search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'v4l_for_2.6.34' of git://git.kernel.org/pub/scm/linux/kernel/git/mcheha...
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / security / tomoyo / file.c
blob6f3fe76a1fde6aabdd84a7998258e6b9e539aaa0
1 /*
2 * security/tomoyo/file.c
3 *
4 * Implementation of the Domain-Based Mandatory Access Control.
5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 *
8 * Version: 2.2.0 2009/04/01
9 *
10 */
11
12 #include "common.h"
13 #include <linux/slab.h>
14
15 /* Keyword array for single path operations. */
16 static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
17 [TOMOYO_TYPE_READ_WRITE] = "read/write",
18 [TOMOYO_TYPE_EXECUTE] = "execute",
19 [TOMOYO_TYPE_READ] = "read",
20 [TOMOYO_TYPE_WRITE] = "write",
21 [TOMOYO_TYPE_CREATE] = "create",
22 [TOMOYO_TYPE_UNLINK] = "unlink",
23 [TOMOYO_TYPE_MKDIR] = "mkdir",
24 [TOMOYO_TYPE_RMDIR] = "rmdir",
25 [TOMOYO_TYPE_MKFIFO] = "mkfifo",
26 [TOMOYO_TYPE_MKSOCK] = "mksock",
27 [TOMOYO_TYPE_MKBLOCK] = "mkblock",
28 [TOMOYO_TYPE_MKCHAR] = "mkchar",
29 [TOMOYO_TYPE_TRUNCATE] = "truncate",
30 [TOMOYO_TYPE_SYMLINK] = "symlink",
31 [TOMOYO_TYPE_REWRITE] = "rewrite",
32 [TOMOYO_TYPE_IOCTL] = "ioctl",
33 [TOMOYO_TYPE_CHMOD] = "chmod",
34 [TOMOYO_TYPE_CHOWN] = "chown",
35 [TOMOYO_TYPE_CHGRP] = "chgrp",
36 [TOMOYO_TYPE_CHROOT] = "chroot",
37 [TOMOYO_TYPE_MOUNT] = "mount",
38 [TOMOYO_TYPE_UMOUNT] = "unmount",
39 };
40
41 /* Keyword array for double path operations. */
42 static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
43 [TOMOYO_TYPE_LINK] = "link",
44 [TOMOYO_TYPE_RENAME] = "rename",
45 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
46 };
47
48 /**
49 * tomoyo_path2keyword - Get the name of single path operation.
50 *
51 * @operation: Type of operation.
52 *
53 * Returns the name of single path operation.
54 */
55 const char *tomoyo_path2keyword(const u8 operation)
56 {
57 return (operation < TOMOYO_MAX_PATH_OPERATION)
58 ? tomoyo_path_keyword[operation] : NULL;
59 }
60
61 /**
62 * tomoyo_path22keyword - Get the name of double path operation.
63 *
64 * @operation: Type of operation.
65 *
66 * Returns the name of double path operation.
67 */
68 const char *tomoyo_path22keyword(const u8 operation)
69 {
70 return (operation < TOMOYO_MAX_PATH2_OPERATION)
71 ? tomoyo_path2_keyword[operation] : NULL;
72 }
73
74 /**
75 * tomoyo_strendswith - Check whether the token ends with the given token.
76 *
77 * @name: The token to check.
78 * @tail: The token to find.
79 *
80 * Returns true if @name ends with @tail, false otherwise.
81 */
82 static bool tomoyo_strendswith(const char *name, const char *tail)
83 {
84 int len;
85
86 if (!name || !tail)
87 return false;
88 len = strlen(name) - strlen(tail);
89 return len >= 0 && !strcmp(name + len, tail);
90 }
91
92 /**
93 * tomoyo_get_path - Get realpath.
94 *
95 * @path: Pointer to "struct path".
96 *
97 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
98 */
99 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
100 {
101 int error;
102 struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf),
103 GFP_KERNEL);
104
105 if (!buf)
106 return NULL;
107 /* Reserve one byte for appending "/". */
108 error = tomoyo_realpath_from_path2(path, buf->body,
109 sizeof(buf->body) - 2);
110 if (!error) {
111 buf->head.name = buf->body;
112 tomoyo_fill_path_info(&buf->head);
113 return &buf->head;
114 }
115 kfree(buf);
116 return NULL;
117 }
118
119 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
120 const char *filename2,
121 struct tomoyo_domain_info *const domain,
122 const bool is_delete);
123 static int tomoyo_update_path_acl(const u8 type, const char *filename,
124 struct tomoyo_domain_info *const domain,
125 const bool is_delete);
126
127 /*
128 * tomoyo_globally_readable_list is used for holding list of pathnames which
129 * are by default allowed to be open()ed for reading by any process.
