search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
TOMOYO: Remove usage counter for temporary memory.
[linux-2.6/libata-dev.git] / security / tomoyo / file.c
blob24af081f1af907bfdf796c578a0f045774592802
1 /*
2 * security/tomoyo/file.c
3 *
4 * Implementation of the Domain-Based Mandatory Access Control.
5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 *
8 * Version: 2.2.0 2009/04/01
9 *
10 */
11
12 #include "common.h"
13 #include "tomoyo.h"
14 #include "realpath.h"
15
16 /*
17 * tomoyo_globally_readable_file_entry is a structure which is used for holding
18 * "allow_read" entries.
19 * It has following fields.
20 *
21 * (1) "list" which is linked to tomoyo_globally_readable_list .
22 * (2) "filename" is a pathname which is allowed to open(O_RDONLY).
23 * (3) "is_deleted" is a bool which is true if marked as deleted, false
24 * otherwise.
25 */
26 struct tomoyo_globally_readable_file_entry {
27 struct list_head list;
28 const struct tomoyo_path_info *filename;
29 bool is_deleted;
30 };
31
32 /*
33 * tomoyo_pattern_entry is a structure which is used for holding
34 * "tomoyo_pattern_list" entries.
35 * It has following fields.
36 *
37 * (1) "list" which is linked to tomoyo_pattern_list .
38 * (2) "pattern" is a pathname pattern which is used for converting pathnames
39 * to pathname patterns during learning mode.
40 * (3) "is_deleted" is a bool which is true if marked as deleted, false
41 * otherwise.
42 */
43 struct tomoyo_pattern_entry {
44 struct list_head list;
45 const struct tomoyo_path_info *pattern;
46 bool is_deleted;
47 };
48
49 /*
50 * tomoyo_no_rewrite_entry is a structure which is used for holding
51 * "deny_rewrite" entries.
52 * It has following fields.
53 *
54 * (1) "list" which is linked to tomoyo_no_rewrite_list .
55 * (2) "pattern" is a pathname which is by default not permitted to modify
56 * already existing content.
57 * (3) "is_deleted" is a bool which is true if marked as deleted, false
58 * otherwise.
59 */
60 struct tomoyo_no_rewrite_entry {
61 struct list_head list;
62 const struct tomoyo_path_info *pattern;
63 bool is_deleted;
64 };
65
66 /* Keyword array for single path operations. */
67 static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = {
68 [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write",
69 [TOMOYO_TYPE_EXECUTE_ACL] = "execute",
70 [TOMOYO_TYPE_READ_ACL] = "read",
71 [TOMOYO_TYPE_WRITE_ACL] = "write",
72 [TOMOYO_TYPE_CREATE_ACL] = "create",
73 [TOMOYO_TYPE_UNLINK_ACL] = "unlink",
74 [TOMOYO_TYPE_MKDIR_ACL] = "mkdir",
75 [TOMOYO_TYPE_RMDIR_ACL] = "rmdir",
76 [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo",
77 [TOMOYO_TYPE_MKSOCK_ACL] = "mksock",
78 [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock",
79 [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar",
80 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate",
81 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink",
82 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite",
83 [TOMOYO_TYPE_IOCTL_ACL] = "ioctl",
84 [TOMOYO_TYPE_CHMOD_ACL] = "chmod",
85 [TOMOYO_TYPE_CHOWN_ACL] = "chown",
86 [TOMOYO_TYPE_CHGRP_ACL] = "chgrp",
87 [TOMOYO_TYPE_CHROOT_ACL] = "chroot",
88 [TOMOYO_TYPE_MOUNT_ACL] = "mount",
89 [TOMOYO_TYPE_UMOUNT_ACL] = "unmount",
90 };
91
92 /* Keyword array for double path operations. */
93 static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = {
94 [TOMOYO_TYPE_LINK_ACL] = "link",
95 [TOMOYO_TYPE_RENAME_ACL] = "rename",
96 [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root",
97 };
98
99 /**
100 * tomoyo_sp2keyword - Get the name of single path operation.
101 *
102 * @operation: Type of operation.
103 *
104 * Returns the name of single path operation.
105 */
106 const char *tomoyo_sp2keyword(const u8 operation)
107 {
108 return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION)
109 ? tomoyo_sp_keyword[operation] : NULL;
110 }
111
112 /**
113 * tomoyo_dp2keyword - Get the name of double path operation.
114 *
115 * @operation: Type of operation.
116 *
117 * Returns the name of double path operation.
118 */
119 const char *tomoyo_dp2keyword(const u8 operation)
120 {
121 return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION)
122 ? tomoyo_dp_keyword[operation] : NULL;
123 }
124
125 /**
126 * tomoyo_strendswith - Check whether the token ends with the given token.
127 *
128 * @name: The token to check.
129 * @tail: The token to find.
130 *
131 * Returns true if @name ends with @tail, false otherwise.
132 */
133 static bool tomoyo_strendswith(const char *name, const char *tail)
134 {
135 int len;
136
137 if (!name || !tail)
138 return false;
139 len = strlen(name) - strlen(tail);
140 return len >= 0 && !strcmp(name + len, tail);
141 }
142
143 /**
144 * tomoyo_get_path - Get realpath.
145 *
146 * @path: Pointer to "struct path".
