1 /* 2 * security/tomoyo/common.c 3 * 4 * Common functions for TOMOYO. 5 * 6 * Copyright (C) 2005-2010 NTT DATA CORPORATION 7 */ 8 9 #include <linux/uaccess.h> 10 #include <linux/slab.h> 11 #include <linux/security.h> 12 #include "common.h" 13 14 static struct tomoyo_profile tomoyo_default_profile = { 15 .learning = &tomoyo_default_profile.preference, 16 .permissive = &tomoyo_default_profile.preference, 17 .enforcing = &tomoyo_default_profile.preference, 18 .preference.enforcing_verbose = true, 19 .preference.learning_max_entry = 2048, 20 .preference.learning_verbose = false, 21 .preference.permissive_verbose = true 22 }; 23 24 /* Profile version. Currently only 20090903 is defined. */ 25 static unsigned int tomoyo_profile_version; 26 27 /* Profile table. Memory is allocated as needed. */ 28 static struct tomoyo_profile *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES]; 29 30 /* String table for functionality that takes 4 modes. */ 31 static const char *tomoyo_mode[4] = { 32 "disabled", "learning", "permissive", "enforcing" 33 }; 34 35 /* String table for /sys/kernel/security/tomoyo/profile */ 36 static const char *tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX 37 + TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 38 [TOMOYO_MAC_FILE_EXECUTE] = "file::execute", 39 [TOMOYO_MAC_FILE_OPEN] = "file::open", 40 [TOMOYO_MAC_FILE_CREATE] = "file::create", 41 [TOMOYO_MAC_FILE_UNLINK] = "file::unlink", 42 [TOMOYO_MAC_FILE_MKDIR] = "file::mkdir", 43 [TOMOYO_MAC_FILE_RMDIR] = "file::rmdir", 44 [TOMOYO_MAC_FILE_MKFIFO] = "file::mkfifo", 45 [TOMOYO_MAC_FILE_MKSOCK] = "file::mksock", 46 [TOMOYO_MAC_FILE_TRUNCATE] = "file::truncate", 47 [TOMOYO_MAC_FILE_SYMLINK] = "file::symlink", 48 [TOMOYO_MAC_FILE_REWRITE] = "file::rewrite", 49 [TOMOYO_MAC_FILE_MKBLOCK] = "file::mkblock", 50 [TOMOYO_MAC_FILE_MKCHAR] = "file::mkchar", 51 [TOMOYO_MAC_FILE_LINK] = "file::link", 52 [TOMOYO_MAC_FILE_RENAME] = "file::rename", 53 [TOMOYO_MAC_FILE_CHMOD] = "file::chmod", 54 [TOMOYO_MAC_FILE_CHOWN] = "file::chown", 55 [TOMOYO_MAC_FILE_CHGRP] = "file::chgrp", 56 [TOMOYO_MAC_FILE_IOCTL] = "file::ioctl", 57 [TOMOYO_MAC_FILE_CHROOT] = "file::chroot", 58 [TOMOYO_MAC_FILE_MOUNT] = "file::mount", 59 [TOMOYO_MAC_FILE_UMOUNT] = "file::umount", 60 [TOMOYO_MAC_FILE_PIVOT_ROOT] = "file::pivot_root", 61 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file", 62 }; 63 64 /* Permit policy management by non-root user? */ 65 static bool tomoyo_manage_by_non_root; 66 67 /* Utility functions. */ 68 69 /** 70 * tomoyo_yesno - Return "yes" or "no". 71 * 72 * @value: Bool value. 73 */ 74 static const char *tomoyo_yesno(const unsigned int value) 75 { 76 return value ? "yes" : "no"; 77 } 78 79 static void tomoyo_addprintf(char *buffer, int len, const char *fmt, ...) 80 { 81 va_list args; 82 const int pos = strlen(buffer); 83 va_start(args, fmt); 84 vsnprintf(buffer + pos, len - pos - 1, fmt, args); 85 va_end(args); 86 } 87 88 /** 89 * tomoyo_flush - Flush queued string to userspace's buffer. 90 * 91 * @head: Pointer to "struct tomoyo_io_buffer". 92 * 93 * Returns true if all data was flushed, false otherwise. 94 */ 95 static bool tomoyo_flush(struct tomoyo_io_buffer *head) 96 { 97 while (head->r.w_pos) { 98 const char *w = head->r.w[0]; 99 int len = strlen(w); 100 if (len) { 101 if (len > head->read_user_buf_avail) 102 len = head->read_user_buf_avail; 103 if (!len) 104 return false; 105 if (copy_to_user(head->read_user_buf, w, len)) 106 return false; 107 head->read_user_buf_avail -= len; 108 head->read_user_buf += len; 109 w += len; 110 } 111 head->r.w[0] = w; 112 if (*w) 113 return false; 114 /* Add '\0' for query. */ 115 if (head->poll) { 116 if (!head->read_user_buf_avail || 117 copy_to_user(head->read_user_buf, "", 1)) 118 return false; 119 head->read_user_buf_avail--; 120 head->read_user_buf++; 121 } 122 head->r.w_pos--; 123 for (len = 0; len < head->r.w_pos; len++) 124 head->r.w[len] = head->r.w[len + 1]; 125 } 126 head->r.avail = 0; 127 return true; 128 } 129 130 /** 131 * tomoyo_set_string - Queue string to "struct tomoyo_io_buffer" structure. 132 * 133 * @head: Pointer to "struct tomoyo_io_buffer". 134 * @string: String to print. 135 * 136 * Note that @string has to be kept valid until @head is kfree()d. 137 * This means that char[] allocated on stack memory cannot be passed to 138 * this function. Use tomoyo_io_printf() for char[] allocated on stack memory. 139 */ 140 static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string) 141 { 142 if (head->r.w_pos < TOMOYO_MAX_IO_READ_QUEUE) { 143 head->r.w[head->r.w_pos++] = string; 144 tomoyo_flush(head); 145 } else 146 WARN_ON(1); 147 } 148 149 /** 150 * tomoyo_io_printf - printf() to "struct tomoyo_io_buffer" structure. 151 * 152 * @head: Pointer to "struct tomoyo_io_buffer". 153 * @fmt: The printf()'s format string, followed by parameters. 154 */ 155 void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) 156 { 157 va_list args; 158 int len; 159 int pos = head->r.avail; 160 int size = head->readbuf_size - pos; 161 if (size <= 0) 162 return; 163 va_start(args, fmt); 164 len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1; 165 va_end(args); 166 if (pos + len >= head->readbuf_size) { 167 WARN_ON(1); 168 return; 169 } 170 head->r.avail += len; 171 tomoyo_set_string(head, head->read_buf + pos); 172 } 173 174 static void tomoyo_set_space(struct tomoyo_io_buffer *head) 175 { 176 tomoyo_set_string(head, " "); 177 } 178 179 static bool tomoyo_set_lf(struct tomoyo_io_buffer *head) 180 { 181 tomoyo_set_string(head, "\n"); 182 return !head->r.w_pos; 183 } 184 185 /** 186 * tomoyo_print_name_union - Print a tomoyo_name_union. 187 * 188 * @head: Pointer to "struct tomoyo_io_buffer". 189 * @ptr: Pointer to "struct tomoyo_name_union". 190 */ 191 static void tomoyo_print_name_union(struct tomoyo_io_buffer *head, 192 const struct tomoyo_name_union *ptr) 193 { 194 tomoyo_set_space(head); 195 if (ptr->is_group) { 196 tomoyo_set_string(head, "@"); 197 tomoyo_set_string(head, ptr->group->group_name->name); 198 } else { 199 tomoyo_set_string(head, ptr->filename->name); 200 } 201 } 202 203 /** 204 * tomoyo_print_number_union - Print a tomoyo_number_union. 205 * 206 * @head: Pointer to "struct tomoyo_io_buffer". 207 * @ptr: Pointer to "struct tomoyo_number_union". 208 */ 209 static void tomoyo_print_number_union(struct tomoyo_io_buffer *head, 210 const struct tomoyo_number_union *ptr) 211 { 212 tomoyo_set_space(head); 213 if (ptr->is_group) { 214 tomoyo_set_string(head, "@"); 215 tomoyo_set_string(head, ptr->group->group_name->name); 216 } else { 217 int i; 218 unsigned long min = ptr->values[0]; 219 const unsigned long max = ptr->values[1]; 220 u8 min_type = ptr->min_type; 221 const u8 max_type = ptr->max_type; 222 char buffer[128]; 223 buffer[0] = '\0'; 224 for (i = 0; i < 2; i++) { 225 switch (min_type) { 226 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 227 tomoyo_addprintf(buffer, sizeof(buffer), 228 "0x%lX", min); 229 break; 230 case TOMOYO_VALUE_TYPE_OCTAL: 231 tomoyo_addprintf(buffer, sizeof(buffer), 232 "0%lo", min); 233 break; 234 default: 235 tomoyo_addprintf(buffer, sizeof(buffer), 236 "%lu", min); 237 break; 238 } 239 if (min == max && min_type == max_type) 240 break; 241 tomoyo_addprintf(buffer, sizeof(buffer), "-"); 242 min_type = max_type; 243 min = max; 244 } 245 tomoyo_io_printf(head, "%s", buffer); 246 } 247 } 248 249 /** 250 * tomoyo_assign_profile - Create a new profile. 251 * 252 * @profile: Profile number to create. 