common.h revision 9b244373da3eab671da6c5125482121528a9ebf3
1/* 2 * security/tomoyo/common.h 3 * 4 * Header file for TOMOYO. 5 * 6 * Copyright (C) 2005-2010 NTT DATA CORPORATION 7 */ 8 9#ifndef _SECURITY_TOMOYO_COMMON_H 10#define _SECURITY_TOMOYO_COMMON_H 11 12#include <linux/ctype.h> 13#include <linux/string.h> 14#include <linux/mm.h> 15#include <linux/file.h> 16#include <linux/kmod.h> 17#include <linux/fs.h> 18#include <linux/sched.h> 19#include <linux/namei.h> 20#include <linux/mount.h> 21#include <linux/list.h> 22#include <linux/cred.h> 23#include <linux/poll.h> 24struct linux_binprm; 25 26/********** Constants definitions. **********/ 27 28/* 29 * TOMOYO uses this hash only when appending a string into the string 30 * table. Frequency of appending strings is very low. So we don't need 31 * large (e.g. 64k) hash size. 256 will be sufficient. 32 */ 33#define TOMOYO_HASH_BITS 8 34#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS) 35 36/* 37 * This is the max length of a token. 38 * 39 * A token consists of only ASCII printable characters. 40 * Non printable characters in a token is represented in \ooo style 41 * octal string. Thus, \ itself is represented as \\. 42 */ 43#define TOMOYO_MAX_PATHNAME_LEN 4000 44 45/* Profile number is an integer between 0 and 255. */ 46#define TOMOYO_MAX_PROFILES 256 47 48enum tomoyo_mode_index { 49 TOMOYO_CONFIG_DISABLED, 50 TOMOYO_CONFIG_LEARNING, 51 TOMOYO_CONFIG_PERMISSIVE, 52 TOMOYO_CONFIG_ENFORCING 53}; 54 55/* Keywords for ACLs. */ 56#define TOMOYO_KEYWORD_ALIAS "alias " 57#define TOMOYO_KEYWORD_ALLOW_MOUNT "allow_mount " 58#define TOMOYO_KEYWORD_ALLOW_READ "allow_read " 59#define TOMOYO_KEYWORD_DELETE "delete " 60#define TOMOYO_KEYWORD_DENY_REWRITE "deny_rewrite " 61#define TOMOYO_KEYWORD_FILE_PATTERN "file_pattern " 62#define TOMOYO_KEYWORD_INITIALIZE_DOMAIN "initialize_domain " 63#define TOMOYO_KEYWORD_KEEP_DOMAIN "keep_domain " 64#define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain " 65#define TOMOYO_KEYWORD_NO_KEEP_DOMAIN "no_keep_domain " 66#define TOMOYO_KEYWORD_PATH_GROUP "path_group " 67#define TOMOYO_KEYWORD_NUMBER_GROUP "number_group " 68#define TOMOYO_KEYWORD_SELECT "select " 69#define TOMOYO_KEYWORD_USE_PROFILE "use_profile " 70#define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read" 71#define TOMOYO_KEYWORD_QUOTA_EXCEEDED "quota_exceeded" 72#define TOMOYO_KEYWORD_TRANSITION_FAILED "transition_failed" 73/* A domain definition starts with <kernel>. */ 74#define TOMOYO_ROOT_NAME "<kernel>" 75#define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1) 76 77/* Value type definition. */ 78#define TOMOYO_VALUE_TYPE_INVALID 0 79#define TOMOYO_VALUE_TYPE_DECIMAL 1 80#define TOMOYO_VALUE_TYPE_OCTAL 2 81#define TOMOYO_VALUE_TYPE_HEXADECIMAL 3 82 83/* Index numbers for Access Controls. */ 84enum tomoyo_mac_index { 85 TOMOYO_MAC_FOR_FILE, /* domain_policy.conf */ 86 TOMOYO_MAX_ACCEPT_ENTRY, 87 TOMOYO_VERBOSE, 88 TOMOYO_MAX_CONTROL_INDEX 89}; 90 91/* Index numbers for Access Controls. */ 92enum tomoyo_acl_entry_type_index { 93 TOMOYO_TYPE_PATH_ACL, 94 TOMOYO_TYPE_PATH2_ACL, 95 TOMOYO_TYPE_PATH_NUMBER_ACL, 96 TOMOYO_TYPE_PATH_NUMBER3_ACL, 97 TOMOYO_TYPE_MOUNT_ACL, 98}; 99 100/* Index numbers for File Controls. */ 101 102/* 103 * TOMOYO_TYPE_READ_WRITE is special. TOMOYO_TYPE_READ_WRITE is automatically 104 * set if both TOMOYO_TYPE_READ and TOMOYO_TYPE_WRITE are set. 105 * Both TOMOYO_TYPE_READ and TOMOYO_TYPE_WRITE are automatically set if 106 * TOMOYO_TYPE_READ_WRITE is set. 107 * TOMOYO_TYPE_READ_WRITE is automatically cleared if either TOMOYO_TYPE_READ 108 * or TOMOYO_TYPE_WRITE is cleared. 109 * Both TOMOYO_TYPE_READ and TOMOYO_TYPE_WRITE are automatically cleared if 110 * TOMOYO_TYPE_READ_WRITE is cleared. 111 */ 112 113enum tomoyo_path_acl_index { 114 TOMOYO_TYPE_READ_WRITE, 115 TOMOYO_TYPE_EXECUTE, 116 TOMOYO_TYPE_READ, 117 TOMOYO_TYPE_WRITE, 118 TOMOYO_TYPE_UNLINK, 119 TOMOYO_TYPE_RMDIR, 120 TOMOYO_TYPE_TRUNCATE, 121 TOMOYO_TYPE_SYMLINK, 122 TOMOYO_TYPE_REWRITE, 123 TOMOYO_TYPE_CHROOT, 124 TOMOYO_TYPE_UMOUNT, 125 TOMOYO_MAX_PATH_OPERATION 126}; 127 128enum tomoyo_path_number3_acl_index { 129 TOMOYO_TYPE_MKBLOCK, 130 TOMOYO_TYPE_MKCHAR, 131 TOMOYO_MAX_PATH_NUMBER3_OPERATION 132}; 133 134enum tomoyo_path2_acl_index { 135 TOMOYO_TYPE_LINK, 136 TOMOYO_TYPE_RENAME, 137 TOMOYO_TYPE_PIVOT_ROOT, 138 TOMOYO_MAX_PATH2_OPERATION 139}; 140 141enum tomoyo_path_number_acl_index { 142 TOMOYO_TYPE_CREATE, 143 TOMOYO_TYPE_MKDIR, 144 TOMOYO_TYPE_MKFIFO, 145 TOMOYO_TYPE_MKSOCK, 146 TOMOYO_TYPE_IOCTL, 147 TOMOYO_TYPE_CHMOD, 148 TOMOYO_TYPE_CHOWN, 149 TOMOYO_TYPE_CHGRP, 150 TOMOYO_MAX_PATH_NUMBER_OPERATION 151}; 152 153enum tomoyo_securityfs_interface_index { 154 TOMOYO_DOMAINPOLICY, 155 TOMOYO_EXCEPTIONPOLICY, 156 TOMOYO_DOMAIN_STATUS, 157 TOMOYO_PROCESS_STATUS, 158 TOMOYO_MEMINFO, 159 TOMOYO_SELFDOMAIN, 160 TOMOYO_VERSION, 161 TOMOYO_PROFILE, 162 TOMOYO_QUERY, 163 TOMOYO_MANAGER 164}; 165 166#define TOMOYO_RETRY_REQUEST 1 /* Retry this request. */ 167 168/********** Structure definitions. **********/ 169 170/* 171 * tomoyo_page_buffer is a structure which is used for holding a pathname 172 * obtained from "struct dentry" and "struct vfsmount" pair. 173 * As of now, it is 4096 bytes. If users complain that 4096 bytes is too small 174 * (because TOMOYO escapes non ASCII printable characters using \ooo format), 175 * we will make the buffer larger. 176 */ 177struct tomoyo_page_buffer { 178 char buffer[4096]; 179}; 180 181/* 182 * tomoyo_request_info is a structure which is used for holding 183 * 184 * (1) Domain information of current process. 185 * (2) How many retries are made for this request. 186 * (3) Profile number used for this request. 187 * (4) Access control mode of the profile. 188 */ 189struct tomoyo_request_info { 190 struct tomoyo_domain_info *domain; 191 u8 retry; 192 u8 profile; 193 u8 mode; /* One of tomoyo_mode_index . */ 194}; 195 196/* 197 * tomoyo_path_info is a structure which is used for holding a string data 198 * used by TOMOYO. 199 * This structure has several fields for supporting pattern matching. 200 * 201 * (1) "name" is the '\0' terminated string data. 202 * (2) "hash" is full_name_hash(name, strlen(name)). 203 * This allows tomoyo_pathcmp() to compare by hash before actually compare 204 * using strcmp(). 205 * (3) "const_len" is the length of the initial segment of "name" which 206 * consists entirely of non wildcard characters. In other words, the length 207 * which we can compare two strings using strncmp(). 208 * (4) "is_dir" is a bool which is true if "name" ends with "/", 209 * false otherwise. 210 * TOMOYO distinguishes directory and non-directory. A directory ends with 211 * "/" and non-directory does not end with "/". 212 * (5) "is_patterned" is a bool which is true if "name" contains wildcard 213 * characters, false otherwise. This allows TOMOYO to use "hash" and 214 * strcmp() for string comparison if "is_patterned" is false. 215 */ 216struct tomoyo_path_info { 217 const char *name; 218 u32 hash; /* = full_name_hash(name, strlen(name)) */ 219 u16 const_len; /* = tomoyo_const_part_length(name) */ 220 bool is_dir; /* = tomoyo_strendswith(name, "/") */ 221 bool is_patterned; /* = tomoyo_path_contains_pattern(name) */ 222}; 223 224/* 225 * tomoyo_name_entry is a structure which is used for linking 226 * "struct tomoyo_path_info" into tomoyo_name_list . 227 */ 228struct tomoyo_name_entry { 229 struct list_head list; 230 atomic_t users; 231 struct tomoyo_path_info entry; 232}; 233 234/* 235 * tomoyo_path_info_with_data is a structure which is used for holding a 236 * pathname obtained from "struct dentry" and "struct vfsmount" pair. 237 * 238 * "struct tomoyo_path_info_with_data" consists of "struct tomoyo_path_info" 239 * and buffer for the pathname, while "struct tomoyo_page_buffer" consists of 240 * buffer for the pathname only. 241 * 242 * "struct tomoyo_path_info_with_data" is intended to allow TOMOYO to release 243 * both "struct tomoyo_path_info" and buffer for the pathname by single kfree() 244 * so that we don't need to return two pointers to the caller. If the caller 245 * puts "struct tomoyo_path_info" on stack memory, we will be able to remove 246 * "struct tomoyo_path_info_with_data". 247 */ 248struct tomoyo_path_info_with_data { 249 /* Keep "head" first, for this pointer is passed to kfree(). */ 250 struct tomoyo_path_info head; 251 char barrier1[16]; /* Safeguard for overrun. */ 252 char body[TOMOYO_MAX_PATHNAME_LEN]; 253 char barrier2[16]; /* Safeguard for overrun. */ 254}; 255 256struct tomoyo_name_union { 257 const struct tomoyo_path_info *filename; 258 struct tomoyo_path_group *group; 259 u8 is_group; 260}; 261 262struct tomoyo_number_union { 263 unsigned long values[2]; 264 struct tomoyo_number_group *group; 265 u8 min_type; 266 u8 max_type; 267 u8 is_group; 268}; 269 270/* Structure for "path_group" directive. */ 271struct tomoyo_path_group { 272 struct list_head list; 273 const struct tomoyo_path_info *group_name; 274 struct list_head member_list; 275 atomic_t users; 276}; 277 278/* Structure for "number_group" directive. */ 279struct tomoyo_number_group { 280 struct list_head list; 281 const struct tomoyo_path_info *group_name; 282 struct list_head member_list; 283 atomic_t users; 284}; 285 286/* Structure for "path_group" directive. */ 287struct tomoyo_path_group_member { 288 struct list_head list; 289 bool is_deleted; 290 const struct tomoyo_path_info *member_name; 291}; 292 293/* Structure for "number_group" directive. */ 294struct tomoyo_number_group_member { 295 struct list_head list; 296 bool is_deleted; 297 struct tomoyo_number_union number; 298}; 299 300/* 301 * tomoyo_acl_info is a structure which is used for holding 302 * 303 * (1) "list" which is linked to the ->acl_info_list of 304 * "struct tomoyo_domain_info" 305 * (2) "type" which tells type of the entry (either 306 * "struct tomoyo_path_acl" or "struct tomoyo_path2_acl"). 307 * 308 * Packing "struct tomoyo_acl_info" allows 309 * "struct tomoyo_path_acl" to embed "u8" + "u16" and 310 * "struct tomoyo_path2_acl" to embed "u8" 311 * without enlarging their structure size. 312 */ 313struct tomoyo_acl_info { 314 struct list_head list; 315 u8 type; 316} __packed; 317 318/* 319 * tomoyo_domain_info is a structure which is used for holding permissions 320 * (e.g. "allow_read /lib/libc-2.5.so") given to each domain. 321 * It has following fields. 322 * 323 * (1) "list" which is linked to tomoyo_domain_list . 324 * (2) "acl_info_list" which is linked to "struct tomoyo_acl_info". 325 * (3) "domainname" which holds the name of the domain. 326 * (4) "profile" which remembers profile number assigned to this domain. 327 * (5) "is_deleted" is a bool which is true if this domain is marked as 328 * "deleted", false otherwise. 329 * (6) "quota_warned" is a bool which is used for suppressing warning message 330 * when learning mode learned too much entries. 331 * (7) "ignore_global_allow_read" is a bool which is true if this domain 332 * should ignore "allow_read" directive in exception policy. 333 * (8) "transition_failed" is a bool which is set to true when this domain was 334 * unable to create a new domain at tomoyo_find_next_domain() because the 335 * name of the domain to be created was too long or it could not allocate 336 * memory. If set to true, more than one process continued execve() 337 * without domain transition. 338 * (9) "users" is an atomic_t that holds how many "struct cred"->security 339 * are referring this "struct tomoyo_domain_info". If is_deleted == true 340 * and users == 0, this struct will be kfree()d upon next garbage 341 * collection. 342 * 343 * A domain's lifecycle is an analogy of files on / directory. 344 * Multiple domains with the same domainname cannot be created (as with 345 * creating files with the same filename fails with -EEXIST). 346 * If a process reached a domain, that process can reside in that domain after 347 * that domain is marked as "deleted" (as with a process can access an already 348 * open()ed file after that file was unlink()ed). 349 */ 350struct tomoyo_domain_info { 351 struct list_head list; 352 struct list_head acl_info_list; 353 /* Name of this domain. Never NULL. */ 354 const struct tomoyo_path_info *domainname; 355 u8 profile; /* Profile number to use. */ 356 bool is_deleted; /* Delete flag. */ 357 bool quota_warned; /* Quota warnning flag. */ 358 bool ignore_global_allow_read; /* Ignore "allow_read" flag. */ 359 bool transition_failed; /* Domain transition failed flag. */ 360 atomic_t users; /* Number of referring credentials. */ 361}; 362 363/* 364 * tomoyo_path_acl is a structure which is used for holding an 365 * entry with one pathname operation (e.g. open(), mkdir()). 366 * It has following fields. 367 * 368 * (1) "head" which is a "struct tomoyo_acl_info". 369 * (2) "perm" which is a bitmask of permitted operations. 370 * (3) "name" is the pathname. 371 * 372 * Directives held by this structure are "allow_read/write", "allow_execute", 373 * "allow_read", "allow_write", "allow_unlink", "allow_rmdir", 374 * "allow_truncate", "allow_symlink", "allow_rewrite", "allow_chroot" and 375 * "allow_unmount". 376 */ 377struct tomoyo_path_acl { 378 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */ 379 u16 perm; 380 struct tomoyo_name_union name; 381}; 382 383/* 384 * tomoyo_path_number_acl is a structure which is used for holding an 385 * entry with one pathname and one number operation. 386 * It has following fields. 387 * 388 * (1) "head" which is a "struct tomoyo_acl_info". 389 * (2) "perm" which is a bitmask of permitted operations. 390 * (3) "name" is the pathname. 391 * (4) "number" is the numeric value. 392 * 393 * Directives held by this structure are "allow_create", "allow_mkdir", 394 * "allow_ioctl", "allow_mkfifo", "allow_mksock", "allow_chmod", "allow_chown" 395 * and "allow_chgrp". 396 * 397 */ 398struct tomoyo_path_number_acl { 399 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_NUMBER_ACL */ 400 u8 perm; 401 struct tomoyo_name_union name; 402 struct tomoyo_number_union number; 403}; 404 405/* 406 * tomoyo_path_number3_acl is a structure which is used for holding an 407 * entry with one pathname and three numbers operation. 408 * It has following fields. 409 * 410 * (1) "head" which is a "struct tomoyo_acl_info". 411 * (2) "perm" which is a bitmask of permitted operations. 412 * (3) "mode" is the create mode. 413 * (4) "major" is the major number of device node. 414 * (5) "minor" is the minor number of device node. 415 * 416 * Directives held by this structure are "allow_mkchar", "allow_mkblock". 417 * 418 */ 419struct tomoyo_path_number3_acl { 420 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_NUMBER3_ACL */ 421 u8 perm; 422 struct tomoyo_name_union name; 423 struct tomoyo_number_union mode; 424 struct tomoyo_number_union major; 425 struct tomoyo_number_union minor; 426}; 427 428/* 429 * tomoyo_path2_acl is a structure which is used for holding an 430 * entry with two pathnames operation (i.e. link(), rename() and pivot_root()). 431 * It has following fields. 432 * 433 * (1) "head" which is a "struct tomoyo_acl_info". 434 * (2) "perm" which is a bitmask of permitted operations. 435 * (3) "name1" is the source/old pathname. 436 * (4) "name2" is the destination/new pathname. 437 * 438 * Directives held by this structure are "allow_rename", "allow_link" and 439 * "allow_pivot_root". 440 */ 441struct tomoyo_path2_acl { 442 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */ 443 u8 perm; 444 struct tomoyo_name_union name1; 445 struct tomoyo_name_union name2; 446}; 447 448/* 449 * tomoyo_mount_acl is a structure which is used for holding an 450 * entry for mount operation. 451 * It has following fields. 452 * 453 * (1) "head" which is a "struct tomoyo_acl_info". 454 * (2) "is_deleted" is boolean. 455 * (3) "dev_name" is the device name. 456 * (4) "dir_name" is the mount point. 457 * (5) "flags" is the mount flags. 458 * 459 * Directives held by this structure are "allow_rename", "allow_link" and 460 * "allow_pivot_root". 461 */ 462struct tomoyo_mount_acl { 463 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MOUNT_ACL */ 464 bool is_deleted; 465 struct tomoyo_name_union dev_name; 466 struct tomoyo_name_union dir_name; 467 struct tomoyo_name_union fs_type; 468 struct tomoyo_number_union flags; 469}; 470 471/* 472 * tomoyo_io_buffer is a structure which is used for reading and modifying 473 * configuration via /sys/kernel/security/tomoyo/ interface. 474 * It has many fields. ->read_var1 , ->read_var2 , ->write_var1 are used as 475 * cursors. 476 * 477 * Since the content of /sys/kernel/security/tomoyo/domain_policy is a list of 478 * "struct tomoyo_domain_info" entries and each "struct tomoyo_domain_info" 479 * entry has a list of "struct tomoyo_acl_info", we need two cursors when 480 * reading (one is for traversing tomoyo_domain_list and the other is for 481 * traversing "struct tomoyo_acl_info"->acl_info_list ). 482 * 483 * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with 484 * "select ", TOMOYO seeks the cursor ->read_var1 and ->write_var1 to the 485 * domain with the domainname specified by the rest of that line (NULL is set 486 * if seek failed). 487 * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with 488 * "delete ", TOMOYO deletes an entry or a domain specified by the rest of that 489 * line (->write_var1 is set to NULL if a domain was deleted). 490 * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with 491 * neither "select " nor "delete ", an entry or a domain specified by that line 492 * is appended. 493 */ 494struct tomoyo_io_buffer { 495 int (*read) (struct tomoyo_io_buffer *); 496 int (*write) (struct tomoyo_io_buffer *); 497 int (*poll) (struct file *file, poll_table *wait); 498 /* Exclusive lock for this structure. */ 499 struct mutex io_sem; 500 /* Index returned by tomoyo_read_lock(). */ 501 int reader_idx; 502 /* The position currently reading from. */ 503 struct list_head *read_var1; 504 /* Extra variables for reading. */ 505 struct list_head *read_var2; 506 /* The position currently writing to. */ 507 struct tomoyo_domain_info *write_var1; 508 /* The step for reading. */ 509 int read_step; 510 /* Buffer for reading. */ 511 char *read_buf; 512 /* EOF flag for reading. */ 513 bool read_eof; 514 /* Read domain ACL of specified PID? */ 515 bool read_single_domain; 516 /* Extra variable for reading. */ 517 u8 read_bit; 518 /* Bytes available for reading. */ 519 int read_avail; 520 /* Size of read buffer. */ 521 int readbuf_size; 522 /* Buffer for writing. */ 523 char *write_buf; 524 /* Bytes available for writing. */ 525 int write_avail; 526 /* Size of write buffer. */ 527 int writebuf_size; 528 /* Type of this interface. */ 529 u8 type; 530}; 531 532/* 533 * tomoyo_globally_readable_file_entry is a structure which is used for holding 534 * "allow_read" entries. 535 * It has following fields. 536 * 537 * (1) "list" which is linked to tomoyo_globally_readable_list . 538 * (2) "filename" is a pathname which is allowed to open(O_RDONLY). 539 * (3) "is_deleted" is a bool which is true if marked as deleted, false 540 * otherwise. 541 */ 542struct tomoyo_globally_readable_file_entry { 543 struct list_head list; 544 const struct tomoyo_path_info *filename; 545 bool is_deleted; 546}; 547 548/* 549 * tomoyo_pattern_entry is a structure which is used for holding 550 * "tomoyo_pattern_list" entries. 551 * It has following fields. 552 * 553 * (1) "list" which is linked to tomoyo_pattern_list . 554 * (2) "pattern" is a pathname pattern which is used for converting pathnames 555 * to pathname patterns during learning mode. 556 * (3) "is_deleted" is a bool which is true if marked as deleted, false 557 * otherwise. 558 */ 559struct tomoyo_pattern_entry { 560 struct list_head list; 561 const struct tomoyo_path_info *pattern; 562 bool is_deleted; 563}; 564 565/* 566 * tomoyo_no_rewrite_entry is a structure which is used for holding 567 * "deny_rewrite" entries. 568 * It has following fields. 569 * 570 * (1) "list" which is linked to tomoyo_no_rewrite_list . 571 * (2) "pattern" is a pathname which is by default not permitted to modify 572 * already existing content. 573 * (3) "is_deleted" is a bool which is true if marked as deleted, false 574 * otherwise. 575 */ 576struct tomoyo_no_rewrite_entry { 577 struct list_head list; 578 const struct tomoyo_path_info *pattern; 579 bool is_deleted; 580}; 581 582/* 583 * tomoyo_domain_initializer_entry is a structure which is used for holding 584 * "initialize_domain" and "no_initialize_domain" entries. 585 * It has following fields. 586 * 587 * (1) "list" which is linked to tomoyo_domain_initializer_list . 588 * (2) "domainname" which is "a domainname" or "the last component of a 589 * domainname". This field is NULL if "from" clause is not specified. 590 * (3) "program" which is a program's pathname. 591 * (4) "is_deleted" is a bool which is true if marked as deleted, false 592 * otherwise. 593 * (5) "is_not" is a bool which is true if "no_initialize_domain", false 594 * otherwise. 595 * (6) "is_last_name" is a bool which is true if "domainname" is "the last 596 * component of a domainname", false otherwise. 597 */ 598struct tomoyo_domain_initializer_entry { 599 struct list_head list; 600 const struct tomoyo_path_info *domainname; /* This may be NULL */ 601 const struct tomoyo_path_info *program; 602 bool is_deleted; 603 bool is_not; /* True if this entry is "no_initialize_domain". */ 604 /* True if the domainname is tomoyo_get_last_name(). */ 605 bool is_last_name; 606}; 607 608/* 609 * tomoyo_domain_keeper_entry is a structure which is used for holding 610 * "keep_domain" and "no_keep_domain" entries. 611 * It has following fields. 612 * 613 * (1) "list" which is linked to tomoyo_domain_keeper_list . 614 * (2) "domainname" which is "a domainname" or "the last component of a 615 * domainname". 616 * (3) "program" which is a program's pathname. 617 * This field is NULL if "from" clause is not specified. 618 * (4) "is_deleted" is a bool which is true if marked as deleted, false 619 * otherwise. 620 * (5) "is_not" is a bool which is true if "no_initialize_domain", false 621 * otherwise. 622 * (6) "is_last_name" is a bool which is true if "domainname" is "the last 623 * component of a domainname", false otherwise. 624 */ 625struct tomoyo_domain_keeper_entry { 626 struct list_head list; 627 const struct tomoyo_path_info *domainname; 628 const struct tomoyo_path_info *program; /* This may be NULL */ 629 bool is_deleted; 630 bool is_not; /* True if this entry is "no_keep_domain". */ 631 /* True if the domainname is tomoyo_get_last_name(). */ 632 bool is_last_name; 633}; 634 635/* 636 * tomoyo_alias_entry is a structure which is used for holding "alias" entries. 637 * It has following fields. 638 * 639 * (1) "list" which is linked to tomoyo_alias_list . 640 * (2) "original_name" which is a dereferenced pathname. 641 * (3) "aliased_name" which is a symlink's pathname. 642 * (4) "is_deleted" is a bool which is true if marked as deleted, false 643 * otherwise. 644 */ 645struct tomoyo_alias_entry { 646 struct list_head list; 647 const struct tomoyo_path_info *original_name; 648 const struct tomoyo_path_info *aliased_name; 649 bool is_deleted; 650}; 651 652/* 653 * tomoyo_policy_manager_entry is a structure which is used for holding list of 654 * domainnames or programs which are permitted to modify configuration via 655 * /sys/kernel/security/tomoyo/ interface. 656 * It has following fields. 657 * 658 * (1) "list" which is linked to tomoyo_policy_manager_list . 659 * (2) "manager" is a domainname or a program's pathname. 660 * (3) "is_domain" is a bool which is true if "manager" is a domainname, false 661 * otherwise. 662 * (4) "is_deleted" is a bool which is true if marked as deleted, false 663 * otherwise. 664 */ 665struct tomoyo_policy_manager_entry { 666 struct list_head list; 667 /* A path to program or a domainname. */ 668 const struct tomoyo_path_info *manager; 669 bool is_domain; /* True if manager is a domainname. */ 670 bool is_deleted; /* True if this entry is deleted. */ 671}; 672 673/********** Function prototypes. **********/ 674 675extern asmlinkage long sys_getpid(void); 676extern asmlinkage long sys_getppid(void); 677 678/* Check whether the given string starts with the given keyword. */ 679bool tomoyo_str_starts(char **src, const char *find); 680/* Get tomoyo_realpath() of current process. */ 681const char *tomoyo_get_exe(void); 682/* Format string. */ 683void tomoyo_normalize_line(unsigned char *buffer); 684/* Print warning or error message on console. */ 685void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...) 686 __attribute__ ((format(printf, 2, 3))); 687/* Check all profiles currently assigned to domains are defined. */ 688void tomoyo_check_profile(void); 689/* Open operation for /sys/kernel/security/tomoyo/ interface. */ 690int tomoyo_open_control(const u8 type, struct file *file); 691/* Close /sys/kernel/security/tomoyo/ interface. */ 692int tomoyo_close_control(struct file *file); 693/* Read operation for /sys/kernel/security/tomoyo/ interface. */ 694int tomoyo_read_control(struct file *file, char __user *buffer, 695 const int buffer_len); 696/* Write operation for /sys/kernel/security/tomoyo/ interface. */ 697int tomoyo_write_control(struct file *file, const char __user *buffer, 698 const int buffer_len); 699/* Check whether the domain has too many ACL entries to hold. */ 700bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r); 701/* Print out of memory warning message. */ 702void tomoyo_warn_oom(const char *function); 703/* Check whether the given name matches the given name_union. */ 704bool tomoyo_compare_name_union(const struct tomoyo_path_info *name, 705 const struct tomoyo_name_union *ptr); 706/* Check whether the given number matches the given number_union. */ 707bool tomoyo_compare_number_union(const unsigned long value, 708 const struct tomoyo_number_union *ptr); 709/* Transactional sprintf() for policy dump. */ 710bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 711 __attribute__ ((format(printf, 2, 3))); 712/* Check whether the domainname is correct. */ 713bool tomoyo_is_correct_domain(const unsigned char *domainname); 714/* Check whether the token is correct. */ 715bool tomoyo_is_correct_path(const char *filename, const s8 start_type, 716 const s8 pattern_type, const s8 end_type); 717/* Check whether the token can be a domainname. */ 718bool tomoyo_is_domain_def(const unsigned char *buffer); 719bool tomoyo_parse_name_union(const char *filename, 720 struct tomoyo_name_union *ptr); 721/* Check whether the given filename matches the given path_group. */ 722bool tomoyo_path_matches_group(const struct tomoyo_path_info *pathname, 723 const struct tomoyo_path_group *group, 724 const bool may_use_pattern); 725/* Check whether the given value matches the given number_group. */ 726bool tomoyo_number_matches_group(const unsigned long min, 727 const unsigned long max, 728 const struct tomoyo_number_group *group); 729/* Check whether the given filename matches the given pattern. */ 730bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, 731 const struct tomoyo_path_info *pattern); 732 733bool tomoyo_print_number_union(struct tomoyo_io_buffer *head, 734 const struct tomoyo_number_union *ptr); 735bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num); 736 737/* Read "alias" entry in exception policy. */ 738bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head); 739/* 740 * Read "initialize_domain" and "no_initialize_domain" entry 741 * in exception policy. 742 */ 743bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head); 744/* Read "keep_domain" and "no_keep_domain" entry in exception policy. */ 745bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head); 746/* Read "file_pattern" entry in exception policy. */ 747bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head); 748/* Read "path_group" entry in exception policy. */ 749bool tomoyo_read_path_group_policy(struct tomoyo_io_buffer *head); 750/* Read "number_group" entry in exception policy. */ 751bool tomoyo_read_number_group_policy(struct tomoyo_io_buffer *head); 752/* Read "allow_read" entry in exception policy. */ 753bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head); 754/* Read "deny_rewrite" entry in exception policy. */ 755bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head); 756/* Tokenize a line. */ 757bool tomoyo_tokenize(char *buffer, char *w[], size_t size); 758/* Write domain policy violation warning message to console? */ 759bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain); 760/* Convert double path operation to operation name. */ 761const char *tomoyo_path22keyword(const u8 operation); 762const char *tomoyo_path_number2keyword(const u8 operation); 763const char *tomoyo_path_number32keyword(const u8 operation); 764/* Get the last component of the given domainname. */ 765const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain); 766/* Convert single path operation to operation name. */ 767const char *tomoyo_path2keyword(const u8 operation); 768/* Fill "struct tomoyo_request_info". */ 769int tomoyo_init_request_info(struct tomoyo_request_info *r, 770 struct tomoyo_domain_info *domain); 771/* Check permission for mount operation. */ 772int tomoyo_mount_permission(char *dev_name, struct path *path, char *type, 773 unsigned long flags, void *data_page); 774/* Create "alias" entry in exception policy. */ 775int tomoyo_write_alias_policy(char *data, const bool is_delete); 776/* 777 * Create "initialize_domain" and "no_initialize_domain" entry 778 * in exception policy. 779 */ 780int tomoyo_write_domain_initializer_policy(char *data, const bool is_not, 781 const bool is_delete); 782/* Create "keep_domain" and "no_keep_domain" entry in exception policy. */ 783int tomoyo_write_domain_keeper_policy(char *data, const bool is_not, 784 const bool is_delete); 785/* 786 * Create "allow_read/write", "allow_execute", "allow_read", "allow_write", 787 * "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir", 788 * "allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar", 789 * "allow_truncate", "allow_symlink", "allow_rewrite", "allow_rename" and 790 * "allow_link" entry in domain policy. 791 */ 792int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, 793 const bool is_delete); 794/* Create "allow_read" entry in exception policy. */ 795int tomoyo_write_globally_readable_policy(char *data, const bool is_delete); 796/* Create "allow_mount" entry in domain policy. */ 797int tomoyo_write_mount_policy(char *data, struct tomoyo_domain_info *domain, 798 const bool is_delete); 799/* Create "deny_rewrite" entry in exception policy. */ 800int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete); 801/* Create "file_pattern" entry in exception policy. */ 802int tomoyo_write_pattern_policy(char *data, const bool is_delete); 803/* Create "path_group" entry in exception policy. */ 804int tomoyo_write_path_group_policy(char *data, const bool is_delete); 805int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 806 __attribute__ ((format(printf, 2, 3))); 807/* Create "number_group" entry in exception policy. */ 808int tomoyo_write_number_group_policy(char *data, const bool is_delete); 809/* Find a domain by the given name. */ 810struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); 811/* Find or create a domain by the given name. */ 812struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * 813 domainname, 814 const u8 profile); 815/* Allocate memory for "struct tomoyo_path_group". */ 816struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name); 817struct tomoyo_number_group *tomoyo_get_number_group(const char *group_name); 818 819/* Check mode for specified functionality. */ 820unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, 821 const u8 index); 822/* Fill in "struct tomoyo_path_info" members. */ 823void tomoyo_fill_path_info(struct tomoyo_path_info *ptr); 824/* Run policy loader when /sbin/init starts. */ 825void tomoyo_load_policy(const char *filename); 826 827void tomoyo_put_number_union(struct tomoyo_number_union *ptr); 828 829/* Convert binary string to ascii string. */ 830int tomoyo_encode(char *buffer, int buflen, const char *str); 831 832/* Returns realpath(3) of the given pathname but ignores chroot'ed root. */ 833int tomoyo_realpath_from_path2(struct path *path, char *newname, 834 int newname_len); 835 836/* 837 * Returns realpath(3) of the given pathname but ignores chroot'ed root. 838 * These functions use kzalloc(), so the caller must call kfree() 839 * if these functions didn't return NULL. 840 */ 841char *tomoyo_realpath(const char *pathname); 842/* 843 * Same with tomoyo_realpath() except that it doesn't follow the final symlink. 844 */ 845char *tomoyo_realpath_nofollow(const char *pathname); 846/* Same with tomoyo_realpath() except that the pathname is already solved. */ 847char *tomoyo_realpath_from_path(struct path *path); 848/* Get patterned pathname. */ 849const char *tomoyo_file_pattern(const struct tomoyo_path_info *filename); 850 851/* Check memory quota. */ 852bool tomoyo_memory_ok(void *ptr); 853void *tomoyo_commit_ok(void *data, const unsigned int size); 854 855/* 856 * Keep the given name on the RAM. 857 * The RAM is shared, so NEVER try to modify or kfree() the returned name. 858 */ 859const struct tomoyo_path_info *tomoyo_get_name(const char *name); 860 861/* Check for memory usage. */ 862int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head); 863 864/* Set memory quota. */ 865int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head); 866 867/* Initialize mm related code. */ 868void __init tomoyo_mm_init(void); 869int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, 870 const struct tomoyo_path_info *filename); 871int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 872 struct path *path, const int flag); 873int tomoyo_path_number_perm(const u8 operation, struct path *path, 874 unsigned long number); 875int tomoyo_path_number3_perm(const u8 operation, struct path *path, 876 const unsigned int mode, unsigned int dev); 877int tomoyo_path_perm(const u8 operation, struct path *path); 878int tomoyo_path2_perm(const u8 operation, struct path *path1, 879 struct path *path2); 880int tomoyo_find_next_domain(struct linux_binprm *bprm); 881 882void tomoyo_print_ulong(char *buffer, const int buffer_len, 883 const unsigned long value, const u8 type); 884 885/* Drop refcount on tomoyo_name_union. */ 886void tomoyo_put_name_union(struct tomoyo_name_union *ptr); 887 888/* Run garbage collector. */ 889void tomoyo_run_gc(void); 890 891void tomoyo_memory_free(void *ptr); 892 893/********** External variable definitions. **********/ 894 895/* Lock for GC. */ 896extern struct srcu_struct tomoyo_ss; 897 898/* The list for "struct tomoyo_domain_info". */ 899extern struct list_head tomoyo_domain_list; 900 901extern struct list_head tomoyo_path_group_list; 902extern struct list_head tomoyo_number_group_list; 903extern struct list_head tomoyo_domain_initializer_list; 904extern struct list_head tomoyo_domain_keeper_list; 905extern struct list_head tomoyo_alias_list; 906extern struct list_head tomoyo_globally_readable_list; 907extern struct list_head tomoyo_pattern_list; 908extern struct list_head tomoyo_no_rewrite_list; 909extern struct list_head tomoyo_policy_manager_list; 910extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; 911 912/* Lock for protecting policy. */ 913extern struct mutex tomoyo_policy_lock; 914 915/* Has /sbin/init started? */ 916extern bool tomoyo_policy_loaded; 917 918/* The kernel's domain. */ 919extern struct tomoyo_domain_info tomoyo_kernel_domain; 920 921extern unsigned int tomoyo_quota_for_query; 922extern unsigned int tomoyo_query_memory_size; 923 924/********** Inlined functions. **********/ 925 926static inline int tomoyo_read_lock(void) 927{ 928 return srcu_read_lock(&tomoyo_ss); 929} 930 931static inline void tomoyo_read_unlock(int idx) 932{ 933 srcu_read_unlock(&tomoyo_ss, idx); 934} 935 936/* strcmp() for "struct tomoyo_path_info" structure. */ 937static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a, 938 const struct tomoyo_path_info *b) 939{ 940 return a->hash != b->hash || strcmp(a->name, b->name); 941} 942 943/** 944 * tomoyo_is_valid - Check whether the character is a valid char. 945 * 946 * @c: The character to check. 947 * 948 * Returns true if @c is a valid character, false otherwise. 949 */ 950static inline bool tomoyo_is_valid(const unsigned char c) 951{ 952 return c > ' ' && c < 127; 953} 954 955/** 956 * tomoyo_is_invalid - Check whether the character is an invalid char. 957 * 958 * @c: The character to check. 959 * 960 * Returns true if @c is an invalid character, false otherwise. 961 */ 962static inline bool tomoyo_is_invalid(const unsigned char c) 963{ 964 return c && (c <= ' ' || c >= 127); 965} 966 967static inline void tomoyo_put_name(const struct tomoyo_path_info *name) 968{ 969 if (name) { 970 struct tomoyo_name_entry *ptr = 971 container_of(name, struct tomoyo_name_entry, entry); 972 atomic_dec(&ptr->users); 973 } 974} 975 976static inline void tomoyo_put_path_group(struct tomoyo_path_group *group) 977{ 978 if (group) 979 atomic_dec(&group->users); 980} 981 982static inline void tomoyo_put_number_group(struct tomoyo_number_group *group) 983{ 984 if (group) 985 atomic_dec(&group->users); 986} 987 988static inline struct tomoyo_domain_info *tomoyo_domain(void) 989{ 990 return current_cred()->security; 991} 992 993static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct 994 *task) 995{ 996 return task_cred_xxx(task, security); 997} 998 999static inline bool tomoyo_is_same_acl_head(const struct tomoyo_acl_info *p1, 1000 const struct tomoyo_acl_info *p2) 1001{ 1002 return p1->type == p2->type; 1003} 1004 1005static inline bool tomoyo_is_same_name_union 1006(const struct tomoyo_name_union *p1, const struct tomoyo_name_union *p2) 1007{ 1008 return p1->filename == p2->filename && p1->group == p2->group && 1009 p1->is_group == p2->is_group; 1010} 1011 1012static inline bool tomoyo_is_same_number_union 1013(const struct tomoyo_number_union *p1, const struct tomoyo_number_union *p2) 1014{ 1015 return p1->values[0] == p2->values[0] && p1->values[1] == p2->values[1] 1016 && p1->group == p2->group && p1->min_type == p2->min_type && 1017 p1->max_type == p2->max_type && p1->is_group == p2->is_group; 1018} 1019 1020static inline bool tomoyo_is_same_path_acl(const struct tomoyo_path_acl *p1, 1021 const struct tomoyo_path_acl *p2) 1022{ 1023 return tomoyo_is_same_acl_head(&p1->head, &p2->head) && 1024 tomoyo_is_same_name_union(&p1->name, &p2->name); 1025} 1026 1027static inline bool tomoyo_is_same_path_number3_acl 1028(const struct tomoyo_path_number3_acl *p1, 1029 const struct tomoyo_path_number3_acl *p2) 1030{ 1031 return tomoyo_is_same_acl_head(&p1->head, &p2->head) 1032 && tomoyo_is_same_name_union(&p1->name, &p2->name) 1033 && tomoyo_is_same_number_union(&p1->mode, &p2->mode) 1034 && tomoyo_is_same_number_union(&p1->major, &p2->major) 1035 && tomoyo_is_same_number_union(&p1->minor, &p2->minor); 1036} 1037 1038 1039static inline bool tomoyo_is_same_path2_acl(const struct tomoyo_path2_acl *p1, 1040 const struct tomoyo_path2_acl *p2) 1041{ 1042 return tomoyo_is_same_acl_head(&p1->head, &p2->head) && 1043 tomoyo_is_same_name_union(&p1->name1, &p2->name1) && 1044 tomoyo_is_same_name_union(&p1->name2, &p2->name2); 1045} 1046 1047static inline bool tomoyo_is_same_path_number_acl 1048(const struct tomoyo_path_number_acl *p1, 1049 const struct tomoyo_path_number_acl *p2) 1050{ 1051 return tomoyo_is_same_acl_head(&p1->head, &p2->head) 1052 && tomoyo_is_same_name_union(&p1->name, &p2->name) 1053 && tomoyo_is_same_number_union(&p1->number, &p2->number); 1054} 1055 1056static inline bool tomoyo_is_same_mount_acl(const struct tomoyo_mount_acl *p1, 1057 const struct tomoyo_mount_acl *p2) 1058{ 1059 return tomoyo_is_same_acl_head(&p1->head, &p2->head) && 1060 tomoyo_is_same_name_union(&p1->dev_name, &p2->dev_name) && 1061 tomoyo_is_same_name_union(&p1->dir_name, &p2->dir_name) && 1062 tomoyo_is_same_name_union(&p1->fs_type, &p2->fs_type) && 1063 tomoyo_is_same_number_union(&p1->flags, &p2->flags); 1064} 1065 1066static inline bool tomoyo_is_same_domain_initializer_entry 1067(const struct tomoyo_domain_initializer_entry *p1, 1068 const struct tomoyo_domain_initializer_entry *p2) 1069{ 1070 return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name 1071 && p1->domainname == p2->domainname 1072 && p1->program == p2->program; 1073} 1074 1075static inline bool tomoyo_is_same_domain_keeper_entry 1076(const struct tomoyo_domain_keeper_entry *p1, 1077 const struct tomoyo_domain_keeper_entry *p2) 1078{ 1079 return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name 1080 && p1->domainname == p2->domainname 1081 && p1->program == p2->program; 1082} 1083 1084static inline bool tomoyo_is_same_alias_entry 1085(const struct tomoyo_alias_entry *p1, const struct tomoyo_alias_entry *p2) 1086{ 1087 return p1->original_name == p2->original_name && 1088 p1->aliased_name == p2->aliased_name; 1089} 1090 1091/** 1092 * list_for_each_cookie - iterate over a list with cookie. 1093 * @pos: the &struct list_head to use as a loop cursor. 1094 * @cookie: the &struct list_head to use as a cookie. 1095 * @head: the head for your list. 1096 * 1097 * Same with list_for_each_rcu() except that this primitive uses @cookie 1098 * so that we can continue iteration. 1099 * @cookie must be NULL when iteration starts, and @cookie will become 1100 * NULL when iteration finishes. 1101 */ 1102#define list_for_each_cookie(pos, cookie, head) \ 1103 for (({ if (!cookie) \ 1104 cookie = head; }), \ 1105 pos = rcu_dereference((cookie)->next); \ 1106 prefetch(pos->next), pos != (head) || ((cookie) = NULL); \ 1107 (cookie) = pos, pos = rcu_dereference(pos->next)) 1108 1109#endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */ 1110