181427a7e0
The original code returns a freed pointer. This function is expected to return NULL on errors. Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
2238 lines
57 KiB
C
2238 lines
57 KiB
C
/*
|
|
* security/tomoyo/common.c
|
|
*
|
|
* Common functions for TOMOYO.
|
|
*
|
|
* Copyright (C) 2005-2009 NTT DATA CORPORATION
|
|
*
|
|
* Version: 2.2.0 2009/04/01
|
|
*
|
|
*/
|
|
|
|
#include <linux/uaccess.h>
|
|
#include <linux/security.h>
|
|
#include <linux/hardirq.h>
|
|
#include "common.h"
|
|
|
|
/* Lock for protecting policy. */
|
|
DEFINE_MUTEX(tomoyo_policy_lock);
|
|
|
|
/* Has loading policy done? */
|
|
bool tomoyo_policy_loaded;
|
|
|
|
/* String table for functionality that takes 4 modes. */
|
|
static const char *tomoyo_mode_4[4] = {
|
|
"disabled", "learning", "permissive", "enforcing"
|
|
};
|
|
/* String table for functionality that takes 2 modes. */
|
|
static const char *tomoyo_mode_2[4] = {
|
|
"disabled", "enabled", "enabled", "enabled"
|
|
};
|
|
|
|
/*
|
|
* tomoyo_control_array is a static data which contains
|
|
*
|
|
* (1) functionality name used by /sys/kernel/security/tomoyo/profile .
|
|
* (2) initial values for "struct tomoyo_profile".
|
|
* (3) max values for "struct tomoyo_profile".
|
|
*/
|
|
static struct {
|
|
const char *keyword;
|
|
unsigned int current_value;
|
|
const unsigned int max_value;
|
|
} tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = {
|
|
[TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 },
|
|
[TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX },
|
|
[TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 },
|
|
};
|
|
|
|
/*
|
|
* tomoyo_profile is a structure which is used for holding the mode of access
|
|
* controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
|
|
* An administrator can define up to 256 profiles.
|
|
* The ->profile of "struct tomoyo_domain_info" is used for remembering
|
|
* the profile's number (0 - 255) assigned to that domain.
|
|
*/
|
|
static struct tomoyo_profile {
|
|
unsigned int value[TOMOYO_MAX_CONTROL_INDEX];
|
|
const struct tomoyo_path_info *comment;
|
|
} *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES];
|
|
|
|
/* Permit policy management by non-root user? */
|
|
static bool tomoyo_manage_by_non_root;
|
|
|
|
/* Utility functions. */
|
|
|
|
/* Open operation for /sys/kernel/security/tomoyo/ interface. */
|
|
static int tomoyo_open_control(const u8 type, struct file *file);
|
|
/* Close /sys/kernel/security/tomoyo/ interface. */
|
|
static int tomoyo_close_control(struct file *file);
|
|
/* Read operation for /sys/kernel/security/tomoyo/ interface. */
|
|
static int tomoyo_read_control(struct file *file, char __user *buffer,
|
|
const int buffer_len);
|
|
/* Write operation for /sys/kernel/security/tomoyo/ interface. */
|
|
static int tomoyo_write_control(struct file *file, const char __user *buffer,
|
|
const int buffer_len);
|
|
|
|
/**
|
|
* tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
|
|
*
|
|
* @str: Pointer to the string.
|
|
*
|
|
* Returns true if @str is a \ooo style octal value, false otherwise.
|
|
*
|
|
* TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
|
|
* This function verifies that \ooo is in valid range.
|
|
*/
|
|
static inline bool tomoyo_is_byte_range(const char *str)
|
|
{
|
|
return *str >= '0' && *str++ <= '3' &&
|
|
*str >= '0' && *str++ <= '7' &&
|
|
*str >= '0' && *str <= '7';
|
|
}
|
|
|
|
/**
|
|
* tomoyo_is_alphabet_char - Check whether the character is an alphabet.
|
|
*
|
|
* @c: The character to check.
|
|
*
|
|
* Returns true if @c is an alphabet character, false otherwise.
|
|
*/
|
|
static inline bool tomoyo_is_alphabet_char(const char c)
|
|
{
|
|
return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
|
|
}
|
|
|
|
/**
|
|
* tomoyo_make_byte - Make byte value from three octal characters.
|
|
*
|
|
* @c1: The first character.
|
|
* @c2: The second character.
|
|
* @c3: The third character.
|
|
*
|
|
* Returns byte value.
|
|
*/
|
|
static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3)
|
|
{
|
|
return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0');
|
|
}
|
|
|
|
/**
|
|
* tomoyo_str_starts - Check whether the given string starts with the given keyword.
|
|
*
|
|
* @src: Pointer to pointer to the string.
|
|
* @find: Pointer to the keyword.
|
|
*
|
|
* Returns true if @src starts with @find, false otherwise.
|
|
*
|
|
* The @src is updated to point the first character after the @find
|
|
* if @src starts with @find.
|
|
*/
|
|
static bool tomoyo_str_starts(char **src, const char *find)
|
|
{
|
|
const int len = strlen(find);
|
|
char *tmp = *src;
|
|
|
|
if (strncmp(tmp, find, len))
|
|
return false;
|
|
tmp += len;
|
|
*src = tmp;
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_normalize_line - Format string.
|
|
*
|
|
* @buffer: The line to normalize.
|
|
*
|
|
* Leading and trailing whitespaces are removed.
|
|
* Multiple whitespaces are packed into single space.
|
|
*
|
|
* Returns nothing.
|
|
*/
|
|
static void tomoyo_normalize_line(unsigned char *buffer)
|
|
{
|
|
unsigned char *sp = buffer;
|
|
unsigned char *dp = buffer;
|
|
bool first = true;
|
|
|
|
while (tomoyo_is_invalid(*sp))
|
|
sp++;
|
|
while (*sp) {
|
|
if (!first)
|
|
*dp++ = ' ';
|
|
first = false;
|
|
while (tomoyo_is_valid(*sp))
|
|
*dp++ = *sp++;
|
|
while (tomoyo_is_invalid(*sp))
|
|
sp++;
|
|
}
|
|
*dp = '\0';
|
|
}
|
|
|
|
/**
|
|
* tomoyo_is_correct_path - Validate a pathname.
|
|
* @filename: The pathname to check.
|
|
* @start_type: Should the pathname start with '/'?
|
|
* 1 = must / -1 = must not / 0 = don't care
|
|
* @pattern_type: Can the pathname contain a wildcard?
|
|
* 1 = must / -1 = must not / 0 = don't care
|
|
* @end_type: Should the pathname end with '/'?
|
|
* 1 = must / -1 = must not / 0 = don't care
|
|
*
|
|
* Check whether the given filename follows the naming rules.
|
|
* Returns true if @filename follows the naming rules, false otherwise.
|
|
*/
|
|
bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
|
|
const s8 pattern_type, const s8 end_type)
|
|
{
|
|
const char *const start = filename;
|
|
bool in_repetition = false;
|
|
bool contains_pattern = false;
|
|
unsigned char c;
|
|
unsigned char d;
|
|
unsigned char e;
|
|
|
|
if (!filename)
|
|
goto out;
|
|
c = *filename;
|
|
if (start_type == 1) { /* Must start with '/' */
|
|
if (c != '/')
|
|
goto out;
|
|
} else if (start_type == -1) { /* Must not start with '/' */
|
|
if (c == '/')
|
|
goto out;
|
|
}
|
|
if (c)
|
|
c = *(filename + strlen(filename) - 1);
|
|
if (end_type == 1) { /* Must end with '/' */
|
|
if (c != '/')
|
|
goto out;
|
|
} else if (end_type == -1) { /* Must not end with '/' */
|
|
if (c == '/')
|
|
goto out;
|
|
}
|
|
while (1) {
|
|
c = *filename++;
|
|
if (!c)
|
|
break;
|
|
if (c == '\\') {
|
|
c = *filename++;
|
|
switch (c) {
|
|
case '\\': /* "\\" */
|
|
continue;
|
|
case '$': /* "\$" */
|
|
case '+': /* "\+" */
|
|
case '?': /* "\?" */
|
|
case '*': /* "\*" */
|
|
case '@': /* "\@" */
|
|
case 'x': /* "\x" */
|
|
case 'X': /* "\X" */
|
|
case 'a': /* "\a" */
|
|
case 'A': /* "\A" */
|
|
case '-': /* "\-" */
|
|
if (pattern_type == -1)
|
|
break; /* Must not contain pattern */
|
|
contains_pattern = true;
|
|
continue;
|
|
case '{': /* "/\{" */
|
|
if (filename - 3 < start ||
|
|
*(filename - 3) != '/')
|
|
break;
|
|
if (pattern_type == -1)
|
|
break; /* Must not contain pattern */
|
|
contains_pattern = true;
|
|
in_repetition = true;
|
|
continue;
|
|
case '}': /* "\}/" */
|
|
if (*filename != '/')
|
|
break;
|
|
if (!in_repetition)
|
|
break;
|
|
in_repetition = false;
|
|
continue;
|
|
case '0': /* "\ooo" */
|
|
case '1':
|
|
case '2':
|
|
case '3':
|
|
d = *filename++;
|
|
if (d < '0' || d > '7')
|
|
break;
|
|
e = *filename++;
|
|
if (e < '0' || e > '7')
|
|
break;
|
|
c = tomoyo_make_byte(c, d, e);
|
|
if (tomoyo_is_invalid(c))
|
|
continue; /* pattern is not \000 */
|
|
}
|
|
goto out;
|
|
} else if (in_repetition && c == '/') {
|
|
goto out;
|
|
} else if (tomoyo_is_invalid(c)) {
|
|
goto out;
|
|
}
|
|
}
|
|
if (pattern_type == 1) { /* Must contain pattern */
|
|
if (!contains_pattern)
|
|
goto out;
|
|
}
|
|
if (in_repetition)
|
|
goto out;
|
|
return true;
|
|
out:
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
|
|
* @domainname: The domainname to check.
