2 * security/tomoyo/common.c
4 * Common functions for TOMOYO.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
12 #include <linux/uaccess.h>
13 #include <linux/security.h>
14 #include <linux/hardirq.h>
19 /* Lock for protecting policy. */
20 DEFINE_MUTEX(tomoyo_policy_lock
);
22 /* Has loading policy done? */
23 bool tomoyo_policy_loaded
;
25 /* String table for functionality that takes 4 modes. */
26 static const char *tomoyo_mode_4
[4] = {
27 "disabled", "learning", "permissive", "enforcing"
29 /* String table for functionality that takes 2 modes. */
30 static const char *tomoyo_mode_2
[4] = {
31 "disabled", "enabled", "enabled", "enabled"
35 * tomoyo_control_array is a static data which contains
37 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
38 * (2) initial values for "struct tomoyo_profile".
39 * (3) max values for "struct tomoyo_profile".
43 unsigned int current_value
;
44 const unsigned int max_value
;
45 } tomoyo_control_array
[TOMOYO_MAX_CONTROL_INDEX
] = {
46 [TOMOYO_MAC_FOR_FILE
] = { "MAC_FOR_FILE", 0, 3 },
47 [TOMOYO_MAX_ACCEPT_ENTRY
] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX
},
48 [TOMOYO_VERBOSE
] = { "TOMOYO_VERBOSE", 1, 1 },
52 * tomoyo_profile is a structure which is used for holding the mode of access
53 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
54 * An administrator can define up to 256 profiles.
55 * The ->profile of "struct tomoyo_domain_info" is used for remembering
56 * the profile's number (0 - 255) assigned to that domain.
58 static struct tomoyo_profile
{
59 unsigned int value
[TOMOYO_MAX_CONTROL_INDEX
];
60 const struct tomoyo_path_info
*comment
;
61 } *tomoyo_profile_ptr
[TOMOYO_MAX_PROFILES
];
63 /* Permit policy management by non-root user? */
64 static bool tomoyo_manage_by_non_root
;
66 /* Utility functions. */
68 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
69 static int tomoyo_open_control(const u8 type
, struct file
*file
);
70 /* Close /sys/kernel/security/tomoyo/ interface. */
71 static int tomoyo_close_control(struct file
*file
);
72 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
73 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
74 const int buffer_len
);
75 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
76 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
77 const int buffer_len
);
80 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
82 * @str: Pointer to the string.
84 * Returns true if @str is a \ooo style octal value, false otherwise.
86 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
87 * This function verifies that \ooo is in valid range.
89 static inline bool tomoyo_is_byte_range(const char *str
)
91 return *str
>= '0' && *str
++ <= '3' &&
92 *str
>= '0' && *str
++ <= '7' &&
93 *str
>= '0' && *str
<= '7';
97 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
99 * @c: The character to check.
101 * Returns true if @c is an alphabet character, false otherwise.
103 static inline bool tomoyo_is_alphabet_char(const char c
)
105 return (c
>= 'A' && c
<= 'Z') || (c
>= 'a' && c
<= 'z');
109 * tomoyo_make_byte - Make byte value from three octal characters.
111 * @c1: The first character.
112 * @c2: The second character.
113 * @c3: The third character.
115 * Returns byte value.
117 static inline u8
tomoyo_make_byte(const u8 c1
, const u8 c2
, const u8 c3
)
119 return ((c1
- '0') << 6) + ((c2
- '0') << 3) + (c3
- '0');
123 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
125 * @src: Pointer to pointer to the string.
126 * @find: Pointer to the keyword.
128 * Returns true if @src starts with @find, false otherwise.
130 * The @src is updated to point the first character after the @find
131 * if @src starts with @find.
133 static bool tomoyo_str_starts(char **src
, const char *find
)
135 const int len
= strlen(find
);
138 if (strncmp(tmp
, find
, len
))
146 * tomoyo_normalize_line - Format string.
148 * @buffer: The line to normalize.
150 * Leading and trailing whitespaces are removed.
151 * Multiple whitespaces are packed into single space.
155 static void tomoyo_normalize_line(unsigned char *buffer
)
157 unsigned char *sp
= buffer
;
158 unsigned char *dp
= buffer
;
161 while (tomoyo_is_invalid(*sp
))
167 while (tomoyo_is_valid(*sp
))
169 while (tomoyo_is_invalid(*sp
))
176 * tomoyo_is_correct_path - Validate a pathname.
177 * @filename: The pathname to check.
178 * @start_type: Should the pathname start with '/'?
179 * 1 = must / -1 = must not / 0 = don't care
180 * @pattern_type: Can the pathname contain a wildcard?
181 * 1 = must / -1 = must not / 0 = don't care
182 * @end_type: Should the pathname end with '/'?
183 * 1 = must / -1 = must not / 0 = don't care
184 * @function: The name of function calling me.
186 * Check whether the given filename follows the naming rules.
187 * Returns true if @filename follows the naming rules, false otherwise.
189 bool tomoyo_is_correct_path(const char *filename
, const s8 start_type
,
190 const s8 pattern_type
, const s8 end_type
,
191 const char *function
)
193 const char *const start
= filename
;
194 bool in_repetition
= false;
195 bool contains_pattern
= false;
199 const char *original_filename
= filename
;
204 if (start_type
== 1) { /* Must start with '/' */
207 } else if (start_type
== -1) { /* Must not start with '/' */
212 c
= *(filename
+ strlen(filename
) - 1);
213 if (end_type
== 1) { /* Must end with '/' */
216 } else if (end_type
== -1) { /* Must not end with '/' */
227 case '\\': /* "\\" */
239 if (pattern_type
== -1)
240 break; /* Must not contain pattern */
241 contains_pattern
= true;
243 case '{': /* "/\{" */
244 if (filename
- 3 < start
||
245 *(filename
- 3) != '/')
247 if (pattern_type
== -1)
248 break; /* Must not contain pattern */
249 contains_pattern
= true;
250 in_repetition
= true;
252 case '}': /* "\}/" */
253 if (*filename
!= '/')
257 in_repetition
= false;
259 case '0': /* "\ooo" */
264 if (d
< '0' || d
> '7')
267 if (e
< '0' || e
> '7')
269 c
= tomoyo_make_byte(c
, d
, e
);
270 if (tomoyo_is_invalid(c
))
271 continue; /* pattern is not \000 */
274 } else if (in_repetition
&& c
== '/') {
276 } else if (tomoyo_is_invalid(c
)) {
280 if (pattern_type
== 1) { /* Must contain pattern */
281 if (!contains_pattern
)
288 printk(KERN_DEBUG
"%s: Invalid pathname '%s'\n", function
,
294 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
295 * @domainname: The domainname to check.
296 * @function: The name of function calling me.
298 * Returns true if @domainname follows the naming rules, false otherwise.
