Commit | Line | Data |
---|---|---|
b69a54ee KT |
1 | /* |
2 | * security/tomoyo/file.c | |
3 | * | |
4 | * Implementation of the Domain-Based Mandatory Access Control. | |
5 | * | |
6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION | |
7 | * | |
39826a1e | 8 | * Version: 2.2.0 2009/04/01 |
b69a54ee KT |
9 | * |
10 | */ | |
11 | ||
12 | #include "common.h" | |
13 | #include "tomoyo.h" | |
14 | #include "realpath.h" | |
15 | #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE]) | |
16 | ||
c3fa109a TH |
17 | /* |
18 | * tomoyo_globally_readable_file_entry is a structure which is used for holding | |
19 | * "allow_read" entries. | |
20 | * It has following fields. | |
21 | * | |
22 | * (1) "list" which is linked to tomoyo_globally_readable_list . | |
23 | * (2) "filename" is a pathname which is allowed to open(O_RDONLY). | |
24 | * (3) "is_deleted" is a bool which is true if marked as deleted, false | |
25 | * otherwise. | |
26 | */ | |
b69a54ee KT |
27 | struct tomoyo_globally_readable_file_entry { |
28 | struct list_head list; | |
29 | const struct tomoyo_path_info *filename; | |
30 | bool is_deleted; | |
31 | }; | |
32 | ||
c3fa109a TH |
33 | /* |
34 | * tomoyo_pattern_entry is a structure which is used for holding | |
35 | * "tomoyo_pattern_list" entries. | |
36 | * It has following fields. | |
37 | * | |
38 | * (1) "list" which is linked to tomoyo_pattern_list . | |
39 | * (2) "pattern" is a pathname pattern which is used for converting pathnames | |
40 | * to pathname patterns during learning mode. | |
41 | * (3) "is_deleted" is a bool which is true if marked as deleted, false | |
42 | * otherwise. | |
43 | */ | |
b69a54ee KT |
44 | struct tomoyo_pattern_entry { |
45 | struct list_head list; | |
46 | const struct tomoyo_path_info *pattern; | |
47 | bool is_deleted; | |
48 | }; | |
49 | ||
c3fa109a TH |
50 | /* |
51 | * tomoyo_no_rewrite_entry is a structure which is used for holding | |
52 | * "deny_rewrite" entries. | |
53 | * It has following fields. | |
54 | * | |
55 | * (1) "list" which is linked to tomoyo_no_rewrite_list . | |
56 | * (2) "pattern" is a pathname which is by default not permitted to modify | |
57 | * already existing content. | |
58 | * (3) "is_deleted" is a bool which is true if marked as deleted, false | |
59 | * otherwise. | |
60 | */ | |
b69a54ee KT |
61 | struct tomoyo_no_rewrite_entry { |
62 | struct list_head list; | |
63 | const struct tomoyo_path_info *pattern; | |
64 | bool is_deleted; | |
65 | }; | |
66 | ||
67 | /* Keyword array for single path operations. */ | |
68 | static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = { | |
69 | [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write", | |
70 | [TOMOYO_TYPE_EXECUTE_ACL] = "execute", | |
71 | [TOMOYO_TYPE_READ_ACL] = "read", | |
72 | [TOMOYO_TYPE_WRITE_ACL] = "write", | |
73 | [TOMOYO_TYPE_CREATE_ACL] = "create", | |
74 | [TOMOYO_TYPE_UNLINK_ACL] = "unlink", | |
75 | [TOMOYO_TYPE_MKDIR_ACL] = "mkdir", | |
76 | [TOMOYO_TYPE_RMDIR_ACL] = "rmdir", | |
77 | [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo", | |
78 | [TOMOYO_TYPE_MKSOCK_ACL] = "mksock", | |
79 | [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock", | |
80 | [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar", | |
81 | [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate", | |
82 | [TOMOYO_TYPE_SYMLINK_ACL] = "symlink", | |
83 | [TOMOYO_TYPE_REWRITE_ACL] = "rewrite", | |
937bf613 TH |
84 | [TOMOYO_TYPE_IOCTL_ACL] = "ioctl", |
85 | [TOMOYO_TYPE_CHMOD_ACL] = "chmod", | |
86 | [TOMOYO_TYPE_CHOWN_ACL] = "chown", | |
87 | [TOMOYO_TYPE_CHGRP_ACL] = "chgrp", | |
88 | [TOMOYO_TYPE_CHROOT_ACL] = "chroot", | |
89 | [TOMOYO_TYPE_MOUNT_ACL] = "mount", | |
90 | [TOMOYO_TYPE_UMOUNT_ACL] = "unmount", | |
b69a54ee KT |
91 | }; |
92 | ||
93 | /* Keyword array for double path operations. */ | |
94 | static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = { | |
95 | [TOMOYO_TYPE_LINK_ACL] = "link", | |
96 | [TOMOYO_TYPE_RENAME_ACL] = "rename", | |
937bf613 | 97 | [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root", |
b69a54ee KT |
98 | }; |
99 | ||
100 | /** | |
101 | * tomoyo_sp2keyword - Get the name of single path operation. | |
102 | * | |
103 | * @operation: Type of operation. | |
104 | * | |
105 | * Returns the name of single path operation. | |
106 | */ | |
107 | const char *tomoyo_sp2keyword(const u8 operation) | |
108 | { | |
109 | return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION) | |
110 | ? tomoyo_sp_keyword[operation] : NULL; | |
111 | } | |
112 | ||
113 | /** | |
114 | * tomoyo_dp2keyword - Get the name of double path operation. | |
115 | * | |
116 | * @operation: Type of operation. | |
117 | * | |
118 | * Returns the name of double path operation. | |
119 | */ | |
120 | const char *tomoyo_dp2keyword(const u8 operation) | |
121 | { | |
122 | return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION) | |
123 | ? tomoyo_dp_keyword[operation] : NULL; | |
124 | } | |
125 | ||
126 | /** | |
127 | * tomoyo_strendswith - Check whether the token ends with the given token. | |
128 | * | |
129 | * @name: The token to check. | |
130 | * @tail: The token to find. | |
131 | * | |
132 | * Returns true if @name ends with @tail, false otherwise. | |
133 | */ | |
134 | static bool tomoyo_strendswith(const char *name, const char *tail) | |
135 | { | |
136 | int len; | |
137 | ||
138 | if (!name || !tail) | |
139 | return false; | |
140 | len = strlen(name) - strlen(tail); | |
141 | return len >= 0 && !strcmp(name + len, tail); | |
142 | } | |
143 | ||
144 | /** | |
145 | * tomoyo_get_path - Get realpath. | |
146 | * | |
147 | * @path: Pointer to "struct path". | |
148 | * | |
149 | * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise. | |
150 | */ | |
151 | static struct tomoyo_path_info *tomoyo_get_path(struct path *path) | |
152 | { | |
153 | int error; | |
154 | struct tomoyo_path_info_with_data *buf = tomoyo_alloc(sizeof(*buf)); | |
155 | ||
156 | if (!buf) | |
157 | return NULL; | |
158 | /* Reserve one byte for appending "/". */ | |
159 | error = tomoyo_realpath_from_path2(path, buf->body, | |
160 | sizeof(buf->body) - 2); | |
161 | if (!error) { | |
162 | buf->head.name = buf->body; | |
163 | tomoyo_fill_path_info(&buf->head); | |
164 | return &buf->head; | |
