2 * security/tomoyo/common.c
4 * Common functions for TOMOYO.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
12 #include <linux/uaccess.h>
13 #include <linux/security.h>
14 #include <linux/hardirq.h>
17 /* Lock for protecting policy. */
18 DEFINE_MUTEX(tomoyo_policy_lock
);
20 /* Has loading policy done? */
21 bool tomoyo_policy_loaded
;
23 /* String table for functionality that takes 4 modes. */
24 static const char *tomoyo_mode_4
[4] = {
25 "disabled", "learning", "permissive", "enforcing"
27 /* String table for functionality that takes 2 modes. */
28 static const char *tomoyo_mode_2
[4] = {
29 "disabled", "enabled", "enabled", "enabled"
33 * tomoyo_control_array is a static data which contains
35 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
36 * (2) initial values for "struct tomoyo_profile".
37 * (3) max values for "struct tomoyo_profile".
41 unsigned int current_value
;
42 const unsigned int max_value
;
43 } tomoyo_control_array
[TOMOYO_MAX_CONTROL_INDEX
] = {
44 [TOMOYO_MAC_FOR_FILE
] = { "MAC_FOR_FILE", 0, 3 },
45 [TOMOYO_MAX_ACCEPT_ENTRY
] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX
},
46 [TOMOYO_VERBOSE
] = { "TOMOYO_VERBOSE", 1, 1 },
50 * tomoyo_profile is a structure which is used for holding the mode of access
51 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
52 * An administrator can define up to 256 profiles.
53 * The ->profile of "struct tomoyo_domain_info" is used for remembering
54 * the profile's number (0 - 255) assigned to that domain.
56 static struct tomoyo_profile
{
57 unsigned int value
[TOMOYO_MAX_CONTROL_INDEX
];
58 const struct tomoyo_path_info
*comment
;
59 } *tomoyo_profile_ptr
[TOMOYO_MAX_PROFILES
];
61 /* Permit policy management by non-root user? */
62 static bool tomoyo_manage_by_non_root
;
64 /* Utility functions. */
66 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
67 static int tomoyo_open_control(const u8 type
, struct file
*file
);
68 /* Close /sys/kernel/security/tomoyo/ interface. */
69 static int tomoyo_close_control(struct file
*file
);
70 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
71 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
72 const int buffer_len
);
73 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
74 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
75 const int buffer_len
);
78 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
80 * @str: Pointer to the string.
82 * Returns true if @str is a \ooo style octal value, false otherwise.
84 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
85 * This function verifies that \ooo is in valid range.
87 static inline bool tomoyo_is_byte_range(const char *str
)
89 return *str
>= '0' && *str
++ <= '3' &&
90 *str
>= '0' && *str
++ <= '7' &&
91 *str
>= '0' && *str
<= '7';
95 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
97 * @c: The character to check.
99 * Returns true if @c is an alphabet character, false otherwise.
101 static inline bool tomoyo_is_alphabet_char(const char c
)
103 return (c
>= 'A' && c
<= 'Z') || (c
>= 'a' && c
<= 'z');
107 * tomoyo_make_byte - Make byte value from three octal characters.
109 * @c1: The first character.
110 * @c2: The second character.
111 * @c3: The third character.
113 * Returns byte value.
115 static inline u8
tomoyo_make_byte(const u8 c1
, const u8 c2
, const u8 c3
)
117 return ((c1
- '0') << 6) + ((c2
- '0') << 3) + (c3
- '0');
121 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
123 * @src: Pointer to pointer to the string.
124 * @find: Pointer to the keyword.
126 * Returns true if @src starts with @find, false otherwise.
128 * The @src is updated to point the first character after the @find
129 * if @src starts with @find.
131 static bool tomoyo_str_starts(char **src
, const char *find
)
133 const int len
= strlen(find
);
136 if (strncmp(tmp
, find
, len
))
144 * tomoyo_normalize_line - Format string.
146 * @buffer: The line to normalize.
148 * Leading and trailing whitespaces are removed.
149 * Multiple whitespaces are packed into single space.
153 static void tomoyo_normalize_line(unsigned char *buffer
)
155 unsigned char *sp
= buffer
;
156 unsigned char *dp
= buffer
;
159 while (tomoyo_is_invalid(*sp
))
165 while (tomoyo_is_valid(*sp
))
167 while (tomoyo_is_invalid(*sp
))
174 * tomoyo_is_correct_path - Validate a pathname.
175 * @filename: The pathname to check.
176 * @start_type: Should the pathname start with '/'?
177 * 1 = must / -1 = must not / 0 = don't care
178 * @pattern_type: Can the pathname contain a wildcard?
179 * 1 = must / -1 = must not / 0 = don't care
180 * @end_type: Should the pathname end with '/'?
181 * 1 = must / -1 = must not / 0 = don't care
182 * @function: The name of function calling me.
184 * Check whether the given filename follows the naming rules.
185 * Returns true if @filename follows the naming rules, false otherwise.
187 bool tomoyo_is_correct_path(const char *filename
, const s8 start_type
,
188 const s8 pattern_type
, const s8 end_type
,
189 const char *function
)
191 const char *const start
= filename
;
192 bool in_repetition
= false;
193 bool contains_pattern
= false;
197 const char *original_filename
= filename
;
202 if (start_type
== 1) { /* Must start with '/' */
205 } else if (start_type
== -1) { /* Must not start with '/' */
210 c
= *(filename
+ strlen(filename
) - 1);
211 if (end_type
== 1) { /* Must end with '/' */
214 } else if (end_type
== -1) { /* Must not end with '/' */
225 case '\\': /* "\\" */
237 if (pattern_type
== -1)
238 break; /* Must not contain pattern */
239 contains_pattern
= true;
241 case '{': /* "/\{" */
242 if (filename
- 3 < start
||
243 *(filename
- 3) != '/')
245 if (pattern_type
== -1)
246 break; /* Must not contain pattern */
247 contains_pattern
= true;
248 in_repetition
= true;
250 case '}': /* "\}/" */
251 if (*filename
!= '/')
255 in_repetition
= false;
257 case '0': /* "\ooo" */
262 if (d
< '0' || d
> '7')
265 if (e
< '0' || e
> '7')
267 c
= tomoyo_make_byte(c
, d
, e
);
268 if (tomoyo_is_invalid(c
))
269 continue; /* pattern is not \000 */
272 } else if (in_repetition
&& c
== '/') {
274 } else if (tomoyo_is_invalid(c
)) {
278 if (pattern_type
== 1) { /* Must contain pattern */
279 if (!contains_pattern
)
286 printk(KERN_DEBUG
"%s: Invalid pathname '%s'\n", function
,
292 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
293 * @domainname: The domainname to check.
294 * @function: The name of function calling me.
296 * Returns true if @domainname follows the naming rules, false otherwise.
