2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
17 * tomoyo_globally_readable_file_entry is a structure which is used for holding
18 * "allow_read" entries.
19 * It has following fields.
21 * (1) "list" which is linked to tomoyo_globally_readable_list .
22 * (2) "filename" is a pathname which is allowed to open(O_RDONLY).
23 * (3) "is_deleted" is a bool which is true if marked as deleted, false
26 struct tomoyo_globally_readable_file_entry {
27 struct list_head list;
28 const struct tomoyo_path_info *filename;
33 * tomoyo_pattern_entry is a structure which is used for holding
34 * "tomoyo_pattern_list" entries.
35 * It has following fields.
37 * (1) "list" which is linked to tomoyo_pattern_list .
38 * (2) "pattern" is a pathname pattern which is used for converting pathnames
39 * to pathname patterns during learning mode.
40 * (3) "is_deleted" is a bool which is true if marked as deleted, false
43 struct tomoyo_pattern_entry {
44 struct list_head list;
45 const struct tomoyo_path_info *pattern;
50 * tomoyo_no_rewrite_entry is a structure which is used for holding
51 * "deny_rewrite" entries.
52 * It has following fields.
54 * (1) "list" which is linked to tomoyo_no_rewrite_list .
55 * (2) "pattern" is a pathname which is by default not permitted to modify
56 * already existing content.
57 * (3) "is_deleted" is a bool which is true if marked as deleted, false
60 struct tomoyo_no_rewrite_entry {
61 struct list_head list;
62 const struct tomoyo_path_info *pattern;
66 /* Keyword array for single path operations. */
67 static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = {
68 [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write",
69 [TOMOYO_TYPE_EXECUTE_ACL] = "execute",
70 [TOMOYO_TYPE_READ_ACL] = "read",
71 [TOMOYO_TYPE_WRITE_ACL] = "write",
72 [TOMOYO_TYPE_CREATE_ACL] = "create",
73 [TOMOYO_TYPE_UNLINK_ACL] = "unlink",
74 [TOMOYO_TYPE_MKDIR_ACL] = "mkdir",
75 [TOMOYO_TYPE_RMDIR_ACL] = "rmdir",
76 [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo",
77 [TOMOYO_TYPE_MKSOCK_ACL] = "mksock",
78 [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock",
79 [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar",
80 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate",
81 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink",
82 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite",
83 [TOMOYO_TYPE_IOCTL_ACL] = "ioctl",
84 [TOMOYO_TYPE_CHMOD_ACL] = "chmod",
85 [TOMOYO_TYPE_CHOWN_ACL] = "chown",
86 [TOMOYO_TYPE_CHGRP_ACL] = "chgrp",
87 [TOMOYO_TYPE_CHROOT_ACL] = "chroot",
88 [TOMOYO_TYPE_MOUNT_ACL] = "mount",
89 [TOMOYO_TYPE_UMOUNT_ACL] = "unmount",
92 /* Keyword array for double path operations. */
93 static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = {
94 [TOMOYO_TYPE_LINK_ACL] = "link",
95 [TOMOYO_TYPE_RENAME_ACL] = "rename",
96 [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root",
100 * tomoyo_sp2keyword - Get the name of single path operation.
102 * @operation: Type of operation.
104 * Returns the name of single path operation.
106 const char *tomoyo_sp2keyword(const u8 operation)
108 return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION)
109 ? tomoyo_sp_keyword[operation] : NULL;
113 * tomoyo_dp2keyword - Get the name of double path operation.
115 * @operation: Type of operation.
117 * Returns the name of double path operation.
119 const char *tomoyo_dp2keyword(const u8 operation)
121 return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION)
122 ? tomoyo_dp_keyword[operation] : NULL;
126 * tomoyo_strendswith - Check whether the token ends with the given token.
128 * @name: The token to check.
129 * @tail: The token to find.
131 * Returns true if @name ends with @tail, false otherwise.
133 static bool tomoyo_strendswith(const char *name, const char *tail)
139 len = strlen(name) - strlen(tail);
140 return len >= 0 && !strcmp(name + len, tail);
144 * tomoyo_get_path - Get realpath.
146 * @path: Pointer to "struct path".
