search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
TOMOYO: Add mount restriction.
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / security / tomoyo / file.c
blobae32cab8ec7ec7f30da6f385c34c659e77531708
1 /*
2 * security/tomoyo/file.c
3 *
4 * Implementation of the Domain-Based Mandatory Access Control.
5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 *
8 * Version: 2.2.0 2009/04/01
9 *
10 */
11
12 #include "common.h"
13 #include <linux/slab.h>
14
15 /* Keyword array for operations with one pathname. */
16 static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
17 [TOMOYO_TYPE_READ_WRITE] = "read/write",
18 [TOMOYO_TYPE_EXECUTE] = "execute",
19 [TOMOYO_TYPE_READ] = "read",
20 [TOMOYO_TYPE_WRITE] = "write",
21 [TOMOYO_TYPE_UNLINK] = "unlink",
22 [TOMOYO_TYPE_RMDIR] = "rmdir",
23 [TOMOYO_TYPE_TRUNCATE] = "truncate",
24 [TOMOYO_TYPE_SYMLINK] = "symlink",
25 [TOMOYO_TYPE_REWRITE] = "rewrite",
26 [TOMOYO_TYPE_CHROOT] = "chroot",
27 [TOMOYO_TYPE_UMOUNT] = "unmount",
28 };
29
30 /* Keyword array for operations with one pathname and three numbers. */
31 static const char *tomoyo_path_number3_keyword
32 [TOMOYO_MAX_PATH_NUMBER3_OPERATION] = {
33 [TOMOYO_TYPE_MKBLOCK] = "mkblock",
34 [TOMOYO_TYPE_MKCHAR] = "mkchar",
35 };
36
37 /* Keyword array for operations with two pathnames. */
38 static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
39 [TOMOYO_TYPE_LINK] = "link",
40 [TOMOYO_TYPE_RENAME] = "rename",
41 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
42 };
43
44 /* Keyword array for operations with one pathname and one number. */
45 static const char *tomoyo_path_number_keyword
46 [TOMOYO_MAX_PATH_NUMBER_OPERATION] = {
47 [TOMOYO_TYPE_CREATE] = "create",
48 [TOMOYO_TYPE_MKDIR] = "mkdir",
49 [TOMOYO_TYPE_MKFIFO] = "mkfifo",
50 [TOMOYO_TYPE_MKSOCK] = "mksock",
51 [TOMOYO_TYPE_IOCTL] = "ioctl",
52 [TOMOYO_TYPE_CHMOD] = "chmod",
53 [TOMOYO_TYPE_CHOWN] = "chown",
54 [TOMOYO_TYPE_CHGRP] = "chgrp",
55 };
56
57 void tomoyo_put_name_union(struct tomoyo_name_union *ptr)
58 {
59 if (!ptr)
60 return;
61 if (ptr->is_group)
62 tomoyo_put_path_group(ptr->group);
63 else
64 tomoyo_put_name(ptr->filename);
65 }
66
67 bool tomoyo_compare_name_union(const struct tomoyo_path_info *name,
68 const struct tomoyo_name_union *ptr)
69 {
70 if (ptr->is_group)
71 return tomoyo_path_matches_group(name, ptr->group, 1);
72 return tomoyo_path_matches_pattern(name, ptr->filename);
73 }
74
75 static bool tomoyo_compare_name_union_pattern(const struct tomoyo_path_info
76 *name,
77 const struct tomoyo_name_union
78 *ptr, const bool may_use_pattern)
79 {
80 if (ptr->is_group)
81 return tomoyo_path_matches_group(name, ptr->group,
82 may_use_pattern);
83 if (may_use_pattern || !ptr->filename->is_patterned)
84 return tomoyo_path_matches_pattern(name, ptr->filename);
85 return false;
86 }
87
88 void tomoyo_put_number_union(struct tomoyo_number_union *ptr)
89 {
90 if (ptr && ptr->is_group)
91 tomoyo_put_number_group(ptr->group);
92 }
93
94 bool tomoyo_compare_number_union(const unsigned long value,
95 const struct tomoyo_number_union *ptr)
96 {
97 if (ptr->is_group)
98 return tomoyo_number_matches_group(value, value, ptr->group);
99 return value >= ptr->values[0] && value <= ptr->values[1];
100 }
101
102 /**
103 * tomoyo_init_request_info - Initialize "struct tomoyo_request_info" members.
104 *
105 * @r: Pointer to "struct tomoyo_request_info" to initialize.
106 * @domain: Pointer to "struct tomoyo_domain_info". NULL for tomoyo_domain().
107 *
108 * Returns mode.
109 */
110 int tomoyo_init_request_info(struct tomoyo_request_info *r,
111 struct tomoyo_domain_info *domain)
112 {
113 memset(r, 0, sizeof(*r));
114 if (!domain)
115 domain = tomoyo_domain();
116 r->domain = domain;
117 r->mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
118 return r->mode;
119 }
120
121 static void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...)
122 __attribute__ ((format(printf, 2, 3)));
123 /**
124 * tomoyo_warn_log - Print warning or error message on console.
125 *
126 * @r: Pointer to "struct tomoyo_request_info".
127 * @fmt: The printf()'s format string, followed by parameters.
128 */
129 static void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...)
130 {
131 int len = PAGE_SIZE;
132 va_list args;
133 char *buffer;
134 if (!tomoyo_verbose_mode(r->domain))
135 return;
136 while (1) {
137 int len2;
138 buffer = kmalloc(len, GFP_NOFS);
139 if (!buffer)
140 return;
141 va_start(args, fmt);
142 len2 = vsnprintf(buffer, len - 1, fmt, args);
143 va_end(args);
144 if (len2 <= len - 1) {
145 buffer[len2] = '\0';
146 break;
147 }
148 len = len2 + 1;
149 kfree(buffer);
150 }
151 printk(KERN_WARNING "TOMOYO-%s: Access %s denied for %s\n",
152 r->mode == TOMOYO_CONFIG_ENFORCING ? "ERROR" : "WARNING",
153 buffer, tomoyo_get_last_name(r->domain));
154 kfree(buffer);
155 }
156
157 /**
158 * tomoyo_path2keyword - Get the name of single path operation.
159 *
160 * @operation: Type of operation.
161 *
162 * Returns the name of single path operation.
163 */
164 const char *tomoyo_path2keyword(const u8 operation)
165 {
166 return (operation < TOMOYO_MAX_PATH_OPERATION)
167 ? tomoyo_path_keyword[operation] : NULL;
168 }
169
170 /**
171 * tomoyo_path_number32keyword - Get the name of path/number/number/number operations.
172 *
173 * @operation: Type of operation.
174 *
175 * Returns the name of path/number/number/number operation.
176 */
177 const char *tomoyo_path_number32keyword(const u8 operation)
178 {
179 return (operation < TOMOYO_MAX_PATH_NUMBER3_OPERATION)
180 ? tomoyo_path_number3_keyword[operation] : NULL;
181 }
182
183 /**
184 * tomoyo_path22keyword - Get the name of double path operation.
