common.h revision b5bc60b4ce313b6dbb42e7d32915dcf0a07c2a68
1/* 2 * security/tomoyo/common.h 3 * 4 * Header file for TOMOYO. 5 * 6 * Copyright (C) 2005-2010 NTT DATA CORPORATION 7 */ 8 9#ifndef _SECURITY_TOMOYO_COMMON_H 10#define _SECURITY_TOMOYO_COMMON_H 11 12#include <linux/ctype.h> 13#include <linux/string.h> 14#include <linux/mm.h> 15#include <linux/file.h> 16#include <linux/kmod.h> 17#include <linux/fs.h> 18#include <linux/sched.h> 19#include <linux/namei.h> 20#include <linux/mount.h> 21#include <linux/list.h> 22#include <linux/cred.h> 23#include <linux/poll.h> 24struct linux_binprm; 25 26/********** Constants definitions. **********/ 27 28/* 29 * TOMOYO uses this hash only when appending a string into the string 30 * table. Frequency of appending strings is very low. So we don't need 31 * large (e.g. 64k) hash size. 256 will be sufficient. 32 */ 33#define TOMOYO_HASH_BITS 8 34#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS) 35 36#define TOMOYO_EXEC_TMPSIZE 4096 37 38/* Profile number is an integer between 0 and 255. */ 39#define TOMOYO_MAX_PROFILES 256 40 41/* Index numbers for operation mode. */ 42enum tomoyo_mode_index { 43 TOMOYO_CONFIG_DISABLED, 44 TOMOYO_CONFIG_LEARNING, 45 TOMOYO_CONFIG_PERMISSIVE, 46 TOMOYO_CONFIG_ENFORCING, 47 TOMOYO_CONFIG_USE_DEFAULT = 255 48}; 49 50/* Index numbers for entry type. */ 51enum tomoyo_policy_id { 52 TOMOYO_ID_GROUP, 53 TOMOYO_ID_PATH_GROUP, 54 TOMOYO_ID_NUMBER_GROUP, 55 TOMOYO_ID_TRANSITION_CONTROL, 56 TOMOYO_ID_AGGREGATOR, 57 TOMOYO_ID_MANAGER, 58 TOMOYO_ID_NAME, 59 TOMOYO_ID_ACL, 60 TOMOYO_ID_DOMAIN, 61 TOMOYO_MAX_POLICY 62}; 63 64/* Index numbers for group entries. */ 65enum tomoyo_group_id { 66 TOMOYO_PATH_GROUP, 67 TOMOYO_NUMBER_GROUP, 68 TOMOYO_MAX_GROUP 69}; 70 71/* A domain definition starts with <kernel>. */ 72#define TOMOYO_ROOT_NAME "<kernel>" 73#define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1) 74 75/* Index numbers for type of numeric values. */ 76enum tomoyo_value_type { 77 TOMOYO_VALUE_TYPE_INVALID, 78 TOMOYO_VALUE_TYPE_DECIMAL, 79 TOMOYO_VALUE_TYPE_OCTAL, 80 TOMOYO_VALUE_TYPE_HEXADECIMAL, 81}; 82 83/* Index numbers for domain transition control keywords. */ 84enum tomoyo_transition_type { 85 /* Do not change this order, */ 86 TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE, 87 TOMOYO_TRANSITION_CONTROL_INITIALIZE, 88 TOMOYO_TRANSITION_CONTROL_NO_KEEP, 89 TOMOYO_TRANSITION_CONTROL_KEEP, 90 TOMOYO_MAX_TRANSITION_TYPE 91}; 92 93/* Index numbers for Access Controls. */ 94enum tomoyo_acl_entry_type_index { 95 TOMOYO_TYPE_PATH_ACL, 96 TOMOYO_TYPE_PATH2_ACL, 97 TOMOYO_TYPE_PATH_NUMBER_ACL, 98 TOMOYO_TYPE_MKDEV_ACL, 99 TOMOYO_TYPE_MOUNT_ACL, 100}; 101 102/* Index numbers for access controls with one pathname. */ 103enum tomoyo_path_acl_index { 104 TOMOYO_TYPE_EXECUTE, 105 TOMOYO_TYPE_READ, 106 TOMOYO_TYPE_WRITE, 107 TOMOYO_TYPE_APPEND, 108 TOMOYO_TYPE_UNLINK, 109 TOMOYO_TYPE_GETATTR, 110 TOMOYO_TYPE_RMDIR, 111 TOMOYO_TYPE_TRUNCATE, 112 TOMOYO_TYPE_SYMLINK, 113 TOMOYO_TYPE_CHROOT, 114 TOMOYO_TYPE_UMOUNT, 115 TOMOYO_MAX_PATH_OPERATION 116}; 117 118enum tomoyo_mkdev_acl_index { 119 TOMOYO_TYPE_MKBLOCK, 120 TOMOYO_TYPE_MKCHAR, 121 TOMOYO_MAX_MKDEV_OPERATION 122}; 123 124/* Index numbers for access controls with two pathnames. */ 125enum tomoyo_path2_acl_index { 126 TOMOYO_TYPE_LINK, 127 TOMOYO_TYPE_RENAME, 128 TOMOYO_TYPE_PIVOT_ROOT, 129 TOMOYO_MAX_PATH2_OPERATION 130}; 131 132/* Index numbers for access controls with one pathname and one number. */ 133enum tomoyo_path_number_acl_index { 134 TOMOYO_TYPE_CREATE, 135 TOMOYO_TYPE_MKDIR, 136 TOMOYO_TYPE_MKFIFO, 137 TOMOYO_TYPE_MKSOCK, 138 TOMOYO_TYPE_IOCTL, 139 TOMOYO_TYPE_CHMOD, 