1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * security/tomoyo/common.c 4 * 5 * Copyright (C) 2005-2011 NTT DATA CORPORATION 6 */ 7 8 #include <linux/uaccess.h> 9 #include <linux/slab.h> 10 #include <linux/security.h> 11 #include <linux/string_helpers.h> 12 #include "common.h" 13 14 /* String table for operation mode. */ 15 const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = { 16 [TOMOYO_CONFIG_DISABLED] = "disabled", 17 [TOMOYO_CONFIG_LEARNING] = "learning", 18 [TOMOYO_CONFIG_PERMISSIVE] = "permissive", 19 [TOMOYO_CONFIG_ENFORCING] = "enforcing" 20 }; 21 22 /* String table for /sys/kernel/security/tomoyo/profile */ 23 const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX 24 + TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 25 /* CONFIG::file group */ 26 [TOMOYO_MAC_FILE_EXECUTE] = "execute", 27 [TOMOYO_MAC_FILE_OPEN] = "open", 28 [TOMOYO_MAC_FILE_CREATE] = "create", 29 [TOMOYO_MAC_FILE_UNLINK] = "unlink", 30 [TOMOYO_MAC_FILE_GETATTR] = "getattr", 31 [TOMOYO_MAC_FILE_MKDIR] = "mkdir", 32 [TOMOYO_MAC_FILE_RMDIR] = "rmdir", 33 [TOMOYO_MAC_FILE_MKFIFO] = "mkfifo", 34 [TOMOYO_MAC_FILE_MKSOCK] = "mksock", 35 [TOMOYO_MAC_FILE_TRUNCATE] = "truncate", 36 [TOMOYO_MAC_FILE_SYMLINK] = "symlink", 37 [TOMOYO_MAC_FILE_MKBLOCK] = "mkblock", 38 [TOMOYO_MAC_FILE_MKCHAR] = "mkchar", 39 [TOMOYO_MAC_FILE_LINK] = "link", 40 [TOMOYO_MAC_FILE_RENAME] = "rename", 41 [TOMOYO_MAC_FILE_CHMOD] = "chmod", 42 [TOMOYO_MAC_FILE_CHOWN] = "chown", 43 [TOMOYO_MAC_FILE_CHGRP] = "chgrp", 44 [TOMOYO_MAC_FILE_IOCTL] = "ioctl", 45 [TOMOYO_MAC_FILE_CHROOT] = "chroot", 46 [TOMOYO_MAC_FILE_MOUNT] = "mount", 47 [TOMOYO_MAC_FILE_UMOUNT] = "unmount", 48 [TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root", 49 /* CONFIG::network group */ 50 [TOMOYO_MAC_NETWORK_INET_STREAM_BIND] = "inet_stream_bind", 51 [TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN] = "inet_stream_listen", 52 [TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT] = "inet_stream_connect", 53 [TOMOYO_MAC_NETWORK_INET_DGRAM_BIND] = "inet_dgram_bind", 54 [TOMOYO_MAC_NETWORK_INET_DGRAM_SEND] = "inet_dgram_send", 55 [TOMOYO_MAC_NETWORK_INET_RAW_BIND] = "inet_raw_bind", 56 [TOMOYO_MAC_NETWORK_INET_RAW_SEND] = "inet_raw_send", 57 [TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND] = "unix_stream_bind", 58 [TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN] = "unix_stream_listen", 59 [TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT] = "unix_stream_connect", 60 [TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND] = "unix_dgram_bind", 61 [TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND] = "unix_dgram_send", 62 [TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND] = "unix_seqpacket_bind", 63 [TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN] = "unix_seqpacket_listen", 64 [TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] = "unix_seqpacket_connect", 65 /* CONFIG::misc group */ 66 [TOMOYO_MAC_ENVIRON] = "env", 67 /* CONFIG group */ 68 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file", 69 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_NETWORK] = "network", 70 [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_MISC] = "misc", 71 }; 72 73 /* String table for conditions. */ 74 const char * const tomoyo_condition_keyword[TOMOYO_MAX_CONDITION_KEYWORD] = { 75 [TOMOYO_TASK_UID] = "task.uid", 76 [TOMOYO_TASK_EUID] = "task.euid", 77 [TOMOYO_TASK_SUID] = "task.suid", 78 [TOMOYO_TASK_FSUID] = "task.fsuid", 79 [TOMOYO_TASK_GID] = "task.gid", 80 [TOMOYO_TASK_EGID] = "task.egid", 81 [TOMOYO_TASK_SGID] = "task.sgid", 82 [TOMOYO_TASK_FSGID] = "task.fsgid", 83 [TOMOYO_TASK_PID] = "task.pid", 84 [TOMOYO_TASK_PPID] = "task.ppid", 85 [TOMOYO_EXEC_ARGC] = "exec.argc", 86 [TOMOYO_EXEC_ENVC] = "exec.envc", 87 [TOMOYO_TYPE_IS_SOCKET] = "socket", 88 [TOMOYO_TYPE_IS_SYMLINK] = "symlink", 89 [TOMOYO_TYPE_IS_FILE] = "file", 90 [TOMOYO_TYPE_IS_BLOCK_DEV] = "block", 91 [TOMOYO_TYPE_IS_DIRECTORY] = "directory", 92 [TOMOYO_TYPE_IS_CHAR_DEV] = "char", 93 [TOMOYO_TYPE_IS_FIFO] = "fifo", 94 [TOMOYO_MODE_SETUID] = "setuid", 95 [TOMOYO_MODE_SETGID] = "setgid", 96 [TOMOYO_MODE_STICKY] = "sticky", 97 [TOMOYO_MODE_OWNER_READ] = "owner_read", 98 [TOMOYO_MODE_OWNER_WRITE] = "owner_write", 99 [TOMOYO_MODE_OWNER_EXECUTE] = "owner_execute", 100 [TOMOYO_MODE_GROUP_READ] = "group_read", 101 [TOMOYO_MODE_GROUP_WRITE] = "group_write", 102 [TOMOYO_MODE_GROUP_EXECUTE] = "group_execute", 103 [TOMOYO_MODE_OTHERS_READ] = "others_read", 104 [TOMOYO_MODE_OTHERS_WRITE] = "others_write", 105 [TOMOYO_MODE_OTHERS_EXECUTE] = "others_execute", 106 [TOMOYO_EXEC_REALPATH] = "exec.realpath", 107 [TOMOYO_SYMLINK_TARGET] = "symlink.target", 108 [TOMOYO_PATH1_UID] = "path1.uid", 109 [TOMOYO_PATH1_GID] = "path1.gid", 110 [TOMOYO_PATH1_INO] = "path1.ino", 111 [TOMOYO_PATH1_MAJOR] = "path1.major", 112 [TOMOYO_PATH1_MINOR] = "path1.minor", 113 [TOMOYO_PATH1_PERM] = "path1.perm", 114 [TOMOYO_PATH1_TYPE] = "path1.type", 115 [TOMOYO_PATH1_DEV_MAJOR] = "path1.dev_major", 116 [TOMOYO_PATH1_DEV_MINOR] = "path1.dev_minor", 117 [TOMOYO_PATH2_UID] = "path2.uid", 118 [TOMOYO_PATH2_GID] = "path2.gid", 119 [TOMOYO_PATH2_INO] = "path2.ino", 120 [TOMOYO_PATH2_MAJOR] = "path2.major", 121 [TOMOYO_PATH2_MINOR] = "path2.minor", 122 [TOMOYO_PATH2_PERM] = "path2.perm", 123 [TOMOYO_PATH2_TYPE] = "path2.type", 124 [TOMOYO_PATH2_DEV_MAJOR] = "path2.dev_major", 125 [TOMOYO_PATH2_DEV_MINOR] = "path2.dev_minor", 126 [TOMOYO_PATH1_PARENT_UID] = "path1.parent.uid", 127 [TOMOYO_PATH1_PARENT_GID] = "path1.parent.gid", 128 [TOMOYO_PATH1_PARENT_INO] = "path1.parent.ino", 129 [TOMOYO_PATH1_PARENT_PERM] = "path1.parent.perm", 130 [TOMOYO_PATH2_PARENT_UID] = "path2.parent.uid", 131 [TOMOYO_PATH2_PARENT_GID] = "path2.parent.gid", 132 [TOMOYO_PATH2_PARENT_INO] = "path2.parent.ino", 133 [TOMOYO_PATH2_PARENT_PERM] = "path2.parent.perm", 134 }; 135 136 /* String table for PREFERENCE keyword. */ 137 static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = { 138 [TOMOYO_PREF_MAX_AUDIT_LOG] = "max_audit_log", 139 [TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", 140 }; 141 142 /* String table for path operation. */ 143 const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = { 144 [TOMOYO_TYPE_EXECUTE] = "execute", 145 [TOMOYO_TYPE_READ] = "read", 146 [TOMOYO_TYPE_WRITE] = "write", 147 [TOMOYO_TYPE_APPEND] = "append", 148 [TOMOYO_TYPE_UNLINK] = "unlink", 149 [TOMOYO_TYPE_GETATTR] = "getattr", 150 [TOMOYO_TYPE_RMDIR] = "rmdir", 151 [TOMOYO_TYPE_TRUNCATE] = "truncate", 152 [TOMOYO_TYPE_SYMLINK] = "symlink", 153 [TOMOYO_TYPE_CHROOT] = "chroot", 154 [TOMOYO_TYPE_UMOUNT] = "unmount", 155 }; 156 157 /* String table for socket's operation. */ 158 const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION] = { 159 [TOMOYO_NETWORK_BIND] = "bind", 160 [TOMOYO_NETWORK_LISTEN] = "listen", 161 [TOMOYO_NETWORK_CONNECT] = "connect", 162 [TOMOYO_NETWORK_SEND] = "send", 163 }; 164 165 /* String table for categories. */ 166 static const char * const tomoyo_category_keywords 167 [TOMOYO_MAX_MAC_CATEGORY_INDEX] = { 168 [TOMOYO_MAC_CATEGORY_FILE] = "file", 169 [TOMOYO_MAC_CATEGORY_NETWORK] = "network", 170 [TOMOYO_MAC_CATEGORY_MISC] = "misc", 171 }; 172 173 /* Permit policy management by non-root user? */ 174 static bool tomoyo_manage_by_non_root; 175 176 /* Utility functions. */ 177 178 /** 179 * tomoyo_addprintf - strncat()-like-snprintf(). 180 * 181 * @buffer: Buffer to write to. Must be '\0'-terminated. 182 * @len: Size of @buffer. 183 * @fmt: The printf()'s format string, followed by parameters. 184 * 185 * Returns nothing. 186 */ 187 __printf(3, 4) 188 static void tomoyo_addprintf(char *buffer, int len, const char *fmt, ...) 189 { 190 va_list args; 191 const int pos = strlen(buffer); 192 193 va_start(args, fmt); 194 vsnprintf(buffer + pos, len - pos - 1, fmt, args); 195 va_end(args); 196 } 197 198 /** 199 * tomoyo_flush - Flush queued string to userspace's buffer. 200 * 201 * @head: Pointer to "struct tomoyo_io_buffer". 202 * 203 * Returns true if all data was flushed, false otherwise. 204 */ 205 static bool tomoyo_flush(struct tomoyo_io_buffer *head) 206 { 207 while (head->r.w_pos) { 208 const char *w = head->r.w[0]; 209 size_t len = strlen(w); 210 211 if (len) { 212 if (len > head->read_user_buf_avail) 213 len = head->read_user_buf_avail; 214 if (!len) 215 return false; 216 if (copy_to_user(head->read_user_buf, w, len)) 217 return false; 218 head->read_user_buf_avail -= len; 219 head->read_user_buf += len; 220 w += len; 221 } 222 head->r.w[0] = w; 223 if (*w) 224 return false; 225 /* Add '\0' for audit logs and query. */ 226 if (head->poll) { 227 if (!head->read_user_buf_avail || 228 copy_to_user(head->read_user_buf, "", 1)) 229 return false; 230 head->read_user_buf_avail--; 231 head->read_user_buf++; 232 } 233 head->r.w_pos--; 234 for (len = 0; len < head->r.w_pos; len++) 235 head->r.w[len] = head->r.w[len + 1]; 236 } 237 head->r.avail = 0; 238 return true; 239 } 240 241 /** 242 * tomoyo_set_string - Queue string to "struct tomoyo_io_buffer" structure. 243 * 244 * @head: Pointer to "struct tomoyo_io_buffer". 245 * @string: String to print. 246 * 247 * Note that @string has to be kept valid until @head is kfree()d. 248 * This means that char[] allocated on stack memory cannot be passed to 249 * this function. Use tomoyo_io_printf() for char[] allocated on stack memory. 250 */ 251 static void tomoyo_set_string(struct tomoyo_io_buffer *head, const char *string) 252 { 253 if (head->r.w_pos < TOMOYO_MAX_IO_READ_QUEUE) { 254 head->r.w[head->r.w_pos++] = string; 255 tomoyo_flush(head); 256 } else 257 WARN_ON(1); 258 } 259 260 static void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, 261 ...) __printf(2, 3); 262 263 /** 264 * tomoyo_io_printf - printf() to "struct tomoyo_io_buffer" structure. 265 * 266 * @head: Pointer to "struct tomoyo_io_buffer". 267 * @fmt: The printf()'s format string, followed by parameters. 268 */ 269 static void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, 270 ...) 271 { 272 va_list args; 273 size_t len; 274 size_t pos = head->r.avail; 275 int size = head->readbuf_size - pos; 276 277 if (size <= 0) 278 return; 279 va_start(args, fmt); 280 len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1; 281 va_end(args); 282 if (pos + len >= head->readbuf_size) { 283 WARN_ON(1); 284 return; 285 } 286 head->r.avail += len; 287 tomoyo_set_string(head, head->read_buf + pos); 288 } 289 290 /** 291 * tomoyo_set_space - Put a space to "struct tomoyo_io_buffer" structure. 292 * 293 * @head: Pointer to "struct tomoyo_io_buffer". 294 * 295 * Returns nothing. 296 */ 297 static void tomoyo_set_space(struct tomoyo_io_buffer *head) 298 { 299 tomoyo_set_string(head, " "); 300 } 301 302 /** 303 * tomoyo_set_lf - Put a line feed to "struct tomoyo_io_buffer" structure. 