2 * security/tomoyo/file.c
4 * Implementation of the Domain-Based Mandatory Access Control.
6 * Copyright (C) 2005-2009 NTT DATA CORPORATION
8 * Version: 2.2.0 2009/04/01
15 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
17 /* Structure for "allow_read" keyword. */
18 struct tomoyo_globally_readable_file_entry {
19 struct list_head list;
20 const struct tomoyo_path_info *filename;
24 /* Structure for "file_pattern" keyword. */
25 struct tomoyo_pattern_entry {
26 struct list_head list;
27 const struct tomoyo_path_info *pattern;
31 /* Structure for "deny_rewrite" keyword. */
32 struct tomoyo_no_rewrite_entry {
33 struct list_head list;
34 const struct tomoyo_path_info *pattern;
38 /* Keyword array for single path operations. */
39 static const char *tomoyo_sp_keyword[TOMOYO_MAX_SINGLE_PATH_OPERATION] = {
40 [TOMOYO_TYPE_READ_WRITE_ACL] = "read/write",
41 [TOMOYO_TYPE_EXECUTE_ACL] = "execute",
42 [TOMOYO_TYPE_READ_ACL] = "read",
43 [TOMOYO_TYPE_WRITE_ACL] = "write",
44 [TOMOYO_TYPE_CREATE_ACL] = "create",
45 [TOMOYO_TYPE_UNLINK_ACL] = "unlink",
46 [TOMOYO_TYPE_MKDIR_ACL] = "mkdir",
47 [TOMOYO_TYPE_RMDIR_ACL] = "rmdir",
48 [TOMOYO_TYPE_MKFIFO_ACL] = "mkfifo",
49 [TOMOYO_TYPE_MKSOCK_ACL] = "mksock",
50 [TOMOYO_TYPE_MKBLOCK_ACL] = "mkblock",
51 [TOMOYO_TYPE_MKCHAR_ACL] = "mkchar",
52 [TOMOYO_TYPE_TRUNCATE_ACL] = "truncate",
53 [TOMOYO_TYPE_SYMLINK_ACL] = "symlink",
54 [TOMOYO_TYPE_REWRITE_ACL] = "rewrite",
57 /* Keyword array for double path operations. */
58 static const char *tomoyo_dp_keyword[TOMOYO_MAX_DOUBLE_PATH_OPERATION] = {
59 [TOMOYO_TYPE_LINK_ACL] = "link",
60 [TOMOYO_TYPE_RENAME_ACL] = "rename",
64 * tomoyo_sp2keyword - Get the name of single path operation.
66 * @operation: Type of operation.
68 * Returns the name of single path operation.
70 const char *tomoyo_sp2keyword(const u8 operation)
72 return (operation < TOMOYO_MAX_SINGLE_PATH_OPERATION)
73 ? tomoyo_sp_keyword[operation] : NULL;
77 * tomoyo_dp2keyword - Get the name of double path operation.
79 * @operation: Type of operation.
81 * Returns the name of double path operation.
83 const char *tomoyo_dp2keyword(const u8 operation)
85 return (operation < TOMOYO_MAX_DOUBLE_PATH_OPERATION)
86 ? tomoyo_dp_keyword[operation] : NULL;
90 * tomoyo_strendswith - Check whether the token ends with the given token.
92 * @name: The token to check.
93 * @tail: The token to find.
95 * Returns true if @name ends with @tail, false otherwise.
97 static bool tomoyo_strendswith(const char *name, const char *tail)
103 len = strlen(name) - strlen(tail);
104 return len >= 0 && !strcmp(name + len, tail);
108 * tomoyo_get_path - Get realpath.
110 * @path: Pointer to "struct path".
112 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
114 static struct tomoyo_path_info *tomoyo_get_path(struct path *path)
117 struct tomoyo_path_info_with_data *buf = tomoyo_alloc(sizeof(*buf));
121 /* Reserve one byte for appending "/". */
122 error = tomoyo_realpath_from_path2(path, buf->body,
123 sizeof(buf->body) - 2);
125 buf->head.name = buf->body;
126 tomoyo_fill_path_info(&buf->head);
133 /* Lock for domain->acl_info_list. */
134 DECLARE_RWSEM(tomoyo_domain_acl_info_list_lock);
136 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
137 const char *filename2,
138 struct tomoyo_domain_info *
139 const domain, const bool is_delete);
140 static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
141 struct tomoyo_domain_info *
142 const domain, const bool is_delete);
144 /* The list for "struct tomoyo_globally_readable_file_entry". */
145 static LIST_HEAD(tomoyo_globally_readable_list);
146 static DECLARE_RWSEM(tomoyo_globally_readable_list_lock);
149 * tomoyo_update_globally_readable_entry - Update "struct tomoyo_globally_readable_file_entry" list.
151 * @filename: Filename unconditionally permitted to open() for reading.
152 * @is_delete: True if it is a delete request.
154 * Returns 0 on success, negative value otherwise.
156 static int tomoyo_update_globally_readable_entry(const char *filename,
157 const bool is_delete)
159 struct tomoyo_globally_readable_file_entry *new_entry;
160 struct tomoyo_globally_readable_file_entry *ptr;
161 const struct tomoyo_path_info *saved_filename;
164 if (!tomoyo_is_correct_path(filename, 1, 0, -1, __func__))
166 saved_filename = tomoyo_save_name(filename);
169 down_write(&tomoyo_globally_readable_list_lock);
170 list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) {
171 if (ptr->filename != saved_filename)
173 ptr->is_deleted = is_delete;
181 new_entry = tomoyo_alloc_element(sizeof(*new_entry));
184 new_entry->filename = saved_filename;
185 list_add_tail(&new_entry->list, &tomoyo_globally_readable_list);
188 up_write(&tomoyo_globally_readable_list_lock);
193 * tomoyo_is_globally_readable_file - Check if the file is unconditionnaly permitted to be open()ed for reading.
195 * @filename: The filename to check.
197 * Returns true if any domain can open @filename for reading, false otherwise.
199 static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
202 struct tomoyo_globally_readable_file_entry *ptr;
204 down_read(&tomoyo_globally_readable_list_lock);
205 list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) {
206 if (!ptr->is_deleted &&
207 tomoyo_path_matches_pattern(filename, ptr->filename)) {
212 up_read(&tomoyo_globally_readable_list_lock);
217 * tomoyo_write_globally_readable_policy - Write "struct tomoyo_globally_readable_file_entry" list.
219 * @data: String to parse.
220 * @is_delete: True if it is a delete request.
222 * Returns 0 on success, negative value otherwise.
224 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
226 return tomoyo_update_globally_readable_entry(data, is_delete);
230 * tomoyo_read_globally_readable_policy - Read "struct tomoyo_globally_readable_file_entry" list.
232 * @head: Pointer to "struct tomoyo_io_buffer".
234 * Returns true on success, false otherwise.
236 bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
238 struct list_head *pos;
241 down_read(&tomoyo_globally_readable_list_lock);
242 list_for_each_cookie(pos, head->read_var2,
243 &tomoyo_globally_readable_list) {
244 struct tomoyo_globally_readable_file_entry *ptr;
245 ptr = list_entry(pos,
246 struct tomoyo_globally_readable_file_entry,
250 if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_READ "%s\n",
251 ptr->filename->name)) {
256 up_read(&tomoyo_globally_readable_list_lock);
260 /* The list for "struct tomoyo_pattern_entry". */
261 static LIST_HEAD(tomoyo_pattern_list);
262 static DECLARE_RWSEM(tomoyo_pattern_list_lock);
265 * tomoyo_update_file_pattern_entry - Update "struct tomoyo_pattern_entry" list.
267 * @pattern: Pathname pattern.
268 * @is_delete: True if it is a delete request.
270 * Returns 0 on success, negative value otherwise.
