2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
13 #include <linux/slab.h>
15 /* Keyword array for single path operations. */
16 static const char *tomoyo_path_keyword
[TOMOYO_MAX_PATH_OPERATION
] = {
17 [TOMOYO_TYPE_READ_WRITE
] = "read/write",
18 [TOMOYO_TYPE_EXECUTE
] = "execute",
19 [TOMOYO_TYPE_READ
] = "read",
20 [TOMOYO_TYPE_WRITE
] = "write",
21 [TOMOYO_TYPE_CREATE
] = "create",
22 [TOMOYO_TYPE_UNLINK
] = "unlink",
23 [TOMOYO_TYPE_MKDIR
] = "mkdir",
24 [TOMOYO_TYPE_RMDIR
] = "rmdir",
25 [TOMOYO_TYPE_MKFIFO
] = "mkfifo",
26 [TOMOYO_TYPE_MKSOCK
] = "mksock",
27 [TOMOYO_TYPE_MKBLOCK
] = "mkblock",
28 [TOMOYO_TYPE_MKCHAR
] = "mkchar",
29 [TOMOYO_TYPE_TRUNCATE
] = "truncate",
30 [TOMOYO_TYPE_SYMLINK
] = "symlink",
31 [TOMOYO_TYPE_REWRITE
] = "rewrite",
32 [TOMOYO_TYPE_IOCTL
] = "ioctl",
33 [TOMOYO_TYPE_CHMOD
] = "chmod",
34 [TOMOYO_TYPE_CHOWN
] = "chown",
35 [TOMOYO_TYPE_CHGRP
] = "chgrp",
36 [TOMOYO_TYPE_CHROOT
] = "chroot",
37 [TOMOYO_TYPE_MOUNT
] = "mount",
38 [TOMOYO_TYPE_UMOUNT
] = "unmount",
41 /* Keyword array for double path operations. */
42 static const char *tomoyo_path2_keyword
[TOMOYO_MAX_PATH2_OPERATION
] = {
43 [TOMOYO_TYPE_LINK
] = "link",
44 [TOMOYO_TYPE_RENAME
] = "rename",
45 [TOMOYO_TYPE_PIVOT_ROOT
] = "pivot_root",
49 * tomoyo_path2keyword - Get the name of single path operation.
51 * @operation: Type of operation.
53 * Returns the name of single path operation.
55 const char *tomoyo_path2keyword(const u8 operation
)
57 return (operation
< TOMOYO_MAX_PATH_OPERATION
)
58 ? tomoyo_path_keyword
[operation
] : NULL
;
62 * tomoyo_path22keyword - Get the name of double path operation.
64 * @operation: Type of operation.
66 * Returns the name of double path operation.
68 const char *tomoyo_path22keyword(const u8 operation
)
70 return (operation
< TOMOYO_MAX_PATH2_OPERATION
)
71 ? tomoyo_path2_keyword
[operation
] : NULL
;
75 * tomoyo_strendswith - Check whether the token ends with the given token.
77 * @name: The token to check.
78 * @tail: The token to find.
80 * Returns true if @name ends with @tail, false otherwise.
82 static bool tomoyo_strendswith(const char *name
, const char *tail
)
88 len
= strlen(name
) - strlen(tail
);
89 return len
>= 0 && !strcmp(name
+ len
, tail
);
93 * tomoyo_get_path - Get realpath.
95 * @path: Pointer to "struct path".
97 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
99 static struct tomoyo_path_info
*tomoyo_get_path(struct path
*path
)
102 struct tomoyo_path_info_with_data
*buf
= kzalloc(sizeof(*buf
),
107 /* Reserve one byte for appending "/". */
108 error
= tomoyo_realpath_from_path2(path
, buf
->body
,
109 sizeof(buf
->body
) - 2);
111 buf
->head
.name
= buf
->body
;
112 tomoyo_fill_path_info(&buf
->head
);
119 static int tomoyo_update_path2_acl(const u8 type
, const char *filename1
,
120 const char *filename2
,
121 struct tomoyo_domain_info
*const domain
,
122 const bool is_delete
);
123 static int tomoyo_update_path_acl(const u8 type
, const char *filename
,
124 struct tomoyo_domain_info
*const domain
,
125 const bool is_delete
);
128 * tomoyo_globally_readable_list is used for holding list of pathnames which
129 * are by default allowed to be open()ed for reading by any process.
131 * An entry is added by
133 * # echo 'allow_read /lib/libc-2.5.so' > \
134 * /sys/kernel/security/tomoyo/exception_policy
138 * # echo 'delete allow_read /lib/libc-2.5.so' > \
139 * /sys/kernel/security/tomoyo/exception_policy
141 * and all entries are retrieved by
143 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
145 * In the example above, any process is allowed to
146 * open("/lib/libc-2.5.so", O_RDONLY).
147 * One exception is, if the domain which current process belongs to is marked
148 * as "ignore_global_allow_read", current process can't do so unless explicitly
149 * given "allow_read /lib/libc-2.5.so" to the domain which current process
152 LIST_HEAD(tomoyo_globally_readable_list
);
155 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
157 * @filename: Filename unconditionally permitted to open() for reading.
158 * @is_delete: True if it is a delete request.
160 * Returns 0 on success, negative value otherwise.
162 * Caller holds tomoyo_read_lock().
164 static int tomoyo_update_globally_readable_entry(const char *filename
,
165 const bool is_delete
)
167 struct tomoyo_globally_readable_file_entry
*ptr
;
168 struct tomoyo_globally_readable_file_entry e
= { };
169 int error
= is_delete
? -ENOENT
: -ENOMEM
;
171 if (!tomoyo_is_correct_path(filename
, 1, 0, -1))
173 e
.filename
= tomoyo_get_name(filename
);
176 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
178 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
179 if (ptr
->filename
!= e
.filename
)
181 ptr
->is_deleted
= is_delete
;
185 if (!is_delete
&& error
) {
186 struct tomoyo_globally_readable_file_entry
*entry
=
187 tomoyo_commit_ok(&e
, sizeof(e
));
189 list_add_tail_rcu(&entry
->list
,
190 &tomoyo_globally_readable_list
);
194 mutex_unlock(&tomoyo_policy_lock
);
196 tomoyo_put_name(e
.filename
);
201 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
203 * @filename: The filename to check.
205 * Returns true if any domain can open @filename for reading, false otherwise.
207 * Caller holds tomoyo_read_lock().
209 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info
*
212 struct tomoyo_globally_readable_file_entry
*ptr
;
215 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
216 if (!ptr
->is_deleted
&&
217 tomoyo_path_matches_pattern(filename
, ptr
->filename
)) {
226 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
228 * @data: String to parse.
229 * @is_delete: True if it is a delete request.
231 * Returns 0 on success, negative value otherwise.
233 * Caller holds tomoyo_read_lock().
235 int tomoyo_write_globally_readable_policy(char *data
, const bool is_delete
)
237 return tomoyo_update_globally_readable_entry(data
, is_delete
);
241 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
243 * @head: Pointer to "struct tomoyo_io_buffer".
245 * Returns true on success, false otherwise.
247 * Caller holds tomoyo_read_lock().
249 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer
*head
)
251 struct list_head
*pos
;
254 list_for_each_cookie(pos
, head
->read_var2
,
255 &tomoyo_globally_readable_list
) {
256 struct tomoyo_globally_readable_file_entry
*ptr
;
257 ptr
= list_entry(pos
,
258 struct tomoyo_globally_readable_file_entry
,
262 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_ALLOW_READ
"%s\n",
263 ptr
->filename
->name
);
270 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
271 * converting pathnames to pathname patterns during learning mode.
273 * An entry is added by
275 * # echo 'file_pattern /proc/\$/mounts' > \
276 * /sys/kernel/security/tomoyo/exception_policy
280 * # echo 'delete file_pattern /proc/\$/mounts' > \
281 * /sys/kernel/security/tomoyo/exception_policy
283 * and all entries are retrieved by
285 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
287 * In the example above, if a process which belongs to a domain which is in
288 * learning mode requested open("/proc/1/mounts", O_RDONLY),
289 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
290 * process belongs to.
292 * It is not a desirable behavior that we have to use /proc/\$/ instead of
293 * /proc/self/ when current process needs to access only current process's
294 * information. As of now, LSM version of TOMOYO is using __d_path() for
295 * calculating pathname. Non LSM version of TOMOYO is using its own function
296 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
297 * current process from accessing other process's information.
299 LIST_HEAD(tomoyo_pattern_list
);
302 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
304 * @pattern: Pathname pattern.
305 * @is_delete: True if it is a delete request.
307 * Returns 0 on success, negative value otherwise.
309 * Caller holds tomoyo_read_lock().
