2 * security/tomoyo/common.c
4 * Common functions for TOMOYO.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
12 #include <linux/uaccess.h>
13 #include <linux/security.h>
14 #include <linux/hardirq.h>
19 /* Lock for protecting policy. */
20 DEFINE_MUTEX(tomoyo_policy_lock);
22 /* Has loading policy done? */
23 bool tomoyo_policy_loaded;
25 /* String table for functionality that takes 4 modes. */
26 static const char *tomoyo_mode_4[4] = {
27 "disabled", "learning", "permissive", "enforcing"
29 /* String table for functionality that takes 2 modes. */
30 static const char *tomoyo_mode_2[4] = {
31 "disabled", "enabled", "enabled", "enabled"
35 * tomoyo_control_array is a static data which contains
37 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
38 * (2) initial values for "struct tomoyo_profile".
39 * (3) max values for "struct tomoyo_profile".
43 unsigned int current_value;
44 const unsigned int max_value;
45 } tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = {
46 [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 },
47 [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX },
48 [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 },
52 * tomoyo_profile is a structure which is used for holding the mode of access
53 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
54 * An administrator can define up to 256 profiles.
55 * The ->profile of "struct tomoyo_domain_info" is used for remembering
56 * the profile's number (0 - 255) assigned to that domain.
58 static struct tomoyo_profile {
59 unsigned int value[TOMOYO_MAX_CONTROL_INDEX];
60 const struct tomoyo_path_info *comment;
61 } *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES];
63 /* Permit policy management by non-root user? */
64 static bool tomoyo_manage_by_non_root;
66 /* Utility functions. */
68 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
69 static int tomoyo_open_control(const u8 type, struct file *file);
70 /* Close /sys/kernel/security/tomoyo/ interface. */
71 static int tomoyo_close_control(struct file *file);
72 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
73 static int tomoyo_read_control(struct file *file, char __user *buffer,
74 const int buffer_len);
75 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
76 static int tomoyo_write_control(struct file *file, const char __user *buffer,
77 const int buffer_len);
80 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
82 * @str: Pointer to the string.
84 * Returns true if @str is a \ooo style octal value, false otherwise.
86 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
87 * This function verifies that \ooo is in valid range.
89 static inline bool tomoyo_is_byte_range(const char *str)
91 return *str >= '0' && *str++ <= '3' &&
92 *str >= '0' && *str++ <= '7' &&
93 *str >= '0' && *str <= '7';
97 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
99 * @c: The character to check.
101 * Returns true if @c is an alphabet character, false otherwise.
103 static inline bool tomoyo_is_alphabet_char(const char c)
105 return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
109 * tomoyo_make_byte - Make byte value from three octal characters.
111 * @c1: The first character.
112 * @c2: The second character.
113 * @c3: The third character.
115 * Returns byte value.
117 static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3)
119 return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0');
123 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
125 * @src: Pointer to pointer to the string.
126 * @find: Pointer to the keyword.
128 * Returns true if @src starts with @find, false otherwise.
130 * The @src is updated to point the first character after the @find
131 * if @src starts with @find.
133 static bool tomoyo_str_starts(char **src, const char *find)
135 const int len = strlen(find);
138 if (strncmp(tmp, find, len))
146 * tomoyo_normalize_line - Format string.
148 * @buffer: The line to normalize.
150 * Leading and trailing whitespaces are removed.
151 * Multiple whitespaces are packed into single space.
155 static void tomoyo_normalize_line(unsigned char *buffer)
157 unsigned char *sp = buffer;
158 unsigned char *dp = buffer;
161 while (tomoyo_is_invalid(*sp))
167 while (tomoyo_is_valid(*sp))
169 while (tomoyo_is_invalid(*sp))
176 * tomoyo_is_correct_path - Validate a pathname.
177 * @filename: The pathname to check.
178 * @start_type: Should the pathname start with '/'?
179 * 1 = must / -1 = must not / 0 = don't care
180 * @pattern_type: Can the pathname contain a wildcard?
181 * 1 = must / -1 = must not / 0 = don't care
182 * @end_type: Should the pathname end with '/'?
183 * 1 = must / -1 = must not / 0 = don't care
184 * @function: The name of function calling me.
186 * Check whether the given filename follows the naming rules.
187 * Returns true if @filename follows the naming rules, false otherwise.
189 bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
190 const s8 pattern_type, const s8 end_type,
191 const char *function)
193 const char *const start = filename;
194 bool in_repetition = false;
195 bool contains_pattern = false;
199 const char *original_filename = filename;
204 if (start_type == 1) { /* Must start with '/' */
207 } else if (start_type == -1) { /* Must not start with '/' */
212 c = *(filename + strlen(filename) - 1);
213 if (end_type == 1) { /* Must end with '/' */
216 } else if (end_type == -1) { /* Must not end with '/' */
227 case '\\': /* "\\" */
239 if (pattern_type == -1)
240 break; /* Must not contain pattern */
241 contains_pattern = true;
243 case '{': /* "/\{" */
244 if (filename - 3 < start ||
245 *(filename - 3) != '/')
247 if (pattern_type == -1)
248 break; /* Must not contain pattern */
249 contains_pattern = true;
250 in_repetition = true;
252 case '}': /* "\}/" */
253 if (*filename != '/')
257 in_repetition = false;
259 case '0': /* "\ooo" */
264 if (d < '0' || d > '7')
267 if (e < '0' || e > '7')
269 c = tomoyo_make_byte(c, d, e);
270 if (tomoyo_is_invalid(c))
271 continue; /* pattern is not \000 */
274 } else if (in_repetition && c == '/') {
276 } else if (tomoyo_is_invalid(c)) {
280 if (pattern_type == 1) { /* Must contain pattern */
281 if (!contains_pattern)
288 printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function,
294 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
295 * @domainname: The domainname to check.
296 * @function: The name of function calling me.
298 * Returns true if @domainname follows the naming rules, false otherwise.
300 bool tomoyo_is_correct_domain(const unsigned char *domainname,
301 const char *function)
306 const char *org_domainname = domainname;
308 if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME,
309 TOMOYO_ROOT_NAME_LEN))
311 domainname += TOMOYO_ROOT_NAME_LEN;
315 if (*domainname++ != ' ')
317 if (*domainname++ != '/')
319 while ((c = *domainname) != '\0' && c != ' ') {
324 case '\\': /* "\\" */
326 case '0': /* "\ooo" */
331 if (d < '0' || d > '7')
334 if (e < '0' || e > '7')
336 c = tomoyo_make_byte(c, d, e);
337 if (tomoyo_is_invalid(c))
338 /* pattern is not \000 */
342 } else if (tomoyo_is_invalid(c)) {
346 } while (*domainname);
349 printk(KERN_DEBUG "%s: Invalid domainname '%s'\n", function,
355 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
357 * @buffer: The token to check.
