search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
TOMOYO: Use stack memory for pending entry.
[linux-2.6/libata-dev.git] / security / tomoyo / file.c
blob6651cac87625e93a254e4d5a551841bae1bda77f
1 /*
2 * security/tomoyo/file.c
3 *
4 * Implementation of the Domain-Based Mandatory Access Control.
5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 *
8 * Version: 2.2.0 2009/04/01
9 *
10 */
11
12 #include "common.h"
13 #include <linux/slab.h>
14
15 /* Keyword array for single path operations. */
16 static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
17 [TOMOYO_TYPE_READ_WRITE] = "read/write",
18 [TOMOYO_TYPE_EXECUTE] = "execute",
19 [TOMOYO_TYPE_READ] = "read",
20 [TOMOYO_TYPE_WRITE] = "write",
21 [TOMOYO_TYPE_CREATE] = "create",
22 [TOMOYO_TYPE_UNLINK] = "unlink",
23 [TOMOYO_TYPE_MKDIR] = "mkdir",
24 [TOMOYO_TYPE_RMDIR] = "rmdir",
25 [TOMOYO_TYPE_MKFIFO] = "mkfifo",
26 [TOMOYO_TYPE_MKSOCK] = "mksock",
27 [TOMOYO_TYPE_MKBLOCK] = "mkblock",
28 [TOMOYO_TYPE_MKCHAR] = "mkchar",
29 [TOMOYO_TYPE_TRUNCATE] = "truncate",
30 [TOMOYO_TYPE_SYMLINK] = "symlink",
31 [TOMOYO_TYPE_REWRITE] = "rewrite",
32 [TOMOYO_TYPE_IOCTL] = "ioctl",
33 [TOMOYO_TYPE_CHMOD] = "chmod",
34 [TOMOYO_TYPE_CHOWN] = "chown",
35 [TOMOYO_TYPE_CHGRP] = "chgrp",
36 [TOMOYO_TYPE_CHROOT] = "chroot",
37 [TOMOYO_TYPE_MOUNT] = "mount",
38 [TOMOYO_TYPE_UMOUNT] = "unmount",
39 };
40
41 /* Keyword array for double path operations. */
42 static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
43 [TOMOYO_TYPE_LINK] = "link",
44 [TOMOYO_TYPE_RENAME] = "rename",
45 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
46 };
47
48 /**
49 * tomoyo_path2keyword - Get the name of single path operation.
50 *
51 * @operation: Type of operation.
52 *
53 * Returns the name of single path operation.
54 */
55 const char *tomoyo_path2keyword(const u8 operation)
56 {
57 return (operation < TOMOYO_MAX_PATH_OPERATION)
58 ? tomoyo_path_keyword[operation] : NULL;
59 }
60
61 /**
62 * tomoyo_path22keyword - Get the name of double path operation.
63 *
64 * @operation: Type of operation.
65 *
66 * Returns the name of double path operation.
67 */
68 const char *tomoyo_path22keyword(const u8 operation)
69 {
70 return (operation < TOMOYO_MAX_PATH2_OPERATION)
71 ? tomoyo_path2_keyword[operation] : NULL;
72 }
73
74 /**
75 * tomoyo_strendswith - Check whether the token ends with the given token.
76 *
77 * @name: The token to check.
78 * @tail: The token to find.
79 *
80 * Returns true if @name ends with @tail, false otherwise.
81 */
82 static bool tomoyo_strendswith(const char *name, const char *tail)
83 {
84 int len;
85
86 if (!name || !tail)
87 return false;
88 len = strlen(name) - strlen(tail);
89 return len >= 0 && !strcmp(name + len, tail);
90 }
91
92 /**
93 * tomoyo_get_path - Get realpath.
94 *
95 * @path: Pointer to "struct path".
96 *
97 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
98 */
99 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
100 {
101 int error;
102 struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf),
103 GFP_NOFS);
104
105 if (!buf)
106 return NULL;
107 /* Reserve one byte for appending "/". */
108 error = tomoyo_realpath_from_path2(path, buf->body,
109 sizeof(buf->body) - 2);
110 if (!error) {
111 buf->head.name = buf->body;
112 tomoyo_fill_path_info(&buf->head);
113 return &buf->head;
114 }
115 kfree(buf);
116 return NULL;
117 }
118
119 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
120 const char *filename2,
121 struct tomoyo_domain_info *const domain,
122 const bool is_delete);
123 static int tomoyo_update_path_acl(const u8 type, const char *filename,
124 struct tomoyo_domain_info *const domain,
125 const bool is_delete);
126
127 /*
128 * tomoyo_globally_readable_list is used for holding list of pathnames which
129 * are by default allowed to be open()ed for reading by any process.
