]>
Commit | Line | Data |
---|---|---|
26a2a1c9 KT |
1 | /* |
2 | * security/tomoyo/domain.c | |
3 | * | |
4 | * Implementation of the Domain-Based Mandatory Access Control. | |
5 | * | |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | |
7 | * | |
39826a1e | 8 | * Version: 2.2.0 2009/04/01 |
26a2a1c9 KT |
9 | * |
10 | */ | |
11 | ||
12 | #include "common.h" | |
26a2a1c9 KT |
13 | #include <linux/binfmts.h> |
14 | ||
15 | /* Variables definitions.*/ | |
16 | ||
17 | /* The initial domain. */ | |
18 | struct tomoyo_domain_info tomoyo_kernel_domain; | |
19 | ||
c3fa109a TH |
20 | /* |
21 | * tomoyo_domain_list is used for holding list of domains. | |
22 | * The ->acl_info_list of "struct tomoyo_domain_info" is used for holding | |
23 | * permissions (e.g. "allow_read /lib/libc-2.5.so") given to each domain. | |
24 | * | |
25 | * An entry is added by | |
26 | * | |
27 | * # ( echo "<kernel>"; echo "allow_execute /sbin/init" ) > \ | |
28 | * /sys/kernel/security/tomoyo/domain_policy | |
29 | * | |
30 | * and is deleted by | |
31 | * | |
32 | * # ( echo "<kernel>"; echo "delete allow_execute /sbin/init" ) > \ | |
33 | * /sys/kernel/security/tomoyo/domain_policy | |
34 | * | |
35 | * and all entries are retrieved by | |
36 | * | |
37 | * # cat /sys/kernel/security/tomoyo/domain_policy | |
38 | * | |
39 | * A domain is added by | |
40 | * | |
41 | * # echo "<kernel>" > /sys/kernel/security/tomoyo/domain_policy | |
42 | * | |
43 | * and is deleted by | |
44 | * | |
45 | * # echo "delete <kernel>" > /sys/kernel/security/tomoyo/domain_policy | |
46 | * | |
47 | * and all domains are retrieved by | |
48 | * | |
49 | * # grep '^<kernel>' /sys/kernel/security/tomoyo/domain_policy | |
50 | * | |
51 | * Normally, a domainname is monotonically getting longer because a domainname | |
52 | * which the process will belong to if an execve() operation succeeds is | |
53 | * defined as a concatenation of "current domainname" + "pathname passed to | |
54 | * execve()". | |
55 | * See tomoyo_domain_initializer_list and tomoyo_domain_keeper_list for | |
56 | * exceptions. | |
57 | */ | |
26a2a1c9 | 58 | LIST_HEAD(tomoyo_domain_list); |
26a2a1c9 | 59 | |
26a2a1c9 KT |
60 | /** |
61 | * tomoyo_get_last_name - Get last component of a domainname. | |
62 | * | |
63 | * @domain: Pointer to "struct tomoyo_domain_info". | |
64 | * | |
65 | * Returns the last component of the domainname. | |
66 | */ | |
67 | const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain) | |
68 | { | |
69 | const char *cp0 = domain->domainname->name; | |
70 | const char *cp1 = strrchr(cp0, ' '); | |
71 | ||
72 | if (cp1) | |
73 | return cp1 + 1; | |
74 | return cp0; | |
75 | } | |
76 | ||
c3fa109a TH |
77 | /* |
78 | * tomoyo_domain_initializer_list is used for holding list of programs which | |
79 | * triggers reinitialization of domainname. Normally, a domainname is | |
80 | * monotonically getting longer. But sometimes, we restart daemon programs. | |
81 | * It would be convenient for us that "a daemon started upon system boot" and | |
82 | * "the daemon restarted from console" belong to the same domain. Thus, TOMOYO | |
83 | * provides a way to shorten domainnames. | |
84 | * | |
85 | * An entry is added by | |
86 | * | |
87 | * # echo 'initialize_domain /usr/sbin/httpd' > \ | |
88 | * /sys/kernel/security/tomoyo/exception_policy | |
89 | * | |
90 | * and is deleted by | |
91 | * | |
92 | * # echo 'delete initialize_domain /usr/sbin/httpd' > \ | |
93 | * /sys/kernel/security/tomoyo/exception_policy | |
94 | * | |
95 | * and all entries are retrieved by | |
96 | * | |
97 | * # grep ^initialize_domain /sys/kernel/security/tomoyo/exception_policy | |
98 | * | |
99 | * In the example above, /usr/sbin/httpd will belong to | |
100 | * "<kernel> /usr/sbin/httpd" domain. | |
101 | * | |
102 | * You may specify a domainname using "from" keyword. | |
103 | * "initialize_domain /usr/sbin/httpd from <kernel> /etc/rc.d/init.d/httpd" | |
104 | * will cause "/usr/sbin/httpd" executed from "<kernel> /etc/rc.d/init.d/httpd" | |
105 | * domain to belong to "<kernel> /usr/sbin/httpd" domain. | |
106 | * | |
107 | * You may add "no_" prefix to "initialize_domain". | |
