2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
17 * tomoyo_globally_readable_file_entry is a structure which is used for holding
18 * "allow_read" entries.
19 * It has following fields.
21 * (1) "list" which is linked to tomoyo_globally_readable_list .
22 * (2) "filename" is a pathname which is allowed to open(O_RDONLY).
23 * (3) "is_deleted" is a bool which is true if marked as deleted, false
26 struct tomoyo_globally_readable_file_entry {
27 struct list_head list;
28 const struct tomoyo_path_info *filename;
33 * tomoyo_pattern_entry is a structure which is used for holding
34 * "tomoyo_pattern_list" entries.
35 * It has following fields.
37 * (1) "list" which is linked to tomoyo_pattern_list .
38 * (2) "pattern" is a pathname pattern which is used for converting pathnames
39 * to pathname patterns during learning mode.
40 * (3) "is_deleted" is a bool which is true if marked as deleted, false
43 struct tomoyo_pattern_entry {
44 struct list_head list;
45 const struct tomoyo_path_info *pattern;
50 * tomoyo_no_rewrite_entry is a structure which is used for holding
51 * "deny_rewrite" entries.
52 * It has following fields.
54 * (1) "list" which is linked to tomoyo_no_rewrite_list .
55 * (2) "pattern" is a pathname which is by default not permitted to modify
56 * already existing content.
57 * (3) "is_deleted" is a bool which is true if marked as deleted, false
60 struct tomoyo_no_rewrite_entry {
61 struct list_head list;
62 const struct tomoyo_path_info *pattern;
66 /* Keyword array for single path operations. */
67 static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = {
68 [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write",
69 [TOMOYO_TYPE_EXECUTE_ACL] = "execute",
70 [TOMOYO_TYPE_READ_ACL] = "read",
71 [TOMOYO_TYPE_WRITE_ACL] = "write",
72 [TOMOYO_TYPE_CREATE_ACL] = "create",
73 [TOMOYO_TYPE_UNLINK_ACL] = "unlink",
74 [TOMOYO_TYPE_MKDIR_ACL] = "mkdir",
75 [TOMOYO_TYPE_RMDIR_ACL] = "rmdir",
76 [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo",
77 [TOMOYO_TYPE_MKSOCK_ACL] = "mksock",
78 [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock",
79 [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar",
80 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate",
81 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink",
82 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite",
83 [TOMOYO_TYPE_IOCTL_ACL] = "ioctl",
84 [TOMOYO_TYPE_CHMOD_ACL] = "chmod",
85 [TOMOYO_TYPE_CHOWN_ACL] = "chown",
86 [TOMOYO_TYPE_CHGRP_ACL] = "chgrp",
87 [TOMOYO_TYPE_CHROOT_ACL] = "chroot",
88 [TOMOYO_TYPE_MOUNT_ACL] = "mount",
89 [TOMOYO_TYPE_UMOUNT_ACL] = "unmount",
92 /* Keyword array for double path operations. */
93 static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = {
94 [TOMOYO_TYPE_LINK_ACL] = "link",
95 [TOMOYO_TYPE_RENAME_ACL] = "rename",
96 [TOMOYO_TYPE_PIVOT_ROOT_ACL] = "pivot_root",
100 * tomoyo_sp2keyword - Get the name of single path operation.
102 * @operation: Type of operation.
104 * Returns the name of single path operation.
106 const char *tomoyo_sp2keyword(const u8 operation)
108 return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION)
109 ? tomoyo_sp_keyword[operation] : NULL;
113 * tomoyo_dp2keyword - Get the name of double path operation.
115 * @operation: Type of operation.
117 * Returns the name of double path operation.
119 const char *tomoyo_dp2keyword(const u8 operation)
121 return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION)
122 ? tomoyo_dp_keyword[operation] : NULL;
126 * tomoyo_strendswith - Check whether the token ends with the given token.
128 * @name: The token to check.
129 * @tail: The token to find.
