common.h revision b5bc60b4ce313b6dbb42e7d32915dcf0a07c2a68 
1/*
2 * security/tomoyo/common.h
3 *
4 * Header file for TOMOYO.
5 *
6 * Copyright (C) 2005-2010  NTT DATA CORPORATION
7 */
8
9#ifndef _SECURITY_TOMOYO_COMMON_H
10#define _SECURITY_TOMOYO_COMMON_H
11
12#include <linux/ctype.h>
13#include <linux/string.h>
14#include <linux/mm.h>
15#include <linux/file.h>
16#include <linux/kmod.h>
17#include <linux/fs.h>
18#include <linux/sched.h>
19#include <linux/namei.h>
20#include <linux/mount.h>
21#include <linux/list.h>
22#include <linux/cred.h>
23#include <linux/poll.h>
24struct linux_binprm;
25
26/********** Constants definitions. **********/
27
28/*
29 * TOMOYO uses this hash only when appending a string into the string
30 * table. Frequency of appending strings is very low. So we don't need
31 * large (e.g. 64k) hash size. 256 will be sufficient.
32 */
33#define TOMOYO_HASH_BITS  8
34#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
35
36#define TOMOYO_EXEC_TMPSIZE     4096
37
38/* Profile number is an integer between 0 and 255. */
39#define TOMOYO_MAX_PROFILES 256
40
41/* Index numbers for operation mode. */
42enum tomoyo_mode_index {
43	TOMOYO_CONFIG_DISABLED,
44	TOMOYO_CONFIG_LEARNING,
45	TOMOYO_CONFIG_PERMISSIVE,
46	TOMOYO_CONFIG_ENFORCING,
47	TOMOYO_CONFIG_USE_DEFAULT = 255
48};
49
50/* Index numbers for entry type. */
51enum tomoyo_policy_id {
52	TOMOYO_ID_GROUP,
53	TOMOYO_ID_PATH_GROUP,
54	TOMOYO_ID_NUMBER_GROUP,
55	TOMOYO_ID_TRANSITION_CONTROL,
56	TOMOYO_ID_AGGREGATOR,
57	TOMOYO_ID_MANAGER,
58	TOMOYO_ID_NAME,
59	TOMOYO_ID_ACL,
60	TOMOYO_ID_DOMAIN,
61	TOMOYO_MAX_POLICY
62};
63
64/* Index numbers for group entries. */
65enum tomoyo_group_id {
66	TOMOYO_PATH_GROUP,
67	TOMOYO_NUMBER_GROUP,
68	TOMOYO_MAX_GROUP
69};
70
71/* A domain definition starts with <kernel>. */
72#define TOMOYO_ROOT_NAME                         "<kernel>"
73#define TOMOYO_ROOT_NAME_LEN                     (sizeof(TOMOYO_ROOT_NAME) - 1)
74
75/* Index numbers for type of numeric values. */
76enum tomoyo_value_type {
77	TOMOYO_VALUE_TYPE_INVALID,
78	TOMOYO_VALUE_TYPE_DECIMAL,
79	TOMOYO_VALUE_TYPE_OCTAL,
80	TOMOYO_VALUE_TYPE_HEXADECIMAL,
81};
82
83/* Index numbers for domain transition control keywords. */
84enum tomoyo_transition_type {
85	/* Do not change this order, */
86	TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE,
87	TOMOYO_TRANSITION_CONTROL_INITIALIZE,
88	TOMOYO_TRANSITION_CONTROL_NO_KEEP,
89	TOMOYO_TRANSITION_CONTROL_KEEP,
90	TOMOYO_MAX_TRANSITION_TYPE
91};
92
93/* Index numbers for Access Controls. */
94enum tomoyo_acl_entry_type_index {
95	TOMOYO_TYPE_PATH_ACL,
96	TOMOYO_TYPE_PATH2_ACL,
97	TOMOYO_TYPE_PATH_NUMBER_ACL,
98	TOMOYO_TYPE_MKDEV_ACL,
99	TOMOYO_TYPE_MOUNT_ACL,
100};
101
102/* Index numbers for access controls with one pathname. */
103enum tomoyo_path_acl_index {
104	TOMOYO_TYPE_EXECUTE,
105	TOMOYO_TYPE_READ,
106	TOMOYO_TYPE_WRITE,
107	TOMOYO_TYPE_APPEND,