108 | * "initialize_domain /usr/sbin/httpd" and | |
109 | * "no_initialize_domain /usr/sbin/httpd from <kernel> /etc/rc.d/init.d/httpd" | |
110 | * will cause "/usr/sbin/httpd" to belong to "<kernel> /usr/sbin/httpd" domain | |
111 | * unless executed from "<kernel> /etc/rc.d/init.d/httpd" domain. | |
112 | */ | |
26a2a1c9 | 113 | static LIST_HEAD(tomoyo_domain_initializer_list); |
26a2a1c9 KT |
114 | |
115 | /** | |
116 | * tomoyo_update_domain_initializer_entry - Update "struct tomoyo_domain_initializer_entry" list. | |
117 | * | |
118 | * @domainname: The name of domain. May be NULL. | |
119 | * @program: The name of program. | |
120 | * @is_not: True if it is "no_initialize_domain" entry. | |
121 | * @is_delete: True if it is a delete request. | |
122 | * | |
123 | * Returns 0 on success, negative value otherwise. | |
fdb8ebb7 TH |
124 | * |
125 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
126 | */ |
127 | static int tomoyo_update_domain_initializer_entry(const char *domainname, | |
128 | const char *program, | |
129 | const bool is_not, | |
130 | const bool is_delete) | |
131 | { | |
ca0b7df3 | 132 | struct tomoyo_domain_initializer_entry *entry = NULL; |
26a2a1c9 | 133 | struct tomoyo_domain_initializer_entry *ptr; |
bf24fb01 | 134 | const struct tomoyo_path_info *saved_program = NULL; |
26a2a1c9 | 135 | const struct tomoyo_path_info *saved_domainname = NULL; |
ca0b7df3 | 136 | int error = is_delete ? -ENOENT : -ENOMEM; |
26a2a1c9 KT |
137 | bool is_last_name = false; |
138 | ||
139 | if (!tomoyo_is_correct_path(program, 1, -1, -1, __func__)) | |
140 | return -EINVAL; /* No patterns allowed. */ | |
141 | if (domainname) { | |
142 | if (!tomoyo_is_domain_def(domainname) && | |
143 | tomoyo_is_correct_path(domainname, 1, -1, -1, __func__)) | |
144 | is_last_name = true; | |
145 | else if (!tomoyo_is_correct_domain(domainname, __func__)) | |
146 | return -EINVAL; | |
bf24fb01 | 147 | saved_domainname = tomoyo_get_name(domainname); |
26a2a1c9 | 148 | if (!saved_domainname) |
ca0b7df3 | 149 | goto out; |
26a2a1c9 | 150 | } |
bf24fb01 | 151 | saved_program = tomoyo_get_name(program); |
26a2a1c9 | 152 | if (!saved_program) |
ca0b7df3 TH |
153 | goto out; |
154 | if (!is_delete) | |
155 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | |
f737d95d | 156 | mutex_lock(&tomoyo_policy_lock); |
fdb8ebb7 | 157 | list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) { |
26a2a1c9 KT |
158 | if (ptr->is_not != is_not || |
159 | ptr->domainname != saved_domainname || | |
160 | ptr->program != saved_program) | |
161 | continue; | |
162 | ptr->is_deleted = is_delete; | |
163 | error = 0; | |
ca0b7df3 | 164 | break; |
26a2a1c9 | 165 | } |
ca0b7df3 TH |
166 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
167 | entry->domainname = saved_domainname; | |
bf24fb01 | 168 | saved_domainname = NULL; |
ca0b7df3 | 169 | entry->program = saved_program; |
bf24fb01 | 170 | saved_program = NULL; |
ca0b7df3 TH |
171 | entry->is_not = is_not; |
172 | entry->is_last_name = is_last_name; | |
173 | list_add_tail_rcu(&entry->list, | |
174 | &tomoyo_domain_initializer_list); | |
175 | entry = NULL; | |
176 | error = 0; | |
26a2a1c9 | 177 | } |
f737d95d | 178 | mutex_unlock(&tomoyo_policy_lock); |
ca0b7df3 | 179 | out: |
bf24fb01 TH |
180 | tomoyo_put_name(saved_domainname); |
181 | tomoyo_put_name(saved_program); | |
ca0b7df3 | 182 | kfree(entry); |
26a2a1c9 KT |
183 | return error; |
184 | } | |
185 | ||
186 | /** | |
187 | * tomoyo_read_domain_initializer_policy - Read "struct tomoyo_domain_initializer_entry" list. | |
188 | * | |
189 | * @head: Pointer to "struct tomoyo_io_buffer". | |
190 | * | |
191 | * Returns true on success, false otherwise. | |
fdb8ebb7 TH |
192 | * |
193 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
194 | */ |
195 | bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head) | |
196 | { | |
197 | struct list_head *pos; | |
198 | bool done = true; | |
199 | ||
26a2a1c9 KT |
200 | list_for_each_cookie(pos, head->read_var2, |
201 | &tomoyo_domain_initializer_list) { | |
202 | const char *no; | |
203 | const char *from = ""; | |
204 | const char *domain = ""; | |