131 * Returns true if @name ends with @tail, false otherwise.
133 static bool tomoyo_strendswith(const char *name, const char *tail)
139 len = strlen(name) - strlen(tail);
140 return len >= 0 && !strcmp(name + len, tail);
144 * tomoyo_get_path - Get realpath.
146 * @path: Pointer to "struct path".
148 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
150 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
153 struct tomoyo_path_info_with_data *buf = kzalloc(sizeof(*buf),
158 /* Reserve one byte for appending "/". */
159 error = tomoyo_realpath_from_path2(path, buf->body,
160 sizeof(buf->body) - 2);
162 buf->head.name = buf->body;
163 tomoyo_fill_path_info(&buf->head);
170 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
171 const char *filename2,
172 struct tomoyo_domain_info *
173 const domain, const bool is_delete);
174 static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
175 struct tomoyo_domain_info *
176 const domain, const bool is_delete);
179 * tomoyo_globally_readable_list is used for holding list of pathnames which
180 * are by default allowed to be open()ed for reading by any process.
182 * An entry is added by
184 * # echo 'allow_read /lib/libc-2.5.so' > \
185 * /sys/kernel/security/tomoyo/exception_policy
189 * # echo 'delete allow_read /lib/libc-2.5.so' > \
190 * /sys/kernel/security/tomoyo/exception_policy
192 * and all entries are retrieved by
194 * # grep ^allow_read /sys/kernel/security/tomoyo/exception_policy
196 * In the example above, any process is allowed to
197 * open("/lib/libc-2.5.so", O_RDONLY).
198 * One exception is, if the domain which current process belongs to is marked
199 * as "ignore_global_allow_read", current process can't do so unless explicitly
200 * given "allow_read /lib/libc-2.5.so" to the domain which current process
203 static LIST_HEAD(tomoyo_globally_readable_list);
206 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
208 * @filename: Filename unconditionally permitted to open() for reading.
209 * @is_delete: True if it is a delete request.
211 * Returns 0 on success, negative value otherwise.
213 * Caller holds tomoyo_read_lock().
215 static int tomoyo_update_globally_readable_entry(const char *filename,
216 const bool is_delete)
218 struct tomoyo_globally_readable_file_entry *entry = NULL;
219 struct tomoyo_globally_readable_file_entry *ptr;
220 const struct tomoyo_path_info *saved_filename;
221 int error = is_delete ? -ENOENT : -ENOMEM;
223 if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__))
225 saved_filename = tomoyo_save_name(filename);
229 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
230 mutex_lock(&tomoyo_policy_lock);
231 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
232 if (ptr->filename != saved_filename)
234 ptr->is_deleted = is_delete;
238 if (!is_delete && error && tomoyo_memory_ok(entry)) {
239 entry->filename = saved_filename;
240 list_add_tail_rcu(&entry->list, &tomoyo_globally_readable_list);
244 mutex_unlock(&tomoyo_policy_lock);
250 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
252 * @filename: The filename to check.
254 * Returns true if any domain can open @filename for reading, false otherwise.
256 * Caller holds tomoyo_read_lock().
258 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
261 struct tomoyo_globally_readable_file_entry *ptr;
264 list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
265 if (!ptr->is_deleted &&
266 tomoyo_path_matches_pattern(filename, ptr->filename)) {
275 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
277 * @data: String to parse.
278 * @is_delete: True if it is a delete request.
280 * Returns 0 on success, negative value otherwise.
282 * Caller holds tomoyo_read_lock().
284 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
286 return tomoyo_update_globally_readable_entry(data, is_delete);
290 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
292 * @head: Pointer to "struct tomoyo_io_buffer".
294 * Returns true on success, false otherwise.
296 * Caller holds tomoyo_read_lock().
