2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
13 #include <linux/slab.h>
15 /* Keyword array for single path operations. */
16 static const char *tomoyo_path_keyword
[TOMOYO_MAX_PATH_OPERATION
] = {
17 [TOMOYO_TYPE_READ_WRITE
] = "read/write",
18 [TOMOYO_TYPE_EXECUTE
] = "execute",
19 [TOMOYO_TYPE_READ
] = "read",
20 [TOMOYO_TYPE_WRITE
] = "write",
21 [TOMOYO_TYPE_CREATE
] = "create",
22 [TOMOYO_TYPE_UNLINK
] = "unlink",
23 [TOMOYO_TYPE_MKDIR
] = "mkdir",
24 [TOMOYO_TYPE_RMDIR
] = "rmdir",
25 [TOMOYO_TYPE_MKFIFO
] = "mkfifo",
26 [TOMOYO_TYPE_MKSOCK
] = "mksock",
27 [TOMOYO_TYPE_MKBLOCK
] = "mkblock",
28 [TOMOYO_TYPE_MKCHAR
] = "mkchar",
29 [TOMOYO_TYPE_TRUNCATE
] = "truncate",
30 [TOMOYO_TYPE_SYMLINK
] = "symlink",
31 [TOMOYO_TYPE_REWRITE
] = "rewrite",
32 [TOMOYO_TYPE_IOCTL
] = "ioctl",
33 [TOMOYO_TYPE_CHMOD
] = "chmod",
34 [TOMOYO_TYPE_CHOWN
] = "chown",
35 [TOMOYO_TYPE_CHGRP
] = "chgrp",
36 [TOMOYO_TYPE_CHROOT
] = "chroot",
37 [TOMOYO_TYPE_MOUNT
] = "mount",
38 [TOMOYO_TYPE_UMOUNT
] = "unmount",
41 /* Keyword array for double path operations. */
42 static const char *tomoyo_path2_keyword
[TOMOYO_MAX_PATH2_OPERATION
] = {
43 [TOMOYO_TYPE_LINK
] = "link",
44 [TOMOYO_TYPE_RENAME
] = "rename",
45 [TOMOYO_TYPE_PIVOT_ROOT
] = "pivot_root",
49 * tomoyo_path2keyword - Get the name of single path operation.
51 * @operation: Type of operation.
53 * Returns the name of single path operation.
55 const char *tomoyo_path2keyword(const u8 operation
)
57 return (operation
< TOMOYO_MAX_PATH_OPERATION
)
58 ? tomoyo_path_keyword
[operation
] : NULL
;
62 * tomoyo_path22keyword - Get the name of double path operation.
64 * @operation: Type of operation.
66 * Returns the name of double path operation.
68 const char *tomoyo_path22keyword(const u8 operation
)
70 return (operation
< TOMOYO_MAX_PATH2_OPERATION
)
71 ? tomoyo_path2_keyword
[operation
] : NULL
;
75 * tomoyo_strendswith - Check whether the token ends with the given token.
77 * @name: The token to check.
78 * @tail: The token to find.
80 * Returns true if @name ends with @tail, false otherwise.
82 static bool tomoyo_strendswith(const char *name
, const char *tail
)
88 len
= strlen(name
) - strlen(tail
);
89 return len
>= 0 && !strcmp(name
+ len
, tail
);
93 * tomoyo_get_path - Get realpath.
95 * @path: Pointer to "struct path".
97 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
99 static struct tomoyo_path_info
*tomoyo_get_path(struct path
*path
)
102 struct tomoyo_path_info_with_data
*buf
= kzalloc(sizeof(*buf
),
107 /* Reserve one byte for appending "/". */
108 error
= tomoyo_realpath_from_path2(path
, buf
->body
,
109 sizeof(buf
->body
) - 2);
111 buf
->head
.name
= buf
->body
;
112 tomoyo_fill_path_info(&buf
->head
);
119 static int tomoyo_update_path2_acl(const u8 type
, const char *filename1
,
120 const char *filename2
,
121 struct tomoyo_domain_info
*const domain
,
122 const bool is_delete
);
123 static int tomoyo_update_path_acl(const u8 type
, const char *filename
,
124 struct tomoyo_domain_info
*const domain
,
125 const bool is_delete
);
128 * tomoyo_globally_readable_list is used for holding list of pathnames which
129 * are by default allowed to be open()ed for reading by any process.
