4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
11 #include <linux/kthread.h>
12 #include <linux/slab.h>
14 enum tomoyo_policy_id {
16 TOMOYO_ID_PATH_GROUP_MEMBER,
17 TOMOYO_ID_NUMBER_GROUP,
18 TOMOYO_ID_NUMBER_GROUP_MEMBER,
19 TOMOYO_ID_DOMAIN_INITIALIZER,
20 TOMOYO_ID_DOMAIN_KEEPER,
23 TOMOYO_ID_GLOBALLY_READABLE,
33 struct tomoyo_gc_entry {
34 struct list_head list;
36 struct list_head *element;
38 static LIST_HEAD(tomoyo_gc_queue);
39 static DEFINE_MUTEX(tomoyo_gc_mutex);
41 /* Caller holds tomoyo_policy_lock mutex. */
42 static bool tomoyo_add_to_gc(const int type, struct list_head *element)
44 struct tomoyo_gc_entry *entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
48 entry->element = element;
49 list_add(&entry->list, &tomoyo_gc_queue);
50 list_del_rcu(element);
54 static void tomoyo_del_allow_read(struct list_head *element)
56 struct tomoyo_globally_readable_file_entry *ptr =
57 container_of(element, typeof(*ptr), head.list);
58 tomoyo_put_name(ptr->filename);
61 static void tomoyo_del_file_pattern(struct list_head *element)
63 struct tomoyo_pattern_entry *ptr =
64 container_of(element, typeof(*ptr), head.list);
65 tomoyo_put_name(ptr->pattern);
68 static void tomoyo_del_no_rewrite(struct list_head *element)
70 struct tomoyo_no_rewrite_entry *ptr =
71 container_of(element, typeof(*ptr), head.list);
72 tomoyo_put_name(ptr->pattern);
75 static void tomoyo_del_domain_initializer(struct list_head *element)
77 struct tomoyo_domain_initializer_entry *ptr =
78 container_of(element, typeof(*ptr), head.list);
79 tomoyo_put_name(ptr->domainname);
80 tomoyo_put_name(ptr->program);
83 static void tomoyo_del_domain_keeper(struct list_head *element)
85 struct tomoyo_domain_keeper_entry *ptr =
86 container_of(element, typeof(*ptr), head.list);
87 tomoyo_put_name(ptr->domainname);
88 tomoyo_put_name(ptr->program);
91 static void tomoyo_del_aggregator(struct list_head *element)
93 struct tomoyo_aggregator_entry *ptr =
94 container_of(element, typeof(*ptr), head.list);
95 tomoyo_put_name(ptr->original_name);
96 tomoyo_put_name(ptr->aggregated_name);
99 static void tomoyo_del_alias(struct list_head *element)
101 struct tomoyo_alias_entry *ptr =
102 container_of(element, typeof(*ptr), head.list);
103 tomoyo_put_name(ptr->original_name);
104 tomoyo_put_name(ptr->aliased_name);
107 static void tomoyo_del_manager(struct list_head *element)
109 struct tomoyo_policy_manager_entry *ptr =
110 container_of(element, typeof(*ptr), head.list);
111 tomoyo_put_name(ptr->manager);
114 static void tomoyo_del_acl(struct list_head *element)
116 struct tomoyo_acl_info *acl =
117 container_of(element, typeof(*acl), list);
119 case TOMOYO_TYPE_PATH_ACL:
121 struct tomoyo_path_acl *entry
122 = container_of(acl, typeof(*entry), head);
123 tomoyo_put_name_union(&entry->name);
126 case TOMOYO_TYPE_PATH2_ACL:
128 struct tomoyo_path2_acl *entry
129 = container_of(acl, typeof(*entry), head);
130 tomoyo_put_name_union(&entry->name1);
131 tomoyo_put_name_union(&entry->name2);
134 case TOMOYO_TYPE_PATH_NUMBER_ACL:
136 struct tomoyo_path_number_acl *entry
137 = container_of(acl, typeof(*entry), head);
138 tomoyo_put_name_union(&entry->name);
139 tomoyo_put_number_union(&entry->number);
142 case TOMOYO_TYPE_MKDEV_ACL:
144 struct tomoyo_mkdev_acl *entry
145 = container_of(acl, typeof(*entry), head);
146 tomoyo_put_name_union(&entry->name);
147 tomoyo_put_number_union(&entry->mode);
148 tomoyo_put_number_union(&entry->major);
149 tomoyo_put_number_union(&entry->minor);
152 case TOMOYO_TYPE_MOUNT_ACL:
154 struct tomoyo_mount_acl *entry
155 = container_of(acl, typeof(*entry), head);
156 tomoyo_put_name_union(&entry->dev_name);
157 tomoyo_put_name_union(&entry->dir_name);
158 tomoyo_put_name_union(&entry->fs_type);
159 tomoyo_put_number_union(&entry->flags);
165 static bool tomoyo_del_domain(struct list_head *element)
167 struct tomoyo_domain_info *domain =
168 container_of(element, typeof(*domain), list);
169 struct tomoyo_acl_info *acl;
170 struct tomoyo_acl_info *tmp;
172 * Since we don't protect whole execve() operation using SRCU,
173 * we need to recheck domain->users at this point.
