diff options
Diffstat (limited to 'security')
45 files changed, 8179 insertions, 335 deletions
diff --git a/security/Kconfig b/security/Kconfig index 9438535d7fd0..bb244774e9d7 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
@@ -55,7 +55,8 @@ config SECURITYFS | |||
55 | bool "Enable the securityfs filesystem" | 55 | bool "Enable the securityfs filesystem" |
56 | help | 56 | help |
57 | This will build the securityfs filesystem. It is currently used by | 57 | This will build the securityfs filesystem. It is currently used by |
58 | the TPM bios character driver. It is not used by SELinux or SMACK. | 58 | the TPM bios character driver and IMA, an integrity provider. It is |
59 | not used by SELinux or SMACK. | ||
59 | 60 | ||
60 | If you are unsure how to answer this question, answer N. | 61 | If you are unsure how to answer this question, answer N. |
61 | 62 | ||
@@ -134,6 +135,9 @@ config SECURITY_DEFAULT_MMAP_MIN_ADDR | |||
134 | 135 | ||
135 | source security/selinux/Kconfig | 136 | source security/selinux/Kconfig |
136 | source security/smack/Kconfig | 137 | source security/smack/Kconfig |
138 | source security/tomoyo/Kconfig | ||
139 | |||
140 | source security/integrity/ima/Kconfig | ||
137 | 141 | ||
138 | endmenu | 142 | endmenu |
139 | 143 | ||
diff --git a/security/Makefile b/security/Makefile index c05c127fff9a..fa77021d9778 100644 --- a/security/Makefile +++ b/security/Makefile | |||
@@ -5,6 +5,7 @@ | |||
5 | obj-$(CONFIG_KEYS) += keys/ | 5 | obj-$(CONFIG_KEYS) += keys/ |
6 | subdir-$(CONFIG_SECURITY_SELINUX) += selinux | 6 | subdir-$(CONFIG_SECURITY_SELINUX) += selinux |
7 | subdir-$(CONFIG_SECURITY_SMACK) += smack | 7 | subdir-$(CONFIG_SECURITY_SMACK) += smack |
8 | subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo | ||
8 | 9 | ||
9 | # always enable default capabilities | 10 | # always enable default capabilities |
10 | obj-y += commoncap.o | 11 | obj-y += commoncap.o |
@@ -15,5 +16,10 @@ obj-$(CONFIG_SECURITYFS) += inode.o | |||
15 | # Must precede capability.o in order to stack properly. | 16 | # Must precede capability.o in order to stack properly. |
16 | obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o | 17 | obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o |
17 | obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o | 18 | obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o |
19 | obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o | ||
18 | obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o | 20 | obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o |
19 | obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o | 21 | obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o |
22 | |||
23 | # Object integrity file lists | ||
24 | subdir-$(CONFIG_IMA) += integrity/ima | ||
25 | obj-$(CONFIG_IMA) += integrity/ima/built-in.o | ||
diff --git a/security/inode.c b/security/inode.c index 007ef252dde7..f3b91bfbe4cb 100644 --- a/security/inode.c +++ b/security/inode.c | |||
@@ -202,12 +202,11 @@ static int create_by_name(const char *name, mode_t mode, | |||
202 | * This function returns a pointer to a dentry if it succeeds. This | 202 | * This function returns a pointer to a dentry if it succeeds. This |
203 | * pointer must be passed to the securityfs_remove() function when the file is | 203 | * pointer must be passed to the securityfs_remove() function when the file is |
204 | * to be removed (no automatic cleanup happens if your module is unloaded, | 204 | * to be removed (no automatic cleanup happens if your module is unloaded, |
205 | * you are responsible here). If an error occurs, %NULL is returned. | 205 | * you are responsible here). If an error occurs, the function will return |
206 | * the erorr value (via ERR_PTR). | ||
206 | * | 207 | * |
207 | * If securityfs is not enabled in the kernel, the value %-ENODEV is | 208 | * If securityfs is not enabled in the kernel, the value %-ENODEV is |
208 | * returned. It is not wise to check for this value, but rather, check for | 209 | * returned. |
209 | * %NULL or !%NULL instead as to eliminate the need for #ifdef in the calling | ||
210 | * code. | ||
211 | */ | 210 | */ |
212 | struct dentry *securityfs_create_file(const char *name, mode_t mode, | 211 | struct dentry *securityfs_create_file(const char *name, mode_t mode, |
213 | struct dentry *parent, void *data, | 212 | struct dentry *parent, void *data, |
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig new file mode 100644 index 000000000000..53d9764e8f09 --- /dev/null +++ b/security/integrity/ima/Kconfig | |||
@@ -0,0 +1,55 @@ | |||
1 | # IBM Integrity Measurement Architecture | ||
2 | # | ||
3 | config IMA | ||
4 | bool "Integrity Measurement Architecture(IMA)" | ||
5 | depends on ACPI | ||
6 | select SECURITYFS | ||
7 | select CRYPTO | ||
8 | select CRYPTO_HMAC | ||
9 | select CRYPTO_MD5 | ||
10 | select CRYPTO_SHA1 | ||
11 | select TCG_TPM | ||
12 | select TCG_TIS | ||
13 | help | ||
14 | The Trusted Computing Group(TCG) runtime Integrity | ||
15 | Measurement Architecture(IMA) maintains a list of hash | ||
16 | values of executables and other sensitive system files, | ||
17 | as they are read or executed. If an attacker manages | ||
18 | to change the contents of an important system file | ||
19 | being measured, we can tell. | ||
20 | |||
21 | If your system has a TPM chip, then IMA also maintains | ||
22 | an aggregate integrity value over this list inside the | ||
23 | TPM hardware, so that the TPM can prove to a third party | ||
24 | whether or not critical system files have been modified. | ||
25 | Read <http://www.usenix.org/events/sec04/tech/sailer.html> | ||
26 | to learn more about IMA. | ||
27 | If unsure, say N. | ||
28 | |||
29 | config IMA_MEASURE_PCR_IDX | ||
30 | int | ||
31 | depends on IMA | ||
32 | range 8 14 | ||
33 | default 10 | ||
34 | help | ||
35 | IMA_MEASURE_PCR_IDX determines the TPM PCR register index | ||
36 | that IMA uses to maintain the integrity aggregate of the | ||
37 | measurement list. If unsure, use the default 10. | ||
38 | |||
39 | config IMA_AUDIT | ||
40 | bool | ||
41 | depends on IMA | ||
42 | default y | ||
43 | help | ||
44 | This option adds a kernel parameter 'ima_audit', which | ||
45 | allows informational auditing messages to be enabled | ||
46 | at boot. If this option is selected, informational integrity | ||
47 | auditing messages can be enabled with 'ima_audit=1' on | ||
48 | the kernel command line. | ||
49 | |||
50 | config IMA_LSM_RULES | ||
51 | bool | ||
52 | depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) | ||
53 | default y | ||
54 | help | ||
55 | Disabling this option will disregard LSM based policy rules. | ||
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile new file mode 100644 index 000000000000..787c4cb916cd --- /dev/null +++ b/security/integrity/ima/Makefile | |||
@@ -0,0 +1,9 @@ | |||
1 | # | ||
2 | # Makefile for building Trusted Computing Group's(TCG) runtime Integrity | ||
3 | # Measurement Architecture(IMA). | ||
4 | # | ||
5 | |||
6 | obj-$(CONFIG_IMA) += ima.o | ||
7 | |||
8 | ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ | ||
9 | ima_policy.o ima_iint.o ima_audit.o | ||
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h new file mode 100644 index 000000000000..165eb5397ea5 --- /dev/null +++ b/security/integrity/ima/ima.h | |||
@@ -0,0 +1,166 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2005,2006,2007,2008 IBM Corporation | ||
3 | * | ||
4 | * Authors: | ||
5 | * Reiner Sailer <sailer@watson.ibm.com> | ||
6 | * Mimi Zohar <zohar@us.ibm.com> | ||
7 | * | ||
8 | * This program is free software; you can redistribute it and/or | ||
9 | * modify it under the terms of the GNU General Public License as | ||
10 | * published by the Free Software Foundation, version 2 of the | ||
11 | * License. | ||
12 | * | ||
13 | * File: ima.h | ||
14 | * internal Integrity Measurement Architecture (IMA) definitions | ||
15 | */ | ||
16 | |||
17 | #ifndef __LINUX_IMA_H | ||
18 | #define __LINUX_IMA_H | ||
19 | |||
20 | #include <linux/types.h> | ||
21 | #include <linux/crypto.h> | ||
22 | #include <linux/security.h> | ||
23 | #include <linux/hash.h> | ||
24 | #include <linux/tpm.h> | ||
25 | #include <linux/audit.h> | ||
26 | |||
27 | enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_ASCII }; | ||
28 | enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; | ||
29 | |||
30 | /* digest size for IMA, fits SHA1 or MD5 */ | ||
31 | #define IMA_DIGEST_SIZE 20 | ||
32 | #define IMA_EVENT_NAME_LEN_MAX 255 | ||
33 | |||
34 | #define IMA_HASH_BITS 9 | ||
35 | #define IMA_MEASURE_HTABLE_SIZE (1 << IMA_HASH_BITS) | ||
36 | |||
37 | /* set during initialization */ | ||
38 | extern int ima_initialized; | ||
39 | extern int ima_used_chip; | ||
40 | extern char *ima_hash; | ||
41 | |||
42 | /* IMA inode template definition */ | ||
43 | struct ima_template_data { | ||
44 | u8 digest[IMA_DIGEST_SIZE]; /* sha1/md5 measurement hash */ | ||
45 | char file_name[IMA_EVENT_NAME_LEN_MAX + 1]; /* name + \0 */ | ||
46 | }; | ||
47 | |||
48 | struct ima_template_entry { | ||
49 | u8 digest[IMA_DIGEST_SIZE]; /* sha1 or md5 measurement hash */ | ||
50 | const char *template_name; | ||
51 | int template_len; | ||
52 | struct ima_template_data template; | ||
53 | }; | ||
54 | |||
55 | struct ima_queue_entry { | ||
56 | struct hlist_node hnext; /* place in hash collision list */ | ||
57 | struct list_head later; /* place in ima_measurements list */ | ||
58 | struct ima_template_entry *entry; | ||
59 | }; | ||
60 | extern struct list_head ima_measurements; /* list of all measurements */ | ||
61 | |||
62 | /* declarations */ | ||
63 | void integrity_audit_msg(int audit_msgno, struct inode *inode, | ||
64 | const unsigned char *fname, const char *op, | ||
65 | const char *cause, int result, int info); | ||
66 | |||
67 | /* Internal IMA function definitions */ | ||
68 | void ima_iintcache_init(void); | ||
69 | int ima_init(void); | ||
70 | void ima_cleanup(void); | ||
71 | int ima_fs_init(void); | ||
72 | void ima_fs_cleanup(void); | ||
73 | int ima_add_template_entry(struct ima_template_entry *entry, int violation, | ||
74 | const char *op, struct inode *inode); | ||
75 | int ima_calc_hash(struct file *file, char *digest); | ||
76 | int ima_calc_template_hash(int template_len, void *template, char *digest); | ||
77 | int ima_calc_boot_aggregate(char *digest); | ||
78 | void ima_add_violation(struct inode *inode, const unsigned char *filename, | ||
79 | const char *op, const char *cause); | ||
80 | |||
81 | /* | ||
82 | * used to protect h_table and sha_table | ||
83 | */ | ||
84 | extern spinlock_t ima_queue_lock; | ||
85 | |||
86 | struct ima_h_table { | ||
87 | atomic_long_t len; /* number of stored measurements in the list */ | ||
88 | atomic_long_t violations; | ||
89 | struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE]; | ||
90 | }; | ||
91 | extern struct ima_h_table ima_htable; | ||
92 | |||
93 | static inline unsigned long ima_hash_key(u8 *digest) | ||
94 | { | ||
95 | return hash_long(*digest, IMA_HASH_BITS); | ||
96 | } | ||
97 | |||
98 | /* iint cache flags */ | ||
99 | #define IMA_MEASURED 1 | ||
100 | #define IMA_IINT_DUMP_STACK 512 | ||
101 | |||
102 | /* integrity data associated with an inode */ | ||
103 | struct ima_iint_cache { | ||
104 | u64 version; /* track inode changes */ | ||
105 | unsigned long flags; | ||
106 | u8 digest[IMA_DIGEST_SIZE]; | ||
107 | struct mutex mutex; /* protects: version, flags, digest */ | ||
108 | long readcount; /* measured files readcount */ | ||
109 | long writecount; /* measured files writecount */ | ||
110 | long opencount; /* opens reference count */ | ||
111 | struct kref refcount; /* ima_iint_cache reference count */ | ||
112 | struct rcu_head rcu; | ||
113 | }; | ||
114 | |||
115 | /* LIM API function definitions */ | ||
116 | int ima_must_measure(struct ima_iint_cache *iint, struct inode *inode, | ||
117 | int mask, int function); | ||
118 | int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file); | ||
119 | void ima_store_measurement(struct ima_iint_cache *iint, struct file *file, | ||
120 | const unsigned char *filename); | ||
121 | int ima_store_template(struct ima_template_entry *entry, int violation, | ||
122 | struct inode *inode); | ||
123 | void ima_template_show(struct seq_file *m, void *e, | ||
124 | enum ima_show_type show); | ||
125 | |||
126 | /* radix tree calls to lookup, insert, delete | ||
127 | * integrity data associated with an inode. | ||
128 | */ | ||
129 | struct ima_iint_cache *ima_iint_insert(struct inode *inode); | ||
130 | struct ima_iint_cache *ima_iint_find_get(struct inode *inode); | ||
131 | struct ima_iint_cache *ima_iint_find_insert_get(struct inode *inode); | ||
132 | void ima_iint_delete(struct inode *inode); | ||
133 | void iint_free(struct kref *kref); | ||
134 | void iint_rcu_free(struct rcu_head *rcu); | ||
135 | |||
136 | /* IMA policy related functions */ | ||
137 | enum ima_hooks { PATH_CHECK = 1, FILE_MMAP, BPRM_CHECK }; | ||
138 | |||
139 | int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask); | ||
140 | void ima_init_policy(void); | ||
141 | void ima_update_policy(void); | ||
142 | int ima_parse_add_rule(char *); | ||
143 | void ima_delete_rules(void); | ||
144 | |||
145 | /* LSM based policy rules require audit */ | ||
146 | #ifdef CONFIG_IMA_LSM_RULES | ||
147 | |||
148 | #define security_filter_rule_init security_audit_rule_init | ||
149 | #define security_filter_rule_match security_audit_rule_match | ||
150 | |||
151 | #else | ||
152 | |||
153 | static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr, | ||
154 | void **lsmrule) | ||
155 | { | ||
156 | return -EINVAL; | ||
157 | } | ||
158 | |||
159 | static inline int security_filter_rule_match(u32 secid, u32 field, u32 op, | ||
160 | void *lsmrule, | ||
161 | struct audit_context *actx) | ||
162 | { | ||
163 | return -EINVAL; | ||
164 | } | ||
165 | #endif /* CONFIG_IMA_LSM_RULES */ | ||
166 | #endif | ||
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c new file mode 100644 index 000000000000..3cd58b60afd2 --- /dev/null +++ b/security/integrity/ima/ima_api.c | |||
@@ -0,0 +1,190 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2008 IBM Corporation | ||
3 | * | ||
4 | * Author: Mimi Zohar <zohar@us.ibm.com> | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or | ||
7 | * modify it under the terms of the GNU General Public License as | ||
8 | * published by the Free Software Foundation, version 2 of the | ||
9 | * License. | ||
10 | * | ||
11 | * File: ima_api.c | ||
12 | * Implements must_measure, collect_measurement, store_measurement, | ||
13 | * and store_template. | ||
14 | */ | ||
15 | #include <linux/module.h> | ||
16 | |||
17 | #include "ima.h" | ||
18 | static const char *IMA_TEMPLATE_NAME = "ima"; | ||
19 | |||
20 | /* | ||
21 | * ima_store_template - store ima template measurements | ||
22 | * | ||
23 | * Calculate the hash of a template entry, add the template entry | ||
24 | * to an ordered list of measurement entries maintained inside the kernel, | ||
25 | * and also update the aggregate integrity value (maintained inside the | ||
26 | * configured TPM PCR) over the hashes of the current list of measurement | ||
27 | * entries. | ||
28 | * | ||
29 | * Applications retrieve the current kernel-held measurement list through | ||
30 | * the securityfs entries in /sys/kernel/security/ima. The signed aggregate | ||
31 | * TPM PCR (called quote) can be retrieved using a TPM user space library | ||
32 | * and is used to validate the measurement list. | ||
33 | * | ||
34 | * Returns 0 on success, error code otherwise | ||
35 | */ | ||
36 | int ima_store_template(struct ima_template_entry *entry, | ||
37 | int violation, struct inode *inode) | ||
38 | { | ||
39 | const char *op = "add_template_measure"; | ||
40 | const char *audit_cause = "hashing_error"; | ||
41 | int result; | ||
42 | |||
43 | memset(entry->digest, 0, sizeof(entry->digest)); | ||
44 | entry->template_name = IMA_TEMPLATE_NAME; | ||
45 | entry->template_len = sizeof(entry->template); | ||
46 | |||
47 | if (!violation) { | ||
48 | result = ima_calc_template_hash(entry->template_len, | ||
49 | &entry->template, | ||
50 | entry->digest); | ||
51 | if (result < 0) { | ||
52 | integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, | ||
53 | entry->template_name, op, | ||
54 | audit_cause, result, 0); | ||
55 | return result; | ||
56 | } | ||
57 | } | ||
58 | result = ima_add_template_entry(entry, violation, op, inode); | ||
59 | return result; | ||
60 | } | ||
61 | |||
62 | /* | ||
63 | * ima_add_violation - add violation to measurement list. | ||
64 | * | ||
65 | * Violations are flagged in the measurement list with zero hash values. | ||
66 | * By extending the PCR with 0xFF's instead of with zeroes, the PCR | ||
67 | * value is invalidated. | ||
68 | */ | ||
69 | void ima_add_violation(struct inode *inode, const unsigned char *filename, | ||
70 | const char *op, const char *cause) | ||
71 | { | ||
72 | struct ima_template_entry *entry; | ||
73 | int violation = 1; | ||
74 | int result; | ||
75 | |||
76 | /* can overflow, only indicator */ | ||
77 | atomic_long_inc(&ima_htable.violations); | ||
78 | |||
79 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
80 | if (!entry) { | ||
81 | result = -ENOMEM; | ||
82 | goto err_out; | ||
83 | } | ||
84 | memset(&entry->template, 0, sizeof(entry->template)); | ||
85 | strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX); | ||
86 | result = ima_store_template(entry, violation, inode); | ||
87 | if (result < 0) | ||
88 | kfree(entry); | ||
89 | err_out: | ||
90 | integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, | ||
91 | op, cause, result, 0); | ||
92 | } | ||
93 | |||
94 | /** | ||
95 | * ima_must_measure - measure decision based on policy. | ||
96 | * @inode: pointer to inode to measure | ||
97 | * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXECUTE) | ||
98 | * @function: calling function (PATH_CHECK, BPRM_CHECK, FILE_MMAP) | ||
99 | * | ||
100 | * The policy is defined in terms of keypairs: | ||
101 | * subj=, obj=, type=, func=, mask=, fsmagic= | ||
102 | * subj,obj, and type: are LSM specific. | ||
103 | * func: PATH_CHECK | BPRM_CHECK | FILE_MMAP | ||
104 | * mask: contains the permission mask | ||
105 | * fsmagic: hex value | ||
106 | * | ||
107 | * Must be called with iint->mutex held. | ||
108 | * | ||
109 | * Return 0 to measure. Return 1 if already measured. | ||
110 | * For matching a DONT_MEASURE policy, no policy, or other | ||
111 | * error, return an error code. | ||
112 | */ | ||
113 | int ima_must_measure(struct ima_iint_cache *iint, struct inode *inode, | ||
114 | int mask, int function) | ||
115 | { | ||
116 | int must_measure; | ||
117 | |||
118 | if (iint->flags & IMA_MEASURED) | ||
119 | return 1; | ||
120 | |||
121 | must_measure = ima_match_policy(inode, function, mask); | ||
122 | return must_measure ? 0 : -EACCES; | ||
123 | } | ||
124 | |||
125 | /* | ||
126 | * ima_collect_measurement - collect file measurement | ||
127 | * | ||
128 | * Calculate the file hash, if it doesn't already exist, | ||
129 | * storing the measurement and i_version in the iint. | ||
130 | * | ||
131 | * Must be called with iint->mutex held. | ||
132 | * | ||
133 | * Return 0 on success, error code otherwise | ||
134 | */ | ||
135 | int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file) | ||
136 | { | ||
137 | int result = -EEXIST; | ||
138 | |||
139 | if (!(iint->flags & IMA_MEASURED)) { | ||
140 | u64 i_version = file->f_dentry->d_inode->i_version; | ||
141 | |||
142 | memset(iint->digest, 0, IMA_DIGEST_SIZE); | ||
143 | result = ima_calc_hash(file, iint->digest); | ||
144 | if (!result) | ||
145 | iint->version = i_version; | ||
146 | } | ||
147 | return result; | ||
148 | } | ||
149 | |||
150 | /* | ||
151 | * ima_store_measurement - store file measurement | ||
152 | * | ||
153 | * Create an "ima" template and then store the template by calling | ||
154 | * ima_store_template. | ||
155 | * | ||
156 | * We only get here if the inode has not already been measured, | ||
157 | * but the measurement could already exist: | ||
158 | * - multiple copies of the same file on either the same or | ||
159 | * different filesystems. | ||
160 | * - the inode was previously flushed as well as the iint info, | ||
161 | * containing the hashing info. | ||
162 | * | ||
163 | * Must be called with iint->mutex held. | ||
164 | */ | ||
165 | void ima_store_measurement(struct ima_iint_cache *iint, struct file *file, | ||
166 | const unsigned char *filename) | ||
167 | { | ||
168 | const char *op = "add_template_measure"; | ||
169 | const char *audit_cause = "ENOMEM"; | ||
170 | int result = -ENOMEM; | ||
171 | struct inode *inode = file->f_dentry->d_inode; | ||
172 | struct ima_template_entry *entry; | ||
173 | int violation = 0; | ||
174 | |||
175 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
176 | if (!entry) { | ||
177 | integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, | ||
178 | op, audit_cause, result, 0); | ||
179 | return; | ||
180 | } | ||
181 | memset(&entry->template, 0, sizeof(entry->template)); | ||
182 | memcpy(entry->template.digest, iint->digest, IMA_DIGEST_SIZE); | ||
183 | strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX); | ||
184 | |||
185 | result = ima_store_template(entry, violation, inode); | ||
186 | if (!result) | ||
187 | iint->flags |= IMA_MEASURED; | ||
188 | else | ||
189 | kfree(entry); | ||
190 | } | ||
diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c new file mode 100644 index 000000000000..1e082bb987be --- /dev/null +++ b/security/integrity/ima/ima_audit.c | |||
@@ -0,0 +1,81 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2008 IBM Corporation | ||
3 | * Author: Mimi Zohar <zohar@us.ibm.com> | ||
4 | * | ||
5 | * This program is free software; you can redistribute it and/or modify | ||
6 | * it under the terms of the GNU General Public License as published by | ||
7 | * the Free Software Foundation, version 2 of the License. | ||
8 | * | ||
9 | * File: integrity_audit.c | ||
10 | * Audit calls for the integrity subsystem | ||
11 | */ | ||
12 | |||
13 | #include <linux/fs.h> | ||
14 | #include <linux/audit.h> | ||
15 | #include "ima.h" | ||
16 | |||
17 | static int ima_audit; | ||
18 | |||
19 | #ifdef CONFIG_IMA_AUDIT | ||
20 | |||
21 | /* ima_audit_setup - enable informational auditing messages */ | ||
22 | static int __init ima_audit_setup(char *str) | ||
23 | { | ||
24 | unsigned long audit; | ||
25 | int rc, result = 0; | ||
26 | char *op = "ima_audit"; | ||
27 | char *cause; | ||
28 | |||
29 | rc = strict_strtoul(str, 0, &audit); | ||
30 | if (rc || audit > 1) | ||
31 | result = 1; | ||
32 | else | ||
33 | ima_audit = audit; | ||
34 | cause = ima_audit ? "enabled" : "not_enabled"; | ||
35 | integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, | ||
36 | op, cause, result, 0); | ||
37 | return 1; | ||
38 | } | ||
39 | __setup("ima_audit=", ima_audit_setup); | ||
40 | #endif | ||
41 | |||
42 | void integrity_audit_msg(int audit_msgno, struct inode *inode, | ||
43 | const unsigned char *fname, const char *op, | ||
44 | const char *cause, int result, int audit_info) | ||
45 | { | ||
46 | struct audit_buffer *ab; | ||
47 | |||
48 | if (!ima_audit && audit_info == 1) /* Skip informational messages */ | ||
49 | return; | ||
50 | |||
51 | ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno); | ||
52 | audit_log_format(ab, "integrity: pid=%d uid=%u auid=%u ses=%u", | ||
53 | current->pid, current->cred->uid, | ||
54 | audit_get_loginuid(current), | ||
55 | audit_get_sessionid(current)); | ||
56 | audit_log_task_context(ab); | ||
57 | switch (audit_msgno) { | ||
58 | case AUDIT_INTEGRITY_DATA: | ||
59 | case AUDIT_INTEGRITY_METADATA: | ||
60 | case AUDIT_INTEGRITY_PCR: | ||
61 | case AUDIT_INTEGRITY_STATUS: | ||
62 | audit_log_format(ab, " op=%s cause=%s", op, cause); | ||
63 | break; | ||
64 | case AUDIT_INTEGRITY_HASH: | ||
65 | audit_log_format(ab, " op=%s hash=%s", op, cause); | ||
66 | break; | ||
67 | default: | ||
68 | audit_log_format(ab, " op=%s", op); | ||
69 | } | ||
70 | audit_log_format(ab, " comm="); | ||
71 | audit_log_untrustedstring(ab, current->comm); | ||
72 | if (fname) { | ||
73 | audit_log_format(ab, " name="); | ||
74 | audit_log_untrustedstring(ab, fname); | ||
75 | } | ||
76 | if (inode) | ||
77 | audit_log_format(ab, " dev=%s ino=%lu", | ||
78 | inode->i_sb->s_id, inode->i_ino); | ||
79 | audit_log_format(ab, " res=%d", !result ? 0 : 1); | ||
80 | audit_log_end(ab); | ||
81 | } | ||
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c new file mode 100644 index 000000000000..50d572b74caf --- /dev/null +++ b/security/integrity/ima/ima_crypto.c | |||
@@ -0,0 +1,140 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2005,2006,2007,2008 IBM Corporation | ||
3 | * | ||
4 | * Authors: | ||
5 | * Mimi Zohar <zohar@us.ibm.com> | ||
6 | * Kylene Hall <kjhall@us.ibm.com> | ||
7 | * | ||
8 | * This program is free software; you can redistribute it and/or modify | ||
9 | * it under the terms of the GNU General Public License as published by | ||
10 | * the Free Software Foundation, version 2 of the License. | ||
11 | * | ||
12 | * File: ima_crypto.c | ||
13 | * Calculates md5/sha1 file hash, template hash, boot-aggreate hash | ||
14 | */ | ||
15 | |||
16 | #include <linux/kernel.h> | ||
17 | #include <linux/file.h> | ||
18 | #include <linux/crypto.h> | ||
19 | #include <linux/scatterlist.h> | ||
20 | #include <linux/err.h> | ||
21 | #include "ima.h" | ||
22 | |||
23 | static int init_desc(struct hash_desc *desc) | ||
24 | { | ||
25 | int rc; | ||
26 | |||
27 | desc->tfm = crypto_alloc_hash(ima_hash, 0, CRYPTO_ALG_ASYNC); | ||
28 | if (IS_ERR(desc->tfm)) { | ||
29 | pr_info("failed to load %s transform: %ld\n", | ||
30 | ima_hash, PTR_ERR(desc->tfm)); | ||
31 | rc = PTR_ERR(desc->tfm); | ||
32 | return rc; | ||
33 | } | ||
34 | desc->flags = 0; | ||
35 | rc = crypto_hash_init(desc); | ||
36 | if (rc) | ||
37 | crypto_free_hash(desc->tfm); | ||
38 | return rc; | ||
39 | } | ||
40 | |||
41 | /* | ||
42 | * Calculate the MD5/SHA1 file digest | ||
43 | */ | ||
44 | int ima_calc_hash(struct file *file, char *digest) | ||
45 | { | ||
46 | struct hash_desc desc; | ||
47 | struct scatterlist sg[1]; | ||
48 | loff_t i_size; | ||
49 | char *rbuf; | ||
50 | int rc, offset = 0; | ||
51 | |||
52 | rc = init_desc(&desc); | ||
53 | if (rc != 0) | ||
54 | return rc; | ||
55 | |||
56 | rbuf = kzalloc(PAGE_SIZE, GFP_KERNEL); | ||
57 | if (!rbuf) { | ||
58 | rc = -ENOMEM; | ||
59 | goto out; | ||
60 | } | ||
61 | i_size = i_size_read(file->f_dentry->d_inode); | ||
62 | while (offset < i_size) { | ||
63 | int rbuf_len; | ||
64 | |||
65 | rbuf_len = kernel_read(file, offset, rbuf, PAGE_SIZE); | ||
66 | if (rbuf_len < 0) { | ||
67 | rc = rbuf_len; | ||
68 | break; | ||
69 | } | ||
70 | offset += rbuf_len; | ||
71 | sg_init_one(sg, rbuf, rbuf_len); | ||
72 | |||
73 | rc = crypto_hash_update(&desc, sg, rbuf_len); | ||
74 | if (rc) | ||
75 | break; | ||
76 | } | ||
77 | kfree(rbuf); | ||
78 | if (!rc) | ||
79 | rc = crypto_hash_final(&desc, digest); | ||
80 | out: | ||
81 | crypto_free_hash(desc.tfm); | ||
82 | return rc; | ||
83 | } | ||
84 | |||
85 | /* | ||
86 | * Calculate the hash of a given template | ||
87 | */ | ||
88 | int ima_calc_template_hash(int template_len, void *template, char *digest) | ||
89 | { | ||
90 | struct hash_desc desc; | ||
91 | struct scatterlist sg[1]; | ||
92 | int rc; | ||
93 | |||
94 | rc = init_desc(&desc); | ||
95 | if (rc != 0) | ||
96 | return rc; | ||
97 | |||
98 | sg_init_one(sg, template, template_len); | ||
99 | rc = crypto_hash_update(&desc, sg, template_len); | ||
100 | if (!rc) | ||
101 | rc = crypto_hash_final(&desc, digest); | ||
102 | crypto_free_hash(desc.tfm); | ||
103 | return rc; | ||
104 | } | ||
105 | |||
106 | static void ima_pcrread(int idx, u8 *pcr) | ||
107 | { | ||
108 | if (!ima_used_chip) | ||
109 | return; | ||
110 | |||
111 | if (tpm_pcr_read(TPM_ANY_NUM, idx, pcr) != 0) | ||
112 | pr_err("Error Communicating to TPM chip\n"); | ||
113 | } | ||
114 | |||
115 | /* | ||
116 | * Calculate the boot aggregate hash | ||
117 | */ | ||
118 | int ima_calc_boot_aggregate(char *digest) | ||
119 | { | ||
120 | struct hash_desc desc; | ||
121 | struct scatterlist sg; | ||
122 | u8 pcr_i[IMA_DIGEST_SIZE]; | ||
123 | int rc, i; | ||
124 | |||
125 | rc = init_desc(&desc); | ||
126 | if (rc != 0) | ||
127 | return rc; | ||
128 | |||
129 | /* cumulative sha1 over tpm registers 0-7 */ | ||
130 | for (i = TPM_PCR0; i < TPM_PCR8; i++) { | ||
131 | ima_pcrread(i, pcr_i); | ||
132 | /* now accumulate with current aggregate */ | ||
133 | sg_init_one(&sg, pcr_i, IMA_DIGEST_SIZE); | ||
134 | rc = crypto_hash_update(&desc, &sg, IMA_DIGEST_SIZE); | ||
135 | } | ||
136 | if (!rc) | ||
137 | crypto_hash_final(&desc, digest); | ||
138 | crypto_free_hash(desc.tfm); | ||
139 | return rc; | ||
140 | } | ||
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c new file mode 100644 index 000000000000..ffbe259700b1 --- /dev/null +++ b/security/integrity/ima/ima_fs.c | |||
@@ -0,0 +1,376 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2005,2006,2007,2008 IBM Corporation | ||
3 | * | ||
4 | * Authors: | ||
5 | * Kylene Hall <kjhall@us.ibm.com> | ||
6 | * Reiner Sailer <sailer@us.ibm.com> | ||
7 | * Mimi Zohar <zohar@us.ibm.com> | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or | ||
10 | * modify it under the terms of the GNU General Public License as | ||
11 | * published by the Free Software Foundation, version 2 of the | ||
12 | * License. | ||
13 | * | ||
14 | * File: ima_fs.c | ||
15 | * implemenents security file system for reporting | ||
16 | * current measurement list and IMA statistics | ||
17 | */ | ||
18 | #include <linux/module.h> | ||
19 | #include <linux/seq_file.h> | ||
20 | #include <linux/rculist.h> | ||
21 | #include <linux/rcupdate.h> | ||
22 | #include <linux/parser.h> | ||
23 | |||
24 | #include "ima.h" | ||
25 | |||
26 | static int valid_policy = 1; | ||
27 | #define TMPBUFLEN 12 | ||
28 | static ssize_t ima_show_htable_value(char __user *buf, size_t count, | ||
29 | loff_t *ppos, atomic_long_t *val) | ||
30 | { | ||
31 | char tmpbuf[TMPBUFLEN]; | ||
32 | ssize_t len; | ||
33 | |||
34 | len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val)); | ||
35 | return simple_read_from_buffer(buf, count, ppos, tmpbuf, len); | ||
36 | } | ||
37 | |||
38 | static ssize_t ima_show_htable_violations(struct file *filp, | ||
39 | char __user *buf, | ||
40 | size_t count, loff_t *ppos) | ||
41 | { | ||
42 | return ima_show_htable_value(buf, count, ppos, &ima_htable.violations); | ||
43 | } | ||
44 | |||
45 | static struct file_operations ima_htable_violations_ops = { | ||
46 | .read = ima_show_htable_violations | ||
47 | }; | ||
48 | |||
49 | static ssize_t ima_show_measurements_count(struct file *filp, | ||
50 | char __user *buf, | ||
51 | size_t count, loff_t *ppos) | ||
52 | { | ||
53 | return ima_show_htable_value(buf, count, ppos, &ima_htable.len); | ||
54 | |||
55 | } | ||
56 | |||
57 | static struct file_operations ima_measurements_count_ops = { | ||
58 | .read = ima_show_measurements_count | ||
59 | }; | ||
60 | |||
61 | /* returns pointer to hlist_node */ | ||
62 | static void *ima_measurements_start(struct seq_file *m, loff_t *pos) | ||
63 | { | ||
64 | loff_t l = *pos; | ||
65 | struct ima_queue_entry *qe; | ||
66 | |||
67 | /* we need a lock since pos could point beyond last element */ | ||
68 | rcu_read_lock(); | ||
69 | list_for_each_entry_rcu(qe, &ima_measurements, later) { | ||
70 | if (!l--) { | ||
71 | rcu_read_unlock(); | ||
72 | return qe; | ||
73 | } | ||
74 | } | ||
75 | rcu_read_unlock(); | ||
76 | return NULL; | ||
77 | } | ||
78 | |||
79 | static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *pos) | ||
80 | { | ||
81 | struct ima_queue_entry *qe = v; | ||
82 | |||
83 | /* lock protects when reading beyond last element | ||
84 | * against concurrent list-extension | ||
85 | */ | ||
86 | rcu_read_lock(); | ||
87 | qe = list_entry(rcu_dereference(qe->later.next), | ||
88 | struct ima_queue_entry, later); | ||
89 | rcu_read_unlock(); | ||
90 | (*pos)++; | ||
91 | |||
92 | return (&qe->later == &ima_measurements) ? NULL : qe; | ||
93 | } | ||
94 | |||
95 | static void ima_measurements_stop(struct seq_file *m, void *v) | ||
96 | { | ||
97 | } | ||
98 | |||
99 | static void ima_putc(struct seq_file *m, void *data, int datalen) | ||
100 | { | ||
101 | while (datalen--) | ||
102 | seq_putc(m, *(char *)data++); | ||
103 | } | ||
104 | |||
105 | /* print format: | ||
106 | * 32bit-le=pcr# | ||
107 | * char[20]=template digest | ||
108 | * 32bit-le=template name size | ||
109 | * char[n]=template name | ||
110 | * eventdata[n]=template specific data | ||
111 | */ | ||
112 | static int ima_measurements_show(struct seq_file *m, void *v) | ||
113 | { | ||
114 | /* the list never shrinks, so we don't need a lock here */ | ||
115 | struct ima_queue_entry *qe = v; | ||
116 | struct ima_template_entry *e; | ||
117 | int namelen; | ||
118 | u32 pcr = CONFIG_IMA_MEASURE_PCR_IDX; | ||
119 | |||
120 | /* get entry */ | ||
121 | e = qe->entry; | ||
122 | if (e == NULL) | ||
123 | return -1; | ||
124 | |||
125 | /* | ||
126 | * 1st: PCRIndex | ||
127 | * PCR used is always the same (config option) in | ||
128 | * little-endian format | ||
129 | */ | ||
130 | ima_putc(m, &pcr, sizeof pcr); | ||
131 | |||
132 | /* 2nd: template digest */ | ||
133 | ima_putc(m, e->digest, IMA_DIGEST_SIZE); | ||
134 | |||
135 | /* 3rd: template name size */ | ||
136 | namelen = strlen(e->template_name); | ||
137 | ima_putc(m, &namelen, sizeof namelen); | ||
138 | |||
139 | /* 4th: template name */ | ||
140 | ima_putc(m, (void *)e->template_name, namelen); | ||
141 | |||
142 | /* 5th: template specific data */ | ||
143 | ima_template_show(m, (struct ima_template_data *)&e->template, | ||
144 | IMA_SHOW_BINARY); | ||
145 | return 0; | ||
146 | } | ||
147 | |||
148 | static struct seq_operations ima_measurments_seqops = { | ||
149 | .start = ima_measurements_start, | ||
150 | .next = ima_measurements_next, | ||
151 | .stop = ima_measurements_stop, | ||
152 | .show = ima_measurements_show | ||
153 | }; | ||
154 | |||
155 | static int ima_measurements_open(struct inode *inode, struct file *file) | ||
156 | { | ||
157 | return seq_open(file, &ima_measurments_seqops); | ||
158 | } | ||
159 | |||
160 | static struct file_operations ima_measurements_ops = { | ||
161 | .open = ima_measurements_open, | ||
162 | .read = seq_read, | ||
163 | .llseek = seq_lseek, | ||
164 | .release = seq_release, | ||
165 | }; | ||
166 | |||
167 | static void ima_print_digest(struct seq_file *m, u8 *digest) | ||
168 | { | ||
169 | int i; | ||
170 | |||
171 | for (i = 0; i < IMA_DIGEST_SIZE; i++) | ||
172 | seq_printf(m, "%02x", *(digest + i)); | ||
173 | } | ||
174 | |||
175 | void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show) | ||
176 | { | ||
177 | struct ima_template_data *entry = e; | ||
178 | int namelen; | ||
179 | |||
180 | switch (show) { | ||
181 | case IMA_SHOW_ASCII: | ||
182 | ima_print_digest(m, entry->digest); | ||
183 | seq_printf(m, " %s\n", entry->file_name); | ||
184 | break; | ||
185 | case IMA_SHOW_BINARY: | ||
186 | ima_putc(m, entry->digest, IMA_DIGEST_SIZE); | ||
187 | |||
188 | namelen = strlen(entry->file_name); | ||
189 | ima_putc(m, &namelen, sizeof namelen); | ||
190 | ima_putc(m, entry->file_name, namelen); | ||
191 | default: | ||
192 | break; | ||
193 | } | ||
194 | } | ||
195 | |||
196 | /* print in ascii */ | ||
197 | static int ima_ascii_measurements_show(struct seq_file *m, void *v) | ||
198 | { | ||
199 | /* the list never shrinks, so we don't need a lock here */ | ||
200 | struct ima_queue_entry *qe = v; | ||
201 | struct ima_template_entry *e; | ||
202 | |||
203 | /* get entry */ | ||
204 | e = qe->entry; | ||
205 | if (e == NULL) | ||
206 | return -1; | ||
207 | |||
208 | /* 1st: PCR used (config option) */ | ||
209 | seq_printf(m, "%2d ", CONFIG_IMA_MEASURE_PCR_IDX); | ||
210 | |||
211 | /* 2nd: SHA1 template hash */ | ||
212 | ima_print_digest(m, e->digest); | ||
213 | |||
214 | /* 3th: template name */ | ||
215 | seq_printf(m, " %s ", e->template_name); | ||
216 | |||
217 | /* 4th: template specific data */ | ||
218 | ima_template_show(m, (struct ima_template_data *)&e->template, | ||
219 | IMA_SHOW_ASCII); | ||
220 | return 0; | ||
221 | } | ||
222 | |||
223 | static struct seq_operations ima_ascii_measurements_seqops = { | ||
224 | .start = ima_measurements_start, | ||
225 | .next = ima_measurements_next, | ||
226 | .stop = ima_measurements_stop, | ||
227 | .show = ima_ascii_measurements_show | ||
228 | }; | ||
229 | |||
230 | static int ima_ascii_measurements_open(struct inode *inode, struct file *file) | ||
231 | { | ||
232 | return seq_open(file, &ima_ascii_measurements_seqops); | ||
233 | } | ||
234 | |||
235 | static struct file_operations ima_ascii_measurements_ops = { | ||
236 | .open = ima_ascii_measurements_open, | ||
237 | .read = seq_read, | ||
238 | .llseek = seq_lseek, | ||
239 | .release = seq_release, | ||
240 | }; | ||
241 | |||
242 | static ssize_t ima_write_policy(struct file *file, const char __user *buf, | ||
243 | size_t datalen, loff_t *ppos) | ||
244 | { | ||
245 | char *data; | ||
246 | int rc; | ||
247 | |||
248 | if (datalen >= PAGE_SIZE) | ||
249 | return -ENOMEM; | ||
250 | if (*ppos != 0) { | ||
251 | /* No partial writes. */ | ||
252 | return -EINVAL; | ||
253 | } | ||
254 | data = kmalloc(datalen + 1, GFP_KERNEL); | ||
255 | if (!data) | ||
256 | return -ENOMEM; | ||
257 | |||
258 | if (copy_from_user(data, buf, datalen)) { | ||
259 | kfree(data); | ||
260 | return -EFAULT; | ||
261 | } | ||
262 | *(data + datalen) = '\0'; | ||
263 | rc = ima_parse_add_rule(data); | ||
264 | if (rc < 0) { | ||
265 | datalen = -EINVAL; | ||
266 | valid_policy = 0; | ||
267 | } | ||
268 | |||
269 | kfree(data); | ||
270 | return datalen; | ||
271 | } | ||
272 | |||
273 | static struct dentry *ima_dir; | ||
274 | static struct dentry *binary_runtime_measurements; | ||
275 | static struct dentry *ascii_runtime_measurements; | ||
276 | static struct dentry *runtime_measurements_count; | ||
277 | static struct dentry *violations; | ||
278 | static struct dentry *ima_policy; | ||
279 | |||
280 | static atomic_t policy_opencount = ATOMIC_INIT(1); | ||
281 | /* | ||
282 | * ima_open_policy: sequentialize access to the policy file | ||
283 | */ | ||
284 | int ima_open_policy(struct inode * inode, struct file * filp) | ||
285 | { | ||
286 | if (atomic_dec_and_test(&policy_opencount)) | ||
287 | return 0; | ||
288 | return -EBUSY; | ||
289 | } | ||
290 | |||
291 | /* | ||
292 | * ima_release_policy - start using the new measure policy rules. | ||
293 | * | ||
294 | * Initially, ima_measure points to the default policy rules, now | ||
295 | * point to the new policy rules, and remove the securityfs policy file, | ||
296 | * assuming a valid policy. | ||
297 | */ | ||
298 | static int ima_release_policy(struct inode *inode, struct file *file) | ||
299 | { | ||
300 | if (!valid_policy) { | ||
301 | ima_delete_rules(); | ||
302 | valid_policy = 1; | ||
303 | atomic_set(&policy_opencount, 1); | ||
304 | return 0; | ||
305 | } | ||
306 | ima_update_policy(); | ||
307 | securityfs_remove(ima_policy); | ||
308 | ima_policy = NULL; | ||
309 | return 0; | ||
310 | } | ||
311 | |||
312 | static struct file_operations ima_measure_policy_ops = { | ||
313 | .open = ima_open_policy, | ||
314 | .write = ima_write_policy, | ||
315 | .release = ima_release_policy | ||
316 | }; | ||
317 | |||
318 | int ima_fs_init(void) | ||
319 | { | ||
320 | ima_dir = securityfs_create_dir("ima", NULL); | ||
321 | if (IS_ERR(ima_dir)) | ||
322 | return -1; | ||
323 | |||
324 | binary_runtime_measurements = | ||
325 | securityfs_create_file("binary_runtime_measurements", | ||
326 | S_IRUSR | S_IRGRP, ima_dir, NULL, | ||
327 | &ima_measurements_ops); | ||
328 | if (IS_ERR(binary_runtime_measurements)) | ||
329 | goto out; | ||
330 | |||
331 | ascii_runtime_measurements = | ||
332 | securityfs_create_file("ascii_runtime_measurements", | ||
333 | S_IRUSR | S_IRGRP, ima_dir, NULL, | ||
334 | &ima_ascii_measurements_ops); | ||
335 | if (IS_ERR(ascii_runtime_measurements)) | ||
336 | goto out; | ||
337 | |||
338 | runtime_measurements_count = | ||
339 | securityfs_create_file("runtime_measurements_count", | ||
340 | S_IRUSR | S_IRGRP, ima_dir, NULL, | ||
341 | &ima_measurements_count_ops); | ||
342 | if (IS_ERR(runtime_measurements_count)) | ||
343 | goto out; | ||
344 | |||
345 | violations = | ||
346 | securityfs_create_file("violations", S_IRUSR | S_IRGRP, | ||
347 | ima_dir, NULL, &ima_htable_violations_ops); | ||
348 | if (IS_ERR(violations)) | ||
349 | goto out; | ||
350 | |||
351 | ima_policy = securityfs_create_file("policy", | ||
352 | S_IRUSR | S_IRGRP | S_IWUSR, | ||
353 | ima_dir, NULL, | ||
354 | &ima_measure_policy_ops); | ||
355 | if (IS_ERR(ima_policy)) | ||
356 | goto out; | ||
357 | |||
358 | return 0; | ||
359 | out: | ||
360 | securityfs_remove(runtime_measurements_count); | ||
361 | securityfs_remove(ascii_runtime_measurements); | ||
362 | securityfs_remove(binary_runtime_measurements); | ||
363 | securityfs_remove(ima_dir); | ||
364 | securityfs_remove(ima_policy); | ||
365 | return -1; | ||
366 | } | ||
367 | |||
368 | void __exit ima_fs_cleanup(void) | ||
369 | { | ||
370 | securityfs_remove(violations); | ||
371 | securityfs_remove(runtime_measurements_count); | ||
372 | securityfs_remove(ascii_runtime_measurements); | ||
373 | securityfs_remove(binary_runtime_measurements); | ||
374 | securityfs_remove(ima_dir); | ||
375 | securityfs_remove(ima_policy); | ||
376 | } | ||
diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c new file mode 100644 index 000000000000..ec79f1ee992c --- /dev/null +++ b/security/integrity/ima/ima_iint.c | |||
@@ -0,0 +1,204 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2008 IBM Corporation | ||
3 | * | ||
4 | * Authors: | ||
5 | * Mimi Zohar <zohar@us.ibm.com> | ||
6 | * | ||
7 | * This program is free software; you can redistribute it and/or | ||
8 | * modify it under the terms of the GNU General Public License as | ||
9 | * published by the Free Software Foundation, version 2 of the | ||
10 | * License. | ||
11 | * | ||
12 | * File: ima_iint.c | ||
13 | * - implements the IMA hooks: ima_inode_alloc, ima_inode_free | ||
14 | * - cache integrity information associated with an inode | ||
15 | * using a radix tree. | ||
16 | */ | ||
17 | #include <linux/module.h> | ||
18 | #include <linux/spinlock.h> | ||
19 | #include <linux/radix-tree.h> | ||
20 | #include "ima.h" | ||
21 | |||
22 | #define ima_iint_delete ima_inode_free | ||
23 | |||
24 | RADIX_TREE(ima_iint_store, GFP_ATOMIC); | ||
25 | DEFINE_SPINLOCK(ima_iint_lock); | ||
26 | |||
27 | static struct kmem_cache *iint_cache __read_mostly; | ||
28 | |||
29 | /* ima_iint_find_get - return the iint associated with an inode | ||
30 | * | ||
31 | * ima_iint_find_get gets a reference to the iint. Caller must | ||
32 | * remember to put the iint reference. | ||
33 | */ | ||
34 | struct ima_iint_cache *ima_iint_find_get(struct inode *inode) | ||
35 | { | ||
36 | struct ima_iint_cache *iint; | ||
37 | |||
38 | rcu_read_lock(); | ||
39 | iint = radix_tree_lookup(&ima_iint_store, (unsigned long)inode); | ||
40 | if (!iint) | ||
41 | goto out; | ||
42 | kref_get(&iint->refcount); | ||
43 | out: | ||
44 | rcu_read_unlock(); | ||
45 | return iint; | ||
46 | } | ||
47 | |||
48 | /* Allocate memory for the iint associated with the inode | ||
49 | * from the iint_cache slab, initialize the iint, and | ||
50 | * insert it into the radix tree. | ||
51 | * | ||
52 | * On success return a pointer to the iint; on failure return NULL. | ||
53 | */ | ||
54 | struct ima_iint_cache *ima_iint_insert(struct inode *inode) | ||
55 | { | ||
56 | struct ima_iint_cache *iint = NULL; | ||
57 | int rc = 0; | ||
58 | |||
59 | if (!ima_initialized) | ||
60 | return iint; | ||
61 | iint = kmem_cache_alloc(iint_cache, GFP_KERNEL); | ||
62 | if (!iint) | ||
63 | return iint; | ||
64 | |||
65 | rc = radix_tree_preload(GFP_KERNEL); | ||
66 | if (rc < 0) | ||
67 | goto out; | ||
68 | |||
69 | spin_lock(&ima_iint_lock); | ||
70 | rc = radix_tree_insert(&ima_iint_store, (unsigned long)inode, iint); | ||
71 | spin_unlock(&ima_iint_lock); | ||
72 | out: | ||
73 | if (rc < 0) { | ||
74 | kmem_cache_free(iint_cache, iint); | ||
75 | if (rc == -EEXIST) { | ||
76 | spin_lock(&ima_iint_lock); | ||
77 | iint = radix_tree_lookup(&ima_iint_store, | ||
78 | (unsigned long)inode); | ||
79 | spin_unlock(&ima_iint_lock); | ||
80 | } else | ||
81 | iint = NULL; | ||
82 | } | ||
83 | radix_tree_preload_end(); | ||
84 | return iint; | ||
85 | } | ||
86 | |||
87 | /** | ||
88 | * ima_inode_alloc - allocate an iint associated with an inode | ||
89 | * @inode: pointer to the inode | ||
90 | * | ||
91 | * Return 0 on success, 1 on failure. | ||
92 | */ | ||
93 | int ima_inode_alloc(struct inode *inode) | ||
94 | { | ||
95 | struct ima_iint_cache *iint; | ||
96 | |||
97 | if (!ima_initialized) | ||
98 | return 0; | ||
99 | |||
100 | iint = ima_iint_insert(inode); | ||
101 | if (!iint) | ||
102 | return 1; | ||
103 | return 0; | ||
104 | } | ||
105 | |||
106 | /* ima_iint_find_insert_get - get the iint associated with an inode | ||
107 | * | ||
108 | * Most insertions are done at inode_alloc, except those allocated | ||
109 | * before late_initcall. When the iint does not exist, allocate it, | ||
110 | * initialize and insert it, and increment the iint refcount. | ||
111 | * | ||
112 | * (Can't initialize at security_initcall before any inodes are | ||
113 | * allocated, got to wait at least until proc_init.) | ||
114 | * | ||
115 | * Return the iint. | ||
116 | */ | ||
117 | struct ima_iint_cache *ima_iint_find_insert_get(struct inode *inode) | ||
118 | { | ||
119 | struct ima_iint_cache *iint = NULL; | ||
120 | |||
121 | iint = ima_iint_find_get(inode); | ||
122 | if (iint) | ||
123 | return iint; | ||
124 | |||
125 | iint = ima_iint_insert(inode); | ||
126 | if (iint) | ||
127 | kref_get(&iint->refcount); | ||
128 | |||
129 | return iint; | ||
130 | } | ||
131 | EXPORT_SYMBOL_GPL(ima_iint_find_insert_get); | ||
132 | |||
133 | /* iint_free - called when the iint refcount goes to zero */ | ||
134 | void iint_free(struct kref *kref) | ||
135 | { | ||
136 | struct ima_iint_cache *iint = container_of(kref, struct ima_iint_cache, | ||
137 | refcount); | ||
138 | iint->version = 0; | ||
139 | iint->flags = 0UL; | ||
140 | if (iint->readcount != 0) { | ||
141 | printk(KERN_INFO "%s: readcount: %ld\n", __FUNCTION__, | ||
142 | iint->readcount); | ||
143 | iint->readcount = 0; | ||
144 | } | ||
145 | if (iint->writecount != 0) { | ||
146 | printk(KERN_INFO "%s: writecount: %ld\n", __FUNCTION__, | ||
147 | iint->writecount); | ||
148 | iint->writecount = 0; | ||
149 | } | ||
150 | if (iint->opencount != 0) { | ||
151 | printk(KERN_INFO "%s: opencount: %ld\n", __FUNCTION__, | ||
152 | iint->opencount); | ||
153 | iint->opencount = 0; | ||
154 | } | ||
155 | kref_set(&iint->refcount, 1); | ||
156 | kmem_cache_free(iint_cache, iint); | ||
157 | } | ||
158 | |||
159 | void iint_rcu_free(struct rcu_head *rcu_head) | ||
160 | { | ||
161 | struct ima_iint_cache *iint = container_of(rcu_head, | ||
162 | struct ima_iint_cache, rcu); | ||
163 | kref_put(&iint->refcount, iint_free); | ||
164 | } | ||
165 | |||
166 | /** | ||
167 | * ima_iint_delete - called on integrity_inode_free | ||
168 | * @inode: pointer to the inode | ||
169 | * | ||
170 | * Free the integrity information(iint) associated with an inode. | ||
171 | */ | ||
172 | void ima_iint_delete(struct inode *inode) | ||
173 | { | ||
174 | struct ima_iint_cache *iint; | ||
175 | |||
176 | if (!ima_initialized) | ||
177 | return; | ||
178 | spin_lock(&ima_iint_lock); | ||
179 | iint = radix_tree_delete(&ima_iint_store, (unsigned long)inode); | ||
180 | spin_unlock(&ima_iint_lock); | ||
181 | if (iint) | ||
182 | call_rcu(&iint->rcu, iint_rcu_free); | ||
183 | } | ||
184 | |||
185 | static void init_once(void *foo) | ||
186 | { | ||
187 | struct ima_iint_cache *iint = foo; | ||
188 | |||
189 | memset(iint, 0, sizeof *iint); | ||
190 | iint->version = 0; | ||
191 | iint->flags = 0UL; | ||
192 | mutex_init(&iint->mutex); | ||
193 | iint->readcount = 0; | ||
194 | iint->writecount = 0; | ||
195 | iint->opencount = 0; | ||
196 | kref_set(&iint->refcount, 1); | ||
197 | } | ||
198 | |||
199 | void ima_iintcache_init(void) | ||
200 | { | ||
201 | iint_cache = | ||
202 | kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0, | ||
203 | SLAB_PANIC, init_once); | ||
204 | } | ||
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c new file mode 100644 index 000000000000..0b0bb8c978cc --- /dev/null +++ b/security/integrity/ima/ima_init.c | |||
@@ -0,0 +1,96 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2005,2006,2007,2008 IBM Corporation | ||
3 | * | ||
4 | * Authors: | ||
5 | * Reiner Sailer <sailer@watson.ibm.com> | ||
6 | * Leendert van Doorn <leendert@watson.ibm.com> | ||
7 | * Mimi Zohar <zohar@us.ibm.com> | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or | ||
10 | * modify it under the terms of the GNU General Public License as | ||
11 | * published by the Free Software Foundation, version 2 of the | ||
12 | * License. | ||
13 | * | ||
14 | * File: ima_init.c | ||
15 | * initialization and cleanup functions | ||
16 | */ | ||
17 | #include <linux/module.h> | ||
