search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
TOMOYO: Add numeric values grouping support.
[linux-2.6/kvm.git] / security / tomoyo / file.c
blob2dffe07309180cbe85cb08e479aa822b30676067
1 /*
2 * security/tomoyo/file.c
3 *
4 * Implementation of the Domain-Based Mandatory Access Control.
5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 *
8 * Version: 2.2.0 2009/04/01
9 *
10 */
11
12 #include "common.h"
13 #include <linux/slab.h>
14
15 /* Keyword array for single path operations. */
16 static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
17 [TOMOYO_TYPE_READ_WRITE] = "read/write",
18 [TOMOYO_TYPE_EXECUTE] = "execute",
19 [TOMOYO_TYPE_READ] = "read",
20 [TOMOYO_TYPE_WRITE] = "write",
21 [TOMOYO_TYPE_CREATE] = "create",
22 [TOMOYO_TYPE_UNLINK] = "unlink",
23 [TOMOYO_TYPE_MKDIR] = "mkdir",
24 [TOMOYO_TYPE_RMDIR] = "rmdir",
25 [TOMOYO_TYPE_MKFIFO] = "mkfifo",
26 [TOMOYO_TYPE_MKSOCK] = "mksock",
27 [TOMOYO_TYPE_MKBLOCK] = "mkblock",
28 [TOMOYO_TYPE_MKCHAR] = "mkchar",
29 [TOMOYO_TYPE_TRUNCATE] = "truncate",
30 [TOMOYO_TYPE_SYMLINK] = "symlink",
31 [TOMOYO_TYPE_REWRITE] = "rewrite",
32 [TOMOYO_TYPE_IOCTL] = "ioctl",
33 [TOMOYO_TYPE_CHMOD] = "chmod",
34 [TOMOYO_TYPE_CHOWN] = "chown",
35 [TOMOYO_TYPE_CHGRP] = "chgrp",
36 [TOMOYO_TYPE_CHROOT] = "chroot",
37 [TOMOYO_TYPE_MOUNT] = "mount",
38 [TOMOYO_TYPE_UMOUNT] = "unmount",
39 };
40
41 /* Keyword array for double path operations. */
42 static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
43 [TOMOYO_TYPE_LINK] = "link",
44 [TOMOYO_TYPE_RENAME] = "rename",
45 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
46 };
47
48 void tomoyo_put_name_union(struct tomoyo_name_union *ptr)
49 {
50 if (!ptr)
51 return;
52 if (ptr->is_group)
53 tomoyo_put_path_group(ptr->group);
54 else
55 tomoyo_put_name(ptr->filename);
56 }
57
58 bool tomoyo_compare_name_union(const struct tomoyo_path_info *name,
59 const struct tomoyo_name_union *ptr)
60 {
61 if (ptr->is_group)
62 return tomoyo_path_matches_group(name, ptr->group, 1);
63 return tomoyo_path_matches_pattern(name, ptr->filename);
64 }
65
66 static bool tomoyo_compare_name_union_pattern(const struct tomoyo_path_info
67 *name,
68 const struct tomoyo_name_union
69 *ptr, const bool may_use_pattern)
70 {
71 if (ptr->is_group)
72 return tomoyo_path_matches_group(name, ptr->group,
73 may_use_pattern);
74 if (may_use_pattern || !ptr->filename->is_patterned)
75 return tomoyo_path_matches_pattern(name, ptr->filename);
76 return false;
77 }
78
79 void tomoyo_put_number_union(struct tomoyo_number_union *ptr)
80 {
81 if (ptr && ptr->is_group)
82 tomoyo_put_number_group(ptr->group);
83 }
84
85 bool tomoyo_compare_number_union(const unsigned long value,
86 const struct tomoyo_number_union *ptr)
87 {
88 if (ptr->is_group)
89 return tomoyo_number_matches_group(value, value, ptr->group);
90 return value >= ptr->values[0] && value <= ptr->values[1];
91 }
92
93 /**
94 * tomoyo_path2keyword - Get the name of single path operation.
95 *
96 * @operation: Type of operation.
97 *
98 * Returns the name of single path operation.
99 */
100 const char *tomoyo_path2keyword(const u8 operation)
101 {
102 return (operation < TOMOYO_MAX_PATH_OPERATION)
103 ? tomoyo_path_keyword[operation] : NULL;
104 }
105
106 /**
107 * tomoyo_path22keyword - Get the name of double path operation.
108 *
109 * @operation: Type of operation.
110 *
111 * Returns the name of double path operation.
112 */
113 const char *tomoyo_path22keyword(const u8 operation)
114 {
115 return (operation < TOMOYO_MAX_PATH2_OPERATION)
116 ? tomoyo_path2_keyword[operation] : NULL;
117 }
118
119 /**
120 * tomoyo_strendswith - Check whether the token ends with the given token.
121 *
122 * @name: The token to check.
123 * @tail: The token to find.
124 *
125 * Returns true if @name ends with @tail, false otherwise.
