2 * security/tomoyo/domain.c
4 * Domain transition functions for TOMOYO.
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
10 #include <linux/binfmts.h>
11 #include <linux/slab.h>
13 /* Variables definitions.*/
15 /* The initial domain. */
16 struct tomoyo_domain_info tomoyo_kernel_domain;
19 * tomoyo_update_policy - Update an entry for exception policy.
21 * @new_entry: Pointer to "struct tomoyo_acl_info".
22 * @size: Size of @new_entry in bytes.
23 * @is_delete: True if it is a delete request.
24 * @list: Pointer to "struct list_head".
25 * @check_duplicate: Callback function to find duplicated entry.
27 * Returns 0 on success, negative value otherwise.
29 * Caller holds tomoyo_read_lock().
31 int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
32 bool is_delete, struct list_head *list,
33 bool (*check_duplicate) (const struct tomoyo_acl_head
35 const struct tomoyo_acl_head
38 int error = is_delete ? -ENOENT : -ENOMEM;
39 struct tomoyo_acl_head *entry;
41 if (mutex_lock_interruptible(&tomoyo_policy_lock))
43 list_for_each_entry_rcu(entry, list, list) {
44 if (!check_duplicate(entry, new_entry))
46 entry->is_deleted = is_delete;
50 if (error && !is_delete) {
51 entry = tomoyo_commit_ok(new_entry, size);
53 list_add_tail_rcu(&entry->list, list);
57 mutex_unlock(&tomoyo_policy_lock);
62 * tomoyo_update_domain - Update an entry for domain policy.
64 * @new_entry: Pointer to "struct tomoyo_acl_info".
65 * @size: Size of @new_entry in bytes.
66 * @is_delete: True if it is a delete request.
67 * @domain: Pointer to "struct tomoyo_domain_info".
68 * @check_duplicate: Callback function to find duplicated entry.
69 * @merge_duplicate: Callback function to merge duplicated entry.
71 * Returns 0 on success, negative value otherwise.
73 * Caller holds tomoyo_read_lock().
75 int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
76 bool is_delete, struct tomoyo_domain_info *domain,
77 bool (*check_duplicate) (const struct tomoyo_acl_info
79 const struct tomoyo_acl_info
81 bool (*merge_duplicate) (struct tomoyo_acl_info *,
82 struct tomoyo_acl_info *,
85 int error = is_delete ? -ENOENT : -ENOMEM;
86 struct tomoyo_acl_info *entry;
88 if (mutex_lock_interruptible(&tomoyo_policy_lock))
90 list_for_each_entry_rcu(entry, &domain->acl_info_list, list) {
91 if (!check_duplicate(entry, new_entry))
94 entry->is_deleted = merge_duplicate(entry, new_entry,
97 entry->is_deleted = is_delete;
101 if (error && !is_delete) {
102 entry = tomoyo_commit_ok(new_entry, size);
104 list_add_tail_rcu(&entry->list, &domain->acl_info_list);
108 mutex_unlock(&tomoyo_policy_lock);
112 void tomoyo_check_acl(struct tomoyo_request_info *r,
113 bool (*check_entry) (struct tomoyo_request_info *,
114 const struct tomoyo_acl_info *))
116 const struct tomoyo_domain_info *domain = r->domain;
117 struct tomoyo_acl_info *ptr;
119 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
120 if (ptr->is_deleted || ptr->type != r->param_type)
122 if (check_entry(r, ptr)) {
130 /* The list for "struct tomoyo_domain_info". */
131 LIST_HEAD(tomoyo_domain_list);
133 struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY];
134 struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP];
137 * tomoyo_last_word - Get last component of a domainname.
139 * @domainname: Domainname to check.
141 * Returns the last word of @domainname.
143 static const char *tomoyo_last_word(const char *name)
145 const char *cp = strrchr(name, ' ');
151 static bool tomoyo_same_transition_control(const struct tomoyo_acl_head *a,
152 const struct tomoyo_acl_head *b)
154 const struct tomoyo_transition_control *p1 = container_of(a,
157 const struct tomoyo_transition_control *p2 = container_of(b,
160 return p1->type == p2->type && p1->is_last_name == p2->is_last_name
161 && p1->domainname == p2->domainname
162 && p1->program == p2->program;
166 * tomoyo_update_transition_control_entry - Update "struct tomoyo_transition_control" list.
168 * @domainname: The name of domain. Maybe NULL.
169 * @program: The name of program. Maybe NULL.
170 * @type: Type of transition.
171 * @is_delete: True if it is a delete request.
173 * Returns 0 on success, negative value otherwise.
