projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
capabilities: Use RCU to protect task lookup in sys_capget
[linux-2.6-block.git] / security / tomoyo / file.c
CommitLineData
b69a54ee
KT		 1/*
2 * security/tomoyo/file.c
3 *
4 * Implementation of the Domain-Based Mandatory Access Control.
5 *
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
7 *
39826a1e 8 * Version: 2.2.0 2009/04/01
b69a54ee
KT		 9 *
10 */
11
12#include "common.h"
13#include "tomoyo.h"
14#include "realpath.h"
15#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
16
c3fa109a
TH		 17/*
18 * tomoyo_globally_readable_file_entry is a structure which is used for holding
19 * "allow_read" entries.
20 * It has following fields.
21 *
22 * (1) "list" which is linked to tomoyo_globally_readable_list .
23 * (2) "filename" is a pathname which is allowed to open(O_RDONLY).
24 * (3) "is_deleted" is a bool which is true if marked as deleted, false
25 * otherwise.
26 */
b69a54ee
KT		 27struct tomoyo_globally_readable_file_entry {
28 struct list_head list;
29 const struct tomoyo_path_info *filename;
30 bool is_deleted;
31};
32
c3fa109a
TH		 33/*
34 * tomoyo_pattern_entry is a structure which is used for holding
35 * "tomoyo_pattern_list" entries.
36 * It has following fields.
37 *
38 * (1) "list" which is linked to tomoyo_pattern_list .
39 * (2) "pattern" is a pathname pattern which is used for converting pathnames
40 * to pathname patterns during learning mode.
41 * (3) "is_deleted" is a bool which is true if marked as deleted, false
42 * otherwise.
43 */
b69a54ee
KT		 44struct tomoyo_pattern_entry {
45 struct list_head list;
46 const struct tomoyo_path_info *pattern;
47 bool is_deleted;
48};
49
c3fa109a
TH		 50/*
51 * tomoyo_no_rewrite_entry is a structure which is used for holding
52 * "deny_rewrite" entries.
53 * It has following fields.
54 *
55 * (1) "list" which is linked to tomoyo_no_rewrite_list .
56 * (2) "pattern" is a pathname which is by default not permitted to modify
57 * already existing content.
58 * (3) "is_deleted" is a bool which is true if marked as deleted, false
59 * otherwise.
60 */
b69a54ee
KT		 61struct tomoyo_no_rewrite_entry {
62 struct list_head list;
63 const struct tomoyo_path_info *pattern;
64 bool is_deleted;
65};
66
67/* Keyword array for single path operations. */
68static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = {
69 [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write",
70 [TOMOYO_TYPE_EXECUTE_ACL] = "execute",
71 [TOMOYO_TYPE_READ_ACL] = "read",
72 [TOMOYO_TYPE_WRITE_ACL] = "write",
73 [TOMOYO_TYPE_CREATE_ACL] = "create",
74 [TOMOYO_TYPE_UNLINK_ACL] = "unlink",
75 [TOMOYO_TYPE_MKDIR_ACL] = "mkdir",
76 [TOMOYO_TYPE_RMDIR_ACL] = "rmdir",
77 [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo",
78 [TOMOYO_TYPE_MKSOCK_ACL] = "mksock",
79 [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock",
80 [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar",
81 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate",
82 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink",
83 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite",
937bf613
TH		 84 [TOMOYO_TYPE_IOCTL_ACL] = "ioctl",
85 [TOMOYO_TYPE_CHMOD_ACL] = "chmod",
86 [TOMOYO_TYPE_CHOWN_ACL] = "chown",
87 [TOMOYO_TYPE_CHGRP_ACL] = "chgrp",
88 [TOMOYO_TYPE_CHROOT_ACL] = "chroot",
89 [TOMOYO_TYPE_MOUNT_ACL] = "mount",
90 [TOMOYO_TYPE_UMOUNT_ACL] = "unmount",
b69a54ee
KT		 91};
92
93/* Keyword array for double path operations. */
94static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = {
95 [TOMOYO_TYPE_LINK_ACL] = "link",
96 [TOMOYO_TYPE_RENAME_ACL] = "rename",
937bf613 97 [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root",
b69a54ee
KT		 98};
99
100/**
101 * tomoyo_sp2keyword - Get the name of single path operation.
102 *
103 * @operation: Type of operation.
104 *
105 * Returns the name of single path operation.
106 */
107const char *tomoyo_sp2keyword(const u8 operation)
108{
109 return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION)
110 ? tomoyo_sp_keyword[operation] : NULL;
111}
112
113/**
114 * tomoyo_dp2keyword - Get the name of double path operation.
115 *
116 * @operation: Type of operation.
117 *
118 * Returns the name of double path operation.
119 */
120const char *tomoyo_dp2keyword(const u8 operation)
121{
122 return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION)
123 ? tomoyo_dp_keyword[operation] : NULL;
124}
125
126/**
127 * tomoyo_strendswith - Check whether the token ends with the given token.
128 *
129 * @name: The token to check.
130 * @tail: The token to find.
131 *
132 * Returns true if @name ends with @tail, false otherwise.
133 */
134static bool tomoyo_strendswith(const char *name, const char *tail)
135{
136 int len;
137
138 if (!name || !tail)
139 return false;
140 len = strlen(name) - strlen(tail);
141 return len >= 0 && !strcmp(name + len, tail);
142}
143
144/**
145 * tomoyo_get_path - Get realpath.
