common.c 59 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303
  1. /*
  2. * security/tomoyo/common.c
  3. *
  4. * Common functions for TOMOYO.
  5. *
  6. * Copyright (C) 2005-2009 NTT DATA CORPORATION
  7. *
  8. * Version: 2.2.0 2009/04/01
  9. *
  10. */
  11. #include <linux/uaccess.h>
  12. #include <linux/security.h>
  13. #include <linux/hardirq.h>
  14. #include "realpath.h"
  15. #include "common.h"
  16. #include "tomoyo.h"
  17. /* Has loading policy done? */
  18. bool tomoyo_policy_loaded;
  19. /* String table for functionality that takes 4 modes. */
  20. static const char *tomoyo_mode_4[4] = {
  21. "disabled", "learning", "permissive", "enforcing"
  22. };
  23. /* String table for functionality that takes 2 modes. */
  24. static const char *tomoyo_mode_2[4] = {
  25. "disabled", "enabled", "enabled", "enabled"
  26. };
  27. /*
  28. * tomoyo_control_array is a static data which contains
  29. *
  30. * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
  31. * (2) initial values for "struct tomoyo_profile".
  32. * (3) max values for "struct tomoyo_profile".
  33. */
  34. static struct {
  35. const char *keyword;
  36. unsigned int current_value;
  37. const unsigned int max_value;
  38. } tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = {
  39. [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 },
  40. [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX },
  41. [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 },
  42. };
  43. /*
  44. * tomoyo_profile is a structure which is used for holding the mode of access
  45. * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
  46. * An administrator can define up to 256 profiles.
  47. * The ->profile of "struct tomoyo_domain_info" is used for remembering
  48. * the profile's number (0 - 255) assigned to that domain.
  49. */
  50. static struct tomoyo_profile {
  51. unsigned int value[TOMOYO_MAX_CONTROL_INDEX];
  52. const struct tomoyo_path_info *comment;
  53. } *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES];
  54. /* Permit policy management by non-root user? */
  55. static bool tomoyo_manage_by_non_root;
  56. /* Utility functions. */
  57. /* Open operation for /sys/kernel/security/tomoyo/ interface. */
  58. static int tomoyo_open_control(const u8 type, struct file *file);
  59. /* Close /sys/kernel/security/tomoyo/ interface. */
  60. static int tomoyo_close_control(struct file *file);
  61. /* Read operation for /sys/kernel/security/tomoyo/ interface. */
  62. static int tomoyo_read_control(struct file *file, char __user *buffer,
  63. const int buffer_len);
  64. /* Write operation for /sys/kernel/security/tomoyo/ interface. */
  65. static int tomoyo_write_control(struct file *file, const char __user *buffer,
  66. const int buffer_len);
  67. /**
  68. * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
  69. *
  70. * @str: Pointer to the string.
  71. *
  72. * Returns true if @str is a \ooo style octal value, false otherwise.
  73. *
  74. * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
  75. * This function verifies that \ooo is in valid range.
  76. */
  77. static inline bool tomoyo_is_byte_range(const char *str)
  78. {
  79. return *str >= '0' && *str++ <= '3' &&
  80. *str >= '0' && *str++ <= '7' &&
  81. *str >= '0' && *str <= '7';
  82. }
  83. /**
  84. * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
  85. *
  86. * @c: The character to check.
  87. *
  88. * Returns true if @c is an alphabet character, false otherwise.
  89. */
  90. static inline bool tomoyo_is_alphabet_char(const char c)
  91. {
  92. return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
  93. }
  94. /**
  95. * tomoyo_make_byte - Make byte value from three octal characters.
  96. *
  97. * @c1: The first character.
  98. * @c2: The second character.
  99. * @c3: The third character.
  100. *
  101. * Returns byte value.
  102. */
  103. static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3)
  104. {
  105. return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0');
  106. }
  107. /**
  108. * tomoyo_str_starts - Check whether the given string starts with the given keyword.
  109. *
  110. * @src: Pointer to pointer to the string.
  111. * @find: Pointer to the keyword.
  112. *
  113. * Returns true if @src starts with @find, false otherwise.
  114. *
  115. * The @src is updated to point the first character after the @find
  116. * if @src starts with @find.
  117. */
  118. static bool tomoyo_str_starts(char **src, const char *find)
  119. {
  120. const int len = strlen(find);
  121. char *tmp = *src;
  122. if (strncmp(tmp, find, len))
  123. return false;
  124. tmp += len;
  125. *src = tmp;
  126. return true;
  127. }
  128. /**
  129. * tomoyo_normalize_line - Format string.
  130. *
  131. * @buffer: The line to normalize.
  132. *
  133. * Leading and trailing whitespaces are removed.
  134. * Multiple whitespaces are packed into single space.
  135. *
  136. * Returns nothing.
  137. */
  138. static void tomoyo_normalize_line(unsigned char *buffer)
  139. {
  140. unsigned char *sp = buffer;
  141. unsigned char *dp = buffer;
  142. bool first = true;
  143. while (tomoyo_is_invalid(*sp))
  144. sp++;
  145. while (*sp) {
  146. if (!first)
  147. *dp++ = ' ';
  148. first = false;
  149. while (tomoyo_is_valid(*sp))
  150. *dp++ = *sp++;
  151. while (tomoyo_is_invalid(*sp))
  152. sp++;
  153. }
  154. *dp = '\0';
  155. }
  156. /**
  157. * tomoyo_is_correct_path - Validate a pathname.
  158. * @filename: The pathname to check.
  159. * @start_type: Should the pathname start with '/'?
  160. * 1 = must / -1 = must not / 0 = don't care
  161. * @pattern_type: Can the pathname contain a wildcard?
  162. * 1 = must / -1 = must not / 0 = don't care
  163. * @end_type: Should the pathname end with '/'?
  164. * 1 = must / -1 = must not / 0 = don't care
  165. * @function: The name of function calling me.
  166. *
  167. * Check whether the given filename follows the naming rules.
  168. * Returns true if @filename follows the naming rules, false otherwise.
  169. */
  170. bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
  171. const s8 pattern_type, const s8 end_type,
  172. const char *function)
  173. {
  174. const char *const start = filename;
  175. bool in_repetition = false;
  176. bool contains_pattern = false;
  177. unsigned char c;
  178. unsigned char d;
  179. unsigned char e;
  180. const char *original_filename = filename;
  181. if (!filename)
  182. goto out;
  183. c = *filename;
  184. if (start_type == 1) { /* Must start with '/' */
  185. if (c != '/')
  186. goto out;
  187. } else if (start_type == -1) { /* Must not start with '/' */
  188. if (c == '/')
  189. goto out;
  190. }
  191. if (c)
  192. c = *(filename + strlen(filename) - 1);
  193. if (end_type == 1) { /* Must end with '/' */
  194. if (c != '/')
  195. goto out;
  196. } else if (end_type == -1) { /* Must not end with '/' */
  197. if (c == '/')
  198. goto out;
  199. }
  200. while (1) {
  201. c = *filename++;
  202. if (!c)
  203. break;
  204. if (c == '\\') {
  205. c = *filename++;
  206. switch (c) {
  207. case '\\': /* "\\" */
  208. continue;
  209. case '$': /* "\$" */
  210. case '+': /* "\+" */
  211. case '?': /* "\?" */
  212. case '*': /* "\*" */
  213. case '@': /* "\@" */
  214. case 'x': /* "\x" */
  215. case 'X': /* "\X" */
  216. case 'a': /* "\a" */
  217. case 'A': /* "\A" */
  218. case '-': /* "\-" */
  219. if (pattern_type == -1)
  220. break; /* Must not contain pattern */
  221. contains_pattern = true;
  222. continue;
  223. case '{': /* "/\{" */
  224. if (filename - 3 < start ||
  225. *(filename - 3) != '/')
  226. break;
  227. if (pattern_type == -1)
  228. break; /* Must not contain pattern */
  229. contains_pattern = true;
  230. in_repetition = true;
  231. continue;
  232. case '}': /* "\}/" */
  233. if (*filename != '/')
  234. break;
  235. if (!in_repetition)
  236. break;
  237. in_repetition = false;
  238. continue;
  239. case '0': /* "\ooo" */
  240. case '1':
  241. case '2':
  242. case '3':
  243. d = *filename++;
  244. if (d < '0' || d > '7')
  245. break;
  246. e = *filename++;
  247. if (e < '0' || e > '7')
  248. break;
  249. c = tomoyo_make_byte(c, d, e);
  250. if (tomoyo_is_invalid(c))
  251. continue; /* pattern is not \000 */
  252. }
  253. goto out;
  254. } else if (in_repetition && c == '/') {
  255. goto out;
  256. } else if (tomoyo_is_invalid(c)) {
  257. goto out;
  258. }
  259. }
  260. if (pattern_type == 1) { /* Must contain pattern */
  261. if (!contains_pattern)
  262. goto out;
  263. }
  264. if (in_repetition)
  265. goto out;
  266. return true;
  267. out:
  268. printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function,
  269. original_filename);
  270. return false;
  271. }
  272. /**
  273. * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
  274. * @domainname: The domainname to check.
  275. * @function: The name of function calling me.
  276. *
  277. * Returns true if @domainname follows the naming rules, false otherwise.
