1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * security/tomoyo/domain.c 4 * 5 * Copyright (C) 2005-2011 NTT DATA CORPORATION 6 */ 7 8 #include "common.h" 9 10 #include <linux/binfmts.h> 11 #include <linux/slab.h> 12 #include <linux/rculist.h> 13 14 /* Variables definitions.*/ 15 16 /* The initial domain. */ 17 struct tomoyo_domain_info tomoyo_kernel_domain; 18 19 /** 20 * tomoyo_update_policy - Update an entry for exception policy. 21 * 22 * @new_entry: Pointer to "struct tomoyo_acl_info". 23 * @size: Size of @new_entry in bytes. 24 * @param: Pointer to "struct tomoyo_acl_param". 25 * @check_duplicate: Callback function to find duplicated entry. 26 * 27 * Returns 0 on success, negative value otherwise. 28 * 29 * Caller holds tomoyo_read_lock(). 30 */ 31 int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size, 32 struct tomoyo_acl_param *param, 33 bool (*check_duplicate)(const struct tomoyo_acl_head 34 *, 35 const struct tomoyo_acl_head 36 *)) 37 { 38 int error = param->is_delete ? -ENOENT : -ENOMEM; 39 struct tomoyo_acl_head *entry; 40 struct list_head *list = param->list; 41 42 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 43 return -ENOMEM; 44 list_for_each_entry_rcu(entry, list, list, 45 srcu_read_lock_held(&tomoyo_ss)) { 46 if (entry->is_deleted == TOMOYO_GC_IN_PROGRESS) 47 continue; 48 if (!check_duplicate(entry, new_entry)) 49 continue; 50 entry->is_deleted = param->is_delete; 51 error = 0; 52 break; 53 } 54 if (error && !param->is_delete) { 55 entry = tomoyo_commit_ok(new_entry, size); 56 if (entry) { 57 list_add_tail_rcu(&entry->list, list); 58 error = 0; 59 } 60 } 61 mutex_unlock(&tomoyo_policy_lock); 62 return error; 63 } 64 65 /** 66 * tomoyo_same_acl_head - Check for duplicated "struct tomoyo_acl_info" entry. 67 * 68 * @a: Pointer to "struct tomoyo_acl_info". 69 * @b: Pointer to "struct tomoyo_acl_info". 70 * 71 * Returns true if @a == @b, false otherwise. 72 */ 73 static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *a, 74 const struct tomoyo_acl_info *b) 75 { 76 return a->type == b->type && a->cond == b->cond; 77 } 78 79 /** 80 * tomoyo_update_domain - Update an entry for domain policy. 81 * 82 * @new_entry: Pointer to "struct tomoyo_acl_info". 83 * @size: Size of @new_entry in bytes. 84 * @param: Pointer to "struct tomoyo_acl_param". 85 * @check_duplicate: Callback function to find duplicated entry. 86 * @merge_duplicate: Callback function to merge duplicated entry. 87 * 88 * Returns 0 on success, negative value otherwise. 89 * 90 * Caller holds tomoyo_read_lock(). 91 */ 92 int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size, 93 struct tomoyo_acl_param *param, 94 bool (*check_duplicate)(const struct tomoyo_acl_info 95 *, 96 const struct tomoyo_acl_info 97 *), 98 bool (*merge_duplicate)(struct tomoyo_acl_info *, 99 struct tomoyo_acl_info *, 100 const bool)) 101 { 102 const bool is_delete = param->is_delete; 103 int error = is_delete ? -ENOENT : -ENOMEM; 104 struct tomoyo_acl_info *entry; 105 struct list_head * const list = param->list; 106 107 if (param->data[0]) { 108 new_entry->cond = tomoyo_get_condition(param); 109 if (!new_entry->cond) 110 return -EINVAL; 111 /* 112 * Domain transition preference is allowed for only 113 * "file execute" entries. 114 */ 115 if (new_entry->cond->transit && 116 !