search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
TOMOYO: Add ACL group support.
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / security / tomoyo / domain.c
blobaf5f325e2f33127605a7a58222c7ca49ccde2a53
1 /*
2 * security/tomoyo/domain.c
3 *
4 * Domain transition functions for TOMOYO.
5 *
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
7 */
8
9 #include "common.h"
10 #include <linux/binfmts.h>
11 #include <linux/slab.h>
12
13 /* Variables definitions.*/
14
15 /* The global ACL referred by "use_group" keyword. */
16 struct list_head tomoyo_acl_group[TOMOYO_MAX_ACL_GROUPS];
17
18 /* The initial domain. */
19 struct tomoyo_domain_info tomoyo_kernel_domain;
20
21 /**
22 * tomoyo_update_policy - Update an entry for exception policy.
23 *
24 * @new_entry: Pointer to "struct tomoyo_acl_info".
25 * @size: Size of @new_entry in bytes.
26 * @param: Pointer to "struct tomoyo_acl_param".
27 * @check_duplicate: Callback function to find duplicated entry.
28 *
29 * Returns 0 on success, negative value otherwise.
30 *
31 * Caller holds tomoyo_read_lock().
32 */
33 int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
34 struct tomoyo_acl_param *param,
35 bool (*check_duplicate) (const struct tomoyo_acl_head
36 *,
37 const struct tomoyo_acl_head
38 *))
39 {
40 int error = param->is_delete ? -ENOENT : -ENOMEM;
41 struct tomoyo_acl_head *entry;
42 struct list_head *list = param->list;
43
44 if (mutex_lock_interruptible(&tomoyo_policy_lock))
45 return -ENOMEM;
46 list_for_each_entry_rcu(entry, list, list) {
47 if (!check_duplicate(entry, new_entry))
48 continue;
49 entry->is_deleted = param->is_delete;
50 error = 0;
51 break;
52 }
53 if (error && !param->is_delete) {
54 entry = tomoyo_commit_ok(new_entry, size);
55 if (entry) {
56 list_add_tail_rcu(&entry->list, list);
57 error = 0;
58 }
59 }
60 mutex_unlock(&tomoyo_policy_lock);
61 return error;
62 }
63
64 /**
65 * tomoyo_same_acl_head - Check for duplicated "struct tomoyo_acl_info" entry.
66 *
67 * @a: Pointer to "struct tomoyo_acl_info".
68 * @b: Pointer to "struct tomoyo_acl_info".
69 *
70 * Returns true if @a == @b, false otherwise.
71 */
72 static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *a,
73 const struct tomoyo_acl_info *b)
74 {
75 return a->type == b->type;
76 }
77
78 /**
79 * tomoyo_update_domain - Update an entry for domain policy.
80 *
81 * @new_entry: Pointer to "struct tomoyo_acl_info".
82 * @size: Size of @new_entry in bytes.
83 * @param: Pointer to "struct tomoyo_acl_param".
84 * @check_duplicate: Callback function to find duplicated entry.
85 * @merge_duplicate: Callback function to merge duplicated entry.
86 *
87 * Returns 0 on success, negative value otherwise.
88 *
89 * Caller holds tomoyo_read_lock().
90 */
91 int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
92 struct tomoyo_acl_param *param,
93 bool (*check_duplicate) (const struct tomoyo_acl_info
94 *,
95 const struct tomoyo_acl_info
96 *),
97 bool (*merge_duplicate) (struct tomoyo_acl_info *,
98 struct tomoyo_acl_info *,
99 const bool))
100 {
101 const bool is_delete = param->is_delete;
102 int error = is_delete ? -ENOENT : -ENOMEM;
103 struct tomoyo_acl_info *entry;
104 struct list_head * const list = param->list;
105
106 if (mutex_lock_interruptible(&tomoyo_policy_lock))
107 return error;
108 list_for_each_entry_rcu(entry, list, list) {
109 if (!tomoyo_same_acl_head(entry, new_entry) ||
110 !check_duplicate(entry, new_entry))
111 continue;
112 if (merge_duplicate)
113 entry->is_deleted = merge_duplicate(entry, new_entry,
114 is_delete);
115 else
116 entry->is_deleted = is_delete;
117 error = 0;
118 break;
119 }
120 if (error && !is_delete) {
121 entry = tomoyo_commit_ok(new_entry, size);
122 if (entry) {
123 list_add_tail_rcu(&entry->list, list);
124 error = 0;
125 }
126 }
127 mutex_unlock(&tomoyo_policy_lock);
128 return error;
129 }
130
131 /**
132 * tomoyo_check_acl - Do permission check.
133 *
134 * @r: Pointer to "struct tomoyo_request_info".
135 * @check_entry: Callback function to check type specific parameters.