146 *
147 * @path: Pointer to "struct path".
148 *
149 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
150 */
151static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
152{
153 int error;
154 struct tomoyo_path_info_with_data *buf = tomoyo_alloc(sizeof(*buf));
155
156 if (!buf)
157 return NULL;
158 /* Reserve one byte for appending "/". */
159 error = tomoyo_realpath_from_path2(path, buf->body,
160 sizeof(buf->body) - 2);
161 if (!error) {
162 buf->head.name = buf->body;
163 tomoyo_fill_path_info(&buf->head);
164 return &buf->head;
165 }
166 tomoyo_free(buf);
167 return NULL;
168}
169
170/* Lock for domain->acl_info_list. */
171DECLARE_RWSEM(tomoyo_domain_acl_info_list_lock);
172
173static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
174 const char *filename2,
175 struct tomoyo_domain_info *
176 const domain, const bool is_delete);
177static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
178 struct tomoyo_domain_info *
179 const domain, const bool is_delete);
180
c3fa109a
TH		 181/*
182 * tomoyo_globally_readable_list is used for holding list of pathnames which
183 * are by default allowed to be open()ed for reading by any process.
184 *
185 * An entry is added by
186 *
187 * # echo 'allow_read /lib/libc-2.5.so' > \
188 * /sys/kernel/security/tomoyo/exception_policy
189 *
190 * and is deleted by
191 *
192 * # echo 'delete allow_read /lib/libc-2.5.so' > \
193 * /sys/kernel/security/tomoyo/exception_policy
194 *
195 * and all entries are retrieved by
196 *
197 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
198 *
199 * In the example above, any process is allowed to
200 * open("/lib/libc-2.5.so", O_RDONLY).
201 * One exception is, if the domain which current process belongs to is marked
202 * as "ignore_global_allow_read", current process can't do so unless explicitly
203 * given "allow_read /lib/libc-2.5.so" to the domain which current process
204 * belongs to.
205 */
b69a54ee
KT		 206static LIST_HEAD(tomoyo_globally_readable_list);
207static DECLARE_RWSEM(tomoyo_globally_readable_list_lock);
208
209/**
210 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
211 *
212 * @filename: Filename unconditionally permitted to open() for reading.
213 * @is_delete: True if it is a delete request.
214 *
215 * Returns 0 on success, negative value otherwise.
216 */
217static int tomoyo_update_globally_readable_entry(const char *filename,
218 const bool is_delete)
219{
220 struct tomoyo_globally_readable_file_entry *new_entry;
221 struct tomoyo_globally_readable_file_entry *ptr;
222 const struct tomoyo_path_info *saved_filename;
223 int error = -ENOMEM;
224
225 if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__))
226 return -EINVAL;
227 saved_filename = tomoyo_save_name(filename);
228 if (!saved_filename)
229 return -ENOMEM;
b69a54ee
KT		 230 down_write(&tomoyo_globally_readable_list_lock);
231 list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) {
232 if (ptr->filename != saved_filename)
233 continue;
234 ptr->is_deleted = is_delete;
235 error = 0;
236 goto out;
237 }
238 if (is_delete) {
239 error = -ENOENT;
240 goto out;
241 }
242 new_entry = tomoyo_alloc_element(sizeof(*new_entry));
243 if (!new_entry)
244 goto out;
245 new_entry->filename = saved_filename;
246 list_add_tail(&new_entry->list, &tomoyo_globally_readable_list);
247 error = 0;
248 out:
249 up_write(&tomoyo_globally_readable_list_lock);
b69a54ee
KT		 250 return error;
251}
252
253/**
254 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
255 *
256 * @filename: The filename to check.
257 *
258 * Returns true if any domain can open @filename for reading, false otherwise.
259 */
260static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
261 filename)
262{
263 struct tomoyo_globally_readable_file_entry *ptr;
264 bool found = false;
265 down_read(&tomoyo_globally_readable_list_lock);
266 list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) {
267 if (!ptr->is_deleted &&
268 tomoyo_path_matches_pattern(filename, ptr->filename)) {
269 found = true;
270 break;
271 }
272 }
273 up_read(&tomoyo_globally_readable_list_lock);
274 return found;
275}
276
277/**
278 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
279 *
280 * @data: String to parse.
281 * @is_delete: True if it is a delete request.
282 *
283 * Returns 0 on success, negative value otherwise.
284 */
285int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
286{
287 return tomoyo_update_globally_readable_entry(data, is_delete);
288}
289
290/**
291 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
292 *
293 * @head: Pointer to "struct tomoyo_io_buffer".
294 *
295 * Returns true on success, false otherwise.
296 */
297bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
298{
299 struct list_head *pos;
300 bool done = true;
301
302 down_read(&tomoyo_globally_readable_list_lock);
303 list_for_each_cookie(pos, head->read_var2,
304 &tomoyo_globally_readable_list) {
305 struct tomoyo_globally_readable_file_entry *ptr;
306 ptr = list_entry(pos,
307 struct tomoyo_globally_readable_file_entry,
308 list);
309 if (ptr->is_deleted)
310 continue;
7d2948b1
TH		 311 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
312 ptr->filename->name);
313 if (!done)
b69a54ee 314 break;
b69a54ee
KT		 315 }
316 up_read(&tomoyo_globally_readable_list_lock);
317 return done;
318}
319
c3fa109a
TH		 320/* tomoyo_pattern_list is used for holding list of pathnames which are used for
321 * converting pathnames to pathname patterns during learning mode.