272 static int tomoyo_update_file_pattern_entry(const char *pattern,
273 const bool is_delete)
275 struct tomoyo_pattern_entry *new_entry;
276 struct tomoyo_pattern_entry *ptr;
277 const struct tomoyo_path_info *saved_pattern;
280 if (!tomoyo_is_correct_path(pattern, 0, 1, 0, __func__))
282 saved_pattern = tomoyo_save_name(pattern);
285 down_write(&tomoyo_pattern_list_lock);
286 list_for_each_entry(ptr, &tomoyo_pattern_list, list) {
287 if (saved_pattern != ptr->pattern)
289 ptr->is_deleted = is_delete;
297 new_entry = tomoyo_alloc_element(sizeof(*new_entry));
300 new_entry->pattern = saved_pattern;
301 list_add_tail(&new_entry->list, &tomoyo_pattern_list);
304 up_write(&tomoyo_pattern_list_lock);
309 * tomoyo_get_file_pattern - Get patterned pathname.
311 * @filename: The filename to find patterned pathname.
313 * Returns pointer to pathname pattern if matched, @filename otherwise.
315 static const struct tomoyo_path_info *
316 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
318 struct tomoyo_pattern_entry *ptr;
319 const struct tomoyo_path_info *pattern = NULL;
321 down_read(&tomoyo_pattern_list_lock);
322 list_for_each_entry(ptr, &tomoyo_pattern_list, list) {
325 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
327 pattern = ptr->pattern;
328 if (tomoyo_strendswith(pattern->name, "/\\*")) {
329 /* Do nothing. Try to find the better match. */
331 /* This would be the better match. Use this. */
335 up_read(&tomoyo_pattern_list_lock);
342 * tomoyo_write_pattern_policy - Write "struct tomoyo_pattern_entry" list.
344 * @data: String to parse.
345 * @is_delete: True if it is a delete request.
347 * Returns 0 on success, negative value otherwise.
349 int tomoyo_write_pattern_policy(char *data, const bool is_delete)
351 return tomoyo_update_file_pattern_entry(data, is_delete);
355 * tomoyo_read_file_pattern - Read "struct tomoyo_pattern_entry" list.
357 * @head: Pointer to "struct tomoyo_io_buffer".
359 * Returns true on success, false otherwise.
361 bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
363 struct list_head *pos;
366 down_read(&tomoyo_pattern_list_lock);
367 list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
368 struct tomoyo_pattern_entry *ptr;
369 ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
372 if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_FILE_PATTERN "%s\n",
373 ptr->pattern->name)) {
378 up_read(&tomoyo_pattern_list_lock);
382 /* The list for "struct tomoyo_no_rewrite_entry". */
383 static LIST_HEAD(tomoyo_no_rewrite_list);
384 static DECLARE_RWSEM(tomoyo_no_rewrite_list_lock);
387 * tomoyo_update_no_rewrite_entry - Update "struct tomoyo_no_rewrite_entry" list.
389 * @pattern: Pathname pattern that are not rewritable by default.
390 * @is_delete: True if it is a delete request.
392 * Returns 0 on success, negative value otherwise.
394 static int tomoyo_update_no_rewrite_entry(const char *pattern,
395 const bool is_delete)
397 struct tomoyo_no_rewrite_entry *new_entry, *ptr;
398 const struct tomoyo_path_info *saved_pattern;
401 if (!tomoyo_is_correct_path(pattern, 0, 0, 0, __func__))
403 saved_pattern = tomoyo_save_name(pattern);
406 down_write(&tomoyo_no_rewrite_list_lock);
407 list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) {
408 if (ptr->pattern != saved_pattern)
410 ptr->is_deleted = is_delete;
418 new_entry = tomoyo_alloc_element(sizeof(*new_entry));
421 new_entry->pattern = saved_pattern;
422 list_add_tail(&new_entry->list, &tomoyo_no_rewrite_list);
425 up_write(&tomoyo_no_rewrite_list_lock);
430 * tomoyo_is_no_rewrite_file - Check if the given pathname is not permitted to be rewrited.
432 * @filename: Filename to check.
434 * Returns true if @filename is specified by "deny_rewrite" directive,
437 static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
439 struct tomoyo_no_rewrite_entry *ptr;
442 down_read(&tomoyo_no_rewrite_list_lock);
443 list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) {
446 if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
451 up_read(&tomoyo_no_rewrite_list_lock);
456 * tomoyo_write_no_rewrite_policy - Write "struct tomoyo_no_rewrite_entry" list.
458 * @data: String to parse.
459 * @is_delete: True if it is a delete request.