131 * An entry is added by
133 * # echo 'allow_read /lib/libc-2.5.so' > \
134 * /sys/kernel/security/tomoyo/exception_policy
138 * # echo 'delete allow_read /lib/libc-2.5.so' > \
139 * /sys/kernel/security/tomoyo/exception_policy
141 * and all entries are retrieved by
143 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
145 * In the example above, any process is allowed to
146 * open("/lib/libc-2.5.so", O_RDONLY).
147 * One exception is, if the domain which current process belongs to is marked
148 * as "ignore_global_allow_read", current process can't do so unless explicitly
149 * given "allow_read /lib/libc-2.5.so" to the domain which current process
152 LIST_HEAD(tomoyo_globally_readable_list
);
155 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
157 * @filename: Filename unconditionally permitted to open() for reading.
158 * @is_delete: True if it is a delete request.
160 * Returns 0 on success, negative value otherwise.
162 * Caller holds tomoyo_read_lock().
164 static int tomoyo_update_globally_readable_entry(const char *filename
,
165 const bool is_delete
)
167 struct tomoyo_globally_readable_file_entry
*entry
= NULL
;
168 struct tomoyo_globally_readable_file_entry
*ptr
;
169 const struct tomoyo_path_info
*saved_filename
;
170 int error
= is_delete
? -ENOENT
: -ENOMEM
;
172 if (!tomoyo_is_correct_path(filename
, 1, 0, -1))
174 saved_filename
= tomoyo_get_name(filename
);
178 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
179 mutex_lock(&tomoyo_policy_lock
);
180 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
181 if (ptr
->filename
!= saved_filename
)
183 ptr
->is_deleted
= is_delete
;
187 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
188 entry
->filename
= saved_filename
;
189 saved_filename
= NULL
;
190 list_add_tail_rcu(&entry
->list
, &tomoyo_globally_readable_list
);
194 mutex_unlock(&tomoyo_policy_lock
);
195 tomoyo_put_name(saved_filename
);
201 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
203 * @filename: The filename to check.
205 * Returns true if any domain can open @filename for reading, false otherwise.
207 * Caller holds tomoyo_read_lock().
209 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info
*
212 struct tomoyo_globally_readable_file_entry
*ptr
;
215 list_for_each_entry_rcu(ptr
, &tomoyo_globally_readable_list
, list
) {
216 if (!ptr
->is_deleted
&&
217 tomoyo_path_matches_pattern(filename
, ptr
->filename
)) {
226 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
228 * @data: String to parse.
229 * @is_delete: True if it is a delete request.
231 * Returns 0 on success, negative value otherwise.
233 * Caller holds tomoyo_read_lock().
235 int tomoyo_write_globally_readable_policy(char *data
, const bool is_delete
)
237 return tomoyo_update_globally_readable_entry(data
, is_delete
);
241 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
243 * @head: Pointer to "struct tomoyo_io_buffer".
245 * Returns true on success, false otherwise.
247 * Caller holds tomoyo_read_lock().
249 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer
*head
)
251 struct list_head
*pos
;
254 list_for_each_cookie(pos
, head
->read_var2
,
255 &tomoyo_globally_readable_list
) {
256 struct tomoyo_globally_readable_file_entry
*ptr
;
257 ptr
= list_entry(pos
,
258 struct tomoyo_globally_readable_file_entry
,
262 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_ALLOW_READ
"%s\n",
263 ptr
->filename
->name
);
270 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
271 * converting pathnames to pathname patterns during learning mode.
273 * An entry is added by
275 * # echo 'file_pattern /proc/\$/mounts' > \
276 * /sys/kernel/security/tomoyo/exception_policy
280 * # echo 'delete file_pattern /proc/\$/mounts' > \
281 * /sys/kernel/security/tomoyo/exception_policy
283 * and all entries are retrieved by
285 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
287 * In the example above, if a process which belongs to a domain which is in
288 * learning mode requested open("/proc/1/mounts", O_RDONLY),
289 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
290 * process belongs to.
292 * It is not a desirable behavior that we have to use /proc/\$/ instead of
293 * /proc/self/ when current process needs to access only current process's
294 * information. As of now, LSM version of TOMOYO is using __d_path() for
295 * calculating pathname. Non LSM version of TOMOYO is using its own function
296 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
297 * current process from accessing other process's information.
299 LIST_HEAD(tomoyo_pattern_list
);
302 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
304 * @pattern: Pathname pattern.
305 * @is_delete: True if it is a delete request.
307 * Returns 0 on success, negative value otherwise.
309 * Caller holds tomoyo_read_lock().