147 *
148 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
149 */
150 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
151 {
152 int error;
153 struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf),
154 GFP_KERNEL);
155
156 if (!buf)
157 return NULL;
158 /* Reserve one byte for appending "/". */
159 error = tomoyo_realpath_from_path2(path, buf->body,
160 sizeof(buf->body) - 2);
161 if (!error) {
162 buf->head.name = buf->body;
163 tomoyo_fill_path_info(&buf->head);
164 return &buf->head;
165 }
166 kfree(buf);
167 return NULL;
168 }
169
170 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
171 const char *filename2,
172 struct tomoyo_domain_info *
173 const domain, const bool is_delete);
174 static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
175 struct tomoyo_domain_info *
176 const domain, const bool is_delete);
177
178 /*
179 * tomoyo_globally_readable_list is used for holding list of pathnames which
180 * are by default allowed to be open()ed for reading by any process.
181 *
182 * An entry is added by
183 *
184 * # echo 'allow_read /lib/libc-2.5.so' > \
185 * /sys/kernel/security/tomoyo/exception_policy
186 *
187 * and is deleted by
188 *
189 * # echo 'delete allow_read /lib/libc-2.5.so' > \
190 * /sys/kernel/security/tomoyo/exception_policy
191 *
192 * and all entries are retrieved by
193 *
194 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
195 *
196 * In the example above, any process is allowed to
197 * open("/lib/libc-2.5.so", O_RDONLY).
198 * One exception is, if the domain which current process belongs to is marked
199 * as "ignore_global_allow_read", current process can't do so unless explicitly
200 * given "allow_read /lib/libc-2.5.so" to the domain which current process
201 * belongs to.
202 */
203 static LIST_HEAD(tomoyo_globally_readable_list);
204
205 /**
206 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
207 *
208 * @filename: Filename unconditionally permitted to open() for reading.
209 * @is_delete: True if it is a delete request.
210 *
211 * Returns 0 on success, negative value otherwise.
212 *
213 * Caller holds tomoyo_read_lock().
214 */
215 static int tomoyo_update_globally_readable_entry(const char *filename,
216 const bool is_delete)
217 {
218 struct tomoyo_globally_readable_file_entry *new_entry;
219 struct tomoyo_globally_readable_file_entry *ptr;
220 const struct tomoyo_path_info *saved_filename;
221 int error = -ENOMEM;
222
223 if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__))
224 return -EINVAL;
225 saved_filename = tomoyo_save_name(filename);
226 if (!saved_filename)
227 return -ENOMEM;
228 new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL);
229 mutex_lock(&tomoyo_policy_lock);
230 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
231 if (ptr->filename != saved_filename)
232 continue;
233 ptr->is_deleted = is_delete;
234 error = 0;
235 goto out;
236 }
237 if (is_delete) {
238 error = -ENOENT;
239 goto out;
240 }
241 if (!tomoyo_memory_ok(new_entry))
242 goto out;
243 new_entry->filename = saved_filename;
244 list_add_tail_rcu(&new_entry->list, &tomoyo_globally_readable_list);
245 new_entry = NULL;
246 error = 0;
247 out:
248 mutex_unlock(&tomoyo_policy_lock);
249 kfree(new_entry);
250 return error;
251 }
252
253 /**
254 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
255 *
256 * @filename: The filename to check.
257 *
258 * Returns true if any domain can open @filename for reading, false otherwise.
259 *
260 * Caller holds tomoyo_read_lock().
261 */
262 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
263 filename)
264 {
265 struct tomoyo_globally_readable_file_entry *ptr;
266 bool found = false;
267
268 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
269 if (!ptr->is_deleted &&
270 tomoyo_path_matches_pattern(filename, ptr->filename)) {
271 found = true;
272 break;
273 }
274 }
275 return found;
276 }
277
278 /**
279 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
280 *
281 * @data: String to parse.
282 * @is_delete: True if it is a delete request.
283 *
284 * Returns 0 on success, negative value otherwise.
285 *
286 * Caller holds tomoyo_read_lock().
287 */
288 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
289 {
290 return tomoyo_update_globally_readable_entry(data, is_delete);
291 }
292
293 /**
294 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
295 *
296 * @head: Pointer to "struct tomoyo_io_buffer".
297 *
298 * Returns true on success, false otherwise.
299 *
300 * Caller holds tomoyo_read_lock().
301 */
302 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
303 {
304 struct list_head *pos;
305 bool done = true;
306
307 list_for_each_cookie(pos, head->read_var2,
308 &tomoyo_globally_readable_list) {
309 struct tomoyo_globally_readable_file_entry *ptr;
310 ptr = list_entry(pos,
311 struct tomoyo_globally_readable_file_entry,
312 list);
313 if (ptr->is_deleted)
314 continue;
315 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
316 ptr->filename->name);
317 if (!done)
318 break;
319 }
320 return done;
321 }
322
323 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
324 * converting pathnames to pathname patterns during learning mode.
325 *
326 * An entry is added by
327 *
328 * # echo 'file_pattern /proc/\$/mounts' > \
329 * /sys/kernel/security/tomoyo/exception_policy
330 *
331 * and is deleted by
332 *
333 * # echo 'delete file_pattern /proc/\$/mounts' > \
334 * /sys/kernel/security/tomoyo/exception_policy
335 *
336 * and all entries are retrieved by
337 *
338 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
339 *
340 * In the example above, if a process which belongs to a domain which is in
341 * learning mode requested open("/proc/1/mounts", O_RDONLY),
342 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
343 * process belongs to.