298 bool tomoyo_is_correct_domain(const unsigned char *domainname
,
299 const char *function
)
304 const char *org_domainname
= domainname
;
306 if (!domainname
|| strncmp(domainname
, TOMOYO_ROOT_NAME
,
307 TOMOYO_ROOT_NAME_LEN
))
309 domainname
+= TOMOYO_ROOT_NAME_LEN
;
313 if (*domainname
++ != ' ')
315 if (*domainname
++ != '/')
317 while ((c
= *domainname
) != '\0' && c
!= ' ') {
322 case '\\': /* "\\" */
324 case '0': /* "\ooo" */
329 if (d
< '0' || d
> '7')
332 if (e
< '0' || e
> '7')
334 c
= tomoyo_make_byte(c
, d
, e
);
335 if (tomoyo_is_invalid(c
))
336 /* pattern is not \000 */
340 } else if (tomoyo_is_invalid(c
)) {
344 } while (*domainname
);
347 printk(KERN_DEBUG
"%s: Invalid domainname '%s'\n", function
,
353 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
355 * @buffer: The token to check.
357 * Returns true if @buffer possibly be a domainname, false otherwise.
359 bool tomoyo_is_domain_def(const unsigned char *buffer
)
361 return !strncmp(buffer
, TOMOYO_ROOT_NAME
, TOMOYO_ROOT_NAME_LEN
);
365 * tomoyo_find_domain - Find a domain by the given name.
367 * @domainname: The domainname to find.
369 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
371 * Caller holds tomoyo_read_lock().
373 struct tomoyo_domain_info
*tomoyo_find_domain(const char *domainname
)
375 struct tomoyo_domain_info
*domain
;
376 struct tomoyo_path_info name
;
378 name
.name
= domainname
;
379 tomoyo_fill_path_info(&name
);
380 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
381 if (!domain
->is_deleted
&&
382 !tomoyo_pathcmp(&name
, domain
->domainname
))
389 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
391 * @filename: The string to evaluate.
393 * Returns the initial length without a pattern in @filename.
395 static int tomoyo_const_part_length(const char *filename
)
402 while ((c
= *filename
++) != '\0') {
409 case '\\': /* "\\" */
412 case '0': /* "\ooo" */
417 if (c
< '0' || c
> '7')
420 if (c
< '0' || c
> '7')
431 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
433 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
435 * The caller sets "struct tomoyo_path_info"->name.
437 void tomoyo_fill_path_info(struct tomoyo_path_info
*ptr
)
439 const char *name
= ptr
->name
;
440 const int len
= strlen(name
);
442 ptr
->const_len
= tomoyo_const_part_length(name
);
443 ptr
->is_dir
= len
&& (name
[len
- 1] == '/');
444 ptr
->is_patterned
= (ptr
->const_len
< len
);
445 ptr
->hash
= full_name_hash(name
, len
);
449 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
452 * @filename: The start of string to check.
453 * @filename_end: The end of string to check.
454 * @pattern: The start of pattern to compare.
455 * @pattern_end: The end of pattern to compare.
457 * Returns true if @filename matches @pattern, false otherwise.
459 static bool tomoyo_file_matches_pattern2(const char *filename
,
460 const char *filename_end
,
462 const char *pattern_end
)
464 while (filename
< filename_end
&& pattern
< pattern_end
) {
466 if (*pattern
!= '\\') {
467 if (*filename
++ != *pattern
++)
479 } else if (c
== '\\') {
480 if (filename
[1] == '\\')
482 else if (tomoyo_is_byte_range(filename
+ 1))
491 if (*++filename
!= '\\')
503 if (!tomoyo_is_alphabet_char(c
))
510 if (c
== '\\' && tomoyo_is_byte_range(filename
+ 1)
511 && strncmp(filename
+ 1, pattern
, 3) == 0) {
516 return false; /* Not matched. */
519 for (i
= 0; i
<= filename_end
- filename
; i
++) {
520 if (tomoyo_file_matches_pattern2(
521 filename
+ i
, filename_end
,
522 pattern
+ 1, pattern_end
))
525 if (c
== '.' && *pattern
== '@')
529 if (filename
[i
+ 1] == '\\')
531 else if (tomoyo_is_byte_range(filename
+ i
+ 1))
534 break; /* Bad pattern. */
536 return false; /* Not matched. */
541 while (isdigit(filename
[j
]))
543 } else if (c
== 'X') {
544 while (isxdigit(filename
[j
]))
546 } else if (c
== 'A') {
547 while (tomoyo_is_alphabet_char(filename
[j
]))
550 for (i
= 1; i
<= j
; i
++) {
551 if (tomoyo_file_matches_pattern2(
552 filename
+ i
, filename_end
,
553 pattern
+ 1, pattern_end
))
556 return false; /* Not matched or bad pattern. */
561 while (*pattern
== '\\' &&
562 (*(pattern
+ 1) == '*' || *(pattern
+ 1) == '@'))
564 return filename
== filename_end
&& pattern
== pattern_end
;
568 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
570 * @filename: The start of string to check.
571 * @filename_end: The end of string to check.
572 * @pattern: The start of pattern to compare.
573 * @pattern_end: The end of pattern to compare.
575 * Returns true if @filename matches @pattern, false otherwise.
577 static bool tomoyo_file_matches_pattern(const char *filename
,
578 const char *filename_end
,
580 const char *pattern_end
)
582 const char *pattern_start
= pattern
;
586 while (pattern
< pattern_end
- 1) {
587 /* Split at "\-" pattern. */
588 if (*pattern
++ != '\\' || *pattern
++ != '-')
590 result
= tomoyo_file_matches_pattern2(filename
,
599 pattern_start
= pattern
;
601 result
= tomoyo_file_matches_pattern2(filename
, filename_end
,
602 pattern_start
, pattern_end
);
603 return first
? result
: !result
;
607 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
609 * @f: The start of string to check.
610 * @p: The start of pattern to compare.
612 * Returns true if @f matches @p, false otherwise.
614 static bool tomoyo_path_matches_pattern2(const char *f
, const char *p
)
616 const char *f_delimiter
;
617 const char *p_delimiter
;
620 f_delimiter
= strchr(f
, '/');
622 f_delimiter
= f
+ strlen(f
);
623 p_delimiter
= strchr(p
, '/');
625 p_delimiter
= p
+ strlen(p
);
626 if (*p
== '\\' && *(p
+ 1) == '{')
628 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
,
638 /* Ignore trailing "\*" and "\@" in @pattern. */
640 (*(p
+ 1) == '*' || *(p
+ 1) == '@'))
645 * The "\{" pattern is permitted only after '/' character.
646 * This guarantees that below "*(p - 1)" is safe.
647 * Also, the "\}" pattern is permitted only before '/' character
648 * so that "\{" + "\}" pair will not break the "\-" operator.
650 if (*(p
- 1) != '/' || p_delimiter
<= p
+ 3 || *p_delimiter
!= '/' ||
651 *(p_delimiter
- 1) != '}' || *(p_delimiter
- 2) != '\\')
652 return false; /* Bad pattern. */
654 /* Compare current component with pattern. */
655 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
+ 2,
658 /* Proceed to next component. */
663 /* Continue comparison. */
664 if (tomoyo_path_matches_pattern2(f
, p_delimiter
+ 1))
666 f_delimiter
= strchr(f
, '/');
667 } while (f_delimiter
);
668 return false; /* Not matched. */
672 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
674 * @filename: The filename to check.
675 * @pattern: The pattern to compare.
677 * Returns true if matches, false otherwise.
679 * The following patterns are available.
681 * \ooo Octal representation of a byte.