18 | #include <linux/scatterlist.h> | ||
19 | #include <linux/err.h> | ||
20 | #include "ima.h" | ||
21 | |||
22 | /* name for boot aggregate entry */ | ||
23 | static const char *boot_aggregate_name = "boot_aggregate"; | ||
24 | int ima_used_chip; | ||
25 | |||
26 | /* Add the boot aggregate to the IMA measurement list and extend | ||
27 | * the PCR register. | ||
28 | * | ||
29 | * Calculate the boot aggregate, a SHA1 over tpm registers 0-7, | ||
30 | * assuming a TPM chip exists, and zeroes if the TPM chip does not | ||
31 | * exist. Add the boot aggregate measurement to the measurement | ||
32 | * list and extend the PCR register. | ||
33 | * | ||
34 | * If a tpm chip does not exist, indicate the core root of trust is | ||
35 | * not hardware based by invalidating the aggregate PCR value. | ||
36 | * (The aggregate PCR value is invalidated by adding one value to | ||
37 | * the measurement list and extending the aggregate PCR value with | ||
38 | * a different value.) Violations add a zero entry to the measurement | ||
39 | * list and extend the aggregate PCR value with ff...ff's. | ||
40 | */ | ||
41 | static void ima_add_boot_aggregate(void) | ||
42 | { | ||
43 | struct ima_template_entry *entry; | ||
44 | const char *op = "add_boot_aggregate"; | ||
45 | const char *audit_cause = "ENOMEM"; | ||
46 | int result = -ENOMEM; | ||
47 | int violation = 1; | ||
48 | |||
49 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | ||
50 | if (!entry) | ||
51 | goto err_out; | ||
52 | |||
53 | memset(&entry->template, 0, sizeof(entry->template)); | ||
54 | strncpy(entry->template.file_name, boot_aggregate_name, | ||
55 | IMA_EVENT_NAME_LEN_MAX); | ||
56 | if (ima_used_chip) { | ||
57 | violation = 0; | ||
58 | result = ima_calc_boot_aggregate(entry->template.digest); | ||
59 | if (result < 0) { | ||
60 | audit_cause = "hashing_error"; | ||
61 | kfree(entry); | ||
62 | goto err_out; | ||
63 | } | ||
64 | } | ||
65 | result = ima_store_template(entry, violation, NULL); | ||
66 | if (result < 0) | ||
67 | kfree(entry); | ||
68 | return; | ||
69 | err_out: | ||
70 | integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, boot_aggregate_name, op, | ||
71 | audit_cause, result, 0); | ||
72 | } | ||
73 | |||
74 | int ima_init(void) | ||
75 | { | ||
76 | u8 pcr_i[IMA_DIGEST_SIZE]; | ||
77 | int rc; | ||
78 | |||
79 | ima_used_chip = 0; | ||
80 | rc = tpm_pcr_read(TPM_ANY_NUM, 0, pcr_i); | ||
81 | if (rc == 0) | ||
82 | ima_used_chip = 1; | ||
83 | |||
84 | if (!ima_used_chip) | ||
85 | pr_info("No TPM chip found, activating TPM-bypass!\n"); | ||
86 | |||
87 | ima_add_boot_aggregate(); /* boot aggregate must be first entry */ | ||
88 | ima_init_policy(); | ||
89 | |||
90 | return ima_fs_init(); | ||
91 | } | ||
92 | |||
93 | void __exit ima_cleanup(void) | ||
94 | { | ||
95 | ima_fs_cleanup(); | ||
96 | } | ||
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c new file mode 100644 index 000000000000..f4e7266f5aee --- /dev/null +++ b/security/integrity/ima/ima_main.c | |||
@@ -0,0 +1,327 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2005,2006,2007,2008 IBM Corporation | ||
3 | * | ||
4 | * Authors: | ||
5 | * Reiner Sailer <sailer@watson.ibm.com> | ||
6 | * Serge Hallyn <serue@us.ibm.com> | ||
7 | * Kylene Hall <kylene@us.ibm.com> | ||
8 | * Mimi Zohar <zohar@us.ibm.com> | ||
9 | * | ||
10 | * This program is free software; you can redistribute it and/or | ||
11 | * modify it under the terms of the GNU General Public License as | ||
12 | * published by the Free Software Foundation, version 2 of the | ||
13 | * License. | ||
14 | * | ||
15 | * File: ima_main.c | ||
16 | * implements the IMA hooks: ima_bprm_check, ima_file_mmap, | ||
17 | * and ima_path_check. | ||
18 | */ | ||
19 | #include <linux/module.h> | ||
20 | #include <linux/file.h> | ||
21 | #include <linux/binfmts.h> | ||
22 | #include <linux/mount.h> | ||
23 | #include <linux/mman.h> | ||
24 | |||
25 | #include "ima.h" | ||
26 | |||
27 | int ima_initialized; | ||
28 | |||
29 | char *ima_hash = "sha1"; | ||
30 | static int __init hash_setup(char *str) | ||
31 | { | ||
32 | const char *op = "hash_setup"; | ||
33 | const char *hash = "sha1"; | ||
34 | int result = 0; | ||
35 | int audit_info = 0; | ||
36 | |||
37 | if (strncmp(str, "md5", 3) == 0) { | ||
38 | hash = "md5"; | ||
39 | ima_hash = str; | ||
40 | } else if (strncmp(str, "sha1", 4) != 0) { | ||
41 | hash = "invalid_hash_type"; | ||
42 | result = 1; | ||
43 | } | ||
44 | integrity_audit_msg(AUDIT_INTEGRITY_HASH, NULL, NULL, op, hash, | ||
45 | result, audit_info); | ||
46 | return 1; | ||
47 | } | ||
48 | __setup("ima_hash=", hash_setup); | ||
49 | |||
50 | /** | ||
51 | * ima_file_free - called on __fput() | ||
52 | * @file: pointer to file structure being freed | ||
53 | * | ||
54 | * Flag files that changed, based on i_version; | ||
55 | * and decrement the iint readcount/writecount. | ||
56 | */ | ||
57 | void ima_file_free(struct file *file) | ||
58 | { | ||
59 | struct inode *inode = file->f_dentry->d_inode; | ||
60 | struct ima_iint_cache *iint; | ||
61 | |||
62 | if (!ima_initialized || !S_ISREG(inode->i_mode)) | ||
63 | return; | ||
64 | iint = ima_iint_find_get(inode); | ||
65 | if (!iint) | ||
66 | return; | ||
67 | |||
68 | mutex_lock(&iint->mutex); | ||
69 | if (iint->opencount <= 0) { | ||
70 | printk(KERN_INFO | ||
71 | "%s: %s open/free imbalance (r:%ld w:%ld o:%ld f:%ld)\n", | ||
72 | __FUNCTION__, file->f_dentry->d_name.name, | ||
73 | iint->readcount, iint->writecount, | ||
74 | iint->opencount, atomic_long_read(&file->f_count)); | ||
75 | if (!(iint->flags & IMA_IINT_DUMP_STACK)) { | ||
76 | dump_stack(); | ||
77 | iint->flags |= IMA_IINT_DUMP_STACK; | ||
78 | } | ||
79 | } | ||
80 | iint->opencount--; | ||
81 | |||
82 | if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) | ||
83 | iint->readcount--; | ||
84 | |||
85 | if (file->f_mode & FMODE_WRITE) { | ||
86 | iint->writecount--; | ||
87 | if (iint->writecount == 0) { | ||
88 | if (iint->version != inode->i_version) | ||
89 | iint->flags &= ~IMA_MEASURED; | ||
90 | } | ||
91 | } | ||
92 | mutex_unlock(&iint->mutex); | ||
93 | kref_put(&iint->refcount, iint_free); | ||
94 | } | ||
95 | |||
96 | /* ima_read_write_check - reflect possible reading/writing errors in the PCR. | ||
97 | * | ||
98 | * When opening a file for read, if the file is already open for write, | ||
99 | * the file could change, resulting in a file measurement error. | ||
100 | * | ||
101 | * Opening a file for write, if the file is already open for read, results | ||
102 | * in a time of measure, time of use (ToMToU) error. | ||
103 | * | ||
104 | * In either case invalidate the PCR. | ||
105 | */ | ||
106 | enum iint_pcr_error { TOMTOU, OPEN_WRITERS }; | ||
107 | static void ima_read_write_check(enum iint_pcr_error error, | ||
108 | struct ima_iint_cache *iint, | ||
109 | struct inode *inode, | ||
110 | const unsigned char *filename) | ||
111 | { | ||
112 | switch (error) { | ||
113 | case TOMTOU: | ||
114 | if (iint->readcount > 0) | ||
115 | ima_add_violation(inode, filename, "invalid_pcr", | ||
116 | "ToMToU"); | ||
117 | break; | ||
118 | case OPEN_WRITERS: | ||
119 | if (iint->writecount > 0) | ||
120 | ima_add_violation(inode, filename, "invalid_pcr", | ||
121 | "open_writers"); | ||
122 | break; | ||
123 | } | ||
124 | } | ||
125 | |||
126 | static int get_path_measurement(struct ima_iint_cache *iint, struct file *file, | ||
127 | const unsigned char *filename) | ||
128 | { | ||
129 | int rc = 0; | ||
130 | |||
131 | if (IS_ERR(file)) { | ||
132 | pr_info("%s dentry_open failed\n", filename); | ||
133 | return rc; | ||
134 | } | ||
135 | iint->opencount++; | ||
136 | iint->readcount++; | ||
137 | |||
138 | rc = ima_collect_measurement(iint, file); | ||
139 | if (!rc) | ||
140 | ima_store_measurement(iint, file, filename); | ||
141 | return rc; | ||
142 | } | ||
143 | |||
144 | /** | ||
145 | * ima_path_check - based on policy, collect/store measurement. | ||
146 | * @path: contains a pointer to the path to be measured | ||
147 | * @mask: contains MAY_READ, MAY_WRITE or MAY_EXECUTE | ||
148 | * | ||
149 | * Measure the file being open for readonly, based on the | ||
150 | * ima_must_measure() policy decision. | ||
151 | * | ||
152 | * Keep read/write counters for all files, but only | ||
153 | * invalidate the PCR for measured files: | ||
154 | * - Opening a file for write when already open for read, | ||
155 | * results in a time of measure, time of use (ToMToU) error. | ||
156 | * - Opening a file for read when already open for write, | ||
157 | * could result in a file measurement error. | ||
158 | * | ||
159 | * Return 0 on success, an error code on failure. | ||
160 | * (Based on the results of appraise_measurement().) | ||
161 | */ | ||
162 | int ima_path_check(struct path *path, int mask) | ||
163 | { | ||
164 | struct inode *inode = path->dentry->d_inode; | ||
165 | struct ima_iint_cache *iint; | ||
166 | struct file *file = NULL; | ||
167 | int rc; | ||
168 | |||
169 | if (!ima_initialized || !S_ISREG(inode->i_mode)) | ||
170 | return 0; | ||
171 | iint = ima_iint_find_insert_get(inode); | ||
172 | if (!iint) | ||
173 | return 0; | ||
174 | |||
175 | mutex_lock(&iint->mutex); | ||
176 | iint->opencount++; | ||
177 | if ((mask & MAY_WRITE) || (mask == 0)) | ||
178 | iint->writecount++; | ||
179 | else if (mask & (MAY_READ | MAY_EXEC)) | ||
180 | iint->readcount++; | ||
181 | |||
182 | rc = ima_must_measure(iint, inode, MAY_READ, PATH_CHECK); | ||
183 | if (rc < 0) | ||
184 | goto out; | ||
185 | |||
186 | if ((mask & MAY_WRITE) || (mask == 0)) | ||
187 | ima_read_write_check(TOMTOU, iint, inode, | ||
188 | path->dentry->d_name.name); | ||
189 | |||
190 | if ((mask & (MAY_WRITE | MAY_READ | MAY_EXEC)) != MAY_READ) | ||
191 | goto out; | ||
192 | |||
193 | ima_read_write_check(OPEN_WRITERS, iint, inode, | ||
194 | path->dentry->d_name.name); | ||
195 | if (!(iint->flags & IMA_MEASURED)) { | ||
196 | struct dentry *dentry = dget(path->dentry); | ||
197 | struct vfsmount *mnt = mntget(path->mnt); | ||
198 | |||
199 | file = dentry_open(dentry, mnt, O_RDONLY, current->cred); | ||
200 | rc = get_path_measurement(iint, file, dentry->d_name.name); | ||
201 | } | ||
202 | out: | ||
203 | mutex_unlock(&iint->mutex); | ||
204 | if (file) | ||
205 | fput(file); | ||
206 | kref_put(&iint->refcount, iint_free); | ||
207 | return 0; | ||
208 | } | ||
209 | |||
210 | static int process_measurement(struct file *file, const unsigned char *filename, | ||
211 | int mask, int function) | ||
212 | { | ||
213 | struct inode *inode = file->f_dentry->d_inode; | ||
214 | struct ima_iint_cache *iint; | ||
215 | int rc; | ||
216 | |||
217 | if (!ima_initialized || !S_ISREG(inode->i_mode)) | ||
218 | return 0; | ||
219 | iint = ima_iint_find_insert_get(inode); | ||
220 | if (!iint) | ||
221 | return -ENOMEM; | ||
222 | |||
223 | mutex_lock(&iint->mutex); | ||
224 | rc = ima_must_measure(iint, inode, mask, function); | ||
225 | if (rc != 0) | ||
226 | goto out; | ||
227 | |||
228 | rc = ima_collect_measurement(iint, file); | ||
229 | if (!rc) | ||
230 | ima_store_measurement(iint, file, filename); | ||
231 | out: | ||
232 | mutex_unlock(&iint->mutex); | ||
233 | kref_put(&iint->refcount, iint_free); | ||
234 | return rc; | ||
235 | } | ||
236 | |||
237 | static void opencount_get(struct file *file) | ||
238 | { | ||
239 | struct inode *inode = file->f_dentry->d_inode; | ||
240 | struct ima_iint_cache *iint; | ||
241 | |||
242 | if (!ima_initialized || !S_ISREG(inode->i_mode)) | ||
243 | return; | ||
244 | iint = ima_iint_find_insert_get(inode); | ||
245 | if (!iint) | ||
246 | return; | ||
247 | mutex_lock(&iint->mutex); | ||
248 | iint->opencount++; | ||
249 | mutex_unlock(&iint->mutex); | ||
250 | } | ||
251 | |||
252 | /** | ||
253 | * ima_file_mmap - based on policy, collect/store measurement. | ||
254 | * @file: pointer to the file to be measured (May be NULL) | ||
255 | * @prot: contains the protection that will be applied by the kernel. | ||
256 | * | ||
257 | * Measure files being mmapped executable based on the ima_must_measure() | ||
258 | * policy decision. | ||
259 | * | ||
260 | * Return 0 on success, an error code on failure. | ||
261 | * (Based on the results of appraise_measurement().) | ||
262 | */ | ||
263 | int ima_file_mmap(struct file *file, unsigned long prot) | ||
264 | { | ||
265 | int rc; | ||
266 | |||
267 | if (!file) | ||
268 | return 0; | ||
269 | if (prot & PROT_EXEC) | ||
270 | rc = process_measurement(file, file->f_dentry->d_name.name, | ||
271 | MAY_EXEC, FILE_MMAP); | ||
272 | return 0; | ||
273 | } | ||
274 | |||
275 | /* | ||
276 | * ima_shm_check - IPC shm and shmat create/fput a file | ||
277 | * | ||
278 | * Maintain the opencount for these files to prevent unnecessary | ||
279 | * imbalance messages. | ||
280 | */ | ||
281 | void ima_shm_check(struct file *file) | ||
282 | { | ||
283 | opencount_get(file); | ||
284 | return; | ||
285 | } | ||
286 | |||
287 | /** | ||
288 | * ima_bprm_check - based on policy, collect/store measurement. | ||
289 | * @bprm: contains the linux_binprm structure | ||
290 | * | ||
291 | * The OS protects against an executable file, already open for write, | ||
292 | * from being executed in deny_write_access() and an executable file, | ||
293 | * already open for execute, from being modified in get_write_access(). | ||
294 | * So we can be certain that what we verify and measure here is actually | ||
295 | * what is being executed. | ||
296 | * | ||
297 | * Return 0 on success, an error code on failure. | ||
298 | * (Based on the results of appraise_measurement().) | ||
299 | */ | ||
300 | int ima_bprm_check(struct linux_binprm *bprm) | ||
301 | { | ||
302 | int rc; | ||
303 | |||
304 | rc = process_measurement(bprm->file, bprm->filename, | ||
305 | MAY_EXEC, BPRM_CHECK); | ||
306 | return 0; | ||
307 | } | ||
308 | |||
309 | static int __init init_ima(void) | ||
310 | { | ||
311 | int error; | ||
312 | |||
313 | ima_iintcache_init(); | ||
314 | error = ima_init(); | ||
315 | ima_initialized = 1; | ||
316 | return error; | ||
317 | } | ||
318 | |||
319 | static void __exit cleanup_ima(void) | ||
320 | { | ||
321 | ima_cleanup(); | ||
322 | } | ||
323 | |||
324 | late_initcall(init_ima); /* Start IMA after the TPM is available */ | ||
325 | |||
326 | MODULE_DESCRIPTION("Integrity Measurement Architecture"); | ||
327 | MODULE_LICENSE("GPL"); | ||
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c new file mode 100644 index 000000000000..b5291ad5ef56 --- /dev/null +++ b/security/integrity/ima/ima_policy.c | |||
@@ -0,0 +1,414 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2008 IBM Corporation | ||
3 | * Author: Mimi Zohar <zohar@us.ibm.com> | ||
4 | * | ||
5 | * This program is free software; you can redistribute it and/or modify | ||
6 | * it under the terms of the GNU General Public License as published by | ||
7 | * the Free Software Foundation, version 2 of the License. | ||
8 | * | ||
9 | * ima_policy.c | ||
10 | * - initialize default measure policy rules | ||
11 | * | ||
12 | */ | ||
13 | #include <linux/module.h> | ||
14 | #include <linux/list.h> | ||
15 | #include <linux/security.h> | ||
16 | #include <linux/magic.h> | ||
17 | #include <linux/parser.h> | ||
18 | |||
19 | #include "ima.h" | ||
20 | |||
21 | /* flags definitions */ | ||
22 | #define IMA_FUNC 0x0001 | ||
23 | #define IMA_MASK 0x0002 | ||
24 | #define IMA_FSMAGIC 0x0004 | ||
25 | #define IMA_UID 0x0008 | ||
26 | |||
27 | enum ima_action { UNKNOWN = -1, DONT_MEASURE = 0, MEASURE }; | ||
28 | |||
29 | #define MAX_LSM_RULES 6 | ||
30 | enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, | ||
31 | LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE | ||
32 | }; | ||
33 | |||
34 | struct ima_measure_rule_entry { | ||
35 | struct list_head list; | ||
36 | enum ima_action action; | ||
37 | unsigned int flags; | ||
38 | enum ima_hooks func; | ||
39 | int mask; | ||
40 | unsigned long fsmagic; | ||
41 | uid_t uid; | ||
42 | struct { | ||
43 | void *rule; /* LSM file metadata specific */ | ||
44 | int type; /* audit type */ | ||
45 | } lsm[MAX_LSM_RULES]; | ||
46 | }; | ||
47 | |||
48 | /* Without LSM specific knowledge, the default policy can only be | ||
49 | * written in terms of .action, .func, .mask, .fsmagic, and .uid | ||
50 | */ | ||
51 | static struct ima_measure_rule_entry default_rules[] = { | ||
52 | {.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC, | ||
53 | .flags = IMA_FSMAGIC}, | ||
54 | {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC}, | ||
55 | {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC}, | ||
56 | {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC}, | ||
57 | {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC, | ||
58 | .flags = IMA_FSMAGIC}, | ||
59 | {.action = DONT_MEASURE,.fsmagic = 0xF97CFF8C,.flags = IMA_FSMAGIC}, | ||
60 | {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC, | ||
61 | .flags = IMA_FUNC | IMA_MASK}, | ||
62 | {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC, | ||
63 | .flags = IMA_FUNC | IMA_MASK}, | ||
64 | {.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0, | ||
65 | .flags = IMA_FUNC | IMA_MASK | IMA_UID} | ||
66 | }; | ||
67 | |||
68 | static LIST_HEAD(measure_default_rules); | ||
69 | static LIST_HEAD(measure_policy_rules); | ||
70 | static struct list_head *ima_measure; | ||
71 | |||
72 | static DEFINE_MUTEX(ima_measure_mutex); | ||
73 | |||
74 | /** | ||
75 | * ima_match_rules - determine whether an inode matches the measure rule. | ||
76 | * @rule: a pointer to a rule | ||
77 | * @inode: a pointer to an inode | ||
78 | * @func: LIM hook identifier | ||
79 | * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) | ||
80 | * | ||
81 | * Returns true on rule match, false on failure. | ||
82 | */ | ||
83 | static bool ima_match_rules(struct ima_measure_rule_entry *rule, | ||
84 | struct inode *inode, enum ima_hooks func, int mask) | ||
85 | { | ||
86 | struct task_struct *tsk = current; | ||
87 | int i; | ||
88 | |||
89 | if ((rule->flags & IMA_FUNC) && rule->func != func) | ||
90 | return false; | ||
91 | if ((rule->flags & IMA_MASK) && rule->mask != mask) | ||
92 | return false; | ||
93 | if ((rule->flags & IMA_FSMAGIC) | ||
94 | && rule->fsmagic != inode->i_sb->s_magic) | ||
95 | return false; | ||
96 | if ((rule->flags & IMA_UID) && rule->uid != tsk->cred->uid) | ||
97 | return false; | ||
98 | for (i = 0; i < MAX_LSM_RULES; i++) { | ||
99 | int rc; | ||
100 | u32 osid, sid; | ||
101 | |||
102 | if (!rule->lsm[i].rule) | ||
103 | continue; | ||
104 | |||
105 | switch (i) { | ||
106 | case LSM_OBJ_USER: | ||
107 | case LSM_OBJ_ROLE: | ||
108 | case LSM_OBJ_TYPE: | ||
109 | security_inode_getsecid(inode, &osid); | ||
110 | rc = security_filter_rule_match(osid, | ||
111 | rule->lsm[i].type, | ||
112 | AUDIT_EQUAL, | ||
113 | rule->lsm[i].rule, | ||
114 | NULL); | ||
115 | break; | ||
116 | case LSM_SUBJ_USER: | ||
117 | case LSM_SUBJ_ROLE: | ||
118 | case LSM_SUBJ_TYPE: | ||
119 | security_task_getsecid(tsk, &sid); | ||
120 | rc = security_filter_rule_match(sid, | ||
121 | rule->lsm[i].type, | ||
122 | AUDIT_EQUAL, | ||
123 | rule->lsm[i].rule, | ||
124 | NULL); | ||
125 | default: | ||
126 | break; | ||
127 | } | ||
128 | if (!rc) | ||
129 | return false; | ||
130 | } | ||
131 | return true; | ||
132 | } | ||
133 | |||
134 | /** | ||
135 | * ima_match_policy - decision based on LSM and other conditions | ||
136 | * @inode: pointer to an inode for which the policy decision is being made | ||
137 | * @func: IMA hook identifier | ||
138 | * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) | ||
139 | * | ||
140 | * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) | ||
141 | * conditions. | ||
142 | * | ||
143 | * (There is no need for locking when walking the policy list, | ||
144 | * as elements in the list are never deleted, nor does the list | ||
145 | * change.) | ||
146 | */ | ||
147 | int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask) | ||
148 | { | ||
149 | struct ima_measure_rule_entry *entry; | ||
150 | |||
151 | list_for_each_entry(entry, ima_measure, list) { | ||
152 | bool rc; | ||
153 | |||
154 | rc = ima_match_rules(entry, inode, func, mask); | ||
155 | if (rc) | ||
156 | return entry->action; | ||
157 | } | ||
158 | return 0; | ||
159 | } | ||
160 | |||
161 | /** | ||
162 | * ima_init_policy - initialize the default measure rules. | ||
163 | * | ||
164 | * ima_measure points to either the measure_default_rules or the | ||
165 | * the new measure_policy_rules. | ||
166 | */ | ||
167 | void ima_init_policy(void) | ||
168 | { | ||
169 | int i; | ||
170 | |||
171 | for (i = 0; i < ARRAY_SIZE(default_rules); i++) | ||
172 | list_add_tail(&default_rules[i].list, &measure_default_rules); | ||
173 | ima_measure = &measure_default_rules; | ||
174 | } | ||
175 | |||
176 | /** | ||
177 | * ima_update_policy - update default_rules with new measure rules | ||
178 | * | ||
179 | * Called on file .release to update the default rules with a complete new | ||
180 | * policy. Once updated, the policy is locked, no additional rules can be | ||
181 | * added to the policy. | ||
182 | */ | ||
183 | void ima_update_policy(void) | ||
184 | { | ||
185 | const char *op = "policy_update"; | ||
186 | const char *cause = "already exists"; | ||
187 | int result = 1; | ||
188 | int audit_info = 0; | ||
189 | |||
190 | if (ima_measure == &measure_default_rules) { | ||
191 | ima_measure = &measure_policy_rules; | ||
192 | cause = "complete"; | ||
193 | result = 0; | ||
194 | } | ||
195 | integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, | ||
196 | NULL, op, cause, result, audit_info); | ||
197 | } | ||
198 | |||
199 | enum { | ||
200 | Opt_err = -1, | ||
201 | Opt_measure = 1, Opt_dont_measure, | ||
202 | Opt_obj_user, Opt_obj_role, Opt_obj_type, | ||
203 | Opt_subj_user, Opt_subj_role, Opt_subj_type, | ||
204 | Opt_func, Opt_mask, Opt_fsmagic, Opt_uid | ||
205 | }; | ||
206 | |||
207 | static match_table_t policy_tokens = { | ||
208 | {Opt_measure, "measure"}, | ||
209 | {Opt_dont_measure, "dont_measure"}, | ||
210 | {Opt_obj_user, "obj_user=%s"}, | ||
211 | {Opt_obj_role, "obj_role=%s"}, | ||
212 | {Opt_obj_type, "obj_type=%s"}, | ||
213 | {Opt_subj_user, "subj_user=%s"}, | ||
214 | {Opt_subj_role, "subj_role=%s"}, | ||
215 | {Opt_subj_type, "subj_type=%s"}, | ||
216 | {Opt_func, "func=%s"}, | ||
217 | {Opt_mask, "mask=%s"}, | ||
218 | {Opt_fsmagic, "fsmagic=%s"}, | ||
219 | {Opt_uid, "uid=%s"}, | ||
220 | {Opt_err, NULL} | ||
221 | }; | ||
222 | |||
223 | static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry, | ||
224 | char *args, int lsm_rule, int audit_type) | ||
225 | { | ||
226 | int result; | ||
227 | |||
228 | entry->lsm[lsm_rule].type = audit_type; | ||
229 | result = security_filter_rule_init(entry->lsm[lsm_rule].type, | ||
230 | AUDIT_EQUAL, args, | ||
231 | &entry->lsm[lsm_rule].rule); | ||
232 | return result; | ||
233 | } | ||
234 | |||
235 | static int ima_parse_rule(char *rule, struct ima_measure_rule_entry *entry) | ||
236 | { | ||
237 | struct audit_buffer *ab; | ||
238 | char *p; | ||
239 | int result = 0; | ||
240 | |||
241 | ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_RULE); | ||
242 | |||
243 | entry->action = -1; | ||
244 | while ((p = strsep(&rule, " \n")) != NULL) { | ||
245 | substring_t args[MAX_OPT_ARGS]; | ||
246 | int token; | ||
247 | unsigned long lnum; | ||
248 | |||
249 | if (result < 0) | ||
250 | break; | ||
251 | if (!*p) | ||
252 | continue; | ||
253 | token = match_token(p, policy_tokens, args); | ||
254 | switch (token) { | ||
255 | case Opt_measure: | ||
256 | audit_log_format(ab, "%s ", "measure"); | ||
257 | entry->action = MEASURE; | ||
258 | break; | ||
259 | case Opt_dont_measure: | ||
260 | audit_log_format(ab, "%s ", "dont_measure"); | ||
261 | entry->action = DONT_MEASURE; | ||
262 | break; | ||
263 | case Opt_func: | ||
264 | audit_log_format(ab, "func=%s ", args[0].from); | ||
265 | if (strcmp(args[0].from, "PATH_CHECK") == 0) | ||
266 | entry->func = PATH_CHECK; | ||
267 | else if (strcmp(args[0].from, "FILE_MMAP") == 0) | ||
268 | entry->func = FILE_MMAP; | ||
269 | else if (strcmp(args[0].from, "BPRM_CHECK") == 0) | ||
270 | entry->func = BPRM_CHECK; | ||
271 | else | ||
272 | result = -EINVAL; | ||
273 | if (!result) | ||
274 | entry->flags |= IMA_FUNC; | ||
275 | break; | ||
276 | case Opt_mask: | ||
277 | audit_log_format(ab, "mask=%s ", args[0].from); | ||
278 | if ((strcmp(args[0].from, "MAY_EXEC")) == 0) | ||
279 | entry->mask = MAY_EXEC; | ||
280 | else if (strcmp(args[0].from, "MAY_WRITE") == 0) | ||
281 | entry->mask = MAY_WRITE; | ||
282 | else if (strcmp(args[0].from, "MAY_READ") == 0) | ||
283 | entry->mask = MAY_READ; | ||
284 | else if (strcmp(args[0].from, "MAY_APPEND") == 0) | ||
285 | entry->mask = MAY_APPEND; | ||
286 | else | ||
287 | result = -EINVAL; | ||
288 | if (!result) | ||
289 | entry->flags |= IMA_MASK; | ||
290 | break; | ||
291 | case Opt_fsmagic: | ||
292 | audit_log_format(ab, "fsmagic=%s ", args[0].from); | ||
293 | result = strict_strtoul(args[0].from, 16, | ||
294 | &entry->fsmagic); | ||
295 | if (!result) | ||
296 | entry->flags |= IMA_FSMAGIC; | ||
297 | break; | ||
298 | case Opt_uid: | ||
299 | audit_log_format(ab, "uid=%s ", args[0].from); | ||
300 | result = strict_strtoul(args[0].from, 10, &lnum); | ||
301 | if (!result) { | ||
302 | entry->uid = (uid_t) lnum; | ||
303 | if (entry->uid != lnum) | ||
304 | result = -EINVAL; | ||
305 | else | ||
306 | entry->flags |= IMA_UID; | ||
307 | } | ||
308 | break; | ||
309 | case Opt_obj_user: | ||
310 | audit_log_format(ab, "obj_user=%s ", args[0].from); | ||
311 | result = ima_lsm_rule_init(entry, args[0].from, | ||
312 | LSM_OBJ_USER, | ||
313 | AUDIT_OBJ_USER); | ||
314 | break; | ||
315 | case Opt_obj_role: | ||
316 | audit_log_format(ab, "obj_role=%s ", args[0].from); | ||
317 | result = ima_lsm_rule_init(entry, args[0].from, | ||
318 | LSM_OBJ_ROLE, | ||
319 | AUDIT_OBJ_ROLE); | ||
320 | break; | ||
321 | case Opt_obj_type: | ||
322 | audit_log_format(ab, "obj_type=%s ", args[0].from); | ||
323 | result = ima_lsm_rule_init(entry, args[0].from, | ||
324 | LSM_OBJ_TYPE, | ||
325 | AUDIT_OBJ_TYPE); | ||
326 | break; | ||
327 | case Opt_subj_user: | ||
328 | audit_log_format(ab, "subj_user=%s ", args[0].from); | ||
329 | result = ima_lsm_rule_init(entry, args[0].from, | ||
330 | LSM_SUBJ_USER, | ||
331 | AUDIT_SUBJ_USER); | ||
332 | break; | ||
333 | case Opt_subj_role: | ||
334 | audit_log_format(ab, "subj_role=%s ", args[0].from); | ||
335 | result = ima_lsm_rule_init(entry, args[0].from, | ||
336 | LSM_SUBJ_ROLE, | ||
337 | AUDIT_SUBJ_ROLE); | ||
338 | break; | ||
339 | case Opt_subj_type: | ||
340 | audit_log_format(ab, "subj_type=%s ", args[0].from); | ||
341 | result = ima_lsm_rule_init(entry, args[0].from, | ||
342 | LSM_SUBJ_TYPE, | ||
343 | AUDIT_SUBJ_TYPE); | ||
344 | break; | ||
345 | case Opt_err: | ||
346 | audit_log_format(ab, "UNKNOWN=%s ", p); | ||
347 | break; | ||
348 | } | ||
349 | } | ||
350 | if (entry->action == UNKNOWN) | ||
351 | result = -EINVAL; | ||
352 | |||
353 | audit_log_format(ab, "res=%d", !result ? 0 : 1); | ||
354 | audit_log_end(ab); | ||
355 | return result; | ||
356 | } | ||
357 | |||
358 | /** | ||
359 | * ima_parse_add_rule - add a rule to measure_policy_rules | ||
360 | * @rule - ima measurement policy rule | ||
361 | * | ||
362 | * Uses a mutex to protect the policy list from multiple concurrent writers. | ||
363 | * Returns 0 on success, an error code on failure. | ||
364 | */ | ||
365 | int ima_parse_add_rule(char *rule) | ||
366 | { | ||
367 | const char *op = "update_policy"; | ||
368 | struct ima_measure_rule_entry *entry; | ||
369 | int result = 0; | ||
370 | int audit_info = 0; | ||
371 | |||
372 | /* Prevent installed policy from changing */ | ||
373 | if (ima_measure != &measure_default_rules) { | ||
374 | integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, | ||
375 | NULL, op, "already exists", | ||
376 | -EACCES, audit_info); | ||
377 | return -EACCES; | ||
378 | } | ||
379 | |||
380 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | ||
381 | if (!entry) { | ||
382 | integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, | ||
383 | NULL, op, "-ENOMEM", -ENOMEM, audit_info); | ||
384 | return -ENOMEM; | ||
385 | } | ||
386 | |||
387 | INIT_LIST_HEAD(&entry->list); | ||
388 | |||
389 | result = ima_parse_rule(rule, entry); | ||
390 | if (!result) { | ||
391 | mutex_lock(&ima_measure_mutex); | ||
392 | list_add_tail(&entry->list, &measure_policy_rules); | ||
393 | mutex_unlock(&ima_measure_mutex); | ||
394 | } else { | ||
395 | kfree(entry); | ||
396 | integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, | ||
397 | NULL, op, "invalid policy", result, | ||
398 | audit_info); | ||
399 | } | ||
400 | return result; | ||
401 | } | ||
402 | |||
403 | /* ima_delete_rules called to cleanup invalid policy */ | ||
404 | void ima_delete_rules(void) | ||
405 | { | ||
406 | struct ima_measure_rule_entry *entry, *tmp; | ||
407 | |||
408 | mutex_lock(&ima_measure_mutex); | ||
409 | list_for_each_entry_safe(entry, tmp, &measure_policy_rules, list) { | ||
410 | list_del(&entry->list); | ||
411 | kfree(entry); | ||
412 | } | ||
413 | mutex_unlock(&ima_measure_mutex); | ||
414 | } | ||
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c new file mode 100644 index 000000000000..7ec94314ac0c --- /dev/null +++ b/security/integrity/ima/ima_queue.c | |||
@@ -0,0 +1,140 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2005,2006,2007,2008 IBM Corporation | ||
3 | * | ||
4 | * Authors: | ||
5 | * Serge Hallyn <serue@us.ibm.com> | ||
6 | * Reiner Sailer <sailer@watson.ibm.com> | ||
7 | * Mimi Zohar <zohar@us.ibm.com> | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or | ||
10 | * modify it under the terms of the GNU General Public License as | ||
11 | * published by the Free Software Foundation, version 2 of the | ||
12 | * License. | ||
13 | * | ||
14 | * File: ima_queue.c | ||
15 | * Implements queues that store template measurements and | ||
16 | * maintains aggregate over the stored measurements | ||
17 | * in the pre-configured TPM PCR (if available). | ||
18 | * The measurement list is append-only. No entry is | ||
19 | * ever removed or changed during the boot-cycle. | ||
20 | */ | ||
21 | #include <linux/module.h> | ||
22 | #include <linux/rculist.h> | ||
23 | #include "ima.h" | ||
24 | |||
25 | LIST_HEAD(ima_measurements); /* list of all measurements */ | ||
26 | |||
27 | /* key: inode (before secure-hashing a file) */ | ||
28 | struct ima_h_table ima_htable = { | ||
29 | .len = ATOMIC_LONG_INIT(0), | ||
30 | .violations = ATOMIC_LONG_INIT(0), | ||
31 | .queue[0 ... IMA_MEASURE_HTABLE_SIZE - 1] = HLIST_HEAD_INIT | ||
32 | }; | ||
33 | |||
34 | /* mutex protects atomicity of extending measurement list | ||
35 | * and extending the TPM PCR aggregate. Since tpm_extend can take | ||
36 | * long (and the tpm driver uses a mutex), we can't use the spinlock. | ||
37 | */ | ||
38 | static DEFINE_MUTEX(ima_extend_list_mutex); | ||
39 | |||
40 | /* lookup up the digest value in the hash table, and return the entry */ | ||
41 | static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value) | ||
42 | { | ||
43 | struct ima_queue_entry *qe, *ret = NULL; | ||
44 | unsigned int key; | ||
45 | struct hlist_node *pos; | ||
46 | int rc; | ||
47 | |||
48 | key = ima_hash_key(digest_value); | ||
49 | rcu_read_lock(); | ||
50 | hlist_for_each_entry_rcu(qe, pos, &ima_htable.queue[key], hnext) { | ||
51 | rc = memcmp(qe->entry->digest, digest_value, IMA_DIGEST_SIZE); | ||
52 | if (rc == 0) { | ||
53 | ret = qe; | ||
54 | break; | ||
55 | } | ||
56 | } | ||
57 | rcu_read_unlock(); | ||
58 | return ret; | ||
59 | } | ||
60 | |||
61 | /* ima_add_template_entry helper function: | ||
62 | * - Add template entry to measurement list and hash table. | ||
63 | * | ||
64 | * (Called with ima_extend_list_mutex held.) | ||
65 | */ | ||
66 | static int ima_add_digest_entry(struct ima_template_entry *entry) | ||
67 | { | ||
68 | struct ima_queue_entry *qe; | ||
69 | unsigned int key; | ||
70 | |||
71 | qe = kmalloc(sizeof(*qe), GFP_KERNEL); | ||
72 | if (qe == NULL) { | ||
73 | pr_err("OUT OF MEMORY ERROR creating queue entry.\n"); | ||
74 | return -ENOMEM; | ||
75 | } | ||
76 | qe->entry = entry; | ||
77 | |||
78 | INIT_LIST_HEAD(&qe->later); | ||
79 | list_add_tail_rcu(&qe->later, &ima_measurements); | ||
80 | |||
81 | atomic_long_inc(&ima_htable.len); | ||
82 | key = ima_hash_key(entry->digest); | ||
83 | hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]); | ||
84 | return 0; | ||
85 | } | ||
86 | |||
87 | static int ima_pcr_extend(const u8 *hash) | ||
88 | { | ||
89 | int result = 0; | ||
90 | |||
91 | if (!ima_used_chip) | ||
92 | return result; | ||
93 | |||
94 | result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash); | ||
95 | if (result != 0) | ||
96 | pr_err("Error Communicating to TPM chip\n"); | ||
97 | return result; | ||
98 | } | ||
99 | |||
100 | /* Add template entry to the measurement list and hash table, | ||
101 | * and extend the pcr. | ||
102 | */ | ||
103 | int ima_add_template_entry(struct ima_template_entry *entry, int violation, | ||
104 | const char *op, struct inode *inode) | ||
105 | { | ||
106 | u8 digest[IMA_DIGEST_SIZE]; | ||
107 | const char *audit_cause = "hash_added"; | ||
108 | int audit_info = 1; | ||
109 | int result = 0; | ||
110 | |||
111 | mutex_lock(&ima_extend_list_mutex); | ||
112 | if (!violation) { | ||
113 | memcpy(digest, entry->digest, sizeof digest); | ||
114 | if (ima_lookup_digest_entry(digest)) { | ||
115 | audit_cause = "hash_exists"; | ||
116 | goto out; | ||
117 | } | ||
118 | } | ||
119 | |||
120 | result = ima_add_digest_entry(entry); | ||
121 | if (result < 0) { | ||
122 | audit_cause = "ENOMEM"; | ||
123 | audit_info = 0; | ||
124 | goto out; | ||
125 | } | ||
126 | |||
127 | if (violation) /* invalidate pcr */ | ||
128 | memset(digest, 0xff, sizeof digest); | ||
129 | |||
130 | result = ima_pcr_extend(digest); | ||
131 | if (result != 0) { | ||
132 | audit_cause = "TPM error"; | ||
133 | audit_info = 0; | ||
134 | } | ||
135 | out: | ||
136 | mutex_unlock(&ima_extend_list_mutex); | ||
137 | integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, entry->template_name, | ||
138 | op, audit_cause, result, audit_info); | ||
139 | return result; | ||
140 | } | ||
diff --git a/security/keys/internal.h b/security/keys/internal.h index 81932abefe7b..9fb679c66b8a 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h | |||
@@ -53,6 +53,7 @@ struct key_user { | |||
53 | atomic_t nkeys; /* number of keys */ | 53 | atomic_t nkeys; /* number of keys */ |
54 | atomic_t nikeys; /* number of instantiated keys */ | 54 | atomic_t nikeys; /* number of instantiated keys */ |
55 | uid_t uid; | 55 | uid_t uid; |
56 | struct user_namespace *user_ns; | ||
56 | int qnkeys; /* number of keys allocated to this user */ | 57 | int qnkeys; /* number of keys allocated to this user */ |
57 | int qnbytes; /* number of bytes allocated to this user */ | 58 | int qnbytes; /* number of bytes allocated to this user */ |
58 | }; | 59 | }; |
@@ -61,7 +62,8 @@ extern struct rb_root key_user_tree; | |||
61 | extern spinlock_t key_user_lock; | 62 | extern spinlock_t key_user_lock; |
62 | extern struct key_user root_key_user; | 63 | extern struct key_user root_key_user; |
63 | 64 | ||
64 | extern struct key_user *key_user_lookup(uid_t uid); | 65 | extern struct key_user *key_user_lookup(uid_t uid, |
66 | struct user_namespace *user_ns); | ||
65 | extern void key_user_put(struct key_user *user); | 67 | extern void key_user_put(struct key_user *user); |
66 | 68 | ||
67 | /* | 69 | /* |
diff --git a/security/keys/key.c b/security/keys/key.c index f76c8a546fd3..4a1297d1ada4 100644 --- a/security/keys/key.c +++ b/security/keys/key.c | |||
@@ -18,6 +18,7 @@ | |||
18 | #include <linux/workqueue.h> | 18 | #include <linux/workqueue.h> |
19 | #include <linux/random.h> | 19 | #include <linux/random.h> |
20 | #include <linux/err.h> | 20 | #include <linux/err.h> |
21 | #include <linux/user_namespace.h> | ||
21 | #include "internal.h" | 22 | #include "internal.h" |
22 | 23 | ||
23 | static struct kmem_cache *key_jar; | 24 | static struct kmem_cache *key_jar; |
@@ -60,7 +61,7 @@ void __key_check(const struct key *key) | |||
60 | * get the key quota record for a user, allocating a new record if one doesn't | 61 | * get the key quota record for a user, allocating a new record if one doesn't |
61 | * already exist | 62 | * already exist |
62 | */ | 63 | */ |
63 | struct key_user *key_user_lookup(uid_t uid) | 64 | struct key_user *key_user_lookup(uid_t uid, struct user_namespace *user_ns) |
64 | { | 65 | { |
65 | struct key_user *candidate = NULL, *user; | 66 | struct key_user *candidate = NULL, *user; |
66 | struct rb_node *parent = NULL; | 67 | struct rb_node *parent = NULL; |
@@ -79,6 +80,10 @@ struct key_user *key_user_lookup(uid_t uid) | |||
79 | p = &(*p)->rb_left; | 80 | p = &(*p)->rb_left; |
80 | else if (uid > user->uid) | 81 | else if (uid > user->uid) |
81 | p = &(*p)->rb_right; | 82 | p = &(*p)->rb_right; |
83 | else if (user_ns < user->user_ns) | ||
84 | p = &(*p)->rb_left; | ||
85 | else if (user_ns > user->user_ns) | ||
86 | p = &(*p)->rb_right; | ||
82 | else | 87 | else |
83 | goto found; | 88 | goto found; |
84 | } | 89 | } |
@@ -106,6 +111,7 @@ struct key_user *key_user_lookup(uid_t uid) | |||
106 | atomic_set(&candidate->nkeys, 0); | 111 | atomic_set(&candidate->nkeys, 0); |
107 | atomic_set(&candidate->nikeys, 0); | 112 | atomic_set(&candidate->nikeys, 0); |
108 | candidate->uid = uid; | 113 | candidate->uid = uid; |
114 | candidate->user_ns = get_user_ns(user_ns); | ||
109 | candidate->qnkeys = 0; | 115 | candidate->qnkeys = 0; |
110 | candidate->qnbytes = 0; | 116 | candidate->qnbytes = 0; |
111 | spin_lock_init(&candidate->lock); | 117 | spin_lock_init(&candidate->lock); |
@@ -136,6 +142,7 @@ void key_user_put(struct key_user *user) | |||
136 | if (atomic_dec_and_lock(&user->usage, &key_user_lock)) { | 142 | if (atomic_dec_and_lock(&user->usage, &key_user_lock)) { |
137 | rb_erase(&user->node, &key_user_tree); | 143 | rb_erase(&user->node, &key_user_tree); |
138 | spin_unlock(&key_user_lock); | 144 | spin_unlock(&key_user_lock); |
145 | put_user_ns(user->user_ns); | ||
139 | 146 | ||
140 | kfree(user); | 147 | kfree(user); |
141 | } | 148 | } |
@@ -234,7 +241,7 @@ struct key *key_alloc(struct key_type *type, const char *desc, | |||
234 | quotalen = desclen + type->def_datalen; | 241 | quotalen = desclen + type->def_datalen; |
235 | 242 | ||
236 | /* get hold of the key tracking for this user */ | 243 | /* get hold of the key tracking for this user */ |
237 | user = key_user_lookup(uid); | 244 | user = key_user_lookup(uid, cred->user->user_ns); |
238 | if (!user) | 245 | if (!user) |
239 | goto no_memory_1; | 246 | goto no_memory_1; |
240 | 247 | ||
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index b1ec3b4ee17d..7f09fb897d2b 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
@@ -726,7 +726,7 @@ long keyctl_chown_key(key_serial_t id, uid_t uid, gid_t gid) | |||
726 | /* change the UID */ | 726 | /* change the UID */ |
727 | if (uid != (uid_t) -1 && uid != key->uid) { | 727 | if (uid != (uid_t) -1 && uid != key->uid) { |
728 | ret = -ENOMEM; | 728 | ret = -ENOMEM; |
729 | newowner = key_user_lookup(uid); | 729 | newowner = key_user_lookup(uid, current_user_ns()); |
730 | if (!newowner) | 730 | if (!newowner) |
731 | goto error_put; | 731 | goto error_put; |
732 | 732 | ||
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index ed851574d073..3dba81c2eba3 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c | |||
@@ -539,6 +539,9 @@ struct key *find_keyring_by_name(const char *name, bool skip_perm_check) | |||
539 | &keyring_name_hash[bucket], | 539 | &keyring_name_hash[bucket], |
540 | type_data.link | 540 | type_data.link |
541 | ) { | 541 | ) { |
542 | if (keyring->user->user_ns != current_user_ns()) | ||
543 | continue; | ||
544 | |||
542 | if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) | 545 | if (test_bit(KEY_FLAG_REVOKED, &keyring->flags)) |
543 | continue; | 546 | continue; |
544 | 547 | ||
diff --git a/security/keys/permission.c b/security/keys/permission.c index 5d9fc7b93f2e..0ed802c9e698 100644 --- a/security/keys/permission.c +++ b/security/keys/permission.c | |||
@@ -35,6 +35,9 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred, | |||
35 | 35 | ||
36 | key = key_ref_to_ptr(key_ref); | 36 | key = key_ref_to_ptr(key_ref); |
37 | 37 | ||
38 | if (key->user->user_ns != cred->user->user_ns) | ||
39 | goto use_other_perms; | ||
40 | |||
38 | /* use the second 8-bits of permissions for keys the caller owns */ | 41 | /* use the second 8-bits of permissions for keys the caller owns */ |
39 | if (key->uid == cred->fsuid) { | 42 | if (key->uid == cred->fsuid) { |
40 | kperm = key->perm >> 16; | 43 | kperm = key->perm >> 16; |
@@ -56,6 +59,8 @@ int key_task_permission(const key_ref_t key_ref, const struct cred *cred, | |||
56 | } | 59 | } |
57 | } | 60 | } |
58 | 61 | ||
62 | use_other_perms: | ||
63 | |||
59 | /* otherwise use the least-significant 8-bits */ | 64 | /* otherwise use the least-significant 8-bits */ |
60 | kperm = key->perm; | 65 | kperm = key->perm; |
61 | 66 | ||
diff --git a/security/keys/proc.c b/security/keys/proc.c index 7f508def50e3..769f9bdfd2b3 100644 --- a/security/keys/proc.c +++ b/security/keys/proc.c | |||
@@ -91,6 +91,28 @@ __initcall(key_proc_init); | |||
91 | */ | 91 | */ |
92 | #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS | 92 | #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS |
93 | 93 | ||
94 | static struct rb_node *__key_serial_next(struct rb_node *n) | ||
95 | { | ||
96 | while (n) { | ||
97 | struct key *key = rb_entry(n, struct key, serial_node); | ||
98 | if (key->user->user_ns == current_user_ns()) | ||
99 | break; | ||
100 | n = rb_next(n); | ||
101 | } | ||
102 | return n; | ||
103 | } | ||
104 | |||
105 | static struct rb_node *key_serial_next(struct rb_node *n) | ||
106 | { | ||
107 | return __key_serial_next(rb_next(n)); | ||
108 | } | ||
109 | |||
110 | static struct rb_node *key_serial_first(struct rb_root *r) | ||
111 | { | ||
112 | struct rb_node *n = rb_first(r); | ||
113 | return __key_serial_next(n); | ||
114 | } | ||
115 | |||
94 | static int proc_keys_open(struct inode *inode, struct file *file) | 116 | static int proc_keys_open(struct inode *inode, struct file *file) |
95 | { | 117 | { |
96 | return seq_open(file, &proc_keys_ops); | 118 | return seq_open(file, &proc_keys_ops); |
@@ -104,10 +126,10 @@ static void *proc_keys_start(struct seq_file *p, loff_t *_pos) | |||
104 | 126 | ||
105 | spin_lock(&key_serial_lock); | 127 | spin_lock(&key_serial_lock); |
106 | 128 | ||
107 | _p = rb_first(&key_serial_tree); | 129 | _p = key_serial_first(&key_serial_tree); |
108 | while (pos > 0 && _p) { | 130 | while (pos > 0 && _p) { |
109 | pos--; | 131 | pos--; |
110 | _p = rb_next(_p); | 132 | _p = key_serial_next(_p); |
111 | } | 133 | } |
112 | 134 | ||
113 | return _p; | 135 | return _p; |
@@ -117,7 +139,7 @@ static void *proc_keys_start(struct seq_file *p, loff_t *_pos) | |||
117 | static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos) | 139 | static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos) |
118 | { | 140 | { |
119 | (*_pos)++; | 141 | (*_pos)++; |
120 | return rb_next((struct rb_node *) v); | 142 | return key_serial_next((struct rb_node *) v); |
121 | 143 | ||
122 | } | 144 | } |
123 | 145 | ||
@@ -203,6 +225,27 @@ static int proc_keys_show(struct seq_file *m, void *v) | |||
203 | 225 | ||
204 | #endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */ | 226 | #endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */ |
205 | 227 | ||
228 | static struct rb_node *__key_user_next(struct rb_node *n) | ||
229 | { | ||
230 | while (n) { | ||
231 | struct key_user *user = rb_entry(n, struct key_user, node); | ||
232 | if (user->user_ns == current_user_ns()) | ||
233 | break; | ||
234 | n = rb_next(n); | ||
235 | } | ||
236 | return n; | ||
237 | } | ||
238 | |||
239 | static struct rb_node *key_user_next(struct rb_node *n) | ||
240 | { | ||
241 | return __key_user_next(rb_next(n)); | ||
242 | } | ||
243 | |||
244 | static struct rb_node *key_user_first(struct rb_root *r) | ||
245 | { | ||
246 | struct rb_node *n = rb_first(r); | ||
247 | return __key_user_next(n); | ||
248 | } | ||
206 | /*****************************************************************************/ | 249 | /*****************************************************************************/ |
207 | /* | 250 | /* |
208 | * implement "/proc/key-users" to provides a list of the key users | 251 | * implement "/proc/key-users" to provides a list of the key users |
@@ -220,10 +263,10 @@ static void *proc_key_users_start(struct seq_file *p, loff_t *_pos) | |||
220 | 263 | ||
221 | spin_lock(&key_user_lock); | 264 | spin_lock(&key_user_lock); |
222 | 265 | ||
223 | _p = rb_first(&key_user_tree); | 266 | _p = key_user_first(&key_user_tree); |
224 | while (pos > 0 && _p) { | 267 | while (pos > 0 && _p) { |
225 | pos--; | 268 | pos--; |
226 | _p = rb_next(_p); | 269 | _p = key_user_next(_p); |
227 | } | 270 | } |
228 | 271 | ||
229 | return _p; | 272 | return _p; |
@@ -233,7 +276,7 @@ static void *proc_key_users_start(struct seq_file *p, loff_t *_pos) | |||
233 | static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos) | 276 | static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos) |
234 | { | 277 | { |
235 | (*_pos)++; | 278 | (*_pos)++; |
236 | return rb_next((struct rb_node *) v); | 279 | return key_user_next((struct rb_node *) v); |
237 | 280 | ||
238 | } | 281 | } |
239 | 282 | ||
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c index 2f5d89e92b85..276d27882ce8 100644 --- a/security/keys/process_keys.c +++ b/security/keys/process_keys.c | |||
@@ -17,6 +17,7 @@ | |||
17 | #include <linux/fs.h> | 17 | #include <linux/fs.h> |
18 | #include <linux/err.h> | 18 | #include <linux/err.h> |
19 | #include <linux/mutex.h> | 19 | #include <linux/mutex.h> |
20 | #include <linux/user_namespace.h> | ||
20 | #include <asm/uaccess.h> | 21 | #include <asm/uaccess.h> |
21 | #include "internal.h" | 22 | #include "internal.h" |
22 | 23 | ||
@@ -34,6 +35,7 @@ struct key_user root_key_user = { | |||
34 | .nkeys = ATOMIC_INIT(2), | 35 | .nkeys = ATOMIC_INIT(2), |
35 | .nikeys = ATOMIC_INIT(2), | 36 | .nikeys = ATOMIC_INIT(2), |
36 | .uid = 0, | 37 | .uid = 0, |
38 | .user_ns = &init_user_ns, | ||
37 | }; | 39 | }; |
38 | 40 | ||
39 | /*****************************************************************************/ | 41 | /*****************************************************************************/ |
diff --git a/security/keys/request_key.c b/security/keys/request_key.c index 0e04f72ef2d4..22a31582bfaa 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c | |||
@@ -365,7 +365,7 @@ static struct key *construct_key_and_link(struct key_type *type, | |||
365 | 365 | ||
366 | kenter(""); | 366 | kenter(""); |
367 | 367 | ||
368 | user = key_user_lookup(current_fsuid()); | 368 | user = key_user_lookup(current_fsuid(), current_user_ns()); |
369 | if (!user) | 369 | if (!user) |
370 | return ERR_PTR(-ENOMEM); | 370 | return ERR_PTR(-ENOMEM); |
371 | 371 | ||
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index eb41f43e2772..7f9b5fac8779 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
@@ -88,17 +88,16 @@ struct avc_entry { | |||
88 | u32 tsid; | 88 | u32 tsid; |
89 | u16 tclass; | 89 | u16 tclass; |
90 | struct av_decision avd; | 90 | struct av_decision avd; |
91 | atomic_t used; /* used recently */ | ||
92 | }; | 91 | }; |
93 | 92 | ||
94 | struct avc_node { | 93 | struct avc_node { |
95 | struct avc_entry ae; | 94 | struct avc_entry ae; |
96 | struct list_head list; | 95 | struct hlist_node list; /* anchored in avc_cache->slots[i] */ |
97 | struct rcu_head rhead; | 96 | struct rcu_head rhead; |
98 | }; | 97 | }; |
99 | 98 | ||
100 | struct avc_cache { | 99 | struct avc_cache { |
101 | struct list_head slots[AVC_CACHE_SLOTS]; | 100 | struct hlist_head slots[AVC_CACHE_SLOTS]; /* head for avc_node->list */ |
102 | spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */ | 101 | spinlock_t slots_lock[AVC_CACHE_SLOTS]; /* lock for writes */ |
103 | atomic_t lru_hint; /* LRU hint for reclaim scan */ | 102 | atomic_t lru_hint; /* LRU hint for reclaim scan */ |
104 | atomic_t active_nodes; | 103 | atomic_t active_nodes; |
@@ -234,7 +233,7 @@ void __init avc_init(void) | |||
234 | int i; | 233 | int i; |
235 | 234 | ||
236 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | 235 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { |
237 | INIT_LIST_HEAD(&avc_cache.slots[i]); | 236 | INIT_HLIST_HEAD(&avc_cache.slots[i]); |
238 | spin_lock_init(&avc_cache.slots_lock[i]); | 237 | spin_lock_init(&avc_cache.slots_lock[i]); |
239 | } | 238 | } |
240 | atomic_set(&avc_cache.active_nodes, 0); | 239 | atomic_set(&avc_cache.active_nodes, 0); |
@@ -250,16 +249,20 @@ int avc_get_hash_stats(char *page) | |||
250 | { | 249 | { |
251 | int i, chain_len, max_chain_len, slots_used; | 250 | int i, chain_len, max_chain_len, slots_used; |
252 | struct avc_node *node; | 251 | struct avc_node *node; |
252 | struct hlist_head *head; | ||
253 | 253 | ||
254 | rcu_read_lock(); | 254 | rcu_read_lock(); |
255 | 255 | ||
256 | slots_used = 0; | 256 | slots_used = 0; |
257 | max_chain_len = 0; | 257 | max_chain_len = 0; |
258 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | 258 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { |
259 | if (!list_empty(&avc_cache.slots[i])) { | 259 | head = &avc_cache.slots[i]; |
260 | if (!hlist_empty(head)) { | ||
261 | struct hlist_node *next; | ||
262 | |||
260 | slots_used++; | 263 | slots_used++; |
261 | chain_len = 0; | 264 | chain_len = 0; |
262 | list_for_each_entry_rcu(node, &avc_cache.slots[i], list) | 265 | hlist_for_each_entry_rcu(node, next, head, list) |
263 | chain_len++; | 266 | chain_len++; |
264 | if (chain_len > max_chain_len) | 267 | if (chain_len > max_chain_len) |
265 | max_chain_len = chain_len; | 268 | max_chain_len = chain_len; |
@@ -283,7 +286,7 @@ static void avc_node_free(struct rcu_head *rhead) | |||
283 | 286 | ||
284 | static void avc_node_delete(struct avc_node *node) | 287 | static void avc_node_delete(struct avc_node *node) |
285 | { | 288 | { |
286 | list_del_rcu(&node->list); | 289 | hlist_del_rcu(&node->list); |
287 | call_rcu(&node->rhead, avc_node_free); | 290 | call_rcu(&node->rhead, avc_node_free); |
288 | atomic_dec(&avc_cache.active_nodes); | 291 | atomic_dec(&avc_cache.active_nodes); |
289 | } | 292 | } |
@@ -297,7 +300,7 @@ static void avc_node_kill(struct avc_node *node) | |||
297 | 300 | ||
298 | static void avc_node_replace(struct avc_node *new, struct avc_node *old) | 301 | static void avc_node_replace(struct avc_node *new, struct avc_node *old) |
299 | { | 302 | { |
300 | list_replace_rcu(&old->list, &new->list); | 303 | hlist_replace_rcu(&old->list, &new->list); |
301 | call_rcu(&old->rhead, avc_node_free); | 304 | call_rcu(&old->rhead, avc_node_free); |
302 | atomic_dec(&avc_cache.active_nodes); | 305 | atomic_dec(&avc_cache.active_nodes); |
303 | } | 306 | } |
@@ -307,29 +310,31 @@ static inline int avc_reclaim_node(void) | |||
307 | struct avc_node *node; | 310 | struct avc_node *node; |
308 | int hvalue, try, ecx; | 311 | int hvalue, try, ecx; |
309 | unsigned long flags; | 312 | unsigned long flags; |
313 | struct hlist_head *head; | ||
314 | struct hlist_node *next; | ||
315 | spinlock_t *lock; | ||
310 | 316 | ||
311 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { | 317 | for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) { |
312 | hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); | 318 | hvalue = atomic_inc_return(&avc_cache.lru_hint) & (AVC_CACHE_SLOTS - 1); |
319 | head = &avc_cache.slots[hvalue]; | ||
320 | lock = &avc_cache.slots_lock[hvalue]; | ||
313 | 321 | ||
314 | if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) | 322 | if (!spin_trylock_irqsave(lock, flags)) |
315 | continue; | 323 | continue; |
316 | 324 | ||
317 | rcu_read_lock(); | 325 | rcu_read_lock(); |
318 | list_for_each_entry(node, &avc_cache.slots[hvalue], list) { | 326 | hlist_for_each_entry(node, next, head, list) { |
319 | if (atomic_dec_and_test(&node->ae.used)) { | 327 | avc_node_delete(node); |
320 | /* Recently Unused */ | 328 | avc_cache_stats_incr(reclaims); |
321 | avc_node_delete(node); | 329 | ecx++; |
322 | avc_cache_stats_incr(reclaims); | 330 | if (ecx >= AVC_CACHE_RECLAIM) { |
323 | ecx++; | 331 | rcu_read_unlock(); |
324 | if (ecx >= AVC_CACHE_RECLAIM) { | 332 | spin_unlock_irqrestore(lock, flags); |
325 | rcu_read_unlock(); | 333 | goto out; |
326 | spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags); | ||
327 | goto out; | ||
328 | } | ||
329 | } | 334 | } |
330 | } | 335 | } |
331 | rcu_read_unlock(); | 336 | rcu_read_unlock(); |
332 | spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags); | 337 | spin_unlock_irqrestore(lock, flags); |
333 | } | 338 | } |
334 | out: | 339 | out: |
335 | return ecx; | 340 | return ecx; |
@@ -344,8 +349,7 @@ static struct avc_node *avc_alloc_node(void) | |||
344 | goto out; | 349 | goto out; |
345 | 350 | ||
346 | INIT_RCU_HEAD(&node->rhead); | 351 | INIT_RCU_HEAD(&node->rhead); |
347 | INIT_LIST_HEAD(&node->list); | 352 | INIT_HLIST_NODE(&node->list); |
348 | atomic_set(&node->ae.used, 1); | ||
349 | avc_cache_stats_incr(allocations); | 353 | avc_cache_stats_incr(allocations); |
350 | 354 | ||
351 | if (atomic_inc_return(&avc_cache.active_nodes) > avc_cache_threshold) | 355 | if (atomic_inc_return(&avc_cache.active_nodes) > avc_cache_threshold) |
@@ -355,21 +359,24 @@ out: | |||
355 | return node; | 359 | return node; |
356 | } | 360 | } |
357 | 361 | ||
358 | static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct avc_entry *ae) | 362 | static void avc_node_populate(struct avc_node *node, u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) |
359 | { | 363 | { |
360 | node->ae.ssid = ssid; | 364 | node->ae.ssid = ssid; |
361 | node->ae.tsid = tsid; | 365 | node->ae.tsid = tsid; |
362 | node->ae.tclass = tclass; | 366 | node->ae.tclass = tclass; |
363 | memcpy(&node->ae.avd, &ae->avd, sizeof(node->ae.avd)); | 367 | memcpy(&node->ae.avd, avd, sizeof(node->ae.avd)); |
364 | } | 368 | } |
365 | 369 | ||
366 | static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) | 370 | static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) |
367 | { | 371 | { |
368 | struct avc_node *node, *ret = NULL; | 372 | struct avc_node *node, *ret = NULL; |
369 | int hvalue; | 373 | int hvalue; |
374 | struct hlist_head *head; | ||
375 | struct hlist_node *next; | ||
370 | 376 | ||
371 | hvalue = avc_hash(ssid, tsid, tclass); | 377 | hvalue = avc_hash(ssid, tsid, tclass); |
372 | list_for_each_entry_rcu(node, &avc_cache.slots[hvalue], list) { | 378 | head = &avc_cache.slots[hvalue]; |
379 | hlist_for_each_entry_rcu(node, next, head, list) { | ||
373 | if (ssid == node->ae.ssid && | 380 | if (ssid == node->ae.ssid && |
374 | tclass == node->ae.tclass && | 381 | tclass == node->ae.tclass && |
375 | tsid == node->ae.tsid) { | 382 | tsid == node->ae.tsid) { |
@@ -378,15 +385,6 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass) | |||
378 | } | 385 | } |
379 | } | 386 | } |
380 | 387 | ||
381 | if (ret == NULL) { | ||
382 | /* cache miss */ | ||
383 | goto out; | ||
384 | } | ||
385 | |||
386 | /* cache hit */ | ||
387 | if (atomic_read(&ret->ae.used) != 1) | ||
388 | atomic_set(&ret->ae.used, 1); | ||
389 | out: | ||
390 | return ret; | 388 | return ret; |
391 | } | 389 | } |
392 | 390 | ||
@@ -395,30 +393,25 @@ out: | |||
395 | * @ssid: source security identifier | 393 | * @ssid: source security identifier |
396 | * @tsid: target security identifier | 394 | * @tsid: target security identifier |
397 | * @tclass: target security class | 395 | * @tclass: target security class |
398 | * @requested: requested permissions, interpreted based on @tclass | ||
399 | * | 396 | * |
400 | * Look up an AVC entry that is valid for the | 397 | * Look up an AVC entry that is valid for the |
401 | * @requested permissions between the SID pair | ||
402 | * (@ssid, @tsid), interpreting the permissions | 398 | * (@ssid, @tsid), interpreting the permissions |
403 | * based on @tclass. If a valid AVC entry exists, | 399 | * based on @tclass. If a valid AVC entry exists, |
404 | * then this function return the avc_node. | 400 | * then this function return the avc_node. |
405 | * Otherwise, this function returns NULL. | 401 | * Otherwise, this function returns NULL. |
406 | */ | 402 | */ |
407 | static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass, u32 requested) | 403 | static struct avc_node *avc_lookup(u32 ssid, u32 tsid, u16 tclass) |
408 | { | 404 | { |
409 | struct avc_node *node; | 405 | struct avc_node *node; |
410 | 406 | ||
411 | avc_cache_stats_incr(lookups); | 407 | avc_cache_stats_incr(lookups); |
412 | node = avc_search_node(ssid, tsid, tclass); | 408 | node = avc_search_node(ssid, tsid, tclass); |
413 | 409 | ||
414 | if (node && ((node->ae.avd.decided & requested) == requested)) { | 410 | if (node) |
415 | avc_cache_stats_incr(hits); | 411 | avc_cache_stats_incr(hits); |
416 | goto out; | 412 | else |
417 | } | 413 | avc_cache_stats_incr(misses); |
418 | 414 | ||
419 | node = NULL; | ||
420 | avc_cache_stats_incr(misses); | ||
421 | out: | ||
422 | return node; | 415 | return node; |
423 | } | 416 | } |
424 | 417 | ||
@@ -449,34 +442,41 @@ static int avc_latest_notif_update(int seqno, int is_insert) | |||
449 | * @ssid: source security identifier | 442 | * @ssid: source security identifier |
450 | * @tsid: target security identifier | 443 | * @tsid: target security identifier |
451 | * @tclass: target security class | 444 | * @tclass: target security class |
452 | * @ae: AVC entry | 445 | * @avd: resulting av decision |
453 | * | 446 | * |
454 | * Insert an AVC entry for the SID pair | 447 | * Insert an AVC entry for the SID pair |
455 | * (@ssid, @tsid) and class @tclass. | 448 | * (@ssid, @tsid) and class @tclass. |
456 | * The access vectors and the sequence number are | 449 | * The access vectors and the sequence number are |
457 | * normally provided by the security server in | 450 | * normally provided by the security server in |
458 | * response to a security_compute_av() call. If the | 451 | * response to a security_compute_av() call. If the |
459 | * sequence number @ae->avd.seqno is not less than the latest | 452 | * sequence number @avd->seqno is not less than the latest |
460 | * revocation notification, then the function copies | 453 | * revocation notification, then the function copies |
461 | * the access vectors into a cache entry, returns | 454 | * the access vectors into a cache entry, returns |
462 | * avc_node inserted. Otherwise, this function returns NULL. | 455 | * avc_node inserted. Otherwise, this function returns NULL. |
463 | */ | 456 | */ |
464 | static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_entry *ae) | 457 | static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct av_decision *avd) |
465 | { | 458 | { |
466 | struct avc_node *pos, *node = NULL; | 459 | struct avc_node *pos, *node = NULL; |
467 | int hvalue; | 460 | int hvalue; |
468 | unsigned long flag; | 461 | unsigned long flag; |
469 | 462 | ||
470 | if (avc_latest_notif_update(ae->avd.seqno, 1)) | 463 | if (avc_latest_notif_update(avd->seqno, 1)) |
471 | goto out; | 464 | goto out; |
472 | 465 | ||
473 | node = avc_alloc_node(); | 466 | node = avc_alloc_node(); |
474 | if (node) { | 467 | if (node) { |
468 | struct hlist_head *head; | ||
469 | struct hlist_node *next; | ||
470 | spinlock_t *lock; | ||
471 | |||
475 | hvalue = avc_hash(ssid, tsid, tclass); | 472 | hvalue = avc_hash(ssid, tsid, tclass); |
476 | avc_node_populate(node, ssid, tsid, tclass, ae); | 473 | avc_node_populate(node, ssid, tsid, tclass, avd); |
474 | |||
475 | head = &avc_cache.slots[hvalue]; | ||
476 | lock = &avc_cache.slots_lock[hvalue]; | ||
477 | 477 | ||
478 | spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); | 478 | spin_lock_irqsave(lock, flag); |
479 | list_for_each_entry(pos, &avc_cache.slots[hvalue], list) { | 479 | hlist_for_each_entry(pos, next, head, list) { |
480 | if (pos->ae.ssid == ssid && | 480 | if (pos->ae.ssid == ssid && |
481 | pos->ae.tsid == tsid && | 481 | pos->ae.tsid == tsid && |
482 | pos->ae.tclass == tclass) { | 482 | pos->ae.tclass == tclass) { |
@@ -484,9 +484,9 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct avc_en | |||
484 | goto found; | 484 | goto found; |
485 | } | 485 | } |
486 | } | 486 | } |
487 | list_add_rcu(&node->list, &avc_cache.slots[hvalue]); | 487 | hlist_add_head_rcu(&node->list, head); |
488 | found: | 488 | found: |
489 | spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flag); | 489 | spin_unlock_irqrestore(lock, flag); |
490 | } | 490 | } |
491 | out: | 491 | out: |
492 | return node; | 492 | return node; |
@@ -742,17 +742,22 @@ static inline int avc_sidcmp(u32 x, u32 y) | |||
742 | * @event : Updating event | 742 | * @event : Updating event |
743 | * @perms : Permission mask bits | 743 | * @perms : Permission mask bits |
744 | * @ssid,@tsid,@tclass : identifier of an AVC entry | 744 | * @ssid,@tsid,@tclass : identifier of an AVC entry |
745 | * @seqno : sequence number when decision was made | ||
745 | * | 746 | * |
746 | * if a valid AVC entry doesn't exist,this function returns -ENOENT. | 747 | * if a valid AVC entry doesn't exist,this function returns -ENOENT. |
747 | * if kmalloc() called internal returns NULL, this function returns -ENOMEM. | 748 | * if kmalloc() called internal returns NULL, this function returns -ENOMEM. |
748 | * otherwise, this function update the AVC entry. The original AVC-entry object | 749 | * otherwise, this function update the AVC entry. The original AVC-entry object |
749 | * will release later by RCU. | 750 | * will release later by RCU. |
750 | */ | 751 | */ |
751 | static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass) | 752 | static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass, |
753 | u32 seqno) | ||
752 | { | 754 | { |
753 | int hvalue, rc = 0; | 755 | int hvalue, rc = 0; |
754 | unsigned long flag; | 756 | unsigned long flag; |
755 | struct avc_node *pos, *node, *orig = NULL; | 757 | struct avc_node *pos, *node, *orig = NULL; |
758 | struct hlist_head *head; | ||
759 | struct hlist_node *next; | ||
760 | spinlock_t *lock; | ||
756 | 761 | ||
757 | node = avc_alloc_node(); | 762 | node = avc_alloc_node(); |
758 | if (!node) { | 763 | if (!node) { |
@@ -762,12 +767,17 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass) | |||
762 | 767 | ||
763 | /* Lock the target slot */ | 768 | /* Lock the target slot */ |
764 | hvalue = avc_hash(ssid, tsid, tclass); | 769 | hvalue = avc_hash(ssid, tsid, tclass); |
765 | spin_lock_irqsave(&avc_cache.slots_lock[hvalue], flag); | ||
766 | 770 | ||
767 | list_for_each_entry(pos, &avc_cache.slots[hvalue], list) { | 771 | head = &avc_cache.slots[hvalue]; |
772 | lock = &avc_cache.slots_lock[hvalue]; | ||
773 | |||
774 | spin_lock_irqsave(lock, flag); | ||
775 | |||
776 | hlist_for_each_entry(pos, next, head, list) { | ||
768 | if (ssid == pos->ae.ssid && | 777 | if (ssid == pos->ae.ssid && |
769 | tsid == pos->ae.tsid && | 778 | tsid == pos->ae.tsid && |
770 | tclass == pos->ae.tclass){ | 779 | tclass == pos->ae.tclass && |
780 | seqno == pos->ae.avd.seqno){ | ||
771 | orig = pos; | 781 | orig = pos; |
772 | break; | 782 | break; |
773 | } | 783 | } |
@@ -783,7 +793,7 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass) | |||
783 | * Copy and replace original node. | 793 | * Copy and replace original node. |
784 | */ | 794 | */ |
785 | 795 | ||
786 | avc_node_populate(node, ssid, tsid, tclass, &orig->ae); | 796 | avc_node_populate(node, ssid, tsid, tclass, &orig->ae.avd); |
787 | 797 | ||
788 | switch (event) { | 798 | switch (event) { |
789 | case AVC_CALLBACK_GRANT: | 799 | case AVC_CALLBACK_GRANT: |
@@ -808,7 +818,7 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass) | |||
808 | } | 818 | } |
809 | avc_node_replace(node, orig); | 819 | avc_node_replace(node, orig); |
810 | out_unlock: | 820 | out_unlock: |
811 | spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flag); | 821 | spin_unlock_irqrestore(lock, flag); |
812 | out: | 822 | out: |
813 | return rc; | 823 | return rc; |
814 | } | 824 | } |
@@ -823,18 +833,24 @@ int avc_ss_reset(u32 seqno) | |||
823 | int i, rc = 0, tmprc; | 833 | int i, rc = 0, tmprc; |
824 | unsigned long flag; | 834 | unsigned long flag; |
825 | struct avc_node *node; | 835 | struct avc_node *node; |
836 | struct hlist_head *head; | ||
837 | struct hlist_node *next; | ||
838 | spinlock_t *lock; | ||
826 | 839 | ||
827 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { | 840 | for (i = 0; i < AVC_CACHE_SLOTS; i++) { |
828 | spin_lock_irqsave(&avc_cache.slots_lock[i], flag); | 841 | head = &avc_cache.slots[i]; |
842 | lock = &avc_cache.slots_lock[i]; | ||
843 | |||
844 | spin_lock_irqsave(lock, flag); | ||
829 | /* | 845 | /* |
830 | * With preemptable RCU, the outer spinlock does not | 846 | * With preemptable RCU, the outer spinlock does not |
831 | * prevent RCU grace periods from ending. | 847 | * prevent RCU grace periods from ending. |
832 | */ | 848 | */ |
833 | rcu_read_lock(); | 849 | rcu_read_lock(); |
834 | list_for_each_entry(node, &avc_cache.slots[i], list) | 850 | hlist_for_each_entry(node, next, head, list) |
835 | avc_node_delete(node); | 851 | avc_node_delete(node); |
836 | rcu_read_unlock(); | 852 | rcu_read_unlock(); |
837 | spin_unlock_irqrestore(&avc_cache.slots_lock[i], flag); | 853 | spin_unlock_irqrestore(lock, flag); |
838 | } | 854 | } |
839 | 855 | ||
840 | for (c = avc_callbacks; c; c = c->next) { | 856 | for (c = avc_callbacks; c; c = c->next) { |
@@ -875,10 +891,10 @@ int avc_ss_reset(u32 seqno) | |||
875 | int avc_has_perm_noaudit(u32 ssid, u32 tsid, | 891 | int avc_has_perm_noaudit(u32 ssid, u32 tsid, |
876 | u16 tclass, u32 requested, | 892 | u16 tclass, u32 requested, |
877 | unsigned flags, | 893 | unsigned flags, |
878 | struct av_decision *avd) | 894 | struct av_decision *in_avd) |
879 | { | 895 | { |
880 | struct avc_node *node; | 896 | struct avc_node *node; |
881 | struct avc_entry entry, *p_ae; | 897 | struct av_decision avd_entry, *avd; |
882 | int rc = 0; | 898 | int rc = 0; |
883 | u32 denied; | 899 | u32 denied; |
884 | 900 | ||
@@ -886,29 +902,34 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid, | |||
886 | 902 | ||
887 | rcu_read_lock(); | 903 | rcu_read_lock(); |
888 | 904 | ||
889 | node = avc_lookup(ssid, tsid, tclass, requested); | 905 | node = avc_lookup(ssid, tsid, tclass); |
890 | if (!node) { | 906 | if (!node) { |
891 | rcu_read_unlock(); | 907 | rcu_read_unlock(); |
892 | rc = security_compute_av(ssid, tsid, tclass, requested, &entry.avd); | 908 | |
909 | if (in_avd) | ||
910 | avd = in_avd; | ||
911 | else | ||
912 | avd = &avd_entry; | ||
913 | |||
914 | rc = security_compute_av(ssid, tsid, tclass, requested, avd); | ||
893 | if (rc) | 915 | if (rc) |
894 | goto out; | 916 | goto out; |
895 | rcu_read_lock(); | 917 | rcu_read_lock(); |
896 | node = avc_insert(ssid, tsid, tclass, &entry); | 918 | node = avc_insert(ssid, tsid, tclass, avd); |
919 | } else { | ||
920 | if (in_avd) | ||
921 | memcpy(in_avd, &node->ae.avd, sizeof(*in_avd)); | ||
922 | avd = &node->ae.avd; | ||
897 | } | 923 | } |
898 | 924 | ||
899 | p_ae = node ? &node->ae : &entry; | 925 | denied = requested & ~(avd->allowed); |
900 | |||
901 | if (avd) | ||
902 | memcpy(avd, &p_ae->avd, sizeof(*avd)); | ||
903 | |||
904 | denied = requested & ~(p_ae->avd.allowed); | ||
905 | 926 | ||
906 | if (denied) { | 927 | if (denied) { |
907 | if (flags & AVC_STRICT) | 928 | if (flags & AVC_STRICT) |
908 | rc = -EACCES; | 929 | rc = -EACCES; |
909 | else if (!selinux_enforcing || security_permissive_sid(ssid)) | 930 | else if (!selinux_enforcing || security_permissive_sid(ssid)) |
910 | avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, | 931 | avc_update_node(AVC_CALLBACK_GRANT, requested, ssid, |
911 | tsid, tclass); | 932 | tsid, tclass, avd->seqno); |
912 | else | 933 | else |
913 | rc = -EACCES; | 934 | rc = -EACCES; |
914 | } | 935 | } |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 00815973d412..7c52ba243c64 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -89,7 +89,7 @@ | |||
89 | #define XATTR_SELINUX_SUFFIX "selinux" | 89 | #define XATTR_SELINUX_SUFFIX "selinux" |
90 | #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX | 90 | #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX |
91 | 91 | ||
92 | #define NUM_SEL_MNT_OPTS 4 | 92 | #define NUM_SEL_MNT_OPTS 5 |
93 | 93 | ||
94 | extern unsigned int policydb_loaded_version; | 94 | extern unsigned int policydb_loaded_version; |
95 | extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); | 95 | extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); |
@@ -353,6 +353,7 @@ enum { | |||
353 | Opt_fscontext = 2, | 353 | Opt_fscontext = 2, |
354 | Opt_defcontext = 3, | 354 | Opt_defcontext = 3, |
355 | Opt_rootcontext = 4, | 355 | Opt_rootcontext = 4, |
356 | Opt_labelsupport = 5, | ||
356 | }; | 357 | }; |
357 | 358 | ||
358 | static const match_table_t tokens = { | 359 | static const match_table_t tokens = { |
@@ -360,6 +361,7 @@ static const match_table_t tokens = { | |||
360 | {Opt_fscontext, FSCONTEXT_STR "%s"}, | 361 | {Opt_fscontext, FSCONTEXT_STR "%s"}, |
361 | {Opt_defcontext, DEFCONTEXT_STR "%s"}, | 362 | {Opt_defcontext, DEFCONTEXT_STR "%s"}, |
362 | {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, | 363 | {Opt_rootcontext, ROOTCONTEXT_STR "%s"}, |
364 | {Opt_labelsupport, LABELSUPP_STR}, | ||
363 | {Opt_error, NULL}, | 365 | {Opt_error, NULL}, |
364 | }; | 366 | }; |
365 | 367 | ||
@@ -431,7 +433,7 @@ static int sb_finish_set_opts(struct super_block *sb) | |||
431 | } | 433 | } |
432 | } | 434 | } |
433 | 435 | ||
434 | sbsec->initialized = 1; | 436 | sbsec->flags |= (SE_SBINITIALIZED | SE_SBLABELSUPP); |
435 | 437 | ||
436 | if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) | 438 | if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) |
437 | printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", | 439 | printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", |
@@ -441,6 +443,12 @@ static int sb_finish_set_opts(struct super_block *sb) | |||
441 | sb->s_id, sb->s_type->name, | 443 | sb->s_id, sb->s_type->name, |
442 | labeling_behaviors[sbsec->behavior-1]); | 444 | labeling_behaviors[sbsec->behavior-1]); |
443 | 445 | ||
446 | if (sbsec->behavior == SECURITY_FS_USE_GENFS || | ||
447 | sbsec->behavior == SECURITY_FS_USE_MNTPOINT || | ||
448 | sbsec->behavior == SECURITY_FS_USE_NONE || | ||
449 | sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) | ||
450 | sbsec->flags &= ~SE_SBLABELSUPP; | ||
451 | |||
444 | /* Initialize the root inode. */ | 452 | /* Initialize the root inode. */ |
445 | rc = inode_doinit_with_dentry(root_inode, root); | 453 | rc = inode_doinit_with_dentry(root_inode, root); |
446 | 454 | ||
@@ -487,23 +495,22 @@ static int selinux_get_mnt_opts(const struct super_block *sb, | |||
487 | 495 | ||
488 | security_init_mnt_opts(opts); | 496 | security_init_mnt_opts(opts); |
489 | 497 | ||
490 | if (!sbsec->initialized) | 498 | if (!(sbsec->flags & SE_SBINITIALIZED)) |
491 | return -EINVAL; | 499 | return -EINVAL; |
492 | 500 | ||
493 | if (!ss_initialized) | 501 | if (!ss_initialized) |
494 | return -EINVAL; | 502 | return -EINVAL; |
495 | 503 | ||
496 | /* | 504 | tmp = sbsec->flags & SE_MNTMASK; |
497 | * if we ever use sbsec flags for anything other than tracking mount | ||
498 | * settings this is going to need a mask | ||
499 | */ | ||
500 | tmp = sbsec->flags; | ||
501 | /* count the number of mount options for this sb */ | 505 | /* count the number of mount options for this sb */ |
502 | for (i = 0; i < 8; i++) { | 506 | for (i = 0; i < 8; i++) { |
503 | if (tmp & 0x01) | 507 | if (tmp & 0x01) |
504 | opts->num_mnt_opts++; | 508 | opts->num_mnt_opts++; |
505 | tmp >>= 1; | 509 | tmp >>= 1; |
506 | } | 510 | } |
511 | /* Check if the Label support flag is set */ | ||
512 | if (sbsec->flags & SE_SBLABELSUPP) | ||
513 | opts->num_mnt_opts++; | ||
507 | 514 | ||
508 | opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); | 515 | opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC); |
509 | if (!opts->mnt_opts) { | 516 | if (!opts->mnt_opts) { |
@@ -549,6 +556,10 @@ static int selinux_get_mnt_opts(const struct super_block *sb, | |||
549 | opts->mnt_opts[i] = context; | 556 | opts->mnt_opts[i] = context; |
550 | opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; | 557 | opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT; |
551 | } | 558 | } |
559 | if (sbsec->flags & SE_SBLABELSUPP) { | ||
560 | opts->mnt_opts[i] = NULL; | ||
561 | opts->mnt_opts_flags[i++] = SE_SBLABELSUPP; | ||
562 | } | ||
552 | 563 | ||
553 | BUG_ON(i != opts->num_mnt_opts); | 564 | BUG_ON(i != opts->num_mnt_opts); |
554 | 565 | ||
@@ -562,8 +573,10 @@ out_free: | |||
562 | static int bad_option(struct superblock_security_struct *sbsec, char flag, | 573 | static int bad_option(struct superblock_security_struct *sbsec, char flag, |
563 | u32 old_sid, u32 new_sid) | 574 | u32 old_sid, u32 new_sid) |
564 | { | 575 | { |
576 | char mnt_flags = sbsec->flags & SE_MNTMASK; | ||
577 | |||
565 | /* check if the old mount command had the same options */ | 578 | /* check if the old mount command had the same options */ |
566 | if (sbsec->initialized) | 579 | if (sbsec->flags & SE_SBINITIALIZED) |
567 | if (!(sbsec->flags & flag) || | 580 | if (!(sbsec->flags & flag) || |
568 | (old_sid != new_sid)) | 581 | (old_sid != new_sid)) |
569 | return 1; | 582 | return 1; |
@@ -571,8 +584,8 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag, | |||
571 | /* check if we were passed the same options twice, | 584 | /* check if we were passed the same options twice, |
572 | * aka someone passed context=a,context=b | 585 | * aka someone passed context=a,context=b |
573 | */ | 586 | */ |
574 | if (!sbsec->initialized) | 587 | if (!(sbsec->flags & SE_SBINITIALIZED)) |
575 | if (sbsec->flags & flag) | 588 | if (mnt_flags & flag) |
576 | return 1; | 589 | return 1; |
577 | return 0; | 590 | return 0; |
578 | } | 591 | } |
@@ -626,7 +639,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
626 | * this sb does not set any security options. (The first options | 639 | * this sb does not set any security options. (The first options |
627 | * will be used for both mounts) | 640 | * will be used for both mounts) |
628 | */ | 641 | */ |
629 | if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) | 642 | if ((sbsec->flags & SE_SBINITIALIZED) && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA) |
630 | && (num_opts == 0)) | 643 | && (num_opts == 0)) |
631 | goto out; | 644 | goto out; |
632 | 645 | ||
@@ -637,6 +650,9 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
637 | */ | 650 | */ |
638 | for (i = 0; i < num_opts; i++) { | 651 | for (i = 0; i < num_opts; i++) { |
639 | u32 sid; | 652 | u32 sid; |
653 | |||
654 | if (flags[i] == SE_SBLABELSUPP) | ||
655 | continue; | ||
640 | rc = security_context_to_sid(mount_options[i], | 656 | rc = security_context_to_sid(mount_options[i], |
641 | strlen(mount_options[i]), &sid); | 657 | strlen(mount_options[i]), &sid); |
642 | if (rc) { | 658 | if (rc) { |
@@ -690,19 +706,19 @@ static int selinux_set_mnt_opts(struct super_block *sb, | |||
690 | } | 706 | } |
691 | } | 707 | } |
692 | 708 | ||
693 | if (sbsec->initialized) { | 709 | if (sbsec->flags & SE_SBINITIALIZED) { |
694 | /* previously mounted with options, but not on this attempt? */ | 710 | /* previously mounted with options, but not on this attempt? */ |
695 | if (sbsec->flags && !num_opts) | 711 | if ((sbsec->flags & SE_MNTMASK) && !num_opts) |
696 | goto out_double_mount; | 712 | goto out_double_mount; |
697 | rc = 0; | 713 | rc = 0; |
698 | goto out; | 714 | goto out; |
699 | } | 715 | } |
700 | 716 | ||
701 | if (strcmp(sb->s_type->name, "proc") == 0) | 717 | if (strcmp(sb->s_type->name, "proc") == 0) |
702 | sbsec->proc = 1; | 718 | sbsec->flags |= SE_SBPROC; |
703 | 719 | ||
704 | /* Determine the labeling behavior to use for this filesystem type. */ | 720 | /* Determine the labeling behavior to use for this filesystem type. */ |
705 | rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); | 721 | rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid); |
706 | if (rc) { | 722 | if (rc) { |
707 | printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", | 723 | printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n", |
708 | __func__, sb->s_type->name, rc); | 724 | __func__, sb->s_type->name, rc); |
@@ -806,10 +822,10 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb, | |||
806 | } | 822 | } |
807 | 823 | ||
808 | /* how can we clone if the old one wasn't set up?? */ | 824 | /* how can we clone if the old one wasn't set up?? */ |
809 | BUG_ON(!oldsbsec->initialized); | 825 | BUG_ON(!(oldsbsec->flags & SE_SBINITIALIZED)); |
810 | 826 | ||
811 | /* if fs is reusing a sb, just let its options stand... */ | 827 | /* if fs is reusing a sb, just let its options stand... */ |
812 | if (newsbsec->initialized) | 828 | if (newsbsec->flags & SE_SBINITIALIZED) |
813 | return; | 829 | return; |
814 | 830 | ||
815 | mutex_lock(&newsbsec->lock); | 831 | mutex_lock(&newsbsec->lock); |
@@ -917,7 +933,8 @@ static int selinux_parse_opts_str(char *options, | |||
917 | goto out_err; | 933 | goto out_err; |
918 | } | 934 | } |
919 | break; | 935 | break; |
920 | 936 | case Opt_labelsupport: | |
937 | break; | ||
921 | default: | 938 | default: |
922 | rc = -EINVAL; | 939 | rc = -EINVAL; |
923 | printk(KERN_WARNING "SELinux: unknown mount option\n"); | 940 | printk(KERN_WARNING "SELinux: unknown mount option\n"); |
@@ -999,7 +1016,12 @@ static void selinux_write_opts(struct seq_file *m, | |||
999 | char *prefix; | 1016 | char *prefix; |
1000 | 1017 | ||
1001 | for (i = 0; i < opts->num_mnt_opts; i++) { | 1018 | for (i = 0; i < opts->num_mnt_opts; i++) { |
1002 | char *has_comma = strchr(opts->mnt_opts[i], ','); | 1019 | char *has_comma; |
1020 | |||
1021 | if (opts->mnt_opts[i]) | ||
1022 | has_comma = strchr(opts->mnt_opts[i], ','); | ||
1023 | else | ||
1024 | has_comma = NULL; | ||
1003 | 1025 | ||
1004 | switch (opts->mnt_opts_flags[i]) { | 1026 | switch (opts->mnt_opts_flags[i]) { |
1005 | case CONTEXT_MNT: | 1027 | case CONTEXT_MNT: |
@@ -1014,6 +1036,10 @@ static void selinux_write_opts(struct seq_file *m, | |||
1014 | case DEFCONTEXT_MNT: | 1036 | case DEFCONTEXT_MNT: |
1015 | prefix = DEFCONTEXT_STR; | 1037 | prefix = DEFCONTEXT_STR; |
1016 | break; | 1038 | break; |
1039 | case SE_SBLABELSUPP: | ||
1040 | seq_putc(m, ','); | ||
1041 | seq_puts(m, LABELSUPP_STR); | ||
1042 | continue; | ||
1017 | default: | 1043 | default: |
1018 | BUG(); | 1044 | BUG(); |
1019 | }; | 1045 | }; |
@@ -1209,7 +1235,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1209 | goto out_unlock; | 1235 | goto out_unlock; |
1210 | 1236 | ||
1211 | sbsec = inode->i_sb->s_security; | 1237 | sbsec = inode->i_sb->s_security; |
1212 | if (!sbsec->initialized) { | 1238 | if (!(sbsec->flags & SE_SBINITIALIZED)) { |
1213 | /* Defer initialization until selinux_complete_init, | 1239 | /* Defer initialization until selinux_complete_init, |
1214 | after the initial policy is loaded and the security | 1240 | after the initial policy is loaded and the security |
1215 | server is ready to handle calls. */ | 1241 | server is ready to handle calls. */ |
@@ -1237,19 +1263,26 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1237 | dentry = d_find_alias(inode); | 1263 | dentry = d_find_alias(inode); |
1238 | } | 1264 | } |
1239 | if (!dentry) { | 1265 | if (!dentry) { |
1240 | printk(KERN_WARNING "SELinux: %s: no dentry for dev=%s " | 1266 | /* |
1241 | "ino=%ld\n", __func__, inode->i_sb->s_id, | 1267 | * this is can be hit on boot when a file is accessed |
1242 | inode->i_ino); | 1268 | * before the policy is loaded. When we load policy we |
1269 | * may find inodes that have no dentry on the | ||
1270 | * sbsec->isec_head list. No reason to complain as these | ||
1271 | * will get fixed up the next time we go through | ||
1272 | * inode_doinit with a dentry, before these inodes could | ||
1273 | * be used again by userspace. | ||
1274 | */ | ||
1243 | goto out_unlock; | 1275 | goto out_unlock; |
1244 | } | 1276 | } |
1245 | 1277 | ||
1246 | len = INITCONTEXTLEN; | 1278 | len = INITCONTEXTLEN; |
1247 | context = kmalloc(len, GFP_NOFS); | 1279 | context = kmalloc(len+1, GFP_NOFS); |
1248 | if (!context) { | 1280 | if (!context) { |
1249 | rc = -ENOMEM; | 1281 | rc = -ENOMEM; |
1250 | dput(dentry); | 1282 | dput(dentry); |
1251 | goto out_unlock; | 1283 | goto out_unlock; |
1252 | } | 1284 | } |
1285 | context[len] = '\0'; | ||
1253 | rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, | 1286 | rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX, |
1254 | context, len); | 1287 | context, len); |
1255 | if (rc == -ERANGE) { | 1288 | if (rc == -ERANGE) { |
@@ -1262,12 +1295,13 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1262 | } | 1295 | } |
1263 | kfree(context); | 1296 | kfree(context); |
1264 | len = rc; | 1297 | len = rc; |
1265 | context = kmalloc(len, GFP_NOFS); | 1298 | context = kmalloc(len+1, GFP_NOFS); |
1266 | if (!context) { | 1299 | if (!context) { |
1267 | rc = -ENOMEM; | 1300 | rc = -ENOMEM; |
1268 | dput(dentry); | 1301 | dput(dentry); |
1269 | goto out_unlock; | 1302 | goto out_unlock; |
1270 | } | 1303 | } |
1304 | context[len] = '\0'; | ||
1271 | rc = inode->i_op->getxattr(dentry, | 1305 | rc = inode->i_op->getxattr(dentry, |
1272 | XATTR_NAME_SELINUX, | 1306 | XATTR_NAME_SELINUX, |
1273 | context, len); | 1307 | context, len); |
@@ -1289,10 +1323,19 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1289 | sbsec->def_sid, | 1323 | sbsec->def_sid, |
1290 | GFP_NOFS); | 1324 | GFP_NOFS); |
1291 | if (rc) { | 1325 | if (rc) { |
1292 | printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " | 1326 | char *dev = inode->i_sb->s_id; |
1293 | "returned %d for dev=%s ino=%ld\n", | 1327 | unsigned long ino = inode->i_ino; |
1294 | __func__, context, -rc, | 1328 | |
1295 | inode->i_sb->s_id, inode->i_ino); | 1329 | if (rc == -EINVAL) { |
1330 | if (printk_ratelimit()) | ||
1331 | printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " | ||
1332 | "context=%s. This indicates you may need to relabel the inode or the " | ||
1333 | "filesystem in question.\n", ino, dev, context); | ||
1334 | } else { | ||
1335 | printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " | ||
1336 | "returned %d for dev=%s ino=%ld\n", | ||
1337 | __func__, context, -rc, dev, ino); | ||
1338 | } | ||
1296 | kfree(context); | 1339 | kfree(context); |
1297 | /* Leave with the unlabeled SID */ | 1340 | /* Leave with the unlabeled SID */ |
1298 | rc = 0; | 1341 | rc = 0; |
@@ -1326,7 +1369,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1326 | /* Default to the fs superblock SID. */ | 1369 | /* Default to the fs superblock SID. */ |
1327 | isec->sid = sbsec->sid; | 1370 | isec->sid = sbsec->sid; |
1328 | 1371 | ||
1329 | if (sbsec->proc && !S_ISLNK(inode->i_mode)) { | 1372 | if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { |
1330 | struct proc_inode *proci = PROC_I(inode); | 1373 | struct proc_inode *proci = PROC_I(inode); |
1331 | if (proci->pde) { | 1374 | if (proci->pde) { |
1332 | isec->sclass = inode_mode_to_security_class(inode->i_mode); | 1375 | isec->sclass = inode_mode_to_security_class(inode->i_mode); |
@@ -1587,7 +1630,7 @@ static int may_create(struct inode *dir, | |||
1587 | if (rc) | 1630 | if (rc) |
1588 | return rc; | 1631 | return rc; |
1589 | 1632 | ||
1590 | if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) { | 1633 | if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { |
1591 | rc = security_transition_sid(sid, dsec->sid, tclass, &newsid); | 1634 | rc = security_transition_sid(sid, dsec->sid, tclass, &newsid); |
1592 | if (rc) | 1635 | if (rc) |
1593 | return rc; | 1636 | return rc; |
@@ -1801,6 +1844,8 @@ static inline u32 open_file_to_av(struct file *file) | |||
1801 | av |= FIFO_FILE__OPEN; | 1844 | av |= FIFO_FILE__OPEN; |
1802 | else if (S_ISDIR(mode)) | 1845 | else if (S_ISDIR(mode)) |
1803 | av |= DIR__OPEN; | 1846 | av |= DIR__OPEN; |
1847 | else if (S_ISSOCK(mode)) | ||
1848 | av |= SOCK_FILE__OPEN; | ||
1804 | else | 1849 | else |
1805 | printk(KERN_ERR "SELinux: WARNING: inside %s with " | 1850 | printk(KERN_ERR "SELinux: WARNING: inside %s with " |
1806 | "unknown mode:%o\n", __func__, mode); | 1851 | "unknown mode:%o\n", __func__, mode); |
@@ -1815,7 +1860,7 @@ static int selinux_ptrace_may_access(struct task_struct *child, | |||
1815 | { | 1860 | { |
1816 | int rc; | 1861 | int rc; |
1817 | 1862 | ||
1818 | rc = secondary_ops->ptrace_may_access(child, mode); | 1863 | rc = cap_ptrace_may_access(child, mode); |
1819 | if (rc) | 1864 | if (rc) |
1820 | return rc; | 1865 | return rc; |
1821 | 1866 | ||
@@ -1832,7 +1877,7 @@ static int selinux_ptrace_traceme(struct task_struct *parent) | |||
1832 | { | 1877 | { |
1833 | int rc; | 1878 | int rc; |
1834 | 1879 | ||
1835 | rc = secondary_ops->ptrace_traceme(parent); | 1880 | rc = cap_ptrace_traceme(parent); |
1836 | if (rc) | 1881 | if (rc) |
1837 | return rc; | 1882 | return rc; |
1838 | 1883 | ||
@@ -1848,7 +1893,7 @@ static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, | |||
1848 | if (error) | 1893 | if (error) |
1849 | return error; | 1894 | return error; |
1850 | 1895 | ||
1851 | return secondary_ops->capget(target, effective, inheritable, permitted); | 1896 | return cap_capget(target, effective, inheritable, permitted); |
1852 | } | 1897 | } |
1853 | 1898 | ||
1854 | static int selinux_capset(struct cred *new, const struct cred *old, | 1899 | static int selinux_capset(struct cred *new, const struct cred *old, |
@@ -1858,7 +1903,7 @@ static int selinux_capset(struct cred *new, const struct cred *old, | |||
1858 | { | 1903 | { |
1859 | int error; | 1904 | int error; |
1860 | 1905 | ||
1861 | error = secondary_ops->capset(new, old, | 1906 | error = cap_capset(new, old, |
1862 | effective, inheritable, permitted); | 1907 | effective, inheritable, permitted); |
1863 | if (error) | 1908 | if (error) |
1864 | return error; | 1909 | return error; |
@@ -1866,12 +1911,22 @@ static int selinux_capset(struct cred *new, const struct cred *old, | |||
1866 | return cred_has_perm(old, new, PROCESS__SETCAP); | 1911 | return cred_has_perm(old, new, PROCESS__SETCAP); |
1867 | } | 1912 | } |
1868 | 1913 | ||
1914 | /* | ||
1915 | * (This comment used to live with the selinux_task_setuid hook, | ||
1916 | * which was removed). | ||
1917 | * | ||
1918 | * Since setuid only affects the current process, and since the SELinux | ||
1919 | * controls are not based on the Linux identity attributes, SELinux does not | ||
1920 | * need to control this operation. However, SELinux does control the use of | ||
1921 | * the CAP_SETUID and CAP_SETGID capabilities using the capable hook. | ||
1922 | */ | ||
1923 | |||
1869 | static int selinux_capable(struct task_struct *tsk, const struct cred *cred, | 1924 | static int selinux_capable(struct task_struct *tsk, const struct cred *cred, |
1870 | int cap, int audit) | 1925 | int cap, int audit) |
1871 | { | 1926 | { |
1872 | int rc; | 1927 | int rc; |
1873 | 1928 | ||
1874 | rc = secondary_ops->capable(tsk, cred, cap, audit); | 1929 | rc = cap_capable(tsk, cred, cap, audit); |
1875 | if (rc) | 1930 | if (rc) |
1876 | return rc; | 1931 | return rc; |
1877 | 1932 | ||
@@ -1997,7 +2052,7 @@ static int selinux_syslog(int type) | |||
1997 | { | 2052 | { |
1998 | int rc; | 2053 | int rc; |
1999 | 2054 | ||
2000 | rc = secondary_ops->syslog(type); | 2055 | rc = cap_syslog(type); |
2001 | if (rc) | 2056 | if (rc) |
2002 | return rc; | 2057 | return rc; |
2003 | 2058 | ||
@@ -2028,10 +2083,6 @@ static int selinux_syslog(int type) | |||
2028 | * mapping. 0 means there is enough memory for the allocation to | 2083 | * mapping. 0 means there is enough memory for the allocation to |
2029 | * succeed and -ENOMEM implies there is not. | 2084 | * succeed and -ENOMEM implies there is not. |
2030 | * | 2085 | * |
2031 | * Note that secondary_ops->capable and task_has_perm_noaudit return 0 | ||
2032 | * if the capability is granted, but __vm_enough_memory requires 1 if | ||
2033 | * the capability is granted. | ||
2034 | * | ||
2035 | * Do not audit the selinux permission check, as this is applied to all | 2086 | * Do not audit the selinux permission check, as this is applied to all |
2036 | * processes that allocate mappings. | 2087 | * processes that allocate mappings. |
2037 | */ | 2088 | */ |
@@ -2058,7 +2109,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
2058 | struct inode *inode = bprm->file->f_path.dentry->d_inode; | 2109 | struct inode *inode = bprm->file->f_path.dentry->d_inode; |
2059 | int rc; | 2110 | int rc; |
2060 | 2111 | ||
2061 | rc = secondary_ops->bprm_set_creds(bprm); | 2112 | rc = cap_bprm_set_creds(bprm); |
2062 | if (rc) | 2113 | if (rc) |
2063 | return rc; | 2114 | return rc; |
2064 | 2115 | ||
@@ -2156,11 +2207,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
2156 | return 0; | 2207 | return 0; |
2157 | } | 2208 | } |
2158 | 2209 | ||
2159 | static int selinux_bprm_check_security(struct linux_binprm *bprm) | ||
2160 | { | ||
2161 | return secondary_ops->bprm_check_security(bprm); | ||
2162 | } | ||
2163 | |||
2164 | static int selinux_bprm_secureexec(struct linux_binprm *bprm) | 2210 | static int selinux_bprm_secureexec(struct linux_binprm *bprm) |
2165 | { | 2211 | { |
2166 | const struct cred *cred = current_cred(); | 2212 | const struct cred *cred = current_cred(); |
@@ -2180,7 +2226,7 @@ static int selinux_bprm_secureexec(struct linux_binprm *bprm) | |||
2180 | PROCESS__NOATSECURE, NULL); | 2226 | PROCESS__NOATSECURE, NULL); |
2181 | } | 2227 | } |
2182 | 2228 | ||
2183 | return (atsecure || secondary_ops->bprm_secureexec(bprm)); | 2229 | return (atsecure || cap_bprm_secureexec(bprm)); |
2184 | } | 2230 | } |
2185 | 2231 | ||
2186 | extern struct vfsmount *selinuxfs_mount; | 2232 | extern struct vfsmount *selinuxfs_mount; |
@@ -2290,8 +2336,6 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm) | |||
2290 | struct rlimit *rlim, *initrlim; | 2336 | struct rlimit *rlim, *initrlim; |
2291 | int rc, i; | 2337 | int rc, i; |
2292 | 2338 | ||
2293 | secondary_ops->bprm_committing_creds(bprm); | ||
2294 | |||
2295 | new_tsec = bprm->cred->security; | 2339 | new_tsec = bprm->cred->security; |
2296 | if (new_tsec->sid == new_tsec->osid) | 2340 | if (new_tsec->sid == new_tsec->osid) |
2297 | return; | 2341 | return; |
@@ -2337,8 +2381,6 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm) | |||
2337 | int rc, i; | 2381 | int rc, i; |
2338 | unsigned long flags; | 2382 | unsigned long flags; |
2339 | 2383 | ||
2340 | secondary_ops->bprm_committed_creds(bprm); | ||
2341 | |||
2342 | osid = tsec->osid; | 2384 | osid = tsec->osid; |
2343 | sid = tsec->sid; | 2385 | sid = tsec->sid; |
2344 | 2386 | ||
@@ -2400,7 +2442,8 @@ static inline int selinux_option(char *option, int len) | |||
2400 | return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || | 2442 | return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) || |
2401 | match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || | 2443 | match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) || |
2402 | match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || | 2444 | match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) || |
2403 | match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len)); | 2445 | match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len) || |
2446 | match_prefix(LABELSUPP_STR, sizeof(LABELSUPP_STR)-1, option, len)); | ||
2404 | } | 2447 | } |
2405 | 2448 | ||
2406 | static inline void take_option(char **to, char *from, int *first, int len) | 2449 | static inline void take_option(char **to, char *from, int *first, int len) |
@@ -2513,11 +2556,6 @@ static int selinux_mount(char *dev_name, | |||
2513 | void *data) | 2556 | void *data) |
2514 | { | 2557 | { |
2515 | const struct cred *cred = current_cred(); | 2558 | const struct cred *cred = current_cred(); |
2516 | int rc; | ||
2517 | |||
2518 | rc = secondary_ops->sb_mount(dev_name, path, type, flags, data); | ||
2519 | if (rc) | ||
2520 | return rc; | ||
2521 | 2559 | ||
2522 | if (flags & MS_REMOUNT) | 2560 | if (flags & MS_REMOUNT) |
2523 | return superblock_has_perm(cred, path->mnt->mnt_sb, | 2561 | return superblock_has_perm(cred, path->mnt->mnt_sb, |
@@ -2530,11 +2568,6 @@ static int selinux_mount(char *dev_name, | |||
2530 | static int selinux_umount(struct vfsmount *mnt, int flags) | 2568 | static int selinux_umount(struct vfsmount *mnt, int flags) |
2531 | { | 2569 | { |
2532 | const struct cred *cred = current_cred(); | 2570 | const struct cred *cred = current_cred(); |
2533 | int rc; | ||
2534 | |||
2535 | rc = secondary_ops->sb_umount(mnt, flags); | ||
2536 | if (rc) | ||
2537 | return rc; | ||
2538 | 2571 | ||
2539 | return superblock_has_perm(cred, mnt->mnt_sb, | 2572 | return superblock_has_perm(cred, mnt->mnt_sb, |
2540 | FILESYSTEM__UNMOUNT, NULL); | 2573 | FILESYSTEM__UNMOUNT, NULL); |
@@ -2570,7 +2603,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
2570 | sid = tsec->sid; | 2603 | sid = tsec->sid; |
2571 | newsid = tsec->create_sid; | 2604 | newsid = tsec->create_sid; |
2572 | 2605 | ||
2573 | if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) { | 2606 | if (!newsid || !(sbsec->flags & SE_SBLABELSUPP)) { |
2574 | rc = security_transition_sid(sid, dsec->sid, | 2607 | rc = security_transition_sid(sid, dsec->sid, |
2575 | inode_mode_to_security_class(inode->i_mode), | 2608 | inode_mode_to_security_class(inode->i_mode), |
2576 | &newsid); | 2609 | &newsid); |
@@ -2585,14 +2618,14 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, | |||
2585 | } | 2618 | } |
2586 | 2619 | ||
2587 | /* Possibly defer initialization to selinux_complete_init. */ | 2620 | /* Possibly defer initialization to selinux_complete_init. */ |
2588 | if (sbsec->initialized) { | 2621 | if (sbsec->flags & SE_SBINITIALIZED) { |
2589 | struct inode_security_struct *isec = inode->i_security; | 2622 | struct inode_security_struct *isec = inode->i_security; |
2590 | isec->sclass = inode_mode_to_security_class(inode->i_mode); | 2623 | isec->sclass = inode_mode_to_security_class(inode->i_mode); |
2591 | isec->sid = newsid; | 2624 | isec->sid = newsid; |
2592 | isec->initialized = 1; | 2625 | isec->initialized = 1; |
2593 | } | 2626 | } |
2594 | 2627 | ||
2595 | if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) | 2628 | if (!ss_initialized || !(sbsec->flags & SE_SBLABELSUPP)) |
2596 | return -EOPNOTSUPP; | 2629 | return -EOPNOTSUPP; |
2597 | 2630 | ||
2598 | if (name) { | 2631 | if (name) { |
@@ -2622,21 +2655,11 @@ static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int ma | |||
2622 | 2655 | ||
2623 | static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) | 2656 | static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) |
2624 | { | 2657 | { |
2625 | int rc; | ||
2626 | |||
2627 | rc = secondary_ops->inode_link(old_dentry, dir, new_dentry); | ||
2628 | if (rc) | ||
2629 | return rc; | ||
2630 | return may_link(dir, old_dentry, MAY_LINK); | 2658 | return may_link(dir, old_dentry, MAY_LINK); |
2631 | } | 2659 | } |
2632 | 2660 | ||
2633 | static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) | 2661 | static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry) |
2634 | { | 2662 | { |
2635 | int rc; | ||
2636 | |||
2637 | rc = secondary_ops->inode_unlink(dir, dentry); | ||
2638 | if (rc) | ||
2639 | return rc; | ||
2640 | return may_link(dir, dentry, MAY_UNLINK); | 2663 | return may_link(dir, dentry, MAY_UNLINK); |
2641 | } | 2664 | } |
2642 | 2665 | ||
@@ -2657,12 +2680,6 @@ static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry) | |||
2657 | 2680 | ||
2658 | static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) | 2681 | static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) |
2659 | { | 2682 | { |
2660 | int rc; | ||
2661 | |||
2662 | rc = secondary_ops->inode_mknod(dir, dentry, mode, dev); | ||
2663 | if (rc) | ||
2664 | return rc; | ||
2665 | |||
2666 | return may_create(dir, dentry, inode_mode_to_security_class(mode)); | 2683 | return may_create(dir, dentry, inode_mode_to_security_class(mode)); |
2667 | } | 2684 | } |
2668 | 2685 | ||
@@ -2682,22 +2699,13 @@ static int selinux_inode_readlink(struct dentry *dentry) | |||
2682 | static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) | 2699 | static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) |
2683 | { | 2700 | { |
2684 | const struct cred *cred = current_cred(); | 2701 | const struct cred *cred = current_cred(); |
2685 | int rc; | ||
2686 | 2702 | ||
2687 | rc = secondary_ops->inode_follow_link(dentry, nameidata); | ||
2688 | if (rc) | ||
2689 | return rc; | ||
2690 | return dentry_has_perm(cred, NULL, dentry, FILE__READ); | 2703 | return dentry_has_perm(cred, NULL, dentry, FILE__READ); |
2691 | } | 2704 | } |
2692 | 2705 | ||
2693 | static int selinux_inode_permission(struct inode *inode, int mask) | 2706 | static int selinux_inode_permission(struct inode *inode, int mask) |
2694 | { | 2707 | { |
2695 | const struct cred *cred = current_cred(); | 2708 | const struct cred *cred = current_cred(); |
2696 | int rc; | ||
2697 | |||
2698 | rc = secondary_ops->inode_permission(inode, mask); | ||
2699 | if (rc) | ||
2700 | return rc; | ||
2701 | 2709 | ||
2702 | if (!mask) { | 2710 | if (!mask) { |
2703 | /* No permission to check. Existence test. */ | 2711 | /* No permission to check. Existence test. */ |
@@ -2711,11 +2719,6 @@ static int selinux_inode_permission(struct inode *inode, int mask) | |||
2711 | static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) | 2719 | static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) |
2712 | { | 2720 | { |
2713 | const struct cred *cred = current_cred(); | 2721 | const struct cred *cred = current_cred(); |
2714 | int rc; | ||
2715 | |||
2716 | rc = secondary_ops->inode_setattr(dentry, iattr); | ||
2717 | if (rc) | ||
2718 | return rc; | ||
2719 | 2722 | ||
2720 | if (iattr->ia_valid & ATTR_FORCE) | 2723 | if (iattr->ia_valid & ATTR_FORCE) |
2721 | return 0; | 2724 | return 0; |
@@ -2769,7 +2772,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, | |||
2769 | return selinux_inode_setotherxattr(dentry, name); | 2772 | return selinux_inode_setotherxattr(dentry, name); |
2770 | 2773 | ||
2771 | sbsec = inode->i_sb->s_security; | 2774 | sbsec = inode->i_sb->s_security; |
2772 | if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT) | 2775 | if (!(sbsec->flags & SE_SBLABELSUPP)) |