253 * 254 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 255 */ 256 static struct tomoyo_profile *tomoyo_assign_profile(const unsigned int profile) 257 { 258 struct tomoyo_profile *ptr; 259 struct tomoyo_profile *entry; 260 if (profile >= TOMOYO_MAX_PROFILES) 261 return NULL; 262 ptr = tomoyo_profile_ptr[profile]; 263 if (ptr) 264 return ptr; 265 entry = kzalloc(sizeof(*entry), GFP_NOFS); 266 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 267 goto out; 268 ptr = tomoyo_profile_ptr[profile]; 269 if (!ptr && tomoyo_memory_ok(entry)) { 270 ptr = entry; 271 ptr->learning = &tomoyo_default_profile.preference; 272 ptr->permissive = &tomoyo_default_profile.preference; 273 ptr->enforcing = &tomoyo_default_profile.preference; 274 ptr->default_config = TOMOYO_CONFIG_DISABLED; 275 memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT, 276 sizeof(ptr->config)); 277 mb(); /* Avoid out-of-order execution. */ 278 tomoyo_profile_ptr[profile] = ptr; 279 entry = NULL; 280 } 281 mutex_unlock(&tomoyo_policy_lock); 282 out: 283 kfree(entry); 284 return ptr; 285 } 286 287 /** 288 * tomoyo_profile - Find a profile. 289 * 290 * @profile: Profile number to find. 291 * 292 * Returns pointer to "struct tomoyo_profile". 293 */ 294 struct tomoyo_profile *tomoyo_profile(const u8 profile) 295 { 296 struct tomoyo_profile *ptr = tomoyo_profile_ptr[profile]; 297 if (!tomoyo_policy_loaded) 298 return &tomoyo_default_profile; 299 BUG_ON(!ptr); 300 return ptr; 301 } 302 303 static s8 tomoyo_find_yesno(const char *string, const char *find) 304 { 305 const char *cp = strstr(string, find); 306 if (cp) { 307 cp += strlen(find); 308 if (!strncmp(cp, "=yes", 4)) 309 return 1; 310 else if (!strncmp(cp, "=no", 3)) 311 return 0; 312 } 313 return -1; 314 } 315 316 static void tomoyo_set_bool(bool *b, const char *string, const char *find) 317 { 318 switch (tomoyo_find_yesno(string, find)) { 319 case 1: 320 *b = true; 321 break; 322 case 0: 323 *b = false; 324 break; 325 } 326 } 327 328 static void tomoyo_set_uint(unsigned int *i, const char *string, 329 const char *find) 330 { 331 const char *cp = strstr(string, find); 332 if (cp) 333 sscanf(cp + strlen(find), "=%u", i); 334 } 335 336 static void tomoyo_set_pref(const char *name, const char *value, 337 const bool use_default, 338 struct tomoyo_profile *profile) 339 { 340 struct tomoyo_preference **pref; 341 bool *verbose; 342 if (!strcmp(name, "enforcing")) { 343 if (use_default) { 344 pref = &profile->enforcing; 345 goto set_default; 346 } 347 profile->enforcing = &profile->preference; 348 verbose = &profile->preference.enforcing_verbose; 349 goto set_verbose; 350 } 351 if (!strcmp(name, "permissive")) { 352 if (use_default) { 353 pref = &profile->permissive; 354 goto set_default; 355 } 356 profile->permissive = &profile->preference; 357 verbose = &profile->preference.permissive_verbose; 358 goto set_verbose; 359 } 360 if (!strcmp(name, "learning")) { 361 if (use_default) { 362 pref = &profile->learning; 363 goto set_default; 364 } 365 profile->learning = &profile->preference; 366 tomoyo_set_uint(&profile->preference.learning_max_entry, value, 367 "max_entry"); 368 verbose = &profile->preference.learning_verbose; 369 goto set_verbose; 370 } 371 return; 372 set_default: 373 *pref = &tomoyo_default_profile.preference; 374 return; 375 set_verbose: 376 tomoyo_set_bool(verbose, value, "verbose"); 377 } 378 379 static int tomoyo_set_mode(char *name, const char *value, 380 const bool use_default, 381 struct tomoyo_profile *profile) 382 { 383 u8 i; 384 u8 config; 385 if (!strcmp(name, "CONFIG")) { 386 i = TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX; 387 config = profile->default_config; 388 } else if (tomoyo_str_starts(&name, "CONFIG::")) { 389 config = 0; 390 for (i = 0; i < TOMOYO_MAX_MAC_INDEX 391 + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) { 392 if (strcmp(name, tomoyo_mac_keywords[i])) 393 continue; 394 config = profile->config[i]; 395 break; 396 } 397 if (i == TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 398 return -EINVAL; 399 } else { 400 return -EINVAL; 401 } 402 if (use_default) { 403 config = TOMOYO_CONFIG_USE_DEFAULT; 404 } else { 405 u8 mode; 406 for (mode = 0; mode < 4; mode++) 407 if (strstr(value, tomoyo_mode[mode])) 408 /* 409 * Update lower 3 bits in order to distinguish 410 * 'config' from 'TOMOYO_CONFIG_USE_DEAFULT'. 411 */ 412 config = (config & ~7) | mode; 413 } 414 if (i < TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 415 profile->config[i] = config; 416 else if (config != TOMOYO_CONFIG_USE_DEFAULT) 417 profile->default_config = config; 418 return 0; 419 } 420 421 /** 422 * tomoyo_write_profile - Write profile table. 423 * 424 * @head: Pointer to "struct tomoyo_io_buffer". 425 * 426 * Returns 0 on success, negative value otherwise. 427 */ 428 static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 429 { 430 char *data = head->write_buf; 431 unsigned int i; 432 bool use_default = false; 433 char *cp; 434 struct tomoyo_profile *profile; 435 if (sscanf(data, "PROFILE_VERSION=%u", &tomoyo_profile_version) == 1) 436 return 0; 437 i = simple_strtoul(data, &cp, 10); 438 if (data == cp) { 439 profile = &tomoyo_default_profile; 440 } else { 441 if (*cp != '-') 442 return -EINVAL; 443 data = cp + 1; 444 profile = tomoyo_assign_profile(i); 445 if (!profile) 446 return -EINVAL; 447 } 448 cp = strchr(data, '='); 449 if (!cp) 450 return -EINVAL; 451 *cp++ = '\0'; 452 if (profile != &tomoyo_default_profile) 453 use_default = strstr(cp, "use_default") != NULL; 454 if (tomoyo_str_starts(&data, "PREFERENCE::")) { 455 tomoyo_set_pref(data, cp, use_default, profile); 456 return 0; 457 } 458 if (profile == &tomoyo_default_profile) 459 return -EINVAL; 460 if (!strcmp(data, "COMMENT")) { 461 static DEFINE_SPINLOCK(lock); 462 const struct tomoyo_path_info *new_comment 463 = tomoyo_get_name(cp); 464 const struct tomoyo_path_info *old_comment; 465 if (!new_comment) 466 return -ENOMEM; 467 spin_lock(&lock); 468 old_comment = profile->comment; 469 profile->comment = new_comment; 470 spin_unlock(&lock); 471 tomoyo_put_name(old_comment); 472 return 0; 473 } 474 return tomoyo_set_mode(data, cp, use_default, profile); 475 } 476 477 static void tomoyo_print_preference(struct tomoyo_io_buffer *head, 478 const int idx) 479 { 480 struct tomoyo_preference *pref = &tomoyo_default_profile.preference; 481 const struct tomoyo_profile *profile = idx >= 0 ? 482 tomoyo_profile_ptr[idx] : NULL; 483 char buffer[16] = ""; 484 if (profile) { 485 buffer[sizeof(buffer) - 1] = '\0'; 486 snprintf(buffer, sizeof(buffer) - 1, "%u-", idx); 487 } 488 if (profile) { 489 pref = profile->learning; 490 if (pref == &tomoyo_default_profile.preference) 491 goto skip1; 492 } 493 tomoyo_io_printf(head, "%sPREFERENCE::%s={ " 494 "verbose=%s max_entry=%u }\n", 495 buffer, "learning", 496 tomoyo_yesno(pref->learning_verbose), 497 pref->learning_max_entry); 498 skip1: 499 if (profile) { 500 pref = profile->permissive; 501 if (pref == &tomoyo_default_profile.preference) 502 goto skip2; 503 } 504 tomoyo_io_printf(head, "%sPREFERENCE::%s={ verbose=%s }\n", 505 buffer, "permissive", 506 tomoyo_yesno(pref->permissive_verbose)); 507 skip2: 508 if (profile) { 509 pref = profile->enforcing; 510 if (pref == &tomoyo_default_profile.preference) 511 return; 512 } 513 tomoyo_io_printf(head, "%sPREFERENCE::%s={ verbose=%s }\n", 514 buffer, "enforcing", 515 tomoyo_yesno(pref->enforcing_verbose)); 516 } 517 518 static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config) 519 { 520 tomoyo_io_printf(head, "={ mode=%s }\n", tomoyo_mode[config & 3]); 521 } 522 523 /** 524 * tomoyo_read_profile - Read profile table. 525 * 526 * @head: Pointer to "struct tomoyo_io_buffer". 