Root/
1 | /* |
2 | * security/tomoyo/common.h |
3 | * |
4 | * Header file for TOMOYO. |
5 | * |
6 | * Copyright (C) 2005-2010 NTT DATA CORPORATION |
7 | */ |
8 | |
9 | #ifndef _SECURITY_TOMOYO_COMMON_H |
10 | #define _SECURITY_TOMOYO_COMMON_H |
11 | |
12 | #include <linux/ctype.h> |
13 | #include <linux/string.h> |
14 | #include <linux/mm.h> |
15 | #include <linux/file.h> |
16 | #include <linux/kmod.h> |
17 | #include <linux/fs.h> |
18 | #include <linux/sched.h> |
19 | #include <linux/namei.h> |
20 | #include <linux/mount.h> |
21 | #include <linux/list.h> |
22 | #include <linux/cred.h> |
23 | struct linux_binprm; |
24 | |
25 | /********** Constants definitions. **********/ |
26 | |
27 | /* |
28 | * TOMOYO uses this hash only when appending a string into the string |
29 | * table. Frequency of appending strings is very low. So we don't need |
30 | * large (e.g. 64k) hash size. 256 will be sufficient. |
31 | */ |
32 | #define TOMOYO_HASH_BITS 8 |
33 | #define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS) |
34 | |
35 | /* |
36 | * This is the max length of a token. |
37 | * |
38 | * A token consists of only ASCII printable characters. |
39 | * Non printable characters in a token is represented in \ooo style |
40 | * octal string. Thus, \ itself is represented as \\. |
41 | */ |
42 | #define TOMOYO_MAX_PATHNAME_LEN 4000 |
43 | |
44 | /* Profile number is an integer between 0 and 255. */ |
45 | #define TOMOYO_MAX_PROFILES 256 |
46 | |
47 | /* Keywords for ACLs. */ |
48 | #define TOMOYO_KEYWORD_ALIAS "alias " |
49 | #define TOMOYO_KEYWORD_ALLOW_READ "allow_read " |
50 | #define TOMOYO_KEYWORD_DELETE "delete " |
51 | #define TOMOYO_KEYWORD_DENY_REWRITE "deny_rewrite " |
52 | #define TOMOYO_KEYWORD_FILE_PATTERN "file_pattern " |
53 | #define TOMOYO_KEYWORD_INITIALIZE_DOMAIN "initialize_domain " |
54 | #define TOMOYO_KEYWORD_KEEP_DOMAIN "keep_domain " |
55 | #define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain " |
56 | #define TOMOYO_KEYWORD_NO_KEEP_DOMAIN "no_keep_domain " |
57 | #define TOMOYO_KEYWORD_SELECT "select " |
58 | #define TOMOYO_KEYWORD_USE_PROFILE "use_profile " |
59 | #define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read" |
60 | /* A domain definition starts with <kernel>. */ |
61 | #define TOMOYO_ROOT_NAME "<kernel>" |
62 | #define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1) |
63 | |
64 | /* Index numbers for Access Controls. */ |
65 | enum tomoyo_mac_index { |
66 | TOMOYO_MAC_FOR_FILE, /* domain_policy.conf */ |
67 | TOMOYO_MAX_ACCEPT_ENTRY, |
68 | TOMOYO_VERBOSE, |
69 | TOMOYO_MAX_CONTROL_INDEX |
70 | }; |
71 | |
72 | /* Index numbers for Access Controls. */ |
73 | enum tomoyo_acl_entry_type_index { |
74 | TOMOYO_TYPE_PATH_ACL, |
75 | TOMOYO_TYPE_PATH2_ACL, |
76 | }; |
77 | |
78 | /* Index numbers for File Controls. */ |
79 | |
80 | /* |
81 | * TYPE_READ_WRITE_ACL is special. TYPE_READ_WRITE_ACL is automatically set |
82 | * if both TYPE_READ_ACL and TYPE_WRITE_ACL are set. Both TYPE_READ_ACL and |
83 | * TYPE_WRITE_ACL are automatically set if TYPE_READ_WRITE_ACL is set. |
84 | * TYPE_READ_WRITE_ACL is automatically cleared if either TYPE_READ_ACL or |
85 | * TYPE_WRITE_ACL is cleared. Both TYPE_READ_ACL and TYPE_WRITE_ACL are |
86 | * automatically cleared if TYPE_READ_WRITE_ACL is cleared. |
87 | */ |
88 | |
89 | enum tomoyo_path_acl_index { |
90 | TOMOYO_TYPE_READ_WRITE, |
91 | TOMOYO_TYPE_EXECUTE, |
92 | TOMOYO_TYPE_READ, |
93 | TOMOYO_TYPE_WRITE, |
94 | TOMOYO_TYPE_CREATE, |
95 | TOMOYO_TYPE_UNLINK, |
96 | TOMOYO_TYPE_MKDIR, |
97 | TOMOYO_TYPE_RMDIR, |
98 | TOMOYO_TYPE_MKFIFO, |
99 | TOMOYO_TYPE_MKSOCK, |
100 | TOMOYO_TYPE_MKBLOCK, |
101 | TOMOYO_TYPE_MKCHAR, |
102 | TOMOYO_TYPE_TRUNCATE, |
103 | TOMOYO_TYPE_SYMLINK, |
104 | TOMOYO_TYPE_REWRITE, |
105 | TOMOYO_TYPE_IOCTL, |
106 | TOMOYO_TYPE_CHMOD, |
107 | TOMOYO_TYPE_CHOWN, |
108 | TOMOYO_TYPE_CHGRP, |
109 | TOMOYO_TYPE_CHROOT, |
110 | TOMOYO_TYPE_MOUNT, |
111 | TOMOYO_TYPE_UMOUNT, |
112 | TOMOYO_MAX_PATH_OPERATION |
113 | }; |
114 | |
115 | enum tomoyo_path2_acl_index { |
116 | TOMOYO_TYPE_LINK, |