(new_entry->type == TOMOYO_TYPE_PATH_ACL && 117 container_of(new_entry, struct tomoyo_path_acl, head) 118 ->perm == 1 << TOMOYO_TYPE_EXECUTE)) 119 goto out; 120 } 121 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 122 goto out; 123 list_for_each_entry_rcu(entry, list, list, 124 srcu_read_lock_held(&tomoyo_ss)) { 125 if (entry->is_deleted == TOMOYO_GC_IN_PROGRESS) 126 continue; 127 if (!tomoyo_same_acl_head(entry, new_entry) || 128 !check_duplicate(entry, new_entry)) 129 continue; 130 if (merge_duplicate) 131 entry->is_deleted = merge_duplicate(entry, new_entry, 132 is_delete); 133 else 134 entry->is_deleted = is_delete; 135 error = 0; 136 break; 137 } 138 if (error && !is_delete) { 139 entry = tomoyo_commit_ok(new_entry, size); 140 if (entry) { 141 list_add_tail_rcu(&entry->list, list); 142 error = 0; 143 } 144 } 145 mutex_unlock(&tomoyo_policy_lock); 146 out: 147 tomoyo_put_condition(new_entry->cond); 148 return error; 149 } 150 151 /** 152 * tomoyo_check_acl - Do permission check. 153 * 154 * @r: Pointer to "struct tomoyo_request_info". 155 * @check_entry: Callback function to check type specific parameters. 156 * 157 * Returns 0 on success, negative value otherwise. 158 * 159 * Caller holds tomoyo_read_lock(). 160 */ 161 void tomoyo_check_acl(struct tomoyo_request_info *r, 162 bool (*check_entry)(struct tomoyo_request_info *, 163 const struct tomoyo_acl_info *)) 164 { 165 const struct tomoyo_domain_info *domain = r->domain; 166 struct tomoyo_acl_info *ptr; 167 const struct list_head *list = &domain->acl_info_list; 168 u16 i = 0; 169 170 retry: 171 list_for_each_entry_rcu(ptr, list, list, 172 srcu_read_lock_held(&tomoyo_ss)) { 173 if (ptr->is_deleted || ptr->type != r->param_type) 174 continue; 175 if (!check_entry(r, ptr)) 176 continue; 177 if (!tomoyo_condition(r, ptr->cond)) 178 continue; 179 r->matched_acl = ptr; 180 r->granted = true; 181 return; 182 } 183 for (; i < TOMOYO_MAX_ACL_GROUPS; i++) { 184 if (!test_bit(i, domain->group)) 185 continue; 186 list = &domain->ns->acl_group[i++]; 187 goto retry; 188 } 189 r->granted = false; 190 } 191 192 /* The list for "struct tomoyo_domain_info". */ 193 LIST_HEAD(tomoyo_domain_list); 194 195 /** 196 * tomoyo_last_word - Get last component of a domainname. 197 * 198 * @name: Domainname to check. 199 * 200 * Returns the last word of @domainname. 201 */ 202 static const char *tomoyo_last_word(const char *name) 203 { 204 const char *cp = strrchr(name, ' '); 205 206 if (cp) 207 return cp + 1; 208 return name; 209 } 210 211 /** 212 * tomoyo_same_transition_control - Check for duplicated "struct tomoyo_transition_control" entry. 213 * 214 * @a: Pointer to "struct tomoyo_acl_head". 215 * @b: Pointer to "struct tomoyo_acl_head". 216 * 217 * Returns true if @a == @b, false otherwise. 218 */ 219 static bool tomoyo_same_transition_control(const struct tomoyo_acl_head *a, 220 const struct tomoyo_acl_head *b) 221 { 222 const struct tomoyo_transition_control *p1 = container_of(a, 223 typeof(*p1), 224 head); 225 const struct tomoyo_transition_control *p2 = container_of(b, 226 typeof(*p2), 227 head); 228 229 return p1->type == p2->type && p1->is_last_name == p2->is_last_name 230 && p1->domainname == p2->domainname 231 && p1->program == p2->program; 232 } 233 234 /** 235 * tomoyo_write_transition_control - Write "struct tomoyo_transition_control" list. 236 * 237 * @param: Pointer to "struct tomoyo_acl_param". 238 * @type: Type of this entry. 239 * 240 * Returns 0 on success, negative value otherwise. 