Lines Matching +full:wait +full:- +full:monitoring +full:- +full:ns
1 // SPDX-License-Identifier: GPL-2.0
5 * Copyright (C) 2005-2011 NTT DATA CORPORATION
173 /* Permit policy management by non-root user? */
179 * tomoyo_addprintf - strncat()-like-snprintf().
181 * @buffer: Buffer to write to. Must be '\0'-terminated.
194 vsnprintf(buffer + pos, len - pos - 1, fmt, args); in tomoyo_addprintf()
199 * tomoyo_flush - Flush queued string to userspace's buffer.
207 while (head->r.w_pos) { in tomoyo_flush()
208 const char *w = head->r.w[0]; in tomoyo_flush()
212 if (len > head->read_user_buf_avail) in tomoyo_flush()
213 len = head->read_user_buf_avail; in tomoyo_flush()
216 if (copy_to_user(head->read_user_buf, w, len)) in tomoyo_flush()
218 head->read_user_buf_avail -= len; in tomoyo_flush()
219 head->read_user_buf += len; in tomoyo_flush()
222 head->r.w[0] = w; in tomoyo_flush()
226 if (head->poll) { in tomoyo_flush()
227 if (!head->read_user_buf_avail || in tomoyo_flush()
228 copy_to_user(head->read_user_buf, "", 1)) in tomoyo_flush()
230 head->read_user_buf_avail--; in tomoyo_flush()
231 head->read_user_buf++; in tomoyo_flush()
233 head->r.w_pos--; in tomoyo_flush()
234 for (len = 0; len < head->r.w_pos; len++) in tomoyo_flush()
235 head->r.w[len] = head->r.w[len + 1]; in tomoyo_flush()
237 head->r.avail = 0; in tomoyo_flush()
242 * tomoyo_set_string - Queue string to "struct tomoyo_io_buffer" structure.
253 if (head->r.w_pos < TOMOYO_MAX_IO_READ_QUEUE) { in tomoyo_set_string()
254 head->r.w[head->r.w_pos++] = string; in tomoyo_set_string()
264 * tomoyo_io_printf - printf() to "struct tomoyo_io_buffer" structure.
274 size_t pos = head->r.avail; in tomoyo_io_printf()
275 int size = head->readbuf_size - pos; in tomoyo_io_printf()
280 len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1; in tomoyo_io_printf()
282 if (pos + len >= head->readbuf_size) { in tomoyo_io_printf()
286 head->r.avail += len; in tomoyo_io_printf()
287 tomoyo_set_string(head, head->read_buf + pos); in tomoyo_io_printf()
291 * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure.
303 * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure.
312 return !head->r.w_pos; in tomoyo_set_lf()
316 * tomoyo_set_slash - Put a shash to "struct tomoyo_io_buffer" structure.
333 * tomoyo_init_policy_namespace - Initialize namespace.
335 * @ns: Pointer to "struct tomoyo_policy_namespace".
339 void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns) in tomoyo_init_policy_namespace() argument
344 INIT_LIST_HEAD(&ns->acl_group[idx]); in tomoyo_init_policy_namespace()
346 INIT_LIST_HEAD(&ns->group_list[idx]); in tomoyo_init_policy_namespace()
348 INIT_LIST_HEAD(&ns->policy_list[idx]); in tomoyo_init_policy_namespace()
349 ns->profile_version = 20150505; in tomoyo_init_policy_namespace()
351 list_add_tail_rcu(&ns->namespace_list, &tomoyo_namespace_list); in tomoyo_init_policy_namespace()
355 * tomoyo_print_namespace - Print namespace header.
366 container_of(head->r.ns, in tomoyo_print_namespace()
368 namespace_list)->name); in tomoyo_print_namespace()
373 * tomoyo_print_name_union - Print a tomoyo_name_union.
382 if (ptr->group) { in tomoyo_print_name_union()
384 tomoyo_set_string(head, ptr->group->group_name->name); in tomoyo_print_name_union()
386 tomoyo_set_string(head, ptr->filename->name); in tomoyo_print_name_union()
391 * tomoyo_print_name_union_quoted - Print a tomoyo_name_union with a quote.
401 if (ptr->group) { in tomoyo_print_name_union_quoted()
403 tomoyo_set_string(head, ptr->group->group_name->name); in tomoyo_print_name_union_quoted()
406 tomoyo_set_string(head, ptr->filename->name); in tomoyo_print_name_union_quoted()
412 * tomoyo_print_number_union_nospace - Print a tomoyo_number_union without a space.
422 if (ptr->group) { in tomoyo_print_number_union_nospace()
424 tomoyo_set_string(head, ptr->group->group_name->name); in tomoyo_print_number_union_nospace()
427 unsigned long min = ptr->values[0]; in tomoyo_print_number_union_nospace()
428 const unsigned long max = ptr->values[1]; in tomoyo_print_number_union_nospace()
429 u8 min_type = ptr->value_type[0]; in tomoyo_print_number_union_nospace()
430 const u8 max_type = ptr->value_type[1]; in tomoyo_print_number_union_nospace()
451 tomoyo_addprintf(buffer, sizeof(buffer), "-"); in tomoyo_print_number_union_nospace()
460 * tomoyo_print_number_union - Print a tomoyo_number_union.