359 * Returns true if @buffer possibly be a domainname, false otherwise.
361 bool tomoyo_is_domain_def(const unsigned char *buffer)
363 return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN);
367 * tomoyo_find_domain - Find a domain by the given name.
369 * @domainname: The domainname to find.
371 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
373 * Caller holds tomoyo_read_lock().
375 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
377 struct tomoyo_domain_info *domain;
378 struct tomoyo_path_info name;
380 name.name = domainname;
381 tomoyo_fill_path_info(&name);
382 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
383 if (!domain->is_deleted &&
384 !tomoyo_pathcmp(&name, domain->domainname))
391 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
393 * @filename: The string to evaluate.
395 * Returns the initial length without a pattern in @filename.
397 static int tomoyo_const_part_length(const char *filename)
404 while ((c = *filename++) != '\0') {
411 case '\\': /* "\\" */
414 case '0': /* "\ooo" */
419 if (c < '0' || c > '7')
422 if (c < '0' || c > '7')
433 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
435 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
437 * The caller sets "struct tomoyo_path_info"->name.
439 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
441 const char *name = ptr->name;
442 const int len = strlen(name);
444 ptr->const_len = tomoyo_const_part_length(name);
445 ptr->is_dir = len && (name[len - 1] == '/');
446 ptr->is_patterned = (ptr->const_len < len);
447 ptr->hash = full_name_hash(name, len);
451 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
454 * @filename: The start of string to check.
455 * @filename_end: The end of string to check.
456 * @pattern: The start of pattern to compare.
457 * @pattern_end: The end of pattern to compare.
459 * Returns true if @filename matches @pattern, false otherwise.
461 static bool tomoyo_file_matches_pattern2(const char *filename,
462 const char *filename_end,
464 const char *pattern_end)
466 while (filename < filename_end && pattern < pattern_end) {
468 if (*pattern != '\\') {
469 if (*filename++ != *pattern++)
481 } else if (c == '\\') {
482 if (filename[1] == '\\')
484 else if (tomoyo_is_byte_range(filename + 1))
493 if (*++filename != '\\')
505 if (!tomoyo_is_alphabet_char(c))
512 if (c == '\\' && tomoyo_is_byte_range(filename + 1)
513 && strncmp(filename + 1, pattern, 3) == 0) {
518 return false; /* Not matched. */
521 for (i = 0; i <= filename_end - filename; i++) {
522 if (tomoyo_file_matches_pattern2(
523 filename + i, filename_end,
524 pattern + 1, pattern_end))
527 if (c == '.' && *pattern == '@')
531 if (filename[i + 1] == '\\')
533 else if (tomoyo_is_byte_range(filename + i + 1))
536 break; /* Bad pattern. */
538 return false; /* Not matched. */
543 while (isdigit(filename[j]))
545 } else if (c == 'X') {
546 while (isxdigit(filename[j]))
548 } else if (c == 'A') {
549 while (tomoyo_is_alphabet_char(filename[j]))
552 for (i = 1; i <= j; i++) {
553 if (tomoyo_file_matches_pattern2(
554 filename + i, filename_end,
555 pattern + 1, pattern_end))
558 return false; /* Not matched or bad pattern. */
563 while (*pattern == '\\' &&
564 (*(pattern + 1) == '*' || *(pattern + 1) == '@'))
566 return filename == filename_end && pattern == pattern_end;
570 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
572 * @filename: The start of string to check.
573 * @filename_end: The end of string to check.
574 * @pattern: The start of pattern to compare.
575 * @pattern_end: The end of pattern to compare.
577 * Returns true if @filename matches @pattern, false otherwise.
579 static bool tomoyo_file_matches_pattern(const char *filename,
580 const char *filename_end,
582 const char *pattern_end)
584 const char *pattern_start = pattern;
588 while (pattern < pattern_end - 1) {
589 /* Split at "\-" pattern. */
590 if (*pattern++ != '\\' || *pattern++ != '-')
592 result = tomoyo_file_matches_pattern2(filename,
601 pattern_start = pattern;
603 result = tomoyo_file_matches_pattern2(filename, filename_end,
604 pattern_start, pattern_end);
605 return first ? result : !result;
609 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
611 * @f: The start of string to check.
612 * @p: The start of pattern to compare.
614 * Returns true if @f matches @p, false otherwise.
616 static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
618 const char *f_delimiter;
619 const char *p_delimiter;
622 f_delimiter = strchr(f, '/');
624 f_delimiter = f + strlen(f);
625 p_delimiter = strchr(p, '/');
627 p_delimiter = p + strlen(p);
628 if (*p == '\\' && *(p + 1) == '{')
630 if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
640 /* Ignore trailing "\*" and "\@" in @pattern. */
642 (*(p + 1) == '*' || *(p + 1) == '@'))
647 * The "\{" pattern is permitted only after '/' character.
648 * This guarantees that below "*(p - 1)" is safe.
649 * Also, the "\}" pattern is permitted only before '/' character
650 * so that "\{" + "\}" pair will not break the "\-" operator.
652 if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
653 *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
654 return false; /* Bad pattern. */
656 /* Compare current component with pattern. */
657 if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
660 /* Proceed to next component. */
665 /* Continue comparison. */
666 if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
668 f_delimiter = strchr(f, '/');
669 } while (f_delimiter);
670 return false; /* Not matched. */
674 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
676 * @filename: The filename to check.
677 * @pattern: The pattern to compare.
679 * Returns true if matches, false otherwise.
681 * The following patterns are available.
683 * \ooo Octal representation of a byte.
684 * \* Zero or more repetitions of characters other than '/'.
685 * \@ Zero or more repetitions of characters other than '/' or '.'.
686 * \? 1 byte character other than '/'.
687 * \$ One or more repetitions of decimal digits.
688 * \+ 1 decimal digit.
689 * \X One or more repetitions of hexadecimal digits.
690 * \x 1 hexadecimal digit.
691 * \A One or more repetitions of alphabet characters.
692 * \a 1 alphabet character.
694 * \- Subtraction operator.
