file.c revision 2106ccd972dcd9fda7df9b181505fac1741b3508
1/* 2 * security/tomoyo/file.c 3 * 4 * Implementation of the Domain-Based Mandatory Access Control. 5 * 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 7 * 8 * Version: 2.2.0 2009/04/01 9 * 10 */ 11 12#include "common.h" 13#include <linux/slab.h> 14 15/* Keyword array for operations with one pathname. */ 16static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = { 17 [TOMOYO_TYPE_READ_WRITE] = "read/write", 18 [TOMOYO_TYPE_EXECUTE] = "execute", 19 [TOMOYO_TYPE_READ] = "read", 20 [TOMOYO_TYPE_WRITE] = "write", 21 [TOMOYO_TYPE_UNLINK] = "unlink", 22 [TOMOYO_TYPE_RMDIR] = "rmdir", 23 [TOMOYO_TYPE_TRUNCATE] = "truncate", 24 [TOMOYO_TYPE_SYMLINK] = "symlink", 25 [TOMOYO_TYPE_REWRITE] = "rewrite", 26 [TOMOYO_TYPE_CHROOT] = "chroot", 27 [TOMOYO_TYPE_UMOUNT] = "unmount", 28}; 29 30/* Keyword array for operations with one pathname and three numbers. */ 31static const char *tomoyo_path_number3_keyword 32[TOMOYO_MAX_PATH_NUMBER3_OPERATION] = { 33 [TOMOYO_TYPE_MKBLOCK] = "mkblock", 34 [TOMOYO_TYPE_MKCHAR] = "mkchar", 35}; 36 37/* Keyword array for operations with two pathnames. */ 38static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = { 39 [TOMOYO_TYPE_LINK] = "link", 40 [TOMOYO_TYPE_RENAME] = "rename", 41 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root", 42}; 43 44/* Keyword array for operations with one pathname and one number. */ 45static const char *tomoyo_path_number_keyword 46[TOMOYO_MAX_PATH_NUMBER_OPERATION] = { 47 [TOMOYO_TYPE_CREATE] = "create", 48 [TOMOYO_TYPE_MKDIR] = "mkdir", 49 [TOMOYO_TYPE_MKFIFO] = "mkfifo", 50 [TOMOYO_TYPE_MKSOCK] = "mksock", 51 [TOMOYO_TYPE_IOCTL] = "ioctl", 52 [TOMOYO_TYPE_CHMOD] = "chmod", 53 [TOMOYO_TYPE_CHOWN] = "chown", 54 [TOMOYO_TYPE_CHGRP] = "chgrp", 55}; 56 57void tomoyo_put_name_union(struct tomoyo_name_union *ptr) 58{ 59 if (!ptr) 60 return; 61 if (ptr->is_group) 62 tomoyo_put_path_group(ptr->group); 63 else 64 tomoyo_put_name(ptr->filename); 65} 66 67bool tomoyo_compare_name_union(const struct tomoyo_path_info *name, 68 const struct tomoyo_name_union *ptr) 69{ 70 if (ptr->is_group) 71 return tomoyo_path_matches_group(name, ptr->group, 1); 72 return tomoyo_path_matches_pattern(name, ptr->filename); 73} 74 75static bool tomoyo_compare_name_union_pattern(const struct tomoyo_path_info 76 *name, 77 const struct tomoyo_name_union 78 *ptr, const bool may_use_pattern) 79{ 80 if (ptr->is_group) 81 return tomoyo_path_matches_group(name, ptr->group, 82 may_use_pattern); 83 if (may_use_pattern || !ptr->filename->is_patterned) 84 return tomoyo_path_matches_pattern(name, ptr->filename); 85 return false; 86} 87 88void tomoyo_put_number_union(struct tomoyo_number_union *ptr) 89{ 90 if (ptr && ptr->is_group) 91 tomoyo_put_number_group(ptr->group); 92} 93 94bool tomoyo_compare_number_union(const unsigned long value, 95 const struct tomoyo_number_union *ptr) 96{ 97 if (ptr->is_group) 98 return tomoyo_number_matches_group(value, value, ptr->group); 99 return value >= ptr->values[0] && value <= ptr->values[1]; 100} 101 102/** 103 * tomoyo_init_request_info - Initialize "struct tomoyo_request_info" members. 104 * 105 * @r: Pointer to "struct tomoyo_request_info" to initialize. 106 * @domain: Pointer to "struct tomoyo_domain_info". NULL for tomoyo_domain(). 107 * 108 * Returns mode. 109 */ 110int tomoyo_init_request_info(struct tomoyo_request_info *r, 111 struct tomoyo_domain_info *domain) 112{ 113 memset(r, 0, sizeof(*r)); 114 if (!domain) 115 domain = tomoyo_domain(); 116 r->domain = domain; 117 r->mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 118 return r->mode; 119} 120 121static void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...) 122 __attribute__ ((format(printf, 2, 3))); 123/** 124 * tomoyo_warn_log - Print warning or error message on console. 125 * 126 * @r: Pointer to "struct tomoyo_request_info". 127 * @fmt: The printf()'s format string, followed by parameters. 128 */ 129static void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...) 130{ 131 int len = PAGE_SIZE; 132 va_list args; 133 char *buffer; 134 if (!tomoyo_verbose_mode(r->domain)) 135 return; 136 while (1) { 137 int len2; 138 buffer = kmalloc(len, GFP_NOFS); 139 if (!buffer) 140 return; 141 va_start(args, fmt); 142 len2 = vsnprintf(buffer, len - 1, fmt, args); 143 va_end(args); 144 if (len2 <= len - 1) { 145 buffer[len2] = '\0'; 146 break; 147 } 148 len = len2 + 1; 149 kfree(buffer); 150 } 151 printk(KERN_WARNING "TOMOYO-%s: Access %s denied for %s\n", 152 r->mode == TOMOYO_CONFIG_ENFORCING ? "ERROR" : "WARNING", 153 buffer, tomoyo_get_last_name(r->domain)); 154 kfree(buffer); 155} 156 157/** 158 * tomoyo_path2keyword - Get the name of single path operation. 159 * 160 * @operation: Type of operation. 161 * 162 * Returns the name of single path operation. 163 */ 164const char *tomoyo_path2keyword(const u8 operation) 165{ 166 return (operation < TOMOYO_MAX_PATH_OPERATION) 167 ? tomoyo_path_keyword[operation] : NULL; 168} 169 170/** 171 * tomoyo_path_number32keyword - Get the name of path/number/number/number operations. 172 * 173 * @operation: Type of operation. 174 * 175 * Returns the name of path/number/number/number operation. 176 */ 177const char *tomoyo_path_number32keyword(const u8 operation) 178{ 179 return (operation < TOMOYO_MAX_PATH_NUMBER3_OPERATION) 180 ? tomoyo_path_number3_keyword[operation] : NULL; 181} 182 183/** 184 * tomoyo_path22keyword - Get the name of double path operation. 185 * 186 * @operation: Type of operation. 187 * 188 * Returns the name of double path operation. 189 */ 190const char *tomoyo_path22keyword(const u8 operation) 191{ 192 return (operation < TOMOYO_MAX_PATH2_OPERATION) 193 ? tomoyo_path2_keyword[operation] : NULL; 194} 195 196/** 197 * tomoyo_path_number2keyword - Get the name of path/number operations. 198 * 199 * @operation: Type of operation. 200 * 201 * Returns the name of path/number operation. 202 */ 203const char *tomoyo_path_number2keyword(const u8 operation) 204{ 205 return (operation < TOMOYO_MAX_PATH_NUMBER_OPERATION) 206 ? tomoyo_path_number_keyword[operation] : NULL; 207} 208 209/** 210 * tomoyo_strendswith - Check whether the token ends with the given token. 