2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
14 /* Keyword array for single path operations. */
15 static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
16 [TOMOYO_TYPE_READ_WRITE] = "read/write",
17 [TOMOYO_TYPE_EXECUTE] = "execute",
18 [TOMOYO_TYPE_READ] = "read",
19 [TOMOYO_TYPE_WRITE] = "write",
20 [TOMOYO_TYPE_CREATE] = "create",
21 [TOMOYO_TYPE_UNLINK] = "unlink",
22 [TOMOYO_TYPE_MKDIR] = "mkdir",
23 [TOMOYO_TYPE_RMDIR] = "rmdir",
24 [TOMOYO_TYPE_MKFIFO] = "mkfifo",
25 [TOMOYO_TYPE_MKSOCK] = "mksock",
26 [TOMOYO_TYPE_MKBLOCK] = "mkblock",
27 [TOMOYO_TYPE_MKCHAR] = "mkchar",
28 [TOMOYO_TYPE_TRUNCATE] = "truncate",
29 [TOMOYO_TYPE_SYMLINK] = "symlink",
30 [TOMOYO_TYPE_REWRITE] = "rewrite",
31 [TOMOYO_TYPE_IOCTL] = "ioctl",
32 [TOMOYO_TYPE_CHMOD] = "chmod",
33 [TOMOYO_TYPE_CHOWN] = "chown",
34 [TOMOYO_TYPE_CHGRP] = "chgrp",
35 [TOMOYO_TYPE_CHROOT] = "chroot",
36 [TOMOYO_TYPE_MOUNT] = "mount",
37 [TOMOYO_TYPE_UMOUNT] = "unmount",
40 /* Keyword array for double path operations. */
41 static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = {
42 [TOMOYO_TYPE_LINK] = "link",
43 [TOMOYO_TYPE_RENAME] = "rename",
44 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root",
48 * tomoyo_path2keyword - Get the name of single path operation.
50 * @operation: Type of operation.
52 * Returns the name of single path operation.
54 const char *tomoyo_path2keyword(const u8 operation)
56 return (operation < TOMOYO_MAX_PATH_OPERATION)
57 ? tomoyo_path_keyword[operation] : NULL;
61 * tomoyo_path22keyword - Get the name of double path operation.
63 * @operation: Type of operation.
65 * Returns the name of double path operation.
67 const char *tomoyo_path22keyword(const u8 operation)
69 return (operation < TOMOYO_MAX_PATH2_OPERATION)
70 ? tomoyo_path2_keyword[operation] : NULL;
74 * tomoyo_strendswith - Check whether the token ends with the given token.
76 * @name: The token to check.
77 * @tail: The token to find.
79 * Returns true if @name ends with @tail, false otherwise.
81 static bool tomoyo_strendswith(const char *name, const char *tail)
87 len = strlen(name) - strlen(tail);
88 return len >= 0 && !strcmp(name + len, tail);
92 * tomoyo_get_path - Get realpath.
94 * @path: Pointer to "struct path".
96 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
98 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
101 struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf),
106 /* Reserve one byte for appending "/". */
107 error = tomoyo_realpath_from_path2(path, buf->body,
108 sizeof(buf->body) - 2);
110 buf->head.name = buf->body;
111 tomoyo_fill_path_info(&buf->head);
118 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
119 const char *filename2,
120 struct tomoyo_domain_info *const domain,
121 const bool is_delete);
122 static int tomoyo_update_path_acl(const u8 type, const char *filename,
123 struct tomoyo_domain_info *const domain,
124 const bool is_delete);
127 * tomoyo_globally_readable_list is used for holding list of pathnames which
128 * are by default allowed to be open()ed for reading by any process.
130 * An entry is added by
132 * # echo 'allow_read /lib/libc-2.5.so' > \
133 * /sys/kernel/security/tomoyo/exception_policy
137 * # echo 'delete allow_read /lib/libc-2.5.so' > \
138 * /sys/kernel/security/tomoyo/exception_policy
140 * and all entries are retrieved by
142 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
144 * In the example above, any process is allowed to
145 * open("/lib/libc-2.5.so", O_RDONLY).
146 * One exception is, if the domain which current process belongs to is marked
147 * as "ignore_global_allow_read", current process can't do so unless explicitly
148 * given "allow_read /lib/libc-2.5.so" to the domain which current process
151 LIST_HEAD(tomoyo_globally_readable_list);
154 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
156 * @filename: Filename unconditionally permitted to open() for reading.