475 * tomoyo_assign_profile - Create a new profile.
477 * @ns: Pointer to "struct tomoyo_policy_namespace".
483 (struct tomoyo_policy_namespace *ns, const unsigned int profile) in tomoyo_assign_profile() argument
490 ptr = ns->profile_ptr[profile]; in tomoyo_assign_profile()
496 ptr = ns->profile_ptr[profile]; in tomoyo_assign_profile()
499 ptr->default_config = TOMOYO_CONFIG_DISABLED | in tomoyo_assign_profile()
502 memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT, in tomoyo_assign_profile()
503 sizeof(ptr->config)); in tomoyo_assign_profile()
504 ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] = in tomoyo_assign_profile()
506 ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = in tomoyo_assign_profile()
508 mb(); /* Avoid out-of-order execution. */ in tomoyo_assign_profile()
509 ns->profile_ptr[profile] = ptr; in tomoyo_assign_profile()
519 * tomoyo_profile - Find a profile.
521 * @ns: Pointer to "struct tomoyo_policy_namespace".
526 struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns, in tomoyo_profile() argument
530 struct tomoyo_profile *ptr = ns->profile_ptr[profile]; in tomoyo_profile()
538 * tomoyo_find_yesno - Find values for specified keyword.
543 * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise.
556 return -1; in tomoyo_find_yesno()
560 * tomoyo_set_uint - Set value for specified preference.
578 * tomoyo_set_mode - Set mode for specified profile.
594 config = profile->default_config; in tomoyo_set_mode()
613 config = profile->config[i]; in tomoyo_set_mode()
617 return -EINVAL; in tomoyo_set_mode()
619 return -EINVAL; in tomoyo_set_mode()
653 profile->config[i] = config; in tomoyo_set_mode()
655 profile->default_config = config; in tomoyo_set_mode()
660 * tomoyo_write_profile - Write profile table.
668 char *data = head->write_buf; in tomoyo_write_profile()
673 if (sscanf(data, "PROFILE_VERSION=%u", &head->w.ns->profile_version) in tomoyo_write_profile()
677 if (*cp != '-') in tomoyo_write_profile()
678 return -EINVAL; in tomoyo_write_profile()
680 profile = tomoyo_assign_profile(head->w.ns, i); in tomoyo_write_profile()
682 return -EINVAL; in tomoyo_write_profile()
685 return -EINVAL; in tomoyo_write_profile()
694 return -ENOMEM; in tomoyo_write_profile()
696 old_comment = profile->comment; in tomoyo_write_profile()
697 profile->comment = new_comment; in tomoyo_write_profile()
704 tomoyo_set_uint(&profile->pref[i], cp, in tomoyo_write_profile()
712 * tomoyo_print_config - Print mode for specified functionality.
730 * tomoyo_read_profile - Read profile table.
739 struct tomoyo_policy_namespace *ns = in tomoyo_read_profile() local
740 container_of(head->r.ns, typeof(*ns), namespace_list); in tomoyo_read_profile()
743 if (head->r.eof) in tomoyo_read_profile()
746 index = head->r.index; in tomoyo_read_profile()
747 profile = ns->profile_ptr[index]; in tomoyo_read_profile()
748 switch (head->r.step) { in tomoyo_read_profile()
752 ns->profile_version); in tomoyo_read_profile()
753 head->r.step++; in tomoyo_read_profile()
756 for ( ; head->r.index < TOMOYO_MAX_PROFILES; in tomoyo_read_profile()
757 head->r.index++) in tomoyo_read_profile()
758 if (ns->profile_ptr[head->r.index]) in tomoyo_read_profile()
760 if (head->r.index == TOMOYO_MAX_PROFILES) { in tomoyo_read_profile()
761 head->r.eof = true; in tomoyo_read_profile()
764 head->r.step++; in tomoyo_read_profile()
770 profile->comment; in tomoyo_read_profile()
773 tomoyo_io_printf(head, "%u-COMMENT=", index); in tomoyo_read_profile()
774 tomoyo_set_string(head, comment ? comment->name : ""); in tomoyo_read_profile()
777 tomoyo_io_printf(head, "%u-PREFERENCE={ ", index); in tomoyo_read_profile()
781 profile->pref[i]); in tomoyo_read_profile()
783 head->r.step++; in tomoyo_read_profile()
789 tomoyo_io_printf(head, "%u-%s", index, "CONFIG"); in tomoyo_read_profile()
790 tomoyo_print_config(head, profile->default_config); in tomoyo_read_profile()
791 head->r.bit = 0; in tomoyo_read_profile()
792 head->r.step++; in tomoyo_read_profile()
796 for ( ; head->r.bit < TOMOYO_MAX_MAC_INDEX in tomoyo_read_profile()
797 + TOMOYO_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { in tomoyo_read_profile()
798 const u8 i = head->r.bit; in tomoyo_read_profile()
799 const u8 config = profile->config[i]; in tomoyo_read_profile()
805 tomoyo_io_printf(head, "%u-CONFIG::%s::%s", in tomoyo_read_profile()
811 tomoyo_io_printf(head, "%u-CONFIG::%s", index, in tomoyo_read_profile()
814 head->r.bit++; in tomoyo_read_profile()
817 if (head->r.bit == TOMOYO_MAX_MAC_INDEX in tomoyo_read_profile()
819 head->r.index++; in tomoyo_read_profile()
820 head->r.step = 1; in tomoyo_read_profile()
829 * tomoyo_same_manager - Check for duplicated "struct tomoyo_manager" entry.
