on success, -EINVAL otherwise. 1539 */ 1540static int tomoyo_write_answer(struct tomoyo_io_buffer *head) 1541{ 1542 char *data = head->write_buf; 1543 struct list_head *tmp; 1544 unsigned int serial; 1545 unsigned int answer; 1546 spin_lock(&tomoyo_query_list_lock); 1547 list_for_each(tmp, &tomoyo_query_list) { 1548 struct tomoyo_query_entry *ptr 1549 = list_entry(tmp, struct tomoyo_query_entry, list); 1550 ptr->timer = 0; 1551 } 1552 spin_unlock(&tomoyo_query_list_lock); 1553 if (sscanf(data, "A%u=%u", &serial, &answer) != 2) 1554 return -EINVAL; 1555 spin_lock(&tomoyo_query_list_lock); 1556 list_for_each(tmp, &tomoyo_query_list) { 1557 struct tomoyo_query_entry *ptr 1558 = list_entry(tmp, struct tomoyo_query_entry, list); 1559 if (ptr->serial != serial) 1560 continue; 1561 if (!ptr->answer) 1562 ptr->answer = answer; 1563 break; 1564 } 1565 spin_unlock(&tomoyo_query_list_lock); 1566 return 0; 1567} 1568 1569/** 1570 * tomoyo_read_version: Get version. 1571 * 1572 * @head: Pointer to "struct tomoyo_io_buffer". 1573 * 1574 * Returns version information. 1575 */ 1576static int tomoyo_read_version(struct tomoyo_io_buffer *head) 1577{ 1578 if (!head->read_eof) { 1579 tomoyo_io_printf(head, "2.2.0"); 1580 head->read_eof = true; 1581 } 1582 return 0; 1583} 1584 1585/** 1586 * tomoyo_read_self_domain - Get the current process's domainname. 1587 * 1588 * @head: Pointer to "struct tomoyo_io_buffer". 1589 * 1590 * Returns the current process's domainname. 1591 */ 1592static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head) 1593{ 1594 if (!head->read_eof) { 1595 /* 1596 * tomoyo_domain()->domainname != NULL 1597 * because every process belongs to a domain and 1598 * the domain's name cannot be NULL. 1599 */ 1600 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); 1601 head->read_eof = true; 1602 } 1603 return 0; 1604} 1605 1606/** 1607 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 1608 * 1609 * @type: Type of interface. 1610 * @file: Pointer to "struct file". 1611 * 1612 * Associates policy handler and returns 0 on success, -ENOMEM otherwise. 1613 * 1614 * Caller acquires tomoyo_read_lock(). 1615 */ 1616int tomoyo_open_control(const u8 type, struct file *file) 1617{ 1618 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS); 1619 1620 if (!head) 1621 return -ENOMEM; 1622 mutex_init(&head->io_sem); 1623 head->type = type; 1624 switch (type) { 1625 case TOMOYO_DOMAINPOLICY: 1626 /* /sys/kernel/security/tomoyo/domain_policy */ 1627 head->write = tomoyo_write_domain_policy; 1628 head->read = tomoyo_read_domain_policy; 1629 break; 1630 case TOMOYO_EXCEPTIONPOLICY: 1631 /* /sys/kernel/security/tomoyo/exception_policy */ 1632 head->write = tomoyo_write_exception_policy; 1633 head->read = tomoyo_read_exception_policy; 1634 break; 1635 case TOMOYO_SELFDOMAIN: 1636 /* /sys/kernel/security/tomoyo/self_domain */ 1637 head->read = tomoyo_read_self_domain; 1638 break; 1639 case TOMOYO_DOMAIN_STATUS: 1640 /* /sys/kernel/security/tomoyo/.domain_status */ 1641 head->write = tomoyo_write_domain_profile; 1642 head->read = tomoyo_read_domain_profile; 1643 break; 1644 case TOMOYO_PROCESS_STATUS: 1645 /* /sys/kernel/security/tomoyo/.process_status */ 1646 head->write = tomoyo_write_pid; 1647 head->read = tomoyo_read_pid; 1648 break; 1649 case TOMOYO_VERSION: 1650 /* /sys/kernel/security/tomoyo/version */ 1651 head->read = tomoyo_read_version; 1652 head->readbuf_size = 128; 1653 break; 1654 case TOMOYO_MEMINFO: 1655 /* /sys/kernel/security/tomoyo/meminfo */ 1656 head->write = tomoyo_write_memory_quota; 1657 head->read = tomoyo_read_memory_counter; 