2 * security/tomoyo/common.c
4 * Common functions for TOMOYO.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
12 #include <linux/uaccess.h>
13 #include <linux/slab.h>
14 #include <linux/security.h>
15 #include <linux/hardirq.h>
18 /* Lock for protecting policy. */
19 DEFINE_MUTEX(tomoyo_policy_lock
);
21 /* Has loading policy done? */
22 bool tomoyo_policy_loaded
;
24 /* String table for functionality that takes 4 modes. */
25 static const char *tomoyo_mode_4
[4] = {
26 "disabled", "learning", "permissive", "enforcing"
28 /* String table for functionality that takes 2 modes. */
29 static const char *tomoyo_mode_2
[4] = {
30 "disabled", "enabled", "enabled", "enabled"
34 * tomoyo_control_array is a static data which contains
36 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
37 * (2) initial values for "struct tomoyo_profile".
38 * (3) max values for "struct tomoyo_profile".
42 unsigned int current_value
;
43 const unsigned int max_value
;
44 } tomoyo_control_array
[TOMOYO_MAX_CONTROL_INDEX
] = {
45 [TOMOYO_MAC_FOR_FILE
] = { "MAC_FOR_FILE", 0, 3 },
46 [TOMOYO_MAX_ACCEPT_ENTRY
] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX
},
47 [TOMOYO_VERBOSE
] = { "TOMOYO_VERBOSE", 1, 1 },
51 * tomoyo_profile is a structure which is used for holding the mode of access
52 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
53 * An administrator can define up to 256 profiles.
54 * The ->profile of "struct tomoyo_domain_info" is used for remembering
55 * the profile's number (0 - 255) assigned to that domain.
57 static struct tomoyo_profile
{
58 unsigned int value
[TOMOYO_MAX_CONTROL_INDEX
];
59 const struct tomoyo_path_info
*comment
;
60 } *tomoyo_profile_ptr
[TOMOYO_MAX_PROFILES
];
62 /* Permit policy management by non-root user? */
63 static bool tomoyo_manage_by_non_root
;
65 /* Utility functions. */
67 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
68 static int tomoyo_open_control(const u8 type
, struct file
*file
);
69 /* Close /sys/kernel/security/tomoyo/ interface. */
70 static int tomoyo_close_control(struct file
*file
);
71 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
72 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
73 const int buffer_len
);
74 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
75 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
76 const int buffer_len
);
79 * tomoyo_parse_name_union - Parse a tomoyo_name_union.
81 * @filename: Name or name group.
82 * @ptr: Pointer to "struct tomoyo_name_union".
84 * Returns true on success, false otherwise.
86 bool tomoyo_parse_name_union(const char *filename
,
87 struct tomoyo_name_union
*ptr
)
89 if (!tomoyo_is_correct_path(filename
, 0, 0, 0))
91 if (filename
[0] == '@') {
92 ptr
->group
= tomoyo_get_path_group(filename
+ 1);
94 return ptr
->group
!= NULL
;
96 ptr
->filename
= tomoyo_get_name(filename
);
97 ptr
->is_group
= false;
98 return ptr
->filename
!= NULL
;
102 * tomoyo_print_name_union - Print a tomoyo_name_union.
104 * @head: Pointer to "struct tomoyo_io_buffer".
105 * @ptr: Pointer to "struct tomoyo_name_union".
107 * Returns true on success, false otherwise.
109 static bool tomoyo_print_name_union(struct tomoyo_io_buffer
*head
,
110 const struct tomoyo_name_union
*ptr
)
112 int pos
= head
->read_avail
;
113 if (pos
&& head
->read_buf
[pos
- 1] == ' ')
116 return tomoyo_io_printf(head
, " @%s",
117 ptr
->group
->group_name
->name
);
118 return tomoyo_io_printf(head
, " %s", ptr
->filename
->name
);
122 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
124 * @str: Pointer to the string.
126 * Returns true if @str is a \ooo style octal value, false otherwise.
128 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
129 * This function verifies that \ooo is in valid range.
131 static inline bool tomoyo_is_byte_range(const char *str
)
133 return *str
>= '0' && *str
++ <= '3' &&
134 *str
>= '0' && *str
++ <= '7' &&
135 *str
>= '0' && *str
<= '7';
139 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
141 * @c: The character to check.
143 * Returns true if @c is an alphabet character, false otherwise.
145 static inline bool tomoyo_is_alphabet_char(const char c
)
147 return (c
>= 'A' && c
<= 'Z') || (c
>= 'a' && c
<= 'z');
151 * tomoyo_make_byte - Make byte value from three octal characters.
153 * @c1: The first character.
154 * @c2: The second character.
155 * @c3: The third character.
157 * Returns byte value.
159 static inline u8
tomoyo_make_byte(const u8 c1
, const u8 c2
, const u8 c3
)
161 return ((c1
- '0') << 6) + ((c2
- '0') << 3) + (c3
- '0');
165 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
167 * @src: Pointer to pointer to the string.
168 * @find: Pointer to the keyword.
170 * Returns true if @src starts with @find, false otherwise.
172 * The @src is updated to point the first character after the @find
173 * if @src starts with @find.
175 static bool tomoyo_str_starts(char **src
, const char *find
)
177 const int len
= strlen(find
);
180 if (strncmp(tmp
, find
, len
))
188 * tomoyo_normalize_line - Format string.
190 * @buffer: The line to normalize.
192 * Leading and trailing whitespaces are removed.
193 * Multiple whitespaces are packed into single space.
197 static void tomoyo_normalize_line(unsigned char *buffer
)
199 unsigned char *sp
= buffer
;
200 unsigned char *dp
= buffer
;
203 while (tomoyo_is_invalid(*sp
))
209 while (tomoyo_is_valid(*sp
))
211 while (tomoyo_is_invalid(*sp
))
218 * tomoyo_tokenize - Tokenize string.
220 * @buffer: The line to tokenize.
221 * @w: Pointer to "char *".
224 * Returns true on success, false otherwise.
226 bool tomoyo_tokenize(char *buffer
, char *w
[], size_t size
)
228 int count
= size
/ sizeof(char *);
230 for (i
= 0; i
< count
; i
++)
232 for (i
= 0; i
< count
; i
++) {
233 char *cp
= strchr(buffer
, ' ');
241 return i
< count
|| !*buffer
;
245 * tomoyo_is_correct_path - Validate a pathname.
246 * @filename: The pathname to check.
247 * @start_type: Should the pathname start with '/'?
248 * 1 = must / -1 = must not / 0 = don't care
249 * @pattern_type: Can the pathname contain a wildcard?
250 * 1 = must / -1 = must not / 0 = don't care
251 * @end_type: Should the pathname end with '/'?
252 * 1 = must / -1 = must not / 0 = don't care
254 * Check whether the given filename follows the naming rules.
255 * Returns true if @filename follows the naming rules, false otherwise.
