aboutsummaryrefslogtreecommitdiffstats
path: root/security/tomoyo/common.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/tomoyo/common.h')
-rw-r--r--security/tomoyo/common.h411
1 files changed, 351 insertions, 60 deletions
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 509ced9ce698..f6aff59b0885 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -1,12 +1,9 @@
1/* 1/*
2 * security/tomoyo/common.h 2 * security/tomoyo/common.h
3 * 3 *
4 * Common functions for TOMOYO. 4 * Header file for TOMOYO.
5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 *
8 * Version: 2.2.0 2009/04/01
9 * 5 *
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
10 */ 7 */
11 8
12#ifndef _SECURITY_TOMOYO_COMMON_H 9#ifndef _SECURITY_TOMOYO_COMMON_H
@@ -22,9 +19,110 @@
22#include <linux/namei.h> 19#include <linux/namei.h>
23#include <linux/mount.h> 20#include <linux/mount.h>
24#include <linux/list.h> 21#include <linux/list.h>
22#include <linux/cred.h>
23struct linux_binprm;
24
25/********** Constants definitions. **********/
26
27/*
28 * TOMOYO uses this hash only when appending a string into the string
29 * table. Frequency of appending strings is very low. So we don't need
30 * large (e.g. 64k) hash size. 256 will be sufficient.
31 */
32#define TOMOYO_HASH_BITS 8
33#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
34
35/*
36 * This is the max length of a token.
37 *
38 * A token consists of only ASCII printable characters.
39 * Non printable characters in a token is represented in \ooo style
40 * octal string. Thus, \ itself is represented as \\.
41 */
42#define TOMOYO_MAX_PATHNAME_LEN 4000
43
44/* Profile number is an integer between 0 and 255. */
45#define TOMOYO_MAX_PROFILES 256
46
47/* Keywords for ACLs. */
48#define TOMOYO_KEYWORD_ALIAS "alias "
49#define TOMOYO_KEYWORD_ALLOW_READ "allow_read "
50#define TOMOYO_KEYWORD_DELETE "delete "
51#define TOMOYO_KEYWORD_DENY_REWRITE "deny_rewrite "
52#define TOMOYO_KEYWORD_FILE_PATTERN "file_pattern "
53#define TOMOYO_KEYWORD_INITIALIZE_DOMAIN "initialize_domain "
54#define TOMOYO_KEYWORD_KEEP_DOMAIN "keep_domain "
55#define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain "
56#define TOMOYO_KEYWORD_NO_KEEP_DOMAIN "no_keep_domain "
57#define TOMOYO_KEYWORD_SELECT "select "
58#define TOMOYO_KEYWORD_USE_PROFILE "use_profile "
59#define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read"
60/* A domain definition starts with <kernel>. */
61#define TOMOYO_ROOT_NAME "<kernel>"
62#define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1)
63
64/* Index numbers for Access Controls. */
65#define TOMOYO_MAC_FOR_FILE 0 /* domain_policy.conf */
66#define TOMOYO_MAX_ACCEPT_ENTRY 1
67#define TOMOYO_VERBOSE 2
68#define TOMOYO_MAX_CONTROL_INDEX 3
69
70/* Index numbers for Access Controls. */
71
72#define TOMOYO_TYPE_SINGLE_PATH_ACL 0
73#define TOMOYO_TYPE_DOUBLE_PATH_ACL 1
74
75/* Index numbers for File Controls. */
76
77/*
78 * TYPE_READ_WRITE_ACL is special. TYPE_READ_WRITE_ACL is automatically set
79 * if both TYPE_READ_ACL and TYPE_WRITE_ACL are set. Both TYPE_READ_ACL and
80 * TYPE_WRITE_ACL are automatically set if TYPE_READ_WRITE_ACL is set.
81 * TYPE_READ_WRITE_ACL is automatically cleared if either TYPE_READ_ACL or
82 * TYPE_WRITE_ACL is cleared. Both TYPE_READ_ACL and TYPE_WRITE_ACL are
83 * automatically cleared if TYPE_READ_WRITE_ACL is cleared.
