X-Git-Url: https://git.openpandora.org/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=security%2Ftomoyo%2Ffile.c;h=df3b203d7d4f486d6ba9d7a42610d5d02b26800f;hb=a230f9e7121cbcbfe23bd5a630abf6b53cece555;hp=1c6f8238ec47a1866e74f80da1d2e6c120b69ff3;hpb=31f46717997a83bdf6db0dd04810c0a329eb3148;p=pandora-kernel.git diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 1c6f8238ec47..df3b203d7d4f 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -1,48 +1,88 @@ /* * security/tomoyo/file.c * - * Implementation of the Domain-Based Mandatory Access Control. - * - * Copyright (C) 2005-2009 NTT DATA CORPORATION - * - * Version: 2.2.0 2009/04/01 + * Pathname restriction functions. * + * Copyright (C) 2005-2010 NTT DATA CORPORATION */ #include "common.h" #include -/* Keyword array for single path operations. */ -static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = { +/* Keyword array for operations with one pathname. */ +const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = { [TOMOYO_TYPE_READ_WRITE] = "read/write", [TOMOYO_TYPE_EXECUTE] = "execute", [TOMOYO_TYPE_READ] = "read", [TOMOYO_TYPE_WRITE] = "write", - [TOMOYO_TYPE_CREATE] = "create", [TOMOYO_TYPE_UNLINK] = "unlink", - [TOMOYO_TYPE_MKDIR] = "mkdir", [TOMOYO_TYPE_RMDIR] = "rmdir", - [TOMOYO_TYPE_MKFIFO] = "mkfifo", - [TOMOYO_TYPE_MKSOCK] = "mksock", - [TOMOYO_TYPE_MKBLOCK] = "mkblock", - [TOMOYO_TYPE_MKCHAR] = "mkchar", [TOMOYO_TYPE_TRUNCATE] = "truncate", [TOMOYO_TYPE_SYMLINK] = "symlink", [TOMOYO_TYPE_REWRITE] = "rewrite", + [TOMOYO_TYPE_CHROOT] = "chroot", + [TOMOYO_TYPE_UMOUNT] = "unmount", +}; + +/* Keyword array for operations with one pathname and three numbers. */ +const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION] = { + [TOMOYO_TYPE_MKBLOCK] = "mkblock", + [TOMOYO_TYPE_MKCHAR] = "mkchar", +}; + +/* Keyword array for operations with two pathnames. */ +const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = { + [TOMOYO_TYPE_LINK] = "link", + [TOMOYO_TYPE_RENAME] = "rename", + [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root", +}; + +/* Keyword array for operations with one pathname and one number. */ +const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION] = { + [TOMOYO_TYPE_CREATE] = "create", + [TOMOYO_TYPE_MKDIR] = "mkdir", + [TOMOYO_TYPE_MKFIFO] = "mkfifo", + [TOMOYO_TYPE_MKSOCK] = "mksock", [TOMOYO_TYPE_IOCTL] = "ioctl", [TOMOYO_TYPE_CHMOD] = "chmod", [TOMOYO_TYPE_CHOWN] = "chown", [TOMOYO_TYPE_CHGRP] = "chgrp", - [TOMOYO_TYPE_CHROOT] = "chroot", - [TOMOYO_TYPE_MOUNT] = "mount", - [TOMOYO_TYPE_UMOUNT] = "unmount", }; -/* Keyword array for double path operations. */ -static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = { - [TOMOYO_TYPE_LINK] = "link", - [TOMOYO_TYPE_RENAME] = "rename", - [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root", +static const u8 tomoyo_p2mac[TOMOYO_MAX_PATH_OPERATION] = { + [TOMOYO_TYPE_READ_WRITE] = TOMOYO_MAC_FILE_OPEN, + [TOMOYO_TYPE_EXECUTE] = TOMOYO_MAC_FILE_EXECUTE, + [TOMOYO_TYPE_READ] = TOMOYO_MAC_FILE_OPEN, + [TOMOYO_TYPE_WRITE] = TOMOYO_MAC_FILE_OPEN, + [TOMOYO_TYPE_UNLINK] = TOMOYO_MAC_FILE_UNLINK, + [TOMOYO_TYPE_RMDIR] = TOMOYO_MAC_FILE_RMDIR, + [TOMOYO_TYPE_TRUNCATE] = TOMOYO_MAC_FILE_TRUNCATE, + [TOMOYO_TYPE_SYMLINK] = TOMOYO_MAC_FILE_SYMLINK, + [TOMOYO_TYPE_REWRITE] = TOMOYO_MAC_FILE_REWRITE, + [TOMOYO_TYPE_CHROOT] = TOMOYO_MAC_FILE_CHROOT, + [TOMOYO_TYPE_UMOUNT] = TOMOYO_MAC_FILE_UMOUNT, +}; + +static const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION] = { + [TOMOYO_TYPE_MKBLOCK] = TOMOYO_MAC_FILE_MKBLOCK, + [TOMOYO_TYPE_MKCHAR] = TOMOYO_MAC_FILE_MKCHAR, +}; + +static const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION] = { + [TOMOYO_TYPE_LINK] = TOMOYO_MAC_FILE_LINK, + [TOMOYO_TYPE_RENAME] = TOMOYO_MAC_FILE_RENAME, + [TOMOYO_TYPE_PIVOT_ROOT] = TOMOYO_MAC_FILE_PIVOT_ROOT, +}; + +static const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION] = { + [TOMOYO_TYPE_CREATE] = TOMOYO_MAC_FILE_CREATE, + [TOMOYO_TYPE_MKDIR] = TOMOYO_MAC_FILE_MKDIR, + [TOMOYO_TYPE_MKFIFO] = TOMOYO_MAC_FILE_MKFIFO, + [TOMOYO_TYPE_MKSOCK] = TOMOYO_MAC_FILE_MKSOCK, + [TOMOYO_TYPE_IOCTL] = TOMOYO_MAC_FILE_IOCTL, + [TOMOYO_TYPE_CHMOD] = TOMOYO_MAC_FILE_CHMOD, + [TOMOYO_TYPE_CHOWN] = TOMOYO_MAC_FILE_CHOWN, + [TOMOYO_TYPE_CHGRP] = TOMOYO_MAC_FILE_CHGRP, }; void tomoyo_put_name_union(struct tomoyo_name_union *ptr) @@ -50,7 +90,7 @@ void tomoyo_put_name_union(struct tomoyo_name_union *ptr) if (!ptr) return; if (ptr->is_group) - tomoyo_put_path_group(ptr->group); + tomoyo_put_group(ptr->group); else tomoyo_put_name(ptr->filename); } @@ -59,47 +99,33 @@ bool tomoyo_compare_name_union(const struct tomoyo_path_info *name, const struct tomoyo_name_union *ptr) { if (ptr->is_group) - return tomoyo_path_matches_group(name, ptr->group, 1); + return tomoyo_path_matches_group(name, ptr->group); return tomoyo_path_matches_pattern(name, ptr->filename); } -static bool tomoyo_compare_name_union_pattern(const struct tomoyo_path_info - *name, - const struct tomoyo_name_union - *ptr, const bool may_use_pattern) +void tomoyo_put_number_union(struct tomoyo_number_union *ptr) { - if (ptr->is_group) - return tomoyo_path_matches_group(name, ptr->group, - may_use_pattern); - if (may_use_pattern || !ptr->filename->is_patterned) - return tomoyo_path_matches_pattern(name, ptr->filename); - return false; + if (ptr && ptr->is_group) + tomoyo_put_group(ptr->group); } -/** - * tomoyo_path2keyword - Get the name of single path operation. - * - * @operation: Type of operation. - * - * Returns the name of single path operation. - */ -const char *tomoyo_path2keyword(const u8 operation) +bool tomoyo_compare_number_union(const unsigned long value, + const struct tomoyo_number_union *ptr) { - return (operation < TOMOYO_MAX_PATH_OPERATION) - ? tomoyo_path_keyword[operation] : NULL; + if (ptr->is_group) + return tomoyo_number_matches_group(value, value, ptr->group); + return value >= ptr->values[0] && value <= ptr->values[1]; } -/** - * tomoyo_path22keyword - Get the name of double path operation. - * - * @operation: Type of operation. - * - * Returns the name of double path operation. - */ -const char *tomoyo_path22keyword(const u8 operation) +static void tomoyo_add_slash(struct tomoyo_path_info *buf) { - return (operation < TOMOYO_MAX_PATH2_OPERATION) - ? tomoyo_path2_keyword[operation] : NULL; + if (buf->is_dir) + return; + /* + * This is OK because tomoyo_encode() reserves space for appending "/". + */ + strcat((char *) buf->name, "/"); + tomoyo_fill_path_info(buf); } /** @@ -121,66 +147,132 @@ static bool tomoyo_strendswith(const char *name, const char *tail) } /** - * tomoyo_get_path - Get realpath. + * tomoyo_get_realpath - Get realpath. * + * @buf: Pointer to "struct tomoyo_path_info". * @path: Pointer to "struct path". * - * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise. + * Returns true on success, false otherwise. */ -static struct tomoyo_path_info *tomoyo_get_path(struct path *path) +static bool tomoyo_get_realpath(struct tomoyo_path_info *buf, struct path *path) { - int error; - struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf), - GFP_NOFS); - - if (!buf) - return NULL; - /* Reserve one byte for appending "/". */ - error = tomoyo_realpath_from_path2(path, buf->body, - sizeof(buf->body) - 2); - if (!error) { - buf->head.name = buf->body; - tomoyo_fill_path_info(&buf->head); - return &buf->head; + buf->name = tomoyo_realpath_from_path(path); + if (buf->name) { + tomoyo_fill_path_info(buf); + return true; } - kfree(buf); - return NULL; + return false; } -static int tomoyo_update_path2_acl(const u8 type, const char *filename1, - const char *filename2, - struct tomoyo_domain_info *const domain, - const bool is_delete); -static int tomoyo_update_path_acl(const u8 type, const char *filename, - struct tomoyo_domain_info *const domain, - const bool is_delete); - -/* - * tomoyo_globally_readable_list is used for holding list of pathnames which - * are by default allowed to be open()ed for reading by any process. +/** + * tomoyo_audit_path_log - Audit path request log. * - * An entry is added by + * @r: Pointer to "struct tomoyo_request_info". * - * # echo 'allow_read /lib/libc-2.5.so' > \ - * /sys/kernel/security/tomoyo/exception_policy + * Returns 0 on success, negative value otherwise. + */ +static int tomoyo_audit_path_log(struct tomoyo_request_info *r) +{ + const char *operation = tomoyo_path_keyword[r->param.path.operation]; + const struct tomoyo_path_info *filename = r->param.path.filename; + if (r->granted) + return 0; + tomoyo_warn_log(r, "%s %s", operation, filename->name); + return tomoyo_supervisor(r, "allow_%s %s\n", operation, + tomoyo_file_pattern(filename)); +} + +/** + * tomoyo_audit_path2_log - Audit path/path request log. * - * and is deleted by + * @r: Pointer to "struct tomoyo_request_info". * - * # echo 'delete allow_read /lib/libc-2.5.so' > \ - * /sys/kernel/security/tomoyo/exception_policy + * Returns 0 on success, negative value otherwise. + */ +static int tomoyo_audit_path2_log(struct tomoyo_request_info *r) +{ + const char *operation = tomoyo_path2_keyword[r->param.path2.operation]; + const struct tomoyo_path_info *filename1 = r->param.path2.filename1; + const struct tomoyo_path_info *filename2 = r->param.path2.filename2; + if (r->granted) + return 0; + tomoyo_warn_log(r, "%s %s %s", operation, filename1->name, + filename2->name); + return tomoyo_supervisor(r, "allow_%s %s %s\n", operation, + tomoyo_file_pattern(filename1), + tomoyo_file_pattern(filename2)); +} + +/** + * tomoyo_audit_mkdev_log - Audit path/number/number/number request log. * - * and all entries are retrieved by + * @r: Pointer to "struct tomoyo_request_info". * - * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy + * Returns 0 on success, negative value otherwise. + */ +static int tomoyo_audit_mkdev_log(struct tomoyo_request_info *r) +{ + const char *operation = tomoyo_mkdev_keyword[r->param.mkdev.operation]; + const struct tomoyo_path_info *filename = r->param.mkdev.filename; + const unsigned int major = r->param.mkdev.major; + const unsigned int minor = r->param.mkdev.minor; + const unsigned int mode = r->param.mkdev.mode; + if (r->granted) + return 0; + tomoyo_warn_log(r, "%s %s 0%o %u %u", operation, filename->name, mode, + major, minor); + return tomoyo_supervisor(r, "allow_%s %s 0%o %u %u\n", operation, + tomoyo_file_pattern(filename), mode, major, + minor); +} + +/** + * tomoyo_audit_path_number_log - Audit path/number request log. + * + * @r: Pointer to "struct tomoyo_request_info". + * @error: Error code. * - * In the example above, any process is allowed to - * open("/lib/libc-2.5.so", O_RDONLY). - * One exception is, if the domain which current process belongs to is marked - * as "ignore_global_allow_read", current process can't do so unless explicitly - * given "allow_read /lib/libc-2.5.so" to the domain which current process - * belongs to. + * Returns 0 on success, negative value otherwise. */ -LIST_HEAD(tomoyo_globally_readable_list); +static int tomoyo_audit_path_number_log(struct tomoyo_request_info *r) +{ + const u8 type = r->param.path_number.operation; + u8 radix; + const struct tomoyo_path_info *filename = r->param.path_number.filename; + const char *operation = tomoyo_path_number_keyword[type]; + char buffer[64]; + if (r->granted) + return 0; + switch (type) { + case TOMOYO_TYPE_CREATE: + case TOMOYO_TYPE_MKDIR: + case TOMOYO_TYPE_MKFIFO: + case TOMOYO_TYPE_MKSOCK: + case TOMOYO_TYPE_CHMOD: + radix = TOMOYO_VALUE_TYPE_OCTAL; + break; + case TOMOYO_TYPE_IOCTL: + radix = TOMOYO_VALUE_TYPE_HEXADECIMAL; + break; + default: + radix = TOMOYO_VALUE_TYPE_DECIMAL; + break; + } + tomoyo_print_ulong(buffer, sizeof(buffer), r->param.path_number.number, + radix); + tomoyo_warn_log(r, "%s %s %s", operation, filename->name, buffer); + return tomoyo_supervisor(r, "allow_%s %s %s\n", operation, + tomoyo_file_pattern(filename), buffer); +} + +static bool tomoyo_same_globally_readable(const struct tomoyo_acl_head *a, + const struct tomoyo_acl_head *b) +{ + return container_of(a, struct tomoyo_globally_readable_file_entry, + head)->filename == + container_of(b, struct tomoyo_globally_readable_file_entry, + head)->filename; +} /** * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list. @@ -195,41 +287,24 @@ LIST_HEAD(tomoyo_globally_readable_list); static int tomoyo_update_globally_readable_entry(const char *filename, const bool is_delete) { - struct tomoyo_globally_readable_file_entry *ptr; struct tomoyo_globally_readable_file_entry e = { }; - int error = is_delete ? -ENOENT : -ENOMEM; + int error; - if (!tomoyo_is_correct_path(filename, 1, 0, -1)) + if (!tomoyo_correct_word(filename)) return -EINVAL; e.filename = tomoyo_get_name(filename); if (!e.filename) return -ENOMEM; - if (mutex_lock_interruptible(&tomoyo_policy_lock)) - goto out; - list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) { - if (ptr->filename != e.filename) - continue; - ptr->is_deleted = is_delete; - error = 0; - break; - } - if (!is_delete && error) { - struct tomoyo_globally_readable_file_entry *entry = - tomoyo_commit_ok(&e, sizeof(e)); - if (entry) { - list_add_tail_rcu(&entry->list, - &tomoyo_globally_readable_list); - error = 0; - } - } - mutex_unlock(&tomoyo_policy_lock); - out: + error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, + &tomoyo_policy_list + [TOMOYO_ID_GLOBALLY_READABLE], + tomoyo_same_globally_readable); tomoyo_put_name(e.filename); return error; } /** - * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading. + * tomoyo_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading. * * @filename: The filename to check. * @@ -237,14 +312,15 @@ static int tomoyo_update_globally_readable_entry(const char *filename, * * Caller holds tomoyo_read_lock(). */ -static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info * +static bool tomoyo_globally_readable_file(const struct tomoyo_path_info * filename) { struct tomoyo_globally_readable_file_entry *ptr; bool found = false; - list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) { - if (!ptr->is_deleted && + list_for_each_entry_rcu(ptr, &tomoyo_policy_list + [TOMOYO_ID_GLOBALLY_READABLE], head.list) { + if (!ptr->head.is_deleted && tomoyo_path_matches_pattern(filename, ptr->filename)) { found = true; break; @@ -283,12 +359,12 @@ bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) bool done = true; list_for_each_cookie(pos, head->read_var2, - &tomoyo_globally_readable_list) { + &tomoyo_policy_list[TOMOYO_ID_GLOBALLY_READABLE]) { struct tomoyo_globally_readable_file_entry *ptr; ptr = list_entry(pos, struct tomoyo_globally_readable_file_entry, - list); - if (ptr->is_deleted) + head.list); + if (ptr->head.is_deleted) continue; done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n", ptr->filename->name); @@ -298,36 +374,12 @@ bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) return done; } -/* tomoyo_pattern_list is used for holding list of pathnames which are used for - * converting pathnames to pathname patterns during learning mode. - * - * An entry is added by - * - * # echo 'file_pattern /proc/\$/mounts' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete file_pattern /proc/\$/mounts' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, if a process which belongs to a domain which is in - * learning mode requested open("/proc/1/mounts", O_RDONLY), - * "allow_read /proc/\$/mounts" is automatically added to the domain which that - * process belongs to. - * - * It is not a desirable behavior that we have to use /proc/\$/ instead of - * /proc/self/ when current process needs to access only current process's - * information. As of now, LSM version of TOMOYO is using __d_path() for - * calculating pathname. Non LSM version of TOMOYO is using its own function - * which pretends as if /proc/self/ is not a symlink; so that we can forbid - * current process from accessing other process's information. - */ -LIST_HEAD(tomoyo_pattern_list); +static bool tomoyo_same_pattern(const struct tomoyo_acl_head *a, + const struct tomoyo_acl_head *b) +{ + return container_of(a, struct tomoyo_pattern_entry, head)->pattern == + container_of(b, struct tomoyo_pattern_entry, head)->pattern; +} /** * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list. @@ -342,39 +394,23 @@ LIST_HEAD(tomoyo_pattern_list); static int tomoyo_update_file_pattern_entry(const char *pattern, const bool is_delete) { - struct tomoyo_pattern_entry *ptr; - struct tomoyo_pattern_entry e = { .pattern = tomoyo_get_name(pattern) }; - int error = is_delete ? -ENOENT : -ENOMEM; + struct tomoyo_pattern_entry e = { }; + int error; + if (!tomoyo_correct_word(pattern)) + return -EINVAL; + e.pattern = tomoyo_get_name(pattern); if (!e.pattern) - return error; - if (!e.pattern->is_patterned) - goto out; - if (mutex_lock_interruptible(&tomoyo_policy_lock)) - goto out; - list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) { - if (e.pattern != ptr->pattern) - continue; - ptr->is_deleted = is_delete; - error = 0; - break; - } - if (!is_delete && error) { - struct tomoyo_pattern_entry *entry = - tomoyo_commit_ok(&e, sizeof(e)); - if (entry) { - list_add_tail_rcu(&entry->list, &tomoyo_pattern_list); - error = 0; - } - } - mutex_unlock(&tomoyo_policy_lock); - out: + return -ENOMEM; + error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, + &tomoyo_policy_list[TOMOYO_ID_PATTERN], + tomoyo_same_pattern); tomoyo_put_name(e.pattern); return error; } /** - * tomoyo_get_file_pattern - Get patterned pathname. + * tomoyo_file_pattern - Get patterned pathname. * * @filename: The filename to find patterned pathname. * @@ -382,14 +418,14 @@ static int tomoyo_update_file_pattern_entry(const char *pattern, * * Caller holds tomoyo_read_lock(). */ -static const struct tomoyo_path_info * -tomoyo_get_file_pattern(const struct tomoyo_path_info *filename) +const char *tomoyo_file_pattern(const struct tomoyo_path_info *filename) { struct tomoyo_pattern_entry *ptr; const struct tomoyo_path_info *pattern = NULL; - list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) { - if (ptr->is_deleted) + list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_PATTERN], + head.list) { + if (ptr->head.is_deleted) continue; if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) continue; @@ -403,7 +439,7 @@ tomoyo_get_file_pattern(const struct tomoyo_path_info *filename) } if (pattern) filename = pattern; - return filename; + return filename->name; } /** @@ -435,10 +471,11 @@ bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) struct list_head *pos; bool done = true; - list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) { + list_for_each_cookie(pos, head->read_var2, + &tomoyo_policy_list[TOMOYO_ID_PATTERN]) { struct tomoyo_pattern_entry *ptr; - ptr = list_entry(pos, struct tomoyo_pattern_entry, list); - if (ptr->is_deleted) + ptr = list_entry(pos, struct tomoyo_pattern_entry, head.list); + if (ptr->head.is_deleted) continue; done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN "%s\n", ptr->pattern->name); @@ -448,36 +485,13 @@ bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) return done; } -/* - * tomoyo_no_rewrite_list is used for holding list of pathnames which are by - * default forbidden to modify already written content of a file. - * - * An entry is added by - * - * # echo 'deny_rewrite /var/log/messages' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and is deleted by - * - * # echo 'delete deny_rewrite /var/log/messages' > \ - * /sys/kernel/security/tomoyo/exception_policy - * - * and all entries are retrieved by - * - * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy - * - * In the example above, if a process requested to rewrite /var/log/messages , - * the process can't rewrite unless the domain which that process belongs to - * has "allow_rewrite /var/log/messages" entry. - * - * It is not a desirable behavior that we have to add "\040(deleted)" suffix - * when we want to allow rewriting already unlink()ed file. As of now, - * LSM version of TOMOYO is using __d_path() for calculating pathname. - * Non LSM version of TOMOYO is using its own function which doesn't append - * " (deleted)" suffix if the file is already unlink()ed; so that we don't - * need to worry whether the file is already unlink()ed or not. - */ -LIST_HEAD(tomoyo_no_rewrite_list); +static bool tomoyo_same_no_rewrite(const struct tomoyo_acl_head *a, + const struct tomoyo_acl_head *b) +{ + return container_of(a, struct tomoyo_no_rewrite_entry, head)->pattern + == container_of(b, struct tomoyo_no_rewrite_entry, head) + ->pattern; +} /** * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list. @@ -492,41 +506,23 @@ LIST_HEAD(tomoyo_no_rewrite_list); static int tomoyo_update_no_rewrite_entry(const char *pattern, const bool is_delete) { - struct tomoyo_no_rewrite_entry *ptr; struct tomoyo_no_rewrite_entry e = { }; - int error = is_delete ? -ENOENT : -ENOMEM; + int error; - if (!tomoyo_is_correct_path(pattern, 0, 0, 0)) + if (!tomoyo_correct_word(pattern)) return -EINVAL; e.pattern = tomoyo_get_name(pattern); if (!e.pattern) - return error; - if (mutex_lock_interruptible(&tomoyo_policy_lock)) - goto out; - list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) { - if (ptr->pattern != e.pattern) - continue; - ptr->is_deleted = is_delete; - error = 0; - break; - } - if (!is_delete && error) { - struct tomoyo_no_rewrite_entry *entry = - tomoyo_commit_ok(&e, sizeof(e)); - if (entry) { - list_add_tail_rcu(&entry->list, - &tomoyo_no_rewrite_list); - error = 0; - } - } - mutex_unlock(&tomoyo_policy_lock); - out: + return -ENOMEM; + error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, + &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE], + tomoyo_same_no_rewrite); tomoyo_put_name(e.pattern); return error; } /** - * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited. + * tomoyo_no_rewrite_file - Check if the given pathname is not permitted to be rewrited. * * @filename: Filename to check. * @@ -535,13 +531,14 @@ static int tomoyo_update_no_rewrite_entry(const char *pattern, * * Caller holds tomoyo_read_lock(). */ -static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename) +static bool tomoyo_no_rewrite_file(const struct tomoyo_path_info *filename) { struct tomoyo_no_rewrite_entry *ptr; bool found = false; - list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) { - if (ptr->is_deleted) + list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE], + head.list) { + if (ptr->head.is_deleted) continue; if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) continue; @@ -580,10 +577,12 @@ bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head) struct list_head *pos; bool done = true; - list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) { + list_for_each_cookie(pos, head->read_var2, + &tomoyo_policy_list[TOMOYO_ID_NO_REWRITE]) { struct tomoyo_no_rewrite_entry *ptr; - ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list); - if (ptr->is_deleted) + ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, + head.list); + if (ptr->head.is_deleted) continue; done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE "%s\n", ptr->pattern->name); @@ -593,182 +592,93 @@ bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head) return done; } -/** - * tomoyo_update_file_acl - Update file's read/write/execute ACL. - * - * @filename: Filename. - * @perm: Permission (between 1 to 7). - * @domain: Pointer to "struct tomoyo_domain_info". - * @is_delete: True if it is a delete request. - * - * Returns 0 on success, negative value otherwise. - * - * This is legacy support interface for older policy syntax. - * Current policy syntax uses "allow_read/write" instead of "6", - * "allow_read" instead of "4", "allow_write" instead of "2", - * "allow_execute" instead of "1". - * - * Caller holds tomoyo_read_lock(). - */ -static int tomoyo_update_file_acl(const char *filename, u8 perm, - struct tomoyo_domain_info * const domain, - const bool is_delete) +static bool tomoyo_check_path_acl(const struct tomoyo_request_info *r, + const struct tomoyo_acl_info *ptr) { - if (perm > 7 || !perm) { - printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n", - __func__, perm, filename); - return -EINVAL; - } - if (filename[0] != '@' && tomoyo_strendswith(filename, "/")) - /* - * Only 'allow_mkdir' and 'allow_rmdir' are valid for - * directory permissions. - */ - return 0; - if (perm & 4) - tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain, - is_delete); - if (perm & 2) - tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain, - is_delete); - if (perm & 1) - tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain, - is_delete); - return 0; + const struct tomoyo_path_acl *acl = container_of(ptr, typeof(*acl), + head); + return (acl->perm & (1 << r->param.path.operation)) && + tomoyo_compare_name_union(r->param.path.filename, &acl->name); } -/** - * tomoyo_path_acl2 - Check permission for single path operation. - * - * @domain: Pointer to "struct tomoyo_domain_info". - * @filename: Filename to check. - * @perm: Permission. - * @may_use_pattern: True if patterned ACL is permitted. - * - * Returns 0 on success, -EPERM otherwise. - * - * Caller holds tomoyo_read_lock(). - */ -static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain, - const struct tomoyo_path_info *filename, - const u32 perm, const bool may_use_pattern) +static bool tomoyo_check_path_number_acl(const struct tomoyo_request_info *r, + const struct tomoyo_acl_info *ptr) { - struct tomoyo_acl_info *ptr; - int error = -EPERM; - - list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { - struct tomoyo_path_acl *acl; - if (ptr->type != TOMOYO_TYPE_PATH_ACL) - continue; - acl = container_of(ptr, struct tomoyo_path_acl, head); - if (perm <= 0xFFFF) { - if (!(acl->perm & perm)) - continue; - } else { - if (!(acl->perm_high & (perm >> 16))) - continue; - } - if (!tomoyo_compare_name_union_pattern(filename, &acl->name, - may_use_pattern)) - continue; - error = 0; - break; - } - return error; + const struct tomoyo_path_number_acl *acl = + container_of(ptr, typeof(*acl), head); + return (acl->perm & (1 << r->param.path_number.operation)) && + tomoyo_compare_number_union(r->param.path_number.number, + &acl->number) && + tomoyo_compare_name_union(r->param.path_number.filename, + &acl->name); } -/** - * tomoyo_check_file_acl - Check permission for opening files. - * - * @domain: Pointer to "struct tomoyo_domain_info". - * @filename: Filename to check. - * @operation: Mode ("read" or "write" or "read/write" or "execute"). - * - * Returns 0 on success, -EPERM otherwise. - * - * Caller holds tomoyo_read_lock(). - */ -static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain, - const struct tomoyo_path_info *filename, - const u8 operation) +static bool tomoyo_check_path2_acl(const struct tomoyo_request_info *r, + const struct tomoyo_acl_info *ptr) { - u32 perm = 0; + const struct tomoyo_path2_acl *acl = + container_of(ptr, typeof(*acl), head); + return (acl->perm & (1 << r->param.path2.operation)) && + tomoyo_compare_name_union(r->param.path2.filename1, &acl->name1) + && tomoyo_compare_name_union(r->param.path2.filename2, + &acl->name2); +} - if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) - return 0; - if (operation == 6) - perm = 1 << TOMOYO_TYPE_READ_WRITE; - else if (operation == 4) - perm = 1 << TOMOYO_TYPE_READ; - else if (operation == 2) - perm = 1 << TOMOYO_TYPE_WRITE; - else if (operation == 1) - perm = 1 << TOMOYO_TYPE_EXECUTE; - else - BUG(); - return tomoyo_path_acl2(domain, filename, perm, operation != 1); +static bool tomoyo_check_mkdev_acl(const struct tomoyo_request_info *r, + const struct tomoyo_acl_info *ptr) +{ + const struct tomoyo_mkdev_acl *acl = + container_of(ptr, typeof(*acl), head); + return (acl->perm & (1 << r->param.mkdev.operation)) && + tomoyo_compare_number_union(r->param.mkdev.mode, + &acl->mode) && + tomoyo_compare_number_union(r->param.mkdev.major, + &acl->major) && + tomoyo_compare_number_union(r->param.mkdev.minor, + &acl->minor) && + tomoyo_compare_name_union(r->param.mkdev.filename, + &acl->name); } -/** - * tomoyo_check_file_perm2 - Check permission for opening files. - * - * @domain: Pointer to "struct tomoyo_domain_info". - * @filename: Filename to check. - * @perm: Mode ("read" or "write" or "read/write" or "execute"). - * @operation: Operation name passed used for verbose mode. - * @mode: Access control mode. - * - * Returns 0 on success, negative value otherwise. - * - * Caller holds tomoyo_read_lock(). - */ -static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain, - const struct tomoyo_path_info *filename, - const u8 perm, const char *operation, - const u8 mode) +static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a, + const struct tomoyo_acl_info *b) { - const bool is_enforce = (mode == 3); - const char *msg = ""; - int error = 0; + const struct tomoyo_path_acl *p1 = container_of(a, typeof(*p1), head); + const struct tomoyo_path_acl *p2 = container_of(b, typeof(*p2), head); + return tomoyo_same_acl_head(&p1->head, &p2->head) && + tomoyo_same_name_union(&p1->name, &p2->name); +} - if (!filename) - return 0; - error = tomoyo_check_file_acl(domain, filename, perm); - if (error && perm == 4 && !domain->ignore_global_allow_read - && tomoyo_is_globally_readable_file(filename)) - error = 0; - if (perm == 6) - msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE); - else if (perm == 4) - msg = tomoyo_path2keyword(TOMOYO_TYPE_READ); - else if (perm == 2) - msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE); - else if (perm == 1) - msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE); - else - BUG(); - if (!error) - return 0; - if (tomoyo_verbose_mode(domain)) - printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied " - "for %s\n", tomoyo_get_msg(is_enforce), msg, operation, - filename->name, tomoyo_get_last_name(domain)); - if (is_enforce) - return error; - if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { - /* Don't use patterns for execute permission. */ - const struct tomoyo_path_info *patterned_file = (perm != 1) ? - tomoyo_get_file_pattern(filename) : filename; - tomoyo_update_file_acl(patterned_file->name, perm, - domain, false); +static bool tomoyo_merge_path_acl(struct tomoyo_acl_info *a, + struct tomoyo_acl_info *b, + const bool is_delete) +{ + u16 * const a_perm = &container_of(a, struct tomoyo_path_acl, head) + ->perm; + u16 perm = *a_perm; + const u16 b_perm = container_of(b, struct tomoyo_path_acl, head)->perm; + if (is_delete) { + perm &= ~b_perm; + if ((perm & TOMOYO_RW_MASK) != TOMOYO_RW_MASK) + perm &= ~(1 << TOMOYO_TYPE_READ_WRITE); + else if (!(perm & (1 << TOMOYO_TYPE_READ_WRITE))) + perm &= ~TOMOYO_RW_MASK; + } else { + perm |= b_perm; + if ((perm & TOMOYO_RW_MASK) == TOMOYO_RW_MASK) + perm |= (1 << TOMOYO_TYPE_READ_WRITE); + else if (perm & (1 << TOMOYO_TYPE_READ_WRITE)) + perm |= TOMOYO_RW_MASK; } - return 0; + *a_perm = perm; + return !perm; } /** - * tomoyo_write_file_policy - Update file related list. + * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list. * - * @data: String to parse. + * @type: Type of operation. + * @filename: Filename. * @domain: Pointer to "struct tomoyo_domain_info". * @is_delete: True if it is a delete request. * @@ -776,48 +686,65 @@ static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain, * * Caller holds tomoyo_read_lock(). */ -int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, - const bool is_delete) +static int tomoyo_update_path_acl(const u8 type, const char *filename, + struct tomoyo_domain_info * const domain, + const bool is_delete) { - char *filename = strchr(data, ' '); - char *filename2; - unsigned int perm; - u8 type; - - if (!filename) + struct tomoyo_path_acl e = { + .head.type = TOMOYO_TYPE_PATH_ACL, + .perm = 1 << type + }; + int error; + if (e.perm == (1 << TOMOYO_TYPE_READ_WRITE)) + e.perm |= TOMOYO_RW_MASK; + if (!tomoyo_parse_name_union(filename, &e.name)) return -EINVAL; - *filename++ = '\0'; - if (sscanf(data, "%u", &perm) == 1) - return tomoyo_update_file_acl(filename, (u8) perm, domain, - is_delete); - if (strncmp(data, "allow_", 6)) - goto out; - data += 6; - for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) { - if (strcmp(data, tomoyo_path_keyword[type])) - continue; - return tomoyo_update_path_acl(type, filename, domain, - is_delete); - } - filename2 = strchr(filename, ' '); - if (!filename2) - goto out; - *filename2++ = '\0'; - for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) { - if (strcmp(data, tomoyo_path2_keyword[type])) - continue; - return tomoyo_update_path2_acl(type, filename, filename2, - domain, is_delete); - } - out: - return -EINVAL; + error = tomoyo_update_domain(&e.head, sizeof(e), is_delete, domain, + tomoyo_same_path_acl, + tomoyo_merge_path_acl); + tomoyo_put_name_union(&e.name); + return error; +} + +static bool tomoyo_same_mkdev_acl(const struct tomoyo_acl_info *a, + const struct tomoyo_acl_info *b) +{ + const struct tomoyo_mkdev_acl *p1 = container_of(a, typeof(*p1), + head); + const struct tomoyo_mkdev_acl *p2 = container_of(b, typeof(*p2), + head); + return tomoyo_same_acl_head(&p1->head, &p2->head) + && tomoyo_same_name_union(&p1->name, &p2->name) + && tomoyo_same_number_union(&p1->mode, &p2->mode) + && tomoyo_same_number_union(&p1->major, &p2->major) + && tomoyo_same_number_union(&p1->minor, &p2->minor); +} + +static bool tomoyo_merge_mkdev_acl(struct tomoyo_acl_info *a, + struct tomoyo_acl_info *b, + const bool is_delete) +{ + u8 *const a_perm = &container_of(a, struct tomoyo_mkdev_acl, + head)->perm; + u8 perm = *a_perm; + const u8 b_perm = container_of(b, struct tomoyo_mkdev_acl, head) + ->perm; + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; + *a_perm = perm; + return !perm; } /** - * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list. + * tomoyo_update_mkdev_acl - Update "struct tomoyo_mkdev_acl" list. * * @type: Type of operation. * @filename: Filename. + * @mode: Create mode. + * @major: Device major number. + * @minor: Device minor number. * @domain: Pointer to "struct tomoyo_domain_info". * @is_delete: True if it is a delete request. * @@ -825,71 +752,58 @@ int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, * * Caller holds tomoyo_read_lock(). */ -static int tomoyo_update_path_acl(const u8 type, const char *filename, - struct tomoyo_domain_info *const domain, - const bool is_delete) +static int tomoyo_update_mkdev_acl(const u8 type, const char *filename, + char *mode, char *major, char *minor, + struct tomoyo_domain_info * const + domain, const bool is_delete) { - static const u32 tomoyo_rw_mask = - (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE); - const u32 perm = 1 << type; - struct tomoyo_acl_info *ptr; - struct tomoyo_path_acl e = { - .head.type = TOMOYO_TYPE_PATH_ACL, - .perm_high = perm >> 16, - .perm = perm + struct tomoyo_mkdev_acl e = { + .head.type = TOMOYO_TYPE_MKDEV_ACL, + .perm = 1 << type }; int error = is_delete ? -ENOENT : -ENOMEM; - - if (type == TOMOYO_TYPE_READ_WRITE) - e.perm |= tomoyo_rw_mask; - if (!domain) - return -EINVAL; - if (!tomoyo_parse_name_union(filename, &e.name)) - return -EINVAL; - if (mutex_lock_interruptible(&tomoyo_policy_lock)) + if (!tomoyo_parse_name_union(filename, &e.name) || + !tomoyo_parse_number_union(mode, &e.mode) || + !tomoyo_parse_number_union(major, &e.major) || + !tomoyo_parse_number_union(minor, &e.minor)) goto