1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * security/tomoyo/common.h
4 *
5 * Header file for TOMOYO.
6 *
7 * Copyright (C) 2005-2011 NTT DATA CORPORATION
8 */
9
10 #ifndef _SECURITY_TOMOYO_COMMON_H
11 #define _SECURITY_TOMOYO_COMMON_H
12
13 #define pr_fmt(fmt) fmt
14
15 #include <linux/ctype.h>
16 #include <linux/string.h>
17 #include <linux/mm.h>
18 #include <linux/file.h>
19 #include <linux/kmod.h>
20 #include <linux/fs.h>
21 #include <linux/sched.h>
22 #include <linux/namei.h>
23 #include <linux/mount.h>
24 #include <linux/list.h>
25 #include <linux/cred.h>
26 #include <linux/poll.h>
27 #include <linux/binfmts.h>
28 #include <linux/highmem.h>
29 #include <linux/net.h>
30 #include <linux/inet.h>
31 #include <linux/in.h>
32 #include <linux/in6.h>
33 #include <linux/un.h>
34 #include <linux/lsm_hooks.h>
35 #include <net/sock.h>
36 #include <net/af_unix.h>
37 #include <net/ip.h>
38 #include <net/ipv6.h>
39 #include <net/udp.h>
40
41 /********** Constants definitions. **********/
42
43 /*
44 * TOMOYO uses this hash only when appending a string into the string
45 * table. Frequency of appending strings is very low. So we don't need
46 * large (e.g. 64k) hash size. 256 will be sufficient.
47 */
48 #define TOMOYO_HASH_BITS 8
49 #define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
50
51 /*
52 * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
53 * Therefore, we don't need SOCK_MAX.
54 */
55 #define TOMOYO_SOCK_MAX 6
56
57 #define TOMOYO_EXEC_TMPSIZE 4096
58
59 /* Garbage collector is trying to kfree() this element. */
60 #define TOMOYO_GC_IN_PROGRESS -1
61
62 /* Profile number is an integer between 0 and 255. */
63 #define TOMOYO_MAX_PROFILES 256
64
65 /* Group number is an integer between 0 and 255. */
66 #define TOMOYO_MAX_ACL_GROUPS 256
67
68 /* Index numbers for "struct tomoyo_condition". */
69 enum tomoyo_conditions_index {
70 TOMOYO_TASK_UID, /* current_uid() */
71 TOMOYO_TASK_EUID, /* current_euid() */
72 TOMOYO_TASK_SUID, /* current_suid() */
73 TOMOYO_TASK_FSUID, /* current_fsuid() */
74 TOMOYO_TASK_GID, /* current_gid() */
75 TOMOYO_TASK_EGID, /* current_egid() */
76 TOMOYO_TASK_SGID, /* current_sgid() */
77 TOMOYO_TASK_FSGID, /* current_fsgid() */
78 TOMOYO_TASK_PID, /* sys_getpid() */
79 TOMOYO_TASK_PPID, /* sys_getppid() */
80 TOMOYO_EXEC_ARGC, /* "struct linux_binprm *"->argc */
81 TOMOYO_EXEC_ENVC, /* "struct linux_binprm *"->envc */
82 TOMOYO_TYPE_IS_SOCKET, /* S_IFSOCK */
83 TOMOYO_TYPE_IS_SYMLINK, /* S_IFLNK */
84 TOMOYO_TYPE_IS_FILE, /* S_IFREG */
85 TOMOYO_TYPE_IS_BLOCK_DEV, /* S_IFBLK */
86 TOMOYO_TYPE_IS_DIRECTORY, /* S_IFDIR */
87 TOMOYO_TYPE_IS_CHAR_DEV, /* S_IFCHR */
88 TOMOYO_TYPE_IS_FIFO, /* S_IFIFO */
89 TOMOYO_MODE_SETUID, /* S_ISUID */
90 TOMOYO_MODE_SETGID, /* S_ISGID */
91 TOMOYO_MODE_STICKY, /* S_ISVTX */
92 TOMOYO_MODE_OWNER_READ, /* S_IRUSR */
93 TOMOYO_MODE_OWNER_WRITE, /* S_IWUSR */
94 TOMOYO_MODE_OWNER_EXECUTE, /* S_IXUSR */
95 TOMOYO_MODE_GROUP_READ, /* S_IRGRP */
96 TOMOYO_MODE_GROUP_WRITE, /* S_IWGRP */
97 TOMOYO_MODE_GROUP_EXECUTE, /* S_IXGRP */
98 TOMOYO_MODE_OTHERS_READ, /* S_IROTH */
99 TOMOYO_MODE_OTHERS_WRITE, /* S_IWOTH */
100 TOMOYO_MODE_OTHERS_EXECUTE, /* S_IXOTH */
101 TOMOYO_EXEC_REALPATH,
102 TOMOYO_SYMLINK_TARGET,
103 TOMOYO_PATH1_UID,
104 TOMOYO_PATH1_GID,
105 TOMOYO_PATH1_INO,
106 TOMOYO_PATH1_MAJOR,
107 TOMOYO_PATH1_MINOR,
108 TOMOYO_PATH1_PERM,
109 TOMOYO_PATH1_TYPE,
110 TOMOYO_PATH1_DEV_MAJOR,
111 TOMOYO_PATH1_DEV_MINOR,
112 TOMOYO_PATH2_UID,
113 TOMOYO_PATH2_GID,
114 TOMOYO_PATH2_INO,
115 TOMOYO_PATH2_MAJOR,
116 TOMOYO_PATH2_MINOR,
117 TOMOYO_PATH2_PERM,
118 TOMOYO_PATH2_TYPE,
119 TOMOYO_PATH2_DEV_MAJOR,
120 TOMOYO_PATH2_DEV_MINOR,
121 TOMOYO_PATH1_PARENT_UID,
122 TOMOYO_PATH1_PARENT_GID,
123 TOMOYO_PATH1_PARENT_INO,
124 TOMOYO_PATH1_PARENT_PERM,
125 TOMOYO_PATH2_PARENT_UID,
126 TOMOYO_PATH2_PARENT_GID,
127 TOMOYO_PATH2_PARENT_INO,
128 TOMOYO_PATH2_PARENT_PERM,
129 TOMOYO_MAX_CONDITION_KEYWORD,
130 TOMOYO_NUMBER_UNION,
131 TOMOYO_NAME_UNION,
132 TOMOYO_ARGV_ENTRY,
133 TOMOYO_ENVP_ENTRY,
134 };
135
136
137 /* Index numbers for stat(). */
138 enum tomoyo_path_stat_index {
139 /* Do not change this order. */
140 TOMOYO_PATH1,
141 TOMOYO_PATH1_PARENT,
142 TOMOYO_PATH2,
143 TOMOYO_PATH2_PARENT,
144 TOMOYO_MAX_PATH_STAT
145 };
146
147 /* Index numbers for operation mode. */
148 enum tomoyo_mode_index {
149 TOMOYO_CONFIG_DISABLED,
150 TOMOYO_CONFIG_LEARNING,
151 TOMOYO_CONFIG_PERMISSIVE,
152 TOMOYO_CONFIG_ENFORCING,
153 TOMOYO_CONFIG_MAX_MODE,
154 TOMOYO_CONFIG_WANT_REJECT_LOG = 64,
155 TOMOYO_CONFIG_WANT_GRANT_LOG = 128,
156 TOMOYO_CONFIG_USE_DEFAULT = 255,
157 };
158
159 /* Index numbers for entry type. */
160 enum tomoyo_policy_id {
161 TOMOYO_ID_GROUP,
162 TOMOYO_ID_ADDRESS_GROUP,
163 TOMOYO_ID_PATH_GROUP,
164 TOMOYO_ID_NUMBER_GROUP,
165 TOMOYO_ID_TRANSITION_CONTROL,
166 TOMOYO_ID_AGGREGATOR,
167 TOMOYO_ID_MANAGER,
168 TOMOYO_ID_CONDITION,
169 TOMOYO_ID_NAME,
170 TOMOYO_ID_ACL,
171 TOMOYO_ID_DOMAIN,
172 TOMOYO_MAX_POLICY
173 };
174
175 /* Index numbers for domain's attributes. */
176 enum tomoyo_domain_info_flags_index {
177 /* Quota warnning flag. */
178 TOMOYO_DIF_QUOTA_WARNED,
179 /*
180 * This domain was unable to create a new domain at
181 * tomoyo_find_next_domain() because the name of the domain to be
182 * created was too long or it could not allocate memory.
