2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
17 * tomoyo_globally_readable_file_entry is a structure which is used for holding
18 * "allow_read" entries.
19 * It has following fields.
21 * (1) "list" which is linked to tomoyo_globally_readable_list .
22 * (2) "filename" is a pathname which is allowed to open(O_RDONLY).
23 * (3) "is_deleted" is a bool which is true if marked as deleted, false
26 struct tomoyo_globally_readable_file_entry
{
27 struct list_head list
;
28 const struct tomoyo_path_info
*filename
;
33 * tomoyo_pattern_entry is a structure which is used for holding
34 * "tomoyo_pattern_list" entries.
35 * It has following fields.
37 * (1) "list" which is linked to tomoyo_pattern_list .
38 * (2) "pattern" is a pathname pattern which is used for converting pathnames
39 * to pathname patterns during learning mode.
40 * (3) "is_deleted" is a bool which is true if marked as deleted, false
43 struct tomoyo_pattern_entry
{
44 struct list_head list
;
45 const struct tomoyo_path_info
*pattern
;
50 * tomoyo_no_rewrite_entry is a structure which is used for holding
51 * "deny_rewrite" entries.
52 * It has following fields.
54 * (1) "list" which is linked to tomoyo_no_rewrite_list .
55 * (2) "pattern" is a pathname which is by default not permitted to modify
56 * already existing content.
57 * (3) "is_deleted" is a bool which is true if marked as deleted, false
60 struct tomoyo_no_rewrite_entry
{
61 struct list_head list
;
62 const struct tomoyo_path_info
*pattern
;
66 /* Keyword array for single path operations. */
67 static const char *tomoyo_sp_keyword
[TOMOYO_MAX_SINGLE_PATH_OPERATION
] = {
68 [TOMOYO_TYPE_READ_WRITE_ACL
] = "read/write",
69 [TOMOYO_TYPE_EXECUTE_ACL
] = "execute",
70 [TOMOYO_TYPE_READ_ACL
] = "read",
71 [TOMOYO_TYPE_WRITE_ACL
] = "write",
72 [TOMOYO_TYPE_CREATE_ACL
] = "create",
73 [TOMOYO_TYPE_UNLINK_ACL
] = "unlink",
74 [TOMOYO_TYPE_MKDIR_ACL
] = "mkdir",
75 [TOMOYO_TYPE_RMDIR_ACL
] = "rmdir",
76 [TOMOYO_TYPE_MKFIFO_ACL
] = "mkfifo",
77 [TOMOYO_TYPE_MKSOCK_ACL
] = "mksock",
78 [TOMOYO_TYPE_MKBLOCK_ACL
] = "mkblock",
79 [TOMOYO_TYPE_MKCHAR_ACL
] = "mkchar",
80 [TOMOYO_TYPE_TRUNCATE_ACL
] = "truncate",
81 [TOMOYO_TYPE_SYMLINK_ACL
] = "symlink",
82 [TOMOYO_TYPE_REWRITE_ACL
] = "rewrite",
83 [TOMOYO_TYPE_IOCTL_ACL
] = "ioctl",
84 [TOMOYO_TYPE_CHMOD_ACL
] = "chmod",
85 [TOMOYO_TYPE_CHOWN_ACL
] = "chown",
86 [TOMOYO_TYPE_CHGRP_ACL
] = "chgrp",
87 [TOMOYO_TYPE_CHROOT_ACL
] = "chroot",
88 [TOMOYO_TYPE_MOUNT_ACL
] = "mount",
89 [TOMOYO_TYPE_UMOUNT_ACL
] = "unmount",
92 /* Keyword array for double path operations. */
93 static const char *tomoyo_dp_keyword
[TOMOYO_MAX_DOUBLE_PATH_OPERATION
] = {
94 [TOMOYO_TYPE_LINK_ACL
] = "link",
95 [TOMOYO_TYPE_RENAME_ACL
] = "rename",
96 [TOMOYO_TYPE_PIVOT_ROOT_ACL
] = "pivot_root",
100 * tomoyo_sp2keyword - Get the name of single path operation.
102 * @operation: Type of operation.
104 * Returns the name of single path operation.
106 const char *tomoyo_sp2keyword(const u8 operation
)
108 return (operation
< TOMOYO_MAX_SINGLE_PATH_OPERATION
)
109 ? tomoyo_sp_keyword
[operation
] : NULL
;
113 * tomoyo_dp2keyword - Get the name of double path operation.
115 * @operation: Type of operation.
117 * Returns the name of double path operation.
119 const char *tomoyo_dp2keyword(const u8 operation
)
121 return (operation
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
)
122 ? tomoyo_dp_keyword
[operation
] : NULL
;
126 * tomoyo_strendswith - Check whether the token ends with the given token.