out; - list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { - struct tomoyo_path_acl *acl = - container_of(ptr, struct tomoyo_path_acl, head); - if (!tomoyo_is_same_path_acl(acl, &e)) - continue; - if (is_delete) { - if (perm <= 0xFFFF) - acl->perm &= ~perm; - else - acl->perm_high &= ~(perm >> 16); - if ((acl->perm & tomoyo_rw_mask) != tomoyo_rw_mask) - acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE); - else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))) - acl->perm &= ~tomoyo_rw_mask; - } else { - if (perm <= 0xFFFF) - acl->perm |= perm; - else - acl->perm_high |= (perm >> 16); - if ((acl->perm & tomoyo_rw_mask) == tomoyo_rw_mask) - acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE; - else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)) - acl->perm |= tomoyo_rw_mask; - } - error = 0; - break; - } - if (!is_delete && error) { - struct tomoyo_path_acl *entry = - tomoyo_commit_ok(&e, sizeof(e)); - if (entry) { - list_add_tail_rcu(&entry->head.list, - &domain->acl_info_list); - error = 0; - } - } - mutex_unlock(&tomoyo_policy_lock); + error = tomoyo_update_domain(&e.head, sizeof(e), is_delete, domain, + tomoyo_same_mkdev_acl, + tomoyo_merge_mkdev_acl); out: tomoyo_put_name_union(&e.name); + tomoyo_put_number_union(&e.mode); + tomoyo_put_number_union(&e.major); + tomoyo_put_number_union(&e.minor); return error; } +static bool tomoyo_same_path2_acl(const struct tomoyo_acl_info *a, + const struct tomoyo_acl_info *b) +{ + const struct tomoyo_path2_acl *p1 = container_of(a, typeof(*p1), head); + const struct tomoyo_path2_acl *p2 = container_of(b, typeof(*p2), head); + return tomoyo_same_acl_head(&p1->head, &p2->head) + && tomoyo_same_name_union(&p1->name1, &p2->name1) + && tomoyo_same_name_union(&p1->name2, &p2->name2); +} + +static bool tomoyo_merge_path2_acl(struct tomoyo_acl_info *a, + struct tomoyo_acl_info *b, + const bool is_delete) +{ + u8 * const a_perm = &container_of(a, struct tomoyo_path2_acl, head) + ->perm; + u8 perm = *a_perm; + const u8 b_perm = container_of(b, struct tomoyo_path2_acl, head)->perm; + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; + *a_perm = perm; + return !perm; +} + /** * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list. * @@ -905,46 +819,20 @@ static int tomoyo_update_path_acl(const u8 type, const char *filename, */ static int tomoyo_update_path2_acl(const u8 type, const char *filename1, const char *filename2, - struct tomoyo_domain_info *const domain, + struct tomoyo_domain_info * const domain, const bool is_delete) { - const u8 perm = 1 << type; struct tomoyo_path2_acl e = { .head.type = TOMOYO_TYPE_PATH2_ACL, - .perm = perm + .perm = 1 << type }; - struct tomoyo_acl_info *ptr; int error = is_delete ? -ENOENT : -ENOMEM; - - if (!domain) - return -EINVAL; if (!tomoyo_parse_name_union(filename1, &e.name1) || !tomoyo_parse_name_union(filename2, &e.name2)) goto out; - if (mutex_lock_interruptible(&tomoyo_policy_lock)) - goto out; - list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { - struct tomoyo_path2_acl *acl = - container_of(ptr, struct tomoyo_path2_acl, head); - if (!tomoyo_is_same_path2_acl(acl, &e)) - continue; - if (is_delete) - acl->perm &= ~perm; - else - acl->perm |= perm; - error = 0; - break; - } - if (!is_delete && error) { - struct tomoyo_path2_acl *entry = - tomoyo_commit_ok(&e, sizeof(e)); - if (entry) { - list_add_tail_rcu(&entry->head.list, - &domain->acl_info_list); - error = 0; - } - } - mutex_unlock(&tomoyo_policy_lock); + error = tomoyo_update_domain(&e.head, sizeof(e), is_delete, domain, + tomoyo_same_path2_acl, + tomoyo_merge_path2_acl); out: tomoyo_put_name_union(&e.name1); tomoyo_put_name_union(&e.name2); @@ -952,134 +840,158 @@ static int tomoyo_update_path2_acl(const u8 type, const char *filename1, } /** - * tomoyo_path_acl - Check permission for single path operation. - * - * @domain: Pointer to "struct tomoyo_domain_info". - * @type: Type of operation. - * @filename: Filename to check. - * - * Returns 0 on success, negative value otherwise. - * - * Caller holds tomoyo_read_lock(). - */ -static int tomoyo_path_acl(struct tomoyo_domain_info *domain, const u8 type, - const struct tomoyo_path_info *filename) -{ - if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) - return 0; - return tomoyo_path_acl2(domain, filename, 1 << type, 1); -} - -/** - * tomoyo_path2_acl - Check permission for double path operation. + * tomoyo_path_permission - Check permission for single path operation. * - * @domain: Pointer to "struct tomoyo_domain_info". - * @type: Type of operation. - * @filename1: First filename to check. - * @filename2: Second filename to check. - * - * Returns 0 on success, -EPERM otherwise. - * - * Caller holds tomoyo_read_lock(). - */ -static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain, - const u8 type, - const struct tomoyo_path_info *filename1, - const struct tomoyo_path_info *filename2) -{ - struct tomoyo_acl_info *ptr; - const u8 perm = 1 << type; - int error = -EPERM; - - if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) - return 0; - list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { - struct tomoyo_path2_acl *acl; - if (ptr->type != TOMOYO_TYPE_PATH2_ACL) - continue; - acl = container_of(ptr, struct tomoyo_path2_acl, head); - if (!(acl->perm & perm)) - continue; - if (!tomoyo_compare_name_union(filename1, &acl->name1)) - continue; - if (!tomoyo_compare_name_union(filename2, &acl->name2)) - continue; - error = 0; - break; - } - return error; -} - -/** - * tomoyo_path_permission2 - Check permission for single path operation. - * - * @domain: Pointer to "struct tomoyo_domain_info". + * @r: Pointer to "struct tomoyo_request_info". * @operation: Type of operation. * @filename: Filename to check. - * @mode: Access control mode. * * Returns 0 on success, negative value otherwise. * * Caller holds tomoyo_read_lock(). */ -static int tomoyo_path_permission2(struct tomoyo_domain_info *const domain, - u8 operation, - const struct tomoyo_path_info *filename, - const u8 mode) +int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation, + const struct tomoyo_path_info *filename) { - const char *msg; int error; - const bool is_enforce = (mode == 3); - if (!mode) - return 0; next: - error = tomoyo_path_acl(domain, operation, filename); - msg = tomoyo_path2keyword(operation); - if (!error) - goto ok; - if (tomoyo_verbose_mode(domain)) - printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n", - tomoyo_get_msg(is_enforce), msg, filename->name, - tomoyo_get_last_name(domain)); - if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { - const char *name = tomoyo_get_file_pattern(filename)->name; - tomoyo_update_path_acl(operation, name, domain, false); - } - if (!is_enforce) - error = 0; - ok: + r->type = tomoyo_p2mac[operation]; + r->mode = tomoyo_get_mode(r->profile, r->type); + if (r->mode == TOMOYO_CONFIG_DISABLED) + return 0; + r->param_type = TOMOYO_TYPE_PATH_ACL; + r->param.path.filename = filename; + r->param.path.operation = operation; + do { + tomoyo_check_acl(r, tomoyo_check_path_acl); + if (!r->granted && operation == TOMOYO_TYPE_READ && + !r->domain->ignore_global_allow_read && + tomoyo_globally_readable_file(filename)) + r->granted = true; + error = tomoyo_audit_path_log(r); + /* + * Do not retry for execute request, for alias may have + * changed. + */ + } while (error == TOMOYO_RETRY_REQUEST && + operation != TOMOYO_TYPE_EXECUTE); /* * Since "allow_truncate" doesn't imply "allow_rewrite" permission, * we need to check "allow_rewrite" permission if the filename is * specified by "deny_rewrite" keyword. */ if (!error && operation == TOMOYO_TYPE_TRUNCATE && - tomoyo_is_no_rewrite_file(filename)) { + tomoyo_no_rewrite_file(filename)) { operation = TOMOYO_TYPE_REWRITE; goto next; } return error; } +static bool tomoyo_same_path_number_acl(const struct tomoyo_acl_info *a, + const struct tomoyo_acl_info *b) +{ + const struct tomoyo_path_number_acl *p1 = container_of(a, typeof(*p1), + head); + const struct tomoyo_path_number_acl *p2 = container_of(b, typeof(*p2), + head); + return tomoyo_same_acl_head(&p1->head, &p2->head) + && tomoyo_same_name_union(&p1->name, &p2->name) + && tomoyo_same_number_union(&p1->number, &p2->number); +} + +static bool tomoyo_merge_path_number_acl(struct tomoyo_acl_info *a, + struct tomoyo_acl_info *b, + const bool is_delete) +{ + u8 * const a_perm = &container_of(a, struct tomoyo_path_number_acl, + head)->perm; + u8 perm = *a_perm; + const u8 b_perm = container_of(b, struct tomoyo_path_number_acl, head) + ->perm; + if (is_delete) + perm &= ~b_perm; + else + perm |= b_perm; + *a_perm = perm; + return !perm; +} + /** - * tomoyo_check_exec_perm - Check permission for "execute". + * tomoyo_update_path_number_acl - Update ioctl/chmod/chown/chgrp ACL. + * + * @type: Type of operation. + * @filename: Filename. + * @number: Number. + * @domain: Pointer to "struct tomoyo_domain_info". + * @is_delete: True if it is a delete request. * - * @domain: Pointer to "struct tomoyo_domain_info". - * @filename: Check permission for "execute". + * Returns 0 on success, negative value otherwise. + */ +static int tomoyo_update_path_number_acl(const u8 type, const char *filename, + char *number, + struct tomoyo_domain_info * const + domain, + const bool is_delete) +{ + struct tomoyo_path_number_acl e = { + .head.type = TOMOYO_TYPE_PATH_NUMBER_ACL, + .perm = 1 << type + }; + int error = is_delete ? -ENOENT : -ENOMEM; + if (!tomoyo_parse_name_union(filename, &e.name)) + return -EINVAL; + if (!tomoyo_parse_number_union(number, &e.number)) + goto out; + error = tomoyo_update_domain(&e.head, sizeof(e), is_delete, domain, + tomoyo_same_path_number_acl, + tomoyo_merge_path_number_acl); + out: + tomoyo_put_name_union(&e.name); + tomoyo_put_number_union(&e.number); + return error; +} + +/** + * tomoyo_path_number_perm - Check permission for "create", "mkdir", "mkfifo", "mksock", "ioctl", "chmod", "chown", "chgrp". * - * Returns 0 on success, negativevalue otherwise. + * @type: Type of operation. + * @path: Pointer to "struct path". + * @number: Number. * - * Caller holds tomoyo_read_lock(). + * Returns 0 on success, negative value otherwise. */ -int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, - const struct tomoyo_path_info *filename) +int tomoyo_path_number_perm(const u8 type, struct path *path, + unsigned long number) { - const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); + struct tomoyo_request_info r; + int error = -ENOMEM; + struct tomoyo_path_info buf; + int idx; - if (!mode) + if (tomoyo_init_request_info(&r, NULL, tomoyo_pn2mac[type]) + == TOMOYO_CONFIG_DISABLED || !path->mnt || !path->dentry) return 0; - return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode); + idx = tomoyo_read_lock(); + if (!tomoyo_get_realpath(&buf, path)) + goto out; + if (type == TOMOYO_TYPE_MKDIR) + tomoyo_add_slash(&buf); + r.param_type = TOMOYO_TYPE_PATH_NUMBER_ACL; + r.param.path_number.operation = type; + r.param.path_number.filename = &buf; + r.param.path_number.number = number; + do { + tomoyo_check_acl(&r, tomoyo_check_path_number_acl); + error = tomoyo_audit_path_number_log(&r); + } while (error == TOMOYO_RETRY_REQUEST); + kfree(buf.name); + out: + tomoyo_read_unlock(idx); + if (r.mode != TOMOYO_CONFIG_ENFORCING) + error = 0; + return error; } /** @@ -1096,24 +1008,17 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, { const u8 acc_mode = ACC_MODE(flag); int error = -ENOMEM; - struct tomoyo_path_info *buf; - const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); - const bool is_enforce = (mode == 3); + struct tomoyo_path_info buf; + struct tomoyo_request_info r; int idx; - if (!mode || !path->mnt) - return 0; - if (acc_mode == 0) - return 0; - if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode)) - /* - * I don't check directories here because mkdir() and rmdir() - * don't call me. - */ + if (!path->mnt || + (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))) return 0; + buf.name = NULL; + r.mode = TOMOYO_CONFIG_DISABLED; idx = tomoyo_read_lock(); - buf = tomoyo_get_path(path); - if (!buf) + if (!tomoyo_get_realpath(&buf, path)) goto out; error = 0; /* @@ -1121,28 +1026,43 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, * we need to check "allow_rewrite" permission when the filename is not * opened for append mode or the filename is truncated at open time. */ - if ((acc_mode & MAY_WRITE) && - ((flag & O_TRUNC) || !(flag & O_APPEND)) && - (tomoyo_is_no_rewrite_file(buf))) { - error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, - buf, mode); + if ((acc_mode & MAY_WRITE) && !(flag & O_APPEND) + && tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_REWRITE) + != TOMOYO_CONFIG_DISABLED) { + if (!tomoyo_get_realpath(&buf, path)) { + error = -ENOMEM; + goto out; + } + if (tomoyo_no_rewrite_file(&buf)) + error = tomoyo_path_permission(&r, TOMOYO_TYPE_REWRITE, + &buf); + } + if (!error && acc_mode && + tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN) + != TOMOYO_CONFIG_DISABLED) { + u8 operation; + if (!buf.name && !tomoyo_get_realpath(&buf, path)) { + error = -ENOMEM; + goto out; + } + if (acc_mode == (MAY_READ | MAY_WRITE)) + operation = TOMOYO_TYPE_READ_WRITE; + else if (acc_mode == MAY_READ) + operation = TOMOYO_TYPE_READ; + else + operation = TOMOYO_TYPE_WRITE; + error = tomoyo_path_permission(&r, operation, &buf); } - if (!error) - error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open", - mode); - if (!error && (flag & O_TRUNC)) - error = tomoyo_path_permission2(domain, TOMOYO_TYPE_TRUNCATE, - buf, mode); out: - kfree(buf); + kfree(buf.name); tomoyo_read_unlock(idx); - if (!is_enforce) + if (r.mode != TOMOYO_CONFIG_ENFORCING) error = 0; return error; } /** - * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". + * tomoyo_path_perm - Check permission for "unlink", "rmdir", "truncate", "symlink", "rewrite", "chroot" and "unmount". * * @operation: Type of operation. * @path: Pointer to "struct path". @@ -1152,71 +1072,79 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, int tomoyo_path_perm(const u8 operation, struct path *path) { int error = -ENOMEM; - struct tomoyo_path_info *buf; - struct tomoyo_domain_info *domain = tomoyo_domain(); - const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); - const bool is_enforce = (mode == 3); + struct tomoyo_path_info buf; + struct tomoyo_request_info r; int idx; - if (!mode || !path->mnt) + if (!path->mnt) + return 0; + if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) + == TOMOYO_CONFIG_DISABLED) return 0; + buf.name = NULL; idx = tomoyo_read_lock(); - buf = tomoyo_get_path(path); - if (!buf) + if (!tomoyo_get_realpath(&buf, path)) goto out; switch (operation) { - case TOMOYO_TYPE_MKDIR: + case TOMOYO_TYPE_REWRITE: + if (!tomoyo_no_rewrite_file(&buf)) { + error = 0; + goto out; + } + break; case TOMOYO_TYPE_RMDIR: case TOMOYO_TYPE_CHROOT: - if (!buf->is_dir) { - /* - * tomoyo_get_path() reserves space for appending "/." - */ - strcat((char *) buf->name, "/"); - tomoyo_fill_path_info(buf); - } + case TOMOYO_TYPE_UMOUNT: + tomoyo_add_slash(&buf); + break; } - error = tomoyo_path_permission2(domain, operation, buf, mode); + error = tomoyo_path_permission(&r, operation, &buf); out: - kfree(buf); + kfree(buf.name); tomoyo_read_unlock(idx); - if (!is_enforce) + if (r.mode != TOMOYO_CONFIG_ENFORCING) error = 0; return error; } /** - * tomoyo_check_rewrite_permission - Check permission for "rewrite". + * tomoyo_mkdev_perm - Check permission for "mkblock" and "mkchar". * - * @filp: Pointer to "struct file". + * @operation: Type of operation. (TOMOYO_TYPE_MKCHAR or TOMOYO_TYPE_MKBLOCK) + * @path: Pointer to "struct path". + * @mode: Create mode. + * @dev: Device number. * * Returns 0 on success, negative value otherwise. */ -int tomoyo_check_rewrite_permission(struct file *filp) +int tomoyo_mkdev_perm(const u8 operation, struct path *path, + const unsigned int mode, unsigned int dev) { + struct tomoyo_request_info r; int error = -ENOMEM; - struct tomoyo_domain_info *domain = tomoyo_domain(); - const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); - const bool is_enforce = (mode == 3); - struct tomoyo_path_info *buf; + struct tomoyo_path_info buf; int idx; - if (!mode || !filp->f_path.mnt) + if (!path->mnt || + tomoyo_init_request_info(&r, NULL, tomoyo_pnnn2mac[operation]) + == TOMOYO_CONFIG_DISABLED) return 0; - idx = tomoyo_read_lock(); - buf = tomoyo_get_path(&filp->f_path); - if (!buf) - goto out; - if (!tomoyo_is_no_rewrite_file(buf)) { - error = 0; - goto out; + error = -ENOMEM; + if (tomoyo_get_realpath(&buf, path)) { + dev = new_decode_dev(dev); + r.param_type = TOMOYO_TYPE_MKDEV_ACL; + r.param.mkdev.filename = &buf; + r.param.mkdev.operation = operation; + r.param.mkdev.mode = mode; + r.param.mkdev.major = MAJOR(dev); + r.param.mkdev.minor = MINOR(dev); + tomoyo_check_acl(&r, tomoyo_check_mkdev_acl); + error = tomoyo_audit_mkdev_log(&r); + kfree(buf.name); } - error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, buf, mode); - out: - kfree(buf); tomoyo_read_unlock(idx); - if (!is_enforce) + if (r.mode != TOMOYO_CONFIG_ENFORCING) error = 0; return error; } @@ -1234,56 +1162,99 @@ int tomoyo_path2_perm(const u8 operation, struct path *path1, struct path *path2) { int error = -ENOMEM; - struct tomoyo_path_info *buf1, *buf2; - struct tomoyo_domain_info *domain = tomoyo_domain(); - const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); - const bool is_enforce = (mode == 3); - const char *msg; + struct tomoyo_path_info buf1; + struct tomoyo_path_info buf2; + struct tomoyo_request_info r; int idx; - if (!mode || !path1->mnt || !path2->mnt) + if (!path1->mnt || !path2->mnt || + tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) + == TOMOYO_CONFIG_DISABLED) return 0; + buf1.name = NULL; + buf2.name = NULL; idx = tomoyo_read_lock(); - buf1 = tomoyo_get_path(path1); - buf2 = tomoyo_get_path(path2); - if (!buf1 || !buf2) + if (!tomoyo_get_realpath(&buf1, path1) || + !tomoyo_get_realpath(&buf2, path2)) goto out; - { - struct dentry *dentry = path1->dentry; - if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) { - /* - * tomoyo_get_path() reserves space for appending "/." - */ - if (!buf1->is_dir) { - strcat((char *) buf1->name, "/"); - tomoyo_fill_path_info(buf1); - } - if (!buf2->is_dir) { - strcat((char *) buf2->name, "/"); - tomoyo_fill_path_info(buf2); - } - } - } - error = tomoyo_path2_acl(domain, operation, buf1, buf2); - msg = tomoyo_path22keyword(operation); - if (!error) - goto out; - if (tomoyo_verbose_mode(domain)) - printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' " - "denied for %s\n", tomoyo_get_msg(is_enforce), - msg, buf1->name, buf2->name, - tomoyo_get_last_name(domain)); - if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { - const char *name1 = tomoyo_get_file_pattern(buf1)->name; - const char *name2 = tomoyo_get_file_pattern(buf2)->name; - tomoyo_update_path2_acl(operation, name1, name2, domain, - false); - } + switch (operation) { + struct dentry *dentry; + case TOMOYO_TYPE_RENAME: + case TOMOYO_TYPE_LINK: + dentry = path1->dentry; + if (!dentry->d_inode || !S_ISDIR(dentry->d_inode->i_mode)) + break; + /* fall through */ + case TOMOYO_TYPE_PIVOT_ROOT: + tomoyo_add_slash(&buf1); + tomoyo_add_slash(&buf2); + break; + } + r.param_type = TOMOYO_TYPE_PATH2_ACL; + r.param.path2.operation = operation; + r.param.path2.filename1 = &buf1; + r.param.path2.filename2 = &buf2; + do { + tomoyo_check_acl(&r, tomoyo_check_path2_acl); + error = tomoyo_audit_path2_log(&r); + } while (error == TOMOYO_RETRY_REQUEST); out: - kfree(buf1); - kfree(buf2); + kfree(buf1.name); + kfree(buf2.name); tomoyo_read_unlock(idx); - if (!is_enforce) + if (r.mode != TOMOYO_CONFIG_ENFORCING) error = 0; return error; } + +/** + * tomoyo_write_file_policy - Update file related list. + * + * @data: String to parse. + * @domain: Pointer to "struct tomoyo_domain_info". + * @is_delete: True if it is a delete request. + * + * Returns 0 on success, negative value otherwise. + * + * Caller holds tomoyo_read_lock(). + */ +int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, + const bool is_delete) +{ + char *w[5]; + u8 type; + if (!tomoyo_tokenize(data, w, sizeof(w)) || !w[1][0]) + return -EINVAL; + if (strncmp(w[0], "allow_", 6)) + goto out; + w[0] += 6; + for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) { + if (strcmp(w[0], tomoyo_path_keyword[type])) + continue; + return tomoyo_update_path_acl(type, w[1], domain, is_delete); + } + if (!w[2][0]) + goto out; + for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) { + if (strcmp(w[0], tomoyo_path2_keyword[type])) + continue; + return tomoyo_update_path2_acl(type, w[1], w[2], domain, + is_delete); + } + for (type = 0; type < TOMOYO_MAX_PATH_NUMBER_OPERATION; type++) { + if (strcmp(w[0], tomoyo_path_number_keyword[type])) + continue; + return tomoyo_update_path_number_acl(type, w[1], w[2], domain, + is_delete); + } + if (!w[3][0] || !w[4][0]) + goto out; + for (type = 0; type < TOMOYO_MAX_MKDEV_OPERATION; type++) { + if (strcmp(w[0], tomoyo_mkdev_keyword[type])) + continue; + return tomoyo_update_mkdev_acl(type, w[1], w[2], w[3], + w[4], domain, is_delete); + } + out: + return -EINVAL; +}