298 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
300 struct list_head *pos;
303 list_for_each_cookie(pos, head->read_var2,
304 &tomoyo_globally_readable_list) {
305 struct tomoyo_globally_readable_file_entry *ptr;
306 ptr = list_entry(pos,
307 struct tomoyo_globally_readable_file_entry,
311 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
312 ptr->filename->name);
319 /* tomoyo_pattern_list is used for holding list of pathnames which are used for
320 * converting pathnames to pathname patterns during learning mode.
322 * An entry is added by
324 * # echo 'file_pattern /proc/\$/mounts' > \
325 * /sys/kernel/security/tomoyo/exception_policy
329 * # echo 'delete file_pattern /proc/\$/mounts' > \
330 * /sys/kernel/security/tomoyo/exception_policy
332 * and all entries are retrieved by
334 * # grep ^file_pattern /sys/kernel/security/tomoyo/exception_policy
336 * In the example above, if a process which belongs to a domain which is in
337 * learning mode requested open("/proc/1/mounts", O_RDONLY),
338 * "allow_read /proc/\$/mounts" is automatically added to the domain which that
339 * process belongs to.
341 * It is not a desirable behavior that we have to use /proc/\$/ instead of
342 * /proc/self/ when current process needs to access only current process's
343 * information. As of now, LSM version of TOMOYO is using __d_path() for
344 * calculating pathname. Non LSM version of TOMOYO is using its own function
345 * which pretends as if /proc/self/ is not a symlink; so that we can forbid
346 * current process from accessing other process's information.
348 static LIST_HEAD(tomoyo_pattern_list);
351 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
353 * @pattern: Pathname pattern.
354 * @is_delete: True if it is a delete request.
356 * Returns 0 on success, negative value otherwise.
358 * Caller holds tomoyo_read_lock().
360 static int tomoyo_update_file_pattern_entry(const char *pattern,
361 const bool is_delete)
363 struct tomoyo_pattern_entry *entry = NULL;
364 struct tomoyo_pattern_entry *ptr;
365 const struct tomoyo_path_info *saved_pattern;
366 int error = is_delete ? -ENOENT : -ENOMEM;
368 saved_pattern = tomoyo_save_name(pattern);
371 if (!saved_pattern->is_patterned)
374 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
375 mutex_lock(&tomoyo_policy_lock);
376 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
377 if (saved_pattern != ptr->pattern)
379 ptr->is_deleted = is_delete;
383 if (!is_delete && error && tomoyo_memory_ok(entry)) {
384 entry->pattern = saved_pattern;
385 list_add_tail_rcu(&entry->list, &tomoyo_pattern_list);
389 mutex_unlock(&tomoyo_policy_lock);
396 * tomoyo_get_file_pattern - Get patterned pathname.
398 * @filename: The filename to find patterned pathname.
400 * Returns pointer to pathname pattern if matched, @filename otherwise.
402 * Caller holds tomoyo_read_lock().
404 static const struct tomoyo_path_info *
405 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
407 struct tomoyo_pattern_entry *ptr;
408 const struct tomoyo_path_info *pattern = NULL;
410 list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
413 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
415 pattern = ptr->pattern;
416 if (tomoyo_strendswith(pattern->name, "/\\*")) {
417 /* Do nothing. Try to find the better match. */
419 /* This would be the better match. Use this. */
429 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
431 * @data: String to parse.
432 * @is_delete: True if it is a delete request.
434 * Returns 0 on success, negative value otherwise.
436 * Caller holds tomoyo_read_lock().
438 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
440 return tomoyo_update_file_pattern_entry(data, is_delete);
444 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
446 * @head: Pointer to "struct tomoyo_io_buffer".
448 * Returns true on success, false otherwise.
450 * Caller holds tomoyo_read_lock().
452 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
454 struct list_head *pos;
457 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
458 struct tomoyo_pattern_entry *ptr;
459 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
462 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN
463 "%s\n", ptr->pattern->name);
471 * tomoyo_no_rewrite_list is used for holding list of pathnames which are by
472 * default forbidden to modify already written content of a file.
