2 * security/tomoyo/common.c
4 * Common functions for TOMOYO.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
12 #include <linux/uaccess.h>
13 #include <linux/slab.h>
14 #include <linux/security.h>
15 #include <linux/hardirq.h>
18 /* Lock for protecting policy. */
19 DEFINE_MUTEX(tomoyo_policy_lock);
21 /* Has loading policy done? */
22 bool tomoyo_policy_loaded;
24 /* String table for functionality that takes 4 modes. */
25 static const char *tomoyo_mode_4[4] = {
26 "disabled", "learning", "permissive", "enforcing"
28 /* String table for functionality that takes 2 modes. */
29 static const char *tomoyo_mode_2[4] = {
30 "disabled", "enabled", "enabled", "enabled"
34 * tomoyo_control_array is a static data which contains
36 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
37 * (2) initial values for "struct tomoyo_profile".
38 * (3) max values for "struct tomoyo_profile".
42 unsigned int current_value;
43 const unsigned int max_value;
44 } tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = {
45 [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 },
46 [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX },
47 [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 },
51 * tomoyo_profile is a structure which is used for holding the mode of access
52 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
53 * An administrator can define up to 256 profiles.
54 * The ->profile of "struct tomoyo_domain_info" is used for remembering
55 * the profile's number (0 - 255) assigned to that domain.
57 static struct tomoyo_profile {
58 unsigned int value[TOMOYO_MAX_CONTROL_INDEX];
59 const struct tomoyo_path_info *comment;
60 } *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES];
62 /* Permit policy management by non-root user? */
63 static bool tomoyo_manage_by_non_root;
65 /* Utility functions. */
67 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
68 static int tomoyo_open_control(const u8 type, struct file *file);
69 /* Close /sys/kernel/security/tomoyo/ interface. */
70 static int tomoyo_close_control(struct file *file);
71 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
72 static int tomoyo_read_control(struct file *file, char __user *buffer,
73 const int buffer_len);
74 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
75 static int tomoyo_write_control(struct file *file, const char __user *buffer,
76 const int buffer_len);
79 * tomoyo_parse_name_union - Parse a tomoyo_name_union.
81 * @filename: Name or name group.
82 * @ptr: Pointer to "struct tomoyo_name_union".
84 * Returns true on success, false otherwise.
86 bool tomoyo_parse_name_union(const char *filename,
87 struct tomoyo_name_union *ptr)
89 if (!tomoyo_is_correct_path(filename, 0, 0, 0))
91 if (filename[0] == '@') {
92 ptr->group = tomoyo_get_path_group(filename + 1);
94 return ptr->group != NULL;
96 ptr->filename = tomoyo_get_name(filename);
97 ptr->is_group = false;
98 return ptr->filename != NULL;
102 * tomoyo_print_name_union - Print a tomoyo_name_union.
104 * @head: Pointer to "struct tomoyo_io_buffer".
105 * @ptr: Pointer to "struct tomoyo_name_union".
107 * Returns true on success, false otherwise.
109 static bool tomoyo_print_name_union(struct tomoyo_io_buffer *head,
110 const struct tomoyo_name_union *ptr)
112 int pos = head->read_avail;
113 if (pos && head->read_buf[pos - 1] == ' ')
116 return tomoyo_io_printf(head, " @%s",
117 ptr->group->group_name->name);
118 return tomoyo_io_printf(head, " %s", ptr->filename->name);
122 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
124 * @str: Pointer to the string.
126 * Returns true if @str is a \ooo style octal value, false otherwise.
128 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
129 * This function verifies that \ooo is in valid range.
131 static inline bool tomoyo_is_byte_range(const char *str)
133 return *str >= '0' && *str++ <= '3' &&
134 *str >= '0' && *str++ <= '7' &&
135 *str >= '0' && *str <= '7';
139 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
141 * @c: The character to check.
143 * Returns true if @c is an alphabet character, false otherwise.
145 static inline bool tomoyo_is_alphabet_char(const char c)
147 return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
151 * tomoyo_make_byte - Make byte value from three octal characters.
153 * @c1: The first character.
154 * @c2: The second character.
155 * @c3: The third character.
157 * Returns byte value.
159 static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3)
161 return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0');
165 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
167 * @src: Pointer to pointer to the string.
168 * @find: Pointer to the keyword.
170 * Returns true if @src starts with @find, false otherwise.
172 * The @src is updated to point the first character after the @find
173 * if @src starts with @find.
175 static bool tomoyo_str_starts(char **src, const char *find)
177 const int len = strlen(find);
180 if (strncmp(tmp, find, len))
188 * tomoyo_normalize_line - Format string.
190 * @buffer: The line to normalize.
192 * Leading and trailing whitespaces are removed.
193 * Multiple whitespaces are packed into single space.
197 static void tomoyo_normalize_line(unsigned char *buffer)
199 unsigned char *sp = buffer;
200 unsigned char *dp = buffer;
203 while (tomoyo_is_invalid(*sp))
209 while (tomoyo_is_valid(*sp))
211 while (tomoyo_is_invalid(*sp))
218 * tomoyo_tokenize - Tokenize string.
220 * @buffer: The line to tokenize.
221 * @w: Pointer to "char *".
224 * Returns true on success, false otherwise.
226 bool tomoyo_tokenize(char *buffer, char *w[], size_t size)
228 int count = size / sizeof(char *);
230 for (i = 0; i < count; i++)
232 for (i = 0; i < count; i++) {
233 char *cp = strchr(buffer, ' ');
241 return i < count || !*buffer;
245 * tomoyo_is_correct_path - Validate a pathname.
246 * @filename: The pathname to check.
247 * @start_type: Should the pathname start with '/'?
248 * 1 = must / -1 = must not / 0 = don't care
249 * @pattern_type: Can the pathname contain a wildcard?
250 * 1 = must / -1 = must not / 0 = don't care
251 * @end_type: Should the pathname end with '/'?
252 * 1 = must / -1 = must not / 0 = don't care
254 * Check whether the given filename follows the naming rules.
255 * Returns true if @filename follows the naming rules, false otherwise.