682 * \* Zero or more repetitions of characters other than '/'.
683 * \@ Zero or more repetitions of characters other than '/' or '.'.
684 * \? 1 byte character other than '/'.
685 * \$ One or more repetitions of decimal digits.
686 * \+ 1 decimal digit.
687 * \X One or more repetitions of hexadecimal digits.
688 * \x 1 hexadecimal digit.
689 * \A One or more repetitions of alphabet characters.
690 * \a 1 alphabet character.
692 * \- Subtraction operator.
694 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
697 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info
*filename
,
698 const struct tomoyo_path_info
*pattern
)
700 const char *f
= filename
->name
;
701 const char *p
= pattern
->name
;
702 const int len
= pattern
->const_len
;
704 /* If @pattern doesn't contain pattern, I can use strcmp(). */
705 if (!pattern
->is_patterned
)
706 return !tomoyo_pathcmp(filename
, pattern
);
707 /* Don't compare directory and non-directory. */
708 if (filename
->is_dir
!= pattern
->is_dir
)
710 /* Compare the initial length without patterns. */
711 if (strncmp(f
, p
, len
))
715 return tomoyo_path_matches_pattern2(f
, p
);
719 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
721 * @head: Pointer to "struct tomoyo_io_buffer".
722 * @fmt: The printf()'s format string, followed by parameters.
724 * Returns true if output was written, false otherwise.
726 * The snprintf() will truncate, but tomoyo_io_printf() won't.
728 bool tomoyo_io_printf(struct tomoyo_io_buffer
*head
, const char *fmt
, ...)
732 int pos
= head
->read_avail
;
733 int size
= head
->readbuf_size
- pos
;
738 len
= vsnprintf(head
->read_buf
+ pos
, size
, fmt
, args
);
740 if (pos
+ len
>= head
->readbuf_size
)
742 head
->read_avail
+= len
;
747 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
749 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
751 * This function uses kzalloc(), so the caller must call kfree()
752 * if this function didn't return NULL.
754 static const char *tomoyo_get_exe(void)
756 struct mm_struct
*mm
= current
->mm
;
757 struct vm_area_struct
*vma
;
758 const char *cp
= NULL
;
762 down_read(&mm
->mmap_sem
);
763 for (vma
= mm
->mmap
; vma
; vma
= vma
->vm_next
) {
764 if ((vma
->vm_flags
& VM_EXECUTABLE
) && vma
->vm_file
) {
765 cp
= tomoyo_realpath_from_path(&vma
->vm_file
->f_path
);
769 up_read(&mm
->mmap_sem
);
774 * tomoyo_get_msg - Get warning message.
776 * @is_enforce: Is it enforcing mode?
778 * Returns "ERROR" or "WARNING".
780 const char *tomoyo_get_msg(const bool is_enforce
)
789 * tomoyo_check_flags - Check mode for specified functionality.
791 * @domain: Pointer to "struct tomoyo_domain_info".
792 * @index: The functionality to check mode.
794 * TOMOYO checks only process context.
795 * This code disables TOMOYO's enforcement in case the function is called from
798 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info
*domain
,
801 const u8 profile
= domain
->profile
;
803 if (WARN_ON(in_interrupt()))
805 return tomoyo_policy_loaded
&& index
< TOMOYO_MAX_CONTROL_INDEX
806 #if TOMOYO_MAX_PROFILES != 256
807 && profile
< TOMOYO_MAX_PROFILES
809 && tomoyo_profile_ptr
[profile
] ?
810 tomoyo_profile_ptr
[profile
]->value
[index
] : 0;
814 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
816 * @domain: Pointer to "struct tomoyo_domain_info".
818 * Returns true if domain policy violation warning should be printed to
821 bool tomoyo_verbose_mode(const struct tomoyo_domain_info
*domain
)
823 return tomoyo_check_flags(domain
, TOMOYO_VERBOSE
) != 0;
827 * tomoyo_domain_quota_is_ok - Check for domain's quota.
829 * @domain: Pointer to "struct tomoyo_domain_info".
831 * Returns true if the domain is not exceeded quota, false otherwise.
833 * Caller holds tomoyo_read_lock().
835 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info
* const domain
)
837 unsigned int count
= 0;
838 struct tomoyo_acl_info
*ptr
;
842 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
844 struct tomoyo_path_acl
*acl
;
847 case TOMOYO_TYPE_PATH_ACL
:
848 acl
= container_of(ptr
, struct tomoyo_path_acl
, head
);
849 perm
= acl
->perm
| (((u32
) acl
->perm_high
) << 16);
850 for (i
= 0; i
< TOMOYO_MAX_PATH_OPERATION
; i
++)
853 if (perm
& (1 << TOMOYO_TYPE_READ_WRITE
))
856 case TOMOYO_TYPE_PATH2_ACL
:
857 perm
= container_of(ptr
, struct tomoyo_path2_acl
, head
)
859 for (i
= 0; i
< TOMOYO_MAX_PATH2_OPERATION
; i
++)
865 if (count
< tomoyo_check_flags(domain
, TOMOYO_MAX_ACCEPT_ENTRY
))
867 if (!domain
->quota_warned
) {
868 domain
->quota_warned
= true;
869 printk(KERN_WARNING
"TOMOYO-WARNING: "
870 "Domain '%s' has so many ACLs to hold. "
871 "Stopped learning mode.\n", domain
->domainname
->name
);
877 * tomoyo_find_or_assign_new_profile - Create a new profile.
879 * @profile: Profile number to create.
881 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
883 static struct tomoyo_profile
*tomoyo_find_or_assign_new_profile(const unsigned
886 static DEFINE_MUTEX(lock
);
887 struct tomoyo_profile
*ptr
= NULL
;
890 if (profile
>= TOMOYO_MAX_PROFILES
)
893 ptr
= tomoyo_profile_ptr
[profile
];
896 ptr
= kmalloc(sizeof(*ptr
), GFP_KERNEL
);
897 if (!tomoyo_memory_ok(ptr
)) {
901 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++)
902 ptr
->value
[i
] = tomoyo_control_array
[i
].current_value
;
903 mb(); /* Avoid out-of-order execution. */
904 tomoyo_profile_ptr
[profile
] = ptr
;
911 * tomoyo_write_profile - Write to profile table.
913 * @head: Pointer to "struct tomoyo_io_buffer".
915 * Returns 0 on success, negative value otherwise.
917 static int tomoyo_write_profile(struct tomoyo_io_buffer
*head
)
919 char *data
= head
->write_buf
;
923 struct tomoyo_profile
*profile
;
926 cp
= strchr(data
, '-');
929 if (strict_strtoul(data
, 10, &num
))
933 profile
= tomoyo_find_or_assign_new_profile(num
);
936 cp
= strchr(data
, '=');
940 if (!strcmp(data
, "COMMENT")) {
941 const struct tomoyo_path_info
*old_comment
= profile
->comment
;
942 profile
->comment
= tomoyo_get_name(cp
+ 1);
943 tomoyo_put_name(old_comment
);
946 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++) {
947 if (strcmp(data
, tomoyo_control_array
[i
].keyword
))
949 if (sscanf(cp
+ 1, "%u", &value
) != 1) {
954 modes
= tomoyo_mode_2
;
957 modes
= tomoyo_mode_4
;
960 for (j
= 0; j
< 4; j
++) {
961 if (strcmp(cp
+ 1, modes
[j
]))
968 } else if (value
> tomoyo_control_array
[i
].max_value
) {
969 value
= tomoyo_control_array
[i
].max_value
;
971 profile
->value
[i
] = value
;
978 * tomoyo_read_profile - Read from profile table.
