1 files changed, 122 insertions, 12 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 678f4ff16aa4..6d6ba09af457 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -26,16 +26,43 @@
 struct dentry;
 struct vfsmount;
-/* Temporary buffer for holding pathnames. */
+/*
+ * tomoyo_page_buffer is a structure which is used for holding a pathname
+ * obtained from "struct dentry" and "struct vfsmount" pair.
+ * As of now, it is 4096 bytes. If users complain that 4096 bytes is too small
+ * (because TOMOYO escapes non ASCII printable characters using \ooo format),
+ * we will make the buffer larger.
+ */
 struct tomoyo_page_buffer {
        char buffer[4096];
 };
-/* Structure for holding a token. */
+/*
+ * tomoyo_path_info is a structure which is used for holding a string data
+ * used by TOMOYO.
+ * This structure has several fields for supporting pattern matching.
+ *
+ * (1) "name" is the '\0' terminated string data.
+ * (2) "hash" is full_name_hash(name, strlen(name)).
+ *     This allows tomoyo_pathcmp() to compare by hash before actually compare
+ *     using strcmp().
+ * (3) "const_len" is the length of the initial segment of "name" which
+ *     consists entirely of non wildcard characters. In other words, the length
+ *     which we can compare two strings using strncmp().
+ * (4) "is_dir" is a bool which is true if "name" ends with "/",
+ *     false otherwise.
+ *     TOMOYO distinguishes directory and non-directory. A directory ends with
+ *     "/" and non-directory does not end with "/".
+ * (5) "is_patterned" is a bool which is true if "name" contains wildcard
+ *     characters, false otherwise. This allows TOMOYO to use "hash" and
+ *     strcmp() for string comparison if "is_patterned" is false.
+ * (6) "depth" is calculated using the number of "/" characters in "name".
+ *     This allows TOMOYO to avoid comparing two pathnames which never match
+ *     (e.g. whether "/var/www/html/index.html" matches "/tmp/sh-thd-\$").
+ */
 struct tomoyo_path_info {
        const char *name;
        u32 hash;          /* = full_name_hash(name, strlen(name)) */
-        u16 total_len;     /* = strlen(name)                       */
        u16 const_len;     /* = tomoyo_const_part_length(name)     */
        bool is_dir;       /* = tomoyo_strendswith(name, "/")      */
        bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
@@ -51,7 +78,20 @@ struct tomoyo_path_info {
 */
 #define TOMOYO_MAX_PATHNAME_LEN 4000
-/* Structure for holding requested pathname. */
+/*
+ * tomoyo_path_info_with_data is a structure which is used for holding a
+ * pathname obtained from "struct dentry" and "struct vfsmount" pair.
+ *
+ * "struct tomoyo_path_info_with_data" consists of "struct tomoyo_path_info"
+ * and buffer for the pathname, while "struct tomoyo_page_buffer" consists of
+ * buffer for the pathname only.
+ *
+ * "struct tomoyo_path_info_with_data" is intended to allow TOMOYO to release
+ * both "struct tomoyo_path_info" and buffer for the pathname by single kfree()
+ * so that we don't need to return two pointers to the caller. If the caller
+ * puts "struct tomoyo_path_info" on stack memory, we will be able to remove
+ * "struct tomoyo_path_info_with_data".
+ */
 struct tomoyo_path_info_with_data {
        /* Keep "head" first, for this pointer is passed to tomoyo_free(). */
        struct tomoyo_path_info head;
@@ -61,7 +101,15 @@ struct tomoyo_path_info_with_data {
 };
 /*
- * Common header for holding ACL entries.
+ * tomoyo_acl_info is a structure which is used for holding
+ *
+ *  (1) "list" which is linked to the ->acl_info_list of
+ *      "struct tomoyo_domain_info"
+ *  (2) "type" which tells
+ *      (a) type & 0x7F : type of the entry (either
+ *          "struct tomoyo_single_path_acl_record" or
+ *          "struct tomoyo_double_path_acl_record")
+ *      (b) type & 0x80 : whether the entry is marked as "deleted".