  278. */
  279. bool tomoyo_is_correct_domain(const unsigned char *domainname,
  280. const char *function)
  281. {
  282. unsigned char c;
  283. unsigned char d;
  284. unsigned char e;
  285. const char *org_domainname = domainname;
  286. if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME,
  287. TOMOYO_ROOT_NAME_LEN))
  288. goto out;
  289. domainname += TOMOYO_ROOT_NAME_LEN;
  290. if (!*domainname)
  291. return true;
  292. do {
  293. if (*domainname++ != ' ')
  294. goto out;
  295. if (*domainname++ != '/')
  296. goto out;
  297. while ((c = *domainname) != '\0' && c != ' ') {
  298. domainname++;
  299. if (c == '\\') {
  300. c = *domainname++;
  301. switch ((c)) {
  302. case '\\': /* "\\" */
  303. continue;
  304. case '0': /* "\ooo" */
  305. case '1':
  306. case '2':
  307. case '3':
  308. d = *domainname++;
  309. if (d < '0' || d > '7')
  310. break;
  311. e = *domainname++;
  312. if (e < '0' || e > '7')
  313. break;
  314. c = tomoyo_make_byte(c, d, e);
  315. if (tomoyo_is_invalid(c))
  316. /* pattern is not \000 */
  317. continue;
  318. }
  319. goto out;
  320. } else if (tomoyo_is_invalid(c)) {
  321. goto out;
  322. }
  323. }
  324. } while (*domainname);
  325. return true;
  326. out:
  327. printk(KERN_DEBUG "%s: Invalid domainname '%s'\n", function,
  328. org_domainname);
  329. return false;
  330. }
  331. /**
  332. * tomoyo_is_domain_def - Check whether the given token can be a domainname.
  333. *
  334. * @buffer: The token to check.
  335. *
  336. * Returns true if @buffer possibly be a domainname, false otherwise.
  337. */
  338. bool tomoyo_is_domain_def(const unsigned char *buffer)
  339. {
  340. return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN);
  341. }
  342. /**
  343. * tomoyo_find_domain - Find a domain by the given name.
  344. *
  345. * @domainname: The domainname to find.
  346. *
  347. * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
  348. *
  349. * Caller holds tomoyo_read_lock().
  350. */
  351. struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
  352. {
  353. struct tomoyo_domain_info *domain;
  354. struct tomoyo_path_info name;
  355. name.name = domainname;
  356. tomoyo_fill_path_info(&name);
  357. list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
  358. if (!domain->is_deleted &&
  359. !tomoyo_pathcmp(&name, domain->domainname))
  360. return domain;
  361. }
  362. return NULL;
  363. }
  364. /**
  365. * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
  366. *
  367. * @filename: The string to evaluate.
  368. *
  369. * Returns the initial length without a pattern in @filename.
  370. */
  371. static int tomoyo_const_part_length(const char *filename)
  372. {
  373. char c;
  374. int len = 0;
  375. if (!filename)
  376. return 0;
  377. while ((c = *filename++) != '\0') {
  378. if (c != '\\') {
  379. len++;
  380. continue;
  381. }
  382. c = *filename++;
  383. switch (c) {
  384. case '\\': /* "\\" */
  385. len += 2;
  386. continue;
  387. case '0': /* "\ooo" */
  388. case '1':
  389. case '2':
  390. case '3':
  391. c = *filename++;
  392. if (c < '0' || c > '7')
  393. break;
  394. c = *filename++;
  395. if (c < '0' || c > '7')
  396. break;
  397. len += 4;
  398. continue;
  399. }
  400. break;
  401. }
  402. return len;
  403. }
  404. /**
  405. * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
  406. *
  407. * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
  408. *
  409. * The caller sets "struct tomoyo_path_info"->name.
  410. */
  411. void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
  412. {
  413. const char *name = ptr->name;
  414. const int len = strlen(name);
  415. ptr->const_len = tomoyo_const_part_length(name);
  416. ptr->is_dir = len && (name[len - 1] == '/');
  417. ptr->is_patterned = (ptr->const_len < len);
  418. ptr->hash = full_name_hash(name, len);
  419. }
  420. /**
  421. * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
  422. * and "\-" pattern.
  423. *
  424. * @filename: The start of string to check.
  425. * @filename_end: The end of string to check.
  426. * @pattern: The start of pattern to compare.
  427. * @pattern_end: The end of pattern to compare.
  428. *
  429. * Returns true if @filename matches @pattern, false otherwise.
  430. */
  431. static bool tomoyo_file_matches_pattern2(const char *filename,
  432. const char *filename_end,
  433. const char *pattern,
  434. const char *pattern_end)
  435. {
  436. while (filename < filename_end && pattern < pattern_end) {
  437. char c;
  438. if (*pattern != '\\') {
  439. if (*filename++ != *pattern++)
  440. return false;
  441. continue;
  442. }
  443. c = *filename;
  444. pattern++;
  445. switch (*pattern) {
  446. int i;
  447. int j;
  448. case '?':
  449. if (c == '/') {
  450. return false;
  451. } else if (c == '\\') {
  452. if (filename[1] == '\\')
  453. filename++;
  454. else if (tomoyo_is_byte_range(filename + 1))
  455. filename += 3;
  456. else
  457. return false;
  458. }
  459. break;
  460. case '\\':
  461. if (c != '\\')
  462. return false;
  463. if (*++filename != '\\')
  464. return false;
  465. break;
  466. case '+':
  467. if (!isdigit(c))
  468. return false;
  469. break;
  470. case 'x':
  471. if (!isxdigit(c))
  472. return false;
  473. break;
  474. case 'a':
  475. if (!tomoyo_is_alphabet_char(c))
  476. return false;
  477. break;
  478. case '0':
  479. case '1':
  480. case '2':
  481. case '3':
  482. if (c == '\\' && tomoyo_is_byte_range(filename + 1)
  483. && strncmp(filename + 1, pattern, 3) == 0) {
  484. filename += 3;
  485. pattern += 2;
  486. break;
  487. }
  488. return false; /* Not matched. */
  489. case '*':
  490. case '@':
  491. for (i = 0; i <= filename_end - filename; i++) {
  492. if (tomoyo_file_matches_pattern2(
  493. filename + i, filename_end,
  494. pattern + 1, pattern_end))
  495. return true;
  496. c = filename[i];
  497. if (c == '.' && *pattern == '@')
  498. break;
  499. if (c != '\\')
  500. continue;
  501. if (filename[i + 1] == '\\')
  502. i++;
  503. else if (tomoyo_is_byte_range(filename + i + 1))
  504. i += 3;
  505. else
  506. break; /* Bad pattern. */
  507. }
  508. return false; /* Not matched. */
  509. default:
  510. j = 0;
  511. c = *pattern;
  512. if (c == '$') {
  513. while (isdigit(filename[j]))
  514. j++;
  515. } else if (c == 'X') {
  516. while (isxdigit(filename[j]))
  517. j++;
  518. } else if (c == 'A') {
  519. while (tomoyo_is_alphabet_char(filename[j]))
  520. j++;
  521. }
  522. for (i = 1; i <= j; i++) {
  523. if (tomoyo_file_matches_pattern2(
  524. filename + i, filename_end,
  525. pattern + 1, pattern_end))
  526. return true;
  527. }
  528. return false; /* Not matched or bad pattern. */
  529. }
  530. filename++;
  531. pattern++;
  532. }
  533. while (*pattern == '\\' &&
  534. (*(pattern + 1) == '*' || *(pattern + 1) == '@'))
  535. pattern += 2;
  536. return filename == filename_end && pattern == pattern_end;
  537. }
  538. /**
  539. * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
  540. *
  541. * @filename: The start of string to check.
  542. * @filename_end: The end of string to check.
  543. * @pattern: The start of pattern to compare.
  544. * @pattern_end: The end of pattern to compare.
  545. *
  546. * Returns true if @filename matches @pattern, false otherwise.
  547. */
  548. static bool tomoyo_file_matches_pattern(const char *filename,
  549. const char *filename_end,
  550. const char *pattern,
  551. const char *pattern_end)
  552. {
  553. const char *pattern_start = pattern;
  554. bool first = true;
  555. bool result;
  556. while (pattern < pattern_end - 1) {
  557. /* Split at "\-" pattern. */
  558. if (*pattern++ != '\\' || *pattern++ != '-')
  559. continue;
  560. result = tomoyo_file_matches_pattern2(filename,
  561. filename_end,
  562. pattern_start,
  563. pattern - 2);
  564. if (first)
  565. result = !result;
  566. if (result)
  567. return false;
  568. first = false;
  569. pattern_start = pattern;
  570. }
  571. result = tomoyo_file_matches_pattern2(filename, filename_end,
  572. pattern_start, pattern_end);
  573. return first ? result : !result;
  574. }
  575. /**
  576. * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
  577. *
  578. * @f: The start of string to check.
  579. * @p: The start of pattern to compare.
  580. *
  581. * Returns true if @f matches @p, false otherwise.
  582. */
  583. static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
  584. {
  585. const char *f_delimiter;
  586. const char *p_delimiter;
  587. while (*f && *p) {
  588. f_delimiter = strchr(f, '/');
  589. if (!f_delimiter)
  590. f_delimiter = f + strlen(f);
  591. p_delimiter = strchr(p, '/');
  592. if (!p_delimiter)
  593. p_delimiter = p + strlen(p);
  594. if (*p == '\\' && *(p + 1) == '{')
  595. goto recursive;
  596. if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
  597. p_delimiter))
  598. return false;
  599. f = f_delimiter;
  600. if (*f)
  601. f++;
  602. p = p_delimiter;
  603. if (*p)
  604. p++;
  605. }
  606. /* Ignore trailing "\*" and "\@" in @pattern. */
  607. while (*p == '\\' &&
  608. (*(p + 1) == '*' || *(p + 1) == '@'))
  609. p += 2;
  610. return !*f && !*p;
  611. recursive:
  612. /*
  613. * The "\{" pattern is permitted only after '/' character.
