2 * security/tomoyo/common.c
4 * Common functions for TOMOYO.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
12 #include <linux/uaccess.h>
13 #include <linux/security.h>
14 #include <linux/hardirq.h>
19 /* Lock for protecting policy. */
20 DEFINE_MUTEX(tomoyo_policy_lock
);
22 /* Has loading policy done? */
23 bool tomoyo_policy_loaded
;
25 /* String table for functionality that takes 4 modes. */
26 static const char *tomoyo_mode_4
[4] = {
27 "disabled", "learning", "permissive", "enforcing"
29 /* String table for functionality that takes 2 modes. */
30 static const char *tomoyo_mode_2
[4] = {
31 "disabled", "enabled", "enabled", "enabled"
35 * tomoyo_control_array is a static data which contains
37 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
38 * (2) initial values for "struct tomoyo_profile".
39 * (3) max values for "struct tomoyo_profile".
43 unsigned int current_value
;
44 const unsigned int max_value
;
45 } tomoyo_control_array
[TOMOYO_MAX_CONTROL_INDEX
] = {
46 [TOMOYO_MAC_FOR_FILE
] = { "MAC_FOR_FILE", 0, 3 },
47 [TOMOYO_MAX_ACCEPT_ENTRY
] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX
},
48 [TOMOYO_VERBOSE
] = { "TOMOYO_VERBOSE", 1, 1 },
52 * tomoyo_profile is a structure which is used for holding the mode of access
53 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
54 * An administrator can define up to 256 profiles.
55 * The ->profile of "struct tomoyo_domain_info" is used for remembering
56 * the profile's number (0 - 255) assigned to that domain.
58 static struct tomoyo_profile
{
59 unsigned int value
[TOMOYO_MAX_CONTROL_INDEX
];
60 const struct tomoyo_path_info
*comment
;
61 } *tomoyo_profile_ptr
[TOMOYO_MAX_PROFILES
];
63 /* Permit policy management by non-root user? */
64 static bool tomoyo_manage_by_non_root
;
66 /* Utility functions. */
68 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
69 static int tomoyo_open_control(const u8 type
, struct file
*file
);
70 /* Close /sys/kernel/security/tomoyo/ interface. */
71 static int tomoyo_close_control(struct file
*file
);
72 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
73 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
74 const int buffer_len
);
75 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
76 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
77 const int buffer_len
);
80 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
82 * @str: Pointer to the string.
84 * Returns true if @str is a \ooo style octal value, false otherwise.
86 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
87 * This function verifies that \ooo is in valid range.
89 static inline bool tomoyo_is_byte_range(const char *str
)
91 return *str
>= '0' && *str
++ <= '3' &&
92 *str
>= '0' && *str
++ <= '7' &&
93 *str
>= '0' && *str
<= '7';
97 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
99 * @c: The character to check.
101 * Returns true if @c is an alphabet character, false otherwise.
103 static inline bool tomoyo_is_alphabet_char(const char c
)
105 return (c
>= 'A' && c
<= 'Z') || (c
>= 'a' && c
<= 'z');
109 * tomoyo_make_byte - Make byte value from three octal characters.
111 * @c1: The first character.
112 * @c2: The second character.
113 * @c3: The third character.
115 * Returns byte value.
117 static inline u8
tomoyo_make_byte(const u8 c1
, const u8 c2
, const u8 c3
)
119 return ((c1
- '0') << 6) + ((c2
- '0') << 3) + (c3
- '0');
123 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
125 * @src: Pointer to pointer to the string.
126 * @find: Pointer to the keyword.
128 * Returns true if @src starts with @find, false otherwise.
130 * The @src is updated to point the first character after the @find
131 * if @src starts with @find.
133 static bool tomoyo_str_starts(char **src
, const char *find
)
135 const int len
= strlen(find
);
138 if (strncmp(tmp
, find
, len
))
146 * tomoyo_normalize_line - Format string.
148 * @buffer: The line to normalize.
150 * Leading and trailing whitespaces are removed.
151 * Multiple whitespaces are packed into single space.
155 static void tomoyo_normalize_line(unsigned char *buffer
)
157 unsigned char *sp
= buffer
;
158 unsigned char *dp
= buffer
;
161 while (tomoyo_is_invalid(*sp
))
167 while (tomoyo_is_valid(*sp
))
169 while (tomoyo_is_invalid(*sp
))
176 * tomoyo_is_correct_path - Validate a pathname.
177 * @filename: The pathname to check.
178 * @start_type: Should the pathname start with '/'?
179 * 1 = must / -1 = must not / 0 = don't care
180 * @pattern_type: Can the pathname contain a wildcard?
181 * 1 = must / -1 = must not / 0 = don't care
182 * @end_type: Should the pathname end with '/'?
183 * 1 = must / -1 = must not / 0 = don't care
184 * @function: The name of function calling me.
186 * Check whether the given filename follows the naming rules.
187 * Returns true if @filename follows the naming rules, false otherwise.
189 bool tomoyo_is_correct_path(const char *filename
, const s8 start_type
,
190 const s8 pattern_type
, const s8 end_type
,
191 const char *function
)
193 const char *const start
= filename
;
194 bool in_repetition
= false;
195 bool contains_pattern
= false;
199 const char *original_filename
= filename
;
204 if (start_type
== 1) { /* Must start with '/' */
207 } else if (start_type
== -1) { /* Must not start with '/' */
212 c
= *(filename
+ strlen(filename
) - 1);
213 if (end_type
== 1) { /* Must end with '/' */
216 } else if (end_type
== -1) { /* Must not end with '/' */
227 case '\\': /* "\\" */
239 if (pattern_type
== -1)
240 break; /* Must not contain pattern */
241 contains_pattern
= true;
243 case '{': /* "/\{" */
244 if (filename
- 3 < start
||
245 *(filename
- 3) != '/')
247 if (pattern_type
== -1)
248 break; /* Must not contain pattern */
249 contains_pattern
= true;
250 in_repetition
= true;
252 case '}': /* "\}/" */
253 if (*filename
!= '/')
257 in_repetition
= false;
259 case '0': /* "\ooo" */
264 if (d
< '0' || d
> '7')
267 if (e
< '0' || e
> '7')
269 c
= tomoyo_make_byte(c
, d
, e
);
270 if (tomoyo_is_invalid(c
))
271 continue; /* pattern is not \000 */
274 } else if (in_repetition
&& c
== '/') {
276 } else if (tomoyo_is_invalid(c
)) {
280 if (pattern_type
== 1) { /* Must contain pattern */
281 if (!contains_pattern
)
288 printk(KERN_DEBUG
"%s: Invalid pathname '%s'\n", function
,
294 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
295 * @domainname: The domainname to check.
296 * @function: The name of function calling me.
298 * Returns true if @domainname follows the naming rules, false otherwise.
300 bool tomoyo_is_correct_domain(const unsigned char *domainname
,
301 const char *function
)
306 const char *org_domainname
= domainname
;
308 if (!domainname
|| strncmp(domainname
, TOMOYO_ROOT_NAME
,
309 TOMOYO_ROOT_NAME_LEN
))
311 domainname
+= TOMOYO_ROOT_NAME_LEN
;
315 if (*domainname
++ != ' ')
317 if (*domainname
++ != '/')
319 while ((c
= *domainname
) != '\0' && c
!= ' ') {
324 case '\\': /* "\\" */
326 case '0': /* "\ooo" */
331 if (d
< '0' || d
> '7')
334 if (e
< '0' || e
> '7')
336 c
= tomoyo_make_byte(c
, d
, e
);
337 if (tomoyo_is_invalid(c
))
338 /* pattern is not \000 */
342 } else if (tomoyo_is_invalid(c
)) {
346 } while (*domainname
);
349 printk(KERN_DEBUG
"%s: Invalid domainname '%s'\n", function
,
355 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
357 * @buffer: The token to check.