165 | } | |
166 | tomoyo_free(buf); | |
167 | return NULL; | |
168 | } | |
169 | ||
170 | /* Lock for domain->acl_info_list. */ | |
171 | DECLARE_RWSEM(tomoyo_domain_acl_info_list_lock); | |
172 | ||
173 | static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | |
174 | const char *filename2, | |
175 | struct tomoyo_domain_info * | |
176 | const domain, const bool is_delete); | |
177 | static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | |
178 | struct tomoyo_domain_info * | |
179 | const domain, const bool is_delete); | |
180 | ||
c3fa109a TH |
181 | /* |
182 | * tomoyo_globally_readable_list is used for holding list of pathnames which | |
183 | * are by default allowed to be open()ed for reading by any process. | |
184 | * | |
185 | * An entry is added by | |
186 | * | |
187 | * # echo 'allow_read /lib/libc-2.5.so' > \ | |
188 | * /sys/kernel/security/tomoyo/exception_policy | |
189 | * | |
190 | * and is deleted by | |
191 | * | |
192 | * # echo 'delete allow_read /lib/libc-2.5.so' > \ | |
193 | * /sys/kernel/security/tomoyo/exception_policy | |
194 | * | |
195 | * and all entries are retrieved by | |
196 | * | |
197 | * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy | |
198 | * | |
199 | * In the example above, any process is allowed to | |
200 | * open("/lib/libc-2.5.so", O_RDONLY). | |
201 | * One exception is, if the domain which current process belongs to is marked | |
202 | * as "ignore_global_allow_read", current process can't do so unless explicitly | |
203 | * given "allow_read /lib/libc-2.5.so" to the domain which current process | |
204 | * belongs to. | |
205 | */ | |
b69a54ee KT |
206 | static LIST_HEAD(tomoyo_globally_readable_list); |
207 | static DECLARE_RWSEM(tomoyo_globally_readable_list_lock); | |
208 | ||
209 | /** | |
210 | * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list. | |
211 | * | |
212 | * @filename: Filename unconditionally permitted to open() for reading. | |
213 | * @is_delete: True if it is a delete request. | |
214 | * | |
215 | * Returns 0 on success, negative value otherwise. | |
216 | */ | |
217 | static int tomoyo_update_globally_readable_entry(const char *filename, | |
218 | const bool is_delete) | |
219 | { | |
220 | struct tomoyo_globally_readable_file_entry *new_entry; | |
221 | struct tomoyo_globally_readable_file_entry *ptr; | |
222 | const struct tomoyo_path_info *saved_filename; | |
223 | int error = -ENOMEM; | |
224 | ||
225 | if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__)) | |
226 | return -EINVAL; | |
227 | saved_filename = tomoyo_save_name(filename); | |
228 | if (!saved_filename) | |
229 | return -ENOMEM; | |
b69a54ee KT |
230 | down_write(&tomoyo_globally_readable_list_lock); |
231 | list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) { | |
232 | if (ptr->filename != saved_filename) | |
233 | continue; | |
234 | ptr->is_deleted = is_delete; | |
235 | error = 0; | |
236 | goto out; | |
237 | } | |
238 | if (is_delete) { | |
239 | error = -ENOENT; | |
240 | goto out; | |
241 | } | |
242 | new_entry = tomoyo_alloc_element(sizeof(*new_entry)); | |
243 | if (!new_entry) | |
244 | goto out; | |
245 | new_entry->filename = saved_filename; | |
246 | list_add_tail(&new_entry->list, &tomoyo_globally_readable_list); | |
247 | error = 0; | |
248 | out: | |
249 | up_write(&tomoyo_globally_readable_list_lock); | |
b69a54ee KT |
250 | return error; |
251 | } | |
252 | ||
253 | /** | |
254 | * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading. | |
255 | * | |
256 | * @filename: The filename to check. | |
257 | * | |
258 | * Returns true if any domain can open @filename for reading, false otherwise. | |
259 | */ | |
260 | static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info * | |
261 | filename) | |
262 | { | |
263 | struct tomoyo_globally_readable_file_entry *ptr; | |
264 | bool found = false; | |
265 | down_read(&tomoyo_globally_readable_list_lock); | |
266 | list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) { | |
267 | if (!ptr->is_deleted && | |
268 | tomoyo_path_matches_pattern(filename, ptr->filename)) { | |
269 | found = true; | |
270 | break; | |
271 | } | |
272 | } | |
273 | up_read(&tomoyo_globally_readable_list_lock); | |
274 | return found; | |
275 | } | |
276 | ||
277 | /** | |
278 | * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list. | |
279 | * | |
280 | * @data: String to parse. | |
281 | * @is_delete: True if it is a delete request. | |
282 | * | |
283 | * Returns 0 on success, negative value otherwise. | |
284 | */ | |
285 | int tomoyo_write_globally_readable_policy(char *data, const bool is_delete) | |
286 | { | |
287 | return tomoyo_update_globally_readable_entry(data, is_delete); | |
288 | } | |
289 | ||
290 | /** | |
291 | * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list. | |
292 | * | |
293 | * @head: Pointer to "struct tomoyo_io_buffer". | |
294 | * | |
295 | * Returns true on success, false otherwise. | |
296 | */ | |
297 | bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head) | |
298 | { | |
299 | struct list_head *pos; | |
300 | bool done = true; | |
301 | ||
302 | down_read(&tomoyo_globally_readable_list_lock); | |
303 | list_for_each_cookie(pos, head->read_var2, | |
304 | &tomoyo_globally_readable_list) { | |
305 | struct tomoyo_globally_readable_file_entry *ptr; | |
306 | ptr = list_entry(pos, | |
307 | struct tomoyo_globally_readable_file_entry, | |
308 | list); | |
309 | if (ptr->is_deleted) | |
310 | continue; | |
7d2948b1 TH |
311 | done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n", |
312 | ptr->filename->name); | |
313 | if (!done) | |
b69a54ee | 314 | break; |
b69a54ee KT |
315 | } |
316 | up_read(&tomoyo_globally_readable_list_lock); | |
317 | return done; | |
318 | } | |
319 | ||
c3fa109a TH |
320 | /* tomoyo_pattern_list is used for holding list of pathnames which are used for |
321 | * converting pathnames to pathname patterns during learning mode. | |
322 | * | |
323 | * An entry is added by | |
324 | * | |
325 | * # echo 'file_pattern /proc/\$/mounts' > \ | |
326 | * /sys/kernel/security/tomoyo/exception_policy | |
327 | * | |
328 | * and is deleted by | |
329 | * | |
330 | * # echo 'delete file_pattern /proc/\$/mounts' > \ | |
331 | * /sys/kernel/security/tomoyo/exception_policy | |