527 */ 528 static void tomoyo_read_profile(struct tomoyo_io_buffer *head) 529 { 530 u8 index; 531 const struct tomoyo_profile *profile; 532 next: 533 index = head->r.index; 534 profile = tomoyo_profile_ptr[index]; 535 switch (head->r.step) { 536 case 0: 537 tomoyo_io_printf(head, "PROFILE_VERSION=%s\n", "20090903"); 538 tomoyo_print_preference(head, -1); 539 head->r.step++; 540 break; 541 case 1: 542 for ( ; head->r.index < TOMOYO_MAX_PROFILES; 543 head->r.index++) 544 if (tomoyo_profile_ptr[head->r.index]) 545 break; 546 if (head->r.index == TOMOYO_MAX_PROFILES) 547 return; 548 head->r.step++; 549 break; 550 case 2: 551 { 552 const struct tomoyo_path_info *comment = 553 profile->comment; 554 tomoyo_io_printf(head, "%u-COMMENT=", index); 555 tomoyo_set_string(head, comment ? comment->name : ""); 556 tomoyo_set_lf(head); 557 head->r.step++; 558 } 559 break; 560 case 3: 561 { 562 tomoyo_io_printf(head, "%u-%s", index, "CONFIG"); 563 tomoyo_print_config(head, profile->default_config); 564 head->r.bit = 0; 565 head->r.step++; 566 } 567 break; 568 case 4: 569 for ( ; head->r.bit < TOMOYO_MAX_MAC_INDEX 570 + TOMOYO_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { 571 const u8 i = head->r.bit; 572 const u8 config = profile->config[i]; 573 if (config == TOMOYO_CONFIG_USE_DEFAULT) 574 continue; 575 tomoyo_io_printf(head, "%u-%s%s", index, "CONFIG::", 576 tomoyo_mac_keywords[i]); 577 tomoyo_print_config(head, config); 578 head->r.bit++; 579 break; 580 } 581 if (head->r.bit == TOMOYO_MAX_MAC_INDEX 582 + TOMOYO_MAX_MAC_CATEGORY_INDEX) { 583 tomoyo_print_preference(head, index); 584 head->r.index++; 585 head->r.step = 1; 586 } 587 break; 588 } 589 if (tomoyo_flush(head)) 590 goto next; 591 } 592 593 static bool tomoyo_same_manager(const struct tomoyo_acl_head *a, 594 const struct tomoyo_acl_head *b) 595 { 596 return container_of(a, struct tomoyo_manager, head)->manager == 597 container_of(b, struct tomoyo_manager, head)->manager; 598 } 599 600 /** 601 * tomoyo_update_manager_entry - Add a manager entry. 602 * 603 * @manager: The path to manager or the domainnamme. 604 * @is_delete: True if it is a delete request. 605 * 606 * Returns 0 on success, negative value otherwise. 607 * 608 * Caller holds tomoyo_read_lock(). 609 */ 610 static int tomoyo_update_manager_entry(const char *manager, 611 const bool is_delete) 612 { 613 struct tomoyo_manager e = { }; 614 int error; 615 616 if (tomoyo_domain_def(manager)) { 617 if (!tomoyo_correct_domain(manager)) 618 return -EINVAL; 619 e.is_domain = true; 620 } else { 621 if (!tomoyo_correct_path(manager)) 622 return -EINVAL; 623 } 624 e.manager = tomoyo_get_name(manager); 625 if (!e.manager) 626 return -ENOMEM; 627 error = tomoyo_update_policy(&e.head, sizeof(e), is_delete, 628 &tomoyo_policy_list[TOMOYO_ID_MANAGER], 629 tomoyo_same_manager); 630 tomoyo_put_name(e.manager); 631 return error; 632 } 633 634 /** 635 * tomoyo_write_manager - Write manager policy. 636 * 637 * @head: Pointer to "struct tomoyo_io_buffer". 638 * 639 * Returns 0 on success, negative value otherwise. 640 * 641 * Caller holds tomoyo_read_lock(). 642 */ 643 static int tomoyo_write_manager(struct tomoyo_io_buffer *head) 644 { 645 char *data = head->write_buf; 646 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 647 648 if (!strcmp(data, "manage_by_non_root")) { 649 tomoyo_manage_by_non_root = !is_delete; 650 return 0; 651 } 652 return tomoyo_update_manager_entry(data, is_delete); 653 } 654 655 /** 656 * tomoyo_read_manager - Read manager policy. 657 * 658 * @head: Pointer to "struct tomoyo_io_buffer". 659 * 660 * Caller holds tomoyo_read_lock(). 661 */ 662 static void tomoyo_read_manager(struct tomoyo_io_buffer *head) 663 { 664 if (head->r.eof) 665 return; 666 list_for_each_cookie(head->r.acl, 667 &tomoyo_policy_list[TOMOYO_ID_MANAGER]) { 668 struct tomoyo_manager *ptr = 669 list_entry(head->r.acl, typeof(*ptr), head.list); 670 if (ptr->head.is_deleted) 671 continue; 672 if (!tomoyo_flush(head)) 673 return; 674 tomoyo_set_string(head, ptr->manager->name); 675 tomoyo_set_lf(head); 676 } 677 head->r.eof = true; 678 } 679 680 /** 681 * tomoyo_manager - Check whether the current process is a policy manager. 682 * 683 * Returns true if the current process is permitted to modify policy 684 * via /sys/kernel/security/tomoyo/ interface. 685 * 686 * Caller holds tomoyo_read_lock(). 687 */ 688 static bool tomoyo_manager(void) 689 { 690 struct tomoyo_manager *ptr; 691 const char *exe; 692 const struct task_struct *task = current; 693 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 694 bool found = false; 695 696 if (!tomoyo_policy_loaded) 697 return true; 698 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid)) 699 return false; 700 list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_MANAGER], 701 head.list) { 702 if (!ptr->head.is_deleted && ptr->is_domain 703 && !tomoyo_pathcmp(domainname, ptr->manager)) { 704 found = true; 705 break; 706 } 707 } 708 if (found) 709 return true; 710 exe = tomoyo_get_exe(); 711 if (!exe) 712 return false; 713 list_for_each_entry_rcu(ptr, &tomoyo_policy_list[TOMOYO_ID_MANAGER], 714 head.list) { 715 if (!ptr->head.is_deleted && !ptr->is_domain 716 && !strcmp(exe, ptr->manager->name)) { 717 found = true; 718 break; 719 } 720 } 721 if (!found) { /* Reduce error messages. */ 722 static pid_t last_pid; 723 const pid_t pid = current->pid; 724 if (last_pid != pid) { 725 printk(KERN_WARNING "%s ( %s ) is not permitted to " 726 "update policies.\n", domainname->name, exe); 727 last_pid = pid; 728 } 729 } 730 kfree(exe); 731 return found; 732 } 733 734 /** 735 * tomoyo_select_one - Parse select command. 736 * 737 * @head: Pointer to "struct tomoyo_io_buffer". 738 * @data: String to parse. 739 * 740 * Returns true on success, false otherwise. 741 * 742 * Caller holds tomoyo_read_lock(). 743 */ 744 static bool tomoyo_select_one(struct tomoyo_io_buffer *head, const char *data) 745 { 746 unsigned int pid; 747 struct tomoyo_domain_info *domain = NULL; 748 bool global_pid = false; 749 750 if (!strcmp(data, "allow_execute")) { 751 head->r.print_execute_only = true; 752 return true; 753 } 754 if (sscanf(data, "pid=%u", &pid) == 1 || 755 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { 756 struct task_struct *p; 757 rcu_read_lock(); 758 read_lock(&tasklist_lock); 759 if (global_pid) 760 p = find_task_by_pid_ns(pid, &init_pid_ns); 761 else 762 p = find_task_by_vpid(pid); 763 if (p) 764 domain = tomoyo_real_domain(p); 765 read_unlock(&tasklist_lock); 766 rcu_read_unlock(); 767 } else if (!strncmp(data, "domain=", 7)) { 768 if (tomoyo_domain_def(data + 7)) 769 domain = tomoyo_find_domain(data + 7); 770 } else 771 return false; 772 head->write_var1 = domain; 773 /* Accessing read_buf is safe because head->io_sem is held. */ 774 if (!head->read_buf) 775 return true; /* Do nothing if open(O_WRONLY). */ 776 memset(&head->r, 0, sizeof(head->r)); 777 head->r.print_this_domain_only = true; 778 if (domain) 779 head->r.domain = &domain->list; 780 else 781 head->r.eof = 1; 782 tomoyo_io_printf(head, "# select %s\n", data); 783 if (domain && domain->is_deleted) 784 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 785 return true; 786 } 787 788 /** 789 * tomoyo_delete_domain - Delete a domain. 790 * 791 * @domainname: The name of domain. 792 * 793 * Returns 0. 794 * 795 * Caller holds tomoyo_read_lock(). 796 */ 797 static int tomoyo_delete_domain(char *domainname) 798 { 799 struct tomoyo_domain_info *domain; 800 struct tomoyo_path_info name; 801 802 name.name = domainname; 803 tomoyo_fill_path_info(&name); 804 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 805 return 0; 806 /* Is there an active domain? */ 807 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 808 /* Never delete tomoyo_kernel_domain */ 809 if (domain == &tomoyo_kernel_domain) 810 continue; 811 if (domain->is_deleted || 812 tomoyo_pathcmp(domain->domainname, &name)) 813 continue; 814 domain->is_deleted = true; 815 break; 816 } 817 mutex_unlock(&tomoyo_policy_lock); 818 return 0; 819 } 820 821 /** 822 * tomoyo_write_domain2 - Write domain policy. 