211 * 212 * @name: The token to check. 213 * @tail: The token to find. 214 * 215 * Returns true if @name ends with @tail, false otherwise. 216 */ 217static bool tomoyo_strendswith(const char *name, const char *tail) 218{ 219 int len; 220 221 if (!name || !tail) 222 return false; 223 len = strlen(name) - strlen(tail); 224 return len >= 0 && !strcmp(name + len, tail); 225} 226 227/** 228 * tomoyo_get_path - Get realpath. 229 * 230 * @path: Pointer to "struct path". 231 * 232 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise. 233 */ 234static struct tomoyo_path_info *tomoyo_get_path(struct path *path) 235{ 236 int error; 237 struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf), 238 GFP_NOFS); 239 240 if (!buf) 241 return NULL; 242 /* Reserve one byte for appending "/". */ 243 error = tomoyo_realpath_from_path2(path, buf->body, 244 sizeof(buf->body) - 2); 245 if (!error) { 246 buf->head.name = buf->body; 247 tomoyo_fill_path_info(&buf->head); 248 return &buf->head; 249 } 250 kfree(buf); 251 return NULL; 252} 253 254static int tomoyo_update_path2_acl(const u8 type, const char *filename1, 255 const char *filename2, 256 struct tomoyo_domain_info *const domain, 257 const bool is_delete); 258static int tomoyo_update_path_acl(const u8 type, const char *filename, 259 struct tomoyo_domain_info *const domain, 260 const bool is_delete); 261 262/* 263 * tomoyo_globally_readable_list is used for holding list of pathnames which 264 * are by default allowed to be open()ed for reading by any process. 265 * 266 * An entry is added by 267 * 268 * # echo 'allow_read /lib/libc-2.5.so' > \ 269 * /sys/kernel/security/tomoyo/exception_policy 270 * 271 * and is deleted by 272 * 273 * # echo 'delete allow_read /lib/libc-2.5.so' > \ 274 * /sys/kernel/security/tomoyo/exception_policy 275 * 276 * and all entries are retrieved by 277 * 278 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy 279 * 280 * In the example above, any process is allowed to 281 * open("/lib/libc-2.5.so", O_RDONLY). 282 * One exception is, if the domain which current process belongs to is marked 283 * as "ignore_global_allow_read", current process can't do so unless explicitly 284 * given "allow_read /lib/libc-2.5.so" to the domain which current process 285 * belongs to. 286 */ 287LIST_HEAD(tomoyo_globally_readable_list); 288 289/** 290 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list. 291 * 292 * @filename: Filename unconditionally permitted to open() for reading. 293 * @is_delete: True if it is a delete request. 294 * 295 * Returns 0 on success, negative value otherwise. 296 * 297 * Caller holds tomoyo_read_lock(). 298 */ 299static int tomoyo_update_globally_readable_entry(const char *filename, 300 const bool is_delete) 301{ 302 struct tomoyo_globally_readable_file_entry *ptr; 303 struct tomoyo_globally_readable_file_entry e = { }; 304 int error = is_delete ? -ENOENT : -ENOMEM; 305 306 if (!tomoyo_is_correct_path(filename, 1, 0, -1)) 307 return -EINVAL; 308 e.filename = tomoyo_get_name(filename); 309 if (!e.filename) 310 return -ENOMEM; 311 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 312 goto out; 313 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) { 314 if (ptr->filename != e.filename) 315 continue; 316 ptr->is_deleted = is_delete; 317 error = 0; 318 break; 319 } 320 if (!is_delete && error) { 321 struct tomoyo_globally_readable_file_entry *entry = 322 tomoyo_commit_ok(&e, sizeof(e)); 323 if (entry) { 324 list_add_tail_rcu(&entry->list, 325 &tomoyo_globally_readable_list); 326 error = 0; 327 } 328 } 329 mutex_unlock(&tomoyo_policy_lock); 330 out: 331 tomoyo_put_name(e.filename); 332 return error; 333} 334 335/** 336 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading. 337 * 338 * @filename: The filename to check. 339 * 340 * Returns true if any domain can open @filename for reading, false otherwise. 341 * 342 * Caller holds tomoyo_read_lock(). 343 */ 344static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info * 345 filename) 346{ 347 struct tomoyo_globally_readable_file_entry *ptr; 348 bool found = false; 349 350 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) { 351 if (!ptr->is_deleted && 352 tomoyo_path_matches_pattern(filename, ptr->filename)) { 353 found = true; 354 break; 355 } 356 } 357 return found; 358} 359 360/** 361 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list. 362 * 363 * @data: String to parse. 364 * @is_delete: True if it is a delete request. 365 * 366 * Returns 0 on success, negative value otherwise. 367 * 368 * Caller holds tomoyo_read_lock(). 369 */ 370int tomoyo_write_globally_readable_policy(char *data, const bool is_delete) 371{ 372 return tomoyo_update_globally_readable_entry(data, is_delete); 373} 374 375/** 376 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list. 377 * 378 * @head: Pointer to "struct tomoyo_io_buffer". 379 * 380 * Returns true on success, false otherwise. 381 * 382 * Caller holds tomoyo_read_lock(). 383 */ 384bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) 385{ 386 struct list_head *pos; 387 bool done = true; 388 389 list_for_each_cookie(pos, head->read_var2, 390 &tomoyo_globally_readable_list) { 391 struct tomoyo_globally_readable_file_entry *ptr; 392 ptr = list_entry(pos, 393 struct tomoyo_globally_readable_file_entry, 394 list); 395 if (ptr->is_deleted) 396 continue; 397 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n", 398 ptr->filename->name); 399 if (!done) 400 break; 401 } 402 return done; 403} 404 405/* tomoyo_pattern_list is used for holding list of pathnames which are used for 406 * converting pathnames to pathname patterns during learning mode. 407 * 408 * An entry is added by 409 * 410 * # echo 'file_pattern /proc/\$/mounts' > \ 411 * /sys/kernel/security/tomoyo/exception_policy 412 * 413 * and is deleted by 414 * 415 * # echo 'delete file_pattern /proc/\$/mounts' > \ 416 * /sys/kernel/security/tomoyo/exception_policy 417 * 418 * and all entries are retrieved by 419 * 420 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy 421 * 422 * In the example above, if a process which belongs to a domain which is in 423 * learning mode requested open("/proc/1/mounts", O_RDONLY), 424 * "allow_read /proc/\$/mounts" is automatically added to the domain which that 425 * process belongs to. 426 * 427 * It is not a desirable behavior that we have to use /proc/\$/ instead of 428 * /proc/self/ when current process needs to access only current process's 429 * information. As of now, LSM version of TOMOYO is using __d_path() for 430 * calculating pathname. Non LSM version of TOMOYO is using its own function 431 * which pretends as if /proc/self/ is not a symlink; so that we can forbid 432 * current process from accessing other process's information. 