257 bool tomoyo_is_correct_path(const char *filename
, const s8 start_type
,
258 const s8 pattern_type
, const s8 end_type
)
260 const char *const start
= filename
;
261 bool in_repetition
= false;
262 bool contains_pattern
= false;
270 if (start_type
== 1) { /* Must start with '/' */
273 } else if (start_type
== -1) { /* Must not start with '/' */
278 c
= *(filename
+ strlen(filename
) - 1);
279 if (end_type
== 1) { /* Must end with '/' */
282 } else if (end_type
== -1) { /* Must not end with '/' */
293 case '\\': /* "\\" */
305 if (pattern_type
== -1)
306 break; /* Must not contain pattern */
307 contains_pattern
= true;
309 case '{': /* "/\{" */
310 if (filename
- 3 < start
||
311 *(filename
- 3) != '/')
313 if (pattern_type
== -1)
314 break; /* Must not contain pattern */
315 contains_pattern
= true;
316 in_repetition
= true;
318 case '}': /* "\}/" */
319 if (*filename
!= '/')
323 in_repetition
= false;
325 case '0': /* "\ooo" */
330 if (d
< '0' || d
> '7')
333 if (e
< '0' || e
> '7')
335 c
= tomoyo_make_byte(c
, d
, e
);
336 if (tomoyo_is_invalid(c
))
337 continue; /* pattern is not \000 */
340 } else if (in_repetition
&& c
== '/') {
342 } else if (tomoyo_is_invalid(c
)) {
346 if (pattern_type
== 1) { /* Must contain pattern */
347 if (!contains_pattern
)
358 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
359 * @domainname: The domainname to check.
361 * Returns true if @domainname follows the naming rules, false otherwise.
363 bool tomoyo_is_correct_domain(const unsigned char *domainname
)
369 if (!domainname
|| strncmp(domainname
, TOMOYO_ROOT_NAME
,
370 TOMOYO_ROOT_NAME_LEN
))
372 domainname
+= TOMOYO_ROOT_NAME_LEN
;
376 if (*domainname
++ != ' ')
378 if (*domainname
++ != '/')
380 while ((c
= *domainname
) != '\0' && c
!= ' ') {
385 case '\\': /* "\\" */
387 case '0': /* "\ooo" */
392 if (d
< '0' || d
> '7')
395 if (e
< '0' || e
> '7')
397 c
= tomoyo_make_byte(c
, d
, e
);
398 if (tomoyo_is_invalid(c
))
399 /* pattern is not \000 */
403 } else if (tomoyo_is_invalid(c
)) {
407 } while (*domainname
);
414 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
416 * @buffer: The token to check.
418 * Returns true if @buffer possibly be a domainname, false otherwise.
420 bool tomoyo_is_domain_def(const unsigned char *buffer
)
422 return !strncmp(buffer
, TOMOYO_ROOT_NAME
, TOMOYO_ROOT_NAME_LEN
);
426 * tomoyo_find_domain - Find a domain by the given name.
428 * @domainname: The domainname to find.
430 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
432 * Caller holds tomoyo_read_lock().
434 struct tomoyo_domain_info
*tomoyo_find_domain(const char *domainname
)
436 struct tomoyo_domain_info
*domain
;
437 struct tomoyo_path_info name
;
439 name
.name
= domainname
;
440 tomoyo_fill_path_info(&name
);
441 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
442 if (!domain
->is_deleted
&&
443 !tomoyo_pathcmp(&name
, domain
->domainname
))
450 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
452 * @filename: The string to evaluate.
454 * Returns the initial length without a pattern in @filename.
456 static int tomoyo_const_part_length(const char *filename
)
463 while ((c
= *filename
++) != '\0') {
470 case '\\': /* "\\" */
473 case '0': /* "\ooo" */
478 if (c
< '0' || c
> '7')
481 if (c
< '0' || c
> '7')
492 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
494 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
496 * The caller sets "struct tomoyo_path_info"->name.
498 void tomoyo_fill_path_info(struct tomoyo_path_info
*ptr
)
500 const char *name
= ptr
->name
;
501 const int len
= strlen(name
);
503 ptr
->const_len
= tomoyo_const_part_length(name
);
504 ptr
->is_dir
= len
&& (name
[len
- 1] == '/');
505 ptr
->is_patterned
= (ptr
->const_len
< len
);
506 ptr
->hash
= full_name_hash(name
, len
);
510 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
513 * @filename: The start of string to check.
514 * @filename_end: The end of string to check.
515 * @pattern: The start of pattern to compare.
516 * @pattern_end: The end of pattern to compare.
518 * Returns true if @filename matches @pattern, false otherwise.
520 static bool tomoyo_file_matches_pattern2(const char *filename
,
521 const char *filename_end
,
523 const char *pattern_end
)
525 while (filename
< filename_end
&& pattern
< pattern_end
) {
527 if (*pattern
!= '\\') {
528 if (*filename
++ != *pattern
++)
540 } else if (c
== '\\') {
541 if (filename
[1] == '\\')
543 else if (tomoyo_is_byte_range(filename
+ 1))
552 if (*++filename
!= '\\')
564 if (!tomoyo_is_alphabet_char(c
))
571 if (c
== '\\' && tomoyo_is_byte_range(filename
+ 1)
572 && strncmp(filename
+ 1, pattern
, 3) == 0) {
577 return false; /* Not matched. */
580 for (i
= 0; i
<= filename_end
- filename
; i
++) {
581 if (tomoyo_file_matches_pattern2(
582 filename
+ i
, filename_end
,
583 pattern
+ 1, pattern_end
))
586 if (c
== '.' && *pattern
== '@')
590 if (filename
[i
+ 1] == '\\')
592 else if (tomoyo_is_byte_range(filename
+ i
+ 1))
595 break; /* Bad pattern. */
597 return false; /* Not matched. */
602 while (isdigit(filename
[j
]))
604 } else if (c
== 'X') {
605 while (isxdigit(filename
[j
]))
607 } else if (c
== 'A') {
608 while (tomoyo_is_alphabet_char(filename
[j
]))
611 for (i
= 1; i
<= j
; i
++) {
612 if (tomoyo_file_matches_pattern2(
613 filename
+ i
, filename_end
,
614 pattern
+ 1, pattern_end
))
617 return false; /* Not matched or bad pattern. */
622 while (*pattern
== '\\' &&
623 (*(pattern
+ 1) == '*' || *(pattern
+ 1) == '@'))
625 return filename
== filename_end
&& pattern
== pattern_end
;
629 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
631 * @filename: The start of string to check.
632 * @filename_end: The end of string to check.
633 * @pattern: The start of pattern to compare.
634 * @pattern_end: The end of pattern to compare.
636 * Returns true if @filename matches @pattern, false otherwise.
638 static bool tomoyo_file_matches_pattern(const char *filename
,
639 const char *filename_end
,
641 const char *pattern_end
)
643 const char *pattern_start
= pattern
;
647 while (pattern
< pattern_end
- 1) {
648 /* Split at "\-" pattern. */
649 if (*pattern
++ != '\\' || *pattern
++ != '-')
651 result
= tomoyo_file_matches_pattern2(filename
,
660 pattern_start
= pattern
;
662 result
= tomoyo_file_matches_pattern2(filename
, filename_end
,
663 pattern_start
, pattern_end
);
664 return first
? result
: !result
;
668 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
670 * @f: The start of string to check.
671 * @p: The start of pattern to compare.
673 * Returns true if @f matches @p, false otherwise.
675 static bool tomoyo_path_matches_pattern2(const char *f
, const char *p
)
677 const char *f_delimiter
;
678 const char *p_delimiter
;
681 f_delimiter
= strchr(f
, '/');
683 f_delimiter
= f
+ strlen(f
);
684 p_delimiter
= strchr(p
, '/');
686 p_delimiter
= p
+ strlen(p
);
687 if (*p
== '\\' && *(p
+ 1) == '{')
689 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
,
699 /* Ignore trailing "\*" and "\@" in @pattern. */
701 (*(p
+ 1) == '*' || *(p
+ 1) == '@'))
706 * The "\{" pattern is permitted only after '/' character.