257 bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
258 const s8 pattern_type, const s8 end_type)
260 const char *const start = filename;
261 bool in_repetition = false;
262 bool contains_pattern = false;
270 if (start_type == 1) { /* Must start with '/' */
273 } else if (start_type == -1) { /* Must not start with '/' */
278 c = *(filename + strlen(filename) - 1);
279 if (end_type == 1) { /* Must end with '/' */
282 } else if (end_type == -1) { /* Must not end with '/' */
293 case '\\': /* "\\" */
305 if (pattern_type == -1)
306 break; /* Must not contain pattern */
307 contains_pattern = true;
309 case '{': /* "/\{" */
310 if (filename - 3 < start ||
311 *(filename - 3) != '/')
313 if (pattern_type == -1)
314 break; /* Must not contain pattern */
315 contains_pattern = true;
316 in_repetition = true;
318 case '}': /* "\}/" */
319 if (*filename != '/')
323 in_repetition = false;
325 case '0': /* "\ooo" */
330 if (d < '0' || d > '7')
333 if (e < '0' || e > '7')
335 c = tomoyo_make_byte(c, d, e);
336 if (tomoyo_is_invalid(c))
337 continue; /* pattern is not \000 */
340 } else if (in_repetition && c == '/') {
342 } else if (tomoyo_is_invalid(c)) {
346 if (pattern_type == 1) { /* Must contain pattern */
347 if (!contains_pattern)
358 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
359 * @domainname: The domainname to check.
361 * Returns true if @domainname follows the naming rules, false otherwise.
363 bool tomoyo_is_correct_domain(const unsigned char *domainname)
369 if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME,
370 TOMOYO_ROOT_NAME_LEN))
372 domainname += TOMOYO_ROOT_NAME_LEN;
376 if (*domainname++ != ' ')
378 if (*domainname++ != '/')
380 while ((c = *domainname) != '\0' && c != ' ') {
385 case '\\': /* "\\" */
387 case '0': /* "\ooo" */
392 if (d < '0' || d > '7')
395 if (e < '0' || e > '7')
397 c = tomoyo_make_byte(c, d, e);
398 if (tomoyo_is_invalid(c))
399 /* pattern is not \000 */
403 } else if (tomoyo_is_invalid(c)) {
407 } while (*domainname);
414 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
416 * @buffer: The token to check.
418 * Returns true if @buffer possibly be a domainname, false otherwise.
420 bool tomoyo_is_domain_def(const unsigned char *buffer)
422 return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN);
426 * tomoyo_find_domain - Find a domain by the given name.
428 * @domainname: The domainname to find.
430 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
432 * Caller holds tomoyo_read_lock().
434 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
436 struct tomoyo_domain_info *domain;
437 struct tomoyo_path_info name;
439 name.name = domainname;
440 tomoyo_fill_path_info(&name);
441 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
442 if (!domain->is_deleted &&
443 !tomoyo_pathcmp(&name, domain->domainname))
450 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
452 * @filename: The string to evaluate.
454 * Returns the initial length without a pattern in @filename.
456 static int tomoyo_const_part_length(const char *filename)
463 while ((c = *filename++) != '\0') {
470 case '\\': /* "\\" */
473 case '0': /* "\ooo" */
478 if (c < '0' || c > '7')
481 if (c < '0' || c > '7')
492 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
494 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
496 * The caller sets "struct tomoyo_path_info"->name.
498 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
500 const char *name = ptr->name;
501 const int len = strlen(name);
503 ptr->const_len = tomoyo_const_part_length(name);
504 ptr->is_dir = len && (name[len - 1] == '/');
505 ptr->is_patterned = (ptr->const_len < len);
506 ptr->hash = full_name_hash(name, len);
510 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
513 * @filename: The start of string to check.
514 * @filename_end: The end of string to check.
515 * @pattern: The start of pattern to compare.
516 * @pattern_end: The end of pattern to compare.
518 * Returns true if @filename matches @pattern, false otherwise.
520 static bool tomoyo_file_matches_pattern2(const char *filename,
521 const char *filename_end,
523 const char *pattern_end)
525 while (filename < filename_end && pattern < pattern_end) {
527 if (*pattern != '\\') {
528 if (*filename++ != *pattern++)
540 } else if (c == '\\') {
541 if (filename[1] == '\\')
543 else if (tomoyo_is_byte_range(filename + 1))
552 if (*++filename != '\\')
564 if (!tomoyo_is_alphabet_char(c))
571 if (c == '\\' && tomoyo_is_byte_range(filename + 1)
572 && strncmp(filename + 1, pattern, 3) == 0) {
577 return false; /* Not matched. */
580 for (i = 0; i <= filename_end - filename; i++) {
581 if (tomoyo_file_matches_pattern2(
582 filename + i, filename_end,
583 pattern + 1, pattern_end))
586 if (c == '.' && *pattern == '@')
590 if (filename[i + 1] == '\\')
592 else if (tomoyo_is_byte_range(filename + i + 1))
595 break; /* Bad pattern. */
597 return false; /* Not matched. */
602 while (isdigit(filename[j]))
604 } else if (c == 'X') {
605 while (isxdigit(filename[j]))
607 } else if (c == 'A') {
608 while (tomoyo_is_alphabet_char(filename[j]))
611 for (i = 1; i <= j; i++) {
612 if (tomoyo_file_matches_pattern2(
613 filename + i, filename_end,
614 pattern + 1, pattern_end))
617 return false; /* Not matched or bad pattern. */
622 while (*pattern == '\\' &&
623 (*(pattern + 1) == '*' || *(pattern + 1) == '@'))
625 return filename == filename_end && pattern == pattern_end;
629 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
631 * @filename: The start of string to check.
632 * @filename_end: The end of string to check.
633 * @pattern: The start of pattern to compare.
634 * @pattern_end: The end of pattern to compare.
636 * Returns true if @filename matches @pattern, false otherwise.
638 static bool tomoyo_file_matches_pattern(const char *filename,
639 const char *filename_end,
641 const char *pattern_end)
643 const char *pattern_start = pattern;
647 while (pattern < pattern_end - 1) {
648 /* Split at "\-" pattern. */
649 if (*pattern++ != '\\' || *pattern++ != '-')
651 result = tomoyo_file_matches_pattern2(filename,
660 pattern_start = pattern;
662 result = tomoyo_file_matches_pattern2(filename, filename_end,
663 pattern_start, pattern_end);
664 return first ? result : !result;
668 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
670 * @f: The start of string to check.
671 * @p: The start of pattern to compare.
673 * Returns true if @f matches @p, false otherwise.