205 | struct tomoyo_domain_initializer_entry *ptr; | |
206 | ptr = list_entry(pos, struct tomoyo_domain_initializer_entry, | |
207 | list); | |
208 | if (ptr->is_deleted) | |
209 | continue; | |
210 | no = ptr->is_not ? "no_" : ""; | |
211 | if (ptr->domainname) { | |
212 | from = " from "; | |
213 | domain = ptr->domainname->name; | |
214 | } | |
7d2948b1 TH |
215 | done = tomoyo_io_printf(head, |
216 | "%s" TOMOYO_KEYWORD_INITIALIZE_DOMAIN | |
217 | "%s%s%s\n", no, ptr->program->name, | |
218 | from, domain); | |
219 | if (!done) | |
26a2a1c9 | 220 | break; |
26a2a1c9 | 221 | } |
26a2a1c9 KT |
222 | return done; |
223 | } | |
224 | ||
225 | /** | |
226 | * tomoyo_write_domain_initializer_policy - Write "struct tomoyo_domain_initializer_entry" list. | |
227 | * | |
228 | * @data: String to parse. | |
229 | * @is_not: True if it is "no_initialize_domain" entry. | |
230 | * @is_delete: True if it is a delete request. | |
231 | * | |
232 | * Returns 0 on success, negative value otherwise. | |
fdb8ebb7 TH |
233 | * |
234 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
235 | */ |
236 | int tomoyo_write_domain_initializer_policy(char *data, const bool is_not, | |
237 | const bool is_delete) | |
238 | { | |
239 | char *cp = strstr(data, " from "); | |
240 | ||
241 | if (cp) { | |
242 | *cp = '\0'; | |
243 | return tomoyo_update_domain_initializer_entry(cp + 6, data, | |
244 | is_not, | |
245 | is_delete); | |
246 | } | |
247 | return tomoyo_update_domain_initializer_entry(NULL, data, is_not, | |
248 | is_delete); | |
249 | } | |
250 | ||
251 | /** | |
252 | * tomoyo_is_domain_initializer - Check whether the given program causes domainname reinitialization. | |
253 | * | |
254 | * @domainname: The name of domain. | |
255 | * @program: The name of program. | |
256 | * @last_name: The last component of @domainname. | |
257 | * | |
258 | * Returns true if executing @program reinitializes domain transition, | |
259 | * false otherwise. | |
fdb8ebb7 TH |
260 | * |
261 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
262 | */ |
263 | static bool tomoyo_is_domain_initializer(const struct tomoyo_path_info * | |
264 | domainname, | |
265 | const struct tomoyo_path_info *program, | |
266 | const struct tomoyo_path_info * | |
267 | last_name) | |
268 | { | |
269 | struct tomoyo_domain_initializer_entry *ptr; | |
270 | bool flag = false; | |
271 | ||
fdb8ebb7 | 272 | list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) { |
26a2a1c9 KT |
273 | if (ptr->is_deleted) |
274 | continue; | |
275 | if (ptr->domainname) { | |
276 | if (!ptr->is_last_name) { | |
277 | if (ptr->domainname != domainname) | |
278 | continue; | |
279 | } else { | |
280 | if (tomoyo_pathcmp(ptr->domainname, last_name)) | |
281 | continue; | |
282 | } | |
283 | } | |
284 | if (tomoyo_pathcmp(ptr->program, program)) | |
285 | continue; | |
286 | if (ptr->is_not) { | |
287 | flag = false; | |
288 | break; | |
289 | } | |
290 | flag = true; | |
291 | } | |
26a2a1c9 KT |
292 | return flag; |
293 | } | |
294 | ||
c3fa109a TH |
295 | /* |
296 | * tomoyo_domain_keeper_list is used for holding list of domainnames which | |
297 | * suppresses domain transition. Normally, a domainname is monotonically | |
298 | * getting longer. But sometimes, we want to suppress domain transition. | |
299 | * It would be convenient for us that programs executed from a login session | |
300 | * belong to the same domain. Thus, TOMOYO provides a way to suppress domain | |
301 | * transition. | |
302 | * | |
303 | * An entry is added by | |
304 | * | |
305 | * # echo 'keep_domain <kernel> /usr/sbin/sshd /bin/bash' > \ | |
306 | * /sys/kernel/security/tomoyo/exception_policy | |
307 | * | |
308 | * and is deleted by | |
309 | * | |
310 | * # echo 'delete keep_domain <kernel> /usr/sbin/sshd /bin/bash' > \ | |
311 | * /sys/kernel/security/tomoyo/exception_policy | |
312 | * | |
313 | * and all entries are retrieved by | |
314 | * | |
315 | * # grep ^keep_domain /sys/kernel/security/tomoyo/exception_policy | |
316 | * | |
317 | * In the example above, any process which belongs to | |
318 | * "<kernel> /usr/sbin/sshd /bin/bash" domain will remain in that domain, | |