117 | TOMOYO_TYPE_RENAME, |
118 | TOMOYO_TYPE_PIVOT_ROOT, |
119 | TOMOYO_MAX_PATH2_OPERATION |
120 | }; |
121 | |
122 | enum tomoyo_securityfs_interface_index { |
123 | TOMOYO_DOMAINPOLICY, |
124 | TOMOYO_EXCEPTIONPOLICY, |
125 | TOMOYO_DOMAIN_STATUS, |
126 | TOMOYO_PROCESS_STATUS, |
127 | TOMOYO_MEMINFO, |
128 | TOMOYO_SELFDOMAIN, |
129 | TOMOYO_VERSION, |
130 | TOMOYO_PROFILE, |
131 | TOMOYO_MANAGER |
132 | }; |
133 | |
134 | /********** Structure definitions. **********/ |
135 | |
136 | /* |
137 | * tomoyo_page_buffer is a structure which is used for holding a pathname |
138 | * obtained from "struct dentry" and "struct vfsmount" pair. |
139 | * As of now, it is 4096 bytes. If users complain that 4096 bytes is too small |
140 | * (because TOMOYO escapes non ASCII printable characters using \ooo format), |
141 | * we will make the buffer larger. |
142 | */ |
143 | struct tomoyo_page_buffer { |
144 | char buffer[4096]; |
145 | }; |
146 | |
147 | /* |
148 | * tomoyo_path_info is a structure which is used for holding a string data |
149 | * used by TOMOYO. |
150 | * This structure has several fields for supporting pattern matching. |
151 | * |
152 | * (1) "name" is the '\0' terminated string data. |
153 | * (2) "hash" is full_name_hash(name, strlen(name)). |
154 | * This allows tomoyo_pathcmp() to compare by hash before actually compare |
155 | * using strcmp(). |
156 | * (3) "const_len" is the length of the initial segment of "name" which |
157 | * consists entirely of non wildcard characters. In other words, the length |
158 | * which we can compare two strings using strncmp(). |
159 | * (4) "is_dir" is a bool which is true if "name" ends with "/", |
160 | * false otherwise. |
161 | * TOMOYO distinguishes directory and non-directory. A directory ends with |
162 | * "/" and non-directory does not end with "/". |
163 | * (5) "is_patterned" is a bool which is true if "name" contains wildcard |
164 | * characters, false otherwise. This allows TOMOYO to use "hash" and |
165 | * strcmp() for string comparison if "is_patterned" is false. |
166 | */ |
167 | struct tomoyo_path_info { |
168 | const char *name; |
169 | u32 hash; /* = full_name_hash(name, strlen(name)) */ |
170 | u16 const_len; /* = tomoyo_const_part_length(name) */ |
171 | bool is_dir; /* = tomoyo_strendswith(name, "/") */ |
172 | bool is_patterned; /* = tomoyo_path_contains_pattern(name) */ |
173 | }; |
174 | |
175 | /* |
176 | * tomoyo_name_entry is a structure which is used for linking |
177 | * "struct tomoyo_path_info" into tomoyo_name_list . |
178 | */ |
179 | struct tomoyo_name_entry { |
180 | struct list_head list; |
181 | atomic_t users; |
182 | struct tomoyo_path_info entry; |
183 | }; |
184 | |
185 | /* |
186 | * tomoyo_path_info_with_data is a structure which is used for holding a |
187 | * pathname obtained from "struct dentry" and "struct vfsmount" pair. |
188 | * |
189 | * "struct tomoyo_path_info_with_data" consists of "struct tomoyo_path_info" |
190 | * and buffer for the pathname, while "struct tomoyo_page_buffer" consists of |
191 | * buffer for the pathname only. |
192 | * |
193 | * "struct tomoyo_path_info_with_data" is intended to allow TOMOYO to release |
194 | * both "struct tomoyo_path_info" and buffer for the pathname by single kfree() |
195 | * so that we don't need to return two pointers to the caller. If the caller |
196 | * puts "struct tomoyo_path_info" on stack memory, we will be able to remove |
197 | * "struct tomoyo_path_info_with_data". |
198 | */ |
199 | struct tomoyo_path_info_with_data { |
200 | /* Keep "head" first, for this pointer is passed to kfree(). */ |
201 | struct tomoyo_path_info head; |
202 | char barrier1[16]; /* Safeguard for overrun. */ |
203 | char body[TOMOYO_MAX_PATHNAME_LEN]; |
204 | char barrier2[16]; /* Safeguard for overrun. */ |
205 | }; |
206 | |
207 | /* |
208 | * tomoyo_acl_info is a structure which is used for holding |
209 | * |
210 | * (1) "list" which is linked to the ->acl_info_list of |
211 | * "struct tomoyo_domain_info" |
212 | * (2) "type" which tells type of the entry (either |