130 *
131 * An entry is added by
132 *
133 * # echo 'allow_read /lib/libc-2.5.so' > \
134 * /sys/kernel/security/tomoyo/exception_policy
135 *
136 * and is deleted by
137 *
138 * # echo 'delete allow_read /lib/libc-2.5.so' > \
139 * /sys/kernel/security/tomoyo/exception_policy
140 *
141 * and all entries are retrieved by
142 *
143 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
144 *
145 * In the example above, any process is allowed to
146 * open("/lib/libc-2.5.so", O_RDONLY).
147 * One exception is, if the domain which current process belongs to is marked
148 * as "ignore_global_allow_read", current process can't do so unless explicitly
149 * given "allow_read /lib/libc-2.5.so" to the domain which current process
150 * belongs to.
151 */
152 LIST_HEAD(tomoyo_globally_readable_list);
153
154 /**
155 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
156 *
157 * @filename: Filename unconditionally permitted to open() for reading.
158 * @is_delete: True if it is a delete request.
159 *
160 * Returns 0 on success, negative value otherwise.
161 *
162 * Caller holds tomoyo_read_lock().
163 */
164 static int tomoyo_update_globally_readable_entry(const char *filename,
165 const bool is_delete)
166 {
167 struct tomoyo_globally_readable_file_entry *entry = NULL;
168 struct tomoyo_globally_readable_file_entry *ptr;
169 const struct tomoyo_path_info *saved_filename;
170 int error = is_delete ? -ENOENT : -ENOMEM;
171
172 if (!tomoyo_is_correct_path(filename, 1, 0, -1))
173 return -EINVAL;
174 saved_filename = tomoyo_get_name(filename);
175 if (!saved_filename)
176 return -ENOMEM;
177 if (!is_delete)
178 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
179 mutex_lock(&tomoyo_policy_lock);
180 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
181 if (ptr->filename != saved_filename)
182 continue;
183 ptr->is_deleted = is_delete;
184 error = 0;
185 break;
186 }
187 if (!is_delete && error && tomoyo_memory_ok(entry)) {
188 entry->filename = saved_filename;
189 saved_filename = NULL;
190 list_add_tail_rcu(&entry->list, &tomoyo_globally_readable_list);
191 entry = NULL;
192 error = 0;
193 }
194 mutex_unlock(&tomoyo_policy_lock);
195 tomoyo_put_name(saved_filename);
196 kfree(entry);
197 return error;
198 }
199
200 /**
201 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
202 *
203 * @filename: The filename to check.
204 *
205 * Returns true if any domain can open @filename for reading, false otherwise.
206 *
207 * Caller holds tomoyo_read_lock().
208 */
209 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
210 filename)
211 {
212 struct tomoyo_globally_readable_file_entry *ptr;
213 bool found = false;
214
215 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
216 if (!ptr->is_deleted &&
217 tomoyo_path_matches_pattern(filename, ptr->filename)) {
218 found = true;
219 break;
220 }
221 }
222 return found;
223 }
224
225 /**
226 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
227 *
228 * @data: String to parse.
229 * @is_delete: True if it is a delete request.
230 *
231 * Returns 0 on success, negative value otherwise.
232 *
233 * Caller holds tomoyo_read_lock().
234 */
235 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
236 {
237 return tomoyo_update_globally_readable_entry(data, is_delete);
238 }
239
240 /**
241 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
242 *
243 * @head: Pointer to "struct tomoyo_io_buffer".
244 *
245 * Returns true on success, false otherwise.
246 *
247 * Caller holds tomoyo_read_lock().
248 */
249 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
250 {
251 struct list_head *pos;
252 bool done = true;
253
254 list_for_each_cookie(pos, head->read_var2,
255 &tomoyo_globally_readable_list) {
256 struct tomoyo_globally_readable_file_entry *ptr;
257 ptr = list_entry(pos,
258 struct tomoyo_globally_readable_file_entry,
259 list);
260 if (ptr->is_deleted)
261 continue;
262 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
263 ptr->filename->name);
264 if (!done)
265 break;
266 }
267 return done;
268 }
269
270 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
271 * converting pathnames to pathname patterns during learning mode.
272 *
273 * An entry is added by
274 *
275 * # echo 'file_pattern /proc/\$/mounts' > \
276 * /sys/kernel/security/tomoyo/exception_policy
277 *
278 * and is deleted by
279 *
280 * # echo 'delete file_pattern /proc/\$/mounts' > \
281 * /sys/kernel/security/tomoyo/exception_policy
282 *
283 * and all entries are retrieved by
284 *
285 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
286 *
287 * In the example above, if a process which belongs to a domain which is in
288 * learning mode requested open("/proc/1/mounts", O_RDONLY),
289 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
290 * process belongs to.
291 *
292 * It is not a desirable behavior that we have to use /proc/\$/ instead of
293 * /proc/self/ when current process needs to access only current process's
294 * information. As of now, LSM version of TOMOYO is using __d_path() for
295 * calculating pathname. Non LSM version of TOMOYO is using its own function
296 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
297 * current process from accessing other process's information.
298 */
299 LIST_HEAD(tomoyo_pattern_list);
300
301 /**
302 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
303 *
304 * @pattern: Pathname pattern.
305 * @is_delete: True if it is a delete request.
