642 lines
18 KiB
C
Raw Normal View History

/*
* security/tomoyo/domain.c
*
* Domain transition functions for TOMOYO.
*
* Copyright (C) 2005-2010 NTT DATA CORPORATION
*/
#include "common.h"
#include <linux/binfmts.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies. percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion. http://userweb.kernel.org/~tj/misc/slabh-sweep.py The script does the followings. * Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h. * When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order. * If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file. The conversion was done in the following steps. 1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files. 2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files. 3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind. 4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually. 5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary. 6. percpu.h was updated not to include slab.h. 7. Build test were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq). * x86 and x86_64 UP and SMP allmodconfig and a custom test config. * powerpc and powerpc64 SMP allmodconfig * sparc and sparc64 SMP allmodconfig * ia64 SMP allmodconfig * s390 SMP allmodconfig * alpha SMP allmodconfig * um on x86_64 SMP allmodconfig 8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point. Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable easily on most builds of the specific arch. Signed-off-by: Tejun Heo <tj@kernel.org> Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 17:04:11 +09:00
#include <linux/slab.h>
/* Variables definitions.*/
/* The initial domain. */
struct tomoyo_domain_info tomoyo_kernel_domain;
/**
* tomoyo_update_policy - Update an entry for exception policy.
*
* @new_entry: Pointer to "struct tomoyo_acl_info".
* @size: Size of @new_entry in bytes.
* @is_delete: True if it is a delete request.
* @list: Pointer to "struct list_head".
* @check_duplicate: Callback function to find duplicated entry.
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
bool is_delete, struct list_head *list,
bool (*check_duplicate) (const struct tomoyo_acl_head
*,
const struct tomoyo_acl_head
*))
{
int error = is_delete ? -ENOENT : -ENOMEM;
struct tomoyo_acl_head *entry;
if (mutex_lock_interruptible(&tomoyo_policy_lock))
return -ENOMEM;
list_for_each_entry_rcu(entry, list, list) {
if (!check_duplicate(entry, new_entry))
continue;
entry->is_deleted = is_delete;
error = 0;
break;
}
if (error && !is_delete) {
entry = tomoyo_commit_ok(new_entry, size);
if (entry) {
list_add_tail_rcu(&entry->list, list);
error = 0;
}
}
mutex_unlock(&tomoyo_policy_lock);
return error;
}
/**
* tomoyo_update_domain - Update an entry for domain policy.
*
* @new_entry: Pointer to "struct tomoyo_acl_info".
* @size: Size of @new_entry in bytes.
* @is_delete: True if it is a delete request.
* @domain: Pointer to "struct tomoyo_domain_info".
* @check_duplicate: Callback function to find duplicated entry.
* @merge_duplicate: Callback function to merge duplicated entry.
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
bool is_delete, struct tomoyo_domain_info *domain,
bool (*check_duplicate) (const struct tomoyo_acl_info
*,
const struct tomoyo_acl_info
*),
bool (*merge_duplicate) (struct tomoyo_acl_info *,
struct tomoyo_acl_info *,
const bool))
{
int error = is_delete ? -ENOENT : -ENOMEM;
struct tomoyo_acl_info *entry;
if (mutex_lock_interruptible(&tomoyo_policy_lock))
return error;
list_for_each_entry_rcu(entry, &domain->acl_info_list, list) {
if (!check_duplicate(entry, new_entry))
continue;
if (merge_duplicate)
entry->is_deleted = merge_duplicate(entry, new_entry,
is_delete);
else
entry->is_deleted = is_delete;
error = 0;
break;
}
if (error && !is_delete) {
entry = tomoyo_commit_ok(new_entry, size);
if (entry) {
list_add_tail_rcu(&entry->list, &domain->acl_info_list);
error = 0;
}
}
mutex_unlock(&tomoyo_policy_lock);
return error;
}
void tomoyo_check_acl(struct tomoyo_request_info *r,
bool (*check_entry) (const struct tomoyo_request_info *,
const struct tomoyo_acl_info *))
{
const struct tomoyo_domain_info *domain = r->domain;
struct tomoyo_acl_info *ptr;
list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
if (ptr->is_deleted || ptr->type != r->param_type)
continue;
if (check_entry(r, ptr)) {
r->granted = true;
return;
}
}
r->granted = false;
}
/* The list for "struct tomoyo_domain_info". */
LIST_HEAD(tomoyo_domain_list);
struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY];
struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP];
/**
* tomoyo_get_last_name - Get last component of a domainname.