300 bool tomoyo_is_correct_domain(const unsigned char *domainname
,
301 const char *function
)
306 const char *org_domainname
= domainname
;
308 if (!domainname
|| strncmp(domainname
, TOMOYO_ROOT_NAME
,
309 TOMOYO_ROOT_NAME_LEN
))
311 domainname
+= TOMOYO_ROOT_NAME_LEN
;
315 if (*domainname
++ != ' ')
317 if (*domainname
++ != '/')
319 while ((c
= *domainname
) != '\0' && c
!= ' ') {
324 case '\\': /* "\\" */
326 case '0': /* "\ooo" */
331 if (d
< '0' || d
> '7')
334 if (e
< '0' || e
> '7')
336 c
= tomoyo_make_byte(c
, d
, e
);
337 if (tomoyo_is_invalid(c
))
338 /* pattern is not \000 */
342 } else if (tomoyo_is_invalid(c
)) {
346 } while (*domainname
);
349 printk(KERN_DEBUG
"%s: Invalid domainname '%s'\n", function
,
355 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
357 * @buffer: The token to check.
359 * Returns true if @buffer possibly be a domainname, false otherwise.
361 bool tomoyo_is_domain_def(const unsigned char *buffer
)
363 return !strncmp(buffer
, TOMOYO_ROOT_NAME
, TOMOYO_ROOT_NAME_LEN
);
367 * tomoyo_find_domain - Find a domain by the given name.
369 * @domainname: The domainname to find.
371 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
373 * Caller holds tomoyo_read_lock().
375 struct tomoyo_domain_info
*tomoyo_find_domain(const char *domainname
)
377 struct tomoyo_domain_info
*domain
;
378 struct tomoyo_path_info name
;
380 name
.name
= domainname
;
381 tomoyo_fill_path_info(&name
);
382 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
383 if (!domain
->is_deleted
&&
384 !tomoyo_pathcmp(&name
, domain
->domainname
))
391 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
393 * @filename: The string to evaluate.
395 * Returns the initial length without a pattern in @filename.
397 static int tomoyo_const_part_length(const char *filename
)
404 while ((c
= *filename
++) != '\0') {
411 case '\\': /* "\\" */
414 case '0': /* "\ooo" */
419 if (c
< '0' || c
> '7')
422 if (c
< '0' || c
> '7')
433 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
435 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
437 * The caller sets "struct tomoyo_path_info"->name.
439 void tomoyo_fill_path_info(struct tomoyo_path_info
*ptr
)
441 const char *name
= ptr
->name
;
442 const int len
= strlen(name
);
444 ptr
->const_len
= tomoyo_const_part_length(name
);
445 ptr
->is_dir
= len
&& (name
[len
- 1] == '/');
446 ptr
->is_patterned
= (ptr
->const_len
< len
);
447 ptr
->hash
= full_name_hash(name
, len
);
451 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
454 * @filename: The start of string to check.
455 * @filename_end: The end of string to check.
456 * @pattern: The start of pattern to compare.
457 * @pattern_end: The end of pattern to compare.
459 * Returns true if @filename matches @pattern, false otherwise.
461 static bool tomoyo_file_matches_pattern2(const char *filename
,
462 const char *filename_end
,
464 const char *pattern_end
)
466 while (filename
< filename_end
&& pattern
< pattern_end
) {
468 if (*pattern
!= '\\') {
469 if (*filename
++ != *pattern
++)
481 } else if (c
== '\\') {
482 if (filename
[1] == '\\')
484 else if (tomoyo_is_byte_range(filename
+ 1))
493 if (*++filename
!= '\\')
505 if (!tomoyo_is_alphabet_char(c
))
512 if (c
== '\\' && tomoyo_is_byte_range(filename
+ 1)
513 && strncmp(filename
+ 1, pattern
, 3) == 0) {
518 return false; /* Not matched. */
521 for (i
= 0; i
<= filename_end
- filename
; i
++) {
522 if (tomoyo_file_matches_pattern2(
523 filename
+ i
, filename_end
,
524 pattern
+ 1, pattern_end
))
527 if (c
== '.' && *pattern
== '@')
531 if (filename
[i
+ 1] == '\\')
533 else if (tomoyo_is_byte_range(filename
+ i
+ 1))
536 break; /* Bad pattern. */
538 return false; /* Not matched. */
543 while (isdigit(filename
[j
]))
545 } else if (c
== 'X') {
546 while (isxdigit(filename
[j
]))
548 } else if (c
== 'A') {
549 while (tomoyo_is_alphabet_char(filename
[j
]))
552 for (i
= 1; i
<= j
; i
++) {
553 if (tomoyo_file_matches_pattern2(
554 filename
+ i
, filename_end
,
555 pattern
+ 1, pattern_end
))
558 return false; /* Not matched or bad pattern. */
563 while (*pattern
== '\\' &&
564 (*(pattern
+ 1) == '*' || *(pattern
+ 1) == '@'))
566 return filename
== filename_end
&& pattern
== pattern_end
;
570 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
572 * @filename: The start of string to check.
573 * @filename_end: The end of string to check.
574 * @pattern: The start of pattern to compare.
575 * @pattern_end: The end of pattern to compare.
577 * Returns true if @filename matches @pattern, false otherwise.
579 static bool tomoyo_file_matches_pattern(const char *filename
,
580 const char *filename_end
,
582 const char *pattern_end
)
584 const char *pattern_start
= pattern
;
588 while (pattern
< pattern_end
- 1) {
589 /* Split at "\-" pattern. */
590 if (*pattern
++ != '\\' || *pattern
++ != '-')
592 result
= tomoyo_file_matches_pattern2(filename
,
601 pattern_start
= pattern
;
603 result
= tomoyo_file_matches_pattern2(filename
, filename_end
,
604 pattern_start
, pattern_end
);
605 return first
? result
: !result
;
609 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
611 * @f: The start of string to check.
612 * @p: The start of pattern to compare.
614 * Returns true if @f matches @p, false otherwise.
616 static bool tomoyo_path_matches_pattern2(const char *f
, const char *p
)
618 const char *f_delimiter
;
619 const char *p_delimiter
;
622 f_delimiter
= strchr(f
, '/');
624 f_delimiter
= f
+ strlen(f
);
625 p_delimiter
= strchr(p
, '/');
627 p_delimiter
= p
+ strlen(p
);
628 if (*p
== '\\' && *(p
+ 1) == '{')
630 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
,
640 /* Ignore trailing "\*" and "\@" in @pattern. */
642 (*(p
+ 1) == '*' || *(p
+ 1) == '@'))
647 * The "\{" pattern is permitted only after '/' character.
648 * This guarantees that below "*(p - 1)" is safe.
649 * Also, the "\}" pattern is permitted only before '/' character
650 * so that "\{" + "\}" pair will not break the "\-" operator.
652 if (*(p
- 1) != '/' || p_delimiter
<= p
+ 3 || *p_delimiter
!= '/' ||
653 *(p_delimiter
- 1) != '}' || *(p_delimiter
- 2) != '\\')
654 return false; /* Bad pattern. */
656 /* Compare current component with pattern. */
657 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
+ 2,
660 /* Proceed to next component. */
665 /* Continue comparison. */
666 if (tomoyo_path_matches_pattern2(f
, p_delimiter
+ 1))
668 f_delimiter
= strchr(f
, '/');
669 } while (f_delimiter
);
670 return false; /* Not matched. */
674 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
676 * @filename: The filename to check.
677 * @pattern: The pattern to compare.
679 * Returns true if matches, false otherwise.
681 * The following patterns are available.
683 * \ooo Octal representation of a byte.
684 * \* Zero or more repetitions of characters other than '/'.
685 * \@ Zero or more repetitions of characters other than '/' or '.'.
686 * \? 1 byte character other than '/'.