148 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
150 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
153 struct tomoyo_path_info_with_data *buf = tomoyo_alloc(sizeof(*buf));
157 /* Reserve one byte for appending "/". */
158 error = tomoyo_realpath_from_path2(path, buf->body,
159 sizeof(buf->body) - 2);
161 buf->head.name = buf->body;
162 tomoyo_fill_path_info(&buf->head);
169 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
170 const char *filename2,
171 struct tomoyo_domain_info *
172 const domain, const bool is_delete);
173 static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
174 struct tomoyo_domain_info *
175 const domain, const bool is_delete);
178 * tomoyo_globally_readable_list is used for holding list of pathnames which
179 * are by default allowed to be open()ed for reading by any process.
181 * An entry is added by
183 * # echo 'allow_read /lib/libc-2.5.so' > \
184 * /sys/kernel/security/tomoyo/exception_policy
188 * # echo 'delete allow_read /lib/libc-2.5.so' > \
189 * /sys/kernel/security/tomoyo/exception_policy
191 * and all entries are retrieved by
193 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
195 * In the example above, any process is allowed to
196 * open("/lib/libc-2.5.so", O_RDONLY).
197 * One exception is, if the domain which current process belongs to is marked
198 * as "ignore_global_allow_read", current process can't do so unless explicitly
199 * given "allow_read /lib/libc-2.5.so" to the domain which current process
202 static LIST_HEAD(tomoyo_globally_readable_list);
205 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
207 * @filename: Filename unconditionally permitted to open() for reading.
208 * @is_delete: True if it is a delete request.
210 * Returns 0 on success, negative value otherwise.
212 * Caller holds tomoyo_read_lock().
214 static int tomoyo_update_globally_readable_entry(const char *filename,
215 const bool is_delete)
217 struct tomoyo_globally_readable_file_entry *new_entry;
218 struct tomoyo_globally_readable_file_entry *ptr;
219 const struct tomoyo_path_info *saved_filename;
222 if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__))
224 saved_filename = tomoyo_save_name(filename);
227 new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL);
228 mutex_lock(&tomoyo_policy_lock);
229 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
230 if (ptr->filename != saved_filename)
232 ptr->is_deleted = is_delete;
240 if (!tomoyo_memory_ok(new_entry))
242 new_entry->filename = saved_filename;
243 list_add_tail_rcu(&new_entry->list, &tomoyo_globally_readable_list);
247 mutex_unlock(&tomoyo_policy_lock);
253 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
255 * @filename: The filename to check.
257 * Returns true if any domain can open @filename for reading, false otherwise.
259 * Caller holds tomoyo_read_lock().
261 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
264 struct tomoyo_globally_readable_file_entry *ptr;
267 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
268 if (!ptr->is_deleted &&
269 tomoyo_path_matches_pattern(filename, ptr->filename)) {
278 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
280 * @data: String to parse.
281 * @is_delete: True if it is a delete request.
283 * Returns 0 on success, negative value otherwise.
285 * Caller holds tomoyo_read_lock().
287 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
289 return tomoyo_update_globally_readable_entry(data, is_delete);
293 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
295 * @head: Pointer to "struct tomoyo_io_buffer".
297 * Returns true on success, false otherwise.
299 * Caller holds tomoyo_read_lock().
301 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
303 struct list_head *pos;
306 list_for_each_cookie(pos, head->read_var2,
307 &tomoyo_globally_readable_list) {
308 struct tomoyo_globally_readable_file_entry *ptr;
309 ptr = list_entry(pos,
310 struct tomoyo_globally_readable_file_entry,
314 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
315 ptr->filename->name);
322 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
323 * converting pathnames to pathname patterns during learning mode.
325 * An entry is added by
327 * # echo 'file_pattern /proc/\$/mounts' > \
328 * /sys/kernel/security/tomoyo/exception_policy
332 * # echo 'delete file_pattern /proc/\$/mounts' > \
333 * /sys/kernel/security/tomoyo/exception_policy
335 * and all entries are retrieved by
337 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
339 * In the example above, if a process which belongs to a domain which is in
340 * learning mode requested open("/proc/1/mounts", O_RDONLY),
341 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
342 * process belongs to.
344 * It is not a desirable behavior that we have to use /proc/\$/ instead of
345 * /proc/self/ when current process needs to access only current process's
346 * information. As of now, LSM version of TOMOYO is using __d_path() for
347 * calculating pathname. Non LSM version of TOMOYO is using its own function
348 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
349 * current process from accessing other process's information.
351 static LIST_HEAD(tomoyo_pattern_list);
354 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
356 * @pattern: Pathname pattern.