675 static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
677 const char *f_delimiter;
678 const char *p_delimiter;
681 f_delimiter = strchr(f, '/');
683 f_delimiter = f + strlen(f);
684 p_delimiter = strchr(p, '/');
686 p_delimiter = p + strlen(p);
687 if (*p == '\\' && *(p + 1) == '{')
689 if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
699 /* Ignore trailing "\*" and "\@" in @pattern. */
701 (*(p + 1) == '*' || *(p + 1) == '@'))
706 * The "\{" pattern is permitted only after '/' character.
707 * This guarantees that below "*(p - 1)" is safe.
708 * Also, the "\}" pattern is permitted only before '/' character
709 * so that "\{" + "\}" pair will not break the "\-" operator.
711 if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
712 *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
713 return false; /* Bad pattern. */
715 /* Compare current component with pattern. */
716 if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
719 /* Proceed to next component. */
724 /* Continue comparison. */
725 if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
727 f_delimiter = strchr(f, '/');
728 } while (f_delimiter);
729 return false; /* Not matched. */
733 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
735 * @filename: The filename to check.
736 * @pattern: The pattern to compare.
738 * Returns true if matches, false otherwise.
740 * The following patterns are available.
742 * \ooo Octal representation of a byte.
743 * \* Zero or more repetitions of characters other than '/'.
744 * \@ Zero or more repetitions of characters other than '/' or '.'.
745 * \? 1 byte character other than '/'.
746 * \$ One or more repetitions of decimal digits.
747 * \+ 1 decimal digit.
748 * \X One or more repetitions of hexadecimal digits.
749 * \x 1 hexadecimal digit.
750 * \A One or more repetitions of alphabet characters.
751 * \a 1 alphabet character.
753 * \- Subtraction operator.
755 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
758 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
759 const struct tomoyo_path_info *pattern)
761 const char *f = filename->name;
762 const char *p = pattern->name;
763 const int len = pattern->const_len;
765 /* If @pattern doesn't contain pattern, I can use strcmp(). */
766 if (!pattern->is_patterned)
767 return !tomoyo_pathcmp(filename, pattern);
768 /* Don't compare directory and non-directory. */
769 if (filename->is_dir != pattern->is_dir)
771 /* Compare the initial length without patterns. */
772 if (strncmp(f, p, len))
776 return tomoyo_path_matches_pattern2(f, p);
780 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
782 * @head: Pointer to "struct tomoyo_io_buffer".
783 * @fmt: The printf()'s format string, followed by parameters.
785 * Returns true if output was written, false otherwise.
787 * The snprintf() will truncate, but tomoyo_io_printf() won't.
789 bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
793 int pos = head->read_avail;
794 int size = head->readbuf_size - pos;
799 len = vsnprintf(head->read_buf + pos, size, fmt, args);
801 if (pos + len >= head->readbuf_size)
803 head->read_avail += len;
808 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
810 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
812 * This function uses kzalloc(), so the caller must call kfree()
813 * if this function didn't return NULL.
815 static const char *tomoyo_get_exe(void)
817 struct mm_struct *mm = current->mm;
818 struct vm_area_struct *vma;
819 const char *cp = NULL;
823 down_read(&mm->mmap_sem);
824 for (vma = mm->mmap; vma; vma = vma->vm_next) {
825 if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) {
826 cp = tomoyo_realpath_from_path(&vma->vm_file->f_path);
830 up_read(&mm->mmap_sem);
835 * tomoyo_get_msg - Get warning message.
837 * @is_enforce: Is it enforcing mode?
839 * Returns "ERROR" or "WARNING".
841 const char *tomoyo_get_msg(const bool is_enforce)
850 * tomoyo_check_flags - Check mode for specified functionality.
852 * @domain: Pointer to "struct tomoyo_domain_info".
853 * @index: The functionality to check mode.
855 * TOMOYO checks only process context.
856 * This code disables TOMOYO's enforcement in case the function is called from
859 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
862 const u8 profile = domain->profile;
864 if (WARN_ON(in_interrupt()))
866 return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX
867 #if TOMOYO_MAX_PROFILES != 256
868 && profile < TOMOYO_MAX_PROFILES
870 && tomoyo_profile_ptr[profile] ?
871 tomoyo_profile_ptr[profile]->value[index] : 0;
875 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
877 * @domain: Pointer to "struct tomoyo_domain_info".
879 * Returns true if domain policy violation warning should be printed to
882 bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain)
884 return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0;
888 * tomoyo_domain_quota_is_ok - Check for domain's quota.
890 * @domain: Pointer to "struct tomoyo_domain_info".
892 * Returns true if the domain is not exceeded quota, false otherwise.
894 * Caller holds tomoyo_read_lock().
896 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
898 unsigned int count = 0;
899 struct tomoyo_acl_info *ptr;
903 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
905 struct tomoyo_path_acl *acl;
908 case TOMOYO_TYPE_PATH_ACL:
909 acl = container_of(ptr, struct tomoyo_path_acl, head);
910 perm = acl->perm | (((u32) acl->perm_high) << 16);
911 for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++)
914 if (perm & (1 << TOMOYO_TYPE_READ_WRITE))
917 case TOMOYO_TYPE_PATH2_ACL:
918 perm = container_of(ptr, struct tomoyo_path2_acl, head)
920 for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++)
926 if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
928 if (!domain->quota_warned) {
929 domain->quota_warned = true;
930 printk(KERN_WARNING "TOMOYO-WARNING: "
931 "Domain '%s' has so many ACLs to hold. "
932 "Stopped learning mode.\n", domain->domainname->name);
938 * tomoyo_find_or_assign_new_profile - Create a new profile.
940 * @profile: Profile number to create.
942 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
944 static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
947 struct tomoyo_profile *ptr = NULL;
950 if (profile >= TOMOYO_MAX_PROFILES)
952 if (mutex_lock_interruptible(&tomoyo_policy_lock))
954 ptr = tomoyo_profile_ptr[profile];
957 ptr = kmalloc(sizeof(*ptr), GFP_NOFS);
958 if (!tomoyo_memory_ok(ptr)) {
963 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++)
964 ptr->value[i] = tomoyo_control_array[i].current_value;
965 mb(); /* Avoid out-of-order execution. */
966 tomoyo_profile_ptr[profile] = ptr;
968 mutex_unlock(&tomoyo_policy_lock);
973 * tomoyo_write_profile - Write to profile table.
975 * @head: Pointer to "struct tomoyo_io_buffer".
977 * Returns 0 on success, negative value otherwise.
979 static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
981 char *data = head->write_buf;
985 struct tomoyo_profile *profile;
988 cp = strchr(data, '-');
991 if (strict_strtoul(data, 10, &num))
995 profile = tomoyo_find_or_assign_new_profile(num);
998 cp = strchr(data, '=');
1002 if (!strcmp(data, "COMMENT")) {
1003 const struct tomoyo_path_info *old_comment = profile->comment;
1004 profile->comment = tomoyo_get_name(cp + 1);
1005 tomoyo_put_name(old_comment);
1008 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) {
1009 if (strcmp(data, tomoyo_control_array[i].keyword))
1011 if (sscanf(cp + 1, "%u", &value) != 1) {
1015 case TOMOYO_VERBOSE:
1016 modes = tomoyo_mode_2;
1019 modes = tomoyo_mode_4;
1022 for (j = 0; j < 4; j++) {
1023 if (strcmp(cp + 1, modes[j]))
1030 } else if (value > tomoyo_control_array[i].max_value) {
1031 value = tomoyo_control_array[i].max_value;
1033 profile->value[i] = value;
1040 * tomoyo_read_profile - Read from profile table.
1042 * @head: Pointer to "struct tomoyo_io_buffer".
1046 static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
1048 static const int total = TOMOYO_MAX_CONTROL_INDEX + 1;
1053 for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total;
1055 const u8 index = step / total;
1056 u8 type = step % total;
1057 const struct tomoyo_profile *profile
1058 = tomoyo_profile_ptr[index];
1059 head->read_step = step;
1062 if (!type) { /* Print profile' comment tag. */
1063 if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n",
1064 index, profile->comment ?
1065 profile->comment->name : ""))
1070 if (type < TOMOYO_MAX_CONTROL_INDEX) {
1071 const unsigned int value = profile->value[type];
1072 const char **modes = NULL;
1074 = tomoyo_control_array[type].keyword;
1075 switch (tomoyo_control_array[type].max_value) {
1077 modes = tomoyo_mode_4;
1080 modes = tomoyo_mode_2;
1084 if (!tomoyo_io_printf(head, "%u-%s=%s\n", index,
1085 keyword, modes[value]))
1088 if (!tomoyo_io_printf(head, "%u-%s=%u\n", index,
1094 if (step == TOMOYO_MAX_PROFILES * total)
1095 head->read_eof = true;
1100 * tomoyo_policy_manager_list is used for holding list of domainnames or
1101 * programs which are permitted to modify configuration via
1102 * /sys/kernel/security/tomoyo/ interface.
1104 * An entry is added by
1106 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1107 * /sys/kernel/security/tomoyo/manager
1108 * (if you want to specify by a domainname)
1112 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1113 * (if you want to specify by a program's location)
1117 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1118 * /sys/kernel/security/tomoyo/manager
1122 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1123 * /sys/kernel/security/tomoyo/manager
1125 * and all entries are retrieved by
1127 * # cat /sys/kernel/security/tomoyo/manager
1129 LIST_HEAD(tomoyo_policy_manager_list);
1132 * tomoyo_update_manager_entry - Add a manager entry.
1134 * @manager: The path to manager or the domainnamme.
1135 * @is_delete: True if it is a delete request.
1137 * Returns 0 on success, negative value otherwise.
1139 * Caller holds tomoyo_read_lock().
1141 static int tomoyo_update_manager_entry(const char *manager,
1142 const bool is_delete)
1144 struct tomoyo_policy_manager_entry *ptr;
1145 struct tomoyo_policy_manager_entry e = { };
1146 int error = is_delete ? -ENOENT : -ENOMEM;
1148 if (tomoyo_is_domain_def(manager)) {
1149 if (!tomoyo_is_correct_domain(manager))
1153 if (!tomoyo_is_correct_path(manager, 1, -1, -1))
1156 e.manager = tomoyo_get_name(manager);
1159 if (mutex_lock_interruptible(&tomoyo_policy_lock))
1161 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1162 if (ptr->manager != e.manager)
1164 ptr->is_deleted = is_delete;
1168 if (!is_delete && error) {
1169 struct tomoyo_policy_manager_entry *entry =
1170 tomoyo_commit_ok(&e, sizeof(e));
1172 list_add_tail_rcu(&entry->list,
1173 &tomoyo_policy_manager_list);
1177 mutex_unlock(&tomoyo_policy_lock);
1179 tomoyo_put_name(e.manager);
1184 * tomoyo_write_manager_policy - Write manager policy.
1186 * @head: Pointer to "struct tomoyo_io_buffer".
1188 * Returns 0 on success, negative value otherwise.
1190 * Caller holds tomoyo_read_lock().
1192 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
1194 char *data = head->write_buf;
1195 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
1197 if (!strcmp(data, "manage_by_non_root")) {
1198 tomoyo_manage_by_non_root = !is_delete;
1201 return tomoyo_update_manager_entry(data, is_delete);
1205 * tomoyo_read_manager_policy - Read manager policy.
1207 * @head: Pointer to "struct tomoyo_io_buffer".
1211 * Caller holds tomoyo_read_lock().
1213 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
1215 struct list_head *pos;
1220 list_for_each_cookie(pos, head->read_var2,
1221 &tomoyo_policy_manager_list) {
1222 struct tomoyo_policy_manager_entry *ptr;
1223 ptr = list_entry(pos, struct tomoyo_policy_manager_entry,
1225 if (ptr->is_deleted)
1227 done = tomoyo_io_printf(head, "%s\n", ptr->manager->name);
1231 head->read_eof = done;
1236 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1238 * Returns true if the current process is permitted to modify policy
1239 * via /sys/kernel/security/tomoyo/ interface.
1241 * Caller holds tomoyo_read_lock().
1243 static bool tomoyo_is_policy_manager(void)
1245 struct tomoyo_policy_manager_entry *ptr;
1247 const struct task_struct *task = current;
1248 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
1251 if (!tomoyo_policy_loaded)
1253 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
1255 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1256 if (!ptr->is_deleted && ptr->is_domain
1257 && !tomoyo_pathcmp(domainname, ptr->manager)) {
1264 exe = tomoyo_get_exe();
1267 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1268 if (!ptr->is_deleted && !ptr->is_domain
1269 && !strcmp(exe, ptr->manager->name)) {
1274 if (!found) { /* Reduce error messages. */
1275 static pid_t last_pid;
1276 const pid_t pid = current->pid;
1277 if (last_pid != pid) {
1278 printk(KERN_WARNING "%s ( %s ) is not permitted to "
1279 "update policies.\n", domainname->name, exe);
1288 * tomoyo_is_select_one - Parse select command.
1290 * @head: Pointer to "struct tomoyo_io_buffer".
1291 * @data: String to parse.
1293 * Returns true on success, false otherwise.
1295 * Caller holds tomoyo_read_lock().
1297 static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
1301 struct tomoyo_domain_info *domain = NULL;
1303 if (sscanf(data, "pid=%u", &pid) == 1) {
1304 struct task_struct *p;
1306 read_lock(&tasklist_lock);
1307 p = find_task_by_vpid(pid);
1309 domain = tomoyo_real_domain(p);
1310 read_unlock(&tasklist_lock);
1312 } else if (!strncmp(data, "domain=", 7)) {
1313 if (tomoyo_is_domain_def(data + 7))
1314 domain = tomoyo_find_domain(data + 7);
1317 head->write_var1 = domain;
1318 /* Accessing read_buf is safe because head->io_sem is held. */
1319 if (!head->read_buf)
1320 return true; /* Do nothing if open(O_WRONLY). */
1321 head->read_avail = 0;
1322 tomoyo_io_printf(head, "# select %s\n", data);
1323 head->read_single_domain = true;
1324 head->read_eof = !domain;
1326 struct tomoyo_domain_info *d;
1327 head->read_var1 = NULL;
1328 list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
1331 head->read_var1 = &d->list;
1333 head->read_var2 = NULL;
1335 head->read_step = 0;
1336 if (domain->is_deleted)
1337 tomoyo_io_printf(head, "# This is a deleted domain.\n");
1343 * tomoyo_delete_domain - Delete a domain.
1345 * @domainname: The name of domain.
1349 * Caller holds tomoyo_read_lock().
1351 static int tomoyo_delete_domain(char *domainname)
1353 struct tomoyo_domain_info *domain;
1354 struct tomoyo_path_info name;
1356 name.name = domainname;
1357 tomoyo_fill_path_info(&name);
1358 if (mutex_lock_interruptible(&tomoyo_policy_lock))
1360 /* Is there an active domain? */
1361 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
1362 /* Never delete tomoyo_kernel_domain */
1363 if (domain == &tomoyo_kernel_domain)
1365 if (domain->is_deleted ||
1366 tomoyo_pathcmp(domain->domainname, &name))
1368 domain->is_deleted = true;
1371 mutex_unlock(&tomoyo_policy_lock);
1376 * tomoyo_write_domain_policy - Write domain policy.
1378 * @head: Pointer to "struct tomoyo_io_buffer".
1380 * Returns 0 on success, negative value otherwise.
1382 * Caller holds tomoyo_read_lock().
1384 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
1386 char *data = head->write_buf;
1387 struct tomoyo_domain_info *domain = head->write_var1;
1388 bool is_delete = false;
1389 bool is_select = false;
1390 unsigned int profile;
1392 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE))
1394 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT))
1396 if (is_select && tomoyo_is_select_one(head, data))
1398 /* Don't allow updating policies by non manager programs. */
1399 if (!tomoyo_is_policy_manager())
1401 if (tomoyo_is_domain_def(data)) {
1404 tomoyo_delete_domain(data);
1406 domain = tomoyo_find_domain(data);
1408 domain = tomoyo_find_or_assign_new_domain(data, 0);
1409 head->write_var1 = domain;
1415 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1
1416 && profile < TOMOYO_MAX_PROFILES) {
1417 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)
1418 domain->profile = (u8) profile;
1421 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) {
1422 domain->ignore_global_allow_read = !is_delete;
1425 return tomoyo_write_file_policy(data, domain, is_delete);
1429 * tomoyo_print_path_acl - Print a single path ACL entry.
1431 * @head: Pointer to "struct tomoyo_io_buffer".
1432 * @ptr: Pointer to "struct tomoyo_path_acl".
1434 * Returns true on success, false otherwise.
1436 static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
1437 struct tomoyo_path_acl *ptr)
1441 const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16);
1443 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
1444 if (!(perm & (1 << bit)))
1446 /* Print "read/write" instead of "read" and "write". */
1447 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
1448 && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
1450 pos = head->read_avail;
1451 if (!tomoyo_io_printf(head, "allow_%s ",
1452 tomoyo_path2keyword(bit)) ||
1453 !tomoyo_print_name_union(head, &ptr->name) ||
1454 !tomoyo_io_printf(head, "\n"))
1460 head->read_bit = bit;
1461 head->read_avail = pos;
1466 * tomoyo_print_path2_acl - Print a double path ACL entry.
1468 * @head: Pointer to "struct tomoyo_io_buffer".
1469 * @ptr: Pointer to "struct tomoyo_path2_acl".
1471 * Returns true on success, false otherwise.
1473 static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head,
1474 struct tomoyo_path2_acl *ptr)
1477 const u8 perm = ptr->perm;
1480 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
1481 if (!(perm & (1 << bit)))
1483 pos = head->read_avail;
1484 if (!tomoyo_io_printf(head, "allow_%s ",
1485 tomoyo_path22keyword(bit)) ||
1486 !tomoyo_print_name_union(head, &ptr->name1) ||
1487 !tomoyo_print_name_union(head, &ptr->name2) ||
1488 !tomoyo_io_printf(head, "\n"))
1494 head->read_bit = bit;
1495 head->read_avail = pos;
1500 * tomoyo_print_entry - Print an ACL entry.
1502 * @head: Pointer to "struct tomoyo_io_buffer".
1503 * @ptr: Pointer to an ACL entry.
1505 * Returns true on success, false otherwise.
1507 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
1508 struct tomoyo_acl_info *ptr)
1510 const u8 acl_type = ptr->type;
1512 if (acl_type == TOMOYO_TYPE_PATH_ACL) {
1513 struct tomoyo_path_acl *acl
1514 = container_of(ptr, struct tomoyo_path_acl, head);
1515 return tomoyo_print_path_acl(head, acl);
1517 if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
1518 struct tomoyo_path2_acl *acl
1519 = container_of(ptr, struct tomoyo_path2_acl, head);
1520 return tomoyo_print_path2_acl(head, acl);
1522 BUG(); /* This must not happen. */
1527 * tomoyo_read_domain_policy - Read domain policy.
1529 * @head: Pointer to "struct tomoyo_io_buffer".
1533 * Caller holds tomoyo_read_lock().
1535 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
1537 struct list_head *dpos;
1538 struct list_head *apos;
1543 if (head->read_step == 0)
1544 head->read_step = 1;
1545 list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
1546 struct tomoyo_domain_info *domain;
1547 const char *quota_exceeded = "";
1548 const char *transition_failed = "";
1549 const char *ignore_global_allow_read = "";
1550 domain = list_entry(dpos, struct tomoyo_domain_info, list);
1551 if (head->read_step != 1)
1553 if (domain->is_deleted && !head->read_single_domain)
1555 /* Print domainname and flags. */
1556 if (domain->quota_warned)
1557 quota_exceeded = "quota_exceeded\n";
1558 if (domain->transition_failed)
1559 transition_failed = "transition_failed\n";
1560 if (domain->ignore_global_allow_read)
1561 ignore_global_allow_read
1562 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
1563 done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1565 domain->domainname->name,
1566 domain->profile, quota_exceeded,
1568 ignore_global_allow_read);
1571 head->read_step = 2;
1573 if (head->read_step == 3)
1575 /* Print ACL entries in the domain. */
1576 list_for_each_cookie(apos, head->read_var2,
1577 &domain->acl_info_list) {
1578 struct tomoyo_acl_info *ptr
1579 = list_entry(apos, struct tomoyo_acl_info,
1581 done = tomoyo_print_entry(head, ptr);
1587 head->read_step = 3;
1589 done = tomoyo_io_printf(head, "\n");
1592 head->read_step = 1;
1593 if (head->read_single_domain)
1596 head->read_eof = done;
1601 * tomoyo_write_domain_profile - Assign profile for specified domain.
1603 * @head: Pointer to "struct tomoyo_io_buffer".
1605 * Returns 0 on success, -EINVAL otherwise.
1607 * This is equivalent to doing
1609 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1610 * /usr/lib/ccs/loadpolicy -d
1612 * Caller holds tomoyo_read_lock().
1614 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
1616 char *data = head->write_buf;
1617 char *cp = strchr(data, ' ');
1618 struct tomoyo_domain_info *domain;
1619 unsigned long profile;
1624 domain = tomoyo_find_domain(cp + 1);
1625 if (strict_strtoul(data, 10, &profile))
1627 if (domain && profile < TOMOYO_MAX_PROFILES
1628 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded))
1629 domain->profile = (u8) profile;
1634 * tomoyo_read_domain_profile - Read only domainname and profile.
1636 * @head: Pointer to "struct tomoyo_io_buffer".
1638 * Returns list of profile number and domainname pairs.
1640 * This is equivalent to doing
1642 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1643 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1644 * domainname = $0; } else if ( $1 == "use_profile" ) {
1645 * print $2 " " domainname; domainname = ""; } } ; '
1647 * Caller holds tomoyo_read_lock().
1649 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
1651 struct list_head *pos;
1656 list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) {
1657 struct tomoyo_domain_info *domain;
1658 domain = list_entry(pos, struct tomoyo_domain_info, list);
1659 if (domain->is_deleted)
1661 done = tomoyo_io_printf(head, "%u %s\n", domain->profile,
1662 domain->domainname->name);
1666 head->read_eof = done;
1671 * tomoyo_write_pid: Specify PID to obtain domainname.
1673 * @head: Pointer to "struct tomoyo_io_buffer".
1677 static int tomoyo_write_pid(struct tomoyo_io_buffer *head)
1680 /* No error check. */
1681 strict_strtoul(head->write_buf, 10, &pid);
1682 head->read_step = (int) pid;
1683 head->read_eof = false;
1688 * tomoyo_read_pid - Get domainname of the specified PID.
1690 * @head: Pointer to "struct tomoyo_io_buffer".
1692 * Returns the domainname which the specified PID is in on success,
1693 * empty string otherwise.
1694 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1695 * using read()/write() interface rather than sysctl() interface.
1697 static int tomoyo_read_pid(struct tomoyo_io_buffer *head)
1699 if (head->read_avail == 0 && !head->read_eof) {
1700 const int pid = head->read_step;
1701 struct task_struct *p;
1702 struct tomoyo_domain_info *domain = NULL;
1704 read_lock(&tasklist_lock);
1705 p = find_task_by_vpid(pid);
1707 domain = tomoyo_real_domain(p);
1708 read_unlock(&tasklist_lock);
1711 tomoyo_io_printf(head, "%d %u %s", pid, domain->profile,
1712 domain->domainname->name);
1713 head->read_eof = true;
1719 * tomoyo_write_exception_policy - Write exception policy.
1721 * @head: Pointer to "struct tomoyo_io_buffer".
1723 * Returns 0 on success, negative value otherwise.
1725 * Caller holds tomoyo_read_lock().
1727 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
1729 char *data = head->write_buf;
1730 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
1732 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN))
1733 return tomoyo_write_domain_keeper_policy(data, false,
1735 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN))
1736 return tomoyo_write_domain_keeper_policy(data, true, is_delete);
1737 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN))
1738 return tomoyo_write_domain_initializer_policy(data, false,
1740 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN))
1741 return tomoyo_write_domain_initializer_policy(data, true,
1743 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS))
1744 return tomoyo_write_alias_policy(data, is_delete);
1745 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ))
1746 return tomoyo_write_globally_readable_policy(data, is_delete);
1747 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN))
1748 return tomoyo_write_pattern_policy(data, is_delete);
1749 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE))
1750 return tomoyo_write_no_rewrite_policy(data, is_delete);
1751 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_PATH_GROUP))
1752 return tomoyo_write_path_group_policy(data, is_delete);
1757 * tomoyo_read_exception_policy - Read exception policy.
1759 * @head: Pointer to "struct tomoyo_io_buffer".
1761 * Returns 0 on success, -EINVAL otherwise.
1763 * Caller holds tomoyo_read_lock().
1765 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head)
1767 if (!head->read_eof) {
1768 switch (head->read_step) {
1770 head->read_var2 = NULL;
1771 head->read_step = 1;
1773 if (!tomoyo_read_domain_keeper_policy(head))
1775 head->read_var2 = NULL;
1776 head->read_step = 2;
1778 if (!tomoyo_read_globally_readable_policy(head))
1780 head->read_var2 = NULL;
1781 head->read_step = 3;
1783 head->read_var2 = NULL;
1784 head->read_step = 4;
1786 if (!tomoyo_read_domain_initializer_policy(head))
1788 head->read_var2 = NULL;
1789 head->read_step = 5;
1791 if (!tomoyo_read_alias_policy(head))
1793 head->read_var2 = NULL;
1794 head->read_step = 6;
1796 head->read_var2 = NULL;
1797 head->read_step = 7;
1799 if (!tomoyo_read_file_pattern(head))
1801 head->read_var2 = NULL;
1802 head->read_step = 8;
1804 if (!tomoyo_read_no_rewrite_policy(head))
1806 head->read_var2 = NULL;
1807 head->read_step = 9;
1809 if (!tomoyo_read_path_group_policy(head))
1811 head->read_var1 = NULL;
1812 head->read_var2 = NULL;
1813 head->read_step = 10;
1815 head->read_eof = true;
1824 /* path to policy loader */
1825 static const char *tomoyo_loader = "/sbin/tomoyo-init";
1828 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
1830 * Returns true if /sbin/tomoyo-init exists, false otherwise.
1832 static bool tomoyo_policy_loader_exists(void)
1835 * Don't activate MAC if the policy loader doesn't exist.
1836 * If the initrd includes /sbin/init but real-root-dev has not
1837 * mounted on / yet, activating MAC will block the system since
1838 * policies are not loaded yet.
1839 * Thus, let do_execve() call this function everytime.
1843 if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
1844 printk(KERN_INFO "Not activating Mandatory Access Control now "
1845 "since %s doesn't exist.\n", tomoyo_loader);
1853 * tomoyo_load_policy - Run external policy loader to load policy.
1855 * @filename: The program about to start.
1857 * This function checks whether @filename is /sbin/init , and if so
1858 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
1859 * and then continues invocation of /sbin/init.
1860 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
1861 * writes to /sys/kernel/security/tomoyo/ interfaces.
1865 void tomoyo_load_policy(const char *filename)
1870 if (tomoyo_policy_loaded)
1873 * Check filename is /sbin/init or /sbin/tomoyo-start.
1874 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
1876 * You can create /sbin/tomoyo-start by
1877 * "ln -s /bin/true /sbin/tomoyo-start".
1879 if (strcmp(filename, "/sbin/init") &&
1880 strcmp(filename, "/sbin/tomoyo-start"))
1882 if (!tomoyo_policy_loader_exists())
1885 printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
1887 argv[0] = (char *) tomoyo_loader;
1890 envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
1892 call_usermodehelper(argv[0], argv, envp, 1);
1894 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n");
1895 printk(KERN_INFO "Mandatory Access Control activated.\n");
1896 tomoyo_policy_loaded = true;
1897 { /* Check all profiles currently assigned to domains are defined. */
1898 struct tomoyo_domain_info *domain;
1899 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
1900 const u8 profile = domain->profile;
1901 if (tomoyo_profile_ptr[profile])
1903 panic("Profile %u (used by '%s') not defined.\n",
1904 profile, domain->domainname->name);
1910 * tomoyo_read_version: Get version.
1912 * @head: Pointer to "struct tomoyo_io_buffer".
1914 * Returns version information.
1916 static int tomoyo_read_version(struct tomoyo_io_buffer *head)
1918 if (!head->read_eof) {
1919 tomoyo_io_printf(head, "2.2.0");
1920 head->read_eof = true;
1926 * tomoyo_read_self_domain - Get the current process's domainname.
1928 * @head: Pointer to "struct tomoyo_io_buffer".
1930 * Returns the current process's domainname.
1932 static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head)
1934 if (!head->read_eof) {
1936 * tomoyo_domain()->domainname != NULL
1937 * because every process belongs to a domain and
1938 * the domain's name cannot be NULL.
1940 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name);
1941 head->read_eof = true;
1947 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
1949 * @type: Type of interface.
1950 * @file: Pointer to "struct file".
1952 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
1954 * Caller acquires tomoyo_read_lock().
1956 static int tomoyo_open_control(const u8 type, struct file *file)
1958 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS);
1962 mutex_init(&head->io_sem);
1964 case TOMOYO_DOMAINPOLICY:
1965 /* /sys/kernel/security/tomoyo/domain_policy */
1966 head->write = tomoyo_write_domain_policy;
1967 head->read = tomoyo_read_domain_policy;
1969 case TOMOYO_EXCEPTIONPOLICY:
1970 /* /sys/kernel/security/tomoyo/exception_policy */
1971 head->write = tomoyo_write_exception_policy;
1972 head->read = tomoyo_read_exception_policy;
1974 case TOMOYO_SELFDOMAIN:
1975 /* /sys/kernel/security/tomoyo/self_domain */
1976 head->read = tomoyo_read_self_domain;
1978 case TOMOYO_DOMAIN_STATUS:
1979 /* /sys/kernel/security/tomoyo/.domain_status */
1980 head->write = tomoyo_write_domain_profile;
1981 head->read = tomoyo_read_domain_profile;
1983 case TOMOYO_PROCESS_STATUS:
1984 /* /sys/kernel/security/tomoyo/.process_status */
1985 head->write = tomoyo_write_pid;
1986 head->read = tomoyo_read_pid;
1988 case TOMOYO_VERSION:
1989 /* /sys/kernel/security/tomoyo/version */
1990 head->read = tomoyo_read_version;
1991 head->readbuf_size = 128;
1993 case TOMOYO_MEMINFO:
1994 /* /sys/kernel/security/tomoyo/meminfo */
1995 head->write = tomoyo_write_memory_quota;
1996 head->read = tomoyo_read_memory_counter;
1997 head->readbuf_size = 512;
1999 case TOMOYO_PROFILE:
2000 /* /sys/kernel/security/tomoyo/profile */
2001 head->write = tomoyo_write_profile;
2002 head->read = tomoyo_read_profile;
2004 case TOMOYO_MANAGER:
2005 /* /sys/kernel/security/tomoyo/manager */
2006 head->write = tomoyo_write_manager_policy;
2007 head->read = tomoyo_read_manager_policy;
2010 if (!(file->f_mode & FMODE_READ)) {
2012 * No need to allocate read_buf since it is not opened
2017 if (!head->readbuf_size)
2018 head->readbuf_size = 4096 * 2;
2019 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS);
2020 if (!head->read_buf) {
2025 if (!(file->f_mode & FMODE_WRITE)) {
2027 * No need to allocate write_buf since it is not opened
2031 } else if (head->write) {
2032 head->writebuf_size = 4096 * 2;
2033 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS);
2034 if (!head->write_buf) {
2035 kfree(head->read_buf);
2040 head->reader_idx = tomoyo_read_lock();
2041 file->private_data = head;
2043 * Call the handler now if the file is
2044 * /sys/kernel/security/tomoyo/self_domain
2045 * so that the user can use
2046 * cat < /sys/kernel/security/tomoyo/self_domain"
2047 * to know the current process's domainname.
2049 if (type == TOMOYO_SELFDOMAIN)
2050 tomoyo_read_control(file, NULL, 0);
2055 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
2057 * @file: Pointer to "struct file".
2058 * @buffer: Poiner to buffer to write to.
2059 * @buffer_len: Size of @buffer.
2061 * Returns bytes read on success, negative value otherwise.
2063 * Caller holds tomoyo_read_lock().
2065 static int tomoyo_read_control(struct file *file, char __user *buffer,
2066 const int buffer_len)
2069 struct tomoyo_io_buffer *head = file->private_data;
2074 if (mutex_lock_interruptible(&head->io_sem))
2076 /* Call the policy handler. */
2077 len = head->read(head);
2080 /* Write to buffer. */
2081 len = head->read_avail;
2082 if (len > buffer_len)
2086 /* head->read_buf changes by some functions. */
2087 cp = head->read_buf;
2088 if (copy_to_user(buffer, cp, len)) {
2092 head->read_avail -= len;
2093 memmove(cp, cp + len, head->read_avail);
2095 mutex_unlock(&head->io_sem);
2100 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2102 * @file: Pointer to "struct file".
2103 * @buffer: Pointer to buffer to read from.
2104 * @buffer_len: Size of @buffer.
2106 * Returns @buffer_len on success, negative value otherwise.
2108 * Caller holds tomoyo_read_lock().
2110 static int tomoyo_write_control(struct file *file, const char __user *buffer,
2111 const int buffer_len)
2113 struct tomoyo_io_buffer *head = file->private_data;
2114 int error = buffer_len;
2115 int avail_len = buffer_len;
2116 char *cp0 = head->write_buf;
2120 if (!access_ok(VERIFY_READ, buffer, buffer_len))
2122 /* Don't allow updating policies by non manager programs. */
2123 if (head->write != tomoyo_write_pid &&
2124 head->write != tomoyo_write_domain_policy &&
2125 !tomoyo_is_policy_manager())
2127 if (mutex_lock_interruptible(&head->io_sem))
2129 /* Read a line and dispatch it to the policy handler. */
2130 while (avail_len > 0) {
2132 if (head->write_avail >= head->writebuf_size - 1) {
2135 } else if (get_user(c, buffer)) {
2141 cp0[head->write_avail++] = c;
2144 cp0[head->write_avail - 1] = '\0';
2145 head->write_avail = 0;
2146 tomoyo_normalize_line(cp0);
2149 mutex_unlock(&head->io_sem);
2154 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2156 * @file: Pointer to "struct file".
2158 * Releases memory and returns 0.
2160 * Caller looses tomoyo_read_lock().
2162 static int tomoyo_close_control(struct file *file)
2164 struct tomoyo_io_buffer *head = file->private_data;
2165 const bool is_write = !!head->write_buf;
2167 tomoyo_read_unlock(head->reader_idx);
2168 /* Release memory used for policy I/O. */
2169 kfree(head->read_buf);
2170 head->read_buf = NULL;
2171 kfree(head->write_buf);
2172 head->write_buf = NULL;
2175 file->private_data = NULL;
2182 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2184 * @inode: Pointer to "struct inode".
2185 * @file: Pointer to "struct file".
2187 * Returns 0 on success, negative value otherwise.
2189 static int tomoyo_open(struct inode *inode, struct file *file)
2191 const int key = ((u8 *) file->f_path.dentry->d_inode->i_private)
2193 return tomoyo_open_control(key, file);
2197 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2199 * @inode: Pointer to "struct inode".
2200 * @file: Pointer to "struct file".
2202 * Returns 0 on success, negative value otherwise.
2204 static int tomoyo_release(struct inode *inode, struct file *file)
2206 return tomoyo_close_control(file);
2210 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2212 * @file: Pointer to "struct file".
2213 * @buf: Pointer to buffer.
2214 * @count: Size of @buf.
2217 * Returns bytes read on success, negative value otherwise.
2219 static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
2222 return tomoyo_read_control(file, buf, count);
2226 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2228 * @file: Pointer to "struct file".
2229 * @buf: Pointer to buffer.
2230 * @count: Size of @buf.
2233 * Returns @count on success, negative value otherwise.
2235 static ssize_t tomoyo_write(struct file *file, const char __user *buf,
2236 size_t count, loff_t *ppos)
2238 return tomoyo_write_control(file, buf, count);
2242 * tomoyo_operations is a "struct file_operations" which is used for handling
2243 * /sys/kernel/security/tomoyo/ interface.
2245 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2246 * See tomoyo_io_buffer for internals.
2248 static const struct file_operations tomoyo_operations = {
2249 .open = tomoyo_open,
2250 .release = tomoyo_release,
2251 .read = tomoyo_read,
2252 .write = tomoyo_write,
2256 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2258 * @name: The name of the interface file.
2259 * @mode: The permission of the interface file.
2260 * @parent: The parent directory.
2261 * @key: Type of interface.
2265 static void __init tomoyo_create_entry(const char *name, const mode_t mode,
2266 struct dentry *parent, const u8 key)
2268 securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,
2269 &tomoyo_operations);
2273 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2277 static int __init tomoyo_initerface_init(void)
2279 struct dentry *tomoyo_dir;
2281 /* Don't create securityfs entries unless registered. */
2282 if (current_cred()->security != &tomoyo_kernel_domain)
2285 tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
2286 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir,
2287 TOMOYO_DOMAINPOLICY);
2288 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir,
2289 TOMOYO_EXCEPTIONPOLICY);
2290 tomoyo_create_entry("self_domain", 0400, tomoyo_dir,
2292 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir,
2293 TOMOYO_DOMAIN_STATUS);
2294 tomoyo_create_entry(".process_status", 0600, tomoyo_dir,
2295 TOMOYO_PROCESS_STATUS);
2296 tomoyo_create_entry("meminfo", 0600, tomoyo_dir,
2298 tomoyo_create_entry("profile", 0600, tomoyo_dir,
2300 tomoyo_create_entry("manager", 0600, tomoyo_dir,
2302 tomoyo_create_entry("version", 0400, tomoyo_dir,
2307 fs_initcall(tomoyo_initerface_init);
projects / platform / adaptation / renesas_rcar / renesas_kernel.git / blob