2773 | return -EOPNOTSUPP; | 2776 | return -EOPNOTSUPP; |
2774 | 2777 | ||
2775 | if (!is_owner_or_cap(inode)) | 2778 | if (!is_owner_or_cap(inode)) |
@@ -2931,16 +2934,6 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t | |||
2931 | return len; | 2934 | return len; |
2932 | } | 2935 | } |
2933 | 2936 | ||
2934 | static int selinux_inode_need_killpriv(struct dentry *dentry) | ||
2935 | { | ||
2936 | return secondary_ops->inode_need_killpriv(dentry); | ||
2937 | } | ||
2938 | |||
2939 | static int selinux_inode_killpriv(struct dentry *dentry) | ||
2940 | { | ||
2941 | return secondary_ops->inode_killpriv(dentry); | ||
2942 | } | ||
2943 | |||
2944 | static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) | 2937 | static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) |
2945 | { | 2938 | { |
2946 | struct inode_security_struct *isec = inode->i_security; | 2939 | struct inode_security_struct *isec = inode->i_security; |
@@ -3078,18 +3071,13 @@ static int selinux_file_mprotect(struct vm_area_struct *vma, | |||
3078 | unsigned long prot) | 3071 | unsigned long prot) |
3079 | { | 3072 | { |
3080 | const struct cred *cred = current_cred(); | 3073 | const struct cred *cred = current_cred(); |
3081 | int rc; | ||
3082 | |||
3083 | rc = secondary_ops->file_mprotect(vma, reqprot, prot); | ||
3084 | if (rc) | ||
3085 | return rc; | ||
3086 | 3074 | ||
3087 | if (selinux_checkreqprot) | 3075 | if (selinux_checkreqprot) |
3088 | prot = reqprot; | 3076 | prot = reqprot; |
3089 | 3077 | ||
3090 | #ifndef CONFIG_PPC32 | 3078 | #ifndef CONFIG_PPC32 |
3091 | if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { | 3079 | if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) { |
3092 | rc = 0; | 3080 | int rc = 0; |
3093 | if (vma->vm_start >= vma->vm_mm->start_brk && | 3081 | if (vma->vm_start >= vma->vm_mm->start_brk && |
3094 | vma->vm_end <= vma->vm_mm->brk) { | 3082 | vma->vm_end <= vma->vm_mm->brk) { |
3095 | rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); | 3083 | rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP); |
@@ -3239,12 +3227,6 @@ static int selinux_dentry_open(struct file *file, const struct cred *cred) | |||
3239 | 3227 | ||
3240 | static int selinux_task_create(unsigned long clone_flags) | 3228 | static int selinux_task_create(unsigned long clone_flags) |
3241 | { | 3229 | { |
3242 | int rc; | ||
3243 | |||
3244 | rc = secondary_ops->task_create(clone_flags); | ||
3245 | if (rc) | ||
3246 | return rc; | ||
3247 | |||
3248 | return current_has_perm(current, PROCESS__FORK); | 3230 | return current_has_perm(current, PROCESS__FORK); |
3249 | } | 3231 | } |
3250 | 3232 | ||
@@ -3278,14 +3260,6 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, | |||
3278 | } | 3260 | } |
3279 | 3261 | ||
3280 | /* | 3262 | /* |
3281 | * commit new credentials | ||
3282 | */ | ||
3283 | static void selinux_cred_commit(struct cred *new, const struct cred *old) | ||
3284 | { | ||
3285 | secondary_ops->cred_commit(new, old); | ||
3286 | } | ||
3287 | |||
3288 | /* | ||
3289 | * set the security data for a kernel service | 3263 | * set the security data for a kernel service |
3290 | * - all the creation contexts are set to unlabelled | 3264 | * - all the creation contexts are set to unlabelled |
3291 | */ | 3265 | */ |
@@ -3329,29 +3303,6 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) | |||
3329 | return 0; | 3303 | return 0; |
3330 | } | 3304 | } |
3331 | 3305 | ||
3332 | static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) | ||
3333 | { | ||
3334 | /* Since setuid only affects the current process, and | ||
3335 | since the SELinux controls are not based on the Linux | ||
3336 | identity attributes, SELinux does not need to control | ||
3337 | this operation. However, SELinux does control the use | ||
3338 | of the CAP_SETUID and CAP_SETGID capabilities using the | ||
3339 | capable hook. */ | ||
3340 | return 0; | ||
3341 | } | ||
3342 | |||
3343 | static int selinux_task_fix_setuid(struct cred *new, const struct cred *old, | ||
3344 | int flags) | ||
3345 | { | ||
3346 | return secondary_ops->task_fix_setuid(new, old, flags); | ||
3347 | } | ||
3348 | |||
3349 | static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) | ||
3350 | { | ||
3351 | /* See the comment for setuid above. */ | ||
3352 | return 0; | ||
3353 | } | ||
3354 | |||
3355 | static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) | 3306 | static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) |
3356 | { | 3307 | { |
3357 | return current_has_perm(p, PROCESS__SETPGID); | 3308 | return current_has_perm(p, PROCESS__SETPGID); |
@@ -3372,17 +3323,11 @@ static void selinux_task_getsecid(struct task_struct *p, u32 *secid) | |||
3372 | *secid = task_sid(p); | 3323 | *secid = task_sid(p); |
3373 | } | 3324 | } |
3374 | 3325 | ||
3375 | static int selinux_task_setgroups(struct group_info *group_info) | ||
3376 | { | ||
3377 | /* See the comment for setuid above. */ | ||
3378 | return 0; | ||
3379 | } | ||
3380 | |||
3381 | static int selinux_task_setnice(struct task_struct *p, int nice) | 3326 | static int selinux_task_setnice(struct task_struct *p, int nice) |
3382 | { | 3327 | { |
3383 | int rc; | 3328 | int rc; |
3384 | 3329 | ||
3385 | rc = secondary_ops->task_setnice(p, nice); | 3330 | rc = cap_task_setnice(p, nice); |
3386 | if (rc) | 3331 | if (rc) |
3387 | return rc; | 3332 | return rc; |
3388 | 3333 | ||
@@ -3393,7 +3338,7 @@ static int selinux_task_setioprio(struct task_struct *p, int ioprio) | |||
3393 | { | 3338 | { |
3394 | int rc; | 3339 | int rc; |
3395 | 3340 | ||
3396 | rc = secondary_ops->task_setioprio(p, ioprio); | 3341 | rc = cap_task_setioprio(p, ioprio); |
3397 | if (rc) | 3342 | if (rc) |
3398 | return rc; | 3343 | return rc; |
3399 | 3344 | ||
@@ -3408,11 +3353,6 @@ static int selinux_task_getioprio(struct task_struct *p) | |||
3408 | static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) | 3353 | static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) |
3409 | { | 3354 | { |
3410 | struct rlimit *old_rlim = current->signal->rlim + resource; | 3355 | struct rlimit *old_rlim = current->signal->rlim + resource; |
3411 | int rc; | ||
3412 | |||
3413 | rc = secondary_ops->task_setrlimit(resource, new_rlim); | ||
3414 | if (rc) | ||
3415 | return rc; | ||
3416 | 3356 | ||
3417 | /* Control the ability to change the hard limit (whether | 3357 | /* Control the ability to change the hard limit (whether |
3418 | lowering or raising it), so that the hard limit can | 3358 | lowering or raising it), so that the hard limit can |
@@ -3428,7 +3368,7 @@ static int selinux_task_setscheduler(struct task_struct *p, int policy, struct s | |||
3428 | { | 3368 | { |
3429 | int rc; | 3369 | int rc; |
3430 | 3370 | ||
3431 | rc = secondary_ops->task_setscheduler(p, policy, lp); | 3371 | rc = cap_task_setscheduler(p, policy, lp); |
3432 | if (rc) | 3372 | if (rc) |
3433 | return rc; | 3373 | return rc; |
3434 | 3374 | ||
@@ -3451,10 +3391,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, | |||
3451 | u32 perm; | 3391 | u32 perm; |
3452 | int rc; | 3392 | int rc; |
3453 | 3393 | ||
3454 | rc = secondary_ops->task_kill(p, info, sig, secid); | ||
3455 | if (rc) | ||
3456 | return rc; | ||
3457 | |||
3458 | if (!sig) | 3394 | if (!sig) |
3459 | perm = PROCESS__SIGNULL; /* null signal; existence test */ | 3395 | perm = PROCESS__SIGNULL; /* null signal; existence test */ |
3460 | else | 3396 | else |
@@ -3467,18 +3403,6 @@ static int selinux_task_kill(struct task_struct *p, struct siginfo *info, | |||
3467 | return rc; | 3403 | return rc; |
3468 | } | 3404 | } |
3469 | 3405 | ||
3470 | static int selinux_task_prctl(int option, | ||
3471 | unsigned long arg2, | ||
3472 | unsigned long arg3, | ||
3473 | unsigned long arg4, | ||
3474 | unsigned long arg5) | ||
3475 | { | ||
3476 | /* The current prctl operations do not appear to require | ||
3477 | any SELinux controls since they merely observe or modify | ||
3478 | the state of the current process. */ | ||
3479 | return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5); | ||
3480 | } | ||
3481 | |||
3482 | static int selinux_task_wait(struct task_struct *p) | 3406 | static int selinux_task_wait(struct task_struct *p) |
3483 | { | 3407 | { |
3484 | return task_has_perm(p, current, PROCESS__SIGCHLD); | 3408 | return task_has_perm(p, current, PROCESS__SIGCHLD); |
@@ -4047,10 +3971,6 @@ static int selinux_socket_unix_stream_connect(struct socket *sock, | |||
4047 | struct avc_audit_data ad; | 3971 | struct avc_audit_data ad; |
4048 | int err; | 3972 | int err; |
4049 | 3973 | ||
4050 | err = secondary_ops->unix_stream_connect(sock, other, newsk); | ||
4051 | if (err) | ||
4052 | return err; | ||
4053 | |||
4054 | isec = SOCK_INODE(sock)->i_security; | 3974 | isec = SOCK_INODE(sock)->i_security; |
4055 | other_isec = SOCK_INODE(other)->i_security; | 3975 | other_isec = SOCK_INODE(other)->i_security; |
4056 | 3976 | ||
@@ -4844,7 +4764,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) | |||
4844 | { | 4764 | { |
4845 | int err; | 4765 | int err; |
4846 | 4766 | ||
4847 | err = secondary_ops->netlink_send(sk, skb); | 4767 | err = cap_netlink_send(sk, skb); |
4848 | if (err) | 4768 | if (err) |
4849 | return err; | 4769 | return err; |
4850 | 4770 | ||
@@ -4859,7 +4779,7 @@ static int selinux_netlink_recv(struct sk_buff *skb, int capability) | |||
4859 | int err; | 4779 | int err; |
4860 | struct avc_audit_data ad; | 4780 | struct avc_audit_data ad; |
4861 | 4781 | ||
4862 | err = secondary_ops->netlink_recv(skb, capability); | 4782 | err = cap_netlink_recv(skb, capability); |
4863 | if (err) | 4783 | if (err) |
4864 | return err; | 4784 | return err; |
4865 | 4785 | ||
@@ -5167,11 +5087,6 @@ static int selinux_shm_shmat(struct shmid_kernel *shp, | |||
5167 | char __user *shmaddr, int shmflg) | 5087 | char __user *shmaddr, int shmflg) |
5168 | { | 5088 | { |
5169 | u32 perms; | 5089 | u32 perms; |
5170 | int rc; | ||
5171 | |||
5172 | rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg); | ||
5173 | if (rc) | ||
5174 | return rc; | ||
5175 | 5090 | ||
5176 | if (shmflg & SHM_RDONLY) | 5091 | if (shmflg & SHM_RDONLY) |
5177 | perms = SHM__READ; | 5092 | perms = SHM__READ; |
@@ -5581,7 +5496,6 @@ static struct security_operations selinux_ops = { | |||
5581 | .netlink_recv = selinux_netlink_recv, | 5496 | .netlink_recv = selinux_netlink_recv, |
5582 | 5497 | ||
5583 | .bprm_set_creds = selinux_bprm_set_creds, | 5498 | .bprm_set_creds = selinux_bprm_set_creds, |
5584 | .bprm_check_security = selinux_bprm_check_security, | ||
5585 | .bprm_committing_creds = selinux_bprm_committing_creds, | 5499 | .bprm_committing_creds = selinux_bprm_committing_creds, |
5586 | .bprm_committed_creds = selinux_bprm_committed_creds, | 5500 | .bprm_committed_creds = selinux_bprm_committed_creds, |
5587 | .bprm_secureexec = selinux_bprm_secureexec, | 5501 | .bprm_secureexec = selinux_bprm_secureexec, |
@@ -5623,8 +5537,6 @@ static struct security_operations selinux_ops = { | |||
5623 | .inode_getsecurity = selinux_inode_getsecurity, | 5537 | .inode_getsecurity = selinux_inode_getsecurity, |
5624 | .inode_setsecurity = selinux_inode_setsecurity, | 5538 | .inode_setsecurity = selinux_inode_setsecurity, |
5625 | .inode_listsecurity = selinux_inode_listsecurity, | 5539 | .inode_listsecurity = selinux_inode_listsecurity, |
5626 | .inode_need_killpriv = selinux_inode_need_killpriv, | ||
5627 | .inode_killpriv = selinux_inode_killpriv, | ||
5628 | .inode_getsecid = selinux_inode_getsecid, | 5540 | .inode_getsecid = selinux_inode_getsecid, |
5629 | 5541 | ||
5630 | .file_permission = selinux_file_permission, | 5542 | .file_permission = selinux_file_permission, |
@@ -5644,17 +5556,12 @@ static struct security_operations selinux_ops = { | |||
5644 | .task_create = selinux_task_create, | 5556 | .task_create = selinux_task_create, |
5645 | .cred_free = selinux_cred_free, | 5557 | .cred_free = selinux_cred_free, |
5646 | .cred_prepare = selinux_cred_prepare, | 5558 | .cred_prepare = selinux_cred_prepare, |
5647 | .cred_commit = selinux_cred_commit, | ||
5648 | .kernel_act_as = selinux_kernel_act_as, | 5559 | .kernel_act_as = selinux_kernel_act_as, |
5649 | .kernel_create_files_as = selinux_kernel_create_files_as, | 5560 | .kernel_create_files_as = selinux_kernel_create_files_as, |
5650 | .task_setuid = selinux_task_setuid, | ||
5651 | .task_fix_setuid = selinux_task_fix_setuid, | ||
5652 | .task_setgid = selinux_task_setgid, | ||
5653 | .task_setpgid = selinux_task_setpgid, | 5561 | .task_setpgid = selinux_task_setpgid, |
5654 | .task_getpgid = selinux_task_getpgid, | 5562 | .task_getpgid = selinux_task_getpgid, |
5655 | .task_getsid = selinux_task_getsid, | 5563 | .task_getsid = selinux_task_getsid, |
5656 | .task_getsecid = selinux_task_getsecid, | 5564 | .task_getsecid = selinux_task_getsecid, |
5657 | .task_setgroups = selinux_task_setgroups, | ||
5658 | .task_setnice = selinux_task_setnice, | 5565 | .task_setnice = selinux_task_setnice, |
5659 | .task_setioprio = selinux_task_setioprio, | 5566 | .task_setioprio = selinux_task_setioprio, |
5660 | .task_getioprio = selinux_task_getioprio, | 5567 | .task_getioprio = selinux_task_getioprio, |
@@ -5664,7 +5571,6 @@ static struct security_operations selinux_ops = { | |||
5664 | .task_movememory = selinux_task_movememory, | 5571 | .task_movememory = selinux_task_movememory, |
5665 | .task_kill = selinux_task_kill, | 5572 | .task_kill = selinux_task_kill, |
5666 | .task_wait = selinux_task_wait, | 5573 | .task_wait = selinux_task_wait, |
5667 | .task_prctl = selinux_task_prctl, | ||
5668 | .task_to_inode = selinux_task_to_inode, | 5574 | .task_to_inode = selinux_task_to_inode, |
5669 | 5575 | ||
5670 | .ipc_permission = selinux_ipc_permission, | 5576 | .ipc_permission = selinux_ipc_permission, |
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index c0c885427b91..31df1d7c1aee 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h | |||
@@ -24,6 +24,7 @@ | |||
24 | S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod") | 24 | S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod") |
25 | S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open") | 25 | S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open") |
26 | S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open") | 26 | S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open") |
27 | S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open") | ||
27 | S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open") | 28 | S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open") |
28 | S_(SECCLASS_FD, FD__USE, "use") | 29 | S_(SECCLASS_FD, FD__USE, "use") |
29 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto") | 30 | S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto") |
@@ -152,6 +153,7 @@ | |||
152 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write") | 153 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write") |
153 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay") | 154 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay") |
154 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv") | 155 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv") |
156 | S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit") | ||
155 | S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read") | 157 | S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read") |
156 | S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write") | 158 | S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write") |
157 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") | 159 | S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") |
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 0ba79fe00e11..d645192ee950 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h | |||
@@ -174,6 +174,7 @@ | |||
174 | #define SOCK_FILE__SWAPON 0x00004000UL | 174 | #define SOCK_FILE__SWAPON 0x00004000UL |
175 | #define SOCK_FILE__QUOTAON 0x00008000UL | 175 | #define SOCK_FILE__QUOTAON 0x00008000UL |
176 | #define SOCK_FILE__MOUNTON 0x00010000UL | 176 | #define SOCK_FILE__MOUNTON 0x00010000UL |
177 | #define SOCK_FILE__OPEN 0x00020000UL | ||
177 | #define FIFO_FILE__IOCTL 0x00000001UL | 178 | #define FIFO_FILE__IOCTL 0x00000001UL |
178 | #define FIFO_FILE__READ 0x00000002UL | 179 | #define FIFO_FILE__READ 0x00000002UL |
179 | #define FIFO_FILE__WRITE 0x00000004UL | 180 | #define FIFO_FILE__WRITE 0x00000004UL |
@@ -707,6 +708,7 @@ | |||
707 | #define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL | 708 | #define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL |
708 | #define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL | 709 | #define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL |
709 | #define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL | 710 | #define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL |
711 | #define NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT 0x04000000UL | ||
710 | #define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL | 712 | #define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL |
711 | #define NETLINK_IP6FW_SOCKET__READ 0x00000002UL | 713 | #define NETLINK_IP6FW_SOCKET__READ 0x00000002UL |
712 | #define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL | 714 | #define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL |
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 3cc45168f674..c4e062336ef3 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h | |||
@@ -60,9 +60,7 @@ struct superblock_security_struct { | |||
60 | u32 def_sid; /* default SID for labeling */ | 60 | u32 def_sid; /* default SID for labeling */ |
61 | u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */ | 61 | u32 mntpoint_sid; /* SECURITY_FS_USE_MNTPOINT context for files */ |
62 | unsigned int behavior; /* labeling behavior */ | 62 | unsigned int behavior; /* labeling behavior */ |
63 | unsigned char initialized; /* initialization flag */ | ||
64 | unsigned char flags; /* which mount options were specified */ | 63 | unsigned char flags; /* which mount options were specified */ |
65 | unsigned char proc; /* proc fs */ | ||
66 | struct mutex lock; | 64 | struct mutex lock; |
67 | struct list_head isec_head; | 65 | struct list_head isec_head; |
68 | spinlock_t isec_lock; | 66 | spinlock_t isec_lock; |
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 72447370bc95..5c3434f7626f 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
@@ -37,15 +37,23 @@ | |||
37 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY | 37 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY |
38 | #endif | 38 | #endif |
39 | 39 | ||
40 | /* Mask for just the mount related flags */ | ||
41 | #define SE_MNTMASK 0x0f | ||
42 | /* Super block security struct flags for mount options */ | ||
40 | #define CONTEXT_MNT 0x01 | 43 | #define CONTEXT_MNT 0x01 |
41 | #define FSCONTEXT_MNT 0x02 | 44 | #define FSCONTEXT_MNT 0x02 |
42 | #define ROOTCONTEXT_MNT 0x04 | 45 | #define ROOTCONTEXT_MNT 0x04 |
43 | #define DEFCONTEXT_MNT 0x08 | 46 | #define DEFCONTEXT_MNT 0x08 |
47 | /* Non-mount related flags */ | ||
48 | #define SE_SBINITIALIZED 0x10 | ||
49 | #define SE_SBPROC 0x20 | ||
50 | #define SE_SBLABELSUPP 0x40 | ||
44 | 51 | ||
45 | #define CONTEXT_STR "context=" | 52 | #define CONTEXT_STR "context=" |
46 | #define FSCONTEXT_STR "fscontext=" | 53 | #define FSCONTEXT_STR "fscontext=" |
47 | #define ROOTCONTEXT_STR "rootcontext=" | 54 | #define ROOTCONTEXT_STR "rootcontext=" |
48 | #define DEFCONTEXT_STR "defcontext=" | 55 | #define DEFCONTEXT_STR "defcontext=" |
56 | #define LABELSUPP_STR "seclabel" | ||
49 | 57 | ||
50 | struct netlbl_lsm_secattr; | 58 | struct netlbl_lsm_secattr; |
51 | 59 | ||
@@ -80,7 +88,6 @@ int security_policycap_supported(unsigned int req_cap); | |||
80 | #define SEL_VEC_MAX 32 | 88 | #define SEL_VEC_MAX 32 |
81 | struct av_decision { | 89 | struct av_decision { |
82 | u32 allowed; | 90 | u32 allowed; |
83 | u32 decided; | ||
84 | u32 auditallow; | 91 | u32 auditallow; |
85 | u32 auditdeny; | 92 | u32 auditdeny; |
86 | u32 seqno; | 93 | u32 seqno; |
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c index 4ed7bab89c59..c6875fd3b9d6 100644 --- a/security/selinux/nlmsgtab.c +++ b/security/selinux/nlmsgtab.c | |||
@@ -113,7 +113,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] = | |||
113 | { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, | 113 | { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, |
114 | { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, | 114 | { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ }, |
115 | { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, | 115 | { AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ }, |
116 | { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, | 116 | { AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT }, |
117 | }; | 117 | }; |
118 | 118 | ||
119 | 119 | ||
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 01ec6d2c6b97..d3c8b982cfb0 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -595,7 +595,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size) | |||
595 | 595 | ||
596 | length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, | 596 | length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, |
597 | "%x %x %x %x %u", | 597 | "%x %x %x %x %u", |
598 | avd.allowed, avd.decided, | 598 | avd.allowed, 0xffffffff, |
599 | avd.auditallow, avd.auditdeny, | 599 | avd.auditallow, avd.auditdeny, |
600 | avd.seqno); | 600 | avd.seqno); |
601 | out2: | 601 | out2: |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index c65e4fe4a0f1..deeec6c013ae 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -407,7 +407,6 @@ static int context_struct_compute_av(struct context *scontext, | |||
407 | * Initialize the access vectors to the default values. | 407 | * Initialize the access vectors to the default values. |
408 | */ | 408 | */ |
409 | avd->allowed = 0; | 409 | avd->allowed = 0; |
410 | avd->decided = 0xffffffff; | ||
411 | avd->auditallow = 0; | 410 | avd->auditallow = 0; |
412 | avd->auditdeny = 0xffffffff; | 411 | avd->auditdeny = 0xffffffff; |
413 | avd->seqno = latest_granting; | 412 | avd->seqno = latest_granting; |
@@ -743,7 +742,6 @@ int security_compute_av(u32 ssid, | |||
743 | 742 | ||
744 | if (!ss_initialized) { | 743 | if (!ss_initialized) { |
745 | avd->allowed = 0xffffffff; | 744 | avd->allowed = 0xffffffff; |
746 | avd->decided = 0xffffffff; | ||
747 | avd->auditallow = 0; | 745 | avd->auditallow = 0; |
748 | avd->auditdeny = 0xffffffff; | 746 | avd->auditdeny = 0xffffffff; |
749 | avd->seqno = latest_granting; | 747 | avd->seqno = latest_granting; |
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 2e0b83e77ffe..cfa19ca125e3 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c | |||
@@ -162,8 +162,8 @@ int smk_access(char *subject_label, char *object_label, int request) | |||
162 | 162 | ||
163 | /** | 163 | /** |
164 | * smk_curacc - determine if current has a specific access to an object | 164 | * smk_curacc - determine if current has a specific access to an object |
165 | * @object_label: a pointer to the object's Smack label | 165 | * @obj_label: a pointer to the object's Smack label |
166 | * @request: the access requested, in "MAY" format | 166 | * @mode: the access requested, in "MAY" format |
167 | * | 167 | * |
168 | * This function checks the current subject label/object label pair | 168 | * This function checks the current subject label/object label pair |
169 | * in the access rule list and returns 0 if the access is permitted, | 169 | * in the access rule list and returns 0 if the access is permitted, |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e7ded1326b0f..84b62b5e9e2c 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -91,6 +91,7 @@ struct inode_smack *new_inode_smack(char *smack) | |||
91 | /** | 91 | /** |
92 | * smack_ptrace_may_access - Smack approval on PTRACE_ATTACH | 92 | * smack_ptrace_may_access - Smack approval on PTRACE_ATTACH |
93 | * @ctp: child task pointer | 93 | * @ctp: child task pointer |
94 | * @mode: ptrace attachment mode | ||
94 | * | 95 | * |
95 | * Returns 0 if access is OK, an error code otherwise | 96 | * Returns 0 if access is OK, an error code otherwise |
96 | * | 97 | * |
@@ -203,9 +204,8 @@ static void smack_sb_free_security(struct super_block *sb) | |||
203 | 204 | ||
204 | /** | 205 | /** |
205 | * smack_sb_copy_data - copy mount options data for processing | 206 | * smack_sb_copy_data - copy mount options data for processing |
206 | * @type: file system type | ||
207 | * @orig: where to start | 207 | * @orig: where to start |
208 | * @smackopts | 208 | * @smackopts: mount options string |
209 | * | 209 | * |
210 | * Returns 0 on success or -ENOMEM on error. | 210 | * Returns 0 on success or -ENOMEM on error. |
211 | * | 211 | * |
@@ -331,7 +331,7 @@ static int smack_sb_statfs(struct dentry *dentry) | |||
331 | /** | 331 | /** |
332 | * smack_sb_mount - Smack check for mounting | 332 | * smack_sb_mount - Smack check for mounting |
333 | * @dev_name: unused | 333 | * @dev_name: unused |
334 | * @nd: mount point | 334 | * @path: mount point |
335 | * @type: unused | 335 | * @type: unused |
336 | * @flags: unused | 336 | * @flags: unused |
337 | * @data: unused | 337 | * @data: unused |
@@ -370,7 +370,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags) | |||
370 | 370 | ||
371 | /** | 371 | /** |
372 | * smack_inode_alloc_security - allocate an inode blob | 372 | * smack_inode_alloc_security - allocate an inode blob |
373 | * @inode - the inode in need of a blob | 373 | * @inode: the inode in need of a blob |
374 | * | 374 | * |
375 | * Returns 0 if it gets a blob, -ENOMEM otherwise | 375 | * Returns 0 if it gets a blob, -ENOMEM otherwise |
376 | */ | 376 | */ |
@@ -384,7 +384,7 @@ static int smack_inode_alloc_security(struct inode *inode) | |||
384 | 384 | ||
385 | /** | 385 | /** |
386 | * smack_inode_free_security - free an inode blob | 386 | * smack_inode_free_security - free an inode blob |
387 | * @inode - the inode with a blob | 387 | * @inode: the inode with a blob |
388 | * | 388 | * |
389 | * Clears the blob pointer in inode | 389 | * Clears the blob pointer in inode |
390 | */ | 390 | */ |
@@ -538,7 +538,6 @@ static int smack_inode_rename(struct inode *old_inode, | |||
538 | * smack_inode_permission - Smack version of permission() | 538 | * smack_inode_permission - Smack version of permission() |
539 | * @inode: the inode in question | 539 | * @inode: the inode in question |
540 | * @mask: the access requested | 540 | * @mask: the access requested |
541 | * @nd: unused | ||
542 | * | 541 | * |
543 | * This is the important Smack hook. | 542 | * This is the important Smack hook. |
544 | * | 543 | * |
@@ -701,8 +700,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) | |||
701 | * @inode: the object | 700 | * @inode: the object |
702 | * @name: attribute name | 701 | * @name: attribute name |
703 | * @buffer: where to put the result | 702 | * @buffer: where to put the result |
704 | * @size: size of the buffer | 703 | * @alloc: unused |
705 | * @err: unused | ||
706 | * | 704 | * |
707 | * Returns the size of the attribute or an error code | 705 | * Returns the size of the attribute or an error code |
708 | */ | 706 | */ |
@@ -864,7 +862,7 @@ static int smack_file_ioctl(struct file *file, unsigned int cmd, | |||
864 | /** | 862 | /** |
865 | * smack_file_lock - Smack check on file locking | 863 | * smack_file_lock - Smack check on file locking |
866 | * @file: the object | 864 | * @file: the object |
867 | * @cmd unused | 865 | * @cmd: unused |
868 | * | 866 | * |
869 | * Returns 0 if current has write access, error code otherwise | 867 | * Returns 0 if current has write access, error code otherwise |
870 | */ | 868 | */ |
@@ -1003,8 +1001,8 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old, | |||
1003 | return 0; | 1001 | return 0; |
1004 | } | 1002 | } |
1005 | 1003 | ||
1006 | /* | 1004 | /** |
1007 | * commit new credentials | 1005 | * smack_cred_commit - commit new credentials |
1008 | * @new: the new credentials | 1006 | * @new: the new credentials |
1009 | * @old: the original credentials | 1007 | * @old: the original credentials |
1010 | */ | 1008 | */ |
@@ -1014,8 +1012,8 @@ static void smack_cred_commit(struct cred *new, const struct cred *old) | |||
1014 | 1012 | ||
1015 | /** | 1013 | /** |
1016 | * smack_kernel_act_as - Set the subjective context in a set of credentials | 1014 | * smack_kernel_act_as - Set the subjective context in a set of credentials |
1017 | * @new points to the set of credentials to be modified. | 1015 | * @new: points to the set of credentials to be modified. |
1018 | * @secid specifies the security ID to be set | 1016 | * @secid: specifies the security ID to be set |
1019 | * | 1017 | * |
1020 | * Set the security data for a kernel service. | 1018 | * Set the security data for a kernel service. |
1021 | */ | 1019 | */ |
@@ -1032,8 +1030,8 @@ static int smack_kernel_act_as(struct cred *new, u32 secid) | |||
1032 | 1030 | ||
1033 | /** | 1031 | /** |
1034 | * smack_kernel_create_files_as - Set the file creation label in a set of creds | 1032 | * smack_kernel_create_files_as - Set the file creation label in a set of creds |
1035 | * @new points to the set of credentials to be modified | 1033 | * @new: points to the set of credentials to be modified |
1036 | * @inode points to the inode to use as a reference | 1034 | * @inode: points to the inode to use as a reference |
1037 | * | 1035 | * |
1038 | * Set the file creation context in a set of credentials to the same | 1036 | * Set the file creation context in a set of credentials to the same |
1039 | * as the objective context of the specified inode | 1037 | * as the objective context of the specified inode |
@@ -1242,7 +1240,7 @@ static int smack_task_wait(struct task_struct *p) | |||
1242 | /** | 1240 | /** |
1243 | * smack_task_to_inode - copy task smack into the inode blob | 1241 | * smack_task_to_inode - copy task smack into the inode blob |
1244 | * @p: task to copy from | 1242 | * @p: task to copy from |
1245 | * inode: inode to copy to | 1243 | * @inode: inode to copy to |
1246 | * | 1244 | * |
1247 | * Sets the smack pointer in the inode security blob | 1245 | * Sets the smack pointer in the inode security blob |
1248 | */ | 1246 | */ |
@@ -1260,7 +1258,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) | |||
1260 | * smack_sk_alloc_security - Allocate a socket blob | 1258 | * smack_sk_alloc_security - Allocate a socket blob |
1261 | * @sk: the socket | 1259 | * @sk: the socket |
1262 | * @family: unused | 1260 | * @family: unused |
1263 | * @priority: memory allocation priority | 1261 | * @gfp_flags: memory allocation flags |
1264 | * | 1262 | * |
1265 | * Assign Smack pointers to current | 1263 | * Assign Smack pointers to current |
1266 | * | 1264 | * |
@@ -1974,7 +1972,7 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) | |||
1974 | 1972 | ||
1975 | /** | 1973 | /** |
1976 | * smack_ipc_getsecid - Extract smack security id | 1974 | * smack_ipc_getsecid - Extract smack security id |
1977 | * @ipcp: the object permissions | 1975 | * @ipp: the object permissions |
1978 | * @secid: where result will be saved | 1976 | * @secid: where result will be saved |
1979 | */ | 1977 | */ |
1980 | static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) | 1978 | static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) |
@@ -2251,7 +2249,7 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other) | |||
2251 | /** | 2249 | /** |
2252 | * smack_socket_sendmsg - Smack check based on destination host | 2250 | * smack_socket_sendmsg - Smack check based on destination host |
2253 | * @sock: the socket | 2251 | * @sock: the socket |
2254 | * @msghdr: the message | 2252 | * @msg: the message |
2255 | * @size: the size of the message | 2253 | * @size: the size of the message |
2256 | * | 2254 | * |
2257 | * Return 0 if the current subject can write to the destination | 2255 | * Return 0 if the current subject can write to the destination |
@@ -2292,8 +2290,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, | |||
2292 | 2290 | ||
2293 | 2291 | ||
2294 | /** | 2292 | /** |
2295 | * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat | 2293 | * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack |
2296 | * pair to smack | ||
2297 | * @sap: netlabel secattr | 2294 | * @sap: netlabel secattr |
2298 | * @sip: where to put the result | 2295 | * @sip: where to put the result |
2299 | * | 2296 | * |
@@ -2414,7 +2411,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | |||
2414 | * @sock: the socket | 2411 | * @sock: the socket |
2415 | * @optval: user's destination | 2412 | * @optval: user's destination |
2416 | * @optlen: size thereof | 2413 | * @optlen: size thereof |
2417 | * @len: max thereoe | 2414 | * @len: max thereof |
2418 | * | 2415 | * |
2419 | * returns zero on success, an error code otherwise | 2416 | * returns zero on success, an error code otherwise |
2420 | */ | 2417 | */ |
@@ -2749,7 +2746,7 @@ static void smack_audit_rule_free(void *vrule) | |||
2749 | 2746 | ||
2750 | #endif /* CONFIG_AUDIT */ | 2747 | #endif /* CONFIG_AUDIT */ |
2751 | 2748 | ||
2752 | /* | 2749 | /** |
2753 | * smack_secid_to_secctx - return the smack label for a secid | 2750 | * smack_secid_to_secctx - return the smack label for a secid |
2754 | * @secid: incoming integer | 2751 | * @secid: incoming integer |
2755 | * @secdata: destination | 2752 | * @secdata: destination |
@@ -2766,7 +2763,7 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) | |||
2766 | return 0; | 2763 | return 0; |
2767 | } | 2764 | } |
2768 | 2765 | ||
2769 | /* | 2766 | /** |
2770 | * smack_secctx_to_secid - return the secid for a smack label | 2767 | * smack_secctx_to_secid - return the secid for a smack label |
2771 | * @secdata: smack label | 2768 | * @secdata: smack label |
2772 | * @seclen: how long result is | 2769 | * @seclen: how long result is |
@@ -2780,11 +2777,10 @@ static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) | |||
2780 | return 0; | 2777 | return 0; |
2781 | } | 2778 | } |
2782 | 2779 | ||
2783 | /* | 2780 | /** |
2784 | * smack_release_secctx - don't do anything. | 2781 | * smack_release_secctx - don't do anything. |
2785 | * @key_ref: unused | 2782 | * @secdata: unused |
2786 | * @context: unused | 2783 | * @seclen: unused |
2787 | * @perm: unused | ||
2788 | * | 2784 | * |
2789 | * Exists to make sure nothing gets done, and properly | 2785 | * Exists to make sure nothing gets done, and properly |
2790 | */ | 2786 | */ |
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 51f0efc50dab..a1b57e4dba3e 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
@@ -245,7 +245,7 @@ out: | |||
245 | 245 | ||
246 | /** | 246 | /** |
247 | * smk_write_load - write() for /smack/load | 247 | * smk_write_load - write() for /smack/load |
248 | * @filp: file pointer, not actually used | 248 | * @file: file pointer, not actually used |
249 | * @buf: where to get the data from | 249 | * @buf: where to get the data from |
250 | * @count: bytes sent | 250 | * @count: bytes sent |
251 | * @ppos: where to start - must be 0 | 251 | * @ppos: where to start - must be 0 |
@@ -402,6 +402,7 @@ static void smk_cipso_doi(void) | |||
402 | 402 | ||
403 | /** | 403 | /** |
404 | * smk_unlbl_ambient - initialize the unlabeled domain | 404 | * smk_unlbl_ambient - initialize the unlabeled domain |
405 | * @oldambient: previous domain string | ||
405 | */ | 406 | */ |
406 | static void smk_unlbl_ambient(char *oldambient) | 407 | static void smk_unlbl_ambient(char *oldambient) |
407 | { | 408 | { |
@@ -513,7 +514,7 @@ static int smk_open_cipso(struct inode *inode, struct file *file) | |||
513 | 514 | ||
514 | /** | 515 | /** |
515 | * smk_write_cipso - write() for /smack/cipso | 516 | * smk_write_cipso - write() for /smack/cipso |
516 | * @filp: file pointer, not actually used | 517 | * @file: file pointer, not actually used |
517 | * @buf: where to get the data from | 518 | * @buf: where to get the data from |
518 | * @count: bytes sent | 519 | * @count: bytes sent |
519 | * @ppos: where to start | 520 | * @ppos: where to start |
@@ -733,7 +734,7 @@ static void smk_netlbladdr_insert(struct smk_netlbladdr *new) | |||
733 | 734 | ||
734 | /** | 735 | /** |
735 | * smk_write_netlbladdr - write() for /smack/netlabel | 736 | * smk_write_netlbladdr - write() for /smack/netlabel |
736 | * @filp: file pointer, not actually used | 737 | * @file: file pointer, not actually used |
737 | * @buf: where to get the data from | 738 | * @buf: where to get the data from |
738 | * @count: bytes sent | 739 | * @count: bytes sent |
739 | * @ppos: where to start | 740 | * @ppos: where to start |
@@ -884,7 +885,7 @@ static ssize_t smk_read_doi(struct file *filp, char __user *buf, | |||
884 | 885 | ||
885 | /** | 886 | /** |
886 | * smk_write_doi - write() for /smack/doi | 887 | * smk_write_doi - write() for /smack/doi |
887 | * @filp: file pointer, not actually used | 888 | * @file: file pointer, not actually used |
888 | * @buf: where to get the data from | 889 | * @buf: where to get the data from |
889 | * @count: bytes sent | 890 | * @count: bytes sent |
890 | * @ppos: where to start | 891 | * @ppos: where to start |
@@ -949,7 +950,7 @@ static ssize_t smk_read_direct(struct file *filp, char __user *buf, | |||
949 | 950 | ||
950 | /** | 951 | /** |
951 | * smk_write_direct - write() for /smack/direct | 952 | * smk_write_direct - write() for /smack/direct |
952 | * @filp: file pointer, not actually used | 953 | * @file: file pointer, not actually used |
953 | * @buf: where to get the data from | 954 | * @buf: where to get the data from |
954 | * @count: bytes sent | 955 | * @count: bytes sent |
955 | * @ppos: where to start | 956 | * @ppos: where to start |
@@ -1024,7 +1025,7 @@ static ssize_t smk_read_ambient(struct file *filp, char __user *buf, | |||
1024 | 1025 | ||
1025 | /** | 1026 | /** |
1026 | * smk_write_ambient - write() for /smack/ambient | 1027 | * smk_write_ambient - write() for /smack/ambient |
1027 | * @filp: file pointer, not actually used | 1028 | * @file: file pointer, not actually used |
1028 | * @buf: where to get the data from | 1029 | * @buf: where to get the data from |
1029 | * @count: bytes sent | 1030 | * @count: bytes sent |
1030 | * @ppos: where to start | 1031 | * @ppos: where to start |
@@ -1099,7 +1100,7 @@ static ssize_t smk_read_onlycap(struct file *filp, char __user *buf, | |||
1099 | 1100 | ||
1100 | /** | 1101 | /** |
1101 | * smk_write_onlycap - write() for /smack/onlycap | 1102 | * smk_write_onlycap - write() for /smack/onlycap |
1102 | * @filp: file pointer, not actually used | 1103 | * @file: file pointer, not actually used |
1103 | * @buf: where to get the data from | 1104 | * @buf: where to get the data from |
1104 | * @count: bytes sent | 1105 | * @count: bytes sent |
1105 | * @ppos: where to start | 1106 | * @ppos: where to start |
diff --git a/security/tomoyo/Kconfig b/security/tomoyo/Kconfig new file mode 100644 index 000000000000..c8f385793235 --- /dev/null +++ b/security/tomoyo/Kconfig | |||
@@ -0,0 +1,11 @@ | |||
1 | config SECURITY_TOMOYO | ||
2 | bool "TOMOYO Linux Support" | ||
3 | depends on SECURITY | ||
4 | select SECURITYFS | ||
5 | select SECURITY_PATH | ||
6 | default n | ||
7 | help | ||
8 | This selects TOMOYO Linux, pathname-based access control. | ||
9 | Required userspace tools and further information may be | ||
10 | found at <http://tomoyo.sourceforge.jp/>. | ||
11 | If you are unsure how to answer this question, answer N. | ||
diff --git a/security/tomoyo/Makefile b/security/tomoyo/Makefile new file mode 100644 index 000000000000..10ccd686b290 --- /dev/null +++ b/security/tomoyo/Makefile | |||
@@ -0,0 +1 @@ | |||
obj-y = common.o realpath.o tomoyo.o domain.o file.o | |||
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c new file mode 100644 index 000000000000..92cea656ad21 --- /dev/null +++ b/security/tomoyo/common.c | |||
@@ -0,0 +1,2206 @@ | |||
1 | /* | ||
2 | * security/tomoyo/common.c | ||
3 | * | ||
4 | * Common functions for TOMOYO. | ||
5 | * | ||
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | ||
7 | * | ||
8 | * Version: 2.2.0-pre 2009/02/01 | ||
9 | * | ||
10 | */ | ||
11 | |||
12 | #include <linux/uaccess.h> | ||
13 | #include <linux/security.h> | ||
14 | #include <linux/hardirq.h> | ||
15 | #include "realpath.h" | ||
16 | #include "common.h" | ||
17 | #include "tomoyo.h" | ||
18 | |||
19 | /* Has loading policy done? */ | ||
20 | bool tomoyo_policy_loaded; | ||
21 | |||
22 | /* String table for functionality that takes 4 modes. */ | ||
23 | static const char *tomoyo_mode_4[4] = { | ||
24 | "disabled", "learning", "permissive", "enforcing" | ||
25 | }; | ||
26 | /* String table for functionality that takes 2 modes. */ | ||
27 | static const char *tomoyo_mode_2[4] = { | ||
28 | "disabled", "enabled", "enabled", "enabled" | ||
29 | }; | ||
30 | |||
31 | /* Table for profile. */ | ||
32 | static struct { | ||
33 | const char *keyword; | ||
34 | unsigned int current_value; | ||
35 | const unsigned int max_value; | ||
36 | } tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = { | ||
37 | [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 }, | ||
38 | [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX }, | ||
39 | [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, | ||
40 | }; | ||
41 | |||
42 | /* Profile table. Memory is allocated as needed. */ | ||
43 | static struct tomoyo_profile { | ||
44 | unsigned int value[TOMOYO_MAX_CONTROL_INDEX]; | ||
45 | const struct tomoyo_path_info *comment; | ||
46 | } *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES]; | ||
47 | |||
48 | /* Permit policy management by non-root user? */ | ||
49 | static bool tomoyo_manage_by_non_root; | ||
50 | |||
51 | /* Utility functions. */ | ||
52 | |||
53 | /* Open operation for /sys/kernel/security/tomoyo/ interface. */ | ||
54 | static int tomoyo_open_control(const u8 type, struct file *file); | ||
55 | /* Close /sys/kernel/security/tomoyo/ interface. */ | ||
56 | static int tomoyo_close_control(struct file *file); | ||
57 | /* Read operation for /sys/kernel/security/tomoyo/ interface. */ | ||
58 | static int tomoyo_read_control(struct file *file, char __user *buffer, | ||
59 | const int buffer_len); | ||
60 | /* Write operation for /sys/kernel/security/tomoyo/ interface. */ | ||
61 | static int tomoyo_write_control(struct file *file, const char __user *buffer, | ||
62 | const int buffer_len); | ||
63 | |||
64 | /** | ||
65 | * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value. | ||
66 | * | ||
67 | * @str: Pointer to the string. | ||
68 | * | ||
69 | * Returns true if @str is a \ooo style octal value, false otherwise. | ||
70 | * | ||
71 | * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF. | ||
72 | * This function verifies that \ooo is in valid range. | ||
73 | */ | ||
74 | static inline bool tomoyo_is_byte_range(const char *str) | ||
75 | { | ||
76 | return *str >= '0' && *str++ <= '3' && | ||
77 | *str >= '0' && *str++ <= '7' && | ||
78 | *str >= '0' && *str <= '7'; | ||
79 | } | ||
80 | |||
81 | /** | ||
82 | * tomoyo_is_alphabet_char - Check whether the character is an alphabet. | ||
83 | * | ||
84 | * @c: The character to check. | ||
85 | * | ||
86 | * Returns true if @c is an alphabet character, false otherwise. | ||
87 | */ | ||
88 | static inline bool tomoyo_is_alphabet_char(const char c) | ||
89 | { | ||
90 | return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'); | ||
91 | } | ||
92 | |||
93 | /** | ||
94 | * tomoyo_make_byte - Make byte value from three octal characters. | ||
95 | * | ||
96 | * @c1: The first character. | ||
97 | * @c2: The second character. | ||
98 | * @c3: The third character. | ||
99 | * | ||
100 | * Returns byte value. | ||
101 | */ | ||
102 | static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3) | ||
103 | { | ||
104 | return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0'); | ||
105 | } | ||
106 | |||
107 | /** | ||
108 | * tomoyo_str_starts - Check whether the given string starts with the given keyword. | ||
109 | * | ||
110 | * @src: Pointer to pointer to the string. | ||
111 | * @find: Pointer to the keyword. | ||
112 | * | ||
113 | * Returns true if @src starts with @find, false otherwise. | ||
114 | * | ||
115 | * The @src is updated to point the first character after the @find | ||
116 | * if @src starts with @find. | ||
117 | */ | ||
118 | static bool tomoyo_str_starts(char **src, const char *find) | ||
119 | { | ||
120 | const int len = strlen(find); | ||
121 | char *tmp = *src; | ||
122 | |||
123 | if (strncmp(tmp, find, len)) | ||
124 | return false; | ||
125 | tmp += len; | ||
126 | *src = tmp; | ||
127 | return true; | ||
128 | } | ||
129 | |||
130 | /** | ||
131 | * tomoyo_normalize_line - Format string. | ||
132 | * | ||
133 | * @buffer: The line to normalize. | ||
134 | * | ||
135 | * Leading and trailing whitespaces are removed. | ||
136 | * Multiple whitespaces are packed into single space. | ||
137 | * | ||
138 | * Returns nothing. | ||
139 | */ | ||
140 | static void tomoyo_normalize_line(unsigned char *buffer) | ||
141 | { | ||
142 | unsigned char *sp = buffer; | ||
143 | unsigned char *dp = buffer; | ||
144 | bool first = true; | ||
145 | |||
146 | while (tomoyo_is_invalid(*sp)) | ||
147 | sp++; | ||
148 | while (*sp) { | ||
149 | if (!first) | ||
150 | *dp++ = ' '; | ||
151 | first = false; | ||
152 | while (tomoyo_is_valid(*sp)) | ||
153 | *dp++ = *sp++; | ||
154 | while (tomoyo_is_invalid(*sp)) | ||
155 | sp++; | ||
156 | } | ||
157 | *dp = '\0'; | ||
158 | } | ||
159 | |||
160 | /** | ||
161 | * tomoyo_is_correct_path - Validate a pathname. | ||
162 | * @filename: The pathname to check. | ||
163 | * @start_type: Should the pathname start with '/'? | ||
164 | * 1 = must / -1 = must not / 0 = don't care | ||
165 | * @pattern_type: Can the pathname contain a wildcard? | ||
166 | * 1 = must / -1 = must not / 0 = don't care | ||
167 | * @end_type: Should the pathname end with '/'? | ||
168 | * 1 = must / -1 = must not / 0 = don't care | ||
169 | * @function: The name of function calling me. | ||
170 | * | ||
171 | * Check whether the given filename follows the naming rules. | ||
172 | * Returns true if @filename follows the naming rules, false otherwise. | ||
173 | */ | ||
174 | bool tomoyo_is_correct_path(const char *filename, const s8 start_type, | ||
175 | const s8 pattern_type, const s8 end_type, | ||
176 | const char *function) | ||
177 | { | ||
178 | bool contains_pattern = false; | ||
179 | unsigned char c; | ||
180 | unsigned char d; | ||
181 | unsigned char e; | ||
182 | const char *original_filename = filename; | ||
183 | |||
184 | if (!filename) | ||
185 | goto out; | ||
186 | c = *filename; | ||
187 | if (start_type == 1) { /* Must start with '/' */ | ||
188 | if (c != '/') | ||
189 | goto out; | ||
190 | } else if (start_type == -1) { /* Must not start with '/' */ | ||
191 | if (c == '/') | ||
192 | goto out; | ||
193 | } | ||
194 | if (c) | ||
195 | c = *(filename + strlen(filename) - 1); | ||
196 | if (end_type == 1) { /* Must end with '/' */ | ||
197 | if (c != '/') | ||
198 | goto out; | ||
199 | } else if (end_type == -1) { /* Must not end with '/' */ | ||
200 | if (c == '/') | ||
201 | goto out; | ||
202 | } | ||
203 | while ((c = *filename++) != '\0') { | ||
204 | if (c == '\\') { | ||
205 | switch ((c = *filename++)) { | ||
206 | case '\\': /* "\\" */ | ||
207 | continue; | ||
208 | case '$': /* "\$" */ | ||
209 | case '+': /* "\+" */ | ||
210 | case '?': /* "\?" */ | ||
211 | case '*': /* "\*" */ | ||
212 | case '@': /* "\@" */ | ||
213 | case 'x': /* "\x" */ | ||
214 | case 'X': /* "\X" */ | ||
215 | case 'a': /* "\a" */ | ||
216 | case 'A': /* "\A" */ | ||
217 | case '-': /* "\-" */ | ||
218 | if (pattern_type == -1) | ||
219 | break; /* Must not contain pattern */ | ||
220 | contains_pattern = true; | ||
221 | continue; | ||
222 | case '0': /* "\ooo" */ | ||
223 | case '1': | ||
224 | case '2': | ||
225 | case '3': | ||
226 | d = *filename++; | ||
227 | if (d < '0' || d > '7') | ||
228 | break; | ||
229 | e = *filename++; | ||
230 | if (e < '0' || e > '7') | ||
231 | break; | ||
232 | c = tomoyo_make_byte(c, d, e); | ||
233 | if (tomoyo_is_invalid(c)) | ||
234 | continue; /* pattern is not \000 */ | ||
235 | } | ||
236 | goto out; | ||
237 | } else if (tomoyo_is_invalid(c)) { | ||
238 | goto out; | ||
239 | } | ||
240 | } | ||
241 | if (pattern_type == 1) { /* Must contain pattern */ | ||
242 | if (!contains_pattern) | ||
243 | goto out; | ||
244 | } | ||
245 | return true; | ||
246 | out: | ||
247 | printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function, | ||
248 | original_filename); | ||
249 | return false; | ||
250 | } | ||
251 | |||
252 | /** | ||
253 | * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules. | ||
254 | * @domainname: The domainname to check. | ||
255 | * @function: The name of function calling me. | ||
256 | * | ||
257 | * Returns true if @domainname follows the naming rules, false otherwise. | ||
258 | */ | ||
259 | bool tomoyo_is_correct_domain(const unsigned char *domainname, | ||
260 | const char *function) | ||
261 | { | ||
262 | unsigned char c; | ||
263 | unsigned char d; | ||
264 | unsigned char e; | ||
265 | const char *org_domainname = domainname; | ||
266 | |||
267 | if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME, | ||
268 | TOMOYO_ROOT_NAME_LEN)) | ||
269 | goto out; | ||