130 *
131 * An entry is added by
132 *
133 * # echo 'allow_read /lib/libc-2.5.so' > \
134 * /sys/kernel/security/tomoyo/exception_policy
135 *
136 * and is deleted by
137 *
138 * # echo 'delete allow_read /lib/libc-2.5.so' > \
139 * /sys/kernel/security/tomoyo/exception_policy
140 *
141 * and all entries are retrieved by
142 *
143 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
144 *
145 * In the example above, any process is allowed to
146 * open("/lib/libc-2.5.so", O_RDONLY).
147 * One exception is, if the domain which current process belongs to is marked
148 * as "ignore_global_allow_read", current process can't do so unless explicitly
149 * given "allow_read /lib/libc-2.5.so" to the domain which current process
150 * belongs to.
151 */
152 LIST_HEAD(tomoyo_globally_readable_list);
153
154 /**
155 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
156 *
157 * @filename: Filename unconditionally permitted to open() for reading.
158 * @is_delete: True if it is a delete request.
159 *
160 * Returns 0 on success, negative value otherwise.
161 *
162 * Caller holds tomoyo_read_lock().
163 */
164 static int tomoyo_update_globally_readable_entry(const char *filename,
165 const bool is_delete)
166 {
167 struct tomoyo_globally_readable_file_entry *ptr;
168 struct tomoyo_globally_readable_file_entry e = { };
169 int error = is_delete ? -ENOENT : -ENOMEM;
170
171 if (!tomoyo_is_correct_path(filename, 1, 0, -1))
172 return -EINVAL;
173 e.filename = tomoyo_get_name(filename);
174 if (!e.filename)
175 return -ENOMEM;
176 if (mutex_lock_interruptible(&tomoyo_policy_lock))
177 goto out;
178 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
179 if (ptr->filename != e.filename)
180 continue;
181 ptr->is_deleted = is_delete;
182 error = 0;
183 break;
184 }
185 if (!is_delete && error) {
186 struct tomoyo_globally_readable_file_entry *entry =
187 tomoyo_commit_ok(&e, sizeof(e));
188 if (entry) {
189 list_add_tail_rcu(&entry->list,
190 &tomoyo_globally_readable_list);
191 error = 0;
192 }
193 }
194 mutex_unlock(&tomoyo_policy_lock);
195 out:
196 tomoyo_put_name(e.filename);
197 return error;
198 }
199
200 /**
201 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
202 *
203 * @filename: The filename to check.
204 *
205 * Returns true if any domain can open @filename for reading, false otherwise.
206 *
207 * Caller holds tomoyo_read_lock().
208 */
209 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
210 filename)
211 {
212 struct tomoyo_globally_readable_file_entry *ptr;
213 bool found = false;
214
215 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
216 if (!ptr->is_deleted &&
217 tomoyo_path_matches_pattern(filename, ptr->filename)) {
218 found = true;
219 break;
220 }
221 }
222 return found;
223 }
224
225 /**
226 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
227 *
228 * @data: String to parse.
229 * @is_delete: True if it is a delete request.
230 *
231 * Returns 0 on success, negative value otherwise.
232 *
233 * Caller holds tomoyo_read_lock().
234 */
235 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
236 {
237 return tomoyo_update_globally_readable_entry(data, is_delete);
238 }
239
240 /**
241 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
242 *
243 * @head: Pointer to "struct tomoyo_io_buffer".
244 *
245 * Returns true on success, false otherwise.
246 *
247 * Caller holds tomoyo_read_lock().
248 */
249 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
250 {
251 struct list_head *pos;
252 bool done = true;
253
254 list_for_each_cookie(pos, head->read_var2,
255 &tomoyo_globally_readable_list) {
256 struct tomoyo_globally_readable_file_entry *ptr;
257 ptr = list_entry(pos,
258 struct tomoyo_globally_readable_file_entry,
259 list);
260 if (ptr->is_deleted)
261 continue;
262 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
263 ptr->filename->name);
264 if (!done)
265 break;
266 }
267 return done;
268 }
269
270 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
271 * converting pathnames to pathname patterns during learning mode.
272 *
273 * An entry is added by
274 *
275 * # echo 'file_pattern /proc/\$/mounts' > \
276 * /sys/kernel/security/tomoyo/exception_policy
277 *
278 * and is deleted by
279 *
280 * # echo 'delete file_pattern /proc/\$/mounts' > \
281 * /sys/kernel/security/tomoyo/exception_policy
282 *
283 * and all entries are retrieved by
284 *
285 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
286 *
287 * In the example above, if a process which belongs to a domain which is in
288 * learning mode requested open("/proc/1/mounts", O_RDONLY),
289 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
290 * process belongs to.
291 *
292 * It is not a desirable behavior that we have to use /proc/\$/ instead of
293 * /proc/self/ when current process needs to access only current process's
294 * information. As of now, LSM version of TOMOYO is using __d_path() for
295 * calculating pathname. Non LSM version of TOMOYO is using its own function
296 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
297 * current process from accessing other process's information.
298 */
299 LIST_HEAD(tomoyo_pattern_list);
300
301 /**
302 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
303 *
304 * @pattern: Pathname pattern.