311 static int tomoyo_update_file_pattern_entry(const char *pattern
,
312 const bool is_delete
)
314 struct tomoyo_pattern_entry
*entry
= NULL
;
315 struct tomoyo_pattern_entry
*ptr
;
316 const struct tomoyo_path_info
*saved_pattern
;
317 int error
= is_delete
? -ENOENT
: -ENOMEM
;
319 saved_pattern
= tomoyo_get_name(pattern
);
322 if (!saved_pattern
->is_patterned
)
325 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
326 mutex_lock(&tomoyo_policy_lock
);
327 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
328 if (saved_pattern
!= ptr
->pattern
)
330 ptr
->is_deleted
= is_delete
;
334 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
335 entry
->pattern
= saved_pattern
;
336 saved_pattern
= NULL
;
337 list_add_tail_rcu(&entry
->list
, &tomoyo_pattern_list
);
341 mutex_unlock(&tomoyo_policy_lock
);
344 tomoyo_put_name(saved_pattern
);
349 * tomoyo_get_file_pattern - Get patterned pathname.
351 * @filename: The filename to find patterned pathname.
353 * Returns pointer to pathname pattern if matched, @filename otherwise.
355 * Caller holds tomoyo_read_lock().
357 static const struct tomoyo_path_info
*
358 tomoyo_get_file_pattern(const struct tomoyo_path_info
*filename
)
360 struct tomoyo_pattern_entry
*ptr
;
361 const struct tomoyo_path_info
*pattern
= NULL
;
363 list_for_each_entry_rcu(ptr
, &tomoyo_pattern_list
, list
) {
366 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
368 pattern
= ptr
->pattern
;
369 if (tomoyo_strendswith(pattern
->name
, "/\\*")) {
370 /* Do nothing. Try to find the better match. */
372 /* This would be the better match. Use this. */
382 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
384 * @data: String to parse.
385 * @is_delete: True if it is a delete request.
387 * Returns 0 on success, negative value otherwise.
389 * Caller holds tomoyo_read_lock().
391 int tomoyo_write_pattern_policy(char *data
, const bool is_delete
)
393 return tomoyo_update_file_pattern_entry(data
, is_delete
);
397 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
399 * @head: Pointer to "struct tomoyo_io_buffer".
401 * Returns true on success, false otherwise.
403 * Caller holds tomoyo_read_lock().
405 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer
*head
)
407 struct list_head
*pos
;
410 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_pattern_list
) {
411 struct tomoyo_pattern_entry
*ptr
;
412 ptr
= list_entry(pos
, struct tomoyo_pattern_entry
, list
);
415 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_FILE_PATTERN
416 "%s\n", ptr
->pattern
->name
);
424 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
425 * default forbidden to modify already written content of a file.
427 * An entry is added by
429 * # echo 'deny_rewrite /var/log/messages' > \
430 * /sys/kernel/security/tomoyo/exception_policy
434 * # echo 'delete deny_rewrite /var/log/messages' > \
435 * /sys/kernel/security/tomoyo/exception_policy
437 * and all entries are retrieved by
439 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
441 * In the example above, if a process requested to rewrite /var/log/messages ,
442 * the process can't rewrite unless the domain which that process belongs to
443 * has "allow_rewrite /var/log/messages" entry.
445 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
446 * when we want to allow rewriting already unlink()ed file. As of now,
447 * LSM version of TOMOYO is using __d_path() for calculating pathname.
448 * Non LSM version of TOMOYO is using its own function which doesn't append
449 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
450 * need to worry whether the file is already unlink()ed or not.
452 LIST_HEAD(tomoyo_no_rewrite_list
);
455 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
457 * @pattern: Pathname pattern that are not rewritable by default.
458 * @is_delete: True if it is a delete request.
460 * Returns 0 on success, negative value otherwise.
462 * Caller holds tomoyo_read_lock().
464 static int tomoyo_update_no_rewrite_entry(const char *pattern
,
465 const bool is_delete
)
467 struct tomoyo_no_rewrite_entry
*entry
= NULL
;
468 struct tomoyo_no_rewrite_entry
*ptr
;
469 const struct tomoyo_path_info
*saved_pattern
;
470 int error
= is_delete
? -ENOENT
: -ENOMEM
;
472 if (!tomoyo_is_correct_path(pattern
, 0, 0, 0))
474 saved_pattern
= tomoyo_get_name(pattern
);
478 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
479 mutex_lock(&tomoyo_policy_lock
);
480 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
481 if (ptr
->pattern
!= saved_pattern
)
483 ptr
->is_deleted
= is_delete
;
487 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
488 entry
->pattern
= saved_pattern
;
489 saved_pattern
= NULL
;
490 list_add_tail_rcu(&entry
->list
, &tomoyo_no_rewrite_list
);
494 mutex_unlock(&tomoyo_policy_lock
);
495 tomoyo_put_name(saved_pattern
);
501 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
503 * @filename: Filename to check.