357 * @is_delete: True if it is a delete request.
359 * Returns 0 on success, negative value otherwise.
361 * Caller holds tomoyo_read_lock().
363 static int tomoyo_update_file_pattern_entry(const char *pattern,
364 const bool is_delete)
366 struct tomoyo_pattern_entry *new_entry;
367 struct tomoyo_pattern_entry *ptr;
368 const struct tomoyo_path_info *saved_pattern;
371 if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__))
373 saved_pattern = tomoyo_save_name(pattern);
376 new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL);
377 mutex_lock(&tomoyo_policy_lock);
378 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
379 if (saved_pattern != ptr->pattern)
381 ptr->is_deleted = is_delete;
389 if (!tomoyo_memory_ok(new_entry))
391 new_entry->pattern = saved_pattern;
392 list_add_tail_rcu(&new_entry->list, &tomoyo_pattern_list);
396 mutex_unlock(&tomoyo_policy_lock);
402 * tomoyo_get_file_pattern - Get patterned pathname.
404 * @filename: The filename to find patterned pathname.
406 * Returns pointer to pathname pattern if matched, @filename otherwise.
408 * Caller holds tomoyo_read_lock().
410 static const struct tomoyo_path_info *
411 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
413 struct tomoyo_pattern_entry *ptr;
414 const struct tomoyo_path_info *pattern = NULL;
416 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
419 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
421 pattern = ptr->pattern;
422 if (tomoyo_strendswith(pattern->name, "/\\*")) {
423 /* Do nothing. Try to find the better match. */
425 /* This would be the better match. Use this. */
435 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
437 * @data: String to parse.
438 * @is_delete: True if it is a delete request.
440 * Returns 0 on success, negative value otherwise.
442 * Caller holds tomoyo_read_lock().
444 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
446 return tomoyo_update_file_pattern_entry(data, is_delete);
450 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
452 * @head: Pointer to "struct tomoyo_io_buffer".
454 * Returns true on success, false otherwise.
456 * Caller holds tomoyo_read_lock().
458 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
460 struct list_head *pos;
463 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
464 struct tomoyo_pattern_entry *ptr;
465 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
468 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
469 "%s\n", ptr->pattern->name);
477 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
478 * default forbidden to modify already written content of a file.
480 * An entry is added by
482 * # echo 'deny_rewrite /var/log/messages' > \
483 * /sys/kernel/security/tomoyo/exception_policy
487 * # echo 'delete deny_rewrite /var/log/messages' > \
488 * /sys/kernel/security/tomoyo/exception_policy
490 * and all entries are retrieved by
492 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
494 * In the example above, if a process requested to rewrite /var/log/messages ,
495 * the process can't rewrite unless the domain which that process belongs to
496 * has "allow_rewrite /var/log/messages" entry.
498 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
499 * when we want to allow rewriting already unlink()ed file. As of now,
500 * LSM version of TOMOYO is using __d_path() for calculating pathname.
501 * Non LSM version of TOMOYO is using its own function which doesn't append
502 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
503 * need to worry whether the file is already unlink()ed or not.
505 static LIST_HEAD(tomoyo_no_rewrite_list);
508 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
510 * @pattern: Pathname pattern that are not rewritable by default.
511 * @is_delete: True if it is a delete request.
513 * Returns 0 on success, negative value otherwise.
515 * Caller holds tomoyo_read_lock().
517 static int tomoyo_update_no_rewrite_entry(const char *pattern,
518 const bool is_delete)
520 struct tomoyo_no_rewrite_entry *new_entry, *ptr;
521 const struct tomoyo_path_info *saved_pattern;
524 if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__))
526 saved_pattern = tomoyo_save_name(pattern);
529 new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL);
530 mutex_lock(&tomoyo_policy_lock);
531 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
532 if (ptr->pattern != saved_pattern)
534 ptr->is_deleted = is_delete;
542 if (!tomoyo_memory_ok(new_entry))
544 new_entry->pattern = saved_pattern;
545 list_add_tail_rcu(&new_entry->list, &tomoyo_no_rewrite_list);
549 mutex_unlock(&tomoyo_policy_lock);
555 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
557 * @filename: Filename to check.
559 * Returns true if @filename is specified by "deny_rewrite" directive,
562 * Caller holds tomoyo_read_lock().
564 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
566 struct tomoyo_no_rewrite_entry *ptr;
569 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
572 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
581 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
583 * @data: String to parse.
