linux/security/tomoyo/common.c
Tejun Heo 5a0e3ad6af include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files.  percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.

percpu.h -> slab.h dependency is about to be removed.  Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability.  As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.

  http://userweb.kernel.org/~tj/misc/slabh-sweep.py

The script does the followings.

* Scan files for gfp and slab usages and update includes such that
  only the necessary includes are there.  ie. if only gfp is used,
  gfp.h, if slab is used, slab.h.

* When the script inserts a new include, it looks at the include
  blocks and try to put the new include such that its order conforms
  to its surrounding.  It's put in the include block which contains
  core kernel includes, in the same order that the rest are ordered -
  alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
  doesn't seem to be any matching order.

* If the script can't find a place to put a new include (mostly
  because the file doesn't have fitting include block), it prints out
  an error message indicating which .h file needs to be added to the
  file.

The conversion was done in the following steps.

1. The initial automatic conversion of all .c files updated slightly
   over 4000 files, deleting around 700 includes and adding ~480 gfp.h
   and ~3000 slab.h inclusions.  The script emitted errors for ~400
   files.

2. Each error was manually checked.  Some didn't need the inclusion,
   some needed manual addition while adding it to implementation .h or
   embedding .c file was more appropriate for others.  This step added
   inclusions to around 150 files.

3. The script was run again and the output was compared to the edits
   from #2 to make sure no file was left behind.

4. Several build tests were done and a couple of problems were fixed.
   e.g. lib/decompress_*.c used malloc/free() wrappers around slab
   APIs requiring slab.h to be added manually.

5. The script was run on all .h files but without automatically
   editing them as sprinkling gfp.h and slab.h inclusions around .h
   files could easily lead to inclusion dependency hell.  Most gfp.h
   inclusion directives were ignored as stuff from gfp.h was usually
   wildly available and often used in preprocessor macros.  Each
   slab.h inclusion directive was examined and added manually as
   necessary.

6. percpu.h was updated not to include slab.h.

7. Build test were done on the following configurations and failures
   were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
   distributed build env didn't work with gcov compiles) and a few
   more options had to be turned off depending on archs to make things
   build (like ipr on powerpc/64 which failed due to missing writeq).

   * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
   * powerpc and powerpc64 SMP allmodconfig
   * sparc and sparc64 SMP allmodconfig
   * ia64 SMP allmodconfig
   * s390 SMP allmodconfig
   * alpha SMP allmodconfig
   * um on x86_64 SMP allmodconfig

8. percpu.h modifications were reverted so that it could be applied as
   a separate patch and serve as bisection point.

Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.

Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-30 22:02:32 +09:00

2238 lines
57 KiB
C

/*
* security/tomoyo/common.c
*
* Common functions for TOMOYO.
*
* Copyright (C) 2005-2009 NTT DATA CORPORATION
*
* Version: 2.2.0 2009/04/01
*
*/
#include <linux/uaccess.h>
#include <linux/slab.h>
#include <linux/security.h>
#include <linux/hardirq.h>
#include "common.h"
/* Lock for protecting policy. */
DEFINE_MUTEX(tomoyo_policy_lock);
/* Has loading policy done? */
bool tomoyo_policy_loaded;
/* String table for functionality that takes 4 modes. */
static const char *tomoyo_mode_4[4] = {
"disabled", "learning", "permissive", "enforcing"
};
/* String table for functionality that takes 2 modes. */
static const char *tomoyo_mode_2[4] = {
"disabled", "enabled", "enabled", "enabled"
};
/*
* tomoyo_control_array is a static data which contains
*
* (1) functionality name used by /sys/kernel/security/tomoyo/profile .
* (2) initial values for "struct tomoyo_profile".
* (3) max values for "struct tomoyo_profile".
*/
static struct {
const char *keyword;
unsigned int current_value;
const unsigned int max_value;
} tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = {
[TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 },
[TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX },
[TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 },
};
/*
* tomoyo_profile is a structure which is used for holding the mode of access
* controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
* An administrator can define up to 256 profiles.
* The ->profile of "struct tomoyo_domain_info" is used for remembering
* the profile's number (0 - 255) assigned to that domain.
*/
static struct tomoyo_profile {
unsigned int value[TOMOYO_MAX_CONTROL_INDEX];
const struct tomoyo_path_info *comment;
} *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES];
/* Permit policy management by non-root user? */
static bool tomoyo_manage_by_non_root;
/* Utility functions. */
/* Open operation for /sys/kernel/security/tomoyo/ interface. */
static int tomoyo_open_control(const u8 type, struct file *file);
/* Close /sys/kernel/security/tomoyo/ interface. */
static int tomoyo_close_control(struct file *file);
/* Read operation for /sys/kernel/security/tomoyo/ interface. */
static int tomoyo_read_control(struct file *file, char __user *buffer,
const int buffer_len);
/* Write operation for /sys/kernel/security/tomoyo/ interface. */
static int tomoyo_write_control(struct file *file, const char __user *buffer,
const int buffer_len);
/**
* tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
*
* @str: Pointer to the string.
*
* Returns true if @str is a \ooo style octal value, false otherwise.
*
* TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
* This function verifies that \ooo is in valid range.
*/
static inline bool tomoyo_is_byte_range(const char *str)
{
return *str >= '0' && *str++ <= '3' &&
*str >= '0' && *str++ <= '7' &&
*str >= '0' && *str <= '7';
}
/**
* tomoyo_is_alphabet_char - Check whether the character is an alphabet.
*
* @c: The character to check.
*
* Returns true if @c is an alphabet character, false otherwise.
*/
static inline bool tomoyo_is_alphabet_char(const char c)
{
return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}
/**
* tomoyo_make_byte - Make byte value from three octal characters.
*
* @c1: The first character.
* @c2: The second character.
* @c3: The third character.
*
* Returns byte value.
*/
static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3)
{
return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0');
}
/**
* tomoyo_str_starts - Check whether the given string starts with the given keyword.
*
* @src: Pointer to pointer to the string.
* @find: Pointer to the keyword.
*
* Returns true if @src starts with @find, false otherwise.
*
* The @src is updated to point the first character after the @find
* if @src starts with @find.
*/
static bool tomoyo_str_starts(char **src, const char *find)
{
const int len = strlen(find);
char *tmp = *src;
if (strncmp(tmp, find, len))
return false;
tmp += len;
*src = tmp;
return true;
}
/**
* tomoyo_normalize_line - Format string.
*
* @buffer: The line to normalize.
*
* Leading and trailing whitespaces are removed.
* Multiple whitespaces are packed into single space.
*
* Returns nothing.
*/
static void tomoyo_normalize_line(unsigned char *buffer)
{
unsigned char *sp = buffer;
unsigned char *dp = buffer;
bool first = true;
while (tomoyo_is_invalid(*sp))
sp++;
while (*sp) {
if (!first)
*dp++ = ' ';
first = false;
while (tomoyo_is_valid(*sp))
*dp++ = *sp++;
while (tomoyo_is_invalid(*sp))
sp++;
}
*dp = '\0';
}
/**
* tomoyo_is_correct_path - Validate a pathname.
* @filename: The pathname to check.
* @start_type: Should the pathname start with '/'?
* 1 = must / -1 = must not / 0 = don't care
* @pattern_type: Can the pathname contain a wildcard?
* 1 = must / -1 = must not / 0 = don't care
* @end_type: Should the pathname end with '/'?
* 1 = must / -1 = must not / 0 = don't care
*
* Check whether the given filename follows the naming rules.
* Returns true if @filename follows the naming rules, false otherwise.
*/
bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
const s8 pattern_type, const s8 end_type)
{
const char *const start = filename;
bool in_repetition = false;
bool contains_pattern = false;
unsigned char c;
unsigned char d;
unsigned char e;
if (!filename)
goto out;
c = *filename;
if (start_type == 1) { /* Must start with '/' */
if (c != '/')
goto out;
} else if (start_type == -1) { /* Must not start with '/' */
if (c == '/')
goto out;
}
if (c)
c = *(filename + strlen(filename) - 1);
if (end_type == 1) { /* Must end with '/' */
if (c != '/')
goto out;
} else if (end_type == -1) { /* Must not end with '/' */
if (c == '/')
goto out;
}
while (1) {
c = *filename++;
if (!c)
break;
if (c == '\\') {
c = *filename++;
switch (c) {
case '\\': /* "\\" */
continue;
case '$': /* "\$" */
case '+': /* "\+" */
case '?': /* "\?" */
case '*': /* "\*" */
case '@': /* "\@" */
case 'x': /* "\x" */
case 'X': /* "\X" */
case 'a': /* "\a" */
case 'A': /* "\A" */
case '-': /* "\-" */
if (pattern_type == -1)
break; /* Must not contain pattern */
contains_pattern = true;
continue;
case '{': /* "/\{" */
if (filename - 3 < start ||
*(filename - 3) != '/')
break;
if (pattern_type == -1)
break; /* Must not contain pattern */
contains_pattern = true;
in_repetition = true;
continue;
case '}': /* "\}/" */
if (*filename != '/')
break;
if (!in_repetition)
break;
in_repetition = false;
continue;
case '0': /* "\ooo" */
case '1':
case '2':
case '3':
d = *filename++;
if (d < '0' || d > '7')
break;
e = *filename++;
if (e < '0' || e > '7')
break;
c = tomoyo_make_byte(c, d, e);
if (tomoyo_is_invalid(c))
continue; /* pattern is not \000 */
}
goto out;
} else if (in_repetition && c == '/') {
goto out;
} else if (tomoyo_is_invalid(c)) {
goto out;
}
}
if (pattern_type == 1) { /* Must contain pattern */
if (!contains_pattern)
goto out;
}
if (in_repetition)
goto out;
return true;
out:
return false;
}
/**
* tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
* @domainname: The domainname to check.
*
* Returns true if @domainname follows the naming rules, false otherwise.
*/
bool tomoyo_is_correct_domain(const unsigned char *domainname)
{
unsigned char c;
unsigned char d;
unsigned char e;
if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME,
TOMOYO_ROOT_NAME_LEN))
goto out;
domainname += TOMOYO_ROOT_NAME_LEN;