213 | * "struct tomoyo_path_acl" or "struct tomoyo_path2_acl"). |
214 | * |
215 | * Packing "struct tomoyo_acl_info" allows |
216 | * "struct tomoyo_path_acl" to embed "u8" + "u16" and |
217 | * "struct tomoyo_path2_acl" to embed "u8" |
218 | * without enlarging their structure size. |
219 | */ |
220 | struct tomoyo_acl_info { |
221 | struct list_head list; |
222 | u8 type; |
223 | } __packed; |
224 | |
225 | /* |
226 | * tomoyo_domain_info is a structure which is used for holding permissions |
227 | * (e.g. "allow_read /lib/libc-2.5.so") given to each domain. |
228 | * It has following fields. |
229 | * |
230 | * (1) "list" which is linked to tomoyo_domain_list . |
231 | * (2) "acl_info_list" which is linked to "struct tomoyo_acl_info". |
232 | * (3) "domainname" which holds the name of the domain. |
233 | * (4) "profile" which remembers profile number assigned to this domain. |
234 | * (5) "is_deleted" is a bool which is true if this domain is marked as |
235 | * "deleted", false otherwise. |
236 | * (6) "quota_warned" is a bool which is used for suppressing warning message |
237 | * when learning mode learned too much entries. |
238 | * (7) "ignore_global_allow_read" is a bool which is true if this domain |
239 | * should ignore "allow_read" directive in exception policy. |
240 | * (8) "transition_failed" is a bool which is set to true when this domain was |
241 | * unable to create a new domain at tomoyo_find_next_domain() because the |
242 | * name of the domain to be created was too long or it could not allocate |
243 | * memory. If set to true, more than one process continued execve() |
244 | * without domain transition. |
245 | * (9) "users" is an atomic_t that holds how many "struct cred"->security |
246 | * are referring this "struct tomoyo_domain_info". If is_deleted == true |
247 | * and users == 0, this struct will be kfree()d upon next garbage |
248 | * collection. |
249 | * |
250 | * A domain's lifecycle is an analogy of files on / directory. |
251 | * Multiple domains with the same domainname cannot be created (as with |
252 | * creating files with the same filename fails with -EEXIST). |
253 | * If a process reached a domain, that process can reside in that domain after |
254 | * that domain is marked as "deleted" (as with a process can access an already |
255 | * open()ed file after that file was unlink()ed). |
256 | */ |
257 | struct tomoyo_domain_info { |
258 | struct list_head list; |
259 | struct list_head acl_info_list; |
260 | /* Name of this domain. Never NULL. */ |
261 | const struct tomoyo_path_info *domainname; |
262 | u8 profile; /* Profile number to use. */ |
263 | bool is_deleted; /* Delete flag. */ |
264 | bool quota_warned; /* Quota warnning flag. */ |
265 | bool ignore_global_allow_read; /* Ignore "allow_read" flag. */ |
266 | bool transition_failed; /* Domain transition failed flag. */ |
267 | atomic_t users; /* Number of referring credentials. */ |
268 | }; |
269 | |
270 | /* |
271 | * tomoyo_path_acl is a structure which is used for holding an |
272 | * entry with one pathname operation (e.g. open(), mkdir()). |
273 | * It has following fields. |
274 | * |
275 | * (1) "head" which is a "struct tomoyo_acl_info". |
276 | * (2) "perm" which is a bitmask of permitted operations. |
277 | * (3) "filename" is the pathname. |
278 | * |
279 | * Directives held by this structure are "allow_read/write", "allow_execute", |
280 | * "allow_read", "allow_write", "allow_create", "allow_unlink", "allow_mkdir", |
281 | * "allow_rmdir", "allow_mkfifo", "allow_mksock", "allow_mkblock", |
282 | * "allow_mkchar", "allow_truncate", "allow_symlink", "allow_rewrite", |
283 | * "allow_chmod", "allow_chown", "allow_chgrp", "allow_chroot", "allow_mount" |
284 | * and "allow_unmount". |
285 | */ |
286 | struct tomoyo_path_acl { |
287 | struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */ |
288 | u8 perm_high; |
289 | u16 perm; |
290 | /* Pointer to single pathname. */ |
291 | const struct tomoyo_path_info *filename; |
292 | }; |
293 | |
294 | /* |
295 | * tomoyo_path2_acl is a structure which is used for holding an |