241 */ 242 int tomoyo_write_transition_control(struct tomoyo_acl_param *param, 243 const u8 type) 244 { 245 struct tomoyo_transition_control e = { .type = type }; 246 int error = param->is_delete ? -ENOENT : -ENOMEM; 247 char *program = param->data; 248 char *domainname = strstr(program, " from "); 249 250 if (domainname) { 251 *domainname = '\0'; 252 domainname += 6; 253 } else if (type == TOMOYO_TRANSITION_CONTROL_NO_KEEP || 254 type == TOMOYO_TRANSITION_CONTROL_KEEP) { 255 domainname = program; 256 program = NULL; 257 } 258 if (program && strcmp(program, "any")) { 259 if (!tomoyo_correct_path(program)) 260 return -EINVAL; 261 e.program = tomoyo_get_name(program); 262 if (!e.program) 263 goto out; 264 } 265 if (domainname && strcmp(domainname, "any")) { 266 if (!tomoyo_correct_domain(domainname)) { 267 if (!tomoyo_correct_path(domainname)) 268 goto out; 269 e.is_last_name = true; 270 } 271 e.domainname = tomoyo_get_name(domainname); 272 if (!e.domainname) 273 goto out; 274 } 275 param->list = ¶m->ns->policy_list[TOMOYO_ID_TRANSITION_CONTROL]; 276 error = tomoyo_update_policy(&e.head, sizeof(e), param, 277 tomoyo_same_transition_control); 278 out: 279 tomoyo_put_name(e.domainname); 280 tomoyo_put_name(e.program); 281 return error; 282 } 283 284 /** 285 * tomoyo_scan_transition - Try to find specific domain transition type. 286 * 287 * @list: Pointer to "struct list_head". 288 * @domainname: The name of current domain. 289 * @program: The name of requested program. 290 * @last_name: The last component of @domainname. 291 * @type: One of values in "enum tomoyo_transition_type". 292 * 293 * Returns true if found one, false otherwise. 294 * 295 * Caller holds tomoyo_read_lock(). 296 */ 297 static inline bool tomoyo_scan_transition 298 (const struct list_head *list, const struct tomoyo_path_info *domainname, 299 const struct tomoyo_path_info *program, const char *last_name, 300 const enum tomoyo_transition_type type) 301 { 302 const struct tomoyo_transition_control *ptr; 303 304 list_for_each_entry_rcu(ptr, list, head.list, 305 srcu_read_lock_held(&tomoyo_ss)) { 306 if (ptr->head.is_deleted || ptr->type != type) 307 continue; 308 if (ptr->domainname) { 309 if (!ptr->is_last_name) { 310 if (ptr->domainname != domainname) 311 continue; 312 } else { 313 /* 314 * Use direct strcmp() since this is 315 * unlikely used. 316 */ 317 if (strcmp(ptr->domainname->name, last_name)) 318 continue; 319 } 320 } 321 if (ptr->program && tomoyo_pathcmp(ptr->program, program)) 322 continue; 323 return true; 324 } 325 return false; 326 } 327 328 /** 329 * tomoyo_transition_type - Get domain transition type. 330 * 331 * @ns: Pointer to "struct tomoyo_policy_namespace". 332 * @domainname: The name of current domain. 333 * @program: The name of requested program. 334 * 335 * Returns TOMOYO_TRANSITION_CONTROL_TRANSIT if executing @program causes 336 * domain transition across namespaces, TOMOYO_TRANSITION_CONTROL_INITIALIZE if 337 * executing @program reinitializes domain transition within that namespace, 338 * TOMOYO_TRANSITION_CONTROL_KEEP if executing @program stays at @domainname , 339 * others otherwise. 340 * 341 * Caller holds tomoyo_read_lock(). 342 */ 343 static enum tomoyo_transition_type tomoyo_transition_type 344 (const struct tomoyo_policy_namespace *ns, 345 const struct tomoyo_path_info *domainname, 346 const struct tomoyo_path_info *program) 347 { 348 const char *last_name = tomoyo_last_word(domainname->name); 349 enum tomoyo_transition_type type = TOMOYO_TRANSITION_CONTROL_NO_RESET; 350 351 while (type < TOMOYO_MAX_TRANSITION_TYPE) { 352 const struct list_head * const list = 353 &ns->policy_list[TOMOYO_ID_TRANSITION_CONTROL]; 354 355 if (!tomoyo_scan_transition(list, domainname, program, 356 last_name, type)) { 357 type++; 358 continue; 359 } 360 if (type != TOMOYO_TRANSITION_CONTROL_NO_RESET && 361 type != TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE) 362 break; 363 /* 364 * Do not check for reset_domain if no_reset_domain matched. 