696 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
699 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
700 const struct tomoyo_path_info *pattern)
702 const char *f = filename->name;
703 const char *p = pattern->name;
704 const int len = pattern->const_len;
706 /* If @pattern doesn't contain pattern, I can use strcmp(). */
707 if (!pattern->is_patterned)
708 return !tomoyo_pathcmp(filename, pattern);
709 /* Don't compare directory and non-directory. */
710 if (filename->is_dir != pattern->is_dir)
712 /* Compare the initial length without patterns. */
713 if (strncmp(f, p, len))
717 return tomoyo_path_matches_pattern2(f, p);
721 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
723 * @head: Pointer to "struct tomoyo_io_buffer".
724 * @fmt: The printf()'s format string, followed by parameters.
726 * Returns true if output was written, false otherwise.
728 * The snprintf() will truncate, but tomoyo_io_printf() won't.
730 bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
734 int pos = head->read_avail;
735 int size = head->readbuf_size - pos;
740 len = vsnprintf(head->read_buf + pos, size, fmt, args);
742 if (pos + len >= head->readbuf_size)
744 head->read_avail += len;
749 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
751 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
753 * This function uses tomoyo_alloc(), so the caller must call tomoyo_free()
754 * if this function didn't return NULL.
756 static const char *tomoyo_get_exe(void)
758 struct mm_struct *mm = current->mm;
759 struct vm_area_struct *vma;
760 const char *cp = NULL;
764 down_read(&mm->mmap_sem);
765 for (vma = mm->mmap; vma; vma = vma->vm_next) {
766 if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) {
767 cp = tomoyo_realpath_from_path(&vma->vm_file->f_path);
771 up_read(&mm->mmap_sem);
776 * tomoyo_get_msg - Get warning message.
778 * @is_enforce: Is it enforcing mode?
780 * Returns "ERROR" or "WARNING".
782 const char *tomoyo_get_msg(const bool is_enforce)
791 * tomoyo_check_flags - Check mode for specified functionality.
793 * @domain: Pointer to "struct tomoyo_domain_info".
794 * @index: The functionality to check mode.
796 * TOMOYO checks only process context.
797 * This code disables TOMOYO's enforcement in case the function is called from
800 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
803 const u8 profile = domain->profile;
805 if (WARN_ON(in_interrupt()))
807 return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX
808 #if TOMOYO_MAX_PROFILES != 256
809 && profile < TOMOYO_MAX_PROFILES
811 && tomoyo_profile_ptr[profile] ?
812 tomoyo_profile_ptr[profile]->value[index] : 0;
816 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
818 * @domain: Pointer to "struct tomoyo_domain_info".
820 * Returns true if domain policy violation warning should be printed to
823 bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain)
825 return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0;
829 * tomoyo_domain_quota_is_ok - Check for domain's quota.
831 * @domain: Pointer to "struct tomoyo_domain_info".
833 * Returns true if the domain is not exceeded quota, false otherwise.
835 * Caller holds tomoyo_read_lock().
837 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
839 unsigned int count = 0;
840 struct tomoyo_acl_info *ptr;
844 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
845 if (ptr->type & TOMOYO_ACL_DELETED)
847 switch (tomoyo_acl_type2(ptr)) {
848 struct tomoyo_single_path_acl_record *acl;
851 case TOMOYO_TYPE_SINGLE_PATH_ACL:
852 acl = container_of(ptr,
853 struct tomoyo_single_path_acl_record,
855 perm = acl->perm | (((u32) acl->perm_high) << 16);
856 for (i = 0; i < TOMOYO_MAX_SINGLE_PATH_OPERATION; i++)
859 if (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
862 case TOMOYO_TYPE_DOUBLE_PATH_ACL:
863 perm = container_of(ptr,
864 struct tomoyo_double_path_acl_record,
866 for (i = 0; i < TOMOYO_MAX_DOUBLE_PATH_OPERATION; i++)
872 if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
874 if (!domain->quota_warned) {
875 domain->quota_warned = true;
876 printk(KERN_WARNING "TOMOYO-WARNING: "
877 "Domain '%s' has so many ACLs to hold. "
878 "Stopped learning mode.\n", domain->domainname->name);
884 * tomoyo_find_or_assign_new_profile - Create a new profile.
886 * @profile: Profile number to create.
888 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
890 static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
893 static DEFINE_MUTEX(lock);
894 struct tomoyo_profile *ptr = NULL;
897 if (profile >= TOMOYO_MAX_PROFILES)
900 ptr = tomoyo_profile_ptr[profile];
903 ptr = tomoyo_alloc_element(sizeof(*ptr));
906 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++)
907 ptr->value[i] = tomoyo_control_array[i].current_value;
908 mb(); /* Avoid out-of-order execution. */
909 tomoyo_profile_ptr[profile] = ptr;
916 * tomoyo_write_profile - Write to profile table.
918 * @head: Pointer to "struct tomoyo_io_buffer".
920 * Returns 0 on success, negative value otherwise.
922 static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
924 char *data = head->write_buf;
928 struct tomoyo_profile *profile;
931 cp = strchr(data, '-');
934 if (strict_strtoul(data, 10, &num))
938 profile = tomoyo_find_or_assign_new_profile(num);
941 cp = strchr(data, '=');
945 if (!strcmp(data, "COMMENT")) {
946 profile->comment = tomoyo_save_name(cp + 1);
949 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) {
950 if (strcmp(data, tomoyo_control_array[i].keyword))
952 if (sscanf(cp + 1, "%u", &value) != 1) {
957 modes = tomoyo_mode_2;
960 modes = tomoyo_mode_4;
963 for (j = 0; j < 4; j++) {
964 if (strcmp(cp + 1, modes[j]))
971 } else if (value > tomoyo_control_array[i].max_value) {
972 value = tomoyo_control_array[i].max_value;
974 profile->value[i] = value;
981 * tomoyo_read_profile - Read from profile table.
983 * @head: Pointer to "struct tomoyo_io_buffer".
987 static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
989 static const int total = TOMOYO_MAX_CONTROL_INDEX + 1;
994 for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total;
996 const u8 index = step / total;
997 u8 type = step % total;
998 const struct tomoyo_profile *profile
999 = tomoyo_profile_ptr[index];
1000 head->read_step = step;
1003 if (!type) { /* Print profile' comment tag. */
1004 if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n",
1005 index, profile->comment ?
