diff options
author | Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | 2011-06-26 10:20:23 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2011-06-28 19:31:21 -0400 |
commit | 5625f2e3266319fd29fe4f1c76ccd3f550c79ac4 (patch) | |
tree | 190e96d956213b22da705872094ebdf5272af972 /security | |
parent | bd03a3e4c9a9df0c6b007045fa7fc8889111a478 (diff) |
TOMOYO: Change pathname for non-rename()able filesystems.
TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if $PID matches current
thread's process ID in order to prevent current thread from accessing other
process's information unless needed.
But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ /p/
/tmp/foo/100/p/ ), TOMOYO cannot tell that whether the numeric part in the
string returned by __d_path() represents process ID or not.
Therefore, to be able to convert from $PID to self no matter where procfs is
mounted, this patch changes pathname representations for filesystems which do
not support rename() operation (e.g. proc, sysfs, securityfs).
Examples:
/proc/self/mounts => proc:/self/mounts
/sys/kernel/security/ => sys:/kernel/security/
/dev/pts/0 => devpts:/0
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/tomoyo/file.c | 12 | ||||
-rw-r--r-- | security/tomoyo/realpath.c | 222 |
2 files changed, 180 insertions, 54 deletions
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 323ddc73a125..8410f28a35e0 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c | |||
@@ -712,7 +712,7 @@ int tomoyo_path_number_perm(const u8 type, struct path *path, | |||
712 | int idx; | 712 | int idx; |
713 | 713 | ||
714 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pn2mac[type]) | 714 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pn2mac[type]) |
715 | == TOMOYO_CONFIG_DISABLED || !path->mnt || !path->dentry) | 715 | == TOMOYO_CONFIG_DISABLED || !path->dentry) |
716 | return 0; | 716 | return 0; |
717 | idx = tomoyo_read_lock(); | 717 | idx = tomoyo_read_lock(); |
718 | if (!tomoyo_get_realpath(&buf, path)) | 718 | if (!tomoyo_get_realpath(&buf, path)) |
@@ -753,8 +753,6 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |||
753 | struct tomoyo_request_info r; | 753 | struct tomoyo_request_info r; |
754 | int idx; | 754 | int idx; |
755 | 755 | ||
756 | if (!path->mnt) | ||
757 | return 0; | ||
758 | buf.name = NULL; | 756 | buf.name = NULL; |
759 | r.mode = TOMOYO_CONFIG_DISABLED; | 757 | r.mode = TOMOYO_CONFIG_DISABLED; |
760 | idx = tomoyo_read_lock(); | 758 | idx = tomoyo_read_lock(); |
@@ -798,8 +796,6 @@ int tomoyo_path_perm(const u8 operation, struct path *path) | |||
798 | bool is_enforce; | 796 | bool is_enforce; |
799 | int idx; | 797 | int idx; |
800 | 798 | ||
801 | if (!path->mnt) | ||
802 | return 0; | ||
803 | if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) | 799 | if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) |
804 | == TOMOYO_CONFIG_DISABLED) | 800 | == TOMOYO_CONFIG_DISABLED) |
805 | return 0; | 801 | return 0; |
@@ -842,8 +838,7 @@ int tomoyo_mkdev_perm(const u8 operation, struct path *path, | |||
842 | struct tomoyo_path_info buf; | 838 | struct tomoyo_path_info buf; |
843 | int idx; | 839 | int idx; |
844 | 840 | ||
845 | if (!path->mnt || | 841 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pnnn2mac[operation]) |
846 | tomoyo_init_request_info(&r, NULL, tomoyo_pnnn2mac[operation]) | ||
847 | == TOMOYO_CONFIG_DISABLED) | 842 | == TOMOYO_CONFIG_DISABLED) |
848 | return 0; | 843 | return 0; |
849 | idx = tomoyo_read_lock(); | 844 | idx = tomoyo_read_lock(); |
@@ -884,8 +879,7 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1, | |||
