1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * security/tomoyo/common.c 4 * 5 * Copyright (C) 2005-2011 NTT DATA CORPORATION 6 */ 7 8 #include <linux/uaccess.h> 9 #include <linux/slab.h> 10 #include <linux/security.h> 11 #include <linux/string_helpers.h> 12 #include "common.h" 13 14 /* String table for operation mode. */ 15 const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = { 16 [TOMOYO_CONFIG_DISABLED] = "disabled", 17 [TOMOYO_CONFIG_LEARNING] = "learning", 18 [TOMOYO_CONFIG_PERMISSIVE] = "permissive", 19 [TOMOYO_CONFIG_ENFORCING] = "enforcing" 20 }; 21 22 /* String table for /sys/kernel/security/tomoyo/profile */ 23 const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX 24 + TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 25 /* CONFIG::file group */ 26 [TOMOYO_MAC_FILE_EXECUTE] = "execute", 27 [TOMOYO_MAC_FILE_OPEN] = "open", 28 [TOMOYO_MAC_FILE_CREATE] = "create", 29 [TOMOYO_MAC_FILE_UNLINK] = "unlink", 30 [TOMOYO_MAC_FILE_GETATTR] = "getattr", 31 [TOMOYO_MAC_FILE_MKDIR] = "mkdir", 32 [TOMOYO_MAC_FILE_RMDIR] = "rmdir", 33 [TOMOYO_MAC_FILE_MKFIFO] = "mkfifo", 34 [TOMOYO_MAC_FILE_MKSOCK] = "mksock", 35 [TOMOYO_MAC_FILE_TRUNCATE] = "truncate", 36 [TOMOYO_MAC_FILE_SYMLINK] = "symlink", 37 [TOMOYO_MAC_FILE_MKBLOCK] = "mkblock", 38 [TOMOYO_MAC_FILE_MKCHAR] = "mkchar", 39 [TOMOYO_MAC_FILE_LINK] = "link", 40 [TOMOYO_MAC_FILE_RENAME] = "rename", 41 [TOMOYO_MAC_FILE_CHMOD] = "chmod", 42 [TOMOYO_MAC_FILE_CHOWN] = "chown", 43 [TOMOYO_MAC_FILE_CHGRP] = "chgrp", 44 [TOMOYO_MAC_FILE_IOCTL] = "ioctl", 45 [TOMOYO_MAC_FILE_CHROOT] = "chroot", 46 [TOMOYO_MAC_FILE_MOUNT] = "mount", 47 [TOMOYO_MAC_FILE_UMOUNT] = "unmount", 48 [TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root", 49 /* CONFIG::network group */ 50 [TOMOYO_MAC_NETWORK_INET_STREAM_BIND] = "inet_stream_bind", 51 [TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN] = "inet_stream_listen", 52 [TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT] = "inet_stream_connect", 53 [TOMOYO_MAC_NETWORK_INET_DGRAM_BIND] = "inet_dgram_bind", 54 [TOMOYO_MAC_NETWORK_INET_DGRAM_SEND] = "inet_dgram_send", 55 [TOMOYO_MAC_NETWORK_INET_RAW_BIND] = "inet_raw_bind", 56 [TOMOYO_MAC_NETWORK_INET_RAW_SEND] = "inet_raw_send", 57 [TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND] = "unix_stream_bind", 58 [TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN] = "unix_stream_listen", 59 [TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT] = "unix_stream_connect", 60 [TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND] = "unix_dgram_bind", 61 [TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND] = "unix_dgram_send", 62 [TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND] = "unix_seqpacket_bind", 63 [TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN] = "unix_seqpacket_listen", 64 [TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] = "unix_seqpacket_connect", 65 /* CONFIG::misc group */ 66 [TOMOYO_MAC_ENVIRON] = "env", 67 /* CONFIG group */ 68 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file", 69 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_NETWORK] = "network", 70 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_MISC] = "misc", 71 }; 72 73 /* String table for conditions. */ 74 const char * const tomoyo_condition_keyword[TOMOYO_MAX_CONDITION_KEYWORD] = { 75 [TOMOYO_TASK_UID] = "task.uid", 76 [TOMOYO_TASK_EUID] = "task.euid", 77 [TOMOYO_TASK_SUID] = "task.suid", 78 [TOMOYO_TASK_FSUID] = "task.fsuid", 79 [TOMOYO_TASK_GID] = "task.gid", 80 [TOMOYO_TASK_EGID] = "task.egid", 81 [TOMOYO_TASK_SGID] = "task.sgid", 82 [TOMOYO_TASK_FSGID] = "task.fsgid", 83 [TOMOYO_TASK_PID] = "task.pid", 84 [TOMOYO_TASK_PPID] = "task.ppid", 85 [TOMOYO_EXEC_ARGC] = "exec.argc", 86 [TOMOYO_EXEC_ENVC] = "exec.envc", 87 [TOMOYO_TYPE_IS_SOCKET] = "socket", 88 [TOMOYO_TYPE_IS_SYMLINK] = "symlink", 89 [TOMOYO_TYPE_IS_FILE] = "file", 90 [TOMOYO_TYPE_IS_BLOCK_DEV] = "block", 91 [TOMOYO_TYPE_IS_DIRECTORY] = "directory", 92 [TOMOYO_TYPE_IS_CHAR_DEV] = "char", 93 [TOMOYO_TYPE_IS_FIFO] = "fifo", 94 [TOMOYO_MODE_SETUID] = "setuid", 95 [TOMOYO_MODE_SETGID] = "setgid", 96 [TOMOYO_MODE_STICKY] = "sticky", 97 [TOMOYO_MODE_OWNER_READ] = "owner_read", 98 [TOMOYO_MODE_OWNER_WRITE] = "owner_write", 99 [TOMOYO_MODE_OWNER_EXECUTE] = "owner_execute", 100 [TOMOYO_MODE_GROUP_READ] = "group_read", 101 [TOMOYO_MODE_GROUP_WRITE] = "group_write", 102 [TOMOYO_MODE_GROUP_EXECUTE] = "group_execute", 103 [TOMOYO_MODE_OTHERS_READ] = "others_read", 104 [TOMOYO_MODE_OTHERS_WRITE] = "others_write", 105 [TOMOYO_MODE_OTHERS_EXECUTE] = "others_execute", 106 [TOMOYO_EXEC_REALPATH] = "exec.realpath", 107 [TOMOYO_SYMLINK_TARGET] = "symlink.target", 108 [TOMOYO_PATH1_UID] = "path1.uid", 109 [TOMOYO_PATH1_GID] = "path1.gid", 110 [TOMOYO_PATH1_INO] = "path1.ino", 111 [TOMOYO_PATH1_MAJOR] = "path1.major", 112 [TOMOYO_PATH1_MINOR] = "path1.minor", 113 [TOMOYO_PATH1_PERM] = "path1.perm", 114 [TOMOYO_PATH1_TYPE] = "path1.type", 115 [TOMOYO_PATH1_DEV_MAJOR] = "path1.dev_major", 116 [TOMOYO_PATH1_DEV_MINOR] = "path1.dev_minor", 117 [TOMOYO_PATH2_UID] = "path2.uid", 118 [TOMOYO_PATH2_GID] = "path2.gid", 119 [TOMOYO_PATH2_INO] = "path2.ino", 120 [TOMOYO_PATH2_MAJOR] = "path2.major", 121 [TOMOYO_PATH2_MINOR] = "path2.minor", 122 [TOMOYO_PATH2_PERM] = "path2.perm", 123 [TOMOYO_PATH2_TYPE] = "path2.type", 124 [TOMOYO_PATH2_DEV_MAJOR] = "path2.dev_major", 125 [TOMOYO_PATH2_DEV_MINOR] = "path2.dev_minor", 126 [TOMOYO_PATH1_PARENT_UID] = "path1.parent.uid", 127 [TOMOYO_PATH1_PARENT_GID] = "path1.parent.gid", 128 [TOMOYO_PATH1_PARENT_INO] = "path1.parent.ino", 129 [TOMOYO_PATH1_PARENT_PERM] = "path1.parent.perm", 130 [TOMOYO_PATH2_PARENT_UID] = "path2.parent.uid", 131 [TOMOYO_PATH2_PARENT_GID] = "path2.parent.gid", 132 [TOMOYO_PATH2_PARENT_INO] = "path2.parent.ino", 133 [TOMOYO_PATH2_PARENT_PERM] = "path2.parent.perm", 134 }; 135 136 /* String table for PREFERENCE keyword. */ 137 static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = { 138 [TOMOYO_PREF_MAX_AUDIT_LOG] = "max_audit_log", 139 [TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", 140 }; 141 142 /* String table for path operation. */ 143 const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = { 144 [TOMOYO_TYPE_EXECUTE] = "execute", 145 [TOMOYO_TYPE_READ] = "read", 146 [TOMOYO_TYPE_WRITE] = "write", 147 [TOMOYO_TYPE_APPEND] = "append", 148 [TOMOYO_TYPE_UNLINK] = "unlink", 149 [TOMOYO_TYPE_GETATTR] = "getattr", 150 [TOMOYO_TYPE_RMDIR] = "rmdir", 151 [TOMOYO_TYPE_TRUNCATE] = "truncate", 152 [TOMOYO_TYPE_SYMLINK] = "symlink", 153 [TOMOYO_TYPE_CHROOT] = "chroot", 154 [TOMOYO_TYPE_UMOUNT] = "unmount", 155 }; 156 157 /* String table for socket's operation. */ 158 const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION] = { 159 [TOMOYO_NETWORK_BIND] = "bind", 160 [TOMOYO_NETWORK_LISTEN] = "listen", 161 [TOMOYO_NETWORK_CONNECT] = "connect", 162 [TOMOYO_NETWORK_SEND] = "send", 163 }; 164 165 /* String table for categories. */ 166 static const char * const tomoyo_category_keywords 167 [TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 168 [TOMOYO_MAC_CATEGORY_FILE] = "file", 169 [TOMOYO_MAC_CATEGORY_NETWORK] = "network", 170 [TOMOYO_MAC_CATEGORY_MISC] = "misc", 171 }; 172 173 /* Permit policy management by non-root user? */ 174 static bool tomoyo_manage_by_non_root; 175 176 /* Utility functions. */ 177 178 /** 179 * tomoyo_addprintf - strncat()-like-snprintf(). 180 * 181 * @buffer: Buffer to write to. Must be '\0'-terminated. 182 * @len: Size of @buffer. 183 * @fmt: The printf()'s format string, followed by parameters. 184 * 185 * Returns nothing. 186 */ 187 __printf(3, 4) 188 static void tomoyo_addprintf(char *buffer, int len, const char *fmt, ...) 189 { 190 va_list args; 191 const int pos = strlen(buffer); 192 193 va_start(args, fmt); 194 vsnprintf(buffer + pos, len - pos - 1, fmt, args); 195 va_end(args); 196 } 197 198 /** 199 * tomoyo_flush - Flush queued string to userspace's buffer. 200 * 201 * @head: Pointer to "struct tomoyo_io_buffer". 202 * 203 * Returns true if all data was flushed, false otherwise. 204 */ 205 static bool tomoyo_flush(struct tomoyo_io_buffer *head) 206 { 207 while (head->r.w_pos) { 208 const char *w = head->r.w[0]; 209 size_t len = strlen(w); 210 211 if (len) { 212 if (len > head->read_user_buf_avail) 213 len = head->read_user_buf_avail; 214 if (!len) 215 return false; 216 if (copy_to_user(head->read_user_buf, w, len)) 217 return false; 218 head->read_user_buf_avail -= len; 219 head->read_user_buf += len; 220 w += len; 221 } 222 head->r.w[0] = w; 223 if (*w) 224 return false; 225 /* Add '\0' for audit logs and query. */ 226 if (head->poll) { 227 if (!head->read_user_buf_avail || 228 copy_to_user(head->read_user_buf, "", 1)) 229 return false; 230 head->read_user_buf_avail--; 231 head->read_user_buf++; 232 } 233 head->r.w_pos--; 234 for (len = 0; len < head->r.w_pos; len++) 235 head->r.w[len] = head->r.w[len + 1]; 236 } 237 head->r.avail = 0; 238 return true; 239 } 240 241 /** 242 * tomoyo_set_string - Queue string to "struct tomoyo_io_buffer" structure. 243 * 244 * @head: Pointer to "struct tomoyo_io_buffer". 245 * @string: String to print. 246 * 247 * Note that @string has to be kept valid until @head is kfree()d. 248 * This means that char[] allocated on stack memory cannot be passed to 249 * this function. Use tomoyo_io_printf() for char[] allocated on stack memory. 250 */ 251 static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string) 252 { 253 if (head->r.w_pos < TOMOYO_MAX_IO_READ_QUEUE) { 254 head->r.w[head->r.w_pos++] = string; 255 tomoyo_flush(head); 256 } else 257 WARN_ON(1); 258 } 259 260 static void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, 261 ...) __printf(2, 3); 262 263 /** 264 * tomoyo_io_printf - printf() to "struct tomoyo_io_buffer" structure. 265 * 266 * @head: Pointer to "struct tomoyo_io_buffer". 267 * @fmt: The printf()'s format string, followed by parameters. 268 */ 269 static void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, 270 ...) 271 __must_hold(&head->io_sem) 272 { 273 va_list args; 274 size_t len; 275 size_t pos = head->r.avail; 276 int size = head->readbuf_size - pos; 277 278 if (size <= 0) 279 return; 280 va_start(args, fmt); 281 len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1; 282 va_end(args); 283 if (pos + len >= head->readbuf_size) { 284 WARN_ON(1); 285 return; 286 } 287 head->r.avail += len; 288 tomoyo_set_string(head, head->read_buf + pos); 289 } 290 291 /** 292 * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure. 293 * 294 * @head: Pointer to "struct tomoyo_io_buffer". 295 * 296 * Returns nothing. 297 */ 298 static void tomoyo_set_space(struct tomoyo_io_buffer *head) 299 { 300 tomoyo_set_string(head, " "); 301 } 302 303 /** 304 * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure. 305 * 306 * @head: Pointer to "struct tomoyo_io_buffer". 307 * 308 * Returns nothing. 309 */ 310 static bool tomoyo_set_lf(struct tomoyo_io_buffer *head) 311 { 312 tomoyo_set_string(head, "\n"); 313 return !head->r.w_pos; 314 } 315 316 /** 317 * tomoyo_set_slash - Put a shash to "struct tomoyo_io_buffer" structure. 318 * 319 * @head: Pointer to "struct tomoyo_io_buffer". 320 * 321 * Returns nothing. 322 */ 323 static void tomoyo_set_slash(struct tomoyo_io_buffer *head) 324 { 325 tomoyo_set_string(head, "/"); 326 } 327 328 /* List of namespaces. */ 329 LIST_HEAD(tomoyo_namespace_list); 330 /* True if namespace other than tomoyo_kernel_namespace is defined. */ 331 static bool tomoyo_namespace_enabled; 332 333 /** 334 * tomoyo_init_policy_namespace - Initialize namespace. 335 * 336 * @ns: Pointer to "struct tomoyo_policy_namespace". 337 * 338 * Returns nothing. 339 */ 340 void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns) 341 { 342 unsigned int idx; 343 344 for (idx = 0; idx < TOMOYO_MAX_ACL_GROUPS; idx++) 345 INIT_LIST_HEAD(&ns->acl_group[idx]); 346 for (idx = 0; idx < TOMOYO_MAX_GROUP; idx++) 347 INIT_LIST_HEAD(&ns->group_list[idx]); 348 for (idx = 0; idx < TOMOYO_MAX_POLICY; idx++) 349 INIT_LIST_HEAD(&ns->policy_list[idx]); 350 ns->profile_version = 20150505; 351 tomoyo_namespace_enabled = !list_empty(&tomoyo_namespace_list); 352 list_add_tail_rcu(&ns->namespace_list, &tomoyo_namespace_list); 353 } 354 355 /** 356 * tomoyo_print_namespace - Print namespace header. 357 * 358 * @head: Pointer to "struct tomoyo_io_buffer". 359 * 360 * Returns nothing. 361 */ 362 static void tomoyo_print_namespace(struct tomoyo_io_buffer *head) 363 { 364 if (!tomoyo_namespace_enabled) 365 return; 366 tomoyo_set_string(head, 367 container_of(head->r.ns, 368 struct tomoyo_policy_namespace, 369 namespace_list)->name); 370 tomoyo_set_space(head); 371 } 372 373 /** 374 * tomoyo_print_name_union - Print a tomoyo_name_union. 375 * 376 * @head: Pointer to "struct tomoyo_io_buffer". 377 * @ptr: Pointer to "struct tomoyo_name_union". 378 */ 379 static void tomoyo_print_name_union(struct tomoyo_io_buffer *head, 380 const struct tomoyo_name_union *ptr) 381 { 382 tomoyo_set_space(head); 383 if (ptr->group) { 384 tomoyo_set_string(head, "@"); 385 tomoyo_set_string(head, ptr->group->group_name->name); 386 } else { 387 tomoyo_set_string(head, ptr->filename->name); 388 } 389 } 390 391 /** 392 * tomoyo_print_name_union_quoted - Print a tomoyo_name_union with a quote. 393 * 394 * @head: Pointer to "struct tomoyo_io_buffer". 395 * @ptr: Pointer to "struct tomoyo_name_union". 396 * 397 * Returns nothing. 398 */ 399 static void tomoyo_print_name_union_quoted(struct tomoyo_io_buffer *head, 400 const struct tomoyo_name_union *ptr) 401 { 402 if (ptr->group) { 403 tomoyo_set_string(head, "@"); 404 tomoyo_set_string(head, ptr->group->group_name->name); 405 } else { 406 tomoyo_set_string(head, "\""); 407 tomoyo_set_string(head, ptr->filename->name); 408 tomoyo_set_string(head, "\""); 409 } 410 } 411 412 /** 413 * tomoyo_print_number_union_nospace - Print a tomoyo_number_union without a space. 414 * 415 * @head: Pointer to "struct tomoyo_io_buffer". 416 * @ptr: Pointer to "struct tomoyo_number_union". 417 * 418 * Returns nothing. 419 */ 420 static void 421 tomoyo_print_number_union_nospace(struct tomoyo_io_buffer *head, const struct tomoyo_number_union *ptr) 422 __must_hold(&head->io_sem) 423 { 424 if (ptr->group) { 425 tomoyo_set_string(head, "@"); 426 tomoyo_set_string(head, ptr->group->group_name->name); 427 } else { 428 int i; 429 unsigned long min = ptr->values[0]; 430 const unsigned long max = ptr->values[1]; 431 u8 min_type = ptr->value_type[0]; 432 const u8 max_type = ptr->value_type[1]; 433 char buffer[128]; 434 435 buffer[0] = '\0'; 436 for (i = 0; i < 2; i++) { 437 switch (min_type) { 438 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 439 tomoyo_addprintf(buffer, sizeof(buffer), 440 "0x%lX", min); 441 break; 442 case TOMOYO_VALUE_TYPE_OCTAL: 443 tomoyo_addprintf(buffer, sizeof(buffer), 444 "0%lo", min); 445 break; 446 default: 447 tomoyo_addprintf(buffer, sizeof(buffer), "%lu", 448 min); 449 break; 450 } 451 if (min == max && min_type == max_type) 452 break; 453 tomoyo_addprintf(buffer, sizeof(buffer), "-"); 454 min_type = max_type; 455 min = max; 456 } 457 tomoyo_io_printf(head, "%s", buffer); 458 } 459 } 460 461 /** 462 * tomoyo_print_number_union - Print a tomoyo_number_union. 463 * 464 * @head: Pointer to "struct tomoyo_io_buffer". 465 * @ptr: Pointer to "struct tomoyo_number_union". 466 * 467 * Returns nothing. 468 */ 469 static void tomoyo_print_number_union(struct tomoyo_io_buffer *head, 470 const struct tomoyo_number_union *ptr) 471 __must_hold(&head->io_sem) 472 { 473 tomoyo_set_space(head); 474 tomoyo_print_number_union_nospace(head, ptr); 475 } 476 477 /** 478 * tomoyo_assign_profile - Create a new profile. 479 * 480 * @ns: Pointer to "struct tomoyo_policy_namespace". 481 * @profile: Profile number to create. 482 * 483 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 484 */ 485 static struct tomoyo_profile *tomoyo_assign_profile 486 (struct tomoyo_policy_namespace *ns, const unsigned int profile) 487 { 488 struct tomoyo_profile *ptr; 489 struct tomoyo_profile *entry; 490 491 if (profile >= TOMOYO_MAX_PROFILES) 492 return NULL; 493 ptr = ns->profile_ptr[profile]; 494 if (ptr) 495 return ptr; 496 entry = kzalloc(sizeof(*entry), GFP_NOFS | __GFP_NOWARN); 497 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 498 goto out; 499 ptr = ns->profile_ptr[profile]; 500 if (!ptr && tomoyo_memory_ok(entry)) { 501 ptr = entry; 502 ptr->default_config = TOMOYO_CONFIG_DISABLED | 503 TOMOYO_CONFIG_WANT_GRANT_LOG | 504 TOMOYO_CONFIG_WANT_REJECT_LOG; 505 memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT, 506 sizeof(ptr->config)); 507 ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] = 508 CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG; 509 ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = 510 CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY; 511 mb(); /* Avoid out-of-order execution. */ 512 ns->profile_ptr[profile] = ptr; 513 entry = NULL; 514 } 515 mutex_unlock(&tomoyo_policy_lock); 516 out: 517 kfree(entry); 518 return ptr; 519 } 520 521 /** 522 * tomoyo_profile - Find a profile. 523 * 524 * @ns: Pointer to "struct tomoyo_policy_namespace". 525 * @profile: Profile number to find. 526 * 527 * Returns pointer to "struct tomoyo_profile". 528 */ 529 struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns, 530 const u8 profile) 531 { 532 static struct tomoyo_profile tomoyo_null_profile; 533 struct tomoyo_profile *ptr = ns->profile_ptr[profile]; 534 535 if (!ptr) 536 ptr = &tomoyo_null_profile; 537 return ptr; 538 } 539 540 /** 541 * tomoyo_find_yesno - Find values for specified keyword. 542 * 543 * @string: String to check. 544 * @find: Name of keyword. 545 * 546 * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise. 547 */ 548 static s8 tomoyo_find_yesno(const char *string, const char *find) 549 { 550 const char *cp = strstr(string, find); 551 552 if (cp) { 553 cp += strlen(find); 554 if (!strncmp(cp, "=yes", 4)) 555 return 1; 556 else if (!strncmp(cp, "=no", 3)) 557 return 0; 558 } 559 return -1; 560 } 561 562 /** 563 * tomoyo_set_uint - Set value for specified preference. 564 * 565 * @i: Pointer to "unsigned int". 566 * @string: String to check. 567 * @find: Name of keyword. 568 * 569 * Returns nothing. 570 */ 571 static void tomoyo_set_uint(unsigned int *i, const char *string, 572 const char *find) 573 { 574 const char *cp = strstr(string, find); 575 576 if (cp) 577 sscanf(cp + strlen(find), "=%u", i); 578 } 579 580 /** 581 * tomoyo_set_mode - Set mode for specified profile. 582 * 583 * @name: Name of functionality. 584 * @value: Mode for @name. 585 * @profile: Pointer to "struct tomoyo_profile". 586 * 587 * Returns 0 on success, negative value otherwise. 588 */ 589 static int tomoyo_set_mode(char *name, const char *value, 590 struct tomoyo_profile *profile) 591 { 592 u8 i; 593 u8 config; 594 595 if (!strcmp(name, "CONFIG")) { 596 i = TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX; 597 config = profile->default_config; 598 } else if (tomoyo_str_starts(&name, "CONFIG::")) { 599 config = 0; 600 for (i = 0; i < TOMOYO_MAX_MAC_INDEX 601 + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) { 602 int len = 0; 603 604 if (i < TOMOYO_MAX_MAC_INDEX) { 605 const u8 c = tomoyo_index2category[i]; 606 const char *category = 607 tomoyo_category_keywords[c]; 608 609 len = strlen(category); 610 if (strncmp(name, category, len) || 611 name[len++] != ':' || name[len++] != ':') 612 continue; 613 } 614 if (strcmp(name + len, tomoyo_mac_keywords[i])) 615 continue; 616 config = profile->config[i]; 617 break; 618 } 619 if (i == TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 620 return -EINVAL; 621 } else { 622 return -EINVAL; 623 } 624 if (strstr(value, "use_default")) { 625 config = TOMOYO_CONFIG_USE_DEFAULT; 626 } else { 627 u8 mode; 628 629 for (mode = 0; mode < 4; mode++) 630 if (strstr(value, tomoyo_mode[mode])) 631 /* 632 * Update lower 3 bits in order to distinguish 633 * 'config' from 'TOMOYO_CONFIG_USE_DEFAULT'. 634 */ 635 config = (config & ~7) | mode; 636 if (config != TOMOYO_CONFIG_USE_DEFAULT) { 637 switch (tomoyo_find_yesno(value, "grant_log")) { 638 case 1: 639 config |= TOMOYO_CONFIG_WANT_GRANT_LOG; 640 break; 641 case 0: 642 config &= ~TOMOYO_CONFIG_WANT_GRANT_LOG; 643 break; 644 } 645 switch (tomoyo_find_yesno(value, "reject_log")) { 646 case 1: 647 config |= TOMOYO_CONFIG_WANT_REJECT_LOG; 648 break; 649 case 0: 650 config &= ~TOMOYO_CONFIG_WANT_REJECT_LOG; 651 break; 652 } 653 } 654 } 655 if (i < TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 656 profile->config[i] = config; 657 else if (config != TOMOYO_CONFIG_USE_DEFAULT) 658 profile->default_config = config; 659 return 0; 660 } 661 662 /** 663 * tomoyo_write_profile - Write profile table. 664 * 665 * @head: Pointer to "struct tomoyo_io_buffer". 666 * 667 * Returns 0 on success, negative value otherwise. 668 */ 669 static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 670 __must_hold(&head->io_sem) 671 { 672 char *data = head->write_buf; 673 unsigned int i; 674 char *cp; 675 struct tomoyo_profile *profile; 676 677 if (sscanf(data, "PROFILE_VERSION=%u", &head->w.ns->profile_version) 678 == 1) 679 return 0; 680 i = simple_strtoul(data, &cp, 10); 681 if (*cp != '-') 682 return -EINVAL; 683 data = cp + 1; 684 profile = tomoyo_assign_profile(head->w.ns, i); 685 if (!profile) 686 return -EINVAL; 687 cp = strchr(data, '='); 688 if (!cp) 689 return -EINVAL; 690 *cp++ = '\0'; 691 if (!strcmp(data, "COMMENT")) { 692 static DEFINE_SPINLOCK(lock); 693 const struct tomoyo_path_info *new_comment 694 = tomoyo_get_name(cp); 695 const struct tomoyo_path_info *old_comment; 696 697 if (!new_comment) 698 return -ENOMEM; 699 spin_lock(&lock); 700 old_comment = profile->comment; 701 profile->comment = new_comment; 702 spin_unlock(&lock); 703 tomoyo_put_name(old_comment); 704 return 0; 705 } 706 if (!strcmp(data, "PREFERENCE")) { 707 for (i = 0; i < TOMOYO_MAX_PREF; i++) 708 tomoyo_set_uint(&profile->pref[i], cp, 709 tomoyo_pref_keywords[i]); 710 return 0; 711 } 712 return tomoyo_set_mode(data, cp, profile); 713 } 714 715 /** 716 * tomoyo_print_config - Print mode for specified functionality. 717 * 718 * @head: Pointer to "struct tomoyo_io_buffer". 719 * @config: Mode for that functionality. 720 * 721 * Returns nothing. 722 * 723 * Caller prints functionality's name. 724 */ 725 static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config) 726 __must_hold(&head->io_sem) 727 { 728 tomoyo_io_printf(head, "={ mode=%s grant_log=%s reject_log=%s }\n", 729 tomoyo_mode[config & 3], 730 str_yes_no(config & TOMOYO_CONFIG_WANT_GRANT_LOG), 731 str_yes_no(config & TOMOYO_CONFIG_WANT_REJECT_LOG)); 732 } 733 734 /** 735 * tomoyo_read_profile - Read profile table. 736 * 737 * @head: Pointer to "struct tomoyo_io_buffer". 738 * 739 * Returns nothing. 740 */ 741 static void tomoyo_read_profile(struct tomoyo_io_buffer *head) 742 __must_hold(&head->io_sem) 743 { 744 u8 index; 745 struct tomoyo_policy_namespace *ns = 746 container_of(head->r.ns, typeof(*ns), namespace_list); 747 const struct tomoyo_profile *profile; 748 749 if (head->r.eof) 750 return; 751 next: 752 index = head->r.index; 753 profile = ns->profile_ptr[index]; 754 switch (head->r.step) { 755 case 0: 756 tomoyo_print_namespace(head); 757 tomoyo_io_printf(head, "PROFILE_VERSION=%u\n", 758 ns->profile_version); 759 head->r.step++; 760 break; 761 case 1: 762 for ( ; head->r.index < TOMOYO_MAX_PROFILES; 763 head->r.index++) 764 if (ns->profile_ptr[head->r.index]) 765 break; 766 if (head->r.index == TOMOYO_MAX_PROFILES) { 767 head->r.eof = true; 768 return; 769 } 770 head->r.step++; 771 break; 772 case 2: 773 { 774 u8 i; 775 const struct tomoyo_path_info *comment = 776 profile->comment; 777 778 tomoyo_print_namespace(head); 779 tomoyo_io_printf(head, "%u-COMMENT=", index); 780 tomoyo_set_string(head, comment ? comment->name : ""); 781 tomoyo_set_lf(head); 782 tomoyo_print_namespace(head); 783 tomoyo_io_printf(head, "%u-PREFERENCE={ ", index); 784 for (i = 0; i < TOMOYO_MAX_PREF; i++) 785 tomoyo_io_printf(head, "%s=%u ", 786 tomoyo_pref_keywords[i], 787 profile->pref[i]); 788 tomoyo_set_string(head, "}\n"); 789 head->r.step++; 790 } 791 break; 792 case 3: 793 { 794 tomoyo_print_namespace(head); 795 tomoyo_io_printf(head, "%u-%s", index, "CONFIG"); 796 tomoyo_print_config(head, profile->default_config); 797 head->r.bit = 0; 798 head->r.step++; 799 } 800 break; 801 case 4: 802 for ( ; head->r.bit < TOMOYO_MAX_MAC_INDEX 803 + TOMOYO_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { 804 const u8 i = head->r.bit; 805 const u8 config = profile->config[i]; 806 807 if (config == TOMOYO_CONFIG_USE_DEFAULT) 808 continue; 809 tomoyo_print_namespace(head); 810 if (i < TOMOYO_MAX_MAC_INDEX) 811 tomoyo_io_printf(head, "%u-CONFIG::%s::%s", 812 index, 813 tomoyo_category_keywords 814 [tomoyo_index2category[i]], 815 tomoyo_mac_keywords[i]); 816 else 817 tomoyo_io_printf(head, "%u-CONFIG::%s", index, 818 tomoyo_mac_keywords[i]); 819 tomoyo_print_config(head, config); 820 head->r.bit++; 821 break; 822 } 823 if (head->r.bit == TOMOYO_MAX_MAC_INDEX 824 + TOMOYO_MAX_MAC_CATEGORY_INDEX) { 825 head->r.index++; 826 head->r.step = 1; 827 } 828 break; 829 } 830 if (tomoyo_flush(head)) 831 goto next; 832 } 833 834 /** 835 * tomoyo_same_manager - Check for duplicated "struct tomoyo_manager" entry. 836 * 837 * @a: Pointer to "struct tomoyo_acl_head". 838 * @b: Pointer to "struct tomoyo_acl_head". 839 * 840 * Returns true if @a == @b, false otherwise. 841 */ 842 static bool tomoyo_same_manager(const struct tomoyo_acl_head *a, 843 const struct tomoyo_acl_head *b) 844 { 845 return container_of(a, struct tomoyo_manager, head)->manager == 846 container_of(b, struct tomoyo_manager, head)->manager; 847 } 848 849 /** 850 * tomoyo_update_manager_entry - Add a manager entry. 851 * 852 * @manager: The path to manager or the domainnamme. 853 * @is_delete: True if it is a delete request. 854 * 855 * Returns 0 on success, negative value otherwise. 856 * 857 * Caller holds tomoyo_read_lock(). 858 */ 859 static int tomoyo_update_manager_entry(const char *manager, 860 const bool is_delete) 861 __must_hold_shared(&tomoyo_ss) 862 { 863 struct tomoyo_manager e = { }; 864 struct tomoyo_acl_param param = { 865 /* .ns = &tomoyo_kernel_namespace, */ 866 .is_delete = is_delete, 867 .list = &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER], 868 }; 869 int error = is_delete ? -ENOENT : -ENOMEM; 870 871 if (!tomoyo_correct_domain(manager) && 872 !tomoyo_correct_word(manager)) 873 return -EINVAL; 874 e.manager = tomoyo_get_name(manager); 875 if (e.manager) { 876 error = tomoyo_update_policy(&e.head, sizeof(e), ¶m, 877 tomoyo_same_manager); 878 tomoyo_put_name(e.manager); 879 } 880 return error; 881 } 882 883 /** 884 * tomoyo_write_manager - Write manager policy. 885 * 886 * @head: Pointer to "struct tomoyo_io_buffer". 887 * 888 * Returns 0 on success, negative value otherwise. 889 * 890 * Caller holds tomoyo_read_lock(). 891 */ 892 static int tomoyo_write_manager(struct tomoyo_io_buffer *head) 893 __must_hold_shared(&tomoyo_ss) 894 __must_hold(&head->io_sem) 895 { 896 char *data = head->write_buf; 897 898 if (!strcmp(data, "manage_by_non_root")) { 899 tomoyo_manage_by_non_root = !head->w.is_delete; 900 return 0; 901 } 902 return tomoyo_update_manager_entry(data, head->w.is_delete); 903 } 904 905 /** 906 * tomoyo_read_manager - Read manager policy. 907 * 908 * @head: Pointer to "struct tomoyo_io_buffer". 909 * 910 * Caller holds tomoyo_read_lock(). 911 */ 912 static void tomoyo_read_manager(struct tomoyo_io_buffer *head) 913 __must_hold_shared(&tomoyo_ss) 914 { 915 if (head->r.eof) 916 return; 917 list_for_each_cookie(head->r.acl, &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER]) { 918 struct tomoyo_manager *ptr = 919 list_entry(head->r.acl, typeof(*ptr), head.list); 920 921 if (ptr->head.is_deleted) 922 continue; 923 if (!tomoyo_flush(head)) 924 return; 925 tomoyo_set_string(head, ptr->manager->name); 926 tomoyo_set_lf(head); 927 } 928 head->r.eof = true; 929 } 930 931 /** 932 * tomoyo_manager - Check whether the current process is a policy manager. 933 * 934 * Returns true if the current process is permitted to modify policy 935 * via /sys/kernel/security/tomoyo/ interface. 936 * 937 * Caller holds tomoyo_read_lock(). 938 */ 939 static bool tomoyo_manager(void) 940 __must_hold_shared(&tomoyo_ss) 941 { 942 struct tomoyo_manager *ptr; 943 const char *exe; 944 const struct task_struct *task = current; 945 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 946 bool found = IS_ENABLED(CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING); 947 948 if (!tomoyo_policy_loaded) 949 return true; 950 if (!tomoyo_manage_by_non_root && 951 (!uid_eq(task->cred->uid, GLOBAL_ROOT_UID) || 952 !uid_eq(task->cred->euid, GLOBAL_ROOT_UID))) 953 return false; 954 exe = tomoyo_get_exe(); 955 if (!exe) 956 return false; 957 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER], head.list, 958 srcu_read_lock_held(&tomoyo_ss)) { 959 if (!ptr->head.is_deleted && 960 (!tomoyo_pathcmp(domainname, ptr->manager) || 961 !strcmp(exe, ptr->manager->name))) { 962 found = true; 963 break; 964 } 965 } 966 if (!found) { /* Reduce error messages. */ 967 static pid_t last_pid; 968 const pid_t pid = current->pid; 969 970 if (last_pid != pid) { 971 pr_warn("%s ( %s ) is not permitted to update policies.\n", 972 domainname->name, exe); 973 last_pid = pid; 974 } 975 } 976 kfree(exe); 977 return found; 978 } 979 980 static struct tomoyo_domain_info *tomoyo_find_domain_by_qid 981 (unsigned int serial); 982 983 /** 984 * tomoyo_select_domain - Parse select command. 985 * 986 * @head: Pointer to "struct tomoyo_io_buffer". 987 * @data: String to parse. 988 * 989 * Returns true on success, false otherwise. 990 * 991 * Caller holds tomoyo_read_lock(). 992 */ 993 static bool tomoyo_select_domain(struct tomoyo_io_buffer *head, 994 const char *data) 995 __must_hold_shared(&tomoyo_ss) 996 __must_hold(&head->io_sem) 997 { 998 unsigned int pid; 999 struct tomoyo_domain_info *domain = NULL; 1000 bool global_pid = false; 1001 1002 if (strncmp(data, "select ", 7)) 1003 return false; 1004 data += 7; 1005 if (sscanf(data, "pid=%u", &pid) == 1 || 1006 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { 1007 struct task_struct *p; 1008 1009 rcu_read_lock(); 1010 if (global_pid) 1011 p = find_task_by_pid_ns(pid, &init_pid_ns); 1012 else 1013 p = find_task_by_vpid(pid); 1014 if (p) 1015 domain = tomoyo_task(p)->domain_info; 1016 rcu_read_unlock(); 1017 } else if (!strncmp(data, "domain=", 7)) { 1018 if (tomoyo_domain_def(data + 7)) 1019 domain = tomoyo_find_domain(data + 7); 1020 } else if (sscanf(data, "Q=%u", &pid) == 1) { 1021 domain = tomoyo_find_domain_by_qid(pid); 1022 } else 1023 return false; 1024 head->w.domain = domain; 1025 /* Accessing read_buf is safe because head->io_sem is held. */ 1026 if (!head->read_buf) 1027 return true; /* Do nothing if open(O_WRONLY). */ 1028 memset(&head->r, 0, sizeof(head->r)); 1029 head->r.print_this_domain_only = true; 1030 if (domain) 1031 head->r.domain = &domain->list; 1032 else 1033 head->r.eof = true; 1034 tomoyo_io_printf(head, "# select %s\n", data); 1035 if (domain && domain->is_deleted) 1036 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 1037 return true; 1038 } 1039 1040 /** 1041 * tomoyo_same_task_acl - Check for duplicated "struct tomoyo_task_acl" entry. 1042 * 1043 * @a: Pointer to "struct tomoyo_acl_info". 1044 * @b: Pointer to "struct tomoyo_acl_info". 1045 * 1046 * Returns true if @a == @b, false otherwise. 1047 */ 1048 static bool tomoyo_same_task_acl(const struct tomoyo_acl_info *a, 1049 const struct tomoyo_acl_info *b) 1050 { 1051 const struct tomoyo_task_acl *p1 = container_of(a, typeof(*p1), head); 1052 const struct tomoyo_task_acl *p2 = container_of(b, typeof(*p2), head); 1053 1054 return p1->domainname == p2->domainname; 1055 } 1056 1057 /** 1058 * tomoyo_write_task - Update task related list. 1059 * 1060 * @param: Pointer to "struct tomoyo_acl_param". 1061 * 1062 * Returns 0 on success, negative value otherwise. 1063 * 1064 * Caller holds tomoyo_read_lock(). 1065 */ 1066 static int tomoyo_write_task(struct tomoyo_acl_param *param) 1067 __must_hold_shared(&tomoyo_ss) 1068 { 1069 int error = -EINVAL; 1070 1071 if (tomoyo_str_starts(¶m->data, "manual_domain_transition ")) { 1072 struct tomoyo_task_acl e = { 1073 .head.type = TOMOYO_TYPE_MANUAL_TASK_ACL, 1074 .domainname = tomoyo_get_domainname(param), 1075 }; 1076 1077 if (e.domainname) 1078 error = tomoyo_update_domain(&e.head, sizeof(e), param, 1079 tomoyo_same_task_acl, 1080 NULL); 1081 tomoyo_put_name(e.domainname); 1082 } 1083 return error; 1084 } 1085 1086 /** 1087 * tomoyo_delete_domain - Delete a domain. 1088 * 1089 * @domainname: The name of domain. 1090 * 1091 * Returns 0 on success, negative value otherwise. 1092 * 1093 * Caller holds tomoyo_read_lock(). 1094 */ 1095 static int tomoyo_delete_domain(char *domainname) 1096 __must_hold_shared(&tomoyo_ss) 1097 { 1098 struct tomoyo_domain_info *domain; 1099 struct tomoyo_path_info name; 1100 1101 name.name = domainname; 1102 tomoyo_fill_path_info(&name); 1103 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 1104 return -EINTR; 1105 /* Is there an active domain? */ 1106 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list, 1107 srcu_read_lock_held(&tomoyo_ss)) { 1108 /* Never delete tomoyo_kernel_domain */ 1109 if (domain == &tomoyo_kernel_domain) 1110 continue; 1111 if (domain->is_deleted || 1112 tomoyo_pathcmp(domain->domainname, &name)) 1113 continue; 1114 domain->is_deleted = true; 1115 break; 1116 } 1117 mutex_unlock(&tomoyo_policy_lock); 1118 return 0; 1119 } 1120 1121 /** 1122 * tomoyo_write_domain2 - Write domain policy. 