|
|
*
|
|
* Returns true if @domainname follows the naming rules, false otherwise.
|
|
*/
|
|
bool tomoyo_is_correct_domain(const unsigned char *domainname)
|
|
{
|
|
unsigned char c;
|
|
unsigned char d;
|
|
unsigned char e;
|
|
|
|
if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME,
|
|
TOMOYO_ROOT_NAME_LEN))
|
|
goto out;
|
|
domainname += TOMOYO_ROOT_NAME_LEN;
|
|
if (!*domainname)
|
|
return true;
|
|
do {
|
|
if (*domainname++ != ' ')
|
|
goto out;
|
|
if (*domainname++ != '/')
|
|
goto out;
|
|
while ((c = *domainname) != '\0' && c != ' ') {
|
|
domainname++;
|
|
if (c == '\\') {
|
|
c = *domainname++;
|
|
switch ((c)) {
|
|
case '\\': /* "\\" */
|
|
continue;
|
|
case '0': /* "\ooo" */
|
|
case '1':
|
|
case '2':
|
|
case '3':
|
|
d = *domainname++;
|
|
if (d < '0' || d > '7')
|
|
break;
|
|
e = *domainname++;
|
|
if (e < '0' || e > '7')
|
|
break;
|
|
c = tomoyo_make_byte(c, d, e);
|
|
if (tomoyo_is_invalid(c))
|
|
/* pattern is not \000 */
|
|
continue;
|
|
}
|
|
goto out;
|
|
} else if (tomoyo_is_invalid(c)) {
|
|
goto out;
|
|
}
|
|
}
|
|
} while (*domainname);
|
|
return true;
|
|
out:
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_is_domain_def - Check whether the given token can be a domainname.
|
|
*
|
|
* @buffer: The token to check.
|
|
*
|
|
* Returns true if @buffer possibly be a domainname, false otherwise.
|
|
*/
|
|
bool tomoyo_is_domain_def(const unsigned char *buffer)
|
|
{
|
|
return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN);
|
|
}
|
|
|
|
/**
|
|
* tomoyo_find_domain - Find a domain by the given name.
|
|
*
|
|
* @domainname: The domainname to find.
|
|
*
|
|
* Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
|
|
{
|
|
struct tomoyo_domain_info *domain;
|
|
struct tomoyo_path_info name;
|
|
|
|
name.name = domainname;
|
|
tomoyo_fill_path_info(&name);
|
|
list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
|
|
if (!domain->is_deleted &&
|
|
!tomoyo_pathcmp(&name, domain->domainname))
|
|
return domain;
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
|
|
*
|
|
* @filename: The string to evaluate.
|
|
*
|
|
* Returns the initial length without a pattern in @filename.
|
|
*/
|
|
static int tomoyo_const_part_length(const char *filename)
|
|
{
|
|
char c;
|
|
int len = 0;
|
|
|
|
if (!filename)
|
|
return 0;
|
|
while ((c = *filename++) != '\0') {
|
|
if (c != '\\') {
|
|
len++;
|
|
continue;
|
|
}
|
|
c = *filename++;
|
|
switch (c) {
|
|
case '\\': /* "\\" */
|
|
len += 2;
|
|
continue;
|
|
case '0': /* "\ooo" */
|
|
case '1':
|
|
case '2':
|
|
case '3':
|
|
c = *filename++;
|
|
if (c < '0' || c > '7')
|
|
break;
|
|
c = *filename++;
|
|
if (c < '0' || c > '7')
|
|
break;
|
|
len += 4;
|
|
continue;
|
|
}
|
|
break;
|
|
}
|
|
return len;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
|
|
*
|
|
* @ptr: Pointer to "struct tomoyo_path_info" to fill in.
|
|
*
|
|
* The caller sets "struct tomoyo_path_info"->name.
|
|
*/
|
|
void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
|
|
{
|
|
const char *name = ptr->name;
|
|
const int len = strlen(name);
|
|
|
|
ptr->const_len = tomoyo_const_part_length(name);
|
|
ptr->is_dir = len && (name[len - 1] == '/');
|
|
ptr->is_patterned = (ptr->const_len < len);
|
|
ptr->hash = full_name_hash(name, len);
|
|
}
|
|
|
|
/**
|
|
* tomoyo_file_matches_pattern2 - Pattern matching without '/' character
|
|
* and "\-" pattern.
|
|
*
|
|
* @filename: The start of string to check.
|
|
* @filename_end: The end of string to check.
|
|
* @pattern: The start of pattern to compare.
|
|
* @pattern_end: The end of pattern to compare.
|
|
*
|
|
* Returns true if @filename matches @pattern, false otherwise.
|
|
*/
|
|
static bool tomoyo_file_matches_pattern2(const char *filename,
|
|
const char *filename_end,
|
|
const char *pattern,
|
|
const char *pattern_end)
|
|
{
|
|
while (filename < filename_end && pattern < pattern_end) {
|
|
char c;
|
|
if (*pattern != '\\') {
|
|
if (*filename++ != *pattern++)
|
|
return false;
|
|
continue;
|
|
}
|
|
c = *filename;
|
|
pattern++;
|
|
switch (*pattern) {
|
|
int i;
|
|
int j;
|
|
case '?':
|
|
if (c == '/') {
|
|
return false;
|
|
} else if (c == '\\') {
|
|
if (filename[1] == '\\')
|
|
filename++;
|
|
else if (tomoyo_is_byte_range(filename + 1))
|
|
filename += 3;
|
|
else
|
|
return false;
|
|
}
|
|
break;
|
|
case '\\':
|
|
if (c != '\\')
|
|
return false;
|
|
if (*++filename != '\\')
|
|
return false;
|
|
break;
|
|
case '+':
|
|
if (!isdigit(c))
|
|
return false;
|
|
break;
|
|
case 'x':
|
|
if (!isxdigit(c))
|
|
return false;
|
|
break;
|
|
case 'a':
|
|
if (!tomoyo_is_alphabet_char(c))
|
|
return false;
|
|
break;
|
|
case '0':
|
|
case '1':
|
|
case '2':
|
|
case '3':
|
|
if (c == '\\' && tomoyo_is_byte_range(filename + 1)
|
|
&& strncmp(filename + 1, pattern, 3) == 0) {
|
|
filename += 3;
|
|
pattern += 2;
|
|
break;
|
|
}
|
|
return false; /* Not matched. */
|
|
case '*':
|
|
case '@':
|
|
for (i = 0; i <= filename_end - filename; i++) {
|
|
if (tomoyo_file_matches_pattern2(
|
|
filename + i, filename_end,
|
|
pattern + 1, pattern_end))
|
|
return true;
|
|
c = filename[i];
|
|
if (c == '.' && *pattern == '@')
|
|
break;
|
|
if (c != '\\')
|
|
continue;
|
|
if (filename[i + 1] == '\\')
|
|
i++;
|
|
else if (tomoyo_is_byte_range(filename + i + 1))
|
|
i += 3;
|
|
else
|
|
break; /* Bad pattern. */
|
|
}
|
|
return false; /* Not matched. */
|
|
default:
|
|
j = 0;
|
|
c = *pattern;
|
|
if (c == '$') {
|
|
while (isdigit(filename[j]))
|
|
j++;
|
|
} else if (c == 'X') {
|
|
while (isxdigit(filename[j]))
|
|
j++;
|
|
} else if (c == 'A') {
|
|
while (tomoyo_is_alphabet_char(filename[j]))
|
|
j++;
|
|
}
|
|
for (i = 1; i <= j; i++) {
|
|
if (tomoyo_file_matches_pattern2(
|
|
filename + i, filename_end,
|
|
pattern + 1, pattern_end))
|
|
return true;
|
|
}
|
|
return false; /* Not matched or bad pattern. */
|
|
}
|
|
filename++;
|
|
pattern++;
|
|
}
|
|
while (*pattern == '\\' &&
|
|
(*(pattern + 1) == '*' || *(pattern + 1) == '@'))
|
|
pattern += 2;
|
|
return filename == filename_end && pattern == pattern_end;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_file_matches_pattern - Pattern matching without without '/' character.