319 | * unless explicitly specified by "initialize_domain" or "no_keep_domain". | |
320 | * | |
321 | * You may specify a program using "from" keyword. | |
322 | * "keep_domain /bin/pwd from <kernel> /usr/sbin/sshd /bin/bash" | |
323 | * will cause "/bin/pwd" executed from "<kernel> /usr/sbin/sshd /bin/bash" | |
324 | * domain to remain in "<kernel> /usr/sbin/sshd /bin/bash" domain. | |
325 | * | |
326 | * You may add "no_" prefix to "keep_domain". | |
327 | * "keep_domain <kernel> /usr/sbin/sshd /bin/bash" and | |
328 | * "no_keep_domain /usr/bin/passwd from <kernel> /usr/sbin/sshd /bin/bash" will | |
329 | * cause "/usr/bin/passwd" to belong to | |
330 | * "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain, unless | |
331 | * explicitly specified by "initialize_domain". | |
332 | */ | |
26a2a1c9 | 333 | static LIST_HEAD(tomoyo_domain_keeper_list); |
26a2a1c9 KT |
334 | |
335 | /** | |
336 | * tomoyo_update_domain_keeper_entry - Update "struct tomoyo_domain_keeper_entry" list. | |
337 | * | |
338 | * @domainname: The name of domain. | |
339 | * @program: The name of program. May be NULL. | |
340 | * @is_not: True if it is "no_keep_domain" entry. | |
341 | * @is_delete: True if it is a delete request. | |
342 | * | |
343 | * Returns 0 on success, negative value otherwise. | |
fdb8ebb7 TH |
344 | * |
345 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
346 | */ |
347 | static int tomoyo_update_domain_keeper_entry(const char *domainname, | |
348 | const char *program, | |
349 | const bool is_not, | |
350 | const bool is_delete) | |
351 | { | |
ca0b7df3 | 352 | struct tomoyo_domain_keeper_entry *entry = NULL; |
26a2a1c9 | 353 | struct tomoyo_domain_keeper_entry *ptr; |
bf24fb01 | 354 | const struct tomoyo_path_info *saved_domainname = NULL; |
26a2a1c9 | 355 | const struct tomoyo_path_info *saved_program = NULL; |
ca0b7df3 | 356 | int error = is_delete ? -ENOENT : -ENOMEM; |
26a2a1c9 KT |
357 | bool is_last_name = false; |
358 | ||
359 | if (!tomoyo_is_domain_def(domainname) && | |
360 | tomoyo_is_correct_path(domainname, 1, -1, -1, __func__)) | |
361 | is_last_name = true; | |
362 | else if (!tomoyo_is_correct_domain(domainname, __func__)) | |
363 | return -EINVAL; | |
364 | if (program) { | |
365 | if (!tomoyo_is_correct_path(program, 1, -1, -1, __func__)) | |
366 | return -EINVAL; | |
bf24fb01 | 367 | saved_program = tomoyo_get_name(program); |
26a2a1c9 | 368 | if (!saved_program) |
ca0b7df3 | 369 | goto out; |
26a2a1c9 | 370 | } |
bf24fb01 | 371 | saved_domainname = tomoyo_get_name(domainname); |
26a2a1c9 | 372 | if (!saved_domainname) |
ca0b7df3 TH |
373 | goto out; |
374 | if (!is_delete) | |
375 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | |
f737d95d | 376 | mutex_lock(&tomoyo_policy_lock); |
fdb8ebb7 | 377 | list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) { |
26a2a1c9 KT |
378 | if (ptr->is_not != is_not || |
379 | ptr->domainname != saved_domainname || | |
380 | ptr->program != saved_program) | |
381 | continue; | |
382 | ptr->is_deleted = is_delete; | |
383 | error = 0; | |
ca0b7df3 | 384 | break; |
26a2a1c9 | 385 | } |
ca0b7df3 TH |
386 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
387 | entry->domainname = saved_domainname; | |
bf24fb01 | 388 | saved_domainname = NULL; |
ca0b7df3 | 389 | entry->program = saved_program; |
bf24fb01 | 390 | saved_program = NULL; |
ca0b7df3 TH |
391 | entry->is_not = is_not; |
392 | entry->is_last_name = is_last_name; | |
393 | list_add_tail_rcu(&entry->list, &tomoyo_domain_keeper_list); | |
394 | entry = NULL; | |
395 | error = 0; | |
26a2a1c9 | 396 | } |
f737d95d | 397 | mutex_unlock(&tomoyo_policy_lock); |
ca0b7df3 | 398 | out: |
bf24fb01 TH |
399 | tomoyo_put_name(saved_domainname); |
400 | tomoyo_put_name(saved_program); | |
ca0b7df3 | 401 | kfree(entry); |
26a2a1c9 KT |
402 | return error; |
403 | } | |
404 | ||
405 | /** | |
406 | * tomoyo_write_domain_keeper_policy - Write "struct tomoyo_domain_keeper_entry" list. | |
407 | * | |
408 | * @data: String to parse. | |
409 | * @is_not: True if it is "no_keep_domain" entry. | |
410 | * @is_delete: True if it is a delete request. | |
411 | * | |