433 */ 434LIST_HEAD(tomoyo_pattern_list); 435 436/** 437 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list. 438 * 439 * @pattern: Pathname pattern. 440 * @is_delete: True if it is a delete request. 441 * 442 * Returns 0 on success, negative value otherwise. 443 * 444 * Caller holds tomoyo_read_lock(). 445 */ 446static int tomoyo_update_file_pattern_entry(const char *pattern, 447 const bool is_delete) 448{ 449 struct tomoyo_pattern_entry *ptr; 450 struct tomoyo_pattern_entry e = { .pattern = tomoyo_get_name(pattern) }; 451 int error = is_delete ? -ENOENT : -ENOMEM; 452 453 if (!e.pattern) 454 return error; 455 if (!e.pattern->is_patterned) 456 goto out; 457 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 458 goto out; 459 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) { 460 if (e.pattern != ptr->pattern) 461 continue; 462 ptr->is_deleted = is_delete; 463 error = 0; 464 break; 465 } 466 if (!is_delete && error) { 467 struct tomoyo_pattern_entry *entry = 468 tomoyo_commit_ok(&e, sizeof(e)); 469 if (entry) { 470 list_add_tail_rcu(&entry->list, &tomoyo_pattern_list); 471 error = 0; 472 } 473 } 474 mutex_unlock(&tomoyo_policy_lock); 475 out: 476 tomoyo_put_name(e.pattern); 477 return error; 478} 479 480/** 481 * tomoyo_get_file_pattern - Get patterned pathname. 482 * 483 * @filename: The filename to find patterned pathname. 484 * 485 * Returns pointer to pathname pattern if matched, @filename otherwise. 486 * 487 * Caller holds tomoyo_read_lock(). 488 */ 489const struct tomoyo_path_info * 490tomoyo_get_file_pattern(const struct tomoyo_path_info *filename) 491{ 492 struct tomoyo_pattern_entry *ptr; 493 const struct tomoyo_path_info *pattern = NULL; 494 495 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) { 496 if (ptr->is_deleted) 497 continue; 498 if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) 499 continue; 500 pattern = ptr->pattern; 501 if (tomoyo_strendswith(pattern->name, "/\\*")) { 502 /* Do nothing. Try to find the better match. */ 503 } else { 504 /* This would be the better match. Use this. */ 505 break; 506 } 507 } 508 if (pattern) 509 filename = pattern; 510 return filename; 511} 512 513/** 514 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list. 515 * 516 * @data: String to parse. 517 * @is_delete: True if it is a delete request. 518 * 519 * Returns 0 on success, negative value otherwise. 520 * 521 * Caller holds tomoyo_read_lock(). 522 */ 523int tomoyo_write_pattern_policy(char *data, const bool is_delete) 524{ 525 return tomoyo_update_file_pattern_entry(data, is_delete); 526} 527 528/** 529 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list. 530 * 531 * @head: Pointer to "struct tomoyo_io_buffer". 532 * 533 * Returns true on success, false otherwise. 534 * 535 * Caller holds tomoyo_read_lock(). 536 */ 537bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) 538{ 539 struct list_head *pos; 540 bool done = true; 541 542 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) { 543 struct tomoyo_pattern_entry *ptr; 544 ptr = list_entry(pos, struct tomoyo_pattern_entry, list); 545 if (ptr->is_deleted) 546 continue; 547 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN 548 "%s\n", ptr->pattern->name); 549 if (!done) 550 break; 551 } 552 return done; 553} 554 555/* 556 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by 557 * default forbidden to modify already written content of a file. 558 * 559 * An entry is added by 560 * 561 * # echo 'deny_rewrite /var/log/messages' > \ 562 * /sys/kernel/security/tomoyo/exception_policy 563 * 564 * and is deleted by 565 * 566 * # echo 'delete deny_rewrite /var/log/messages' > \ 567 * /sys/kernel/security/tomoyo/exception_policy 568 * 569 * and all entries are retrieved by 570 * 571 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy 572 * 573 * In the example above, if a process requested to rewrite /var/log/messages , 574 * the process can't rewrite unless the domain which that process belongs to 575 * has "allow_rewrite /var/log/messages" entry. 576 * 577 * It is not a desirable behavior that we have to add "\040(deleted)" suffix 578 * when we want to allow rewriting already unlink()ed file. As of now, 579 * LSM version of TOMOYO is using __d_path() for calculating pathname. 580 * Non LSM version of TOMOYO is using its own function which doesn't append 581 * " (deleted)" suffix if the file is already unlink()ed; so that we don't 582 * need to worry whether the file is already unlink()ed or not. 583 */ 584LIST_HEAD(tomoyo_no_rewrite_list); 585 586/** 587 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list. 588 * 589 * @pattern: Pathname pattern that are not rewritable by default. 590 * @is_delete: True if it is a delete request. 591 * 592 * Returns 0 on success, negative value otherwise. 593 * 594 * Caller holds tomoyo_read_lock(). 595 */ 596static int tomoyo_update_no_rewrite_entry(const char *pattern, 597 const bool is_delete) 598{ 599 struct tomoyo_no_rewrite_entry *ptr; 600 struct tomoyo_no_rewrite_entry e = { }; 601 int error = is_delete ? -ENOENT : -ENOMEM; 602 603 if (!tomoyo_is_correct_path(pattern, 0, 0, 0)) 604 return -EINVAL; 605 e.pattern = tomoyo_get_name(pattern); 606 if (!e.pattern) 607 return error; 608 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 609 goto out; 610 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) { 611 if (ptr->pattern != e.pattern) 612 continue; 613 ptr->is_deleted = is_delete; 614 error = 0; 615 break; 616 } 617 if (!is_delete && error) { 618 struct tomoyo_no_rewrite_entry *entry = 619 tomoyo_commit_ok(&e, sizeof(e)); 620 if (entry) { 621 list_add_tail_rcu(&entry->list, 622 &tomoyo_no_rewrite_list); 623 error = 0; 624 } 625 } 626 mutex_unlock(&tomoyo_policy_lock); 627 out: 628 tomoyo_put_name(e.pattern); 629 return error; 630} 631 632/** 633 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited. 634 * 635 * @filename: Filename to check. 636 * 637 * Returns true if @filename is specified by "deny_rewrite" directive, 638 * false otherwise. 639 * 640 * Caller holds tomoyo_read_lock(). 641 */ 642static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename) 643{ 644 struct tomoyo_no_rewrite_entry *ptr; 645 bool found = false; 646 647 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) { 648 if (ptr->is_deleted) 649 continue; 650 if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) 651 continue; 652 found = true; 653 break; 654 } 655 return found; 656} 657 658/** 659 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list. 660 * 661 * @data: String to parse. 662 * @is_delete: True if it is a delete request. 663 * 664 * Returns 0 on success, negative value otherwise. 665 * 666 * Caller holds tomoyo_read_lock(). 667 */ 668int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete) 669{ 670 return tomoyo_update_no_rewrite_entry(data, is_delete); 671} 672 673/** 674 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list. 675 * 676 * @head: Pointer to "struct tomoyo_io_buffer". 677 * 678 * Returns true on success, false otherwise. 679 * 680 * Caller holds tomoyo_read_lock(). 681 */ 682bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head) 683{ 684 struct list_head *pos; 685 bool done = true; 686 687 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) { 688 struct tomoyo_no_rewrite_entry *ptr; 689 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list); 690 if (ptr->is_deleted) 691 continue; 692 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE 693 "%s\n", ptr->pattern->name); 694 if (!done) 695 break; 696 } 697 return done; 698} 699 700/** 701 * tomoyo_update_file_acl - Update file's read/write/execute ACL. 702 * 703 * @perm: Permission (between 1 to 7). 704 * @filename: Filename. 705 * @domain: Pointer to "struct tomoyo_domain_info". 706 * @is_delete: True if it is a delete request. 707 * 708 * Returns 0 on success, negative value otherwise. 709 * 710 * This is legacy support interface for older policy syntax. 711 * Current policy syntax uses "allow_read/write" instead of "6", 712 * "allow_read" instead of "4", "allow_write" instead of "2", 713 * "allow_execute" instead of "1". 714 * 715 * Caller holds tomoyo_read_lock(). 716 */ 717static int tomoyo_update_file_acl(u8 perm, const char *filename, 718 struct tomoyo_domain_info * const domain, 719 const bool is_delete) 720{ 721 if (perm > 7 || !perm) { 722 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n", 723 __func__, perm, filename); 724 return -EINVAL; 725 } 726 if (filename[0] != '@' && tomoyo_strendswith(filename, "/")) 727 /* 728 * Only 'allow_mkdir' and 'allow_rmdir' are valid for 729 * directory permissions. 730 */ 731 return 0; 732 if (perm & 4) 733 tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain, 734 is_delete); 735 if (perm & 2) 736 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain, 737 is_delete); 738 if (perm & 1) 739 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain, 740 is_delete); 741 return 0; 742} 743 744/** 745 * tomoyo_path_acl - Check permission for single path operation. 746 * 747 * @r: Pointer to "struct tomoyo_request_info". 748 * @filename: Filename to check. 749 * @perm: Permission. 750 * @may_use_pattern: True if patterned ACL is permitted. 751 * 752 * Returns 0 on success, -EPERM otherwise. 753 * 754 * Caller holds tomoyo_read_lock(). 755 */ 756static int tomoyo_path_acl(const struct tomoyo_request_info *r, 757 const struct tomoyo_path_info *filename, 758 const u32 perm, const bool may_use_pattern) 759{ 760 struct tomoyo_domain_info *domain = r->domain; 761 struct tomoyo_acl_info *ptr; 762 int error = -EPERM; 763 764 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 765 struct tomoyo_path_acl *acl; 766 if (ptr->type != TOMOYO_TYPE_PATH_ACL) 767 continue; 768 acl = container_of(ptr, struct tomoyo_path_acl, head); 769 if (!(acl->perm & perm) || 770 !tomoyo_compare_name_union_pattern(filename, &acl->name, 771 may_use_pattern)) 772 continue; 773 error = 0; 774 break; 775 } 776 return error; 777} 778 779/** 780 * tomoyo_file_perm - Check permission for opening files. 781 * 782 * @r: Pointer to "struct tomoyo_request_info". 783 * @filename: Filename to check. 784 * @mode: Mode ("read" or "write" or "read/write" or "execute"). 785 * 786 * Returns 0 on success, negative value otherwise. 787 * 788 * Caller holds tomoyo_read_lock(). 789 */ 790static int tomoyo_file_perm(struct tomoyo_request_info *r, 791 const struct tomoyo_path_info *filename, 792 const u8 mode) 793{ 794 const char *msg = "<unknown>"; 795 int error = 0; 796 u32 perm = 0; 797 798 if (!filename) 799 return 0; 800 801 if (mode == 6) { 802 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE); 803 perm = 1 << TOMOYO_TYPE_READ_WRITE; 804 } else if (mode == 4) { 805 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ); 806 perm = 1 << TOMOYO_TYPE_READ; 807 } else if (mode == 2) { 808 msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE); 809 perm = 1 << TOMOYO_TYPE_WRITE; 810 } else if (mode == 1) { 811 msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE); 812 perm = 1 << TOMOYO_TYPE_EXECUTE; 813 } else 814 BUG(); 815 error = tomoyo_path_acl(r, filename, perm, mode != 1); 816 if (error && mode == 4 && !r->domain->ignore_global_allow_read 817 && tomoyo_is_globally_readable_file(filename)) 818 error = 0; 819 if (!error) 820 return 0; 821 tomoyo_warn_log(r, "%s %s", msg, filename->name); 822 if (r->mode == TOMOYO_CONFIG_ENFORCING) 823 return error; 824 if (tomoyo_domain_quota_is_ok(r)) { 825 /* Don't use patterns for execute permission. */ 826 const struct tomoyo_path_info *patterned_file = (mode != 1) ? 827 tomoyo_get_file_pattern(filename) : filename; 828 tomoyo_update_file_acl(mode, patterned_file->name, r->domain, 829 false); 830 } 831 return 0; 832} 833 834/** 835 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list. 836 * 837 * @type: Type of operation. 838 * @filename: Filename. 839 * @domain: Pointer to "struct tomoyo_domain_info". 