1 /* 2 * security/tomoyo/file.c 3 * 4 * Implementation of the Domain-Based Mandatory Access Control. 5 * 6 * Copyright (C) 2005-2009 NTT DATA CORPORATION 7 * 8 * Version: 2.2.0 2009/04/01 9 * 10 */ 11 12 #include "common.h" 13 #include <linux/slab.h> 14 15 /* Keyword array for single path operations. */ 16 static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = { 17 [TOMOYO_TYPE_READ_WRITE] = "read/write", 18 [TOMOYO_TYPE_EXECUTE] = "execute", 19 [TOMOYO_TYPE_READ] = "read", 20 [TOMOYO_TYPE_WRITE] = "write", 21 [TOMOYO_TYPE_CREATE] = "create", 22 [TOMOYO_TYPE_UNLINK] = "unlink", 23 [TOMOYO_TYPE_MKDIR] = "mkdir", 24 [TOMOYO_TYPE_RMDIR] = "rmdir", 25 [TOMOYO_TYPE_MKFIFO] = "mkfifo", 26 [TOMOYO_TYPE_MKSOCK] = "mksock", 27 [TOMOYO_TYPE_MKBLOCK] = "mkblock", 28 [TOMOYO_TYPE_MKCHAR] = "mkchar", 29 [TOMOYO_TYPE_TRUNCATE] = "truncate", 30 [TOMOYO_TYPE_SYMLINK] = "symlink", 31 [TOMOYO_TYPE_REWRITE] = "rewrite", 32 [TOMOYO_TYPE_IOCTL] = "ioctl", 33 [TOMOYO_TYPE_CHMOD] = "chmod", 34 [TOMOYO_TYPE_CHOWN] = "chown", 35 [TOMOYO_TYPE_CHGRP] = "chgrp", 36 [TOMOYO_TYPE_CHROOT] = "chroot", 37 [TOMOYO_TYPE_MOUNT] = "mount", 38 [TOMOYO_TYPE_UMOUNT] = "unmount", 39 }; 40 41 /* Keyword array for double path operations. */ 42 static const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION] = { 43 [TOMOYO_TYPE_LINK] = "link", 44 [TOMOYO_TYPE_RENAME] = "rename", 45 [TOMOYO_TYPE_PIVOT_ROOT] = "pivot_root", 46 }; 47 48 /** 49 * tomoyo_path2keyword - Get the name of single path operation. 50 * 51 * @operation: Type of operation. 52 * 53 * Returns the name of single path operation. 54 */ 55 const char *tomoyo_path2keyword(const u8 operation) 56 { 57 return (operation < TOMOYO_MAX_PATH_OPERATION) 58 ? tomoyo_path_keyword[operation] : NULL; 59 } 60 61 /** 62 * tomoyo_path22keyword - Get the name of double path operation. 63 * 64 * @operation: Type of operation. 65 * 66 * Returns the name of double path operation. 67 */ 68 const char *tomoyo_path22keyword(const u8 operation) 69 { 70 return (operation < TOMOYO_MAX_PATH2_OPERATION) 71 ? tomoyo_path2_keyword[operation] : NULL; 72 } 73 74 /** 75 * tomoyo_strendswith - Check whether the token ends with the given token. 76 * 77 * @name: The token to check. 78 * @tail: The token to find. 79 * 80 * Returns true if @name ends with @tail, false otherwise. 81 */ 82 static bool tomoyo_strendswith(const char *name, const char *tail) 83 { 84 int len; 85 86 if (!name || !tail) 87 return false; 88 len = strlen(name) - strlen(tail); 89 return len >= 0 && !strcmp(name + len, tail); 90 } 91 92 /** 93 * tomoyo_get_path - Get realpath. 94 * 95 * @path: Pointer to "struct path". 96 * 97 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise. 98 */ 99 static struct tomoyo_path_info *tomoyo_get_path(struct path *path) 100 { 101 int error; 102 struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf), 103 GFP_KERNEL); 104 105 if (!buf) 106 return NULL; 107 /* Reserve one byte for appending "/". */ 108 error = tomoyo_realpath_from_path2(path, buf->body, 109 sizeof(buf->body) - 2); 110 if (!error) { 111 buf->head.name = buf->body; 112 tomoyo_fill_path_info(&buf->head); 113 return &buf->head; 114 } 115 kfree(buf); 116 return NULL; 117 } 118 119 static int tomoyo_update_path2_acl(const u8 type, const char *filename1, 120 const char *filename2, 121 struct tomoyo_domain_info *const domain, 122 const bool is_delete); 123 static int tomoyo_update_path_acl(const u8 type, const char *filename, 124 struct tomoyo_domain_info *const domain, 125 const bool is_delete); 126 127 /* 128 * tomoyo_globally_readable_list is used for holding list of pathnames which 129 * are by default allowed to be open()ed for reading by any process. 130 * 131 * An entry is added by 132 * 133 * # echo 'allow_read /lib/libc-2.5.so' > \ 134 * /sys/kernel/security/tomoyo/exception_policy 135 * 136 * and is deleted by 137 * 138 * # echo 'delete allow_read /lib/libc-2.5.so' > \ 139 * /sys/kernel/security/tomoyo/exception_policy 140 * 141 * and all entries are retrieved by 142 * 143 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy 144 * 145 * In the example above, any process is allowed to 146 * open("/lib/libc-2.5.so", O_RDONLY). 147 * One exception is, if the domain which current process belongs to is marked 148 * as "ignore_global_allow_read", current process can't do so unless explicitly 149 * given "allow_read /lib/libc-2.5.so" to the domain which current process 150 * belongs to. 151 */ 152 LIST_HEAD(tomoyo_globally_readable_list); 153 154 /** 155 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list. 156 * 157 * @filename: Filename unconditionally permitted to open() for reading. 158 * @is_delete: True if it is a delete request. 159 * 160 * Returns 0 on success, negative value otherwise. 161 * 162 * Caller holds tomoyo_read_lock(). 