author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-09-10 02:23:54 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-09-13 18:27:05 -0400 |
commit | 059d84dbb3897d4ee494a9c842c5dda54316cb47 (patch) | |
tree | 483ca0cb613b1304184b92f075b3f5283d36c723 /security/tomoyo/common.h | |
parent | d58e0da854376841ac99defeb117a83f086715c6 (diff) |
TOMOYO: Add socket operation restriction support.
This patch adds support for permission checks for PF_INET/PF_INET6/PF_UNIX
socket's bind()/listen()/connect()/send() operations.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/common.h')
-rw-r--r-- | security/tomoyo/common.h | 127 |
1 files changed, 126 insertions, 1 deletions
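--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -23,6 +23,16 @@
 #include <linux/poll.h>
 #include <linux/binfmts.h>
 #include <linux/highmem.h>
+#include <linux/net.h>
+#include <linux/inet.h>
+#include <linux/in.h>
+#include <linux/in6.h>
+#include <linux/un.h>
+#include <net/sock.h>
+#include <net/af_unix.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/udp.h>
 
 /********** Constants definitions. **********/
 
@@ -34,6 +44,12 @@
 #define TOMOYO_HASH_BITS 8
 #define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
 
+/*
+* TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
+* Therefore, we don't need SOCK_MAX.
+*/
+#define TOMOYO_SOCK_MAX 6
+
 #define TOMOYO_EXEC_TMPSIZE 4096
 
 /* Profile number is an integer between 0 and 255. */
@@ -136,6 +152,7 @@ enum tomoyo_mode_index {
 /* Index numbers for entry type. */
 enum tomoyo_policy_id {
 TOMOYO_ID_GROUP,
+TOMOYO_ID_ADDRESS_GROUP,
 TOMOYO_ID_PATH_GROUP,
 TOMOYO_ID_NUMBER_GROUP,
 TOMOYO_ID_TRANSITION_CONTROL,
@@ -166,6 +183,7 @@ enum tomoyo_domain_info_flags_index {
 enum tomoyo_group_id {
 TOMOYO_PATH_GROUP,
 TOMOYO_NUMBER_GROUP,
+TOMOYO_ADDRESS_GROUP,
 TOMOYO_MAX_GROUP
 };
 
@@ -196,6 +214,8 @@ enum tomoyo_acl_entry_type_index {
 TOMOYO_TYPE_PATH_NUMBER_ACL,
 TOMOYO_TYPE_MKDEV_ACL,
 TOMOYO_TYPE_MOUNT_ACL,
+TOMOYO_TYPE_INET_ACL,
+TOMOYO_TYPE_UNIX_ACL,
 TOMOYO_TYPE_ENV_ACL,
 };
 
@@ -229,6 +249,15 @@ enum tomoyo_mkdev_acl_index {
 TOMOYO_MAX_MKDEV_OPERATION
 };
 
+/* Index numbers for socket operations. */
+enum tomoyo_network_acl_index {
+TOMOYO_NETWORK_BIND, /* bind() operation. */
+TOMOYO_NETWORK_LISTEN, /* listen() operation. */
+TOMOYO_NETWORK_CONNECT, /* connect() operation. */
+TOMOYO_NETWORK_SEND, /* send() operation. */
+TOMOYO_MAX_NETWORK_OPERATION
+};
+
 /* Index numbers for access controls with two pathnames. */
 enum tomoyo_path2_acl_index {
 TOMOYO_TYPE_LINK,
@@ -301,6 +330,21 @@ enum tomoyo_mac_index {
 TOMOYO_MAC_FILE_MOUNT,
 TOMOYO_MAC_FILE_UMOUNT,
 TOMOYO_MAC_FILE_PIVOT_ROOT,
+TOMOYO_MAC_NETWORK_INET_STREAM_BIND,
+TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN,
+TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT,
+TOMOYO_MAC_NETWORK_INET_DGRAM_BIND,
+TOMOYO_MAC_NETWORK_INET_DGRAM_SEND,
+TOMOYO_MAC_NETWORK_INET_RAW_BIND,
+TOMOYO_MAC_NETWORK_INET_RAW_SEND,
+TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND,
+TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN,
+TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT,
+TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND,
+TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND,
+TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND,
+TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
+TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
 TOMOYO_MAC_ENVIRON,
 TOMOYO_MAX_MAC_INDEX
 };
@@ -308,6 +352,7 @@ enum tomoyo_mac_index {
 /* Index numbers for category of functionality. */
 enum tomoyo_mac_category_index {
 TOMOYO_MAC_CATEGORY_FILE,
+TOMOYO_MAC_CATEGORY_NETWORK,
 TOMOYO_MAC_CATEGORY_MISC,
 TOMOYO_MAX_MAC_CATEGORY_INDEX
 };
@@ -403,6 +448,22 @@ struct tomoyo_request_info {
 const struct tomoyo_path_info *name;
 } environ;
 struct {
+const __be32 *address;
+u16 port;
+/* One of values smaller than TOMOYO_SOCK_MAX. */
+u8 protocol;
+/* One of values in "enum tomoyo_network_acl_index". */
+u8 operation;
+bool is_ipv6;
+} inet_network;
+struct {
+const struct tomoyo_path_info *address;
+/* One of values smaller than TOMOYO_SOCK_MAX. */
+u8 protocol;
+/* One of values in "enum tomoyo_network_acl_index". */
+u8 operation;
+} unix_network;
+struct {
 const struct tomoyo_path_info *type;
 const struct tomoyo_path_info *dir;
 const struct tomoyo_path_info *dev;
@@ -448,7 +509,14 @@ struct tomoyo_number_union {
 u8 value_type[2];
 };
 
-/* Structure for "path_group"/"number_group" directive. */
+/* Structure for holding an IP address. */
+struct tomoyo_ipaddr_union {
+struct in6_addr ip[2]; /* Big endian. */
+struct tomoyo_group *group; /* Pointer to address group. */
+bool is_ipv6; /* Valid only if @group == NULL. */
+};
+
+/* Structure for "path_group"/"number_group"/"address_group" directive. */
 struct tomoyo_group {
 struct tomoyo_shared_acl_head head;
 const struct tomoyo_path_info *group_name;
@@ -467,6 +535,13 @@ struct tomoyo_number_group {
 struct tomoyo_number_union number;
 };
 
+/* Structure for "address_group" directive. */
+struct tomoyo_address_group {
+struct tomoyo_acl_head head;
+/* Structure for holding an IP address. */
+struct tomoyo_ipaddr_union address;
+};
+
 /* Subset of "struct stat". Used by conditional ACL and audit logs. */
 struct tomoyo_mini_stat {
 uid_t uid;
@@ -650,6 +725,23 @@ struct tomoyo_env_acl {
 const struct tomoyo_path_info *env; /* environment variable */
 };
 
+/* Structure for "network inet" directive. */
+struct tomoyo_inet_acl {
+struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_INET_ACL */
+u8 protocol;
+u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
+struct tomoyo_ipaddr_union address;
+struct tomoyo_number_union port;
+};
+
+/* Structure for "network unix" directive. */
+struct tomoyo_unix_acl {
+struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_UNIX_ACL */
+u8 protocol;
+u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
+struct tomoyo_name_union name;
+};
+
 /* Structure for holding a line from /sys/kernel/security/tomoyo/ interface. */
 struct tomoyo_acl_param {
 char *data;
@@ -793,6 +885,8 @@ struct tomoyo_policy_namespace {
 
 /********** Function prototypes. **********/
 
+bool tomoyo_address_matches_group(const bool is_ipv6, const __be32 *address,
+const struct tomoyo_group *group);
 bool tomoyo_compare_number_union(const unsigned long value,
 const struct tomoyo_number_union *ptr);
 bool tomoyo_condition(struct tomoyo_request_info *r,
@@ -808,6 +902,8 @@ bool tomoyo_memory_ok(void *ptr);
 bool tomoyo_number_matches_group(const unsigned long min,
 const unsigned long max,
 const struct tomoyo_group *group);
+bool tomoyo_parse_ipaddr_union(struct tomoyo_acl_param *param,
+struct tomoyo_ipaddr_union *ptr);
 bool tomoyo_parse_name_union(struct tomoyo_acl_param *param,
 struct tomoyo_name_union *ptr);
 bool tomoyo_parse_number_union(struct tomoyo_acl_param *param,
@@ -817,6 +913,7 @@ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
 bool tomoyo_permstr(const char *string, const char *keyword);
 bool tomoyo_str_starts(char **src, const char *find);
 char *tomoyo_encode(const char *str);
+char *tomoyo_encode2(const char *str, int str_len);
 char *tomoyo_init_log(struct tomoyo_request_info *r, int len, const char *fmt,
 va_list args);
 char *tomoyo_read_token(struct tomoyo_acl_param *param);
@@ -855,6 +952,13 @@ int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
 const struct tomoyo_path_info *filename);
 int tomoyo_poll_control(struct file *file, poll_table *wait);
 int tomoyo_poll_log(struct file *file, poll_table *wait);
+int tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr,
+int addr_len);
+int tomoyo_socket_connect_permission(struct socket *sock,
+struct sockaddr *addr, int addr_len);
+int tomoyo_socket_listen_permission(struct socket *sock);
+int tomoyo_socket_sendmsg_permission(struct socket *sock, struct msghdr *msg,
+int size);
 int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
 __printf(2, 3);
 int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
@@ -874,8 +978,10 @@ int tomoyo_write_aggregator(struct tomoyo_acl_param *param);
 int tomoyo_write_file(struct tomoyo_acl_param *param);
 int tomoyo_write_group(struct tomoyo_acl_param *param, const u8 type);
 int tomoyo_write_misc(struct tomoyo_acl_param *param);
+int tomoyo_write_inet_network(struct tomoyo_acl_param *param);
 int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
 const u8 type);
+int tomoyo_write_unix_network(struct tomoyo_acl_param *param);
 ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
 const int buffer_len);
 ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
@@ -911,6 +1017,8 @@ void tomoyo_load_policy(const char *filename);
 void tomoyo_memory_free(void *ptr);
 void tomoyo_normalize_line(unsigned char *buffer);
 void tomoyo_notify_gc(struct tomoyo_io_buffer *head, const bool is_register);
+void tomoyo_print_ip(char *buf, const unsigned int size,
+const struct tomoyo_ipaddr_union *ptr);
 void tomoyo_print_ulong(char *buffer, const int buffer_len,
 const unsigned long value, const u8 type);
 void tomoyo_put_name_union(struct tomoyo_name_union *ptr);
@@ -933,6 +1041,8 @@ extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
 + TOMOYO_MAX_MAC_CATEGORY_INDEX];
 extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
 extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
+extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
+extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
 extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
 extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
 extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
@@ -1112,6 +1222,21 @@ static inline bool tomoyo_same_number_union
 }
 
 /**
+* tomoyo_same_ipaddr_union - Check for duplicated "struct tomoyo_ipaddr_union" entry.
+*
+* @a: Pointer to "struct tomoyo_ipaddr_union".
+* @b: Pointer to "struct tomoyo_ipaddr_union".
+*
+* Returns true if @a == @b, false otherwise.
+*/
+static inline bool tomoyo_same_ipaddr_union
+(const struct tomoyo_ipaddr_union *a, const struct tomoyo_ipaddr_union *b)
+{
+return !memcmp(a->ip, b->ip, sizeof(a->ip)) && a->group == b->group &&
+a->is_ipv6 == b->is_ipv6;
+}
+
+/**
 * tomoyo_current_namespace - Get "struct tomoyo_policy_namespace" for current thread.
 *
 * Returns pointer to "struct tomoyo_policy_namespace" for current thread.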
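Review bot: `#define TOMOYO_SOCK_MAX 6` in the second hunk is a bare magic number whose correctness rests on SOCK_SEQPACKET being 5, and the comment above it says why SOCK_MAX is not used but not where 6 comes from; `#define TOMOYO_SOCK_MAX (SOCK_SEQPACKET + 1)` keeps the same value and ties it to the last socket type TOMOYO checks, with linux/net.h now included by this patch. That same constant sizes `tomoyo_proto_keyword[TOMOYO_SOCK_MAX]`, yet the `protocol` fields added to `tomoyo_request_info`, `tomoyo_inet_acl` and `tomoyo_unix_acl` carry the invariant only as the comment "One of values smaller than TOMOYO_SOCK_MAX", so the callers in network.c (not in this file) must reject sock->type values at or above it, such as SOCK_DCCP and SOCK_PACKET, before using it as an index; presumably they do, but the header should state that the check is the caller's responsibility. On the new `inet_network` member, `const __be32 *address` is paired with `bool is_ipv6` without saying how much it points to; a comment such as `/* Points to 1 word (IPv4) or 4 words (IPv6), selected by is_ipv6. */` would make the contract explicit — confirm against the callers. In `tomoyo_same_ipaddr_union`, the memcmp covers both in6_addr slots even for IPv4 entries and for entries that have @group set, which is only a reliable equality test if tomoyo_parse_ipaddr_union zero-fills the unused bytes; worth confirming there.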