306 *
307 * Returns 0 on success, negative value otherwise.
308 *
309 * Caller holds tomoyo_read_lock().
310 */
311 static int tomoyo_update_file_pattern_entry(const char *pattern,
312 const bool is_delete)
313 {
314 struct tomoyo_pattern_entry *entry = NULL;
315 struct tomoyo_pattern_entry *ptr;
316 const struct tomoyo_path_info *saved_pattern;
317 int error = is_delete ? -ENOENT : -ENOMEM;
318
319 saved_pattern = tomoyo_get_name(pattern);
320 if (!saved_pattern)
321 return error;
322 if (!saved_pattern->is_patterned)
323 goto out;
324 if (!is_delete)
325 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
326 mutex_lock(&tomoyo_policy_lock);
327 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
328 if (saved_pattern != ptr->pattern)
329 continue;
330 ptr->is_deleted = is_delete;
331 error = 0;
332 break;
333 }
334 if (!is_delete && error && tomoyo_memory_ok(entry)) {
335 entry->pattern = saved_pattern;
336 saved_pattern = NULL;
337 list_add_tail_rcu(&entry->list, &tomoyo_pattern_list);
338 entry = NULL;
339 error = 0;
340 }
341 mutex_unlock(&tomoyo_policy_lock);
342 out:
343 kfree(entry);
344 tomoyo_put_name(saved_pattern);
345 return error;
346 }
347
348 /**
349 * tomoyo_get_file_pattern - Get patterned pathname.
350 *
351 * @filename: The filename to find patterned pathname.
352 *
353 * Returns pointer to pathname pattern if matched, @filename otherwise.
354 *
355 * Caller holds tomoyo_read_lock().
356 */
357 static const struct tomoyo_path_info *
358 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
359 {
360 struct tomoyo_pattern_entry *ptr;
361 const struct tomoyo_path_info *pattern = NULL;
362
363 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
364 if (ptr->is_deleted)
365 continue;
366 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
367 continue;
368 pattern = ptr->pattern;
369 if (tomoyo_strendswith(pattern->name, "/\\*")) {
370 /* Do nothing. Try to find the better match. */
371 } else {
372 /* This would be the better match. Use this. */
373 break;
374 }
375 }
376 if (pattern)
377 filename = pattern;
378 return filename;
379 }
380
381 /**
382 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
383 *
384 * @data: String to parse.
385 * @is_delete: True if it is a delete request.
386 *
387 * Returns 0 on success, negative value otherwise.
388 *
389 * Caller holds tomoyo_read_lock().
390 */
391 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
392 {
393 return tomoyo_update_file_pattern_entry(data, is_delete);
394 }
395
396 /**
397 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
398 *
399 * @head: Pointer to "struct tomoyo_io_buffer".
400 *
401 * Returns true on success, false otherwise.
402 *
403 * Caller holds tomoyo_read_lock().
404 */
405 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
406 {
407 struct list_head *pos;
408 bool done = true;
409
410 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
411 struct tomoyo_pattern_entry *ptr;
412 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
413 if (ptr->is_deleted)
414 continue;
415 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
416 "%s\n", ptr->pattern->name);
417 if (!done)
418 break;
419 }
420 return done;
421 }
422
423 /*
424 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
425 * default forbidden to modify already written content of a file.
426 *
427 * An entry is added by
428 *
429 * # echo 'deny_rewrite /var/log/messages' > \
430 * /sys/kernel/security/tomoyo/exception_policy
431 *
432 * and is deleted by
433 *
434 * # echo 'delete deny_rewrite /var/log/messages' > \
435 * /sys/kernel/security/tomoyo/exception_policy
436 *
437 * and all entries are retrieved by
438 *
439 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
440 *
441 * In the example above, if a process requested to rewrite /var/log/messages ,
442 * the process can't rewrite unless the domain which that process belongs to
443 * has "allow_rewrite /var/log/messages" entry.
444 *
445 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
446 * when we want to allow rewriting already unlink()ed file. As of now,
447 * LSM version of TOMOYO is using __d_path() for calculating pathname.
448 * Non LSM version of TOMOYO is using its own function which doesn't append
449 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
450 * need to worry whether the file is already unlink()ed or not.
451 */
452 LIST_HEAD(tomoyo_no_rewrite_list);
453
454 /**
455 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
456 *
457 * @pattern: Pathname pattern that are not rewritable by default.
458 * @is_delete: True if it is a delete request.
459 *
460 * Returns 0 on success, negative value otherwise.
461 *
462 * Caller holds tomoyo_read_lock().
463 */
464 static int tomoyo_update_no_rewrite_entry(const char *pattern,
465 const bool is_delete)
466 {
467 struct tomoyo_no_rewrite_entry *entry = NULL;
468 struct tomoyo_no_rewrite_entry *ptr;
469 const struct tomoyo_path_info *saved_pattern;
470 int error = is_delete ? -ENOENT : -ENOMEM;
471
472 if (!tomoyo_is_correct_path(pattern, 0, 0, 0))
473 return -EINVAL;
474 saved_pattern = tomoyo_get_name(pattern);
475 if (!saved_pattern)
476 return error;
477 if (!is_delete)
478 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
479 mutex_lock(&tomoyo_policy_lock);
480 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
481 if (ptr->pattern != saved_pattern)
482 continue;
483 ptr->is_deleted = is_delete;
484 error = 0;
485 break;
486 }
487 if (!is_delete && error && tomoyo_memory_ok(entry)) {
488 entry->pattern = saved_pattern;
489 saved_pattern = NULL;
490 list_add_tail_rcu(&entry->list, &tomoyo_no_rewrite_list);
491 entry = NULL;
492 error = 0;
493 }
494 mutex_unlock(&tomoyo_policy_lock);
495 tomoyo_put_name(saved_pattern);
496 kfree(entry);
497 return error;
498 }
499
500 /**
501 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
502 *
503 * @filename: Filename to check.
504 *
505 * Returns true if @filename is specified by "deny_rewrite" directive,
506 * false otherwise.
507 *
508 * Caller holds tomoyo_read_lock().
509 */
510 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
511 {
512 struct tomoyo_no_rewrite_entry *ptr;
513 bool found = false;
514
515 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
516 if (ptr->is_deleted)
517 continue;
518 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
519 continue;
520 found = true;
521 break;
522 }
523 return found;
524 }
525
526 /**
527 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
528 *
529 * @data: String to parse.
530 * @is_delete: True if it is a delete request.
531 *
532 * Returns 0 on success, negative value otherwise.
533 *
534 * Caller holds tomoyo_read_lock().
535 */
536 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
537 {
538 return tomoyo_update_no_rewrite_entry(data, is_delete);
539 }
540
541 /**
542 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
543 *
544 * @head: Pointer to "struct tomoyo_io_buffer".
545 *
546 * Returns true on success, false otherwise.
547 *
548 * Caller holds tomoyo_read_lock().
549 */
550 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
551 {
552 struct list_head *pos;
553 bool done = true;
554
555 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
556 struct tomoyo_no_rewrite_entry *ptr;
557 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
558 if (ptr->is_deleted)
559 continue;
560 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
561 "%s\n", ptr->pattern->name);
562 if (!done)
563 break;
564 }
565 return done;
566 }
567
568 /**
569 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
570 *
571 * @filename: Filename.
572 * @perm: Permission (between 1 to 7).
573 * @domain: Pointer to "struct tomoyo_domain_info".
574 * @is_delete: True if it is a delete request.
575 *
576 * Returns 0 on success, negative value otherwise.
577 *
578 * This is legacy support interface for older policy syntax.
579 * Current policy syntax uses "allow_read/write" instead of "6",
580 * "allow_read" instead of "4", "allow_write" instead of "2",
581 * "allow_execute" instead of "1".
582 *
583 * Caller holds tomoyo_read_lock().
584 */
585 static int tomoyo_update_file_acl(const char *filename, u8 perm,
586 struct tomoyo_domain_info * const domain,
587 const bool is_delete)
588 {
589 if (perm > 7 || !perm) {
590 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
591 __func__, perm, filename);
592 return -EINVAL;
593 }
594 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
595 /*
596 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
597 * directory permissions.
598 */
599 return 0;
600 if (perm & 4)
601 tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain,
602 is_delete);
603 if (perm & 2)
604 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain,
605 is_delete);
606 if (perm & 1)
607 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain,
608 is_delete);
609 return 0;
610 }
611
612 /**
613 * tomoyo_path_acl2 - Check permission for single path operation.
614 *
615 * @domain: Pointer to "struct tomoyo_domain_info".
616 * @filename: Filename to check.
617 * @perm: Permission.
618 * @may_use_pattern: True if patterned ACL is permitted.
619 *
620 * Returns 0 on success, -EPERM otherwise.
621 *
622 * Caller holds tomoyo_read_lock().
623 */
624 static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain,
625 const struct tomoyo_path_info *filename,
626 const u32 perm, const bool may_use_pattern)
627 {
628 struct tomoyo_acl_info *ptr;
629 int error = -EPERM;
630
631 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
632 struct tomoyo_path_acl *acl;
633 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
634 continue;
635 acl = container_of(ptr, struct tomoyo_path_acl, head);
636 if (perm <= 0xFFFF) {
637 if (!(acl->perm & perm))
638 continue;
639 } else {
640 if (!(acl->perm_high & (perm >> 16)))
641 continue;
642 }
643 if (may_use_pattern || !acl->filename->is_patterned) {
644 if (!tomoyo_path_matches_pattern(filename,
645 acl->filename))
646 continue;
647 } else {
648 continue;
649 }
650 error = 0;
651 break;
652 }
653 return error;
654 }
655
656 /**
657 * tomoyo_check_file_acl - Check permission for opening files.
658 *
659 * @domain: Pointer to "struct tomoyo_domain_info".
660 * @filename: Filename to check.
661 * @operation: Mode ("read" or "write" or "read/write" or "execute").