 *
 * Packing "struct tomoyo_acl_info" allows
 * "struct tomoyo_single_path_acl_record" to embed "u16" and
@@ -81,7 +129,28 @@ struct tomoyo_acl_info {
 /* This ACL entry is deleted.           */
 #define TOMOYO_ACL_DELETED        0x80
-/* Structure for domain information. */
+/*
+ * tomoyo_domain_info is a structure which is used for holding permissions
+ * (e.g. "allow_read /lib/libc-2.5.so") given to each domain.
+ * It has following fields.
+ *
+ *  (1) "list" which is linked to tomoyo_domain_list .
+ *  (2) "acl_info_list" which is linked to "struct tomoyo_acl_info".
+ *  (3) "domainname" which holds the name of the domain.
+ *  (4) "profile" which remembers profile number assigned to this domain.
+ *  (5) "is_deleted" is a bool which is true if this domain is marked as
+ *      "deleted", false otherwise.
+ *  (6) "quota_warned" is a bool which is used for suppressing warning message
+ *      when learning mode learned too much entries.
+ *  (7) "flags" which remembers this domain's attributes.
+ *
+ * A domain's lifecycle is an analogy of files on / directory.
+ * Multiple domains with the same domainname cannot be created (as with
+ * creating files with the same filename fails with -EEXIST).
+ * If a process reached a domain, that process can reside in that domain after
+ * that domain is marked as "deleted" (as with a process can access an already
+ * open()ed file after that file was unlink()ed).
+ */
 struct tomoyo_domain_info {
        struct list_head list;
        struct list_head acl_info_list;
@@ -108,10 +177,18 @@ struct tomoyo_domain_info {
 #define TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED        2
 /*
- * Structure for "allow_read/write", "allow_execute", "allow_read",
+ * tomoyo_single_path_acl_record is a structure which is used for holding an
- * "allow_write", "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir",
+ * entry with one pathname operation (e.g. open(), mkdir()).
- * "allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar",
+ * It has following fields.
- * "allow_truncate", "allow_symlink" and "allow_rewrite" directive.
+ *
+ *  (1) "head" which is a "struct tomoyo_acl_info".
+ *  (2) "perm" which is a bitmask of permitted operations.
+ *  (3) "filename" is the pathname.
+ *
+ * Directives held by this structure are "allow_read/write", "allow_execute",
+ * "allow_read", "allow_write", "allow_create", "allow_unlink", "allow_mkdir",
+ * "allow_rmdir", "allow_mkfifo", "allow_mksock", "allow_mkblock",
+ * "allow_mkchar", "allow_truncate", "allow_symlink" and "allow_rewrite".
 */
 struct tomoyo_single_path_acl_record {
        struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_SINGLE_PATH_ACL */
@@ -120,7 +197,18 @@ struct tomoyo_single_path_acl_record {
        const struct tomoyo_path_info *filename;
 };
-/* Structure for "allow_rename" and "allow_link" directive. */
+/*
+ * tomoyo_double_path_acl_record is a structure which is used for holding an
+ * entry with two pathnames operation (i.e. link() and rename()).
+ * It has following fields.
+ *
+ *  (1) "head" which is a "struct tomoyo_acl_info".
+ *  (2) "perm" which is a bitmask of permitted operations.
+ *  (3) "filename1" is the source/old pathname.
+ *  (4) "filename2" is the destination/new pathname.
+ *
+ * Directives held by this structure are "allow_rename" and "allow_link".
+ */
 struct tomoyo_double_path_acl_record {
        struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_DOUBLE_PATH_ACL */
        u8 perm;
@@ -153,7 +241,29 @@ struct tomoyo_double_path_acl_record {
 #define TOMOYO_VERBOSE                       2
 #define TOMOYO_MAX_CONTROL_INDEX             3
-/* Structure for reading/writing policy via securityfs interfaces. */
+/*
+ * tomoyo_io_buffer is a structure which is used for reading and modifying
+ * configuration via /sys/kernel/security/tomoyo/ interface.
+ * It has many fields. ->read_var1 , ->read_var2 , ->write_var1 are used as
+ * cursors.