332 | * | |
333 | * and all entries are retrieved by | |
334 | * | |
335 | * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy | |
336 | * | |
337 | * In the example above, if a process which belongs to a domain which is in | |
338 | * learning mode requested open("/proc/1/mounts", O_RDONLY), | |
339 | * "allow_read /proc/\$/mounts" is automatically added to the domain which that | |
340 | * process belongs to. | |
341 | * | |
342 | * It is not a desirable behavior that we have to use /proc/\$/ instead of | |
343 | * /proc/self/ when current process needs to access only current process's | |
344 | * information. As of now, LSM version of TOMOYO is using __d_path() for | |
345 | * calculating pathname. Non LSM version of TOMOYO is using its own function | |
346 | * which pretends as if /proc/self/ is not a symlink; so that we can forbid | |
347 | * current process from accessing other process's information. | |
348 | */ | |
b69a54ee KT |
349 | static LIST_HEAD(tomoyo_pattern_list); |
350 | static DECLARE_RWSEM(tomoyo_pattern_list_lock); | |
351 | ||
352 | /** | |
353 | * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list. | |
354 | * | |
355 | * @pattern: Pathname pattern. | |
356 | * @is_delete: True if it is a delete request. | |
357 | * | |
358 | * Returns 0 on success, negative value otherwise. | |
359 | */ | |
360 | static int tomoyo_update_file_pattern_entry(const char *pattern, | |
361 | const bool is_delete) | |
362 | { | |
363 | struct tomoyo_pattern_entry *new_entry; | |
364 | struct tomoyo_pattern_entry *ptr; | |
365 | const struct tomoyo_path_info *saved_pattern; | |
366 | int error = -ENOMEM; | |
367 | ||
368 | if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__)) | |
369 | return -EINVAL; | |
370 | saved_pattern = tomoyo_save_name(pattern); | |
371 | if (!saved_pattern) | |
372 | return -ENOMEM; | |
b69a54ee KT |
373 | down_write(&tomoyo_pattern_list_lock); |
374 | list_for_each_entry(ptr, &tomoyo_pattern_list, list) { | |
375 | if (saved_pattern != ptr->pattern) | |
376 | continue; | |
377 | ptr->is_deleted = is_delete; | |
378 | error = 0; | |
379 | goto out; | |
380 | } | |
381 | if (is_delete) { | |
382 | error = -ENOENT; | |
383 | goto out; | |
384 | } | |
385 | new_entry = tomoyo_alloc_element(sizeof(*new_entry)); | |
386 | if (!new_entry) | |
387 | goto out; | |
388 | new_entry->pattern = saved_pattern; | |
389 | list_add_tail(&new_entry->list, &tomoyo_pattern_list); | |
390 | error = 0; | |
391 | out: | |
392 | up_write(&tomoyo_pattern_list_lock); | |
b69a54ee KT |
393 | return error; |
394 | } | |
395 | ||
396 | /** | |
397 | * tomoyo_get_file_pattern - Get patterned pathname. | |
398 | * | |
399 | * @filename: The filename to find patterned pathname. | |
400 | * | |
401 | * Returns pointer to pathname pattern if matched, @filename otherwise. | |
402 | */ | |
403 | static const struct tomoyo_path_info * | |
404 | tomoyo_get_file_pattern(const struct tomoyo_path_info *filename) | |
405 | { | |
406 | struct tomoyo_pattern_entry *ptr; | |
407 | const struct tomoyo_path_info *pattern = NULL; | |
408 | ||
409 | down_read(&tomoyo_pattern_list_lock); | |
410 | list_for_each_entry(ptr, &tomoyo_pattern_list, list) { | |
411 | if (ptr->is_deleted) | |
412 | continue; | |
413 | if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) | |
414 | continue; | |
415 | pattern = ptr->pattern; | |
416 | if (tomoyo_strendswith(pattern->name, "/\\*")) { | |
417 | /* Do nothing. Try to find the better match. */ | |
418 | } else { | |
419 | /* This would be the better match. Use this. */ | |
420 | break; | |
421 | } | |
422 | } | |
423 | up_read(&tomoyo_pattern_list_lock); | |
424 | if (pattern) | |
425 | filename = pattern; | |
426 | return filename; | |
427 | } | |
428 | ||
429 | /** | |
430 | * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list. | |
431 | * | |
432 | * @data: String to parse. | |
433 | * @is_delete: True if it is a delete request. | |
434 | * | |
435 | * Returns 0 on success, negative value otherwise. | |
436 | */ | |
437 | int tomoyo_write_pattern_policy(char *data, const bool is_delete) | |
438 | { | |
439 | return tomoyo_update_file_pattern_entry(data, is_delete); | |
440 | } | |
441 | ||
442 | /** | |
443 | * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list. | |
444 | * | |
445 | * @head: Pointer to "struct tomoyo_io_buffer". | |
446 | * | |
447 | * Returns true on success, false otherwise. | |
448 | */ | |
449 | bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head) | |
450 | { | |
451 | struct list_head *pos; | |
452 | bool done = true; | |
453 | ||
454 | down_read(&tomoyo_pattern_list_lock); | |
455 | list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) { | |
456 | struct tomoyo_pattern_entry *ptr; | |
457 | ptr = list_entry(pos, struct tomoyo_pattern_entry, list); | |
458 | if (ptr->is_deleted) | |
459 | continue; | |
7d2948b1 TH |
460 | done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN |
461 | "%s\n", ptr->pattern->name); | |
462 | if (!done) | |
b69a54ee | 463 | break; |
b69a54ee KT |
464 | } |
465 | up_read(&tomoyo_pattern_list_lock); | |
466 | return done; | |
467 | } | |
468 | ||
c3fa109a TH |
469 | /* |
470 | * tomoyo_no_rewrite_list is used for holding list of pathnames which are by | |
471 | * default forbidden to modify already written content of a file. | |
472 | * | |
473 | * An entry is added by | |
474 | * | |
475 | * # echo 'deny_rewrite /var/log/messages' > \ | |
476 | * /sys/kernel/security/tomoyo/exception_policy | |
477 | * | |
478 | * and is deleted by | |
479 | * | |
480 | * # echo 'delete deny_rewrite /var/log/messages' > \ | |
481 | * /sys/kernel/security/tomoyo/exception_policy | |
482 | * | |
483 | * and all entries are retrieved by | |
484 | * | |
485 | * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy | |
486 | * | |
487 | * In the example above, if a process requested to rewrite /var/log/messages , | |
488 | * the process can't rewrite unless the domain which that process belongs to | |
489 | * has "allow_rewrite /var/log/messages" entry. | |
490 | * | |
491 | * It is not a desirable behavior that we have to add "\040(deleted)" suffix | |
492 | * when we want to allow rewriting already unlink()ed file. As of now, | |