175 static int tomoyo_update_transition_control_entry(const char *domainname,
178 const bool is_delete)
180 struct tomoyo_transition_control e = { .type = type };
181 int error = is_delete ? -ENOENT : -ENOMEM;
183 if (!tomoyo_correct_path(program))
185 e.program = tomoyo_get_name(program);
190 if (!tomoyo_correct_domain(domainname)) {
191 if (!tomoyo_correct_path(domainname))
193 e.is_last_name = true;
195 e.domainname = tomoyo_get_name(domainname);
199 error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
201 [TOMOYO_ID_TRANSITION_CONTROL],
202 tomoyo_same_transition_control);
204 tomoyo_put_name(e.domainname);
205 tomoyo_put_name(e.program);
210 * tomoyo_write_transition_control - Write "struct tomoyo_transition_control" list.
212 * @data: String to parse.
213 * @is_delete: True if it is a delete request.
214 * @type: Type of this entry.
216 * Returns 0 on success, negative value otherwise.
218 int tomoyo_write_transition_control(char *data, const bool is_delete,
221 char *domainname = strstr(data, " from ");
225 } else if (type == TOMOYO_TRANSITION_CONTROL_NO_KEEP ||
226 type == TOMOYO_TRANSITION_CONTROL_KEEP) {
230 return tomoyo_update_transition_control_entry(domainname, data, type,
235 * tomoyo_transition_type - Get domain transition type.
237 * @domainname: The name of domain.
238 * @program: The name of program.
240 * Returns TOMOYO_TRANSITION_CONTROL_INITIALIZE if executing @program
241 * reinitializes domain transition, TOMOYO_TRANSITION_CONTROL_KEEP if executing
242 * @program suppresses domain transition, others otherwise.
244 * Caller holds tomoyo_read_lock().
246 static u8 tomoyo_transition_type(const struct tomoyo_path_info *domainname,
247 const struct tomoyo_path_info *program)
249 const struct tomoyo_transition_control *ptr;
250 const char *last_name = tomoyo_last_word(domainname->name);
252 for (type = 0; type < TOMOYO_MAX_TRANSITION_TYPE; type++) {
254 list_for_each_entry_rcu(ptr, &tomoyo_policy_list
255 [TOMOYO_ID_TRANSITION_CONTROL],
257 if (ptr->head.is_deleted || ptr->type != type)
259 if (ptr->domainname) {
260 if (!ptr->is_last_name) {
261 if (ptr->domainname != domainname)
265 * Use direct strcmp() since this is
268 if (strcmp(ptr->domainname->name,
274 tomoyo_pathcmp(ptr->program, program))
276 if (type == TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE) {
278 * Do not check for initialize_domain if
279 * no_initialize_domain matched.
281 type = TOMOYO_TRANSITION_CONTROL_NO_KEEP;
291 static bool tomoyo_same_aggregator(const struct tomoyo_acl_head *a,
292 const struct tomoyo_acl_head *b)
294 const struct tomoyo_aggregator *p1 = container_of(a, typeof(*p1), head);
295 const struct tomoyo_aggregator *p2 = container_of(b, typeof(*p2), head);
296 return p1->original_name == p2->original_name &&
297 p1->aggregated_name == p2->aggregated_name;
301 * tomoyo_update_aggregator_entry - Update "struct tomoyo_aggregator" list.
303 * @original_name: The original program's name.
304 * @aggregated_name: The program name to use.
305 * @is_delete: True if it is a delete request.
307 * Returns 0 on success, negative value otherwise.
309 * Caller holds tomoyo_read_lock().
311 static int tomoyo_update_aggregator_entry(const char *original_name,
312 const char *aggregated_name,
313 const bool is_delete)
315 struct tomoyo_aggregator e = { };
316 int error = is_delete ? -ENOENT : -ENOMEM;
318 if (!tomoyo_correct_path(original_name) ||
319 !tomoyo_correct_path(aggregated_name))
321 e.original_name = tomoyo_get_name(original_name);
322 e.aggregated_name = tomoyo_get_name(aggregated_name);
323 if (!e.original_name || !e.aggregated_name ||
324 e.aggregated_name->is_patterned) /* No patterns allowed. */
326 error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
327 &tomoyo_policy_list[TOMOYO_ID_AGGREGATOR],
328 tomoyo_same_aggregator);
330 tomoyo_put_name(e.original_name);
331 tomoyo_put_name(e.aggregated_name);
336 * tomoyo_write_aggregator - Write "struct tomoyo_aggregator" list.
338 * @data: String to parse.
339 * @is_delete: True if it is a delete request.
341 * Returns 0 on success, negative value otherwise.
343 * Caller holds tomoyo_read_lock().
345 int tomoyo_write_aggregator(char *data, const bool is_delete)
347 char *cp = strchr(data, ' ');
352 return tomoyo_update_aggregator_entry(data, cp, is_delete);
356 * tomoyo_assign_domain - Create a domain.
358 * @domainname: The name of domain.
359 * @profile: Profile number to assign if the domain was newly created.
361 * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
363 * Caller holds tomoyo_read_lock().
365 struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
368 struct tomoyo_domain_info *entry;
369 struct tomoyo_domain_info *domain = NULL;
370 const struct tomoyo_path_info *saved_domainname;
373 if (!tomoyo_correct_domain(domainname))
375 saved_domainname = tomoyo_get_name(domainname);
376 if (!saved_domainname)
378 entry = kzalloc(sizeof(*entry), GFP_NOFS);
379 if (mutex_lock_interruptible(&tomoyo_policy_lock))
381 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
382 if (domain->is_deleted ||
383 tomoyo_pathcmp(saved_domainname, domain->domainname))
388 if (!found && tomoyo_memory_ok(entry)) {
389 INIT_LIST_HEAD(&entry->acl_info_list);
390 entry->domainname = saved_domainname;
391 saved_domainname = NULL;
392 entry->profile = profile;
393 list_add_tail_rcu(&entry->list, &tomoyo_domain_list);
398 mutex_unlock(&tomoyo_policy_lock);
400 tomoyo_put_name(saved_domainname);
402 return found ? domain : NULL;
406 * tomoyo_find_next_domain - Find a domain.
408 * @bprm: Pointer to "struct linux_binprm".
410 * Returns 0 on success, negative value otherwise.
412 * Caller holds tomoyo_read_lock().
414 int tomoyo_find_next_domain(struct linux_binprm *bprm)
416 struct tomoyo_request_info r;
417 char *tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS);
418 struct tomoyo_domain_info *old_domain = tomoyo_domain();
419 struct tomoyo_domain_info *domain = NULL;
420 const char *original_name = bprm->filename;
423 int retval = -ENOMEM;
424 bool need_kfree = false;
425 struct tomoyo_path_info rn = { }; /* real name */
427 mode = tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_EXECUTE);
428 is_enforce = (mode == TOMOYO_CONFIG_ENFORCING);
437 /* Get symlink's pathname of program. */
439 rn.name = tomoyo_realpath_nofollow(original_name);
442 tomoyo_fill_path_info(&rn);
445 /* Check 'aggregator' directive. */
447 struct tomoyo_aggregator *ptr;
448 list_for_each_entry_rcu(ptr, &tomoyo_policy_list
449 [TOMOYO_ID_AGGREGATOR], head.list) {
450 if (ptr->head.is_deleted ||
451 !tomoyo_path_matches_pattern(&rn,
456 /* This is OK because it is read only. */
457 rn = *ptr->aggregated_name;
462 /* Check execute permission. */
463 retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
464 if (retval == TOMOYO_RETRY_REQUEST)
469 * To be able to specify domainnames with wildcards, use the
470 * pathname specified in the policy (which may contain
471 * wildcard) rather than the pathname passed to execve()
472 * (which never contains wildcard).
474 if (r.param.path.matched_path) {
478 /* This is OK because it is read only. */
479 rn = *r.param.path.matched_path;
482 /* Calculate domain to transit to. */
483 switch (tomoyo_transition_type(old_domain->domainname, &rn)) {
484 case TOMOYO_TRANSITION_CONTROL_INITIALIZE:
485 /* Transit to the child of tomoyo_kernel_domain domain. */
486 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, TOMOYO_ROOT_NAME " "
489 case TOMOYO_TRANSITION_CONTROL_KEEP:
490 /* Keep current domain. */
494 if (old_domain == &tomoyo_kernel_domain &&
495 !tomoyo_policy_loaded) {
497 * Needn't to transit from kernel domain before
498 * starting /sbin/init. But transit from kernel domain
499 * if executing initializers because they might start
504 /* Normal domain transition. */
505 snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s",
506 old_domain->domainname->name, rn.name);
510 if (domain || strlen(tmp) >= TOMOYO_EXEC_TMPSIZE - 10)
512 domain = tomoyo_find_domain(tmp);
516 int error = tomoyo_supervisor(&r, "# wants to create domain\n"
518 if (error == TOMOYO_RETRY_REQUEST)
523 domain = tomoyo_assign_domain(tmp, old_domain->profile);
527 printk(KERN_WARNING "TOMOYO-ERROR: Domain '%s' not defined.\n", tmp);
531 old_domain->transition_failed = true;
535 /* Update reference count on "struct tomoyo_domain_info". */
536 atomic_inc(&domain->users);
537 bprm->cred->security = domain;