1658 head->readbuf_size = 512; 1659 break; 1660 case TOMOYO_PROFILE: 1661 /* /sys/kernel/security/tomoyo/profile */ 1662 head->write = tomoyo_write_profile; 1663 head->read = tomoyo_read_profile; 1664 break; 1665 case TOMOYO_QUERY: /* /sys/kernel/security/tomoyo/query */ 1666 head->poll = tomoyo_poll_query; 1667 head->write = tomoyo_write_answer; 1668 head->read = tomoyo_read_query; 1669 break; 1670 case TOMOYO_MANAGER: 1671 /* /sys/kernel/security/tomoyo/manager */ 1672 head->write = tomoyo_write_manager_policy; 1673 head->read = tomoyo_read_manager_policy; 1674 break; 1675 } 1676 if (!(file->f_mode & FMODE_READ)) { 1677 /* 1678 * No need to allocate read_buf since it is not opened 1679 * for reading. 1680 */ 1681 head->read = NULL; 1682 head->poll = NULL; 1683 } else if (!head->poll) { 1684 /* Don't allocate read_buf for poll() access. */ 1685 if (!head->readbuf_size) 1686 head->readbuf_size = 4096 * 2; 1687 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); 1688 if (!head->read_buf) { 1689 kfree(head); 1690 return -ENOMEM; 1691 } 1692 } 1693 if (!(file->f_mode & FMODE_WRITE)) { 1694 /* 1695 * No need to allocate write_buf since it is not opened 1696 * for writing. 1697 */ 1698 head->write = NULL; 1699 } else if (head->write) { 1700 head->writebuf_size = 4096 * 2; 1701 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); 1702 if (!head->write_buf) { 1703 kfree(head->read_buf); 1704 kfree(head); 1705 return -ENOMEM; 1706 } 1707 } 1708 if (type != TOMOYO_QUERY) 1709 head->reader_idx = tomoyo_read_lock(); 1710 file->private_data = head; 1711 /* 1712 * Call the handler now if the file is 1713 * /sys/kernel/security/tomoyo/self_domain 1714 * so that the user can use 1715 * cat < /sys/kernel/security/tomoyo/self_domain" 1716 * to know the current process's domainname. 1717 */ 1718 if (type == TOMOYO_SELFDOMAIN) 1719 tomoyo_read_control(file, NULL, 0); 1720 /* 1721 * If the file is /sys/kernel/security/tomoyo/query , increment the 1722 * observer counter. 1723 * The obserber counter is used by tomoyo_supervisor() to see if 1724 * there is some process monitoring /sys/kernel/security/tomoyo/query. 1725 */ 1726 else if (type == TOMOYO_QUERY) 1727 atomic_inc(&tomoyo_query_observers); 1728 return 0; 1729} 1730 1731/** 1732 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface. 1733 * 1734 * @file: Pointer to "struct file". 1735 * @wait: Pointer to "poll_table". 1736 * 1737 * Waits for read readiness. 1738 * /sys/kernel/security/tomoyo/query is handled by /usr/sbin/tomoyo-queryd . 1739 */ 1740int tomoyo_poll_control(struct file *file, poll_table *wait) 1741{ 1742 struct tomoyo_io_buffer *head = file->private_data; 1743 if (!head->poll) 1744 return -ENOSYS; 1745 return head->poll(file, wait); 1746} 1747 1748/** 1749 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 1750 * 1751 * @file: Pointer to "struct file". 1752 * @buffer: Poiner to buffer to write to. 1753 * @buffer_len: Size of @buffer. 1754 * 1755 * Returns bytes read on success, negative value otherwise. 1756 * 1757 * Caller holds tomoyo_read_lock(). 1758 */ 1759int tomoyo_read_control(struct file *file, char __user *buffer, 1760 const int buffer_len) 1761{ 1762 int len = 0; 1763 struct tomoyo_io_buffer *head = file->private_data; 1764 char *cp; 1765 1766 if (!head->read) 1767 return -ENOSYS; 1768 if (mutex_lock_interruptible(&head->io_sem)) 1769 return -EINTR; 1770 /* Call the policy handler. */ 1771 len = head->read(head); 1772 if (len < 0) 1773 goto out; 1774 /* Write to buffer. */ 1775 len = head->read_avail; 1776 if (len > buffer_len) 1777 len = buffer_len; 1778 if (!len) 1779 goto out; 1780 /* head->read_buf changes by some functions. */ 1781 cp = head->read_buf; 1782 if (copy_to_user(buffer, cp, len)) { 1783 len = -EFAULT; 1784 goto out; 1785 } 1786 head->read_avail -= len; 1787 memmove(cp, cp + len, head->read_avail); 1788 out: 1789 mutex_unlock(&head->io_sem); 1790 return len; 1791} 1792 1793/** 1794 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 1795 * 1796 * @file: Pointer to "struct file". 