126 */
127 static bool tomoyo_strendswith(const char *name, const char *tail)
128 {
129 int len;
130
131 if (!name || !tail)
132 return false;
133 len = strlen(name) - strlen(tail);
134 return len >= 0 && !strcmp(name + len, tail);
135 }
136
137 /**
138 * tomoyo_get_path - Get realpath.
139 *
140 * @path: Pointer to "struct path".
141 *
142 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
143 */
144 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
145 {
146 int error;
147 struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf),
148 GFP_NOFS);
149
150 if (!buf)
151 return NULL;
152 /* Reserve one byte for appending "/". */
153 error = tomoyo_realpath_from_path2(path, buf->body,
154 sizeof(buf->body) - 2);
155 if (!error) {
156 buf->head.name = buf->body;
157 tomoyo_fill_path_info(&buf->head);
158 return &buf->head;
159 }
160 kfree(buf);
161 return NULL;
162 }
163
164 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
165 const char *filename2,
166 struct tomoyo_domain_info *const domain,
167 const bool is_delete);
168 static int tomoyo_update_path_acl(const u8 type, const char *filename,
169 struct tomoyo_domain_info *const domain,
170 const bool is_delete);
171
172 /*
173 * tomoyo_globally_readable_list is used for holding list of pathnames which
174 * are by default allowed to be open()ed for reading by any process.
175 *
176 * An entry is added by
177 *
178 * # echo 'allow_read /lib/libc-2.5.so' > \
179 * /sys/kernel/security/tomoyo/exception_policy
180 *
181 * and is deleted by
182 *
183 * # echo 'delete allow_read /lib/libc-2.5.so' > \
184 * /sys/kernel/security/tomoyo/exception_policy
185 *
186 * and all entries are retrieved by
187 *
188 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
189 *
190 * In the example above, any process is allowed to
191 * open("/lib/libc-2.5.so", O_RDONLY).
192 * One exception is, if the domain which current process belongs to is marked
193 * as "ignore_global_allow_read", current process can't do so unless explicitly
194 * given "allow_read /lib/libc-2.5.so" to the domain which current process
195 * belongs to.
196 */
197 LIST_HEAD(tomoyo_globally_readable_list);
198
199 /**
200 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
201 *
202 * @filename: Filename unconditionally permitted to open() for reading.
203 * @is_delete: True if it is a delete request.
204 *
205 * Returns 0 on success, negative value otherwise.
206 *
207 * Caller holds tomoyo_read_lock().
208 */
209 static int tomoyo_update_globally_readable_entry(const char *filename,
210 const bool is_delete)
211 {
212 struct tomoyo_globally_readable_file_entry *ptr;
213 struct tomoyo_globally_readable_file_entry e = { };
214 int error = is_delete ? -ENOENT : -ENOMEM;
215
216 if (!tomoyo_is_correct_path(filename, 1, 0, -1))
217 return -EINVAL;
218 e.filename = tomoyo_get_name(filename);
219 if (!e.filename)
220 return -ENOMEM;
221 if (mutex_lock_interruptible(&tomoyo_policy_lock))
222 goto out;
223 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
224 if (ptr->filename != e.filename)
225 continue;
226 ptr->is_deleted = is_delete;
227 error = 0;
228 break;
229 }
230 if (!is_delete && error) {
231 struct tomoyo_globally_readable_file_entry *entry =
232 tomoyo_commit_ok(&e, sizeof(e));
233 if (entry) {
234 list_add_tail_rcu(&entry->list,
235 &tomoyo_globally_readable_list);
236 error = 0;
237 }
238 }
239 mutex_unlock(&tomoyo_policy_lock);
240 out:
241 tomoyo_put_name(e.filename);
242 return error;
243 }
244
245 /**
246 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
247 *
248 * @filename: The filename to check.
249 *
250 * Returns true if any domain can open @filename for reading, false otherwise.
251 *
252 * Caller holds tomoyo_read_lock().
253 */
254 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
255 filename)
256 {
257 struct tomoyo_globally_readable_file_entry *ptr;
258 bool found = false;
259
260 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
261 if (!ptr->is_deleted &&
262 tomoyo_path_matches_pattern(filename, ptr->filename)) {
263 found = true;
264 break;
265 }
266 }
267 return found;
268 }
269
270 /**
271 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
272 *
273 * @data: String to parse.
274 * @is_delete: True if it is a delete request.
275 *
276 * Returns 0 on success, negative value otherwise.
277 *
278 * Caller holds tomoyo_read_lock().
279 */
280 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
281 {
282 return tomoyo_update_globally_readable_entry(data, is_delete);
283 }
284
285 /**
286 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
287 *
288 * @head: Pointer to "struct tomoyo_io_buffer".
289 *
290 * Returns true on success, false otherwise.
291 *
292 * Caller holds tomoyo_read_lock().
293 */
294 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
295 {
296 struct list_head *pos;
297 bool done = true;
298
299 list_for_each_cookie(pos, head->read_var2,
300 &tomoyo_globally_readable_list) {
301 struct tomoyo_globally_readable_file_entry *ptr;
302 ptr = list_entry(pos,
303 struct tomoyo_globally_readable_file_entry,
304 list);
305 if (ptr->is_deleted)
306 continue;
307 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
308 ptr->filename->name);
309 if (!done)
310 break;
311 }
312 return done;
313 }
314
315 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
316 * converting pathnames to pathname patterns during learning mode.
317 *
318 * An entry is added by
319 *
320 * # echo 'file_pattern /proc/\$/mounts' > \
321 * /sys/kernel/security/tomoyo/exception_policy
322 *
323 * and is deleted by
324 *
325 * # echo 'delete file_pattern /proc/\$/mounts' > \
326 * /sys/kernel/security/tomoyo/exception_policy
327 *
328 * and all entries are retrieved by
329 *
330 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
331 *
332 * In the example above, if a process which belongs to a domain which is in
333 * learning mode requested open("/proc/1/mounts", O_RDONLY),
334 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
335 * process belongs to.
336 *
337 * It is not a desirable behavior that we have to use /proc/\$/ instead of
338 * /proc/self/ when current process needs to access only current process's
339 * information. As of now, LSM version of TOMOYO is using __d_path() for
340 * calculating pathname. Non LSM version of TOMOYO is using its own function
341 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
342 * current process from accessing other process's information.
343 */
344 LIST_HEAD(tomoyo_pattern_list);
345
346 /**
347 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
348 *
349 * @pattern: Pathname pattern.
350 * @is_delete: True if it is a delete request.
351 *
352 * Returns 0 on success, negative value otherwise.
353 *
354 * Caller holds tomoyo_read_lock().
355 */
356 static int tomoyo_update_file_pattern_entry(const char *pattern,
357 const bool is_delete)
358 {
359 struct tomoyo_pattern_entry *ptr;
360 struct tomoyo_pattern_entry e = { .pattern = tomoyo_get_name(pattern) };
361 int error = is_delete ? -ENOENT : -ENOMEM;
362
363 if (!e.pattern)
364 return error;
365 if (!e.pattern->is_patterned)
366 goto out;
367 if (mutex_lock_interruptible(&tomoyo_policy_lock))
368 goto out;
369 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
370 if (e.pattern != ptr->pattern)
371 continue;
372 ptr->is_deleted = is_delete;
373 error = 0;
374 break;
375 }
376 if (!is_delete && error) {
377 struct tomoyo_pattern_entry *entry =
378 tomoyo_commit_ok(&e, sizeof(e));
379 if (entry) {
380 list_add_tail_rcu(&entry->list, &tomoyo_pattern_list);
381 error = 0;
382 }
383 }
384 mutex_unlock(&tomoyo_policy_lock);
385 out:
386 tomoyo_put_name(e.pattern);
387 return error;
388 }
389
390 /**
391 * tomoyo_get_file_pattern - Get patterned pathname.
392 *
393 * @filename: The filename to find patterned pathname.
394 *
395 * Returns pointer to pathname pattern if matched, @filename otherwise.
396 *
397 * Caller holds tomoyo_read_lock().
398 */
399 static const struct tomoyo_path_info *
400 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
401 {
402 struct tomoyo_pattern_entry *ptr;
403 const struct tomoyo_path_info *pattern = NULL;
404
405 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
406 if (ptr->is_deleted)
407 continue;
408 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
409 continue;
410 pattern = ptr->pattern;
411 if (tomoyo_strendswith(pattern->name, "/\\*")) {
412 /* Do nothing. Try to find the better match. */
413 } else {
414 /* This would be the better match. Use this. */
415 break;
416 }
417 }
418 if (pattern)
419 filename = pattern;
420 return filename;
421 }
422
423 /**
424 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
425 *
426 * @data: String to parse.
427 * @is_delete: True if it is a delete request.
428 *
429 * Returns 0 on success, negative value otherwise.
430 *
431 * Caller holds tomoyo_read_lock().
432 */
433 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
434 {
435 return tomoyo_update_file_pattern_entry(data, is_delete);
436 }
437
438 /**
439 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
440 *
441 * @head: Pointer to "struct tomoyo_io_buffer".
442 *
443 * Returns true on success, false otherwise.
444 *
445 * Caller holds tomoyo_read_lock().
446 */
447 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
448 {
449 struct list_head *pos;
450 bool done = true;
451
452 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
453 struct tomoyo_pattern_entry *ptr;
454 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
455 if (ptr->is_deleted)
456 continue;
457 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
458 "%s\n", ptr->pattern->name);
459 if (!done)
460 break;
461 }
462 return done;
463 }
464
465 /*
466 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
467 * default forbidden to modify already written content of a file.
468 *
469 * An entry is added by
470 *
471 * # echo 'deny_rewrite /var/log/messages' > \
472 * /sys/kernel/security/tomoyo/exception_policy
473 *
474 * and is deleted by
475 *
476 * # echo 'delete deny_rewrite /var/log/messages' > \
477 * /sys/kernel/security/tomoyo/exception_policy
478 *
479 * and all entries are retrieved by
480 *
481 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
482 *
483 * In the example above, if a process requested to rewrite /var/log/messages ,
484 * the process can't rewrite unless the domain which that process belongs to
485 * has "allow_rewrite /var/log/messages" entry.
486 *
487 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
488 * when we want to allow rewriting already unlink()ed file. As of now,
489 * LSM version of TOMOYO is using __d_path() for calculating pathname.
490 * Non LSM version of TOMOYO is using its own function which doesn't append
491 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
492 * need to worry whether the file is already unlink()ed or not.
493 */
494 LIST_HEAD(tomoyo_no_rewrite_list);
495
496 /**
497 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
498 *
499 * @pattern: Pathname pattern that are not rewritable by default.
500 * @is_delete: True if it is a delete request.
501 *
502 * Returns 0 on success, negative value otherwise.
503 *
504 * Caller holds tomoyo_read_lock().
505 */
506 static int tomoyo_update_no_rewrite_entry(const char *pattern,
507 const bool is_delete)
508 {
509 struct tomoyo_no_rewrite_entry *ptr;
510 struct tomoyo_no_rewrite_entry e = { };
511 int error = is_delete ? -ENOENT : -ENOMEM;
512
513 if (!tomoyo_is_correct_path(pattern, 0, 0, 0))
514 return -EINVAL;
515 e.pattern = tomoyo_get_name(pattern);
516 if (!e.pattern)
517 return error;
518 if (mutex_lock_interruptible(&tomoyo_policy_lock))
519 goto out;
520 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
521 if (ptr->pattern != e.pattern)
522 continue;
523 ptr->is_deleted = is_delete;
524 error = 0;
525 break;
526 }
527 if (!is_delete && error) {
528 struct tomoyo_no_rewrite_entry *entry =
529 tomoyo_commit_ok(&e, sizeof(e));
530 if (entry) {
531 list_add_tail_rcu(&entry->list,
532 &tomoyo_no_rewrite_list);
533 error = 0;
534 }
535 }
536 mutex_unlock(&tomoyo_policy_lock);
537 out:
538 tomoyo_put_name(e.pattern);
539 return error;
540 }
541
542 /**
543 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
544 *
545 * @filename: Filename to check.
546 *
547 * Returns true if @filename is specified by "deny_rewrite" directive,
548 * false otherwise.
549 *
550 * Caller holds tomoyo_read_lock().
551 */
552 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
553 {
554 struct tomoyo_no_rewrite_entry *ptr;
555 bool found = false;
556
557 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
558 if (ptr->is_deleted)
559 continue;
560 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
561 continue;
562 found = true;
563 break;
564 }
565 return found;
566 }
567
568 /**
569 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
570 *
571 * @data: String to parse.
572 * @is_delete: True if it is a delete request.
573 *
574 * Returns 0 on success, negative value otherwise.
575 *
576 * Caller holds tomoyo_read_lock().
577 */
578 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
579 {
580 return tomoyo_update_no_rewrite_entry(data, is_delete);
581 }
582
583 /**
584 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
585 *
586 * @head: Pointer to "struct tomoyo_io_buffer".
587 *
588 * Returns true on success, false otherwise.
589 *
590 * Caller holds tomoyo_read_lock().
591 */
592 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
593 {
594 struct list_head *pos;
595 bool done = true;
596
597 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
598 struct tomoyo_no_rewrite_entry *ptr;
599 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
600 if (ptr->is_deleted)
601 continue;
602 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
603 "%s\n", ptr->pattern->name);
604 if (!done)
605 break;
606 }
607 return done;
608 }
609
610 /**
611 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
612 *
613 * @filename: Filename.
614 * @perm: Permission (between 1 to 7).
615 * @domain: Pointer to "struct tomoyo_domain_info".
616 * @is_delete: True if it is a delete request.
617 *
618 * Returns 0 on success, negative value otherwise.
619 *
620 * This is legacy support interface for older policy syntax.
621 * Current policy syntax uses "allow_read/write" instead of "6",
622 * "allow_read" instead of "4", "allow_write" instead of "2",
623 * "allow_execute" instead of "1".
624 *
625 * Caller holds tomoyo_read_lock().
626 */
627 static int tomoyo_update_file_acl(const char *filename, u8 perm,
628 struct tomoyo_domain_info * const domain,
629 const bool is_delete)
630 {
631 if (perm > 7 || !perm) {
632 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
633 __func__, perm, filename);
634 return -EINVAL;
635 }
636 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
637 /*
638 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
639 * directory permissions.
640 */
641 return 0;
642 if (perm & 4)
643 tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain,
644 is_delete);
645 if (perm & 2)
646 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain,
647 is_delete);
648 if (perm & 1)
649 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain,
650 is_delete);
651 return 0;
652 }
653
654 /**
655 * tomoyo_path_acl2 - Check permission for single path operation.
656 *
657 * @domain: Pointer to "struct tomoyo_domain_info".
658 * @filename: Filename to check.
659 * @perm: Permission.
660 * @may_use_pattern: True if patterned ACL is permitted.
661 *
662 * Returns 0 on success, -EPERM otherwise.
663 *
664 * Caller holds tomoyo_read_lock().
665 */
666 static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain,
667 const struct tomoyo_path_info *filename,
668 const u32 perm, const bool may_use_pattern)
669 {
670 struct tomoyo_acl_info *ptr;
671 int error = -EPERM;
672
673 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
674 struct tomoyo_path_acl *acl;
675 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
676 continue;
677 acl = container_of(ptr, struct tomoyo_path_acl, head);
678 if (perm <= 0xFFFF) {
679 if (!(acl->perm & perm))
680 continue;
681 } else {
682 if (!(acl->perm_high & (perm >> 16)))
683 continue;
684 }
685 if (!tomoyo_compare_name_union_pattern(filename, &acl->name,
686 may_use_pattern))
687 continue;
688 error = 0;
689 break;
690 }
691 return error;
692 }
693
694 /**
695 * tomoyo_check_file_acl - Check permission for opening files.
696 *
697 * @domain: Pointer to "struct tomoyo_domain_info".
698 * @filename: Filename to check.
699 * @operation: Mode ("read" or "write" or "read/write" or "execute").
700 *
701 * Returns 0 on success, -EPERM otherwise.
702 *
703 * Caller holds tomoyo_read_lock().
704 */
705 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
706 const struct tomoyo_path_info *filename,
707 const u8 operation)
708 {
709 u32 perm = 0;
710
711 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
712 return 0;
713 if (operation == 6)
714 perm = 1 << TOMOYO_TYPE_READ_WRITE;
715 else if (operation == 4)
716 perm = 1 << TOMOYO_TYPE_READ;
717 else if (operation == 2)
718 perm = 1 << TOMOYO_TYPE_WRITE;
719 else if (operation == 1)
720 perm = 1 << TOMOYO_TYPE_EXECUTE;
721 else
722 BUG();
723 return tomoyo_path_acl2(domain, filename, perm, operation != 1);
724 }
725
726 /**
727 * tomoyo_check_file_perm2 - Check permission for opening files.
728 *
729 * @domain: Pointer to "struct tomoyo_domain_info".
730 * @filename: Filename to check.
731 * @perm: Mode ("read" or "write" or "read/write" or "execute").
732 * @operation: Operation name passed used for verbose mode.
733 * @mode: Access control mode.
734 *
735 * Returns 0 on success, negative value otherwise.
736 *
737 * Caller holds tomoyo_read_lock().
738 */
739 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
740 const struct tomoyo_path_info *filename,
741 const u8 perm, const char *operation,
742 const u8 mode)
743 {
744 const bool is_enforce = (mode == 3);
745 const char *msg = "<unknown>";
746 int error = 0;
747
748 if (!filename)
749 return 0;
750 error = tomoyo_check_file_acl(domain, filename, perm);
751 if (error && perm == 4 && !domain->ignore_global_allow_read
752 && tomoyo_is_globally_readable_file(filename))
753 error = 0;
754 if (perm == 6)
755 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
756 else if (perm == 4)
757 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
758 else if (perm == 2)
759 msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
760 else if (perm == 1)
761 msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
762 else
763 BUG();
764 if (!error)
765 return 0;
766 if (tomoyo_verbose_mode(domain))
767 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied "
768 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation,
769 filename->name, tomoyo_get_last_name(domain));
770 if (is_enforce)
771 return error;
772 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
773 /* Don't use patterns for execute permission. */
774 const struct tomoyo_path_info *patterned_file = (perm != 1) ?
775 tomoyo_get_file_pattern(filename) : filename;
776 tomoyo_update_file_acl(patterned_file->name, perm,
777 domain, false);
778 }
779 return 0;
780 }
781
782 /**
783 * tomoyo_write_file_policy - Update file related list.
784 *
785 * @data: String to parse.
786 * @domain: Pointer to "struct tomoyo_domain_info".
787 * @is_delete: True if it is a delete request.
788 *
789 * Returns 0 on success, negative value otherwise.
790 *
791 * Caller holds tomoyo_read_lock().
792 */
793 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
794 const bool is_delete)
795 {
796 char *filename = strchr(data, ' ');
797 char *filename2;
798 unsigned int perm;
799 u8 type;
800
801 if (!filename)
802 return -EINVAL;
803 *filename++ = '\0';
804 if (sscanf(data, "%u", &perm) == 1)
805 return tomoyo_update_file_acl(filename, (u8) perm, domain,
806 is_delete);
807 if (strncmp(data, "allow_", 6))
808 goto out;
809 data += 6;
810 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) {
811 if (strcmp(data, tomoyo_path_keyword[type]))
812 continue;
813 return tomoyo_update_path_acl(type, filename, domain,
814 is_delete);
815 }
816 filename2 = strchr(filename, ' ');
817 if (!filename2)
818 goto out;
819 *filename2++ = '\0';
820 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) {
821 if (strcmp(data, tomoyo_path2_keyword[type]))
822 continue;
823 return tomoyo_update_path2_acl(type, filename, filename2,
824 domain, is_delete);
825 }
826 out:
827 return -EINVAL;
828 }
829
830 /**
831 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
832 *
833 * @type: Type of operation.
834 * @filename: Filename.
835 * @domain: Pointer to "struct tomoyo_domain_info".
836 * @is_delete: True if it is a delete request.
837 *
838 * Returns 0 on success, negative value otherwise.
839 *
840 * Caller holds tomoyo_read_lock().
841 */
842 static int tomoyo_update_path_acl(const u8 type, const char *filename,
843 struct tomoyo_domain_info *const domain,
844 const bool is_delete)
845 {
846 static const u32 tomoyo_rw_mask =
847 (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE);
848 const u32 perm = 1 << type;
849 struct tomoyo_acl_info *ptr;
850 struct tomoyo_path_acl e = {
851 .head.type = TOMOYO_TYPE_PATH_ACL,
852 .perm_high = perm >> 16,
853 .perm = perm
854 };
855 int error = is_delete ? -ENOENT : -ENOMEM;
856
857 if (type == TOMOYO_TYPE_READ_WRITE)
858 e.perm |= tomoyo_rw_mask;
859 if (!domain)
860 return -EINVAL;
861 if (!tomoyo_parse_name_union(filename, &e.name))
862 return -EINVAL;
863 if (mutex_lock_interruptible(&tomoyo_policy_lock))
864 goto out;
865 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
866 struct tomoyo_path_acl *acl =
867 container_of(ptr, struct tomoyo_path_acl, head);
868 if (!tomoyo_is_same_path_acl(acl, &e))
869 continue;
870 if (is_delete) {
871 if (perm <= 0xFFFF)
872 acl->perm &= ~perm;
873 else
874 acl->perm_high &= ~(perm >> 16);
875 if ((acl->perm & tomoyo_rw_mask) != tomoyo_rw_mask)
876 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE);
877 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)))
878 acl->perm &= ~tomoyo_rw_mask;
879 } else {
880 if (perm <= 0xFFFF)
881 acl->perm |= perm;
882 else
883 acl->perm_high |= (perm >> 16);
884 if ((acl->perm & tomoyo_rw_mask) == tomoyo_rw_mask)
885 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE;
886 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))
887 acl->perm |= tomoyo_rw_mask;
888 }
889 error = 0;
890 break;
891 }
892 if (!is_delete && error) {
893 struct tomoyo_path_acl *entry =
894 tomoyo_commit_ok(&e, sizeof(e));
895 if (entry) {
896 list_add_tail_rcu(&entry->head.list,
897 &domain->acl_info_list);
898 error = 0;
899 }
900 }
901 mutex_unlock(&tomoyo_policy_lock);
902 out:
903 tomoyo_put_name_union(&e.name);
904 return error;
905 }
906
907 /**
908 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
909 *
910 * @type: Type of operation.
911 * @filename1: First filename.
912 * @filename2: Second filename.
913 * @domain: Pointer to "struct tomoyo_domain_info".
914 * @is_delete: True if it is a delete request.
915 *
916 * Returns 0 on success, negative value otherwise.
917 *
918 * Caller holds tomoyo_read_lock().
919 */
920 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
921 const char *filename2,
922 struct tomoyo_domain_info *const domain,
923 const bool is_delete)
924 {
925 const u8 perm = 1 << type;
926 struct tomoyo_path2_acl e = {
927 .head.type = TOMOYO_TYPE_PATH2_ACL,
928 .perm = perm
929 };
930 struct tomoyo_acl_info *ptr;
931 int error = is_delete ? -ENOENT : -ENOMEM;
932
933 if (!domain)
934 return -EINVAL;
935 if (!tomoyo_parse_name_union(filename1, &e.name1) ||
936 !tomoyo_parse_name_union(filename2, &e.name2))
937 goto out;
938 if (mutex_lock_interruptible(&tomoyo_policy_lock))
939 goto out;
940 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
941 struct tomoyo_path2_acl *acl =
942 container_of(ptr, struct tomoyo_path2_acl, head);
943 if (!tomoyo_is_same_path2_acl(acl, &e))
944 continue;
945 if (is_delete)
946 acl->perm &= ~perm;
947 else
948 acl->perm |= perm;
949 error = 0;
950 break;
951 }
952 if (!is_delete && error) {
953 struct tomoyo_path2_acl *entry =
954 tomoyo_commit_ok(&e, sizeof(e));
955 if (entry) {
956 list_add_tail_rcu(&entry->head.list,
957 &domain->acl_info_list);
958 error = 0;
959 }
960 }
961 mutex_unlock(&tomoyo_policy_lock);
962 out:
963 tomoyo_put_name_union(&e.name1);
964 tomoyo_put_name_union(&e.name2);
965 return error;
966 }
967
968 /**
969 * tomoyo_path_acl - Check permission for single path operation.
970 *
971 * @domain: Pointer to "struct tomoyo_domain_info".
972 * @type: Type of operation.
973 * @filename: Filename to check.
974 *
975 * Returns 0 on success, negative value otherwise.
976 *
977 * Caller holds tomoyo_read_lock().
978 */
979 static int tomoyo_path_acl(struct tomoyo_domain_info *domain, const u8 type,
980 const struct tomoyo_path_info *filename)
981 {
982 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
983 return 0;
984 return tomoyo_path_acl2(domain, filename, 1 << type, 1);
985 }
986
987 /**
988 * tomoyo_path2_acl - Check permission for double path operation.
989 *
990 * @domain: Pointer to "struct tomoyo_domain_info".
991 * @type: Type of operation.
992 * @filename1: First filename to check.
993 * @filename2: Second filename to check.
994 *
995 * Returns 0 on success, -EPERM otherwise.
996 *
997 * Caller holds tomoyo_read_lock().
998 */
999 static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain,
1000 const u8 type,
1001 const struct tomoyo_path_info *filename1,
1002 const struct tomoyo_path_info *filename2)
1003 {
1004 struct tomoyo_acl_info *ptr;
1005 const u8 perm = 1 << type;
1006 int error = -EPERM;
1007
1008 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1009 return 0;
1010 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1011 struct tomoyo_path2_acl *acl;
1012 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
1013 continue;
1014 acl = container_of(ptr, struct tomoyo_path2_acl, head);
1015 if (!(acl->perm & perm))
1016 continue;
1017 if (!tomoyo_compare_name_union(filename1, &acl->name1))
1018 continue;
1019 if (!tomoyo_compare_name_union(filename2, &acl->name2))
1020 continue;
1021 error = 0;
1022 break;
1023 }
1024 return error;
1025 }
1026
1027 /**
1028 * tomoyo_path_permission2 - Check permission for single path operation.
1029 *
1030 * @domain: Pointer to "struct tomoyo_domain_info".
1031 * @operation: Type of operation.
1032 * @filename: Filename to check.
1033 * @mode: Access control mode.
1034 *
1035 * Returns 0 on success, negative value otherwise.
1036 *
1037 * Caller holds tomoyo_read_lock().
1038 */
1039 static int tomoyo_path_permission2(struct tomoyo_domain_info *const domain,
1040 u8 operation,
1041 const struct tomoyo_path_info *filename,
1042 const u8 mode)
1043 {
1044 const char *msg;
1045 int error;
1046 const bool is_enforce = (mode == 3);
1047
1048 if (!mode)
1049 return 0;
1050 next:
1051 error = tomoyo_path_acl(domain, operation, filename);
1052 msg = tomoyo_path2keyword(operation);
1053 if (!error)
1054 goto ok;
1055 if (tomoyo_verbose_mode(domain))
1056 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n",
1057 tomoyo_get_msg(is_enforce), msg, filename->name,
1058 tomoyo_get_last_name(domain));
1059 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1060 const char *name = tomoyo_get_file_pattern(filename)->name;
1061 tomoyo_update_path_acl(operation, name, domain, false);
1062 }
1063 if (!is_enforce)
1064 error = 0;
1065 ok:
1066 /*
1067 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1068 * we need to check "allow_rewrite" permission if the filename is
1069 * specified by "deny_rewrite" keyword.
1070 */
1071 if (!error && operation == TOMOYO_TYPE_TRUNCATE &&
1072 tomoyo_is_no_rewrite_file(filename)) {
1073 operation = TOMOYO_TYPE_REWRITE;
1074 goto next;
1075 }
1076 return error;
1077 }
1078
1079 /**
1080 * tomoyo_check_exec_perm - Check permission for "execute".
1081 *
1082 * @domain: Pointer to "struct tomoyo_domain_info".
1083 * @filename: Check permission for "execute".
1084 *
1085 * Returns 0 on success, negativevalue otherwise.
1086 *
1087 * Caller holds tomoyo_read_lock().
1088 */
1089 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1090 const struct tomoyo_path_info *filename)
1091 {
1092 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1093
1094 if (!mode)
1095 return 0;
1096 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode);
1097 }
1098
1099 /**
1100 * tomoyo_check_open_permission - Check permission for "read" and "write".
1101 *
1102 * @domain: Pointer to "struct tomoyo_domain_info".
1103 * @path: Pointer to "struct path".
1104 * @flag: Flags for open().
1105 *
1106 * Returns 0 on success, negative value otherwise.
1107 */
1108 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1109 struct path *path, const int flag)
1110 {
1111 const u8 acc_mode = ACC_MODE(flag);
1112 int error = -ENOMEM;
1113 struct tomoyo_path_info *buf;
1114 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1115 const bool is_enforce = (mode == 3);
1116 int idx;
1117
1118 if (!mode || !path->mnt)
1119 return 0;
1120 if (acc_mode == 0)
1121 return 0;
1122 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1123 /*
1124 * I don't check directories here because mkdir() and rmdir()
1125 * don't call me.
1126 */
1127 return 0;
1128 idx = tomoyo_read_lock();
1129 buf = tomoyo_get_path(path);
1130 if (!buf)
1131 goto out;
1132 error = 0;
1133 /*
1134 * If the filename is specified by "deny_rewrite" keyword,
1135 * we need to check "allow_rewrite" permission when the filename is not
1136 * opened for append mode or the filename is truncated at open time.
1137 */
1138 if ((acc_mode & MAY_WRITE) &&
1139 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1140 (tomoyo_is_no_rewrite_file(buf))) {
1141 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE,
1142 buf, mode);
1143 }
1144 if (!error)
1145 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1146 mode);
1147 if (!error && (flag & O_TRUNC))
1148 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_TRUNCATE,
1149 buf, mode);
1150 out:
1151 kfree(buf);
1152 tomoyo_read_unlock(idx);
1153 if (!is_enforce)
1154 error = 0;
1155 return error;
1156 }
1157
1158 /**
1159 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1160 *
1161 * @operation: Type of operation.
1162 * @path: Pointer to "struct path".
1163 *
1164 * Returns 0 on success, negative value otherwise.
1165 */
1166 int tomoyo_path_perm(const u8 operation, struct path *path)
1167 {
1168 int error = -ENOMEM;
1169 struct tomoyo_path_info *buf;
1170 struct tomoyo_domain_info *domain = tomoyo_domain();
1171 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1172 const bool is_enforce = (mode == 3);
1173 int idx;
1174
1175 if (!mode || !path->mnt)
1176 return 0;
1177 idx = tomoyo_read_lock();
1178 buf = tomoyo_get_path(path);
1179 if (!buf)
1180 goto out;
1181 switch (operation) {
1182 case TOMOYO_TYPE_MKDIR:
1183 case TOMOYO_TYPE_RMDIR:
1184 case TOMOYO_TYPE_CHROOT:
1185 if (!buf->is_dir) {
1186 /*
1187 * tomoyo_get_path() reserves space for appending "/."
1188 */
1189 strcat((char *) buf->name, "/");
1190 tomoyo_fill_path_info(buf);
1191 }
1192 }
1193 error = tomoyo_path_permission2(domain, operation, buf, mode);
1194 out:
1195 kfree(buf);
1196 tomoyo_read_unlock(idx);
1197 if (!is_enforce)
1198 error = 0;
1199 return error;
1200 }
1201
1202 /**
1203 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1204 *
1205 * @filp: Pointer to "struct file".
1206 *
1207 * Returns 0 on success, negative value otherwise.
1208 */
1209 int tomoyo_check_rewrite_permission(struct file *filp)
1210 {
1211 int error = -ENOMEM;
1212 struct tomoyo_domain_info *domain = tomoyo_domain();
1213 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1214 const bool is_enforce = (mode == 3);
1215 struct tomoyo_path_info *buf;
1216 int idx;
1217
1218 if (!mode || !filp->f_path.mnt)
1219 return 0;
1220
1221 idx = tomoyo_read_lock();
1222 buf = tomoyo_get_path(&filp->f_path);
1223 if (!buf)
1224 goto out;
1225 if (!tomoyo_is_no_rewrite_file(buf)) {
1226 error = 0;
1227 goto out;
1228 }
1229 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, buf, mode);
1230 out:
1231 kfree(buf);
1232 tomoyo_read_unlock(idx);
1233 if (!is_enforce)
1234 error = 0;
1235 return error;
1236 }
1237
1238 /**
1239 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1240 *
1241 * @operation: Type of operation.
1242 * @path1: Pointer to "struct path".
1243 * @path2: Pointer to "struct path".
1244 *
1245 * Returns 0 on success, negative value otherwise.
1246 */
1247 int tomoyo_path2_perm(const u8 operation, struct path *path1,
1248 struct path *path2)
1249 {
1250 int error = -ENOMEM;
1251 struct tomoyo_path_info *buf1, *buf2;
1252 struct tomoyo_domain_info *domain = tomoyo_domain();
1253 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1254 const bool is_enforce = (mode == 3);
1255 const char *msg;
1256 int idx;
1257
1258 if (!mode || !path1->mnt || !path2->mnt)
1259 return 0;
1260 idx = tomoyo_read_lock();
1261 buf1 = tomoyo_get_path(path1);
1262 buf2 = tomoyo_get_path(path2);
1263 if (!buf1 || !buf2)
1264 goto out;
1265 {
1266 struct dentry *dentry = path1->dentry;
1267 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1268 /*
1269 * tomoyo_get_path() reserves space for appending "/."
1270 */
1271 if (!buf1->is_dir) {
1272 strcat((char *) buf1->name, "/");
1273 tomoyo_fill_path_info(buf1);
1274 }
1275 if (!buf2->is_dir) {
1276 strcat((char *) buf2->name, "/");
1277 tomoyo_fill_path_info(buf2);
1278 }
1279 }
1280 }
1281 error = tomoyo_path2_acl(domain, operation, buf1, buf2);
1282 msg = tomoyo_path22keyword(operation);
1283 if (!error)
1284 goto out;
1285 if (tomoyo_verbose_mode(domain))
1286 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' "
1287 "denied for %s\n", tomoyo_get_msg(is_enforce),
1288 msg, buf1->name, buf2->name,
1289 tomoyo_get_last_name(domain));
1290 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1291 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1292 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1293 tomoyo_update_path2_acl(operation, name1, name2, domain,
1294 false);
1295 }
1296 out:
1297 kfree(buf1);
1298 kfree(buf2);
1299 tomoyo_read_unlock(idx);
1300 if (!is_enforce)
1301 error = 0;
1302 return error;
1303 }
kernel-based virtual machine