2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
13 #include <linux/slab.h>
15 /* Keyword array for single path operations. */
16 static const char *tomoyo_path_keyword
[TOMOYO_MAX_PATH_OPERATION
] = {
17 [TOMOYO_TYPE_READ_WRITE
] = "read/write",
18 [TOMOYO_TYPE_EXECUTE
] = "execute",
19 [TOMOYO_TYPE_READ
] = "read",
20 [TOMOYO_TYPE_WRITE
] = "write",
21 [TOMOYO_TYPE_CREATE
] = "create",
22 [TOMOYO_TYPE_UNLINK
] = "unlink",
23 [TOMOYO_TYPE_MKDIR
] = "mkdir",
24 [TOMOYO_TYPE_RMDIR
] = "rmdir",
25 [TOMOYO_TYPE_MKFIFO
] = "mkfifo",
26 [TOMOYO_TYPE_MKSOCK
] = "mksock",
27 [TOMOYO_TYPE_MKBLOCK
] = "mkblock",
28 [TOMOYO_TYPE_MKCHAR
] = "mkchar",
29 [TOMOYO_TYPE_TRUNCATE
] = "truncate",
30 [TOMOYO_TYPE_SYMLINK
] = "symlink",
31 [TOMOYO_TYPE_REWRITE
] = "rewrite",
32 [TOMOYO_TYPE_IOCTL
] = "ioctl",
33 [TOMOYO_TYPE_CHMOD
] = "chmod",
34 [TOMOYO_TYPE_CHOWN
] = "chown",
35 [TOMOYO_TYPE_CHGRP
] = "chgrp",
36 [TOMOYO_TYPE_CHROOT
] = "chroot",
37 [TOMOYO_TYPE_MOUNT
] = "mount",
38 [TOMOYO_TYPE_UMOUNT
] = "unmount",
41 /* Keyword array for double path operations. */
42 static const char *tomoyo_path2_keyword
[TOMOYO_MAX_PATH2_OPERATION
] = {
43 [TOMOYO_TYPE_LINK
] = "link",
44 [TOMOYO_TYPE_RENAME
] = "rename",
45 [TOMOYO_TYPE_PIVOT_ROOT
] = "pivot_root",
48 void tomoyo_put_name_union(struct tomoyo_name_union
*ptr
)
53 tomoyo_put_path_group(ptr
->group
);
55 tomoyo_put_name(ptr
->filename
);
58 bool tomoyo_compare_name_union(const struct tomoyo_path_info
*name
,
59 const struct tomoyo_name_union
*ptr
)
62 return tomoyo_path_matches_group(name
, ptr
->group
, 1);
63 return tomoyo_path_matches_pattern(name
, ptr
->filename
);
66 static bool tomoyo_compare_name_union_pattern(const struct tomoyo_path_info
68 const struct tomoyo_name_union
69 *ptr
, const bool may_use_pattern
)
72 return tomoyo_path_matches_group(name
, ptr
->group
,
74 if (may_use_pattern
|| !ptr
->filename
->is_patterned
)
75 return tomoyo_path_matches_pattern(name
, ptr
->filename
);
79 void tomoyo_put_number_union(struct tomoyo_number_union
*ptr
)
81 if (ptr
&& ptr
->is_group
)
82 tomoyo_put_number_group(ptr
->group
);
85 bool tomoyo_compare_number_union(const unsigned long value
,
86 const struct tomoyo_number_union
*ptr
)
89 return tomoyo_number_matches_group(value
, value
, ptr
->group
);
90 return value
>= ptr
->values
[0] && value
<= ptr
->values
[1];
94 * tomoyo_path2keyword - Get the name of single path operation.
96 * @operation: Type of operation.
98 * Returns the name of single path operation.
100 const char *tomoyo_path2keyword(const u8 operation
)
102 return (operation
< TOMOYO_MAX_PATH_OPERATION
)
103 ? tomoyo_path_keyword
[operation
] : NULL
;
107 * tomoyo_path22keyword - Get the name of double path operation.
109 * @operation: Type of operation.
111 * Returns the name of double path operation.
113 const char *tomoyo_path22keyword(const u8 operation
)
115 return (operation
< TOMOYO_MAX_PATH2_OPERATION
)
116 ? tomoyo_path2_keyword
[operation
] : NULL
;
120 * tomoyo_strendswith - Check whether the token ends with the given token.
122 * @name: The token to check.
123 * @tail: The token to find.
125 * Returns true if @name ends with @tail, false otherwise.
127 static bool tomoyo_strendswith(const char *name
, const char *tail
)
133 len
= strlen(name
) - strlen(tail
);
134 return len
>= 0 && !strcmp(name
+ len
, tail
);
138 * tomoyo_get_path - Get realpath.
140 * @path: Pointer to "struct path".
142 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
144 static struct tomoyo_path_info
*tomoyo_get_path(struct path
*path
)
147 struct tomoyo_path_info_with_data
*buf
= kzalloc(sizeof(*buf
),
152 /* Reserve one byte for appending "/". */
153 error
= tomoyo_realpath_from_path2(path
, buf
->body
,
154 sizeof(buf
->body
) - 2);
156 buf
->head
.name
= buf
->body
;
157 tomoyo_fill_path_info(&buf
->head
);
164 static int tomoyo_update_path2_acl(const u8 type
, const char *filename1
,
165 const char *filename2
,
166 struct tomoyo_domain_info
*const domain
,
167 const bool is_delete
);
168 static int tomoyo_update_path_acl(const u8 type
, const char *filename
,
169 struct tomoyo_domain_info
*const domain
,
170 const bool is_delete
);
173 * tomoyo_globally_readable_list is used for holding list of pathnames which
174 * are by default allowed to be open()ed for reading by any process.
176 * An entry is added by
178 * # echo 'allow_read /lib/libc-2.5.so' > \
179 * /sys/kernel/security/tomoyo/exception_policy
183 * # echo 'delete allow_read /lib/libc-2.5.so' > \
184 * /sys/kernel/security/tomoyo/exception_policy
186 * and all entries are retrieved by
188 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
190 * In the example above, any process is allowed to
191 * open("/lib/libc-2.5.so", O_RDONLY).
192 * One exception is, if the domain which current process belongs to is marked
193 * as "ignore_global_allow_read", current process can't do so unless explicitly
194 * given "allow_read /lib/libc-2.5.so" to the domain which current process
197 LIST_HEAD(tomoyo_globally_readable_list
);
200 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
202 * @filename: Filename unconditionally permitted to open() for reading.
203 * @is_delete: True if it is a delete request.
205 * Returns 0 on success, negative value otherwise.
207 * Caller holds tomoyo_read_lock().
209 static int tomoyo_update_globally_readable_entry(const char *filename
,
210 const bool is_delete
)
212 struct tomoyo_globally_readable_file_entry
*ptr
;
213 struct tomoyo_globally_readable_file_entry e
= { };
214 int error
= is_delete
? -ENOENT
: -ENOMEM
;
216 if (!tomoyo_is_correct_path(filename
, 1, 0, -1))
218 e
.filename
= tomoyo_get_name(filename
);
221 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
223 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
224 if (ptr
->filename
!= e
.filename
)
226 ptr
->is_deleted
= is_delete
;
230 if (!is_delete
&& error
) {
231 struct tomoyo_globally_readable_file_entry
*entry
=
232 tomoyo_commit_ok(&e
, sizeof(e
));
234 list_add_tail_rcu(&entry
->list
,
235 &tomoyo_globally_readable_list
);
239 mutex_unlock(&tomoyo_policy_lock
);
241 tomoyo_put_name(e
.filename
);
246 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
248 * @filename: The filename to check.
250 * Returns true if any domain can open @filename for reading, false otherwise.
252 * Caller holds tomoyo_read_lock().
254 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info
*
257 struct tomoyo_globally_readable_file_entry
*ptr
;
260 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
261 if (!ptr
->is_deleted
&&
262 tomoyo_path_matches_pattern(filename
, ptr
->filename
)) {
271 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
273 * @data: String to parse.
274 * @is_delete: True if it is a delete request.
276 * Returns 0 on success, negative value otherwise.
278 * Caller holds tomoyo_read_lock().
280 int tomoyo_write_globally_readable_policy(char *data
, const bool is_delete
)
282 return tomoyo_update_globally_readable_entry(data
, is_delete
);
286 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
288 * @head: Pointer to "struct tomoyo_io_buffer".
290 * Returns true on success, false otherwise.
292 * Caller holds tomoyo_read_lock().
294 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer
*head
)
296 struct list_head
*pos
;
299 list_for_each_cookie(pos
, head
->read_var2
,
300 &tomoyo_globally_readable_list
) {
301 struct tomoyo_globally_readable_file_entry
*ptr
;
302 ptr
= list_entry(pos
,
303 struct tomoyo_globally_readable_file_entry
,
307 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_ALLOW_READ
"%s\n",
308 ptr
->filename
->name
);
315 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
316 * converting pathnames to pathname patterns during learning mode.