839 return container_of(a, struct tomoyo_manager, head)->manager == in tomoyo_same_manager()
840 container_of(b, struct tomoyo_manager, head)->manager; in tomoyo_same_manager()
844 * tomoyo_update_manager_entry - Add a manager entry.
858 /* .ns = &tomoyo_kernel_namespace, */ in tomoyo_update_manager_entry()
862 int error = is_delete ? -ENOENT : -ENOMEM; in tomoyo_update_manager_entry()
866 return -EINVAL; in tomoyo_update_manager_entry()
877 * tomoyo_write_manager - Write manager policy.
887 char *data = head->write_buf; in tomoyo_write_manager()
890 tomoyo_manage_by_non_root = !head->w.is_delete; in tomoyo_write_manager()
893 return tomoyo_update_manager_entry(data, head->w.is_delete); in tomoyo_write_manager()
897 * tomoyo_read_manager - Read manager policy.
905 if (head->r.eof) in tomoyo_read_manager()
907 list_for_each_cookie(head->r.acl, &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER]) { in tomoyo_read_manager()
909 list_entry(head->r.acl, typeof(*ptr), head.list); in tomoyo_read_manager()
911 if (ptr->head.is_deleted) in tomoyo_read_manager()
915 tomoyo_set_string(head, ptr->manager->name); in tomoyo_read_manager()
918 head->r.eof = true; in tomoyo_read_manager()
922 * tomoyo_manager - Check whether the current process is a policy manager.
934 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; in tomoyo_manager()
940 (!uid_eq(task->cred->uid, GLOBAL_ROOT_UID) || in tomoyo_manager()
941 !uid_eq(task->cred->euid, GLOBAL_ROOT_UID))) in tomoyo_manager()
948 if (!ptr->head.is_deleted && in tomoyo_manager()
949 (!tomoyo_pathcmp(domainname, ptr->manager) || in tomoyo_manager()
950 !strcmp(exe, ptr->manager->name))) { in tomoyo_manager()
957 const pid_t pid = current->pid; in tomoyo_manager()
961 domainname->name, exe); in tomoyo_manager()
973 * tomoyo_select_domain - Parse select command.
993 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { in tomoyo_select_domain()
1002 domain = tomoyo_task(p)->domain_info; in tomoyo_select_domain()
1011 head->w.domain = domain; in tomoyo_select_domain()
1012 /* Accessing read_buf is safe because head->io_sem is held. */ in tomoyo_select_domain()
1013 if (!head->read_buf) in tomoyo_select_domain()
1015 memset(&head->r, 0, sizeof(head->r)); in tomoyo_select_domain()
1016 head->r.print_this_domain_only = true; in tomoyo_select_domain()
1018 head->r.domain = &domain->list; in tomoyo_select_domain()
1020 head->r.eof = true; in tomoyo_select_domain()
1022 if (domain && domain->is_deleted) in tomoyo_select_domain()
1028 * tomoyo_same_task_acl - Check for duplicated "struct tomoyo_task_acl" entry.
1041 return p1->domainname == p2->domainname; in tomoyo_same_task_acl()
1045 * tomoyo_write_task - Update task related list.
1055 int error = -EINVAL; in tomoyo_write_task()
1057 if (tomoyo_str_starts(¶m->data, "manual_domain_transition ")) { in tomoyo_write_task()
1073 * tomoyo_delete_domain - Delete a domain.
1089 return -EINTR; in tomoyo_delete_domain()
1096 if (domain->is_deleted || in tomoyo_delete_domain()
1097 tomoyo_pathcmp(domain->domainname, &name)) in tomoyo_delete_domain()
1099 domain->is_deleted = true; in tomoyo_delete_domain()
1107 * tomoyo_write_domain2 - Write domain policy.
1109 * @ns: Pointer to "struct tomoyo_policy_namespace".
1118 static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns, in tomoyo_write_domain2() argument
1123 .ns = ns, in tomoyo_write_domain2()
1146 return -EINVAL; in tomoyo_write_domain2()
1156 * tomoyo_write_domain - Write domain policy.
1166 char *data = head->write_buf; in tomoyo_write_domain()
1167 struct tomoyo_policy_namespace *ns; in tomoyo_write_domain() local
1168 struct tomoyo_domain_info *domain = head->w.domain; in tomoyo_write_domain()
1169 const bool is_delete = head->w.is_delete; in tomoyo_write_domain()
1183 head->w.domain = domain; in tomoyo_write_domain()
1187 return -EINVAL; in tomoyo_write_domain()
1188 ns = domain->ns; in tomoyo_write_domain()
1191 if (!tomoyo_policy_loaded || ns->profile_ptr[idx]) in tomoyo_write_domain()
1193 domain->profile = (u8) idx; in tomoyo_write_domain()
1199 set_bit(idx, domain->group); in tomoyo_write_domain()
1201 clear_bit(idx, domain->group); in tomoyo_write_domain()
1207 if (strncmp(data, cp, strlen(cp) - 1)) in tomoyo_write_domain()
1209 domain->flags[idx] = !is_delete; in tomoyo_write_domain()
1212 return tomoyo_write_domain2(ns, &domain->acl_info_list, data, in tomoyo_write_domain()
1217 * tomoyo_print_condition - Print condition part.
