/* * security/tomoyo/common.c * * Common functions for TOMOYO. * * Copyright (C) 2005-2009 NTT DATA CORPORATION * * Version: 2.2.0 2009/04/01 * */ #include #include #include #include "realpath.h" #include "common.h" #include "tomoyo.h" /* Lock for protecting policy. */ DEFINE_MUTEX(tomoyo_policy_lock); /* Has loading policy done? */ bool tomoyo_policy_loaded; /* String table for functionality that takes 4 modes. */ static const char *tomoyo_mode_4[4] = { "disabled", "learning", "permissive", "enforcing" }; /* String table for functionality that takes 2 modes. */ static const char *tomoyo_mode_2[4] = { "disabled", "enabled", "enabled", "enabled" }; /* * tomoyo_control_array is a static data which contains * * (1) functionality name used by /sys/kernel/security/tomoyo/profile . * (2) initial values for "struct tomoyo_profile". * (3) max values for "struct tomoyo_profile". */ static struct { const char *keyword; unsigned int current_value; const unsigned int max_value; } tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = { [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX }, [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, }; /* * tomoyo_profile is a structure which is used for holding the mode of access * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing. * An administrator can define up to 256 profiles. * The ->profile of "struct tomoyo_domain_info" is used for remembering * the profile's number (0 - 255) assigned to that domain. */ static struct tomoyo_profile { unsigned int value[TOMOYO_MAX_CONTROL_INDEX]; const struct tomoyo_path_info *comment; } *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES]; /* Permit policy management by non-root user? */ static bool tomoyo_manage_by_non_root; /* Utility functions. */ /* Open operation for /sys/kernel/security/tomoyo/ interface. */ static int tomoyo_open_control(const u8 type, struct file *file); /* Close /sys/kernel/security/tomoyo/ interface. */ static int tomoyo_close_control(struct file *file); /* Read operation for /sys/kernel/security/tomoyo/ interface. */ static int tomoyo_read_control(struct file *file, char __user *buffer, const int buffer_len); /* Write operation for /sys/kernel/security/tomoyo/ interface. */ static int tomoyo_write_control(struct file *file, const char __user *buffer, const int buffer_len); /** * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value. * * @str: Pointer to the string. * * Returns true if @str is a \ooo style octal value, false otherwise. * * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF. * This function verifies that \ooo is in valid range. */ static inline bool tomoyo_is_byte_range(const char *str) { return *str >= '0' && *str++ <= '3' && *str >= '0' && *str++ <= '7' && *str >= '0' && *str <= '7'; } /** * tomoyo_is_alphabet_char - Check whether the character is an alphabet. * * @c: The character to check. * * Returns true if @c is an alphabet character, false otherwise. */ static inline bool tomoyo_is_alphabet_char(const char c) { return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'); } /** * tomoyo_make_byte - Make byte value from three octal characters. * * @c1: The first character. * @c2: The second character. * @c3: The third character. * * Returns byte value. */ static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3) { return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0'); } /** * tomoyo_str_starts - Check whether the given string starts with the given keyword. * * @src: Pointer to pointer to the string. * @find: Pointer to the keyword. * * Returns true if @src starts with @find, false otherwise. * * The @src is updated to point the first character after the @find * if @src starts with @find. */ static bool tomoyo_str_starts(char **src, const char *find) { const int len = strlen(find); char *tmp = *src; if (strncmp(tmp, find, len)) return false; tmp += len; *src = tmp; return true; } /** * tomoyo_normalize_line - Format string. * * @buffer: The line to normalize. * * Leading and trailing whitespaces are removed. * Multiple whitespaces are packed into single space. * * Returns nothing. */ static void tomoyo_normalize_line(unsigned char *buffer) { unsigned char *sp = buffer; unsigned char *dp = buffer; bool first = true; while (tomoyo_is_invalid(*sp)) sp++; while (*sp) { if (!first) *dp++ = ' '; first = false; while (tomoyo_is_valid(*sp)) *dp++ = *sp++; while (tomoyo_is_invalid(*sp)) sp++; } *dp = '\0'; } /** * tomoyo_is_correct_path - Validate a pathname. * @filename: The pathname to check. * @start_type: Should the pathname start with '/'? * 1 = must / -1 = must not / 0 = don't care * @pattern_type: Can the pathname contain a wildcard? * 1 = must / -1 = must not / 0 = don't care * @end_type: Should the pathname end with '/'? * 1 = must / -1 = must not / 0 = don't care * @function: The name of function calling me. * * Check whether the given filename follows the naming rules. * Returns true if @filename follows the naming rules, false otherwise. */ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, const s8 pattern_type, const s8 end_type, const char *function) { const char *const start = filename; bool in_repetition = false; bool contains_pattern = false; unsigned char c; unsigned char d; unsigned char e; const char *original_filename = filename; if (!filename) goto out; c = *filename; if (start_type == 1) { /* Must start with '/' */ if (c != '/') goto out; } else if (start_type == -1) { /* Must not start with '/' */ if (c == '/') goto out; } if (c) c = *(filename + strlen(filename) - 1); if (end_type == 1) { /* Must end with '/' */ if (c != '/') goto out; } else if (end_type == -1) { /* Must not end with '/' */ if (c == '/') goto out; } while (1) { c = *filename++; if (!c) break; if (c == '\\') { c = *filename++; switch (c) { case '\\': /* "\\" */ continue; case '$': /* "\$" */ case '+': /* "\+" */ case '?': /* "\?" */ case '*': /* "\*" */ case '@': /* "\@" */ case 'x': /* "\x" */ case 'X': /* "\X" */ case 'a': /* "\a" */ case 'A': /* "\A" */ case '-': /* "\-" */ if (pattern_type == -1) break; /* Must not contain pattern */ contains_pattern = true; continue; case '{': /* "/\{" */ if (filename - 3 < start || *(filename - 3) != '/') break; if (pattern_type == -1) break; /* Must not contain pattern */ contains_pattern = true; in_repetition = true; continue; case '}': /* "\}/" */ if (*filename != '/') break; if (!in_repetition) break; in_repetition = false; continue; case '0': /* "\ooo" */ case '1': case '2': case '3': d = *filename++; if (d < '0' || d > '7') break; e = *filename++; if (e < '0' || e > '7') break; c = tomoyo_make_byte(c, d, e); if (tomoyo_is_invalid(c)) continue; /* pattern is not \000 */ } goto out; } else if (in_repetition && c == '/') { goto out; } else if (tomoyo_is_invalid(c)) { goto out; } } if (pattern_type == 1) { /* Must contain pattern */ if (!contains_pattern) goto out; } if (in_repetition) goto out; return true; out: printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function, original_filename); return false; } /** * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules. * @domainname: The domainname to check. * @function: The name of function calling me. * * Returns true if @domainname follows the naming rules, false otherwise. */ bool tomoyo_is_correct_domain(const unsigned char *domainname, const char *function) { unsigned char c; unsigned char d; unsigned char e; const char *org_domainname = domainname; if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN)) goto out; domainname += TOMOYO_ROOT_NAME_LEN; if (!