296 | * entry with two pathnames operation (i.e. link(), rename() and pivot_root()). |
297 | * It has following fields. |
298 | * |
299 | * (1) "head" which is a "struct tomoyo_acl_info". |
300 | * (2) "perm" which is a bitmask of permitted operations. |
301 | * (3) "filename1" is the source/old pathname. |
302 | * (4) "filename2" is the destination/new pathname. |
303 | * |
304 | * Directives held by this structure are "allow_rename", "allow_link" and |
305 | * "allow_pivot_root". |
306 | */ |
307 | struct tomoyo_path2_acl { |
308 | struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */ |
309 | u8 perm; |
310 | /* Pointer to single pathname. */ |
311 | const struct tomoyo_path_info *filename1; |
312 | /* Pointer to single pathname. */ |
313 | const struct tomoyo_path_info *filename2; |
314 | }; |
315 | |
316 | /* |
317 | * tomoyo_io_buffer is a structure which is used for reading and modifying |
318 | * configuration via /sys/kernel/security/tomoyo/ interface. |
319 | * It has many fields. ->read_var1 , ->read_var2 , ->write_var1 are used as |
320 | * cursors. |
321 | * |
322 | * Since the content of /sys/kernel/security/tomoyo/domain_policy is a list of |
323 | * "struct tomoyo_domain_info" entries and each "struct tomoyo_domain_info" |
324 | * entry has a list of "struct tomoyo_acl_info", we need two cursors when |
325 | * reading (one is for traversing tomoyo_domain_list and the other is for |
326 | * traversing "struct tomoyo_acl_info"->acl_info_list ). |
327 | * |
328 | * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with |
329 | * "select ", TOMOYO seeks the cursor ->read_var1 and ->write_var1 to the |
330 | * domain with the domainname specified by the rest of that line (NULL is set |
331 | * if seek failed). |
332 | * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with |
333 | * "delete ", TOMOYO deletes an entry or a domain specified by the rest of that |
334 | * line (->write_var1 is set to NULL if a domain was deleted). |
335 | * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with |
336 | * neither "select " nor "delete ", an entry or a domain specified by that line |
337 | * is appended. |
338 | */ |
339 | struct tomoyo_io_buffer { |
340 | int (*read) (struct tomoyo_io_buffer *); |
341 | int (*write) (struct tomoyo_io_buffer *); |
342 | /* Exclusive lock for this structure. */ |
343 | struct mutex io_sem; |
344 | /* Index returned by tomoyo_read_lock(). */ |
345 | int reader_idx; |
346 | /* The position currently reading from. */ |
347 | struct list_head *read_var1; |
348 | /* Extra variables for reading. */ |
349 | struct list_head *read_var2; |
350 | /* The position currently writing to. */ |
351 | struct tomoyo_domain_info *write_var1; |
352 | /* The step for reading. */ |
353 | int read_step; |
354 | /* Buffer for reading. */ |
355 | char *read_buf; |
356 | /* EOF flag for reading. */ |
357 | bool read_eof; |
358 | /* Read domain ACL of specified PID? */ |
359 | bool read_single_domain; |
360 | /* Extra variable for reading. */ |
361 | u8 read_bit; |
362 | /* Bytes available for reading. */ |
363 | int read_avail; |
364 | /* Size of read buffer. */ |
365 | int readbuf_size; |
366 | /* Buffer for writing. */ |
367 | char *write_buf; |
368 | /* Bytes available for writing. */ |
369 | int write_avail; |
370 | /* Size of write buffer. */ |
371 | int writebuf_size; |
372 | }; |
373 | |
374 | /* |
375 | * tomoyo_globally_readable_file_entry is a structure which is used for holding |
376 | * "allow_read" entries. |
377 | * It has following fields. |
378 | * |
379 | * (1) "list" which is linked to tomoyo_globally_readable_list . |
380 | * (2) "filename" is a pathname which is allowed to open(O_RDONLY). |
381 | * (3) "is_deleted" is a bool which is true if marked as deleted, false |
382 | * otherwise. |
383 | */ |
384 | struct tomoyo_globally_readable_file_entry { |
385 | struct list_head list; |
386 | const struct tomoyo_path_info *filename; |
387 | bool is_deleted; |
388 | }; |
389 | |
390 | /* |
391 | * tomoyo_pattern_entry is a structure which is used for holding |