474 * An entry is added by
476 * # echo 'deny_rewrite /var/log/messages' > \
477 * /sys/kernel/security/tomoyo/exception_policy
481 * # echo 'delete deny_rewrite /var/log/messages' > \
482 * /sys/kernel/security/tomoyo/exception_policy
484 * and all entries are retrieved by
486 * # grep ^deny_rewrite /sys/kernel/security/tomoyo/exception_policy
488 * In the example above, if a process requested to rewrite /var/log/messages ,
489 * the process can't rewrite unless the domain which that process belongs to
490 * has "allow_rewrite /var/log/messages" entry.
492 * It is not a desirable behavior that we have to add "\040(deleted)" suffix
493 * when we want to allow rewriting already unlink()ed file. As of now,
494 * LSM version of TOMOYO is using __d_path() for calculating pathname.
495 * Non LSM version of TOMOYO is using its own function which doesn't append
496 * " (deleted)" suffix if the file is already unlink()ed; so that we don't
497 * need to worry whether the file is already unlink()ed or not.
499 static LIST_HEAD(tomoyo_no_rewrite_list);
502 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
504 * @pattern: Pathname pattern that are not rewritable by default.
505 * @is_delete: True if it is a delete request.
507 * Returns 0 on success, negative value otherwise.
509 * Caller holds tomoyo_read_lock().
511 static int tomoyo_update_no_rewrite_entry(const char *pattern,
512 const bool is_delete)
514 struct tomoyo_no_rewrite_entry *entry = NULL;
515 struct tomoyo_no_rewrite_entry *ptr;
516 const struct tomoyo_path_info *saved_pattern;
517 int error = is_delete ? -ENOENT : -ENOMEM;
519 if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__))
521 saved_pattern = tomoyo_save_name(pattern);
525 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
526 mutex_lock(&tomoyo_policy_lock);
527 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
528 if (ptr->pattern != saved_pattern)
530 ptr->is_deleted = is_delete;
534 if (!is_delete && error && tomoyo_memory_ok(entry)) {
535 entry->pattern = saved_pattern;
536 list_add_tail_rcu(&entry->list, &tomoyo_no_rewrite_list);
540 mutex_unlock(&tomoyo_policy_lock);
546 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
548 * @filename: Filename to check.
550 * Returns true if @filename is specified by "deny_rewrite" directive,
553 * Caller holds tomoyo_read_lock().
555 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
557 struct tomoyo_no_rewrite_entry *ptr;
560 list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
563 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
572 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
574 * @data: String to parse.
575 * @is_delete: True if it is a delete request.
577 * Returns 0 on success, negative value otherwise.
579 * Caller holds tomoyo_read_lock().
581 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
583 return tomoyo_update_no_rewrite_entry(data, is_delete);
587 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
589 * @head: Pointer to "struct tomoyo_io_buffer".
591 * Returns true on success, false otherwise.
593 * Caller holds tomoyo_read_lock().
595 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
597 struct list_head *pos;
600 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
601 struct tomoyo_no_rewrite_entry *ptr;
602 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
605 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE
606 "%s\n", ptr->pattern->name);
614 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
616 * @filename: Filename.
617 * @perm: Permission (between 1 to 7).
618 * @domain: Pointer to "struct tomoyo_domain_info".
619 * @is_delete: True if it is a delete request.
621 * Returns 0 on success, negative value otherwise.
623 * This is legacy support interface for older policy syntax.
624 * Current policy syntax uses "allow_read/write" instead of "6",
625 * "allow_read" instead of "4", "allow_write" instead of "2",
626 * "allow_execute" instead of "1".
628 * Caller holds tomoyo_read_lock().
630 static int tomoyo_update_file_acl(const char *filename, u8 perm,
631 struct tomoyo_domain_info * const domain,
632 const bool is_delete)
634 if (perm > 7 || !perm) {
635 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
636 __func__, perm, filename);
639 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
641 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
642 * directory permissions.
646 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename,
649 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename,
652 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL,
653 filename, domain, is_delete);
658 * tomoyo_check_single_path_acl2 - Check permission for single path operation.