140 TOMOYO_TYPE_CHOWN, 141 TOMOYO_TYPE_CHGRP, 142 TOMOYO_MAX_PATH_NUMBER_OPERATION 143}; 144 145/* Index numbers for /sys/kernel/security/tomoyo/ interfaces. */ 146enum tomoyo_securityfs_interface_index { 147 TOMOYO_DOMAINPOLICY, 148 TOMOYO_EXCEPTIONPOLICY, 149 TOMOYO_DOMAIN_STATUS, 150 TOMOYO_PROCESS_STATUS, 151 TOMOYO_MEMINFO, 152 TOMOYO_SELFDOMAIN, 153 TOMOYO_VERSION, 154 TOMOYO_PROFILE, 155 TOMOYO_QUERY, 156 TOMOYO_MANAGER 157}; 158 159/* Index numbers for special mount operations. */ 160enum tomoyo_special_mount { 161 TOMOYO_MOUNT_BIND, /* mount --bind /source /dest */ 162 TOMOYO_MOUNT_MOVE, /* mount --move /old /new */ 163 TOMOYO_MOUNT_REMOUNT, /* mount -o remount /dir */ 164 TOMOYO_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */ 165 TOMOYO_MOUNT_MAKE_PRIVATE, /* mount --make-private /dir */ 166 TOMOYO_MOUNT_MAKE_SLAVE, /* mount --make-slave /dir */ 167 TOMOYO_MOUNT_MAKE_SHARED, /* mount --make-shared /dir */ 168 TOMOYO_MAX_SPECIAL_MOUNT 169}; 170 171/* Index numbers for functionality. */ 172enum tomoyo_mac_index { 173 TOMOYO_MAC_FILE_EXECUTE, 174 TOMOYO_MAC_FILE_OPEN, 175 TOMOYO_MAC_FILE_CREATE, 176 TOMOYO_MAC_FILE_UNLINK, 177 TOMOYO_MAC_FILE_GETATTR, 178 TOMOYO_MAC_FILE_MKDIR, 179 TOMOYO_MAC_FILE_RMDIR, 180 TOMOYO_MAC_FILE_MKFIFO, 181 TOMOYO_MAC_FILE_MKSOCK, 182 TOMOYO_MAC_FILE_TRUNCATE, 183 TOMOYO_MAC_FILE_SYMLINK, 184 TOMOYO_MAC_FILE_MKBLOCK, 185 TOMOYO_MAC_FILE_MKCHAR, 186 TOMOYO_MAC_FILE_LINK, 187 TOMOYO_MAC_FILE_RENAME, 188 TOMOYO_MAC_FILE_CHMOD, 189 TOMOYO_MAC_FILE_CHOWN, 190 TOMOYO_MAC_FILE_CHGRP, 191 TOMOYO_MAC_FILE_IOCTL, 192 TOMOYO_MAC_FILE_CHROOT, 193 TOMOYO_MAC_FILE_MOUNT, 194 TOMOYO_MAC_FILE_UMOUNT, 195 TOMOYO_MAC_FILE_PIVOT_ROOT, 196 TOMOYO_MAX_MAC_INDEX 197}; 198 199/* Index numbers for category of functionality. */ 200enum tomoyo_mac_category_index { 201 TOMOYO_MAC_CATEGORY_FILE, 202 TOMOYO_MAX_MAC_CATEGORY_INDEX 203}; 204 205/* 206 * Retry this request. Returned by tomoyo_supervisor() if policy violation has 207 * occurred in enforcing mode and the userspace daemon decided to retry. 208 * 209 * We must choose a positive value in order to distinguish "granted" (which is 210 * 0) and "rejected" (which is a negative value) and "retry". 211 */ 212#define TOMOYO_RETRY_REQUEST 1 213 214/********** Structure definitions. **********/ 215 216/* Common header for holding ACL entries. */ 217struct tomoyo_acl_head { 218 struct list_head list; 219 bool is_deleted; 220} __packed; 221 222/* Structure for request info. */ 223struct tomoyo_request_info { 224 struct tomoyo_domain_info *domain; 225 /* For holding parameters. */ 226 union { 227 struct { 228 const struct tomoyo_path_info *filename; 229 /* For using wildcards at tomoyo_find_next_domain(). */ 230 const struct tomoyo_path_info *matched_path; 231 /* One of values in "enum tomoyo_path_acl_index". */ 232 u8 operation; 233 } path; 234 struct { 235 const struct tomoyo_path_info *filename1; 236 const struct tomoyo_path_info *filename2; 237 /* One of values in "enum tomoyo_path2_acl_index". */ 238 u8 operation; 239 } path2; 240 struct { 241 const struct tomoyo_path_info *filename; 242 unsigned int mode; 243 unsigned int major; 244 unsigned int minor; 245 /* One of values in "enum tomoyo_mkdev_acl_index". */ 246 u8 operation; 247 } mkdev; 248 struct { 249 const struct tomoyo_path_info *filename; 250 unsigned long number; 251 /* 252 * One of values in 253 * "enum tomoyo_path_number_acl_index". 