2 * security/tomoyo/mount.c
4 * Copyright (C) 2005-2010 NTT DATA CORPORATION
7 #include <linux/slab.h>
10 /* Keywords for mount restrictions. */
12 /* Allow to call 'mount --bind /source_dir /dest_dir' */
13 #define TOMOYO_MOUNT_BIND_KEYWORD "--bind"
14 /* Allow to call 'mount --move /old_dir /new_dir ' */
15 #define TOMOYO_MOUNT_MOVE_KEYWORD "--move"
16 /* Allow to call 'mount -o remount /dir ' */
17 #define TOMOYO_MOUNT_REMOUNT_KEYWORD "--remount"
18 /* Allow to call 'mount --make-unbindable /dir' */
19 #define TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD "--make-unbindable"
20 /* Allow to call 'mount --make-private /dir' */
21 #define TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD "--make-private"
22 /* Allow to call 'mount --make-slave /dir' */
23 #define TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD "--make-slave"
24 /* Allow to call 'mount --make-shared /dir' */
25 #define TOMOYO_MOUNT_MAKE_SHARED_KEYWORD "--make-shared"
28 * tomoyo_mount_acl2 - Check permission for mount() operation.
30 * @r: Pointer to "struct tomoyo_request_info".
31 * @dev_name: Name of device file.
32 * @dir: Pointer to "struct path".
33 * @type: Name of filesystem type.
34 * @flags: Mount options.
36 * Returns 0 on success, negative value otherwise.
38 * Caller holds tomoyo_read_lock().
40 static int tomoyo_mount_acl2(struct tomoyo_request_info
*r
, char *dev_name
,
41 struct path
*dir
, char *type
, unsigned long flags
)
44 struct tomoyo_acl_info
*ptr
;
45 struct file_system_type
*fstype
= NULL
;
46 const char *requested_type
= NULL
;
47 const char *requested_dir_name
= NULL
;
48 const char *requested_dev_name
= NULL
;
49 struct tomoyo_path_info rtype
;
50 struct tomoyo_path_info rdev
;
51 struct tomoyo_path_info rdir
;
56 requested_type
= tomoyo_encode(type
);
59 rtype
.name
= requested_type
;
60 tomoyo_fill_path_info(&rtype
);
62 /* Get mount point. */
63 requested_dir_name
= tomoyo_realpath_from_path(dir
);
64 if (!requested_dir_name
) {
68 rdir
.name
= requested_dir_name
;
69 tomoyo_fill_path_info(&rdir
);
71 /* Compare fs name. */
72 if (!strcmp(type
, TOMOYO_MOUNT_REMOUNT_KEYWORD
)) {
73 /* dev_name is ignored. */
74 } else if (!strcmp(type
, TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD
) ||
75 !strcmp(type
, TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD
) ||
76 !strcmp(type
, TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD
) ||
77 !strcmp(type
, TOMOYO_MOUNT_MAKE_SHARED_KEYWORD
)) {
78 /* dev_name is ignored. */
79 } else if (!strcmp(type
, TOMOYO_MOUNT_BIND_KEYWORD
) ||
80 !strcmp(type
, TOMOYO_MOUNT_MOVE_KEYWORD
)) {
81 need_dev
= -1; /* dev_name is a directory */
83 fstype
= get_fs_type(type
);
88 if (fstype
->fs_flags
& FS_REQUIRES_DEV
)
89 /* dev_name is a block device file. */
93 /* Get mount point or device file. */
94 if (kern_path(dev_name
, LOOKUP_FOLLOW
, &path
)) {
98 requested_dev_name
= tomoyo_realpath_from_path(&path
);
99 if (!requested_dev_name
) {
104 /* Map dev_name to "<NULL>" if no dev_name given. */
107 requested_dev_name
= tomoyo_encode(dev_name
);
108 if (!requested_dev_name
) {
113 rdev
.name
= requested_dev_name
;
114 tomoyo_fill_path_info(&rdev
);
115 r
->param_type
= TOMOYO_TYPE_MOUNT_ACL
;
116 r
->param
.mount
.need_dev
= need_dev
;
117 r
->param
.mount
.dev
= &rdev
;
118 r
->param
.mount
.dir
= &rdir
;
119 r
->param
.mount
.type
= &rtype
;
120 r
->param
.mount
.flags
= flags
;
121 list_for_each_entry_rcu(ptr
, &r
->domain
->acl_info_list
, list
) {
122 struct tomoyo_mount_acl
*acl
;
123 if (ptr
->is_deleted
|| ptr
->type
!= TOMOYO_TYPE_MOUNT_ACL
)
125 acl
= container_of(ptr
, struct tomoyo_mount_acl
, head
);
126 if (!tomoyo_compare_number_union(flags
, &acl
->flags
) ||
127 !tomoyo_compare_name_union(&rtype
, &acl
->fs_type
) ||
128 !tomoyo_compare_name_union(&rdir
, &acl
->dir_name
) ||
130 !tomoyo_compare_name_union(&rdev
, &acl
->dev_name
)))
136 error
= tomoyo_supervisor(r
, TOMOYO_KEYWORD_ALLOW_MOUNT
138 tomoyo_file_pattern(&rdev
),
139 tomoyo_file_pattern(&rdir
),
140 requested_type
, flags
);
142 kfree(requested_dev_name
);
143 kfree(requested_dir_name
);
145 put_filesystem(fstype
);
146 kfree(requested_type
);
151 * tomoyo_mount_acl - Check permission for mount() operation.
153 * @r: Pointer to "struct tomoyo_request_info".
154 * @dev_name: Name of device file.
155 * @dir: Pointer to "struct path".
156 * @type: Name of filesystem type.
157 * @flags: Mount options.
159 * Returns 0 on success, negative value otherwise.
161 * Caller holds tomoyo_read_lock().
163 static int tomoyo_mount_acl(struct tomoyo_request_info
*r
, char *dev_name
,
164 struct path
*dir
, char *type
, unsigned long flags
)
168 if ((flags
& MS_MGC_MSK
) == MS_MGC_VAL
)
169 flags
&= ~MS_MGC_MSK
;
170 switch (flags
& (MS_REMOUNT
| MS_MOVE
| MS_BIND
)) {
177 printk(KERN_WARNING
"ERROR: "
178 "%s%s%sare given for single mount operation.\n",
179 flags
& MS_REMOUNT
? "'remount' " : "",
180 flags
& MS_MOVE
? "'move' " : "",
181 flags
& MS_BIND
? "'bind' " : "");
184 switch (flags
& (MS_UNBINDABLE
| MS_PRIVATE
| MS_SLAVE
| MS_SHARED
)) {
192 printk(KERN_WARNING
"ERROR: "
193 "%s%s%s%sare given for single mount operation.\n",
194 flags
& MS_UNBINDABLE
? "'unbindable' " : "",
195 flags
& MS_PRIVATE
? "'private' " : "",
196 flags
& MS_SLAVE
? "'slave' " : "",
197 flags
& MS_SHARED
? "'shared' " : "");
200 if (flags
& MS_REMOUNT
)
201 error
= tomoyo_mount_acl(r
, dev_name
, dir
,
202 TOMOYO_MOUNT_REMOUNT_KEYWORD
,
203 flags
& ~MS_REMOUNT
);
204 else if (flags
& MS_MOVE
)
205 error
= tomoyo_mount_acl(r
, dev_name
, dir
,
206 TOMOYO_MOUNT_MOVE_KEYWORD
,
208 else if (flags
& MS_BIND
)
209 error
= tomoyo_mount_acl(r
, dev_name
, dir
,
210 TOMOYO_MOUNT_BIND_KEYWORD
,
212 else if (flags
& MS_UNBINDABLE
)
213 error
= tomoyo_mount_acl(r
, dev_name
, dir
,
214 TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD
,
215 flags
& ~MS_UNBINDABLE
);
216 else if (flags
& MS_PRIVATE
)
217 error
= tomoyo_mount_acl(r
, dev_name
, dir
,
218 TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD
,
219 flags
& ~MS_PRIVATE
);
220 else if (flags
& MS_SLAVE
)
221 error
= tomoyo_mount_acl(r
, dev_name
, dir
,
222 TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD
,
224 else if (flags
& MS_SHARED
)
225 error
= tomoyo_mount_acl(r
, dev_name
, dir
,
226 TOMOYO_MOUNT_MAKE_SHARED_KEYWORD
,
230 error
= tomoyo_mount_acl2(r
, dev_name
, dir
, type
,
232 } while (error
== TOMOYO_RETRY_REQUEST
);
233 if (r
->mode
!= TOMOYO_CONFIG_ENFORCING
)
239 * tomoyo_mount_permission - Check permission for mount() operation.
241 * @dev_name: Name of device file.
242 * @path: Pointer to "struct path".
243 * @type: Name of filesystem type. May be NULL.
244 * @flags: Mount options.
245 * @data_page: Optional data. May be NULL.
247 * Returns 0 on success, negative value otherwise.
249 int tomoyo_mount_permission(char *dev_name
, struct path
*path
, char *type
,
250 unsigned long flags
, void *data_page
)
252 struct tomoyo_request_info r
;
256 if (tomoyo_init_request_info(&r
, NULL
, TOMOYO_MAC_FILE_MOUNT
)
257 == TOMOYO_CONFIG_DISABLED
)
261 idx
= tomoyo_read_lock();
262 error
= tomoyo_mount_acl(&r
, dev_name
, path
, type
, flags
);
263 tomoyo_read_unlock(idx
);
267 static bool tomoyo_same_mount_acl(const struct tomoyo_acl_info
*a
,
268 const struct tomoyo_acl_info
*b
)
270 const struct tomoyo_mount_acl
*p1
= container_of(a
, typeof(*p1
), head
);
271 const struct tomoyo_mount_acl
*p2
= container_of(b
, typeof(*p2
), head
);
272 return tomoyo_is_same_acl_head(&p1
->head
, &p2
->head
) &&
273 tomoyo_is_same_name_union(&p1
->dev_name
, &p2
->dev_name
) &&
274 tomoyo_is_same_name_union(&p1
->dir_name
, &p2
->dir_name
) &&
275 tomoyo_is_same_name_union(&p1
->fs_type
, &p2
->fs_type
) &&
276 tomoyo_is_same_number_union(&p1
->flags
, &p2
->flags
);
280 * tomoyo_write_mount_policy - Write "struct tomoyo_mount_acl" list.
282 * @data: String to parse.
283 * @domain: Pointer to "struct tomoyo_domain_info".
284 * @is_delete: True if it is a delete request.
286 * Returns 0 on success, negative value otherwise.
288 * Caller holds tomoyo_read_lock().
290 int tomoyo_write_mount_policy(char *data
, struct tomoyo_domain_info
*domain
,
291 const bool is_delete
)
293 struct tomoyo_mount_acl e
= { .head
.type
= TOMOYO_TYPE_MOUNT_ACL
};
294 int error
= is_delete
? -ENOENT
: -ENOMEM
;
296 if (!tomoyo_tokenize(data
, w
, sizeof(w
)) || !w
[3][0])
298 if (!tomoyo_parse_name_union(w
[0], &e
.dev_name
) ||
299 !tomoyo_parse_name_union(w
[1], &e
.dir_name
) ||
300 !tomoyo_parse_name_union(w
[2], &e
.fs_type
) ||
301 !tomoyo_parse_number_union(w
[3], &e
.flags
))
303 error
= tomoyo_update_domain(&e
.head
, sizeof(e
), is_delete
, domain
,
304 tomoyo_same_mount_acl
, NULL
);
306 tomoyo_put_name_union(&e
.dev_name
);
307 tomoyo_put_name_union(&e
.dir_name
);
308 tomoyo_put_name_union(&e
.fs_type
);
309 tomoyo_put_number_union(&e
.flags
);