322 *
323 * An entry is added by
324 *
325 * # echo 'file_pattern /proc/\$/mounts' > \
326 * /sys/kernel/security/tomoyo/exception_policy
327 *
328 * and is deleted by
329 *
330 * # echo 'delete file_pattern /proc/\$/mounts' > \
331 * /sys/kernel/security/tomoyo/exception_policy
332 *
333 * and all entries are retrieved by
334 *
335 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
336 *
337 * In the example above, if a process which belongs to a domain which is in
338 * learning mode requested open("/proc/1/mounts", O_RDONLY),
339 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
340 * process belongs to.
341 *
342 * It is not a desirable behavior that we have to use /proc/\$/ instead of
343 * /proc/self/ when current process needs to access only current process's
344 * information. As of now, LSM version of TOMOYO is using __d_path() for
345 * calculating pathname. Non LSM version of TOMOYO is using its own function
346 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
347 * current process from accessing other process's information.
348 */
b69a54ee
KT		 349static LIST_HEAD(tomoyo_pattern_list);
350static DECLARE_RWSEM(tomoyo_pattern_list_lock);
351
352/**
353 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
354 *
355 * @pattern: Pathname pattern.
356 * @is_delete: True if it is a delete request.
357 *
358 * Returns 0 on success, negative value otherwise.
359 */
360static int tomoyo_update_file_pattern_entry(const char *pattern,
361 const bool is_delete)
362{
363 struct tomoyo_pattern_entry *new_entry;
364 struct tomoyo_pattern_entry *ptr;
365 const struct tomoyo_path_info *saved_pattern;
366 int error = -ENOMEM;
367
368 if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__))
369 return -EINVAL;
370 saved_pattern = tomoyo_save_name(pattern);
371 if (!saved_pattern)
372 return -ENOMEM;
b69a54ee
KT		 373 down_write(&tomoyo_pattern_list_lock);
374 list_for_each_entry(ptr, &tomoyo_pattern_list, list) {
375 if (saved_pattern != ptr->pattern)
376 continue;
377 ptr->is_deleted = is_delete;
378 error = 0;
379 goto out;
380 }
381 if (is_delete) {
382 error = -ENOENT;
383 goto out;
384 }
385 new_entry = tomoyo_alloc_element(sizeof(*new_entry));
386 if (!new_entry)
387 goto out;
388 new_entry->pattern = saved_pattern;
389 list_add_tail(&new_entry->list, &tomoyo_pattern_list);
390 error = 0;
391 out:
392 up_write(&tomoyo_pattern_list_lock);
b69a54ee
KT		 393 return error;
394}
395
396/**
397 * tomoyo_get_file_pattern - Get patterned pathname.
398 *
399 * @filename: The filename to find patterned pathname.
400 *
401 * Returns pointer to pathname pattern if matched, @filename otherwise.
402 */
403static const struct tomoyo_path_info *
404tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
405{
406 struct tomoyo_pattern_entry *ptr;
407 const struct tomoyo_path_info *pattern = NULL;
408
409 down_read(&tomoyo_pattern_list_lock);
410 list_for_each_entry(ptr, &tomoyo_pattern_list, list) {
411 if (ptr->is_deleted)
412 continue;
413 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
414 continue;
415 pattern = ptr->pattern;
416 if (tomoyo_strendswith(pattern->name, "/\\*")) {
417 /* Do nothing. Try to find the better match. */
418 } else {
419 /* This would be the better match. Use this. */
420 break;
421 }
422 }
423 up_read(&tomoyo_pattern_list_lock);
424 if (pattern)
425 filename = pattern;
426 return filename;
427}
428
429/**
430 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
431 *
432 * @data: String to parse.
433 * @is_delete: True if it is a delete request.
434 *
435 * Returns 0 on success, negative value otherwise.
436 */
437int tomoyo_write_pattern_policy(char *data, const bool is_delete)
438{
439 return tomoyo_update_file_pattern_entry(data, is_delete);
440}
441
442/**
443 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
444 *
445 * @head: Pointer to "struct tomoyo_io_buffer".
446 *
447 * Returns true on success, false otherwise.
448 */
449bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
450{
451 struct list_head *pos;
452 bool done = true;
453
454 down_read(&tomoyo_pattern_list_lock);
455 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
456 struct tomoyo_pattern_entry *ptr;
457 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
458 if (ptr->is_deleted)
459 continue;
7d2948b1
TH		 460 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
461 "%s\n", ptr->pattern->name);
462 if (!done)
b69a54ee 463 break;
b69a54ee
KT		 464 }
465 up_read(&tomoyo_pattern_list_lock);
466 return done;
467}
468
c3fa109a
TH		 469/*
470 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
471 * default forbidden to modify already written content of a file.
472 *
473 * An entry is added by
474 *
475 * # echo 'deny_rewrite /var/log/messages' > \
476 * /sys/kernel/security/tomoyo/exception_policy
477 *
478 * and is deleted by
479 *
480 * # echo 'delete deny_rewrite /var/log/messages' > \
481 * /sys/kernel/security/tomoyo/exception_policy
482 *
483 * and all entries are retrieved by
484 *
485 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
486 *
487 * In the example above, if a process requested to rewrite /var/log/messages ,
488 * the process can't rewrite unless the domain which that process belongs to
489 * has "allow_rewrite /var/log/messages" entry.