+ *
+ * Since the content of /sys/kernel/security/tomoyo/domain_policy is a list of
+ * "struct tomoyo_domain_info" entries and each "struct tomoyo_domain_info"
+ * entry has a list of "struct tomoyo_acl_info", we need two cursors when
+ * reading (one is for traversing tomoyo_domain_list and the other is for
+ * traversing "struct tomoyo_acl_info"->acl_info_list ).
+ *
+ * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
+ * "select ", TOMOYO seeks the cursor ->read_var1 and ->write_var1 to the
+ * domain with the domainname specified by the rest of that line (NULL is set
+ * if seek failed).
+ * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
+ * "delete ", TOMOYO deletes an entry or a domain specified by the rest of that
+ * line (->write_var1 is set to NULL if a domain was deleted).
+ * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
+ * neither "select " nor "delete ", an entry or a domain specified by that line
+ * is appended.
+ */
 struct tomoyo_io_buffer {
        int (*read) (struct tomoyo_io_buffer *);
        int (*write) (struct tomoyo_io_buffer *);

diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 678f4ff16aa4..6d6ba09af457 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h
@@ -26,16 +26,43 @@
26	struct dentry;	26	struct dentry;
27	struct vfsmount;	27	struct vfsmount;
28		28
29	/* Temporary buffer for holding pathnames. */	29	/*
		30	* tomoyo_page_buffer is a structure which is used for holding a pathname
		31	* obtained from "struct dentry" and "struct vfsmount" pair.
		32	* As of now, it is 4096 bytes. If users complain that 4096 bytes is too small
		33	* (because TOMOYO escapes non ASCII printable characters using \ooo format),
		34	* we will make the buffer larger.
		35	*/
30	struct tomoyo_page_buffer {	36	struct tomoyo_page_buffer {
31	char buffer[4096];	37	char buffer[4096];
32	};	38	};
33		39
34	/* Structure for holding a token. */	40	/*
		41	* tomoyo_path_info is a structure which is used for holding a string data
		42	* used by TOMOYO.
		43	* This structure has several fields for supporting pattern matching.
		44	*
		45	* (1) "name" is the '\0' terminated string data.
		46	* (2) "hash" is full_name_hash(name, strlen(name)).
		47	* This allows tomoyo_pathcmp() to compare by hash before actually compare
		48	* using strcmp().
		49	* (3) "const_len" is the length of the initial segment of "name" which
		50	* consists entirely of non wildcard characters. In other words, the length
		51	* which we can compare two strings using strncmp().
		52	* (4) "is_dir" is a bool which is true if "name" ends with "/",
		53	* false otherwise.
		54	* TOMOYO distinguishes directory and non-directory. A directory ends with
		55	* "/" and non-directory does not end with "/".
		56	* (5) "is_patterned" is a bool which is true if "name" contains wildcard
		57	* characters, false otherwise. This allows TOMOYO to use "hash" and
		58	* strcmp() for string comparison if "is_patterned" is false.
		59	* (6) "depth" is calculated using the number of "/" characters in "name".
		60	* This allows TOMOYO to avoid comparing two pathnames which never match
		61	* (e.g. whether "/var/www/html/index.html" matches "/tmp/sh-thd-\$").
		62	*/
35	struct tomoyo_path_info {	63	struct tomoyo_path_info {
36	const char *name;	64	const char *name;
37	u32 hash; /* = full_name_hash(name, strlen(name)) */	65	u32 hash; /* = full_name_hash(name, strlen(name)) */
38	u16 total_len; /* = strlen(name) */
39	u16 const_len; /* = tomoyo_const_part_length(name) */	66	u16 const_len; /* = tomoyo_const_part_length(name) */
40	bool is_dir; /* = tomoyo_strendswith(name, "/") */	67	bool is_dir; /* = tomoyo_strendswith(name, "/") */
41	bool is_patterned; /* = tomoyo_path_contains_pattern(name) */	68	bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
@@ -51,7 +78,20 @@ struct tomoyo_path_info {
51	*/	78	*/
52	#define TOMOYO_MAX_PATHNAME_LEN 4000	79	#define TOMOYO_MAX_PATHNAME_LEN 4000
53		80
54	/* Structure for holding requested pathname. */	81	/*
		82	* tomoyo_path_info_with_data is a structure which is used for holding a
		83	* pathname obtained from "struct dentry" and "struct vfsmount" pair.
