authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2011-07-08 00:21:37 -0400
committerJames Morris <jmorris@namei.org>2011-07-10 21:05:32 -0400
commit2066a36125fcbf5220990173b9d8e8bc49ad7538 (patch)
treec8ea3a6d92a8b4b68cda986601336e8e8f58553e /security/tomoyo/common.h
parent5c4274f13819b40e726f6ee4ef13b4952cff5010 (diff)
TOMOYO: Allow using UID/GID etc. of current thread as conditions.
This patch adds support for permission checks using current thread's UID/GID etc. in addition to pathnames. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/common.h')
-rw-r--r--security/tomoyo/common.h97
1 files changed, 96 insertions, 1 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index beb7d0eb5222..958d433b0115 100644
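--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -21,7 +21,8 @@
 #include <linux/list.h>
 #include <linux/cred.h>
 #include <linux/poll.h>
-struct linux_binprm;
+#include <linux/binfmts.h>
+#include <linux/highmem.h>
 
 /********** Constants definitions. **********/
 
@@ -41,6 +42,22 @@ struct linux_binprm;
 /* Group number is an integer between 0 and 255. */
 #define TOMOYO_MAX_ACL_GROUPS 256
 
+/* Index numbers for "struct tomoyo_condition". */
+enum tomoyo_conditions_index {
+ TOMOYO_TASK_UID, /* current_uid() */
+ TOMOYO_TASK_EUID, /* current_euid() */
+ TOMOYO_TASK_SUID, /* current_suid() */
+ TOMOYO_TASK_FSUID, /* current_fsuid() */
+ TOMOYO_TASK_GID, /* current_gid() */
+ TOMOYO_TASK_EGID, /* current_egid() */
+ TOMOYO_TASK_SGID, /* current_sgid() */
+ TOMOYO_TASK_FSGID, /* current_fsgid() */
+ TOMOYO_TASK_PID, /* sys_getpid() */
+ TOMOYO_TASK_PPID, /* sys_getppid() */
+ TOMOYO_MAX_CONDITION_KEYWORD,
+ TOMOYO_NUMBER_UNION,
+};
+
 /* Index numbers for operation mode. */
 enum tomoyo_mode_index {
  TOMOYO_CONFIG_DISABLED,
@@ -61,6 +78,7 @@ enum tomoyo_policy_id {
  TOMOYO_ID_TRANSITION_CONTROL,
  TOMOYO_ID_AGGREGATOR,
  TOMOYO_ID_MANAGER,
+ TOMOYO_ID_CONDITION,
  TOMOYO_ID_NAME,
  TOMOYO_ID_ACL,
  TOMOYO_ID_DOMAIN,
@@ -370,9 +388,32 @@ struct tomoyo_number_group {
  struct tomoyo_number_union number;
 };
 
+/* Structure for entries which follows "struct tomoyo_condition". */
+struct tomoyo_condition_element {
+ /* Left hand operand. */
+ u8 left;
+ /* Right hand operand. */
+ u8 right;
+ /* Equation operator. True if equals or overlaps, false otherwise. */
+ bool equals;
+};
+
+/* Structure for optional arguments. */
+struct tomoyo_condition {
+ struct tomoyo_shared_acl_head head;
+ u32 size; /* Memory size allocated for this entry. */
+ u16 condc; /* Number of conditions in this struct. */
+ u16 numbers_count; /* Number of "struct tomoyo_number_union values". */
+ /*
+ * struct tomoyo_condition_element condition[condc];
+ * struct tomoyo_number_union values[numbers_count];
+ */
+};
+
 /* Common header for individual entries. */
 struct tomoyo_acl_info {
  struct list_head list;
+ struct tomoyo_condition *cond; /* Maybe NULL. */
  bool is_deleted;
  u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */
 } __packed;
@@ -475,12 +516,15 @@ struct tomoyo_io_buffer {
  unsigned int step;
  unsigned int query_index;
  u16 index;
+ u16 cond_index;
  u8 acl_group_index;
+ u8 cond_step;
  u8 bit;
  u8 w_pos;
  bool eof;
  bool print_this_domain_only;
  bool print_transition_related_only;
+ bool print_cond_part;
  const char *w[TOMOYO_MAX_IO_READ_QUEUE];
  } r;
  struct {
@@ -586,6 +630,8 @@ struct tomoyo_policy_namespace {
 
 bool tomoyo_compare_number_union(const unsigned long value,
  const struct tomoyo_number_union *ptr);
+bool tomoyo_condition(struct tomoyo_request_info *r,
+ const struct tomoyo_condition *cond);
 bool tomoyo_correct_domain(const unsigned char *domainname);
 bool tomoyo_correct_path(const char *filename);
 bool tomoyo_correct_word(const char *string);
@@ -664,6 +710,7 @@ ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
  const int buffer_len);
 ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
  const char __user *buffer, const int buffer_len);
+struct tomoyo_condition *tomoyo_get_condition(struct tomoyo_acl_param *param);
 struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
  const bool transit);
 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
@@ -675,6 +722,7 @@ struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns,
  const u8 profile);
 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
  const u8 index);
+u8 tomoyo_parse_ulong(unsigned long *result, char **str);
 void *tomoyo_commit_ok(void *data, const unsigned int size);
 void __init tomoyo_load_builtin_policy(void);
 void __init tomoyo_mm_init(void);
@@ -683,6 +731,7 @@ void tomoyo_check_acl(struct tomoyo_request_info *r,
  const struct tomoyo_acl_info *));
 void tomoyo_check_profile(void);
 void tomoyo_convert_time(time_t time, struct tomoyo_time *stamp);
+void tomoyo_del_condition(struct list_head *element);
 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
 void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns);
 void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
@@ -706,6 +755,8 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
 /********** External variable definitions. **********/
 
 extern bool tomoyo_policy_loaded;
+extern const char * const tomoyo_condition_keyword
+[TOMOYO_MAX_CONDITION_KEYWORD];
 extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
 extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
  + TOMOYO_MAX_MAC_CATEGORY_INDEX];
@@ -715,6 +766,7 @@ extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
 extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
 extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
 extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];
+extern struct list_head tomoyo_condition_list;
 extern struct list_head tomoyo_domain_list;
 extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
 extern struct list_head tomoyo_namespace_list;
@@ -750,6 +802,36 @@ static inline void tomoyo_read_unlock(int idx)
 }
 
 /**
+ * tomoyo_sys_getppid - Copy of getppid().
+ *
+ * Returns parent process's PID.
+ *
+ * Alpha does not have getppid() defined. To be able to build this module on
+ * Alpha, I have to copy getppid() from kernel/timer.c.
+ */
+static inline pid_t tomoyo_sys_getppid(void)
+{
+ pid_t pid;
+ rcu_read_lock();
+ pid = task_tgid_vnr(current->real_parent);
+ rcu_read_unlock();
+ return pid;
+}
+
+/**
+ * tomoyo_sys_getpid - Copy of getpid().
+ *
+ * Returns current thread's PID.
+ *
+ * Alpha does not have getpid() defined. To be able to build this module on
+ * Alpha, I have to copy getpid() from kernel/timer.c.
+ */
+static inline pid_t tomoyo_sys_getpid(void)
+{
+ return task_tgid_vnr(current);
+}
+
+/**
  * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure.
  *
  * @a: Pointer to "struct tomoyo_path_info".
@@ -780,6 +862,19 @@ static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
 }
 
 /**
+ * tomoyo_put_condition - Drop reference on "struct tomoyo_condition".
+ *
+ * @cond: Pointer to "struct tomoyo_condition". Maybe NULL.
+ *
+ * Returns nothing.
+ */
+static inline void tomoyo_put_condition(struct tomoyo_condition *cond)
+{
+ if (cond)
+ atomic_dec(&cond->head.users);
+}
+
+/**
  * tomoyo_put_group - Drop reference on "struct tomoyo_group".
  *
  * @group: Pointer to "struct tomoyo_group". Maybe NULL.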
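Review bot: In `enum tomoyo_conditions_index`, `TOMOYO_NUMBER_UNION` is declared after the `TOMOYO_MAX_CONDITION_KEYWORD` sentinel, while `tomoyo_condition_keyword[]` is sized by that sentinel and the `left`/`right` operands of `struct tomoyo_condition_element` are bare `u8` fields that presumably can hold either kind of value. Any code that prints or evaluates a condition by indexing the keyword array with `left` or `right` must first test `< TOMOYO_MAX_CONDITION_KEYWORD`; that code is not in this header, so the invariant should be documented here. I would annotate the enumerator, e.g. `TOMOYO_NUMBER_UNION, /* Not a keyword; must never index tomoyo_condition_keyword[]. */`, and state in the struct comment that `left`/`right` take values from `enum tomoyo_conditions_index`. Similarly, the trailing arrays of `struct tomoyo_condition` exist only in a comment, so it is worth stating that `size` must cover `condc` elements plus `numbers_count` number unions and that whoever builds or walks an entry checks the three fields against each other.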