128 * @name: The token to check.
129 * @tail: The token to find.
131 * Returns true if @name ends with @tail, false otherwise.
133 static bool tomoyo_strendswith(const char *name
, const char *tail
)
139 len
= strlen(name
) - strlen(tail
);
140 return len
>= 0 && !strcmp(name
+ len
, tail
);
144 * tomoyo_get_path - Get realpath.
146 * @path: Pointer to "struct path".
148 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
150 static struct tomoyo_path_info
*tomoyo_get_path(struct path
*path
)
153 struct tomoyo_path_info_with_data
*buf
= kzalloc(sizeof(*buf
),
158 /* Reserve one byte for appending "/". */
159 error
= tomoyo_realpath_from_path2(path
, buf
->body
,
160 sizeof(buf
->body
) - 2);
162 buf
->head
.name
= buf
->body
;
163 tomoyo_fill_path_info(&buf
->head
);
170 static int tomoyo_update_double_path_acl(const u8 type
, const char *filename1
,
171 const char *filename2
,
172 struct tomoyo_domain_info
*
173 const domain
, const bool is_delete
);
174 static int tomoyo_update_single_path_acl(const u8 type
, const char *filename
,
175 struct tomoyo_domain_info
*
176 const domain
, const bool is_delete
);
179 * tomoyo_globally_readable_list is used for holding list of pathnames which
180 * are by default allowed to be open()ed for reading by any process.
182 * An entry is added by
184 * # echo 'allow_read /lib/libc-2.5.so' > \
185 * /sys/kernel/security/tomoyo/exception_policy
189 * # echo 'delete allow_read /lib/libc-2.5.so' > \
190 * /sys/kernel/security/tomoyo/exception_policy
192 * and all entries are retrieved by
194 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
196 * In the example above, any process is allowed to
197 * open("/lib/libc-2.5.so", O_RDONLY).
198 * One exception is, if the domain which current process belongs to is marked
199 * as "ignore_global_allow_read", current process can't do so unless explicitly
200 * given "allow_read /lib/libc-2.5.so" to the domain which current process
203 static LIST_HEAD(tomoyo_globally_readable_list
);
206 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
208 * @filename: Filename unconditionally permitted to open() for reading.
209 * @is_delete: True if it is a delete request.
211 * Returns 0 on success, negative value otherwise.
213 * Caller holds tomoyo_read_lock().
215 static int tomoyo_update_globally_readable_entry(const char *filename
,
216 const bool is_delete
)
218 struct tomoyo_globally_readable_file_entry
*entry
= NULL
;
219 struct tomoyo_globally_readable_file_entry
*ptr
;
220 const struct tomoyo_path_info
*saved_filename
;
221 int error
= is_delete
? -ENOENT
: -ENOMEM
;
223 if (!tomoyo_is_correct_path(filename
, 1, 0, -1, __func__
))
225 saved_filename
= tomoyo_save_name(filename
);
229 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
230 mutex_lock(&tomoyo_policy_lock
);
231 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
232 if (ptr
->filename
!= saved_filename
)
234 ptr
->is_deleted
= is_delete
;
238 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
239 entry
->filename
= saved_filename
;
240 list_add_tail_rcu(&entry
->list
, &tomoyo_globally_readable_list
);
244 mutex_unlock(&tomoyo_policy_lock
);
250 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
252 * @filename: The filename to check.
254 * Returns true if any domain can open @filename for reading, false otherwise.
256 * Caller holds tomoyo_read_lock().
258 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info
*
261 struct tomoyo_globally_readable_file_entry
*ptr
;
264 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
265 if (!ptr
->is_deleted
&&
266 tomoyo_path_matches_pattern(filename
, ptr
->filename
)) {
275 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
277 * @data: String to parse.
278 * @is_delete: True if it is a delete request.
280 * Returns 0 on success, negative value otherwise.
282 * Caller holds tomoyo_read_lock().
284 int tomoyo_write_globally_readable_policy(char *data
, const bool is_delete
)
286 return tomoyo_update_globally_readable_entry(data
, is_delete
);
290 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
292 * @head: Pointer to "struct tomoyo_io_buffer".
294 * Returns true on success, false otherwise.
296 * Caller holds tomoyo_read_lock().
298 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer
*head
)
300 struct list_head
*pos
;
303 list_for_each_cookie(pos
, head
->read_var2
,
304 &tomoyo_globally_readable_list
) {
305 struct tomoyo_globally_readable_file_entry
*ptr
;
306 ptr
= list_entry(pos
,
307 struct tomoyo_globally_readable_file_entry
,
311 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_ALLOW_READ
"%s\n",
312 ptr
->filename
->name
);
319 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
320 * converting pathnames to pathname patterns during learning mode.