1006 profile->comment->name : ""))
1011 if (type < TOMOYO_MAX_CONTROL_INDEX) {
1012 const unsigned int value = profile->value[type];
1013 const char **modes = NULL;
1015 = tomoyo_control_array[type].keyword;
1016 switch (tomoyo_control_array[type].max_value) {
1018 modes = tomoyo_mode_4;
1021 modes = tomoyo_mode_2;
1025 if (!tomoyo_io_printf(head, "%u-%s=%s\n", index,
1026 keyword, modes[value]))
1029 if (!tomoyo_io_printf(head, "%u-%s=%u\n", index,
1035 if (step == TOMOYO_MAX_PROFILES * total)
1036 head->read_eof = true;
1041 * tomoyo_policy_manager_entry is a structure which is used for holding list of
1042 * domainnames or programs which are permitted to modify configuration via
1043 * /sys/kernel/security/tomoyo/ interface.
1044 * It has following fields.
1046 * (1) "list" which is linked to tomoyo_policy_manager_list .
1047 * (2) "manager" is a domainname or a program's pathname.
1048 * (3) "is_domain" is a bool which is true if "manager" is a domainname, false
1050 * (4) "is_deleted" is a bool which is true if marked as deleted, false
1053 struct tomoyo_policy_manager_entry {
1054 struct list_head list;
1055 /* A path to program or a domainname. */
1056 const struct tomoyo_path_info *manager;
1057 bool is_domain; /* True if manager is a domainname. */
1058 bool is_deleted; /* True if this entry is deleted. */
1062 * tomoyo_policy_manager_list is used for holding list of domainnames or
1063 * programs which are permitted to modify configuration via
1064 * /sys/kernel/security/tomoyo/ interface.
1066 * An entry is added by
1068 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1069 * /sys/kernel/security/tomoyo/manager
1070 * (if you want to specify by a domainname)
1074 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1075 * (if you want to specify by a program's location)
1079 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1080 * /sys/kernel/security/tomoyo/manager
1084 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1085 * /sys/kernel/security/tomoyo/manager
1087 * and all entries are retrieved by
1089 * # cat /sys/kernel/security/tomoyo/manager
1091 static LIST_HEAD(tomoyo_policy_manager_list);
1094 * tomoyo_update_manager_entry - Add a manager entry.
1096 * @manager: The path to manager or the domainnamme.
1097 * @is_delete: True if it is a delete request.
1099 * Returns 0 on success, negative value otherwise.
1101 * Caller holds tomoyo_read_lock().
1103 static int tomoyo_update_manager_entry(const char *manager,
1104 const bool is_delete)
1106 struct tomoyo_policy_manager_entry *new_entry;
1107 struct tomoyo_policy_manager_entry *ptr;
1108 const struct tomoyo_path_info *saved_manager;
1109 int error = -ENOMEM;
1110 bool is_domain = false;
1112 if (tomoyo_is_domain_def(manager)) {
1113 if (!tomoyo_is_correct_domain(manager, __func__))
1117 if (!tomoyo_is_correct_path(manager, 1, -1, -1, __func__))
1120 saved_manager = tomoyo_save_name(manager);
1123 mutex_lock(&tomoyo_policy_lock);
1124 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1125 if (ptr->manager != saved_manager)
1127 ptr->is_deleted = is_delete;
1135 new_entry = tomoyo_alloc_element(sizeof(*new_entry));
1138 new_entry->manager = saved_manager;
1139 new_entry->is_domain = is_domain;
1140 list_add_tail_rcu(&new_entry->list, &tomoyo_policy_manager_list);
1143 mutex_unlock(&tomoyo_policy_lock);
1148 * tomoyo_write_manager_policy - Write manager policy.
1150 * @head: Pointer to "struct tomoyo_io_buffer".
1152 * Returns 0 on success, negative value otherwise.
1154 * Caller holds tomoyo_read_lock().
1156 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
1158 char *data = head->write_buf;
1159 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
1161 if (!strcmp(data, "manage_by_non_root")) {
1162 tomoyo_manage_by_non_root = !is_delete;
1165 return tomoyo_update_manager_entry(data, is_delete);
1169 * tomoyo_read_manager_policy - Read manager policy.
1171 * @head: Pointer to "struct tomoyo_io_buffer".
1175 * Caller holds tomoyo_read_lock().
1177 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
1179 struct list_head *pos;
1184 list_for_each_cookie(pos, head->read_var2,
1185 &tomoyo_policy_manager_list) {
1186 struct tomoyo_policy_manager_entry *ptr;
1187 ptr = list_entry(pos, struct tomoyo_policy_manager_entry,
1189 if (ptr->is_deleted)
1191 done = tomoyo_io_printf(head, "%s\n", ptr->manager->name);
1195 head->read_eof = done;
1200 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1202 * Returns true if the current process is permitted to modify policy
1203 * via /sys/kernel/security/tomoyo/ interface.
1205 * Caller holds tomoyo_read_lock().
1207 static bool tomoyo_is_policy_manager(void)
1209 struct tomoyo_policy_manager_entry *ptr;
1211 const struct task_struct *task = current;
1212 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
1215 if (!tomoyo_policy_loaded)
1217 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
1219 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1220 if (!ptr->is_deleted && ptr->is_domain
1221 && !tomoyo_pathcmp(domainname, ptr->manager)) {
1228 exe = tomoyo_get_exe();
1231 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1232 if (!ptr->is_deleted && !ptr->is_domain
1233 && !strcmp(exe, ptr->manager->name)) {
1238 if (!found) { /* Reduce error messages. */
1239 static pid_t last_pid;
1240 const pid_t pid = current->pid;
1241 if (last_pid != pid) {
1242 printk(KERN_WARNING "%s ( %s ) is not permitted to "
1243 "update policies.\n", domainname->name, exe);
1252 * tomoyo_is_select_one - Parse select command.
1254 * @head: Pointer to "struct tomoyo_io_buffer".
1255 * @data: String to parse.
1257 * Returns true on success, false otherwise.
1259 * Caller holds tomoyo_read_lock().
1261 static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
1265 struct tomoyo_domain_info *domain = NULL;
1267 if (sscanf(data, "pid=%u", &pid) == 1) {
1268 struct task_struct *p;
1269 read_lock(&tasklist_lock);
1270 p = find_task_by_vpid(pid);
1272 domain = tomoyo_real_domain(p);
1273 read_unlock(&tasklist_lock);
1274 } else if (!strncmp(data, "domain=", 7)) {
1275 if (tomoyo_is_domain_def(data + 7))
1276 domain = tomoyo_find_domain(data + 7);
1279 head->write_var1 = domain;
1280 /* Accessing read_buf is safe because head->io_sem is held. */
1281 if (!head->read_buf)
1282 return true; /* Do nothing if open(O_WRONLY). */
1283 head->read_avail = 0;
1284 tomoyo_io_printf(head, "# select %s\n", data);
1285 head->read_single_domain = true;
1286 head->read_eof = !domain;
1288 struct tomoyo_domain_info *d;
1289 head->read_var1 = NULL;
1290 list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
1293 head->read_var1 = &d->list;
1295 head->read_var2 = NULL;
1297 head->read_step = 0;
1298 if (domain->is_deleted)
1299 tomoyo_io_printf(head, "# This is a deleted domain.\n");
1305 * tomoyo_delete_domain - Delete a domain.