490 *
491 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
492 * when we want to allow rewriting already unlink()ed file. As of now,
493 * LSM version of TOMOYO is using __d_path() for calculating pathname.
494 * Non LSM version of TOMOYO is using its own function which doesn't append
495 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
496 * need to worry whether the file is already unlink()ed or not.
497 */
b69a54ee
KT		 498static LIST_HEAD(tomoyo_no_rewrite_list);
499static DECLARE_RWSEM(tomoyo_no_rewrite_list_lock);
500
501/**
502 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
503 *
504 * @pattern: Pathname pattern that are not rewritable by default.
505 * @is_delete: True if it is a delete request.
506 *
507 * Returns 0 on success, negative value otherwise.
508 */
509static int tomoyo_update_no_rewrite_entry(const char *pattern,
510 const bool is_delete)
511{
512 struct tomoyo_no_rewrite_entry *new_entry, *ptr;
513 const struct tomoyo_path_info *saved_pattern;
514 int error = -ENOMEM;
515
516 if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__))
517 return -EINVAL;
518 saved_pattern = tomoyo_save_name(pattern);
519 if (!saved_pattern)
520 return -ENOMEM;
b69a54ee
KT		 521 down_write(&tomoyo_no_rewrite_list_lock);
522 list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) {
523 if (ptr->pattern != saved_pattern)
524 continue;
525 ptr->is_deleted = is_delete;
526 error = 0;
527 goto out;
528 }
529 if (is_delete) {
530 error = -ENOENT;
531 goto out;
532 }
533 new_entry = tomoyo_alloc_element(sizeof(*new_entry));
534 if (!new_entry)
535 goto out;
536 new_entry->pattern = saved_pattern;
537 list_add_tail(&new_entry->list, &tomoyo_no_rewrite_list);
538 error = 0;
539 out:
540 up_write(&tomoyo_no_rewrite_list_lock);
b69a54ee
KT		 541 return error;
542}
543
544/**
545 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
546 *
547 * @filename: Filename to check.
548 *
549 * Returns true if @filename is specified by "deny_rewrite" directive,
550 * false otherwise.
551 */
552static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
553{
554 struct tomoyo_no_rewrite_entry *ptr;
555 bool found = false;
556
557 down_read(&tomoyo_no_rewrite_list_lock);
558 list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) {
559 if (ptr->is_deleted)
560 continue;
561 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
562 continue;
563 found = true;
564 break;
565 }
566 up_read(&tomoyo_no_rewrite_list_lock);
567 return found;
568}
569
570/**
571 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
572 *
573 * @data: String to parse.
574 * @is_delete: True if it is a delete request.
575 *
576 * Returns 0 on success, negative value otherwise.
577 */
578int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
579{
580 return tomoyo_update_no_rewrite_entry(data, is_delete);
581}
582
583/**
584 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
585 *
586 * @head: Pointer to "struct tomoyo_io_buffer".
587 *
588 * Returns true on success, false otherwise.
589 */
590bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
591{
592 struct list_head *pos;
593 bool done = true;
594
595 down_read(&tomoyo_no_rewrite_list_lock);
596 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
597 struct tomoyo_no_rewrite_entry *ptr;
598 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
599 if (ptr->is_deleted)
600 continue;
7d2948b1
TH		 601 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
602 "%s\n", ptr->pattern->name);
603 if (!done)
b69a54ee 604 break;
b69a54ee
KT		 605 }
606 up_read(&tomoyo_no_rewrite_list_lock);
607 return done;
608}
609
610/**
611 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
612 *
613 * @filename: Filename.
614 * @perm: Permission (between 1 to 7).
615 * @domain: Pointer to "struct tomoyo_domain_info".
616 * @is_delete: True if it is a delete request.
617 *
618 * Returns 0 on success, negative value otherwise.
619 *
620 * This is legacy support interface for older policy syntax.
621 * Current policy syntax uses "allow_read/write" instead of "6",
622 * "allow_read" instead of "4", "allow_write" instead of "2",
623 * "allow_execute" instead of "1".
624 */
625static int tomoyo_update_file_acl(const char *filename, u8 perm,
626 struct tomoyo_domain_info * const domain,
627 const bool is_delete)
628{
629 if (perm > 7 || !perm) {
630 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
631 __func__, perm, filename);
632 return -EINVAL;
633 }
634 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
635 /*
636 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
637 * directory permissions.
638 */
639 return 0;
640 if (perm & 4)
641 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename,
642 domain, is_delete);
643 if (perm & 2)
644 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename,
645 domain, is_delete);
646 if (perm & 1)
647 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL,
648 filename, domain, is_delete);
649 return 0;
650}
651
652/**
653 * tomoyo_check_single_path_acl2 - Check permission for single path operation.
654 *
655 * @domain: Pointer to "struct tomoyo_domain_info".
656 * @filename: Filename to check.
657 * @perm: Permission.
658 * @may_use_pattern: True if patterned ACL is permitted.
659 *
660 * Returns 0 on success, -EPERM otherwise.