*
* @domain: Pointer to "struct tomoyo_domain_info".
*
* Returns the last component of the domainname.
*/
const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain)
{
const char *cp0 = domain->domainname->name;
const char *cp1 = strrchr(cp0, ' ');
if (cp1)
return cp1 + 1;
return cp0;
}
static bool tomoyo_same_domain_initializer_entry(const struct tomoyo_acl_head *
a,
const struct tomoyo_acl_head *
b)
{
const struct tomoyo_domain_initializer_entry *p1 =
container_of(a, typeof(*p1), head);
const struct tomoyo_domain_initializer_entry *p2 =
container_of(b, typeof(*p2), head);
return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name
&& p1->domainname == p2->domainname
&& p1->program == p2->program;
}
/**
* tomoyo_update_domain_initializer_entry - Update "struct tomoyo_domain_initializer_entry" list.
*
* @domainname: The name of domain. May be NULL.
* @program: The name of program.
* @is_not: True if it is "no_initialize_domain" entry.
* @is_delete: True if it is a delete request.
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_update_domain_initializer_entry(const char *domainname,
const char *program,
const bool is_not,
const bool is_delete)
{
struct tomoyo_domain_initializer_entry e = { .is_not = is_not };
int error = is_delete ? -ENOENT : -ENOMEM;
if (!tomoyo_correct_path(program))
return -EINVAL;
if (domainname) {
if (!tomoyo_domain_def(domainname) &&
tomoyo_correct_path(domainname))
e.is_last_name = true;
else if (!tomoyo_correct_domain(domainname))
return -EINVAL;
e.domainname = tomoyo_get_name(domainname);
if (!e.domainname)
goto out;
}
e.program = tomoyo_get_name(program);
if (!e.program)
goto out;
error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
&tomoyo_policy_list
[TOMOYO_ID_DOMAIN_INITIALIZER],
tomoyo_same_domain_initializer_entry);
out:
tomoyo_put_name(e.domainname);
tomoyo_put_name(e.program);
return error;
}
/**
* tomoyo_write_domain_initializer_policy - Write "struct tomoyo_domain_initializer_entry" list.
*
* @data: String to parse.
* @is_not: True if it is "no_initialize_domain" entry.
* @is_delete: True if it is a delete request.
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
int tomoyo_write_domain_initializer_policy(char *data, const bool is_not,
const bool is_delete)
{
char *cp = strstr(data, " from ");
if (cp) {
*cp = '\0';
return tomoyo_update_domain_initializer_entry(cp + 6, data,
is_not,
is_delete);
}
return tomoyo_update_domain_initializer_entry(NULL, data, is_not,
is_delete);
}
/**
* tomoyo_domain_initializer - Check whether the given program causes domainname reinitialization.
*
* @domainname: The name of domain.
* @program: The name of program.
* @last_name: The last component of @domainname.
*
* Returns true if executing @program reinitializes domain transition,
* false otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static bool tomoyo_domain_initializer(const struct tomoyo_path_info *
domainname,
const struct tomoyo_path_info *program,
const struct tomoyo_path_info *
last_name)
{
struct tomoyo_domain_initializer_entry *ptr;
bool flag = false;
list_for_each_entry_rcu(ptr, &tomoyo_policy_list
[TOMOYO_ID_DOMAIN_INITIALIZER], head.list) {
if (ptr->head.is_deleted)
continue;
if (ptr->domainname) {
if (!ptr->is_last_name) {
if (ptr->domainname != domainname)
continue;
} else {
if (tomoyo_pathcmp(ptr->domainname, last_name))
continue;
}
}
if (tomoyo_pathcmp(ptr->program, program))
continue;
if (ptr->is_not) {
flag = false;
break;
}
flag = true;
}
return flag;
}
static bool tomoyo_same_domain_keeper_entry(const struct tomoyo_acl_head *a,
const struct tomoyo_acl_head *b)
{
const struct tomoyo_domain_keeper_entry *p1 =
container_of(a, typeof(*p1), head);
const struct tomoyo_domain_keeper_entry *p2 =
container_of(b, typeof(*p2), head);
return p1->is_not == p2->is_not && p1->is_last_name == p2->is_last_name
&& p1->domainname == p2->domainname
&& p1->program == p2->program;
}
/**
* tomoyo_update_domain_keeper_entry - Update "struct tomoyo_domain_keeper_entry" list.
