2 * security/tomoyo/common.c
4 * Common functions for TOMOYO.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
12 #include <linux/uaccess.h>
13 #include <linux/security.h>
14 #include <linux/hardirq.h>
17 /* Lock for protecting policy. */
18 DEFINE_MUTEX(tomoyo_policy_lock);
20 /* Has loading policy done? */
21 bool tomoyo_policy_loaded;
23 /* String table for functionality that takes 4 modes. */
24 static const char *tomoyo_mode_4[4] = {
25 "disabled", "learning", "permissive", "enforcing"
27 /* String table for functionality that takes 2 modes. */
28 static const char *tomoyo_mode_2[4] = {
29 "disabled", "enabled", "enabled", "enabled"
33 * tomoyo_control_array is a static data which contains
35 * (1) functionality name used by /sys/kernel/security/tomoyo/profile .
36 * (2) initial values for "struct tomoyo_profile".
37 * (3) max values for "struct tomoyo_profile".
41 unsigned int current_value;
42 const unsigned int max_value;
43 } tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = {
44 [TOMOYO_MAC_FOR_FILE] = { "MAC_FOR_FILE", 0, 3 },
45 [TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX },
46 [TOMOYO_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 },
50 * tomoyo_profile is a structure which is used for holding the mode of access
51 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
52 * An administrator can define up to 256 profiles.
53 * The ->profile of "struct tomoyo_domain_info" is used for remembering
54 * the profile's number (0 - 255) assigned to that domain.
56 static struct tomoyo_profile {
57 unsigned int value[TOMOYO_MAX_CONTROL_INDEX];
58 const struct tomoyo_path_info *comment;
59 } *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES];
61 /* Permit policy management by non-root user? */
62 static bool tomoyo_manage_by_non_root;
64 /* Utility functions. */
66 /* Open operation for /sys/kernel/security/tomoyo/ interface. */
67 static int tomoyo_open_control(const u8 type, struct file *file);
68 /* Close /sys/kernel/security/tomoyo/ interface. */
69 static int tomoyo_close_control(struct file *file);
70 /* Read operation for /sys/kernel/security/tomoyo/ interface. */
71 static int tomoyo_read_control(struct file *file, char __user *buffer,
72 const int buffer_len);
73 /* Write operation for /sys/kernel/security/tomoyo/ interface. */
74 static int tomoyo_write_control(struct file *file, const char __user *buffer,
75 const int buffer_len);
78 * tomoyo_is_byte_range - Check whether the string isa \ooo style octal value.
80 * @str: Pointer to the string.
82 * Returns true if @str is a \ooo style octal value, false otherwise.
84 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
85 * This function verifies that \ooo is in valid range.
87 static inline bool tomoyo_is_byte_range(const char *str)
89 return *str >= '0' && *str++ <= '3' &&
90 *str >= '0' && *str++ <= '7' &&
91 *str >= '0' && *str <= '7';
95 * tomoyo_is_alphabet_char - Check whether the character is an alphabet.
97 * @c: The character to check.
99 * Returns true if @c is an alphabet character, false otherwise.
101 static inline bool tomoyo_is_alphabet_char(const char c)
103 return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
107 * tomoyo_make_byte - Make byte value from three octal characters.
109 * @c1: The first character.
110 * @c2: The second character.
111 * @c3: The third character.
113 * Returns byte value.
115 static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3)
117 return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0');
121 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
123 * @src: Pointer to pointer to the string.
124 * @find: Pointer to the keyword.
126 * Returns true if @src starts with @find, false otherwise.
128 * The @src is updated to point the first character after the @find
129 * if @src starts with @find.
131 static bool tomoyo_str_starts(char **src, const char *find)
133 const int len = strlen(find);
136 if (strncmp(tmp, find, len))
144 * tomoyo_normalize_line - Format string.
146 * @buffer: The line to normalize.
148 * Leading and trailing whitespaces are removed.
149 * Multiple whitespaces are packed into single space.
153 static void tomoyo_normalize_line(unsigned char *buffer)
155 unsigned char *sp = buffer;
156 unsigned char *dp = buffer;
159 while (tomoyo_is_invalid(*sp))
165 while (tomoyo_is_valid(*sp))
167 while (tomoyo_is_invalid(*sp))
174 * tomoyo_is_correct_path - Validate a pathname.
175 * @filename: The pathname to check.
176 * @start_type: Should the pathname start with '/'?
177 * 1 = must / -1 = must not / 0 = don't care
178 * @pattern_type: Can the pathname contain a wildcard?
179 * 1 = must / -1 = must not / 0 = don't care
180 * @end_type: Should the pathname end with '/'?
181 * 1 = must / -1 = must not / 0 = don't care
183 * Check whether the given filename follows the naming rules.
184 * Returns true if @filename follows the naming rules, false otherwise.
186 bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
187 const s8 pattern_type, const s8 end_type)
189 const char *const start = filename;
190 bool in_repetition = false;
191 bool contains_pattern = false;
199 if (start_type == 1) { /* Must start with '/' */
202 } else if (start_type == -1) { /* Must not start with '/' */
207 c = *(filename + strlen(filename) - 1);
208 if (end_type == 1) { /* Must end with '/' */
211 } else if (end_type == -1) { /* Must not end with '/' */
222 case '\\': /* "\\" */
234 if (pattern_type == -1)
235 break; /* Must not contain pattern */
236 contains_pattern = true;
238 case '{': /* "/\{" */
239 if (filename - 3 < start ||
240 *(filename - 3) != '/')
242 if (pattern_type == -1)
243 break; /* Must not contain pattern */
244 contains_pattern = true;
245 in_repetition = true;
247 case '}': /* "\}/" */
248 if (*filename != '/')
252 in_repetition = false;
254 case '0': /* "\ooo" */
259 if (d < '0' || d > '7')
262 if (e < '0' || e > '7')
264 c = tomoyo_make_byte(c, d, e);
265 if (tomoyo_is_invalid(c))
266 continue; /* pattern is not \000 */
269 } else if (in_repetition && c == '/') {
271 } else if (tomoyo_is_invalid(c)) {
275 if (pattern_type == 1) { /* Must contain pattern */
276 if (!contains_pattern)
287 * tomoyo_is_correct_domain - Check whether the given domainname follows the naming rules.
288 * @domainname: The domainname to check.
290 * Returns true if @domainname follows the naming rules, false otherwise.