461 * Returns 0 on success, negative value otherwise.
463 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
465 return tomoyo_update_no_rewrite_entry(data, is_delete);
469 * tomoyo_read_no_rewrite_policy - Read "struct tomoyo_no_rewrite_entry" list.
471 * @head: Pointer to "struct tomoyo_io_buffer".
473 * Returns true on success, false otherwise.
475 bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
477 struct list_head *pos;
480 down_read(&tomoyo_no_rewrite_list_lock);
481 list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
482 struct tomoyo_no_rewrite_entry *ptr;
483 ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
486 if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_DENY_REWRITE "%s\n",
487 ptr->pattern->name)) {
492 up_read(&tomoyo_no_rewrite_list_lock);
497 * tomoyo_update_file_acl - Update file's read/write/execute ACL.
499 * @filename: Filename.
500 * @perm: Permission (between 1 to 7).
501 * @domain: Pointer to "struct tomoyo_domain_info".
502 * @is_delete: True if it is a delete request.
504 * Returns 0 on success, negative value otherwise.
506 * This is legacy support interface for older policy syntax.
507 * Current policy syntax uses "allow_read/write" instead of "6",
508 * "allow_read" instead of "4", "allow_write" instead of "2",
509 * "allow_execute" instead of "1".
511 static int tomoyo_update_file_acl(const char *filename, u8 perm,
512 struct tomoyo_domain_info * const domain,
513 const bool is_delete)
515 if (perm > 7 || !perm) {
516 printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
517 __func__, perm, filename);
520 if (filename[0] != '@' && tomoyo_strendswith(filename, "/"))
522 * Only 'allow_mkdir' and 'allow_rmdir' are valid for
523 * directory permissions.
527 tomoyo_update_single_path_acl(TOMOYO_TYPE_READ_ACL, filename,
530 tomoyo_update_single_path_acl(TOMOYO_TYPE_WRITE_ACL, filename,
533 tomoyo_update_single_path_acl(TOMOYO_TYPE_EXECUTE_ACL,
534 filename, domain, is_delete);
539 * tomoyo_check_single_path_acl2 - Check permission for single path operation.
541 * @domain: Pointer to "struct tomoyo_domain_info".
542 * @filename: Filename to check.
544 * @may_use_pattern: True if patterned ACL is permitted.
546 * Returns 0 on success, -EPERM otherwise.
548 static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
550 const struct tomoyo_path_info *
553 const bool may_use_pattern)
555 struct tomoyo_acl_info *ptr;
558 down_read(&tomoyo_domain_acl_info_list_lock);
559 list_for_each_entry(ptr, &domain->acl_info_list, list) {
560 struct tomoyo_single_path_acl_record *acl;
561 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
563 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
565 if (!(acl->perm & perm))
567 if (may_use_pattern || !acl->filename->is_patterned) {
568 if (!tomoyo_path_matches_pattern(filename,
577 up_read(&tomoyo_domain_acl_info_list_lock);
582 * tomoyo_check_file_acl - Check permission for opening files.
584 * @domain: Pointer to "struct tomoyo_domain_info".
585 * @filename: Filename to check.
586 * @operation: Mode ("read" or "write" or "read/write" or "execute").
588 * Returns 0 on success, -EPERM otherwise.
590 static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
591 const struct tomoyo_path_info *filename,
596 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
599 perm = 1 << TOMOYO_TYPE_READ_WRITE_ACL;
600 else if (operation == 4)
601 perm = 1 << TOMOYO_TYPE_READ_ACL;
602 else if (operation == 2)
603 perm = 1 << TOMOYO_TYPE_WRITE_ACL;
604 else if (operation == 1)
605 perm = 1 << TOMOYO_TYPE_EXECUTE_ACL;
608 return tomoyo_check_single_path_acl2(domain, filename, perm,
613 * tomoyo_check_file_perm2 - Check permission for opening files.
615 * @domain: Pointer to "struct tomoyo_domain_info".
616 * @filename: Filename to check.
617 * @perm: Mode ("read" or "write" or "read/write" or "execute").
618 * @operation: Operation name passed used for verbose mode.
619 * @mode: Access control mode.
621 * Returns 0 on success, negative value otherwise.
623 static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
624 const struct tomoyo_path_info *filename,
625 const u8 perm, const char *operation,
628 const bool is_enforce = (mode == 3);
629 const char *msg = "<unknown>";
634 error = tomoyo_check_file_acl(domain, filename, perm);
635 if (error && perm == 4 &&
636 (domain->flags & TOMOYO_DOMAIN_FLAGS_IGNORE_GLOBAL_ALLOW_READ) == 0
637 && tomoyo_is_globally_readable_file(filename))
640 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_WRITE_ACL);
642 msg = tomoyo_sp2keyword(TOMOYO_TYPE_READ_ACL);
644 msg = tomoyo_sp2keyword(TOMOYO_TYPE_WRITE_ACL);
646 msg = tomoyo_sp2keyword(TOMOYO_TYPE_EXECUTE_ACL);
651 if (tomoyo_verbose_mode(domain))
652 printk(KERN_WARNING "TOMOYO-%s: Access '%s(%s) %s' denied "
653 "for %s\n", tomoyo_get_msg(is_enforce), msg, operation,
654 filename->name, tomoyo_get_last_name(domain));
657 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
658 /* Don't use patterns for execute permission. */
659 const struct tomoyo_path_info *patterned_file = (perm != 1) ?
660 tomoyo_get_file_pattern(filename) : filename;
661 tomoyo_update_file_acl(patterned_file->name, perm,
668 * tomoyo_write_file_policy - Update file related list.
670 * @data: String to parse.
671 * @domain: Pointer to "struct tomoyo_domain_info".
672 * @is_delete: True if it is a delete request.
674 * Returns 0 on success, negative value otherwise.
676 int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
677 const bool is_delete)
679 char *filename = strchr(data, ' ');
687 if (sscanf(data, "%u", &perm) == 1)
688 return tomoyo_update_file_acl(filename, (u8) perm, domain,
690 if (strncmp(data, "allow_", 6))
693 for (type = 0; type < TOMOYO_MAX_SINGLE_PATH_OPERATION; type++) {
694 if (strcmp(data, tomoyo_sp_keyword[type]))
696 return tomoyo_update_single_path_acl(type, filename,
699 filename2 = strchr(filename, ' ');
703 for (type = 0; type < TOMOYO_MAX_DOUBLE_PATH_OPERATION; type++) {
704 if (strcmp(data, tomoyo_dp_keyword[type]))
706 return tomoyo_update_double_path_acl(type, filename, filename2,
714 * tomoyo_update_single_path_acl - Update "struct tomoyo_single_path_acl_record" list.
716 * @type: Type of operation.
717 * @filename: Filename.
718 * @domain: Pointer to "struct tomoyo_domain_info".
719 * @is_delete: True if it is a delete request.
721 * Returns 0 on success, negative value otherwise.
723 static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
724 struct tomoyo_domain_info *
725 const domain, const bool is_delete)
727 static const u16 rw_mask =
728 (1 << TOMOYO_TYPE_READ_ACL) | (1 << TOMOYO_TYPE_WRITE_ACL);
729 const struct tomoyo_path_info *saved_filename;
730 struct tomoyo_acl_info *ptr;
731 struct tomoyo_single_path_acl_record *acl;
733 const u16 perm = 1 << type;
737 if (!tomoyo_is_correct_path(filename, 0, 0, 0, __func__))
739 saved_filename = tomoyo_save_name(filename);
742 down_write(&tomoyo_domain_acl_info_list_lock);
745 list_for_each_entry(ptr, &domain->acl_info_list, list) {
746 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
748 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
750 if (acl->filename != saved_filename)
752 /* Special case. Clear all bits if marked as deleted. */
753 if (ptr->type & TOMOYO_ACL_DELETED)
756 if ((acl->perm & rw_mask) == rw_mask)
757 acl->perm |= 1 << TOMOYO_TYPE_READ_WRITE_ACL;
758 else if (acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL))
759 acl->perm |= rw_mask;
760 ptr->type &= ~TOMOYO_ACL_DELETED;
764 /* Not found. Append it to the tail. */
765 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_SINGLE_PATH_ACL);
769 if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL))
770 acl->perm |= rw_mask;
771 acl->filename = saved_filename;
772 list_add_tail(&acl->head.list, &domain->acl_info_list);
777 list_for_each_entry(ptr, &domain->acl_info_list, list) {
778 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
780 acl = container_of(ptr, struct tomoyo_single_path_acl_record,
782 if (acl->filename != saved_filename)
785 if ((acl->perm & rw_mask) != rw_mask)
786 acl->perm &= ~(1 << TOMOYO_TYPE_READ_WRITE_ACL);
787 else if (!(acl->perm & (1 << TOMOYO_TYPE_READ_WRITE_ACL)))
788 acl->perm &= ~rw_mask;
790 ptr->type |= TOMOYO_ACL_DELETED;
795 up_write(&tomoyo_domain_acl_info_list_lock);
800 * tomoyo_update_double_path_acl - Update "struct tomoyo_double_path_acl_record" list.