*
* @domainname: The name of domain.
* @program: The name of program. May be NULL.
* @is_not: True if it is "no_keep_domain" entry.
* @is_delete: True if it is a delete request.
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_update_domain_keeper_entry(const char *domainname,
const char *program,
const bool is_not,
const bool is_delete)
{
struct tomoyo_domain_keeper_entry e = { .is_not = is_not };
int error = is_delete ? -ENOENT : -ENOMEM;
if (!tomoyo_domain_def(domainname) &&
tomoyo_correct_path(domainname))
e.is_last_name = true;
else if (!tomoyo_correct_domain(domainname))
return -EINVAL;
if (program) {
if (!tomoyo_correct_path(program))
return -EINVAL;
e.program = tomoyo_get_name(program);
if (!e.program)
goto out;
}
e.domainname = tomoyo_get_name(domainname);
if (!e.domainname)
goto out;
error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
&tomoyo_policy_list
[TOMOYO_ID_DOMAIN_KEEPER],
tomoyo_same_domain_keeper_entry);
out:
tomoyo_put_name(e.domainname);
tomoyo_put_name(e.program);
return error;
}
/**
* tomoyo_write_domain_keeper_policy - Write "struct tomoyo_domain_keeper_entry" list.
*
* @data: String to parse.
* @is_not: True if it is "no_keep_domain" entry.
* @is_delete: True if it is a delete request.
*
* Caller holds tomoyo_read_lock().
*/
int tomoyo_write_domain_keeper_policy(char *data, const bool is_not,
const bool is_delete)
{
char *cp = strstr(data, " from ");
if (cp) {
*cp = '\0';
return tomoyo_update_domain_keeper_entry(cp + 6, data, is_not,
is_delete);
}
return tomoyo_update_domain_keeper_entry(data, NULL, is_not, is_delete);
}
/**
* tomoyo_domain_keeper - Check whether the given program causes domain transition suppression.
*
* @domainname: The name of domain.
* @program: The name of program.
* @last_name: The last component of @domainname.
*
* Returns true if executing @program supresses domain transition,
* false otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static bool tomoyo_domain_keeper(const struct tomoyo_path_info *domainname,
const struct tomoyo_path_info *program,
const struct tomoyo_path_info *last_name)
{
struct tomoyo_domain_keeper_entry *ptr;
bool flag = false;
list_for_each_entry_rcu(ptr,
&tomoyo_policy_list[TOMOYO_ID_DOMAIN_KEEPER],
head.list) {
if (ptr->head.is_deleted)
continue;
if (!ptr->is_last_name) {
if (ptr->domainname != domainname)
continue;
} else {
if (tomoyo_pathcmp(ptr->domainname, last_name))
continue;
}
if (ptr->program && tomoyo_pathcmp(ptr->program, program))
continue;
if (ptr->is_not) {
flag = false;
break;
}
flag = true;
}
return flag;
}
static bool tomoyo_same_aggregator_entry(const struct tomoyo_acl_head *a,
const struct tomoyo_acl_head *b)
{
const struct tomoyo_aggregator_entry *p1 = container_of(a, typeof(*p1),
head);
const struct tomoyo_aggregator_entry *p2 = container_of(b, typeof(*p2),
head);
return p1->original_name == p2->original_name &&
p1->aggregated_name == p2->aggregated_name;
}
/**
* tomoyo_update_aggregator_entry - Update "struct tomoyo_aggregator_entry" list.