157 * @is_delete: True if it is a delete request.
159 * Returns 0 on success, negative value otherwise.
161 * Caller holds tomoyo_read_lock().
163 static int tomoyo_update_globally_readable_entry(const char *filename,
164 const bool is_delete)
166 struct tomoyo_globally_readable_file_entry *entry = NULL;
167 struct tomoyo_globally_readable_file_entry *ptr;
168 const struct tomoyo_path_info *saved_filename;
169 int error = is_delete ? -ENOENT : -ENOMEM;
171 if (!tomoyo_is_correct_path(filename, 1, 0, -1))
173 saved_filename = tomoyo_get_name(filename);
177 entry = kmalloc(sizeof(*entry), GFP_NOFS);
178 mutex_lock(&tomoyo_policy_lock);
179 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
180 if (ptr->filename != saved_filename)
182 ptr->is_deleted = is_delete;
186 if (!is_delete && error && tomoyo_memory_ok(entry)) {
187 entry->filename = saved_filename;
188 saved_filename = NULL;
189 list_add_tail_rcu(&entry->list, &tomoyo_globally_readable_list);
193 mutex_unlock(&tomoyo_policy_lock);
194 tomoyo_put_name(saved_filename);
200 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
202 * @filename: The filename to check.
204 * Returns true if any domain can open @filename for reading, false otherwise.
206 * Caller holds tomoyo_read_lock().
208 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
211 struct tomoyo_globally_readable_file_entry *ptr;
214 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
215 if (!ptr->is_deleted &&
216 tomoyo_path_matches_pattern(filename, ptr->filename)) {
225 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
227 * @data: String to parse.
228 * @is_delete: True if it is a delete request.
230 * Returns 0 on success, negative value otherwise.
232 * Caller holds tomoyo_read_lock().
234 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
236 return tomoyo_update_globally_readable_entry(data, is_delete);
240 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
242 * @head: Pointer to "struct tomoyo_io_buffer".
244 * Returns true on success, false otherwise.
246 * Caller holds tomoyo_read_lock().
248 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
250 struct list_head *pos;
253 list_for_each_cookie(pos, head->read_var2,
254 &tomoyo_globally_readable_list) {
255 struct tomoyo_globally_readable_file_entry *ptr;
256 ptr = list_entry(pos,
257 struct tomoyo_globally_readable_file_entry,
261 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
262 ptr->filename->name);
269 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
270 * converting pathnames to pathname patterns during learning mode.
272 * An entry is added by
274 * # echo 'file_pattern /proc/\$/mounts' > \
275 * /sys/kernel/security/tomoyo/exception_policy
279 * # echo 'delete file_pattern /proc/\$/mounts' > \
280 * /sys/kernel/security/tomoyo/exception_policy
282 * and all entries are retrieved by
284 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
286 * In the example above, if a process which belongs to a domain which is in
287 * learning mode requested open("/proc/1/mounts", O_RDONLY),
288 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
289 * process belongs to.
291 * It is not a desirable behavior that we have to use /proc/\$/ instead of
292 * /proc/self/ when current process needs to access only current process's
293 * information. As of now, LSM version of TOMOYO is using __d_path() for
294 * calculating pathname. Non LSM version of TOMOYO is using its own function
295 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
296 * current process from accessing other process's information.
298 LIST_HEAD(tomoyo_pattern_list);
301 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
303 * @pattern: Pathname pattern.
304 * @is_delete: True if it is a delete request.
306 * Returns 0 on success, negative value otherwise.
308 * Caller holds tomoyo_read_lock().
310 static int tomoyo_update_file_pattern_entry(const char *pattern,
311 const bool is_delete)
313 struct tomoyo_pattern_entry *entry = NULL;
314 struct tomoyo_pattern_entry *ptr;
315 const struct tomoyo_path_info *saved_pattern;
316 int error = is_delete ? -ENOENT : -ENOMEM;
318 saved_pattern = tomoyo_get_name(pattern);
321 if (!saved_pattern->is_patterned)
324 entry = kmalloc(sizeof(*entry), GFP_NOFS);
325 mutex_lock(&tomoyo_policy_lock);
326 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
327 if (saved_pattern != ptr->pattern)
329 ptr->is_deleted = is_delete;
333 if (!is_delete && error && tomoyo_memory_ok(entry)) {
334 entry->pattern = saved_pattern;
335 saved_pattern = NULL;
336 list_add_tail_rcu(&entry->list, &tomoyo_pattern_list);
340 mutex_unlock(&tomoyo_policy_lock);
343 tomoyo_put_name(saved_pattern);
348 * tomoyo_get_file_pattern - Get patterned pathname.
350 * @filename: The filename to find patterned pathname.
352 * Returns pointer to pathname pattern if matched, @filename otherwise.
354 * Caller holds tomoyo_read_lock().
356 static const struct tomoyo_path_info *
357 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
359 struct tomoyo_pattern_entry *ptr;
360 const struct tomoyo_path_info *pattern = NULL;
362 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
365 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
367 pattern = ptr->pattern;
368 if (tomoyo_strendswith(pattern->name, "/\\*")) {
369 /* Do nothing. Try to find the better match. */
371 /* This would be the better match. Use this. */
381 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
383 * @data: String to parse.
384 * @is_delete: True if it is a delete request.
386 * Returns 0 on success, negative value otherwise.
388 * Caller holds tomoyo_read_lock().
390 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
392 return tomoyo_update_file_pattern_entry(data, is_delete);
396 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
398 * @head: Pointer to "struct tomoyo_io_buffer".
400 * Returns true on success, false otherwise.
402 * Caller holds tomoyo_read_lock().
404 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
406 struct list_head *pos;
409 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
410 struct tomoyo_pattern_entry *ptr;
411 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
414 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
415 "%s\n", ptr->pattern->name);
423 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
424 * default forbidden to modify already written content of a file.
426 * An entry is added by
428 * # echo 'deny_rewrite /var/log/messages' > \
429 * /sys/kernel/security/tomoyo/exception_policy
433 * # echo 'delete deny_rewrite /var/log/messages' > \
434 * /sys/kernel/security/tomoyo/exception_policy
436 * and all entries are retrieved by
438 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
440 * In the example above, if a process requested to rewrite /var/log/messages ,
441 * the process can't rewrite unless the domain which that process belongs to
442 * has "allow_rewrite /var/log/messages" entry.
444 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
445 * when we want to allow rewriting already unlink()ed file. As of now,
446 * LSM version of TOMOYO is using __d_path() for calculating pathname.
447 * Non LSM version of TOMOYO is using its own function which doesn't append
448 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
449 * need to worry whether the file is already unlink()ed or not.
451 LIST_HEAD(tomoyo_no_rewrite_list);
454 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
456 * @pattern: Pathname pattern that are not rewritable by default.
457 * @is_delete: True if it is a delete request.
459 * Returns 0 on success, negative value otherwise.
461 * Caller holds tomoyo_read_lock().
463 static int tomoyo_update_no_rewrite_entry(const char *pattern,
464 const bool is_delete)
466 struct tomoyo_no_rewrite_entry *entry = NULL;
467 struct tomoyo_no_rewrite_entry *ptr;
468 const struct tomoyo_path_info *saved_pattern;
469 int error = is_delete ? -ENOENT : -ENOMEM;
471 if (!tomoyo_is_correct_path(pattern, 0, 0, 0))
473 saved_pattern = tomoyo_get_name(pattern);
477 entry = kmalloc(sizeof(*entry), GFP_NOFS);
478 mutex_lock(&tomoyo_policy_lock);
479 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
480 if (ptr->pattern != saved_pattern)
482 ptr->is_deleted = is_delete;
486 if (!is_delete && error && tomoyo_memory_ok(entry)) {
487 entry->pattern = saved_pattern;
488 saved_pattern = NULL;
489 list_add_tail_rcu(&entry->list, &tomoyo_no_rewrite_list);
493 mutex_unlock(&tomoyo_policy_lock);
494 tomoyo_put_name(saved_pattern);
500 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
502 * @filename: Filename to check.
504 * Returns true if @filename is specified by "deny_rewrite" directive,
507 * Caller holds tomoyo_read_lock().
509 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
511 struct tomoyo_no_rewrite_entry *ptr;
514 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
517 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
526 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
528 * @data: String to parse.
529 * @is_delete: True if it is a delete request.
531 * Returns 0 on success, negative value otherwise.
533 * Caller holds tomoyo_read_lock().
535 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
537 return tomoyo_update_no_rewrite_entry(data, is_delete);
541 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
543 * @head: Pointer to "struct tomoyo_io_buffer".