662 *
663 * Returns 0 on success, -EPERM otherwise.
664 *
665 * Caller holds tomoyo_read_lock().
666 */
667 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
668 const struct tomoyo_path_info *filename,
669 const u8 operation)
670 {
671 u32 perm = 0;
672
673 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
674 return 0;
675 if (operation == 6)
676 perm = 1 << TOMOYO_TYPE_READ_WRITE;
677 else if (operation == 4)
678 perm = 1 << TOMOYO_TYPE_READ;
679 else if (operation == 2)
680 perm = 1 << TOMOYO_TYPE_WRITE;
681 else if (operation == 1)
682 perm = 1 << TOMOYO_TYPE_EXECUTE;
683 else
684 BUG();
685 return tomoyo_path_acl2(domain, filename, perm, operation != 1);
686 }
687
688 /**
689 * tomoyo_check_file_perm2 - Check permission for opening files.
690 *
691 * @domain: Pointer to "struct tomoyo_domain_info".
692 * @filename: Filename to check.
693 * @perm: Mode ("read" or "write" or "read/write" or "execute").
694 * @operation: Operation name passed used for verbose mode.
695 * @mode: Access control mode.
696 *
697 * Returns 0 on success, negative value otherwise.
698 *
699 * Caller holds tomoyo_read_lock().
700 */
701 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
702 const struct tomoyo_path_info *filename,
703 const u8 perm, const char *operation,
704 const u8 mode)
705 {
706 const bool is_enforce = (mode == 3);
707 const char *msg = "<unknown>";
708 int error = 0;
709
710 if (!filename)
711 return 0;
712 error = tomoyo_check_file_acl(domain, filename, perm);
713 if (error && perm == 4 && !domain->ignore_global_allow_read
714 && tomoyo_is_globally_readable_file(filename))
715 error = 0;
716 if (perm == 6)
717 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
718 else if (perm == 4)
719 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
720 else if (perm == 2)
721 msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
722 else if (perm == 1)
723 msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
724 else
725 BUG();
726 if (!error)
727 return 0;
728 if (tomoyo_verbose_mode(domain))
729 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied "
730 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation,
731 filename->name, tomoyo_get_last_name(domain));
732 if (is_enforce)
733 return error;
734 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
735 /* Don't use patterns for execute permission. */
736 const struct tomoyo_path_info *patterned_file = (perm != 1) ?
737 tomoyo_get_file_pattern(filename) : filename;
738 tomoyo_update_file_acl(patterned_file->name, perm,
739 domain, false);
740 }
741 return 0;
742 }
743
744 /**
745 * tomoyo_write_file_policy - Update file related list.
746 *
747 * @data: String to parse.
748 * @domain: Pointer to "struct tomoyo_domain_info".
749 * @is_delete: True if it is a delete request.
750 *
751 * Returns 0 on success, negative value otherwise.
752 *
753 * Caller holds tomoyo_read_lock().
754 */
755 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
756 const bool is_delete)
757 {
758 char *filename = strchr(data, ' ');
759 char *filename2;
760 unsigned int perm;
761 u8 type;
762
763 if (!filename)
764 return -EINVAL;
765 *filename++ = '\0';
766 if (sscanf(data, "%u", &perm) == 1)
767 return tomoyo_update_file_acl(filename, (u8) perm, domain,
768 is_delete);
769 if (strncmp(data, "allow_", 6))
770 goto out;
771 data += 6;
772 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) {
773 if (strcmp(data, tomoyo_path_keyword[type]))
774 continue;
775 return tomoyo_update_path_acl(type, filename, domain,
776 is_delete);
777 }
778 filename2 = strchr(filename, ' ');
779 if (!filename2)
780 goto out;
781 *filename2++ = '\0';
782 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) {
783 if (strcmp(data, tomoyo_path2_keyword[type]))
784 continue;
785 return tomoyo_update_path2_acl(type, filename, filename2,
786 domain, is_delete);
787 }
788 out:
789 return -EINVAL;
790 }
791
792 /**
793 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
794 *
795 * @type: Type of operation.
796 * @filename: Filename.
797 * @domain: Pointer to "struct tomoyo_domain_info".
798 * @is_delete: True if it is a delete request.
799 *
800 * Returns 0 on success, negative value otherwise.
801 *
802 * Caller holds tomoyo_read_lock().