304 * 305 * @head: Pointer to "struct tomoyo_io_buffer". 306 * 307 * Returns nothing. 308 */ 309 static bool tomoyo_set_lf(struct tomoyo_io_buffer *head) 310 { 311 tomoyo_set_string(head, "\n"); 312 return !head->r.w_pos; 313 } 314 315 /** 316 * tomoyo_set_slash - Put a shash to "struct tomoyo_io_buffer" structure. 317 * 318 * @head: Pointer to "struct tomoyo_io_buffer". 319 * 320 * Returns nothing. 321 */ 322 static void tomoyo_set_slash(struct tomoyo_io_buffer *head) 323 { 324 tomoyo_set_string(head, "/"); 325 } 326 327 /* List of namespaces. */ 328 LIST_HEAD(tomoyo_namespace_list); 329 /* True if namespace other than tomoyo_kernel_namespace is defined. */ 330 static bool tomoyo_namespace_enabled; 331 332 /** 333 * tomoyo_init_policy_namespace - Initialize namespace. 334 * 335 * @ns: Pointer to "struct tomoyo_policy_namespace". 336 * 337 * Returns nothing. 338 */ 339 void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns) 340 { 341 unsigned int idx; 342 343 for (idx = 0; idx < TOMOYO_MAX_ACL_GROUPS; idx++) 344 INIT_LIST_HEAD(&ns->acl_group[idx]); 345 for (idx = 0; idx < TOMOYO_MAX_GROUP; idx++) 346 INIT_LIST_HEAD(&ns->group_list[idx]); 347 for (idx = 0; idx < TOMOYO_MAX_POLICY; idx++) 348 INIT_LIST_HEAD(&ns->policy_list[idx]); 349 ns->profile_version = 20150505; 350 tomoyo_namespace_enabled = !list_empty(&tomoyo_namespace_list); 351 list_add_tail_rcu(&ns->namespace_list, &tomoyo_namespace_list); 352 } 353 354 /** 355 * tomoyo_print_namespace - Print namespace header. 356 * 357 * @head: Pointer to "struct tomoyo_io_buffer". 358 * 359 * Returns nothing. 360 */ 361 static void tomoyo_print_namespace(struct tomoyo_io_buffer *head) 362 { 363 if (!tomoyo_namespace_enabled) 364 return; 365 tomoyo_set_string(head, 366 container_of(head->r.ns, 367 struct tomoyo_policy_namespace, 368 namespace_list)->name); 369 tomoyo_set_space(head); 370 } 371 372 /** 373 * tomoyo_print_name_union - Print a tomoyo_name_union. 374 * 375 * @head: Pointer to "struct tomoyo_io_buffer". 376 * @ptr: Pointer to "struct tomoyo_name_union". 377 */ 378 static void tomoyo_print_name_union(struct tomoyo_io_buffer *head, 379 const struct tomoyo_name_union *ptr) 380 { 381 tomoyo_set_space(head); 382 if (ptr->group) { 383 tomoyo_set_string(head, "@"); 384 tomoyo_set_string(head, ptr->group->group_name->name); 385 } else { 386 tomoyo_set_string(head, ptr->filename->name); 387 } 388 } 389 390 /** 391 * tomoyo_print_name_union_quoted - Print a tomoyo_name_union with a quote. 392 * 393 * @head: Pointer to "struct tomoyo_io_buffer". 394 * @ptr: Pointer to "struct tomoyo_name_union". 395 * 396 * Returns nothing. 397 */ 398 static void tomoyo_print_name_union_quoted(struct tomoyo_io_buffer *head, 399 const struct tomoyo_name_union *ptr) 400 { 401 if (ptr->group) { 402 tomoyo_set_string(head, "@"); 403 tomoyo_set_string(head, ptr->group->group_name->name); 404 } else { 405 tomoyo_set_string(head, "\""); 406 tomoyo_set_string(head, ptr->filename->name); 407 tomoyo_set_string(head, "\""); 408 } 409 } 410 411 /** 412 * tomoyo_print_number_union_nospace - Print a tomoyo_number_union without a space. 413 * 414 * @head: Pointer to "struct tomoyo_io_buffer". 415 * @ptr: Pointer to "struct tomoyo_number_union". 416 * 417 * Returns nothing. 418 */ 419 static void tomoyo_print_number_union_nospace 420 (struct tomoyo_io_buffer *head, const struct tomoyo_number_union *ptr) 421 { 422 if (ptr->group) { 423 tomoyo_set_string(head, "@"); 424 tomoyo_set_string(head, ptr->group->group_name->name); 425 } else { 426 int i; 427 unsigned long min = ptr->values[0]; 428 const unsigned long max = ptr->values[1]; 429 u8 min_type = ptr->value_type[0]; 430 const u8 max_type = ptr->value_type[1]; 431 char buffer[128]; 432 433 buffer[0] = '\0'; 434 for (i = 0; i < 2; i++) { 435 switch (min_type) { 436 case TOMOYO_VALUE_TYPE_HEXADECIMAL: 437 tomoyo_addprintf(buffer, sizeof(buffer), 438 "0x%lX", min); 439 break; 440 case TOMOYO_VALUE_TYPE_OCTAL: 441 tomoyo_addprintf(buffer, sizeof(buffer), 442 "0%lo", min); 443 break; 444 default: 445 tomoyo_addprintf(buffer, sizeof(buffer), "%lu", 446 min); 447 break; 448 } 449 if (min == max && min_type == max_type) 450 break; 451 tomoyo_addprintf(buffer, sizeof(buffer), "-"); 452 min_type = max_type; 453 min = max; 454 } 455 tomoyo_io_printf(head, "%s", buffer); 456 } 457 } 458 459 /** 460 * tomoyo_print_number_union - Print a tomoyo_number_union. 461 * 462 * @head: Pointer to "struct tomoyo_io_buffer". 463 * @ptr: Pointer to "struct tomoyo_number_union". 464 * 465 * Returns nothing. 466 */ 467 static void tomoyo_print_number_union(struct tomoyo_io_buffer *head, 468 const struct tomoyo_number_union *ptr) 469 { 470 tomoyo_set_space(head); 471 tomoyo_print_number_union_nospace(head, ptr); 472 } 473 474 /** 475 * tomoyo_assign_profile - Create a new profile. 476 * 477 * @ns: Pointer to "struct tomoyo_policy_namespace". 478 * @profile: Profile number to create. 479 * 480 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise. 481 */ 482 static struct tomoyo_profile *tomoyo_assign_profile 483 (struct tomoyo_policy_namespace *ns, const unsigned int profile) 484 { 485 struct tomoyo_profile *ptr; 486 struct tomoyo_profile *entry; 487 488 if (profile >= TOMOYO_MAX_PROFILES) 489 return NULL; 490 ptr = ns->profile_ptr[profile]; 491 if (ptr) 492 return ptr; 493 entry = kzalloc(sizeof(*entry), GFP_NOFS | __GFP_NOWARN); 494 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 495 goto out; 496 ptr = ns->profile_ptr[profile]; 497 if (!ptr && tomoyo_memory_ok(entry)) { 498 ptr = entry; 499 ptr->default_config = TOMOYO_CONFIG_DISABLED | 500 TOMOYO_CONFIG_WANT_GRANT_LOG | 501 TOMOYO_CONFIG_WANT_REJECT_LOG; 502 memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT, 503 sizeof(ptr->config)); 504 ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] = 505 CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG; 506 ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = 507 CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY; 508 mb(); /* Avoid out-of-order execution. */ 509 ns->profile_ptr[profile] = ptr; 510 entry = NULL; 511 } 512 mutex_unlock(&tomoyo_policy_lock); 513 out: 514 kfree(entry); 515 return ptr; 516 } 517 518 /** 519 * tomoyo_profile - Find a profile. 520 * 521 * @ns: Pointer to "struct tomoyo_policy_namespace". 522 * @profile: Profile number to find. 523 * 524 * Returns pointer to "struct tomoyo_profile". 525 */ 526 struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns, 527 const u8 profile) 528 { 529 static struct tomoyo_profile tomoyo_null_profile; 530 struct tomoyo_profile *ptr = ns->profile_ptr[profile]; 531 532 if (!ptr) 533 ptr = &tomoyo_null_profile; 534 return ptr; 535 } 536 537 /** 538 * tomoyo_find_yesno - Find values for specified keyword. 539 * 540 * @string: String to check. 541 * @find: Name of keyword. 542 * 543 * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise. 544 */ 545 static s8 tomoyo_find_yesno(const char *string, const char *find) 546 { 547 const char *cp = strstr(string, find); 548 549 if (cp) { 550 cp += strlen(find); 551 if (!strncmp(cp, "=yes", 4)) 552 return 1; 553 else if (!strncmp(cp, "=no", 3)) 554 return 0; 555 } 556 return -1; 557 } 558 559 /** 560 * tomoyo_set_uint - Set value for specified preference. 561 * 562 * @i: Pointer to "unsigned int". 563 * @string: String to check. 564 * @find: Name of keyword. 565 * 566 * Returns nothing. 567 */ 568 static void tomoyo_set_uint(unsigned int *i, const char *string, 569 const char *find) 570 { 571 const char *cp = strstr(string, find); 572 573 if (cp) 574 sscanf(cp + strlen(find), "=%u", i); 575 } 576 577 /** 578 * tomoyo_set_mode - Set mode for specified profile. 579 * 580 * @name: Name of functionality. 581 * @value: Mode for @name. 582 * @profile: Pointer to "struct tomoyo_profile". 583 * 584 * Returns 0 on success, negative value otherwise. 585 */ 586 static int tomoyo_set_mode(char *name, const char *value, 587 struct tomoyo_profile *profile) 588 { 589 u8 i; 590 u8 config; 591 592 if (!strcmp(name, "CONFIG")) { 593 i = TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX; 594 config = profile->default_config; 595 } else if (tomoyo_str_starts(&name, "CONFIG::")) { 596 config = 0; 597 for (i = 0; i < TOMOYO_MAX_MAC_INDEX 598 + TOMOYO_MAX_MAC_CATEGORY_INDEX; i++) { 599 int len = 0; 600 601 if (i < TOMOYO_MAX_MAC_INDEX) { 602 const u8 c = tomoyo_index2category[i]; 603 const char *category = 604 tomoyo_category_keywords[c]; 605 606 len = strlen(category); 607 if (strncmp(name, category, len) || 608 name[len++] != ':' || name[len++] != ':') 609 continue; 610 } 611 if (strcmp(name + len, tomoyo_mac_keywords[i])) 612 continue; 613 config = profile->config[i]; 614 break; 615 } 616 if (i == TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 617 return -EINVAL; 618 } else { 619 return -EINVAL; 620 } 621 if (strstr(value, "use_default")) { 622 config = TOMOYO_CONFIG_USE_DEFAULT; 623 } else { 624 u8 mode; 625 626 for (mode = 0; mode < 4; mode++) 627 if (strstr(value, tomoyo_mode[mode])) 628 /* 629 * Update lower 3 bits in order to distinguish 630 * 'config' from 'TOMOYO_CONFIG_USE_DEFAULT'. 631 */ 632 config = (config & ~7) | mode; 633 if (config != TOMOYO_CONFIG_USE_DEFAULT) { 634 switch (tomoyo_find_yesno(value, "grant_log")) { 635 case 1: 636 config |= TOMOYO_CONFIG_WANT_GRANT_LOG; 637 break; 638 case 0: 639 config &= ~TOMOYO_CONFIG_WANT_GRANT_LOG; 640 break; 641 } 642 switch (tomoyo_find_yesno(value, "reject_log")) { 643 case 1: 644 config |= TOMOYO_CONFIG_WANT_REJECT_LOG; 645 break; 646 case 0: 647 config &= ~TOMOYO_CONFIG_WANT_REJECT_LOG; 648 break; 649 } 650 } 651 } 652 if (i < TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX) 653 profile->config[i] = config; 654 else if (config != TOMOYO_CONFIG_USE_DEFAULT) 655 profile->default_config = config; 656 return 0; 657 } 658 659 /** 660 * tomoyo_write_profile - Write profile table. 661 * 662 * @head: Pointer to "struct tomoyo_io_buffer". 663 * 664 * Returns 0 on success, negative value otherwise. 665 */ 666 static int tomoyo_write_profile(struct tomoyo_io_buffer *head) 667 { 668 char *data = head->write_buf; 669 unsigned int i; 670 char *cp; 671 struct tomoyo_profile *profile; 672 673 if (sscanf(data, "PROFILE_VERSION=%u", &head->w.ns->profile_version) 674 == 1) 675 return 0; 676 i = simple_strtoul(data, &cp, 10); 677 if (*cp != '-') 678 return -EINVAL; 679 data = cp + 1; 680 profile = tomoyo_assign_profile(head->w.ns, i); 681 if (!profile) 682 return -EINVAL; 683 cp = strchr(data, '='); 684 if (!cp) 685 return -EINVAL; 686 *cp++ = '\0'; 687 if (!strcmp(data, "COMMENT")) { 688 static DEFINE_SPINLOCK(lock); 689 const struct tomoyo_path_info *new_comment 690 = tomoyo_get_name(cp); 691 const struct tomoyo_path_info *old_comment; 692 693 if (!new_comment) 694 return -ENOMEM; 695 spin_lock(&lock); 696 old_comment = profile->comment; 697 profile->comment = new_comment; 698 spin_unlock(&lock); 699 tomoyo_put_name(old_comment); 700 return 0; 701 } 702 if (!strcmp(data, "PREFERENCE")) { 703 for (i = 0; i < TOMOYO_MAX_PREF; i++) 704 tomoyo_set_uint(&profile->pref[i], cp, 705 tomoyo_pref_keywords[i]); 706 return 0; 707 } 708 return tomoyo_set_mode(data, cp, profile); 709 } 710 711 /** 712 * tomoyo_print_config - Print mode for specified functionality. 