163 */ 164 static int tomoyo_update_globally_readable_entry(const char *filename, 165 const bool is_delete) 166 { 167 struct tomoyo_globally_readable_file_entry *entry = NULL; 168 struct tomoyo_globally_readable_file_entry *ptr; 169 const struct tomoyo_path_info *saved_filename; 170 int error = is_delete ? -ENOENT : -ENOMEM; 171 172 if (!tomoyo_is_correct_path(filename, 1, 0, -1)) 173 return -EINVAL; 174 saved_filename = tomoyo_get_name(filename); 175 if (!saved_filename) 176 return -ENOMEM; 177 if (!is_delete) 178 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 179 mutex_lock(&tomoyo_policy_lock); 180 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) { 181 if (ptr->filename != saved_filename) 182 continue; 183 ptr->is_deleted = is_delete; 184 error = 0; 185 break; 186 } 187 if (!is_delete && error && tomoyo_memory_ok(entry)) { 188 entry->filename = saved_filename; 189 saved_filename = NULL; 190 list_add_tail_rcu(&entry->list, &tomoyo_globally_readable_list); 191 entry = NULL; 192 error = 0; 193 } 194 mutex_unlock(&tomoyo_policy_lock); 195 tomoyo_put_name(saved_filename); 196 kfree(entry); 197 return error; 198 } 199 200 /** 201 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading. 202 * 203 * @filename: The filename to check. 204 * 205 * Returns true if any domain can open @filename for reading, false otherwise. 206 * 207 * Caller holds tomoyo_read_lock(). 208 */ 209 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info * 210 filename) 211 { 212 struct tomoyo_globally_readable_file_entry *ptr; 213 bool found = false; 214 215 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) { 216 if (!ptr->is_deleted && 217 tomoyo_path_matches_pattern(filename, ptr->filename)) { 218 found = true; 219 break; 220 } 221 } 222 return found; 223 } 224 225 /** 226 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list. 227 * 228 * @data: String to parse. 229 * @is_delete: True if it is a delete request. 230 * 231 * Returns 0 on success, negative value otherwise. 232 * 233 * Caller holds tomoyo_read_lock(). 234 */ 235 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete) 236 { 237 return tomoyo_update_globally_readable_entry(data, is_delete); 238 } 239 240 /** 241 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list. 242 * 243 * @head: Pointer to "struct tomoyo_io_buffer". 244 * 245 * Returns true on success, false otherwise. 246 * 247 * Caller holds tomoyo_read_lock(). 248 */ 249 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) 250 { 251 struct list_head *pos; 252 bool done = true; 253 254 list_for_each_cookie(pos, head->read_var2, 255 &tomoyo_globally_readable_list) { 256 struct tomoyo_globally_readable_file_entry *ptr; 257 ptr = list_entry(pos, 258 struct tomoyo_globally_readable_file_entry, 259 list); 260 if (ptr->is_deleted) 261 continue; 262 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n", 263 ptr->filename->name); 264 if (!done) 265 break; 266 } 267 return done; 268 } 269 270 /* tomoyo_pattern_list is used for holding list of pathnames which are used for 271 * converting pathnames to pathname patterns during learning mode. 272 * 273 * An entry is added by 274 * 275 * # echo 'file_pattern /proc/\$/mounts' > \ 276 * /sys/kernel/security/tomoyo/exception_policy 277 * 278 * and is deleted by 279 * 280 * # echo 'delete file_pattern /proc/\$/mounts' > \ 281 * /sys/kernel/security/tomoyo/exception_policy 282 * 283 * and all entries are retrieved by 284 * 285 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy 286 * 287 * In the example above, if a process which belongs to a domain which is in 288 * learning mode requested open("/proc/1/mounts", O_RDONLY), 289 * "allow_read /proc/\$/mounts" is automatically added to the domain which that 290 * process belongs to. 291 * 292 * It is not a desirable behavior that we have to use /proc/\$/ instead of 293 * /proc/self/ when current process needs to access only current process's 294 * information. As of now, LSM version of TOMOYO is using __d_path() for 295 * calculating pathname. Non LSM version of TOMOYO is using its own function 296 * which pretends as if /proc/self/ is not a symlink; so that we can forbid 297 * current process from accessing other process's information. 298 */ 299 LIST_HEAD(tomoyo_pattern_list); 300 301 /** 302 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list. 303 * 304 * @pattern: Pathname pattern. 305 * @is_delete: True if it is a delete request. 306 * 307 * Returns 0 on success, negative value otherwise. 308 * 309 * Caller holds tomoyo_read_lock(). 