file.c revision 937bf6133b21b16965f75223085f4314ae32b8eb
1/* 2 * security/tomoyo/file.c 3 * 4 * Implementation of the Domain-Based Mandatory Access Control. 5 * 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 7 * 8 * Version: 2.2.0 2009/04/01 9 * 10 */ 11 12#include "common.h" 13#include "tomoyo.h" 14#include "realpath.h" 15#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE]) 16 17/* 18 * tomoyo_globally_readable_file_entry is a structure which is used for holding 19 * "allow_read" entries. 20 * It has following fields. 21 * 22 * (1) "list" which is linked to tomoyo_globally_readable_list . 23 * (2) "filename" is a pathname which is allowed to open(O_RDONLY). 24 * (3) "is_deleted" is a bool which is true if marked as deleted, false 25 * otherwise. 26 */ 27struct tomoyo_globally_readable_file_entry { 28 struct list_head list; 29 const struct tomoyo_path_info *filename; 30 bool is_deleted; 31}; 32 33/* 34 * tomoyo_pattern_entry is a structure which is used for holding 35 * "tomoyo_pattern_list" entries. 36 * It has following fields. 37 * 38 * (1) "list" which is linked to tomoyo_pattern_list . 39 * (2) "pattern" is a pathname pattern which is used for converting pathnames 40 * to pathname patterns during learning mode. 41 * (3) "is_deleted" is a bool which is true if marked as deleted, false 42 * otherwise. 43 */ 44struct tomoyo_pattern_entry { 45 struct list_head list; 46 const struct tomoyo_path_info *pattern; 47 bool is_deleted; 48}; 49 50/* 51 * tomoyo_no_rewrite_entry is a structure which is used for holding 52 * "deny_rewrite" entries. 53 * It has following fields. 54 * 55 * (1) "list" which is linked to tomoyo_no_rewrite_list . 56 * (2) "pattern" is a pathname which is by default not permitted to modify 57 * already existing content. 58 * (3) "is_deleted" is a bool which is true if marked as deleted, false 59 * otherwise. 60 */ 61struct tomoyo_no_rewrite_entry { 62 struct list_head list; 63 const struct tomoyo_path_info *pattern; 64 bool is_deleted; 65}; 66 67/* Keyword array for single path operations. */ 68static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = { 69 [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write", 70 [TOMOYO_TYPE_EXECUTE_ACL] = "execute", 71 [TOMOYO_TYPE_READ_ACL] = "read", 72 [TOMOYO_TYPE_WRITE_ACL] = "write", 73 [TOMOYO_TYPE_CREATE_ACL] = "create", 74 [TOMOYO_TYPE_UNLINK_ACL] = "unlink", 75 [TOMOYO_TYPE_MKDIR_ACL] = "mkdir", 76 [TOMOYO_TYPE_RMDIR_ACL] = "rmdir", 77 [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo", 78 [TOMOYO_TYPE_MKSOCK_ACL] = "mksock", 79 [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock", 80 [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar", 81 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate", 82 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink", 83 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite", 84 [TOMOYO_TYPE_IOCTL_ACL] = "ioctl", 85 [TOMOYO_TYPE_CHMOD_ACL] = "chmod", 86 [TOMOYO_TYPE_CHOWN_ACL] = "chown", 87 [TOMOYO_TYPE_CHGRP_ACL] = "chgrp", 88 [TOMOYO_TYPE_CHROOT_ACL] = "chroot", 89 [TOMOYO_TYPE_MOUNT_ACL] = "mount", 90 [TOMOYO_TYPE_UMOUNT_ACL] = "unmount", 91}; 92 93/* Keyword array for double path operations. */ 94static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = { 95 [TOMOYO_TYPE_LINK_ACL] = "link", 96 [TOMOYO_TYPE_RENAME_ACL] = "rename", 97 [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root", 98}; 99 100/** 101 * tomoyo_sp2keyword - Get the name of single path operation. 102 * 103 * @operation: Type of operation. 104 * 105 * Returns the name of single path operation. 106 */ 107const char *tomoyo_sp2keyword(const u8 operation) 108{ 109 return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION) 110 ? tomoyo_sp_keyword[operation] : NULL; 111} 112 113/** 114 * tomoyo_dp2keyword - Get the name of double path operation. 115 * 116 * @operation: Type of operation. 117 * 118 * Returns the name of double path operation. 119 */ 120const char *tomoyo_dp2keyword(const u8 operation) 121{ 122 return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION) 123 ? tomoyo_dp_keyword[operation] : NULL; 124} 125 126/** 127 * tomoyo_strendswith - Check whether the token ends with the given token. 128 * 129 * @name: The token to check. 130 * @tail: The token to find. 131 * 132 * Returns true if @name ends with @tail, false otherwise. 133 */ 134static bool tomoyo_strendswith(const char *name, const char *tail) 135{ 136 int len; 137 138 if (!name || !tail) 139 return false; 140 len = strlen(name) - strlen(tail); 141 return len >= 0 && !strcmp(name + len, tail); 142} 143 144/** 145 * tomoyo_get_path - Get realpath. 146 * 147 * @path: Pointer to "struct path". 148 * 149 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise. 150 */ 151static struct tomoyo_path_info *tomoyo_get_path(struct path *path) 152{ 153 int error; 154 struct tomoyo_path_info_with_data *buf = tomoyo_alloc(sizeof(*buf)); 155 156 if (!buf) 157 return NULL; 158 /* Reserve one byte for appending "/". */ 159 error = tomoyo_realpath_from_path2(path, buf->body, 160 sizeof(buf->body) - 2); 161 if (!error) { 162 buf->head.name = buf->body; 163 tomoyo_fill_path_info(&buf->head); 164 return &buf->head; 165 } 166 tomoyo_free(buf); 167 return NULL; 168} 169 170/* Lock for domain->acl_info_list. */ 171DECLARE_RWSEM(tomoyo_domain_acl_info_list_lock); 172 173static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, 174 const char *filename2, 175 struct tomoyo_domain_info * 176 const domain, const bool is_delete); 177static int tomoyo_update_single_path_acl(const u8 type, const char *filename, 178 struct tomoyo_domain_info * 179 const domain, const bool is_delete); 180 181/* 182 * tomoyo_globally_readable_list is used for holding list of pathnames which 183 * are by default allowed to be open()ed for reading by any process. 