2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
17 * tomoyo_globally_readable_file_entry is a structure which is used for holding
18 * "allow_read" entries.
19 * It has following fields.
21 * (1) "list" which is linked to tomoyo_globally_readable_list .
22 * (2) "filename" is a pathname which is allowed to open(O_RDONLY).
23 * (3) "is_deleted" is a bool which is true if marked as deleted, false
26 struct tomoyo_globally_readable_file_entry
{
27 struct list_head list
;
28 const struct tomoyo_path_info
*filename
;
33 * tomoyo_pattern_entry is a structure which is used for holding
34 * "tomoyo_pattern_list" entries.
35 * It has following fields.
37 * (1) "list" which is linked to tomoyo_pattern_list .
38 * (2) "pattern" is a pathname pattern which is used for converting pathnames
39 * to pathname patterns during learning mode.
40 * (3) "is_deleted" is a bool which is true if marked as deleted, false
43 struct tomoyo_pattern_entry
{
44 struct list_head list
;
45 const struct tomoyo_path_info
*pattern
;
50 * tomoyo_no_rewrite_entry is a structure which is used for holding
51 * "deny_rewrite" entries.
52 * It has following fields.
54 * (1) "list" which is linked to tomoyo_no_rewrite_list .
55 * (2) "pattern" is a pathname which is by default not permitted to modify
56 * already existing content.
57 * (3) "is_deleted" is a bool which is true if marked as deleted, false
60 struct tomoyo_no_rewrite_entry
{
61 struct list_head list
;
62 const struct tomoyo_path_info
*pattern
;
66 /* Keyword array for single path operations. */
67 static const char *tomoyo_sp_keyword
[TOMOYO_MAX_SINGLE_PATH_OPERATION
] = {
68 [TOMOYO_TYPE_READ_WRITE_ACL
] = "read/write",
69 [TOMOYO_TYPE_EXECUTE_ACL
] = "execute",
70 [TOMOYO_TYPE_READ_ACL
] = "read",
71 [TOMOYO_TYPE_WRITE_ACL
] = "write",
72 [TOMOYO_TYPE_CREATE_ACL
] = "create",
73 [TOMOYO_TYPE_UNLINK_ACL
] = "unlink",
74 [TOMOYO_TYPE_MKDIR_ACL
] = "mkdir",
75 [TOMOYO_TYPE_RMDIR_ACL
] = "rmdir",
76 [TOMOYO_TYPE_MKFIFO_ACL
] = "mkfifo",
77 [TOMOYO_TYPE_MKSOCK_ACL
] = "mksock",
78 [TOMOYO_TYPE_MKBLOCK_ACL
] = "mkblock",
79 [TOMOYO_TYPE_MKCHAR_ACL
] = "mkchar",
80 [TOMOYO_TYPE_TRUNCATE_ACL
] = "truncate",
81 [TOMOYO_TYPE_SYMLINK_ACL
] = "symlink",
82 [TOMOYO_TYPE_REWRITE_ACL
] = "rewrite",
83 [TOMOYO_TYPE_IOCTL_ACL
] = "ioctl",
84 [TOMOYO_TYPE_CHMOD_ACL
] = "chmod",
85 [TOMOYO_TYPE_CHOWN_ACL
] = "chown",
86 [TOMOYO_TYPE_CHGRP_ACL
] = "chgrp",
87 [TOMOYO_TYPE_CHROOT_ACL
] = "chroot",
88 [TOMOYO_TYPE_MOUNT_ACL
] = "mount",
89 [TOMOYO_TYPE_UMOUNT_ACL
] = "unmount",
92 /* Keyword array for double path operations. */
93 static const char *tomoyo_dp_keyword
[TOMOYO_MAX_DOUBLE_PATH_OPERATION
] = {
94 [TOMOYO_TYPE_LINK_ACL
] = "link",
95 [TOMOYO_TYPE_RENAME_ACL
] = "rename",
96 [TOMOYO_TYPE_PIVOT_ROOT_ACL
] = "pivot_root",
100 * tomoyo_sp2keyword - Get the name of single path operation.
102 * @operation: Type of operation.
104 * Returns the name of single path operation.
106 const char *tomoyo_sp2keyword(const u8 operation
)
108 return (operation
< TOMOYO_MAX_SINGLE_PATH_OPERATION
)
109 ? tomoyo_sp_keyword
[operation
] : NULL
;
113 * tomoyo_dp2keyword - Get the name of double path operation.
115 * @operation: Type of operation.
117 * Returns the name of double path operation.
119 const char *tomoyo_dp2keyword(const u8 operation
)
121 return (operation
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
)
122 ? tomoyo_dp_keyword
[operation
] : NULL
;
126 * tomoyo_strendswith - Check whether the token ends with the given token.
128 * @name: The token to check.
129 * @tail: The token to find.