884 | struct tomoyo_request_info r; | 879 | struct tomoyo_request_info r; |
885 | int idx; | 880 | int idx; |
886 | 881 | ||
887 | if (!path1->mnt || !path2->mnt || | 882 | if (tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) |
888 | tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) | ||
889 | == TOMOYO_CONFIG_DISABLED) | 883 | == TOMOYO_CONFIG_DISABLED) |
890 | return 0; | 884 | return 0; |
891 | buf1.name = NULL; | 885 | buf1.name = NULL; |
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index d1e05b047715..1a785777118b 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c | |||
@@ -70,6 +70,161 @@ char *tomoyo_encode(const char *str) | |||
70 | } | 70 | } |
71 | 71 | ||
72 | /** | 72 | /** |
73 | * tomoyo_get_absolute_path - Get the path of a dentry but ignores chroot'ed root. | ||
74 | * | ||
75 | * @path: Pointer to "struct path". | ||
76 | * @buffer: Pointer to buffer to return value in. | ||
77 | * @buflen: Sizeof @buffer. | ||
78 | * | ||
79 | * Returns the buffer on success, an error code otherwise. | ||
80 | * | ||
81 | * If dentry is a directory, trailing '/' is appended. | ||
82 | */ | ||
83 | static char *tomoyo_get_absolute_path(struct path *path, char * const buffer, | ||
84 | const int buflen) | ||
85 | { | ||
86 | char *pos = ERR_PTR(-ENOMEM); | ||
87 | if (buflen >= 256) { | ||
88 | struct path ns_root = { }; | ||
89 | /* go to whatever namespace root we are under */ | ||
90 | pos = __d_path(path, &ns_root, buffer, buflen - 1); | ||
91 | if (!IS_ERR(pos) && *pos == '/' && pos[1]) { | ||
92 | struct inode *inode = path->dentry->d_inode; | ||
93 | if (inode && S_ISDIR(inode->i_mode)) { | ||
94 | buffer[buflen - 2] = '/'; | ||
95 | buffer[buflen - 1] = '\0'; | ||
96 | } | ||
97 | } | ||
98 | } | ||
99 | return pos; | ||
100 | } | ||
101 | |||
102 | /** | ||
103 | * tomoyo_get_dentry_path - Get the path of a dentry. | ||
104 | * | ||
105 | * @dentry: Pointer to "struct dentry". | ||
106 | * @buffer: Pointer to buffer to return value in. | ||
107 | * @buflen: Sizeof @buffer. | ||
108 | * | ||
109 | * Returns the buffer on success, an error code otherwise. | ||
110 | * | ||
111 | * If dentry is a directory, trailing '/' is appended. | ||
112 | */ | ||
113 | static char *tomoyo_get_dentry_path(struct dentry *dentry, char * const buffer, | ||
114 | const int buflen) | ||
115 | { | ||
116 | char *pos = ERR_PTR(-ENOMEM); | ||
117 | if (buflen >= 256) { | ||
118 | pos = dentry_path_raw(dentry, buffer, buflen - 1); | ||
119 | if (!IS_ERR(pos) && *pos == '/' && pos[1]) { | ||
120 | struct inode *inode = dentry->d_inode; | ||
121 | if (inode && S_ISDIR(inode->i_mode)) { | ||
122 | buffer[buflen - 2] = '/'; | ||
123 | buffer[buflen - 1] = '\0'; | ||
124 | } | ||
125 | } | ||
126 | } | ||
127 | return pos; | ||
128 | } | ||
129 | |||
130 | /** | ||
131 | * tomoyo_get_local_path - Get the path of a dentry. | ||
132 | * | ||
133 | * @dentry: Pointer to "struct dentry". | ||
134 | * @buffer: Pointer to buffer to return value in. | ||
135 | * @buflen: Sizeof @buffer. | ||
136 | * | ||
137 | * Returns the buffer on success, an error code otherwise. | ||
138 | */ | ||
139 | static char *tomoyo_get_local_path(struct dentry *dentry, char * const buffer, | ||
140 | const int buflen) | ||
141 | { | ||
142 | struct super_block *sb = dentry->d_sb; | ||
143 | char *pos = tomoyo_get_dentry_path(dentry, buffer, buflen); | ||
144 | if (IS_ERR(pos)) | ||
145 | return pos; | ||
146 | /* Convert from $PID to self if $PID is current thread. */ | ||