184 * 185 * An entry is added by 186 * 187 * # echo 'allow_read /lib/libc-2.5.so' > \ 188 * /sys/kernel/security/tomoyo/exception_policy 189 * 190 * and is deleted by 191 * 192 * # echo 'delete allow_read /lib/libc-2.5.so' > \ 193 * /sys/kernel/security/tomoyo/exception_policy 194 * 195 * and all entries are retrieved by 196 * 197 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy 198 * 199 * In the example above, any process is allowed to 200 * open("/lib/libc-2.5.so", O_RDONLY). 201 * One exception is, if the domain which current process belongs to is marked 202 * as "ignore_global_allow_read", current process can't do so unless explicitly 203 * given "allow_read /lib/libc-2.5.so" to the domain which current process 204 * belongs to. 205 */ 206static LIST_HEAD(tomoyo_globally_readable_list); 207static DECLARE_RWSEM(tomoyo_globally_readable_list_lock); 208 209/** 210 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list. 211 * 212 * @filename: Filename unconditionally permitted to open() for reading. 213 * @is_delete: True if it is a delete request. 214 * 215 * Returns 0 on success, negative value otherwise. 216 */ 217static int tomoyo_update_globally_readable_entry(const char *filename, 218 const bool is_delete) 219{ 220 struct tomoyo_globally_readable_file_entry *new_entry; 221 struct tomoyo_globally_readable_file_entry *ptr; 222 const struct tomoyo_path_info *saved_filename; 223 int error = -ENOMEM; 224 225 if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__)) 226 return -EINVAL; 227 saved_filename = tomoyo_save_name(filename); 228 if (!saved_filename) 229 return -ENOMEM; 230 down_write(&tomoyo_globally_readable_list_lock); 231 list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) { 232 if (ptr->filename != saved_filename) 233 continue; 234 ptr->is_deleted = is_delete; 235 error = 0; 236 goto out; 237 } 238 if (is_delete) { 239 error = -ENOENT; 240 goto out; 241 } 242 new_entry = tomoyo_alloc_element(sizeof(*new_entry)); 243 if (!new_entry) 244 goto out; 245 new_entry->filename = saved_filename; 246 list_add_tail(&new_entry->list, &tomoyo_globally_readable_list); 247 error = 0; 248 out: 249 up_write(&tomoyo_globally_readable_list_lock); 250 return error; 251} 252 253/** 254 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading. 255 * 256 * @filename: The filename to check. 257 * 258 * Returns true if any domain can open @filename for reading, false otherwise. 259 */ 260static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info * 261 filename) 262{ 263 struct tomoyo_globally_readable_file_entry *ptr; 264 bool found = false; 265 down_read(&tomoyo_globally_readable_list_lock); 266 list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) { 267 if (!ptr->is_deleted && 268 tomoyo_path_matches_pattern(filename, ptr->filename)) { 269 found = true; 270 break; 271 } 272 } 273 up_read(&tomoyo_globally_readable_list_lock); 274 return found; 275} 276 277/** 278 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list. 279 * 280 * @data: String to parse. 281 * @is_delete: True if it is a delete request. 282 * 283 * Returns 0 on success, negative value otherwise. 284 */ 285int tomoyo_write_globally_readable_policy(char *data, const bool is_delete) 286{ 287 return tomoyo_update_globally_readable_entry(data, is_delete); 288} 289 290/** 291 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list. 292 * 293 * @head: Pointer to "struct tomoyo_io_buffer". 294 * 295 * Returns true on success, false otherwise. 296 */ 297bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) 298{ 299 struct list_head *pos; 300 bool done = true; 301 302 down_read(&tomoyo_globally_readable_list_lock); 303 list_for_each_cookie(pos, head->read_var2, 304 &tomoyo_globally_readable_list) { 305 struct tomoyo_globally_readable_file_entry *ptr; 306 ptr = list_entry(pos, 307 struct tomoyo_globally_readable_file_entry, 308 list); 309 if (ptr->is_deleted) 310 continue; 311 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n", 312 ptr->filename->name); 313 if (!done) 314 break; 315 } 316 up_read(&tomoyo_globally_readable_list_lock); 317 return done; 318} 319 320/* tomoyo_pattern_list is used for holding list of pathnames which are used for 321 * converting pathnames to pathname patterns during learning mode. 322 * 323 * An entry is added by 324 * 325 * # echo 'file_pattern /proc/\$/mounts' > \ 326 * /sys/kernel/security/tomoyo/exception_policy 327 * 328 * and is deleted by 329 * 330 * # echo 'delete file_pattern /proc/\$/mounts' > \ 331 * /sys/kernel/security/tomoyo/exception_policy 332 * 333 * and all entries are retrieved by 334 * 335 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy 336 * 337 * In the example above, if a process which belongs to a domain which is in 338 * learning mode requested open("/proc/1/mounts", O_RDONLY), 339 * "allow_read /proc/\$/mounts" is automatically added to the domain which that 340 * process belongs to. 341 * 342 * It is not a desirable behavior that we have to use /proc/\$/ instead of 343 * /proc/self/ when current process needs to access only current process's 344 * information. As of now, LSM version of TOMOYO is using __d_path() for 345 * calculating pathname. Non LSM version of TOMOYO is using its own function 346 * which pretends as if /proc/self/ is not a symlink; so that we can forbid 347 * current process from accessing other process's information. 