183 * More than one process continued execve() without domain transition.
184 */
185 TOMOYO_DIF_TRANSITION_FAILED,
186 TOMOYO_MAX_DOMAIN_INFO_FLAGS
187 };
188
189 /* Index numbers for audit type. */
190 enum tomoyo_grant_log {
191 /* Follow profile's configuration. */
192 TOMOYO_GRANTLOG_AUTO,
193 /* Do not generate grant log. */
194 TOMOYO_GRANTLOG_NO,
195 /* Generate grant_log. */
196 TOMOYO_GRANTLOG_YES,
197 };
198
199 /* Index numbers for group entries. */
200 enum tomoyo_group_id {
201 TOMOYO_PATH_GROUP,
202 TOMOYO_NUMBER_GROUP,
203 TOMOYO_ADDRESS_GROUP,
204 TOMOYO_MAX_GROUP
205 };
206
207 /* Index numbers for type of numeric values. */
208 enum tomoyo_value_type {
209 TOMOYO_VALUE_TYPE_INVALID,
210 TOMOYO_VALUE_TYPE_DECIMAL,
211 TOMOYO_VALUE_TYPE_OCTAL,
212 TOMOYO_VALUE_TYPE_HEXADECIMAL,
213 };
214
215 /* Index numbers for domain transition control keywords. */
216 enum tomoyo_transition_type {
217 /* Do not change this order, */
218 TOMOYO_TRANSITION_CONTROL_NO_RESET,
219 TOMOYO_TRANSITION_CONTROL_RESET,
220 TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE,
221 TOMOYO_TRANSITION_CONTROL_INITIALIZE,
222 TOMOYO_TRANSITION_CONTROL_NO_KEEP,
223 TOMOYO_TRANSITION_CONTROL_KEEP,
224 TOMOYO_MAX_TRANSITION_TYPE
225 };
226
227 /* Index numbers for Access Controls. */
228 enum tomoyo_acl_entry_type_index {
229 TOMOYO_TYPE_PATH_ACL,
230 TOMOYO_TYPE_PATH2_ACL,
231 TOMOYO_TYPE_PATH_NUMBER_ACL,
232 TOMOYO_TYPE_MKDEV_ACL,
233 TOMOYO_TYPE_MOUNT_ACL,
234 TOMOYO_TYPE_INET_ACL,
235 TOMOYO_TYPE_UNIX_ACL,
236 TOMOYO_TYPE_ENV_ACL,
237 TOMOYO_TYPE_MANUAL_TASK_ACL,
238 };
239
240 /* Index numbers for access controls with one pathname. */
241 enum tomoyo_path_acl_index {
242 TOMOYO_TYPE_EXECUTE,
243 TOMOYO_TYPE_READ,
244 TOMOYO_TYPE_WRITE,
245 TOMOYO_TYPE_APPEND,
246 TOMOYO_TYPE_UNLINK,
247 TOMOYO_TYPE_GETATTR,
248 TOMOYO_TYPE_RMDIR,
249 TOMOYO_TYPE_TRUNCATE,
250 TOMOYO_TYPE_SYMLINK,
251 TOMOYO_TYPE_CHROOT,
252 TOMOYO_TYPE_UMOUNT,
253 TOMOYO_MAX_PATH_OPERATION
254 };
255
256 /* Index numbers for /sys/kernel/security/tomoyo/stat interface. */
257 enum tomoyo_memory_stat_type {
258 TOMOYO_MEMORY_POLICY,
259 TOMOYO_MEMORY_AUDIT,
260 TOMOYO_MEMORY_QUERY,
261 TOMOYO_MAX_MEMORY_STAT
262 };
263
264 enum tomoyo_mkdev_acl_index {
265 TOMOYO_TYPE_MKBLOCK,
266 TOMOYO_TYPE_MKCHAR,
267 TOMOYO_MAX_MKDEV_OPERATION
268 };
269
270 /* Index numbers for socket operations. */
271 enum tomoyo_network_acl_index {
272 TOMOYO_NETWORK_BIND, /* bind() operation. */
273 TOMOYO_NETWORK_LISTEN, /* listen() operation. */
274 TOMOYO_NETWORK_CONNECT, /* connect() operation. */
275 TOMOYO_NETWORK_SEND, /* send() operation. */
276 TOMOYO_MAX_NETWORK_OPERATION
277 };
278
279 /* Index numbers for access controls with two pathnames. */
280 enum tomoyo_path2_acl_index {
281 TOMOYO_TYPE_LINK,
282 TOMOYO_TYPE_RENAME,
283 TOMOYO_TYPE_PIVOT_ROOT,
284 TOMOYO_MAX_PATH2_OPERATION
285 };
286
287 /* Index numbers for access controls with one pathname and one number. */
288 enum tomoyo_path_number_acl_index {
289 TOMOYO_TYPE_CREATE,
290 TOMOYO_TYPE_MKDIR,
291 TOMOYO_TYPE_MKFIFO,
292 TOMOYO_TYPE_MKSOCK,
293 TOMOYO_TYPE_IOCTL,
294 TOMOYO_TYPE_CHMOD,
295 TOMOYO_TYPE_CHOWN,
296 TOMOYO_TYPE_CHGRP,
297 TOMOYO_MAX_PATH_NUMBER_OPERATION
298 };
299
300 /* Index numbers for /sys/kernel/security/tomoyo/ interfaces. */
301 enum tomoyo_securityfs_interface_index {
302 TOMOYO_DOMAINPOLICY,
303 TOMOYO_EXCEPTIONPOLICY,
304 TOMOYO_PROCESS_STATUS,
305 TOMOYO_STAT,
306 TOMOYO_AUDIT,
307 TOMOYO_VERSION,
308 TOMOYO_PROFILE,
309 TOMOYO_QUERY,
310 TOMOYO_MANAGER
311 };
312
313 /* Index numbers for special mount operations. */
314 enum tomoyo_special_mount {
315 TOMOYO_MOUNT_BIND, /* mount --bind /source /dest */
316 TOMOYO_MOUNT_MOVE, /* mount --move /old /new */
317 TOMOYO_MOUNT_REMOUNT, /* mount -o remount /dir */
