2 * security/tomoyo/file.c
4 * Pathname restriction functions.
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
10 #include <linux/slab.h>
12 /* Keyword array for operations with one pathname. */
13 const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
14 [TOMOYO_TYPE_READ_WRITE] = "read/write",
15 [TOMOYO_TYPE_EXECUTE] = "execute",
16 [TOMOYO_TYPE_READ] = "read",
17 [TOMOYO_TYPE_WRITE] = "write",
18 [TOMOYO_TYPE_UNLINK] = "unlink",
19 [TOMOYO_TYPE_RMDIR] = "rmdir",
20 [TOMOYO_TYPE_TRUNCATE] = "truncate",
21 [TOMOYO_TYPE_SYMLINK] = "symlink",
22 [TOMOYO_TYPE_REWRITE] = "rewrite",
23 [TOMOYO_TYPE_CHROOT] = "chroot",
24 [TOMOYO_TYPE_UMOUNT] = "unmount",
27 /* Keyword array for operations with one pathname and three numbers. */
28 const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION] = {
29 [TOMOYO_TYPE_MKBLOCK] = "mkblock",
30 [TOMOYO_TYPE_MKCHAR] = "mkchar",
33 /* Keyword array for operations with two pathnames. */
34 const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
35 [TOMOYO_TYPE_LINK] = "link",
36 [TOMOYO_TYPE_RENAME] = "rename",
37 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
40 /* Keyword array for operations with one pathname and one number. */
41 const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION] = {
42 [TOMOYO_TYPE_CREATE] = "create",
43 [TOMOYO_TYPE_MKDIR] = "mkdir",
44 [TOMOYO_TYPE_MKFIFO] = "mkfifo",
45 [TOMOYO_TYPE_MKSOCK] = "mksock",
46 [TOMOYO_TYPE_IOCTL] = "ioctl",
47 [TOMOYO_TYPE_CHMOD] = "chmod",
48 [TOMOYO_TYPE_CHOWN] = "chown",
49 [TOMOYO_TYPE_CHGRP] = "chgrp",
52 static const u8 tomoyo_p2mac[TOMOYO_MAX_PATH_OPERATION] = {
53 [TOMOYO_TYPE_READ_WRITE] = TOMOYO_MAC_FILE_OPEN,
54 [TOMOYO_TYPE_EXECUTE] = TOMOYO_MAC_FILE_EXECUTE,
55 [TOMOYO_TYPE_READ] = TOMOYO_MAC_FILE_OPEN,
56 [TOMOYO_TYPE_WRITE] = TOMOYO_MAC_FILE_OPEN,
57 [TOMOYO_TYPE_UNLINK] = TOMOYO_MAC_FILE_UNLINK,
58 [TOMOYO_TYPE_RMDIR] = TOMOYO_MAC_FILE_RMDIR,
59 [TOMOYO_TYPE_TRUNCATE] = TOMOYO_MAC_FILE_TRUNCATE,
60 [TOMOYO_TYPE_SYMLINK] = TOMOYO_MAC_FILE_SYMLINK,
61 [TOMOYO_TYPE_REWRITE] = TOMOYO_MAC_FILE_REWRITE,
62 [TOMOYO_TYPE_CHROOT] = TOMOYO_MAC_FILE_CHROOT,
63 [TOMOYO_TYPE_UMOUNT] = TOMOYO_MAC_FILE_UMOUNT,
66 static const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION] = {
67 [TOMOYO_TYPE_MKBLOCK] = TOMOYO_MAC_FILE_MKBLOCK,
68 [TOMOYO_TYPE_MKCHAR] = TOMOYO_MAC_FILE_MKCHAR,
71 static const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION] = {
72 [TOMOYO_TYPE_LINK] = TOMOYO_MAC_FILE_LINK,
73 [TOMOYO_TYPE_RENAME] = TOMOYO_MAC_FILE_RENAME,
74 [TOMOYO_TYPE_PIVOT_ROOT] = TOMOYO_MAC_FILE_PIVOT_ROOT,
77 static const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION] = {
78 [TOMOYO_TYPE_CREATE] = TOMOYO_MAC_FILE_CREATE,
79 [TOMOYO_TYPE_MKDIR] = TOMOYO_MAC_FILE_MKDIR,
80 [TOMOYO_TYPE_MKFIFO] = TOMOYO_MAC_FILE_MKFIFO,
81 [TOMOYO_TYPE_MKSOCK] = TOMOYO_MAC_FILE_MKSOCK,
82 [TOMOYO_TYPE_IOCTL] = TOMOYO_MAC_FILE_IOCTL,
83 [TOMOYO_TYPE_CHMOD] = TOMOYO_MAC_FILE_CHMOD,
84 [TOMOYO_TYPE_CHOWN] = TOMOYO_MAC_FILE_CHOWN,
85 [TOMOYO_TYPE_CHGRP] = TOMOYO_MAC_FILE_CHGRP,
88 void tomoyo_put_name_union(struct tomoyo_name_union *ptr)
93 tomoyo_put_group(ptr->group);
95 tomoyo_put_name(ptr->filename);
98 bool tomoyo_compare_name_union(const struct tomoyo_path_info *name,
99 const struct tomoyo_name_union *ptr)
102 return tomoyo_path_matches_group(name, ptr->group);
103 return tomoyo_path_matches_pattern(name, ptr->filename);
106 void tomoyo_put_number_union(struct tomoyo_number_union *ptr)
108 if (ptr && ptr->is_group)
109 tomoyo_put_group(ptr->group);
112 bool tomoyo_compare_number_union(const unsigned long value,
113 const struct tomoyo_number_union *ptr)
116 return tomoyo_number_matches_group(value, value, ptr->group);
117 return value >= ptr->values[0] && value <= ptr->values[1];
120 static void tomoyo_add_slash(struct tomoyo_path_info *buf)
125 * This is OK because tomoyo_encode() reserves space for appending "/".