348 */ 349static LIST_HEAD(tomoyo_pattern_list); 350static DECLARE_RWSEM(tomoyo_pattern_list_lock); 351 352/** 353 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list. 354 * 355 * @pattern: Pathname pattern. 356 * @is_delete: True if it is a delete request. 357 * 358 * Returns 0 on success, negative value otherwise. 359 */ 360static int tomoyo_update_file_pattern_entry(const char *pattern, 361 const bool is_delete) 362{ 363 struct tomoyo_pattern_entry *new_entry; 364 struct tomoyo_pattern_entry *ptr; 365 const struct tomoyo_path_info *saved_pattern; 366 int error = -ENOMEM; 367 368 if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__)) 369 return -EINVAL; 370 saved_pattern = tomoyo_save_name(pattern); 371 if (!saved_pattern) 372 return -ENOMEM; 373 down_write(&tomoyo_pattern_list_lock); 374 list_for_each_entry(ptr, &tomoyo_pattern_list, list) { 375 if (saved_pattern != ptr->pattern) 376 continue; 377 ptr->is_deleted = is_delete; 378 error = 0; 379 goto out; 380 } 381 if (is_delete) { 382 error = -ENOENT; 383 goto out; 384 } 385 new_entry = tomoyo_alloc_element(sizeof(*new_entry)); 386 if (!new_entry) 387 goto out; 388 new_entry->pattern = saved_pattern; 389 list_add_tail(&new_entry->list, &tomoyo_pattern_list); 390 error = 0; 391 out: 392 up_write(&tomoyo_pattern_list_lock); 393 return error; 394} 395 396/** 397 * tomoyo_get_file_pattern - Get patterned pathname. 398 * 399 * @filename: The filename to find patterned pathname. 400 * 401 * Returns pointer to pathname pattern if matched, @filename otherwise. 402 */ 403static const struct tomoyo_path_info * 404tomoyo_get_file_pattern(const struct tomoyo_path_info *filename) 405{ 406 struct tomoyo_pattern_entry *ptr; 407 const struct tomoyo_path_info *pattern = NULL; 408 409 down_read(&tomoyo_pattern_list_lock); 410 list_for_each_entry(ptr, &tomoyo_pattern_list, list) { 411 if (ptr->is_deleted) 412 continue; 413 if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) 414 continue; 415 pattern = ptr->pattern; 416 if (tomoyo_strendswith(pattern->name, "/\\*")) { 417 /* Do nothing. Try to find the better match. */ 418 } else { 419 /* This would be the better match. Use this. */ 420 break; 421 } 422 } 423 up_read(&tomoyo_pattern_list_lock); 424 if (pattern) 425 filename = pattern; 426 return filename; 427} 428 429/** 430 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list. 431 * 432 * @data: String to parse. 433 * @is_delete: True if it is a delete request. 434 * 435 * Returns 0 on success, negative value otherwise. 436 */ 437int tomoyo_write_pattern_policy(char *data, const bool is_delete) 438{ 439 return tomoyo_update_file_pattern_entry(data, is_delete); 440} 441 442/** 443 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list. 444 * 445 * @head: Pointer to "struct tomoyo_io_buffer". 446 * 447 * Returns true on success, false otherwise. 448 */ 449bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) 450{ 451 struct list_head *pos; 452 bool done = true; 453 454 down_read(&tomoyo_pattern_list_lock); 455 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) { 456 struct tomoyo_pattern_entry *ptr; 457 ptr = list_entry(pos, struct tomoyo_pattern_entry, list); 458 if (ptr->is_deleted) 459 continue; 460 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN 461 "%s\n", ptr->pattern->name); 462 if (!done) 463 break; 464 } 465 up_read(&tomoyo_pattern_list_lock); 466 return done; 467} 468 469/* 470 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by 471 * default forbidden to modify already written content of a file. 472 * 473 * An entry is added by 474 * 475 * # echo 'deny_rewrite /var/log/messages' > \ 476 * /sys/kernel/security/tomoyo/exception_policy 477 * 478 * and is deleted by 479 * 480 * # echo 'delete deny_rewrite /var/log/messages' > \ 481 * /sys/kernel/security/tomoyo/exception_policy 482 * 483 * and all entries are retrieved by 484 * 485 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy 486 * 487 * In the example above, if a process requested to rewrite /var/log/messages , 488 * the process can't rewrite unless the domain which that process belongs to 489 * has "allow_rewrite /var/log/messages" entry. 490 * 491 * It is not a desirable behavior that we have to add "\040(deleted)" suffix 492 * when we want to allow rewriting already unlink()ed file. As of now, 493 * LSM version of TOMOYO is using __d_path() for calculating pathname. 