84 */
85
86#define TOMOYO_TYPE_READ_WRITE_ACL 0
87#define TOMOYO_TYPE_EXECUTE_ACL 1
88#define TOMOYO_TYPE_READ_ACL 2
89#define TOMOYO_TYPE_WRITE_ACL 3
90#define TOMOYO_TYPE_CREATE_ACL 4
91#define TOMOYO_TYPE_UNLINK_ACL 5
92#define TOMOYO_TYPE_MKDIR_ACL 6
93#define TOMOYO_TYPE_RMDIR_ACL 7
94#define TOMOYO_TYPE_MKFIFO_ACL 8
95#define TOMOYO_TYPE_MKSOCK_ACL 9
96#define TOMOYO_TYPE_MKBLOCK_ACL 10
97#define TOMOYO_TYPE_MKCHAR_ACL 11
98#define TOMOYO_TYPE_TRUNCATE_ACL 12
99#define TOMOYO_TYPE_SYMLINK_ACL 13
100#define TOMOYO_TYPE_REWRITE_ACL 14
101#define TOMOYO_TYPE_IOCTL_ACL 15
102#define TOMOYO_TYPE_CHMOD_ACL 16
103#define TOMOYO_TYPE_CHOWN_ACL 17
104#define TOMOYO_TYPE_CHGRP_ACL 18
105#define TOMOYO_TYPE_CHROOT_ACL 19
106#define TOMOYO_TYPE_MOUNT_ACL 20
107#define TOMOYO_TYPE_UMOUNT_ACL 21
108#define TOMOYO_MAX_SINGLE_PATH_OPERATION 22
109
110#define TOMOYO_TYPE_LINK_ACL 0
111#define TOMOYO_TYPE_RENAME_ACL 1
112#define TOMOYO_TYPE_PIVOT_ROOT_ACL 2
113#define TOMOYO_MAX_DOUBLE_PATH_OPERATION 3
114
115#define TOMOYO_DOMAINPOLICY 0
116#define TOMOYO_EXCEPTIONPOLICY 1
117#define TOMOYO_DOMAIN_STATUS 2
118#define TOMOYO_PROCESS_STATUS 3
119#define TOMOYO_MEMINFO 4
120#define TOMOYO_SELFDOMAIN 5
121#define TOMOYO_VERSION 6
122#define TOMOYO_PROFILE 7
123#define TOMOYO_MANAGER 8
25 124
26struct dentry; 125/********** Structure definitions. **********/
27struct vfsmount;
28 126
29/* 127/*
30 * tomoyo_page_buffer is a structure which is used for holding a pathname 128 * tomoyo_page_buffer is a structure which is used for holding a pathname
@@ -66,13 +164,14 @@ struct tomoyo_path_info {
66}; 164};
67 165
68/* 166/*
69 * This is the max length of a token. 167 * tomoyo_name_entry is a structure which is used for linking
70 * 168 * "struct tomoyo_path_info" into tomoyo_name_list .
71 * A token consists of only ASCII printable characters.
72 * Non printable characters in a token is represented in \ooo style
73 * octal string. Thus, \ itself is represented as \\.
74 */ 169 */
75#define TOMOYO_MAX_PATHNAME_LEN 4000 170struct tomoyo_name_entry {
171 struct list_head list;
172 atomic_t users;
173 struct tomoyo_path_info entry;
174};
76 175
77/* 176/*
78 * tomoyo_path_info_with_data is a structure which is used for holding a 177 * tomoyo_path_info_with_data is a structure which is used for holding a
@@ -155,9 +254,6 @@ struct tomoyo_domain_info {
155 bool transition_failed; /* Domain transition failed flag. */ 254 bool transition_failed; /* Domain transition failed flag. */
156}; 255};
157 256
158/* Profile number is an integer between 0 and 255. */
159#define TOMOYO_MAX_PROFILES 256
160
161/* 257/*
162 * tomoyo_single_path_acl_record is a structure which is used for holding an 258 * tomoyo_single_path_acl_record is a structure which is used for holding an
163 * entry with one pathname operation (e.g. open(), mkdir()). 259 * entry with one pathname operation (e.g. open(), mkdir()).