318 * An entry is added by
320 * # echo 'file_pattern /proc/\$/mounts' > \
321 * /sys/kernel/security/tomoyo/exception_policy
325 * # echo 'delete file_pattern /proc/\$/mounts' > \
326 * /sys/kernel/security/tomoyo/exception_policy
328 * and all entries are retrieved by
330 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
332 * In the example above, if a process which belongs to a domain which is in
333 * learning mode requested open("/proc/1/mounts", O_RDONLY),
334 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
335 * process belongs to.
337 * It is not a desirable behavior that we have to use /proc/\$/ instead of
338 * /proc/self/ when current process needs to access only current process's
339 * information. As of now, LSM version of TOMOYO is using __d_path() for
340 * calculating pathname. Non LSM version of TOMOYO is using its own function
341 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
342 * current process from accessing other process's information.
344 LIST_HEAD(tomoyo_pattern_list
);
347 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
349 * @pattern: Pathname pattern.
350 * @is_delete: True if it is a delete request.
352 * Returns 0 on success, negative value otherwise.
354 * Caller holds tomoyo_read_lock().
356 static int tomoyo_update_file_pattern_entry(const char *pattern
,
357 const bool is_delete
)
359 struct tomoyo_pattern_entry
*ptr
;
360 struct tomoyo_pattern_entry e
= { .pattern
= tomoyo_get_name(pattern
) };
361 int error
= is_delete
? -ENOENT
: -ENOMEM
;
365 if (!e
.pattern
->is_patterned
)
367 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
369 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
370 if (e
.pattern
!= ptr
->pattern
)
372 ptr
->is_deleted
= is_delete
;
376 if (!is_delete
&& error
) {
377 struct tomoyo_pattern_entry
*entry
=
378 tomoyo_commit_ok(&e
, sizeof(e
));
380 list_add_tail_rcu(&entry
->list
, &tomoyo_pattern_list
);
384 mutex_unlock(&tomoyo_policy_lock
);
386 tomoyo_put_name(e
.pattern
);
391 * tomoyo_get_file_pattern - Get patterned pathname.
393 * @filename: The filename to find patterned pathname.
395 * Returns pointer to pathname pattern if matched, @filename otherwise.
397 * Caller holds tomoyo_read_lock().
399 static const struct tomoyo_path_info
*
400 tomoyo_get_file_pattern(const struct tomoyo_path_info
*filename
)
402 struct tomoyo_pattern_entry
*ptr
;
403 const struct tomoyo_path_info
*pattern
= NULL
;
405 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
408 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
410 pattern
= ptr
->pattern
;
411 if (tomoyo_strendswith(pattern
->name
, "/\\*")) {
412 /* Do nothing. Try to find the better match. */
414 /* This would be the better match. Use this. */
424 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
426 * @data: String to parse.
427 * @is_delete: True if it is a delete request.
429 * Returns 0 on success, negative value otherwise.
431 * Caller holds tomoyo_read_lock().
433 int tomoyo_write_pattern_policy(char *data
, const bool is_delete
)
435 return tomoyo_update_file_pattern_entry(data
, is_delete
);
439 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
441 * @head: Pointer to "struct tomoyo_io_buffer".
443 * Returns true on success, false otherwise.
445 * Caller holds tomoyo_read_lock().
447 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer
*head
)
449 struct list_head
*pos
;
452 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_pattern_list
) {
453 struct tomoyo_pattern_entry
*ptr
;
454 ptr
= list_entry(pos
, struct tomoyo_pattern_entry
, list
);
457 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_FILE_PATTERN
458 "%s\n", ptr
->pattern
->name
);
466 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
467 * default forbidden to modify already written content of a file.
469 * An entry is added by
471 * # echo 'deny_rewrite /var/log/messages' > \
472 * /sys/kernel/security/tomoyo/exception_policy
476 * # echo 'delete deny_rewrite /var/log/messages' > \
477 * /sys/kernel/security/tomoyo/exception_policy
479 * and all entries are retrieved by
481 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
483 * In the example above, if a process requested to rewrite /var/log/messages ,
484 * the process can't rewrite unless the domain which that process belongs to
485 * has "allow_rewrite /var/log/messages" entry.
487 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
488 * when we want to allow rewriting already unlink()ed file. As of now,
489 * LSM version of TOMOYO is using __d_path() for calculating pathname.
490 * Non LSM version of TOMOYO is using its own function which doesn't append
491 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
492 * need to worry whether the file is already unlink()ed or not.