494 * Non LSM version of TOMOYO is using its own function which doesn't append 495 * " (deleted)" suffix if the file is already unlink()ed; so that we don't 496 * need to worry whether the file is already unlink()ed or not. 497 */ 498static LIST_HEAD(tomoyo_no_rewrite_list); 499static DECLARE_RWSEM(tomoyo_no_rewrite_list_lock); 500 501/** 502 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list. 503 * 504 * @pattern: Pathname pattern that are not rewritable by default. 505 * @is_delete: True if it is a delete request. 506 * 507 * Returns 0 on success, negative value otherwise. 508 */ 509static int tomoyo_update_no_rewrite_entry(const char *pattern, 510 const bool is_delete) 511{ 512 struct tomoyo_no_rewrite_entry *new_entry, *ptr; 513 const struct tomoyo_path_info *saved_pattern; 514 int error = -ENOMEM; 515 516 if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__)) 517 return -EINVAL; 518 saved_pattern = tomoyo_save_name(pattern); 519 if (!saved_pattern) 520 return -ENOMEM; 521 down_write(&tomoyo_no_rewrite_list_lock); 522 list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) { 523 if (ptr->pattern != saved_pattern) 524 continue; 525 ptr->is_deleted = is_delete; 526 error = 0; 527 goto out; 528 } 529 if (is_delete) { 530 error = -ENOENT; 531 goto out; 532 } 533 new_entry = tomoyo_alloc_element(sizeof(*new_entry)); 534 if (!new_entry) 535 goto out; 536 new_entry->pattern = saved_pattern; 537 list_add_tail(&new_entry->list, &tomoyo_no_rewrite_list); 538 error = 0; 539 out: 540 up_write(&tomoyo_no_rewrite_list_lock); 541 return error; 542} 543 544/** 545 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited. 546 * 547 * @filename: Filename to check. 548 * 549 * Returns true if @filename is specified by "deny_rewrite" directive, 550 * false otherwise. 551 */ 552static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename) 553{ 554 struct tomoyo_no_rewrite_entry *ptr; 555 bool found = false; 556 557 down_read(&tomoyo_no_rewrite_list_lock); 558 list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) { 559 if (ptr->is_deleted) 560 continue; 561 if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) 562 continue; 563 found = true; 564 break; 565 } 566 up_read(&tomoyo_no_rewrite_list_lock); 567 return found; 568} 569 570/** 571 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list. 572 * 573 * @data: String to parse. 574 * @is_delete: True if it is a delete request. 575 * 576 * Returns 0 on success, negative value otherwise. 577 */ 578int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete) 579{ 580 return tomoyo_update_no_rewrite_entry(data, is_delete); 581} 582 583/** 584 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list. 585 * 586 * @head: Pointer to "struct tomoyo_io_buffer". 587 * 588 * Returns true on success, false otherwise. 589 */ 590bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head) 591{ 592 struct list_head *pos; 593 bool done = true; 594 595 down_read(&tomoyo_no_rewrite_list_lock); 596 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) { 597 struct tomoyo_no_rewrite_entry *ptr; 598 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list); 599 if (ptr->is_deleted) 600 continue; 601 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE 602 "%s\n", ptr->pattern->name); 603 if (!done) 604 break; 605 } 606 up_read(&tomoyo_no_rewrite_list_lock); 607 return done; 608} 609 610/** 611 * tomoyo_update_file_acl - Update file's read/write/execute ACL. 612 * 613 * @filename: Filename. 614 * @perm: Permission (between 1 to 7). 615 * @domain: Pointer to "struct tomoyo_domain_info". 616 * @is_delete: True if it is a delete request. 617 * 618 * Returns 0 on success, negative value otherwise. 619 * 620 * This is legacy support interface for older policy syntax. 621 * Current policy syntax uses "allow_read/write" instead of "6", 622 * "allow_read" instead of "4", "allow_write" instead of "2", 623 * "allow_execute" instead of "1". 624 */ 625static int tomoyo_update_file_acl(const char *filename, u8 perm, 626 struct tomoyo_domain_info * const domain, 627 const bool is_delete) 628{ 629 if (perm > 7 || !perm) { 630 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n", 631 __func__, perm, filename); 632 return -EINVAL; 633 } 634 if (filename[0] != '@' && tomoyo_strendswith(filename, "/")) 635 /* 636 * Only 'allow_mkdir' and 'allow_rmdir' are valid for 637 * directory permissions. 638 */ 639 return 0; 640 if (perm & 4) 641 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename, 642 domain, is_delete); 643 if (perm & 2) 644 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename, 645 domain, is_delete); 646 if (perm & 1) 647 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL, 648 filename, domain, is_delete); 649 return 0; 650} 651 652/** 653 * tomoyo_check_single_path_acl2 - Check permission for single path operation. 654 * 655 * @domain: Pointer to "struct tomoyo_domain_info". 656 * @filename: Filename to check. 657 * @perm: Permission. 658 * @may_use_pattern: True if patterned ACL is permitted. 659 * 660 * Returns 0 on success, -EPERM otherwise. 661 */ 662static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info * 663 domain, 664 const struct tomoyo_path_info * 665 filename, 666 const u32 perm, 667 const bool may_use_pattern) 668{ 669 struct tomoyo_acl_info *ptr; 670 int error = -EPERM; 671 672 down_read(&tomoyo_domain_acl_info_list_lock); 673 list_for_each_entry(ptr, &domain->acl_info_list, list) { 674 struct tomoyo_single_path_acl_record *acl; 675 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) 676 continue; 677 acl = container_of(ptr, struct tomoyo_single_path_acl_record, 678 head); 679 if (perm <= 0xFFFF) { 680 if (!