fdb8ebb7 | 412 | * Caller holds tomoyo_read_lock(). |
26a2a1c9 KT |
413 | */ |
414 | int tomoyo_write_domain_keeper_policy(char *data, const bool is_not, | |
415 | const bool is_delete) | |
416 | { | |
417 | char *cp = strstr(data, " from "); | |
418 | ||
419 | if (cp) { | |
420 | *cp = '\0'; | |
421 | return tomoyo_update_domain_keeper_entry(cp + 6, data, is_not, | |
422 | is_delete); | |
423 | } | |
424 | return tomoyo_update_domain_keeper_entry(data, NULL, is_not, is_delete); | |
425 | } | |
426 | ||
427 | /** | |
428 | * tomoyo_read_domain_keeper_policy - Read "struct tomoyo_domain_keeper_entry" list. | |
429 | * | |
430 | * @head: Pointer to "struct tomoyo_io_buffer". | |
431 | * | |
432 | * Returns true on success, false otherwise. | |
fdb8ebb7 TH |
433 | * |
434 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
435 | */ |
436 | bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head) | |
437 | { | |
438 | struct list_head *pos; | |
33043cbb | 439 | bool done = true; |
26a2a1c9 | 440 | |
26a2a1c9 KT |
441 | list_for_each_cookie(pos, head->read_var2, |
442 | &tomoyo_domain_keeper_list) { | |
443 | struct tomoyo_domain_keeper_entry *ptr; | |
444 | const char *no; | |
445 | const char *from = ""; | |
446 | const char *program = ""; | |
447 | ||
448 | ptr = list_entry(pos, struct tomoyo_domain_keeper_entry, list); | |
449 | if (ptr->is_deleted) | |
450 | continue; | |
451 | no = ptr->is_not ? "no_" : ""; | |
452 | if (ptr->program) { | |
453 | from = " from "; | |
454 | program = ptr->program->name; | |
455 | } | |
7d2948b1 TH |
456 | done = tomoyo_io_printf(head, |
457 | "%s" TOMOYO_KEYWORD_KEEP_DOMAIN | |
458 | "%s%s%s\n", no, program, from, | |
459 | ptr->domainname->name); | |
460 | if (!done) | |
26a2a1c9 | 461 | break; |
26a2a1c9 | 462 | } |
26a2a1c9 KT |
463 | return done; |
464 | } | |
465 | ||
466 | /** | |
467 | * tomoyo_is_domain_keeper - Check whether the given program causes domain transition suppression. | |
468 | * | |
469 | * @domainname: The name of domain. | |
470 | * @program: The name of program. | |
471 | * @last_name: The last component of @domainname. | |
472 | * | |
473 | * Returns true if executing @program supresses domain transition, | |
474 | * false otherwise. | |
fdb8ebb7 TH |
475 | * |
476 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
477 | */ |
478 | static bool tomoyo_is_domain_keeper(const struct tomoyo_path_info *domainname, | |
479 | const struct tomoyo_path_info *program, | |
480 | const struct tomoyo_path_info *last_name) | |
481 | { | |
482 | struct tomoyo_domain_keeper_entry *ptr; | |
483 | bool flag = false; | |
484 | ||
fdb8ebb7 | 485 | list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) { |
26a2a1c9 KT |
486 | if (ptr->is_deleted) |
487 | continue; | |
488 | if (!ptr->is_last_name) { | |
489 | if (ptr->domainname != domainname) | |
490 | continue; | |
491 | } else { | |
492 | if (tomoyo_pathcmp(ptr->domainname, last_name)) | |
493 | continue; | |
494 | } | |
495 | if (ptr->program && tomoyo_pathcmp(ptr->program, program)) | |
496 | continue; | |
497 | if (ptr->is_not) { | |
498 | flag = false; | |
499 | break; | |
500 | } | |
501 | flag = true; | |
502 | } | |
26a2a1c9 KT |
503 | return flag; |
504 | } | |
505 | ||
c3fa109a TH |
506 | /* |
507 | * tomoyo_alias_list is used for holding list of symlink's pathnames which are | |
508 | * allowed to be passed to an execve() request. Normally, the domainname which | |
509 | * the current process will belong to after execve() succeeds is calculated | |
510 | * using dereferenced pathnames. But some programs behave differently depending | |
511 | * on the name passed to argv[0]. For busybox, calculating domainname using | |
512 | * dereferenced pathnames will cause all programs in the busybox to belong to | |
513 | * the same domain. Thus, TOMOYO provides a way to allow use of symlink's | |
514 | * pathname for checking execve()'s permission and calculating domainname which | |
515 | * the current process will belong to after execve() succeeds. | |
516 | * | |
517 | * An entry is added by | |
518 | * | |
519 | * # echo 'alias /bin/busybox /bin/cat' > \ | |
520 | * /sys/kernel/security/tomoyo/exception_policy | |
521 | * | |
522 | * and is deleted by | |
523 | * | |
524 | * # echo 'delete alias /bin/busybox /bin/cat' > \ | |
525 | * /sys/kernel/security/tomoyo/exception_policy | |
526 | * | |
527 | * and all entries are retrieved by | |
528 | * | |
529 | * # grep ^alias /sys/kernel/security/tomoyo/exception_policy | |
530 | * | |
531 | * In the example above, if /bin/cat is a symlink to /bin/busybox and execution | |
532 | * of /bin/cat is requested, permission is checked for /bin/cat rather than | |
533 | * /bin/busybox and domainname which the current process will belong to after | |
534 | * execve() succeeds is calculated using /bin/cat rather than /bin/busybox . | |
535 | */ | |
26a2a1c9 | 536 | static LIST_HEAD(tomoyo_alias_list); |
26a2a1c9 KT |
537 | |
538 | /** | |
539 | * tomoyo_update_alias_entry - Update "struct tomoyo_alias_entry" list. | |
540 | * | |
541 | * @original_name: The original program's real name. | |
542 | * @aliased_name: The symbolic program's symbolic link's name. | |
543 | * @is_delete: True if it is a delete request. | |
544 | * | |
545 | * Returns 0 on success, negative value otherwise. | |
fdb8ebb7 TH |
546 | * |
547 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
548 | */ |
549 | static int tomoyo_update_alias_entry(const char *original_name, | |
550 | const char *aliased_name, | |
551 | const bool is_delete) | |
552 | { | |
ca0b7df3 | 553 | struct tomoyo_alias_entry *entry = NULL; |
26a2a1c9 KT |
554 | struct tomoyo_alias_entry *ptr; |
555 | const struct tomoyo_path_info *saved_original_name; | |
556 | const struct tomoyo_path_info *saved_aliased_name; | |
ca0b7df3 | 557 | int error = is_delete ? -ENOENT : -ENOMEM; |
26a2a1c9 KT |
558 | |
559 | if (!tomoyo_is_correct_path(original_name, 1, -1, -1, __func__) || | |
560 | !tomoyo_is_correct_path(aliased_name, 1, -1, -1, __func__)) | |
561 | return -EINVAL; /* No patterns allowed. */ | |
bf24fb01 TH |
562 | saved_original_name = tomoyo_get_name(original_name); |
563 | saved_aliased_name = tomoyo_get_name(aliased_name); | |
26a2a1c9 | 564 | if (!saved_original_name || !saved_aliased_name) |
ca0b7df3 TH |
565 | goto out; |
566 | if (!is_delete) | |
567 | entry = kmalloc(sizeof(*entry), GFP_KERNEL); | |
f737d95d | 568 | mutex_lock(&tomoyo_policy_lock); |
fdb8ebb7 | 569 | list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) { |
26a2a1c9 KT |
570 | if (ptr->original_name != saved_original_name || |
571 | ptr->aliased_name != saved_aliased_name) | |
572 | continue; | |
573 | ptr->is_deleted = is_delete; | |
574 | error = 0; | |
ca0b7df3 | 575 | break; |
26a2a1c9 | 576 | } |
ca0b7df3 TH |
577 | if (!is_delete && error && tomoyo_memory_ok(entry)) { |
578 | entry->original_name = saved_original_name; | |
bf24fb01 | 579 | saved_original_name = NULL; |
ca0b7df3 | 580 | entry->aliased_name = saved_aliased_name; |
bf24fb01 | 581 | saved_aliased_name = NULL; |
ca0b7df3 TH |
582 | list_add_tail_rcu(&entry->list, &tomoyo_alias_list); |
583 | entry = NULL; | |
584 | error = 0; | |
26a2a1c9 | 585 | } |
f737d95d | 586 | mutex_unlock(&tomoyo_policy_lock); |
ca0b7df3 | 587 | out: |
bf24fb01 TH |
588 | tomoyo_put_name(saved_original_name); |
589 | tomoyo_put_name(saved_aliased_name); | |
ca0b7df3 | 590 | kfree(entry); |
26a2a1c9 KT |
591 | return error; |
592 | } | |
593 | ||
594 | /** | |
595 | * tomoyo_read_alias_policy - Read "struct tomoyo_alias_entry" list. | |
596 | * | |
597 | * @head: Pointer to "struct tomoyo_io_buffer". | |
598 | * | |
599 | * Returns true on success, false otherwise. | |
fdb8ebb7 TH |
600 | * |
601 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
602 | */ |
603 | bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head) | |
604 | { | |
605 | struct list_head *pos; | |
606 | bool done = true; | |
607 | ||
26a2a1c9 KT |
608 | list_for_each_cookie(pos, head->read_var2, &tomoyo_alias_list) { |
609 | struct tomoyo_alias_entry *ptr; | |
610 | ||
611 | ptr = list_entry(pos, struct tomoyo_alias_entry, list); | |
612 | if (ptr->is_deleted) | |
613 | continue; | |
7d2948b1 TH |
614 | done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALIAS "%s %s\n", |
615 | ptr->original_name->name, | |
616 | ptr->aliased_name->name); | |
617 | if (!done) | |
26a2a1c9 | 618 | break; |
26a2a1c9 | 619 | } |
26a2a1c9 KT |
620 | return done; |
621 | } | |
622 | ||
623 | /** | |
624 | * tomoyo_write_alias_policy - Write "struct tomoyo_alias_entry" list. | |
625 | * | |
626 | * @data: String to parse. | |
627 | * @is_delete: True if it is a delete request. | |
628 | * | |
629 | * Returns 0 on success, negative value otherwise. | |
fdb8ebb7 TH |
630 | * |
631 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
632 | */ |
633 | int tomoyo_write_alias_policy(char *data, const bool is_delete) | |
634 | { | |
635 | char *cp = strchr(data, ' '); | |
636 | ||
637 | if (!cp) | |
638 | return -EINVAL; | |
639 | *cp++ = '\0'; | |
640 | return tomoyo_update_alias_entry(data, cp, is_delete); | |
641 | } | |
642 | ||
26a2a1c9 KT |
643 | /** |
644 | * tomoyo_find_or_assign_new_domain - Create a domain. | |
645 | * | |
646 | * @domainname: The name of domain. | |
647 | * @profile: Profile number to assign if the domain was newly created. | |
648 | * | |
649 | * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise. | |
fdb8ebb7 TH |
650 | * |
651 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 KT |
652 | */ |
653 | struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * | |
654 | domainname, | |
655 | const u8 profile) | |
656 | { | |
ca0b7df3 | 657 | struct tomoyo_domain_info *entry; |
cd7bec6a | 658 | struct tomoyo_domain_info *domain; |
26a2a1c9 | 659 | const struct tomoyo_path_info *saved_domainname; |
ca0b7df3 | 660 | bool found = false; |
26a2a1c9 | 661 | |
26a2a1c9 | 662 | if (!tomoyo_is_correct_domain(domainname, __func__)) |
ca0b7df3 | 663 | return NULL; |
bf24fb01 | 664 | saved_domainname = tomoyo_get_name(domainname); |
26a2a1c9 | 665 | if (!saved_domainname) |
ca0b7df3 TH |
666 | return NULL; |
667 | entry = kzalloc(sizeof(*entry), GFP_KERNEL); | |
668 | mutex_lock(&tomoyo_policy_lock); | |
669 | list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { | |
670 | if (domain->is_deleted || | |
671 | tomoyo_pathcmp(saved_domainname, domain->domainname)) | |
672 | continue; | |
673 | found = true; | |
674 | break; | |
675 | } | |
676 | if (!found && tomoyo_memory_ok(entry)) { | |
677 | INIT_LIST_HEAD(&entry->acl_info_list); | |
678 | entry->domainname = saved_domainname; | |
bf24fb01 | 679 | saved_domainname = NULL; |
ca0b7df3 TH |
680 | entry->profile = profile; |
681 | list_add_tail_rcu(&entry->list, &tomoyo_domain_list); | |
682 | domain = entry; | |
683 | entry = NULL; | |
684 | found = true; | |
26a2a1c9 | 685 | } |
f737d95d | 686 | mutex_unlock(&tomoyo_policy_lock); |
bf24fb01 | 687 | tomoyo_put_name(saved_domainname); |
ca0b7df3 TH |
688 | kfree(entry); |
689 | return found ? domain : NULL; | |
26a2a1c9 KT |
690 | } |
691 | ||
692 | /** | |
693 | * tomoyo_find_next_domain - Find a domain. | |
694 | * | |
56f8c9bc | 695 | * @bprm: Pointer to "struct linux_binprm". |
26a2a1c9 KT |
696 | * |
697 | * Returns 0 on success, negative value otherwise. | |
fdb8ebb7 TH |
698 | * |
699 | * Caller holds tomoyo_read_lock(). | |
26a2a1c9 | 700 | */ |
56f8c9bc | 701 | int tomoyo_find_next_domain(struct linux_binprm *bprm) |
26a2a1c9 KT |
702 | { |
703 | /* | |
704 | * This function assumes that the size of buffer returned by | |
705 | * tomoyo_realpath() = TOMOYO_MAX_PATHNAME_LEN. | |
706 | */ | |
8e2d39a1 | 707 | struct tomoyo_page_buffer *tmp = kzalloc(sizeof(*tmp), GFP_KERNEL); |
26a2a1c9 KT |
708 | struct tomoyo_domain_info *old_domain = tomoyo_domain(); |
709 | struct tomoyo_domain_info *domain = NULL; | |
710 | const char *old_domain_name = old_domain->domainname->name; | |
711 | const char *original_name = bprm->filename; | |
712 | char *new_domain_name = NULL; | |
713 | char *real_program_name = NULL; | |
714 | char *symlink_program_name = NULL; | |
715 | const u8 mode = tomoyo_check_flags(old_domain, TOMOYO_MAC_FOR_FILE); | |
716 | const bool is_enforce = (mode == 3); | |
717 | int retval = -ENOMEM; | |
718 | struct tomoyo_path_info r; /* real name */ | |
719 | struct tomoyo_path_info s; /* symlink name */ | |
720 | struct tomoyo_path_info l; /* last name */ | |
721 | static bool initialized; | |
722 | ||
723 | if (!tmp) | |
724 | goto out; | |
725 | ||
726 | if (!initialized) { | |
727 | /* | |
728 | * Built-in initializers. This is needed because policies are | |
729 | * not loaded until starting /sbin/init. | |
730 | */ | |
731 | tomoyo_update_domain_initializer_entry(NULL, "/sbin/hotplug", | |
732 | false, false); | |
733 | tomoyo_update_domain_initializer_entry(NULL, "/sbin/modprobe", | |
734 | false, false); | |
735 | initialized = true; | |
736 | } | |
737 | ||
738 | /* Get tomoyo_realpath of program. */ | |
739 | retval = -ENOENT; | |
740 | /* I hope tomoyo_realpath() won't fail with -ENOMEM. */ | |
741 | real_program_name = tomoyo_realpath(original_name); | |
742 | if (!real_program_name) | |
743 | goto out; | |
744 | /* Get tomoyo_realpath of symbolic link. */ | |
745 | symlink_program_name = tomoyo_realpath_nofollow(original_name); | |
746 | if (!symlink_program_name) | |
747 | goto out; | |
748 | ||
749 | r.name = real_program_name; | |
750 | tomoyo_fill_path_info(&r); | |
751 | s.name = symlink_program_name; | |
752 | tomoyo_fill_path_info(&s); | |
753 | l.name = tomoyo_get_last_name(old_domain); | |
754 | tomoyo_fill_path_info(&l); | |
755 | ||
756 | /* Check 'alias' directive. */ | |
757 | if (tomoyo_pathcmp(&r, &s)) { | |
758 | struct tomoyo_alias_entry *ptr; | |
759 | /* Is this program allowed to be called via symbolic links? */ | |
fdb8ebb7 | 760 | list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) { |
26a2a1c9 KT |
761 | if (ptr->is_deleted || |
762 | tomoyo_pathcmp(&r, ptr->original_name) || | |
763 | tomoyo_pathcmp(&s, ptr->aliased_name)) | |
764 | continue; | |
765 | memset(real_program_name, 0, TOMOYO_MAX_PATHNAME_LEN); | |
766 | strncpy(real_program_name, ptr->aliased_name->name, | |
767 | TOMOYO_MAX_PATHNAME_LEN - 1); | |
768 | tomoyo_fill_path_info(&r); | |
769 | break; | |
770 | } | |
26a2a1c9 KT |
771 | } |
772 | ||
773 | /* Check execute permission. */ | |
bcb86975 | 774 | retval = tomoyo_check_exec_perm(old_domain, &r); |
26a2a1c9 KT |
775 | if (retval < 0) |
776 | goto out; | |
777 | ||
778 | new_domain_name = tmp->buffer; | |
779 | if (tomoyo_is_domain_initializer(old_domain->domainname, &r, &l)) { | |
780 | /* Transit to the child of tomoyo_kernel_domain domain. */ | |
781 | snprintf(new_domain_name, TOMOYO_MAX_PATHNAME_LEN + 1, | |
782 | TOMOYO_ROOT_NAME " " "%s", real_program_name); | |
783 | } else if (old_domain == &tomoyo_kernel_domain && | |
784 | !tomoyo_policy_loaded) { | |
785 | /* | |
786 | * Needn't to transit from kernel domain before starting | |
787 | * /sbin/init. But transit from kernel domain if executing | |
788 | * initializers because they might start before /sbin/init. | |
789 | */ | |
790 | domain = old_domain; | |
791 | } else if (tomoyo_is_domain_keeper(old_domain->domainname, &r, &l)) { | |
792 | /* Keep current domain. */ | |
793 | domain = old_domain; | |
794 | } else { | |
795 | /* Normal domain transition. */ | |
796 | snprintf(new_domain_name, TOMOYO_MAX_PATHNAME_LEN + 1, | |
797 | "%s %s", old_domain_name, real_program_name); | |
798 | } | |
799 | if (domain || strlen(new_domain_name) >= TOMOYO_MAX_PATHNAME_LEN) | |
800 | goto done; | |
26a2a1c9 | 801 | domain = tomoyo_find_domain(new_domain_name); |
26a2a1c9 KT |
802 | if (domain) |
803 | goto done; | |
804 | if (is_enforce) | |
805 | goto done; | |
806 | domain = tomoyo_find_or_assign_new_domain(new_domain_name, | |
807 | old_domain->profile); | |
808 | done: | |
809 | if (domain) | |
810 | goto out; | |
811 | printk(KERN_WARNING "TOMOYO-ERROR: Domain '%s' not defined.\n", | |
812 | new_domain_name); | |
813 | if (is_enforce) | |
814 | retval = -EPERM; | |
815 | else | |
ea13ddba | 816 | old_domain->transition_failed = true; |
26a2a1c9 | 817 | out: |
56f8c9bc TH |
818 | if (!domain) |
819 | domain = old_domain; | |
ec8e6a4e TH |
820 | /* Update reference count on "struct tomoyo_domain_info". */ |
821 | atomic_inc(&domain->users); | |
56f8c9bc | 822 | bprm->cred->security = domain; |
8e2d39a1 TH |
823 | kfree(real_program_name); |
824 | kfree(symlink_program_name); | |
825 | kfree(tmp); | |
26a2a1c9 KT |
826 | return retval; |
827 | } |