318 TOMOYO_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
319 TOMOYO_MOUNT_MAKE_PRIVATE, /* mount --make-private /dir */
320 TOMOYO_MOUNT_MAKE_SLAVE, /* mount --make-slave /dir */
321 TOMOYO_MOUNT_MAKE_SHARED, /* mount --make-shared /dir */
322 TOMOYO_MAX_SPECIAL_MOUNT
323 };
324
325 /* Index numbers for functionality. */
326 enum tomoyo_mac_index {
327 TOMOYO_MAC_FILE_EXECUTE,
328 TOMOYO_MAC_FILE_OPEN,
329 TOMOYO_MAC_FILE_CREATE,
330 TOMOYO_MAC_FILE_UNLINK,
331 TOMOYO_MAC_FILE_GETATTR,
332 TOMOYO_MAC_FILE_MKDIR,
333 TOMOYO_MAC_FILE_RMDIR,
334 TOMOYO_MAC_FILE_MKFIFO,
335 TOMOYO_MAC_FILE_MKSOCK,
336 TOMOYO_MAC_FILE_TRUNCATE,
337 TOMOYO_MAC_FILE_SYMLINK,
338 TOMOYO_MAC_FILE_MKBLOCK,
339 TOMOYO_MAC_FILE_MKCHAR,
340 TOMOYO_MAC_FILE_LINK,
341 TOMOYO_MAC_FILE_RENAME,
342 TOMOYO_MAC_FILE_CHMOD,
343 TOMOYO_MAC_FILE_CHOWN,
344 TOMOYO_MAC_FILE_CHGRP,
345 TOMOYO_MAC_FILE_IOCTL,
346 TOMOYO_MAC_FILE_CHROOT,
347 TOMOYO_MAC_FILE_MOUNT,
348 TOMOYO_MAC_FILE_UMOUNT,
349 TOMOYO_MAC_FILE_PIVOT_ROOT,
350 TOMOYO_MAC_NETWORK_INET_STREAM_BIND,
351 TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN,
352 TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT,
353 TOMOYO_MAC_NETWORK_INET_DGRAM_BIND,
354 TOMOYO_MAC_NETWORK_INET_DGRAM_SEND,
355 TOMOYO_MAC_NETWORK_INET_RAW_BIND,
356 TOMOYO_MAC_NETWORK_INET_RAW_SEND,
357 TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND,
358 TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN,
359 TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT,
360 TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND,
361 TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND,
362 TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND,
363 TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
364 TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
365 TOMOYO_MAC_ENVIRON,
366 TOMOYO_MAX_MAC_INDEX
367 };
368
369 /* Index numbers for category of functionality. */
370 enum tomoyo_mac_category_index {
371 TOMOYO_MAC_CATEGORY_FILE,
372 TOMOYO_MAC_CATEGORY_NETWORK,
373 TOMOYO_MAC_CATEGORY_MISC,
374 TOMOYO_MAX_MAC_CATEGORY_INDEX
375 };
376
377 /*
378 * Retry this request. Returned by tomoyo_supervisor() if policy violation has
379 * occurred in enforcing mode and the userspace daemon decided to retry.
380 *
381 * We must choose a positive value in order to distinguish "granted" (which is
382 * 0) and "rejected" (which is a negative value) and "retry".
383 */
384 #define TOMOYO_RETRY_REQUEST 1
385
386 /* Index numbers for /sys/kernel/security/tomoyo/stat interface. */
387 enum tomoyo_policy_stat_type {
388 /* Do not change this order. */
389 TOMOYO_STAT_POLICY_UPDATES,
390 TOMOYO_STAT_POLICY_LEARNING, /* == TOMOYO_CONFIG_LEARNING */
391 TOMOYO_STAT_POLICY_PERMISSIVE, /* == TOMOYO_CONFIG_PERMISSIVE */
392 TOMOYO_STAT_POLICY_ENFORCING, /* == TOMOYO_CONFIG_ENFORCING */
393 TOMOYO_MAX_POLICY_STAT
394 };
395
396 /* Index numbers for profile's PREFERENCE values. */
397 enum tomoyo_pref_index {
398 TOMOYO_PREF_MAX_AUDIT_LOG,
399 TOMOYO_PREF_MAX_LEARNING_ENTRY,
400 TOMOYO_MAX_PREF
401 };
402
403 /********** Structure definitions. **********/
404
405 /* Common header for holding ACL entries. */
406 struct tomoyo_acl_head {
407 struct list_head list;
408 s8 is_deleted; /* true or false or TOMOYO_GC_IN_PROGRESS */
409 } __packed;
410
411 /* Common header for shared entries. */
412 struct tomoyo_shared_acl_head {
413 struct list_head list;
414 atomic_t users;
415 } __packed;
416
417 struct tomoyo_policy_namespace;
418
419 /* Structure for request info. */
420 struct tomoyo_request_info {
421 /*
422 * For holding parameters specific to operations which deal files.
423 * NULL if not dealing files.
424 */
425 struct tomoyo_obj_info *obj;
426 /*
427 * For holding parameters specific to execve() request.
428 * NULL if not dealing execve().
429 */
430 struct tomoyo_execve *ee;
431 struct tomoyo_domain_info *domain;
432 /* For holding parameters. */
433 union {
434 struct {
435 const struct tomoyo_path_info *filename;
436 /* For using wildcards at tomoyo_find_next_domain(). */
437 const struct tomoyo_path_info *matched_path;
438 /* One of values in "enum tomoyo_path_acl_index". */
439 u8 operation;
440 } path;
441 struct {
442 const struct tomoyo_path_info *filename1;
443 const struct tomoyo_path_info *filename2;
444 /* One of values in "enum tomoyo_path2_acl_index". */
445 u8 operation;
446 } path2;
447 struct {
448 const struct tomoyo_path_info *filename;
449 unsigned int mode;
450 unsigned int major;
451 unsigned int minor;
452 /* One of values in "enum tomoyo_mkdev_acl_index". */
453 u8 operation;
454 } mkdev;
455 struct {
456 const struct tomoyo_path_info *filename;
457 unsigned long number;
458 /*
459 * One of values in
460 * "enum tomoyo_path_number_acl_index".
461 */
462 u8 operation;
463 } path_number;
464 struct {
465 const struct tomoyo_path_info *name;
466 } environ;
467 struct {
468 const __be32 *address;
469 u16 port;
470 /* One of values smaller than TOMOYO_SOCK_MAX. */
471 u8 protocol;
472 /* One of values in "enum tomoyo_network_acl_index". */
473 u8 operation;
474 bool is_ipv6;
475 } inet_network;
476 struct {
477 const struct tomoyo_path_info *address;
478 /* One of values smaller than TOMOYO_SOCK_MAX. */
479 u8 protocol;
480 /* One of values in "enum tomoyo_network_acl_index". */
481 u8 operation;
482 } unix_network;
483 struct {
484 const struct tomoyo_path_info *type;
485 const struct tomoyo_path_info *dir;
486 const struct tomoyo_path_info *dev;
487 unsigned long flags;
488 int need_dev;
489 } mount;
490 struct {
491 const struct tomoyo_path_info *domainname;
492 } task;
493 } param;
494 struct tomoyo_acl_info *matched_acl;
495 u8 param_type;
496 bool granted;
497 u8 retry;
498 u8 profile;
499 u8 mode; /* One of tomoyo_mode_index . */
500 u8 type;
501 };
502
503 /* Structure for holding a token. */
504 struct tomoyo_path_info {
505 const char *name;
506 u32 hash; /* = full_name_hash(name, strlen(name)) */
507 u16 const_len; /* = tomoyo_const_part_length(name) */
508 bool is_dir; /* = tomoyo_strendswith(name, "/") */
509 bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
510 };
511
512 /* Structure for holding string data. */
513 struct tomoyo_name {
514 struct tomoyo_shared_acl_head head;
515 struct tomoyo_path_info entry;
516 };
517
518 /* Structure for holding a word. */
519 struct tomoyo_name_union {
520 /* Either @filename or @group is NULL. */
521 const struct tomoyo_path_info *filename;
522 struct tomoyo_group *group;
523 };
524
525 /* Structure for holding a number. */
526 struct tomoyo_number_union {
527 unsigned long values[2];
528 struct tomoyo_group *group; /* Maybe NULL. */
529 /* One of values in "enum tomoyo_value_type". */
530 u8 value_type[2];
531 };
532
533 /* Structure for holding an IP address. */
534 struct tomoyo_ipaddr_union {
535 struct in6_addr ip[2]; /* Big endian. */
536 struct tomoyo_group *group; /* Pointer to address group. */
537 bool is_ipv6; /* Valid only if @group == NULL. */
538 };
539
540 /* Structure for "path_group"/"number_group"/"address_group" directive. */
541 struct tomoyo_group {
542 struct tomoyo_shared_acl_head head;
543 const struct tomoyo_path_info *group_name;
544 struct list_head member_list;
545 };
546
547 /* Structure for "path_group" directive. */
548 struct tomoyo_path_group {
549 struct tomoyo_acl_head head;
550 const struct tomoyo_path_info *member_name;
551 };
552
553 /* Structure for "number_group" directive. */
554 struct tomoyo_number_group {
555 struct tomoyo_acl_head head;
556 struct tomoyo_number_union number;
557 };
558
559 /* Structure for "address_group" directive. */
560 struct tomoyo_address_group {
561 struct tomoyo_acl_head head;
562 /* Structure for holding an IP address. */
563 struct tomoyo_ipaddr_union address;
564 };
565
566 /* Subset of "struct stat". Used by conditional ACL and audit logs. */
567 struct tomoyo_mini_stat {
568 kuid_t uid;
569 kgid_t gid;
570 ino_t ino;
571 umode_t mode;
572 dev_t dev;
573 dev_t rdev;
574 };
575
576 /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */
577 struct tomoyo_page_dump {
578 struct page *page; /* Previously dumped page. */
579 char *data; /* Contents of "page". Size is PAGE_SIZE. */
580 };
581
582 /* Structure for attribute checks in addition to pathname checks. */
583 struct tomoyo_obj_info {
584 /*
585 * True if tomoyo_get_attributes() was already called, false otherwise.
586 */
587 bool validate_done;
588 /* True if @stat[] is valid. */
589 bool stat_valid[TOMOYO_MAX_PATH_STAT];
590 /* First pathname. Initialized with { NULL, NULL } if no path. */
591 struct path path1;
592 /* Second pathname. Initialized with { NULL, NULL } if no path. */
593 struct path path2;
594 /*
595 * Information on @path1, @path1's parent directory, @path2, @path2's
596 * parent directory.
597 */
598 struct tomoyo_mini_stat stat[TOMOYO_MAX_PATH_STAT];
599 /*
600 * Content of symbolic link to be created. NULL for operations other
601 * than symlink().
602 */
603 struct tomoyo_path_info *symlink_target;
604 };
605
606 /* Structure for argv[]. */
607 struct tomoyo_argv {
608 unsigned long index;
609 const struct tomoyo_path_info *value;
610 bool is_not;
611 };
612
613 /* Structure for envp[]. */
614 struct tomoyo_envp {
615 const struct tomoyo_path_info *name;
616 const struct tomoyo_path_info *value;
617 bool is_not;
618 };
619
620 /* Structure for execve() operation. */
621 struct tomoyo_execve {
622 struct tomoyo_request_info r;
623 struct tomoyo_obj_info obj;
624 struct linux_binprm *bprm;
625 const struct tomoyo_path_info *transition;
626 /* For dumping argv[] and envp[]. */
627 struct tomoyo_page_dump dump;
628 /* For temporary use. */
629 char *tmp; /* Size is TOMOYO_EXEC_TMPSIZE bytes */
630 };
631
632 /* Structure for entries which follows "struct tomoyo_condition". */
633 struct tomoyo_condition_element {
634 /*
635 * Left hand operand. A "struct tomoyo_argv" for TOMOYO_ARGV_ENTRY, a
636 * "struct tomoyo_envp" for TOMOYO_ENVP_ENTRY is attached to the tail
637 * of the array of this struct.
638 */
639 u8 left;
640 /*
641 * Right hand operand. A "struct tomoyo_number_union" for
642 * TOMOYO_NUMBER_UNION, a "struct tomoyo_name_union" for
643 * TOMOYO_NAME_UNION is attached to the tail of the array of this
644 * struct.
645 */
646 u8 right;
647 /* Equation operator. True if equals or overlaps, false otherwise. */
648 bool equals;
649 };
650
651 /* Structure for optional arguments. */
652 struct tomoyo_condition {
653 struct tomoyo_shared_acl_head head;
654 u32 size; /* Memory size allocated for this entry. */
655 u16 condc; /* Number of conditions in this struct. */
656 u16 numbers_count; /* Number of "struct tomoyo_number_union values". */
657 u16 names_count; /* Number of "struct tomoyo_name_union names". */
658 u16 argc; /* Number of "struct tomoyo_argv". */
659 u16 envc; /* Number of "struct tomoyo_envp". */
660 u8 grant_log; /* One of values in "enum tomoyo_grant_log". */
661 const struct tomoyo_path_info *transit; /* Maybe NULL. */
662 /*
663 * struct tomoyo_condition_element condition[condc];
664 * struct tomoyo_number_union values[numbers_count];
665 * struct tomoyo_name_union names[names_count];
666 * struct tomoyo_argv argv[argc];
667 * struct tomoyo_envp envp[envc];
668 */
669 };
670
671 /* Common header for individual entries. */
672 struct tomoyo_acl_info {
673 struct list_head list;
674 struct tomoyo_condition *cond; /* Maybe NULL. */
675 s8 is_deleted; /* true or false or TOMOYO_GC_IN_PROGRESS */
676 u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */
677 } __packed;
678
679 /* Structure for domain information. */
680 struct tomoyo_domain_info {
681 struct list_head list;
682 struct list_head acl_info_list;
683 /* Name of this domain. Never NULL. */
684 const struct tomoyo_path_info *domainname;
685 /* Namespace for this domain. Never NULL. */
686 struct tomoyo_policy_namespace *ns;
687 /* Group numbers to use. */
688 unsigned long group[TOMOYO_MAX_ACL_GROUPS / BITS_PER_LONG];
689 u8 profile; /* Profile number to use. */
690 bool is_deleted; /* Delete flag. */
691 bool flags[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
692 atomic_t users; /* Number of referring tasks. */
693 };
694
695 /*
696 * Structure for "task manual_domain_transition" directive.
697 */
698 struct tomoyo_task_acl {
699 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MANUAL_TASK_ACL */
700 /* Pointer to domainname. */
701 const struct tomoyo_path_info *domainname;
702 };
703
704 /*
705 * Structure for "file execute", "file read", "file write", "file append",
706 * "file unlink", "file getattr", "file rmdir", "file truncate",
707 * "file symlink", "file chroot" and "file unmount" directive.
708 */
709 struct tomoyo_path_acl {
710 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */
711 u16 perm; /* Bitmask of values in "enum tomoyo_path_acl_index". */
712 struct tomoyo_name_union name;
713 };
714
715 /*
716 * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
717 * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
718 */
719 struct tomoyo_path_number_acl {
720 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_NUMBER_ACL */
721 /* Bitmask of values in "enum tomoyo_path_number_acl_index". */
722 u8 perm;
723 struct tomoyo_name_union name;
724 struct tomoyo_number_union number;
725 };
726
727 /* Structure for "file mkblock" and "file mkchar" directive. */
728 struct tomoyo_mkdev_acl {
729 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MKDEV_ACL */
730 u8 perm; /* Bitmask of values in "enum tomoyo_mkdev_acl_index". */
731 struct tomoyo_name_union name;
732 struct tomoyo_number_union mode;
733 struct tomoyo_number_union major;
734 struct tomoyo_number_union minor;
735 };
736
737 /*
738 * Structure for "file rename", "file link" and "file pivot_root" directive.
739 */
740 struct tomoyo_path2_acl {
741 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */
742 u8 perm; /* Bitmask of values in "enum tomoyo_path2_acl_index". */
743 struct tomoyo_name_union name1;
744 struct tomoyo_name_union name2;
745 };
746
747 /* Structure for "file mount" directive. */
748 struct tomoyo_mount_acl {
749 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MOUNT_ACL */
750 struct tomoyo_name_union dev_name;
751 struct tomoyo_name_union dir_name;
752 struct tomoyo_name_union fs_type;
753 struct tomoyo_number_union flags;
754 };
755
756 /* Structure for "misc env" directive in domain policy. */
757 struct tomoyo_env_acl {
758 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_ENV_ACL */
759 const struct tomoyo_path_info *env; /* environment variable */
760 };
761
762 /* Structure for "network inet" directive. */
763 struct tomoyo_inet_acl {
764 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_INET_ACL */
765 u8 protocol;
766 u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
767 struct tomoyo_ipaddr_union address;
768 struct tomoyo_number_union port;
769 };
770
771 /* Structure for "network unix" directive. */
772 struct tomoyo_unix_acl {
773 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_UNIX_ACL */
774 u8 protocol;
775 u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
776 struct tomoyo_name_union name;
777 };
778
779 /* Structure for holding a line from /sys/kernel/security/tomoyo/ interface. */
780 struct tomoyo_acl_param {
781 char *data;
782 struct list_head *list;
783 struct tomoyo_policy_namespace *ns;
784 bool is_delete;
785 };
786
787 #define TOMOYO_MAX_IO_READ_QUEUE 64
788
789 /*
790 * Structure for reading/writing policy via /sys/kernel/security/tomoyo
791 * interfaces.
792 */
793 struct tomoyo_io_buffer {
794 void (*read)(struct tomoyo_io_buffer *head);
795 int (*write)(struct tomoyo_io_buffer *head);
796 __poll_t (*poll)(struct file *file, poll_table *wait);
797 /* Exclusive lock for this structure. */
798 struct mutex io_sem;
799 char __user *read_user_buf;
800 size_t read_user_buf_avail;
801 struct {
802 struct list_head *ns;
803 struct list_head *domain;
804 struct list_head *group;
805 struct list_head *acl;
806 size_t avail;
807 unsigned int step;
808 unsigned int query_index;
809 u16 index;
810 u16 cond_index;
811 u8 acl_group_index;
812 u8 cond_step;
813 u8 bit;
814 u8 w_pos;
815 bool eof;
816 bool print_this_domain_only;
817 bool print_transition_related_only;
818 bool print_cond_part;
819 const char *w[TOMOYO_MAX_IO_READ_QUEUE];
820 } r;
821 struct {
822 struct tomoyo_policy_namespace *ns;
823 /* The position currently writing to. */
824 struct tomoyo_domain_info *domain;
825 /* Bytes available for writing. */
826 size_t avail;
827 bool is_delete;
828 } w;
829 /* Buffer for reading. */
830 char *read_buf;
831 /* Size of read buffer. */
832 size_t readbuf_size;
833 /* Buffer for writing. */
834 char *write_buf;
835 /* Size of write buffer. */
836 size_t writebuf_size;
837 /* Type of this interface. */
838 enum tomoyo_securityfs_interface_index type;
839 /* Users counter protected by tomoyo_io_buffer_list_lock. */
840 u8 users;
841 /* List for telling GC not to kfree() elements. */
842 struct list_head list;
843 };
844
845 /*
846 * Structure for "initialize_domain"/"no_initialize_domain"/"keep_domain"/
847 * "no_keep_domain" keyword.
848 */
849 struct tomoyo_transition_control {
850 struct tomoyo_acl_head head;
851 u8 type; /* One of values in "enum tomoyo_transition_type". */
852 /* True if the domainname is tomoyo_get_last_name(). */
853 bool is_last_name;
854 const struct tomoyo_path_info *domainname; /* Maybe NULL */
855 const struct tomoyo_path_info *program; /* Maybe NULL */
856 };
857
858 /* Structure for "aggregator" keyword. */
859 struct tomoyo_aggregator {
860 struct tomoyo_acl_head head;
861 const struct tomoyo_path_info *original_name;
862 const struct tomoyo_path_info *aggregated_name;
863 };
864
865 /* Structure for policy manager. */
866 struct tomoyo_manager {
867 struct tomoyo_acl_head head;
868 /* A path to program or a domainname. */
869 const struct tomoyo_path_info *manager;
870 };
871
872 struct tomoyo_preference {
873 unsigned int learning_max_entry;
874 bool enforcing_verbose;
875 bool learning_verbose;
876 bool permissive_verbose;
877 };
878
879 /* Structure for /sys/kernel/security/tomnoyo/profile interface. */
880 struct tomoyo_profile {
881 const struct tomoyo_path_info *comment;
882 struct tomoyo_preference *learning;
883 struct tomoyo_preference *permissive;
884 struct tomoyo_preference *enforcing;
885 struct tomoyo_preference preference;
886 u8 default_config;
887 u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX];
888 unsigned int pref[TOMOYO_MAX_PREF];
889 };
890
891 /* Structure for representing YYYY/MM/DD hh/mm/ss. */
892 struct tomoyo_time {
893 u16 year;
894 u8 month;
895 u8 day;
896 u8 hour;
897 u8 min;
898 u8 sec;
899 };
900
901 /* Structure for policy namespace. */
902 struct tomoyo_policy_namespace {
903 /* Profile table. Memory is allocated as needed. */
904 struct tomoyo_profile *profile_ptr[TOMOYO_MAX_PROFILES];
905 /* List of "struct tomoyo_group". */
906 struct list_head group_list[TOMOYO_MAX_GROUP];
907 /* List of policy. */
908 struct list_head policy_list[TOMOYO_MAX_POLICY];
909 /* The global ACL referred by "use_group" keyword. */
910 struct list_head acl_group[TOMOYO_MAX_ACL_GROUPS];
911 /* List for connecting to tomoyo_namespace_list list. */
912 struct list_head namespace_list;
913 /* Profile version. Currently only 20150505 is defined. */
914 unsigned int profile_version;
915 /* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */
916 const char *name;
917 };
918
919 /* Structure for "struct task_struct"->security. */
920 struct tomoyo_task {
921 struct tomoyo_domain_info *domain_info;
922 struct tomoyo_domain_info *old_domain_info;
923 };
924
925 /********** Function prototypes. **********/
926
927 bool tomoyo_address_matches_group(const bool is_ipv6, const __be32 *address,
928 const struct tomoyo_group *group);
929 bool tomoyo_compare_number_union(const unsigned long value,
930 const struct tomoyo_number_union *ptr);
931 bool tomoyo_condition(struct tomoyo_request_info *r,
932 const struct tomoyo_condition *cond);
933 bool tomoyo_correct_domain(const unsigned char *domainname);
934 bool tomoyo_correct_path(const char *filename);
935 bool tomoyo_correct_word(const char *string);
936 bool tomoyo_domain_def(const unsigned char *buffer);
937 bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);
938 bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
939 struct tomoyo_page_dump *dump);
940 bool tomoyo_memory_ok(void *ptr);
941 bool tomoyo_number_matches_group(const unsigned long min,
942 const unsigned long max,
943 const struct tomoyo_group *group);
944 bool tomoyo_parse_ipaddr_union(struct tomoyo_acl_param *param,
945 struct tomoyo_ipaddr_union *ptr);
946 bool tomoyo_parse_name_union(struct tomoyo_acl_param *param,
947 struct tomoyo_name_union *ptr);
948 bool tomoyo_parse_number_union(struct tomoyo_acl_param *param,
949 struct tomoyo_number_union *ptr);
950 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
951 const struct tomoyo_path_info *pattern);
952 bool tomoyo_permstr(const char *string, const char *keyword);
953 bool tomoyo_str_starts(char **src, const char *find);
954 char *tomoyo_encode(const char *str);
955 char *tomoyo_encode2(const char *str, int str_len);
956 char *tomoyo_init_log(struct tomoyo_request_info *r, int len, const char *fmt,
957 va_list args) __printf(3, 0);
958 char *tomoyo_read_token(struct tomoyo_acl_param *param);
959 char *tomoyo_realpath_from_path(const struct path *path);
960 char *tomoyo_realpath_nofollow(const char *pathname);
961 const char *tomoyo_get_exe(void);
962 const struct tomoyo_path_info *tomoyo_compare_name_union
963 (const struct tomoyo_path_info *name, const struct tomoyo_name_union *ptr);
964 const struct tomoyo_path_info *tomoyo_get_domainname
965 (struct tomoyo_acl_param *param);
966 const struct tomoyo_path_info *tomoyo_get_name(const char *name);
967 const struct tomoyo_path_info *tomoyo_path_matches_group
968 (const struct tomoyo_path_info *pathname, const struct tomoyo_group *group);
969 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
970 const struct path *path, const int flag);
971 void tomoyo_close_control(struct tomoyo_io_buffer *head);
972 int tomoyo_env_perm(struct tomoyo_request_info *r, const char *env);
973 int tomoyo_execute_permission(struct tomoyo_request_info *r,
974 const struct tomoyo_path_info *filename);
975 int tomoyo_find_next_domain(struct linux_binprm *bprm);
976 int tomoyo_get_mode(const struct tomoyo_policy_namespace *ns, const u8 profile,
977 const u8 index);
978 int tomoyo_init_request_info(struct tomoyo_request_info *r,
979 struct tomoyo_domain_info *domain,
980 const u8 index);
981 int tomoyo_mkdev_perm(const u8 operation, const struct path *path,
982 const unsigned int mode, unsigned int dev);
983 int tomoyo_mount_permission(const char *dev_name, const struct path *path,
984 const char *type, unsigned long flags,
985 void *data_page);
986 int tomoyo_open_control(const u8 type, struct file *file);
987 int tomoyo_path2_perm(const u8 operation, const struct path *path1,
988 const struct path *path2);
989 int tomoyo_path_number_perm(const u8 operation, const struct path *path,
990 unsigned long number);
991 int tomoyo_path_perm(const u8 operation, const struct path *path,
992 const char *target);
993 __poll_t tomoyo_poll_control(struct file *file, poll_table *wait);
994 __poll_t tomoyo_poll_log(struct file *file, poll_table *wait);
995 int tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr,
996 int addr_len);
997 int tomoyo_socket_connect_permission(struct socket *sock,
998 struct sockaddr *addr, int addr_len);
999 int tomoyo_socket_listen_permission(struct socket *sock);
1000 int tomoyo_socket_sendmsg_permission(struct socket *sock, struct msghdr *msg,
1001 int size);
1002 int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
1003 __printf(2, 3);
1004 int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
1005 struct tomoyo_acl_param *param,
1006 bool (*check_duplicate)
1007 (const struct tomoyo_acl_info *,
1008 const struct tomoyo_acl_info *),
1009 bool (*merge_duplicate)
1010 (struct tomoyo_acl_info *, struct tomoyo_acl_info *,
1011 const bool));
1012 int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
1013 struct tomoyo_acl_param *param,
1014 bool (*check_duplicate)
1015 (const struct tomoyo_acl_head *,
1016 const struct tomoyo_acl_head *));
1017 int tomoyo_write_aggregator(struct tomoyo_acl_param *param);
1018 int tomoyo_write_file(struct tomoyo_acl_param *param);
1019 int tomoyo_write_group(struct tomoyo_acl_param *param, const u8 type);
1020 int tomoyo_write_misc(struct tomoyo_acl_param *param);
1021 int tomoyo_write_inet_network(struct tomoyo_acl_param *param);
1022 int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
1023 const u8 type);
1024 int tomoyo_write_unix_network(struct tomoyo_acl_param *param);
1025 ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
1026 const int buffer_len);
1027 ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
1028 const char __user *buffer, const int buffer_len);
1029 struct tomoyo_condition *tomoyo_get_condition(struct tomoyo_acl_param *param);
1030 struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
1031 const bool transit);
1032 struct tomoyo_domain_info *tomoyo_domain(void);
1033 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
1034 struct tomoyo_group *tomoyo_get_group(struct tomoyo_acl_param *param,
1035 const u8 idx);
1036 struct tomoyo_policy_namespace *tomoyo_assign_namespace
1037 (const char *domainname);
1038 struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns,
1039 const u8 profile);
1040 u8 tomoyo_parse_ulong(unsigned long *result, char **str);
1041 void *tomoyo_commit_ok(void *data, const unsigned int size);
1042 void __init tomoyo_load_builtin_policy(void);
1043 void __init tomoyo_mm_init(void);
1044 void tomoyo_check_acl(struct tomoyo_request_info *r,
1045 bool (*check_entry)(struct tomoyo_request_info *,
1046 const struct tomoyo_acl_info *));
1047 void tomoyo_check_profile(void);
1048 void tomoyo_convert_time(time64_t time, struct tomoyo_time *stamp);
1049 void tomoyo_del_condition(struct list_head *element);
1050 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
1051 void tomoyo_get_attributes(struct tomoyo_obj_info *obj);
1052 void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns);
1053 void tomoyo_load_policy(const char *filename);
1054 void tomoyo_normalize_line(unsigned char *buffer);
1055 void tomoyo_notify_gc(struct tomoyo_io_buffer *head, const bool is_register);
1056 void tomoyo_print_ip(char *buf, const unsigned int size,
1057 const struct tomoyo_ipaddr_union *ptr);
1058 void tomoyo_print_ulong(char *buffer, const int buffer_len,
1059 const unsigned long value, const u8 type);
1060 void tomoyo_put_name_union(struct tomoyo_name_union *ptr);
1061 void tomoyo_put_number_union(struct tomoyo_number_union *ptr);
1062 void tomoyo_read_log(struct tomoyo_io_buffer *head);
1063 void tomoyo_update_stat(const u8 index);
1064 void tomoyo_warn_oom(const char *function);
1065 void tomoyo_write_log(struct tomoyo_request_info *r, const char *fmt, ...)
1066 __printf(2, 3);
1067 void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
1068 va_list args) __printf(3, 0);
1069
1070 /********** External variable definitions. **********/
1071
1072 extern bool tomoyo_policy_loaded;
1073 extern int tomoyo_enabled;
1074 extern const char * const tomoyo_condition_keyword
1075 [TOMOYO_MAX_CONDITION_KEYWORD];
1076 extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
1077 extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
1078 + TOMOYO_MAX_MAC_CATEGORY_INDEX];
1079 extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
1080 extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
1081 extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
1082 extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
1083 extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
1084 extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
1085 extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
1086 extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];
1087 extern struct list_head tomoyo_condition_list;
1088 extern struct list_head tomoyo_domain_list;
1089 extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
1090 extern struct list_head tomoyo_namespace_list;
1091 extern struct mutex tomoyo_policy_lock;
1092 extern struct srcu_struct tomoyo_ss;
1093 extern struct tomoyo_domain_info tomoyo_kernel_domain;
1094 extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
1095 extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];
1096 extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];
1097 extern struct lsm_blob_sizes tomoyo_blob_sizes;
1098
1099 /********** Inlined functions. **********/
1100
1101 /**
1102 * tomoyo_read_lock - Take lock for protecting policy.
1103 *
1104 * Returns index number for tomoyo_read_unlock().
1105 */
tomoyo_read_lock(void)1106 static inline int tomoyo_read_lock(void)
1107 {
1108 return srcu_read_lock(&tomoyo_ss);
1109 }
1110
1111 /**
1112 * tomoyo_read_unlock - Release lock for protecting policy.
1113 *
1114 * @idx: Index number returned by tomoyo_read_lock().
1115 *
1116 * Returns nothing.
1117 */
tomoyo_read_unlock(int idx)1118 static inline void tomoyo_read_unlock(int idx)
1119 {
1120 srcu_read_unlock(&tomoyo_ss, idx);
1121 }
1122
1123 /**
1124 * tomoyo_sys_getppid - Copy of getppid().