322 * An entry is added by
324 * # echo 'file_pattern /proc/\$/mounts' > \
325 * /sys/kernel/security/tomoyo/exception_policy
329 * # echo 'delete file_pattern /proc/\$/mounts' > \
330 * /sys/kernel/security/tomoyo/exception_policy
332 * and all entries are retrieved by
334 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
336 * In the example above, if a process which belongs to a domain which is in
337 * learning mode requested open("/proc/1/mounts", O_RDONLY),
338 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
339 * process belongs to.
341 * It is not a desirable behavior that we have to use /proc/\$/ instead of
342 * /proc/self/ when current process needs to access only current process's
343 * information. As of now, LSM version of TOMOYO is using __d_path() for
344 * calculating pathname. Non LSM version of TOMOYO is using its own function
345 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
346 * current process from accessing other process's information.
348 static LIST_HEAD(tomoyo_pattern_list
);
351 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
353 * @pattern: Pathname pattern.
354 * @is_delete: True if it is a delete request.
356 * Returns 0 on success, negative value otherwise.
358 * Caller holds tomoyo_read_lock().
360 static int tomoyo_update_file_pattern_entry(const char *pattern
,
361 const bool is_delete
)
363 struct tomoyo_pattern_entry
*entry
= NULL
;
364 struct tomoyo_pattern_entry
*ptr
;
365 const struct tomoyo_path_info
*saved_pattern
;
366 int error
= is_delete
? -ENOENT
: -ENOMEM
;
368 saved_pattern
= tomoyo_save_name(pattern
);
371 if (!saved_pattern
->is_patterned
)
374 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
375 mutex_lock(&tomoyo_policy_lock
);
376 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
377 if (saved_pattern
!= ptr
->pattern
)
379 ptr
->is_deleted
= is_delete
;
383 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
384 entry
->pattern
= saved_pattern
;
385 list_add_tail_rcu(&entry
->list
, &tomoyo_pattern_list
);
389 mutex_unlock(&tomoyo_policy_lock
);
396 * tomoyo_get_file_pattern - Get patterned pathname.
398 * @filename: The filename to find patterned pathname.
400 * Returns pointer to pathname pattern if matched, @filename otherwise.
402 * Caller holds tomoyo_read_lock().
404 static const struct tomoyo_path_info
*
405 tomoyo_get_file_pattern(const struct tomoyo_path_info
*filename
)
407 struct tomoyo_pattern_entry
*ptr
;
408 const struct tomoyo_path_info
*pattern
= NULL
;
410 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
413 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
415 pattern
= ptr
->pattern
;
416 if (tomoyo_strendswith(pattern
->name
, "/\\*")) {
417 /* Do nothing. Try to find the better match. */
419 /* This would be the better match. Use this. */
429 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
431 * @data: String to parse.
432 * @is_delete: True if it is a delete request.
434 * Returns 0 on success, negative value otherwise.
436 * Caller holds tomoyo_read_lock().
438 int tomoyo_write_pattern_policy(char *data
, const bool is_delete
)
440 return tomoyo_update_file_pattern_entry(data
, is_delete
);
444 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
446 * @head: Pointer to "struct tomoyo_io_buffer".
448 * Returns true on success, false otherwise.
450 * Caller holds tomoyo_read_lock().
452 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer
*head
)
454 struct list_head
*pos
;
457 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_pattern_list
) {
458 struct tomoyo_pattern_entry
*ptr
;
459 ptr
= list_entry(pos
, struct tomoyo_pattern_entry
, list
);
462 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_FILE_PATTERN
463 "%s\n", ptr
->pattern
->name
);
471 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
472 * default forbidden to modify already written content of a file.
474 * An entry is added by
476 * # echo 'deny_rewrite /var/log/messages' > \
477 * /sys/kernel/security/tomoyo/exception_policy
481 * # echo 'delete deny_rewrite /var/log/messages' > \
482 * /sys/kernel/security/tomoyo/exception_policy
484 * and all entries are retrieved by
486 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
488 * In the example above, if a process requested to rewrite /var/log/messages ,
489 * the process can't rewrite unless the domain which that process belongs to
490 * has "allow_rewrite /var/log/messages" entry.
492 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
493 * when we want to allow rewriting already unlink()ed file. As of now,
494 * LSM version of TOMOYO is using __d_path() for calculating pathname.
495 * Non LSM version of TOMOYO is using its own function which doesn't append
496 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
497 * need to worry whether the file is already unlink()ed or not.