if (!*domainname)
return true;
do {
if (*domainname++ != ' ')
goto out;
if (*domainname++ != '/')
goto out;
while ((c = *domainname) != '\0' && c != ' ') {
domainname++;
if (c == '\\') {
c = *domainname++;
switch ((c)) {
case '\\': /* "\\" */
continue;
case '0': /* "\ooo" */
case '1':
case '2':
case '3':
d = *domainname++;
if (d < '0' || d > '7')
break;
e = *domainname++;
if (e < '0' || e > '7')
break;
c = tomoyo_make_byte(c, d, e);
if (tomoyo_is_invalid(c))
/* pattern is not \000 */
continue;
}
goto out;
} else if (tomoyo_is_invalid(c)) {
goto out;
}
}
} while (*domainname);
return true;
out:
return false;
}
/**
* tomoyo_is_domain_def - Check whether the given token can be a domainname.
*
* @buffer: The token to check.
*
* Returns true if @buffer possibly be a domainname, false otherwise.
*/
bool tomoyo_is_domain_def(const unsigned char *buffer)
{
return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN);
}
/**
* tomoyo_find_domain - Find a domain by the given name.
*
* @domainname: The domainname to find.
*
* Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
*
* Caller holds tomoyo_read_lock().
*/
struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
{
struct tomoyo_domain_info *domain;
struct tomoyo_path_info name;
name.name = domainname;
tomoyo_fill_path_info(&name);
list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
if (!domain->is_deleted &&
!tomoyo_pathcmp(&name, domain->domainname))
return domain;
}
return NULL;
}
/**
* tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
*
* @filename: The string to evaluate.
*
* Returns the initial length without a pattern in @filename.
*/
static int tomoyo_const_part_length(const char *filename)
{
char c;
int len = 0;
if (!filename)
return 0;
while ((c = *filename++) != '\0') {
if (c != '\\') {
len++;
continue;
}
c = *filename++;
switch (c) {
case '\\': /* "\\" */
len += 2;
continue;
case '0': /* "\ooo" */
case '1':
case '2':
case '3':
c = *filename++;
if (c < '0' || c > '7')
break;
c = *filename++;
if (c < '0' || c > '7')
break;
len += 4;
continue;
}
break;
}
return len;
}
/**
* tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
*
* @ptr: Pointer to "struct tomoyo_path_info" to fill in.
*
* The caller sets "struct tomoyo_path_info"->name.
*/
void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
{
const char *name = ptr->name;
const int len = strlen(name);
ptr->const_len = tomoyo_const_part_length(name);
ptr->is_dir = len && (name[len - 1] == '/');
ptr->is_patterned = (ptr->const_len < len);
ptr->hash = full_name_hash(name, len);
}
/**
* tomoyo_file_matches_pattern2 - Pattern matching without '/' character
* and "\-" pattern.
*
* @filename: The start of string to check.
* @filename_end: The end of string to check.
* @pattern: The start of pattern to compare.
* @pattern_end: The end of pattern to compare.
*
* Returns true if @filename matches @pattern, false otherwise.
*/
static bool tomoyo_file_matches_pattern2(const char *filename,
const char *filename_end,
const char *pattern,
const char *pattern_end)
{
while (filename < filename_end && pattern < pattern_end) {
char c;
if (*pattern != '\\') {
if (*filename++ != *pattern++)
return false;
continue;
}
c = *filename;
pattern++;
switch (*pattern) {
int i;
int j;
case '?':
if (c == '/') {
return false;
} else if (c == '\\') {
if (filename[1] == '\\')
filename++;
else if (tomoyo_is_byte_range(filename + 1))
filename += 3;
else
return false;
}
break;
case '\\':
if (c != '\\')
return false;
if (*++filename != '\\')
return false;
break;
case '+':
if (!isdigit(c))
return false;
break;
case 'x':
if (!isxdigit(c))
return false;
break;
case 'a':
if (!tomoyo_is_alphabet_char(c))
return false;
break;
case '0':
case '1':
case '2':
case '3':
if (c == '\\' && tomoyo_is_byte_range(filename + 1)
&& strncmp(filename + 1, pattern, 3) == 0) {
filename += 3;
pattern += 2;
break;
}
return false; /* Not matched. */
case '*':
case '@':
for (i = 0; i <= filename_end - filename; i++) {
if (tomoyo_file_matches_pattern2(
filename + i, filename_end,
pattern + 1, pattern_end))
return true;
c = filename[i];
if (c == '.' && *pattern == '@')
break;
if (c != '\\')
continue;
if (filename[i + 1] == '\\')
i++;
else if (tomoyo_is_byte_range(filename + i + 1))
i += 3;
else
break; /* Bad pattern. */
}
return false; /* Not matched. */
default:
j = 0;
c = *pattern;
if (c == '$') {
while (isdigit(filename[j]))
j++;
} else if (c == 'X') {
while (isxdigit(filename[j]))
j++;
} else if (c == 'A') {
while (tomoyo_is_alphabet_char(filename[j]))
j++;
}
for (i = 1; i <= j; i++) {
if (tomoyo_file_matches_pattern2(
filename + i, filename_end,
pattern + 1, pattern_end))
return true;
}
return false; /* Not matched or bad pattern. */
}
filename++;
pattern++;
}
while (*pattern == '\\' &&
(*(pattern + 1) == '*' || *(pattern + 1) == '@'))
pattern += 2;
return filename == filename_end && pattern == pattern_end;
}
/**
* tomoyo_file_matches_pattern - Pattern matching without without '/' character.
*
* @filename: The start of string to check.
* @filename_end: The end of string to check.
* @pattern: The start of pattern to compare.
* @pattern_end: The end of pattern to compare.
*
* Returns true if @filename matches @pattern, false otherwise.
*/
static bool tomoyo_file_matches_pattern(const char *filename,
const char *filename_end,
const char *pattern,
const char *pattern_end)
{
const char *pattern_start = pattern;
bool first = true;
bool result;
while (pattern < pattern_end - 1) {
/* Split at "\-" pattern. */
if (*pattern++ != '\\' || *pattern++ != '-')
continue;
result = tomoyo_file_matches_pattern2(filename,
filename_end,
pattern_start,
pattern - 2);
if (first)
result = !result;
if (result)
return false;
first = false;
pattern_start = pattern;
}
result = tomoyo_file_matches_pattern2(filename, filename_end,
pattern_start, pattern_end);
return first ? result : !result;
}
/**
* tomoyo_path_matches_pattern2 - Do pathname pattern matching.
*
* @f: The start of string to check.
* @p: The start of pattern to compare.
*
* Returns true if @f matches @p, false otherwise.
*/
static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
{
const char *f_delimiter;
const char *p_delimiter;
while (*f && *p) {
f_delimiter = strchr(f, '/');
if (!f_delimiter)
f_delimiter = f + strlen(f);
p_delimiter = strchr(p, '/');
if (!p_delimiter)
p_delimiter = p + strlen(p);
if (*p == '\\' && *(p + 1) == '{')
goto recursive;
if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
p_delimiter))
return false;
f = f_delimiter;
if (*f)
f++;
p = p_delimiter;
if (*p)
p++;
}
/* Ignore trailing "\*" and "\@" in @pattern. */
while (*p == '\\' &&
(*(p + 1) == '*' || *(p + 1) == '@'))
p += 2;
return !*f && !*p;
recursive:
/*
* The "\{" pattern is permitted only after '/' character.
* This guarantees that below "*(p - 1)" is safe.
* Also, the "\}" pattern is permitted only before '/' character
* so that "\{" + "\}" pair will not break the "\-" operator.
*/
if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
*(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
return false; /* Bad pattern. */
do {
/* Compare current component with pattern. */
if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
p_delimiter - 2))
break;
/* Proceed to next component. */
f = f_delimiter;
if (!*f)
break;
f++;
/* Continue comparison. */
if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
return true;
f_delimiter = strchr(f, '/');
} while (f_delimiter);