310 */ 311 static int tomoyo_update_file_pattern_entry(const char *pattern, 312 const bool is_delete) 313 { 314 struct tomoyo_pattern_entry *entry = NULL; 315 struct tomoyo_pattern_entry *ptr; 316 const struct tomoyo_path_info *saved_pattern; 317 int error = is_delete ? -ENOENT : -ENOMEM; 318 319 saved_pattern = tomoyo_get_name(pattern); 320 if (!saved_pattern) 321 return error; 322 if (!saved_pattern->is_patterned) 323 goto out; 324 if (!is_delete) 325 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 326 mutex_lock(&tomoyo_policy_lock); 327 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) { 328 if (saved_pattern != ptr->pattern) 329 continue; 330 ptr->is_deleted = is_delete; 331 error = 0; 332 break; 333 } 334 if (!is_delete && error && tomoyo_memory_ok(entry)) { 335 entry->pattern = saved_pattern; 336 saved_pattern = NULL; 337 list_add_tail_rcu(&entry->list, &tomoyo_pattern_list); 338 entry = NULL; 339 error = 0; 340 } 341 mutex_unlock(&tomoyo_policy_lock); 342 out: 343 kfree(entry); 344 tomoyo_put_name(saved_pattern); 345 return error; 346 } 347 348 /** 349 * tomoyo_get_file_pattern - Get patterned pathname. 350 * 351 * @filename: The filename to find patterned pathname. 352 * 353 * Returns pointer to pathname pattern if matched, @filename otherwise. 354 * 355 * Caller holds tomoyo_read_lock(). 356 */ 357 static const struct tomoyo_path_info * 358 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename) 359 { 360 struct tomoyo_pattern_entry *ptr; 361 const struct tomoyo_path_info *pattern = NULL; 362 363 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) { 364 if (ptr->is_deleted) 365 continue; 366 if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) 367 continue; 368 pattern = ptr->pattern; 369 if (tomoyo_strendswith(pattern->name, "/\\*")) { 370 /* Do nothing. Try to find the better match. */ 371 } else { 372 /* This would be the better match. Use this. */ 373 break; 374 } 375 } 376 if (pattern) 377 filename = pattern; 378 return filename; 379 } 380 381 /** 382 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list. 383 * 384 * @data: String to parse. 385 * @is_delete: True if it is a delete request. 386 * 387 * Returns 0 on success, negative value otherwise. 388 * 389 * Caller holds tomoyo_read_lock(). 390 */ 391 int tomoyo_write_pattern_policy(char *data, const bool is_delete) 392 { 393 return tomoyo_update_file_pattern_entry(data, is_delete); 394 } 395 396 /** 397 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list. 398 * 399 * @head: Pointer to "struct tomoyo_io_buffer". 400 * 401 * Returns true on success, false otherwise. 402 * 403 * Caller holds tomoyo_read_lock(). 404 */ 405 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) 406 { 407 struct list_head *pos; 408 bool done = true; 409 410 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) { 411 struct tomoyo_pattern_entry *ptr; 412 ptr = list_entry(pos, struct tomoyo_pattern_entry, list); 413 if (ptr->is_deleted) 414 continue; 415 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN 416 "%s\n", ptr->pattern->name); 417 if (!done) 418 break; 419 } 420 return done; 421 } 422 423 /* 424 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by 425 * default forbidden to modify already written content of a file. 426 * 427 * An entry is added by 428 * 429 * # echo 'deny_rewrite /var/log/messages' > \ 430 * /sys/kernel/security/tomoyo/exception_policy 431 * 432 * and is deleted by 433 * 434 * # echo 'delete deny_rewrite /var/log/messages' > \ 435 * /sys/kernel/security/tomoyo/exception_policy 436 * 437 * and all entries are retrieved by 438 * 439 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy 440 * 441 * In the example above, if a process requested to rewrite /var/log/messages , 442 * the process can't rewrite unless the domain which that process belongs to 443 * has "allow_rewrite /var/log/messages" entry. 444 * 445 * It is not a desirable behavior that we have to add "\040(deleted)" suffix 446 * when we want to allow rewriting already unlink()ed file. As of now, 447 * LSM version of TOMOYO is using __d_path() for calculating pathname. 448 * Non LSM version of TOMOYO is using its own function which doesn't append 449 * " (deleted)" suffix if the file is already unlink()ed; so that we don't 450 * need to worry whether the file is already unlink()ed or not. 451 */ 452 LIST_HEAD(tomoyo_no_rewrite_list); 453 454 /** 455 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list. 456 * 457 * @pattern: Pathname pattern that are not rewritable by default. 458 * @is_delete: True if it is a delete request. 459 * 460 * Returns 0 on success, negative value otherwise. 461 * 462 * Caller holds tomoyo_read_lock(). 