344 *
345 * It is not a desirable behavior that we have to use /proc/\$/ instead of
346 * /proc/self/ when current process needs to access only current process's
347 * information. As of now, LSM version of TOMOYO is using __d_path() for
348 * calculating pathname. Non LSM version of TOMOYO is using its own function
349 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
350 * current process from accessing other process's information.
351 */
352 static LIST_HEAD(tomoyo_pattern_list);
353
354 /**
355 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
356 *
357 * @pattern: Pathname pattern.
358 * @is_delete: True if it is a delete request.
359 *
360 * Returns 0 on success, negative value otherwise.
361 *
362 * Caller holds tomoyo_read_lock().
363 */
364 static int tomoyo_update_file_pattern_entry(const char *pattern,
365 const bool is_delete)
366 {
367 struct tomoyo_pattern_entry *new_entry;
368 struct tomoyo_pattern_entry *ptr;
369 const struct tomoyo_path_info *saved_pattern;
370 int error = -ENOMEM;
371
372 if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__))
373 return -EINVAL;
374 saved_pattern = tomoyo_save_name(pattern);
375 if (!saved_pattern)
376 return -ENOMEM;
377 new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL);
378 mutex_lock(&tomoyo_policy_lock);
379 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
380 if (saved_pattern != ptr->pattern)
381 continue;
382 ptr->is_deleted = is_delete;
383 error = 0;
384 goto out;
385 }
386 if (is_delete) {
387 error = -ENOENT;
388 goto out;
389 }
390 if (!tomoyo_memory_ok(new_entry))
391 goto out;
392 new_entry->pattern = saved_pattern;
393 list_add_tail_rcu(&new_entry->list, &tomoyo_pattern_list);
394 new_entry = NULL;
395 error = 0;
396 out:
397 mutex_unlock(&tomoyo_policy_lock);
398 kfree(new_entry);
399 return error;
400 }
401
402 /**
403 * tomoyo_get_file_pattern - Get patterned pathname.
404 *
405 * @filename: The filename to find patterned pathname.
406 *
407 * Returns pointer to pathname pattern if matched, @filename otherwise.
408 *
409 * Caller holds tomoyo_read_lock().
410 */
411 static const struct tomoyo_path_info *
412 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
413 {
414 struct tomoyo_pattern_entry *ptr;
415 const struct tomoyo_path_info *pattern = NULL;
416
417 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
418 if (ptr->is_deleted)
419 continue;
420 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
421 continue;
422 pattern = ptr->pattern;
423 if (tomoyo_strendswith(pattern->name, "/\\*")) {
424 /* Do nothing. Try to find the better match. */
425 } else {
426 /* This would be the better match. Use this. */
427 break;
428 }
429 }
430 if (pattern)
431 filename = pattern;
432 return filename;
433 }
434
435 /**
436 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
437 *
438 * @data: String to parse.
439 * @is_delete: True if it is a delete request.
440 *
441 * Returns 0 on success, negative value otherwise.
442 *
443 * Caller holds tomoyo_read_lock().
444 */
445 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
446 {
447 return tomoyo_update_file_pattern_entry(data, is_delete);
448 }
449
450 /**
451 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
452 *
453 * @head: Pointer to "struct tomoyo_io_buffer".
454 *
455 * Returns true on success, false otherwise.
456 *
457 * Caller holds tomoyo_read_lock().
458 */
459 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
460 {
461 struct list_head *pos;
462 bool done = true;
463
464 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
465 struct tomoyo_pattern_entry *ptr;
466 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
467 if (ptr->is_deleted)
468 continue;
469 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
470 "%s\n", ptr->pattern->name);
471 if (!done)
472 break;
473 }
474 return done;
475 }
476
477 /*
478 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
479 * default forbidden to modify already written content of a file.
480 *
481 * An entry is added by
482 *
483 * # echo 'deny_rewrite /var/log/messages' > \
484 * /sys/kernel/security/tomoyo/exception_policy
485 *
486 * and is deleted by
487 *
488 * # echo 'delete deny_rewrite /var/log/messages' > \
489 * /sys/kernel/security/tomoyo/exception_policy
490 *
491 * and all entries are retrieved by
492 *
493 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
494 *
495 * In the example above, if a process requested to rewrite /var/log/messages ,
496 * the process can't rewrite unless the domain which that process belongs to
497 * has "allow_rewrite /var/log/messages" entry.
498 *
499 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
500 * when we want to allow rewriting already unlink()ed file. As of now,
501 * LSM version of TOMOYO is using __d_path() for calculating pathname.
502 * Non LSM version of TOMOYO is using its own function which doesn't append
503 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
504 * need to worry whether the file is already unlink()ed or not.
505 */
506 static LIST_HEAD(tomoyo_no_rewrite_list);
507
508 /**
509 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
510 *
511 * @pattern: Pathname pattern that are not rewritable by default.
512 * @is_delete: True if it is a delete request.
513 *
514 * Returns 0 on success, negative value otherwise.