1123 * 1124 * @ns: Pointer to "struct tomoyo_policy_namespace". 1125 * @list: Pointer to "struct list_head". 1126 * @data: Policy to be interpreted. 1127 * @is_delete: True if it is a delete request. 1128 * 1129 * Returns 0 on success, negative value otherwise. 1130 * 1131 * Caller holds tomoyo_read_lock(). 1132 */ 1133 static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns, 1134 struct list_head *list, char *data, 1135 const bool is_delete) 1136 __must_hold_shared(&tomoyo_ss) 1137 { 1138 struct tomoyo_acl_param param = { 1139 .ns = ns, 1140 .list = list, 1141 .data = data, 1142 .is_delete = is_delete, 1143 }; 1144 static const struct { 1145 const char *keyword; 1146 int (*write)(struct tomoyo_acl_param *param); 1147 } tomoyo_callback[5] = { 1148 { "file ", tomoyo_write_file }, 1149 { "network inet ", tomoyo_write_inet_network }, 1150 { "network unix ", tomoyo_write_unix_network }, 1151 { "misc ", tomoyo_write_misc }, 1152 { "task ", tomoyo_write_task }, 1153 }; 1154 u8 i; 1155 1156 for (i = 0; i < ARRAY_SIZE(tomoyo_callback); i++) { 1157 if (!tomoyo_str_starts(¶m.data, 1158 tomoyo_callback[i].keyword)) 1159 continue; 1160 return tomoyo_callback[i].write(¶m); 1161 } 1162 return -EINVAL; 1163 } 1164 1165 /* String table for domain flags. */ 1166 const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS] = { 1167 [TOMOYO_DIF_QUOTA_WARNED] = "quota_exceeded\n", 1168 [TOMOYO_DIF_TRANSITION_FAILED] = "transition_failed\n", 1169 }; 1170 1171 /** 1172 * tomoyo_write_domain - Write domain policy. 1173 * 1174 * @head: Pointer to "struct tomoyo_io_buffer". 1175 * 1176 * Returns 0 on success, negative value otherwise. 1177 * 1178 * Caller holds tomoyo_read_lock(). 1179 */ 1180 static int tomoyo_write_domain(struct tomoyo_io_buffer *head) 1181 __must_hold_shared(&tomoyo_ss) 1182 __must_hold(&head->io_sem) 1183 { 1184 char *data = head->write_buf; 1185 struct tomoyo_policy_namespace *ns; 1186 struct tomoyo_domain_info *domain = head->w.domain; 1187 const bool is_delete = head->w.is_delete; 1188 bool is_select = !is_delete && tomoyo_str_starts(&data, "select "); 1189 unsigned int idx; 1190 1191 if (*data == '<') { 1192 int ret = 0; 1193 1194 domain = NULL; 1195 if (is_delete) 1196 ret = tomoyo_delete_domain(data); 1197 else if (is_select) 1198 domain = tomoyo_find_domain(data); 1199 else 1200 domain = tomoyo_assign_domain(data, false); 1201 head->w.domain = domain; 1202 return ret; 1203 } 1204 if (!domain) 1205 return -EINVAL; 1206 ns = domain->ns; 1207 if (sscanf(data, "use_profile %u", &idx) == 1 1208 && idx < TOMOYO_MAX_PROFILES) { 1209 if (!tomoyo_policy_loaded || ns->profile_ptr[idx]) 1210 if (!is_delete) 1211 domain->profile = (u8) idx; 1212 return 0; 1213 } 1214 if (sscanf(data, "use_group %u\n", &idx) == 1 1215 && idx < TOMOYO_MAX_ACL_GROUPS) { 1216 if (!is_delete) 1217 set_bit(idx, domain->group); 1218 else 1219 clear_bit(idx, domain->group); 1220 return 0; 1221 } 1222 for (idx = 0; idx < TOMOYO_MAX_DOMAIN_INFO_FLAGS; idx++) { 1223 const char *cp = tomoyo_dif[idx]; 1224 1225 if (strncmp(data, cp, strlen(cp) - 1)) 1226 continue; 1227 domain->flags[idx] = !is_delete; 1228 return 0; 1229 } 1230 return tomoyo_write_domain2(ns, &domain->acl_info_list, data, 1231 is_delete); 1232 } 1233 1234 /** 1235 * tomoyo_print_condition - Print condition part. 1236 * 1237 * @head: Pointer to "struct tomoyo_io_buffer". 1238 * @cond: Pointer to "struct tomoyo_condition". 1239 * 1240 * Returns true on success, false otherwise. 1241 */ 1242 static bool tomoyo_print_condition(struct tomoyo_io_buffer *head, 1243 const struct tomoyo_condition *cond) 1244 __must_hold(&head->io_sem) 1245 { 1246 switch (head->r.cond_step) { 1247 case 0: 1248 head->r.cond_index = 0; 1249 head->r.cond_step++; 1250 if (cond->transit) { 1251 tomoyo_set_space(head); 1252 tomoyo_set_string(head, cond->transit->name); 1253 } 1254 fallthrough; 1255 case 1: 1256 { 1257 const u16 condc = cond->condc; 1258 const struct tomoyo_condition_element *condp = 1259 (typeof(condp)) (cond + 1); 1260 const struct tomoyo_number_union *numbers_p = 1261 (typeof(numbers_p)) (condp + condc); 1262 const struct tomoyo_name_union *names_p = 1263 (typeof(names_p)) 1264 (numbers_p + cond->numbers_count); 1265 const struct tomoyo_argv *argv = 1266 (typeof(argv)) (names_p + cond->names_count); 1267 const struct tomoyo_envp *envp = 1268 (typeof(envp)) (argv + cond->argc); 1269 u16 skip; 1270 1271 for (skip = 0; skip < head->r.cond_index; skip++) { 1272 const u8 left = condp->left; 1273 const u8 right = condp->right; 1274 1275 condp++; 1276 switch (left) { 1277 case TOMOYO_ARGV_ENTRY: 1278 argv++; 1279 continue; 1280 case TOMOYO_ENVP_ENTRY: 1281 envp++; 1282 continue; 1283 case TOMOYO_NUMBER_UNION: 1284 numbers_p++; 1285 break; 1286 } 1287 switch (right) { 1288 case TOMOYO_NAME_UNION: 1289 names_p++; 1290 break; 1291 case TOMOYO_NUMBER_UNION: 1292 numbers_p++; 1293 break; 1294 } 1295 } 1296 while (head->r.cond_index < condc) { 1297 const u8 match = condp->equals; 1298 const u8 left = condp->left; 1299 const u8 right = condp->right; 1300 1301 if (!tomoyo_flush(head)) 1302 return false; 1303 condp++; 1304 head->r.cond_index++; 1305 tomoyo_set_space(head); 1306 switch (left) { 1307 case TOMOYO_ARGV_ENTRY: 1308 tomoyo_io_printf(head, 1309 "exec.argv[%lu]%s=\"", 1310 argv->index, argv->is_not ? "!" : ""); 1311 tomoyo_set_string(head, 1312 argv->value->name); 1313 tomoyo_set_string(head, "\""); 1314 argv++; 1315 continue; 1316 case TOMOYO_ENVP_ENTRY: 1317 tomoyo_set_string(head, 1318 "exec.envp[\""); 1319 tomoyo_set_string(head, 1320 envp->name->name); 1321 tomoyo_io_printf(head, "\"]%s=", envp->is_not ? "!" : ""); 1322 if (envp->value) { 1323 tomoyo_set_string(head, "\""); 1324 tomoyo_set_string(head, envp->value->name); 1325 tomoyo_set_string(head, "\""); 1326 } else { 1327 tomoyo_set_string(head, 1328 "NULL"); 1329 } 1330 envp++; 1331 continue; 1332 case TOMOYO_NUMBER_UNION: 1333 tomoyo_print_number_union_nospace 1334 (head, numbers_p++); 1335 break; 1336 default: 1337 tomoyo_set_string(head, 1338 tomoyo_condition_keyword[left]); 1339 break; 1340 } 1341 tomoyo_set_string(head, match ? "=" : "!="); 1342 switch (right) { 1343 case TOMOYO_NAME_UNION: 1344 tomoyo_print_name_union_quoted 1345 (head, names_p++); 1346 break; 1347 case TOMOYO_NUMBER_UNION: 1348 tomoyo_print_number_union_nospace 1349 (head, numbers_p++); 1350 break; 1351 default: 1352 tomoyo_set_string(head, 1353 tomoyo_condition_keyword[right]); 1354 break; 1355 } 1356 } 1357 } 1358 head->r.cond_step++; 1359 fallthrough; 1360 case 2: 1361 if (!tomoyo_flush(head)) 1362 break; 1363 head->r.cond_step++; 1364 fallthrough; 1365 case 3: 1366 if (cond->grant_log != TOMOYO_GRANTLOG_AUTO) 1367 tomoyo_io_printf(head, " grant_log=%s", 1368 str_yes_no(cond->grant_log == 1369 TOMOYO_GRANTLOG_YES)); 1370 tomoyo_set_lf(head); 1371 return true; 1372 } 1373 return false; 1374 } 1375 1376 /** 1377 * tomoyo_set_group - Print "acl_group " header keyword and category name. 1378 * 1379 * @head: Pointer to "struct tomoyo_io_buffer". 1380 * @category: Category name. 1381 * 1382 * Returns nothing. 1383 */ 1384 static void tomoyo_set_group(struct tomoyo_io_buffer *head, 1385 const char *category) 1386 __must_hold(&head->io_sem) 1387 { 1388 if (head->type == TOMOYO_EXCEPTIONPOLICY) { 1389 tomoyo_print_namespace(head); 1390 tomoyo_io_printf(head, "acl_group %u ", 1391 head->r.acl_group_index); 1392 } 1393 tomoyo_set_string(head, category); 1394 } 1395 1396 /** 1397 * tomoyo_print_entry - Print an ACL entry. 1398 * 1399 * @head: Pointer to "struct tomoyo_io_buffer". 1400 * @acl: Pointer to an ACL entry. 1401 * 1402 * Returns true on success, false otherwise. 1403 */ 1404 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 1405 struct tomoyo_acl_info *acl) 1406 __must_hold(&head->io_sem) 1407 { 1408 const u8 acl_type = acl->type; 1409 bool first = true; 1410 u8 bit; 1411 1412 if (head->r.print_cond_part) 1413 goto print_cond_part; 1414 if (acl->is_deleted) 1415 return true; 1416 if (!tomoyo_flush(head)) 1417 return false; 1418 else if (acl_type == TOMOYO_TYPE_PATH_ACL) { 1419 struct tomoyo_path_acl *ptr = 1420 container_of(acl, typeof(*ptr), head); 1421 const u16 perm = ptr->perm; 1422 1423 for (bit = 0; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 1424 if (!(perm & (1 << bit))) 1425 continue; 1426 if (head->r.print_transition_related_only && 1427 bit != TOMOYO_TYPE_EXECUTE) 1428 continue; 1429 if (first) { 1430 tomoyo_set_group(head, "file "); 1431 first = false; 1432 } else { 1433 tomoyo_set_slash(head); 1434 } 1435 tomoyo_set_string(head, tomoyo_path_keyword[bit]); 1436 } 1437 if (first) 1438 return true; 1439 tomoyo_print_name_union(head, &ptr->name); 1440 } else if (acl_type == TOMOYO_TYPE_MANUAL_TASK_ACL) { 1441 struct tomoyo_task_acl *ptr = 1442 container_of(acl, typeof(*ptr), head); 1443 1444 tomoyo_set_group(head, "task "); 1445 tomoyo_set_string(head, "manual_domain_transition "); 1446 tomoyo_set_string(head, ptr->domainname->name); 1447 } else if (head->r.print_transition_related_only) { 1448 return true; 1449 } else if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 1450 struct tomoyo_path2_acl *ptr = 1451 container_of(acl, typeof(*ptr), head); 1452 const u8 perm = ptr->perm; 1453 1454 for (bit = 0; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { 1455 if (!(perm & (1 << bit))) 1456 continue; 1457 if (first) { 1458 tomoyo_set_group(head, "file "); 1459 first = false; 1460 } else { 1461 tomoyo_set_slash(head); 1462 } 1463 tomoyo_set_string(head, tomoyo_mac_keywords 1464 [tomoyo_pp2mac[bit]]); 1465 } 1466 if (first) 1467 return true; 1468 tomoyo_print_name_union(head, &ptr->name1); 1469 tomoyo_print_name_union(head, &ptr->name2); 1470 } else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { 1471 struct tomoyo_path_number_acl *ptr = 1472 container_of(acl, typeof(*ptr), head); 1473 const u8 perm = ptr->perm; 1474 1475 for (bit = 0; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; bit++) { 1476 if (!(perm & (1 << bit))) 1477 continue; 1478 if (first) { 1479 tomoyo_set_group(head, "file "); 1480 first = false; 1481 } else { 1482 tomoyo_set_slash(head); 1483 } 1484 tomoyo_set_string(head, tomoyo_mac_keywords 1485 [tomoyo_pn2mac[bit]]); 1486 } 1487 if (first) 1488 return true; 1489 tomoyo_print_name_union(head, &ptr->name); 1490 tomoyo_print_number_union(head, &ptr->number); 1491 } else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) { 1492 struct tomoyo_mkdev_acl *ptr = 1493 container_of(acl, typeof(*ptr), head); 1494 const u8 perm = ptr->perm; 1495 1496 for (bit = 0; bit < TOMOYO_MAX_MKDEV_OPERATION; bit++) { 1497 if (!(perm & (1 << bit))) 1498 continue; 1499 if (first) { 1500 tomoyo_set_group(head, "file "); 1501 first = false; 1502 } else { 1503 tomoyo_set_slash(head); 1504 } 1505 tomoyo_set_string(head, tomoyo_mac_keywords 1506 [tomoyo_pnnn2mac[bit]]); 1507 } 1508 if (first) 1509 return true; 1510 tomoyo_print_name_union(head, &ptr->name); 1511 tomoyo_print_number_union(head, &ptr->mode); 1512 tomoyo_print_number_union(head, &ptr->major); 1513 tomoyo_print_number_union(head, &ptr->minor); 1514 } else if (acl_type == TOMOYO_TYPE_INET_ACL) { 1515 struct tomoyo_inet_acl *ptr = 1516 container_of(acl, typeof(*ptr), head); 1517 const u8 perm = ptr->perm; 1518 1519 for (bit = 0; bit < TOMOYO_MAX_NETWORK_OPERATION; bit++) { 1520 if (!(perm & (1 << bit))) 1521 continue; 1522 if (first) { 1523 tomoyo_set_group(head, "network inet "); 1524 tomoyo_set_string(head, tomoyo_proto_keyword 1525 [ptr->protocol]); 1526 tomoyo_set_space(head); 1527 first = false; 1528 } else { 1529 tomoyo_set_slash(head); 1530 } 1531 tomoyo_set_string(head, tomoyo_socket_keyword[bit]); 1532 } 1533 if (first) 1534 return true; 1535 tomoyo_set_space(head); 1536 if (ptr->address.group) { 1537 tomoyo_set_string(head, "@"); 1538 tomoyo_set_string(head, ptr->address.group->group_name 1539 ->name); 1540 } else { 1541 char buf[128]; 1542 1543 tomoyo_print_ip(buf, sizeof(buf), &ptr->address); 1544 tomoyo_io_printf(head, "%s", buf); 1545 } 1546 tomoyo_print_number_union(head, &ptr->port); 1547 } else if (acl_type == TOMOYO_TYPE_UNIX_ACL) { 1548 struct tomoyo_unix_acl *ptr = 1549 container_of(acl, typeof(*ptr), head); 1550 const u8 perm = ptr->perm; 1551 1552 for (bit = 0; bit < TOMOYO_MAX_NETWORK_OPERATION; bit++) { 1553 if (!(perm & (1 << bit))) 1554 continue; 1555 if (first) { 1556 tomoyo_set_group(head, "network unix "); 1557 tomoyo_set_string(head, tomoyo_proto_keyword 1558 [ptr->protocol]); 1559 tomoyo_set_space(head); 1560 first = false; 1561 } else { 1562 tomoyo_set_slash(head); 1563 } 1564 tomoyo_set_string(head, tomoyo_socket_keyword[bit]); 1565 } 1566 if (first) 1567 return true; 1568 tomoyo_print_name_union(head, &ptr->name); 1569 } else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { 1570 struct tomoyo_mount_acl *ptr = 1571 container_of(acl, typeof(*ptr), head); 1572 1573 tomoyo_set_group(head, "file mount"); 1574 tomoyo_print_name_union(head, &ptr->dev_name); 1575 tomoyo_print_name_union(head, &ptr->dir_name); 1576 tomoyo_print_name_union(head, &ptr->fs_type); 1577 tomoyo_print_number_union(head, &ptr->flags); 1578 } else if (acl_type == TOMOYO_TYPE_ENV_ACL) { 1579 struct tomoyo_env_acl *ptr = 1580 container_of(acl, typeof(*ptr), head); 1581 1582 tomoyo_set_group(head, "misc env "); 1583 tomoyo_set_string(head, ptr->env->name); 1584 } 1585 if (acl->cond) { 1586 head->r.print_cond_part = true; 1587 head->r.cond_step = 0; 1588 if (!tomoyo_flush(head)) 1589 return false; 1590 print_cond_part: 1591 if (!tomoyo_print_condition(head, acl->cond)) 1592 return false; 1593 head->r.print_cond_part = false; 1594 } else { 1595 tomoyo_set_lf(head); 1596 } 1597 return true; 1598 } 1599 1600 /** 1601 * tomoyo_read_domain2 - Read domain policy. 1602 * 1603 * @head: Pointer to "struct tomoyo_io_buffer". 1604 * @list: Pointer to "struct list_head". 1605 * 1606 * Caller holds tomoyo_read_lock(). 1607 * 1608 * Returns true on success, false otherwise. 1609 */ 1610 static bool tomoyo_read_domain2(struct tomoyo_io_buffer *head, 1611 struct list_head *list) 1612 __must_hold_shared(&tomoyo_ss) 1613 __must_hold(&head->io_sem) 1614 { 1615 list_for_each_cookie(head->r.acl, list) { 1616 struct tomoyo_acl_info *ptr = 1617 list_entry(head->r.acl, typeof(*ptr), list); 1618 1619 if (!tomoyo_print_entry(head, ptr)) 1620 return false; 1621 } 1622 head->r.acl = NULL; 1623 return true; 1624 } 1625 1626 /** 1627 * tomoyo_read_domain - Read domain policy. 1628 * 1629 * @head: Pointer to "struct tomoyo_io_buffer". 1630 * 1631 * Caller holds tomoyo_read_lock(). 1632 */ 1633 static void tomoyo_read_domain(struct tomoyo_io_buffer *head) 1634 __must_hold_shared(&tomoyo_ss) 1635 __must_hold(&head->io_sem) 1636 { 1637 if (head->r.eof) 1638 return; 1639 list_for_each_cookie(head->r.domain, &tomoyo_domain_list) { 1640 struct tomoyo_domain_info *domain = 1641 list_entry(head->r.domain, typeof(*domain), list); 1642 u8 i; 1643 1644 switch (head->r.step) { 1645 case 0: 1646 if (domain->is_deleted && 1647 !head->r.print_this_domain_only) 1648 continue; 1649 /* Print domainname and flags. */ 1650 tomoyo_set_string(head, domain->domainname->name); 1651 tomoyo_set_lf(head); 1652 tomoyo_io_printf(head, "use_profile %u\n", 1653 domain->profile); 1654 for (i = 0; i < TOMOYO_MAX_DOMAIN_INFO_FLAGS; i++) 1655 if (domain->flags[i]) 1656 tomoyo_set_string(head, tomoyo_dif[i]); 1657 head->r.index = 0; 1658 head->r.step++; 1659 fallthrough; 1660 case 1: 1661 while (head->r.index < TOMOYO_MAX_ACL_GROUPS) { 1662 i = head->r.index++; 1663 if (!test_bit(i, domain->group)) 1664 continue; 1665 tomoyo_io_printf(head, "use_group %u\n", i); 1666 if (!tomoyo_flush(head)) 1667 return; 1668 } 1669 head->r.index = 0; 1670 head->r.step++; 1671 tomoyo_set_lf(head); 1672 fallthrough; 1673 case 2: 1674 if (!tomoyo_read_domain2(head, &domain->acl_info_list)) 1675 return; 1676 head->r.step++; 1677 if (!tomoyo_set_lf(head)) 1678 return; 1679 fallthrough; 1680 case 3: 1681 head->r.step = 0; 1682 if (head->r.print_this_domain_only) 1683 goto done; 1684 } 1685 } 1686 done: 1687 head->r.eof = true; 1688 } 1689 1690 /** 1691 * tomoyo_write_pid: Specify PID to obtain domainname. 1692 * 1693 * @head: Pointer to "struct tomoyo_io_buffer". 1694 * 1695 * Returns 0. 1696 */ 1697 static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1698 { 1699 head->r.eof = false; 1700 return 0; 1701 } 1702 1703 /** 1704 * tomoyo_read_pid - Get domainname of the specified PID. 1705 * 1706 * @head: Pointer to "struct tomoyo_io_buffer". 1707 * 1708 * Returns the domainname which the specified PID is in on success, 1709 * empty string otherwise. 1710 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1711 * using read()/write() interface rather than sysctl() interface. 1712 */ 1713 static void tomoyo_read_pid(struct tomoyo_io_buffer *head) 1714 __must_hold(&head->io_sem) 1715 { 1716 char *buf = head->write_buf; 1717 bool global_pid = false; 1718 unsigned int pid; 1719 struct task_struct *p; 1720 struct tomoyo_domain_info *domain = NULL; 1721 1722 /* Accessing write_buf is safe because head->io_sem is held. */ 1723 if (!buf) { 1724 head->r.eof = true; 1725 return; /* Do nothing if open(O_RDONLY). */ 1726 } 1727 if (head->r.w_pos || head->r.eof) 1728 return; 1729 head->r.eof = true; 1730 if (tomoyo_str_starts(&buf, "global-pid ")) 1731 global_pid = true; 1732 if (kstrtouint(buf, 10, &pid)) 1733 return; 1734 rcu_read_lock(); 1735 if (global_pid) 1736 p = find_task_by_pid_ns(pid, &init_pid_ns); 1737 else 1738 p = find_task_by_vpid(pid); 1739 if (p) 1740 domain = tomoyo_task(p)->domain_info; 1741 rcu_read_unlock(); 1742 if (!domain) 1743 return; 1744 tomoyo_io_printf(head, "%u %u ", pid, domain->profile); 1745 tomoyo_set_string(head, domain->domainname->name); 1746 } 1747 1748 /* String table for domain transition control keywords. */ 1749 static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = { 1750 [TOMOYO_TRANSITION_CONTROL_NO_RESET] = "no_reset_domain ", 1751 [TOMOYO_TRANSITION_CONTROL_RESET] = "reset_domain ", 1752 [TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ", 1753 [TOMOYO_TRANSITION_CONTROL_INITIALIZE] = "initialize_domain ", 1754 [TOMOYO_TRANSITION_CONTROL_NO_KEEP] = "no_keep_domain ", 1755 [TOMOYO_TRANSITION_CONTROL_KEEP] = "keep_domain ", 1756 }; 1757 1758 /* String table for grouping keywords. */ 1759 static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = { 1760 [TOMOYO_PATH_GROUP] = "path_group ", 1761 [TOMOYO_NUMBER_GROUP] = "number_group ", 1762 [TOMOYO_ADDRESS_GROUP] = "address_group ", 1763 }; 1764 1765 /** 1766 * tomoyo_write_exception - Write exception policy. 1767 * 1768 * @head: Pointer to "struct tomoyo_io_buffer". 1769 * 1770 * Returns 0 on success, negative value otherwise. 1771 * 1772 * Caller holds tomoyo_read_lock(). 1773 */ 1774 static int tomoyo_write_exception(struct tomoyo_io_buffer *head) 1775 __must_hold_shared(&tomoyo_ss) 1776 __must_hold(&head->io_sem) 1777 { 1778 const bool is_delete = head->w.is_delete; 1779 struct tomoyo_acl_param param = { 1780 .ns = head->w.ns, 1781 .is_delete = is_delete, 1782 .data = head->write_buf, 1783 }; 1784 u8 i; 1785 1786 if (tomoyo_str_starts(¶m.data, "aggregator ")) 1787 return tomoyo_write_aggregator(¶m); 1788 for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++) 1789 if (tomoyo_str_starts(¶m.data, tomoyo_transition_type[i])) 1790 return tomoyo_write_transition_control(¶m, i); 1791 for (i = 0; i < TOMOYO_MAX_GROUP; i++) 1792 if (tomoyo_str_starts(¶m.data, tomoyo_group_name[i])) 1793 return tomoyo_write_group(¶m, i); 1794 if (tomoyo_str_starts(¶m.data, "acl_group ")) { 1795 unsigned int group; 1796 char *data; 1797 1798 group = simple_strtoul(param.data, &data, 10); 1799 if (group < TOMOYO_MAX_ACL_GROUPS && *data++ == ' ') 1800 return tomoyo_write_domain2 1801 (head->w.ns, &head->w.ns->acl_group[group], 1802 data, is_delete); 1803 } 1804 return -EINVAL; 1805 } 1806 1807 /** 1808 * tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group"/"struct tomoyo_address_group" list. 1809 * 1810 * @head: Pointer to "struct tomoyo_io_buffer". 1811 * @idx: Index number. 1812 * 1813 * Returns true on success, false otherwise. 1814 * 1815 * Caller holds tomoyo_read_lock(). 1816 */ 1817 static bool tomoyo_read_group(struct tomoyo_io_buffer *head, const int idx) 1818 __must_hold_shared(&tomoyo_ss) 1819 __must_hold(&head->io_sem) 1820 { 1821 struct tomoyo_policy_namespace *ns = 1822 container_of(head->r.ns, typeof(*ns), namespace_list); 1823 struct list_head *list = &ns->group_list[idx]; 1824 1825 list_for_each_cookie(head->r.group, list) { 1826 struct tomoyo_group *group = 1827 list_entry(head->r.group, typeof(*group), head.list); 1828 1829 list_for_each_cookie(head->r.acl, &group->member_list) { 1830 struct tomoyo_acl_head *ptr = 1831 list_entry(head->r.acl, typeof(*ptr), list); 1832 1833 if (ptr->is_deleted) 1834 continue; 1835 if (!tomoyo_flush(head)) 1836 return false; 1837 tomoyo_print_namespace(head); 1838 tomoyo_set_string(head, tomoyo_group_name[idx]); 1839 tomoyo_set_string(head, group->group_name->name); 1840 if (idx == TOMOYO_PATH_GROUP) { 1841 tomoyo_set_space(head); 1842 tomoyo_set_string(head, container_of 1843 (ptr, struct tomoyo_path_group, 1844 head)->member_name->name); 1845 } else if (idx == TOMOYO_NUMBER_GROUP) { 1846 tomoyo_print_number_union(head, &container_of 1847 (ptr, 1848 struct tomoyo_number_group, 1849 head)->number); 1850 } else if (idx == TOMOYO_ADDRESS_GROUP) { 1851 char buffer[128]; 1852 struct tomoyo_address_group *member = 1853 container_of(ptr, typeof(*member), 1854 head); 1855 1856 tomoyo_print_ip(buffer, sizeof(buffer), 1857 &member->address); 1858 tomoyo_io_printf(head, " %s", buffer); 1859 } 1860 tomoyo_set_lf(head); 1861 } 1862 head->r.acl = NULL; 1863 } 1864 head->r.group = NULL; 1865 return true; 1866 } 1867 1868 /** 1869 * tomoyo_read_policy - Read "struct tomoyo_..._entry" list. 1870 * 1871 * @head: Pointer to "struct tomoyo_io_buffer". 1872 * @idx: Index number. 1873 * 1874 * Returns true on success, false otherwise. 1875 * 1876 * Caller holds tomoyo_read_lock(). 1877 */ 1878 static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) 1879 __must_hold_shared(&tomoyo_ss) 1880 { 1881 struct tomoyo_policy_namespace *ns = 1882 container_of(head->r.ns, typeof(*ns), namespace_list); 1883 struct list_head *list = &ns->policy_list[idx]; 1884 1885 list_for_each_cookie(head->r.acl, list) { 1886 struct tomoyo_acl_head *acl = 1887 container_of(head->r.acl, typeof(*acl), list); 1888 if (acl->is_deleted) 1889 continue; 1890 if (!tomoyo_flush(head)) 1891 return false; 1892 switch (idx) { 1893 case TOMOYO_ID_TRANSITION_CONTROL: 1894 { 1895 struct tomoyo_transition_control *ptr = 1896 container_of(acl, typeof(*ptr), head); 1897 1898 tomoyo_print_namespace(head); 1899 tomoyo_set_string(head, tomoyo_transition_type 1900 [ptr->type]); 1901 tomoyo_set_string(head, ptr->program ? 1902 ptr->program->name : "any"); 1903 tomoyo_set_string(head, " from "); 1904 tomoyo_set_string(head, ptr->domainname ? 1905 ptr->domainname->name : 1906 "any"); 1907 } 1908 break; 1909 case TOMOYO_ID_AGGREGATOR: 1910 { 1911 struct tomoyo_aggregator *ptr = 1912 container_of(acl, typeof(*ptr), head); 1913 1914 tomoyo_print_namespace(head); 1915 tomoyo_set_string(head, "aggregator "); 1916 tomoyo_set_string(head, 1917 ptr->original_name->name); 1918 tomoyo_set_space(head); 1919 tomoyo_set_string(head, 1920 ptr->aggregated_name->name); 1921 } 1922 break; 1923 default: 1924 continue; 1925 } 1926 tomoyo_set_lf(head); 1927 } 1928 head->r.acl = NULL; 1929 return true; 1930 } 1931 1932 /** 1933 * tomoyo_read_exception - Read exception policy. 1934 * 1935 * @head: Pointer to "struct tomoyo_io_buffer". 1936 * 1937 * Caller holds tomoyo_read_lock(). 1938 */ 1939 static void tomoyo_read_exception(struct tomoyo_io_buffer *head) 1940 __must_hold_shared(&tomoyo_ss) 1941 __must_hold(&head->io_sem) 1942 { 1943 struct tomoyo_policy_namespace *ns = 1944 container_of(head->r.ns, typeof(*ns), namespace_list); 1945 1946 if (head->r.eof) 1947 return; 1948 while (head->r.step < TOMOYO_MAX_POLICY && 1949 tomoyo_read_policy(head, head->r.step)) 1950 head->r.step++; 1951 if (head->r.step < TOMOYO_MAX_POLICY) 1952 return; 1953 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP && 1954 tomoyo_read_group(head, head->r.step - TOMOYO_MAX_POLICY)) 1955 head->r.step++; 1956 if (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP) 1957 return; 1958 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP 1959 + TOMOYO_MAX_ACL_GROUPS) { 1960 head->r.acl_group_index = head->r.step - TOMOYO_MAX_POLICY 1961 - TOMOYO_MAX_GROUP; 1962 if (!tomoyo_read_domain2(head, &ns->acl_group 1963 [head->r.acl_group_index])) 1964 return; 1965 head->r.step++; 1966 } 1967 head->r.eof = true; 1968 } 1969 1970 /* Wait queue for kernel -> userspace notification. */ 1971 static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait); 1972 /* Wait queue for userspace -> kernel notification. */ 1973 static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait); 1974 1975 /* Structure for query. */ 1976 struct tomoyo_query { 1977 struct list_head list; 1978 struct tomoyo_domain_info *domain; 1979 char *query; 1980 size_t query_len; 1981 unsigned int serial; 1982 u8 timer; 1983 u8 answer; 1984 u8 retry; 1985 }; 1986 1987 /* The list for "struct tomoyo_query". */ 1988 static LIST_HEAD(tomoyo_query_list); 1989 1990 /* Lock for manipulating tomoyo_query_list. */ 1991 static DEFINE_SPINLOCK(tomoyo_query_list_lock); 1992 1993 /* 1994 * Number of "struct file" referring /sys/kernel/security/tomoyo/query 1995 * interface. 1996 */ 1997 static atomic_t tomoyo_query_observers = ATOMIC_INIT(0); 1998 1999 /** 2000 * tomoyo_truncate - Truncate a line. 2001 * 2002 * @str: String to truncate. 2003 * 2004 * Returns length of truncated @str. 2005 */ 2006 static int tomoyo_truncate(char *str) 2007 { 2008 char *start = str; 2009 2010 while (*(unsigned char *) str > (unsigned char) ' ') 2011 str++; 2012 *str = '\0'; 2013 return strlen(start) + 1; 2014 } 2015 2016 /** 2017 * tomoyo_numscan - sscanf() which stores the length of a decimal integer value. 2018 * 2019 * @str: String to scan. 2020 * @head: Leading string that must start with. 2021 * @width: Pointer to "int" for storing length of a decimal integer value after @head. 2022 * @tail: Optional character that must match after a decimal integer value. 2023 * 2024 * Returns whether @str starts with @head and a decimal value follows @head. 2025 */ 2026 static bool tomoyo_numscan(const char *str, const char *head, int *width, const char tail) 2027 { 2028 const char *cp; 2029 const int n = strlen(head); 2030 2031 if (!strncmp(str, head, n)) { 2032 cp = str + n; 2033 while (*cp && *cp >= '0' && *cp <= '9') 2034 cp++; 2035 if (*cp == tail || !tail) { 2036 *width = cp - (str + n); 2037 return *width != 0; 2038 } 2039 } 2040 *width = 0; 2041 return 0; 2042 } 2043 2044 /** 2045 * tomoyo_patternize_path - Make patterns for file path. Used by learning mode. 2046 * 2047 * @buffer: Destination buffer. 2048 * @len: Size of @buffer. 2049 * @entry: Original line. 2050 * 2051 * Returns nothing. 2052 */ 2053 static void tomoyo_patternize_path(char *buffer, const int len, char *entry) 2054 { 2055 int width; 2056 char *cp = entry; 2057 2058 /* Nothing to do if this line is not for "file" related entry. */ 2059 if (strncmp(entry, "file ", 5)) 2060 goto flush; 2061 /* 2062 * Nothing to do if there is no colon in this line, for this rewriting 2063 * applies to only filesystems where numeric values in the path are volatile. 2064 */ 2065 cp = strchr(entry + 5, ':'); 2066 if (!cp) { 2067 cp = entry; 2068 goto flush; 2069 } 2070 /* Flush e.g. "file ioctl" part. */ 2071 while (*cp != ' ') 2072 cp--; 2073 *cp++ = '\0'; 2074 tomoyo_addprintf(buffer, len, "%s ", entry); 2075 /* e.g. file ioctl pipe:[$INO] $CMD */ 2076 if (tomoyo_numscan(cp, "pipe:[", &width, ']')) { 2077 cp += width + 7; 2078 tomoyo_addprintf(buffer, len, "pipe:[\\$]"); 2079 goto flush; 2080 } 2081 /* e.g. file ioctl socket:[$INO] $CMD */ 2082 if (tomoyo_numscan(cp, "socket:[", &width, ']')) { 2083 cp += width + 9; 2084 tomoyo_addprintf(buffer, len, "socket:[\\$]"); 2085 goto flush; 2086 } 2087 if (!strncmp(cp, "proc:/self", 10)) { 2088 /* e.g. file read proc:/self/task/$TID/fdinfo/$FD */ 2089 cp += 10; 2090 tomoyo_addprintf(buffer, len, "proc:/self"); 2091 } else if (tomoyo_numscan(cp, "proc:/", &width, 0)) { 2092 /* e.g. file read proc:/$PID/task/$TID/fdinfo/$FD */ 2093 /* 2094 * Don't patternize $PID part if $PID == 1, for several 2095 * programs access only files in /proc/1/ directory. 2096 */ 2097 cp += width + 6; 2098 if (width == 1 && *(cp - 1) == '1') 2099 tomoyo_addprintf(buffer, len, "proc:/1"); 2100 else 2101 tomoyo_addprintf(buffer, len, "proc:/\\$"); 2102 } else { 2103 goto flush; 2104 } 2105 /* Patternize $TID part if "/task/" follows. */ 2106 if (tomoyo_numscan(cp, "/task/", &width, 0)) { 2107 cp += width + 6; 2108 tomoyo_addprintf(buffer, len, "/task/\\$"); 2109 } 2110 /* Patternize $FD part if "/fd/" or "/fdinfo/" follows. */ 2111 if (tomoyo_numscan(cp, "/fd/", &width, 0)) { 2112 cp += width + 4; 2113 tomoyo_addprintf(buffer, len, "/fd/\\$"); 2114 } else if (tomoyo_numscan(cp, "/fdinfo/", &width, 0)) { 2115 cp += width + 8; 2116 tomoyo_addprintf(buffer, len, "/fdinfo/\\$"); 2117 } 2118 flush: 2119 /* Flush remaining part if any. */ 2120 if (*cp) 2121 tomoyo_addprintf(buffer, len, "%s", cp); 2122 } 2123 2124 /** 2125 * tomoyo_add_entry - Add an ACL to current thread's domain. Used by learning mode. 2126 * 2127 * @domain: Pointer to "struct tomoyo_domain_info". 2128 * @header: Lines containing ACL. 2129 * 2130 * Returns nothing. 2131 */ 2132 static void tomoyo_add_entry(struct tomoyo_domain_info *domain, char *header) 2133 __must_hold_shared(&tomoyo_ss) 2134 { 2135 char *buffer; 2136 char *realpath = NULL; 2137 char *argv0 = NULL; 2138 char *symlink = NULL; 2139 char *cp = strchr(header, '\n'); 2140 int len; 2141 2142 if (!cp) 2143 return; 2144 cp = strchr(cp + 1, '\n'); 2145 if (!cp) 2146 return; 2147 *cp++ = '\0'; 2148 /* Reserve some space for potentially using patterns. */ 2149 len = strlen(cp) + 16; 2150 /* strstr() will return NULL if ordering is wrong. */ 2151 if (*cp == 'f') { 2152 argv0 = strstr(header, " argv[]={ \""); 2153 if (argv0) { 2154 argv0 += 10; 2155 len += tomoyo_truncate(argv0) + 14; 2156 } 2157 realpath = strstr(header, " exec={ realpath=\""); 2158 if (realpath) { 2159 realpath += 8; 2160 len += tomoyo_truncate(realpath) + 6; 2161 } 2162 symlink = strstr(header, " symlink.target=\""); 2163 if (symlink) 2164 len += tomoyo_truncate(symlink + 1) + 1; 2165 } 2166 buffer = kmalloc(len, GFP_NOFS | __GFP_ZERO); 2167 if (!buffer) 2168 return; 2169 tomoyo_patternize_path(buffer, len, cp); 2170 if (realpath) 2171 tomoyo_addprintf(buffer, len, " exec.%s", realpath); 2172 if (argv0) 2173 tomoyo_addprintf(buffer, len, " exec.argv[0]=%s", argv0); 2174 if (symlink) 2175 tomoyo_addprintf(buffer, len, "%s", symlink); 2176 tomoyo_normalize_line(buffer); 2177 if (!tomoyo_write_domain2(domain->ns, &domain->acl_info_list, buffer, 2178 false)) 2179 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 2180 kfree(buffer); 2181 } 2182 2183 /** 2184 * tomoyo_supervisor - Ask for the supervisor's decision. 2185 * 2186 * @r: Pointer to "struct tomoyo_request_info". 2187 * @fmt: The printf()'s format string, followed by parameters. 2188 * 2189 * Returns 0 if the supervisor decided to permit the access request which 2190 * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the 2191 * supervisor decided to retry the access request which violated the policy in 2192 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise. 2193 */ 2194 int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 2195 { 2196 va_list args; 2197 int error; 2198 int len; 2199 static unsigned int tomoyo_serial; 2200 struct tomoyo_query entry = { }; 2201 bool quota_exceeded = false; 2202 2203 va_start(args, fmt); 2204 len = vsnprintf(NULL, 0, fmt, args) + 1; 2205 va_end(args); 2206 /* Write /sys/kernel/security/tomoyo/audit. */ 2207 va_start(args, fmt); 2208 tomoyo_write_log2(r, len, fmt, args); 2209 va_end(args); 2210 /* Nothing more to do if granted. */ 2211 if (r->granted) 2212 return 0; 2213 if (r->mode) 2214 tomoyo_update_stat(r->mode); 2215 switch (r->mode) { 2216 case TOMOYO_CONFIG_ENFORCING: 2217 error = -EPERM; 2218 if (atomic_read(&tomoyo_query_observers)) 2219 break; 2220 goto out; 2221 case TOMOYO_CONFIG_LEARNING: 2222 error = 0; 2223 /* Check max_learning_entry parameter. */ 2224 if (tomoyo_domain_quota_is_ok(r)) 2225 break; 2226 fallthrough; 2227 default: 2228 return 0; 2229 } 2230 /* Get message. */ 2231 va_start(args, fmt); 2232 entry.query = tomoyo_init_log(r, len, fmt, args); 2233 va_end(args); 2234 if (!entry.query) 2235 goto out; 2236 entry.query_len = strlen(entry.query) + 1; 2237 if (!error) { 2238 tomoyo_add_entry(r->domain, entry.query); 2239 goto out; 2240 } 2241 len = kmalloc_size_roundup(entry.query_len); 2242 entry.domain = r->domain; 2243 spin_lock(&tomoyo_query_list_lock); 2244 if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] && 2245 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len 2246 >= tomoyo_memory_quota[TOMOYO_MEMORY_QUERY]) { 2247 quota_exceeded = true; 2248 } else { 2249 entry.serial = tomoyo_serial++; 2250 entry.retry = r->retry; 2251 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] += len; 2252 list_add_tail(&entry.list, &tomoyo_query_list); 2253 } 2254 spin_unlock(&tomoyo_query_list_lock); 2255 if (quota_exceeded) 2256 goto out; 2257 /* Give 10 seconds for supervisor's opinion. */ 2258 while (entry.timer < 10) { 2259 wake_up_all(&tomoyo_query_wait); 2260 if (wait_event_interruptible_timeout 2261 (tomoyo_answer_wait, entry.answer || 2262 !atomic_read(&tomoyo_query_observers), HZ)) 2263 break; 2264 entry.timer++; 2265 } 2266 spin_lock(&tomoyo_query_list_lock); 2267 list_del(&entry.list); 2268 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] -= len; 2269 spin_unlock(&tomoyo_query_list_lock); 2270 switch (entry.answer) { 2271 case 3: /* Asked to retry by administrator. */ 2272 error = TOMOYO_RETRY_REQUEST; 2273 r->retry++; 2274 break; 2275 case 1: 2276 /* Granted by administrator. */ 2277 error = 0; 2278 break; 2279 default: 2280 /* Timed out or rejected by administrator. */ 2281 break; 2282 } 2283 out: 2284 kfree(entry.query); 2285 return error; 2286 } 2287 2288 /** 2289 * tomoyo_find_domain_by_qid - Get domain by query id. 2290 * 2291 * @serial: Query ID assigned by tomoyo_supervisor(). 2292 * 2293 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise. 2294 */ 2295 static struct tomoyo_domain_info *tomoyo_find_domain_by_qid 2296 (unsigned int serial) 2297 { 2298 struct tomoyo_query *ptr; 2299 struct tomoyo_domain_info *domain = NULL; 2300 2301 spin_lock(&tomoyo_query_list_lock); 2302 list_for_each_entry(ptr, &tomoyo_query_list, list) { 2303 if (ptr->serial != serial) 2304 continue; 2305 domain = ptr->domain; 2306 break; 2307 } 2308 spin_unlock(&tomoyo_query_list_lock); 2309 return domain; 2310 } 2311 2312 /** 2313 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query. 2314 * 2315 * @file: Pointer to "struct file". 2316 * @wait: Pointer to "poll_table". 2317 * 2318 * Returns EPOLLIN | EPOLLRDNORM when ready to read, 0 otherwise. 2319 * 2320 * Waits for access requests which violated policy in enforcing mode. 2321 */ 2322 static __poll_t tomoyo_poll_query(struct file *file, poll_table *wait) 2323 { 2324 if (!list_empty(&tomoyo_query_list)) 2325 return EPOLLIN | EPOLLRDNORM; 2326 poll_wait(file, &tomoyo_query_wait, wait); 2327 if (!list_empty(&tomoyo_query_list)) 2328 return EPOLLIN | EPOLLRDNORM; 2329 return 0; 2330 } 2331 2332 /** 2333 * tomoyo_read_query - Read access requests which violated policy in enforcing mode. 2334 * 2335 * @head: Pointer to "struct tomoyo_io_buffer". 2336 */ 2337 static void tomoyo_read_query(struct tomoyo_io_buffer *head) 2338 __must_hold(&head->io_sem) 2339 { 2340 struct list_head *tmp; 2341 unsigned int pos = 0; 2342 size_t len = 0; 2343 char *buf; 2344 2345 if (head->r.w_pos) 2346 return; 2347 kfree(head->read_buf); 2348 head->read_buf = NULL; 2349 spin_lock(&tomoyo_query_list_lock); 2350 list_for_each(tmp, &tomoyo_query_list) { 2351 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 2352 2353 if (pos++ != head->r.query_index) 2354 continue; 2355 len = ptr->query_len; 2356 break; 2357 } 2358 spin_unlock(&tomoyo_query_list_lock); 2359 if (!len) { 2360 head->r.query_index = 0; 2361 return; 2362 } 2363 buf = kzalloc(len + 32, GFP_NOFS); 2364 if (!buf) 2365 return; 2366 pos = 0; 2367 spin_lock(&tomoyo_query_list_lock); 2368 list_for_each(tmp, &tomoyo_query_list) { 2369 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 2370 2371 if (pos++ != head->r.query_index) 2372 continue; 2373 /* 2374 * Some query can be skipped because tomoyo_query_list 2375 * can change, but I don't care. 2376 */ 2377 if (len == ptr->query_len) 2378 snprintf(buf, len + 31, "Q%u-%hu\n%s", ptr->serial, 2379 ptr->retry, ptr->query); 2380 break; 2381 } 2382 spin_unlock(&tomoyo_query_list_lock); 2383 if (buf[0]) { 2384 head->read_buf = buf; 2385 head->r.w[head->r.w_pos++] = buf; 2386 head->r.query_index++; 2387 } else { 2388 kfree(buf); 2389 } 2390 } 2391 2392 /** 2393 * tomoyo_write_answer - Write the supervisor's decision. 2394 * 2395 * @head: Pointer to "struct tomoyo_io_buffer". 2396 * 2397 * Returns 0 on success, -EINVAL otherwise. 2398 */ 2399 static int tomoyo_write_answer(struct tomoyo_io_buffer *head) 2400 __must_hold(&head->io_sem) 2401 { 2402 char *data = head->write_buf; 2403 struct list_head *tmp; 2404 unsigned int serial; 2405 unsigned int answer; 2406 2407 spin_lock(&tomoyo_query_list_lock); 2408 list_for_each(tmp, &tomoyo_query_list) { 2409 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 2410 2411 ptr->timer = 0; 2412 } 2413 spin_unlock(&tomoyo_query_list_lock); 2414 if (sscanf(data, "A%u=%u", &serial, &answer) != 2) 2415 return -EINVAL; 2416 spin_lock(&tomoyo_query_list_lock); 2417 list_for_each(tmp, &tomoyo_query_list) { 2418 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 2419 2420 if (ptr->serial != serial) 2421 continue; 2422 ptr->answer = answer; 2423 /* Remove from tomoyo_query_list. */ 2424 if (ptr->answer) 2425 list_del_init(&ptr->list); 2426 break; 2427 } 2428 spin_unlock(&tomoyo_query_list_lock); 2429 return 0; 2430 } 2431 2432 /** 2433 * tomoyo_read_version: Get version. 2434 * 2435 * @head: Pointer to "struct tomoyo_io_buffer". 2436 * 2437 * Returns version information. 2438 */ 2439 static void tomoyo_read_version(struct tomoyo_io_buffer *head) 2440 __must_hold(&head->io_sem) 2441 { 2442 if (!head->r.eof) { 2443 tomoyo_io_printf(head, "2.6.0"); 2444 head->r.eof = true; 2445 } 2446 } 2447 2448 /* String table for /sys/kernel/security/tomoyo/stat interface. */ 2449 static const char * const tomoyo_policy_headers[TOMOYO_MAX_POLICY_STAT] = { 2450 [TOMOYO_STAT_POLICY_UPDATES] = "update:", 2451 [TOMOYO_STAT_POLICY_LEARNING] = "violation in learning mode:", 2452 [TOMOYO_STAT_POLICY_PERMISSIVE] = "violation in permissive mode:", 2453 [TOMOYO_STAT_POLICY_ENFORCING] = "violation in enforcing mode:", 2454 }; 2455 2456 /* String table for /sys/kernel/security/tomoyo/stat interface. */ 2457 static const char * const tomoyo_memory_headers[TOMOYO_MAX_MEMORY_STAT] = { 2458 [TOMOYO_MEMORY_POLICY] = "policy:", 2459 [TOMOYO_MEMORY_AUDIT] = "audit log:", 2460 [TOMOYO_MEMORY_QUERY] = "query message:", 2461 }; 2462 2463 /* Counter for number of updates. */ 2464 static atomic_t tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT]; 2465 /* Timestamp counter for last updated. */ 2466 static time64_t tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT]; 2467 2468 /** 2469 * tomoyo_update_stat - Update statistic counters. 2470 * 2471 * @index: Index for policy type. 2472 * 2473 * Returns nothing. 2474 */ 2475 void tomoyo_update_stat(const u8 index) 2476 { 2477 atomic_inc(&tomoyo_stat_updated[index]); 2478 tomoyo_stat_modified[index] = ktime_get_real_seconds(); 2479 } 2480 2481 /** 2482 * tomoyo_read_stat - Read statistic data. 2483 * 2484 * @head: Pointer to "struct tomoyo_io_buffer". 2485 * 2486 * Returns nothing. 2487 */ 2488 static void tomoyo_read_stat(struct tomoyo_io_buffer *head) 2489 __must_hold(&head->io_sem) 2490 { 2491 u8 i; 2492 unsigned int total = 0; 2493 2494 if (head->r.eof) 2495 return; 2496 for (i = 0; i < TOMOYO_MAX_POLICY_STAT; i++) { 2497 tomoyo_io_printf(head, "Policy %-30s %10u", 2498 tomoyo_policy_headers[i], 2499 atomic_read(&tomoyo_stat_updated[i])); 2500 if (tomoyo_stat_modified[i]) { 2501 struct tomoyo_time stamp; 2502 2503 tomoyo_convert_time(tomoyo_stat_modified[i], &stamp); 2504 tomoyo_io_printf(head, " (Last: %04u/%02u/%02u %02u:%02u:%02u)", 2505 stamp.year, stamp.month, stamp.day, 2506 stamp.hour, stamp.min, stamp.sec); 2507 } 2508 tomoyo_set_lf(head); 2509 } 2510 for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) { 2511 unsigned int used = tomoyo_memory_used[i]; 2512 2513 total += used; 2514 tomoyo_io_printf(head, "Memory used by %-22s %10u", 2515 tomoyo_memory_headers[i], used); 2516 used = tomoyo_memory_quota[i]; 2517 if (used) 2518 tomoyo_io_printf(head, " (Quota: %10u)", used); 2519 tomoyo_set_lf(head); 2520 } 2521 tomoyo_io_printf(head, "Total memory used: %10u\n", 2522 total); 2523 head->r.eof = true; 2524 } 2525 2526 /** 2527 * tomoyo_write_stat - Set memory quota. 2528 * 2529 * @head: Pointer to "struct tomoyo_io_buffer". 2530 * 2531 * Returns 0. 2532 */ 2533 static int tomoyo_write_stat(struct tomoyo_io_buffer *head) 2534 __must_hold(&head->io_sem) 2535 { 2536 char *data = head->write_buf; 2537 u8 i; 2538 2539 if (tomoyo_str_starts(&data, "Memory used by ")) 2540 for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) 2541 if (tomoyo_str_starts(&data, tomoyo_memory_headers[i])) 2542 sscanf(data, "%u", &tomoyo_memory_quota[i]); 2543 return 0; 2544 } 2545 2546 /** 2547 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 2548 * 2549 * @type: Type of interface. 2550 * @file: Pointer to "struct file". 2551 * 2552 * Returns 0 on success, negative value otherwise. 2553 */ 2554 int tomoyo_open_control(const u8 type, struct file *file) 2555 { 2556 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS); 2557 2558 if (!head) 2559 return -ENOMEM; 2560 guard(mutex_init)(&head->io_sem); 2561 head->type = type; 2562 switch (type) { 2563 case TOMOYO_DOMAINPOLICY: 2564 /* /sys/kernel/security/tomoyo/domain_policy */ 2565 head->write = tomoyo_write_domain; 2566 head->read = tomoyo_read_domain; 2567 break; 2568 case TOMOYO_EXCEPTIONPOLICY: 2569 /* /sys/kernel/security/tomoyo/exception_policy */ 2570 head->write = tomoyo_write_exception; 2571 head->read = tomoyo_read_exception; 2572 break; 2573 case TOMOYO_AUDIT: 2574 /* /sys/kernel/security/tomoyo/audit */ 2575 head->poll = tomoyo_poll_log; 2576 head->read = tomoyo_read_log; 2577 break; 2578 case TOMOYO_PROCESS_STATUS: 2579 /* /sys/kernel/security/tomoyo/.process_status */ 2580 head->write = tomoyo_write_pid; 2581 head->read = tomoyo_read_pid; 2582 break; 2583 case TOMOYO_VERSION: 2584 /* /sys/kernel/security/tomoyo/version */ 2585 head->read = tomoyo_read_version; 2586 head->readbuf_size = 128; 2587 break; 2588 case TOMOYO_STAT: 2589 /* /sys/kernel/security/tomoyo/stat */ 2590 head->write = tomoyo_write_stat; 2591 head->read = tomoyo_read_stat; 2592 head->readbuf_size = 1024; 2593 break; 2594 case TOMOYO_PROFILE: 2595 /* /sys/kernel/security/tomoyo/profile */ 2596 head->write = tomoyo_write_profile; 2597 head->read = tomoyo_read_profile; 2598 break; 2599 case TOMOYO_QUERY: /* /sys/kernel/security/tomoyo/query */ 2600 head->poll = tomoyo_poll_query; 2601 head->write = tomoyo_write_answer; 2602 head->read = tomoyo_read_query; 2603 break; 2604 case TOMOYO_MANAGER: 2605 /* /sys/kernel/security/tomoyo/manager */ 2606 head->write = tomoyo_write_manager; 2607 head->read = tomoyo_read_manager; 2608 break; 2609 } 2610 if (!(file->f_mode & FMODE_READ)) { 2611 /* 2612 * No need to allocate read_buf since it is not opened 2613 * for reading. 2614 */ 2615 head->read = NULL; 2616 head->poll = NULL; 2617 } else if (!head->poll) { 2618 /* Don't allocate read_buf for poll() access. */ 2619 if (!head->readbuf_size) 2620 head->readbuf_size = 4096 * 2; 2621 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); 2622 if (!head->read_buf) { 2623 kfree(head); 2624 return -ENOMEM; 2625 } 2626 } 2627 if (!(file->f_mode & FMODE_WRITE)) { 2628 /* 2629 * No need to allocate write_buf since it is not opened 2630 * for writing. 2631 */ 2632 head->write = NULL; 2633 } else if (head->write) { 2634 head->writebuf_size = 4096 * 2; 2635 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); 2636 if (!head->write_buf) { 2637 kfree(head->read_buf); 2638 kfree(head); 2639 return -ENOMEM; 2640 } 2641 } 2642 /* 2643 * If the file is /sys/kernel/security/tomoyo/query , increment the 2644 * observer counter. 2645 * The obserber counter is used by tomoyo_supervisor() to see if 2646 * there is some process monitoring /sys/kernel/security/tomoyo/query. 2647 */ 2648 if (type == TOMOYO_QUERY) 2649 atomic_inc(&tomoyo_query_observers); 2650 file->private_data = head; 2651 tomoyo_notify_gc(head, true); 2652 return 0; 2653 } 2654 2655 /** 2656 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface. 2657 * 2658 * @file: Pointer to "struct file". 2659 * @wait: Pointer to "poll_table". Maybe NULL. 2660 * 2661 * Returns EPOLLIN | EPOLLRDNORM | EPOLLOUT | EPOLLWRNORM if ready to read/write, 2662 * EPOLLOUT | EPOLLWRNORM otherwise. 2663 */ 2664 __poll_t tomoyo_poll_control(struct file *file, poll_table *wait) 2665 { 2666 struct tomoyo_io_buffer *head = file->private_data; 2667 2668 if (head->poll) 2669 return head->poll(file, wait) | EPOLLOUT | EPOLLWRNORM; 2670 return EPOLLIN | EPOLLRDNORM | EPOLLOUT | EPOLLWRNORM; 2671 } 2672 2673 /** 2674 * tomoyo_set_namespace_cursor - Set namespace to read. 2675 * 2676 * @head: Pointer to "struct tomoyo_io_buffer". 2677 * 2678 * Returns nothing. 2679 */ 2680 static inline void tomoyo_set_namespace_cursor(struct tomoyo_io_buffer *head) 2681 { 2682 struct list_head *ns; 2683 2684 if (head->type != TOMOYO_EXCEPTIONPOLICY && 2685 head->type != TOMOYO_PROFILE) 2686 return; 2687 /* 2688 * If this is the first read, or reading previous namespace finished 2689 * and has more namespaces to read, update the namespace cursor. 2690 */ 2691 ns = head->r.ns; 2692 if (!ns || (head->r.eof && ns->next != &tomoyo_namespace_list)) { 2693 /* Clearing is OK because tomoyo_flush() returned true. */ 2694 memset(&head->r, 0, sizeof(head->r)); 2695 head->r.ns = ns ? ns->next : tomoyo_namespace_list.next; 2696 } 2697 } 2698 2699 /** 2700 * tomoyo_has_more_namespace - Check for unread namespaces. 2701 * 2702 * @head: Pointer to "struct tomoyo_io_buffer". 2703 * 2704 * Returns true if we have more entries to print, false otherwise. 2705 */ 2706 static inline bool tomoyo_has_more_namespace(struct tomoyo_io_buffer *head) 2707 { 2708 return (head->type == TOMOYO_EXCEPTIONPOLICY || 2709 head->type == TOMOYO_PROFILE) && head->r.eof && 2710 head->r.ns->next != &tomoyo_namespace_list; 2711 } 2712 2713 /** 2714 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 2715 * 2716 * @head: Pointer to "struct tomoyo_io_buffer". 2717 * @buffer: Pointer to buffer to write to. 2718 * @buffer_len: Size of @buffer. 2719 * 2720 * Returns bytes read on success, negative value otherwise. 2721 */ 2722 ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, 2723 const int buffer_len) 2724 { 2725 int len; 2726 int idx; 2727 2728 if (!head->read) 2729 return -EINVAL; 2730 if (mutex_lock_interruptible(&head->io_sem)) 2731 return -EINTR; 2732 head->read_user_buf = buffer; 2733 head->read_user_buf_avail = buffer_len; 2734 idx = tomoyo_read_lock(); 2735 if (tomoyo_flush(head)) 2736 /* Call the policy handler. */ 2737 do { 2738 tomoyo_set_namespace_cursor(head); 2739 head->read(head); 2740 } while (tomoyo_flush(head) && 2741 tomoyo_has_more_namespace(head)); 2742 tomoyo_read_unlock(idx); 2743 len = head->read_user_buf - buffer; 2744 mutex_unlock(&head->io_sem); 2745 return len; 2746 } 2747 2748 /** 2749 * tomoyo_parse_policy - Parse a policy line. 2750 * 2751 * @head: Pointer to "struct tomoyo_io_buffer". 2752 * @line: Line to parse. 2753 * 2754 * Returns 0 on success, negative value otherwise. 2755 * 2756 * Caller holds tomoyo_read_lock(). 2757 */ 2758 static int tomoyo_parse_policy(struct tomoyo_io_buffer *head, char *line) 2759 __must_hold_shared(&tomoyo_ss) 2760 __must_hold(&head->io_sem) 2761 { 2762 /* Delete request? */ 2763 head->w.is_delete = !strncmp(line, "delete ", 7); 2764 if (head->w.is_delete) 2765 memmove(line, line + 7, strlen(line + 7) + 1); 2766 /* Selecting namespace to update. */ 2767 if (head->type == TOMOYO_EXCEPTIONPOLICY || 2768 head->type == TOMOYO_PROFILE) { 2769 if (*line == '<') { 2770 char *cp = strchr(line, ' '); 2771 2772 if (cp) { 2773 *cp++ = '\0'; 2774 head->w.ns = tomoyo_assign_namespace(line); 2775 memmove(line, cp, strlen(cp) + 1); 2776 } else 2777 head->w.ns = NULL; 2778 } else 2779 head->w.ns = &tomoyo_kernel_namespace; 2780 /* Don't allow updating if namespace is invalid. */ 2781 if (!head->w.ns) 2782 return -ENOENT; 2783 } 2784 /* Do the update. */ 2785 return head->write(head); 2786 } 2787 2788 /** 2789 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 2790 * 2791 * @head: Pointer to "struct tomoyo_io_buffer". 2792 * @buffer: Pointer to buffer to read from. 2793 * @buffer_len: Size of @buffer. 2794 * 2795 * Returns @buffer_len on success, negative value otherwise. 2796 */ 2797 ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, 2798 const char __user *buffer, const int buffer_len) 2799 { 2800 int error = buffer_len; 2801 size_t avail_len = buffer_len; 2802 char *cp0; 2803 int idx; 2804 2805 if (!head->write) 2806 return -EINVAL; 2807 if (mutex_lock_interruptible(&head->io_sem)) 2808 return -EINTR; 2809 cp0 = head->write_buf; 2810 head->read_user_buf_avail = 0; 2811 idx = tomoyo_read_lock(); 2812 /* Read a line and dispatch it to the policy handler. */ 2813 while (avail_len > 0) { 2814 char c; 2815 2816 if (head->w.avail >= head->writebuf_size - 1) { 2817 const int len = head->writebuf_size * 2; 2818 char *cp = kzalloc(len, GFP_NOFS | __GFP_NOWARN); 2819 2820 if (!cp) { 2821 error = -ENOMEM; 2822 break; 2823 } 2824 memmove(cp, cp0, head->w.avail); 2825 kfree(cp0); 2826 head->write_buf = cp; 2827 cp0 = cp; 2828 head->writebuf_size = len; 2829 } 2830 if (get_user(c, buffer)) { 2831 error = -EFAULT; 2832 break; 2833 } 2834 buffer++; 2835 avail_len--; 2836 cp0[head->w.avail++] = c; 2837 if (c != '\n') 2838 continue; 2839 cp0[head->w.avail - 1] = '\0'; 2840 head->w.avail = 0; 2841 tomoyo_normalize_line(cp0); 2842 if (!strcmp(cp0, "reset")) { 2843 head->w.ns = &tomoyo_kernel_namespace; 2844 head->w.domain = NULL; 2845 memset(&head->r, 0, sizeof(head->r)); 2846 continue; 2847 } 2848 /* Don't allow updating policies by non manager programs. */ 2849 switch (head->type) { 2850 case TOMOYO_PROCESS_STATUS: 2851 /* This does not write anything. */ 2852 break; 2853 case TOMOYO_DOMAINPOLICY: 2854 if (tomoyo_select_domain(head, cp0)) 2855 continue; 2856 fallthrough; 2857 case TOMOYO_EXCEPTIONPOLICY: 2858 if (!strcmp(cp0, "select transition_only")) { 2859 head->r.print_transition_related_only = true; 2860 continue; 2861 } 2862 fallthrough; 2863 default: 2864 if (!tomoyo_manager()) { 2865 error = -EPERM; 2866 goto out; 2867 } 2868 } 2869 switch (tomoyo_parse_policy(head, cp0)) { 2870 case -EPERM: 2871 error = -EPERM; 2872 goto out; 2873 case 0: 2874 switch (head->type) { 2875 case TOMOYO_DOMAINPOLICY: 2876 case TOMOYO_EXCEPTIONPOLICY: 2877 case TOMOYO_STAT: 2878 case TOMOYO_PROFILE: 2879 case TOMOYO_MANAGER: 2880 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 2881 break; 2882 default: 2883 break; 2884 } 2885 break; 2886 } 2887 } 2888 out: 2889 tomoyo_read_unlock(idx); 2890 mutex_unlock(&head->io_sem); 2891 return error; 2892 } 2893 2894 /** 2895 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 2896 * 2897 * @head: Pointer to "struct tomoyo_io_buffer". 2898 */ 2899 void tomoyo_close_control(struct tomoyo_io_buffer *head) 2900 { 2901 /* 2902 * If the file is /sys/kernel/security/tomoyo/query , decrement the 2903 * observer counter. 2904 */ 2905 if (head->type == TOMOYO_QUERY && 2906 atomic_dec_and_test(&tomoyo_query_observers)) 2907 wake_up_all(&tomoyo_answer_wait); 2908 tomoyo_notify_gc(head, false); 2909 } 2910 2911 /** 2912 * tomoyo_check_profile - Check all profiles currently assigned to domains are defined. 2913 */ 2914 void tomoyo_check_profile(void) 2915 { 2916 struct tomoyo_domain_info *domain; 2917 const int idx = tomoyo_read_lock(); 2918 2919 tomoyo_policy_loaded = true; 2920 pr_info("TOMOYO: 2.6.0\n"); 2921 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list, 2922 srcu_read_lock_held(&tomoyo_ss)) { 2923 const u8 profile = domain->profile; 2924 struct tomoyo_policy_namespace *ns = domain->ns; 2925 2926 if (ns->profile_version == 20110903) { 2927 pr_info_once("Converting profile version from %u to %u.\n", 2928 20110903, 20150505); 2929 ns->profile_version = 20150505; 2930 } 2931 if (ns->profile_version != 20150505) 2932 pr_err("Profile version %u is not supported.\n", 2933 ns->profile_version); 2934 else if (!ns->profile_ptr[profile]) 2935 pr_err("Profile %u (used by '%s') is not defined.\n", 2936 profile, domain->domainname->name); 2937 else 2938 continue; 2939 pr_err("Userland tools for TOMOYO 2.6 must be installed and policy must be initialized.\n"); 2940 pr_err("Please see https://tomoyo.sourceforge.net/2.6/ for more information.\n"); 2941 panic("STOP!"); 2942 } 2943 tomoyo_read_unlock(idx); 2944 pr_info("Mandatory Access Control activated.\n"); 2945 } 2946 2947 /** 2948 * tomoyo_load_builtin_policy - Load built-in policy. 2949 * 2950 * Returns nothing. 2951 */ 2952 void __init tomoyo_load_builtin_policy(void) 2953 { 2954 #ifdef CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING 2955 static char tomoyo_builtin_profile[] __initdata = 2956 "PROFILE_VERSION=20150505\n" 2957 "0-CONFIG={ mode=learning grant_log=no reject_log=yes }\n"; 2958 static char tomoyo_builtin_exception_policy[] __initdata = 2959 "aggregator proc:/self/exe /proc/self/exe\n"; 2960 static char tomoyo_builtin_domain_policy[] __initdata = ""; 2961 static char tomoyo_builtin_manager[] __initdata = ""; 2962 static char tomoyo_builtin_stat[] __initdata = ""; 2963 #else 2964 /* 2965 * This include file is manually created and contains built-in policy 2966 * named "tomoyo_builtin_profile", "tomoyo_builtin_exception_policy", 2967 * "tomoyo_builtin_domain_policy", "tomoyo_builtin_manager", 2968 * "tomoyo_builtin_stat" in the form of "static char [] __initdata". 2969 */ 2970 #include "builtin-policy.h" 2971 #endif 2972 u8 i; 2973 const int idx = tomoyo_read_lock(); 2974 2975 for (i = 0; i < 5; i++) { 2976 struct tomoyo_io_buffer head = { }; 2977 char *start = ""; 2978 2979 switch (i) { 2980 case 0: 2981 start = tomoyo_builtin_profile; 2982 head.type = TOMOYO_PROFILE; 2983 head.write = tomoyo_write_profile; 2984 break; 2985 case 1: 2986 start = tomoyo_builtin_exception_policy; 2987 head.type = TOMOYO_EXCEPTIONPOLICY; 2988 head.write = tomoyo_write_exception; 2989 break; 2990 case 2: 2991 start = tomoyo_builtin_domain_policy; 2992 head.type = TOMOYO_DOMAINPOLICY; 2993 head.write = tomoyo_write_domain; 2994 break; 2995 case 3: 2996 start = tomoyo_builtin_manager; 2997 head.type = TOMOYO_MANAGER; 2998 head.write = tomoyo_write_manager; 2999 break; 3000 case 4: 3001 start = tomoyo_builtin_stat; 3002 head.type = TOMOYO_STAT; 3003 head.write = tomoyo_write_stat; 3004 break; 3005 } 3006 while (1) { 3007 char *end = strchr(start, '\n'); 3008 3009 if (!end) 3010 break; 3011 *end = '\0'; 3012 tomoyo_normalize_line(start); 3013 /* head is stack-local and not shared. */ 3014 context_unsafe( 3015 head.write_buf = start; 3016 tomoyo_parse_policy(&head, start); 3017 ); 3018 start = end + 1; 3019 } 3020 } 3021 tomoyo_read_unlock(idx); 3022 #ifdef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER 3023 tomoyo_check_profile(); 3024 #endif 3025 } 3026