661 */
662static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
663 domain,
664 const struct tomoyo_path_info *
665 filename,
937bf613 666 const u32 perm,
b69a54ee
KT		 667 const bool may_use_pattern)
668{
669 struct tomoyo_acl_info *ptr;
670 int error = -EPERM;
671
672 down_read(&tomoyo_domain_acl_info_list_lock);
673 list_for_each_entry(ptr, &domain->acl_info_list, list) {
674 struct tomoyo_single_path_acl_record *acl;
675 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
676 continue;
677 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
678 head);
937bf613
TH		 679 if (perm <= 0xFFFF) {
680 if (!(acl->perm & perm))
681 continue;
682 } else {
683 if (!(acl->perm_high & (perm >> 16)))
684 continue;
685 }
b69a54ee
KT		 686 if (may_use_pattern || !acl->filename->is_patterned) {
687 if (!tomoyo_path_matches_pattern(filename,
688 acl->filename))
689 continue;
690 } else {
691 continue;
692 }
693 error = 0;
694 break;
695 }
696 up_read(&tomoyo_domain_acl_info_list_lock);
697 return error;
698}
699
700/**
701 * tomoyo_check_file_acl - Check permission for opening files.
702 *
703 * @domain: Pointer to "struct tomoyo_domain_info".
704 * @filename: Filename to check.
705 * @operation: Mode ("read" or "write" or "read/write" or "execute").
706 *
707 * Returns 0 on success, -EPERM otherwise.
708 */
709static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
710 const struct tomoyo_path_info *filename,
711 const u8 operation)
712{
937bf613 713 u32 perm = 0;
b69a54ee
KT		 714
715 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
716 return 0;
717 if (operation == 6)
718 perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL;
719 else if (operation == 4)
720 perm = 1 << TOMOYO_TYPE_READ_ACL;
721 else if (operation == 2)
722 perm = 1 << TOMOYO_TYPE_WRITE_ACL;
723 else if (operation == 1)
724 perm = 1 << TOMOYO_TYPE_EXECUTE_ACL;
725 else
726 BUG();
727 return tomoyo_check_single_path_acl2(domain, filename, perm,
728 operation != 1);
729}
730
731/**
732 * tomoyo_check_file_perm2 - Check permission for opening files.
733 *
734 * @domain: Pointer to "struct tomoyo_domain_info".
735 * @filename: Filename to check.
736 * @perm: Mode ("read" or "write" or "read/write" or "execute").
737 * @operation: Operation name passed used for verbose mode.
738 * @mode: Access control mode.
739 *
740 * Returns 0 on success, negative value otherwise.
741 */
742static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
743 const struct tomoyo_path_info *filename,
744 const u8 perm, const char *operation,
745 const u8 mode)
746{
747 const bool is_enforce = (mode == 3);
748 const char *msg = "<unknown>";
749 int error = 0;
750
751 if (!filename)
752 return 0;
753 error = tomoyo_check_file_acl(domain, filename, perm);
754 if (error && perm == 4 &&
755 (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) == 0
756 && tomoyo_is_globally_readable_file(filename))
757 error = 0;
758 if (perm == 6)
759 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL);
760 else if (perm == 4)
761 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL);
762 else if (perm == 2)
763 msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL);
764 else if (perm == 1)
765 msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL);
766 else
767 BUG();
768 if (!error)
769 return 0;
770 if (tomoyo_verbose_mode(domain))
771 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied "
772 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation,
773 filename->name, tomoyo_get_last_name(domain));
774 if (is_enforce)
775 return error;
776 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
777 /* Don't use patterns for execute permission. */
778 const struct tomoyo_path_info *patterned_file = (perm != 1) ?
779 tomoyo_get_file_pattern(filename) : filename;
780 tomoyo_update_file_acl(patterned_file->name, perm,
781 domain, false);
782 }
783 return 0;
784}
785
786/**
787 * tomoyo_write_file_policy - Update file related list.
788 *
789 * @data: String to parse.
790 * @domain: Pointer to "struct tomoyo_domain_info".
791 * @is_delete: True if it is a delete request.
792 *
793 * Returns 0 on success, negative value otherwise.
794 */
795int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
796 const bool is_delete)
797{
798 char *filename = strchr(data, ' ');
799 char *filename2;
800 unsigned int perm;
801 u8 type;
802
803 if (!filename)
804 return -EINVAL;
805 *filename++ = '\0';
806 if (sscanf(data, "%u", &perm) == 1)
807 return tomoyo_update_file_acl(filename, (u8) perm, domain,
808 is_delete);
809 if (strncmp(data, "allow_", 6))
810 goto out;
811 data += 6;
812 for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) {
813 if (strcmp(data, tomoyo_sp_keyword[type]))
814 continue;
815 return tomoyo_update_single_path_acl(type, filename,
816 domain, is_delete);
817 }
818 filename2 = strchr(filename, ' ');
819 if (!filename2)
820 goto out;
821 *filename2++ = '\0';
822 for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) {
823 if (strcmp(data, tomoyo_dp_keyword[type]))
824 continue;
825 return tomoyo_update_double_path_acl(type, filename, filename2,
826 domain, is_delete);
827 }
828 out:
829 return -EINVAL;
830}
831
832/**
833 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
834 *
835 * @type: Type of operation.
836 * @filename: Filename.
837 * @domain: Pointer to "struct tomoyo_domain_info".
838 * @is_delete: True if it is a delete request.
839 *
840 * Returns 0 on success, negative value otherwise.