1125 *
1126 * Returns parent process's PID.
1127 *
1128 * Alpha does not have getppid() defined. To be able to build this module on
1129 * Alpha, I have to copy getppid() from kernel/timer.c.
1130 */
tomoyo_sys_getppid(void)1131 static inline pid_t tomoyo_sys_getppid(void)
1132 {
1133 pid_t pid;
1134
1135 rcu_read_lock();
1136 pid = task_tgid_vnr(rcu_dereference(current->real_parent));
1137 rcu_read_unlock();
1138 return pid;
1139 }
1140
1141 /**
1142 * tomoyo_sys_getpid - Copy of getpid().
1143 *
1144 * Returns current thread's PID.
1145 *
1146 * Alpha does not have getpid() defined. To be able to build this module on
1147 * Alpha, I have to copy getpid() from kernel/timer.c.
1148 */
tomoyo_sys_getpid(void)1149 static inline pid_t tomoyo_sys_getpid(void)
1150 {
1151 return task_tgid_vnr(current);
1152 }
1153
1154 /**
1155 * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure.
1156 *
1157 * @a: Pointer to "struct tomoyo_path_info".
1158 * @b: Pointer to "struct tomoyo_path_info".
1159 *
1160 * Returns true if @a == @b, false otherwise.
1161 */
tomoyo_pathcmp(const struct tomoyo_path_info * a,const struct tomoyo_path_info * b)1162 static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
1163 const struct tomoyo_path_info *b)
1164 {
1165 return a->hash != b->hash || strcmp(a->name, b->name);
1166 }
1167
1168 /**
1169 * tomoyo_put_name - Drop reference on "struct tomoyo_name".
1170 *
1171 * @name: Pointer to "struct tomoyo_path_info". Maybe NULL.
1172 *
1173 * Returns nothing.
1174 */
tomoyo_put_name(const struct tomoyo_path_info * name)1175 static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
1176 {
1177 if (name) {
1178 struct tomoyo_name *ptr =
1179 container_of(name, typeof(*ptr), entry);
1180 atomic_dec(&ptr->head.users);
1181 }
1182 }
1183
1184 /**
1185 * tomoyo_put_condition - Drop reference on "struct tomoyo_condition".
1186 *
1187 * @cond: Pointer to "struct tomoyo_condition". Maybe NULL.
1188 *
1189 * Returns nothing.
1190 */
tomoyo_put_condition(struct tomoyo_condition * cond)1191 static inline void tomoyo_put_condition(struct tomoyo_condition *cond)
1192 {
1193 if (cond)
1194 atomic_dec(&cond->head.users);
1195 }
1196
1197 /**
1198 * tomoyo_put_group - Drop reference on "struct tomoyo_group".
1199 *
1200 * @group: Pointer to "struct tomoyo_group". Maybe NULL.
1201 *
1202 * Returns nothing.
1203 */
tomoyo_put_group(struct tomoyo_group * group)1204 static inline void tomoyo_put_group(struct tomoyo_group *group)
1205 {
1206 if (group)
1207 atomic_dec(&group->head.users);
1208 }
1209
1210 /**
1211 * tomoyo_task - Get "struct tomoyo_task" for specified thread.
1212 *
1213 * @task - Pointer to "struct task_struct".
1214 *
1215 * Returns pointer to "struct tomoyo_task" for specified thread.
1216 */
tomoyo_task(struct task_struct * task)1217 static inline struct tomoyo_task *tomoyo_task(struct task_struct *task)
1218 {
1219 return task->security + tomoyo_blob_sizes.lbs_task;
1220 }
1221
1222 /**
1223 * tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry.
1224 *
1225 * @a: Pointer to "struct tomoyo_name_union".
1226 * @b: Pointer to "struct tomoyo_name_union".
1227 *
1228 * Returns true if @a == @b, false otherwise.
1229 */
tomoyo_same_name_union(const struct tomoyo_name_union * a,const struct tomoyo_name_union * b)1230 static inline bool tomoyo_same_name_union
1231 (const struct tomoyo_name_union *a, const struct tomoyo_name_union *b)
1232 {
1233 return a->filename == b->filename && a->group == b->group;
1234 }
1235
1236 /**
1237 * tomoyo_same_number_union - Check for duplicated "struct tomoyo_number_union" entry.
1238 *
1239 * @a: Pointer to "struct tomoyo_number_union".
1240 * @b: Pointer to "struct tomoyo_number_union".
1241 *
1242 * Returns true if @a == @b, false otherwise.
1243 */
tomoyo_same_number_union(const struct tomoyo_number_union * a,const struct tomoyo_number_union * b)1244 static inline bool tomoyo_same_number_union
1245 (const struct tomoyo_number_union *a, const struct tomoyo_number_union *b)
1246 {
1247 return a->values[0] == b->values[0] && a->values[1] == b->values[1] &&
1248 a->group == b->group && a->value_type[0] == b->value_type[0] &&
1249 a->value_type[1] == b->value_type[1];
1250 }
1251
1252 /**
1253 * tomoyo_same_ipaddr_union - Check for duplicated "struct tomoyo_ipaddr_union" entry.
1254 *
1255 * @a: Pointer to "struct tomoyo_ipaddr_union".
1256 * @b: Pointer to "struct tomoyo_ipaddr_union".
1257 *
1258 * Returns true if @a == @b, false otherwise.
1259 */
tomoyo_same_ipaddr_union(const struct tomoyo_ipaddr_union * a,const struct tomoyo_ipaddr_union * b)1260 static inline bool tomoyo_same_ipaddr_union
1261 (const struct tomoyo_ipaddr_union *a, const struct tomoyo_ipaddr_union *b)
1262 {
1263 return !memcmp(a->ip, b->ip, sizeof(a->ip)) && a->group == b->group &&
1264 a->is_ipv6 == b->is_ipv6;
1265 }
1266
1267 /**
1268 * tomoyo_current_namespace - Get "struct tomoyo_policy_namespace" for current thread.
1269 *
1270 * Returns pointer to "struct tomoyo_policy_namespace" for current thread.
1271 */
tomoyo_current_namespace(void)1272 static inline struct tomoyo_policy_namespace *tomoyo_current_namespace(void)
1273 {
1274 return tomoyo_domain()->ns;
1275 }
1276
1277 /**
1278 * list_for_each_cookie - iterate over a list with cookie.
1279 * @pos: the &struct list_head to use as a loop cursor.
1280 * @head: the head for your list.
1281 */
1282 #define list_for_each_cookie(pos, head) \
1283 if (!pos) \
1284 pos = srcu_dereference((head)->next, &tomoyo_ss); \
1285 for ( ; pos != (head); pos = srcu_dereference(pos->next, &tomoyo_ss))
1286
1287 #endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */
1288