254 */ 255 u8 operation; 256 } path_number; 257 struct { 258 const struct tomoyo_path_info *type; 259 const struct tomoyo_path_info *dir; 260 const struct tomoyo_path_info *dev; 261 unsigned long flags; 262 int need_dev; 263 } mount; 264 } param; 265 u8 param_type; 266 bool granted; 267 u8 retry; 268 u8 profile; 269 u8 mode; /* One of tomoyo_mode_index . */ 270 u8 type; 271}; 272 273/* Structure for holding a token. */ 274struct tomoyo_path_info { 275 const char *name; 276 u32 hash; /* = full_name_hash(name, strlen(name)) */ 277 u16 const_len; /* = tomoyo_const_part_length(name) */ 278 bool is_dir; /* = tomoyo_strendswith(name, "/") */ 279 bool is_patterned; /* = tomoyo_path_contains_pattern(name) */ 280}; 281 282/* Structure for holding string data. */ 283struct tomoyo_name { 284 struct list_head list; 285 atomic_t users; 286 struct tomoyo_path_info entry; 287}; 288 289/* Structure for holding a word. */ 290struct tomoyo_name_union { 291 /* Either @filename or @group is NULL. */ 292 const struct tomoyo_path_info *filename; 293 struct tomoyo_group *group; 294 /* True if @group != NULL, false if @filename != NULL. */ 295 u8 is_group; 296}; 297 298/* Structure for holding a number. */ 299struct tomoyo_number_union { 300 unsigned long values[2]; 301 struct tomoyo_group *group; /* Maybe NULL. */ 302 /* One of values in "enum tomoyo_value_type". */ 303 u8 min_type; 304 u8 max_type; 305 /* True if @group != NULL, false otherwise. */ 306 u8 is_group; 307}; 308 309/* Structure for "path_group"/"number_group" directive. */ 310struct tomoyo_group { 311 struct list_head list; 312 const struct tomoyo_path_info *group_name; 313 struct list_head member_list; 314 atomic_t users; 315}; 316 317/* Structure for "path_group" directive. */ 318struct tomoyo_path_group { 319 struct tomoyo_acl_head head; 320 const struct tomoyo_path_info *member_name; 321}; 322 323/* Structure for "number_group" directive. */ 324struct tomoyo_number_group { 325 struct tomoyo_acl_head head; 326 struct tomoyo_number_union number; 327}; 328 329/* Common header for individual entries. */ 330struct tomoyo_acl_info { 331 struct list_head list; 332 bool is_deleted; 333 u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */ 334} __packed; 335 336/* Structure for domain information. */ 337struct tomoyo_domain_info { 338 struct list_head list; 339 struct list_head acl_info_list; 340 /* Name of this domain. Never NULL. */ 341 const struct tomoyo_path_info *domainname; 342 u8 profile; /* Profile number to use. */ 343 bool is_deleted; /* Delete flag. */ 344 bool quota_warned; /* Quota warnning flag. */ 345 bool transition_failed; /* Domain transition failed flag. */ 346 atomic_t users; /* Number of referring credentials. */ 347}; 348 349/* 350 * Structure for "file execute", "file read", "file write", "file append", 351 * "file unlink", "file getattr", "file rmdir", "file truncate", 352 * "file symlink", "file chroot" and "file unmount" directive. 353 */ 354struct tomoyo_path_acl { 355 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */ 356 u16 perm; /* Bitmask of values in "enum tomoyo_path_acl_index". */ 357 struct tomoyo_name_union name; 358}; 359 360/* 361 * Structure for "file create", "file mkdir", "file mkfifo", "file mksock", 362 * "file ioctl", "file chmod", "file chown" and "file chgrp" directive. 363 */ 364struct tomoyo_path_number_acl { 365 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_NUMBER_ACL */ 366 /* Bitmask of values in "enum tomoyo_path_number_acl_index". */ 367 u8 perm; 368 struct tomoyo_name_union name; 369 struct tomoyo_number_union number; 370}; 371 372/* Structure for "file mkblock" and "file mkchar" directive. */ 373struct tomoyo_mkdev_acl { 374 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MKDEV_ACL */ 375 u8 perm; /* Bitmask of values in "enum tomoyo_mkdev_acl_index". */ 376 struct tomoyo_name_union name; 377 struct tomoyo_number_union mode; 378 struct tomoyo_number_union major; 379 struct tomoyo_number_union minor; 380}; 381 382/* 383 * Structure for "file rename", "file link" and "file pivot_root" directive. 384 */ 385struct tomoyo_path2_acl { 386 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */ 387 u8 perm; /* Bitmask of values in "enum tomoyo_path2_acl_index". */ 388 struct tomoyo_name_union name1; 389 struct tomoyo_name_union name2; 390}; 391 392/* Structure for "file mount" directive. */ 393struct tomoyo_mount_acl { 394 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MOUNT_ACL */ 395 struct tomoyo_name_union dev_name; 396 struct tomoyo_name_union dir_name; 397 struct tomoyo_name_union fs_type; 398 struct tomoyo_number_union flags; 399}; 400 401#define TOMOYO_MAX_IO_READ_QUEUE 32 402 403/* 404 * Structure for reading/writing policy via /sys/kernel/security/tomoyo 405 * interfaces. 406 */ 407struct tomoyo_io_buffer { 408 void (*read) (struct tomoyo_io_buffer *); 409 int (*write) (struct tomoyo_io_buffer *); 410 int (*poll) (struct file *file, poll_table *wait); 411 /* Exclusive lock for this structure. */ 412 struct mutex io_sem; 413 /* Index returned by tomoyo_read_lock(). */ 414 int reader_idx; 415 char __user *read_user_buf; 416 int read_user_buf_avail; 417 struct { 418 struct list_head *domain; 419 struct list_head *group; 420 struct list_head *acl; 421 int avail; 422 int step; 423 int query_index; 424 u16 index; 425 u8 bit; 426 u8 w_pos; 427 bool eof; 428 bool print_this_domain_only; 429 bool print_execute_only; 430 const char *w[TOMOYO_MAX_IO_READ_QUEUE]; 431 } r; 432 /* The position currently writing to. */ 433 struct tomoyo_domain_info *write_var1; 434 /* Buffer for reading. */ 435 char *read_buf; 436 /* Size of read buffer. */ 437 int readbuf_size; 438 /* Buffer for writing. */ 439 char *write_buf; 440 /* Bytes available for writing. */ 441 int write_avail; 442 /* Size of write buffer. */ 443 int writebuf_size; 444 /* Type of this interface. */ 445 u8 type; 446}; 447 448/* 449 * Structure for "initialize_domain"/"no_initialize_domain"/"keep_domain"/ 450 * "no_keep_domain" keyword. 451 */ 452struct tomoyo_transition_control { 453 struct tomoyo_acl_head head; 454 u8 type; /* One of values in "enum tomoyo_transition_type". */ 455 /* True if the domainname is tomoyo_get_last_name(). */ 456 bool is_last_name; 457 const struct tomoyo_path_info *domainname; /* Maybe NULL */ 458 const struct tomoyo_path_info *program; /* Maybe NULL */ 459}; 460 461/* Structure for "aggregator" keyword. */ 462struct tomoyo_aggregator { 463 struct tomoyo_acl_head head; 464 const struct tomoyo_path_info *original_name; 465 const struct tomoyo_path_info *aggregated_name; 466}; 467 468/* Structure for policy manager. */ 469struct tomoyo_manager { 470 struct tomoyo_acl_head head; 471 bool is_domain; /* True if manager is a domainname. */ 472 /* A path to program or a domainname. */ 473 const struct tomoyo_path_info *manager; 474}; 475 476struct tomoyo_preference { 477 unsigned int learning_max_entry; 478 bool enforcing_verbose; 479 bool learning_verbose; 480 bool permissive_verbose; 481}; 482 483/* Structure for /sys/kernel/security/tomnoyo/profile interface. */ 484struct tomoyo_profile { 485 const struct tomoyo_path_info *comment; 486 struct tomoyo_preference *learning; 487 struct tomoyo_preference *permissive; 488 struct tomoyo_preference *enforcing; 489 struct tomoyo_preference preference; 490 u8 default_config; 491 u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX]; 492}; 493 494/********** Function prototypes. **********/ 495 496bool tomoyo_str_starts(char **src, const char *find); 497const char *tomoyo_get_exe(void); 498void tomoyo_normalize_line(unsigned char *buffer); 499void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...) 500 __attribute__ ((format(printf, 2, 3))); 501void tomoyo_check_profile(void); 502int tomoyo_open_control(const u8 type, struct file *file); 503int tomoyo_close_control(struct file *file); 504int tomoyo_poll_control(struct file *file, poll_table *wait); 505int tomoyo_read_control(struct file *file, char __user *buffer, 506 const int buffer_len); 507int tomoyo_write_control(struct file *file, const char __user *buffer, 508 const int buffer_len); 509bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r); 510void tomoyo_warn_oom(const char *function); 511const struct tomoyo_path_info * 512tomoyo_compare_name_union(const struct tomoyo_path_info *name, 513 const struct tomoyo_name_union *ptr); 514bool tomoyo_compare_number_union(const unsigned long value, 515 const struct tomoyo_number_union *ptr); 516int tomoyo_get_mode(const u8 profile, const u8 index); 517void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 518 __attribute__ ((format(printf, 2, 3))); 519bool tomoyo_correct_domain(const unsigned char *domainname); 520bool tomoyo_correct_path(const char *filename); 521bool tomoyo_correct_word(const char *string); 522bool tomoyo_domain_def(const unsigned char *buffer); 523bool tomoyo_parse_name_union(const char *filename, 524 struct tomoyo_name_union *ptr); 525const struct tomoyo_path_info * 526tomoyo_path_matches_group(const struct tomoyo_path_info *pathname, 527 const struct tomoyo_group *group); 528bool tomoyo_number_matches_group(const unsigned long min, 529 const unsigned long max, 530 const struct tomoyo_group *group); 531bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, 532 const struct tomoyo_path_info *pattern); 533bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num); 534bool tomoyo_tokenize(char *buffer, char *w[], size_t size); 535bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain); 536int tomoyo_init_request_info(struct tomoyo_request_info *r, 537 struct tomoyo_domain_info *domain, 538 const u8 index); 539int tomoyo_mount_permission(char *dev_name, struct path *path, 540 const char *type, unsigned long flags, 541 void *data_page); 542int tomoyo_write_aggregator(char *data, const bool is_delete); 543int tomoyo_write_transition_control(char *data, const bool is_delete, 544 const u8 type); 545int tomoyo_write_file(char *data, struct tomoyo_domain_info *domain, 546 const bool is_delete); 547int tomoyo_write_mount(char *data, struct tomoyo_domain_info *domain, 548 const bool is_delete); 549int tomoyo_write_group(char *data, const bool is_delete, const u8 type); 550int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 551 __attribute__ ((format(printf, 2, 3))); 552struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); 553struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname, 554 const u8 profile); 555struct tomoyo_profile *tomoyo_profile(const u8 profile); 556struct tomoyo_group *tomoyo_get_group(const char *group_name, const u8 type); 557unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, 558 const u8 index); 559void tomoyo_fill_path_info(struct tomoyo_path_info *ptr); 560void tomoyo_load_policy(const char *filename); 561void tomoyo_put_number_union(struct tomoyo_number_union *ptr); 562char *tomoyo_encode(const char *str); 563char *tomoyo_realpath_nofollow(const char *pathname); 564char *tomoyo_realpath_from_path(struct path *path); 565bool tomoyo_memory_ok(void *ptr); 566void *tomoyo_commit_ok(void *data, const unsigned int size); 567const struct tomoyo_path_info *tomoyo_get_name(const char *name); 568void tomoyo_read_memory_counter(struct tomoyo_io_buffer *head); 569int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head); 570void __init tomoyo_mm_init(void); 571int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation, 572 const struct tomoyo_path_info *filename); 573int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 574 struct path *path, const int flag); 575int tomoyo_path_number_perm(const u8 operation, struct path *path, 576 unsigned long number); 577int tomoyo_mkdev_perm(const u8 operation, struct path *path, 578 const unsigned int mode, unsigned int dev); 579int tomoyo_path_perm(const u8 operation, struct path *path); 580int tomoyo_path2_perm(const u8 operation, struct path *path1, 581 struct path *path2); 582int tomoyo_find_next_domain(struct linux_binprm *bprm); 583void tomoyo_print_ulong(char *buffer, const int buffer_len, 584 const unsigned long value, const u8 type); 585void tomoyo_put_name_union(struct tomoyo_name_union *ptr); 586void tomoyo_run_gc(void); 587void tomoyo_memory_free(void *ptr); 588int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size, 589 bool is_delete, struct tomoyo_domain_info *domain, 590 bool (*check_duplicate) (const struct tomoyo_acl_info 591 *, 592 const struct tomoyo_acl_info 593 *), 594 bool (*merge_duplicate) (struct tomoyo_acl_info *, 595 struct tomoyo_acl_info *, 596 const bool)); 597int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size, 598 bool is_delete, struct list_head *list, 599 bool (*check_duplicate) (const struct tomoyo_acl_head 600 *, 601 const struct tomoyo_acl_head 602 *)); 603void tomoyo_check_acl(struct tomoyo_request_info *r, 604 bool (*check_entry) (struct tomoyo_request_info *, 605 const struct tomoyo_acl_info *)); 606 607/********** External variable definitions. **********/ 608 609/* Lock for GC. */ 610extern struct srcu_struct tomoyo_ss; 611 612/* The list for "struct tomoyo_domain_info". */ 613extern struct list_head tomoyo_domain_list; 614 615extern struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY]; 616extern struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP]; 617extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; 618 619/* Lock for protecting policy. */ 620extern struct mutex tomoyo_policy_lock; 621 622/* Has /sbin/init started? */ 623extern bool tomoyo_policy_loaded; 624 625/* The kernel's domain. */ 626extern struct tomoyo_domain_info tomoyo_kernel_domain; 627 628extern const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION]; 629extern const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION]; 630extern const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION]; 631extern const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION]; 632 633extern unsigned int tomoyo_quota_for_query; 634extern unsigned int tomoyo_query_memory_size; 635 636/********** Inlined functions. **********/ 637 638/** 639 * tomoyo_read_lock - Take lock for protecting policy. 640 * 641 * Returns index number for tomoyo_read_unlock(). 642 */ 643static inline int tomoyo_read_lock(void) 644{ 645 return srcu_read_lock(&tomoyo_ss); 646} 647 648/** 649 * tomoyo_read_unlock - Release lock for protecting policy. 650 * 651 * @idx: Index number returned by tomoyo_read_lock(). 652 * 653 * Returns nothing. 654 */ 655static inline void tomoyo_read_unlock(int idx) 656{ 657 srcu_read_unlock(&tomoyo_ss, idx); 658} 659 660/** 661 * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure. 662 * 663 * @a: Pointer to "struct tomoyo_path_info". 664 * @b: Pointer to "struct tomoyo_path_info". 665 * 666 * Returns true if @a == @b, false otherwise. 