  614. * This guarantees that below "*(p - 1)" is safe.
  615. * Also, the "\}" pattern is permitted only before '/' character
  616. * so that "\{" + "\}" pair will not break the "\-" operator.
  617. */
  618. if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
  619. *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
  620. return false; /* Bad pattern. */
  621. do {
  622. /* Compare current component with pattern. */
  623. if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
  624. p_delimiter - 2))
  625. break;
  626. /* Proceed to next component. */
  627. f = f_delimiter;
  628. if (!*f)
  629. break;
  630. f++;
  631. /* Continue comparison. */
  632. if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
  633. return true;
  634. f_delimiter = strchr(f, '/');
  635. } while (f_delimiter);
  636. return false; /* Not matched. */
  637. }
  638. /**
  639. * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
  640. *
  641. * @filename: The filename to check.
  642. * @pattern: The pattern to compare.
  643. *
  644. * Returns true if matches, false otherwise.
  645. *
  646. * The following patterns are available.
  647. * \\ \ itself.
  648. * \ooo Octal representation of a byte.
  649. * \* Zero or more repetitions of characters other than '/'.
  650. * \@ Zero or more repetitions of characters other than '/' or '.'.
  651. * \? 1 byte character other than '/'.
  652. * \$ One or more repetitions of decimal digits.
  653. * \+ 1 decimal digit.
  654. * \X One or more repetitions of hexadecimal digits.
  655. * \x 1 hexadecimal digit.
  656. * \A One or more repetitions of alphabet characters.
  657. * \a 1 alphabet character.
  658. *
  659. * \- Subtraction operator.
  660. *
  661. * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
  662. * /dir/dir/dir/ ).
  663. */
  664. bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
  665. const struct tomoyo_path_info *pattern)
  666. {
  667. const char *f = filename->name;
  668. const char *p = pattern->name;
  669. const int len = pattern->const_len;
  670. /* If @pattern doesn't contain pattern, I can use strcmp(). */
  671. if (!pattern->is_patterned)
  672. return !tomoyo_pathcmp(filename, pattern);
  673. /* Don't compare directory and non-directory. */
  674. if (filename->is_dir != pattern->is_dir)
  675. return false;
  676. /* Compare the initial length without patterns. */
  677. if (strncmp(f, p, len))
  678. return false;
  679. f += len;
  680. p += len;
  681. return tomoyo_path_matches_pattern2(f, p);
  682. }
  683. /**
  684. * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
  685. *
  686. * @head: Pointer to "struct tomoyo_io_buffer".
  687. * @fmt: The printf()'s format string, followed by parameters.
  688. *
  689. * Returns true if output was written, false otherwise.
  690. *
  691. * The snprintf() will truncate, but tomoyo_io_printf() won't.
  692. */
  693. bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
  694. {
  695. va_list args;
  696. int len;
  697. int pos = head->read_avail;
  698. int size = head->readbuf_size - pos;
  699. if (size <= 0)
  700. return false;
  701. va_start(args, fmt);
  702. len = vsnprintf(head->read_buf + pos, size, fmt, args);
  703. va_end(args);
  704. if (pos + len >= head->readbuf_size)
  705. return false;
  706. head->read_avail += len;
  707. return true;
  708. }
  709. /**
  710. * tomoyo_get_exe - Get tomoyo_realpath() of current process.
  711. *
  712. * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
  713. *
  714. * This function uses tomoyo_alloc(), so the caller must call tomoyo_free()
  715. * if this function didn't return NULL.
  716. */
  717. static const char *tomoyo_get_exe(void)
  718. {
  719. struct mm_struct *mm = current->mm;
  720. struct vm_area_struct *vma;
  721. const char *cp = NULL;
  722. if (!mm)
  723. return NULL;
  724. down_read(&mm->mmap_sem);
  725. for (vma = mm->mmap; vma; vma = vma->vm_next) {
  726. if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) {
  727. cp = tomoyo_realpath_from_path(&vma->vm_file->f_path);
  728. break;
  729. }
  730. }
  731. up_read(&mm->mmap_sem);
  732. return cp;
  733. }
  734. /**
  735. * tomoyo_get_msg - Get warning message.
  736. *
  737. * @is_enforce: Is it enforcing mode?
  738. *
  739. * Returns "ERROR" or "WARNING".
  740. */
  741. const char *tomoyo_get_msg(const bool is_enforce)
  742. {
  743. if (is_enforce)
  744. return "ERROR";
  745. else
  746. return "WARNING";
  747. }
  748. /**
  749. * tomoyo_check_flags - Check mode for specified functionality.
  750. *
  751. * @domain: Pointer to "struct tomoyo_domain_info".
  752. * @index: The functionality to check mode.
  753. *
  754. * TOMOYO checks only process context.
  755. * This code disables TOMOYO's enforcement in case the function is called from
  756. * interrupt context.
  757. */
  758. unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
  759. const u8 index)
  760. {
  761. const u8 profile = domain->profile;
  762. if (WARN_ON(in_interrupt()))
  763. return 0;
  764. return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX
  765. #if TOMOYO_MAX_PROFILES != 256
  766. && profile < TOMOYO_MAX_PROFILES
  767. #endif
  768. && tomoyo_profile_ptr[profile] ?
  769. tomoyo_profile_ptr[profile]->value[index] : 0;
  770. }
  771. /**
  772. * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
  773. *
  774. * @domain: Pointer to "struct tomoyo_domain_info".
  775. *
  776. * Returns true if domain policy violation warning should be printed to
  777. * console.
  778. */
  779. bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain)
  780. {
  781. return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0;
  782. }
  783. /**
  784. * tomoyo_domain_quota_is_ok - Check for domain's quota.
  785. *
  786. * @domain: Pointer to "struct tomoyo_domain_info".
  787. *
  788. * Returns true if the domain is not exceeded quota, false otherwise.
  789. *
  790. * Caller holds tomoyo_read_lock().
  791. */
  792. bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
  793. {
  794. unsigned int count = 0;
  795. struct tomoyo_acl_info *ptr;
  796. if (!domain)
  797. return true;
  798. list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
  799. if (ptr->type & TOMOYO_ACL_DELETED)
  800. continue;
  801. switch (tomoyo_acl_type2(ptr)) {
  802. struct tomoyo_single_path_acl_record *acl;
  803. u32 perm;
  804. u8 i;
  805. case TOMOYO_TYPE_SINGLE_PATH_ACL:
  806. acl = container_of(ptr,
  807. struct tomoyo_single_path_acl_record,
  808. head);
  809. perm = acl->perm | (((u32) acl->perm_high) << 16);
  810. for (i = 0; i < TOMOYO_MAX_SINGLE_PATH_OPERATION; i++)
  811. if (perm & (1 << i))
  812. count++;
  813. if (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
  814. count -= 2;
  815. break;
  816. case TOMOYO_TYPE_DOUBLE_PATH_ACL:
  817. perm = container_of(ptr,
  818. struct tomoyo_double_path_acl_record,
  819. head)->perm;
  820. for (i = 0; i < TOMOYO_MAX_DOUBLE_PATH_OPERATION; i++)
  821. if (perm & (1 << i))
  822. count++;
  823. break;
  824. }
  825. }
  826. if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
  827. return true;
  828. if (!domain->quota_warned) {
  829. domain->quota_warned = true;
  830. printk(KERN_WARNING "TOMOYO-WARNING: "
  831. "Domain '%s' has so many ACLs to hold. "
  832. "Stopped learning mode.\n", domain->domainname->name);
  833. }
  834. return false;
  835. }
  836. /**
  837. * tomoyo_find_or_assign_new_profile - Create a new profile.
  838. *
  839. * @profile: Profile number to create.
  840. *
  841. * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
  842. */
  843. static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
  844. int profile)
  845. {
  846. static DEFINE_MUTEX(lock);
  847. struct tomoyo_profile *ptr = NULL;
  848. int i;
  849. if (profile >= TOMOYO_MAX_PROFILES)
  850. return NULL;
  851. mutex_lock(&lock);
  852. ptr = tomoyo_profile_ptr[profile];
  853. if (ptr)
  854. goto ok;
  855. ptr = tomoyo_alloc_element(sizeof(*ptr));
  856. if (!ptr)
  857. goto ok;
  858. for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++)
  859. ptr->value[i] = tomoyo_control_array[i].current_value;
  860. mb(); /* Avoid out-of-order execution. */
  861. tomoyo_profile_ptr[profile] = ptr;
  862. ok:
  863. mutex_unlock(&lock);
  864. return ptr;
  865. }
  866. /**
  867. * tomoyo_write_profile - Write to profile table.
  868. *
  869. * @head: Pointer to "struct tomoyo_io_buffer".
  870. *
  871. * Returns 0 on success, negative value otherwise.
