security/tomoyo/mount.c

   1 /*
   2  * security/tomoyo/mount.c
   3  *
   4  * Copyright (C) 2005-2010  NTT DATA CORPORATION
   5  */
   6
   7 #include <linux/slab.h>
   8 #include "common.h"
   9
  10 /* Keywords for mount restrictions. */
  11
  12 /* Allow to call 'mount --bind /source_dir /dest_dir' */
  13 #define TOMOYO_MOUNT_BIND_KEYWORD                        "--bind"
  14 /* Allow to call 'mount --move /old_dir    /new_dir ' */
  15 #define TOMOYO_MOUNT_MOVE_KEYWORD                        "--move"
  16 /* Allow to call 'mount -o remount /dir             ' */
  17 #define TOMOYO_MOUNT_REMOUNT_KEYWORD                     "--remount"
  18 /* Allow to call 'mount --make-unbindable /dir'       */
  19 #define TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD             "--make-unbindable"
  20 /* Allow to call 'mount --make-private /dir'          */
  21 #define TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD                "--make-private"
  22 /* Allow to call 'mount --make-slave /dir'            */
  23 #define TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD                  "--make-slave"
  24 /* Allow to call 'mount --make-shared /dir'           */
  25 #define TOMOYO_MOUNT_MAKE_SHARED_KEYWORD                 "--make-shared"
  26
  27 /**
  28  * tomoyo_mount_acl2 - Check permission for mount() operation.
  29  *
  30  * @r:        Pointer to "struct tomoyo_request_info".
  31  * @dev_name: Name of device file.
  32  * @dir:      Pointer to "struct path".
  33  * @type:     Name of filesystem type.
  34  * @flags:    Mount options.
  35  *
  36  * Returns 0 on success, negative value otherwise.
  37  *
  38  * Caller holds tomoyo_read_lock().
  39  */
  40 static int tomoyo_mount_acl2(struct tomoyo_request_info *r, char *dev_name,
  41                              struct path *dir, char *type, unsigned long flags)
  42 {
  43         struct path path;
  44         struct tomoyo_acl_info *ptr;
  45         struct file_system_type *fstype = NULL;
  46         const char *requested_type = NULL;
  47         const char *requested_dir_name = NULL;
  48         const char *requested_dev_name = NULL;
  49         struct tomoyo_path_info rtype;
  50         struct tomoyo_path_info rdev;
  51         struct tomoyo_path_info rdir;
  52         int need_dev = 0;
  53         int error = -ENOMEM;
  54
  55         /* Get fstype. */
  56         requested_type = tomoyo_encode(type);
  57         if (!requested_type)
  58                 goto out;
  59         rtype.name = requested_type;
  60         tomoyo_fill_path_info(&rtype);
  61
  62         /* Get mount point. */
  63         requested_dir_name = tomoyo_realpath_from_path(dir);
  64         if (!requested_dir_name) {
  65                 error = -ENOMEM;
  66                 goto out;
  67         }
  68         rdir.name = requested_dir_name;
  69         tomoyo_fill_path_info(&rdir);
  70
  71         /* Compare fs name. */
  72         if (!strcmp(type, TOMOYO_MOUNT_REMOUNT_KEYWORD)) {
  73                 /* dev_name is ignored. */
  74         } else if (!strcmp(type, TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD) ||
  75                    !strcmp(type, TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD) ||
  76                    !strcmp(type, TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD) ||
  77                    !strcmp(type, TOMOYO_MOUNT_MAKE_SHARED_KEYWORD)) {
  78                 /* dev_name is ignored. */
  79         } else if (!strcmp(type, TOMOYO_MOUNT_BIND_KEYWORD) ||
  80                    !strcmp(type, TOMOYO_MOUNT_MOVE_KEYWORD)) {
  81                 need_dev = -1; /* dev_name is a directory */
  82         } else {
  83                 fstype = get_fs_type(type);
  84                 if (!fstype) {
  85                         error = -ENODEV;
  86                         goto out;
  87                 }
  88                 if (fstype->fs_flags & FS_REQUIRES_DEV)
  89                         /* dev_name is a block device file. */
  90                         need_dev = 1;
  91         }
  92         if (need_dev) {
  93                 /* Get mount point or device file. */
  94                 if (kern_path(dev_name, LOOKUP_FOLLOW, &path)) {
  95                         error = -ENOENT;
  96                         goto out;
  97                 }
  98                 requested_dev_name = tomoyo_realpath_from_path(&path);
  99                 if (!requested_dev_name) {
 100                         error = -ENOENT;
 101                         goto out;
 102                 }
 103         } else {
 104                 /* Map dev_name to "<NULL>" if no dev_name given. */
 105                 if (!dev_name)
 106                         dev_name = "<NULL>";
 107                 requested_dev_name = tomoyo_encode(dev_name);
 108                 if (!requested_dev_name) {
 109                         error = -ENOMEM;
 110                         goto out;
 111                 }
 112         }
 113         rdev.name = requested_dev_name;
 114         tomoyo_fill_path_info(&rdev);
 115         r->param_type = TOMOYO_TYPE_MOUNT_ACL;
 116         r->param.mount.need_dev = need_dev;
 117         r->param.mount.dev = &rdev;
 118         r->param.mount.dir = &rdir;
 119         r->param.mount.type = &rtype;
 120         r->param.mount.flags = flags;
 121         list_for_each_entry_rcu(ptr, &r->domain->acl_info_list, list) {
 122                 struct tomoyo_mount_acl *acl;
 123                 if (ptr->is_deleted || ptr->type != TOMOYO_TYPE_MOUNT_ACL)
 124                         continue;
 125                 acl = container_of(ptr, struct tomoyo_mount_acl, head);
 126                 if (!tomoyo_compare_number_union(flags, &acl->flags) ||
 127                     !tomoyo_compare_name_union(&rtype, &acl->fs_type) ||
 128                     !tomoyo_compare_name_union(&rdir, &acl->dir_name) ||
 129                     (need_dev &&
 130                      !tomoyo_compare_name_union(&rdev, &acl->dev_name)))
 131                         continue;
 132                 error = 0;
 133                 break;
 134         }
 135         if (error)
 136                 error = tomoyo_supervisor(r, TOMOYO_KEYWORD_ALLOW_MOUNT
 137                                           "%s %s %s 0x%lX\n",
 138                                           tomoyo_file_pattern(&rdev),
 139                                           tomoyo_file_pattern(&rdir),
 140                                           requested_type, flags);
 141  out:
 142         kfree(requested_dev_name);
 143         kfree(requested_dir_name);
 144         if (fstype)
 145                 put_filesystem(fstype);
 146         kfree(requested_type);
 147         return error;
 148 }
 149
 150 /**
 151  * tomoyo_mount_acl - Check permission for mount() operation.
 152  *
 153  * @r:        Pointer to "struct tomoyo_request_info".
 154  * @dev_name: Name of device file.
 155  * @dir:      Pointer to "struct path".
 156  * @type:     Name of filesystem type.
 157  * @flags:    Mount options.
 158  *
 159  * Returns 0 on success, negative value otherwise.
 160  *
 161  * Caller holds tomoyo_read_lock().
 162  */
 163 static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name,
 164                             struct path *dir, char *type, unsigned long flags)
 165 {
 166         int error;
 167         error = -EPERM;
 168         if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
 169                 flags &= ~MS_MGC_MSK;
 170         switch (flags & (MS_REMOUNT | MS_MOVE | MS_BIND)) {
 171         case MS_REMOUNT:
 172         case MS_MOVE:
 173         case MS_BIND:
 174         case 0:
 175                 break;
 176         default:
 177                 printk(KERN_WARNING "ERROR: "
 178                        "%s%s%sare given for single mount operation.\n",
 179                        flags & MS_REMOUNT ? "'remount' " : "",
 180                        flags & MS_MOVE    ? "'move' " : "",
 181                        flags & MS_BIND    ? "'bind' " : "");
 182                 return -EINVAL;
 183         }
 184         switch (flags & (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED)) {
 185         case MS_UNBINDABLE:
 186         case MS_PRIVATE:
 187         case MS_SLAVE:
 188         case MS_SHARED:
 189         case 0:
 190                 break;
 191         default:
 192                 printk(KERN_WARNING "ERROR: "
 193                        "%s%s%s%sare given for single mount operation.\n",
 194                        flags & MS_UNBINDABLE ? "'unbindable' " : "",
 195                        flags & MS_PRIVATE    ? "'private' " : "",
 196                        flags & MS_SLAVE      ? "'slave' " : "",
 197                        flags & MS_SHARED     ? "'shared' " : "");
 198                 return -EINVAL;
 199         }
 200         if (flags & MS_REMOUNT)
 201                 error = tomoyo_mount_acl(r, dev_name, dir,
 202                                       TOMOYO_MOUNT_REMOUNT_KEYWORD,
 203                                       flags & ~MS_REMOUNT);
 204         else if (flags & MS_MOVE)
 205                 error = tomoyo_mount_acl(r, dev_name, dir,
 206                                       TOMOYO_MOUNT_MOVE_KEYWORD,
 207                                       flags & ~MS_MOVE);
 208         else if (flags & MS_BIND)
 209                 error = tomoyo_mount_acl(r, dev_name, dir,
 210                                       TOMOYO_MOUNT_BIND_KEYWORD,
 211                                       flags & ~MS_BIND);
 212         else if (flags & MS_UNBINDABLE)
 213                 error = tomoyo_mount_acl(r, dev_name, dir,
 214                                       TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD,
 215                                       flags & ~MS_UNBINDABLE);
 216         else if (flags & MS_PRIVATE)
 217                 error = tomoyo_mount_acl(r, dev_name, dir,
 218                                       TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD,
 219                                       flags & ~MS_PRIVATE);
 220         else if (flags & MS_SLAVE)
 221                 error = tomoyo_mount_acl(r, dev_name, dir,
 222                                       TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD,
 223                                       flags & ~MS_SLAVE);
 224         else if (flags & MS_SHARED)
 225                 error = tomoyo_mount_acl(r, dev_name, dir,
 226                                       TOMOYO_MOUNT_MAKE_SHARED_KEYWORD,
 227                                       flags & ~MS_SHARED);
 228         else
 229                 do {
 230                         error = tomoyo_mount_acl2(r, dev_name, dir, type,
 231                                                   flags);
 232                 } while (error == TOMOYO_RETRY_REQUEST);
 233         if (r->mode != TOMOYO_CONFIG_ENFORCING)
 234                 error = 0;
 235         return error;
 236 }
 237
 238 /**
 239  * tomoyo_mount_permission - Check permission for mount() operation.
 240  *
 241  * @dev_name:  Name of device file.
 242  * @path:      Pointer to "struct path".
 243  * @type:      Name of filesystem type. May be NULL.
 244  * @flags:     Mount options.
 245  * @data_page: Optional data. May be NULL.
 246  *
 247  * Returns 0 on success, negative value otherwise.
 248  */
 249 int tomoyo_mount_permission(char *dev_name, struct path *path, char *type,
 250                             unsigned long flags, void *data_page)
 251 {
 252         struct tomoyo_request_info r;
 253         int error;
 254         int idx;
 255
 256         if (tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_MOUNT)
 257             == TOMOYO_CONFIG_DISABLED)
 258                 return 0;
 259         if (!type)
 260                 type = "<NULL>";
 261         idx = tomoyo_read_lock();
 262         error = tomoyo_mount_acl(&r, dev_name, path, type, flags);
 263         tomoyo_read_unlock(idx);
 264         return error;
 265 }
 266
 267 static bool tomoyo_same_mount_acl(const struct tomoyo_acl_info *a,
 268                                   const struct tomoyo_acl_info *b)
 269 {
 270         const struct tomoyo_mount_acl *p1 = container_of(a, typeof(*p1), head);
 271         const struct tomoyo_mount_acl *p2 = container_of(b, typeof(*p2), head);
 272         return tomoyo_is_same_acl_head(&p1->head, &p2->head) &&
 273                 tomoyo_is_same_name_union(&p1->dev_name, &p2->dev_name) &&
 274                 tomoyo_is_same_name_union(&p1->dir_name, &p2->dir_name) &&
 275                 tomoyo_is_same_name_union(&p1->fs_type, &p2->fs_type) &&
 276                 tomoyo_is_same_number_union(&p1->flags, &p2->flags);
 277 }
 278
 279 /**
 280  * tomoyo_write_mount_policy - Write "struct tomoyo_mount_acl" list.
 281  *
 282  * @data:      String to parse.
 283  * @domain:    Pointer to "struct tomoyo_domain_info".
 284  * @is_delete: True if it is a delete request.
 285  *
 286  * Returns 0 on success, negative value otherwise.
 287  *
 288  * Caller holds tomoyo_read_lock().
 289  */
 290 int tomoyo_write_mount_policy(char *data, struct tomoyo_domain_info *domain,
 291                               const bool is_delete)
 292 {
 293         struct tomoyo_mount_acl e = { .head.type = TOMOYO_TYPE_MOUNT_ACL };
 294         int error = is_delete ? -ENOENT : -ENOMEM;
 295         char *w[4];
 296         if (!tomoyo_tokenize(data, w, sizeof(w)) || !w[3][0])
 297                 return -EINVAL;
 298         if (!tomoyo_parse_name_union(w[0], &e.dev_name) ||
 299             !tomoyo_parse_name_union(w[1], &e.dir_name) ||
 300             !tomoyo_parse_name_union(w[2], &e.fs_type) ||
 301             !tomoyo_parse_number_union(w[3], &e.flags))
 302                 goto out;
 303         error = tomoyo_update_domain(&e.head, sizeof(e), is_delete, domain,
 304                                      tomoyo_same_mount_acl, NULL);
 305  out:
 306         tomoyo_put_name_union(&e.dev_name);
 307         tomoyo_put_name_union(&e.dir_name);
 308         tomoyo_put_name_union(&e.fs_type);
 309         tomoyo_put_number_union(&e.flags);
 310         return error;
 311 }