667 */ 668static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a, 669 const struct tomoyo_path_info *b) 670{ 671 return a->hash != b->hash || strcmp(a->name, b->name); 672} 673 674/** 675 * tomoyo_valid - Check whether the character is a valid char. 676 * 677 * @c: The character to check. 678 * 679 * Returns true if @c is a valid character, false otherwise. 680 */ 681static inline bool tomoyo_valid(const unsigned char c) 682{ 683 return c > ' ' && c < 127; 684} 685 686/** 687 * tomoyo_invalid - Check whether the character is an invalid char. 688 * 689 * @c: The character to check. 690 * 691 * Returns true if @c is an invalid character, false otherwise. 692 */ 693static inline bool tomoyo_invalid(const unsigned char c) 694{ 695 return c && (c <= ' ' || c >= 127); 696} 697 698/** 699 * tomoyo_put_name - Drop reference on "struct tomoyo_name". 700 * 701 * @name: Pointer to "struct tomoyo_path_info". Maybe NULL. 702 * 703 * Returns nothing. 704 */ 705static inline void tomoyo_put_name(const struct tomoyo_path_info *name) 706{ 707 if (name) { 708 struct tomoyo_name *ptr = 709 container_of(name, typeof(*ptr), entry); 710 atomic_dec(&ptr->users); 711 } 712} 713 714/** 715 * tomoyo_put_group - Drop reference on "struct tomoyo_group". 716 * 717 * @group: Pointer to "struct tomoyo_group". Maybe NULL. 718 * 719 * Returns nothing. 720 */ 721static inline void tomoyo_put_group(struct tomoyo_group *group) 722{ 723 if (group) 724 atomic_dec(&group->users); 725} 726 727/** 728 * tomoyo_domain - Get "struct tomoyo_domain_info" for current thread. 729 * 730 * Returns pointer to "struct tomoyo_domain_info" for current thread. 731 */ 732static inline struct tomoyo_domain_info *tomoyo_domain(void) 733{ 734 return current_cred()->security; 735} 736 737/** 738 * tomoyo_real_domain - Get "struct tomoyo_domain_info" for specified thread. 739 * 740 * @task: Pointer to "struct task_struct". 741 * 742 * Returns pointer to "struct tomoyo_security" for specified thread. 743 */ 744static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct 745 *task) 746{ 747 return task_cred_xxx(task, security); 748} 749 750static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *p1, 751 const struct tomoyo_acl_info *p2) 752{ 753 return p1->type == p2->type; 754} 755 756/** 757 * tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry. 758 * 759 * @a: Pointer to "struct tomoyo_name_union". 760 * @b: Pointer to "struct tomoyo_name_union". 761 * 762 * Returns true if @a == @b, false otherwise. 763 */ 764static inline bool tomoyo_same_name_union 765(const struct tomoyo_name_union *a, const struct tomoyo_name_union *b) 766{ 767 return a->filename == b->filename && a->group == b->group && 768 a->is_group == b->is_group; 769} 770 771/** 772 * tomoyo_same_number_union - Check for duplicated "struct tomoyo_number_union" entry. 773 * 774 * @a: Pointer to "struct tomoyo_number_union". 775 * @b: Pointer to "struct tomoyo_number_union". 776 * 777 * Returns true if @a == @b, false otherwise. 778 */ 779static inline bool tomoyo_same_number_union 780(const struct tomoyo_number_union *a, const struct tomoyo_number_union *b) 781{ 782 return a->values[0] == b->values[0] && a->values[1] == b->values[1] && 783 a->group == b->group && a->min_type == b->min_type && 784 a->max_type == b->max_type && a->is_group == b->is_group; 785} 786 787/** 788 * list_for_each_cookie - iterate over a list with cookie. 789 * @pos: the &struct list_head to use as a loop cursor. 790 * @head: the head for your list. 791 */ 792#define list_for_each_cookie(pos, head) \ 793 if (!pos) \ 794 pos = srcu_dereference((head)->next, &tomoyo_ss); \ 795 for ( ; pos != (head); pos = srcu_dereference(pos->next, &tomoyo_ss)) 796 797#endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */ 798