311 static int tomoyo_update_file_pattern_entry(const char *pattern
,
312 const bool is_delete
)
314 struct tomoyo_pattern_entry
*ptr
;
315 struct tomoyo_pattern_entry e
= { .pattern
= tomoyo_get_name(pattern
) };
316 int error
= is_delete
? -ENOENT
: -ENOMEM
;
320 if (!e
.pattern
->is_patterned
)
322 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
324 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
325 if (e
.pattern
!= ptr
->pattern
)
327 ptr
->is_deleted
= is_delete
;
331 if (!is_delete
&& error
) {
332 struct tomoyo_pattern_entry
*entry
=
333 tomoyo_commit_ok(&e
, sizeof(e
));
335 list_add_tail_rcu(&entry
->list
, &tomoyo_pattern_list
);
339 mutex_unlock(&tomoyo_policy_lock
);
341 tomoyo_put_name(e
.pattern
);
346 * tomoyo_get_file_pattern - Get patterned pathname.
348 * @filename: The filename to find patterned pathname.
350 * Returns pointer to pathname pattern if matched, @filename otherwise.
352 * Caller holds tomoyo_read_lock().
354 static const struct tomoyo_path_info
*
355 tomoyo_get_file_pattern(const struct tomoyo_path_info
*filename
)
357 struct tomoyo_pattern_entry
*ptr
;
358 const struct tomoyo_path_info
*pattern
= NULL
;
360 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
363 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
365 pattern
= ptr
->pattern
;
366 if (tomoyo_strendswith(pattern
->name
, "/\\*")) {
367 /* Do nothing. Try to find the better match. */
369 /* This would be the better match. Use this. */
379 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
381 * @data: String to parse.
382 * @is_delete: True if it is a delete request.
384 * Returns 0 on success, negative value otherwise.
386 * Caller holds tomoyo_read_lock().
388 int tomoyo_write_pattern_policy(char *data
, const bool is_delete
)
390 return tomoyo_update_file_pattern_entry(data
, is_delete
);
394 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
396 * @head: Pointer to "struct tomoyo_io_buffer".
398 * Returns true on success, false otherwise.
400 * Caller holds tomoyo_read_lock().
402 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer
*head
)
404 struct list_head
*pos
;
407 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_pattern_list
) {
408 struct tomoyo_pattern_entry
*ptr
;
409 ptr
= list_entry(pos
, struct tomoyo_pattern_entry
, list
);
412 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_FILE_PATTERN
413 "%s\n", ptr
->pattern
->name
);
421 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
422 * default forbidden to modify already written content of a file.
424 * An entry is added by
426 * # echo 'deny_rewrite /var/log/messages' > \
427 * /sys/kernel/security/tomoyo/exception_policy
431 * # echo 'delete deny_rewrite /var/log/messages' > \
432 * /sys/kernel/security/tomoyo/exception_policy
434 * and all entries are retrieved by
436 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
438 * In the example above, if a process requested to rewrite /var/log/messages ,
439 * the process can't rewrite unless the domain which that process belongs to
440 * has "allow_rewrite /var/log/messages" entry.
442 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
443 * when we want to allow rewriting already unlink()ed file. As of now,
444 * LSM version of TOMOYO is using __d_path() for calculating pathname.
445 * Non LSM version of TOMOYO is using its own function which doesn't append
446 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
447 * need to worry whether the file is already unlink()ed or not.
449 LIST_HEAD(tomoyo_no_rewrite_list
);
452 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
454 * @pattern: Pathname pattern that are not rewritable by default.
455 * @is_delete: True if it is a delete request.
457 * Returns 0 on success, negative value otherwise.
459 * Caller holds tomoyo_read_lock().
461 static int tomoyo_update_no_rewrite_entry(const char *pattern
,
462 const bool is_delete
)
464 struct tomoyo_no_rewrite_entry
*ptr
;
465 struct tomoyo_no_rewrite_entry e
= { };
466 int error
= is_delete
? -ENOENT
: -ENOMEM
;
468 if (!tomoyo_is_correct_path(pattern
, 0, 0, 0))
470 e
.pattern
= tomoyo_get_name(pattern
);
473 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
475 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
476 if (ptr
->pattern
!= e
.pattern
)
478 ptr
->is_deleted
= is_delete
;
482 if (!is_delete
&& error
) {
483 struct tomoyo_no_rewrite_entry
*entry
=
484 tomoyo_commit_ok(&e
, sizeof(e
));
486 list_add_tail_rcu(&entry
->list
,
487 &tomoyo_no_rewrite_list
);
491 mutex_unlock(&tomoyo_policy_lock
);
493 tomoyo_put_name(e
.pattern
);
498 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
500 * @filename: Filename to check.
502 * Returns true if @filename is specified by "deny_rewrite" directive,
505 * Caller holds tomoyo_read_lock().
507 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info
*filename
)
509 struct tomoyo_no_rewrite_entry
*ptr
;
512 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
515 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
524 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
526 * @data: String to parse.
527 * @is_delete: True if it is a delete request.
529 * Returns 0 on success, negative value otherwise.
531 * Caller holds tomoyo_read_lock().
533 int tomoyo_write_no_rewrite_policy(char *data
, const bool is_delete
)
535 return tomoyo_update_no_rewrite_entry(data
, is_delete
);
539 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
541 * @head: Pointer to "struct tomoyo_io_buffer".
543 * Returns true on success, false otherwise.
545 * Caller holds tomoyo_read_lock().
547 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer
*head
)
549 struct list_head
*pos
;
552 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_no_rewrite_list
) {
553 struct tomoyo_no_rewrite_entry
*ptr
;
554 ptr
= list_entry(pos
, struct tomoyo_no_rewrite_entry
, list
);
557 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_DENY_REWRITE
558 "%s\n", ptr
->pattern
->name
);
566 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
568 * @filename: Filename.
569 * @perm: Permission (between 1 to 7).
570 * @domain: Pointer to "struct tomoyo_domain_info".
571 * @is_delete: True if it is a delete request.
573 * Returns 0 on success, negative value otherwise.
575 * This is legacy support interface for older policy syntax.
576 * Current policy syntax uses "allow_read/write" instead of "6",
577 * "allow_read" instead of "4", "allow_write" instead of "2",
578 * "allow_execute" instead of "1".
580 * Caller holds tomoyo_read_lock().
582 static int tomoyo_update_file_acl(const char *filename
, u8 perm
,
583 struct tomoyo_domain_info
* const domain
,
584 const bool is_delete
)
586 if (perm
> 7 || !perm
) {
587 printk(KERN_DEBUG
"%s: Invalid permission '%d %s'\n",
588 __func__
, perm
, filename
);
591 if (filename
[0] != '@' && tomoyo_strendswith(filename
, "/"))
593 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
594 * directory permissions.
598 tomoyo_update_path_acl(TOMOYO_TYPE_READ
, filename
, domain
,
601 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE
, filename
, domain
,
604 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE
, filename
, domain
,
610 * tomoyo_path_acl2 - Check permission for single path operation.
612 * @domain: Pointer to "struct tomoyo_domain_info".
613 * @filename: Filename to check.
615 * @may_use_pattern: True if patterned ACL is permitted.
617 * Returns 0 on success, -EPERM otherwise.
619 * Caller holds tomoyo_read_lock().
621 static int tomoyo_path_acl2(const struct tomoyo_domain_info
*domain
,
622 const struct tomoyo_path_info
*filename
,
623 const u32 perm
, const bool may_use_pattern
)
625 struct tomoyo_acl_info
*ptr
;
628 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
629 struct tomoyo_path_acl
*acl
;
630 if (ptr
->type
!= TOMOYO_TYPE_PATH_ACL
)
632 acl
= container_of(ptr
, struct tomoyo_path_acl
, head
);
633 if (perm
<= 0xFFFF) {
634 if (!(acl
->perm
& perm
))
637 if (!(acl
->perm_high
& (perm
>> 16)))
640 if (may_use_pattern
|| !acl
->filename
->is_patterned
) {
641 if (!tomoyo_path_matches_pattern(filename
,
654 * tomoyo_check_file_acl - Check permission for opening files.
656 * @domain: Pointer to "struct tomoyo_domain_info".
657 * @filename: Filename to check.
658 * @operation: Mode ("read" or "write" or "read/write" or "execute").
660 * Returns 0 on success, -EPERM otherwise.
662 * Caller holds tomoyo_read_lock().