980 * @head: Pointer to "struct tomoyo_io_buffer".
984 static int tomoyo_read_profile(struct tomoyo_io_buffer
*head
)
986 static const int total
= TOMOYO_MAX_CONTROL_INDEX
+ 1;
991 for (step
= head
->read_step
; step
< TOMOYO_MAX_PROFILES
* total
;
993 const u8 index
= step
/ total
;
994 u8 type
= step
% total
;
995 const struct tomoyo_profile
*profile
996 = tomoyo_profile_ptr
[index
];
997 head
->read_step
= step
;
1000 if (!type
) { /* Print profile' comment tag. */
1001 if (!tomoyo_io_printf(head
, "%u-COMMENT=%s\n",
1002 index
, profile
->comment
?
1003 profile
->comment
->name
: ""))
1008 if (type
< TOMOYO_MAX_CONTROL_INDEX
) {
1009 const unsigned int value
= profile
->value
[type
];
1010 const char **modes
= NULL
;
1012 = tomoyo_control_array
[type
].keyword
;
1013 switch (tomoyo_control_array
[type
].max_value
) {
1015 modes
= tomoyo_mode_4
;
1018 modes
= tomoyo_mode_2
;
1022 if (!tomoyo_io_printf(head
, "%u-%s=%s\n", index
,
1023 keyword
, modes
[value
]))
1026 if (!tomoyo_io_printf(head
, "%u-%s=%u\n", index
,
1032 if (step
== TOMOYO_MAX_PROFILES
* total
)
1033 head
->read_eof
= true;
1038 * tomoyo_policy_manager_list is used for holding list of domainnames or
1039 * programs which are permitted to modify configuration via
1040 * /sys/kernel/security/tomoyo/ interface.
1042 * An entry is added by
1044 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1045 * /sys/kernel/security/tomoyo/manager
1046 * (if you want to specify by a domainname)
1050 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1051 * (if you want to specify by a program's location)
1055 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1056 * /sys/kernel/security/tomoyo/manager
1060 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1061 * /sys/kernel/security/tomoyo/manager
1063 * and all entries are retrieved by
1065 * # cat /sys/kernel/security/tomoyo/manager
1067 LIST_HEAD(tomoyo_policy_manager_list
);
1070 * tomoyo_update_manager_entry - Add a manager entry.
1072 * @manager: The path to manager or the domainnamme.
1073 * @is_delete: True if it is a delete request.
1075 * Returns 0 on success, negative value otherwise.
1077 * Caller holds tomoyo_read_lock().
1079 static int tomoyo_update_manager_entry(const char *manager
,
1080 const bool is_delete
)
1082 struct tomoyo_policy_manager_entry
*entry
= NULL
;
1083 struct tomoyo_policy_manager_entry
*ptr
;
1084 const struct tomoyo_path_info
*saved_manager
;
1085 int error
= is_delete
? -ENOENT
: -ENOMEM
;
1086 bool is_domain
= false;
1088 if (tomoyo_is_domain_def(manager
)) {
1089 if (!tomoyo_is_correct_domain(manager
, __func__
))
1093 if (!tomoyo_is_correct_path(manager
, 1, -1, -1, __func__
))
1096 saved_manager
= tomoyo_get_name(manager
);
1100 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
1101 mutex_lock(&tomoyo_policy_lock
);
1102 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1103 if (ptr
->manager
!= saved_manager
)
1105 ptr
->is_deleted
= is_delete
;
1109 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
1110 entry
->manager
= saved_manager
;
1111 saved_manager
= NULL
;
1112 entry
->is_domain
= is_domain
;
1113 list_add_tail_rcu(&entry
->list
, &tomoyo_policy_manager_list
);
1117 mutex_unlock(&tomoyo_policy_lock
);
1118 tomoyo_put_name(saved_manager
);
1124 * tomoyo_write_manager_policy - Write manager policy.
1126 * @head: Pointer to "struct tomoyo_io_buffer".
1128 * Returns 0 on success, negative value otherwise.
1130 * Caller holds tomoyo_read_lock().
1132 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer
*head
)
1134 char *data
= head
->write_buf
;
1135 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1137 if (!strcmp(data
, "manage_by_non_root")) {
1138 tomoyo_manage_by_non_root
= !is_delete
;
1141 return tomoyo_update_manager_entry(data
, is_delete
);
1145 * tomoyo_read_manager_policy - Read manager policy.
1147 * @head: Pointer to "struct tomoyo_io_buffer".
1151 * Caller holds tomoyo_read_lock().
1153 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer
*head
)
1155 struct list_head
*pos
;
1160 list_for_each_cookie(pos
, head
->read_var2
,
1161 &tomoyo_policy_manager_list
) {
1162 struct tomoyo_policy_manager_entry
*ptr
;
1163 ptr
= list_entry(pos
, struct tomoyo_policy_manager_entry
,
1165 if (ptr
->is_deleted
)
1167 done
= tomoyo_io_printf(head
, "%s\n", ptr
->manager
->name
);
1171 head
->read_eof
= done
;
1176 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1178 * Returns true if the current process is permitted to modify policy
1179 * via /sys/kernel/security/tomoyo/ interface.
1181 * Caller holds tomoyo_read_lock().
1183 static bool tomoyo_is_policy_manager(void)
1185 struct tomoyo_policy_manager_entry
*ptr
;
1187 const struct task_struct
*task
= current
;
1188 const struct tomoyo_path_info
*domainname
= tomoyo_domain()->domainname
;
1191 if (!tomoyo_policy_loaded
)
1193 if (!tomoyo_manage_by_non_root
&& (task
->cred
->uid
|| task
->cred
->euid
))
1195 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1196 if (!ptr
->is_deleted
&& ptr
->is_domain
1197 && !tomoyo_pathcmp(domainname
, ptr
->manager
)) {
1204 exe
= tomoyo_get_exe();
1207 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1208 if (!ptr
->is_deleted
&& !ptr
->is_domain
1209 && !strcmp(exe
, ptr
->manager
->name
)) {
1214 if (!found
) { /* Reduce error messages. */
1215 static pid_t last_pid
;
1216 const pid_t pid
= current
->pid
;
1217 if (last_pid
!= pid
) {
1218 printk(KERN_WARNING
"%s ( %s ) is not permitted to "
1219 "update policies.\n", domainname
->name
, exe
);
1228 * tomoyo_is_select_one - Parse select command.
1230 * @head: Pointer to "struct tomoyo_io_buffer".
1231 * @data: String to parse.
1233 * Returns true on success, false otherwise.
1235 * Caller holds tomoyo_read_lock().
1237 static bool tomoyo_is_select_one(struct tomoyo_io_buffer
*head
,
1241 struct tomoyo_domain_info
*domain
= NULL
;
1243 if (sscanf(data
, "pid=%u", &pid
) == 1) {
1244 struct task_struct
*p
;
1245 read_lock(&tasklist_lock
);
1246 p
= find_task_by_vpid(pid
);
1248 domain
= tomoyo_real_domain(p
);
1249 read_unlock(&tasklist_lock
);
1250 } else if (!strncmp(data
, "domain=", 7)) {
1251 if (tomoyo_is_domain_def(data
+ 7))
1252 domain
= tomoyo_find_domain(data
+ 7);
1255 head
->write_var1
= domain
;
1256 /* Accessing read_buf is safe because head->io_sem is held. */
1257 if (!head
->read_buf
)
1258 return true; /* Do nothing if open(O_WRONLY). */
1259 head
->read_avail
= 0;
1260 tomoyo_io_printf(head
, "# select %s\n", data
);
1261 head
->read_single_domain
= true;
1262 head
->read_eof
= !domain
;
1264 struct tomoyo_domain_info
*d
;
1265 head
->read_var1
= NULL
;
1266 list_for_each_entry_rcu(d
, &tomoyo_domain_list
, list
) {
1269 head
->read_var1
= &d
->list
;
1271 head
->read_var2
= NULL
;
1273 head
->read_step
= 0;
1274 if (domain
->is_deleted
)
1275 tomoyo_io_printf(head
, "# This is a deleted domain.\n");
1281 * tomoyo_delete_domain - Delete a domain.
1283 * @domainname: The name of domain.
1287 * Caller holds tomoyo_read_lock().
1289 static int tomoyo_delete_domain(char *domainname
)
1291 struct tomoyo_domain_info
*domain
;
1292 struct tomoyo_path_info name
;
1294 name
.name
= domainname
;
1295 tomoyo_fill_path_info(&name
);
1296 mutex_lock(&tomoyo_policy_lock
);
1297 /* Is there an active domain? */
1298 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1299 /* Never delete tomoyo_kernel_domain */
1300 if (domain
== &tomoyo_kernel_domain
)
1302 if (domain
->is_deleted
||
1303 tomoyo_pathcmp(domain
->domainname
, &name
))
1305 domain
->is_deleted
= true;
1308 mutex_unlock(&tomoyo_policy_lock
);
1313 * tomoyo_write_domain_policy - Write domain policy.
1315 * @head: Pointer to "struct tomoyo_io_buffer".
1317 * Returns 0 on success, negative value otherwise.
1319 * Caller holds tomoyo_read_lock().
1321 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer
*head
)
1323 char *data
= head
->write_buf
;
1324 struct tomoyo_domain_info
*domain
= head
->write_var1
;
1325 bool is_delete
= false;
1326 bool is_select
= false;
1327 unsigned int profile
;
1329 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
))
1331 else if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_SELECT
))
1333 if (is_select
&& tomoyo_is_select_one(head
, data
))
1335 /* Don't allow updating policies by non manager programs. */
1336 if (!tomoyo_is_policy_manager())
1338 if (tomoyo_is_domain_def(data
)) {
1341 tomoyo_delete_domain(data
);
1343 domain
= tomoyo_find_domain(data
);
1345 domain
= tomoyo_find_or_assign_new_domain(data
, 0);
1346 head
->write_var1
= domain
;
1352 if (sscanf(data
, TOMOYO_KEYWORD_USE_PROFILE
"%u", &profile
) == 1
1353 && profile
< TOMOYO_MAX_PROFILES
) {
1354 if (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
)
1355 domain
->profile
= (u8
) profile
;
1358 if (!strcmp(data
, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
)) {
1359 domain
->ignore_global_allow_read
= !is_delete
;
1362 return tomoyo_write_file_policy(data
, domain
, is_delete
);
1366 * tomoyo_print_path_acl - Print a single path ACL entry.
1368 * @head: Pointer to "struct tomoyo_io_buffer".
1369 * @ptr: Pointer to "struct tomoyo_path_acl".
1371 * Returns true on success, false otherwise.
1373 static bool tomoyo_print_path_acl(struct tomoyo_io_buffer
*head
,
1374 struct tomoyo_path_acl
*ptr
)
1378 const char *atmark
= "";
1379 const char *filename
;
1380 const u32 perm
= ptr
->perm
| (((u32
) ptr
->perm_high
) << 16);
1382 filename
= ptr
->filename
->name
;
1383 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_PATH_OPERATION
; bit
++) {
1385 if (!(perm
& (1 << bit
)))
1387 /* Print "read/write" instead of "read" and "write". */
1388 if ((bit
== TOMOYO_TYPE_READ
|| bit
== TOMOYO_TYPE_WRITE
)
1389 && (perm
& (1 << TOMOYO_TYPE_READ_WRITE
)))
1391 msg
= tomoyo_path2keyword(bit
);
1392 pos
= head
->read_avail
;
1393 if (!tomoyo_io_printf(head
, "allow_%s %s%s\n", msg
,
1400 head
->read_bit
= bit
;
1401 head
->read_avail
= pos
;
1406 * tomoyo_print_path2_acl - Print a double path ACL entry.
1408 * @head: Pointer to "struct tomoyo_io_buffer".
1409 * @ptr: Pointer to "struct tomoyo_path2_acl".
1411 * Returns true on success, false otherwise.
1413 static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer
*head
,
1414 struct tomoyo_path2_acl
*ptr
)
1417 const char *atmark1
= "";
1418 const char *atmark2
= "";
1419 const char *filename1
;
1420 const char *filename2
;
1421 const u8 perm
= ptr
->perm
;
1424 filename1
= ptr
->filename1
->name
;
1425 filename2
= ptr
->filename2
->name
;
1426 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_PATH2_OPERATION
; bit
++) {
1428 if (!(perm
& (1 << bit
)))
1430 msg
= tomoyo_path22keyword(bit
);
1431 pos
= head
->read_avail
;
1432 if (!tomoyo_io_printf(head
, "allow_%s %s%s %s%s\n", msg
,
1433 atmark1
, filename1
, atmark2
, filename2
))
1439 head
->read_bit
= bit
;
1440 head
->read_avail
= pos
;
1445 * tomoyo_print_entry - Print an ACL entry.
1447 * @head: Pointer to "struct tomoyo_io_buffer".
1448 * @ptr: Pointer to an ACL entry.
1450 * Returns true on success, false otherwise.
1452 static bool tomoyo_print_entry(struct tomoyo_io_buffer
*head
,
1453 struct tomoyo_acl_info
*ptr
)
1455 const u8 acl_type
= ptr
->type
;
1457 if (acl_type
== TOMOYO_TYPE_PATH_ACL
) {
1458 struct tomoyo_path_acl
*acl
1459 = container_of(ptr
, struct tomoyo_path_acl
, head
);
1460 return tomoyo_print_path_acl(head
, acl
);
1462 if (acl_type
== TOMOYO_TYPE_PATH2_ACL
) {
1463 struct tomoyo_path2_acl
*acl
1464 = container_of(ptr
, struct tomoyo_path2_acl
, head
);
1465 return tomoyo_print_path2_acl(head
, acl
);
1467 BUG(); /* This must not happen. */
1472 * tomoyo_read_domain_policy - Read domain policy.
1474 * @head: Pointer to "struct tomoyo_io_buffer".
1478 * Caller holds tomoyo_read_lock().
1480 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer
*head
)
1482 struct list_head
*dpos
;
1483 struct list_head
*apos
;
1488 if (head
->read_step
== 0)
1489 head
->read_step
= 1;
1490 list_for_each_cookie(dpos
, head
->read_var1
, &tomoyo_domain_list
) {
1491 struct tomoyo_domain_info
*domain
;
1492 const char *quota_exceeded
= "";
1493 const char *transition_failed
= "";
1494 const char *ignore_global_allow_read
= "";
1495 domain
= list_entry(dpos
, struct tomoyo_domain_info
, list
);
1496 if (head
->read_step
!= 1)
1498 if (domain
->is_deleted
&& !head
->read_single_domain
)
1500 /* Print domainname and flags. */
1501 if (domain
->quota_warned
)
1502 quota_exceeded
= "quota_exceeded\n";
1503 if (domain
->transition_failed
)
1504 transition_failed
= "transition_failed\n";
1505 if (domain
->ignore_global_allow_read
)
1506 ignore_global_allow_read
1507 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
"\n";
1508 done
= tomoyo_io_printf(head
, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1510 domain
->domainname
->name
,
1511 domain
->profile
, quota_exceeded
,
1513 ignore_global_allow_read
);
1516 head
->read_step
= 2;
1518 if (head
->read_step
== 3)
1520 /* Print ACL entries in the domain. */
1521 list_for_each_cookie(apos
, head
->read_var2
,
1522 &domain
->acl_info_list
) {
1523 struct tomoyo_acl_info
*ptr
1524 = list_entry(apos
, struct tomoyo_acl_info
,
1526 done
= tomoyo_print_entry(head
, ptr
);
1532 head
->read_step
= 3;
1534 done
= tomoyo_io_printf(head
, "\n");
1537 head
->read_step
= 1;
1538 if (head
->read_single_domain
)
1541 head
->read_eof
= done
;
1546 * tomoyo_write_domain_profile - Assign profile for specified domain.
1548 * @head: Pointer to "struct tomoyo_io_buffer".
1550 * Returns 0 on success, -EINVAL otherwise.
1552 * This is equivalent to doing
1554 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1555 * /usr/lib/ccs/loadpolicy -d
1557 * Caller holds tomoyo_read_lock().
1559 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer
*head
)
1561 char *data
= head
->write_buf
;
1562 char *cp
= strchr(data
, ' ');
1563 struct tomoyo_domain_info
*domain
;
1564 unsigned long profile
;
1569 domain
= tomoyo_find_domain(cp
+ 1);
1570 if (strict_strtoul(data
, 10, &profile
))
1572 if (domain
&& profile
< TOMOYO_MAX_PROFILES
1573 && (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
))
1574 domain
->profile
= (u8
) profile
;
1579 * tomoyo_read_domain_profile - Read only domainname and profile.
1581 * @head: Pointer to "struct tomoyo_io_buffer".
1583 * Returns list of profile number and domainname pairs.
1585 * This is equivalent to doing
1587 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1588 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1589 * domainname = $0; } else if ( $1 == "use_profile" ) {
1590 * print $2 " " domainname; domainname = ""; } } ; '
1592 * Caller holds tomoyo_read_lock().
1594 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer
*head
)
1596 struct list_head
*pos
;
1601 list_for_each_cookie(pos
, head
->read_var1
, &tomoyo_domain_list
) {
1602 struct tomoyo_domain_info
*domain
;
1603 domain
= list_entry(pos
, struct tomoyo_domain_info
, list
);
1604 if (domain
->is_deleted
)
1606 done
= tomoyo_io_printf(head
, "%u %s\n", domain
->profile
,
1607 domain
->domainname
->name
);
1611 head
->read_eof
= done
;
1616 * tomoyo_write_pid: Specify PID to obtain domainname.
1618 * @head: Pointer to "struct tomoyo_io_buffer".
1622 static int tomoyo_write_pid(struct tomoyo_io_buffer
*head
)
1625 /* No error check. */
1626 strict_strtoul(head
->write_buf
, 10, &pid
);
1627 head
->read_step
= (int) pid
;
1628 head
->read_eof
= false;
1633 * tomoyo_read_pid - Get domainname of the specified PID.
1635 * @head: Pointer to "struct tomoyo_io_buffer".
1637 * Returns the domainname which the specified PID is in on success,
1638 * empty string otherwise.
1639 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1640 * using read()/write() interface rather than sysctl() interface.
1642 static int tomoyo_read_pid(struct tomoyo_io_buffer
*head
)
1644 if (head
->read_avail
== 0 && !head
->read_eof
) {
1645 const int pid
= head
->read_step
;
1646 struct task_struct
*p
;
1647 struct tomoyo_domain_info
*domain
= NULL
;
1648 read_lock(&tasklist_lock
);
1649 p
= find_task_by_vpid(pid
);
1651 domain
= tomoyo_real_domain(p
);
1652 read_unlock(&tasklist_lock
);
1654 tomoyo_io_printf(head
, "%d %u %s", pid
, domain
->profile
,
1655 domain
->domainname
->name
);
1656 head
->read_eof
= true;
1662 * tomoyo_write_exception_policy - Write exception policy.
1664 * @head: Pointer to "struct tomoyo_io_buffer".
1666 * Returns 0 on success, negative value otherwise.
1668 * Caller holds tomoyo_read_lock().
1670 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer
*head
)
1672 char *data
= head
->write_buf
;
1673 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1675 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_KEEP_DOMAIN
))
1676 return tomoyo_write_domain_keeper_policy(data
, false,
1678 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_KEEP_DOMAIN
))
1679 return tomoyo_write_domain_keeper_policy(data
, true, is_delete
);
1680 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_INITIALIZE_DOMAIN
))
1681 return tomoyo_write_domain_initializer_policy(data
, false,
1683 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN
))
1684 return tomoyo_write_domain_initializer_policy(data
, true,
1686 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALIAS
))
1687 return tomoyo_write_alias_policy(data
, is_delete
);
1688 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALLOW_READ
))
1689 return tomoyo_write_globally_readable_policy(data
, is_delete
);
1690 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_FILE_PATTERN
))
1691 return tomoyo_write_pattern_policy(data
, is_delete
);
1692 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DENY_REWRITE
))
1693 return tomoyo_write_no_rewrite_policy(data
, is_delete
);
1698 * tomoyo_read_exception_policy - Read exception policy.
1700 * @head: Pointer to "struct tomoyo_io_buffer".
1702 * Returns 0 on success, -EINVAL otherwise.
1704 * Caller holds tomoyo_read_lock().
1706 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer
*head
)
1708 if (!head
->read_eof
) {
1709 switch (head
->read_step
) {
1711 head
->read_var2
= NULL
;
1712 head
->read_step
= 1;
1714 if (!tomoyo_read_domain_keeper_policy(head
))
1716 head
->read_var2
= NULL
;
1717 head
->read_step
= 2;
1719 if (!tomoyo_read_globally_readable_policy(head
))
1721 head
->read_var2
= NULL
;
1722 head
->read_step
= 3;
1724 head
->read_var2
= NULL
;
1725 head
->read_step
= 4;
1727 if (!tomoyo_read_domain_initializer_policy(head
))
1729 head
->read_var2
= NULL
;
1730 head
->read_step
= 5;
1732 if (!tomoyo_read_alias_policy(head
))
1734 head
->read_var2
= NULL
;
1735 head
->read_step
= 6;
1737 head
->read_var2
= NULL
;
1738 head
->read_step
= 7;
1740 if (!tomoyo_read_file_pattern(head
))
1742 head
->read_var2
= NULL
;
1743 head
->read_step
= 8;
1745 if (!tomoyo_read_no_rewrite_policy(head
))
1747 head
->read_var2
= NULL
;
1748 head
->read_step
= 9;
1750 head
->read_eof
= true;
1759 /* path to policy loader */
1760 static const char *tomoyo_loader
= "/sbin/tomoyo-init";
1763 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
1765 * Returns true if /sbin/tomoyo-init exists, false otherwise.
1767 static bool tomoyo_policy_loader_exists(void)
1770 * Don't activate MAC if the policy loader doesn't exist.
1771 * If the initrd includes /sbin/init but real-root-dev has not
1772 * mounted on / yet, activating MAC will block the system since
1773 * policies are not loaded yet.
1774 * Thus, let do_execve() call this function everytime.
1778 if (kern_path(tomoyo_loader
, LOOKUP_FOLLOW
, &path
)) {
1779 printk(KERN_INFO
"Not activating Mandatory Access Control now "
1780 "since %s doesn't exist.\n", tomoyo_loader
);
1788 * tomoyo_load_policy - Run external policy loader to load policy.
1790 * @filename: The program about to start.
1792 * This function checks whether @filename is /sbin/init , and if so
1793 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
1794 * and then continues invocation of /sbin/init.
1795 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
1796 * writes to /sys/kernel/security/tomoyo/ interfaces.
1800 void tomoyo_load_policy(const char *filename
)
1805 if (tomoyo_policy_loaded
)
1808 * Check filename is /sbin/init or /sbin/tomoyo-start.
1809 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
1811 * You can create /sbin/tomoyo-start by
1812 * "ln -s /bin/true /sbin/tomoyo-start".
1814 if (strcmp(filename
, "/sbin/init") &&
1815 strcmp(filename
, "/sbin/tomoyo-start"))
1817 if (!tomoyo_policy_loader_exists())
1820 printk(KERN_INFO
"Calling %s to load policy. Please wait.\n",
1822 argv
[0] = (char *) tomoyo_loader
;
1825 envp
[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
1827 call_usermodehelper(argv
[0], argv
, envp
, 1);
1829 printk(KERN_INFO
"TOMOYO: 2.2.0 2009/04/01\n");
1830 printk(KERN_INFO
"Mandatory Access Control activated.\n");
1831 tomoyo_policy_loaded
= true;
1832 { /* Check all profiles currently assigned to domains are defined. */
1833 struct tomoyo_domain_info
*domain
;
1834 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1835 const u8 profile
= domain
->profile
;
1836 if (tomoyo_profile_ptr
[profile
])
1838 panic("Profile %u (used by '%s') not defined.\n",
1839 profile
, domain
->domainname
->name
);
1845 * tomoyo_read_version: Get version.
1847 * @head: Pointer to "struct tomoyo_io_buffer".
1849 * Returns version information.
1851 static int tomoyo_read_version(struct tomoyo_io_buffer
*head
)
1853 if (!head
->read_eof
) {
1854 tomoyo_io_printf(head
, "2.2.0");
1855 head
->read_eof
= true;
1861 * tomoyo_read_self_domain - Get the current process's domainname.
1863 * @head: Pointer to "struct tomoyo_io_buffer".
1865 * Returns the current process's domainname.
1867 static int tomoyo_read_self_domain(struct tomoyo_io_buffer
*head
)
1869 if (!head
->read_eof
) {
1871 * tomoyo_domain()->domainname != NULL
1872 * because every process belongs to a domain and
1873 * the domain's name cannot be NULL.
1875 tomoyo_io_printf(head
, "%s", tomoyo_domain()->domainname
->name
);
1876 head
->read_eof
= true;
1882 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
1884 * @type: Type of interface.
1885 * @file: Pointer to "struct file".
1887 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
1889 * Caller acquires tomoyo_read_lock().
1891 static int tomoyo_open_control(const u8 type
, struct file
*file
)
1893 struct tomoyo_io_buffer
*head
= kzalloc(sizeof(*head
), GFP_KERNEL
);
1897 mutex_init(&head
->io_sem
);
1899 case TOMOYO_DOMAINPOLICY
:
1900 /* /sys/kernel/security/tomoyo/domain_policy */
1901 head
->write
= tomoyo_write_domain_policy
;
1902 head
->read
= tomoyo_read_domain_policy
;
1904 case TOMOYO_EXCEPTIONPOLICY
:
1905 /* /sys/kernel/security/tomoyo/exception_policy */
1906 head
->write
= tomoyo_write_exception_policy
;
1907 head
->read
= tomoyo_read_exception_policy
;
1909 case TOMOYO_SELFDOMAIN
:
1910 /* /sys/kernel/security/tomoyo/self_domain */
1911 head
->read
= tomoyo_read_self_domain
;
1913 case TOMOYO_DOMAIN_STATUS
:
1914 /* /sys/kernel/security/tomoyo/.domain_status */
1915 head
->write
= tomoyo_write_domain_profile
;
1916 head
->read
= tomoyo_read_domain_profile
;
1918 case TOMOYO_PROCESS_STATUS
:
1919 /* /sys/kernel/security/tomoyo/.process_status */
1920 head
->write
= tomoyo_write_pid
;
1921 head
->read
= tomoyo_read_pid
;
1923 case TOMOYO_VERSION
:
1924 /* /sys/kernel/security/tomoyo/version */
1925 head
->read
= tomoyo_read_version
;
1926 head
->readbuf_size
= 128;
1928 case TOMOYO_MEMINFO
:
1929 /* /sys/kernel/security/tomoyo/meminfo */
1930 head
->write
= tomoyo_write_memory_quota
;
1931 head
->read
= tomoyo_read_memory_counter
;
1932 head
->readbuf_size
= 512;
1934 case TOMOYO_PROFILE
:
1935 /* /sys/kernel/security/tomoyo/profile */
1936 head
->write
= tomoyo_write_profile
;
1937 head
->read
= tomoyo_read_profile
;
1939 case TOMOYO_MANAGER
:
1940 /* /sys/kernel/security/tomoyo/manager */
1941 head
->write
= tomoyo_write_manager_policy
;
1942 head
->read
= tomoyo_read_manager_policy
;
1945 if (!(file
->f_mode
& FMODE_READ
)) {
1947 * No need to allocate read_buf since it is not opened
1952 if (!head
->readbuf_size
)
1953 head
->readbuf_size
= 4096 * 2;
1954 head
->read_buf
= kzalloc(head
->readbuf_size
, GFP_KERNEL
);
1955 if (!head
->read_buf
) {
1960 if (!(file
->f_mode
& FMODE_WRITE
)) {
1962 * No need to allocate write_buf since it is not opened
1966 } else if (head
->write
) {
1967 head
->writebuf_size
= 4096 * 2;
1968 head
->write_buf
= kzalloc(head
->writebuf_size
, GFP_KERNEL
);
1969 if (!head
->write_buf
) {
1970 kfree(head
->read_buf
);
1975 head
->reader_idx
= tomoyo_read_lock();
1976 file
->private_data
= head
;
1978 * Call the handler now if the file is
1979 * /sys/kernel/security/tomoyo/self_domain
1980 * so that the user can use
1981 * cat < /sys/kernel/security/tomoyo/self_domain"
1982 * to know the current process's domainname.