292 bool tomoyo_is_correct_domain(const unsigned char *domainname)
298 if (!domainname || strncmp(domainname, TOMOYO_ROOT_NAME,
299 TOMOYO_ROOT_NAME_LEN))
301 domainname += TOMOYO_ROOT_NAME_LEN;
305 if (*domainname++ != ' ')
307 if (*domainname++ != '/')
309 while ((c = *domainname) != '\0' && c != ' ') {
314 case '\\': /* "\\" */
316 case '0': /* "\ooo" */
321 if (d < '0' || d > '7')
324 if (e < '0' || e > '7')
326 c = tomoyo_make_byte(c, d, e);
327 if (tomoyo_is_invalid(c))
328 /* pattern is not \000 */
332 } else if (tomoyo_is_invalid(c)) {
336 } while (*domainname);
343 * tomoyo_is_domain_def - Check whether the given token can be a domainname.
345 * @buffer: The token to check.
347 * Returns true if @buffer possibly be a domainname, false otherwise.
349 bool tomoyo_is_domain_def(const unsigned char *buffer)
351 return !strncmp(buffer, TOMOYO_ROOT_NAME, TOMOYO_ROOT_NAME_LEN);
355 * tomoyo_find_domain - Find a domain by the given name.
357 * @domainname: The domainname to find.
359 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
361 * Caller holds tomoyo_read_lock().
363 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
365 struct tomoyo_domain_info *domain;
366 struct tomoyo_path_info name;
368 name.name = domainname;
369 tomoyo_fill_path_info(&name);
370 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
371 if (!domain->is_deleted &&
372 !tomoyo_pathcmp(&name, domain->domainname))
379 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
381 * @filename: The string to evaluate.
383 * Returns the initial length without a pattern in @filename.
385 static int tomoyo_const_part_length(const char *filename)
392 while ((c = *filename++) != '\0') {
399 case '\\': /* "\\" */
402 case '0': /* "\ooo" */
407 if (c < '0' || c > '7')
410 if (c < '0' || c > '7')
421 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
423 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
425 * The caller sets "struct tomoyo_path_info"->name.
427 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
429 const char *name = ptr->name;
430 const int len = strlen(name);
432 ptr->const_len = tomoyo_const_part_length(name);
433 ptr->is_dir = len && (name[len - 1] == '/');
434 ptr->is_patterned = (ptr->const_len < len);
435 ptr->hash = full_name_hash(name, len);
439 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
442 * @filename: The start of string to check.
443 * @filename_end: The end of string to check.
444 * @pattern: The start of pattern to compare.
445 * @pattern_end: The end of pattern to compare.
447 * Returns true if @filename matches @pattern, false otherwise.
449 static bool tomoyo_file_matches_pattern2(const char *filename,
450 const char *filename_end,
452 const char *pattern_end)
454 while (filename < filename_end && pattern < pattern_end) {
456 if (*pattern != '\\') {
457 if (*filename++ != *pattern++)
469 } else if (c == '\\') {
470 if (filename[1] == '\\')
472 else if (tomoyo_is_byte_range(filename + 1))
481 if (*++filename != '\\')
493 if (!tomoyo_is_alphabet_char(c))
500 if (c == '\\' && tomoyo_is_byte_range(filename + 1)
501 && strncmp(filename + 1, pattern, 3) == 0) {
506 return false; /* Not matched. */
509 for (i = 0; i <= filename_end - filename; i++) {
510 if (tomoyo_file_matches_pattern2(
511 filename + i, filename_end,
512 pattern + 1, pattern_end))
515 if (c == '.' && *pattern == '@')
519 if (filename[i + 1] == '\\')
521 else if (tomoyo_is_byte_range(filename + i + 1))
524 break; /* Bad pattern. */
526 return false; /* Not matched. */
531 while (isdigit(filename[j]))
533 } else if (c == 'X') {
534 while (isxdigit(filename[j]))
536 } else if (c == 'A') {
537 while (tomoyo_is_alphabet_char(filename[j]))
540 for (i = 1; i <= j; i++) {
541 if (tomoyo_file_matches_pattern2(
542 filename + i, filename_end,
543 pattern + 1, pattern_end))
546 return false; /* Not matched or bad pattern. */
551 while (*pattern == '\\' &&
552 (*(pattern + 1) == '*' || *(pattern + 1) == '@'))
554 return filename == filename_end && pattern == pattern_end;
558 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
560 * @filename: The start of string to check.
561 * @filename_end: The end of string to check.
562 * @pattern: The start of pattern to compare.
563 * @pattern_end: The end of pattern to compare.
565 * Returns true if @filename matches @pattern, false otherwise.
567 static bool tomoyo_file_matches_pattern(const char *filename,
568 const char *filename_end,
570 const char *pattern_end)
572 const char *pattern_start = pattern;
576 while (pattern < pattern_end - 1) {
577 /* Split at "\-" pattern. */
578 if (*pattern++ != '\\' || *pattern++ != '-')
580 result = tomoyo_file_matches_pattern2(filename,
589 pattern_start = pattern;
591 result = tomoyo_file_matches_pattern2(filename, filename_end,
592 pattern_start, pattern_end);
593 return first ? result : !result;
597 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
599 * @f: The start of string to check.
600 * @p: The start of pattern to compare.
602 * Returns true if @f matches @p, false otherwise.
604 static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
606 const char *f_delimiter;
607 const char *p_delimiter;
610 f_delimiter = strchr(f, '/');
612 f_delimiter = f + strlen(f);
613 p_delimiter = strchr(p, '/');
615 p_delimiter = p + strlen(p);
616 if (*p == '\\' && *(p + 1) == '{')
618 if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
628 /* Ignore trailing "\*" and "\@" in @pattern. */
630 (*(p + 1) == '*' || *(p + 1) == '@'))
635 * The "\{" pattern is permitted only after '/' character.
636 * This guarantees that below "*(p - 1)" is safe.
637 * Also, the "\}" pattern is permitted only before '/' character
638 * so that "\{" + "\}" pair will not break the "\-" operator.
640 if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
641 *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
642 return false; /* Bad pattern. */
644 /* Compare current component with pattern. */
645 if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
648 /* Proceed to next component. */
653 /* Continue comparison. */
654 if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
656 f_delimiter = strchr(f, '/');
657 } while (f_delimiter);
658 return false; /* Not matched. */
662 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
664 * @filename: The filename to check.
665 * @pattern: The pattern to compare.
667 * Returns true if matches, false otherwise.
669 * The following patterns are available.