707 * This guarantees that below "*(p - 1)" is safe.
708 * Also, the "\}" pattern is permitted only before '/' character
709 * so that "\{" + "\}" pair will not break the "\-" operator.
711 if (*(p
- 1) != '/' || p_delimiter
<= p
+ 3 || *p_delimiter
!= '/' ||
712 *(p_delimiter
- 1) != '}' || *(p_delimiter
- 2) != '\\')
713 return false; /* Bad pattern. */
715 /* Compare current component with pattern. */
716 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
+ 2,
719 /* Proceed to next component. */
724 /* Continue comparison. */
725 if (tomoyo_path_matches_pattern2(f
, p_delimiter
+ 1))
727 f_delimiter
= strchr(f
, '/');
728 } while (f_delimiter
);
729 return false; /* Not matched. */
733 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
735 * @filename: The filename to check.
736 * @pattern: The pattern to compare.
738 * Returns true if matches, false otherwise.
740 * The following patterns are available.
742 * \ooo Octal representation of a byte.
743 * \* Zero or more repetitions of characters other than '/'.
744 * \@ Zero or more repetitions of characters other than '/' or '.'.
745 * \? 1 byte character other than '/'.
746 * \$ One or more repetitions of decimal digits.
747 * \+ 1 decimal digit.
748 * \X One or more repetitions of hexadecimal digits.
749 * \x 1 hexadecimal digit.
750 * \A One or more repetitions of alphabet characters.
751 * \a 1 alphabet character.
753 * \- Subtraction operator.
755 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
758 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info
*filename
,
759 const struct tomoyo_path_info
*pattern
)
761 const char *f
= filename
->name
;
762 const char *p
= pattern
->name
;
763 const int len
= pattern
->const_len
;
765 /* If @pattern doesn't contain pattern, I can use strcmp(). */
766 if (!pattern
->is_patterned
)
767 return !tomoyo_pathcmp(filename
, pattern
);
768 /* Don't compare directory and non-directory. */
769 if (filename
->is_dir
!= pattern
->is_dir
)
771 /* Compare the initial length without patterns. */
772 if (strncmp(f
, p
, len
))
776 return tomoyo_path_matches_pattern2(f
, p
);
780 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
782 * @head: Pointer to "struct tomoyo_io_buffer".
783 * @fmt: The printf()'s format string, followed by parameters.
785 * Returns true if output was written, false otherwise.
787 * The snprintf() will truncate, but tomoyo_io_printf() won't.
789 bool tomoyo_io_printf(struct tomoyo_io_buffer
*head
, const char *fmt
, ...)
793 int pos
= head
->read_avail
;
794 int size
= head
->readbuf_size
- pos
;
799 len
= vsnprintf(head
->read_buf
+ pos
, size
, fmt
, args
);
801 if (pos
+ len
>= head
->readbuf_size
)
803 head
->read_avail
+= len
;
808 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
810 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
812 * This function uses kzalloc(), so the caller must call kfree()
813 * if this function didn't return NULL.
815 static const char *tomoyo_get_exe(void)
817 struct mm_struct
*mm
= current
->mm
;
818 struct vm_area_struct
*vma
;
819 const char *cp
= NULL
;
823 down_read(&mm
->mmap_sem
);
824 for (vma
= mm
->mmap
; vma
; vma
= vma
->vm_next
) {
825 if ((vma
->vm_flags
& VM_EXECUTABLE
) && vma
->vm_file
) {
826 cp
= tomoyo_realpath_from_path(&vma
->vm_file
->f_path
);
830 up_read(&mm
->mmap_sem
);
835 * tomoyo_get_msg - Get warning message.
837 * @is_enforce: Is it enforcing mode?
839 * Returns "ERROR" or "WARNING".
841 const char *tomoyo_get_msg(const bool is_enforce
)
850 * tomoyo_check_flags - Check mode for specified functionality.
852 * @domain: Pointer to "struct tomoyo_domain_info".
853 * @index: The functionality to check mode.
855 * TOMOYO checks only process context.
856 * This code disables TOMOYO's enforcement in case the function is called from
859 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info
*domain
,
862 const u8 profile
= domain
->profile
;
864 if (WARN_ON(in_interrupt()))
866 return tomoyo_policy_loaded
&& index
< TOMOYO_MAX_CONTROL_INDEX
867 #if TOMOYO_MAX_PROFILES != 256
868 && profile
< TOMOYO_MAX_PROFILES
870 && tomoyo_profile_ptr
[profile
] ?
871 tomoyo_profile_ptr
[profile
]->value
[index
] : 0;
875 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
877 * @domain: Pointer to "struct tomoyo_domain_info".
879 * Returns true if domain policy violation warning should be printed to
882 bool tomoyo_verbose_mode(const struct tomoyo_domain_info
*domain
)
884 return tomoyo_check_flags(domain
, TOMOYO_VERBOSE
) != 0;
888 * tomoyo_domain_quota_is_ok - Check for domain's quota.
890 * @domain: Pointer to "struct tomoyo_domain_info".
892 * Returns true if the domain is not exceeded quota, false otherwise.
894 * Caller holds tomoyo_read_lock().
896 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info
* const domain
)
898 unsigned int count
= 0;
899 struct tomoyo_acl_info
*ptr
;
903 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
905 struct tomoyo_path_acl
*acl
;
908 case TOMOYO_TYPE_PATH_ACL
:
909 acl
= container_of(ptr
, struct tomoyo_path_acl
, head
);
910 perm
= acl
->perm
| (((u32
) acl
->perm_high
) << 16);
911 for (i
= 0; i
< TOMOYO_MAX_PATH_OPERATION
; i
++)
914 if (perm
& (1 << TOMOYO_TYPE_READ_WRITE
))
917 case TOMOYO_TYPE_PATH2_ACL
:
918 perm
= container_of(ptr
, struct tomoyo_path2_acl
, head
)
920 for (i
= 0; i
< TOMOYO_MAX_PATH2_OPERATION
; i
++)
926 if (count
< tomoyo_check_flags(domain
, TOMOYO_MAX_ACCEPT_ENTRY
))
928 if (!domain
->quota_warned
) {
929 domain
->quota_warned
= true;
930 printk(KERN_WARNING
"TOMOYO-WARNING: "
931 "Domain '%s' has so many ACLs to hold. "
932 "Stopped learning mode.\n", domain
->domainname
->name
);
938 * tomoyo_find_or_assign_new_profile - Create a new profile.
940 * @profile: Profile number to create.
942 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
944 static struct tomoyo_profile
*tomoyo_find_or_assign_new_profile(const unsigned
947 struct tomoyo_profile
*ptr
= NULL
;
950 if (profile
>= TOMOYO_MAX_PROFILES
)
952 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
954 ptr
= tomoyo_profile_ptr
[profile
];
957 ptr
= kmalloc(sizeof(*ptr
), GFP_NOFS
);
958 if (!tomoyo_memory_ok(ptr
)) {
963 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++)
964 ptr
->value
[i
] = tomoyo_control_array
[i
].current_value
;
965 mb(); /* Avoid out-of-order execution. */
966 tomoyo_profile_ptr
[profile
] = ptr
;
968 mutex_unlock(&tomoyo_policy_lock
);
973 * tomoyo_write_profile - Write to profile table.