365 * Do not check for initialize_domain if no_initialize_domain 366 * matched. 367 */ 368 type++; 369 type++; 370 } 371 return type; 372 } 373 374 /** 375 * tomoyo_same_aggregator - Check for duplicated "struct tomoyo_aggregator" entry. 376 * 377 * @a: Pointer to "struct tomoyo_acl_head". 378 * @b: Pointer to "struct tomoyo_acl_head". 379 * 380 * Returns true if @a == @b, false otherwise. 381 */ 382 static bool tomoyo_same_aggregator(const struct tomoyo_acl_head *a, 383 const struct tomoyo_acl_head *b) 384 { 385 const struct tomoyo_aggregator *p1 = container_of(a, typeof(*p1), 386 head); 387 const struct tomoyo_aggregator *p2 = container_of(b, typeof(*p2), 388 head); 389 390 return p1->original_name == p2->original_name && 391 p1->aggregated_name == p2->aggregated_name; 392 } 393 394 /** 395 * tomoyo_write_aggregator - Write "struct tomoyo_aggregator" list. 396 * 397 * @param: Pointer to "struct tomoyo_acl_param". 398 * 399 * Returns 0 on success, negative value otherwise. 400 * 401 * Caller holds tomoyo_read_lock(). 402 */ 403 int tomoyo_write_aggregator(struct tomoyo_acl_param *param) 404 { 405 struct tomoyo_aggregator e = { }; 406 int error = param->is_delete ? -ENOENT : -ENOMEM; 407 const char *original_name = tomoyo_read_token(param); 408 const char *aggregated_name = tomoyo_read_token(param); 409 410 if (!tomoyo_correct_word(original_name) || 411 !tomoyo_correct_path(aggregated_name)) 412 return -EINVAL; 413 e.original_name = tomoyo_get_name(original_name); 414 e.aggregated_name = tomoyo_get_name(aggregated_name); 415 if (!e.original_name || !e.aggregated_name || 416 e.aggregated_name->is_patterned) /* No patterns allowed. */ 417 goto out; 418 param->list = ¶m->ns->policy_list[TOMOYO_ID_AGGREGATOR]; 419 error = tomoyo_update_policy(&e.head, sizeof(e), param, 420 tomoyo_same_aggregator); 421 out: 422 tomoyo_put_name(e.original_name); 423 tomoyo_put_name(e.aggregated_name); 424 return error; 425 } 426 427 /** 428 * tomoyo_find_namespace - Find specified namespace. 429 * 430 * @name: Name of namespace to find. 431 * @len: Length of @name. 432 * 433 * Returns pointer to "struct tomoyo_policy_namespace" if found, 434 * NULL otherwise. 435 * 436 * Caller holds tomoyo_read_lock(). 437 */ 438 static struct tomoyo_policy_namespace *tomoyo_find_namespace 439 (const char *name, const unsigned int len) 440 { 441 struct tomoyo_policy_namespace *ns; 442 443 list_for_each_entry(ns, &tomoyo_namespace_list, namespace_list) { 444 if (strncmp(name, ns->name, len) || 445 (name[len] && name[len] != ' ')) 446 continue; 447 return ns; 448 } 449 return NULL; 450 } 451 452 /** 453 * tomoyo_assign_namespace - Create a new namespace. 454 * 455 * @domainname: Name of namespace to create. 456 * 457 * Returns pointer to "struct tomoyo_policy_namespace" on success, 458 * NULL otherwise. 459 * 460 * Caller holds tomoyo_read_lock(). 