392 | * "tomoyo_pattern_list" entries. |
393 | * It has following fields. |
394 | * |
395 | * (1) "list" which is linked to tomoyo_pattern_list . |
396 | * (2) "pattern" is a pathname pattern which is used for converting pathnames |
397 | * to pathname patterns during learning mode. |
398 | * (3) "is_deleted" is a bool which is true if marked as deleted, false |
399 | * otherwise. |
400 | */ |
401 | struct tomoyo_pattern_entry { |
402 | struct list_head list; |
403 | const struct tomoyo_path_info *pattern; |
404 | bool is_deleted; |
405 | }; |
406 | |
407 | /* |
408 | * tomoyo_no_rewrite_entry is a structure which is used for holding |
409 | * "deny_rewrite" entries. |
410 | * It has following fields. |
411 | * |
412 | * (1) "list" which is linked to tomoyo_no_rewrite_list . |
413 | * (2) "pattern" is a pathname which is by default not permitted to modify |
414 | * already existing content. |
415 | * (3) "is_deleted" is a bool which is true if marked as deleted, false |
416 | * otherwise. |
417 | */ |
418 | struct tomoyo_no_rewrite_entry { |
419 | struct list_head list; |
420 | const struct tomoyo_path_info *pattern; |
421 | bool is_deleted; |
422 | }; |
423 | |
424 | /* |
425 | * tomoyo_domain_initializer_entry is a structure which is used for holding |
426 | * "initialize_domain" and "no_initialize_domain" entries. |
427 | * It has following fields. |
428 | * |
429 | * (1) "list" which is linked to tomoyo_domain_initializer_list . |
430 | * (2) "domainname" which is "a domainname" or "the last component of a |
431 | * domainname". This field is NULL if "from" clause is not specified. |
432 | * (3) "program" which is a program's pathname. |
433 | * (4) "is_deleted" is a bool which is true if marked as deleted, false |
434 | * otherwise. |
435 | * (5) "is_not" is a bool which is true if "no_initialize_domain", false |
436 | * otherwise. |
437 | * (6) "is_last_name" is a bool which is true if "domainname" is "the last |
438 | * component of a domainname", false otherwise. |
439 | */ |
440 | struct tomoyo_domain_initializer_entry { |
441 | struct list_head list; |
442 | const struct tomoyo_path_info *domainname; /* This may be NULL */ |
443 | const struct tomoyo_path_info *program; |
444 | bool is_deleted; |
445 | bool is_not; /* True if this entry is "no_initialize_domain". */ |
446 | /* True if the domainname is tomoyo_get_last_name(). */ |
447 | bool is_last_name; |
448 | }; |
449 | |
450 | /* |
451 | * tomoyo_domain_keeper_entry is a structure which is used for holding |
452 | * "keep_domain" and "no_keep_domain" entries. |
453 | * It has following fields. |
454 | * |
455 | * (1) "list" which is linked to tomoyo_domain_keeper_list . |
456 | * (2) "domainname" which is "a domainname" or "the last component of a |
457 | * domainname". |
458 | * (3) "program" which is a program's pathname. |
459 | * This field is NULL if "from" clause is not specified. |
460 | * (4) "is_deleted" is a bool which is true if marked as deleted, false |
461 | * otherwise. |
462 | * (5) "is_not" is a bool which is true if "no_initialize_domain", false |
463 | * otherwise. |
464 | * (6) "is_last_name" is a bool which is true if "domainname" is "the last |
465 | * component of a domainname", false otherwise. |
466 | */ |
467 | struct tomoyo_domain_keeper_entry { |
468 | struct list_head list; |
469 | const struct tomoyo_path_info *domainname; |
470 | const struct tomoyo_path_info *program; /* This may be NULL */ |
471 | bool is_deleted; |
472 | bool is_not; /* True if this entry is "no_keep_domain". */ |
473 | /* True if the domainname is tomoyo_get_last_name(). */ |
474 | bool is_last_name; |
475 | }; |
476 | |
477 | /* |
478 | * tomoyo_alias_entry is a structure which is used for holding "alias" entries. |
479 | * It has following fields. |
480 | * |
481 | * (1) "list" which is linked to tomoyo_alias_list . |
482 | * (2) "original_name" which is a dereferenced pathname. |
483 | * (3) "aliased_name" which is a symlink's pathname. |
484 | * (4) "is_deleted" is a bool which is true if marked as deleted, false |