823 * 824 * @head: Pointer to "struct tomoyo_io_buffer". 825 * 826 * Returns 0 on success, negative value otherwise. 827 * 828 * Caller holds tomoyo_read_lock(). 829 */ 830 static int tomoyo_write_domain2(char *data, struct tomoyo_domain_info *domain, 831 const bool is_delete) 832 { 833 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_MOUNT)) 834 return tomoyo_write_mount(data, domain, is_delete); 835 return tomoyo_write_file(data, domain, is_delete); 836 } 837 838 /** 839 * tomoyo_write_domain - Write domain policy. 840 * 841 * @head: Pointer to "struct tomoyo_io_buffer". 842 * 843 * Returns 0 on success, negative value otherwise. 844 * 845 * Caller holds tomoyo_read_lock(). 846 */ 847 static int tomoyo_write_domain(struct tomoyo_io_buffer *head) 848 { 849 char *data = head->write_buf; 850 struct tomoyo_domain_info *domain = head->write_var1; 851 bool is_delete = false; 852 bool is_select = false; 853 unsigned int profile; 854 855 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE)) 856 is_delete = true; 857 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT)) 858 is_select = true; 859 if (is_select && tomoyo_select_one(head, data)) 860 return 0; 861 /* Don't allow updating policies by non manager programs. */ 862 if (!tomoyo_manager()) 863 return -EPERM; 864 if (tomoyo_domain_def(data)) { 865 domain = NULL; 866 if (is_delete) 867 tomoyo_delete_domain(data); 868 else if (is_select) 869 domain = tomoyo_find_domain(data); 870 else 871 domain = tomoyo_assign_domain(data, 0); 872 head->write_var1 = domain; 873 return 0; 874 } 875 if (!domain) 876 return -EINVAL; 877 878 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1 879 && profile < TOMOYO_MAX_PROFILES) { 880 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded) 881 domain->profile = (u8) profile; 882 return 0; 883 } 884 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) { 885 domain->ignore_global_allow_read = !is_delete; 886 return 0; 887 } 888 if (!strcmp(data, TOMOYO_KEYWORD_QUOTA_EXCEEDED)) { 889 domain->quota_warned = !is_delete; 890 return 0; 891 } 892 if (!strcmp(data, TOMOYO_KEYWORD_TRANSITION_FAILED)) { 893 domain->transition_failed = !is_delete; 894 return 0; 895 } 896 return tomoyo_write_domain2(data, domain, is_delete); 897 } 898 899 /** 900 * tomoyo_fns - Find next set bit. 901 * 902 * @perm: 8 bits value. 903 * @bit: First bit to find. 904 * 905 * Returns next on-bit on success, 8 otherwise. 906 */ 907 static u8 tomoyo_fns(const u8 perm, u8 bit) 908 { 909 for ( ; bit < 8; bit++) 910 if (perm & (1 << bit)) 911 break; 912 return bit; 913 } 914 915 /** 916 * tomoyo_print_entry - Print an ACL entry. 917 * 918 * @head: Pointer to "struct tomoyo_io_buffer". 919 * @acl: Pointer to an ACL entry. 920 * 921 * Returns true on success, false otherwise. 922 */ 923 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 924 struct tomoyo_acl_info *acl) 925 { 926 const u8 acl_type = acl->type; 927 u8 bit; 928 929 if (acl->is_deleted) 930 return true; 931 next: 932 bit = head->r.bit; 933 if (!tomoyo_flush(head)) 934 return false; 935 else if (acl_type == TOMOYO_TYPE_PATH_ACL) { 936 struct tomoyo_path_acl *ptr = 937 container_of(acl, typeof(*ptr), head); 938 const u16 perm = ptr->perm; 939 for ( ; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 940 if (!(perm & (1 << bit))) 941 continue; 942 if (head->r.print_execute_only && 943 bit != TOMOYO_TYPE_EXECUTE) 944 continue; 945 /* Print "read/write" instead of "read" and "write". */ 946 if ((bit == TOMOYO_TYPE_READ || 947 bit == TOMOYO_TYPE_WRITE) 948 && (perm & (1 << TOMOYO_TYPE_READ_WRITE))) 949 continue; 950 break; 951 } 952 if (bit >= TOMOYO_MAX_PATH_OPERATION) 953 goto done; 954 tomoyo_io_printf(head, "allow_%s", tomoyo_path_keyword[bit]); 955 tomoyo_print_name_union(head, &ptr->name); 956 } else if (head->r.print_execute_only) { 957 return true; 958 } else if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 959 struct tomoyo_path2_acl *ptr = 960 container_of(acl, typeof(*ptr), head); 961 bit = tomoyo_fns(ptr->perm, bit); 962 if (bit >= TOMOYO_MAX_PATH2_OPERATION) 963 goto done; 964 tomoyo_io_printf(head, "allow_%s", tomoyo_path2_keyword[bit]); 965 tomoyo_print_name_union(head, &ptr->name1); 966 tomoyo_print_name_union(head, &ptr->name2); 967 } else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { 968 struct tomoyo_path_number_acl *ptr = 969 container_of(acl, typeof(*ptr), head); 970 bit = tomoyo_fns(ptr->perm, bit); 971 if (bit >= TOMOYO_MAX_PATH_NUMBER_OPERATION) 972 goto done; 973 tomoyo_io_printf(head, "allow_%s", 974 tomoyo_path_number_keyword[bit]); 975 tomoyo_print_name_union(head, &ptr->name); 976 tomoyo_print_number_union(head, &ptr->number); 977 } else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) { 978 struct tomoyo_mkdev_acl *ptr = 979 container_of(acl, typeof(*ptr), head); 980 bit = tomoyo_fns(ptr->perm, bit); 981 if (bit >= TOMOYO_MAX_MKDEV_OPERATION) 982 goto done; 983 tomoyo_io_printf(head, "allow_%s", tomoyo_mkdev_keyword[bit]); 984 tomoyo_print_name_union(head, &ptr->name); 985 tomoyo_print_number_union(head, &ptr->mode); 986 tomoyo_print_number_union(head, &ptr->major); 987 tomoyo_print_number_union(head, &ptr->minor); 988 } else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { 989 struct tomoyo_mount_acl *ptr = 990 container_of(acl, typeof(*ptr), head); 991 tomoyo_io_printf(head, "allow_mount"); 992 tomoyo_print_name_union(head, &ptr->dev_name); 993 tomoyo_print_name_union(head, &ptr->dir_name); 994 tomoyo_print_name_union(head, &ptr->fs_type); 995 tomoyo_print_number_union(head, &ptr->flags); 996 } 997 head->r.bit = bit + 1; 998 tomoyo_io_printf(head, "\n"); 999 if (acl_type != TOMOYO_TYPE_MOUNT_ACL) 1000 goto next; 1001 done: 1002 head->r.bit = 0; 1003 return true; 1004 } 1005 1006 /** 1007 * tomoyo_read_domain2 - Read domain policy. 1008 * 1009 * @head: Pointer to "struct tomoyo_io_buffer". 1010 * @domain: Pointer to "struct tomoyo_domain_info". 1011 * 1012 * Caller holds tomoyo_read_lock(). 1013 * 1014 * Returns true on success, false otherwise. 1015 */ 1016 static bool tomoyo_read_domain2(struct tomoyo_io_buffer *head, 1017 struct tomoyo_domain_info *domain) 1018 { 1019 list_for_each_cookie(head->r.acl, &domain->acl_info_list) { 1020 struct tomoyo_acl_info *ptr = 1021 list_entry(head->r.acl, typeof(*ptr), list); 1022 if (!tomoyo_print_entry(head, ptr)) 1023 return false; 1024 } 1025 head->r.acl = NULL; 1026 return true; 1027 } 1028 1029 /** 1030 * tomoyo_read_domain - Read domain policy. 1031 * 1032 * @head: Pointer to "struct tomoyo_io_buffer". 1033 * 1034 * Caller holds tomoyo_read_lock(). 1035 */ 1036 static void tomoyo_read_domain(struct tomoyo_io_buffer *head) 1037 { 1038 if (head->r.eof) 1039 return; 1040 list_for_each_cookie(head->r.domain, &tomoyo_domain_list) { 1041 struct tomoyo_domain_info *domain = 1042 list_entry(head->r.domain, typeof(*domain), list); 1043 switch (head->r.step) { 1044 case 0: 1045 if (domain->is_deleted && 1046 !head->r.print_this_domain_only) 1047 continue; 1048 /* Print domainname and flags. */ 1049 tomoyo_set_string(head, domain->domainname->name); 1050 tomoyo_set_lf(head); 1051 tomoyo_io_printf(head, 1052 TOMOYO_KEYWORD_USE_PROFILE "%u\n", 1053 domain->profile); 1054 if (domain->quota_warned) 1055 tomoyo_set_string(head, "quota_exceeded\n"); 1056 if (domain->transition_failed) 1057 tomoyo_set_string(head, "transition_failed\n"); 1058 if (domain->ignore_global_allow_read) 1059 tomoyo_set_string(head, 1060 TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ 1061 "\n"); 1062 head->r.step++; 1063 tomoyo_set_lf(head); 1064 /* fall through */ 1065 case 1: 1066 if (!tomoyo_read_domain2(head, domain)) 1067 return; 1068 head->r.step++; 1069 if (!tomoyo_set_lf(head)) 1070 return; 1071 /* fall through */ 1072 case 2: 1073 head->r.step = 0; 1074 if (head->r.print_this_domain_only) 1075 goto done; 1076 } 1077 } 1078 done: 1079 head->r.eof = true; 1080 } 1081 1082 /** 1083 * tomoyo_write_domain_profile - Assign profile for specified domain. 