545 * Returns true on success, false otherwise.
547 * Caller holds tomoyo_read_lock().
549 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
551 struct list_head *pos;
554 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
555 struct tomoyo_no_rewrite_entry *ptr;
556 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
559 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
560 "%s\n", ptr->pattern->name);
568 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
570 * @filename: Filename.
571 * @perm: Permission (between 1 to 7).
572 * @domain: Pointer to "struct tomoyo_domain_info".
573 * @is_delete: True if it is a delete request.
575 * Returns 0 on success, negative value otherwise.
577 * This is legacy support interface for older policy syntax.
578 * Current policy syntax uses "allow_read/write" instead of "6",
579 * "allow_read" instead of "4", "allow_write" instead of "2",
580 * "allow_execute" instead of "1".
582 * Caller holds tomoyo_read_lock().
584 static int tomoyo_update_file_acl(const char *filename, u8 perm,
585 struct tomoyo_domain_info * const domain,
586 const bool is_delete)
588 if (perm > 7 || !perm) {
589 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
590 __func__, perm, filename);
593 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
595 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
596 * directory permissions.
600 tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain,
603 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain,
606 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain,
612 * tomoyo_path_acl2 - Check permission for single path operation.
614 * @domain: Pointer to "struct tomoyo_domain_info".
615 * @filename: Filename to check.
617 * @may_use_pattern: True if patterned ACL is permitted.
619 * Returns 0 on success, -EPERM otherwise.
621 * Caller holds tomoyo_read_lock().
623 static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain,
624 const struct tomoyo_path_info *filename,
625 const u32 perm, const bool may_use_pattern)
627 struct tomoyo_acl_info *ptr;
630 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
631 struct tomoyo_path_acl *acl;
632 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
634 acl = container_of(ptr, struct tomoyo_path_acl, head);
635 if (perm <= 0xFFFF) {
636 if (!(acl->perm & perm))
639 if (!(acl->perm_high & (perm >> 16)))
642 if (may_use_pattern || !acl->filename->is_patterned) {
643 if (!tomoyo_path_matches_pattern(filename,
656 * tomoyo_check_file_acl - Check permission for opening files.
658 * @domain: Pointer to "struct tomoyo_domain_info".
659 * @filename: Filename to check.
660 * @operation: Mode ("read" or "write" or "read/write" or "execute").
662 * Returns 0 on success, -EPERM otherwise.
664 * Caller holds tomoyo_read_lock().
666 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
667 const struct tomoyo_path_info *filename,
672 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
675 perm = 1 << TOMOYO_TYPE_READ_WRITE;
676 else if (operation == 4)
677 perm = 1 << TOMOYO_TYPE_READ;
678 else if (operation == 2)
679 perm = 1 << TOMOYO_TYPE_WRITE;
680 else if (operation == 1)
681 perm = 1 << TOMOYO_TYPE_EXECUTE;
684 return tomoyo_path_acl2(domain, filename, perm, operation != 1);
688 * tomoyo_check_file_perm2 - Check permission for opening files.
690 * @domain: Pointer to "struct tomoyo_domain_info".
691 * @filename: Filename to check.
692 * @perm: Mode ("read" or "write" or "read/write" or "execute").
693 * @operation: Operation name passed used for verbose mode.
694 * @mode: Access control mode.
696 * Returns 0 on success, negative value otherwise.
698 * Caller holds tomoyo_read_lock().
700 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
701 const struct tomoyo_path_info *filename,
702 const u8 perm, const char *operation,
705 const bool is_enforce = (mode == 3);
706 const char *msg = "<unknown>";
711 error = tomoyo_check_file_acl(domain, filename, perm);
712 if (error && perm == 4 && !domain->ignore_global_allow_read
713 && tomoyo_is_globally_readable_file(filename))
716 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE);
718 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ);
720 msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE);
722 msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE);
727 if (tomoyo_verbose_mode(domain))
728 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied "
729 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation,
730 filename->name, tomoyo_get_last_name(domain));
733 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
734 /* Don't use patterns for execute permission. */
735 const struct tomoyo_path_info *patterned_file = (perm != 1) ?
736 tomoyo_get_file_pattern(filename) : filename;
737 tomoyo_update_file_acl(patterned_file->name, perm,
744 * tomoyo_write_file_policy - Update file related list.
746 * @data: String to parse.
747 * @domain: Pointer to "struct tomoyo_domain_info".
748 * @is_delete: True if it is a delete request.
750 * Returns 0 on success, negative value otherwise.
752 * Caller holds tomoyo_read_lock().
754 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
755 const bool is_delete)
757 char *filename = strchr(data, ' ');
765 if (sscanf(data, "%u", &perm) == 1)
766 return tomoyo_update_file_acl(filename, (u8) perm, domain,
768 if (strncmp(data, "allow_", 6))
771 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) {
772 if (strcmp(data, tomoyo_path_keyword[type]))
774 return tomoyo_update_path_acl(type, filename, domain,
777 filename2 = strchr(filename, ' ');
781 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) {
782 if (strcmp(data, tomoyo_path2_keyword[type]))
784 return tomoyo_update_path2_acl(type, filename, filename2,
792 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list.
794 * @type: Type of operation.
795 * @filename: Filename.
796 * @domain: Pointer to "struct tomoyo_domain_info".
797 * @is_delete: True if it is a delete request.
799 * Returns 0 on success, negative value otherwise.
801 * Caller holds tomoyo_read_lock().
803 static int tomoyo_update_path_acl(const u8 type, const char *filename,
804 struct tomoyo_domain_info *const domain,
805 const bool is_delete)
807 static const u32 rw_mask =
808 (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE);
809 const struct tomoyo_path_info *saved_filename;
810 struct tomoyo_acl_info *ptr;
811 struct tomoyo_path_acl *entry = NULL;
812 int error = is_delete ? -ENOENT : -ENOMEM;
813 const u32 perm = 1 << type;
817 if (!tomoyo_is_correct_path(filename, 0, 0, 0))
819 saved_filename = tomoyo_get_name(filename);
823 entry = kmalloc(sizeof(*entry), GFP_NOFS);
824 mutex_lock(&tomoyo_policy_lock);
825 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
826 struct tomoyo_path_acl *acl =
827 container_of(ptr, struct tomoyo_path_acl, head);
828 if (ptr->type != TOMOYO_TYPE_PATH_ACL)
830 if (acl->filename != saved_filename)
836 acl->perm_high &= ~(perm >> 16);
837 if ((acl->perm & rw_mask) != rw_mask)
838 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE);
839 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)))
840 acl->perm &= ~rw_mask;
845 acl->perm_high |= (perm >> 16);
846 if ((acl->perm & rw_mask) == rw_mask)
847 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE;
848 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))
849 acl->perm |= rw_mask;
854 if (!is_delete && error && tomoyo_memory_ok(entry)) {
855 entry->head.type = TOMOYO_TYPE_PATH_ACL;
859 entry->perm_high = (perm >> 16);
860 if (perm == (1 << TOMOYO_TYPE_READ_WRITE))
861 entry->perm |= rw_mask;
862 entry->filename = saved_filename;
863 saved_filename = NULL;
864 list_add_tail_rcu(&entry->head.list, &domain->acl_info_list);
868 mutex_unlock(&tomoyo_policy_lock);
870 tomoyo_put_name(saved_filename);
875 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list.
877 * @type: Type of operation.
878 * @filename1: First filename.
879 * @filename2: Second filename.
880 * @domain: Pointer to "struct tomoyo_domain_info".
881 * @is_delete: True if it is a delete request.
883 * Returns 0 on success, negative value otherwise.
885 * Caller holds tomoyo_read_lock().
887 static int tomoyo_update_path2_acl(const u8 type, const char *filename1,
888 const char *filename2,
889 struct tomoyo_domain_info *const domain,
890 const bool is_delete)
892 const struct tomoyo_path_info *saved_filename1;
893 const struct tomoyo_path_info *saved_filename2;
894 struct tomoyo_acl_info *ptr;
895 struct tomoyo_path2_acl *entry = NULL;
896 int error = is_delete ? -ENOENT : -ENOMEM;
897 const u8 perm = 1 << type;
901 if (!tomoyo_is_correct_path(filename1, 0, 0, 0) ||
902 !tomoyo_is_correct_path(filename2, 0, 0, 0))
904 saved_filename1 = tomoyo_get_name(filename1);
905 saved_filename2 = tomoyo_get_name(filename2);
906 if (!saved_filename1 || !saved_filename2)
909 entry = kmalloc(sizeof(*entry), GFP_NOFS);
910 mutex_lock(&tomoyo_policy_lock);
911 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
912 struct tomoyo_path2_acl *acl =
913 container_of(ptr, struct tomoyo_path2_acl, head);
914 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
916 if (acl->filename1 != saved_filename1 ||
917 acl->filename2 != saved_filename2)
926 if (!is_delete && error && tomoyo_memory_ok(entry)) {
927 entry->head.type = TOMOYO_TYPE_PATH2_ACL;
929 entry->filename1 = saved_filename1;
930 saved_filename1 = NULL;
931 entry->filename2 = saved_filename2;
932 saved_filename2 = NULL;
933 list_add_tail_rcu(&entry->head.list, &domain->acl_info_list);
937 mutex_unlock(&tomoyo_policy_lock);
939 tomoyo_put_name(saved_filename1);
940 tomoyo_put_name(saved_filename2);
946 * tomoyo_path_acl - Check permission for single path operation.
948 * @domain: Pointer to "struct tomoyo_domain_info".
949 * @type: Type of operation.
950 * @filename: Filename to check.
952 * Returns 0 on success, negative value otherwise.
954 * Caller holds tomoyo_read_lock().
956 static int tomoyo_path_acl(struct tomoyo_domain_info *domain, const u8 type,
957 const struct tomoyo_path_info *filename)
959 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
961 return tomoyo_path_acl2(domain, filename, 1 << type, 1);
965 * tomoyo_path2_acl - Check permission for double path operation.
967 * @domain: Pointer to "struct tomoyo_domain_info".
968 * @type: Type of operation.
969 * @filename1: First filename to check.
970 * @filename2: Second filename to check.
972 * Returns 0 on success, -EPERM otherwise.
974 * Caller holds tomoyo_read_lock().
976 static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain,
978 const struct tomoyo_path_info *filename1,
979 const struct tomoyo_path_info *filename2)
981 struct tomoyo_acl_info *ptr;
982 const u8 perm = 1 << type;
985 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
987 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
988 struct tomoyo_path2_acl *acl;
989 if (ptr->type != TOMOYO_TYPE_PATH2_ACL)
991 acl = container_of(ptr, struct tomoyo_path2_acl, head);
992 if (!(acl->perm & perm))
994 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
996 if (!tomoyo_path_matches_pattern(filename2, acl->filename2))
1005 * tomoyo_path_permission2 - Check permission for single path operation.
1007 * @domain: Pointer to "struct tomoyo_domain_info".
1008 * @operation: Type of operation.
1009 * @filename: Filename to check.
1010 * @mode: Access control mode.
1012 * Returns 0 on success, negative value otherwise.
1014 * Caller holds tomoyo_read_lock().
1016 static int tomoyo_path_permission2(struct tomoyo_domain_info *const domain,
1018 const struct tomoyo_path_info *filename,
1023 const bool is_enforce = (mode == 3);
1028 error = tomoyo_path_acl(domain, operation, filename);
1029 msg = tomoyo_path2keyword(operation);
1032 if (tomoyo_verbose_mode(domain))
1033 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n",
1034 tomoyo_get_msg(is_enforce), msg, filename->name,
1035 tomoyo_get_last_name(domain));
1036 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1037 const char *name = tomoyo_get_file_pattern(filename)->name;
1038 tomoyo_update_path_acl(operation, name, domain, false);
1044 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1045 * we need to check "allow_rewrite" permission if the filename is
1046 * specified by "deny_rewrite" keyword.
1048 if (!error && operation == TOMOYO_TYPE_TRUNCATE &&
1049 tomoyo_is_no_rewrite_file(filename)) {
1050 operation = TOMOYO_TYPE_REWRITE;
1057 * tomoyo_check_exec_perm - Check permission for "execute".
1059 * @domain: Pointer to "struct tomoyo_domain_info".
1060 * @filename: Check permission for "execute".
1062 * Returns 0 on success, negativevalue otherwise.
1064 * Caller holds tomoyo_read_lock().
1066 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1067 const struct tomoyo_path_info *filename)
1069 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1073 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode);
1077 * tomoyo_check_open_permission - Check permission for "read" and "write".
1079 * @domain: Pointer to "struct tomoyo_domain_info".
1080 * @path: Pointer to "struct path".
1081 * @flag: Flags for open().
1083 * Returns 0 on success, negative value otherwise.
1085 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1086 struct path *path, const int flag)
1088 const u8 acc_mode = ACC_MODE(flag);
1089 int error = -ENOMEM;
1090 struct tomoyo_path_info *buf;
1091 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1092 const bool is_enforce = (mode == 3);
1095 if (!mode || !path->mnt)
1099 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1101 * I don't check directories here because mkdir() and rmdir()
1105 idx = tomoyo_read_lock();
1106 buf = tomoyo_get_path(path);
1111 * If the filename is specified by "deny_rewrite" keyword,
1112 * we need to check "allow_rewrite" permission when the filename is not
1113 * opened for append mode or the filename is truncated at open time.
1115 if ((acc_mode & MAY_WRITE) &&
1116 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1117 (tomoyo_is_no_rewrite_file(buf))) {
1118 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE,
1122 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1124 if (!error && (flag & O_TRUNC))
1125 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_TRUNCATE,
1129 tomoyo_read_unlock(idx);
1136 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1138 * @operation: Type of operation.
1139 * @path: Pointer to "struct path".
1141 * Returns 0 on success, negative value otherwise.
1143 int tomoyo_path_perm(const u8 operation, struct path *path)
1145 int error = -ENOMEM;
1146 struct tomoyo_path_info *buf;
1147 struct tomoyo_domain_info *domain = tomoyo_domain();
1148 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1149 const bool is_enforce = (mode == 3);
1152 if (!mode || !path->mnt)
1154 idx = tomoyo_read_lock();
1155 buf = tomoyo_get_path(path);
1158 switch (operation) {
1159 case TOMOYO_TYPE_MKDIR:
1160 case TOMOYO_TYPE_RMDIR:
1161 case TOMOYO_TYPE_CHROOT:
1164 * tomoyo_get_path() reserves space for appending "/."
1166 strcat((char *) buf->name, "/");
1167 tomoyo_fill_path_info(buf);
1170 error = tomoyo_path_permission2(domain, operation, buf, mode);
1173 tomoyo_read_unlock(idx);
1180 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1182 * @filp: Pointer to "struct file".
1184 * Returns 0 on success, negative value otherwise.
1186 int tomoyo_check_rewrite_permission(struct file *filp)
1188 int error = -ENOMEM;
1189 struct tomoyo_domain_info *domain = tomoyo_domain();
1190 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1191 const bool is_enforce = (mode == 3);
1192 struct tomoyo_path_info *buf;
1195 if (!mode || !filp->f_path.mnt)
1198 idx = tomoyo_read_lock();
1199 buf = tomoyo_get_path(&filp->f_path);
1202 if (!tomoyo_is_no_rewrite_file(buf)) {
1206 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, buf, mode);
1209 tomoyo_read_unlock(idx);
1216 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root".
1218 * @operation: Type of operation.
1219 * @path1: Pointer to "struct path".
1220 * @path2: Pointer to "struct path".
1222 * Returns 0 on success, negative value otherwise.
1224 int tomoyo_path2_perm(const u8 operation, struct path *path1,
1227 int error = -ENOMEM;
1228 struct tomoyo_path_info *buf1, *buf2;
1229 struct tomoyo_domain_info *domain = tomoyo_domain();
1230 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1231 const bool is_enforce = (mode == 3);
1235 if (!mode || !path1->mnt || !path2->mnt)
1237 idx = tomoyo_read_lock();
1238 buf1 = tomoyo_get_path(path1);
1239 buf2 = tomoyo_get_path(path2);
1243 struct dentry *dentry = path1->dentry;
1244 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1246 * tomoyo_get_path() reserves space for appending "/."
1248 if (!buf1->is_dir) {
1249 strcat((char *) buf1->name, "/");
1250 tomoyo_fill_path_info(buf1);
1252 if (!buf2->is_dir) {
1253 strcat((char *) buf2->name, "/");
1254 tomoyo_fill_path_info(buf2);
1258 error = tomoyo_path2_acl(domain, operation, buf1, buf2);
1259 msg = tomoyo_path22keyword(operation);
1262 if (tomoyo_verbose_mode(domain))
1263 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' "
1264 "denied for %s\n", tomoyo_get_msg(is_enforce),
1265 msg, buf1->name, buf2->name,
1266 tomoyo_get_last_name(domain));
1267 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1268 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1269 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1270 tomoyo_update_path2_acl(operation, name1, name2, domain,
1276 tomoyo_read_unlock(idx);