  872. */
  873. static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
  874. {
  875. char *data = head->write_buf;
  876. unsigned int i;
  877. unsigned int value;
  878. char *cp;
  879. struct tomoyo_profile *profile;
  880. unsigned long num;
  881. cp = strchr(data, '-');
  882. if (cp)
  883. *cp = '\0';
  884. if (strict_strtoul(data, 10, &num))
  885. return -EINVAL;
  886. if (cp)
  887. data = cp + 1;
  888. profile = tomoyo_find_or_assign_new_profile(num);
  889. if (!profile)
  890. return -EINVAL;
  891. cp = strchr(data, '=');
  892. if (!cp)
  893. return -EINVAL;
  894. *cp = '\0';
  895. if (!strcmp(data, "COMMENT")) {
  896. profile->comment = tomoyo_save_name(cp + 1);
  897. return 0;
  898. }
  899. for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) {
  900. if (strcmp(data, tomoyo_control_array[i].keyword))
  901. continue;
  902. if (sscanf(cp + 1, "%u", &value) != 1) {
  903. int j;
  904. const char **modes;
  905. switch (i) {
  906. case TOMOYO_VERBOSE:
  907. modes = tomoyo_mode_2;
  908. break;
  909. default:
  910. modes = tomoyo_mode_4;
  911. break;
  912. }
  913. for (j = 0; j < 4; j++) {
  914. if (strcmp(cp + 1, modes[j]))
  915. continue;
  916. value = j;
  917. break;
  918. }
  919. if (j == 4)
  920. return -EINVAL;
  921. } else if (value > tomoyo_control_array[i].max_value) {
  922. value = tomoyo_control_array[i].max_value;
  923. }
  924. profile->value[i] = value;
  925. return 0;
  926. }
  927. return -EINVAL;
  928. }
  929. /**
  930. * tomoyo_read_profile - Read from profile table.
  931. *
  932. * @head: Pointer to "struct tomoyo_io_buffer".
  933. *
  934. * Returns 0.
  935. */
  936. static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
  937. {
  938. static const int total = TOMOYO_MAX_CONTROL_INDEX + 1;
  939. int step;
  940. if (head->read_eof)
  941. return 0;
  942. for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total;
  943. step++) {
  944. const u8 index = step / total;
  945. u8 type = step % total;
  946. const struct tomoyo_profile *profile
  947. = tomoyo_profile_ptr[index];
  948. head->read_step = step;
  949. if (!profile)
  950. continue;
  951. if (!type) { /* Print profile' comment tag. */
  952. if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n",
  953. index, profile->comment ?
  954. profile->comment->name : ""))
  955. break;
  956. continue;
  957. }
  958. type--;
  959. if (type < TOMOYO_MAX_CONTROL_INDEX) {
  960. const unsigned int value = profile->value[type];
  961. const char **modes = NULL;
  962. const char *keyword
  963. = tomoyo_control_array[type].keyword;
  964. switch (tomoyo_control_array[type].max_value) {
  965. case 3:
  966. modes = tomoyo_mode_4;
  967. break;
  968. case 1:
  969. modes = tomoyo_mode_2;
  970. break;
  971. }
  972. if (modes) {
  973. if (!tomoyo_io_printf(head, "%u-%s=%s\n", index,
  974. keyword, modes[value]))
  975. break;
  976. } else {
  977. if (!tomoyo_io_printf(head, "%u-%s=%u\n", index,
  978. keyword, value))
  979. break;
  980. }
  981. }
  982. }
  983. if (step == TOMOYO_MAX_PROFILES * total)
  984. head->read_eof = true;
  985. return 0;
  986. }
  987. /*
  988. * tomoyo_policy_manager_entry is a structure which is used for holding list of
  989. * domainnames or programs which are permitted to modify configuration via
  990. * /sys/kernel/security/tomoyo/ interface.
  991. * It has following fields.
  992. *
  993. * (1) "list" which is linked to tomoyo_policy_manager_list .
  994. * (2) "manager" is a domainname or a program's pathname.
  995. * (3) "is_domain" is a bool which is true if "manager" is a domainname, false
  996. * otherwise.
  997. * (4) "is_deleted" is a bool which is true if marked as deleted, false
  998. * otherwise.
  999. */
  1000. struct tomoyo_policy_manager_entry {
  1001. struct list_head list;
  1002. /* A path to program or a domainname. */
  1003. const struct tomoyo_path_info *manager;
  1004. bool is_domain; /* True if manager is a domainname. */
  1005. bool is_deleted; /* True if this entry is deleted. */
  1006. };
  1007. /*
  1008. * tomoyo_policy_manager_list is used for holding list of domainnames or
  1009. * programs which are permitted to modify configuration via
  1010. * /sys/kernel/security/tomoyo/ interface.
  1011. *
  1012. * An entry is added by
  1013. *
  1014. * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
  1015. * /sys/kernel/security/tomoyo/manager
  1016. * (if you want to specify by a domainname)
  1017. *
  1018. * or
  1019. *
  1020. * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
  1021. * (if you want to specify by a program's location)
  1022. *
  1023. * and is deleted by
  1024. *
  1025. * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
  1026. * /sys/kernel/security/tomoyo/manager
  1027. *
  1028. * or
  1029. *
  1030. * # echo 'delete /usr/lib/ccs/editpolicy' > \
  1031. * /sys/kernel/security/tomoyo/manager
  1032. *
  1033. * and all entries are retrieved by
  1034. *
  1035. * # cat /sys/kernel/security/tomoyo/manager
  1036. */
  1037. static LIST_HEAD(tomoyo_policy_manager_list);
  1038. static DECLARE_RWSEM(tomoyo_policy_manager_list_lock);
  1039. /**
  1040. * tomoyo_update_manager_entry - Add a manager entry.
  1041. *
  1042. * @manager: The path to manager or the domainnamme.
  1043. * @is_delete: True if it is a delete request.
  1044. *
  1045. * Returns 0 on success, negative value otherwise.
  1046. *
  1047. * Caller holds tomoyo_read_lock().
  1048. */
  1049. static int tomoyo_update_manager_entry(const char *manager,
  1050. const bool is_delete)
  1051. {
  1052. struct tomoyo_policy_manager_entry *new_entry;
  1053. struct tomoyo_policy_manager_entry *ptr;
  1054. const struct tomoyo_path_info *saved_manager;
  1055. int error = -ENOMEM;
  1056. bool is_domain = false;
  1057. if (tomoyo_is_domain_def(manager)) {
  1058. if (!tomoyo_is_correct_domain(manager, __func__))
  1059. return -EINVAL;
  1060. is_domain = true;
  1061. } else {
  1062. if (!tomoyo_is_correct_path(manager, 1, -1, -1, __func__))
  1063. return -EINVAL;
  1064. }
  1065. saved_manager = tomoyo_save_name(manager);
  1066. if (!saved_manager)
  1067. return -ENOMEM;
  1068. down_write(&tomoyo_policy_manager_list_lock);
  1069. list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
  1070. if (ptr->manager != saved_manager)
  1071. continue;
  1072. ptr->is_deleted = is_delete;
  1073. error = 0;
  1074. goto out;
  1075. }
  1076. if (is_delete) {
  1077. error = -ENOENT;
  1078. goto out;
  1079. }
  1080. new_entry = tomoyo_alloc_element(sizeof(*new_entry));
  1081. if (!new_entry)
  1082. goto out;
  1083. new_entry->manager = saved_manager;
  1084. new_entry->is_domain = is_domain;
  1085. list_add_tail_rcu(&new_entry->list, &tomoyo_policy_manager_list);
  1086. error = 0;
  1087. out:
  1088. up_write(&tomoyo_policy_manager_list_lock);
  1089. return error;
  1090. }
  1091. /**
  1092. * tomoyo_write_manager_policy - Write manager policy.
  1093. *
  1094. * @head: Pointer to "struct tomoyo_io_buffer".
  1095. *
  1096. * Returns 0 on success, negative value otherwise.
  1097. *
  1098. * Caller holds tomoyo_read_lock().
  1099. */
  1100. static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
  1101. {
  1102. char *data = head->write_buf;
  1103. bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
  1104. if (!strcmp(data, "manage_by_non_root")) {
  1105. tomoyo_manage_by_non_root = !is_delete;
  1106. return 0;
  1107. }
  1108. return tomoyo_update_manager_entry(data, is_delete);
  1109. }
  1110. /**
  1111. * tomoyo_read_manager_policy - Read manager policy.
  1112. *
  1113. * @head: Pointer to "struct tomoyo_io_buffer".
  1114. *
  1115. * Returns 0.
  1116. *
  1117. * Caller holds tomoyo_read_lock().
  1118. */
  1119. static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
  1120. {
  1121. struct list_head *pos;
  1122. bool done = true;
  1123. if (head->read_eof)
  1124. return 0;
  1125. list_for_each_cookie(pos, head->read_var2,
  1126. &tomoyo_policy_manager_list) {
  1127. struct tomoyo_policy_manager_entry *ptr;
  1128. ptr = list_entry(pos, struct tomoyo_policy_manager_entry,
  1129. list);
  1130. if (ptr->is_deleted)
  1131. continue;
  1132. done = tomoyo_io_printf(head, "%s\n", ptr->manager->name);
  1133. if (!done)
  1134. break;
  1135. }
  1136. head->read_eof = done;
  1137. return 0;
  1138. }
  1139. /**
  1140. * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
  1141. *
  1142. * Returns true if the current process is permitted to modify policy
  1143. * via /sys/kernel/security/tomoyo/ interface.
  1144. *
  1145. * Caller holds tomoyo_read_lock().