return false; /* Not matched. */
}
/**
* tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
*
* @filename: The filename to check.
* @pattern: The pattern to compare.
*
* Returns true if matches, false otherwise.
*
* The following patterns are available.
* \\ \ itself.
* \ooo Octal representation of a byte.
* \* Zero or more repetitions of characters other than '/'.
* \@ Zero or more repetitions of characters other than '/' or '.'.
* \? 1 byte character other than '/'.
* \$ One or more repetitions of decimal digits.
* \+ 1 decimal digit.
* \X One or more repetitions of hexadecimal digits.
* \x 1 hexadecimal digit.
* \A One or more repetitions of alphabet characters.
* \a 1 alphabet character.
*
* \- Subtraction operator.
*
* /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
* /dir/dir/dir/ ).
*/
bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
const struct tomoyo_path_info *pattern)
{
const char *f = filename->name;
const char *p = pattern->name;
const int len = pattern->const_len;
/* If @pattern doesn't contain pattern, I can use strcmp(). */
if (!pattern->is_patterned)
return !tomoyo_pathcmp(filename, pattern);
/* Don't compare directory and non-directory. */
if (filename->is_dir != pattern->is_dir)
return false;
/* Compare the initial length without patterns. */
if (strncmp(f, p, len))
return false;
f += len;
p += len;
return tomoyo_path_matches_pattern2(f, p);
}
/**
* tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
*
* @head: Pointer to "struct tomoyo_io_buffer".
* @fmt: The printf()'s format string, followed by parameters.
*
* Returns true if output was written, false otherwise.
*
* The snprintf() will truncate, but tomoyo_io_printf() won't.
*/
bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
{
va_list args;
int len;
int pos = head->read_avail;
int size = head->readbuf_size - pos;
if (size <= 0)
return false;
va_start(args, fmt);
len = vsnprintf(head->read_buf + pos, size, fmt, args);
va_end(args);
if (pos + len >= head->readbuf_size)
return false;
head->read_avail += len;
return true;
}
/**
* tomoyo_get_exe - Get tomoyo_realpath() of current process.
*
* Returns the tomoyo_realpath() of current process on success, NULL otherwise.
*
* This function uses kzalloc(), so the caller must call kfree()
* if this function didn't return NULL.
*/
static const char *tomoyo_get_exe(void)
{
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma;
const char *cp = NULL;
if (!mm)
return NULL;
down_read(&mm->mmap_sem);
for (vma = mm->mmap; vma; vma = vma->vm_next) {
if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) {
cp = tomoyo_realpath_from_path(&vma->vm_file->f_path);
break;
}
}
up_read(&mm->mmap_sem);
return cp;
}
/**
* tomoyo_get_msg - Get warning message.
*
* @is_enforce: Is it enforcing mode?
*
* Returns "ERROR" or "WARNING".
*/
const char *tomoyo_get_msg(const bool is_enforce)
{
if (is_enforce)
return "ERROR";
else
return "WARNING";
}
/**
* tomoyo_check_flags - Check mode for specified functionality.
*
* @domain: Pointer to "struct tomoyo_domain_info".
* @index: The functionality to check mode.
*
* TOMOYO checks only process context.
* This code disables TOMOYO's enforcement in case the function is called from
* interrupt context.
*/
unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
const u8 index)
{
const u8 profile = domain->profile;
if (WARN_ON(in_interrupt()))
return 0;
return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX
#if TOMOYO_MAX_PROFILES != 256
&& profile < TOMOYO_MAX_PROFILES
#endif
&& tomoyo_profile_ptr[profile] ?
tomoyo_profile_ptr[profile]->value[index] : 0;
}
/**
* tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
*
* @domain: Pointer to "struct tomoyo_domain_info".
*
* Returns true if domain policy violation warning should be printed to
* console.
*/
bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain)
{
return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0;
}
/**
* tomoyo_domain_quota_is_ok - Check for domain's quota.
*
* @domain: Pointer to "struct tomoyo_domain_info".
*
* Returns true if the domain is not exceeded quota, false otherwise.
*
* Caller holds tomoyo_read_lock().
*/
bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
{
unsigned int count = 0;
struct tomoyo_acl_info *ptr;
if (!domain)
return true;
list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
switch (ptr->type) {
struct tomoyo_path_acl *acl;
u32 perm;
u8 i;
case TOMOYO_TYPE_PATH_ACL:
acl = container_of(ptr, struct tomoyo_path_acl, head);
perm = acl->perm | (((u32) acl->perm_high) << 16);
for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++)
if (perm & (1 << i))
count++;
if (perm & (1 << TOMOYO_TYPE_READ_WRITE))
count -= 2;
break;
case TOMOYO_TYPE_PATH2_ACL:
perm = container_of(ptr, struct tomoyo_path2_acl, head)
->perm;
for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++)
if (perm & (1 << i))
count++;
break;
}
}
if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
return true;
if (!domain->quota_warned) {
domain->quota_warned = true;
printk(KERN_WARNING "TOMOYO-WARNING: "
"Domain '%s' has so many ACLs to hold. "
"Stopped learning mode.\n", domain->domainname->name);
}
return false;
}
/**
* tomoyo_find_or_assign_new_profile - Create a new profile.
*
* @profile: Profile number to create.
*
* Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
*/
static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
int profile)
{
static DEFINE_MUTEX(lock);
struct tomoyo_profile *ptr = NULL;
int i;
if (profile >= TOMOYO_MAX_PROFILES)
return NULL;
mutex_lock(&lock);
ptr = tomoyo_profile_ptr[profile];
if (ptr)
goto ok;
ptr = kmalloc(sizeof(*ptr), GFP_KERNEL);
if (!tomoyo_memory_ok(ptr)) {
kfree(ptr);
ptr = NULL;
goto ok;
}
for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++)
ptr->value[i] = tomoyo_control_array[i].current_value;
mb(); /* Avoid out-of-order execution. */
tomoyo_profile_ptr[profile] = ptr;
ok:
mutex_unlock(&lock);
return ptr;
}
/**
* tomoyo_write_profile - Write to profile table.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns 0 on success, negative value otherwise.
*/
static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
{
char *data = head->write_buf;
unsigned int i;
unsigned int value;
char *cp;
struct tomoyo_profile *profile;
unsigned long num;
cp = strchr(data, '-');
if (cp)
*cp = '\0';
if (strict_strtoul(data, 10, &num))
return -EINVAL;
if (cp)
data = cp + 1;
profile = tomoyo_find_or_assign_new_profile(num);
if (!profile)
return -EINVAL;
cp = strchr(data, '=');
if (!cp)
return -EINVAL;
*cp = '\0';
if (!strcmp(data, "COMMENT")) {
const struct tomoyo_path_info *old_comment = profile->comment;
profile->comment = tomoyo_get_name(cp + 1);
tomoyo_put_name(old_comment);
return 0;
}
for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) {
if (strcmp(data, tomoyo_control_array[i].keyword))
continue;
if (sscanf(cp + 1, "%u", &value) != 1) {
int j;
const char **modes;
switch (i) {
case TOMOYO_VERBOSE:
modes = tomoyo_mode_2;
break;
default:
modes = tomoyo_mode_4;
break;
}
for (j = 0; j < 4; j++) {
if (strcmp(cp + 1, modes[j]))
continue;
value = j;
break;
}
if (j == 4)
return -EINVAL;
} else if (value > tomoyo_control_array[i].max_value) {
value = tomoyo_control_array[i].max_value;
}
profile->value[i] = value;
return 0;
}
return -EINVAL;
}
/**
* tomoyo_read_profile - Read from profile table.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns 0.
*/
static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
{