461 */ 462 struct tomoyo_policy_namespace *tomoyo_assign_namespace(const char *domainname) 463 { 464 struct tomoyo_policy_namespace *ptr; 465 struct tomoyo_policy_namespace *entry; 466 const char *cp = domainname; 467 unsigned int len = 0; 468 469 while (*cp && *cp++ != ' ') 470 len++; 471 ptr = tomoyo_find_namespace(domainname, len); 472 if (ptr) 473 return ptr; 474 if (len >= TOMOYO_EXEC_TMPSIZE - 10 || !tomoyo_domain_def(domainname)) 475 return NULL; 476 entry = kzalloc(sizeof(*entry) + len + 1, GFP_NOFS | __GFP_NOWARN); 477 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 478 goto out; 479 ptr = tomoyo_find_namespace(domainname, len); 480 if (!ptr && tomoyo_memory_ok(entry)) { 481 char *name = (char *) (entry + 1); 482 483 ptr = entry; 484 memmove(name, domainname, len); 485 name[len] = '\0'; 486 entry->name = name; 487 tomoyo_init_policy_namespace(entry); 488 entry = NULL; 489 } 490 mutex_unlock(&tomoyo_policy_lock); 491 out: 492 kfree(entry); 493 return ptr; 494 } 495 496 /** 497 * tomoyo_namespace_jump - Check for namespace jump. 498 * 499 * @domainname: Name of domain. 500 * 501 * Returns true if namespace differs, false otherwise. 502 */ 503 static bool tomoyo_namespace_jump(const char *domainname) 504 { 505 const char *namespace = tomoyo_current_namespace()->name; 506 const int len = strlen(namespace); 507 508 return strncmp(domainname, namespace, len) || 509 (domainname[len] && domainname[len] != ' '); 510 } 511 512 /** 513 * tomoyo_assign_domain - Create a domain or a namespace. 514 * 515 * @domainname: The name of domain. 516 * @transit: True if transit to domain found or created. 517 * 518 * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise. 519 * 520 * Caller holds tomoyo_read_lock(). 521 */ 522 struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname, 523 const bool transit) 524 { 525 struct tomoyo_domain_info e = { }; 526 struct tomoyo_domain_info *entry = tomoyo_find_domain(domainname); 527 bool created = false; 528 529 if (entry) { 530 if (transit) { 531 /* 532 * Since namespace is created at runtime, profiles may 533 * not be created by the moment the process transits to 534 * that domain. Do not perform domain transition if 535 * profile for that domain is not yet created. 536 */ 537 if (tomoyo_policy_loaded && 538 !entry->ns->profile_ptr[entry->profile]) 539 return NULL; 540 } 541 return entry; 542 } 543 /* Requested domain does not exist. */ 544 /* Don't create requested domain if domainname is invalid. */ 545 if (strlen(domainname) >= TOMOYO_EXEC_TMPSIZE - 10 || 546 !tomoyo_correct_domain(domainname)) 547 return NULL; 548 /* 549 * Since definition of profiles and acl_groups may differ across 550 * namespaces, do not inherit "use_profile" and "use_group" settings 551 * by automatically creating requested domain upon domain transition. 552 */ 553 if (transit && tomoyo_namespace_jump(domainname)) 554 return NULL; 555 e.ns = tomoyo_assign_namespace(domainname); 556 if (!e.ns) 557 return NULL; 558 /* 559 * "use_profile" and "use_group" settings for automatically created 560 * domains are inherited from current domain. These are 0 for manually 561 * created domains. 562 */ 563 if (transit) { 564 const struct tomoyo_domain_info *domain = tomoyo_domain(); 565 566 e.profile = domain->profile; 567 memcpy(e.group, domain->group, sizeof(e.group)); 568 } 569 e.domainname = tomoyo_get_name(domainname); 570 if (!e.domainname) 571 return NULL; 572 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 573 goto out; 574 entry = tomoyo_find_domain(domainname); 575 if (!entry) { 576 entry = tomoyo_commit_ok(&e, sizeof(e)); 577 if (entry) { 578 INIT_LIST_HEAD(&entry->acl_info_list); 579 list_add_tail_rcu(&entry->list, &tomoyo_domain_list); 580 created = true; 581 } 582 } 583 mutex_unlock(&tomoyo_policy_lock); 584 out: 585 tomoyo_put_name(e.domainname); 586 if (entry && transit) { 587 if (created) { 588 struct tomoyo_request_info r; 589 int i; 590 591 tomoyo_init_request_info(&r, entry, 592 TOMOYO_MAC_FILE_EXECUTE); 593 r.granted = false; 594 tomoyo_write_log(&r, "use_profile %u\n", 595 entry->profile); 596 for (i = 0; i < TOMOYO_MAX_ACL_GROUPS; i++) 597 if (test_bit(i, entry->group)) 598 tomoyo_write_log(&r, "use_group %u\n", 599 i); 600 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 601 } 602 } 603 return entry; 604 } 605 606 /** 607 * tomoyo_environ - Check permission for environment variable names. 