2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
15 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
18 * tomoyo_globally_readable_file_entry is a structure which is used for holding
19 * "allow_read" entries.
20 * It has following fields.
22 * (1) "list" which is linked to tomoyo_globally_readable_list .
23 * (2) "filename" is a pathname which is allowed to open(O_RDONLY).
24 * (3) "is_deleted" is a bool which is true if marked as deleted, false
27 struct tomoyo_globally_readable_file_entry {
28 struct list_head list;
29 const struct tomoyo_path_info *filename;
34 * tomoyo_pattern_entry is a structure which is used for holding
35 * "tomoyo_pattern_list" entries.
36 * It has following fields.
38 * (1) "list" which is linked to tomoyo_pattern_list .
39 * (2) "pattern" is a pathname pattern which is used for converting pathnames
40 * to pathname patterns during learning mode.
41 * (3) "is_deleted" is a bool which is true if marked as deleted, false
44 struct tomoyo_pattern_entry {
45 struct list_head list;
46 const struct tomoyo_path_info *pattern;
51 * tomoyo_no_rewrite_entry is a structure which is used for holding
52 * "deny_rewrite" entries.
53 * It has following fields.
55 * (1) "list" which is linked to tomoyo_no_rewrite_list .
56 * (2) "pattern" is a pathname which is by default not permitted to modify
57 * already existing content.
58 * (3) "is_deleted" is a bool which is true if marked as deleted, false
61 struct tomoyo_no_rewrite_entry {
62 struct list_head list;
63 const struct tomoyo_path_info *pattern;
67 /* Keyword array for single path operations. */
68 static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = {
69 [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write",
70 [TOMOYO_TYPE_EXECUTE_ACL] = "execute",
71 [TOMOYO_TYPE_READ_ACL] = "read",
72 [TOMOYO_TYPE_WRITE_ACL] = "write",
73 [TOMOYO_TYPE_CREATE_ACL] = "create",
74 [TOMOYO_TYPE_UNLINK_ACL] = "unlink",
75 [TOMOYO_TYPE_MKDIR_ACL] = "mkdir",
76 [TOMOYO_TYPE_RMDIR_ACL] = "rmdir",
77 [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo",
78 [TOMOYO_TYPE_MKSOCK_ACL] = "mksock",
79 [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock",
80 [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar",
81 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate",
82 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink",
83 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite",
84 [TOMOYO_TYPE_IOCTL_ACL] = "ioctl",
85 [TOMOYO_TYPE_CHMOD_ACL] = "chmod",
86 [TOMOYO_TYPE_CHOWN_ACL] = "chown",
87 [TOMOYO_TYPE_CHGRP_ACL] = "chgrp",
88 [TOMOYO_TYPE_CHROOT_ACL] = "chroot",
89 [TOMOYO_TYPE_MOUNT_ACL] = "mount",
90 [TOMOYO_TYPE_UMOUNT_ACL] = "unmount",
93 /* Keyword array for double path operations. */
94 static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = {
95 [TOMOYO_TYPE_LINK_ACL] = "link",
96 [TOMOYO_TYPE_RENAME_ACL] = "rename",
97 [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root",
101 * tomoyo_sp2keyword - Get the name of single path operation.
103 * @operation: Type of operation.
105 * Returns the name of single path operation.
107 const char *tomoyo_sp2keyword(const u8 operation)
109 return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION)
110 ? tomoyo_sp_keyword[operation] : NULL;
114 * tomoyo_dp2keyword - Get the name of double path operation.
116 * @operation: Type of operation.
118 * Returns the name of double path operation.
120 const char *tomoyo_dp2keyword(const u8 operation)
122 return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION)
123 ? tomoyo_dp_keyword[operation] : NULL;
127 * tomoyo_strendswith - Check whether the token ends with the given token.
129 * @name: The token to check.
130 * @tail: The token to find.
132 * Returns true if @name ends with @tail, false otherwise.
134 static bool tomoyo_strendswith(const char *name, const char *tail)
140 len = strlen(name) - strlen(tail);
141 return len >= 0 && !strcmp(name + len, tail);
145 * tomoyo_get_path - Get realpath.
147 * @path: Pointer to "struct path".