131 * Returns true if @name ends with @tail, false otherwise.
133 static bool tomoyo_strendswith(const char *name
, const char *tail
)
139 len
= strlen(name
) - strlen(tail
);
140 return len
>= 0 && !strcmp(name
+ len
, tail
);
144 * tomoyo_get_path - Get realpath.
146 * @path: Pointer to "struct path".
148 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
150 static struct tomoyo_path_info
*tomoyo_get_path(struct path
*path
)
153 struct tomoyo_path_info_with_data
*buf
= kzalloc(sizeof(*buf
),
158 /* Reserve one byte for appending "/". */
159 error
= tomoyo_realpath_from_path2(path
, buf
->body
,
160 sizeof(buf
->body
) - 2);
162 buf
->head
.name
= buf
->body
;
163 tomoyo_fill_path_info(&buf
->head
);
170 static int tomoyo_update_double_path_acl(const u8 type
, const char *filename1
,
171 const char *filename2
,
172 struct tomoyo_domain_info
*
173 const domain
, const bool is_delete
);
174 static int tomoyo_update_single_path_acl(const u8 type
, const char *filename
,
175 struct tomoyo_domain_info
*
176 const domain
, const bool is_delete
);
179 * tomoyo_globally_readable_list is used for holding list of pathnames which
180 * are by default allowed to be open()ed for reading by any process.
182 * An entry is added by
184 * # echo 'allow_read /lib/libc-2.5.so' > \
185 * /sys/kernel/security/tomoyo/exception_policy
189 * # echo 'delete allow_read /lib/libc-2.5.so' > \
190 * /sys/kernel/security/tomoyo/exception_policy
192 * and all entries are retrieved by
194 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
196 * In the example above, any process is allowed to
197 * open("/lib/libc-2.5.so", O_RDONLY).
198 * One exception is, if the domain which current process belongs to is marked
199 * as "ignore_global_allow_read", current process can't do so unless explicitly
200 * given "allow_read /lib/libc-2.5.so" to the domain which current process
203 static LIST_HEAD(tomoyo_globally_readable_list
);
206 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
208 * @filename: Filename unconditionally permitted to open() for reading.
209 * @is_delete: True if it is a delete request.
211 * Returns 0 on success, negative value otherwise.
213 * Caller holds tomoyo_read_lock().
215 static int tomoyo_update_globally_readable_entry(const char *filename
,
216 const bool is_delete
)
218 struct tomoyo_globally_readable_file_entry
*new_entry
;
219 struct tomoyo_globally_readable_file_entry
*ptr
;
220 const struct tomoyo_path_info
*saved_filename
;
223 if (!tomoyo_is_correct_path(filename
, 1, 0, -1, __func__
))
225 saved_filename
= tomoyo_save_name(filename
);
228 new_entry
= kmalloc(sizeof(*new_entry
), GFP_KERNEL
);
229 mutex_lock(&tomoyo_policy_lock
);
230 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
231 if (ptr
->filename
!= saved_filename
)
233 ptr
->is_deleted
= is_delete
;
241 if (!tomoyo_memory_ok(new_entry
))
243 new_entry
->filename
= saved_filename
;
244 list_add_tail_rcu(&new_entry
->list
, &tomoyo_globally_readable_list
);
248 mutex_unlock(&tomoyo_policy_lock
);
254 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
256 * @filename: The filename to check.
258 * Returns true if any domain can open @filename for reading, false otherwise.
260 * Caller holds tomoyo_read_lock().
262 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info
*
265 struct tomoyo_globally_readable_file_entry
*ptr
;
268 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
269 if (!ptr
->is_deleted
&&
270 tomoyo_path_matches_pattern(filename
, ptr
->filename
)) {
279 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
281 * @data: String to parse.
282 * @is_delete: True if it is a delete request.
284 * Returns 0 on success, negative value otherwise.
286 * Caller holds tomoyo_read_lock().
288 int tomoyo_write_globally_readable_policy(char *data
, const bool is_delete
)
290 return tomoyo_update_globally_readable_entry(data
, is_delete
);
294 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
296 * @head: Pointer to "struct tomoyo_io_buffer".
298 * Returns true on success, false otherwise.
300 * Caller holds tomoyo_read_lock().
302 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer
*head
)
304 struct list_head
*pos
;
307 list_for_each_cookie(pos
, head
->read_var2
,
308 &tomoyo_globally_readable_list
) {
309 struct tomoyo_globally_readable_file_entry
*ptr
;
310 ptr
= list_entry(pos
,
311 struct tomoyo_globally_readable_file_entry
,
315 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_ALLOW_READ
"%s\n",
316 ptr
->filename
->name
);
323 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
324 * converting pathnames to pathname patterns during learning mode.
326 * An entry is added by
328 * # echo 'file_pattern /proc/\$/mounts' > \
329 * /sys/kernel/security/tomoyo/exception_policy
333 * # echo 'delete file_pattern /proc/\$/mounts' > \
334 * /sys/kernel/security/tomoyo/exception_policy
336 * and all entries are retrieved by
338 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
340 * In the example above, if a process which belongs to a domain which is in
341 * learning mode requested open("/proc/1/mounts", O_RDONLY),
342 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
343 * process belongs to.
345 * It is not a desirable behavior that we have to use /proc/\$/ instead of
346 * /proc/self/ when current process needs to access only current process's
347 * information. As of now, LSM version of TOMOYO is using __d_path() for
348 * calculating pathname. Non LSM version of TOMOYO is using its own function
349 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
350 * current process from accessing other process's information.
352 static LIST_HEAD(tomoyo_pattern_list
);
355 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
357 * @pattern: Pathname pattern.
358 * @is_delete: True if it is a delete request.
360 * Returns 0 on success, negative value otherwise.
362 * Caller holds tomoyo_read_lock().
364 static int tomoyo_update_file_pattern_entry(const char *pattern
,
365 const bool is_delete
)
367 struct tomoyo_pattern_entry
*new_entry
;
368 struct tomoyo_pattern_entry
*ptr
;
369 const struct tomoyo_path_info
*saved_pattern
;
372 if (!tomoyo_is_correct_path(pattern
, 0, 1, 0, __func__
))
374 saved_pattern
= tomoyo_save_name(pattern
);
377 new_entry
= kmalloc(sizeof(*new_entry
), GFP_KERNEL
);
378 mutex_lock(&tomoyo_policy_lock
);
379 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
380 if (saved_pattern
!= ptr
->pattern
)
382 ptr
->is_deleted
= is_delete
;
390 if (!tomoyo_memory_ok(new_entry
))
392 new_entry
->pattern
= saved_pattern
;
393 list_add_tail_rcu(&new_entry
->list
, &tomoyo_pattern_list
);
397 mutex_unlock(&tomoyo_policy_lock
);
403 * tomoyo_get_file_pattern - Get patterned pathname.
405 * @filename: The filename to find patterned pathname.
407 * Returns pointer to pathname pattern if matched, @filename otherwise.
409 * Caller holds tomoyo_read_lock().
411 static const struct tomoyo_path_info
*
412 tomoyo_get_file_pattern(const struct tomoyo_path_info
*filename
)
414 struct tomoyo_pattern_entry
*ptr
;
415 const struct tomoyo_path_info
*pattern
= NULL
;
417 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
420 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
422 pattern
= ptr
->pattern
;
423 if (tomoyo_strendswith(pattern
->name
, "/\\*")) {
424 /* Do nothing. Try to find the better match. */
426 /* This would be the better match. Use this. */
436 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
438 * @data: String to parse.
439 * @is_delete: True if it is a delete request.
441 * Returns 0 on success, negative value otherwise.
443 * Caller holds tomoyo_read_lock().
445 int tomoyo_write_pattern_policy(char *data
, const bool is_delete
)
447 return tomoyo_update_file_pattern_entry(data
, is_delete
);
451 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
453 * @head: Pointer to "struct tomoyo_io_buffer".
455 * Returns true on success, false otherwise.
457 * Caller holds tomoyo_read_lock().
459 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer
*head
)
461 struct list_head
*pos
;
464 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_pattern_list
) {
465 struct tomoyo_pattern_entry
*ptr
;
466 ptr
= list_entry(pos
, struct tomoyo_pattern_entry
, list
);
469 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_FILE_PATTERN
470 "%s\n", ptr
->pattern
->name
);
478 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
479 * default forbidden to modify already written content of a file.
481 * An entry is added by
483 * # echo 'deny_rewrite /var/log/messages' > \
484 * /sys/kernel/security/tomoyo/exception_policy
488 * # echo 'delete deny_rewrite /var/log/messages' > \
489 * /sys/kernel/security/tomoyo/exception_policy
491 * and all entries are retrieved by
493 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
495 * In the example above, if a process requested to rewrite /var/log/messages ,
496 * the process can't rewrite unless the domain which that process belongs to
497 * has "allow_rewrite /var/log/messages" entry.
499 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
500 * when we want to allow rewriting already unlink()ed file. As of now,
501 * LSM version of TOMOYO is using __d_path() for calculating pathname.
502 * Non LSM version of TOMOYO is using its own function which doesn't append
503 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
504 * need to worry whether the file is already unlink()ed or not.
506 static LIST_HEAD(tomoyo_no_rewrite_list
);
509 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
511 * @pattern: Pathname pattern that are not rewritable by default.
512 * @is_delete: True if it is a delete request.
514 * Returns 0 on success, negative value otherwise.
516 * Caller holds tomoyo_read_lock().
518 static int tomoyo_update_no_rewrite_entry(const char *pattern
,
519 const bool is_delete
)
521 struct tomoyo_no_rewrite_entry
*new_entry
, *ptr
;
522 const struct tomoyo_path_info
*saved_pattern
;
525 if (!tomoyo_is_correct_path(pattern
, 0, 0, 0, __func__
))
527 saved_pattern
= tomoyo_save_name(pattern
);
530 new_entry
= kmalloc(sizeof(*new_entry
), GFP_KERNEL
);
531 mutex_lock(&tomoyo_policy_lock
);
532 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
533 if (ptr
->pattern
!= saved_pattern
)
535 ptr
->is_deleted
= is_delete
;
543 if (!tomoyo_memory_ok(new_entry
))
545 new_entry
->pattern
= saved_pattern
;
546 list_add_tail_rcu(&new_entry
->list
, &tomoyo_no_rewrite_list
);
550 mutex_unlock(&tomoyo_policy_lock
);
556 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
558 * @filename: Filename to check.
560 * Returns true if @filename is specified by "deny_rewrite" directive,
563 * Caller holds tomoyo_read_lock().
565 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info
*filename
)
567 struct tomoyo_no_rewrite_entry
*ptr
;
570 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
573 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
582 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
584 * @data: String to parse.
585 * @is_delete: True if it is a delete request.
587 * Returns 0 on success, negative value otherwise.
589 * Caller holds tomoyo_read_lock().
591 int tomoyo_write_no_rewrite_policy(char *data
, const bool is_delete
)
593 return tomoyo_update_no_rewrite_entry(data
, is_delete
);
597 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
599 * @head: Pointer to "struct tomoyo_io_buffer".
601 * Returns true on success, false otherwise.
603 * Caller holds tomoyo_read_lock().
605 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer
*head
)
607 struct list_head
*pos
;
610 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_no_rewrite_list
) {
611 struct tomoyo_no_rewrite_entry
*ptr
;
612 ptr
= list_entry(pos
, struct tomoyo_no_rewrite_entry
, list
);
615 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_DENY_REWRITE
616 "%s\n", ptr
->pattern
->name
);
624 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
626 * @filename: Filename.
627 * @perm: Permission (between 1 to 7).
628 * @domain: Pointer to "struct tomoyo_domain_info".
629 * @is_delete: True if it is a delete request.
631 * Returns 0 on success, negative value otherwise.
633 * This is legacy support interface for older policy syntax.
634 * Current policy syntax uses "allow_read/write" instead of "6",
635 * "allow_read" instead of "4", "allow_write" instead of "2",
636 * "allow_execute" instead of "1".
638 * Caller holds tomoyo_read_lock().
640 static int tomoyo_update_file_acl(const char *filename
, u8 perm
,
641 struct tomoyo_domain_info
* const domain
,
642 const bool is_delete
)
644 if (perm
> 7 || !perm
) {
645 printk(KERN_DEBUG
"%s: Invalid permission '%d %s'\n",
646 __func__
, perm
, filename
);
649 if (filename
[0] != '@' && tomoyo_strendswith(filename
, "/"))
651 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
652 * directory permissions.
656 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL
, filename
,
659 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL
, filename
,
662 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL
,
663 filename
, domain
, is_delete
);
668 * tomoyo_check_single_path_acl2 - Check permission for single path operation.
670 * @domain: Pointer to "struct tomoyo_domain_info".
671 * @filename: Filename to check.
673 * @may_use_pattern: True if patterned ACL is permitted.
675 * Returns 0 on success, -EPERM otherwise.
677 * Caller holds tomoyo_read_lock().
679 static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info
*
681 const struct tomoyo_path_info
*
684 const bool may_use_pattern
)
686 struct tomoyo_acl_info
*ptr
;
689 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
690 struct tomoyo_single_path_acl_record
*acl
;
691 if (tomoyo_acl_type2(ptr
) != TOMOYO_TYPE_SINGLE_PATH_ACL
)
693 acl
= container_of(ptr
, struct tomoyo_single_path_acl_record
,
695 if (perm
<= 0xFFFF) {
696 if (!(acl
->perm
& perm
))
699 if (!(acl
->perm_high
& (perm
>> 16)))
702 if (may_use_pattern
|| !acl
->filename
->is_patterned
) {
703 if (!tomoyo_path_matches_pattern(filename
,
716 * tomoyo_check_file_acl - Check permission for opening files.
718 * @domain: Pointer to "struct tomoyo_domain_info".
719 * @filename: Filename to check.
720 * @operation: Mode ("read" or "write" or "read/write" or "execute").
722 * Returns 0 on success, -EPERM otherwise.
724 * Caller holds tomoyo_read_lock().
726 static int tomoyo_check_file_acl(const struct tomoyo_domain_info
*domain
,
727 const struct tomoyo_path_info
*filename
,
732 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
735 perm
= 1 << TOMOYO_TYPE_READ_WRITE_ACL
;
736 else if (operation
== 4)
737 perm
= 1 << TOMOYO_TYPE_READ_ACL
;
738 else if (operation
== 2)
739 perm
= 1 << TOMOYO_TYPE_WRITE_ACL
;
740 else if (operation
== 1)
741 perm
= 1 << TOMOYO_TYPE_EXECUTE_ACL
;
744 return tomoyo_check_single_path_acl2(domain
, filename
, perm
,
749 * tomoyo_check_file_perm2 - Check permission for opening files.
751 * @domain: Pointer to "struct tomoyo_domain_info".
752 * @filename: Filename to check.
753 * @perm: Mode ("read" or "write" or "read/write" or "execute").
754 * @operation: Operation name passed used for verbose mode.
755 * @mode: Access control mode.
757 * Returns 0 on success, negative value otherwise.
759 * Caller holds tomoyo_read_lock().
761 static int tomoyo_check_file_perm2(struct tomoyo_domain_info
* const domain
,
762 const struct tomoyo_path_info
*filename
,
763 const u8 perm
, const char *operation
,
766 const bool is_enforce
= (mode
== 3);
767 const char *msg
= "<unknown>";
772 error
= tomoyo_check_file_acl(domain
, filename
, perm
);
773 if (error
&& perm
== 4 &&
774 (domain
->flags
& TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ
) == 0
775 && tomoyo_is_globally_readable_file(filename
))
778 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL
);
780 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL
);
782 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL
);
784 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL
);
789 if (tomoyo_verbose_mode(domain
))
790 printk(KERN_WARNING
"TOMOYO-%s: Access '%s(%s) %s' denied "
791 "for %s\n", tomoyo_get_msg(is_enforce
), msg
, operation
,
792 filename
->name
, tomoyo_get_last_name(domain
));
795 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
796 /* Don't use patterns for execute permission. */
797 const struct tomoyo_path_info
*patterned_file
= (perm
!= 1) ?
798 tomoyo_get_file_pattern(filename
) : filename
;
799 tomoyo_update_file_acl(patterned_file
->name
, perm
,
806 * tomoyo_write_file_policy - Update file related list.
808 * @data: String to parse.
809 * @domain: Pointer to "struct tomoyo_domain_info".
810 * @is_delete: True if it is a delete request.
812 * Returns 0 on success, negative value otherwise.
814 * Caller holds tomoyo_read_lock().
816 int tomoyo_write_file_policy(char *data
, struct tomoyo_domain_info
*domain
,
817 const bool is_delete
)
819 char *filename
= strchr(data
, ' ');
827 if (sscanf(data
, "%u", &perm
) == 1)
828 return tomoyo_update_file_acl(filename
, (u8
) perm
, domain
,
830 if (strncmp(data
, "allow_", 6))
833 for (type
= 0; type
< TOMOYO_MAX_SINGLE_PATH_OPERATION
; type
++) {
834 if (strcmp(data
, tomoyo_sp_keyword
[type
]))
836 return tomoyo_update_single_path_acl(type
, filename
,
839 filename2
= strchr(filename
, ' ');
843 for (type
= 0; type
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
; type
++) {
844 if (strcmp(data
, tomoyo_dp_keyword
[type
]))
846 return tomoyo_update_double_path_acl(type
, filename
, filename2
,
854 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
856 * @type: Type of operation.
857 * @filename: Filename.
858 * @domain: Pointer to "struct tomoyo_domain_info".
859 * @is_delete: True if it is a delete request.
861 * Returns 0 on success, negative value otherwise.
863 * Caller holds tomoyo_read_lock().
865 static int tomoyo_update_single_path_acl(const u8 type
, const char *filename
,
866 struct tomoyo_domain_info
*
867 const domain
, const bool is_delete
)
869 static const u32 rw_mask
=
870 (1 << TOMOYO_TYPE_READ_ACL
) | (1 << TOMOYO_TYPE_WRITE_ACL
);
871 const struct tomoyo_path_info
*saved_filename
;
872 struct tomoyo_acl_info
*ptr
;
873 struct tomoyo_single_path_acl_record
*acl
;
875 const u32 perm
= 1 << type
;
879 if (!tomoyo_is_correct_path(filename
, 0, 0, 0, __func__
))
881 saved_filename
= tomoyo_save_name(filename
);
884 mutex_lock(&tomoyo_policy_lock
);
887 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
888 if (tomoyo_acl_type1(ptr
) != TOMOYO_TYPE_SINGLE_PATH_ACL
)
890 acl
= container_of(ptr
, struct tomoyo_single_path_acl_record
,
892 if (acl
->filename
!= saved_filename
)
894 /* Special case. Clear all bits if marked as deleted. */
895 if (ptr
->type
& TOMOYO_ACL_DELETED
)
900 acl
->perm_high
|= (perm
>> 16);
901 if ((acl
->perm
& rw_mask
) == rw_mask
)
902 acl
->perm
|= 1 << TOMOYO_TYPE_READ_WRITE_ACL
;
903 else if (acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE_ACL
))
904 acl
->perm
|= rw_mask
;
905 ptr
->type
&= ~TOMOYO_ACL_DELETED
;
909 /* Not found. Append it to the tail. */
910 acl
= kmalloc(sizeof(*acl
), GFP_KERNEL
);
911 if (!tomoyo_memory_ok(acl
)) {
916 acl
->head
.type
= TOMOYO_TYPE_SINGLE_PATH_ACL
;
920 acl
->perm_high
= (perm
>> 16);
921 if (perm
== (1 << TOMOYO_TYPE_READ_WRITE_ACL
))
922 acl
->perm
|= rw_mask
;
923 acl
->filename
= saved_filename
;
924 list_add_tail_rcu(&acl
->head
.list
, &domain
->acl_info_list
);
929 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
930 if (tomoyo_acl_type2(ptr
) != TOMOYO_TYPE_SINGLE_PATH_ACL
)
932 acl
= container_of(ptr
, struct tomoyo_single_path_acl_record
,
934 if (acl
->filename
!= saved_filename
)
939 acl
->perm_high
&= ~(perm
>> 16);
940 if ((acl
->perm
& rw_mask
) != rw_mask
)
941 acl
->perm
&= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL
);
942 else if (!(acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE_ACL
)))
943 acl
->perm
&= ~rw_mask
;
944 if (!acl
->perm
&& !acl
->perm_high
)
945 ptr
->type
|= TOMOYO_ACL_DELETED
;
950 mutex_unlock(&tomoyo_policy_lock
);
955 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
957 * @type: Type of operation.
958 * @filename1: First filename.
959 * @filename2: Second filename.
960 * @domain: Pointer to "struct tomoyo_domain_info".
961 * @is_delete: True if it is a delete request.
963 * Returns 0 on success, negative value otherwise.
965 * Caller holds tomoyo_read_lock().
967 static int tomoyo_update_double_path_acl(const u8 type
, const char *filename1
,
968 const char *filename2
,
969 struct tomoyo_domain_info
*
970 const domain
, const bool is_delete
)
972 const struct tomoyo_path_info
*saved_filename1
;
973 const struct tomoyo_path_info
*saved_filename2
;
974 struct tomoyo_acl_info
*ptr
;
975 struct tomoyo_double_path_acl_record
*acl
;
977 const u8 perm
= 1 << type
;
981 if (!tomoyo_is_correct_path(filename1
, 0, 0, 0, __func__
) ||
982 !tomoyo_is_correct_path(filename2
, 0, 0, 0, __func__
))
984 saved_filename1
= tomoyo_save_name(filename1
);
985 saved_filename2
= tomoyo_save_name(filename2
);
986 if (!saved_filename1
|| !saved_filename2
)
988 mutex_lock(&tomoyo_policy_lock
);
991 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
992 if (tomoyo_acl_type1(ptr
) != TOMOYO_TYPE_DOUBLE_PATH_ACL
)
994 acl
= container_of(ptr
, struct tomoyo_double_path_acl_record
,
996 if (acl
->filename1
!= saved_filename1
||
997 acl
->filename2
!= saved_filename2
)
999 /* Special case. Clear all bits if marked as deleted. */
1000 if (ptr
->type
& TOMOYO_ACL_DELETED
)
1003 ptr
->type
&= ~TOMOYO_ACL_DELETED
;
1007 /* Not found. Append it to the tail. */
1008 acl
= kmalloc(sizeof(*acl
), GFP_KERNEL
);
1009 if (!tomoyo_memory_ok(acl
)) {
1014 acl
->head
.type
= TOMOYO_TYPE_DOUBLE_PATH_ACL
;
1016 acl
->filename1
= saved_filename1
;
1017 acl
->filename2
= saved_filename2
;
1018 list_add_tail_rcu(&acl
->head
.list
, &domain
->acl_info_list
);
1023 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
1024 if (tomoyo_acl_type2(ptr
) != TOMOYO_TYPE_DOUBLE_PATH_ACL
)
1026 acl
= container_of(ptr
, struct tomoyo_double_path_acl_record
,
1028 if (acl
->filename1
!= saved_filename1
||
1029 acl
->filename2
!= saved_filename2
)
1033 ptr
->type
|= TOMOYO_ACL_DELETED
;
1038 mutex_unlock(&tomoyo_policy_lock
);
1043 * tomoyo_check_single_path_acl - Check permission for single path operation.
1045 * @domain: Pointer to "struct tomoyo_domain_info".
1046 * @type: Type of operation.
1047 * @filename: Filename to check.
1049 * Returns 0 on success, negative value otherwise.
