1  /* SPDX-License-Identifier: GPL-2.0 */
2  /*
3   * security/tomoyo/common.h
4   *
5   * Header file for TOMOYO.
6   *
7   * Copyright (C) 2005-2011  NTT DATA CORPORATION
8   */
9  
10  #ifndef _SECURITY_TOMOYO_COMMON_H
11  #define _SECURITY_TOMOYO_COMMON_H
12  
13  #define pr_fmt(fmt) fmt /* Identity expansion: pr_*() messages in files including this header get no added prefix. */
14  
15  #include <linux/ctype.h>
16  #include <linux/string.h>
17  #include <linux/mm.h>
18  #include <linux/file.h>
19  #include <linux/kmod.h>
20  #include <linux/fs.h>
21  #include <linux/sched.h>
22  #include <linux/namei.h>
23  #include <linux/mount.h>
24  #include <linux/list.h>
25  #include <linux/cred.h>
26  #include <linux/poll.h>
27  #include <linux/binfmts.h>
28  #include <linux/highmem.h>
29  #include <linux/net.h>
30  #include <linux/inet.h>
31  #include <linux/in.h>
32  #include <linux/in6.h>
33  #include <linux/un.h>
34  #include <linux/lsm_hooks.h>
35  #include <net/sock.h>
36  #include <net/af_unix.h>
37  #include <net/ip.h>
38  #include <net/ipv6.h>
39  #include <net/udp.h>
40  
41  /********** Constants definitions. **********/
42  
43  /*
44   * TOMOYO uses this hash only when appending a string into the string
45   * table. Frequency of appending strings is very low. So we don't need
46   * large (e.g. 64k) hash size. 256 (1u << TOMOYO_HASH_BITS) will be sufficient.
47   */
48  #define TOMOYO_HASH_BITS  8
49  #define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
50  
51  /*
52   * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
53   * Therefore, we don't need SOCK_MAX. The u8 "protocol" fields below must hold a value smaller than this.
54   */
55  #define TOMOYO_SOCK_MAX 6
56  
57  #define TOMOYO_EXEC_TMPSIZE     4096 /* Size in bytes of "struct tomoyo_execve"->tmp. */
58  
59  /* Garbage collector is trying to kfree() this element. Stored in the s8 is_deleted members. */
60  #define TOMOYO_GC_IN_PROGRESS -1
61  
62  /* Profile number is an integer between 0 and 255. Sizes profile_ptr[] in "struct tomoyo_policy_namespace". */
63  #define TOMOYO_MAX_PROFILES 256
64  
65  /* Group number is an integer between 0 and 255. Sizes acl_group[] and the per-domain group[] bitmap. */
66  #define TOMOYO_MAX_ACL_GROUPS 256
67  
68  /* Index numbers for "struct tomoyo_condition". Used as the u8 left/right operand codes of "struct tomoyo_condition_element". */
69  enum tomoyo_conditions_index {
70  	TOMOYO_TASK_UID,             /* current_uid()   */
71  	TOMOYO_TASK_EUID,            /* current_euid()  */
72  	TOMOYO_TASK_SUID,            /* current_suid()  */
73  	TOMOYO_TASK_FSUID,           /* current_fsuid() */
74  	TOMOYO_TASK_GID,             /* current_gid()   */
75  	TOMOYO_TASK_EGID,            /* current_egid()  */
76  	TOMOYO_TASK_SGID,            /* current_sgid()  */
77  	TOMOYO_TASK_FSGID,           /* current_fsgid() */
78  	TOMOYO_TASK_PID,             /* sys_getpid()   */
79  	TOMOYO_TASK_PPID,            /* sys_getppid()  */
80  	TOMOYO_EXEC_ARGC,            /* "struct linux_binprm *"->argc */
81  	TOMOYO_EXEC_ENVC,            /* "struct linux_binprm *"->envc */
82  	TOMOYO_TYPE_IS_SOCKET,       /* S_IFSOCK */
83  	TOMOYO_TYPE_IS_SYMLINK,      /* S_IFLNK */
84  	TOMOYO_TYPE_IS_FILE,         /* S_IFREG */
85  	TOMOYO_TYPE_IS_BLOCK_DEV,    /* S_IFBLK */
86  	TOMOYO_TYPE_IS_DIRECTORY,    /* S_IFDIR */
87  	TOMOYO_TYPE_IS_CHAR_DEV,     /* S_IFCHR */
88  	TOMOYO_TYPE_IS_FIFO,         /* S_IFIFO */
89  	TOMOYO_MODE_SETUID,          /* S_ISUID */
90  	TOMOYO_MODE_SETGID,          /* S_ISGID */
91  	TOMOYO_MODE_STICKY,          /* S_ISVTX */
92  	TOMOYO_MODE_OWNER_READ,      /* S_IRUSR */
93  	TOMOYO_MODE_OWNER_WRITE,     /* S_IWUSR */
94  	TOMOYO_MODE_OWNER_EXECUTE,   /* S_IXUSR */
95  	TOMOYO_MODE_GROUP_READ,      /* S_IRGRP */
96  	TOMOYO_MODE_GROUP_WRITE,     /* S_IWGRP */
97  	TOMOYO_MODE_GROUP_EXECUTE,   /* S_IXGRP */
98  	TOMOYO_MODE_OTHERS_READ,     /* S_IROTH */
99  	TOMOYO_MODE_OTHERS_WRITE,    /* S_IWOTH */
100  	TOMOYO_MODE_OTHERS_EXECUTE,  /* S_IXOTH */
101  	TOMOYO_EXEC_REALPATH,
102  	TOMOYO_SYMLINK_TARGET,
103  	TOMOYO_PATH1_UID,
104  	TOMOYO_PATH1_GID,
105  	TOMOYO_PATH1_INO,
106  	TOMOYO_PATH1_MAJOR,
107  	TOMOYO_PATH1_MINOR,
108  	TOMOYO_PATH1_PERM,
109  	TOMOYO_PATH1_TYPE,
110  	TOMOYO_PATH1_DEV_MAJOR,
111  	TOMOYO_PATH1_DEV_MINOR,
112  	TOMOYO_PATH2_UID,
113  	TOMOYO_PATH2_GID,
114  	TOMOYO_PATH2_INO,
115  	TOMOYO_PATH2_MAJOR,
116  	TOMOYO_PATH2_MINOR,
117  	TOMOYO_PATH2_PERM,
118  	TOMOYO_PATH2_TYPE,
119  	TOMOYO_PATH2_DEV_MAJOR,
120  	TOMOYO_PATH2_DEV_MINOR,
121  	TOMOYO_PATH1_PARENT_UID,
122  	TOMOYO_PATH1_PARENT_GID,
123  	TOMOYO_PATH1_PARENT_INO,
124  	TOMOYO_PATH1_PARENT_PERM,
125  	TOMOYO_PATH2_PARENT_UID,
126  	TOMOYO_PATH2_PARENT_GID,
127  	TOMOYO_PATH2_PARENT_INO,
128  	TOMOYO_PATH2_PARENT_PERM,
129  	TOMOYO_MAX_CONDITION_KEYWORD, /* Number of entries above; the entries below are operand kinds. */
130  	TOMOYO_NUMBER_UNION,          /* Operand is a "struct tomoyo_number_union". */
131  	TOMOYO_NAME_UNION,            /* Operand is a "struct tomoyo_name_union". */
132  	TOMOYO_ARGV_ENTRY,            /* Operand is a "struct tomoyo_argv". */
133  	TOMOYO_ENVP_ENTRY,            /* Operand is a "struct tomoyo_envp". */
134  };
135  
136  
137  /* Index numbers for stat(): slots of stat[] and stat_valid[] in "struct tomoyo_obj_info". */
138  enum tomoyo_path_stat_index {
139  	/* Do not change this order. */
140  	TOMOYO_PATH1,
141  	TOMOYO_PATH1_PARENT,
142  	TOMOYO_PATH2,
143  	TOMOYO_PATH2_PARENT,
144  	TOMOYO_MAX_PATH_STAT /* Number of slots; sizes stat[] and stat_valid[]. */
145  };
146  
147  /* Index numbers for operation mode. Held in u8 members such as "struct tomoyo_request_info"->mode. */
148  enum tomoyo_mode_index {
149  	TOMOYO_CONFIG_DISABLED,
150  	TOMOYO_CONFIG_LEARNING,
151  	TOMOYO_CONFIG_PERMISSIVE,
152  	TOMOYO_CONFIG_ENFORCING,
153  	TOMOYO_CONFIG_MAX_MODE, /* Number of modes above. */
154  	TOMOYO_CONFIG_WANT_REJECT_LOG =  64, /* NOTE(review): 64 and 128 look like flag bits OR-ed with a mode value - confirm. */
155  	TOMOYO_CONFIG_WANT_GRANT_LOG  = 128,
156  	TOMOYO_CONFIG_USE_DEFAULT     = 255, /* NOTE(review): presumably "fall back to the default config" - confirm. */
157  };
158  
159  /* Index numbers for entry type. */
160  enum tomoyo_policy_id {
161  	TOMOYO_ID_GROUP,
162  	TOMOYO_ID_ADDRESS_GROUP,
163  	TOMOYO_ID_PATH_GROUP,
164  	TOMOYO_ID_NUMBER_GROUP,
165  	TOMOYO_ID_TRANSITION_CONTROL,
166  	TOMOYO_ID_AGGREGATOR,
167  	TOMOYO_ID_MANAGER,
168  	TOMOYO_ID_CONDITION,
169  	TOMOYO_ID_NAME,
170  	TOMOYO_ID_ACL,
171  	TOMOYO_ID_DOMAIN,
172  	TOMOYO_MAX_POLICY /* Number of entries above; sizes policy_list[] in "struct tomoyo_policy_namespace". */
173  };
174  
175  /* Index numbers for domain's attributes. */
176  enum tomoyo_domain_info_flags_index {
177  	/* Quota warning flag. */
178  	TOMOYO_DIF_QUOTA_WARNED,
179  	/*
180  	 * This domain was unable to create a new domain at
181  	 * tomoyo_find_next_domain() because the name of the domain to be
182  	 * created was too long or it could not allocate memory.
183  	 * More than one process continued execve() without domain transition.
184  	 */
185  	TOMOYO_DIF_TRANSITION_FAILED,
186  	TOMOYO_MAX_DOMAIN_INFO_FLAGS /* Number of flags; sizes flags[] in "struct tomoyo_domain_info". */
187  };
188  
189  /* Index numbers for audit type. Stored in "struct tomoyo_condition"->grant_log. */
190  enum tomoyo_grant_log {
191  	/* Follow profile's configuration. */
192  	TOMOYO_GRANTLOG_AUTO,
193  	/* Do not generate grant log. */
194  	TOMOYO_GRANTLOG_NO,
195  	/* Generate grant log. */
196  	TOMOYO_GRANTLOG_YES,
197  };
198  
199  /* Index numbers for group entries. */
200  enum tomoyo_group_id {
201  	TOMOYO_PATH_GROUP,
202  	TOMOYO_NUMBER_GROUP,
203  	TOMOYO_ADDRESS_GROUP,
204  	TOMOYO_MAX_GROUP /* Number of group kinds; sizes group_list[] in "struct tomoyo_policy_namespace". */
205  };
206  
207  /* Index numbers for type of numeric values. Stored in "struct tomoyo_number_union"->value_type[]. */
208  enum tomoyo_value_type {
209  	TOMOYO_VALUE_TYPE_INVALID, /* Zero value, so a zero-filled value_type[] slot reads as invalid. */
210  	TOMOYO_VALUE_TYPE_DECIMAL,
211  	TOMOYO_VALUE_TYPE_OCTAL,
212  	TOMOYO_VALUE_TYPE_HEXADECIMAL,
213  };
214  
215  /* Index numbers for domain transition control keywords. Stored in "struct tomoyo_transition_control"->type. */
216  enum tomoyo_transition_type {
217  	/* Do not change this order. */
218  	TOMOYO_TRANSITION_CONTROL_NO_RESET,
219  	TOMOYO_TRANSITION_CONTROL_RESET,
220  	TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE,
221  	TOMOYO_TRANSITION_CONTROL_INITIALIZE,
222  	TOMOYO_TRANSITION_CONTROL_NO_KEEP,
223  	TOMOYO_TRANSITION_CONTROL_KEEP,
224  	TOMOYO_MAX_TRANSITION_TYPE /* Number of entries above. */
225  };
226  
227  /* Index numbers for Access Controls. Stored in "struct tomoyo_acl_info"->type to tell which tomoyo_*_acl struct holds the header. */
228  enum tomoyo_acl_entry_type_index {
229  	TOMOYO_TYPE_PATH_ACL,        /* "struct tomoyo_path_acl" */
230  	TOMOYO_TYPE_PATH2_ACL,       /* "struct tomoyo_path2_acl" */
231  	TOMOYO_TYPE_PATH_NUMBER_ACL, /* "struct tomoyo_path_number_acl" */
232  	TOMOYO_TYPE_MKDEV_ACL,       /* "struct tomoyo_mkdev_acl" */
233  	TOMOYO_TYPE_MOUNT_ACL,       /* "struct tomoyo_mount_acl" */
234  	TOMOYO_TYPE_INET_ACL,        /* "struct tomoyo_inet_acl" */
235  	TOMOYO_TYPE_UNIX_ACL,        /* "struct tomoyo_unix_acl" */
236  	TOMOYO_TYPE_ENV_ACL,         /* "struct tomoyo_env_acl" */
237  	TOMOYO_TYPE_MANUAL_TASK_ACL, /* "struct tomoyo_task_acl" */
238  };
239  
240  /* Index numbers for access controls with one pathname. Forms the bitmask in "struct tomoyo_path_acl"->perm. */
241  enum tomoyo_path_acl_index {
242  	TOMOYO_TYPE_EXECUTE,
243  	TOMOYO_TYPE_READ,
244  	TOMOYO_TYPE_WRITE,
245  	TOMOYO_TYPE_APPEND,
246  	TOMOYO_TYPE_UNLINK,
247  	TOMOYO_TYPE_GETATTR,
248  	TOMOYO_TYPE_RMDIR,
249  	TOMOYO_TYPE_TRUNCATE,
250  	TOMOYO_TYPE_SYMLINK,
251  	TOMOYO_TYPE_CHROOT,
252  	TOMOYO_TYPE_UMOUNT,
253  	TOMOYO_MAX_PATH_OPERATION /* 11 operations; the perm member that holds them is a u16. */
254  };
255  
256  /* Index numbers for /sys/kernel/security/tomoyo/stat interface (memory usage categories). */
257  enum tomoyo_memory_stat_type {
258  	TOMOYO_MEMORY_POLICY,
259  	TOMOYO_MEMORY_AUDIT,
260  	TOMOYO_MEMORY_QUERY,
261  	TOMOYO_MAX_MEMORY_STAT /* Number of categories above. */
262  };
263  
264  enum tomoyo_mkdev_acl_index { /* Index numbers for "file mkblock"/"file mkchar"; forms the bitmask in "struct tomoyo_mkdev_acl"->perm. */
265  	TOMOYO_TYPE_MKBLOCK,
266  	TOMOYO_TYPE_MKCHAR,
267  	TOMOYO_MAX_MKDEV_OPERATION /* Number of operations above. */
268  };
269  
270  /* Index numbers for socket operations. Forms the perm bitmask in "struct tomoyo_inet_acl" and "struct tomoyo_unix_acl". */
271  enum tomoyo_network_acl_index {
272  	TOMOYO_NETWORK_BIND,    /* bind() operation. */
273  	TOMOYO_NETWORK_LISTEN,  /* listen() operation. */
274  	TOMOYO_NETWORK_CONNECT, /* connect() operation. */
275  	TOMOYO_NETWORK_SEND,    /* send() operation. */
276  	TOMOYO_MAX_NETWORK_OPERATION /* Number of operations above. */
277  };
278  
279  /* Index numbers for access controls with two pathnames. Forms the bitmask in "struct tomoyo_path2_acl"->perm. */
280  enum tomoyo_path2_acl_index {
281  	TOMOYO_TYPE_LINK,
282  	TOMOYO_TYPE_RENAME,
283  	TOMOYO_TYPE_PIVOT_ROOT,
284  	TOMOYO_MAX_PATH2_OPERATION /* Number of operations above. */
285  };
286  
287  /* Index numbers for access controls with one pathname and one number. Forms the bitmask in "struct tomoyo_path_number_acl"->perm. */
288  enum tomoyo_path_number_acl_index {
289  	TOMOYO_TYPE_CREATE,
290  	TOMOYO_TYPE_MKDIR,
291  	TOMOYO_TYPE_MKFIFO,
292  	TOMOYO_TYPE_MKSOCK,
293  	TOMOYO_TYPE_IOCTL,
294  	TOMOYO_TYPE_CHMOD,
295  	TOMOYO_TYPE_CHOWN,
296  	TOMOYO_TYPE_CHGRP,
297  	TOMOYO_MAX_PATH_NUMBER_OPERATION /* 8 operations. NOTE(review): perm is a u8; if it holds one bit per operation a ninth entry would not fit - widen perm first. */
298  };
299  
300  /* Index numbers for /sys/kernel/security/tomoyo/ interfaces. Stored in "struct tomoyo_io_buffer"->type. */
301  enum tomoyo_securityfs_interface_index {
302  	TOMOYO_DOMAINPOLICY,
303  	TOMOYO_EXCEPTIONPOLICY,
304  	TOMOYO_PROCESS_STATUS,
305  	TOMOYO_STAT,
306  	TOMOYO_AUDIT,
307  	TOMOYO_VERSION,
308  	TOMOYO_PROFILE,
309  	TOMOYO_QUERY,
310  	TOMOYO_MANAGER /* Last entry; this enum has no MAX terminator. */
311  };
312  
313  /* Index numbers for special mount operations (mount(8) options that are not an ordinary filesystem mount). */
314  enum tomoyo_special_mount {
315  	TOMOYO_MOUNT_BIND,            /* mount --bind /source /dest   */
316  	TOMOYO_MOUNT_MOVE,            /* mount --move /old /new       */
317  	TOMOYO_MOUNT_REMOUNT,         /* mount -o remount /dir        */
318  	TOMOYO_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
319  	TOMOYO_MOUNT_MAKE_PRIVATE,    /* mount --make-private /dir    */
320  	TOMOYO_MOUNT_MAKE_SLAVE,      /* mount --make-slave /dir      */
321  	TOMOYO_MOUNT_MAKE_SHARED,     /* mount --make-shared /dir     */
322  	TOMOYO_MAX_SPECIAL_MOUNT /* Number of entries above. */
323  };
324  
325  /* Index numbers for functionality: one entry per access check that a profile can configure. */
326  enum tomoyo_mac_index {
327  	TOMOYO_MAC_FILE_EXECUTE,
328  	TOMOYO_MAC_FILE_OPEN,
329  	TOMOYO_MAC_FILE_CREATE,
330  	TOMOYO_MAC_FILE_UNLINK,
331  	TOMOYO_MAC_FILE_GETATTR,
332  	TOMOYO_MAC_FILE_MKDIR,
333  	TOMOYO_MAC_FILE_RMDIR,
334  	TOMOYO_MAC_FILE_MKFIFO,
335  	TOMOYO_MAC_FILE_MKSOCK,
336  	TOMOYO_MAC_FILE_TRUNCATE,
337  	TOMOYO_MAC_FILE_SYMLINK,
338  	TOMOYO_MAC_FILE_MKBLOCK,
339  	TOMOYO_MAC_FILE_MKCHAR,
340  	TOMOYO_MAC_FILE_LINK,
341  	TOMOYO_MAC_FILE_RENAME,
342  	TOMOYO_MAC_FILE_CHMOD,
343  	TOMOYO_MAC_FILE_CHOWN,
344  	TOMOYO_MAC_FILE_CHGRP,
345  	TOMOYO_MAC_FILE_IOCTL,
346  	TOMOYO_MAC_FILE_CHROOT,
347  	TOMOYO_MAC_FILE_MOUNT,
348  	TOMOYO_MAC_FILE_UMOUNT,
349  	TOMOYO_MAC_FILE_PIVOT_ROOT,
350  	TOMOYO_MAC_NETWORK_INET_STREAM_BIND,
351  	TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN,
352  	TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT,
353  	TOMOYO_MAC_NETWORK_INET_DGRAM_BIND,
354  	TOMOYO_MAC_NETWORK_INET_DGRAM_SEND,
355  	TOMOYO_MAC_NETWORK_INET_RAW_BIND,
356  	TOMOYO_MAC_NETWORK_INET_RAW_SEND,
357  	TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND,
358  	TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN,
359  	TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT,
360  	TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND,
361  	TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND,
362  	TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND,
363  	TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
364  	TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
365  	TOMOYO_MAC_ENVIRON,
366  	TOMOYO_MAX_MAC_INDEX /* Number of entries above; with TOMOYO_MAX_MAC_CATEGORY_INDEX it sizes config[] in "struct tomoyo_profile". */
367  };
368  
369  /* Index numbers for category of functionality. */
370  enum tomoyo_mac_category_index {
371  	TOMOYO_MAC_CATEGORY_FILE,
372  	TOMOYO_MAC_CATEGORY_NETWORK,
373  	TOMOYO_MAC_CATEGORY_MISC,
374  	TOMOYO_MAX_MAC_CATEGORY_INDEX /* Number of categories; added to TOMOYO_MAX_MAC_INDEX to size config[] in "struct tomoyo_profile". */
375  };
376  
377  /*
378   * Retry this request. Returned by tomoyo_supervisor() if policy violation has
379   * occurred in enforcing mode and the userspace daemon decided to retry.
380   *
381   * We must choose a positive value in order to distinguish "granted" (which is
382   * 0) and "rejected" (which is a negative value) and "retry".
383   */
384  #define TOMOYO_RETRY_REQUEST 1 /* Three-way result: 0 = granted, negative = rejected, this value = retry. */
385  
386  /* Index numbers for /sys/kernel/security/tomoyo/stat interface (policy counters). */
387  enum tomoyo_policy_stat_type {
388  	/* Do not change this order: the three mode entries must keep the values of the matching "enum tomoyo_mode_index" entries. */
389  	TOMOYO_STAT_POLICY_UPDATES,
390  	TOMOYO_STAT_POLICY_LEARNING,   /* == TOMOYO_CONFIG_LEARNING */
391  	TOMOYO_STAT_POLICY_PERMISSIVE, /* == TOMOYO_CONFIG_PERMISSIVE */
392  	TOMOYO_STAT_POLICY_ENFORCING,  /* == TOMOYO_CONFIG_ENFORCING */
393  	TOMOYO_MAX_POLICY_STAT
394  };
395  
396  /* Index numbers for profile's PREFERENCE values. */
397  enum tomoyo_pref_index {
398  	TOMOYO_PREF_MAX_AUDIT_LOG,
399  	TOMOYO_PREF_MAX_LEARNING_ENTRY,
400  	TOMOYO_MAX_PREF /* Number of entries above; sizes pref[] in "struct tomoyo_profile". */
401  };
402  
403  /********** Structure definitions. **********/
404  
405  /* Common header for holding ACL entries. Embedded as "head" in the group-member, transition-control, aggregator and manager structs. */
406  struct tomoyo_acl_head {
407  	struct list_head list;
408  	s8 is_deleted; /* true or false or TOMOYO_GC_IN_PROGRESS (-1, hence a signed type) */
409  } __packed; /* NOTE(review): presumably packed so small members of the embedding struct follow without tail padding - confirm. */
410  
411  /* Common header for shared entries. Embedded as "head" in "struct tomoyo_name", "struct tomoyo_group" and "struct tomoyo_condition". */
412  struct tomoyo_shared_acl_head {
413  	struct list_head list;
414  	atomic_t users; /* NOTE(review): presumably a reference count - confirm. */
415  } __packed;
416  
417  struct tomoyo_policy_namespace;
418  
419  /* Structure for request info: the per-request state passed to the permission-check functions declared below. */
420  struct tomoyo_request_info {
421  	/*
422  	 * For holding parameters specific to operations which deal with files.
423  	 * NULL if not dealing with files.
424  	 */
425  	struct tomoyo_obj_info *obj;
426  	/*
427  	 * For holding parameters specific to execve() request.
428  	 * NULL if not dealing with execve().
429  	 */
430  	struct tomoyo_execve *ee;
431  	struct tomoyo_domain_info *domain;
432  	/* For holding parameters. Only one member of this union is meaningful per request. */
433  	union {
434  		struct {
435  			const struct tomoyo_path_info *filename;
436  			/* For using wildcards at tomoyo_find_next_domain(). */
437  			const struct tomoyo_path_info *matched_path;
438  			/* One of values in "enum tomoyo_path_acl_index". */
439  			u8 operation;
440  		} path;
441  		struct {
442  			const struct tomoyo_path_info *filename1;
443  			const struct tomoyo_path_info *filename2;
444  			/* One of values in "enum tomoyo_path2_acl_index". */
445  			u8 operation;
446  		} path2;
447  		struct {
448  			const struct tomoyo_path_info *filename;
449  			unsigned int mode;
450  			unsigned int major;
451  			unsigned int minor;
452  			/* One of values in "enum tomoyo_mkdev_acl_index". */
453  			u8 operation;
454  		} mkdev;
455  		struct {
456  			const struct tomoyo_path_info *filename;
457  			unsigned long number;
458  			/*
459  			 * One of values in
460  			 * "enum tomoyo_path_number_acl_index".
461  			 */
462  			u8 operation;
463  		} path_number;
464  		struct {
465  			const struct tomoyo_path_info *name;
466  		} environ;
467  		struct {
468  			const __be32 *address; /* Big endian (__be32). */
469  			u16 port;
470  			/* One of values smaller than TOMOYO_SOCK_MAX. */
471  			u8 protocol;
472  			/* One of values in "enum tomoyo_network_acl_index". */
473  			u8 operation;
474  			bool is_ipv6;
475  		} inet_network;
476  		struct {
477  			const struct tomoyo_path_info *address;
478  			/* One of values smaller than TOMOYO_SOCK_MAX. */
479  			u8 protocol;
480  			/* One of values in "enum tomoyo_network_acl_index". */
481  			u8 operation;
482  		} unix_network;
483  		struct {
484  			const struct tomoyo_path_info *type;
485  			const struct tomoyo_path_info *dir;
486  			const struct tomoyo_path_info *dev;
487  			unsigned long flags;
488  			int need_dev;
489  		} mount;
490  		struct {
491  			const struct tomoyo_path_info *domainname;
492  		} task;
493  	} param;
494  	struct tomoyo_acl_info *matched_acl;
495  	u8 param_type; /* NOTE(review): presumably tells which member of @param is in use - confirm before reading @param. */
496  	bool granted;
497  	u8 retry;
498  	u8 profile;
499  	u8 mode; /* One of values in "enum tomoyo_mode_index". */
500  	u8 type;
501  };
502  
503  /* Structure for holding a token. The members after @name hold values derived from @name, as noted per member. */
504  struct tomoyo_path_info {
505  	const char *name;
506  	u32 hash;          /* = full_name_hash(name, strlen(name)) */
507  	u16 const_len;     /* = tomoyo_const_part_length(name)     */
508  	bool is_dir;       /* = tomoyo_strendswith(name, "/")      */
509  	bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
510  };
511  
512  /* Structure for holding string data: a "struct tomoyo_path_info" preceded by the shared-entry header. */
513  struct tomoyo_name {
514  	struct tomoyo_shared_acl_head head;
515  	struct tomoyo_path_info entry;
516  };
517  
518  /* Structure for holding a word: either a single name or a reference to a group. */
519  struct tomoyo_name_union {
520  	/* Either @filename or @group is NULL. */
521  	const struct tomoyo_path_info *filename;
522  	struct tomoyo_group *group;
523  };
524  
525  /* Structure for holding a number. */
526  struct tomoyo_number_union {
527  	unsigned long values[2]; /* NOTE(review): presumably a [min, max] range - confirm. */
528  	struct tomoyo_group *group; /* Maybe NULL. */
529  	/* One of values in "enum tomoyo_value_type". */
530  	u8 value_type[2];
531  };
532  
533  /* Structure for holding an IP address. */
534  struct tomoyo_ipaddr_union {
535  	struct in6_addr ip[2]; /* Big endian. NOTE(review): presumably a [min, max] range - confirm. */
536  	struct tomoyo_group *group; /* Pointer to address group. */
537  	bool is_ipv6; /* Valid only if @group == NULL. */
538  };
539  
540  /* Structure for "path_group"/"number_group"/"address_group" directive. */
541  struct tomoyo_group {
542  	struct tomoyo_shared_acl_head head;
543  	const struct tomoyo_path_info *group_name;
544  	struct list_head member_list; /* NOTE(review): presumably links the tomoyo_{path,number,address}_group members - confirm. */
545  };
546  
547  /* Structure for "path_group" directive: holds one member name. */
548  struct tomoyo_path_group {
549  	struct tomoyo_acl_head head;
550  	const struct tomoyo_path_info *member_name;
551  };
552  
553  /* Structure for "number_group" directive: holds one number entry. */
554  struct tomoyo_number_group {
555  	struct tomoyo_acl_head head;
556  	struct tomoyo_number_union number;
557  };
558  
559  /* Structure for "address_group" directive: holds one address entry. */
560  struct tomoyo_address_group {
561  	struct tomoyo_acl_head head;
562  	/* Structure for holding an IP address. */
563  	struct tomoyo_ipaddr_union address;
564  };
565  
566  /* Subset of "struct stat". Used by conditional ACL and audit logs. Read a slot only when the matching stat_valid[] entry is true. */
567  struct tomoyo_mini_stat {
568  	kuid_t uid;
569  	kgid_t gid;
570  	ino_t ino;
571  	umode_t mode;
572  	dev_t dev;
573  	dev_t rdev;
574  };
575  
576  /* Structure for dumping argv[] and envp[] of "struct linux_binprm". Passed to tomoyo_dump_page(). */
577  struct tomoyo_page_dump {
578  	struct page *page;    /* Previously dumped page. */
579  	char *data;           /* Contents of "page". Size is PAGE_SIZE. */
580  };
581  
582  /* Structure for attribute checks in addition to pathname checks. */
583  struct tomoyo_obj_info {
584  	/*
585  	 * True if tomoyo_get_attributes() was already called, false otherwise.
586  	 */
587  	bool validate_done;
588  	/* True if the matching @stat[] slot is valid. Indexed by "enum tomoyo_path_stat_index". */
589  	bool stat_valid[TOMOYO_MAX_PATH_STAT];
590  	/* First pathname. Initialized with { NULL, NULL } if no path. */
591  	struct path path1;
592  	/* Second pathname. Initialized with { NULL, NULL } if no path. */
593  	struct path path2;
594  	/*
595  	 * Information on @path1, @path1's parent directory, @path2, @path2's
596  	 * parent directory. Indexed by "enum tomoyo_path_stat_index".
597  	 */
598  	struct tomoyo_mini_stat stat[TOMOYO_MAX_PATH_STAT];
599  	/*
600  	 * Content of symbolic link to be created. NULL for operations other
601  	 * than symlink().
602  	 */
603  	struct tomoyo_path_info *symlink_target;
604  };
605  
606  /* Structure for argv[]. Attached to the tail of "struct tomoyo_condition" for TOMOYO_ARGV_ENTRY operands. */
607  struct tomoyo_argv {
608  	unsigned long index;
609  	const struct tomoyo_path_info *value;
610  	bool is_not; /* NOTE(review): presumably true for a negated ("!=") comparison - confirm. */
611  };
612  
613  /* Structure for envp[]. Attached to the tail of "struct tomoyo_condition" for TOMOYO_ENVP_ENTRY operands. */
614  struct tomoyo_envp {
615  	const struct tomoyo_path_info *name;
616  	const struct tomoyo_path_info *value;
617  	bool is_not; /* NOTE(review): presumably true for a negated ("!=") comparison - confirm. */
618  };
619  
620  /* Structure for execve() operation. Referenced from "struct tomoyo_request_info"->ee. */
621  struct tomoyo_execve {
622  	struct tomoyo_request_info r;
623  	struct tomoyo_obj_info obj;
624  	struct linux_binprm *bprm;
625  	const struct tomoyo_path_info *transition;
626  	/* For dumping argv[] and envp[]. */
627  	struct tomoyo_page_dump dump;
628  	/* For temporary use. */
629  	char *tmp; /* Size is TOMOYO_EXEC_TMPSIZE bytes; writers must stay within that bound. */
630  };
631  
632  /* Structure for entries which follow "struct tomoyo_condition". */
633  struct tomoyo_condition_element {
634  	/*
635  	 * Left hand operand. A "struct tomoyo_argv" for TOMOYO_ARGV_ENTRY, a
636  	 * "struct tomoyo_envp" for TOMOYO_ENVP_ENTRY is attached to the tail
637  	 * of the array of this struct.
638  	 */
639  	u8 left;
640  	/*
641  	 * Right hand operand. A "struct tomoyo_number_union" for
642  	 * TOMOYO_NUMBER_UNION, a "struct tomoyo_name_union" for
643  	 * TOMOYO_NAME_UNION is attached to the tail of the array of this
644  	 * struct.
645  	 */
646  	u8 right;
647  	/* Equation operator. True if equals or overlaps, false otherwise. */
648  	bool equals;
649  };
650  
651  /* Structure for optional arguments. A fixed header; the arrays listed at the end are attached to its tail. */
652  struct tomoyo_condition {
653  	struct tomoyo_shared_acl_head head;
654  	u32 size; /* Memory size allocated for this entry. */
655  	u16 condc; /* Number of conditions in this struct. */
656  	u16 numbers_count; /* Number of "struct tomoyo_number_union" values. */
657  	u16 names_count; /* Number of "struct tomoyo_name_union" names. */
658  	u16 argc; /* Number of "struct tomoyo_argv". */
659  	u16 envc; /* Number of "struct tomoyo_envp". */
660  	u8 grant_log; /* One of values in "enum tomoyo_grant_log". */
661  	const struct tomoyo_path_info *transit; /* Maybe NULL. */
662  	/*
663  	 * struct tomoyo_condition_element condition[condc];
664  	 * struct tomoyo_number_union values[numbers_count];
665  	 * struct tomoyo_name_union names[names_count];
666  	 * struct tomoyo_argv argv[argc];
667  	 * struct tomoyo_envp envp[envc];
668  	 */
669  };
670  
671  /* Common header for individual entries. Embedded as "head" in the tomoyo_*_acl structs; @type tells which one. */
672  struct tomoyo_acl_info {
673  	struct list_head list;
674  	struct tomoyo_condition *cond; /* Maybe NULL. */
675  	s8 is_deleted; /* true or false or TOMOYO_GC_IN_PROGRESS */
676  	u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */
677  } __packed;
678  
679  /* Structure for domain information. */
680  struct tomoyo_domain_info {
681  	struct list_head list;
682  	struct list_head acl_info_list;
683  	/* Name of this domain. Never NULL.          */
684  	const struct tomoyo_path_info *domainname;
685  	/* Namespace for this domain. Never NULL. */
686  	struct tomoyo_policy_namespace *ns;
687  	/* Group numbers to use: TOMOYO_MAX_ACL_GROUPS bits packed into unsigned longs. */
688  	unsigned long group[TOMOYO_MAX_ACL_GROUPS / BITS_PER_LONG];
689  	u8 profile;        /* Profile number to use. */
690  	bool is_deleted;   /* Delete flag.           */
691  	bool flags[TOMOYO_MAX_DOMAIN_INFO_FLAGS]; /* Indexed by "enum tomoyo_domain_info_flags_index". */
692  	atomic_t users; /* Number of referring tasks. */
693  };
694  
695  /*
696   * Structure for "task manual_domain_transition" directive. Parallels param.task in "struct tomoyo_request_info".
697   */
698  struct tomoyo_task_acl {
699  	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MANUAL_TASK_ACL */
700  	/* Pointer to domainname. */
701  	const struct tomoyo_path_info *domainname;
702  };
703  
704  /*
705   * Structure for "file execute", "file read", "file write", "file append",
706   * "file unlink", "file getattr", "file rmdir", "file truncate",
707   * "file symlink", "file chroot" and "file unmount" directive.
708   */
709  struct tomoyo_path_acl {
710  	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */
711  	u16 perm; /* Bitmask of values in "enum tomoyo_path_acl_index" (11 operations defined). */
712  	struct tomoyo_name_union name;
713  };
714  
715  /*
716   * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
717   * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
718   */
719  struct tomoyo_path_number_acl {
720  	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_NUMBER_ACL */
721  	/* Bitmask of values in "enum tomoyo_path_number_acl_index" (8 operations defined; this member is 8 bits wide). */
722  	u8 perm;
723  	struct tomoyo_name_union name;
724  	struct tomoyo_number_union number;
725  };
726  
727  /* Structure for "file mkblock" and "file mkchar" directive. Members parallel param.mkdev in "struct tomoyo_request_info". */
728  struct tomoyo_mkdev_acl {
729  	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MKDEV_ACL */
730  	u8 perm; /* Bitmask of values in "enum tomoyo_mkdev_acl_index". */
731  	struct tomoyo_name_union name;
732  	struct tomoyo_number_union mode;
733  	struct tomoyo_number_union major;
734  	struct tomoyo_number_union minor;
735  };
736  
737  /*
738   * Structure for "file rename", "file link" and "file pivot_root" directive. Parallels param.path2 in "struct tomoyo_request_info".
739   */
740  struct tomoyo_path2_acl {
741  	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */
742  	u8 perm; /* Bitmask of values in "enum tomoyo_path2_acl_index". */
743  	struct tomoyo_name_union name1;
744  	struct tomoyo_name_union name2;
745  };
746  
747  /* Structure for "file mount" directive. Members parallel param.mount (dev, dir, type, flags) in "struct tomoyo_request_info". */
748  struct tomoyo_mount_acl {
749  	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MOUNT_ACL */
750  	struct tomoyo_name_union dev_name;
751  	struct tomoyo_name_union dir_name;
752  	struct tomoyo_name_union fs_type;
753  	struct tomoyo_number_union flags;
754  };
755  
756  /* Structure for "misc env" directive in domain policy. Parallels param.environ in "struct tomoyo_request_info". */
757  struct tomoyo_env_acl {
758  	struct tomoyo_acl_info head;        /* type = TOMOYO_TYPE_ENV_ACL  */
759  	const struct tomoyo_path_info *env; /* environment variable */
760  };
761  
762  /* Structure for "network inet" directive. Members parallel param.inet_network in "struct tomoyo_request_info". */
763  struct tomoyo_inet_acl {
764  	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_INET_ACL */
765  	u8 protocol; /* NOTE(review): presumably a value smaller than TOMOYO_SOCK_MAX, as in the request - confirm. */
766  	u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
767  	struct tomoyo_ipaddr_union address;
768  	struct tomoyo_number_union port;
769  };
770  
771  /* Structure for "network unix" directive. Members parallel param.unix_network in "struct tomoyo_request_info". */
772  struct tomoyo_unix_acl {
773  	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_UNIX_ACL */
774  	u8 protocol; /* NOTE(review): presumably a value smaller than TOMOYO_SOCK_MAX, as in the request - confirm. */
775  	u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
776  	struct tomoyo_name_union name;
777  };
778  
779  /* Structure for holding a line from /sys/kernel/security/tomoyo/ interface. Passed to the tomoyo_parse_*() and tomoyo_read_token() helpers. */
780  struct tomoyo_acl_param {
781  	char *data; /* NOTE(review): presumably the not-yet-parsed text of the line, written by userspace - confirm. */
782  	struct list_head *list;
783  	struct tomoyo_policy_namespace *ns;
784  	bool is_delete;
785  };
786  
787  #define TOMOYO_MAX_IO_READ_QUEUE 64 /* Number of slots in "struct tomoyo_io_buffer"->r.w[]. */
788  
789  /*
790   * Structure for reading/writing policy via /sys/kernel/security/tomoyo
791   * interfaces.
792   */
793  struct tomoyo_io_buffer {
794  	void (*read)(struct tomoyo_io_buffer *head);  /* Read handler for this interface. */
795  	int (*write)(struct tomoyo_io_buffer *head);  /* Write handler for this interface. */
796  	__poll_t (*poll)(struct file *file, poll_table *wait);
797  	/* Exclusive lock for this structure.   */
798  	struct mutex io_sem;
799  	char __user *read_user_buf; /* Userspace pointer (__user): not to be dereferenced directly. */
800  	size_t read_user_buf_avail;
801  	struct { /* Read-side state. */
802  		struct list_head *ns;
803  		struct list_head *domain;
804  		struct list_head *group;
805  		struct list_head *acl;
806  		size_t avail;
807  		unsigned int step;
808  		unsigned int query_index;
809  		u16 index;
810  		u16 cond_index;
811  		u8 acl_group_index;
812  		u8 cond_step;
813  		u8 bit;
814  		u8 w_pos; /* NOTE(review): presumably an index into w[]; must stay below TOMOYO_MAX_IO_READ_QUEUE - confirm. */
815  		bool eof;
816  		bool print_this_domain_only;
817  		bool print_transition_related_only;
818  		bool print_cond_part;
819  		const char *w[TOMOYO_MAX_IO_READ_QUEUE];
820  	} r;
821  	struct { /* Write-side state. */
822  		struct tomoyo_policy_namespace *ns;
823  		/* The position currently writing to.   */
824  		struct tomoyo_domain_info *domain;
825  		/* Bytes available for writing.         */
826  		size_t avail;
827  		bool is_delete;
828  	} w;
829  	/* Buffer for reading.                  */
830  	char *read_buf;
831  	/* Size of read buffer.                 */
832  	size_t readbuf_size;
833  	/* Buffer for writing.                  */
834  	char *write_buf;
835  	/* Size of write buffer.                */
836  	size_t writebuf_size;
837  	/* Type of this interface.              */
838  	enum tomoyo_securityfs_interface_index type;
839  	/* Users counter protected by tomoyo_io_buffer_list_lock. NOTE(review): u8 wraps after 255 - confirm the count is bounded. */
840  	u8 users;
841  	/* List for telling GC not to kfree() elements. */
842  	struct list_head list;
843  };
844  
845  /*
846   * Structure for "initialize_domain"/"no_initialize_domain"/"keep_domain"/
847   * "no_keep_domain" keyword. NOTE(review): "enum tomoyo_transition_type" also has RESET/NO_RESET entries not listed here.
848   */
849  struct tomoyo_transition_control {
850  	struct tomoyo_acl_head head;
851  	u8 type; /* One of values in "enum tomoyo_transition_type".  */
852  	/* True if the domainname is tomoyo_get_last_name(). */
853  	bool is_last_name;
854  	const struct tomoyo_path_info *domainname; /* Maybe NULL */
855  	const struct tomoyo_path_info *program;    /* Maybe NULL */
856  };
857  
858  /* Structure for "aggregator" keyword. */
859  struct tomoyo_aggregator {
860  	struct tomoyo_acl_head head;
861  	const struct tomoyo_path_info *original_name;
862  	const struct tomoyo_path_info *aggregated_name; /* NOTE(review): presumably the name used in place of @original_name - confirm. */
863  };
864  
865  /* Structure for policy manager. NOTE(review): presumably identifies who may modify policy via the securityfs interface - confirm. */
866  struct tomoyo_manager {
867  	struct tomoyo_acl_head head;
868  	/* A path to program or a domainname. */
869  	const struct tomoyo_path_info *manager;
870  };
871  
872  struct tomoyo_preference { /* Preference values; "struct tomoyo_profile" embeds one and holds pointers per mode. */
873  	unsigned int learning_max_entry;
874  	bool enforcing_verbose;
875  	bool learning_verbose;
876  	bool permissive_verbose;
877  };
878  
879  /* Structure for /sys/kernel/security/tomoyo/profile interface. */
880  struct tomoyo_profile {
881  	const struct tomoyo_path_info *comment;
882  	struct tomoyo_preference *learning;
883  	struct tomoyo_preference *permissive;
884  	struct tomoyo_preference *enforcing;
885  	struct tomoyo_preference preference;
886  	u8 default_config;
887  	u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX]; /* NOTE(review): presumably tomoyo_mac_index slots first, then category slots - confirm. */
888  	unsigned int pref[TOMOYO_MAX_PREF]; /* Indexed by "enum tomoyo_pref_index". */
889  };
890  
891  /* Structure for representing YYYY/MM/DD hh/mm/ss. */
892  struct tomoyo_time {
893  	u16 year;
894  	u8 month; /* NOTE(review): numbering base (1-12 or 0-11) is not stated here - confirm at the producer. */
895  	u8 day;
896  	u8 hour;
897  	u8 min;
898  	u8 sec;
899  };
900  
901  /* Structure for policy namespace. */
902  struct tomoyo_policy_namespace {
903  	/* Profile table. Memory is allocated as needed. NOTE(review): so a slot is presumably NULL until allocated - check before use. */
904  	struct tomoyo_profile *profile_ptr[TOMOYO_MAX_PROFILES];
905  	/* List of "struct tomoyo_group". One list per "enum tomoyo_group_id" value. */
906  	struct list_head group_list[TOMOYO_MAX_GROUP];
907  	/* List of policy. One list per "enum tomoyo_policy_id" value. */
908  	struct list_head policy_list[TOMOYO_MAX_POLICY];
909  	/* The global ACL referred by "use_group" keyword. */
910  	struct list_head acl_group[TOMOYO_MAX_ACL_GROUPS];
911  	/* List for connecting to tomoyo_namespace_list list. */
912  	struct list_head namespace_list;
913  	/* Profile version. Currently only 20150505 is defined. */
914  	unsigned int profile_version;
915  	/* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */
916  	const char *name;
917  };
918  
919  /* Structure for "struct task_struct"->security. */
920  struct tomoyo_task {
921  	struct tomoyo_domain_info *domain_info;
922  	struct tomoyo_domain_info *old_domain_info; /* NOTE(review): presumably the domain held before an in-progress transition - confirm. */
923  };
924  
925  /********** Function prototypes. **********/
926  
/*
 * Helpers returning bool.
 *
 * The tomoyo_*_matches_*() and tomoyo_compare_number_union() entries take
 * their policy-side argument (group, union or pattern) through a const
 * pointer, so a match check cannot modify the policy it is evaluated against.
 */

/*
 * @address is an array of __be32 words, i.e. in big-endian (network) byte
 * order.
 * NOTE(review): the number of words read presumably depends on @is_ipv6 -
 * confirm that callers always supply a buffer large enough for the IPv6 case.
 */
bool tomoyo_address_matches_group(const bool is_ipv6, const __be32 *address,
				  const struct tomoyo_group *group);
bool tomoyo_compare_number_union(const unsigned long value,
				 const struct tomoyo_number_union *ptr);
bool tomoyo_condition(struct tomoyo_request_info *r,
		      const struct tomoyo_condition *cond);
/*
 * NOTE(review): judging by their names, tomoyo_correct_*() and
 * tomoyo_domain_def() check the syntax of policy strings - confirm against
 * the definitions before relying on them as input validation.
 */
bool tomoyo_correct_domain(const unsigned char *domainname);
bool tomoyo_correct_path(const char *filename);
bool tomoyo_correct_word(const char *string);
bool tomoyo_domain_def(const unsigned char *buffer);
bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);
bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
		      struct tomoyo_page_dump *dump);
bool tomoyo_memory_ok(void *ptr);
bool tomoyo_number_matches_group(const unsigned long min,
				 const unsigned long max,
				 const struct tomoyo_group *group);
/* Parsers: each consumes input from @param and fills in the union at @ptr. */
bool tomoyo_parse_ipaddr_union(struct tomoyo_acl_param *param,
			       struct tomoyo_ipaddr_union *ptr);
bool tomoyo_parse_name_union(struct tomoyo_acl_param *param,
			     struct tomoyo_name_union *ptr);
bool tomoyo_parse_number_union(struct tomoyo_acl_param *param,
			       struct tomoyo_number_union *ptr);
bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
				 const struct tomoyo_path_info *pattern);
bool tomoyo_permstr(const char *string, const char *keyword);
/* Takes char ** so that *@src can be updated by the callee. */
bool tomoyo_str_starts(char **src, const char *find);
/*
 * Helpers returning strings or interned path entries.
 *
 * NOTE(review): the functions returning plain "char *" (rather than
 * "const char *") presumably hand ownership of a freshly allocated buffer to
 * the caller - confirm who is responsible for freeing each result, and that
 * callers handle a NULL return.
 */
char *tomoyo_encode(const char *str);
char *tomoyo_encode2(const char *str, int str_len);
/*
 * __printf(3, 0): @fmt is parameter 3 and is checked as a printf format
 * string; the 0 means the arguments arrive as a va_list, so the compiler
 * cannot check them against the format here.
 */
char *tomoyo_init_log(struct tomoyo_request_info *r, int len, const char *fmt,
		      va_list args) __printf(3, 0);
char *tomoyo_read_token(struct tomoyo_acl_param *param);
char *tomoyo_realpath_from_path(const struct path *path);
char *tomoyo_realpath_nofollow(const char *pathname);
const char *tomoyo_get_exe(void);
/*
 * The following return "const struct tomoyo_path_info *".
 * NOTE(review): results obtained from tomoyo_get_name() are presumably
 * reference counted and released with tomoyo_put_name() - confirm.
 */
const struct tomoyo_path_info *tomoyo_compare_name_union
(const struct tomoyo_path_info *name, const struct tomoyo_name_union *ptr);
const struct tomoyo_path_info *tomoyo_get_domainname
(struct tomoyo_acl_param *param);
const struct tomoyo_path_info *tomoyo_get_name(const char *name);
const struct tomoyo_path_info *tomoyo_path_matches_group
(const struct tomoyo_path_info *pathname, const struct tomoyo_group *group);
/*
 * Permission checks, policy-interface entry points and policy writers.
 *
 * NOTE(review): the *_permission() / *_perm() functions presumably return 0
 * when the request is allowed and a negative errno otherwise - confirm
 * against the definitions; a caller that ignores the return value silently
 * disables the check.
 */
int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
				 const struct path *path, const int flag);
void tomoyo_close_control(struct tomoyo_io_buffer *head);
int tomoyo_env_perm(struct tomoyo_request_info *r, const char *env);
int tomoyo_execute_permission(struct tomoyo_request_info *r,
			      const struct tomoyo_path_info *filename);
int tomoyo_find_next_domain(struct linux_binprm *bprm);
/* @profile and @index are u8, so both are limited to 0..255 by their type. */
int tomoyo_get_mode(const struct tomoyo_policy_namespace *ns, const u8 profile,
		    const u8 index);
int tomoyo_init_request_info(struct tomoyo_request_info *r,
			     struct tomoyo_domain_info *domain,
			     const u8 index);
int tomoyo_mkdev_perm(const u8 operation, const struct path *path,
		      const unsigned int mode, unsigned int dev);
int tomoyo_mount_permission(const char *dev_name, const struct path *path,
			    const char *type, unsigned long flags,
			    void *data_page);
int tomoyo_open_control(const u8 type, struct file *file);
int tomoyo_path2_perm(const u8 operation, const struct path *path1,
		      const struct path *path2);
int tomoyo_path_number_perm(const u8 operation, const struct path *path,
			    unsigned long number);
int tomoyo_path_perm(const u8 operation, const struct path *path,
		     const char *target);
__poll_t tomoyo_poll_control(struct file *file, poll_table *wait);
__poll_t tomoyo_poll_log(struct file *file, poll_table *wait);
/*
 * Socket checks. @addr_len and @size are signed int.
 * NOTE(review): confirm the definitions validate @addr_len before reading
 * the address family specific part of @addr.
 */
int tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr,
				  int addr_len);
int tomoyo_socket_connect_permission(struct socket *sock,
				     struct sockaddr *addr, int addr_len);
int tomoyo_socket_listen_permission(struct socket *sock);
int tomoyo_socket_sendmsg_permission(struct socket *sock, struct msghdr *msg,
				     int size);
/*
 * __printf(2, 3): @fmt is parameter 2 and the variadic arguments start at
 * parameter 3, so the compiler type-checks every argument against @fmt.
 */
int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
	__printf(2, 3);
/*
 * Generic policy update helpers. @size is the size of @new_entry;
 * @check_duplicate (and @merge_duplicate for domains) are callbacks supplied
 * by the caller for comparing / merging entries.
 */
int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
			 struct tomoyo_acl_param *param,
			 bool (*check_duplicate)
			 (const struct tomoyo_acl_info *,
			  const struct tomoyo_acl_info *),
			 bool (*merge_duplicate)
			 (struct tomoyo_acl_info *, struct tomoyo_acl_info *,
			  const bool));
int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
			 struct tomoyo_acl_param *param,
			 bool (*check_duplicate)
			 (const struct tomoyo_acl_head *,
			  const struct tomoyo_acl_head *));
/* Policy writers: each takes its input through "struct tomoyo_acl_param". */
int tomoyo_write_aggregator(struct tomoyo_acl_param *param);
int tomoyo_write_file(struct tomoyo_acl_param *param);
int tomoyo_write_group(struct tomoyo_acl_param *param, const u8 type);
int tomoyo_write_misc(struct tomoyo_acl_param *param);
int tomoyo_write_inet_network(struct tomoyo_acl_param *param);
int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
				    const u8 type);
int tomoyo_write_unix_network(struct tomoyo_acl_param *param);
/*
 * Policy interface I/O. @buffer is a userspace pointer (__user): it must
 * never be dereferenced directly, only accessed through the user-copy
 * helpers, and sparse flags any code that mixes it with kernel pointers.
 * NOTE(review): @buffer_len is a signed int - confirm the definitions reject
 * or clamp negative and oversized lengths before copying.
 */
ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
			    const int buffer_len);
ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
			     const char __user *buffer, const int buffer_len);
/* Lookup / allocation helpers returning pointers to policy objects. */
struct tomoyo_condition *tomoyo_get_condition(struct tomoyo_acl_param *param);
struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
						const bool transit);
struct tomoyo_domain_info *tomoyo_domain(void);
struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
struct tomoyo_group *tomoyo_get_group(struct tomoyo_acl_param *param,
				      const u8 idx);
struct tomoyo_policy_namespace *tomoyo_assign_namespace
(const char *domainname);
/* @profile is u8, matching the 0..255 range of profile numbers. */
struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns,
				      const u8 profile);
/* Takes char ** so that *@str can be updated by the callee. */
u8 tomoyo_parse_ulong(unsigned long *result, char **str);
void *tomoyo_commit_ok(void *data, const unsigned int size);
/*
 * Functions returning nothing.
 *
 * The two __init functions are boot-time only: __init code is discarded once
 * kernel initialisation has finished, so they must not be called later.
 */
void __init tomoyo_load_builtin_policy(void);
void __init tomoyo_mm_init(void);
/* @check_entry is the per-ACL-entry callback supplied by the caller. */
void tomoyo_check_acl(struct tomoyo_request_info *r,
		      bool (*check_entry)(struct tomoyo_request_info *,
					  const struct tomoyo_acl_info *));
void tomoyo_check_profile(void);
void tomoyo_convert_time(time64_t time, struct tomoyo_time *stamp);
void tomoyo_del_condition(struct list_head *element);
void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
void tomoyo_get_attributes(struct tomoyo_obj_info *obj);
void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns);
void tomoyo_load_policy(const char *filename);
/* Takes a non-const buffer, i.e. the line may be rewritten in place. */
void tomoyo_normalize_line(unsigned char *buffer);
void tomoyo_notify_gc(struct tomoyo_io_buffer *head, const bool is_register);
/*
 * Formatting helpers: the caller passes the size of the destination buffer
 * (@size / @buffer_len) together with the buffer itself.
 */
void tomoyo_print_ip(char *buf, const unsigned int size,
		     const struct tomoyo_ipaddr_union *ptr);
void tomoyo_print_ulong(char *buffer, const int buffer_len,
			const unsigned long value, const u8 type);
void tomoyo_put_name_union(struct tomoyo_name_union *ptr);
void tomoyo_put_number_union(struct tomoyo_number_union *ptr);
void tomoyo_read_log(struct tomoyo_io_buffer *head);
void tomoyo_update_stat(const u8 index);
void tomoyo_warn_oom(const char *function);
/*
 * __printf(2, 3): arguments are type-checked against @fmt at compile time.
 * __printf(3, 0): only the format string is checked, because the arguments
 * arrive as a va_list.
 */
void tomoyo_write_log(struct tomoyo_request_info *r, const char *fmt, ...)
	__printf(2, 3);
void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
		       va_list args) __printf(3, 0);
1069  
1070  /********** External variable definitions. **********/
1071  
/* Global state flags. */
extern bool tomoyo_policy_loaded;
extern int tomoyo_enabled;
/*
 * Keyword and mapping tables. They are declared "const char * const" or
 * "const u8", so neither the tables nor the strings they point to can be
 * modified through these names. Each array bound is the matching
 * TOMOYO_MAX_* (or TOMOYO_SOCK_MAX) constant; an index must be below it.
 */
extern const char * const tomoyo_condition_keyword
[TOMOYO_MAX_CONDITION_KEYWORD];
extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
					      + TOMOYO_MAX_MAC_CATEGORY_INDEX];
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];
/* Global policy lists. */
extern struct list_head tomoyo_condition_list;
extern struct list_head tomoyo_domain_list;
/* One list head per hash bucket (TOMOYO_MAX_HASH buckets). */
extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
extern struct list_head tomoyo_namespace_list;
/* NOTE(review): presumably serialises policy updates - confirm at the users. */
extern struct mutex tomoyo_policy_lock;
/*
 * SRCU domain entered and left by tomoyo_read_lock() / tomoyo_read_unlock()
 * and used by list_for_each_cookie() when following list pointers.
 */
extern struct srcu_struct tomoyo_ss;
extern struct tomoyo_domain_info tomoyo_kernel_domain;
extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
/* Memory accounting, one counter per memory statistic type. */
extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];
extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];
/* tomoyo_task() reads .lbs_task from this as TOMOYO's offset in the task blob. */
extern struct lsm_blob_sizes tomoyo_blob_sizes;
1098  
1099  /********** Inlined functions. **********/
1100  
/**
 * tomoyo_read_lock - Take lock for protecting policy.
 *
 * Enters an SRCU read-side critical section on tomoyo_ss.
 *
 * Returns index number for tomoyo_read_unlock(). The same value must be
 * passed back unchanged, and every call needs exactly one matching unlock.
 */
static inline int tomoyo_read_lock(void)
{
	const int idx = srcu_read_lock(&tomoyo_ss);

	return idx;
}
1110  
/**
 * tomoyo_read_unlock - Release lock for protecting policy.
 *
 * @idx: Index number returned by tomoyo_read_lock().
 *
 * Leaves the SRCU read-side critical section on tomoyo_ss that the matching
 * tomoyo_read_lock() call entered.
 *
 * Returns nothing.
 */
static inline void tomoyo_read_unlock(int idx)
{
	struct srcu_struct *const policy_srcu = &tomoyo_ss;

	srcu_read_unlock(policy_srcu, idx);
}
1122  
/**
 * tomoyo_sys_getppid - Copy of getppid().
 *
 * Returns parent process's PID: the thread group ID of current->real_parent
 * as reported by task_tgid_vnr().
 *
 * The parent pointer is only read inside the RCU read-side section, so the
 * returned number is a snapshot; the parent can change once the section ends.
 *
 * Alpha does not have getppid() defined. To be able to build this module on
 * Alpha, I have to copy getppid() from kernel/timer.c.
 */
static inline pid_t tomoyo_sys_getppid(void)
{
	struct task_struct *parent;
	pid_t parent_pid;

	rcu_read_lock();
	parent = rcu_dereference(current->real_parent);
	parent_pid = task_tgid_vnr(parent);
	rcu_read_unlock();

	return parent_pid;
}
1140  
/**
 * tomoyo_sys_getpid - Copy of getpid().
 *
 * Returns current thread's PID, i.e. task_tgid_vnr() of the current task.
 *
 * Alpha does not have getpid() defined. To be able to build this module on
 * Alpha, I have to copy getpid() from kernel/timer.c.
 */
static inline pid_t tomoyo_sys_getpid(void)
{
	const pid_t self_pid = task_tgid_vnr(current);

	return self_pid;
}
1153  
/**
 * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure.
 *
 * @a: Pointer to "struct tomoyo_path_info".
 * @b: Pointer to "struct tomoyo_path_info".
 *
 * Returns true if @a and @b DIFFER, false if they are the same path.
 *
 * Like strcmp(), a "false" (zero) result means "equal". Callers testing for
 * a match must therefore negate the result; reading it as "true == same"
 * inverts the comparison.
 */
static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
				  const struct tomoyo_path_info *b)
{
	/* Unequal hashes settle the question without comparing the strings. */
	if (a->hash != b->hash)
		return true;

	return strcmp(a->name, b->name) != 0;
}
1167  
/**
 * tomoyo_put_name - Drop reference on "struct tomoyo_name".
 *
 * @name: Pointer to "struct tomoyo_path_info". Maybe NULL.
 *
 * @name must be the "entry" member of a "struct tomoyo_name"; the enclosing
 * structure is recovered with container_of() and its head.users counter is
 * decremented. Nothing is freed here, and atomic_dec() does not detect
 * underflow, so every put has to pair with exactly one earlier reference.
 * NOTE(review): the object is presumably reclaimed later by TOMOYO's garbage
 * collector - confirm.
 *
 * Returns nothing.
 */
static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
{
	struct tomoyo_name *owner;

	if (!name)
		return;

	owner = container_of(name, typeof(*owner), entry);
	atomic_dec(&owner->head.users);
}
1183  
/**
 * tomoyo_put_condition - Drop reference on "struct tomoyo_condition".
 *
 * @cond: Pointer to "struct tomoyo_condition". Maybe NULL.
 *
 * Only decrements @cond->head.users; nothing is freed here, and the counter
 * is not checked for underflow.
 *
 * Returns nothing.
 */
static inline void tomoyo_put_condition(struct tomoyo_condition *cond)
{
	if (!cond)
		return;

	atomic_dec(&cond->head.users);
}
1196  
/**
 * tomoyo_put_group - Drop reference on "struct tomoyo_group".
 *
 * @group: Pointer to "struct tomoyo_group". Maybe NULL.
 *
 * Only decrements @group->head.users; nothing is freed here, and the counter
 * is not checked for underflow.
 *
 * Returns nothing.
 */
static inline void tomoyo_put_group(struct tomoyo_group *group)
{
	if (!group)
		return;

	atomic_dec(&group->head.users);
}
1209  
/**
 * tomoyo_task - Get "struct tomoyo_task" for specified thread.
 *
 * @task: Pointer to "struct task_struct".
 *
 * The structure lives inside the task's security blob, at the offset stored
 * in tomoyo_blob_sizes.lbs_task. No NULL check is made on @task or on its
 * security pointer.
 * NOTE(review): this assumes the blob has already been allocated for @task -
 * confirm for every call site.
 *
 * Returns pointer to "struct tomoyo_task" for specified thread.
 */
static inline struct tomoyo_task *tomoyo_task(struct task_struct *task)
{
	void *blob = task->security;

	return blob + tomoyo_blob_sizes.lbs_task;
}
1221  
/**
 * tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry.
 *
 * @a: Pointer to "struct tomoyo_name_union".
 * @b: Pointer to "struct tomoyo_name_union".
 *
 * The filename and group members are compared with ==, not by content.
 * NOTE(review): presumably both are pointers to shared entries, so identity
 * implies equality - confirm.
 *
 * Returns true if @a == @b, false otherwise.
 */
static inline bool
tomoyo_same_name_union(const struct tomoyo_name_union *a,
		       const struct tomoyo_name_union *b)
{
	if (a->filename != b->filename)
		return false;

	return a->group == b->group;
}
1235  
/**
 * tomoyo_same_number_union - Check for duplicated "struct tomoyo_number_union" entry.
 *
 * @a: Pointer to "struct tomoyo_number_union".
 * @b: Pointer to "struct tomoyo_number_union".
 *
 * Two entries are the same when both values, both value types and the group
 * member all compare equal.
 *
 * Returns true if @a == @b, false otherwise.
 */
static inline bool
tomoyo_same_number_union(const struct tomoyo_number_union *a,
			 const struct tomoyo_number_union *b)
{
	int i;

	/* Slots 0 and 1 each carry a value and its value type. */
	for (i = 0; i < 2; i++) {
		if (a->values[i] != b->values[i])
			return false;
		if (a->value_type[i] != b->value_type[i])
			return false;
	}

	return a->group == b->group;
}
1251  
/**
 * tomoyo_same_ipaddr_union - Check for duplicated "struct tomoyo_ipaddr_union" entry.
 *
 * @a: Pointer to "struct tomoyo_ipaddr_union".
 * @b: Pointer to "struct tomoyo_ipaddr_union".
 *
 * The whole ip member is compared with memcmp() regardless of is_ipv6.
 * NOTE(review): for this to be reliable, bytes of ip that an entry does not
 * use have to be initialised consistently - confirm where entries are built.
 *
 * Returns true if @a == @b, false otherwise.
 */
static inline bool
tomoyo_same_ipaddr_union(const struct tomoyo_ipaddr_union *a,
			 const struct tomoyo_ipaddr_union *b)
{
	if (memcmp(a->ip, b->ip, sizeof(a->ip)) != 0)
		return false;
	if (a->group != b->group)
		return false;

	return a->is_ipv6 == b->is_ipv6;
}
1266  
/**
 * tomoyo_current_namespace - Get "struct tomoyo_policy_namespace" for current thread.
 *
 * Reads the ns member of the domain returned by tomoyo_domain(); that return
 * value is dereferenced without a NULL check.
 *
 * Returns pointer to "struct tomoyo_policy_namespace" for current thread.
 */
static inline struct tomoyo_policy_namespace *tomoyo_current_namespace(void)
{
	struct tomoyo_domain_info *domain = tomoyo_domain();

	return domain->ns;
}
1276  
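/**
 * list_for_each_cookie - iterate over a list with cookie.
 * @pos:        the &struct list_head to use as a loop cursor.
 * @head:       the head for your list.
 *
 * If @pos is NULL the walk starts at the first element of @head; otherwise
 * it resumes from the element @pos already points to. The loop ends when
 * @pos reaches @head again. List pointers are followed with
 * srcu_dereference() on tomoyo_ss, so the caller is expected to be inside a
 * tomoyo_read_lock() section.
 *
 * The macro expands to a single "for" statement, so it is safe as the body
 * of an unbraced if/else, and both arguments are parenthesised. @pos is
 * evaluated more than once and must be an lvalue without side effects; when
 * it is already set, it is stored back unchanged before the first test.
 */
#define list_for_each_cookie(pos, head)					\
	for ((pos) = (pos) ? (pos) :					\
			srcu_dereference((head)->next, &tomoyo_ss);	\
	     (pos) != (head);						\
	     (pos) = srcu_dereference((pos)->next, &tomoyo_ss))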
1286  
1287  #endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */
1288