664 static int tomoyo_check_file_acl(const struct tomoyo_domain_info
*domain
,
665 const struct tomoyo_path_info
*filename
,
670 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
673 perm
= 1 << TOMOYO_TYPE_READ_WRITE
;
674 else if (operation
== 4)
675 perm
= 1 << TOMOYO_TYPE_READ
;
676 else if (operation
== 2)
677 perm
= 1 << TOMOYO_TYPE_WRITE
;
678 else if (operation
== 1)
679 perm
= 1 << TOMOYO_TYPE_EXECUTE
;
682 return tomoyo_path_acl2(domain
, filename
, perm
, operation
!= 1);
686 * tomoyo_check_file_perm2 - Check permission for opening files.
688 * @domain: Pointer to "struct tomoyo_domain_info".
689 * @filename: Filename to check.
690 * @perm: Mode ("read" or "write" or "read/write" or "execute").
691 * @operation: Operation name passed used for verbose mode.
692 * @mode: Access control mode.
694 * Returns 0 on success, negative value otherwise.
696 * Caller holds tomoyo_read_lock().
698 static int tomoyo_check_file_perm2(struct tomoyo_domain_info
* const domain
,
699 const struct tomoyo_path_info
*filename
,
700 const u8 perm
, const char *operation
,
703 const bool is_enforce
= (mode
== 3);
704 const char *msg
= "<unknown>";
709 error
= tomoyo_check_file_acl(domain
, filename
, perm
);
710 if (error
&& perm
== 4 && !domain
->ignore_global_allow_read
711 && tomoyo_is_globally_readable_file(filename
))
714 msg
= tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE
);
716 msg
= tomoyo_path2keyword(TOMOYO_TYPE_READ
);
718 msg
= tomoyo_path2keyword(TOMOYO_TYPE_WRITE
);
720 msg
= tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE
);
725 if (tomoyo_verbose_mode(domain
))
726 printk(KERN_WARNING
"TOMOYO-%s: Access '%s(%s) %s' denied "
727 "for %s\n", tomoyo_get_msg(is_enforce
), msg
, operation
,
728 filename
->name
, tomoyo_get_last_name(domain
));
731 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
732 /* Don't use patterns for execute permission. */
733 const struct tomoyo_path_info
*patterned_file
= (perm
!= 1) ?
734 tomoyo_get_file_pattern(filename
) : filename
;
735 tomoyo_update_file_acl(patterned_file
->name
, perm
,
742 * tomoyo_write_file_policy - Update file related list.
744 * @data: String to parse.
745 * @domain: Pointer to "struct tomoyo_domain_info".
746 * @is_delete: True if it is a delete request.
748 * Returns 0 on success, negative value otherwise.
750 * Caller holds tomoyo_read_lock().
752 int tomoyo_write_file_policy(char *data
, struct tomoyo_domain_info
*domain
,
753 const bool is_delete
)
755 char *filename
= strchr(data
, ' ');
763 if (sscanf(data
, "%u", &perm
) == 1)
764 return tomoyo_update_file_acl(filename
, (u8
) perm
, domain
,
766 if (strncmp(data
, "allow_", 6))
769 for (type
= 0; type
< TOMOYO_MAX_PATH_OPERATION
; type
++) {
770 if (strcmp(data
, tomoyo_path_keyword
[type
]))
772 return tomoyo_update_path_acl(type
, filename
, domain
,
775 filename2
= strchr(filename
, ' ');
779 for (type
= 0; type
< TOMOYO_MAX_PATH2_OPERATION
; type
++) {
780 if (strcmp(data
, tomoyo_path2_keyword
[type
]))
782 return tomoyo_update_path2_acl(type
, filename
, filename2
,
790 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
792 * @type: Type of operation.
793 * @filename: Filename.
794 * @domain: Pointer to "struct tomoyo_domain_info".
795 * @is_delete: True if it is a delete request.
797 * Returns 0 on success, negative value otherwise.
799 * Caller holds tomoyo_read_lock().
801 static int tomoyo_update_path_acl(const u8 type
, const char *filename
,
802 struct tomoyo_domain_info
*const domain
,
803 const bool is_delete
)
805 static const u32 tomoyo_rw_mask
=
806 (1 << TOMOYO_TYPE_READ
) | (1 << TOMOYO_TYPE_WRITE
);
807 const u32 perm
= 1 << type
;
808 struct tomoyo_acl_info
*ptr
;
809 struct tomoyo_path_acl e
= {
810 .head
.type
= TOMOYO_TYPE_PATH_ACL
,
811 .perm_high
= perm
>> 16,
814 int error
= is_delete
? -ENOENT
: -ENOMEM
;
816 if (type
== TOMOYO_TYPE_READ_WRITE
)
817 e
.perm
|= tomoyo_rw_mask
;
820 if (!tomoyo_is_correct_path(filename
, 0, 0, 0))
822 e
.filename
= tomoyo_get_name(filename
);
825 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
827 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
828 struct tomoyo_path_acl
*acl
=
829 container_of(ptr
, struct tomoyo_path_acl
, head
);
830 if (ptr
->type
!= TOMOYO_TYPE_PATH_ACL
)
832 if (acl
->filename
!= e
.filename
)
838 acl
->perm_high
&= ~(perm
>> 16);
839 if ((acl
->perm
& tomoyo_rw_mask
) != tomoyo_rw_mask
)
840 acl
->perm
&= ~(1 << TOMOYO_TYPE_READ_WRITE
);
841 else if (!(acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE
)))
842 acl
->perm
&= ~tomoyo_rw_mask
;
847 acl
->perm_high
|= (perm
>> 16);
848 if ((acl
->perm
& tomoyo_rw_mask
) == tomoyo_rw_mask
)
849 acl
->perm
|= 1 << TOMOYO_TYPE_READ_WRITE
;
850 else if (acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE
))
851 acl
->perm
|= tomoyo_rw_mask
;
856 if (!is_delete
&& error
) {
857 struct tomoyo_path_acl
*entry
=
858 tomoyo_commit_ok(&e
, sizeof(e
));
860 list_add_tail_rcu(&entry
->head
.list
,
861 &domain
->acl_info_list
);
865 mutex_unlock(&tomoyo_policy_lock
);
867 tomoyo_put_name(e
.filename
);
872 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
874 * @type: Type of operation.
875 * @filename1: First filename.
876 * @filename2: Second filename.
877 * @domain: Pointer to "struct tomoyo_domain_info".
878 * @is_delete: True if it is a delete request.
880 * Returns 0 on success, negative value otherwise.
882 * Caller holds tomoyo_read_lock().
884 static int tomoyo_update_path2_acl(const u8 type
, const char *filename1
,
885 const char *filename2
,
886 struct tomoyo_domain_info
*const domain
,
887 const bool is_delete
)
889 const u8 perm
= 1 << type
;
890 struct tomoyo_path2_acl e
= {
891 .head
.type
= TOMOYO_TYPE_PATH2_ACL
,
894 struct tomoyo_acl_info
*ptr
;
895 int error
= is_delete
? -ENOENT
: -ENOMEM
;
899 if (!tomoyo_is_correct_path(filename1
, 0, 0, 0) ||
900 !tomoyo_is_correct_path(filename2
, 0, 0, 0))
902 e
.filename1
= tomoyo_get_name(filename1
);
903 e
.filename2
= tomoyo_get_name(filename2
);
904 if (!e
.filename1
|| !e
.filename2
)
906 if (mutex_lock_interruptible(&tomoyo_policy_lock
))
908 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
909 struct tomoyo_path2_acl
*acl
=
910 container_of(ptr
, struct tomoyo_path2_acl
, head
);
911 if (ptr
->type
!= TOMOYO_TYPE_PATH2_ACL
)
913 if (acl
->filename1
!= e
.filename1
||
914 acl
->filename2
!= e
.filename2
)
923 if (!is_delete
&& error
) {
924 struct tomoyo_path2_acl
*entry
=
925 tomoyo_commit_ok(&e
, sizeof(e
));
927 list_add_tail_rcu(&entry
->head
.list
,
928 &domain
->acl_info_list
);
932 mutex_unlock(&tomoyo_policy_lock
);
934 tomoyo_put_name(e
.filename1
);
935 tomoyo_put_name(e
.filename2
);
940 * tomoyo_path_acl - Check permission for single path operation.
942 * @domain: Pointer to "struct tomoyo_domain_info".
943 * @type: Type of operation.
944 * @filename: Filename to check.
946 * Returns 0 on success, negative value otherwise.
948 * Caller holds tomoyo_read_lock().
950 static int tomoyo_path_acl(struct tomoyo_domain_info
*domain
, const u8 type
,
951 const struct tomoyo_path_info
*filename
)
953 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
955 return tomoyo_path_acl2(domain
, filename
, 1 << type
, 1);
959 * tomoyo_path2_acl - Check permission for double path operation.
961 * @domain: Pointer to "struct tomoyo_domain_info".
962 * @type: Type of operation.
963 * @filename1: First filename to check.
964 * @filename2: Second filename to check.