175 * (1) Reader starts SRCU section upon execve().
176 * (2) Reader traverses tomoyo_domain_list and finds this domain.
177 * (3) Writer marks this domain as deleted.
178 * (4) Garbage collector removes this domain from tomoyo_domain_list
179 * because this domain is marked as deleted and used by nobody.
180 * (5) Reader saves reference to this domain into
181 * "struct linux_binprm"->cred->security .
182 * (6) Reader finishes SRCU section, although execve() operation has
184 * (7) Garbage collector waits for SRCU synchronization.
185 * (8) Garbage collector kfree() this domain because this domain is
187 * (9) Reader finishes execve() operation and restores this domain from
188 * "struct linux_binprm"->cred->security.
190 * By updating domain->users at (5), we can solve this race problem
191 * by rechecking domain->users at (8).
193 if (atomic_read(&domain->users))
195 list_for_each_entry_safe(acl, tmp, &domain->acl_info_list, list) {
196 tomoyo_del_acl(&acl->list);
197 tomoyo_memory_free(acl);
199 tomoyo_put_name(domain->domainname);
204 static void tomoyo_del_name(struct list_head *element)
206 const struct tomoyo_name_entry *ptr =
207 container_of(element, typeof(*ptr), list);
210 static void tomoyo_del_path_group_member(struct list_head *element)
212 struct tomoyo_path_group_member *member =
213 container_of(element, typeof(*member), head.list);
214 tomoyo_put_name(member->member_name);
217 static void tomoyo_del_path_group(struct list_head *element)
219 struct tomoyo_path_group *group =
220 container_of(element, typeof(*group), list);
221 tomoyo_put_name(group->group_name);
224 static void tomoyo_del_number_group_member(struct list_head *element)
226 struct tomoyo_number_group_member *member =
227 container_of(element, typeof(*member), head.list);
230 static void tomoyo_del_number_group(struct list_head *element)
232 struct tomoyo_number_group *group =
233 container_of(element, typeof(*group), list);
234 tomoyo_put_name(group->group_name);
237 static struct list_head *tomoyo_policy_list[TOMOYO_MAX_POLICY] = {
238 [TOMOYO_ID_GLOBALLY_READABLE] = &tomoyo_globally_readable_list,
239 [TOMOYO_ID_PATTERN] = &tomoyo_pattern_list,
240 [TOMOYO_ID_NO_REWRITE] = &tomoyo_no_rewrite_list,
241 [TOMOYO_ID_DOMAIN_INITIALIZER] = &tomoyo_domain_initializer_list,
242 [TOMOYO_ID_DOMAIN_KEEPER] = &tomoyo_domain_keeper_list,
243 [TOMOYO_ID_AGGREGATOR] = &tomoyo_aggregator_list,
244 [TOMOYO_ID_ALIAS] = &tomoyo_alias_list,
245 [TOMOYO_ID_MANAGER] = &tomoyo_policy_manager_list,
248 static bool tomoyo_collect_member(struct list_head *member_list, int id)
250 struct tomoyo_acl_head *member;
251 list_for_each_entry(member, member_list, list) {
252 if (!member->is_deleted)
254 if (!tomoyo_add_to_gc(id, &member->list))
260 static bool tomoyo_collect_acl(struct tomoyo_domain_info *domain)
262 struct tomoyo_acl_info *acl;
263 list_for_each_entry(acl, &domain->acl_info_list, list) {
264 if (!acl->is_deleted)
266 if (!tomoyo_add_to_gc(TOMOYO_ID_ACL, &acl->list))
272 static void tomoyo_collect_entry(void)
275 if (mutex_lock_interruptible(&tomoyo_policy_lock))
277 for (i = 0; i < TOMOYO_MAX_POLICY; i++) {
278 if (tomoyo_policy_list[i])
279 if (!tomoyo_collect_member(tomoyo_policy_list[i], i))
283 struct tomoyo_domain_info *domain;
284 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
285 if (!tomoyo_collect_acl(domain))
287 if (!domain->is_deleted || atomic_read(&domain->users))
290 * Nobody is referring this domain. But somebody may
291 * refer this domain after successful execve().