608 * 609 * @ee: Pointer to "struct tomoyo_execve". 610 * 611 * Returns 0 on success, negative value otherwise. 612 */ 613 static int tomoyo_environ(struct tomoyo_execve *ee) 614 __must_hold_shared(&tomoyo_ss) 615 { 616 struct tomoyo_request_info *r = &ee->r; 617 struct linux_binprm *bprm = ee->bprm; 618 /* env_page.data is allocated by tomoyo_dump_page(). */ 619 struct tomoyo_page_dump env_page = { }; 620 char *arg_ptr; /* Size is TOMOYO_EXEC_TMPSIZE bytes */ 621 int arg_len = 0; 622 unsigned long pos = bprm->p; 623 int offset = pos % PAGE_SIZE; 624 int argv_count = bprm->argc; 625 int envp_count = bprm->envc; 626 int error = -ENOMEM; 627 628 ee->r.type = TOMOYO_MAC_ENVIRON; 629 ee->r.profile = r->domain->profile; 630 ee->r.mode = tomoyo_get_mode(r->domain->ns, ee->r.profile, 631 TOMOYO_MAC_ENVIRON); 632 if (!r->mode || !envp_count) 633 return 0; 634 arg_ptr = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS); 635 if (!arg_ptr) 636 goto out; 637 while (error == -ENOMEM) { 638 if (!tomoyo_dump_page(bprm, pos, &env_page)) 639 goto out; 640 pos += PAGE_SIZE - offset; 641 /* Read. */ 642 while (argv_count && offset < PAGE_SIZE) { 643 if (!env_page.data[offset++]) 644 argv_count--; 645 } 646 if (argv_count) { 647 offset = 0; 648 continue; 649 } 650 while (offset < PAGE_SIZE) { 651 const unsigned char c = env_page.data[offset++]; 652 653 if (c && arg_len < TOMOYO_EXEC_TMPSIZE - 10) { 654 if (c == '=') { 655 arg_ptr[arg_len++] = '\0'; 656 } else if (c == '\\') { 657 arg_ptr[arg_len++] = '\\'; 658 arg_ptr[arg_len++] = '\\'; 659 } else if (c > ' ' && c < 127) { 660 arg_ptr[arg_len++] = c; 661 } else { 662 arg_ptr[arg_len++] = '\\'; 663 arg_ptr[arg_len++] = (c >> 6) + '0'; 664 arg_ptr[arg_len++] 665 = ((c >> 3) & 7) + '0'; 666 arg_ptr[arg_len++] = (c & 7) + '0'; 667 } 668 } else { 669 arg_ptr[arg_len] = '\0'; 670 } 671 if (c) 672 continue; 673 if (tomoyo_env_perm(r, arg_ptr)) { 674 error = -EPERM; 675 break; 676 } 677 if (!--envp_count) { 678 error = 0; 679 break; 680 } 681 arg_len = 0; 682 } 683 offset = 0; 684 } 685 out: 686 if (r->mode != TOMOYO_CONFIG_ENFORCING) 687 error = 0; 688 kfree(env_page.data); 689 kfree(arg_ptr); 690 return error; 691 } 692 693 /** 694 * tomoyo_find_next_domain - Find a domain. 695 * 696 * @bprm: Pointer to "struct linux_binprm". 697 * 698 * Returns 0 on success, negative value otherwise. 699 * 700 * Caller holds tomoyo_read_lock(). 701 */ 702 int tomoyo_find_next_domain(struct linux_binprm *bprm) 703 { 704 struct tomoyo_domain_info *old_domain = tomoyo_domain(); 705 struct tomoyo_domain_info *domain = NULL; 706 const char *original_name = bprm->filename; 707 int retval = -ENOMEM; 708 bool reject_on_transition_failure = false; 709 const struct tomoyo_path_info *candidate; 710 struct tomoyo_path_info exename; 711 struct tomoyo_execve *ee = kzalloc(sizeof(*ee), GFP_NOFS); 712 713 if (!ee) 714 return -ENOMEM; 715 ee->tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS); 716 if (!ee->tmp) { 717 kfree(ee); 718 return -ENOMEM; 719 } 720 /* ee->dump->data is allocated by tomoyo_dump_page(). */ 721 tomoyo_init_request_info(&ee->r, NULL, TOMOYO_MAC_FILE_EXECUTE); 722 ee->r.ee = ee; 723 ee->bprm = bprm; 724 ee->r.obj = &ee->obj; 725 ee->obj.path1 = bprm->file->f_path; 726 /* 727 * Get symlink's pathname of program, but fallback to realpath if 728 * symlink's pathname does not exist or symlink's pathname refers 729 * to proc filesystem (e.g. /dev/fd/<num> or /proc/self/fd/<num> ). 730 */ 731 exename.name = tomoyo_realpath_nofollow(original_name); 732 if (exename.name && !strncmp(exename.name, "proc:/", 6)) { 733 kfree(exename.name); 734 exename.name = NULL; 735 } 736 if (!exename.name) { 737 exename.name = tomoyo_realpath_from_path(&bprm->file->f_path); 738 if (!exename.name) 739 goto out; 740 } 741 tomoyo_fill_path_info(&exename); 742 retry: 743 /* Check 'aggregator' directive. */ 744 { 745 struct tomoyo_aggregator *ptr; 746 struct list_head *list = 747 &old_domain->ns->policy_list[TOMOYO_ID_AGGREGATOR]; 748 749 /* Check 'aggregator' directive. */ 750 candidate = &exename; 751 list_for_each_entry_rcu(ptr, list, head.list, 752 srcu_read_lock_held(&tomoyo_ss)) { 753 if (ptr->head.is_deleted || 754 !tomoyo_path_matches_pattern(&exename, 755 ptr->original_name)) 756 continue; 757 candidate = ptr->aggregated_name; 758 break; 759 } 760 } 761 762 /* Check execute permission. */ 763 retval = tomoyo_execute_permission(&ee->r, candidate); 764 if (retval == TOMOYO_RETRY_REQUEST) 765 goto retry; 766 if (retval < 0) 767 goto out; 768 /* 769 * To be able to specify domainnames with wildcards, use the 770 * pathname specified in the policy (which may contain 771 * wildcard) rather than the pathname passed to execve() 772 * (which never contains wildcard). 773 */ 774 if (ee->r.param.path.matched_path) 775 candidate = ee->r.param.path.matched_path; 776 777 /* 778 * Check for domain transition preference if "file execute" matched. 779 * If preference is given, make execve() fail if domain transition 780 * has failed, for domain transition preference should be used with 781 * destination domain defined. 782 */ 783 if (ee->transition) { 784 const char *domainname = ee->transition->name; 785 786 reject_on_transition_failure = true; 787 if (!strcmp(domainname, "keep")) 788 goto force_keep_domain; 789 if (!strcmp(domainname, "child")) 790 goto force_child_domain; 791 if (!strcmp(domainname, "reset")) 792 goto force_reset_domain; 793 if (!strcmp(domainname, "initialize")) 794 goto force_initialize_domain; 795 if (!strcmp(domainname, "parent")) { 796 char *cp; 797 798 strscpy(ee->tmp, old_domain->domainname->name, TOMOYO_EXEC_TMPSIZE); 799 cp = strrchr(ee->tmp, ' '); 800 if (cp) 801 *cp = '\0'; 802 } else if (*domainname == '<') 803 strscpy(ee->tmp, domainname, TOMOYO_EXEC_TMPSIZE); 804 else 805 snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", 806 old_domain->domainname->name, domainname); 807 goto force_jump_domain; 808 } 809 /* 810 * No domain transition preference specified. 811 * Calculate domain to transit to. 812 */ 813 switch (tomoyo_transition_type(old_domain->ns, old_domain->domainname, 814 candidate)) { 815 case TOMOYO_TRANSITION_CONTROL_RESET: 816 force_reset_domain: 817 /* Transit to the root of specified namespace. */ 818 snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "<%s>", 819 candidate->name); 820 /* 821 * Make execve() fail if domain transition across namespaces 822 * has failed. 823 */ 824 reject_on_transition_failure = true; 825 break; 826 case TOMOYO_TRANSITION_CONTROL_INITIALIZE: 827 force_initialize_domain: 828 /* Transit to the child of current namespace's root. */ 829 snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", 830 old_domain->ns->name, candidate->name); 831 break; 832 case TOMOYO_TRANSITION_CONTROL_KEEP: 833 force_keep_domain: 834 /* Keep current domain. */ 835 domain = old_domain; 836 break; 837 default: 838 if (old_domain == &tomoyo_kernel_domain && 839 !tomoyo_policy_loaded) { 840 /* 841 * Needn't to transit from kernel domain before 842 * starting /sbin/init. But transit from kernel domain 843 * if executing initializers because they might start 844 * before /sbin/init. 845 */ 846 domain = old_domain; 847 break; 848 } 849 force_child_domain: 850 /* Normal domain transition. */ 851 snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", 852 old_domain->domainname->name, candidate->name); 853 break; 854 } 855 force_jump_domain: 856 if (!domain) 857 domain = tomoyo_assign_domain(ee->tmp, true); 858 if (domain) 859 retval = 0; 860 else if (reject_on_transition_failure) { 861 pr_warn("ERROR: Domain '%s' not ready.\n", ee->tmp); 862 retval = -ENOMEM; 863 } else if (ee->r.mode == TOMOYO_CONFIG_ENFORCING) 864 retval = -ENOMEM; 865 else { 866 retval = 0; 867 if (!old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED]) { 868 old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED] = true; 869 ee->r.granted = false; 870 tomoyo_write_log(&ee->r, "%s", tomoyo_dif 871 [TOMOYO_DIF_TRANSITION_FAILED]); 872 pr_warn("ERROR: Domain '%s' not defined.\n", ee->tmp); 873 } 874 } 875 out: 876 if (!domain) 877 domain = old_domain; 878 /* Update reference count on "struct tomoyo_domain_info". */ 879 { 880 struct tomoyo_task *s = tomoyo_task(current); 881 882 s->old_domain_info = s->domain_info; 883 s->domain_info = domain; 884 atomic_inc(&domain->users); 885 } 886 kfree(exename.name); 887 if (!retval) { 888 ee->r.domain = domain; 889 retval = tomoyo_environ(ee); 890 } 891 kfree(ee->tmp); 892 kfree(ee->dump.data); 893 kfree(ee); 894 return retval; 895 } 896 897 /** 898 * tomoyo_dump_page - Dump a page to buffer. 899 * 900 * @bprm: Pointer to "struct linux_binprm". 901 * @pos: Location to dump. 902 * @dump: Pointer to "struct tomoyo_page_dump". 903 * 904 * Returns true on success, false otherwise. 905 */ 906 bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos, 907 struct tomoyo_page_dump *dump) 908 { 909 struct page *page; 910 #ifdef CONFIG_MMU 911 int ret; 912 #endif 913 914 /* dump->data is released by tomoyo_find_next_domain(). */ 915 if (!dump->data) { 916 dump->data = kzalloc(PAGE_SIZE, GFP_NOFS); 917 if (!dump->data) 918 return false; 919 } 920 /* Same with get_arg_page(bprm, pos, 0) in fs/exec.c */ 921 #ifdef CONFIG_MMU 922 /* 923 * This is called at execve() time in order to dig around 924 * in the argv/environment of the new process 925 * (represented by bprm). 926 */ 927 mmap_read_lock(bprm->mm); 928 ret = get_user_pages_remote(bprm->mm, pos, 1, 929 FOLL_FORCE, &page, NULL); 930 mmap_read_unlock(bprm->mm); 931 if (ret <= 0) 932 return false; 933 #else 934 page = bprm->page[pos / PAGE_SIZE]; 935 #endif 936 if (page != dump->page) { 937 const unsigned int offset = pos % PAGE_SIZE; 938 char *kaddr = kmap_local_page(page); 939 940 dump->page = page; 941 memcpy(dump->data + offset, kaddr + offset, 942 PAGE_SIZE - offset); 943 kunmap_local(kaddr); 944 } 945 /* Same with put_arg_page(page) in fs/exec.c */ 946 #ifdef CONFIG_MMU 947 put_page(page); 948 #endif 949 return true; 950 } 951