515 *
516 * Caller holds tomoyo_read_lock().
517 */
518 static int tomoyo_update_no_rewrite_entry(const char *pattern,
519 const bool is_delete)
520 {
521 struct tomoyo_no_rewrite_entry *new_entry, *ptr;
522 const struct tomoyo_path_info *saved_pattern;
523 int error = -ENOMEM;
524
525 if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__))
526 return -EINVAL;
527 saved_pattern = tomoyo_save_name(pattern);
528 if (!saved_pattern)
529 return -ENOMEM;
530 new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL);
531 mutex_lock(&tomoyo_policy_lock);
532 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
533 if (ptr->pattern != saved_pattern)
534 continue;
535 ptr->is_deleted = is_delete;
536 error = 0;
537 goto out;
538 }
539 if (is_delete) {
540 error = -ENOENT;
541 goto out;
542 }
543 if (!tomoyo_memory_ok(new_entry))
544 goto out;
545 new_entry->pattern = saved_pattern;
546 list_add_tail_rcu(&new_entry->list, &tomoyo_no_rewrite_list);
547 new_entry = NULL;
548 error = 0;
549 out:
550 mutex_unlock(&tomoyo_policy_lock);
551 kfree(new_entry);
552 return error;
553 }
554
555 /**
556 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
557 *
558 * @filename: Filename to check.
559 *
560 * Returns true if @filename is specified by "deny_rewrite" directive,
561 * false otherwise.
562 *
563 * Caller holds tomoyo_read_lock().
564 */
565 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
566 {
567 struct tomoyo_no_rewrite_entry *ptr;
568 bool found = false;
569
570 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
571 if (ptr->is_deleted)
572 continue;
573 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
574 continue;
575 found = true;
576 break;
577 }
578 return found;
579 }
580
581 /**
582 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
583 *
584 * @data: String to parse.
585 * @is_delete: True if it is a delete request.
586 *
587 * Returns 0 on success, negative value otherwise.
588 *
589 * Caller holds tomoyo_read_lock().
590 */
591 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
592 {
593 return tomoyo_update_no_rewrite_entry(data, is_delete);
594 }
595
596 /**
597 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
598 *
599 * @head: Pointer to "struct tomoyo_io_buffer".
600 *
601 * Returns true on success, false otherwise.
602 *
603 * Caller holds tomoyo_read_lock().
604 */
605 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
606 {
607 struct list_head *pos;
608 bool done = true;
609
610 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
611 struct tomoyo_no_rewrite_entry *ptr;
612 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
613 if (ptr->is_deleted)
614 continue;
615 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
616 "%s\n", ptr->pattern->name);
617 if (!done)
618 break;
619 }
620 return done;
621 }
622
623 /**
624 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
625 *
626 * @filename: Filename.
627 * @perm: Permission (between 1 to 7).
628 * @domain: Pointer to "struct tomoyo_domain_info".
629 * @is_delete: True if it is a delete request.
630 *
631 * Returns 0 on success, negative value otherwise.
632 *
633 * This is legacy support interface for older policy syntax.
634 * Current policy syntax uses "allow_read/write" instead of "6",
635 * "allow_read" instead of "4", "allow_write" instead of "2",
636 * "allow_execute" instead of "1".
637 *
638 * Caller holds tomoyo_read_lock().
639 */
640 static int tomoyo_update_file_acl(const char *filename, u8 perm,
641 struct tomoyo_domain_info * const domain,
642 const bool is_delete)
643 {
644 if (perm > 7 || !perm) {
645 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
646 __func__, perm, filename);
647 return -EINVAL;
648 }
649 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
650 /*
651 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
652 * directory permissions.
653 */
654 return 0;
655 if (perm & 4)
656 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename,
657 domain, is_delete);
658 if (perm & 2)
659 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename,
660 domain, is_delete);
661 if (perm & 1)
662 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL,
663 filename, domain, is_delete);
664 return 0;
665 }
666
667 /**
668 * tomoyo_check_single_path_acl2 - Check permission for single path operation.
669 *
670 * @domain: Pointer to "struct tomoyo_domain_info".
671 * @filename: Filename to check.
672 * @perm: Permission.
673 * @may_use_pattern: True if patterned ACL is permitted.
674 *
675 * Returns 0 on success, -EPERM otherwise.
676 *
677 * Caller holds tomoyo_read_lock().
678 */
679 static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
680 domain,
681 const struct tomoyo_path_info *
682 filename,
683 const u32 perm,
684 const bool may_use_pattern)
685 {
686 struct tomoyo_acl_info *ptr;
687 int error = -EPERM;
688
689 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
690 struct tomoyo_single_path_acl_record *acl;
691 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
692 continue;
693 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
694 head);
695 if (perm <= 0xFFFF) {
696 if (!(acl->perm & perm))
697 continue;
698 } else {
699 if (!(acl->perm_high & (perm >> 16)))
700 continue;
701 }
702 if (may_use_pattern || !acl->filename->is_patterned) {
703 if (!tomoyo_path_matches_pattern(filename,
704 acl->filename))
705 continue;
706 } else {
707 continue;
708 }
709 error = 0;
710 break;
711 }
712 return error;
713 }
714
715 /**
716 * tomoyo_check_file_acl - Check permission for opening files.