185 *
186 * @operation: Type of operation.
187 *
188 * Returns the name of double path operation.
189 */
190 const char *tomoyo_path22keyword(const u8 operation)
191 {
192 return (operation < TOMOYO_MAX_PATH2_OPERATION)
193 ? tomoyo_path2_keyword[operation] : NULL;
194 }
195
196 /**
197 * tomoyo_path_number2keyword - Get the name of path/number operations.
198 *
199 * @operation: Type of operation.
200 *
201 * Returns the name of path/number operation.
202 */
203 const char *tomoyo_path_number2keyword(const u8 operation)
204 {
205 return (operation < TOMOYO_MAX_PATH_NUMBER_OPERATION)
206 ? tomoyo_path_number_keyword[operation] : NULL;
207 }
208
209 /**
210 * tomoyo_strendswith - Check whether the token ends with the given token.
211 *
212 * @name: The token to check.
213 * @tail: The token to find.
214 *
215 * Returns true if @name ends with @tail, false otherwise.
216 */
217 static bool tomoyo_strendswith(const char *name, const char *tail)
218 {
219 int len;
220
221 if (!name || !tail)
222 return false;
223 len = strlen(name) - strlen(tail);
224 return len >= 0 && !strcmp(name + len, tail);
225 }
226
227 /**
228 * tomoyo_get_path - Get realpath.
229 *
230 * @path: Pointer to "struct path".
231 *
232 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
233 */
234 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
235 {
236 int error;
237 struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf),
238 GFP_NOFS);
239
240 if (!buf)
241 return NULL;
242 /* Reserve one byte for appending "/". */
243 error = tomoyo_realpath_from_path2(path, buf->body,
244 sizeof(buf->body) - 2);
245 if (!error) {
246 buf->head.name = buf->body;
247 tomoyo_fill_path_info(&buf->head);
248 return &buf->head;
249 }
250 kfree(buf);
251 return NULL;
252 }
253
254 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
255 const char *filename2,
256 struct tomoyo_domain_info *const domain,
257 const bool is_delete);
258 static int tomoyo_update_path_acl(const u8 type, const char *filename,
259 struct tomoyo_domain_info *const domain,
260 const bool is_delete);
261
262 /*
263 * tomoyo_globally_readable_list is used for holding list of pathnames which
264 * are by default allowed to be open()ed for reading by any process.
265 *
266 * An entry is added by
267 *
268 * # echo 'allow_read /lib/libc-2.5.so' > \
269 * /sys/kernel/security/tomoyo/exception_policy
270 *
271 * and is deleted by
272 *
273 * # echo 'delete allow_read /lib/libc-2.5.so' > \
274 * /sys/kernel/security/tomoyo/exception_policy
275 *
276 * and all entries are retrieved by
277 *
278 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
279 *
280 * In the example above, any process is allowed to
281 * open("/lib/libc-2.5.so", O_RDONLY).
282 * One exception is, if the domain which current process belongs to is marked
283 * as "ignore_global_allow_read", current process can't do so unless explicitly
284 * given "allow_read /lib/libc-2.5.so" to the domain which current process
285 * belongs to.
286 */
287 LIST_HEAD(tomoyo_globally_readable_list);
288
289 /**
290 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
291 *
292 * @filename: Filename unconditionally permitted to open() for reading.
293 * @is_delete: True if it is a delete request.
294 *
295 * Returns 0 on success, negative value otherwise.
296 *
297 * Caller holds tomoyo_read_lock().
298 */
299 static int tomoyo_update_globally_readable_entry(const char *filename,
300 const bool is_delete)
301 {
302 struct tomoyo_globally_readable_file_entry *ptr;
303 struct tomoyo_globally_readable_file_entry e = { };
304 int error = is_delete ? -ENOENT : -ENOMEM;
305
306 if (!tomoyo_is_correct_path(filename, 1, 0, -1))
307 return -EINVAL;
308 e.filename = tomoyo_get_name(filename);
309 if (!e.filename)
310 return -ENOMEM;
311 if (mutex_lock_interruptible(&tomoyo_policy_lock))
312 goto out;
313 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
314 if (ptr->filename != e.filename)
315 continue;
316 ptr->is_deleted = is_delete;
317 error = 0;
318 break;
319 }
320 if (!is_delete && error) {
321 struct tomoyo_globally_readable_file_entry *entry =
322 tomoyo_commit_ok(&e, sizeof(e));
323 if (entry) {
324 list_add_tail_rcu(&entry->list,
325 &tomoyo_globally_readable_list);
326 error = 0;
327 }
328 }
329 mutex_unlock(&tomoyo_policy_lock);
330 out:
331 tomoyo_put_name(e.filename);
332 return error;
333 }
334
335 /**
336 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
337 *
338 * @filename: The filename to check.
339 *
340 * Returns true if any domain can open @filename for reading, false otherwise.
341 *
342 * Caller holds tomoyo_read_lock().
343 */
344 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
345 filename)
346 {
347 struct tomoyo_globally_readable_file_entry *ptr;
348 bool found = false;
349
350 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
351 if (!ptr->is_deleted &&
352 tomoyo_path_matches_pattern(filename, ptr->filename)) {
353 found = true;
354 break;
355 }
356 }
357 return found;
358 }
359
360 /**
361 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
362 *
363 * @data: String to parse.
364 * @is_delete: True if it is a delete request.
365 *
366 * Returns 0 on success, negative value otherwise.
367 *
368 * Caller holds tomoyo_read_lock().
369 */
370 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
371 {
372 return tomoyo_update_globally_readable_entry(data, is_delete);
373 }
374
375 /**
376 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
377 *
378 * @head: Pointer to "struct tomoyo_io_buffer".
379 *
380 * Returns true on success, false otherwise.
381 *
382 * Caller holds tomoyo_read_lock().
383 */
384 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
385 {
386 struct list_head *pos;
387 bool done = true;
388
389 list_for_each_cookie(pos, head->read_var2,
390 &tomoyo_globally_readable_list) {
391 struct tomoyo_globally_readable_file_entry *ptr;
392 ptr = list_entry(pos,
393 struct tomoyo_globally_readable_file_entry,
394 list);
395 if (ptr->is_deleted)
396 continue;
397 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
398 ptr->filename->name);
399 if (!done)
400 break;
401 }
402 return done;
403 }
404
405 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
406 * converting pathnames to pathname patterns during learning mode.
407 *
408 * An entry is added by
409 *
410 * # echo 'file_pattern /proc/\$/mounts' > \
411 * /sys/kernel/security/tomoyo/exception_policy
412 *
413 * and is deleted by
414 *
415 * # echo 'delete file_pattern /proc/\$/mounts' > \
416 * /sys/kernel/security/tomoyo/exception_policy
417 *
418 * and all entries are retrieved by
419 *
420 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
421 *
422 * In the example above, if a process which belongs to a domain which is in
423 * learning mode requested open("/proc/1/mounts", O_RDONLY),
424 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
425 * process belongs to.
426 *
427 * It is not a desirable behavior that we have to use /proc/\$/ instead of
428 * /proc/self/ when current process needs to access only current process's
429 * information. As of now, LSM version of TOMOYO is using __d_path() for
430 * calculating pathname. Non LSM version of TOMOYO is using its own function
431 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
432 * current process from accessing other process's information.
433 */
434 LIST_HEAD(tomoyo_pattern_list);
435
436 /**
437 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
438 *
439 * @pattern: Pathname pattern.
440 * @is_delete: True if it is a delete request.
441 *
442 * Returns 0 on success, negative value otherwise.
443 *
444 * Caller holds tomoyo_read_lock().
445 */
446 static int tomoyo_update_file_pattern_entry(const char *pattern,
447 const bool is_delete)
448 {
449 struct tomoyo_pattern_entry *ptr;
450 struct tomoyo_pattern_entry e = { .pattern = tomoyo_get_name(pattern) };
451 int error = is_delete ? -ENOENT : -ENOMEM;
452
453 if (!e.pattern)
454 return error;
455 if (!e.pattern->is_patterned)
456 goto out;
457 if (mutex_lock_interruptible(&tomoyo_policy_lock))
458 goto out;
459 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
460 if (e.pattern != ptr->pattern)
461 continue;
462 ptr->is_deleted = is_delete;
463 error = 0;
464 break;
465 }
466 if (!is_delete && error) {
467 struct tomoyo_pattern_entry *entry =
468 tomoyo_commit_ok(&e, sizeof(e));
469 if (entry) {
470 list_add_tail_rcu(&entry->list, &tomoyo_pattern_list);
471 error = 0;
472 }
473 }
474 mutex_unlock(&tomoyo_policy_lock);
475 out:
476 tomoyo_put_name(e.pattern);
477 return error;
478 }
479
480 /**
481 * tomoyo_get_file_pattern - Get patterned pathname.
482 *
483 * @filename: The filename to find patterned pathname.
484 *
485 * Returns pointer to pathname pattern if matched, @filename otherwise.
486 *
487 * Caller holds tomoyo_read_lock().
488 */
489 const struct tomoyo_path_info *
490 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
491 {
492 struct tomoyo_pattern_entry *ptr;
493 const struct tomoyo_path_info *pattern = NULL;
494
495 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
496 if (ptr->is_deleted)
497 continue;
498 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
499 continue;
500 pattern = ptr->pattern;
501 if (tomoyo_strendswith(pattern->name, "/\\*")) {
502 /* Do nothing. Try to find the better match. */
503 } else {
504 /* This would be the better match. Use this. */
505 break;
506 }
507 }
508 if (pattern)
509 filename = pattern;
510 return filename;
511 }
512
513 /**
514 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
515 *
516 * @data: String to parse.
517 * @is_delete: True if it is a delete request.
518 *
519 * Returns 0 on success, negative value otherwise.
520 *
521 * Caller holds tomoyo_read_lock().
522 */
523 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
524 {
525 return tomoyo_update_file_pattern_entry(data, is_delete);
526 }
527
528 /**
529 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
530 *
531 * @head: Pointer to "struct tomoyo_io_buffer".
532 *
533 * Returns true on success, false otherwise.
534 *
535 * Caller holds tomoyo_read_lock().
536 */
537 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
538 {
539 struct list_head *pos;
540 bool done = true;
541
542 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
543 struct tomoyo_pattern_entry *ptr;
544 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
545 if (ptr->is_deleted)
546 continue;
547 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
548 "%s\n", ptr->pattern->name);
549 if (!done)
550 break;
551 }
552 return done;
553 }
554
555 /*
556 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
557 * default forbidden to modify already written content of a file.
558 *
559 * An entry is added by
560 *
561 * # echo 'deny_rewrite /var/log/messages' > \
562 * /sys/kernel/security/tomoyo/exception_policy
563 *
564 * and is deleted by
565 *
566 * # echo 'delete deny_rewrite /var/log/messages' > \
567 * /sys/kernel/security/tomoyo/exception_policy
568 *
569 * and all entries are retrieved by
570 *
571 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
572 *
573 * In the example above, if a process requested to rewrite /var/log/messages ,
574 * the process can't rewrite unless the domain which that process belongs to
575 * has "allow_rewrite /var/log/messages" entry.
576 *
577 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
578 * when we want to allow rewriting already unlink()ed file. As of now,
579 * LSM version of TOMOYO is using __d_path() for calculating pathname.
580 * Non LSM version of TOMOYO is using its own function which doesn't append
581 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
582 * need to worry whether the file is already unlink()ed or not.
583 */
584 LIST_HEAD(tomoyo_no_rewrite_list);
585
586 /**
587 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
588 *
589 * @pattern: Pathname pattern that are not rewritable by default.
590 * @is_delete: True if it is a delete request.
591 *
592 * Returns 0 on success, negative value otherwise.
593 *
594 * Caller holds tomoyo_read_lock().
595 */
596 static int tomoyo_update_no_rewrite_entry(const char *pattern,
597 const bool is_delete)
598 {
599 struct tomoyo_no_rewrite_entry *ptr;
600 struct tomoyo_no_rewrite_entry e = { };
601 int error = is_delete ? -ENOENT : -ENOMEM;
602
603 if (!tomoyo_is_correct_path(pattern, 0, 0, 0))
604 return -EINVAL;
605 e.pattern = tomoyo_get_name(pattern);
606 if (!e.pattern)
607 return error;
608 if (mutex_lock_interruptible(&tomoyo_policy_lock))
609 goto out;
610 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
611 if (ptr->pattern != e.pattern)
612 continue;
613 ptr->is_deleted = is_delete;
614 error = 0;
615 break;
616 }
617 if (!is_delete && error) {
618 struct tomoyo_no_rewrite_entry *entry =
619 tomoyo_commit_ok(&e, sizeof(e));
620 if (entry) {
621 list_add_tail_rcu(&entry->list,
622 &tomoyo_no_rewrite_list);
623 error = 0;
624 }
625 }
626 mutex_unlock(&tomoyo_policy_lock);
627 out:
628 tomoyo_put_name(e.pattern);
629 return error;
630 }
631
632 /**
633 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
634 *
635 * @filename: Filename to check.
636 *
637 * Returns true if @filename is specified by "deny_rewrite" directive,
638 * false otherwise.
639 *
640 * Caller holds tomoyo_read_lock().
641 */
642 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
643 {
644 struct tomoyo_no_rewrite_entry *ptr;
645 bool found = false;
646
647 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
648 if (ptr->is_deleted)
649 continue;
650 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
651 continue;
652 found = true;
653 break;
654 }
655 return found;
656 }
657
658 /**
659 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
660 *
661 * @data: String to parse.
662 * @is_delete: True if it is a delete request.
663 *
664 * Returns 0 on success, negative value otherwise.
665 *
666 * Caller holds tomoyo_read_lock().
667 */
668 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
669 {
670 return tomoyo_update_no_rewrite_entry(data, is_delete);
671 }
672
673 /**
674 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
675 *
676 * @head: Pointer to "struct tomoyo_io_buffer".