  1146. */
  1147. static bool tomoyo_is_policy_manager(void)
  1148. {
  1149. struct tomoyo_policy_manager_entry *ptr;
  1150. const char *exe;
  1151. const struct task_struct *task = current;
  1152. const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
  1153. bool found = false;
  1154. if (!tomoyo_policy_loaded)
  1155. return true;
  1156. if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
  1157. return false;
  1158. list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
  1159. if (!ptr->is_deleted && ptr->is_domain
  1160. && !tomoyo_pathcmp(domainname, ptr->manager)) {
  1161. found = true;
  1162. break;
  1163. }
  1164. }
  1165. if (found)
  1166. return true;
  1167. exe = tomoyo_get_exe();
  1168. if (!exe)
  1169. return false;
  1170. list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
  1171. if (!ptr->is_deleted && !ptr->is_domain
  1172. && !strcmp(exe, ptr->manager->name)) {
  1173. found = true;
  1174. break;
  1175. }
  1176. }
  1177. if (!found) { /* Reduce error messages. */
  1178. static pid_t last_pid;
  1179. const pid_t pid = current->pid;
  1180. if (last_pid != pid) {
  1181. printk(KERN_WARNING "%s ( %s ) is not permitted to "
  1182. "update policies.\n", domainname->name, exe);
  1183. last_pid = pid;
  1184. }
  1185. }
  1186. tomoyo_free(exe);
  1187. return found;
  1188. }
  1189. /**
  1190. * tomoyo_is_select_one - Parse select command.
  1191. *
  1192. * @head: Pointer to "struct tomoyo_io_buffer".
  1193. * @data: String to parse.
  1194. *
  1195. * Returns true on success, false otherwise.
  1196. *
  1197. * Caller holds tomoyo_read_lock().
  1198. */
  1199. static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
  1200. const char *data)
  1201. {
  1202. unsigned int pid;
  1203. struct tomoyo_domain_info *domain = NULL;
  1204. if (sscanf(data, "pid=%u", &pid) == 1) {
  1205. struct task_struct *p;
  1206. read_lock(&tasklist_lock);
  1207. p = find_task_by_vpid(pid);
  1208. if (p)
  1209. domain = tomoyo_real_domain(p);
  1210. read_unlock(&tasklist_lock);
  1211. } else if (!strncmp(data, "domain=", 7)) {
  1212. if (tomoyo_is_domain_def(data + 7))
  1213. domain = tomoyo_find_domain(data + 7);
  1214. } else
  1215. return false;
  1216. head->write_var1 = domain;
  1217. /* Accessing read_buf is safe because head->io_sem is held. */
  1218. if (!head->read_buf)
  1219. return true; /* Do nothing if open(O_WRONLY). */
  1220. head->read_avail = 0;
  1221. tomoyo_io_printf(head, "# select %s\n", data);
  1222. head->read_single_domain = true;
  1223. head->read_eof = !domain;
  1224. if (domain) {
  1225. struct tomoyo_domain_info *d;
  1226. head->read_var1 = NULL;
  1227. list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
  1228. if (d == domain)
  1229. break;
  1230. head->read_var1 = &d->list;
  1231. }
  1232. head->read_var2 = NULL;
  1233. head->read_bit = 0;
  1234. head->read_step = 0;
  1235. if (domain->is_deleted)
  1236. tomoyo_io_printf(head, "# This is a deleted domain.\n");
  1237. }
  1238. return true;
  1239. }
  1240. /**
  1241. * tomoyo_delete_domain - Delete a domain.
  1242. *
  1243. * @domainname: The name of domain.
  1244. *
  1245. * Returns 0.
  1246. *
  1247. * Caller holds tomoyo_read_lock().
  1248. */
  1249. static int tomoyo_delete_domain(char *domainname)
  1250. {
  1251. struct tomoyo_domain_info *domain;
  1252. struct tomoyo_path_info name;
  1253. name.name = domainname;
  1254. tomoyo_fill_path_info(&name);
  1255. down_write(&tomoyo_domain_list_lock);
  1256. /* Is there an active domain? */
  1257. list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
  1258. /* Never delete tomoyo_kernel_domain */
  1259. if (domain == &tomoyo_kernel_domain)
  1260. continue;
  1261. if (domain->is_deleted ||
  1262. tomoyo_pathcmp(domain->domainname, &name))
  1263. continue;
  1264. domain->is_deleted = true;
  1265. break;
  1266. }
  1267. up_write(&tomoyo_domain_list_lock);
  1268. return 0;
  1269. }
  1270. /**
  1271. * tomoyo_write_domain_policy - Write domain policy.
  1272. *
  1273. * @head: Pointer to "struct tomoyo_io_buffer".
  1274. *
  1275. * Returns 0 on success, negative value otherwise.
  1276. *
  1277. * Caller holds tomoyo_read_lock().
  1278. */
  1279. static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
  1280. {
  1281. char *data = head->write_buf;
  1282. struct tomoyo_domain_info *domain = head->write_var1;
  1283. bool is_delete = false;
  1284. bool is_select = false;
  1285. unsigned int profile;
  1286. if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE))
  1287. is_delete = true;
  1288. else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT))
  1289. is_select = true;
  1290. if (is_select && tomoyo_is_select_one(head, data))
  1291. return 0;
  1292. /* Don't allow updating policies by non manager programs. */
  1293. if (!tomoyo_is_policy_manager())
  1294. return -EPERM;
  1295. if (tomoyo_is_domain_def(data)) {
  1296. domain = NULL;
  1297. if (is_delete)
  1298. tomoyo_delete_domain(data);
  1299. else if (is_select)
  1300. domain = tomoyo_find_domain(data);
  1301. else
  1302. domain = tomoyo_find_or_assign_new_domain(data, 0);
  1303. head->write_var1 = domain;
  1304. return 0;
  1305. }
  1306. if (!domain)
  1307. return -EINVAL;
  1308. if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1
  1309. && profile < TOMOYO_MAX_PROFILES) {
  1310. if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)
  1311. domain->profile = (u8) profile;
  1312. return 0;
  1313. }
  1314. if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) {
  1315. tomoyo_set_domain_flag(domain, is_delete,
  1316. TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ);
  1317. return 0;
  1318. }
  1319. return tomoyo_write_file_policy(data, domain, is_delete);
  1320. }
  1321. /**
  1322. * tomoyo_print_single_path_acl - Print a single path ACL entry.
  1323. *
  1324. * @head: Pointer to "struct tomoyo_io_buffer".
  1325. * @ptr: Pointer to "struct tomoyo_single_path_acl_record".
  1326. *
  1327. * Returns true on success, false otherwise.
  1328. */
  1329. static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head,
  1330. struct tomoyo_single_path_acl_record *
  1331. ptr)
  1332. {
  1333. int pos;
  1334. u8 bit;
  1335. const char *atmark = "";
  1336. const char *filename;
  1337. const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16);
  1338. filename = ptr->filename->name;
  1339. for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION;
  1340. bit++) {
  1341. const char *msg;
  1342. if (!(perm & (1 << bit)))
  1343. continue;
  1344. /* Print "read/write" instead of "read" and "write". */
  1345. if ((bit == TOMOYO_TYPE_READ_ACL ||
  1346. bit == TOMOYO_TYPE_WRITE_ACL)
  1347. && (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
  1348. continue;
  1349. msg = tomoyo_sp2keyword(bit);
  1350. pos = head->read_avail;
  1351. if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg,
  1352. atmark, filename))
  1353. goto out;
  1354. }
  1355. head->read_bit = 0;
  1356. return true;
  1357. out:
  1358. head->read_bit = bit;
  1359. head->read_avail = pos;
  1360. return false;
  1361. }
  1362. /**
  1363. * tomoyo_print_double_path_acl - Print a double path ACL entry.
  1364. *
  1365. * @head: Pointer to "struct tomoyo_io_buffer".
  1366. * @ptr: Pointer to "struct tomoyo_double_path_acl_record".
  1367. *
  1368. * Returns true on success, false otherwise.
  1369. */
  1370. static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head,
  1371. struct tomoyo_double_path_acl_record *
  1372. ptr)
  1373. {
  1374. int pos;
  1375. const char *atmark1 = "";
  1376. const char *atmark2 = "";
  1377. const char *filename1;
  1378. const char *filename2;
  1379. const u8 perm = ptr->perm;
  1380. u8 bit;
  1381. filename1 = ptr->filename1->name;
  1382. filename2 = ptr->filename2->name;
  1383. for (bit = head->read_bit; bit < TOMOYO_MAX_DOUBLE_PATH_OPERATION;
  1384. bit++) {
  1385. const char *msg;
  1386. if (!(perm & (1 << bit)))
  1387. continue;
  1388. msg = tomoyo_dp2keyword(bit);
  1389. pos = head->read_avail;
  1390. if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg,
  1391. atmark1, filename1, atmark2, filename2))
  1392. goto out;
  1393. }
  1394. head->read_bit = 0;
  1395. return true;
  1396. out:
  1397. head->read_bit = bit;
  1398. head->read_avail = pos;
  1399. return false;
  1400. }
  1401. /**
  1402. * tomoyo_print_entry - Print an ACL entry.
  1403. *
  1404. * @head: Pointer to "struct tomoyo_io_buffer".
  1405. * @ptr: Pointer to an ACL entry.
  1406. *
  1407. * Returns true on success, false otherwise.
  1408. */
  1409. static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
  1410. struct tomoyo_acl_info *ptr)
  1411. {
  1412. const u8 acl_type = tomoyo_acl_type2(ptr);
  1413. if (acl_type & TOMOYO_ACL_DELETED)
  1414. return true;
  1415. if (acl_type == TOMOYO_TYPE_SINGLE_PATH_ACL) {
  1416. struct tomoyo_single_path_acl_record *acl
  1417. = container_of(ptr,
  1418. struct tomoyo_single_path_acl_record,
  1419. head);
  1420. return tomoyo_print_single_path_acl(head, acl);
  1421. }
  1422. if (acl_type == TOMOYO_TYPE_DOUBLE_PATH_ACL) {
  1423. struct tomoyo_double_path_acl_record *acl
  1424. = container_of(ptr,
  1425. struct tomoyo_double_path_acl_record,
  1426. head);
  1427. return tomoyo_print_double_path_acl(head, acl);
  1428. }
  1429. BUG(); /* This must not happen. */
  1430. return false;
  1431. }
  1432. /**
  1433. * tomoyo_read_domain_policy - Read domain policy.