671 * \ooo Octal representation of a byte.
672 * \* Zero or more repetitions of characters other than '/'.
673 * \@ Zero or more repetitions of characters other than '/' or '.'.
674 * \? 1 byte character other than '/'.
675 * \$ One or more repetitions of decimal digits.
676 * \+ 1 decimal digit.
677 * \X One or more repetitions of hexadecimal digits.
678 * \x 1 hexadecimal digit.
679 * \A One or more repetitions of alphabet characters.
680 * \a 1 alphabet character.
682 * \- Subtraction operator.
684 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
687 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
688 const struct tomoyo_path_info *pattern)
690 const char *f = filename->name;
691 const char *p = pattern->name;
692 const int len = pattern->const_len;
694 /* If @pattern doesn't contain pattern, I can use strcmp(). */
695 if (!pattern->is_patterned)
696 return !tomoyo_pathcmp(filename, pattern);
697 /* Don't compare directory and non-directory. */
698 if (filename->is_dir != pattern->is_dir)
700 /* Compare the initial length without patterns. */
701 if (strncmp(f, p, len))
705 return tomoyo_path_matches_pattern2(f, p);
709 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
711 * @head: Pointer to "struct tomoyo_io_buffer".
712 * @fmt: The printf()'s format string, followed by parameters.
714 * Returns true if output was written, false otherwise.
716 * The snprintf() will truncate, but tomoyo_io_printf() won't.
718 bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
722 int pos = head->read_avail;
723 int size = head->readbuf_size - pos;
728 len = vsnprintf(head->read_buf + pos, size, fmt, args);
730 if (pos + len >= head->readbuf_size)
732 head->read_avail += len;
737 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
739 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
741 * This function uses kzalloc(), so the caller must call kfree()
742 * if this function didn't return NULL.
744 static const char *tomoyo_get_exe(void)
746 struct mm_struct *mm = current->mm;
747 struct vm_area_struct *vma;
748 const char *cp = NULL;
752 down_read(&mm->mmap_sem);
753 for (vma = mm->mmap; vma; vma = vma->vm_next) {
754 if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) {
755 cp = tomoyo_realpath_from_path(&vma->vm_file->f_path);
759 up_read(&mm->mmap_sem);
764 * tomoyo_get_msg - Get warning message.
766 * @is_enforce: Is it enforcing mode?
768 * Returns "ERROR" or "WARNING".
770 const char *tomoyo_get_msg(const bool is_enforce)
779 * tomoyo_check_flags - Check mode for specified functionality.
781 * @domain: Pointer to "struct tomoyo_domain_info".
782 * @index: The functionality to check mode.
784 * TOMOYO checks only process context.
785 * This code disables TOMOYO's enforcement in case the function is called from
788 unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
791 const u8 profile = domain->profile;
793 if (WARN_ON(in_interrupt()))
795 return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX
796 #if TOMOYO_MAX_PROFILES != 256
797 && profile < TOMOYO_MAX_PROFILES
799 && tomoyo_profile_ptr[profile] ?
800 tomoyo_profile_ptr[profile]->value[index] : 0;
804 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
806 * @domain: Pointer to "struct tomoyo_domain_info".
808 * Returns true if domain policy violation warning should be printed to
811 bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain)
813 return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0;
817 * tomoyo_domain_quota_is_ok - Check for domain's quota.
819 * @domain: Pointer to "struct tomoyo_domain_info".
821 * Returns true if the domain is not exceeded quota, false otherwise.
823 * Caller holds tomoyo_read_lock().
825 bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
827 unsigned int count = 0;
828 struct tomoyo_acl_info *ptr;
832 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
834 struct tomoyo_path_acl *acl;
837 case TOMOYO_TYPE_PATH_ACL:
838 acl = container_of(ptr, struct tomoyo_path_acl, head);
839 perm = acl->perm | (((u32) acl->perm_high) << 16);
840 for (i = 0; i < TOMOYO_MAX_PATH_OPERATION; i++)
843 if (perm & (1 << TOMOYO_TYPE_READ_WRITE))
846 case TOMOYO_TYPE_PATH2_ACL:
847 perm = container_of(ptr, struct tomoyo_path2_acl, head)
849 for (i = 0; i < TOMOYO_MAX_PATH2_OPERATION; i++)
855 if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
857 if (!domain->quota_warned) {
858 domain->quota_warned = true;
859 printk(KERN_WARNING "TOMOYO-WARNING: "
860 "Domain '%s' has so many ACLs to hold. "
861 "Stopped learning mode.\n", domain->domainname->name);
867 * tomoyo_find_or_assign_new_profile - Create a new profile.
869 * @profile: Profile number to create.
871 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
873 static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
876 static DEFINE_MUTEX(lock);
877 struct tomoyo_profile *ptr = NULL;
880 if (profile >= TOMOYO_MAX_PROFILES)
883 ptr = tomoyo_profile_ptr[profile];
886 ptr = kmalloc(sizeof(*ptr), GFP_KERNEL);
887 if (!tomoyo_memory_ok(ptr)) {
891 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++)
892 ptr->value[i] = tomoyo_control_array[i].current_value;
893 mb(); /* Avoid out-of-order execution. */
894 tomoyo_profile_ptr[profile] = ptr;
901 * tomoyo_write_profile - Write to profile table.
903 * @head: Pointer to "struct tomoyo_io_buffer".
905 * Returns 0 on success, negative value otherwise.
907 static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
909 char *data = head->write_buf;
913 struct tomoyo_profile *profile;
916 cp = strchr(data, '-');
919 if (strict_strtoul(data, 10, &num))
923 profile = tomoyo_find_or_assign_new_profile(num);
926 cp = strchr(data, '=');
930 if (!strcmp(data, "COMMENT")) {
931 const struct tomoyo_path_info *old_comment = profile->comment;
932 profile->comment = tomoyo_get_name(cp + 1);
933 tomoyo_put_name(old_comment);
936 for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) {
937 if (strcmp(data, tomoyo_control_array[i].keyword))
939 if (sscanf(cp + 1, "%u", &value) != 1) {
944 modes = tomoyo_mode_2;
947 modes = tomoyo_mode_4;
950 for (j = 0; j < 4; j++) {
951 if (strcmp(cp + 1, modes[j]))
958 } else if (value > tomoyo_control_array[i].max_value) {
959 value = tomoyo_control_array[i].max_value;
961 profile->value[i] = value;
968 * tomoyo_read_profile - Read from profile table.