499 static LIST_HEAD(tomoyo_no_rewrite_list
);
502 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
504 * @pattern: Pathname pattern that are not rewritable by default.
505 * @is_delete: True if it is a delete request.
507 * Returns 0 on success, negative value otherwise.
509 * Caller holds tomoyo_read_lock().
511 static int tomoyo_update_no_rewrite_entry(const char *pattern
,
512 const bool is_delete
)
514 struct tomoyo_no_rewrite_entry
*entry
= NULL
;
515 struct tomoyo_no_rewrite_entry
*ptr
;
516 const struct tomoyo_path_info
*saved_pattern
;
517 int error
= is_delete
? -ENOENT
: -ENOMEM
;
519 if (!tomoyo_is_correct_path(pattern
, 0, 0, 0, __func__
))
521 saved_pattern
= tomoyo_save_name(pattern
);
525 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
526 mutex_lock(&tomoyo_policy_lock
);
527 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
528 if (ptr
->pattern
!= saved_pattern
)
530 ptr
->is_deleted
= is_delete
;
534 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
535 entry
->pattern
= saved_pattern
;
536 list_add_tail_rcu(&entry
->list
, &tomoyo_no_rewrite_list
);
540 mutex_unlock(&tomoyo_policy_lock
);
546 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
548 * @filename: Filename to check.
550 * Returns true if @filename is specified by "deny_rewrite" directive,
553 * Caller holds tomoyo_read_lock().
555 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info
*filename
)
557 struct tomoyo_no_rewrite_entry
*ptr
;
560 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
563 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
572 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
574 * @data: String to parse.
575 * @is_delete: True if it is a delete request.
577 * Returns 0 on success, negative value otherwise.
579 * Caller holds tomoyo_read_lock().
581 int tomoyo_write_no_rewrite_policy(char *data
, const bool is_delete
)
583 return tomoyo_update_no_rewrite_entry(data
, is_delete
);
587 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
589 * @head: Pointer to "struct tomoyo_io_buffer".
591 * Returns true on success, false otherwise.
593 * Caller holds tomoyo_read_lock().
595 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer
*head
)
597 struct list_head
*pos
;
600 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_no_rewrite_list
) {
601 struct tomoyo_no_rewrite_entry
*ptr
;
602 ptr
= list_entry(pos
, struct tomoyo_no_rewrite_entry
, list
);
605 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_DENY_REWRITE
606 "%s\n", ptr
->pattern
->name
);
614 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
616 * @filename: Filename.
617 * @perm: Permission (between 1 to 7).
618 * @domain: Pointer to "struct tomoyo_domain_info".
619 * @is_delete: True if it is a delete request.
621 * Returns 0 on success, negative value otherwise.
623 * This is legacy support interface for older policy syntax.
624 * Current policy syntax uses "allow_read/write" instead of "6",
625 * "allow_read" instead of "4", "allow_write" instead of "2",
626 * "allow_execute" instead of "1".
628 * Caller holds tomoyo_read_lock().
630 static int tomoyo_update_file_acl(const char *filename
, u8 perm
,
631 struct tomoyo_domain_info
* const domain
,
632 const bool is_delete
)
634 if (perm
> 7 || !perm
) {
635 printk(KERN_DEBUG
"%s: Invalid permission '%d %s'\n",
636 __func__
, perm
, filename
);
639 if (filename
[0] != '@' && tomoyo_strendswith(filename
, "/"))
641 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
642 * directory permissions.
646 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL
, filename
,
649 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL
, filename
,
652 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL
,
653 filename
, domain
, is_delete
);
658 * tomoyo_check_single_path_acl2 - Check permission for single path operation.
660 * @domain: Pointer to "struct tomoyo_domain_info".
661 * @filename: Filename to check.
663 * @may_use_pattern: True if patterned ACL is permitted.
665 * Returns 0 on success, -EPERM otherwise.
667 * Caller holds tomoyo_read_lock().
669 static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info
*
671 const struct tomoyo_path_info
*
674 const bool may_use_pattern
)
676 struct tomoyo_acl_info
*ptr
;
679 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
680 struct tomoyo_single_path_acl_record
*acl
;
681 if (ptr
->type
!= TOMOYO_TYPE_SINGLE_PATH_ACL
)
683 acl
= container_of(ptr
, struct tomoyo_single_path_acl_record
,
685 if (perm
<= 0xFFFF) {
686 if (!(acl
->perm
& perm
))
689 if (!(acl
->perm_high
& (perm
>> 16)))
692 if (may_use_pattern
|| !acl
->filename
->is_patterned
) {
693 if (!tomoyo_path_matches_pattern(filename
,
706 * tomoyo_check_file_acl - Check permission for opening files.
708 * @domain: Pointer to "struct tomoyo_domain_info".
709 * @filename: Filename to check.
710 * @operation: Mode ("read" or "write" or "read/write" or "execute").
712 * Returns 0 on success, -EPERM otherwise.
714 * Caller holds tomoyo_read_lock().
716 static int tomoyo_check_file_acl(const struct tomoyo_domain_info
*domain
,
717 const struct tomoyo_path_info
*filename
,
722 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
725 perm
= 1 << TOMOYO_TYPE_READ_WRITE_ACL
;
726 else if (operation
== 4)
727 perm
= 1 << TOMOYO_TYPE_READ_ACL
;
728 else if (operation
== 2)
729 perm
= 1 << TOMOYO_TYPE_WRITE_ACL
;
730 else if (operation
== 1)
731 perm
= 1 << TOMOYO_TYPE_EXECUTE_ACL
;
734 return tomoyo_check_single_path_acl2(domain
, filename
, perm
,
739 * tomoyo_check_file_perm2 - Check permission for opening files.
741 * @domain: Pointer to "struct tomoyo_domain_info".
742 * @filename: Filename to check.
743 * @perm: Mode ("read" or "write" or "read/write" or "execute").
744 * @operation: Operation name passed used for verbose mode.
745 * @mode: Access control mode.
747 * Returns 0 on success, negative value otherwise.
749 * Caller holds tomoyo_read_lock().
751 static int tomoyo_check_file_perm2(struct tomoyo_domain_info
* const domain
,
752 const struct tomoyo_path_info
*filename
,
753 const u8 perm
, const char *operation
,
756 const bool is_enforce
= (mode
== 3);
757 const char *msg
= "<unknown>";
762 error
= tomoyo_check_file_acl(domain
, filename
, perm
);
763 if (error
&& perm
== 4 && !domain
->ignore_global_allow_read
764 && tomoyo_is_globally_readable_file(filename
))
767 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL
);
769 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL
);
771 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL
);
773 msg
= tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL
);
778 if (tomoyo_verbose_mode(domain
))
779 printk(KERN_WARNING
"TOMOYO-%s: Access '%s(%s) %s' denied "
780 "for %s\n", tomoyo_get_msg(is_enforce
), msg
, operation
,
781 filename
->name
, tomoyo_get_last_name(domain
));
784 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
785 /* Don't use patterns for execute permission. */
786 const struct tomoyo_path_info
*patterned_file
= (perm
!= 1) ?
787 tomoyo_get_file_pattern(filename
) : filename
;
788 tomoyo_update_file_acl(patterned_file
->name
, perm
,
795 * tomoyo_write_file_policy - Update file related list.
797 * @data: String to parse.
798 * @domain: Pointer to "struct tomoyo_domain_info".
799 * @is_delete: True if it is a delete request.
801 * Returns 0 on success, negative value otherwise.
803 * Caller holds tomoyo_read_lock().
805 int tomoyo_write_file_policy(char *data
, struct tomoyo_domain_info
*domain
,
806 const bool is_delete
)
808 char *filename
= strchr(data
, ' ');
816 if (sscanf(data
, "%u", &perm
) == 1)
817 return tomoyo_update_file_acl(filename
, (u8
) perm
, domain
,
819 if (strncmp(data
, "allow_", 6))
822 for (type
= 0; type
< TOMOYO_MAX_SINGLE_PATH_OPERATION
; type
++) {
823 if (strcmp(data
, tomoyo_sp_keyword
[type
]))
825 return tomoyo_update_single_path_acl(type
, filename
,
828 filename2
= strchr(filename
, ' ');
832 for (type
= 0; type
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
; type
++) {
833 if (strcmp(data
, tomoyo_dp_keyword
[type
]))
835 return tomoyo_update_double_path_acl(type
, filename
, filename2
,
843 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
845 * @type: Type of operation.
846 * @filename: Filename.
847 * @domain: Pointer to "struct tomoyo_domain_info".
848 * @is_delete: True if it is a delete request.
850 * Returns 0 on success, negative value otherwise.
852 * Caller holds tomoyo_read_lock().
854 static int tomoyo_update_single_path_acl(const u8 type
, const char *filename
,
855 struct tomoyo_domain_info
*
856 const domain
, const bool is_delete
)
858 static const u32 rw_mask
=
859 (1 << TOMOYO_TYPE_READ_ACL
) | (1 << TOMOYO_TYPE_WRITE_ACL
);
860 const struct tomoyo_path_info
*saved_filename
;
861 struct tomoyo_acl_info
*ptr
;
862 struct tomoyo_single_path_acl_record
*entry
= NULL
;
863 int error
= is_delete
? -ENOENT
: -ENOMEM
;
864 const u32 perm
= 1 << type
;
868 if (!tomoyo_is_correct_path(filename
, 0, 0, 0, __func__
))
870 saved_filename
= tomoyo_save_name(filename
);
874 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
875 mutex_lock(&tomoyo_policy_lock
);
876 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
877 struct tomoyo_single_path_acl_record
*acl
=
878 container_of(ptr
, struct tomoyo_single_path_acl_record
,
880 if (ptr
->type
!= TOMOYO_TYPE_SINGLE_PATH_ACL
)
882 if (acl
->filename
!= saved_filename
)
888 acl
->perm_high
&= ~(perm
>> 16);
889 if ((acl
->perm
& rw_mask
) != rw_mask
)
890 acl
->perm
&= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL
);
891 else if (!(acl
->perm
&
892 (1 << TOMOYO_TYPE_READ_WRITE_ACL
)))
893 acl
->perm
&= ~rw_mask
;
898 acl
->perm_high
|= (perm
>> 16);
899 if ((acl
->perm
& rw_mask
) == rw_mask
)
900 acl
->perm
|= 1 << TOMOYO_TYPE_READ_WRITE_ACL
;
901 else if (acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE_ACL
))
902 acl
->perm
|= rw_mask
;
907 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
908 entry
->head
.type
= TOMOYO_TYPE_SINGLE_PATH_ACL
;
912 entry
->perm_high
= (perm
>> 16);
913 if (perm
== (1 << TOMOYO_TYPE_READ_WRITE_ACL
))
914 entry
->perm
|= rw_mask
;
915 entry
->filename
= saved_filename
;
916 list_add_tail_rcu(&entry
->head
.list
, &domain
->acl_info_list
);
920 mutex_unlock(&tomoyo_policy_lock
);
926 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
928 * @type: Type of operation.
929 * @filename1: First filename.
930 * @filename2: Second filename.
931 * @domain: Pointer to "struct tomoyo_domain_info".
932 * @is_delete: True if it is a delete request.
934 * Returns 0 on success, negative value otherwise.
936 * Caller holds tomoyo_read_lock().
938 static int tomoyo_update_double_path_acl(const u8 type
, const char *filename1
,
939 const char *filename2
,
940 struct tomoyo_domain_info
*
941 const domain
, const bool is_delete
)
943 const struct tomoyo_path_info
*saved_filename1
;
944 const struct tomoyo_path_info
*saved_filename2
;
945 struct tomoyo_acl_info
*ptr
;
946 struct tomoyo_double_path_acl_record
*entry
= NULL
;
947 int error
= is_delete
? -ENOENT
: -ENOMEM
;
948 const u8 perm
= 1 << type
;
952 if (!tomoyo_is_correct_path(filename1
, 0, 0, 0, __func__
) ||
953 !tomoyo_is_correct_path(filename2
, 0, 0, 0, __func__
))
955 saved_filename1
= tomoyo_save_name(filename1
);
956 saved_filename2
= tomoyo_save_name(filename2
);
957 if (!saved_filename1
|| !saved_filename2
)
960 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
961 mutex_lock(&tomoyo_policy_lock
);
962 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
963 struct tomoyo_double_path_acl_record
*acl
=
964 container_of(ptr
, struct tomoyo_double_path_acl_record
,
966 if (ptr
->type
!= TOMOYO_TYPE_DOUBLE_PATH_ACL
)
968 if (acl
->filename1
!= saved_filename1
||
969 acl
->filename2
!= saved_filename2
)
978 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
979 entry
->head
.type
= TOMOYO_TYPE_DOUBLE_PATH_ACL
;
981 entry
->filename1
= saved_filename1
;
982 entry
->filename2
= saved_filename2
;
983 list_add_tail_rcu(&entry
->head
.list
, &domain
->acl_info_list
);
987 mutex_unlock(&tomoyo_policy_lock
);
994 * tomoyo_check_single_path_acl - Check permission for single path operation.
996 * @domain: Pointer to "struct tomoyo_domain_info".
997 * @type: Type of operation.
998 * @filename: Filename to check.
1000 * Returns 0 on success, negative value otherwise.
1002 * Caller holds tomoyo_read_lock().
1004 static int tomoyo_check_single_path_acl(struct tomoyo_domain_info
*domain
,
1006 const struct tomoyo_path_info
*filename
)
1008 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
1010 return tomoyo_check_single_path_acl2(domain
, filename
, 1 << type
, 1);
1014 * tomoyo_check_double_path_acl - Check permission for double path operation.
1016 * @domain: Pointer to "struct tomoyo_domain_info".
1017 * @type: Type of operation.
1018 * @filename1: First filename to check.
1019 * @filename2: Second filename to check.
1021 * Returns 0 on success, -EPERM otherwise.
1023 * Caller holds tomoyo_read_lock().
1025 static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info
*domain
,
1027 const struct tomoyo_path_info
*
1029 const struct tomoyo_path_info
*
1032 struct tomoyo_acl_info
*ptr
;
1033 const u8 perm
= 1 << type
;
1036 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
1038 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
1039 struct tomoyo_double_path_acl_record
*acl
;
1040 if (ptr
->type
!= TOMOYO_TYPE_DOUBLE_PATH_ACL
)
1042 acl
= container_of(ptr
, struct tomoyo_double_path_acl_record
,
1044 if (!(acl
->perm
& perm
))
1046 if (!tomoyo_path_matches_pattern(filename1
, acl
->filename1
))
1048 if (!tomoyo_path_matches_pattern(filename2
, acl
->filename2
))
1057 * tomoyo_check_single_path_permission2 - Check permission for single path operation.
1059 * @domain: Pointer to "struct tomoyo_domain_info".
1060 * @operation: Type of operation.
1061 * @filename: Filename to check.
1062 * @mode: Access control mode.
1064 * Returns 0 on success, negative value otherwise.
1066 * Caller holds tomoyo_read_lock().
1068 static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info
*
1069 const domain
, u8 operation
,
1070 const struct tomoyo_path_info
*
1071 filename
, const u8 mode
)
1075 const bool is_enforce
= (mode
== 3);
1080 error
= tomoyo_check_single_path_acl(domain
, operation
, filename
);
1081 msg
= tomoyo_sp2keyword(operation
);
1084 if (tomoyo_verbose_mode(domain
))
1085 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s' denied for %s\n",
1086 tomoyo_get_msg(is_enforce
), msg
, filename
->name
,
1087 tomoyo_get_last_name(domain
));
1088 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1089 const char *name
= tomoyo_get_file_pattern(filename
)->name
;
1090 tomoyo_update_single_path_acl(operation
, name
, domain
, false);
1096 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1097 * we need to check "allow_rewrite" permission if the filename is
1098 * specified by "deny_rewrite" keyword.
1100 if (!error
&& operation
== TOMOYO_TYPE_TRUNCATE_ACL
&&
1101 tomoyo_is_no_rewrite_file(filename
)) {
1102 operation
= TOMOYO_TYPE_REWRITE_ACL
;
1109 * tomoyo_check_exec_perm - Check permission for "execute".
1111 * @domain: Pointer to "struct tomoyo_domain_info".
1112 * @filename: Check permission for "execute".
1114 * Returns 0 on success, negativevalue otherwise.
1116 * Caller holds tomoyo_read_lock().
1118 int tomoyo_check_exec_perm(struct tomoyo_domain_info
*domain
,
1119 const struct tomoyo_path_info
*filename
)
1121 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1125 return tomoyo_check_file_perm2(domain
, filename
, 1, "do_execve", mode
);
1129 * tomoyo_check_open_permission - Check permission for "read" and "write".
1131 * @domain: Pointer to "struct tomoyo_domain_info".
1132 * @path: Pointer to "struct path".
1133 * @flag: Flags for open().
1135 * Returns 0 on success, negative value otherwise.
1137 int tomoyo_check_open_permission(struct tomoyo_domain_info
*domain
,
1138 struct path
*path
, const int flag
)
1140 const u8 acc_mode
= ACC_MODE(flag
);
1141 int error
= -ENOMEM
;
1142 struct tomoyo_path_info
*buf
;
1143 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1144 const bool is_enforce
= (mode
== 3);
1147 if (!mode
|| !path
->mnt
)
1151 if (path
->dentry
->d_inode
&& S_ISDIR(path
->dentry
->d_inode
->i_mode
))
1153 * I don't check directories here because mkdir() and rmdir()
1157 idx
= tomoyo_read_lock();
1158 buf
= tomoyo_get_path(path
);
1163 * If the filename is specified by "deny_rewrite" keyword,
1164 * we need to check "allow_rewrite" permission when the filename is not
1165 * opened for append mode or the filename is truncated at open time.
1167 if ((acc_mode
& MAY_WRITE
) &&
1168 ((flag
& O_TRUNC
) || !(flag
& O_APPEND
)) &&
1169 (tomoyo_is_no_rewrite_file(buf
))) {
1170 error
= tomoyo_check_single_path_permission2(domain
,
1171 TOMOYO_TYPE_REWRITE_ACL
,
1175 error
= tomoyo_check_file_perm2(domain
, buf
, acc_mode
, "open",
1177 if (!error
&& (flag
& O_TRUNC
))
1178 error
= tomoyo_check_single_path_permission2(domain
,
1179 TOMOYO_TYPE_TRUNCATE_ACL
,
1183 tomoyo_read_unlock(idx
);
1190 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1192 * @domain: Pointer to "struct tomoyo_domain_info".
1193 * @operation: Type of operation.
1194 * @path: Pointer to "struct path".
1196 * Returns 0 on success, negative value otherwise.
1198 int tomoyo_check_1path_perm(struct tomoyo_domain_info
*domain
,
1199 const u8 operation
, struct path
*path
)
1201 int error
= -ENOMEM
;
1202 struct tomoyo_path_info
*buf
;
1203 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1204 const bool is_enforce
= (mode
== 3);
1207 if (!mode
|| !path
->mnt
)
1209 idx
= tomoyo_read_lock();
1210 buf
= tomoyo_get_path(path
);
1213 switch (operation
) {
1214 case TOMOYO_TYPE_MKDIR_ACL
:
1215 case TOMOYO_TYPE_RMDIR_ACL
:
1216 case TOMOYO_TYPE_CHROOT_ACL
:
1219 * tomoyo_get_path() reserves space for appending "/."
1221 strcat((char *) buf
->name
, "/");
1222 tomoyo_fill_path_info(buf
);
1225 error
= tomoyo_check_single_path_permission2(domain
, operation
, buf
,
1229 tomoyo_read_unlock(idx
);
1236 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1238 * @domain: Pointer to "struct tomoyo_domain_info".
1239 * @filp: Pointer to "struct file".
1241 * Returns 0 on success, negative value otherwise.
1243 int tomoyo_check_rewrite_permission(struct tomoyo_domain_info
*domain
,
1246 int error
= -ENOMEM
;
1247 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1248 const bool is_enforce
= (mode
== 3);
1249 struct tomoyo_path_info
*buf
;
1252 if (!mode
|| !filp
->f_path
.mnt
)
1255 idx
= tomoyo_read_lock();
1256 buf
= tomoyo_get_path(&filp
->f_path
);
1259 if (!tomoyo_is_no_rewrite_file(buf
)) {
1263 error
= tomoyo_check_single_path_permission2(domain
,
1264 TOMOYO_TYPE_REWRITE_ACL
,
1268 tomoyo_read_unlock(idx
);
1275 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root".
1277 * @domain: Pointer to "struct tomoyo_domain_info".
1278 * @operation: Type of operation.
1279 * @path1: Pointer to "struct path".
1280 * @path2: Pointer to "struct path".
1282 * Returns 0 on success, negative value otherwise.
1284 int tomoyo_check_2path_perm(struct tomoyo_domain_info
* const domain
,
1285 const u8 operation
, struct path
*path1
,
1288 int error
= -ENOMEM
;
1289 struct tomoyo_path_info
*buf1
, *buf2
;
1290 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1291 const bool is_enforce
= (mode
== 3);
1295 if (!mode
|| !path1
->mnt
|| !path2
->mnt
)
1297 idx
= tomoyo_read_lock();
1298 buf1
= tomoyo_get_path(path1
);
1299 buf2
= tomoyo_get_path(path2
);
1303 struct dentry
*dentry
= path1
->dentry
;
1304 if (dentry
->d_inode
&& S_ISDIR(dentry
->d_inode
->i_mode
)) {
1306 * tomoyo_get_path() reserves space for appending "/."
1308 if (!buf1
->is_dir
) {
1309 strcat((char *) buf1
->name
, "/");
1310 tomoyo_fill_path_info(buf1
);
1312 if (!buf2
->is_dir
) {
1313 strcat((char *) buf2
->name
, "/");
1314 tomoyo_fill_path_info(buf2
);
1318 error
= tomoyo_check_double_path_acl(domain
, operation
, buf1
, buf2
);
1319 msg
= tomoyo_dp2keyword(operation
);
1322 if (tomoyo_verbose_mode(domain
))
1323 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s %s' "
1324 "denied for %s\n", tomoyo_get_msg(is_enforce
),
1325 msg
, buf1
->name
, buf2
->name
,
1326 tomoyo_get_last_name(domain
));
1327 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1328 const char *name1
= tomoyo_get_file_pattern(buf1
)->name
;
1329 const char *name2
= tomoyo_get_file_pattern(buf2
)->name
;
1330 tomoyo_update_double_path_acl(operation
, name1
, name2
, domain
,
1336 tomoyo_read_unlock(idx
);