803 */
804 static int tomoyo_update_path_acl(const u8 type, const char *filename,
805 struct tomoyo_domain_info *const domain,
806 const bool is_delete)
807 {
808 static const u32 rw_mask =
809 (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE);
810 const struct tomoyo_path_info *saved_filename;
811 struct tomoyo_acl_info *ptr;
812 struct tomoyo_path_acl *entry = NULL;
813 int error = is_delete ? -ENOENT : -ENOMEM;
814 const u32 perm = 1 << type;
815
816 if (!domain)
817 return -EINVAL;
818 if (!tomoyo_is_correct_path(filename, 0, 0, 0))
819 return -EINVAL;
820 saved_filename = tomoyo_get_name(filename);
821 if (!saved_filename)
822 return -ENOMEM;
823 if (!is_delete)
824 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
825 mutex_lock(&tomoyo_policy_lock);
826 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
827 struct tomoyo_path_acl *acl =
828 container_of(ptr, struct tomoyo_path_acl, head);
829 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
830 continue;
831 if (acl->filename != saved_filename)
832 continue;
833 if (is_delete) {
834 if (perm <= 0xFFFF)
835 acl->perm &= ~perm;
836 else
837 acl->perm_high &= ~(perm >> 16);
838 if ((acl->perm & rw_mask) != rw_mask)
839 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE);
840 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)))
841 acl->perm &= ~rw_mask;
842 } else {
843 if (perm <= 0xFFFF)
844 acl->perm |= perm;
845 else
846 acl->perm_high |= (perm >> 16);
847 if ((acl->perm & rw_mask) == rw_mask)
848 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE;
849 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))
850 acl->perm |= rw_mask;
851 }
852 error = 0;
853 break;
854 }
855 if (!is_delete && error && tomoyo_memory_ok(entry)) {
856 entry->head.type = TOMOYO_TYPE_PATH_ACL;
857 if (perm <= 0xFFFF)
858 entry->perm = perm;
859 else
860 entry->perm_high = (perm >> 16);
861 if (perm == (1 << TOMOYO_TYPE_READ_WRITE))
862 entry->perm |= rw_mask;
863 entry->filename = saved_filename;
864 saved_filename = NULL;
865 list_add_tail_rcu(&entry->head.list, &domain->acl_info_list);
866 entry = NULL;
867 error = 0;
868 }
869 mutex_unlock(&tomoyo_policy_lock);
870 kfree(entry);
871 tomoyo_put_name(saved_filename);
872 return error;
873 }
874
875 /**
876 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
877 *
878 * @type: Type of operation.
879 * @filename1: First filename.
880 * @filename2: Second filename.
881 * @domain: Pointer to "struct tomoyo_domain_info".
882 * @is_delete: True if it is a delete request.
883 *
884 * Returns 0 on success, negative value otherwise.
885 *
886 * Caller holds tomoyo_read_lock().
887 */
888 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
889 const char *filename2,
890 struct tomoyo_domain_info *const domain,
891 const bool is_delete)
892 {
893 const struct tomoyo_path_info *saved_filename1;
894 const struct tomoyo_path_info *saved_filename2;
895 struct tomoyo_acl_info *ptr;
896 struct tomoyo_path2_acl *entry = NULL;
897 int error = is_delete ? -ENOENT : -ENOMEM;
898 const u8 perm = 1 << type;
899
900 if (!domain)
901 return -EINVAL;
902 if (!tomoyo_is_correct_path(filename1, 0, 0, 0) ||
903 !tomoyo_is_correct_path(filename2, 0, 0, 0))
904 return -EINVAL;
905 saved_filename1 = tomoyo_get_name(filename1);
906 saved_filename2 = tomoyo_get_name(filename2);
907 if (!saved_filename1 || !saved_filename2)
908 goto out;
909 if (!is_delete)
910 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
911 mutex_lock(&tomoyo_policy_lock);
912 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
913 struct tomoyo_path2_acl *acl =
914 container_of(ptr, struct tomoyo_path2_acl, head);
915 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
916 continue;
917 if (acl->filename1 != saved_filename1 ||
918 acl->filename2 != saved_filename2)
919 continue;
920 if (is_delete)
921 acl->perm &= ~perm;
922 else
923 acl->perm |= perm;
924 error = 0;
925 break;
926 }
927 if (!is_delete && error && tomoyo_memory_ok(entry)) {
928 entry->head.type = TOMOYO_TYPE_PATH2_ACL;
929 entry->perm = perm;
930 entry->filename1 = saved_filename1;
931 saved_filename1 = NULL;
932 entry->filename2 = saved_filename2;
933 saved_filename2 = NULL;
934 list_add_tail_rcu(&entry->head.list, &domain->acl_info_list);
935 entry = NULL;
936 error = 0;
937 }
938 mutex_unlock(&tomoyo_policy_lock);
939 out:
940 tomoyo_put_name(saved_filename1);
941 tomoyo_put_name(saved_filename2);
942 kfree(entry);
943 return error;
944 }
945
946 /**
947 * tomoyo_path_acl - Check permission for single path operation.
948 *
949 * @domain: Pointer to "struct tomoyo_domain_info".
950 * @type: Type of operation.
951 * @filename: Filename to check.
952 *
953 * Returns 0 on success, negative value otherwise.
954 *
955 * Caller holds tomoyo_read_lock().
956 */
957 static int tomoyo_path_acl(struct tomoyo_domain_info *domain, const u8 type,
958 const struct tomoyo_path_info *filename)
959 {
960 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
961 return 0;
962 return tomoyo_path_acl2(domain, filename, 1 << type, 1);
963 }
964
965 /**
966 * tomoyo_path2_acl - Check permission for double path operation.
967 *
968 * @domain: Pointer to "struct tomoyo_domain_info".
969 * @type: Type of operation.
970 * @filename1: First filename to check.
971 * @filename2: Second filename to check.
972 *
973 * Returns 0 on success, -EPERM otherwise.
974 *
975 * Caller holds tomoyo_read_lock().
976 */
977 static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain,
978 const u8 type,
979 const struct tomoyo_path_info *filename1,
980 const struct tomoyo_path_info *filename2)
981 {
982 struct tomoyo_acl_info *ptr;
983 const u8 perm = 1 << type;
984 int error = -EPERM;
985
986 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
987 return 0;
988 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
989 struct tomoyo_path2_acl *acl;
990 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
991 continue;
992 acl = container_of(ptr, struct tomoyo_path2_acl, head);
993 if (!(acl->perm & perm))
994 continue;
995 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
996 continue;
997 if (!tomoyo_path_matches_pattern(filename2, acl->filename2))
998 continue;
999 error = 0;
1000 break;
1001 }
1002 return error;
1003 }
1004
1005 /**
1006 * tomoyo_path_permission2 - Check permission for single path operation.
1007 *
1008 * @domain: Pointer to "struct tomoyo_domain_info".
1009 * @operation: Type of operation.
1010 * @filename: Filename to check.
1011 * @mode: Access control mode.
1012 *
1013 * Returns 0 on success, negative value otherwise.
1014 *
1015 * Caller holds tomoyo_read_lock().
1016 */
1017 static int tomoyo_path_permission2(struct tomoyo_domain_info *const domain,
1018 u8 operation,
1019 const struct tomoyo_path_info *filename,
1020 const u8 mode)
1021 {
1022 const char *msg;
1023 int error;
1024 const bool is_enforce = (mode == 3);
1025
1026 if (!mode)
1027 return 0;
1028 next:
1029 error = tomoyo_path_acl(domain, operation, filename);
1030 msg = tomoyo_path2keyword(operation);
1031 if (!error)
1032 goto ok;
1033 if (tomoyo_verbose_mode(domain))
1034 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n",
1035 tomoyo_get_msg(is_enforce), msg, filename->name,
1036 tomoyo_get_last_name(domain));
1037 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1038 const char *name = tomoyo_get_file_pattern(filename)->name;
1039 tomoyo_update_path_acl(operation, name, domain, false);
1040 }
1041 if (!is_enforce)
1042 error = 0;
1043 ok:
1044 /*
1045 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1046 * we need to check "allow_rewrite" permission if the filename is
1047 * specified by "deny_rewrite" keyword.
1048 */
1049 if (!error && operation == TOMOYO_TYPE_TRUNCATE &&
1050 tomoyo_is_no_rewrite_file(filename)) {
1051 operation = TOMOYO_TYPE_REWRITE;
1052 goto next;
1053 }
1054 return error;
1055 }
1056
1057 /**
1058 * tomoyo_check_exec_perm - Check permission for "execute".
1059 *
1060 * @domain: Pointer to "struct tomoyo_domain_info".
1061 * @filename: Check permission for "execute".
1062 *
1063 * Returns 0 on success, negativevalue otherwise.
1064 *
1065 * Caller holds tomoyo_read_lock().
1066 */
1067 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1068 const struct tomoyo_path_info *filename)
1069 {
1070 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1071
1072 if (!mode)
1073 return 0;
1074 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode);
1075 }
1076
1077 /**
1078 * tomoyo_check_open_permission - Check permission for "read" and "write".
1079 *
1080 * @domain: Pointer to "struct tomoyo_domain_info".
1081 * @path: Pointer to "struct path".
1082 * @flag: Flags for open().
1083 *
1084 * Returns 0 on success, negative value otherwise.
1085 */
1086 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1087 struct path *path, const int flag)
1088 {
1089 const u8 acc_mode = ACC_MODE(flag);
1090 int error = -ENOMEM;
1091 struct tomoyo_path_info *buf;
1092 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1093 const bool is_enforce = (mode == 3);
1094 int idx;
1095
1096 if (!mode || !path->mnt)
1097 return 0;
1098 if (acc_mode == 0)
1099 return 0;
1100 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1101 /*
1102 * I don't check directories here because mkdir() and rmdir()
1103 * don't call me.
1104 */
1105 return 0;
1106 idx = tomoyo_read_lock();
1107 buf = tomoyo_get_path(path);
1108 if (!buf)
1109 goto out;
1110 error = 0;
1111 /*
1112 * If the filename is specified by "deny_rewrite" keyword,
1113 * we need to check "allow_rewrite" permission when the filename is not
1114 * opened for append mode or the filename is truncated at open time.