108	TOMOYO_TYPE_UNLINK,
109	TOMOYO_TYPE_GETATTR,
110	TOMOYO_TYPE_RMDIR,
111	TOMOYO_TYPE_TRUNCATE,
112	TOMOYO_TYPE_SYMLINK,
113	TOMOYO_TYPE_CHROOT,
114	TOMOYO_TYPE_UMOUNT,
115	TOMOYO_MAX_PATH_OPERATION
116};
117
118enum tomoyo_mkdev_acl_index {
119	TOMOYO_TYPE_MKBLOCK,
120	TOMOYO_TYPE_MKCHAR,
121	TOMOYO_MAX_MKDEV_OPERATION
122};
123
124/* Index numbers for access controls with two pathnames. */
125enum tomoyo_path2_acl_index {
126	TOMOYO_TYPE_LINK,
127	TOMOYO_TYPE_RENAME,
128	TOMOYO_TYPE_PIVOT_ROOT,
129	TOMOYO_MAX_PATH2_OPERATION
130};
131
132/* Index numbers for access controls with one pathname and one number. */
133enum tomoyo_path_number_acl_index {
134	TOMOYO_TYPE_CREATE,
135	TOMOYO_TYPE_MKDIR,
136	TOMOYO_TYPE_MKFIFO,
137	TOMOYO_TYPE_MKSOCK,
138	TOMOYO_TYPE_IOCTL,
139	TOMOYO_TYPE_CHMOD,
140	TOMOYO_TYPE_CHOWN,
141	TOMOYO_TYPE_CHGRP,
142	TOMOYO_MAX_PATH_NUMBER_OPERATION
143};
144
145/* Index numbers for /sys/kernel/security/tomoyo/ interfaces. */
146enum tomoyo_securityfs_interface_index {
147	TOMOYO_DOMAINPOLICY,
148	TOMOYO_EXCEPTIONPOLICY,
149	TOMOYO_DOMAIN_STATUS,
150	TOMOYO_PROCESS_STATUS,
151	TOMOYO_MEMINFO,
152	TOMOYO_SELFDOMAIN,
153	TOMOYO_VERSION,
154	TOMOYO_PROFILE,
155	TOMOYO_QUERY,
156	TOMOYO_MANAGER
157};
158
159/* Index numbers for special mount operations. */
160enum tomoyo_special_mount {
161	TOMOYO_MOUNT_BIND,            /* mount --bind /source /dest   */
162	TOMOYO_MOUNT_MOVE,            /* mount --move /old /new       */
163	TOMOYO_MOUNT_REMOUNT,         /* mount -o remount /dir        */
164	TOMOYO_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
165	TOMOYO_MOUNT_MAKE_PRIVATE,    /* mount --make-private /dir    */
166	TOMOYO_MOUNT_MAKE_SLAVE,      /* mount --make-slave /dir      */
167	TOMOYO_MOUNT_MAKE_SHARED,     /* mount --make-shared /dir     */
168	TOMOYO_MAX_SPECIAL_MOUNT
169};
170
171/* Index numbers for functionality. */
172enum tomoyo_mac_index {
173	TOMOYO_MAC_FILE_EXECUTE,
174	TOMOYO_MAC_FILE_OPEN,
175	TOMOYO_MAC_FILE_CREATE,
176	TOMOYO_MAC_FILE_UNLINK,
177	TOMOYO_MAC_FILE_GETATTR,
178	TOMOYO_MAC_FILE_MKDIR,
179	TOMOYO_MAC_FILE_RMDIR,
180	TOMOYO_MAC_FILE_MKFIFO,
181	TOMOYO_MAC_FILE_MKSOCK,
182	TOMOYO_MAC_FILE_TRUNCATE,
183	TOMOYO_MAC_FILE_SYMLINK,
184	TOMOYO_MAC_FILE_MKBLOCK,
185	TOMOYO_MAC_FILE_MKCHAR,
186	TOMOYO_MAC_FILE_LINK,
187	TOMOYO_MAC_FILE_RENAME,
188	TOMOYO_MAC_FILE_CHMOD,
189	TOMOYO_MAC_FILE_CHOWN,
190	TOMOYO_MAC_FILE_CHGRP,
191	TOMOYO_MAC_FILE_IOCTL,
192	TOMOYO_MAC_FILE_CHROOT,
193	TOMOYO_MAC_FILE_MOUNT,
194	TOMOYO_MAC_FILE_UMOUNT,
195	TOMOYO_MAC_FILE_PIVOT_ROOT,
196	TOMOYO_MAX_MAC_INDEX
197};
198
199/* Index numbers for category of functionality. */
200enum tomoyo_mac_category_index {
201	TOMOYO_MAC_CATEGORY_FILE,
202	TOMOYO_MAX_MAC_CATEGORY_INDEX
203};
204
205/*
206 * Retry this request. Returned by tomoyo_supervisor() if policy violation has
207 * occurred in enforcing mode and the userspace daemon decided to retry.
208 *
209 * We must choose a positive value in order to distinguish "granted" (which is
210 * 0) and "rejected" (which is a negative value) and "retry".
211 */
212#define TOMOYO_RETRY_REQUEST 1
213
214/********** Structure definitions. **********/
215
216/* Common header for holding ACL entries. */
217struct tomoyo_acl_head {
218	struct list_head list;
219	bool is_deleted;
220} __packed;
221
222/* Structure for request info. */
223struct tomoyo_request_info {
224	struct tomoyo_domain_info *domain;
225	/* For holding parameters. */
226	union {
227		struct {
228			const struct tomoyo_path_info *filename;
229			/* For using wildcards at tomoyo_find_next_domain(). */
230			const struct tomoyo_path_info *matched_path;
231			/* One of values in "enum tomoyo_path_acl_index". */
232			u8 operation;
233		} path;
234		struct {
235			const struct tomoyo_path_info *filename1;
236			const struct tomoyo_path_info *filename2;
237			/* One of values in "enum tomoyo_path2_acl_index". */
238			u8 operation;
239		} path2;
240		struct {
241			const struct tomoyo_path_info *filename;
242			unsigned int mode;
243			unsigned int major;
244			unsigned int minor;
245			/* One of values in "enum tomoyo_mkdev_acl_index". */
246			u8 operation;
247		} mkdev;
248		struct {
249			const struct tomoyo_path_info *filename;
250			unsigned long number;
251			/*
252			 * One of values in
253			 * "enum tomoyo_path_number_acl_index".
254			 */
255			u8 operation;
256		} path_number;
257		struct {
258			const struct tomoyo_path_info *type;
259			const struct tomoyo_path_info *dir;
260			const struct tomoyo_path_info *dev;
261			unsigned long flags;
262			int need_dev;
263		} mount;
264	} param;
265	u8 param_type;
266	bool granted;
267	u8 retry;
268	u8 profile;
269	u8 mode; /* One of tomoyo_mode_index . */
270	u8 type;
271};
272
273/* Structure for holding a token. */
274struct tomoyo_path_info {
275	const char *name;
276	u32 hash;          /* = full_name_hash(name, strlen(name)) */
277	u16 const_len;     /* = tomoyo_const_part_length(name)     */
278	bool is_dir;       /* = tomoyo_strendswith(name, "/")      */
279	bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
280};
281
282/* Structure for holding string data. */
283struct tomoyo_name {
284	struct list_head list;
285	atomic_t users;
286	struct tomoyo_path_info entry;
287};
288
289/* Structure for holding a word. */
290struct tomoyo_name_union {
291	/* Either @filename or @group is NULL. */
292	const struct tomoyo_path_info *filename;
293	struct tomoyo_group *group;
294	/* True if @group != NULL, false if @filename != NULL. */
295	u8 is_group;
296};
297
298/* Structure for holding a number. */
299struct tomoyo_number_union {
300	unsigned long values[2];
301	struct tomoyo_group *group; /* Maybe NULL. */
302	/* One of values in "enum tomoyo_value_type". */
303	u8 min_type;
304	u8 max_type;
305	/* True if @group != NULL, false otherwise. */
306	u8 is_group;
307};
308
309/* Structure for "path_group"/"number_group" directive. */
310struct tomoyo_group {
311	struct list_head list;
312	const struct tomoyo_path_info *group_name;
313	struct list_head member_list;
314	atomic_t users;
315};
316
317/* Structure for "path_group" directive. */
318struct tomoyo_path_group {
319	struct tomoyo_acl_head head;
320	const struct tomoyo_path_info *member_name;
321};
322
323/* Structure for "number_group" directive. */
324struct tomoyo_number_group {
325	struct tomoyo_acl_head head;
326	struct tomoyo_number_union number;
327};
328
329/* Common header for individual entries. */
330struct tomoyo_acl_info {
331	struct list_head list;
332	bool is_deleted;
333	u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */
334} __packed;
335
336/* Structure for domain information. */
337struct tomoyo_domain_info {
338	struct list_head list;
339	struct list_head acl_info_list;
340	/* Name of this domain. Never NULL.          */
341	const struct tomoyo_path_info *domainname;
342	u8 profile;        /* Profile number to use. */
343	bool is_deleted;   /* Delete flag.           */
344	bool quota_warned; /* Quota warnning flag.   */
345	bool transition_failed; /* Domain transition failed flag. */
346	atomic_t users; /* Number of referring credentials. */
347};
348
349/*
350 * Structure for "file execute", "file read", "file write", "file append",
351 * "file unlink", "file getattr", "file rmdir", "file truncate",
352 * "file symlink", "file chroot" and "file unmount" directive.
353 */
354struct tomoyo_path_acl {
355	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */
356	u16 perm; /* Bitmask of values in "enum tomoyo_path_acl_index". */
357	struct tomoyo_name_union name;
358};
359
360/*
361 * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
362 * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
363 */
364struct tomoyo_path_number_acl {
365	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_NUMBER_ACL */
366	/* Bitmask of values in "enum tomoyo_path_number_acl_index". */
367	u8 perm;
368	struct tomoyo_name_union name;
369	struct tomoyo_number_union number;
370};
371
372/* Structure for "file mkblock" and "file mkchar" directive. */
373struct tomoyo_mkdev_acl {
374	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MKDEV_ACL */
375	u8 perm; /* Bitmask of values in "enum tomoyo_mkdev_acl_index". */
376	struct tomoyo_name_union name;
377	struct tomoyo_number_union mode;
378	struct tomoyo_number_union major;
379	struct tomoyo_number_union minor;
380};
381
382/*
383 * Structure for "file rename", "file link" and "file pivot_root" directive.
384 */
385struct tomoyo_path2_acl {
386	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */
387	u8 perm; /* Bitmask of values in "enum tomoyo_path2_acl_index". */
388	struct tomoyo_name_union name1;
389	struct tomoyo_name_union name2;
390};
391
392/* Structure for "file mount" directive. */
393struct tomoyo_mount_acl {
394	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MOUNT_ACL */
395	struct tomoyo_name_union dev_name;
396	struct tomoyo_name_union dir_name;
397	struct tomoyo_name_union fs_type;
398	struct tomoyo_number_union flags;
399};
400
401#define TOMOYO_MAX_IO_READ_QUEUE 32
402
403/*
404 * Structure for reading/writing policy via /sys/kernel/security/tomoyo
405 * interfaces.
406 */
407struct tomoyo_io_buffer {
408	void (*read) (struct tomoyo_io_buffer *);
409	int (*write) (struct tomoyo_io_buffer *);
410	int (*poll) (struct file *file, poll_table *wait);
411	/* Exclusive lock for this structure.   */
412	struct mutex io_sem;
413	/* Index returned by tomoyo_read_lock(). */
414	int reader_idx;
415	char __user *read_user_buf;
416	int read_user_buf_avail;
417	struct {
418		struct list_head *domain;
419		struct list_head *group;
420		struct list_head *acl;
421		int avail;
422		int step;
423		int query_index;
424		u16 index;
425		u8 bit;
426		u8 w_pos;
427		bool eof;
428		bool print_this_domain_only;
429		bool print_execute_only;
430		const char *w[TOMOYO_MAX_IO_READ_QUEUE];
431	} r;
432	/* The position currently writing to.   */
433	struct tomoyo_domain_info *write_var1;
434	/* Buffer for reading.                  */
435	char *read_buf;
436	/* Size of read buffer.                 */
437	int readbuf_size;
438	/* Buffer for writing.                  */
439	char *write_buf;
440	/* Bytes available for writing.         */
441	int write_avail;
442	/* Size of write buffer.                */
443	int writebuf_size;
444	/* Type of this interface.              */
445	u8 type;
446};
447
448/*
449 * Structure for "initialize_domain"/"no_initialize_domain"/"keep_domain"/
450 * "no_keep_domain" keyword.
451 */
452struct tomoyo_transition_control {
453	struct tomoyo_acl_head head;
454	u8 type; /* One of values in "enum tomoyo_transition_type".  */
455	/* True if the domainname is tomoyo_get_last_name(). */
456	bool is_last_name;
457	const struct tomoyo_path_info *domainname; /* Maybe NULL */
458	const struct tomoyo_path_info *program;    /* Maybe NULL */
459};
460
461/* Structure for "aggregator" keyword. */
462struct tomoyo_aggregator {
463	struct tomoyo_acl_head head;
464	const struct tomoyo_path_info *original_name;
465	const struct tomoyo_path_info *aggregated_name;
466};
467
468/* Structure for policy manager. */
469struct tomoyo_manager {
470	struct tomoyo_acl_head head;
471	bool is_domain;  /* True if manager is a domainname. */
472	/* A path to program or a domainname. */
473	const struct tomoyo_path_info *manager;
474};
475
476struct tomoyo_preference {
477	unsigned int learning_max_entry;
478	bool enforcing_verbose;
479	bool learning_verbose;
480	bool permissive_verbose;
481};
482
483/* Structure for /sys/kernel/security/tomnoyo/profile interface. */
484struct tomoyo_profile {
485	const struct tomoyo_path_info *comment;
486	struct tomoyo_preference *learning;
487	struct tomoyo_preference *permissive;
488	struct tomoyo_preference *enforcing;
489	struct tomoyo_preference preference;
490	u8 default_config;
491	u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX];
492};
493
494/********** Function prototypes. **********/
495
496bool tomoyo_str_starts(char **src, const char *find);
497const char *tomoyo_get_exe(void);
498void tomoyo_normalize_line(unsigned char *buffer);
499void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...)
500     __attribute__ ((format(printf, 2, 3)));
501void tomoyo_check_profile(void);
502int tomoyo_open_control(const u8 type, struct file *file);
503int tomoyo_close_control(struct file *file);
504int tomoyo_poll_control(struct file *file, poll_table *wait);
505int tomoyo_read_control(struct file *file, char __user *buffer,
506			const int buffer_len);
507int tomoyo_write_control(struct file *file, const char __user *buffer,
508			 const int buffer_len);
509bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);
510void tomoyo_warn_oom(const char *function);
511const struct tomoyo_path_info *
512tomoyo_compare_name_union(const struct tomoyo_path_info *name,
513			  const struct tomoyo_name_union *ptr);
514bool tomoyo_compare_number_union(const unsigned long value,
515				 const struct tomoyo_number_union *ptr);
516int tomoyo_get_mode(const u8 profile, const u8 index);
517void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
518	__attribute__ ((format(printf, 2, 3)));
519bool tomoyo_correct_domain(const unsigned char *domainname);
520bool tomoyo_correct_path(const char *filename);
521bool tomoyo_correct_word(const char *string);
522bool tomoyo_domain_def(const unsigned char *buffer);
523bool tomoyo_parse_name_union(const char *filename,
524			     struct tomoyo_name_union *ptr);
525const struct tomoyo_path_info *
526tomoyo_path_matches_group(const struct tomoyo_path_info *pathname,
527			  const struct tomoyo_group *group);
528bool tomoyo_number_matches_group(const unsigned long min,
529				 const unsigned long max,
530				 const struct tomoyo_group *group);
531bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
532				 const struct tomoyo_path_info *pattern);
533bool tomoyo_parse_number_union(char *data, struct tomoyo_number_union *num);
534bool tomoyo_tokenize(char *buffer, char *w[], size_t size);
535bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain);
536int tomoyo_init_request_info(struct tomoyo_request_info *r,
537			     struct tomoyo_domain_info *domain,
538			     const u8 index);
539int tomoyo_mount_permission(char *dev_name, struct path *path,
540			    const char *type, unsigned long flags,
541			    void *data_page);
542int tomoyo_write_aggregator(char *data, const bool is_delete);
543int tomoyo_write_transition_control(char *data, const bool is_delete,
544				    const u8 type);
545int tomoyo_write_file(char *data, struct tomoyo_domain_info *domain,
546		      const bool is_delete);
547int tomoyo_write_mount(char *data, struct tomoyo_domain_info *domain,
548		       const bool is_delete);
549int tomoyo_write_group(char *data, const bool is_delete, const u8 type);
550int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
551     __attribute__ ((format(printf, 2, 3)));
552struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
553struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
554						const u8 profile);
555struct tomoyo_profile *tomoyo_profile(const u8 profile);
556struct tomoyo_group *tomoyo_get_group(const char *group_name, const u8 type);
557unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
558				const u8 index);
559void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
560void tomoyo_load_policy(const char *filename);
561void tomoyo_put_number_union(struct tomoyo_number_union *ptr);
562char *tomoyo_encode(const char *str);
563char *tomoyo_realpath_nofollow(const char *pathname);
564char *tomoyo_realpath_from_path(struct path *path);
565bool tomoyo_memory_ok(void *ptr);
566void *tomoyo_commit_ok(void *data, const unsigned int size);
567const struct tomoyo_path_info *tomoyo_get_name(const char *name);
568void tomoyo_read_memory_counter(struct tomoyo_io_buffer *head);
569int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
570void __init tomoyo_mm_init(void);
571int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
572			   const struct tomoyo_path_info *filename);
573int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
574				 struct path *path, const int flag);
575int tomoyo_path_number_perm(const u8 operation, struct path *path,
576			    unsigned long number);
577int tomoyo_mkdev_perm(const u8 operation, struct path *path,
578		      const unsigned int mode, unsigned int dev);
579int tomoyo_path_perm(const u8 operation, struct path *path);
580int tomoyo_path2_perm(const u8 operation, struct path *path1,
581		      struct path *path2);
582int tomoyo_find_next_domain(struct linux_binprm *bprm);
583void tomoyo_print_ulong(char *buffer, const int buffer_len,
584			const unsigned long value, const u8 type);
585void tomoyo_put_name_union(struct tomoyo_name_union *ptr);
586void tomoyo_run_gc(void);
587void tomoyo_memory_free(void *ptr);
588int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
589			 bool is_delete, struct tomoyo_domain_info *domain,
590			 bool (*check_duplicate) (const struct tomoyo_acl_info
591						  *,
592						  const struct tomoyo_acl_info
593						  *),
594			 bool (*merge_duplicate) (struct tomoyo_acl_info *,
595						  struct tomoyo_acl_info *,
596						  const bool));
597int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
598			 bool is_delete, struct list_head *list,
599			 bool (*check_duplicate) (const struct tomoyo_acl_head
600						  *,
601						  const struct tomoyo_acl_head
602						  *));
603void tomoyo_check_acl(struct tomoyo_request_info *r,
604		      bool (*check_entry) (struct tomoyo_request_info *,
605					   const struct tomoyo_acl_info *));
606
607/********** External variable definitions. **********/
608
609/* Lock for GC. */
610extern struct srcu_struct tomoyo_ss;
611
612/* The list for "struct tomoyo_domain_info". */
613extern struct list_head tomoyo_domain_list;
614
615extern struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY];
616extern struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP];
617extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
618
619/* Lock for protecting policy. */
620extern struct mutex tomoyo_policy_lock;
621
622/* Has /sbin/init started? */
623extern bool tomoyo_policy_loaded;
624
625/* The kernel's domain. */
626extern struct tomoyo_domain_info tomoyo_kernel_domain;
627
628extern const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
629extern const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION];
630extern const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION];
631extern const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION];
632
633extern unsigned int tomoyo_quota_for_query;
634extern unsigned int tomoyo_query_memory_size;
635
636/********** Inlined functions. **********/
637
638/**
639 * tomoyo_read_lock - Take lock for protecting policy.
640 *
641 * Returns index number for tomoyo_read_unlock().
642 */
643static inline int tomoyo_read_lock(void)
644{
645	return srcu_read_lock(&tomoyo_ss);
646}
647
648/**
649 * tomoyo_read_unlock - Release lock for protecting policy.
650 *
651 * @idx: Index number returned by tomoyo_read_lock().
652 *
653 * Returns nothing.
654 */
655static inline void tomoyo_read_unlock(int idx)
656{
657	srcu_read_unlock(&tomoyo_ss, idx);
658}
659
660/**
661 * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure.
662 *
663 * @a: Pointer to "struct tomoyo_path_info".
664 * @b: Pointer to "struct tomoyo_path_info".
665 *
666 * Returns true if @a == @b, false otherwise.
667 */
668static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
669				  const struct tomoyo_path_info *b)
670{
671	return a->hash != b->hash || strcmp(a->name, b->name);
672}
673
674/**
675 * tomoyo_valid - Check whether the character is a valid char.
676 *
677 * @c: The character to check.
678 *
679 * Returns true if @c is a valid character, false otherwise.
680 */
681static inline bool tomoyo_valid(const unsigned char c)
682{
683	return c > ' ' && c < 127;
684}
685
686/**
687 * tomoyo_invalid - Check whether the character is an invalid char.
688 *
689 * @c: The character to check.
690 *
691 * Returns true if @c is an invalid character, false otherwise.
692 */
693static inline bool tomoyo_invalid(const unsigned char c)
694{
695	return c && (c <= ' ' || c >= 127);
696}
697
698/**
699 * tomoyo_put_name - Drop reference on "struct tomoyo_name".
700 *
701 * @name: Pointer to "struct tomoyo_path_info". Maybe NULL.
702 *
703 * Returns nothing.
704 */
705static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
706{
707	if (name) {
708		struct tomoyo_name *ptr =
709			container_of(name, typeof(*ptr), entry);
710		atomic_dec(&ptr->users);
711	}
712}
713
714/**
715 * tomoyo_put_group - Drop reference on "struct tomoyo_group".
716 *
717 * @group: Pointer to "struct tomoyo_group". Maybe NULL.
718 *
719 * Returns nothing.
720 */
721static inline void tomoyo_put_group(struct tomoyo_group *group)
722{
723	if (group)
724		atomic_dec(&group->users);
725}
726
727/**
728 * tomoyo_domain - Get "struct tomoyo_domain_info" for current thread.
729 *
730 * Returns pointer to "struct tomoyo_domain_info" for current thread.
731 */
732static inline struct tomoyo_domain_info *tomoyo_domain(void)
733{
734	return current_cred()->security;
735}
736
737/**
738 * tomoyo_real_domain - Get "struct tomoyo_domain_info" for specified thread.
739 *
740 * @task: Pointer to "struct task_struct".
741 *
742 * Returns pointer to "struct tomoyo_security" for specified thread.
743 */
744static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
745							    *task)
746{
747	return task_cred_xxx(task, security);
748}
749
750static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *p1,
751					const struct tomoyo_acl_info *p2)
752{
753	return p1->type == p2->type;
754}
755
756/**
757 * tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry.
758 *
759 * @a: Pointer to "struct tomoyo_name_union".
760 * @b: Pointer to "struct tomoyo_name_union".
761 *
762 * Returns true if @a == @b, false otherwise.
763 */
764static inline bool tomoyo_same_name_union
765(const struct tomoyo_name_union *a, const struct tomoyo_name_union *b)
766{
767	return a->filename == b->filename && a->group == b->group &&
768		a->is_group == b->is_group;
769}
770
771/**
772 * tomoyo_same_number_union - Check for duplicated "struct tomoyo_number_union" entry.
773 *
774 * @a: Pointer to "struct tomoyo_number_union".
775 * @b: Pointer to "struct tomoyo_number_union".
776 *
777 * Returns true if @a == @b, false otherwise.
778 */
779static inline bool tomoyo_same_number_union
780(const struct tomoyo_number_union *a, const struct tomoyo_number_union *b)
781{
782	return a->values[0] == b->values[0] && a->values[1] == b->values[1] &&
783		a->group == b->group && a->min_type == b->min_type &&
784		a->max_type == b->max_type && a->is_group == b->is_group;
785}
786
787/**
788 * list_for_each_cookie - iterate over a list with cookie.
789 * @pos:        the &struct list_head to use as a loop cursor.
790 * @head:       the head for your list.
791 */
792#define list_for_each_cookie(pos, head)					\
793	if (!pos)							\
794		pos =  srcu_dereference((head)->next, &tomoyo_ss);	\
795	for ( ; pos != (head); pos = srcu_dereference(pos->next, &tomoyo_ss))
796
797#endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */
798