713 * 714 * @head: Pointer to "struct tomoyo_io_buffer". 715 * @config: Mode for that functionality. 716 * 717 * Returns nothing. 718 * 719 * Caller prints functionality's name. 720 */ 721 static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config) 722 { 723 tomoyo_io_printf(head, "={ mode=%s grant_log=%s reject_log=%s }\n", 724 tomoyo_mode[config & 3], 725 str_yes_no(config & TOMOYO_CONFIG_WANT_GRANT_LOG), 726 str_yes_no(config & TOMOYO_CONFIG_WANT_REJECT_LOG)); 727 } 728 729 /** 730 * tomoyo_read_profile - Read profile table. 731 * 732 * @head: Pointer to "struct tomoyo_io_buffer". 733 * 734 * Returns nothing. 735 */ 736 static void tomoyo_read_profile(struct tomoyo_io_buffer *head) 737 { 738 u8 index; 739 struct tomoyo_policy_namespace *ns = 740 container_of(head->r.ns, typeof(*ns), namespace_list); 741 const struct tomoyo_profile *profile; 742 743 if (head->r.eof) 744 return; 745 next: 746 index = head->r.index; 747 profile = ns->profile_ptr[index]; 748 switch (head->r.step) { 749 case 0: 750 tomoyo_print_namespace(head); 751 tomoyo_io_printf(head, "PROFILE_VERSION=%u\n", 752 ns->profile_version); 753 head->r.step++; 754 break; 755 case 1: 756 for ( ; head->r.index < TOMOYO_MAX_PROFILES; 757 head->r.index++) 758 if (ns->profile_ptr[head->r.index]) 759 break; 760 if (head->r.index == TOMOYO_MAX_PROFILES) { 761 head->r.eof = true; 762 return; 763 } 764 head->r.step++; 765 break; 766 case 2: 767 { 768 u8 i; 769 const struct tomoyo_path_info *comment = 770 profile->comment; 771 772 tomoyo_print_namespace(head); 773 tomoyo_io_printf(head, "%u-COMMENT=", index); 774 tomoyo_set_string(head, comment ? comment->name : ""); 775 tomoyo_set_lf(head); 776 tomoyo_print_namespace(head); 777 tomoyo_io_printf(head, "%u-PREFERENCE={ ", index); 778 for (i = 0; i < TOMOYO_MAX_PREF; i++) 779 tomoyo_io_printf(head, "%s=%u ", 780 tomoyo_pref_keywords[i], 781 profile->pref[i]); 782 tomoyo_set_string(head, "}\n"); 783 head->r.step++; 784 } 785 break; 786 case 3: 787 { 788 tomoyo_print_namespace(head); 789 tomoyo_io_printf(head, "%u-%s", index, "CONFIG"); 790 tomoyo_print_config(head, profile->default_config); 791 head->r.bit = 0; 792 head->r.step++; 793 } 794 break; 795 case 4: 796 for ( ; head->r.bit < TOMOYO_MAX_MAC_INDEX 797 + TOMOYO_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { 798 const u8 i = head->r.bit; 799 const u8 config = profile->config[i]; 800 801 if (config == TOMOYO_CONFIG_USE_DEFAULT) 802 continue; 803 tomoyo_print_namespace(head); 804 if (i < TOMOYO_MAX_MAC_INDEX) 805 tomoyo_io_printf(head, "%u-CONFIG::%s::%s", 806 index, 807 tomoyo_category_keywords 808 [tomoyo_index2category[i]], 809 tomoyo_mac_keywords[i]); 810 else 811 tomoyo_io_printf(head, "%u-CONFIG::%s", index, 812 tomoyo_mac_keywords[i]); 813 tomoyo_print_config(head, config); 814 head->r.bit++; 815 break; 816 } 817 if (head->r.bit == TOMOYO_MAX_MAC_INDEX 818 + TOMOYO_MAX_MAC_CATEGORY_INDEX) { 819 head->r.index++; 820 head->r.step = 1; 821 } 822 break; 823 } 824 if (tomoyo_flush(head)) 825 goto next; 826 } 827 828 /** 829 * tomoyo_same_manager - Check for duplicated "struct tomoyo_manager" entry. 830 * 831 * @a: Pointer to "struct tomoyo_acl_head". 832 * @b: Pointer to "struct tomoyo_acl_head". 833 * 834 * Returns true if @a == @b, false otherwise. 835 */ 836 static bool tomoyo_same_manager(const struct tomoyo_acl_head *a, 837 const struct tomoyo_acl_head *b) 838 { 839 return container_of(a, struct tomoyo_manager, head)->manager == 840 container_of(b, struct tomoyo_manager, head)->manager; 841 } 842 843 /** 844 * tomoyo_update_manager_entry - Add a manager entry. 845 * 846 * @manager: The path to manager or the domainnamme. 847 * @is_delete: True if it is a delete request. 848 * 849 * Returns 0 on success, negative value otherwise. 850 * 851 * Caller holds tomoyo_read_lock(). 852 */ 853 static int tomoyo_update_manager_entry(const char *manager, 854 const bool is_delete) 855 { 856 struct tomoyo_manager e = { }; 857 struct tomoyo_acl_param param = { 858 /* .ns = &tomoyo_kernel_namespace, */ 859 .is_delete = is_delete, 860 .list = &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER], 861 }; 862 int error = is_delete ? -ENOENT : -ENOMEM; 863 864 if (!tomoyo_correct_domain(manager) && 865 !tomoyo_correct_word(manager)) 866 return -EINVAL; 867 e.manager = tomoyo_get_name(manager); 868 if (e.manager) { 869 error = tomoyo_update_policy(&e.head, sizeof(e), ¶m, 870 tomoyo_same_manager); 871 tomoyo_put_name(e.manager); 872 } 873 return error; 874 } 875 876 /** 877 * tomoyo_write_manager - Write manager policy. 878 * 879 * @head: Pointer to "struct tomoyo_io_buffer". 880 * 881 * Returns 0 on success, negative value otherwise. 882 * 883 * Caller holds tomoyo_read_lock(). 884 */ 885 static int tomoyo_write_manager(struct tomoyo_io_buffer *head) 886 { 887 char *data = head->write_buf; 888 889 if (!strcmp(data, "manage_by_non_root")) { 890 tomoyo_manage_by_non_root = !head->w.is_delete; 891 return 0; 892 } 893 return tomoyo_update_manager_entry(data, head->w.is_delete); 894 } 895 896 /** 897 * tomoyo_read_manager - Read manager policy. 898 * 899 * @head: Pointer to "struct tomoyo_io_buffer". 900 * 901 * Caller holds tomoyo_read_lock(). 902 */ 903 static void tomoyo_read_manager(struct tomoyo_io_buffer *head) 904 { 905 if (head->r.eof) 906 return; 907 list_for_each_cookie(head->r.acl, &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER]) { 908 struct tomoyo_manager *ptr = 909 list_entry(head->r.acl, typeof(*ptr), head.list); 910 911 if (ptr->head.is_deleted) 912 continue; 913 if (!tomoyo_flush(head)) 914 return; 915 tomoyo_set_string(head, ptr->manager->name); 916 tomoyo_set_lf(head); 917 } 918 head->r.eof = true; 919 } 920 921 /** 922 * tomoyo_manager - Check whether the current process is a policy manager. 923 * 924 * Returns true if the current process is permitted to modify policy 925 * via /sys/kernel/security/tomoyo/ interface. 926 * 927 * Caller holds tomoyo_read_lock(). 928 */ 929 static bool tomoyo_manager(void) 930 { 931 struct tomoyo_manager *ptr; 932 const char *exe; 933 const struct task_struct *task = current; 934 const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; 935 bool found = IS_ENABLED(CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING); 936 937 if (!tomoyo_policy_loaded) 938 return true; 939 if (!tomoyo_manage_by_non_root && 940 (!uid_eq(task->cred->uid, GLOBAL_ROOT_UID) || 941 !uid_eq(task->cred->euid, GLOBAL_ROOT_UID))) 942 return false; 943 exe = tomoyo_get_exe(); 944 if (!exe) 945 return false; 946 list_for_each_entry_rcu(ptr, &tomoyo_kernel_namespace.policy_list[TOMOYO_ID_MANAGER], head.list, 947 srcu_read_lock_held(&tomoyo_ss)) { 948 if (!ptr->head.is_deleted && 949 (!tomoyo_pathcmp(domainname, ptr->manager) || 950 !strcmp(exe, ptr->manager->name))) { 951 found = true; 952 break; 953 } 954 } 955 if (!found) { /* Reduce error messages. */ 956 static pid_t last_pid; 957 const pid_t pid = current->pid; 958 959 if (last_pid != pid) { 960 pr_warn("%s ( %s ) is not permitted to update policies.\n", 961 domainname->name, exe); 962 last_pid = pid; 963 } 964 } 965 kfree(exe); 966 return found; 967 } 968 969 static struct tomoyo_domain_info *tomoyo_find_domain_by_qid 970 (unsigned int serial); 971 972 /** 973 * tomoyo_select_domain - Parse select command. 974 * 975 * @head: Pointer to "struct tomoyo_io_buffer". 976 * @data: String to parse. 977 * 978 * Returns true on success, false otherwise. 979 * 980 * Caller holds tomoyo_read_lock(). 981 */ 982 static bool tomoyo_select_domain(struct tomoyo_io_buffer *head, 983 const char *data) 984 { 985 unsigned int pid; 986 struct tomoyo_domain_info *domain = NULL; 987 bool global_pid = false; 988 989 if (strncmp(data, "select ", 7)) 990 return false; 991 data += 7; 992 if (sscanf(data, "pid=%u", &pid) == 1 || 993 (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) { 994 struct task_struct *p; 995 996 rcu_read_lock(); 997 if (global_pid) 998 p = find_task_by_pid_ns(pid, &init_pid_ns); 999 else 1000 p = find_task_by_vpid(pid); 1001 if (p) 1002 domain = tomoyo_task(p)->domain_info; 1003 rcu_read_unlock(); 1004 } else if (!strncmp(data, "domain=", 7)) { 1005 if (tomoyo_domain_def(data + 7)) 1006 domain = tomoyo_find_domain(data + 7); 1007 } else if (sscanf(data, "Q=%u", &pid) == 1) { 1008 domain = tomoyo_find_domain_by_qid(pid); 1009 } else 1010 return false; 1011 head->w.domain = domain; 1012 /* Accessing read_buf is safe because head->io_sem is held. */ 1013 if (!head->read_buf) 1014 return true; /* Do nothing if open(O_WRONLY). */ 1015 memset(&head->r, 0, sizeof(head->r)); 1016 head->r.print_this_domain_only = true; 1017 if (domain) 1018 head->r.domain = &domain->list; 1019 else 1020 head->r.eof = true; 1021 tomoyo_io_printf(head, "# select %s\n", data); 1022 if (domain && domain->is_deleted) 1023 tomoyo_io_printf(head, "# This is a deleted domain.\n"); 1024 return true; 1025 } 1026 1027 /** 1028 * tomoyo_same_task_acl - Check for duplicated "struct tomoyo_task_acl" entry. 1029 * 1030 * @a: Pointer to "struct tomoyo_acl_info". 1031 * @b: Pointer to "struct tomoyo_acl_info". 1032 * 1033 * Returns true if @a == @b, false otherwise. 1034 */ 1035 static bool tomoyo_same_task_acl(const struct tomoyo_acl_info *a, 1036 const struct tomoyo_acl_info *b) 1037 { 1038 const struct tomoyo_task_acl *p1 = container_of(a, typeof(*p1), head); 1039 const struct tomoyo_task_acl *p2 = container_of(b, typeof(*p2), head); 1040 1041 return p1->domainname == p2->domainname; 1042 } 1043 1044 /** 1045 * tomoyo_write_task - Update task related list. 1046 * 1047 * @param: Pointer to "struct tomoyo_acl_param". 1048 * 1049 * Returns 0 on success, negative value otherwise. 1050 * 1051 * Caller holds tomoyo_read_lock(). 1052 */ 1053 static int tomoyo_write_task(struct tomoyo_acl_param *param) 1054 { 1055 int error = -EINVAL; 1056 1057 if (tomoyo_str_starts(¶m->data, "manual_domain_transition ")) { 1058 struct tomoyo_task_acl e = { 1059 .head.type = TOMOYO_TYPE_MANUAL_TASK_ACL, 1060 .domainname = tomoyo_get_domainname(param), 1061 }; 1062 1063 if (e.domainname) 1064 error = tomoyo_update_domain(&e.head, sizeof(e), param, 1065 tomoyo_same_task_acl, 1066 NULL); 1067 tomoyo_put_name(e.domainname); 1068 } 1069 return error; 1070 } 1071 1072 /** 1073 * tomoyo_delete_domain - Delete a domain. 