*domainname) return true; do { if (*domainname++ != ' ') goto out; if (*domainname++ != '/') goto out; while ((c = *domainname) != '\0' && c != ' ') { domainname++; if (c == '\\') { c = *domainname++; switch ((c)) { case '\\': /* "\\" */ continue; case '0': /* "\ooo" */ case '1': case '2': case '3': d = *domainname++; if (d < '0' || d > '7') break; e = *domainname++; if (e < '0' || e > '7') break; c = tomoyo_make_byte(c, d, e); if (tomoyo_is_invalid(c)) /* pattern is not \000 */ continue; } goto out; } else if (tomoyo_is_invalid(c)) { goto out; } } } while (*domainname); return true; out: printk(KERN_DEBUG "%s: Invalid domainname '%s'\n", function, org_domainname); return false; } /** * tomoyo_is_domain_def - Check whether the given token can be a domainname. * * @buffer: The token to check. * * Returns true if @buffer possibly be a domainname, false otherwise. */ bool tomoyo_is_domain_def(const unsigned char *buffer) { return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN); } /** * tomoyo_find_domain - Find a domain by the given name. * * @domainname: The domainname to find. * * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise. * * Caller holds tomoyo_read_lock(). */ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname) { struct tomoyo_domain_info *domain; struct tomoyo_path_info name; name.name = domainname; tomoyo_fill_path_info(&name); list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { if (!domain->is_deleted && !tomoyo_pathcmp(&name, domain->domainname)) return domain; } return NULL; } /** * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token. * * @filename: The string to evaluate. * * Returns the initial length without a pattern in @filename. */ static int tomoyo_const_part_length(const char *filename) { char c; int len = 0; if (!filename) return 0; while ((c = *filename++) != '\0') { if (c != '\\') { len++; continue; } c = *filename++; switch (c) { case '\\': /* "\\" */ len += 2; continue; case '0': /* "\ooo" */ case '1': case '2': case '3': c = *filename++; if (c < '0' || c > '7') break; c = *filename++; if (c < '0' || c > '7') break; len += 4; continue; } break; } return len; } /** * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members. * * @ptr: Pointer to "struct tomoyo_path_info" to fill in. * * The caller sets "struct tomoyo_path_info"->name. */ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr) { const char *name = ptr->name; const int len = strlen(name); ptr->const_len = tomoyo_const_part_length(name); ptr->is_dir = len && (name[len - 1] == '/'); ptr->is_patterned = (ptr->const_len < len); ptr->hash = full_name_hash(name, len); } /** * tomoyo_file_matches_pattern2 - Pattern matching without '/' character * and "\-" pattern. * * @filename: The start of string to check. * @filename_end: The end of string to check. * @pattern: The start of pattern to compare. * @pattern_end: The end of pattern to compare. * * Returns true if @filename matches @pattern, false otherwise. */ static bool tomoyo_file_matches_pattern2(const char *filename, const char *filename_end, const char *pattern, const char *pattern_end) { while (filename < filename_end && pattern < pattern_end) { char c; if (*pattern != '\\') { if (*filename++ != *pattern++) return false; continue; } c = *filename; pattern++; switch (*pattern) { int i; int j; case '?': if (c == '/') { return false; } else if (c == '\\') { if (filename[1] == '\\') filename++; else if (tomoyo_is_byte_range(filename + 1)) filename += 3; else return false; } break; case '\\': if (c != '\\') return false; if (*++filename != '\\') return false; break; case '+': if (!isdigit(c)) return false; break; case 'x': if (!isxdigit(c)) return false; break; case 'a': if (!tomoyo_is_alphabet_char(c)) return false; break; case '0': case '1': case '2': case '3': if (c == '\\' && tomoyo_is_byte_range(filename + 1) && strncmp(filename + 1, pattern, 3) == 0) { filename += 3; pattern += 2; break; } return false; /* Not matched. */ case '*': case '@': for (i = 0; i <= filename_end - filename; i++) { if (tomoyo_file_matches_pattern2( filename + i, filename_end, pattern + 1, pattern_end)) return true; c = filename[i]; if (c == '.' && *pattern == '@') break; if (c != '\\') continue; if (filename[i + 1] == '\\') i++; else if (tomoyo_is_byte_range(filename + i + 1)) i += 3; else break; /* Bad pattern. */ } return false; /* Not matched. */ default: j = 0; c = *pattern; if (c == '$') { while (isdigit(filename[j])) j++; } else if (c == 'X') { while (isxdigit(filename[j])) j++; } else if (c == 'A') { while (tomoyo_is_alphabet_char(filename[j])) j++; } for (i = 1; i <= j; i++) { if (tomoyo_file_matches_pattern2( filename + i, filename_end, pattern + 1, pattern_end)) return true; } return false; /* Not matched or bad pattern. */ } filename++; pattern++; } while (*pattern == '\\' && (*(pattern + 1) == '*' || *(pattern + 1) == '@')) pattern += 2; return filename == filename_end && pattern == pattern_end; } /** * tomoyo_file_matches_pattern - Pattern matching without without '/' character. * * @filename: The start of string to check. * @filename_end: The end of string to check. * @pattern: The start of pattern to compare. * @pattern_end: The end of pattern to compare. * * Returns true if @filename matches @pattern, false otherwise. */ static bool tomoyo_file_matches_pattern(const char *filename, const char *filename_end, const char *pattern, const char *pattern_end) { const char *pattern_start = pattern; bool first = true; bool result; while (pattern < pattern_end - 1) { /* Split at "\-" pattern. */ if (*pattern++ != '\\' || *pattern++ != '-') continue; result = tomoyo_file_matches_pattern2(filename, filename_end, pattern_start, pattern - 2); if (first) result = !result; if (result) return false; first = false; pattern_start = pattern; } result = tomoyo_file_matches_pattern2(filename, filename_end, pattern_start, pattern_end); return first ? result : !result; } /** * tomoyo_path_matches_pattern2 - Do pathname pattern matching. * * @f: The start of string to check. * @p: The start of pattern to compare. * * Returns true if @f matches @p, false otherwise. */ static bool tomoyo_path_matches_pattern2(const char *f, const char *p) { const char *f_delimiter; const char *p_delimiter; while (*f && *p) { f_delimiter = strchr(f, '/'); if (!f_delimiter) f_delimiter = f + strlen(f); p_delimiter = strchr(p, '/'); if (!p_delimiter) p_delimiter = p + strlen(p); if (*p == '\\' && *(p + 1) == '{') goto recursive; if (!tomoyo_file_matches_pattern(f, f_delimiter, p, p_delimiter)) return false; f = f_delimiter; if (*f) f++; p = p_delimiter; if (*p) p++; } /* Ignore trailing "\*" and "\@" in @pattern. */ while (*p == '\\' && (*(p + 1) == '*' || *(p + 1) == '@')) p += 2; return !