149 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
151 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
154 struct tomoyo_path_info_with_data *buf = tomoyo_alloc(sizeof(*buf));
158 /* Reserve one byte for appending "/". */
159 error = tomoyo_realpath_from_path2(path, buf->body,
160 sizeof(buf->body) - 2);
162 buf->head.name = buf->body;
163 tomoyo_fill_path_info(&buf->head);
170 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
171 const char *filename2,
172 struct tomoyo_domain_info *
173 const domain, const bool is_delete);
174 static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
175 struct tomoyo_domain_info *
176 const domain, const bool is_delete);
179 * tomoyo_globally_readable_list is used for holding list of pathnames which
180 * are by default allowed to be open()ed for reading by any process.
182 * An entry is added by
184 * # echo 'allow_read /lib/libc-2.5.so' > \
185 * /sys/kernel/security/tomoyo/exception_policy
189 * # echo 'delete allow_read /lib/libc-2.5.so' > \
190 * /sys/kernel/security/tomoyo/exception_policy
192 * and all entries are retrieved by
194 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
196 * In the example above, any process is allowed to
197 * open("/lib/libc-2.5.so", O_RDONLY).
198 * One exception is, if the domain which current process belongs to is marked
199 * as "ignore_global_allow_read", current process can't do so unless explicitly
200 * given "allow_read /lib/libc-2.5.so" to the domain which current process
203 static LIST_HEAD(tomoyo_globally_readable_list);
206 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
208 * @filename: Filename unconditionally permitted to open() for reading.
209 * @is_delete: True if it is a delete request.
211 * Returns 0 on success, negative value otherwise.
213 * Caller holds tomoyo_read_lock().
215 static int tomoyo_update_globally_readable_entry(const char *filename,
216 const bool is_delete)
218 struct tomoyo_globally_readable_file_entry *new_entry;
219 struct tomoyo_globally_readable_file_entry *ptr;
220 const struct tomoyo_path_info *saved_filename;
223 if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__))
225 saved_filename = tomoyo_save_name(filename);
228 mutex_lock(&tomoyo_policy_lock);
229 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
230 if (ptr->filename != saved_filename)
232 ptr->is_deleted = is_delete;
240 new_entry = tomoyo_alloc_element(sizeof(*new_entry));
243 new_entry->filename = saved_filename;
244 list_add_tail_rcu(&new_entry->list, &tomoyo_globally_readable_list);
247 mutex_unlock(&tomoyo_policy_lock);
252 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
254 * @filename: The filename to check.
256 * Returns true if any domain can open @filename for reading, false otherwise.
258 * Caller holds tomoyo_read_lock().
260 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
263 struct tomoyo_globally_readable_file_entry *ptr;
266 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
267 if (!ptr->is_deleted &&
268 tomoyo_path_matches_pattern(filename, ptr->filename)) {
277 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
279 * @data: String to parse.
280 * @is_delete: True if it is a delete request.
282 * Returns 0 on success, negative value otherwise.
284 * Caller holds tomoyo_read_lock().
286 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
288 return tomoyo_update_globally_readable_entry(data, is_delete);
292 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
294 * @head: Pointer to "struct tomoyo_io_buffer".
296 * Returns true on success, false otherwise.
298 * Caller holds tomoyo_read_lock().
300 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
302 struct list_head *pos;
305 list_for_each_cookie(pos, head->read_var2,
306 &tomoyo_globally_readable_list) {
307 struct tomoyo_globally_readable_file_entry *ptr;
308 ptr = list_entry(pos,
309 struct tomoyo_globally_readable_file_entry,
313 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
314 ptr->filename->name);
321 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
322 * converting pathnames to pathname patterns during learning mode.
324 * An entry is added by
326 * # echo 'file_pattern /proc/\$/mounts' > \
327 * /sys/kernel/security/tomoyo/exception_policy
331 * # echo 'delete file_pattern /proc/\$/mounts' > \
332 * /sys/kernel/security/tomoyo/exception_policy
334 * and all entries are retrieved by
336 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
338 * In the example above, if a process which belongs to a domain which is in
339 * learning mode requested open("/proc/1/mounts", O_RDONLY),
340 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
341 * process belongs to.
343 * It is not a desirable behavior that we have to use /proc/\$/ instead of
344 * /proc/self/ when current process needs to access only current process's
345 * information. As of now, LSM version of TOMOYO is using __d_path() for
346 * calculating pathname. Non LSM version of TOMOYO is using its own function
347 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
348 * current process from accessing other process's information.
350 static LIST_HEAD(tomoyo_pattern_list);
353 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
355 * @pattern: Pathname pattern.
356 * @is_delete: True if it is a delete request.
358 * Returns 0 on success, negative value otherwise.
360 * Caller holds tomoyo_read_lock().
362 static int tomoyo_update_file_pattern_entry(const char *pattern,
363 const bool is_delete)
365 struct tomoyo_pattern_entry *new_entry;
366 struct tomoyo_pattern_entry *ptr;
367 const struct tomoyo_path_info *saved_pattern;
370 if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__))
372 saved_pattern = tomoyo_save_name(pattern);
375 mutex_lock(&tomoyo_policy_lock);
376 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
377 if (saved_pattern != ptr->pattern)
379 ptr->is_deleted = is_delete;
387 new_entry = tomoyo_alloc_element(sizeof(*new_entry));
390 new_entry->pattern = saved_pattern;
391 list_add_tail_rcu(&new_entry->list, &tomoyo_pattern_list);
394 mutex_unlock(&tomoyo_policy_lock);
399 * tomoyo_get_file_pattern - Get patterned pathname.
401 * @filename: The filename to find patterned pathname.
403 * Returns pointer to pathname pattern if matched, @filename otherwise.
405 * Caller holds tomoyo_read_lock().
407 static const struct tomoyo_path_info *
408 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
410 struct tomoyo_pattern_entry *ptr;
411 const struct tomoyo_path_info *pattern = NULL;
413 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
416 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
418 pattern = ptr->pattern;
419 if (tomoyo_strendswith(pattern->name, "/\\*")) {
420 /* Do nothing. Try to find the better match. */
422 /* This would be the better match. Use this. */
432 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
434 * @data: String to parse.
435 * @is_delete: True if it is a delete request.
437 * Returns 0 on success, negative value otherwise.
439 * Caller holds tomoyo_read_lock().
441 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
443 return tomoyo_update_file_pattern_entry(data, is_delete);
447 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
449 * @head: Pointer to "struct tomoyo_io_buffer".
451 * Returns true on success, false otherwise.
453 * Caller holds tomoyo_read_lock().
455 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
457 struct list_head *pos;
460 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
461 struct tomoyo_pattern_entry *ptr;
462 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
465 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
466 "%s\n", ptr->pattern->name);
474 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
475 * default forbidden to modify already written content of a file.
477 * An entry is added by
479 * # echo 'deny_rewrite /var/log/messages' > \
480 * /sys/kernel/security/tomoyo/exception_policy
484 * # echo 'delete deny_rewrite /var/log/messages' > \
485 * /sys/kernel/security/tomoyo/exception_policy
487 * and all entries are retrieved by
489 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
491 * In the example above, if a process requested to rewrite /var/log/messages ,
492 * the process can't rewrite unless the domain which that process belongs to
493 * has "allow_rewrite /var/log/messages" entry.
495 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
496 * when we want to allow rewriting already unlink()ed file. As of now,
497 * LSM version of TOMOYO is using __d_path() for calculating pathname.
498 * Non LSM version of TOMOYO is using its own function which doesn't append
499 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
500 * need to worry whether the file is already unlink()ed or not.
502 static LIST_HEAD(tomoyo_no_rewrite_list);
505 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
507 * @pattern: Pathname pattern that are not rewritable by default.
508 * @is_delete: True if it is a delete request.
510 * Returns 0 on success, negative value otherwise.
512 * Caller holds tomoyo_read_lock().
514 static int tomoyo_update_no_rewrite_entry(const char *pattern,
515 const bool is_delete)
517 struct tomoyo_no_rewrite_entry *new_entry, *ptr;
518 const struct tomoyo_path_info *saved_pattern;
521 if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__))
523 saved_pattern = tomoyo_save_name(pattern);
526 mutex_lock(&tomoyo_policy_lock);
527 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
528 if (ptr->pattern != saved_pattern)
530 ptr->is_deleted = is_delete;
538 new_entry = tomoyo_alloc_element(sizeof(*new_entry));
541 new_entry->pattern = saved_pattern;
542 list_add_tail_rcu(&new_entry->list, &tomoyo_no_rewrite_list);
545 mutex_unlock(&tomoyo_policy_lock);
550 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
552 * @filename: Filename to check.
554 * Returns true if @filename is specified by "deny_rewrite" directive,
557 * Caller holds tomoyo_read_lock().
559 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
561 struct tomoyo_no_rewrite_entry *ptr;
564 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
567 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
576 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
578 * @data: String to parse.
579 * @is_delete: True if it is a delete request.
581 * Returns 0 on success, negative value otherwise.
583 * Caller holds tomoyo_read_lock().
585 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
587 return tomoyo_update_no_rewrite_entry(data, is_delete);
591 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
593 * @head: Pointer to "struct tomoyo_io_buffer".
595 * Returns true on success, false otherwise.
597 * Caller holds tomoyo_read_lock().
599 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
601 struct list_head *pos;
604 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
605 struct tomoyo_no_rewrite_entry *ptr;
606 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
609 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
610 "%s\n", ptr->pattern->name);
618 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
620 * @filename: Filename.
621 * @perm: Permission (between 1 to 7).
622 * @domain: Pointer to "struct tomoyo_domain_info".
623 * @is_delete: True if it is a delete request.
625 * Returns 0 on success, negative value otherwise.
627 * This is legacy support interface for older policy syntax.
628 * Current policy syntax uses "allow_read/write" instead of "6",
629 * "allow_read" instead of "4", "allow_write" instead of "2",
630 * "allow_execute" instead of "1".
632 * Caller holds tomoyo_read_lock().
634 static int tomoyo_update_file_acl(const char *filename, u8 perm,
635 struct tomoyo_domain_info * const domain,
636 const bool is_delete)
638 if (perm > 7 || !perm) {
639 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
640 __func__, perm, filename);
643 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
645 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
646 * directory permissions.
650 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename,
653 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename,
656 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL,
657 filename, domain, is_delete);
662 * tomoyo_check_single_path_acl2 - Check permission for single path operation.
664 * @domain: Pointer to "struct tomoyo_domain_info".
665 * @filename: Filename to check.
667 * @may_use_pattern: True if patterned ACL is permitted.
669 * Returns 0 on success, -EPERM otherwise.
671 * Caller holds tomoyo_read_lock().
673 static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
675 const struct tomoyo_path_info *
678 const bool may_use_pattern)
680 struct tomoyo_acl_info *ptr;
683 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
684 struct tomoyo_single_path_acl_record *acl;
685 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
687 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
689 if (perm <= 0xFFFF) {
690 if (!(acl->perm & perm))
693 if (!(acl->perm_high & (perm >> 16)))
696 if (may_use_pattern || !acl->filename->is_patterned) {
697 if (!tomoyo_path_matches_pattern(filename,
710 * tomoyo_check_file_acl - Check permission for opening files.
712 * @domain: Pointer to "struct tomoyo_domain_info".
713 * @filename: Filename to check.
714 * @operation: Mode ("read" or "write" or "read/write" or "execute").
716 * Returns 0 on success, -EPERM otherwise.
718 * Caller holds tomoyo_read_lock().
720 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
721 const struct tomoyo_path_info *filename,
726 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
729 perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL;
730 else if (operation == 4)
731 perm = 1 << TOMOYO_TYPE_READ_ACL;
732 else if (operation == 2)
733 perm = 1 << TOMOYO_TYPE_WRITE_ACL;
734 else if (operation == 1)
735 perm = 1 << TOMOYO_TYPE_EXECUTE_ACL;
738 return tomoyo_check_single_path_acl2(domain, filename, perm,
743 * tomoyo_check_file_perm2 - Check permission for opening files.
745 * @domain: Pointer to "struct tomoyo_domain_info".
746 * @filename: Filename to check.
747 * @perm: Mode ("read" or "write" or "read/write" or "execute").
748 * @operation: Operation name passed used for verbose mode.
749 * @mode: Access control mode.
751 * Returns 0 on success, negative value otherwise.
753 * Caller holds tomoyo_read_lock().
755 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
756 const struct tomoyo_path_info *filename,
757 const u8 perm, const char *operation,
760 const bool is_enforce = (mode == 3);
761 const char *msg = "<unknown>";
766 error = tomoyo_check_file_acl(domain, filename, perm);
767 if (error && perm == 4 &&
768 (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) == 0
769 && tomoyo_is_globally_readable_file(filename))
772 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL);
774 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL);
776 msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL);
778 msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL);
783 if (tomoyo_verbose_mode(domain))
784 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied "
785 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation,
786 filename->name, tomoyo_get_last_name(domain));
789 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
790 /* Don't use patterns for execute permission. */
791 const struct tomoyo_path_info *patterned_file = (perm != 1) ?
792 tomoyo_get_file_pattern(filename) : filename;
793 tomoyo_update_file_acl(patterned_file->name, perm,
800 * tomoyo_write_file_policy - Update file related list.
802 * @data: String to parse.
803 * @domain: Pointer to "struct tomoyo_domain_info".
804 * @is_delete: True if it is a delete request.
806 * Returns 0 on success, negative value otherwise.
808 * Caller holds tomoyo_read_lock().
810 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
811 const bool is_delete)
813 char *filename = strchr(data, ' ');
821 if (sscanf(data, "%u", &perm) == 1)
822 return tomoyo_update_file_acl(filename, (u8) perm, domain,
824 if (strncmp(data, "allow_", 6))
827 for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) {
828 if (strcmp(data, tomoyo_sp_keyword[type]))
830 return tomoyo_update_single_path_acl(type, filename,
833 filename2 = strchr(filename, ' ');
837 for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) {
838 if (strcmp(data, tomoyo_dp_keyword[type]))
840 return tomoyo_update_double_path_acl(type, filename, filename2,
848 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
850 * @type: Type of operation.
851 * @filename: Filename.
852 * @domain: Pointer to "struct tomoyo_domain_info".
853 * @is_delete: True if it is a delete request.
855 * Returns 0 on success, negative value otherwise.
857 * Caller holds tomoyo_read_lock().
859 static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
860 struct tomoyo_domain_info *
861 const domain, const bool is_delete)
863 static const u32 rw_mask =
864 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL);
865 const struct tomoyo_path_info *saved_filename;
866 struct tomoyo_acl_info *ptr;
867 struct tomoyo_single_path_acl_record *acl;
869 const u32 perm = 1 << type;
873 if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__))
875 saved_filename = tomoyo_save_name(filename);
878 mutex_lock(&tomoyo_policy_lock);
881 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
882 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
884 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
886 if (acl->filename != saved_filename)
888 /* Special case. Clear all bits if marked as deleted. */
889 if (ptr->type & TOMOYO_ACL_DELETED)
894 acl->perm_high |= (perm >> 16);
895 if ((acl->perm & rw_mask) == rw_mask)
896 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL;
897 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
898 acl->perm |= rw_mask;
899 ptr->type &= ~TOMOYO_ACL_DELETED;
903 /* Not found. Append it to the tail. */
904 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL);
910 acl->perm_high = (perm >> 16);
911 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL))
912 acl->perm |= rw_mask;
913 acl->filename = saved_filename;
914 list_add_tail_rcu(&acl->head.list, &domain->acl_info_list);
919 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
920 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
922 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
924 if (acl->filename != saved_filename)
929 acl->perm_high &= ~(perm >> 16);
930 if ((acl->perm & rw_mask) != rw_mask)
931 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL);
932 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
933 acl->perm &= ~rw_mask;
934 if (!acl->perm && !acl->perm_high)
935 ptr->type |= TOMOYO_ACL_DELETED;
940 mutex_unlock(&tomoyo_policy_lock);
945 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
947 * @type: Type of operation.
948 * @filename1: First filename.
949 * @filename2: Second filename.
950 * @domain: Pointer to "struct tomoyo_domain_info".
951 * @is_delete: True if it is a delete request.
953 * Returns 0 on success, negative value otherwise.
955 * Caller holds tomoyo_read_lock().
957 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
958 const char *filename2,
959 struct tomoyo_domain_info *
960 const domain, const bool is_delete)
962 const struct tomoyo_path_info *saved_filename1;
963 const struct tomoyo_path_info *saved_filename2;
964 struct tomoyo_acl_info *ptr;
965 struct tomoyo_double_path_acl_record *acl;
967 const u8 perm = 1 << type;
971 if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) ||
972 !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__))
974 saved_filename1 = tomoyo_save_name(filename1);
975 saved_filename2 = tomoyo_save_name(filename2);
976 if (!saved_filename1 || !saved_filename2)
978 mutex_lock(&tomoyo_policy_lock);
981 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
982 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
984 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
986 if (acl->filename1 != saved_filename1 ||
987 acl->filename2 != saved_filename2)
989 /* Special case. Clear all bits if marked as deleted. */
990 if (ptr->type & TOMOYO_ACL_DELETED)
993 ptr->type &= ~TOMOYO_ACL_DELETED;
997 /* Not found. Append it to the tail. */
998 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_DOUBLE_PATH_ACL);
1002 acl->filename1 = saved_filename1;
1003 acl->filename2 = saved_filename2;
1004 list_add_tail_rcu(&acl->head.list, &domain->acl_info_list);
1009 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1010 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
1012 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
1014 if (acl->filename1 != saved_filename1 ||
1015 acl->filename2 != saved_filename2)
1019 ptr->type |= TOMOYO_ACL_DELETED;
1024 mutex_unlock(&tomoyo_policy_lock);
1029 * tomoyo_check_single_path_acl - Check permission for single path operation.
1031 * @domain: Pointer to "struct tomoyo_domain_info".
1032 * @type: Type of operation.
1033 * @filename: Filename to check.
1035 * Returns 0 on success, negative value otherwise.
1037 * Caller holds tomoyo_read_lock().
1039 static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
1041 const struct tomoyo_path_info *filename)
1043 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1045 return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1);
1049 * tomoyo_check_double_path_acl - Check permission for double path operation.
1051 * @domain: Pointer to "struct tomoyo_domain_info".
1052 * @type: Type of operation.
1053 * @filename1: First filename to check.
1054 * @filename2: Second filename to check.
1056 * Returns 0 on success, -EPERM otherwise.
1058 * Caller holds tomoyo_read_lock().
1060 static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
1062 const struct tomoyo_path_info *
1064 const struct tomoyo_path_info *
1067 struct tomoyo_acl_info *ptr;
1068 const u8 perm = 1 << type;
1071 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1073 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1074 struct tomoyo_double_path_acl_record *acl;
1075 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
1077 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
1079 if (!(acl->perm & perm))
1081 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
1083 if (!tomoyo_path_matches_pattern(filename2, acl->filename2))
1092 * tomoyo_check_single_path_permission2 - Check permission for single path operation.
1094 * @domain: Pointer to "struct tomoyo_domain_info".
1095 * @operation: Type of operation.
1096 * @filename: Filename to check.
1097 * @mode: Access control mode.
1099 * Returns 0 on success, negative value otherwise.
1101 * Caller holds tomoyo_read_lock().
1103 static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1104 const domain, u8 operation,
1105 const struct tomoyo_path_info *
1106 filename, const u8 mode)
1110 const bool is_enforce = (mode == 3);
1115 error = tomoyo_check_single_path_acl(domain, operation, filename);
1116 msg = tomoyo_sp2keyword(operation);
1119 if (tomoyo_verbose_mode(domain))
1120 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n",
1121 tomoyo_get_msg(is_enforce), msg, filename->name,
1122 tomoyo_get_last_name(domain));
1123 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1124 const char *name = tomoyo_get_file_pattern(filename)->name;
1125 tomoyo_update_single_path_acl(operation, name, domain, false);
1131 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1132 * we need to check "allow_rewrite" permission if the filename is
1133 * specified by "deny_rewrite" keyword.
1135 if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL &&
1136 tomoyo_is_no_rewrite_file(filename)) {
1137 operation = TOMOYO_TYPE_REWRITE_ACL;
1144 * tomoyo_check_exec_perm - Check permission for "execute".
1146 * @domain: Pointer to "struct tomoyo_domain_info".
1147 * @filename: Check permission for "execute".
1149 * Returns 0 on success, negativevalue otherwise.
1151 * Caller holds tomoyo_read_lock().
1153 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1154 const struct tomoyo_path_info *filename)
1156 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1160 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode);
1164 * tomoyo_check_open_permission - Check permission for "read" and "write".
1166 * @domain: Pointer to "struct tomoyo_domain_info".
1167 * @path: Pointer to "struct path".
1168 * @flag: Flags for open().
1170 * Returns 0 on success, negative value otherwise.
1172 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1173 struct path *path, const int flag)
1175 const u8 acc_mode = ACC_MODE(flag);
1176 int error = -ENOMEM;
1177 struct tomoyo_path_info *buf;
1178 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1179 const bool is_enforce = (mode == 3);
1182 if (!mode || !path->mnt)
1186 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1188 * I don't check directories here because mkdir() and rmdir()
1192 idx = tomoyo_read_lock();
1193 buf = tomoyo_get_path(path);
1198 * If the filename is specified by "deny_rewrite" keyword,
1199 * we need to check "allow_rewrite" permission when the filename is not
1200 * opened for append mode or the filename is truncated at open time.
1202 if ((acc_mode & MAY_WRITE) &&
1203 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1204 (tomoyo_is_no_rewrite_file(buf))) {
1205 error = tomoyo_check_single_path_permission2(domain,
1206 TOMOYO_TYPE_REWRITE_ACL,
1210 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1212 if (!error && (flag & O_TRUNC))
1213 error = tomoyo_check_single_path_permission2(domain,
1214 TOMOYO_TYPE_TRUNCATE_ACL,
1218 tomoyo_read_unlock(idx);
1225 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1227 * @domain: Pointer to "struct tomoyo_domain_info".
1228 * @operation: Type of operation.
1229 * @path: Pointer to "struct path".
1231 * Returns 0 on success, negative value otherwise.
1233 int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1234 const u8 operation, struct path *path)
1236 int error = -ENOMEM;
1237 struct tomoyo_path_info *buf;
1238 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1239 const bool is_enforce = (mode == 3);
1242 if (!mode || !path->mnt)
1244 idx = tomoyo_read_lock();
1245 buf = tomoyo_get_path(path);
1248 switch (operation) {
1249 case TOMOYO_TYPE_MKDIR_ACL:
1250 case TOMOYO_TYPE_RMDIR_ACL:
1251 case TOMOYO_TYPE_CHROOT_ACL:
1254 * tomoyo_get_path() reserves space for appending "/."
1256 strcat((char *) buf->name, "/");
1257 tomoyo_fill_path_info(buf);
1260 error = tomoyo_check_single_path_permission2(domain, operation, buf,
1264 tomoyo_read_unlock(idx);
1271 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1273 * @domain: Pointer to "struct tomoyo_domain_info".
1274 * @filp: Pointer to "struct file".
1276 * Returns 0 on success, negative value otherwise.
1278 int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1281 int error = -ENOMEM;
1282 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1283 const bool is_enforce = (mode == 3);
1284 struct tomoyo_path_info *buf;
1287 if (!mode || !filp->f_path.mnt)
1290 idx = tomoyo_read_lock();
1291 buf = tomoyo_get_path(&filp->f_path);
1294 if (!tomoyo_is_no_rewrite_file(buf)) {
1298 error = tomoyo_check_single_path_permission2(domain,
1299 TOMOYO_TYPE_REWRITE_ACL,
1303 tomoyo_read_unlock(idx);
1310 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root".
1312 * @domain: Pointer to "struct tomoyo_domain_info".
1313 * @operation: Type of operation.
1314 * @path1: Pointer to "struct path".
1315 * @path2: Pointer to "struct path".
1317 * Returns 0 on success, negative value otherwise.
1319 int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
1320 const u8 operation, struct path *path1,
1323 int error = -ENOMEM;
1324 struct tomoyo_path_info *buf1, *buf2;
1325 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1326 const bool is_enforce = (mode == 3);
1330 if (!mode || !path1->mnt || !path2->mnt)
1332 idx = tomoyo_read_lock();
1333 buf1 = tomoyo_get_path(path1);
1334 buf2 = tomoyo_get_path(path2);
1338 struct dentry *dentry = path1->dentry;
1339 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1341 * tomoyo_get_path() reserves space for appending "/."
1343 if (!buf1->is_dir) {
1344 strcat((char *) buf1->name, "/");
1345 tomoyo_fill_path_info(buf1);
1347 if (!buf2->is_dir) {
1348 strcat((char *) buf2->name, "/");
1349 tomoyo_fill_path_info(buf2);
1353 error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2);
1354 msg = tomoyo_dp2keyword(operation);
1357 if (tomoyo_verbose_mode(domain))
1358 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' "
1359 "denied for %s\n", tomoyo_get_msg(is_enforce),
1360 msg, buf1->name, buf2->name,
1361 tomoyo_get_last_name(domain));
1362 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1363 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1364 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1365 tomoyo_update_double_path_acl(operation, name1, name2, domain,
1371 tomoyo_read_unlock(idx);