1797 * @buffer: Pointer to buffer to read from. 1798 * @buffer_len: Size of @buffer. 1799 * 1800 * Returns @buffer_len on success, negative value otherwise. 1801 * 1802 * Caller holds tomoyo_read_lock(). 1803 */ 1804int tomoyo_write_control(struct file *file, const char __user *buffer, 1805 const int buffer_len) 1806{ 1807 struct tomoyo_io_buffer *head = file->private_data; 1808 int error = buffer_len; 1809 int avail_len = buffer_len; 1810 char *cp0 = head->write_buf; 1811 1812 if (!head->write) 1813 return -ENOSYS; 1814 if (!access_ok(VERIFY_READ, buffer, buffer_len)) 1815 return -EFAULT; 1816 /* Don't allow updating policies by non manager programs. */ 1817 if (head->write != tomoyo_write_pid && 1818 head->write != tomoyo_write_domain_policy && 1819 !tomoyo_is_policy_manager()) 1820 return -EPERM; 1821 if (mutex_lock_interruptible(&head->io_sem)) 1822 return -EINTR; 1823 /* Read a line and dispatch it to the policy handler. */ 1824 while (avail_len > 0) { 1825 char c; 1826 if (head->write_avail >= head->writebuf_size - 1) { 1827 error = -ENOMEM; 1828 break; 1829 } else if (get_user(c, buffer)) { 1830 error = -EFAULT; 1831 break; 1832 } 1833 buffer++; 1834 avail_len--; 1835 cp0[head->write_avail++] = c; 1836 if (c != '\n') 1837 continue; 1838 cp0[head->write_avail - 1] = '\0'; 1839 head->write_avail = 0; 1840 tomoyo_normalize_line(cp0); 1841 head->write(head); 1842 } 1843 mutex_unlock(&head->io_sem); 1844 return error; 1845} 1846 1847/** 1848 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 1849 * 1850 * @file: Pointer to "struct file". 1851 * 1852 * Releases memory and returns 0. 1853 * 1854 * Caller looses tomoyo_read_lock(). 1855 */ 1856int tomoyo_close_control(struct file *file) 1857{ 1858 struct tomoyo_io_buffer *head = file->private_data; 1859 const bool is_write = !!head->write_buf; 1860 1861 /* 1862 * If the file is /sys/kernel/security/tomoyo/query , decrement the 1863 * observer counter. 1864 */ 1865 if (head->type == TOMOYO_QUERY) 1866 atomic_dec(&tomoyo_query_observers); 1867 else 1868 tomoyo_read_unlock(head->reader_idx); 1869 /* Release memory used for policy I/O. */ 1870 kfree(head->read_buf); 1871 head->read_buf = NULL; 1872 kfree(head->write_buf); 1873 head->write_buf = NULL; 1874 kfree(head); 1875 head = NULL; 1876 file->private_data = NULL; 1877 if (is_write) 1878 tomoyo_run_gc(); 1879 return 0; 1880} 1881 1882/** 1883 * tomoyo_check_profile - Check all profiles currently assigned to domains are defined. 1884 */ 1885void tomoyo_check_profile(void) 1886{ 1887 struct tomoyo_domain_info *domain; 1888 const int idx = tomoyo_read_lock(); 1889 tomoyo_policy_loaded = true; 1890 /* Check all profiles currently assigned to domains are defined. */ 1891 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 1892 const u8 profile = domain->profile; 1893 if (tomoyo_profile_ptr[profile]) 1894 continue; 1895 panic("Profile %u (used by '%s') not defined.\n", 1896 profile, domain->domainname->name); 1897 } 1898 tomoyo_read_unlock(idx); 1899 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n"); 1900 printk(KERN_INFO "Mandatory Access Control activated.\n"); 1901} 1902