*f && !*p; recursive: /* * The "\{" pattern is permitted only after '/' character. * This guarantees that below "*(p - 1)" is safe. * Also, the "\}" pattern is permitted only before '/' character * so that "\{" + "\}" pair will not break the "\-" operator. */ if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' || *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\') return false; /* Bad pattern. */ do { /* Compare current component with pattern. */ if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2, p_delimiter - 2)) break; /* Proceed to next component. */ f = f_delimiter; if (!*f) break; f++; /* Continue comparison. */ if (tomoyo_path_matches_pattern2(f, p_delimiter + 1)) return true; f_delimiter = strchr(f, '/'); } while (f_delimiter); return false; /* Not matched. */ } /** * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern. * * @filename: The filename to check. * @pattern: The pattern to compare. * * Returns true if matches, false otherwise. * * The following patterns are available. * \\ \ itself. * \ooo Octal representation of a byte. * \* Zero or more repetitions of characters other than '/'. * \@ Zero or more repetitions of characters other than '/' or '.'. * \? 1 byte character other than '/'. * \$ One or more repetitions of decimal digits. * \+ 1 decimal digit. * \X One or more repetitions of hexadecimal digits. * \x 1 hexadecimal digit. * \A One or more repetitions of alphabet characters. * \a 1 alphabet character. * * \- Subtraction operator. * * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ * /dir/dir/dir/ ). */ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, const struct tomoyo_path_info *pattern) { const char *f = filename->name; const char *p = pattern->name; const int len = pattern->const_len; /* If @pattern doesn't contain pattern, I can use strcmp(). */ if (!pattern->is_patterned) return !tomoyo_pathcmp(filename, pattern); /* Don't compare directory and non-directory. */ if (filename->is_dir != pattern->is_dir) return false; /* Compare the initial length without patterns. */ if (strncmp(f, p, len)) return false; f += len; p += len; return tomoyo_path_matches_pattern2(f, p); } /** * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure. * * @head: Pointer to "struct tomoyo_io_buffer". * @fmt: The printf()'s format string, followed by parameters. * * Returns true if output was written, false otherwise. * * The snprintf() will truncate, but tomoyo_io_printf() won't. */ bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) { va_list args; int len; int pos = head->read_avail; int size = head->readbuf_size - pos; if (size <= 0) return false; va_start(args, fmt); len = vsnprintf(head->read_buf + pos, size, fmt, args); va_end(args); if (pos + len >= head->readbuf_size) return false; head->read_avail += len; return true; } /** * tomoyo_get_exe - Get tomoyo_realpath() of current process. * * Returns the tomoyo_realpath() of current process on success, NULL otherwise. * * This function uses tomoyo_alloc(), so the caller must call tomoyo_free() * if this function didn't return NULL. */ static const char *tomoyo_get_exe(void) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; const char *cp = NULL; if (!mm) return NULL; down_read(&mm->mmap_sem); for (vma = mm->mmap; vma; vma = vma->vm_next) { if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { cp = tomoyo_realpath_from_path(&vma->vm_file->f_path); break; } } up_read(&mm->mmap_sem); return cp; } /** * tomoyo_get_msg - Get warning message. * * @is_enforce: Is it enforcing mode? * * Returns "ERROR" or "WARNING". */ const char *tomoyo_get_msg(const bool is_enforce) { if (is_enforce) return "ERROR"; else return "WARNING"; } /** * tomoyo_check_flags - Check mode for specified functionality. * * @domain: Pointer to "struct tomoyo_domain_info". * @index: The functionality to check mode. * * TOMOYO checks only process context. * This code disables TOMOYO's enforcement in case the function is called from * interrupt context. */ unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, const u8 index) { const u8 profile = domain->profile; if (WARN_ON(in_interrupt())) return 0; return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX #if TOMOYO_MAX_PROFILES != 256 && profile < TOMOYO_MAX_PROFILES #endif && tomoyo_profile_ptr[profile] ? tomoyo_profile_ptr[profile]->value[index] : 0; } /** * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode. * * @domain: Pointer to "struct tomoyo_domain_info". * * Returns true if domain policy violation warning should be printed to * console. */ bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain) { return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0; } /** * tomoyo_domain_quota_is_ok - Check for domain's quota. * * @domain: Pointer to "struct tomoyo_domain_info". * * Returns true if the domain is not exceeded quota, false otherwise. * * Caller holds tomoyo_read_lock(). */ bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain) { unsigned int count = 0; struct tomoyo_acl_info *ptr; if (!domain) return true; list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { if (ptr->type & TOMOYO_ACL_DELETED) continue; switch (tomoyo_acl_type2(ptr)) { struct tomoyo_single_path_acl_record *acl; u32 perm; u8 i; case TOMOYO_TYPE_SINGLE_PATH_ACL: acl = container_of(ptr, struct tomoyo_single_path_acl_record, head); perm = acl->perm | (((u32) acl->perm_high) << 16); for (i = 0; i < TOMOYO_MAX_SINGLE_PATH_OPERATION; i++) if (perm & (1 << i)) count++; if (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) count -= 2; break; case TOMOYO_TYPE_DOUBLE_PATH_ACL: perm = container_of(ptr, struct tomoyo_double_path_acl_record, head)->perm; for (i = 0; i < TOMOYO_MAX_DOUBLE_PATH_OPERATION; i++) if (perm & (1 << i)) count++; break; } } if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY)) return true; if (!domain->quota_warned) { domain->quota_warned = true; printk(KERN_WARNING "TOMOYO-WARNING: " "Domain '%s' has so many ACLs to hold. " "Stopped learning mode.