static const int total = TOMOYO_MAX_CONTROL_INDEX + 1;
int step;
if (head->read_eof)
return 0;
for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total;
step++) {
const u8 index = step / total;
u8 type = step % total;
const struct tomoyo_profile *profile
= tomoyo_profile_ptr[index];
head->read_step = step;
if (!profile)
continue;
if (!type) { /* Print profile' comment tag. */
if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n",
index, profile->comment ?
profile->comment->name : ""))
break;
continue;
}
type--;
if (type < TOMOYO_MAX_CONTROL_INDEX) {
const unsigned int value = profile->value[type];
const char **modes = NULL;
const char *keyword
= tomoyo_control_array[type].keyword;
switch (tomoyo_control_array[type].max_value) {
case 3:
modes = tomoyo_mode_4;
break;
case 1:
modes = tomoyo_mode_2;
break;
}
if (modes) {
if (!tomoyo_io_printf(head, "%u-%s=%s\n", index,
keyword, modes[value]))
break;
} else {
if (!tomoyo_io_printf(head, "%u-%s=%u\n", index,
keyword, value))
break;
}
}
}
if (step == TOMOYO_MAX_PROFILES * total)
head->read_eof = true;
return 0;
}
/*
* tomoyo_policy_manager_list is used for holding list of domainnames or
* programs which are permitted to modify configuration via
* /sys/kernel/security/tomoyo/ interface.
*
* An entry is added by
*
* # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
* /sys/kernel/security/tomoyo/manager
* (if you want to specify by a domainname)
*
* or
*
* # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
* (if you want to specify by a program's location)
*
* and is deleted by
*
* # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
* /sys/kernel/security/tomoyo/manager
*
* or
*
* # echo 'delete /usr/lib/ccs/editpolicy' > \
* /sys/kernel/security/tomoyo/manager
*
* and all entries are retrieved by
*
* # cat /sys/kernel/security/tomoyo/manager
*/
LIST_HEAD(tomoyo_policy_manager_list);
/**
* tomoyo_update_manager_entry - Add a manager entry.
*
* @manager: The path to manager or the domainnamme.
* @is_delete: True if it is a delete request.
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_update_manager_entry(const char *manager,
const bool is_delete)
{
struct tomoyo_policy_manager_entry *entry = NULL;
struct tomoyo_policy_manager_entry *ptr;
const struct tomoyo_path_info *saved_manager;
int error = is_delete ? -ENOENT : -ENOMEM;
bool is_domain = false;
if (tomoyo_is_domain_def(manager)) {
if (!tomoyo_is_correct_domain(manager))
return -EINVAL;
is_domain = true;
} else {
if (!tomoyo_is_correct_path(manager, 1, -1, -1))
return -EINVAL;
}
saved_manager = tomoyo_get_name(manager);
if (!saved_manager)
return -ENOMEM;
if (!is_delete)
entry = kmalloc(sizeof(*entry), GFP_KERNEL);
mutex_lock(&tomoyo_policy_lock);
list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
if (ptr->manager != saved_manager)
continue;
ptr->is_deleted = is_delete;
error = 0;
break;
}
if (!is_delete && error && tomoyo_memory_ok(entry)) {
entry->manager = saved_manager;
saved_manager = NULL;
entry->is_domain = is_domain;
list_add_tail_rcu(&entry->list, &tomoyo_policy_manager_list);
entry = NULL;
error = 0;
}
mutex_unlock(&tomoyo_policy_lock);
tomoyo_put_name(saved_manager);
kfree(entry);
return error;
}
/**
* tomoyo_write_manager_policy - Write manager policy.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
{
char *data = head->write_buf;
bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
if (!strcmp(data, "manage_by_non_root")) {
tomoyo_manage_by_non_root = !is_delete;
return 0;
}
return tomoyo_update_manager_entry(data, is_delete);
}
/**
* tomoyo_read_manager_policy - Read manager policy.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns 0.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
{
struct list_head *pos;
bool done = true;
if (head->read_eof)
return 0;
list_for_each_cookie(pos, head->read_var2,
&tomoyo_policy_manager_list) {
struct tomoyo_policy_manager_entry *ptr;
ptr = list_entry(pos, struct tomoyo_policy_manager_entry,
list);
if (ptr->is_deleted)
continue;
done = tomoyo_io_printf(head, "%s\n", ptr->manager->name);
if (!done)
break;
}
head->read_eof = done;
return 0;
}
/**
* tomoyo_is_policy_manager - Check whether the current process is a policy manager.
*
* Returns true if the current process is permitted to modify policy
* via /sys/kernel/security/tomoyo/ interface.
*
* Caller holds tomoyo_read_lock().
*/
static bool tomoyo_is_policy_manager(void)
{
struct tomoyo_policy_manager_entry *ptr;
const char *exe;
const struct task_struct *task = current;
const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
bool found = false;
if (!tomoyo_policy_loaded)
return true;
if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
return false;
list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
if (!ptr->is_deleted && ptr->is_domain
&& !tomoyo_pathcmp(domainname, ptr->manager)) {
found = true;
break;
}
}
if (found)
return true;
exe = tomoyo_get_exe();
if (!exe)
return false;
list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
if (!ptr->is_deleted && !ptr->is_domain
&& !strcmp(exe, ptr->manager->name)) {
found = true;
break;
}
}
if (!found) { /* Reduce error messages. */
static pid_t last_pid;
const pid_t pid = current->pid;
if (last_pid != pid) {
printk(KERN_WARNING "%s ( %s ) is not permitted to "
"update policies.\n", domainname->name, exe);
last_pid = pid;
}
}
kfree(exe);
return found;
}
/**
* tomoyo_is_select_one - Parse select command.
*
* @head: Pointer to "struct tomoyo_io_buffer".
* @data: String to parse.
*
* Returns true on success, false otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
const char *data)
{
unsigned int pid;
struct tomoyo_domain_info *domain = NULL;
if (sscanf(data, "pid=%u", &pid) == 1) {
struct task_struct *p;
rcu_read_lock();
read_lock(&tasklist_lock);
p = find_task_by_vpid(pid);
if (p)
domain = tomoyo_real_domain(p);
read_unlock(&tasklist_lock);
rcu_read_unlock();
} else if (!strncmp(data, "domain=", 7)) {
if (tomoyo_is_domain_def(data + 7))
domain = tomoyo_find_domain(data + 7);
} else
return false;
head->write_var1 = domain;
/* Accessing read_buf is safe because head->io_sem is held. */
if (!head->read_buf)
return true; /* Do nothing if open(O_WRONLY). */
head->read_avail = 0;
tomoyo_io_printf(head, "# select %s\n", data);
head->read_single_domain = true;
head->read_eof = !domain;
if (domain) {
struct tomoyo_domain_info *d;
head->read_var1 = NULL;
list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
if (d == domain)
break;
head->read_var1 = &d->list;
}
head->read_var2 = NULL;
head->read_bit = 0;
head->read_step = 0;
if (domain->is_deleted)
tomoyo_io_printf(head, "# This is a deleted domain.\n");
}
return true;
}
/**
* tomoyo_delete_domain - Delete a domain.
*
* @domainname: The name of domain.
*
* Returns 0.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_delete_domain(char *domainname)
{
struct tomoyo_domain_info *domain;
struct tomoyo_path_info name;
name.name = domainname;
tomoyo_fill_path_info(&name);
mutex_lock(&tomoyo_policy_lock);
/* Is there an active domain? */
list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
/* Never delete tomoyo_kernel_domain */
if (domain == &tomoyo_kernel_domain)
continue;
if (domain->is_deleted ||
tomoyo_pathcmp(domain->domainname, &name))
continue;
domain->is_deleted = true;
break;
}
mutex_unlock(&tomoyo_policy_lock);
return 0;
}
/**
* tomoyo_write_domain_policy - Write domain policy.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
{
char *data = head->write_buf;
struct tomoyo_domain_info *domain = head->write_var1;
bool is_delete = false;
bool is_select = false;
unsigned int profile;
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE))
is_delete = true;
else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT))
is_select = true;
if (is_select && tomoyo_is_select_one(head, data))
return 0;
/* Don't allow updating policies by non manager programs. */
if (!tomoyo_is_policy_manager())
return -EPERM;
if (tomoyo_is_domain_def(data)) {
domain = NULL;
if (is_delete)
tomoyo_delete_domain(data);
else if (is_select)
domain = tomoyo_find_domain(data);
else
domain = tomoyo_find_or_assign_new_domain(data, 0);
head->write_var1 = domain;
return 0;
}
if (!domain)
return -EINVAL;
if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1
&& profile < TOMOYO_MAX_PROFILES) {
if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)
domain->profile = (u8) profile;
return 0;
}
if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) {
domain->ignore_global_allow_read = !is_delete;
return 0;
}
return tomoyo_write_file_policy(data, domain, is_delete);
}
/**
* tomoyo_print_path_acl - Print a single path ACL entry.
*
* @head: Pointer to "struct tomoyo_io_buffer".
* @ptr: Pointer to "struct tomoyo_path_acl".
*
* Returns true on success, false otherwise.
*/
static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
struct tomoyo_path_acl *ptr)
{
int pos;
u8 bit;
const char *atmark = "";
const char *filename;
const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16);
filename = ptr->filename->name;
for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
const char *msg;
if (!(perm & (1 << bit)))
continue;
/* Print "read/write" instead of "read" and "write". */
if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
&& (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
continue;
msg = tomoyo_path2keyword(bit);
pos = head->read_avail;
if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg,
atmark, filename))
goto out;
}
head->read_bit = 0;
return true;
out:
head->read_bit = bit;
head->read_avail = pos;
return false;
}
/**
* tomoyo_print_path2_acl - Print a double path ACL entry.
*
* @head: Pointer to "struct tomoyo_io_buffer".
* @ptr: Pointer to "struct tomoyo_path2_acl".
*
* Returns true on success, false otherwise.
*/
static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head,
struct tomoyo_path2_acl *ptr)
{
int pos;
const char *atmark1 = "";
const char *atmark2 = "";
const char *filename1;
const char *filename2;
const u8 perm = ptr->perm;
u8 bit;
filename1 = ptr->filename1->name;
filename2 = ptr->filename2->name;
for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
const char *msg;
if (!(perm & (1 << bit)))
continue;
msg = tomoyo_path22keyword(bit);
pos = head->read_avail;
if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg,
atmark1, filename1, atmark2, filename2))
goto out;
}
head->read_bit = 0;
return true;
out:
head->read_bit = bit;
head->read_avail = pos;
return false;
}
/**
* tomoyo_print_entry - Print an ACL entry.
*
* @head: Pointer to "struct tomoyo_io_buffer".
* @ptr: Pointer to an ACL entry.
*
* Returns true on success, false otherwise.
*/
static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
struct tomoyo_acl_info *ptr)
{
const u8 acl_type = ptr->type;
if (acl_type == TOMOYO_TYPE_PATH_ACL) {
struct tomoyo_path_acl *acl
= container_of(ptr, struct tomoyo_path_acl, head);
return tomoyo_print_path_acl(head, acl);
}
if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
struct tomoyo_path2_acl *acl
= container_of(ptr, struct tomoyo_path2_acl, head);
return tomoyo_print_path2_acl(head, acl);
}
BUG(); /* This must not happen. */
return false;
}
/**
* tomoyo_read_domain_policy - Read domain policy.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns 0.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
{
struct list_head *dpos;
struct list_head *apos;
bool done = true;
if (head->read_eof)
return 0;
if (head->read_step == 0)
head->read_step = 1;
list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
struct tomoyo_domain_info *domain;
const char *quota_exceeded = "";
const char *transition_failed = "";
const char *ignore_global_allow_read = "";
domain = list_entry(dpos, struct tomoyo_domain_info, list);
if (head->read_step != 1)
goto acl_loop;
if (domain->is_deleted && !head->read_single_domain)
continue;
/* Print domainname and flags. */
if (domain->quota_warned)
quota_exceeded = "quota_exceeded\n";
if (domain->transition_failed)
transition_failed = "transition_failed\n";
if (domain->ignore_global_allow_read)
ignore_global_allow_read
= TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
"%u\n%s%s%s\n",
domain->domainname->name,
domain->profile, quota_exceeded,
transition_failed,
ignore_global_allow_read);
if (!done)
break;
head->read_step = 2;
acl_loop:
if (head->read_step == 3)
goto tail_mark;
/* Print ACL entries in the domain. */
list_for_each_cookie(apos, head->read_var2,
&domain->acl_info_list) {
struct tomoyo_acl_info *ptr
= list_entry(apos, struct tomoyo_acl_info,
list);
done = tomoyo_print_entry(head, ptr);
if (!done)
break;
}
if (!done)
break;
head->read_step = 3;
tail_mark:
done = tomoyo_io_printf(head, "\n");
if (!done)
break;
head->read_step = 1;
if (head->read_single_domain)
break;
}
head->read_eof = done;
return 0;
}
/**
* tomoyo_write_domain_profile - Assign profile for specified domain.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns 0 on success, -EINVAL otherwise.
*
* This is equivalent to doing
*
* ( echo "select " $domainname; echo "use_profile " $profile ) |
* /usr/lib/ccs/loadpolicy -d
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
{
char *data = head->write_buf;
char *cp = strchr(data, ' ');
struct tomoyo_domain_info *domain;
unsigned long profile;
if (!cp)
return -EINVAL;
*cp = '\0';
domain = tomoyo_find_domain(cp + 1);
if (strict_strtoul(data, 10, &profile))
return -EINVAL;
if (domain && profile < TOMOYO_MAX_PROFILES
&& (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded))
domain->profile = (u8) profile;
return 0;
}
/**
* tomoyo_read_domain_profile - Read only domainname and profile.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns list of profile number and domainname pairs.
*
* This is equivalent to doing
*
* grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
* awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
* domainname = $0; } else if ( $1 == "use_profile" ) {
* print $2 " " domainname; domainname = ""; } } ; '
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
{
struct list_head *pos;
bool done = true;
if (head->read_eof)
return 0;
list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) {
struct tomoyo_domain_info *domain;
domain = list_entry(pos, struct tomoyo_domain_info, list);
if (domain->is_deleted)
continue;
done = tomoyo_io_printf(head, "%u %s\n", domain->profile,
domain->domainname->name);
if (!done)
break;
}
head->read_eof = done;
return 0;
}
/**
* tomoyo_write_pid: Specify PID to obtain domainname.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns 0.
*/
static int tomoyo_write_pid(struct tomoyo_io_buffer *head)
{
unsigned long pid;
/* No error check. */
strict_strtoul(head->write_buf, 10, &pid);
head->read_step = (int) pid;
head->read_eof = false;
return 0;
}
/**
* tomoyo_read_pid - Get domainname of the specified PID.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns the domainname which the specified PID is in on success,