127 strcat((char *) buf->name, "/");
128 tomoyo_fill_path_info(buf);
132 * tomoyo_strendswith - Check whether the token ends with the given token.
134 * @name: The token to check.
135 * @tail: The token to find.
137 * Returns true if @name ends with @tail, false otherwise.
139 static bool tomoyo_strendswith(const char *name, const char *tail)
145 len = strlen(name) - strlen(tail);
146 return len >= 0 && !strcmp(name + len, tail);
150 * tomoyo_get_realpath - Get realpath.
152 * @buf: Pointer to "struct tomoyo_path_info".
153 * @path: Pointer to "struct path".
155 * Returns true on success, false otherwise.
157 static bool tomoyo_get_realpath(struct tomoyo_path_info *buf, struct path *path)
159 buf->name = tomoyo_realpath_from_path(path);
161 tomoyo_fill_path_info(buf);
168 * tomoyo_audit_path_log - Audit path request log.
170 * @r: Pointer to "struct tomoyo_request_info".
172 * Returns 0 on success, negative value otherwise.
174 static int tomoyo_audit_path_log(struct tomoyo_request_info *r)
176 const char *operation = tomoyo_path_keyword[r->param.path.operation];
177 const struct tomoyo_path_info *filename = r->param.path.filename;
180 tomoyo_warn_log(r, "%s %s", operation, filename->name);
181 return tomoyo_supervisor(r, "allow_%s %s\n", operation,
182 tomoyo_file_pattern(filename));
186 * tomoyo_audit_path2_log - Audit path/path request log.
188 * @r: Pointer to "struct tomoyo_request_info".
190 * Returns 0 on success, negative value otherwise.
192 static int tomoyo_audit_path2_log(struct tomoyo_request_info *r)
194 const char *operation = tomoyo_path2_keyword[r->param.path2.operation];
195 const struct tomoyo_path_info *filename1 = r->param.path2.filename1;
196 const struct tomoyo_path_info *filename2 = r->param.path2.filename2;
199 tomoyo_warn_log(r, "%s %s %s", operation, filename1->name,
201 return tomoyo_supervisor(r, "allow_%s %s %s\n", operation,
202 tomoyo_file_pattern(filename1),
203 tomoyo_file_pattern(filename2));
207 * tomoyo_audit_mkdev_log - Audit path/number/number/number request log.
209 * @r: Pointer to "struct tomoyo_request_info".
211 * Returns 0 on success, negative value otherwise.
213 static int tomoyo_audit_mkdev_log(struct tomoyo_request_info *r)
215 const char *operation = tomoyo_mkdev_keyword[r->param.mkdev.operation];
216 const struct tomoyo_path_info *filename = r->param.mkdev.filename;
217 const unsigned int major = r->param.mkdev.major;
218 const unsigned int minor = r->param.mkdev.minor;
219 const unsigned int mode = r->param.mkdev.mode;
222 tomoyo_warn_log(r, "%s %s 0%o %u %u", operation, filename->name, mode,
224 return tomoyo_supervisor(r, "allow_%s %s 0%o %u %u\n", operation,
225 tomoyo_file_pattern(filename), mode, major,
230 * tomoyo_audit_path_number_log - Audit path/number request log.
232 * @r: Pointer to "struct tomoyo_request_info".
233 * @error: Error code.
235 * Returns 0 on success, negative value otherwise.
237 static int tomoyo_audit_path_number_log(struct tomoyo_request_info *r)
239 const u8 type = r->param.path_number.operation;
241 const struct tomoyo_path_info *filename = r->param.path_number.filename;
242 const char *operation = tomoyo_path_number_keyword[type];
247 case TOMOYO_TYPE_CREATE:
248 case TOMOYO_TYPE_MKDIR:
249 case TOMOYO_TYPE_MKFIFO:
250 case TOMOYO_TYPE_MKSOCK:
251 case TOMOYO_TYPE_CHMOD:
252 radix = TOMOYO_VALUE_TYPE_OCTAL;
254 case TOMOYO_TYPE_IOCTL:
255 radix = TOMOYO_VALUE_TYPE_HEXADECIMAL;
258 radix = TOMOYO_VALUE_TYPE_DECIMAL;
261 tomoyo_print_ulong(buffer, sizeof(buffer), r->param.path_number.number,
263 tomoyo_warn_log(r, "%s %s %s", operation, filename->name, buffer);
264 return tomoyo_supervisor(r, "allow_%s %s %s\n", operation,
265 tomoyo_file_pattern(filename), buffer);
268 static bool tomoyo_same_globally_readable(const struct tomoyo_acl_head *a,
269 const struct tomoyo_acl_head *b)
271 return container_of(a, struct tomoyo_globally_readable_file_entry,
273 container_of(b, struct tomoyo_globally_readable_file_entry,
278 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
280 * @filename: Filename unconditionally permitted to open() for reading.
281 * @is_delete: True if it is a delete request.
283 * Returns 0 on success, negative value otherwise.
285 * Caller holds tomoyo_read_lock().
287 static int tomoyo_update_globally_readable_entry(const char *filename,
288 const bool is_delete)
290 struct tomoyo_globally_readable_file_entry e = { };
293 if (!tomoyo_correct_word(filename))
295 e.filename = tomoyo_get_name(filename);
298 error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
300 [TOMOYO_ID_GLOBALLY_READABLE],
301 tomoyo_same_globally_readable);
302 tomoyo_put_name(e.filename);
307 * tomoyo_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
309 * @filename: The filename to check.
311 * Returns true if any domain can open @filename for reading, false otherwise.
313 * Caller holds tomoyo_read_lock().
315 static bool tomoyo_globally_readable_file(const struct tomoyo_path_info *
318 struct tomoyo_globally_readable_file_entry *ptr;
321 list_for_each_entry_rcu(ptr, &tomoyo_policy_list
322 [TOMOYO_ID_GLOBALLY_READABLE], head.list) {
323 if (!ptr->head.is_deleted &&
324 tomoyo_path_matches_pattern(filename, ptr->filename)) {
333 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
335 * @data: String to parse.
336 * @is_delete: True if it is a delete request.
338 * Returns 0 on success, negative value otherwise.
340 * Caller holds tomoyo_read_lock().
342 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
344 return tomoyo_update_globally_readable_entry(data, is_delete);
348 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
350 * @head: Pointer to "struct tomoyo_io_buffer".
352 * Returns true on success, false otherwise.
354 * Caller holds tomoyo_read_lock().
356 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
358 struct list_head *pos;
361 list_for_each_cookie(pos, head->read_var2,
362 &tomoyo_policy_list[TOMOYO_ID_GLOBALLY_READABLE]) {
363 struct tomoyo_globally_readable_file_entry *ptr;
364 ptr = list_entry(pos,
365 struct tomoyo_globally_readable_file_entry,
367 if (ptr->head.is_deleted)
369 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
370 ptr->filename->name);
377 static bool tomoyo_same_pattern(const struct tomoyo_acl_head *a,
378 const struct tomoyo_acl_head *b)
380 return container_of(a, struct tomoyo_pattern_entry, head)->pattern ==
381 container_of(b, struct tomoyo_pattern_entry, head)->pattern;
385 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
387 * @pattern: Pathname pattern.
388 * @is_delete: True if it is a delete request.
390 * Returns 0 on success, negative value otherwise.
392 * Caller holds tomoyo_read_lock().
394 static int tomoyo_update_file_pattern_entry(const char *pattern,
395 const bool is_delete)
397 struct tomoyo_pattern_entry e = { };
400 if (!tomoyo_correct_word(pattern))
402 e.pattern = tomoyo_get_name(pattern);
405 error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
406 &tomoyo_policy_list[TOMOYO_ID_PATTERN],
407 tomoyo_same_pattern);
408 tomoyo_put_name(e.pattern);
413 * tomoyo_file_pattern - Get patterned pathname.
415 * @filename: The filename to find patterned pathname.
417 * Returns pointer to pathname pattern if matched, @filename otherwise.
419 * Caller holds tomoyo_read_lock().
421 const char *tomoyo_file_pattern(const struct tomoyo_path_info *filename)
423 struct tomoyo_pattern_entry *ptr;
424 const struct tomoyo_path_info *pattern = NULL;
426 list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_PATTERN],
428 if (ptr->head.is_deleted)
430 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
432 pattern = ptr->pattern;
433 if (tomoyo_strendswith(pattern->name, "/\\*")) {
434 /* Do nothing. Try to find the better match. */
436 /* This would be the better match. Use this. */
442 return filename->name;
446 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
448 * @data: String to parse.
449 * @is_delete: True if it is a delete request.
451 * Returns 0 on success, negative value otherwise.
453 * Caller holds tomoyo_read_lock().
455 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
457 return tomoyo_update_file_pattern_entry(data, is_delete);
461 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
463 * @head: Pointer to "struct tomoyo_io_buffer".
465 * Returns true on success, false otherwise.
467 * Caller holds tomoyo_read_lock().
469 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
471 struct list_head *pos;
474 list_for_each_cookie(pos, head->read_var2,
475 &tomoyo_policy_list[TOMOYO_ID_PATTERN]) {
476 struct tomoyo_pattern_entry *ptr;
477 ptr = list_entry(pos, struct tomoyo_pattern_entry, head.list);
478 if (ptr->head.is_deleted)
480 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
481 "%s\n", ptr->pattern->name);
488 static bool tomoyo_same_no_rewrite(const struct tomoyo_acl_head *a,
489 const struct tomoyo_acl_head *b)
491 return container_of(a, struct tomoyo_no_rewrite_entry, head)->pattern
492 == container_of(b, struct tomoyo_no_rewrite_entry, head)
497 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
499 * @pattern: Pathname pattern that are not rewritable by default.
500 * @is_delete: True if it is a delete request.
502 * Returns 0 on success, negative value otherwise.
504 * Caller holds tomoyo_read_lock().
506 static int tomoyo_update_no_rewrite_entry(const char *pattern,
507 const bool is_delete)
509 struct tomoyo_no_rewrite_entry e = { };
512 if (!tomoyo_correct_word(pattern))
514 e.pattern = tomoyo_get_name(pattern);
517 error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
518 &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE],
519 tomoyo_same_no_rewrite);
520 tomoyo_put_name(e.pattern);
525 * tomoyo_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
527 * @filename: Filename to check.
529 * Returns true if @filename is specified by "deny_rewrite" directive,
532 * Caller holds tomoyo_read_lock().
534 static bool tomoyo_no_rewrite_file(const struct tomoyo_path_info *filename)
536 struct tomoyo_no_rewrite_entry *ptr;
539 list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE],
541 if (ptr->head.is_deleted)
543 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
552 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
554 * @data: String to parse.
555 * @is_delete: True if it is a delete request.
557 * Returns 0 on success, negative value otherwise.
559 * Caller holds tomoyo_read_lock().
561 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
563 return tomoyo_update_no_rewrite_entry(data, is_delete);
567 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
569 * @head: Pointer to "struct tomoyo_io_buffer".
571 * Returns true on success, false otherwise.
573 * Caller holds tomoyo_read_lock().
575 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
577 struct list_head *pos;
580 list_for_each_cookie(pos, head->read_var2,
581 &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE]) {
582 struct tomoyo_no_rewrite_entry *ptr;
583 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry,
585 if (ptr->head.is_deleted)
587 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
588 "%s\n", ptr->pattern->name);
595 static bool tomoyo_check_path_acl(const struct tomoyo_request_info *r,
596 const struct tomoyo_acl_info *ptr)
598 const struct tomoyo_path_acl *acl = container_of(ptr, typeof(*acl),
600 return (acl->perm & (1 << r->param.path.operation)) &&
601 tomoyo_compare_name_union(r->param.path.filename, &acl->name);
604 static bool tomoyo_check_path_number_acl(const struct tomoyo_request_info *r,
605 const struct tomoyo_acl_info *ptr)
607 const struct tomoyo_path_number_acl *acl =
608 container_of(ptr, typeof(*acl), head);
609 return (acl->perm & (1 << r->param.path_number.operation)) &&
610 tomoyo_compare_number_union(r->param.path_number.number,
612 tomoyo_compare_name_union(r->param.path_number.filename,
616 static bool tomoyo_check_path2_acl(const struct tomoyo_request_info *r,
617 const struct tomoyo_acl_info *ptr)
619 const struct tomoyo_path2_acl *acl =
620 container_of(ptr, typeof(*acl), head);
621 return (acl->perm & (1 << r->param.path2.operation)) &&
622 tomoyo_compare_name_union(r->param.path2.filename1, &acl->name1)
623 && tomoyo_compare_name_union(r->param.path2.filename2,
627 static bool tomoyo_check_mkdev_acl(const struct tomoyo_request_info *r,
628 const struct tomoyo_acl_info *ptr)
630 const struct tomoyo_mkdev_acl *acl =
631 container_of(ptr, typeof(*acl), head);
632 return (acl->perm & (1 << r->param.mkdev.operation)) &&
633 tomoyo_compare_number_union(r->param.mkdev.mode,
635 tomoyo_compare_number_union(r->param.mkdev.major,
637 tomoyo_compare_number_union(r->param.mkdev.minor,
639 tomoyo_compare_name_union(r->param.mkdev.filename,
643 static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a,
644 const struct tomoyo_acl_info *b)
646 const struct tomoyo_path_acl *p1 = container_of(a, typeof(*p1), head);
647 const struct tomoyo_path_acl *p2 = container_of(b, typeof(*p2), head);
648 return tomoyo_same_acl_head(&p1->head, &p2->head) &&
649 tomoyo_same_name_union(&p1->name, &p2->name);
652 static bool tomoyo_merge_path_acl(struct tomoyo_acl_info *a,
653 struct tomoyo_acl_info *b,
654 const bool is_delete)
656 u16 * const a_perm = &container_of(a, struct tomoyo_path_acl, head)
659 const u16 b_perm = container_of(b, struct tomoyo_path_acl, head)->perm;
662 if ((perm & TOMOYO_RW_MASK) != TOMOYO_RW_MASK)
663 perm &= ~(1 << TOMOYO_TYPE_READ_WRITE);
664 else if (!(perm & (1 << TOMOYO_TYPE_READ_WRITE)))
665 perm &= ~TOMOYO_RW_MASK;
668 if ((perm & TOMOYO_RW_MASK) == TOMOYO_RW_MASK)
669 perm |= (1 << TOMOYO_TYPE_READ_WRITE);
670 else if (perm & (1 << TOMOYO_TYPE_READ_WRITE))
671 perm |= TOMOYO_RW_MASK;
678 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
680 * @type: Type of operation.
681 * @filename: Filename.
682 * @domain: Pointer to "struct tomoyo_domain_info".
683 * @is_delete: True if it is a delete request.
685 * Returns 0 on success, negative value otherwise.
687 * Caller holds tomoyo_read_lock().
689 static int tomoyo_update_path_acl(const u8 type, const char *filename,
690 struct tomoyo_domain_info * const domain,
691 const bool is_delete)
693 struct tomoyo_path_acl e = {
694 .head.type = TOMOYO_TYPE_PATH_ACL,
698 if (e.perm == (1 << TOMOYO_TYPE_READ_WRITE))
699 e.perm |= TOMOYO_RW_MASK;
700 if (!tomoyo_parse_name_union(filename, &e.name))
702 error = tomoyo_update_domain(&e.head, sizeof(e), is_delete, domain,
703 tomoyo_same_path_acl,
704 tomoyo_merge_path_acl);
705 tomoyo_put_name_union(&e.name);
709 static bool tomoyo_same_mkdev_acl(const struct tomoyo_acl_info *a,
710 const struct tomoyo_acl_info *b)
712 const struct tomoyo_mkdev_acl *p1 = container_of(a, typeof(*p1),
714 const struct tomoyo_mkdev_acl *p2 = container_of(b, typeof(*p2),
716 return tomoyo_same_acl_head(&p1->head, &p2->head)
717 && tomoyo_same_name_union(&p1->name, &p2->name)
718 && tomoyo_same_number_union(&p1->mode, &p2->mode)
719 && tomoyo_same_number_union(&p1->major, &p2->major)
720 && tomoyo_same_number_union(&p1->minor, &p2->minor);
723 static bool tomoyo_merge_mkdev_acl(struct tomoyo_acl_info *a,
724 struct tomoyo_acl_info *b,
725 const bool is_delete)
727 u8 *const a_perm = &container_of(a, struct tomoyo_mkdev_acl,
730 const u8 b_perm = container_of(b, struct tomoyo_mkdev_acl, head)
741 * tomoyo_update_mkdev_acl - Update "struct tomoyo_mkdev_acl" list.
743 * @type: Type of operation.
744 * @filename: Filename.
745 * @mode: Create mode.
746 * @major: Device major number.
747 * @minor: Device minor number.
748 * @domain: Pointer to "struct tomoyo_domain_info".
749 * @is_delete: True if it is a delete request.
751 * Returns 0 on success, negative value otherwise.
753 * Caller holds tomoyo_read_lock().
755 static int tomoyo_update_mkdev_acl(const u8 type, const char *filename,
756 char *mode, char *major, char *minor,
757 struct tomoyo_domain_info * const
758 domain, const bool is_delete)
760 struct tomoyo_mkdev_acl e = {
761 .head.type = TOMOYO_TYPE_MKDEV_ACL,
764 int error = is_delete ? -ENOENT : -ENOMEM;
765 if (!tomoyo_parse_name_union(filename, &e.name) ||
766 !tomoyo_parse_number_union(mode, &e.mode) ||
767 !tomoyo_parse_number_union(major, &e.major) ||
768 !tomoyo_parse_number_union(minor, &e.minor))
770 error = tomoyo_update_domain(&e.head, sizeof(e), is_delete, domain,
771 tomoyo_same_mkdev_acl,
772 tomoyo_merge_mkdev_acl);
774 tomoyo_put_name_union(&e.name);
775 tomoyo_put_number_union(&e.mode);
776 tomoyo_put_number_union(&e.major);
777 tomoyo_put_number_union(&e.minor);
781 static bool tomoyo_same_path2_acl(const struct tomoyo_acl_info *a,
782 const struct tomoyo_acl_info *b)
784 const struct tomoyo_path2_acl *p1 = container_of(a, typeof(*p1), head);
785 const struct tomoyo_path2_acl *p2 = container_of(b, typeof(*p2), head);
786 return tomoyo_same_acl_head(&p1->head, &p2->head)
787 && tomoyo_same_name_union(&p1->name1, &p2->name1)
788 && tomoyo_same_name_union(&p1->name2, &p2->name2);
791 static bool tomoyo_merge_path2_acl(struct tomoyo_acl_info *a,
792 struct tomoyo_acl_info *b,
793 const bool is_delete)
795 u8 * const a_perm = &container_of(a, struct tomoyo_path2_acl, head)
798 const u8 b_perm = container_of(b, struct tomoyo_path2_acl, head)->perm;
808 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
810 * @type: Type of operation.
811 * @filename1: First filename.
812 * @filename2: Second filename.
813 * @domain: Pointer to "struct tomoyo_domain_info".
814 * @is_delete: True if it is a delete request.
816 * Returns 0 on success, negative value otherwise.
818 * Caller holds tomoyo_read_lock().
820 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
821 const char *filename2,
822 struct tomoyo_domain_info * const domain,
823 const bool is_delete)
825 struct tomoyo_path2_acl e = {
826 .head.type = TOMOYO_TYPE_PATH2_ACL,
829 int error = is_delete ? -ENOENT : -ENOMEM;
830 if (!tomoyo_parse_name_union(filename1, &e.name1) ||
831 !tomoyo_parse_name_union(filename2, &e.name2))
833 error = tomoyo_update_domain(&e.head, sizeof(e), is_delete, domain,
834 tomoyo_same_path2_acl,
835 tomoyo_merge_path2_acl);
837 tomoyo_put_name_union(&e.name1);
838 tomoyo_put_name_union(&e.name2);
843 * tomoyo_path_permission - Check permission for single path operation.
845 * @r: Pointer to "struct tomoyo_request_info".
846 * @operation: Type of operation.
847 * @filename: Filename to check.
849 * Returns 0 on success, negative value otherwise.
851 * Caller holds tomoyo_read_lock().
853 int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
854 const struct tomoyo_path_info *filename)
859 r->type = tomoyo_p2mac[operation];
860 r->mode = tomoyo_get_mode(r->profile, r->type);
861 if (r->mode == TOMOYO_CONFIG_DISABLED)
863 r->param_type = TOMOYO_TYPE_PATH_ACL;
864 r->param.path.filename = filename;
865 r->param.path.operation = operation;
867 tomoyo_check_acl(r, tomoyo_check_path_acl);
868 if (!r->granted && operation == TOMOYO_TYPE_READ &&
869 !r->domain->ignore_global_allow_read &&
870 tomoyo_globally_readable_file(filename))
872 error = tomoyo_audit_path_log(r);
874 * Do not retry for execute request, for alias may have
877 } while (error == TOMOYO_RETRY_REQUEST &&
878 operation != TOMOYO_TYPE_EXECUTE);
880 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
881 * we need to check "allow_rewrite" permission if the filename is
882 * specified by "deny_rewrite" keyword.
884 if (!error && operation == TOMOYO_TYPE_TRUNCATE &&
885 tomoyo_no_rewrite_file(filename)) {
886 operation = TOMOYO_TYPE_REWRITE;
892 static bool tomoyo_same_path_number_acl(const struct tomoyo_acl_info *a,
893 const struct tomoyo_acl_info *b)
895 const struct tomoyo_path_number_acl *p1 = container_of(a, typeof(*p1),
897 const struct tomoyo_path_number_acl *p2 = container_of(b, typeof(*p2),
899 return tomoyo_same_acl_head(&p1->head, &p2->head)
900 && tomoyo_same_name_union(&p1->name, &p2->name)
901 && tomoyo_same_number_union(&p1->number, &p2->number);
904 static bool tomoyo_merge_path_number_acl(struct tomoyo_acl_info *a,
905 struct tomoyo_acl_info *b,
906 const bool is_delete)
908 u8 * const a_perm = &container_of(a, struct tomoyo_path_number_acl,
911 const u8 b_perm = container_of(b, struct tomoyo_path_number_acl, head)
922 * tomoyo_update_path_number_acl - Update ioctl/chmod/chown/chgrp ACL.
924 * @type: Type of operation.
925 * @filename: Filename.
927 * @domain: Pointer to "struct tomoyo_domain_info".
928 * @is_delete: True if it is a delete request.
930 * Returns 0 on success, negative value otherwise.
932 static int tomoyo_update_path_number_acl(const u8 type, const char *filename,
934 struct tomoyo_domain_info * const
936 const bool is_delete)
938 struct tomoyo_path_number_acl e = {
939 .head.type = TOMOYO_TYPE_PATH_NUMBER_ACL,
942 int error = is_delete ? -ENOENT : -ENOMEM;
943 if (!tomoyo_parse_name_union(filename, &e.name))
945 if (!tomoyo_parse_number_union(number, &e.number))
947 error = tomoyo_update_domain(&e.head, sizeof(e), is_delete, domain,
948 tomoyo_same_path_number_acl,
949 tomoyo_merge_path_number_acl);
951 tomoyo_put_name_union(&e.name);
952 tomoyo_put_number_union(&e.number);
957 * tomoyo_path_number_perm - Check permission for "create", "mkdir", "mkfifo", "mksock", "ioctl", "chmod", "chown", "chgrp".
959 * @type: Type of operation.
960 * @path: Pointer to "struct path".
963 * Returns 0 on success, negative value otherwise.
965 int tomoyo_path_number_perm(const u8 type, struct path *path,
966 unsigned long number)
968 struct tomoyo_request_info r;
970 struct tomoyo_path_info buf;
973 if (tomoyo_init_request_info(&r, NULL, tomoyo_pn2mac[type])
974 == TOMOYO_CONFIG_DISABLED || !path->mnt || !path->dentry)
976 idx = tomoyo_read_lock();
977 if (!tomoyo_get_realpath(&buf, path))
979 if (type == TOMOYO_TYPE_MKDIR)
980 tomoyo_add_slash(&buf);
981 r.param_type = TOMOYO_TYPE_PATH_NUMBER_ACL;
982 r.param.path_number.operation = type;
983 r.param.path_number.filename = &buf;
984 r.param.path_number.number = number;
986 tomoyo_check_acl(&r, tomoyo_check_path_number_acl);
987 error = tomoyo_audit_path_number_log(&r);
988 } while (error == TOMOYO_RETRY_REQUEST);
991 tomoyo_read_unlock(idx);
992 if (r.mode != TOMOYO_CONFIG_ENFORCING)
998 * tomoyo_check_open_permission - Check permission for "read" and "write".
1000 * @domain: Pointer to "struct tomoyo_domain_info".
1001 * @path: Pointer to "struct path".
1002 * @flag: Flags for open().
1004 * Returns 0 on success, negative value otherwise.
1006 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1007 struct path *path, const int flag)
1009 const u8 acc_mode = ACC_MODE(flag);
1010 int error = -ENOMEM;
1011 struct tomoyo_path_info buf;
1012 struct tomoyo_request_info r;
1016 (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode)))
1019 r.mode = TOMOYO_CONFIG_DISABLED;
1020 idx = tomoyo_read_lock();
1021 if (!tomoyo_get_realpath(&buf, path))
1025 * If the filename is specified by "deny_rewrite" keyword,
1026 * we need to check "allow_rewrite" permission when the filename is not
1027 * opened for append mode or the filename is truncated at open time.
1029 if ((acc_mode & MAY_WRITE) && !(flag & O_APPEND)
1030 && tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_REWRITE)
1031 != TOMOYO_CONFIG_DISABLED) {
1032 if (!tomoyo_get_realpath(&buf, path)) {
1036 if (tomoyo_no_rewrite_file(&buf))
1037 error = tomoyo_path_permission(&r, TOMOYO_TYPE_REWRITE,
1040 if (!error && acc_mode &&
1041 tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN)
1042 != TOMOYO_CONFIG_DISABLED) {
1044 if (!buf.name && !tomoyo_get_realpath(&buf, path)) {
1048 if (acc_mode == (MAY_READ | MAY_WRITE))
1049 operation = TOMOYO_TYPE_READ_WRITE;
1050 else if (acc_mode == MAY_READ)
1051 operation = TOMOYO_TYPE_READ;
1053 operation = TOMOYO_TYPE_WRITE;
1054 error = tomoyo_path_permission(&r, operation, &buf);
1058 tomoyo_read_unlock(idx);
1059 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1065 * tomoyo_path_perm - Check permission for "unlink", "rmdir", "truncate", "symlink", "rewrite", "chroot" and "unmount".
1067 * @operation: Type of operation.
1068 * @path: Pointer to "struct path".
1070 * Returns 0 on success, negative value otherwise.
1072 int tomoyo_path_perm(const u8 operation, struct path *path)
1074 int error = -ENOMEM;
1075 struct tomoyo_path_info buf;
1076 struct tomoyo_request_info r;
1081 if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation])
1082 == TOMOYO_CONFIG_DISABLED)
1085 idx = tomoyo_read_lock();
1086 if (!tomoyo_get_realpath(&buf, path))
1088 switch (operation) {
1089 case TOMOYO_TYPE_REWRITE:
1090 if (!tomoyo_no_rewrite_file(&buf)) {
1095 case TOMOYO_TYPE_RMDIR:
1096 case TOMOYO_TYPE_CHROOT:
1097 case TOMOYO_TYPE_UMOUNT:
1098 tomoyo_add_slash(&buf);
1101 error = tomoyo_path_permission(&r, operation, &buf);
1104 tomoyo_read_unlock(idx);
1105 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1111 * tomoyo_mkdev_perm - Check permission for "mkblock" and "mkchar".
1113 * @operation: Type of operation. (TOMOYO_TYPE_MKCHAR or TOMOYO_TYPE_MKBLOCK)
1114 * @path: Pointer to "struct path".
1115 * @mode: Create mode.
1116 * @dev: Device number.
1118 * Returns 0 on success, negative value otherwise.
1120 int tomoyo_mkdev_perm(const u8 operation, struct path *path,
1121 const unsigned int mode, unsigned int dev)
1123 struct tomoyo_request_info r;
1124 int error = -ENOMEM;
1125 struct tomoyo_path_info buf;
1129 tomoyo_init_request_info(&r, NULL, tomoyo_pnnn2mac[operation])
1130 == TOMOYO_CONFIG_DISABLED)
1132 idx = tomoyo_read_lock();
1134 if (tomoyo_get_realpath(&buf, path)) {
1135 dev = new_decode_dev(dev);
1136 r.param_type = TOMOYO_TYPE_MKDEV_ACL;
1137 r.param.mkdev.filename = &buf;
1138 r.param.mkdev.operation = operation;
1139 r.param.mkdev.mode = mode;
1140 r.param.mkdev.major = MAJOR(dev);
1141 r.param.mkdev.minor = MINOR(dev);
1142 tomoyo_check_acl(&r, tomoyo_check_mkdev_acl);
1143 error = tomoyo_audit_mkdev_log(&r);
1146 tomoyo_read_unlock(idx);
1147 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1153 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1155 * @operation: Type of operation.
1156 * @path1: Pointer to "struct path".
1157 * @path2: Pointer to "struct path".
1159 * Returns 0 on success, negative value otherwise.
1161 int tomoyo_path2_perm(const u8 operation, struct path *path1,
1164 int error = -ENOMEM;
1165 struct tomoyo_path_info buf1;
1166 struct tomoyo_path_info buf2;
1167 struct tomoyo_request_info r;
1170 if (!path1->mnt || !path2->mnt ||
1171 tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation])
1172 == TOMOYO_CONFIG_DISABLED)
1176 idx = tomoyo_read_lock();
1177 if (!tomoyo_get_realpath(&buf1, path1) ||
1178 !tomoyo_get_realpath(&buf2, path2))
1180 switch (operation) {
1181 struct dentry *dentry;
1182 case TOMOYO_TYPE_RENAME:
1183 case TOMOYO_TYPE_LINK:
1184 dentry = path1->dentry;
1185 if (!dentry->d_inode || !S_ISDIR(dentry->d_inode->i_mode))
1188 case TOMOYO_TYPE_PIVOT_ROOT:
1189 tomoyo_add_slash(&buf1);
1190 tomoyo_add_slash(&buf2);
1193 r.param_type = TOMOYO_TYPE_PATH2_ACL;
1194 r.param.path2.operation = operation;
1195 r.param.path2.filename1 = &buf1;
1196 r.param.path2.filename2 = &buf2;
1198 tomoyo_check_acl(&r, tomoyo_check_path2_acl);
1199 error = tomoyo_audit_path2_log(&r);
1200 } while (error == TOMOYO_RETRY_REQUEST);
1204 tomoyo_read_unlock(idx);
1205 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1211 * tomoyo_write_file_policy - Update file related list.
1213 * @data: String to parse.
1214 * @domain: Pointer to "struct tomoyo_domain_info".
1215 * @is_delete: True if it is a delete request.
1217 * Returns 0 on success, negative value otherwise.
1219 * Caller holds tomoyo_read_lock().
1221 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
1222 const bool is_delete)
1226 if (!tomoyo_tokenize(data, w, sizeof(w)) || !w[1][0])
1228 if (strncmp(w[0], "allow_", 6))
1231 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) {
1232 if (strcmp(w[0], tomoyo_path_keyword[type]))
1234 return tomoyo_update_path_acl(type, w[1], domain, is_delete);
1238 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) {
1239 if (strcmp(w[0], tomoyo_path2_keyword[type]))
1241 return tomoyo_update_path2_acl(type, w[1], w[2], domain,
1244 for (type = 0; type < TOMOYO_MAX_PATH_NUMBER_OPERATION; type++) {
1245 if (strcmp(w[0], tomoyo_path_number_keyword[type]))
1247 return tomoyo_update_path_number_acl(type, w[1], w[2], domain,
1250 if (!w[3][0] || !w[4][0])
1252 for (type = 0; type < TOMOYO_MAX_MKDEV_OPERATION; type++) {
1253 if (strcmp(w[0], tomoyo_mkdev_keyword[type]))
1255 return tomoyo_update_mkdev_acl(type, w[1], w[2], w[3],
1256 w[4], domain, is_delete);