463 */ 464 static int tomoyo_update_no_rewrite_entry(const char *pattern, 465 const bool is_delete) 466 { 467 struct tomoyo_no_rewrite_entry *entry = NULL; 468 struct tomoyo_no_rewrite_entry *ptr; 469 const struct tomoyo_path_info *saved_pattern; 470 int error = is_delete ? -ENOENT : -ENOMEM; 471 472 if (!tomoyo_is_correct_path(pattern, 0, 0, 0)) 473 return -EINVAL; 474 saved_pattern = tomoyo_get_name(pattern); 475 if (!saved_pattern) 476 return error; 477 if (!is_delete) 478 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 479 mutex_lock(&tomoyo_policy_lock); 480 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) { 481 if (ptr->pattern != saved_pattern) 482 continue; 483 ptr->is_deleted = is_delete; 484 error = 0; 485 break; 486 } 487 if (!is_delete && error && tomoyo_memory_ok(entry)) { 488 entry->pattern = saved_pattern; 489 saved_pattern = NULL; 490 list_add_tail_rcu(&entry->list, &tomoyo_no_rewrite_list); 491 entry = NULL; 492 error = 0; 493 } 494 mutex_unlock(&tomoyo_policy_lock); 495 tomoyo_put_name(saved_pattern); 496 kfree(entry); 497 return error; 498 } 499 500 /** 501 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited. 502 * 503 * @filename: Filename to check. 504 * 505 * Returns true if @filename is specified by "deny_rewrite" directive, 506 * false otherwise. 507 * 508 * Caller holds tomoyo_read_lock(). 509 */ 510 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename) 511 { 512 struct tomoyo_no_rewrite_entry *ptr; 513 bool found = false; 514 515 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) { 516 if (ptr->is_deleted) 517 continue; 518 if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) 519 continue; 520 found = true; 521 break; 522 } 523 return found; 524 } 525 526 /** 527 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list. 528 * 529 * @data: String to parse. 530 * @is_delete: True if it is a delete request. 531 * 532 * Returns 0 on success, negative value otherwise. 533 * 534 * Caller holds tomoyo_read_lock(). 535 */ 536 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete) 537 { 538 return tomoyo_update_no_rewrite_entry(data, is_delete); 539 } 540 541 /** 542 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list. 543 * 544 * @head: Pointer to "struct tomoyo_io_buffer". 545 * 546 * Returns true on success, false otherwise. 547 * 548 * Caller holds tomoyo_read_lock(). 549 */ 550 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head) 551 { 552 struct list_head *pos; 553 bool done = true; 554 555 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) { 556 struct tomoyo_no_rewrite_entry *ptr; 557 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list); 558 if (ptr->is_deleted) 559 continue; 560 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE 561 "%s\n", ptr->pattern->name); 562 if (!done) 563 break; 564 } 565 return done; 566 } 567 568 /** 569 * tomoyo_update_file_acl - Update file's read/write/execute ACL. 570 * 571 * @filename: Filename. 572 * @perm: Permission (between 1 to 7). 573 * @domain: Pointer to "struct tomoyo_domain_info". 574 * @is_delete: True if it is a delete request. 575 * 576 * Returns 0 on success, negative value otherwise. 577 * 578 * This is legacy support interface for older policy syntax. 579 * Current policy syntax uses "allow_read/write" instead of "6", 580 * "allow_read" instead of "4", "allow_write" instead of "2", 581 * "allow_execute" instead of "1". 582 * 583 * Caller holds tomoyo_read_lock(). 584 */ 585 static int tomoyo_update_file_acl(const char *filename, u8 perm, 586 struct tomoyo_domain_info * const domain, 587 const bool is_delete) 588 { 589 if (perm > 7 || !perm) { 590 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n", 591 __func__, perm, filename); 592 return -EINVAL; 593 } 594 if (filename[0] != '@' && tomoyo_strendswith(filename, "/")) 595 /* 596 * Only 'allow_mkdir' and 'allow_rmdir' are valid for 597 * directory permissions. 598 */ 599 return 0; 600 if (perm & 4) 601 tomoyo_update_path_acl(TOMOYO_TYPE_READ, filename, domain, 602 is_delete); 603 if (perm & 2) 604 tomoyo_update_path_acl(TOMOYO_TYPE_WRITE, filename, domain, 605 is_delete); 606 if (perm & 1) 607 tomoyo_update_path_acl(TOMOYO_TYPE_EXECUTE, filename, domain, 608 is_delete); 609 return 0; 610 } 611 612 /** 613 * tomoyo_path_acl2 - Check permission for single path operation. 614 * 615 * @domain: Pointer to "struct tomoyo_domain_info". 616 * @filename: Filename to check. 617 * @perm: Permission. 618 * @may_use_pattern: True if patterned ACL is permitted. 619 * 620 * Returns 0 on success, -EPERM otherwise. 621 * 622 * Caller holds tomoyo_read_lock(). 623 */ 624 static int tomoyo_path_acl2(const struct tomoyo_domain_info *domain, 625 const struct tomoyo_path_info *filename, 626 const u32 perm, const bool may_use_pattern) 627 { 628 struct tomoyo_acl_info *ptr; 629 int error = -EPERM; 630 631 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 632 struct tomoyo_path_acl *acl; 633 if (ptr->type != TOMOYO_TYPE_PATH_ACL) 634 continue; 635 acl = container_of(ptr, struct tomoyo_path_acl, head); 636 if (perm <= 0xFFFF) { 637 if (!(acl->perm & perm)) 638 continue; 639 } else { 640 if (!