* empty string otherwise.
* The PID is specified by tomoyo_write_pid() so that the user can obtain
* using read()/write() interface rather than sysctl() interface.
*/
static int tomoyo_read_pid(struct tomoyo_io_buffer *head)
{
if (head->read_avail == 0 && !head->read_eof) {
const int pid = head->read_step;
struct task_struct *p;
struct tomoyo_domain_info *domain = NULL;
rcu_read_lock();
read_lock(&tasklist_lock);
p = find_task_by_vpid(pid);
if (p)
domain = tomoyo_real_domain(p);
read_unlock(&tasklist_lock);
rcu_read_unlock();
if (domain)
tomoyo_io_printf(head, "%d %u %s", pid, domain->profile,
domain->domainname->name);
head->read_eof = true;
}
return 0;
}
/**
* tomoyo_write_exception_policy - Write exception policy.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
{
char *data = head->write_buf;
bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN))
return tomoyo_write_domain_keeper_policy(data, false,
is_delete);
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN))
return tomoyo_write_domain_keeper_policy(data, true, is_delete);
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN))
return tomoyo_write_domain_initializer_policy(data, false,
is_delete);
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN))
return tomoyo_write_domain_initializer_policy(data, true,
is_delete);
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS))
return tomoyo_write_alias_policy(data, is_delete);
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ))
return tomoyo_write_globally_readable_policy(data, is_delete);
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN))
return tomoyo_write_pattern_policy(data, is_delete);
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE))
return tomoyo_write_no_rewrite_policy(data, is_delete);
return -EINVAL;
}
/**
* tomoyo_read_exception_policy - Read exception policy.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns 0 on success, -EINVAL otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head)
{
if (!head->read_eof) {
switch (head->read_step) {
case 0:
head->read_var2 = NULL;
head->read_step = 1;
case 1:
if (!tomoyo_read_domain_keeper_policy(head))
break;
head->read_var2 = NULL;
head->read_step = 2;
case 2:
if (!tomoyo_read_globally_readable_policy(head))
break;
head->read_var2 = NULL;
head->read_step = 3;
case 3:
head->read_var2 = NULL;
head->read_step = 4;
case 4:
if (!tomoyo_read_domain_initializer_policy(head))
break;
head->read_var2 = NULL;
head->read_step = 5;
case 5:
if (!tomoyo_read_alias_policy(head))
break;
head->read_var2 = NULL;
head->read_step = 6;
case 6:
head->read_var2 = NULL;
head->read_step = 7;
case 7:
if (!tomoyo_read_file_pattern(head))
break;
head->read_var2 = NULL;
head->read_step = 8;
case 8:
if (!tomoyo_read_no_rewrite_policy(head))
break;
head->read_var2 = NULL;
head->read_step = 9;
case 9:
head->read_eof = true;
break;
default:
return -EINVAL;
}
}
return 0;
}
/* path to policy loader */
static const char *tomoyo_loader = "/sbin/tomoyo-init";
/**
* tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
*
* Returns true if /sbin/tomoyo-init exists, false otherwise.
*/
static bool tomoyo_policy_loader_exists(void)
{
/*
* Don't activate MAC if the policy loader doesn't exist.
* If the initrd includes /sbin/init but real-root-dev has not
* mounted on / yet, activating MAC will block the system since
* policies are not loaded yet.
* Thus, let do_execve() call this function everytime.
*/
struct path path;
if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
printk(KERN_INFO "Not activating Mandatory Access Control now "
"since %s doesn't exist.\n", tomoyo_loader);
return false;
}
path_put(&path);
return true;
}
/**
* tomoyo_load_policy - Run external policy loader to load policy.
*
* @filename: The program about to start.
*
* This function checks whether @filename is /sbin/init , and if so
* invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
* and then continues invocation of /sbin/init.
* /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
* writes to /sys/kernel/security/tomoyo/ interfaces.
*
* Returns nothing.
*/
void tomoyo_load_policy(const char *filename)
{
char *argv[2];
char *envp[3];
if (tomoyo_policy_loaded)
return;
/*
* Check filename is /sbin/init or /sbin/tomoyo-start.
* /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
* be passed.
* You can create /sbin/tomoyo-start by
* "ln -s /bin/true /sbin/tomoyo-start".
*/
if (strcmp(filename, "/sbin/init") &&
strcmp(filename, "/sbin/tomoyo-start"))
return;
if (!tomoyo_policy_loader_exists())
return;
printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
tomoyo_loader);
argv[0] = (char *) tomoyo_loader;
argv[1] = NULL;
envp[0] = "HOME=/";
envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
envp[2] = NULL;
call_usermodehelper(argv[0], argv, envp, 1);
printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n");
printk(KERN_INFO "Mandatory Access Control activated.\n");
tomoyo_policy_loaded = true;
{ /* Check all profiles currently assigned to domains are defined. */
struct tomoyo_domain_info *domain;
list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
const u8 profile = domain->profile;
if (tomoyo_profile_ptr[profile])
continue;
panic("Profile %u (used by '%s') not defined.\n",
profile, domain->domainname->name);
}
}
}
/**
* tomoyo_read_version: Get version.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns version information.
*/
static int tomoyo_read_version(struct tomoyo_io_buffer *head)
{
if (!head->read_eof) {
tomoyo_io_printf(head, "2.2.0");
head->read_eof = true;
}
return 0;
}
/**
* tomoyo_read_self_domain - Get the current process's domainname.
*
* @head: Pointer to "struct tomoyo_io_buffer".
*
* Returns the current process's domainname.
*/
static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head)
{
if (!head->read_eof) {
/*
* tomoyo_domain()->domainname != NULL
* because every process belongs to a domain and
* the domain's name cannot be NULL.
*/
tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name);
head->read_eof = true;
}
return 0;
}
/**
* tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
*
* @type: Type of interface.
* @file: Pointer to "struct file".
*
* Associates policy handler and returns 0 on success, -ENOMEM otherwise.
*
* Caller acquires tomoyo_read_lock().
*/
static int tomoyo_open_control(const u8 type, struct file *file)
{
struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_KERNEL);
if (!head)
return -ENOMEM;
mutex_init(&head->io_sem);
switch (type) {
case TOMOYO_DOMAINPOLICY:
/* /sys/kernel/security/tomoyo/domain_policy */
head->write = tomoyo_write_domain_policy;
head->read = tomoyo_read_domain_policy;
break;
case TOMOYO_EXCEPTIONPOLICY:
/* /sys/kernel/security/tomoyo/exception_policy */
head->write = tomoyo_write_exception_policy;
head->read = tomoyo_read_exception_policy;
break;
case TOMOYO_SELFDOMAIN:
/* /sys/kernel/security/tomoyo/self_domain */
head->read = tomoyo_read_self_domain;
break;
case TOMOYO_DOMAIN_STATUS:
/* /sys/kernel/security/tomoyo/.domain_status */
head->write = tomoyo_write_domain_profile;
head->read = tomoyo_read_domain_profile;
break;
case TOMOYO_PROCESS_STATUS:
/* /sys/kernel/security/tomoyo/.process_status */
head->write = tomoyo_write_pid;
head->read = tomoyo_read_pid;
break;
case TOMOYO_VERSION:
/* /sys/kernel/security/tomoyo/version */
head->read = tomoyo_read_version;
head->readbuf_size = 128;
break;
case TOMOYO_MEMINFO:
/* /sys/kernel/security/tomoyo/meminfo */