660 * @domain: Pointer to "struct tomoyo_domain_info".
661 * @filename: Filename to check.
663 * @may_use_pattern: True if patterned ACL is permitted.
665 * Returns 0 on success, -EPERM otherwise.
667 * Caller holds tomoyo_read_lock().
669 static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
671 const struct tomoyo_path_info *
674 const bool may_use_pattern)
676 struct tomoyo_acl_info *ptr;
679 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
680 struct tomoyo_single_path_acl_record *acl;
681 if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL)
683 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
685 if (perm <= 0xFFFF) {
686 if (!(acl->perm & perm))
689 if (!(acl->perm_high & (perm >> 16)))
692 if (may_use_pattern || !acl->filename->is_patterned) {
693 if (!tomoyo_path_matches_pattern(filename,
706 * tomoyo_check_file_acl - Check permission for opening files.
708 * @domain: Pointer to "struct tomoyo_domain_info".
709 * @filename: Filename to check.
710 * @operation: Mode ("read" or "write" or "read/write" or "execute").
712 * Returns 0 on success, -EPERM otherwise.
714 * Caller holds tomoyo_read_lock().
716 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
717 const struct tomoyo_path_info *filename,
722 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
725 perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL;
726 else if (operation == 4)
727 perm = 1 << TOMOYO_TYPE_READ_ACL;
728 else if (operation == 2)
729 perm = 1 << TOMOYO_TYPE_WRITE_ACL;
730 else if (operation == 1)
731 perm = 1 << TOMOYO_TYPE_EXECUTE_ACL;
734 return tomoyo_check_single_path_acl2(domain, filename, perm,
739 * tomoyo_check_file_perm2 - Check permission for opening files.
741 * @domain: Pointer to "struct tomoyo_domain_info".
742 * @filename: Filename to check.
743 * @perm: Mode ("read" or "write" or "read/write" or "execute").
744 * @operation: Operation name passed used for verbose mode.
745 * @mode: Access control mode.
747 * Returns 0 on success, negative value otherwise.
749 * Caller holds tomoyo_read_lock().
751 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
752 const struct tomoyo_path_info *filename,
753 const u8 perm, const char *operation,
756 const bool is_enforce = (mode == 3);
757 const char *msg = "<unknown>";
762 error = tomoyo_check_file_acl(domain, filename, perm);
763 if (error && perm == 4 && !domain->ignore_global_allow_read
764 && tomoyo_is_globally_readable_file(filename))
767 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL);
769 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL);
771 msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL);
773 msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL);
778 if (tomoyo_verbose_mode(domain))
779 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied "
780 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation,
781 filename->name, tomoyo_get_last_name(domain));
784 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
785 /* Don't use patterns for execute permission. */
786 const struct tomoyo_path_info *patterned_file = (perm != 1) ?
787 tomoyo_get_file_pattern(filename) : filename;
788 tomoyo_update_file_acl(patterned_file->name, perm,
795 * tomoyo_write_file_policy - Update file related list.
797 * @data: String to parse.
798 * @domain: Pointer to "struct tomoyo_domain_info".
799 * @is_delete: True if it is a delete request.
801 * Returns 0 on success, negative value otherwise.
803 * Caller holds tomoyo_read_lock().
805 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
806 const bool is_delete)
808 char *filename = strchr(data, ' ');
816 if (sscanf(data, "%u", &perm) == 1)
817 return tomoyo_update_file_acl(filename, (u8) perm, domain,
819 if (strncmp(data, "allow_", 6))
822 for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) {
823 if (strcmp(data, tomoyo_sp_keyword[type]))
825 return tomoyo_update_single_path_acl(type, filename,
828 filename2 = strchr(filename, ' ');
832 for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) {
833 if (strcmp(data, tomoyo_dp_keyword[type]))
835 return tomoyo_update_double_path_acl(type, filename, filename2,
843 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
845 * @type: Type of operation.