687 * \$ One or more repetitions of decimal digits.
688 * \+ 1 decimal digit.
689 * \X One or more repetitions of hexadecimal digits.
690 * \x 1 hexadecimal digit.
691 * \A One or more repetitions of alphabet characters.
692 * \a 1 alphabet character.
694 * \- Subtraction operator.
696 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
699 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info
*filename
,
700 const struct tomoyo_path_info
*pattern
)
702 const char *f
= filename
->name
;
703 const char *p
= pattern
->name
;
704 const int len
= pattern
->const_len
;
706 /* If @pattern doesn't contain pattern, I can use strcmp(). */
707 if (!pattern
->is_patterned
)
708 return !tomoyo_pathcmp(filename
, pattern
);
709 /* Don't compare directory and non-directory. */
710 if (filename
->is_dir
!= pattern
->is_dir
)
712 /* Compare the initial length without patterns. */
713 if (strncmp(f
, p
, len
))
717 return tomoyo_path_matches_pattern2(f
, p
);
721 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
723 * @head: Pointer to "struct tomoyo_io_buffer".
724 * @fmt: The printf()'s format string, followed by parameters.
726 * Returns true if output was written, false otherwise.
728 * The snprintf() will truncate, but tomoyo_io_printf() won't.
730 bool tomoyo_io_printf(struct tomoyo_io_buffer
*head
, const char *fmt
, ...)
734 int pos
= head
->read_avail
;
735 int size
= head
->readbuf_size
- pos
;
740 len
= vsnprintf(head
->read_buf
+ pos
, size
, fmt
, args
);
742 if (pos
+ len
>= head
->readbuf_size
)
744 head
->read_avail
+= len
;
749 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
751 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
753 * This function uses kzalloc(), so the caller must call kfree()
754 * if this function didn't return NULL.
756 static const char *tomoyo_get_exe(void)
758 struct mm_struct
*mm
= current
->mm
;
759 struct vm_area_struct
*vma
;
760 const char *cp
= NULL
;
764 down_read(&mm
->mmap_sem
);
765 for (vma
= mm
->mmap
; vma
; vma
= vma
->vm_next
) {
766 if ((vma
->vm_flags
& VM_EXECUTABLE
) && vma
->vm_file
) {
767 cp
= tomoyo_realpath_from_path(&vma
->vm_file
->f_path
);
771 up_read(&mm
->mmap_sem
);
776 * tomoyo_get_msg - Get warning message.
778 * @is_enforce: Is it enforcing mode?
780 * Returns "ERROR" or "WARNING".
782 const char *tomoyo_get_msg(const bool is_enforce
)
791 * tomoyo_check_flags - Check mode for specified functionality.
793 * @domain: Pointer to "struct tomoyo_domain_info".
794 * @index: The functionality to check mode.
796 * TOMOYO checks only process context.
797 * This code disables TOMOYO's enforcement in case the function is called from
800 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info
*domain
,
803 const u8 profile
= domain
->profile
;
805 if (WARN_ON(in_interrupt()))
807 return tomoyo_policy_loaded
&& index
< TOMOYO_MAX_CONTROL_INDEX
808 #if TOMOYO_MAX_PROFILES != 256
809 && profile
< TOMOYO_MAX_PROFILES
811 && tomoyo_profile_ptr
[profile
] ?
812 tomoyo_profile_ptr
[profile
]->value
[index
] : 0;
816 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
818 * @domain: Pointer to "struct tomoyo_domain_info".
820 * Returns true if domain policy violation warning should be printed to
823 bool tomoyo_verbose_mode(const struct tomoyo_domain_info
*domain
)
825 return tomoyo_check_flags(domain
, TOMOYO_VERBOSE
) != 0;
829 * tomoyo_domain_quota_is_ok - Check for domain's quota.
831 * @domain: Pointer to "struct tomoyo_domain_info".
833 * Returns true if the domain is not exceeded quota, false otherwise.
835 * Caller holds tomoyo_read_lock().
837 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info
* const domain
)
839 unsigned int count
= 0;
840 struct tomoyo_acl_info
*ptr
;
844 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
846 struct tomoyo_single_path_acl_record
*acl
;
849 case TOMOYO_TYPE_SINGLE_PATH_ACL
:
850 acl
= container_of(ptr
,
851 struct tomoyo_single_path_acl_record
,
853 perm
= acl
->perm
| (((u32
) acl
->perm_high
) << 16);
854 for (i
= 0; i
< TOMOYO_MAX_SINGLE_PATH_OPERATION
; i
++)
857 if (perm
& (1 << TOMOYO_TYPE_READ_WRITE_ACL
))
860 case TOMOYO_TYPE_DOUBLE_PATH_ACL
:
861 perm
= container_of(ptr
,
862 struct tomoyo_double_path_acl_record
,
864 for (i
= 0; i
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
; i
++)
870 if (count
< tomoyo_check_flags(domain
, TOMOYO_MAX_ACCEPT_ENTRY
))
872 if (!domain
->quota_warned
) {
873 domain
->quota_warned
= true;
874 printk(KERN_WARNING
"TOMOYO-WARNING: "
875 "Domain '%s' has so many ACLs to hold. "
876 "Stopped learning mode.\n", domain
->domainname
->name
);
882 * tomoyo_find_or_assign_new_profile - Create a new profile.
884 * @profile: Profile number to create.
886 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
888 static struct tomoyo_profile
*tomoyo_find_or_assign_new_profile(const unsigned
891 static DEFINE_MUTEX(lock
);
892 struct tomoyo_profile
*ptr
= NULL
;
895 if (profile
>= TOMOYO_MAX_PROFILES
)
898 ptr
= tomoyo_profile_ptr
[profile
];
901 ptr
= kmalloc(sizeof(*ptr
), GFP_KERNEL
);
902 if (!tomoyo_memory_ok(ptr
)) {
906 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++)
907 ptr
->value
[i
] = tomoyo_control_array
[i
].current_value
;
908 mb(); /* Avoid out-of-order execution. */
909 tomoyo_profile_ptr
[profile
] = ptr
;
916 * tomoyo_write_profile - Write to profile table.
918 * @head: Pointer to "struct tomoyo_io_buffer".
920 * Returns 0 on success, negative value otherwise.
922 static int tomoyo_write_profile(struct tomoyo_io_buffer
*head
)
924 char *data
= head
->write_buf
;
928 struct tomoyo_profile
*profile
;
931 cp
= strchr(data
, '-');
934 if (strict_strtoul(data
, 10, &num
))
938 profile
= tomoyo_find_or_assign_new_profile(num
);
941 cp
= strchr(data
, '=');
945 if (!strcmp(data
, "COMMENT")) {
946 const struct tomoyo_path_info
*old_comment
= profile
->comment
;
947 profile
->comment
= tomoyo_get_name(cp
+ 1);
948 tomoyo_put_name(old_comment
);
951 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++) {
952 if (strcmp(data
, tomoyo_control_array
[i
].keyword
))
954 if (sscanf(cp
+ 1, "%u", &value
) != 1) {
959 modes
= tomoyo_mode_2
;
962 modes
= tomoyo_mode_4
;
965 for (j
= 0; j
< 4; j
++) {
966 if (strcmp(cp
+ 1, modes
[j
]))
973 } else if (value
> tomoyo_control_array
[i
].max_value
) {
974 value
= tomoyo_control_array
[i
].max_value
;
976 profile
->value
[i
] = value
;
983 * tomoyo_read_profile - Read from profile table.
985 * @head: Pointer to "struct tomoyo_io_buffer".
989 static int tomoyo_read_profile(struct tomoyo_io_buffer
*head
)
991 static const int total
= TOMOYO_MAX_CONTROL_INDEX
+ 1;
996 for (step
= head
->read_step
; step
< TOMOYO_MAX_PROFILES
* total
;
998 const u8 index
= step
/ total
;
999 u8 type
= step
% total
;
1000 const struct tomoyo_profile
*profile
1001 = tomoyo_profile_ptr
[index
];
1002 head
->read_step
= step
;
1005 if (!type
) { /* Print profile' comment tag. */
1006 if (!tomoyo_io_printf(head
, "%u-COMMENT=%s\n",
1007 index
, profile
->comment
?
1008 profile
->comment
->name
: ""))
1013 if (type
< TOMOYO_MAX_CONTROL_INDEX
) {
1014 const unsigned int value
= profile
->value
[type
];
1015 const char **modes
= NULL
;
1017 = tomoyo_control_array
[type
].keyword
;
1018 switch (tomoyo_control_array
[type
].max_value
) {
1020 modes
= tomoyo_mode_4
;
1023 modes
= tomoyo_mode_2
;
1027 if (!tomoyo_io_printf(head
, "%u-%s=%s\n", index
,
1028 keyword
, modes
[value
]))
1031 if (!tomoyo_io_printf(head
, "%u-%s=%u\n", index
,
1037 if (step
== TOMOYO_MAX_PROFILES
* total
)
1038 head
->read_eof
= true;
1043 * tomoyo_policy_manager_entry is a structure which is used for holding list of
1044 * domainnames or programs which are permitted to modify configuration via
1045 * /sys/kernel/security/tomoyo/ interface.
1046 * It has following fields.
1048 * (1) "list" which is linked to tomoyo_policy_manager_list .
1049 * (2) "manager" is a domainname or a program's pathname.
1050 * (3) "is_domain" is a bool which is true if "manager" is a domainname, false
1052 * (4) "is_deleted" is a bool which is true if marked as deleted, false
1055 struct tomoyo_policy_manager_entry
{
1056 struct list_head list
;
1057 /* A path to program or a domainname. */
1058 const struct tomoyo_path_info
*manager
;
1059 bool is_domain
; /* True if manager is a domainname. */
1060 bool is_deleted
; /* True if this entry is deleted. */
1064 * tomoyo_policy_manager_list is used for holding list of domainnames or
1065 * programs which are permitted to modify configuration via
1066 * /sys/kernel/security/tomoyo/ interface.
1068 * An entry is added by
1070 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1071 * /sys/kernel/security/tomoyo/manager
1072 * (if you want to specify by a domainname)
1076 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1077 * (if you want to specify by a program's location)
1081 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1082 * /sys/kernel/security/tomoyo/manager
1086 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1087 * /sys/kernel/security/tomoyo/manager
1089 * and all entries are retrieved by
1091 * # cat /sys/kernel/security/tomoyo/manager
1093 static LIST_HEAD(tomoyo_policy_manager_list
);
1096 * tomoyo_update_manager_entry - Add a manager entry.
1098 * @manager: The path to manager or the domainnamme.
1099 * @is_delete: True if it is a delete request.
1101 * Returns 0 on success, negative value otherwise.
1103 * Caller holds tomoyo_read_lock().
1105 static int tomoyo_update_manager_entry(const char *manager
,
1106 const bool is_delete
)
1108 struct tomoyo_policy_manager_entry
*entry
= NULL
;
1109 struct tomoyo_policy_manager_entry
*ptr
;
1110 const struct tomoyo_path_info
*saved_manager
;
1111 int error
= is_delete
? -ENOENT
: -ENOMEM
;
1112 bool is_domain
= false;
1114 if (tomoyo_is_domain_def(manager
)) {
1115 if (!tomoyo_is_correct_domain(manager
, __func__
))
1119 if (!tomoyo_is_correct_path(manager
, 1, -1, -1, __func__
))
1122 saved_manager
= tomoyo_get_name(manager
);
1126 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
1127 mutex_lock(&tomoyo_policy_lock
);
1128 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1129 if (ptr
->manager
!= saved_manager
)
1131 ptr
->is_deleted
= is_delete
;
1135 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
1136 entry
->manager
= saved_manager
;
1137 saved_manager
= NULL
;
1138 entry
->is_domain
= is_domain
;
1139 list_add_tail_rcu(&entry
->list
, &tomoyo_policy_manager_list
);
1143 mutex_unlock(&tomoyo_policy_lock
);
1144 tomoyo_put_name(saved_manager
);
1150 * tomoyo_write_manager_policy - Write manager policy.
1152 * @head: Pointer to "struct tomoyo_io_buffer".
1154 * Returns 0 on success, negative value otherwise.
1156 * Caller holds tomoyo_read_lock().
1158 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer
*head
)
1160 char *data
= head
->write_buf
;
1161 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1163 if (!strcmp(data
, "manage_by_non_root")) {
1164 tomoyo_manage_by_non_root
= !is_delete
;
1167 return tomoyo_update_manager_entry(data
, is_delete
);
1171 * tomoyo_read_manager_policy - Read manager policy.
1173 * @head: Pointer to "struct tomoyo_io_buffer".
1177 * Caller holds tomoyo_read_lock().
1179 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer
*head
)
1181 struct list_head
*pos
;
1186 list_for_each_cookie(pos
, head
->read_var2
,
1187 &tomoyo_policy_manager_list
) {
1188 struct tomoyo_policy_manager_entry
*ptr
;
1189 ptr
= list_entry(pos
, struct tomoyo_policy_manager_entry
,
1191 if (ptr
->is_deleted
)
1193 done
= tomoyo_io_printf(head
, "%s\n", ptr
->manager
->name
);
1197 head
->read_eof
= done
;
1202 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1204 * Returns true if the current process is permitted to modify policy
1205 * via /sys/kernel/security/tomoyo/ interface.
1207 * Caller holds tomoyo_read_lock().
1209 static bool tomoyo_is_policy_manager(void)
1211 struct tomoyo_policy_manager_entry
*ptr
;
1213 const struct task_struct
*task
= current
;
1214 const struct tomoyo_path_info
*domainname
= tomoyo_domain()->domainname
;
1217 if (!tomoyo_policy_loaded
)
1219 if (!tomoyo_manage_by_non_root
&& (task
->cred
->uid
|| task
->cred
->euid
))
1221 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1222 if (!ptr
->is_deleted
&& ptr
->is_domain
1223 && !tomoyo_pathcmp(domainname
, ptr
->manager
)) {
1230 exe
= tomoyo_get_exe();
1233 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1234 if (!ptr
->is_deleted
&& !ptr
->is_domain
1235 && !strcmp(exe
, ptr
->manager
->name
)) {
1240 if (!found
) { /* Reduce error messages. */
1241 static pid_t last_pid
;
1242 const pid_t pid
= current
->pid
;
1243 if (last_pid
!= pid
) {
1244 printk(KERN_WARNING
"%s ( %s ) is not permitted to "
1245 "update policies.\n", domainname
->name
, exe
);
1254 * tomoyo_is_select_one - Parse select command.
1256 * @head: Pointer to "struct tomoyo_io_buffer".
1257 * @data: String to parse.
1259 * Returns true on success, false otherwise.
1261 * Caller holds tomoyo_read_lock().
1263 static bool tomoyo_is_select_one(struct tomoyo_io_buffer
*head
,
1267 struct tomoyo_domain_info
*domain
= NULL
;
1269 if (sscanf(data
, "pid=%u", &pid
) == 1) {
1270 struct task_struct
*p
;
1271 read_lock(&tasklist_lock
);
1272 p
= find_task_by_vpid(pid
);
1274 domain
= tomoyo_real_domain(p
);
1275 read_unlock(&tasklist_lock
);
1276 } else if (!strncmp(data
, "domain=", 7)) {
1277 if (tomoyo_is_domain_def(data
+ 7))
1278 domain
= tomoyo_find_domain(data
+ 7);
1281 head
->write_var1
= domain
;
1282 /* Accessing read_buf is safe because head->io_sem is held. */
1283 if (!head
->read_buf
)
1284 return true; /* Do nothing if open(O_WRONLY). */
1285 head
->read_avail
= 0;
1286 tomoyo_io_printf(head
, "# select %s\n", data
);
1287 head
->read_single_domain
= true;
1288 head
->read_eof
= !domain
;
1290 struct tomoyo_domain_info
*d
;
1291 head
->read_var1
= NULL
;
1292 list_for_each_entry_rcu(d
, &tomoyo_domain_list
, list
) {
1295 head
->read_var1
= &d
->list
;
1297 head
->read_var2
= NULL
;
1299 head
->read_step
= 0;
1300 if (domain
->is_deleted
)
1301 tomoyo_io_printf(head
, "# This is a deleted domain.\n");
1307 * tomoyo_delete_domain - Delete a domain.
1309 * @domainname: The name of domain.
1313 * Caller holds tomoyo_read_lock().
1315 static int tomoyo_delete_domain(char *domainname
)
1317 struct tomoyo_domain_info
*domain
;
1318 struct tomoyo_path_info name
;
1320 name
.name
= domainname
;
1321 tomoyo_fill_path_info(&name
);
1322 mutex_lock(&tomoyo_policy_lock
);
1323 /* Is there an active domain? */
1324 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1325 /* Never delete tomoyo_kernel_domain */
1326 if (domain
== &tomoyo_kernel_domain
)
1328 if (domain
->is_deleted
||
1329 tomoyo_pathcmp(domain
->domainname
, &name
))
1331 domain
->is_deleted
= true;
1334 mutex_unlock(&tomoyo_policy_lock
);
1339 * tomoyo_write_domain_policy - Write domain policy.
1341 * @head: Pointer to "struct tomoyo_io_buffer".
1343 * Returns 0 on success, negative value otherwise.
1345 * Caller holds tomoyo_read_lock().
1347 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer
*head
)
1349 char *data
= head
->write_buf
;
1350 struct tomoyo_domain_info
*domain
= head
->write_var1
;
1351 bool is_delete
= false;
1352 bool is_select
= false;
1353 unsigned int profile
;
1355 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
))
1357 else if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_SELECT
))
1359 if (is_select
&& tomoyo_is_select_one(head
, data
))
1361 /* Don't allow updating policies by non manager programs. */
1362 if (!tomoyo_is_policy_manager())
1364 if (tomoyo_is_domain_def(data
)) {
1367 tomoyo_delete_domain(data
);
1369 domain
= tomoyo_find_domain(data
);
1371 domain
= tomoyo_find_or_assign_new_domain(data
, 0);
1372 head
->write_var1
= domain
;
1378 if (sscanf(data
, TOMOYO_KEYWORD_USE_PROFILE
"%u", &profile
) == 1
1379 && profile
< TOMOYO_MAX_PROFILES
) {
1380 if (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
)
1381 domain
->profile
= (u8
) profile
;
1384 if (!strcmp(data
, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
)) {
1385 domain
->ignore_global_allow_read
= !is_delete
;
1388 return tomoyo_write_file_policy(data
, domain
, is_delete
);
1392 * tomoyo_print_single_path_acl - Print a single path ACL entry.
1394 * @head: Pointer to "struct tomoyo_io_buffer".
1395 * @ptr: Pointer to "struct tomoyo_single_path_acl_record".
1397 * Returns true on success, false otherwise.
1399 static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer
*head
,
1400 struct tomoyo_single_path_acl_record
*
1405 const char *atmark
= "";
1406 const char *filename
;
1407 const u32 perm
= ptr
->perm
| (((u32
) ptr
->perm_high
) << 16);
1409 filename
= ptr
->filename
->name
;
1410 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_SINGLE_PATH_OPERATION
;
1413 if (!(perm
& (1 << bit
)))
1415 /* Print "read/write" instead of "read" and "write". */
1416 if ((bit
== TOMOYO_TYPE_READ_ACL
||
1417 bit
== TOMOYO_TYPE_WRITE_ACL
)
1418 && (perm
& (1 << TOMOYO_TYPE_READ_WRITE_ACL
)))
1420 msg
= tomoyo_sp2keyword(bit
);
1421 pos
= head
->read_avail
;
1422 if (!tomoyo_io_printf(head
, "allow_%s %s%s\n", msg
,
1429 head
->read_bit
= bit
;
1430 head
->read_avail
= pos
;
1435 * tomoyo_print_double_path_acl - Print a double path ACL entry.
1437 * @head: Pointer to "struct tomoyo_io_buffer".
1438 * @ptr: Pointer to "struct tomoyo_double_path_acl_record".
1440 * Returns true on success, false otherwise.
1442 static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer
*head
,
1443 struct tomoyo_double_path_acl_record
*
1447 const char *atmark1
= "";
1448 const char *atmark2
= "";
1449 const char *filename1
;
1450 const char *filename2
;
1451 const u8 perm
= ptr
->perm
;
1454 filename1
= ptr
->filename1
->name
;
1455 filename2
= ptr
->filename2
->name
;
1456 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
;
1459 if (!(perm
& (1 << bit
)))
1461 msg
= tomoyo_dp2keyword(bit
);
1462 pos
= head
->read_avail
;
1463 if (!tomoyo_io_printf(head
, "allow_%s %s%s %s%s\n", msg
,
1464 atmark1
, filename1
, atmark2
, filename2
))
1470 head
->read_bit
= bit
;
1471 head
->read_avail
= pos
;
1476 * tomoyo_print_entry - Print an ACL entry.
1478 * @head: Pointer to "struct tomoyo_io_buffer".
1479 * @ptr: Pointer to an ACL entry.
1481 * Returns true on success, false otherwise.
1483 static bool tomoyo_print_entry(struct tomoyo_io_buffer
*head
,
1484 struct tomoyo_acl_info
*ptr
)
1486 const u8 acl_type
= ptr
->type
;
1488 if (acl_type
== TOMOYO_TYPE_SINGLE_PATH_ACL
) {
1489 struct tomoyo_single_path_acl_record
*acl
1491 struct tomoyo_single_path_acl_record
,
1493 return tomoyo_print_single_path_acl(head
, acl
);
1495 if (acl_type
== TOMOYO_TYPE_DOUBLE_PATH_ACL
) {
1496 struct tomoyo_double_path_acl_record
*acl
1498 struct tomoyo_double_path_acl_record
,
1500 return tomoyo_print_double_path_acl(head
, acl
);
1502 BUG(); /* This must not happen. */
1507 * tomoyo_read_domain_policy - Read domain policy.
1509 * @head: Pointer to "struct tomoyo_io_buffer".
1513 * Caller holds tomoyo_read_lock().
1515 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer
*head
)
1517 struct list_head
*dpos
;
1518 struct list_head
*apos
;
1523 if (head
->read_step
== 0)
1524 head
->read_step
= 1;
1525 list_for_each_cookie(dpos
, head
->read_var1
, &tomoyo_domain_list
) {
1526 struct tomoyo_domain_info
*domain
;
1527 const char *quota_exceeded
= "";
1528 const char *transition_failed
= "";
1529 const char *ignore_global_allow_read
= "";
1530 domain
= list_entry(dpos
, struct tomoyo_domain_info
, list
);
1531 if (head
->read_step
!= 1)
1533 if (domain
->is_deleted
&& !head
->read_single_domain
)
1535 /* Print domainname and flags. */
1536 if (domain
->quota_warned
)
1537 quota_exceeded
= "quota_exceeded\n";
1538 if (domain
->transition_failed
)
1539 transition_failed
= "transition_failed\n";
1540 if (domain
->ignore_global_allow_read
)
1541 ignore_global_allow_read
1542 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
"\n";
1543 done
= tomoyo_io_printf(head
, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1545 domain
->domainname
->name
,
1546 domain
->profile
, quota_exceeded
,
1548 ignore_global_allow_read
);
1551 head
->read_step
= 2;
1553 if (head
->read_step
== 3)
1555 /* Print ACL entries in the domain. */
1556 list_for_each_cookie(apos
, head
->read_var2
,
1557 &domain
->acl_info_list
) {
1558 struct tomoyo_acl_info
*ptr
1559 = list_entry(apos
, struct tomoyo_acl_info
,
1561 done
= tomoyo_print_entry(head
, ptr
);
1567 head
->read_step
= 3;
1569 done
= tomoyo_io_printf(head
, "\n");
1572 head
->read_step
= 1;
1573 if (head
->read_single_domain
)
1576 head
->read_eof
= done
;
1581 * tomoyo_write_domain_profile - Assign profile for specified domain.
1583 * @head: Pointer to "struct tomoyo_io_buffer".
1585 * Returns 0 on success, -EINVAL otherwise.
1587 * This is equivalent to doing
1589 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1590 * /usr/lib/ccs/loadpolicy -d
1592 * Caller holds tomoyo_read_lock().
1594 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer
*head
)
1596 char *data
= head
->write_buf
;
1597 char *cp
= strchr(data
, ' ');
1598 struct tomoyo_domain_info
*domain
;
1599 unsigned long profile
;
1604 domain
= tomoyo_find_domain(cp
+ 1);
1605 if (strict_strtoul(data
, 10, &profile
))
1607 if (domain
&& profile
< TOMOYO_MAX_PROFILES
1608 && (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
))
1609 domain
->profile
= (u8
) profile
;
1614 * tomoyo_read_domain_profile - Read only domainname and profile.
1616 * @head: Pointer to "struct tomoyo_io_buffer".
1618 * Returns list of profile number and domainname pairs.
1620 * This is equivalent to doing
1622 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1623 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1624 * domainname = $0; } else if ( $1 == "use_profile" ) {
1625 * print $2 " " domainname; domainname = ""; } } ; '
1627 * Caller holds tomoyo_read_lock().
1629 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer
*head
)
1631 struct list_head
*pos
;
1636 list_for_each_cookie(pos
, head
->read_var1
, &tomoyo_domain_list
) {
1637 struct tomoyo_domain_info
*domain
;
1638 domain
= list_entry(pos
, struct tomoyo_domain_info
, list
);
1639 if (domain
->is_deleted
)
1641 done
= tomoyo_io_printf(head
, "%u %s\n", domain
->profile
,
1642 domain
->domainname
->name
);
1646 head
->read_eof
= done
;
1651 * tomoyo_write_pid: Specify PID to obtain domainname.
1653 * @head: Pointer to "struct tomoyo_io_buffer".
1657 static int tomoyo_write_pid(struct tomoyo_io_buffer
*head
)
1660 /* No error check. */
1661 strict_strtoul(head
->write_buf
, 10, &pid
);
1662 head
->read_step
= (int) pid
;
1663 head
->read_eof
= false;
1668 * tomoyo_read_pid - Get domainname of the specified PID.
1670 * @head: Pointer to "struct tomoyo_io_buffer".
1672 * Returns the domainname which the specified PID is in on success,
1673 * empty string otherwise.
1674 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1675 * using read()/write() interface rather than sysctl() interface.
1677 static int tomoyo_read_pid(struct tomoyo_io_buffer
*head
)
1679 if (head
->read_avail
== 0 && !head
->read_eof
) {
1680 const int pid
= head
->read_step
;
1681 struct task_struct
*p
;
1682 struct tomoyo_domain_info
*domain
= NULL
;
1683 read_lock(&tasklist_lock
);
1684 p
= find_task_by_vpid(pid
);
1686 domain
= tomoyo_real_domain(p
);
1687 read_unlock(&tasklist_lock
);
1689 tomoyo_io_printf(head
, "%d %u %s", pid
, domain
->profile
,
1690 domain
->domainname
->name
);
1691 head
->read_eof
= true;
1697 * tomoyo_write_exception_policy - Write exception policy.
1699 * @head: Pointer to "struct tomoyo_io_buffer".
1701 * Returns 0 on success, negative value otherwise.
1703 * Caller holds tomoyo_read_lock().
1705 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer
*head
)
1707 char *data
= head
->write_buf
;
1708 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1710 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_KEEP_DOMAIN
))
1711 return tomoyo_write_domain_keeper_policy(data
, false,
1713 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_KEEP_DOMAIN
))
1714 return tomoyo_write_domain_keeper_policy(data
, true, is_delete
);
1715 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_INITIALIZE_DOMAIN
))
1716 return tomoyo_write_domain_initializer_policy(data
, false,
1718 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN
))
1719 return tomoyo_write_domain_initializer_policy(data
, true,
1721 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALIAS
))
1722 return tomoyo_write_alias_policy(data
, is_delete
);
1723 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALLOW_READ
))
1724 return tomoyo_write_globally_readable_policy(data
, is_delete
);
1725 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_FILE_PATTERN
))
1726 return tomoyo_write_pattern_policy(data
, is_delete
);
1727 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DENY_REWRITE
))
1728 return tomoyo_write_no_rewrite_policy(data
, is_delete
);
1733 * tomoyo_read_exception_policy - Read exception policy.
1735 * @head: Pointer to "struct tomoyo_io_buffer".
1737 * Returns 0 on success, -EINVAL otherwise.
1739 * Caller holds tomoyo_read_lock().
1741 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer
*head
)
1743 if (!head
->read_eof
) {
1744 switch (head
->read_step
) {
1746 head
->read_var2
= NULL
;
1747 head
->read_step
= 1;
1749 if (!tomoyo_read_domain_keeper_policy(head
))
1751 head
->read_var2
= NULL
;
1752 head
->read_step
= 2;
1754 if (!tomoyo_read_globally_readable_policy(head
))
1756 head
->read_var2
= NULL
;
1757 head
->read_step
= 3;
1759 head
->read_var2
= NULL
;
1760 head
->read_step
= 4;
1762 if (!tomoyo_read_domain_initializer_policy(head
))
1764 head
->read_var2
= NULL
;
1765 head
->read_step
= 5;
1767 if (!tomoyo_read_alias_policy(head
))
1769 head
->read_var2
= NULL
;
1770 head
->read_step
= 6;
1772 head
->read_var2
= NULL
;
1773 head
->read_step
= 7;
1775 if (!tomoyo_read_file_pattern(head
))
1777 head
->read_var2
= NULL
;
1778 head
->read_step
= 8;
1780 if (!tomoyo_read_no_rewrite_policy(head
))
1782 head
->read_var2
= NULL
;
1783 head
->read_step
= 9;
1785 head
->read_eof
= true;
1794 /* path to policy loader */
1795 static const char *tomoyo_loader
= "/sbin/tomoyo-init";
1798 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
1800 * Returns true if /sbin/tomoyo-init exists, false otherwise.
1802 static bool tomoyo_policy_loader_exists(void)
1805 * Don't activate MAC if the policy loader doesn't exist.
1806 * If the initrd includes /sbin/init but real-root-dev has not
1807 * mounted on / yet, activating MAC will block the system since
1808 * policies are not loaded yet.
1809 * Thus, let do_execve() call this function everytime.
1813 if (kern_path(tomoyo_loader
, LOOKUP_FOLLOW
, &path
)) {
1814 printk(KERN_INFO
"Not activating Mandatory Access Control now "
1815 "since %s doesn't exist.\n", tomoyo_loader
);
1823 * tomoyo_load_policy - Run external policy loader to load policy.
1825 * @filename: The program about to start.
1827 * This function checks whether @filename is /sbin/init , and if so
1828 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
1829 * and then continues invocation of /sbin/init.
1830 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
1831 * writes to /sys/kernel/security/tomoyo/ interfaces.
1835 void tomoyo_load_policy(const char *filename
)
1840 if (tomoyo_policy_loaded
)
1843 * Check filename is /sbin/init or /sbin/tomoyo-start.
1844 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
1846 * You can create /sbin/tomoyo-start by
1847 * "ln -s /bin/true /sbin/tomoyo-start".
1849 if (strcmp(filename
, "/sbin/init") &&
1850 strcmp(filename
, "/sbin/tomoyo-start"))
1852 if (!tomoyo_policy_loader_exists())
1855 printk(KERN_INFO
"Calling %s to load policy. Please wait.\n",
1857 argv
[0] = (char *) tomoyo_loader
;
1860 envp
[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
1862 call_usermodehelper(argv
[0], argv
, envp
, 1);
1864 printk(KERN_INFO
"TOMOYO: 2.2.0 2009/04/01\n");
1865 printk(KERN_INFO
"Mandatory Access Control activated.\n");
1866 tomoyo_policy_loaded
= true;
1867 { /* Check all profiles currently assigned to domains are defined. */
1868 struct tomoyo_domain_info
*domain
;
1869 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1870 const u8 profile
= domain
->profile
;
1871 if (tomoyo_profile_ptr
[profile
])
1873 panic("Profile %u (used by '%s') not defined.\n",
1874 profile
, domain
->domainname
->name
);
1880 * tomoyo_read_version: Get version.
1882 * @head: Pointer to "struct tomoyo_io_buffer".
1884 * Returns version information.
1886 static int tomoyo_read_version(struct tomoyo_io_buffer
*head
)
1888 if (!head
->read_eof
) {
1889 tomoyo_io_printf(head
, "2.2.0");
1890 head
->read_eof
= true;
1896 * tomoyo_read_self_domain - Get the current process's domainname.
1898 * @head: Pointer to "struct tomoyo_io_buffer".
1900 * Returns the current process's domainname.
1902 static int tomoyo_read_self_domain(struct tomoyo_io_buffer
*head
)
1904 if (!head
->read_eof
) {
1906 * tomoyo_domain()->domainname != NULL
1907 * because every process belongs to a domain and
1908 * the domain's name cannot be NULL.
1910 tomoyo_io_printf(head
, "%s", tomoyo_domain()->domainname
->name
);
1911 head
->read_eof
= true;
1917 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
1919 * @type: Type of interface.
1920 * @file: Pointer to "struct file".
1922 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
1924 * Caller acquires tomoyo_read_lock().
1926 static int tomoyo_open_control(const u8 type
, struct file
*file
)
1928 struct tomoyo_io_buffer
*head
= kzalloc(sizeof(*head
), GFP_KERNEL
);
1932 mutex_init(&head
->io_sem
);
1934 case TOMOYO_DOMAINPOLICY
:
1935 /* /sys/kernel/security/tomoyo/domain_policy */
1936 head
->write
= tomoyo_write_domain_policy
;
1937 head
->read
= tomoyo_read_domain_policy
;
1939 case TOMOYO_EXCEPTIONPOLICY
:
1940 /* /sys/kernel/security/tomoyo/exception_policy */
1941 head
->write
= tomoyo_write_exception_policy
;
1942 head
->read
= tomoyo_read_exception_policy
;
1944 case TOMOYO_SELFDOMAIN
:
1945 /* /sys/kernel/security/tomoyo/self_domain */
1946 head
->read
= tomoyo_read_self_domain
;
1948 case TOMOYO_DOMAIN_STATUS
:
1949 /* /sys/kernel/security/tomoyo/.domain_status */
1950 head
->write
= tomoyo_write_domain_profile
;
1951 head
->read
= tomoyo_read_domain_profile
;
1953 case TOMOYO_PROCESS_STATUS
:
1954 /* /sys/kernel/security/tomoyo/.process_status */
1955 head
->write
= tomoyo_write_pid
;
1956 head
->read
= tomoyo_read_pid
;
1958 case TOMOYO_VERSION
:
1959 /* /sys/kernel/security/tomoyo/version */
1960 head
->read
= tomoyo_read_version
;
1961 head
->readbuf_size
= 128;
1963 case TOMOYO_MEMINFO
:
1964 /* /sys/kernel/security/tomoyo/meminfo */
1965 head
->write
= tomoyo_write_memory_quota
;
1966 head
->read
= tomoyo_read_memory_counter
;
1967 head
->readbuf_size
= 512;
1969 case TOMOYO_PROFILE
:
1970 /* /sys/kernel/security/tomoyo/profile */
1971 head
->write
= tomoyo_write_profile
;
1972 head
->read
= tomoyo_read_profile
;
1974 case TOMOYO_MANAGER
:
1975 /* /sys/kernel/security/tomoyo/manager */
1976 head
->write
= tomoyo_write_manager_policy
;
1977 head
->read
= tomoyo_read_manager_policy
;
1980 if (!(file
->f_mode
& FMODE_READ
)) {
1982 * No need to allocate read_buf since it is not opened
1987 if (!head
->readbuf_size
)
1988 head
->readbuf_size
= 4096 * 2;
1989 head
->read_buf
= kzalloc(head
->readbuf_size
, GFP_KERNEL
);
1990 if (!head
->read_buf
) {
1995 if (!(file
->f_mode
& FMODE_WRITE
)) {
1997 * No need to allocate write_buf since it is not opened
2001 } else if (head
->write
) {
2002 head
->writebuf_size
= 4096 * 2;
2003 head
->write_buf
= kzalloc(head
->writebuf_size
, GFP_KERNEL
);
2004 if (!head
->write_buf
) {
2005 kfree(head
->read_buf
);
2010 head
->reader_idx
= tomoyo_read_lock();
2011 file
->private_data
= head
;
2013 * Call the handler now if the file is
2014 * /sys/kernel/security/tomoyo/self_domain
2015 * so that the user can use
2016 * cat < /sys/kernel/security/tomoyo/self_domain"
2017 * to know the current process's domainname.
2019 if (type
== TOMOYO_SELFDOMAIN
)
2020 tomoyo_read_control(file
, NULL
, 0);
2025 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
2027 * @file: Pointer to "struct file".
2028 * @buffer: Poiner to buffer to write to.
2029 * @buffer_len: Size of @buffer.
2031 * Returns bytes read on success, negative value otherwise.
2033 * Caller holds tomoyo_read_lock().
2035 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
2036 const int buffer_len
)
2039 struct tomoyo_io_buffer
*head
= file
->private_data
;
2044 if (mutex_lock_interruptible(&head
->io_sem
))
2046 /* Call the policy handler. */
2047 len
= head
->read(head
);
2050 /* Write to buffer. */
2051 len
= head
->read_avail
;
2052 if (len
> buffer_len
)
2056 /* head->read_buf changes by some functions. */
2057 cp
= head
->read_buf
;
2058 if (copy_to_user(buffer
, cp
, len
)) {
2062 head
->read_avail
-= len
;
2063 memmove(cp
, cp
+ len
, head
->read_avail
);
2065 mutex_unlock(&head
->io_sem
);
2070 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2072 * @file: Pointer to "struct file".
2073 * @buffer: Pointer to buffer to read from.
2074 * @buffer_len: Size of @buffer.
2076 * Returns @buffer_len on success, negative value otherwise.
2078 * Caller holds tomoyo_read_lock().
2080 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
2081 const int buffer_len
)
2083 struct tomoyo_io_buffer
*head
= file
->private_data
;
2084 int error
= buffer_len
;
2085 int avail_len
= buffer_len
;
2086 char *cp0
= head
->write_buf
;
2090 if (!access_ok(VERIFY_READ
, buffer
, buffer_len
))
2092 /* Don't allow updating policies by non manager programs. */
2093 if (head
->write
!= tomoyo_write_pid
&&
2094 head
->write
!= tomoyo_write_domain_policy
&&
2095 !tomoyo_is_policy_manager())
2097 if (mutex_lock_interruptible(&head
->io_sem
))
2099 /* Read a line and dispatch it to the policy handler. */
2100 while (avail_len
> 0) {
2102 if (head
->write_avail
>= head
->writebuf_size
- 1) {
2105 } else if (get_user(c
, buffer
)) {
2111 cp0
[head
->write_avail
++] = c
;
2114 cp0
[head
->write_avail
- 1] = '\0';
2115 head
->write_avail
= 0;
2116 tomoyo_normalize_line(cp0
);
2119 mutex_unlock(&head
->io_sem
);
2124 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2126 * @file: Pointer to "struct file".
2128 * Releases memory and returns 0.
2130 * Caller looses tomoyo_read_lock().
2132 static int tomoyo_close_control(struct file
*file
)
2134 struct tomoyo_io_buffer
*head
= file
->private_data
;
2136 tomoyo_read_unlock(head
->reader_idx
);
2137 /* Release memory used for policy I/O. */
2138 kfree(head
->read_buf
);
2139 head
->read_buf
= NULL
;
2140 kfree(head
->write_buf
);
2141 head
->write_buf
= NULL
;
2144 file
->private_data
= NULL
;
2149 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2151 * @inode: Pointer to "struct inode".
2152 * @file: Pointer to "struct file".
2154 * Returns 0 on success, negative value otherwise.
2156 static int tomoyo_open(struct inode
*inode
, struct file
*file
)
2158 const int key
= ((u8
*) file
->f_path
.dentry
->d_inode
->i_private
)
2160 return tomoyo_open_control(key
, file
);
2164 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2166 * @inode: Pointer to "struct inode".
2167 * @file: Pointer to "struct file".
2169 * Returns 0 on success, negative value otherwise.
2171 static int tomoyo_release(struct inode
*inode
, struct file
*file
)
2173 return tomoyo_close_control(file
);
2177 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2179 * @file: Pointer to "struct file".
2180 * @buf: Pointer to buffer.
2181 * @count: Size of @buf.
2184 * Returns bytes read on success, negative value otherwise.
2186 static ssize_t
tomoyo_read(struct file
*file
, char __user
*buf
, size_t count
,
2189 return tomoyo_read_control(file
, buf
, count
);
2193 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2195 * @file: Pointer to "struct file".
2196 * @buf: Pointer to buffer.
2197 * @count: Size of @buf.
2200 * Returns @count on success, negative value otherwise.
2202 static ssize_t
tomoyo_write(struct file
*file
, const char __user
*buf
,
2203 size_t count
, loff_t
*ppos
)
2205 return tomoyo_write_control(file
, buf
, count
);
2209 * tomoyo_operations is a "struct file_operations" which is used for handling
2210 * /sys/kernel/security/tomoyo/ interface.
2212 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2213 * See tomoyo_io_buffer for internals.
2215 static const struct file_operations tomoyo_operations
= {
2216 .open
= tomoyo_open
,
2217 .release
= tomoyo_release
,
2218 .read
= tomoyo_read
,
2219 .write
= tomoyo_write
,
2223 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2225 * @name: The name of the interface file.
2226 * @mode: The permission of the interface file.
2227 * @parent: The parent directory.
2228 * @key: Type of interface.
2232 static void __init
tomoyo_create_entry(const char *name
, const mode_t mode
,
2233 struct dentry
*parent
, const u8 key
)
2235 securityfs_create_file(name
, mode
, parent
, ((u8
*) NULL
) + key
,
2236 &tomoyo_operations
);
2240 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2244 static int __init
tomoyo_initerface_init(void)
2246 struct dentry
*tomoyo_dir
;
2248 /* Don't create securityfs entries unless registered. */
2249 if (current_cred()->security
!= &tomoyo_kernel_domain
)
2252 tomoyo_dir
= securityfs_create_dir("tomoyo", NULL
);
2253 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir
,
2254 TOMOYO_DOMAINPOLICY
);
2255 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir
,
2256 TOMOYO_EXCEPTIONPOLICY
);
2257 tomoyo_create_entry("self_domain", 0400, tomoyo_dir
,
2259 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir
,
2260 TOMOYO_DOMAIN_STATUS
);
2261 tomoyo_create_entry(".process_status", 0600, tomoyo_dir
,
2262 TOMOYO_PROCESS_STATUS
);
2263 tomoyo_create_entry("meminfo", 0600, tomoyo_dir
,
2265 tomoyo_create_entry("profile", 0600, tomoyo_dir
,
2267 tomoyo_create_entry("manager", 0600, tomoyo_dir
,
2269 tomoyo_create_entry("version", 0400, tomoyo_dir
,
2274 fs_initcall(tomoyo_initerface_init
);