717 *
718 * @domain: Pointer to "struct tomoyo_domain_info".
719 * @filename: Filename to check.
720 * @operation: Mode ("read" or "write" or "read/write" or "execute").
721 *
722 * Returns 0 on success, -EPERM otherwise.
723 *
724 * Caller holds tomoyo_read_lock().
725 */
726 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
727 const struct tomoyo_path_info *filename,
728 const u8 operation)
729 {
730 u32 perm = 0;
731
732 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
733 return 0;
734 if (operation == 6)
735 perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL;
736 else if (operation == 4)
737 perm = 1 << TOMOYO_TYPE_READ_ACL;
738 else if (operation == 2)
739 perm = 1 << TOMOYO_TYPE_WRITE_ACL;
740 else if (operation == 1)
741 perm = 1 << TOMOYO_TYPE_EXECUTE_ACL;
742 else
743 BUG();
744 return tomoyo_check_single_path_acl2(domain, filename, perm,
745 operation != 1);
746 }
747
748 /**
749 * tomoyo_check_file_perm2 - Check permission for opening files.
750 *
751 * @domain: Pointer to "struct tomoyo_domain_info".
752 * @filename: Filename to check.
753 * @perm: Mode ("read" or "write" or "read/write" or "execute").
754 * @operation: Operation name passed used for verbose mode.
755 * @mode: Access control mode.
756 *
757 * Returns 0 on success, negative value otherwise.
758 *
759 * Caller holds tomoyo_read_lock().
760 */
761 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
762 const struct tomoyo_path_info *filename,
763 const u8 perm, const char *operation,
764 const u8 mode)
765 {
766 const bool is_enforce = (mode == 3);
767 const char *msg = "<unknown>";
768 int error = 0;
769
770 if (!filename)
771 return 0;
772 error = tomoyo_check_file_acl(domain, filename, perm);
773 if (error && perm == 4 &&
774 (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) == 0
775 && tomoyo_is_globally_readable_file(filename))
776 error = 0;
777 if (perm == 6)
778 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL);
779 else if (perm == 4)
780 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL);
781 else if (perm == 2)
782 msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL);
783 else if (perm == 1)
784 msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL);
785 else
786 BUG();
787 if (!error)
788 return 0;
789 if (tomoyo_verbose_mode(domain))
790 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied "
791 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation,
792 filename->name, tomoyo_get_last_name(domain));
793 if (is_enforce)
794 return error;
795 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
796 /* Don't use patterns for execute permission. */
797 const struct tomoyo_path_info *patterned_file = (perm != 1) ?
798 tomoyo_get_file_pattern(filename) : filename;
799 tomoyo_update_file_acl(patterned_file->name, perm,
800 domain, false);
801 }
802 return 0;
803 }
804
805 /**
806 * tomoyo_write_file_policy - Update file related list.
807 *
808 * @data: String to parse.
809 * @domain: Pointer to "struct tomoyo_domain_info".
810 * @is_delete: True if it is a delete request.
811 *
812 * Returns 0 on success, negative value otherwise.
813 *
814 * Caller holds tomoyo_read_lock().
815 */
816 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
817 const bool is_delete)
818 {
819 char *filename = strchr(data, ' ');
820 char *filename2;
821 unsigned int perm;
822 u8 type;
823
824 if (!filename)
825 return -EINVAL;
826 *filename++ = '\0';
827 if (sscanf(data, "%u", &perm) == 1)
828 return tomoyo_update_file_acl(filename, (u8) perm, domain,
829 is_delete);
830 if (strncmp(data, "allow_", 6))
831 goto out;
832 data += 6;
833 for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) {
834 if (strcmp(data, tomoyo_sp_keyword[type]))
835 continue;
836 return tomoyo_update_single_path_acl(type, filename,
837 domain, is_delete);
838 }
839 filename2 = strchr(filename, ' ');
840 if (!filename2)
841 goto out;
842 *filename2++ = '\0';
843 for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) {
844 if (strcmp(data, tomoyo_dp_keyword[type]))
845 continue;
846 return tomoyo_update_double_path_acl(type, filename, filename2,
847 domain, is_delete);
848 }
849 out:
850 return -EINVAL;
851 }
852
853 /**
854 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
855 *
856 * @type: Type of operation.
857 * @filename: Filename.
858 * @domain: Pointer to "struct tomoyo_domain_info".
859 * @is_delete: True if it is a delete request.
860 *
861 * Returns 0 on success, negative value otherwise.
862 *
863 * Caller holds tomoyo_read_lock().