505 * Returns true if @filename is specified by "deny_rewrite" directive,
508 * Caller holds tomoyo_read_lock().
510 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info
*filename
)
512 struct tomoyo_no_rewrite_entry
*ptr
;
515 list_for_each_entry_rcu(ptr
, &tomoyo_no_rewrite_list
, list
) {
518 if (!tomoyo_path_matches_pattern(filename
, ptr
->pattern
))
527 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
529 * @data: String to parse.
530 * @is_delete: True if it is a delete request.
532 * Returns 0 on success, negative value otherwise.
534 * Caller holds tomoyo_read_lock().
536 int tomoyo_write_no_rewrite_policy(char *data
, const bool is_delete
)
538 return tomoyo_update_no_rewrite_entry(data
, is_delete
);
542 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
544 * @head: Pointer to "struct tomoyo_io_buffer".
546 * Returns true on success, false otherwise.
548 * Caller holds tomoyo_read_lock().
550 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer
*head
)
552 struct list_head
*pos
;
555 list_for_each_cookie(pos
, head
->read_var2
, &tomoyo_no_rewrite_list
) {
556 struct tomoyo_no_rewrite_entry
*ptr
;
557 ptr
= list_entry(pos
, struct tomoyo_no_rewrite_entry
, list
);
560 done
= tomoyo_io_printf(head
, TOMOYO_KEYWORD_DENY_REWRITE
561 "%s\n", ptr
->pattern
->name
);
569 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
571 * @filename: Filename.
572 * @perm: Permission (between 1 to 7).
573 * @domain: Pointer to "struct tomoyo_domain_info".
574 * @is_delete: True if it is a delete request.
576 * Returns 0 on success, negative value otherwise.
578 * This is legacy support interface for older policy syntax.
579 * Current policy syntax uses "allow_read/write" instead of "6",
580 * "allow_read" instead of "4", "allow_write" instead of "2",
581 * "allow_execute" instead of "1".
583 * Caller holds tomoyo_read_lock().
585 static int tomoyo_update_file_acl(const char *filename
, u8 perm
,
586 struct tomoyo_domain_info
* const domain
,
587 const bool is_delete
)
589 if (perm
> 7 || !perm
) {
590 printk(KERN_DEBUG
"%s: Invalid permission '%d %s'\n",
591 __func__
, perm
, filename
);
594 if (filename
[0] != '@' && tomoyo_strendswith(filename
, "/"))
596 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
597 * directory permissions.
601 tomoyo_update_path_acl(TOMOYO_TYPE_READ
, filename
, domain
,
604 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE
, filename
, domain
,
607 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE
, filename
, domain
,
613 * tomoyo_path_acl2 - Check permission for single path operation.
615 * @domain: Pointer to "struct tomoyo_domain_info".
616 * @filename: Filename to check.
618 * @may_use_pattern: True if patterned ACL is permitted.
620 * Returns 0 on success, -EPERM otherwise.
622 * Caller holds tomoyo_read_lock().
624 static int tomoyo_path_acl2(const struct tomoyo_domain_info
*domain
,
625 const struct tomoyo_path_info
*filename
,
626 const u32 perm
, const bool may_use_pattern
)
628 struct tomoyo_acl_info
*ptr
;
631 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
632 struct tomoyo_path_acl
*acl
;
633 if (ptr
->type
!= TOMOYO_TYPE_PATH_ACL
)
635 acl
= container_of(ptr
, struct tomoyo_path_acl
, head
);
636 if (perm
<= 0xFFFF) {
637 if (!(acl
->perm
& perm
))
640 if (!(acl
->perm_high
& (perm
>> 16)))
643 if (may_use_pattern
|| !acl
->filename
->is_patterned
) {
644 if (!tomoyo_path_matches_pattern(filename
,
657 * tomoyo_check_file_acl - Check permission for opening files.
659 * @domain: Pointer to "struct tomoyo_domain_info".
660 * @filename: Filename to check.
661 * @operation: Mode ("read" or "write" or "read/write" or "execute").
663 * Returns 0 on success, -EPERM otherwise.
665 * Caller holds tomoyo_read_lock().