136 *
137 * Returns 0 on success, negative value otherwise.
138 *
139 * Caller holds tomoyo_read_lock().
140 */
141 void tomoyo_check_acl(struct tomoyo_request_info *r,
142 bool (*check_entry) (struct tomoyo_request_info *,
143 const struct tomoyo_acl_info *))
144 {
145 const struct tomoyo_domain_info *domain = r->domain;
146 struct tomoyo_acl_info *ptr;
147 bool retried = false;
148 const struct list_head *list = &domain->acl_info_list;
149
150 retry:
151 list_for_each_entry_rcu(ptr, list, list) {
152 if (ptr->is_deleted || ptr->type != r->param_type)
153 continue;
154 if (check_entry(r, ptr)) {
155 r->granted = true;
156 return;
157 }
158 }
159 if (!retried) {
160 retried = true;
161 list = &tomoyo_acl_group[domain->group];
162 goto retry;
163 }
164 r->granted = false;
165 }
166
167 /* The list for "struct tomoyo_domain_info". */
168 LIST_HEAD(tomoyo_domain_list);
169
170 struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY];
171 struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP];
172
173 /**
174 * tomoyo_last_word - Get last component of a domainname.
175 *
176 * @domainname: Domainname to check.
177 *
178 * Returns the last word of @domainname.
179 */
180 static const char *tomoyo_last_word(const char *name)
181 {
182 const char *cp = strrchr(name, ' ');
183 if (cp)
184 return cp + 1;
185 return name;
186 }
187
188 /**
189 * tomoyo_same_transition_control - Check for duplicated "struct tomoyo_transition_control" entry.
190 *
191 * @a: Pointer to "struct tomoyo_acl_head".
192 * @b: Pointer to "struct tomoyo_acl_head".
193 *
194 * Returns true if @a == @b, false otherwise.
195 */
196 static bool tomoyo_same_transition_control(const struct tomoyo_acl_head *a,
197 const struct tomoyo_acl_head *b)
198 {
199 const struct tomoyo_transition_control *p1 = container_of(a,
200 typeof(*p1),
201 head);
202 const struct tomoyo_transition_control *p2 = container_of(b,
203 typeof(*p2),
204 head);
205 return p1->type == p2->type && p1->is_last_name == p2->is_last_name
206 && p1->domainname == p2->domainname
207 && p1->program == p2->program;
208 }
209
210 /**
211 * tomoyo_write_transition_control - Write "struct tomoyo_transition_control" list.
212 *
213 * @param: Pointer to "struct tomoyo_acl_param".
214 * @type: Type of this entry.
215 *
216 * Returns 0 on success, negative value otherwise.
217 */
218 int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
219 const u8 type)
220 {
221 struct tomoyo_transition_control e = { .type = type };
222 int error = param->is_delete ? -ENOENT : -ENOMEM;
223 char *program = param->data;
224 char *domainname = strstr(program, " from ");
225 if (domainname) {
226 *domainname = '\0';
227 domainname += 6;
228 } else if (type == TOMOYO_TRANSITION_CONTROL_NO_KEEP ||
229 type == TOMOYO_TRANSITION_CONTROL_KEEP) {
230 domainname = program;
231 program = NULL;
232 }
233 if (program && strcmp(program, "any")) {
234 if (!tomoyo_correct_path(program))
235 return -EINVAL;
236 e.program = tomoyo_get_name(program);
237 if (!e.program)
238 goto out;
239 }
240 if (domainname && strcmp(domainname, "any")) {
241 if (!tomoyo_correct_domain(domainname)) {
242 if (!tomoyo_correct_path(domainname))
243 goto out;
244 e.is_last_name = true;
245 }
246 e.domainname = tomoyo_get_name(domainname);
247 if (!e.domainname)
248 goto out;
249 }
250 param->list = &tomoyo_policy_list[TOMOYO_ID_TRANSITION_CONTROL];
251 error = tomoyo_update_policy(&e.head, sizeof(e), param,
252 tomoyo_same_transition_control);
253 out:
254 tomoyo_put_name(e.domainname);
255 tomoyo_put_name(e.program);
256 return error;
257 }
258
259 /**
260 * tomoyo_transition_type - Get domain transition type.
261 *
262 * @domainname: The name of domain.
263 * @program: The name of program.
264 *
265 * Returns TOMOYO_TRANSITION_CONTROL_INITIALIZE if executing @program
266 * reinitializes domain transition, TOMOYO_TRANSITION_CONTROL_KEEP if executing
267 * @program suppresses domain transition, others otherwise.
268 *
269 * Caller holds tomoyo_read_lock().