1084 * 1085 * @head: Pointer to "struct tomoyo_io_buffer". 1086 * 1087 * Returns 0 on success, -EINVAL otherwise. 1088 * 1089 * This is equivalent to doing 1090 * 1091 * ( echo "select " $domainname; echo "use_profile " $profile ) | 1092 * /usr/sbin/tomoyo-loadpolicy -d 1093 * 1094 * Caller holds tomoyo_read_lock(). 1095 */ 1096 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head) 1097 { 1098 char *data = head->write_buf; 1099 char *cp = strchr(data, ' '); 1100 struct tomoyo_domain_info *domain; 1101 unsigned long profile; 1102 1103 if (!cp) 1104 return -EINVAL; 1105 *cp = '\0'; 1106 domain = tomoyo_find_domain(cp + 1); 1107 if (strict_strtoul(data, 10, &profile)) 1108 return -EINVAL; 1109 if (domain && profile < TOMOYO_MAX_PROFILES 1110 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)) 1111 domain->profile = (u8) profile; 1112 return 0; 1113 } 1114 1115 /** 1116 * tomoyo_read_domain_profile - Read only domainname and profile. 1117 * 1118 * @head: Pointer to "struct tomoyo_io_buffer". 1119 * 1120 * Returns list of profile number and domainname pairs. 1121 * 1122 * This is equivalent to doing 1123 * 1124 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy | 1125 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" ) 1126 * domainname = $0; } else if ( $1 == "use_profile" ) { 1127 * print $2 " " domainname; domainname = ""; } } ; ' 1128 * 1129 * Caller holds tomoyo_read_lock(). 1130 */ 1131 static void tomoyo_read_domain_profile(struct tomoyo_io_buffer *head) 1132 { 1133 if (head->r.eof) 1134 return; 1135 list_for_each_cookie(head->r.domain, &tomoyo_domain_list) { 1136 struct tomoyo_domain_info *domain = 1137 list_entry(head->r.domain, typeof(*domain), list); 1138 if (domain->is_deleted) 1139 continue; 1140 if (!tomoyo_flush(head)) 1141 return; 1142 tomoyo_io_printf(head, "%u ", domain->profile); 1143 tomoyo_set_string(head, domain->domainname->name); 1144 tomoyo_set_lf(head); 1145 } 1146 head->r.eof = true; 1147 } 1148 1149 /** 1150 * tomoyo_write_pid: Specify PID to obtain domainname. 1151 * 1152 * @head: Pointer to "struct tomoyo_io_buffer". 1153 * 1154 * Returns 0. 1155 */ 1156 static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1157 { 1158 head->r.eof = false; 1159 return 0; 1160 } 1161 1162 /** 1163 * tomoyo_read_pid - Get domainname of the specified PID. 1164 * 1165 * @head: Pointer to "struct tomoyo_io_buffer". 1166 * 1167 * Returns the domainname which the specified PID is in on success, 1168 * empty string otherwise. 1169 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1170 * using read()/write() interface rather than sysctl() interface. 1171 */ 1172 static void tomoyo_read_pid(struct tomoyo_io_buffer *head) 1173 { 1174 char *buf = head->write_buf; 1175 bool global_pid = false; 1176 unsigned int pid; 1177 struct task_struct *p; 1178 struct tomoyo_domain_info *domain = NULL; 1179 1180 /* Accessing write_buf is safe because head->io_sem is held. */ 1181 if (!buf) { 1182 head->r.eof = true; 1183 return; /* Do nothing if open(O_RDONLY). */ 1184 } 1185 if (head->r.w_pos || head->r.eof) 1186 return; 1187 head->r.eof = true; 1188 if (tomoyo_str_starts(&buf, "global-pid ")) 1189 global_pid = true; 1190 pid = (unsigned int) simple_strtoul(buf, NULL, 10); 1191 rcu_read_lock(); 1192 read_lock(&tasklist_lock); 1193 if (global_pid) 1194 p = find_task_by_pid_ns(pid, &init_pid_ns); 1195 else 1196 p = find_task_by_vpid(pid); 1197 if (p) 1198 domain = tomoyo_real_domain(p); 1199 read_unlock(&tasklist_lock); 1200 rcu_read_unlock(); 1201 if (!domain) 1202 return; 1203 tomoyo_io_printf(head, "%u %u ", pid, domain->profile); 1204 tomoyo_set_string(head, domain->domainname->name); 1205 } 1206 1207 static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = { 1208 [TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE] 1209 = TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN, 1210 [TOMOYO_TRANSITION_CONTROL_INITIALIZE] 1211 = TOMOYO_KEYWORD_INITIALIZE_DOMAIN, 1212 [TOMOYO_TRANSITION_CONTROL_NO_KEEP] = TOMOYO_KEYWORD_NO_KEEP_DOMAIN, 1213 [TOMOYO_TRANSITION_CONTROL_KEEP] = TOMOYO_KEYWORD_KEEP_DOMAIN 1214 }; 1215 1216 static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = { 1217 [TOMOYO_PATH_GROUP] = TOMOYO_KEYWORD_PATH_GROUP, 1218 [TOMOYO_NUMBER_GROUP] = TOMOYO_KEYWORD_NUMBER_GROUP 1219 }; 1220 1221 /** 1222 * tomoyo_write_exception - Write exception policy. 1223 * 1224 * @head: Pointer to "struct tomoyo_io_buffer". 1225 * 1226 * Returns 0 on success, negative value otherwise. 1227 * 1228 * Caller holds tomoyo_read_lock(). 1229 */ 1230 static int tomoyo_write_exception(struct tomoyo_io_buffer *head) 1231 { 1232 char *data = head->write_buf; 1233 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE); 1234 u8 i; 1235 static const struct { 1236 const char *keyword; 1237 int (*write) (char *, const bool); 1238 } tomoyo_callback[4] = { 1239 { TOMOYO_KEYWORD_AGGREGATOR, tomoyo_write_aggregator }, 1240 { TOMOYO_KEYWORD_FILE_PATTERN, tomoyo_write_pattern }, 1241 { TOMOYO_KEYWORD_DENY_REWRITE, tomoyo_write_no_rewrite }, 1242 { TOMOYO_KEYWORD_ALLOW_READ, tomoyo_write_globally_readable }, 1243 }; 1244 1245 for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++) 1246 if (tomoyo_str_starts(&data, tomoyo_transition_type[i])) 1247 return tomoyo_write_transition_control(data, is_delete, 1248 i); 1249 for (i = 0; i < 4; i++) 1250 if (tomoyo_str_starts(&data, tomoyo_callback[i].keyword)) 1251 return tomoyo_callback[i].write(data, is_delete); 1252 for (i = 0; i < TOMOYO_MAX_GROUP; i++) 1253 if (tomoyo_str_starts(&data, tomoyo_group_name[i])) 1254 return tomoyo_write_group(data, is_delete, i); 1255 return -EINVAL; 1256 } 1257 1258 /** 1259 * tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group" list. 1260 * 1261 * @head: Pointer to "struct tomoyo_io_buffer". 1262 * @idx: Index number. 1263 * 1264 * Returns true on success, false otherwise. 1265 * 1266 * Caller holds tomoyo_read_lock(). 1267 */ 1268 static bool tomoyo_read_group(struct tomoyo_io_buffer *head, const int idx) 1269 { 1270 list_for_each_cookie(head->r.group, &tomoyo_group_list[idx]) { 1271 struct tomoyo_group *group = 1272 list_entry(head->r.group, typeof(*group), list); 1273 list_for_each_cookie(head->r.acl, &group->member_list) { 1274 struct tomoyo_acl_head *ptr = 1275 list_entry(head->r.acl, typeof(*ptr), list); 1276 if (ptr->is_deleted) 1277 continue; 1278 if (!tomoyo_flush(head)) 1279 return false; 1280 tomoyo_set_string(head, tomoyo_group_name[idx]); 1281 tomoyo_set_string(head, group->group_name->name); 1282 if (idx == TOMOYO_PATH_GROUP) { 1283 tomoyo_set_space(head); 1284 tomoyo_set_string(head, container_of 1285 (ptr, struct tomoyo_path_group, 1286 head)->member_name->name); 1287 } else if (idx == TOMOYO_NUMBER_GROUP) { 1288 tomoyo_print_number_union(head, &container_of 1289 (ptr, 1290 struct tomoyo_number_group, 1291 head)->number); 1292 } 1293 tomoyo_set_lf(head); 1294 } 1295 head->r.acl = NULL; 1296 } 1297 head->r.group = NULL; 1298 return true; 1299 } 1300 1301 /** 1302 * tomoyo_read_policy - Read "struct tomoyo_..._entry" list. 1303 * 1304 * @head: Pointer to "struct tomoyo_io_buffer". 1305 * @idx: Index number. 1306 * 1307 * Returns true on success, false otherwise. 1308 * 1309 * Caller holds tomoyo_read_lock(). 1310 */ 1311 static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) 1312 { 1313 list_for_each_cookie(head->r.acl, &tomoyo_policy_list[idx]) { 1314 struct tomoyo_acl_head *acl = 1315 container_of(head->r.acl, typeof(*acl), list); 1316 if (acl->is_deleted) 1317 continue; 1318 if (!tomoyo_flush(head)) 1319 return false; 1320 switch (idx) { 1321 case TOMOYO_ID_TRANSITION_CONTROL: 1322 { 1323 struct tomoyo_transition_control *ptr = 1324 container_of(acl, typeof(*ptr), head); 1325 tomoyo_set_string(head, 1326 tomoyo_transition_type 1327 [ptr->type]); 1328 if (ptr->program) 1329 tomoyo_set_string(head, 1330 ptr->program->name); 1331 if (ptr->program && ptr->domainname) 1332 tomoyo_set_string(head, " from "); 1333 if (ptr->domainname) 1334 tomoyo_set_string(head, 1335 ptr->domainname-> 1336 name); 1337 } 1338 break; 1339 case TOMOYO_ID_GLOBALLY_READABLE: 1340 { 1341 struct tomoyo_readable_file *ptr = 1342 container_of(acl, typeof(*ptr), head); 1343 tomoyo_set_string(head, 1344 TOMOYO_KEYWORD_ALLOW_READ); 1345 tomoyo_set_string(head, ptr->filename->name); 1346 } 1347 break; 1348 case TOMOYO_ID_AGGREGATOR: 1349 { 1350 struct tomoyo_aggregator *ptr = 1351 container_of(acl, typeof(*ptr), head); 1352 tomoyo_set_string(head, 1353 TOMOYO_KEYWORD_AGGREGATOR); 1354 tomoyo_set_string(head, 1355 ptr->original_name->name); 1356 tomoyo_set_space(head); 1357 tomoyo_set_string(head, 1358 ptr->aggregated_name->name); 1359 } 1360 break; 1361 case TOMOYO_ID_PATTERN: 1362 { 1363 struct tomoyo_no_pattern *ptr = 1364 container_of(acl, typeof(*ptr), head); 1365 tomoyo_set_string(head, 1366 TOMOYO_KEYWORD_FILE_PATTERN); 1367 tomoyo_set_string(head, ptr->pattern->name); 1368 } 1369 break; 1370 case TOMOYO_ID_NO_REWRITE: 1371 { 1372 struct tomoyo_no_rewrite *ptr = 1373 container_of(acl, typeof(*ptr), head); 1374 tomoyo_set_string(head, 1375 TOMOYO_KEYWORD_DENY_REWRITE); 1376 tomoyo_set_string(head, ptr->pattern->name); 1377 } 1378 break; 1379 default: 1380 continue; 1381 } 1382 tomoyo_set_lf(head); 1383 } 1384 head->r.acl = NULL; 1385 return true; 1386 } 1387 1388 /** 1389 * tomoyo_read_exception - Read exception policy. 1390 * 1391 * @head: Pointer to "struct tomoyo_io_buffer". 1392 * 1393 * Caller holds tomoyo_read_lock(). 1394 */ 1395 static void tomoyo_read_exception(struct tomoyo_io_buffer *head) 1396 { 1397 if (head->r.eof) 1398 return; 1399 while (head->r.step < TOMOYO_MAX_POLICY && 1400 tomoyo_read_policy(head, head->r.step)) 1401 head->r.step++; 1402 if (head->r.step < TOMOYO_MAX_POLICY) 1403 return; 1404 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP && 1405 tomoyo_read_group(head, head->r.step - TOMOYO_MAX_POLICY)) 1406 head->r.step++; 1407 if (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP) 1408 return; 1409 head->r.eof = true; 1410 } 1411 1412 /** 1413 * tomoyo_print_header - Get header line of audit log. 1414 * 1415 * @r: Pointer to "struct tomoyo_request_info". 1416 * 1417 * Returns string representation. 1418 * 1419 * This function uses kmalloc(), so caller must kfree() if this function 1420 * didn't return NULL. 1421 */ 1422 static char *tomoyo_print_header(struct tomoyo_request_info *r) 1423 { 1424 struct timeval tv; 1425 const pid_t gpid = task_pid_nr(current); 1426 static const int tomoyo_buffer_len = 4096; 1427 char *buffer = kmalloc(tomoyo_buffer_len, GFP_NOFS); 1428 pid_t ppid; 1429 if (!buffer) 1430 return NULL; 1431 do_gettimeofday(&tv); 1432 rcu_read_lock(); 1433 ppid = task_tgid_vnr(current->real_parent); 1434 rcu_read_unlock(); 1435 snprintf(buffer, tomoyo_buffer_len - 1, 1436 "#timestamp=%lu profile=%u mode=%s (global-pid=%u)" 1437 " task={ pid=%u ppid=%u uid=%u gid=%u euid=%u" 1438 " egid=%u suid=%u sgid=%u fsuid=%u fsgid=%u }", 1439 tv.tv_sec, r->profile, tomoyo_mode[r->mode], gpid, 1440 task_tgid_vnr(current), ppid, 1441 current_uid(), current_gid(), current_euid(), 1442 current_egid(), current_suid(), current_sgid(), 1443 current_fsuid(), current_fsgid()); 1444 return buffer; 1445 } 1446 1447 /** 1448 * tomoyo_init_audit_log - Allocate buffer for audit logs. 1449 * 1450 * @len: Required size. 1451 * @r: Pointer to "struct tomoyo_request_info". 1452 * 1453 * Returns pointer to allocated memory. 1454 * 1455 * The @len is updated to add the header lines' size on success. 1456 * 1457 * This function uses kzalloc(), so caller must kfree() if this function 1458 * didn't return NULL. 1459 */ 1460 static char *tomoyo_init_audit_log(int *len, struct tomoyo_request_info *r) 1461 { 1462 char *buf = NULL; 1463 const char *header; 1464 const char *domainname; 1465 if (!r->domain) 1466 r->domain = tomoyo_domain(); 1467 domainname = r->domain->domainname->name; 1468 header = tomoyo_print_header(r); 1469 if (!header) 1470 return NULL; 1471 *len += strlen(domainname) + strlen(header) + 10; 1472 buf = kzalloc(*len, GFP_NOFS); 1473 if (buf) 1474 snprintf(buf, (*len) - 1, "%s\n%s\n", header, domainname); 1475 kfree(header); 1476 return buf; 1477 } 1478 1479 /* Wait queue for tomoyo_query_list. */ 1480 static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait); 1481 1482 /* Lock for manipulating tomoyo_query_list. */ 1483 static DEFINE_SPINLOCK(tomoyo_query_list_lock); 1484 1485 /* Structure for query. */ 1486 struct tomoyo_query { 1487 struct list_head list; 1488 char *query; 1489 int query_len; 1490 unsigned int serial; 1491 int timer; 1492 int answer; 1493 }; 1494 1495 /* The list for "struct tomoyo_query". */ 1496 static LIST_HEAD(tomoyo_query_list); 1497 1498 /* 1499 * Number of "struct file" referring /sys/kernel/security/tomoyo/query 1500 * interface. 1501 */ 1502 static atomic_t tomoyo_query_observers = ATOMIC_INIT(0); 1503 1504 /** 1505 * tomoyo_supervisor - Ask for the supervisor's decision. 1506 * 1507 * @r: Pointer to "struct tomoyo_request_info". 1508 * @fmt: The printf()'s format string, followed by parameters. 1509 * 1510 * Returns 0 if the supervisor decided to permit the access request which 1511 * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the 1512 * supervisor decided to retry the access request which violated the policy in 1513 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise. 1514 */ 1515 int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 1516 { 1517 va_list args; 1518 int error = -EPERM; 1519 int pos; 1520 int len; 1521 static unsigned int tomoyo_serial; 1522 struct tomoyo_query *entry = NULL; 1523 bool quota_exceeded = false; 1524 char *header; 1525 switch (r->mode) { 1526 char *buffer; 1527 case TOMOYO_CONFIG_LEARNING: 1528 if (!tomoyo_domain_quota_is_ok(r)) 1529 return 0; 1530 va_start(args, fmt); 1531 len = vsnprintf((char *) &pos, sizeof(pos) - 1, fmt, args) + 4; 1532 va_end(args); 1533 buffer = kmalloc(len, GFP_NOFS); 1534 if (!buffer) 1535 return 0; 1536 va_start(args, fmt); 1537 vsnprintf(buffer, len - 1, fmt, args); 1538 va_end(args); 1539 tomoyo_normalize_line(buffer); 1540 tomoyo_write_domain2(buffer, r->domain, false); 1541 kfree(buffer); 1542 /* fall through */ 1543 case TOMOYO_CONFIG_PERMISSIVE: 1544 return 0; 1545 } 1546 if (!r->domain) 1547 r->domain = tomoyo_domain(); 1548 if (!atomic_read(&tomoyo_query_observers)) 1549 return -EPERM; 1550 va_start(args, fmt); 1551 len = vsnprintf((char *) &pos, sizeof(pos) - 1, fmt, args) + 32; 1552 va_end(args); 1553 header = tomoyo_init_audit_log(&len, r); 1554 if (!header) 1555 goto out; 1556 entry = kzalloc(sizeof(*entry), GFP_NOFS); 1557 if (!entry) 1558 goto out; 1559 entry->query = kzalloc(len, GFP_NOFS); 1560 if (!entry->query) 1561 goto out; 1562 len = ksize(entry->query); 1563 spin_lock(&tomoyo_query_list_lock); 1564 if (tomoyo_quota_for_query && tomoyo_query_memory_size + len + 1565 sizeof(*entry) >= tomoyo_quota_for_query) { 1566 quota_exceeded = true; 1567 } else { 1568 tomoyo_query_memory_size += len + sizeof(*entry); 1569 entry->serial = tomoyo_serial++; 1570 } 1571 spin_unlock(&tomoyo_query_list_lock); 1572 if (quota_exceeded) 1573 goto out; 1574 pos = snprintf(entry->query, len - 1, "Q%u-%hu\n%s", 1575 entry->serial, r->retry, header); 1576 kfree(header); 1577 header = NULL; 1578 va_start(args, fmt); 1579 vsnprintf(entry->query + pos, len - 1 - pos, fmt, args); 1580 entry->query_len = strlen(entry->query) + 1; 1581 va_end(args); 1582 spin_lock(&tomoyo_query_list_lock); 1583 list_add_tail(&entry->list, &tomoyo_query_list); 1584 spin_unlock(&tomoyo_query_list_lock); 1585 /* Give 10 seconds for supervisor's opinion. */ 1586 for (entry->timer = 0; 1587 atomic_read(&tomoyo_query_observers) && entry->timer < 100; 1588 entry->timer++) { 1589 wake_up(&tomoyo_query_wait); 1590 set_current_state(TASK_INTERRUPTIBLE); 1591 schedule_timeout(HZ / 10); 1592 if (entry->answer) 1593 break; 1594 } 1595 spin_lock(&tomoyo_query_list_lock); 1596 list_del(&entry->list); 1597 tomoyo_query_memory_size -= len + sizeof(*entry); 1598 spin_unlock(&tomoyo_query_list_lock); 1599 switch (entry->answer) { 1600 case 3: /* Asked to retry by administrator. */ 1601 error = TOMOYO_RETRY_REQUEST; 1602 r->retry++; 1603 break; 1604 case 1: 1605 /* Granted by administrator. */ 1606 error = 0; 1607 break; 1608 case 0: 1609 /* Timed out. */ 1610 break; 1611 default: 1612 /* Rejected by administrator. */ 1613 break; 1614 } 1615 out: 1616 if (entry) 1617 kfree(entry->query); 1618 kfree(entry); 1619 kfree(header); 1620 return error; 1621 } 1622 1623 /** 1624 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query. 1625 * 1626 * @file: Pointer to "struct file". 1627 * @wait: Pointer to "poll_table". 1628 * 1629 * Returns POLLIN | POLLRDNORM when ready to read, 0 otherwise. 1630 * 1631 * Waits for access requests which violated policy in enforcing mode. 1632 */ 1633 static int tomoyo_poll_query(struct file *file, poll_table *wait) 1634 { 1635 struct list_head *tmp; 1636 bool found = false; 1637 u8 i; 1638 for (i = 0; i < 2; i++) { 1639 spin_lock(&tomoyo_query_list_lock); 1640 list_for_each(tmp, &tomoyo_query_list) { 1641 struct tomoyo_query *ptr = 1642 list_entry(tmp, typeof(*ptr), list); 1643 if (ptr->answer) 1644 continue; 1645 found = true; 1646 break; 1647 } 1648 spin_unlock(&tomoyo_query_list_lock); 1649 if (found) 1650 return POLLIN | POLLRDNORM; 1651 if (i) 1652 break; 1653 poll_wait(file, &tomoyo_query_wait, wait); 1654 } 1655 return 0; 1656 } 1657 1658 /** 1659 * tomoyo_read_query - Read access requests which violated policy in enforcing mode. 1660 * 1661 * @head: Pointer to "struct tomoyo_io_buffer". 1662 */ 1663 static void tomoyo_read_query(struct tomoyo_io_buffer *head) 1664 { 1665 struct list_head *tmp; 1666 int pos = 0; 1667 int len = 0; 1668 char *buf; 1669 if (head->r.w_pos) 1670 return; 1671 if (head->read_buf) { 1672 kfree(head->read_buf); 1673 head->read_buf = NULL; 1674 } 1675 spin_lock(&tomoyo_query_list_lock); 1676 list_for_each(tmp, &tomoyo_query_list) { 1677 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1678 if (ptr->answer) 1679 continue; 1680 if (pos++ != head->r.query_index) 1681 continue; 1682 len = ptr->query_len; 1683 break; 1684 } 1685 spin_unlock(&tomoyo_query_list_lock); 1686 if (!len) { 1687 head->r.query_index = 0; 1688 return; 1689 } 1690 buf = kzalloc(len, GFP_NOFS); 1691 if (!buf) 1692 return; 1693 pos = 0; 1694 spin_lock(&tomoyo_query_list_lock); 1695 list_for_each(tmp, &tomoyo_query_list) { 1696 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1697 if (ptr->answer) 1698 continue; 1699 if (pos++ != head->r.query_index) 1700 continue; 1701 /* 1702 * Some query can be skipped because tomoyo_query_list 1703 * can change, but I don't care. 1704 */ 1705 if (len == ptr->query_len) 1706 memmove(buf, ptr->query, len); 1707 break; 1708 } 1709 spin_unlock(&tomoyo_query_list_lock); 1710 if (buf[0]) { 1711 head->read_buf = buf; 1712 head->r.w[head->r.w_pos++] = buf; 1713 head->r.query_index++; 1714 } else { 1715 kfree(buf); 1716 } 1717 } 1718 1719 /** 1720 * tomoyo_write_answer - Write the supervisor's decision. 1721 * 1722 * @head: Pointer to "struct tomoyo_io_buffer". 1723 * 1724 * Returns 0 on success, -EINVAL otherwise. 1725 */ 1726 static int tomoyo_write_answer(struct tomoyo_io_buffer *head) 1727 { 1728 char *data = head->write_buf; 1729 struct list_head *tmp; 1730 unsigned int serial; 1731 unsigned int answer; 1732 spin_lock(&tomoyo_query_list_lock); 1733 list_for_each(tmp, &tomoyo_query_list) { 1734 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1735 ptr->timer = 0; 1736 } 1737 spin_unlock(&tomoyo_query_list_lock); 1738 if (sscanf(data, "A%u=%u", &serial, &answer) != 2) 1739 return -EINVAL; 1740 spin_lock(&tomoyo_query_list_lock); 1741 list_for_each(tmp, &tomoyo_query_list) { 1742 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 1743 if (ptr->serial != serial) 1744 continue; 1745 if (!ptr->answer) 1746 ptr->answer = answer; 1747 break; 1748 } 1749 spin_unlock(&tomoyo_query_list_lock); 1750 return 0; 1751 } 1752 1753 /** 1754 * tomoyo_read_version: Get version. 1755 * 1756 * @head: Pointer to "struct tomoyo_io_buffer". 1757 * 1758 * Returns version information. 1759 */ 1760 static void tomoyo_read_version(struct tomoyo_io_buffer *head) 1761 { 1762 if (!head->r.eof) { 1763 tomoyo_io_printf(head, "2.3.0"); 1764 head->r.eof = true; 1765 } 1766 } 1767 1768 /** 1769 * tomoyo_read_self_domain - Get the current process's domainname. 1770 * 1771 * @head: Pointer to "struct tomoyo_io_buffer". 1772 * 1773 * Returns the current process's domainname. 1774 */ 1775 static void tomoyo_read_self_domain(struct tomoyo_io_buffer *head) 1776 { 1777 if (!head->r.eof) { 1778 /* 1779 * tomoyo_domain()->domainname != NULL 1780 * because every process belongs to a domain and 1781 * the domain's name cannot be NULL. 1782 */ 1783 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name); 1784 head->r.eof = true; 1785 } 1786 } 1787 1788 /** 1789 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 1790 * 1791 * @type: Type of interface. 1792 * @file: Pointer to "struct file". 1793 * 1794 * Associates policy handler and returns 0 on success, -ENOMEM otherwise. 1795 * 1796 * Caller acquires tomoyo_read_lock(). 1797 */ 1798 int tomoyo_open_control(const u8 type, struct file *file) 1799 { 1800 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS); 1801 1802 if (!head) 1803 return -ENOMEM; 1804 mutex_init(&head->io_sem); 1805 head->type = type; 1806 switch (type) { 1807 case TOMOYO_DOMAINPOLICY: 1808 /* /sys/kernel/security/tomoyo/domain_policy */ 1809 head->write = tomoyo_write_domain; 1810 head->read = tomoyo_read_domain; 1811 break; 1812 case TOMOYO_EXCEPTIONPOLICY: 1813 /* /sys/kernel/security/tomoyo/exception_policy */ 1814 head->write = tomoyo_write_exception; 1815 head->read = tomoyo_read_exception; 1816 break; 1817 case TOMOYO_SELFDOMAIN: 1818 /* /sys/kernel/security/tomoyo/self_domain */ 1819 head->read = tomoyo_read_self_domain; 1820 break; 1821 case TOMOYO_DOMAIN_STATUS: 1822 /* /sys/kernel/security/tomoyo/.domain_status */ 1823 head->write = tomoyo_write_domain_profile; 1824 head->read = tomoyo_read_domain_profile; 1825 break; 1826 case TOMOYO_PROCESS_STATUS: 1827 /* /sys/kernel/security/tomoyo/.process_status */ 1828 head->write = tomoyo_write_pid; 1829 head->read = tomoyo_read_pid; 1830 break; 1831 case TOMOYO_VERSION: 1832 /* /sys/kernel/security/tomoyo/version */ 1833 head->read = tomoyo_read_version; 1834 head->readbuf_size = 128; 1835 break; 1836 case TOMOYO_MEMINFO: 1837 /* /sys/kernel/security/tomoyo/meminfo */ 1838 head->write = tomoyo_write_memory_quota; 1839 head->read = tomoyo_read_memory_counter; 1840 head->readbuf_size = 512; 1841 break; 1842 case TOMOYO_PROFILE: 1843 /* /sys/kernel/security/tomoyo/profile */ 1844 head->write = tomoyo_write_profile; 1845 head->read = tomoyo_read_profile; 1846 break; 1847 case TOMOYO_QUERY: /* /sys/kernel/security/tomoyo/query */ 1848 head->poll = tomoyo_poll_query; 1849 head->write = tomoyo_write_answer; 1850 head->read = tomoyo_read_query; 1851 break; 1852 case TOMOYO_MANAGER: 1853 /* /sys/kernel/security/tomoyo/manager */ 1854 head->write = tomoyo_write_manager; 1855 head->read = tomoyo_read_manager; 1856 break; 1857 } 1858 if (!(file->f_mode & FMODE_READ)) { 1859 /* 1860 * No need to allocate read_buf since it is not opened 1861 * for reading. 1862 */ 1863 head->read = NULL; 1864 head->poll = NULL; 1865 } else if (!head->poll) { 1866 /* Don't allocate read_buf for poll() access. */ 1867 if (!head->readbuf_size) 1868 head->readbuf_size = 4096 * 2; 1869 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); 1870 if (!head->read_buf) { 1871 kfree(head); 1872 return -ENOMEM; 1873 } 1874 } 1875 if (!(file->f_mode & FMODE_WRITE)) { 1876 /* 1877 * No need to allocate write_buf since it is not opened 1878 * for writing. 1879 */ 1880 head->write = NULL; 1881 } else if (head->write) { 1882 head->writebuf_size = 4096 * 2; 1883 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); 1884 if (!head->write_buf) { 1885 kfree(head->read_buf); 1886 kfree(head); 1887 return -ENOMEM; 1888 } 1889 } 1890 if (type != TOMOYO_QUERY) 1891 head->reader_idx = tomoyo_read_lock(); 1892 file->private_data = head; 1893 /* 1894 * Call the handler now if the file is 1895 * /sys/kernel/security/tomoyo/self_domain 1896 * so that the user can use 1897 * cat < /sys/kernel/security/tomoyo/self_domain" 1898 * to know the current process's domainname. 1899 */ 1900 if (type == TOMOYO_SELFDOMAIN) 1901 tomoyo_read_control(file, NULL, 0); 1902 /* 1903 * If the file is /sys/kernel/security/tomoyo/query , increment the 1904 * observer counter. 1905 * The obserber counter is used by tomoyo_supervisor() to see if 1906 * there is some process monitoring /sys/kernel/security/tomoyo/query. 1907 */ 1908 else if (type == TOMOYO_QUERY) 1909 atomic_inc(&tomoyo_query_observers); 1910 return 0; 1911 } 1912 1913 /** 1914 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface. 1915 * 1916 * @file: Pointer to "struct file". 1917 * @wait: Pointer to "poll_table". 1918 * 1919 * Waits for read readiness. 1920 * /sys/kernel/security/tomoyo/query is handled by /usr/sbin/tomoyo-queryd . 1921 */ 1922 int tomoyo_poll_control(struct file *file, poll_table *wait) 1923 { 1924 struct tomoyo_io_buffer *head = file->private_data; 1925 if (!head->poll) 1926 return -ENOSYS; 1927 return head->poll(file, wait); 1928 } 1929 1930 /** 1931 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 1932 * 1933 * @file: Pointer to "struct file". 1934 * @buffer: Poiner to buffer to write to. 1935 * @buffer_len: Size of @buffer. 1936 * 1937 * Returns bytes read on success, negative value otherwise. 1938 * 1939 * Caller holds tomoyo_read_lock(). 1940 */ 1941 int tomoyo_read_control(struct file *file, char __user *buffer, 1942 const int buffer_len) 1943 { 1944 int len; 1945 struct tomoyo_io_buffer *head = file->private_data; 1946 1947 if (!head->read) 1948 return -ENOSYS; 1949 if (mutex_lock_interruptible(&head->io_sem)) 1950 return -EINTR; 1951 head->read_user_buf = buffer; 1952 head->read_user_buf_avail = buffer_len; 1953 if (tomoyo_flush(head)) 1954 /* Call the policy handler. */ 1955 head->read(head); 1956 tomoyo_flush(head); 1957 len = head->read_user_buf - buffer; 1958 mutex_unlock(&head->io_sem); 1959 return len; 1960 } 1961 1962 /** 1963 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 1964 * 1965 * @file: Pointer to "struct file". 1966 * @buffer: Pointer to buffer to read from. 1967 * @buffer_len: Size of @buffer. 1968 * 1969 * Returns @buffer_len on success, negative value otherwise. 1970 * 1971 * Caller holds tomoyo_read_lock(). 1972 */ 1973 int tomoyo_write_control(struct file *file, const char __user *buffer, 1974 const int buffer_len) 1975 { 1976 struct tomoyo_io_buffer *head = file->private_data; 1977 int error = buffer_len; 1978 int avail_len = buffer_len; 1979 char *cp0 = head->write_buf; 1980 1981 if (!head->write) 1982 return -ENOSYS; 1983 if (!access_ok(VERIFY_READ, buffer, buffer_len)) 1984 return -EFAULT; 1985 /* Don't allow updating policies by non manager programs. */ 1986 if (head->write != tomoyo_write_pid && 1987 head->write != tomoyo_write_domain && !tomoyo_manager()) 1988 return -EPERM; 1989 if (mutex_lock_interruptible(&head->io_sem)) 1990 return -EINTR; 1991 /* Read a line and dispatch it to the policy handler. */ 1992 while (avail_len > 0) { 1993 char c; 1994 if (head->write_avail >= head->writebuf_size - 1) { 1995 error = -ENOMEM; 1996 break; 1997 } else if (get_user(c, buffer)) { 1998 error = -EFAULT; 1999 break; 2000 } 2001 buffer++; 2002 avail_len--; 2003 cp0[head->write_avail++] = c; 2004 if (c != '\n') 2005 continue; 2006 cp0[head->write_avail - 1] = '\0'; 2007 head->write_avail = 0; 2008 tomoyo_normalize_line(cp0); 2009 head->write(head); 2010 } 2011 mutex_unlock(&head->io_sem); 2012 return error; 2013 } 2014 2015 /** 2016 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 2017 * 2018 * @file: Pointer to "struct file". 2019 * 2020 * Releases memory and returns 0. 2021 * 2022 * Caller looses tomoyo_read_lock(). 2023 */ 2024 int tomoyo_close_control(struct file *file) 2025 { 2026 struct tomoyo_io_buffer *head = file->private_data; 2027 const bool is_write = !!head->write_buf; 2028 2029 /* 2030 * If the file is /sys/kernel/security/tomoyo/query , decrement the 2031 * observer counter. 2032 */ 2033 if (head->type == TOMOYO_QUERY) 2034 atomic_dec(&tomoyo_query_observers); 2035 else 2036 tomoyo_read_unlock(head->reader_idx); 2037 /* Release memory used for policy I/O. */ 2038 kfree(head->read_buf); 2039 head->read_buf = NULL; 2040 kfree(head->write_buf); 2041 head->write_buf = NULL; 2042 kfree(head); 2043 head = NULL; 2044 file->private_data = NULL; 2045 if (is_write) 2046 tomoyo_run_gc(); 2047 return 0; 2048 } 2049 2050 /** 2051 * tomoyo_check_profile - Check all profiles currently assigned to domains are defined. 2052 */ 2053 void tomoyo_check_profile(void) 2054 { 2055 struct tomoyo_domain_info *domain; 2056 const int idx = tomoyo_read_lock(); 2057 tomoyo_policy_loaded = true; 2058 /* Check all profiles currently assigned to domains are defined. */ 2059 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) { 2060 const u8 profile = domain->profile; 2061 if (tomoyo_profile_ptr[profile]) 2062 continue; 2063 printk(KERN_ERR "You need to define profile %u before using it.\n", 2064 profile); 2065 printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/2.3/ " 2066 "for more information.\n"); 2067 panic("Profile %u (used by '%s') not defined.\n", 2068 profile, domain->domainname->name); 2069 } 2070 tomoyo_read_unlock(idx); 2071 if (tomoyo_profile_version != 20090903) { 2072 printk(KERN_ERR "You need to install userland programs for " 2073 "TOMOYO 2.3 and initialize policy configuration.\n"); 2074 printk(KERN_ERR "Please see http://tomoyo.sourceforge.jp/2.3/ " 2075 "for more information.\n"); 2076 panic("Profile version %u is not supported.\n", 2077 tomoyo_profile_version); 2078 } 2079 printk(KERN_INFO "TOMOYO: 2.3.0\n"); 2080 printk(KERN_INFO "Mandatory Access Control activated.\n"); 2081 } 2082