970 * @head: Pointer to "struct tomoyo_io_buffer".
974 static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
976 static const int total = TOMOYO_MAX_CONTROL_INDEX + 1;
981 for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total;
983 const u8 index = step / total;
984 u8 type = step % total;
985 const struct tomoyo_profile *profile
986 = tomoyo_profile_ptr[index];
987 head->read_step = step;
990 if (!type) { /* Print profile' comment tag. */
991 if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n",
992 index, profile->comment ?
993 profile->comment->name : ""))
998 if (type < TOMOYO_MAX_CONTROL_INDEX) {
999 const unsigned int value = profile->value[type];
1000 const char **modes = NULL;
1002 = tomoyo_control_array[type].keyword;
1003 switch (tomoyo_control_array[type].max_value) {
1005 modes = tomoyo_mode_4;
1008 modes = tomoyo_mode_2;
1012 if (!tomoyo_io_printf(head, "%u-%s=%s\n", index,
1013 keyword, modes[value]))
1016 if (!tomoyo_io_printf(head, "%u-%s=%u\n", index,
1022 if (step == TOMOYO_MAX_PROFILES * total)
1023 head->read_eof = true;
1028 * tomoyo_policy_manager_list is used for holding list of domainnames or
1029 * programs which are permitted to modify configuration via
1030 * /sys/kernel/security/tomoyo/ interface.
1032 * An entry is added by
1034 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
1035 * /sys/kernel/security/tomoyo/manager
1036 * (if you want to specify by a domainname)
1040 * # echo '/usr/lib/ccs/editpolicy' > /sys/kernel/security/tomoyo/manager
1041 * (if you want to specify by a program's location)
1045 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
1046 * /sys/kernel/security/tomoyo/manager
1050 * # echo 'delete /usr/lib/ccs/editpolicy' > \
1051 * /sys/kernel/security/tomoyo/manager
1053 * and all entries are retrieved by
1055 * # cat /sys/kernel/security/tomoyo/manager
1057 LIST_HEAD(tomoyo_policy_manager_list);
1060 * tomoyo_update_manager_entry - Add a manager entry.
1062 * @manager: The path to manager or the domainnamme.
1063 * @is_delete: True if it is a delete request.
1065 * Returns 0 on success, negative value otherwise.
1067 * Caller holds tomoyo_read_lock().
1069 static int tomoyo_update_manager_entry(const char *manager,
1070 const bool is_delete)
1072 struct tomoyo_policy_manager_entry *entry = NULL;
1073 struct tomoyo_policy_manager_entry *ptr;
1074 const struct tomoyo_path_info *saved_manager;
1075 int error = is_delete ? -ENOENT : -ENOMEM;
1076 bool is_domain = false;
1078 if (tomoyo_is_domain_def(manager)) {
1079 if (!tomoyo_is_correct_domain(manager))
1083 if (!tomoyo_is_correct_path(manager, 1, -1, -1))
1086 saved_manager = tomoyo_get_name(manager);
1090 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
1091 mutex_lock(&tomoyo_policy_lock);
1092 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1093 if (ptr->manager != saved_manager)
1095 ptr->is_deleted = is_delete;
1099 if (!is_delete && error && tomoyo_memory_ok(entry)) {
1100 entry->manager = saved_manager;
1101 saved_manager = NULL;
1102 entry->is_domain = is_domain;
1103 list_add_tail_rcu(&entry->list, &tomoyo_policy_manager_list);
1107 mutex_unlock(&tomoyo_policy_lock);
1108 tomoyo_put_name(saved_manager);
1114 * tomoyo_write_manager_policy - Write manager policy.
1116 * @head: Pointer to "struct tomoyo_io_buffer".
1118 * Returns 0 on success, negative value otherwise.
1120 * Caller holds tomoyo_read_lock().
1122 static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
1124 char *data = head->write_buf;
1125 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
1127 if (!strcmp(data, "manage_by_non_root")) {
1128 tomoyo_manage_by_non_root = !is_delete;
1131 return tomoyo_update_manager_entry(data, is_delete);
1135 * tomoyo_read_manager_policy - Read manager policy.
1137 * @head: Pointer to "struct tomoyo_io_buffer".
1141 * Caller holds tomoyo_read_lock().
1143 static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
1145 struct list_head *pos;
1150 list_for_each_cookie(pos, head->read_var2,
1151 &tomoyo_policy_manager_list) {
1152 struct tomoyo_policy_manager_entry *ptr;
1153 ptr = list_entry(pos, struct tomoyo_policy_manager_entry,
1155 if (ptr->is_deleted)
1157 done = tomoyo_io_printf(head, "%s\n", ptr->manager->name);
1161 head->read_eof = done;
1166 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
1168 * Returns true if the current process is permitted to modify policy
1169 * via /sys/kernel/security/tomoyo/ interface.
1171 * Caller holds tomoyo_read_lock().
1173 static bool tomoyo_is_policy_manager(void)
1175 struct tomoyo_policy_manager_entry *ptr;
1177 const struct task_struct *task = current;
1178 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
1181 if (!tomoyo_policy_loaded)
1183 if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
1185 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1186 if (!ptr->is_deleted && ptr->is_domain
1187 && !tomoyo_pathcmp(domainname, ptr->manager)) {
1194 exe = tomoyo_get_exe();
1197 list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
1198 if (!ptr->is_deleted && !ptr->is_domain
1199 && !strcmp(exe, ptr->manager->name)) {
1204 if (!found) { /* Reduce error messages. */
1205 static pid_t last_pid;
1206 const pid_t pid = current->pid;
1207 if (last_pid != pid) {
1208 printk(KERN_WARNING "%s ( %s ) is not permitted to "
1209 "update policies.\n", domainname->name, exe);
1218 * tomoyo_is_select_one - Parse select command.
1220 * @head: Pointer to "struct tomoyo_io_buffer".
1221 * @data: String to parse.
1223 * Returns true on success, false otherwise.
1225 * Caller holds tomoyo_read_lock().
1227 static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
1231 struct tomoyo_domain_info *domain = NULL;
1233 if (sscanf(data, "pid=%u", &pid) == 1) {
1234 struct task_struct *p;
1236 read_lock(&tasklist_lock);
1237 p = find_task_by_vpid(pid);
1239 domain = tomoyo_real_domain(p);
1240 read_unlock(&tasklist_lock);
1242 } else if (!strncmp(data, "domain=", 7)) {
1243 if (tomoyo_is_domain_def(data + 7))
1244 domain = tomoyo_find_domain(data + 7);
1247 head->write_var1 = domain;
1248 /* Accessing read_buf is safe because head->io_sem is held. */
1249 if (!head->read_buf)
1250 return true; /* Do nothing if open(O_WRONLY). */
1251 head->read_avail = 0;
1252 tomoyo_io_printf(head, "# select %s\n", data);
1253 head->read_single_domain = true;
1254 head->read_eof = !domain;
1256 struct tomoyo_domain_info *d;
1257 head->read_var1 = NULL;
1258 list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
1261 head->read_var1 = &d->list;
1263 head->read_var2 = NULL;
1265 head->read_step = 0;
1266 if (domain->is_deleted)
1267 tomoyo_io_printf(head, "# This is a deleted domain.\n");
1273 * tomoyo_delete_domain - Delete a domain.
1275 * @domainname: The name of domain.
1279 * Caller holds tomoyo_read_lock().
1281 static int tomoyo_delete_domain(char *domainname)
1283 struct tomoyo_domain_info *domain;
1284 struct tomoyo_path_info name;
1286 name.name = domainname;
1287 tomoyo_fill_path_info(&name);
1288 mutex_lock(&tomoyo_policy_lock);
1289 /* Is there an active domain? */
1290 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
1291 /* Never delete tomoyo_kernel_domain */
1292 if (domain == &tomoyo_kernel_domain)
1294 if (domain->is_deleted ||
1295 tomoyo_pathcmp(domain->domainname, &name))
1297 domain->is_deleted = true;
1300 mutex_unlock(&tomoyo_policy_lock);
1305 * tomoyo_write_domain_policy - Write domain policy.
1307 * @head: Pointer to "struct tomoyo_io_buffer".
1309 * Returns 0 on success, negative value otherwise.
1311 * Caller holds tomoyo_read_lock().
1313 static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
1315 char *data = head->write_buf;
1316 struct tomoyo_domain_info *domain = head->write_var1;
1317 bool is_delete = false;
1318 bool is_select = false;
1319 unsigned int profile;
1321 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE))
1323 else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT))
1325 if (is_select && tomoyo_is_select_one(head, data))
1327 /* Don't allow updating policies by non manager programs. */
1328 if (!tomoyo_is_policy_manager())
1330 if (tomoyo_is_domain_def(data)) {
1333 tomoyo_delete_domain(data);
1335 domain = tomoyo_find_domain(data);
1337 domain = tomoyo_find_or_assign_new_domain(data, 0);
1338 head->write_var1 = domain;
1344 if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1
1345 && profile < TOMOYO_MAX_PROFILES) {
1346 if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)
1347 domain->profile = (u8) profile;
1350 if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) {
1351 domain->ignore_global_allow_read = !is_delete;
1354 return tomoyo_write_file_policy(data, domain, is_delete);
1358 * tomoyo_print_path_acl - Print a single path ACL entry.
1360 * @head: Pointer to "struct tomoyo_io_buffer".
1361 * @ptr: Pointer to "struct tomoyo_path_acl".
1363 * Returns true on success, false otherwise.
1365 static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
1366 struct tomoyo_path_acl *ptr)
1370 const char *filename;
1371 const u32 perm = ptr->perm | (((u32) ptr->perm_high) << 16);
1373 filename = ptr->filename->name;
1374 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
1376 if (!(perm & (1 << bit)))
1378 /* Print "read/write" instead of "read" and "write". */
1379 if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
1380 && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
1382 msg = tomoyo_path2keyword(bit);
1383 pos = head->read_avail;
1384 if (!tomoyo_io_printf(head, "allow_%s %s\n", msg, filename))
1390 head->read_bit = bit;
1391 head->read_avail = pos;
1396 * tomoyo_print_path2_acl - Print a double path ACL entry.
1398 * @head: Pointer to "struct tomoyo_io_buffer".
1399 * @ptr: Pointer to "struct tomoyo_path2_acl".
1401 * Returns true on success, false otherwise.
1403 static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head,
1404 struct tomoyo_path2_acl *ptr)
1407 const char *filename1;
1408 const char *filename2;
1409 const u8 perm = ptr->perm;
1412 filename1 = ptr->filename1->name;
1413 filename2 = ptr->filename2->name;
1414 for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
1416 if (!(perm & (1 << bit)))
1418 msg = tomoyo_path22keyword(bit);
1419 pos = head->read_avail;
1420 if (!tomoyo_io_printf(head, "allow_%s %s %s\n", msg,
1421 filename1, filename2))
1427 head->read_bit = bit;
1428 head->read_avail = pos;
1433 * tomoyo_print_entry - Print an ACL entry.
1435 * @head: Pointer to "struct tomoyo_io_buffer".
1436 * @ptr: Pointer to an ACL entry.
1438 * Returns true on success, false otherwise.
1440 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
1441 struct tomoyo_acl_info *ptr)
1443 const u8 acl_type = ptr->type;
1445 if (acl_type == TOMOYO_TYPE_PATH_ACL) {
1446 struct tomoyo_path_acl *acl
1447 = container_of(ptr, struct tomoyo_path_acl, head);
1448 return tomoyo_print_path_acl(head, acl);
1450 if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
1451 struct tomoyo_path2_acl *acl
1452 = container_of(ptr, struct tomoyo_path2_acl, head);
1453 return tomoyo_print_path2_acl(head, acl);
1455 BUG(); /* This must not happen. */
1460 * tomoyo_read_domain_policy - Read domain policy.
1462 * @head: Pointer to "struct tomoyo_io_buffer".
1466 * Caller holds tomoyo_read_lock().
1468 static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
1470 struct list_head *dpos;
1471 struct list_head *apos;
1476 if (head->read_step == 0)
1477 head->read_step = 1;
1478 list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
1479 struct tomoyo_domain_info *domain;
1480 const char *quota_exceeded = "";
1481 const char *transition_failed = "";
1482 const char *ignore_global_allow_read = "";
1483 domain = list_entry(dpos, struct tomoyo_domain_info, list);
1484 if (head->read_step != 1)
1486 if (domain->is_deleted && !head->read_single_domain)
1488 /* Print domainname and flags. */
1489 if (domain->quota_warned)
1490 quota_exceeded = "quota_exceeded\n";
1491 if (domain->transition_failed)
1492 transition_failed = "transition_failed\n";
1493 if (domain->ignore_global_allow_read)
1494 ignore_global_allow_read
1495 = TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
1496 done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
1498 domain->domainname->name,
1499 domain->profile, quota_exceeded,
1501 ignore_global_allow_read);
1504 head->read_step = 2;
1506 if (head->read_step == 3)
1508 /* Print ACL entries in the domain. */
1509 list_for_each_cookie(apos, head->read_var2,
1510 &domain->acl_info_list) {
1511 struct tomoyo_acl_info *ptr
1512 = list_entry(apos, struct tomoyo_acl_info,
1514 done = tomoyo_print_entry(head, ptr);
1520 head->read_step = 3;
1522 done = tomoyo_io_printf(head, "\n");
1525 head->read_step = 1;
1526 if (head->read_single_domain)
1529 head->read_eof = done;
1534 * tomoyo_write_domain_profile - Assign profile for specified domain.
1536 * @head: Pointer to "struct tomoyo_io_buffer".
1538 * Returns 0 on success, -EINVAL otherwise.
1540 * This is equivalent to doing
1542 * ( echo "select " $domainname; echo "use_profile " $profile ) |
1543 * /usr/lib/ccs/loadpolicy -d
1545 * Caller holds tomoyo_read_lock().
1547 static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
1549 char *data = head->write_buf;
1550 char *cp = strchr(data, ' ');
1551 struct tomoyo_domain_info *domain;
1552 unsigned long profile;
1557 domain = tomoyo_find_domain(cp + 1);
1558 if (strict_strtoul(data, 10, &profile))
1560 if (domain && profile < TOMOYO_MAX_PROFILES
1561 && (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded))
1562 domain->profile = (u8) profile;
1567 * tomoyo_read_domain_profile - Read only domainname and profile.
1569 * @head: Pointer to "struct tomoyo_io_buffer".
1571 * Returns list of profile number and domainname pairs.
1573 * This is equivalent to doing
1575 * grep -A 1 '^<kernel>' /sys/kernel/security/tomoyo/domain_policy |
1576 * awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
1577 * domainname = $0; } else if ( $1 == "use_profile" ) {
1578 * print $2 " " domainname; domainname = ""; } } ; '
1580 * Caller holds tomoyo_read_lock().
1582 static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
1584 struct list_head *pos;
1589 list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) {
1590 struct tomoyo_domain_info *domain;
1591 domain = list_entry(pos, struct tomoyo_domain_info, list);
1592 if (domain->is_deleted)
1594 done = tomoyo_io_printf(head, "%u %s\n", domain->profile,
1595 domain->domainname->name);
1599 head->read_eof = done;
1604 * tomoyo_write_pid: Specify PID to obtain domainname.
1606 * @head: Pointer to "struct tomoyo_io_buffer".
1610 static int tomoyo_write_pid(struct tomoyo_io_buffer *head)
1613 /* No error check. */
1614 strict_strtoul(head->write_buf, 10, &pid);
1615 head->read_step = (int) pid;
1616 head->read_eof = false;
1621 * tomoyo_read_pid - Get domainname of the specified PID.
1623 * @head: Pointer to "struct tomoyo_io_buffer".
1625 * Returns the domainname which the specified PID is in on success,
1626 * empty string otherwise.
1627 * The PID is specified by tomoyo_write_pid() so that the user can obtain
1628 * using read()/write() interface rather than sysctl() interface.
1630 static int tomoyo_read_pid(struct tomoyo_io_buffer *head)
1632 if (head->read_avail == 0 && !head->read_eof) {
1633 const int pid = head->read_step;
1634 struct task_struct *p;
1635 struct tomoyo_domain_info *domain = NULL;
1637 read_lock(&tasklist_lock);
1638 p = find_task_by_vpid(pid);
1640 domain = tomoyo_real_domain(p);
1641 read_unlock(&tasklist_lock);
1644 tomoyo_io_printf(head, "%d %u %s", pid, domain->profile,
1645 domain->domainname->name);
1646 head->read_eof = true;
1652 * tomoyo_write_exception_policy - Write exception policy.
1654 * @head: Pointer to "struct tomoyo_io_buffer".
1656 * Returns 0 on success, negative value otherwise.
1658 * Caller holds tomoyo_read_lock().
1660 static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
1662 char *data = head->write_buf;
1663 bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);
1665 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_KEEP_DOMAIN))
1666 return tomoyo_write_domain_keeper_policy(data, false,
1668 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_KEEP_DOMAIN))
1669 return tomoyo_write_domain_keeper_policy(data, true, is_delete);
1670 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_INITIALIZE_DOMAIN))
1671 return tomoyo_write_domain_initializer_policy(data, false,
1673 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN))
1674 return tomoyo_write_domain_initializer_policy(data, true,
1676 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALIAS))
1677 return tomoyo_write_alias_policy(data, is_delete);
1678 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_READ))
1679 return tomoyo_write_globally_readable_policy(data, is_delete);
1680 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_FILE_PATTERN))
1681 return tomoyo_write_pattern_policy(data, is_delete);
1682 if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DENY_REWRITE))
1683 return tomoyo_write_no_rewrite_policy(data, is_delete);
1688 * tomoyo_read_exception_policy - Read exception policy.
1690 * @head: Pointer to "struct tomoyo_io_buffer".
1692 * Returns 0 on success, -EINVAL otherwise.
1694 * Caller holds tomoyo_read_lock().
1696 static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head)
1698 if (!head->read_eof) {
1699 switch (head->read_step) {
1701 head->read_var2 = NULL;
1702 head->read_step = 1;
1704 if (!tomoyo_read_domain_keeper_policy(head))
1706 head->read_var2 = NULL;
1707 head->read_step = 2;
1709 if (!tomoyo_read_globally_readable_policy(head))
1711 head->read_var2 = NULL;
1712 head->read_step = 3;
1714 head->read_var2 = NULL;
1715 head->read_step = 4;
1717 if (!tomoyo_read_domain_initializer_policy(head))
1719 head->read_var2 = NULL;
1720 head->read_step = 5;
1722 if (!tomoyo_read_alias_policy(head))
1724 head->read_var2 = NULL;
1725 head->read_step = 6;
1727 head->read_var2 = NULL;
1728 head->read_step = 7;
1730 if (!tomoyo_read_file_pattern(head))
1732 head->read_var2 = NULL;
1733 head->read_step = 8;
1735 if (!tomoyo_read_no_rewrite_policy(head))
1737 head->read_var2 = NULL;
1738 head->read_step = 9;
1740 head->read_eof = true;
1749 /* path to policy loader */
1750 static const char *tomoyo_loader = "/sbin/tomoyo-init";
1753 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
1755 * Returns true if /sbin/tomoyo-init exists, false otherwise.
1757 static bool tomoyo_policy_loader_exists(void)
1760 * Don't activate MAC if the policy loader doesn't exist.
1761 * If the initrd includes /sbin/init but real-root-dev has not
1762 * mounted on / yet, activating MAC will block the system since
1763 * policies are not loaded yet.
1764 * Thus, let do_execve() call this function everytime.
1768 if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
1769 printk(KERN_INFO "Not activating Mandatory Access Control now "
1770 "since %s doesn't exist.\n", tomoyo_loader);
1778 * tomoyo_load_policy - Run external policy loader to load policy.
1780 * @filename: The program about to start.
1782 * This function checks whether @filename is /sbin/init , and if so
1783 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
1784 * and then continues invocation of /sbin/init.
1785 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
1786 * writes to /sys/kernel/security/tomoyo/ interfaces.
1790 void tomoyo_load_policy(const char *filename)
1795 if (tomoyo_policy_loaded)
1798 * Check filename is /sbin/init or /sbin/tomoyo-start.
1799 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
1801 * You can create /sbin/tomoyo-start by
1802 * "ln -s /bin/true /sbin/tomoyo-start".
1804 if (strcmp(filename, "/sbin/init") &&
1805 strcmp(filename, "/sbin/tomoyo-start"))
1807 if (!tomoyo_policy_loader_exists())
1810 printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
1812 argv[0] = (char *) tomoyo_loader;
1815 envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
1817 call_usermodehelper(argv[0], argv, envp, 1);
1819 printk(KERN_INFO "TOMOYO: 2.2.0 2009/04/01\n");
1820 printk(KERN_INFO "Mandatory Access Control activated.\n");
1821 tomoyo_policy_loaded = true;
1822 { /* Check all profiles currently assigned to domains are defined. */
1823 struct tomoyo_domain_info *domain;
1824 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
1825 const u8 profile = domain->profile;
1826 if (tomoyo_profile_ptr[profile])
1828 panic("Profile %u (used by '%s') not defined.\n",
1829 profile, domain->domainname->name);
1835 * tomoyo_read_version: Get version.
1837 * @head: Pointer to "struct tomoyo_io_buffer".
1839 * Returns version information.
1841 static int tomoyo_read_version(struct tomoyo_io_buffer *head)
1843 if (!head->read_eof) {
1844 tomoyo_io_printf(head, "2.2.0");
1845 head->read_eof = true;
1851 * tomoyo_read_self_domain - Get the current process's domainname.
1853 * @head: Pointer to "struct tomoyo_io_buffer".
1855 * Returns the current process's domainname.
1857 static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head)
1859 if (!head->read_eof) {
1861 * tomoyo_domain()->domainname != NULL
1862 * because every process belongs to a domain and
1863 * the domain's name cannot be NULL.
1865 tomoyo_io_printf(head, "%s", tomoyo_domain()->domainname->name);
1866 head->read_eof = true;
1872 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
1874 * @type: Type of interface.
1875 * @file: Pointer to "struct file".
1877 * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
1879 * Caller acquires tomoyo_read_lock().
1881 static int tomoyo_open_control(const u8 type, struct file *file)
1883 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_KERNEL);
1887 mutex_init(&head->io_sem);
1889 case TOMOYO_DOMAINPOLICY:
1890 /* /sys/kernel/security/tomoyo/domain_policy */
1891 head->write = tomoyo_write_domain_policy;
1892 head->read = tomoyo_read_domain_policy;
1894 case TOMOYO_EXCEPTIONPOLICY:
1895 /* /sys/kernel/security/tomoyo/exception_policy */
1896 head->write = tomoyo_write_exception_policy;
1897 head->read = tomoyo_read_exception_policy;
1899 case TOMOYO_SELFDOMAIN:
1900 /* /sys/kernel/security/tomoyo/self_domain */
1901 head->read = tomoyo_read_self_domain;
1903 case TOMOYO_DOMAIN_STATUS:
1904 /* /sys/kernel/security/tomoyo/.domain_status */
1905 head->write = tomoyo_write_domain_profile;
1906 head->read = tomoyo_read_domain_profile;
1908 case TOMOYO_PROCESS_STATUS:
1909 /* /sys/kernel/security/tomoyo/.process_status */
1910 head->write = tomoyo_write_pid;
1911 head->read = tomoyo_read_pid;
1913 case TOMOYO_VERSION:
1914 /* /sys/kernel/security/tomoyo/version */
1915 head->read = tomoyo_read_version;
1916 head->readbuf_size = 128;
1918 case TOMOYO_MEMINFO:
1919 /* /sys/kernel/security/tomoyo/meminfo */
1920 head->write = tomoyo_write_memory_quota;
1921 head->read = tomoyo_read_memory_counter;
1922 head->readbuf_size = 512;
1924 case TOMOYO_PROFILE:
1925 /* /sys/kernel/security/tomoyo/profile */
1926 head->write = tomoyo_write_profile;
1927 head->read = tomoyo_read_profile;
1929 case TOMOYO_MANAGER:
1930 /* /sys/kernel/security/tomoyo/manager */
1931 head->write = tomoyo_write_manager_policy;
1932 head->read = tomoyo_read_manager_policy;
1935 if (!(file->f_mode & FMODE_READ)) {
1937 * No need to allocate read_buf since it is not opened
1942 if (!head->readbuf_size)
1943 head->readbuf_size = 4096 * 2;
1944 head->read_buf = kzalloc(head->readbuf_size, GFP_KERNEL);
1945 if (!head->read_buf) {
1950 if (!(file->f_mode & FMODE_WRITE)) {
1952 * No need to allocate write_buf since it is not opened
1956 } else if (head->write) {
1957 head->writebuf_size = 4096 * 2;
1958 head->write_buf = kzalloc(head->writebuf_size, GFP_KERNEL);
1959 if (!head->write_buf) {
1960 kfree(head->read_buf);
1965 head->reader_idx = tomoyo_read_lock();
1966 file->private_data = head;
1968 * Call the handler now if the file is
1969 * /sys/kernel/security/tomoyo/self_domain
1970 * so that the user can use
1971 * cat < /sys/kernel/security/tomoyo/self_domain"
1972 * to know the current process's domainname.
1974 if (type == TOMOYO_SELFDOMAIN)
1975 tomoyo_read_control(file, NULL, 0);
1980 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
1982 * @file: Pointer to "struct file".
1983 * @buffer: Poiner to buffer to write to.
1984 * @buffer_len: Size of @buffer.
1986 * Returns bytes read on success, negative value otherwise.
1988 * Caller holds tomoyo_read_lock().
1990 static int tomoyo_read_control(struct file *file, char __user *buffer,
1991 const int buffer_len)
1994 struct tomoyo_io_buffer *head = file->private_data;
1999 if (mutex_lock_interruptible(&head->io_sem))
2001 /* Call the policy handler. */
2002 len = head->read(head);
2005 /* Write to buffer. */
2006 len = head->read_avail;
2007 if (len > buffer_len)
2011 /* head->read_buf changes by some functions. */
2012 cp = head->read_buf;
2013 if (copy_to_user(buffer, cp, len)) {
2017 head->read_avail -= len;
2018 memmove(cp, cp + len, head->read_avail);
2020 mutex_unlock(&head->io_sem);
2025 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2027 * @file: Pointer to "struct file".
2028 * @buffer: Pointer to buffer to read from.
2029 * @buffer_len: Size of @buffer.
2031 * Returns @buffer_len on success, negative value otherwise.
2033 * Caller holds tomoyo_read_lock().
2035 static int tomoyo_write_control(struct file *file, const char __user *buffer,
2036 const int buffer_len)
2038 struct tomoyo_io_buffer *head = file->private_data;
2039 int error = buffer_len;
2040 int avail_len = buffer_len;
2041 char *cp0 = head->write_buf;
2045 if (!access_ok(VERIFY_READ, buffer, buffer_len))
2047 /* Don't allow updating policies by non manager programs. */
2048 if (head->write != tomoyo_write_pid &&
2049 head->write != tomoyo_write_domain_policy &&
2050 !tomoyo_is_policy_manager())
2052 if (mutex_lock_interruptible(&head->io_sem))
2054 /* Read a line and dispatch it to the policy handler. */
2055 while (avail_len > 0) {
2057 if (head->write_avail >= head->writebuf_size - 1) {
2060 } else if (get_user(c, buffer)) {
2066 cp0[head->write_avail++] = c;
2069 cp0[head->write_avail - 1] = '\0';
2070 head->write_avail = 0;
2071 tomoyo_normalize_line(cp0);
2074 mutex_unlock(&head->io_sem);
2079 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2081 * @file: Pointer to "struct file".
2083 * Releases memory and returns 0.
2085 * Caller looses tomoyo_read_lock().
2087 static int tomoyo_close_control(struct file *file)
2089 struct tomoyo_io_buffer *head = file->private_data;
2090 const bool is_write = !!head->write_buf;
2092 tomoyo_read_unlock(head->reader_idx);
2093 /* Release memory used for policy I/O. */
2094 kfree(head->read_buf);
2095 head->read_buf = NULL;
2096 kfree(head->write_buf);
2097 head->write_buf = NULL;
2100 file->private_data = NULL;
2107 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
2109 * @inode: Pointer to "struct inode".
2110 * @file: Pointer to "struct file".
2112 * Returns 0 on success, negative value otherwise.
2114 static int tomoyo_open(struct inode *inode, struct file *file)
2116 const int key = ((u8 *) file->f_path.dentry->d_inode->i_private)
2118 return tomoyo_open_control(key, file);
2122 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
2124 * @inode: Pointer to "struct inode".
2125 * @file: Pointer to "struct file".
2127 * Returns 0 on success, negative value otherwise.
2129 static int tomoyo_release(struct inode *inode, struct file *file)
2131 return tomoyo_close_control(file);
2135 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
2137 * @file: Pointer to "struct file".
2138 * @buf: Pointer to buffer.
2139 * @count: Size of @buf.
2142 * Returns bytes read on success, negative value otherwise.
2144 static ssize_t tomoyo_read(struct file *file, char __user *buf, size_t count,
2147 return tomoyo_read_control(file, buf, count);
2151 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
2153 * @file: Pointer to "struct file".
2154 * @buf: Pointer to buffer.
2155 * @count: Size of @buf.
2158 * Returns @count on success, negative value otherwise.
2160 static ssize_t tomoyo_write(struct file *file, const char __user *buf,
2161 size_t count, loff_t *ppos)
2163 return tomoyo_write_control(file, buf, count);
2167 * tomoyo_operations is a "struct file_operations" which is used for handling
2168 * /sys/kernel/security/tomoyo/ interface.
2170 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
2171 * See tomoyo_io_buffer for internals.
2173 static const struct file_operations tomoyo_operations = {
2174 .open = tomoyo_open,
2175 .release = tomoyo_release,
2176 .read = tomoyo_read,
2177 .write = tomoyo_write,
2181 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
2183 * @name: The name of the interface file.
2184 * @mode: The permission of the interface file.
2185 * @parent: The parent directory.
2186 * @key: Type of interface.
2190 static void __init tomoyo_create_entry(const char *name, const mode_t mode,
2191 struct dentry *parent, const u8 key)
2193 securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,
2194 &tomoyo_operations);
2198 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
2202 static int __init tomoyo_initerface_init(void)
2204 struct dentry *tomoyo_dir;
2206 /* Don't create securityfs entries unless registered. */
2207 if (current_cred()->security != &tomoyo_kernel_domain)
2210 tomoyo_dir = securityfs_create_dir("tomoyo", NULL);
2211 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir,
2212 TOMOYO_DOMAINPOLICY);
2213 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir,
2214 TOMOYO_EXCEPTIONPOLICY);
2215 tomoyo_create_entry("self_domain", 0400, tomoyo_dir,
2217 tomoyo_create_entry(".domain_status", 0600, tomoyo_dir,
2218 TOMOYO_DOMAIN_STATUS);
2219 tomoyo_create_entry(".process_status", 0600, tomoyo_dir,
2220 TOMOYO_PROCESS_STATUS);
2221 tomoyo_create_entry("meminfo", 0600, tomoyo_dir,
2223 tomoyo_create_entry("profile", 0600, tomoyo_dir,
2225 tomoyo_create_entry("manager", 0600, tomoyo_dir,
2227 tomoyo_create_entry("version", 0400, tomoyo_dir,
2232 fs_initcall(tomoyo_initerface_init);