677 *
678 * Returns true on success, false otherwise.
679 *
680 * Caller holds tomoyo_read_lock().
681 */
682 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
683 {
684 struct list_head *pos;
685 bool done = true;
686
687 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
688 struct tomoyo_no_rewrite_entry *ptr;
689 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
690 if (ptr->is_deleted)
691 continue;
692 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
693 "%s\n", ptr->pattern->name);
694 if (!done)
695 break;
696 }
697 return done;
698 }
699
700 /**
701 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
702 *
703 * @perm: Permission (between 1 to 7).
704 * @filename: Filename.
705 * @domain: Pointer to "struct tomoyo_domain_info".
706 * @is_delete: True if it is a delete request.
707 *
708 * Returns 0 on success, negative value otherwise.
709 *
710 * This is legacy support interface for older policy syntax.
711 * Current policy syntax uses "allow_read/write" instead of "6",
712 * "allow_read" instead of "4", "allow_write" instead of "2",
713 * "allow_execute" instead of "1".
714 *
715 * Caller holds tomoyo_read_lock().
716 */
717 static int tomoyo_update_file_acl(u8 perm, const char *filename,
718 struct tomoyo_domain_info * const domain,
719 const bool is_delete)
720 {
721 if (perm > 7 || !perm) {
722 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
723 __func__, perm, filename);
724 return -EINVAL;
725 }
726 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
727 /*
728 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
729 * directory permissions.
730 */
731 return 0;
732 if (perm & 4)
733 tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain,
734 is_delete);
735 if (perm & 2)
736 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain,
737 is_delete);
738 if (perm & 1)
739 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain,
740 is_delete);
741 return 0;
742 }
743
744 /**
745 * tomoyo_path_acl - Check permission for single path operation.
746 *
747 * @r: Pointer to "struct tomoyo_request_info".
748 * @filename: Filename to check.
749 * @perm: Permission.
750 * @may_use_pattern: True if patterned ACL is permitted.
751 *
752 * Returns 0 on success, -EPERM otherwise.
753 *
754 * Caller holds tomoyo_read_lock().
755 */
756 static int tomoyo_path_acl(const struct tomoyo_request_info *r,
757 const struct tomoyo_path_info *filename,
758 const u32 perm, const bool may_use_pattern)
759 {
760 struct tomoyo_domain_info *domain = r->domain;
761 struct tomoyo_acl_info *ptr;
762 int error = -EPERM;
763
764 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
765 struct tomoyo_path_acl *acl;
766 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
767 continue;
768 acl = container_of(ptr, struct tomoyo_path_acl, head);
769 if (!(acl->perm & perm) ||
770 !tomoyo_compare_name_union_pattern(filename, &acl->name,
771 may_use_pattern))
772 continue;
773 error = 0;
774 break;
775 }
776 return error;
777 }
778
779 /**
780 * tomoyo_file_perm - Check permission for opening files.
781 *
782 * @r: Pointer to "struct tomoyo_request_info".
783 * @filename: Filename to check.
784 * @mode: Mode ("read" or "write" or "read/write" or "execute").
785 *
786 * Returns 0 on success, negative value otherwise.
787 *
788 * Caller holds tomoyo_read_lock().
789 */
790 static int tomoyo_file_perm(struct tomoyo_request_info *r,
791 const struct tomoyo_path_info *filename,
792 const u8 mode)
793 {
794 const char *msg = "<unknown>";
795 int error = 0;
796 u32 perm = 0;
797
798 if (!filename)
799 return 0;
800
801 if (mode == 6) {
802 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
803 perm = 1 << TOMOYO_TYPE_READ_WRITE;
804 } else if (mode == 4) {
805 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
806 perm = 1 << TOMOYO_TYPE_READ;
807 } else if (mode == 2) {
808 msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
809 perm = 1 << TOMOYO_TYPE_WRITE;
810 } else if (mode == 1) {
811 msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
812 perm = 1 << TOMOYO_TYPE_EXECUTE;
813 } else
814 BUG();
815 error = tomoyo_path_acl(r, filename, perm, mode != 1);
816 if (error && mode == 4 && !r->domain->ignore_global_allow_read
817 && tomoyo_is_globally_readable_file(filename))
818 error = 0;
819 if (!error)
820 return 0;
821 tomoyo_warn_log(r, "%s %s", msg, filename->name);
822 if (r->mode == TOMOYO_CONFIG_ENFORCING)
823 return error;
824 if (tomoyo_domain_quota_is_ok(r)) {
825 /* Don't use patterns for execute permission. */
826 const struct tomoyo_path_info *patterned_file = (mode != 1) ?
827 tomoyo_get_file_pattern(filename) : filename;
828 tomoyo_update_file_acl(mode, patterned_file->name, r->domain,
829 false);
830 }
831 return 0;
832 }
833
834 /**
835 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
836 *
837 * @type: Type of operation.
838 * @filename: Filename.
839 * @domain: Pointer to "struct tomoyo_domain_info".
840 * @is_delete: True if it is a delete request.
841 *
842 * Returns 0 on success, negative value otherwise.
843 *
844 * Caller holds tomoyo_read_lock().
845 */
846 static int tomoyo_update_path_acl(const u8 type, const char *filename,
847 struct tomoyo_domain_info *const domain,
848 const bool is_delete)
849 {
850 static const u16 tomoyo_rw_mask =
851 (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE);
852 const u16 perm = 1 << type;
853 struct tomoyo_acl_info *ptr;
854 struct tomoyo_path_acl e = {
855 .head.type = TOMOYO_TYPE_PATH_ACL,
856 .perm = perm
857 };
858 int error = is_delete ? -ENOENT : -ENOMEM;
859
860 if (type == TOMOYO_TYPE_READ_WRITE)
861 e.perm |= tomoyo_rw_mask;
862 if (!domain)
863 return -EINVAL;
864 if (!tomoyo_parse_name_union(filename, &e.name))
865 return -EINVAL;
866 if (mutex_lock_interruptible(&tomoyo_policy_lock))
867 goto out;
868 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
869 struct tomoyo_path_acl *acl =
870 container_of(ptr, struct tomoyo_path_acl, head);
871 if (!tomoyo_is_same_path_acl(acl, &e))
872 continue;
873 if (is_delete) {
874 acl->perm &= ~perm;
875 if ((acl->perm & tomoyo_rw_mask) != tomoyo_rw_mask)
876 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE);
877 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)))
878 acl->perm &= ~tomoyo_rw_mask;
879 } else {
880 acl->perm |= perm;
881 if ((acl->perm & tomoyo_rw_mask) == tomoyo_rw_mask)
882 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE;
883 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))
884 acl->perm |= tomoyo_rw_mask;
885 }
886 error = 0;
887 break;
888 }
889 if (!is_delete && error) {
890 struct tomoyo_path_acl *entry =
891 tomoyo_commit_ok(&e, sizeof(e));
892 if (entry) {
893 list_add_tail_rcu(&entry->head.list,
894 &domain->acl_info_list);
895 error = 0;
896 }
897 }
898 mutex_unlock(&tomoyo_policy_lock);
899 out:
900 tomoyo_put_name_union(&e.name);
901 return error;
902 }
903
904 /**
905 * tomoyo_update_path_number3_acl - Update "struct tomoyo_path_number3_acl" list.