841 */
842static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
843 struct tomoyo_domain_info *
844 const domain, const bool is_delete)
845{
937bf613 846 static const u32 rw_mask =
b69a54ee
KT		 847 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL);
848 const struct tomoyo_path_info *saved_filename;
849 struct tomoyo_acl_info *ptr;
850 struct tomoyo_single_path_acl_record *acl;
851 int error = -ENOMEM;
937bf613 852 const u32 perm = 1 << type;
b69a54ee
KT		 853
854 if (!domain)
855 return -EINVAL;
856 if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__))
857 return -EINVAL;
858 saved_filename = tomoyo_save_name(filename);
859 if (!saved_filename)
860 return -ENOMEM;
b69a54ee
KT		 861 down_write(&tomoyo_domain_acl_info_list_lock);
862 if (is_delete)
863 goto delete;
864 list_for_each_entry(ptr, &domain->acl_info_list, list) {
865 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
866 continue;
867 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
868 head);
869 if (acl->filename != saved_filename)
870 continue;
871 /* Special case. Clear all bits if marked as deleted. */
872 if (ptr->type & TOMOYO_ACL_DELETED)
873 acl->perm = 0;
937bf613
TH		 874 if (perm <= 0xFFFF)
875 acl->perm |= perm;
876 else
877 acl->perm_high |= (perm >> 16);
b69a54ee
KT		 878 if ((acl->perm & rw_mask) == rw_mask)
879 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL;
880 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
881 acl->perm |= rw_mask;
882 ptr->type &= ~TOMOYO_ACL_DELETED;
883 error = 0;
884 goto out;
885 }
886 /* Not found. Append it to the tail. */
887 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL);
888 if (!acl)
889 goto out;
937bf613
TH		 890 if (perm <= 0xFFFF)
891 acl->perm = perm;
892 else
893 acl->perm_high = (perm >> 16);
b69a54ee
KT		 894 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL))
895 acl->perm |= rw_mask;
896 acl->filename = saved_filename;
897 list_add_tail(&acl->head.list, &domain->acl_info_list);
898 error = 0;
899 goto out;
900 delete:
901 error = -ENOENT;
902 list_for_each_entry(ptr, &domain->acl_info_list, list) {
903 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
904 continue;
905 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
906 head);
907 if (acl->filename != saved_filename)
908 continue;
937bf613
TH		 909 if (perm <= 0xFFFF)
910 acl->perm &= ~perm;
911 else
912 acl->perm_high &= ~(perm >> 16);
b69a54ee
KT		 913 if ((acl->perm & rw_mask) != rw_mask)
914 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL);
915 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
916 acl->perm &= ~rw_mask;
937bf613 917 if (!acl->perm && !acl->perm_high)
b69a54ee
KT		 918 ptr->type |= TOMOYO_ACL_DELETED;
919 error = 0;
920 break;
921 }
922 out:
923 up_write(&tomoyo_domain_acl_info_list_lock);
b69a54ee
KT		 924 return error;
925}
926
927/**
928 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
929 *
930 * @type: Type of operation.
931 * @filename1: First filename.
932 * @filename2: Second filename.
933 * @domain: Pointer to "struct tomoyo_domain_info".
934 * @is_delete: True if it is a delete request.
935 *
936 * Returns 0 on success, negative value otherwise.
937 */
938static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
939 const char *filename2,
940 struct tomoyo_domain_info *
941 const domain, const bool is_delete)
942{
943 const struct tomoyo_path_info *saved_filename1;
944 const struct tomoyo_path_info *saved_filename2;
945 struct tomoyo_acl_info *ptr;
946 struct tomoyo_double_path_acl_record *acl;
947 int error = -ENOMEM;
948 const u8 perm = 1 << type;
949
950 if (!domain)
951 return -EINVAL;
952 if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) ||
953 !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__))
954 return -EINVAL;
955 saved_filename1 = tomoyo_save_name(filename1);
956 saved_filename2 = tomoyo_save_name(filename2);
957 if (!saved_filename1 || !saved_filename2)
958 return -ENOMEM;
b69a54ee
KT		 959 down_write(&tomoyo_domain_acl_info_list_lock);
960 if (is_delete)
961 goto delete;
962 list_for_each_entry(ptr, &domain->acl_info_list, list) {
963 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
964 continue;
965 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
966 head);
967 if (acl->filename1 != saved_filename1 ||
968 acl->filename2 != saved_filename2)
969 continue;
970 /* Special case. Clear all bits if marked as deleted. */
971 if (ptr->type & TOMOYO_ACL_DELETED)
972 acl->perm = 0;
973 acl->perm |= perm;
974 ptr->type &= ~TOMOYO_ACL_DELETED;
975 error = 0;
976 goto out;
977 }
978 /* Not found. Append it to the tail. */
979 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_DOUBLE_PATH_ACL);
980 if (!acl)
981 goto out;
982 acl->perm = perm;
983 acl->filename1 = saved_filename1;
984 acl->filename2 = saved_filename2;
985 list_add_tail(&acl->head.list, &domain->acl_info_list);
986 error = 0;
987 goto out;
988 delete:
989 error = -ENOENT;
990 list_for_each_entry(ptr, &domain->acl_info_list, list) {
991 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
992 continue;
993 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
994 head);
995 if (acl->filename1 != saved_filename1 ||
996 acl->filename2 != saved_filename2)
997 continue;
998 acl->perm &= ~perm;
999 if (!acl->perm)
1000 ptr->type |= TOMOYO_ACL_DELETED;
1001 error = 0;
1002 break;
1003 }
1004 out:
1005 up_write(&tomoyo_domain_acl_info_list_lock);
b69a54ee
KT		 1006 return error;
1007}
1008
1009/**
1010 * tomoyo_check_single_path_acl - Check permission for single path operation.
1011 *
1012 * @domain: Pointer to "struct tomoyo_domain_info".
1013 * @type: Type of operation.
1014 * @filename: Filename to check.
1015 *
1016 * Returns 0 on success, negative value otherwise.
1017 */
1018static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
1019 const u8 type,
1020 const struct tomoyo_path_info *filename)
1021{
1022 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1023 return 0;
1024 return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1);
1025}
1026
1027/**
1028 * tomoyo_check_double_path_acl - Check permission for double path operation.
1029 *
1030 * @domain: Pointer to "struct tomoyo_domain_info".
1031 * @type: Type of operation.
1032 * @filename1: First filename to check.
1033 * @filename2: Second filename to check.
1034 *
1035 * Returns 0 on success, -EPERM otherwise.
1036 */
1037static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
1038 const u8 type,
1039 const struct tomoyo_path_info *
1040 filename1,
1041 const struct tomoyo_path_info *
1042 filename2)
1043{
1044 struct tomoyo_acl_info *ptr;
1045 const u8 perm = 1 << type;
1046 int error = -EPERM;
1047
1048 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1049 return 0;
1050 down_read(&tomoyo_domain_acl_info_list_lock);
1051 list_for_each_entry(ptr, &domain->acl_info_list, list) {
1052 struct tomoyo_double_path_acl_record *acl;
1053 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
1054 continue;
1055 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
1056 head);
1057 if (!(acl->perm & perm))
1058 continue;
1059 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
1060 continue;
1061 if (!tomoyo_path_matches_pattern(filename2, acl->filename2))
1062 continue;
1063 error = 0;
1064 break;
1065 }
1066 up_read(&tomoyo_domain_acl_info_list_lock);
1067 return error;
1068}
1069
1070/**
1071 * tomoyo_check_single_path_permission2 - Check permission for single path operation.
1072 *
1073 * @domain: Pointer to "struct tomoyo_domain_info".
1074 * @operation: Type of operation.
1075 * @filename: Filename to check.
1076 * @mode: Access control mode.
1077 *
1078 * Returns 0 on success, negative value otherwise.
1079 */
1080static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1081 const domain, u8 operation,
1082 const struct tomoyo_path_info *
1083 filename, const u8 mode)
1084{
1085 const char *msg;
1086 int error;
1087 const bool is_enforce = (mode == 3);
1088
1089 if (!mode)
1090 return 0;
1091 next:
1092 error = tomoyo_check_single_path_acl(domain, operation, filename);
1093 msg = tomoyo_sp2keyword(operation);
1094 if (!error)
1095 goto ok;
1096 if (tomoyo_verbose_mode(domain))
1097 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n",
1098 tomoyo_get_msg(is_enforce), msg, filename->name,
1099 tomoyo_get_last_name(domain));
1100 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1101 const char *name = tomoyo_get_file_pattern(filename)->name;
1102 tomoyo_update_single_path_acl(operation, name, domain, false);
1103 }
1104 if (!is_enforce)
1105 error = 0;
1106 ok:
1107 /*
1108 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1109 * we need to check "allow_rewrite" permission if the filename is
1110 * specified by "deny_rewrite" keyword.
1111 */
1112 if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL &&
1113 tomoyo_is_no_rewrite_file(filename)) {
1114 operation = TOMOYO_TYPE_REWRITE_ACL;
1115 goto next;
1116 }
1117 return error;
1118}
1119
b69a54ee
KT		 1120/**
1121 * tomoyo_check_exec_perm - Check permission for "execute".
1122 *
1123 * @domain: Pointer to "struct tomoyo_domain_info".
1124 * @filename: Check permission for "execute".
b69a54ee
KT		 1125 *
1126 * Returns 0 on success, negativevalue otherwise.
1127 */
1128int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
bcb86975 1129 const struct tomoyo_path_info *filename)
b69a54ee
KT		 1130{
1131 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1132
1133 if (!mode)
1134 return 0;
1135 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode);
1136}
1137
1138/**
1139 * tomoyo_check_open_permission - Check permission for "read" and "write".
1140 *
1141 * @domain: Pointer to "struct tomoyo_domain_info".
1142 * @path: Pointer to "struct path".
1143 * @flag: Flags for open().
1144 *
1145 * Returns 0 on success, negative value otherwise.
1146 */
1147int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1148 struct path *path, const int flag)
1149{
1150 const u8 acc_mode = ACC_MODE(flag);
1151 int error = -ENOMEM;
1152 struct tomoyo_path_info *buf;
1153 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1154 const bool is_enforce = (mode == 3);
1155
1156 if (!mode || !path->mnt)
1157 return 0;
1158 if (acc_mode == 0)
1159 return 0;
1160 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1161 /*
1162 * I don't check directories here because mkdir() and rmdir()
1163 * don't call me.
1164 */
1165 return 0;
1166 buf = tomoyo_get_path(path);
1167 if (!buf)
1168 goto out;
1169 error = 0;
1170 /*
1171 * If the filename is specified by "deny_rewrite" keyword,
1172 * we need to check "allow_rewrite" permission when the filename is not
1173 * opened for append mode or the filename is truncated at open time.
1174 */
1175 if ((acc_mode & MAY_WRITE) &&
1176 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1177 (tomoyo_is_no_rewrite_file(buf))) {
1178 error = tomoyo_check_single_path_permission2(domain,
1179 TOMOYO_TYPE_REWRITE_ACL,
1180 buf, mode);
1181 }
1182 if (!error)
1183 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1184 mode);
1185 if (!error && (flag & O_TRUNC))
1186 error = tomoyo_check_single_path_permission2(domain,
1187 TOMOYO_TYPE_TRUNCATE_ACL,
1188 buf, mode);
1189 out:
1190 tomoyo_free(buf);
1191 if (!is_enforce)
1192 error = 0;
1193 return error;
1194}
1195
1196/**
937bf613 1197 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
b69a54ee
KT		 1198 *
1199 * @domain: Pointer to "struct tomoyo_domain_info".
1200 * @operation: Type of operation.
1201 * @path: Pointer to "struct path".
1202 *
1203 * Returns 0 on success, negative value otherwise.
1204 */
1205int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1206 const u8 operation, struct path *path)
1207{
1208 int error = -ENOMEM;
1209 struct tomoyo_path_info *buf;
1210 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1211 const bool is_enforce = (mode == 3);
1212
1213 if (!mode || !path->mnt)
1214 return 0;
1215 buf = tomoyo_get_path(path);
1216 if (!buf)
1217 goto out;
1218 switch (operation) {
1219 case TOMOYO_TYPE_MKDIR_ACL:
1220 case TOMOYO_TYPE_RMDIR_ACL:
937bf613 1221 case TOMOYO_TYPE_CHROOT_ACL:
b69a54ee
KT		 1222 if (!buf->is_dir) {
1223 /*
1224 * tomoyo_get_path() reserves space for appending "/."
1225 */
1226 strcat((char *) buf->name, "/");
1227 tomoyo_fill_path_info(buf);
1228 }
1229 }
1230 error = tomoyo_check_single_path_permission2(domain, operation, buf,
1231 mode);
1232 out:
1233 tomoyo_free(buf);
1234 if (!is_enforce)
1235 error = 0;
1236 return error;
1237}
1238
1239/**
1240 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1241 *
1242 * @domain: Pointer to "struct tomoyo_domain_info".
1243 * @filp: Pointer to "struct file".
1244 *
1245 * Returns 0 on success, negative value otherwise.
1246 */
1247int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1248 struct file *filp)
1249{
1250 int error = -ENOMEM;
1251 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1252 const bool is_enforce = (mode == 3);
1253 struct tomoyo_path_info *buf;
1254
1255 if (!mode || !filp->f_path.mnt)
1256 return 0;
1257 buf = tomoyo_get_path(&filp->f_path);
1258 if (!buf)
1259 goto out;
1260 if (!tomoyo_is_no_rewrite_file(buf)) {
1261 error = 0;
1262 goto out;
1263 }
1264 error = tomoyo_check_single_path_permission2(domain,
1265 TOMOYO_TYPE_REWRITE_ACL,
1266 buf, mode);
1267 out:
1268 tomoyo_free(buf);
1269 if (!is_enforce)
1270 error = 0;
1271 return error;
1272}
1273
1274/**
937bf613 1275 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root".
b69a54ee
KT		 1276 *
1277 * @domain: Pointer to "struct tomoyo_domain_info".
1278 * @operation: Type of operation.
1279 * @path1: Pointer to "struct path".
1280 * @path2: Pointer to "struct path".
1281 *
1282 * Returns 0 on success, negative value otherwise.
1283 */
1284int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
1285 const u8 operation, struct path *path1,
1286 struct path *path2)
1287{
1288 int error = -ENOMEM;
1289 struct tomoyo_path_info *buf1, *buf2;
1290 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1291 const bool is_enforce = (mode == 3);
1292 const char *msg;
1293
1294 if (!mode || !path1->mnt || !path2->mnt)
1295 return 0;
1296 buf1 = tomoyo_get_path(path1);
1297 buf2 = tomoyo_get_path(path2);
1298 if (!buf1 || !buf2)
1299 goto out;
1300 {
1301 struct dentry *dentry = path1->dentry;
1302 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1303 /*
1304 * tomoyo_get_path() reserves space for appending "/."
1305 */
1306 if (!buf1->is_dir) {
1307 strcat((char *) buf1->name, "/");
1308 tomoyo_fill_path_info(buf1);
1309 }
1310 if (!buf2->is_dir) {
1311 strcat((char *) buf2->name, "/");
1312 tomoyo_fill_path_info(buf2);
1313 }
1314 }
1315 }
1316 error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2);
1317 msg = tomoyo_dp2keyword(operation);
1318 if (!error)
1319 goto out;
1320 if (tomoyo_verbose_mode(domain))
1321 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' "
1322 "denied for %s\n", tomoyo_get_msg(is_enforce),
1323 msg, buf1->name, buf2->name,
1324 tomoyo_get_last_name(domain));
1325 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1326 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1327 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1328 tomoyo_update_double_path_acl(operation, name1, name2, domain,
1329 false);
1330 }
1331 out:
1332 tomoyo_free(buf1);
1333 tomoyo_free(buf2);
1334 if (!is_enforce)
1335 error = 0;
1336 return error;
1337}
Linux 6.x block layer and io_uring tree(s)