667 static int tomoyo_check_file_acl(const struct tomoyo_domain_info
*domain
,
668 const struct tomoyo_path_info
*filename
,
673 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
676 perm
= 1 << TOMOYO_TYPE_READ_WRITE
;
677 else if (operation
== 4)
678 perm
= 1 << TOMOYO_TYPE_READ
;
679 else if (operation
== 2)
680 perm
= 1 << TOMOYO_TYPE_WRITE
;
681 else if (operation
== 1)
682 perm
= 1 << TOMOYO_TYPE_EXECUTE
;
685 return tomoyo_path_acl2(domain
, filename
, perm
, operation
!= 1);
689 * tomoyo_check_file_perm2 - Check permission for opening files.
691 * @domain: Pointer to "struct tomoyo_domain_info".
692 * @filename: Filename to check.
693 * @perm: Mode ("read" or "write" or "read/write" or "execute").
694 * @operation: Operation name passed used for verbose mode.
695 * @mode: Access control mode.
697 * Returns 0 on success, negative value otherwise.
699 * Caller holds tomoyo_read_lock().
701 static int tomoyo_check_file_perm2(struct tomoyo_domain_info
* const domain
,
702 const struct tomoyo_path_info
*filename
,
703 const u8 perm
, const char *operation
,
706 const bool is_enforce
= (mode
== 3);
707 const char *msg
= "<unknown>";
712 error
= tomoyo_check_file_acl(domain
, filename
, perm
);
713 if (error
&& perm
== 4 && !domain
->ignore_global_allow_read
714 && tomoyo_is_globally_readable_file(filename
))
717 msg
= tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE
);
719 msg
= tomoyo_path2keyword(TOMOYO_TYPE_READ
);
721 msg
= tomoyo_path2keyword(TOMOYO_TYPE_WRITE
);
723 msg
= tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE
);
728 if (tomoyo_verbose_mode(domain
))
729 printk(KERN_WARNING
"TOMOYO-%s: Access '%s(%s) %s' denied "
730 "for %s\n", tomoyo_get_msg(is_enforce
), msg
, operation
,
731 filename
->name
, tomoyo_get_last_name(domain
));
734 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
735 /* Don't use patterns for execute permission. */
736 const struct tomoyo_path_info
*patterned_file
= (perm
!= 1) ?
737 tomoyo_get_file_pattern(filename
) : filename
;
738 tomoyo_update_file_acl(patterned_file
->name
, perm
,
745 * tomoyo_write_file_policy - Update file related list.
747 * @data: String to parse.
748 * @domain: Pointer to "struct tomoyo_domain_info".
749 * @is_delete: True if it is a delete request.
751 * Returns 0 on success, negative value otherwise.
753 * Caller holds tomoyo_read_lock().
755 int tomoyo_write_file_policy(char *data
, struct tomoyo_domain_info
*domain
,
756 const bool is_delete
)
758 char *filename
= strchr(data
, ' ');
766 if (sscanf(data
, "%u", &perm
) == 1)
767 return tomoyo_update_file_acl(filename
, (u8
) perm
, domain
,
769 if (strncmp(data
, "allow_", 6))
772 for (type
= 0; type
< TOMOYO_MAX_PATH_OPERATION
; type
++) {
773 if (strcmp(data
, tomoyo_path_keyword
[type
]))
775 return tomoyo_update_path_acl(type
, filename
, domain
,
778 filename2
= strchr(filename
, ' ');
782 for (type
= 0; type
< TOMOYO_MAX_PATH2_OPERATION
; type
++) {
783 if (strcmp(data
, tomoyo_path2_keyword
[type
]))
785 return tomoyo_update_path2_acl(type
, filename
, filename2
,
793 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
795 * @type: Type of operation.
796 * @filename: Filename.
797 * @domain: Pointer to "struct tomoyo_domain_info".
798 * @is_delete: True if it is a delete request.
800 * Returns 0 on success, negative value otherwise.
802 * Caller holds tomoyo_read_lock().
804 static int tomoyo_update_path_acl(const u8 type
, const char *filename
,
805 struct tomoyo_domain_info
*const domain
,
806 const bool is_delete
)
808 static const u32 rw_mask
=
809 (1 << TOMOYO_TYPE_READ
) | (1 << TOMOYO_TYPE_WRITE
);
810 const struct tomoyo_path_info
*saved_filename
;
811 struct tomoyo_acl_info
*ptr
;
812 struct tomoyo_path_acl
*entry
= NULL
;
813 int error
= is_delete
? -ENOENT
: -ENOMEM
;
814 const u32 perm
= 1 << type
;
818 if (!tomoyo_is_correct_path(filename
, 0, 0, 0))
820 saved_filename
= tomoyo_get_name(filename
);
824 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
825 mutex_lock(&tomoyo_policy_lock
);
826 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
827 struct tomoyo_path_acl
*acl
=
828 container_of(ptr
, struct tomoyo_path_acl
, head
);
829 if (ptr
->type
!= TOMOYO_TYPE_PATH_ACL
)
831 if (acl
->filename
!= saved_filename
)
837 acl
->perm_high
&= ~(perm
>> 16);
838 if ((acl
->perm
& rw_mask
) != rw_mask
)
839 acl
->perm
&= ~(1 << TOMOYO_TYPE_READ_WRITE
);
840 else if (!(acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE
)))
841 acl
->perm
&= ~rw_mask
;
846 acl
->perm_high
|= (perm
>> 16);
847 if ((acl
->perm
& rw_mask
) == rw_mask
)
848 acl
->perm
|= 1 << TOMOYO_TYPE_READ_WRITE
;
849 else if (acl
->perm
& (1 << TOMOYO_TYPE_READ_WRITE
))
850 acl
->perm
|= rw_mask
;
855 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
856 entry
->head
.type
= TOMOYO_TYPE_PATH_ACL
;
860 entry
->perm_high
= (perm
>> 16);
861 if (perm
== (1 << TOMOYO_TYPE_READ_WRITE
))
862 entry
->perm
|= rw_mask
;
863 entry
->filename
= saved_filename
;
864 saved_filename
= NULL
;
865 list_add_tail_rcu(&entry
->head
.list
, &domain
->acl_info_list
);
869 mutex_unlock(&tomoyo_policy_lock
);
871 tomoyo_put_name(saved_filename
);
876 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
878 * @type: Type of operation.
879 * @filename1: First filename.
880 * @filename2: Second filename.
881 * @domain: Pointer to "struct tomoyo_domain_info".
882 * @is_delete: True if it is a delete request.
884 * Returns 0 on success, negative value otherwise.
886 * Caller holds tomoyo_read_lock().
888 static int tomoyo_update_path2_acl(const u8 type
, const char *filename1
,
889 const char *filename2
,
890 struct tomoyo_domain_info
*const domain
,
891 const bool is_delete
)
893 const struct tomoyo_path_info
*saved_filename1
;
894 const struct tomoyo_path_info
*saved_filename2
;
895 struct tomoyo_acl_info
*ptr
;
896 struct tomoyo_path2_acl
*entry
= NULL
;
897 int error
= is_delete
? -ENOENT
: -ENOMEM
;
898 const u8 perm
= 1 << type
;
902 if (!tomoyo_is_correct_path(filename1
, 0, 0, 0) ||
903 !tomoyo_is_correct_path(filename2
, 0, 0, 0))
905 saved_filename1
= tomoyo_get_name(filename1
);
906 saved_filename2
= tomoyo_get_name(filename2
);
907 if (!saved_filename1
|| !saved_filename2
)
910 entry
= kmalloc(sizeof(*entry
), GFP_KERNEL
);
911 mutex_lock(&tomoyo_policy_lock
);
912 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
913 struct tomoyo_path2_acl
*acl
=
914 container_of(ptr
, struct tomoyo_path2_acl
, head
);
915 if (ptr
->type
!= TOMOYO_TYPE_PATH2_ACL
)
917 if (acl
->filename1
!= saved_filename1
||
918 acl
->filename2
!= saved_filename2
)
927 if (!is_delete
&& error
&& tomoyo_memory_ok(entry
)) {
928 entry
->head
.type
= TOMOYO_TYPE_PATH2_ACL
;
930 entry
->filename1
= saved_filename1
;
931 saved_filename1
= NULL
;
932 entry
->filename2
= saved_filename2
;
933 saved_filename2
= NULL
;
934 list_add_tail_rcu(&entry
->head
.list
, &domain
->acl_info_list
);
938 mutex_unlock(&tomoyo_policy_lock
);
940 tomoyo_put_name(saved_filename1
);
941 tomoyo_put_name(saved_filename2
);
947 * tomoyo_path_acl - Check permission for single path operation.
949 * @domain: Pointer to "struct tomoyo_domain_info".
950 * @type: Type of operation.
951 * @filename: Filename to check.
953 * Returns 0 on success, negative value otherwise.
955 * Caller holds tomoyo_read_lock().
957 static int tomoyo_path_acl(struct tomoyo_domain_info
*domain
, const u8 type
,
958 const struct tomoyo_path_info
*filename
)
960 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
962 return tomoyo_path_acl2(domain
, filename
, 1 << type
, 1);
966 * tomoyo_path2_acl - Check permission for double path operation.
968 * @domain: Pointer to "struct tomoyo_domain_info".
969 * @type: Type of operation.
970 * @filename1: First filename to check.
971 * @filename2: Second filename to check.
973 * Returns 0 on success, -EPERM otherwise.
975 * Caller holds tomoyo_read_lock().
977 static int tomoyo_path2_acl(const struct tomoyo_domain_info
*domain
,
979 const struct tomoyo_path_info
*filename1
,
980 const struct tomoyo_path_info
*filename2
)
982 struct tomoyo_acl_info
*ptr
;
983 const u8 perm
= 1 << type
;
986 if (!tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
))
988 list_for_each_entry_rcu(ptr
, &domain
->acl_info_list
, list
) {
989 struct tomoyo_path2_acl
*acl
;
990 if (ptr
->type
!= TOMOYO_TYPE_PATH2_ACL
)
992 acl
= container_of(ptr
, struct tomoyo_path2_acl
, head
);
993 if (!(acl
->perm
& perm
))
995 if (!tomoyo_path_matches_pattern(filename1
, acl
->filename1
))
997 if (!tomoyo_path_matches_pattern(filename2
, acl
->filename2
))
1006 * tomoyo_path_permission2 - Check permission for single path operation.
1008 * @domain: Pointer to "struct tomoyo_domain_info".
1009 * @operation: Type of operation.
1010 * @filename: Filename to check.
1011 * @mode: Access control mode.
1013 * Returns 0 on success, negative value otherwise.
1015 * Caller holds tomoyo_read_lock().
1017 static int tomoyo_path_permission2(struct tomoyo_domain_info
*const domain
,
1019 const struct tomoyo_path_info
*filename
,
1024 const bool is_enforce
= (mode
== 3);
1029 error
= tomoyo_path_acl(domain
, operation
, filename
);
1030 msg
= tomoyo_path2keyword(operation
);
1033 if (tomoyo_verbose_mode(domain
))
1034 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s' denied for %s\n",
1035 tomoyo_get_msg(is_enforce
), msg
, filename
->name
,
1036 tomoyo_get_last_name(domain
));
1037 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1038 const char *name
= tomoyo_get_file_pattern(filename
)->name
;
1039 tomoyo_update_path_acl(operation
, name
, domain
, false);
1045 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1046 * we need to check "allow_rewrite" permission if the filename is
1047 * specified by "deny_rewrite" keyword.
1049 if (!error
&& operation
== TOMOYO_TYPE_TRUNCATE
&&
1050 tomoyo_is_no_rewrite_file(filename
)) {
1051 operation
= TOMOYO_TYPE_REWRITE
;
1058 * tomoyo_check_exec_perm - Check permission for "execute".
1060 * @domain: Pointer to "struct tomoyo_domain_info".
1061 * @filename: Check permission for "execute".
1063 * Returns 0 on success, negativevalue otherwise.
1065 * Caller holds tomoyo_read_lock().
1067 int tomoyo_check_exec_perm(struct tomoyo_domain_info
*domain
,
1068 const struct tomoyo_path_info
*filename
)
1070 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1074 return tomoyo_check_file_perm2(domain
, filename
, 1, "do_execve", mode
);
1078 * tomoyo_check_open_permission - Check permission for "read" and "write".
1080 * @domain: Pointer to "struct tomoyo_domain_info".
1081 * @path: Pointer to "struct path".
1082 * @flag: Flags for open().
1084 * Returns 0 on success, negative value otherwise.
1086 int tomoyo_check_open_permission(struct tomoyo_domain_info
*domain
,
1087 struct path
*path
, const int flag
)
1089 const u8 acc_mode
= ACC_MODE(flag
);
1090 int error
= -ENOMEM
;
1091 struct tomoyo_path_info
*buf
;
1092 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1093 const bool is_enforce
= (mode
== 3);
1096 if (!mode
|| !path
->mnt
)
1100 if (path
->dentry
->d_inode
&& S_ISDIR(path
->dentry
->d_inode
->i_mode
))
1102 * I don't check directories here because mkdir() and rmdir()
1106 idx
= tomoyo_read_lock();
1107 buf
= tomoyo_get_path(path
);
1112 * If the filename is specified by "deny_rewrite" keyword,
1113 * we need to check "allow_rewrite" permission when the filename is not
1114 * opened for append mode or the filename is truncated at open time.
1116 if ((acc_mode
& MAY_WRITE
) &&
1117 ((flag
& O_TRUNC
) || !(flag
& O_APPEND
)) &&
1118 (tomoyo_is_no_rewrite_file(buf
))) {
1119 error
= tomoyo_path_permission2(domain
, TOMOYO_TYPE_REWRITE
,
1123 error
= tomoyo_check_file_perm2(domain
, buf
, acc_mode
, "open",
1125 if (!error
&& (flag
& O_TRUNC
))
1126 error
= tomoyo_path_permission2(domain
, TOMOYO_TYPE_TRUNCATE
,
1130 tomoyo_read_unlock(idx
);
1137 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1139 * @operation: Type of operation.