840 * @is_delete: True if it is a delete request. 841 * 842 * Returns 0 on success, negative value otherwise. 843 * 844 * Caller holds tomoyo_read_lock(). 845 */ 846static int tomoyo_update_path_acl(const u8 type, const char *filename, 847 struct tomoyo_domain_info *const domain, 848 const bool is_delete) 849{ 850 static const u16 tomoyo_rw_mask = 851 (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE); 852 const u16 perm = 1 << type; 853 struct tomoyo_acl_info *ptr; 854 struct tomoyo_path_acl e = { 855 .head.type = TOMOYO_TYPE_PATH_ACL, 856 .perm = perm 857 }; 858 int error = is_delete ? -ENOENT : -ENOMEM; 859 860 if (type == TOMOYO_TYPE_READ_WRITE) 861 e.perm |= tomoyo_rw_mask; 862 if (!domain) 863 return -EINVAL; 864 if (!tomoyo_parse_name_union(filename, &e.name)) 865 return -EINVAL; 866 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 867 goto out; 868 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 869 struct tomoyo_path_acl *acl = 870 container_of(ptr, struct tomoyo_path_acl, head); 871 if (!tomoyo_is_same_path_acl(acl, &e)) 872 continue; 873 if (is_delete) { 874 acl->perm &= ~perm; 875 if ((acl->perm & tomoyo_rw_mask) != tomoyo_rw_mask) 876 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE); 877 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))) 878 acl->perm &= ~tomoyo_rw_mask; 879 } else { 880 acl->perm |= perm; 881 if ((acl->perm & tomoyo_rw_mask) == tomoyo_rw_mask) 882 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE; 883 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)) 884 acl->perm |= tomoyo_rw_mask; 885 } 886 error = 0; 887 break; 888 } 889 if (!is_delete && error) { 890 struct tomoyo_path_acl *entry = 891 tomoyo_commit_ok(&e, sizeof(e)); 892 if (entry) { 893 list_add_tail_rcu(&entry->head.list, 894 &domain->acl_info_list); 895 error = 0; 896 } 897 } 898 mutex_unlock(&tomoyo_policy_lock); 899 out: 900 tomoyo_put_name_union(&e.name); 901 return error; 902} 903 904/** 905 * tomoyo_update_path_number3_acl - Update "struct tomoyo_path_number3_acl" list. 906 * 907 * @type: Type of operation. 908 * @filename: Filename. 909 * @mode: Create mode. 910 * @major: Device major number. 911 * @minor: Device minor number. 912 * @domain: Pointer to "struct tomoyo_domain_info". 913 * @is_delete: True if it is a delete request. 914 * 915 * Returns 0 on success, negative value otherwise. 916 */ 917static inline int tomoyo_update_path_number3_acl(const u8 type, 918 const char *filename, 919 char *mode, 920 char *major, char *minor, 921 struct tomoyo_domain_info * 922 const domain, 923 const bool is_delete) 924{ 925 const u8 perm = 1 << type; 926 struct tomoyo_acl_info *ptr; 927 struct tomoyo_path_number3_acl e = { 928 .head.type = TOMOYO_TYPE_PATH_NUMBER3_ACL, 929 .perm = perm 930 }; 931 int error = is_delete ? -ENOENT : -ENOMEM; 932 if (!tomoyo_parse_name_union(filename, &e.name) || 933 !tomoyo_parse_number_union(mode, &e.mode) || 934 !tomoyo_parse_number_union(major, &e.major) || 935 !tomoyo_parse_number_union(minor, &e.minor)) 936 goto out; 937 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 938 goto out; 939 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 940 struct tomoyo_path_number3_acl *acl = 941 container_of(ptr, struct tomoyo_path_number3_acl, head); 942 if (!tomoyo_is_same_path_number3_acl(acl, &e)) 943 continue; 944 if (is_delete) 945 acl->perm &= ~perm; 946 else 947 acl->perm |= perm; 948 error = 0; 949 break; 950 } 951 if (!is_delete && error) { 952 struct tomoyo_path_number3_acl *entry = 953 tomoyo_commit_ok(&e, sizeof(e)); 954 if (entry) { 955 list_add_tail_rcu(&entry->head.list, 956 &domain->acl_info_list); 957 error = 0; 958 } 959 } 960 mutex_unlock(&tomoyo_policy_lock); 961 out: 962 tomoyo_put_name_union(&e.name); 963 tomoyo_put_number_union(&e.mode); 964 tomoyo_put_number_union(&e.major); 965 tomoyo_put_number_union(&e.minor); 966 return error; 967} 968 969/** 970 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list. 971 * 972 * @type: Type of operation. 973 * @filename1: First filename. 974 * @filename2: Second filename. 975 * @domain: Pointer to "struct tomoyo_domain_info". 976 * @is_delete: True if it is a delete request. 977 * 978 * Returns 0 on success, negative value otherwise. 979 * 980 * Caller holds tomoyo_read_lock(). 981 */ 982static int tomoyo_update_path2_acl(const u8 type, const char *filename1, 983 const char *filename2, 984 struct tomoyo_domain_info *const domain, 985 const bool is_delete) 986{ 987 const u8 perm = 1 << type; 988 struct tomoyo_path2_acl e = { 989 .head.type = TOMOYO_TYPE_PATH2_ACL, 990 .perm = perm 991 }; 992 struct tomoyo_acl_info *ptr; 993 int error = is_delete ? -ENOENT : -ENOMEM; 994 995 if (!domain) 996 return -EINVAL; 997 if (!tomoyo_parse_name_union(filename1, &e.name1) || 998 !tomoyo_parse_name_union(filename2, &e.name2)) 999 goto out; 1000 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 1001 goto out; 1002 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 1003 struct tomoyo_path2_acl *acl = 1004 container_of(ptr, struct tomoyo_path2_acl, head); 1005 if (!tomoyo_is_same_path2_acl(acl, &e)) 1006 continue; 1007 if (is_delete) 1008 acl->perm &= ~perm; 1009 else 1010 acl->perm |= perm; 1011 error = 0; 1012 break; 1013 } 1014 if (!is_delete && error) { 1015 struct tomoyo_path2_acl *entry = 1016 tomoyo_commit_ok(&e, sizeof(e)); 1017 if (entry) { 1018 list_add_tail_rcu(&entry->head.list, 1019 &domain->acl_info_list); 1020 error = 0; 1021 } 1022 } 1023 mutex_unlock(&tomoyo_policy_lock); 1024 out: 1025 tomoyo_put_name_union(&e.name1); 1026 tomoyo_put_name_union(&e.name2); 1027 return error; 1028} 1029 1030/** 1031 * tomoyo_path_number3_acl - Check permission for path/number/number/number operation. 1032 * 1033 * @r: Pointer to "struct tomoyo_request_info". 1034 * @filename: Filename to check. 1035 * @perm: Permission. 1036 * @mode: Create mode. 1037 * @major: Device major number. 1038 * @minor: Device minor number. 1039 * 1040 * Returns 0 on success, -EPERM otherwise. 1041 * 1042 * Caller holds tomoyo_read_lock(). 1043 */ 1044static int tomoyo_path_number3_acl(struct tomoyo_request_info *r, 1045 const struct tomoyo_path_info *filename, 1046 const u16 perm, const unsigned int mode, 1047 const unsigned int major, 1048 const unsigned int minor) 1049{ 1050 struct tomoyo_domain_info *domain = r->domain; 1051 struct tomoyo_acl_info *ptr; 1052 int error = -EPERM; 1053 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 1054 struct tomoyo_path_number3_acl *acl; 1055 if (ptr->type != TOMOYO_TYPE_PATH_NUMBER3_ACL) 1056 continue; 1057 acl = container_of(ptr, struct tomoyo_path_number3_acl, head); 1058 if (!tomoyo_compare_number_union(mode, &acl->mode)) 1059 continue; 1060 if (!tomoyo_compare_number_union(major, &acl->major)) 1061 continue; 1062 if (!tomoyo_compare_number_union(minor, &acl->minor)) 1063 continue; 1064 if (!(acl->perm & perm)) 1065 continue; 1066 if (!tomoyo_compare_name_union(filename, &acl->name)) 1067 continue; 1068 error = 0; 1069 break; 1070 } 1071 return error; 1072} 1073 1074/** 1075 * tomoyo_path2_acl - Check permission for double path operation. 1076 * 1077 * @r: Pointer to "struct tomoyo_request_info". 1078 * @type: Type of operation. 1079 * @filename1: First filename to check. 1080 * @filename2: Second filename to check. 1081 * 1082 * Returns 0 on success, -EPERM otherwise. 1083 * 1084 * Caller holds tomoyo_read_lock(). 1085 */ 1086static int tomoyo_path2_acl(const struct tomoyo_request_info *r, const u8 type, 1087 const struct tomoyo_path_info *filename1, 1088 const struct tomoyo_path_info *filename2) 1089{ 1090 const struct tomoyo_domain_info *domain = r->domain; 1091 struct tomoyo_acl_info *ptr; 1092 const u8 perm = 1 << type; 1093 int error = -EPERM; 1094 1095 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 1096 struct tomoyo_path2_acl *acl; 1097 if (ptr->type != TOMOYO_TYPE_PATH2_ACL) 1098 continue; 1099 acl = container_of(ptr, struct tomoyo_path2_acl, head); 1100 if (!(acl->perm & perm)) 1101 continue; 1102 if (!tomoyo_compare_name_union(filename1, &acl->name1)) 1103 continue; 1104 if (!tomoyo_compare_name_union(filename2, &acl->name2)) 1105 continue; 1106 error = 0; 1107 break; 1108 } 1109 return error; 1110} 1111 1112/** 1113 * tomoyo_path_permission - Check permission for single path operation. 1114 * 1115 * @r: Pointer to "struct tomoyo_request_info". 1116 * @operation: Type of operation. 1117 * @filename: Filename to check. 1118 * 1119 * Returns 0 on success, negative value otherwise. 1120 * 1121 * Caller holds tomoyo_read_lock(). 1122 */ 1123static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation, 1124 const struct tomoyo_path_info *filename) 1125{ 1126 int error; 1127 1128 next: 1129 error = tomoyo_path_acl(r, filename, 1 << operation, 1); 1130 if (!error) 1131 goto ok; 1132 tomoyo_warn_log(r, "%s %s", tomoyo_path2keyword(operation), 1133 filename->name); 1134 if (tomoyo_domain_quota_is_ok(r)) { 1135 const char *name = tomoyo_get_file_pattern(filename)->name; 1136 tomoyo_update_path_acl(operation, name, r->domain, false); 1137 } 1138 if (r->mode != TOMOYO_CONFIG_ENFORCING) 1139 error = 0; 1140 ok: 1141 /* 1142 * Since "allow_truncate" doesn't imply "allow_rewrite" permission, 1143 * we need to check "allow_rewrite" permission if the filename is 1144 * specified by "deny_rewrite" keyword. 1145 */ 1146 if (!error && operation == TOMOYO_TYPE_TRUNCATE && 1147 tomoyo_is_no_rewrite_file(filename)) { 1148 operation = TOMOYO_TYPE_REWRITE; 1149 goto next; 1150 } 1151 return error; 1152} 1153 1154/** 1155 * tomoyo_path_number_acl - Check permission for ioctl/chmod/chown/chgrp operation. 1156 * 1157 * @r: Pointer to "struct tomoyo_request_info". 1158 * @type: Operation. 1159 * @filename: Filename to check. 1160 * @number: Number. 1161 * 1162 * Returns 0 on success, -EPERM otherwise. 1163 * 1164 * Caller holds tomoyo_read_lock(). 1165 */ 1166static int tomoyo_path_number_acl(struct tomoyo_request_info *r, const u8 type, 1167 const struct tomoyo_path_info *filename, 1168 const unsigned long number) 1169{ 1170 struct tomoyo_domain_info *domain = r->domain; 1171 struct tomoyo_acl_info *ptr; 1172 const u8 perm = 1 << type; 1173 int error = -EPERM; 1174 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 1175 struct tomoyo_path_number_acl *acl; 1176 if (ptr->type != TOMOYO_TYPE_PATH_NUMBER_ACL) 1177 continue; 1178 acl = container_of(ptr, struct tomoyo_path_number_acl, 1179 head); 1180 if (!(acl->perm & perm) || 1181 !tomoyo_compare_number_union(number, &acl->number) || 1182 !tomoyo_compare_name_union(filename, &acl->name)) 1183 continue; 1184 error = 0; 1185 break; 1186 } 1187 return error; 1188} 1189 1190/** 1191 * tomoyo_update_path_number_acl - Update ioctl/chmod/chown/chgrp ACL. 1192 * 1193 * @type: Type of operation. 1194 * @filename: Filename. 1195 * @number: Number. 1196 * @domain: Pointer to "struct tomoyo_domain_info". 1197 * @is_delete: True if it is a delete request. 1198 * 1199 * Returns 0 on success, negative value otherwise. 1200 */ 1201static inline int tomoyo_update_path_number_acl(const u8 type, 1202 const char *filename, 1203 char *number, 1204 struct tomoyo_domain_info * 1205 const domain, 1206 const bool is_delete) 1207{ 1208 const u8 perm = 1 << type; 1209 struct tomoyo_acl_info *ptr; 1210 struct tomoyo_path_number_acl e = { 1211 .head.type = TOMOYO_TYPE_PATH_NUMBER_ACL, 1212 .perm = perm 1213 }; 1214 int error = is_delete ? -ENOENT : -ENOMEM; 1215 if (!domain) 1216 return -EINVAL; 1217 if (!tomoyo_parse_name_union(filename, &e.name)) 1218 return -EINVAL; 1219 if (!tomoyo_parse_number_union(number, &e.number)) 1220 goto out; 1221 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 1222 goto out; 1223 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 1224 struct tomoyo_path_number_acl *acl = 1225 container_of(ptr, struct tomoyo_path_number_acl, head); 1226 if (!tomoyo_is_same_path_number_acl(acl, &e)) 1227 continue; 1228 if (is_delete) 1229 acl->perm &= ~perm; 1230 else 1231 acl->perm |= perm; 1232 error = 0; 1233 break; 1234 } 1235 if (!is_delete && error) { 1236 struct tomoyo_path_number_acl *entry = 1237 tomoyo_commit_ok(&e, sizeof(e)); 1238 if (entry) { 1239 list_add_tail_rcu(&entry->head.list, 1240 &domain->acl_info_list); 1241 error = 0; 1242 } 1243 } 1244 mutex_unlock(&tomoyo_policy_lock); 1245 out: 1246 tomoyo_put_name_union(&e.name); 1247 tomoyo_put_number_union(&e.number); 1248 return error; 1249} 1250 1251/** 1252 * tomoyo_path_number_perm2 - Check permission for "create", "mkdir", "mkfifo", "mksock", "ioctl", "chmod", "chown", "chgrp". 