846 * @filename: Filename.
847 * @domain: Pointer to "struct tomoyo_domain_info".
848 * @is_delete: True if it is a delete request.
850 * Returns 0 on success, negative value otherwise.
852 * Caller holds tomoyo_read_lock().
854 static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
855 struct tomoyo_domain_info *
856 const domain, const bool is_delete)
858 static const u32 rw_mask =
859 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL);
860 const struct tomoyo_path_info *saved_filename;
861 struct tomoyo_acl_info *ptr;
862 struct tomoyo_single_path_acl_record *entry = NULL;
863 int error = is_delete ? -ENOENT : -ENOMEM;
864 const u32 perm = 1 << type;
868 if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__))
870 saved_filename = tomoyo_save_name(filename);
874 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
875 mutex_lock(&tomoyo_policy_lock);
876 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
877 struct tomoyo_single_path_acl_record *acl =
878 container_of(ptr, struct tomoyo_single_path_acl_record,
880 if (ptr->type != TOMOYO_TYPE_SINGLE_PATH_ACL)
882 if (acl->filename != saved_filename)
888 acl->perm_high &= ~(perm >> 16);
889 if ((acl->perm & rw_mask) != rw_mask)
890 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL);
891 else if (!(acl->perm &
892 (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
893 acl->perm &= ~rw_mask;
898 acl->perm_high |= (perm >> 16);
899 if ((acl->perm & rw_mask) == rw_mask)
900 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL;
901 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
902 acl->perm |= rw_mask;
907 if (!is_delete && error && tomoyo_memory_ok(entry)) {
908 entry->head.type = TOMOYO_TYPE_SINGLE_PATH_ACL;
912 entry->perm_high = (perm >> 16);
913 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL))
914 entry->perm |= rw_mask;
915 entry->filename = saved_filename;
916 list_add_tail_rcu(&entry->head.list, &domain->acl_info_list);
920 mutex_unlock(&tomoyo_policy_lock);
926 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
928 * @type: Type of operation.
929 * @filename1: First filename.
930 * @filename2: Second filename.
931 * @domain: Pointer to "struct tomoyo_domain_info".
932 * @is_delete: True if it is a delete request.
934 * Returns 0 on success, negative value otherwise.
936 * Caller holds tomoyo_read_lock().
938 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
939 const char *filename2,
940 struct tomoyo_domain_info *
941 const domain, const bool is_delete)
943 const struct tomoyo_path_info *saved_filename1;
944 const struct tomoyo_path_info *saved_filename2;
945 struct tomoyo_acl_info *ptr;
946 struct tomoyo_double_path_acl_record *entry = NULL;
947 int error = is_delete ? -ENOENT : -ENOMEM;
948 const u8 perm = 1 << type;
952 if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) ||
953 !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__))
955 saved_filename1 = tomoyo_save_name(filename1);
956 saved_filename2 = tomoyo_save_name(filename2);
957 if (!saved_filename1 || !saved_filename2)
960 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
961 mutex_lock(&tomoyo_policy_lock);
962 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
963 struct tomoyo_double_path_acl_record *acl =
964 container_of(ptr, struct tomoyo_double_path_acl_record,
966 if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL)
968 if (acl->filename1 != saved_filename1 ||
969 acl->filename2 != saved_filename2)
978 if (!is_delete && error && tomoyo_memory_ok(entry)) {
979 entry->head.type = TOMOYO_TYPE_DOUBLE_PATH_ACL;
981 entry->filename1 = saved_filename1;
982 entry->filename2 = saved_filename2;
983 list_add_tail_rcu(&entry->head.list, &domain->acl_info_list);
987 mutex_unlock(&tomoyo_policy_lock);
994 * tomoyo_check_single_path_acl - Check permission for single path operation.
996 * @domain: Pointer to "struct tomoyo_domain_info".
997 * @type: Type of operation.
998 * @filename: Filename to check.
1000 * Returns 0 on success, negative value otherwise.
1002 * Caller holds tomoyo_read_lock().
1004 static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
1006 const struct tomoyo_path_info *filename)
1008 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1010 return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1);
1014 * tomoyo_check_double_path_acl - Check permission for double path operation.
1016 * @domain: Pointer to "struct tomoyo_domain_info".
1017 * @type: Type of operation.
1018 * @filename1: First filename to check.
1019 * @filename2: Second filename to check.
1021 * Returns 0 on success, -EPERM otherwise.
1023 * Caller holds tomoyo_read_lock().
1025 static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
1027 const struct tomoyo_path_info *
1029 const struct tomoyo_path_info *
1032 struct tomoyo_acl_info *ptr;
1033 const u8 perm = 1 << type;
1036 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
1038 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1039 struct tomoyo_double_path_acl_record *acl;
1040 if (ptr->type != TOMOYO_TYPE_DOUBLE_PATH_ACL)
1042 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
1044 if (!(acl->perm & perm))
1046 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
1048 if (!tomoyo_path_matches_pattern(filename2, acl->filename2))
1057 * tomoyo_check_single_path_permission2 - Check permission for single path operation.
1059 * @domain: Pointer to "struct tomoyo_domain_info".
1060 * @operation: Type of operation.
1061 * @filename: Filename to check.
1062 * @mode: Access control mode.
1064 * Returns 0 on success, negative value otherwise.
1066 * Caller holds tomoyo_read_lock().
1068 static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
1069 const domain, u8 operation,
1070 const struct tomoyo_path_info *
1071 filename, const u8 mode)
1075 const bool is_enforce = (mode == 3);
1080 error = tomoyo_check_single_path_acl(domain, operation, filename);
1081 msg = tomoyo_sp2keyword(operation);
1084 if (tomoyo_verbose_mode(domain))
1085 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n",
1086 tomoyo_get_msg(is_enforce), msg, filename->name,
1087 tomoyo_get_last_name(domain));
1088 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1089 const char *name = tomoyo_get_file_pattern(filename)->name;
1090 tomoyo_update_single_path_acl(operation, name, domain, false);
1096 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
1097 * we need to check "allow_rewrite" permission if the filename is
1098 * specified by "deny_rewrite" keyword.
1100 if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL &&
1101 tomoyo_is_no_rewrite_file(filename)) {
1102 operation = TOMOYO_TYPE_REWRITE_ACL;
1109 * tomoyo_check_exec_perm - Check permission for "execute".
1111 * @domain: Pointer to "struct tomoyo_domain_info".
1112 * @filename: Check permission for "execute".
1114 * Returns 0 on success, negativevalue otherwise.
1116 * Caller holds tomoyo_read_lock().
1118 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1119 const struct tomoyo_path_info *filename)
1121 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1125 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode);
1129 * tomoyo_check_open_permission - Check permission for "read" and "write".
1131 * @domain: Pointer to "struct tomoyo_domain_info".
1132 * @path: Pointer to "struct path".
1133 * @flag: Flags for open().
1135 * Returns 0 on success, negative value otherwise.
1137 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1138 struct path *path, const int flag)
1140 const u8 acc_mode = ACC_MODE(flag);
1141 int error = -ENOMEM;
1142 struct tomoyo_path_info *buf;
1143 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1144 const bool is_enforce = (mode == 3);
1147 if (!mode || !path->mnt)
1151 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1153 * I don't check directories here because mkdir() and rmdir()
1157 idx = tomoyo_read_lock();
1158 buf = tomoyo_get_path(path);
1163 * If the filename is specified by "deny_rewrite" keyword,
1164 * we need to check "allow_rewrite" permission when the filename is not
1165 * opened for append mode or the filename is truncated at open time.