147 | if (sb->s_magic == PROC_SUPER_MAGIC && *pos == '/') { | ||
148 | char *ep; | ||
149 | const pid_t pid = (pid_t) simple_strtoul(pos + 1, &ep, 10); | ||
150 | if (*ep == '/' && pid && pid == | ||
151 | task_tgid_nr_ns(current, sb->s_fs_info)) { | ||
152 | pos = ep - 5; | ||
153 | if (pos < buffer) | ||
154 | goto out; | ||
155 | memmove(pos, "/self", 5); | ||
156 | } | ||
157 | goto prepend_filesystem_name; | ||
158 | } | ||
159 | /* Use filesystem name for unnamed devices. */ | ||
160 | if (!MAJOR(sb->s_dev)) | ||
161 | goto prepend_filesystem_name; | ||
162 | { | ||
163 | struct inode *inode = sb->s_root->d_inode; | ||
164 | /* | ||
165 | * Use filesystem name if filesystem does not support rename() | ||
166 | * operation. | ||
167 | */ | ||
168 | if (inode->i_op && !inode->i_op->rename) | ||
169 | goto prepend_filesystem_name; | ||
170 | } | ||
171 | /* Prepend device name. */ | ||
172 | { | ||
173 | char name[64]; | ||
174 | int name_len; | ||
175 | const dev_t dev = sb->s_dev; | ||
176 | name[sizeof(name) - 1] = '\0'; | ||
177 | snprintf(name, sizeof(name) - 1, "dev(%u,%u):", MAJOR(dev), | ||
178 | MINOR(dev)); | ||
179 | name_len = strlen(name); | ||
180 | pos -= name_len; | ||
181 | if (pos < buffer) | ||
182 | goto out; | ||
183 | memmove(pos, name, name_len); | ||
184 | return pos; | ||
185 | } | ||
186 | /* Prepend filesystem name. */ | ||
187 | prepend_filesystem_name: | ||
188 | { | ||
189 | const char *name = sb->s_type->name; | ||
190 | const int name_len = strlen(name); | ||
191 | pos -= name_len + 1; | ||
192 | if (pos < buffer) | ||
193 | goto out; | ||
194 | memmove(pos, name, name_len); | ||
195 | pos[name_len] = ':'; | ||
196 | } | ||
197 | return pos; | ||
198 | out: | ||
199 | return ERR_PTR(-ENOMEM); | ||
200 | } | ||
201 | |||
202 | /** | ||
203 | * tomoyo_get_socket_name - Get the name of a socket. | ||
204 | * | ||
205 | * @path: Pointer to "struct path". | ||
206 | * @buffer: Pointer to buffer to return value in. | ||
207 | * @buflen: Sizeof @buffer. | ||
208 | * | ||
209 | * Returns the buffer. | ||
210 | */ | ||
211 | static char *tomoyo_get_socket_name(struct path *path, char * const buffer, | ||
212 | const int buflen) | ||
213 | { | ||
214 | struct inode *inode = path->dentry->d_inode; | ||
215 | struct socket *sock = inode ? SOCKET_I(inode) : NULL; | ||
216 | struct sock *sk = sock ? sock->sk : NULL; | ||
217 | if (sk) { | ||
218 | snprintf(buffer, buflen, "socket:[family=%u:type=%u:" | ||
219 | "protocol=%u]", sk->sk_family, sk->sk_type, | ||
220 | sk->sk_protocol); | ||
221 | } else { | ||
222 | snprintf(buffer, buflen, "socket:[unknown]"); | ||
223 | } | ||
224 | return buffer; | ||
225 | } | ||
226 | |||
227 | /** | ||
73 | * tomoyo_realpath_from_path - Returns realpath(3) of the given pathname but ignores chroot'ed root. | 228 | * tomoyo_realpath_from_path - Returns realpath(3) of the given pathname but ignores chroot'ed root. |
74 | * | 229 | * |
75 | * @path: Pointer to "struct path". | 230 | * @path: Pointer to "struct path". |
@@ -90,55 +245,42 @@ char *tomoyo_realpath_from_path(struct path *path) | |||
90 | char *name = NULL; | 245 | char *name = NULL; |
91 | unsigned int buf_len = PAGE_SIZE / 2; | 246 | unsigned int buf_len = PAGE_SIZE / 2; |
92 | struct dentry *dentry = path->dentry; | 247 | struct dentry *dentry = path->dentry; |
93 | bool is_dir; | 248 | struct super_block *sb; |
94 | if (!dentry) | 249 | if (!dentry) |
95 | return NULL; | 250 | return NULL; |
96 | is_dir = dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode); | 251 | sb = dentry->d_sb; |
97 | while (1) { | 252 | while (1) { |
98 | struct path ns_root = { .mnt = NULL, .dentry = NULL }; | ||
99 | char *pos; | 253 | char *pos; |
254 | struct inode *inode; | ||
100 | buf_len <<= 1; | 255 | buf_len <<= 1; |
101 | kfree(buf); | 256 | kfree(buf); |
102 | buf = kmalloc(buf_len, GFP_NOFS); | 257 | buf = kmalloc(buf_len, GFP_NOFS); |
103 | if (!buf) | 258 | if (!buf) |
104 | break; | 259 | break; |
260 | /* To make sure that pos is '\0' terminated. */ | ||
261 | buf[buf_len - 1] = '\0'; | ||
105 | /* Get better name for socket. */ | 262 | /* Get better name for socket. */ |
106 | if (dentry->d_sb && dentry->d_sb->s_magic == SOCKFS_MAGIC) { | 263 | if (sb->s_magic == SOCKFS_MAGIC) { |
107 | struct inode *inode = dentry->d_inode; | 264 | pos = tomoyo_get_socket_name(path, buf, buf_len - 1); |
108 | struct socket *sock = inode ? SOCKET_I(inode) : NULL; | 265 | goto encode; |
109 | struct sock *sk = sock ? sock->sk : NULL; | ||
110 | if (sk) { | ||
111 | snprintf(buf, buf_len - 1, "socket:[family=%u:" | ||
112 | "type=%u:protocol=%u]", sk->sk_family, | ||
113 | sk->sk_type, sk->sk_protocol); | ||
114 | } else { | ||
115 | snprintf(buf, buf_len - 1, "socket:[unknown]"); | ||
116 | } | ||
117 | name = tomoyo_encode(buf); | ||
118 | break; | ||
119 | } | 266 | } |
120 | /* For "socket:[\$]" and "pipe:[\$]". */ | 267 | /* For "pipe:[\$]". */ |
121 | if (dentry->d_op && dentry->d_op->d_dname) { | 268 | if (dentry->d_op && dentry->d_op->d_dname) { |
122 | pos = dentry->d_op->d_dname(dentry, buf, buf_len - 1); | 269 | pos = dentry->d_op->d_dname(dentry, buf, buf_len - 1); |
123 | if (IS_ERR(pos)) | 270 | goto encode; |
124 | continue; | ||
125 | name = tomoyo_encode(pos); | ||
126 | break; | ||
127 | } | ||
128 | /* If we don't have a vfsmount, we can't calculate. */ | ||
129 | if (!path->mnt) | ||
130 | break; | ||
131 | /* go to whatever namespace root we are under */ | ||
132 | pos = __d_path(path, &ns_root, buf, buf_len); | ||
133 | /* Prepend "/proc" prefix if using internal proc vfs mount. */ | ||
134 | if (!IS_ERR(pos) && (path->mnt->mnt_flags & MNT_INTERNAL) && | ||
135 | (path->mnt->mnt_sb->s_magic == PROC_SUPER_MAGIC)) { | ||
136 | pos -= 5; | ||
137 | if (pos >= buf) | ||
138 | memcpy(pos, "/proc", 5); | ||
139 | else | ||
140 | pos = ERR_PTR(-ENOMEM); | ||
141 | } | 271 | } |
272 | inode = sb->s_root->d_inode; | ||
273 | /* | ||
274 | * Get local name for filesystems without rename() operation | ||
275 | * or dentry without vfsmount. | ||
276 | */ | ||
277 | if (!path->mnt || (inode->i_op && !inode->i_op->rename)) | ||
278 | pos = tomoyo_get_local_path(path->dentry, buf, | ||
279 | buf_len - 1); | ||
280 | /* Get absolute name for the rest. */ | ||
281 | else | ||
282 | pos = tomoyo_get_absolute_path(path, buf, buf_len - 1); | ||
283 | encode: | ||
142 | if (IS_ERR(pos)) | 284 | if (IS_ERR(pos)) |
143 | continue; | 285 | continue; |
144 | name = tomoyo_encode(pos); | 286 | name = tomoyo_encode(pos); |
@@ -147,16 +289,6 @@ char *tomoyo_realpath_from_path(struct path *path) | |||
147 | kfree(buf); | 289 | kfree(buf); |
148 | if (!name) | 290 | if (!name) |
149 | tomoyo_warn_oom(__func__); | 291 | tomoyo_warn_oom(__func__); |
150 | else if (is_dir && *name) { | ||
151 | /* Append trailing '/' if dentry is a directory. */ | ||
152 | char *pos = name + strlen(name) - 1; | ||
153 | if (*pos != '/') | ||
154 | /* | ||
155 | * This is OK because tomoyo_encode() reserves space | ||
156 | * for appending "/". | ||
157 | */ | ||
158 | *++pos = '/'; | ||
159 | } | ||
160 | return name; | 292 | return name; |
161 | } | 293 | } |
162 | 294 | ||