359 * Returns true if @buffer possibly be a domainname, false otherwise.
361 bool tomoyo_is_domain_def(const unsigned char *buffer
)
363 return !strncmp(buffer
, TOMOYO_ROOT_NAME
, TOMOYO_ROOT_NAME_LEN
);
367 * tomoyo_find_domain - Find a domain by the given name.
369 * @domainname: The domainname to find.
371 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
373 * Caller holds tomoyo_read_lock().
375 struct tomoyo_domain_info
*tomoyo_find_domain(const char *domainname
)
377 struct tomoyo_domain_info
*domain
;
378 struct tomoyo_path_info name
;
380 name
.name
= domainname
;
381 tomoyo_fill_path_info(&name
);
382 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
383 if (!domain
->is_deleted
&&
384 !tomoyo_pathcmp(&name
, domain
->domainname
))
391 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
393 * @filename: The string to evaluate.
395 * Returns the initial length without a pattern in @filename.
397 static int tomoyo_const_part_length(const char *filename
)
404 while ((c
= *filename
++) != '\0') {
411 case '\\': /* "\\" */
414 case '0': /* "\ooo" */
419 if (c
< '0' || c
> '7')
422 if (c
< '0' || c
> '7')
433 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
435 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
437 * The caller sets "struct tomoyo_path_info"->name.
439 void tomoyo_fill_path_info(struct tomoyo_path_info
*ptr
)
441 const char *name
= ptr
->name
;
442 const int len
= strlen(name
);
444 ptr
->const_len
= tomoyo_const_part_length(name
);
445 ptr
->is_dir
= len
&& (name
[len
- 1] == '/');
446 ptr
->is_patterned
= (ptr
->const_len
< len
);
447 ptr
->hash
= full_name_hash(name
, len
);
451 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
454 * @filename: The start of string to check.
455 * @filename_end: The end of string to check.
456 * @pattern: The start of pattern to compare.
457 * @pattern_end: The end of pattern to compare.
459 * Returns true if @filename matches @pattern, false otherwise.
461 static bool tomoyo_file_matches_pattern2(const char *filename
,
462 const char *filename_end
,
464 const char *pattern_end
)
466 while (filename
< filename_end
&& pattern
< pattern_end
) {
468 if (*pattern
!= '\\') {
469 if (*filename
++ != *pattern
++)
481 } else if (c
== '\\') {
482 if (filename
[1] == '\\')
484 else if (tomoyo_is_byte_range(filename
+ 1))
493 if (*++filename
!= '\\')
505 if (!tomoyo_is_alphabet_char(c
))
512 if (c
== '\\' && tomoyo_is_byte_range(filename
+ 1)
513 && strncmp(filename
+ 1, pattern
, 3) == 0) {
518 return false; /* Not matched. */
521 for (i
= 0; i
<= filename_end
- filename
; i
++) {
522 if (tomoyo_file_matches_pattern2(
523 filename
+ i
, filename_end
,
524 pattern
+ 1, pattern_end
))
527 if (c
== '.' && *pattern
== '@')
531 if (filename
[i
+ 1] == '\\')
533 else if (tomoyo_is_byte_range(filename
+ i
+ 1))
536 break; /* Bad pattern. */
538 return false; /* Not matched. */
543 while (isdigit(filename
[j
]))
545 } else if (c
== 'X') {
546 while (isxdigit(filename
[j
]))
548 } else if (c
== 'A') {
549 while (tomoyo_is_alphabet_char(filename
[j
]))
552 for (i
= 1; i
<= j
; i
++) {
553 if (tomoyo_file_matches_pattern2(
554 filename
+ i
, filename_end
,
555 pattern
+ 1, pattern_end
))
558 return false; /* Not matched or bad pattern. */
563 while (*pattern
== '\\' &&
564 (*(pattern
+ 1) == '*' || *(pattern
+ 1) == '@'))
566 return filename
== filename_end
&& pattern
== pattern_end
;
570 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
572 * @filename: The start of string to check.
573 * @filename_end: The end of string to check.
574 * @pattern: The start of pattern to compare.
575 * @pattern_end: The end of pattern to compare.
577 * Returns true if @filename matches @pattern, false otherwise.
579 static bool tomoyo_file_matches_pattern(const char *filename
,
580 const char *filename_end
,
582 const char *pattern_end
)
584 const char *pattern_start
= pattern
;
588 while (pattern
< pattern_end
- 1) {
589 /* Split at "\-" pattern. */
590 if (*pattern
++ != '\\' || *pattern
++ != '-')
592 result
= tomoyo_file_matches_pattern2(filename
,
601 pattern_start
= pattern
;
603 result
= tomoyo_file_matches_pattern2(filename
, filename_end
,
604 pattern_start
, pattern_end
);
605 return first
? result
: !result
;
609 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
611 * @f: The start of string to check.
612 * @p: The start of pattern to compare.
614 * Returns true if @f matches @p, false otherwise.
616 static bool tomoyo_path_matches_pattern2(const char *f
, const char *p
)
618 const char *f_delimiter
;
619 const char *p_delimiter
;
622 f_delimiter
= strchr(f
, '/');
624 f_delimiter
= f
+ strlen(f
);
625 p_delimiter
= strchr(p
, '/');
627 p_delimiter
= p
+ strlen(p
);
628 if (*p
== '\\' && *(p
+ 1) == '{')
630 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
,
640 /* Ignore trailing "\*" and "\@" in @pattern. */
642 (*(p
+ 1) == '*' || *(p
+ 1) == '@'))
647 * The "\{" pattern is permitted only after '/' character.
648 * This guarantees that below "*(p - 1)" is safe.
649 * Also, the "\}" pattern is permitted only before '/' character
650 * so that "\{" + "\}" pair will not break the "\-" operator.
652 if (*(p
- 1) != '/' || p_delimiter
<= p
+ 3 || *p_delimiter
!= '/' ||
653 *(p_delimiter
- 1) != '}' || *(p_delimiter
- 2) != '\\')
654 return false; /* Bad pattern. */
656 /* Compare current component with pattern. */
657 if (!tomoyo_file_matches_pattern(f
, f_delimiter
, p
+ 2,
660 /* Proceed to next component. */
665 /* Continue comparison. */
666 if (tomoyo_path_matches_pattern2(f
, p_delimiter
+ 1))
668 f_delimiter
= strchr(f
, '/');
669 } while (f_delimiter
);
670 return false; /* Not matched. */
674 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
676 * @filename: The filename to check.
677 * @pattern: The pattern to compare.
679 * Returns true if matches, false otherwise.
681 * The following patterns are available.
683 * \ooo Octal representation of a byte.
684 * \* Zero or more repetitions of characters other than '/'.
685 * \@ Zero or more repetitions of characters other than '/' or '.'.
686 * \? 1 byte character other than '/'.
687 * \$ One or more repetitions of decimal digits.
688 * \+ 1 decimal digit.
689 * \X One or more repetitions of hexadecimal digits.
690 * \x 1 hexadecimal digit.
691 * \A One or more repetitions of alphabet characters.
692 * \a 1 alphabet character.
694 * \- Subtraction operator.
696 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
699 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info
*filename
,
700 const struct tomoyo_path_info
*pattern
)
702 const char *f
= filename
->name
;
703 const char *p
= pattern
->name
;
704 const int len
= pattern
->const_len
;
706 /* If @pattern doesn't contain pattern, I can use strcmp(). */
707 if (!pattern
->is_patterned
)
708 return !tomoyo_pathcmp(filename
, pattern
);
709 /* Don't compare directory and non-directory. */
710 if (filename
->is_dir
!= pattern
->is_dir
)
712 /* Compare the initial length without patterns. */
713 if (strncmp(f
, p
, len
))
717 return tomoyo_path_matches_pattern2(f
, p
);
721 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
723 * @head: Pointer to "struct tomoyo_io_buffer".
724 * @fmt: The printf()'s format string, followed by parameters.
726 * Returns true if output was written, false otherwise.
728 * The snprintf() will truncate, but tomoyo_io_printf() won't.
730 bool tomoyo_io_printf(struct tomoyo_io_buffer
*head
, const char *fmt
, ...)
734 int pos
= head
->read_avail
;
735 int size
= head
->readbuf_size
- pos
;
740 len
= vsnprintf(head
->read_buf
+ pos
, size
, fmt
, args
);
742 if (pos
+ len
>= head
->readbuf_size
)
744 head
->read_avail
+= len
;
749 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
751 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
753 * This function uses tomoyo_alloc(), so the caller must call tomoyo_free()
754 * if this function didn't return NULL.
756 static const char *tomoyo_get_exe(void)
758 struct mm_struct
*mm
= current
->mm
;
759 struct vm_area_struct
*vma
;
760 const char *cp
= NULL
;
764 down_read(&mm
->mmap_sem
);
765 for (vma
= mm
->mmap
; vma
; vma
= vma
->vm_next
) {
766 if ((vma
->vm_flags
& VM_EXECUTABLE
) && vma
->vm_file
) {
767 cp
= tomoyo_realpath_from_path(&vma
->vm_file
->f_path
);
771 up_read(&mm
->mmap_sem
);
776 * tomoyo_get_msg - Get warning message.
778 * @is_enforce: Is it enforcing mode?
780 * Returns "ERROR" or "WARNING".
782 const char *tomoyo_get_msg(const bool is_enforce
)
791 * tomoyo_check_flags - Check mode for specified functionality.
793 * @domain: Pointer to "struct tomoyo_domain_info".
794 * @index: The functionality to check mode.
796 * TOMOYO checks only process context.
797 * This code disables TOMOYO's enforcement in case the function is called from
800 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info
*domain
,
803 const u8 profile
= domain
->profile
;
805 if (WARN_ON(in_interrupt()))
807 return tomoyo_policy_loaded
&& index
< TOMOYO_MAX_CONTROL_INDEX
808 #if TOMOYO_MAX_PROFILES != 256
809 && profile
< TOMOYO_MAX_PROFILES
811 && tomoyo_profile_ptr
[profile
] ?
812 tomoyo_profile_ptr
[profile
]->value
[index
] : 0;
816 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
818 * @domain: Pointer to "struct tomoyo_domain_info".
820 * Returns true if domain policy violation warning should be printed to
823 bool tomoyo_verbose_mode(const struct tomoyo_domain_info
*domain
)
825 return tomoyo_check_flags(domain
, TOMOYO_VERBOSE
) != 0;
829 * tomoyo_domain_quota_is_ok - Check for domain's quota.
831 * @domain: Pointer to "struct tomoyo_domain_info".
833 * Returns true if the domain is not exceeded quota, false otherwise.
835 * Caller holds tomoyo_read_lock().
837 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info
* const domain
)
839 unsigned int count
= 0;
840 struct tomoyo_acl_info
*ptr
;
844 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
845 if (ptr
->type
& TOMOYO_ACL_DELETED
)
847 switch (tomoyo_acl_type2(ptr
)) {
848 struct tomoyo_single_path_acl_record
*acl
;
851 case TOMOYO_TYPE_SINGLE_PATH_ACL
:
852 acl
= container_of(ptr
,
853 struct tomoyo_single_path_acl_record
,
855 perm
= acl
->perm
| (((u32
) acl
->perm_high
) << 16);
856 for (i
= 0; i
< TOMOYO_MAX_SINGLE_PATH_OPERATION
; i
++)
859 if (perm
& (1 << TOMOYO_TYPE_READ_WRITE_ACL
))
862 case TOMOYO_TYPE_DOUBLE_PATH_ACL
:
863 perm
= container_of(ptr
,
864 struct tomoyo_double_path_acl_record
,
866 for (i
= 0; i
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
; i
++)
872 if (count
< tomoyo_check_flags(domain
, TOMOYO_MAX_ACCEPT_ENTRY
))
874 if (!domain
->quota_warned
) {
875 domain
->quota_warned
= true;
876 printk(KERN_WARNING
"TOMOYO-WARNING: "
877 "Domain '%s' has so many ACLs to hold. "
878 "Stopped learning mode.\n", domain
->domainname
->name
);
884 * tomoyo_find_or_assign_new_profile - Create a new profile.
886 * @profile: Profile number to create.
888 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
890 static struct tomoyo_profile
*tomoyo_find_or_assign_new_profile(const unsigned
893 static DEFINE_MUTEX(lock
);
894 struct tomoyo_profile
*ptr
= NULL
;
897 if (profile
>= TOMOYO_MAX_PROFILES
)
900 ptr
= tomoyo_profile_ptr
[profile
];
903 ptr
= kmalloc(sizeof(*ptr
), GFP_KERNEL
);
904 if (!tomoyo_memory_ok(ptr
)) {
908 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++)
909 ptr
->value
[i
] = tomoyo_control_array
[i
].current_value
;
910 mb(); /* Avoid out-of-order execution. */
911 tomoyo_profile_ptr
[profile
] = ptr
;
918 * tomoyo_write_profile - Write to profile table.
920 * @head: Pointer to "struct tomoyo_io_buffer".
922 * Returns 0 on success, negative value otherwise.
924 static int tomoyo_write_profile(struct tomoyo_io_buffer
*head
)
926 char *data
= head
->write_buf
;
930 struct tomoyo_profile
*profile
;
933 cp
= strchr(data
, '-');
936 if (strict_strtoul(data
, 10, &num
))
940 profile
= tomoyo_find_or_assign_new_profile(num
);
943 cp
= strchr(data
, '=');
947 if (!strcmp(data
, "COMMENT")) {
948 profile
->comment
= tomoyo_save_name(cp
+ 1);
951 for (i
= 0; i
< TOMOYO_MAX_CONTROL_INDEX
; i
++) {
952 if (strcmp(data
, tomoyo_control_array
[i
].keyword
))
954 if (sscanf(cp
+ 1, "%u", &value
) != 1) {
959 modes
= tomoyo_mode_2
;
962 modes
= tomoyo_mode_4
;
965 for (j
= 0; j
< 4; j
++) {
966 if (strcmp(cp
+ 1, modes
[j
]))
973 } else if (value
> tomoyo_control_array
[i
].max_value
) {
974 value
= tomoyo_control_array
[i
].max_value
;
976 profile
->value
[i
] = value
;
983 * tomoyo_read_profile - Read from profile table.
985 * @head: Pointer to "struct tomoyo_io_buffer".
989 static int tomoyo_read_profile(struct tomoyo_io_buffer
*head
)
991 static const int total
= TOMOYO_MAX_CONTROL_INDEX
+ 1;
996 for (step
= head
->read_step
; step
< TOMOYO_MAX_PROFILES
* total
;
998 const u8 index
= step
/ total
;
999 u8 type
= step
% total
;
1000 const struct tomoyo_profile
*profile
1001 = tomoyo_profile_ptr
[index
];
1002 head
->read_step
= step
;
1005 if (!type
) { /* Print profile' comment tag. */
1006 if (!tomoyo_io_printf(head
, "%u-COMMENT=%s\n",
1007 index
, profile
->comment
?
1008 profile
->comment
->name
: ""))
1013 if (type
< TOMOYO_MAX_CONTROL_INDEX
) {
1014 const unsigned int value
= profile
->value
[type
];
1015 const char **modes
= NULL
;
1017 = tomoyo_control_array
[type
].keyword
;
1018 switch (tomoyo_control_array
[type
].max_value
) {
1020 modes
= tomoyo_mode_4
;
1023 modes
= tomoyo_mode_2
;
1027 if (!tomoyo_io_printf(head
, "%u-%s=%s\n", index
,
1028 keyword
, modes
[value
]))
1031 if (!tomoyo_io_printf(head
, "%u-%s=%u\n", index
,
1037 if (step
== TOMOYO_MAX_PROFILES
* total
)
1038 head
->read_eof
= true;
1043 * tomoyo_policy_manager_entry is a structure which is used for holding list of
1044 * domainnames or programs which are permitted to modify configuration via
1045 * /sys/kernel/security/tomoyo/ interface.
1046 * It has following fields.
1048 * (1) "list" which is linked to tomoyo_policy_manager_list .
1049 * (2) "manager" is a domainname or a program's pathname.
1050 * (3) "is_domain" is a bool which is true if "manager" is a domainname, false
1052 * (4) "is_deleted" is a bool which is true if marked as deleted, false
1055 struct tomoyo_policy_manager_entry
{
1056 struct list_head list
;
1057 /* A path to program or a domainname. */
1058 const struct tomoyo_path_info
*manager
;
1059 bool is_domain
; /* True if manager is a domainname. */
1060 bool is_deleted
; /* True if this entry is deleted. */
1064 * tomoyo_policy_manager_list is used for holding list of domainnames or
1065 * programs which are permitted to modify configuration via
1066 * /sys/kernel/security/tomoyo/ interface.
1068 * An entry is added by
1070 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1071 * /sys/kernel/security/tomoyo/manager
1072 * (if you want to specify by a domainname)
1076 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1077 * (if you want to specify by a program's location)
1081 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1082 * /sys/kernel/security/tomoyo/manager
1086 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1087 * /sys/kernel/security/tomoyo/manager
1089 * and all entries are retrieved by
1091 * # cat /sys/kernel/security/tomoyo/manager
1093 static LIST_HEAD(tomoyo_policy_manager_list
);
1096 * tomoyo_update_manager_entry - Add a manager entry.
1098 * @manager: The path to manager or the domainnamme.
1099 * @is_delete: True if it is a delete request.
1101 * Returns 0 on success, negative value otherwise.
1103 * Caller holds tomoyo_read_lock().
1105 static int tomoyo_update_manager_entry(const char *manager
,
1106 const bool is_delete
)
1108 struct tomoyo_policy_manager_entry
*new_entry
;
1109 struct tomoyo_policy_manager_entry
*ptr
;
1110 const struct tomoyo_path_info
*saved_manager
;
1111 int error
= -ENOMEM
;
1112 bool is_domain
= false;
1114 if (tomoyo_is_domain_def(manager
)) {
1115 if (!tomoyo_is_correct_domain(manager
, __func__
))
1119 if (!tomoyo_is_correct_path(manager
, 1, -1, -1, __func__
))
1122 saved_manager
= tomoyo_save_name(manager
);
1125 new_entry
= kmalloc(sizeof(*new_entry
), GFP_KERNEL
);
1126 mutex_lock(&tomoyo_policy_lock
);
1127 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1128 if (ptr
->manager
!= saved_manager
)
1130 ptr
->is_deleted
= is_delete
;
1138 if (!tomoyo_memory_ok(new_entry
))
1140 new_entry
->manager
= saved_manager
;
1141 new_entry
->is_domain
= is_domain
;
1142 list_add_tail_rcu(&new_entry
->list
, &tomoyo_policy_manager_list
);
1146 mutex_unlock(&tomoyo_policy_lock
);
1152 * tomoyo_write_manager_policy - Write manager policy.
1154 * @head: Pointer to "struct tomoyo_io_buffer".
1156 * Returns 0 on success, negative value otherwise.
1158 * Caller holds tomoyo_read_lock().
1160 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer
*head
)
1162 char *data
= head
->write_buf
;
1163 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1165 if (!strcmp(data
, "manage_by_non_root")) {
1166 tomoyo_manage_by_non_root
= !is_delete
;
1169 return tomoyo_update_manager_entry(data
, is_delete
);
1173 * tomoyo_read_manager_policy - Read manager policy.
1175 * @head: Pointer to "struct tomoyo_io_buffer".
1179 * Caller holds tomoyo_read_lock().
1181 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer
*head
)
1183 struct list_head
*pos
;
1188 list_for_each_cookie(pos
, head
->read_var2
,
1189 &tomoyo_policy_manager_list
) {
1190 struct tomoyo_policy_manager_entry
*ptr
;
1191 ptr
= list_entry(pos
, struct tomoyo_policy_manager_entry
,
1193 if (ptr
->is_deleted
)
1195 done
= tomoyo_io_printf(head
, "%s\n", ptr
->manager
->name
);
1199 head
->read_eof
= done
;
1204 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1206 * Returns true if the current process is permitted to modify policy
1207 * via /sys/kernel/security/tomoyo/ interface.
1209 * Caller holds tomoyo_read_lock().
1211 static bool tomoyo_is_policy_manager(void)
1213 struct tomoyo_policy_manager_entry
*ptr
;
1215 const struct task_struct
*task
= current
;
1216 const struct tomoyo_path_info
*domainname
= tomoyo_domain()->domainname
;
1219 if (!tomoyo_policy_loaded
)
1221 if (!tomoyo_manage_by_non_root
&& (task
->cred
->uid
|| task
->cred
->euid
))
1223 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1224 if (!ptr
->is_deleted
&& ptr
->is_domain
1225 && !tomoyo_pathcmp(domainname
, ptr
->manager
)) {
1232 exe
= tomoyo_get_exe();
1235 list_for_each_entry_rcu(ptr
, &tomoyo_policy_manager_list
, list
) {
1236 if (!ptr
->is_deleted
&& !ptr
->is_domain
1237 && !strcmp(exe
, ptr
->manager
->name
)) {
1242 if (!found
) { /* Reduce error messages. */
1243 static pid_t last_pid
;
1244 const pid_t pid
= current
->pid
;
1245 if (last_pid
!= pid
) {
1246 printk(KERN_WARNING
"%s ( %s ) is not permitted to "
1247 "update policies.\n", domainname
->name
, exe
);
1256 * tomoyo_is_select_one - Parse select command.
1258 * @head: Pointer to "struct tomoyo_io_buffer".
1259 * @data: String to parse.
1261 * Returns true on success, false otherwise.
1263 * Caller holds tomoyo_read_lock().
1265 static bool tomoyo_is_select_one(struct tomoyo_io_buffer
*head
,
1269 struct tomoyo_domain_info
*domain
= NULL
;
1271 if (sscanf(data
, "pid=%u", &pid
) == 1) {
1272 struct task_struct
*p
;
1273 read_lock(&tasklist_lock
);
1274 p
= find_task_by_vpid(pid
);
1276 domain
= tomoyo_real_domain(p
);
1277 read_unlock(&tasklist_lock
);
1278 } else if (!strncmp(data
, "domain=", 7)) {
1279 if (tomoyo_is_domain_def(data
+ 7))
1280 domain
= tomoyo_find_domain(data
+ 7);
1283 head
->write_var1
= domain
;
1284 /* Accessing read_buf is safe because head->io_sem is held. */
1285 if (!head
->read_buf
)
1286 return true; /* Do nothing if open(O_WRONLY). */
1287 head
->read_avail
= 0;
1288 tomoyo_io_printf(head
, "# select %s\n", data
);
1289 head
->read_single_domain
= true;
1290 head
->read_eof
= !domain
;
1292 struct tomoyo_domain_info
*d
;
1293 head
->read_var1
= NULL
;
1294 list_for_each_entry_rcu(d
, &tomoyo_domain_list
, list
) {
1297 head
->read_var1
= &d
->list
;
1299 head
->read_var2
= NULL
;
1301 head
->read_step
= 0;
1302 if (domain
->is_deleted
)
1303 tomoyo_io_printf(head
, "# This is a deleted domain.\n");
1309 * tomoyo_delete_domain - Delete a domain.
1311 * @domainname: The name of domain.
1315 * Caller holds tomoyo_read_lock().
1317 static int tomoyo_delete_domain(char *domainname
)
1319 struct tomoyo_domain_info
*domain
;
1320 struct tomoyo_path_info name
;
1322 name
.name
= domainname
;
1323 tomoyo_fill_path_info(&name
);
1324 mutex_lock(&tomoyo_policy_lock
);
1325 /* Is there an active domain? */
1326 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1327 /* Never delete tomoyo_kernel_domain */
1328 if (domain
== &tomoyo_kernel_domain
)
1330 if (domain
->is_deleted
||
1331 tomoyo_pathcmp(domain
->domainname
, &name
))
1333 domain
->is_deleted
= true;
1336 mutex_unlock(&tomoyo_policy_lock
);
1341 * tomoyo_write_domain_policy - Write domain policy.
1343 * @head: Pointer to "struct tomoyo_io_buffer".
1345 * Returns 0 on success, negative value otherwise.
1347 * Caller holds tomoyo_read_lock().
1349 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer
*head
)
1351 char *data
= head
->write_buf
;
1352 struct tomoyo_domain_info
*domain
= head
->write_var1
;
1353 bool is_delete
= false;
1354 bool is_select
= false;
1355 unsigned int profile
;
1357 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
))
1359 else if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_SELECT
))
1361 if (is_select
&& tomoyo_is_select_one(head
, data
))
1363 /* Don't allow updating policies by non manager programs. */
1364 if (!tomoyo_is_policy_manager())
1366 if (tomoyo_is_domain_def(data
)) {
1369 tomoyo_delete_domain(data
);
1371 domain
= tomoyo_find_domain(data
);
1373 domain
= tomoyo_find_or_assign_new_domain(data
, 0);
1374 head
->write_var1
= domain
;
1380 if (sscanf(data
, TOMOYO_KEYWORD_USE_PROFILE
"%u", &profile
) == 1
1381 && profile
< TOMOYO_MAX_PROFILES
) {
1382 if (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
)
1383 domain
->profile
= (u8
) profile
;
1386 if (!strcmp(data
, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
)) {
1387 tomoyo_set_domain_flag(domain
, is_delete
,
1388 TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ
);
1391 return tomoyo_write_file_policy(data
, domain
, is_delete
);
1395 * tomoyo_print_single_path_acl - Print a single path ACL entry.
1397 * @head: Pointer to "struct tomoyo_io_buffer".
1398 * @ptr: Pointer to "struct tomoyo_single_path_acl_record".
1400 * Returns true on success, false otherwise.
1402 static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer
*head
,
1403 struct tomoyo_single_path_acl_record
*
1408 const char *atmark
= "";
1409 const char *filename
;
1410 const u32 perm
= ptr
->perm
| (((u32
) ptr
->perm_high
) << 16);
1412 filename
= ptr
->filename
->name
;
1413 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_SINGLE_PATH_OPERATION
;
1416 if (!(perm
& (1 << bit
)))
1418 /* Print "read/write" instead of "read" and "write". */
1419 if ((bit
== TOMOYO_TYPE_READ_ACL
||
1420 bit
== TOMOYO_TYPE_WRITE_ACL
)
1421 && (perm
& (1 << TOMOYO_TYPE_READ_WRITE_ACL
)))
1423 msg
= tomoyo_sp2keyword(bit
);
1424 pos
= head
->read_avail
;
1425 if (!tomoyo_io_printf(head
, "allow_%s %s%s\n", msg
,
1432 head
->read_bit
= bit
;
1433 head
->read_avail
= pos
;
1438 * tomoyo_print_double_path_acl - Print a double path ACL entry.
1440 * @head: Pointer to "struct tomoyo_io_buffer".
1441 * @ptr: Pointer to "struct tomoyo_double_path_acl_record".
1443 * Returns true on success, false otherwise.
1445 static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer
*head
,
1446 struct tomoyo_double_path_acl_record
*
1450 const char *atmark1
= "";
1451 const char *atmark2
= "";
1452 const char *filename1
;
1453 const char *filename2
;
1454 const u8 perm
= ptr
->perm
;
1457 filename1
= ptr
->filename1
->name
;
1458 filename2
= ptr
->filename2
->name
;
1459 for (bit
= head
->read_bit
; bit
< TOMOYO_MAX_DOUBLE_PATH_OPERATION
;
1462 if (!(perm
& (1 << bit
)))
1464 msg
= tomoyo_dp2keyword(bit
);
1465 pos
= head
->read_avail
;
1466 if (!tomoyo_io_printf(head
, "allow_%s %s%s %s%s\n", msg
,
1467 atmark1
, filename1
, atmark2
, filename2
))
1473 head
->read_bit
= bit
;
1474 head
->read_avail
= pos
;
1479 * tomoyo_print_entry - Print an ACL entry.
1481 * @head: Pointer to "struct tomoyo_io_buffer".
1482 * @ptr: Pointer to an ACL entry.
1484 * Returns true on success, false otherwise.
1486 static bool tomoyo_print_entry(struct tomoyo_io_buffer
*head
,
1487 struct tomoyo_acl_info
*ptr
)
1489 const u8 acl_type
= tomoyo_acl_type2(ptr
);
1491 if (acl_type
& TOMOYO_ACL_DELETED
)
1493 if (acl_type
== TOMOYO_TYPE_SINGLE_PATH_ACL
) {
1494 struct tomoyo_single_path_acl_record
*acl
1496 struct tomoyo_single_path_acl_record
,
1498 return tomoyo_print_single_path_acl(head
, acl
);
1500 if (acl_type
== TOMOYO_TYPE_DOUBLE_PATH_ACL
) {
1501 struct tomoyo_double_path_acl_record
*acl
1503 struct tomoyo_double_path_acl_record
,
1505 return tomoyo_print_double_path_acl(head
, acl
);
1507 BUG(); /* This must not happen. */
1512 * tomoyo_read_domain_policy - Read domain policy.
1514 * @head: Pointer to "struct tomoyo_io_buffer".
1518 * Caller holds tomoyo_read_lock().
1520 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer
*head
)
1522 struct list_head
*dpos
;
1523 struct list_head
*apos
;
1528 if (head
->read_step
== 0)
1529 head
->read_step
= 1;
1530 list_for_each_cookie(dpos
, head
->read_var1
, &tomoyo_domain_list
) {
1531 struct tomoyo_domain_info
*domain
;
1532 const char *quota_exceeded
= "";
1533 const char *transition_failed
= "";
1534 const char *ignore_global_allow_read
= "";
1535 domain
= list_entry(dpos
, struct tomoyo_domain_info
, list
);
1536 if (head
->read_step
!= 1)
1538 if (domain
->is_deleted
&& !head
->read_single_domain
)
1540 /* Print domainname and flags. */
1541 if (domain
->quota_warned
)
1542 quota_exceeded
= "quota_exceeded\n";
1543 if (domain
->flags
& TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED
)
1544 transition_failed
= "transition_failed\n";
1546 TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ
)
1547 ignore_global_allow_read
1548 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ
"\n";
1549 done
= tomoyo_io_printf(head
, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1551 domain
->domainname
->name
,
1552 domain
->profile
, quota_exceeded
,
1554 ignore_global_allow_read
);
1557 head
->read_step
= 2;
1559 if (head
->read_step
== 3)
1561 /* Print ACL entries in the domain. */
1562 list_for_each_cookie(apos
, head
->read_var2
,
1563 &domain
->acl_info_list
) {
1564 struct tomoyo_acl_info
*ptr
1565 = list_entry(apos
, struct tomoyo_acl_info
,
1567 done
= tomoyo_print_entry(head
, ptr
);
1573 head
->read_step
= 3;
1575 done
= tomoyo_io_printf(head
, "\n");
1578 head
->read_step
= 1;
1579 if (head
->read_single_domain
)
1582 head
->read_eof
= done
;
1587 * tomoyo_write_domain_profile - Assign profile for specified domain.
1589 * @head: Pointer to "struct tomoyo_io_buffer".
1591 * Returns 0 on success, -EINVAL otherwise.
1593 * This is equivalent to doing
1595 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1596 * /usr/lib/ccs/loadpolicy -d
1598 * Caller holds tomoyo_read_lock().
1600 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer
*head
)
1602 char *data
= head
->write_buf
;
1603 char *cp
= strchr(data
, ' ');
1604 struct tomoyo_domain_info
*domain
;
1605 unsigned long profile
;
1610 domain
= tomoyo_find_domain(cp
+ 1);
1611 if (strict_strtoul(data
, 10, &profile
))
1613 if (domain
&& profile
< TOMOYO_MAX_PROFILES
1614 && (tomoyo_profile_ptr
[profile
] || !tomoyo_policy_loaded
))
1615 domain
->profile
= (u8
) profile
;
1620 * tomoyo_read_domain_profile - Read only domainname and profile.
1622 * @head: Pointer to "struct tomoyo_io_buffer".
1624 * Returns list of profile number and domainname pairs.
1626 * This is equivalent to doing
1628 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1629 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1630 * domainname = $0; } else if ( $1 == "use_profile" ) {
1631 * print $2 " " domainname; domainname = ""; } } ; '
1633 * Caller holds tomoyo_read_lock().
1635 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer
*head
)
1637 struct list_head
*pos
;
1642 list_for_each_cookie(pos
, head
->read_var1
, &tomoyo_domain_list
) {
1643 struct tomoyo_domain_info
*domain
;
1644 domain
= list_entry(pos
, struct tomoyo_domain_info
, list
);
1645 if (domain
->is_deleted
)
1647 done
= tomoyo_io_printf(head
, "%u %s\n", domain
->profile
,
1648 domain
->domainname
->name
);
1652 head
->read_eof
= done
;
1657 * tomoyo_write_pid: Specify PID to obtain domainname.
1659 * @head: Pointer to "struct tomoyo_io_buffer".
1663 static int tomoyo_write_pid(struct tomoyo_io_buffer
*head
)
1666 /* No error check. */
1667 strict_strtoul(head
->write_buf
, 10, &pid
);
1668 head
->read_step
= (int) pid
;
1669 head
->read_eof
= false;
1674 * tomoyo_read_pid - Get domainname of the specified PID.
1676 * @head: Pointer to "struct tomoyo_io_buffer".
1678 * Returns the domainname which the specified PID is in on success,
1679 * empty string otherwise.
1680 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1681 * using read()/write() interface rather than sysctl() interface.
1683 static int tomoyo_read_pid(struct tomoyo_io_buffer
*head
)
1685 if (head
->read_avail
== 0 && !head
->read_eof
) {
1686 const int pid
= head
->read_step
;
1687 struct task_struct
*p
;
1688 struct tomoyo_domain_info
*domain
= NULL
;
1689 read_lock(&tasklist_lock
);
1690 p
= find_task_by_vpid(pid
);
1692 domain
= tomoyo_real_domain(p
);
1693 read_unlock(&tasklist_lock
);
1695 tomoyo_io_printf(head
, "%d %u %s", pid
, domain
->profile
,
1696 domain
->domainname
->name
);
1697 head
->read_eof
= true;
1703 * tomoyo_write_exception_policy - Write exception policy.
1705 * @head: Pointer to "struct tomoyo_io_buffer".
1707 * Returns 0 on success, negative value otherwise.
1709 * Caller holds tomoyo_read_lock().
1711 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer
*head
)
1713 char *data
= head
->write_buf
;
1714 bool is_delete
= tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DELETE
);
1716 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_KEEP_DOMAIN
))
1717 return tomoyo_write_domain_keeper_policy(data
, false,
1719 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_KEEP_DOMAIN
))
1720 return tomoyo_write_domain_keeper_policy(data
, true, is_delete
);
1721 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_INITIALIZE_DOMAIN
))
1722 return tomoyo_write_domain_initializer_policy(data
, false,
1724 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN
))
1725 return tomoyo_write_domain_initializer_policy(data
, true,
1727 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALIAS
))
1728 return tomoyo_write_alias_policy(data
, is_delete
);
1729 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_ALLOW_READ
))
1730 return tomoyo_write_globally_readable_policy(data
, is_delete
);
1731 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_FILE_PATTERN
))
1732 return tomoyo_write_pattern_policy(data
, is_delete
);
1733 if (tomoyo_str_starts(&data
, TOMOYO_KEYWORD_DENY_REWRITE
))
1734 return tomoyo_write_no_rewrite_policy(data
, is_delete
);
1739 * tomoyo_read_exception_policy - Read exception policy.
1741 * @head: Pointer to "struct tomoyo_io_buffer".
1743 * Returns 0 on success, -EINVAL otherwise.
1745 * Caller holds tomoyo_read_lock().
1747 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer
*head
)
1749 if (!head
->read_eof
) {
1750 switch (head
->read_step
) {
1752 head
->read_var2
= NULL
;
1753 head
->read_step
= 1;
1755 if (!tomoyo_read_domain_keeper_policy(head
))
1757 head
->read_var2
= NULL
;
1758 head
->read_step
= 2;
1760 if (!tomoyo_read_globally_readable_policy(head
))
1762 head
->read_var2
= NULL
;
1763 head
->read_step
= 3;
1765 head
->read_var2
= NULL
;
1766 head
->read_step
= 4;
1768 if (!tomoyo_read_domain_initializer_policy(head
))
1770 head
->read_var2
= NULL
;
1771 head
->read_step
= 5;
1773 if (!tomoyo_read_alias_policy(head
))
1775 head
->read_var2
= NULL
;
1776 head
->read_step
= 6;
1778 head
->read_var2
= NULL
;
1779 head
->read_step
= 7;
1781 if (!tomoyo_read_file_pattern(head
))
1783 head
->read_var2
= NULL
;
1784 head
->read_step
= 8;
1786 if (!tomoyo_read_no_rewrite_policy(head
))
1788 head
->read_var2
= NULL
;
1789 head
->read_step
= 9;
1791 head
->read_eof
= true;
1800 /* path to policy loader */
1801 static const char *tomoyo_loader
= "/sbin/tomoyo-init";
1804 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
1806 * Returns true if /sbin/tomoyo-init exists, false otherwise.
1808 static bool tomoyo_policy_loader_exists(void)
1811 * Don't activate MAC if the policy loader doesn't exist.
1812 * If the initrd includes /sbin/init but real-root-dev has not
1813 * mounted on / yet, activating MAC will block the system since
1814 * policies are not loaded yet.
1815 * Thus, let do_execve() call this function everytime.
1819 if (kern_path(tomoyo_loader
, LOOKUP_FOLLOW
, &path
)) {
1820 printk(KERN_INFO
"Not activating Mandatory Access Control now "
1821 "since %s doesn't exist.\n", tomoyo_loader
);
1829 * tomoyo_load_policy - Run external policy loader to load policy.
1831 * @filename: The program about to start.
1833 * This function checks whether @filename is /sbin/init , and if so
1834 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
1835 * and then continues invocation of /sbin/init.
1836 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
1837 * writes to /sys/kernel/security/tomoyo/ interfaces.
1841 void tomoyo_load_policy(const char *filename
)
1846 if (tomoyo_policy_loaded
)
1849 * Check filename is /sbin/init or /sbin/tomoyo-start.
1850 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
1852 * You can create /sbin/tomoyo-start by
1853 * "ln -s /bin/true /sbin/tomoyo-start".
1855 if (strcmp(filename
, "/sbin/init") &&
1856 strcmp(filename
, "/sbin/tomoyo-start"))
1858 if (!tomoyo_policy_loader_exists())
1861 printk(KERN_INFO
"Calling %s to load policy. Please wait.\n",
1863 argv
[0] = (char *) tomoyo_loader
;
1866 envp
[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
1868 call_usermodehelper(argv
[0], argv
, envp
, 1);
1870 printk(KERN_INFO
"TOMOYO: 2.2.0 2009/04/01\n");
1871 printk(KERN_INFO
"Mandatory Access Control activated.\n");
1872 tomoyo_policy_loaded
= true;
1873 { /* Check all profiles currently assigned to domains are defined. */
1874 struct tomoyo_domain_info
*domain
;
1875 list_for_each_entry_rcu(domain
, &tomoyo_domain_list
, list
) {
1876 const u8 profile
= domain
->profile
;
1877 if (tomoyo_profile_ptr
[profile
])
1879 panic("Profile %u (used by '%s') not defined.\n",
1880 profile
, domain
->domainname
->name
);
1886 * tomoyo_read_version: Get version.
1888 * @head: Pointer to "struct tomoyo_io_buffer".
1890 * Returns version information.
1892 static int tomoyo_read_version(struct tomoyo_io_buffer
*head
)
1894 if (!head
->read_eof
) {
1895 tomoyo_io_printf(head
, "2.2.0");
1896 head
->read_eof
= true;
1902 * tomoyo_read_self_domain - Get the current process's domainname.
1904 * @head: Pointer to "struct tomoyo_io_buffer".
1906 * Returns the current process's domainname.
1908 static int tomoyo_read_self_domain(struct tomoyo_io_buffer
*head
)
1910 if (!head
->read_eof
) {
1912 * tomoyo_domain()->domainname != NULL
1913 * because every process belongs to a domain and
1914 * the domain's name cannot be NULL.
1916 tomoyo_io_printf(head
, "%s", tomoyo_domain()->domainname
->name
);
1917 head
->read_eof
= true;
1923 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
1925 * @type: Type of interface.
1926 * @file: Pointer to "struct file".
1928 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
1930 * Caller acquires tomoyo_read_lock().
1932 static int tomoyo_open_control(const u8 type
, struct file
*file
)
1934 struct tomoyo_io_buffer
*head
= tomoyo_alloc(sizeof(*head
));
1938 mutex_init(&head
->io_sem
);
1940 case TOMOYO_DOMAINPOLICY
:
1941 /* /sys/kernel/security/tomoyo/domain_policy */
1942 head
->write
= tomoyo_write_domain_policy
;
1943 head
->read
= tomoyo_read_domain_policy
;
1945 case TOMOYO_EXCEPTIONPOLICY
:
1946 /* /sys/kernel/security/tomoyo/exception_policy */
1947 head
->write
= tomoyo_write_exception_policy
;
1948 head
->read
= tomoyo_read_exception_policy
;
1950 case TOMOYO_SELFDOMAIN
:
1951 /* /sys/kernel/security/tomoyo/self_domain */
1952 head
->read
= tomoyo_read_self_domain
;
1954 case TOMOYO_DOMAIN_STATUS
:
1955 /* /sys/kernel/security/tomoyo/.domain_status */
1956 head
->write
= tomoyo_write_domain_profile
;
1957 head
->read
= tomoyo_read_domain_profile
;
1959 case TOMOYO_PROCESS_STATUS
:
1960 /* /sys/kernel/security/tomoyo/.process_status */
1961 head
->write
= tomoyo_write_pid
;
1962 head
->read
= tomoyo_read_pid
;
1964 case TOMOYO_VERSION
:
1965 /* /sys/kernel/security/tomoyo/version */
1966 head
->read
= tomoyo_read_version
;
1967 head
->readbuf_size
= 128;
1969 case TOMOYO_MEMINFO
:
1970 /* /sys/kernel/security/tomoyo/meminfo */
1971 head
->write
= tomoyo_write_memory_quota
;
1972 head
->read
= tomoyo_read_memory_counter
;
1973 head
->readbuf_size
= 512;
1975 case TOMOYO_PROFILE
:
1976 /* /sys/kernel/security/tomoyo/profile */
1977 head
->write
= tomoyo_write_profile
;
1978 head
->read
= tomoyo_read_profile
;
1980 case TOMOYO_MANAGER
:
1981 /* /sys/kernel/security/tomoyo/manager */
1982 head
->write
= tomoyo_write_manager_policy
;
1983 head
->read
= tomoyo_read_manager_policy
;
1986 if (!(file
->f_mode
& FMODE_READ
)) {
1988 * No need to allocate read_buf since it is not opened
1993 if (!head
->readbuf_size
)
1994 head
->readbuf_size
= 4096 * 2;
1995 head
->read_buf
= tomoyo_alloc(head
->readbuf_size
);
1996 if (!head
->read_buf
) {
2001 if (!(file
->f_mode
& FMODE_WRITE
)) {
2003 * No need to allocate write_buf since it is not opened
2007 } else if (head
->write
) {
2008 head
->writebuf_size
= 4096 * 2;
2009 head
->write_buf
= tomoyo_alloc(head
->writebuf_size
);
2010 if (!head
->write_buf
) {
2011 tomoyo_free(head
->read_buf
);
2016 head
->reader_idx
= tomoyo_read_lock();
2017 file
->private_data
= head
;
2019 * Call the handler now if the file is
2020 * /sys/kernel/security/tomoyo/self_domain
2021 * so that the user can use
2022 * cat < /sys/kernel/security/tomoyo/self_domain"
2023 * to know the current process's domainname.
2025 if (type
== TOMOYO_SELFDOMAIN
)
2026 tomoyo_read_control(file
, NULL
, 0);
2031 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
2033 * @file: Pointer to "struct file".
2034 * @buffer: Poiner to buffer to write to.
2035 * @buffer_len: Size of @buffer.
2037 * Returns bytes read on success, negative value otherwise.
2039 * Caller holds tomoyo_read_lock().
2041 static int tomoyo_read_control(struct file
*file
, char __user
*buffer
,
2042 const int buffer_len
)
2045 struct tomoyo_io_buffer
*head
= file
->private_data
;
2050 if (mutex_lock_interruptible(&head
->io_sem
))
2052 /* Call the policy handler. */
2053 len
= head
->read(head
);
2056 /* Write to buffer. */
2057 len
= head
->read_avail
;
2058 if (len
> buffer_len
)
2062 /* head->read_buf changes by some functions. */
2063 cp
= head
->read_buf
;
2064 if (copy_to_user(buffer
, cp
, len
)) {
2068 head
->read_avail
-= len
;
2069 memmove(cp
, cp
+ len
, head
->read_avail
);
2071 mutex_unlock(&head
->io_sem
);
2076 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2078 * @file: Pointer to "struct file".
2079 * @buffer: Pointer to buffer to read from.
2080 * @buffer_len: Size of @buffer.
2082 * Returns @buffer_len on success, negative value otherwise.
2084 * Caller holds tomoyo_read_lock().
2086 static int tomoyo_write_control(struct file
*file
, const char __user
*buffer
,
2087 const int buffer_len
)
2089 struct tomoyo_io_buffer
*head
= file
->private_data
;
2090 int error
= buffer_len
;
2091 int avail_len
= buffer_len
;
2092 char *cp0
= head
->write_buf
;
2096 if (!access_ok(VERIFY_READ
, buffer
, buffer_len
))
2098 /* Don't allow updating policies by non manager programs. */
2099 if (head
->write
!= tomoyo_write_pid
&&
2100 head
->write
!= tomoyo_write_domain_policy
&&
2101 !tomoyo_is_policy_manager())
2103 if (mutex_lock_interruptible(&head
->io_sem
))
2105 /* Read a line and dispatch it to the policy handler. */
2106 while (avail_len
> 0) {
2108 if (head
->write_avail
>= head
->writebuf_size
- 1) {
2111 } else if (get_user(c
, buffer
)) {
2117 cp0
[head
->write_avail
++] = c
;
2120 cp0
[head
->write_avail
- 1] = '\0';
2121 head
->write_avail
= 0;
2122 tomoyo_normalize_line(cp0
);
2125 mutex_unlock(&head
->io_sem
);
2130 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2132 * @file: Pointer to "struct file".
2134 * Releases memory and returns 0.
2136 * Caller looses tomoyo_read_lock().
2138 static int tomoyo_close_control(struct file
*file
)
2140 struct tomoyo_io_buffer
*head
= file
->private_data
;
2142 tomoyo_read_unlock(head
->reader_idx
);
2143 /* Release memory used for policy I/O. */
2144 tomoyo_free(head
->read_buf
);
2145 head
->read_buf
= NULL
;
2146 tomoyo_free(head
->write_buf
);
2147 head
->write_buf
= NULL
;
2150 file
->private_data
= NULL
;
2155 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2157 * @inode: Pointer to "struct inode".
2158 * @file: Pointer to "struct file".
2160 * Returns 0 on success, negative value otherwise.
2162 static int tomoyo_open(struct inode
*inode
, struct file
*file
)
2164 const int key
= ((u8
*) file
->f_path
.dentry
->d_inode
->i_private
)
2166 return tomoyo_open_control(key
, file
);
2170 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2172 * @inode: Pointer to "struct inode".
2173 * @file: Pointer to "struct file".
2175 * Returns 0 on success, negative value otherwise.
2177 static int tomoyo_release(struct inode
*inode
, struct file
*file
)
2179 return tomoyo_close_control(file
);
2183 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2185 * @file: Pointer to "struct file".
2186 * @buf: Pointer to buffer.
2187 * @count: Size of @buf.
2190 * Returns bytes read on success, negative value otherwise.
2192 static ssize_t
tomoyo_read(struct file
*file
, char __user
*buf
, size_t count
,
2195 return tomoyo_read_control(file
, buf
, count
);
2199 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2201 * @file: Pointer to "struct file".
2202 * @buf: Pointer to buffer.
2203 * @count: Size of @buf.
2206 * Returns @count on success, negative value otherwise.
2208 static ssize_t
tomoyo_write(struct file
*file
, const char __user
*buf
,
2209 size_t count
, loff_t
*ppos
)
2211 return tomoyo_write_control(file
, buf
, count
);
2215 * tomoyo_operations is a "struct file_operations" which is used for handling
2216 * /sys/kernel/security/tomoyo/ interface.
2218 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2219 * See tomoyo_io_buffer for internals.
2221 static const struct file_operations tomoyo_operations
= {
2222 .open
= tomoyo_open
,
2223 .release
= tomoyo_release
,
2224 .read
= tomoyo_read
,
2225 .write
= tomoyo_write
,
2229 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2231 * @name: The name of the interface file.
2232 * @mode: The permission of the interface file.
2233 * @parent: The parent directory.
2234 * @key: Type of interface.
2238 static void __init
tomoyo_create_entry(const char *name
, const mode_t mode
,
2239 struct dentry
*parent
, const u8 key
)
2241 securityfs_create_file(name
, mode
, parent
, ((u8
*) NULL
) + key
,
2242 &tomoyo_operations
);
2246 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2250 static int __init
tomoyo_initerface_init(void)
2252 struct dentry
*tomoyo_dir
;
2254 /* Don't create securityfs entries unless registered. */
2255 if (current_cred()->security
!= &tomoyo_kernel_domain
)
2258 tomoyo_dir
= securityfs_create_dir("tomoyo", NULL
);
2259 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir
,
2260 TOMOYO_DOMAINPOLICY
);
2261 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir
,
2262 TOMOYO_EXCEPTIONPOLICY
);
2263 tomoyo_create_entry("self_domain", 0400, tomoyo_dir
,
2265 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir
,
2266 TOMOYO_DOMAIN_STATUS
);
2267 tomoyo_create_entry(".process_status", 0600, tomoyo_dir
,
2268 TOMOYO_PROCESS_STATUS
);
2269 tomoyo_create_entry("meminfo", 0600, tomoyo_dir
,
2271 tomoyo_create_entry("profile", 0600, tomoyo_dir
,
2273 tomoyo_create_entry("manager", 0600, tomoyo_dir
,
2275 tomoyo_create_entry("version", 0400, tomoyo_dir
,
2280 fs_initcall(tomoyo_initerface_init
);