1227 switch (head->r.cond_step) { in tomoyo_print_condition()
1229 head->r.cond_index = 0; in tomoyo_print_condition()
1230 head->r.cond_step++; in tomoyo_print_condition()
1231 if (cond->transit) { in tomoyo_print_condition()
1233 tomoyo_set_string(head, cond->transit->name); in tomoyo_print_condition()
1238 const u16 condc = cond->condc; in tomoyo_print_condition()
1245 (numbers_p + cond->numbers_count); in tomoyo_print_condition()
1247 (typeof(argv)) (names_p + cond->names_count); in tomoyo_print_condition()
1249 (typeof(envp)) (argv + cond->argc); in tomoyo_print_condition()
1252 for (skip = 0; skip < head->r.cond_index; skip++) { in tomoyo_print_condition()
1253 const u8 left = condp->left; in tomoyo_print_condition()
1254 const u8 right = condp->right; in tomoyo_print_condition()
1277 while (head->r.cond_index < condc) { in tomoyo_print_condition()
1278 const u8 match = condp->equals; in tomoyo_print_condition()
1279 const u8 left = condp->left; in tomoyo_print_condition()
1280 const u8 right = condp->right; in tomoyo_print_condition()
1285 head->r.cond_index++; in tomoyo_print_condition()
1291 argv->index, argv->is_not ? "!" : ""); in tomoyo_print_condition()
1293 argv->value->name); in tomoyo_print_condition()
1301 envp->name->name); in tomoyo_print_condition()
1302 tomoyo_io_printf(head, "\"]%s=", envp->is_not ? "!" : ""); in tomoyo_print_condition()
1303 if (envp->value) { in tomoyo_print_condition()
1305 tomoyo_set_string(head, envp->value->name); in tomoyo_print_condition()
1339 head->r.cond_step++; in tomoyo_print_condition()
1344 head->r.cond_step++; in tomoyo_print_condition()
1347 if (cond->grant_log != TOMOYO_GRANTLOG_AUTO) in tomoyo_print_condition()
1349 str_yes_no(cond->grant_log == in tomoyo_print_condition()
1358 * tomoyo_set_group - Print "acl_group " header keyword and category name.
1368 if (head->type == TOMOYO_EXCEPTIONPOLICY) { in tomoyo_set_group()
1371 head->r.acl_group_index); in tomoyo_set_group()
1377 * tomoyo_print_entry - Print an ACL entry.
1387 const u8 acl_type = acl->type; in tomoyo_print_entry()
1391 if (head->r.print_cond_part) in tomoyo_print_entry()
1393 if (acl->is_deleted) in tomoyo_print_entry()
1400 const u16 perm = ptr->perm; in tomoyo_print_entry()
1405 if (head->r.print_transition_related_only && in tomoyo_print_entry()
1418 tomoyo_print_name_union(head, &ptr->name); in tomoyo_print_entry()
1425 tomoyo_set_string(head, ptr->domainname->name); in tomoyo_print_entry()
1426 } else if (head->r.print_transition_related_only) { in tomoyo_print_entry()
1431 const u8 perm = ptr->perm; in tomoyo_print_entry()
1447 tomoyo_print_name_union(head, &ptr->name1); in tomoyo_print_entry()
1448 tomoyo_print_name_union(head, &ptr->name2); in tomoyo_print_entry()
1452 const u8 perm = ptr->perm; in tomoyo_print_entry()
1468 tomoyo_print_name_union(head, &ptr->name); in tomoyo_print_entry()
1469 tomoyo_print_number_union(head, &ptr->number); in tomoyo_print_entry()
1473 const u8 perm = ptr->perm; in tomoyo_print_entry()
1489 tomoyo_print_name_union(head, &ptr->name); in tomoyo_print_entry()
1490 tomoyo_print_number_union(head, &ptr->mode); in tomoyo_print_entry()
1491 tomoyo_print_number_union(head, &ptr->major); in tomoyo_print_entry()
1492 tomoyo_print_number_union(head, &ptr->minor); in tomoyo_print_entry()
1496 const u8 perm = ptr->perm; in tomoyo_print_entry()
1504 [ptr->protocol]); in tomoyo_print_entry()
1515 if (ptr->address.group) { in tomoyo_print_entry()
1517 tomoyo_set_string(head, ptr->address.group->group_name in tomoyo_print_entry()
1518 ->name); in tomoyo_print_entry()
1522 tomoyo_print_ip(buf, sizeof(buf), &ptr->address); in tomoyo_print_entry()
1525 tomoyo_print_number_union(head, &ptr->port); in tomoyo_print_entry()
1529 const u8 perm = ptr->perm; in tomoyo_print_entry()
1537 [ptr->protocol]); in tomoyo_print_entry()
1547 tomoyo_print_name_union(head, &ptr->name); in tomoyo_print_entry()
1553 tomoyo_print_name_union(head, &ptr->dev_name); in tomoyo_print_entry()
1554 tomoyo_print_name_union(head, &ptr->dir_name); in tomoyo_print_entry()
1555 tomoyo_print_name_union(head, &ptr->fs_type); in tomoyo_print_entry()
1556 tomoyo_print_number_union(head, &ptr->flags); in tomoyo_print_entry()
1562 tomoyo_set_string(head, ptr->env->name); in tomoyo_print_entry()
1564 if (acl->cond) { in tomoyo_print_entry()
1565 head->r.print_cond_part = true; in tomoyo_print_entry()
1566 head->r.cond_step = 0; in tomoyo_print_entry()
1570 if (!tomoyo_print_condition(head, acl->cond)) in tomoyo_print_entry()
1572 head->r.print_cond_part = false; in tomoyo_print_entry()
1580 * tomoyo_read_domain2 - Read domain policy.
1592 list_for_each_cookie(head->r.acl, list) { in tomoyo_read_domain2()
1594 list_entry(head->r.acl, typeof(*ptr), list); in tomoyo_read_domain2()
1599 head->r.acl = NULL; in tomoyo_read_domain2()
1604 * tomoyo_read_domain - Read domain policy.
1612 if (head->r.eof) in tomoyo_read_domain()
1614 list_for_each_cookie(head->r.domain, &tomoyo_domain_list) { in tomoyo_read_domain()
1616 list_entry(head->r.domain, typeof(*domain), list); in tomoyo_read_domain()
1619 switch (head->r.step) { in tomoyo_read_domain()
1621 if (domain->is_deleted && in tomoyo_read_domain()
1622 !head->r.print_this_domain_only) in tomoyo_read_domain()
1625 tomoyo_set_string(head, domain->domainname->name); in tomoyo_read_domain()
1628 domain->profile); in tomoyo_read_domain()
1630 if (domain->flags[i]) in tomoyo_read_domain()
1632 head->r.index = 0; in tomoyo_read_domain()
1633 head->r.step++; in tomoyo_read_domain()
1636 while (head->r.index < TOMOYO_MAX_ACL_GROUPS) { in tomoyo_read_domain()
1637 i = head->r.index++; in tomoyo_read_domain()
1638 if (!test_bit(i, domain->group)) in tomoyo_read_domain()
1644 head->r.index = 0; in tomoyo_read_domain()
1645 head->r.step++; in tomoyo_read_domain()
1649 if (!tomoyo_read_domain2(head, &domain->acl_info_list)) in tomoyo_read_domain()
1651 head->r.step++; in tomoyo_read_domain()
1656 head->r.step = 0; in tomoyo_read_domain()
1657 if (head->r.print_this_domain_only) in tomoyo_read_domain()
1662 head->r.eof = true; in tomoyo_read_domain()
1674 head->r.eof = false; in tomoyo_write_pid()
1679 * tomoyo_read_pid - Get domainname of the specified PID.
1690 char *buf = head->write_buf; in tomoyo_read_pid()
1696 /* Accessing write_buf is safe because head->io_sem is held. */ in tomoyo_read_pid()
1698 head->r.eof = true; in tomoyo_read_pid()
1701 if (head->r.w_pos || head->r.eof) in tomoyo_read_pid()
1703 head->r.eof = true; in tomoyo_read_pid()
1704 if (tomoyo_str_starts(&buf, "global-pid ")) in tomoyo_read_pid()
1714 domain = tomoyo_task(p)->domain_info; in tomoyo_read_pid()
1718 tomoyo_io_printf(head, "%u %u ", pid, domain->profile); in tomoyo_read_pid()
1719 tomoyo_set_string(head, domain->domainname->name); in tomoyo_read_pid()
1740 * tomoyo_write_exception - Write exception policy.
1750 const bool is_delete = head->w.is_delete; in tomoyo_write_exception()
1752 .ns = head->w.ns, in tomoyo_write_exception()
1754 .data = head->write_buf, in tomoyo_write_exception()
1773 (head->w.ns, &head->w.ns->acl_group[group], in tomoyo_write_exception()
1776 return -EINVAL; in tomoyo_write_exception()
1780 …* tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group"/"struct tomoyo_…
1791 struct tomoyo_policy_namespace *ns = in tomoyo_read_group() local
1792 container_of(head->r.ns, typeof(*ns), namespace_list); in tomoyo_read_group()
1793 struct list_head *list = &ns->group_list[idx]; in tomoyo_read_group()
1795 list_for_each_cookie(head->r.group, list) { in tomoyo_read_group()
1797 list_entry(head->r.group, typeof(*group), head.list); in tomoyo_read_group()
1799 list_for_each_cookie(head->r.acl, &group->member_list) { in tomoyo_read_group()
1801 list_entry(head->r.acl, typeof(*ptr), list); in tomoyo_read_group()
1803 if (ptr->is_deleted) in tomoyo_read_group()
1809 tomoyo_set_string(head, group->group_name->name); in tomoyo_read_group()
1814 head)->member_name->name); in tomoyo_read_group()
1819 head)->number); in tomoyo_read_group()
1827 &member->address); in tomoyo_read_group()
1832 head->r.acl = NULL; in tomoyo_read_group()
1834 head->r.group = NULL; in tomoyo_read_group()
1839 * tomoyo_read_policy - Read "struct tomoyo_..._entry" list.
