2 * security/tomoyo/domain.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
15 #include <linux/binfmts.h>
17 /* Variables definitions.*/
19 /* The initial domain. */
20 struct tomoyo_domain_info tomoyo_kernel_domain;
23 * tomoyo_domain_list is used for holding list of domains.
24 * The ->acl_info_list of "struct tomoyo_domain_info" is used for holding
25 * permissions (e.g. "allow_read /lib/libc-2.5.so") given to each domain.
27 * An entry is added by
29 * # ( echo "<kernel>"; echo "allow_execute /sbin/init" ) > \
30 * /sys/kernel/security/tomoyo/domain_policy
34 * # ( echo "<kernel>"; echo "delete allow_execute /sbin/init" ) > \
35 * /sys/kernel/security/tomoyo/domain_policy
37 * and all entries are retrieved by
39 * # cat /sys/kernel/security/tomoyo/domain_policy
41 * A domain is added by
43 * # echo "<kernel>" > /sys/kernel/security/tomoyo/domain_policy
47 * # echo "delete <kernel>" > /sys/kernel/security/tomoyo/domain_policy
49 * and all domains are retrieved by
51 * # grep '^<kernel>' /sys/kernel/security/tomoyo/domain_policy
53 * Normally, a domainname is monotonically getting longer because a domainname
54 * which the process will belong to if an execve() operation succeeds is
55 * defined as a concatenation of "current domainname" + "pathname passed to
57 * See tomoyo_domain_initializer_list and tomoyo_domain_keeper_list for
60 LIST_HEAD(tomoyo_domain_list);
63 * tomoyo_domain_initializer_entry is a structure which is used for holding
64 * "initialize_domain" and "no_initialize_domain" entries.
65 * It has following fields.
67 * (1) "list" which is linked to tomoyo_domain_initializer_list .
68 * (2) "domainname" which is "a domainname" or "the last component of a
69 * domainname". This field is NULL if "from" clause is not specified.
70 * (3) "program" which is a program's pathname.
71 * (4) "is_deleted" is a bool which is true if marked as deleted, false
73 * (5) "is_not" is a bool which is true if "no_initialize_domain", false
75 * (6) "is_last_name" is a bool which is true if "domainname" is "the last
76 * component of a domainname", false otherwise.
78 struct tomoyo_domain_initializer_entry {
79 struct list_head list;
80 const struct tomoyo_path_info *domainname; /* This may be NULL */
81 const struct tomoyo_path_info *program;
83 bool is_not; /* True if this entry is "no_initialize_domain". */
84 /* True if the domainname is tomoyo_get_last_name(). */
89 * tomoyo_domain_keeper_entry is a structure which is used for holding
90 * "keep_domain" and "no_keep_domain" entries.
91 * It has following fields.
93 * (1) "list" which is linked to tomoyo_domain_keeper_list .
94 * (2) "domainname" which is "a domainname" or "the last component of a
96 * (3) "program" which is a program's pathname.
97 * This field is NULL if "from" clause is not specified.
98 * (4) "is_deleted" is a bool which is true if marked as deleted, false
100 * (5) "is_not" is a bool which is true if "no_initialize_domain", false
102 * (6) "is_last_name" is a bool which is true if "domainname" is "the last
103 * component of a domainname", false otherwise.
105 struct tomoyo_domain_keeper_entry {
106 struct list_head list;
107 const struct tomoyo_path_info *domainname;
108 const struct tomoyo_path_info *program; /* This may be NULL */
110 bool is_not; /* True if this entry is "no_keep_domain". */
111 /* True if the domainname is tomoyo_get_last_name(). */
116 * tomoyo_alias_entry is a structure which is used for holding "alias" entries.
117 * It has following fields.
119 * (1) "list" which is linked to tomoyo_alias_list .
120 * (2) "original_name" which is a dereferenced pathname.
121 * (3) "aliased_name" which is a symlink's pathname.