|
|
*
|
|
* @filename: The start of string to check.
|
|
* @filename_end: The end of string to check.
|
|
* @pattern: The start of pattern to compare.
|
|
* @pattern_end: The end of pattern to compare.
|
|
*
|
|
* Returns true if @filename matches @pattern, false otherwise.
|
|
*/
|
|
static bool tomoyo_file_matches_pattern(const char *filename,
|
|
const char *filename_end,
|
|
const char *pattern,
|
|
const char *pattern_end)
|
|
{
|
|
const char *pattern_start = pattern;
|
|
bool first = true;
|
|
bool result;
|
|
|
|
while (pattern < pattern_end - 1) {
|
|
/* Split at "\-" pattern. */
|
|
if (*pattern++ != '\\' || *pattern++ != '-')
|
|
continue;
|
|
result = tomoyo_file_matches_pattern2(filename,
|
|
filename_end,
|
|
pattern_start,
|
|
pattern - 2);
|
|
if (first)
|
|
result = !result;
|
|
if (result)
|
|
return false;
|
|
first = false;
|
|
pattern_start = pattern;
|
|
}
|
|
result = tomoyo_file_matches_pattern2(filename, filename_end,
|
|
pattern_start, pattern_end);
|
|
return first ? result : !result;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_path_matches_pattern2 - Do pathname pattern matching.
|
|
*
|
|
* @f: The start of string to check.
|
|
* @p: The start of pattern to compare.
|
|
*
|
|
* Returns true if @f matches @p, false otherwise.
|
|
*/
|
|
static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
|
|
{
|
|
const char *f_delimiter;
|
|
const char *p_delimiter;
|
|
|
|
while (*f && *p) {
|
|
f_delimiter = strchr(f, '/');
|
|
if (!f_delimiter)
|
|
f_delimiter = f + strlen(f);
|
|
p_delimiter = strchr(p, '/');
|
|
if (!p_delimiter)
|
|
p_delimiter = p + strlen(p);
|
|
if (*p == '\\' && *(p + 1) == '{')
|
|
goto recursive;
|
|
if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
|
|
p_delimiter))
|
|
return false;
|
|
f = f_delimiter;
|
|
if (*f)
|
|
f++;
|
|
p = p_delimiter;
|
|
if (*p)
|
|
p++;
|
|
}
|
|
/* Ignore trailing "\*" and "\@" in @pattern. */
|
|
while (*p == '\\' &&
|
|
(*(p + 1) == '*' || *(p + 1) == '@'))
|
|
p += 2;
|
|
return !*f && !*p;
|
|
recursive:
|
|
/*
|
|
* The "\{" pattern is permitted only after '/' character.
|
|
* This guarantees that below "*(p - 1)" is safe.
|
|
* Also, the "\}" pattern is permitted only before '/' character
|
|
* so that "\{" + "\}" pair will not break the "\-" operator.
|
|
*/
|
|
if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
|
|
*(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
|
|
return false; /* Bad pattern. */
|
|
do {
|
|
/* Compare current component with pattern. */
|
|
if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
|
|
p_delimiter - 2))
|
|
break;
|
|
/* Proceed to next component. */
|
|
f = f_delimiter;
|
|
if (!*f)
|
|
break;
|
|
f++;
|
|
/* Continue comparison. */
|
|
if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
|
|
return true;
|
|
f_delimiter = strchr(f, '/');
|
|
} while (f_delimiter);
|
|
return false; /* Not matched. */
|
|
}
|
|
|
|
/**
|
|
* tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
|
|
*
|
|
* @filename: The filename to check.
|
|
* @pattern: The pattern to compare.
|
|
*
|
|
* Returns true if matches, false otherwise.
|
|
*
|
|
* The following patterns are available.
|
|
* \\ \ itself.
|
|
* \ooo Octal representation of a byte.
|
|
* \* Zero or more repetitions of characters other than '/'.
|
|
* \@ Zero or more repetitions of characters other than '/' or '.'.
|
|
* \? 1 byte character other than '/'.
|
|
* \$ One or more repetitions of decimal digits.
|
|
* \+ 1 decimal digit.
|
|
* \X One or more repetitions of hexadecimal digits.
|
|
* \x 1 hexadecimal digit.
|
|
* \A One or more repetitions of alphabet characters.
|
|
* \a 1 alphabet character.
|
|
*
|
|
* \- Subtraction operator.
|
|
*
|
|
* /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
|
|
* /dir/dir/dir/ ).
|
|
*/
|
|
bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
|
|
const struct tomoyo_path_info *pattern)
|
|
{
|
|
const char *f = filename->name;
|
|
const char *p = pattern->name;
|
|
const int len = pattern->const_len;
|
|
|
|
/* If @pattern doesn't contain pattern, I can use strcmp(). */
|
|
if (!pattern->is_patterned)
|
|
return !tomoyo_pathcmp(filename, pattern);
|
|
/* Don't compare directory and non-directory. */
|
|
if (filename->is_dir != pattern->is_dir)
|
|
return false;
|
|
/* Compare the initial length without patterns. */
|
|
if (strncmp(f, p, len))
|
|
return false;
|
|
f += len;
|
|
p += len;
|
|
return tomoyo_path_matches_pattern2(f, p);
|
|
}
|
|
|
|
/**
|
|
* tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
* @fmt: The printf()'s format string, followed by parameters.
|
|
*
|
|
* Returns true if output was written, false otherwise.
|
|
*
|
|
* The snprintf() will truncate, but tomoyo_io_printf() won't.
|
|
*/
|
|
bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
|
|
{
|
|
va_list args;
|
|
int len;
|
|
int pos = head->read_avail;
|
|
int size = head->readbuf_size - pos;
|
|
|
|
if (size <= 0)
|
|
return false;
|
|
va_start(args, fmt);
|
|
len = vsnprintf(head->read_buf + pos, size, fmt, args);
|
|
va_end(args);
|
|
if (pos + len >= head->readbuf_size)
|
|
return false;
|
|
head->read_avail += len;
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_get_exe - Get tomoyo_realpath() of current process.
|
|
*
|
|
* Returns the tomoyo_realpath() of current process on success, NULL otherwise.
|
|
*
|
|
* This function uses kzalloc(), so the caller must call kfree()
|
|
* if this function didn't return NULL.
|
|
*/
|
|
static const char *tomoyo_get_exe(void)
|
|
{
|
|
struct mm_struct *mm = current->mm;
|
|
struct vm_area_struct *vma;
|
|
const char *cp = NULL;
|
|
|
|
if (!mm)
|
|
return NULL;
|
|
down_read(&mm->mmap_sem);
|
|
for (vma = mm->mmap; vma; vma = vma->vm_next) {
|
|
if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) {
|
|
cp = tomoyo_realpath_from_path(&vma->vm_file->f_path);
|
|
break;
|
|
}
|
|
}
|
|
up_read(&mm->mmap_sem);
|
|
return cp;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_get_msg - Get warning message.
|
|
*
|
|
* @is_enforce: Is it enforcing mode?
|
|
*
|
|
* Returns "ERROR" or "WARNING".
|
|
*/
|
|
const char *tomoyo_get_msg(const bool is_enforce)
|
|
{
|
|
if (is_enforce)
|
|
return "ERROR";
|
|
else
|
|
return "WARNING";
|
|
}
|
|
|
|
/**
|
|
* tomoyo_check_flags - Check mode for specified functionality.
|
|
*
|
|
* @domain: Pointer to "struct tomoyo_domain_info".
|
|
* @index: The functionality to check mode.
|
|
*
|
|
* TOMOYO checks only process context.
|
|
* This code disables TOMOYO's enforcement in case the function is called from
|
|
* interrupt context.
|
|
*/
|
|
unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
|
|
const u8 index)
|
|
{
|
|
const u8 profile = domain->profile;
|
|
|
|
if (WARN_ON(in_interrupt()))
|
|
return 0;
|
|
return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX
|
|
#if TOMOYO_MAX_PROFILES != 256
|
|
&& profile < TOMOYO_MAX_PROFILES
|
|
#endif
|
|
&& tomoyo_profile_ptr[profile] ?
|
|
tomoyo_profile_ptr[profile]->value[index] : 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
|
|
*
|
|
* @domain: Pointer to "struct tomoyo_domain_info".