1140 * @path: Pointer to "struct path".
1142 * Returns 0 on success, negative value otherwise.
1144 int tomoyo_path_perm(const u8 operation
, struct path
*path
)
1146 int error
= -ENOMEM
;
1147 struct tomoyo_path_info
*buf
;
1148 struct tomoyo_domain_info
*domain
= tomoyo_domain();
1149 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1150 const bool is_enforce
= (mode
== 3);
1153 if (!mode
|| !path
->mnt
)
1155 idx
= tomoyo_read_lock();
1156 buf
= tomoyo_get_path(path
);
1159 switch (operation
) {
1160 case TOMOYO_TYPE_MKDIR
:
1161 case TOMOYO_TYPE_RMDIR
:
1162 case TOMOYO_TYPE_CHROOT
:
1165 * tomoyo_get_path() reserves space for appending "/."
1167 strcat((char *) buf
->name
, "/");
1168 tomoyo_fill_path_info(buf
);
1171 error
= tomoyo_path_permission2(domain
, operation
, buf
, mode
);
1174 tomoyo_read_unlock(idx
);
1181 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1183 * @filp: Pointer to "struct file".
1185 * Returns 0 on success, negative value otherwise.
1187 int tomoyo_check_rewrite_permission(struct file
*filp
)
1189 int error
= -ENOMEM
;
1190 struct tomoyo_domain_info
*domain
= tomoyo_domain();
1191 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1192 const bool is_enforce
= (mode
== 3);
1193 struct tomoyo_path_info
*buf
;
1196 if (!mode
|| !filp
->f_path
.mnt
)
1199 idx
= tomoyo_read_lock();
1200 buf
= tomoyo_get_path(&filp
->f_path
);
1203 if (!tomoyo_is_no_rewrite_file(buf
)) {
1207 error
= tomoyo_path_permission2(domain
, TOMOYO_TYPE_REWRITE
, buf
, mode
);
1210 tomoyo_read_unlock(idx
);
1217 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1219 * @operation: Type of operation.
1220 * @path1: Pointer to "struct path".
1221 * @path2: Pointer to "struct path".
1223 * Returns 0 on success, negative value otherwise.
1225 int tomoyo_path2_perm(const u8 operation
, struct path
*path1
,
1228 int error
= -ENOMEM
;
1229 struct tomoyo_path_info
*buf1
, *buf2
;
1230 struct tomoyo_domain_info
*domain
= tomoyo_domain();
1231 const u8 mode
= tomoyo_check_flags(domain
, TOMOYO_MAC_FOR_FILE
);
1232 const bool is_enforce
= (mode
== 3);
1236 if (!mode
|| !path1
->mnt
|| !path2
->mnt
)
1238 idx
= tomoyo_read_lock();
1239 buf1
= tomoyo_get_path(path1
);
1240 buf2
= tomoyo_get_path(path2
);
1244 struct dentry
*dentry
= path1
->dentry
;
1245 if (dentry
->d_inode
&& S_ISDIR(dentry
->d_inode
->i_mode
)) {
1247 * tomoyo_get_path() reserves space for appending "/."
1249 if (!buf1
->is_dir
) {
1250 strcat((char *) buf1
->name
, "/");
1251 tomoyo_fill_path_info(buf1
);
1253 if (!buf2
->is_dir
) {
1254 strcat((char *) buf2
->name
, "/");
1255 tomoyo_fill_path_info(buf2
);
1259 error
= tomoyo_path2_acl(domain
, operation
, buf1
, buf2
);
1260 msg
= tomoyo_path22keyword(operation
);
1263 if (tomoyo_verbose_mode(domain
))
1264 printk(KERN_WARNING
"TOMOYO-%s: Access '%s %s %s' "
1265 "denied for %s\n", tomoyo_get_msg(is_enforce
),
1266 msg
, buf1
->name
, buf2
->name
,
1267 tomoyo_get_last_name(domain
));
1268 if (mode
== 1 && tomoyo_domain_quota_is_ok(domain
)) {
1269 const char *name1
= tomoyo_get_file_pattern(buf1
)->name
;
1270 const char *name2
= tomoyo_get_file_pattern(buf2
)->name
;
1271 tomoyo_update_path2_acl(operation
, name1
, name2
, domain
,
1277 tomoyo_read_unlock(idx
);