1850 struct tomoyo_policy_namespace *ns = in tomoyo_read_policy() local
1851 container_of(head->r.ns, typeof(*ns), namespace_list); in tomoyo_read_policy()
1852 struct list_head *list = &ns->policy_list[idx]; in tomoyo_read_policy()
1854 list_for_each_cookie(head->r.acl, list) { in tomoyo_read_policy()
1856 container_of(head->r.acl, typeof(*acl), list); in tomoyo_read_policy()
1857 if (acl->is_deleted) in tomoyo_read_policy()
1869 [ptr->type]); in tomoyo_read_policy()
1870 tomoyo_set_string(head, ptr->program ? in tomoyo_read_policy()
1871 ptr->program->name : "any"); in tomoyo_read_policy()
1873 tomoyo_set_string(head, ptr->domainname ? in tomoyo_read_policy()
1874 ptr->domainname->name : in tomoyo_read_policy()
1886 ptr->original_name->name); in tomoyo_read_policy()
1889 ptr->aggregated_name->name); in tomoyo_read_policy()
1897 head->r.acl = NULL; in tomoyo_read_policy()
1902 * tomoyo_read_exception - Read exception policy.
1910 struct tomoyo_policy_namespace *ns = in tomoyo_read_exception() local
1911 container_of(head->r.ns, typeof(*ns), namespace_list); in tomoyo_read_exception()
1913 if (head->r.eof) in tomoyo_read_exception()
1915 while (head->r.step < TOMOYO_MAX_POLICY && in tomoyo_read_exception()
1916 tomoyo_read_policy(head, head->r.step)) in tomoyo_read_exception()
1917 head->r.step++; in tomoyo_read_exception()
1918 if (head->r.step < TOMOYO_MAX_POLICY) in tomoyo_read_exception()
1920 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP && in tomoyo_read_exception()
1921 tomoyo_read_group(head, head->r.step - TOMOYO_MAX_POLICY)) in tomoyo_read_exception()
1922 head->r.step++; in tomoyo_read_exception()
1923 if (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP) in tomoyo_read_exception()
1925 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP in tomoyo_read_exception()
1927 head->r.acl_group_index = head->r.step - TOMOYO_MAX_POLICY in tomoyo_read_exception()
1928 - TOMOYO_MAX_GROUP; in tomoyo_read_exception()
1929 if (!tomoyo_read_domain2(head, &ns->acl_group in tomoyo_read_exception()
1930 [head->r.acl_group_index])) in tomoyo_read_exception()
1932 head->r.step++; in tomoyo_read_exception()
1934 head->r.eof = true; in tomoyo_read_exception()
1937 /* Wait queue for kernel -> userspace notification. */
1939 /* Wait queue for userspace -> kernel notification. */
1967 * tomoyo_truncate - Truncate a line.
1984 * tomoyo_add_entry - Add an ACL to current thread's domain. Used by learning mode.
2026 snprintf(buffer, len - 1, "%s", cp); in tomoyo_add_entry()
2034 if (!tomoyo_write_domain2(domain->ns, &domain->acl_info_list, buffer, in tomoyo_add_entry()
2041 * tomoyo_supervisor - Ask for the supervisor's decision.
2049 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise.
2068 if (r->granted) in tomoyo_supervisor()
2070 if (r->mode) in tomoyo_supervisor()
2071 tomoyo_update_stat(r->mode); in tomoyo_supervisor()
2072 switch (r->mode) { in tomoyo_supervisor()
2074 error = -EPERM; in tomoyo_supervisor()
2095 tomoyo_add_entry(r->domain, entry.query); in tomoyo_supervisor()
2099 entry.domain = r->domain; in tomoyo_supervisor()
2107 entry.retry = r->retry; in tomoyo_supervisor()
2125 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] -= len; in tomoyo_supervisor()
2130 r->retry++; in tomoyo_supervisor()
2146 * tomoyo_find_domain_by_qid - Get domain by query id.
2160 if (ptr->serial != serial) in tomoyo_find_domain_by_qid()
2162 domain = ptr->domain; in tomoyo_find_domain_by_qid()
2170 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query.
2173 * @wait: Pointer to "poll_table".
2179 static __poll_t tomoyo_poll_query(struct file *file, poll_table *wait) in tomoyo_poll_query() argument
2183 poll_wait(file, &tomoyo_query_wait, wait); in tomoyo_poll_query()
2190 * tomoyo_read_query - Read access requests which violated policy in enforcing mode.
2201 if (head->r.w_pos) in tomoyo_read_query()
2203 kfree(head->read_buf); in tomoyo_read_query()
2204 head->read_buf = NULL; in tomoyo_read_query()
2209 if (pos++ != head->r.query_index) in tomoyo_read_query()
2211 len = ptr->query_len; in tomoyo_read_query()
2216 head->r.query_index = 0; in tomoyo_read_query()
2227 if (pos++ != head->r.query_index) in tomoyo_read_query()
2233 if (len == ptr->query_len) in tomoyo_read_query()
2234 snprintf(buf, len + 31, "Q%u-%hu\n%s", ptr->serial, in tomoyo_read_query()
2235 ptr->retry, ptr->query); in tomoyo_read_query()
2240 head->read_buf = buf; in tomoyo_read_query()
2241 head->r.w[head->r.w_pos++] = buf; in tomoyo_read_query()
2242 head->r.query_index++; in tomoyo_read_query()
2249 * tomoyo_write_answer - Write the supervisor's decision.
2253 * Returns 0 on success, -EINVAL otherwise.
2257 char *data = head->write_buf; in tomoyo_write_answer()
2266 ptr->timer = 0; in tomoyo_write_answer()
2270 return -EINVAL; in tomoyo_write_answer()
2275 if (ptr->serial != serial) in tomoyo_write_answer()
2277 ptr->answer = answer; in tomoyo_write_answer()
2279 if (ptr->answer) in tomoyo_write_answer()
2280 list_del_init(&ptr->list); in tomoyo_write_answer()
2296 if (!head->r.eof) { in tomoyo_read_version()
2298 head->r.eof = true; in tomoyo_read_version()
2323 * tomoyo_update_stat - Update statistic counters.
2336 * tomoyo_read_stat - Read statistic data.
2347 if (head->r.eof) in tomoyo_read_stat()
2350 tomoyo_io_printf(head, "Policy %-30s %10u", in tomoyo_read_stat()
2367 tomoyo_io_printf(head, "Memory used by %-22s %10u", in tomoyo_read_stat()
2376 head->r.eof = true; in tomoyo_read_stat()
2380 * tomoyo_write_stat - Set memory quota.
2388 char *data = head->write_buf; in tomoyo_write_stat()
2399 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
2411 return -ENOMEM; in tomoyo_open_control()
2412 mutex_init(&head->io_sem); in tomoyo_open_control()
2413 head->type = type; in tomoyo_open_control()
2417 head->write = tomoyo_write_domain; in tomoyo_open_control()
2418 head->read = tomoyo_read_domain; in tomoyo_open_control()
2422 head->write = tomoyo_write_exception; in tomoyo_open_control()
2423 head->read = tomoyo_read_exception; in tomoyo_open_control()
2427 head->poll = tomoyo_poll_log; in tomoyo_open_control()
2428 head->read = tomoyo_read_log; in tomoyo_open_control()
2432 head->write = tomoyo_write_pid; in tomoyo_open_control()
2433 head->read = tomoyo_read_pid; in tomoyo_open_control()
2437 head->read = tomoyo_read_version; in tomoyo_open_control()
2438 head->readbuf_size = 128; in tomoyo_open_control()
2442 head->write = tomoyo_write_stat; in tomoyo_open_control()
2443 head->read = tomoyo_read_stat; in tomoyo_open_control()
2444 head->readbuf_size = 1024; in tomoyo_open_control()
2448 head->write = tomoyo_write_profile; in tomoyo_open_control()
2449 head->read = tomoyo_read_profile; in tomoyo_open_control()
2452 head->poll = tomoyo_poll_query; in tomoyo_open_control()
2453 head->write = tomoyo_write_answer; in tomoyo_open_control()
2454 head->read = tomoyo_read_query; in tomoyo_open_control()
2458 head->write = tomoyo_write_manager; in tomoyo_open_control()
2459 head->read = tomoyo_read_manager; in tomoyo_open_control()
2462 if (!(file->f_mode & FMODE_READ)) { in tomoyo_open_control()
2467 head->read = NULL; in tomoyo_open_control()
2468 head->poll = NULL; in tomoyo_open_control()
2469 } else if (!head->poll) { in tomoyo_open_control()
2471 if (!head->readbuf_size) in tomoyo_open_control()
2472 head->readbuf_size = 4096 * 2; in tomoyo_open_control()
2473 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); in tomoyo_open_control()
2474 if (!head->read_buf) { in tomoyo_open_control()
2476 return -ENOMEM; in tomoyo_open_control()
2479 if (!(file->f_mode & FMODE_WRITE)) { in tomoyo_open_control()
2484 head->write = NULL; in tomoyo_open_control()
2485 } else if (head->write) { in tomoyo_open_control()
2486 head->writebuf_size = 4096 * 2; in tomoyo_open_control()
2487 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); in tomoyo_open_control()
2488 if (!head->write_buf) { in tomoyo_open_control()
2489 kfree(head->read_buf); in tomoyo_open_control()
2491 return -ENOMEM; in tomoyo_open_control()
2498 * there is some process monitoring /sys/kernel/security/tomoyo/query. in tomoyo_open_control()
2502 file->private_data = head; in tomoyo_open_control()
2508 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface.
2511 * @wait: Pointer to "poll_table". Maybe NULL.
2516 __poll_t tomoyo_poll_control(struct file *file, poll_table *wait) in tomoyo_poll_control() argument
2518 struct tomoyo_io_buffer *head = file->private_data; in tomoyo_poll_control()
2520 if (head->poll) in tomoyo_poll_control()
2521 return head->poll(file, wait) | EPOLLOUT | EPOLLWRNORM; in tomoyo_poll_control()
2526 * tomoyo_set_namespace_cursor - Set namespace to read.
2534 struct list_head *ns; in tomoyo_set_namespace_cursor() local
2536 if (head->type != TOMOYO_EXCEPTIONPOLICY && in tomoyo_set_namespace_cursor()
2537 head->type != TOMOYO_PROFILE) in tomoyo_set_namespace_cursor()
2543 ns = head->r.ns; in tomoyo_set_namespace_cursor()
2544 if (!ns || (head->r.eof && ns->next != &tomoyo_namespace_list)) { in tomoyo_set_namespace_cursor()
2546 memset(&head->r, 0, sizeof(head->r)); in tomoyo_set_namespace_cursor()
2547 head->r.ns = ns ? ns->next : tomoyo_namespace_list.next; in tomoyo_set_namespace_cursor()
2552 * tomoyo_has_more_namespace - Check for unread namespaces.
2560 return (head->type == TOMOYO_EXCEPTIONPOLICY || in tomoyo_has_more_namespace()
2561 head->type == TOMOYO_PROFILE) && head->r.eof && in tomoyo_has_more_namespace()
2562 head->r.ns->next != &tomoyo_namespace_list; in tomoyo_has_more_namespace()
2566 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
2580 if (!head->read) in tomoyo_read_control()
2581 return -EINVAL; in tomoyo_read_control()
2582 if (mutex_lock_interruptible(&head->io_sem)) in tomoyo_read_control()
2583 return -EINTR; in tomoyo_read_control()
2584 head->read_user_buf = buffer; in tomoyo_read_control()
2585 head->read_user_buf_avail = buffer_len; in tomoyo_read_control()
2591 head->read(head); in tomoyo_read_control()
2595 len = head->read_user_buf - buffer; in tomoyo_read_control()
2596 mutex_unlock(&head->io_sem); in tomoyo_read_control()
2601 * tomoyo_parse_policy - Parse a policy line.
2613 head->w.is_delete = !strncmp(line, "delete ", 7); in tomoyo_parse_policy()
2614 if (head->w.is_delete) in tomoyo_parse_policy()
2617 if (head->type == TOMOYO_EXCEPTIONPOLICY || in tomoyo_parse_policy()
2618 head->type == TOMOYO_PROFILE) { in tomoyo_parse_policy()
2624 head->w.ns = tomoyo_assign_namespace(line); in tomoyo_parse_policy()
2627 head->w.ns = NULL; in tomoyo_parse_policy()
2629 head->w.ns = &tomoyo_kernel_namespace; in tomoyo_parse_policy()
2631 if (!head->w.ns) in tomoyo_parse_policy()
2632 return -ENOENT; in tomoyo_parse_policy()
2635 return head->write(head); in tomoyo_parse_policy()
2639 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
2655 if (!head->write) in tomoyo_write_control()
2656 return -EINVAL; in tomoyo_write_control()
2657 if (mutex_lock_interruptible(&head->io_sem)) in tomoyo_write_control()
2658 return -EINTR; in tomoyo_write_control()
2659 cp0 = head->write_buf; in tomoyo_write_control()
2660 head->read_user_buf_avail = 0; in tomoyo_write_control()
2666 if (head->w.avail >= head->writebuf_size - 1) { in tomoyo_write_control()
2667 const int len = head->writebuf_size * 2; in tomoyo_write_control()
2671 error = -ENOMEM; in tomoyo_write_control()
2674 memmove(cp, cp0, head->w.avail); in tomoyo_write_control()
2676 head->write_buf = cp; in tomoyo_write_control()
2678 head->writebuf_size = len; in tomoyo_write_control()
2681 error = -EFAULT; in tomoyo_write_control()
2685 avail_len--; in tomoyo_write_control()
2686 cp0[head->w.avail++] = c; in tomoyo_write_control()
2689 cp0[head->w.avail - 1] = '\0'; in tomoyo_write_control()
2690 head->w.avail = 0; in tomoyo_write_control()
2693 head->w.ns = &tomoyo_kernel_namespace; in tomoyo_write_control()
2694 head->w.domain = NULL; in tomoyo_write_control()
2695 memset(&head->r, 0, sizeof(head->r)); in tomoyo_write_control()
2699 switch (head->type) { in tomoyo_write_control()
2709 head->r.print_transition_related_only = true; in tomoyo_write_control()
2715 error = -EPERM; in tomoyo_write_control()
2720 case -EPERM: in tomoyo_write_control()
2721 error = -EPERM; in tomoyo_write_control()
2724 switch (head->type) { in tomoyo_write_control()
2740 mutex_unlock(&head->io_sem); in tomoyo_write_control()
2745 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
2755 if (head->type == TOMOYO_QUERY && in tomoyo_close_control()
2762 * tomoyo_check_profile - Check all profiles currently assigned to domains are defined.
2773 const u8 profile = domain->profile; in tomoyo_check_profile()
2774 struct tomoyo_policy_namespace *ns = domain->ns; in tomoyo_check_profile() local
2776 if (ns->profile_version == 20110903) { in tomoyo_check_profile()
2779 ns->profile_version = 20150505; in tomoyo_check_profile()
2781 if (ns->profile_version != 20150505) in tomoyo_check_profile()
2783 ns->profile_version); in tomoyo_check_profile()
2784 else if (!ns->profile_ptr[profile]) in tomoyo_check_profile()
2786 profile, domain->domainname->name); in tomoyo_check_profile()
2798 * tomoyo_load_builtin_policy - Load built-in policy.
2807 "0-CONFIG={ mode=learning grant_log=no reject_log=yes }\n"; in tomoyo_load_builtin_policy()
2815 * This include file is manually created and contains built-in policy in tomoyo_load_builtin_policy()
2820 #include "builtin-policy.h" in tomoyo_load_builtin_policy()