966 * Returns 0 on success, -EPERM otherwise.
968 * Caller holds tomoyo_read_lock().
970 static int tomoyo_path2_acl(const struct tomoyo_domain_info
*domain
,
972 const struct tomoyo_path_info
*filename1
,
973 const struct tomoyo_path_info
*filename2
)
975 struct tomoyo_acl_info
*ptr
;
976 const u8 perm
= 1 << type
;
979 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
981 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
982 struct tomoyo_path2_acl
*acl
;
983 if (ptr
->type
!= TOMOYO_TYPE_PATH2_ACL
)
985 acl
= container_of(ptr
, struct tomoyo_path2_acl
, head
);
986 if (!(acl
->perm
& perm
))
988 if (!tomoyo_path_matches_pattern(filename1
, acl
->filename1
))
990 if (!tomoyo_path_matches_pattern(filename2
, acl
->filename2
))
999 * tomoyo_path_permission2 - Check permission for single path operation.
1001 * @domain: Pointer to "struct tomoyo_domain_info".
1002 * @operation: Type of operation.
1003 * @filename: Filename to check.
1004 * @mode: Access control mode.
1006 * Returns 0 on success, negative value otherwise.
1008 * Caller holds tomoyo_read_lock().
1010 static int tomoyo_path_permission2(struct tomoyo_domain_info
*const domain
,
1012 const struct tomoyo_path_info
*filename
,
1017 const bool is_enforce
= (mode
== 3);
1022 error
= tomoyo_path_acl(domain
, operation
, filename
);
1023 msg
= tomoyo_path2keyword(operation
);
1026 if (tomoyo_verbose_mode(domain
))
1027 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s' denied for %s\n",
1028 tomoyo_get_msg(is_enforce
), msg
, filename
->name
,
1029 tomoyo_get_last_name(domain
));
1030 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1031 const char *name
= tomoyo_get_file_pattern(filename
)->name
;
1032 tomoyo_update_path_acl(operation
, name
, domain
, false);
1038 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1039 * we need to check "allow_rewrite" permission if the filename is
1040 * specified by "deny_rewrite" keyword.
1042 if (!error
&& operation
== TOMOYO_TYPE_TRUNCATE
&&
1043 tomoyo_is_no_rewrite_file(filename
)) {
1044 operation
= TOMOYO_TYPE_REWRITE
;
1051 * tomoyo_check_exec_perm - Check permission for "execute".
1053 * @domain: Pointer to "struct tomoyo_domain_info".
1054 * @filename: Check permission for "execute".
1056 * Returns 0 on success, negativevalue otherwise.
1058 * Caller holds tomoyo_read_lock().
1060 int tomoyo_check_exec_perm(struct tomoyo_domain_info
*domain
,
1061 const struct tomoyo_path_info
*filename
)
1063 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1067 return tomoyo_check_file_perm2(domain
, filename
, 1, "do_execve", mode
);
1071 * tomoyo_check_open_permission - Check permission for "read" and "write".
1073 * @domain: Pointer to "struct tomoyo_domain_info".
1074 * @path: Pointer to "struct path".
1075 * @flag: Flags for open().
1077 * Returns 0 on success, negative value otherwise.
1079 int tomoyo_check_open_permission(struct tomoyo_domain_info
*domain
,
1080 struct path
*path
, const int flag
)
1082 const u8 acc_mode
= ACC_MODE(flag
);
1083 int error
= -ENOMEM
;
1084 struct tomoyo_path_info
*buf
;
1085 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1086 const bool is_enforce
= (mode
== 3);
1089 if (!mode
|| !path
->mnt
)
1093 if (path
->dentry
->d_inode
&& S_ISDIR(path
->dentry
->d_inode
->i_mode
))
1095 * I don't check directories here because mkdir() and rmdir()
1099 idx
= tomoyo_read_lock();
1100 buf
= tomoyo_get_path(path
);
1105 * If the filename is specified by "deny_rewrite" keyword,
1106 * we need to check "allow_rewrite" permission when the filename is not
1107 * opened for append mode or the filename is truncated at open time.
1109 if ((acc_mode
& MAY_WRITE
) &&
1110 ((flag
& O_TRUNC
) || !(flag
& O_APPEND
)) &&
1111 (tomoyo_is_no_rewrite_file(buf
))) {
1112 error
= tomoyo_path_permission2(domain
, TOMOYO_TYPE_REWRITE
,
1116 error
= tomoyo_check_file_perm2(domain
, buf
, acc_mode
, "open",
1118 if (!error
&& (flag
& O_TRUNC
))
1119 error
= tomoyo_path_permission2(domain
, TOMOYO_TYPE_TRUNCATE
,
1123 tomoyo_read_unlock(idx
);
1130 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1132 * @operation: Type of operation.
1133 * @path: Pointer to "struct path".
1135 * Returns 0 on success, negative value otherwise.
1137 int tomoyo_path_perm(const u8 operation
, struct path
*path
)
1139 int error
= -ENOMEM
;
1140 struct tomoyo_path_info
*buf
;
1141 struct tomoyo_domain_info
*domain
= tomoyo_domain();
1142 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1143 const bool is_enforce
= (mode
== 3);
1146 if (!mode
|| !path
->mnt
)
1148 idx
= tomoyo_read_lock();
1149 buf
= tomoyo_get_path(path
);
1152 switch (operation
) {
1153 case TOMOYO_TYPE_MKDIR
:
1154 case TOMOYO_TYPE_RMDIR
:
1155 case TOMOYO_TYPE_CHROOT
:
1158 * tomoyo_get_path() reserves space for appending "/."
1160 strcat((char *) buf
->name
, "/");
1161 tomoyo_fill_path_info(buf
);
1164 error
= tomoyo_path_permission2(domain
, operation
, buf
, mode
);
1167 tomoyo_read_unlock(idx
);
1174 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1176 * @filp: Pointer to "struct file".
1178 * Returns 0 on success, negative value otherwise.
1180 int tomoyo_check_rewrite_permission(struct file
*filp
)
1182 int error
= -ENOMEM
;
1183 struct tomoyo_domain_info
*domain
= tomoyo_domain();
1184 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1185 const bool is_enforce
= (mode
== 3);
1186 struct tomoyo_path_info
*buf
;
1189 if (!mode
|| !filp
->f_path
.mnt
)
1192 idx
= tomoyo_read_lock();
1193 buf
= tomoyo_get_path(&filp
->f_path
);
1196 if (!tomoyo_is_no_rewrite_file(buf
)) {
1200 error
= tomoyo_path_permission2(domain
, TOMOYO_TYPE_REWRITE
, buf
, mode
);
1203 tomoyo_read_unlock(idx
);
1210 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1212 * @operation: Type of operation.
1213 * @path1: Pointer to "struct path".
1214 * @path2: Pointer to "struct path".
1216 * Returns 0 on success, negative value otherwise.
1218 int tomoyo_path2_perm(const u8 operation
, struct path
*path1
,
1221 int error
= -ENOMEM
;
1222 struct tomoyo_path_info
*buf1
, *buf2
;
1223 struct tomoyo_domain_info
*domain
= tomoyo_domain();
1224 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1225 const bool is_enforce
= (mode
== 3);
1229 if (!mode
|| !path1
->mnt
|| !path2
->mnt
)
1231 idx
= tomoyo_read_lock();
1232 buf1
= tomoyo_get_path(path1
);
1233 buf2
= tomoyo_get_path(path2
);
1237 struct dentry
*dentry
= path1
->dentry
;
1238 if (dentry
->d_inode
&& S_ISDIR(dentry
->d_inode
->i_mode
)) {
1240 * tomoyo_get_path() reserves space for appending "/."
1242 if (!buf1
->is_dir
) {
1243 strcat((char *) buf1
->name
, "/");
1244 tomoyo_fill_path_info(buf1
);
1246 if (!buf2
->is_dir
) {
1247 strcat((char *) buf2
->name
, "/");
1248 tomoyo_fill_path_info(buf2
);
1252 error
= tomoyo_path2_acl(domain
, operation
, buf1
, buf2
);
1253 msg
= tomoyo_path22keyword(operation
);
1256 if (tomoyo_verbose_mode(domain
))
1257 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s %s' "
1258 "denied for %s\n", tomoyo_get_msg(is_enforce
),
1259 msg
, buf1
->name
, buf2
->name
,
1260 tomoyo_get_last_name(domain
));
1261 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1262 const char *name1
= tomoyo_get_file_pattern(buf1
)->name
;
1263 const char *name2
= tomoyo_get_file_pattern(buf2
)->name
;
1264 tomoyo_update_path2_acl(operation
, name1
, name2
, domain
,
1270 tomoyo_read_unlock(idx
);