		84	*
		85	* "struct tomoyo_path_info_with_data" consists of "struct tomoyo_path_info"
		86	* and buffer for the pathname, while "struct tomoyo_page_buffer" consists of
		87	* buffer for the pathname only.
		88	*
		89	* "struct tomoyo_path_info_with_data" is intended to allow TOMOYO to release
		90	* both "struct tomoyo_path_info" and buffer for the pathname by single kfree()
		91	* so that we don't need to return two pointers to the caller. If the caller
		92	* puts "struct tomoyo_path_info" on stack memory, we will be able to remove
		93	* "struct tomoyo_path_info_with_data".
		94	*/
55	struct tomoyo_path_info_with_data {	95	struct tomoyo_path_info_with_data {
56	/* Keep "head" first, for this pointer is passed to tomoyo_free(). */	96	/* Keep "head" first, for this pointer is passed to tomoyo_free(). */
57	struct tomoyo_path_info head;	97	struct tomoyo_path_info head;
@@ -61,7 +101,15 @@ struct tomoyo_path_info_with_data {
61	};	101	};
62		102
63	/*	103	/*
64	* Common header for holding ACL entries.	104	* tomoyo_acl_info is a structure which is used for holding
		105	*
		106	* (1) "list" which is linked to the ->acl_info_list of
		107	* "struct tomoyo_domain_info"
		108	* (2) "type" which tells
		109	* (a) type & 0x7F : type of the entry (either
		110	* "struct tomoyo_single_path_acl_record" or
		111	* "struct tomoyo_double_path_acl_record")
		112	* (b) type & 0x80 : whether the entry is marked as "deleted".
65	*	113	*
66	* Packing "struct tomoyo_acl_info" allows	114	* Packing "struct tomoyo_acl_info" allows
67	* "struct tomoyo_single_path_acl_record" to embed "u16" and	115	* "struct tomoyo_single_path_acl_record" to embed "u16" and
@@ -81,7 +129,28 @@ struct tomoyo_acl_info {
81	/* This ACL entry is deleted. */	129	/* This ACL entry is deleted. */
82	#define TOMOYO_ACL_DELETED 0x80	130	#define TOMOYO_ACL_DELETED 0x80
83		131
84	/* Structure for domain information. */	132	/*
		133	* tomoyo_domain_info is a structure which is used for holding permissions
		134	* (e.g. "allow_read /lib/libc-2.5.so") given to each domain.
		135	* It has following fields.
		136	*
		137	* (1) "list" which is linked to tomoyo_domain_list .
		138	* (2) "acl_info_list" which is linked to "struct tomoyo_acl_info".
		139	* (3) "domainname" which holds the name of the domain.
		140	* (4) "profile" which remembers profile number assigned to this domain.
		141	* (5) "is_deleted" is a bool which is true if this domain is marked as
		142	* "deleted", false otherwise.
		143	* (6) "quota_warned" is a bool which is used for suppressing warning message
		144	* when learning mode learned too much entries.
		145	* (7) "flags" which remembers this domain's attributes.
		146	*
		147	* A domain's lifecycle is an analogy of files on / directory.
		148	* Multiple domains with the same domainname cannot be created (as with
		149	* creating files with the same filename fails with -EEXIST).
		150	* If a process reached a domain, that process can reside in that domain after
		151	* that domain is marked as "deleted" (as with a process can access an already
		152	* open()ed file after that file was unlink()ed).
		153	*/
85	struct tomoyo_domain_info {	154	struct tomoyo_domain_info {
86	struct list_head list;	155	struct list_head list;
87	struct list_head acl_info_list;	156	struct list_head acl_info_list;
@@ -108,10 +177,18 @@ struct tomoyo_domain_info {
108	#define TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED 2	177	#define TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED 2
109		178
110	/*	179	/*
111	* Structure for "allow_read/write", "allow_execute", "allow_read",	180	* tomoyo_single_path_acl_record is a structure which is used for holding an
112	* "allow_write", "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir",	181	* entry with one pathname operation (e.g. open(), mkdir()).
113	* "allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar",	182	* It has following fields.
114	* "allow_truncate", "allow_symlink" and "allow_rewrite" directive.	183	*
		184	* (1) "head" which is a "struct tomoyo_acl_info".
		185	* (2) "perm" which is a bitmask of permitted operations.
		186	* (3) "filename" is the pathname.
		187	*
		188	* Directives held by this structure are "allow_read/write", "allow_execute",
		189	* "allow_read", "allow_write", "allow_create", "allow_unlink", "allow_mkdir",
		190	* "allow_rmdir", "allow_mkfifo", "allow_mksock", "allow_mkblock",
		191	* "allow_mkchar", "allow_truncate", "allow_symlink" and "allow_rewrite".
115	*/	192	*/
116	struct tomoyo_single_path_acl_record {	193	struct tomoyo_single_path_acl_record {
117	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_SINGLE_PATH_ACL */	194	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_SINGLE_PATH_ACL */
@@ -120,7 +197,18 @@ struct tomoyo_single_path_acl_record {
120	const struct tomoyo_path_info *filename;	197	const struct tomoyo_path_info *filename;
121	};	198	};
122		199
123	/* Structure for "allow_rename" and "allow_link" directive. */	200	/*
		201	* tomoyo_double_path_acl_record is a structure which is used for holding an
		202	* entry with two pathnames operation (i.e. link() and rename()).
		203	* It has following fields.
		204	*
		205	* (1) "head" which is a "struct tomoyo_acl_info".
		206	* (2) "perm" which is a bitmask of permitted operations.
		207	* (3) "filename1" is the source/old pathname.
		208	* (4) "filename2" is the destination/new pathname.
		209	*
		210	* Directives held by this structure are "allow_rename" and "allow_link".
		211	*/
124	struct tomoyo_double_path_acl_record {	212	struct tomoyo_double_path_acl_record {
125	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_DOUBLE_PATH_ACL */	213	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_DOUBLE_PATH_ACL */
126	u8 perm;	214	u8 perm;
@@ -153,7 +241,29 @@ struct tomoyo_double_path_acl_record {
153	#define TOMOYO_VERBOSE 2	241	#define TOMOYO_VERBOSE 2
154	#define TOMOYO_MAX_CONTROL_INDEX 3	242	#define TOMOYO_MAX_CONTROL_INDEX 3
155		243
156	/* Structure for reading/writing policy via securityfs interfaces. */	244	/*
		245	* tomoyo_io_buffer is a structure which is used for reading and modifying
		246	* configuration via /sys/kernel/security/tomoyo/ interface.
		247	* It has many fields. ->read_var1 , ->read_var2 , ->write_var1 are used as
		248	* cursors.
		249	*
		250	* Since the content of /sys/kernel/security/tomoyo/domain_policy is a list of
		251	* "struct tomoyo_domain_info" entries and each "struct tomoyo_domain_info"
		252	* entry has a list of "struct tomoyo_acl_info", we need two cursors when
		253	* reading (one is for traversing tomoyo_domain_list and the other is for
		254	* traversing "struct tomoyo_acl_info"->acl_info_list ).
		255	*
		256	* If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
		257	* "select ", TOMOYO seeks the cursor ->read_var1 and ->write_var1 to the
		258	* domain with the domainname specified by the rest of that line (NULL is set
		259	* if seek failed).
		260	* If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
		261	* "delete ", TOMOYO deletes an entry or a domain specified by the rest of that
		262	* line (->write_var1 is set to NULL if a domain was deleted).
		263	* If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
		264	* neither "select " nor "delete ", an entry or a domain specified by that line
		265	* is appended.
		266	*/
157	struct tomoyo_io_buffer {	267	struct tomoyo_io_buffer {
158	int (read) (struct tomoyo_io_buffer );	268	int (read) (struct tomoyo_io_buffer );
159	int (write) (struct tomoyo_io_buffer );	269	int (write) (struct tomoyo_io_buffer );