1074 * 1075 * @domainname: The name of domain. 1076 * 1077 * Returns 0 on success, negative value otherwise. 1078 * 1079 * Caller holds tomoyo_read_lock(). 1080 */ 1081 static int tomoyo_delete_domain(char *domainname) 1082 { 1083 struct tomoyo_domain_info *domain; 1084 struct tomoyo_path_info name; 1085 1086 name.name = domainname; 1087 tomoyo_fill_path_info(&name); 1088 if (mutex_lock_interruptible(&tomoyo_policy_lock)) 1089 return -EINTR; 1090 /* Is there an active domain? */ 1091 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list, 1092 srcu_read_lock_held(&tomoyo_ss)) { 1093 /* Never delete tomoyo_kernel_domain */ 1094 if (domain == &tomoyo_kernel_domain) 1095 continue; 1096 if (domain->is_deleted || 1097 tomoyo_pathcmp(domain->domainname, &name)) 1098 continue; 1099 domain->is_deleted = true; 1100 break; 1101 } 1102 mutex_unlock(&tomoyo_policy_lock); 1103 return 0; 1104 } 1105 1106 /** 1107 * tomoyo_write_domain2 - Write domain policy. 1108 * 1109 * @ns: Pointer to "struct tomoyo_policy_namespace". 1110 * @list: Pointer to "struct list_head". 1111 * @data: Policy to be interpreted. 1112 * @is_delete: True if it is a delete request. 1113 * 1114 * Returns 0 on success, negative value otherwise. 1115 * 1116 * Caller holds tomoyo_read_lock(). 1117 */ 1118 static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns, 1119 struct list_head *list, char *data, 1120 const bool is_delete) 1121 { 1122 struct tomoyo_acl_param param = { 1123 .ns = ns, 1124 .list = list, 1125 .data = data, 1126 .is_delete = is_delete, 1127 }; 1128 static const struct { 1129 const char *keyword; 1130 int (*write)(struct tomoyo_acl_param *param); 1131 } tomoyo_callback[5] = { 1132 { "file ", tomoyo_write_file }, 1133 { "network inet ", tomoyo_write_inet_network }, 1134 { "network unix ", tomoyo_write_unix_network }, 1135 { "misc ", tomoyo_write_misc }, 1136 { "task ", tomoyo_write_task }, 1137 }; 1138 u8 i; 1139 1140 for (i = 0; i < ARRAY_SIZE(tomoyo_callback); i++) { 1141 if (!tomoyo_str_starts(¶m.data, 1142 tomoyo_callback[i].keyword)) 1143 continue; 1144 return tomoyo_callback[i].write(¶m); 1145 } 1146 return -EINVAL; 1147 } 1148 1149 /* String table for domain flags. */ 1150 const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS] = { 1151 [TOMOYO_DIF_QUOTA_WARNED] = "quota_exceeded\n", 1152 [TOMOYO_DIF_TRANSITION_FAILED] = "transition_failed\n", 1153 }; 1154 1155 /** 1156 * tomoyo_write_domain - Write domain policy. 1157 * 1158 * @head: Pointer to "struct tomoyo_io_buffer". 1159 * 1160 * Returns 0 on success, negative value otherwise. 1161 * 1162 * Caller holds tomoyo_read_lock(). 1163 */ 1164 static int tomoyo_write_domain(struct tomoyo_io_buffer *head) 1165 { 1166 char *data = head->write_buf; 1167 struct tomoyo_policy_namespace *ns; 1168 struct tomoyo_domain_info *domain = head->w.domain; 1169 const bool is_delete = head->w.is_delete; 1170 bool is_select = !is_delete && tomoyo_str_starts(&data, "select "); 1171 unsigned int idx; 1172 1173 if (*data == '<') { 1174 int ret = 0; 1175 1176 domain = NULL; 1177 if (is_delete) 1178 ret = tomoyo_delete_domain(data); 1179 else if (is_select) 1180 domain = tomoyo_find_domain(data); 1181 else 1182 domain = tomoyo_assign_domain(data, false); 1183 head->w.domain = domain; 1184 return ret; 1185 } 1186 if (!domain) 1187 return -EINVAL; 1188 ns = domain->ns; 1189 if (sscanf(data, "use_profile %u", &idx) == 1 1190 && idx < TOMOYO_MAX_PROFILES) { 1191 if (!tomoyo_policy_loaded || ns->profile_ptr[idx]) 1192 if (!is_delete) 1193 domain->profile = (u8) idx; 1194 return 0; 1195 } 1196 if (sscanf(data, "use_group %u\n", &idx) == 1 1197 && idx < TOMOYO_MAX_ACL_GROUPS) { 1198 if (!is_delete) 1199 set_bit(idx, domain->group); 1200 else 1201 clear_bit(idx, domain->group); 1202 return 0; 1203 } 1204 for (idx = 0; idx < TOMOYO_MAX_DOMAIN_INFO_FLAGS; idx++) { 1205 const char *cp = tomoyo_dif[idx]; 1206 1207 if (strncmp(data, cp, strlen(cp) - 1)) 1208 continue; 1209 domain->flags[idx] = !is_delete; 1210 return 0; 1211 } 1212 return tomoyo_write_domain2(ns, &domain->acl_info_list, data, 1213 is_delete); 1214 } 1215 1216 /** 1217 * tomoyo_print_condition - Print condition part. 1218 * 1219 * @head: Pointer to "struct tomoyo_io_buffer". 1220 * @cond: Pointer to "struct tomoyo_condition". 1221 * 1222 * Returns true on success, false otherwise. 1223 */ 1224 static bool tomoyo_print_condition(struct tomoyo_io_buffer *head, 1225 const struct tomoyo_condition *cond) 1226 { 1227 switch (head->r.cond_step) { 1228 case 0: 1229 head->r.cond_index = 0; 1230 head->r.cond_step++; 1231 if (cond->transit) { 1232 tomoyo_set_space(head); 1233 tomoyo_set_string(head, cond->transit->name); 1234 } 1235 fallthrough; 1236 case 1: 1237 { 1238 const u16 condc = cond->condc; 1239 const struct tomoyo_condition_element *condp = 1240 (typeof(condp)) (cond + 1); 1241 const struct tomoyo_number_union *numbers_p = 1242 (typeof(numbers_p)) (condp + condc); 1243 const struct tomoyo_name_union *names_p = 1244 (typeof(names_p)) 1245 (numbers_p + cond->numbers_count); 1246 const struct tomoyo_argv *argv = 1247 (typeof(argv)) (names_p + cond->names_count); 1248 const struct tomoyo_envp *envp = 1249 (typeof(envp)) (argv + cond->argc); 1250 u16 skip; 1251 1252 for (skip = 0; skip < head->r.cond_index; skip++) { 1253 const u8 left = condp->left; 1254 const u8 right = condp->right; 1255 1256 condp++; 1257 switch (left) { 1258 case TOMOYO_ARGV_ENTRY: 1259 argv++; 1260 continue; 1261 case TOMOYO_ENVP_ENTRY: 1262 envp++; 1263 continue; 1264 case TOMOYO_NUMBER_UNION: 1265 numbers_p++; 1266 break; 1267 } 1268 switch (right) { 1269 case TOMOYO_NAME_UNION: 1270 names_p++; 1271 break; 1272 case TOMOYO_NUMBER_UNION: 1273 numbers_p++; 1274 break; 1275 } 1276 } 1277 while (head->r.cond_index < condc) { 1278 const u8 match = condp->equals; 1279 const u8 left = condp->left; 1280 const u8 right = condp->right; 1281 1282 if (!tomoyo_flush(head)) 1283 return false; 1284 condp++; 1285 head->r.cond_index++; 1286 tomoyo_set_space(head); 1287 switch (left) { 1288 case TOMOYO_ARGV_ENTRY: 1289 tomoyo_io_printf(head, 1290 "exec.argv[%lu]%s=\"", 1291 argv->index, argv->is_not ? "!" : ""); 1292 tomoyo_set_string(head, 1293 argv->value->name); 1294 tomoyo_set_string(head, "\""); 1295 argv++; 1296 continue; 1297 case TOMOYO_ENVP_ENTRY: 1298 tomoyo_set_string(head, 1299 "exec.envp[\""); 1300 tomoyo_set_string(head, 1301 envp->name->name); 1302 tomoyo_io_printf(head, "\"]%s=", envp->is_not ? "!" : ""); 1303 if (envp->value) { 1304 tomoyo_set_string(head, "\""); 1305 tomoyo_set_string(head, envp->value->name); 1306 tomoyo_set_string(head, "\""); 1307 } else { 1308 tomoyo_set_string(head, 1309 "NULL"); 1310 } 1311 envp++; 1312 continue; 1313 case TOMOYO_NUMBER_UNION: 1314 tomoyo_print_number_union_nospace 1315 (head, numbers_p++); 1316 break; 1317 default: 1318 tomoyo_set_string(head, 1319 tomoyo_condition_keyword[left]); 1320 break; 1321 } 1322 tomoyo_set_string(head, match ? "=" : "!="); 1323 switch (right) { 1324 case TOMOYO_NAME_UNION: 1325 tomoyo_print_name_union_quoted 1326 (head, names_p++); 1327 break; 1328 case TOMOYO_NUMBER_UNION: 1329 tomoyo_print_number_union_nospace 1330 (head, numbers_p++); 1331 break; 1332 default: 1333 tomoyo_set_string(head, 1334 tomoyo_condition_keyword[right]); 1335 break; 1336 } 1337 } 1338 } 1339 head->r.cond_step++; 1340 fallthrough; 1341 case 2: 1342 if (!tomoyo_flush(head)) 1343 break; 1344 head->r.cond_step++; 1345 fallthrough; 1346 case 3: 1347 if (cond->grant_log != TOMOYO_GRANTLOG_AUTO) 1348 tomoyo_io_printf(head, " grant_log=%s", 1349 str_yes_no(cond->grant_log == 1350 TOMOYO_GRANTLOG_YES)); 1351 tomoyo_set_lf(head); 1352 return true; 1353 } 1354 return false; 1355 } 1356 1357 /** 1358 * tomoyo_set_group - Print "acl_group " header keyword and category name. 1359 * 1360 * @head: Pointer to "struct tomoyo_io_buffer". 1361 * @category: Category name. 1362 * 1363 * Returns nothing. 1364 */ 1365 static void tomoyo_set_group(struct tomoyo_io_buffer *head, 1366 const char *category) 1367 { 1368 if (head->type == TOMOYO_EXCEPTIONPOLICY) { 1369 tomoyo_print_namespace(head); 1370 tomoyo_io_printf(head, "acl_group %u ", 1371 head->r.acl_group_index); 1372 } 1373 tomoyo_set_string(head, category); 1374 } 1375 1376 /** 1377 * tomoyo_print_entry - Print an ACL entry. 1378 * 1379 * @head: Pointer to "struct tomoyo_io_buffer". 1380 * @acl: Pointer to an ACL entry. 1381 * 1382 * Returns true on success, false otherwise. 1383 */ 1384 static bool tomoyo_print_entry(struct tomoyo_io_buffer *head, 1385 struct tomoyo_acl_info *acl) 1386 { 1387 const u8 acl_type = acl->type; 1388 bool first = true; 1389 u8 bit; 1390 1391 if (head->r.print_cond_part) 1392 goto print_cond_part; 1393 if (acl->is_deleted) 1394 return true; 1395 if (!tomoyo_flush(head)) 1396 return false; 1397 else if (acl_type == TOMOYO_TYPE_PATH_ACL) { 1398 struct tomoyo_path_acl *ptr = 1399 container_of(acl, typeof(*ptr), head); 1400 const u16 perm = ptr->perm; 1401 1402 for (bit = 0; bit < TOMOYO_MAX_PATH_OPERATION; bit++) { 1403 if (!(perm & (1 << bit))) 1404 continue; 1405 if (head->r.print_transition_related_only && 1406 bit != TOMOYO_TYPE_EXECUTE) 1407 continue; 1408 if (first) { 1409 tomoyo_set_group(head, "file "); 1410 first = false; 1411 } else { 1412 tomoyo_set_slash(head); 1413 } 1414 tomoyo_set_string(head, tomoyo_path_keyword[bit]); 1415 } 1416 if (first) 1417 return true; 1418 tomoyo_print_name_union(head, &ptr->name); 1419 } else if (acl_type == TOMOYO_TYPE_MANUAL_TASK_ACL) { 1420 struct tomoyo_task_acl *ptr = 1421 container_of(acl, typeof(*ptr), head); 1422 1423 tomoyo_set_group(head, "task "); 1424 tomoyo_set_string(head, "manual_domain_transition "); 1425 tomoyo_set_string(head, ptr->domainname->name); 1426 } else if (head->r.print_transition_related_only) { 1427 return true; 1428 } else if (acl_type == TOMOYO_TYPE_PATH2_ACL) { 1429 struct tomoyo_path2_acl *ptr = 1430 container_of(acl, typeof(*ptr), head); 1431 const u8 perm = ptr->perm; 1432 1433 for (bit = 0; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) { 1434 if (!(perm & (1 << bit))) 1435 continue; 1436 if (first) { 1437 tomoyo_set_group(head, "file "); 1438 first = false; 1439 } else { 1440 tomoyo_set_slash(head); 1441 } 1442 tomoyo_set_string(head, tomoyo_mac_keywords 1443 [tomoyo_pp2mac[bit]]); 1444 } 1445 if (first) 1446 return true; 1447 tomoyo_print_name_union(head, &ptr->name1); 1448 tomoyo_print_name_union(head, &ptr->name2); 1449 } else if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) { 1450 struct tomoyo_path_number_acl *ptr = 1451 container_of(acl, typeof(*ptr), head); 1452 const u8 perm = ptr->perm; 1453 1454 for (bit = 0; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION; bit++) { 1455 if (!(perm & (1 << bit))) 1456 continue; 1457 if (first) { 1458 tomoyo_set_group(head, "file "); 1459 first = false; 1460 } else { 1461 tomoyo_set_slash(head); 1462 } 1463 tomoyo_set_string(head, tomoyo_mac_keywords 1464 [tomoyo_pn2mac[bit]]); 1465 } 1466 if (first) 1467 return true; 1468 tomoyo_print_name_union(head, &ptr->name); 1469 tomoyo_print_number_union(head, &ptr->number); 1470 } else if (acl_type == TOMOYO_TYPE_MKDEV_ACL) { 1471 struct tomoyo_mkdev_acl *ptr = 1472 container_of(acl, typeof(*ptr), head); 1473 const u8 perm = ptr->perm; 1474 1475 for (bit = 0; bit < TOMOYO_MAX_MKDEV_OPERATION; bit++) { 1476 if (!(perm & (1 << bit))) 1477 continue; 1478 if (first) { 1479 tomoyo_set_group(head, "file "); 1480 first = false; 1481 } else { 1482 tomoyo_set_slash(head); 1483 } 1484 tomoyo_set_string(head, tomoyo_mac_keywords 1485 [tomoyo_pnnn2mac[bit]]); 1486 } 1487 if (first) 1488 return true; 1489 tomoyo_print_name_union(head, &ptr->name); 1490 tomoyo_print_number_union(head, &ptr->mode); 1491 tomoyo_print_number_union(head, &ptr->major); 1492 tomoyo_print_number_union(head, &ptr->minor); 1493 } else if (acl_type == TOMOYO_TYPE_INET_ACL) { 1494 struct tomoyo_inet_acl *ptr = 1495 container_of(acl, typeof(*ptr), head); 1496 const u8 perm = ptr->perm; 1497 1498 for (bit = 0; bit < TOMOYO_MAX_NETWORK_OPERATION; bit++) { 1499 if (!(perm & (1 << bit))) 1500 continue; 1501 if (first) { 1502 tomoyo_set_group(head, "network inet "); 1503 tomoyo_set_string(head, tomoyo_proto_keyword 1504 [ptr->protocol]); 1505 tomoyo_set_space(head); 1506 first = false; 1507 } else { 1508 tomoyo_set_slash(head); 1509 } 1510 tomoyo_set_string(head, tomoyo_socket_keyword[bit]); 1511 } 1512 if (first) 1513 return true; 1514 tomoyo_set_space(head); 1515 if (ptr->address.group) { 1516 tomoyo_set_string(head, "@"); 1517 tomoyo_set_string(head, ptr->address.group->group_name 1518 ->name); 1519 } else { 1520 char buf[128]; 1521 1522 tomoyo_print_ip(buf, sizeof(buf), &ptr->address); 1523 tomoyo_io_printf(head, "%s", buf); 1524 } 1525 tomoyo_print_number_union(head, &ptr->port); 1526 } else if (acl_type == TOMOYO_TYPE_UNIX_ACL) { 1527 struct tomoyo_unix_acl *ptr = 1528 container_of(acl, typeof(*ptr), head); 1529 const u8 perm = ptr->perm; 1530 1531 for (bit = 0; bit < TOMOYO_MAX_NETWORK_OPERATION; bit++) { 1532 if (!(perm & (1 << bit))) 1533 continue; 1534 if (first) { 1535 tomoyo_set_group(head, "network unix "); 1536 tomoyo_set_string(head, tomoyo_proto_keyword 1537 [ptr->protocol]); 1538 tomoyo_set_space(head); 1539 first = false; 1540 } else { 1541 tomoyo_set_slash(head); 1542 } 1543 tomoyo_set_string(head, tomoyo_socket_keyword[bit]); 1544 } 1545 if (first) 1546 return true; 1547 tomoyo_print_name_union(head, &ptr->name); 1548 } else if (acl_type == TOMOYO_TYPE_MOUNT_ACL) { 1549 struct tomoyo_mount_acl *ptr = 1550 container_of(acl, typeof(*ptr), head); 1551 1552 tomoyo_set_group(head, "file mount"); 1553 tomoyo_print_name_union(head, &ptr->dev_name); 1554 tomoyo_print_name_union(head, &ptr->dir_name); 1555 tomoyo_print_name_union(head, &ptr->fs_type); 1556 tomoyo_print_number_union(head, &ptr->flags); 1557 } else if (acl_type == TOMOYO_TYPE_ENV_ACL) { 1558 struct tomoyo_env_acl *ptr = 1559 container_of(acl, typeof(*ptr), head); 1560 1561 tomoyo_set_group(head, "misc env "); 1562 tomoyo_set_string(head, ptr->env->name); 1563 } 1564 if (acl->cond) { 1565 head->r.print_cond_part = true; 1566 head->r.cond_step = 0; 1567 if (!tomoyo_flush(head)) 1568 return false; 1569 print_cond_part: 1570 if (!tomoyo_print_condition(head, acl->cond)) 1571 return false; 1572 head->r.print_cond_part = false; 1573 } else { 1574 tomoyo_set_lf(head); 1575 } 1576 return true; 1577 } 1578 1579 /** 1580 * tomoyo_read_domain2 - Read domain policy. 1581 * 1582 * @head: Pointer to "struct tomoyo_io_buffer". 1583 * @list: Pointer to "struct list_head". 1584 * 1585 * Caller holds tomoyo_read_lock(). 1586 * 1587 * Returns true on success, false otherwise. 1588 */ 1589 static bool tomoyo_read_domain2(struct tomoyo_io_buffer *head, 1590 struct list_head *list) 1591 { 1592 list_for_each_cookie(head->r.acl, list) { 1593 struct tomoyo_acl_info *ptr = 1594 list_entry(head->r.acl, typeof(*ptr), list); 1595 1596 if (!tomoyo_print_entry(head, ptr)) 1597 return false; 1598 } 1599 head->r.acl = NULL; 1600 return true; 1601 } 1602 1603 /** 1604 * tomoyo_read_domain - Read domain policy. 1605 * 1606 * @head: Pointer to "struct tomoyo_io_buffer". 1607 * 1608 * Caller holds tomoyo_read_lock(). 1609 */ 1610 static void tomoyo_read_domain(struct tomoyo_io_buffer *head) 1611 { 1612 if (head->r.eof) 1613 return; 1614 list_for_each_cookie(head->r.domain, &tomoyo_domain_list) { 1615 struct tomoyo_domain_info *domain = 1616 list_entry(head->r.domain, typeof(*domain), list); 1617 u8 i; 1618 1619 switch (head->r.step) { 1620 case 0: 1621 if (domain->is_deleted && 1622 !head->r.print_this_domain_only) 1623 continue; 1624 /* Print domainname and flags. */ 1625 tomoyo_set_string(head, domain->domainname->name); 1626 tomoyo_set_lf(head); 1627 tomoyo_io_printf(head, "use_profile %u\n", 1628 domain->profile); 1629 for (i = 0; i < TOMOYO_MAX_DOMAIN_INFO_FLAGS; i++) 1630 if (domain->flags[i]) 1631 tomoyo_set_string(head, tomoyo_dif[i]); 1632 head->r.index = 0; 1633 head->r.step++; 1634 fallthrough; 1635 case 1: 1636 while (head->r.index < TOMOYO_MAX_ACL_GROUPS) { 1637 i = head->r.index++; 1638 if (!test_bit(i, domain->group)) 1639 continue; 1640 tomoyo_io_printf(head, "use_group %u\n", i); 1641 if (!tomoyo_flush(head)) 1642 return; 1643 } 1644 head->r.index = 0; 1645 head->r.step++; 1646 tomoyo_set_lf(head); 1647 fallthrough; 1648 case 2: 1649 if (!tomoyo_read_domain2(head, &domain->acl_info_list)) 1650 return; 1651 head->r.step++; 1652 if (!tomoyo_set_lf(head)) 1653 return; 1654 fallthrough; 1655 case 3: 1656 head->r.step = 0; 1657 if (head->r.print_this_domain_only) 1658 goto done; 1659 } 1660 } 1661 done: 1662 head->r.eof = true; 1663 } 1664 1665 /** 1666 * tomoyo_write_pid: Specify PID to obtain domainname. 1667 * 1668 * @head: Pointer to "struct tomoyo_io_buffer". 1669 * 1670 * Returns 0. 1671 */ 1672 static int tomoyo_write_pid(struct tomoyo_io_buffer *head) 1673 { 1674 head->r.eof = false; 1675 return 0; 1676 } 1677 1678 /** 1679 * tomoyo_read_pid - Get domainname of the specified PID. 1680 * 1681 * @head: Pointer to "struct tomoyo_io_buffer". 1682 * 1683 * Returns the domainname which the specified PID is in on success, 1684 * empty string otherwise. 1685 * The PID is specified by tomoyo_write_pid() so that the user can obtain 1686 * using read()/write() interface rather than sysctl() interface. 1687 */ 1688 static void tomoyo_read_pid(struct tomoyo_io_buffer *head) 1689 { 1690 char *buf = head->write_buf; 1691 bool global_pid = false; 1692 unsigned int pid; 1693 struct task_struct *p; 1694 struct tomoyo_domain_info *domain = NULL; 1695 1696 /* Accessing write_buf is safe because head->io_sem is held. */ 1697 if (!buf) { 1698 head->r.eof = true; 1699 return; /* Do nothing if open(O_RDONLY). */ 1700 } 1701 if (head->r.w_pos || head->r.eof) 1702 return; 1703 head->r.eof = true; 1704 if (tomoyo_str_starts(&buf, "global-pid ")) 1705 global_pid = true; 1706 if (kstrtouint(buf, 10, &pid)) 1707 return; 1708 rcu_read_lock(); 1709 if (global_pid) 1710 p = find_task_by_pid_ns(pid, &init_pid_ns); 1711 else 1712 p = find_task_by_vpid(pid); 1713 if (p) 1714 domain = tomoyo_task(p)->domain_info; 1715 rcu_read_unlock(); 1716 if (!domain) 1717 return; 1718 tomoyo_io_printf(head, "%u %u ", pid, domain->profile); 1719 tomoyo_set_string(head, domain->domainname->name); 1720 } 1721 1722 /* String table for domain transition control keywords. */ 1723 static const char *tomoyo_transition_type[TOMOYO_MAX_TRANSITION_TYPE] = { 1724 [TOMOYO_TRANSITION_CONTROL_NO_RESET] = "no_reset_domain ", 1725 [TOMOYO_TRANSITION_CONTROL_RESET] = "reset_domain ", 1726 [TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ", 1727 [TOMOYO_TRANSITION_CONTROL_INITIALIZE] = "initialize_domain ", 1728 [TOMOYO_TRANSITION_CONTROL_NO_KEEP] = "no_keep_domain ", 1729 [TOMOYO_TRANSITION_CONTROL_KEEP] = "keep_domain ", 1730 }; 1731 1732 /* String table for grouping keywords. */ 1733 static const char *tomoyo_group_name[TOMOYO_MAX_GROUP] = { 1734 [TOMOYO_PATH_GROUP] = "path_group ", 1735 [TOMOYO_NUMBER_GROUP] = "number_group ", 1736 [TOMOYO_ADDRESS_GROUP] = "address_group ", 1737 }; 1738 1739 /** 1740 * tomoyo_write_exception - Write exception policy. 1741 * 1742 * @head: Pointer to "struct tomoyo_io_buffer". 1743 * 1744 * Returns 0 on success, negative value otherwise. 1745 * 1746 * Caller holds tomoyo_read_lock(). 1747 */ 1748 static int tomoyo_write_exception(struct tomoyo_io_buffer *head) 1749 { 1750 const bool is_delete = head->w.is_delete; 1751 struct tomoyo_acl_param param = { 1752 .ns = head->w.ns, 1753 .is_delete = is_delete, 1754 .data = head->write_buf, 1755 }; 1756 u8 i; 1757 1758 if (tomoyo_str_starts(¶m.data, "aggregator ")) 1759 return tomoyo_write_aggregator(¶m); 1760 for (i = 0; i < TOMOYO_MAX_TRANSITION_TYPE; i++) 1761 if (tomoyo_str_starts(¶m.data, tomoyo_transition_type[i])) 1762 return tomoyo_write_transition_control(¶m, i); 1763 for (i = 0; i < TOMOYO_MAX_GROUP; i++) 1764 if (tomoyo_str_starts(¶m.data, tomoyo_group_name[i])) 1765 return tomoyo_write_group(¶m, i); 1766 if (tomoyo_str_starts(¶m.data, "acl_group ")) { 1767 unsigned int group; 1768 char *data; 1769 1770 group = simple_strtoul(param.data, &data, 10); 1771 if (group < TOMOYO_MAX_ACL_GROUPS && *data++ == ' ') 1772 return tomoyo_write_domain2 1773 (head->w.ns, &head->w.ns->acl_group[group], 1774 data, is_delete); 1775 } 1776 return -EINVAL; 1777 } 1778 1779 /** 1780 * tomoyo_read_group - Read "struct tomoyo_path_group"/"struct tomoyo_number_group"/"struct tomoyo_address_group" list. 1781 * 1782 * @head: Pointer to "struct tomoyo_io_buffer". 1783 * @idx: Index number. 1784 * 1785 * Returns true on success, false otherwise. 1786 * 1787 * Caller holds tomoyo_read_lock(). 1788 */ 1789 static bool tomoyo_read_group(struct tomoyo_io_buffer *head, const int idx) 1790 { 1791 struct tomoyo_policy_namespace *ns = 1792 container_of(head->r.ns, typeof(*ns), namespace_list); 1793 struct list_head *list = &ns->group_list[idx]; 1794 1795 list_for_each_cookie(head->r.group, list) { 1796 struct tomoyo_group *group = 1797 list_entry(head->r.group, typeof(*group), head.list); 1798 1799 list_for_each_cookie(head->r.acl, &group->member_list) { 1800 struct tomoyo_acl_head *ptr = 1801 list_entry(head->r.acl, typeof(*ptr), list); 1802 1803 if (ptr->is_deleted) 1804 continue; 1805 if (!tomoyo_flush(head)) 1806 return false; 1807 tomoyo_print_namespace(head); 1808 tomoyo_set_string(head, tomoyo_group_name[idx]); 1809 tomoyo_set_string(head, group->group_name->name); 1810 if (idx == TOMOYO_PATH_GROUP) { 1811 tomoyo_set_space(head); 1812 tomoyo_set_string(head, container_of 1813 (ptr, struct tomoyo_path_group, 1814 head)->member_name->name); 1815 } else if (idx == TOMOYO_NUMBER_GROUP) { 1816 tomoyo_print_number_union(head, &container_of 1817 (ptr, 1818 struct tomoyo_number_group, 1819 head)->number); 1820 } else if (idx == TOMOYO_ADDRESS_GROUP) { 1821 char buffer[128]; 1822 struct tomoyo_address_group *member = 1823 container_of(ptr, typeof(*member), 1824 head); 1825 1826 tomoyo_print_ip(buffer, sizeof(buffer), 1827 &member->address); 1828 tomoyo_io_printf(head, " %s", buffer); 1829 } 1830 tomoyo_set_lf(head); 1831 } 1832 head->r.acl = NULL; 1833 } 1834 head->r.group = NULL; 1835 return true; 1836 } 1837 1838 /** 1839 * tomoyo_read_policy - Read "struct tomoyo_..._entry" list. 1840 * 1841 * @head: Pointer to "struct tomoyo_io_buffer". 1842 * @idx: Index number. 1843 * 1844 * Returns true on success, false otherwise. 1845 * 1846 * Caller holds tomoyo_read_lock(). 1847 */ 1848 static bool tomoyo_read_policy(struct tomoyo_io_buffer *head, const int idx) 1849 { 1850 struct tomoyo_policy_namespace *ns = 1851 container_of(head->r.ns, typeof(*ns), namespace_list); 1852 struct list_head *list = &ns->policy_list[idx]; 1853 1854 list_for_each_cookie(head->r.acl, list) { 1855 struct tomoyo_acl_head *acl = 1856 container_of(head->r.acl, typeof(*acl), list); 1857 if (acl->is_deleted) 1858 continue; 1859 if (!tomoyo_flush(head)) 1860 return false; 1861 switch (idx) { 1862 case TOMOYO_ID_TRANSITION_CONTROL: 1863 { 1864 struct tomoyo_transition_control *ptr = 1865 container_of(acl, typeof(*ptr), head); 1866 1867 tomoyo_print_namespace(head); 1868 tomoyo_set_string(head, tomoyo_transition_type 1869 [ptr->type]); 1870 tomoyo_set_string(head, ptr->program ? 1871 ptr->program->name : "any"); 1872 tomoyo_set_string(head, " from "); 1873 tomoyo_set_string(head, ptr->domainname ? 1874 ptr->domainname->name : 1875 "any"); 1876 } 1877 break; 1878 case TOMOYO_ID_AGGREGATOR: 1879 { 1880 struct tomoyo_aggregator *ptr = 1881 container_of(acl, typeof(*ptr), head); 1882 1883 tomoyo_print_namespace(head); 1884 tomoyo_set_string(head, "aggregator "); 1885 tomoyo_set_string(head, 1886 ptr->original_name->name); 1887 tomoyo_set_space(head); 1888 tomoyo_set_string(head, 1889 ptr->aggregated_name->name); 1890 } 1891 break; 1892 default: 1893 continue; 1894 } 1895 tomoyo_set_lf(head); 1896 } 1897 head->r.acl = NULL; 1898 return true; 1899 } 1900 1901 /** 1902 * tomoyo_read_exception - Read exception policy. 1903 * 1904 * @head: Pointer to "struct tomoyo_io_buffer". 1905 * 1906 * Caller holds tomoyo_read_lock(). 1907 */ 1908 static void tomoyo_read_exception(struct tomoyo_io_buffer *head) 1909 { 1910 struct tomoyo_policy_namespace *ns = 1911 container_of(head->r.ns, typeof(*ns), namespace_list); 1912 1913 if (head->r.eof) 1914 return; 1915 while (head->r.step < TOMOYO_MAX_POLICY && 1916 tomoyo_read_policy(head, head->r.step)) 1917 head->r.step++; 1918 if (head->r.step < TOMOYO_MAX_POLICY) 1919 return; 1920 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP && 1921 tomoyo_read_group(head, head->r.step - TOMOYO_MAX_POLICY)) 1922 head->r.step++; 1923 if (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP) 1924 return; 1925 while (head->r.step < TOMOYO_MAX_POLICY + TOMOYO_MAX_GROUP 1926 + TOMOYO_MAX_ACL_GROUPS) { 1927 head->r.acl_group_index = head->r.step - TOMOYO_MAX_POLICY 1928 - TOMOYO_MAX_GROUP; 1929 if (!tomoyo_read_domain2(head, &ns->acl_group 1930 [head->r.acl_group_index])) 1931 return; 1932 head->r.step++; 1933 } 1934 head->r.eof = true; 1935 } 1936 1937 /* Wait queue for kernel -> userspace notification. */ 1938 static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait); 1939 /* Wait queue for userspace -> kernel notification. */ 1940 static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait); 1941 1942 /* Structure for query. */ 1943 struct tomoyo_query { 1944 struct list_head list; 1945 struct tomoyo_domain_info *domain; 1946 char *query; 1947 size_t query_len; 1948 unsigned int serial; 1949 u8 timer; 1950 u8 answer; 1951 u8 retry; 1952 }; 1953 1954 /* The list for "struct tomoyo_query". */ 1955 static LIST_HEAD(tomoyo_query_list); 1956 1957 /* Lock for manipulating tomoyo_query_list. */ 1958 static DEFINE_SPINLOCK(tomoyo_query_list_lock); 1959 1960 /* 1961 * Number of "struct file" referring /sys/kernel/security/tomoyo/query 1962 * interface. 1963 */ 1964 static atomic_t tomoyo_query_observers = ATOMIC_INIT(0); 1965 1966 /** 1967 * tomoyo_truncate - Truncate a line. 1968 * 1969 * @str: String to truncate. 1970 * 1971 * Returns length of truncated @str. 1972 */ 1973 static int tomoyo_truncate(char *str) 1974 { 1975 char *start = str; 1976 1977 while (*(unsigned char *) str > (unsigned char) ' ') 1978 str++; 1979 *str = '\0'; 1980 return strlen(start) + 1; 1981 } 1982 1983 /** 1984 * tomoyo_add_entry - Add an ACL to current thread's domain. Used by learning mode. 1985 * 1986 * @domain: Pointer to "struct tomoyo_domain_info". 1987 * @header: Lines containing ACL. 1988 * 1989 * Returns nothing. 1990 */ 1991 static void tomoyo_add_entry(struct tomoyo_domain_info *domain, char *header) 1992 { 1993 char *buffer; 1994 char *realpath = NULL; 1995 char *argv0 = NULL; 1996 char *symlink = NULL; 1997 char *cp = strchr(header, '\n'); 1998 int len; 1999 2000 if (!cp) 2001 return; 2002 cp = strchr(cp + 1, '\n'); 2003 if (!cp) 2004 return; 2005 *cp++ = '\0'; 2006 len = strlen(cp) + 1; 2007 /* strstr() will return NULL if ordering is wrong. */ 2008 if (*cp == 'f') { 2009 argv0 = strstr(header, " argv[]={ \""); 2010 if (argv0) { 2011 argv0 += 10; 2012 len += tomoyo_truncate(argv0) + 14; 2013 } 2014 realpath = strstr(header, " exec={ realpath=\""); 2015 if (realpath) { 2016 realpath += 8; 2017 len += tomoyo_truncate(realpath) + 6; 2018 } 2019 symlink = strstr(header, " symlink.target=\""); 2020 if (symlink) 2021 len += tomoyo_truncate(symlink + 1) + 1; 2022 } 2023 buffer = kmalloc(len, GFP_NOFS); 2024 if (!buffer) 2025 return; 2026 snprintf(buffer, len - 1, "%s", cp); 2027 if (*cp == 'f' && strchr(buffer, ':')) { 2028 /* Automatically replace 2 or more digits with \$ pattern. */ 2029 char *cp2; 2030 2031 /* e.g. file read proc:/$PID/stat */ 2032 cp = strstr(buffer, " proc:/"); 2033 if (cp && simple_strtoul(cp + 7, &cp2, 10) >= 10 && *cp2 == '/') { 2034 *(cp + 7) = '\\'; 2035 *(cp + 8) = '$'; 2036 memmove(cp + 9, cp2, strlen(cp2) + 1); 2037 goto ok; 2038 } 2039 /* e.g. file ioctl pipe:[$INO] $CMD */ 2040 cp = strstr(buffer, " pipe:["); 2041 if (cp && simple_strtoul(cp + 7, &cp2, 10) >= 10 && *cp2 == ']') { 2042 *(cp + 7) = '\\'; 2043 *(cp + 8) = '$'; 2044 memmove(cp + 9, cp2, strlen(cp2) + 1); 2045 goto ok; 2046 } 2047 /* e.g. file ioctl socket:[$INO] $CMD */ 2048 cp = strstr(buffer, " socket:["); 2049 if (cp && simple_strtoul(cp + 9, &cp2, 10) >= 10 && *cp2 == ']') { 2050 *(cp + 9) = '\\'; 2051 *(cp + 10) = '$'; 2052 memmove(cp + 11, cp2, strlen(cp2) + 1); 2053 goto ok; 2054 } 2055 } 2056 ok: 2057 if (realpath) 2058 tomoyo_addprintf(buffer, len, " exec.%s", realpath); 2059 if (argv0) 2060 tomoyo_addprintf(buffer, len, " exec.argv[0]=%s", argv0); 2061 if (symlink) 2062 tomoyo_addprintf(buffer, len, "%s", symlink); 2063 tomoyo_normalize_line(buffer); 2064 if (!tomoyo_write_domain2(domain->ns, &domain->acl_info_list, buffer, 2065 false)) 2066 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 2067 kfree(buffer); 2068 } 2069 2070 /** 2071 * tomoyo_supervisor - Ask for the supervisor's decision. 2072 * 2073 * @r: Pointer to "struct tomoyo_request_info". 2074 * @fmt: The printf()'s format string, followed by parameters. 2075 * 2076 * Returns 0 if the supervisor decided to permit the access request which 2077 * violated the policy in enforcing mode, TOMOYO_RETRY_REQUEST if the 2078 * supervisor decided to retry the access request which violated the policy in 2079 * enforcing mode, 0 if it is not in enforcing mode, -EPERM otherwise. 2080 */ 2081 int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 2082 { 2083 va_list args; 2084 int error; 2085 int len; 2086 static unsigned int tomoyo_serial; 2087 struct tomoyo_query entry = { }; 2088 bool quota_exceeded = false; 2089 2090 va_start(args, fmt); 2091 len = vsnprintf(NULL, 0, fmt, args) + 1; 2092 va_end(args); 2093 /* Write /sys/kernel/security/tomoyo/audit. */ 2094 va_start(args, fmt); 2095 tomoyo_write_log2(r, len, fmt, args); 2096 va_end(args); 2097 /* Nothing more to do if granted. */ 2098 if (r->granted) 2099 return 0; 2100 if (r->mode) 2101 tomoyo_update_stat(r->mode); 2102 switch (r->mode) { 2103 case TOMOYO_CONFIG_ENFORCING: 2104 error = -EPERM; 2105 if (atomic_read(&tomoyo_query_observers)) 2106 break; 2107 goto out; 2108 case TOMOYO_CONFIG_LEARNING: 2109 error = 0; 2110 /* Check max_learning_entry parameter. */ 2111 if (tomoyo_domain_quota_is_ok(r)) 2112 break; 2113 fallthrough; 2114 default: 2115 return 0; 2116 } 2117 /* Get message. */ 2118 va_start(args, fmt); 2119 entry.query = tomoyo_init_log(r, len, fmt, args); 2120 va_end(args); 2121 if (!entry.query) 2122 goto out; 2123 entry.query_len = strlen(entry.query) + 1; 2124 if (!error) { 2125 tomoyo_add_entry(r->domain, entry.query); 2126 goto out; 2127 } 2128 len = kmalloc_size_roundup(entry.query_len); 2129 entry.domain = r->domain; 2130 spin_lock(&tomoyo_query_list_lock); 2131 if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] && 2132 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len 2133 >= tomoyo_memory_quota[TOMOYO_MEMORY_QUERY]) { 2134 quota_exceeded = true; 2135 } else { 2136 entry.serial = tomoyo_serial++; 2137 entry.retry = r->retry; 2138 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] += len; 2139 list_add_tail(&entry.list, &tomoyo_query_list); 2140 } 2141 spin_unlock(&tomoyo_query_list_lock); 2142 if (quota_exceeded) 2143 goto out; 2144 /* Give 10 seconds for supervisor's opinion. */ 2145 while (entry.timer < 10) { 2146 wake_up_all(&tomoyo_query_wait); 2147 if (wait_event_interruptible_timeout 2148 (tomoyo_answer_wait, entry.answer || 2149 !atomic_read(&tomoyo_query_observers), HZ)) 2150 break; 2151 entry.timer++; 2152 } 2153 spin_lock(&tomoyo_query_list_lock); 2154 list_del(&entry.list); 2155 tomoyo_memory_used[TOMOYO_MEMORY_QUERY] -= len; 2156 spin_unlock(&tomoyo_query_list_lock); 2157 switch (entry.answer) { 2158 case 3: /* Asked to retry by administrator. */ 2159 error = TOMOYO_RETRY_REQUEST; 2160 r->retry++; 2161 break; 2162 case 1: 2163 /* Granted by administrator. */ 2164 error = 0; 2165 break; 2166 default: 2167 /* Timed out or rejected by administrator. */ 2168 break; 2169 } 2170 out: 2171 kfree(entry.query); 2172 return error; 2173 } 2174 2175 /** 2176 * tomoyo_find_domain_by_qid - Get domain by query id. 2177 * 2178 * @serial: Query ID assigned by tomoyo_supervisor(). 2179 * 2180 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise. 2181 */ 2182 static struct tomoyo_domain_info *tomoyo_find_domain_by_qid 2183 (unsigned int serial) 2184 { 2185 struct tomoyo_query *ptr; 2186 struct tomoyo_domain_info *domain = NULL; 2187 2188 spin_lock(&tomoyo_query_list_lock); 2189 list_for_each_entry(ptr, &tomoyo_query_list, list) { 2190 if (ptr->serial != serial) 2191 continue; 2192 domain = ptr->domain; 2193 break; 2194 } 2195 spin_unlock(&tomoyo_query_list_lock); 2196 return domain; 2197 } 2198 2199 /** 2200 * tomoyo_poll_query - poll() for /sys/kernel/security/tomoyo/query. 2201 * 2202 * @file: Pointer to "struct file". 2203 * @wait: Pointer to "poll_table". 2204 * 2205 * Returns EPOLLIN | EPOLLRDNORM when ready to read, 0 otherwise. 2206 * 2207 * Waits for access requests which violated policy in enforcing mode. 2208 */ 2209 static __poll_t tomoyo_poll_query(struct file *file, poll_table *wait) 2210 { 2211 if (!list_empty(&tomoyo_query_list)) 2212 return EPOLLIN | EPOLLRDNORM; 2213 poll_wait(file, &tomoyo_query_wait, wait); 2214 if (!list_empty(&tomoyo_query_list)) 2215 return EPOLLIN | EPOLLRDNORM; 2216 return 0; 2217 } 2218 2219 /** 2220 * tomoyo_read_query - Read access requests which violated policy in enforcing mode. 2221 * 2222 * @head: Pointer to "struct tomoyo_io_buffer". 2223 */ 2224 static void tomoyo_read_query(struct tomoyo_io_buffer *head) 2225 { 2226 struct list_head *tmp; 2227 unsigned int pos = 0; 2228 size_t len = 0; 2229 char *buf; 2230 2231 if (head->r.w_pos) 2232 return; 2233 kfree(head->read_buf); 2234 head->read_buf = NULL; 2235 spin_lock(&tomoyo_query_list_lock); 2236 list_for_each(tmp, &tomoyo_query_list) { 2237 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 2238 2239 if (pos++ != head->r.query_index) 2240 continue; 2241 len = ptr->query_len; 2242 break; 2243 } 2244 spin_unlock(&tomoyo_query_list_lock); 2245 if (!len) { 2246 head->r.query_index = 0; 2247 return; 2248 } 2249 buf = kzalloc(len + 32, GFP_NOFS); 2250 if (!buf) 2251 return; 2252 pos = 0; 2253 spin_lock(&tomoyo_query_list_lock); 2254 list_for_each(tmp, &tomoyo_query_list) { 2255 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 2256 2257 if (pos++ != head->r.query_index) 2258 continue; 2259 /* 2260 * Some query can be skipped because tomoyo_query_list 2261 * can change, but I don't care. 2262 */ 2263 if (len == ptr->query_len) 2264 snprintf(buf, len + 31, "Q%u-%hu\n%s", ptr->serial, 2265 ptr->retry, ptr->query); 2266 break; 2267 } 2268 spin_unlock(&tomoyo_query_list_lock); 2269 if (buf[0]) { 2270 head->read_buf = buf; 2271 head->r.w[head->r.w_pos++] = buf; 2272 head->r.query_index++; 2273 } else { 2274 kfree(buf); 2275 } 2276 } 2277 2278 /** 2279 * tomoyo_write_answer - Write the supervisor's decision. 2280 * 2281 * @head: Pointer to "struct tomoyo_io_buffer". 2282 * 2283 * Returns 0 on success, -EINVAL otherwise. 2284 */ 2285 static int tomoyo_write_answer(struct tomoyo_io_buffer *head) 2286 { 2287 char *data = head->write_buf; 2288 struct list_head *tmp; 2289 unsigned int serial; 2290 unsigned int answer; 2291 2292 spin_lock(&tomoyo_query_list_lock); 2293 list_for_each(tmp, &tomoyo_query_list) { 2294 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 2295 2296 ptr->timer = 0; 2297 } 2298 spin_unlock(&tomoyo_query_list_lock); 2299 if (sscanf(data, "A%u=%u", &serial, &answer) != 2) 2300 return -EINVAL; 2301 spin_lock(&tomoyo_query_list_lock); 2302 list_for_each(tmp, &tomoyo_query_list) { 2303 struct tomoyo_query *ptr = list_entry(tmp, typeof(*ptr), list); 2304 2305 if (ptr->serial != serial) 2306 continue; 2307 ptr->answer = answer; 2308 /* Remove from tomoyo_query_list. */ 2309 if (ptr->answer) 2310 list_del_init(&ptr->list); 2311 break; 2312 } 2313 spin_unlock(&tomoyo_query_list_lock); 2314 return 0; 2315 } 2316 2317 /** 2318 * tomoyo_read_version: Get version. 2319 * 2320 * @head: Pointer to "struct tomoyo_io_buffer". 2321 * 2322 * Returns version information. 2323 */ 2324 static void tomoyo_read_version(struct tomoyo_io_buffer *head) 2325 { 2326 if (!head->r.eof) { 2327 tomoyo_io_printf(head, "2.6.0"); 2328 head->r.eof = true; 2329 } 2330 } 2331 2332 /* String table for /sys/kernel/security/tomoyo/stat interface. */ 2333 static const char * const tomoyo_policy_headers[TOMOYO_MAX_POLICY_STAT] = { 2334 [TOMOYO_STAT_POLICY_UPDATES] = "update:", 2335 [TOMOYO_STAT_POLICY_LEARNING] = "violation in learning mode:", 2336 [TOMOYO_STAT_POLICY_PERMISSIVE] = "violation in permissive mode:", 2337 [TOMOYO_STAT_POLICY_ENFORCING] = "violation in enforcing mode:", 2338 }; 2339 2340 /* String table for /sys/kernel/security/tomoyo/stat interface. */ 2341 static const char * const tomoyo_memory_headers[TOMOYO_MAX_MEMORY_STAT] = { 2342 [TOMOYO_MEMORY_POLICY] = "policy:", 2343 [TOMOYO_MEMORY_AUDIT] = "audit log:", 2344 [TOMOYO_MEMORY_QUERY] = "query message:", 2345 }; 2346 2347 /* Counter for number of updates. */ 2348 static atomic_t tomoyo_stat_updated[TOMOYO_MAX_POLICY_STAT]; 2349 /* Timestamp counter for last updated. */ 2350 static time64_t tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT]; 2351 2352 /** 2353 * tomoyo_update_stat - Update statistic counters. 2354 * 2355 * @index: Index for policy type. 2356 * 2357 * Returns nothing. 2358 */ 2359 void tomoyo_update_stat(const u8 index) 2360 { 2361 atomic_inc(&tomoyo_stat_updated[index]); 2362 tomoyo_stat_modified[index] = ktime_get_real_seconds(); 2363 } 2364 2365 /** 2366 * tomoyo_read_stat - Read statistic data. 2367 * 2368 * @head: Pointer to "struct tomoyo_io_buffer". 2369 * 2370 * Returns nothing. 2371 */ 2372 static void tomoyo_read_stat(struct tomoyo_io_buffer *head) 2373 { 2374 u8 i; 2375 unsigned int total = 0; 2376 2377 if (head->r.eof) 2378 return; 2379 for (i = 0; i < TOMOYO_MAX_POLICY_STAT; i++) { 2380 tomoyo_io_printf(head, "Policy %-30s %10u", 2381 tomoyo_policy_headers[i], 2382 atomic_read(&tomoyo_stat_updated[i])); 2383 if (tomoyo_stat_modified[i]) { 2384 struct tomoyo_time stamp; 2385 2386 tomoyo_convert_time(tomoyo_stat_modified[i], &stamp); 2387 tomoyo_io_printf(head, " (Last: %04u/%02u/%02u %02u:%02u:%02u)", 2388 stamp.year, stamp.month, stamp.day, 2389 stamp.hour, stamp.min, stamp.sec); 2390 } 2391 tomoyo_set_lf(head); 2392 } 2393 for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) { 2394 unsigned int used = tomoyo_memory_used[i]; 2395 2396 total += used; 2397 tomoyo_io_printf(head, "Memory used by %-22s %10u", 2398 tomoyo_memory_headers[i], used); 2399 used = tomoyo_memory_quota[i]; 2400 if (used) 2401 tomoyo_io_printf(head, " (Quota: %10u)", used); 2402 tomoyo_set_lf(head); 2403 } 2404 tomoyo_io_printf(head, "Total memory used: %10u\n", 2405 total); 2406 head->r.eof = true; 2407 } 2408 2409 /** 2410 * tomoyo_write_stat - Set memory quota. 2411 * 2412 * @head: Pointer to "struct tomoyo_io_buffer". 2413 * 2414 * Returns 0. 2415 */ 2416 static int tomoyo_write_stat(struct tomoyo_io_buffer *head) 2417 { 2418 char *data = head->write_buf; 2419 u8 i; 2420 2421 if (tomoyo_str_starts(&data, "Memory used by ")) 2422 for (i = 0; i < TOMOYO_MAX_MEMORY_STAT; i++) 2423 if (tomoyo_str_starts(&data, tomoyo_memory_headers[i])) 2424 sscanf(data, "%u", &tomoyo_memory_quota[i]); 2425 return 0; 2426 } 2427 2428 /** 2429 * tomoyo_open_control - open() for /sys/kernel/security/tomoyo/ interface. 2430 * 2431 * @type: Type of interface. 2432 * @file: Pointer to "struct file". 2433 * 2434 * Returns 0 on success, negative value otherwise. 2435 */ 2436 int tomoyo_open_control(const u8 type, struct file *file) 2437 { 2438 struct tomoyo_io_buffer *head = kzalloc(sizeof(*head), GFP_NOFS); 2439 2440 if (!head) 2441 return -ENOMEM; 2442 mutex_init(&head->io_sem); 2443 head->type = type; 2444 switch (type) { 2445 case TOMOYO_DOMAINPOLICY: 2446 /* /sys/kernel/security/tomoyo/domain_policy */ 2447 head->write = tomoyo_write_domain; 2448 head->read = tomoyo_read_domain; 2449 break; 2450 case TOMOYO_EXCEPTIONPOLICY: 2451 /* /sys/kernel/security/tomoyo/exception_policy */ 2452 head->write = tomoyo_write_exception; 2453 head->read = tomoyo_read_exception; 2454 break; 2455 case TOMOYO_AUDIT: 2456 /* /sys/kernel/security/tomoyo/audit */ 2457 head->poll = tomoyo_poll_log; 2458 head->read = tomoyo_read_log; 2459 break; 2460 case TOMOYO_PROCESS_STATUS: 2461 /* /sys/kernel/security/tomoyo/.process_status */ 2462 head->write = tomoyo_write_pid; 2463 head->read = tomoyo_read_pid; 2464 break; 2465 case TOMOYO_VERSION: 2466 /* /sys/kernel/security/tomoyo/version */ 2467 head->read = tomoyo_read_version; 2468 head->readbuf_size = 128; 2469 break; 2470 case TOMOYO_STAT: 2471 /* /sys/kernel/security/tomoyo/stat */ 2472 head->write = tomoyo_write_stat; 2473 head->read = tomoyo_read_stat; 2474 head->readbuf_size = 1024; 2475 break; 2476 case TOMOYO_PROFILE: 2477 /* /sys/kernel/security/tomoyo/profile */ 2478 head->write = tomoyo_write_profile; 2479 head->read = tomoyo_read_profile; 2480 break; 2481 case TOMOYO_QUERY: /* /sys/kernel/security/tomoyo/query */ 2482 head->poll = tomoyo_poll_query; 2483 head->write = tomoyo_write_answer; 2484 head->read = tomoyo_read_query; 2485 break; 2486 case TOMOYO_MANAGER: 2487 /* /sys/kernel/security/tomoyo/manager */ 2488 head->write = tomoyo_write_manager; 2489 head->read = tomoyo_read_manager; 2490 break; 2491 } 2492 if (!(file->f_mode & FMODE_READ)) { 2493 /* 2494 * No need to allocate read_buf since it is not opened 2495 * for reading. 2496 */ 2497 head->read = NULL; 2498 head->poll = NULL; 2499 } else if (!head->poll) { 2500 /* Don't allocate read_buf for poll() access. */ 2501 if (!head->readbuf_size) 2502 head->readbuf_size = 4096 * 2; 2503 head->read_buf = kzalloc(head->readbuf_size, GFP_NOFS); 2504 if (!head->read_buf) { 2505 kfree(head); 2506 return -ENOMEM; 2507 } 2508 } 2509 if (!(file->f_mode & FMODE_WRITE)) { 2510 /* 2511 * No need to allocate write_buf since it is not opened 2512 * for writing. 2513 */ 2514 head->write = NULL; 2515 } else if (head->write) { 2516 head->writebuf_size = 4096 * 2; 2517 head->write_buf = kzalloc(head->writebuf_size, GFP_NOFS); 2518 if (!head->write_buf) { 2519 kfree(head->read_buf); 2520 kfree(head); 2521 return -ENOMEM; 2522 } 2523 } 2524 /* 2525 * If the file is /sys/kernel/security/tomoyo/query , increment the 2526 * observer counter. 2527 * The obserber counter is used by tomoyo_supervisor() to see if 2528 * there is some process monitoring /sys/kernel/security/tomoyo/query. 2529 */ 2530 if (type == TOMOYO_QUERY) 2531 atomic_inc(&tomoyo_query_observers); 2532 file->private_data = head; 2533 tomoyo_notify_gc(head, true); 2534 return 0; 2535 } 2536 2537 /** 2538 * tomoyo_poll_control - poll() for /sys/kernel/security/tomoyo/ interface. 2539 * 2540 * @file: Pointer to "struct file". 2541 * @wait: Pointer to "poll_table". Maybe NULL. 2542 * 2543 * Returns EPOLLIN | EPOLLRDNORM | EPOLLOUT | EPOLLWRNORM if ready to read/write, 2544 * EPOLLOUT | EPOLLWRNORM otherwise. 2545 */ 2546 __poll_t tomoyo_poll_control(struct file *file, poll_table *wait) 2547 { 2548 struct tomoyo_io_buffer *head = file->private_data; 2549 2550 if (head->poll) 2551 return head->poll(file, wait) | EPOLLOUT | EPOLLWRNORM; 2552 return EPOLLIN | EPOLLRDNORM | EPOLLOUT | EPOLLWRNORM; 2553 } 2554 2555 /** 2556 * tomoyo_set_namespace_cursor - Set namespace to read. 2557 * 2558 * @head: Pointer to "struct tomoyo_io_buffer". 2559 * 2560 * Returns nothing. 2561 */ 2562 static inline void tomoyo_set_namespace_cursor(struct tomoyo_io_buffer *head) 2563 { 2564 struct list_head *ns; 2565 2566 if (head->type != TOMOYO_EXCEPTIONPOLICY && 2567 head->type != TOMOYO_PROFILE) 2568 return; 2569 /* 2570 * If this is the first read, or reading previous namespace finished 2571 * and has more namespaces to read, update the namespace cursor. 2572 */ 2573 ns = head->r.ns; 2574 if (!ns || (head->r.eof && ns->next != &tomoyo_namespace_list)) { 2575 /* Clearing is OK because tomoyo_flush() returned true. */ 2576 memset(&head->r, 0, sizeof(head->r)); 2577 head->r.ns = ns ? ns->next : tomoyo_namespace_list.next; 2578 } 2579 } 2580 2581 /** 2582 * tomoyo_has_more_namespace - Check for unread namespaces. 2583 * 2584 * @head: Pointer to "struct tomoyo_io_buffer". 2585 * 2586 * Returns true if we have more entries to print, false otherwise. 2587 */ 2588 static inline bool tomoyo_has_more_namespace(struct tomoyo_io_buffer *head) 2589 { 2590 return (head->type == TOMOYO_EXCEPTIONPOLICY || 2591 head->type == TOMOYO_PROFILE) && head->r.eof && 2592 head->r.ns->next != &tomoyo_namespace_list; 2593 } 2594 2595 /** 2596 * tomoyo_read_control - read() for /sys/kernel/security/tomoyo/ interface. 2597 * 2598 * @head: Pointer to "struct tomoyo_io_buffer". 2599 * @buffer: Pointer to buffer to write to. 2600 * @buffer_len: Size of @buffer. 2601 * 2602 * Returns bytes read on success, negative value otherwise. 2603 */ 2604 ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, 2605 const int buffer_len) 2606 { 2607 int len; 2608 int idx; 2609 2610 if (!head->read) 2611 return -EINVAL; 2612 if (mutex_lock_interruptible(&head->io_sem)) 2613 return -EINTR; 2614 head->read_user_buf = buffer; 2615 head->read_user_buf_avail = buffer_len; 2616 idx = tomoyo_read_lock(); 2617 if (tomoyo_flush(head)) 2618 /* Call the policy handler. */ 2619 do { 2620 tomoyo_set_namespace_cursor(head); 2621 head->read(head); 2622 } while (tomoyo_flush(head) && 2623 tomoyo_has_more_namespace(head)); 2624 tomoyo_read_unlock(idx); 2625 len = head->read_user_buf - buffer; 2626 mutex_unlock(&head->io_sem); 2627 return len; 2628 } 2629 2630 /** 2631 * tomoyo_parse_policy - Parse a policy line. 2632 * 2633 * @head: Pointer to "struct tomoyo_io_buffer". 2634 * @line: Line to parse. 2635 * 2636 * Returns 0 on success, negative value otherwise. 2637 * 2638 * Caller holds tomoyo_read_lock(). 2639 */ 2640 static int tomoyo_parse_policy(struct tomoyo_io_buffer *head, char *line) 2641 { 2642 /* Delete request? */ 2643 head->w.is_delete = !strncmp(line, "delete ", 7); 2644 if (head->w.is_delete) 2645 memmove(line, line + 7, strlen(line + 7) + 1); 2646 /* Selecting namespace to update. */ 2647 if (head->type == TOMOYO_EXCEPTIONPOLICY || 2648 head->type == TOMOYO_PROFILE) { 2649 if (*line == '<') { 2650 char *cp = strchr(line, ' '); 2651 2652 if (cp) { 2653 *cp++ = '\0'; 2654 head->w.ns = tomoyo_assign_namespace(line); 2655 memmove(line, cp, strlen(cp) + 1); 2656 } else 2657 head->w.ns = NULL; 2658 } else 2659 head->w.ns = &tomoyo_kernel_namespace; 2660 /* Don't allow updating if namespace is invalid. */ 2661 if (!head->w.ns) 2662 return -ENOENT; 2663 } 2664 /* Do the update. */ 2665 return head->write(head); 2666 } 2667 2668 /** 2669 * tomoyo_write_control - write() for /sys/kernel/security/tomoyo/ interface. 2670 * 2671 * @head: Pointer to "struct tomoyo_io_buffer". 2672 * @buffer: Pointer to buffer to read from. 2673 * @buffer_len: Size of @buffer. 2674 * 2675 * Returns @buffer_len on success, negative value otherwise. 2676 */ 2677 ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, 2678 const char __user *buffer, const int buffer_len) 2679 { 2680 int error = buffer_len; 2681 size_t avail_len = buffer_len; 2682 char *cp0; 2683 int idx; 2684 2685 if (!head->write) 2686 return -EINVAL; 2687 if (mutex_lock_interruptible(&head->io_sem)) 2688 return -EINTR; 2689 cp0 = head->write_buf; 2690 head->read_user_buf_avail = 0; 2691 idx = tomoyo_read_lock(); 2692 /* Read a line and dispatch it to the policy handler. */ 2693 while (avail_len > 0) { 2694 char c; 2695 2696 if (head->w.avail >= head->writebuf_size - 1) { 2697 const int len = head->writebuf_size * 2; 2698 char *cp = kzalloc(len, GFP_NOFS | __GFP_NOWARN); 2699 2700 if (!cp) { 2701 error = -ENOMEM; 2702 break; 2703 } 2704 memmove(cp, cp0, head->w.avail); 2705 kfree(cp0); 2706 head->write_buf = cp; 2707 cp0 = cp; 2708 head->writebuf_size = len; 2709 } 2710 if (get_user(c, buffer)) { 2711 error = -EFAULT; 2712 break; 2713 } 2714 buffer++; 2715 avail_len--; 2716 cp0[head->w.avail++] = c; 2717 if (c != '\n') 2718 continue; 2719 cp0[head->w.avail - 1] = '\0'; 2720 head->w.avail = 0; 2721 tomoyo_normalize_line(cp0); 2722 if (!strcmp(cp0, "reset")) { 2723 head->w.ns = &tomoyo_kernel_namespace; 2724 head->w.domain = NULL; 2725 memset(&head->r, 0, sizeof(head->r)); 2726 continue; 2727 } 2728 /* Don't allow updating policies by non manager programs. */ 2729 switch (head->type) { 2730 case TOMOYO_PROCESS_STATUS: 2731 /* This does not write anything. */ 2732 break; 2733 case TOMOYO_DOMAINPOLICY: 2734 if (tomoyo_select_domain(head, cp0)) 2735 continue; 2736 fallthrough; 2737 case TOMOYO_EXCEPTIONPOLICY: 2738 if (!strcmp(cp0, "select transition_only")) { 2739 head->r.print_transition_related_only = true; 2740 continue; 2741 } 2742 fallthrough; 2743 default: 2744 if (!tomoyo_manager()) { 2745 error = -EPERM; 2746 goto out; 2747 } 2748 } 2749 switch (tomoyo_parse_policy(head, cp0)) { 2750 case -EPERM: 2751 error = -EPERM; 2752 goto out; 2753 case 0: 2754 switch (head->type) { 2755 case TOMOYO_DOMAINPOLICY: 2756 case TOMOYO_EXCEPTIONPOLICY: 2757 case TOMOYO_STAT: 2758 case TOMOYO_PROFILE: 2759 case TOMOYO_MANAGER: 2760 tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); 2761 break; 2762 default: 2763 break; 2764 } 2765 break; 2766 } 2767 } 2768 out: 2769 tomoyo_read_unlock(idx); 2770 mutex_unlock(&head->io_sem); 2771 return error; 2772 } 2773 2774 /** 2775 * tomoyo_close_control - close() for /sys/kernel/security/tomoyo/ interface. 2776 * 2777 * @head: Pointer to "struct tomoyo_io_buffer". 2778 */ 2779 void tomoyo_close_control(struct tomoyo_io_buffer *head) 2780 { 2781 /* 2782 * If the file is /sys/kernel/security/tomoyo/query , decrement the 2783 * observer counter. 2784 */ 2785 if (head->type == TOMOYO_QUERY && 2786 atomic_dec_and_test(&tomoyo_query_observers)) 2787 wake_up_all(&tomoyo_answer_wait); 2788 tomoyo_notify_gc(head, false); 2789 } 2790 2791 /** 2792 * tomoyo_check_profile - Check all profiles currently assigned to domains are defined. 2793 */ 2794 void tomoyo_check_profile(void) 2795 { 2796 struct tomoyo_domain_info *domain; 2797 const int idx = tomoyo_read_lock(); 2798 2799 tomoyo_policy_loaded = true; 2800 pr_info("TOMOYO: 2.6.0\n"); 2801 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list, 2802 srcu_read_lock_held(&tomoyo_ss)) { 2803 const u8 profile = domain->profile; 2804 struct tomoyo_policy_namespace *ns = domain->ns; 2805 2806 if (ns->profile_version == 20110903) { 2807 pr_info_once("Converting profile version from %u to %u.\n", 2808 20110903, 20150505); 2809 ns->profile_version = 20150505; 2810 } 2811 if (ns->profile_version != 20150505) 2812 pr_err("Profile version %u is not supported.\n", 2813 ns->profile_version); 2814 else if (!ns->profile_ptr[profile]) 2815 pr_err("Profile %u (used by '%s') is not defined.\n", 2816 profile, domain->domainname->name); 2817 else 2818 continue; 2819 pr_err("Userland tools for TOMOYO 2.6 must be installed and policy must be initialized.\n"); 2820 pr_err("Please see https://tomoyo.sourceforge.net/2.6/ for more information.\n"); 2821 panic("STOP!"); 2822 } 2823 tomoyo_read_unlock(idx); 2824 pr_info("Mandatory Access Control activated.\n"); 2825 } 2826 2827 /** 2828 * tomoyo_load_builtin_policy - Load built-in policy. 2829 * 2830 * Returns nothing. 2831 */ 2832 void __init tomoyo_load_builtin_policy(void) 2833 { 2834 #ifdef CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING 2835 static char tomoyo_builtin_profile[] __initdata = 2836 "PROFILE_VERSION=20150505\n" 2837 "0-CONFIG={ mode=learning grant_log=no reject_log=yes }\n"; 2838 static char tomoyo_builtin_exception_policy[] __initdata = 2839 "aggregator proc:/self/exe /proc/self/exe\n"; 2840 static char tomoyo_builtin_domain_policy[] __initdata = ""; 2841 static char tomoyo_builtin_manager[] __initdata = ""; 2842 static char tomoyo_builtin_stat[] __initdata = ""; 2843 #else 2844 /* 2845 * This include file is manually created and contains built-in policy 2846 * named "tomoyo_builtin_profile", "tomoyo_builtin_exception_policy", 2847 * "tomoyo_builtin_domain_policy", "tomoyo_builtin_manager", 2848 * "tomoyo_builtin_stat" in the form of "static char [] __initdata". 2849 */ 2850 #include "builtin-policy.h" 2851 #endif 2852 u8 i; 2853 const int idx = tomoyo_read_lock(); 2854 2855 for (i = 0; i < 5; i++) { 2856 struct tomoyo_io_buffer head = { }; 2857 char *start = ""; 2858 2859 switch (i) { 2860 case 0: 2861 start = tomoyo_builtin_profile; 2862 head.type = TOMOYO_PROFILE; 2863 head.write = tomoyo_write_profile; 2864 break; 2865 case 1: 2866 start = tomoyo_builtin_exception_policy; 2867 head.type = TOMOYO_EXCEPTIONPOLICY; 2868 head.write = tomoyo_write_exception; 2869 break; 2870 case 2: 2871 start = tomoyo_builtin_domain_policy; 2872 head.type = TOMOYO_DOMAINPOLICY; 2873 head.write = tomoyo_write_domain; 2874 break; 2875 case 3: 2876 start = tomoyo_builtin_manager; 2877 head.type = TOMOYO_MANAGER; 2878 head.write = tomoyo_write_manager; 2879 break; 2880 case 4: 2881 start = tomoyo_builtin_stat; 2882 head.type = TOMOYO_STAT; 2883 head.write = tomoyo_write_stat; 2884 break; 2885 } 2886 while (1) { 2887 char *end = strchr(start, '\n'); 2888 2889 if (!end) 2890 break; 2891 *end = '\0'; 2892 tomoyo_normalize_line(start); 2893 head.write_buf = start; 2894 tomoyo_parse_policy(&head, start); 2895 start = end + 1; 2896 } 2897 } 2898 tomoyo_read_unlock(idx); 2899 #ifdef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER 2900 tomoyo_check_profile(); 2901 #endif 2902 } 2903