494 LIST_HEAD(tomoyo_no_rewrite_list
);
497 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
499 * @pattern: Pathname pattern that are not rewritable by default.
500 * @is_delete: True if it is a delete request.
502 * Returns 0 on success, negative value otherwise.
504 * Caller holds tomoyo_read_lock().
506 static int tomoyo_update_no_rewrite_entry(const char *pattern
,
507 const bool is_delete
)
509 struct tomoyo_no_rewrite_entry
*ptr
;
510 struct tomoyo_no_rewrite_entry e
= { };
511 int error
= is_delete
? -ENOENT
: -ENOMEM
;
513 if (!tomoyo_is_correct_path(pattern
, 0, 0, 0))
515 e
.pattern
= tomoyo_get_name(pattern
);
518 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
520 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
521 if (ptr
->pattern
!= e
.pattern
)
523 ptr
->is_deleted
= is_delete
;
527 if (!is_delete
&& error
) {
528 struct tomoyo_no_rewrite_entry
*entry
=
529 tomoyo_commit_ok(&e
, sizeof(e
));
531 list_add_tail_rcu(&entry
->list
,
532 &tomoyo_no_rewrite_list
);
536 mutex_unlock(&tomoyo_policy_lock
);
538 tomoyo_put_name(e
.pattern
);
543 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
545 * @filename: Filename to check.
547 * Returns true if @filename is specified by "deny_rewrite" directive,
550 * Caller holds tomoyo_read_lock().
552 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info
*filename
)
554 struct tomoyo_no_rewrite_entry
*ptr
;
557 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
560 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
569 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
571 * @data: String to parse.
572 * @is_delete: True if it is a delete request.
574 * Returns 0 on success, negative value otherwise.
576 * Caller holds tomoyo_read_lock().
578 int tomoyo_write_no_rewrite_policy(char *data
, const bool is_delete
)
580 return tomoyo_update_no_rewrite_entry(data
, is_delete
);
584 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
586 * @head: Pointer to "struct tomoyo_io_buffer".
588 * Returns true on success, false otherwise.
590 * Caller holds tomoyo_read_lock().
592 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer
*head
)
594 struct list_head
*pos
;
597 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_no_rewrite_list
) {
598 struct tomoyo_no_rewrite_entry
*ptr
;
599 ptr
= list_entry(pos
, struct tomoyo_no_rewrite_entry
, list
);
602 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_DENY_REWRITE
603 "%s\n", ptr
->pattern
->name
);
611 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
613 * @filename: Filename.
614 * @perm: Permission (between 1 to 7).
615 * @domain: Pointer to "struct tomoyo_domain_info".
616 * @is_delete: True if it is a delete request.
618 * Returns 0 on success, negative value otherwise.
620 * This is legacy support interface for older policy syntax.
621 * Current policy syntax uses "allow_read/write" instead of "6",
622 * "allow_read" instead of "4", "allow_write" instead of "2",
623 * "allow_execute" instead of "1".
625 * Caller holds tomoyo_read_lock().
627 static int tomoyo_update_file_acl(const char *filename
, u8 perm
,
628 struct tomoyo_domain_info
* const domain
,
629 const bool is_delete
)
631 if (perm
> 7 || !perm
) {
632 printk(KERN_DEBUG
"%s: Invalid permission '%d %s'\n",
633 __func__
, perm
, filename
);
636 if (filename
[0] != '@' && tomoyo_strendswith(filename
, "/"))
638 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
639 * directory permissions.
643 tomoyo_update_path_acl(TOMOYO_TYPE_READ
, filename
, domain
,
646 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE
, filename
, domain
,
649 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE
, filename
, domain
,
655 * tomoyo_path_acl2 - Check permission for single path operation.
657 * @domain: Pointer to "struct tomoyo_domain_info".
658 * @filename: Filename to check.
660 * @may_use_pattern: True if patterned ACL is permitted.
662 * Returns 0 on success, -EPERM otherwise.
664 * Caller holds tomoyo_read_lock().
666 static int tomoyo_path_acl2(const struct tomoyo_domain_info
*domain
,
667 const struct tomoyo_path_info
*filename
,
668 const u32 perm
, const bool may_use_pattern
)
670 struct tomoyo_acl_info
*ptr
;
673 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
674 struct tomoyo_path_acl
*acl
;
675 if (ptr
->type
!= TOMOYO_TYPE_PATH_ACL
)
677 acl
= container_of(ptr
, struct tomoyo_path_acl
, head
);
678 if (perm
<= 0xFFFF) {
679 if (!(acl
->perm
& perm
))
682 if (!(acl
->perm_high
& (perm
>> 16)))
685 if (!tomoyo_compare_name_union_pattern(filename
, &acl
->name
,
695 * tomoyo_check_file_acl - Check permission for opening files.
697 * @domain: Pointer to "struct tomoyo_domain_info".
698 * @filename: Filename to check.
699 * @operation: Mode ("read" or "write" or "read/write" or "execute").
701 * Returns 0 on success, -EPERM otherwise.
703 * Caller holds tomoyo_read_lock().
705 static int tomoyo_check_file_acl(const struct tomoyo_domain_info
*domain
,
706 const struct tomoyo_path_info
*filename
,
711 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
714 perm
= 1 << TOMOYO_TYPE_READ_WRITE
;
715 else if (operation
== 4)
716 perm
= 1 << TOMOYO_TYPE_READ
;
717 else if (operation
== 2)
718 perm
= 1 << TOMOYO_TYPE_WRITE
;
719 else if (operation
== 1)
720 perm
= 1 << TOMOYO_TYPE_EXECUTE
;
723 return tomoyo_path_acl2(domain
, filename
, perm
, operation
!= 1);
727 * tomoyo_check_file_perm2 - Check permission for opening files.
729 * @domain: Pointer to "struct tomoyo_domain_info".
730 * @filename: Filename to check.
731 * @perm: Mode ("read" or "write" or "read/write" or "execute").
732 * @operation: Operation name passed used for verbose mode.
733 * @mode: Access control mode.
735 * Returns 0 on success, negative value otherwise.
737 * Caller holds tomoyo_read_lock().
739 static int tomoyo_check_file_perm2(struct tomoyo_domain_info
* const domain
,
740 const struct tomoyo_path_info
*filename
,
741 const u8 perm
, const char *operation
,
744 const bool is_enforce
= (mode
== 3);
745 const char *msg
= "<unknown>";
750 error
= tomoyo_check_file_acl(domain
, filename
, perm
);
751 if (error
&& perm
== 4 && !domain
->ignore_global_allow_read
752 && tomoyo_is_globally_readable_file(filename
))
755 msg
= tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE
);
757 msg
= tomoyo_path2keyword(TOMOYO_TYPE_READ
);
759 msg
= tomoyo_path2keyword(TOMOYO_TYPE_WRITE
);
761 msg
= tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE
);
766 if (tomoyo_verbose_mode(domain
))
767 printk(KERN_WARNING
"TOMOYO-%s: Access '%s(%s) %s' denied "
768 "for %s\n", tomoyo_get_msg(is_enforce
), msg
, operation
,
769 filename
->name
, tomoyo_get_last_name(domain
));
772 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
773 /* Don't use patterns for execute permission. */
774 const struct tomoyo_path_info
*patterned_file
= (perm
!= 1) ?
775 tomoyo_get_file_pattern(filename
) : filename
;
776 tomoyo_update_file_acl(patterned_file
->name
, perm
,
783 * tomoyo_write_file_policy - Update file related list.
785 * @data: String to parse.
786 * @domain: Pointer to "struct tomoyo_domain_info".
787 * @is_delete: True if it is a delete request.
789 * Returns 0 on success, negative value otherwise.
791 * Caller holds tomoyo_read_lock().
793 int tomoyo_write_file_policy(char *data
, struct tomoyo_domain_info
*domain
,
794 const bool is_delete
)
796 char *filename
= strchr(data
, ' ');
804 if (sscanf(data
, "%u", &perm
) == 1)
805 return tomoyo_update_file_acl(filename
, (u8
) perm
, domain
,
807 if (strncmp(data
, "allow_", 6))
810 for (type
= 0; type
< TOMOYO_MAX_PATH_OPERATION
; type
++) {
811 if (strcmp(data
, tomoyo_path_keyword
[type
]))
813 return tomoyo_update_path_acl(type
, filename
, domain
,
816 filename2
= strchr(filename
, ' ');
820 for (type
= 0; type
< TOMOYO_MAX_PATH2_OPERATION
; type
++) {
821 if (strcmp(data
, tomoyo_path2_keyword
[type
]))
823 return tomoyo_update_path2_acl(type
, filename
, filename2
,
831 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
833 * @type: Type of operation.
834 * @filename: Filename.
835 * @domain: Pointer to "struct tomoyo_domain_info".
836 * @is_delete: True if it is a delete request.
838 * Returns 0 on success, negative value otherwise.
840 * Caller holds tomoyo_read_lock().
842 static int tomoyo_update_path_acl(const u8 type
, const char *filename
,
843 struct tomoyo_domain_info
*const domain
,
844 const bool is_delete
)
846 static const u32 tomoyo_rw_mask
=
847 (1 << TOMOYO_TYPE_READ
) | (1 << TOMOYO_TYPE_WRITE
);
848 const u32 perm
= 1 << type
;
849 struct tomoyo_acl_info
*ptr
;
850 struct tomoyo_path_acl e
= {
851 .head
.type
= TOMOYO_TYPE_PATH_ACL
,
852 .perm_high
= perm
>> 16,
855 int error
= is_delete
? -ENOENT
: -ENOMEM
;
857 if (type
== TOMOYO_TYPE_READ_WRITE
)
858 e
.perm
|= tomoyo_rw_mask
;
861 if (!tomoyo_parse_name_union(filename
, &e
.name
))
863 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
865 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
866 struct tomoyo_path_acl
*acl
=
867 container_of(ptr
, struct tomoyo_path_acl
, head
);
868 if (!tomoyo_is_same_path_acl(acl
, &e
))
874 acl
->perm_high
&= ~(perm
>> 16);
875 if ((acl
->perm
& tomoyo_rw_mask
) != tomoyo_rw_mask
)
876 acl
->perm
&= ~(1 << TOMOYO_TYPE_READ_WRITE
);
877 else if (!(acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE
)))
878 acl
->perm
&= ~tomoyo_rw_mask
;
883 acl
->perm_high
|= (perm
>> 16);
884 if ((acl
->perm
& tomoyo_rw_mask
) == tomoyo_rw_mask
)
885 acl
->perm
|= 1 << TOMOYO_TYPE_READ_WRITE
;
886 else if (acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE
))
887 acl
->perm
|= tomoyo_rw_mask
;
892 if (!is_delete
&& error
) {
893 struct tomoyo_path_acl
*entry
=
894 tomoyo_commit_ok(&e
, sizeof(e
));
896 list_add_tail_rcu(&entry
->head
.list
,
897 &domain
->acl_info_list
);
901 mutex_unlock(&tomoyo_policy_lock
);
903 tomoyo_put_name_union(&e
.name
);
908 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
910 * @type: Type of operation.
911 * @filename1: First filename.
912 * @filename2: Second filename.
913 * @domain: Pointer to "struct tomoyo_domain_info".
914 * @is_delete: True if it is a delete request.
916 * Returns 0 on success, negative value otherwise.
918 * Caller holds tomoyo_read_lock().
920 static int tomoyo_update_path2_acl(const u8 type
, const char *filename1
,
921 const char *filename2
,
922 struct tomoyo_domain_info
*const domain
,
923 const bool is_delete
)
925 const u8 perm
= 1 << type
;
926 struct tomoyo_path2_acl e
= {
927 .head
.type
= TOMOYO_TYPE_PATH2_ACL
,
930 struct tomoyo_acl_info
*ptr
;
931 int error
= is_delete
? -ENOENT
: -ENOMEM
;
935 if (!tomoyo_parse_name_union(filename1
, &e
.name1
) ||
936 !tomoyo_parse_name_union(filename2
, &e
.name2
))
938 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
940 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
941 struct tomoyo_path2_acl
*acl
=
942 container_of(ptr
, struct tomoyo_path2_acl
, head
);
943 if (!tomoyo_is_same_path2_acl(acl
, &e
))
952 if (!is_delete
&& error
) {
953 struct tomoyo_path2_acl
*entry
=
954 tomoyo_commit_ok(&e
, sizeof(e
));
956 list_add_tail_rcu(&entry
->head
.list
,
957 &domain
->acl_info_list
);
961 mutex_unlock(&tomoyo_policy_lock
);
963 tomoyo_put_name_union(&e
.name1
);
964 tomoyo_put_name_union(&e
.name2
);
969 * tomoyo_path_acl - Check permission for single path operation.
971 * @domain: Pointer to "struct tomoyo_domain_info".
972 * @type: Type of operation.
973 * @filename: Filename to check.
975 * Returns 0 on success, negative value otherwise.
977 * Caller holds tomoyo_read_lock().
979 static int tomoyo_path_acl(struct tomoyo_domain_info
*domain
, const u8 type
,
980 const struct tomoyo_path_info
*filename
)
982 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
984 return tomoyo_path_acl2(domain
, filename
, 1 << type
, 1);
988 * tomoyo_path2_acl - Check permission for double path operation.
990 * @domain: Pointer to "struct tomoyo_domain_info".
991 * @type: Type of operation.
992 * @filename1: First filename to check.
993 * @filename2: Second filename to check.
995 * Returns 0 on success, -EPERM otherwise.
997 * Caller holds tomoyo_read_lock().
999 static int tomoyo_path2_acl(const struct tomoyo_domain_info
*domain
,
1001 const struct tomoyo_path_info
*filename1
,
1002 const struct tomoyo_path_info
*filename2
)
1004 struct tomoyo_acl_info
*ptr
;
1005 const u8 perm
= 1 << type
;
1008 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
1010 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
1011 struct tomoyo_path2_acl
*acl
;
1012 if (ptr
->type
!= TOMOYO_TYPE_PATH2_ACL
)
1014 acl
= container_of(ptr
, struct tomoyo_path2_acl
, head
);
1015 if (!(acl
->perm
& perm
))
1017 if (!tomoyo_compare_name_union(filename1
, &acl
->name1
))
1019 if (!tomoyo_compare_name_union(filename2
, &acl
->name2
))
1028 * tomoyo_path_permission2 - Check permission for single path operation.
1030 * @domain: Pointer to "struct tomoyo_domain_info".
1031 * @operation: Type of operation.
1032 * @filename: Filename to check.
1033 * @mode: Access control mode.
1035 * Returns 0 on success, negative value otherwise.
1037 * Caller holds tomoyo_read_lock().
1039 static int tomoyo_path_permission2(struct tomoyo_domain_info
*const domain
,
1041 const struct tomoyo_path_info
*filename
,
1046 const bool is_enforce
= (mode
== 3);
1051 error
= tomoyo_path_acl(domain
, operation
, filename
);
1052 msg
= tomoyo_path2keyword(operation
);
1055 if (tomoyo_verbose_mode(domain
))
1056 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s' denied for %s\n",
1057 tomoyo_get_msg(is_enforce
), msg
, filename
->name
,
1058 tomoyo_get_last_name(domain
));
1059 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1060 const char *name
= tomoyo_get_file_pattern(filename
)->name
;
1061 tomoyo_update_path_acl(operation
, name
, domain
, false);
1067 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1068 * we need to check "allow_rewrite" permission if the filename is
1069 * specified by "deny_rewrite" keyword.
1071 if (!error
&& operation
== TOMOYO_TYPE_TRUNCATE
&&
1072 tomoyo_is_no_rewrite_file(filename
)) {
1073 operation
= TOMOYO_TYPE_REWRITE
;
1080 * tomoyo_check_exec_perm - Check permission for "execute".
1082 * @domain: Pointer to "struct tomoyo_domain_info".
1083 * @filename: Check permission for "execute".
1085 * Returns 0 on success, negativevalue otherwise.
1087 * Caller holds tomoyo_read_lock().
1089 int tomoyo_check_exec_perm(struct tomoyo_domain_info
*domain
,
1090 const struct tomoyo_path_info
*filename
)
1092 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1096 return tomoyo_check_file_perm2(domain
, filename
, 1, "do_execve", mode
);
1100 * tomoyo_check_open_permission - Check permission for "read" and "write".
1102 * @domain: Pointer to "struct tomoyo_domain_info".
1103 * @path: Pointer to "struct path".
1104 * @flag: Flags for open().
1106 * Returns 0 on success, negative value otherwise.
1108 int tomoyo_check_open_permission(struct tomoyo_domain_info
*domain
,
1109 struct path
*path
, const int flag
)
1111 const u8 acc_mode
= ACC_MODE(flag
);
1112 int error
= -ENOMEM
;
1113 struct tomoyo_path_info
*buf
;
1114 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1115 const bool is_enforce
= (mode
== 3);
1118 if (!mode
|| !path
->mnt
)
1122 if (path
->dentry
->d_inode
&& S_ISDIR(path
->dentry
->d_inode
->i_mode
))
1124 * I don't check directories here because mkdir() and rmdir()
1128 idx
= tomoyo_read_lock();
1129 buf
= tomoyo_get_path(path
);
1134 * If the filename is specified by "deny_rewrite" keyword,
1135 * we need to check "allow_rewrite" permission when the filename is not
1136 * opened for append mode or the filename is truncated at open time.
1138 if ((acc_mode
& MAY_WRITE
) &&
1139 ((flag
& O_TRUNC
) || !(flag
& O_APPEND
)) &&
1140 (tomoyo_is_no_rewrite_file(buf
))) {
1141 error
= tomoyo_path_permission2(domain
, TOMOYO_TYPE_REWRITE
,
1145 error
= tomoyo_check_file_perm2(domain
, buf
, acc_mode
, "open",
1147 if (!error
&& (flag
& O_TRUNC
))
1148 error
= tomoyo_path_permission2(domain
, TOMOYO_TYPE_TRUNCATE
,
1152 tomoyo_read_unlock(idx
);
1159 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1161 * @operation: Type of operation.
1162 * @path: Pointer to "struct path".
1164 * Returns 0 on success, negative value otherwise.
1166 int tomoyo_path_perm(const u8 operation
, struct path
*path
)
1168 int error
= -ENOMEM
;
1169 struct tomoyo_path_info
*buf
;
1170 struct tomoyo_domain_info
*domain
= tomoyo_domain();
1171 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1172 const bool is_enforce
= (mode
== 3);
1175 if (!mode
|| !path
->mnt
)
1177 idx
= tomoyo_read_lock();
1178 buf
= tomoyo_get_path(path
);
1181 switch (operation
) {
1182 case TOMOYO_TYPE_MKDIR
:
1183 case TOMOYO_TYPE_RMDIR
:
1184 case TOMOYO_TYPE_CHROOT
:
1187 * tomoyo_get_path() reserves space for appending "/."
1189 strcat((char *) buf
->name
, "/");
1190 tomoyo_fill_path_info(buf
);
1193 error
= tomoyo_path_permission2(domain
, operation
, buf
, mode
);
1196 tomoyo_read_unlock(idx
);
1203 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1205 * @filp: Pointer to "struct file".
1207 * Returns 0 on success, negative value otherwise.
1209 int tomoyo_check_rewrite_permission(struct file
*filp
)
1211 int error
= -ENOMEM
;
1212 struct tomoyo_domain_info
*domain
= tomoyo_domain();
1213 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1214 const bool is_enforce
= (mode
== 3);
1215 struct tomoyo_path_info
*buf
;
1218 if (!mode
|| !filp
->f_path
.mnt
)
1221 idx
= tomoyo_read_lock();
1222 buf
= tomoyo_get_path(&filp
->f_path
);
1225 if (!tomoyo_is_no_rewrite_file(buf
)) {
1229 error
= tomoyo_path_permission2(domain
, TOMOYO_TYPE_REWRITE
, buf
, mode
);
1232 tomoyo_read_unlock(idx
);
1239 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1241 * @operation: Type of operation.
1242 * @path1: Pointer to "struct path".
1243 * @path2: Pointer to "struct path".
1245 * Returns 0 on success, negative value otherwise.
1247 int tomoyo_path2_perm(const u8 operation
, struct path
*path1
,
1250 int error
= -ENOMEM
;
1251 struct tomoyo_path_info
*buf1
, *buf2
;
1252 struct tomoyo_domain_info
*domain
= tomoyo_domain();
1253 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1254 const bool is_enforce
= (mode
== 3);
1258 if (!mode
|| !path1
->mnt
|| !path2
->mnt
)
1260 idx
= tomoyo_read_lock();
1261 buf1
= tomoyo_get_path(path1
);
1262 buf2
= tomoyo_get_path(path2
);
1266 struct dentry
*dentry
= path1
->dentry
;
1267 if (dentry
->d_inode
&& S_ISDIR(dentry
->d_inode
->i_mode
)) {
1269 * tomoyo_get_path() reserves space for appending "/."
1271 if (!buf1
->is_dir
) {
1272 strcat((char *) buf1
->name
, "/");
1273 tomoyo_fill_path_info(buf1
);
1275 if (!buf2
->is_dir
) {
1276 strcat((char *) buf2
->name
, "/");
1277 tomoyo_fill_path_info(buf2
);
1281 error
= tomoyo_path2_acl(domain
, operation
, buf1
, buf2
);
1282 msg
= tomoyo_path22keyword(operation
);
1285 if (tomoyo_verbose_mode(domain
))
1286 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s %s' "
1287 "denied for %s\n", tomoyo_get_msg(is_enforce
),
1288 msg
, buf1
->name
, buf2
->name
,
1289 tomoyo_get_last_name(domain
));
1290 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1291 const char *name1
= tomoyo_get_file_pattern(buf1
)->name
;
1292 const char *name2
= tomoyo_get_file_pattern(buf2
)->name
;
1293 tomoyo_update_path2_acl(operation
, name1
, name2
, domain
,
1299 tomoyo_read_unlock(idx
);