authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2011-09-10 02:23:54 -0400
committerJames Morris <jmorris@namei.org>2011-09-13 18:27:05 -0400
commit059d84dbb3897d4ee494a9c842c5dda54316cb47 (patch)
tree483ca0cb613b1304184b92f075b3f5283d36c723 /security/tomoyo/common.h
parentd58e0da854376841ac99defeb117a83f086715c6 (diff)
TOMOYO: Add socket operation restriction support.
This patch adds support for permission checks for PF_INET/PF_INET6/PF_UNIX socket's bind()/listen()/connect()/send() operations. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/common.h')
-rw-r--r--security/tomoyo/common.h127
1 files changed, 126 insertions, 1 deletions
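--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -23,6 +23,16 @@
 #include <linux/poll.h>
 #include <linux/binfmts.h>
 #include <linux/highmem.h>
+#include <linux/net.h>
+#include <linux/inet.h>
+#include <linux/in.h>
+#include <linux/in6.h>
+#include <linux/un.h>
+#include <net/sock.h>
+#include <net/af_unix.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/udp.h>
 
 /********** Constants definitions. **********/
 
@@ -34,6 +44,12 @@
 #define TOMOYO_HASH_BITS 8
 #define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
 
+/*
+ * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
+ * Therefore, we don't need SOCK_MAX.
+ */
+#define TOMOYO_SOCK_MAX 6
+
 #define TOMOYO_EXEC_TMPSIZE 4096
 
 /* Profile number is an integer between 0 and 255. */
@@ -136,6 +152,7 @@ enum tomoyo_mode_index {
 /* Index numbers for entry type. */
 enum tomoyo_policy_id {
 	TOMOYO_ID_GROUP,
+	TOMOYO_ID_ADDRESS_GROUP,
 	TOMOYO_ID_PATH_GROUP,
 	TOMOYO_ID_NUMBER_GROUP,
 	TOMOYO_ID_TRANSITION_CONTROL,
@@ -166,6 +183,7 @@ enum tomoyo_domain_info_flags_index {
 enum tomoyo_group_id {
 	TOMOYO_PATH_GROUP,
 	TOMOYO_NUMBER_GROUP,
+	TOMOYO_ADDRESS_GROUP,
 	TOMOYO_MAX_GROUP
 };
 
@@ -196,6 +214,8 @@ enum tomoyo_acl_entry_type_index {
 	TOMOYO_TYPE_PATH_NUMBER_ACL,
 	TOMOYO_TYPE_MKDEV_ACL,
 	TOMOYO_TYPE_MOUNT_ACL,
+	TOMOYO_TYPE_INET_ACL,
+	TOMOYO_TYPE_UNIX_ACL,
 	TOMOYO_TYPE_ENV_ACL,
 };
 
@@ -229,6 +249,15 @@ enum tomoyo_mkdev_acl_index {
 	TOMOYO_MAX_MKDEV_OPERATION
 };
 
+/* Index numbers for socket operations. */
+enum tomoyo_network_acl_index {
+	TOMOYO_NETWORK_BIND,    /* bind() operation. */
+	TOMOYO_NETWORK_LISTEN,  /* listen() operation. */
+	TOMOYO_NETWORK_CONNECT, /* connect() operation. */
+	TOMOYO_NETWORK_SEND,    /* send() operation. */
+	TOMOYO_MAX_NETWORK_OPERATION
+};
+
 /* Index numbers for access controls with two pathnames. */
 enum tomoyo_path2_acl_index {
 	TOMOYO_TYPE_LINK,
@@ -301,6 +330,21 @@ enum tomoyo_mac_index {
 	TOMOYO_MAC_FILE_MOUNT,
 	TOMOYO_MAC_FILE_UMOUNT,
 	TOMOYO_MAC_FILE_PIVOT_ROOT,
+	TOMOYO_MAC_NETWORK_INET_STREAM_BIND,
+	TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN,
+	TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT,
+	TOMOYO_MAC_NETWORK_INET_DGRAM_BIND,
+	TOMOYO_MAC_NETWORK_INET_DGRAM_SEND,
+	TOMOYO_MAC_NETWORK_INET_RAW_BIND,
+	TOMOYO_MAC_NETWORK_INET_RAW_SEND,
+	TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND,
+	TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN,
+	TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT,
+	TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND,
+	TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND,
+	TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND,
+	TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
+	TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
 	TOMOYO_MAC_ENVIRON,
 	TOMOYO_MAX_MAC_INDEX
 };
@@ -308,6 +352,7 @@ enum tomoyo_mac_index {
 /* Index numbers for category of functionality. */
 enum tomoyo_mac_category_index {
 	TOMOYO_MAC_CATEGORY_FILE,
+	TOMOYO_MAC_CATEGORY_NETWORK,
 	TOMOYO_MAC_CATEGORY_MISC,
 	TOMOYO_MAX_MAC_CATEGORY_INDEX
 };
@@ -403,6 +448,22 @@ struct tomoyo_request_info {
 			const struct tomoyo_path_info *name;
 		} environ;
 		struct {
+			const __be32 *address;
+			u16 port;
+			/* One of values smaller than TOMOYO_SOCK_MAX. */
+			u8 protocol;
+			/* One of values in "enum tomoyo_network_acl_index". */
+			u8 operation;
+			bool is_ipv6;
+		} inet_network;
+		struct {
+			const struct tomoyo_path_info *address;
+			/* One of values smaller than TOMOYO_SOCK_MAX. */
+			u8 protocol;
+			/* One of values in "enum tomoyo_network_acl_index". */
+			u8 operation;
+		} unix_network;
+		struct {
 			const struct tomoyo_path_info *type;
 			const struct tomoyo_path_info *dir;
 			const struct tomoyo_path_info *dev;
@@ -448,7 +509,14 @@ struct tomoyo_number_union {
 	u8 value_type[2];
 };
 
-/* Structure for "path_group"/"number_group" directive. */
+/* Structure for holding an IP address. */
+struct tomoyo_ipaddr_union {
+	struct in6_addr ip[2]; /* Big endian. */
+	struct tomoyo_group *group; /* Pointer to address group. */
+	bool is_ipv6; /* Valid only if @group == NULL. */
+};
+
+/* Structure for "path_group"/"number_group"/"address_group" directive. */
 struct tomoyo_group {
 	struct tomoyo_shared_acl_head head;
 	const struct tomoyo_path_info *group_name;
@@ -467,6 +535,13 @@ struct tomoyo_number_group {
 	struct tomoyo_number_union number;
 };
 
+/* Structure for "address_group" directive. */
+struct tomoyo_address_group {
+	struct tomoyo_acl_head head;
+	/* Structure for holding an IP address. */
+	struct tomoyo_ipaddr_union address;
+};
+
 /* Subset of "struct stat". Used by conditional ACL and audit logs. */
 struct tomoyo_mini_stat {
 	uid_t uid;
@@ -650,6 +725,23 @@ struct tomoyo_env_acl {
 	const struct tomoyo_path_info *env; /* environment variable */
 };
 
+/* Structure for "network inet" directive. */
+struct tomoyo_inet_acl {
+	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_INET_ACL */
+	u8 protocol;
+	u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
+	struct tomoyo_ipaddr_union address;
+	struct tomoyo_number_union port;
+};
+
+/* Structure for "network unix" directive. */
+struct tomoyo_unix_acl {
+	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_UNIX_ACL */
+	u8 protocol;
+	u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
+	struct tomoyo_name_union name;
+};
+
 /* Structure for holding a line from /sys/kernel/security/tomoyo/ interface. */
 struct tomoyo_acl_param {
 	char *data;
@@ -793,6 +885,8 @@ struct tomoyo_policy_namespace {
 
 /********** Function prototypes. **********/
 
+bool tomoyo_address_matches_group(const bool is_ipv6, const __be32 *address,
+				  const struct tomoyo_group *group);
 bool tomoyo_compare_number_union(const unsigned long value,
 				 const struct tomoyo_number_union *ptr);
 bool tomoyo_condition(struct tomoyo_request_info *r,
@@ -808,6 +902,8 @@ bool tomoyo_memory_ok(void *ptr);
 bool tomoyo_number_matches_group(const unsigned long min,
 				 const unsigned long max,
 				 const struct tomoyo_group *group);
+bool tomoyo_parse_ipaddr_union(struct tomoyo_acl_param *param,
+			       struct tomoyo_ipaddr_union *ptr);
 bool tomoyo_parse_name_union(struct tomoyo_acl_param *param,
 			     struct tomoyo_name_union *ptr);
 bool tomoyo_parse_number_union(struct tomoyo_acl_param *param,
@@ -817,6 +913,7 @@ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
 bool tomoyo_permstr(const char *string, const char *keyword);
 bool tomoyo_str_starts(char **src, const char *find);
 char *tomoyo_encode(const char *str);
+char *tomoyo_encode2(const char *str, int str_len);
 char *tomoyo_init_log(struct tomoyo_request_info *r, int len, const char *fmt,
 		      va_list args);
 char *tomoyo_read_token(struct tomoyo_acl_param *param);
@@ -855,6 +952,13 @@ int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
 			   const struct tomoyo_path_info *filename);
 int tomoyo_poll_control(struct file *file, poll_table *wait);
 int tomoyo_poll_log(struct file *file, poll_table *wait);
+int tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr,
+				  int addr_len);
+int tomoyo_socket_connect_permission(struct socket *sock,
+				     struct sockaddr *addr, int addr_len);
+int tomoyo_socket_listen_permission(struct socket *sock);
+int tomoyo_socket_sendmsg_permission(struct socket *sock, struct msghdr *msg,
+				     int size);
 int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
 	__printf(2, 3);
 int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
@@ -874,8 +978,10 @@ int tomoyo_write_aggregator(struct tomoyo_acl_param *param);
 int tomoyo_write_file(struct tomoyo_acl_param *param);
 int tomoyo_write_group(struct tomoyo_acl_param *param, const u8 type);
 int tomoyo_write_misc(struct tomoyo_acl_param *param);
+int tomoyo_write_inet_network(struct tomoyo_acl_param *param);
 int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
 				    const u8 type);
+int tomoyo_write_unix_network(struct tomoyo_acl_param *param);
 ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
 			    const int buffer_len);
 ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
@@ -911,6 +1017,8 @@ void tomoyo_load_policy(const char *filename);
 void tomoyo_memory_free(void *ptr);
 void tomoyo_normalize_line(unsigned char *buffer);
 void tomoyo_notify_gc(struct tomoyo_io_buffer *head, const bool is_register);
+void tomoyo_print_ip(char *buf, const unsigned int size,
+		     const struct tomoyo_ipaddr_union *ptr);
 void tomoyo_print_ulong(char *buffer, const int buffer_len,
 			const unsigned long value, const u8 type);
 void tomoyo_put_name_union(struct tomoyo_name_union *ptr);
@@ -933,6 +1041,8 @@ extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
 				       + TOMOYO_MAX_MAC_CATEGORY_INDEX];
 extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
 extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
+extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
+extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
 extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
 extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
 extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
@@ -1112,6 +1222,21 @@ static inline bool tomoyo_same_number_union
 }
 
 /**
+ * tomoyo_same_ipaddr_union - Check for duplicated "struct tomoyo_ipaddr_union" entry.
+ *
+ * @a: Pointer to "struct tomoyo_ipaddr_union".
+ * @b: Pointer to "struct tomoyo_ipaddr_union".
+ *
+ * Returns true if @a == @b, false otherwise.
+ */
+static inline bool tomoyo_same_ipaddr_union
+(const struct tomoyo_ipaddr_union *a, const struct tomoyo_ipaddr_union *b)
+{
+	return !memcmp(a->ip, b->ip, sizeof(a->ip)) && a->group == b->group &&
+		a->is_ipv6 == b->is_ipv6;
+}
+
+/**
  * tomoyo_current_namespace - Get "struct tomoyo_policy_namespace" for current thread.
  *
  * Returns pointer to "struct tomoyo_policy_namespace" for current thread.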
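Review bot: `TOMOYO_SOCK_MAX 6` at new line 51 is a hand-picked bound whose only link to the kernel's socket-type numbering is the comment above it, yet it sizes `tomoyo_proto_keyword[TOMOYO_SOCK_MAX]` (new line 1044) and bounds the `u8 protocol` fields in `tomoyo_request_info` (new lines 454 and 462), and the header never states which value space is being indexed. Presumably the index is `sock->type` (SOCK_STREAM through SOCK_SEQPACKET are 1 to 5, leaving slot 0 and the SOCK_RDM slot unused), so every caller must reject a type >= TOMOYO_SOCK_MAX (SOCK_DCCP, SOCK_PACKET) before using it as an array index; that check has to live in the .c side, which is outside this diff, so the header should spell out the requirement. I would extend the comment: `/* Indexed by sock->type (1..5 used). Callers must reject sock->type >= TOMOYO_SOCK_MAX before using it as an index into tomoyo_proto_keyword[]. */`. A smaller point: `tomoyo_same_ipaddr_union` (new lines 1232 to 1237) compares all of `ip` and `is_ipv6` even when `group != NULL`, where the comment at new line 516 says `is_ipv6` is not meaningful, so duplicate detection silently depends on the parser zero-filling the unused fields; the kerneldoc should state that precondition.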