// SPDX-License-Identifier: GPL-2.0
/*
 * security/tomoyo/common.c
 *
 * Copyright (C) 2005-2011 NTT DATA CORPORATION
 */

#include <linux/uaccess.h>
#include <linux/slab.h>
#include <linux/security.h>
#include <linux/string_helpers.h>
#include "common.h"

/*
 * String table for operation mode.
 *
 * Indexed by the mode value kept in the low bits of a profile's config
 * byte; tomoyo_print_config() looks entries up with "config & 3" and
 * tomoyo_set_mode() matches these names against user-supplied text.
 */
const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = {
	[TOMOYO_CONFIG_DISABLED]   = "disabled",
	[TOMOYO_CONFIG_LEARNING]   = "learning",
	[TOMOYO_CONFIG_PERMISSIVE] = "permissive",
	[TOMOYO_CONFIG_ENFORCING]  = "enforcing"
};

/*
 * String table for /sys/kernel/security/tomoyo/profile
 *
 * The first TOMOYO_MAX_MAC_INDEX slots name individual operations; the
 * slots from TOMOYO_MAX_MAC_INDEX upwards name whole categories.
 */
const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
				       + TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
	/* CONFIG::file group */
	[TOMOYO_MAC_FILE_EXECUTE]    = "execute",
	[TOMOYO_MAC_FILE_OPEN]       = "open",
	[TOMOYO_MAC_FILE_CREATE]     = "create",
	[TOMOYO_MAC_FILE_UNLINK]     = "unlink",
	[TOMOYO_MAC_FILE_GETATTR]    = "getattr",
	[TOMOYO_MAC_FILE_MKDIR]      = "mkdir",
	[TOMOYO_MAC_FILE_RMDIR]      = "rmdir",
	[TOMOYO_MAC_FILE_MKFIFO]     = "mkfifo",
	[TOMOYO_MAC_FILE_MKSOCK]     = "mksock",
	[TOMOYO_MAC_FILE_TRUNCATE]   = "truncate",
	[TOMOYO_MAC_FILE_SYMLINK]    = "symlink",
	[TOMOYO_MAC_FILE_MKBLOCK]    = "mkblock",
	[TOMOYO_MAC_FILE_MKCHAR]     = "mkchar",
	[TOMOYO_MAC_FILE_LINK]       = "link",
	[TOMOYO_MAC_FILE_RENAME]     = "rename",
	[TOMOYO_MAC_FILE_CHMOD]      = "chmod",
	[TOMOYO_MAC_FILE_CHOWN]      = "chown",
	[TOMOYO_MAC_FILE_CHGRP]      = "chgrp",
	[TOMOYO_MAC_FILE_IOCTL]      = "ioctl",
	[TOMOYO_MAC_FILE_CHROOT]     = "chroot",
	[TOMOYO_MAC_FILE_MOUNT]      = "mount",
	[TOMOYO_MAC_FILE_UMOUNT]     = "unmount",
	[TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root",
	/* CONFIG::network group */
	[TOMOYO_MAC_NETWORK_INET_STREAM_BIND]       = "inet_stream_bind",
	[TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN]     = "inet_stream_listen",
	[TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT]    = "inet_stream_connect",
	[TOMOYO_MAC_NETWORK_INET_DGRAM_BIND]        = "inet_dgram_bind",
	[TOMOYO_MAC_NETWORK_INET_DGRAM_SEND]        = "inet_dgram_send",
	[TOMOYO_MAC_NETWORK_INET_RAW_BIND]          = "inet_raw_bind",
	[TOMOYO_MAC_NETWORK_INET_RAW_SEND]          = "inet_raw_send",
	[TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND]       = "unix_stream_bind",
	[TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN]     = "unix_stream_listen",
	[TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT]    = "unix_stream_connect",
	[TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND]        = "unix_dgram_bind",
	[TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND]        = "unix_dgram_send",
	[TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND]    = "unix_seqpacket_bind",
	[TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN]  = "unix_seqpacket_listen",
	[TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] = "unix_seqpacket_connect",
	/* CONFIG::misc group */
	[TOMOYO_MAC_ENVIRON] = "env",
	/* CONFIG group */
	[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE]    = "file",
	[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_NETWORK] = "network",
	[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_MISC]    = "misc",
};

/* String table for conditions.
*/
const char * const tomoyo_condition_keyword[TOMOYO_MAX_CONDITION_KEYWORD] = {
	/* Attributes of the calling task. */
	[TOMOYO_TASK_UID]   = "task.uid",
	[TOMOYO_TASK_EUID]  = "task.euid",
	[TOMOYO_TASK_SUID]  = "task.suid",
	[TOMOYO_TASK_FSUID] = "task.fsuid",
	[TOMOYO_TASK_GID]   = "task.gid",
	[TOMOYO_TASK_EGID]  = "task.egid",
	[TOMOYO_TASK_SGID]  = "task.sgid",
	[TOMOYO_TASK_FSGID] = "task.fsgid",
	[TOMOYO_TASK_PID]   = "task.pid",
	[TOMOYO_TASK_PPID]  = "task.ppid",
	[TOMOYO_EXEC_ARGC]  = "exec.argc",
	[TOMOYO_EXEC_ENVC]  = "exec.envc",
	/* File type names. */
	[TOMOYO_TYPE_IS_SOCKET]    = "socket",
	[TOMOYO_TYPE_IS_SYMLINK]   = "symlink",
	[TOMOYO_TYPE_IS_FILE]      = "file",
	[TOMOYO_TYPE_IS_BLOCK_DEV] = "block",
	[TOMOYO_TYPE_IS_DIRECTORY] = "directory",
	[TOMOYO_TYPE_IS_CHAR_DEV]  = "char",
	[TOMOYO_TYPE_IS_FIFO]      = "fifo",
	/* Permission bit names. */
	[TOMOYO_MODE_SETUID]         = "setuid",
	[TOMOYO_MODE_SETGID]         = "setgid",
	[TOMOYO_MODE_STICKY]         = "sticky",
	[TOMOYO_MODE_OWNER_READ]     = "owner_read",
	[TOMOYO_MODE_OWNER_WRITE]    = "owner_write",
	[TOMOYO_MODE_OWNER_EXECUTE]  = "owner_execute",
	[TOMOYO_MODE_GROUP_READ]     = "group_read",
	[TOMOYO_MODE_GROUP_WRITE]    = "group_write",
	[TOMOYO_MODE_GROUP_EXECUTE]  = "group_execute",
	[TOMOYO_MODE_OTHERS_READ]    = "others_read",
	[TOMOYO_MODE_OTHERS_WRITE]   = "others_write",
	[TOMOYO_MODE_OTHERS_EXECUTE] = "others_execute",
	[TOMOYO_EXEC_REALPATH]       = "exec.realpath",
	[TOMOYO_SYMLINK_TARGET]      = "symlink.target",
	/* Attributes of the first and second pathname. */
	[TOMOYO_PATH1_UID]       = "path1.uid",
	[TOMOYO_PATH1_GID]       = "path1.gid",
	[TOMOYO_PATH1_INO]       = "path1.ino",
	[TOMOYO_PATH1_MAJOR]     = "path1.major",
	[TOMOYO_PATH1_MINOR]     = "path1.minor",
	[TOMOYO_PATH1_PERM]      = "path1.perm",
	[TOMOYO_PATH1_TYPE]      = "path1.type",
	[TOMOYO_PATH1_DEV_MAJOR] = "path1.dev_major",
	[TOMOYO_PATH1_DEV_MINOR] = "path1.dev_minor",
	[TOMOYO_PATH2_UID]       = "path2.uid",
	[TOMOYO_PATH2_GID]       = "path2.gid",
	[TOMOYO_PATH2_INO]       = "path2.ino",
	[TOMOYO_PATH2_MAJOR]     = "path2.major",
	[TOMOYO_PATH2_MINOR]     = "path2.minor",
	[TOMOYO_PATH2_PERM]      = "path2.perm",
	[TOMOYO_PATH2_TYPE]      = "path2.type",
	[TOMOYO_PATH2_DEV_MAJOR] = "path2.dev_major",
	[TOMOYO_PATH2_DEV_MINOR] = "path2.dev_minor",
	/* Attributes of the parent directories. */
	[TOMOYO_PATH1_PARENT_UID]  = "path1.parent.uid",
	[TOMOYO_PATH1_PARENT_GID]  = "path1.parent.gid",
	[TOMOYO_PATH1_PARENT_INO]  = "path1.parent.ino",
	[TOMOYO_PATH1_PARENT_PERM] = "path1.parent.perm",
	[TOMOYO_PATH2_PARENT_UID]  = "path2.parent.uid",
	[TOMOYO_PATH2_PARENT_GID]  = "path2.parent.gid",
	[TOMOYO_PATH2_PARENT_INO]  = "path2.parent.ino",
	[TOMOYO_PATH2_PARENT_PERM] = "path2.parent.perm",
};

/*
 * String table for PREFERENCE keyword.
 * tomoyo_write_profile() searches the written text for each of these
 * names; tomoyo_read_profile() prints them back as "name=value".
 */
static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = {
	[TOMOYO_PREF_MAX_AUDIT_LOG]      = "max_audit_log",
	[TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry",
};

/* String table for path operation. */
const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
	[TOMOYO_TYPE_EXECUTE]  = "execute",
	[TOMOYO_TYPE_READ]     = "read",
	[TOMOYO_TYPE_WRITE]    = "write",
	[TOMOYO_TYPE_APPEND]   = "append",
	[TOMOYO_TYPE_UNLINK]   = "unlink",
	[TOMOYO_TYPE_GETATTR]  = "getattr",
	[TOMOYO_TYPE_RMDIR]    = "rmdir",
	[TOMOYO_TYPE_TRUNCATE] = "truncate",
	[TOMOYO_TYPE_SYMLINK]  = "symlink",
	[TOMOYO_TYPE_CHROOT]   = "chroot",
	[TOMOYO_TYPE_UMOUNT]   = "unmount",
};

/* String table for socket's operation. */
const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION] = {
	[TOMOYO_NETWORK_BIND]    = "bind",
	[TOMOYO_NETWORK_LISTEN]  = "listen",
	[TOMOYO_NETWORK_CONNECT] = "connect",
	[TOMOYO_NETWORK_SEND]    = "send",
};

/* String table for categories.
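*/
static const char * const tomoyo_category_keywords
[TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
	[TOMOYO_MAC_CATEGORY_FILE] = "file",
	[TOMOYO_MAC_CATEGORY_NETWORK] = "network",
	[TOMOYO_MAC_CATEGORY_MISC] = "misc",
};

/*
 * Permit policy management by non-root user?
 *
 * When true, tomoyo_manager() no longer requires uid and euid to be
 * root. Toggled by the "manage_by_non_root" keyword handled in
 * tomoyo_write_manager().
 */
static bool tomoyo_manage_by_non_root;

/* Utility functions. */

/**
 * tomoyo_addprintf - strncat()-like-snprintf().
 *
 * @buffer: Buffer to write to. Must be '\0'-terminated.
 * @len: Size of @buffer.
 * @fmt: The printf()'s format string, followed by parameters.
 *
 * Appends formatted text after the existing string in @buffer. At most
 * @len - strlen(@buffer) - 1 bytes (terminator included) are handed to
 * vsnprintf(), so longer output is truncated.
 *
 * Returns nothing.
 */
__printf(3, 4)
static void tomoyo_addprintf(char *buffer, int len, const char *fmt, ...)
{
	va_list args;
	const int pos = strlen(buffer);
	const int room = len - pos - 1;

	/*
	 * Never pass a zero or negative size on: a negative int would be
	 * converted to a huge size_t by the vsnprintf() prototype.
	 */
	if (room <= 0)
		return;
	va_start(args, fmt);
	vsnprintf(buffer + pos, room, fmt, args);
	va_end(args);
}

/**
 * tomoyo_flush - Flush queued string to userspace's buffer.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Copies the string at the front of the read queue (head->r.w[0]) to
 * head->read_user_buf, never more than head->read_user_buf_avail bytes,
 * and repeats until the queue is empty. A partially copied string stays
 * at the front of the queue with its pointer advanced.
 *
 * Returns true if all data was flushed, false otherwise (user buffer
 * exhausted or copy_to_user() failed).
 */
static bool tomoyo_flush(struct tomoyo_io_buffer *head)
{
	while (head->r.w_pos) {
		const char *w = head->r.w[0];
		size_t len = strlen(w);

		if (len) {
			/* Clamp to the space left in the user buffer. */
			if (len > head->read_user_buf_avail)
				len = head->read_user_buf_avail;
			if (!len)
				return false;
			if (copy_to_user(head->read_user_buf, w, len))
				return false;
			head->read_user_buf_avail -= len;
			head->read_user_buf += len;
			w += len;
		}
		/* Remember how far this string has been delivered. */
		head->r.w[0] = w;
		if (*w)
			return false;
		/* Add '\0' for audit logs and query. */
		if (head->poll) {
			if (!head->read_user_buf_avail ||
			    copy_to_user(head->read_user_buf, "", 1))
				return false;
			head->read_user_buf_avail--;
			head->read_user_buf++;
		}
		/* Drop the finished entry and shift the rest down. */
		head->r.w_pos--;
		for (len = 0; len < head->r.w_pos; len++)
			head->r.w[len] = head->r.w[len + 1];
	}
	/* Queue is empty, so the formatting buffer can be reused. */
	head->r.avail = 0;
	return true;
}

/**
 * tomoyo_set_string - Queue string to "struct tomoyo_io_buffer" structure.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @string: String to print.
 *
 * Only the pointer is queued, no copy is made.
 * Note that @string has to be kept valid until @head is kfree()d.
 * This means that char[] allocated on stack memory cannot be passed to
 * this function. Use tomoyo_io_printf() for char[] allocated on stack memory.
 *
 * If the queue already holds TOMOYO_MAX_IO_READ_QUEUE entries the string
 * is dropped and WARN_ON(1) fires.
 */
static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string)
{
	if (head->r.w_pos < TOMOYO_MAX_IO_READ_QUEUE) {
		head->r.w[head->r.w_pos++] = string;
		tomoyo_flush(head);
	} else
		WARN_ON(1);
}

static void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt,
			     ...) __printf(2, 3);

/**
 * tomoyo_io_printf - printf() to "struct tomoyo_io_buffer" structure.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @fmt: The printf()'s format string, followed by parameters.
 *
 * Formats into head->read_buf at offset head->r.avail and queues the
 * result with tomoyo_set_string(). Output that does not fit in the
 * remaining space is not queued at all: WARN_ON(1) fires and
 * head->r.avail is left unchanged.
 */
static void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt,
			     ...)
{
	va_list args;
	size_t len;
	size_t pos = head->r.avail;
	int size = head->readbuf_size - pos;

	if (size <= 0)
		return;
	va_start(args, fmt);
	/* +1 accounts for the terminating '\0' that is kept in read_buf. */
	len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1;
	va_end(args);
	if (pos + len >= head->readbuf_size) {
		WARN_ON(1);
		return;
	}
	head->r.avail += len;
	tomoyo_set_string(head, head->read_buf + pos);
}

/**
 * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".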
 *
 * Returns nothing.
 */
static void tomoyo_set_space(struct tomoyo_io_buffer *head)
{
	tomoyo_set_string(head, " ");
}

/**
 * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns true if the read queue is empty after queuing the line feed
 * (head->r.w_pos is zero), false otherwise.
 */
static bool tomoyo_set_lf(struct tomoyo_io_buffer *head)
{
	tomoyo_set_string(head, "\n");
	return head->r.w_pos == 0;
}

/**
 * tomoyo_set_slash - Put a slash to "struct tomoyo_io_buffer" structure.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns nothing.
 */
static void tomoyo_set_slash(struct tomoyo_io_buffer *head)
{
	tomoyo_set_string(head, "/");
}

/* List of namespaces. */
LIST_HEAD(tomoyo_namespace_list);
/* True if namespace other than tomoyo_kernel_namespace is defined. */
static bool tomoyo_namespace_enabled;

/**
 * tomoyo_init_policy_namespace - Initialize namespace.
 *
 * @ns: Pointer to "struct tomoyo_policy_namespace".
 *
 * Initializes every list head in @ns, stamps the profile version and
 * appends @ns to tomoyo_namespace_list.
 *
 * Returns nothing.
 */
void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns)
{
	unsigned int i;

	for (i = 0; i < TOMOYO_MAX_ACL_GROUPS; i++)
		INIT_LIST_HEAD(&ns->acl_group[i]);
	for (i = 0; i < TOMOYO_MAX_GROUP; i++)
		INIT_LIST_HEAD(&ns->group_list[i]);
	for (i = 0; i < TOMOYO_MAX_POLICY; i++)
		INIT_LIST_HEAD(&ns->policy_list[i]);
	ns->profile_version = 20150505;
	/*
	 * Evaluated before @ns is linked in: the flag stays false for the
	 * first namespace registered and becomes true for any later one.
	 */
	tomoyo_namespace_enabled = !list_empty(&tomoyo_namespace_list);
	list_add_tail_rcu(&ns->namespace_list, &tomoyo_namespace_list);
}

/**
 * tomoyo_print_namespace - Print namespace header.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns nothing.
 */
static void tomoyo_print_namespace(struct tomoyo_io_buffer *head)
{
	const struct tomoyo_policy_namespace *ns;

	/* Nothing is printed while only one namespace exists. */
	if (!tomoyo_namespace_enabled)
		return;
	ns = container_of(head->r.ns, struct tomoyo_policy_namespace,
			  namespace_list);
	tomoyo_set_string(head, ns->name);
	tomoyo_set_space(head);
}

/**
 * tomoyo_print_name_union - Print a tomoyo_name_union.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @ptr: Pointer to "struct tomoyo_name_union".
 *
 * Prints a leading space, then either "@" followed by the group name or
 * the plain filename.
 */
static void tomoyo_print_name_union(struct tomoyo_io_buffer *head,
				    const struct tomoyo_name_union *ptr)
{
	tomoyo_set_space(head);
	if (!ptr->group) {
		tomoyo_set_string(head, ptr->filename->name);
		return;
	}
	tomoyo_set_string(head, "@");
	tomoyo_set_string(head, ptr->group->group_name->name);
}

/**
 * tomoyo_print_name_union_quoted - Print a tomoyo_name_union with a quote.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @ptr: Pointer to "struct tomoyo_name_union".
 *
 * A group reference is printed as "@" plus the group name without quotes;
 * a filename is wrapped in double quotes. No leading space is printed.
 *
 * Returns nothing.
 */
static void tomoyo_print_name_union_quoted(struct tomoyo_io_buffer *head,
					   const struct tomoyo_name_union *ptr)
{
	if (!ptr->group) {
		tomoyo_set_string(head, "\"");
		tomoyo_set_string(head, ptr->filename->name);
		tomoyo_set_string(head, "\"");
		return;
	}
	tomoyo_set_string(head, "@");
	tomoyo_set_string(head, ptr->group->group_name->name);
}

/**
 * tomoyo_print_number_union_nospace - Print a tomoyo_number_union without a space.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @ptr: Pointer to "struct tomoyo_number_union".
 *
 * Returns nothing.
 */
static void tomoyo_print_number_union_nospace
(struct tomoyo_io_buffer *head, const struct tomoyo_number_union *ptr)
{
	if (ptr->group) {
		tomoyo_set_string(head, "@");
		tomoyo_set_string(head, ptr->group->group_name->name);
	} else {
		int pass;
		unsigned long min = ptr->values[0];
		const unsigned long max = ptr->values[1];
		u8 min_type = ptr->value_type[0];
		const u8 max_type = ptr->value_type[1];
		/* Scratch space for "<min>" or "<min>-<max>". */
		char buffer[128];

		buffer[0] = '\0';
		/*
		 * First pass prints the lower bound. If the upper bound
		 * differs in value or radix, a "-" is appended and the
		 * second pass prints the upper bound.
		 */
		for (pass = 0; pass < 2; pass++) {
			switch (min_type) {
			case TOMOYO_VALUE_TYPE_HEXADECIMAL:
				tomoyo_addprintf(buffer, sizeof(buffer),
						 "0x%lX", min);
				break;
			case TOMOYO_VALUE_TYPE_OCTAL:
				tomoyo_addprintf(buffer, sizeof(buffer),
						 "0%lo", min);
				break;
			default:
				tomoyo_addprintf(buffer, sizeof(buffer), "%lu",
						 min);
				break;
			}
			if (min == max && min_type == max_type)
				break;
			tomoyo_addprintf(buffer, sizeof(buffer), "-");
			min_type = max_type;
			min = max;
		}
		/*
		 * buffer lives on the stack, so it is copied through
		 * tomoyo_io_printf() instead of being queued by pointer.
		 */
		tomoyo_io_printf(head, "%s", buffer);
	}
}

/**
 * tomoyo_print_number_union - Print a tomoyo_number_union.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @ptr: Pointer to "struct tomoyo_number_union".
 *
 * Same as tomoyo_print_number_union_nospace() with a leading space.
 *
 * Returns nothing.
 */
static void tomoyo_print_number_union(struct tomoyo_io_buffer *head,
				      const struct tomoyo_number_union *ptr)
{
	tomoyo_set_space(head);
	tomoyo_print_number_union_nospace(head, ptr);
}

/**
 * tomoyo_assign_profile - Create a new profile.
 *
 * @ns: Pointer to "struct tomoyo_policy_namespace".
 * @profile: Profile number to create.
 *
 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
 */
static struct tomoyo_profile *tomoyo_assign_profile
(struct tomoyo_policy_namespace *ns, const unsigned int profile)
{
	struct tomoyo_profile *ptr;
	struct tomoyo_profile *entry;

	/* Reject indexes outside the profile table. */
	if (profile >= TOMOYO_MAX_PROFILES)
		return NULL;
	ptr = ns->profile_ptr[profile];
	if (ptr)
		return ptr;
	/*
	 * Allocate before taking the lock. The result is not checked here;
	 * NOTE(review): presumably tomoyo_memory_ok() rejects a NULL entry,
	 * confirm in its definition.
	 */
	entry = kzalloc(sizeof(*entry), GFP_NOFS | __GFP_NOWARN);
	if (mutex_lock_interruptible(&tomoyo_policy_lock))
		goto out;
	/* Re-check under the lock: another writer may have created it. */
	ptr = ns->profile_ptr[profile];
	if (!ptr && tomoyo_memory_ok(entry)) {
		ptr = entry;
		/* New profiles start disabled, with both log kinds wanted. */
		ptr->default_config = TOMOYO_CONFIG_DISABLED |
			TOMOYO_CONFIG_WANT_GRANT_LOG |
			TOMOYO_CONFIG_WANT_REJECT_LOG;
		memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT,
		       sizeof(ptr->config));
		ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] =
			CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG;
		ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] =
			CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY;
		mb(); /* Avoid out-of-order execution. */
		/* Publish only after the profile is fully initialized. */
		ns->profile_ptr[profile] = ptr;
		entry = NULL;
	}
	mutex_unlock(&tomoyo_policy_lock);
 out:
	/* Frees the allocation when it was not installed (NULL is fine). */
	kfree(entry);
	return ptr;
}

/**
 * tomoyo_profile - Find a profile.
 *
 * @ns: Pointer to "struct tomoyo_policy_namespace".
 * @profile: Profile number to find.
 *
 * Never returns NULL: when the slot is empty, a function-local static
 * all-zero profile is returned instead.
 *
 * @profile is used as an index without a bounds check.
 * NOTE(review): this relies on ns->profile_ptr[] covering every u8
 * value, confirm against the array size in common.h.
 *
 * Returns pointer to "struct tomoyo_profile".
 */
struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns,
				      const u8 profile)
{
	static struct tomoyo_profile tomoyo_null_profile;
	struct tomoyo_profile *ptr = ns->profile_ptr[profile];

	return ptr ? ptr : &tomoyo_null_profile;
}

/**
 * tomoyo_find_yesno - Find values for specified keyword.
 *
 * @string: String to check.
 * @find: Name of keyword.
 *
 * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise.
 *
 * Only the first occurrence of @find in @string is examined, and the
 * value is matched by prefix ("=yes" / "=no"), so trailing characters
 * after the value are not rejected.
 */
static s8 tomoyo_find_yesno(const char *string, const char *find)
{
	const char *cp = strstr(string, find);

	if (!cp)
		return -1;
	cp += strlen(find);
	if (!strncmp(cp, "=yes", 4))
		return 1;
	if (!strncmp(cp, "=no", 3))
		return 0;
	return -1;
}

/**
 * tomoyo_set_uint - Set value for specified preference.
 *
 * @i: Pointer to "unsigned int".
 * @string: String to check.
 * @find: Name of keyword.
 *
 * *@i is left unchanged when @find is absent or is not followed by
 * "=<number>"; the sscanf() result is not checked and no range limit is
 * applied here.
 *
 * Returns nothing.
 */
static void tomoyo_set_uint(unsigned int *i, const char *string,
			    const char *find)
{
	const char *cp = strstr(string, find);

	if (!cp)
		return;
	sscanf(cp + strlen(find), "=%u", i);
}

/**
 * tomoyo_set_mode - Set mode for specified profile.
 *
 * @name: Name of functionality.
 * @value: Mode for @name.
 * @profile: Pointer to "struct tomoyo_profile".
 *
 * @name is "CONFIG" (the profile default), "CONFIG::<category>" or
 * "CONFIG::<category>::<operation>". @value is searched for keywords
 * with strstr(), so a keyword is recognised anywhere in the text.
 *
 * Returns 0 on success, negative value otherwise.
 */
static int tomoyo_set_mode(char *name, const char *value,
			   struct tomoyo_profile *profile)
{
	u8 i;
	u8 config;

	if (!strcmp(name, "CONFIG")) {
		/* One past the last config[] slot selects default_config. */
		i = TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX;
		config = profile->default_config;
	} else if (tomoyo_str_starts(&name, "CONFIG::")) {
		config = 0;
		for (i = 0; i < TOMOYO_MAX_MAC_INDEX
			     + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) {
			int len = 0;

			if (i < TOMOYO_MAX_MAC_INDEX) {
				/* Per-operation entry: "<category>::<op>". */
				const u8 c = tomoyo_index2category[i];
				const char *category =
					tomoyo_category_keywords[c];

				len = strlen(category);
				if (strncmp(name, category, len) ||
				    name[len++] != ':' || name[len++] != ':')
					continue;
			}
			if (strcmp(name + len, tomoyo_mac_keywords[i]))
				continue;
			config = profile->config[i];
			break;
		}
		if (i == TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX)
			return -EINVAL;
	} else {
		return -EINVAL;
	}
	if (strstr(value, "use_default")) {
		config = TOMOYO_CONFIG_USE_DEFAULT;
	} else {
		u8 mode;

		/*
		 * The loop does not stop at the first hit: when @value
		 * names several modes, the one latest in tomoyo_mode[]
		 * wins. NOTE(review): the bound 4 is expected to equal
		 * TOMOYO_CONFIG_MAX_MODE, confirm in common.h.
		 */
		for (mode = 0; mode < 4; mode++)
			if (strstr(value, tomoyo_mode[mode]))
				/*
				 * Update lower 3 bits in order to distinguish
				 * 'config' from 'TOMOYO_CONFIG_USE_DEFAULT'.
				 */
				config = (config & ~7) | mode;
		if (config != TOMOYO_CONFIG_USE_DEFAULT) {
			switch (tomoyo_find_yesno(value, "grant_log")) {
			case 1:
				config |= TOMOYO_CONFIG_WANT_GRANT_LOG;
				break;
			case 0:
				config &= ~TOMOYO_CONFIG_WANT_GRANT_LOG;
				break;
			}
			switch (tomoyo_find_yesno(value, "reject_log")) {
			case 1:
				config |= TOMOYO_CONFIG_WANT_REJECT_LOG;
				break;
			case 0:
				config &= ~TOMOYO_CONFIG_WANT_REJECT_LOG;
				break;
			}
		}
	}
	if (i < TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX)
		profile->config[i] = config;
	/* The profile default itself can never be set to "use_default". */
	else if (config != TOMOYO_CONFIG_USE_DEFAULT)
		profile->default_config = config;
	return 0;
}

/**
 * tomoyo_write_profile - Write profile table.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Accepted lines are "PROFILE_VERSION=<n>", "<n>-COMMENT=<text>",
 * "<n>-PREFERENCE=<text>" and "<n>-CONFIG...=<text>". The line in
 * head->write_buf is modified in place (the '=' is overwritten).
 */
static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
{
	char *data = head->write_buf;
	unsigned int i;
	char *cp;
	struct tomoyo_profile *profile;

	/* The version number is stored as written, without validation. */
	if (sscanf(data, "PROFILE_VERSION=%u", &head->w.ns->profile_version)
	    == 1)
		return 0;
	/* Every other line starts with "<profile number>-". */
	i = simple_strtoul(data, &cp, 10);
	if (*cp != '-')
		return -EINVAL;
	data = cp + 1;
	/* Creates the profile on first use; NULL for a bad index. */
	profile = tomoyo_assign_profile(head->w.ns, i);
	if (!profile)
		return -EINVAL;
	cp = strchr(data, '=');
	if (!cp)
		return -EINVAL;
	/* Split into keyword (data) and value (cp). */
	*cp++ = '\0';
	if (!strcmp(data, "COMMENT")) {
		/* Serializes swapping of the comment pointer. */
		static DEFINE_SPINLOCK(lock);
		const struct tomoyo_path_info *new_comment
			= tomoyo_get_name(cp);
		const struct tomoyo_path_info *old_comment;

		if (!new_comment)
			return -ENOMEM;
		spin_lock(&lock);
		old_comment = profile->comment;
		profile->comment = new_comment;
		spin_unlock(&lock);
		/* Drop the reference held on the replaced comment. */
		tomoyo_put_name(old_comment);
		return 0;
	}
	if (!strcmp(data, "PREFERENCE")) {
		/* Each preference present in the value is updated. */
		for (i = 0; i < TOMOYO_MAX_PREF; i++)
			tomoyo_set_uint(&profile->pref[i], cp,
					tomoyo_pref_keywords[i]);
		return 0;
	}
	return tomoyo_set_mode(data, cp, profile);
}

/**
 * tomoyo_print_config - Print mode for specified functionality.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @config: Mode for that functionality.
 *
 * Returns nothing.
 *
 * Caller prints functionality's name.
 */
static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config)
{
	/* The low two bits select the entry in tomoyo_mode[]. */
	const char *mode = tomoyo_mode[config & 3];
	const char *grant = str_yes_no(config & TOMOYO_CONFIG_WANT_GRANT_LOG);
	const char *reject = str_yes_no(config & TOMOYO_CONFIG_WANT_REJECT_LOG);

	tomoyo_io_printf(head, "={ mode=%s grant_log=%s reject_log=%s }\n",
			 mode, grant, reject);
}

/**
 * tomoyo_read_profile - Read profile table.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns nothing.
 *
 * Resumable state machine driven by head->r.step, head->r.index and
 * head->r.bit. After each step the output is flushed; the function
 * returns as soon as the user buffer cannot take more, and a later call
 * continues from the saved state.
 */
static void tomoyo_read_profile(struct tomoyo_io_buffer *head)
{
	u8 index;
	struct tomoyo_policy_namespace *ns =
		container_of(head->r.ns, typeof(*ns), namespace_list);
	const struct tomoyo_profile *profile;

	if (head->r.eof)
		return;
 next:
	index = head->r.index;
	profile = ns->profile_ptr[index];
	switch (head->r.step) {
	case 0:
		/* Header line. */
		tomoyo_print_namespace(head);
		tomoyo_io_printf(head, "PROFILE_VERSION=%u\n",
				 ns->profile_version);
		head->r.step++;
		break;
	case 1:
		/* Advance to the next profile slot that is in use. */
		for ( ; head->r.index < TOMOYO_MAX_PROFILES;
		      head->r.index++)
			if (ns->profile_ptr[head->r.index])
				break;
		if (head->r.index == TOMOYO_MAX_PROFILES) {
			head->r.eof = true;
			return;
		}
		head->r.step++;
		break;
	case 2:
		/* COMMENT and PREFERENCE lines. */
		{
			u8 i;
			const struct tomoyo_path_info *comment =
				profile->comment;

			tomoyo_print_namespace(head);
			tomoyo_io_printf(head, "%u-COMMENT=", index);
			tomoyo_set_string(head, comment ? comment->name : "");
			tomoyo_set_lf(head);
			tomoyo_print_namespace(head);
			tomoyo_io_printf(head, "%u-PREFERENCE={ ", index);
			for (i = 0; i < TOMOYO_MAX_PREF; i++)
				tomoyo_io_printf(head, "%s=%u ",
						 tomoyo_pref_keywords[i],
						 profile->pref[i]);
			tomoyo_set_string(head, "}\n");
			head->r.step++;
		}
		break;
	case 3:
		/* The profile's default CONFIG line. */
		{
			tomoyo_print_namespace(head);
			tomoyo_io_printf(head, "%u-%s", index, "CONFIG");
			tomoyo_print_config(head, profile->default_config);
			head->r.bit = 0;
			head->r.step++;
		}
		break;
	case 4:
		/* One non-default CONFIG:: entry per pass. */
		for ( ; head->r.bit < TOMOYO_MAX_MAC_INDEX
			      + TOMOYO_MAX_MAC_CATEGORY_INDEX; head->r.bit++) {
			const u8 i = head->r.bit;
			const u8 config = profile->config[i];

			if (config == TOMOYO_CONFIG_USE_DEFAULT)
				continue;
			tomoyo_print_namespace(head);
			if (i < TOMOYO_MAX_MAC_INDEX)
				tomoyo_io_printf(head, "%u-CONFIG::%s::%s",
						 index,
						 tomoyo_category_keywords
						 [tomoyo_index2category[i]],
						 tomoyo_mac_keywords[i]);
			else
				tomoyo_io_printf(head, "%u-CONFIG::%s", index,
						 tomoyo_mac_keywords[i]);
			tomoyo_print_config(head, config);
			head->r.bit++;
			break;
		}
		/* All entries done: move on to the next profile. */
		if (head->r.bit == TOMOYO_MAX_MAC_INDEX
		    + TOMOYO_MAX_MAC_CATEGORY_INDEX) {
			head->r.index++;
			head->r.step = 1;
		}
		break;
	}
	if (tomoyo_flush(head))
		goto next;
}

/**
 * tomoyo_same_manager - Check for duplicated "struct tomoyo_manager" entry.
 *
 * @a: Pointer to "struct tomoyo_acl_head".
 * @b: Pointer to "struct tomoyo_acl_head".
 *
 * The manager fields are compared as pointers, not as strings.
 *
 * Returns true if @a == @b, false otherwise.
 */
static bool tomoyo_same_manager(const struct tomoyo_acl_head *a,
				const struct tomoyo_acl_head *b)
{
	const struct tomoyo_manager *p1 =
		container_of(a, struct tomoyo_manager, head);
	const struct tomoyo_manager *p2 =
		container_of(b, struct tomoyo_manager, head);

	return p1->manager == p2->manager;
}

/**
 * tomoyo_update_manager_entry - Add a manager entry.
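 *
 * @manager: The path to manager or the domainname.
 * @is_delete: True if it is a delete request.
 *
 * @manager must pass tomoyo_correct_domain() or tomoyo_correct_word().
 * Entries always go to the manager list of tomoyo_kernel_namespace.
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Caller holds tomoyo_read_lock().
 */
static int tomoyo_update_manager_entry(const char *manager,
				       const bool is_delete)
{
	struct tomoyo_manager e = { };
	struct tomoyo_acl_param param = {
		/* .ns = &tomoyo_kernel_namespace, */
		.is_delete = is_delete,
		.list = &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER],
	};
	/* Result reported when tomoyo_get_name() fails. */
	int error = is_delete ? -ENOENT : -ENOMEM;

	if (!tomoyo_correct_domain(manager) &&
	    !tomoyo_correct_word(manager))
		return -EINVAL;
	e.manager = tomoyo_get_name(manager);
	if (e.manager) {
		error = tomoyo_update_policy(&e.head, sizeof(e), &param,
					     tomoyo_same_manager);
		/* Drop the reference taken by tomoyo_get_name() above. */
		tomoyo_put_name(e.manager);
	}
	return error;
}

/**
 * tomoyo_write_manager - Write manager policy.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * The literal line "manage_by_non_root" sets tomoyo_manage_by_non_root
 * (a delete request clears it), which removes the root uid/euid
 * requirement in tomoyo_manager(). Any other line is added to or removed
 * from the manager list.
 *
 * No authorization check is made here.
 * NOTE(review): presumably the caller has already verified
 * tomoyo_manager(), confirm at the call site.
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Caller holds tomoyo_read_lock().
 */
static int tomoyo_write_manager(struct tomoyo_io_buffer *head)
{
	char *data = head->write_buf;

	if (!strcmp(data, "manage_by_non_root")) {
		tomoyo_manage_by_non_root = !head->w.is_delete;
		return 0;
	}
	return tomoyo_update_manager_entry(data, head->w.is_delete);
}

/**
 * tomoyo_read_manager - Read manager policy.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Caller holds tomoyo_read_lock().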
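 *
 * Prints one manager entry per line, skipping deleted entries. The list
 * position is kept in head->r.acl so that a later call resumes where the
 * user buffer ran out.
 */
static void tomoyo_read_manager(struct tomoyo_io_buffer *head)
{
	if (head->r.eof)
		return;
	list_for_each_cookie(head->r.acl, &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER]) {
		struct tomoyo_manager *ptr =
			list_entry(head->r.acl, typeof(*ptr), head.list);

		if (ptr->head.is_deleted)
			continue;
		/* Stop while earlier output is still pending. */
		if (!tomoyo_flush(head))
			return;
		tomoyo_set_string(head, ptr->manager->name);
		tomoyo_set_lf(head);
	}
	head->r.eof = true;
}

/**
 * tomoyo_manager - Check whether the current process is a policy manager.
 *
 * Returns true if the current process is permitted to modify policy
 * via /sys/kernel/security/tomoyo/ interface.
 *
 * Decision order, as implemented below:
 *  - while tomoyo_policy_loaded is false, every caller is accepted;
 *  - unless tomoyo_manage_by_non_root is set, both uid and euid of the
 *    caller must be GLOBAL_ROOT_UID;
 *  - the caller must have a resolvable executable path;
 *  - the caller's domain name or executable path must match a
 *    non-deleted manager entry. When
 *    CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is enabled, "found"
 *    starts out true, so a caller that passes the checks above is
 *    accepted without any matching manager entry.
 *
 * Caller holds tomoyo_read_lock().
 */
static bool tomoyo_manager(void)
{
	struct tomoyo_manager *ptr;
	const char *exe;
	const struct task_struct *task = current;
	const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
	bool found = IS_ENABLED(CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING);

	if (!tomoyo_policy_loaded)
		return true;
	if (!tomoyo_manage_by_non_root &&
	    (!uid_eq(task->cred->uid, GLOBAL_ROOT_UID) ||
	     !uid_eq(task->cred->euid, GLOBAL_ROOT_UID)))
		return false;
	exe = tomoyo_get_exe();
	if (!exe)
		return false;
	list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER], head.list,
				srcu_read_lock_held(&tomoyo_ss)) {
		/* An entry matches by domain name or by program path. */
		if (!ptr->head.is_deleted &&
		    (!tomoyo_pathcmp(domainname, ptr->manager) ||
		     !strcmp(exe, ptr->manager->name))) {
			found = true;
			break;
		}
	}
	if (!found) { /* Reduce error messages. */
		/*
		 * Remembers only the last rejected pid and is updated
		 * without locking; it merely limits repeated warnings.
		 */
		static pid_t last_pid;
		const pid_t pid = current->pid;

		if (last_pid != pid) {
			pr_warn("%s ( %s ) is not permitted to update policies.\n",
				domainname->name, exe);
			last_pid = pid;
		}
	}
	/* exe is freed by this function on every path that obtained it. */
	kfree(exe);
	return found;
}

static struct tomoyo_domain_info *tomoyo_find_domain_by_qid
(unsigned int serial);

/**
 * tomoyo_select_domain - Parse select command.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @data: String to parse.
 *
 * Accepts "select pid=<n>", "select global-pid=<n>",
 * "select domain=<name>" and "select Q=<n>". The selected domain (which
 * may be NULL when nothing matched) is stored in head->w.domain, and the
 * read state is reset unless the file was opened write-only.
 *
 * Returns true on success, false otherwise.
 *
 * Caller holds tomoyo_read_lock().
 */
static bool tomoyo_select_domain(struct tomoyo_io_buffer *head,
				 const char *data)
{
	unsigned int pid;
	struct tomoyo_domain_info *domain = NULL;
	bool global_pid = false;

	if (strncmp(data, "select ", 7))
		return false;
	data += 7;
	/*
	 * The comma expression sets global_pid only after "pid=" failed
	 * to match, so the flag is meaningful inside this branch only.
	 */
	if (sscanf(data, "pid=%u", &pid) == 1 ||
	    (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
		struct task_struct *p;

		/* The task lookup and dereference happen under RCU. */
		rcu_read_lock();
		if (global_pid)
			p = find_task_by_pid_ns(pid, &init_pid_ns);
		else
			p = find_task_by_vpid(pid);
		if (p) {
			domain = tomoyo_task(p)->domain_info;
#ifdef CONFIG_SECURITY_TOMOYO_LKM
			if (!domain)
				domain = &tomoyo_kernel_domain;
#endif
		}
		rcu_read_unlock();
	} else if (!strncmp(data, "domain=", 7)) {
		if (tomoyo_domain_def(data + 7))
			domain = tomoyo_find_domain(data + 7);
	} else if (sscanf(data, "Q=%u", &pid) == 1) {
		domain = tomoyo_find_domain_by_qid(pid);
	} else
		return false;
	head->w.domain = domain;
	/* Accessing read_buf is safe because head->io_sem is held. */
	if (!head->read_buf)
		return true; /* Do nothing if open(O_WRONLY). */
	memset(&head->r, 0, sizeof(head->r));
	head->r.print_this_domain_only = true;
	if (domain)
		head->r.domain = &domain->list;
	else
		head->r.eof = true;
	/* The selector text written by the caller is echoed back as-is. */
	tomoyo_io_printf(head, "# select %s\n", data);
	if (domain && domain->is_deleted)
		tomoyo_io_printf(head, "# This is a deleted domain.\n");
	return true;
}

/**
 * tomoyo_same_task_acl - Check for duplicated "struct tomoyo_task_acl" entry.
 *
 * @a: Pointer to "struct tomoyo_acl_info".
 * @b: Pointer to "struct tomoyo_acl_info".
 *
 * The domainname fields are compared as pointers.
 *
 * Returns true if @a == @b, false otherwise.
 */
static bool tomoyo_same_task_acl(const struct tomoyo_acl_info *a,
				 const struct tomoyo_acl_info *b)
{
	const struct tomoyo_task_acl *p1 = container_of(a, typeof(*p1), head);
	const struct tomoyo_task_acl *p2 = container_of(b, typeof(*p2), head);

	return p1->domainname == p2->domainname;
}

/**
 * tomoyo_write_task - Update task related list.
 *
 * @param: Pointer to "struct tomoyo_acl_param".
 *
 * Only the "manual_domain_transition " keyword is handled; anything else
 * yields -EINVAL.
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Caller holds tomoyo_read_lock().
 */
static int tomoyo_write_task(struct tomoyo_acl_param *param)
{
	int error = -EINVAL;

	if (tomoyo_str_starts(&param->data, "manual_domain_transition ")) {
		struct tomoyo_task_acl e = {
			.head.type = TOMOYO_TYPE_MANUAL_TASK_ACL,
			.domainname = tomoyo_get_domainname(param),
		};

		if (e.domainname)
			error = tomoyo_update_domain(&e.head, sizeof(e), param,
						     tomoyo_same_task_acl,
						     NULL);
		/* Called even when e.domainname is NULL. */
		tomoyo_put_name(e.domainname);
	}
	return error;
}

/**
 * tomoyo_delete_domain - Delete a domain.
 *
 * @domainname: The name of domain.
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Caller holds tomoyo_read_lock().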
 */
static int tomoyo_delete_domain(char *domainname)
{
	struct tomoyo_domain_info *entry;
	struct tomoyo_path_info target;

	target.name = domainname;
	tomoyo_fill_path_info(&target);
	if (mutex_lock_interruptible(&tomoyo_policy_lock))
		return -EINTR;
	/*
	 * Mark the first live domain with a matching name as deleted.
	 * tomoyo_kernel_domain is never marked. The entry is only flagged
	 * here, not unlinked or freed, and 0 is returned whether or not a
	 * match was found.
	 */
	list_for_each_entry_rcu(entry, &tomoyo_domain_list, list,
				srcu_read_lock_held(&tomoyo_ss)) {
		if (entry != &tomoyo_kernel_domain && !entry->is_deleted &&
		    !tomoyo_pathcmp(entry->domainname, &target)) {
			entry->is_deleted = true;
			break;
		}
	}
	mutex_unlock(&tomoyo_policy_lock);
	return 0;
}

/**
 * tomoyo_write_domain2 - Write domain policy.
 *
 * @ns:        Pointer to "struct tomoyo_policy_namespace".
 * @list:      Pointer to "struct list_head".
 * @data:      Policy to be interpreted.
 * @is_delete: True if it is a delete request.
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Caller holds tomoyo_read_lock().
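 *
 * The leading keyword of @data selects the handler; the handler receives
 * the remainder of the line. An unknown keyword is rejected with -EINVAL.
 */
static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns,
				struct list_head *list, char *data,
				const bool is_delete)
{
	struct tomoyo_acl_param param = {
		.ns = ns,
		.list = list,
		.data = data,
		.is_delete = is_delete,
	};
	/* Keyword prefix -> handler for the rest of the line. */
	static const struct {
		const char *keyword;
		int (*write)(struct tomoyo_acl_param *param);
	} tomoyo_callback[5] = {
		{ "file ", tomoyo_write_file },
		{ "network inet ", tomoyo_write_inet_network },
		{ "network unix ", tomoyo_write_unix_network },
		{ "misc ", tomoyo_write_misc },
		{ "task ", tomoyo_write_task },
	};
	u8 i;

	for (i = 0; i < ARRAY_SIZE(tomoyo_callback); i++) {
		/* First matching prefix wins. */
		if (tomoyo_str_starts(&param.data,
				      tomoyo_callback[i].keyword))
			return tomoyo_callback[i].write(&param);
	}
	return -EINVAL;
}

/*
 * String table for domain flags. Each entry ends with "\n" because the
 * strings are emitted verbatim when a domain is printed.
 */
const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS] = {
	[TOMOYO_DIF_QUOTA_WARNED]      = "quota_exceeded\n",
	[TOMOYO_DIF_TRANSITION_FAILED] = "transition_failed\n",
};

/**
 * tomoyo_write_domain - Write domain policy.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Caller holds tomoyo_read_lock().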
 *
 * A line starting with '<' names a domain: it is deleted, selected or
 * created/looked up, and becomes the current domain of @head. Any other
 * line is applied to the current domain.
 */
static int tomoyo_write_domain(struct tomoyo_io_buffer *head)
{
	char *line = head->write_buf;
	struct tomoyo_policy_namespace *ns;
	struct tomoyo_domain_info *domain = head->w.domain;
	const bool is_delete = head->w.is_delete;
	/* "select " is only recognised (and stripped) for non-delete requests. */
	bool is_select = !is_delete && tomoyo_str_starts(&line, "select ");
	unsigned int idx;

	if (*line == '<') {
		int ret = 0;

		domain = NULL;
		if (is_delete)
			ret = tomoyo_delete_domain(line);
		else if (is_select)
			domain = tomoyo_find_domain(line);
		else
			domain = tomoyo_assign_domain(line, false);
		/* After a delete request the current domain is cleared. */
		head->w.domain = domain;
		return ret;
	}
	/* Everything below needs a previously chosen domain. */
	if (!domain)
		return -EINVAL;
	ns = domain->ns;
	if (sscanf(line, "use_profile %u", &idx) == 1 &&
	    idx < TOMOYO_MAX_PROFILES) {
		/*
		 * Once the policy is loaded only a profile that exists in
		 * this namespace may be assigned. A delete request is
		 * accepted but changes nothing.
		 */
		if (!is_delete &&
		    (!tomoyo_policy_loaded || ns->profile_ptr[idx]))
			domain->profile = (u8) idx;
		return 0;
	}
	if (sscanf(line, "use_group %u\n", &idx) == 1 &&
	    idx < TOMOYO_MAX_ACL_GROUPS) {
		/* idx is range-checked above before it indexes the bitmap. */
		if (is_delete)
			clear_bit(idx, domain->group);
		else
			set_bit(idx, domain->group);
		return 0;
	}
	for (idx = 0; idx < TOMOYO_MAX_DOMAIN_INFO_FLAGS; idx++) {
		const char *keyword = tomoyo_dif[idx];

		/*
		 * Compare without the last character of the table entry,
		 * i.e. as a prefix match on the keyword.
		 */
		if (!strncmp(line, keyword, strlen(keyword) - 1)) {
			domain->flags[idx] = !is_delete;
			return 0;
		}
	}
	return tomoyo_write_domain2(ns, &domain->acl_info_list, line,
				    is_delete);
}

/**
 * tomoyo_print_condition - Print condition part.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @cond: Pointer to "struct tomoyo_condition".
 *
 * Returns true on success, false otherwise.
1228 */ 1229 static bool tomoyo_print_condition(struct tomoyo_io_buffer *head, 1230 const struct tomoyo_condition *cond) 1231 { 1232 switch (head->r.cond_step) { 1233 case 0: 1234 head->r.cond_index = 0; 1235 head->r.cond_step++; 1236 if (cond->transit) { 1237 tomoyo_set_space(head); 1238 tomoyo_set_string(head, cond->transit->name); 1239 } 1240 fallthrough; 1241 case 1: 1242 { 1243 const u16 condc = cond->condc; 1244 const struct tomoyo_condition_element *condp = 1245 (typeof(condp)) (cond + 1); 1246 const struct tomoyo_number_union *numbers_p = 1247 (typeof(numbers_p)) (condp + condc); 1248 const struct tomoyo_name_union *names_p = 1249 (typeof(names_p)) 1250 (numbers_p + cond->numbers_count); 1251 const struct tomoyo_argv *argv = 1252 (typeof(argv)) (names_p + cond->names_count); 1253 const struct tomoyo_envp *envp = 1254 (typeof(envp)) (argv + cond->argc); 1255 u16 skip; 1256 1257 for (skip = 0; skip < head->r.cond_index; skip++) { 1258 const u8 left = condp->left; 1259 const u8 right = condp->right; 1260 1261 condp++; 1262 switch (left) { 1263 case TOMOYO_ARGV_ENTRY: 1264 argv++; 1265 continue; 1266 case TOMOYO_ENVP_ENTRY: 1267 envp++; 1268 continue; 1269 case TOMOYO_NUMBER_UNION: 1270 numbers_p++; 1271 break; 1272 } 1273 switch (right) { 1274 case TOMOYO_NAME_UNION: 1275 names_p++; 1276 break; 1277 case TOMOYO_NUMBER_UNION: 1278 numbers_p++; 1279 break; 1280 } 1281 } 1282 while (head->r.cond_index < condc) { 1283 const u8 match = condp->equals; 1284 const u8 left = condp->left; 1285 const u8 right = condp->right; 1286 1287 if (!tomoyo_flush(head)) 1288 return false; 1289 condp++; 1290 head->r.cond_index++; 1291 tomoyo_set_space(head); 1292 switch (left) { 1293 case TOMOYO_ARGV_ENTRY: 1294 tomoyo_io_printf(head, 1295 "exec.argv[%lu]%s=\"", 1296 argv->index, argv->is_not ? "!" 
: ""); 1297 tomoyo_set_string(head, 1298 argv->value->name); 1299 tomoyo_set_string(head, "\""); 1300 argv++; 1301 continue; 1302 case TOMOYO_ENVP_ENTRY: 1303 tomoyo_set_string(head, 1304 "exec.envp[\""); 1305 tomoyo_set_string(head, 1306 envp->name->name); 1307 tomoyo_io_printf(head, "\"]%s=", envp->is_not ? "!" : ""); 1308 if (envp->value) { 1309 tomoyo_set_string(head, "\""); 1310 tomoyo_set_string(head, envp->value->name); 1311 tomoyo_set_string(head, "\""); 1312 } else { 1313 tomoyo_set_string(head, 1314 "NULL"); 1315 } 1316 envp++; 1317 continue; 1318 case TOMOYO_NUMBER_UNION: 1319 tomoyo_print_number_union_nospace 1320 (head, numbers_p++); 1321 break; 1322 default: 1323 tomoyo_set_string(head, 1324 tomoyo_condition_keyword[left]); 1325 break; 1326 } 1327 tomoyo_set_string(head, match ? "=" : "!="); 1328 switch (right) { 1329 case TOMOYO_NAME_UNION: 1330 tomoyo_print_name_union_quoted 1331 (head, names_p++); 1332 break; 1333 case TOMOYO_NUMBER_UNION: 1334 tomoyo_print_number_union_nospace 1335 (head, numbers_p++); 1336 break; 1337 default: 1338 tomoyo_set_string(head, 1339 tomoyo_condition_keyword[right]); 1340 break; 1341 } 1342 } 1343 } 1344 head->r.cond_step++; 1345 fallthrough; 1346 case 2: 1347 if (!tomoyo_flush(head)) 1348 break; 1349 head->r.cond_step++; 1350 fallthrough; 1351 case 3: 1352 if (cond->grant_log != TOMOYO_GRANTLOG_AUTO) 1353 tomoyo_io_printf(head, " grant_log=%s", 1354 str_yes_no(cond->grant_log == 1355 TOMOYO_GRANTLOG_YES)); 1356 tomoyo_set_lf(head); 1357 return true; 1358 } 1359 return false; 1360 } 1361 1362 /** 1363 * tomoyo_set_group - Print "acl_group " header keyword and category name. 1364 * 1365 * @head: Pointer to "struct tomoyo_io_buffer". 1366 * @category: Category name. 1367 * 1368 * Returns nothing. 
1369 */ 1370 static void tomoyo_set_group(struct tomoyo_io_buffer *head, 1371 const char *category) 1372 { 1373 if (head->type == TOMOYO_EXCEPTIONPOLICY) { 1374 tomoyo_print_namespace(head); 1375 tomoyo_io_printf(head, "acl_group %u ", 1376 head->r.acl_group_index); 1377 } 1378 tomoyo_set_string(head, category); 1379 } 1380 1381 /** 1382 * tomoyo_print_entry - Print an ACL entry. 1383 * 1384 * @head: Pointer to "struct tomoyo_io_buffer". 1385 * @acl: Pointer to an ACL entry. 1386 * 1387 * Returns true on success, false otherwise. 1388 */ 1389 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 1390 struct tomoyo_acl_info *acl) 1391 { 1392 const u8 acl_type = acl->type; 1393 bool first = true; 1394 u8 bit; 1395 1396 if (head->r.print_cond_part) 1397 goto print_cond_part; 1398 if (acl->is_deleted) 1399 return true; 1400 if (!tomoyo_flush(head)) 1401 return false; 1402 else if (acl_type == TOMOYO_TYPE_PATH_ACL) { 1403 struct tomoyo_path_acl *ptr = 1404 container_of(acl, typeof(*ptr), head); 1405 const u16 perm = ptr->perm; 1406 1407 for (bit = 0; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 1408 if (!(perm & (1 << bit))) 1409 continue; 1410 if (head->r.print_transition_related_only && 1411 bit != TOMOYO_TYPE_EXECUTE) 1412 continue; 1413 if (first) { 1414 tomoyo_set_group(head, "file "); 1415 first = false; 1416 } else { 1417 tomoyo_set_slash(head); 1418 } 1419 tomoyo_set_string(head, tomoyo_path_keyword[bit]); 1420 } 1421 if (first) 1422 return true; 1423 tomoyo_print_name_union(head, &ptr->name); 1424 } else if (acl_type == TOMOYO_TYPE_MANUAL_TASK_ACL) { 1425 struct tomoyo_task_acl *ptr = 1426 container_of(acl, typeof(*ptr), head); 1427 1428 tomoyo_set_group(head, "task "); 1429 tomoyo_set_string(head, "manual_domain_transition "); 1430 tomoyo_set_string(head, ptr->domainname->name); 1431 } else if (head->r.print_transition_related_only) { 1432 return true; 1433 } else if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 1434 struct tomoyo_path2_acl *ptr = 1435 
container_of(acl, typeof(*ptr), head); 1436 const u8 perm = ptr->perm; 1437 1438 for (bit = 0; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { 1439 if (!(perm & (1 << bit))) 1440 continue; 1441 if (first) { 1442 tomoyo_set_group(head, "file "); 1443 first = false; 1444 } else { 1445 tomoyo_set_slash(head); 1446 } 1447 tomoyo_set_string(head, tomoyo_mac_keywords 1448 [tomoyo_pp2mac[bit]]); 1449 } 1450 if (first) 1451 return true; 1452 tomoyo_print_name_union(head, &ptr->name1); 1453 tomoyo_print_name_union(head, &ptr->name2); 1454 } else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { 1455 struct tomoyo_path_number_acl *ptr = 1456 container_of(acl, typeof(*ptr), head); 1457 const u8 perm = ptr->perm; 1458 1459 for (bit = 0; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; bit++) { 1460 if (!(perm & (1 << bit))) 1461 continue; 1462 if (first) { 1463 tomoyo_set_group(head, "file "); 1464 first = false; 1465 } else { 1466 tomoyo_set_slash(head); 1467 } 1468 tomoyo_set_string(head, tomoyo_mac_keywords 1469 [tomoyo_pn2mac[bit]]); 1470 } 1471 if (first) 1472 return true; 1473 tomoyo_print_name_union(head, &ptr->name); 1474 tomoyo_print_number_union(head, &ptr->number); 1475 } else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) { 1476 struct tomoyo_mkdev_acl *ptr = 1477 container_of(acl, typeof(*ptr), head); 1478 const u8 perm = ptr->perm; 1479 1480 for (bit = 0; bit < TOMOYO_MAX_MKDEV_OPERATION; bit++) { 1481 if (!(perm & (1 << bit))) 1482 continue; 1483 if (first) { 1484 tomoyo_set_group(head, "file "); 1485 first = false; 1486 } else { 1487 tomoyo_set_slash(head); 1488 } 1489 tomoyo_set_string(head, tomoyo_mac_keywords 1490 [tomoyo_pnnn2mac[bit]]); 1491 } 1492 if (first) 1493 return true; 1494 tomoyo_print_name_union(head, &ptr->name); 1495 tomoyo_print_number_union(head, &ptr->mode); 1496 tomoyo_print_number_union(head, &ptr->major); 1497 tomoyo_print_number_union(head, &ptr->minor); 1498 } else if (acl_type == TOMOYO_TYPE_INET_ACL) { 1499 struct tomoyo_inet_acl *ptr = 1500 container_of(acl, 
typeof(*ptr), head); 1501 const u8 perm = ptr->perm; 1502 1503 for (bit = 0; bit < TOMOYO_MAX_NETWORK_OPERATION; bit++) { 1504 if (!(perm & (1 << bit))) 1505 continue; 1506 if (first) { 1507 tomoyo_set_group(head, "network inet "); 1508 tomoyo_set_string(head, tomoyo_proto_keyword 1509 [ptr->protocol]); 1510 tomoyo_set_space(head); 1511 first = false; 1512 } else { 1513 tomoyo_set_slash(head); 1514 } 1515 tomoyo_set_string(head, tomoyo_socket_keyword[bit]); 1516 } 1517 if (first) 1518 return true; 1519 tomoyo_set_space(head); 1520 if (ptr->address.group) { 1521 tomoyo_set_string(head, "@"); 1522 tomoyo_set_string(head, ptr->address.group->group_name 1523 ->name); 1524 } else { 1525 char buf[128]; 1526 1527 tomoyo_print_ip(buf, sizeof(buf), &ptr->address); 1528 tomoyo_io_printf(head, "%s", buf); 1529 } 1530 tomoyo_print_number_union(head, &ptr->port); 1531 } else if (acl_type == TOMOYO_TYPE_UNIX_ACL) { 1532 struct tomoyo_unix_acl *ptr = 1533 container_of(acl, typeof(*ptr), head); 1534 const u8 perm = ptr->perm; 1535 1536 for (bit = 0; bit < TOMOYO_MAX_NETWORK_OPERATION; bit++) { 1537 if (!(perm & (1 << bit))) 1538 continue; 1539 if (first) { 1540 tomoyo_set_group(head, "network unix "); 1541 tomoyo_set_string(head, tomoyo_proto_keyword 1542 [ptr->protocol]); 1543 tomoyo_set_space(head); 1544 first = false; 1545 } else { 1546 tomoyo_set_slash(head); 1547 } 1548 tomoyo_set_string(head, tomoyo_socket_keyword[bit]); 1549 } 1550 if (first) 1551 return true; 1552 tomoyo_print_name_union(head, &ptr->name); 1553 } else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { 1554 struct tomoyo_mount_acl *ptr = 1555 container_of(acl, typeof(*ptr), head); 1556 1557 tomoyo_set_group(head, "file mount"); 1558 tomoyo_print_name_union(head, &ptr->dev_name); 1559 tomoyo_print_name_union(head, &ptr->dir_name); 1560 tomoyo_print_name_union(head, &ptr->fs_type); 1561 tomoyo_print_number_union(head, &ptr->flags); 1562 } else if (acl_type == TOMOYO_TYPE_ENV_ACL) { 1563 struct tomoyo_env_acl *ptr = 
1564 container_of(acl, typeof(*ptr), head); 1565 1566 tomoyo_set_group(head, "misc env "); 1567 tomoyo_set_string(head, ptr->env->name); 1568 } 1569 if (acl->cond) { 1570 head->r.print_cond_part = true; 1571 head->r.cond_step = 0; 1572 if (!tomoyo_flush(head)) 1573 return false; 1574 print_cond_part: 1575 if (!tomoyo_print_condition(head, acl->cond)) 1576 return false; 1577 head->r.print_cond_part = false; 1578 } else { 1579 tomoyo_set_lf(head); 1580 } 1581 return true; 1582 } 1583 1584 /** 1585 * tomoyo_read_domain2 - Read domain policy. 1586 * 1587 * @head: Pointer to "struct tomoyo_io_buffer". 1588 * @list: Pointer to "struct list_head". 1589 * 1590 * Caller holds tomoyo_read_lock(). 1591 * 1592 * Returns true on success, false otherwise. 1593 */ 1594 static bool tomoyo_read_domain2(struct tomoyo_io_buffer *head, 1595 struct list_head *list) 1596 { 1597 list_for_each_cookie(head->r.acl, list) { 1598 struct tomoyo_acl_info *ptr = 1599 list_entry(head->r.acl, typeof(*ptr), list); 1600 1601 if (!tomoyo_print_entry(head, ptr)) 1602 return false; 1603 } 1604 head->r.acl = NULL; 1605 return true; 1606 } 1607 1608 /** 1609 * tomoyo_read_domain - Read domain policy. 1610 * 1611 * @head: Pointer to "struct tomoyo_io_buffer". 1612 * 1613 * Caller holds tomoyo_read_lock(). 1614 */ 1615 static void tomoyo_read_domain(struct tomoyo_io_buffer *head) 1616 { 1617 if (head->r.eof) 1618 return; 1619 list_for_each_cookie(head->r.domain, &tomoyo_domain_list) { 1620 struct tomoyo_domain_info *domain = 1621 list_entry(head->r.domain, typeof(*domain), list); 1622 u8 i; 1623 1624 switch (head->r.step) { 1625 case 0: 1626 if (domain->is_deleted && 1627 !head->r.print_this_domain_only) 1628 continue; 1629 /* Print domainname and flags. 
*/ 1630 tomoyo_set_string(head, domain->domainname->name); 1631 tomoyo_set_lf(head); 1632 tomoyo_io_printf(head, "use_profile %u\n", 1633 domain->profile); 1634 for (i = 0; i < TOMOYO_MAX_DOMAIN_INFO_FLAGS; i++) 1635 if (domain->flags[i]) 1636 tomoyo_set_string(head, tomoyo_dif[i]); 1637 head->r.index = 0; 1638 head->r.step++; 1639 fallthrough; 1640 case 1: 1641 while (head->r.index < TOMOYO_MAX_ACL_GROUPS) { 1642 i = head->r.index++; 1643 if (!test_bit(i, domain->group)) 1644 continue; 1645 tomoyo_io_printf(head, "use_group %u\n", i); 1646 if (!tomoyo_flush(head)) 1647 return; 1648 } 1649 head->r.index = 0; 1650 head->r.step++; 1651 tomoyo_set_lf(head); 1652 fallthrough; 1653 case 2: 1654 if (!tomoyo_read_domain2(head, &domain->acl_info_list)) 1655 return; 1656 head->r.step++; 1657 if (!tomoyo_set_lf(head)) 1658 return; 1659 fallthrough; 1660 case 3: 1661 head->r.step = 0; 1662 if (head->r.print_this_domain_only) 1663 goto done; 1664 } 1665 } 1666 done: 1667 head->r.eof = true; 1668 } 1669 1670 /** 1671 * tomoyo_write_pid: Specify PID to obtain domainname. 1672 * 1673 * @head: Pointer to "struct tomoyo_io_buffer". 1674 * 1675 * Returns 0. 1676 */ 1677 static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1678 { 1679 head->r.eof = false; 1680 return 0; 1681 } 1682 1683 /** 1684 * tomoyo_read_pid - Get domainname of the specified PID. 1685 * 1686 * @head: Pointer to "struct tomoyo_io_buffer". 1687 * 1688 * Returns the domainname which the specified PID is in on success, 1689 * empty string otherwise. 1690 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1691 * using read()/write() interface rather than sysctl() interface. 1692 */ 1693 static void tomoyo_read_pid(struct tomoyo_io_buffer *head) 1694 { 1695 char *buf = head->write_buf; 1696 bool global_pid = false; 1697 unsigned int pid; 1698 struct task_struct *p; 1699 struct tomoyo_domain_info *domain = NULL; 1700 1701 /* Accessing write_buf is safe because head->io_sem is held. 
*/ 1702 if (!buf) { 1703 head->r.eof = true; 1704 return; /* Do nothing if open(O_RDONLY). */ 1705 } 1706 if (head->r.w_pos || head->r.eof) 1707 return; 1708 head->r.eof = true; 1709 if (tomoyo_str_starts(&buf, "global-pid ")) 1710 global_pid = true; 1711 if (kstrtouint(buf, 10, &pid)) 1712 return; 1713 rcu_read_lock(); 1714 if (global_pid) 1715 p = find_task_by_pid_ns(pid, &init_pid_ns); 1716 else 1717 p = find_task_by_vpid(pid); 1718 if (p) { 1719 domain = tomoyo_task(p)->domain_info; 1720 #ifdef CONFIG_SECURITY_TOMOYO_LKM 1721 if (!domain) 1722 domain = &tomoyo_kernel_domain; 1723 #endif 1724 } 1725 rcu_read_unlock(); 1726 if (!domain) 1727 return; 1728 tomoyo_io_printf(head, "%u %u ", pid, domain->profile); 1729 tomoyo_set_string(head, domain->domainname->name); 1730 } 1731 1732 /* String table for domain transition control keywords. */ 1733 static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = { 1734 [TOMOYO_TRANSITION_CONTROL_NO_RESET] = "no_reset_domain ", 1735 [TOMOYO_TRANSITION_CONTROL_RESET] = "reset_domain ", 1736 [TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ", 1737 [TOMOYO_TRANSITION_CONTROL_INITIALIZE] = "initialize_domain ", 1738 [TOMOYO_TRANSITION_CONTROL_NO_KEEP] = "no_keep_domain ", 1739 [TOMOYO_TRANSITION_CONTROL_KEEP] = "keep_domain ", 1740 }; 1741 1742 /* String table for grouping keywords. */ 1743 static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = { 1744 [TOMOYO_PATH_GROUP] = "path_group ", 1745 [TOMOYO_NUMBER_GROUP] = "number_group ", 1746 [TOMOYO_ADDRESS_GROUP] = "address_group ", 1747 }; 1748 1749 /** 1750 * tomoyo_write_exception - Write exception policy. 1751 * 1752 * @head: Pointer to "struct tomoyo_io_buffer". 1753 * 1754 * Returns 0 on success, negative value otherwise. 1755 * 1756 * Caller holds tomoyo_read_lock(). 
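 *
 * Dispatches on the leading keyword: "aggregator ", a transition-control
 * keyword, a group keyword, or "acl_group N " followed by a domain policy
 * line. Anything else is rejected with -EINVAL.
 */
static int tomoyo_write_exception(struct tomoyo_io_buffer *head)
{
	const bool is_delete = head->w.is_delete;
	struct tomoyo_acl_param param = {
		.ns = head->w.ns,
		.is_delete = is_delete,
		.data = head->write_buf,
	};
	u8 i;

	if (tomoyo_str_starts(&param.data, "aggregator "))
		return tomoyo_write_aggregator(&param);
	for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++)
		if (tomoyo_str_starts(&param.data, tomoyo_transition_type[i]))
			return tomoyo_write_transition_control(&param, i);
	for (i = 0; i < TOMOYO_MAX_GROUP; i++)
		if (tomoyo_str_starts(&param.data, tomoyo_group_name[i]))
			return tomoyo_write_group(&param, i);
	if (tomoyo_str_starts(&param.data, "acl_group ")) {
		unsigned int group;
		char *data;

		/*
		 * NOTE(review): simple_strtoul() returns unsigned long and
		 * the value is narrowed to unsigned int before the range
		 * check. The index therefore stays in bounds, but a number
		 * that does not fit in unsigned int is not rejected as such.
		 */
		group = simple_strtoul(param.data, &data, 10);
		/* The number must be in range and followed by one space. */
		if (group < TOMOYO_MAX_ACL_GROUPS && *data++ == ' ')
			return tomoyo_write_domain2
				(head->w.ns, &head->w.ns->acl_group[group],
				 data, is_delete);
	}
	return -EINVAL;
}

/**
 * tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group"/"struct tomoyo_address_group" list.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @idx:  Index number.
 *
 * Returns true on success, false otherwise.
 *
 * Caller holds tomoyo_read_lock().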
 *
 * The positions in @head->r.group and @head->r.acl are kept across calls,
 * so a false return (output could not be flushed) resumes at the same
 * member on the next call.
 */
static bool tomoyo_read_group(struct tomoyo_io_buffer *head, const int idx)
{
	struct tomoyo_policy_namespace *ns =
		container_of(head->r.ns, typeof(*ns), namespace_list);
	struct list_head *groups = &ns->group_list[idx];

	list_for_each_cookie(head->r.group, groups) {
		struct tomoyo_group *group =
			list_entry(head->r.group, typeof(*group), head.list);

		list_for_each_cookie(head->r.acl, &group->member_list) {
			struct tomoyo_acl_head *member =
				list_entry(head->r.acl, typeof(*member), list);

			/* Deleted members are not shown. */
			if (member->is_deleted)
				continue;
			if (!tomoyo_flush(head))
				return false;
			tomoyo_print_namespace(head);
			tomoyo_set_string(head, tomoyo_group_name[idx]);
			tomoyo_set_string(head, group->group_name->name);
			switch (idx) {
			case TOMOYO_PATH_GROUP: {
				struct tomoyo_path_group *path =
					container_of(member, typeof(*path),
						     head);

				tomoyo_set_space(head);
				tomoyo_set_string(head,
						  path->member_name->name);
				break;
			}
			case TOMOYO_NUMBER_GROUP: {
				struct tomoyo_number_group *num =
					container_of(member, typeof(*num),
						     head);

				tomoyo_print_number_union(head, &num->number);
				break;
			}
			case TOMOYO_ADDRESS_GROUP: {
				/* Scratch space; its size is passed to tomoyo_print_ip(). */
				char text[128];
				struct tomoyo_address_group *addr =
					container_of(member, typeof(*addr),
						     head);

				tomoyo_print_ip(text, sizeof(text),
						&addr->address);
				tomoyo_io_printf(head, " %s", text);
				break;
			}
			default:
				break;
			}
			tomoyo_set_lf(head);
		}
		head->r.acl = NULL;
	}
	head->r.group = NULL;
	return true;
}

/**
 * tomoyo_read_policy - Read "struct tomoyo_..._entry" list.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @idx:  Index number.
 *
 * Returns true on success, false otherwise.
 *
 * Caller holds tomoyo_read_lock().
 *
 * Only transition-control and aggregator lists produce output; entries of
 * any other list index are skipped.
 */
static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx)
{
	struct tomoyo_policy_namespace *ns =
		container_of(head->r.ns, typeof(*ns), namespace_list);
	struct list_head *entries = &ns->policy_list[idx];

	list_for_each_cookie(head->r.acl, entries) {
		struct tomoyo_acl_head *entry =
			container_of(head->r.acl, typeof(*entry), list);

		if (entry->is_deleted)
			continue;
		if (!tomoyo_flush(head))
			return false;
		if (idx == TOMOYO_ID_TRANSITION_CONTROL) {
			struct tomoyo_transition_control *tc =
				container_of(entry, typeof(*tc), head);

			tomoyo_print_namespace(head);
			tomoyo_set_string(head,
					  tomoyo_transition_type[tc->type]);
			/* A NULL program or domainname is printed as "any". */
			tomoyo_set_string(head, tc->program ?
					  tc->program->name : "any");
			tomoyo_set_string(head, " from ");
			tomoyo_set_string(head, tc->domainname ?
					  tc->domainname->name : "any");
		} else if (idx == TOMOYO_ID_AGGREGATOR) {
			struct tomoyo_aggregator *agg =
				container_of(entry, typeof(*agg), head);

			tomoyo_print_namespace(head);
			tomoyo_set_string(head, "aggregator ");
			tomoyo_set_string(head, agg->original_name->name);
			tomoyo_set_space(head);
			tomoyo_set_string(head, agg->aggregated_name->name);
		} else {
			/* No printable form for this list. */
			continue;
		}
		tomoyo_set_lf(head);
	}
	head->r.acl = NULL;
	return true;
}

/**
 * tomoyo_read_exception - Read exception policy.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Caller holds tomoyo_read_lock().
 *
 * @head->r.step walks three consecutive ranges: the policy lists, then the
 * group lists, then the acl_group lists. A reader that cannot make progress
 * returns with the step unchanged so that the next call resumes there.
 */
static void tomoyo_read_exception(struct tomoyo_io_buffer *head)
{
	struct tomoyo_policy_namespace *ns =
		container_of(head->r.ns, typeof(*ns), namespace_list);

	if (head->r.eof)
		return;
	/* Phase 1: policy lists. */
	while (head->r.step < TOMOYO_MAX_POLICY) {
		if (!tomoyo_read_policy(head, head->r.step))
			return;
		head->r.step++;
	}
	/* Phase 2: path/number/address groups. */
	while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP) {
		if (!tomoyo_read_group(head,
				       head->r.step - TOMOYO_MAX_POLICY))
			return;
		head->r.step++;
	}
	/* Phase 3: per-namespace acl_group lists. */
	while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP
	       + TOMOYO_MAX_ACL_GROUPS) {
		head->r.acl_group_index = head->r.step - TOMOYO_MAX_POLICY
			- TOMOYO_MAX_GROUP;
		if (!tomoyo_read_domain2(head, &ns->acl_group
					 [head->r.acl_group_index]))
			return;
		head->r.step++;
	}
	head->r.eof = true;
}

/* Wait queue for kernel -> userspace notification. */
static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait);
/* Wait queue for userspace -> kernel notification. */
static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait);

/* Structure for query. */
struct tomoyo_query {
	struct list_head list;             /* Link in tomoyo_query_list. */
	struct tomoyo_domain_info *domain; /* Domain of the request. */
	char *query;                       /* Query text. */
	size_t query_len;                  /* strlen(query) + 1. */
	unsigned int serial;               /* ID from tomoyo_supervisor(). */
	u8 timer;                          /* Wait rounds elapsed. */
	u8 answer;                         /* 0 = none, 1 = grant, 3 = retry. */
	u8 retry;                          /* Copy of the request's retry count. */
};

/* The list for "struct tomoyo_query". */
static LIST_HEAD(tomoyo_query_list);

/* Lock for manipulating tomoyo_query_list. */
static DEFINE_SPINLOCK(tomoyo_query_list_lock);

/*
 * Number of "struct file" referring /sys/kernel/security/tomoyo/query
 * interface.
 */
static atomic_t tomoyo_query_observers = ATOMIC_INIT(0);

/**
 * tomoyo_truncate - Truncate a line.
 *
 * @str: String to truncate.
 *
 * Returns length of truncated @str.
 *
 * @str is cut at the first byte that is not greater than ' ' (a space, a
 * control character or the terminating NUL). The returned value is
 * strlen() of the result plus one.
 */
static int tomoyo_truncate(char *str)
{
	char *end = str;

	/* Compare as unsigned so that bytes >= 0x80 count as part of the token. */
	while ((unsigned char) *end > (unsigned char) ' ')
		end++;
	*end = '\0';
	return strlen(str) + 1;
}

/**
 * tomoyo_add_entry - Add an ACL to current thread's domain. Used by learning mode.
 *
 * @domain: Pointer to "struct tomoyo_domain_info".
 * @header: Lines containing ACL.
 *
 * The text after the second '\n' of @header is taken as the ACL line. For
 * lines starting with 'f', the exec realpath, argv[0] and symlink target
 * found in the preceding part of @header are appended as conditions.
 * @header is modified in place.
 *
 * Returns nothing.
 */
static void tomoyo_add_entry(struct tomoyo_domain_info *domain, char *header)
{
	char *line;
	char *exec_realpath = NULL;
	char *exec_argv0 = NULL;
	char *symlink_target = NULL;
	char *acl = strchr(header, '\n');
	int size;

	/* The ACL starts after the second newline; give up if it is absent. */
	if (!acl)
		return;
	acl = strchr(acl + 1, '\n');
	if (!acl)
		return;
	*acl++ = '\0';
	size = strlen(acl) + 1;
	/* strstr() will return NULL if ordering is wrong. */
	if (*acl == 'f') {
		exec_argv0 = strstr(header, " argv[]={ \"");
		if (exec_argv0) {
			/* Skip " argv[]={ "; 14 is the length of " exec.argv[0]=". */
			exec_argv0 += 10;
			size += tomoyo_truncate(exec_argv0) + 14;
		}
		exec_realpath = strstr(header, " exec={ realpath=\"");
		if (exec_realpath) {
			/* Skip " exec={ "; 6 is the length of " exec.". */
			exec_realpath += 8;
			size += tomoyo_truncate(exec_realpath) + 6;
		}
		symlink_target = strstr(header, " symlink.target=\"");
		if (symlink_target)
			/* Truncate after the space, which is kept for output. */
			size += tomoyo_truncate(symlink_target + 1) + 1;
	}
	/* Every append below is bounded by the size computed above. */
	line = kmalloc(size, GFP_NOFS);
	if (!line)
		return;
	/*
	 * With no optional field the bound equals strlen(acl), so the last
	 * character of the ACL text is dropped (presumably its trailing
	 * newline - confirm against tomoyo_init_log()).
	 */
	snprintf(line, size - 1, "%s", acl);
	if (exec_realpath)
		tomoyo_addprintf(line, size, " exec.%s", exec_realpath);
	if (exec_argv0)
		tomoyo_addprintf(line, size, " exec.argv[0]=%s", exec_argv0);
	if (symlink_target)
		tomoyo_addprintf(line, size, "%s", symlink_target);
	tomoyo_normalize_line(line);
	if (tomoyo_write_domain2(domain->ns, &domain->acl_info_list, line,
				 false) == 0)
		tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES);
	kfree(line);
}

/**
 * tomoyo_supervisor - Ask for the supervisor's decision.
 *
 * @r:   Pointer to "struct tomoyo_request_info".
 * @fmt: The printf()'s format string, followed by parameters.
 *
 * The request is always written to the audit log first. In learning mode a
 * denied request is turned into a new ACL entry. In enforcing mode it is
 * queued for a userspace supervisor, but only while the query interface has
 * at least one opener; otherwise the request is denied at once.
 *
 * Returns 0 if the supervisor decided to permit the access request which
 * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the
 * supervisor decided to retry the access request which violated the policy in
 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise.
 */
int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
{
	va_list args;
	int error;
	int len;
	static unsigned int tomoyo_serial;
	struct tomoyo_query entry = { };
	bool quota_exceeded = false;

	/* First pass over the arguments only measures the formatted length. */
	va_start(args, fmt);
	len = vsnprintf(NULL, 0, fmt, args) + 1;
	va_end(args);
	/* Write /sys/kernel/security/tomoyo/audit. */
	va_start(args, fmt);
	tomoyo_write_log2(r, len, fmt, args);
	va_end(args);
	/* Nothing more to do if granted. */
	if (r->granted)
		return 0;
	if (r->mode)
		tomoyo_update_stat(r->mode);
	if (r->mode == TOMOYO_CONFIG_ENFORCING) {
		error = -EPERM;
		/* No supervisor is listening: deny without queueing. */
		if (!atomic_read(&tomoyo_query_observers))
			goto out;
	} else if (r->mode == TOMOYO_CONFIG_LEARNING) {
		error = 0;
		/* Check max_learning_entry parameter. */
		if (!tomoyo_domain_quota_is_ok(r))
			return 0;
	} else {
		return 0;
	}
	/* Get message. */
	va_start(args, fmt);
	entry.query = tomoyo_init_log(r, len, fmt, args);
	va_end(args);
	if (!entry.query)
		goto out;
	entry.query_len = strlen(entry.query) + 1;
	if (!error) {
		/* Learning mode: record the request as policy and allow it. */
		tomoyo_add_entry(r->domain, entry.query);
		goto out;
	}
	/* From here on only enforcing mode remains and error is -EPERM. */
	len = kmalloc_size_roundup(entry.query_len);
	entry.domain = r->domain;
	spin_lock(&tomoyo_query_list_lock);
	quota_exceeded = tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] &&
		tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len
		>= tomoyo_memory_quota[TOMOYO_MEMORY_QUERY];
	if (!quota_exceeded) {
		entry.serial = tomoyo_serial++;
		entry.retry = r->retry;
		tomoyo_memory_used[TOMOYO_MEMORY_QUERY] += len;
		/*
		 * entry lives on this stack frame; it is linked into the
		 * global list only for the duration of the wait below.
		 */
		list_add_tail(&entry.list, &tomoyo_query_list);
	}
	spin_unlock(&tomoyo_query_list_lock);
	/* Over quota: the request is denied without asking anyone. */
	if (quota_exceeded)
		goto out;
	/* Give 10 seconds for supervisor's opinion. */
	for (; entry.timer < 10; entry.timer++) {
		wake_up_all(&tomoyo_query_wait);
		/* Non-zero: answered, no observer left, or interrupted. */
		if (wait_event_interruptible_timeout
		    (tomoyo_answer_wait, entry.answer ||
		     !atomic_read(&tomoyo_query_observers), HZ))
			break;
	}
	/*
	 * Unlink before returning so that the list never refers to a dead
	 * stack frame. tomoyo_write_answer() may already have removed the
	 * entry with list_del_init().
	 */
	spin_lock(&tomoyo_query_list_lock);
	list_del(&entry.list);
	tomoyo_memory_used[TOMOYO_MEMORY_QUERY] -= len;
	spin_unlock(&tomoyo_query_list_lock);
	if (entry.answer == 3) {
		/* Asked to retry by administrator. */
		error = TOMOYO_RETRY_REQUEST;
		r->retry++;
	} else if (entry.answer == 1) {
		/* Granted by administrator. */
		error = 0;
	}
	/* Otherwise timed out or rejected by administrator: stay -EPERM. */
out:
	kfree(entry.query);
	return error;
}

/**
 * tomoyo_find_domain_by_qid - Get domain by query id.
 *
 * @serial: Query ID assigned by tomoyo_supervisor().
 *
 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
 *
 * Only queries that are still on tomoyo_query_list can be resolved.
 */
static struct tomoyo_domain_info *tomoyo_find_domain_by_qid
(unsigned int serial)
{
	struct tomoyo_query *q;
	struct tomoyo_domain_info *found = NULL;

	spin_lock(&tomoyo_query_list_lock);
	list_for_each_entry(q, &tomoyo_query_list, list) {
		if (q->serial == serial) {
			found = q->domain;
			break;
		}
	}
	spin_unlock(&tomoyo_query_list_lock);
	return found;
}

/**
 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query.
 *
 * @file: Pointer to "struct file".
 * @wait: Pointer to "poll_table".
 *
 * Returns EPOLLIN | EPOLLRDNORM when ready to read, 0 otherwise.
 *
 * Waits for access requests which violated policy in enforcing mode.
 */
static __poll_t tomoyo_poll_query(struct file *file, poll_table *wait)
{
	/*
	 * The list is tested without tomoyo_query_list_lock, and tested
	 * again after registering on the wait queue.
	 */
	if (list_empty(&tomoyo_query_list)) {
		poll_wait(file, &tomoyo_query_wait, wait);
		if (list_empty(&tomoyo_query_list))
			return 0;
	}
	return EPOLLIN | EPOLLRDNORM;
}

/**
 * tomoyo_read_query - Read access requests which violated policy in enforcing mode.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Hands at most one queued query to the reader per call, formatted as
 * "Q<serial>-<retry>" on the first line followed by the query text.
 * head->r.query_index selects the list position to return; it is advanced
 * after a successful read and reset to 0 when no entry is found there.
 */
static void tomoyo_read_query(struct tomoyo_io_buffer *head)
{
	struct tomoyo_query *query;
	unsigned int index = 0;
	size_t len = 0;
	char *buf;

	/* Previously produced output has not been flushed yet. */
	if (head->r.w_pos)
		return;
	kfree(head->read_buf);
	head->read_buf = NULL;

	/* Pass 1: learn the length of the selected query. */
	spin_lock(&tomoyo_query_list_lock);
	list_for_each_entry(query, &tomoyo_query_list, list) {
		if (index++ == head->r.query_index) {
			len = query->query_len;
			break;
		}
	}
	spin_unlock(&tomoyo_query_list_lock);
	if (!len) {
		head->r.query_index = 0;
		return;
	}

	/*
	 * The buffer is allocated with the spinlock released; the extra
	 * 32 bytes are presumably room for the "Q<serial>-<retry>\n" prefix.
	 */
	buf = kzalloc(len + 32, GFP_NOFS);
	if (!buf)
		return;

	/* Pass 2: copy the query out, unless the list changed meanwhile. */
	index = 0;
	spin_lock(&tomoyo_query_list_lock);
	list_for_each_entry(query, &tomoyo_query_list, list) {
		if (index++ != head->r.query_index)
			continue;
		/*
		 * Some query can be skipped because tomoyo_query_list
		 * can change, but I don't care. The length comparison keeps
		 * a different (longer) entry at the same position from being
		 * formatted into a buffer sized for the first one.
		 */
		if (len == query->query_len)
			snprintf(buf, len + 31, "Q%u-%hu\n%s", query->serial,
				 query->retry, query->query);
		break;
	}
	spin_unlock(&tomoyo_query_list_lock);

	/* buf is zero-filled, so an empty string means nothing was copied. */
	if (!buf[0]) {
		kfree(buf);
		return;
	}
	head->read_buf = buf;
	head->r.w[head->r.w_pos++] = buf;
	head->r.query_index++;
}

/**
 * tomoyo_write_answer - Write the supervisor's decision.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0 on success, -EINVAL otherwise.
 *
 * Expected input is "A<serial>=<answer>". tomoyo_supervisor() treats an
 * answer of 1 as granted and 3 as a retry request; any other value leaves
 * its error code unchanged. 0 is also returned when no queued query carries
 * the given serial.
 *
 * This handler does no permission check of its own: tomoyo_write_control()
 * requires tomoyo_manager() before it dispatches a line for this interface.
 */
static int tomoyo_write_answer(struct tomoyo_io_buffer *head)
{
	char *data = head->write_buf;
	struct tomoyo_query *query;
	unsigned int serial;
	unsigned int answer;

	/* Any write restarts the timeout counter of every pending query. */
	spin_lock(&tomoyo_query_list_lock);
	list_for_each_entry(query, &tomoyo_query_list, list)
		query->timer = 0;
	spin_unlock(&tomoyo_query_list_lock);

	if (sscanf(data, "A%u=%u", &serial, &answer) != 2)
		return -EINVAL;

	spin_lock(&tomoyo_query_list_lock);
	list_for_each_entry(query, &tomoyo_query_list, list) {
		if (query->serial != serial)
			continue;
		query->answer = answer;
		/*
		 * Remove from tomoyo_query_list. list_del_init() is used
		 * because tomoyo_supervisor() later calls list_del() on the
		 * same entry.
		 */
		if (query->answer)
			list_del_init(&query->list);
		break;
	}
	spin_unlock(&tomoyo_query_list_lock);
	return 0;
}

/**
 * tomoyo_read_version: Get version.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns version information.
 */
static void tomoyo_read_version(struct tomoyo_io_buffer *head)
{
	/* The version string is emitted once per open file. */
	if (head->r.eof)
		return;
	tomoyo_io_printf(head, "2.6.0");
	head->r.eof = true;
}

/* String table for /sys/kernel/security/tomoyo/stat interface. */
static const char * const tomoyo_policy_headers[TOMOYO_MAX_POLICY_STAT] = {
	[TOMOYO_STAT_POLICY_UPDATES]    = "update:",
	[TOMOYO_STAT_POLICY_LEARNING]   = "violation in learning mode:",
	[TOMOYO_STAT_POLICY_PERMISSIVE] = "violation in permissive mode:",
	[TOMOYO_STAT_POLICY_ENFORCING]  = "violation in enforcing mode:",
};

/* String table for /sys/kernel/security/tomoyo/stat interface.
*/
static const char * const tomoyo_memory_headers[TOMOYO_MAX_MEMORY_STAT] = {
	[TOMOYO_MEMORY_POLICY] = "policy:",
	[TOMOYO_MEMORY_AUDIT]  = "audit log:",
	[TOMOYO_MEMORY_QUERY]  = "query message:",
};

/* Counter for number of updates. */
static atomic_t tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT];
/* Timestamp counter for last updated. */
static time64_t tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT];

/**
 * tomoyo_update_stat - Update statistic counters.
 *
 * @index: Index for policy type.
 *
 * Returns nothing.
 *
 * @index is used as an array index without a range check, so callers must
 * pass a value below TOMOYO_MAX_POLICY_STAT.
 */
void tomoyo_update_stat(const u8 index)
{
	/* Bump the event counter, then record when it happened. */
	atomic_inc(&tomoyo_stat_updated[index]);
	tomoyo_stat_modified[index] = ktime_get_real_seconds();
}

/**
 * tomoyo_read_stat - Read statistic data.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns nothing.
 *
 * Prints one line per policy statistic and per memory category, then the
 * total memory in use. The whole report is produced once per open file.
 */
static void tomoyo_read_stat(struct tomoyo_io_buffer *head)
{
	unsigned int total = 0;
	u8 i;

	if (head->r.eof)
		return;

	for (i = 0; i < TOMOYO_MAX_POLICY_STAT; i++) {
		tomoyo_io_printf(head, "Policy %-30s %10u",
				 tomoyo_policy_headers[i],
				 atomic_read(&tomoyo_stat_updated[i]));
		/* A zero timestamp means this counter was never updated. */
		if (tomoyo_stat_modified[i]) {
			struct tomoyo_time stamp;

			tomoyo_convert_time(tomoyo_stat_modified[i], &stamp);
			tomoyo_io_printf(head, " (Last: %04u/%02u/%02u %02u:%02u:%02u)",
					 stamp.year, stamp.month, stamp.day,
					 stamp.hour, stamp.min, stamp.sec);
		}
		tomoyo_set_lf(head);
	}

	for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) {
		const unsigned int used = tomoyo_memory_used[i];
		unsigned int quota;

		total += used;
		tomoyo_io_printf(head, "Memory used by %-22s %10u",
				 tomoyo_memory_headers[i], used);
		/* A quota of 0 is not printed. */
		quota = tomoyo_memory_quota[i];
		if (quota)
			tomoyo_io_printf(head, " (Quota: %10u)", quota);
		tomoyo_set_lf(head);
	}

	tomoyo_io_printf(head, "Total memory used: %10u\n",
			 total);
	head->r.eof = true;
}

/**
 * tomoyo_write_stat - Set memory quota.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0.
 *
 * Accepts lines of the form "Memory used by <category header> <number>".
 * The parsed number is stored as the quota without any range check, and 0 is
 * returned even when the line does not match or the number fails to parse.
 * tomoyo_write_control() requires tomoyo_manager() before dispatching a line
 * for this interface.
 */
static int tomoyo_write_stat(struct tomoyo_io_buffer *head)
{
	char *data = head->write_buf;
	u8 i;

	if (!tomoyo_str_starts(&data, "Memory used by "))
		return 0;
	for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) {
		if (tomoyo_str_starts(&data, tomoyo_memory_headers[i]))
			sscanf(data, "%u", &tomoyo_memory_quota[i]);
	}
	return 0;
}

/**
 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface.
 *
 * @type: Type of interface.
 * @file: Pointer to "struct file".
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Allocates the per-open "struct tomoyo_io_buffer", wires up the read, write
 * and poll handlers for @type, and allocates only the buffers that the open
 * mode can use. A @type not listed in the switch leaves every handler NULL.
 */
int tomoyo_open_control(const u8 type, struct file *file)
{
	struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS);

	if (!head)
		return -ENOMEM;
	mutex_init(&head->io_sem);
	head->type = type;
	switch (type) {
	case TOMOYO_DOMAINPOLICY:
		/* /sys/kernel/security/tomoyo/domain_policy */
		head->write = tomoyo_write_domain;
		head->read = tomoyo_read_domain;
		break;
	case TOMOYO_EXCEPTIONPOLICY:
		/* /sys/kernel/security/tomoyo/exception_policy */
		head->write = tomoyo_write_exception;
		head->read = tomoyo_read_exception;
		break;
	case TOMOYO_AUDIT:
		/* /sys/kernel/security/tomoyo/audit */
		head->poll = tomoyo_poll_log;
		head->read = tomoyo_read_log;
		break;
	case TOMOYO_PROCESS_STATUS:
		/* /sys/kernel/security/tomoyo/.process_status */
		head->write = tomoyo_write_pid;
		head->read = tomoyo_read_pid;
		break;
	case TOMOYO_VERSION:
		/* /sys/kernel/security/tomoyo/version */
		head->read = tomoyo_read_version;
		head->readbuf_size = 128;
		break;
	case TOMOYO_STAT:
		/* /sys/kernel/security/tomoyo/stat */
		head->write = tomoyo_write_stat;
		head->read = tomoyo_read_stat;
		head->readbuf_size = 1024;
		break;
	case TOMOYO_PROFILE:
		/* /sys/kernel/security/tomoyo/profile */
		head->write = tomoyo_write_profile;
		head->read = tomoyo_read_profile;
		break;
	case TOMOYO_QUERY:
		/* /sys/kernel/security/tomoyo/query */
		head->poll = tomoyo_poll_query;
		head->write = tomoyo_write_answer;
		head->read = tomoyo_read_query;
		break;
	case TOMOYO_MANAGER:
		/* /sys/kernel/security/tomoyo/manager */
		head->write = tomoyo_write_manager;
		head->read = tomoyo_read_manager;
		break;
	}

	if (!(file->f_mode & FMODE_READ)) {
		/*
		 * No need to allocate read_buf since it is not opened
		 * for reading. Dropping the handlers also makes
		 * tomoyo_read_control() fail with -EINVAL on this file.
		 */
		head->read = NULL;
		head->poll = NULL;
	} else if (!head->poll) {
		/* Don't allocate read_buf for poll() access. */
		if (!head->readbuf_size)
			head->readbuf_size = 4096 * 2;
		head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS);
		if (!head->read_buf)
			goto free_head;
	}

	if (!(file->f_mode & FMODE_WRITE)) {
		/*
		 * No need to allocate write_buf since it is not opened
		 * for writing. Dropping the handler also makes
		 * tomoyo_write_control() fail with -EINVAL on this file.
		 */
		head->write = NULL;
	} else if (head->write) {
		head->writebuf_size = 4096 * 2;
		head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS);
		if (!head->write_buf)
			goto free_read_buf;
	}

	/*
	 * If the file is /sys/kernel/security/tomoyo/query , increment the
	 * observer counter.
	 * The observer counter is used by tomoyo_supervisor() to see if
	 * there is some process monitoring /sys/kernel/security/tomoyo/query.
	 */
	if (type == TOMOYO_QUERY)
		atomic_inc(&tomoyo_query_observers);
	file->private_data = head;
	tomoyo_notify_gc(head, true);
	return 0;

free_read_buf:
	/* read_buf is NULL here when it was never allocated. */
	kfree(head->read_buf);
free_head:
	kfree(head);
	return -ENOMEM;
}

/**
 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface.
 *
 * @file: Pointer to "struct file".
 * @wait: Pointer to "poll_table". Maybe NULL.
 *
 * Returns EPOLLIN | EPOLLRDNORM | EPOLLOUT | EPOLLWRNORM if ready to read/write,
 * EPOLLOUT | EPOLLWRNORM otherwise.
 */
__poll_t tomoyo_poll_control(struct file *file, poll_table *wait)
{
	struct tomoyo_io_buffer *head = file->private_data;
	/* Every interface is reported as writable. */
	__poll_t mask = EPOLLOUT | EPOLLWRNORM;

	if (head->poll)
		mask |= head->poll(file, wait);
	else
		mask |= EPOLLIN | EPOLLRDNORM;
	return mask;
}

/**
 * tomoyo_set_namespace_cursor - Set namespace to read.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns nothing.
 *
 * Only the exception policy and profile interfaces are read per namespace;
 * for every other type this is a no-op.
 */
static inline void tomoyo_set_namespace_cursor(struct tomoyo_io_buffer *head)
{
	struct list_head *ns;

	if (head->type != TOMOYO_EXCEPTIONPOLICY &&
	    head->type != TOMOYO_PROFILE)
		return;
	/*
	 * If this is the first read, or reading previous namespace finished
	 * and has more namespaces to read, update the namespace cursor.
	 * In every other case the cursor stays where it is.
	 */
	ns = head->r.ns;
	if (ns && !(head->r.eof && ns->next != &tomoyo_namespace_list))
		return;
	/* Clearing is OK because tomoyo_flush() returned true. */
	memset(&head->r, 0, sizeof(head->r));
	head->r.ns = ns ? ns->next : tomoyo_namespace_list.next;
}

/**
 * tomoyo_has_more_namespace - Check for unread namespaces.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns true if we have more entries to print, false otherwise.
 *
 * head->r.ns is dereferenced only for the exception policy and profile
 * interfaces, and only once head->r.eof is set.
 */
static inline bool tomoyo_has_more_namespace(struct tomoyo_io_buffer *head)
{
	if (head->type != TOMOYO_EXCEPTIONPOLICY &&
	    head->type != TOMOYO_PROFILE)
		return false;
	return head->r.eof &&
		head->r.ns->next != &tomoyo_namespace_list;
}

/**
 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface.
 *
 * @head:       Pointer to "struct tomoyo_io_buffer".
 * @buffer:     Pointer to buffer to write to.
 * @buffer_len: Size of @buffer.
 *
 * Returns bytes read on success, negative value otherwise.
 *
 * Returns -EINVAL when the file has no read handler (tomoyo_open_control()
 * clears it for files not opened for reading) and -EINTR when waiting for
 * head->io_sem is interrupted.
 */
ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
			    const int buffer_len)
{
	int copied;
	int idx;

	if (!head->read)
		return -EINVAL;
	/* io_sem serialises all read()/write() calls on this open file. */
	if (mutex_lock_interruptible(&head->io_sem))
		return -EINTR;
	head->read_user_buf = buffer;
	head->read_user_buf_avail = buffer_len;
	idx = tomoyo_read_lock();
	/* Drain what is already buffered before producing more output. */
	if (tomoyo_flush(head)) {
		/* Call the policy handler. */
		do {
			tomoyo_set_namespace_cursor(head);
			head->read(head);
		} while (tomoyo_flush(head) &&
			 tomoyo_has_more_namespace(head));
	}
	tomoyo_read_unlock(idx);
	/* The distance read_user_buf moved from @buffer is the byte count. */
	copied = head->read_user_buf - buffer;
	mutex_unlock(&head->io_sem);
	return copied;
}

/**
 * tomoyo_parse_policy - Parse a policy line.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @line: Line to parse.
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Caller holds tomoyo_read_lock().
 *
 * @line is edited in place: a leading "delete " and, for the per-namespace
 * interfaces, a leading "<namespace> " token are stripped before the line is
 * handed to head->write(). No permission check is made here; that is left to
 * the caller.
 */
static int tomoyo_parse_policy(struct tomoyo_io_buffer *head, char *line)
{
	/* Delete request? */
	head->w.is_delete = !strncmp(line, "delete ", 7);
	if (head->w.is_delete)
		memmove(line, line + 7, strlen(line + 7) + 1);

	/* Selecting namespace to update. */
	if (head->type == TOMOYO_EXCEPTIONPOLICY ||
	    head->type == TOMOYO_PROFILE) {
		if (*line != '<') {
			/* No explicit namespace: use the kernel namespace. */
			head->w.ns = &tomoyo_kernel_namespace;
		} else {
			char *rest = strchr(line, ' ');

			if (!rest) {
				/* A namespace with nothing after it. */
				head->w.ns = NULL;
			} else {
				*rest++ = '\0';
				head->w.ns = tomoyo_assign_namespace(line);
				memmove(line, rest, strlen(rest) + 1);
			}
		}
		/* Don't allow updating if namespace is invalid. */
		if (!head->w.ns)
			return -ENOENT;
	}

	/* Do the update. */
	return head->write(head);
}

/**
 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface.
 *
 * @head:       Pointer to "struct tomoyo_io_buffer".
 * @buffer:     Pointer to buffer to read from.
 * @buffer_len: Size of @buffer.
 *
 * Returns @buffer_len on success, negative value otherwise.
 *
 * Input is consumed one byte at a time and dispatched line by line. Except
 * for the "reset" and "select" control lines and the process status
 * interface, a line is dispatched only when tomoyo_manager() approves the
 * writer; otherwise the call fails with -EPERM. Handler errors other than
 * -EPERM are ignored and the write is still reported as successful.
 *
 * A line that does not fit makes the write buffer double in size; this
 * function sets no explicit upper bound, so growth stops only when the
 * allocation fails (-ENOMEM).
 */
ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
			     const char __user *buffer, const int buffer_len)
{
	int error = buffer_len;
	size_t remaining = buffer_len;
	char *line;
	int idx;

	if (!head->write)
		return -EINVAL;
	if (mutex_lock_interruptible(&head->io_sem))
		return -EINTR;
	/*
	 * write_buf must be read only after io_sem is held: the loop below
	 * may free it and install a larger buffer, so a pointer fetched
	 * before taking the lock could already be stale.
	 */
	line = head->write_buf;
	head->read_user_buf_avail = 0;
	idx = tomoyo_read_lock();
	/* Read a line and dispatch it to the policy handler. */
	while (remaining > 0) {
		char c;
		int rc;

		/* Grow the line buffer before it can overflow. */
		if (head->w.avail >= head->writebuf_size - 1) {
			const int grown_size = head->writebuf_size * 2;
			char *grown = kzalloc(grown_size, GFP_NOFS);

			if (!grown) {
				error = -ENOMEM;
				break;
			}
			memmove(grown, line, head->w.avail);
			kfree(line);
			head->write_buf = grown;
			line = grown;
			head->writebuf_size = grown_size;
		}
		if (get_user(c, buffer)) {
			error = -EFAULT;
			break;
		}
		buffer++;
		remaining--;
		line[head->w.avail++] = c;
		if (c != '\n')
			continue;

		/* A full line has arrived: terminate it and start over. */
		line[head->w.avail - 1] = '\0';
		head->w.avail = 0;
		tomoyo_normalize_line(line);
		/* "reset" is honoured before any manager check. */
		if (!strcmp(line, "reset")) {
			head->w.ns = &tomoyo_kernel_namespace;
			head->w.domain = NULL;
			memset(&head->r, 0, sizeof(head->r));
			continue;
		}
		/* Don't allow updating policies by non manager programs. */
		switch (head->type) {
		case TOMOYO_PROCESS_STATUS:
			/* This does not write anything. */
			break;
		case TOMOYO_DOMAINPOLICY:
			if (tomoyo_select_domain(head, line))
				continue;
			fallthrough;
		case TOMOYO_EXCEPTIONPOLICY:
			if (!strcmp(line, "select transition_only")) {
				head->r.print_transition_related_only = true;
				continue;
			}
			fallthrough;
		default:
			if (!tomoyo_manager()) {
				error = -EPERM;
				goto out;
			}
		}

		rc = tomoyo_parse_policy(head, line);
		if (rc == -EPERM) {
			error = -EPERM;
			goto out;
		}
		/* Any other failure is dropped; go on with the next line. */
		if (rc)
			continue;
		/* Count successful updates of the policy-bearing interfaces. */
		switch (head->type) {
		case TOMOYO_DOMAINPOLICY:
		case TOMOYO_EXCEPTIONPOLICY:
		case TOMOYO_STAT:
		case TOMOYO_PROFILE:
		case TOMOYO_MANAGER:
			tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES);
			break;
		default:
			break;
		}
	}
out:
	tomoyo_read_unlock(idx);
	mutex_unlock(&head->io_sem);
	return error;
}

/**
 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Nothing is freed here directly; @head is handed to tomoyo_notify_gc().
 */
void tomoyo_close_control(struct tomoyo_io_buffer *head)
{
	/*
	 * If the file is /sys/kernel/security/tomoyo/query , decrement the
	 * observer counter. When the last observer goes away, wake the
	 * waiters on tomoyo_answer_wait: tomoyo_supervisor() stops waiting
	 * once no observer is left.
	 */
	if (head->type == TOMOYO_QUERY) {
		if (atomic_dec_and_test(&tomoyo_query_observers))
			wake_up_all(&tomoyo_answer_wait);
	}
	tomoyo_notify_gc(head, false);
}

/**
 * tomoyo_check_profile - Check all profiles currently assigned to domains are defined.
 *
 * Marks the policy as loaded, then walks every domain. A namespace still at
 * profile version 20110903 is upgraded in place to 20150505. If a namespace
 * has any other unsupported version, or a domain refers to a profile that is
 * not defined, the kernel panics rather than continue with an incomplete
 * policy.
 */
void tomoyo_check_profile(void)
{
	struct tomoyo_domain_info *domain;
	const int idx = tomoyo_read_lock();

	tomoyo_policy_loaded = true;
	pr_info("TOMOYO: 2.6.0\n");
	list_for_each_entry_rcu(domain, &tomoyo_domain_list, list,
				srcu_read_lock_held(&tomoyo_ss)) {
		const u8 profile = domain->profile;
		struct tomoyo_policy_namespace *ns = domain->ns;

		if (ns->profile_version == 20110903) {
			pr_info_once("Converting profile version from %u to %u.\n",
				     20110903, 20150505);
			ns->profile_version = 20150505;
		}
		if (ns->profile_version != 20150505) {
			pr_err("Profile version %u is not supported.\n",
			       ns->profile_version);
		} else if (ns->profile_ptr[profile]) {
			/* This domain is fine; check the next one. */
			continue;
		} else {
			pr_err("Profile %u (used by '%s') is not defined.\n",
			       profile, domain->domainname->name);
		}
		/* Reached only after one of the two errors above. */
		pr_err("Userland tools for TOMOYO 2.6 must be installed and policy must be initialized.\n");
		pr_err("Please see https://tomoyo.sourceforge.net/2.6/ for more information.\n");
		panic("STOP!");
	}
	tomoyo_read_unlock(idx);
	pr_info("Mandatory Access Control activated.\n");
}

/**
 * tomoyo_load_builtin_policy - Load built-in policy.
 *
 * Returns nothing.
 *
 * Each built-in policy text is split at '\n' and every line is passed
 * straight to tomoyo_parse_policy(). This path does not go through
 * tomoyo_write_control(), so no tomoyo_manager() check applies to it, and the
 * result of parsing each line is ignored. Text after the last '\n' is not
 * processed.
 *
 * With CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING the built-in profile
 * puts profile 0 in learning mode and the domain policy, manager list and
 * stat settings are empty.
 */
void __init tomoyo_load_builtin_policy(void)
{
#ifdef CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING
	static char tomoyo_builtin_profile[] __initdata =
		"PROFILE_VERSION=20150505\n"
		"0-CONFIG={ mode=learning grant_log=no reject_log=yes }\n";
	static char tomoyo_builtin_exception_policy[] __initdata =
		"aggregator proc:/self/exe /proc/self/exe\n";
	static char tomoyo_builtin_domain_policy[] __initdata = "";
	static char tomoyo_builtin_manager[] __initdata = "";
	static char tomoyo_builtin_stat[] __initdata = "";
#else
	/*
	 * This include file is manually created and contains built-in policy
	 * named "tomoyo_builtin_profile", "tomoyo_builtin_exception_policy",
	 * "tomoyo_builtin_domain_policy", "tomoyo_builtin_manager",
	 * "tomoyo_builtin_stat" in the form of "static char [] __initdata".
	 */
#include "builtin-policy.h"
#endif
	u8 i;
	const int idx = tomoyo_read_lock();

	/* One pass per built-in text, in the order listed in the switch. */
	for (i = 0; i < 5; i++) {
		struct tomoyo_io_buffer head = { };
		char *start = "";
		char *end;

		switch (i) {
		case 0:
			start = tomoyo_builtin_profile;
			head.type = TOMOYO_PROFILE;
			head.write = tomoyo_write_profile;
			break;
		case 1:
			start = tomoyo_builtin_exception_policy;
			head.type = TOMOYO_EXCEPTIONPOLICY;
			head.write = tomoyo_write_exception;
			break;
		case 2:
			start = tomoyo_builtin_domain_policy;
			head.type = TOMOYO_DOMAINPOLICY;
			head.write = tomoyo_write_domain;
			break;
		case 3:
			start = tomoyo_builtin_manager;
			head.type = TOMOYO_MANAGER;
			head.write = tomoyo_write_manager;
			break;
		case 4:
			start = tomoyo_builtin_stat;
			head.type = TOMOYO_STAT;
			head.write = tomoyo_write_stat;
			break;
		}
		/*
		 * Cut the text into lines in place and feed each one to the
		 * handler chosen above.
		 */
		for (end = strchr(start, '\n'); end;
		     end = strchr(start, '\n')) {
			*end = '\0';
			tomoyo_normalize_line(start);
			head.write_buf = start;
			tomoyo_parse_policy(&head, start);
			start = end + 1;
		}
	}
	tomoyo_read_unlock(idx);
#ifdef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
	/* No userspace loader will run, so validate the profiles right away. */
	tomoyo_check_profile();
#endif
}