1115 */
1116 if ((acc_mode & MAY_WRITE) &&
1117 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1118 (tomoyo_is_no_rewrite_file(buf))) {
1119 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE,
1120 buf, mode);
1121 }
1122 if (!error)
1123 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1124 mode);
1125 if (!error && (flag & O_TRUNC))
1126 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_TRUNCATE,
1127 buf, mode);
1128 out:
1129 kfree(buf);
1130 tomoyo_read_unlock(idx);
1131 if (!is_enforce)
1132 error = 0;
1133 return error;
1134 }
1135
1136 /**
1137 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1138 *
1139 * @operation: Type of operation.
1140 * @path: Pointer to "struct path".
1141 *
1142 * Returns 0 on success, negative value otherwise.
1143 */
1144 int tomoyo_path_perm(const u8 operation, struct path *path)
1145 {
1146 int error = -ENOMEM;
1147 struct tomoyo_path_info *buf;
1148 struct tomoyo_domain_info *domain = tomoyo_domain();
1149 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1150 const bool is_enforce = (mode == 3);
1151 int idx;
1152
1153 if (!mode || !path->mnt)
1154 return 0;
1155 idx = tomoyo_read_lock();
1156 buf = tomoyo_get_path(path);
1157 if (!buf)
1158 goto out;
1159 switch (operation) {
1160 case TOMOYO_TYPE_MKDIR:
1161 case TOMOYO_TYPE_RMDIR:
1162 case TOMOYO_TYPE_CHROOT:
1163 if (!buf->is_dir) {
1164 /*
1165 * tomoyo_get_path() reserves space for appending "/."
1166 */
1167 strcat((char *) buf->name, "/");
1168 tomoyo_fill_path_info(buf);
1169 }
1170 }
1171 error = tomoyo_path_permission2(domain, operation, buf, mode);
1172 out:
1173 kfree(buf);
1174 tomoyo_read_unlock(idx);
1175 if (!is_enforce)
1176 error = 0;
1177 return error;
1178 }
1179
1180 /**
1181 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1182 *
1183 * @filp: Pointer to "struct file".
1184 *
1185 * Returns 0 on success, negative value otherwise.
1186 */
1187 int tomoyo_check_rewrite_permission(struct file *filp)
1188 {
1189 int error = -ENOMEM;
1190 struct tomoyo_domain_info *domain = tomoyo_domain();
1191 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1192 const bool is_enforce = (mode == 3);
1193 struct tomoyo_path_info *buf;
1194 int idx;
1195
1196 if (!mode || !filp->f_path.mnt)
1197 return 0;
1198
1199 idx = tomoyo_read_lock();
1200 buf = tomoyo_get_path(&filp->f_path);
1201 if (!buf)
1202 goto out;
1203 if (!tomoyo_is_no_rewrite_file(buf)) {
1204 error = 0;
1205 goto out;
1206 }
1207 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, buf, mode);
1208 out:
1209 kfree(buf);
1210 tomoyo_read_unlock(idx);
1211 if (!is_enforce)
1212 error = 0;
1213 return error;
1214 }
1215
1216 /**
1217 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1218 *
1219 * @operation: Type of operation.
1220 * @path1: Pointer to "struct path".
1221 * @path2: Pointer to "struct path".
1222 *
1223 * Returns 0 on success, negative value otherwise.
1224 */
1225 int tomoyo_path2_perm(const u8 operation, struct path *path1,
1226 struct path *path2)
1227 {
1228 int error = -ENOMEM;
1229 struct tomoyo_path_info *buf1, *buf2;
1230 struct tomoyo_domain_info *domain = tomoyo_domain();
1231 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1232 const bool is_enforce = (mode == 3);
1233 const char *msg;
1234 int idx;
1235
1236 if (!mode || !path1->mnt || !path2->mnt)
1237 return 0;
1238 idx = tomoyo_read_lock();
1239 buf1 = tomoyo_get_path(path1);
1240 buf2 = tomoyo_get_path(path2);
1241 if (!buf1 || !buf2)
1242 goto out;
1243 {
1244 struct dentry *dentry = path1->dentry;
1245 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1246 /*
1247 * tomoyo_get_path() reserves space for appending "/."
1248 */
1249 if (!buf1->is_dir) {
1250 strcat((char *) buf1->name, "/");
1251 tomoyo_fill_path_info(buf1);
1252 }
1253 if (!buf2->is_dir) {
1254 strcat((char *) buf2->name, "/");
1255 tomoyo_fill_path_info(buf2);
1256 }
1257 }
1258 }
1259 error = tomoyo_path2_acl(domain, operation, buf1, buf2);
1260 msg = tomoyo_path22keyword(operation);
1261 if (!error)
1262 goto out;
1263 if (tomoyo_verbose_mode(domain))
1264 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' "
1265 "denied for %s\n", tomoyo_get_msg(is_enforce),
1266 msg, buf1->name, buf2->name,
1267 tomoyo_get_last_name(domain));
1268 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1269 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1270 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1271 tomoyo_update_path2_acl(operation, name1, name2, domain,
1272 false);
1273 }
1274 out:
1275 kfree(buf1);
1276 kfree(buf2);
1277 tomoyo_read_unlock(idx);
1278 if (!is_enforce)
1279 error = 0;
1280 return error;
1281 }
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree