1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * security/tomoyo/common.h 4 * 5 * Header file for TOMOYO. 6 * 7 * Copyright (C) 2005-2011 NTT DATA CORPORATION 8 */ 9 10 #ifndef _SECURITY_TOMOYO_COMMON_H 11 #define _SECURITY_TOMOYO_COMMON_H 12 13 #define pr_fmt(fmt) fmt 14 15 #include <linux/ctype.h> 16 #include <linux/string.h> 17 #include <linux/mm.h> 18 #include <linux/file.h> 19 #include <linux/kmod.h> 20 #include <linux/fs.h> 21 #include <linux/sched.h> 22 #include <linux/namei.h> 23 #include <linux/mount.h> 24 #include <linux/list.h> 25 #include <linux/cred.h> 26 #include <linux/poll.h> 27 #include <linux/binfmts.h> 28 #include <linux/highmem.h> 29 #include <linux/net.h> 30 #include <linux/inet.h> 31 #include <linux/in.h> 32 #include <linux/in6.h> 33 #include <linux/un.h> 34 #include <linux/lsm_hooks.h> 35 #include <net/sock.h> 36 #include <net/af_unix.h> 37 #include <net/ip.h> 38 #include <net/ipv6.h> 39 #include <net/udp.h> 40 41 /********** Constants definitions. **********/ 42 43 /* 44 * TOMOYO uses this hash only when appending a string into the string 45 * table. Frequency of appending strings is very low. So we don't need 46 * large (e.g. 64k) hash size. 256 will be sufficient. 47 */ 48 #define TOMOYO_HASH_BITS 8 49 #define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS) 50 51 /* 52 * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET. 53 * Therefore, we don't need SOCK_MAX. 54 */ 55 #define TOMOYO_SOCK_MAX 6 56 57 #define TOMOYO_EXEC_TMPSIZE 4096 58 59 /* Garbage collector is trying to kfree() this element. */ 60 #define TOMOYO_GC_IN_PROGRESS -1 61 62 /* Profile number is an integer between 0 and 255. */ 63 #define TOMOYO_MAX_PROFILES 256 64 65 /* Group number is an integer between 0 and 255. */ 66 #define TOMOYO_MAX_ACL_GROUPS 256 67 68 /* Index numbers for "struct tomoyo_condition". */ 69 enum tomoyo_conditions_index { 70 TOMOYO_TASK_UID, /* current_uid() */ 71 TOMOYO_TASK_EUID, /* current_euid() */ 72 TOMOYO_TASK_SUID, /* current_suid() */ 73 TOMOYO_TASK_FSUID, /* current_fsuid() */ 74 TOMOYO_TASK_GID, /* current_gid() */ 75 TOMOYO_TASK_EGID, /* current_egid() */ 76 TOMOYO_TASK_SGID, /* current_sgid() */ 77 TOMOYO_TASK_FSGID, /* current_fsgid() */ 78 TOMOYO_TASK_PID, /* sys_getpid() */ 79 TOMOYO_TASK_PPID, /* sys_getppid() */ 80 TOMOYO_EXEC_ARGC, /* "struct linux_binprm *"->argc */ 81 TOMOYO_EXEC_ENVC, /* "struct linux_binprm *"->envc */ 82 TOMOYO_TYPE_IS_SOCKET, /* S_IFSOCK */ 83 TOMOYO_TYPE_IS_SYMLINK, /* S_IFLNK */ 84 TOMOYO_TYPE_IS_FILE, /* S_IFREG */ 85 TOMOYO_TYPE_IS_BLOCK_DEV, /* S_IFBLK */ 86 TOMOYO_TYPE_IS_DIRECTORY, /* S_IFDIR */ 87 TOMOYO_TYPE_IS_CHAR_DEV, /* S_IFCHR */ 88 TOMOYO_TYPE_IS_FIFO, /* S_IFIFO */ 89 TOMOYO_MODE_SETUID, /* S_ISUID */ 90 TOMOYO_MODE_SETGID, /* S_ISGID */ 91 TOMOYO_MODE_STICKY, /* S_ISVTX */ 92 TOMOYO_MODE_OWNER_READ, /* S_IRUSR */ 93 TOMOYO_MODE_OWNER_WRITE, /* S_IWUSR */ 94 TOMOYO_MODE_OWNER_EXECUTE, /* S_IXUSR */ 95 TOMOYO_MODE_GROUP_READ, /* S_IRGRP */ 96 TOMOYO_MODE_GROUP_WRITE, /* S_IWGRP */ 97 TOMOYO_MODE_GROUP_EXECUTE, /* S_IXGRP */ 98 TOMOYO_MODE_OTHERS_READ, /* S_IROTH */ 99 TOMOYO_MODE_OTHERS_WRITE, /* S_IWOTH */ 100 TOMOYO_MODE_OTHERS_EXECUTE, /* S_IXOTH */ 101 TOMOYO_EXEC_REALPATH, 102 TOMOYO_SYMLINK_TARGET, 103 TOMOYO_PATH1_UID, 104 TOMOYO_PATH1_GID, 105 TOMOYO_PATH1_INO, 106 TOMOYO_PATH1_MAJOR, 107 TOMOYO_PATH1_MINOR, 108 TOMOYO_PATH1_PERM, 109 TOMOYO_PATH1_TYPE, 110 TOMOYO_PATH1_DEV_MAJOR, 111 TOMOYO_PATH1_DEV_MINOR, 112 TOMOYO_PATH2_UID, 113 TOMOYO_PATH2_GID, 114 TOMOYO_PATH2_INO, 115 TOMOYO_PATH2_MAJOR, 116 TOMOYO_PATH2_MINOR, 117 TOMOYO_PATH2_PERM, 118 TOMOYO_PATH2_TYPE, 119 TOMOYO_PATH2_DEV_MAJOR, 120 TOMOYO_PATH2_DEV_MINOR, 121 TOMOYO_PATH1_PARENT_UID, 122 TOMOYO_PATH1_PARENT_GID, 123 TOMOYO_PATH1_PARENT_INO, 124 TOMOYO_PATH1_PARENT_PERM, 125 TOMOYO_PATH2_PARENT_UID, 126 TOMOYO_PATH2_PARENT_GID, 127 TOMOYO_PATH2_PARENT_INO, 128 TOMOYO_PATH2_PARENT_PERM, 129 TOMOYO_MAX_CONDITION_KEYWORD, 130 TOMOYO_NUMBER_UNION, 131 TOMOYO_NAME_UNION, 132 TOMOYO_ARGV_ENTRY, 133 TOMOYO_ENVP_ENTRY, 134 }; 135 136 137 /* Index numbers for stat(). */ 138 enum tomoyo_path_stat_index { 139 /* Do not change this order. */ 140 TOMOYO_PATH1, 141 TOMOYO_PATH1_PARENT, 142 TOMOYO_PATH2, 143 TOMOYO_PATH2_PARENT, 144 TOMOYO_MAX_PATH_STAT 145 }; 146 147 /* Index numbers for operation mode. */ 148 enum tomoyo_mode_index { 149 TOMOYO_CONFIG_DISABLED, 150 TOMOYO_CONFIG_LEARNING, 151 TOMOYO_CONFIG_PERMISSIVE, 152 TOMOYO_CONFIG_ENFORCING, 153 TOMOYO_CONFIG_MAX_MODE, 154 TOMOYO_CONFIG_WANT_REJECT_LOG = 64, 155 TOMOYO_CONFIG_WANT_GRANT_LOG = 128, 156 TOMOYO_CONFIG_USE_DEFAULT = 255, 157 }; 158 159 /* Index numbers for entry type. */ 160 enum tomoyo_policy_id { 161 TOMOYO_ID_GROUP, 162 TOMOYO_ID_ADDRESS_GROUP, 163 TOMOYO_ID_PATH_GROUP, 164 TOMOYO_ID_NUMBER_GROUP, 165 TOMOYO_ID_TRANSITION_CONTROL, 166 TOMOYO_ID_AGGREGATOR, 167 TOMOYO_ID_MANAGER, 168 TOMOYO_ID_CONDITION, 169 TOMOYO_ID_NAME, 170 TOMOYO_ID_ACL, 171 TOMOYO_ID_DOMAIN, 172 TOMOYO_MAX_POLICY 173 }; 174 175 /* Index numbers for domain's attributes. */ 176 enum tomoyo_domain_info_flags_index { 177 /* Quota warnning flag. */ 178 TOMOYO_DIF_QUOTA_WARNED, 179 /* 180 * This domain was unable to create a new domain at 181 * tomoyo_find_next_domain() because the name of the domain to be 182 * created was too long or it could not allocate memory. 183 * More than one process continued execve() without domain transition. 184 */ 185 TOMOYO_DIF_TRANSITION_FAILED, 186 TOMOYO_MAX_DOMAIN_INFO_FLAGS 187 }; 188 189 /* Index numbers for audit type. */ 190 enum tomoyo_grant_log { 191 /* Follow profile's configuration. */ 192 TOMOYO_GRANTLOG_AUTO, 193 /* Do not generate grant log. */ 194 TOMOYO_GRANTLOG_NO, 195 /* Generate grant_log. */ 196 TOMOYO_GRANTLOG_YES, 197 }; 198 199 /* Index numbers for group entries. */ 200 enum tomoyo_group_id { 201 TOMOYO_PATH_GROUP, 202 TOMOYO_NUMBER_GROUP, 203 TOMOYO_ADDRESS_GROUP, 204 TOMOYO_MAX_GROUP 205 }; 206 207 /* Index numbers for type of numeric values. */ 208 enum tomoyo_value_type { 209 TOMOYO_VALUE_TYPE_INVALID, 210 TOMOYO_VALUE_TYPE_DECIMAL, 211 TOMOYO_VALUE_TYPE_OCTAL, 212 TOMOYO_VALUE_TYPE_HEXADECIMAL, 213 }; 214 215 /* Index numbers for domain transition control keywords. */ 216 enum tomoyo_transition_type { 217 /* Do not change this order, */ 218 TOMOYO_TRANSITION_CONTROL_NO_RESET, 219 TOMOYO_TRANSITION_CONTROL_RESET, 220 TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE, 221 TOMOYO_TRANSITION_CONTROL_INITIALIZE, 222 TOMOYO_TRANSITION_CONTROL_NO_KEEP, 223 TOMOYO_TRANSITION_CONTROL_KEEP, 224 TOMOYO_MAX_TRANSITION_TYPE 225 }; 226 227 /* Index numbers for Access Controls. */ 228 enum tomoyo_acl_entry_type_index { 229 TOMOYO_TYPE_PATH_ACL, 230 TOMOYO_TYPE_PATH2_ACL, 231 TOMOYO_TYPE_PATH_NUMBER_ACL, 232 TOMOYO_TYPE_MKDEV_ACL, 233 TOMOYO_TYPE_MOUNT_ACL, 234 TOMOYO_TYPE_INET_ACL, 235 TOMOYO_TYPE_UNIX_ACL, 236 TOMOYO_TYPE_ENV_ACL, 237 TOMOYO_TYPE_MANUAL_TASK_ACL, 238 }; 239 240 /* Index numbers for access controls with one pathname. */ 241 enum tomoyo_path_acl_index { 242 TOMOYO_TYPE_EXECUTE, 243 TOMOYO_TYPE_READ, 244 TOMOYO_TYPE_WRITE, 245 TOMOYO_TYPE_APPEND, 246 TOMOYO_TYPE_UNLINK, 247 TOMOYO_TYPE_GETATTR, 248 TOMOYO_TYPE_RMDIR, 249 TOMOYO_TYPE_TRUNCATE, 250 TOMOYO_TYPE_SYMLINK, 251 TOMOYO_TYPE_CHROOT, 252 TOMOYO_TYPE_UMOUNT, 253 TOMOYO_MAX_PATH_OPERATION 254 }; 255 256 /* Index numbers for /sys/kernel/security/tomoyo/stat interface. */ 257 enum tomoyo_memory_stat_type { 258 TOMOYO_MEMORY_POLICY, 259 TOMOYO_MEMORY_AUDIT, 260 TOMOYO_MEMORY_QUERY, 261 TOMOYO_MAX_MEMORY_STAT 262 }; 263 264 enum tomoyo_mkdev_acl_index { 265 TOMOYO_TYPE_MKBLOCK, 266 TOMOYO_TYPE_MKCHAR, 267 TOMOYO_MAX_MKDEV_OPERATION 268 }; 269 270 /* Index numbers for socket operations. */ 271 enum tomoyo_network_acl_index { 272 TOMOYO_NETWORK_BIND, /* bind() operation. */ 273 TOMOYO_NETWORK_LISTEN, /* listen() operation. */ 274 TOMOYO_NETWORK_CONNECT, /* connect() operation. */ 275 TOMOYO_NETWORK_SEND, /* send() operation. */ 276 TOMOYO_MAX_NETWORK_OPERATION 277 }; 278 279 /* Index numbers for access controls with two pathnames. */ 280 enum tomoyo_path2_acl_index { 281 TOMOYO_TYPE_LINK, 282 TOMOYO_TYPE_RENAME, 283 TOMOYO_TYPE_PIVOT_ROOT, 284 TOMOYO_MAX_PATH2_OPERATION 285 }; 286 287 /* Index numbers for access controls with one pathname and one number. */ 288 enum tomoyo_path_number_acl_index { 289 TOMOYO_TYPE_CREATE, 290 TOMOYO_TYPE_MKDIR, 291 TOMOYO_TYPE_MKFIFO, 292 TOMOYO_TYPE_MKSOCK, 293 TOMOYO_TYPE_IOCTL, 294 TOMOYO_TYPE_CHMOD, 295 TOMOYO_TYPE_CHOWN, 296 TOMOYO_TYPE_CHGRP, 297 TOMOYO_MAX_PATH_NUMBER_OPERATION 298 }; 299 300 /* Index numbers for /sys/kernel/security/tomoyo/ interfaces. */ 301 enum tomoyo_securityfs_interface_index { 302 TOMOYO_DOMAINPOLICY, 303 TOMOYO_EXCEPTIONPOLICY, 304 TOMOYO_PROCESS_STATUS, 305 TOMOYO_STAT, 306 TOMOYO_AUDIT, 307 TOMOYO_VERSION, 308 TOMOYO_PROFILE, 309 TOMOYO_QUERY, 310 TOMOYO_MANAGER 311 }; 312 313 /* Index numbers for special mount operations. */ 314 enum tomoyo_special_mount { 315 TOMOYO_MOUNT_BIND, /* mount --bind /source /dest */ 316 TOMOYO_MOUNT_MOVE, /* mount --move /old /new */ 317 TOMOYO_MOUNT_REMOUNT, /* mount -o remount /dir */ 318 TOMOYO_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */ 319 TOMOYO_MOUNT_MAKE_PRIVATE, /* mount --make-private /dir */ 320 TOMOYO_MOUNT_MAKE_SLAVE, /* mount --make-slave /dir */ 321 TOMOYO_MOUNT_MAKE_SHARED, /* mount --make-shared /dir */ 322 TOMOYO_MAX_SPECIAL_MOUNT 323 }; 324 325 /* Index numbers for functionality. */ 326 enum tomoyo_mac_index { 327 TOMOYO_MAC_FILE_EXECUTE, 328 TOMOYO_MAC_FILE_OPEN, 329 TOMOYO_MAC_FILE_CREATE, 330 TOMOYO_MAC_FILE_UNLINK, 331 TOMOYO_MAC_FILE_GETATTR, 332 TOMOYO_MAC_FILE_MKDIR, 333 TOMOYO_MAC_FILE_RMDIR, 334 TOMOYO_MAC_FILE_MKFIFO, 335 TOMOYO_MAC_FILE_MKSOCK, 336 TOMOYO_MAC_FILE_TRUNCATE, 337 TOMOYO_MAC_FILE_SYMLINK, 338 TOMOYO_MAC_FILE_MKBLOCK, 339 TOMOYO_MAC_FILE_MKCHAR, 340 TOMOYO_MAC_FILE_LINK, 341 TOMOYO_MAC_FILE_RENAME, 342 TOMOYO_MAC_FILE_CHMOD, 343 TOMOYO_MAC_FILE_CHOWN, 344 TOMOYO_MAC_FILE_CHGRP, 345 TOMOYO_MAC_FILE_IOCTL, 346 TOMOYO_MAC_FILE_CHROOT, 347 TOMOYO_MAC_FILE_MOUNT, 348 TOMOYO_MAC_FILE_UMOUNT, 349 TOMOYO_MAC_FILE_PIVOT_ROOT, 350 TOMOYO_MAC_NETWORK_INET_STREAM_BIND, 351 TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN, 352 TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT, 353 TOMOYO_MAC_NETWORK_INET_DGRAM_BIND, 354 TOMOYO_MAC_NETWORK_INET_DGRAM_SEND, 355 TOMOYO_MAC_NETWORK_INET_RAW_BIND, 356 TOMOYO_MAC_NETWORK_INET_RAW_SEND, 357 TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND, 358 TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN, 359 TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT, 360 TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND, 361 TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND, 362 TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND, 363 TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN, 364 TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT, 365 TOMOYO_MAC_ENVIRON, 366 TOMOYO_MAX_MAC_INDEX 367 }; 368 369 /* Index numbers for category of functionality. */ 370 enum tomoyo_mac_category_index { 371 TOMOYO_MAC_CATEGORY_FILE, 372 TOMOYO_MAC_CATEGORY_NETWORK, 373 TOMOYO_MAC_CATEGORY_MISC, 374 TOMOYO_MAX_MAC_CATEGORY_INDEX 375 }; 376 377 /* 378 * Retry this request. Returned by tomoyo_supervisor() if policy violation has 379 * occurred in enforcing mode and the userspace daemon decided to retry. 380 * 381 * We must choose a positive value in order to distinguish "granted" (which is 382 * 0) and "rejected" (which is a negative value) and "retry". 383 */ 384 #define TOMOYO_RETRY_REQUEST 1 385 386 /* Index numbers for /sys/kernel/security/tomoyo/stat interface. */ 387 enum tomoyo_policy_stat_type { 388 /* Do not change this order. */ 389 TOMOYO_STAT_POLICY_UPDATES, 390 TOMOYO_STAT_POLICY_LEARNING, /* == TOMOYO_CONFIG_LEARNING */ 391 TOMOYO_STAT_POLICY_PERMISSIVE, /* == TOMOYO_CONFIG_PERMISSIVE */ 392 TOMOYO_STAT_POLICY_ENFORCING, /* == TOMOYO_CONFIG_ENFORCING */ 393 TOMOYO_MAX_POLICY_STAT 394 }; 395 396 /* Index numbers for profile's PREFERENCE values. */ 397 enum tomoyo_pref_index { 398 TOMOYO_PREF_MAX_AUDIT_LOG, 399 TOMOYO_PREF_MAX_LEARNING_ENTRY, 400 TOMOYO_MAX_PREF 401 }; 402 403 /********** Structure definitions. **********/ 404 405 /* Common header for holding ACL entries. */ 406 struct tomoyo_acl_head { 407 struct list_head list; 408 s8 is_deleted; /* true or false or TOMOYO_GC_IN_PROGRESS */ 409 } __packed; 410 411 /* Common header for shared entries. */ 412 struct tomoyo_shared_acl_head { 413 struct list_head list; 414 atomic_t users; 415 } __packed; 416 417 struct tomoyo_policy_namespace; 418 419 /* Structure for request info. */ 420 struct tomoyo_request_info { 421 /* 422 * For holding parameters specific to operations which deal files. 423 * NULL if not dealing files. 424 */ 425 struct tomoyo_obj_info *obj; 426 /* 427 * For holding parameters specific to execve() request. 428 * NULL if not dealing execve(). 429 */ 430 struct tomoyo_execve *ee; 431 struct tomoyo_domain_info *domain; 432 /* For holding parameters. */ 433 union { 434 struct { 435 const struct tomoyo_path_info *filename; 436 /* For using wildcards at tomoyo_find_next_domain(). */ 437 const struct tomoyo_path_info *matched_path; 438 /* One of values in "enum tomoyo_path_acl_index". */ 439 u8 operation; 440 } path; 441 struct { 442 const struct tomoyo_path_info *filename1; 443 const struct tomoyo_path_info *filename2; 444 /* One of values in "enum tomoyo_path2_acl_index". */ 445 u8 operation; 446 } path2; 447 struct { 448 const struct tomoyo_path_info *filename; 449 unsigned int mode; 450 unsigned int major; 451 unsigned int minor; 452 /* One of values in "enum tomoyo_mkdev_acl_index". */ 453 u8 operation; 454 } mkdev; 455 struct { 456 const struct tomoyo_path_info *filename; 457 unsigned long number; 458 /* 459 * One of values in 460 * "enum tomoyo_path_number_acl_index". 461 */ 462 u8 operation; 463 } path_number; 464 struct { 465 const struct tomoyo_path_info *name; 466 } environ; 467 struct { 468 const __be32 *address; 469 u16 port; 470 /* One of values smaller than TOMOYO_SOCK_MAX. */ 471 u8 protocol; 472 /* One of values in "enum tomoyo_network_acl_index". */ 473 u8 operation; 474 bool is_ipv6; 475 } inet_network; 476 struct { 477 const struct tomoyo_path_info *address; 478 /* One of values smaller than TOMOYO_SOCK_MAX. */ 479 u8 protocol; 480 /* One of values in "enum tomoyo_network_acl_index". */ 481 u8 operation; 482 } unix_network; 483 struct { 484 const struct tomoyo_path_info *type; 485 const struct tomoyo_path_info *dir; 486 const struct tomoyo_path_info *dev; 487 unsigned long flags; 488 int need_dev; 489 } mount; 490 struct { 491 const struct tomoyo_path_info *domainname; 492 } task; 493 } param; 494 struct tomoyo_acl_info *matched_acl; 495 u8 param_type; 496 bool granted; 497 u8 retry; 498 u8 profile; 499 u8 mode; /* One of tomoyo_mode_index . */ 500 u8 type; 501 }; 502 503 /* Structure for holding a token. */ 504 struct tomoyo_path_info { 505 const char *name; 506 u32 hash; /* = full_name_hash(name, strlen(name)) */ 507 u16 const_len; /* = tomoyo_const_part_length(name) */ 508 bool is_dir; /* = tomoyo_strendswith(name, "/") */ 509 bool is_patterned; /* = tomoyo_path_contains_pattern(name) */ 510 }; 511 512 /* Structure for holding string data. */ 513 struct tomoyo_name { 514 struct tomoyo_shared_acl_head head; 515 struct tomoyo_path_info entry; 516 }; 517 518 /* Structure for holding a word. */ 519 struct tomoyo_name_union { 520 /* Either @filename or @group is NULL. */ 521 const struct tomoyo_path_info *filename; 522 struct tomoyo_group *group; 523 }; 524 525 /* Structure for holding a number. */ 526 struct tomoyo_number_union { 527 unsigned long values[2]; 528 struct tomoyo_group *group; /* Maybe NULL. */ 529 /* One of values in "enum tomoyo_value_type". */ 530 u8 value_type[2]; 531 }; 532 533 /* Structure for holding an IP address. */ 534 struct tomoyo_ipaddr_union { 535 struct in6_addr ip[2]; /* Big endian. */ 536 struct tomoyo_group *group; /* Pointer to address group. */ 537 bool is_ipv6; /* Valid only if @group == NULL. */ 538 }; 539 540 /* Structure for "path_group"/"number_group"/"address_group" directive. */ 541 struct tomoyo_group { 542 struct tomoyo_shared_acl_head head; 543 const struct tomoyo_path_info *group_name; 544 struct list_head member_list; 545 }; 546 547 /* Structure for "path_group" directive. */ 548 struct tomoyo_path_group { 549 struct tomoyo_acl_head head; 550 const struct tomoyo_path_info *member_name; 551 }; 552 553 /* Structure for "number_group" directive. */ 554 struct tomoyo_number_group { 555 struct tomoyo_acl_head head; 556 struct tomoyo_number_union number; 557 }; 558 559 /* Structure for "address_group" directive. */ 560 struct tomoyo_address_group { 561 struct tomoyo_acl_head head; 562 /* Structure for holding an IP address. */ 563 struct tomoyo_ipaddr_union address; 564 }; 565 566 /* Subset of "struct stat". Used by conditional ACL and audit logs. */ 567 struct tomoyo_mini_stat { 568 kuid_t uid; 569 kgid_t gid; 570 ino_t ino; 571 umode_t mode; 572 dev_t dev; 573 dev_t rdev; 574 }; 575 576 /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */ 577 struct tomoyo_page_dump { 578 struct page *page; /* Previously dumped page. */ 579 char *data; /* Contents of "page". Size is PAGE_SIZE. */ 580 }; 581 582 /* Structure for attribute checks in addition to pathname checks. */ 583 struct tomoyo_obj_info { 584 /* 585 * True if tomoyo_get_attributes() was already called, false otherwise. 586 */ 587 bool validate_done; 588 /* True if @stat[] is valid. */ 589 bool stat_valid[TOMOYO_MAX_PATH_STAT]; 590 /* First pathname. Initialized with { NULL, NULL } if no path. */ 591 struct path path1; 592 /* Second pathname. Initialized with { NULL, NULL } if no path. */ 593 struct path path2; 594 /* 595 * Information on @path1, @path1's parent directory, @path2, @path2's 596 * parent directory. 597 */ 598 struct tomoyo_mini_stat stat[TOMOYO_MAX_PATH_STAT]; 599 /* 600 * Content of symbolic link to be created. NULL for operations other 601 * than symlink(). 602 */ 603 struct tomoyo_path_info *symlink_target; 604 }; 605 606 /* Structure for argv[]. */ 607 struct tomoyo_argv { 608 unsigned long index; 609 const struct tomoyo_path_info *value; 610 bool is_not; 611 }; 612 613 /* Structure for envp[]. */ 614 struct tomoyo_envp { 615 const struct tomoyo_path_info *name; 616 const struct tomoyo_path_info *value; 617 bool is_not; 618 }; 619 620 /* Structure for execve() operation. */ 621 struct tomoyo_execve { 622 struct tomoyo_request_info r; 623 struct tomoyo_obj_info obj; 624 struct linux_binprm *bprm; 625 const struct tomoyo_path_info *transition; 626 /* For dumping argv[] and envp[]. */ 627 struct tomoyo_page_dump dump; 628 /* For temporary use. */ 629 char *tmp; /* Size is TOMOYO_EXEC_TMPSIZE bytes */ 630 }; 631 632 /* Structure for entries which follows "struct tomoyo_condition". */ 633 struct tomoyo_condition_element { 634 /* 635 * Left hand operand. A "struct tomoyo_argv" for TOMOYO_ARGV_ENTRY, a 636 * "struct tomoyo_envp" for TOMOYO_ENVP_ENTRY is attached to the tail 637 * of the array of this struct. 638 */ 639 u8 left; 640 /* 641 * Right hand operand. A "struct tomoyo_number_union" for 642 * TOMOYO_NUMBER_UNION, a "struct tomoyo_name_union" for 643 * TOMOYO_NAME_UNION is attached to the tail of the array of this 644 * struct. 645 */ 646 u8 right; 647 /* Equation operator. True if equals or overlaps, false otherwise. */ 648 bool equals; 649 }; 650 651 /* Structure for optional arguments. */ 652 struct tomoyo_condition { 653 struct tomoyo_shared_acl_head head; 654 u32 size; /* Memory size allocated for this entry. */ 655 u16 condc; /* Number of conditions in this struct. */ 656 u16 numbers_count; /* Number of "struct tomoyo_number_union values". */ 657 u16 names_count; /* Number of "struct tomoyo_name_union names". */ 658 u16 argc; /* Number of "struct tomoyo_argv". */ 659 u16 envc; /* Number of "struct tomoyo_envp". */ 660 u8 grant_log; /* One of values in "enum tomoyo_grant_log". */ 661 const struct tomoyo_path_info *transit; /* Maybe NULL. */ 662 /* 663 * struct tomoyo_condition_element condition[condc]; 664 * struct tomoyo_number_union values[numbers_count]; 665 * struct tomoyo_name_union names[names_count]; 666 * struct tomoyo_argv argv[argc]; 667 * struct tomoyo_envp envp[envc]; 668 */ 669 }; 670 671 /* Common header for individual entries. */ 672 struct tomoyo_acl_info { 673 struct list_head list; 674 struct tomoyo_condition *cond; /* Maybe NULL. */ 675 s8 is_deleted; /* true or false or TOMOYO_GC_IN_PROGRESS */ 676 u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */ 677 } __packed; 678 679 /* Structure for domain information. */ 680 struct tomoyo_domain_info { 681 struct list_head list; 682 struct list_head acl_info_list; 683 /* Name of this domain. Never NULL. */ 684 const struct tomoyo_path_info *domainname; 685 /* Namespace for this domain. Never NULL. */ 686 struct tomoyo_policy_namespace *ns; 687 /* Group numbers to use. */ 688 unsigned long group[TOMOYO_MAX_ACL_GROUPS / BITS_PER_LONG]; 689 u8 profile; /* Profile number to use. */ 690 bool is_deleted; /* Delete flag. */ 691 bool flags[TOMOYO_MAX_DOMAIN_INFO_FLAGS]; 692 atomic_t users; /* Number of referring tasks. */ 693 }; 694 695 /* 696 * Structure for "task manual_domain_transition" directive. 697 */ 698 struct tomoyo_task_acl { 699 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MANUAL_TASK_ACL */ 700 /* Pointer to domainname. */ 701 const struct tomoyo_path_info *domainname; 702 }; 703 704 /* 705 * Structure for "file execute", "file read", "file write", "file append", 706 * "file unlink", "file getattr", "file rmdir", "file truncate", 707 * "file symlink", "file chroot" and "file unmount" directive. 708 */ 709 struct tomoyo_path_acl { 710 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */ 711 u16 perm; /* Bitmask of values in "enum tomoyo_path_acl_index". */ 712 struct tomoyo_name_union name; 713 }; 714 715 /* 716 * Structure for "file create", "file mkdir", "file mkfifo", "file mksock", 717 * "file ioctl", "file chmod", "file chown" and "file chgrp" directive. 