(acl->perm & perm)) 681 continue; 682 } else { 683 if (!(acl->perm_high & (perm >> 16))) 684 continue; 685 } 686 if (may_use_pattern || !acl->filename->is_patterned) { 687 if (!tomoyo_path_matches_pattern(filename, 688 acl->filename)) 689 continue; 690 } else { 691 continue; 692 } 693 error = 0; 694 break; 695 } 696 up_read(&tomoyo_domain_acl_info_list_lock); 697 return error; 698} 699 700/** 701 * tomoyo_check_file_acl - Check permission for opening files. 702 * 703 * @domain: Pointer to "struct tomoyo_domain_info". 704 * @filename: Filename to check. 705 * @operation: Mode ("read" or "write" or "read/write" or "execute"). 706 * 707 * Returns 0 on success, -EPERM otherwise. 708 */ 709static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain, 710 const struct tomoyo_path_info *filename, 711 const u8 operation) 712{ 713 u32 perm = 0; 714 715 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 716 return 0; 717 if (operation == 6) 718 perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL; 719 else if (operation == 4) 720 perm = 1 << TOMOYO_TYPE_READ_ACL; 721 else if (operation == 2) 722 perm = 1 << TOMOYO_TYPE_WRITE_ACL; 723 else if (operation == 1) 724 perm = 1 << TOMOYO_TYPE_EXECUTE_ACL; 725 else 726 BUG(); 727 return tomoyo_check_single_path_acl2(domain, filename, perm, 728 operation != 1); 729} 730 731/** 732 * tomoyo_check_file_perm2 - Check permission for opening files. 733 * 734 * @domain: Pointer to "struct tomoyo_domain_info". 735 * @filename: Filename to check. 736 * @perm: Mode ("read" or "write" or "read/write" or "execute"). 737 * @operation: Operation name passed used for verbose mode. 738 * @mode: Access control mode. 739 * 740 * Returns 0 on success, negative value otherwise. 741 */ 742static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain, 743 const struct tomoyo_path_info *filename, 744 const u8 perm, const char *operation, 745 const u8 mode) 746{ 747 const bool is_enforce = (mode == 3); 748 const char *msg = "<unknown>"; 749 int error = 0; 750 751 if (!filename) 752 return 0; 753 error = tomoyo_check_file_acl(domain, filename, perm); 754 if (error && perm == 4 && 755 (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) == 0 756 && tomoyo_is_globally_readable_file(filename)) 757 error = 0; 758 if (perm == 6) 759 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL); 760 else if (perm == 4) 761 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL); 762 else if (perm == 2) 763 msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL); 764 else if (perm == 1) 765 msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL); 766 else 767 BUG(); 768 if (!error) 769 return 0; 770 if (tomoyo_verbose_mode(domain)) 771 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied " 772 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation, 773 filename->name, tomoyo_get_last_name(domain)); 774 if (is_enforce) 775 return error; 776 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 777 /* Don't use patterns for execute permission. */ 778 const struct tomoyo_path_info *patterned_file = (perm != 1) ? 779 tomoyo_get_file_pattern(filename) : filename; 780 tomoyo_update_file_acl(patterned_file->name, perm, 781 domain, false); 782 } 783 return 0; 784} 785 786/** 787 * tomoyo_write_file_policy - Update file related list. 788 * 789 * @data: String to parse. 790 * @domain: Pointer to "struct tomoyo_domain_info". 791 * @is_delete: True if it is a delete request. 792 * 793 * Returns 0 on success, negative value otherwise. 794 */ 795int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, 796 const bool is_delete) 797{ 798 char *filename = strchr(data, ' '); 799 char *filename2; 800 unsigned int perm; 801 u8 type; 802 803 if (!filename) 804 return -EINVAL; 805 *filename++ = '\0'; 806 if (sscanf(data, "%u", &perm) == 1) 807 return tomoyo_update_file_acl(filename, (u8) perm, domain, 808 is_delete); 809 if (strncmp(data, "allow_", 6)) 810 goto out; 811 data += 6; 812 for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) { 813 if (strcmp(data, tomoyo_sp_keyword[type])) 814 continue; 815 return tomoyo_update_single_path_acl(type, filename, 816 domain, is_delete); 817 } 818 filename2 = strchr(filename, ' '); 819 if (!filename2) 820 goto out; 821 *filename2++ = '\0'; 822 for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) { 823 if (strcmp(data, tomoyo_dp_keyword[type])) 824 continue; 825 return tomoyo_update_double_path_acl(type, filename, filename2, 826 domain, is_delete); 827 } 828 out: 829 return -EINVAL; 830} 831 832/** 833 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list. 834 * 835 * @type: Type of operation. 836 * @filename: Filename. 837 * @domain: Pointer to "struct tomoyo_domain_info". 838 * @is_delete: True if it is a delete request. 839 * 840 * Returns 0 on success, negative value otherwise. 841 */ 842static int tomoyo_update_single_path_acl(const u8 type, const char *filename, 843 struct tomoyo_domain_info * 844 const domain, const bool is_delete) 845{ 846 static const u32 rw_mask = 847 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL); 848 const struct tomoyo_path_info *saved_filename; 849 struct tomoyo_acl_info *ptr; 850 struct tomoyo_single_path_acl_record *acl; 851 int error = -ENOMEM; 852 const u32 perm = 1 << type; 853 854 if (!domain) 855 return -EINVAL; 856 if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__)) 857 return -EINVAL; 858 saved_filename = tomoyo_save_name(filename); 859 if (!saved_filename) 860 return -ENOMEM; 861 down_write(&tomoyo_domain_acl_info_list_lock); 862 if (is_delete) 863 goto delete; 864 list_for_each_entry(ptr, &domain->acl_info_list, list) { 865 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) 866 continue; 867 acl = container_of(ptr, struct tomoyo_single_path_acl_record, 868 head); 869 if (acl->filename != saved_filename) 870 continue; 871 /* Special case. Clear all bits if marked as deleted. */ 872 if (ptr->type & TOMOYO_ACL_DELETED) 873 acl->perm = 0; 874 if (perm <= 0xFFFF) 875 acl->perm |= perm; 876 else 877 acl->perm_high |= (perm >> 16); 878 if ((acl->perm & rw_mask) == rw_mask) 879 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL; 880 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 881 acl->perm |= rw_mask; 882 ptr->type &= ~TOMOYO_ACL_DELETED; 883 error = 0; 884 goto out; 885 } 886 /* Not found. Append it to the tail. */ 887 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL); 888 if (!acl) 889 goto out; 890 if (perm <= 0xFFFF) 891 acl->perm = perm; 892 else 893 acl->perm_high = (perm >> 16); 894 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL)) 895 acl->perm |= rw_mask; 896 acl->filename = saved_filename; 897 list_add_tail(&acl->head.list, &domain->acl_info_list); 898 error = 0; 899 goto out; 900 delete: 901 error = -ENOENT; 902 list_for_each_entry(ptr, &domain->acl_info_list, list) { 903 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) 904 continue; 905 acl = container_of(ptr, struct tomoyo_single_path_acl_record, 906 head); 907 if (acl->filename != saved_filename) 908 continue; 909 if (perm <= 0xFFFF) 910 acl->perm &= ~perm; 911 else 912 acl->perm_high &= ~(perm >> 16); 913 if ((acl->perm & rw_mask) != rw_mask) 914 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL); 915 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) 916 acl->perm &= ~rw_mask; 917 if (!acl->perm && !acl->perm_high) 918 ptr->type |= TOMOYO_ACL_DELETED; 919 error = 0; 920 break; 921 } 922 out: 923 up_write(&tomoyo_domain_acl_info_list_lock); 924 return error; 925} 926 927/** 928 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list. 929 * 930 * @type: Type of operation. 931 * @filename1: First filename. 932 * @filename2: Second filename. 933 * @domain: Pointer to "struct tomoyo_domain_info". 934 * @is_delete: True if it is a delete request. 935 * 936 * Returns 0 on success, negative value otherwise. 937 */ 938static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, 939 const char *filename2, 940 struct tomoyo_domain_info * 941 const domain, const bool is_delete) 942{ 943 const struct tomoyo_path_info *saved_filename1; 944 const struct tomoyo_path_info *saved_filename2; 945 struct tomoyo_acl_info *ptr; 946 struct tomoyo_double_path_acl_record *acl; 947 int error = -ENOMEM; 948 const u8 perm = 1 << type; 949 950 if (!domain) 951 return -EINVAL; 952 if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) || 953 !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__)) 954 return -EINVAL; 955 saved_filename1 = tomoyo_save_name(filename1); 956 saved_filename2 = tomoyo_save_name(filename2); 957 if (!saved_filename1 || !saved_filename2) 958 return -ENOMEM; 959 down_write(&tomoyo_domain_acl_info_list_lock); 960 if (is_delete) 961 goto delete; 962 list_for_each_entry(ptr, &domain->acl_info_list, list) { 963 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) 964 continue; 965 acl = container_of(ptr, struct tomoyo_double_path_acl_record, 966 head); 967 if (acl->filename1 != saved_filename1 || 968 acl->filename2 != saved_filename2) 969 continue; 970 /* Special case. Clear all bits if marked as deleted. */ 971 if (ptr->type & TOMOYO_ACL_DELETED) 972 acl->perm = 0; 973 acl->perm |= perm; 974 ptr->type &= ~TOMOYO_ACL_DELETED; 975 error = 0; 976 goto out; 977 } 978 /* Not found. Append it to the tail. */ 979 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_DOUBLE_PATH_ACL); 980 if (!acl) 981 goto out; 982 acl->perm = perm; 983 acl->filename1 = saved_filename1; 984 acl->filename2 = saved_filename2; 985 list_add_tail(&acl->head.list, &domain->acl_info_list); 986 error = 0; 987 goto out; 988 delete: 989 error = -ENOENT; 990 list_for_each_entry(ptr, &domain->acl_info_list, list) { 991 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) 992 continue; 993 acl = container_of(ptr, struct tomoyo_double_path_acl_record, 994 head); 995 if (acl->filename1 != saved_filename1 || 996 acl->filename2 != saved_filename2) 997 continue; 998 acl->perm &= ~perm; 999 if (!acl->perm) 1000 ptr->type |= TOMOYO_ACL_DELETED; 1001 error = 0; 1002 break; 1003 } 1004 out: 1005 up_write(&tomoyo_domain_acl_info_list_lock); 1006 return error; 1007} 1008 1009/** 1010 * tomoyo_check_single_path_acl - Check permission for single path operation. 1011 * 1012 * @domain: Pointer to "struct tomoyo_domain_info". 1013 * @type: Type of operation. 1014 * @filename: Filename to check. 1015 * 1016 * Returns 0 on success, negative value otherwise. 1017 */ 1018static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain, 1019 const u8 type, 1020 const struct tomoyo_path_info *filename) 1021{ 1022 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 1023 return 0; 1024 return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1); 1025} 1026 1027/** 1028 * tomoyo_check_double_path_acl - Check permission for double path operation. 1029 * 1030 * @domain: Pointer to "struct tomoyo_domain_info". 1031 * @type: Type of operation. 1032 * @filename1: First filename to check. 1033 * @filename2: Second filename to check. 1034 * 1035 * Returns 0 on success, -EPERM otherwise. 1036 */ 1037static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain, 1038 const u8 type, 1039 const struct tomoyo_path_info * 1040 filename1, 1041 const struct tomoyo_path_info * 1042 filename2) 1043{ 1044 struct tomoyo_acl_info *ptr; 1045 const u8 perm = 1 << type; 1046 int error = -EPERM; 1047 1048 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 1049 return 0; 1050 down_read(&tomoyo_domain_acl_info_list_lock); 1051 list_for_each_entry(ptr, &domain->acl_info_list, list) { 1052 struct tomoyo_double_path_acl_record *acl; 1053 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) 1054 continue; 1055 acl = container_of(ptr, struct tomoyo_double_path_acl_record, 1056 head); 1057 if (!(acl->perm & perm)) 1058 continue; 1059 if (!tomoyo_path_matches_pattern(filename1, acl->filename1)) 1060 continue; 1061 if (!tomoyo_path_matches_pattern(filename2, acl->filename2)) 1062 continue; 1063 error = 0; 1064 break; 1065 } 1066 up_read(&tomoyo_domain_acl_info_list_lock); 1067 return error; 1068} 1069 1070/** 1071 * tomoyo_check_single_path_permission2 - Check permission for single path operation. 1072 * 1073 * @domain: Pointer to "struct tomoyo_domain_info". 1074 * @operation: Type of operation. 1075 * @filename: Filename to check. 1076 * @mode: Access control mode. 1077 * 1078 * Returns 0 on success, negative value otherwise. 1079 */ 1080static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * 1081 const domain, u8 operation, 1082 const struct tomoyo_path_info * 1083 filename, const u8 mode) 1084{ 1085 const char *msg; 1086 int error; 1087 const bool is_enforce = (mode == 3); 1088 1089 if (!mode) 1090 return 0; 1091 next: 1092 error = tomoyo_check_single_path_acl(domain, operation, filename); 1093 msg = tomoyo_sp2keyword(operation); 1094 if (!error) 1095 goto ok; 1096 if (tomoyo_verbose_mode(domain)) 1097 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n", 1098 tomoyo_get_msg(is_enforce), msg, filename->name, 1099 tomoyo_get_last_name(domain)); 1100 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 1101 const char *name = tomoyo_get_file_pattern(filename)->name; 1102 tomoyo_update_single_path_acl(operation, name, domain, false); 1103 } 1104 if (!is_enforce) 1105 error = 0; 1106 ok: 1107 /* 1108 * Since "allow_truncate" doesn't imply "allow_rewrite" permission, 1109 * we need to check "allow_rewrite" permission if the filename is 1110 * specified by "deny_rewrite" keyword. 1111 */ 1112 if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL && 1113 tomoyo_is_no_rewrite_file(filename)) { 1114 operation = TOMOYO_TYPE_REWRITE_ACL; 1115 goto next; 1116 } 1117 return error; 1118} 1119 1120/** 1121 * tomoyo_check_file_perm - Check permission for sysctl()'s "read" and "write". 1122 * 1123 * @domain: Pointer to "struct tomoyo_domain_info". 1124 * @filename: Filename to check. 1125 * @perm: Mode ("read" or "write" or "read/write"). 1126 * Returns 0 on success, negative value otherwise. 1127 */ 1128int tomoyo_check_file_perm(struct tomoyo_domain_info *domain, 1129 const char *filename, const u8 perm) 1130{ 1131 struct tomoyo_path_info name; 1132 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1133 1134 if (!mode) 1135 return 0; 1136 name.name = filename; 1137 tomoyo_fill_path_info(&name); 1138 return tomoyo_check_file_perm2(domain, &name, perm, "sysctl", mode); 1139} 1140 1141/** 1142 * tomoyo_check_exec_perm - Check permission for "execute". 1143 * 1144 * @domain: Pointer to "struct tomoyo_domain_info". 1145 * @filename: Check permission for "execute". 1146 * 1147 * Returns 0 on success, negativevalue otherwise. 1148 */ 1149int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, 1150 const struct tomoyo_path_info *filename) 1151{ 1152 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1153 1154 if (!mode) 1155 return 0; 1156 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode); 1157} 1158 1159/** 1160 * tomoyo_check_open_permission - Check permission for "read" and "write". 1161 * 1162 * @domain: Pointer to "struct tomoyo_domain_info". 1163 * @path: Pointer to "struct path". 1164 * @flag: Flags for open(). 1165 * 1166 * Returns 0 on success, negative value otherwise. 1167 */ 1168int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 1169 struct path *path, const int flag) 1170{ 1171 const u8 acc_mode = ACC_MODE(flag); 1172 int error = -ENOMEM; 1173 struct tomoyo_path_info *buf; 1174 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1175 const bool is_enforce = (mode == 3); 1176 1177 if (!mode || !path->mnt) 1178 return 0; 1179 if (acc_mode == 0) 1180 return 0; 1181 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode)) 1182 /* 1183 * I don't check directories here because mkdir() and rmdir() 1184 * don't call me. 1185 */ 1186 return 0; 1187 buf = tomoyo_get_path(path); 1188 if (!buf) 1189 goto out; 1190 error = 0; 1191 /* 1192 * If the filename is specified by "deny_rewrite" keyword, 1193 * we need to check "allow_rewrite" permission when the filename is not 1194 * opened for append mode or the filename is truncated at open time. 1195 */ 1196 if ((acc_mode & MAY_WRITE) && 1197 ((flag & O_TRUNC) || !(flag & O_APPEND)) && 1198 (tomoyo_is_no_rewrite_file(buf))) { 1199 error = tomoyo_check_single_path_permission2(domain, 1200 TOMOYO_TYPE_REWRITE_ACL, 1201 buf, mode); 1202 } 1203 if (!error) 1204 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open", 1205 mode); 1206 if (!error && (flag & O_TRUNC)) 1207 error = tomoyo_check_single_path_permission2(domain, 1208 TOMOYO_TYPE_TRUNCATE_ACL, 1209 buf, mode); 1210 out: 1211 tomoyo_free(buf); 1212 if (!is_enforce) 1213 error = 0; 1214 return error; 1215} 1216 1217/** 1218 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". 1219 * 1220 * @domain: Pointer to "struct tomoyo_domain_info". 1221 * @operation: Type of operation. 1222 * @path: Pointer to "struct path". 1223 * 1224 * Returns 0 on success, negative value otherwise. 1225 */ 1226int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, 1227 const u8 operation, struct path *path) 1228{ 1229 int error = -ENOMEM; 1230 struct tomoyo_path_info *buf; 1231 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1232 const bool is_enforce = (mode == 3); 1233 1234 if (!mode || !path->mnt) 1235 return 0; 1236 buf = tomoyo_get_path(path); 1237 if (!buf) 1238 goto out; 1239 switch (operation) { 1240 case TOMOYO_TYPE_MKDIR_ACL: 1241 case TOMOYO_TYPE_RMDIR_ACL: 1242 case TOMOYO_TYPE_CHROOT_ACL: 1243 if (!buf->is_dir) { 1244 /* 1245 * tomoyo_get_path() reserves space for appending "/." 1246 */ 1247 strcat((char *) buf->name, "/"); 1248 tomoyo_fill_path_info(buf); 1249 } 1250 } 1251 error = tomoyo_check_single_path_permission2(domain, operation, buf, 1252 mode); 1253 out: 1254 tomoyo_free(buf); 1255 if (!is_enforce) 1256 error = 0; 1257 return error; 1258} 1259 1260/** 1261 * tomoyo_check_rewrite_permission - Check permission for "rewrite". 1262 * 1263 * @domain: Pointer to "struct tomoyo_domain_info". 1264 * @filp: Pointer to "struct file". 1265 * 1266 * Returns 0 on success, negative value otherwise. 1267 */ 1268int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, 1269 struct file *filp) 1270{ 1271 int error = -ENOMEM; 1272 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1273 const bool is_enforce = (mode == 3); 1274 struct tomoyo_path_info *buf; 1275 1276 if (!mode || !filp->f_path.mnt) 1277 return 0; 1278 buf = tomoyo_get_path(&filp->f_path); 1279 if (!buf) 1280 goto out; 1281 if (!tomoyo_is_no_rewrite_file(buf)) { 1282 error = 0; 1283 goto out; 1284 } 1285 error = tomoyo_check_single_path_permission2(domain, 1286 TOMOYO_TYPE_REWRITE_ACL, 1287 buf, mode); 1288 out: 1289 tomoyo_free(buf); 1290 if (!is_enforce) 1291 error = 0; 1292 return error; 1293} 1294 1295/** 1296 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root". 1297 * 1298 * @domain: Pointer to "struct tomoyo_domain_info". 1299 * @operation: Type of operation. 1300 * @path1: Pointer to "struct path". 1301 * @path2: Pointer to "struct path". 1302 * 1303 * Returns 0 on success, negative value otherwise. 1304 */ 1305int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain, 1306 const u8 operation, struct path *path1, 1307 struct path *path2) 1308{ 1309 int error = -ENOMEM; 1310 struct tomoyo_path_info *buf1, *buf2; 1311 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1312 const bool is_enforce = (mode == 3); 1313 const char *msg; 1314 1315 if (!mode || !path1->mnt || !path2->mnt) 1316 return 0; 1317 buf1 = tomoyo_get_path(path1); 1318 buf2 = tomoyo_get_path(path2); 1319 if (!buf1 || !buf2) 1320 goto out; 1321 { 1322 struct dentry *dentry = path1->dentry; 1323 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) { 1324 /* 1325 * tomoyo_get_path() reserves space for appending "/." 1326 */ 1327 if (!buf1->is_dir) { 1328 strcat((char *) buf1->name, "/"); 1329 tomoyo_fill_path_info(buf1); 1330 } 1331 if (!buf2->is_dir) { 1332 strcat((char *) buf2->name, "/"); 1333 tomoyo_fill_path_info(buf2); 1334 } 1335 } 1336 } 1337 error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2); 1338 msg = tomoyo_dp2keyword(operation); 1339 if (!error) 1340 goto out; 1341 if (tomoyo_verbose_mode(domain)) 1342 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' " 1343 "denied for %s\n", tomoyo_get_msg(is_enforce), 1344 msg, buf1->name, buf2->name, 1345 tomoyo_get_last_name(domain)); 1346 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 1347 const char *name1 = tomoyo_get_file_pattern(buf1)->name; 1348 const char *name2 = tomoyo_get_file_pattern(buf2)->name; 1349 tomoyo_update_double_path_acl(operation, name1, name2, domain, 1350 false); 1351 } 1352 out: 1353 tomoyo_free(buf1); 1354 tomoyo_free(buf2); 1355 if (!is_enforce) 1356 error = 0; 1357 return error; 1358} 1359