@@ -204,29 +300,6 @@ struct tomoyo_double_path_acl_record {
204 const struct tomoyo_path_info *filename2; 300 const struct tomoyo_path_info *filename2;
205}; 301};
206 302
207/* Keywords for ACLs. */
208#define TOMOYO_KEYWORD_ALIAS "alias "
209#define TOMOYO_KEYWORD_ALLOW_READ "allow_read "
210#define TOMOYO_KEYWORD_DELETE "delete "
211#define TOMOYO_KEYWORD_DENY_REWRITE "deny_rewrite "
212#define TOMOYO_KEYWORD_FILE_PATTERN "file_pattern "
213#define TOMOYO_KEYWORD_INITIALIZE_DOMAIN "initialize_domain "
214#define TOMOYO_KEYWORD_KEEP_DOMAIN "keep_domain "
215#define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain "
216#define TOMOYO_KEYWORD_NO_KEEP_DOMAIN "no_keep_domain "
217#define TOMOYO_KEYWORD_SELECT "select "
218#define TOMOYO_KEYWORD_USE_PROFILE "use_profile "
219#define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read"
220/* A domain definition starts with <kernel>. */
221#define TOMOYO_ROOT_NAME "<kernel>"
222#define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1)
223
224/* Index numbers for Access Controls. */
225#define TOMOYO_MAC_FOR_FILE 0 /* domain_policy.conf */
226#define TOMOYO_MAX_ACCEPT_ENTRY 1
227#define TOMOYO_VERBOSE 2
228#define TOMOYO_MAX_CONTROL_INDEX 3
229
230/* 303/*
231 * tomoyo_io_buffer is a structure which is used for reading and modifying 304 * tomoyo_io_buffer is a structure which is used for reading and modifying
232 * configuration via /sys/kernel/security/tomoyo/ interface. 305 * configuration via /sys/kernel/security/tomoyo/ interface.
@@ -285,6 +358,149 @@ struct tomoyo_io_buffer {
285 int writebuf_size; 358 int writebuf_size;
286}; 359};
287 360
361/*
362 * tomoyo_globally_readable_file_entry is a structure which is used for holding
363 * "allow_read" entries.
364 * It has following fields.
365 *
366 * (1) "list" which is linked to tomoyo_globally_readable_list .
367 * (2) "filename" is a pathname which is allowed to open(O_RDONLY).
368 * (3) "is_deleted" is a bool which is true if marked as deleted, false
369 * otherwise.
370 */
371struct tomoyo_globally_readable_file_entry {
372 struct list_head list;
373 const struct tomoyo_path_info *filename;
374 bool is_deleted;
375};
376
377/*
378 * tomoyo_pattern_entry is a structure which is used for holding
379 * "tomoyo_pattern_list" entries.
380 * It has following fields.
381 *
382 * (1) "list" which is linked to tomoyo_pattern_list .
383 * (2) "pattern" is a pathname pattern which is used for converting pathnames
384 * to pathname patterns during learning mode.
385 * (3) "is_deleted" is a bool which is true if marked as deleted, false
386 * otherwise.
387 */
388struct tomoyo_pattern_entry {
389 struct list_head list;
390 const struct tomoyo_path_info *pattern;
391 bool is_deleted;
392};
393
394/*
395 * tomoyo_no_rewrite_entry is a structure which is used for holding
396 * "deny_rewrite" entries.
397 * It has following fields.
398 *
399 * (1) "list" which is linked to tomoyo_no_rewrite_list .
400 * (2) "pattern" is a pathname which is by default not permitted to modify
401 * already existing content.
402 * (3) "is_deleted" is a bool which is true if marked as deleted, false
403 * otherwise.
404 */
405struct tomoyo_no_rewrite_entry {
406 struct list_head list;
407 const struct tomoyo_path_info *pattern;
408 bool is_deleted;
409};
410
411/*
412 * tomoyo_domain_initializer_entry is a structure which is used for holding
413 * "initialize_domain" and "no_initialize_domain" entries.
414 * It has following fields.
415 *
416 * (1) "list" which is linked to tomoyo_domain_initializer_list .
417 * (2) "domainname" which is "a domainname" or "the last component of a
418 * domainname". This field is NULL if "from" clause is not specified.
419 * (3) "program" which is a program's pathname.
420 * (4) "is_deleted" is a bool which is true if marked as deleted, false
421 * otherwise.
422 * (5) "is_not" is a bool which is true if "no_initialize_domain", false
423 * otherwise.
424 * (6) "is_last_name" is a bool which is true if "domainname" is "the last
425 * component of a domainname", false otherwise.
426 */
427struct tomoyo_domain_initializer_entry {
428 struct list_head list;
429 const struct tomoyo_path_info *domainname; /* This may be NULL */
430 const struct tomoyo_path_info *program;
431 bool is_deleted;
432 bool is_not; /* True if this entry is "no_initialize_domain". */
433 /* True if the domainname is tomoyo_get_last_name(). */
434 bool is_last_name;
435};
436
437/*
438 * tomoyo_domain_keeper_entry is a structure which is used for holding
439 * "keep_domain" and "no_keep_domain" entries.
440 * It has following fields.
441 *
442 * (1) "list" which is linked to tomoyo_domain_keeper_list .
443 * (2) "domainname" which is "a domainname" or "the last component of a
444 * domainname".
445 * (3) "program" which is a program's pathname.
446 * This field is NULL if "from" clause is not specified.
447 * (4) "is_deleted" is a bool which is true if marked as deleted, false
448 * otherwise.
449 * (5) "is_not" is a bool which is true if "no_initialize_domain", false
450 * otherwise.
451 * (6) "is_last_name" is a bool which is true if "domainname" is "the last
452 * component of a domainname", false otherwise.
453 */
454struct tomoyo_domain_keeper_entry {
455 struct list_head list;
456 const struct tomoyo_path_info *domainname;
457 const struct tomoyo_path_info *program; /* This may be NULL */
458 bool is_deleted;
459 bool is_not; /* True if this entry is "no_keep_domain". */
460 /* True if the domainname is tomoyo_get_last_name(). */
461 bool is_last_name;
462};
463
464/*
465 * tomoyo_alias_entry is a structure which is used for holding "alias" entries.
466 * It has following fields.
467 *
468 * (1) "list" which is linked to tomoyo_alias_list .
469 * (2) "original_name" which is a dereferenced pathname.
470 * (3) "aliased_name" which is a symlink's pathname.
471 * (4) "is_deleted" is a bool which is true if marked as deleted, false
472 * otherwise.
473 */
474struct tomoyo_alias_entry {
475 struct list_head list;
476 const struct tomoyo_path_info *original_name;
477 const struct tomoyo_path_info *aliased_name;
478 bool is_deleted;
479};
480
481/*
482 * tomoyo_policy_manager_entry is a structure which is used for holding list of
483 * domainnames or programs which are permitted to modify configuration via
484 * /sys/kernel/security/tomoyo/ interface.
485 * It has following fields.
486 *
487 * (1) "list" which is linked to tomoyo_policy_manager_list .
488 * (2) "manager" is a domainname or a program's pathname.
489 * (3) "is_domain" is a bool which is true if "manager" is a domainname, false
490 * otherwise.
491 * (4) "is_deleted" is a bool which is true if marked as deleted, false
492 * otherwise.
493 */
494struct tomoyo_policy_manager_entry {
495 struct list_head list;
496 /* A path to program or a domainname. */
497 const struct tomoyo_path_info *manager;
498 bool is_domain; /* True if manager is a domainname. */
499 bool is_deleted; /* True if this entry is deleted. */
500};
501
502/********** Function prototypes. **********/
503
288/* Check whether the domain has too many ACL entries to hold. */ 504/* Check whether the domain has too many ACL entries to hold. */
289bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain); 505bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain);
290/* Transactional sprintf() for policy dump. */ 506/* Transactional sprintf() for policy dump. */
@@ -367,6 +583,85 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
367/* Run policy loader when /sbin/init starts. */ 583/* Run policy loader when /sbin/init starts. */
368void tomoyo_load_policy(const char *filename); 584void tomoyo_load_policy(const char *filename);
369 585
586/* Convert binary string to ascii string. */
587int tomoyo_encode(char *buffer, int buflen, const char *str);
588
589/* Returns realpath(3) of the given pathname but ignores chroot'ed root. */
590int tomoyo_realpath_from_path2(struct path *path, char *newname,
591 int newname_len);
592
593/*
594 * Returns realpath(3) of the given pathname but ignores chroot'ed root.
595 * These functions use kzalloc(), so the caller must call kfree()
596 * if these functions didn't return NULL.
597 */
598char *tomoyo_realpath(const char *pathname);
599/*
600 * Same with tomoyo_realpath() except that it doesn't follow the final symlink.
601 */
602char *tomoyo_realpath_nofollow(const char *pathname);
603/* Same with tomoyo_realpath() except that the pathname is already solved. */
604char *tomoyo_realpath_from_path(struct path *path);
605
606/* Check memory quota. */
607bool tomoyo_memory_ok(void *ptr);
608
609/*
610 * Keep the given name on the RAM.
611 * The RAM is shared, so NEVER try to modify or kfree() the returned name.
612 */
613const struct tomoyo_path_info *tomoyo_get_name(const char *name);
614
615/* Check for memory usage. */
616int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head);
617
618/* Set memory quota. */
619int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
620
621/* Initialize realpath related code. */
622void __init tomoyo_realpath_init(void);
623int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
624 const struct tomoyo_path_info *filename);
625int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
626 struct path *path, const int flag);
627int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
628 const u8 operation, struct path *path);
629int tomoyo_check_2path_perm(struct tomoyo_domain_info *domain,
630 const u8 operation, struct path *path1,
631 struct path *path2);
632int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
633 struct file *filp);
634int tomoyo_find_next_domain(struct linux_binprm *bprm);
635
636/********** External variable definitions. **********/
637
638/* Lock for GC. */
639extern struct srcu_struct tomoyo_ss;
640
641/* The list for "struct tomoyo_domain_info". */
642extern struct list_head tomoyo_domain_list;
643
644/* Lock for protecting policy. */
645extern struct mutex tomoyo_policy_lock;
646
647/* Has /sbin/init started? */
648extern bool tomoyo_policy_loaded;
649
650/* The kernel's domain. */
651extern struct tomoyo_domain_info tomoyo_kernel_domain;
652
653/********** Inlined functions. **********/
654
655static inline int tomoyo_read_lock(void)
656{
657 return srcu_read_lock(&tomoyo_ss);
658}
659
660static inline void tomoyo_read_unlock(int idx)
661{
662 srcu_read_unlock(&tomoyo_ss, idx);
663}
664
370/* strcmp() for "struct tomoyo_path_info" structure. */ 665/* strcmp() for "struct tomoyo_path_info" structure. */
371static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a, 666static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
372 const struct tomoyo_path_info *b) 667 const struct tomoyo_path_info *b)
@@ -398,17 +693,25 @@ static inline bool tomoyo_is_invalid(const unsigned char c)
398 return c && (c <= ' ' || c >= 127); 693 return c && (c <= ' ' || c >= 127);
399} 694}
400 695
401/* The list for "struct tomoyo_domain_info". */ 696static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
402extern struct list_head tomoyo_domain_list; 697{
403 698 if (name) {
404/* Lock for protecting policy. */ 699 struct tomoyo_name_entry *ptr =
405extern struct mutex tomoyo_policy_lock; 700 container_of(name, struct tomoyo_name_entry, entry);
701 atomic_dec(&ptr->users);
702 }
703}
406 704
407/* Has /sbin/init started? */ 705static inline struct tomoyo_domain_info *tomoyo_domain(void)
408extern bool tomoyo_policy_loaded; 706{
707 return current_cred()->security;
708}
409 709
410/* The kernel's domain. */ 710static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
411extern struct tomoyo_domain_info tomoyo_kernel_domain; 711 *task)
712{
713 return task_cred_xxx(task, security);
714}
412 715
413/** 716/**
414 * list_for_each_cookie - iterate over a list with cookie. 717 * list_for_each_cookie - iterate over a list with cookie.
@@ -428,16 +731,4 @@ extern struct tomoyo_domain_info tomoyo_kernel_domain;
428 prefetch(pos->next), pos != (head) || ((cookie) = NULL); \ 731 prefetch(pos->next), pos != (head) || ((cookie) = NULL); \
429 (cookie) = pos, pos = rcu_dereference(pos->next)) 732 (cookie) = pos, pos = rcu_dereference(pos->next))
430 733
431extern struct srcu_struct tomoyo_ss;
432
433static inline int tomoyo_read_lock(void)
434{
435 return srcu_read_lock(&tomoyo_ss);
436}
437
438static inline void tomoyo_read_unlock(int idx)
439{
440 srcu_read_unlock(&tomoyo_ss, idx);
441}
442
443#endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */ 734#endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */