aboutsummaryrefslogtreecommitdiffstats
path: root/security/tomoyo/gc.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/tomoyo/gc.c')
-rw-r--r--security/tomoyo/gc.c370
1 files changed, 370 insertions, 0 deletions
diff --git a/security/tomoyo/gc.c b/security/tomoyo/gc.c
new file mode 100644
index 000000000000..ee15da39387d
--- /dev/null
+++ b/security/tomoyo/gc.c
@@ -0,0 +1,370 @@
1/*
2 * security/tomoyo/gc.c
3 *
4 * Implementation of the Domain-Based Mandatory Access Control.
5 *
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
7 *
8 */
9
10#include "common.h"
11#include <linux/kthread.h>
12
13enum tomoyo_gc_id {
14 TOMOYO_ID_DOMAIN_INITIALIZER,
15 TOMOYO_ID_DOMAIN_KEEPER,
16 TOMOYO_ID_ALIAS,
17 TOMOYO_ID_GLOBALLY_READABLE,
18 TOMOYO_ID_PATTERN,
19 TOMOYO_ID_NO_REWRITE,
20 TOMOYO_ID_MANAGER,
21 TOMOYO_ID_NAME,
22 TOMOYO_ID_ACL,
23 TOMOYO_ID_DOMAIN
24};
25
26struct tomoyo_gc_entry {
27 struct list_head list;
28 int type;
29 void *element;
30};
31static LIST_HEAD(tomoyo_gc_queue);
32static DEFINE_MUTEX(tomoyo_gc_mutex);
33
34/* Caller holds tomoyo_policy_lock mutex. */
35static bool tomoyo_add_to_gc(const int type, void *element)
36{
37 struct tomoyo_gc_entry *entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
38 if (!entry)
39 return false;
40 entry->type = type;
41 entry->element = element;
42 list_add(&entry->list, &tomoyo_gc_queue);
43 return true;
44}
45
46static void tomoyo_del_allow_read
47(struct tomoyo_globally_readable_file_entry *ptr)
48{
49 tomoyo_put_name(ptr->filename);
50}
51
52static void tomoyo_del_file_pattern(struct tomoyo_pattern_entry *ptr)
53{
54 tomoyo_put_name(ptr->pattern);
55}
56
57static void tomoyo_del_no_rewrite(struct tomoyo_no_rewrite_entry *ptr)
58{
59 tomoyo_put_name(ptr->pattern);
60}
61
62static void tomoyo_del_domain_initializer
63(struct tomoyo_domain_initializer_entry *ptr)
64{
65 tomoyo_put_name(ptr->domainname);
66 tomoyo_put_name(ptr->program);
67}
68
69static void tomoyo_del_domain_keeper(struct tomoyo_domain_keeper_entry *ptr)
70{
71 tomoyo_put_name(ptr->domainname);
72 tomoyo_put_name(ptr->program);
73}
74
75static void tomoyo_del_alias(struct tomoyo_alias_entry *ptr)
76{
77 tomoyo_put_name(ptr->original_name);
78 tomoyo_put_name(ptr->aliased_name);
79}
80
81static void tomoyo_del_manager(struct tomoyo_policy_manager_entry *ptr)
82{
83 tomoyo_put_name(ptr->manager);
84}
85
86static void tomoyo_del_acl(struct tomoyo_acl_info *acl)
87{
88 switch (acl->type) {
89 case TOMOYO_TYPE_SINGLE_PATH_ACL:
90 {
91 struct tomoyo_single_path_acl_record *entry
92 = container_of(acl, typeof(*entry), head);
93 tomoyo_put_name(entry->filename);
94 }
95 break;
96 case TOMOYO_TYPE_DOUBLE_PATH_ACL:
97 {
98 struct tomoyo_double_path_acl_record *entry
99 = container_of(acl, typeof(*entry), head);
100 tomoyo_put_name(entry->filename1);
101 tomoyo_put_name(entry->filename2);
102 }
103 break;
104 default:
105 printk(KERN_WARNING "Unknown type\n");
106 break;
107 }
108}
109
110static bool tomoyo_del_domain(struct tomoyo_domain_info *domain)
111{
112 struct tomoyo_acl_info *acl;
113 struct tomoyo_acl_info *tmp;
114 /*
115 * Since we don't protect whole execve() operation using SRCU,
116 * we need to recheck domain->users at this point.
117 *
118 * (1) Reader starts SRCU section upon execve().
119 * (2) Reader traverses tomoyo_domain_list and finds this domain.
120 * (3) Writer marks this domain as deleted.
121 * (4) Garbage collector removes this domain from tomoyo_domain_list
122 * because this domain is marked as deleted and used by nobody.
123 * (5) Reader saves reference to this domain into
124 * "struct linux_binprm"->cred->security .
125 * (6) Reader finishes SRCU section, although execve() operation has
126 * not finished yet.
127 * (7) Garbage collector waits for SRCU synchronization.
128 * (8) Garbage collector kfree() this domain because this domain is
129 * used by nobody.
130 * (9) Reader finishes execve() operation and restores this domain from
131 * "struct linux_binprm"->cred->security.
132 *
133 * By updating domain->users at (5), we can solve this race problem
134 * by rechecking domain->users at (8).
135 */
136 if (atomic_read(&domain->users))
137 return false;
138 list_for_each_entry_safe(acl, tmp, &domain->acl_info_list, list) {
139 tomoyo_del_acl(acl);
140 tomoyo_memory_free(acl);
141 }
142 tomoyo_put_name(domain->domainname);
143 return true;
144}
145
146
147static void tomoyo_del_name(const struct tomoyo_name_entry *ptr)
148{
149}
150
151static void tomoyo_collect_entry(void)
152{
153 mutex_lock(&tomoyo_policy_lock);
154 {
155 struct tomoyo_globally_readable_file_entry *ptr;
156 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list,
157 list) {
158 if (!ptr->is_deleted)
159 continue;
160 if (tomoyo_add_to_gc(TOMOYO_ID_GLOBALLY_READABLE, ptr))
161 list_del_rcu(&ptr->list);
162 else
163 break;
164 }
165 }
166 {
167 struct tomoyo_pattern_entry *ptr;
168 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
169 if (!ptr->is_deleted)
170 continue;
171 if (tomoyo_add_to_gc(TOMOYO_ID_PATTERN, ptr))
172 list_del_rcu(&ptr->list);
173 else
174 break;
175 }
176 }
177 {
178 struct tomoyo_no_rewrite_entry *ptr;
179 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
180 if (!ptr->is_deleted)
181 continue;
182 if (tomoyo_add_to_gc(TOMOYO_ID_NO_REWRITE, ptr))
183 list_del_rcu(&ptr->list);
184 else
185 break;
186 }
187 }
188 {
189 struct tomoyo_domain_initializer_entry *ptr;
190 list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list,
191 list) {
192 if (!ptr->is_deleted)
193 continue;
194 if (tomoyo_add_to_gc(TOMOYO_ID_DOMAIN_INITIALIZER, ptr))
195 list_del_rcu(&ptr->list);
196 else
197 break;
198 }
199 }
200 {
201 struct tomoyo_domain_keeper_entry *ptr;
202 list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) {
203 if (!ptr->is_deleted)
204 continue;
205 if (tomoyo_add_to_gc(TOMOYO_ID_DOMAIN_KEEPER, ptr))
206 list_del_rcu(&ptr->list);
207 else
208 break;
209 }
210 }
211 {
212 struct tomoyo_alias_entry *ptr;
213 list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
214 if (!ptr->is_deleted)
215 continue;
216 if (tomoyo_add_to_gc(TOMOYO_ID_ALIAS, ptr))
217 list_del_rcu(&ptr->list);
218 else
219 break;
220 }
221 }
222 {
223 struct tomoyo_policy_manager_entry *ptr;
224 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list,
225 list) {
226 if (!ptr->is_deleted)
227 continue;
228 if (tomoyo_add_to_gc(TOMOYO_ID_MANAGER, ptr))
229 list_del_rcu(&ptr->list);
230 else
231 break;
232 }
233 }
234 {
235 struct tomoyo_domain_info *domain;
236 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
237 struct tomoyo_acl_info *acl;
238 list_for_each_entry_rcu(acl, &domain->acl_info_list,
239 list) {
240 switch (acl->type) {
241 case TOMOYO_TYPE_SINGLE_PATH_ACL:
242 if (container_of(acl,
243 struct tomoyo_single_path_acl_record,
244 head)->perm ||
245 container_of(acl,
246 struct tomoyo_single_path_acl_record,
247 head)->perm_high)
248 continue;
249 break;
250 case TOMOYO_TYPE_DOUBLE_PATH_ACL:
251 if (container_of(acl,
252 struct tomoyo_double_path_acl_record,
253 head)->perm)
254 continue;
255 break;
256 default:
257 continue;
258 }
259 if (tomoyo_add_to_gc(TOMOYO_ID_ACL, acl))
260 list_del_rcu(&acl->list);
261 else
262 break;
263 }
264 if (!domain->is_deleted || atomic_read(&domain->users))
265 continue;
266 /*
267 * Nobody is referring this domain. But somebody may
268 * refer this domain after successful execve().
269 * We recheck domain->users after SRCU synchronization.
270 */
271 if (tomoyo_add_to_gc(TOMOYO_ID_DOMAIN, domain))
272 list_del_rcu(&domain->list);
273 else
274 break;
275 }
276 }
277 mutex_unlock(&tomoyo_policy_lock);
278 mutex_lock(&tomoyo_name_list_lock);
279 {
280 int i;
281 for (i = 0; i < TOMOYO_MAX_HASH; i++) {
282 struct tomoyo_name_entry *ptr;
283 list_for_each_entry_rcu(ptr, &tomoyo_name_list[i],
284 list) {
285 if (atomic_read(&ptr->users))
286 continue;
287 if (tomoyo_add_to_gc(TOMOYO_ID_NAME, ptr))
288 list_del_rcu(&ptr->list);
289 else {
290 i = TOMOYO_MAX_HASH;
291 break;
292 }
293 }
294 }
295 }
296 mutex_unlock(&tomoyo_name_list_lock);
297}
298
299static void tomoyo_kfree_entry(void)
300{
301 struct tomoyo_gc_entry *p;
302 struct tomoyo_gc_entry *tmp;
303
304 list_for_each_entry_safe(p, tmp, &tomoyo_gc_queue, list) {
305 switch (p->type) {
306 case TOMOYO_ID_DOMAIN_INITIALIZER:
307 tomoyo_del_domain_initializer(p->element);
308 break;
309 case TOMOYO_ID_DOMAIN_KEEPER:
310 tomoyo_del_domain_keeper(p->element);
311 break;
312 case TOMOYO_ID_ALIAS:
313 tomoyo_del_alias(p->element);
314 break;
315 case TOMOYO_ID_GLOBALLY_READABLE:
316 tomoyo_del_allow_read(p->element);
317 break;
318 case TOMOYO_ID_PATTERN:
319 tomoyo_del_file_pattern(p->element);
320 break;
321 case TOMOYO_ID_NO_REWRITE:
322 tomoyo_del_no_rewrite(p->element);
323 break;
324 case TOMOYO_ID_MANAGER:
325 tomoyo_del_manager(p->element);
326 break;
327 case TOMOYO_ID_NAME:
328 tomoyo_del_name(p->element);
329 break;
330 case TOMOYO_ID_ACL:
331 tomoyo_del_acl(p->element);
332 break;
333 case TOMOYO_ID_DOMAIN:
334 if (!tomoyo_del_domain(p->element))
335 continue;
336 break;
337 default:
338 printk(KERN_WARNING "Unknown type\n");
339 break;
340 }
341 tomoyo_memory_free(p->element);
342 list_del(&p->list);
343 kfree(p);
344 }
345}
346
347static int tomoyo_gc_thread(void *unused)
348{
349 daemonize("GC for TOMOYO");
350 if (mutex_trylock(&tomoyo_gc_mutex)) {
351 int i;
352 for (i = 0; i < 10; i++) {
353 tomoyo_collect_entry();
354 if (list_empty(&tomoyo_gc_queue))
355 break;
356 synchronize_srcu(&tomoyo_ss);
357 tomoyo_kfree_entry();
358 }
359 mutex_unlock(&tomoyo_gc_mutex);
360 }
361 do_exit(0);
362}
363
364void tomoyo_run_gc(void)
365{
366 struct task_struct *task = kthread_create(tomoyo_gc_thread, NULL,
367 "GC for TOMOYO");
368 if (!IS_ERR(task))
369 wake_up_process(task);
370}