584 * @is_delete: True if it is a delete request.
586 * Returns 0 on success, negative value otherwise.
588 * Caller holds tomoyo_read_lock().
590 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
592 return tomoyo_update_no_rewrite_entry(data, is_delete);
596 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
598 * @head: Pointer to "struct tomoyo_io_buffer".
600 * Returns true on success, false otherwise.
602 * Caller holds tomoyo_read_lock().
604 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
606 struct list_head *pos;
609 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
610 struct tomoyo_no_rewrite_entry *ptr;
611 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
614 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
615 "%s\n", ptr->pattern->name);
623 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
625 * @filename: Filename.
626 * @perm: Permission (between 1 to 7).
627 * @domain: Pointer to "struct tomoyo_domain_info".
628 * @is_delete: True if it is a delete request.
630 * Returns 0 on success, negative value otherwise.
632 * This is legacy support interface for older policy syntax.
633 * Current policy syntax uses "allow_read/write" instead of "6",
634 * "allow_read" instead of "4", "allow_write" instead of "2",
635 * "allow_execute" instead of "1".
637 * Caller holds tomoyo_read_lock().
639 static int tomoyo_update_file_acl(const char *filename, u8 perm,
640 struct tomoyo_domain_info * const domain,
641 const bool is_delete)
643 if (perm > 7 || !perm) {
644 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
645 __func__, perm, filename);
648 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
650 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
651 * directory permissions.
655 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename,
658 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename,
661 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL,
662 filename, domain, is_delete);
667 * tomoyo_check_single_path_acl2 - Check permission for single path operation.
669 * @domain: Pointer to "struct tomoyo_domain_info".
670 * @filename: Filename to check.
672 * @may_use_pattern: True if patterned ACL is permitted.
674 * Returns 0 on success, -EPERM otherwise.
676 * Caller holds tomoyo_read_lock().
678 static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
680 const struct tomoyo_path_info *
683 const bool may_use_pattern)
685 struct tomoyo_acl_info *ptr;
688 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
689 struct tomoyo_single_path_acl_record *acl;
690 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
692 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
694 if (perm <= 0xFFFF) {
695 if (!(acl->perm & perm))
698 if (!(acl->perm_high & (perm >> 16)))
701 if (may_use_pattern || !acl->filename->is_patterned) {
702 if (!tomoyo_path_matches_pattern(filename,
715 * tomoyo_check_file_acl - Check permission for opening files.
717 * @domain: Pointer to "struct tomoyo_domain_info".
718 * @filename: Filename to check.
719 * @operation: Mode ("read" or "write" or "read/write" or "execute").
721 * Returns 0 on success, -EPERM otherwise.
723 * Caller holds tomoyo_read_lock().
725 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
726 const struct tomoyo_path_info *filename,
731 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
734 perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL;
735 else if (operation == 4)
736 perm = 1 << TOMOYO_TYPE_READ_ACL;
737 else if (operation == 2)
738 perm = 1 << TOMOYO_TYPE_WRITE_ACL;
739 else if (operation == 1)
740 perm = 1 << TOMOYO_TYPE_EXECUTE_ACL;
743 return tomoyo_check_single_path_acl2(domain, filename, perm,
748 * tomoyo_check_file_perm2 - Check permission for opening files.
750 * @domain: Pointer to "struct tomoyo_domain_info".
751 * @filename: Filename to check.
752 * @perm: Mode ("read" or "write" or "read/write" or "execute").
753 * @operation: Operation name passed used for verbose mode.
754 * @mode: Access control mode.
756 * Returns 0 on success, negative value otherwise.
758 * Caller holds tomoyo_read_lock().
760 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
761 const struct tomoyo_path_info *filename,
762 const u8 perm, const char *operation,
765 const bool is_enforce = (mode == 3);
766 const char *msg = "<unknown>";
771 error = tomoyo_check_file_acl(domain, filename, perm);
772 if (error && perm == 4 &&
773 (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) == 0
774 && tomoyo_is_globally_readable_file(filename))
777 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL);
779 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL);
781 msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL);
783 msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL);
788 if (tomoyo_verbose_mode(domain))
789 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied "
790 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation,
791 filename->name, tomoyo_get_last_name(domain));
794 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
795 /* Don't use patterns for execute permission. */
796 const struct tomoyo_path_info *patterned_file = (perm != 1) ?
797 tomoyo_get_file_pattern(filename) : filename;
798 tomoyo_update_file_acl(patterned_file->name, perm,
805 * tomoyo_write_file_policy - Update file related list.
807 * @data: String to parse.
808 * @domain: Pointer to "struct tomoyo_domain_info".
809 * @is_delete: True if it is a delete request.
811 * Returns 0 on success, negative value otherwise.
813 * Caller holds tomoyo_read_lock().
815 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
816 const bool is_delete)
818 char *filename = strchr(data, ' ');
826 if (sscanf(data, "%u", &perm) == 1)
827 return tomoyo_update_file_acl(filename, (u8) perm, domain,
829 if (strncmp(data, "allow_", 6))
832 for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) {
833 if (strcmp(data, tomoyo_sp_keyword[type]))
835 return tomoyo_update_single_path_acl(type, filename,
838 filename2 = strchr(filename, ' ');
842 for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) {
843 if (strcmp(data, tomoyo_dp_keyword[type]))
845 return tomoyo_update_double_path_acl(type, filename, filename2,
853 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
855 * @type: Type of operation.
856 * @filename: Filename.
857 * @domain: Pointer to "struct tomoyo_domain_info".
858 * @is_delete: True if it is a delete request.
860 * Returns 0 on success, negative value otherwise.
862 * Caller holds tomoyo_read_lock().
864 static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
865 struct tomoyo_domain_info *
866 const domain, const bool is_delete)
868 static const u32 rw_mask =
869 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL);
870 const struct tomoyo_path_info *saved_filename;
871 struct tomoyo_acl_info *ptr;
872 struct tomoyo_single_path_acl_record *acl;
874 const u32 perm = 1 << type;
878 if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__))
880 saved_filename = tomoyo_save_name(filename);
883 mutex_lock(&tomoyo_policy_lock);
886 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
887 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
889 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
891 if (acl->filename != saved_filename)
893 /* Special case. Clear all bits if marked as deleted. */
894 if (ptr->type & TOMOYO_ACL_DELETED)
899 acl->perm_high |= (perm >> 16);
900 if ((acl->perm & rw_mask) == rw_mask)
901 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL;
902 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
903 acl->perm |= rw_mask;
904 ptr->type &= ~TOMOYO_ACL_DELETED;
908 /* Not found. Append it to the tail. */
909 acl = kmalloc(sizeof(*acl), GFP_KERNEL);
910 if (!tomoyo_memory_ok(acl)) {
915 acl->head.type = TOMOYO_TYPE_SINGLE_PATH_ACL;
919 acl->perm_high = (perm >> 16);
920 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL))
921 acl->perm |= rw_mask;
922 acl->filename = saved_filename;
923 list_add_tail_rcu(&acl->head.list, &domain->acl_info_list);
928 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
929 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
931 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
933 if (acl->filename != saved_filename)
938 acl->perm_high &= ~(perm >> 16);
939 if ((acl->perm & rw_mask) != rw_mask)
940 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL);
941 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
942 acl->perm &= ~rw_mask;
943 if (!acl->perm && !acl->perm_high)
944 ptr->type |= TOMOYO_ACL_DELETED;
949 mutex_unlock(&tomoyo_policy_lock);
954 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
956 * @type: Type of operation.
957 * @filename1: First filename.
958 * @filename2: Second filename.
959 * @domain: Pointer to "struct tomoyo_domain_info".
960 * @is_delete: True if it is a delete request.
962 * Returns 0 on success, negative value otherwise.
964 * Caller holds tomoyo_read_lock().
966 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
967 const char *filename2,
968 struct tomoyo_domain_info *
969 const domain, const bool is_delete)
971 const struct tomoyo_path_info *saved_filename1;
972 const struct tomoyo_path_info *saved_filename2;
973 struct tomoyo_acl_info *ptr;
974 struct tomoyo_double_path_acl_record *acl;
976 const u8 perm = 1 << type;
980 if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) ||
981 !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__))
983 saved_filename1 = tomoyo_save_name(filename1);
984 saved_filename2 = tomoyo_save_name(filename2);
985 if (!saved_filename1 || !saved_filename2)
987 mutex_lock(&tomoyo_policy_lock);
990 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
991 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
993 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
995 if (acl->filename1 != saved_filename1 ||
996 acl->filename2 != saved_filename2)
998 /* Special case. Clear all bits if marked as deleted. */
999 if (ptr->type & TOMOYO_ACL_DELETED)
1002 ptr->type &= ~TOMOYO_ACL_DELETED;
1006 /* Not found. Append it to the tail. */
1007 acl = kmalloc(sizeof(*acl), GFP_KERNEL);
1008 if (!tomoyo_memory_ok(acl)) {
1013 acl->head.type = TOMOYO_TYPE_DOUBLE_PATH_ACL;
1015 acl->filename1 = saved_filename1;
1016 acl->filename2 = saved_filename2;
1017 list_add_tail_rcu(&acl->head.list, &domain->acl_info_list);
1022 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1023 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
1025 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
1027 if (acl->filename1 != saved_filename1 ||
1028 acl->filename2 != saved_filename2)
1032 ptr->type |= TOMOYO_ACL_DELETED;
1037 mutex_unlock(&tomoyo_policy_lock);
1042 * tomoyo_check_single_path_acl - Check permission for single path operation.
1044 * @domain: Pointer to "struct tomoyo_domain_info".
1045 * @type: Type of operation.
1046 * @filename: Filename to check.
1048 * Returns 0 on success, negative value otherwise.
1050 * Caller holds tomoyo_read_lock().
1052 static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
1054 const struct tomoyo_path_info *filename)
1056 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1058 return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1);
1062 * tomoyo_check_double_path_acl - Check permission for double path operation.
1064 * @domain: Pointer to "struct tomoyo_domain_info".
1065 * @type: Type of operation.
1066 * @filename1: First filename to check.
1067 * @filename2: Second filename to check.
1069 * Returns 0 on success, -EPERM otherwise.
1071 * Caller holds tomoyo_read_lock().
1073 static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
1075 const struct tomoyo_path_info *
1077 const struct tomoyo_path_info *
1080 struct tomoyo_acl_info *ptr;
1081 const u8 perm = 1 << type;
1084 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1086 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1087 struct tomoyo_double_path_acl_record *acl;
1088 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
1090 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
1092 if (!(acl->perm & perm))
1094 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
1096 if (!tomoyo_path_matches_pattern(filename2, acl->filename2))
1105 * tomoyo_check_single_path_permission2 - Check permission for single path operation.
1107 * @domain: Pointer to "struct tomoyo_domain_info".
1108 * @operation: Type of operation.
1109 * @filename: Filename to check.
1110 * @mode: Access control mode.
1112 * Returns 0 on success, negative value otherwise.
1114 * Caller holds tomoyo_read_lock().
1116 static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1117 const domain, u8 operation,
1118 const struct tomoyo_path_info *
1119 filename, const u8 mode)
1123 const bool is_enforce = (mode == 3);
1128 error = tomoyo_check_single_path_acl(domain, operation, filename);
1129 msg = tomoyo_sp2keyword(operation);
1132 if (tomoyo_verbose_mode(domain))
1133 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n",
1134 tomoyo_get_msg(is_enforce), msg, filename->name,
1135 tomoyo_get_last_name(domain));
1136 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1137 const char *name = tomoyo_get_file_pattern(filename)->name;
1138 tomoyo_update_single_path_acl(operation, name, domain, false);
1144 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1145 * we need to check "allow_rewrite" permission if the filename is
1146 * specified by "deny_rewrite" keyword.
1148 if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL &&
1149 tomoyo_is_no_rewrite_file(filename)) {
1150 operation = TOMOYO_TYPE_REWRITE_ACL;
1157 * tomoyo_check_exec_perm - Check permission for "execute".
1159 * @domain: Pointer to "struct tomoyo_domain_info".
1160 * @filename: Check permission for "execute".
1162 * Returns 0 on success, negativevalue otherwise.
1164 * Caller holds tomoyo_read_lock().
1166 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1167 const struct tomoyo_path_info *filename)
1169 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1173 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode);
1177 * tomoyo_check_open_permission - Check permission for "read" and "write".
1179 * @domain: Pointer to "struct tomoyo_domain_info".
1180 * @path: Pointer to "struct path".
1181 * @flag: Flags for open().
1183 * Returns 0 on success, negative value otherwise.
1185 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1186 struct path *path, const int flag)
1188 const u8 acc_mode = ACC_MODE(flag);
1189 int error = -ENOMEM;
1190 struct tomoyo_path_info *buf;
1191 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1192 const bool is_enforce = (mode == 3);
1195 if (!mode || !path->mnt)
1199 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1201 * I don't check directories here because mkdir() and rmdir()
1205 idx = tomoyo_read_lock();
1206 buf = tomoyo_get_path(path);
1211 * If the filename is specified by "deny_rewrite" keyword,
1212 * we need to check "allow_rewrite" permission when the filename is not
1213 * opened for append mode or the filename is truncated at open time.
1215 if ((acc_mode & MAY_WRITE) &&
1216 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1217 (tomoyo_is_no_rewrite_file(buf))) {
1218 error = tomoyo_check_single_path_permission2(domain,
1219 TOMOYO_TYPE_REWRITE_ACL,
1223 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1225 if (!error && (flag & O_TRUNC))
1226 error = tomoyo_check_single_path_permission2(domain,
1227 TOMOYO_TYPE_TRUNCATE_ACL,
1231 tomoyo_read_unlock(idx);
1238 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1240 * @domain: Pointer to "struct tomoyo_domain_info".
1241 * @operation: Type of operation.
1242 * @path: Pointer to "struct path".
1244 * Returns 0 on success, negative value otherwise.
1246 int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1247 const u8 operation, struct path *path)
1249 int error = -ENOMEM;
1250 struct tomoyo_path_info *buf;
1251 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1252 const bool is_enforce = (mode == 3);
1255 if (!mode || !path->mnt)
1257 idx = tomoyo_read_lock();
1258 buf = tomoyo_get_path(path);
1261 switch (operation) {
1262 case TOMOYO_TYPE_MKDIR_ACL:
1263 case TOMOYO_TYPE_RMDIR_ACL:
1264 case TOMOYO_TYPE_CHROOT_ACL:
1267 * tomoyo_get_path() reserves space for appending "/."
1269 strcat((char *) buf->name, "/");
1270 tomoyo_fill_path_info(buf);
1273 error = tomoyo_check_single_path_permission2(domain, operation, buf,
1277 tomoyo_read_unlock(idx);
1284 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1286 * @domain: Pointer to "struct tomoyo_domain_info".
1287 * @filp: Pointer to "struct file".
1289 * Returns 0 on success, negative value otherwise.
1291 int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1294 int error = -ENOMEM;
1295 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1296 const bool is_enforce = (mode == 3);
1297 struct tomoyo_path_info *buf;
1300 if (!mode || !filp->f_path.mnt)
1303 idx = tomoyo_read_lock();
1304 buf = tomoyo_get_path(&filp->f_path);
1307 if (!tomoyo_is_no_rewrite_file(buf)) {
1311 error = tomoyo_check_single_path_permission2(domain,
1312 TOMOYO_TYPE_REWRITE_ACL,
1316 tomoyo_read_unlock(idx);
1323 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root".
1325 * @domain: Pointer to "struct tomoyo_domain_info".
1326 * @operation: Type of operation.
1327 * @path1: Pointer to "struct path".
1328 * @path2: Pointer to "struct path".
1330 * Returns 0 on success, negative value otherwise.
1332 int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
1333 const u8 operation, struct path *path1,
1336 int error = -ENOMEM;
1337 struct tomoyo_path_info *buf1, *buf2;
1338 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1339 const bool is_enforce = (mode == 3);
1343 if (!mode || !path1->mnt || !path2->mnt)
1345 idx = tomoyo_read_lock();
1346 buf1 = tomoyo_get_path(path1);
1347 buf2 = tomoyo_get_path(path2);
1351 struct dentry *dentry = path1->dentry;
1352 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1354 * tomoyo_get_path() reserves space for appending "/."
1356 if (!buf1->is_dir) {
1357 strcat((char *) buf1->name, "/");
1358 tomoyo_fill_path_info(buf1);
1360 if (!buf2->is_dir) {
1361 strcat((char *) buf2->name, "/");
1362 tomoyo_fill_path_info(buf2);
1366 error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2);
1367 msg = tomoyo_dp2keyword(operation);
1370 if (tomoyo_verbose_mode(domain))
1371 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' "
1372 "denied for %s\n", tomoyo_get_msg(is_enforce),
1373 msg, buf1->name, buf2->name,
1374 tomoyo_get_last_name(domain));
1375 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1376 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1377 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1378 tomoyo_update_double_path_acl(operation, name1, name2, domain,
1384 tomoyo_read_unlock(idx);
projects / linux-2.6.git / blob