\n", domain->domainname->name); } return false; } /** * tomoyo_find_or_assign_new_profile - Create a new profile. * * @profile: Profile number to create. * * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. */ static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned int profile) { static DEFINE_MUTEX(lock); struct tomoyo_profile *ptr = NULL; int i; if (profile >= TOMOYO_MAX_PROFILES) return NULL; mutex_lock(&lock); ptr = tomoyo_profile_ptr[profile]; if (ptr) goto ok; ptr = tomoyo_alloc_element(sizeof(*ptr)); if (!ptr) goto ok; for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) ptr->value[i] = tomoyo_control_array[i].current_value; mb(); /* Avoid out-of-order execution. */ tomoyo_profile_ptr[profile] = ptr; ok: mutex_unlock(&lock); return ptr; } /** * tomoyo_write_profile - Write to profile table. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns 0 on success, negative value otherwise. */ static int tomoyo_write_profile(struct tomoyo_io_buffer *head) { char *data = head->write_buf; unsigned int i; unsigned int value; char *cp; struct tomoyo_profile *profile; unsigned long num; cp = strchr(data, '-'); if (cp) *cp = '\0'; if (strict_strtoul(data, 10, &num)) return -EINVAL; if (cp) data = cp + 1; profile = tomoyo_find_or_assign_new_profile(num); if (!profile) return -EINVAL; cp = strchr(data, '='); if (!cp) return -EINVAL; *cp = '\0'; if (!strcmp(data, "COMMENT")) { profile->comment = tomoyo_save_name(cp + 1); return 0; } for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) { if (strcmp(data, tomoyo_control_array[i].keyword)) continue; if (sscanf(cp + 1, "%u", &value) != 1) { int j; const char **modes; switch (i) { case TOMOYO_VERBOSE: modes = tomoyo_mode_2; break; default: modes = tomoyo_mode_4; break; } for (j = 0; j < 4; j++) { if (strcmp(cp + 1, modes[j])) continue; value = j; break; } if (j == 4) return -EINVAL; } else if (value > tomoyo_control_array[i].max_value) { value = tomoyo_control_array[i].max_value; } profile->value[i] = value; return 0; } return -EINVAL; } /** * tomoyo_read_profile - Read from profile table. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns 0. */ static int tomoyo_read_profile(struct tomoyo_io_buffer *head) { static const int total = TOMOYO_MAX_CONTROL_INDEX + 1; int step; if (head->read_eof) return 0; for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total; step++) { const u8 index = step / total; u8 type = step % total; const struct tomoyo_profile *profile = tomoyo_profile_ptr[index]; head->read_step = step; if (!profile) continue; if (!type) { /* Print profile' comment tag. */ if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n", index, profile->comment ? profile->comment->name : "")) break; continue; } type--; if (type < TOMOYO_MAX_CONTROL_INDEX) { const unsigned int value = profile->value[type]; const char **modes = NULL; const char *keyword = tomoyo_control_array[type].keyword; switch (tomoyo_control_array[type].max_value) { case 3: modes = tomoyo_mode_4; break; case 1: modes = tomoyo_mode_2; break; } if (modes) { if (!tomoyo_io_printf(head, "%u-%s=%s\n", index, keyword, modes[value])) break; } else { if (!tomoyo_io_printf(head, "%u-%s=%u\n", index, keyword, value)) break; } } } if (step == TOMOYO_MAX_PROFILES * total) head->read_eof = true; return 0; } /* * tomoyo_policy_manager_entry is a structure which is used for holding list of * domainnames or programs which are permitted to modify configuration via * /sys/kernel/security/tomoyo/ interface. * It has following fields. * * (1) "list" which is linked to tomoyo_policy_manager_list . * (2) "manager" is a domainname or a program's pathname. * (3) "is_domain" is a bool which is true if "manager" is a domainname, false * otherwise. * (4) "is_deleted" is a bool which is true if marked as deleted, false * otherwise. */ struct tomoyo_policy_manager_entry { struct list_head list; /* A path to program or a domainname. */ const struct tomoyo_path_info *manager; bool is_domain; /* True if manager is a domainname. */ bool is_deleted; /* True if this entry is deleted. */ }; /* * tomoyo_policy_manager_list is used for holding list of domainnames or * programs which are permitted to modify configuration via * /sys/kernel/security/tomoyo/ interface. * * An entry is added by * * # echo ' /sbin/mingetty /bin/login /bin/bash' > \ * /sys/kernel/security/tomoyo/manager * (if you want to specify by a domainname) * * or * * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager * (if you want to specify by a program's location) * * and is deleted by * * # echo 'delete /sbin/mingetty /bin/login /bin/bash' > \ * /sys/kernel/security/tomoyo/manager * * or * * # echo 'delete /usr/lib/ccs/editpolicy' > \ * /sys/kernel/security/tomoyo/manager * * and all entries are retrieved by * * # cat /sys/kernel/security/tomoyo/manager */ static LIST_HEAD(tomoyo_policy_manager_list); /** * tomoyo_update_manager_entry - Add a manager entry. * * @manager: The path to manager or the domainnamme. * @is_delete: True if it is a delete request. * * Returns 0 on success, negative value otherwise. * * Caller holds tomoyo_read_lock(). */ static int tomoyo_update_manager_entry(const char *manager, const bool is_delete) { struct tomoyo_policy_manager_entry *new_entry; struct tomoyo_policy_manager_entry *ptr; const struct tomoyo_path_info *saved_manager; int error = -ENOMEM; bool is_domain = false; if (tomoyo_is_domain_def(manager)) { if (!tomoyo_is_correct_domain(manager, __func__)) return -EINVAL; is_domain = true; } else { if (!tomoyo_is_correct_path(manager, 1, -1, -1, __func__)) return -EINVAL; } saved_manager = tomoyo_save_name(manager); if (!saved_manager) return -ENOMEM; mutex_lock(&tomoyo_policy_lock); list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { if (ptr->manager != saved_manager) continue; ptr->is_deleted = is_delete; error = 0; goto out; } if (is_delete) { error = -ENOENT; goto out; } new_entry = tomoyo_alloc_element(sizeof(*new_entry)); if (!new_entry) goto out; new_entry->manager = saved_manager; new_entry->is_domain = is_domain; list_add_tail_rcu(&new_entry->list, &tomoyo_policy_manager_list); error = 0; out: mutex_unlock(&tomoyo_policy_lock); return error; } /** * tomoyo_write_manager_policy - Write manager policy. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns 0 on success, negative value otherwise. * * Caller holds tomoyo_read_lock(). */ static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head) { char *data = head->write_buf; bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); if (!strcmp(data, "manage_by_non_root")) { tomoyo_manage_by_non_root = !is_delete; return 0; } return tomoyo_update_manager_entry(data, is_delete); } /** * tomoyo_read_manager_policy - Read manager policy. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns 0. * * Caller holds tomoyo_read_lock(). */ static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head) { struct list_head *pos; bool done = true; if (head->read_eof) return 0; list_for_each_cookie(pos, head->read_var2, &tomoyo_policy_manager_list) { struct tomoyo_policy_manager_entry *ptr; ptr = list_entry(pos, struct tomoyo_policy_manager_entry, list); if (ptr->is_deleted) continue; done = tomoyo_io_printf(head, "%s\n", ptr->manager->name); if (!done) break; } head->read_eof = done; return 0; } /** * tomoyo_is_policy_manager - Check whether the current process is a policy manager. * * Returns true if the current process is permitted to modify policy * via /sys/kernel/security/tomoyo/ interface. * * Caller holds tomoyo_read_lock(). */ static bool tomoyo_is_policy_manager(void) { struct tomoyo_policy_manager_entry *ptr; const char *exe; const struct task_struct *task = current; const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; bool found = false; if (!tomoyo_policy_loaded) return true; if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) return false; list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { if (!ptr->is_deleted && ptr->is_domain && !tomoyo_pathcmp(domainname, ptr->manager)) { found = true; break; } } if (found) return true; exe = tomoyo_get_exe(); if (!exe) return false; list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) { if (!ptr->is_deleted && !ptr->is_domain && !strcmp(exe, ptr->manager->name)) { found = true; break; } } if (!found) { /* Reduce error messages. */ static pid_t last_pid; const pid_t pid = current->pid; if (last_pid != pid) { printk(KERN_WARNING "%s ( %s ) is not permitted to " "update policies.\n", domainname->name, exe); last_pid = pid; } } tomoyo_free(exe); return found; } /** * tomoyo_is_select_one - Parse select command. * * @head: Pointer to "struct tomoyo_io_buffer". * @data: String to parse. * * Returns true on success, false otherwise. * * Caller holds tomoyo_read_lock(). */ static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head, const char *data) { unsigned int pid; struct tomoyo_domain_info *domain = NULL; if (sscanf(data, "pid=%u", &pid) == 1) { struct task_struct *p; read_lock(&tasklist_lock); p = find_task_by_vpid(pid); if (p) domain = tomoyo_real_domain(p); read_unlock(&tasklist_lock); } else if (!strncmp(data, "domain=", 7)) { if (tomoyo_is_domain_def(data + 7)) domain = tomoyo_find_domain(data + 7); } else return false; head->write_var1 = domain; /* Accessing read_buf is safe because head->io_sem is held. */ if (!head->read_buf) return true; /* Do nothing if open(O_WRONLY). */ head->read_avail = 0; tomoyo_io_printf(head, "# select %s\n", data); head->read_single_domain = true; head->read_eof = !domain; if (domain) { struct tomoyo_domain_info *d; head->read_var1 = NULL; list_for_each_entry_rcu(d, &tomoyo_domain_list, list) { if (d == domain) break; head->read_var1 = &d->list; } head->read_var2 = NULL; head->read_bit = 0; head->read_step = 0; if (domain->is_deleted) tomoyo_io_printf(head, "# This is a deleted domain.\n"); } return true; } /** * tomoyo_delete_domain - Delete a domain. * * @domainname: The name of domain. * * Returns 0. * * Caller holds tomoyo_read_lock(). */ static int tomoyo_delete_domain(char *domainname) { struct tomoyo_domain_info *domain; struct tomoyo_path_info name; name.name = domainname; tomoyo_fill_path_info(&name); mutex_lock(&tomoyo_policy_lock); /* Is there an active domain? */ list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { /* Never delete tomoyo_kernel_domain */ if (domain == &tomoyo_kernel_domain) continue; if (domain->is_deleted || tomoyo_pathcmp(domain->domainname, &name)) continue; domain->is_deleted = true; break; } mutex_unlock(&tomoyo_policy_lock); return 0; } /** * tomoyo_write_domain_policy - Write domain policy. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns 0 on success, negative value otherwise. * * Caller holds tomoyo_read_lock(). */ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) { char *data = head->write_buf; struct tomoyo_domain_info *domain = head->write_var1; bool is_delete = false; bool is_select = false; unsigned int profile; if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE)) is_delete = true; else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT)) is_select = true; if (is_select && tomoyo_is_select_one(head, data)) return 0; /* Don't allow updating policies by non manager programs. */ if (!tomoyo_is_policy_manager()) return -EPERM; if (tomoyo_is_domain_def(data)) { domain = NULL; if (is_delete) tomoyo_delete_domain(data); else if (is_select) domain = tomoyo_find_domain(data); else domain = tomoyo_find_or_assign_new_domain(data, 0); head->write_var1 = domain; return 0; } if (!domain) return -EINVAL; if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1 && profile < TOMOYO_MAX_PROFILES) { if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded) domain->profile = (u8) profile; return 0; } if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) { tomoyo_set_domain_flag(domain, is_delete, TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ); return 0; } return tomoyo_write_file_policy(data, domain, is_delete); } /** * tomoyo_print_single_path_acl - Print a single path ACL entry. * * @head: Pointer to "struct tomoyo_io_buffer". * @ptr: Pointer to "struct tomoyo_single_path_acl_record". * * Returns true on success, false otherwise. */ static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head, struct tomoyo_single_path_acl_record * ptr) { int pos; u8 bit; const char *atmark = ""; const char *filename; const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16); filename = ptr->filename->name; for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION; bit++) { const char *msg; if (!(perm & (1 << bit))) continue; /* Print "read/write" instead of "read" and "write". */ if ((bit == TOMOYO_TYPE_READ_ACL || bit == TOMOYO_TYPE_WRITE_ACL) && (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) continue; msg = tomoyo_sp2keyword(bit); pos = head->read_avail; if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg, atmark, filename)) goto out; } head->read_bit = 0; return true; out: head->read_bit = bit; head->read_avail = pos; return false; } /** * tomoyo_print_double_path_acl - Print a double path ACL entry. * * @head: Pointer to "struct tomoyo_io_buffer". * @ptr: Pointer to "struct tomoyo_double_path_acl_record". * * Returns true on success, false otherwise. */ static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head, struct tomoyo_double_path_acl_record * ptr) { int pos; const char *atmark1 = ""; const char *atmark2 = ""; const char *filename1; const char *filename2; const u8 perm = ptr->perm; u8 bit; filename1 = ptr->filename1->name; filename2 = ptr->filename2->name; for (bit = head->read_bit; bit < TOMOYO_MAX_DOUBLE_PATH_OPERATION; bit++) { const char *msg; if (!