122 * (4) "is_deleted" is a bool which is true if marked as deleted, false
125 struct tomoyo_alias_entry {
126 struct list_head list;
127 const struct tomoyo_path_info *original_name;
128 const struct tomoyo_path_info *aliased_name;
133 * tomoyo_get_last_name - Get last component of a domainname.
135 * @domain: Pointer to "struct tomoyo_domain_info".
137 * Returns the last component of the domainname.
139 const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain)
141 const char *cp0 = domain->domainname->name;
142 const char *cp1 = strrchr(cp0, ' ');
150 * tomoyo_domain_initializer_list is used for holding list of programs which
151 * triggers reinitialization of domainname. Normally, a domainname is
152 * monotonically getting longer. But sometimes, we restart daemon programs.
153 * It would be convenient for us that "a daemon started upon system boot" and
154 * "the daemon restarted from console" belong to the same domain. Thus, TOMOYO
155 * provides a way to shorten domainnames.
157 * An entry is added by
159 * # echo 'initialize_domain /usr/sbin/httpd' > \
160 * /sys/kernel/security/tomoyo/exception_policy
164 * # echo 'delete initialize_domain /usr/sbin/httpd' > \
165 * /sys/kernel/security/tomoyo/exception_policy
167 * and all entries are retrieved by
169 * # grep ^initialize_domain /sys/kernel/security/tomoyo/exception_policy
171 * In the example above, /usr/sbin/httpd will belong to
172 * "<kernel> /usr/sbin/httpd" domain.
174 * You may specify a domainname using "from" keyword.
175 * "initialize_domain /usr/sbin/httpd from <kernel> /etc/rc.d/init.d/httpd"
176 * will cause "/usr/sbin/httpd" executed from "<kernel> /etc/rc.d/init.d/httpd"
177 * domain to belong to "<kernel> /usr/sbin/httpd" domain.
179 * You may add "no_" prefix to "initialize_domain".
180 * "initialize_domain /usr/sbin/httpd" and
181 * "no_initialize_domain /usr/sbin/httpd from <kernel> /etc/rc.d/init.d/httpd"
182 * will cause "/usr/sbin/httpd" to belong to "<kernel> /usr/sbin/httpd" domain
183 * unless executed from "<kernel> /etc/rc.d/init.d/httpd" domain.
185 static LIST_HEAD(tomoyo_domain_initializer_list);
188 * tomoyo_update_domain_initializer_entry - Update "struct tomoyo_domain_initializer_entry" list.
190 * @domainname: The name of domain. May be NULL.
191 * @program: The name of program.
192 * @is_not: True if it is "no_initialize_domain" entry.
193 * @is_delete: True if it is a delete request.
195 * Returns 0 on success, negative value otherwise.
197 * Caller holds tomoyo_read_lock().
199 static int tomoyo_update_domain_initializer_entry(const char *domainname,
202 const bool is_delete)
204 struct tomoyo_domain_initializer_entry *entry = NULL;
205 struct tomoyo_domain_initializer_entry *ptr;
206 const struct tomoyo_path_info *saved_program = NULL;
207 const struct tomoyo_path_info *saved_domainname = NULL;
208 int error = is_delete ? -ENOENT : -ENOMEM;
209 bool is_last_name = false;
211 if (!tomoyo_is_correct_path(program, 1, -1, -1, __func__))
212 return -EINVAL; /* No patterns allowed. */
214 if (!tomoyo_is_domain_def(domainname) &&
215 tomoyo_is_correct_path(domainname, 1, -1, -1, __func__))
217 else if (!tomoyo_is_correct_domain(domainname, __func__))
219 saved_domainname = tomoyo_get_name(domainname);
220 if (!saved_domainname)
223 saved_program = tomoyo_get_name(program);
227 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
228 mutex_lock(&tomoyo_policy_lock);
229 list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) {
230 if (ptr->is_not != is_not ||
231 ptr->domainname != saved_domainname ||
232 ptr->program != saved_program)
234 ptr->is_deleted = is_delete;
238 if (!is_delete && error && tomoyo_memory_ok(entry)) {
239 entry->domainname = saved_domainname;
240 saved_domainname = NULL;
241 entry->program = saved_program;
242 saved_program = NULL;
243 entry->is_not = is_not;
244 entry->is_last_name = is_last_name;
245 list_add_tail_rcu(&entry->list,
246 &tomoyo_domain_initializer_list);
250 mutex_unlock(&tomoyo_policy_lock);
252 tomoyo_put_name(saved_domainname);
253 tomoyo_put_name(saved_program);
259 * tomoyo_read_domain_initializer_policy - Read "struct tomoyo_domain_initializer_entry" list.
261 * @head: Pointer to "struct tomoyo_io_buffer".
263 * Returns true on success, false otherwise.
265 * Caller holds tomoyo_read_lock().
267 bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head)
269 struct list_head *pos;
272 list_for_each_cookie(pos, head->read_var2,
273 &tomoyo_domain_initializer_list) {
275 const char *from = "";
276 const char *domain = "";
277 struct tomoyo_domain_initializer_entry *ptr;
278 ptr = list_entry(pos, struct tomoyo_domain_initializer_entry,
282 no = ptr->is_not ? "no_" : "";
283 if (ptr->domainname) {
285 domain = ptr->domainname->name;
287 done = tomoyo_io_printf(head,
288 "%s" TOMOYO_KEYWORD_INITIALIZE_DOMAIN
289 "%s%s%s\n", no, ptr->program->name,
298 * tomoyo_write_domain_initializer_policy - Write "struct tomoyo_domain_initializer_entry" list.
300 * @data: String to parse.
301 * @is_not: True if it is "no_initialize_domain" entry.
302 * @is_delete: True if it is a delete request.
304 * Returns 0 on success, negative value otherwise.
306 * Caller holds tomoyo_read_lock().
308 int tomoyo_write_domain_initializer_policy(char *data, const bool is_not,
309 const bool is_delete)
311 char *cp = strstr(data, " from ");
315 return tomoyo_update_domain_initializer_entry(cp + 6, data,
319 return tomoyo_update_domain_initializer_entry(NULL, data, is_not,
324 * tomoyo_is_domain_initializer - Check whether the given program causes domainname reinitialization.
326 * @domainname: The name of domain.
327 * @program: The name of program.
328 * @last_name: The last component of @domainname.
330 * Returns true if executing @program reinitializes domain transition,
333 * Caller holds tomoyo_read_lock().
335 static bool tomoyo_is_domain_initializer(const struct tomoyo_path_info *
337 const struct tomoyo_path_info *program,
338 const struct tomoyo_path_info *
341 struct tomoyo_domain_initializer_entry *ptr;
344 list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) {
347 if (ptr->domainname) {
348 if (!ptr->is_last_name) {
349 if (ptr->domainname != domainname)
352 if (tomoyo_pathcmp(ptr->domainname, last_name))
356 if (tomoyo_pathcmp(ptr->program, program))
368 * tomoyo_domain_keeper_list is used for holding list of domainnames which
369 * suppresses domain transition. Normally, a domainname is monotonically
370 * getting longer. But sometimes, we want to suppress domain transition.
371 * It would be convenient for us that programs executed from a login session
372 * belong to the same domain. Thus, TOMOYO provides a way to suppress domain
375 * An entry is added by
377 * # echo 'keep_domain <kernel> /usr/sbin/sshd /bin/bash' > \
378 * /sys/kernel/security/tomoyo/exception_policy
382 * # echo 'delete keep_domain <kernel> /usr/sbin/sshd /bin/bash' > \
383 * /sys/kernel/security/tomoyo/exception_policy
385 * and all entries are retrieved by
387 * # grep ^keep_domain /sys/kernel/security/tomoyo/exception_policy
389 * In the example above, any process which belongs to
390 * "<kernel> /usr/sbin/sshd /bin/bash" domain will remain in that domain,
391 * unless explicitly specified by "initialize_domain" or "no_keep_domain".
393 * You may specify a program using "from" keyword.
394 * "keep_domain /bin/pwd from <kernel> /usr/sbin/sshd /bin/bash"
395 * will cause "/bin/pwd" executed from "<kernel> /usr/sbin/sshd /bin/bash"
396 * domain to remain in "<kernel> /usr/sbin/sshd /bin/bash" domain.
398 * You may add "no_" prefix to "keep_domain".
399 * "keep_domain <kernel> /usr/sbin/sshd /bin/bash" and
400 * "no_keep_domain /usr/bin/passwd from <kernel> /usr/sbin/sshd /bin/bash" will
401 * cause "/usr/bin/passwd" to belong to
402 * "<kernel> /usr/sbin/sshd /bin/bash /usr/bin/passwd" domain, unless
403 * explicitly specified by "initialize_domain".
405 static LIST_HEAD(tomoyo_domain_keeper_list);
408 * tomoyo_update_domain_keeper_entry - Update "struct tomoyo_domain_keeper_entry" list.
410 * @domainname: The name of domain.
411 * @program: The name of program. May be NULL.
412 * @is_not: True if it is "no_keep_domain" entry.
413 * @is_delete: True if it is a delete request.
415 * Returns 0 on success, negative value otherwise.
417 * Caller holds tomoyo_read_lock().
419 static int tomoyo_update_domain_keeper_entry(const char *domainname,
422 const bool is_delete)
424 struct tomoyo_domain_keeper_entry *entry = NULL;
425 struct tomoyo_domain_keeper_entry *ptr;
426 const struct tomoyo_path_info *saved_domainname = NULL;
427 const struct tomoyo_path_info *saved_program = NULL;
428 int error = is_delete ? -ENOENT : -ENOMEM;
429 bool is_last_name = false;
431 if (!tomoyo_is_domain_def(domainname) &&
432 tomoyo_is_correct_path(domainname, 1, -1, -1, __func__))
434 else if (!tomoyo_is_correct_domain(domainname, __func__))
437 if (!tomoyo_is_correct_path(program, 1, -1, -1, __func__))
439 saved_program = tomoyo_get_name(program);
443 saved_domainname = tomoyo_get_name(domainname);
444 if (!saved_domainname)
447 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
448 mutex_lock(&tomoyo_policy_lock);
449 list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) {
450 if (ptr->is_not != is_not ||
451 ptr->domainname != saved_domainname ||
452 ptr->program != saved_program)
454 ptr->is_deleted = is_delete;
458 if (!is_delete && error && tomoyo_memory_ok(entry)) {
459 entry->domainname = saved_domainname;
460 saved_domainname = NULL;
461 entry->program = saved_program;
462 saved_program = NULL;
463 entry->is_not = is_not;
464 entry->is_last_name = is_last_name;
465 list_add_tail_rcu(&entry->list, &tomoyo_domain_keeper_list);
469 mutex_unlock(&tomoyo_policy_lock);
471 tomoyo_put_name(saved_domainname);
472 tomoyo_put_name(saved_program);
478 * tomoyo_write_domain_keeper_policy - Write "struct tomoyo_domain_keeper_entry" list.
480 * @data: String to parse.
481 * @is_not: True if it is "no_keep_domain" entry.
482 * @is_delete: True if it is a delete request.
484 * Caller holds tomoyo_read_lock().
486 int tomoyo_write_domain_keeper_policy(char *data, const bool is_not,
487 const bool is_delete)
489 char *cp = strstr(data, " from ");
493 return tomoyo_update_domain_keeper_entry(cp + 6, data, is_not,
496 return tomoyo_update_domain_keeper_entry(data, NULL, is_not, is_delete);
500 * tomoyo_read_domain_keeper_policy - Read "struct tomoyo_domain_keeper_entry" list.
502 * @head: Pointer to "struct tomoyo_io_buffer".
504 * Returns true on success, false otherwise.
506 * Caller holds tomoyo_read_lock().
508 bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head)
510 struct list_head *pos;
513 list_for_each_cookie(pos, head->read_var2,
514 &tomoyo_domain_keeper_list) {
515 struct tomoyo_domain_keeper_entry *ptr;
517 const char *from = "";
518 const char *program = "";
520 ptr = list_entry(pos, struct tomoyo_domain_keeper_entry, list);
523 no = ptr->is_not ? "no_" : "";
526 program = ptr->program->name;
528 done = tomoyo_io_printf(head,
529 "%s" TOMOYO_KEYWORD_KEEP_DOMAIN
530 "%s%s%s\n", no, program, from,
531 ptr->domainname->name);
539 * tomoyo_is_domain_keeper - Check whether the given program causes domain transition suppression.
541 * @domainname: The name of domain.
542 * @program: The name of program.
543 * @last_name: The last component of @domainname.
545 * Returns true if executing @program supresses domain transition,
548 * Caller holds tomoyo_read_lock().
550 static bool tomoyo_is_domain_keeper(const struct tomoyo_path_info *domainname,
551 const struct tomoyo_path_info *program,
552 const struct tomoyo_path_info *last_name)
554 struct tomoyo_domain_keeper_entry *ptr;
557 list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) {
560 if (!ptr->is_last_name) {
561 if (ptr->domainname != domainname)
564 if (tomoyo_pathcmp(ptr->domainname, last_name))
567 if (ptr->program && tomoyo_pathcmp(ptr->program, program))
579 * tomoyo_alias_list is used for holding list of symlink's pathnames which are
580 * allowed to be passed to an execve() request. Normally, the domainname which
581 * the current process will belong to after execve() succeeds is calculated
582 * using dereferenced pathnames. But some programs behave differently depending
583 * on the name passed to argv[0]. For busybox, calculating domainname using
584 * dereferenced pathnames will cause all programs in the busybox to belong to
585 * the same domain. Thus, TOMOYO provides a way to allow use of symlink's
586 * pathname for checking execve()'s permission and calculating domainname which
587 * the current process will belong to after execve() succeeds.
589 * An entry is added by
591 * # echo 'alias /bin/busybox /bin/cat' > \
592 * /sys/kernel/security/tomoyo/exception_policy
596 * # echo 'delete alias /bin/busybox /bin/cat' > \
597 * /sys/kernel/security/tomoyo/exception_policy
599 * and all entries are retrieved by
601 * # grep ^alias /sys/kernel/security/tomoyo/exception_policy
603 * In the example above, if /bin/cat is a symlink to /bin/busybox and execution
604 * of /bin/cat is requested, permission is checked for /bin/cat rather than
605 * /bin/busybox and domainname which the current process will belong to after
606 * execve() succeeds is calculated using /bin/cat rather than /bin/busybox .
608 static LIST_HEAD(tomoyo_alias_list);
611 * tomoyo_update_alias_entry - Update "struct tomoyo_alias_entry" list.
613 * @original_name: The original program's real name.
614 * @aliased_name: The symbolic program's symbolic link's name.
615 * @is_delete: True if it is a delete request.
617 * Returns 0 on success, negative value otherwise.
619 * Caller holds tomoyo_read_lock().
621 static int tomoyo_update_alias_entry(const char *original_name,
622 const char *aliased_name,
623 const bool is_delete)
625 struct tomoyo_alias_entry *entry = NULL;
626 struct tomoyo_alias_entry *ptr;
627 const struct tomoyo_path_info *saved_original_name;
628 const struct tomoyo_path_info *saved_aliased_name;
629 int error = is_delete ? -ENOENT : -ENOMEM;
631 if (!tomoyo_is_correct_path(original_name, 1, -1, -1, __func__) ||
632 !tomoyo_is_correct_path(aliased_name, 1, -1, -1, __func__))
633 return -EINVAL; /* No patterns allowed. */
634 saved_original_name = tomoyo_get_name(original_name);
635 saved_aliased_name = tomoyo_get_name(aliased_name);
636 if (!saved_original_name || !saved_aliased_name)
639 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
640 mutex_lock(&tomoyo_policy_lock);
641 list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
642 if (ptr->original_name != saved_original_name ||
643 ptr->aliased_name != saved_aliased_name)
645 ptr->is_deleted = is_delete;
649 if (!is_delete && error && tomoyo_memory_ok(entry)) {
650 entry->original_name = saved_original_name;
651 saved_original_name = NULL;
652 entry->aliased_name = saved_aliased_name;
653 saved_aliased_name = NULL;
654 list_add_tail_rcu(&entry->list, &tomoyo_alias_list);
658 mutex_unlock(&tomoyo_policy_lock);
660 tomoyo_put_name(saved_original_name);
661 tomoyo_put_name(saved_aliased_name);
667 * tomoyo_read_alias_policy - Read "struct tomoyo_alias_entry" list.
669 * @head: Pointer to "struct tomoyo_io_buffer".
671 * Returns true on success, false otherwise.
673 * Caller holds tomoyo_read_lock().
675 bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head)
677 struct list_head *pos;
680 list_for_each_cookie(pos, head->read_var2, &tomoyo_alias_list) {
681 struct tomoyo_alias_entry *ptr;
683 ptr = list_entry(pos, struct tomoyo_alias_entry, list);
686 done = tomoyo_io_printf(head, TOMOYO_KEYWORD_ALIAS "%s %s\n",
687 ptr->original_name->name,
688 ptr->aliased_name->name);
696 * tomoyo_write_alias_policy - Write "struct tomoyo_alias_entry" list.
698 * @data: String to parse.
699 * @is_delete: True if it is a delete request.
701 * Returns 0 on success, negative value otherwise.
703 * Caller holds tomoyo_read_lock().
705 int tomoyo_write_alias_policy(char *data, const bool is_delete)
707 char *cp = strchr(data, ' ');
712 return tomoyo_update_alias_entry(data, cp, is_delete);
716 * tomoyo_find_or_assign_new_domain - Create a domain.
718 * @domainname: The name of domain.
719 * @profile: Profile number to assign if the domain was newly created.
721 * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
723 * Caller holds tomoyo_read_lock().
725 struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
729 struct tomoyo_domain_info *entry;
730 struct tomoyo_domain_info *domain;
731 const struct tomoyo_path_info *saved_domainname;
734 if (!tomoyo_is_correct_domain(domainname, __func__))
736 saved_domainname = tomoyo_get_name(domainname);
737 if (!saved_domainname)
739 entry = kzalloc(sizeof(*entry), GFP_KERNEL);
740 mutex_lock(&tomoyo_policy_lock);
741 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
742 if (domain->is_deleted ||
743 tomoyo_pathcmp(saved_domainname, domain->domainname))
748 if (!found && tomoyo_memory_ok(entry)) {
749 INIT_LIST_HEAD(&entry->acl_info_list);
750 entry->domainname = saved_domainname;
751 saved_domainname = NULL;
752 entry->profile = profile;
753 list_add_tail_rcu(&entry->list, &tomoyo_domain_list);
758 mutex_unlock(&tomoyo_policy_lock);
759 tomoyo_put_name(saved_domainname);
761 return found ? domain : NULL;
765 * tomoyo_find_next_domain - Find a domain.
767 * @bprm: Pointer to "struct linux_binprm".
769 * Returns 0 on success, negative value otherwise.
771 * Caller holds tomoyo_read_lock().
773 int tomoyo_find_next_domain(struct linux_binprm *bprm)
776 * This function assumes that the size of buffer returned by
777 * tomoyo_realpath() = TOMOYO_MAX_PATHNAME_LEN.
779 struct tomoyo_page_buffer *tmp = kzalloc(sizeof(*tmp), GFP_KERNEL);
780 struct tomoyo_domain_info *old_domain = tomoyo_domain();
781 struct tomoyo_domain_info *domain = NULL;
782 const char *old_domain_name = old_domain->domainname->name;
783 const char *original_name = bprm->filename;
784 char *new_domain_name = NULL;
785 char *real_program_name = NULL;
786 char *symlink_program_name = NULL;
787 const u8 mode = tomoyo_check_flags(old_domain, TOMOYO_MAC_FOR_FILE);
788 const bool is_enforce = (mode == 3);
789 int retval = -ENOMEM;
790 struct tomoyo_path_info r; /* real name */
791 struct tomoyo_path_info s; /* symlink name */
792 struct tomoyo_path_info l; /* last name */
793 static bool initialized;
800 * Built-in initializers. This is needed because policies are
801 * not loaded until starting /sbin/init.
803 tomoyo_update_domain_initializer_entry(NULL, "/sbin/hotplug",
805 tomoyo_update_domain_initializer_entry(NULL, "/sbin/modprobe",
810 /* Get tomoyo_realpath of program. */
812 /* I hope tomoyo_realpath() won't fail with -ENOMEM. */
813 real_program_name = tomoyo_realpath(original_name);
814 if (!real_program_name)
816 /* Get tomoyo_realpath of symbolic link. */
817 symlink_program_name = tomoyo_realpath_nofollow(original_name);
818 if (!symlink_program_name)
821 r.name = real_program_name;
822 tomoyo_fill_path_info(&r);
823 s.name = symlink_program_name;
824 tomoyo_fill_path_info(&s);
825 l.name = tomoyo_get_last_name(old_domain);
826 tomoyo_fill_path_info(&l);
828 /* Check 'alias' directive. */
829 if (tomoyo_pathcmp(&r, &s)) {
830 struct tomoyo_alias_entry *ptr;
831 /* Is this program allowed to be called via symbolic links? */
832 list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
833 if (ptr->is_deleted ||
834 tomoyo_pathcmp(&r, ptr->original_name) ||
835 tomoyo_pathcmp(&s, ptr->aliased_name))
837 memset(real_program_name, 0, TOMOYO_MAX_PATHNAME_LEN);
838 strncpy(real_program_name, ptr->aliased_name->name,
839 TOMOYO_MAX_PATHNAME_LEN - 1);
840 tomoyo_fill_path_info(&r);
845 /* Check execute permission. */
846 retval = tomoyo_check_exec_perm(old_domain, &r);
850 new_domain_name = tmp->buffer;
851 if (tomoyo_is_domain_initializer(old_domain->domainname, &r, &l)) {
852 /* Transit to the child of tomoyo_kernel_domain domain. */
853 snprintf(new_domain_name, TOMOYO_MAX_PATHNAME_LEN + 1,
854 TOMOYO_ROOT_NAME " " "%s", real_program_name);
855 } else if (old_domain == &tomoyo_kernel_domain &&
856 !tomoyo_policy_loaded) {
858 * Needn't to transit from kernel domain before starting
859 * /sbin/init. But transit from kernel domain if executing
860 * initializers because they might start before /sbin/init.
863 } else if (tomoyo_is_domain_keeper(old_domain->domainname, &r, &l)) {
864 /* Keep current domain. */
867 /* Normal domain transition. */
868 snprintf(new_domain_name, TOMOYO_MAX_PATHNAME_LEN + 1,
869 "%s %s", old_domain_name, real_program_name);
871 if (domain || strlen(new_domain_name) >= TOMOYO_MAX_PATHNAME_LEN)
873 domain = tomoyo_find_domain(new_domain_name);
878 domain = tomoyo_find_or_assign_new_domain(new_domain_name,
879 old_domain->profile);
883 printk(KERN_WARNING "TOMOYO-ERROR: Domain '%s' not defined.\n",
888 old_domain->transition_failed = true;
892 bprm->cred->security = domain;
893 kfree(real_program_name);
894 kfree(symlink_program_name);