802 * @type: Type of operation.
803 * @filename1: First filename.
804 * @filename2: Second filename.
805 * @domain: Pointer to "struct tomoyo_domain_info".
806 * @is_delete: True if it is a delete request.
808 * Returns 0 on success, negative value otherwise.
810 static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
811 const char *filename2,
812 struct tomoyo_domain_info *
813 const domain, const bool is_delete)
815 const struct tomoyo_path_info *saved_filename1;
816 const struct tomoyo_path_info *saved_filename2;
817 struct tomoyo_acl_info *ptr;
818 struct tomoyo_double_path_acl_record *acl;
820 const u8 perm = 1 << type;
824 if (!tomoyo_is_correct_path(filename1, 0, 0, 0, __func__) ||
825 !tomoyo_is_correct_path(filename2, 0, 0, 0, __func__))
827 saved_filename1 = tomoyo_save_name(filename1);
828 saved_filename2 = tomoyo_save_name(filename2);
829 if (!saved_filename1 || !saved_filename2)
831 down_write(&tomoyo_domain_acl_info_list_lock);
834 list_for_each_entry(ptr, &domain->acl_info_list, list) {
835 if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
837 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
839 if (acl->filename1 != saved_filename1 ||
840 acl->filename2 != saved_filename2)
842 /* Special case. Clear all bits if marked as deleted. */
843 if (ptr->type & TOMOYO_ACL_DELETED)
846 ptr->type &= ~TOMOYO_ACL_DELETED;
850 /* Not found. Append it to the tail. */
851 acl = tomoyo_alloc_acl_element(TOMOYO_TYPE_DOUBLE_PATH_ACL);
855 acl->filename1 = saved_filename1;
856 acl->filename2 = saved_filename2;
857 list_add_tail(&acl->head.list, &domain->acl_info_list);
862 list_for_each_entry(ptr, &domain->acl_info_list, list) {
863 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
865 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
867 if (acl->filename1 != saved_filename1 ||
868 acl->filename2 != saved_filename2)
872 ptr->type |= TOMOYO_ACL_DELETED;
877 up_write(&tomoyo_domain_acl_info_list_lock);
882 * tomoyo_check_single_path_acl - Check permission for single path operation.
884 * @domain: Pointer to "struct tomoyo_domain_info".
885 * @type: Type of operation.
886 * @filename: Filename to check.
888 * Returns 0 on success, negative value otherwise.
890 static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
892 const struct tomoyo_path_info *filename)
894 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
896 return tomoyo_check_single_path_acl2(domain, filename, 1 << type, 1);
900 * tomoyo_check_double_path_acl - Check permission for double path operation.
902 * @domain: Pointer to "struct tomoyo_domain_info".
903 * @type: Type of operation.
904 * @filename1: First filename to check.
905 * @filename2: Second filename to check.
907 * Returns 0 on success, -EPERM otherwise.
909 static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
911 const struct tomoyo_path_info *
913 const struct tomoyo_path_info *
916 struct tomoyo_acl_info *ptr;
917 const u8 perm = 1 << type;
920 if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
922 down_read(&tomoyo_domain_acl_info_list_lock);
923 list_for_each_entry(ptr, &domain->acl_info_list, list) {
924 struct tomoyo_double_path_acl_record *acl;
925 if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
927 acl = container_of(ptr, struct tomoyo_double_path_acl_record,
929 if (!(acl->perm & perm))
931 if (!tomoyo_path_matches_pattern(filename1, acl->filename1))
933 if (!tomoyo_path_matches_pattern(filename2, acl->filename2))
938 up_read(&tomoyo_domain_acl_info_list_lock);
943 * tomoyo_check_single_path_permission2 - Check permission for single path operation.
945 * @domain: Pointer to "struct tomoyo_domain_info".
946 * @operation: Type of operation.
947 * @filename: Filename to check.
948 * @mode: Access control mode.
950 * Returns 0 on success, negative value otherwise.
952 static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
953 const domain, u8 operation,
954 const struct tomoyo_path_info *
955 filename, const u8 mode)
959 const bool is_enforce = (mode == 3);
964 error = tomoyo_check_single_path_acl(domain, operation, filename);
965 msg = tomoyo_sp2keyword(operation);
968 if (tomoyo_verbose_mode(domain))
969 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s' denied for %s\n",
970 tomoyo_get_msg(is_enforce), msg, filename->name,
971 tomoyo_get_last_name(domain));
972 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
973 const char *name = tomoyo_get_file_pattern(filename)->name;
974 tomoyo_update_single_path_acl(operation, name, domain, false);
980 * Since "allow_truncate" doesn't imply "allow_rewrite" permission,
981 * we need to check "allow_rewrite" permission if the filename is
982 * specified by "deny_rewrite" keyword.
984 if (!error && operation == TOMOYO_TYPE_TRUNCATE_ACL &&
985 tomoyo_is_no_rewrite_file(filename)) {
986 operation = TOMOYO_TYPE_REWRITE_ACL;
993 * tomoyo_check_file_perm - Check permission for sysctl()'s "read" and "write".
995 * @domain: Pointer to "struct tomoyo_domain_info".
996 * @filename: Filename to check.
997 * @perm: Mode ("read" or "write" or "read/write").
998 * Returns 0 on success, negative value otherwise.
1000 int tomoyo_check_file_perm(struct tomoyo_domain_info *domain,
1001 const char *filename, const u8 perm)
1003 struct tomoyo_path_info name;
1004 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1008 name.name = filename;
1009 tomoyo_fill_path_info(&name);
1010 return tomoyo_check_file_perm2(domain, &name, perm, "sysctl", mode);
1014 * tomoyo_check_exec_perm - Check permission for "execute".
1016 * @domain: Pointer to "struct tomoyo_domain_info".
1017 * @filename: Check permission for "execute".
1018 * @tmp: Buffer for temporary use.
1020 * Returns 0 on success, negativevalue otherwise.
1022 int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
1023 const struct tomoyo_path_info *filename,
1024 struct tomoyo_page_buffer *tmp)
1026 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1030 return tomoyo_check_file_perm2(domain, filename, 1, "do_execve", mode);
1034 * tomoyo_check_open_permission - Check permission for "read" and "write".
1036 * @domain: Pointer to "struct tomoyo_domain_info".
1037 * @path: Pointer to "struct path".
1038 * @flag: Flags for open().
1040 * Returns 0 on success, negative value otherwise.
1042 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
1043 struct path *path, const int flag)
1045 const u8 acc_mode = ACC_MODE(flag);
1046 int error = -ENOMEM;
1047 struct tomoyo_path_info *buf;
1048 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1049 const bool is_enforce = (mode == 3);
1051 if (!mode || !path->mnt)
1055 if (path->dentry->d_inode && S_ISDIR(path->dentry->d_inode->i_mode))
1057 * I don't check directories here because mkdir() and rmdir()
1061 buf = tomoyo_get_path(path);
1066 * If the filename is specified by "deny_rewrite" keyword,
1067 * we need to check "allow_rewrite" permission when the filename is not
1068 * opened for append mode or the filename is truncated at open time.
1070 if ((acc_mode & MAY_WRITE) &&
1071 ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
1072 (tomoyo_is_no_rewrite_file(buf))) {
1073 error = tomoyo_check_single_path_permission2(domain,
1074 TOMOYO_TYPE_REWRITE_ACL,
1078 error = tomoyo_check_file_perm2(domain, buf, acc_mode, "open",
1080 if (!error && (flag & O_TRUNC))
1081 error = tomoyo_check_single_path_permission2(domain,
1082 TOMOYO_TYPE_TRUNCATE_ACL,
1092 * tomoyo_check_1path_perm - Check permission for "create", "unlink", "mkdir", "rmdir", "mkfifo", "mksock", "mkblock", "mkchar", "truncate" and "symlink".
1094 * @domain: Pointer to "struct tomoyo_domain_info".
1095 * @operation: Type of operation.
1096 * @path: Pointer to "struct path".
1098 * Returns 0 on success, negative value otherwise.
1100 int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
1101 const u8 operation, struct path *path)
1103 int error = -ENOMEM;
1104 struct tomoyo_path_info *buf;
1105 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1106 const bool is_enforce = (mode == 3);
1108 if (!mode || !path->mnt)
1110 buf = tomoyo_get_path(path);
1113 switch (operation) {
1114 case TOMOYO_TYPE_MKDIR_ACL:
1115 case TOMOYO_TYPE_RMDIR_ACL:
1118 * tomoyo_get_path() reserves space for appending "/."
1120 strcat((char *) buf->name, "/");
1121 tomoyo_fill_path_info(buf);
1124 error = tomoyo_check_single_path_permission2(domain, operation, buf,
1134 * tomoyo_check_rewrite_permission - Check permission for "rewrite".
1136 * @domain: Pointer to "struct tomoyo_domain_info".
1137 * @filp: Pointer to "struct file".
1139 * Returns 0 on success, negative value otherwise.
1141 int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
1144 int error = -ENOMEM;
1145 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1146 const bool is_enforce = (mode == 3);
1147 struct tomoyo_path_info *buf;
1149 if (!mode || !filp->f_path.mnt)
1151 buf = tomoyo_get_path(&filp->f_path);
1154 if (!tomoyo_is_no_rewrite_file(buf)) {
1158 error = tomoyo_check_single_path_permission2(domain,
1159 TOMOYO_TYPE_REWRITE_ACL,
1169 * tomoyo_check_2path_perm - Check permission for "rename" and "link".
1171 * @domain: Pointer to "struct tomoyo_domain_info".
1172 * @operation: Type of operation.
1173 * @path1: Pointer to "struct path".
1174 * @path2: Pointer to "struct path".
1176 * Returns 0 on success, negative value otherwise.
1178 int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
1179 const u8 operation, struct path *path1,
1182 int error = -ENOMEM;
1183 struct tomoyo_path_info *buf1, *buf2;
1184 const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
1185 const bool is_enforce = (mode == 3);
1188 if (!mode || !path1->mnt || !path2->mnt)
1190 buf1 = tomoyo_get_path(path1);
1191 buf2 = tomoyo_get_path(path2);
1195 struct dentry *dentry = path1->dentry;
1196 if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode)) {
1198 * tomoyo_get_path() reserves space for appending "/."
1200 if (!buf1->is_dir) {
1201 strcat((char *) buf1->name, "/");
1202 tomoyo_fill_path_info(buf1);
1204 if (!buf2->is_dir) {
1205 strcat((char *) buf2->name, "/");
1206 tomoyo_fill_path_info(buf2);
1210 error = tomoyo_check_double_path_acl(domain, operation, buf1, buf2);
1211 msg = tomoyo_dp2keyword(operation);
1214 if (tomoyo_verbose_mode(domain))
1215 printk(KERN_WARNING "TOMOYO-%s: Access '%s %s %s' "
1216 "denied for %s\n", tomoyo_get_msg(is_enforce),
1217 msg, buf1->name, buf2->name,
1218 tomoyo_get_last_name(domain));
1219 if (mode == 1 && tomoyo_domain_quota_is_ok(domain)) {
1220 const char *name1 = tomoyo_get_file_pattern(buf1)->name;
1221 const char *name2 = tomoyo_get_file_pattern(buf2)->name;
1222 tomoyo_update_double_path_acl(operation, name1, name2, domain,
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob