2 * security/tomoyo/domain.c
4 * Domain transition functions for TOMOYO.
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
10 #include <linux/binfmts.h>
11 #include <linux/slab.h>
13 /* Variables definitions.*/
15 /* The initial domain. */
16 struct tomoyo_domain_info tomoyo_kernel_domain;
19 * tomoyo_update_policy - Update an entry for exception policy.
21 * @new_entry: Pointer to "struct tomoyo_acl_info".
22 * @size: Size of @new_entry in bytes.
23 * @is_delete: True if it is a delete request.
24 * @list: Pointer to "struct list_head".
25 * @check_duplicate: Callback function to find duplicated entry.
27 * Returns 0 on success, negative value otherwise.
29 * Caller holds tomoyo_read_lock().
31 int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
32 bool is_delete, struct list_head *list,
33 bool (*check_duplicate) (const struct tomoyo_acl_head
35 const struct tomoyo_acl_head
38 int error = is_delete ? -ENOENT : -ENOMEM;
39 struct tomoyo_acl_head *entry;
41 if (mutex_lock_interruptible(&tomoyo_policy_lock))
43 list_for_each_entry_rcu(entry, list, list) {
44 if (!check_duplicate(entry, new_entry))
46 entry->is_deleted = is_delete;
50 if (error && !is_delete) {
51 entry = tomoyo_commit_ok(new_entry, size);
53 list_add_tail_rcu(&entry->list, list);
57 mutex_unlock(&tomoyo_policy_lock);
62 * tomoyo_same_acl_head - Check for duplicated "struct tomoyo_acl_info" entry.
64 * @a: Pointer to "struct tomoyo_acl_info".
65 * @b: Pointer to "struct tomoyo_acl_info".
67 * Returns true if @a == @b, false otherwise.
69 static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *a,
70 const struct tomoyo_acl_info *b)
72 return a->type == b->type;
76 * tomoyo_update_domain - Update an entry for domain policy.
78 * @new_entry: Pointer to "struct tomoyo_acl_info".
79 * @size: Size of @new_entry in bytes.
80 * @is_delete: True if it is a delete request.
81 * @domain: Pointer to "struct tomoyo_domain_info".
82 * @check_duplicate: Callback function to find duplicated entry.
83 * @merge_duplicate: Callback function to merge duplicated entry.
85 * Returns 0 on success, negative value otherwise.
87 * Caller holds tomoyo_read_lock().
89 int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
90 bool is_delete, struct tomoyo_domain_info *domain,
91 bool (*check_duplicate) (const struct tomoyo_acl_info
93 const struct tomoyo_acl_info
95 bool (*merge_duplicate) (struct tomoyo_acl_info *,
96 struct tomoyo_acl_info *,
99 int error = is_delete ? -ENOENT : -ENOMEM;
100 struct tomoyo_acl_info *entry;
102 if (mutex_lock_interruptible(&tomoyo_policy_lock))
104 list_for_each_entry_rcu(entry, &domain->acl_info_list, list) {
105 if (!tomoyo_same_acl_head(entry, new_entry) ||
106 !check_duplicate(entry, new_entry))
109 entry->is_deleted = merge_duplicate(entry, new_entry,
112 entry->is_deleted = is_delete;
116 if (error && !is_delete) {
117 entry = tomoyo_commit_ok(new_entry, size);
119 list_add_tail_rcu(&entry->list, &domain->acl_info_list);
123 mutex_unlock(&tomoyo_policy_lock);
127 void tomoyo_check_acl(struct tomoyo_request_info *r,
128 bool (*check_entry) (struct tomoyo_request_info *,
129 const struct tomoyo_acl_info *))
131 const struct tomoyo_domain_info *domain = r->domain;
132 struct tomoyo_acl_info *ptr;
134 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
135 if (ptr->is_deleted || ptr->type != r->param_type)
137 if (check_entry(r, ptr)) {
145 /* The list for "struct tomoyo_domain_info". */
146 LIST_HEAD(tomoyo_domain_list);
148 struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY];
149 struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP];
152 * tomoyo_last_word - Get last component of a domainname.
154 * @domainname: Domainname to check.
156 * Returns the last word of @domainname.
158 static const char *tomoyo_last_word(const char *name)
160 const char *cp = strrchr(name, ' ');
166 static bool tomoyo_same_transition_control(const struct tomoyo_acl_head *a,
167 const struct tomoyo_acl_head *b)
169 const struct tomoyo_transition_control *p1 = container_of(a,
172 const struct tomoyo_transition_control *p2 = container_of(b,
175 return p1->type == p2->type && p1->is_last_name == p2->is_last_name
176 && p1->domainname == p2->domainname
177 && p1->program == p2->program;
181 * tomoyo_update_transition_control_entry - Update "struct tomoyo_transition_control" list.
183 * @domainname: The name of domain. Maybe NULL.
184 * @program: The name of program. Maybe NULL.
185 * @type: Type of transition.
186 * @is_delete: True if it is a delete request.
188 * Returns 0 on success, negative value otherwise.
190 static int tomoyo_update_transition_control_entry(const char *domainname,
193 const bool is_delete)
195 struct tomoyo_transition_control e = { .type = type };
196 int error = is_delete ? -ENOENT : -ENOMEM;
198 if (!tomoyo_correct_path(program))
200 e.program = tomoyo_get_name(program);
205 if (!tomoyo_correct_domain(domainname)) {
206 if (!tomoyo_correct_path(domainname))
208 e.is_last_name = true;
210 e.domainname = tomoyo_get_name(domainname);
214 error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
216 [TOMOYO_ID_TRANSITION_CONTROL],
217 tomoyo_same_transition_control);
219 tomoyo_put_name(e.domainname);
220 tomoyo_put_name(e.program);
225 * tomoyo_write_transition_control - Write "struct tomoyo_transition_control" list.
227 * @data: String to parse.
228 * @is_delete: True if it is a delete request.
229 * @type: Type of this entry.
231 * Returns 0 on success, negative value otherwise.
233 int tomoyo_write_transition_control(char *data, const bool is_delete,
236 char *domainname = strstr(data, " from ");
240 } else if (type == TOMOYO_TRANSITION_CONTROL_NO_KEEP ||
241 type == TOMOYO_TRANSITION_CONTROL_KEEP) {
245 return tomoyo_update_transition_control_entry(domainname, data, type,
250 * tomoyo_transition_type - Get domain transition type.
252 * @domainname: The name of domain.
253 * @program: The name of program.
255 * Returns TOMOYO_TRANSITION_CONTROL_INITIALIZE if executing @program
256 * reinitializes domain transition, TOMOYO_TRANSITION_CONTROL_KEEP if executing
257 * @program suppresses domain transition, others otherwise.
259 * Caller holds tomoyo_read_lock().
261 static u8 tomoyo_transition_type(const struct tomoyo_path_info *domainname,
262 const struct tomoyo_path_info *program)
264 const struct tomoyo_transition_control *ptr;
265 const char *last_name = tomoyo_last_word(domainname->name);
267 for (type = 0; type < TOMOYO_MAX_TRANSITION_TYPE; type++) {
269 list_for_each_entry_rcu(ptr, &tomoyo_policy_list
270 [TOMOYO_ID_TRANSITION_CONTROL],
272 if (ptr->head.is_deleted || ptr->type != type)
274 if (ptr->domainname) {
275 if (!ptr->is_last_name) {
276 if (ptr->domainname != domainname)
280 * Use direct strcmp() since this is
283 if (strcmp(ptr->domainname->name,
289 tomoyo_pathcmp(ptr->program, program))
291 if (type == TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE) {
293 * Do not check for initialize_domain if
294 * no_initialize_domain matched.
296 type = TOMOYO_TRANSITION_CONTROL_NO_KEEP;
306 static bool tomoyo_same_aggregator(const struct tomoyo_acl_head *a,
307 const struct tomoyo_acl_head *b)
309 const struct tomoyo_aggregator *p1 = container_of(a, typeof(*p1), head);
310 const struct tomoyo_aggregator *p2 = container_of(b, typeof(*p2), head);
311 return p1->original_name == p2->original_name &&
312 p1->aggregated_name == p2->aggregated_name;
316 * tomoyo_update_aggregator_entry - Update "struct tomoyo_aggregator" list.
318 * @original_name: The original program's name.
319 * @aggregated_name: The program name to use.
320 * @is_delete: True if it is a delete request.
322 * Returns 0 on success, negative value otherwise.
324 * Caller holds tomoyo_read_lock().
326 static int tomoyo_update_aggregator_entry(const char *original_name,
327 const char *aggregated_name,
328 const bool is_delete)
330 struct tomoyo_aggregator e = { };
331 int error = is_delete ? -ENOENT : -ENOMEM;
333 if (!tomoyo_correct_path(original_name) ||
334 !tomoyo_correct_path(aggregated_name))
336 e.original_name = tomoyo_get_name(original_name);
337 e.aggregated_name = tomoyo_get_name(aggregated_name);
338 if (!e.original_name || !e.aggregated_name ||
339 e.aggregated_name->is_patterned) /* No patterns allowed. */
341 error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
342 &tomoyo_policy_list[TOMOYO_ID_AGGREGATOR],
343 tomoyo_same_aggregator);
345 tomoyo_put_name(e.original_name);
346 tomoyo_put_name(e.aggregated_name);
351 * tomoyo_write_aggregator - Write "struct tomoyo_aggregator" list.
353 * @data: String to parse.
354 * @is_delete: True if it is a delete request.
356 * Returns 0 on success, negative value otherwise.
358 * Caller holds tomoyo_read_lock().
360 int tomoyo_write_aggregator(char *data, const bool is_delete)
362 char *cp = strchr(data, ' ');
367 return tomoyo_update_aggregator_entry(data, cp, is_delete);
371 * tomoyo_assign_domain - Create a domain.
373 * @domainname: The name of domain.
374 * @profile: Profile number to assign if the domain was newly created.
376 * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
378 * Caller holds tomoyo_read_lock().
380 struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
383 struct tomoyo_domain_info *entry;
384 struct tomoyo_domain_info *domain = NULL;
385 const struct tomoyo_path_info *saved_domainname;
388 if (!tomoyo_correct_domain(domainname))
390 saved_domainname = tomoyo_get_name(domainname);
391 if (!saved_domainname)
393 entry = kzalloc(sizeof(*entry), GFP_NOFS);
394 if (mutex_lock_interruptible(&tomoyo_policy_lock))
396 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
397 if (domain->is_deleted ||
398 tomoyo_pathcmp(saved_domainname, domain->domainname))
403 if (!found && tomoyo_memory_ok(entry)) {
404 INIT_LIST_HEAD(&entry->acl_info_list);
405 entry->domainname = saved_domainname;
406 saved_domainname = NULL;
407 entry->profile = profile;
408 list_add_tail_rcu(&entry->list, &tomoyo_domain_list);
413 mutex_unlock(&tomoyo_policy_lock);
415 tomoyo_put_name(saved_domainname);
417 return found ? domain : NULL;
421 * tomoyo_find_next_domain - Find a domain.
423 * @bprm: Pointer to "struct linux_binprm".
425 * Returns 0 on success, negative value otherwise.
427 * Caller holds tomoyo_read_lock().
429 int tomoyo_find_next_domain(struct linux_binprm *bprm)
431 struct tomoyo_request_info r;
432 char *tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS);
433 struct tomoyo_domain_info *old_domain = tomoyo_domain();
434 struct tomoyo_domain_info *domain = NULL;
435 const char *original_name = bprm->filename;
438 int retval = -ENOMEM;
439 bool need_kfree = false;
440 struct tomoyo_path_info rn = { }; /* real name */
442 mode = tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_EXECUTE);
443 is_enforce = (mode == TOMOYO_CONFIG_ENFORCING);
452 /* Get symlink's pathname of program. */
454 rn.name = tomoyo_realpath_nofollow(original_name);
457 tomoyo_fill_path_info(&rn);
460 /* Check 'aggregator' directive. */
462 struct tomoyo_aggregator *ptr;
463 list_for_each_entry_rcu(ptr, &tomoyo_policy_list
464 [TOMOYO_ID_AGGREGATOR], head.list) {
465 if (ptr->head.is_deleted ||
466 !tomoyo_path_matches_pattern(&rn,
471 /* This is OK because it is read only. */
472 rn = *ptr->aggregated_name;
477 /* Check execute permission. */
478 retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
479 if (retval == TOMOYO_RETRY_REQUEST)
484 * To be able to specify domainnames with wildcards, use the
485 * pathname specified in the policy (which may contain
486 * wildcard) rather than the pathname passed to execve()
487 * (which never contains wildcard).
489 if (r.param.path.matched_path) {
493 /* This is OK because it is read only. */
494 rn = *r.param.path.matched_path;
497 /* Calculate domain to transit to. */
498 switch (tomoyo_transition_type(old_domain->domainname, &rn)) {
499 case TOMOYO_TRANSITION_CONTROL_INITIALIZE:
500 /* Transit to the child of tomoyo_kernel_domain domain. */
501 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, TOMOYO_ROOT_NAME " "
504 case TOMOYO_TRANSITION_CONTROL_KEEP:
505 /* Keep current domain. */
509 if (old_domain == &tomoyo_kernel_domain &&
510 !tomoyo_policy_loaded) {
512 * Needn't to transit from kernel domain before
513 * starting /sbin/init. But transit from kernel domain
514 * if executing initializers because they might start
519 /* Normal domain transition. */
520 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s",
521 old_domain->domainname->name, rn.name);
525 if (domain || strlen(tmp) >= TOMOYO_EXEC_TMPSIZE - 10)
527 domain = tomoyo_find_domain(tmp);
529 domain = tomoyo_assign_domain(tmp, old_domain->profile);
533 printk(KERN_WARNING "TOMOYO-ERROR: Domain '%s' not defined.\n", tmp);
537 old_domain->transition_failed = true;
541 /* Update reference count on "struct tomoyo_domain_info". */
542 atomic_inc(&domain->users);
543 bprm->cred->security = domain;