270 | domainname += TOMOYO_ROOT_NAME_LEN; | ||
271 | if (!*domainname) | ||
272 | return true; | ||
273 | do { | ||
274 | if (*domainname++ != ' ') | ||
275 | goto out; | ||
276 | if (*domainname++ != '/') | ||
277 | goto out; | ||
278 | while ((c = *domainname) != '\0' && c != ' ') { | ||
279 | domainname++; | ||
280 | if (c == '\\') { | ||
281 | c = *domainname++; | ||
282 | switch ((c)) { | ||
283 | case '\\': /* "\\" */ | ||
284 | continue; | ||
285 | case '0': /* "\ooo" */ | ||
286 | case '1': | ||
287 | case '2': | ||
288 | case '3': | ||
289 | d = *domainname++; | ||
290 | if (d < '0' || d > '7') | ||
291 | break; | ||
292 | e = *domainname++; | ||
293 | if (e < '0' || e > '7') | ||
294 | break; | ||
295 | c = tomoyo_make_byte(c, d, e); | ||
296 | if (tomoyo_is_invalid(c)) | ||
297 | /* pattern is not \000 */ | ||
298 | continue; | ||
299 | } | ||
300 | goto out; | ||
301 | } else if (tomoyo_is_invalid(c)) { | ||
302 | goto out; | ||
303 | } | ||
304 | } | ||
305 | } while (*domainname); | ||
306 | return true; | ||
307 | out: | ||
308 | printk(KERN_DEBUG "%s: Invalid domainname '%s'\n", function, | ||
309 | org_domainname); | ||
310 | return false; | ||
311 | } | ||
312 | |||
313 | /** | ||
314 | * tomoyo_is_domain_def - Check whether the given token can be a domainname. | ||
315 | * | ||
316 | * @buffer: The token to check. | ||
317 | * | ||
318 | * Returns true if @buffer possibly be a domainname, false otherwise. | ||
319 | */ | ||
320 | bool tomoyo_is_domain_def(const unsigned char *buffer) | ||
321 | { | ||
322 | return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN); | ||
323 | } | ||
324 | |||
325 | /** | ||
326 | * tomoyo_find_domain - Find a domain by the given name. | ||
327 | * | ||
328 | * @domainname: The domainname to find. | ||
329 | * | ||
330 | * Caller must call down_read(&tomoyo_domain_list_lock); or | ||
331 | * down_write(&tomoyo_domain_list_lock); . | ||
332 | * | ||
333 | * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise. | ||
334 | */ | ||
335 | struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname) | ||
336 | { | ||
337 | struct tomoyo_domain_info *domain; | ||
338 | struct tomoyo_path_info name; | ||
339 | |||
340 | name.name = domainname; | ||
341 | tomoyo_fill_path_info(&name); | ||
342 | list_for_each_entry(domain, &tomoyo_domain_list, list) { | ||
343 | if (!domain->is_deleted && | ||
344 | !tomoyo_pathcmp(&name, domain->domainname)) | ||
345 | return domain; | ||
346 | } | ||
347 | return NULL; | ||
348 | } | ||
349 | |||
350 | /** | ||
351 | * tomoyo_path_depth - Evaluate the number of '/' in a string. | ||
352 | * | ||
353 | * @pathname: The string to evaluate. | ||
354 | * | ||
355 | * Returns path depth of the string. | ||
356 | * | ||
357 | * I score 2 for each of the '/' in the @pathname | ||
358 | * and score 1 if the @pathname ends with '/'. | ||
359 | */ | ||
360 | static int tomoyo_path_depth(const char *pathname) | ||
361 | { | ||
362 | int i = 0; | ||
363 | |||
364 | if (pathname) { | ||
365 | const char *ep = pathname + strlen(pathname); | ||
366 | if (pathname < ep--) { | ||
367 | if (*ep != '/') | ||
368 | i++; | ||
369 | while (pathname <= ep) | ||
370 | if (*ep-- == '/') | ||
371 | i += 2; | ||
372 | } | ||
373 | } | ||
374 | return i; | ||
375 | } | ||
376 | |||
377 | /** | ||
378 | * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token. | ||
379 | * | ||
380 | * @filename: The string to evaluate. | ||
381 | * | ||
382 | * Returns the initial length without a pattern in @filename. | ||
383 | */ | ||
384 | static int tomoyo_const_part_length(const char *filename) | ||
385 | { | ||
386 | char c; | ||
387 | int len = 0; | ||
388 | |||
389 | if (!filename) | ||
390 | return 0; | ||
391 | while ((c = *filename++) != '\0') { | ||
392 | if (c != '\\') { | ||
393 | len++; | ||
394 | continue; | ||
395 | } | ||
396 | c = *filename++; | ||
397 | switch (c) { | ||
398 | case '\\': /* "\\" */ | ||
399 | len += 2; | ||
400 | continue; | ||
401 | case '0': /* "\ooo" */ | ||
402 | case '1': | ||
403 | case '2': | ||
404 | case '3': | ||
405 | c = *filename++; | ||
406 | if (c < '0' || c > '7') | ||
407 | break; | ||
408 | c = *filename++; | ||
409 | if (c < '0' || c > '7') | ||
410 | break; | ||
411 | len += 4; | ||
412 | continue; | ||
413 | } | ||
414 | break; | ||
415 | } | ||
416 | return len; | ||
417 | } | ||
418 | |||
419 | /** | ||
420 | * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members. | ||
421 | * | ||
422 | * @ptr: Pointer to "struct tomoyo_path_info" to fill in. | ||
423 | * | ||
424 | * The caller sets "struct tomoyo_path_info"->name. | ||
425 | */ | ||
426 | void tomoyo_fill_path_info(struct tomoyo_path_info *ptr) | ||
427 | { | ||
428 | const char *name = ptr->name; | ||
429 | const int len = strlen(name); | ||
430 | |||
431 | ptr->total_len = len; | ||
432 | ptr->const_len = tomoyo_const_part_length(name); | ||
433 | ptr->is_dir = len && (name[len - 1] == '/'); | ||
434 | ptr->is_patterned = (ptr->const_len < len); | ||
435 | ptr->hash = full_name_hash(name, len); | ||
436 | ptr->depth = tomoyo_path_depth(name); | ||
437 | } | ||
438 | |||
439 | /** | ||
440 | * tomoyo_file_matches_to_pattern2 - Pattern matching without '/' character | ||
441 | * and "\-" pattern. | ||
442 | * | ||
443 | * @filename: The start of string to check. | ||
444 | * @filename_end: The end of string to check. | ||
445 | * @pattern: The start of pattern to compare. | ||
446 | * @pattern_end: The end of pattern to compare. | ||
447 | * | ||
448 | * Returns true if @filename matches @pattern, false otherwise. | ||
449 | */ | ||
450 | static bool tomoyo_file_matches_to_pattern2(const char *filename, | ||
451 | const char *filename_end, | ||
452 | const char *pattern, | ||
453 | const char *pattern_end) | ||
454 | { | ||
455 | while (filename < filename_end && pattern < pattern_end) { | ||
456 | char c; | ||
457 | if (*pattern != '\\') { | ||
458 | if (*filename++ != *pattern++) | ||
459 | return false; | ||
460 | continue; | ||
461 | } | ||
462 | c = *filename; | ||
463 | pattern++; | ||
464 | switch (*pattern) { | ||
465 | int i; | ||
466 | int j; | ||
467 | case '?': | ||
468 | if (c == '/') { | ||
469 | return false; | ||
470 | } else if (c == '\\') { | ||
471 | if (filename[1] == '\\') | ||
472 | filename++; | ||
473 | else if (tomoyo_is_byte_range(filename + 1)) | ||
474 | filename += 3; | ||
475 | else | ||
476 | return false; | ||
477 | } | ||
478 | break; | ||
479 | case '\\': | ||
480 | if (c != '\\') | ||
481 | return false; | ||
482 | if (*++filename != '\\') | ||
483 | return false; | ||
484 | break; | ||
485 | case '+': | ||
486 | if (!isdigit(c)) | ||
487 | return false; | ||
488 | break; | ||
489 | case 'x': | ||
490 | if (!isxdigit(c)) | ||
491 | return false; | ||
492 | break; | ||
493 | case 'a': | ||
494 | if (!tomoyo_is_alphabet_char(c)) | ||
495 | return false; | ||
496 | break; | ||
497 | case '0': | ||
498 | case '1': | ||
499 | case '2': | ||
500 | case '3': | ||
501 | if (c == '\\' && tomoyo_is_byte_range(filename + 1) | ||
502 | && strncmp(filename + 1, pattern, 3) == 0) { | ||
503 | filename += 3; | ||
504 | pattern += 2; | ||
505 | break; | ||
506 | } | ||
507 | return false; /* Not matched. */ | ||
508 | case '*': | ||
509 | case '@': | ||
510 | for (i = 0; i <= filename_end - filename; i++) { | ||
511 | if (tomoyo_file_matches_to_pattern2( | ||
512 | filename + i, filename_end, | ||
513 | pattern + 1, pattern_end)) | ||
514 | return true; | ||
515 | c = filename[i]; | ||
516 | if (c == '.' && *pattern == '@') | ||
517 | break; | ||
518 | if (c != '\\') | ||
519 | continue; | ||
520 | if (filename[i + 1] == '\\') | ||
521 | i++; | ||
522 | else if (tomoyo_is_byte_range(filename + i + 1)) | ||
523 | i += 3; | ||
524 | else | ||
525 | break; /* Bad pattern. */ | ||
526 | } | ||
527 | return false; /* Not matched. */ | ||
528 | default: | ||
529 | j = 0; | ||
530 | c = *pattern; | ||
531 | if (c == '$') { | ||
532 | while (isdigit(filename[j])) | ||
533 | j++; | ||
534 | } else if (c == 'X') { | ||
535 | while (isxdigit(filename[j])) | ||
536 | j++; | ||
537 | } else if (c == 'A') { | ||
538 | while (tomoyo_is_alphabet_char(filename[j])) | ||
539 | j++; | ||
540 | } | ||
541 | for (i = 1; i <= j; i++) { | ||
542 | if (tomoyo_file_matches_to_pattern2( | ||
543 | filename + i, filename_end, | ||
544 | pattern + 1, pattern_end)) | ||
545 | return true; | ||
546 | } | ||
547 | return false; /* Not matched or bad pattern. */ | ||
548 | } | ||
549 | filename++; | ||
550 | pattern++; | ||
551 | } | ||
552 | while (*pattern == '\\' && | ||
553 | (*(pattern + 1) == '*' || *(pattern + 1) == '@')) | ||
554 | pattern += 2; | ||
555 | return filename == filename_end && pattern == pattern_end; | ||
556 | } | ||
557 | |||
558 | /** | ||
559 | * tomoyo_file_matches_to_pattern - Pattern matching without without '/' character. | ||
560 | * | ||
561 | * @filename: The start of string to check. | ||
562 | * @filename_end: The end of string to check. | ||
563 | * @pattern: The start of pattern to compare. | ||
564 | * @pattern_end: The end of pattern to compare. | ||
565 | * | ||
566 | * Returns true if @filename matches @pattern, false otherwise. | ||
567 | */ | ||
568 | static bool tomoyo_file_matches_to_pattern(const char *filename, | ||
569 | const char *filename_end, | ||
570 | const char *pattern, | ||
571 | const char *pattern_end) | ||
572 | { | ||
573 | const char *pattern_start = pattern; | ||
574 | bool first = true; | ||
575 | bool result; | ||
576 | |||
577 | while (pattern < pattern_end - 1) { | ||
578 | /* Split at "\-" pattern. */ | ||
579 | if (*pattern++ != '\\' || *pattern++ != '-') | ||
580 | continue; | ||
581 | result = tomoyo_file_matches_to_pattern2(filename, | ||
582 | filename_end, | ||
583 | pattern_start, | ||
584 | pattern - 2); | ||
585 | if (first) | ||
586 | result = !result; | ||
587 | if (result) | ||
588 | return false; | ||
589 | first = false; | ||
590 | pattern_start = pattern; | ||
591 | } | ||
592 | result = tomoyo_file_matches_to_pattern2(filename, filename_end, | ||
593 | pattern_start, pattern_end); | ||
594 | return first ? result : !result; | ||
595 | } | ||
596 | |||
597 | /** | ||
598 | * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern. | ||
599 | * @filename: The filename to check. | ||
600 | * @pattern: The pattern to compare. | ||
601 | * | ||
602 | * Returns true if matches, false otherwise. | ||
603 | * | ||
604 | * The following patterns are available. | ||
605 | * \\ \ itself. | ||
606 | * \ooo Octal representation of a byte. | ||
607 | * \* More than or equals to 0 character other than '/'. | ||
608 | * \@ More than or equals to 0 character other than '/' or '.'. | ||
609 | * \? 1 byte character other than '/'. | ||
610 | * \$ More than or equals to 1 decimal digit. | ||
611 | * \+ 1 decimal digit. | ||
612 | * \X More than or equals to 1 hexadecimal digit. | ||
613 | * \x 1 hexadecimal digit. | ||
614 | * \A More than or equals to 1 alphabet character. | ||
615 | * \a 1 alphabet character. | ||
616 | * \- Subtraction operator. | ||
617 | */ | ||
618 | bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, | ||
619 | const struct tomoyo_path_info *pattern) | ||
620 | { | ||
621 | /* | ||
622 | if (!filename || !pattern) | ||
623 | return false; | ||
624 | */ | ||
625 | const char *f = filename->name; | ||
626 | const char *p = pattern->name; | ||
627 | const int len = pattern->const_len; | ||
628 | |||
629 | /* If @pattern doesn't contain pattern, I can use strcmp(). */ | ||
630 | if (!pattern->is_patterned) | ||
631 | return !tomoyo_pathcmp(filename, pattern); | ||
632 | /* Dont compare if the number of '/' differs. */ | ||
633 | if (filename->depth != pattern->depth) | ||
634 | return false; | ||
635 | /* Compare the initial length without patterns. */ | ||
636 | if (strncmp(f, p, len)) | ||
637 | return false; | ||
638 | f += len; | ||
639 | p += len; | ||
640 | /* Main loop. Compare each directory component. */ | ||
641 | while (*f && *p) { | ||
642 | const char *f_delimiter = strchr(f, '/'); | ||
643 | const char *p_delimiter = strchr(p, '/'); | ||
644 | if (!f_delimiter) | ||
645 | f_delimiter = f + strlen(f); | ||
646 | if (!p_delimiter) | ||
647 | p_delimiter = p + strlen(p); | ||
648 | if (!tomoyo_file_matches_to_pattern(f, f_delimiter, | ||
649 | p, p_delimiter)) | ||
650 | return false; | ||
651 | f = f_delimiter; | ||
652 | if (*f) | ||
653 | f++; | ||
654 | p = p_delimiter; | ||
655 | if (*p) | ||
656 | p++; | ||
657 | } | ||
658 | /* Ignore trailing "\*" and "\@" in @pattern. */ | ||
659 | while (*p == '\\' && | ||
660 | (*(p + 1) == '*' || *(p + 1) == '@')) | ||
661 | p += 2; | ||
662 | return !*f && !*p; | ||
663 | } | ||
664 | |||
665 | /** | ||
666 | * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure. | ||
667 | * | ||
668 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
669 | * @fmt: The printf()'s format string, followed by parameters. | ||
670 | * | ||
671 | * Returns true if output was written, false otherwise. | ||
672 | * | ||
673 | * The snprintf() will truncate, but tomoyo_io_printf() won't. | ||
674 | */ | ||
675 | bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) | ||
676 | { | ||
677 | va_list args; | ||
678 | int len; | ||
679 | int pos = head->read_avail; | ||
680 | int size = head->readbuf_size - pos; | ||
681 | |||
682 | if (size <= 0) | ||
683 | return false; | ||
684 | va_start(args, fmt); | ||
685 | len = vsnprintf(head->read_buf + pos, size, fmt, args); | ||
686 | va_end(args); | ||
687 | if (pos + len >= head->readbuf_size) | ||
688 | return false; | ||
689 | head->read_avail += len; | ||
690 | return true; | ||
691 | } | ||
692 | |||
693 | /** | ||
694 | * tomoyo_get_exe - Get tomoyo_realpath() of current process. | ||
695 | * | ||
696 | * Returns the tomoyo_realpath() of current process on success, NULL otherwise. | ||
697 | * | ||
698 | * This function uses tomoyo_alloc(), so the caller must call tomoyo_free() | ||
699 | * if this function didn't return NULL. | ||
700 | */ | ||
701 | static const char *tomoyo_get_exe(void) | ||
702 | { | ||
703 | struct mm_struct *mm = current->mm; | ||
704 | struct vm_area_struct *vma; | ||
705 | const char *cp = NULL; | ||
706 | |||
707 | if (!mm) | ||
708 | return NULL; | ||
709 | down_read(&mm->mmap_sem); | ||
710 | for (vma = mm->mmap; vma; vma = vma->vm_next) { | ||
711 | if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { | ||
712 | cp = tomoyo_realpath_from_path(&vma->vm_file->f_path); | ||
713 | break; | ||
714 | } | ||
715 | } | ||
716 | up_read(&mm->mmap_sem); | ||
717 | return cp; | ||
718 | } | ||
719 | |||
720 | /** | ||
721 | * tomoyo_get_msg - Get warning message. | ||
722 | * | ||
723 | * @is_enforce: Is it enforcing mode? | ||
724 | * | ||
725 | * Returns "ERROR" or "WARNING". | ||
726 | */ | ||
727 | const char *tomoyo_get_msg(const bool is_enforce) | ||
728 | { | ||
729 | if (is_enforce) | ||
730 | return "ERROR"; | ||
731 | else | ||
732 | return "WARNING"; | ||
733 | } | ||
734 | |||
735 | /** | ||
736 | * tomoyo_check_flags - Check mode for specified functionality. | ||
737 | * | ||
738 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
739 | * @index: The functionality to check mode. | ||
740 | * | ||
741 | * TOMOYO checks only process context. | ||
742 | * This code disables TOMOYO's enforcement in case the function is called from | ||
743 | * interrupt context. | ||
744 | */ | ||
745 | unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, | ||
746 | const u8 index) | ||
747 | { | ||
748 | const u8 profile = domain->profile; | ||
749 | |||
750 | if (WARN_ON(in_interrupt())) | ||
751 | return 0; | ||
752 | return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX | ||
753 | #if TOMOYO_MAX_PROFILES != 256 | ||
754 | && profile < TOMOYO_MAX_PROFILES | ||
755 | #endif | ||
756 | && tomoyo_profile_ptr[profile] ? | ||
757 | tomoyo_profile_ptr[profile]->value[index] : 0; | ||
758 | } | ||
759 | |||
760 | /** | ||
761 | * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode. | ||
762 | * | ||
763 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
764 | * | ||
765 | * Returns true if domain policy violation warning should be printed to | ||
766 | * console. | ||
767 | */ | ||
768 | bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain) | ||
769 | { | ||
770 | return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0; | ||
771 | } | ||
772 | |||
773 | /** | ||
774 | * tomoyo_domain_quota_is_ok - Check for domain's quota. | ||
775 | * | ||
776 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
777 | * | ||
778 | * Returns true if the domain is not exceeded quota, false otherwise. | ||
779 | */ | ||
780 | bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain) | ||
781 | { | ||
782 | unsigned int count = 0; | ||
783 | struct tomoyo_acl_info *ptr; | ||
784 | |||
785 | if (!domain) | ||
786 | return true; | ||
787 | down_read(&tomoyo_domain_acl_info_list_lock); | ||
788 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | ||
789 | if (ptr->type & TOMOYO_ACL_DELETED) | ||
790 | continue; | ||
791 | switch (tomoyo_acl_type2(ptr)) { | ||
792 | struct tomoyo_single_path_acl_record *acl1; | ||
793 | struct tomoyo_double_path_acl_record *acl2; | ||
794 | u16 perm; | ||
795 | case TOMOYO_TYPE_SINGLE_PATH_ACL: | ||
796 | acl1 = container_of(ptr, | ||
797 | struct tomoyo_single_path_acl_record, | ||
798 | head); | ||
799 | perm = acl1->perm; | ||
800 | if (perm & (1 << TOMOYO_TYPE_EXECUTE_ACL)) | ||
801 | count++; | ||
802 | if (perm & | ||
803 | ((1 << TOMOYO_TYPE_READ_ACL) | | ||
804 | (1 << TOMOYO_TYPE_WRITE_ACL))) | ||
805 | count++; | ||
806 | if (perm & (1 << TOMOYO_TYPE_CREATE_ACL)) | ||
807 | count++; | ||
808 | if (perm & (1 << TOMOYO_TYPE_UNLINK_ACL)) | ||
809 | count++; | ||
810 | if (perm & (1 << TOMOYO_TYPE_MKDIR_ACL)) | ||
811 | count++; | ||
812 | if (perm & (1 << TOMOYO_TYPE_RMDIR_ACL)) | ||
813 | count++; | ||
814 | if (perm & (1 << TOMOYO_TYPE_MKFIFO_ACL)) | ||
815 | count++; | ||
816 | if (perm & (1 << TOMOYO_TYPE_MKSOCK_ACL)) | ||
817 | count++; | ||
818 | if (perm & (1 << TOMOYO_TYPE_MKBLOCK_ACL)) | ||
819 | count++; | ||
820 | if (perm & (1 << TOMOYO_TYPE_MKCHAR_ACL)) | ||
821 | count++; | ||
822 | if (perm & (1 << TOMOYO_TYPE_TRUNCATE_ACL)) | ||
823 | count++; | ||
824 | if (perm & (1 << TOMOYO_TYPE_SYMLINK_ACL)) | ||
825 | count++; | ||
826 | if (perm & (1 << TOMOYO_TYPE_REWRITE_ACL)) | ||
827 | count++; | ||
828 | break; | ||
829 | case TOMOYO_TYPE_DOUBLE_PATH_ACL: | ||
830 | acl2 = container_of(ptr, | ||
831 | struct tomoyo_double_path_acl_record, | ||
832 | head); | ||
833 | perm = acl2->perm; | ||
834 | if (perm & (1 << TOMOYO_TYPE_LINK_ACL)) | ||
835 | count++; | ||
836 | if (perm & (1 << TOMOYO_TYPE_RENAME_ACL)) | ||
837 | count++; | ||
838 | break; | ||
839 | } | ||
840 | } | ||
841 | up_read(&tomoyo_domain_acl_info_list_lock); | ||
842 | if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY)) | ||
843 | return true; | ||
844 | if (!domain->quota_warned) { | ||
845 | domain->quota_warned = true; | ||
846 | printk(KERN_WARNING "TOMOYO-WARNING: " | ||
847 | "Domain '%s' has so many ACLs to hold. " | ||
848 | "Stopped learning mode.\n", domain->domainname->name); | ||
849 | } | ||
850 | return false; | ||
851 | } | ||
852 | |||
853 | /** | ||
854 | * tomoyo_find_or_assign_new_profile - Create a new profile. | ||
855 | * | ||
856 | * @profile: Profile number to create. | ||
857 | * | ||
858 | * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. | ||
859 | */ | ||
860 | static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned | ||
861 | int profile) | ||
862 | { | ||
863 | static DEFINE_MUTEX(lock); | ||
864 | struct tomoyo_profile *ptr = NULL; | ||
865 | int i; | ||
866 | |||
867 | if (profile >= TOMOYO_MAX_PROFILES) | ||
868 | return NULL; | ||
869 | /***** EXCLUSIVE SECTION START *****/ | ||
870 | mutex_lock(&lock); | ||
871 | ptr = tomoyo_profile_ptr[profile]; | ||
872 | if (ptr) | ||
873 | goto ok; | ||
874 | ptr = tomoyo_alloc_element(sizeof(*ptr)); | ||
875 | if (!ptr) | ||
876 | goto ok; | ||
877 | for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) | ||
878 | ptr->value[i] = tomoyo_control_array[i].current_value; | ||
879 | mb(); /* Avoid out-of-order execution. */ | ||
880 | tomoyo_profile_ptr[profile] = ptr; | ||
881 | ok: | ||
882 | mutex_unlock(&lock); | ||
883 | /***** EXCLUSIVE SECTION END *****/ | ||
884 | return ptr; | ||
885 | } | ||
886 | |||
887 | /** | ||
888 | * tomoyo_write_profile - Write to profile table. | ||
889 | * | ||
890 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
891 | * | ||
892 | * Returns 0 on success, negative value otherwise. | ||
893 | */ | ||
894 | static int tomoyo_write_profile(struct tomoyo_io_buffer *head) | ||
895 | { | ||
896 | char *data = head->write_buf; | ||
897 | unsigned int i; | ||
898 | unsigned int value; | ||
899 | char *cp; | ||
900 | struct tomoyo_profile *profile; | ||
901 | unsigned long num; | ||
902 | |||
903 | cp = strchr(data, '-'); | ||
904 | if (cp) | ||
905 | *cp = '\0'; | ||
906 | if (strict_strtoul(data, 10, &num)) | ||
907 | return -EINVAL; | ||
908 | if (cp) | ||
909 | data = cp + 1; | ||
910 | profile = tomoyo_find_or_assign_new_profile(num); | ||
911 | if (!profile) | ||
912 | return -EINVAL; | ||
913 | cp = strchr(data, '='); | ||
914 | if (!cp) | ||
915 | return -EINVAL; | ||
916 | *cp = '\0'; | ||
917 | if (!strcmp(data, "COMMENT")) { | ||
918 | profile->comment = tomoyo_save_name(cp + 1); | ||
919 | return 0; | ||
920 | } | ||
921 | for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) { | ||
922 | if (strcmp(data, tomoyo_control_array[i].keyword)) | ||
923 | continue; | ||
924 | if (sscanf(cp + 1, "%u", &value) != 1) { | ||
925 | int j; | ||
926 | const char **modes; | ||
927 | switch (i) { | ||
928 | case TOMOYO_VERBOSE: | ||
929 | modes = tomoyo_mode_2; | ||
930 | break; | ||
931 | default: | ||
932 | modes = tomoyo_mode_4; | ||
933 | break; | ||
934 | } | ||
935 | for (j = 0; j < 4; j++) { | ||
936 | if (strcmp(cp + 1, modes[j])) | ||
937 | continue; | ||
938 | value = j; | ||
939 | break; | ||
940 | } | ||
941 | if (j == 4) | ||
942 | return -EINVAL; | ||
943 | } else if (value > tomoyo_control_array[i].max_value) { | ||
944 | value = tomoyo_control_array[i].max_value; | ||
945 | } | ||
946 | profile->value[i] = value; | ||
947 | return 0; | ||
948 | } | ||
949 | return -EINVAL; | ||
950 | } | ||
951 | |||
952 | /** | ||
953 | * tomoyo_read_profile - Read from profile table. | ||
954 | * | ||
955 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
956 | * | ||
957 | * Returns 0. | ||
958 | */ | ||
959 | static int tomoyo_read_profile(struct tomoyo_io_buffer *head) | ||
960 | { | ||
961 | static const int total = TOMOYO_MAX_CONTROL_INDEX + 1; | ||
962 | int step; | ||
963 | |||
964 | if (head->read_eof) | ||
965 | return 0; | ||
966 | for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total; | ||
967 | step++) { | ||
968 | const u8 index = step / total; | ||
969 | u8 type = step % total; | ||
970 | const struct tomoyo_profile *profile | ||
971 | = tomoyo_profile_ptr[index]; | ||
972 | head->read_step = step; | ||
973 | if (!profile) | ||
974 | continue; | ||
975 | if (!type) { /* Print profile' comment tag. */ | ||
976 | if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n", | ||
977 | index, profile->comment ? | ||
978 | profile->comment->name : "")) | ||
979 | break; | ||
980 | continue; | ||
981 | } | ||
982 | type--; | ||
983 | if (type < TOMOYO_MAX_CONTROL_INDEX) { | ||
984 | const unsigned int value = profile->value[type]; | ||
985 | const char **modes = NULL; | ||
986 | const char *keyword | ||
987 | = tomoyo_control_array[type].keyword; | ||
988 | switch (tomoyo_control_array[type].max_value) { | ||
989 | case 3: | ||
990 | modes = tomoyo_mode_4; | ||
991 | break; | ||
992 | case 1: | ||
993 | modes = tomoyo_mode_2; | ||
994 | break; | ||
995 | } | ||
996 | if (modes) { | ||
997 | if (!tomoyo_io_printf(head, "%u-%s=%s\n", index, | ||
998 | keyword, modes[value])) | ||
999 | break; | ||
1000 | } else { | ||
1001 | if (!tomoyo_io_printf(head, "%u-%s=%u\n", index, | ||
1002 | keyword, value)) | ||
1003 | break; | ||
1004 | } | ||
1005 | } | ||
1006 | } | ||
1007 | if (step == TOMOYO_MAX_PROFILES * total) | ||
1008 | head->read_eof = true; | ||
1009 | return 0; | ||
1010 | } | ||
1011 | |||
1012 | /* Structure for policy manager. */ | ||
1013 | struct tomoyo_policy_manager_entry { | ||
1014 | struct list_head list; | ||
1015 | /* A path to program or a domainname. */ | ||
1016 | const struct tomoyo_path_info *manager; | ||
1017 | bool is_domain; /* True if manager is a domainname. */ | ||
1018 | bool is_deleted; /* True if this entry is deleted. */ | ||
1019 | }; | ||
1020 | |||
1021 | /* The list for "struct tomoyo_policy_manager_entry". */ | ||
1022 | static LIST_HEAD(tomoyo_policy_manager_list); | ||
1023 | static DECLARE_RWSEM(tomoyo_policy_manager_list_lock); | ||
1024 | |||
1025 | /** | ||
1026 | * tomoyo_update_manager_entry - Add a manager entry. | ||
1027 | * | ||
1028 | * @manager: The path to manager or the domainnamme. | ||
1029 | * @is_delete: True if it is a delete request. | ||
1030 | * | ||
1031 | * Returns 0 on success, negative value otherwise. | ||
1032 | */ | ||
1033 | static int tomoyo_update_manager_entry(const char *manager, | ||
1034 | const bool is_delete) | ||
1035 | { | ||
1036 | struct tomoyo_policy_manager_entry *new_entry; | ||
1037 | struct tomoyo_policy_manager_entry *ptr; | ||
1038 | const struct tomoyo_path_info *saved_manager; | ||
1039 | int error = -ENOMEM; | ||
1040 | bool is_domain = false; | ||
1041 | |||
1042 | if (tomoyo_is_domain_def(manager)) { | ||
1043 | if (!tomoyo_is_correct_domain(manager, __func__)) | ||
1044 | return -EINVAL; | ||
1045 | is_domain = true; | ||
1046 | } else { | ||
1047 | if (!tomoyo_is_correct_path(manager, 1, -1, -1, __func__)) | ||
1048 | return -EINVAL; | ||
1049 | } | ||
1050 | saved_manager = tomoyo_save_name(manager); | ||
1051 | if (!saved_manager) | ||
1052 | return -ENOMEM; | ||
1053 | /***** EXCLUSIVE SECTION START *****/ | ||
1054 | down_write(&tomoyo_policy_manager_list_lock); | ||
1055 | list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) { | ||
1056 | if (ptr->manager != saved_manager) | ||
1057 | continue; | ||
1058 | ptr->is_deleted = is_delete; | ||
1059 | error = 0; | ||
1060 | goto out; | ||
1061 | } | ||
1062 | if (is_delete) { | ||
1063 | error = -ENOENT; | ||
1064 | goto out; | ||
1065 | } | ||
1066 | new_entry = tomoyo_alloc_element(sizeof(*new_entry)); | ||
1067 | if (!new_entry) | ||
1068 | goto out; | ||
1069 | new_entry->manager = saved_manager; | ||
1070 | new_entry->is_domain = is_domain; | ||
1071 | list_add_tail(&new_entry->list, &tomoyo_policy_manager_list); | ||
1072 | error = 0; | ||
1073 | out: | ||
1074 | up_write(&tomoyo_policy_manager_list_lock); | ||
1075 | /***** EXCLUSIVE SECTION END *****/ | ||
1076 | return error; | ||
1077 | } | ||
1078 | |||
1079 | /** | ||
1080 | * tomoyo_write_manager_policy - Write manager policy. | ||
1081 | * | ||
1082 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1083 | * | ||
1084 | * Returns 0 on success, negative value otherwise. | ||
1085 | */ | ||
1086 | static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head) | ||
1087 | { | ||
1088 | char *data = head->write_buf; | ||
1089 | bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); | ||
1090 | |||
1091 | if (!strcmp(data, "manage_by_non_root")) { | ||
1092 | tomoyo_manage_by_non_root = !is_delete; | ||
1093 | return 0; | ||
1094 | } | ||
1095 | return tomoyo_update_manager_entry(data, is_delete); | ||
1096 | } | ||
1097 | |||
1098 | /** | ||
1099 | * tomoyo_read_manager_policy - Read manager policy. | ||
1100 | * | ||
1101 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1102 | * | ||
1103 | * Returns 0. | ||
1104 | */ | ||
1105 | static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head) | ||
1106 | { | ||
1107 | struct list_head *pos; | ||
1108 | bool done = true; | ||
1109 | |||
1110 | if (head->read_eof) | ||
1111 | return 0; | ||
1112 | down_read(&tomoyo_policy_manager_list_lock); | ||
1113 | list_for_each_cookie(pos, head->read_var2, | ||
1114 | &tomoyo_policy_manager_list) { | ||
1115 | struct tomoyo_policy_manager_entry *ptr; | ||
1116 | ptr = list_entry(pos, struct tomoyo_policy_manager_entry, | ||
1117 | list); | ||
1118 | if (ptr->is_deleted) | ||
1119 | continue; | ||
1120 | if (!tomoyo_io_printf(head, "%s\n", ptr->manager->name)) { | ||
1121 | done = false; | ||
1122 | break; | ||
1123 | } | ||
1124 | } | ||
1125 | up_read(&tomoyo_policy_manager_list_lock); | ||
1126 | head->read_eof = done; | ||
1127 | return 0; | ||
1128 | } | ||
1129 | |||
1130 | /** | ||
1131 | * tomoyo_is_policy_manager - Check whether the current process is a policy manager. | ||
1132 | * | ||
1133 | * Returns true if the current process is permitted to modify policy | ||
1134 | * via /sys/kernel/security/tomoyo/ interface. | ||
1135 | */ | ||
1136 | static bool tomoyo_is_policy_manager(void) | ||
1137 | { | ||
1138 | struct tomoyo_policy_manager_entry *ptr; | ||
1139 | const char *exe; | ||
1140 | const struct task_struct *task = current; | ||
1141 | const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; | ||
1142 | bool found = false; | ||
1143 | |||
1144 | if (!tomoyo_policy_loaded) | ||
1145 | return true; | ||
1146 | if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) | ||
1147 | return false; | ||
1148 | down_read(&tomoyo_policy_manager_list_lock); | ||
1149 | list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) { | ||
1150 | if (!ptr->is_deleted && ptr->is_domain | ||
1151 | && !tomoyo_pathcmp(domainname, ptr->manager)) { | ||
1152 | found = true; | ||
1153 | break; | ||
1154 | } | ||
1155 | } | ||
1156 | up_read(&tomoyo_policy_manager_list_lock); | ||
1157 | if (found) | ||
1158 | return true; | ||
1159 | exe = tomoyo_get_exe(); | ||
1160 | if (!exe) | ||
1161 | return false; | ||
1162 | down_read(&tomoyo_policy_manager_list_lock); | ||
1163 | list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) { | ||
1164 | if (!ptr->is_deleted && !ptr->is_domain | ||
1165 | && !strcmp(exe, ptr->manager->name)) { | ||
1166 | found = true; | ||
1167 | break; | ||
1168 | } | ||
1169 | } | ||
1170 | up_read(&tomoyo_policy_manager_list_lock); | ||
1171 | if (!found) { /* Reduce error messages. */ | ||
1172 | static pid_t last_pid; | ||
1173 | const pid_t pid = current->pid; | ||
1174 | if (last_pid != pid) { | ||
1175 | printk(KERN_WARNING "%s ( %s ) is not permitted to " | ||
1176 | "update policies.\n", domainname->name, exe); | ||
1177 | last_pid = pid; | ||
1178 | } | ||
1179 | } | ||
1180 | tomoyo_free(exe); | ||
1181 | return found; | ||
1182 | } | ||
1183 | |||
1184 | /** | ||
1185 | * tomoyo_is_select_one - Parse select command. | ||
1186 | * | ||
1187 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1188 | * @data: String to parse. | ||
1189 | * | ||
1190 | * Returns true on success, false otherwise. | ||
1191 | */ | ||
1192 | static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head, | ||
1193 | const char *data) | ||
1194 | { | ||
1195 | unsigned int pid; | ||
1196 | struct tomoyo_domain_info *domain = NULL; | ||
1197 | |||
1198 | if (sscanf(data, "pid=%u", &pid) == 1) { | ||
1199 | struct task_struct *p; | ||
1200 | /***** CRITICAL SECTION START *****/ | ||
1201 | read_lock(&tasklist_lock); | ||
1202 | p = find_task_by_vpid(pid); | ||
1203 | if (p) | ||
1204 | domain = tomoyo_real_domain(p); | ||
1205 | read_unlock(&tasklist_lock); | ||
1206 | /***** CRITICAL SECTION END *****/ | ||
1207 | } else if (!strncmp(data, "domain=", 7)) { | ||
1208 | if (tomoyo_is_domain_def(data + 7)) { | ||
1209 | down_read(&tomoyo_domain_list_lock); | ||
1210 | domain = tomoyo_find_domain(data + 7); | ||
1211 | up_read(&tomoyo_domain_list_lock); | ||
1212 | } | ||
1213 | } else | ||
1214 | return false; | ||
1215 | head->write_var1 = domain; | ||
1216 | /* Accessing read_buf is safe because head->io_sem is held. */ | ||
1217 | if (!head->read_buf) | ||
1218 | return true; /* Do nothing if open(O_WRONLY). */ | ||
1219 | head->read_avail = 0; | ||
1220 | tomoyo_io_printf(head, "# select %s\n", data); | ||
1221 | head->read_single_domain = true; | ||
1222 | head->read_eof = !domain; | ||
1223 | if (domain) { | ||
1224 | struct tomoyo_domain_info *d; | ||
1225 | head->read_var1 = NULL; | ||
1226 | down_read(&tomoyo_domain_list_lock); | ||
1227 | list_for_each_entry(d, &tomoyo_domain_list, list) { | ||
1228 | if (d == domain) | ||
1229 | break; | ||
1230 | head->read_var1 = &d->list; | ||
1231 | } | ||
1232 | up_read(&tomoyo_domain_list_lock); | ||
1233 | head->read_var2 = NULL; | ||
1234 | head->read_bit = 0; | ||
1235 | head->read_step = 0; | ||
1236 | if (domain->is_deleted) | ||
1237 | tomoyo_io_printf(head, "# This is a deleted domain.\n"); | ||
1238 | } | ||
1239 | return true; | ||
1240 | } | ||
1241 | |||
1242 | /** | ||
1243 | * tomoyo_write_domain_policy - Write domain policy. | ||
1244 | * | ||
1245 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1246 | * | ||
1247 | * Returns 0 on success, negative value otherwise. | ||
1248 | */ | ||
1249 | static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head) | ||
1250 | { | ||
1251 | char *data = head->write_buf; | ||
1252 | struct tomoyo_domain_info *domain = head->write_var1; | ||
1253 | bool is_delete = false; | ||
1254 | bool is_select = false; | ||
1255 | bool is_undelete = false; | ||
1256 | unsigned int profile; | ||
1257 | |||
1258 | if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE)) | ||
1259 | is_delete = true; | ||
1260 | else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT)) | ||
1261 | is_select = true; | ||
1262 | else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_UNDELETE)) | ||
1263 | is_undelete = true; | ||
1264 | if (is_select && tomoyo_is_select_one(head, data)) | ||
1265 | return 0; | ||
1266 | /* Don't allow updating policies by non manager programs. */ | ||
1267 | if (!tomoyo_is_policy_manager()) | ||
1268 | return -EPERM; | ||
1269 | if (tomoyo_is_domain_def(data)) { | ||
1270 | domain = NULL; | ||
1271 | if (is_delete) | ||
1272 | tomoyo_delete_domain(data); | ||
1273 | else if (is_select) { | ||
1274 | down_read(&tomoyo_domain_list_lock); | ||
1275 | domain = tomoyo_find_domain(data); | ||
1276 | up_read(&tomoyo_domain_list_lock); | ||
1277 | } else if (is_undelete) | ||
1278 | domain = tomoyo_undelete_domain(data); | ||
1279 | else | ||
1280 | domain = tomoyo_find_or_assign_new_domain(data, 0); | ||
1281 | head->write_var1 = domain; | ||
1282 | return 0; | ||
1283 | } | ||
1284 | if (!domain) | ||
1285 | return -EINVAL; | ||
1286 | |||
1287 | if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1 | ||
1288 | && profile < TOMOYO_MAX_PROFILES) { | ||
1289 | if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded) | ||
1290 | domain->profile = (u8) profile; | ||
1291 | return 0; | ||
1292 | } | ||
1293 | if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) { | ||
1294 | tomoyo_set_domain_flag(domain, is_delete, | ||
1295 | TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ); | ||
1296 | return 0; | ||
1297 | } | ||
1298 | return tomoyo_write_file_policy(data, domain, is_delete); | ||
1299 | } | ||
1300 | |||
1301 | /** | ||
1302 | * tomoyo_print_single_path_acl - Print a single path ACL entry. | ||
1303 | * | ||
1304 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1305 | * @ptr: Pointer to "struct tomoyo_single_path_acl_record". | ||
1306 | * | ||
1307 | * Returns true on success, false otherwise. | ||
1308 | */ | ||
1309 | static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head, | ||
1310 | struct tomoyo_single_path_acl_record * | ||
1311 | ptr) | ||
1312 | { | ||
1313 | int pos; | ||
1314 | u8 bit; | ||
1315 | const char *atmark = ""; | ||
1316 | const char *filename; | ||
1317 | const u16 perm = ptr->perm; | ||
1318 | |||
1319 | filename = ptr->filename->name; | ||
1320 | for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION; | ||
1321 | bit++) { | ||
1322 | const char *msg; | ||
1323 | if (!(perm & (1 << bit))) | ||
1324 | continue; | ||
1325 | /* Print "read/write" instead of "read" and "write". */ | ||
1326 | if ((bit == TOMOYO_TYPE_READ_ACL || | ||
1327 | bit == TOMOYO_TYPE_WRITE_ACL) | ||
1328 | && (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) | ||
1329 | continue; | ||
1330 | msg = tomoyo_sp2keyword(bit); | ||
1331 | pos = head->read_avail; | ||
1332 | if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg, | ||
1333 | atmark, filename)) | ||
1334 | goto out; | ||
1335 | } | ||
1336 | head->read_bit = 0; | ||
1337 | return true; | ||
1338 | out: | ||
1339 | head->read_bit = bit; | ||
1340 | head->read_avail = pos; | ||
1341 | return false; | ||
1342 | } | ||
1343 | |||
1344 | /** | ||
1345 | * tomoyo_print_double_path_acl - Print a double path ACL entry. | ||
1346 | * | ||
1347 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1348 | * @ptr: Pointer to "struct tomoyo_double_path_acl_record". | ||
1349 | * | ||
1350 | * Returns true on success, false otherwise. | ||
1351 | */ | ||
1352 | static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head, | ||
1353 | struct tomoyo_double_path_acl_record * | ||
1354 | ptr) | ||
1355 | { | ||
1356 | int pos; | ||
1357 | const char *atmark1 = ""; | ||
1358 | const char *atmark2 = ""; | ||
1359 | const char *filename1; | ||
1360 | const char *filename2; | ||
1361 | const u8 perm = ptr->perm; | ||
1362 | u8 bit; | ||
1363 | |||
1364 | filename1 = ptr->filename1->name; | ||
1365 | filename2 = ptr->filename2->name; | ||
1366 | for (bit = head->read_bit; bit < TOMOYO_MAX_DOUBLE_PATH_OPERATION; | ||
1367 | bit++) { | ||
1368 | const char *msg; | ||
1369 | if (!(perm & (1 << bit))) | ||
1370 | continue; | ||
1371 | msg = tomoyo_dp2keyword(bit); | ||
1372 | pos = head->read_avail; | ||
1373 | if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg, | ||
1374 | atmark1, filename1, atmark2, filename2)) | ||
1375 | goto out; | ||
1376 | } | ||
1377 | head->read_bit = 0; | ||
1378 | return true; | ||
1379 | out: | ||
1380 | head->read_bit = bit; | ||
1381 | head->read_avail = pos; | ||
1382 | return false; | ||
1383 | } | ||
1384 | |||
1385 | /** | ||
1386 | * tomoyo_print_entry - Print an ACL entry. | ||
1387 | * | ||
1388 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1389 | * @ptr: Pointer to an ACL entry. | ||
1390 | * | ||
1391 | * Returns true on success, false otherwise. | ||
1392 | */ | ||
1393 | static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, | ||
1394 | struct tomoyo_acl_info *ptr) | ||
1395 | { | ||
1396 | const u8 acl_type = tomoyo_acl_type2(ptr); | ||
1397 | |||
1398 | if (acl_type & TOMOYO_ACL_DELETED) | ||
1399 | return true; | ||
1400 | if (acl_type == TOMOYO_TYPE_SINGLE_PATH_ACL) { | ||
1401 | struct tomoyo_single_path_acl_record *acl | ||
1402 | = container_of(ptr, | ||
1403 | struct tomoyo_single_path_acl_record, | ||
1404 | head); | ||
1405 | return tomoyo_print_single_path_acl(head, acl); | ||
1406 | } | ||
1407 | if (acl_type == TOMOYO_TYPE_DOUBLE_PATH_ACL) { | ||
1408 | struct tomoyo_double_path_acl_record *acl | ||
1409 | = container_of(ptr, | ||
1410 | struct tomoyo_double_path_acl_record, | ||
1411 | head); | ||
1412 | return tomoyo_print_double_path_acl(head, acl); | ||
1413 | } | ||
1414 | BUG(); /* This must not happen. */ | ||
1415 | return false; | ||
1416 | } | ||
1417 | |||
1418 | /** | ||
1419 | * tomoyo_read_domain_policy - Read domain policy. | ||
1420 | * | ||
1421 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1422 | * | ||
1423 | * Returns 0. | ||
1424 | */ | ||
1425 | static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head) | ||
1426 | { | ||
1427 | struct list_head *dpos; | ||
1428 | struct list_head *apos; | ||
1429 | bool done = true; | ||
1430 | |||
1431 | if (head->read_eof) | ||
1432 | return 0; | ||
1433 | if (head->read_step == 0) | ||
1434 | head->read_step = 1; | ||
1435 | down_read(&tomoyo_domain_list_lock); | ||
1436 | list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) { | ||
1437 | struct tomoyo_domain_info *domain; | ||
1438 | const char *quota_exceeded = ""; | ||
1439 | const char *transition_failed = ""; | ||
1440 | const char *ignore_global_allow_read = ""; | ||
1441 | domain = list_entry(dpos, struct tomoyo_domain_info, list); | ||
1442 | if (head->read_step != 1) | ||
1443 | goto acl_loop; | ||
1444 | if (domain->is_deleted && !head->read_single_domain) | ||
1445 | continue; | ||
1446 | /* Print domainname and flags. */ | ||
1447 | if (domain->quota_warned) | ||
1448 | quota_exceeded = "quota_exceeded\n"; | ||
1449 | if (domain->flags & TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED) | ||
1450 | transition_failed = "transition_failed\n"; | ||
1451 | if (domain->flags & | ||
1452 | TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) | ||
1453 | ignore_global_allow_read | ||
1454 | = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n"; | ||
1455 | if (!tomoyo_io_printf(head, | ||
1456 | "%s\n" TOMOYO_KEYWORD_USE_PROFILE "%u\n" | ||
1457 | "%s%s%s\n", domain->domainname->name, | ||
1458 | domain->profile, quota_exceeded, | ||
1459 | transition_failed, | ||
1460 | ignore_global_allow_read)) { | ||
1461 | done = false; | ||
1462 | break; | ||
1463 | } | ||
1464 | head->read_step = 2; | ||
1465 | acl_loop: | ||
1466 | if (head->read_step == 3) | ||
1467 | goto tail_mark; | ||
1468 | /* Print ACL entries in the domain. */ | ||
1469 | down_read(&tomoyo_domain_acl_info_list_lock); | ||
1470 | list_for_each_cookie(apos, head->read_var2, | ||
1471 | &domain->acl_info_list) { | ||
1472 | struct tomoyo_acl_info *ptr | ||
1473 | = list_entry(apos, struct tomoyo_acl_info, | ||
1474 | list); | ||
1475 | if (!tomoyo_print_entry(head, ptr)) { | ||
1476 | done = false; | ||
1477 | break; | ||
1478 | } | ||
1479 | } | ||
1480 | up_read(&tomoyo_domain_acl_info_list_lock); | ||
1481 | if (!done) | ||
1482 | break; | ||
1483 | head->read_step = 3; | ||
1484 | tail_mark: | ||
1485 | if (!tomoyo_io_printf(head, "\n")) { | ||
1486 | done = false; | ||
1487 | break; | ||
1488 | } | ||
1489 | head->read_step = 1; | ||
1490 | if (head->read_single_domain) | ||
1491 | break; | ||
1492 | } | ||
1493 | up_read(&tomoyo_domain_list_lock); | ||
1494 | head->read_eof = done; | ||
1495 | return 0; | ||
1496 | } | ||
1497 | |||
1498 | /** | ||
1499 | * tomoyo_write_domain_profile - Assign profile for specified domain. | ||
1500 | * | ||
1501 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1502 | * | ||
1503 | * Returns 0 on success, -EINVAL otherwise. | ||
1504 | * | ||
1505 | * This is equivalent to doing | ||
1506 | * | ||
1507 | * ( echo "select " $domainname; echo "use_profile " $profile ) | | ||
1508 | * /usr/lib/ccs/loadpolicy -d | ||
1509 | */ | ||
1510 | static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head) | ||
1511 | { | ||
1512 | char *data = head->write_buf; | ||
1513 | char *cp = strchr(data, ' '); | ||
1514 | struct tomoyo_domain_info *domain; | ||
1515 | unsigned long profile; | ||
1516 | |||
1517 | if (!cp) | ||
1518 | return -EINVAL; | ||
1519 | *cp = '\0'; | ||
1520 | down_read(&tomoyo_domain_list_lock); | ||
1521 | domain = tomoyo_find_domain(cp + 1); | ||
1522 | up_read(&tomoyo_domain_list_lock); | ||
1523 | if (strict_strtoul(data, 10, &profile)) | ||
1524 | return -EINVAL; | ||
1525 | if (domain && profile < TOMOYO_MAX_PROFILES | ||
1526 | && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)) | ||
1527 | domain->profile = (u8) profile; | ||
1528 | return 0; | ||
1529 | } | ||
1530 | |||
1531 | /** | ||
1532 | * tomoyo_read_domain_profile - Read only domainname and profile. | ||
1533 | * | ||
1534 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1535 | * | ||
1536 | * Returns list of profile number and domainname pairs. | ||
1537 | * | ||
1538 | * This is equivalent to doing | ||
1539 | * | ||
1540 | * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy | | ||
1541 | * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" ) | ||
1542 | * domainname = $0; } else if ( $1 == "use_profile" ) { | ||
1543 | * print $2 " " domainname; domainname = ""; } } ; ' | ||
1544 | */ | ||
1545 | static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head) | ||
1546 | { | ||
1547 | struct list_head *pos; | ||
1548 | bool done = true; | ||
1549 | |||
1550 | if (head->read_eof) | ||
1551 | return 0; | ||
1552 | down_read(&tomoyo_domain_list_lock); | ||
1553 | list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) { | ||
1554 | struct tomoyo_domain_info *domain; | ||
1555 | domain = list_entry(pos, struct tomoyo_domain_info, list); | ||
1556 | if (domain->is_deleted) | ||
1557 | continue; | ||
1558 | if (!tomoyo_io_printf(head, "%u %s\n", domain->profile, | ||
1559 | domain->domainname->name)) { | ||
1560 | done = false; | ||
1561 | break; | ||
1562 | } | ||
1563 | } | ||
1564 | up_read(&tomoyo_domain_list_lock); | ||
1565 | head->read_eof = done; | ||
1566 | return 0; | ||
1567 | } | ||
1568 | |||
1569 | /** | ||
1570 | * tomoyo_write_pid: Specify PID to obtain domainname. | ||
1571 | * | ||
1572 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1573 | * | ||
1574 | * Returns 0. | ||
1575 | */ | ||
1576 | static int tomoyo_write_pid(struct tomoyo_io_buffer *head) | ||
1577 | { | ||
1578 | unsigned long pid; | ||
1579 | /* No error check. */ | ||
1580 | strict_strtoul(head->write_buf, 10, &pid); | ||
1581 | head->read_step = (int) pid; | ||
1582 | head->read_eof = false; | ||
1583 | return 0; | ||
1584 | } | ||
1585 | |||
1586 | /** | ||
1587 | * tomoyo_read_pid - Get domainname of the specified PID. | ||
1588 | * | ||
1589 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1590 | * | ||
1591 | * Returns the domainname which the specified PID is in on success, | ||
1592 | * empty string otherwise. | ||
1593 | * The PID is specified by tomoyo_write_pid() so that the user can obtain | ||
1594 | * using read()/write() interface rather than sysctl() interface. | ||
1595 | */ | ||
1596 | static int tomoyo_read_pid(struct tomoyo_io_buffer *head) | ||
1597 | { | ||
1598 | if (head->read_avail == 0 && !head->read_eof) { | ||
1599 | const int pid = head->read_step; | ||
1600 | struct task_struct *p; | ||
1601 | struct tomoyo_domain_info *domain = NULL; | ||
1602 | /***** CRITICAL SECTION START *****/ | ||
1603 | read_lock(&tasklist_lock); | ||
1604 | p = find_task_by_vpid(pid); | ||
1605 | if (p) | ||
1606 | domain = tomoyo_real_domain(p); | ||
1607 | read_unlock(&tasklist_lock); | ||
1608 | /***** CRITICAL SECTION END *****/ | ||
1609 | if (domain) | ||
1610 | tomoyo_io_printf(head, "%d %u %s", pid, domain->profile, | ||
1611 | domain->domainname->name); | ||
1612 | head->read_eof = true; | ||
1613 | } | ||
1614 | return 0; | ||
1615 | } | ||
1616 | |||
1617 | /** | ||
1618 | * tomoyo_write_exception_policy - Write exception policy. | ||
1619 | * | ||
1620 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1621 | * | ||
1622 | * Returns 0 on success, negative value otherwise. | ||
1623 | */ | ||
1624 | static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head) | ||
1625 | { | ||
1626 | char *data = head->write_buf; | ||
1627 | bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); | ||
1628 | |||
1629 | if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN)) | ||
1630 | return tomoyo_write_domain_keeper_policy(data, false, | ||
1631 | is_delete); | ||
1632 | if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN)) | ||
1633 | return tomoyo_write_domain_keeper_policy(data, true, is_delete); | ||
1634 | if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN)) | ||
1635 | return tomoyo_write_domain_initializer_policy(data, false, | ||
1636 | is_delete); | ||
1637 | if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN)) | ||
1638 | return tomoyo_write_domain_initializer_policy(data, true, | ||
1639 | is_delete); | ||
1640 | if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS)) | ||
1641 | return tomoyo_write_alias_policy(data, is_delete); | ||
1642 | if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ)) | ||
1643 | return tomoyo_write_globally_readable_policy(data, is_delete); | ||
1644 | if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN)) | ||
1645 | return tomoyo_write_pattern_policy(data, is_delete); | ||
1646 | if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE)) | ||
1647 | return tomoyo_write_no_rewrite_policy(data, is_delete); | ||
1648 | return -EINVAL; | ||
1649 | } | ||
1650 | |||
1651 | /** | ||
1652 | * tomoyo_read_exception_policy - Read exception policy. | ||
1653 | * | ||
1654 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1655 | * | ||
1656 | * Returns 0 on success, -EINVAL otherwise. | ||
1657 | */ | ||
1658 | static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head) | ||
1659 | { | ||
1660 | if (!head->read_eof) { | ||
1661 | switch (head->read_step) { | ||
1662 | case 0: | ||
1663 | head->read_var2 = NULL; | ||
1664 | head->read_step = 1; | ||
1665 | case 1: | ||
1666 | if (!tomoyo_read_domain_keeper_policy(head)) | ||
1667 | break; | ||
1668 | head->read_var2 = NULL; | ||
1669 | head->read_step = 2; | ||
1670 | case 2: | ||
1671 | if (!tomoyo_read_globally_readable_policy(head)) | ||
1672 | break; | ||
1673 | head->read_var2 = NULL; | ||
1674 | head->read_step = 3; | ||
1675 | case 3: | ||
1676 | head->read_var2 = NULL; | ||
1677 | head->read_step = 4; | ||
1678 | case 4: | ||
1679 | if (!tomoyo_read_domain_initializer_policy(head)) | ||
1680 | break; | ||
1681 | head->read_var2 = NULL; | ||
1682 | head->read_step = 5; | ||
1683 | case 5: | ||
1684 | if (!tomoyo_read_alias_policy(head)) | ||
1685 | break; | ||
1686 | head->read_var2 = NULL; | ||
1687 | head->read_step = 6; | ||
1688 | case 6: | ||
1689 | head->read_var2 = NULL; | ||
1690 | head->read_step = 7; | ||
1691 | case 7: | ||
1692 | if (!tomoyo_read_file_pattern(head)) | ||
1693 | break; | ||
1694 | head->read_var2 = NULL; | ||
1695 | head->read_step = 8; | ||
1696 | case 8: | ||
1697 | if (!tomoyo_read_no_rewrite_policy(head)) | ||
1698 | break; | ||
1699 | head->read_var2 = NULL; | ||
1700 | head->read_step = 9; | ||
1701 | case 9: | ||
1702 | head->read_eof = true; | ||
1703 | break; | ||
1704 | default: | ||
1705 | return -EINVAL; | ||
1706 | } | ||
1707 | } | ||
1708 | return 0; | ||
1709 | } | ||
1710 | |||
1711 | /* path to policy loader */ | ||
1712 | static const char *tomoyo_loader = "/sbin/tomoyo-init"; | ||
1713 | |||
1714 | /** | ||
1715 | * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists. | ||
1716 | * | ||
1717 | * Returns true if /sbin/tomoyo-init exists, false otherwise. | ||
1718 | */ | ||
1719 | static bool tomoyo_policy_loader_exists(void) | ||
1720 | { | ||
1721 | /* | ||
1722 | * Don't activate MAC if the policy loader doesn't exist. | ||
1723 | * If the initrd includes /sbin/init but real-root-dev has not | ||
1724 | * mounted on / yet, activating MAC will block the system since | ||
1725 | * policies are not loaded yet. | ||
1726 | * Thus, let do_execve() call this function everytime. | ||
1727 | */ | ||
1728 | struct nameidata nd; | ||
1729 | |||
1730 | if (path_lookup(tomoyo_loader, LOOKUP_FOLLOW, &nd)) { | ||
1731 | printk(KERN_INFO "Not activating Mandatory Access Control now " | ||
1732 | "since %s doesn't exist.\n", tomoyo_loader); | ||
1733 | return false; | ||
1734 | } | ||
1735 | path_put(&nd.path); | ||
1736 | return true; | ||
1737 | } | ||
1738 | |||
1739 | /** | ||
1740 | * tomoyo_load_policy - Run external policy loader to load policy. | ||
1741 | * | ||
1742 | * @filename: The program about to start. | ||
1743 | * | ||
1744 | * This function checks whether @filename is /sbin/init , and if so | ||
1745 | * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init | ||
1746 | * and then continues invocation of /sbin/init. | ||
1747 | * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and | ||
1748 | * writes to /sys/kernel/security/tomoyo/ interfaces. | ||
1749 | * | ||
1750 | * Returns nothing. | ||
1751 | */ | ||
1752 | void tomoyo_load_policy(const char *filename) | ||
1753 | { | ||
1754 | char *argv[2]; | ||
1755 | char *envp[3]; | ||
1756 | |||
1757 | if (tomoyo_policy_loaded) | ||
1758 | return; | ||
1759 | /* | ||
1760 | * Check filename is /sbin/init or /sbin/tomoyo-start. | ||
1761 | * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't | ||
1762 | * be passed. | ||
1763 | * You can create /sbin/tomoyo-start by | ||
1764 | * "ln -s /bin/true /sbin/tomoyo-start". | ||
1765 | */ | ||
1766 | if (strcmp(filename, "/sbin/init") && | ||
1767 | strcmp(filename, "/sbin/tomoyo-start")) | ||
1768 | return; | ||
1769 | if (!tomoyo_policy_loader_exists()) | ||
1770 | return; | ||
1771 | |||
1772 | printk(KERN_INFO "Calling %s to load policy. Please wait.\n", | ||
1773 | tomoyo_loader); | ||
1774 | argv[0] = (char *) tomoyo_loader; | ||
1775 | argv[1] = NULL; | ||
1776 | envp[0] = "HOME=/"; | ||
1777 | envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin"; | ||
1778 | envp[2] = NULL; | ||
1779 | call_usermodehelper(argv[0], argv, envp, 1); | ||
1780 | |||
1781 | printk(KERN_INFO "TOMOYO: 2.2.0-pre 2009/02/01\n"); | ||
1782 | printk(KERN_INFO "Mandatory Access Control activated.\n"); | ||
1783 | tomoyo_policy_loaded = true; | ||
1784 | { /* Check all profiles currently assigned to domains are defined. */ | ||
1785 | struct tomoyo_domain_info *domain; | ||
1786 | down_read(&tomoyo_domain_list_lock); | ||
1787 | list_for_each_entry(domain, &tomoyo_domain_list, list) { | ||
1788 | const u8 profile = domain->profile; | ||
1789 | if (tomoyo_profile_ptr[profile]) | ||
1790 | continue; | ||
1791 | panic("Profile %u (used by '%s') not defined.\n", | ||
1792 | profile, domain->domainname->name); | ||
1793 | } | ||
1794 | up_read(&tomoyo_domain_list_lock); | ||
1795 | } | ||
1796 | } | ||
1797 | |||
1798 | /** | ||
1799 | * tomoyo_read_version: Get version. | ||
1800 | * | ||
1801 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1802 | * | ||
1803 | * Returns version information. | ||
1804 | */ | ||
1805 | static int tomoyo_read_version(struct tomoyo_io_buffer *head) | ||
1806 | { | ||
1807 | if (!head->read_eof) { | ||
1808 | tomoyo_io_printf(head, "2.2.0-pre"); | ||
1809 | head->read_eof = true; | ||
1810 | } | ||
1811 | return 0; | ||
1812 | } | ||
1813 | |||
1814 | /** | ||
1815 | * tomoyo_read_self_domain - Get the current process's domainname. | ||
1816 | * | ||
1817 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
1818 | * | ||
1819 | * Returns the current process's domainname. | ||
1820 | */ | ||
1821 | static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head) | ||
1822 | { | ||
1823 | if (!head->read_eof) { | ||
1824 | /* | ||
1825 | * tomoyo_domain()->domainname != NULL | ||
1826 | * because every process belongs to a domain and | ||
1827 | * the domain's name cannot be NULL. | ||
1828 | */ | ||
1829 | tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); | ||
1830 | head->read_eof = true; | ||
1831 | } | ||
1832 | return 0; | ||
1833 | } | ||
1834 | |||
1835 | /** | ||
1836 | * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. | ||
1837 | * | ||
1838 | * @type: Type of interface. | ||
1839 | * @file: Pointer to "struct file". | ||
1840 | * | ||
1841 | * Associates policy handler and returns 0 on success, -ENOMEM otherwise. | ||
1842 | */ | ||
1843 | static int tomoyo_open_control(const u8 type, struct file *file) | ||
1844 | { | ||
1845 | struct tomoyo_io_buffer *head = tomoyo_alloc(sizeof(*head)); | ||
1846 | |||
1847 | if (!head) | ||
1848 | return -ENOMEM; | ||
1849 | mutex_init(&head->io_sem); | ||
1850 | switch (type) { | ||
1851 | case TOMOYO_DOMAINPOLICY: | ||
1852 | /* /sys/kernel/security/tomoyo/domain_policy */ | ||
1853 | head->write = tomoyo_write_domain_policy; | ||
1854 | head->read = tomoyo_read_domain_policy; | ||
1855 | break; | ||
1856 | case TOMOYO_EXCEPTIONPOLICY: | ||
1857 | /* /sys/kernel/security/tomoyo/exception_policy */ | ||
1858 | head->write = tomoyo_write_exception_policy; | ||
1859 | head->read = tomoyo_read_exception_policy; | ||
1860 | break; | ||
1861 | case TOMOYO_SELFDOMAIN: | ||
1862 | /* /sys/kernel/security/tomoyo/self_domain */ | ||
1863 | head->read = tomoyo_read_self_domain; | ||
1864 | break; | ||
1865 | case TOMOYO_DOMAIN_STATUS: | ||
1866 | /* /sys/kernel/security/tomoyo/.domain_status */ | ||
1867 | head->write = tomoyo_write_domain_profile; | ||
1868 | head->read = tomoyo_read_domain_profile; | ||
1869 | break; | ||
1870 | case TOMOYO_PROCESS_STATUS: | ||
1871 | /* /sys/kernel/security/tomoyo/.process_status */ | ||
1872 | head->write = tomoyo_write_pid; | ||
1873 | head->read = tomoyo_read_pid; | ||
1874 | break; | ||
1875 | case TOMOYO_VERSION: | ||
1876 | /* /sys/kernel/security/tomoyo/version */ | ||
1877 | head->read = tomoyo_read_version; | ||
1878 | head->readbuf_size = 128; | ||
1879 | break; | ||
1880 | case TOMOYO_MEMINFO: | ||
1881 | /* /sys/kernel/security/tomoyo/meminfo */ | ||
1882 | head->write = tomoyo_write_memory_quota; | ||
1883 | head->read = tomoyo_read_memory_counter; | ||
1884 | head->readbuf_size = 512; | ||
1885 | break; | ||
1886 | case TOMOYO_PROFILE: | ||
1887 | /* /sys/kernel/security/tomoyo/profile */ | ||
1888 | head->write = tomoyo_write_profile; | ||
1889 | head->read = tomoyo_read_profile; | ||
1890 | break; | ||
1891 | case TOMOYO_MANAGER: | ||
1892 | /* /sys/kernel/security/tomoyo/manager */ | ||
1893 | head->write = tomoyo_write_manager_policy; | ||
1894 | head->read = tomoyo_read_manager_policy; | ||
1895 | break; | ||
1896 | } | ||
1897 | if (!(file->f_mode & FMODE_READ)) { | ||
1898 | /* | ||
1899 | * No need to allocate read_buf since it is not opened | ||
1900 | * for reading. | ||
1901 | */ | ||
1902 | head->read = NULL; | ||
1903 | } else { | ||
1904 | if (!head->readbuf_size) | ||
1905 | head->readbuf_size = 4096 * 2; | ||
1906 | head->read_buf = tomoyo_alloc(head->readbuf_size); | ||
1907 | if (!head->read_buf) { | ||
1908 | tomoyo_free(head); | ||
1909 | return -ENOMEM; | ||
1910 | } | ||
1911 | } | ||
1912 | if (!(file->f_mode & FMODE_WRITE)) { | ||
1913 | /* | ||
1914 | * No need to allocate write_buf since it is not opened | ||
1915 | * for writing. | ||
1916 | */ | ||
1917 | head->write = NULL; | ||
1918 | } else if (head->write) { | ||
1919 | head->writebuf_size = 4096 * 2; | ||
1920 | head->write_buf = tomoyo_alloc(head->writebuf_size); | ||
1921 | if (!head->write_buf) { | ||
1922 | tomoyo_free(head->read_buf); | ||
1923 | tomoyo_free(head); | ||
1924 | return -ENOMEM; | ||
1925 | } | ||
1926 | } | ||
1927 | file->private_data = head; | ||
1928 | /* | ||
1929 | * Call the handler now if the file is | ||
1930 | * /sys/kernel/security/tomoyo/self_domain | ||
1931 | * so that the user can use | ||
1932 | * cat < /sys/kernel/security/tomoyo/self_domain" | ||
1933 | * to know the current process's domainname. | ||
1934 | */ | ||
1935 | if (type == TOMOYO_SELFDOMAIN) | ||
1936 | tomoyo_read_control(file, NULL, 0); | ||
1937 | return 0; | ||
1938 | } | ||
1939 | |||
1940 | /** | ||
1941 | * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. | ||
1942 | * | ||
1943 | * @file: Pointer to "struct file". | ||
1944 | * @buffer: Poiner to buffer to write to. | ||
1945 | * @buffer_len: Size of @buffer. | ||
1946 | * | ||
1947 | * Returns bytes read on success, negative value otherwise. | ||
1948 | */ | ||
1949 | static int tomoyo_read_control(struct file *file, char __user *buffer, | ||
1950 | const int buffer_len) | ||
1951 | { | ||
1952 | int len = 0; | ||
1953 | struct tomoyo_io_buffer *head = file->private_data; | ||
1954 | char *cp; | ||
1955 | |||
1956 | if (!head->read) | ||
1957 | return -ENOSYS; | ||
1958 | if (mutex_lock_interruptible(&head->io_sem)) | ||
1959 | return -EINTR; | ||
1960 | /* Call the policy handler. */ | ||
1961 | len = head->read(head); | ||
1962 | if (len < 0) | ||
1963 | goto out; | ||
1964 | /* Write to buffer. */ | ||
1965 | len = head->read_avail; | ||
1966 | if (len > buffer_len) | ||
1967 | len = buffer_len; | ||
1968 | if (!len) | ||
1969 | goto out; | ||
1970 | /* head->read_buf changes by some functions. */ | ||
1971 | cp = head->read_buf; | ||
1972 | if (copy_to_user(buffer, cp, len)) { | ||
1973 | len = -EFAULT; | ||
1974 | goto out; | ||
1975 | } | ||
1976 | head->read_avail -= len; | ||
1977 | memmove(cp, cp + len, head->read_avail); | ||
1978 | out: | ||
1979 | mutex_unlock(&head->io_sem); | ||
1980 | return len; | ||
1981 | } | ||
1982 | |||
1983 | /** | ||
1984 | * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. | ||
1985 | * | ||
1986 | * @file: Pointer to "struct file". | ||
1987 | * @buffer: Pointer to buffer to read from. | ||
1988 | * @buffer_len: Size of @buffer. | ||
1989 | * | ||
1990 | * Returns @buffer_len on success, negative value otherwise. | ||
1991 | */ | ||
1992 | static int tomoyo_write_control(struct file *file, const char __user *buffer, | ||
1993 | const int buffer_len) | ||
1994 | { | ||
1995 | struct tomoyo_io_buffer *head = file->private_data; | ||
1996 | int error = buffer_len; | ||
1997 | int avail_len = buffer_len; | ||
1998 | char *cp0 = head->write_buf; | ||
1999 | |||
2000 | if (!head->write) | ||
2001 | return -ENOSYS; | ||
2002 | if (!access_ok(VERIFY_READ, buffer, buffer_len)) | ||
2003 | return -EFAULT; | ||
2004 | /* Don't allow updating policies by non manager programs. */ | ||
2005 | if (head->write != tomoyo_write_pid && | ||
2006 | head->write != tomoyo_write_domain_policy && | ||
2007 | !tomoyo_is_policy_manager()) | ||
2008 | return -EPERM; | ||
2009 | if (mutex_lock_interruptible(&head->io_sem)) | ||
2010 | return -EINTR; | ||
2011 | /* Read a line and dispatch it to the policy handler. */ | ||
2012 | while (avail_len > 0) { | ||
2013 | char c; | ||
2014 | if (head->write_avail >= head->writebuf_size - 1) { | ||
2015 | error = -ENOMEM; | ||
2016 | break; | ||
2017 | } else if (get_user(c, buffer)) { | ||
2018 | error = -EFAULT; | ||
2019 | break; | ||
2020 | } | ||
2021 | buffer++; | ||
2022 | avail_len--; | ||
2023 | cp0[head->write_avail++] = c; | ||
2024 | if (c != '\n') | ||
2025 | continue; | ||
2026 | cp0[head->write_avail - 1] = '\0'; | ||
2027 | head->write_avail = 0; | ||
2028 | tomoyo_normalize_line(cp0); | ||
2029 | head->write(head); | ||
2030 | } | ||
2031 | mutex_unlock(&head->io_sem); | ||
2032 | return error; | ||
2033 | } | ||
2034 | |||
2035 | /** | ||
2036 | * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. | ||
2037 | * | ||
2038 | * @file: Pointer to "struct file". | ||
2039 | * | ||
2040 | * Releases memory and returns 0. | ||
2041 | */ | ||
2042 | static int tomoyo_close_control(struct file *file) | ||
2043 | { | ||
2044 | struct tomoyo_io_buffer *head = file->private_data; | ||
2045 | |||
2046 | /* Release memory used for policy I/O. */ | ||
2047 | tomoyo_free(head->read_buf); | ||
2048 | head->read_buf = NULL; | ||
2049 | tomoyo_free(head->write_buf); | ||
2050 | head->write_buf = NULL; | ||
2051 | tomoyo_free(head); | ||
2052 | head = NULL; | ||
2053 | file->private_data = NULL; | ||
2054 | return 0; | ||
2055 | } | ||
2056 | |||
2057 | /** | ||
2058 | * tomoyo_alloc_acl_element - Allocate permanent memory for ACL entry. | ||
2059 | * | ||
2060 | * @acl_type: Type of ACL entry. | ||
2061 | * | ||
2062 | * Returns pointer to the ACL entry on success, NULL otherwise. | ||
2063 | */ | ||
2064 | void *tomoyo_alloc_acl_element(const u8 acl_type) | ||
2065 | { | ||
2066 | int len; | ||
2067 | struct tomoyo_acl_info *ptr; | ||
2068 | |||
2069 | switch (acl_type) { | ||
2070 | case TOMOYO_TYPE_SINGLE_PATH_ACL: | ||
2071 | len = sizeof(struct tomoyo_single_path_acl_record); | ||
2072 | break; | ||
2073 | case TOMOYO_TYPE_DOUBLE_PATH_ACL: | ||
2074 | len = sizeof(struct tomoyo_double_path_acl_record); | ||
2075 | break; | ||
2076 | default: | ||
2077 | return NULL; | ||
2078 | } | ||
2079 | ptr = tomoyo_alloc_element(len); | ||
2080 | if (!ptr) | ||
2081 | return NULL; | ||
2082 | ptr->type = acl_type; | ||
2083 | return ptr; | ||
2084 | } | ||
2085 | |||
2086 | /** | ||
2087 | * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface. | ||
2088 | * | ||
2089 | * @inode: Pointer to "struct inode". | ||
2090 | * @file: Pointer to "struct file". | ||
2091 | * | ||
2092 | * Returns 0 on success, negative value otherwise. | ||
2093 | */ | ||
2094 | static int tomoyo_open(struct inode *inode, struct file *file) | ||
2095 | { | ||
2096 | const int key = ((u8 *) file->f_path.dentry->d_inode->i_private) | ||
2097 | - ((u8 *) NULL); | ||
2098 | return tomoyo_open_control(key, file); | ||
2099 | } | ||
2100 | |||
2101 | /** | ||
2102 | * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface. | ||
2103 | * | ||
2104 | * @inode: Pointer to "struct inode". | ||
2105 | * @file: Pointer to "struct file". | ||
2106 | * | ||
2107 | * Returns 0 on success, negative value otherwise. | ||
2108 | */ | ||
2109 | static int tomoyo_release(struct inode *inode, struct file *file) | ||
2110 | { | ||
2111 | return tomoyo_close_control(file); | ||
2112 | } | ||
2113 | |||
2114 | /** | ||
2115 | * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface. | ||
2116 | * | ||
2117 | * @file: Pointer to "struct file". | ||
2118 | * @buf: Pointer to buffer. | ||
2119 | * @count: Size of @buf. | ||
2120 | * @ppos: Unused. | ||
2121 | * | ||
2122 | * Returns bytes read on success, negative value otherwise. | ||
2123 | */ | ||
2124 | static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count, | ||
2125 | loff_t *ppos) | ||
2126 | { | ||
2127 | return tomoyo_read_control(file, buf, count); | ||
2128 | } | ||
2129 | |||
2130 | /** | ||
2131 | * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface. | ||
2132 | * | ||
2133 | * @file: Pointer to "struct file". | ||
2134 | * @buf: Pointer to buffer. | ||
2135 | * @count: Size of @buf. | ||
2136 | * @ppos: Unused. | ||
2137 | * | ||
2138 | * Returns @count on success, negative value otherwise. | ||
2139 | */ | ||
2140 | static ssize_t tomoyo_write(struct file *file, const char __user *buf, | ||
2141 | size_t count, loff_t *ppos) | ||
2142 | { | ||
2143 | return tomoyo_write_control(file, buf, count); | ||
2144 | } | ||
2145 | |||
2146 | /* Operations for /sys/kernel/security/tomoyo/ interface. */ | ||
2147 | static const struct file_operations tomoyo_operations = { | ||
2148 | .open = tomoyo_open, | ||
2149 | .release = tomoyo_release, | ||
2150 | .read = tomoyo_read, | ||
2151 | .write = tomoyo_write, | ||
2152 | }; | ||
2153 | |||
2154 | /** | ||
2155 | * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory. | ||
2156 | * | ||
2157 | * @name: The name of the interface file. | ||
2158 | * @mode: The permission of the interface file. | ||
2159 | * @parent: The parent directory. | ||
2160 | * @key: Type of interface. | ||
2161 | * | ||
2162 | * Returns nothing. | ||
2163 | */ | ||
2164 | static void __init tomoyo_create_entry(const char *name, const mode_t mode, | ||
2165 | struct dentry *parent, const u8 key) | ||
2166 | { | ||
2167 | securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key, | ||
2168 | &tomoyo_operations); | ||
2169 | } | ||
2170 | |||
2171 | /** | ||
2172 | * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface. | ||
2173 | * | ||
2174 | * Returns 0. | ||
2175 | */ | ||
2176 | static int __init tomoyo_initerface_init(void) | ||
2177 | { | ||
2178 | struct dentry *tomoyo_dir; | ||
2179 | |||
2180 | /* Don't create securityfs entries unless registered. */ | ||
2181 | if (current_cred()->security != &tomoyo_kernel_domain) | ||
2182 | return 0; | ||
2183 | |||
2184 | tomoyo_dir = securityfs_create_dir("tomoyo", NULL); | ||
2185 | tomoyo_create_entry("domain_policy", 0600, tomoyo_dir, | ||
2186 | TOMOYO_DOMAINPOLICY); | ||
2187 | tomoyo_create_entry("exception_policy", 0600, tomoyo_dir, | ||
2188 | TOMOYO_EXCEPTIONPOLICY); | ||
2189 | tomoyo_create_entry("self_domain", 0400, tomoyo_dir, | ||
2190 | TOMOYO_SELFDOMAIN); | ||
2191 | tomoyo_create_entry(".domain_status", 0600, tomoyo_dir, | ||
2192 | TOMOYO_DOMAIN_STATUS); | ||
2193 | tomoyo_create_entry(".process_status", 0600, tomoyo_dir, | ||
2194 | TOMOYO_PROCESS_STATUS); | ||
2195 | tomoyo_create_entry("meminfo", 0600, tomoyo_dir, | ||
2196 | TOMOYO_MEMINFO); | ||
2197 | tomoyo_create_entry("profile", 0600, tomoyo_dir, | ||
2198 | TOMOYO_PROFILE); | ||
2199 | tomoyo_create_entry("manager", 0600, tomoyo_dir, | ||
2200 | TOMOYO_MANAGER); | ||
2201 | tomoyo_create_entry("version", 0400, tomoyo_dir, | ||
2202 | TOMOYO_VERSION); | ||
2203 | return 0; | ||
2204 | } | ||
2205 | |||
2206 | fs_initcall(tomoyo_initerface_init); | ||
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h new file mode 100644 index 000000000000..6dcb7cc0ed1d --- /dev/null +++ b/security/tomoyo/common.h | |||
@@ -0,0 +1,359 @@ | |||
1 | /* | ||
2 | * security/tomoyo/common.h | ||
3 | * | ||
4 | * Common functions for TOMOYO. | ||
5 | * | ||
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | ||
7 | * | ||
8 | * Version: 2.2.0-pre 2009/02/01 | ||
9 | * | ||
10 | */ | ||
11 | |||
12 | #ifndef _SECURITY_TOMOYO_COMMON_H | ||
13 | #define _SECURITY_TOMOYO_COMMON_H | ||
14 | |||
15 | #include <linux/ctype.h> | ||
16 | #include <linux/string.h> | ||
17 | #include <linux/mm.h> | ||
18 | #include <linux/file.h> | ||
19 | #include <linux/kmod.h> | ||
20 | #include <linux/fs.h> | ||
21 | #include <linux/sched.h> | ||
22 | #include <linux/namei.h> | ||
23 | #include <linux/mount.h> | ||
24 | #include <linux/list.h> | ||
25 | |||
26 | struct dentry; | ||
27 | struct vfsmount; | ||
28 | |||
29 | /* Temporary buffer for holding pathnames. */ | ||
30 | struct tomoyo_page_buffer { | ||
31 | char buffer[4096]; | ||
32 | }; | ||
33 | |||
34 | /* Structure for holding a token. */ | ||
35 | struct tomoyo_path_info { | ||
36 | const char *name; | ||
37 | u32 hash; /* = full_name_hash(name, strlen(name)) */ | ||
38 | u16 total_len; /* = strlen(name) */ | ||
39 | u16 const_len; /* = tomoyo_const_part_length(name) */ | ||
40 | bool is_dir; /* = tomoyo_strendswith(name, "/") */ | ||
41 | bool is_patterned; /* = tomoyo_path_contains_pattern(name) */ | ||
42 | u16 depth; /* = tomoyo_path_depth(name) */ | ||
43 | }; | ||
44 | |||
45 | /* | ||
46 | * This is the max length of a token. | ||
47 | * | ||
48 | * A token consists of only ASCII printable characters. | ||
49 | * Non printable characters in a token is represented in \ooo style | ||
50 | * octal string. Thus, \ itself is represented as \\. | ||
51 | */ | ||
52 | #define TOMOYO_MAX_PATHNAME_LEN 4000 | ||
53 | |||
54 | /* Structure for holding requested pathname. */ | ||
55 | struct tomoyo_path_info_with_data { | ||
56 | /* Keep "head" first, for this pointer is passed to tomoyo_free(). */ | ||
57 | struct tomoyo_path_info head; | ||
58 | char bariier1[16]; /* Safeguard for overrun. */ | ||
59 | char body[TOMOYO_MAX_PATHNAME_LEN]; | ||
60 | char barrier2[16]; /* Safeguard for overrun. */ | ||
61 | }; | ||
62 | |||
63 | /* | ||
64 | * Common header for holding ACL entries. | ||
65 | * | ||
66 | * Packing "struct tomoyo_acl_info" allows | ||
67 | * "struct tomoyo_single_path_acl_record" to embed "u16" and | ||
68 | * "struct tomoyo_double_path_acl_record" to embed "u8" | ||
69 | * without enlarging their structure size. | ||
70 | */ | ||
71 | struct tomoyo_acl_info { | ||
72 | struct list_head list; | ||
73 | /* | ||
74 | * Type of this ACL entry. | ||
75 | * | ||
76 | * MSB is is_deleted flag. | ||
77 | */ | ||
78 | u8 type; | ||
79 | } __packed; | ||
80 | |||
81 | /* This ACL entry is deleted. */ | ||
82 | #define TOMOYO_ACL_DELETED 0x80 | ||
83 | |||
84 | /* Structure for domain information. */ | ||
85 | struct tomoyo_domain_info { | ||
86 | struct list_head list; | ||
87 | struct list_head acl_info_list; | ||
88 | /* Name of this domain. Never NULL. */ | ||
89 | const struct tomoyo_path_info *domainname; | ||
90 | u8 profile; /* Profile number to use. */ | ||
91 | u8 is_deleted; /* Delete flag. | ||
92 | 0 = active. | ||
93 | 1 = deleted but undeletable. | ||
94 | 255 = deleted and no longer undeletable. */ | ||
95 | bool quota_warned; /* Quota warnning flag. */ | ||
96 | /* DOMAIN_FLAGS_*. Use tomoyo_set_domain_flag() to modify. */ | ||
97 | u8 flags; | ||
98 | }; | ||
99 | |||
100 | /* Profile number is an integer between 0 and 255. */ | ||
101 | #define TOMOYO_MAX_PROFILES 256 | ||
102 | |||
103 | /* Ignore "allow_read" directive in exception policy. */ | ||
104 | #define TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ 1 | ||
105 | /* | ||
106 | * This domain was unable to create a new domain at tomoyo_find_next_domain() | ||
107 | * because the name of the domain to be created was too long or | ||
108 | * it could not allocate memory. | ||
109 | * More than one process continued execve() without domain transition. | ||
110 | */ | ||
111 | #define TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED 2 | ||
112 | |||
113 | /* | ||
114 | * Structure for "allow_read/write", "allow_execute", "allow_read", | ||
115 | * "allow_write", "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir", | ||
116 | * "allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar", | ||
117 | * "allow_truncate", "allow_symlink" and "allow_rewrite" directive. | ||
118 | */ | ||
119 | struct tomoyo_single_path_acl_record { | ||
120 | struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_SINGLE_PATH_ACL */ | ||
121 | u16 perm; | ||
122 | /* Pointer to single pathname. */ | ||
123 | const struct tomoyo_path_info *filename; | ||
124 | }; | ||
125 | |||
126 | /* Structure for "allow_rename" and "allow_link" directive. */ | ||
127 | struct tomoyo_double_path_acl_record { | ||
128 | struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_DOUBLE_PATH_ACL */ | ||
129 | u8 perm; | ||
130 | /* Pointer to single pathname. */ | ||
131 | const struct tomoyo_path_info *filename1; | ||
132 | /* Pointer to single pathname. */ | ||
133 | const struct tomoyo_path_info *filename2; | ||
134 | }; | ||
135 | |||
136 | /* Keywords for ACLs. */ | ||
137 | #define TOMOYO_KEYWORD_ALIAS "alias " | ||
138 | #define TOMOYO_KEYWORD_ALLOW_READ "allow_read " | ||
139 | #define TOMOYO_KEYWORD_DELETE "delete " | ||
140 | #define TOMOYO_KEYWORD_DENY_REWRITE "deny_rewrite " | ||
141 | #define TOMOYO_KEYWORD_FILE_PATTERN "file_pattern " | ||
142 | #define TOMOYO_KEYWORD_INITIALIZE_DOMAIN "initialize_domain " | ||
143 | #define TOMOYO_KEYWORD_KEEP_DOMAIN "keep_domain " | ||
144 | #define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain " | ||
145 | #define TOMOYO_KEYWORD_NO_KEEP_DOMAIN "no_keep_domain " | ||
146 | #define TOMOYO_KEYWORD_SELECT "select " | ||
147 | #define TOMOYO_KEYWORD_UNDELETE "undelete " | ||
148 | #define TOMOYO_KEYWORD_USE_PROFILE "use_profile " | ||
149 | #define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read" | ||
150 | /* A domain definition starts with <kernel>. */ | ||
151 | #define TOMOYO_ROOT_NAME "<kernel>" | ||
152 | #define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1) | ||
153 | |||
154 | /* Index numbers for Access Controls. */ | ||
155 | #define TOMOYO_MAC_FOR_FILE 0 /* domain_policy.conf */ | ||
156 | #define TOMOYO_MAX_ACCEPT_ENTRY 1 | ||
157 | #define TOMOYO_VERBOSE 2 | ||
158 | #define TOMOYO_MAX_CONTROL_INDEX 3 | ||
159 | |||
160 | /* Structure for reading/writing policy via securityfs interfaces. */ | ||
161 | struct tomoyo_io_buffer { | ||
162 | int (*read) (struct tomoyo_io_buffer *); | ||
163 | int (*write) (struct tomoyo_io_buffer *); | ||
164 | /* Exclusive lock for this structure. */ | ||
165 | struct mutex io_sem; | ||
166 | /* The position currently reading from. */ | ||
167 | struct list_head *read_var1; | ||
168 | /* Extra variables for reading. */ | ||
169 | struct list_head *read_var2; | ||
170 | /* The position currently writing to. */ | ||
171 | struct tomoyo_domain_info *write_var1; | ||
172 | /* The step for reading. */ | ||
173 | int read_step; | ||
174 | /* Buffer for reading. */ | ||
175 | char *read_buf; | ||
176 | /* EOF flag for reading. */ | ||
177 | bool read_eof; | ||
178 | /* Read domain ACL of specified PID? */ | ||
179 | bool read_single_domain; | ||
180 | /* Extra variable for reading. */ | ||
181 | u8 read_bit; | ||
182 | /* Bytes available for reading. */ | ||
183 | int read_avail; | ||
184 | /* Size of read buffer. */ | ||
185 | int readbuf_size; | ||
186 | /* Buffer for writing. */ | ||
187 | char *write_buf; | ||
188 | /* Bytes available for writing. */ | ||
189 | int write_avail; | ||
190 | /* Size of write buffer. */ | ||
191 | int writebuf_size; | ||
192 | }; | ||
193 | |||
194 | /* Check whether the domain has too many ACL entries to hold. */ | ||
195 | bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain); | ||
196 | /* Transactional sprintf() for policy dump. */ | ||
197 | bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) | ||
198 | __attribute__ ((format(printf, 2, 3))); | ||
199 | /* Check whether the domainname is correct. */ | ||
200 | bool tomoyo_is_correct_domain(const unsigned char *domainname, | ||
201 | const char *function); | ||
202 | /* Check whether the token is correct. */ | ||
203 | bool tomoyo_is_correct_path(const char *filename, const s8 start_type, | ||
204 | const s8 pattern_type, const s8 end_type, | ||
205 | const char *function); | ||
206 | /* Check whether the token can be a domainname. */ | ||
207 | bool tomoyo_is_domain_def(const unsigned char *buffer); | ||
208 | /* Check whether the given filename matches the given pattern. */ | ||
209 | bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, | ||
210 | const struct tomoyo_path_info *pattern); | ||
211 | /* Read "alias" entry in exception policy. */ | ||
212 | bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head); | ||
213 | /* | ||
214 | * Read "initialize_domain" and "no_initialize_domain" entry | ||
215 | * in exception policy. | ||
216 | */ | ||
217 | bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head); | ||
218 | /* Read "keep_domain" and "no_keep_domain" entry in exception policy. */ | ||
219 | bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head); | ||
220 | /* Read "file_pattern" entry in exception policy. */ | ||
221 | bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head); | ||
222 | /* Read "allow_read" entry in exception policy. */ | ||
223 | bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head); | ||
224 | /* Read "deny_rewrite" entry in exception policy. */ | ||
225 | bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head); | ||
226 | /* Write domain policy violation warning message to console? */ | ||
227 | bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain); | ||
228 | /* Convert double path operation to operation name. */ | ||
229 | const char *tomoyo_dp2keyword(const u8 operation); | ||
230 | /* Get the last component of the given domainname. */ | ||
231 | const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain); | ||
232 | /* Get warning message. */ | ||
233 | const char *tomoyo_get_msg(const bool is_enforce); | ||
234 | /* Convert single path operation to operation name. */ | ||
235 | const char *tomoyo_sp2keyword(const u8 operation); | ||
236 | /* Delete a domain. */ | ||
237 | int tomoyo_delete_domain(char *data); | ||
238 | /* Create "alias" entry in exception policy. */ | ||
239 | int tomoyo_write_alias_policy(char *data, const bool is_delete); | ||
240 | /* | ||
241 | * Create "initialize_domain" and "no_initialize_domain" entry | ||
242 | * in exception policy. | ||
243 | */ | ||
244 | int tomoyo_write_domain_initializer_policy(char *data, const bool is_not, | ||
245 | const bool is_delete); | ||
246 | /* Create "keep_domain" and "no_keep_domain" entry in exception policy. */ | ||
247 | int tomoyo_write_domain_keeper_policy(char *data, const bool is_not, | ||
248 | const bool is_delete); | ||
249 | /* | ||
250 | * Create "allow_read/write", "allow_execute", "allow_read", "allow_write", | ||
251 | * "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir", | ||
252 | * "allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar", | ||
253 | * "allow_truncate", "allow_symlink", "allow_rewrite", "allow_rename" and | ||
254 | * "allow_link" entry in domain policy. | ||
255 | */ | ||
256 | int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, | ||
257 | const bool is_delete); | ||
258 | /* Create "allow_read" entry in exception policy. */ | ||
259 | int tomoyo_write_globally_readable_policy(char *data, const bool is_delete); | ||
260 | /* Create "deny_rewrite" entry in exception policy. */ | ||
261 | int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete); | ||
262 | /* Create "file_pattern" entry in exception policy. */ | ||
263 | int tomoyo_write_pattern_policy(char *data, const bool is_delete); | ||
264 | /* Find a domain by the given name. */ | ||
265 | struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); | ||
266 | /* Find or create a domain by the given name. */ | ||
267 | struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * | ||
268 | domainname, | ||
269 | const u8 profile); | ||
270 | /* Undelete a domain. */ | ||
271 | struct tomoyo_domain_info *tomoyo_undelete_domain(const char *domainname); | ||
272 | /* Check mode for specified functionality. */ | ||
273 | unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, | ||
274 | const u8 index); | ||
275 | /* Allocate memory for structures. */ | ||
276 | void *tomoyo_alloc_acl_element(const u8 acl_type); | ||
277 | /* Fill in "struct tomoyo_path_info" members. */ | ||
278 | void tomoyo_fill_path_info(struct tomoyo_path_info *ptr); | ||
279 | /* Run policy loader when /sbin/init starts. */ | ||
280 | void tomoyo_load_policy(const char *filename); | ||
281 | /* Change "struct tomoyo_domain_info"->flags. */ | ||
282 | void tomoyo_set_domain_flag(struct tomoyo_domain_info *domain, | ||
283 | const bool is_delete, const u8 flags); | ||
284 | |||
285 | /* strcmp() for "struct tomoyo_path_info" structure. */ | ||
286 | static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a, | ||
287 | const struct tomoyo_path_info *b) | ||
288 | { | ||
289 | return a->hash != b->hash || strcmp(a->name, b->name); | ||
290 | } | ||
291 | |||
292 | /* Get type of an ACL entry. */ | ||
293 | static inline u8 tomoyo_acl_type1(struct tomoyo_acl_info *ptr) | ||
294 | { | ||
295 | return ptr->type & ~TOMOYO_ACL_DELETED; | ||
296 | } | ||
297 | |||
298 | /* Get type of an ACL entry. */ | ||
299 | static inline u8 tomoyo_acl_type2(struct tomoyo_acl_info *ptr) | ||
300 | { | ||
301 | return ptr->type; | ||
302 | } | ||
303 | |||
304 | /** | ||
305 | * tomoyo_is_valid - Check whether the character is a valid char. | ||
306 | * | ||
307 | * @c: The character to check. | ||
308 | * | ||
309 | * Returns true if @c is a valid character, false otherwise. | ||
310 | */ | ||
311 | static inline bool tomoyo_is_valid(const unsigned char c) | ||
312 | { | ||
313 | return c > ' ' && c < 127; | ||
314 | } | ||
315 | |||
316 | /** | ||
317 | * tomoyo_is_invalid - Check whether the character is an invalid char. | ||
318 | * | ||
319 | * @c: The character to check. | ||
320 | * | ||
321 | * Returns true if @c is an invalid character, false otherwise. | ||
322 | */ | ||
323 | static inline bool tomoyo_is_invalid(const unsigned char c) | ||
324 | { | ||
325 | return c && (c <= ' ' || c >= 127); | ||
326 | } | ||
327 | |||
328 | /* The list for "struct tomoyo_domain_info". */ | ||
329 | extern struct list_head tomoyo_domain_list; | ||
330 | extern struct rw_semaphore tomoyo_domain_list_lock; | ||
331 | |||
332 | /* Lock for domain->acl_info_list. */ | ||
333 | extern struct rw_semaphore tomoyo_domain_acl_info_list_lock; | ||
334 | |||
335 | /* Has /sbin/init started? */ | ||
336 | extern bool tomoyo_policy_loaded; | ||
337 | |||
338 | /* The kernel's domain. */ | ||
339 | extern struct tomoyo_domain_info tomoyo_kernel_domain; | ||
340 | |||
341 | /** | ||
342 | * list_for_each_cookie - iterate over a list with cookie. | ||
343 | * @pos: the &struct list_head to use as a loop cursor. | ||
344 | * @cookie: the &struct list_head to use as a cookie. | ||
345 | * @head: the head for your list. | ||
346 | * | ||
347 | * Same with list_for_each() except that this primitive uses @cookie | ||
348 | * so that we can continue iteration. | ||
349 | * @cookie must be NULL when iteration starts, and @cookie will become | ||
350 | * NULL when iteration finishes. | ||
351 | */ | ||
352 | #define list_for_each_cookie(pos, cookie, head) \ | ||
353 | for (({ if (!cookie) \ | ||
354 | cookie = head; }), \ | ||
355 | pos = (cookie)->next; \ | ||
356 | prefetch(pos->next), pos != (head) || ((cookie) = NULL); \ | ||
357 | (cookie) = pos, pos = pos->next) | ||
358 | |||
359 | #endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */ | ||
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c new file mode 100644 index 000000000000..093a756030bd --- /dev/null +++ b/security/tomoyo/domain.c | |||
@@ -0,0 +1,878 @@ | |||
1 | /* | ||
2 | * security/tomoyo/domain.c | ||
3 | * | ||
4 | * Implementation of the Domain-Based Mandatory Access Control. | ||
5 | * | ||
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | ||
7 | * | ||
8 | * Version: 2.2.0-pre 2009/02/01 | ||
9 | * | ||
10 | */ | ||
11 | |||
12 | #include "common.h" | ||
13 | #include "tomoyo.h" | ||
14 | #include "realpath.h" | ||
15 | #include <linux/binfmts.h> | ||
16 | |||
17 | /* Variables definitions.*/ | ||
18 | |||
19 | /* The initial domain. */ | ||
20 | struct tomoyo_domain_info tomoyo_kernel_domain; | ||
21 | |||
22 | /* The list for "struct tomoyo_domain_info". */ | ||
23 | LIST_HEAD(tomoyo_domain_list); | ||
24 | DECLARE_RWSEM(tomoyo_domain_list_lock); | ||
25 | |||
26 | /* Structure for "initialize_domain" and "no_initialize_domain" keyword. */ | ||
27 | struct tomoyo_domain_initializer_entry { | ||
28 | struct list_head list; | ||
29 | const struct tomoyo_path_info *domainname; /* This may be NULL */ | ||
30 | const struct tomoyo_path_info *program; | ||
31 | bool is_deleted; | ||
32 | bool is_not; /* True if this entry is "no_initialize_domain". */ | ||
33 | /* True if the domainname is tomoyo_get_last_name(). */ | ||
34 | bool is_last_name; | ||
35 | }; | ||
36 | |||
37 | /* Structure for "keep_domain" and "no_keep_domain" keyword. */ | ||
38 | struct tomoyo_domain_keeper_entry { | ||
39 | struct list_head list; | ||
40 | const struct tomoyo_path_info *domainname; | ||
41 | const struct tomoyo_path_info *program; /* This may be NULL */ | ||
42 | bool is_deleted; | ||
43 | bool is_not; /* True if this entry is "no_keep_domain". */ | ||
44 | /* True if the domainname is tomoyo_get_last_name(). */ | ||
45 | bool is_last_name; | ||
46 | }; | ||
47 | |||
48 | /* Structure for "alias" keyword. */ | ||
49 | struct tomoyo_alias_entry { | ||
50 | struct list_head list; | ||
51 | const struct tomoyo_path_info *original_name; | ||
52 | const struct tomoyo_path_info *aliased_name; | ||
53 | bool is_deleted; | ||
54 | }; | ||
55 | |||
56 | /** | ||
57 | * tomoyo_set_domain_flag - Set or clear domain's attribute flags. | ||
58 | * | ||
59 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
60 | * @is_delete: True if it is a delete request. | ||
61 | * @flags: Flags to set or clear. | ||
62 | * | ||
63 | * Returns nothing. | ||
64 | */ | ||
65 | void tomoyo_set_domain_flag(struct tomoyo_domain_info *domain, | ||
66 | const bool is_delete, const u8 flags) | ||
67 | { | ||
68 | /* We need to serialize because this is bitfield operation. */ | ||
69 | static DEFINE_SPINLOCK(lock); | ||
70 | /***** CRITICAL SECTION START *****/ | ||
71 | spin_lock(&lock); | ||
72 | if (!is_delete) | ||
73 | domain->flags |= flags; | ||
74 | else | ||
75 | domain->flags &= ~flags; | ||
76 | spin_unlock(&lock); | ||
77 | /***** CRITICAL SECTION END *****/ | ||
78 | } | ||
79 | |||
80 | /** | ||
81 | * tomoyo_get_last_name - Get last component of a domainname. | ||
82 | * | ||
83 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
84 | * | ||
85 | * Returns the last component of the domainname. | ||
86 | */ | ||
87 | const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain) | ||
88 | { | ||
89 | const char *cp0 = domain->domainname->name; | ||
90 | const char *cp1 = strrchr(cp0, ' '); | ||
91 | |||
92 | if (cp1) | ||
93 | return cp1 + 1; | ||
94 | return cp0; | ||
95 | } | ||
96 | |||
97 | /* The list for "struct tomoyo_domain_initializer_entry". */ | ||
98 | static LIST_HEAD(tomoyo_domain_initializer_list); | ||
99 | static DECLARE_RWSEM(tomoyo_domain_initializer_list_lock); | ||
100 | |||
101 | /** | ||
102 | * tomoyo_update_domain_initializer_entry - Update "struct tomoyo_domain_initializer_entry" list. | ||
103 | * | ||
104 | * @domainname: The name of domain. May be NULL. | ||
105 | * @program: The name of program. | ||
106 | * @is_not: True if it is "no_initialize_domain" entry. | ||
107 | * @is_delete: True if it is a delete request. | ||
108 | * | ||
109 | * Returns 0 on success, negative value otherwise. | ||
110 | */ | ||
111 | static int tomoyo_update_domain_initializer_entry(const char *domainname, | ||
112 | const char *program, | ||
113 | const bool is_not, | ||
114 | const bool is_delete) | ||
115 | { | ||
116 | struct tomoyo_domain_initializer_entry *new_entry; | ||
117 | struct tomoyo_domain_initializer_entry *ptr; | ||
118 | const struct tomoyo_path_info *saved_program; | ||
119 | const struct tomoyo_path_info *saved_domainname = NULL; | ||
120 | int error = -ENOMEM; | ||
121 | bool is_last_name = false; | ||
122 | |||
123 | if (!tomoyo_is_correct_path(program, 1, -1, -1, __func__)) | ||
124 | return -EINVAL; /* No patterns allowed. */ | ||
125 | if (domainname) { | ||
126 | if (!tomoyo_is_domain_def(domainname) && | ||
127 | tomoyo_is_correct_path(domainname, 1, -1, -1, __func__)) | ||
128 | is_last_name = true; | ||
129 | else if (!tomoyo_is_correct_domain(domainname, __func__)) | ||
130 | return -EINVAL; | ||
131 | saved_domainname = tomoyo_save_name(domainname); | ||
132 | if (!saved_domainname) | ||
133 | return -ENOMEM; | ||
134 | } | ||
135 | saved_program = tomoyo_save_name(program); | ||
136 | if (!saved_program) | ||
137 | return -ENOMEM; | ||
138 | /***** EXCLUSIVE SECTION START *****/ | ||
139 | down_write(&tomoyo_domain_initializer_list_lock); | ||
140 | list_for_each_entry(ptr, &tomoyo_domain_initializer_list, list) { | ||
141 | if (ptr->is_not != is_not || | ||
142 | ptr->domainname != saved_domainname || | ||
143 | ptr->program != saved_program) | ||
144 | continue; | ||
145 | ptr->is_deleted = is_delete; | ||
146 | error = 0; | ||
147 | goto out; | ||
148 | } | ||
149 | if (is_delete) { | ||
150 | error = -ENOENT; | ||
151 | goto out; | ||
152 | } | ||
153 | new_entry = tomoyo_alloc_element(sizeof(*new_entry)); | ||
154 | if (!new_entry) | ||
155 | goto out; | ||
156 | new_entry->domainname = saved_domainname; | ||
157 | new_entry->program = saved_program; | ||
158 | new_entry->is_not = is_not; | ||
159 | new_entry->is_last_name = is_last_name; | ||
160 | list_add_tail(&new_entry->list, &tomoyo_domain_initializer_list); | ||
161 | error = 0; | ||
162 | out: | ||
163 | up_write(&tomoyo_domain_initializer_list_lock); | ||
164 | /***** EXCLUSIVE SECTION END *****/ | ||
165 | return error; | ||
166 | } | ||
167 | |||
168 | /** | ||
169 | * tomoyo_read_domain_initializer_policy - Read "struct tomoyo_domain_initializer_entry" list. | ||
170 | * | ||
171 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
172 | * | ||
173 | * Returns true on success, false otherwise. | ||
174 | */ | ||
175 | bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head) | ||
176 | { | ||
177 | struct list_head *pos; | ||
178 | bool done = true; | ||
179 | |||
180 | down_read(&tomoyo_domain_initializer_list_lock); | ||
181 | list_for_each_cookie(pos, head->read_var2, | ||
182 | &tomoyo_domain_initializer_list) { | ||
183 | const char *no; | ||
184 | const char *from = ""; | ||
185 | const char *domain = ""; | ||
186 | struct tomoyo_domain_initializer_entry *ptr; | ||
187 | ptr = list_entry(pos, struct tomoyo_domain_initializer_entry, | ||
188 | list); | ||
189 | if (ptr->is_deleted) | ||
190 | continue; | ||
191 | no = ptr->is_not ? "no_" : ""; | ||
192 | if (ptr->domainname) { | ||
193 | from = " from "; | ||
194 | domain = ptr->domainname->name; | ||
195 | } | ||
196 | if (!tomoyo_io_printf(head, | ||
197 | "%s" TOMOYO_KEYWORD_INITIALIZE_DOMAIN | ||
198 | "%s%s%s\n", no, ptr->program->name, from, | ||
199 | domain)) { | ||
200 | done = false; | ||
201 | break; | ||
202 | } | ||
203 | } | ||
204 | up_read(&tomoyo_domain_initializer_list_lock); | ||
205 | return done; | ||
206 | } | ||
207 | |||
208 | /** | ||
209 | * tomoyo_write_domain_initializer_policy - Write "struct tomoyo_domain_initializer_entry" list. | ||
210 | * | ||
211 | * @data: String to parse. | ||
212 | * @is_not: True if it is "no_initialize_domain" entry. | ||
213 | * @is_delete: True if it is a delete request. | ||
214 | * | ||
215 | * Returns 0 on success, negative value otherwise. | ||
216 | */ | ||
217 | int tomoyo_write_domain_initializer_policy(char *data, const bool is_not, | ||
218 | const bool is_delete) | ||
219 | { | ||
220 | char *cp = strstr(data, " from "); | ||
221 | |||
222 | if (cp) { | ||
223 | *cp = '\0'; | ||
224 | return tomoyo_update_domain_initializer_entry(cp + 6, data, | ||
225 | is_not, | ||
226 | is_delete); | ||
227 | } | ||
228 | return tomoyo_update_domain_initializer_entry(NULL, data, is_not, | ||
229 | is_delete); | ||
230 | } | ||
231 | |||
232 | /** | ||
233 | * tomoyo_is_domain_initializer - Check whether the given program causes domainname reinitialization. | ||
234 | * | ||
235 | * @domainname: The name of domain. | ||
236 | * @program: The name of program. | ||
237 | * @last_name: The last component of @domainname. | ||
238 | * | ||
239 | * Returns true if executing @program reinitializes domain transition, | ||
240 | * false otherwise. | ||
241 | */ | ||
242 | static bool tomoyo_is_domain_initializer(const struct tomoyo_path_info * | ||
243 | domainname, | ||
244 | const struct tomoyo_path_info *program, | ||
245 | const struct tomoyo_path_info * | ||
246 | last_name) | ||
247 | { | ||
248 | struct tomoyo_domain_initializer_entry *ptr; | ||
249 | bool flag = false; | ||
250 | |||
251 | down_read(&tomoyo_domain_initializer_list_lock); | ||
252 | list_for_each_entry(ptr, &tomoyo_domain_initializer_list, list) { | ||
253 | if (ptr->is_deleted) | ||
254 | continue; | ||
255 | if (ptr->domainname) { | ||
256 | if (!ptr->is_last_name) { | ||
257 | if (ptr->domainname != domainname) | ||
258 | continue; | ||
259 | } else { | ||
260 | if (tomoyo_pathcmp(ptr->domainname, last_name)) | ||
261 | continue; | ||
262 | } | ||
263 | } | ||
264 | if (tomoyo_pathcmp(ptr->program, program)) | ||
265 | continue; | ||
266 | if (ptr->is_not) { | ||
267 | flag = false; | ||
268 | break; | ||
269 | } | ||
270 | flag = true; | ||
271 | } | ||
272 | up_read(&tomoyo_domain_initializer_list_lock); | ||
273 | return flag; | ||
274 | } | ||
275 | |||
276 | /* The list for "struct tomoyo_domain_keeper_entry". */ | ||
277 | static LIST_HEAD(tomoyo_domain_keeper_list); | ||
278 | static DECLARE_RWSEM(tomoyo_domain_keeper_list_lock); | ||
279 | |||
280 | /** | ||
281 | * tomoyo_update_domain_keeper_entry - Update "struct tomoyo_domain_keeper_entry" list. | ||
282 | * | ||
283 | * @domainname: The name of domain. | ||
284 | * @program: The name of program. May be NULL. | ||
285 | * @is_not: True if it is "no_keep_domain" entry. | ||
286 | * @is_delete: True if it is a delete request. | ||
287 | * | ||
288 | * Returns 0 on success, negative value otherwise. | ||
289 | */ | ||
290 | static int tomoyo_update_domain_keeper_entry(const char *domainname, | ||
291 | const char *program, | ||
292 | const bool is_not, | ||
293 | const bool is_delete) | ||
294 | { | ||
295 | struct tomoyo_domain_keeper_entry *new_entry; | ||
296 | struct tomoyo_domain_keeper_entry *ptr; | ||
297 | const struct tomoyo_path_info *saved_domainname; | ||
298 | const struct tomoyo_path_info *saved_program = NULL; | ||
299 | static DEFINE_MUTEX(lock); | ||
300 | int error = -ENOMEM; | ||
301 | bool is_last_name = false; | ||
302 | |||
303 | if (!tomoyo_is_domain_def(domainname) && | ||
304 | tomoyo_is_correct_path(domainname, 1, -1, -1, __func__)) | ||
305 | is_last_name = true; | ||
306 | else if (!tomoyo_is_correct_domain(domainname, __func__)) | ||
307 | return -EINVAL; | ||
308 | if (program) { | ||
309 | if (!tomoyo_is_correct_path(program, 1, -1, -1, __func__)) | ||
310 | return -EINVAL; | ||
311 | saved_program = tomoyo_save_name(program); | ||
312 | if (!saved_program) | ||
313 | return -ENOMEM; | ||
314 | } | ||
315 | saved_domainname = tomoyo_save_name(domainname); | ||
316 | if (!saved_domainname) | ||
317 | return -ENOMEM; | ||
318 | /***** EXCLUSIVE SECTION START *****/ | ||
319 | down_write(&tomoyo_domain_keeper_list_lock); | ||
320 | list_for_each_entry(ptr, &tomoyo_domain_keeper_list, list) { | ||
321 | if (ptr->is_not != is_not || | ||
322 | ptr->domainname != saved_domainname || | ||
323 | ptr->program != saved_program) | ||
324 | continue; | ||
325 | ptr->is_deleted = is_delete; | ||
326 | error = 0; | ||
327 | goto out; | ||
328 | } | ||
329 | if (is_delete) { | ||
330 | error = -ENOENT; | ||
331 | goto out; | ||
332 | } | ||
333 | new_entry = tomoyo_alloc_element(sizeof(*new_entry)); | ||
334 | if (!new_entry) | ||
335 | goto out; | ||
336 | new_entry->domainname = saved_domainname; | ||
337 | new_entry->program = saved_program; | ||
338 | new_entry->is_not = is_not; | ||
339 | new_entry->is_last_name = is_last_name; | ||
340 | list_add_tail(&new_entry->list, &tomoyo_domain_keeper_list); | ||
341 | error = 0; | ||
342 | out: | ||
343 | up_write(&tomoyo_domain_keeper_list_lock); | ||
344 | /***** EXCLUSIVE SECTION END *****/ | ||
345 | return error; | ||
346 | } | ||
347 | |||
348 | /** | ||
349 | * tomoyo_write_domain_keeper_policy - Write "struct tomoyo_domain_keeper_entry" list. | ||
350 | * | ||
351 | * @data: String to parse. | ||
352 | * @is_not: True if it is "no_keep_domain" entry. | ||
353 | * @is_delete: True if it is a delete request. | ||
354 | * | ||
355 | */ | ||
356 | int tomoyo_write_domain_keeper_policy(char *data, const bool is_not, | ||
357 | const bool is_delete) | ||
358 | { | ||
359 | char *cp = strstr(data, " from "); | ||
360 | |||
361 | if (cp) { | ||
362 | *cp = '\0'; | ||
363 | return tomoyo_update_domain_keeper_entry(cp + 6, data, is_not, | ||
364 | is_delete); | ||
365 | } | ||
366 | return tomoyo_update_domain_keeper_entry(data, NULL, is_not, is_delete); | ||
367 | } | ||
368 | |||
369 | /** | ||
370 | * tomoyo_read_domain_keeper_policy - Read "struct tomoyo_domain_keeper_entry" list. | ||
371 | * | ||
372 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
373 | * | ||
374 | * Returns true on success, false otherwise. | ||
375 | */ | ||
376 | bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head) | ||
377 | { | ||
378 | struct list_head *pos; | ||
379 | bool done = true; | ||
380 | |||
381 | down_read(&tomoyo_domain_keeper_list_lock); | ||
382 | list_for_each_cookie(pos, head->read_var2, | ||
383 | &tomoyo_domain_keeper_list) { | ||
384 | struct tomoyo_domain_keeper_entry *ptr; | ||
385 | const char *no; | ||
386 | const char *from = ""; | ||
387 | const char *program = ""; | ||
388 | |||
389 | ptr = list_entry(pos, struct tomoyo_domain_keeper_entry, list); | ||
390 | if (ptr->is_deleted) | ||
391 | continue; | ||
392 | no = ptr->is_not ? "no_" : ""; | ||
393 | if (ptr->program) { | ||
394 | from = " from "; | ||
395 | program = ptr->program->name; | ||
396 | } | ||
397 | if (!tomoyo_io_printf(head, | ||
398 | "%s" TOMOYO_KEYWORD_KEEP_DOMAIN | ||
399 | "%s%s%s\n", no, program, from, | ||
400 | ptr->domainname->name)) { | ||
401 | done = false; | ||
402 | break; | ||
403 | } | ||
404 | } | ||
405 | up_read(&tomoyo_domain_keeper_list_lock); | ||
406 | return done; | ||
407 | } | ||
408 | |||
409 | /** | ||
410 | * tomoyo_is_domain_keeper - Check whether the given program causes domain transition suppression. | ||
411 | * | ||
412 | * @domainname: The name of domain. | ||
413 | * @program: The name of program. | ||
414 | * @last_name: The last component of @domainname. | ||
415 | * | ||
416 | * Returns true if executing @program supresses domain transition, | ||
417 | * false otherwise. | ||
418 | */ | ||
419 | static bool tomoyo_is_domain_keeper(const struct tomoyo_path_info *domainname, | ||
420 | const struct tomoyo_path_info *program, | ||
421 | const struct tomoyo_path_info *last_name) | ||
422 | { | ||
423 | struct tomoyo_domain_keeper_entry *ptr; | ||
424 | bool flag = false; | ||
425 | |||
426 | down_read(&tomoyo_domain_keeper_list_lock); | ||
427 | list_for_each_entry(ptr, &tomoyo_domain_keeper_list, list) { | ||
428 | if (ptr->is_deleted) | ||
429 | continue; | ||
430 | if (!ptr->is_last_name) { | ||
431 | if (ptr->domainname != domainname) | ||
432 | continue; | ||
433 | } else { | ||
434 | if (tomoyo_pathcmp(ptr->domainname, last_name)) | ||
435 | continue; | ||
436 | } | ||
437 | if (ptr->program && tomoyo_pathcmp(ptr->program, program)) | ||
438 | continue; | ||
439 | if (ptr->is_not) { | ||
440 | flag = false; | ||
441 | break; | ||
442 | } | ||
443 | flag = true; | ||
444 | } | ||
445 | up_read(&tomoyo_domain_keeper_list_lock); | ||
446 | return flag; | ||
447 | } | ||
448 | |||
449 | /* The list for "struct tomoyo_alias_entry". */ | ||
450 | static LIST_HEAD(tomoyo_alias_list); | ||
451 | static DECLARE_RWSEM(tomoyo_alias_list_lock); | ||
452 | |||
453 | /** | ||
454 | * tomoyo_update_alias_entry - Update "struct tomoyo_alias_entry" list. | ||
455 | * | ||
456 | * @original_name: The original program's real name. | ||
457 | * @aliased_name: The symbolic program's symbolic link's name. | ||
458 | * @is_delete: True if it is a delete request. | ||
459 | * | ||
460 | * Returns 0 on success, negative value otherwise. | ||
461 | */ | ||
462 | static int tomoyo_update_alias_entry(const char *original_name, | ||
463 | const char *aliased_name, | ||
464 | const bool is_delete) | ||
465 | { | ||
466 | struct tomoyo_alias_entry *new_entry; | ||
467 | struct tomoyo_alias_entry *ptr; | ||
468 | const struct tomoyo_path_info *saved_original_name; | ||
469 | const struct tomoyo_path_info *saved_aliased_name; | ||
470 | int error = -ENOMEM; | ||
471 | |||
472 | if (!tomoyo_is_correct_path(original_name, 1, -1, -1, __func__) || | ||
473 | !tomoyo_is_correct_path(aliased_name, 1, -1, -1, __func__)) | ||
474 | return -EINVAL; /* No patterns allowed. */ | ||
475 | saved_original_name = tomoyo_save_name(original_name); | ||
476 | saved_aliased_name = tomoyo_save_name(aliased_name); | ||
477 | if (!saved_original_name || !saved_aliased_name) | ||
478 | return -ENOMEM; | ||
479 | /***** EXCLUSIVE SECTION START *****/ | ||
480 | down_write(&tomoyo_alias_list_lock); | ||
481 | list_for_each_entry(ptr, &tomoyo_alias_list, list) { | ||
482 | if (ptr->original_name != saved_original_name || | ||
483 | ptr->aliased_name != saved_aliased_name) | ||
484 | continue; | ||
485 | ptr->is_deleted = is_delete; | ||
486 | error = 0; | ||
487 | goto out; | ||
488 | } | ||
489 | if (is_delete) { | ||
490 | error = -ENOENT; | ||
491 | goto out; | ||
492 | } | ||
493 | new_entry = tomoyo_alloc_element(sizeof(*new_entry)); | ||
494 | if (!new_entry) | ||
495 | goto out; | ||
496 | new_entry->original_name = saved_original_name; | ||
497 | new_entry->aliased_name = saved_aliased_name; | ||
498 | list_add_tail(&new_entry->list, &tomoyo_alias_list); | ||
499 | error = 0; | ||
500 | out: | ||
501 | up_write(&tomoyo_alias_list_lock); | ||
502 | /***** EXCLUSIVE SECTION END *****/ | ||
503 | return error; | ||
504 | } | ||
505 | |||
506 | /** | ||
507 | * tomoyo_read_alias_policy - Read "struct tomoyo_alias_entry" list. | ||
508 | * | ||
509 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
510 | * | ||
511 | * Returns true on success, false otherwise. | ||
512 | */ | ||
513 | bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head) | ||
514 | { | ||
515 | struct list_head *pos; | ||
516 | bool done = true; | ||
517 | |||
518 | down_read(&tomoyo_alias_list_lock); | ||
519 | list_for_each_cookie(pos, head->read_var2, &tomoyo_alias_list) { | ||
520 | struct tomoyo_alias_entry *ptr; | ||
521 | |||
522 | ptr = list_entry(pos, struct tomoyo_alias_entry, list); | ||
523 | if (ptr->is_deleted) | ||
524 | continue; | ||
525 | if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALIAS "%s %s\n", | ||
526 | ptr->original_name->name, | ||
527 | ptr->aliased_name->name)) { | ||
528 | done = false; | ||
529 | break; | ||
530 | } | ||
531 | } | ||
532 | up_read(&tomoyo_alias_list_lock); | ||
533 | return done; | ||
534 | } | ||
535 | |||
536 | /** | ||
537 | * tomoyo_write_alias_policy - Write "struct tomoyo_alias_entry" list. | ||
538 | * | ||
539 | * @data: String to parse. | ||
540 | * @is_delete: True if it is a delete request. | ||
541 | * | ||
542 | * Returns 0 on success, negative value otherwise. | ||
543 | */ | ||
544 | int tomoyo_write_alias_policy(char *data, const bool is_delete) | ||
545 | { | ||
546 | char *cp = strchr(data, ' '); | ||
547 | |||
548 | if (!cp) | ||
549 | return -EINVAL; | ||
550 | *cp++ = '\0'; | ||
551 | return tomoyo_update_alias_entry(data, cp, is_delete); | ||
552 | } | ||
553 | |||
554 | /* Domain create/delete/undelete handler. */ | ||
555 | |||
556 | /* #define TOMOYO_DEBUG_DOMAIN_UNDELETE */ | ||
557 | |||
558 | /** | ||
559 | * tomoyo_delete_domain - Delete a domain. | ||
560 | * | ||
561 | * @domainname: The name of domain. | ||
562 | * | ||
563 | * Returns 0. | ||
564 | */ | ||
565 | int tomoyo_delete_domain(char *domainname) | ||
566 | { | ||
567 | struct tomoyo_domain_info *domain; | ||
568 | struct tomoyo_path_info name; | ||
569 | |||
570 | name.name = domainname; | ||
571 | tomoyo_fill_path_info(&name); | ||
572 | /***** EXCLUSIVE SECTION START *****/ | ||
573 | down_write(&tomoyo_domain_list_lock); | ||
574 | #ifdef TOMOYO_DEBUG_DOMAIN_UNDELETE | ||
575 | printk(KERN_DEBUG "tomoyo_delete_domain %s\n", domainname); | ||
576 | list_for_each_entry(domain, &tomoyo_domain_list, list) { | ||
577 | if (tomoyo_pathcmp(domain->domainname, &name)) | ||
578 | continue; | ||
579 | printk(KERN_DEBUG "List: %p %u\n", domain, domain->is_deleted); | ||
580 | } | ||
581 | #endif | ||
582 | /* Is there an active domain? */ | ||
583 | list_for_each_entry(domain, &tomoyo_domain_list, list) { | ||
584 | struct tomoyo_domain_info *domain2; | ||
585 | /* Never delete tomoyo_kernel_domain */ | ||
586 | if (domain == &tomoyo_kernel_domain) | ||
587 | continue; | ||
588 | if (domain->is_deleted || | ||
589 | tomoyo_pathcmp(domain->domainname, &name)) | ||
590 | continue; | ||
591 | /* Mark already deleted domains as non undeletable. */ | ||
592 | list_for_each_entry(domain2, &tomoyo_domain_list, list) { | ||
593 | if (!domain2->is_deleted || | ||
594 | tomoyo_pathcmp(domain2->domainname, &name)) | ||
595 | continue; | ||
596 | #ifdef TOMOYO_DEBUG_DOMAIN_UNDELETE | ||
597 | if (domain2->is_deleted != 255) | ||
598 | printk(KERN_DEBUG | ||
599 | "Marked %p as non undeletable\n", | ||
600 | domain2); | ||
601 | #endif | ||
602 | domain2->is_deleted = 255; | ||
603 | } | ||
604 | /* Delete and mark active domain as undeletable. */ | ||
605 | domain->is_deleted = 1; | ||
606 | #ifdef TOMOYO_DEBUG_DOMAIN_UNDELETE | ||
607 | printk(KERN_DEBUG "Marked %p as undeletable\n", domain); | ||
608 | #endif | ||
609 | break; | ||
610 | } | ||
611 | up_write(&tomoyo_domain_list_lock); | ||
612 | /***** EXCLUSIVE SECTION END *****/ | ||
613 | return 0; | ||
614 | } | ||
615 | |||
616 | /** | ||
617 | * tomoyo_undelete_domain - Undelete a domain. | ||
618 | * | ||
619 | * @domainname: The name of domain. | ||
620 | * | ||
621 | * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise. | ||
622 | */ | ||
623 | struct tomoyo_domain_info *tomoyo_undelete_domain(const char *domainname) | ||
624 | { | ||
625 | struct tomoyo_domain_info *domain; | ||
626 | struct tomoyo_domain_info *candidate_domain = NULL; | ||
627 | struct tomoyo_path_info name; | ||
628 | |||
629 | name.name = domainname; | ||
630 | tomoyo_fill_path_info(&name); | ||
631 | /***** EXCLUSIVE SECTION START *****/ | ||
632 | down_write(&tomoyo_domain_list_lock); | ||
633 | #ifdef TOMOYO_DEBUG_DOMAIN_UNDELETE | ||
634 | printk(KERN_DEBUG "tomoyo_undelete_domain %s\n", domainname); | ||
635 | list_for_each_entry(domain, &tomoyo_domain_list, list) { | ||
636 | if (tomoyo_pathcmp(domain->domainname, &name)) | ||
637 | continue; | ||
638 | printk(KERN_DEBUG "List: %p %u\n", domain, domain->is_deleted); | ||
639 | } | ||
640 | #endif | ||
641 | list_for_each_entry(domain, &tomoyo_domain_list, list) { | ||
642 | if (tomoyo_pathcmp(&name, domain->domainname)) | ||
643 | continue; | ||
644 | if (!domain->is_deleted) { | ||
645 | /* This domain is active. I can't undelete. */ | ||
646 | candidate_domain = NULL; | ||
647 | #ifdef TOMOYO_DEBUG_DOMAIN_UNDELETE | ||
648 | printk(KERN_DEBUG "%p is active. I can't undelete.\n", | ||
649 | domain); | ||
650 | #endif | ||
651 | break; | ||
652 | } | ||
653 | /* Is this domain undeletable? */ | ||
654 | if (domain->is_deleted == 1) | ||
655 | candidate_domain = domain; | ||
656 | } | ||
657 | if (candidate_domain) { | ||
658 | candidate_domain->is_deleted = 0; | ||
659 | #ifdef TOMOYO_DEBUG_DOMAIN_UNDELETE | ||
660 | printk(KERN_DEBUG "%p was undeleted.\n", candidate_domain); | ||
661 | #endif | ||
662 | } | ||
663 | up_write(&tomoyo_domain_list_lock); | ||
664 | /***** EXCLUSIVE SECTION END *****/ | ||
665 | return candidate_domain; | ||
666 | } | ||
667 | |||
668 | /** | ||
669 | * tomoyo_find_or_assign_new_domain - Create a domain. | ||
670 | * | ||
671 | * @domainname: The name of domain. | ||
672 | * @profile: Profile number to assign if the domain was newly created. | ||
673 | * | ||
674 | * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise. | ||
675 | */ | ||
676 | struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * | ||
677 | domainname, | ||
678 | const u8 profile) | ||
679 | { | ||
680 | struct tomoyo_domain_info *domain = NULL; | ||
681 | const struct tomoyo_path_info *saved_domainname; | ||
682 | |||
683 | /***** EXCLUSIVE SECTION START *****/ | ||
684 | down_write(&tomoyo_domain_list_lock); | ||
685 | domain = tomoyo_find_domain(domainname); | ||
686 | if (domain) | ||
687 | goto out; | ||
688 | if (!tomoyo_is_correct_domain(domainname, __func__)) | ||
689 | goto out; | ||
690 | saved_domainname = tomoyo_save_name(domainname); | ||
691 | if (!saved_domainname) | ||
692 | goto out; | ||
693 | /* Can I reuse memory of deleted domain? */ | ||
694 | list_for_each_entry(domain, &tomoyo_domain_list, list) { | ||
695 | struct task_struct *p; | ||
696 | struct tomoyo_acl_info *ptr; | ||
697 | bool flag; | ||
698 | if (!domain->is_deleted || | ||
699 | domain->domainname != saved_domainname) | ||
700 | continue; | ||
701 | flag = false; | ||
702 | /***** CRITICAL SECTION START *****/ | ||
703 | read_lock(&tasklist_lock); | ||
704 | for_each_process(p) { | ||
705 | if (tomoyo_real_domain(p) != domain) | ||
706 | continue; | ||
707 | flag = true; | ||
708 | break; | ||
709 | } | ||
710 | read_unlock(&tasklist_lock); | ||
711 | /***** CRITICAL SECTION END *****/ | ||
712 | if (flag) | ||
713 | continue; | ||
714 | #ifdef TOMOYO_DEBUG_DOMAIN_UNDELETE | ||
715 | printk(KERN_DEBUG "Reusing %p %s\n", domain, | ||
716 | domain->domainname->name); | ||
717 | #endif | ||
718 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | ||
719 | ptr->type |= TOMOYO_ACL_DELETED; | ||
720 | } | ||
721 | tomoyo_set_domain_flag(domain, true, domain->flags); | ||
722 | domain->profile = profile; | ||
723 | domain->quota_warned = false; | ||
724 | mb(); /* Avoid out-of-order execution. */ | ||
725 | domain->is_deleted = 0; | ||
726 | goto out; | ||
727 | } | ||
728 | /* No memory reusable. Create using new memory. */ | ||
729 | domain = tomoyo_alloc_element(sizeof(*domain)); | ||
730 | if (domain) { | ||
731 | INIT_LIST_HEAD(&domain->acl_info_list); | ||
732 | domain->domainname = saved_domainname; | ||
733 | domain->profile = profile; | ||
734 | list_add_tail(&domain->list, &tomoyo_domain_list); | ||
735 | } | ||
736 | out: | ||
737 | up_write(&tomoyo_domain_list_lock); | ||
738 | /***** EXCLUSIVE SECTION END *****/ | ||
739 | return domain; | ||
740 | } | ||
741 | |||
742 | /** | ||
743 | * tomoyo_find_next_domain - Find a domain. | ||
744 | * | ||
745 | * @bprm: Pointer to "struct linux_binprm". | ||
746 | * @next_domain: Pointer to pointer to "struct tomoyo_domain_info". | ||
747 | * | ||
748 | * Returns 0 on success, negative value otherwise. | ||
749 | */ | ||
750 | int tomoyo_find_next_domain(struct linux_binprm *bprm, | ||
751 | struct tomoyo_domain_info **next_domain) | ||
752 | { | ||
753 | /* | ||
754 | * This function assumes that the size of buffer returned by | ||
755 | * tomoyo_realpath() = TOMOYO_MAX_PATHNAME_LEN. | ||
756 | */ | ||
757 | struct tomoyo_page_buffer *tmp = tomoyo_alloc(sizeof(*tmp)); | ||
758 | struct tomoyo_domain_info *old_domain = tomoyo_domain(); | ||
759 | struct tomoyo_domain_info *domain = NULL; | ||
760 | const char *old_domain_name = old_domain->domainname->name; | ||
761 | const char *original_name = bprm->filename; | ||
762 | char *new_domain_name = NULL; | ||
763 | char *real_program_name = NULL; | ||
764 | char *symlink_program_name = NULL; | ||
765 | const u8 mode = tomoyo_check_flags(old_domain, TOMOYO_MAC_FOR_FILE); | ||
766 | const bool is_enforce = (mode == 3); | ||
767 | int retval = -ENOMEM; | ||
768 | struct tomoyo_path_info r; /* real name */ | ||
769 | struct tomoyo_path_info s; /* symlink name */ | ||
770 | struct tomoyo_path_info l; /* last name */ | ||
771 | static bool initialized; | ||
772 | |||
773 | if (!tmp) | ||
774 | goto out; | ||
775 | |||
776 | if (!initialized) { | ||
777 | /* | ||
778 | * Built-in initializers. This is needed because policies are | ||
779 | * not loaded until starting /sbin/init. | ||
780 | */ | ||
781 | tomoyo_update_domain_initializer_entry(NULL, "/sbin/hotplug", | ||
782 | false, false); | ||
783 | tomoyo_update_domain_initializer_entry(NULL, "/sbin/modprobe", | ||
784 | false, false); | ||
785 | initialized = true; | ||
786 | } | ||
787 | |||
788 | /* Get tomoyo_realpath of program. */ | ||
789 | retval = -ENOENT; | ||
790 | /* I hope tomoyo_realpath() won't fail with -ENOMEM. */ | ||
791 | real_program_name = tomoyo_realpath(original_name); | ||
792 | if (!real_program_name) | ||
793 | goto out; | ||
794 | /* Get tomoyo_realpath of symbolic link. */ | ||
795 | symlink_program_name = tomoyo_realpath_nofollow(original_name); | ||
796 | if (!symlink_program_name) | ||
797 | goto out; | ||
798 | |||
799 | r.name = real_program_name; | ||
800 | tomoyo_fill_path_info(&r); | ||
801 | s.name = symlink_program_name; | ||
802 | tomoyo_fill_path_info(&s); | ||
803 | l.name = tomoyo_get_last_name(old_domain); | ||
804 | tomoyo_fill_path_info(&l); | ||
805 | |||
806 | /* Check 'alias' directive. */ | ||
807 | if (tomoyo_pathcmp(&r, &s)) { | ||
808 | struct tomoyo_alias_entry *ptr; | ||
809 | /* Is this program allowed to be called via symbolic links? */ | ||
810 | down_read(&tomoyo_alias_list_lock); | ||
811 | list_for_each_entry(ptr, &tomoyo_alias_list, list) { | ||
812 | if (ptr->is_deleted || | ||
813 | tomoyo_pathcmp(&r, ptr->original_name) || | ||
814 | tomoyo_pathcmp(&s, ptr->aliased_name)) | ||
815 | continue; | ||
816 | memset(real_program_name, 0, TOMOYO_MAX_PATHNAME_LEN); | ||
817 | strncpy(real_program_name, ptr->aliased_name->name, | ||
818 | TOMOYO_MAX_PATHNAME_LEN - 1); | ||
819 | tomoyo_fill_path_info(&r); | ||
820 | break; | ||
821 | } | ||
822 | up_read(&tomoyo_alias_list_lock); | ||
823 | } | ||
824 | |||
825 | /* Check execute permission. */ | ||
826 | retval = tomoyo_check_exec_perm(old_domain, &r, tmp); | ||
827 | if (retval < 0) | ||
828 | goto out; | ||
829 | |||
830 | new_domain_name = tmp->buffer; | ||
831 | if (tomoyo_is_domain_initializer(old_domain->domainname, &r, &l)) { | ||
832 | /* Transit to the child of tomoyo_kernel_domain domain. */ | ||
833 | snprintf(new_domain_name, TOMOYO_MAX_PATHNAME_LEN + 1, | ||
834 | TOMOYO_ROOT_NAME " " "%s", real_program_name); | ||
835 | } else if (old_domain == &tomoyo_kernel_domain && | ||
836 | !tomoyo_policy_loaded) { | ||
837 | /* | ||
838 | * Needn't to transit from kernel domain before starting | ||
839 | * /sbin/init. But transit from kernel domain if executing | ||
840 | * initializers because they might start before /sbin/init. | ||
841 | */ | ||
842 | domain = old_domain; | ||
843 | } else if (tomoyo_is_domain_keeper(old_domain->domainname, &r, &l)) { | ||
844 | /* Keep current domain. */ | ||
845 | domain = old_domain; | ||
846 | } else { | ||
847 | /* Normal domain transition. */ | ||
848 | snprintf(new_domain_name, TOMOYO_MAX_PATHNAME_LEN + 1, | ||
849 | "%s %s", old_domain_name, real_program_name); | ||
850 | } | ||
851 | if (domain || strlen(new_domain_name) >= TOMOYO_MAX_PATHNAME_LEN) | ||
852 | goto done; | ||
853 | down_read(&tomoyo_domain_list_lock); | ||
854 | domain = tomoyo_find_domain(new_domain_name); | ||
855 | up_read(&tomoyo_domain_list_lock); | ||
856 | if (domain) | ||
857 | goto done; | ||
858 | if (is_enforce) | ||
859 | goto done; | ||
860 | domain = tomoyo_find_or_assign_new_domain(new_domain_name, | ||
861 | old_domain->profile); | ||
862 | done: | ||
863 | if (domain) | ||
864 | goto out; | ||
865 | printk(KERN_WARNING "TOMOYO-ERROR: Domain '%s' not defined.\n", | ||
866 | new_domain_name); | ||
867 | if (is_enforce) | ||
868 | retval = -EPERM; | ||
869 | else | ||
870 | tomoyo_set_domain_flag(old_domain, false, | ||
871 | TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED); | ||
872 | out: | ||
873 | tomoyo_free(real_program_name); | ||
874 | tomoyo_free(symlink_program_name); | ||
875 | *next_domain = domain ? domain : old_domain; | ||
876 | tomoyo_free(tmp); | ||
877 | return retval; | ||
878 | } | ||
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c new file mode 100644 index 000000000000..65f50c1c5ee9 --- /dev/null +++ b/security/tomoyo/file.c | |||
@@ -0,0 +1,1241 @@ | |||
1 | /* | ||
2 | * security/tomoyo/file.c | ||
3 | * | ||
4 | * Implementation of the Domain-Based Mandatory Access Control. | ||
5 | * | ||
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | ||
7 | * | ||
8 | * Version: 2.2.0-pre 2009/02/01 | ||
9 | * | ||
10 | */ | ||
11 | |||
12 | #include "common.h" | ||
13 | #include "tomoyo.h" | ||
14 | #include "realpath.h" | ||
15 | #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE]) | ||
16 | |||
17 | /* Structure for "allow_read" keyword. */ | ||
18 | struct tomoyo_globally_readable_file_entry { | ||
19 | struct list_head list; | ||
20 | const struct tomoyo_path_info *filename; | ||
21 | bool is_deleted; | ||
22 | }; | ||
23 | |||
24 | /* Structure for "file_pattern" keyword. */ | ||
25 | struct tomoyo_pattern_entry { | ||
26 | struct list_head list; | ||
27 | const struct tomoyo_path_info *pattern; | ||
28 | bool is_deleted; | ||
29 | }; | ||
30 | |||
31 | /* Structure for "deny_rewrite" keyword. */ | ||
32 | struct tomoyo_no_rewrite_entry { | ||
33 | struct list_head list; | ||
34 | const struct tomoyo_path_info *pattern; | ||
35 | bool is_deleted; | ||
36 | }; | ||
37 | |||
38 | /* Keyword array for single path operations. */ | ||
39 | static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = { | ||
40 | [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write", | ||
41 | [TOMOYO_TYPE_EXECUTE_ACL] = "execute", | ||
42 | [TOMOYO_TYPE_READ_ACL] = "read", | ||
43 | [TOMOYO_TYPE_WRITE_ACL] = "write", | ||
44 | [TOMOYO_TYPE_CREATE_ACL] = "create", | ||
45 | [TOMOYO_TYPE_UNLINK_ACL] = "unlink", | ||
46 | [TOMOYO_TYPE_MKDIR_ACL] = "mkdir", | ||
47 | [TOMOYO_TYPE_RMDIR_ACL] = "rmdir", | ||
48 | [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo", | ||
49 | [TOMOYO_TYPE_MKSOCK_ACL] = "mksock", | ||
50 | [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock", | ||
51 | [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar", | ||
52 | [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate", | ||
53 | [TOMOYO_TYPE_SYMLINK_ACL] = "symlink", | ||
54 | [TOMOYO_TYPE_REWRITE_ACL] = "rewrite", | ||
55 | }; | ||
56 | |||
57 | /* Keyword array for double path operations. */ | ||
58 | static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = { | ||
59 | [TOMOYO_TYPE_LINK_ACL] = "link", | ||
60 | [TOMOYO_TYPE_RENAME_ACL] = "rename", | ||
61 | }; | ||
62 | |||
63 | /** | ||
64 | * tomoyo_sp2keyword - Get the name of single path operation. | ||
65 | * | ||
66 | * @operation: Type of operation. | ||
67 | * | ||
68 | * Returns the name of single path operation. | ||
69 | */ | ||
70 | const char *tomoyo_sp2keyword(const u8 operation) | ||
71 | { | ||
72 | return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION) | ||
73 | ? tomoyo_sp_keyword[operation] : NULL; | ||
74 | } | ||
75 | |||
76 | /** | ||
77 | * tomoyo_dp2keyword - Get the name of double path operation. | ||
78 | * | ||
79 | * @operation: Type of operation. | ||
80 | * | ||
81 | * Returns the name of double path operation. | ||
82 | */ | ||
83 | const char *tomoyo_dp2keyword(const u8 operation) | ||
84 | { | ||
85 | return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION) | ||
86 | ? tomoyo_dp_keyword[operation] : NULL; | ||
87 | } | ||
88 | |||
89 | /** | ||
90 | * tomoyo_strendswith - Check whether the token ends with the given token. | ||
91 | * | ||
92 | * @name: The token to check. | ||
93 | * @tail: The token to find. | ||
94 | * | ||
95 | * Returns true if @name ends with @tail, false otherwise. | ||
96 | */ | ||
97 | static bool tomoyo_strendswith(const char *name, const char *tail) | ||
98 | { | ||
99 | int len; | ||
100 | |||
101 | if (!name || !tail) | ||
102 | return false; | ||
103 | len = strlen(name) - strlen(tail); | ||
104 | return len >= 0 && !strcmp(name + len, tail); | ||
105 | } | ||
106 | |||
107 | /** | ||
108 | * tomoyo_get_path - Get realpath. | ||
109 | * | ||
110 | * @path: Pointer to "struct path". | ||
111 | * | ||
112 | * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise. | ||
113 | */ | ||
114 | static struct tomoyo_path_info *tomoyo_get_path(struct path *path) | ||
115 | { | ||
116 | int error; | ||
117 | struct tomoyo_path_info_with_data *buf = tomoyo_alloc(sizeof(*buf)); | ||
118 | |||
119 | if (!buf) | ||
120 | return NULL; | ||
121 | /* Reserve one byte for appending "/". */ | ||
122 | error = tomoyo_realpath_from_path2(path, buf->body, | ||
123 | sizeof(buf->body) - 2); | ||
124 | if (!error) { | ||
125 | buf->head.name = buf->body; | ||
126 | tomoyo_fill_path_info(&buf->head); | ||
127 | return &buf->head; | ||
128 | } | ||
129 | tomoyo_free(buf); | ||
130 | return NULL; | ||
131 | } | ||
132 | |||
133 | /* Lock for domain->acl_info_list. */ | ||
134 | DECLARE_RWSEM(tomoyo_domain_acl_info_list_lock); | ||
135 | |||
136 | static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | ||
137 | const char *filename2, | ||
138 | struct tomoyo_domain_info * | ||
139 | const domain, const bool is_delete); | ||
140 | static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | ||
141 | struct tomoyo_domain_info * | ||
142 | const domain, const bool is_delete); | ||
143 | |||
144 | /* The list for "struct tomoyo_globally_readable_file_entry". */ | ||
145 | static LIST_HEAD(tomoyo_globally_readable_list); | ||
146 | static DECLARE_RWSEM(tomoyo_globally_readable_list_lock); | ||
147 | |||
148 | /** | ||
149 | * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list. | ||
150 | * | ||
151 | * @filename: Filename unconditionally permitted to open() for reading. | ||
152 | * @is_delete: True if it is a delete request. | ||
153 | * | ||
154 | * Returns 0 on success, negative value otherwise. | ||
155 | */ | ||
156 | static int tomoyo_update_globally_readable_entry(const char *filename, | ||
157 | const bool is_delete) | ||
158 | { | ||
159 | struct tomoyo_globally_readable_file_entry *new_entry; | ||
160 | struct tomoyo_globally_readable_file_entry *ptr; | ||
161 | const struct tomoyo_path_info *saved_filename; | ||
162 | int error = -ENOMEM; | ||
163 | |||
164 | if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__)) | ||
165 | return -EINVAL; | ||
166 | saved_filename = tomoyo_save_name(filename); | ||
167 | if (!saved_filename) | ||
168 | return -ENOMEM; | ||
169 | /***** EXCLUSIVE SECTION START *****/ | ||
170 | down_write(&tomoyo_globally_readable_list_lock); | ||
171 | list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) { | ||
172 | if (ptr->filename != saved_filename) | ||
173 | continue; | ||
174 | ptr->is_deleted = is_delete; | ||
175 | error = 0; | ||
176 | goto out; | ||
177 | } | ||
178 | if (is_delete) { | ||
179 | error = -ENOENT; | ||
180 | goto out; | ||
181 | } | ||
182 | new_entry = tomoyo_alloc_element(sizeof(*new_entry)); | ||
183 | if (!new_entry) | ||
184 | goto out; | ||
185 | new_entry->filename = saved_filename; | ||
186 | list_add_tail(&new_entry->list, &tomoyo_globally_readable_list); | ||
187 | error = 0; | ||
188 | out: | ||
189 | up_write(&tomoyo_globally_readable_list_lock); | ||
190 | /***** EXCLUSIVE SECTION END *****/ | ||
191 | return error; | ||
192 | } | ||
193 | |||
194 | /** | ||
195 | * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading. | ||
196 | * | ||
197 | * @filename: The filename to check. | ||
198 | * | ||
199 | * Returns true if any domain can open @filename for reading, false otherwise. | ||
200 | */ | ||
201 | static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info * | ||
202 | filename) | ||
203 | { | ||
204 | struct tomoyo_globally_readable_file_entry *ptr; | ||
205 | bool found = false; | ||
206 | down_read(&tomoyo_globally_readable_list_lock); | ||
207 | list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) { | ||
208 | if (!ptr->is_deleted && | ||
209 | tomoyo_path_matches_pattern(filename, ptr->filename)) { | ||
210 | found = true; | ||
211 | break; | ||
212 | } | ||
213 | } | ||
214 | up_read(&tomoyo_globally_readable_list_lock); | ||
215 | return found; | ||
216 | } | ||
217 | |||
218 | /** | ||
219 | * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list. | ||
220 | * | ||
221 | * @data: String to parse. | ||
222 | * @is_delete: True if it is a delete request. | ||
223 | * | ||
224 | * Returns 0 on success, negative value otherwise. | ||
225 | */ | ||
226 | int tomoyo_write_globally_readable_policy(char *data, const bool is_delete) | ||
227 | { | ||
228 | return tomoyo_update_globally_readable_entry(data, is_delete); | ||
229 | } | ||
230 | |||
231 | /** | ||
232 | * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list. | ||
233 | * | ||
234 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
235 | * | ||
236 | * Returns true on success, false otherwise. | ||
237 | */ | ||
238 | bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) | ||
239 | { | ||
240 | struct list_head *pos; | ||
241 | bool done = true; | ||
242 | |||
243 | down_read(&tomoyo_globally_readable_list_lock); | ||
244 | list_for_each_cookie(pos, head->read_var2, | ||
245 | &tomoyo_globally_readable_list) { | ||
246 | struct tomoyo_globally_readable_file_entry *ptr; | ||
247 | ptr = list_entry(pos, | ||
248 | struct tomoyo_globally_readable_file_entry, | ||
249 | list); | ||
250 | if (ptr->is_deleted) | ||
251 | continue; | ||
252 | if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n", | ||
253 | ptr->filename->name)) { | ||
254 | done = false; | ||
255 | break; | ||
256 | } | ||
257 | } | ||
258 | up_read(&tomoyo_globally_readable_list_lock); | ||
259 | return done; | ||
260 | } | ||
261 | |||
262 | /* The list for "struct tomoyo_pattern_entry". */ | ||
263 | static LIST_HEAD(tomoyo_pattern_list); | ||
264 | static DECLARE_RWSEM(tomoyo_pattern_list_lock); | ||
265 | |||
266 | /** | ||
267 | * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list. | ||
268 | * | ||
269 | * @pattern: Pathname pattern. | ||
270 | * @is_delete: True if it is a delete request. | ||
271 | * | ||
272 | * Returns 0 on success, negative value otherwise. | ||
273 | */ | ||
274 | static int tomoyo_update_file_pattern_entry(const char *pattern, | ||
275 | const bool is_delete) | ||
276 | { | ||
277 | struct tomoyo_pattern_entry *new_entry; | ||
278 | struct tomoyo_pattern_entry *ptr; | ||
279 | const struct tomoyo_path_info *saved_pattern; | ||
280 | int error = -ENOMEM; | ||
281 | |||
282 | if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__)) | ||
283 | return -EINVAL; | ||
284 | saved_pattern = tomoyo_save_name(pattern); | ||
285 | if (!saved_pattern) | ||
286 | return -ENOMEM; | ||
287 | /***** EXCLUSIVE SECTION START *****/ | ||
288 | down_write(&tomoyo_pattern_list_lock); | ||
289 | list_for_each_entry(ptr, &tomoyo_pattern_list, list) { | ||
290 | if (saved_pattern != ptr->pattern) | ||
291 | continue; | ||
292 | ptr->is_deleted = is_delete; | ||
293 | error = 0; | ||
294 | goto out; | ||
295 | } | ||
296 | if (is_delete) { | ||
297 | error = -ENOENT; | ||
298 | goto out; | ||
299 | } | ||
300 | new_entry = tomoyo_alloc_element(sizeof(*new_entry)); | ||
301 | if (!new_entry) | ||
302 | goto out; | ||
303 | new_entry->pattern = saved_pattern; | ||
304 | list_add_tail(&new_entry->list, &tomoyo_pattern_list); | ||
305 | error = 0; | ||
306 | out: | ||
307 | up_write(&tomoyo_pattern_list_lock); | ||
308 | /***** EXCLUSIVE SECTION END *****/ | ||
309 | return error; | ||
310 | } | ||
311 | |||
312 | /** | ||
313 | * tomoyo_get_file_pattern - Get patterned pathname. | ||
314 | * | ||
315 | * @filename: The filename to find patterned pathname. | ||
316 | * | ||
317 | * Returns pointer to pathname pattern if matched, @filename otherwise. | ||
318 | */ | ||
319 | static const struct tomoyo_path_info * | ||
320 | tomoyo_get_file_pattern(const struct tomoyo_path_info *filename) | ||
321 | { | ||
322 | struct tomoyo_pattern_entry *ptr; | ||
323 | const struct tomoyo_path_info *pattern = NULL; | ||
324 | |||
325 | down_read(&tomoyo_pattern_list_lock); | ||
326 | list_for_each_entry(ptr, &tomoyo_pattern_list, list) { | ||
327 | if (ptr->is_deleted) | ||
328 | continue; | ||
329 | if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) | ||
330 | continue; | ||
331 | pattern = ptr->pattern; | ||
332 | if (tomoyo_strendswith(pattern->name, "/\\*")) { | ||
333 | /* Do nothing. Try to find the better match. */ | ||
334 | } else { | ||
335 | /* This would be the better match. Use this. */ | ||
336 | break; | ||
337 | } | ||
338 | } | ||
339 | up_read(&tomoyo_pattern_list_lock); | ||
340 | if (pattern) | ||
341 | filename = pattern; | ||
342 | return filename; | ||
343 | } | ||
344 | |||
345 | /** | ||
346 | * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list. | ||
347 | * | ||
348 | * @data: String to parse. | ||
349 | * @is_delete: True if it is a delete request. | ||
350 | * | ||
351 | * Returns 0 on success, negative value otherwise. | ||
352 | */ | ||
353 | int tomoyo_write_pattern_policy(char *data, const bool is_delete) | ||
354 | { | ||
355 | return tomoyo_update_file_pattern_entry(data, is_delete); | ||
356 | } | ||
357 | |||
358 | /** | ||
359 | * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list. | ||
360 | * | ||
361 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
362 | * | ||
363 | * Returns true on success, false otherwise. | ||
364 | */ | ||
365 | bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) | ||
366 | { | ||
367 | struct list_head *pos; | ||
368 | bool done = true; | ||
369 | |||
370 | down_read(&tomoyo_pattern_list_lock); | ||
371 | list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) { | ||
372 | struct tomoyo_pattern_entry *ptr; | ||
373 | ptr = list_entry(pos, struct tomoyo_pattern_entry, list); | ||
374 | if (ptr->is_deleted) | ||
375 | continue; | ||
376 | if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN "%s\n", | ||
377 | ptr->pattern->name)) { | ||
378 | done = false; | ||
379 | break; | ||
380 | } | ||
381 | } | ||
382 | up_read(&tomoyo_pattern_list_lock); | ||
383 | return done; | ||
384 | } | ||
385 | |||
386 | /* The list for "struct tomoyo_no_rewrite_entry". */ | ||
387 | static LIST_HEAD(tomoyo_no_rewrite_list); | ||
388 | static DECLARE_RWSEM(tomoyo_no_rewrite_list_lock); | ||
389 | |||
390 | /** | ||
391 | * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list. | ||
392 | * | ||
393 | * @pattern: Pathname pattern that are not rewritable by default. | ||
394 | * @is_delete: True if it is a delete request. | ||
395 | * | ||
396 | * Returns 0 on success, negative value otherwise. | ||
397 | */ | ||
398 | static int tomoyo_update_no_rewrite_entry(const char *pattern, | ||
399 | const bool is_delete) | ||
400 | { | ||
401 | struct tomoyo_no_rewrite_entry *new_entry, *ptr; | ||
402 | const struct tomoyo_path_info *saved_pattern; | ||
403 | int error = -ENOMEM; | ||
404 | |||
405 | if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__)) | ||
406 | return -EINVAL; | ||
407 | saved_pattern = tomoyo_save_name(pattern); | ||
408 | if (!saved_pattern) | ||
409 | return -ENOMEM; | ||
410 | /***** EXCLUSIVE SECTION START *****/ | ||
411 | down_write(&tomoyo_no_rewrite_list_lock); | ||
412 | list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) { | ||
413 | if (ptr->pattern != saved_pattern) | ||
414 | continue; | ||
415 | ptr->is_deleted = is_delete; | ||
416 | error = 0; | ||
417 | goto out; | ||
418 | } | ||
419 | if (is_delete) { | ||
420 | error = -ENOENT; | ||
421 | goto out; | ||
422 | } | ||
423 | new_entry = tomoyo_alloc_element(sizeof(*new_entry)); | ||
424 | if (!new_entry) | ||
425 | goto out; | ||
426 | new_entry->pattern = saved_pattern; | ||
427 | list_add_tail(&new_entry->list, &tomoyo_no_rewrite_list); | ||
428 | error = 0; | ||
429 | out: | ||
430 | up_write(&tomoyo_no_rewrite_list_lock); | ||
431 | /***** EXCLUSIVE SECTION END *****/ | ||
432 | return error; | ||
433 | } | ||
434 | |||
435 | /** | ||
436 | * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited. | ||
437 | * | ||
438 | * @filename: Filename to check. | ||
439 | * | ||
440 | * Returns true if @filename is specified by "deny_rewrite" directive, | ||
441 | * false otherwise. | ||
442 | */ | ||
443 | static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename) | ||
444 | { | ||
445 | struct tomoyo_no_rewrite_entry *ptr; | ||
446 | bool found = false; | ||
447 | |||
448 | down_read(&tomoyo_no_rewrite_list_lock); | ||
449 | list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) { | ||
450 | if (ptr->is_deleted) | ||
451 | continue; | ||
452 | if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) | ||
453 | continue; | ||
454 | found = true; | ||
455 | break; | ||
456 | } | ||
457 | up_read(&tomoyo_no_rewrite_list_lock); | ||
458 | return found; | ||
459 | } | ||
460 | |||
461 | /** | ||
462 | * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list. | ||
463 | * | ||
464 | * @data: String to parse. | ||
465 | * @is_delete: True if it is a delete request. | ||
466 | * | ||
467 | * Returns 0 on success, negative value otherwise. | ||
468 | */ | ||
469 | int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete) | ||
470 | { | ||
471 | return tomoyo_update_no_rewrite_entry(data, is_delete); | ||
472 | } | ||
473 | |||
474 | /** | ||
475 | * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list. | ||
476 | * | ||
477 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
478 | * | ||
479 | * Returns true on success, false otherwise. | ||
480 | */ | ||
481 | bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head) | ||
482 | { | ||
483 | struct list_head *pos; | ||
484 | bool done = true; | ||
485 | |||
486 | down_read(&tomoyo_no_rewrite_list_lock); | ||
487 | list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) { | ||
488 | struct tomoyo_no_rewrite_entry *ptr; | ||
489 | ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list); | ||
490 | if (ptr->is_deleted) | ||
491 | continue; | ||
492 | if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE "%s\n", | ||
493 | ptr->pattern->name)) { | ||
494 | done = false; | ||
495 | break; | ||
496 | } | ||
497 | } | ||
498 | up_read(&tomoyo_no_rewrite_list_lock); | ||
499 | return done; | ||
500 | } | ||
501 | |||
502 | /** | ||
503 | * tomoyo_update_file_acl - Update file's read/write/execute ACL. | ||
504 | * | ||
505 | * @filename: Filename. | ||
506 | * @perm: Permission (between 1 to 7). | ||
507 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
508 | * @is_delete: True if it is a delete request. | ||
509 | * | ||
510 | * Returns 0 on success, negative value otherwise. | ||
511 | * | ||
512 | * This is legacy support interface for older policy syntax. | ||
513 | * Current policy syntax uses "allow_read/write" instead of "6", | ||
514 | * "allow_read" instead of "4", "allow_write" instead of "2", | ||
515 | * "allow_execute" instead of "1". | ||
516 | */ | ||
517 | static int tomoyo_update_file_acl(const char *filename, u8 perm, | ||
518 | struct tomoyo_domain_info * const domain, | ||
519 | const bool is_delete) | ||
520 | { | ||
521 | if (perm > 7 || !perm) { | ||
522 | printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n", | ||
523 | __func__, perm, filename); | ||
524 | return -EINVAL; | ||
525 | } | ||
526 | if (filename[0] != '@' && tomoyo_strendswith(filename, "/")) | ||
527 | /* | ||
528 | * Only 'allow_mkdir' and 'allow_rmdir' are valid for | ||
529 | * directory permissions. | ||
530 | */ | ||
531 | return 0; | ||
532 | if (perm & 4) | ||
533 | tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename, | ||
534 | domain, is_delete); | ||
535 | if (perm & 2) | ||
536 | tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename, | ||
537 | domain, is_delete); | ||
538 | if (perm & 1) | ||
539 | tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL, | ||
540 | filename, domain, is_delete); | ||
541 | return 0; | ||
542 | } | ||
543 | |||
544 | /** | ||
545 | * tomoyo_check_single_path_acl2 - Check permission for single path operation. | ||
546 | * | ||
547 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
548 | * @filename: Filename to check. | ||
549 | * @perm: Permission. | ||
550 | * @may_use_pattern: True if patterned ACL is permitted. | ||
551 | * | ||
552 | * Returns 0 on success, -EPERM otherwise. | ||
553 | */ | ||
554 | static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info * | ||
555 | domain, | ||
556 | const struct tomoyo_path_info * | ||
557 | filename, | ||
558 | const u16 perm, | ||
559 | const bool may_use_pattern) | ||
560 | { | ||
561 | struct tomoyo_acl_info *ptr; | ||
562 | int error = -EPERM; | ||
563 | |||
564 | down_read(&tomoyo_domain_acl_info_list_lock); | ||
565 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | ||
566 | struct tomoyo_single_path_acl_record *acl; | ||
567 | if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) | ||
568 | continue; | ||
569 | acl = container_of(ptr, struct tomoyo_single_path_acl_record, | ||
570 | head); | ||
571 | if (!(acl->perm & perm)) | ||
572 | continue; | ||
573 | if (may_use_pattern || !acl->filename->is_patterned) { | ||
574 | if (!tomoyo_path_matches_pattern(filename, | ||
575 | acl->filename)) | ||
576 | continue; | ||
577 | } else { | ||
578 | continue; | ||
579 | } | ||
580 | error = 0; | ||
581 | break; | ||
582 | } | ||
583 | up_read(&tomoyo_domain_acl_info_list_lock); | ||
584 | return error; | ||
585 | } | ||
586 | |||
587 | /** | ||
588 | * tomoyo_check_file_acl - Check permission for opening files. | ||
589 | * | ||
590 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
591 | * @filename: Filename to check. | ||
592 | * @operation: Mode ("read" or "write" or "read/write" or "execute"). | ||
593 | * | ||
594 | * Returns 0 on success, -EPERM otherwise. | ||
595 | */ | ||
596 | static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain, | ||
597 | const struct tomoyo_path_info *filename, | ||
598 | const u8 operation) | ||
599 | { | ||
600 | u16 perm = 0; | ||
601 | |||
602 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) | ||
603 | return 0; | ||
604 | if (operation == 6) | ||
605 | perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL; | ||
606 | else if (operation == 4) | ||
607 | perm = 1 << TOMOYO_TYPE_READ_ACL; | ||
608 | else if (operation == 2) | ||
609 | perm = 1 << TOMOYO_TYPE_WRITE_ACL; | ||
610 | else if (operation == 1) | ||
611 | perm = 1 << TOMOYO_TYPE_EXECUTE_ACL; | ||
612 | else | ||
613 | BUG(); | ||
614 | return tomoyo_check_single_path_acl2(domain, filename, perm, | ||
615 | operation != 1); | ||
616 | } | ||
617 | |||
618 | /** | ||
619 | * tomoyo_check_file_perm2 - Check permission for opening files. | ||
620 | * | ||
621 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
622 | * @filename: Filename to check. | ||
623 | * @perm: Mode ("read" or "write" or "read/write" or "execute"). | ||
624 | * @operation: Operation name passed used for verbose mode. | ||
625 | * @mode: Access control mode. | ||
626 | * | ||
627 | * Returns 0 on success, negative value otherwise. | ||
628 | */ | ||
629 | static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain, | ||
630 | const struct tomoyo_path_info *filename, | ||
631 | const u8 perm, const char *operation, | ||
632 | const u8 mode) | ||
633 | { | ||
634 | const bool is_enforce = (mode == 3); | ||
635 | const char *msg = "<unknown>"; | ||
636 | int error = 0; | ||
637 | |||
638 | if (!filename) | ||
639 | return 0; | ||
640 | error = tomoyo_check_file_acl(domain, filename, perm); | ||
641 | if (error && perm == 4 && | ||
642 | (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) == 0 | ||
643 | && tomoyo_is_globally_readable_file(filename)) | ||
644 | error = 0; | ||
645 | if (perm == 6) | ||
646 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL); | ||
647 | else if (perm == 4) | ||
648 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL); | ||
649 | else if (perm == 2) | ||
650 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL); | ||
651 | else if (perm == 1) | ||
652 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL); | ||
653 | else | ||
654 | BUG(); | ||
655 | if (!error) | ||
656 | return 0; | ||
657 | if (tomoyo_verbose_mode(domain)) | ||
658 | printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied " | ||
659 | "for %s\n", tomoyo_get_msg(is_enforce), msg, operation, | ||
660 | filename->name, tomoyo_get_last_name(domain)); | ||
661 | if (is_enforce) | ||
662 | return error; | ||
663 | if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { | ||
664 | /* Don't use patterns for execute permission. */ | ||
665 | const struct tomoyo_path_info *patterned_file = (perm != 1) ? | ||
666 | tomoyo_get_file_pattern(filename) : filename; | ||
667 | tomoyo_update_file_acl(patterned_file->name, perm, | ||
668 | domain, false); | ||
669 | } | ||
670 | return 0; | ||
671 | } | ||
672 | |||
673 | /** | ||
674 | * tomoyo_write_file_policy - Update file related list. | ||
675 | * | ||
676 | * @data: String to parse. | ||
677 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
678 | * @is_delete: True if it is a delete request. | ||
679 | * | ||
680 | * Returns 0 on success, negative value otherwise. | ||
681 | */ | ||
682 | int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, | ||
683 | const bool is_delete) | ||
684 | { | ||
685 | char *filename = strchr(data, ' '); | ||
686 | char *filename2; | ||
687 | unsigned int perm; | ||
688 | u8 type; | ||
689 | |||
690 | if (!filename) | ||
691 | return -EINVAL; | ||
692 | *filename++ = '\0'; | ||
693 | if (sscanf(data, "%u", &perm) == 1) | ||
694 | return tomoyo_update_file_acl(filename, (u8) perm, domain, | ||
695 | is_delete); | ||
696 | if (strncmp(data, "allow_", 6)) | ||
697 | goto out; | ||
698 | data += 6; | ||
699 | for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) { | ||
700 | if (strcmp(data, tomoyo_sp_keyword[type])) | ||
701 | continue; | ||
702 | return tomoyo_update_single_path_acl(type, filename, | ||
703 | domain, is_delete); | ||
704 | } | ||
705 | filename2 = strchr(filename, ' '); | ||
706 | if (!filename2) | ||
707 | goto out; | ||
708 | *filename2++ = '\0'; | ||
709 | for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) { | ||
710 | if (strcmp(data, tomoyo_dp_keyword[type])) | ||
711 | continue; | ||
712 | return tomoyo_update_double_path_acl(type, filename, filename2, | ||
713 | domain, is_delete); | ||
714 | } | ||
715 | out: | ||
716 | return -EINVAL; | ||
717 | } | ||
718 | |||
719 | /** | ||
720 | * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list. | ||
721 | * | ||
722 | * @type: Type of operation. | ||
723 | * @filename: Filename. | ||
724 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
725 | * @is_delete: True if it is a delete request. | ||
726 | * | ||
727 | * Returns 0 on success, negative value otherwise. | ||
728 | */ | ||
729 | static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | ||
730 | struct tomoyo_domain_info * | ||
731 | const domain, const bool is_delete) | ||
732 | { | ||
733 | static const u16 rw_mask = | ||
734 | (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL); | ||
735 | const struct tomoyo_path_info *saved_filename; | ||
736 | struct tomoyo_acl_info *ptr; | ||
737 | struct tomoyo_single_path_acl_record *acl; | ||
738 | int error = -ENOMEM; | ||
739 | const u16 perm = 1 << type; | ||
740 | |||
741 | if (!domain) | ||
742 | return -EINVAL; | ||
743 | if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__)) | ||
744 | return -EINVAL; | ||
745 | saved_filename = tomoyo_save_name(filename); | ||
746 | if (!saved_filename) | ||
747 | return -ENOMEM; | ||
748 | /***** EXCLUSIVE SECTION START *****/ | ||
749 | down_write(&tomoyo_domain_acl_info_list_lock); | ||
750 | if (is_delete) | ||
751 | goto delete; | ||
752 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | ||
753 | if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) | ||
754 | continue; | ||
755 | acl = container_of(ptr, struct tomoyo_single_path_acl_record, | ||
756 | head); | ||
757 | if (acl->filename != saved_filename) | ||
758 | continue; | ||
759 | /* Special case. Clear all bits if marked as deleted. */ | ||
760 | if (ptr->type & TOMOYO_ACL_DELETED) | ||
761 | acl->perm = 0; | ||
762 | acl->perm |= perm; | ||
763 | if ((acl->perm & rw_mask) == rw_mask) | ||
764 | acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL; | ||
765 | else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) | ||
766 | acl->perm |= rw_mask; | ||
767 | ptr->type &= ~TOMOYO_ACL_DELETED; | ||
768 | error = 0; | ||
769 | goto out; | ||
770 | } | ||
771 | /* Not found. Append it to the tail. */ | ||
772 | acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL); | ||
773 | if (!acl) | ||
774 | goto out; | ||
775 | acl->perm = perm; | ||
776 | if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL)) | ||
777 | acl->perm |= rw_mask; | ||
778 | acl->filename = saved_filename; | ||
779 | list_add_tail(&acl->head.list, &domain->acl_info_list); | ||
780 | error = 0; | ||
781 | goto out; | ||
782 | delete: | ||
783 | error = -ENOENT; | ||
784 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | ||
785 | if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) | ||
786 | continue; | ||
787 | acl = container_of(ptr, struct tomoyo_single_path_acl_record, | ||
788 | head); | ||
789 | if (acl->filename != saved_filename) | ||
790 | continue; | ||
791 | acl->perm &= ~perm; | ||
792 | if ((acl->perm & rw_mask) != rw_mask) | ||
793 | acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL); | ||
794 | else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) | ||
795 | acl->perm &= ~rw_mask; | ||
796 | if (!acl->perm) | ||
797 | ptr->type |= TOMOYO_ACL_DELETED; | ||
798 | error = 0; | ||
799 | break; | ||
800 | } | ||
801 | out: | ||
802 | up_write(&tomoyo_domain_acl_info_list_lock); | ||
803 | /***** EXCLUSIVE SECTION END *****/ | ||
804 | return error; | ||
805 | } | ||
806 | |||
807 | /** | ||
808 | * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list. | ||
809 | * | ||
810 | * @type: Type of operation. | ||
811 | * @filename1: First filename. | ||
812 | * @filename2: Second filename. | ||
813 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
814 | * @is_delete: True if it is a delete request. | ||
815 | * | ||
816 | * Returns 0 on success, negative value otherwise. | ||
817 | */ | ||
818 | static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | ||
819 | const char *filename2, | ||
820 | struct tomoyo_domain_info * | ||
821 | const domain, const bool is_delete) | ||
822 | { | ||
823 | const struct tomoyo_path_info *saved_filename1; | ||
824 | const struct tomoyo_path_info *saved_filename2; | ||
825 | struct tomoyo_acl_info *ptr; | ||
826 | struct tomoyo_double_path_acl_record *acl; | ||
827 | int error = -ENOMEM; | ||
828 | const u8 perm = 1 << type; | ||
829 | |||
830 | if (!domain) | ||
831 | return -EINVAL; | ||
832 | if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) || | ||
833 | !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__)) | ||
834 | return -EINVAL; | ||
835 | saved_filename1 = tomoyo_save_name(filename1); | ||
836 | saved_filename2 = tomoyo_save_name(filename2); | ||
837 | if (!saved_filename1 || !saved_filename2) | ||
838 | return -ENOMEM; | ||
839 | /***** EXCLUSIVE SECTION START *****/ | ||
840 | down_write(&tomoyo_domain_acl_info_list_lock); | ||
841 | if (is_delete) | ||
842 | goto delete; | ||
843 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | ||
844 | if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) | ||
845 | continue; | ||
846 | acl = container_of(ptr, struct tomoyo_double_path_acl_record, | ||
847 | head); | ||
848 | if (acl->filename1 != saved_filename1 || | ||
849 | acl->filename2 != saved_filename2) | ||
850 | continue; | ||
851 | /* Special case. Clear all bits if marked as deleted. */ | ||
852 | if (ptr->type & TOMOYO_ACL_DELETED) | ||
853 | acl->perm = 0; | ||
854 | acl->perm |= perm; | ||
855 | ptr->type &= ~TOMOYO_ACL_DELETED; | ||
856 | error = 0; | ||
857 | goto out; | ||
858 | } | ||
859 | /* Not found. Append it to the tail. */ | ||
860 | acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_DOUBLE_PATH_ACL); | ||
861 | if (!acl) | ||
862 | goto out; | ||
863 | acl->perm = perm; | ||
864 | acl->filename1 = saved_filename1; | ||
865 | acl->filename2 = saved_filename2; | ||
866 | list_add_tail(&acl->head.list, &domain->acl_info_list); | ||
867 | error = 0; | ||
868 | goto out; | ||
869 | delete: | ||
870 | error = -ENOENT; | ||
871 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | ||
872 | if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) | ||
873 | continue; | ||
874 | acl = container_of(ptr, struct tomoyo_double_path_acl_record, | ||
875 | head); | ||
876 | if (acl->filename1 != saved_filename1 || | ||
877 | acl->filename2 != saved_filename2) | ||
878 | continue; | ||
879 | acl->perm &= ~perm; | ||
880 | if (!acl->perm) | ||
881 | ptr->type |= TOMOYO_ACL_DELETED; | ||
882 | error = 0; | ||
883 | break; | ||
884 | } | ||
885 | out: | ||
886 | up_write(&tomoyo_domain_acl_info_list_lock); | ||
887 | /***** EXCLUSIVE SECTION END *****/ | ||
888 | return error; | ||
889 | } | ||
890 | |||
891 | /** | ||
892 | * tomoyo_check_single_path_acl - Check permission for single path operation. | ||
893 | * | ||
894 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
895 | * @type: Type of operation. | ||
896 | * @filename: Filename to check. | ||
897 | * | ||
898 | * Returns 0 on success, negative value otherwise. | ||
899 | */ | ||
900 | static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain, | ||
901 | const u8 type, | ||
902 | const struct tomoyo_path_info *filename) | ||
903 | { | ||
904 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) | ||
905 | return 0; | ||
906 | return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1); | ||
907 | } | ||
908 | |||
909 | /** | ||
910 | * tomoyo_check_double_path_acl - Check permission for double path operation. | ||
911 | * | ||
912 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
913 | * @type: Type of operation. | ||
914 | * @filename1: First filename to check. | ||
915 | * @filename2: Second filename to check. | ||
916 | * | ||
917 | * Returns 0 on success, -EPERM otherwise. | ||
918 | */ | ||
919 | static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain, | ||
920 | const u8 type, | ||
921 | const struct tomoyo_path_info * | ||
922 | filename1, | ||
923 | const struct tomoyo_path_info * | ||
924 | filename2) | ||
925 | { | ||
926 | struct tomoyo_acl_info *ptr; | ||
927 | const u8 perm = 1 << type; | ||
928 | int error = -EPERM; | ||
929 | |||
930 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) | ||
931 | return 0; | ||
932 | down_read(&tomoyo_domain_acl_info_list_lock); | ||
933 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | ||
934 | struct tomoyo_double_path_acl_record *acl; | ||
935 | if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) | ||
936 | continue; | ||
937 | acl = container_of(ptr, struct tomoyo_double_path_acl_record, | ||
938 | head); | ||
939 | if (!(acl->perm & perm)) | ||
940 | continue; | ||
941 | if (!tomoyo_path_matches_pattern(filename1, acl->filename1)) | ||
942 | continue; | ||
943 | if (!tomoyo_path_matches_pattern(filename2, acl->filename2)) | ||
944 | continue; | ||
945 | error = 0; | ||
946 | break; | ||
947 | } | ||
948 | up_read(&tomoyo_domain_acl_info_list_lock); | ||
949 | return error; | ||
950 | } | ||
951 | |||
952 | /** | ||
953 | * tomoyo_check_single_path_permission2 - Check permission for single path operation. | ||
954 | * | ||
955 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
956 | * @operation: Type of operation. | ||
957 | * @filename: Filename to check. | ||
958 | * @mode: Access control mode. | ||
959 | * | ||
960 | * Returns 0 on success, negative value otherwise. | ||
961 | */ | ||
962 | static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * | ||
963 | const domain, u8 operation, | ||
964 | const struct tomoyo_path_info * | ||
965 | filename, const u8 mode) | ||
966 | { | ||
967 | const char *msg; | ||
968 | int error; | ||
969 | const bool is_enforce = (mode == 3); | ||
970 | |||
971 | if (!mode) | ||
972 | return 0; | ||
973 | next: | ||
974 | error = tomoyo_check_single_path_acl(domain, operation, filename); | ||
975 | msg = tomoyo_sp2keyword(operation); | ||
976 | if (!error) | ||
977 | goto ok; | ||
978 | if (tomoyo_verbose_mode(domain)) | ||
979 | printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n", | ||
980 | tomoyo_get_msg(is_enforce), msg, filename->name, | ||
981 | tomoyo_get_last_name(domain)); | ||
982 | if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { | ||
983 | const char *name = tomoyo_get_file_pattern(filename)->name; | ||
984 | tomoyo_update_single_path_acl(operation, name, domain, false); | ||
985 | } | ||
986 | if (!is_enforce) | ||
987 | error = 0; | ||
988 | ok: | ||
989 | /* | ||
990 | * Since "allow_truncate" doesn't imply "allow_rewrite" permission, | ||
991 | * we need to check "allow_rewrite" permission if the filename is | ||
992 | * specified by "deny_rewrite" keyword. | ||
993 | */ | ||
994 | if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL && | ||
995 | tomoyo_is_no_rewrite_file(filename)) { | ||
996 | operation = TOMOYO_TYPE_REWRITE_ACL; | ||
997 | goto next; | ||
998 | } | ||
999 | return error; | ||
1000 | } | ||
1001 | |||
1002 | /** | ||
1003 | * tomoyo_check_file_perm - Check permission for sysctl()'s "read" and "write". | ||
1004 | * | ||
1005 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
1006 | * @filename: Filename to check. | ||
1007 | * @perm: Mode ("read" or "write" or "read/write"). | ||
1008 | * Returns 0 on success, negative value otherwise. | ||
1009 | */ | ||
1010 | int tomoyo_check_file_perm(struct tomoyo_domain_info *domain, | ||
1011 | const char *filename, const u8 perm) | ||
1012 | { | ||
1013 | struct tomoyo_path_info name; | ||
1014 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | ||
1015 | |||
1016 | if (!mode) | ||
1017 | return 0; | ||
1018 | name.name = filename; | ||
1019 | tomoyo_fill_path_info(&name); | ||
1020 | return tomoyo_check_file_perm2(domain, &name, perm, "sysctl", mode); | ||
1021 | } | ||
1022 | |||
1023 | /** | ||
1024 | * tomoyo_check_exec_perm - Check permission for "execute". | ||
1025 | * | ||
1026 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
1027 | * @filename: Check permission for "execute". | ||
1028 | * @tmp: Buffer for temporary use. | ||
1029 | * | ||
1030 | * Returns 0 on success, negativevalue otherwise. | ||
1031 | */ | ||
1032 | int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, | ||
1033 | const struct tomoyo_path_info *filename, | ||
1034 | struct tomoyo_page_buffer *tmp) | ||
1035 | { | ||
1036 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | ||
1037 | |||
1038 | if (!mode) | ||
1039 | return 0; | ||
1040 | return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode); | ||
1041 | } | ||
1042 | |||
1043 | /** | ||
1044 | * tomoyo_check_open_permission - Check permission for "read" and "write". | ||
1045 | * | ||
1046 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
1047 | * @path: Pointer to "struct path". | ||
1048 | * @flag: Flags for open(). | ||
1049 | * | ||
1050 | * Returns 0 on success, negative value otherwise. | ||
1051 | */ | ||
1052 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | ||
1053 | struct path *path, const int flag) | ||
1054 | { | ||
1055 | const u8 acc_mode = ACC_MODE(flag); | ||
1056 | int error = -ENOMEM; | ||
1057 | struct tomoyo_path_info *buf; | ||
1058 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | ||
1059 | const bool is_enforce = (mode == 3); | ||
1060 | |||
1061 | if (!mode || !path->mnt) | ||
1062 | return 0; | ||
1063 | if (acc_mode == 0) | ||
1064 | return 0; | ||
1065 | if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode)) | ||
1066 | /* | ||
1067 | * I don't check directories here because mkdir() and rmdir() | ||
1068 | * don't call me. | ||
1069 | */ | ||
1070 | return 0; | ||
1071 | buf = tomoyo_get_path(path); | ||
1072 | if (!buf) | ||
1073 | goto out; | ||
1074 | error = 0; | ||
1075 | /* | ||
1076 | * If the filename is specified by "deny_rewrite" keyword, | ||
1077 | * we need to check "allow_rewrite" permission when the filename is not | ||
1078 | * opened for append mode or the filename is truncated at open time. | ||
1079 | */ | ||
1080 | if ((acc_mode & MAY_WRITE) && | ||
1081 | ((flag & O_TRUNC) || !(flag & O_APPEND)) && | ||
1082 | (tomoyo_is_no_rewrite_file(buf))) { | ||
1083 | error = tomoyo_check_single_path_permission2(domain, | ||
1084 | TOMOYO_TYPE_REWRITE_ACL, | ||
1085 | buf, mode); | ||
1086 | } | ||
1087 | if (!error) | ||
1088 | error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open", | ||
1089 | mode); | ||
1090 | if (!error && (flag & O_TRUNC)) | ||
1091 | error = tomoyo_check_single_path_permission2(domain, | ||
1092 | TOMOYO_TYPE_TRUNCATE_ACL, | ||
1093 | buf, mode); | ||
1094 | out: | ||
1095 | tomoyo_free(buf); | ||
1096 | if (!is_enforce) | ||
1097 | error = 0; | ||
1098 | return error; | ||
1099 | } | ||
1100 | |||
1101 | /** | ||
1102 | * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate" and "symlink". | ||
1103 | * | ||
1104 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
1105 | * @operation: Type of operation. | ||
1106 | * @path: Pointer to "struct path". | ||
1107 | * | ||
1108 | * Returns 0 on success, negative value otherwise. | ||
1109 | */ | ||
1110 | int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, | ||
1111 | const u8 operation, struct path *path) | ||
1112 | { | ||
1113 | int error = -ENOMEM; | ||
1114 | struct tomoyo_path_info *buf; | ||
1115 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | ||
1116 | const bool is_enforce = (mode == 3); | ||
1117 | |||
1118 | if (!mode || !path->mnt) | ||
1119 | return 0; | ||
1120 | buf = tomoyo_get_path(path); | ||
1121 | if (!buf) | ||
1122 | goto out; | ||
1123 | switch (operation) { | ||
1124 | case TOMOYO_TYPE_MKDIR_ACL: | ||
1125 | case TOMOYO_TYPE_RMDIR_ACL: | ||
1126 | if (!buf->is_dir) { | ||
1127 | /* | ||
1128 | * tomoyo_get_path() reserves space for appending "/." | ||
1129 | */ | ||
1130 | strcat((char *) buf->name, "/"); | ||
1131 | tomoyo_fill_path_info(buf); | ||
1132 | } | ||
1133 | } | ||
1134 | error = tomoyo_check_single_path_permission2(domain, operation, buf, | ||
1135 | mode); | ||
1136 | out: | ||
1137 | tomoyo_free(buf); | ||
1138 | if (!is_enforce) | ||
1139 | error = 0; | ||
1140 | return error; | ||
1141 | } | ||
1142 | |||
1143 | /** | ||
1144 | * tomoyo_check_rewrite_permission - Check permission for "rewrite". | ||
1145 | * | ||
1146 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
1147 | * @filp: Pointer to "struct file". | ||
1148 | * | ||
1149 | * Returns 0 on success, negative value otherwise. | ||
1150 | */ | ||
1151 | int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, | ||
1152 | struct file *filp) | ||
1153 | { | ||
1154 | int error = -ENOMEM; | ||
1155 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | ||
1156 | const bool is_enforce = (mode == 3); | ||
1157 | struct tomoyo_path_info *buf; | ||
1158 | |||
1159 | if (!mode || !filp->f_path.mnt) | ||
1160 | return 0; | ||
1161 | buf = tomoyo_get_path(&filp->f_path); | ||
1162 | if (!buf) | ||
1163 | goto out; | ||
1164 | if (!tomoyo_is_no_rewrite_file(buf)) { | ||
1165 | error = 0; | ||
1166 | goto out; | ||
1167 | } | ||
1168 | error = tomoyo_check_single_path_permission2(domain, | ||
1169 | TOMOYO_TYPE_REWRITE_ACL, | ||
1170 | buf, mode); | ||
1171 | out: | ||
1172 | tomoyo_free(buf); | ||
1173 | if (!is_enforce) | ||
1174 | error = 0; | ||
1175 | return error; | ||
1176 | } | ||
1177 | |||
1178 | /** | ||
1179 | * tomoyo_check_2path_perm - Check permission for "rename" and "link". | ||
1180 | * | ||
1181 | * @domain: Pointer to "struct tomoyo_domain_info". | ||
1182 | * @operation: Type of operation. | ||
1183 | * @path1: Pointer to "struct path". | ||
1184 | * @path2: Pointer to "struct path". | ||
1185 | * | ||
1186 | * Returns 0 on success, negative value otherwise. | ||
1187 | */ | ||
1188 | int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain, | ||
1189 | const u8 operation, struct path *path1, | ||
1190 | struct path *path2) | ||
1191 | { | ||
1192 | int error = -ENOMEM; | ||
1193 | struct tomoyo_path_info *buf1, *buf2; | ||
1194 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | ||
1195 | const bool is_enforce = (mode == 3); | ||
1196 | const char *msg; | ||
1197 | |||
1198 | if (!mode || !path1->mnt || !path2->mnt) | ||
1199 | return 0; | ||
1200 | buf1 = tomoyo_get_path(path1); | ||
1201 | buf2 = tomoyo_get_path(path2); | ||
1202 | if (!buf1 || !buf2) | ||
1203 | goto out; | ||
1204 | { | ||
1205 | struct dentry *dentry = path1->dentry; | ||
1206 | if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) { | ||
1207 | /* | ||
1208 | * tomoyo_get_path() reserves space for appending "/." | ||
1209 | */ | ||
1210 | if (!buf1->is_dir) { | ||
1211 | strcat((char *) buf1->name, "/"); | ||
1212 | tomoyo_fill_path_info(buf1); | ||
1213 | } | ||
1214 | if (!buf2->is_dir) { | ||
1215 | strcat((char *) buf2->name, "/"); | ||
1216 | tomoyo_fill_path_info(buf2); | ||
1217 | } | ||
1218 | } | ||
1219 | } | ||
1220 | error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2); | ||
1221 | msg = tomoyo_dp2keyword(operation); | ||
1222 | if (!error) | ||
1223 | goto out; | ||
1224 | if (tomoyo_verbose_mode(domain)) | ||
1225 | printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' " | ||
1226 | "denied for %s\n", tomoyo_get_msg(is_enforce), | ||
1227 | msg, buf1->name, buf2->name, | ||
1228 | tomoyo_get_last_name(domain)); | ||
1229 | if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { | ||
1230 | const char *name1 = tomoyo_get_file_pattern(buf1)->name; | ||
1231 | const char *name2 = tomoyo_get_file_pattern(buf2)->name; | ||
1232 | tomoyo_update_double_path_acl(operation, name1, name2, domain, | ||
1233 | false); | ||
1234 | } | ||
1235 | out: | ||
1236 | tomoyo_free(buf1); | ||
1237 | tomoyo_free(buf2); | ||
1238 | if (!is_enforce) | ||
1239 | error = 0; | ||
1240 | return error; | ||
1241 | } | ||
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c new file mode 100644 index 000000000000..d47f16b844b2 --- /dev/null +++ b/security/tomoyo/realpath.c | |||
@@ -0,0 +1,482 @@ | |||
1 | /* | ||
2 | * security/tomoyo/realpath.c | ||
3 | * | ||
4 | * Get the canonicalized absolute pathnames. The basis for TOMOYO. | ||
5 | * | ||
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | ||
7 | * | ||
8 | * Version: 2.2.0-pre 2009/02/01 | ||
9 | * | ||
10 | */ | ||
11 | |||
12 | #include <linux/types.h> | ||
13 | #include <linux/mount.h> | ||
14 | #include <linux/mnt_namespace.h> | ||
15 | #include "common.h" | ||
16 | #include "realpath.h" | ||
17 | |||
18 | /** | ||
19 | * tomoyo_encode: Convert binary string to ascii string. | ||
20 | * | ||
21 | * @buffer: Buffer for ASCII string. | ||
22 | * @buflen: Size of @buffer. | ||
23 | * @str: Binary string. | ||
24 | * | ||
25 | * Returns 0 on success, -ENOMEM otherwise. | ||
26 | */ | ||
27 | int tomoyo_encode(char *buffer, int buflen, const char *str) | ||
28 | { | ||
29 | while (1) { | ||
30 | const unsigned char c = *(unsigned char *) str++; | ||
31 | |||
32 | if (tomoyo_is_valid(c)) { | ||
33 | if (--buflen <= 0) | ||
34 | break; | ||
35 | *buffer++ = (char) c; | ||
36 | if (c != '\\') | ||
37 | continue; | ||
38 | if (--buflen <= 0) | ||
39 | break; | ||
40 | *buffer++ = (char) c; | ||
41 | continue; | ||
42 | } | ||
43 | if (!c) { | ||
44 | if (--buflen <= 0) | ||
45 | break; | ||
46 | *buffer = '\0'; | ||
47 | return 0; | ||
48 | } | ||
49 | buflen -= 4; | ||
50 | if (buflen <= 0) | ||
51 | break; | ||
52 | *buffer++ = '\\'; | ||
53 | *buffer++ = (c >> 6) + '0'; | ||
54 | *buffer++ = ((c >> 3) & 7) + '0'; | ||
55 | *buffer++ = (c & 7) + '0'; | ||
56 | } | ||
57 | return -ENOMEM; | ||
58 | } | ||
59 | |||
60 | /** | ||
61 | * tomoyo_realpath_from_path2 - Returns realpath(3) of the given dentry but ignores chroot'ed root. | ||
62 | * | ||
63 | * @path: Pointer to "struct path". | ||
64 | * @newname: Pointer to buffer to return value in. | ||
65 | * @newname_len: Size of @newname. | ||
66 | * | ||
67 | * Returns 0 on success, negative value otherwise. | ||
68 | * | ||
69 | * If dentry is a directory, trailing '/' is appended. | ||
70 | * Characters out of 0x20 < c < 0x7F range are converted to | ||
71 | * \ooo style octal string. | ||
72 | * Character \ is converted to \\ string. | ||
73 | */ | ||
74 | int tomoyo_realpath_from_path2(struct path *path, char *newname, | ||
75 | int newname_len) | ||
76 | { | ||
77 | int error = -ENOMEM; | ||
78 | struct dentry *dentry = path->dentry; | ||
79 | char *sp; | ||
80 | |||
81 | if (!dentry || !path->mnt || !newname || newname_len <= 2048) | ||
82 | return -EINVAL; | ||
83 | if (dentry->d_op && dentry->d_op->d_dname) { | ||
84 | /* For "socket:[\$]" and "pipe:[\$]". */ | ||
85 | static const int offset = 1536; | ||
86 | sp = dentry->d_op->d_dname(dentry, newname + offset, | ||
87 | newname_len - offset); | ||
88 | } else { | ||
89 | /* Taken from d_namespace_path(). */ | ||
90 | struct path root; | ||
91 | struct path ns_root = { }; | ||
92 | struct path tmp; | ||
93 | |||
94 | read_lock(¤t->fs->lock); | ||
95 | root = current->fs->root; | ||
96 | path_get(&root); | ||
97 | read_unlock(¤t->fs->lock); | ||
98 | spin_lock(&vfsmount_lock); | ||
99 | if (root.mnt && root.mnt->mnt_ns) | ||
100 | ns_root.mnt = mntget(root.mnt->mnt_ns->root); | ||
101 | if (ns_root.mnt) | ||
102 | ns_root.dentry = dget(ns_root.mnt->mnt_root); | ||
103 | spin_unlock(&vfsmount_lock); | ||
104 | spin_lock(&dcache_lock); | ||
105 | tmp = ns_root; | ||
106 | sp = __d_path(path, &tmp, newname, newname_len); | ||
107 | spin_unlock(&dcache_lock); | ||
108 | path_put(&root); | ||
109 | path_put(&ns_root); | ||
110 | } | ||
111 | if (IS_ERR(sp)) | ||
112 | error = PTR_ERR(sp); | ||
113 | else | ||
114 | error = tomoyo_encode(newname, sp - newname, sp); | ||
115 | /* Append trailing '/' if dentry is a directory. */ | ||
116 | if (!error && dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode) | ||
117 | && *newname) { | ||
118 | sp = newname + strlen(newname); | ||
119 | if (*(sp - 1) != '/') { | ||
120 | if (sp < newname + newname_len - 4) { | ||
121 | *sp++ = '/'; | ||
122 | *sp = '\0'; | ||
123 | } else { | ||
124 | error = -ENOMEM; | ||
125 | } | ||
126 | } | ||
127 | } | ||
128 | if (error) | ||
129 | printk(KERN_WARNING "tomoyo_realpath: Pathname too long.\n"); | ||
130 | return error; | ||
131 | } | ||
132 | |||
133 | /** | ||
134 | * tomoyo_realpath_from_path - Returns realpath(3) of the given pathname but ignores chroot'ed root. | ||
135 | * | ||
136 | * @path: Pointer to "struct path". | ||
137 | * | ||
138 | * Returns the realpath of the given @path on success, NULL otherwise. | ||
139 | * | ||
140 | * These functions use tomoyo_alloc(), so the caller must call tomoyo_free() | ||
141 | * if these functions didn't return NULL. | ||
142 | */ | ||
143 | char *tomoyo_realpath_from_path(struct path *path) | ||
144 | { | ||
145 | char *buf = tomoyo_alloc(sizeof(struct tomoyo_page_buffer)); | ||
146 | |||
147 | BUILD_BUG_ON(sizeof(struct tomoyo_page_buffer) | ||
148 | <= TOMOYO_MAX_PATHNAME_LEN - 1); | ||
149 | if (!buf) | ||
150 | return NULL; | ||
151 | if (tomoyo_realpath_from_path2(path, buf, | ||
152 | TOMOYO_MAX_PATHNAME_LEN - 1) == 0) | ||
153 | return buf; | ||
154 | tomoyo_free(buf); | ||
155 | return NULL; | ||
156 | } | ||
157 | |||
158 | /** | ||
159 | * tomoyo_realpath - Get realpath of a pathname. | ||
160 | * | ||
161 | * @pathname: The pathname to solve. | ||
162 | * | ||
163 | * Returns the realpath of @pathname on success, NULL otherwise. | ||
164 | */ | ||
165 | char *tomoyo_realpath(const char *pathname) | ||
166 | { | ||
167 | struct nameidata nd; | ||
168 | |||
169 | if (pathname && path_lookup(pathname, LOOKUP_FOLLOW, &nd) == 0) { | ||
170 | char *buf = tomoyo_realpath_from_path(&nd.path); | ||
171 | path_put(&nd.path); | ||
172 | return buf; | ||
173 | } | ||
174 | return NULL; | ||
175 | } | ||
176 | |||
177 | /** | ||
178 | * tomoyo_realpath_nofollow - Get realpath of a pathname. | ||
179 | * | ||
180 | * @pathname: The pathname to solve. | ||
181 | * | ||
182 | * Returns the realpath of @pathname on success, NULL otherwise. | ||
183 | */ | ||
184 | char *tomoyo_realpath_nofollow(const char *pathname) | ||
185 | { | ||
186 | struct nameidata nd; | ||
187 | |||
188 | if (pathname && path_lookup(pathname, 0, &nd) == 0) { | ||
189 | char *buf = tomoyo_realpath_from_path(&nd.path); | ||
190 | path_put(&nd.path); | ||
191 | return buf; | ||
192 | } | ||
193 | return NULL; | ||
194 | } | ||
195 | |||
196 | /* Memory allocated for non-string data. */ | ||
197 | static unsigned int tomoyo_allocated_memory_for_elements; | ||
198 | /* Quota for holding non-string data. */ | ||
199 | static unsigned int tomoyo_quota_for_elements; | ||
200 | |||
201 | /** | ||
202 | * tomoyo_alloc_element - Allocate permanent memory for structures. | ||
203 | * | ||
204 | * @size: Size in bytes. | ||
205 | * | ||
206 | * Returns pointer to allocated memory on success, NULL otherwise. | ||
207 | * | ||
208 | * Memory has to be zeroed. | ||
209 | * The RAM is chunked, so NEVER try to kfree() the returned pointer. | ||
210 | */ | ||
211 | void *tomoyo_alloc_element(const unsigned int size) | ||
212 | { | ||
213 | static char *buf; | ||
214 | static DEFINE_MUTEX(lock); | ||
215 | static unsigned int buf_used_len = PATH_MAX; | ||
216 | char *ptr = NULL; | ||
217 | /*Assumes sizeof(void *) >= sizeof(long) is true. */ | ||
218 | const unsigned int word_aligned_size | ||
219 | = roundup(size, max(sizeof(void *), sizeof(long))); | ||
220 | if (word_aligned_size > PATH_MAX) | ||
221 | return NULL; | ||
222 | /***** EXCLUSIVE SECTION START *****/ | ||
223 | mutex_lock(&lock); | ||
224 | if (buf_used_len + word_aligned_size > PATH_MAX) { | ||
225 | if (!tomoyo_quota_for_elements || | ||
226 | tomoyo_allocated_memory_for_elements | ||
227 | + PATH_MAX <= tomoyo_quota_for_elements) | ||
228 | ptr = kzalloc(PATH_MAX, GFP_KERNEL); | ||
229 | if (!ptr) { | ||
230 | printk(KERN_WARNING "ERROR: Out of memory " | ||
231 | "for tomoyo_alloc_element().\n"); | ||
232 | if (!tomoyo_policy_loaded) | ||
233 | panic("MAC Initialization failed.\n"); | ||
234 | } else { | ||
235 | buf = ptr; | ||
236 | tomoyo_allocated_memory_for_elements += PATH_MAX; | ||
237 | buf_used_len = word_aligned_size; | ||
238 | ptr = buf; | ||
239 | } | ||
240 | } else if (word_aligned_size) { | ||
241 | int i; | ||
242 | ptr = buf + buf_used_len; | ||
243 | buf_used_len += word_aligned_size; | ||
244 | for (i = 0; i < word_aligned_size; i++) { | ||
245 | if (!ptr[i]) | ||
246 | continue; | ||
247 | printk(KERN_ERR "WARNING: Reserved memory was tainted! " | ||
248 | "The system might go wrong.\n"); | ||
249 | ptr[i] = '\0'; | ||
250 | } | ||
251 | } | ||
252 | mutex_unlock(&lock); | ||
253 | /***** EXCLUSIVE SECTION END *****/ | ||
254 | return ptr; | ||
255 | } | ||
256 | |||
257 | /* Memory allocated for string data in bytes. */ | ||
258 | static unsigned int tomoyo_allocated_memory_for_savename; | ||
259 | /* Quota for holding string data in bytes. */ | ||
260 | static unsigned int tomoyo_quota_for_savename; | ||
261 | |||
262 | /* | ||
263 | * TOMOYO uses this hash only when appending a string into the string | ||
264 | * table. Frequency of appending strings is very low. So we don't need | ||
265 | * large (e.g. 64k) hash size. 256 will be sufficient. | ||
266 | */ | ||
267 | #define TOMOYO_MAX_HASH 256 | ||
268 | |||
269 | /* Structure for string data. */ | ||
270 | struct tomoyo_name_entry { | ||
271 | struct list_head list; | ||
272 | struct tomoyo_path_info entry; | ||
273 | }; | ||
274 | |||
275 | /* Structure for available memory region. */ | ||
276 | struct tomoyo_free_memory_block_list { | ||
277 | struct list_head list; | ||
278 | char *ptr; /* Pointer to a free area. */ | ||
279 | int len; /* Length of the area. */ | ||
280 | }; | ||
281 | |||
282 | /* | ||
283 | * The list for "struct tomoyo_name_entry". | ||
284 | * | ||
285 | * This list is updated only inside tomoyo_save_name(), thus | ||
286 | * no global mutex exists. | ||
287 | */ | ||
288 | static struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; | ||
289 | |||
290 | /** | ||
291 | * tomoyo_save_name - Allocate permanent memory for string data. | ||
292 | * | ||
293 | * @name: The string to store into the permernent memory. | ||
294 | * | ||
295 | * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise. | ||
296 | * | ||
297 | * The RAM is shared, so NEVER try to modify or kfree() the returned name. | ||
298 | */ | ||
299 | const struct tomoyo_path_info *tomoyo_save_name(const char *name) | ||
300 | { | ||
301 | static LIST_HEAD(fmb_list); | ||
302 | static DEFINE_MUTEX(lock); | ||
303 | struct tomoyo_name_entry *ptr; | ||
304 | unsigned int hash; | ||
305 | /* fmb contains available size in bytes. | ||
306 | fmb is removed from the fmb_list when fmb->len becomes 0. */ | ||
307 | struct tomoyo_free_memory_block_list *fmb; | ||
308 | int len; | ||
309 | char *cp; | ||
310 | |||
311 | if (!name) | ||
312 | return NULL; | ||
313 | len = strlen(name) + 1; | ||
314 | if (len > TOMOYO_MAX_PATHNAME_LEN) { | ||
315 | printk(KERN_WARNING "ERROR: Name too long " | ||
316 | "for tomoyo_save_name().\n"); | ||
317 | return NULL; | ||
318 | } | ||
319 | hash = full_name_hash((const unsigned char *) name, len - 1); | ||
320 | /***** EXCLUSIVE SECTION START *****/ | ||
321 | mutex_lock(&lock); | ||
322 | list_for_each_entry(ptr, &tomoyo_name_list[hash % TOMOYO_MAX_HASH], | ||
323 | list) { | ||
324 | if (hash == ptr->entry.hash && !strcmp(name, ptr->entry.name)) | ||
325 | goto out; | ||
326 | } | ||
327 | list_for_each_entry(fmb, &fmb_list, list) { | ||
328 | if (len <= fmb->len) | ||
329 | goto ready; | ||
330 | } | ||
331 | if (!tomoyo_quota_for_savename || | ||
332 | tomoyo_allocated_memory_for_savename + PATH_MAX | ||
333 | <= tomoyo_quota_for_savename) | ||
334 | cp = kzalloc(PATH_MAX, GFP_KERNEL); | ||
335 | else | ||
336 | cp = NULL; | ||
337 | fmb = kzalloc(sizeof(*fmb), GFP_KERNEL); | ||
338 | if (!cp || !fmb) { | ||
339 | kfree(cp); | ||
340 | kfree(fmb); | ||
341 | printk(KERN_WARNING "ERROR: Out of memory " | ||
342 | "for tomoyo_save_name().\n"); | ||
343 | if (!tomoyo_policy_loaded) | ||
344 | panic("MAC Initialization failed.\n"); | ||
345 | ptr = NULL; | ||
346 | goto out; | ||
347 | } | ||
348 | tomoyo_allocated_memory_for_savename += PATH_MAX; | ||
349 | list_add(&fmb->list, &fmb_list); | ||
350 | fmb->ptr = cp; | ||
351 | fmb->len = PATH_MAX; | ||
352 | ready: | ||
353 | ptr = tomoyo_alloc_element(sizeof(*ptr)); | ||
354 | if (!ptr) | ||
355 | goto out; | ||
356 | ptr->entry.name = fmb->ptr; | ||
357 | memmove(fmb->ptr, name, len); | ||
358 | tomoyo_fill_path_info(&ptr->entry); | ||
359 | fmb->ptr += len; | ||
360 | fmb->len -= len; | ||
361 | list_add_tail(&ptr->list, &tomoyo_name_list[hash % TOMOYO_MAX_HASH]); | ||
362 | if (fmb->len == 0) { | ||
363 | list_del(&fmb->list); | ||
364 | kfree(fmb); | ||
365 | } | ||
366 | out: | ||
367 | mutex_unlock(&lock); | ||
368 | /***** EXCLUSIVE SECTION END *****/ | ||
369 | return ptr ? &ptr->entry : NULL; | ||
370 | } | ||
371 | |||
372 | /** | ||
373 | * tomoyo_realpath_init - Initialize realpath related code. | ||
374 | */ | ||
375 | void __init tomoyo_realpath_init(void) | ||
376 | { | ||
377 | int i; | ||
378 | |||
379 | BUILD_BUG_ON(TOMOYO_MAX_PATHNAME_LEN > PATH_MAX); | ||
380 | for (i = 0; i < TOMOYO_MAX_HASH; i++) | ||
381 | INIT_LIST_HEAD(&tomoyo_name_list[i]); | ||
382 | INIT_LIST_HEAD(&tomoyo_kernel_domain.acl_info_list); | ||
383 | tomoyo_kernel_domain.domainname = tomoyo_save_name(TOMOYO_ROOT_NAME); | ||
384 | list_add_tail(&tomoyo_kernel_domain.list, &tomoyo_domain_list); | ||
385 | down_read(&tomoyo_domain_list_lock); | ||
386 | if (tomoyo_find_domain(TOMOYO_ROOT_NAME) != &tomoyo_kernel_domain) | ||
387 | panic("Can't register tomoyo_kernel_domain"); | ||
388 | up_read(&tomoyo_domain_list_lock); | ||
389 | } | ||
390 | |||
391 | /* Memory allocated for temporary purpose. */ | ||
392 | static atomic_t tomoyo_dynamic_memory_size; | ||
393 | |||
394 | /** | ||
395 | * tomoyo_alloc - Allocate memory for temporary purpose. | ||
396 | * | ||
397 | * @size: Size in bytes. | ||
398 | * | ||
399 | * Returns pointer to allocated memory on success, NULL otherwise. | ||
400 | */ | ||
401 | void *tomoyo_alloc(const size_t size) | ||
402 | { | ||
403 | void *p = kzalloc(size, GFP_KERNEL); | ||
404 | if (p) | ||
405 | atomic_add(ksize(p), &tomoyo_dynamic_memory_size); | ||
406 | return p; | ||
407 | } | ||
408 | |||
409 | /** | ||
410 | * tomoyo_free - Release memory allocated by tomoyo_alloc(). | ||
411 | * | ||
412 | * @p: Pointer returned by tomoyo_alloc(). May be NULL. | ||
413 | * | ||
414 | * Returns nothing. | ||
415 | */ | ||
416 | void tomoyo_free(const void *p) | ||
417 | { | ||
418 | if (p) { | ||
419 | atomic_sub(ksize(p), &tomoyo_dynamic_memory_size); | ||
420 | kfree(p); | ||
421 | } | ||
422 | } | ||
423 | |||
424 | /** | ||
425 | * tomoyo_read_memory_counter - Check for memory usage in bytes. | ||
426 | * | ||
427 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
428 | * | ||
429 | * Returns memory usage. | ||
430 | */ | ||
431 | int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head) | ||
432 | { | ||
433 | if (!head->read_eof) { | ||
434 | const unsigned int shared | ||
435 | = tomoyo_allocated_memory_for_savename; | ||
436 | const unsigned int private | ||
437 | = tomoyo_allocated_memory_for_elements; | ||
438 | const unsigned int dynamic | ||
439 | = atomic_read(&tomoyo_dynamic_memory_size); | ||
440 | char buffer[64]; | ||
441 | |||
442 | memset(buffer, 0, sizeof(buffer)); | ||
443 | if (tomoyo_quota_for_savename) | ||
444 | snprintf(buffer, sizeof(buffer) - 1, | ||
445 | " (Quota: %10u)", | ||
446 | tomoyo_quota_for_savename); | ||
447 | else | ||
448 | buffer[0] = '\0'; | ||
449 | tomoyo_io_printf(head, "Shared: %10u%s\n", shared, buffer); | ||
450 | if (tomoyo_quota_for_elements) | ||
451 | snprintf(buffer, sizeof(buffer) - 1, | ||
452 | " (Quota: %10u)", | ||
453 | tomoyo_quota_for_elements); | ||
454 | else | ||
455 | buffer[0] = '\0'; | ||
456 | tomoyo_io_printf(head, "Private: %10u%s\n", private, buffer); | ||
457 | tomoyo_io_printf(head, "Dynamic: %10u\n", dynamic); | ||
458 | tomoyo_io_printf(head, "Total: %10u\n", | ||
459 | shared + private + dynamic); | ||
460 | head->read_eof = true; | ||
461 | } | ||
462 | return 0; | ||
463 | } | ||
464 | |||
465 | /** | ||
466 | * tomoyo_write_memory_quota - Set memory quota. | ||
467 | * | ||
468 | * @head: Pointer to "struct tomoyo_io_buffer". | ||
469 | * | ||
470 | * Returns 0. | ||
471 | */ | ||
472 | int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head) | ||
473 | { | ||
474 | char *data = head->write_buf; | ||
475 | unsigned int size; | ||
476 | |||
477 | if (sscanf(data, "Shared: %u", &size) == 1) | ||
478 | tomoyo_quota_for_savename = size; | ||
479 | else if (sscanf(data, "Private: %u", &size) == 1) | ||
480 | tomoyo_quota_for_elements = size; | ||
481 | return 0; | ||
482 | } | ||
diff --git a/security/tomoyo/realpath.h b/security/tomoyo/realpath.h new file mode 100644 index 000000000000..7ec9fc9cbc07 --- /dev/null +++ b/security/tomoyo/realpath.h | |||
@@ -0,0 +1,66 @@ | |||
1 | /* | ||
2 | * security/tomoyo/realpath.h | ||
3 | * | ||
4 | * Get the canonicalized absolute pathnames. The basis for TOMOYO. | ||
5 | * | ||
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | ||
7 | * | ||
8 | * Version: 2.2.0-pre 2009/02/01 | ||
9 | * | ||
10 | */ | ||
11 | |||
12 | #ifndef _SECURITY_TOMOYO_REALPATH_H | ||
13 | #define _SECURITY_TOMOYO_REALPATH_H | ||
14 | |||
15 | struct path; | ||
16 | struct tomoyo_path_info; | ||
17 | struct tomoyo_io_buffer; | ||
18 | |||
19 | /* Convert binary string to ascii string. */ | ||
20 | int tomoyo_encode(char *buffer, int buflen, const char *str); | ||
21 | |||
22 | /* Returns realpath(3) of the given pathname but ignores chroot'ed root. */ | ||
23 | int tomoyo_realpath_from_path2(struct path *path, char *newname, | ||
24 | int newname_len); | ||
25 | |||
26 | /* | ||
27 | * Returns realpath(3) of the given pathname but ignores chroot'ed root. | ||
28 | * These functions use tomoyo_alloc(), so the caller must call tomoyo_free() | ||
29 | * if these functions didn't return NULL. | ||
30 | */ | ||
31 | char *tomoyo_realpath(const char *pathname); | ||
32 | /* | ||
33 | * Same with tomoyo_realpath() except that it doesn't follow the final symlink. | ||
34 | */ | ||
35 | char *tomoyo_realpath_nofollow(const char *pathname); | ||
36 | /* Same with tomoyo_realpath() except that the pathname is already solved. */ | ||
37 | char *tomoyo_realpath_from_path(struct path *path); | ||
38 | |||
39 | /* | ||
40 | * Allocate memory for ACL entry. | ||
41 | * The RAM is chunked, so NEVER try to kfree() the returned pointer. | ||
42 | */ | ||
43 | void *tomoyo_alloc_element(const unsigned int size); | ||
44 | |||
45 | /* | ||
46 | * Keep the given name on the RAM. | ||
47 | * The RAM is shared, so NEVER try to modify or kfree() the returned name. | ||
48 | */ | ||
49 | const struct tomoyo_path_info *tomoyo_save_name(const char *name); | ||
50 | |||
51 | /* Allocate memory for temporary use (e.g. permission checks). */ | ||
52 | void *tomoyo_alloc(const size_t size); | ||
53 | |||
54 | /* Free memory allocated by tomoyo_alloc(). */ | ||
55 | void tomoyo_free(const void *p); | ||
56 | |||
57 | /* Check for memory usage. */ | ||
58 | int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head); | ||
59 | |||
60 | /* Set memory quota. */ | ||
61 | int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head); | ||
62 | |||
63 | /* Initialize realpath related code. */ | ||
64 | void __init tomoyo_realpath_init(void); | ||
65 | |||
66 | #endif /* !defined(_SECURITY_TOMOYO_REALPATH_H) */ | ||
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c new file mode 100644 index 000000000000..3eeeae12c4dc --- /dev/null +++ b/security/tomoyo/tomoyo.c | |||
@@ -0,0 +1,294 @@ | |||
1 | /* | ||
2 | * security/tomoyo/tomoyo.c | ||
3 | * | ||
4 | * LSM hooks for TOMOYO Linux. | ||
5 | * | ||
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | ||
7 | * | ||
8 | * Version: 2.2.0-pre 2009/02/01 | ||
9 | * | ||
10 | */ | ||
11 | |||
12 | #include <linux/security.h> | ||
13 | #include "common.h" | ||
14 | #include "tomoyo.h" | ||
15 | #include "realpath.h" | ||
16 | |||
17 | static int tomoyo_cred_prepare(struct cred *new, const struct cred *old, | ||
18 | gfp_t gfp) | ||
19 | { | ||
20 | /* | ||
21 | * Since "struct tomoyo_domain_info *" is a sharable pointer, | ||
22 | * we don't need to duplicate. | ||
23 | */ | ||
24 | new->security = old->security; | ||
25 | return 0; | ||
26 | } | ||
27 | |||
28 | static int tomoyo_bprm_set_creds(struct linux_binprm *bprm) | ||
29 | { | ||
30 | /* | ||
31 | * Do only if this function is called for the first time of an execve | ||
32 | * operation. | ||
33 | */ | ||
34 | if (bprm->cred_prepared) | ||
35 | return 0; | ||
36 | /* | ||
37 | * Load policy if /sbin/tomoyo-init exists and /sbin/init is requested | ||
38 | * for the first time. | ||
39 | */ | ||
40 | if (!tomoyo_policy_loaded) | ||
41 | tomoyo_load_policy(bprm->filename); | ||
42 | /* | ||
43 | * Tell tomoyo_bprm_check_security() is called for the first time of an | ||
44 | * execve operation. | ||
45 | */ | ||
46 | bprm->cred->security = NULL; | ||
47 | return 0; | ||
48 | } | ||
49 | |||
50 | static int tomoyo_bprm_check_security(struct linux_binprm *bprm) | ||
51 | { | ||
52 | struct tomoyo_domain_info *domain = bprm->cred->security; | ||
53 | |||
54 | /* | ||
55 | * Execute permission is checked against pathname passed to do_execve() | ||
56 | * using current domain. | ||
57 | */ | ||
58 | if (!domain) { | ||
59 | struct tomoyo_domain_info *next_domain = NULL; | ||
60 | int retval = tomoyo_find_next_domain(bprm, &next_domain); | ||
61 | |||
62 | if (!retval) | ||
63 | bprm->cred->security = next_domain; | ||
64 | return retval; | ||
65 | } | ||
66 | /* | ||
67 | * Read permission is checked against interpreters using next domain. | ||
68 | * '1' is the result of open_to_namei_flags(O_RDONLY). | ||
69 | */ | ||
70 | return tomoyo_check_open_permission(domain, &bprm->file->f_path, 1); | ||
71 | } | ||
72 | |||
73 | #ifdef CONFIG_SYSCTL | ||
74 | |||
75 | static int tomoyo_prepend(char **buffer, int *buflen, const char *str) | ||
76 | { | ||
77 | int namelen = strlen(str); | ||
78 | |||
79 | if (*buflen < namelen) | ||
80 | return -ENOMEM; | ||
81 | *buflen -= namelen; | ||
82 | *buffer -= namelen; | ||
83 | memcpy(*buffer, str, namelen); | ||
84 | return 0; | ||
85 | } | ||
86 | |||
87 | /** | ||
88 | * tomoyo_sysctl_path - return the realpath of a ctl_table. | ||
89 | * @table: pointer to "struct ctl_table". | ||
90 | * | ||
91 | * Returns realpath(3) of the @table on success. | ||
92 | * Returns NULL on failure. | ||
93 | * | ||
94 | * This function uses tomoyo_alloc(), so the caller must call tomoyo_free() | ||
95 | * if this function didn't return NULL. | ||
96 | */ | ||
97 | static char *tomoyo_sysctl_path(struct ctl_table *table) | ||
98 | { | ||
99 | int buflen = TOMOYO_MAX_PATHNAME_LEN; | ||
100 | char *buf = tomoyo_alloc(buflen); | ||
101 | char *end = buf + buflen; | ||
102 | int error = -ENOMEM; | ||
103 | |||
104 | if (!buf) | ||
105 | return NULL; | ||
106 | |||
107 | *--end = '\0'; | ||
108 | buflen--; | ||
109 | while (table) { | ||
110 | char num[32]; | ||
111 | const char *sp = table->procname; | ||
112 | |||
113 | if (!sp) { | ||
114 | memset(num, 0, sizeof(num)); | ||
115 | snprintf(num, sizeof(num) - 1, "=%d=", table->ctl_name); | ||
116 | sp = num; | ||
117 | } | ||
118 | if (tomoyo_prepend(&end, &buflen, sp) || | ||
119 | tomoyo_prepend(&end, &buflen, "/")) | ||
120 | goto out; | ||
121 | table = table->parent; | ||
122 | } | ||
123 | if (tomoyo_prepend(&end, &buflen, "/proc/sys")) | ||
124 | goto out; | ||
125 | error = tomoyo_encode(buf, end - buf, end); | ||
126 | out: | ||
127 | if (!error) | ||
128 | return buf; | ||
129 | tomoyo_free(buf); | ||
130 | return NULL; | ||
131 | } | ||
132 | |||
133 | static int tomoyo_sysctl(struct ctl_table *table, int op) | ||
134 | { | ||
135 | int error; | ||
136 | char *name; | ||
137 | |||
138 | op &= MAY_READ | MAY_WRITE; | ||
139 | if (!op) | ||
140 | return 0; | ||
141 | name = tomoyo_sysctl_path(table); | ||
142 | if (!name) | ||
143 | return -ENOMEM; | ||
144 | error = tomoyo_check_file_perm(tomoyo_domain(), name, op); | ||
145 | tomoyo_free(name); | ||
146 | return error; | ||
147 | } | ||
148 | #endif | ||
149 | |||
150 | static int tomoyo_path_truncate(struct path *path, loff_t length, | ||
151 | unsigned int time_attrs) | ||
152 | { | ||
153 | return tomoyo_check_1path_perm(tomoyo_domain(), | ||
154 | TOMOYO_TYPE_TRUNCATE_ACL, | ||
155 | path); | ||
156 | } | ||
157 | |||
158 | static int tomoyo_path_unlink(struct path *parent, struct dentry *dentry) | ||
159 | { | ||
160 | struct path path = { parent->mnt, dentry }; | ||
161 | return tomoyo_check_1path_perm(tomoyo_domain(), | ||
162 | TOMOYO_TYPE_UNLINK_ACL, | ||
163 | &path); | ||
164 | } | ||
165 | |||
166 | static int tomoyo_path_mkdir(struct path *parent, struct dentry *dentry, | ||
167 | int mode) | ||
168 | { | ||
169 | struct path path = { parent->mnt, dentry }; | ||
170 | return tomoyo_check_1path_perm(tomoyo_domain(), | ||
171 | TOMOYO_TYPE_MKDIR_ACL, | ||
172 | &path); | ||
173 | } | ||
174 | |||
175 | static int tomoyo_path_rmdir(struct path *parent, struct dentry *dentry) | ||
176 | { | ||
177 | struct path path = { parent->mnt, dentry }; | ||
178 | return tomoyo_check_1path_perm(tomoyo_domain(), | ||
179 | TOMOYO_TYPE_RMDIR_ACL, | ||
180 | &path); | ||
181 | } | ||
182 | |||
183 | static int tomoyo_path_symlink(struct path *parent, struct dentry *dentry, | ||
184 | const char *old_name) | ||
185 | { | ||
186 | struct path path = { parent->mnt, dentry }; | ||
187 | return tomoyo_check_1path_perm(tomoyo_domain(), | ||
188 | TOMOYO_TYPE_SYMLINK_ACL, | ||
189 | &path); | ||
190 | } | ||
191 | |||
192 | static int tomoyo_path_mknod(struct path *parent, struct dentry *dentry, | ||
193 | int mode, unsigned int dev) | ||
194 | { | ||
195 | struct path path = { parent->mnt, dentry }; | ||
196 | int type = TOMOYO_TYPE_CREATE_ACL; | ||
197 | |||
198 | switch (mode & S_IFMT) { | ||
199 | case S_IFCHR: | ||
200 | type = TOMOYO_TYPE_MKCHAR_ACL; | ||
201 | break; | ||
202 | case S_IFBLK: | ||
203 | type = TOMOYO_TYPE_MKBLOCK_ACL; | ||
204 | break; | ||
205 | case S_IFIFO: | ||
206 | type = TOMOYO_TYPE_MKFIFO_ACL; | ||
207 | break; | ||
208 | case S_IFSOCK: | ||
209 | type = TOMOYO_TYPE_MKSOCK_ACL; | ||
210 | break; | ||
211 | } | ||
212 | return tomoyo_check_1path_perm(tomoyo_domain(), | ||
213 | type, &path); | ||
214 | } | ||
215 | |||
216 | static int tomoyo_path_link(struct dentry *old_dentry, struct path *new_dir, | ||
217 | struct dentry *new_dentry) | ||
218 | { | ||
219 | struct path path1 = { new_dir->mnt, old_dentry }; | ||
220 | struct path path2 = { new_dir->mnt, new_dentry }; | ||
221 | return tomoyo_check_2path_perm(tomoyo_domain(), | ||
222 | TOMOYO_TYPE_LINK_ACL, | ||
223 | &path1, &path2); | ||
224 | } | ||
225 | |||
226 | static int tomoyo_path_rename(struct path *old_parent, | ||
227 | struct dentry *old_dentry, | ||
228 | struct path *new_parent, | ||
229 | struct dentry *new_dentry) | ||
230 | { | ||
231 | struct path path1 = { old_parent->mnt, old_dentry }; | ||
232 | struct path path2 = { new_parent->mnt, new_dentry }; | ||
233 | return tomoyo_check_2path_perm(tomoyo_domain(), | ||
234 | TOMOYO_TYPE_RENAME_ACL, | ||
235 | &path1, &path2); | ||
236 | } | ||
237 | |||
238 | static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, | ||
239 | unsigned long arg) | ||
240 | { | ||
241 | if (cmd == F_SETFL && ((arg ^ file->f_flags) & O_APPEND)) | ||
242 | return tomoyo_check_rewrite_permission(tomoyo_domain(), file); | ||
243 | return 0; | ||
244 | } | ||
245 | |||
246 | static int tomoyo_dentry_open(struct file *f, const struct cred *cred) | ||
247 | { | ||
248 | int flags = f->f_flags; | ||
249 | |||
250 | if ((flags + 1) & O_ACCMODE) | ||
251 | flags++; | ||
252 | flags |= f->f_flags & (O_APPEND | O_TRUNC); | ||
253 | /* Don't check read permission here if called from do_execve(). */ | ||
254 | if (current->in_execve) | ||
255 | return 0; | ||
256 | return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path, flags); | ||
257 | } | ||
258 | |||
259 | static struct security_operations tomoyo_security_ops = { | ||
260 | .name = "tomoyo", | ||
261 | .cred_prepare = tomoyo_cred_prepare, | ||
262 | .bprm_set_creds = tomoyo_bprm_set_creds, | ||
263 | .bprm_check_security = tomoyo_bprm_check_security, | ||
264 | #ifdef CONFIG_SYSCTL | ||
265 | .sysctl = tomoyo_sysctl, | ||
266 | #endif | ||
267 | .file_fcntl = tomoyo_file_fcntl, | ||
268 | .dentry_open = tomoyo_dentry_open, | ||
269 | .path_truncate = tomoyo_path_truncate, | ||
270 | .path_unlink = tomoyo_path_unlink, | ||
271 | .path_mkdir = tomoyo_path_mkdir, | ||
272 | .path_rmdir = tomoyo_path_rmdir, | ||
273 | .path_symlink = tomoyo_path_symlink, | ||
274 | .path_mknod = tomoyo_path_mknod, | ||
275 | .path_link = tomoyo_path_link, | ||
276 | .path_rename = tomoyo_path_rename, | ||
277 | }; | ||
278 | |||
279 | static int __init tomoyo_init(void) | ||
280 | { | ||
281 | struct cred *cred = (struct cred *) current_cred(); | ||
282 | |||
283 | if (!security_module_enable(&tomoyo_security_ops)) | ||
284 | return 0; | ||
285 | /* register ourselves with the security framework */ | ||
286 | if (register_security(&tomoyo_security_ops)) | ||
287 | panic("Failure registering TOMOYO Linux"); | ||
288 | printk(KERN_INFO "TOMOYO Linux initialized\n"); | ||
289 | cred->security = &tomoyo_kernel_domain; | ||
290 | tomoyo_realpath_init(); | ||
291 | return 0; | ||
292 | } | ||
293 | |||
294 | security_initcall(tomoyo_init); | ||
diff --git a/security/tomoyo/tomoyo.h b/security/tomoyo/tomoyo.h new file mode 100644 index 000000000000..a0c8f6e0bea4 --- /dev/null +++ b/security/tomoyo/tomoyo.h | |||
@@ -0,0 +1,106 @@ | |||
1 | /* | ||
2 | * security/tomoyo/tomoyo.h | ||
3 | * | ||
4 | * Implementation of the Domain-Based Mandatory Access Control. | ||
5 | * | ||
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | ||
7 | * | ||
8 | * Version: 2.2.0-pre 2009/02/01 | ||
9 | * | ||
10 | */ | ||
11 | |||
12 | #ifndef _SECURITY_TOMOYO_TOMOYO_H | ||
13 | #define _SECURITY_TOMOYO_TOMOYO_H | ||
14 | |||
15 | struct tomoyo_path_info; | ||
16 | struct path; | ||
17 | struct inode; | ||
18 | struct linux_binprm; | ||
19 | struct pt_regs; | ||
20 | struct tomoyo_page_buffer; | ||
21 | |||
22 | int tomoyo_check_file_perm(struct tomoyo_domain_info *domain, | ||
23 | const char *filename, const u8 perm); | ||
24 | int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, | ||
25 | const struct tomoyo_path_info *filename, | ||
26 | struct tomoyo_page_buffer *buf); | ||
27 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | ||
28 | struct path *path, const int flag); | ||
29 | int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, | ||
30 | const u8 operation, struct path *path); | ||
31 | int tomoyo_check_2path_perm(struct tomoyo_domain_info *domain, | ||
32 | const u8 operation, struct path *path1, | ||
33 | struct path *path2); | ||
34 | int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, | ||
35 | struct file *filp); | ||
36 | int tomoyo_find_next_domain(struct linux_binprm *bprm, | ||
37 | struct tomoyo_domain_info **next_domain); | ||
38 | |||
39 | /* Index numbers for Access Controls. */ | ||
40 | |||
41 | #define TOMOYO_TYPE_SINGLE_PATH_ACL 0 | ||
42 | #define TOMOYO_TYPE_DOUBLE_PATH_ACL 1 | ||
43 | |||
44 | /* Index numbers for File Controls. */ | ||
45 | |||
46 | /* | ||
47 | * TYPE_READ_WRITE_ACL is special. TYPE_READ_WRITE_ACL is automatically set | ||
48 | * if both TYPE_READ_ACL and TYPE_WRITE_ACL are set. Both TYPE_READ_ACL and | ||
49 | * TYPE_WRITE_ACL are automatically set if TYPE_READ_WRITE_ACL is set. | ||
50 | * TYPE_READ_WRITE_ACL is automatically cleared if either TYPE_READ_ACL or | ||
51 | * TYPE_WRITE_ACL is cleared. Both TYPE_READ_ACL and TYPE_WRITE_ACL are | ||
52 | * automatically cleared if TYPE_READ_WRITE_ACL is cleared. | ||
53 | */ | ||
54 | |||
55 | #define TOMOYO_TYPE_READ_WRITE_ACL 0 | ||
56 | #define TOMOYO_TYPE_EXECUTE_ACL 1 | ||
57 | #define TOMOYO_TYPE_READ_ACL 2 | ||
58 | #define TOMOYO_TYPE_WRITE_ACL 3 | ||
59 | #define TOMOYO_TYPE_CREATE_ACL 4 | ||
60 | #define TOMOYO_TYPE_UNLINK_ACL 5 | ||
61 | #define TOMOYO_TYPE_MKDIR_ACL 6 | ||
62 | #define TOMOYO_TYPE_RMDIR_ACL 7 | ||
63 | #define TOMOYO_TYPE_MKFIFO_ACL 8 | ||
64 | #define TOMOYO_TYPE_MKSOCK_ACL 9 | ||
65 | #define TOMOYO_TYPE_MKBLOCK_ACL 10 | ||
66 | #define TOMOYO_TYPE_MKCHAR_ACL 11 | ||
67 | #define TOMOYO_TYPE_TRUNCATE_ACL 12 | ||
68 | #define TOMOYO_TYPE_SYMLINK_ACL 13 | ||
69 | #define TOMOYO_TYPE_REWRITE_ACL 14 | ||
70 | #define TOMOYO_MAX_SINGLE_PATH_OPERATION 15 | ||
71 | |||
72 | #define TOMOYO_TYPE_LINK_ACL 0 | ||
73 | #define TOMOYO_TYPE_RENAME_ACL 1 | ||
74 | #define TOMOYO_MAX_DOUBLE_PATH_OPERATION 2 | ||
75 | |||
76 | #define TOMOYO_DOMAINPOLICY 0 | ||
77 | #define TOMOYO_EXCEPTIONPOLICY 1 | ||
78 | #define TOMOYO_DOMAIN_STATUS 2 | ||
79 | #define TOMOYO_PROCESS_STATUS 3 | ||
80 | #define TOMOYO_MEMINFO 4 | ||
81 | #define TOMOYO_SELFDOMAIN 5 | ||
82 | #define TOMOYO_VERSION 6 | ||
83 | #define TOMOYO_PROFILE 7 | ||
84 | #define TOMOYO_MANAGER 8 | ||
85 | |||
86 | extern struct tomoyo_domain_info tomoyo_kernel_domain; | ||
87 | |||
88 | static inline struct tomoyo_domain_info *tomoyo_domain(void) | ||
89 | { | ||
90 | return current_cred()->security; | ||
91 | } | ||
92 | |||
93 | /* Caller holds tasklist_lock spinlock. */ | ||
94 | static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct | ||
95 | *task) | ||
96 | { | ||
97 | /***** CRITICAL SECTION START *****/ | ||
98 | const struct cred *cred = get_task_cred(task); | ||
99 | struct tomoyo_domain_info *domain = cred->security; | ||
100 | |||
101 | put_cred(cred); | ||
102 | return domain; | ||
103 | /***** CRITICAL SECTION END *****/ | ||
104 | } | ||
105 | |||
106 | #endif /* !defined(_SECURITY_TOMOYO_TOMOYO_H) */ | ||