  1434. *
  1435. * @head: Pointer to "struct tomoyo_io_buffer".
  1436. *
  1437. * Returns 0.
  1438. *
  1439. * Caller holds tomoyo_read_lock().
  1440. */
  1441. static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
  1442. {
  1443. struct list_head *dpos;
  1444. struct list_head *apos;
  1445. bool done = true;
  1446. if (head->read_eof)
  1447. return 0;
  1448. if (head->read_step == 0)
  1449. head->read_step = 1;
  1450. list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
  1451. struct tomoyo_domain_info *domain;
  1452. const char *quota_exceeded = "";
  1453. const char *transition_failed = "";
  1454. const char *ignore_global_allow_read = "";
  1455. domain = list_entry(dpos, struct tomoyo_domain_info, list);
  1456. if (head->read_step != 1)
  1457. goto acl_loop;
  1458. if (domain->is_deleted && !head->read_single_domain)
  1459. continue;
  1460. /* Print domainname and flags. */
  1461. if (domain->quota_warned)
  1462. quota_exceeded = "quota_exceeded\n";
  1463. if (domain->flags & TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED)
  1464. transition_failed = "transition_failed\n";
  1465. if (domain->flags &
  1466. TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ)
  1467. ignore_global_allow_read
  1468. = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
  1469. done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
  1470. "%u\n%s%s%s\n",
  1471. domain->domainname->name,
  1472. domain->profile, quota_exceeded,
  1473. transition_failed,
  1474. ignore_global_allow_read);
  1475. if (!done)
  1476. break;
  1477. head->read_step = 2;
  1478. acl_loop:
  1479. if (head->read_step == 3)
  1480. goto tail_mark;
  1481. /* Print ACL entries in the domain. */
  1482. list_for_each_cookie(apos, head->read_var2,
  1483. &domain->acl_info_list) {
  1484. struct tomoyo_acl_info *ptr
  1485. = list_entry(apos, struct tomoyo_acl_info,
  1486. list);
  1487. done = tomoyo_print_entry(head, ptr);
  1488. if (!done)
  1489. break;
  1490. }
  1491. if (!done)
  1492. break;
  1493. head->read_step = 3;
  1494. tail_mark:
  1495. done = tomoyo_io_printf(head, "\n");
  1496. if (!done)
  1497. break;
  1498. head->read_step = 1;
  1499. if (head->read_single_domain)
  1500. break;
  1501. }
  1502. head->read_eof = done;
  1503. return 0;
  1504. }
  1505. /**
  1506. * tomoyo_write_domain_profile - Assign profile for specified domain.
  1507. *
  1508. * @head: Pointer to "struct tomoyo_io_buffer".
  1509. *
  1510. * Returns 0 on success, -EINVAL otherwise.
  1511. *
  1512. * This is equivalent to doing
  1513. *
  1514. * ( echo "select " $domainname; echo "use_profile " $profile ) |
  1515. * /usr/lib/ccs/loadpolicy -d
  1516. *
  1517. * Caller holds tomoyo_read_lock().
  1518. */
  1519. static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
  1520. {
  1521. char *data = head->write_buf;
  1522. char *cp = strchr(data, ' ');
  1523. struct tomoyo_domain_info *domain;
  1524. unsigned long profile;
  1525. if (!cp)
  1526. return -EINVAL;
  1527. *cp = '\0';
  1528. domain = tomoyo_find_domain(cp + 1);
  1529. if (strict_strtoul(data, 10, &profile))
  1530. return -EINVAL;
  1531. if (domain && profile < TOMOYO_MAX_PROFILES
  1532. && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded))
  1533. domain->profile = (u8) profile;
  1534. return 0;
  1535. }
  1536. /**
  1537. * tomoyo_read_domain_profile - Read only domainname and profile.
  1538. *
  1539. * @head: Pointer to "struct tomoyo_io_buffer".
  1540. *
  1541. * Returns list of profile number and domainname pairs.
  1542. *
  1543. * This is equivalent to doing
  1544. *
  1545. * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
  1546. * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
  1547. * domainname = $0; } else if ( $1 == "use_profile" ) {
  1548. * print $2 " " domainname; domainname = ""; } } ; '
  1549. *
  1550. * Caller holds tomoyo_read_lock().
  1551. */
  1552. static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
  1553. {
  1554. struct list_head *pos;
  1555. bool done = true;
  1556. if (head->read_eof)
  1557. return 0;
  1558. list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) {
  1559. struct tomoyo_domain_info *domain;
  1560. domain = list_entry(pos, struct tomoyo_domain_info, list);
  1561. if (domain->is_deleted)
  1562. continue;
  1563. done = tomoyo_io_printf(head, "%u %s\n", domain->profile,
  1564. domain->domainname->name);
  1565. if (!done)
  1566. break;
  1567. }
  1568. head->read_eof = done;
  1569. return 0;
  1570. }
  1571. /**
  1572. * tomoyo_write_pid: Specify PID to obtain domainname.
  1573. *
  1574. * @head: Pointer to "struct tomoyo_io_buffer".
  1575. *
  1576. * Returns 0.
  1577. */
  1578. static int tomoyo_write_pid(struct tomoyo_io_buffer *head)
  1579. {
  1580. unsigned long pid;
  1581. /* No error check. */
  1582. strict_strtoul(head->write_buf, 10, &pid);
  1583. head->read_step = (int) pid;
  1584. head->read_eof = false;
  1585. return 0;
  1586. }
  1587. /**
  1588. * tomoyo_read_pid - Get domainname of the specified PID.
  1589. *
  1590. * @head: Pointer to "struct tomoyo_io_buffer".
  1591. *
  1592. * Returns the domainname which the specified PID is in on success,
  1593. * empty string otherwise.
  1594. * The PID is specified by tomoyo_write_pid() so that the user can obtain
  1595. * using read()/write() interface rather than sysctl() interface.
  1596. */
  1597. static int tomoyo_read_pid(struct tomoyo_io_buffer *head)
  1598. {
  1599. if (head->read_avail == 0 && !head->read_eof) {
  1600. const int pid = head->read_step;
  1601. struct task_struct *p;
  1602. struct tomoyo_domain_info *domain = NULL;
  1603. read_lock(&tasklist_lock);
  1604. p = find_task_by_vpid(pid);
  1605. if (p)
  1606. domain = tomoyo_real_domain(p);
  1607. read_unlock(&tasklist_lock);
  1608. if (domain)
  1609. tomoyo_io_printf(head, "%d %u %s", pid, domain->profile,
  1610. domain->domainname->name);
  1611. head->read_eof = true;
  1612. }
  1613. return 0;
  1614. }
  1615. /**
  1616. * tomoyo_write_exception_policy - Write exception policy.
  1617. *
  1618. * @head: Pointer to "struct tomoyo_io_buffer".
  1619. *
  1620. * Returns 0 on success, negative value otherwise.
  1621. *
  1622. * Caller holds tomoyo_read_lock().
  1623. */
  1624. static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
  1625. {
  1626. char *data = head->write_buf;
  1627. bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
  1628. if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN))
  1629. return tomoyo_write_domain_keeper_policy(data, false,
  1630. is_delete);
  1631. if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN))
  1632. return tomoyo_write_domain_keeper_policy(data, true, is_delete);
  1633. if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN))
  1634. return tomoyo_write_domain_initializer_policy(data, false,
  1635. is_delete);
  1636. if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN))
  1637. return tomoyo_write_domain_initializer_policy(data, true,
  1638. is_delete);
  1639. if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS))
  1640. return tomoyo_write_alias_policy(data, is_delete);
  1641. if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ))
  1642. return tomoyo_write_globally_readable_policy(data, is_delete);
  1643. if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN))
  1644. return tomoyo_write_pattern_policy(data, is_delete);
  1645. if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE))
  1646. return tomoyo_write_no_rewrite_policy(data, is_delete);
  1647. return -EINVAL;
  1648. }
  1649. /**
  1650. * tomoyo_read_exception_policy - Read exception policy.
  1651. *
  1652. * @head: Pointer to "struct tomoyo_io_buffer".
  1653. *
  1654. * Returns 0 on success, -EINVAL otherwise.
  1655. *
  1656. * Caller holds tomoyo_read_lock().
  1657. */
  1658. static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head)
  1659. {
  1660. if (!head->read_eof) {
  1661. switch (head->read_step) {
  1662. case 0:
  1663. head->read_var2 = NULL;
  1664. head->read_step = 1;
  1665. case 1:
  1666. if (!tomoyo_read_domain_keeper_policy(head))
  1667. break;
  1668. head->read_var2 = NULL;
  1669. head->read_step = 2;
  1670. case 2:
  1671. if (!tomoyo_read_globally_readable_policy(head))
  1672. break;
  1673. head->read_var2 = NULL;
  1674. head->read_step = 3;
  1675. case 3:
  1676. head->read_var2 = NULL;
  1677. head->read_step = 4;
  1678. case 4:
  1679. if (!tomoyo_read_domain_initializer_policy(head))
  1680. break;
  1681. head->read_var2 = NULL;
  1682. head->read_step = 5;
  1683. case 5:
  1684. if (!tomoyo_read_alias_policy(head))
  1685. break;
  1686. head->read_var2 = NULL;
  1687. head->read_step = 6;
  1688. case 6:
  1689. head->read_var2 = NULL;
  1690. head->read_step = 7;
  1691. case 7:
  1692. if (!tomoyo_read_file_pattern(head))
  1693. break;
  1694. head->read_var2 = NULL;
  1695. head->read_step = 8;
  1696. case 8:
  1697. if (!tomoyo_read_no_rewrite_policy(head))
  1698. break;
  1699. head->read_var2 = NULL;
  1700. head->read_step = 9;
  1701. case 9:
  1702. head->read_eof = true;
  1703. break;
  1704. default:
  1705. return -EINVAL;
  1706. }
  1707. }
  1708. return 0;
  1709. }
  1710. /* path to policy loader */
  1711. static const char *tomoyo_loader = "/sbin/tomoyo-init";
  1712. /**
  1713. * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
  1714. *
  1715. * Returns true if /sbin/tomoyo-init exists, false otherwise.
  1716. */
  1717. static bool tomoyo_policy_loader_exists(void)
  1718. {
  1719. /*
  1720. * Don't activate MAC if the policy loader doesn't exist.
  1721. * If the initrd includes /sbin/init but real-root-dev has not
  1722. * mounted on / yet, activating MAC will block the system since
  1723. * policies are not loaded yet.
  1724. * Thus, let do_execve() call this function everytime.
  1725. */
  1726. struct path path;
  1727. if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
  1728. printk(KERN_INFO "Not activating Mandatory Access Control now "
  1729. "since %s doesn't exist.\n", tomoyo_loader);
  1730. return false;
  1731. }
  1732. path_put(&path);
  1733. return true;
  1734. }
  1735. /**
  1736. * tomoyo_load_policy - Run external policy loader to load policy.
  1737. *
  1738. * @filename: The program about to start.
  1739. *
  1740. * This function checks whether @filename is /sbin/init , and if so
  1741. * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
  1742. * and then continues invocation of /sbin/init.
  1743. * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
  1744. * writes to /sys/kernel/security/tomoyo/ interfaces.
  1745. *
  1746. * Returns nothing.
  1747. */
  1748. void tomoyo_load_policy(const char *filename)
  1749. {
  1750. char *argv[2];
  1751. char *envp[3];
  1752. if (tomoyo_policy_loaded)
  1753. return;
  1754. /*
  1755. * Check filename is /sbin/init or /sbin/tomoyo-start.
  1756. * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
  1757. * be passed.
  1758. * You can create /sbin/tomoyo-start by
  1759. * "ln -s /bin/true /sbin/tomoyo-start".
  1760. */
  1761. if (strcmp(filename, "/sbin/init") &&
  1762. strcmp(filename, "/sbin/tomoyo-start"))
  1763. return;
  1764. if (!tomoyo_policy_loader_exists())
  1765. return;
  1766. printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
  1767. tomoyo_loader);
  1768. argv[0] = (char *) tomoyo_loader;
  1769. argv[1] = NULL;
  1770. envp[0] = "HOME=/";
  1771. envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
  1772. envp[2] = NULL;
  1773. call_usermodehelper(argv[0], argv, envp, 1);
  1774. printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n");
  1775. printk(KERN_INFO "Mandatory Access Control activated.\n");
  1776. tomoyo_policy_loaded = true;
  1777. { /* Check all profiles currently assigned to domains are defined. */
  1778. struct tomoyo_domain_info *domain;
  1779. list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
  1780. const u8 profile = domain->profile;
  1781. if (tomoyo_profile_ptr[profile])
  1782. continue;
  1783. panic("Profile %u (used by '%s') not defined.\n",
  1784. profile, domain->domainname->name);
  1785. }
  1786. }
  1787. }
  1788. /**
  1789. * tomoyo_read_version: Get version.
  1790. *
  1791. * @head: Pointer to "struct tomoyo_io_buffer".
  1792. *
  1793. * Returns version information.
  1794. */
  1795. static int tomoyo_read_version(struct tomoyo_io_buffer *head)
  1796. {
  1797. if (!head->read_eof) {
  1798. tomoyo_io_printf(head, "2.2.0");
  1799. head->read_eof = true;
  1800. }
  1801. return 0;
  1802. }
  1803. /**
  1804. * tomoyo_read_self_domain - Get the current process's domainname.
  1805. *
  1806. * @head: Pointer to "struct tomoyo_io_buffer".
  1807. *
  1808. * Returns the current process's domainname.
  1809. */
  1810. static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head)
  1811. {
  1812. if (!head->read_eof) {
  1813. /*
  1814. * tomoyo_domain()->domainname != NULL
  1815. * because every process belongs to a domain and
  1816. * the domain's name cannot be NULL.
  1817. */
  1818. tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name);
  1819. head->read_eof = true;
  1820. }
  1821. return 0;
  1822. }
  1823. /**
  1824. * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
  1825. *
  1826. * @type: Type of interface.
  1827. * @file: Pointer to "struct file".
  1828. *
  1829. * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
  1830. *
  1831. * Caller acquires tomoyo_read_lock().
  1832. */
  1833. static int tomoyo_open_control(const u8 type, struct file *file)
  1834. {
  1835. struct tomoyo_io_buffer *head = tomoyo_alloc(sizeof(*head));
  1836. if (!head)
  1837. return -ENOMEM;
  1838. mutex_init(&head->io_sem);
  1839. switch (type) {
  1840. case TOMOYO_DOMAINPOLICY:
  1841. /* /sys/kernel/security/tomoyo/domain_policy */
  1842. head->write = tomoyo_write_domain_policy;
  1843. head->read = tomoyo_read_domain_policy;
  1844. break;
  1845. case TOMOYO_EXCEPTIONPOLICY:
  1846. /* /sys/kernel/security/tomoyo/exception_policy */
  1847. head->write = tomoyo_write_exception_policy;
  1848. head->read = tomoyo_read_exception_policy;
  1849. break;
  1850. case TOMOYO_SELFDOMAIN:
  1851. /* /sys/kernel/security/tomoyo/self_domain */
  1852. head->read = tomoyo_read_self_domain;
  1853. break;
  1854. case TOMOYO_DOMAIN_STATUS:
  1855. /* /sys/kernel/security/tomoyo/.domain_status */
  1856. head->write = tomoyo_write_domain_profile;
  1857. head->read = tomoyo_read_domain_profile;
  1858. break;
  1859. case TOMOYO_PROCESS_STATUS:
  1860. /* /sys/kernel/security/tomoyo/.process_status */
  1861. head->write = tomoyo_write_pid;
  1862. head->read = tomoyo_read_pid;
  1863. break;
  1864. case TOMOYO_VERSION:
  1865. /* /sys/kernel/security/tomoyo/version */
  1866. head->read = tomoyo_read_version;
  1867. head->readbuf_size = 128;
  1868. break;
  1869. case TOMOYO_MEMINFO:
  1870. /* /sys/kernel/security/tomoyo/meminfo */
  1871. head->write = tomoyo_write_memory_quota;
  1872. head->read = tomoyo_read_memory_counter;
  1873. head->readbuf_size = 512;
  1874. break;
  1875. case TOMOYO_PROFILE:
  1876. /* /sys/kernel/security/tomoyo/profile */
  1877. head->write = tomoyo_write_profile;
  1878. head->read = tomoyo_read_profile;
  1879. break;
  1880. case TOMOYO_MANAGER:
  1881. /* /sys/kernel/security/tomoyo/manager */
  1882. head->write = tomoyo_write_manager_policy;
  1883. head->read = tomoyo_read_manager_policy;
  1884. break;
  1885. }
  1886. if (!(file->f_mode & FMODE_READ)) {
  1887. /*
  1888. * No need to allocate read_buf since it is not opened
  1889. * for reading.
  1890. */
  1891. head->read = NULL;
  1892. } else {
  1893. if (!head->readbuf_size)
  1894. head->readbuf_size = 4096 * 2;
  1895. head->read_buf = tomoyo_alloc(head->readbuf_size);
  1896. if (!head->read_buf) {
  1897. tomoyo_free(head);
  1898. return -ENOMEM;
  1899. }
  1900. }
  1901. if (!(file->f_mode & FMODE_WRITE)) {
  1902. /*
  1903. * No need to allocate write_buf since it is not opened
  1904. * for writing.
  1905. */
  1906. head->write = NULL;
  1907. } else if (head->write) {
  1908. head->writebuf_size = 4096 * 2;
  1909. head->write_buf = tomoyo_alloc(head->writebuf_size);
  1910. if (!head->write_buf) {
  1911. tomoyo_free(head->read_buf);
  1912. tomoyo_free(head);
  1913. return -ENOMEM;
  1914. }
  1915. }
  1916. head->reader_idx = tomoyo_read_lock();
  1917. file->private_data = head;
  1918. /*
  1919. * Call the handler now if the file is
  1920. * /sys/kernel/security/tomoyo/self_domain
  1921. * so that the user can use
  1922. * cat < /sys/kernel/security/tomoyo/self_domain"
  1923. * to know the current process's domainname.
  1924. */
  1925. if (type == TOMOYO_SELFDOMAIN)
  1926. tomoyo_read_control(file, NULL, 0);
  1927. return 0;
  1928. }
  1929. /**
  1930. * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
  1931. *
  1932. * @file: Pointer to "struct file".
  1933. * @buffer: Poiner to buffer to write to.
  1934. * @buffer_len: Size of @buffer.
  1935. *
  1936. * Returns bytes read on success, negative value otherwise.
  1937. *
  1938. * Caller holds tomoyo_read_lock().