(acl->perm_high & (perm >> 16))) 641 continue; 642 } 643 if (may_use_pattern || !acl->filename->is_patterned) { 644 if (!tomoyo_path_matches_pattern(filename, 645 acl->filename)) 646 continue; 647 } else { 648 continue; 649 } 650 error = 0; 651 break; 652 } 653 return error; 654 } 655 656 /** 657 * tomoyo_check_file_acl - Check permission for opening files. 658 * 659 * @domain: Pointer to "struct tomoyo_domain_info". 660 * @filename: Filename to check. 661 * @operation: Mode ("read" or "write" or "read/write" or "execute"). 662 * 663 * Returns 0 on success, -EPERM otherwise. 664 * 665 * Caller holds tomoyo_read_lock(). 666 */ 667 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain, 668 const struct tomoyo_path_info *filename, 669 const u8 operation) 670 { 671 u32 perm = 0; 672 673 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 674 return 0; 675 if (operation == 6) 676 perm = 1 << TOMOYO_TYPE_READ_WRITE; 677 else if (operation == 4) 678 perm = 1 << TOMOYO_TYPE_READ; 679 else if (operation == 2) 680 perm = 1 << TOMOYO_TYPE_WRITE; 681 else if (operation == 1) 682 perm = 1 << TOMOYO_TYPE_EXECUTE; 683 else 684 BUG(); 685 return tomoyo_path_acl2(domain, filename, perm, operation != 1); 686 } 687 688 /** 689 * tomoyo_check_file_perm2 - Check permission for opening files. 690 * 691 * @domain: Pointer to "struct tomoyo_domain_info". 692 * @filename: Filename to check. 693 * @perm: Mode ("read" or "write" or "read/write" or "execute"). 694 * @operation: Operation name passed used for verbose mode. 695 * @mode: Access control mode. 696 * 697 * Returns 0 on success, negative value otherwise. 698 * 699 * Caller holds tomoyo_read_lock(). 700 */ 701 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain, 702 const struct tomoyo_path_info *filename, 703 const u8 perm, const char *operation, 704 const u8 mode) 705 { 706 const bool is_enforce = (mode == 3); 707 const char *msg = "<unknown>"; 708 int error = 0; 709 710 if (!filename) 711 return 0; 712 error = tomoyo_check_file_acl(domain, filename, perm); 713 if (error && perm == 4 && !domain->ignore_global_allow_read 714 && tomoyo_is_globally_readable_file(filename)) 715 error = 0; 716 if (perm == 6) 717 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ_WRITE); 718 else if (perm == 4) 719 msg = tomoyo_path2keyword(TOMOYO_TYPE_READ); 720 else if (perm == 2) 721 msg = tomoyo_path2keyword(TOMOYO_TYPE_WRITE); 722 else if (perm == 1) 723 msg = tomoyo_path2keyword(TOMOYO_TYPE_EXECUTE); 724 else 725 BUG(); 726 if (!error) 727 return 0; 728 if (tomoyo_verbose_mode(domain)) 729 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied " 730 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation, 731 filename->name, tomoyo_get_last_name(domain)); 732 if (is_enforce) 733 return error; 734 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 735 /* Don't use patterns for execute permission. */ 736 const struct tomoyo_path_info *patterned_file = (perm != 1) ? 737 tomoyo_get_file_pattern(filename) : filename; 738 tomoyo_update_file_acl(patterned_file->name, perm, 739 domain, false); 740 } 741 return 0; 742 } 743 744 /** 745 * tomoyo_write_file_policy - Update file related list. 746 * 747 * @data: String to parse. 748 * @domain: Pointer to "struct tomoyo_domain_info". 749 * @is_delete: True if it is a delete request. 750 * 751 * Returns 0 on success, negative value otherwise. 752 * 753 * Caller holds tomoyo_read_lock(). 754 */ 755 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, 756 const bool is_delete) 757 { 758 char *filename = strchr(data, ' '); 759 char *filename2; 760 unsigned int perm; 761 u8 type; 762 763 if (!filename) 764 return -EINVAL; 765 *filename++ = '\0'; 766 if (sscanf(data, "%u", &perm) == 1) 767 return tomoyo_update_file_acl(filename, (u8) perm, domain, 768 is_delete); 769 if (strncmp(data, "allow_", 6)) 770 goto out; 771 data += 6; 772 for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) { 773 if (strcmp(data, tomoyo_path_keyword[type])) 774 continue; 775 return tomoyo_update_path_acl(type, filename, domain, 776 is_delete); 777 } 778 filename2 = strchr(filename, ' '); 779 if (!filename2) 780 goto out; 781 *filename2++ = '\0'; 782 for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) { 783 if (strcmp(data, tomoyo_path2_keyword[type])) 784 continue; 785 return tomoyo_update_path2_acl(type, filename, filename2, 786 domain, is_delete); 787 } 788 out: 789 return -EINVAL; 790 } 791 792 /** 793 * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list. 794 * 795 * @type: Type of operation. 796 * @filename: Filename. 797 * @domain: Pointer to "struct tomoyo_domain_info". 798 * @is_delete: True if it is a delete request. 799 * 800 * Returns 0 on success, negative value otherwise. 801 * 802 * Caller holds tomoyo_read_lock(). 803 */ 804 static int tomoyo_update_path_acl(const u8 type, const char *filename, 805 struct tomoyo_domain_info *const domain, 806 const bool is_delete) 807 { 808 static const u32 rw_mask = 809 (1 << TOMOYO_TYPE_READ) | (1 << TOMOYO_TYPE_WRITE); 810 const struct tomoyo_path_info *saved_filename; 811 struct tomoyo_acl_info *ptr; 812 struct tomoyo_path_acl *entry = NULL; 813 int error = is_delete ? -ENOENT : -ENOMEM; 814 const u32 perm = 1 << type; 815 816 if (!domain) 817 return -EINVAL; 818 if (!tomoyo_is_correct_path(filename, 0, 0, 0)) 819 return -EINVAL; 820 saved_filename = tomoyo_get_name(filename); 821 if (!saved_filename) 822 return -ENOMEM; 823 if (!is_delete) 824 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 825 mutex_lock(&tomoyo_policy_lock); 826 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 827 struct tomoyo_path_acl *acl = 828 container_of(ptr, struct tomoyo_path_acl, head); 829 if (ptr->type != TOMOYO_TYPE_PATH_ACL) 830 continue; 831 if (acl->filename != saved_filename) 832 continue; 833 if (is_delete) { 834 if (perm <= 0xFFFF) 835 acl->perm &= ~perm; 836 else 837 acl->perm_high &= ~(perm >> 16); 838 if ((acl->perm & rw_mask) != rw_mask) 839 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE); 840 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE))) 841 acl->perm &= ~rw_mask; 842 } else { 843 if (perm <= 0xFFFF) 844 acl->perm |= perm; 845 else 846 acl->perm_high |= (perm >> 16); 847 if ((acl->perm & rw_mask) == rw_mask) 848 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE; 849 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE)) 850 acl->perm |= rw_mask; 851 } 852 error = 0; 853 break; 854 } 855 if (!is_delete && error && tomoyo_memory_ok(entry)) { 856 entry->head.type = TOMOYO_TYPE_PATH_ACL; 857 if (perm <= 0xFFFF) 858 entry->perm = perm; 859 else 860 entry->perm_high = (perm >> 16); 861 if (perm == (1 << TOMOYO_TYPE_READ_WRITE)) 862 entry->perm |= rw_mask; 863 entry->filename = saved_filename; 864 saved_filename = NULL; 865 list_add_tail_rcu(&entry->head.list, &domain->acl_info_list); 866 entry = NULL; 867 error = 0; 868 } 869 mutex_unlock(&tomoyo_policy_lock); 870 kfree(entry); 871 tomoyo_put_name(saved_filename); 872 return error; 873 } 874 875 /** 876 * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list. 877 * 878 * @type: Type of operation. 879 * @filename1: First filename. 880 * @filename2: Second filename. 881 * @domain: Pointer to "struct tomoyo_domain_info". 882 * @is_delete: True if it is a delete request. 883 * 884 * Returns 0 on success, negative value otherwise. 885 * 886 * Caller holds tomoyo_read_lock(). 887 */ 888 static int tomoyo_update_path2_acl(const u8 type, const char *filename1, 889 const char *filename2, 890 struct tomoyo_domain_info *const domain, 891 const bool is_delete) 892 { 893 const struct tomoyo_path_info *saved_filename1; 894 const struct tomoyo_path_info *saved_filename2; 895 struct tomoyo_acl_info *ptr; 896 struct tomoyo_path2_acl *entry = NULL; 897 int error = is_delete ? -ENOENT : -ENOMEM; 898 const u8 perm = 1 << type; 899 900 if (!domain) 901 return -EINVAL; 902 if (!tomoyo_is_correct_path(filename1, 0, 0, 0) || 903 !tomoyo_is_correct_path(filename2, 0, 0, 0)) 904 return -EINVAL; 905 saved_filename1 = tomoyo_get_name(filename1); 906 saved_filename2 = tomoyo_get_name(filename2); 907 if (!saved_filename1 || !saved_filename2) 908 goto out; 909 if (!is_delete) 910 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 911 mutex_lock(&tomoyo_policy_lock); 912 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 913 struct tomoyo_path2_acl *acl = 914 container_of(ptr, struct tomoyo_path2_acl, head); 915 if (ptr->type != TOMOYO_TYPE_PATH2_ACL) 916 continue; 917 if (acl->filename1 != saved_filename1 || 918 acl->filename2 != saved_filename2) 919 continue; 920 if (is_delete) 921 acl->perm &= ~perm; 922 else 923 acl->perm |= perm; 924 error = 0; 925 break; 926 } 927 if (!is_delete && error && tomoyo_memory_ok(entry)) { 928 entry->head.type = TOMOYO_TYPE_PATH2_ACL; 929 entry->perm = perm; 930 entry->filename1 = saved_filename1; 931 saved_filename1 = NULL; 932 entry->filename2 = saved_filename2; 933 saved_filename2 = NULL; 934 list_add_tail_rcu(&entry->head.list, &domain->acl_info_list); 935 entry = NULL; 936 error = 0; 937 } 938 mutex_unlock(&tomoyo_policy_lock); 939 out: 940 tomoyo_put_name(saved_filename1); 941 tomoyo_put_name(saved_filename2); 942 kfree(entry); 943 return error; 944 } 945 946 /** 947 * tomoyo_path_acl - Check permission for single path operation. 948 * 949 * @domain: Pointer to "struct tomoyo_domain_info". 950 * @type: Type of operation. 951 * @filename: Filename to check. 952 * 953 * Returns 0 on success, negative value otherwise. 954 * 955 * Caller holds tomoyo_read_lock(). 956 */ 957 static int tomoyo_path_acl(struct tomoyo_domain_info *domain, const u8 type, 958 const struct tomoyo_path_info *filename) 959 { 960 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 961 return 0; 962 return tomoyo_path_acl2(domain, filename, 1 << type, 1); 963 } 964 965 /** 966 * tomoyo_path2_acl - Check permission for double path operation. 967 * 968 * @domain: Pointer to "struct tomoyo_domain_info". 969 * @type: Type of operation. 970 * @filename1: First filename to check. 971 * @filename2: Second filename to check. 972 * 973 * Returns 0 on success, -EPERM otherwise. 974 * 975 * Caller holds tomoyo_read_lock(). 976 */ 977 static int tomoyo_path2_acl(const struct tomoyo_domain_info *domain, 978 const u8 type, 979 const struct tomoyo_path_info *filename1, 980 const struct tomoyo_path_info *filename2) 981 { 982 struct tomoyo_acl_info *ptr; 983 const u8 perm = 1 << type; 984 int error = -EPERM; 985 986 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) 987 return 0; 988 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { 989 struct tomoyo_path2_acl *acl; 990 if (ptr->type != TOMOYO_TYPE_PATH2_ACL) 991 continue; 992 acl = container_of(ptr, struct tomoyo_path2_acl, head); 993 if (!(acl->perm & perm)) 994 continue; 995 if (!tomoyo_path_matches_pattern(filename1, acl->filename1)) 996 continue; 997 if (!tomoyo_path_matches_pattern(filename2, acl->filename2)) 998 continue; 999 error = 0; 1000 break; 1001 } 1002 return error; 1003 } 1004 1005 /** 1006 * tomoyo_path_permission2 - Check permission for single path operation. 1007 * 1008 * @domain: Pointer to "struct tomoyo_domain_info". 1009 * @operation: Type of operation. 1010 * @filename: Filename to check. 1011 * @mode: Access control mode. 1012 * 1013 * Returns 0 on success, negative value otherwise. 1014 * 1015 * Caller holds tomoyo_read_lock(). 1016 */ 1017 static int tomoyo_path_permission2(struct tomoyo_domain_info *const domain, 1018 u8 operation, 1019 const struct tomoyo_path_info *filename, 1020 const u8 mode) 1021 { 1022 const char *msg; 1023 int error; 1024 const bool is_enforce = (mode == 3); 1025 1026 if (!mode) 1027 return 0; 1028 next: 1029 error = tomoyo_path_acl(domain, operation, filename); 1030 msg = tomoyo_path2keyword(operation); 1031 if (!error) 1032 goto ok; 1033 if (tomoyo_verbose_mode(domain)) 1034 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n", 1035 tomoyo_get_msg(is_enforce), msg, filename->name, 1036 tomoyo_get_last_name(domain)); 1037 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 1038 const char *name = tomoyo_get_file_pattern(filename)->name; 1039 tomoyo_update_path_acl(operation, name, domain, false); 1040 } 1041 if (!is_enforce) 1042 error = 0; 1043 ok: 1044 /* 1045 * Since "allow_truncate" doesn't imply "allow_rewrite" permission, 1046 * we need to check "allow_rewrite" permission if the filename is 1047 * specified by "deny_rewrite" keyword. 1048 */ 1049 if (!error && operation == TOMOYO_TYPE_TRUNCATE && 1050 tomoyo_is_no_rewrite_file(filename)) { 1051 operation = TOMOYO_TYPE_REWRITE; 1052 goto next; 1053 } 1054 return error; 1055 } 1056 1057 /** 1058 * tomoyo_check_exec_perm - Check permission for "execute". 1059 * 1060 * @domain: Pointer to "struct tomoyo_domain_info". 1061 * @filename: Check permission for "execute". 1062 * 1063 * Returns 0 on success, negativevalue otherwise. 1064 * 1065 * Caller holds tomoyo_read_lock(). 1066 */ 1067 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, 1068 const struct tomoyo_path_info *filename) 1069 { 1070 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1071 1072 if (!mode) 1073 return 0; 1074 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode); 1075 } 1076 1077 /** 1078 * tomoyo_check_open_permission - Check permission for "read" and "write". 1079 * 1080 * @domain: Pointer to "struct tomoyo_domain_info". 1081 * @path: Pointer to "struct path". 1082 * @flag: Flags for open(). 1083 * 1084 * Returns 0 on success, negative value otherwise. 1085 */ 1086 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 1087 struct path *path, const int flag) 1088 { 1089 const u8 acc_mode = ACC_MODE(flag); 1090 int error = -ENOMEM; 1091 struct tomoyo_path_info *buf; 1092 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1093 const bool is_enforce = (mode == 3); 1094 int idx; 1095 1096 if (!mode || !path->mnt) 1097 return 0; 1098 if (acc_mode == 0) 1099 return 0; 1100 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode)) 1101 /* 1102 * I don't check directories here because mkdir() and rmdir() 1103 * don't call me. 1104 */ 1105 return 0; 1106 idx = tomoyo_read_lock(); 1107 buf = tomoyo_get_path(path); 1108 if (!buf) 1109 goto out; 1110 error = 0; 1111 /* 1112 * If the filename is specified by "deny_rewrite" keyword, 1113 * we need to check "allow_rewrite" permission when the filename is not 1114 * opened for append mode or the filename is truncated at open time. 1115 */ 1116 if ((acc_mode & MAY_WRITE) && 1117 ((flag & O_TRUNC) || !(flag & O_APPEND)) && 1118 (tomoyo_is_no_rewrite_file(buf))) { 1119 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, 1120 buf, mode); 1121 } 1122 if (!error) 1123 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open", 1124 mode); 1125 if (!error && (flag & O_TRUNC)) 1126 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_TRUNCATE, 1127 buf, mode); 1128 out: 1129 kfree(buf); 1130 tomoyo_read_unlock(idx); 1131 if (!is_enforce) 1132 error = 0; 1133 return error; 1134 } 1135 1136 /** 1137 * tomoyo_path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". 1138 * 1139 * @operation: Type of operation. 1140 * @path: Pointer to "struct path". 1141 * 1142 * Returns 0 on success, negative value otherwise. 1143 */ 1144 int tomoyo_path_perm(const u8 operation, struct path *path) 1145 { 1146 int error = -ENOMEM; 1147 struct tomoyo_path_info *buf; 1148 struct tomoyo_domain_info *domain = tomoyo_domain(); 1149 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1150 const bool is_enforce = (mode == 3); 1151 int idx; 1152 1153 if (!mode || !path->mnt) 1154 return 0; 1155 idx = tomoyo_read_lock(); 1156 buf = tomoyo_get_path(path); 1157 if (!buf) 1158 goto out; 1159 switch (operation) { 1160 case TOMOYO_TYPE_MKDIR: 1161 case TOMOYO_TYPE_RMDIR: 1162 case TOMOYO_TYPE_CHROOT: 1163 if (!buf->is_dir) { 1164 /* 1165 * tomoyo_get_path() reserves space for appending "/." 1166 */ 1167 strcat((char *) buf->name, "/"); 1168 tomoyo_fill_path_info(buf); 1169 } 1170 } 1171 error = tomoyo_path_permission2(domain, operation, buf, mode); 1172 out: 1173 kfree(buf); 1174 tomoyo_read_unlock(idx); 1175 if (!is_enforce) 1176 error = 0; 1177 return error; 1178 } 1179 1180 /** 1181 * tomoyo_check_rewrite_permission - Check permission for "rewrite". 1182 * 1183 * @filp: Pointer to "struct file". 1184 * 1185 * Returns 0 on success, negative value otherwise. 1186 */ 1187 int tomoyo_check_rewrite_permission(struct file *filp) 1188 { 1189 int error = -ENOMEM; 1190 struct tomoyo_domain_info *domain = tomoyo_domain(); 1191 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1192 const bool is_enforce = (mode == 3); 1193 struct tomoyo_path_info *buf; 1194 int idx; 1195 1196 if (!mode || !filp->f_path.mnt) 1197 return 0; 1198 1199 idx = tomoyo_read_lock(); 1200 buf = tomoyo_get_path(&filp->f_path); 1201 if (!buf) 1202 goto out; 1203 if (!tomoyo_is_no_rewrite_file(buf)) { 1204 error = 0; 1205 goto out; 1206 } 1207 error = tomoyo_path_permission2(domain, TOMOYO_TYPE_REWRITE, buf, mode); 1208 out: 1209 kfree(buf); 1210 tomoyo_read_unlock(idx); 1211 if (!is_enforce) 1212 error = 0; 1213 return error; 1214 } 1215 1216 /** 1217 * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root". 1218 * 1219 * @operation: Type of operation. 1220 * @path1: Pointer to "struct path". 1221 * @path2: Pointer to "struct path". 1222 * 1223 * Returns 0 on success, negative value otherwise. 1224 */ 1225 int tomoyo_path2_perm(const u8 operation, struct path *path1, 1226 struct path *path2) 1227 { 1228 int error = -ENOMEM; 1229 struct tomoyo_path_info *buf1, *buf2; 1230 struct tomoyo_domain_info *domain = tomoyo_domain(); 1231 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); 1232 const bool is_enforce = (mode == 3); 1233 const char *msg; 1234 int idx; 1235 1236 if (!mode || !path1->mnt || !path2->mnt) 1237 return 0; 1238 idx = tomoyo_read_lock(); 1239 buf1 = tomoyo_get_path(path1); 1240 buf2 = tomoyo_get_path(path2); 1241 if (!buf1 || !buf2) 1242 goto out; 1243 { 1244 struct dentry *dentry = path1->dentry; 1245 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) { 1246 /* 1247 * tomoyo_get_path() reserves space for appending "/." 1248 */ 1249 if (!buf1->is_dir) { 1250 strcat((char *) buf1->name, "/"); 1251 tomoyo_fill_path_info(buf1); 1252 } 1253 if (!buf2->is_dir) { 1254 strcat((char *) buf2->name, "/"); 1255 tomoyo_fill_path_info(buf2); 1256 } 1257 } 1258 } 1259 error = tomoyo_path2_acl(domain, operation, buf1, buf2); 1260 msg = tomoyo_path22keyword(operation); 1261 if (!error) 1262 goto out; 1263 if (tomoyo_verbose_mode(domain)) 1264 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' " 1265 "denied for %s\n", tomoyo_get_msg(is_enforce), 1266 msg, buf1->name, buf2->name, 1267 tomoyo_get_last_name(domain)); 1268 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { 1269 const char *name1 = tomoyo_get_file_pattern(buf1)->name; 1270 const char *name2 = tomoyo_get_file_pattern(buf2)->name; 1271 tomoyo_update_path2_acl(operation, name1, name2, domain, 1272 false); 1273 } 1274 out: 1275 kfree(buf1); 1276 kfree(buf2); 1277 tomoyo_read_unlock(idx); 1278 if (!is_enforce) 1279 error = 0; 1280 return error; 1281 } 1282