493 | * LSM version of TOMOYO is using __d_path() for calculating pathname. | |
494 | * Non LSM version of TOMOYO is using its own function which doesn't append | |
495 | * " (deleted)" suffix if the file is already unlink()ed; so that we don't | |
496 | * need to worry whether the file is already unlink()ed or not. | |
497 | */ | |
b69a54ee KT |
498 | static LIST_HEAD(tomoyo_no_rewrite_list); |
499 | static DECLARE_RWSEM(tomoyo_no_rewrite_list_lock); | |
500 | ||
501 | /** | |
502 | * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list. | |
503 | * | |
504 | * @pattern: Pathname pattern that are not rewritable by default. | |
505 | * @is_delete: True if it is a delete request. | |
506 | * | |
507 | * Returns 0 on success, negative value otherwise. | |
508 | */ | |
509 | static int tomoyo_update_no_rewrite_entry(const char *pattern, | |
510 | const bool is_delete) | |
511 | { | |
512 | struct tomoyo_no_rewrite_entry *new_entry, *ptr; | |
513 | const struct tomoyo_path_info *saved_pattern; | |
514 | int error = -ENOMEM; | |
515 | ||
516 | if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__)) | |
517 | return -EINVAL; | |
518 | saved_pattern = tomoyo_save_name(pattern); | |
519 | if (!saved_pattern) | |
520 | return -ENOMEM; | |
b69a54ee KT |
521 | down_write(&tomoyo_no_rewrite_list_lock); |
522 | list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) { | |
523 | if (ptr->pattern != saved_pattern) | |
524 | continue; | |
525 | ptr->is_deleted = is_delete; | |
526 | error = 0; | |
527 | goto out; | |
528 | } | |
529 | if (is_delete) { | |
530 | error = -ENOENT; | |
531 | goto out; | |
532 | } | |
533 | new_entry = tomoyo_alloc_element(sizeof(*new_entry)); | |
534 | if (!new_entry) | |
535 | goto out; | |
536 | new_entry->pattern = saved_pattern; | |
537 | list_add_tail(&new_entry->list, &tomoyo_no_rewrite_list); | |
538 | error = 0; | |
539 | out: | |
540 | up_write(&tomoyo_no_rewrite_list_lock); | |
b69a54ee KT |
541 | return error; |
542 | } | |
543 | ||
544 | /** | |
545 | * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited. | |
546 | * | |
547 | * @filename: Filename to check. | |
548 | * | |
549 | * Returns true if @filename is specified by "deny_rewrite" directive, | |
550 | * false otherwise. | |
551 | */ | |
552 | static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename) | |
553 | { | |
554 | struct tomoyo_no_rewrite_entry *ptr; | |
555 | bool found = false; | |
556 | ||
557 | down_read(&tomoyo_no_rewrite_list_lock); | |
558 | list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) { | |
559 | if (ptr->is_deleted) | |
560 | continue; | |
561 | if (!tomoyo_path_matches_pattern(filename, ptr->pattern)) | |
562 | continue; | |
563 | found = true; | |
564 | break; | |
565 | } | |
566 | up_read(&tomoyo_no_rewrite_list_lock); | |
567 | return found; | |
568 | } | |
569 | ||
570 | /** | |
571 | * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list. | |
572 | * | |
573 | * @data: String to parse. | |
574 | * @is_delete: True if it is a delete request. | |
575 | * | |
576 | * Returns 0 on success, negative value otherwise. | |
577 | */ | |
578 | int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete) | |
579 | { | |
580 | return tomoyo_update_no_rewrite_entry(data, is_delete); | |
581 | } | |
582 | ||
583 | /** | |
584 | * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list. | |
585 | * | |
586 | * @head: Pointer to "struct tomoyo_io_buffer". | |
587 | * | |
588 | * Returns true on success, false otherwise. | |
589 | */ | |
590 | bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head) | |
591 | { | |
592 | struct list_head *pos; | |
593 | bool done = true; | |
594 | ||
595 | down_read(&tomoyo_no_rewrite_list_lock); | |
596 | list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) { | |
597 | struct tomoyo_no_rewrite_entry *ptr; | |
598 | ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list); | |
599 | if (ptr->is_deleted) | |
600 | continue; | |
7d2948b1 TH |
601 | done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE |
602 | "%s\n", ptr->pattern->name); | |
603 | if (!done) | |
b69a54ee | 604 | break; |
b69a54ee KT |
605 | } |
606 | up_read(&tomoyo_no_rewrite_list_lock); | |
607 | return done; | |
608 | } | |
609 | ||
610 | /** | |
611 | * tomoyo_update_file_acl - Update file's read/write/execute ACL. | |
612 | * | |
613 | * @filename: Filename. | |
614 | * @perm: Permission (between 1 to 7). | |
615 | * @domain: Pointer to "struct tomoyo_domain_info". | |
616 | * @is_delete: True if it is a delete request. | |
617 | * | |
618 | * Returns 0 on success, negative value otherwise. | |
619 | * | |
620 | * This is legacy support interface for older policy syntax. | |
621 | * Current policy syntax uses "allow_read/write" instead of "6", | |
622 | * "allow_read" instead of "4", "allow_write" instead of "2", | |
623 | * "allow_execute" instead of "1". | |
624 | */ | |
625 | static int tomoyo_update_file_acl(const char *filename, u8 perm, | |
626 | struct tomoyo_domain_info * const domain, | |
627 | const bool is_delete) | |
628 | { | |
629 | if (perm > 7 || !perm) { | |
630 | printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n", | |
631 | __func__, perm, filename); | |
632 | return -EINVAL; | |
633 | } | |
634 | if (filename[0] != '@' && tomoyo_strendswith(filename, "/")) | |
635 | /* | |
636 | * Only 'allow_mkdir' and 'allow_rmdir' are valid for | |
637 | * directory permissions. | |
638 | */ | |
639 | return 0; | |
640 | if (perm & 4) | |
641 | tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename, | |
642 | domain, is_delete); | |
643 | if (perm & 2) | |
644 | tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename, | |
645 | domain, is_delete); | |
646 | if (perm & 1) | |
647 | tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL, | |
648 | filename, domain, is_delete); | |
649 | return 0; | |
650 | } | |
651 | ||
652 | /** | |
653 | * tomoyo_check_single_path_acl2 - Check permission for single path operation. | |
654 | * | |
655 | * @domain: Pointer to "struct tomoyo_domain_info". | |
656 | * @filename: Filename to check. | |
657 | * @perm: Permission. | |
658 | * @may_use_pattern: True if patterned ACL is permitted. | |
659 | * | |
660 | * Returns 0 on success, -EPERM otherwise. | |
661 | */ | |
662 | static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info * | |
663 | domain, | |
664 | const struct tomoyo_path_info * | |
665 | filename, | |
937bf613 | 666 | const u32 perm, |
b69a54ee KT |
667 | const bool may_use_pattern) |
668 | { | |
669 | struct tomoyo_acl_info *ptr; | |
670 | int error = -EPERM; | |
671 | ||
672 | down_read(&tomoyo_domain_acl_info_list_lock); | |
673 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | |
674 | struct tomoyo_single_path_acl_record *acl; | |
675 | if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) | |
676 | continue; | |
677 | acl = container_of(ptr, struct tomoyo_single_path_acl_record, | |
678 | head); | |
937bf613 TH |
679 | if (perm <= 0xFFFF) { |
680 | if (!(acl->perm & perm)) | |
681 | continue; | |
682 | } else { | |
683 | if (!(acl->perm_high & (perm >> 16))) | |
684 | continue; | |
685 | } | |
b69a54ee KT |
686 | if (may_use_pattern || !acl->filename->is_patterned) { |
687 | if (!tomoyo_path_matches_pattern(filename, | |
688 | acl->filename)) | |
689 | continue; | |
690 | } else { | |
691 | continue; | |
692 | } | |
693 | error = 0; | |
694 | break; | |
695 | } | |
696 | up_read(&tomoyo_domain_acl_info_list_lock); | |
697 | return error; | |
698 | } | |
699 | ||
700 | /** | |
701 | * tomoyo_check_file_acl - Check permission for opening files. | |
702 | * | |
703 | * @domain: Pointer to "struct tomoyo_domain_info". | |
704 | * @filename: Filename to check. | |
705 | * @operation: Mode ("read" or "write" or "read/write" or "execute"). | |
706 | * | |
707 | * Returns 0 on success, -EPERM otherwise. | |
708 | */ | |
709 | static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain, | |
710 | const struct tomoyo_path_info *filename, | |
711 | const u8 operation) | |
712 | { | |
937bf613 | 713 | u32 perm = 0; |
b69a54ee KT |
714 | |
715 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) | |
716 | return 0; | |
717 | if (operation == 6) | |
718 | perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL; | |
719 | else if (operation == 4) | |
720 | perm = 1 << TOMOYO_TYPE_READ_ACL; | |
721 | else if (operation == 2) | |
722 | perm = 1 << TOMOYO_TYPE_WRITE_ACL; | |
723 | else if (operation == 1) | |
724 | perm = 1 << TOMOYO_TYPE_EXECUTE_ACL; | |
725 | else | |
726 | BUG(); | |
727 | return tomoyo_check_single_path_acl2(domain, filename, perm, | |
728 | operation != 1); | |
729 | } | |
730 | ||
731 | /** | |
732 | * tomoyo_check_file_perm2 - Check permission for opening files. | |
733 | * | |
734 | * @domain: Pointer to "struct tomoyo_domain_info". | |
735 | * @filename: Filename to check. | |
736 | * @perm: Mode ("read" or "write" or "read/write" or "execute"). | |
737 | * @operation: Operation name passed used for verbose mode. | |
738 | * @mode: Access control mode. | |
739 | * | |
740 | * Returns 0 on success, negative value otherwise. | |
741 | */ | |
742 | static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain, | |
743 | const struct tomoyo_path_info *filename, | |
744 | const u8 perm, const char *operation, | |
745 | const u8 mode) | |
746 | { | |
747 | const bool is_enforce = (mode == 3); | |
748 | const char *msg = "<unknown>"; | |
749 | int error = 0; | |
750 | ||
751 | if (!filename) | |
752 | return 0; | |
753 | error = tomoyo_check_file_acl(domain, filename, perm); | |
754 | if (error && perm == 4 && | |
755 | (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) == 0 | |
756 | && tomoyo_is_globally_readable_file(filename)) | |
757 | error = 0; | |
758 | if (perm == 6) | |
759 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL); | |
760 | else if (perm == 4) | |
761 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL); | |
762 | else if (perm == 2) | |
763 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL); | |
764 | else if (perm == 1) | |
765 | msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL); | |
766 | else | |
767 | BUG(); | |
768 | if (!error) | |
769 | return 0; | |
770 | if (tomoyo_verbose_mode(domain)) | |
771 | printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied " | |
772 | "for %s\n", tomoyo_get_msg(is_enforce), msg, operation, | |
773 | filename->name, tomoyo_get_last_name(domain)); | |
774 | if (is_enforce) | |
775 | return error; | |
776 | if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { | |
777 | /* Don't use patterns for execute permission. */ | |
778 | const struct tomoyo_path_info *patterned_file = (perm != 1) ? | |
779 | tomoyo_get_file_pattern(filename) : filename; | |
780 | tomoyo_update_file_acl(patterned_file->name, perm, | |
781 | domain, false); | |
782 | } | |
783 | return 0; | |
784 | } | |
785 | ||
786 | /** | |
787 | * tomoyo_write_file_policy - Update file related list. | |
788 | * | |
789 | * @data: String to parse. | |
790 | * @domain: Pointer to "struct tomoyo_domain_info". | |
791 | * @is_delete: True if it is a delete request. | |
792 | * | |
793 | * Returns 0 on success, negative value otherwise. | |
794 | */ | |
795 | int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, | |
796 | const bool is_delete) | |
797 | { | |
798 | char *filename = strchr(data, ' '); | |
799 | char *filename2; | |
800 | unsigned int perm; | |
801 | u8 type; | |
802 | ||
803 | if (!filename) | |
804 | return -EINVAL; | |
805 | *filename++ = '\0'; | |
806 | if (sscanf(data, "%u", &perm) == 1) | |
807 | return tomoyo_update_file_acl(filename, (u8) perm, domain, | |
808 | is_delete); | |
809 | if (strncmp(data, "allow_", 6)) | |
810 | goto out; | |
811 | data += 6; | |
812 | for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) { | |
813 | if (strcmp(data, tomoyo_sp_keyword[type])) | |
814 | continue; | |
815 | return tomoyo_update_single_path_acl(type, filename, | |
816 | domain, is_delete); | |
817 | } | |
818 | filename2 = strchr(filename, ' '); | |
819 | if (!filename2) | |
820 | goto out; | |
821 | *filename2++ = '\0'; | |
822 | for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) { | |
823 | if (strcmp(data, tomoyo_dp_keyword[type])) | |
824 | continue; | |
825 | return tomoyo_update_double_path_acl(type, filename, filename2, | |
826 | domain, is_delete); | |
827 | } | |
828 | out: | |
829 | return -EINVAL; | |
830 | } | |
831 | ||
832 | /** | |
833 | * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list. | |
834 | * | |
835 | * @type: Type of operation. | |
836 | * @filename: Filename. | |
837 | * @domain: Pointer to "struct tomoyo_domain_info". | |
838 | * @is_delete: True if it is a delete request. | |
839 | * | |
840 | * Returns 0 on success, negative value otherwise. | |
841 | */ | |
842 | static int tomoyo_update_single_path_acl(const u8 type, const char *filename, | |
843 | struct tomoyo_domain_info * | |
844 | const domain, const bool is_delete) | |
845 | { | |
937bf613 | 846 | static const u32 rw_mask = |
b69a54ee KT |
847 | (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL); |
848 | const struct tomoyo_path_info *saved_filename; | |
849 | struct tomoyo_acl_info *ptr; | |
850 | struct tomoyo_single_path_acl_record *acl; | |
851 | int error = -ENOMEM; | |
937bf613 | 852 | const u32 perm = 1 << type; |
b69a54ee KT |
853 | |
854 | if (!domain) | |
855 | return -EINVAL; | |
856 | if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__)) | |
857 | return -EINVAL; | |
858 | saved_filename = tomoyo_save_name(filename); | |
859 | if (!saved_filename) | |
860 | return -ENOMEM; | |
b69a54ee KT |
861 | down_write(&tomoyo_domain_acl_info_list_lock); |
862 | if (is_delete) | |
863 | goto delete; | |
864 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | |
865 | if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) | |
866 | continue; | |
867 | acl = container_of(ptr, struct tomoyo_single_path_acl_record, | |
868 | head); | |
869 | if (acl->filename != saved_filename) | |
870 | continue; | |
871 | /* Special case. Clear all bits if marked as deleted. */ | |
872 | if (ptr->type & TOMOYO_ACL_DELETED) | |
873 | acl->perm = 0; | |
937bf613 TH |
874 | if (perm <= 0xFFFF) |
875 | acl->perm |= perm; | |
876 | else | |
877 | acl->perm_high |= (perm >> 16); | |
b69a54ee KT |
878 | if ((acl->perm & rw_mask) == rw_mask) |
879 | acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL; | |
880 | else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)) | |
881 | acl->perm |= rw_mask; | |
882 | ptr->type &= ~TOMOYO_ACL_DELETED; | |
883 | error = 0; | |
884 | goto out; | |
885 | } | |
886 | /* Not found. Append it to the tail. */ | |
887 | acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL); | |
888 | if (!acl) | |
889 | goto out; | |
937bf613 TH |
890 | if (perm <= 0xFFFF) |
891 | acl->perm = perm; | |
892 | else | |
893 | acl->perm_high = (perm >> 16); | |
b69a54ee KT |
894 | if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL)) |
895 | acl->perm |= rw_mask; | |
896 | acl->filename = saved_filename; | |
897 | list_add_tail(&acl->head.list, &domain->acl_info_list); | |
898 | error = 0; | |
899 | goto out; | |
900 | delete: | |
901 | error = -ENOENT; | |
902 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | |
903 | if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL) | |
904 | continue; | |
905 | acl = container_of(ptr, struct tomoyo_single_path_acl_record, | |
906 | head); | |
907 | if (acl->filename != saved_filename) | |
908 | continue; | |
937bf613 TH |
909 | if (perm <= 0xFFFF) |
910 | acl->perm &= ~perm; | |
911 | else | |
912 | acl->perm_high &= ~(perm >> 16); | |
b69a54ee KT |
913 | if ((acl->perm & rw_mask) != rw_mask) |
914 | acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL); | |
915 | else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))) | |
916 | acl->perm &= ~rw_mask; | |
937bf613 | 917 | if (!acl->perm && !acl->perm_high) |
b69a54ee KT |
918 | ptr->type |= TOMOYO_ACL_DELETED; |
919 | error = 0; | |
920 | break; | |
921 | } | |
922 | out: | |
923 | up_write(&tomoyo_domain_acl_info_list_lock); | |
b69a54ee KT |
924 | return error; |
925 | } | |
926 | ||
927 | /** | |
928 | * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list. | |
929 | * | |
930 | * @type: Type of operation. | |
931 | * @filename1: First filename. | |
932 | * @filename2: Second filename. | |
933 | * @domain: Pointer to "struct tomoyo_domain_info". | |
934 | * @is_delete: True if it is a delete request. | |
935 | * | |
936 | * Returns 0 on success, negative value otherwise. | |
937 | */ | |
938 | static int tomoyo_update_double_path_acl(const u8 type, const char *filename1, | |
939 | const char *filename2, | |
940 | struct tomoyo_domain_info * | |
941 | const domain, const bool is_delete) | |
942 | { | |
943 | const struct tomoyo_path_info *saved_filename1; | |
944 | const struct tomoyo_path_info *saved_filename2; | |
945 | struct tomoyo_acl_info *ptr; | |
946 | struct tomoyo_double_path_acl_record *acl; | |
947 | int error = -ENOMEM; | |
948 | const u8 perm = 1 << type; | |
949 | ||
950 | if (!domain) | |
951 | return -EINVAL; | |
952 | if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) || | |
953 | !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__)) | |
954 | return -EINVAL; | |
955 | saved_filename1 = tomoyo_save_name(filename1); | |
956 | saved_filename2 = tomoyo_save_name(filename2); | |
957 | if (!saved_filename1 || !saved_filename2) | |
958 | return -ENOMEM; | |
b69a54ee KT |
959 | down_write(&tomoyo_domain_acl_info_list_lock); |
960 | if (is_delete) | |
961 | goto delete; | |
962 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | |
963 | if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) | |
964 | continue; | |
965 | acl = container_of(ptr, struct tomoyo_double_path_acl_record, | |
966 | head); | |
967 | if (acl->filename1 != saved_filename1 || | |
968 | acl->filename2 != saved_filename2) | |
969 | continue; | |
970 | /* Special case. Clear all bits if marked as deleted. */ | |
971 | if (ptr->type & TOMOYO_ACL_DELETED) | |
972 | acl->perm = 0; | |
973 | acl->perm |= perm; | |
974 | ptr->type &= ~TOMOYO_ACL_DELETED; | |
975 | error = 0; | |
976 | goto out; | |
977 | } | |
978 | /* Not found. Append it to the tail. */ | |
979 | acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_DOUBLE_PATH_ACL); | |
980 | if (!acl) | |
981 | goto out; | |
982 | acl->perm = perm; | |
983 | acl->filename1 = saved_filename1; | |
984 | acl->filename2 = saved_filename2; | |
985 | list_add_tail(&acl->head.list, &domain->acl_info_list); | |
986 | error = 0; | |
987 | goto out; | |
988 | delete: | |
989 | error = -ENOENT; | |
990 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | |
991 | if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) | |
992 | continue; | |
993 | acl = container_of(ptr, struct tomoyo_double_path_acl_record, | |
994 | head); | |
995 | if (acl->filename1 != saved_filename1 || | |
996 | acl->filename2 != saved_filename2) | |
997 | continue; | |
998 | acl->perm &= ~perm; | |
999 | if (!acl->perm) | |
1000 | ptr->type |= TOMOYO_ACL_DELETED; | |
1001 | error = 0; | |
1002 | break; | |
1003 | } | |
1004 | out: | |
1005 | up_write(&tomoyo_domain_acl_info_list_lock); | |
b69a54ee KT |
1006 | return error; |
1007 | } | |
1008 | ||
1009 | /** | |
1010 | * tomoyo_check_single_path_acl - Check permission for single path operation. | |
1011 | * | |
1012 | * @domain: Pointer to "struct tomoyo_domain_info". | |
1013 | * @type: Type of operation. | |
1014 | * @filename: Filename to check. | |
1015 | * | |
1016 | * Returns 0 on success, negative value otherwise. | |
1017 | */ | |
1018 | static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain, | |
1019 | const u8 type, | |
1020 | const struct tomoyo_path_info *filename) | |
1021 | { | |
1022 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) | |
1023 | return 0; | |
1024 | return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1); | |
1025 | } | |
1026 | ||
1027 | /** | |
1028 | * tomoyo_check_double_path_acl - Check permission for double path operation. | |
1029 | * | |
1030 | * @domain: Pointer to "struct tomoyo_domain_info". | |
1031 | * @type: Type of operation. | |
1032 | * @filename1: First filename to check. | |
1033 | * @filename2: Second filename to check. | |
1034 | * | |
1035 | * Returns 0 on success, -EPERM otherwise. | |
1036 | */ | |
1037 | static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain, | |
1038 | const u8 type, | |
1039 | const struct tomoyo_path_info * | |
1040 | filename1, | |
1041 | const struct tomoyo_path_info * | |
1042 | filename2) | |
1043 | { | |
1044 | struct tomoyo_acl_info *ptr; | |
1045 | const u8 perm = 1 << type; | |
1046 | int error = -EPERM; | |
1047 | ||
1048 | if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE)) | |
1049 | return 0; | |
1050 | down_read(&tomoyo_domain_acl_info_list_lock); | |
1051 | list_for_each_entry(ptr, &domain->acl_info_list, list) { | |
1052 | struct tomoyo_double_path_acl_record *acl; | |
1053 | if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL) | |
1054 | continue; | |
1055 | acl = container_of(ptr, struct tomoyo_double_path_acl_record, | |
1056 | head); | |
1057 | if (!(acl->perm & perm)) | |
1058 | continue; | |
1059 | if (!tomoyo_path_matches_pattern(filename1, acl->filename1)) | |
1060 | continue; | |
1061 | if (!tomoyo_path_matches_pattern(filename2, acl->filename2)) | |
1062 | continue; | |
1063 | error = 0; | |
1064 | break; | |
1065 | } | |
1066 | up_read(&tomoyo_domain_acl_info_list_lock); | |
1067 | return error; | |
1068 | } | |
1069 | ||
1070 | /** | |
1071 | * tomoyo_check_single_path_permission2 - Check permission for single path operation. | |
1072 | * | |
1073 | * @domain: Pointer to "struct tomoyo_domain_info". | |
1074 | * @operation: Type of operation. | |
1075 | * @filename: Filename to check. | |
1076 | * @mode: Access control mode. | |
1077 | * | |
1078 | * Returns 0 on success, negative value otherwise. | |
1079 | */ | |
1080 | static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * | |
1081 | const domain, u8 operation, | |
1082 | const struct tomoyo_path_info * | |
1083 | filename, const u8 mode) | |
1084 | { | |
1085 | const char *msg; | |
1086 | int error; | |
1087 | const bool is_enforce = (mode == 3); | |
1088 | ||
1089 | if (!mode) | |
1090 | return 0; | |
1091 | next: | |
1092 | error = tomoyo_check_single_path_acl(domain, operation, filename); | |
1093 | msg = tomoyo_sp2keyword(operation); | |
1094 | if (!error) | |
1095 | goto ok; | |
1096 | if (tomoyo_verbose_mode(domain)) | |
1097 | printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n", | |
1098 | tomoyo_get_msg(is_enforce), msg, filename->name, | |
1099 | tomoyo_get_last_name(domain)); | |
1100 | if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { | |
1101 | const char *name = tomoyo_get_file_pattern(filename)->name; | |
1102 | tomoyo_update_single_path_acl(operation, name, domain, false); | |
1103 | } | |
1104 | if (!is_enforce) | |
1105 | error = 0; | |
1106 | ok: | |
1107 | /* | |
1108 | * Since "allow_truncate" doesn't imply "allow_rewrite" permission, | |
1109 | * we need to check "allow_rewrite" permission if the filename is | |
1110 | * specified by "deny_rewrite" keyword. | |
1111 | */ | |
1112 | if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL && | |
1113 | tomoyo_is_no_rewrite_file(filename)) { | |
1114 | operation = TOMOYO_TYPE_REWRITE_ACL; | |
1115 | goto next; | |
1116 | } | |
1117 | return error; | |
1118 | } | |
1119 | ||
b69a54ee KT |
1120 | /** |
1121 | * tomoyo_check_exec_perm - Check permission for "execute". | |
1122 | * | |
1123 | * @domain: Pointer to "struct tomoyo_domain_info". | |
1124 | * @filename: Check permission for "execute". | |
b69a54ee KT |
1125 | * |
1126 | * Returns 0 on success, negativevalue otherwise. | |
1127 | */ | |
1128 | int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, | |
bcb86975 | 1129 | const struct tomoyo_path_info *filename) |
b69a54ee KT |
1130 | { |
1131 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | |
1132 | ||
1133 | if (!mode) | |
1134 | return 0; | |
1135 | return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode); | |
1136 | } | |
1137 | ||
1138 | /** | |
1139 | * tomoyo_check_open_permission - Check permission for "read" and "write". | |
1140 | * | |
1141 | * @domain: Pointer to "struct tomoyo_domain_info". | |
1142 | * @path: Pointer to "struct path". | |
1143 | * @flag: Flags for open(). | |
1144 | * | |
1145 | * Returns 0 on success, negative value otherwise. | |
1146 | */ | |
1147 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, | |
1148 | struct path *path, const int flag) | |
1149 | { | |
1150 | const u8 acc_mode = ACC_MODE(flag); | |
1151 | int error = -ENOMEM; | |
1152 | struct tomoyo_path_info *buf; | |
1153 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | |
1154 | const bool is_enforce = (mode == 3); | |
1155 | ||
1156 | if (!mode || !path->mnt) | |
1157 | return 0; | |
1158 | if (acc_mode == 0) | |
1159 | return 0; | |
1160 | if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode)) | |
1161 | /* | |
1162 | * I don't check directories here because mkdir() and rmdir() | |
1163 | * don't call me. | |
1164 | */ | |
1165 | return 0; | |
1166 | buf = tomoyo_get_path(path); | |
1167 | if (!buf) | |
1168 | goto out; | |
1169 | error = 0; | |
1170 | /* | |
1171 | * If the filename is specified by "deny_rewrite" keyword, | |
1172 | * we need to check "allow_rewrite" permission when the filename is not | |
1173 | * opened for append mode or the filename is truncated at open time. | |
1174 | */ | |
1175 | if ((acc_mode & MAY_WRITE) && | |
1176 | ((flag & O_TRUNC) || !(flag & O_APPEND)) && | |
1177 | (tomoyo_is_no_rewrite_file(buf))) { | |
1178 | error = tomoyo_check_single_path_permission2(domain, | |
1179 | TOMOYO_TYPE_REWRITE_ACL, | |
1180 | buf, mode); | |
1181 | } | |
1182 | if (!error) | |
1183 | error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open", | |
1184 | mode); | |
1185 | if (!error && (flag & O_TRUNC)) | |
1186 | error = tomoyo_check_single_path_permission2(domain, | |
1187 | TOMOYO_TYPE_TRUNCATE_ACL, | |
1188 | buf, mode); | |
1189 | out: | |
1190 | tomoyo_free(buf); | |
1191 | if (!is_enforce) | |
1192 | error = 0; | |
1193 | return error; | |
1194 | } | |
1195 | ||
1196 | /** | |
937bf613 | 1197 | * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount". |
b69a54ee KT |
1198 | * |
1199 | * @domain: Pointer to "struct tomoyo_domain_info". | |
1200 | * @operation: Type of operation. | |
1201 | * @path: Pointer to "struct path". | |
1202 | * | |
1203 | * Returns 0 on success, negative value otherwise. | |
1204 | */ | |
1205 | int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, | |
1206 | const u8 operation, struct path *path) | |
1207 | { | |
1208 | int error = -ENOMEM; | |
1209 | struct tomoyo_path_info *buf; | |
1210 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | |
1211 | const bool is_enforce = (mode == 3); | |
1212 | ||
1213 | if (!mode || !path->mnt) | |
1214 | return 0; | |
1215 | buf = tomoyo_get_path(path); | |
1216 | if (!buf) | |
1217 | goto out; | |
1218 | switch (operation) { | |
1219 | case TOMOYO_TYPE_MKDIR_ACL: | |
1220 | case TOMOYO_TYPE_RMDIR_ACL: | |
937bf613 | 1221 | case TOMOYO_TYPE_CHROOT_ACL: |
b69a54ee KT |
1222 | if (!buf->is_dir) { |
1223 | /* | |
1224 | * tomoyo_get_path() reserves space for appending "/." | |
1225 | */ | |
1226 | strcat((char *) buf->name, "/"); | |
1227 | tomoyo_fill_path_info(buf); | |
1228 | } | |
1229 | } | |
1230 | error = tomoyo_check_single_path_permission2(domain, operation, buf, | |
1231 | mode); | |
1232 | out: | |
1233 | tomoyo_free(buf); | |
1234 | if (!is_enforce) | |
1235 | error = 0; | |
1236 | return error; | |
1237 | } | |
1238 | ||
1239 | /** | |
1240 | * tomoyo_check_rewrite_permission - Check permission for "rewrite". | |
1241 | * | |
1242 | * @domain: Pointer to "struct tomoyo_domain_info". | |
1243 | * @filp: Pointer to "struct file". | |
1244 | * | |
1245 | * Returns 0 on success, negative value otherwise. | |
1246 | */ | |
1247 | int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, | |
1248 | struct file *filp) | |
1249 | { | |
1250 | int error = -ENOMEM; | |
1251 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | |
1252 | const bool is_enforce = (mode == 3); | |
1253 | struct tomoyo_path_info *buf; | |
1254 | ||
1255 | if (!mode || !filp->f_path.mnt) | |
1256 | return 0; | |
1257 | buf = tomoyo_get_path(&filp->f_path); | |
1258 | if (!buf) | |
1259 | goto out; | |
1260 | if (!tomoyo_is_no_rewrite_file(buf)) { | |
1261 | error = 0; | |
1262 | goto out; | |
1263 | } | |
1264 | error = tomoyo_check_single_path_permission2(domain, | |
1265 | TOMOYO_TYPE_REWRITE_ACL, | |
1266 | buf, mode); | |
1267 | out: | |
1268 | tomoyo_free(buf); | |
1269 | if (!is_enforce) | |
1270 | error = 0; | |
1271 | return error; | |
1272 | } | |
1273 | ||
1274 | /** | |
937bf613 | 1275 | * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root". |
b69a54ee KT |
1276 | * |
1277 | * @domain: Pointer to "struct tomoyo_domain_info". | |
1278 | * @operation: Type of operation. | |
1279 | * @path1: Pointer to "struct path". | |
1280 | * @path2: Pointer to "struct path". | |
1281 | * | |
1282 | * Returns 0 on success, negative value otherwise. | |
1283 | */ | |
1284 | int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain, | |
1285 | const u8 operation, struct path *path1, | |
1286 | struct path *path2) | |
1287 | { | |
1288 | int error = -ENOMEM; | |
1289 | struct tomoyo_path_info *buf1, *buf2; | |
1290 | const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); | |
1291 | const bool is_enforce = (mode == 3); | |
1292 | const char *msg; | |
1293 | ||
1294 | if (!mode || !path1->mnt || !path2->mnt) | |
1295 | return 0; | |
1296 | buf1 = tomoyo_get_path(path1); | |
1297 | buf2 = tomoyo_get_path(path2); | |
1298 | if (!buf1 || !buf2) | |
1299 | goto out; | |
1300 | { | |
1301 | struct dentry *dentry = path1->dentry; | |
1302 | if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) { | |
1303 | /* | |
1304 | * tomoyo_get_path() reserves space for appending "/." | |
1305 | */ | |
1306 | if (!buf1->is_dir) { | |
1307 | strcat((char *) buf1->name, "/"); | |
1308 | tomoyo_fill_path_info(buf1); | |
1309 | } | |
1310 | if (!buf2->is_dir) { | |
1311 | strcat((char *) buf2->name, "/"); | |
1312 | tomoyo_fill_path_info(buf2); | |
1313 | } | |
1314 | } | |
1315 | } | |
1316 | error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2); | |
1317 | msg = tomoyo_dp2keyword(operation); | |
1318 | if (!error) | |
1319 | goto out; | |
1320 | if (tomoyo_verbose_mode(domain)) | |
1321 | printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' " | |
1322 | "denied for %s\n", tomoyo_get_msg(is_enforce), | |
1323 | msg, buf1->name, buf2->name, | |
1324 | tomoyo_get_last_name(domain)); | |
1325 | if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) { | |
1326 | const char *name1 = tomoyo_get_file_pattern(buf1)->name; | |
1327 | const char *name2 = tomoyo_get_file_pattern(buf2)->name; | |
1328 | tomoyo_update_double_path_acl(operation, name1, name2, domain, | |
1329 | false); | |
1330 | } | |
1331 | out: | |
1332 | tomoyo_free(buf1); | |
1333 | tomoyo_free(buf2); | |
1334 | if (!is_enforce) | |
1335 | error = 0; | |
1336 | return error; | |
1337 | } |