718 */ 719 struct tomoyo_path_number_acl { 720 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_NUMBER_ACL */ 721 /* Bitmask of values in "enum tomoyo_path_number_acl_index". */ 722 u8 perm; 723 struct tomoyo_name_union name; 724 struct tomoyo_number_union number; 725 }; 726 727 /* Structure for "file mkblock" and "file mkchar" directive. */ 728 struct tomoyo_mkdev_acl { 729 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MKDEV_ACL */ 730 u8 perm; /* Bitmask of values in "enum tomoyo_mkdev_acl_index". */ 731 struct tomoyo_name_union name; 732 struct tomoyo_number_union mode; 733 struct tomoyo_number_union major; 734 struct tomoyo_number_union minor; 735 }; 736 737 /* 738 * Structure for "file rename", "file link" and "file pivot_root" directive. 739 */ 740 struct tomoyo_path2_acl { 741 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */ 742 u8 perm; /* Bitmask of values in "enum tomoyo_path2_acl_index". */ 743 struct tomoyo_name_union name1; 744 struct tomoyo_name_union name2; 745 }; 746 747 /* Structure for "file mount" directive. */ 748 struct tomoyo_mount_acl { 749 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MOUNT_ACL */ 750 struct tomoyo_name_union dev_name; 751 struct tomoyo_name_union dir_name; 752 struct tomoyo_name_union fs_type; 753 struct tomoyo_number_union flags; 754 }; 755 756 /* Structure for "misc env" directive in domain policy. */ 757 struct tomoyo_env_acl { 758 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_ENV_ACL */ 759 const struct tomoyo_path_info *env; /* environment variable */ 760 }; 761 762 /* Structure for "network inet" directive. */ 763 struct tomoyo_inet_acl { 764 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_INET_ACL */ 765 u8 protocol; 766 u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */ 767 struct tomoyo_ipaddr_union address; 768 struct tomoyo_number_union port; 769 }; 770 771 /* Structure for "network unix" directive. */ 772 struct tomoyo_unix_acl { 773 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_UNIX_ACL */ 774 u8 protocol; 775 u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */ 776 struct tomoyo_name_union name; 777 }; 778 779 /* Structure for holding a line from /sys/kernel/security/tomoyo/ interface. */ 780 struct tomoyo_acl_param { 781 char *data; 782 struct list_head *list; 783 struct tomoyo_policy_namespace *ns; 784 bool is_delete; 785 }; 786 787 #define TOMOYO_MAX_IO_READ_QUEUE 64 788 789 /* 790 * Structure for reading/writing policy via /sys/kernel/security/tomoyo 791 * interfaces. 792 */ 793 struct tomoyo_io_buffer { 794 void (*read)(struct tomoyo_io_buffer *head); 795 int (*write)(struct tomoyo_io_buffer *head); 796 __poll_t (*poll)(struct file *file, poll_table *wait); 797 /* Exclusive lock for this structure. */ 798 struct mutex io_sem; 799 char __user *read_user_buf; 800 size_t read_user_buf_avail; 801 struct { 802 struct list_head *ns; 803 struct list_head *domain; 804 struct list_head *group; 805 struct list_head *acl; 806 size_t avail; 807 unsigned int step; 808 unsigned int query_index; 809 u16 index; 810 u16 cond_index; 811 u8 acl_group_index; 812 u8 cond_step; 813 u8 bit; 814 u8 w_pos; 815 bool eof; 816 bool print_this_domain_only; 817 bool print_transition_related_only; 818 bool print_cond_part; 819 const char *w[TOMOYO_MAX_IO_READ_QUEUE]; 820 } r; 821 struct { 822 struct tomoyo_policy_namespace *ns; 823 /* The position currently writing to. */ 824 struct tomoyo_domain_info *domain; 825 /* Bytes available for writing. */ 826 size_t avail; 827 bool is_delete; 828 } w; 829 /* Buffer for reading. */ 830 char *read_buf; 831 /* Size of read buffer. */ 832 size_t readbuf_size; 833 /* Buffer for writing. */ 834 char *write_buf; 835 /* Size of write buffer. */ 836 size_t writebuf_size; 837 /* Type of this interface. */ 838 enum tomoyo_securityfs_interface_index type; 839 /* Users counter protected by tomoyo_io_buffer_list_lock. */ 840 u8 users; 841 /* List for telling GC not to kfree() elements. */ 842 struct list_head list; 843 }; 844 845 /* 846 * Structure for "initialize_domain"/"no_initialize_domain"/"keep_domain"/ 847 * "no_keep_domain" keyword. 848 */ 849 struct tomoyo_transition_control { 850 struct tomoyo_acl_head head; 851 u8 type; /* One of values in "enum tomoyo_transition_type". */ 852 /* True if the domainname is tomoyo_get_last_name(). */ 853 bool is_last_name; 854 const struct tomoyo_path_info *domainname; /* Maybe NULL */ 855 const struct tomoyo_path_info *program; /* Maybe NULL */ 856 }; 857 858 /* Structure for "aggregator" keyword. */ 859 struct tomoyo_aggregator { 860 struct tomoyo_acl_head head; 861 const struct tomoyo_path_info *original_name; 862 const struct tomoyo_path_info *aggregated_name; 863 }; 864 865 /* Structure for policy manager. */ 866 struct tomoyo_manager { 867 struct tomoyo_acl_head head; 868 /* A path to program or a domainname. */ 869 const struct tomoyo_path_info *manager; 870 }; 871 872 struct tomoyo_preference { 873 unsigned int learning_max_entry; 874 bool enforcing_verbose; 875 bool learning_verbose; 876 bool permissive_verbose; 877 }; 878 879 /* Structure for /sys/kernel/security/tomnoyo/profile interface. */ 880 struct tomoyo_profile { 881 const struct tomoyo_path_info *comment; 882 struct tomoyo_preference *learning; 883 struct tomoyo_preference *permissive; 884 struct tomoyo_preference *enforcing; 885 struct tomoyo_preference preference; 886 u8 default_config; 887 u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX]; 888 unsigned int pref[TOMOYO_MAX_PREF]; 889 }; 890 891 /* Structure for representing YYYY/MM/DD hh/mm/ss. */ 892 struct tomoyo_time { 893 u16 year; 894 u8 month; 895 u8 day; 896 u8 hour; 897 u8 min; 898 u8 sec; 899 }; 900 901 /* Structure for policy namespace. */ 902 struct tomoyo_policy_namespace { 903 /* Profile table. Memory is allocated as needed. */ 904 struct tomoyo_profile *profile_ptr[TOMOYO_MAX_PROFILES]; 905 /* List of "struct tomoyo_group". */ 906 struct list_head group_list[TOMOYO_MAX_GROUP]; 907 /* List of policy. */ 908 struct list_head policy_list[TOMOYO_MAX_POLICY]; 909 /* The global ACL referred by "use_group" keyword. */ 910 struct list_head acl_group[TOMOYO_MAX_ACL_GROUPS]; 911 /* List for connecting to tomoyo_namespace_list list. */ 912 struct list_head namespace_list; 913 /* Profile version. Currently only 20150505 is defined. */ 914 unsigned int profile_version; 915 /* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */ 916 const char *name; 917 }; 918 919 /* Structure for "struct task_struct"->security. */ 920 struct tomoyo_task { 921 struct tomoyo_domain_info *domain_info; 922 struct tomoyo_domain_info *old_domain_info; 923 }; 924 925 /********** Function prototypes. **********/ 926 927 bool tomoyo_address_matches_group(const bool is_ipv6, const __be32 *address, 928 const struct tomoyo_group *group); 929 bool tomoyo_compare_number_union(const unsigned long value, 930 const struct tomoyo_number_union *ptr); 931 bool tomoyo_condition(struct tomoyo_request_info *r, 932 const struct tomoyo_condition *cond); 933 bool tomoyo_correct_domain(const unsigned char *domainname); 934 bool tomoyo_correct_path(const char *filename); 935 bool tomoyo_correct_word(const char *string); 936 bool tomoyo_domain_def(const unsigned char *buffer); 937 bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r); 938 bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos, 939 struct tomoyo_page_dump *dump); 940 bool tomoyo_memory_ok(void *ptr); 941 bool tomoyo_number_matches_group(const unsigned long min, 942 const unsigned long max, 943 const struct tomoyo_group *group); 944 bool tomoyo_parse_ipaddr_union(struct tomoyo_acl_param *param, 945 struct tomoyo_ipaddr_union *ptr); 946 bool tomoyo_parse_name_union(struct tomoyo_acl_param *param, 947 struct tomoyo_name_union *ptr); 948 bool tomoyo_parse_number_union(struct tomoyo_acl_param *param, 949 struct tomoyo_number_union *ptr); 950 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, 951 const struct tomoyo_path_info *pattern); 952 bool tomoyo_permstr(const char *string, const char *keyword); 953 bool tomoyo_str_starts(char **src, const char *find); 954 char *tomoyo_encode(const char *str); 955 char *tomoyo_encode2(const char *str, int str_len); 956 char *tomoyo_init_log(struct tomoyo_request_info *r, int len, const char *fmt, 957 va_list args) __printf(3, 0); 958 char *tomoyo_read_token(struct tomoyo_acl_param *param); 959 char *tomoyo_realpath_from_path(const struct path *path); 960 char *tomoyo_realpath_nofollow(const char *pathname); 961 const char *tomoyo_get_exe(void); 962 const struct tomoyo_path_info *tomoyo_compare_name_union 963 (const struct tomoyo_path_info *name, const struct tomoyo_name_union *ptr); 964 const struct tomoyo_path_info *tomoyo_get_domainname 965 (struct tomoyo_acl_param *param); 966 const struct tomoyo_path_info *tomoyo_get_name(const char *name); 967 const struct tomoyo_path_info *tomoyo_path_matches_group 968 (const struct tomoyo_path_info *pathname, const struct tomoyo_group *group); 969 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 970 const struct path *path, const int flag); 971 void tomoyo_close_control(struct tomoyo_io_buffer *head); 972 int tomoyo_env_perm(struct tomoyo_request_info *r, const char *env); 973 int tomoyo_execute_permission(struct tomoyo_request_info *r, 974 const struct tomoyo_path_info *filename); 975 int tomoyo_find_next_domain(struct linux_binprm *bprm); 976 int tomoyo_get_mode(const struct tomoyo_policy_namespace *ns, const u8 profile, 977 const u8 index); 978 int tomoyo_init_request_info(struct tomoyo_request_info *r, 979 struct tomoyo_domain_info *domain, 980 const u8 index); 981 int tomoyo_mkdev_perm(const u8 operation, const struct path *path, 982 const unsigned int mode, unsigned int dev); 983 int tomoyo_mount_permission(const char *dev_name, const struct path *path, 984 const char *type, unsigned long flags, 985 void *data_page); 986 int tomoyo_open_control(const u8 type, struct file *file); 987 int tomoyo_path2_perm(const u8 operation, const struct path *path1, 988 const struct path *path2); 989 int tomoyo_path_number_perm(const u8 operation, const struct path *path, 990 unsigned long number); 991 int tomoyo_path_perm(const u8 operation, const struct path *path, 992 const char *target); 993 __poll_t tomoyo_poll_control(struct file *file, poll_table *wait); 994 __poll_t tomoyo_poll_log(struct file *file, poll_table *wait); 995 int tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr, 996 int addr_len); 997 int tomoyo_socket_connect_permission(struct socket *sock, 998 struct sockaddr *addr, int addr_len); 999 int tomoyo_socket_listen_permission(struct socket *sock); 1000 int tomoyo_socket_sendmsg_permission(struct socket *sock, struct msghdr *msg, 1001 int size); 1002 int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...) 1003 __printf(2, 3); 1004 int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size, 1005 struct tomoyo_acl_param *param, 1006 bool (*check_duplicate) 1007 (const struct tomoyo_acl_info *, 1008 const struct tomoyo_acl_info *), 1009 bool (*merge_duplicate) 1010 (struct tomoyo_acl_info *, struct tomoyo_acl_info *, 1011 const bool)); 1012 int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size, 1013 struct tomoyo_acl_param *param, 1014 bool (*check_duplicate) 1015 (const struct tomoyo_acl_head *, 1016 const struct tomoyo_acl_head *)); 1017 int tomoyo_write_aggregator(struct tomoyo_acl_param *param); 1018 int tomoyo_write_file(struct tomoyo_acl_param *param); 1019 int tomoyo_write_group(struct tomoyo_acl_param *param, const u8 type); 1020 int tomoyo_write_misc(struct tomoyo_acl_param *param); 1021 int tomoyo_write_inet_network(struct tomoyo_acl_param *param); 1022 int tomoyo_write_transition_control(struct tomoyo_acl_param *param, 1023 const u8 type); 1024 int tomoyo_write_unix_network(struct tomoyo_acl_param *param); 1025 ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer, 1026 const int buffer_len); 1027 ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, 1028 const char __user *buffer, const int buffer_len); 1029 struct tomoyo_condition *tomoyo_get_condition(struct tomoyo_acl_param *param); 1030 struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname, 1031 const bool transit); 1032 struct tomoyo_domain_info *tomoyo_domain(void); 1033 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); 1034 struct tomoyo_group *tomoyo_get_group(struct tomoyo_acl_param *param, 1035 const u8 idx); 1036 struct tomoyo_policy_namespace *tomoyo_assign_namespace 1037 (const char *domainname); 1038 struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns, 1039 const u8 profile); 1040 u8 tomoyo_parse_ulong(unsigned long *result, char **str); 1041 void *tomoyo_commit_ok(void *data, const unsigned int size); 1042 void __init tomoyo_load_builtin_policy(void); 1043 void __init tomoyo_mm_init(void); 1044 void tomoyo_check_acl(struct tomoyo_request_info *r, 1045 bool (*check_entry)(struct tomoyo_request_info *, 1046 const struct tomoyo_acl_info *)); 1047 void tomoyo_check_profile(void); 1048 void tomoyo_convert_time(time64_t time, struct tomoyo_time *stamp); 1049 void tomoyo_del_condition(struct list_head *element); 1050 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr); 1051 void tomoyo_get_attributes(struct tomoyo_obj_info *obj); 1052 void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns); 1053 void tomoyo_load_policy(const char *filename); 1054 void tomoyo_normalize_line(unsigned char *buffer); 1055 void tomoyo_notify_gc(struct tomoyo_io_buffer *head, const bool is_register); 1056 void tomoyo_print_ip(char *buf, const unsigned int size, 1057 const struct tomoyo_ipaddr_union *ptr); 1058 void tomoyo_print_ulong(char *buffer, const int buffer_len, 1059 const unsigned long value, const u8 type); 1060 void tomoyo_put_name_union(struct tomoyo_name_union *ptr); 1061 void tomoyo_put_number_union(struct tomoyo_number_union *ptr); 1062 void tomoyo_read_log(struct tomoyo_io_buffer *head); 1063 void tomoyo_update_stat(const u8 index); 1064 void tomoyo_warn_oom(const char *function); 1065 void tomoyo_write_log(struct tomoyo_request_info *r, const char *fmt, ...) 1066 __printf(2, 3); 1067 void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt, 1068 va_list args) __printf(3, 0); 1069 1070 /********** External variable definitions. **********/ 1071 1072 extern bool tomoyo_policy_loaded; 1073 extern int tomoyo_enabled; 1074 extern const char * const tomoyo_condition_keyword 1075 [TOMOYO_MAX_CONDITION_KEYWORD]; 1076 extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS]; 1077 extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX 1078 + TOMOYO_MAX_MAC_CATEGORY_INDEX]; 1079 extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE]; 1080 extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION]; 1081 extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX]; 1082 extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION]; 1083 extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX]; 1084 extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION]; 1085 extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION]; 1086 extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION]; 1087 extern struct list_head tomoyo_condition_list; 1088 extern struct list_head tomoyo_domain_list; 1089 extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; 1090 extern struct list_head tomoyo_namespace_list; 1091 extern struct mutex tomoyo_policy_lock; 1092 extern struct srcu_struct tomoyo_ss; 1093 extern struct tomoyo_domain_info tomoyo_kernel_domain; 1094 extern struct tomoyo_policy_namespace tomoyo_kernel_namespace; 1095 extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT]; 1096 extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT]; 1097 extern struct lsm_blob_sizes tomoyo_blob_sizes; 1098 1099 /********** Inlined functions. **********/ 1100 1101 /** 1102 * tomoyo_read_lock - Take lock for protecting policy. 1103 * 1104 * Returns index number for tomoyo_read_unlock(). 1105 */ tomoyo_read_lock(void)1106 static inline int tomoyo_read_lock(void) 1107 { 1108 return srcu_read_lock(&tomoyo_ss); 1109 } 1110 1111 /** 1112 * tomoyo_read_unlock - Release lock for protecting policy. 1113 * 1114 * @idx: Index number returned by tomoyo_read_lock(). 1115 * 1116 * Returns nothing. 1117 */ tomoyo_read_unlock(int idx)1118 static inline void tomoyo_read_unlock(int idx) 1119 { 1120 srcu_read_unlock(&tomoyo_ss, idx); 1121 } 1122 1123 /** 1124 * tomoyo_sys_getppid - Copy of getppid(). 1125 * 1126 * Returns parent process's PID. 1127 * 1128 * Alpha does not have getppid() defined. To be able to build this module on 1129 * Alpha, I have to copy getppid() from kernel/timer.c. 1130 */ tomoyo_sys_getppid(void)1131 static inline pid_t tomoyo_sys_getppid(void) 1132 { 1133 pid_t pid; 1134 1135 rcu_read_lock(); 1136 pid = task_tgid_vnr(rcu_dereference(current->real_parent)); 1137 rcu_read_unlock(); 1138 return pid; 1139 } 1140 1141 /** 1142 * tomoyo_sys_getpid - Copy of getpid(). 1143 * 1144 * Returns current thread's PID. 1145 * 1146 * Alpha does not have getpid() defined. To be able to build this module on 1147 * Alpha, I have to copy getpid() from kernel/timer.c. 1148 */ tomoyo_sys_getpid(void)1149 static inline pid_t tomoyo_sys_getpid(void) 1150 { 1151 return task_tgid_vnr(current); 1152 } 1153 1154 /** 1155 * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure. 1156 * 1157 * @a: Pointer to "struct tomoyo_path_info". 1158 * @b: Pointer to "struct tomoyo_path_info". 1159 * 1160 * Returns true if @a == @b, false otherwise. 1161 */ tomoyo_pathcmp(const struct tomoyo_path_info * a,const struct tomoyo_path_info * b)1162 static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a, 1163 const struct tomoyo_path_info *b) 1164 { 1165 return a->hash != b->hash || strcmp(a->name, b->name); 1166 } 1167 1168 /** 1169 * tomoyo_put_name - Drop reference on "struct tomoyo_name". 1170 * 1171 * @name: Pointer to "struct tomoyo_path_info". Maybe NULL. 1172 * 1173 * Returns nothing. 1174 */ tomoyo_put_name(const struct tomoyo_path_info * name)1175 static inline void tomoyo_put_name(const struct tomoyo_path_info *name) 1176 { 1177 if (name) { 1178 struct tomoyo_name *ptr = 1179 container_of(name, typeof(*ptr), entry); 1180 atomic_dec(&ptr->head.users); 1181 } 1182 } 1183 1184 /** 1185 * tomoyo_put_condition - Drop reference on "struct tomoyo_condition". 1186 * 1187 * @cond: Pointer to "struct tomoyo_condition". Maybe NULL. 1188 * 1189 * Returns nothing. 1190 */ tomoyo_put_condition(struct tomoyo_condition * cond)1191 static inline void tomoyo_put_condition(struct tomoyo_condition *cond) 1192 { 1193 if (cond) 1194 atomic_dec(&cond->head.users); 1195 } 1196 1197 /** 1198 * tomoyo_put_group - Drop reference on "struct tomoyo_group". 1199 * 1200 * @group: Pointer to "struct tomoyo_group". Maybe NULL. 1201 * 1202 * Returns nothing. 1203 */ tomoyo_put_group(struct tomoyo_group * group)1204 static inline void tomoyo_put_group(struct tomoyo_group *group) 1205 { 1206 if (group) 1207 atomic_dec(&group->head.users); 1208 } 1209 1210 /** 1211 * tomoyo_task - Get "struct tomoyo_task" for specified thread. 1212 * 1213 * @task - Pointer to "struct task_struct". 1214 * 1215 * Returns pointer to "struct tomoyo_task" for specified thread. 1216 */ tomoyo_task(struct task_struct * task)1217 static inline struct tomoyo_task *tomoyo_task(struct task_struct *task) 1218 { 1219 return task->security + tomoyo_blob_sizes.lbs_task; 1220 } 1221 1222 /** 1223 * tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry. 1224 * 1225 * @a: Pointer to "struct tomoyo_name_union". 1226 * @b: Pointer to "struct tomoyo_name_union". 1227 * 1228 * Returns true if @a == @b, false otherwise. 1229 */ tomoyo_same_name_union(const struct tomoyo_name_union * a,const struct tomoyo_name_union * b)1230 static inline bool tomoyo_same_name_union 1231 (const struct tomoyo_name_union *a, const struct tomoyo_name_union *b) 1232 { 1233 return a->filename == b->filename && a->group == b->group; 1234 } 1235 1236 /** 1237 * tomoyo_same_number_union - Check for duplicated "struct tomoyo_number_union" entry. 1238 * 1239 * @a: Pointer to "struct tomoyo_number_union". 1240 * @b: Pointer to "struct tomoyo_number_union". 1241 * 1242 * Returns true if @a == @b, false otherwise. 1243 */ tomoyo_same_number_union(const struct tomoyo_number_union * a,const struct tomoyo_number_union * b)1244 static inline bool tomoyo_same_number_union 1245 (const struct tomoyo_number_union *a, const struct tomoyo_number_union *b) 1246 { 1247 return a->values[0] == b->values[0] && a->values[1] == b->values[1] && 1248 a->group == b->group && a->value_type[0] == b->value_type[0] && 1249 a->value_type[1] == b->value_type[1]; 1250 } 1251 1252 /** 1253 * tomoyo_same_ipaddr_union - Check for duplicated "struct tomoyo_ipaddr_union" entry. 1254 * 1255 * @a: Pointer to "struct tomoyo_ipaddr_union". 1256 * @b: Pointer to "struct tomoyo_ipaddr_union". 1257 * 1258 * Returns true if @a == @b, false otherwise. 1259 */ tomoyo_same_ipaddr_union(const struct tomoyo_ipaddr_union * a,const struct tomoyo_ipaddr_union * b)1260 static inline bool tomoyo_same_ipaddr_union 1261 (const struct tomoyo_ipaddr_union *a, const struct tomoyo_ipaddr_union *b) 1262 { 1263 return !memcmp(a->ip, b->ip, sizeof(a->ip)) && a->group == b->group && 1264 a->is_ipv6 == b->is_ipv6; 1265 } 1266 1267 /** 1268 * tomoyo_current_namespace - Get "struct tomoyo_policy_namespace" for current thread. 1269 * 1270 * Returns pointer to "struct tomoyo_policy_namespace" for current thread. 1271 */ tomoyo_current_namespace(void)1272 static inline struct tomoyo_policy_namespace *tomoyo_current_namespace(void) 1273 { 1274 return tomoyo_domain()->ns; 1275 } 1276 1277 /** 1278 * list_for_each_cookie - iterate over a list with cookie. 1279 * @pos: the &struct list_head to use as a loop cursor. 1280 * @head: the head for your list. 1281 */ 1282 #define list_for_each_cookie(pos, head) \ 1283 if (!pos) \ 1284 pos = srcu_dereference((head)->next, &tomoyo_ss); \ 1285 for ( ; pos != (head); pos = srcu_dereference(pos->next, &tomoyo_ss)) 1286 1287 #endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */ 1288