|
|
*
|
|
* Returns true if domain policy violation warning should be printed to
|
|
* console.
|
|
*/
|
|
bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain)
|
|
{
|
|
return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_domain_quota_is_ok - Check for domain's quota.
|
|
*
|
|
* @domain: Pointer to "struct tomoyo_domain_info".
|
|
*
|
|
* Returns true if the domain is not exceeded quota, false otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
|
|
{
|
|
unsigned int count = 0;
|
|
struct tomoyo_acl_info *ptr;
|
|
|
|
if (!domain)
|
|
return true;
|
|
list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
|
|
switch (ptr->type) {
|
|
struct tomoyo_path_acl *acl;
|
|
u32 perm;
|
|
u8 i;
|
|
case TOMOYO_TYPE_PATH_ACL:
|
|
acl = container_of(ptr, struct tomoyo_path_acl, head);
|
|
perm = acl->perm | (((u32) acl->perm_high) << 16);
|
|
for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++)
|
|
if (perm & (1 << i))
|
|
count++;
|
|
if (perm & (1 << TOMOYO_TYPE_READ_WRITE))
|
|
count -= 2;
|
|
break;
|
|
case TOMOYO_TYPE_PATH2_ACL:
|
|
perm = container_of(ptr, struct tomoyo_path2_acl, head)
|
|
->perm;
|
|
for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++)
|
|
if (perm & (1 << i))
|
|
count++;
|
|
break;
|
|
}
|
|
}
|
|
if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
|
|
return true;
|
|
if (!domain->quota_warned) {
|
|
domain->quota_warned = true;
|
|
printk(KERN_WARNING "TOMOYO-WARNING: "
|
|
"Domain '%s' has so many ACLs to hold. "
|
|
"Stopped learning mode.\n", domain->domainname->name);
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_find_or_assign_new_profile - Create a new profile.
|
|
*
|
|
* @profile: Profile number to create.
|
|
*
|
|
* Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
|
|
*/
|
|
static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
|
|
int profile)
|
|
{
|
|
static DEFINE_MUTEX(lock);
|
|
struct tomoyo_profile *ptr = NULL;
|
|
int i;
|
|
|
|
if (profile >= TOMOYO_MAX_PROFILES)
|
|
return NULL;
|
|
mutex_lock(&lock);
|
|
ptr = tomoyo_profile_ptr[profile];
|
|
if (ptr)
|
|
goto ok;
|
|
ptr = kmalloc(sizeof(*ptr), GFP_KERNEL);
|
|
if (!tomoyo_memory_ok(ptr)) {
|
|
kfree(ptr);
|
|
ptr = NULL;
|
|
goto ok;
|
|
}
|
|
for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++)
|
|
ptr->value[i] = tomoyo_control_array[i].current_value;
|
|
mb(); /* Avoid out-of-order execution. */
|
|
tomoyo_profile_ptr[profile] = ptr;
|
|
ok:
|
|
mutex_unlock(&lock);
|
|
return ptr;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_write_profile - Write to profile table.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*/
|
|
static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
|
|
{
|
|
char *data = head->write_buf;
|
|
unsigned int i;
|
|
unsigned int value;
|
|
char *cp;
|
|
struct tomoyo_profile *profile;
|
|
unsigned long num;
|
|
|
|
cp = strchr(data, '-');
|
|
if (cp)
|
|
*cp = '\0';
|
|
if (strict_strtoul(data, 10, &num))
|
|
return -EINVAL;
|
|
if (cp)
|
|
data = cp + 1;
|
|
profile = tomoyo_find_or_assign_new_profile(num);
|
|
if (!profile)
|
|
return -EINVAL;
|
|
cp = strchr(data, '=');
|
|
if (!cp)
|
|
return -EINVAL;
|
|
*cp = '\0';
|
|
if (!strcmp(data, "COMMENT")) {
|
|
const struct tomoyo_path_info *old_comment = profile->comment;
|
|
profile->comment = tomoyo_get_name(cp + 1);
|
|
tomoyo_put_name(old_comment);
|
|
return 0;
|
|
}
|
|
for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) {
|
|
if (strcmp(data, tomoyo_control_array[i].keyword))
|
|
continue;
|
|
if (sscanf(cp + 1, "%u", &value) != 1) {
|
|
int j;
|
|
const char **modes;
|
|
switch (i) {
|
|
case TOMOYO_VERBOSE:
|
|
modes = tomoyo_mode_2;
|
|
break;
|
|
default:
|
|
modes = tomoyo_mode_4;
|
|
break;
|
|
}
|
|
for (j = 0; j < 4; j++) {
|
|
if (strcmp(cp + 1, modes[j]))
|
|
continue;
|
|
value = j;
|
|
break;
|
|
}
|
|
if (j == 4)
|
|
return -EINVAL;
|
|
} else if (value > tomoyo_control_array[i].max_value) {
|
|
value = tomoyo_control_array[i].max_value;
|
|
}
|
|
profile->value[i] = value;
|
|
return 0;
|
|
}
|
|
return -EINVAL;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_read_profile - Read from profile table.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns 0.
|
|
*/
|
|
static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
|
|
{
|
|
static const int total = TOMOYO_MAX_CONTROL_INDEX + 1;
|
|
int step;
|
|
|
|
if (head->read_eof)
|
|
return 0;
|
|
for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total;
|
|
step++) {
|
|
const u8 index = step / total;
|
|
u8 type = step % total;
|
|
const struct tomoyo_profile *profile
|
|
= tomoyo_profile_ptr[index];
|
|
head->read_step = step;
|
|
if (!profile)
|
|
continue;
|
|
if (!type) { /* Print profile' comment tag. */
|
|
if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n",
|
|
index, profile->comment ?
|
|
profile->comment->name : ""))
|
|
break;
|
|
continue;
|
|
}
|
|
type--;
|
|
if (type < TOMOYO_MAX_CONTROL_INDEX) {
|
|
const unsigned int value = profile->value[type];
|
|
const char **modes = NULL;
|
|
const char *keyword
|
|
= tomoyo_control_array[type].keyword;
|
|
switch (tomoyo_control_array[type].max_value) {
|
|
case 3:
|
|
modes = tomoyo_mode_4;
|
|
break;
|
|
case 1:
|
|
modes = tomoyo_mode_2;
|
|
break;
|
|
}
|
|
if (modes) {
|
|
if (!tomoyo_io_printf(head, "%u-%s=%s\n", index,
|
|
keyword, modes[value]))
|
|
break;
|
|
} else {
|
|
if (!tomoyo_io_printf(head, "%u-%s=%u\n", index,
|
|
keyword, value))
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
if (step == TOMOYO_MAX_PROFILES * total)
|
|
head->read_eof = true;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* tomoyo_policy_manager_list is used for holding list of domainnames or
|
|
* programs which are permitted to modify configuration via
|
|
* /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* An entry is added by
|
|
*
|
|
* # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
|
|
* /sys/kernel/security/tomoyo/manager
|
|
* (if you want to specify by a domainname)
|
|
*
|
|
* or
|
|
*
|
|
* # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
|
|
* (if you want to specify by a program's location)
|
|
*
|
|
* and is deleted by
|
|
*
|
|
* # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
|
|
* /sys/kernel/security/tomoyo/manager
|
|
*
|
|
* or
|
|
*
|
|
* # echo 'delete /usr/lib/ccs/editpolicy' > \
|
|
* /sys/kernel/security/tomoyo/manager
|
|
*
|
|
* and all entries are retrieved by
|
|
*
|
|
* # cat /sys/kernel/security/tomoyo/manager
|
|
*/
|
|
LIST_HEAD(tomoyo_policy_manager_list);
|
|
|
|
/**
|
|
* tomoyo_update_manager_entry - Add a manager entry.
|
|
*
|
|
* @manager: The path to manager or the domainnamme.
|
|
* @is_delete: True if it is a delete request.