1253 * 1254 * @r: Pointer to "strct tomoyo_request_info". 1255 * @filename: Filename to check. 1256 * @number: Number. 1257 * 1258 * Returns 0 on success, negative value otherwise. 1259 * 1260 * Caller holds tomoyo_read_lock(). 1261 */ 1262static int tomoyo_path_number_perm2(struct tomoyo_request_info *r, 1263 const u8 type, 1264 const struct tomoyo_path_info *filename, 1265 const unsigned long number) 1266{ 1267 char buffer[64]; 1268 int error; 1269 u8 radix; 1270 1271 if (!filename) 1272 return 0; 1273 switch (type) { 1274 case TOMOYO_TYPE_CREATE: 1275 case TOMOYO_TYPE_MKDIR: 1276 case TOMOYO_TYPE_MKFIFO: 1277 case TOMOYO_TYPE_MKSOCK: 1278 case TOMOYO_TYPE_CHMOD: 1279 radix = TOMOYO_VALUE_TYPE_OCTAL; 1280 break; 1281 case TOMOYO_TYPE_IOCTL: 1282 radix = TOMOYO_VALUE_TYPE_HEXADECIMAL; 1283 break; 1284 default: 1285 radix = TOMOYO_VALUE_TYPE_DECIMAL; 1286 break; 1287 } 1288 tomoyo_print_ulong(buffer, sizeof(buffer), number, radix); 1289 error = tomoyo_path_number_acl(r, type, filename, number); 1290 if (!error) 1291 return 0; 1292 tomoyo_warn_log(r, "%s %s %s", tomoyo_path_number2keyword(type), 1293 filename->name, buffer); 1294 if (tomoyo_domain_quota_is_ok(r)) 1295 tomoyo_update_path_number_acl(type, 1296 tomoyo_get_file_pattern(filename) 1297 ->name, buffer, r->domain, false); 1298 if (r->mode != TOMOYO_CONFIG_ENFORCING) 1299 error = 0; 1300 return error; 1301} 1302 1303/** 1304 * tomoyo_path_number_perm - Check permission for "create", "mkdir", "mkfifo", "mksock", "ioctl", "chmod", "chown", "chgrp". 1305 * 1306 * @type: Type of operation. 1307 * @path: Pointer to "struct path". 1308 * @number: Number. 1309 * 1310 * Returns 0 on success, negative value otherwise. 1311 */ 1312int tomoyo_path_number_perm(const u8 type, struct path *path, 1313 unsigned long number) 1314{ 1315 struct tomoyo_request_info r; 1316 int error = -ENOMEM; 1317 struct tomoyo_path_info *buf; 1318 int idx; 1319 1320 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED || 1321 !path->mnt || !path->dentry) 1322 return 0; 1323 idx = tomoyo_read_lock(); 1324 buf = tomoyo_get_path(path); 1325 if (!buf) 1326 goto out; 1327 if (type == TOMOYO_TYPE_MKDIR && !buf->is_dir) { 1328 /* 1329 * tomoyo_get_path() reserves space for appending "/." 1330 */ 1331 strcat((char *) buf->name, "/"); 1332 tomoyo_fill_path_info(buf); 1333 } 1334 error = tomoyo_path_number_perm2(&r, type, buf, number); 1335 out: 1336 kfree(buf); 1337 tomoyo_read_unlock(idx); 1338 if (r.mode != TOMOYO_CONFIG_ENFORCING) 1339 error = 0; 1340 return error; 1341} 1342 1343/** 1344 * tomoyo_check_exec_perm - Check permission for "execute". 1345 * 1346 * @domain: Pointer to "struct tomoyo_domain_info". 1347 * @filename: Check permission for "execute". 1348 * 1349 * Returns 0 on success, negativevalue otherwise. 1350 * 1351 * Caller holds tomoyo_read_lock(). 1352 */ 1353int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, 1354 const struct tomoyo_path_info *filename) 1355{ 1356 struct tomoyo_request_info r; 1357 1358 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED) 1359 return 0; 1360 return tomoyo_file_perm(&r, filename, 1); 1361} 1362 1363/** 1364 * tomoyo_check_open_permission - Check permission for "read" and "write". 1365 * 1366 * @domain: Pointer to "struct tomoyo_domain_info". 1367 * @path: Pointer to "struct path". 1368 * @flag: Flags for open(). 1369 * 1370 * Returns 0 on success, negative value otherwise. 1371 */ 1372int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 1373 struct path *path, const int flag) 1374{ 1375 const u8 acc_mode = ACC_MODE(flag); 1376 int error = -ENOMEM; 1377 struct tomoyo_path_info *buf; 1378 struct tomoyo_request_info r; 1379 int idx; 1380 1381 if (tomoyo_init_request_info(&r, domain) == TOMOYO_CONFIG_DISABLED || 1382 !path->mnt) 1383 return 0; 1384 if (acc_mode == 0) 1385 return 0; 1386 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode)) 1387 /* 1388 * I don't check directories here because mkdir() and rmdir() 1389 * don't call me. 1390 */ 1391 return 0; 1392 idx = tomoyo_read_lock(); 1393 buf = tomoyo_get_path(path); 1394 if (!buf) 1395 goto out; 1396 error = 0; 1397 /* 1398 * If the filename is specified by "deny_rewrite" keyword, 1399 * we need to check "allow_rewrite" permission when the filename is not 1400 * opened for append mode or the filename is truncated at open time. 1401 */ 1402 if ((acc_mode & MAY_WRITE) && 1403 ((flag & O_TRUNC) || !(flag & O_APPEND)) && 1404 (tomoyo_is_no_rewrite_file(buf))) { 1405 error = tomoyo_path_permission(&r, TOMOYO_TYPE_REWRITE, buf); 1406 } 1407 if (!error) 1408 error = tomoyo_file_perm(&r, buf, acc_mode); 1409 if (!error && (flag & O_TRUNC)) 1410 error = tomoyo_path_permission(&r, TOMOYO_TYPE_TRUNCATE, buf); 1411 out: 1412 kfree(buf); 1413 tomoyo_read_unlock(idx); 1414 if (r.mode != TOMOYO_CONFIG_ENFORCING) 1415 error = 0; 1416 return error; 1417} 1418 1419/** 1420 * tomoyo_path_perm - Check permission for "unlink", "rmdir", "truncate", "symlink", "rewrite", "chroot" and "unmount". 1421 * 1422 * @operation: Type of operation. 1423 * @path: Pointer to "struct path". 1424 * 1425 * Returns 0 on success, negative value otherwise. 1426 */ 1427int tomoyo_path_perm(const u8 operation, struct path *path) 1428{ 1429 int error = -ENOMEM; 1430 struct tomoyo_path_info *buf; 1431 struct tomoyo_request_info r; 1432 int idx; 1433 1434 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED || 1435 !path->mnt) 1436 return 0; 1437 idx = tomoyo_read_lock(); 1438 buf = tomoyo_get_path(path); 1439 if (!buf) 1440 goto out; 1441 switch (operation) { 1442 case TOMOYO_TYPE_REWRITE: 1443 if (!tomoyo_is_no_rewrite_file(buf)) { 1444 error = 0; 1445 goto out; 1446 } 1447 break; 1448 case TOMOYO_TYPE_RMDIR: 1449 case TOMOYO_TYPE_CHROOT: 1450 if (!buf->is_dir) { 1451 /* 1452 * tomoyo_get_path() reserves space for appending "/." 1453 */ 1454 strcat((char *) buf->name, "/"); 1455 tomoyo_fill_path_info(buf); 1456 } 1457 } 1458 error = tomoyo_path_permission(&r, operation, buf); 1459 out: 1460 kfree(buf); 1461 tomoyo_read_unlock(idx); 1462 if (r.mode != TOMOYO_CONFIG_ENFORCING) 1463 error = 0; 1464 return error; 1465} 1466 1467/** 1468 * tomoyo_path_number3_perm2 - Check permission for path/number/number/number operation. 1469 * 1470 * @r: Pointer to "struct tomoyo_request_info". 1471 * @operation: Type of operation. 1472 * @filename: Filename to check. 1473 * @mode: Create mode. 1474 * @dev: Device number. 1475 * 1476 * Returns 0 on success, negative value otherwise. 1477 * 1478 * Caller holds tomoyo_read_lock(). 1479 */ 1480static int tomoyo_path_number3_perm2(struct tomoyo_request_info *r, 1481 const u8 operation, 1482 const struct tomoyo_path_info *filename, 1483 const unsigned int mode, 1484 const unsigned int dev) 1485{ 1486 int error; 1487 const unsigned int major = MAJOR(dev); 1488 const unsigned int minor = MINOR(dev); 1489 1490 error = tomoyo_path_number3_acl(r, filename, 1 << operation, mode, 1491 major, minor); 1492 if (!error) 1493 return 0; 1494 tomoyo_warn_log(r, "%s %s 0%o %u %u", 1495 tomoyo_path_number32keyword(operation), 1496 filename->name, mode, major, minor); 1497 if (tomoyo_domain_quota_is_ok(r)) { 1498 char mode_buf[64]; 1499 char major_buf[64]; 1500 char minor_buf[64]; 1501 memset(mode_buf, 0, sizeof(mode_buf)); 1502 memset(major_buf, 0, sizeof(major_buf)); 1503 memset(minor_buf, 0, sizeof(minor_buf)); 1504 snprintf(mode_buf, sizeof(mode_buf) - 1, "0%o", mode); 1505 snprintf(major_buf, sizeof(major_buf) - 1, "%u", major); 1506 snprintf(minor_buf, sizeof(minor_buf) - 1, "%u", minor); 1507 tomoyo_update_path_number3_acl(operation, 1508 tomoyo_get_file_pattern(filename) 1509 ->name, mode_buf, major_buf, 1510 minor_buf, r->domain, false); 1511 } 1512 if (r->mode != TOMOYO_CONFIG_ENFORCING) 1513 error = 0; 1514 return error; 1515} 1516 1517/** 1518 * tomoyo_path_number3_perm - Check permission for "mkblock" and "mkchar". 1519 * 1520 * @operation: Type of operation. (TOMOYO_TYPE_MKCHAR or TOMOYO_TYPE_MKBLOCK) 1521 * @path: Pointer to "struct path". 1522 * @mode: Create mode. 1523 * @dev: Device number. 1524 * 1525 * Returns 0 on success, negative value otherwise. 1526 */ 1527int tomoyo_path_number3_perm(const u8 operation, struct path *path, 1528 const unsigned int mode, unsigned int dev) 1529{ 1530 struct tomoyo_request_info r; 1531 int error = -ENOMEM; 1532 struct tomoyo_path_info *buf; 1533 int idx; 1534 1535 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED || 1536 !path->mnt) 1537 return 0; 1538 idx = tomoyo_read_lock(); 1539 error = -ENOMEM; 1540 buf = tomoyo_get_path(path); 1541 if (buf) { 1542 error = tomoyo_path_number3_perm2(&r, operation, buf, mode, 1543 new_decode_dev(dev)); 1544 kfree(buf); 1545 } 1546 tomoyo_read_unlock(idx); 1547 if (r.mode != TOMOYO_CONFIG_ENFORCING) 1548 error = 0; 1549 return error; 1550} 1551 1552/** 1553 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root". 1554 * 1555 * @operation: Type of operation. 1556 * @path1: Pointer to "struct path". 1557 * @path2: Pointer to "struct path". 1558 * 1559 * Returns 0 on success, negative value otherwise. 1560 */ 1561int tomoyo_path2_perm(const u8 operation, struct path *path1, 1562 struct path *path2) 1563{ 1564 int error = -ENOMEM; 1565 struct tomoyo_path_info *buf1; 1566 struct tomoyo_path_info *buf2; 1567 struct tomoyo_request_info r; 1568 int idx; 1569 1570 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED || 1571 !path1->mnt || !path2->mnt) 1572 return 0; 1573 idx = tomoyo_read_lock(); 1574 buf1 = tomoyo_get_path(path1); 1575 buf2 = tomoyo_get_path(path2); 1576 if (!buf1 || !buf2) 1577 goto out; 1578 { 1579 struct dentry *dentry = path1->dentry; 1580 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) { 1581 /* 1582 * tomoyo_get_path() reserves space for appending "/." 1583 */ 1584 if (!buf1->is_dir) { 1585 strcat((char *) buf1->name, "/"); 1586 tomoyo_fill_path_info(buf1); 1587 } 1588 if (!buf2->is_dir) { 1589 strcat((char *) buf2->name, "/"); 1590 tomoyo_fill_path_info(buf2); 1591 } 1592 } 1593 } 1594 error = tomoyo_path2_acl(&r, operation, buf1, buf2); 1595 if (!error) 1596 goto out; 1597 tomoyo_warn_log(&r, "%s %s %s", tomoyo_path22keyword(operation), 1598 buf1->name, buf2->name); 1599 if (tomoyo_domain_quota_is_ok(&r)) { 1600 const char *name1 = tomoyo_get_file_pattern(buf1)->name; 1601 const char *name2 = tomoyo_get_file_pattern(buf2)->name; 1602 tomoyo_update_path2_acl(operation, name1, name2, r.domain, 1603 false); 1604 } 1605 out: 1606 kfree(buf1); 1607 kfree(buf2); 1608 tomoyo_read_unlock(idx); 1609 if (r.mode != TOMOYO_CONFIG_ENFORCING) 1610 error = 0; 1611 return error; 1612} 1613 1614/** 1615 * tomoyo_write_file_policy - Update file related list. 1616 * 1617 * @data: String to parse. 1618 * @domain: Pointer to "struct tomoyo_domain_info". 1619 * @is_delete: True if it is a delete request. 1620 * 1621 * Returns 0 on success, negative value otherwise. 1622 * 1623 * Caller holds tomoyo_read_lock(). 1624 */ 1625int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, 1626 const bool is_delete) 1627{ 1628 char *w[5]; 1629 u8 type; 1630 if (!tomoyo_tokenize(data, w, sizeof(w)) || !w[1][0]) 1631 return -EINVAL; 1632 if (strncmp(w[0], "allow_", 6)) { 1633 unsigned int perm; 1634 if (sscanf(w[0], "%u", &perm) == 1) 1635 return tomoyo_update_file_acl((u8) perm, w[1], domain, 1636 is_delete); 1637 goto out; 1638 } 1639 w[0] += 6; 1640 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) { 1641 if (strcmp(w[0], tomoyo_path_keyword[type])) 1642 continue; 1643 return tomoyo_update_path_acl(type, w[1], domain, is_delete); 1644 } 1645 if (!w[2][0]) 1646 goto out; 1647 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) { 1648 if (strcmp(w[0], tomoyo_path2_keyword[type])) 1649 continue; 1650 return tomoyo_update_path2_acl(type, w[1], w[2], domain, 1651 is_delete); 1652 } 1653 for (type = 0; type < TOMOYO_MAX_PATH_NUMBER_OPERATION; type++) { 1654 if (strcmp(w[0], tomoyo_path_number_keyword[type])) 1655 continue; 1656 return tomoyo_update_path_number_acl(type, w[1], w[2], domain, 1657 is_delete); 1658 } 1659 if (!w[3][0] || !w[4][0]) 1660 goto out; 1661 for (type = 0; type < TOMOYO_MAX_PATH_NUMBER3_OPERATION; type++) { 1662 if (strcmp(w[0], tomoyo_path_number3_keyword[type])) 1663 continue; 1664 return tomoyo_update_path_number3_acl(type, w[1], w[2], w[3], 1665 w[4], domain, is_delete); 1666 } 1667 out: 1668 return -EINVAL; 1669} 1670