1167 if ((acc_mode & MAY_WRITE) &&
1168 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1169 (tomoyo_is_no_rewrite_file(buf))) {
1170 error = tomoyo_check_single_path_permission2(domain,
1171 TOMOYO_TYPE_REWRITE_ACL,
1175 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1177 if (!error && (flag & O_TRUNC))
1178 error = tomoyo_check_single_path_permission2(domain,
1179 TOMOYO_TYPE_TRUNCATE_ACL,
1183 tomoyo_read_unlock(idx);
1190 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate", "symlink", "ioctl", "chmod", "chown", "chgrp", "chroot", "mount" and "unmount".
1192 * @domain: Pointer to "struct tomoyo_domain_info".
1193 * @operation: Type of operation.
1194 * @path: Pointer to "struct path".
1196 * Returns 0 on success, negative value otherwise.
1198 int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1199 const u8 operation, struct path *path)
1201 int error = -ENOMEM;
1202 struct tomoyo_path_info *buf;
1203 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1204 const bool is_enforce = (mode == 3);
1207 if (!mode || !path->mnt)
1209 idx = tomoyo_read_lock();
1210 buf = tomoyo_get_path(path);
1213 switch (operation) {
1214 case TOMOYO_TYPE_MKDIR_ACL:
1215 case TOMOYO_TYPE_RMDIR_ACL:
1216 case TOMOYO_TYPE_CHROOT_ACL:
1219 * tomoyo_get_path() reserves space for appending "/."
1221 strcat((char *) buf->name, "/");
1222 tomoyo_fill_path_info(buf);
1225 error = tomoyo_check_single_path_permission2(domain, operation, buf,
1229 tomoyo_read_unlock(idx);
1236 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1238 * @domain: Pointer to "struct tomoyo_domain_info".
1239 * @filp: Pointer to "struct file".
1241 * Returns 0 on success, negative value otherwise.
1243 int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1246 int error = -ENOMEM;
1247 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1248 const bool is_enforce = (mode == 3);
1249 struct tomoyo_path_info *buf;
1252 if (!mode || !filp->f_path.mnt)
1255 idx = tomoyo_read_lock();
1256 buf = tomoyo_get_path(&filp->f_path);
1259 if (!tomoyo_is_no_rewrite_file(buf)) {
1263 error = tomoyo_check_single_path_permission2(domain,
1264 TOMOYO_TYPE_REWRITE_ACL,
1268 tomoyo_read_unlock(idx);
1275 * tomoyo_check_2path_perm - Check permission for "rename", "link" and "pivot_root".
1277 * @domain: Pointer to "struct tomoyo_domain_info".
1278 * @operation: Type of operation.
1279 * @path1: Pointer to "struct path".
1280 * @path2: Pointer to "struct path".
1282 * Returns 0 on success, negative value otherwise.
1284 int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
1285 const u8 operation, struct path *path1,
1288 int error = -ENOMEM;
1289 struct tomoyo_path_info *buf1, *buf2;
1290 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1291 const bool is_enforce = (mode == 3);
1295 if (!mode || !path1->mnt || !path2->mnt)
1297 idx = tomoyo_read_lock();
1298 buf1 = tomoyo_get_path(path1);
1299 buf2 = tomoyo_get_path(path2);
1303 struct dentry *dentry = path1->dentry;
1304 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1306 * tomoyo_get_path() reserves space for appending "/."
1308 if (!buf1->is_dir) {
1309 strcat((char *) buf1->name, "/");
1310 tomoyo_fill_path_info(buf1);
1312 if (!buf2->is_dir) {
1313 strcat((char *) buf2->name, "/");
1314 tomoyo_fill_path_info(buf2);
1318 error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2);
1319 msg = tomoyo_dp2keyword(operation);
1322 if (tomoyo_verbose_mode(domain))
1323 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' "
1324 "denied for %s\n", tomoyo_get_msg(is_enforce),
1325 msg, buf1->name, buf2->name,
1326 tomoyo_get_last_name(domain));
1327 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1328 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1329 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1330 tomoyo_update_double_path_acl(operation, name1, name2, domain,
1336 tomoyo_read_unlock(idx);