906 *
907 * @type: Type of operation.
908 * @filename: Filename.
909 * @mode: Create mode.
910 * @major: Device major number.
911 * @minor: Device minor number.
912 * @domain: Pointer to "struct tomoyo_domain_info".
913 * @is_delete: True if it is a delete request.
914 *
915 * Returns 0 on success, negative value otherwise.
916 */
917 static inline int tomoyo_update_path_number3_acl(const u8 type,
918 const char *filename,
919 char *mode,
920 char *major, char *minor,
921 struct tomoyo_domain_info *
922 const domain,
923 const bool is_delete)
924 {
925 const u8 perm = 1 << type;
926 struct tomoyo_acl_info *ptr;
927 struct tomoyo_path_number3_acl e = {
928 .head.type = TOMOYO_TYPE_PATH_NUMBER3_ACL,
929 .perm = perm
930 };
931 int error = is_delete ? -ENOENT : -ENOMEM;
932 if (!tomoyo_parse_name_union(filename, &e.name) ||
933 !tomoyo_parse_number_union(mode, &e.mode) ||
934 !tomoyo_parse_number_union(major, &e.major) ||
935 !tomoyo_parse_number_union(minor, &e.minor))
936 goto out;
937 if (mutex_lock_interruptible(&tomoyo_policy_lock))
938 goto out;
939 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
940 struct tomoyo_path_number3_acl *acl =
941 container_of(ptr, struct tomoyo_path_number3_acl, head);
942 if (!tomoyo_is_same_path_number3_acl(acl, &e))
943 continue;
944 if (is_delete)
945 acl->perm &= ~perm;
946 else
947 acl->perm |= perm;
948 error = 0;
949 break;
950 }
951 if (!is_delete && error) {
952 struct tomoyo_path_number3_acl *entry =
953 tomoyo_commit_ok(&e, sizeof(e));
954 if (entry) {
955 list_add_tail_rcu(&entry->head.list,
956 &domain->acl_info_list);
957 error = 0;
958 }
959 }
960 mutex_unlock(&tomoyo_policy_lock);
961 out:
962 tomoyo_put_name_union(&e.name);
963 tomoyo_put_number_union(&e.mode);
964 tomoyo_put_number_union(&e.major);
965 tomoyo_put_number_union(&e.minor);
966 return error;
967 }
968
969 /**
970 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
971 *
972 * @type: Type of operation.
973 * @filename1: First filename.
974 * @filename2: Second filename.
975 * @domain: Pointer to "struct tomoyo_domain_info".
976 * @is_delete: True if it is a delete request.
977 *
978 * Returns 0 on success, negative value otherwise.
979 *
980 * Caller holds tomoyo_read_lock().
981 */
982 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
983 const char *filename2,
984 struct tomoyo_domain_info *const domain,
985 const bool is_delete)
986 {
987 const u8 perm = 1 << type;
988 struct tomoyo_path2_acl e = {
989 .head.type = TOMOYO_TYPE_PATH2_ACL,
990 .perm = perm
991 };
992 struct tomoyo_acl_info *ptr;
993 int error = is_delete ? -ENOENT : -ENOMEM;
994
995 if (!domain)
996 return -EINVAL;
997 if (!tomoyo_parse_name_union(filename1, &e.name1) ||
998 !tomoyo_parse_name_union(filename2, &e.name2))
999 goto out;
1000 if (mutex_lock_interruptible(&tomoyo_policy_lock))
1001 goto out;
1002 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1003 struct tomoyo_path2_acl *acl =
1004 container_of(ptr, struct tomoyo_path2_acl, head);
1005 if (!tomoyo_is_same_path2_acl(acl, &e))
1006 continue;
1007 if (is_delete)
1008 acl->perm &= ~perm;
1009 else
1010 acl->perm |= perm;
1011 error = 0;
1012 break;
1013 }
1014 if (!is_delete && error) {
1015 struct tomoyo_path2_acl *entry =
1016 tomoyo_commit_ok(&e, sizeof(e));
1017 if (entry) {
1018 list_add_tail_rcu(&entry->head.list,
1019 &domain->acl_info_list);
1020 error = 0;
1021 }
1022 }
1023 mutex_unlock(&tomoyo_policy_lock);
1024 out:
1025 tomoyo_put_name_union(&e.name1);
1026 tomoyo_put_name_union(&e.name2);
1027 return error;
1028 }
1029
1030 /**
1031 * tomoyo_path_number3_acl - Check permission for path/number/number/number operation.
1032 *
1033 * @r: Pointer to "struct tomoyo_request_info".
1034 * @filename: Filename to check.
1035 * @perm: Permission.
1036 * @mode: Create mode.
1037 * @major: Device major number.
1038 * @minor: Device minor number.
1039 *
1040 * Returns 0 on success, -EPERM otherwise.
1041 *
1042 * Caller holds tomoyo_read_lock().
1043 */
1044 static int tomoyo_path_number3_acl(struct tomoyo_request_info *r,
1045 const struct tomoyo_path_info *filename,
1046 const u16 perm, const unsigned int mode,
1047 const unsigned int major,
1048 const unsigned int minor)
1049 {
1050 struct tomoyo_domain_info *domain = r->domain;
1051 struct tomoyo_acl_info *ptr;
1052 int error = -EPERM;
1053 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1054 struct tomoyo_path_number3_acl *acl;
1055 if (ptr->type != TOMOYO_TYPE_PATH_NUMBER3_ACL)
1056 continue;
1057 acl = container_of(ptr, struct tomoyo_path_number3_acl, head);
1058 if (!tomoyo_compare_number_union(mode, &acl->mode))
1059 continue;
1060 if (!tomoyo_compare_number_union(major, &acl->major))
1061 continue;
1062 if (!tomoyo_compare_number_union(minor, &acl->minor))
1063 continue;
1064 if (!(acl->perm & perm))
1065 continue;
1066 if (!tomoyo_compare_name_union(filename, &acl->name))
1067 continue;
1068 error = 0;
1069 break;
1070 }
1071 return error;
1072 }
1073
1074 /**
1075 * tomoyo_path2_acl - Check permission for double path operation.
1076 *
1077 * @r: Pointer to "struct tomoyo_request_info".
1078 * @type: Type of operation.
1079 * @filename1: First filename to check.
1080 * @filename2: Second filename to check.
1081 *
1082 * Returns 0 on success, -EPERM otherwise.
1083 *
1084 * Caller holds tomoyo_read_lock().
1085 */
1086 static int tomoyo_path2_acl(const struct tomoyo_request_info *r, const u8 type,
1087 const struct tomoyo_path_info *filename1,
1088 const struct tomoyo_path_info *filename2)
1089 {
1090 const struct tomoyo_domain_info *domain = r->domain;
1091 struct tomoyo_acl_info *ptr;
1092 const u8 perm = 1 << type;
1093 int error = -EPERM;
1094
1095 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1096 struct tomoyo_path2_acl *acl;
1097 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
1098 continue;
1099 acl = container_of(ptr, struct tomoyo_path2_acl, head);
1100 if (!(acl->perm & perm))
1101 continue;
1102 if (!tomoyo_compare_name_union(filename1, &acl->name1))
1103 continue;
1104 if (!tomoyo_compare_name_union(filename2, &acl->name2))
1105 continue;
1106 error = 0;
1107 break;
1108 }
1109 return error;
1110 }
1111
1112 /**
1113 * tomoyo_path_permission - Check permission for single path operation.
1114 *
1115 * @r: Pointer to "struct tomoyo_request_info".
1116 * @operation: Type of operation.
1117 * @filename: Filename to check.
1118 *
1119 * Returns 0 on success, negative value otherwise.
1120 *
1121 * Caller holds tomoyo_read_lock().
1122 */
1123 static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
1124 const struct tomoyo_path_info *filename)
1125 {
1126 int error;
1127
1128 next:
1129 error = tomoyo_path_acl(r, filename, 1 << operation, 1);
1130 if (!error)
1131 goto ok;
1132 tomoyo_warn_log(r, "%s %s", tomoyo_path2keyword(operation),
1133 filename->name);
1134 if (tomoyo_domain_quota_is_ok(r)) {
1135 const char *name = tomoyo_get_file_pattern(filename)->name;
1136 tomoyo_update_path_acl(operation, name, r->domain, false);
1137 }
1138 if (r->mode != TOMOYO_CONFIG_ENFORCING)
1139 error = 0;
1140 ok:
1141 /*
1142 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1143 * we need to check "allow_rewrite" permission if the filename is
1144 * specified by "deny_rewrite" keyword.
1145 */
1146 if (!error && operation == TOMOYO_TYPE_TRUNCATE &&
1147 tomoyo_is_no_rewrite_file(filename)) {
1148 operation = TOMOYO_TYPE_REWRITE;
1149 goto next;
1150 }
1151 return error;
1152 }
1153
1154 /**
1155 * tomoyo_path_number_acl - Check permission for ioctl/chmod/chown/chgrp operation.
1156 *
1157 * @r: Pointer to "struct tomoyo_request_info".
1158 * @type: Operation.
1159 * @filename: Filename to check.
1160 * @number: Number.
1161 *
1162 * Returns 0 on success, -EPERM otherwise.
1163 *
1164 * Caller holds tomoyo_read_lock().
1165 */
1166 static int tomoyo_path_number_acl(struct tomoyo_request_info *r, const u8 type,
1167 const struct tomoyo_path_info *filename,
1168 const unsigned long number)
1169 {
1170 struct tomoyo_domain_info *domain = r->domain;
1171 struct tomoyo_acl_info *ptr;
1172 const u8 perm = 1 << type;
1173 int error = -EPERM;
1174 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1175 struct tomoyo_path_number_acl *acl;
1176 if (ptr->type != TOMOYO_TYPE_PATH_NUMBER_ACL)
1177 continue;
1178 acl = container_of(ptr, struct tomoyo_path_number_acl,
1179 head);
1180 if (!(acl->perm & perm) ||
1181 !tomoyo_compare_number_union(number, &acl->number) ||
1182 !tomoyo_compare_name_union(filename, &acl->name))
1183 continue;
1184 error = 0;
1185 break;
1186 }
1187 return error;
1188 }
1189
1190 /**
1191 * tomoyo_update_path_number_acl - Update ioctl/chmod/chown/chgrp ACL.
1192 *
1193 * @type: Type of operation.
1194 * @filename: Filename.
1195 * @number: Number.
1196 * @domain: Pointer to "struct tomoyo_domain_info".
1197 * @is_delete: True if it is a delete request.
1198 *
1199 * Returns 0 on success, negative value otherwise.
1200 */
1201 static inline int tomoyo_update_path_number_acl(const u8 type,
1202 const char *filename,
1203 char *number,
1204 struct tomoyo_domain_info *
1205 const domain,
1206 const bool is_delete)
1207 {
1208 const u8 perm = 1 << type;
1209 struct tomoyo_acl_info *ptr;
1210 struct tomoyo_path_number_acl e = {
1211 .head.type = TOMOYO_TYPE_PATH_NUMBER_ACL,
1212 .perm = perm
1213 };
1214 int error = is_delete ? -ENOENT : -ENOMEM;
1215 if (!domain)
1216 return -EINVAL;
1217 if (!tomoyo_parse_name_union(filename, &e.name))
1218 return -EINVAL;
1219 if (!tomoyo_parse_number_union(number, &e.number))
1220 goto out;
1221 if (mutex_lock_interruptible(&tomoyo_policy_lock))
1222 goto out;
1223 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1224 struct tomoyo_path_number_acl *acl =
1225 container_of(ptr, struct tomoyo_path_number_acl, head);
1226 if (!tomoyo_is_same_path_number_acl(acl, &e))
1227 continue;
1228 if (is_delete)
1229 acl->perm &= ~perm;
1230 else
1231 acl->perm |= perm;
1232 error = 0;
1233 break;
1234 }
1235 if (!is_delete && error) {
1236 struct tomoyo_path_number_acl *entry =
1237 tomoyo_commit_ok(&e, sizeof(e));
1238 if (entry) {
1239 list_add_tail_rcu(&entry->head.list,
1240 &domain->acl_info_list);
1241 error = 0;
1242 }
1243 }
1244 mutex_unlock(&tomoyo_policy_lock);
1245 out:
1246 tomoyo_put_name_union(&e.name);
1247 tomoyo_put_number_union(&e.number);
1248 return error;
1249 }
1250
1251 /**
1252 * tomoyo_path_number_perm2 - Check permission for "create", "mkdir", "mkfifo", "mksock", "ioctl", "chmod", "chown", "chgrp".
1253 *
1254 * @r: Pointer to "strct tomoyo_request_info".
1255 * @filename: Filename to check.
1256 * @number: Number.
1257 *
1258 * Returns 0 on success, negative value otherwise.
1259 *
1260 * Caller holds tomoyo_read_lock().
1261 */
1262 static int tomoyo_path_number_perm2(struct tomoyo_request_info *r,
1263 const u8 type,
1264 const struct tomoyo_path_info *filename,
1265 const unsigned long number)
1266 {
1267 char buffer[64];
1268 int error;
1269 u8 radix;
1270
1271 if (!filename)
1272 return 0;
1273 switch (type) {
1274 case TOMOYO_TYPE_CREATE:
1275 case TOMOYO_TYPE_MKDIR:
1276 case TOMOYO_TYPE_MKFIFO:
1277 case TOMOYO_TYPE_MKSOCK:
1278 case TOMOYO_TYPE_CHMOD:
1279 radix = TOMOYO_VALUE_TYPE_OCTAL;
1280 break;
1281 case TOMOYO_TYPE_IOCTL:
1282 radix = TOMOYO_VALUE_TYPE_HEXADECIMAL;
1283 break;
1284 default:
1285 radix = TOMOYO_VALUE_TYPE_DECIMAL;
1286 break;
1287 }
1288 tomoyo_print_ulong(buffer, sizeof(buffer), number, radix);
1289 error = tomoyo_path_number_acl(r, type, filename, number);
1290 if (!error)
1291 return 0;
1292 tomoyo_warn_log(r, "%s %s %s", tomoyo_path_number2keyword(type),
1293 filename->name, buffer);
1294 if (tomoyo_domain_quota_is_ok(r))
1295 tomoyo_update_path_number_acl(type,
1296 tomoyo_get_file_pattern(filename)
1297 ->name, buffer, r->domain, false);
1298 if (r->mode != TOMOYO_CONFIG_ENFORCING)
1299 error = 0;
1300 return error;
1301 }
1302
1303 /**
1304 * tomoyo_path_number_perm - Check permission for "create", "mkdir", "mkfifo", "mksock", "ioctl", "chmod", "chown", "chgrp".
1305 *
1306 * @type: Type of operation.
1307 * @path: Pointer to "struct path".
1308 * @number: Number.
1309 *
1310 * Returns 0 on success, negative value otherwise.
1311 */
1312 int tomoyo_path_number_perm(const u8 type, struct path *path,
1313 unsigned long number)
1314 {
1315 struct tomoyo_request_info r;
1316 int error = -ENOMEM;
1317 struct tomoyo_path_info *buf;
1318 int idx;
1319
1320 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED ||
1321 !path->mnt || !path->dentry)
1322 return 0;
1323 idx = tomoyo_read_lock();
1324 buf = tomoyo_get_path(path);
1325 if (!buf)
1326 goto out;
1327 if (type == TOMOYO_TYPE_MKDIR && !buf->is_dir) {
1328 /*
1329 * tomoyo_get_path() reserves space for appending "/."
1330 */
1331 strcat((char *) buf->name, "/");
1332 tomoyo_fill_path_info(buf);
1333 }
1334 error = tomoyo_path_number_perm2(&r, type, buf, number);
1335 out:
1336 kfree(buf);
1337 tomoyo_read_unlock(idx);
1338 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1339 error = 0;
1340 return error;
1341 }
1342
1343 /**
1344 * tomoyo_check_exec_perm - Check permission for "execute".
1345 *
1346 * @domain: Pointer to "struct tomoyo_domain_info".
1347 * @filename: Check permission for "execute".
1348 *
1349 * Returns 0 on success, negativevalue otherwise.
1350 *
1351 * Caller holds tomoyo_read_lock().
1352 */
1353 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1354 const struct tomoyo_path_info *filename)
1355 {
1356 struct tomoyo_request_info r;
1357
1358 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED)
1359 return 0;
1360 return tomoyo_file_perm(&r, filename, 1);
1361 }
1362
1363 /**
1364 * tomoyo_check_open_permission - Check permission for "read" and "write".
1365 *
1366 * @domain: Pointer to "struct tomoyo_domain_info".
1367 * @path: Pointer to "struct path".
1368 * @flag: Flags for open().
1369 *
1370 * Returns 0 on success, negative value otherwise.
1371 */
1372 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1373 struct path *path, const int flag)
1374 {
1375 const u8 acc_mode = ACC_MODE(flag);
1376 int error = -ENOMEM;
1377 struct tomoyo_path_info *buf;
1378 struct tomoyo_request_info r;
1379 int idx;
1380
1381 if (tomoyo_init_request_info(&r, domain) == TOMOYO_CONFIG_DISABLED ||
1382 !path->mnt)
1383 return 0;
1384 if (acc_mode == 0)
1385 return 0;
1386 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1387 /*
1388 * I don't check directories here because mkdir() and rmdir()
1389 * don't call me.
1390 */
1391 return 0;
1392 idx = tomoyo_read_lock();
1393 buf = tomoyo_get_path(path);
1394 if (!buf)
1395 goto out;
1396 error = 0;
1397 /*
1398 * If the filename is specified by "deny_rewrite" keyword,
1399 * we need to check "allow_rewrite" permission when the filename is not
1400 * opened for append mode or the filename is truncated at open time.
1401 */
1402 if ((acc_mode & MAY_WRITE) &&
1403 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1404 (tomoyo_is_no_rewrite_file(buf))) {
1405 error = tomoyo_path_permission(&r, TOMOYO_TYPE_REWRITE, buf);
1406 }
1407 if (!error)
1408 error = tomoyo_file_perm(&r, buf, acc_mode);
1409 if (!error && (flag & O_TRUNC))
1410 error = tomoyo_path_permission(&r, TOMOYO_TYPE_TRUNCATE, buf);
1411 out:
1412 kfree(buf);
1413 tomoyo_read_unlock(idx);
1414 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1415 error = 0;
1416 return error;
1417 }
1418
1419 /**
1420 * tomoyo_path_perm - Check permission for "unlink", "rmdir", "truncate", "symlink", "rewrite", "chroot" and "unmount".
1421 *
1422 * @operation: Type of operation.
1423 * @path: Pointer to "struct path".
1424 *
1425 * Returns 0 on success, negative value otherwise.
1426 */
1427 int tomoyo_path_perm(const u8 operation, struct path *path)
1428 {
1429 int error = -ENOMEM;
1430 struct tomoyo_path_info *buf;
1431 struct tomoyo_request_info r;
1432 int idx;
1433
1434 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED ||
1435 !path->mnt)
1436 return 0;
1437 idx = tomoyo_read_lock();
1438 buf = tomoyo_get_path(path);
1439 if (!buf)
1440 goto out;
1441 switch (operation) {
1442 case TOMOYO_TYPE_REWRITE:
1443 if (!tomoyo_is_no_rewrite_file(buf)) {
1444 error = 0;
1445 goto out;
1446 }
1447 break;
1448 case TOMOYO_TYPE_RMDIR:
1449 case TOMOYO_TYPE_CHROOT:
1450 if (!buf->is_dir) {
1451 /*
1452 * tomoyo_get_path() reserves space for appending "/."
1453 */
1454 strcat((char *) buf->name, "/");
1455 tomoyo_fill_path_info(buf);
1456 }
1457 }
1458 error = tomoyo_path_permission(&r, operation, buf);
1459 out:
1460 kfree(buf);
1461 tomoyo_read_unlock(idx);
1462 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1463 error = 0;
1464 return error;
1465 }
1466
1467 /**
1468 * tomoyo_path_number3_perm2 - Check permission for path/number/number/number operation.
1469 *
1470 * @r: Pointer to "struct tomoyo_request_info".
1471 * @operation: Type of operation.
1472 * @filename: Filename to check.
1473 * @mode: Create mode.
1474 * @dev: Device number.
1475 *
1476 * Returns 0 on success, negative value otherwise.
1477 *
1478 * Caller holds tomoyo_read_lock().
1479 */
1480 static int tomoyo_path_number3_perm2(struct tomoyo_request_info *r,
1481 const u8 operation,
1482 const struct tomoyo_path_info *filename,
1483 const unsigned int mode,
1484 const unsigned int dev)
1485 {
1486 int error;
1487 const unsigned int major = MAJOR(dev);
1488 const unsigned int minor = MINOR(dev);
1489
1490 error = tomoyo_path_number3_acl(r, filename, 1 << operation, mode,
1491 major, minor);
1492 if (!error)
1493 return 0;
1494 tomoyo_warn_log(r, "%s %s 0%o %u %u",
1495 tomoyo_path_number32keyword(operation),
1496 filename->name, mode, major, minor);
1497 if (tomoyo_domain_quota_is_ok(r)) {
1498 char mode_buf[64];
1499 char major_buf[64];
1500 char minor_buf[64];
1501 memset(mode_buf, 0, sizeof(mode_buf));
1502 memset(major_buf, 0, sizeof(major_buf));
1503 memset(minor_buf, 0, sizeof(minor_buf));
1504 snprintf(mode_buf, sizeof(mode_buf) - 1, "0%o", mode);
1505 snprintf(major_buf, sizeof(major_buf) - 1, "%u", major);
1506 snprintf(minor_buf, sizeof(minor_buf) - 1, "%u", minor);
1507 tomoyo_update_path_number3_acl(operation,
1508 tomoyo_get_file_pattern(filename)
1509 ->name, mode_buf, major_buf,
1510 minor_buf, r->domain, false);
1511 }
1512 if (r->mode != TOMOYO_CONFIG_ENFORCING)
1513 error = 0;
1514 return error;
1515 }
1516
1517 /**
1518 * tomoyo_path_number3_perm - Check permission for "mkblock" and "mkchar".
1519 *
1520 * @operation: Type of operation. (TOMOYO_TYPE_MKCHAR or TOMOYO_TYPE_MKBLOCK)
1521 * @path: Pointer to "struct path".
1522 * @mode: Create mode.
1523 * @dev: Device number.
1524 *
1525 * Returns 0 on success, negative value otherwise.
1526 */
1527 int tomoyo_path_number3_perm(const u8 operation, struct path *path,
1528 const unsigned int mode, unsigned int dev)
1529 {
1530 struct tomoyo_request_info r;
1531 int error = -ENOMEM;
1532 struct tomoyo_path_info *buf;
1533 int idx;
1534
1535 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED ||
1536 !path->mnt)
1537 return 0;
1538 idx = tomoyo_read_lock();
1539 error = -ENOMEM;
1540 buf = tomoyo_get_path(path);
1541 if (buf) {
1542 error = tomoyo_path_number3_perm2(&r, operation, buf, mode,
1543 new_decode_dev(dev));
1544 kfree(buf);
1545 }
1546 tomoyo_read_unlock(idx);
1547 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1548 error = 0;
1549 return error;
1550 }
1551
1552 /**
1553 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1554 *
1555 * @operation: Type of operation.
1556 * @path1: Pointer to "struct path".
1557 * @path2: Pointer to "struct path".
1558 *
1559 * Returns 0 on success, negative value otherwise.
1560 */
1561 int tomoyo_path2_perm(const u8 operation, struct path *path1,
1562 struct path *path2)
1563 {
1564 int error = -ENOMEM;
1565 struct tomoyo_path_info *buf1;
1566 struct tomoyo_path_info *buf2;
1567 struct tomoyo_request_info r;
1568 int idx;
1569
1570 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED ||
1571 !path1->mnt || !path2->mnt)
1572 return 0;
1573 idx = tomoyo_read_lock();
1574 buf1 = tomoyo_get_path(path1);
1575 buf2 = tomoyo_get_path(path2);
1576 if (!buf1 || !buf2)
1577 goto out;
1578 {
1579 struct dentry *dentry = path1->dentry;
1580 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1581 /*
1582 * tomoyo_get_path() reserves space for appending "/."
1583 */
1584 if (!buf1->is_dir) {
1585 strcat((char *) buf1->name, "/");
1586 tomoyo_fill_path_info(buf1);
1587 }
1588 if (!buf2->is_dir) {
1589 strcat((char *) buf2->name, "/");
1590 tomoyo_fill_path_info(buf2);
1591 }
1592 }
1593 }
1594 error = tomoyo_path2_acl(&r, operation, buf1, buf2);
1595 if (!error)
1596 goto out;
1597 tomoyo_warn_log(&r, "%s %s %s", tomoyo_path22keyword(operation),
1598 buf1->name, buf2->name);
1599 if (tomoyo_domain_quota_is_ok(&r)) {
1600 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1601 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1602 tomoyo_update_path2_acl(operation, name1, name2, r.domain,
1603 false);
1604 }
1605 out:
1606 kfree(buf1);
1607 kfree(buf2);
1608 tomoyo_read_unlock(idx);
1609 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1610 error = 0;
1611 return error;
1612 }
1613
1614 /**
1615 * tomoyo_write_file_policy - Update file related list.
1616 *
1617 * @data: String to parse.
1618 * @domain: Pointer to "struct tomoyo_domain_info".
1619 * @is_delete: True if it is a delete request.
1620 *
1621 * Returns 0 on success, negative value otherwise.
1622 *
1623 * Caller holds tomoyo_read_lock().
1624 */
1625 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
1626 const bool is_delete)
1627 {
1628 char *w[5];
1629 u8 type;
1630 if (!tomoyo_tokenize(data, w, sizeof(w)) || !w[1][0])
1631 return -EINVAL;
1632 if (strncmp(w[0], "allow_", 6)) {
1633 unsigned int perm;
1634 if (sscanf(w[0], "%u", &perm) == 1)
1635 return tomoyo_update_file_acl((u8) perm, w[1], domain,
1636 is_delete);
1637 goto out;
1638 }
1639 w[0] += 6;
1640 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) {
1641 if (strcmp(w[0], tomoyo_path_keyword[type]))
1642 continue;
1643 return tomoyo_update_path_acl(type, w[1], domain, is_delete);
1644 }
1645 if (!w[2][0])
1646 goto out;
1647 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) {
1648 if (strcmp(w[0], tomoyo_path2_keyword[type]))
1649 continue;
1650 return tomoyo_update_path2_acl(type, w[1], w[2], domain,
1651 is_delete);
1652 }
1653 for (type = 0; type < TOMOYO_MAX_PATH_NUMBER_OPERATION; type++) {
1654 if (strcmp(w[0], tomoyo_path_number_keyword[type]))
1655 continue;
1656 return tomoyo_update_path_number_acl(type, w[1], w[2], domain,
1657 is_delete);
1658 }
1659 if (!w[3][0] || !w[4][0])
1660 goto out;
1661 for (type = 0; type < TOMOYO_MAX_PATH_NUMBER3_OPERATION; type++) {
1662 if (strcmp(w[0], tomoyo_path_number3_keyword[type]))
1663 continue;
1664 return tomoyo_update_path_number3_acl(type, w[1], w[2], w[3],
1665 w[4], domain, is_delete);
1666 }
1667 out:
1668 return -EINVAL;
1669 }
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree