2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
13 #include <linux/slab.h>
15 /* Keyword array for single path operations. */
16 static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
17 [TOMOYO_TYPE_READ_WRITE] = "read/write",
18 [TOMOYO_TYPE_EXECUTE] = "execute",
19 [TOMOYO_TYPE_READ] = "read",
20 [TOMOYO_TYPE_WRITE] = "write",
21 [TOMOYO_TYPE_CREATE] = "create",
22 [TOMOYO_TYPE_UNLINK] = "unlink",
23 [TOMOYO_TYPE_MKDIR] = "mkdir",
24 [TOMOYO_TYPE_RMDIR] = "rmdir",
25 [TOMOYO_TYPE_MKFIFO] = "mkfifo",
26 [TOMOYO_TYPE_MKSOCK] = "mksock",
27 [TOMOYO_TYPE_MKBLOCK] = "mkblock",
28 [TOMOYO_TYPE_MKCHAR] = "mkchar",
29 [TOMOYO_TYPE_TRUNCATE] = "truncate",
30 [TOMOYO_TYPE_SYMLINK] = "symlink",
31 [TOMOYO_TYPE_REWRITE] = "rewrite",
32 [TOMOYO_TYPE_IOCTL] = "ioctl",
33 [TOMOYO_TYPE_CHMOD] = "chmod",
34 [TOMOYO_TYPE_CHOWN] = "chown",
35 [TOMOYO_TYPE_CHGRP] = "chgrp",
36 [TOMOYO_TYPE_CHROOT] = "chroot",
37 [TOMOYO_TYPE_MOUNT] = "mount",
38 [TOMOYO_TYPE_UMOUNT] = "unmount",
41 /* Keyword array for double path operations. */
42 static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
43 [TOMOYO_TYPE_LINK] = "link",
44 [TOMOYO_TYPE_RENAME] = "rename",
45 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
48 void tomoyo_put_name_union(struct tomoyo_name_union *ptr)
53 tomoyo_put_path_group(ptr->group);
55 tomoyo_put_name(ptr->filename);
58 bool tomoyo_compare_name_union(const struct tomoyo_path_info *name,
59 const struct tomoyo_name_union *ptr)
62 return tomoyo_path_matches_group(name, ptr->group, 1);
63 return tomoyo_path_matches_pattern(name, ptr->filename);
66 static bool tomoyo_compare_name_union_pattern(const struct tomoyo_path_info
68 const struct tomoyo_name_union
69 *ptr, const bool may_use_pattern)
72 return tomoyo_path_matches_group(name, ptr->group,
74 if (may_use_pattern || !ptr->filename->is_patterned)
75 return tomoyo_path_matches_pattern(name, ptr->filename);
79 void tomoyo_put_number_union(struct tomoyo_number_union *ptr)
81 if (ptr && ptr->is_group)
82 tomoyo_put_number_group(ptr->group);
85 bool tomoyo_compare_number_union(const unsigned long value,
86 const struct tomoyo_number_union *ptr)
89 return tomoyo_number_matches_group(value, value, ptr->group);
90 return value >= ptr->values[0] && value <= ptr->values[1];
94 * tomoyo_init_request_info - Initialize "struct tomoyo_request_info" members.
96 * @r: Pointer to "struct tomoyo_request_info" to initialize.
97 * @domain: Pointer to "struct tomoyo_domain_info". NULL for tomoyo_domain().
101 static int tomoyo_init_request_info(struct tomoyo_request_info *r,
102 struct tomoyo_domain_info *domain)
104 memset(r, 0, sizeof(*r));
106 domain = tomoyo_domain();
108 r->mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
112 static void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...)
113 __attribute__ ((format(printf, 2, 3)));
115 * tomoyo_warn_log - Print warning or error message on console.
117 * @r: Pointer to "struct tomoyo_request_info".
118 * @fmt: The printf()'s format string, followed by parameters.
120 static void tomoyo_warn_log(struct tomoyo_request_info *r, const char *fmt, ...)
125 if (!tomoyo_verbose_mode(r->domain))
129 buffer = kmalloc(len, GFP_NOFS);
133 len2 = vsnprintf(buffer, len - 1, fmt, args);
135 if (len2 <= len - 1) {
142 printk(KERN_WARNING "TOMOYO-%s: Access %s denied for %s\n",
143 r->mode == TOMOYO_CONFIG_ENFORCING ? "ERROR" : "WARNING",
144 buffer, tomoyo_get_last_name(r->domain));
149 * tomoyo_path2keyword - Get the name of single path operation.
151 * @operation: Type of operation.
153 * Returns the name of single path operation.
155 const char *tomoyo_path2keyword(const u8 operation)
157 return (operation < TOMOYO_MAX_PATH_OPERATION)
158 ? tomoyo_path_keyword[operation] : NULL;
162 * tomoyo_path22keyword - Get the name of double path operation.
164 * @operation: Type of operation.
166 * Returns the name of double path operation.
168 const char *tomoyo_path22keyword(const u8 operation)
170 return (operation < TOMOYO_MAX_PATH2_OPERATION)
171 ? tomoyo_path2_keyword[operation] : NULL;
175 * tomoyo_strendswith - Check whether the token ends with the given token.
177 * @name: The token to check.
178 * @tail: The token to find.
180 * Returns true if @name ends with @tail, false otherwise.
182 static bool tomoyo_strendswith(const char *name, const char *tail)
188 len = strlen(name) - strlen(tail);
189 return len >= 0 && !strcmp(name + len, tail);
193 * tomoyo_get_path - Get realpath.
195 * @path: Pointer to "struct path".
197 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
199 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
202 struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf),
207 /* Reserve one byte for appending "/". */
208 error = tomoyo_realpath_from_path2(path, buf->body,
209 sizeof(buf->body) - 2);
211 buf->head.name = buf->body;
212 tomoyo_fill_path_info(&buf->head);
219 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
220 const char *filename2,
221 struct tomoyo_domain_info *const domain,
222 const bool is_delete);
223 static int tomoyo_update_path_acl(const u8 type, const char *filename,
224 struct tomoyo_domain_info *const domain,
225 const bool is_delete);
228 * tomoyo_globally_readable_list is used for holding list of pathnames which
229 * are by default allowed to be open()ed for reading by any process.
231 * An entry is added by
233 * # echo 'allow_read /lib/libc-2.5.so' > \
234 * /sys/kernel/security/tomoyo/exception_policy
238 * # echo 'delete allow_read /lib/libc-2.5.so' > \
239 * /sys/kernel/security/tomoyo/exception_policy
241 * and all entries are retrieved by
243 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
245 * In the example above, any process is allowed to
246 * open("/lib/libc-2.5.so", O_RDONLY).
247 * One exception is, if the domain which current process belongs to is marked
248 * as "ignore_global_allow_read", current process can't do so unless explicitly
249 * given "allow_read /lib/libc-2.5.so" to the domain which current process
252 LIST_HEAD(tomoyo_globally_readable_list);
255 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
257 * @filename: Filename unconditionally permitted to open() for reading.
258 * @is_delete: True if it is a delete request.
260 * Returns 0 on success, negative value otherwise.
262 * Caller holds tomoyo_read_lock().
264 static int tomoyo_update_globally_readable_entry(const char *filename,
265 const bool is_delete)
267 struct tomoyo_globally_readable_file_entry *ptr;
268 struct tomoyo_globally_readable_file_entry e = { };
269 int error = is_delete ? -ENOENT : -ENOMEM;
271 if (!tomoyo_is_correct_path(filename, 1, 0, -1))
273 e.filename = tomoyo_get_name(filename);
276 if (mutex_lock_interruptible(&tomoyo_policy_lock))
278 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
279 if (ptr->filename != e.filename)
281 ptr->is_deleted = is_delete;
285 if (!is_delete && error) {
286 struct tomoyo_globally_readable_file_entry *entry =
287 tomoyo_commit_ok(&e, sizeof(e));
289 list_add_tail_rcu(&entry->list,
290 &tomoyo_globally_readable_list);
294 mutex_unlock(&tomoyo_policy_lock);
296 tomoyo_put_name(e.filename);
301 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
303 * @filename: The filename to check.
305 * Returns true if any domain can open @filename for reading, false otherwise.
307 * Caller holds tomoyo_read_lock().
309 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
312 struct tomoyo_globally_readable_file_entry *ptr;
315 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
316 if (!ptr->is_deleted &&
317 tomoyo_path_matches_pattern(filename, ptr->filename)) {
326 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
328 * @data: String to parse.
329 * @is_delete: True if it is a delete request.
331 * Returns 0 on success, negative value otherwise.
333 * Caller holds tomoyo_read_lock().
335 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
337 return tomoyo_update_globally_readable_entry(data, is_delete);
341 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
343 * @head: Pointer to "struct tomoyo_io_buffer".
345 * Returns true on success, false otherwise.
347 * Caller holds tomoyo_read_lock().
349 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
351 struct list_head *pos;
354 list_for_each_cookie(pos, head->read_var2,
355 &tomoyo_globally_readable_list) {
356 struct tomoyo_globally_readable_file_entry *ptr;
357 ptr = list_entry(pos,
358 struct tomoyo_globally_readable_file_entry,
362 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
363 ptr->filename->name);
370 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
371 * converting pathnames to pathname patterns during learning mode.
373 * An entry is added by
375 * # echo 'file_pattern /proc/\$/mounts' > \
376 * /sys/kernel/security/tomoyo/exception_policy
380 * # echo 'delete file_pattern /proc/\$/mounts' > \
381 * /sys/kernel/security/tomoyo/exception_policy
383 * and all entries are retrieved by
385 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
387 * In the example above, if a process which belongs to a domain which is in
388 * learning mode requested open("/proc/1/mounts", O_RDONLY),
389 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
390 * process belongs to.
392 * It is not a desirable behavior that we have to use /proc/\$/ instead of
393 * /proc/self/ when current process needs to access only current process's
394 * information. As of now, LSM version of TOMOYO is using __d_path() for
395 * calculating pathname. Non LSM version of TOMOYO is using its own function
396 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
397 * current process from accessing other process's information.
399 LIST_HEAD(tomoyo_pattern_list);
402 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
404 * @pattern: Pathname pattern.
405 * @is_delete: True if it is a delete request.
407 * Returns 0 on success, negative value otherwise.
409 * Caller holds tomoyo_read_lock().
411 static int tomoyo_update_file_pattern_entry(const char *pattern,
412 const bool is_delete)
414 struct tomoyo_pattern_entry *ptr;
415 struct tomoyo_pattern_entry e = { .pattern = tomoyo_get_name(pattern) };
416 int error = is_delete ? -ENOENT : -ENOMEM;
420 if (!e.pattern->is_patterned)
422 if (mutex_lock_interruptible(&tomoyo_policy_lock))
424 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
425 if (e.pattern != ptr->pattern)
427 ptr->is_deleted = is_delete;
431 if (!is_delete && error) {
432 struct tomoyo_pattern_entry *entry =
433 tomoyo_commit_ok(&e, sizeof(e));
435 list_add_tail_rcu(&entry->list, &tomoyo_pattern_list);
439 mutex_unlock(&tomoyo_policy_lock);
441 tomoyo_put_name(e.pattern);
446 * tomoyo_get_file_pattern - Get patterned pathname.
448 * @filename: The filename to find patterned pathname.
450 * Returns pointer to pathname pattern if matched, @filename otherwise.
452 * Caller holds tomoyo_read_lock().
454 static const struct tomoyo_path_info *
455 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
457 struct tomoyo_pattern_entry *ptr;
458 const struct tomoyo_path_info *pattern = NULL;
460 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
463 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
465 pattern = ptr->pattern;
466 if (tomoyo_strendswith(pattern->name, "/\\*")) {
467 /* Do nothing. Try to find the better match. */
469 /* This would be the better match. Use this. */
479 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
481 * @data: String to parse.
482 * @is_delete: True if it is a delete request.
484 * Returns 0 on success, negative value otherwise.
486 * Caller holds tomoyo_read_lock().
488 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
490 return tomoyo_update_file_pattern_entry(data, is_delete);
494 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
496 * @head: Pointer to "struct tomoyo_io_buffer".
498 * Returns true on success, false otherwise.
500 * Caller holds tomoyo_read_lock().
502 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
504 struct list_head *pos;
507 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
508 struct tomoyo_pattern_entry *ptr;
509 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
512 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
513 "%s\n", ptr->pattern->name);
521 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
522 * default forbidden to modify already written content of a file.
524 * An entry is added by
526 * # echo 'deny_rewrite /var/log/messages' > \
527 * /sys/kernel/security/tomoyo/exception_policy
531 * # echo 'delete deny_rewrite /var/log/messages' > \
532 * /sys/kernel/security/tomoyo/exception_policy
534 * and all entries are retrieved by
536 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
538 * In the example above, if a process requested to rewrite /var/log/messages ,
539 * the process can't rewrite unless the domain which that process belongs to
540 * has "allow_rewrite /var/log/messages" entry.
542 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
543 * when we want to allow rewriting already unlink()ed file. As of now,
544 * LSM version of TOMOYO is using __d_path() for calculating pathname.
545 * Non LSM version of TOMOYO is using its own function which doesn't append
546 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
547 * need to worry whether the file is already unlink()ed or not.
549 LIST_HEAD(tomoyo_no_rewrite_list);
552 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
554 * @pattern: Pathname pattern that are not rewritable by default.
555 * @is_delete: True if it is a delete request.
557 * Returns 0 on success, negative value otherwise.
559 * Caller holds tomoyo_read_lock().
561 static int tomoyo_update_no_rewrite_entry(const char *pattern,
562 const bool is_delete)
564 struct tomoyo_no_rewrite_entry *ptr;
565 struct tomoyo_no_rewrite_entry e = { };
566 int error = is_delete ? -ENOENT : -ENOMEM;
568 if (!tomoyo_is_correct_path(pattern, 0, 0, 0))
570 e.pattern = tomoyo_get_name(pattern);
573 if (mutex_lock_interruptible(&tomoyo_policy_lock))
575 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
576 if (ptr->pattern != e.pattern)
578 ptr->is_deleted = is_delete;
582 if (!is_delete && error) {
583 struct tomoyo_no_rewrite_entry *entry =
584 tomoyo_commit_ok(&e, sizeof(e));
586 list_add_tail_rcu(&entry->list,
587 &tomoyo_no_rewrite_list);
591 mutex_unlock(&tomoyo_policy_lock);
593 tomoyo_put_name(e.pattern);
598 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
600 * @filename: Filename to check.
602 * Returns true if @filename is specified by "deny_rewrite" directive,
605 * Caller holds tomoyo_read_lock().
607 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
609 struct tomoyo_no_rewrite_entry *ptr;
612 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
615 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
624 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
626 * @data: String to parse.
627 * @is_delete: True if it is a delete request.
629 * Returns 0 on success, negative value otherwise.
631 * Caller holds tomoyo_read_lock().
633 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
635 return tomoyo_update_no_rewrite_entry(data, is_delete);
639 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
641 * @head: Pointer to "struct tomoyo_io_buffer".
643 * Returns true on success, false otherwise.
645 * Caller holds tomoyo_read_lock().
647 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
649 struct list_head *pos;
652 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
653 struct tomoyo_no_rewrite_entry *ptr;
654 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
657 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
658 "%s\n", ptr->pattern->name);
666 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
668 * @filename: Filename.
669 * @perm: Permission (between 1 to 7).
670 * @domain: Pointer to "struct tomoyo_domain_info".
671 * @is_delete: True if it is a delete request.
673 * Returns 0 on success, negative value otherwise.
675 * This is legacy support interface for older policy syntax.
676 * Current policy syntax uses "allow_read/write" instead of "6",
677 * "allow_read" instead of "4", "allow_write" instead of "2",
678 * "allow_execute" instead of "1".
680 * Caller holds tomoyo_read_lock().
682 static int tomoyo_update_file_acl(const char *filename, u8 perm,
683 struct tomoyo_domain_info * const domain,
684 const bool is_delete)
686 if (perm > 7 || !perm) {
687 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
688 __func__, perm, filename);
691 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
693 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
694 * directory permissions.
698 tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain,
701 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain,
704 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain,
710 * tomoyo_path_acl - Check permission for single path operation.
712 * @r: Pointer to "struct tomoyo_request_info".
713 * @filename: Filename to check.
715 * @may_use_pattern: True if patterned ACL is permitted.
717 * Returns 0 on success, -EPERM otherwise.
719 * Caller holds tomoyo_read_lock().
721 static int tomoyo_path_acl(const struct tomoyo_request_info *r,
722 const struct tomoyo_path_info *filename,
723 const u32 perm, const bool may_use_pattern)
725 struct tomoyo_domain_info *domain = r->domain;
726 struct tomoyo_acl_info *ptr;
729 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
730 struct tomoyo_path_acl *acl;
731 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
733 acl = container_of(ptr, struct tomoyo_path_acl, head);
734 if (perm <= 0xFFFF) {
735 if (!(acl->perm & perm))
738 if (!(acl->perm_high & (perm >> 16)))
741 if (!tomoyo_compare_name_union_pattern(filename, &acl->name,
751 * tomoyo_file_perm - Check permission for opening files.
753 * @r: Pointer to "struct tomoyo_request_info".
754 * @filename: Filename to check.
755 * @mode: Mode ("read" or "write" or "read/write" or "execute").
757 * Returns 0 on success, negative value otherwise.
759 * Caller holds tomoyo_read_lock().
761 static int tomoyo_file_perm(struct tomoyo_request_info *r,
762 const struct tomoyo_path_info *filename,
765 const char *msg = "<unknown>";
773 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
774 perm = 1 << TOMOYO_TYPE_READ_WRITE;
775 } else if (mode == 4) {
776 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
777 perm = 1 << TOMOYO_TYPE_READ;
778 } else if (mode == 2) {
779 msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
780 perm = 1 << TOMOYO_TYPE_WRITE;
781 } else if (mode == 1) {
782 msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
783 perm = 1 << TOMOYO_TYPE_EXECUTE;
786 error = tomoyo_path_acl(r, filename, perm, mode != 1);
787 if (error && mode == 4 && !r->domain->ignore_global_allow_read
788 && tomoyo_is_globally_readable_file(filename))
792 tomoyo_warn_log(r, "%s %s", msg, filename->name);
793 if (r->mode == TOMOYO_CONFIG_ENFORCING)
795 if (tomoyo_domain_quota_is_ok(r)) {
796 /* Don't use patterns for execute permission. */
797 const struct tomoyo_path_info *patterned_file = (mode != 1) ?
798 tomoyo_get_file_pattern(filename) : filename;
799 tomoyo_update_file_acl(patterned_file->name, mode,
806 * tomoyo_write_file_policy - Update file related list.
808 * @data: String to parse.
809 * @domain: Pointer to "struct tomoyo_domain_info".
810 * @is_delete: True if it is a delete request.
812 * Returns 0 on success, negative value otherwise.
814 * Caller holds tomoyo_read_lock().
816 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
817 const bool is_delete)
819 char *filename = strchr(data, ' ');
827 if (sscanf(data, "%u", &perm) == 1)
828 return tomoyo_update_file_acl(filename, (u8) perm, domain,
830 if (strncmp(data, "allow_", 6))
833 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) {
834 if (strcmp(data, tomoyo_path_keyword[type]))
836 return tomoyo_update_path_acl(type, filename, domain,
839 filename2 = strchr(filename, ' ');
843 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) {
844 if (strcmp(data, tomoyo_path2_keyword[type]))
846 return tomoyo_update_path2_acl(type, filename, filename2,
854 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
856 * @type: Type of operation.
857 * @filename: Filename.
858 * @domain: Pointer to "struct tomoyo_domain_info".
859 * @is_delete: True if it is a delete request.
861 * Returns 0 on success, negative value otherwise.
863 * Caller holds tomoyo_read_lock().
865 static int tomoyo_update_path_acl(const u8 type, const char *filename,
866 struct tomoyo_domain_info *const domain,
867 const bool is_delete)
869 static const u32 tomoyo_rw_mask =
870 (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE);
871 const u32 perm = 1 << type;
872 struct tomoyo_acl_info *ptr;
873 struct tomoyo_path_acl e = {
874 .head.type = TOMOYO_TYPE_PATH_ACL,
875 .perm_high = perm >> 16,
878 int error = is_delete ? -ENOENT : -ENOMEM;
880 if (type == TOMOYO_TYPE_READ_WRITE)
881 e.perm |= tomoyo_rw_mask;
884 if (!tomoyo_parse_name_union(filename, &e.name))
886 if (mutex_lock_interruptible(&tomoyo_policy_lock))
888 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
889 struct tomoyo_path_acl *acl =
890 container_of(ptr, struct tomoyo_path_acl, head);
891 if (!tomoyo_is_same_path_acl(acl, &e))
897 acl->perm_high &= ~(perm >> 16);
898 if ((acl->perm & tomoyo_rw_mask) != tomoyo_rw_mask)
899 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE);
900 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)))
901 acl->perm &= ~tomoyo_rw_mask;
906 acl->perm_high |= (perm >> 16);
907 if ((acl->perm & tomoyo_rw_mask) == tomoyo_rw_mask)
908 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE;
909 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))
910 acl->perm |= tomoyo_rw_mask;
915 if (!is_delete && error) {
916 struct tomoyo_path_acl *entry =
917 tomoyo_commit_ok(&e, sizeof(e));
919 list_add_tail_rcu(&entry->head.list,
920 &domain->acl_info_list);
924 mutex_unlock(&tomoyo_policy_lock);
926 tomoyo_put_name_union(&e.name);
931 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
933 * @type: Type of operation.
934 * @filename1: First filename.
935 * @filename2: Second filename.
936 * @domain: Pointer to "struct tomoyo_domain_info".
937 * @is_delete: True if it is a delete request.
939 * Returns 0 on success, negative value otherwise.
941 * Caller holds tomoyo_read_lock().
943 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
944 const char *filename2,
945 struct tomoyo_domain_info *const domain,
946 const bool is_delete)
948 const u8 perm = 1 << type;
949 struct tomoyo_path2_acl e = {
950 .head.type = TOMOYO_TYPE_PATH2_ACL,
953 struct tomoyo_acl_info *ptr;
954 int error = is_delete ? -ENOENT : -ENOMEM;
958 if (!tomoyo_parse_name_union(filename1, &e.name1) ||
959 !tomoyo_parse_name_union(filename2, &e.name2))
961 if (mutex_lock_interruptible(&tomoyo_policy_lock))
963 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
964 struct tomoyo_path2_acl *acl =
965 container_of(ptr, struct tomoyo_path2_acl, head);
966 if (!tomoyo_is_same_path2_acl(acl, &e))
975 if (!is_delete && error) {
976 struct tomoyo_path2_acl *entry =
977 tomoyo_commit_ok(&e, sizeof(e));
979 list_add_tail_rcu(&entry->head.list,
980 &domain->acl_info_list);
984 mutex_unlock(&tomoyo_policy_lock);
986 tomoyo_put_name_union(&e.name1);
987 tomoyo_put_name_union(&e.name2);
992 * tomoyo_path2_acl - Check permission for double path operation.
994 * @r: Pointer to "struct tomoyo_request_info".
995 * @type: Type of operation.
996 * @filename1: First filename to check.
997 * @filename2: Second filename to check.
999 * Returns 0 on success, -EPERM otherwise.
1001 * Caller holds tomoyo_read_lock().
1003 static int tomoyo_path2_acl(const struct tomoyo_request_info *r, const u8 type,
1004 const struct tomoyo_path_info *filename1,
1005 const struct tomoyo_path_info *filename2)
1007 const struct tomoyo_domain_info *domain = r->domain;
1008 struct tomoyo_acl_info *ptr;
1009 const u8 perm = 1 << type;
1012 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1013 struct tomoyo_path2_acl *acl;
1014 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
1016 acl = container_of(ptr, struct tomoyo_path2_acl, head);
1017 if (!(acl->perm & perm))
1019 if (!tomoyo_compare_name_union(filename1, &acl->name1))
1021 if (!tomoyo_compare_name_union(filename2, &acl->name2))
1030 * tomoyo_path_permission - Check permission for single path operation.
1032 * @r: Pointer to "struct tomoyo_request_info".
1033 * @operation: Type of operation.
1034 * @filename: Filename to check.
1036 * Returns 0 on success, negative value otherwise.
1038 * Caller holds tomoyo_read_lock().
1040 static int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
1041 const struct tomoyo_path_info *filename)
1046 error = tomoyo_path_acl(r, filename, 1 << operation, 1);
1049 tomoyo_warn_log(r, "%s %s", tomoyo_path2keyword(operation),
1051 if (tomoyo_domain_quota_is_ok(r)) {
1052 const char *name = tomoyo_get_file_pattern(filename)->name;
1053 tomoyo_update_path_acl(operation, name, r->domain, false);
1055 if (r->mode != TOMOYO_CONFIG_ENFORCING)
1059 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1060 * we need to check "allow_rewrite" permission if the filename is
1061 * specified by "deny_rewrite" keyword.
1063 if (!error && operation == TOMOYO_TYPE_TRUNCATE &&
1064 tomoyo_is_no_rewrite_file(filename)) {
1065 operation = TOMOYO_TYPE_REWRITE;
1072 * tomoyo_check_exec_perm - Check permission for "execute".
1074 * @domain: Pointer to "struct tomoyo_domain_info".
1075 * @filename: Check permission for "execute".
1077 * Returns 0 on success, negativevalue otherwise.
1079 * Caller holds tomoyo_read_lock().
1081 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1082 const struct tomoyo_path_info *filename)
1084 struct tomoyo_request_info r;
1086 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED)
1088 return tomoyo_file_perm(&r, filename, 1);
1092 * tomoyo_check_open_permission - Check permission for "read" and "write".
1094 * @domain: Pointer to "struct tomoyo_domain_info".
1095 * @path: Pointer to "struct path".
1096 * @flag: Flags for open().
1098 * Returns 0 on success, negative value otherwise.
1100 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1101 struct path *path, const int flag)
1103 const u8 acc_mode = ACC_MODE(flag);
1104 int error = -ENOMEM;
1105 struct tomoyo_path_info *buf;
1106 struct tomoyo_request_info r;
1109 if (tomoyo_init_request_info(&r, domain) == TOMOYO_CONFIG_DISABLED ||
1114 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1116 * I don't check directories here because mkdir() and rmdir()
1120 idx = tomoyo_read_lock();
1121 buf = tomoyo_get_path(path);
1126 * If the filename is specified by "deny_rewrite" keyword,
1127 * we need to check "allow_rewrite" permission when the filename is not
1128 * opened for append mode or the filename is truncated at open time.
1130 if ((acc_mode & MAY_WRITE) &&
1131 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1132 (tomoyo_is_no_rewrite_file(buf))) {
1133 error = tomoyo_path_permission(&r, TOMOYO_TYPE_REWRITE, buf);
1136 error = tomoyo_file_perm(&r, buf, acc_mode);
1137 if (!error && (flag & O_TRUNC))
1138 error = tomoyo_path_permission(&r, TOMOYO_TYPE_TRUNCATE, buf);
1141 tomoyo_read_unlock(idx);
1142 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1148 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "rewrite", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1150 * @operation: Type of operation.
1151 * @path: Pointer to "struct path".
1153 * Returns 0 on success, negative value otherwise.
1155 int tomoyo_path_perm(const u8 operation, struct path *path)
1157 int error = -ENOMEM;
1158 struct tomoyo_path_info *buf;
1159 struct tomoyo_request_info r;
1162 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED ||
1165 idx = tomoyo_read_lock();
1166 buf = tomoyo_get_path(path);
1169 switch (operation) {
1170 case TOMOYO_TYPE_REWRITE:
1171 if (!tomoyo_is_no_rewrite_file(buf)) {
1176 case TOMOYO_TYPE_MKDIR:
1177 case TOMOYO_TYPE_RMDIR:
1178 case TOMOYO_TYPE_CHROOT:
1181 * tomoyo_get_path() reserves space for appending "/."
1183 strcat((char *) buf->name, "/");
1184 tomoyo_fill_path_info(buf);
1187 error = tomoyo_path_permission(&r, operation, buf);
1190 tomoyo_read_unlock(idx);
1191 if (r.mode != TOMOYO_CONFIG_ENFORCING)
1197 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1199 * @operation: Type of operation.
1200 * @path1: Pointer to "struct path".
1201 * @path2: Pointer to "struct path".
1203 * Returns 0 on success, negative value otherwise.
1205 int tomoyo_path2_perm(const u8 operation, struct path *path1,
1208 int error = -ENOMEM;
1209 struct tomoyo_path_info *buf1;
1210 struct tomoyo_path_info *buf2;
1211 struct tomoyo_request_info r;
1214 if (tomoyo_init_request_info(&r, NULL) == TOMOYO_CONFIG_DISABLED ||
1215 !path1->mnt || !path2->mnt)
1217 idx = tomoyo_read_lock();
1218 buf1 = tomoyo_get_path(path1);
1219 buf2 = tomoyo_get_path(path2);
1223 struct dentry *dentry = path1->dentry;
1224 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1226 * tomoyo_get_path() reserves space for appending "/."
1228 if (!buf1->is_dir) {
1229 strcat((char *) buf1->name, "/");
1230 tomoyo_fill_path_info(buf1);
1232 if (!buf2->is_dir) {
1233 strcat((char *) buf2->name, "/");
1234 tomoyo_fill_path_info(buf2);
1238 error = tomoyo_path2_acl(&r, operation, buf1, buf2);
1241 tomoyo_warn_log(&r, "%s %s %s", tomoyo_path22keyword(operation),
1242 buf1->name, buf2->name);
1243 if (tomoyo_domain_quota_is_ok(&r)) {
1244 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1245 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1246 tomoyo_update_path2_acl(operation, name1, name2, r.domain,
1252 tomoyo_read_unlock(idx);
1253 if (r.mode != TOMOYO_CONFIG_ENFORCING)