305 * @is_delete: True if it is a delete request.
306 *
307 * Returns 0 on success, negative value otherwise.
308 *
309 * Caller holds tomoyo_read_lock().
310 */
311 static int tomoyo_update_file_pattern_entry(const char *pattern,
312 const bool is_delete)
313 {
314 struct tomoyo_pattern_entry *ptr;
315 struct tomoyo_pattern_entry e = { .pattern = tomoyo_get_name(pattern) };
316 int error = is_delete ? -ENOENT : -ENOMEM;
317
318 if (!e.pattern)
319 return error;
320 if (!e.pattern->is_patterned)
321 goto out;
322 if (mutex_lock_interruptible(&tomoyo_policy_lock))
323 goto out;
324 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
325 if (e.pattern != ptr->pattern)
326 continue;
327 ptr->is_deleted = is_delete;
328 error = 0;
329 break;
330 }
331 if (!is_delete && error) {
332 struct tomoyo_pattern_entry *entry =
333 tomoyo_commit_ok(&e, sizeof(e));
334 if (entry) {
335 list_add_tail_rcu(&entry->list, &tomoyo_pattern_list);
336 error = 0;
337 }
338 }
339 mutex_unlock(&tomoyo_policy_lock);
340 out:
341 tomoyo_put_name(e.pattern);
342 return error;
343 }
344
345 /**
346 * tomoyo_get_file_pattern - Get patterned pathname.
347 *
348 * @filename: The filename to find patterned pathname.
349 *
350 * Returns pointer to pathname pattern if matched, @filename otherwise.
351 *
352 * Caller holds tomoyo_read_lock().
353 */
354 static const struct tomoyo_path_info *
355 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
356 {
357 struct tomoyo_pattern_entry *ptr;
358 const struct tomoyo_path_info *pattern = NULL;
359
360 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
361 if (ptr->is_deleted)
362 continue;
363 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
364 continue;
365 pattern = ptr->pattern;
366 if (tomoyo_strendswith(pattern->name, "/\\*")) {
367 /* Do nothing. Try to find the better match. */
368 } else {
369 /* This would be the better match. Use this. */
370 break;
371 }
372 }
373 if (pattern)
374 filename = pattern;
375 return filename;
376 }
377
378 /**
379 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
380 *
381 * @data: String to parse.
382 * @is_delete: True if it is a delete request.
383 *
384 * Returns 0 on success, negative value otherwise.
385 *
386 * Caller holds tomoyo_read_lock().
387 */
388 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
389 {
390 return tomoyo_update_file_pattern_entry(data, is_delete);
391 }
392
393 /**
394 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
395 *
396 * @head: Pointer to "struct tomoyo_io_buffer".
397 *
398 * Returns true on success, false otherwise.
399 *
400 * Caller holds tomoyo_read_lock().
401 */
402 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
403 {
404 struct list_head *pos;
405 bool done = true;
406
407 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
408 struct tomoyo_pattern_entry *ptr;
409 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
410 if (ptr->is_deleted)
411 continue;
412 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
413 "%s\n", ptr->pattern->name);
414 if (!done)
415 break;
416 }
417 return done;
418 }
419
420 /*
421 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
422 * default forbidden to modify already written content of a file.
423 *
424 * An entry is added by
425 *
426 * # echo 'deny_rewrite /var/log/messages' > \
427 * /sys/kernel/security/tomoyo/exception_policy
428 *
429 * and is deleted by
430 *
431 * # echo 'delete deny_rewrite /var/log/messages' > \
432 * /sys/kernel/security/tomoyo/exception_policy
433 *
434 * and all entries are retrieved by
435 *
436 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
437 *
438 * In the example above, if a process requested to rewrite /var/log/messages ,
439 * the process can't rewrite unless the domain which that process belongs to
440 * has "allow_rewrite /var/log/messages" entry.
441 *
442 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
443 * when we want to allow rewriting already unlink()ed file. As of now,
444 * LSM version of TOMOYO is using __d_path() for calculating pathname.
445 * Non LSM version of TOMOYO is using its own function which doesn't append
446 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
447 * need to worry whether the file is already unlink()ed or not.
448 */
449 LIST_HEAD(tomoyo_no_rewrite_list);
450
451 /**
452 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
453 *
454 * @pattern: Pathname pattern that are not rewritable by default.
455 * @is_delete: True if it is a delete request.
456 *
457 * Returns 0 on success, negative value otherwise.
458 *
459 * Caller holds tomoyo_read_lock().
460 */
461 static int tomoyo_update_no_rewrite_entry(const char *pattern,
462 const bool is_delete)
463 {
464 struct tomoyo_no_rewrite_entry *ptr;
465 struct tomoyo_no_rewrite_entry e = { };
466 int error = is_delete ? -ENOENT : -ENOMEM;
467
468 if (!tomoyo_is_correct_path(pattern, 0, 0, 0))
469 return -EINVAL;
470 e.pattern = tomoyo_get_name(pattern);
471 if (!e.pattern)
472 return error;
473 if (mutex_lock_interruptible(&tomoyo_policy_lock))
474 goto out;
475 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
476 if (ptr->pattern != e.pattern)
477 continue;
478 ptr->is_deleted = is_delete;
479 error = 0;
480 break;
481 }
482 if (!is_delete && error) {
483 struct tomoyo_no_rewrite_entry *entry =
484 tomoyo_commit_ok(&e, sizeof(e));
485 if (entry) {
486 list_add_tail_rcu(&entry->list,
487 &tomoyo_no_rewrite_list);
488 error = 0;
489 }
490 }
491 mutex_unlock(&tomoyo_policy_lock);
492 out:
493 tomoyo_put_name(e.pattern);
494 return error;
495 }
496
497 /**
498 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
499 *
500 * @filename: Filename to check.
501 *
502 * Returns true if @filename is specified by "deny_rewrite" directive,
503 * false otherwise.
504 *
505 * Caller holds tomoyo_read_lock().
506 */
507 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
508 {
509 struct tomoyo_no_rewrite_entry *ptr;
510 bool found = false;
511
512 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
513 if (ptr->is_deleted)
514 continue;
515 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
516 continue;
517 found = true;
518 break;
519 }
520 return found;
521 }
522
523 /**
524 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
525 *
526 * @data: String to parse.
527 * @is_delete: True if it is a delete request.
528 *
529 * Returns 0 on success, negative value otherwise.
530 *
531 * Caller holds tomoyo_read_lock().
532 */
533 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
534 {
535 return tomoyo_update_no_rewrite_entry(data, is_delete);
536 }
537
538 /**
539 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
540 *
541 * @head: Pointer to "struct tomoyo_io_buffer".
542 *
543 * Returns true on success, false otherwise.
544 *
545 * Caller holds tomoyo_read_lock().
546 */
547 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
548 {
549 struct list_head *pos;
550 bool done = true;
551
552 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
553 struct tomoyo_no_rewrite_entry *ptr;
554 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
555 if (ptr->is_deleted)
556 continue;
557 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
558 "%s\n", ptr->pattern->name);
559 if (!done)
560 break;
561 }
562 return done;
563 }
564
565 /**
566 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
567 *
568 * @filename: Filename.
569 * @perm: Permission (between 1 to 7).
570 * @domain: Pointer to "struct tomoyo_domain_info".
571 * @is_delete: True if it is a delete request.
572 *
573 * Returns 0 on success, negative value otherwise.
574 *
575 * This is legacy support interface for older policy syntax.
576 * Current policy syntax uses "allow_read/write" instead of "6",
577 * "allow_read" instead of "4", "allow_write" instead of "2",
578 * "allow_execute" instead of "1".
579 *
580 * Caller holds tomoyo_read_lock().
581 */
582 static int tomoyo_update_file_acl(const char *filename, u8 perm,
583 struct tomoyo_domain_info * const domain,
584 const bool is_delete)
585 {
586 if (perm > 7 || !perm) {
587 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
588 __func__, perm, filename);
589 return -EINVAL;
590 }
591 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
592 /*
593 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
594 * directory permissions.
595 */
596 return 0;
597 if (perm & 4)
598 tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain,
599 is_delete);
600 if (perm & 2)
601 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain,
602 is_delete);
603 if (perm & 1)
604 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain,
605 is_delete);
606 return 0;
607 }
608
609 /**
610 * tomoyo_path_acl2 - Check permission for single path operation.
611 *
612 * @domain: Pointer to "struct tomoyo_domain_info".
613 * @filename: Filename to check.
614 * @perm: Permission.
615 * @may_use_pattern: True if patterned ACL is permitted.
616 *
617 * Returns 0 on success, -EPERM otherwise.
618 *
619 * Caller holds tomoyo_read_lock().
620 */
621 static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain,
622 const struct tomoyo_path_info *filename,
623 const u32 perm, const bool may_use_pattern)
624 {
625 struct tomoyo_acl_info *ptr;
626 int error = -EPERM;
627
628 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
629 struct tomoyo_path_acl *acl;
630 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
631 continue;
632 acl = container_of(ptr, struct tomoyo_path_acl, head);
633 if (perm <= 0xFFFF) {
634 if (!(acl->perm & perm))
635 continue;
636 } else {
637 if (!(acl->perm_high & (perm >> 16)))
638 continue;
639 }
640 if (may_use_pattern || !acl->filename->is_patterned) {
641 if (!tomoyo_path_matches_pattern(filename,
642 acl->filename))
643 continue;
644 } else {
645 continue;
646 }
647 error = 0;
648 break;
649 }
650 return error;
651 }
652
653 /**
654 * tomoyo_check_file_acl - Check permission for opening files.
655 *
656 * @domain: Pointer to "struct tomoyo_domain_info".
657 * @filename: Filename to check.
658 * @operation: Mode ("read" or "write" or "read/write" or "execute").
659 *
660 * Returns 0 on success, -EPERM otherwise.
661 *
662 * Caller holds tomoyo_read_lock().
663 */
664 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
665 const struct tomoyo_path_info *filename,
666 const u8 operation)
667 {
668 u32 perm = 0;
669
670 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
671 return 0;
672 if (operation == 6)
673 perm = 1 << TOMOYO_TYPE_READ_WRITE;
674 else if (operation == 4)
675 perm = 1 << TOMOYO_TYPE_READ;
676 else if (operation == 2)
677 perm = 1 << TOMOYO_TYPE_WRITE;
678 else if (operation == 1)
679 perm = 1 << TOMOYO_TYPE_EXECUTE;
680 else
681 BUG();
682 return tomoyo_path_acl2(domain, filename, perm, operation != 1);
683 }
684
685 /**
686 * tomoyo_check_file_perm2 - Check permission for opening files.
687 *
688 * @domain: Pointer to "struct tomoyo_domain_info".
689 * @filename: Filename to check.
690 * @perm: Mode ("read" or "write" or "read/write" or "execute").
691 * @operation: Operation name passed used for verbose mode.
692 * @mode: Access control mode.
693 *
694 * Returns 0 on success, negative value otherwise.
695 *
696 * Caller holds tomoyo_read_lock().
697 */
698 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
699 const struct tomoyo_path_info *filename,
700 const u8 perm, const char *operation,
701 const u8 mode)
702 {
703 const bool is_enforce = (mode == 3);
704 const char *msg = "<unknown>";
705 int error = 0;
706
707 if (!filename)
708 return 0;
709 error = tomoyo_check_file_acl(domain, filename, perm);
710 if (error && perm == 4 && !domain->ignore_global_allow_read
711 && tomoyo_is_globally_readable_file(filename))
712 error = 0;
713 if (perm == 6)
714 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
715 else if (perm == 4)
716 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
717 else if (perm == 2)
718 msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
719 else if (perm == 1)
720 msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
721 else
722 BUG();
723 if (!error)
724 return 0;
725 if (tomoyo_verbose_mode(domain))
726 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied "
727 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation,
728 filename->name, tomoyo_get_last_name(domain));
729 if (is_enforce)
730 return error;
731 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
732 /* Don't use patterns for execute permission. */
733 const struct tomoyo_path_info *patterned_file = (perm != 1) ?
734 tomoyo_get_file_pattern(filename) : filename;
735 tomoyo_update_file_acl(patterned_file->name, perm,
736 domain, false);
737 }
738 return 0;
739 }
740
741 /**
742 * tomoyo_write_file_policy - Update file related list.
743 *
744 * @data: String to parse.
745 * @domain: Pointer to "struct tomoyo_domain_info".
746 * @is_delete: True if it is a delete request.
747 *
748 * Returns 0 on success, negative value otherwise.
749 *
750 * Caller holds tomoyo_read_lock().
751 */
752 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
753 const bool is_delete)
754 {
755 char *filename = strchr(data, ' ');
756 char *filename2;
757 unsigned int perm;
758 u8 type;
759
760 if (!filename)
761 return -EINVAL;
762 *filename++ = '\0';
763 if (sscanf(data, "%u", &perm) == 1)
764 return tomoyo_update_file_acl(filename, (u8) perm, domain,
765 is_delete);
766 if (strncmp(data, "allow_", 6))
767 goto out;
768 data += 6;
769 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) {
770 if (strcmp(data, tomoyo_path_keyword[type]))
771 continue;
772 return tomoyo_update_path_acl(type, filename, domain,
773 is_delete);
774 }
775 filename2 = strchr(filename, ' ');
776 if (!filename2)
777 goto out;
778 *filename2++ = '\0';
779 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) {
780 if (strcmp(data, tomoyo_path2_keyword[type]))
781 continue;
782 return tomoyo_update_path2_acl(type, filename, filename2,
783 domain, is_delete);
784 }
785 out:
786 return -EINVAL;
787 }
788
789 /**
790 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
791 *
792 * @type: Type of operation.
793 * @filename: Filename.
794 * @domain: Pointer to "struct tomoyo_domain_info".
795 * @is_delete: True if it is a delete request.
796 *
797 * Returns 0 on success, negative value otherwise.
798 *
799 * Caller holds tomoyo_read_lock().
800 */
801 static int tomoyo_update_path_acl(const u8 type, const char *filename,
802 struct tomoyo_domain_info *const domain,
803 const bool is_delete)
804 {
805 static const u32 tomoyo_rw_mask =
806 (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE);
807 const u32 perm = 1 << type;
808 struct tomoyo_acl_info *ptr;
809 struct tomoyo_path_acl e = {
810 .head.type = TOMOYO_TYPE_PATH_ACL,
811 .perm_high = perm >> 16,
812 .perm = perm
813 };
814 int error = is_delete ? -ENOENT : -ENOMEM;
815
816 if (type == TOMOYO_TYPE_READ_WRITE)
817 e.perm |= tomoyo_rw_mask;
818 if (!domain)
819 return -EINVAL;
820 if (!tomoyo_is_correct_path(filename, 0, 0, 0))
821 return -EINVAL;
822 e.filename = tomoyo_get_name(filename);
823 if (!e.filename)
824 return -ENOMEM;
825 if (mutex_lock_interruptible(&tomoyo_policy_lock))
826 goto out;
827 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
828 struct tomoyo_path_acl *acl =
829 container_of(ptr, struct tomoyo_path_acl, head);
830 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
831 continue;
832 if (acl->filename != e.filename)
833 continue;
834 if (is_delete) {
835 if (perm <= 0xFFFF)
836 acl->perm &= ~perm;
837 else
838 acl->perm_high &= ~(perm >> 16);
839 if ((acl->perm & tomoyo_rw_mask) != tomoyo_rw_mask)
840 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE);
841 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)))
842 acl->perm &= ~tomoyo_rw_mask;
843 } else {
844 if (perm <= 0xFFFF)
845 acl->perm |= perm;
846 else
847 acl->perm_high |= (perm >> 16);
848 if ((acl->perm & tomoyo_rw_mask) == tomoyo_rw_mask)
849 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE;
850 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))
851 acl->perm |= tomoyo_rw_mask;
852 }
853 error = 0;
854 break;
855 }
856 if (!is_delete && error) {
857 struct tomoyo_path_acl *entry =
858 tomoyo_commit_ok(&e, sizeof(e));
859 if (entry) {
860 list_add_tail_rcu(&entry->head.list,
861 &domain->acl_info_list);
862 error = 0;
863 }
864 }
865 mutex_unlock(&tomoyo_policy_lock);
866 out:
867 tomoyo_put_name(e.filename);
868 return error;
869 }
870
871 /**
872 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
873 *
874 * @type: Type of operation.
875 * @filename1: First filename.
876 * @filename2: Second filename.
877 * @domain: Pointer to "struct tomoyo_domain_info".
878 * @is_delete: True if it is a delete request.
879 *
880 * Returns 0 on success, negative value otherwise.
881 *
882 * Caller holds tomoyo_read_lock().
883 */
884 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
885 const char *filename2,
886 struct tomoyo_domain_info *const domain,
887 const bool is_delete)
888 {
889 const u8 perm = 1 << type;
890 struct tomoyo_path2_acl e = {
891 .head.type = TOMOYO_TYPE_PATH2_ACL,
892 .perm = perm
893 };
894 struct tomoyo_acl_info *ptr;
895 int error = is_delete ? -ENOENT : -ENOMEM;
896
897 if (!domain)
898 return -EINVAL;
899 if (!tomoyo_is_correct_path(filename1, 0, 0, 0) ||
900 !tomoyo_is_correct_path(filename2, 0, 0, 0))
901 return -EINVAL;
902 e.filename1 = tomoyo_get_name(filename1);
903 e.filename2 = tomoyo_get_name(filename2);
904 if (!e.filename1 || !e.filename2)
905 goto out;
906 if (mutex_lock_interruptible(&tomoyo_policy_lock))
907 goto out;
908 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
909 struct tomoyo_path2_acl *acl =
910 container_of(ptr, struct tomoyo_path2_acl, head);
911 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
912 continue;
913 if (acl->filename1 != e.filename1 ||
914 acl->filename2 != e.filename2)
915 continue;
916 if (is_delete)
917 acl->perm &= ~perm;
918 else
919 acl->perm |= perm;
920 error = 0;
921 break;
922 }
923 if (!is_delete && error) {
924 struct tomoyo_path2_acl *entry =
925 tomoyo_commit_ok(&e, sizeof(e));
926 if (entry) {
927 list_add_tail_rcu(&entry->head.list,
928 &domain->acl_info_list);
929 error = 0;
930 }
931 }
932 mutex_unlock(&tomoyo_policy_lock);
933 out:
934 tomoyo_put_name(e.filename1);
935 tomoyo_put_name(e.filename2);
936 return error;
937 }
938
939 /**
940 * tomoyo_path_acl - Check permission for single path operation.
941 *
942 * @domain: Pointer to "struct tomoyo_domain_info".
943 * @type: Type of operation.
944 * @filename: Filename to check.
945 *
946 * Returns 0 on success, negative value otherwise.
947 *
948 * Caller holds tomoyo_read_lock().
949 */
950 static int tomoyo_path_acl(struct tomoyo_domain_info *domain, const u8 type,
951 const struct tomoyo_path_info *filename)
952 {
953 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
954 return 0;
955 return tomoyo_path_acl2(domain, filename, 1 << type, 1);
956 }
957
958 /**
959 * tomoyo_path2_acl - Check permission for double path operation.
960 *
961 * @domain: Pointer to "struct tomoyo_domain_info".
962 * @type: Type of operation.
963 * @filename1: First filename to check.
964 * @filename2: Second filename to check.
965 *
966 * Returns 0 on success, -EPERM otherwise.
967 *
968 * Caller holds tomoyo_read_lock().
969 */
970 static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain,
971 const u8 type,
972 const struct tomoyo_path_info *filename1,
973 const struct tomoyo_path_info *filename2)
974 {
975 struct tomoyo_acl_info *ptr;
976 const u8 perm = 1 << type;
977 int error = -EPERM;
978
979 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
980 return 0;
981 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
982 struct tomoyo_path2_acl *acl;
983 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
984 continue;
985 acl = container_of(ptr, struct tomoyo_path2_acl, head);
986 if (!(acl->perm & perm))
987 continue;
988 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
989 continue;
990 if (!tomoyo_path_matches_pattern(filename2, acl->filename2))
991 continue;
992 error = 0;
993 break;
994 }
995 return error;
996 }
997
998 /**
999 * tomoyo_path_permission2 - Check permission for single path operation.
1000 *
1001 * @domain: Pointer to "struct tomoyo_domain_info".
1002 * @operation: Type of operation.
1003 * @filename: Filename to check.
1004 * @mode: Access control mode.
1005 *
1006 * Returns 0 on success, negative value otherwise.
1007 *
1008 * Caller holds tomoyo_read_lock().
1009 */
1010 static int tomoyo_path_permission2(struct tomoyo_domain_info *const domain,
1011 u8 operation,
1012 const struct tomoyo_path_info *filename,
1013 const u8 mode)
1014 {
1015 const char *msg;
1016 int error;
1017 const bool is_enforce = (mode == 3);
1018
1019 if (!mode)
1020 return 0;
1021 next:
1022 error = tomoyo_path_acl(domain, operation, filename);
1023 msg = tomoyo_path2keyword(operation);
1024 if (!error)
1025 goto ok;
1026 if (tomoyo_verbose_mode(domain))
1027 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n",
1028 tomoyo_get_msg(is_enforce), msg, filename->name,
1029 tomoyo_get_last_name(domain));
1030 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1031 const char *name = tomoyo_get_file_pattern(filename)->name;
1032 tomoyo_update_path_acl(operation, name, domain, false);
1033 }
1034 if (!is_enforce)
1035 error = 0;
1036 ok:
1037 /*
1038 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1039 * we need to check "allow_rewrite" permission if the filename is
1040 * specified by "deny_rewrite" keyword.
1041 */
1042 if (!error && operation == TOMOYO_TYPE_TRUNCATE &&
1043 tomoyo_is_no_rewrite_file(filename)) {
1044 operation = TOMOYO_TYPE_REWRITE;
1045 goto next;
1046 }
1047 return error;
1048 }
1049
1050 /**
1051 * tomoyo_check_exec_perm - Check permission for "execute".
1052 *
1053 * @domain: Pointer to "struct tomoyo_domain_info".
1054 * @filename: Check permission for "execute".
1055 *
1056 * Returns 0 on success, negativevalue otherwise.
1057 *
1058 * Caller holds tomoyo_read_lock().
1059 */
1060 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1061 const struct tomoyo_path_info *filename)
1062 {
1063 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1064
1065 if (!mode)
1066 return 0;
1067 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode);
1068 }
1069
1070 /**
1071 * tomoyo_check_open_permission - Check permission for "read" and "write".
1072 *
1073 * @domain: Pointer to "struct tomoyo_domain_info".
1074 * @path: Pointer to "struct path".
1075 * @flag: Flags for open().
1076 *
1077 * Returns 0 on success, negative value otherwise.
1078 */
1079 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1080 struct path *path, const int flag)
1081 {
1082 const u8 acc_mode = ACC_MODE(flag);
1083 int error = -ENOMEM;
1084 struct tomoyo_path_info *buf;
1085 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1086 const bool is_enforce = (mode == 3);
1087 int idx;
1088
1089 if (!mode || !path->mnt)
1090 return 0;
1091 if (acc_mode == 0)
1092 return 0;
1093 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1094 /*
1095 * I don't check directories here because mkdir() and rmdir()
1096 * don't call me.
1097 */
1098 return 0;
1099 idx = tomoyo_read_lock();
1100 buf = tomoyo_get_path(path);
1101 if (!buf)
1102 goto out;
1103 error = 0;
1104 /*
1105 * If the filename is specified by "deny_rewrite" keyword,
1106 * we need to check "allow_rewrite" permission when the filename is not
1107 * opened for append mode or the filename is truncated at open time.
1108 */
1109 if ((acc_mode & MAY_WRITE) &&
1110 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1111 (tomoyo_is_no_rewrite_file(buf))) {
1112 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE,
1113 buf, mode);
1114 }
1115 if (!error)
1116 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1117 mode);
1118 if (!error && (flag & O_TRUNC))
1119 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_TRUNCATE,
1120 buf, mode);
1121 out:
1122 kfree(buf);
1123 tomoyo_read_unlock(idx);
1124 if (!is_enforce)
1125 error = 0;
1126 return error;
1127 }
1128
1129 /**
1130 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1131 *
1132 * @operation: Type of operation.
1133 * @path: Pointer to "struct path".
1134 *
1135 * Returns 0 on success, negative value otherwise.
1136 */
1137 int tomoyo_path_perm(const u8 operation, struct path *path)
1138 {
1139 int error = -ENOMEM;
1140 struct tomoyo_path_info *buf;
1141 struct tomoyo_domain_info *domain = tomoyo_domain();
1142 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1143 const bool is_enforce = (mode == 3);
1144 int idx;
1145
1146 if (!mode || !path->mnt)
1147 return 0;
1148 idx = tomoyo_read_lock();
1149 buf = tomoyo_get_path(path);
1150 if (!buf)
1151 goto out;
1152 switch (operation) {
1153 case TOMOYO_TYPE_MKDIR:
1154 case TOMOYO_TYPE_RMDIR:
1155 case TOMOYO_TYPE_CHROOT:
1156 if (!buf->is_dir) {
1157 /*
1158 * tomoyo_get_path() reserves space for appending "/."
1159 */
1160 strcat((char *) buf->name, "/");
1161 tomoyo_fill_path_info(buf);
1162 }
1163 }
1164 error = tomoyo_path_permission2(domain, operation, buf, mode);
1165 out:
1166 kfree(buf);
1167 tomoyo_read_unlock(idx);
1168 if (!is_enforce)
1169 error = 0;
1170 return error;
1171 }
1172
1173 /**
1174 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1175 *
1176 * @filp: Pointer to "struct file".
1177 *
1178 * Returns 0 on success, negative value otherwise.
1179 */
1180 int tomoyo_check_rewrite_permission(struct file *filp)
1181 {
1182 int error = -ENOMEM;
1183 struct tomoyo_domain_info *domain = tomoyo_domain();
1184 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1185 const bool is_enforce = (mode == 3);
1186 struct tomoyo_path_info *buf;
1187 int idx;
1188
1189 if (!mode || !filp->f_path.mnt)
1190 return 0;
1191
1192 idx = tomoyo_read_lock();
1193 buf = tomoyo_get_path(&filp->f_path);
1194 if (!buf)
1195 goto out;
1196 if (!tomoyo_is_no_rewrite_file(buf)) {
1197 error = 0;
1198 goto out;
1199 }
1200 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, buf, mode);
1201 out:
1202 kfree(buf);
1203 tomoyo_read_unlock(idx);
1204 if (!is_enforce)
1205 error = 0;
1206 return error;
1207 }
1208
1209 /**
1210 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1211 *
1212 * @operation: Type of operation.
1213 * @path1: Pointer to "struct path".
1214 * @path2: Pointer to "struct path".
1215 *
1216 * Returns 0 on success, negative value otherwise.
1217 */
1218 int tomoyo_path2_perm(const u8 operation, struct path *path1,
1219 struct path *path2)
1220 {
1221 int error = -ENOMEM;
1222 struct tomoyo_path_info *buf1, *buf2;
1223 struct tomoyo_domain_info *domain = tomoyo_domain();
1224 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1225 const bool is_enforce = (mode == 3);
1226 const char *msg;
1227 int idx;
1228
1229 if (!mode || !path1->mnt || !path2->mnt)
1230 return 0;
1231 idx = tomoyo_read_lock();
1232 buf1 = tomoyo_get_path(path1);
1233 buf2 = tomoyo_get_path(path2);
1234 if (!buf1 || !buf2)
1235 goto out;
1236 {
1237 struct dentry *dentry = path1->dentry;
1238 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1239 /*
1240 * tomoyo_get_path() reserves space for appending "/."
1241 */
1242 if (!buf1->is_dir) {
1243 strcat((char *) buf1->name, "/");
1244 tomoyo_fill_path_info(buf1);
1245 }
1246 if (!buf2->is_dir) {
1247 strcat((char *) buf2->name, "/");
1248 tomoyo_fill_path_info(buf2);
1249 }
1250 }
1251 }
1252 error = tomoyo_path2_acl(domain, operation, buf1, buf2);
1253 msg = tomoyo_path22keyword(operation);
1254 if (!error)
1255 goto out;
1256 if (tomoyo_verbose_mode(domain))
1257 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' "
1258 "denied for %s\n", tomoyo_get_msg(is_enforce),
1259 msg, buf1->name, buf2->name,
1260 tomoyo_get_last_name(domain));
1261 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1262 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1263 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1264 tomoyo_update_path2_acl(operation, name1, name2, domain,
1265 false);
1266 }
1267 out:
1268 kfree(buf1);
1269 kfree(buf2);
1270 tomoyo_read_unlock(idx);
1271 if (!is_enforce)
1272 error = 0;
1273 return error;
1274 }
Linux 2.6 libata-dev (mirror)