common.h revision 084da356f6e55ce42f1d2739178502023908c107 
1/*
2 * security/tomoyo/common.h
3 *
4 * Header file for TOMOYO.
5 *
6 * Copyright (C) 2005-2010  NTT DATA CORPORATION
7 */
8
9#ifndef _SECURITY_TOMOYO_COMMON_H
10#define _SECURITY_TOMOYO_COMMON_H
11
12#include <linux/ctype.h>
13#include <linux/string.h>
14#include <linux/mm.h>
15#include <linux/file.h>
16#include <linux/kmod.h>
17#include <linux/fs.h>
18#include <linux/sched.h>
19#include <linux/namei.h>
20#include <linux/mount.h>
21#include <linux/list.h>
22#include <linux/cred.h>
23struct linux_binprm;
24
25/********** Constants definitions. **********/
26
27/*
28 * TOMOYO uses this hash only when appending a string into the string
29 * table. Frequency of appending strings is very low. So we don't need
30 * large (e.g. 64k) hash size. 256 will be sufficient.
31 */
32#define TOMOYO_HASH_BITS  8
33#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
34
35/*
36 * This is the max length of a token.
37 *
38 * A token consists of only ASCII printable characters.
39 * Non printable characters in a token is represented in \ooo style
40 * octal string. Thus, \ itself is represented as \\.
41 */
42#define TOMOYO_MAX_PATHNAME_LEN 4000
43
44/* Profile number is an integer between 0 and 255. */
45#define TOMOYO_MAX_PROFILES 256
46
47/* Keywords for ACLs. */
48#define TOMOYO_KEYWORD_ALIAS                     "alias "
49#define TOMOYO_KEYWORD_ALLOW_READ                "allow_read "
50#define TOMOYO_KEYWORD_DELETE                    "delete "
51#define TOMOYO_KEYWORD_DENY_REWRITE              "deny_rewrite "
52#define TOMOYO_KEYWORD_FILE_PATTERN              "file_pattern "
53#define TOMOYO_KEYWORD_INITIALIZE_DOMAIN         "initialize_domain "
54#define TOMOYO_KEYWORD_KEEP_DOMAIN               "keep_domain "
55#define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN      "no_initialize_domain "
56#define TOMOYO_KEYWORD_NO_KEEP_DOMAIN            "no_keep_domain "
57#define TOMOYO_KEYWORD_SELECT                    "select "
58#define TOMOYO_KEYWORD_USE_PROFILE               "use_profile "
59#define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ  "ignore_global_allow_read"
60/* A domain definition starts with <kernel>. */
61#define TOMOYO_ROOT_NAME                         "<kernel>"
62#define TOMOYO_ROOT_NAME_LEN                     (sizeof(TOMOYO_ROOT_NAME) - 1)
63
64/* Index numbers for Access Controls. */
65enum tomoyo_mac_index {
66	TOMOYO_MAC_FOR_FILE,  /* domain_policy.conf */
67	TOMOYO_MAX_ACCEPT_ENTRY,
68	TOMOYO_VERBOSE,
69	TOMOYO_MAX_CONTROL_INDEX
70};
71
72/* Index numbers for Access Controls. */
73enum tomoyo_acl_entry_type_index {
74	TOMOYO_TYPE_SINGLE_PATH_ACL,
75	TOMOYO_TYPE_DOUBLE_PATH_ACL,
76};
77
78/* Index numbers for File Controls. */
79
80/*
81 * TYPE_READ_WRITE_ACL is special. TYPE_READ_WRITE_ACL is automatically set
82 * if both TYPE_READ_ACL and TYPE_WRITE_ACL are set. Both TYPE_READ_ACL and
83 * TYPE_WRITE_ACL are automatically set if TYPE_READ_WRITE_ACL is set.
84 * TYPE_READ_WRITE_ACL is automatically cleared if either TYPE_READ_ACL or
85 * TYPE_WRITE_ACL is cleared. Both TYPE_READ_ACL and TYPE_WRITE_ACL are
86 * automatically cleared if TYPE_READ_WRITE_ACL is cleared.