(perm & (1 << bit))) continue; msg = tomoyo_dp2keyword(bit); pos = head->read_avail; if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg, atmark1, filename1, atmark2, filename2)) goto out; } head->read_bit = 0; return true; out: head->read_bit = bit; head->read_avail = pos; return false; } /** * tomoyo_print_entry - Print an ACL entry. * * @head: Pointer to "struct tomoyo_io_buffer". * @ptr: Pointer to an ACL entry. * * Returns true on success, false otherwise. */ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, struct tomoyo_acl_info *ptr) { const u8 acl_type = tomoyo_acl_type2(ptr); if (acl_type & TOMOYO_ACL_DELETED) return true; if (acl_type == TOMOYO_TYPE_SINGLE_PATH_ACL) { struct tomoyo_single_path_acl_record *acl = container_of(ptr, struct tomoyo_single_path_acl_record, head); return tomoyo_print_single_path_acl(head, acl); } if (acl_type == TOMOYO_TYPE_DOUBLE_PATH_ACL) { struct tomoyo_double_path_acl_record *acl = container_of(ptr, struct tomoyo_double_path_acl_record, head); return tomoyo_print_double_path_acl(head, acl); } BUG(); /* This must not happen. */ return false; } /** * tomoyo_read_domain_policy - Read domain policy. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns 0. * * Caller holds tomoyo_read_lock(). */ static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head) { struct list_head *dpos; struct list_head *apos; bool done = true; if (head->read_eof) return 0; if (head->read_step == 0) head->read_step = 1; list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) { struct tomoyo_domain_info *domain; const char *quota_exceeded = ""; const char *transition_failed = ""; const char *ignore_global_allow_read = ""; domain = list_entry(dpos, struct tomoyo_domain_info, list); if (head->read_step != 1) goto acl_loop; if (domain->is_deleted && !head->read_single_domain) continue; /* Print domainname and flags. */ if (domain->quota_warned) quota_exceeded = "quota_exceeded\n"; if (domain->flags & TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED) transition_failed = "transition_failed\n"; if (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) ignore_global_allow_read = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE "%u\n%s%s%s\n", domain->domainname->name, domain->profile, quota_exceeded, transition_failed, ignore_global_allow_read); if (!done) break; head->read_step = 2; acl_loop: if (head->read_step == 3) goto tail_mark; /* Print ACL entries in the domain. */ list_for_each_cookie(apos, head->read_var2, &domain->acl_info_list) { struct tomoyo_acl_info *ptr = list_entry(apos, struct tomoyo_acl_info, list); done = tomoyo_print_entry(head, ptr); if (!done) break; } if (!done) break; head->read_step = 3; tail_mark: done = tomoyo_io_printf(head, "\n"); if (!done) break; head->read_step = 1; if (head->read_single_domain) break; } head->read_eof = done; return 0; } /** * tomoyo_write_domain_profile - Assign profile for specified domain. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns 0 on success, -EINVAL otherwise. * * This is equivalent to doing * * ( echo "select " $domainname; echo "use_profile " $profile ) | * /usr/lib/ccs/loadpolicy -d * * Caller holds tomoyo_read_lock(). */ static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head) { char *data = head->write_buf; char *cp = strchr(data, ' '); struct tomoyo_domain_info *domain; unsigned long profile; if (!cp) return -EINVAL; *cp = '\0'; domain = tomoyo_find_domain(cp + 1); if (strict_strtoul(data, 10, &profile)) return -EINVAL; if (domain && profile < TOMOYO_MAX_PROFILES && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)) domain->profile = (u8) profile; return 0; } /** * tomoyo_read_domain_profile - Read only domainname and profile. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns list of profile number and domainname pairs. * * This is equivalent to doing * * grep -A 1 '^' /sys/kernel/security/tomoyo/domain_policy | * awk ' { if ( domainname == "" ) { if ( $1 == "" ) * domainname = $0; } else if ( $1 == "use_profile" ) { * print $2 " " domainname; domainname = ""; } } ; ' * * Caller holds tomoyo_read_lock(). */ static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head) { struct list_head *pos; bool done = true; if (head->read_eof) return 0; list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) { struct tomoyo_domain_info *domain; domain = list_entry(pos, struct tomoyo_domain_info, list); if (domain->is_deleted) continue; done = tomoyo_io_printf(head, "%u %s\n", domain->profile, domain->domainname->name); if (!done) break; } head->read_eof = done; return 0; } /** * tomoyo_write_pid: Specify PID to obtain domainname. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns 0. */ static int tomoyo_write_pid(struct tomoyo_io_buffer *head) { unsigned long pid; /* No error check. */ strict_strtoul(head->write_buf, 10, &pid); head->read_step = (int) pid; head->read_eof = false; return 0; } /** * tomoyo_read_pid - Get domainname of the specified PID. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns the domainname which the specified PID is in on success, * empty string otherwise. * The PID is specified by tomoyo_write_pid() so that the user can obtain * using read()/write() interface rather than sysctl() interface. */ static int tomoyo_read_pid(struct tomoyo_io_buffer *head) { if (head->read_avail == 0 && !head->read_eof) { const int pid = head->read_step; struct task_struct *p; struct tomoyo_domain_info *domain = NULL; read_lock(&tasklist_lock); p = find_task_by_vpid(pid); if (p) domain = tomoyo_real_domain(p); read_unlock(&tasklist_lock); if (domain) tomoyo_io_printf(head, "%d %u %s", pid, domain->profile, domain->domainname->name); head->read_eof = true; } return 0; } /** * tomoyo_write_exception_policy - Write exception policy. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns 0 on success, negative value otherwise. * * Caller holds tomoyo_read_lock(). */ static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head) { char *data = head->write_buf; bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN)) return tomoyo_write_domain_keeper_policy(data, false, is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN)) return tomoyo_write_domain_keeper_policy(data, true, is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN)) return tomoyo_write_domain_initializer_policy(data, false, is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN)) return tomoyo_write_domain_initializer_policy(data, true, is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS)) return tomoyo_write_alias_policy(data, is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ)) return tomoyo_write_globally_readable_policy(data, is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN)) return tomoyo_write_pattern_policy(data, is_delete); if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE)) return tomoyo_write_no_rewrite_policy(data, is_delete); return -EINVAL; } /** * tomoyo_read_exception_policy - Read exception policy. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns 0 on success, -EINVAL otherwise. * * Caller holds tomoyo_read_lock(). */ static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head) { if (!head->read_eof) { switch (head->read_step) { case 0: head->read_var2 = NULL; head->read_step = 1; case 1: if (!tomoyo_read_domain_keeper_policy(head)) break; head->read_var2 = NULL; head->read_step = 2; case 2: if (!tomoyo_read_globally_readable_policy(head)) break; head->read_var2 = NULL; head->read_step = 3; case 3: head->read_var2 = NULL; head->read_step = 4; case 4: if (!tomoyo_read_domain_initializer_policy(head)) break; head->read_var2 = NULL; head->read_step = 5; case 5: if (!tomoyo_read_alias_policy(head)) break; head->read_var2 = NULL; head->read_step = 6; case 6: head->read_var2 = NULL; head->read_step = 7; case 7: if (!tomoyo_read_file_pattern(head)) break; head->read_var2 = NULL; head->read_step = 8; case 8: if (!tomoyo_read_no_rewrite_policy(head)) break; head->read_var2 = NULL; head->read_step = 9; case 9: head->read_eof = true; break; default: return -EINVAL; } } return 0; } /* path to policy loader */ static const char *tomoyo_loader = "/sbin/tomoyo-init"; /** * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists. * * Returns true if /sbin/tomoyo-init exists, false otherwise. */ static bool tomoyo_policy_loader_exists(void) { /* * Don't activate MAC if the policy loader doesn't exist. * If the initrd includes /sbin/init but real-root-dev has not * mounted on / yet, activating MAC will block the system since * policies are not loaded yet. * Thus, let do_execve() call this function everytime. */ struct path path; if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) { printk(KERN_INFO "Not activating Mandatory Access Control now " "since %s doesn't exist.\n", tomoyo_loader); return false; } path_put(&path); return true; } /** * tomoyo_load_policy - Run external policy loader to load policy. * * @filename: The program about to start. * * This function checks whether @filename is /sbin/init , and if so * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init * and then continues invocation of /sbin/init. * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and * writes to /sys/kernel/security/tomoyo/ interfaces. * * Returns nothing. */ void tomoyo_load_policy(const char *filename) { char *argv[2]; char *envp[3]; if (tomoyo_policy_loaded) return; /* * Check filename is /sbin/init or /sbin/tomoyo-start. * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't * be passed. * You can create /sbin/tomoyo-start by * "ln -s /bin/true /sbin/tomoyo-start". */ if (strcmp(filename, "/sbin/init") && strcmp(filename, "/sbin/tomoyo-start")) return; if (!tomoyo_policy_loader_exists()) return; printk(KERN_INFO "Calling %s to load policy. Please wait.\n", tomoyo_loader); argv[0] = (char *) tomoyo_loader; argv[1] = NULL; envp[0] = "HOME=/"; envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin"; envp[2] = NULL; call_usermodehelper(argv[0], argv, envp, 1); printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n"); printk(KERN_INFO "Mandatory Access Control activated.\n"); tomoyo_policy_loaded = true; { /* Check all profiles currently assigned to domains are defined. */ struct tomoyo_domain_info *domain; list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { const u8 profile = domain->profile; if (tomoyo_profile_ptr[profile]) continue; panic("Profile %u (used by '%s') not defined.\n", profile, domain->domainname->name); } } } /** * tomoyo_read_version: Get version. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns version information. */ static int tomoyo_read_version(struct tomoyo_io_buffer *head) { if (!head->read_eof) { tomoyo_io_printf(head, "2.2.0"); head->read_eof = true; } return 0; } /** * tomoyo_read_self_domain - Get the current process's domainname. * * @head: Pointer to "struct tomoyo_io_buffer". * * Returns the current process's domainname. */ static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head) { if (!head->read_eof) { /* * tomoyo_domain()->domainname != NULL * because every process belongs to a domain and * the domain's name cannot be NULL. */ tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); head->read_eof = true; } return 0; } /** * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. * * @type: Type of interface. * @file: Pointer to "struct file". * * Associates policy handler and returns 0 on success, -ENOMEM otherwise. * * Caller acquires tomoyo_read_lock(). */ static int tomoyo_open_control(const u8 type, struct file *file) { struct tomoyo_io_buffer *head = tomoyo_alloc(sizeof(*head)); if (!head) return -ENOMEM; mutex_init(&head->io_sem); switch (type) { case TOMOYO_DOMAINPOLICY: /* /sys/kernel/security/tomoyo/domain_policy */ head->write = tomoyo_write_domain_policy; head->read = tomoyo_read_domain_policy; break; case TOMOYO_EXCEPTIONPOLICY: /* /sys/kernel/security/tomoyo/exception_policy */ head->write = tomoyo_write_exception_policy; head->read = tomoyo_read_exception_policy; break; case TOMOYO_SELFDOMAIN: /* /sys/kernel/security/tomoyo/self_domain */ head->read = tomoyo_read_self_domain; break; case TOMOYO_DOMAIN_STATUS: /* /sys/kernel/security/tomoyo/.domain_status */ head->write = tomoyo_write_domain_profile; head->read = tomoyo_read_domain_profile; break; case TOMOYO_PROCESS_STATUS: /* /sys/kernel/security/tomoyo/.process_status */ head->write = tomoyo_write_pid; head->read = tomoyo_read_pid; break; case TOMOYO_VERSION: /* /sys/kernel/security/tomoyo/version */ head->read = tomoyo_read_version; head->readbuf_size = 128; break; case TOMOYO_MEMINFO: /* /sys/kernel/security/tomoyo/meminfo */ head->write = tomoyo_write_memory_quota; head->read = tomoyo_read_memory_counter; head->readbuf_size = 512; break; case TOMOYO_PROFILE: /* /sys/kernel/security/tomoyo/profile */ head->write = tomoyo_write_profile; head->read = tomoyo_read_profile; break; case TOMOYO_MANAGER: /* /sys/kernel/security/tomoyo/manager */ head->write = tomoyo_write_manager_policy; head->read = tomoyo_read_manager_policy; break; } if (!(file->f_mode & FMODE_READ)) { /* * No need to allocate read_buf since it is not opened * for reading. */ head->read = NULL; } else { if (!head->readbuf_size) head->readbuf_size = 4096 * 2; head->read_buf = tomoyo_alloc(head->readbuf_size); if (!head->read_buf) { tomoyo_free(head); return -ENOMEM; } } if (!(file->f_mode & FMODE_WRITE)) { /* * No need to allocate write_buf since it is not opened * for writing. */ head->write = NULL; } else if (head->write) { head->writebuf_size = 4096 * 2; head->write_buf = tomoyo_alloc(head->writebuf_size); if (!head->write_buf) { tomoyo_free(head->read_buf); tomoyo_free(head); return -ENOMEM; } } head->reader_idx = tomoyo_read_lock(); file->private_data = head; /* * Call the handler now if the file is * /sys/kernel/security/tomoyo/self_domain * so that the user can use * cat < /sys/kernel/security/tomoyo/self_domain" * to know the current process's domainname. */ if (type == TOMOYO_SELFDOMAIN) tomoyo_read_control(file, NULL, 0); return 0; } /** * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. * * @file: Pointer to "struct file". * @buffer: Poiner to buffer to write to. * @buffer_len: Size of @buffer. * * Returns bytes read on success, negative value otherwise. * * Caller holds tomoyo_read_lock(). */ static int tomoyo_read_control(struct file *file, char __user *buffer, const int buffer_len) { int len = 0; struct tomoyo_io_buffer *head = file->private_data; char *cp; if (!head->read) return -ENOSYS; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; /* Call the policy handler. */ len = head->read(head); if (len < 0) goto out; /* Write to buffer. */ len = head->read_avail; if (len > buffer_len) len = buffer_len; if (!len) goto out; /* head->read_buf changes by some functions. */ cp = head->read_buf; if (copy_to_user(buffer, cp, len)) { len = -EFAULT; goto out; } head->read_avail -= len; memmove(cp, cp + len, head->read_avail); out: mutex_unlock(&head->io_sem); return len; } /** * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. * * @file: Pointer to "struct file". * @buffer: Pointer to buffer to read from. * @buffer_len: Size of @buffer. * * Returns @buffer_len on success, negative value otherwise. * * Caller holds tomoyo_read_lock(). */ static int tomoyo_write_control(struct file *file, const char __user *buffer, const int buffer_len) { struct tomoyo_io_buffer *head = file->private_data; int error = buffer_len; int avail_len = buffer_len; char *cp0 = head->write_buf; if (!head->write) return -ENOSYS; if (!access_ok(VERIFY_READ, buffer, buffer_len)) return -EFAULT; /* Don't allow updating policies by non manager programs. */ if (head->write != tomoyo_write_pid && head->write != tomoyo_write_domain_policy && !tomoyo_is_policy_manager()) return -EPERM; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; /* Read a line and dispatch it to the policy handler. */ while (avail_len > 0) { char c; if (head->write_avail >= head->writebuf_size - 1) { error = -ENOMEM; break; } else if (get_user(c, buffer)) { error = -EFAULT; break; } buffer++; avail_len--; cp0[head->write_avail++] = c; if (c != '\n') continue; cp0[head->write_avail - 1] = '\0'; head->write_avail = 0; tomoyo_normalize_line(cp0); head->write(head); } mutex_unlock(&head->io_sem); return error; } /** * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. * * @file: Pointer to "struct file". * * Releases memory and returns 0. * * Caller looses tomoyo_read_lock(). */ static int tomoyo_close_control(struct file *file) { struct tomoyo_io_buffer *head = file->private_data; tomoyo_read_unlock(head->reader_idx); /* Release memory used for policy I/O. */ tomoyo_free(head->read_buf); head->read_buf = NULL; tomoyo_free(head->write_buf); head->write_buf = NULL; tomoyo_free(head); head = NULL; file->private_data = NULL; return 0; } /** * tomoyo_alloc_acl_element - Allocate permanent memory for ACL entry. * * @acl_type: Type of ACL entry. * * Returns pointer to the ACL entry on success, NULL otherwise. */ void *tomoyo_alloc_acl_element(const u8 acl_type) { int len; struct tomoyo_acl_info *ptr; switch (acl_type) { case TOMOYO_TYPE_SINGLE_PATH_ACL: len = sizeof(struct tomoyo_single_path_acl_record); break; case TOMOYO_TYPE_DOUBLE_PATH_ACL: len = sizeof(struct tomoyo_double_path_acl_record); break; default: return NULL; } ptr = tomoyo_alloc_element(len); if (!ptr) return NULL; ptr->type = acl_type; return ptr; } /** * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface. * * @inode: Pointer to "struct inode". * @file: Pointer to "struct file". * * Returns 0 on success, negative value otherwise. */ static int tomoyo_open(struct inode *inode, struct file *file) { const int key = ((u8 *) file->f_path.dentry->d_inode->i_private) - ((u8 *) NULL); return tomoyo_open_control(key, file); } /** * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface. * * @inode: Pointer to "struct inode". * @file: Pointer to "struct file". * * Returns 0 on success, negative value otherwise. */ static int tomoyo_release(struct inode *inode, struct file *file) { return tomoyo_close_control(file); } /** * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface. * * @file: Pointer to "struct file". * @buf: Pointer to buffer. * @count: Size of @buf. * @ppos: Unused. * * Returns bytes read on success, negative value otherwise. */ static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count, loff_t *ppos) { return tomoyo_read_control(file, buf, count); } /** * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface. * * @file: Pointer to "struct file". * @buf: Pointer to buffer. * @count: Size of @buf. * @ppos: Unused. * * Returns @count on success, negative value otherwise. */ static ssize_t tomoyo_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { return tomoyo_write_control(file, buf, count); } /* * tomoyo_operations is a "struct file_operations" which is used for handling * /sys/kernel/security/tomoyo/ interface. * * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR). * See tomoyo_io_buffer for internals. */ static const struct file_operations tomoyo_operations = { .open = tomoyo_open, .release = tomoyo_release, .read = tomoyo_read, .write = tomoyo_write, }; /** * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory. * * @name: The name of the interface file. * @mode: The permission of the interface file. * @parent: The parent directory. * @key: Type of interface. * * Returns nothing. */ static void __init tomoyo_create_entry(const char *name, const mode_t mode, struct dentry *parent, const u8 key) { securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key, &tomoyo_operations); } /** * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface. * * Returns 0. */ static int __init tomoyo_initerface_init(void) { struct dentry *tomoyo_dir; /* Don't create securityfs entries unless registered. */ if (current_cred()->security != &tomoyo_kernel_domain) return 0; tomoyo_dir = securityfs_create_dir("tomoyo", NULL); tomoyo_create_entry("domain_policy", 0600, tomoyo_dir, TOMOYO_DOMAINPOLICY); tomoyo_create_entry("exception_policy", 0600, tomoyo_dir, TOMOYO_EXCEPTIONPOLICY); tomoyo_create_entry("self_domain", 0400, tomoyo_dir, TOMOYO_SELFDOMAIN); tomoyo_create_entry(".domain_status", 0600, tomoyo_dir, TOMOYO_DOMAIN_STATUS); tomoyo_create_entry(".process_status", 0600, tomoyo_dir, TOMOYO_PROCESS_STATUS); tomoyo_create_entry("meminfo", 0600, tomoyo_dir, TOMOYO_MEMINFO); tomoyo_create_entry("profile", 0600, tomoyo_dir, TOMOYO_PROFILE); tomoyo_create_entry("manager", 0600, tomoyo_dir, TOMOYO_MANAGER); tomoyo_create_entry("version", 0400, tomoyo_dir, TOMOYO_VERSION); return 0; } fs_initcall(tomoyo_initerface_init);