292 * We recheck domain->users after SRCU synchronization.
294 if (!tomoyo_add_to_gc(TOMOYO_ID_DOMAIN, &domain->list))
298 for (i = 0; i < TOMOYO_MAX_HASH; i++) {
299 struct tomoyo_name_entry *ptr;
300 list_for_each_entry_rcu(ptr, &tomoyo_name_list[i], list) {
301 if (atomic_read(&ptr->users))
303 if (!tomoyo_add_to_gc(TOMOYO_ID_NAME, &ptr->list))
308 struct tomoyo_path_group *group;
309 list_for_each_entry_rcu(group, &tomoyo_path_group_list, list) {
310 tomoyo_collect_member(&group->member_list,
311 TOMOYO_ID_PATH_GROUP_MEMBER);
312 if (!list_empty(&group->member_list) ||
313 atomic_read(&group->users))
315 if (!tomoyo_add_to_gc(TOMOYO_ID_PATH_GROUP,
321 struct tomoyo_number_group *group;
322 list_for_each_entry_rcu(group, &tomoyo_number_group_list,
324 tomoyo_collect_member(&group->member_list,
325 TOMOYO_ID_NUMBER_GROUP_MEMBER);
326 if (!list_empty(&group->member_list) ||
327 atomic_read(&group->users))
329 if (!tomoyo_add_to_gc(TOMOYO_ID_NUMBER_GROUP,
335 mutex_unlock(&tomoyo_policy_lock);
338 static void tomoyo_kfree_entry(void)
340 struct tomoyo_gc_entry *p;
341 struct tomoyo_gc_entry *tmp;
343 list_for_each_entry_safe(p, tmp, &tomoyo_gc_queue, list) {
344 struct list_head *element = p->element;
346 case TOMOYO_ID_DOMAIN_INITIALIZER:
347 tomoyo_del_domain_initializer(element);
349 case TOMOYO_ID_DOMAIN_KEEPER:
350 tomoyo_del_domain_keeper(element);
352 case TOMOYO_ID_AGGREGATOR:
353 tomoyo_del_aggregator(element);
355 case TOMOYO_ID_ALIAS:
356 tomoyo_del_alias(element);
358 case TOMOYO_ID_GLOBALLY_READABLE:
359 tomoyo_del_allow_read(element);
361 case TOMOYO_ID_PATTERN:
362 tomoyo_del_file_pattern(element);
364 case TOMOYO_ID_NO_REWRITE:
365 tomoyo_del_no_rewrite(element);
367 case TOMOYO_ID_MANAGER:
368 tomoyo_del_manager(element);
371 tomoyo_del_name(element);
374 tomoyo_del_acl(element);
376 case TOMOYO_ID_DOMAIN:
377 if (!tomoyo_del_domain(element))
380 case TOMOYO_ID_PATH_GROUP_MEMBER:
381 tomoyo_del_path_group_member(element);
383 case TOMOYO_ID_PATH_GROUP:
384 tomoyo_del_path_group(element);
386 case TOMOYO_ID_NUMBER_GROUP_MEMBER:
387 tomoyo_del_number_group_member(element);
389 case TOMOYO_ID_NUMBER_GROUP:
390 tomoyo_del_number_group(element);
393 tomoyo_memory_free(element);
399 static int tomoyo_gc_thread(void *unused)
401 daemonize("GC for TOMOYO");
402 if (mutex_trylock(&tomoyo_gc_mutex)) {
404 for (i = 0; i < 10; i++) {
405 tomoyo_collect_entry();
406 if (list_empty(&tomoyo_gc_queue))
408 synchronize_srcu(&tomoyo_ss);
409 tomoyo_kfree_entry();
411 mutex_unlock(&tomoyo_gc_mutex);
416 void tomoyo_run_gc(void)
418 struct task_struct *task = kthread_create(tomoyo_gc_thread, NULL,
421 wake_up_process(task);