1307 * @domainname: The name of domain.
1311 * Caller holds tomoyo_read_lock().
1313 static int tomoyo_delete_domain(char *domainname)
1315 struct tomoyo_domain_info *domain;
1316 struct tomoyo_path_info name;
1318 name.name = domainname;
1319 tomoyo_fill_path_info(&name);
1320 mutex_lock(&tomoyo_policy_lock);
1321 /* Is there an active domain? */
1322 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
1323 /* Never delete tomoyo_kernel_domain */
1324 if (domain == &tomoyo_kernel_domain)
1326 if (domain->is_deleted ||
1327 tomoyo_pathcmp(domain->domainname, &name))
1329 domain->is_deleted = true;
1332 mutex_unlock(&tomoyo_policy_lock);
1337 * tomoyo_write_domain_policy - Write domain policy.
1339 * @head: Pointer to "struct tomoyo_io_buffer".
1341 * Returns 0 on success, negative value otherwise.
1343 * Caller holds tomoyo_read_lock().
1345 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
1347 char *data = head->write_buf;
1348 struct tomoyo_domain_info *domain = head->write_var1;
1349 bool is_delete = false;
1350 bool is_select = false;
1351 unsigned int profile;
1353 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE))
1355 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT))
1357 if (is_select && tomoyo_is_select_one(head, data))
1359 /* Don't allow updating policies by non manager programs. */
1360 if (!tomoyo_is_policy_manager())
1362 if (tomoyo_is_domain_def(data)) {
1365 tomoyo_delete_domain(data);
1367 domain = tomoyo_find_domain(data);
1369 domain = tomoyo_find_or_assign_new_domain(data, 0);
1370 head->write_var1 = domain;
1376 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1
1377 && profile < TOMOYO_MAX_PROFILES) {
1378 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)
1379 domain->profile = (u8) profile;
1382 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) {
1383 tomoyo_set_domain_flag(domain, is_delete,
1384 TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ);
1387 return tomoyo_write_file_policy(data, domain, is_delete);
1391 * tomoyo_print_single_path_acl - Print a single path ACL entry.
1393 * @head: Pointer to "struct tomoyo_io_buffer".
1394 * @ptr: Pointer to "struct tomoyo_single_path_acl_record".
1396 * Returns true on success, false otherwise.
1398 static bool tomoyo_print_single_path_acl(struct tomoyo_io_buffer *head,
1399 struct tomoyo_single_path_acl_record *
1404 const char *atmark = "";
1405 const char *filename;
1406 const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16);
1408 filename = ptr->filename->name;
1409 for (bit = head->read_bit; bit < TOMOYO_MAX_SINGLE_PATH_OPERATION;
1412 if (!(perm & (1 << bit)))
1414 /* Print "read/write" instead of "read" and "write". */
1415 if ((bit == TOMOYO_TYPE_READ_ACL ||
1416 bit == TOMOYO_TYPE_WRITE_ACL)
1417 && (perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
1419 msg = tomoyo_sp2keyword(bit);
1420 pos = head->read_avail;
1421 if (!tomoyo_io_printf(head, "allow_%s %s%s\n", msg,
1428 head->read_bit = bit;
1429 head->read_avail = pos;
1434 * tomoyo_print_double_path_acl - Print a double path ACL entry.
1436 * @head: Pointer to "struct tomoyo_io_buffer".
1437 * @ptr: Pointer to "struct tomoyo_double_path_acl_record".
1439 * Returns true on success, false otherwise.
1441 static bool tomoyo_print_double_path_acl(struct tomoyo_io_buffer *head,
1442 struct tomoyo_double_path_acl_record *
1446 const char *atmark1 = "";
1447 const char *atmark2 = "";
1448 const char *filename1;
1449 const char *filename2;
1450 const u8 perm = ptr->perm;
1453 filename1 = ptr->filename1->name;
1454 filename2 = ptr->filename2->name;
1455 for (bit = head->read_bit; bit < TOMOYO_MAX_DOUBLE_PATH_OPERATION;
1458 if (!(perm & (1 << bit)))
1460 msg = tomoyo_dp2keyword(bit);
1461 pos = head->read_avail;
1462 if (!tomoyo_io_printf(head, "allow_%s %s%s %s%s\n", msg,
1463 atmark1, filename1, atmark2, filename2))
1469 head->read_bit = bit;
1470 head->read_avail = pos;
1475 * tomoyo_print_entry - Print an ACL entry.
1477 * @head: Pointer to "struct tomoyo_io_buffer".
1478 * @ptr: Pointer to an ACL entry.
1480 * Returns true on success, false otherwise.
1482 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
1483 struct tomoyo_acl_info *ptr)
1485 const u8 acl_type = tomoyo_acl_type2(ptr);
1487 if (acl_type & TOMOYO_ACL_DELETED)
1489 if (acl_type == TOMOYO_TYPE_SINGLE_PATH_ACL) {
1490 struct tomoyo_single_path_acl_record *acl
1492 struct tomoyo_single_path_acl_record,
1494 return tomoyo_print_single_path_acl(head, acl);
1496 if (acl_type == TOMOYO_TYPE_DOUBLE_PATH_ACL) {
1497 struct tomoyo_double_path_acl_record *acl
1499 struct tomoyo_double_path_acl_record,
1501 return tomoyo_print_double_path_acl(head, acl);
1503 BUG(); /* This must not happen. */
1508 * tomoyo_read_domain_policy - Read domain policy.
1510 * @head: Pointer to "struct tomoyo_io_buffer".
1514 * Caller holds tomoyo_read_lock().
1516 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
1518 struct list_head *dpos;
1519 struct list_head *apos;
1524 if (head->read_step == 0)
1525 head->read_step = 1;
1526 list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
1527 struct tomoyo_domain_info *domain;
1528 const char *quota_exceeded = "";
1529 const char *transition_failed = "";
1530 const char *ignore_global_allow_read = "";
1531 domain = list_entry(dpos, struct tomoyo_domain_info, list);
1532 if (head->read_step != 1)
1534 if (domain->is_deleted && !head->read_single_domain)
1536 /* Print domainname and flags. */
1537 if (domain->quota_warned)
1538 quota_exceeded = "quota_exceeded\n";
1539 if (domain->flags & TOMOYO_DOMAIN_FLAGS_TRANSITION_FAILED)
1540 transition_failed = "transition_failed\n";
1542 TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ)
1543 ignore_global_allow_read
1544 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
1545 done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1547 domain->domainname->name,
1548 domain->profile, quota_exceeded,
1550 ignore_global_allow_read);
1553 head->read_step = 2;
1555 if (head->read_step == 3)
1557 /* Print ACL entries in the domain. */
1558 list_for_each_cookie(apos, head->read_var2,
1559 &domain->acl_info_list) {
1560 struct tomoyo_acl_info *ptr
1561 = list_entry(apos, struct tomoyo_acl_info,
1563 done = tomoyo_print_entry(head, ptr);
1569 head->read_step = 3;
1571 done = tomoyo_io_printf(head, "\n");
1574 head->read_step = 1;
1575 if (head->read_single_domain)
1578 head->read_eof = done;
1583 * tomoyo_write_domain_profile - Assign profile for specified domain.
1585 * @head: Pointer to "struct tomoyo_io_buffer".
1587 * Returns 0 on success, -EINVAL otherwise.
1589 * This is equivalent to doing
1591 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1592 * /usr/lib/ccs/loadpolicy -d
1594 * Caller holds tomoyo_read_lock().
1596 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
1598 char *data = head->write_buf;
1599 char *cp = strchr(data, ' ');
1600 struct tomoyo_domain_info *domain;
1601 unsigned long profile;
1606 domain = tomoyo_find_domain(cp + 1);
1607 if (strict_strtoul(data, 10, &profile))
1609 if (domain && profile < TOMOYO_MAX_PROFILES
1610 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded))
1611 domain->profile = (u8) profile;
1616 * tomoyo_read_domain_profile - Read only domainname and profile.
1618 * @head: Pointer to "struct tomoyo_io_buffer".
1620 * Returns list of profile number and domainname pairs.
1622 * This is equivalent to doing
1624 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1625 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1626 * domainname = $0; } else if ( $1 == "use_profile" ) {
1627 * print $2 " " domainname; domainname = ""; } } ; '
1629 * Caller holds tomoyo_read_lock().
1631 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
1633 struct list_head *pos;
1638 list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) {
1639 struct tomoyo_domain_info *domain;
1640 domain = list_entry(pos, struct tomoyo_domain_info, list);
1641 if (domain->is_deleted)
1643 done = tomoyo_io_printf(head, "%u %s\n", domain->profile,
1644 domain->domainname->name);
1648 head->read_eof = done;
1653 * tomoyo_write_pid: Specify PID to obtain domainname.
1655 * @head: Pointer to "struct tomoyo_io_buffer".
1659 static int tomoyo_write_pid(struct tomoyo_io_buffer *head)
1662 /* No error check. */
1663 strict_strtoul(head->write_buf, 10, &pid);
1664 head->read_step = (int) pid;
1665 head->read_eof = false;
1670 * tomoyo_read_pid - Get domainname of the specified PID.
1672 * @head: Pointer to "struct tomoyo_io_buffer".
1674 * Returns the domainname which the specified PID is in on success,
1675 * empty string otherwise.
1676 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1677 * using read()/write() interface rather than sysctl() interface.
1679 static int tomoyo_read_pid(struct tomoyo_io_buffer *head)
1681 if (head->read_avail == 0 && !head->read_eof) {
1682 const int pid = head->read_step;
1683 struct task_struct *p;
1684 struct tomoyo_domain_info *domain = NULL;
1685 read_lock(&tasklist_lock);
1686 p = find_task_by_vpid(pid);
1688 domain = tomoyo_real_domain(p);
1689 read_unlock(&tasklist_lock);
1691 tomoyo_io_printf(head, "%d %u %s", pid, domain->profile,
1692 domain->domainname->name);
1693 head->read_eof = true;
1699 * tomoyo_write_exception_policy - Write exception policy.
1701 * @head: Pointer to "struct tomoyo_io_buffer".
1703 * Returns 0 on success, negative value otherwise.
1705 * Caller holds tomoyo_read_lock().
1707 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
1709 char *data = head->write_buf;
1710 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
1712 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN))
1713 return tomoyo_write_domain_keeper_policy(data, false,
1715 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN))
1716 return tomoyo_write_domain_keeper_policy(data, true, is_delete);
1717 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN))
1718 return tomoyo_write_domain_initializer_policy(data, false,
1720 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN))
1721 return tomoyo_write_domain_initializer_policy(data, true,
1723 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS))
1724 return tomoyo_write_alias_policy(data, is_delete);
1725 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ))
1726 return tomoyo_write_globally_readable_policy(data, is_delete);
1727 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN))
1728 return tomoyo_write_pattern_policy(data, is_delete);
1729 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE))
1730 return tomoyo_write_no_rewrite_policy(data, is_delete);
1735 * tomoyo_read_exception_policy - Read exception policy.
1737 * @head: Pointer to "struct tomoyo_io_buffer".
1739 * Returns 0 on success, -EINVAL otherwise.
1741 * Caller holds tomoyo_read_lock().
1743 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head)
1745 if (!head->read_eof) {
1746 switch (head->read_step) {
1748 head->read_var2 = NULL;
1749 head->read_step = 1;
1751 if (!tomoyo_read_domain_keeper_policy(head))
1753 head->read_var2 = NULL;
1754 head->read_step = 2;
1756 if (!tomoyo_read_globally_readable_policy(head))
1758 head->read_var2 = NULL;
1759 head->read_step = 3;
1761 head->read_var2 = NULL;
1762 head->read_step = 4;
1764 if (!tomoyo_read_domain_initializer_policy(head))
1766 head->read_var2 = NULL;
1767 head->read_step = 5;
1769 if (!tomoyo_read_alias_policy(head))
1771 head->read_var2 = NULL;
1772 head->read_step = 6;
1774 head->read_var2 = NULL;
1775 head->read_step = 7;
1777 if (!tomoyo_read_file_pattern(head))
1779 head->read_var2 = NULL;
1780 head->read_step = 8;
1782 if (!tomoyo_read_no_rewrite_policy(head))
1784 head->read_var2 = NULL;
1785 head->read_step = 9;
1787 head->read_eof = true;
1796 /* path to policy loader */
1797 static const char *tomoyo_loader = "/sbin/tomoyo-init";
1800 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
1802 * Returns true if /sbin/tomoyo-init exists, false otherwise.
1804 static bool tomoyo_policy_loader_exists(void)
1807 * Don't activate MAC if the policy loader doesn't exist.
1808 * If the initrd includes /sbin/init but real-root-dev has not
1809 * mounted on / yet, activating MAC will block the system since
1810 * policies are not loaded yet.
1811 * Thus, let do_execve() call this function everytime.
1815 if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
1816 printk(KERN_INFO "Not activating Mandatory Access Control now "
1817 "since %s doesn't exist.\n", tomoyo_loader);
1825 * tomoyo_load_policy - Run external policy loader to load policy.
1827 * @filename: The program about to start.
1829 * This function checks whether @filename is /sbin/init , and if so
1830 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
1831 * and then continues invocation of /sbin/init.
1832 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
1833 * writes to /sys/kernel/security/tomoyo/ interfaces.
1837 void tomoyo_load_policy(const char *filename)
1842 if (tomoyo_policy_loaded)
1845 * Check filename is /sbin/init or /sbin/tomoyo-start.
1846 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
1848 * You can create /sbin/tomoyo-start by
1849 * "ln -s /bin/true /sbin/tomoyo-start".
1851 if (strcmp(filename, "/sbin/init") &&
1852 strcmp(filename, "/sbin/tomoyo-start"))
1854 if (!tomoyo_policy_loader_exists())
1857 printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
1859 argv[0] = (char *) tomoyo_loader;
1862 envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
1864 call_usermodehelper(argv[0], argv, envp, 1);
1866 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n");
1867 printk(KERN_INFO "Mandatory Access Control activated.\n");
1868 tomoyo_policy_loaded = true;
1869 { /* Check all profiles currently assigned to domains are defined. */
1870 struct tomoyo_domain_info *domain;
1871 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
1872 const u8 profile = domain->profile;
1873 if (tomoyo_profile_ptr[profile])
1875 panic("Profile %u (used by '%s') not defined.\n",
1876 profile, domain->domainname->name);
1882 * tomoyo_read_version: Get version.
1884 * @head: Pointer to "struct tomoyo_io_buffer".
1886 * Returns version information.
1888 static int tomoyo_read_version(struct tomoyo_io_buffer *head)
1890 if (!head->read_eof) {
1891 tomoyo_io_printf(head, "2.2.0");
1892 head->read_eof = true;
1898 * tomoyo_read_self_domain - Get the current process's domainname.
1900 * @head: Pointer to "struct tomoyo_io_buffer".
1902 * Returns the current process's domainname.
1904 static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head)
1906 if (!head->read_eof) {
1908 * tomoyo_domain()->domainname != NULL
1909 * because every process belongs to a domain and
1910 * the domain's name cannot be NULL.
1912 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name);
1913 head->read_eof = true;
1919 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
1921 * @type: Type of interface.
1922 * @file: Pointer to "struct file".
1924 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
1926 * Caller acquires tomoyo_read_lock().
1928 static int tomoyo_open_control(const u8 type, struct file *file)
1930 struct tomoyo_io_buffer *head = tomoyo_alloc(sizeof(*head));
1934 mutex_init(&head->io_sem);
1936 case TOMOYO_DOMAINPOLICY:
1937 /* /sys/kernel/security/tomoyo/domain_policy */
1938 head->write = tomoyo_write_domain_policy;
1939 head->read = tomoyo_read_domain_policy;
1941 case TOMOYO_EXCEPTIONPOLICY:
1942 /* /sys/kernel/security/tomoyo/exception_policy */
1943 head->write = tomoyo_write_exception_policy;
1944 head->read = tomoyo_read_exception_policy;
1946 case TOMOYO_SELFDOMAIN:
1947 /* /sys/kernel/security/tomoyo/self_domain */
1948 head->read = tomoyo_read_self_domain;
1950 case TOMOYO_DOMAIN_STATUS:
1951 /* /sys/kernel/security/tomoyo/.domain_status */
1952 head->write = tomoyo_write_domain_profile;
1953 head->read = tomoyo_read_domain_profile;
1955 case TOMOYO_PROCESS_STATUS:
1956 /* /sys/kernel/security/tomoyo/.process_status */
1957 head->write = tomoyo_write_pid;
1958 head->read = tomoyo_read_pid;
1960 case TOMOYO_VERSION:
1961 /* /sys/kernel/security/tomoyo/version */
1962 head->read = tomoyo_read_version;
1963 head->readbuf_size = 128;
1965 case TOMOYO_MEMINFO:
1966 /* /sys/kernel/security/tomoyo/meminfo */
1967 head->write = tomoyo_write_memory_quota;
1968 head->read = tomoyo_read_memory_counter;
1969 head->readbuf_size = 512;
1971 case TOMOYO_PROFILE:
1972 /* /sys/kernel/security/tomoyo/profile */
1973 head->write = tomoyo_write_profile;
1974 head->read = tomoyo_read_profile;
1976 case TOMOYO_MANAGER:
1977 /* /sys/kernel/security/tomoyo/manager */
1978 head->write = tomoyo_write_manager_policy;
1979 head->read = tomoyo_read_manager_policy;
1982 if (!(file->f_mode & FMODE_READ)) {
1984 * No need to allocate read_buf since it is not opened
1989 if (!head->readbuf_size)
1990 head->readbuf_size = 4096 * 2;
1991 head->read_buf = tomoyo_alloc(head->readbuf_size);
1992 if (!head->read_buf) {
1997 if (!(file->f_mode & FMODE_WRITE)) {
1999 * No need to allocate write_buf since it is not opened
2003 } else if (head->write) {
2004 head->writebuf_size = 4096 * 2;
2005 head->write_buf = tomoyo_alloc(head->writebuf_size);
2006 if (!head->write_buf) {
2007 tomoyo_free(head->read_buf);
2012 head->reader_idx = tomoyo_read_lock();
2013 file->private_data = head;
2015 * Call the handler now if the file is
2016 * /sys/kernel/security/tomoyo/self_domain
2017 * so that the user can use
2018 * cat < /sys/kernel/security/tomoyo/self_domain"
2019 * to know the current process's domainname.
2021 if (type == TOMOYO_SELFDOMAIN)
2022 tomoyo_read_control(file, NULL, 0);
2027 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
2029 * @file: Pointer to "struct file".
2030 * @buffer: Poiner to buffer to write to.
2031 * @buffer_len: Size of @buffer.
2033 * Returns bytes read on success, negative value otherwise.
2035 * Caller holds tomoyo_read_lock().
2037 static int tomoyo_read_control(struct file *file, char __user *buffer,
2038 const int buffer_len)
2041 struct tomoyo_io_buffer *head = file->private_data;
2046 if (mutex_lock_interruptible(&head->io_sem))
2048 /* Call the policy handler. */
2049 len = head->read(head);
2052 /* Write to buffer. */
2053 len = head->read_avail;
2054 if (len > buffer_len)
2058 /* head->read_buf changes by some functions. */
2059 cp = head->read_buf;
2060 if (copy_to_user(buffer, cp, len)) {
2064 head->read_avail -= len;
2065 memmove(cp, cp + len, head->read_avail);
2067 mutex_unlock(&head->io_sem);
2072 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2074 * @file: Pointer to "struct file".
2075 * @buffer: Pointer to buffer to read from.
2076 * @buffer_len: Size of @buffer.
2078 * Returns @buffer_len on success, negative value otherwise.
2080 * Caller holds tomoyo_read_lock().
2082 static int tomoyo_write_control(struct file *file, const char __user *buffer,
2083 const int buffer_len)
2085 struct tomoyo_io_buffer *head = file->private_data;
2086 int error = buffer_len;
2087 int avail_len = buffer_len;
2088 char *cp0 = head->write_buf;
2092 if (!access_ok(VERIFY_READ, buffer, buffer_len))
2094 /* Don't allow updating policies by non manager programs. */
2095 if (head->write != tomoyo_write_pid &&
2096 head->write != tomoyo_write_domain_policy &&
2097 !tomoyo_is_policy_manager())
2099 if (mutex_lock_interruptible(&head->io_sem))
2101 /* Read a line and dispatch it to the policy handler. */
2102 while (avail_len > 0) {
2104 if (head->write_avail >= head->writebuf_size - 1) {
2107 } else if (get_user(c, buffer)) {
2113 cp0[head->write_avail++] = c;
2116 cp0[head->write_avail - 1] = '\0';
2117 head->write_avail = 0;
2118 tomoyo_normalize_line(cp0);
2121 mutex_unlock(&head->io_sem);
2126 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2128 * @file: Pointer to "struct file".
2130 * Releases memory and returns 0.
2132 * Caller looses tomoyo_read_lock().
2134 static int tomoyo_close_control(struct file *file)
2136 struct tomoyo_io_buffer *head = file->private_data;
2138 tomoyo_read_unlock(head->reader_idx);
2139 /* Release memory used for policy I/O. */
2140 tomoyo_free(head->read_buf);
2141 head->read_buf = NULL;
2142 tomoyo_free(head->write_buf);
2143 head->write_buf = NULL;
2146 file->private_data = NULL;
2151 * tomoyo_alloc_acl_element - Allocate permanent memory for ACL entry.
2153 * @acl_type: Type of ACL entry.
2155 * Returns pointer to the ACL entry on success, NULL otherwise.
2157 void *tomoyo_alloc_acl_element(const u8 acl_type)
2160 struct tomoyo_acl_info *ptr;
2163 case TOMOYO_TYPE_SINGLE_PATH_ACL:
2164 len = sizeof(struct tomoyo_single_path_acl_record);
2166 case TOMOYO_TYPE_DOUBLE_PATH_ACL:
2167 len = sizeof(struct tomoyo_double_path_acl_record);
2172 ptr = tomoyo_alloc_element(len);
2175 ptr->type = acl_type;
2180 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2182 * @inode: Pointer to "struct inode".
2183 * @file: Pointer to "struct file".
2185 * Returns 0 on success, negative value otherwise.
2187 static int tomoyo_open(struct inode *inode, struct file *file)
2189 const int key = ((u8 *) file->f_path.dentry->d_inode->i_private)
2191 return tomoyo_open_control(key, file);
2195 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2197 * @inode: Pointer to "struct inode".
2198 * @file: Pointer to "struct file".
2200 * Returns 0 on success, negative value otherwise.
2202 static int tomoyo_release(struct inode *inode, struct file *file)
2204 return tomoyo_close_control(file);
2208 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2210 * @file: Pointer to "struct file".
2211 * @buf: Pointer to buffer.
2212 * @count: Size of @buf.
2215 * Returns bytes read on success, negative value otherwise.
2217 static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
2220 return tomoyo_read_control(file, buf, count);
2224 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2226 * @file: Pointer to "struct file".
2227 * @buf: Pointer to buffer.
2228 * @count: Size of @buf.
2231 * Returns @count on success, negative value otherwise.
2233 static ssize_t tomoyo_write(struct file *file, const char __user *buf,
2234 size_t count, loff_t *ppos)
2236 return tomoyo_write_control(file, buf, count);
2240 * tomoyo_operations is a "struct file_operations" which is used for handling
2241 * /sys/kernel/security/tomoyo/ interface.
2243 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2244 * See tomoyo_io_buffer for internals.
2246 static const struct file_operations tomoyo_operations = {
2247 .open = tomoyo_open,
2248 .release = tomoyo_release,
2249 .read = tomoyo_read,
2250 .write = tomoyo_write,
2254 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2256 * @name: The name of the interface file.
2257 * @mode: The permission of the interface file.
2258 * @parent: The parent directory.
2259 * @key: Type of interface.
2263 static void __init tomoyo_create_entry(const char *name, const mode_t mode,
2264 struct dentry *parent, const u8 key)
2266 securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,
2267 &tomoyo_operations);
2271 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2275 static int __init tomoyo_initerface_init(void)
2277 struct dentry *tomoyo_dir;
2279 /* Don't create securityfs entries unless registered. */
2280 if (current_cred()->security != &tomoyo_kernel_domain)
2283 tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
2284 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir,
2285 TOMOYO_DOMAINPOLICY);
2286 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir,
2287 TOMOYO_EXCEPTIONPOLICY);
2288 tomoyo_create_entry("self_domain", 0400, tomoyo_dir,
2290 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir,
2291 TOMOYO_DOMAIN_STATUS);
2292 tomoyo_create_entry(".process_status", 0600, tomoyo_dir,
2293 TOMOYO_PROCESS_STATUS);
2294 tomoyo_create_entry("meminfo", 0600, tomoyo_dir,
2296 tomoyo_create_entry("profile", 0600, tomoyo_dir,
2298 tomoyo_create_entry("manager", 0600, tomoyo_dir,
2300 tomoyo_create_entry("version", 0400, tomoyo_dir,
2305 fs_initcall(tomoyo_initerface_init);