975 * @head: Pointer to "struct tomoyo_io_buffer".
977 * Returns 0 on success, negative value otherwise.
979 static int tomoyo_write_profile(struct tomoyo_io_buffer
*head
)
981 char *data
= head
->write_buf
;
985 struct tomoyo_profile
*profile
;
988 cp
= strchr(data
, '-');
991 if (strict_strtoul(data
, 10, &num
))
995 profile
= tomoyo_find_or_assign_new_profile(num
);
998 cp
= strchr(data
, '=');
1002 if (!strcmp(data
, "COMMENT")) {
1003 const struct tomoyo_path_info
*old_comment
= profile
->comment
;
1004 profile
->comment
= tomoyo_get_name(cp
+ 1);
1005 tomoyo_put_name(old_comment
);
1008 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++) {
1009 if (strcmp(data
, tomoyo_control_array
[i
].keyword
))
1011 if (sscanf(cp
+ 1, "%u", &value
) != 1) {
1015 case TOMOYO_VERBOSE
:
1016 modes
= tomoyo_mode_2
;
1019 modes
= tomoyo_mode_4
;
1022 for (j
= 0; j
< 4; j
++) {
1023 if (strcmp(cp
+ 1, modes
[j
]))
1030 } else if (value
> tomoyo_control_array
[i
].max_value
) {
1031 value
= tomoyo_control_array
[i
].max_value
;
1033 profile
->value
[i
] = value
;
1040 * tomoyo_read_profile - Read from profile table.
1042 * @head: Pointer to "struct tomoyo_io_buffer".
1046 static int tomoyo_read_profile(struct tomoyo_io_buffer
*head
)
1048 static const int total
= TOMOYO_MAX_CONTROL_INDEX
+ 1;
1053 for (step
= head
->read_step
; step
< TOMOYO_MAX_PROFILES
* total
;
1055 const u8 index
= step
/ total
;
1056 u8 type
= step
% total
;
1057 const struct tomoyo_profile
*profile
1058 = tomoyo_profile_ptr
[index
];
1059 head
->read_step
= step
;
1062 if (!type
) { /* Print profile' comment tag. */
1063 if (!tomoyo_io_printf(head
, "%u-COMMENT=%s\n",
1064 index
, profile
->comment
?
1065 profile
->comment
->name
: ""))
1070 if (type
< TOMOYO_MAX_CONTROL_INDEX
) {
1071 const unsigned int value
= profile
->value
[type
];
1072 const char **modes
= NULL
;
1074 = tomoyo_control_array
[type
].keyword
;
1075 switch (tomoyo_control_array
[type
].max_value
) {
1077 modes
= tomoyo_mode_4
;
1080 modes
= tomoyo_mode_2
;
1084 if (!tomoyo_io_printf(head
, "%u-%s=%s\n", index
,
1085 keyword
, modes
[value
]))
1088 if (!tomoyo_io_printf(head
, "%u-%s=%u\n", index
,
1094 if (step
== TOMOYO_MAX_PROFILES
* total
)
1095 head
->read_eof
= true;
1100 * tomoyo_policy_manager_list is used for holding list of domainnames or
1101 * programs which are permitted to modify configuration via
1102 * /sys/kernel/security/tomoyo/ interface.
1104 * An entry is added by
1106 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1107 * /sys/kernel/security/tomoyo/manager
1108 * (if you want to specify by a domainname)
1112 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1113 * (if you want to specify by a program's location)
1117 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1118 * /sys/kernel/security/tomoyo/manager
1122 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1123 * /sys/kernel/security/tomoyo/manager
1125 * and all entries are retrieved by
1127 * # cat /sys/kernel/security/tomoyo/manager
1129 LIST_HEAD(tomoyo_policy_manager_list
);
1132 * tomoyo_update_manager_entry - Add a manager entry.
1134 * @manager: The path to manager or the domainnamme.
1135 * @is_delete: True if it is a delete request.
1137 * Returns 0 on success, negative value otherwise.
1139 * Caller holds tomoyo_read_lock().
1141 static int tomoyo_update_manager_entry(const char *manager
,
1142 const bool is_delete
)
1144 struct tomoyo_policy_manager_entry
*ptr
;
1145 struct tomoyo_policy_manager_entry e
= { };
1146 int error
= is_delete
? -ENOENT
: -ENOMEM
;
1148 if (tomoyo_is_domain_def(manager
)) {
1149 if (!tomoyo_is_correct_domain(manager
))
1153 if (!tomoyo_is_correct_path(manager
, 1, -1, -1))
1156 e
.manager
= tomoyo_get_name(manager
);
1159 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
1161 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1162 if (ptr
->manager
!= e
.manager
)
1164 ptr
->is_deleted
= is_delete
;
1168 if (!is_delete
&& error
) {
1169 struct tomoyo_policy_manager_entry
*entry
=
1170 tomoyo_commit_ok(&e
, sizeof(e
));
1172 list_add_tail_rcu(&entry
->list
,
1173 &tomoyo_policy_manager_list
);
1177 mutex_unlock(&tomoyo_policy_lock
);
1179 tomoyo_put_name(e
.manager
);
1184 * tomoyo_write_manager_policy - Write manager policy.
1186 * @head: Pointer to "struct tomoyo_io_buffer".
1188 * Returns 0 on success, negative value otherwise.
1190 * Caller holds tomoyo_read_lock().
1192 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer
*head
)
1194 char *data
= head
->write_buf
;
1195 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1197 if (!strcmp(data
, "manage_by_non_root")) {
1198 tomoyo_manage_by_non_root
= !is_delete
;
1201 return tomoyo_update_manager_entry(data
, is_delete
);
1205 * tomoyo_read_manager_policy - Read manager policy.
1207 * @head: Pointer to "struct tomoyo_io_buffer".
1211 * Caller holds tomoyo_read_lock().
1213 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer
*head
)
1215 struct list_head
*pos
;
1220 list_for_each_cookie(pos
, head
->read_var2
,
1221 &tomoyo_policy_manager_list
) {
1222 struct tomoyo_policy_manager_entry
*ptr
;
1223 ptr
= list_entry(pos
, struct tomoyo_policy_manager_entry
,
1225 if (ptr
->is_deleted
)
1227 done
= tomoyo_io_printf(head
, "%s\n", ptr
->manager
->name
);
1231 head
->read_eof
= done
;
1236 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1238 * Returns true if the current process is permitted to modify policy
1239 * via /sys/kernel/security/tomoyo/ interface.
1241 * Caller holds tomoyo_read_lock().
1243 static bool tomoyo_is_policy_manager(void)
1245 struct tomoyo_policy_manager_entry
*ptr
;
1247 const struct task_struct
*task
= current
;
1248 const struct tomoyo_path_info
*domainname
= tomoyo_domain()->domainname
;
1251 if (!tomoyo_policy_loaded
)
1253 if (!tomoyo_manage_by_non_root
&& (task
->cred
->uid
|| task
->cred
->euid
))
1255 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1256 if (!ptr
->is_deleted
&& ptr
->is_domain
1257 && !tomoyo_pathcmp(domainname
, ptr
->manager
)) {
1264 exe
= tomoyo_get_exe();
1267 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1268 if (!ptr
->is_deleted
&& !ptr
->is_domain
1269 && !strcmp(exe
, ptr
->manager
->name
)) {
1274 if (!found
) { /* Reduce error messages. */
1275 static pid_t last_pid
;
1276 const pid_t pid
= current
->pid
;
1277 if (last_pid
!= pid
) {
1278 printk(KERN_WARNING
"%s ( %s ) is not permitted to "
1279 "update policies.\n", domainname
->name
, exe
);
1288 * tomoyo_is_select_one - Parse select command.
1290 * @head: Pointer to "struct tomoyo_io_buffer".
1291 * @data: String to parse.
1293 * Returns true on success, false otherwise.
1295 * Caller holds tomoyo_read_lock().
1297 static bool tomoyo_is_select_one(struct tomoyo_io_buffer
*head
,
1301 struct tomoyo_domain_info
*domain
= NULL
;
1303 if (sscanf(data
, "pid=%u", &pid
) == 1) {
1304 struct task_struct
*p
;
1306 read_lock(&tasklist_lock
);
1307 p
= find_task_by_vpid(pid
);
1309 domain
= tomoyo_real_domain(p
);
1310 read_unlock(&tasklist_lock
);
1312 } else if (!strncmp(data
, "domain=", 7)) {
1313 if (tomoyo_is_domain_def(data
+ 7))
1314 domain
= tomoyo_find_domain(data
+ 7);
1317 head
->write_var1
= domain
;
1318 /* Accessing read_buf is safe because head->io_sem is held. */
1319 if (!head
->read_buf
)
1320 return true; /* Do nothing if open(O_WRONLY). */
1321 head
->read_avail
= 0;
1322 tomoyo_io_printf(head
, "# select %s\n", data
);
1323 head
->read_single_domain
= true;
1324 head
->read_eof
= !domain
;
1326 struct tomoyo_domain_info
*d
;
1327 head
->read_var1
= NULL
;
1328 list_for_each_entry_rcu(d
, &tomoyo_domain_list
, list
) {
1331 head
->read_var1
= &d
->list
;
1333 head
->read_var2
= NULL
;
1335 head
->read_step
= 0;
1336 if (domain
->is_deleted
)
1337 tomoyo_io_printf(head
, "# This is a deleted domain.\n");
1343 * tomoyo_delete_domain - Delete a domain.
1345 * @domainname: The name of domain.
1349 * Caller holds tomoyo_read_lock().
1351 static int tomoyo_delete_domain(char *domainname
)
1353 struct tomoyo_domain_info
*domain
;
1354 struct tomoyo_path_info name
;
1356 name
.name
= domainname
;
1357 tomoyo_fill_path_info(&name
);
1358 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
1360 /* Is there an active domain? */
1361 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1362 /* Never delete tomoyo_kernel_domain */
1363 if (domain
== &tomoyo_kernel_domain
)
1365 if (domain
->is_deleted
||
1366 tomoyo_pathcmp(domain
->domainname
, &name
))
1368 domain
->is_deleted
= true;
1371 mutex_unlock(&tomoyo_policy_lock
);
1376 * tomoyo_write_domain_policy - Write domain policy.
1378 * @head: Pointer to "struct tomoyo_io_buffer".
1380 * Returns 0 on success, negative value otherwise.
1382 * Caller holds tomoyo_read_lock().
1384 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer
*head
)
1386 char *data
= head
->write_buf
;
1387 struct tomoyo_domain_info
*domain
= head
->write_var1
;
1388 bool is_delete
= false;
1389 bool is_select
= false;
1390 unsigned int profile
;
1392 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
))
1394 else if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_SELECT
))
1396 if (is_select
&& tomoyo_is_select_one(head
, data
))
1398 /* Don't allow updating policies by non manager programs. */
1399 if (!tomoyo_is_policy_manager())
1401 if (tomoyo_is_domain_def(data
)) {
1404 tomoyo_delete_domain(data
);
1406 domain
= tomoyo_find_domain(data
);
1408 domain
= tomoyo_find_or_assign_new_domain(data
, 0);
1409 head
->write_var1
= domain
;
1415 if (sscanf(data
, TOMOYO_KEYWORD_USE_PROFILE
"%u", &profile
) == 1
1416 && profile
< TOMOYO_MAX_PROFILES
) {
1417 if (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
)
1418 domain
->profile
= (u8
) profile
;
1421 if (!strcmp(data
, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
)) {
1422 domain
->ignore_global_allow_read
= !is_delete
;
1425 return tomoyo_write_file_policy(data
, domain
, is_delete
);
1429 * tomoyo_print_path_acl - Print a single path ACL entry.
1431 * @head: Pointer to "struct tomoyo_io_buffer".
1432 * @ptr: Pointer to "struct tomoyo_path_acl".
1434 * Returns true on success, false otherwise.
1436 static bool tomoyo_print_path_acl(struct tomoyo_io_buffer
*head
,
1437 struct tomoyo_path_acl
*ptr
)
1441 const u32 perm
= ptr
->perm
| (((u32
) ptr
->perm_high
) << 16);
1443 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_PATH_OPERATION
; bit
++) {
1444 if (!(perm
& (1 << bit
)))
1446 /* Print "read/write" instead of "read" and "write". */
1447 if ((bit
== TOMOYO_TYPE_READ
|| bit
== TOMOYO_TYPE_WRITE
)
1448 && (perm
& (1 << TOMOYO_TYPE_READ_WRITE
)))
1450 pos
= head
->read_avail
;
1451 if (!tomoyo_io_printf(head
, "allow_%s ",
1452 tomoyo_path2keyword(bit
)) ||
1453 !tomoyo_print_name_union(head
, &ptr
->name
) ||
1454 !tomoyo_io_printf(head
, "\n"))
1460 head
->read_bit
= bit
;
1461 head
->read_avail
= pos
;
1466 * tomoyo_print_path2_acl - Print a double path ACL entry.
1468 * @head: Pointer to "struct tomoyo_io_buffer".
1469 * @ptr: Pointer to "struct tomoyo_path2_acl".
1471 * Returns true on success, false otherwise.
1473 static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer
*head
,
1474 struct tomoyo_path2_acl
*ptr
)
1477 const u8 perm
= ptr
->perm
;
1480 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_PATH2_OPERATION
; bit
++) {
1481 if (!(perm
& (1 << bit
)))
1483 pos
= head
->read_avail
;
1484 if (!tomoyo_io_printf(head
, "allow_%s ",
1485 tomoyo_path22keyword(bit
)) ||
1486 !tomoyo_print_name_union(head
, &ptr
->name1
) ||
1487 !tomoyo_print_name_union(head
, &ptr
->name2
) ||
1488 !tomoyo_io_printf(head
, "\n"))
1494 head
->read_bit
= bit
;
1495 head
->read_avail
= pos
;
1500 * tomoyo_print_entry - Print an ACL entry.
1502 * @head: Pointer to "struct tomoyo_io_buffer".
1503 * @ptr: Pointer to an ACL entry.
1505 * Returns true on success, false otherwise.
1507 static bool tomoyo_print_entry(struct tomoyo_io_buffer
*head
,
1508 struct tomoyo_acl_info
*ptr
)
1510 const u8 acl_type
= ptr
->type
;
1512 if (acl_type
== TOMOYO_TYPE_PATH_ACL
) {
1513 struct tomoyo_path_acl
*acl
1514 = container_of(ptr
, struct tomoyo_path_acl
, head
);
1515 return tomoyo_print_path_acl(head
, acl
);
1517 if (acl_type
== TOMOYO_TYPE_PATH2_ACL
) {
1518 struct tomoyo_path2_acl
*acl
1519 = container_of(ptr
, struct tomoyo_path2_acl
, head
);
1520 return tomoyo_print_path2_acl(head
, acl
);
1522 BUG(); /* This must not happen. */
1527 * tomoyo_read_domain_policy - Read domain policy.
1529 * @head: Pointer to "struct tomoyo_io_buffer".
1533 * Caller holds tomoyo_read_lock().
1535 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer
*head
)
1537 struct list_head
*dpos
;
1538 struct list_head
*apos
;
1543 if (head
->read_step
== 0)
1544 head
->read_step
= 1;
1545 list_for_each_cookie(dpos
, head
->read_var1
, &tomoyo_domain_list
) {
1546 struct tomoyo_domain_info
*domain
;
1547 const char *quota_exceeded
= "";
1548 const char *transition_failed
= "";
1549 const char *ignore_global_allow_read
= "";
1550 domain
= list_entry(dpos
, struct tomoyo_domain_info
, list
);
1551 if (head
->read_step
!= 1)
1553 if (domain
->is_deleted
&& !head
->read_single_domain
)
1555 /* Print domainname and flags. */
1556 if (domain
->quota_warned
)
1557 quota_exceeded
= "quota_exceeded\n";
1558 if (domain
->transition_failed
)
1559 transition_failed
= "transition_failed\n";
1560 if (domain
->ignore_global_allow_read
)
1561 ignore_global_allow_read
1562 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
"\n";
1563 done
= tomoyo_io_printf(head
, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1565 domain
->domainname
->name
,
1566 domain
->profile
, quota_exceeded
,
1568 ignore_global_allow_read
);
1571 head
->read_step
= 2;
1573 if (head
->read_step
== 3)
1575 /* Print ACL entries in the domain. */
1576 list_for_each_cookie(apos
, head
->read_var2
,
1577 &domain
->acl_info_list
) {
1578 struct tomoyo_acl_info
*ptr
1579 = list_entry(apos
, struct tomoyo_acl_info
,
1581 done
= tomoyo_print_entry(head
, ptr
);
1587 head
->read_step
= 3;
1589 done
= tomoyo_io_printf(head
, "\n");
1592 head
->read_step
= 1;
1593 if (head
->read_single_domain
)
1596 head
->read_eof
= done
;
1601 * tomoyo_write_domain_profile - Assign profile for specified domain.
1603 * @head: Pointer to "struct tomoyo_io_buffer".
1605 * Returns 0 on success, -EINVAL otherwise.
1607 * This is equivalent to doing
1609 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1610 * /usr/lib/ccs/loadpolicy -d
1612 * Caller holds tomoyo_read_lock().
1614 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer
*head
)
1616 char *data
= head
->write_buf
;
1617 char *cp
= strchr(data
, ' ');
1618 struct tomoyo_domain_info
*domain
;
1619 unsigned long profile
;
1624 domain
= tomoyo_find_domain(cp
+ 1);
1625 if (strict_strtoul(data
, 10, &profile
))
1627 if (domain
&& profile
< TOMOYO_MAX_PROFILES
1628 && (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
))
1629 domain
->profile
= (u8
) profile
;
1634 * tomoyo_read_domain_profile - Read only domainname and profile.
1636 * @head: Pointer to "struct tomoyo_io_buffer".
1638 * Returns list of profile number and domainname pairs.
1640 * This is equivalent to doing
1642 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1643 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1644 * domainname = $0; } else if ( $1 == "use_profile" ) {
1645 * print $2 " " domainname; domainname = ""; } } ; '
1647 * Caller holds tomoyo_read_lock().
1649 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer
*head
)
1651 struct list_head
*pos
;
1656 list_for_each_cookie(pos
, head
->read_var1
, &tomoyo_domain_list
) {
1657 struct tomoyo_domain_info
*domain
;
1658 domain
= list_entry(pos
, struct tomoyo_domain_info
, list
);
1659 if (domain
->is_deleted
)
1661 done
= tomoyo_io_printf(head
, "%u %s\n", domain
->profile
,
1662 domain
->domainname
->name
);
1666 head
->read_eof
= done
;
1671 * tomoyo_write_pid: Specify PID to obtain domainname.
1673 * @head: Pointer to "struct tomoyo_io_buffer".
1677 static int tomoyo_write_pid(struct tomoyo_io_buffer
*head
)
1680 /* No error check. */
1681 strict_strtoul(head
->write_buf
, 10, &pid
);
1682 head
->read_step
= (int) pid
;
1683 head
->read_eof
= false;
1688 * tomoyo_read_pid - Get domainname of the specified PID.
1690 * @head: Pointer to "struct tomoyo_io_buffer".
1692 * Returns the domainname which the specified PID is in on success,
1693 * empty string otherwise.
1694 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1695 * using read()/write() interface rather than sysctl() interface.
1697 static int tomoyo_read_pid(struct tomoyo_io_buffer
*head
)
1699 if (head
->read_avail
== 0 && !head
->read_eof
) {
1700 const int pid
= head
->read_step
;
1701 struct task_struct
*p
;
1702 struct tomoyo_domain_info
*domain
= NULL
;
1704 read_lock(&tasklist_lock
);
1705 p
= find_task_by_vpid(pid
);
1707 domain
= tomoyo_real_domain(p
);
1708 read_unlock(&tasklist_lock
);
1711 tomoyo_io_printf(head
, "%d %u %s", pid
, domain
->profile
,
1712 domain
->domainname
->name
);
1713 head
->read_eof
= true;
1719 * tomoyo_write_exception_policy - Write exception policy.
1721 * @head: Pointer to "struct tomoyo_io_buffer".
1723 * Returns 0 on success, negative value otherwise.
1725 * Caller holds tomoyo_read_lock().
1727 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer
*head
)
1729 char *data
= head
->write_buf
;
1730 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1732 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_KEEP_DOMAIN
))
1733 return tomoyo_write_domain_keeper_policy(data
, false,
1735 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_KEEP_DOMAIN
))
1736 return tomoyo_write_domain_keeper_policy(data
, true, is_delete
);
1737 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_INITIALIZE_DOMAIN
))
1738 return tomoyo_write_domain_initializer_policy(data
, false,
1740 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN
))
1741 return tomoyo_write_domain_initializer_policy(data
, true,
1743 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALIAS
))
1744 return tomoyo_write_alias_policy(data
, is_delete
);
1745 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALLOW_READ
))
1746 return tomoyo_write_globally_readable_policy(data
, is_delete
);
1747 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_FILE_PATTERN
))
1748 return tomoyo_write_pattern_policy(data
, is_delete
);
1749 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DENY_REWRITE
))
1750 return tomoyo_write_no_rewrite_policy(data
, is_delete
);
1751 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_PATH_GROUP
))
1752 return tomoyo_write_path_group_policy(data
, is_delete
);
1757 * tomoyo_read_exception_policy - Read exception policy.
1759 * @head: Pointer to "struct tomoyo_io_buffer".
1761 * Returns 0 on success, -EINVAL otherwise.
1763 * Caller holds tomoyo_read_lock().
1765 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer
*head
)
1767 if (!head
->read_eof
) {
1768 switch (head
->read_step
) {
1770 head
->read_var2
= NULL
;
1771 head
->read_step
= 1;
1773 if (!tomoyo_read_domain_keeper_policy(head
))
1775 head
->read_var2
= NULL
;
1776 head
->read_step
= 2;
1778 if (!tomoyo_read_globally_readable_policy(head
))
1780 head
->read_var2
= NULL
;
1781 head
->read_step
= 3;
1783 head
->read_var2
= NULL
;
1784 head
->read_step
= 4;
1786 if (!tomoyo_read_domain_initializer_policy(head
))
1788 head
->read_var2
= NULL
;
1789 head
->read_step
= 5;
1791 if (!tomoyo_read_alias_policy(head
))
1793 head
->read_var2
= NULL
;
1794 head
->read_step
= 6;
1796 head
->read_var2
= NULL
;
1797 head
->read_step
= 7;
1799 if (!tomoyo_read_file_pattern(head
))
1801 head
->read_var2
= NULL
;
1802 head
->read_step
= 8;
1804 if (!tomoyo_read_no_rewrite_policy(head
))
1806 head
->read_var2
= NULL
;
1807 head
->read_step
= 9;
1809 if (!tomoyo_read_path_group_policy(head
))
1811 head
->read_var1
= NULL
;
1812 head
->read_var2
= NULL
;
1813 head
->read_step
= 10;
1815 head
->read_eof
= true;
1824 /* path to policy loader */
1825 static const char *tomoyo_loader
= "/sbin/tomoyo-init";
1828 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
1830 * Returns true if /sbin/tomoyo-init exists, false otherwise.
1832 static bool tomoyo_policy_loader_exists(void)
1835 * Don't activate MAC if the policy loader doesn't exist.
1836 * If the initrd includes /sbin/init but real-root-dev has not
1837 * mounted on / yet, activating MAC will block the system since
1838 * policies are not loaded yet.
1839 * Thus, let do_execve() call this function everytime.
1843 if (kern_path(tomoyo_loader
, LOOKUP_FOLLOW
, &path
)) {
1844 printk(KERN_INFO
"Not activating Mandatory Access Control now "
1845 "since %s doesn't exist.\n", tomoyo_loader
);
1853 * tomoyo_load_policy - Run external policy loader to load policy.
1855 * @filename: The program about to start.
1857 * This function checks whether @filename is /sbin/init , and if so
1858 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
1859 * and then continues invocation of /sbin/init.
1860 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
1861 * writes to /sys/kernel/security/tomoyo/ interfaces.
1865 void tomoyo_load_policy(const char *filename
)
1870 if (tomoyo_policy_loaded
)
1873 * Check filename is /sbin/init or /sbin/tomoyo-start.
1874 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
1876 * You can create /sbin/tomoyo-start by
1877 * "ln -s /bin/true /sbin/tomoyo-start".
1879 if (strcmp(filename
, "/sbin/init") &&
1880 strcmp(filename
, "/sbin/tomoyo-start"))
1882 if (!tomoyo_policy_loader_exists())
1885 printk(KERN_INFO
"Calling %s to load policy. Please wait.\n",
1887 argv
[0] = (char *) tomoyo_loader
;
1890 envp
[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
1892 call_usermodehelper(argv
[0], argv
, envp
, 1);
1894 printk(KERN_INFO
"TOMOYO: 2.2.0 2009/04/01\n");
1895 printk(KERN_INFO
"Mandatory Access Control activated.\n");
1896 tomoyo_policy_loaded
= true;
1897 { /* Check all profiles currently assigned to domains are defined. */
1898 struct tomoyo_domain_info
*domain
;
1899 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1900 const u8 profile
= domain
->profile
;
1901 if (tomoyo_profile_ptr
[profile
])
1903 panic("Profile %u (used by '%s') not defined.\n",
1904 profile
, domain
->domainname
->name
);
1910 * tomoyo_read_version: Get version.
1912 * @head: Pointer to "struct tomoyo_io_buffer".
1914 * Returns version information.
1916 static int tomoyo_read_version(struct tomoyo_io_buffer
*head
)
1918 if (!head
->read_eof
) {
1919 tomoyo_io_printf(head
, "2.2.0");
1920 head
->read_eof
= true;
1926 * tomoyo_read_self_domain - Get the current process's domainname.
1928 * @head: Pointer to "struct tomoyo_io_buffer".
1930 * Returns the current process's domainname.
1932 static int tomoyo_read_self_domain(struct tomoyo_io_buffer
*head
)
1934 if (!head
->read_eof
) {
1936 * tomoyo_domain()->domainname != NULL
1937 * because every process belongs to a domain and
1938 * the domain's name cannot be NULL.
1940 tomoyo_io_printf(head
, "%s", tomoyo_domain()->domainname
->name
);
1941 head
->read_eof
= true;
1947 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
1949 * @type: Type of interface.
1950 * @file: Pointer to "struct file".
1952 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
1954 * Caller acquires tomoyo_read_lock().
1956 static int tomoyo_open_control(const u8 type
, struct file
*file
)
1958 struct tomoyo_io_buffer
*head
= kzalloc(sizeof(*head
), GFP_NOFS
);
1962 mutex_init(&head
->io_sem
);
1964 case TOMOYO_DOMAINPOLICY
:
1965 /* /sys/kernel/security/tomoyo/domain_policy */
1966 head
->write
= tomoyo_write_domain_policy
;
1967 head
->read
= tomoyo_read_domain_policy
;
1969 case TOMOYO_EXCEPTIONPOLICY
:
1970 /* /sys/kernel/security/tomoyo/exception_policy */
1971 head
->write
= tomoyo_write_exception_policy
;
1972 head
->read
= tomoyo_read_exception_policy
;
1974 case TOMOYO_SELFDOMAIN
:
1975 /* /sys/kernel/security/tomoyo/self_domain */
1976 head
->read
= tomoyo_read_self_domain
;
1978 case TOMOYO_DOMAIN_STATUS
:
1979 /* /sys/kernel/security/tomoyo/.domain_status */
1980 head
->write
= tomoyo_write_domain_profile
;
1981 head
->read
= tomoyo_read_domain_profile
;
1983 case TOMOYO_PROCESS_STATUS
:
1984 /* /sys/kernel/security/tomoyo/.process_status */
1985 head
->write
= tomoyo_write_pid
;
1986 head
->read
= tomoyo_read_pid
;
1988 case TOMOYO_VERSION
:
1989 /* /sys/kernel/security/tomoyo/version */
1990 head
->read
= tomoyo_read_version
;
1991 head
->readbuf_size
= 128;
1993 case TOMOYO_MEMINFO
:
1994 /* /sys/kernel/security/tomoyo/meminfo */
1995 head
->write
= tomoyo_write_memory_quota
;
1996 head
->read
= tomoyo_read_memory_counter
;
1997 head
->readbuf_size
= 512;
1999 case TOMOYO_PROFILE
:
2000 /* /sys/kernel/security/tomoyo/profile */
2001 head
->write
= tomoyo_write_profile
;
2002 head
->read
= tomoyo_read_profile
;
2004 case TOMOYO_MANAGER
:
2005 /* /sys/kernel/security/tomoyo/manager */
2006 head
->write
= tomoyo_write_manager_policy
;
2007 head
->read
= tomoyo_read_manager_policy
;
2010 if (!(file
->f_mode
& FMODE_READ
)) {
2012 * No need to allocate read_buf since it is not opened
2017 if (!head
->readbuf_size
)
2018 head
->readbuf_size
= 4096 * 2;
2019 head
->read_buf
= kzalloc(head
->readbuf_size
, GFP_NOFS
);
2020 if (!head
->read_buf
) {
2025 if (!(file
->f_mode
& FMODE_WRITE
)) {
2027 * No need to allocate write_buf since it is not opened
2031 } else if (head
->write
) {
2032 head
->writebuf_size
= 4096 * 2;
2033 head
->write_buf
= kzalloc(head
->writebuf_size
, GFP_NOFS
);
2034 if (!head
->write_buf
) {
2035 kfree(head
->read_buf
);
2040 head
->reader_idx
= tomoyo_read_lock();
2041 file
->private_data
= head
;
2043 * Call the handler now if the file is
2044 * /sys/kernel/security/tomoyo/self_domain
2045 * so that the user can use
2046 * cat < /sys/kernel/security/tomoyo/self_domain"
2047 * to know the current process's domainname.
2049 if (type
== TOMOYO_SELFDOMAIN
)
2050 tomoyo_read_control(file
, NULL
, 0);
2055 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
2057 * @file: Pointer to "struct file".
2058 * @buffer: Poiner to buffer to write to.
2059 * @buffer_len: Size of @buffer.
2061 * Returns bytes read on success, negative value otherwise.
2063 * Caller holds tomoyo_read_lock().
2065 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
2066 const int buffer_len
)
2069 struct tomoyo_io_buffer
*head
= file
->private_data
;
2074 if (mutex_lock_interruptible(&head
->io_sem
))
2076 /* Call the policy handler. */
2077 len
= head
->read(head
);
2080 /* Write to buffer. */
2081 len
= head
->read_avail
;
2082 if (len
> buffer_len
)
2086 /* head->read_buf changes by some functions. */
2087 cp
= head
->read_buf
;
2088 if (copy_to_user(buffer
, cp
, len
)) {
2092 head
->read_avail
-= len
;
2093 memmove(cp
, cp
+ len
, head
->read_avail
);
2095 mutex_unlock(&head
->io_sem
);
2100 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2102 * @file: Pointer to "struct file".
2103 * @buffer: Pointer to buffer to read from.
2104 * @buffer_len: Size of @buffer.
2106 * Returns @buffer_len on success, negative value otherwise.
2108 * Caller holds tomoyo_read_lock().
2110 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
2111 const int buffer_len
)
2113 struct tomoyo_io_buffer
*head
= file
->private_data
;
2114 int error
= buffer_len
;
2115 int avail_len
= buffer_len
;
2116 char *cp0
= head
->write_buf
;
2120 if (!access_ok(VERIFY_READ
, buffer
, buffer_len
))
2122 /* Don't allow updating policies by non manager programs. */
2123 if (head
->write
!= tomoyo_write_pid
&&
2124 head
->write
!= tomoyo_write_domain_policy
&&
2125 !tomoyo_is_policy_manager())
2127 if (mutex_lock_interruptible(&head
->io_sem
))
2129 /* Read a line and dispatch it to the policy handler. */
2130 while (avail_len
> 0) {
2132 if (head
->write_avail
>= head
->writebuf_size
- 1) {
2135 } else if (get_user(c
, buffer
)) {
2141 cp0
[head
->write_avail
++] = c
;
2144 cp0
[head
->write_avail
- 1] = '\0';
2145 head
->write_avail
= 0;
2146 tomoyo_normalize_line(cp0
);
2149 mutex_unlock(&head
->io_sem
);
2154 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2156 * @file: Pointer to "struct file".
2158 * Releases memory and returns 0.
2160 * Caller looses tomoyo_read_lock().
2162 static int tomoyo_close_control(struct file
*file
)
2164 struct tomoyo_io_buffer
*head
= file
->private_data
;
2165 const bool is_write
= !!head
->write_buf
;
2167 tomoyo_read_unlock(head
->reader_idx
);
2168 /* Release memory used for policy I/O. */
2169 kfree(head
->read_buf
);
2170 head
->read_buf
= NULL
;
2171 kfree(head
->write_buf
);
2172 head
->write_buf
= NULL
;
2175 file
->private_data
= NULL
;
2182 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2184 * @inode: Pointer to "struct inode".
2185 * @file: Pointer to "struct file".
2187 * Returns 0 on success, negative value otherwise.
2189 static int tomoyo_open(struct inode
*inode
, struct file
*file
)
2191 const int key
= ((u8
*) file
->f_path
.dentry
->d_inode
->i_private
)
2193 return tomoyo_open_control(key
, file
);
2197 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2199 * @inode: Pointer to "struct inode".
2200 * @file: Pointer to "struct file".
2202 * Returns 0 on success, negative value otherwise.
2204 static int tomoyo_release(struct inode
*inode
, struct file
*file
)
2206 return tomoyo_close_control(file
);
2210 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2212 * @file: Pointer to "struct file".
2213 * @buf: Pointer to buffer.
2214 * @count: Size of @buf.
2217 * Returns bytes read on success, negative value otherwise.
2219 static ssize_t
tomoyo_read(struct file
*file
, char __user
*buf
, size_t count
,
2222 return tomoyo_read_control(file
, buf
, count
);
2226 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2228 * @file: Pointer to "struct file".
2229 * @buf: Pointer to buffer.
2230 * @count: Size of @buf.
2233 * Returns @count on success, negative value otherwise.
2235 static ssize_t
tomoyo_write(struct file
*file
, const char __user
*buf
,
2236 size_t count
, loff_t
*ppos
)
2238 return tomoyo_write_control(file
, buf
, count
);
2242 * tomoyo_operations is a "struct file_operations" which is used for handling
2243 * /sys/kernel/security/tomoyo/ interface.
2245 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2246 * See tomoyo_io_buffer for internals.
2248 static const struct file_operations tomoyo_operations
= {
2249 .open
= tomoyo_open
,
2250 .release
= tomoyo_release
,
2251 .read
= tomoyo_read
,
2252 .write
= tomoyo_write
,
2256 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2258 * @name: The name of the interface file.
2259 * @mode: The permission of the interface file.
2260 * @parent: The parent directory.
2261 * @key: Type of interface.
2265 static void __init
tomoyo_create_entry(const char *name
, const mode_t mode
,
2266 struct dentry
*parent
, const u8 key
)
2268 securityfs_create_file(name
, mode
, parent
, ((u8
*) NULL
) + key
,
2269 &tomoyo_operations
);
2273 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2277 static int __init
tomoyo_initerface_init(void)
2279 struct dentry
*tomoyo_dir
;
2281 /* Don't create securityfs entries unless registered. */
2282 if (current_cred()->security
!= &tomoyo_kernel_domain
)
2285 tomoyo_dir
= securityfs_create_dir("tomoyo", NULL
);
2286 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir
,
2287 TOMOYO_DOMAINPOLICY
);
2288 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir
,
2289 TOMOYO_EXCEPTIONPOLICY
);
2290 tomoyo_create_entry("self_domain", 0400, tomoyo_dir
,
2292 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir
,
2293 TOMOYO_DOMAIN_STATUS
);
2294 tomoyo_create_entry(".process_status", 0600, tomoyo_dir
,
2295 TOMOYO_PROCESS_STATUS
);
2296 tomoyo_create_entry("meminfo", 0600, tomoyo_dir
,
2298 tomoyo_create_entry("profile", 0600, tomoyo_dir
,
2300 tomoyo_create_entry("manager", 0600, tomoyo_dir
,
2302 tomoyo_create_entry("version", 0400, tomoyo_dir
,
2307 fs_initcall(tomoyo_initerface_init
);