864 */
865 static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
866 struct tomoyo_domain_info *
867 const domain, const bool is_delete)
868 {
869 static const u32 rw_mask =
870 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL);
871 const struct tomoyo_path_info *saved_filename;
872 struct tomoyo_acl_info *ptr;
873 struct tomoyo_single_path_acl_record *acl;
874 int error = -ENOMEM;
875 const u32 perm = 1 << type;
876
877 if (!domain)
878 return -EINVAL;
879 if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__))
880 return -EINVAL;
881 saved_filename = tomoyo_save_name(filename);
882 if (!saved_filename)
883 return -ENOMEM;
884 mutex_lock(&tomoyo_policy_lock);
885 if (is_delete)
886 goto delete;
887 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
888 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
889 continue;
890 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
891 head);
892 if (acl->filename != saved_filename)
893 continue;
894 /* Special case. Clear all bits if marked as deleted. */
895 if (ptr->type & TOMOYO_ACL_DELETED)
896 acl->perm = 0;
897 if (perm <= 0xFFFF)
898 acl->perm |= perm;
899 else
900 acl->perm_high |= (perm >> 16);
901 if ((acl->perm & rw_mask) == rw_mask)
902 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL;
903 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
904 acl->perm |= rw_mask;
905 ptr->type &= ~TOMOYO_ACL_DELETED;
906 error = 0;
907 goto out;
908 }
909 /* Not found. Append it to the tail. */
910 acl = kmalloc(sizeof(*acl), GFP_KERNEL);
911 if (!tomoyo_memory_ok(acl)) {
912 kfree(acl);
913 acl = NULL;
914 goto out;
915 }
916 acl->head.type = TOMOYO_TYPE_SINGLE_PATH_ACL;
917 if (perm <= 0xFFFF)
918 acl->perm = perm;
919 else
920 acl->perm_high = (perm >> 16);
921 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL))
922 acl->perm |= rw_mask;
923 acl->filename = saved_filename;
924 list_add_tail_rcu(&acl->head.list, &domain->acl_info_list);
925 error = 0;
926 goto out;
927 delete:
928 error = -ENOENT;
929 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
930 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
931 continue;
932 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
933 head);
934 if (acl->filename != saved_filename)
935 continue;
936 if (perm <= 0xFFFF)
937 acl->perm &= ~perm;
938 else
939 acl->perm_high &= ~(perm >> 16);
940 if ((acl->perm & rw_mask) != rw_mask)
941 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL);
942 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
943 acl->perm &= ~rw_mask;
944 if (!acl->perm && !acl->perm_high)
945 ptr->type |= TOMOYO_ACL_DELETED;
946 error = 0;
947 break;
948 }
949 out:
950 mutex_unlock(&tomoyo_policy_lock);
951 return error;
952 }
953
954 /**
955 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
956 *
957 * @type: Type of operation.
958 * @filename1: First filename.
959 * @filename2: Second filename.
960 * @domain: Pointer to "struct tomoyo_domain_info".
961 * @is_delete: True if it is a delete request.
962 *
963 * Returns 0 on success, negative value otherwise.
964 *
965 * Caller holds tomoyo_read_lock().
966 */
967 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
968 const char *filename2,
969 struct tomoyo_domain_info *
970 const domain, const bool is_delete)
971 {
972 const struct tomoyo_path_info *saved_filename1;
973 const struct tomoyo_path_info *saved_filename2;
974 struct tomoyo_acl_info *ptr;
975 struct tomoyo_double_path_acl_record *acl;
976 int error = -ENOMEM;
977 const u8 perm = 1 << type;
978
979 if (!domain)
980 return -EINVAL;
981 if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) ||
982 !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__))
983 return -EINVAL;
984 saved_filename1 = tomoyo_save_name(filename1);
985 saved_filename2 = tomoyo_save_name(filename2);
986 if (!saved_filename1 || !saved_filename2)
987 return -ENOMEM;
988 mutex_lock(&tomoyo_policy_lock);
989 if (is_delete)
990 goto delete;
991 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
992 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
993 continue;
994 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
995 head);
996 if (acl->filename1 != saved_filename1 ||
997 acl->filename2 != saved_filename2)
998 continue;
999 /* Special case. Clear all bits if marked as deleted. */
1000 if (ptr->type & TOMOYO_ACL_DELETED)
1001 acl->perm = 0;
1002 acl->perm |= perm;
1003 ptr->type &= ~TOMOYO_ACL_DELETED;
1004 error = 0;
1005 goto out;
1006 }
1007 /* Not found. Append it to the tail. */
1008 acl = kmalloc(sizeof(*acl), GFP_KERNEL);
1009 if (!tomoyo_memory_ok(acl)) {
1010 kfree(acl);
1011 acl = NULL;
1012 goto out;
1013 }
1014 acl->head.type = TOMOYO_TYPE_DOUBLE_PATH_ACL;
1015 acl->perm = perm;
1016 acl->filename1 = saved_filename1;
1017 acl->filename2 = saved_filename2;
1018 list_add_tail_rcu(&acl->head.list, &domain->acl_info_list);
1019 error = 0;
1020 goto out;
1021 delete:
1022 error = -ENOENT;
1023 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1024 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
1025 continue;
1026 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
1027 head);
1028 if (acl->filename1 != saved_filename1 ||
1029 acl->filename2 != saved_filename2)
1030 continue;
1031 acl->perm &= ~perm;
1032 if (!acl->perm)
1033 ptr->type |= TOMOYO_ACL_DELETED;
1034 error = 0;
1035 break;
1036 }
1037 out:
1038 mutex_unlock(&tomoyo_policy_lock);
1039 return error;
1040 }
1041
1042 /**
1043 * tomoyo_check_single_path_acl - Check permission for single path operation.
1044 *
1045 * @domain: Pointer to "struct tomoyo_domain_info".
1046 * @type: Type of operation.
1047 * @filename: Filename to check.
1048 *
1049 * Returns 0 on success, negative value otherwise.
1050 *
1051 * Caller holds tomoyo_read_lock().
1052 */
1053 static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
1054 const u8 type,
1055 const struct tomoyo_path_info *filename)
1056 {
1057 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1058 return 0;
1059 return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1);
1060 }
1061
1062 /**
1063 * tomoyo_check_double_path_acl - Check permission for double path operation.
1064 *
1065 * @domain: Pointer to "struct tomoyo_domain_info".
1066 * @type: Type of operation.
1067 * @filename1: First filename to check.
1068 * @filename2: Second filename to check.
1069 *
1070 * Returns 0 on success, -EPERM otherwise.
1071 *
1072 * Caller holds tomoyo_read_lock().
1073 */
1074 static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
1075 const u8 type,
1076 const struct tomoyo_path_info *
1077 filename1,
1078 const struct tomoyo_path_info *
1079 filename2)
1080 {
1081 struct tomoyo_acl_info *ptr;
1082 const u8 perm = 1 << type;
1083 int error = -EPERM;
1084
1085 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1086 return 0;
1087 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1088 struct tomoyo_double_path_acl_record *acl;
1089 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
1090 continue;
1091 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
1092 head);
1093 if (!(acl->perm & perm))
1094 continue;
1095 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
1096 continue;
1097 if (!tomoyo_path_matches_pattern(filename2, acl->filename2))
1098 continue;
1099 error = 0;
1100 break;
1101 }
1102 return error;
1103 }
1104
1105 /**
1106 * tomoyo_check_single_path_permission2 - Check permission for single path operation.
1107 *
1108 * @domain: Pointer to "struct tomoyo_domain_info".
1109 * @operation: Type of operation.
1110 * @filename: Filename to check.
1111 * @mode: Access control mode.
1112 *
1113 * Returns 0 on success, negative value otherwise.
1114 *
1115 * Caller holds tomoyo_read_lock().
1116 */
1117 static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1118 const domain, u8 operation,
1119 const struct tomoyo_path_info *
1120 filename, const u8 mode)
1121 {
1122 const char *msg;
1123 int error;
1124 const bool is_enforce = (mode == 3);
1125
1126 if (!mode)
1127 return 0;
1128 next:
1129 error = tomoyo_check_single_path_acl(domain, operation, filename);
1130 msg = tomoyo_sp2keyword(operation);
1131 if (!error)
1132 goto ok;
1133 if (tomoyo_verbose_mode(domain))
1134 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n",
1135 tomoyo_get_msg(is_enforce), msg, filename->name,
1136 tomoyo_get_last_name(domain));
1137 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1138 const char *name = tomoyo_get_file_pattern(filename)->name;
1139 tomoyo_update_single_path_acl(operation, name, domain, false);
1140 }
1141 if (!is_enforce)
1142 error = 0;
1143 ok:
1144 /*
1145 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1146 * we need to check "allow_rewrite" permission if the filename is
1147 * specified by "deny_rewrite" keyword.
1148 */
1149 if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL &&
1150 tomoyo_is_no_rewrite_file(filename)) {
1151 operation = TOMOYO_TYPE_REWRITE_ACL;
1152 goto next;
1153 }
1154 return error;
1155 }
1156
1157 /**
1158 * tomoyo_check_exec_perm - Check permission for "execute".
1159 *
1160 * @domain: Pointer to "struct tomoyo_domain_info".
1161 * @filename: Check permission for "execute".
1162 *
1163 * Returns 0 on success, negativevalue otherwise.
1164 *
1165 * Caller holds tomoyo_read_lock().
1166 */
1167 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1168 const struct tomoyo_path_info *filename)
1169 {
1170 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1171
1172 if (!mode)
1173 return 0;
1174 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode);
1175 }
1176
1177 /**
1178 * tomoyo_check_open_permission - Check permission for "read" and "write".
1179 *
1180 * @domain: Pointer to "struct tomoyo_domain_info".
1181 * @path: Pointer to "struct path".
1182 * @flag: Flags for open().
1183 *
1184 * Returns 0 on success, negative value otherwise.
1185 */
1186 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1187 struct path *path, const int flag)
1188 {
1189 const u8 acc_mode = ACC_MODE(flag);
1190 int error = -ENOMEM;
1191 struct tomoyo_path_info *buf;
1192 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1193 const bool is_enforce = (mode == 3);
1194 int idx;
1195
1196 if (!mode || !path->mnt)
1197 return 0;
1198 if (acc_mode == 0)
1199 return 0;
1200 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1201 /*
1202 * I don't check directories here because mkdir() and rmdir()
1203 * don't call me.
1204 */
1205 return 0;
1206 idx = tomoyo_read_lock();
1207 buf = tomoyo_get_path(path);
1208 if (!buf)
1209 goto out;
1210 error = 0;
1211 /*
1212 * If the filename is specified by "deny_rewrite" keyword,
1213 * we need to check "allow_rewrite" permission when the filename is not
1214 * opened for append mode or the filename is truncated at open time.