  1939. */
  1940. static int tomoyo_read_control(struct file *file, char __user *buffer,
  1941. const int buffer_len)
  1942. {
  1943. int len = 0;
  1944. struct tomoyo_io_buffer *head = file->private_data;
  1945. char *cp;
  1946. if (!head->read)
  1947. return -ENOSYS;
  1948. if (mutex_lock_interruptible(&head->io_sem))
  1949. return -EINTR;
  1950. /* Call the policy handler. */
  1951. len = head->read(head);
  1952. if (len < 0)
  1953. goto out;
  1954. /* Write to buffer. */
  1955. len = head->read_avail;
  1956. if (len > buffer_len)
  1957. len = buffer_len;
  1958. if (!len)
  1959. goto out;
  1960. /* head->read_buf changes by some functions. */
  1961. cp = head->read_buf;
  1962. if (copy_to_user(buffer, cp, len)) {
  1963. len = -EFAULT;
  1964. goto out;
  1965. }
  1966. head->read_avail -= len;
  1967. memmove(cp, cp + len, head->read_avail);
  1968. out:
  1969. mutex_unlock(&head->io_sem);
  1970. return len;
  1971. }
  1972. /**
  1973. * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
  1974. *
  1975. * @file: Pointer to "struct file".
  1976. * @buffer: Pointer to buffer to read from.
  1977. * @buffer_len: Size of @buffer.
  1978. *
  1979. * Returns @buffer_len on success, negative value otherwise.
  1980. *
  1981. * Caller holds tomoyo_read_lock().
  1982. */
  1983. static int tomoyo_write_control(struct file *file, const char __user *buffer,
  1984. const int buffer_len)
  1985. {
  1986. struct tomoyo_io_buffer *head = file->private_data;
  1987. int error = buffer_len;
  1988. int avail_len = buffer_len;
  1989. char *cp0 = head->write_buf;
  1990. if (!head->write)
  1991. return -ENOSYS;
  1992. if (!access_ok(VERIFY_READ, buffer, buffer_len))
  1993. return -EFAULT;
  1994. /* Don't allow updating policies by non manager programs. */
  1995. if (head->write != tomoyo_write_pid &&
  1996. head->write != tomoyo_write_domain_policy &&
  1997. !tomoyo_is_policy_manager())
  1998. return -EPERM;
  1999. if (mutex_lock_interruptible(&head->io_sem))
  2000. return -EINTR;
  2001. /* Read a line and dispatch it to the policy handler. */
  2002. while (avail_len > 0) {
  2003. char c;
  2004. if (head->write_avail >= head->writebuf_size - 1) {
  2005. error = -ENOMEM;
  2006. break;
  2007. } else if (get_user(c, buffer)) {
  2008. error = -EFAULT;
  2009. break;
  2010. }
  2011. buffer++;
  2012. avail_len--;
  2013. cp0[head->write_avail++] = c;
  2014. if (c != '\n')
  2015. continue;
  2016. cp0[head->write_avail - 1] = '\0';
  2017. head->write_avail = 0;
  2018. tomoyo_normalize_line(cp0);
  2019. head->write(head);
  2020. }
  2021. mutex_unlock(&head->io_sem);
  2022. return error;
  2023. }
  2024. /**
  2025. * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
  2026. *
  2027. * @file: Pointer to "struct file".
  2028. *
  2029. * Releases memory and returns 0.
  2030. *
  2031. * Caller looses tomoyo_read_lock().
  2032. */
  2033. static int tomoyo_close_control(struct file *file)
  2034. {
  2035. struct tomoyo_io_buffer *head = file->private_data;
  2036. tomoyo_read_unlock(head->reader_idx);
  2037. /* Release memory used for policy I/O. */
  2038. tomoyo_free(head->read_buf);
  2039. head->read_buf = NULL;
  2040. tomoyo_free(head->write_buf);
  2041. head->write_buf = NULL;
  2042. tomoyo_free(head);
  2043. head = NULL;
  2044. file->private_data = NULL;
  2045. return 0;
  2046. }
  2047. /**
  2048. * tomoyo_alloc_acl_element - Allocate permanent memory for ACL entry.
  2049. *
  2050. * @acl_type: Type of ACL entry.
  2051. *
  2052. * Returns pointer to the ACL entry on success, NULL otherwise.
  2053. */
  2054. void *tomoyo_alloc_acl_element(const u8 acl_type)
  2055. {
  2056. int len;
  2057. struct tomoyo_acl_info *ptr;
  2058. switch (acl_type) {
  2059. case TOMOYO_TYPE_SINGLE_PATH_ACL:
  2060. len = sizeof(struct tomoyo_single_path_acl_record);
  2061. break;
  2062. case TOMOYO_TYPE_DOUBLE_PATH_ACL:
  2063. len = sizeof(struct tomoyo_double_path_acl_record);
  2064. break;
  2065. default:
  2066. return NULL;
  2067. }
  2068. ptr = tomoyo_alloc_element(len);
  2069. if (!ptr)
  2070. return NULL;
  2071. ptr->type = acl_type;
  2072. return ptr;
  2073. }
  2074. /**
  2075. * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
  2076. *
  2077. * @inode: Pointer to "struct inode".
  2078. * @file: Pointer to "struct file".
  2079. *
  2080. * Returns 0 on success, negative value otherwise.
  2081. */
  2082. static int tomoyo_open(struct inode *inode, struct file *file)
  2083. {
  2084. const int key = ((u8 *) file->f_path.dentry->d_inode->i_private)
  2085. - ((u8 *) NULL);
  2086. return tomoyo_open_control(key, file);
  2087. }
  2088. /**
  2089. * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
  2090. *
  2091. * @inode: Pointer to "struct inode".
  2092. * @file: Pointer to "struct file".
  2093. *
  2094. * Returns 0 on success, negative value otherwise.
  2095. */
  2096. static int tomoyo_release(struct inode *inode, struct file *file)
  2097. {
  2098. return tomoyo_close_control(file);
  2099. }
  2100. /**
  2101. * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
  2102. *
  2103. * @file: Pointer to "struct file".
  2104. * @buf: Pointer to buffer.
  2105. * @count: Size of @buf.
  2106. * @ppos: Unused.
  2107. *
  2108. * Returns bytes read on success, negative value otherwise.
  2109. */
  2110. static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
  2111. loff_t *ppos)
  2112. {
  2113. return tomoyo_read_control(file, buf, count);
  2114. }
  2115. /**
  2116. * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
  2117. *
  2118. * @file: Pointer to "struct file".
  2119. * @buf: Pointer to buffer.
  2120. * @count: Size of @buf.
  2121. * @ppos: Unused.
  2122. *
  2123. * Returns @count on success, negative value otherwise.
  2124. */
  2125. static ssize_t tomoyo_write(struct file *file, const char __user *buf,
  2126. size_t count, loff_t *ppos)
  2127. {
  2128. return tomoyo_write_control(file, buf, count);
  2129. }
  2130. /*
  2131. * tomoyo_operations is a "struct file_operations" which is used for handling
  2132. * /sys/kernel/security/tomoyo/ interface.
  2133. *
  2134. * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
  2135. * See tomoyo_io_buffer for internals.
  2136. */
  2137. static const struct file_operations tomoyo_operations = {
  2138. .open = tomoyo_open,
  2139. .release = tomoyo_release,
  2140. .read = tomoyo_read,
  2141. .write = tomoyo_write,
  2142. };
  2143. /**
  2144. * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
  2145. *
  2146. * @name: The name of the interface file.
  2147. * @mode: The permission of the interface file.
  2148. * @parent: The parent directory.
  2149. * @key: Type of interface.
  2150. *
  2151. * Returns nothing.
  2152. */
  2153. static void __init tomoyo_create_entry(const char *name, const mode_t mode,
  2154. struct dentry *parent, const u8 key)
  2155. {
  2156. securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,
  2157. &tomoyo_operations);
  2158. }
  2159. /**
  2160. * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
  2161. *
  2162. * Returns 0.
  2163. */
  2164. static int __init tomoyo_initerface_init(void)
  2165. {
  2166. struct dentry *tomoyo_dir;
  2167. /* Don't create securityfs entries unless registered. */
  2168. if (current_cred()->security != &tomoyo_kernel_domain)
  2169. return 0;
  2170. tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
  2171. tomoyo_create_entry("domain_policy", 0600, tomoyo_dir,
  2172. TOMOYO_DOMAINPOLICY);
  2173. tomoyo_create_entry("exception_policy", 0600, tomoyo_dir,
  2174. TOMOYO_EXCEPTIONPOLICY);
  2175. tomoyo_create_entry("self_domain", 0400, tomoyo_dir,
  2176. TOMOYO_SELFDOMAIN);
  2177. tomoyo_create_entry(".domain_status", 0600, tomoyo_dir,
  2178. TOMOYO_DOMAIN_STATUS);
  2179. tomoyo_create_entry(".process_status", 0600, tomoyo_dir,
  2180. TOMOYO_PROCESS_STATUS);
  2181. tomoyo_create_entry("meminfo", 0600, tomoyo_dir,
  2182. TOMOYO_MEMINFO);
  2183. tomoyo_create_entry("profile", 0600, tomoyo_dir,
  2184. TOMOYO_PROFILE);
  2185. tomoyo_create_entry("manager", 0600, tomoyo_dir,
  2186. TOMOYO_MANAGER);
  2187. tomoyo_create_entry("version", 0400, tomoyo_dir,
  2188. TOMOYO_VERSION);
  2189. return 0;
  2190. }
  2191. fs_initcall(tomoyo_initerface_init);