1984 if (type
== TOMOYO_SELFDOMAIN
)
1985 tomoyo_read_control(file
, NULL
, 0);
1990 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
1992 * @file: Pointer to "struct file".
1993 * @buffer: Poiner to buffer to write to.
1994 * @buffer_len: Size of @buffer.
1996 * Returns bytes read on success, negative value otherwise.
1998 * Caller holds tomoyo_read_lock().
2000 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
2001 const int buffer_len
)
2004 struct tomoyo_io_buffer
*head
= file
->private_data
;
2009 if (mutex_lock_interruptible(&head
->io_sem
))
2011 /* Call the policy handler. */
2012 len
= head
->read(head
);
2015 /* Write to buffer. */
2016 len
= head
->read_avail
;
2017 if (len
> buffer_len
)
2021 /* head->read_buf changes by some functions. */
2022 cp
= head
->read_buf
;
2023 if (copy_to_user(buffer
, cp
, len
)) {
2027 head
->read_avail
-= len
;
2028 memmove(cp
, cp
+ len
, head
->read_avail
);
2030 mutex_unlock(&head
->io_sem
);
2035 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2037 * @file: Pointer to "struct file".
2038 * @buffer: Pointer to buffer to read from.
2039 * @buffer_len: Size of @buffer.
2041 * Returns @buffer_len on success, negative value otherwise.
2043 * Caller holds tomoyo_read_lock().
2045 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
2046 const int buffer_len
)
2048 struct tomoyo_io_buffer
*head
= file
->private_data
;
2049 int error
= buffer_len
;
2050 int avail_len
= buffer_len
;
2051 char *cp0
= head
->write_buf
;
2055 if (!access_ok(VERIFY_READ
, buffer
, buffer_len
))
2057 /* Don't allow updating policies by non manager programs. */
2058 if (head
->write
!= tomoyo_write_pid
&&
2059 head
->write
!= tomoyo_write_domain_policy
&&
2060 !tomoyo_is_policy_manager())
2062 if (mutex_lock_interruptible(&head
->io_sem
))
2064 /* Read a line and dispatch it to the policy handler. */
2065 while (avail_len
> 0) {
2067 if (head
->write_avail
>= head
->writebuf_size
- 1) {
2070 } else if (get_user(c
, buffer
)) {
2076 cp0
[head
->write_avail
++] = c
;
2079 cp0
[head
->write_avail
- 1] = '\0';
2080 head
->write_avail
= 0;
2081 tomoyo_normalize_line(cp0
);
2084 mutex_unlock(&head
->io_sem
);
2089 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2091 * @file: Pointer to "struct file".
2093 * Releases memory and returns 0.
2095 * Caller looses tomoyo_read_lock().
2097 static int tomoyo_close_control(struct file
*file
)
2099 struct tomoyo_io_buffer
*head
= file
->private_data
;
2100 const bool is_write
= !!head
->write_buf
;
2102 tomoyo_read_unlock(head
->reader_idx
);
2103 /* Release memory used for policy I/O. */
2104 kfree(head
->read_buf
);
2105 head
->read_buf
= NULL
;
2106 kfree(head
->write_buf
);
2107 head
->write_buf
= NULL
;
2110 file
->private_data
= NULL
;
2117 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2119 * @inode: Pointer to "struct inode".
2120 * @file: Pointer to "struct file".
2122 * Returns 0 on success, negative value otherwise.
2124 static int tomoyo_open(struct inode
*inode
, struct file
*file
)
2126 const int key
= ((u8
*) file
->f_path
.dentry
->d_inode
->i_private
)
2128 return tomoyo_open_control(key
, file
);
2132 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2134 * @inode: Pointer to "struct inode".
2135 * @file: Pointer to "struct file".
2137 * Returns 0 on success, negative value otherwise.
2139 static int tomoyo_release(struct inode
*inode
, struct file
*file
)
2141 return tomoyo_close_control(file
);
2145 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2147 * @file: Pointer to "struct file".
2148 * @buf: Pointer to buffer.
2149 * @count: Size of @buf.
2152 * Returns bytes read on success, negative value otherwise.
2154 static ssize_t
tomoyo_read(struct file
*file
, char __user
*buf
, size_t count
,
2157 return tomoyo_read_control(file
, buf
, count
);
2161 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2163 * @file: Pointer to "struct file".
2164 * @buf: Pointer to buffer.
2165 * @count: Size of @buf.
2168 * Returns @count on success, negative value otherwise.
2170 static ssize_t
tomoyo_write(struct file
*file
, const char __user
*buf
,
2171 size_t count
, loff_t
*ppos
)
2173 return tomoyo_write_control(file
, buf
, count
);
2177 * tomoyo_operations is a "struct file_operations" which is used for handling
2178 * /sys/kernel/security/tomoyo/ interface.
2180 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2181 * See tomoyo_io_buffer for internals.
2183 static const struct file_operations tomoyo_operations
= {
2184 .open
= tomoyo_open
,
2185 .release
= tomoyo_release
,
2186 .read
= tomoyo_read
,
2187 .write
= tomoyo_write
,
2191 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2193 * @name: The name of the interface file.
2194 * @mode: The permission of the interface file.
2195 * @parent: The parent directory.
2196 * @key: Type of interface.
2200 static void __init
tomoyo_create_entry(const char *name
, const mode_t mode
,
2201 struct dentry
*parent
, const u8 key
)
2203 securityfs_create_file(name
, mode
, parent
, ((u8
*) NULL
) + key
,
2204 &tomoyo_operations
);
2208 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2212 static int __init
tomoyo_initerface_init(void)
2214 struct dentry
*tomoyo_dir
;
2216 /* Don't create securityfs entries unless registered. */
2217 if (current_cred()->security
!= &tomoyo_kernel_domain
)
2220 tomoyo_dir
= securityfs_create_dir("tomoyo", NULL
);
2221 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir
,
2222 TOMOYO_DOMAINPOLICY
);
2223 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir
,
2224 TOMOYO_EXCEPTIONPOLICY
);
2225 tomoyo_create_entry("self_domain", 0400, tomoyo_dir
,
2227 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir
,
2228 TOMOYO_DOMAIN_STATUS
);
2229 tomoyo_create_entry(".process_status", 0600, tomoyo_dir
,
2230 TOMOYO_PROCESS_STATUS
);
2231 tomoyo_create_entry("meminfo", 0600, tomoyo_dir
,
2233 tomoyo_create_entry("profile", 0600, tomoyo_dir
,
2235 tomoyo_create_entry("manager", 0600, tomoyo_dir
,
2237 tomoyo_create_entry("version", 0400, tomoyo_dir
,
2242 fs_initcall(tomoyo_initerface_init
);