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_update_manager_entry(const char *manager,
|
|
const bool is_delete)
|
|
{
|
|
struct tomoyo_policy_manager_entry *entry = NULL;
|
|
struct tomoyo_policy_manager_entry *ptr;
|
|
const struct tomoyo_path_info *saved_manager;
|
|
int error = is_delete ? -ENOENT : -ENOMEM;
|
|
bool is_domain = false;
|
|
|
|
if (tomoyo_is_domain_def(manager)) {
|
|
if (!tomoyo_is_correct_domain(manager))
|
|
return -EINVAL;
|
|
is_domain = true;
|
|
} else {
|
|
if (!tomoyo_is_correct_path(manager, 1, -1, -1))
|
|
return -EINVAL;
|
|
}
|
|
saved_manager = tomoyo_get_name(manager);
|
|
if (!saved_manager)
|
|
return -ENOMEM;
|
|
if (!is_delete)
|
|
entry = kmalloc(sizeof(*entry), GFP_KERNEL);
|
|
mutex_lock(&tomoyo_policy_lock);
|
|
list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
|
|
if (ptr->manager != saved_manager)
|
|
continue;
|
|
ptr->is_deleted = is_delete;
|
|
error = 0;
|
|
break;
|
|
}
|
|
if (!is_delete && error && tomoyo_memory_ok(entry)) {
|
|
entry->manager = saved_manager;
|
|
saved_manager = NULL;
|
|
entry->is_domain = is_domain;
|
|
list_add_tail_rcu(&entry->list, &tomoyo_policy_manager_list);
|
|
entry = NULL;
|
|
error = 0;
|
|
}
|
|
mutex_unlock(&tomoyo_policy_lock);
|
|
tomoyo_put_name(saved_manager);
|
|
kfree(entry);
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_write_manager_policy - Write manager policy.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
|
|
{
|
|
char *data = head->write_buf;
|
|
bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
|
|
|
|
if (!strcmp(data, "manage_by_non_root")) {
|
|
tomoyo_manage_by_non_root = !is_delete;
|
|
return 0;
|
|
}
|
|
return tomoyo_update_manager_entry(data, is_delete);
|
|
}
|
|
|
|
/**
|
|
* tomoyo_read_manager_policy - Read manager policy.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns 0.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
|
|
{
|
|
struct list_head *pos;
|
|
bool done = true;
|
|
|
|
if (head->read_eof)
|
|
return 0;
|
|
list_for_each_cookie(pos, head->read_var2,
|
|
&tomoyo_policy_manager_list) {
|
|
struct tomoyo_policy_manager_entry *ptr;
|
|
ptr = list_entry(pos, struct tomoyo_policy_manager_entry,
|
|
list);
|
|
if (ptr->is_deleted)
|
|
continue;
|
|
done = tomoyo_io_printf(head, "%s\n", ptr->manager->name);
|
|
if (!done)
|
|
break;
|
|
}
|
|
head->read_eof = done;
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_is_policy_manager - Check whether the current process is a policy manager.
|
|
*
|
|
* Returns true if the current process is permitted to modify policy
|
|
* via /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static bool tomoyo_is_policy_manager(void)
|
|
{
|
|
struct tomoyo_policy_manager_entry *ptr;
|
|
const char *exe;
|
|
const struct task_struct *task = current;
|
|
const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
|
|
bool found = false;
|
|
|
|
if (!tomoyo_policy_loaded)
|
|
return true;
|
|
if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
|
|
return false;
|
|
list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
|
|
if (!ptr->is_deleted && ptr->is_domain
|
|
&& !tomoyo_pathcmp(domainname, ptr->manager)) {
|
|
found = true;
|
|
break;
|
|
}
|
|
}
|
|
if (found)
|
|
return true;
|
|
exe = tomoyo_get_exe();
|
|
if (!exe)
|
|
return false;
|
|
list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
|
|
if (!ptr->is_deleted && !ptr->is_domain
|
|
&& !strcmp(exe, ptr->manager->name)) {
|
|
found = true;
|
|
break;
|
|
}
|
|
}
|
|
if (!found) { /* Reduce error messages. */
|
|
static pid_t last_pid;
|
|
const pid_t pid = current->pid;
|
|
if (last_pid != pid) {
|
|
printk(KERN_WARNING "%s ( %s ) is not permitted to "
|
|
"update policies.\n", domainname->name, exe);
|
|
last_pid = pid;
|
|
}
|
|
}
|
|
kfree(exe);
|
|
return found;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_is_select_one - Parse select command.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
* @data: String to parse.
|
|
*
|
|
* Returns true on success, false otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
|
|
const char *data)
|
|
{
|
|
unsigned int pid;
|
|
struct tomoyo_domain_info *domain = NULL;
|
|
|
|
if (sscanf(data, "pid=%u", &pid) == 1) {
|
|
struct task_struct *p;
|
|
rcu_read_lock();
|
|
read_lock(&tasklist_lock);
|
|
p = find_task_by_vpid(pid);
|
|
if (p)
|
|
domain = tomoyo_real_domain(p);
|
|
read_unlock(&tasklist_lock);
|
|
rcu_read_unlock();
|
|
} else if (!strncmp(data, "domain=", 7)) {
|
|
if (tomoyo_is_domain_def(data + 7))
|
|
domain = tomoyo_find_domain(data + 7);
|
|
} else
|
|
return false;
|
|
head->write_var1 = domain;
|
|
/* Accessing read_buf is safe because head->io_sem is held. */
|
|
if (!head->read_buf)
|
|
return true; /* Do nothing if open(O_WRONLY). */
|
|
head->read_avail = 0;
|
|
tomoyo_io_printf(head, "# select %s\n", data);
|
|
head->read_single_domain = true;
|
|
head->read_eof = !domain;
|
|
if (domain) {
|
|
struct tomoyo_domain_info *d;
|
|
head->read_var1 = NULL;
|
|
list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
|
|
if (d == domain)
|
|
break;
|
|
head->read_var1 = &d->list;
|
|
}
|
|
head->read_var2 = NULL;
|
|
head->read_bit = 0;
|
|
head->read_step = 0;
|
|
if (domain->is_deleted)
|
|
tomoyo_io_printf(head, "# This is a deleted domain.\n");
|
|
}
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_delete_domain - Delete a domain.
|
|
*
|
|
* @domainname: The name of domain.
|
|
*
|
|
* Returns 0.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_delete_domain(char *domainname)
|
|
{
|
|
struct tomoyo_domain_info *domain;
|
|
struct tomoyo_path_info name;
|
|
|
|
name.name = domainname;
|
|
tomoyo_fill_path_info(&name);
|
|
mutex_lock(&tomoyo_policy_lock);
|
|
/* Is there an active domain? */
|
|
list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
|
|
/* Never delete tomoyo_kernel_domain */
|
|
if (domain == &tomoyo_kernel_domain)
|
|
continue;
|
|
if (domain->is_deleted ||
|
|
tomoyo_pathcmp(domain->domainname, &name))
|
|
continue;
|
|
domain->is_deleted = true;
|
|
break;
|
|
}
|
|
mutex_unlock(&tomoyo_policy_lock);
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_write_domain_policy - Write domain policy.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
|
|
{
|
|
char *data = head->write_buf;
|
|
struct tomoyo_domain_info *domain = head->write_var1;
|
|
bool is_delete = false;
|
|
bool is_select = false;
|
|
unsigned int profile;
|
|
|
|
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE))
|
|
is_delete = true;
|
|
else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT))
|
|
is_select = true;
|
|
if (is_select && tomoyo_is_select_one(head, data))
|
|
return 0;
|
|
/* Don't allow updating policies by non manager programs. */
|
|
if (!tomoyo_is_policy_manager())
|
|
return -EPERM;
|
|
if (tomoyo_is_domain_def(data)) {
|
|
domain = NULL;
|
|
if (is_delete)
|
|
tomoyo_delete_domain(data);
|
|
else if (is_select)
|
|
domain = tomoyo_find_domain(data);
|
|
else
|
|
domain = tomoyo_find_or_assign_new_domain(data, 0);
|
|
head->write_var1 = domain;
|
|
return 0;
|
|
}
|
|
if (!domain)
|
|
return -EINVAL;
|
|
|
|
if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1
|
|
&& profile < TOMOYO_MAX_PROFILES) {
|
|
if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)
|
|
domain->profile = (u8) profile;
|
|
return 0;
|
|
}
|
|
if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) {
|
|
domain->ignore_global_allow_read = !is_delete;
|
|
return 0;
|
|
}
|
|
return tomoyo_write_file_policy(data, domain, is_delete);
|
|
}
|
|
|
|
/**
|
|
* tomoyo_print_path_acl - Print a single path ACL entry.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
* @ptr: Pointer to "struct tomoyo_path_acl".
|
|
*
|
|
* Returns true on success, false otherwise.
|
|
*/
|
|
static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
|
|
struct tomoyo_path_acl *ptr)
|
|
{
|
|
int pos;
|
|
u8 bit;
|
|
const char *atmark = "";
|
|
const char *filename;
|
|
const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16);
|
|
|
|
filename = ptr->filename->name;
|
|
for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
|
|
const char *msg;
|
|
if (!(perm & (1 << bit)))
|
|
continue;
|
|
/* Print "read/write" instead of "read" and "write". */
|
|
if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
|
|
&& (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
|
|
continue;
|
|
msg = tomoyo_path2keyword(bit);
|
|
pos = head->read_avail;
|
|
if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg,
|
|
atmark, filename))
|
|
goto out;
|
|
}
|
|
head->read_bit = 0;
|
|
return true;
|
|
out:
|
|
head->read_bit = bit;
|
|
head->read_avail = pos;
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_print_path2_acl - Print a double path ACL entry.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
* @ptr: Pointer to "struct tomoyo_path2_acl".
|
|
*
|
|
* Returns true on success, false otherwise.
|
|
*/
|
|
static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head,
|
|
struct tomoyo_path2_acl *ptr)
|
|
{
|
|
int pos;
|
|
const char *atmark1 = "";
|
|
const char *atmark2 = "";
|
|
const char *filename1;
|
|
const char *filename2;
|
|
const u8 perm = ptr->perm;
|
|
u8 bit;
|
|
|
|
filename1 = ptr->filename1->name;
|
|
filename2 = ptr->filename2->name;
|
|
for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
|
|
const char *msg;
|
|
if (!(perm & (1 << bit)))
|
|
continue;
|
|
msg = tomoyo_path22keyword(bit);
|
|
pos = head->read_avail;
|
|
if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg,
|
|
atmark1, filename1, atmark2, filename2))
|
|
goto out;
|
|
}
|
|
head->read_bit = 0;
|
|
return true;
|
|
out:
|
|
head->read_bit = bit;
|
|
head->read_avail = pos;
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_print_entry - Print an ACL entry.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
* @ptr: Pointer to an ACL entry.
|
|
*
|
|
* Returns true on success, false otherwise.
|
|
*/
|
|
static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
|
|
struct tomoyo_acl_info *ptr)
|
|
{
|
|
const u8 acl_type = ptr->type;
|
|
|
|
if (acl_type == TOMOYO_TYPE_PATH_ACL) {
|
|
struct tomoyo_path_acl *acl
|
|
= container_of(ptr, struct tomoyo_path_acl, head);
|
|
return tomoyo_print_path_acl(head, acl);
|
|
}
|
|
if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
|
|
struct tomoyo_path2_acl *acl
|
|
= container_of(ptr, struct tomoyo_path2_acl, head);
|
|
return tomoyo_print_path2_acl(head, acl);
|
|
}
|
|
BUG(); /* This must not happen. */
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_read_domain_policy - Read domain policy.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns 0.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
|
|
{
|
|
struct list_head *dpos;
|
|
struct list_head *apos;
|
|
bool done = true;
|
|
|
|
if (head->read_eof)
|
|
return 0;
|
|
if (head->read_step == 0)
|
|
head->read_step = 1;
|
|
list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
|
|
struct tomoyo_domain_info *domain;
|
|
const char *quota_exceeded = "";
|
|
const char *transition_failed = "";
|
|
const char *ignore_global_allow_read = "";
|
|
domain = list_entry(dpos, struct tomoyo_domain_info, list);
|
|
if (head->read_step != 1)
|
|
goto acl_loop;
|
|
if (domain->is_deleted && !head->read_single_domain)
|
|
continue;
|
|
/* Print domainname and flags. */
|
|
if (domain->quota_warned)
|
|
quota_exceeded = "quota_exceeded\n";
|
|
if (domain->transition_failed)
|
|
transition_failed = "transition_failed\n";
|
|
if (domain->ignore_global_allow_read)
|
|
ignore_global_allow_read
|
|
= TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
|
|
done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
|
|
"%u\n%s%s%s\n",
|
|
domain->domainname->name,
|
|
domain->profile, quota_exceeded,
|
|
transition_failed,
|
|
ignore_global_allow_read);
|
|
if (!done)
|
|
break;
|
|
head->read_step = 2;
|
|
acl_loop:
|
|
if (head->read_step == 3)
|
|
goto tail_mark;
|
|
/* Print ACL entries in the domain. */
|
|
list_for_each_cookie(apos, head->read_var2,
|
|
&domain->acl_info_list) {
|
|
struct tomoyo_acl_info *ptr
|
|
= list_entry(apos, struct tomoyo_acl_info,
|
|
list);
|
|
done = tomoyo_print_entry(head, ptr);
|
|
if (!done)
|
|
break;
|
|
}
|
|
if (!done)
|
|
break;
|
|
head->read_step = 3;
|
|
tail_mark:
|
|
done = tomoyo_io_printf(head, "\n");
|
|
if (!done)
|
|
break;
|
|
head->read_step = 1;
|
|
if (head->read_single_domain)
|
|
break;
|
|
}
|
|
head->read_eof = done;
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_write_domain_profile - Assign profile for specified domain.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns 0 on success, -EINVAL otherwise.
|
|
*
|
|
* This is equivalent to doing
|
|
*
|
|
* ( echo "select " $domainname; echo "use_profile " $profile ) |
|
|
* /usr/lib/ccs/loadpolicy -d
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
|
|
{
|
|
char *data = head->write_buf;
|
|
char *cp = strchr(data, ' ');
|
|
struct tomoyo_domain_info *domain;
|
|
unsigned long profile;
|
|
|
|
if (!cp)
|
|
return -EINVAL;
|
|
*cp = '\0';
|
|
domain = tomoyo_find_domain(cp + 1);
|
|
if (strict_strtoul(data, 10, &profile))
|
|
return -EINVAL;
|
|
if (domain && profile < TOMOYO_MAX_PROFILES
|
|
&& (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded))
|
|
domain->profile = (u8) profile;
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_read_domain_profile - Read only domainname and profile.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns list of profile number and domainname pairs.
|
|
*
|
|
* This is equivalent to doing
|
|
*
|
|
* grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
|
|
* awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
|
|
* domainname = $0; } else if ( $1 == "use_profile" ) {
|
|
* print $2 " " domainname; domainname = ""; } } ; '
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
|
|
{
|
|
struct list_head *pos;
|
|
bool done = true;
|
|
|
|
if (head->read_eof)
|
|
return 0;
|
|
list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) {
|
|
struct tomoyo_domain_info *domain;
|
|
domain = list_entry(pos, struct tomoyo_domain_info, list);
|
|
if (domain->is_deleted)
|
|
continue;
|
|
done = tomoyo_io_printf(head, "%u %s\n", domain->profile,
|
|
domain->domainname->name);
|
|
if (!done)
|
|
break;
|
|
}
|
|
head->read_eof = done;
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_write_pid: Specify PID to obtain domainname.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns 0.
|
|
*/
|
|
static int tomoyo_write_pid(struct tomoyo_io_buffer *head)
|
|
{
|
|
unsigned long pid;
|
|
/* No error check. */
|
|
strict_strtoul(head->write_buf, 10, &pid);
|
|
head->read_step = (int) pid;
|
|
head->read_eof = false;
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_read_pid - Get domainname of the specified PID.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns the domainname which the specified PID is in on success,
|
|
* empty string otherwise.
|
|
* The PID is specified by tomoyo_write_pid() so that the user can obtain
|
|
* using read()/write() interface rather than sysctl() interface.
|
|
*/
|
|
static int tomoyo_read_pid(struct tomoyo_io_buffer *head)
|
|
{
|
|
if (head->read_avail == 0 && !head->read_eof) {
|
|
const int pid = head->read_step;
|
|
struct task_struct *p;
|
|
struct tomoyo_domain_info *domain = NULL;
|
|
rcu_read_lock();
|
|
read_lock(&tasklist_lock);
|
|
p = find_task_by_vpid(pid);
|
|
if (p)
|
|
domain = tomoyo_real_domain(p);
|
|
read_unlock(&tasklist_lock);
|
|
rcu_read_unlock();
|
|
if (domain)
|
|
tomoyo_io_printf(head, "%d %u %s", pid, domain->profile,
|
|
domain->domainname->name);
|
|
head->read_eof = true;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_write_exception_policy - Write exception policy.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
|
|
{
|
|
char *data = head->write_buf;
|
|
bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
|
|
|
|
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN))
|
|
return tomoyo_write_domain_keeper_policy(data, false,
|
|
is_delete);
|
|
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN))
|
|
return tomoyo_write_domain_keeper_policy(data, true, is_delete);
|
|
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN))
|
|
return tomoyo_write_domain_initializer_policy(data, false,
|
|
is_delete);
|
|
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN))
|
|
return tomoyo_write_domain_initializer_policy(data, true,
|
|
is_delete);
|
|
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS))
|
|
return tomoyo_write_alias_policy(data, is_delete);
|
|
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ))
|
|
return tomoyo_write_globally_readable_policy(data, is_delete);
|
|
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN))
|
|
return tomoyo_write_pattern_policy(data, is_delete);
|
|
if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE))
|
|
return tomoyo_write_no_rewrite_policy(data, is_delete);
|
|
return -EINVAL;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_read_exception_policy - Read exception policy.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns 0 on success, -EINVAL otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head)
|
|
{
|
|
if (!head->read_eof) {
|
|
switch (head->read_step) {
|
|
case 0:
|
|
head->read_var2 = NULL;
|
|
head->read_step = 1;
|
|
case 1:
|
|
if (!tomoyo_read_domain_keeper_policy(head))
|
|
break;
|
|
head->read_var2 = NULL;
|
|
head->read_step = 2;
|
|
case 2:
|
|
if (!tomoyo_read_globally_readable_policy(head))
|
|
break;
|
|
head->read_var2 = NULL;
|
|
head->read_step = 3;
|
|
case 3:
|
|
head->read_var2 = NULL;
|
|
head->read_step = 4;
|
|
case 4:
|
|
if (!tomoyo_read_domain_initializer_policy(head))
|
|
break;
|
|
head->read_var2 = NULL;
|
|
head->read_step = 5;
|
|
case 5:
|
|
if (!tomoyo_read_alias_policy(head))
|
|
break;
|
|
head->read_var2 = NULL;
|
|
head->read_step = 6;
|
|
case 6:
|
|
head->read_var2 = NULL;
|
|
head->read_step = 7;
|
|
case 7:
|
|
if (!tomoyo_read_file_pattern(head))
|
|
break;
|
|
head->read_var2 = NULL;
|
|
head->read_step = 8;
|
|
case 8:
|
|
if (!tomoyo_read_no_rewrite_policy(head))
|
|
break;
|
|
head->read_var2 = NULL;
|
|
head->read_step = 9;
|
|
case 9:
|
|
head->read_eof = true;
|
|
break;
|
|
default:
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/* path to policy loader */
|
|
static const char *tomoyo_loader = "/sbin/tomoyo-init";
|
|
|
|
/**
|
|
* tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
|
|
*
|
|
* Returns true if /sbin/tomoyo-init exists, false otherwise.
|
|
*/
|
|
static bool tomoyo_policy_loader_exists(void)
|
|
{
|
|
/*
|
|
* Don't activate MAC if the policy loader doesn't exist.
|
|
* If the initrd includes /sbin/init but real-root-dev has not
|
|
* mounted on / yet, activating MAC will block the system since
|
|
* policies are not loaded yet.
|
|
* Thus, let do_execve() call this function everytime.
|
|
*/
|
|
struct path path;
|
|
|
|
if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
|
|
printk(KERN_INFO "Not activating Mandatory Access Control now "
|
|
"since %s doesn't exist.\n", tomoyo_loader);
|
|
return false;
|
|
}
|
|
path_put(&path);
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_load_policy - Run external policy loader to load policy.
|
|
*
|
|
* @filename: The program about to start.
|
|
*
|
|
* This function checks whether @filename is /sbin/init , and if so
|
|
* invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
|
|
* and then continues invocation of /sbin/init.
|
|
* /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
|
|
* writes to /sys/kernel/security/tomoyo/ interfaces.
|
|
*
|
|
* Returns nothing.
|
|
*/
|
|
void tomoyo_load_policy(const char *filename)
|
|
{
|
|
char *argv[2];
|
|
char *envp[3];
|
|
|
|
if (tomoyo_policy_loaded)
|
|
return;
|
|
/*
|
|
* Check filename is /sbin/init or /sbin/tomoyo-start.
|
|
* /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
|
|
* be passed.
|
|
* You can create /sbin/tomoyo-start by
|
|
* "ln -s /bin/true /sbin/tomoyo-start".
|
|
*/
|
|
if (strcmp(filename, "/sbin/init") &&
|
|
strcmp(filename, "/sbin/tomoyo-start"))
|
|
return;
|
|
if (!tomoyo_policy_loader_exists())
|
|
return;
|
|
|
|
printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
|
|
tomoyo_loader);
|
|
argv[0] = (char *) tomoyo_loader;
|
|
argv[1] = NULL;
|
|
envp[0] = "HOME=/";
|
|
envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
|
|
envp[2] = NULL;
|
|
call_usermodehelper(argv[0], argv, envp, 1);
|
|
|
|
printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n");
|
|
printk(KERN_INFO "Mandatory Access Control activated.\n");
|
|
tomoyo_policy_loaded = true;
|
|
{ /* Check all profiles currently assigned to domains are defined. */
|
|
struct tomoyo_domain_info *domain;
|
|
list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
|
|
const u8 profile = domain->profile;
|
|
if (tomoyo_profile_ptr[profile])
|
|
continue;
|
|
panic("Profile %u (used by '%s') not defined.\n",
|
|
profile, domain->domainname->name);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* tomoyo_read_version: Get version.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns version information.
|
|
*/
|
|
static int tomoyo_read_version(struct tomoyo_io_buffer *head)
|
|
{
|
|
if (!head->read_eof) {
|
|
tomoyo_io_printf(head, "2.2.0");
|
|
head->read_eof = true;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_read_self_domain - Get the current process's domainname.
|
|
*
|
|
* @head: Pointer to "struct tomoyo_io_buffer".
|
|
*
|
|
* Returns the current process's domainname.
|
|
*/
|
|
static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head)
|
|
{
|
|
if (!head->read_eof) {
|
|
/*
|
|
* tomoyo_domain()->domainname != NULL
|
|
* because every process belongs to a domain and
|
|
* the domain's name cannot be NULL.
|
|
*/
|
|
tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name);
|
|
head->read_eof = true;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* @type: Type of interface.
|
|
* @file: Pointer to "struct file".
|
|
*
|
|
* Associates policy handler and returns 0 on success, -ENOMEM otherwise.
|
|
*
|
|
* Caller acquires tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_open_control(const u8 type, struct file *file)
|
|
{
|
|
struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_KERNEL);
|
|
|
|
if (!head)
|
|
return -ENOMEM;
|
|
mutex_init(&head->io_sem);
|
|
switch (type) {
|
|
case TOMOYO_DOMAINPOLICY:
|
|
/* /sys/kernel/security/tomoyo/domain_policy */
|
|
head->write = tomoyo_write_domain_policy;
|
|
head->read = tomoyo_read_domain_policy;
|
|
break;
|
|
case TOMOYO_EXCEPTIONPOLICY:
|
|
/* /sys/kernel/security/tomoyo/exception_policy */
|
|
head->write = tomoyo_write_exception_policy;
|
|
head->read = tomoyo_read_exception_policy;
|
|
break;
|
|
case TOMOYO_SELFDOMAIN:
|
|
/* /sys/kernel/security/tomoyo/self_domain */
|
|
head->read = tomoyo_read_self_domain;
|
|
break;
|
|
case TOMOYO_DOMAIN_STATUS:
|
|
/* /sys/kernel/security/tomoyo/.domain_status */
|
|
head->write = tomoyo_write_domain_profile;
|
|
head->read = tomoyo_read_domain_profile;
|
|
break;
|
|
case TOMOYO_PROCESS_STATUS:
|
|
/* /sys/kernel/security/tomoyo/.process_status */
|
|
head->write = tomoyo_write_pid;
|
|
head->read = tomoyo_read_pid;
|
|
break;
|
|
case TOMOYO_VERSION:
|
|
/* /sys/kernel/security/tomoyo/version */
|
|
head->read = tomoyo_read_version;
|
|
head->readbuf_size = 128;
|
|
break;
|
|
case TOMOYO_MEMINFO:
|
|
/* /sys/kernel/security/tomoyo/meminfo */
|
|
head->write = tomoyo_write_memory_quota;
|
|
head->read = tomoyo_read_memory_counter;
|
|
head->readbuf_size = 512;
|
|
break;
|
|
case TOMOYO_PROFILE:
|
|
/* /sys/kernel/security/tomoyo/profile */
|
|
head->write = tomoyo_write_profile;
|
|
head->read = tomoyo_read_profile;
|
|
break;
|
|
case TOMOYO_MANAGER:
|
|
/* /sys/kernel/security/tomoyo/manager */
|
|
head->write = tomoyo_write_manager_policy;
|
|
head->read = tomoyo_read_manager_policy;
|
|
break;
|
|
}
|
|
if (!(file->f_mode & FMODE_READ)) {
|
|
/*
|
|
* No need to allocate read_buf since it is not opened
|
|
* for reading.
|
|
*/
|
|
head->read = NULL;
|
|
} else {
|
|
if (!head->readbuf_size)
|
|
head->readbuf_size = 4096 * 2;
|
|
head->read_buf = kzalloc(head->readbuf_size, GFP_KERNEL);
|
|
if (!head->read_buf) {
|
|
kfree(head);
|
|
return -ENOMEM;
|
|
}
|
|
}
|
|
if (!(file->f_mode & FMODE_WRITE)) {
|
|
/*
|
|
* No need to allocate write_buf since it is not opened
|
|
* for writing.
|
|
*/
|
|
head->write = NULL;
|
|
} else if (head->write) {
|
|
head->writebuf_size = 4096 * 2;
|
|
head->write_buf = kzalloc(head->writebuf_size, GFP_KERNEL);
|
|
if (!head->write_buf) {
|
|
kfree(head->read_buf);
|
|
kfree(head);
|
|
return -ENOMEM;
|
|
}
|
|
}
|
|
head->reader_idx = tomoyo_read_lock();
|
|
file->private_data = head;
|
|
/*
|
|
* Call the handler now if the file is
|
|
* /sys/kernel/security/tomoyo/self_domain
|
|
* so that the user can use
|
|
* cat < /sys/kernel/security/tomoyo/self_domain"
|
|
* to know the current process's domainname.
|
|
*/
|
|
if (type == TOMOYO_SELFDOMAIN)
|
|
tomoyo_read_control(file, NULL, 0);
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* @file: Pointer to "struct file".
|
|
* @buffer: Poiner to buffer to write to.
|
|
* @buffer_len: Size of @buffer.
|
|
*
|
|
* Returns bytes read on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_read_control(struct file *file, char __user *buffer,
|
|
const int buffer_len)
|
|
{
|
|
int len = 0;
|
|
struct tomoyo_io_buffer *head = file->private_data;
|
|
char *cp;
|
|
|
|
if (!head->read)
|
|
return -ENOSYS;
|
|
if (mutex_lock_interruptible(&head->io_sem))
|
|
return -EINTR;
|
|
/* Call the policy handler. */
|
|
len = head->read(head);
|
|
if (len < 0)
|
|
goto out;
|
|
/* Write to buffer. */
|
|
len = head->read_avail;
|
|
if (len > buffer_len)
|
|
len = buffer_len;
|
|
if (!len)
|
|
goto out;
|
|
/* head->read_buf changes by some functions. */
|
|
cp = head->read_buf;
|
|
if (copy_to_user(buffer, cp, len)) {
|
|
len = -EFAULT;
|
|
goto out;
|
|
}
|
|
head->read_avail -= len;
|
|
memmove(cp, cp + len, head->read_avail);
|
|
out:
|
|
mutex_unlock(&head->io_sem);
|
|
return len;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* @file: Pointer to "struct file".
|
|
* @buffer: Pointer to buffer to read from.
|
|
* @buffer_len: Size of @buffer.
|
|
*
|
|
* Returns @buffer_len on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_write_control(struct file *file, const char __user *buffer,
|
|
const int buffer_len)
|
|
{
|
|
struct tomoyo_io_buffer *head = file->private_data;
|
|
int error = buffer_len;
|
|
int avail_len = buffer_len;
|
|
char *cp0 = head->write_buf;
|
|
|
|
if (!head->write)
|
|
return -ENOSYS;
|
|
if (!access_ok(VERIFY_READ, buffer, buffer_len))
|
|
return -EFAULT;
|
|
/* Don't allow updating policies by non manager programs. */
|
|
if (head->write != tomoyo_write_pid &&
|
|
head->write != tomoyo_write_domain_policy &&
|
|
!tomoyo_is_policy_manager())
|
|
return -EPERM;
|
|
if (mutex_lock_interruptible(&head->io_sem))
|
|
return -EINTR;
|
|
/* Read a line and dispatch it to the policy handler. */
|
|
while (avail_len > 0) {
|
|
char c;
|
|
if (head->write_avail >= head->writebuf_size - 1) {
|
|
error = -ENOMEM;
|
|
break;
|
|
} else if (get_user(c, buffer)) {
|
|
error = -EFAULT;
|
|
break;
|
|
}
|
|
buffer++;
|
|
avail_len--;
|
|
cp0[head->write_avail++] = c;
|
|
if (c != '\n')
|
|
continue;
|
|
cp0[head->write_avail - 1] = '\0';
|
|
head->write_avail = 0;
|
|
tomoyo_normalize_line(cp0);
|
|
head->write(head);
|
|
}
|
|
mutex_unlock(&head->io_sem);
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* @file: Pointer to "struct file".
|
|
*
|
|
* Releases memory and returns 0.
|
|
*
|
|
* Caller looses tomoyo_read_lock().
|
|
*/
|
|
static int tomoyo_close_control(struct file *file)
|
|
{
|
|
struct tomoyo_io_buffer *head = file->private_data;
|
|
const bool is_write = !!head->write_buf;
|
|
|
|
tomoyo_read_unlock(head->reader_idx);
|
|
/* Release memory used for policy I/O. */
|
|
kfree(head->read_buf);
|
|
head->read_buf = NULL;
|
|
kfree(head->write_buf);
|
|
head->write_buf = NULL;
|
|
kfree(head);
|
|
head = NULL;
|
|
file->private_data = NULL;
|
|
if (is_write)
|
|
tomoyo_run_gc();
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* @inode: Pointer to "struct inode".
|
|
* @file: Pointer to "struct file".
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*/
|
|
static int tomoyo_open(struct inode *inode, struct file *file)
|
|
{
|
|
const int key = ((u8 *) file->f_path.dentry->d_inode->i_private)
|
|
- ((u8 *) NULL);
|
|
return tomoyo_open_control(key, file);
|
|
}
|
|
|
|
/**
|
|
* tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* @inode: Pointer to "struct inode".
|
|
* @file: Pointer to "struct file".
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*/
|
|
static int tomoyo_release(struct inode *inode, struct file *file)
|
|
{
|
|
return tomoyo_close_control(file);
|
|
}
|
|
|
|
/**
|
|
* tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* @file: Pointer to "struct file".
|
|
* @buf: Pointer to buffer.
|
|
* @count: Size of @buf.
|
|
* @ppos: Unused.
|
|
*
|
|
* Returns bytes read on success, negative value otherwise.
|
|
*/
|
|
static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
|
|
loff_t *ppos)
|
|
{
|
|
return tomoyo_read_control(file, buf, count);
|
|
}
|
|
|
|
/**
|
|
* tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* @file: Pointer to "struct file".
|
|
* @buf: Pointer to buffer.
|
|
* @count: Size of @buf.
|
|
* @ppos: Unused.
|
|
*
|
|
* Returns @count on success, negative value otherwise.
|
|
*/
|
|
static ssize_t tomoyo_write(struct file *file, const char __user *buf,
|
|
size_t count, loff_t *ppos)
|
|
{
|
|
return tomoyo_write_control(file, buf, count);
|
|
}
|
|
|
|
/*
|
|
* tomoyo_operations is a "struct file_operations" which is used for handling
|
|
* /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
|
|
* See tomoyo_io_buffer for internals.
|
|
*/
|
|
static const struct file_operations tomoyo_operations = {
|
|
.open = tomoyo_open,
|
|
.release = tomoyo_release,
|
|
.read = tomoyo_read,
|
|
.write = tomoyo_write,
|
|
};
|
|
|
|
/**
|
|
* tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
|
|
*
|
|
* @name: The name of the interface file.
|
|
* @mode: The permission of the interface file.
|
|
* @parent: The parent directory.
|
|
* @key: Type of interface.
|
|
*
|
|
* Returns nothing.
|
|
*/
|
|
static void __init tomoyo_create_entry(const char *name, const mode_t mode,
|
|
struct dentry *parent, const u8 key)
|
|
{
|
|
securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,
|
|
&tomoyo_operations);
|
|
}
|
|
|
|
/**
|
|
* tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
|
|
*
|
|
* Returns 0.
|
|
*/
|
|
static int __init tomoyo_initerface_init(void)
|
|
{
|
|
struct dentry *tomoyo_dir;
|
|
|
|
/* Don't create securityfs entries unless registered. */
|
|
if (current_cred()->security != &tomoyo_kernel_domain)
|
|
return 0;
|
|
|
|
tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
|
|
tomoyo_create_entry("domain_policy", 0600, tomoyo_dir,
|
|
TOMOYO_DOMAINPOLICY);
|
|
tomoyo_create_entry("exception_policy", 0600, tomoyo_dir,
|
|
TOMOYO_EXCEPTIONPOLICY);
|
|
tomoyo_create_entry("self_domain", 0400, tomoyo_dir,
|
|
TOMOYO_SELFDOMAIN);
|
|
tomoyo_create_entry(".domain_status", 0600, tomoyo_dir,
|
|
TOMOYO_DOMAIN_STATUS);
|
|
tomoyo_create_entry(".process_status", 0600, tomoyo_dir,
|
|
TOMOYO_PROCESS_STATUS);
|
|
tomoyo_create_entry("meminfo", 0600, tomoyo_dir,
|
|
TOMOYO_MEMINFO);
|
|
tomoyo_create_entry("profile", 0600, tomoyo_dir,
|
|
TOMOYO_PROFILE);
|
|
tomoyo_create_entry("manager", 0600, tomoyo_dir,
|
|
TOMOYO_MANAGER);
|
|
tomoyo_create_entry("version", 0400, tomoyo_dir,
|
|
TOMOYO_VERSION);
|
|
return 0;
|
|
}
|
|
|
|
fs_initcall(tomoyo_initerface_init);
|