head->write = tomoyo_write_memory_quota;
head->read = tomoyo_read_memory_counter;
head->readbuf_size = 512;
break;
case TOMOYO_PROFILE:
/* /sys/kernel/security/tomoyo/profile */
head->write = tomoyo_write_profile;
head->read = tomoyo_read_profile;
break;
case TOMOYO_MANAGER:
/* /sys/kernel/security/tomoyo/manager */
head->write = tomoyo_write_manager_policy;
head->read = tomoyo_read_manager_policy;
break;
}
if (!(file->f_mode & FMODE_READ)) {
/*
* No need to allocate read_buf since it is not opened
* for reading.
*/
head->read = NULL;
} else {
if (!head->readbuf_size)
head->readbuf_size = 4096 * 2;
head->read_buf = kzalloc(head->readbuf_size, GFP_KERNEL);
if (!head->read_buf) {
kfree(head);
return -ENOMEM;
}
}
if (!(file->f_mode & FMODE_WRITE)) {
/*
* No need to allocate write_buf since it is not opened
* for writing.
*/
head->write = NULL;
} else if (head->write) {
head->writebuf_size = 4096 * 2;
head->write_buf = kzalloc(head->writebuf_size, GFP_KERNEL);
if (!head->write_buf) {
kfree(head->read_buf);
kfree(head);
return -ENOMEM;
}
}
head->reader_idx = tomoyo_read_lock();
file->private_data = head;
/*
* Call the handler now if the file is
* /sys/kernel/security/tomoyo/self_domain
* so that the user can use
* cat < /sys/kernel/security/tomoyo/self_domain"
* to know the current process's domainname.
*/
if (type == TOMOYO_SELFDOMAIN)
tomoyo_read_control(file, NULL, 0);
return 0;
}
/**
* tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
*
* @file: Pointer to "struct file".
* @buffer: Poiner to buffer to write to.
* @buffer_len: Size of @buffer.
*
* Returns bytes read on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_read_control(struct file *file, char __user *buffer,
const int buffer_len)
{
int len = 0;
struct tomoyo_io_buffer *head = file->private_data;
char *cp;
if (!head->read)
return -ENOSYS;
if (mutex_lock_interruptible(&head->io_sem))
return -EINTR;
/* Call the policy handler. */
len = head->read(head);
if (len < 0)
goto out;
/* Write to buffer. */
len = head->read_avail;
if (len > buffer_len)
len = buffer_len;
if (!len)
goto out;
/* head->read_buf changes by some functions. */
cp = head->read_buf;
if (copy_to_user(buffer, cp, len)) {
len = -EFAULT;
goto out;
}
head->read_avail -= len;
memmove(cp, cp + len, head->read_avail);
out:
mutex_unlock(&head->io_sem);
return len;
}
/**
* tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
*
* @file: Pointer to "struct file".
* @buffer: Pointer to buffer to read from.
* @buffer_len: Size of @buffer.
*
* Returns @buffer_len on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_write_control(struct file *file, const char __user *buffer,
const int buffer_len)
{
struct tomoyo_io_buffer *head = file->private_data;
int error = buffer_len;
int avail_len = buffer_len;
char *cp0 = head->write_buf;
if (!head->write)
return -ENOSYS;
if (!access_ok(VERIFY_READ, buffer, buffer_len))
return -EFAULT;
/* Don't allow updating policies by non manager programs. */
if (head->write != tomoyo_write_pid &&
head->write != tomoyo_write_domain_policy &&
!tomoyo_is_policy_manager())
return -EPERM;
if (mutex_lock_interruptible(&head->io_sem))
return -EINTR;
/* Read a line and dispatch it to the policy handler. */
while (avail_len > 0) {
char c;
if (head->write_avail >= head->writebuf_size - 1) {
error = -ENOMEM;
break;
} else if (get_user(c, buffer)) {
error = -EFAULT;
break;
}
buffer++;
avail_len--;
cp0[head->write_avail++] = c;
if (c != '\n')
continue;
cp0[head->write_avail - 1] = '\0';
head->write_avail = 0;
tomoyo_normalize_line(cp0);
head->write(head);
}
mutex_unlock(&head->io_sem);
return error;
}
/**
* tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
*
* @file: Pointer to "struct file".
*
* Releases memory and returns 0.
*
* Caller looses tomoyo_read_lock().
*/
static int tomoyo_close_control(struct file *file)
{
struct tomoyo_io_buffer *head = file->private_data;
const bool is_write = !!head->write_buf;
tomoyo_read_unlock(head->reader_idx);
/* Release memory used for policy I/O. */
kfree(head->read_buf);
head->read_buf = NULL;
kfree(head->write_buf);
head->write_buf = NULL;
kfree(head);
head = NULL;
file->private_data = NULL;
if (is_write)
tomoyo_run_gc();
return 0;
}
/**
* tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
*
* @inode: Pointer to "struct inode".
* @file: Pointer to "struct file".
*
* Returns 0 on success, negative value otherwise.
*/
static int tomoyo_open(struct inode *inode, struct file *file)
{
const int key = ((u8 *) file->f_path.dentry->d_inode->i_private)
- ((u8 *) NULL);
return tomoyo_open_control(key, file);
}
/**
* tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
*
* @inode: Pointer to "struct inode".
* @file: Pointer to "struct file".
*
* Returns 0 on success, negative value otherwise.
*/
static int tomoyo_release(struct inode *inode, struct file *file)
{
return tomoyo_close_control(file);
}
/**
* tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
*
* @file: Pointer to "struct file".
* @buf: Pointer to buffer.
* @count: Size of @buf.
* @ppos: Unused.
*
* Returns bytes read on success, negative value otherwise.
*/
static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
loff_t *ppos)
{
return tomoyo_read_control(file, buf, count);
}
/**
* tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
*
* @file: Pointer to "struct file".
* @buf: Pointer to buffer.
* @count: Size of @buf.
* @ppos: Unused.
*
* Returns @count on success, negative value otherwise.
*/
static ssize_t tomoyo_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
return tomoyo_write_control(file, buf, count);
}
/*
* tomoyo_operations is a "struct file_operations" which is used for handling
* /sys/kernel/security/tomoyo/ interface.
*
* Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
* See tomoyo_io_buffer for internals.
*/
static const struct file_operations tomoyo_operations = {
.open = tomoyo_open,
.release = tomoyo_release,
.read = tomoyo_read,
.write = tomoyo_write,
};
/**
* tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
*
* @name: The name of the interface file.
* @mode: The permission of the interface file.
* @parent: The parent directory.
* @key: Type of interface.
*
* Returns nothing.
*/
static void __init tomoyo_create_entry(const char *name, const mode_t mode,
struct dentry *parent, const u8 key)
{
securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,
&tomoyo_operations);
}
/**
* tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
*
* Returns 0.
*/
static int __init tomoyo_initerface_init(void)
{
struct dentry *tomoyo_dir;
/* Don't create securityfs entries unless registered. */
if (current_cred()->security != &tomoyo_kernel_domain)
return 0;
tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
tomoyo_create_entry("domain_policy", 0600, tomoyo_dir,
TOMOYO_DOMAINPOLICY);
tomoyo_create_entry("exception_policy", 0600, tomoyo_dir,
TOMOYO_EXCEPTIONPOLICY);
tomoyo_create_entry("self_domain", 0400, tomoyo_dir,
TOMOYO_SELFDOMAIN);
tomoyo_create_entry(".domain_status", 0600, tomoyo_dir,
TOMOYO_DOMAIN_STATUS);
tomoyo_create_entry(".process_status", 0600, tomoyo_dir,
TOMOYO_PROCESS_STATUS);
tomoyo_create_entry("meminfo", 0600, tomoyo_dir,
TOMOYO_MEMINFO);
tomoyo_create_entry("profile", 0600, tomoyo_dir,
TOMOYO_PROFILE);
tomoyo_create_entry("manager", 0600, tomoyo_dir,
TOMOYO_MANAGER);
tomoyo_create_entry("version", 0400, tomoyo_dir,
TOMOYO_VERSION);
return 0;
}
fs_initcall(tomoyo_initerface_init);