485 | * otherwise. |
486 | */ |
487 | struct tomoyo_alias_entry { |
488 | struct list_head list; |
489 | const struct tomoyo_path_info *original_name; |
490 | const struct tomoyo_path_info *aliased_name; |
491 | bool is_deleted; |
492 | }; |
493 | |
494 | /* |
495 | * tomoyo_policy_manager_entry is a structure which is used for holding list of |
496 | * domainnames or programs which are permitted to modify configuration via |
497 | * /sys/kernel/security/tomoyo/ interface. |
498 | * It has following fields. |
499 | * |
500 | * (1) "list" which is linked to tomoyo_policy_manager_list . |
501 | * (2) "manager" is a domainname or a program's pathname. |
502 | * (3) "is_domain" is a bool which is true if "manager" is a domainname, false |
503 | * otherwise. |
504 | * (4) "is_deleted" is a bool which is true if marked as deleted, false |
505 | * otherwise. |
506 | */ |
507 | struct tomoyo_policy_manager_entry { |
508 | struct list_head list; |
509 | /* A path to program or a domainname. */ |
510 | const struct tomoyo_path_info *manager; |
511 | bool is_domain; /* True if manager is a domainname. */ |
512 | bool is_deleted; /* True if this entry is deleted. */ |
513 | }; |
514 | |
515 | /********** Function prototypes. **********/ |
516 | |
517 | /* Check whether the domain has too many ACL entries to hold. */ |
518 | bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain); |
519 | /* Transactional sprintf() for policy dump. */ |
520 | bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...) |
521 | __attribute__ ((format(printf, 2, 3))); |
522 | /* Check whether the domainname is correct. */ |
523 | bool tomoyo_is_correct_domain(const unsigned char *domainname); |
524 | /* Check whether the token is correct. */ |
525 | bool tomoyo_is_correct_path(const char *filename, const s8 start_type, |
526 | const s8 pattern_type, const s8 end_type); |
527 | /* Check whether the token can be a domainname. */ |
528 | bool tomoyo_is_domain_def(const unsigned char *buffer); |
529 | /* Check whether the given filename matches the given pattern. */ |
530 | bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, |
531 | const struct tomoyo_path_info *pattern); |
532 | /* Read "alias" entry in exception policy. */ |
533 | bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head); |
534 | /* |
535 | * Read "initialize_domain" and "no_initialize_domain" entry |
536 | * in exception policy. |
537 | */ |
538 | bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head); |
539 | /* Read "keep_domain" and "no_keep_domain" entry in exception policy. */ |
540 | bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head); |
541 | /* Read "file_pattern" entry in exception policy. */ |
542 | bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head); |
543 | /* Read "allow_read" entry in exception policy. */ |
544 | bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head); |
545 | /* Read "deny_rewrite" entry in exception policy. */ |
546 | bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head); |
547 | /* Write domain policy violation warning message to console? */ |
548 | bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain); |
549 | /* Convert double path operation to operation name. */ |
550 | const char *tomoyo_path22keyword(const u8 operation); |
551 | /* Get the last component of the given domainname. */ |
552 | const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain); |
553 | /* Get warning message. */ |
554 | const char *tomoyo_get_msg(const bool is_enforce); |
555 | /* Convert single path operation to operation name. */ |
556 | const char *tomoyo_path2keyword(const u8 operation); |
557 | /* Create "alias" entry in exception policy. */ |
558 | int tomoyo_write_alias_policy(char *data, const bool is_delete); |
559 | /* |
560 | * Create "initialize_domain" and "no_initialize_domain" entry |
561 | * in exception policy. |
562 | */ |
563 | int tomoyo_write_domain_initializer_policy(char *data, const bool is_not, |
564 | const bool is_delete); |
565 | /* Create "keep_domain" and "no_keep_domain" entry in exception policy. */ |
566 | int tomoyo_write_domain_keeper_policy(char *data, const bool is_not, |
567 | const bool is_delete); |
568 | /* |
569 | * Create "allow_read/write", "allow_execute", "allow_read", "allow_write", |
570 | * "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir", |
571 | * "allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar", |
572 | * "allow_truncate", "allow_symlink", "allow_rewrite", "allow_rename" and |
573 | * "allow_link" entry in domain policy. |
574 | */ |
575 | int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain, |
576 | const bool is_delete); |
577 | /* Create "allow_read" entry in exception policy. */ |
578 | int tomoyo_write_globally_readable_policy(char *data, const bool is_delete); |
579 | /* Create "deny_rewrite" entry in exception policy. */ |
580 | int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete); |
581 | /* Create "file_pattern" entry in exception policy. */ |
582 | int tomoyo_write_pattern_policy(char *data, const bool is_delete); |
583 | /* Find a domain by the given name. */ |
584 | struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname); |
585 | /* Find or create a domain by the given name. */ |
586 | struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char * |
587 | domainname, |
588 | const u8 profile); |
589 | /* Check mode for specified functionality. */ |
590 | unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain, |
591 | const u8 index); |
592 | /* Fill in "struct tomoyo_path_info" members. */ |
593 | void tomoyo_fill_path_info(struct tomoyo_path_info *ptr); |
594 | /* Run policy loader when /sbin/init starts. */ |
595 | void tomoyo_load_policy(const char *filename); |
596 | |
597 | /* Convert binary string to ascii string. */ |
598 | int tomoyo_encode(char *buffer, int buflen, const char *str); |
599 | |
600 | /* Returns realpath(3) of the given pathname but ignores chroot'ed root. */ |
601 | int tomoyo_realpath_from_path2(struct path *path, char *newname, |
602 | int newname_len); |
603 | |
604 | /* |
605 | * Returns realpath(3) of the given pathname but ignores chroot'ed root. |
606 | * These functions use kzalloc(), so the caller must call kfree() |
607 | * if these functions didn't return NULL. |
608 | */ |
609 | char *tomoyo_realpath(const char *pathname); |
610 | /* |
611 | * Same with tomoyo_realpath() except that it doesn't follow the final symlink. |
612 | */ |
613 | char *tomoyo_realpath_nofollow(const char *pathname); |
614 | /* Same with tomoyo_realpath() except that the pathname is already solved. */ |
615 | char *tomoyo_realpath_from_path(struct path *path); |
616 | |
617 | /* Check memory quota. */ |
618 | bool tomoyo_memory_ok(void *ptr); |
619 | |
620 | /* |
621 | * Keep the given name on the RAM. |
622 | * The RAM is shared, so NEVER try to modify or kfree() the returned name. |
623 | */ |
624 | const struct tomoyo_path_info *tomoyo_get_name(const char *name); |
625 | |
626 | /* Check for memory usage. */ |
627 | int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head); |
628 | |
629 | /* Set memory quota. */ |
630 | int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head); |
631 | |
632 | /* Initialize realpath related code. */ |
633 | void __init tomoyo_realpath_init(void); |
634 | int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, |
635 | const struct tomoyo_path_info *filename); |
636 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, |
637 | struct path *path, const int flag); |
638 | int tomoyo_path_perm(const u8 operation, struct path *path); |
639 | int tomoyo_path2_perm(const u8 operation, struct path *path1, |
640 | struct path *path2); |
641 | int tomoyo_check_rewrite_permission(struct file *filp); |
642 | int tomoyo_find_next_domain(struct linux_binprm *bprm); |
643 | |
644 | /* Run garbage collector. */ |
645 | void tomoyo_run_gc(void); |
646 | |
647 | void tomoyo_memory_free(void *ptr); |
648 | |
649 | /********** External variable definitions. **********/ |
650 | |
651 | /* Lock for GC. */ |
652 | extern struct srcu_struct tomoyo_ss; |
653 | |
654 | /* The list for "struct tomoyo_domain_info". */ |
655 | extern struct list_head tomoyo_domain_list; |
656 | |
657 | extern struct list_head tomoyo_domain_initializer_list; |
658 | extern struct list_head tomoyo_domain_keeper_list; |
659 | extern struct list_head tomoyo_alias_list; |
660 | extern struct list_head tomoyo_globally_readable_list; |
661 | extern struct list_head tomoyo_pattern_list; |
662 | extern struct list_head tomoyo_no_rewrite_list; |
663 | extern struct list_head tomoyo_policy_manager_list; |
664 | extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH]; |
665 | extern struct mutex tomoyo_name_list_lock; |
666 | |
667 | /* Lock for protecting policy. */ |
668 | extern struct mutex tomoyo_policy_lock; |
669 | |
670 | /* Has /sbin/init started? */ |
671 | extern bool tomoyo_policy_loaded; |
672 | |
673 | /* The kernel's domain. */ |
674 | extern struct tomoyo_domain_info tomoyo_kernel_domain; |
675 | |
676 | /********** Inlined functions. **********/ |
677 | |
678 | static inline int tomoyo_read_lock(void) |
679 | { |
680 | return srcu_read_lock(&tomoyo_ss); |
681 | } |
682 | |
683 | static inline void tomoyo_read_unlock(int idx) |
684 | { |
685 | srcu_read_unlock(&tomoyo_ss, idx); |
686 | } |
687 | |
688 | /* strcmp() for "struct tomoyo_path_info" structure. */ |
689 | static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a, |
690 | const struct tomoyo_path_info *b) |
691 | { |
692 | return a->hash != b->hash || strcmp(a->name, b->name); |
693 | } |
694 | |
695 | /** |
696 | * tomoyo_is_valid - Check whether the character is a valid char. |
697 | * |
698 | * @c: The character to check. |
699 | * |
700 | * Returns true if @c is a valid character, false otherwise. |
701 | */ |
702 | static inline bool tomoyo_is_valid(const unsigned char c) |
703 | { |
704 | return c > ' ' && c < 127; |
705 | } |
706 | |
707 | /** |
708 | * tomoyo_is_invalid - Check whether the character is an invalid char. |
709 | * |
710 | * @c: The character to check. |
711 | * |
712 | * Returns true if @c is an invalid character, false otherwise. |
713 | */ |
714 | static inline bool tomoyo_is_invalid(const unsigned char c) |
715 | { |
716 | return c && (c <= ' ' || c >= 127); |
717 | } |
718 | |
719 | static inline void tomoyo_put_name(const struct tomoyo_path_info *name) |
720 | { |
721 | if (name) { |
722 | struct tomoyo_name_entry *ptr = |
723 | container_of(name, struct tomoyo_name_entry, entry); |
724 | atomic_dec(&ptr->users); |
725 | } |
726 | } |
727 | |
728 | static inline struct tomoyo_domain_info *tomoyo_domain(void) |
729 | { |
730 | return current_cred()->security; |
731 | } |
732 | |
733 | static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct |
734 | *task) |
735 | { |
736 | return task_cred_xxx(task, security); |
737 | } |
738 | |
739 | /** |
740 | * list_for_each_cookie - iterate over a list with cookie. |
741 | * @pos: the &struct list_head to use as a loop cursor. |
742 | * @cookie: the &struct list_head to use as a cookie. |
743 | * @head: the head for your list. |
744 | * |
745 | * Same with list_for_each_rcu() except that this primitive uses @cookie |
746 | * so that we can continue iteration. |
747 | * @cookie must be NULL when iteration starts, and @cookie will become |
748 | * NULL when iteration finishes. |
749 | */ |
750 | #define list_for_each_cookie(pos, cookie, head) \ |
751 | for (({ if (!cookie) \ |
752 | cookie = head; }), \ |
753 | pos = rcu_dereference((cookie)->next); \ |
754 | prefetch(pos->next), pos != (head) || ((cookie) = NULL); \ |
755 | (cookie) = pos, pos = rcu_dereference(pos->next)) |
756 | |
757 | #endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */ |
758 |
Branches:
ben-wpan
ben-wpan-stefan
javiroman/ks7010
jz-2.6.34
jz-2.6.34-rc5
jz-2.6.34-rc6
jz-2.6.34-rc7
jz-2.6.35
jz-2.6.36
jz-2.6.37
jz-2.6.38
jz-2.6.39
jz-3.0
jz-3.1
jz-3.11
jz-3.12
jz-3.13
jz-3.15
jz-3.16
jz-3.18-dt
jz-3.2
jz-3.3
jz-3.4
jz-3.5
jz-3.6
jz-3.6-rc2-pwm
jz-3.9
jz-3.9-clk
jz-3.9-rc8
jz47xx
jz47xx-2.6.38
master
Tags:
od-2011-09-04
od-2011-09-18
v2.6.34-rc5
v2.6.34-rc6
v2.6.34-rc7
v3.9