270 */
271 static u8 tomoyo_transition_type(const struct tomoyo_path_info *domainname,
272 const struct tomoyo_path_info *program)
273 {
274 const struct tomoyo_transition_control *ptr;
275 const char *last_name = tomoyo_last_word(domainname->name);
276 u8 type;
277 for (type = 0; type < TOMOYO_MAX_TRANSITION_TYPE; type++) {
278 next:
279 list_for_each_entry_rcu(ptr, &tomoyo_policy_list
280 [TOMOYO_ID_TRANSITION_CONTROL],
281 head.list) {
282 if (ptr->head.is_deleted || ptr->type != type)
283 continue;
284 if (ptr->domainname) {
285 if (!ptr->is_last_name) {
286 if (ptr->domainname != domainname)
287 continue;
288 } else {
289 /*
290 * Use direct strcmp() since this is
291 * unlikely used.
292 */
293 if (strcmp(ptr->domainname->name,
294 last_name))
295 continue;
296 }
297 }
298 if (ptr->program &&
299 tomoyo_pathcmp(ptr->program, program))
300 continue;
301 if (type == TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE) {
302 /*
303 * Do not check for initialize_domain if
304 * no_initialize_domain matched.
305 */
306 type = TOMOYO_TRANSITION_CONTROL_NO_KEEP;
307 goto next;
308 }
309 goto done;
310 }
311 }
312 done:
313 return type;
314 }
315
316 /**
317 * tomoyo_same_aggregator - Check for duplicated "struct tomoyo_aggregator" entry.
318 *
319 * @a: Pointer to "struct tomoyo_acl_head".
320 * @b: Pointer to "struct tomoyo_acl_head".
321 *
322 * Returns true if @a == @b, false otherwise.
323 */
324 static bool tomoyo_same_aggregator(const struct tomoyo_acl_head *a,
325 const struct tomoyo_acl_head *b)
326 {
327 const struct tomoyo_aggregator *p1 = container_of(a, typeof(*p1),
328 head);
329 const struct tomoyo_aggregator *p2 = container_of(b, typeof(*p2),
330 head);
331 return p1->original_name == p2->original_name &&
332 p1->aggregated_name == p2->aggregated_name;
333 }
334
335 /**
336 * tomoyo_write_aggregator - Write "struct tomoyo_aggregator" list.
337 *
338 * @param: Pointer to "struct tomoyo_acl_param".
339 *
340 * Returns 0 on success, negative value otherwise.
341 *
342 * Caller holds tomoyo_read_lock().
343 */
344 int tomoyo_write_aggregator(struct tomoyo_acl_param *param)
345 {
346 struct tomoyo_aggregator e = { };
347 int error = param->is_delete ? -ENOENT : -ENOMEM;
348 const char *original_name = tomoyo_read_token(param);
349 const char *aggregated_name = tomoyo_read_token(param);
350 if (!tomoyo_correct_word(original_name) ||
351 !tomoyo_correct_path(aggregated_name))
352 return -EINVAL;
353 e.original_name = tomoyo_get_name(original_name);
354 e.aggregated_name = tomoyo_get_name(aggregated_name);
355 if (!e.original_name || !e.aggregated_name ||
356 e.aggregated_name->is_patterned) /* No patterns allowed. */
357 goto out;
358 param->list = &tomoyo_policy_list[TOMOYO_ID_AGGREGATOR];
359 error = tomoyo_update_policy(&e.head, sizeof(e), param,
360 tomoyo_same_aggregator);
361 out:
362 tomoyo_put_name(e.original_name);
363 tomoyo_put_name(e.aggregated_name);
364 return error;
365 }
366
367 /**
368 * tomoyo_assign_domain - Create a domain.
369 *
370 * @domainname: The name of domain.
371 * @profile: Profile number to assign if the domain was newly created.
372 *
373 * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
374 *
375 * Caller holds tomoyo_read_lock().
376 */
377 struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
378 const u8 profile)
379 {
380 struct tomoyo_domain_info *entry;
381 struct tomoyo_domain_info *domain = NULL;
382 const struct tomoyo_path_info *saved_domainname;
383 bool found = false;
384
385 if (!tomoyo_correct_domain(domainname))
386 return NULL;
387 saved_domainname = tomoyo_get_name(domainname);
388 if (!saved_domainname)
389 return NULL;
390 entry = kzalloc(sizeof(*entry), GFP_NOFS);
391 if (mutex_lock_interruptible(&tomoyo_policy_lock))
392 goto out;
393 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
394 if (domain->is_deleted ||
395 tomoyo_pathcmp(saved_domainname, domain->domainname))
396 continue;
397 found = true;
398 break;
399 }
400 if (!found && tomoyo_memory_ok(entry)) {
401 INIT_LIST_HEAD(&entry->acl_info_list);
402 entry->domainname = saved_domainname;
403 saved_domainname = NULL;
404 entry->profile = profile;
405 list_add_tail_rcu(&entry->list, &tomoyo_domain_list);
406 domain = entry;
407 entry = NULL;
408 found = true;
409 }
410 mutex_unlock(&tomoyo_policy_lock);
411 out:
412 tomoyo_put_name(saved_domainname);
413 kfree(entry);
414 return found ? domain : NULL;
415 }
416
417 /**
418 * tomoyo_find_next_domain - Find a domain.
419 *
420 * @bprm: Pointer to "struct linux_binprm".
421 *
422 * Returns 0 on success, negative value otherwise.
423 *
424 * Caller holds tomoyo_read_lock().
425 */
426 int tomoyo_find_next_domain(struct linux_binprm *bprm)
427 {
428 struct tomoyo_request_info r;
429 char *tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS);
430 struct tomoyo_domain_info *old_domain = tomoyo_domain();
431 struct tomoyo_domain_info *domain = NULL;
432 const char *original_name = bprm->filename;
433 u8 mode;
434 bool is_enforce;
435 int retval = -ENOMEM;
436 bool need_kfree = false;
437 struct tomoyo_path_info rn = { }; /* real name */
438
439 mode = tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_EXECUTE);
440 is_enforce = (mode == TOMOYO_CONFIG_ENFORCING);
441 if (!tmp)
442 goto out;
443
444 retry:
445 if (need_kfree) {
446 kfree(rn.name);
447 need_kfree = false;
448 }
449 /* Get symlink's pathname of program. */
450 retval = -ENOENT;
451 rn.name = tomoyo_realpath_nofollow(original_name);
452 if (!rn.name)
453 goto out;
454 tomoyo_fill_path_info(&rn);
455 need_kfree = true;
456
457 /* Check 'aggregator' directive. */
458 {
459 struct tomoyo_aggregator *ptr;
460 list_for_each_entry_rcu(ptr, &tomoyo_policy_list
461 [TOMOYO_ID_AGGREGATOR], head.list) {
462 if (ptr->head.is_deleted ||
463 !tomoyo_path_matches_pattern(&rn,
464 ptr->original_name))
465 continue;
466 kfree(rn.name);
467 need_kfree = false;
468 /* This is OK because it is read only. */
469 rn = *ptr->aggregated_name;
470 break;
471 }
472 }
473
474 /* Check execute permission. */
475 retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
476 if (retval == TOMOYO_RETRY_REQUEST)
477 goto retry;
478 if (retval < 0)
479 goto out;
480 /*
481 * To be able to specify domainnames with wildcards, use the
482 * pathname specified in the policy (which may contain
483 * wildcard) rather than the pathname passed to execve()
484 * (which never contains wildcard).
485 */
486 if (r.param.path.matched_path) {
487 if (need_kfree)
488 kfree(rn.name);
489 need_kfree = false;
490 /* This is OK because it is read only. */
491 rn = *r.param.path.matched_path;
492 }
493
494 /* Calculate domain to transit to. */
495 switch (tomoyo_transition_type(old_domain->domainname, &rn)) {
496 case TOMOYO_TRANSITION_CONTROL_INITIALIZE:
497 /* Transit to the child of tomoyo_kernel_domain domain. */
498 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, TOMOYO_ROOT_NAME " "
499 "%s", rn.name);
500 break;
501 case TOMOYO_TRANSITION_CONTROL_KEEP:
502 /* Keep current domain. */
503 domain = old_domain;
504 break;
505 default:
506 if (old_domain == &tomoyo_kernel_domain &&
507 !tomoyo_policy_loaded) {
508 /*
509 * Needn't to transit from kernel domain before
510 * starting /sbin/init. But transit from kernel domain
511 * if executing initializers because they might start
512 * before /sbin/init.
513 */
514 domain = old_domain;
515 } else {
516 /* Normal domain transition. */
517 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s",
518 old_domain->domainname->name, rn.name);
519 }
520 break;
521 }
522 if (domain || strlen(tmp) >= TOMOYO_EXEC_TMPSIZE - 10)
523 goto done;
524 domain = tomoyo_find_domain(tmp);
525 if (!domain)
526 domain = tomoyo_assign_domain(tmp, old_domain->profile);
527 done:
528 if (domain)
529 goto out;
530 printk(KERN_WARNING "TOMOYO-ERROR: Domain '%s' not defined.\n", tmp);
531 if (is_enforce)
532 retval = -EPERM;
533 else
534 old_domain->transition_failed = true;
535 out:
536 if (!domain)
537 domain = old_domain;
538 /* Update reference count on "struct tomoyo_domain_info". */
539 atomic_inc(&domain->users);
540 bprm->cred->security = domain;
541 if (need_kfree)
542 kfree(rn.name);
543 kfree(tmp);
544 return retval;
545 }
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree