author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-07-08 00:21:37 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-07-10 21:05:32 -0400 |
commit | 2066a36125fcbf5220990173b9d8e8bc49ad7538 (patch) | |
tree | c8ea3a6d92a8b4b68cda986601336e8e8f58553e /security/tomoyo/common.h | |
parent | 5c4274f13819b40e726f6ee4ef13b4952cff5010 (diff) |
TOMOYO: Allow using UID/GID etc. of current thread as conditions.
This patch adds support for permission checks using current thread's UID/GID
etc. in addition to pathnames.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/common.h')
-rw-r--r-- | security/tomoyo/common.h | 97 |
1 files changed, 96 insertions, 1 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index beb7d0eb5222..958d433b0115 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h | |||
@@ -21,7 +21,8 @@ | |||
21 | #include <linux/list.h> | 21 | #include <linux/list.h> |
22 | #include <linux/cred.h> | 22 | #include <linux/cred.h> |
23 | #include <linux/poll.h> | 23 | #include <linux/poll.h> |
24 | struct linux_binprm; | 24 | #include <linux/binfmts.h> |
25 | #include <linux/highmem.h> | ||
25 | 26 | ||
26 | /********** Constants definitions. **********/ | 27 | /********** Constants definitions. **********/ |
27 | 28 | ||
@@ -41,6 +42,22 @@ struct linux_binprm; | |||
41 | /* Group number is an integer between 0 and 255. */ | 42 | /* Group number is an integer between 0 and 255. */ |
42 | #define TOMOYO_MAX_ACL_GROUPS 256 | 43 | #define TOMOYO_MAX_ACL_GROUPS 256 |
43 | 44 | ||
45 | /* Index numbers for "struct tomoyo_condition". */ | ||
46 | enum tomoyo_conditions_index { | ||
47 | TOMOYO_TASK_UID, /* current_uid() */ | ||
48 | TOMOYO_TASK_EUID, /* current_euid() */ | ||
49 | TOMOYO_TASK_SUID, /* current_suid() */ | ||
50 | TOMOYO_TASK_FSUID, /* current_fsuid() */ | ||
51 | TOMOYO_TASK_GID, /* current_gid() */ | ||
52 | TOMOYO_TASK_EGID, /* current_egid() */ | ||
53 | TOMOYO_TASK_SGID, /* current_sgid() */ | ||
54 | TOMOYO_TASK_FSGID, /* current_fsgid() */ | ||
55 | TOMOYO_TASK_PID, /* sys_getpid() */ | ||
56 | TOMOYO_TASK_PPID, /* sys_getppid() */ | ||
57 | TOMOYO_MAX_CONDITION_KEYWORD, | ||
58 | TOMOYO_NUMBER_UNION, | ||
59 | }; | ||
60 | |||
44 | /* Index numbers for operation mode. */ | 61 | /* Index numbers for operation mode. */ |
45 | enum tomoyo_mode_index { | 62 | enum tomoyo_mode_index { |
46 | TOMOYO_CONFIG_DISABLED, | 63 | TOMOYO_CONFIG_DISABLED, |
@@ -61,6 +78,7 @@ enum tomoyo_policy_id { | |||
61 | TOMOYO_ID_TRANSITION_CONTROL, | 78 | TOMOYO_ID_TRANSITION_CONTROL, |
62 | TOMOYO_ID_AGGREGATOR, | 79 | TOMOYO_ID_AGGREGATOR, |
63 | TOMOYO_ID_MANAGER, | 80 | TOMOYO_ID_MANAGER, |
81 | TOMOYO_ID_CONDITION, | ||
64 | TOMOYO_ID_NAME, | 82 | TOMOYO_ID_NAME, |
65 | TOMOYO_ID_ACL, | 83 | TOMOYO_ID_ACL, |
66 | TOMOYO_ID_DOMAIN, | 84 | TOMOYO_ID_DOMAIN, |
@@ -370,9 +388,32 @@ struct tomoyo_number_group { | |||
370 | struct tomoyo_number_union number; | 388 | struct tomoyo_number_union number; |
371 | }; | 389 | }; |
372 | 390 | ||
391 | /* Structure for entries which follows "struct tomoyo_condition". */ | ||
392 | struct tomoyo_condition_element { | ||
393 | /* Left hand operand. */ | ||
394 | u8 left; | ||
395 | /* Right hand operand. */ | ||
396 | u8 right; | ||
397 | /* Equation operator. True if equals or overlaps, false otherwise. */ | ||
398 | bool equals; | ||
399 | }; | ||
400 | |||
401 | /* Structure for optional arguments. */ | ||
402 | struct tomoyo_condition { | ||
403 | struct tomoyo_shared_acl_head head; | ||
404 | u32 size; /* Memory size allocated for this entry. */ | ||
405 | u16 condc; /* Number of conditions in this struct. */ | ||
406 | u16 numbers_count; /* Number of "struct tomoyo_number_union values". */ | ||
407 | /* | ||
408 | * struct tomoyo_condition_element condition[condc]; | ||
409 | * struct tomoyo_number_union values[numbers_count]; | ||
410 | */ | ||
411 | }; | ||
412 | |||
373 | /* Common header for individual entries. */ | 413 | /* Common header for individual entries. */ |
374 | struct tomoyo_acl_info { | 414 | struct tomoyo_acl_info { |
375 | struct list_head list; | 415 | struct list_head list; |
416 | struct tomoyo_condition *cond; /* Maybe NULL. */ | ||
376 | bool is_deleted; | 417 | bool is_deleted; |
377 | u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */ | 418 | u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */ |
378 | } __packed; | 419 | } __packed; |
@@ -475,12 +516,15 @@ struct tomoyo_io_buffer { | |||
475 | unsigned int step; | 516 | unsigned int step; |
476 | unsigned int query_index; | 517 | unsigned int query_index; |
477 | u16 index; | 518 | u16 index; |
519 | u16 cond_index; | ||
478 | u8 acl_group_index; | 520 | u8 acl_group_index; |
521 | u8 cond_step; | ||
479 | u8 bit; | 522 | u8 bit; |
480 | u8 w_pos; | 523 | u8 w_pos; |
481 | bool eof; | 524 | bool eof; |
482 | bool print_this_domain_only; | 525 | bool print_this_domain_only; |
483 | bool print_transition_related_only; | 526 | bool print_transition_related_only; |
527 | bool print_cond_part; | ||
484 | const char *w[TOMOYO_MAX_IO_READ_QUEUE]; | 528 | const char *w[TOMOYO_MAX_IO_READ_QUEUE]; |
485 | } r; | 529 | } r; |
486 | struct { | 530 | struct { |
@@ -586,6 +630,8 @@ struct tomoyo_policy_namespace { | |||
586 | 630 | ||
587 | bool tomoyo_compare_number_union(const unsigned long value, | 631 | bool tomoyo_compare_number_union(const unsigned long value, |
588 | const struct tomoyo_number_union *ptr); | 632 | const struct tomoyo_number_union *ptr); |
633 | bool tomoyo_condition(struct tomoyo_request_info *r, | ||
634 | const struct tomoyo_condition *cond); | ||
589 | bool tomoyo_correct_domain(const unsigned char *domainname); | 635 | bool tomoyo_correct_domain(const unsigned char *domainname); |
590 | bool tomoyo_correct_path(const char *filename); | 636 | bool tomoyo_correct_path(const char *filename); |
591 | bool tomoyo_correct_word(const char *string); | 637 | bool tomoyo_correct_word(const char *string); |
@@ -664,6 +710,7 @@ ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, | |||
664 | const int buffer_len); | 710 | const int buffer_len); |
665 | ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, | 711 | ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, |
666 | const char __user *buffer, const int buffer_len); | 712 | const char __user *buffer, const int buffer_len); |
713 | struct tomoyo_condition *tomoyo_get_condition(struct tomoyo_acl_param *param); | ||
667 | struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname, | 714 | struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname, |
668 | const bool transit); | 715 | const bool transit); |
669 | struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); | 716 | struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); |
@@ -675,6 +722,7 @@ struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns, | |||
675 | const u8 profile); | 722 | const u8 profile); |
676 | unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, | 723 | unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, |
677 | const u8 index); | 724 | const u8 index); |
725 | u8 tomoyo_parse_ulong(unsigned long *result, char **str); | ||
678 | void *tomoyo_commit_ok(void *data, const unsigned int size); | 726 | void *tomoyo_commit_ok(void *data, const unsigned int size); |
679 | void __init tomoyo_load_builtin_policy(void); | 727 | void __init tomoyo_load_builtin_policy(void); |
680 | void __init tomoyo_mm_init(void); | 728 | void __init tomoyo_mm_init(void); |
@@ -683,6 +731,7 @@ void tomoyo_check_acl(struct tomoyo_request_info *r, | |||
683 | const struct tomoyo_acl_info *)); | 731 | const struct tomoyo_acl_info *)); |
684 | void tomoyo_check_profile(void); | 732 | void tomoyo_check_profile(void); |
685 | void tomoyo_convert_time(time_t time, struct tomoyo_time *stamp); | 733 | void tomoyo_convert_time(time_t time, struct tomoyo_time *stamp); |
734 | void tomoyo_del_condition(struct list_head *element); | ||
686 | void tomoyo_fill_path_info(struct tomoyo_path_info *ptr); | 735 | void tomoyo_fill_path_info(struct tomoyo_path_info *ptr); |
687 | void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns); | 736 | void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns); |
688 | void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) | 737 | void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) |
@@ -706,6 +755,8 @@ void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt, | |||
706 | /********** External variable definitions. **********/ | 755 | /********** External variable definitions. **********/ |
707 | 756 | ||
708 | extern bool tomoyo_policy_loaded; | 757 | extern bool tomoyo_policy_loaded; |
758 | extern const char * const tomoyo_condition_keyword | ||
759 | [TOMOYO_MAX_CONDITION_KEYWORD]; | ||
709 | extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS]; | 760 | extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS]; |
710 | extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX | 761 | extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX |
711 | + TOMOYO_MAX_MAC_CATEGORY_INDEX]; | 762 | + TOMOYO_MAX_MAC_CATEGORY_INDEX]; |
@@ -715,6 +766,7 @@ extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX]; | |||
715 | extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION]; | 766 | extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION]; |
716 | extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION]; | 767 | extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION]; |
717 | extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION]; | 768 | extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION]; |
769 | extern struct list_head tomoyo_condition_list; | ||
718 | extern struct list_head tomoyo_domain_list; | 770 | extern struct list_head tomoyo_domain_list; |
719 | extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; | 771 | extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; |
720 | extern struct list_head tomoyo_namespace_list; | 772 | extern struct list_head tomoyo_namespace_list; |
@@ -750,6 +802,36 @@ static inline void tomoyo_read_unlock(int idx) | |||
750 | } | 802 | } |
751 | 803 | ||
752 | /** | 804 | /** |
805 | * tomoyo_sys_getppid - Copy of getppid(). | ||
806 | * | ||
807 | * Returns parent process's PID. | ||
808 | * | ||
809 | * Alpha does not have getppid() defined. To be able to build this module on | ||
810 | * Alpha, I have to copy getppid() from kernel/timer.c. | ||
811 | */ | ||
812 | static inline pid_t tomoyo_sys_getppid(void) | ||
813 | { | ||
814 | pid_t pid; | ||
815 | rcu_read_lock(); | ||
816 | pid = task_tgid_vnr(current->real_parent); | ||
817 | rcu_read_unlock(); | ||
818 | return pid; | ||
819 | } | ||
820 | |||
821 | /** | ||
822 | * tomoyo_sys_getpid - Copy of getpid(). | ||
823 | * | ||
824 | * Returns current thread's PID. | ||
825 | * | ||
826 | * Alpha does not have getpid() defined. To be able to build this module on | ||
827 | * Alpha, I have to copy getpid() from kernel/timer.c. | ||
828 | */ | ||
829 | static inline pid_t tomoyo_sys_getpid(void) | ||
830 | { | ||
831 | return task_tgid_vnr(current); | ||
832 | } | ||
833 | |||
834 | /** | ||
753 | * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure. | 835 | * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure. |
754 | * | 836 | * |
755 | * @a: Pointer to "struct tomoyo_path_info". | 837 | * @a: Pointer to "struct tomoyo_path_info". |
@@ -780,6 +862,19 @@ static inline void tomoyo_put_name(const struct tomoyo_path_info *name) | |||
780 | } | 862 | } |
781 | 863 | ||
782 | /** | 864 | /** |
865 | * tomoyo_put_condition - Drop reference on "struct tomoyo_condition". | ||
866 | * | ||
867 | * @cond: Pointer to "struct tomoyo_condition". Maybe NULL. | ||
868 | * | ||
869 | * Returns nothing. | ||
870 | */ | ||
871 | static inline void tomoyo_put_condition(struct tomoyo_condition *cond) | ||
872 | { | ||
873 | if (cond) | ||
874 | atomic_dec(&cond->head.users); | ||
875 | } | ||
876 | |||
877 | /** | ||
783 | * tomoyo_put_group - Drop reference on "struct tomoyo_group". | 878 | * tomoyo_put_group - Drop reference on "struct tomoyo_group". |
784 | * | 879 | * |
785 | * @group: Pointer to "struct tomoyo_group". Maybe NULL. | 880 | * @group: Pointer to "struct tomoyo_group". Maybe NULL. |
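Review bot: The kernel-doc on tomoyo_sys_getpid() and tomoyo_sys_getppid() says they return "current thread's PID" and "parent process's PID", but both call task_tgid_vnr(), so the value is the thread-group id as seen from the caller's pid namespace, and getppid() reads current->real_parent, which changes when the parent exits and the task is reparented. Since these feed the new TOMOYO_TASK_PID / TOMOYO_TASK_PPID conditions, a policy author should be told that such a condition is namespace-relative and not stable across PID reuse; I would amend the two `Returns` lines to `* Returns current thread's TGID as seen from its pid namespace.` and `* Returns the TGID of current thread's real parent (may change on reparenting).`. In the same section, the `left`/`right` comments of struct tomoyo_condition_element say only "operand"; they presumably hold a value from enum tomoyo_conditions_index, with TOMOYO_NUMBER_UNION meaning the operand is read from the trailing values[] array described in struct tomoyo_condition, so a comment such as `/* One of values in "enum tomoyo_conditions_index". */` on each field would make the layout comment self-explanatory — confirm against the parser in common.c before wording it.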