1051 * Caller holds tomoyo_read_lock().
1053 static int tomoyo_check_single_path_acl(struct tomoyo_domain_info
*domain
,
1055 const struct tomoyo_path_info
*filename
)
1057 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
1059 return tomoyo_check_single_path_acl2(domain
, filename
, 1 << type
, 1);
1063 * tomoyo_check_double_path_acl - Check permission for double path operation.
1065 * @domain: Pointer to "struct tomoyo_domain_info".
1066 * @type: Type of operation.
1067 * @filename1: First filename to check.
1068 * @filename2: Second filename to check.
1070 * Returns 0 on success, -EPERM otherwise.
1072 * Caller holds tomoyo_read_lock().
1074 static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info
*domain
,
1076 const struct tomoyo_path_info
*
1078 const struct tomoyo_path_info
*
1081 struct tomoyo_acl_info
*ptr
;
1082 const u8 perm
= 1 << type
;
1085 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
1087 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
1088 struct tomoyo_double_path_acl_record
*acl
;
1089 if (tomoyo_acl_type2(ptr
) != TOMOYO_TYPE_DOUBLE_PATH_ACL
)
1091 acl
= container_of(ptr
, struct tomoyo_double_path_acl_record
,
1093 if (!(acl
->perm
& perm
))
1095 if (!tomoyo_path_matches_pattern(filename1
, acl
->filename1
))
1097 if (!tomoyo_path_matches_pattern(filename2
, acl
->filename2
))
1106 * tomoyo_check_single_path_permission2 - Check permission for single path operation.
1108 * @domain: Pointer to "struct tomoyo_domain_info".
1109 * @operation: Type of operation.
1110 * @filename: Filename to check.
1111 * @mode: Access control mode.
1113 * Returns 0 on success, negative value otherwise.
1115 * Caller holds tomoyo_read_lock().
1117 static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info
*
1118 const domain
, u8 operation
,
1119 const struct tomoyo_path_info
*
1120 filename
, const u8 mode
)
1124 const bool is_enforce
= (mode
== 3);
1129 error
= tomoyo_check_single_path_acl(domain
, operation
, filename
);
1130 msg
= tomoyo_sp2keyword(operation
);
1133 if (tomoyo_verbose_mode(domain
))
1134 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s' denied for %s\n",
1135 tomoyo_get_msg(is_enforce
), msg
, filename
->name
,
1136 tomoyo_get_last_name(domain
));
1137 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1138 const char *name
= tomoyo_get_file_pattern(filename
)->name
;
1139 tomoyo_update_single_path_acl(operation
, name
, domain
, false);
1145 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1146 * we need to check "allow_rewrite" permission if the filename is
1147 * specified by "deny_rewrite" keyword.
1149 if (!error
&& operation
== TOMOYO_TYPE_TRUNCATE_ACL
&&
1150 tomoyo_is_no_rewrite_file(filename
)) {
1151 operation
= TOMOYO_TYPE_REWRITE_ACL
;
1158 * tomoyo_check_exec_perm - Check permission for "execute".
1160 * @domain: Pointer to "struct tomoyo_domain_info".
1161 * @filename: Check permission for "execute".
1163 * Returns 0 on success, negativevalue otherwise.
1165 * Caller holds tomoyo_read_lock().
1167 int tomoyo_check_exec_perm(struct tomoyo_domain_info
*domain
,
1168 const struct tomoyo_path_info
*filename
)
1170 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1174 return tomoyo_check_file_perm2(domain
, filename
, 1, "do_execve", mode
);
1178 * tomoyo_check_open_permission - Check permission for "read" and "write".
1180 * @domain: Pointer to "struct tomoyo_domain_info".
1181 * @path: Pointer to "struct path".
1182 * @flag: Flags for open().
1184 * Returns 0 on success, negative value otherwise.
1186 int tomoyo_check_open_permission(struct tomoyo_domain_info
*domain
,
1187 struct path
*path
, const int flag
)
1189 const u8 acc_mode
= ACC_MODE(flag
);
1190 int error
= -ENOMEM
;
1191 struct tomoyo_path_info
*buf
;
1192 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1193 const bool is_enforce
= (mode
== 3);
1196 if (!mode
|| !path
->mnt
)
1200 if (path
->dentry
->d_inode
&& S_ISDIR(path
->dentry
->d_inode
->i_mode
))
1202 * I don't check directories here because mkdir() and rmdir()
1206 idx
= tomoyo_read_lock();
1207 buf
= tomoyo_get_path(path
);
1212 * If the filename is specified by "deny_rewrite" keyword,
1213 * we need to check "allow_rewrite" permission when the filename is not
1214 * opened for append mode or the filename is truncated at open time.
1216 if ((acc_mode
& MAY_WRITE
) &&
1217 ((flag
& O_TRUNC
) || !(flag
& O_APPEND
)) &&
1218 (tomoyo_is_no_rewrite_file(buf
))) {
1219 error
= tomoyo_check_single_path_permission2(domain
,
1220 TOMOYO_TYPE_REWRITE_ACL
,
1224 error
= tomoyo_check_file_perm2(domain
, buf
, acc_mode
, "open",
1226 if (!error
&& (flag
& O_TRUNC
))
1227 error
= tomoyo_check_single_path_permission2(domain
,
1228 TOMOYO_TYPE_TRUNCATE_ACL
,
1232 tomoyo_read_unlock(idx
);
1239 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1241 * @domain: Pointer to "struct tomoyo_domain_info".
1242 * @operation: Type of operation.
1243 * @path: Pointer to "struct path".
1245 * Returns 0 on success, negative value otherwise.
1247 int tomoyo_check_1path_perm(struct tomoyo_domain_info
*domain
,
1248 const u8 operation
, struct path
*path
)
1250 int error
= -ENOMEM
;
1251 struct tomoyo_path_info
*buf
;
1252 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1253 const bool is_enforce
= (mode
== 3);
1256 if (!mode
|| !path
->mnt
)
1258 idx
= tomoyo_read_lock();
1259 buf
= tomoyo_get_path(path
);
1262 switch (operation
) {
1263 case TOMOYO_TYPE_MKDIR_ACL
:
1264 case TOMOYO_TYPE_RMDIR_ACL
:
1265 case TOMOYO_TYPE_CHROOT_ACL
:
1268 * tomoyo_get_path() reserves space for appending "/."
1270 strcat((char *) buf
->name
, "/");
1271 tomoyo_fill_path_info(buf
);
1274 error
= tomoyo_check_single_path_permission2(domain
, operation
, buf
,
1278 tomoyo_read_unlock(idx
);
1285 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1287 * @domain: Pointer to "struct tomoyo_domain_info".
1288 * @filp: Pointer to "struct file".
1290 * Returns 0 on success, negative value otherwise.
1292 int tomoyo_check_rewrite_permission(struct tomoyo_domain_info
*domain
,
1295 int error
= -ENOMEM
;
1296 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1297 const bool is_enforce
= (mode
== 3);
1298 struct tomoyo_path_info
*buf
;
1301 if (!mode
|| !filp
->f_path
.mnt
)
1304 idx
= tomoyo_read_lock();
1305 buf
= tomoyo_get_path(&filp
->f_path
);
1308 if (!tomoyo_is_no_rewrite_file(buf
)) {
1312 error
= tomoyo_check_single_path_permission2(domain
,
1313 TOMOYO_TYPE_REWRITE_ACL
,
1317 tomoyo_read_unlock(idx
);
1324 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root".
1326 * @domain: Pointer to "struct tomoyo_domain_info".
1327 * @operation: Type of operation.
1328 * @path1: Pointer to "struct path".
1329 * @path2: Pointer to "struct path".
1331 * Returns 0 on success, negative value otherwise.
1333 int tomoyo_check_2path_perm(struct tomoyo_domain_info
* const domain
,
1334 const u8 operation
, struct path
*path1
,
1337 int error
= -ENOMEM
;
1338 struct tomoyo_path_info
*buf1
, *buf2
;
1339 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1340 const bool is_enforce
= (mode
== 3);
1344 if (!mode
|| !path1
->mnt
|| !path2
->mnt
)
1346 idx
= tomoyo_read_lock();
1347 buf1
= tomoyo_get_path(path1
);
1348 buf2
= tomoyo_get_path(path2
);
1352 struct dentry
*dentry
= path1
->dentry
;
1353 if (dentry
->d_inode
&& S_ISDIR(dentry
->d_inode
->i_mode
)) {
1355 * tomoyo_get_path() reserves space for appending "/."
1357 if (!buf1
->is_dir
) {
1358 strcat((char *) buf1
->name
, "/");
1359 tomoyo_fill_path_info(buf1
);
1361 if (!buf2
->is_dir
) {
1362 strcat((char *) buf2
->name
, "/");
1363 tomoyo_fill_path_info(buf2
);
1367 error
= tomoyo_check_double_path_acl(domain
, operation
, buf1
, buf2
);
1368 msg
= tomoyo_dp2keyword(operation
);
1371 if (tomoyo_verbose_mode(domain
))
1372 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s %s' "
1373 "denied for %s\n", tomoyo_get_msg(is_enforce
),
1374 msg
, buf1
->name
, buf2
->name
,
1375 tomoyo_get_last_name(domain
));
1376 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1377 const char *name1
= tomoyo_get_file_pattern(buf1
)->name
;
1378 const char *name2
= tomoyo_get_file_pattern(buf2
)->name
;
1379 tomoyo_update_double_path_acl(operation
, name1
, name2
, domain
,
1385 tomoyo_read_unlock(idx
);