1215 */
1216 if ((acc_mode & MAY_WRITE) &&
1217 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1218 (tomoyo_is_no_rewrite_file(buf))) {
1219 error = tomoyo_check_single_path_permission2(domain,
1220 TOMOYO_TYPE_REWRITE_ACL,
1221 buf, mode);
1222 }
1223 if (!error)
1224 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1225 mode);
1226 if (!error && (flag & O_TRUNC))
1227 error = tomoyo_check_single_path_permission2(domain,
1228 TOMOYO_TYPE_TRUNCATE_ACL,
1229 buf, mode);
1230 out:
1231 kfree(buf);
1232 tomoyo_read_unlock(idx);
1233 if (!is_enforce)
1234 error = 0;
1235 return error;
1236 }
1237
1238 /**
1239 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1240 *
1241 * @domain: Pointer to "struct tomoyo_domain_info".
1242 * @operation: Type of operation.
1243 * @path: Pointer to "struct path".
1244 *
1245 * Returns 0 on success, negative value otherwise.
1246 */
1247 int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1248 const u8 operation, struct path *path)
1249 {
1250 int error = -ENOMEM;
1251 struct tomoyo_path_info *buf;
1252 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1253 const bool is_enforce = (mode == 3);
1254 int idx;
1255
1256 if (!mode || !path->mnt)
1257 return 0;
1258 idx = tomoyo_read_lock();
1259 buf = tomoyo_get_path(path);
1260 if (!buf)
1261 goto out;
1262 switch (operation) {
1263 case TOMOYO_TYPE_MKDIR_ACL:
1264 case TOMOYO_TYPE_RMDIR_ACL:
1265 case TOMOYO_TYPE_CHROOT_ACL:
1266 if (!buf->is_dir) {
1267 /*
1268 * tomoyo_get_path() reserves space for appending "/."
1269 */
1270 strcat((char *) buf->name, "/");
1271 tomoyo_fill_path_info(buf);
1272 }
1273 }
1274 error = tomoyo_check_single_path_permission2(domain, operation, buf,
1275 mode);
1276 out:
1277 kfree(buf);
1278 tomoyo_read_unlock(idx);
1279 if (!is_enforce)
1280 error = 0;
1281 return error;
1282 }
1283
1284 /**
1285 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1286 *
1287 * @domain: Pointer to "struct tomoyo_domain_info".
1288 * @filp: Pointer to "struct file".
1289 *
1290 * Returns 0 on success, negative value otherwise.
1291 */
1292 int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1293 struct file *filp)
1294 {
1295 int error = -ENOMEM;
1296 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1297 const bool is_enforce = (mode == 3);
1298 struct tomoyo_path_info *buf;
1299 int idx;
1300
1301 if (!mode || !filp->f_path.mnt)
1302 return 0;
1303
1304 idx = tomoyo_read_lock();
1305 buf = tomoyo_get_path(&filp->f_path);
1306 if (!buf)
1307 goto out;
1308 if (!tomoyo_is_no_rewrite_file(buf)) {
1309 error = 0;
1310 goto out;
1311 }
1312 error = tomoyo_check_single_path_permission2(domain,
1313 TOMOYO_TYPE_REWRITE_ACL,
1314 buf, mode);
1315 out:
1316 kfree(buf);
1317 tomoyo_read_unlock(idx);
1318 if (!is_enforce)
1319 error = 0;
1320 return error;
1321 }
1322
1323 /**
1324 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root".
1325 *
1326 * @domain: Pointer to "struct tomoyo_domain_info".
1327 * @operation: Type of operation.
1328 * @path1: Pointer to "struct path".
1329 * @path2: Pointer to "struct path".
1330 *
1331 * Returns 0 on success, negative value otherwise.
1332 */
1333 int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
1334 const u8 operation, struct path *path1,
1335 struct path *path2)
1336 {
1337 int error = -ENOMEM;
1338 struct tomoyo_path_info *buf1, *buf2;
1339 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1340 const bool is_enforce = (mode == 3);
1341 const char *msg;
1342 int idx;
1343
1344 if (!mode || !path1->mnt || !path2->mnt)
1345 return 0;
1346 idx = tomoyo_read_lock();
1347 buf1 = tomoyo_get_path(path1);
1348 buf2 = tomoyo_get_path(path2);
1349 if (!buf1 || !buf2)
1350 goto out;
1351 {
1352 struct dentry *dentry = path1->dentry;
1353 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1354 /*
1355 * tomoyo_get_path() reserves space for appending "/."
1356 */
1357 if (!buf1->is_dir) {
1358 strcat((char *) buf1->name, "/");
1359 tomoyo_fill_path_info(buf1);
1360 }
1361 if (!buf2->is_dir) {
1362 strcat((char *) buf2->name, "/");
1363 tomoyo_fill_path_info(buf2);
1364 }
1365 }
1366 }
1367 error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2);
1368 msg = tomoyo_dp2keyword(operation);
1369 if (!error)
1370 goto out;
1371 if (tomoyo_verbose_mode(domain))
1372 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' "
1373 "denied for %s\n", tomoyo_get_msg(is_enforce),
1374 msg, buf1->name, buf2->name,
1375 tomoyo_get_last_name(domain));
1376 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1377 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1378 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1379 tomoyo_update_double_path_acl(operation, name1, name2, domain,
1380 false);
1381 }
1382 out:
1383 kfree(buf1);
1384 kfree(buf2);
1385 tomoyo_read_unlock(idx);
1386 if (!is_enforce)
1387 error = 0;
1388 return error;
1389 }
Linux 2.6 libata-dev (mirror)