87 */
88
89enum tomoyo_path_acl_index {
90	TOMOYO_TYPE_READ_WRITE_ACL,
91	TOMOYO_TYPE_EXECUTE_ACL,
92	TOMOYO_TYPE_READ_ACL,
93	TOMOYO_TYPE_WRITE_ACL,
94	TOMOYO_TYPE_CREATE_ACL,
95	TOMOYO_TYPE_UNLINK_ACL,
96	TOMOYO_TYPE_MKDIR_ACL,
97	TOMOYO_TYPE_RMDIR_ACL,
98	TOMOYO_TYPE_MKFIFO_ACL,
99	TOMOYO_TYPE_MKSOCK_ACL,
100	TOMOYO_TYPE_MKBLOCK_ACL,
101	TOMOYO_TYPE_MKCHAR_ACL,
102	TOMOYO_TYPE_TRUNCATE_ACL,
103	TOMOYO_TYPE_SYMLINK_ACL,
104	TOMOYO_TYPE_REWRITE_ACL,
105	TOMOYO_TYPE_IOCTL_ACL,
106	TOMOYO_TYPE_CHMOD_ACL,
107	TOMOYO_TYPE_CHOWN_ACL,
108	TOMOYO_TYPE_CHGRP_ACL,
109	TOMOYO_TYPE_CHROOT_ACL,
110	TOMOYO_TYPE_MOUNT_ACL,
111	TOMOYO_TYPE_UMOUNT_ACL,
112	TOMOYO_MAX_SINGLE_PATH_OPERATION
113};
114
115enum tomoyo_path2_acl_index {
116	TOMOYO_TYPE_LINK_ACL,
117	TOMOYO_TYPE_RENAME_ACL,
118	TOMOYO_TYPE_PIVOT_ROOT_ACL,
119	TOMOYO_MAX_DOUBLE_PATH_OPERATION
120};
121
122enum tomoyo_securityfs_interface_index {
123	TOMOYO_DOMAINPOLICY,
124	TOMOYO_EXCEPTIONPOLICY,
125	TOMOYO_DOMAIN_STATUS,
126	TOMOYO_PROCESS_STATUS,
127	TOMOYO_MEMINFO,
128	TOMOYO_SELFDOMAIN,
129	TOMOYO_VERSION,
130	TOMOYO_PROFILE,
131	TOMOYO_MANAGER
132};
133
134/********** Structure definitions. **********/
135
136/*
137 * tomoyo_page_buffer is a structure which is used for holding a pathname
138 * obtained from "struct dentry" and "struct vfsmount" pair.
139 * As of now, it is 4096 bytes. If users complain that 4096 bytes is too small
140 * (because TOMOYO escapes non ASCII printable characters using \ooo format),
141 * we will make the buffer larger.
142 */
143struct tomoyo_page_buffer {
144	char buffer[4096];
145};
146
147/*
148 * tomoyo_path_info is a structure which is used for holding a string data
149 * used by TOMOYO.
150 * This structure has several fields for supporting pattern matching.
151 *
152 * (1) "name" is the '\0' terminated string data.
153 * (2) "hash" is full_name_hash(name, strlen(name)).
154 *     This allows tomoyo_pathcmp() to compare by hash before actually compare
155 *     using strcmp().
156 * (3) "const_len" is the length of the initial segment of "name" which
157 *     consists entirely of non wildcard characters. In other words, the length
158 *     which we can compare two strings using strncmp().
159 * (4) "is_dir" is a bool which is true if "name" ends with "/",
160 *     false otherwise.
161 *     TOMOYO distinguishes directory and non-directory. A directory ends with
162 *     "/" and non-directory does not end with "/".
163 * (5) "is_patterned" is a bool which is true if "name" contains wildcard
164 *     characters, false otherwise. This allows TOMOYO to use "hash" and
165 *     strcmp() for string comparison if "is_patterned" is false.
166 */
167struct tomoyo_path_info {
168	const char *name;
169	u32 hash;          /* = full_name_hash(name, strlen(name)) */
170	u16 const_len;     /* = tomoyo_const_part_length(name)     */
171	bool is_dir;       /* = tomoyo_strendswith(name, "/")      */
172	bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
173};
174
175/*
176 * tomoyo_name_entry is a structure which is used for linking
177 * "struct tomoyo_path_info" into tomoyo_name_list .
178 */
179struct tomoyo_name_entry {
180	struct list_head list;
181	atomic_t users;
182	struct tomoyo_path_info entry;
183};
184
185/*
186 * tomoyo_path_info_with_data is a structure which is used for holding a
187 * pathname obtained from "struct dentry" and "struct vfsmount" pair.
188 *
189 * "struct tomoyo_path_info_with_data" consists of "struct tomoyo_path_info"
190 * and buffer for the pathname, while "struct tomoyo_page_buffer" consists of
191 * buffer for the pathname only.
192 *
193 * "struct tomoyo_path_info_with_data" is intended to allow TOMOYO to release
194 * both "struct tomoyo_path_info" and buffer for the pathname by single kfree()
195 * so that we don't need to return two pointers to the caller. If the caller
196 * puts "struct tomoyo_path_info" on stack memory, we will be able to remove
197 * "struct tomoyo_path_info_with_data".
198 */
199struct tomoyo_path_info_with_data {
200	/* Keep "head" first, for this pointer is passed to kfree(). */
201	struct tomoyo_path_info head;
202	char barrier1[16]; /* Safeguard for overrun. */
203	char body[TOMOYO_MAX_PATHNAME_LEN];
204	char barrier2[16]; /* Safeguard for overrun. */
205};
206
207/*
208 * tomoyo_acl_info is a structure which is used for holding
209 *
210 *  (1) "list" which is linked to the ->acl_info_list of
211 *      "struct tomoyo_domain_info"
212 *  (2) "type" which tells type of the entry (either
213 *      "struct tomoyo_single_path_acl_record" or
214 *      "struct tomoyo_double_path_acl_record").
215 *
216 * Packing "struct tomoyo_acl_info" allows
217 * "struct tomoyo_single_path_acl_record" to embed "u8" + "u16" and
218 * "struct tomoyo_double_path_acl_record" to embed "u8"
219 * without enlarging their structure size.
220 */
221struct tomoyo_acl_info {
222	struct list_head list;
223	u8 type;
224} __packed;
225
226/*
227 * tomoyo_domain_info is a structure which is used for holding permissions
228 * (e.g. "allow_read /lib/libc-2.5.so") given to each domain.
229 * It has following fields.
230 *
231 *  (1) "list" which is linked to tomoyo_domain_list .
232 *  (2) "acl_info_list" which is linked to "struct tomoyo_acl_info".
233 *  (3) "domainname" which holds the name of the domain.
234 *  (4) "profile" which remembers profile number assigned to this domain.
235 *  (5) "is_deleted" is a bool which is true if this domain is marked as
236 *      "deleted", false otherwise.
237 *  (6) "quota_warned" is a bool which is used for suppressing warning message
238 *      when learning mode learned too much entries.
239 *  (7) "ignore_global_allow_read" is a bool which is true if this domain
240 *      should ignore "allow_read" directive in exception policy.
241 *  (8) "transition_failed" is a bool which is set to true when this domain was
242 *      unable to create a new domain at tomoyo_find_next_domain() because the
243 *      name of the domain to be created was too long or it could not allocate
244 *      memory. If set to true, more than one process continued execve()
245 *      without domain transition.
246 *  (9) "users" is an atomic_t that holds how many "struct cred"->security
247 *      are referring this "struct tomoyo_domain_info". If is_deleted == true
248 *      and users == 0, this struct will be kfree()d upon next garbage
249 *      collection.
250 *
251 * A domain's lifecycle is an analogy of files on / directory.
252 * Multiple domains with the same domainname cannot be created (as with
253 * creating files with the same filename fails with -EEXIST).
254 * If a process reached a domain, that process can reside in that domain after
255 * that domain is marked as "deleted" (as with a process can access an already
256 * open()ed file after that file was unlink()ed).
257 */
258struct tomoyo_domain_info {
259	struct list_head list;
260	struct list_head acl_info_list;
261	/* Name of this domain. Never NULL.          */
262	const struct tomoyo_path_info *domainname;
263	u8 profile;        /* Profile number to use. */
264	bool is_deleted;   /* Delete flag.           */
265	bool quota_warned; /* Quota warnning flag.   */
266	bool ignore_global_allow_read; /* Ignore "allow_read" flag. */
267	bool transition_failed; /* Domain transition failed flag. */
268	atomic_t users; /* Number of referring credentials. */
269};
270
271/*
272 * tomoyo_single_path_acl_record is a structure which is used for holding an
273 * entry with one pathname operation (e.g. open(), mkdir()).
274 * It has following fields.
275 *
276 *  (1) "head" which is a "struct tomoyo_acl_info".
277 *  (2) "perm" which is a bitmask of permitted operations.
278 *  (3) "filename" is the pathname.
279 *
280 * Directives held by this structure are "allow_read/write", "allow_execute",
281 * "allow_read", "allow_write", "allow_create", "allow_unlink", "allow_mkdir",
282 * "allow_rmdir", "allow_mkfifo", "allow_mksock", "allow_mkblock",
283 * "allow_mkchar", "allow_truncate", "allow_symlink", "allow_rewrite",
284 * "allow_chmod", "allow_chown", "allow_chgrp", "allow_chroot", "allow_mount"
285 * and "allow_unmount".
286 */
287struct tomoyo_single_path_acl_record {
288	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_SINGLE_PATH_ACL */
289	u8 perm_high;
290	u16 perm;
291	/* Pointer to single pathname. */
292	const struct tomoyo_path_info *filename;
293};
294
295/*
296 * tomoyo_double_path_acl_record is a structure which is used for holding an
297 * entry with two pathnames operation (i.e. link(), rename() and pivot_root()).
298 * It has following fields.
299 *
300 *  (1) "head" which is a "struct tomoyo_acl_info".
301 *  (2) "perm" which is a bitmask of permitted operations.
302 *  (3) "filename1" is the source/old pathname.
303 *  (4) "filename2" is the destination/new pathname.
304 *
305 * Directives held by this structure are "allow_rename", "allow_link" and
306 * "allow_pivot_root".
307 */
308struct tomoyo_double_path_acl_record {
309	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_DOUBLE_PATH_ACL */
310	u8 perm;
311	/* Pointer to single pathname. */
312	const struct tomoyo_path_info *filename1;
313	/* Pointer to single pathname. */
314	const struct tomoyo_path_info *filename2;
315};
316
317/*
318 * tomoyo_io_buffer is a structure which is used for reading and modifying
319 * configuration via /sys/kernel/security/tomoyo/ interface.
320 * It has many fields. ->read_var1 , ->read_var2 , ->write_var1 are used as
321 * cursors.
322 *
323 * Since the content of /sys/kernel/security/tomoyo/domain_policy is a list of
324 * "struct tomoyo_domain_info" entries and each "struct tomoyo_domain_info"
325 * entry has a list of "struct tomoyo_acl_info", we need two cursors when
326 * reading (one is for traversing tomoyo_domain_list and the other is for
327 * traversing "struct tomoyo_acl_info"->acl_info_list ).
328 *
329 * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
330 * "select ", TOMOYO seeks the cursor ->read_var1 and ->write_var1 to the
331 * domain with the domainname specified by the rest of that line (NULL is set
332 * if seek failed).
333 * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
334 * "delete ", TOMOYO deletes an entry or a domain specified by the rest of that
335 * line (->write_var1 is set to NULL if a domain was deleted).
336 * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
337 * neither "select " nor "delete ", an entry or a domain specified by that line
338 * is appended.
339 */
340struct tomoyo_io_buffer {
341	int (*read) (struct tomoyo_io_buffer *);
342	int (*write) (struct tomoyo_io_buffer *);
343	/* Exclusive lock for this structure.   */
344	struct mutex io_sem;
345	/* Index returned by tomoyo_read_lock(). */
346	int reader_idx;
347	/* The position currently reading from. */
348	struct list_head *read_var1;
349	/* Extra variables for reading.         */
350	struct list_head *read_var2;
351	/* The position currently writing to.   */
352	struct tomoyo_domain_info *write_var1;
353	/* The step for reading.                */
354	int read_step;
355	/* Buffer for reading.                  */
356	char *read_buf;
357	/* EOF flag for reading.                */
358	bool read_eof;
359	/* Read domain ACL of specified PID?    */
360	bool read_single_domain;
361	/* Extra variable for reading.          */
362	u8 read_bit;
363	/* Bytes available for reading.         */
364	int read_avail;
365	/* Size of read buffer.                 */
366	int readbuf_size;
367	/* Buffer for writing.                  */
368	char *write_buf;
369	/* Bytes available for writing.         */
370	int write_avail;
371	/* Size of write buffer.                */
372	int writebuf_size;
373};
374
375/*
376 * tomoyo_globally_readable_file_entry is a structure which is used for holding
377 * "allow_read" entries.
378 * It has following fields.
379 *
380 *  (1) "list" which is linked to tomoyo_globally_readable_list .
381 *  (2) "filename" is a pathname which is allowed to open(O_RDONLY).
382 *  (3) "is_deleted" is a bool which is true if marked as deleted, false
383 *      otherwise.
384 */
385struct tomoyo_globally_readable_file_entry {
386	struct list_head list;
387	const struct tomoyo_path_info *filename;
388	bool is_deleted;
389};
390
391/*
392 * tomoyo_pattern_entry is a structure which is used for holding
393 * "tomoyo_pattern_list" entries.
394 * It has following fields.
395 *
396 *  (1) "list" which is linked to tomoyo_pattern_list .
397 *  (2) "pattern" is a pathname pattern which is used for converting pathnames
398 *      to pathname patterns during learning mode.
399 *  (3) "is_deleted" is a bool which is true if marked as deleted, false
400 *      otherwise.
401 */
402struct tomoyo_pattern_entry {
403	struct list_head list;
404	const struct tomoyo_path_info *pattern;
405	bool is_deleted;
406};
407
408/*
409 * tomoyo_no_rewrite_entry is a structure which is used for holding
410 * "deny_rewrite" entries.
411 * It has following fields.
412 *
413 *  (1) "list" which is linked to tomoyo_no_rewrite_list .
414 *  (2) "pattern" is a pathname which is by default not permitted to modify
415 *      already existing content.
416 *  (3) "is_deleted" is a bool which is true if marked as deleted, false
417 *      otherwise.
418 */
419struct tomoyo_no_rewrite_entry {
420	struct list_head list;
421	const struct tomoyo_path_info *pattern;
422	bool is_deleted;
423};
424
425/*
426 * tomoyo_domain_initializer_entry is a structure which is used for holding
427 * "initialize_domain" and "no_initialize_domain" entries.
428 * It has following fields.
429 *
430 *  (1) "list" which is linked to tomoyo_domain_initializer_list .
431 *  (2) "domainname" which is "a domainname" or "the last component of a
432 *      domainname". This field is NULL if "from" clause is not specified.
433 *  (3) "program" which is a program's pathname.
434 *  (4) "is_deleted" is a bool which is true if marked as deleted, false
435 *      otherwise.
436 *  (5) "is_not" is a bool which is true if "no_initialize_domain", false
437 *      otherwise.
438 *  (6) "is_last_name" is a bool which is true if "domainname" is "the last
439 *      component of a domainname", false otherwise.
440 */
441struct tomoyo_domain_initializer_entry {
442	struct list_head list;
443	const struct tomoyo_path_info *domainname;    /* This may be NULL */
444	const struct tomoyo_path_info *program;
445	bool is_deleted;
446	bool is_not;       /* True if this entry is "no_initialize_domain".  */
447	/* True if the domainname is tomoyo_get_last_name(). */
448	bool is_last_name;
449};
450
451/*
452 * tomoyo_domain_keeper_entry is a structure which is used for holding
453 * "keep_domain" and "no_keep_domain" entries.
454 * It has following fields.
455 *
456 *  (1) "list" which is linked to tomoyo_domain_keeper_list .
457 *  (2) "domainname" which is "a domainname" or "the last component of a
458 *      domainname".
459 *  (3) "program" which is a program's pathname.
460 *      This field is NULL if "from" clause is not specified.
461 *  (4) "is_deleted" is a bool which is true if marked as deleted, false
462 *      otherwise.
463 *  (5) "is_not" is a bool which is true if "no_initialize_domain", false
464 *      otherwise.
465 *  (6) "is_last_name" is a bool which is true if "domainname" is "the last
466 *      component of a domainname", false otherwise.
467 */
468struct tomoyo_domain_keeper_entry {
469	struct list_head list;
470	const struct tomoyo_path_info *domainname;
471	const struct tomoyo_path_info *program;       /* This may be NULL */
472	bool is_deleted;
473	bool is_not;       /* True if this entry is "no_keep_domain".        */
474	/* True if the domainname is tomoyo_get_last_name(). */
475	bool is_last_name;
476};
477
478/*
479 * tomoyo_alias_entry is a structure which is used for holding "alias" entries.
480 * It has following fields.
481 *
482 *  (1) "list" which is linked to tomoyo_alias_list .
483 *  (2) "original_name" which is a dereferenced pathname.
484 *  (3) "aliased_name" which is a symlink's pathname.
485 *  (4) "is_deleted" is a bool which is true if marked as deleted, false
486 *      otherwise.
487 */
488struct tomoyo_alias_entry {
489	struct list_head list;
490	const struct tomoyo_path_info *original_name;
491	const struct tomoyo_path_info *aliased_name;
492	bool is_deleted;
493};
494
495/*
496 * tomoyo_policy_manager_entry is a structure which is used for holding list of
497 * domainnames or programs which are permitted to modify configuration via
498 * /sys/kernel/security/tomoyo/ interface.
499 * It has following fields.
500 *
501 *  (1) "list" which is linked to tomoyo_policy_manager_list .
502 *  (2) "manager" is a domainname or a program's pathname.
503 *  (3) "is_domain" is a bool which is true if "manager" is a domainname, false
504 *      otherwise.
505 *  (4) "is_deleted" is a bool which is true if marked as deleted, false
506 *      otherwise.
507 */
508struct tomoyo_policy_manager_entry {
509	struct list_head list;
510	/* A path to program or a domainname. */
511	const struct tomoyo_path_info *manager;
512	bool is_domain;  /* True if manager is a domainname. */
513	bool is_deleted; /* True if this entry is deleted. */
514};
515
516/********** Function prototypes. **********/
517
518/* Check whether the domain has too many ACL entries to hold. */
519bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain);
520/* Transactional sprintf() for policy dump. */
521bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
522	__attribute__ ((format(printf, 2, 3)));
523/* Check whether the domainname is correct. */
524bool tomoyo_is_correct_domain(const unsigned char *domainname,
525			      const char *function);
526/* Check whether the token is correct. */
527bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
528			    const s8 pattern_type, const s8 end_type,
529			    const char *function);
530/* Check whether the token can be a domainname. */
531bool tomoyo_is_domain_def(const unsigned char *buffer);
532/* Check whether the given filename matches the given pattern. */
533bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
534				 const struct tomoyo_path_info *pattern);
535/* Read "alias" entry in exception policy. */
536bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head);
537/*
538 * Read "initialize_domain" and "no_initialize_domain" entry
539 * in exception policy.
540 */
541bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head);
542/* Read "keep_domain" and "no_keep_domain" entry in exception policy. */
543bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head);
544/* Read "file_pattern" entry in exception policy. */
545bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head);
546/* Read "allow_read" entry in exception policy. */
547bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head);
548/* Read "deny_rewrite" entry in exception policy. */
549bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head);
550/* Write domain policy violation warning message to console? */
551bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain);
552/* Convert double path operation to operation name. */
553const char *tomoyo_dp2keyword(const u8 operation);
554/* Get the last component of the given domainname. */
555const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain);
556/* Get warning message. */
557const char *tomoyo_get_msg(const bool is_enforce);
558/* Convert single path operation to operation name. */
559const char *tomoyo_sp2keyword(const u8 operation);
560/* Create "alias" entry in exception policy. */
561int tomoyo_write_alias_policy(char *data, const bool is_delete);
562/*
563 * Create "initialize_domain" and "no_initialize_domain" entry
564 * in exception policy.
565 */
566int tomoyo_write_domain_initializer_policy(char *data, const bool is_not,
567					   const bool is_delete);
568/* Create "keep_domain" and "no_keep_domain" entry in exception policy. */
569int tomoyo_write_domain_keeper_policy(char *data, const bool is_not,
570				      const bool is_delete);
571/*
572 * Create "allow_read/write", "allow_execute", "allow_read", "allow_write",
573 * "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir",
574 * "allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar",
575 * "allow_truncate", "allow_symlink", "allow_rewrite", "allow_rename" and
576 * "allow_link" entry in domain policy.
577 */
578int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
579			     const bool is_delete);
580/* Create "allow_read" entry in exception policy. */
581int tomoyo_write_globally_readable_policy(char *data, const bool is_delete);
582/* Create "deny_rewrite" entry in exception policy. */
583int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete);
584/* Create "file_pattern" entry in exception policy. */
585int tomoyo_write_pattern_policy(char *data, const bool is_delete);
586/* Find a domain by the given name. */
587struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
588/* Find or create a domain by the given name. */
589struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
590							    domainname,
591							    const u8 profile);
592/* Check mode for specified functionality. */
593unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
594				const u8 index);
595/* Fill in "struct tomoyo_path_info" members. */
596void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
597/* Run policy loader when /sbin/init starts. */
598void tomoyo_load_policy(const char *filename);
599
600/* Convert binary string to ascii string. */
601int tomoyo_encode(char *buffer, int buflen, const char *str);
602
603/* Returns realpath(3) of the given pathname but ignores chroot'ed root. */
604int tomoyo_realpath_from_path2(struct path *path, char *newname,
605			       int newname_len);
606
607/*
608 * Returns realpath(3) of the given pathname but ignores chroot'ed root.
609 * These functions use kzalloc(), so the caller must call kfree()
610 * if these functions didn't return NULL.
611 */
612char *tomoyo_realpath(const char *pathname);
613/*
614 * Same with tomoyo_realpath() except that it doesn't follow the final symlink.
615 */
616char *tomoyo_realpath_nofollow(const char *pathname);
617/* Same with tomoyo_realpath() except that the pathname is already solved. */
618char *tomoyo_realpath_from_path(struct path *path);
619
620/* Check memory quota. */
621bool tomoyo_memory_ok(void *ptr);
622
623/*
624 * Keep the given name on the RAM.
625 * The RAM is shared, so NEVER try to modify or kfree() the returned name.
626 */
627const struct tomoyo_path_info *tomoyo_get_name(const char *name);
628
629/* Check for memory usage. */
630int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head);
631
632/* Set memory quota. */
633int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
634
635/* Initialize realpath related code. */
636void __init tomoyo_realpath_init(void);
637int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
638			   const struct tomoyo_path_info *filename);
639int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
640				 struct path *path, const int flag);
641int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
642			    const u8 operation, struct path *path);
643int tomoyo_check_2path_perm(struct tomoyo_domain_info *domain,
644			    const u8 operation, struct path *path1,
645			    struct path *path2);
646int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
647				    struct file *filp);
648int tomoyo_find_next_domain(struct linux_binprm *bprm);
649
650/* Run garbage collector. */
651void tomoyo_run_gc(void);
652
653void tomoyo_memory_free(void *ptr);
654
655/********** External variable definitions. **********/
656
657/* Lock for GC. */
658extern struct srcu_struct tomoyo_ss;
659
660/* The list for "struct tomoyo_domain_info". */
661extern struct list_head tomoyo_domain_list;
662
663extern struct list_head tomoyo_domain_initializer_list;
664extern struct list_head tomoyo_domain_keeper_list;
665extern struct list_head tomoyo_alias_list;
666extern struct list_head tomoyo_globally_readable_list;
667extern struct list_head tomoyo_pattern_list;
668extern struct list_head tomoyo_no_rewrite_list;
669extern struct list_head tomoyo_policy_manager_list;
670extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
671extern struct mutex tomoyo_name_list_lock;
672
673/* Lock for protecting policy. */
674extern struct mutex tomoyo_policy_lock;
675
676/* Has /sbin/init started? */
677extern bool tomoyo_policy_loaded;
678
679/* The kernel's domain. */
680extern struct tomoyo_domain_info tomoyo_kernel_domain;
681
682/********** Inlined functions. **********/
683
684static inline int tomoyo_read_lock(void)
685{
686	return srcu_read_lock(&tomoyo_ss);
687}
688
689static inline void tomoyo_read_unlock(int idx)
690{
691	srcu_read_unlock(&tomoyo_ss, idx);
692}
693
694/* strcmp() for "struct tomoyo_path_info" structure. */
695static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
696				  const struct tomoyo_path_info *b)
697{
698	return a->hash != b->hash || strcmp(a->name, b->name);
699}
700
701/**
702 * tomoyo_is_valid - Check whether the character is a valid char.
703 *
704 * @c: The character to check.
705 *
706 * Returns true if @c is a valid character, false otherwise.
707 */
708static inline bool tomoyo_is_valid(const unsigned char c)
709{
710	return c > ' ' && c < 127;
711}
712
713/**
714 * tomoyo_is_invalid - Check whether the character is an invalid char.
715 *
716 * @c: The character to check.
717 *
718 * Returns true if @c is an invalid character, false otherwise.
719 */
720static inline bool tomoyo_is_invalid(const unsigned char c)
721{
722	return c && (c <= ' ' || c >= 127);
723}
724
725static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
726{
727	if (name) {
728		struct tomoyo_name_entry *ptr =
729			container_of(name, struct tomoyo_name_entry, entry);
730		atomic_dec(&ptr->users);
731	}
732}
733
734static inline struct tomoyo_domain_info *tomoyo_domain(void)
735{
736	return current_cred()->security;
737}
738
739static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
740							    *task)
741{
742	return task_cred_xxx(task, security);
743}
744
745/**
746 * list_for_each_cookie - iterate over a list with cookie.
747 * @pos:        the &struct list_head to use as a loop cursor.
748 * @cookie:     the &struct list_head to use as a cookie.
749 * @head:       the head for your list.
750 *
751 * Same with list_for_each_rcu() except that this primitive uses @cookie
752 * so that we can continue iteration.
753 * @cookie must be NULL when iteration starts, and @cookie will become
754 * NULL when iteration finishes.
755 */
756#define list_for_each_cookie(pos, cookie, head)				\
757	for (({ if (!cookie)						\
758				     cookie = head; }),			\
759		     pos = rcu_dereference((cookie)->next);		\
760	     prefetch(pos->next), pos != (head) || ((cookie) = NULL);	\
761	     (cookie) = pos, pos = rcu_dereference(pos->next))
762
763#endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */
764