*
* @original_name: The original program's name.
* @aggregated_name: The program name to use.
* @is_delete: True if it is a delete request.
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
static int tomoyo_update_aggregator_entry(const char *original_name,
const char *aggregated_name,
const bool is_delete)
{
struct tomoyo_aggregator_entry e = { };
int error = is_delete ? -ENOENT : -ENOMEM;
if (!tomoyo_correct_path(original_name) ||
!tomoyo_correct_path(aggregated_name))
return -EINVAL;
e.original_name = tomoyo_get_name(original_name);
e.aggregated_name = tomoyo_get_name(aggregated_name);
if (!e.original_name || !e.aggregated_name ||
e.aggregated_name->is_patterned) /* No patterns allowed. */
goto out;
error = tomoyo_update_policy(&e.head, sizeof(e), is_delete,
&tomoyo_policy_list[TOMOYO_ID_AGGREGATOR],
tomoyo_same_aggregator_entry);
out:
tomoyo_put_name(e.original_name);
tomoyo_put_name(e.aggregated_name);
return error;
}
/**
* tomoyo_write_aggregator_policy - Write "struct tomoyo_aggregator_entry" list.
*
* @data: String to parse.
* @is_delete: True if it is a delete request.
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
int tomoyo_write_aggregator_policy(char *data, const bool is_delete)
{
char *cp = strchr(data, ' ');
if (!cp)
return -EINVAL;
*cp++ = '\0';
return tomoyo_update_aggregator_entry(data, cp, is_delete);
}
/**
* tomoyo_find_or_assign_new_domain - Create a domain.
*
* @domainname: The name of domain.
* @profile: Profile number to assign if the domain was newly created.
*
* Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
*
* Caller holds tomoyo_read_lock().
*/
struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
domainname,
const u8 profile)
{
struct tomoyo_domain_info *entry;
struct tomoyo_domain_info *domain = NULL;
const struct tomoyo_path_info *saved_domainname;
bool found = false;
if (!tomoyo_correct_domain(domainname))
return NULL;
saved_domainname = tomoyo_get_name(domainname);
if (!saved_domainname)
return NULL;
entry = kzalloc(sizeof(*entry), GFP_NOFS);
if (mutex_lock_interruptible(&tomoyo_policy_lock))
goto out;
list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
if (domain->is_deleted ||
tomoyo_pathcmp(saved_domainname, domain->domainname))
continue;
found = true;
break;
}
if (!found && tomoyo_memory_ok(entry)) {
INIT_LIST_HEAD(&entry->acl_info_list);
entry->domainname = saved_domainname;
saved_domainname = NULL;
entry->profile = profile;
list_add_tail_rcu(&entry->list, &tomoyo_domain_list);
domain = entry;
entry = NULL;
found = true;
}
mutex_unlock(&tomoyo_policy_lock);
out:
tomoyo_put_name(saved_domainname);
kfree(entry);
return found ? domain : NULL;
}
/**
* tomoyo_find_next_domain - Find a domain.
*
* @bprm: Pointer to "struct linux_binprm".
*
* Returns 0 on success, negative value otherwise.
*
* Caller holds tomoyo_read_lock().
*/
int tomoyo_find_next_domain(struct linux_binprm *bprm)
{
struct tomoyo_request_info r;
char *tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS);
struct tomoyo_domain_info *old_domain = tomoyo_domain();
struct tomoyo_domain_info *domain = NULL;
const char *old_domain_name = old_domain->domainname->name;
const char *original_name = bprm->filename;
u8 mode;
bool is_enforce;
int retval = -ENOMEM;
bool need_kfree = false;
struct tomoyo_path_info rn = { }; /* real name */
struct tomoyo_path_info ln; /* last name */
ln.name = tomoyo_get_last_name(old_domain);
tomoyo_fill_path_info(&ln);
mode = tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_EXECUTE);
is_enforce = (mode == TOMOYO_CONFIG_ENFORCING);
if (!tmp)
goto out;
retry:
if (need_kfree) {
kfree(rn.name);
need_kfree = false;
}
/* Get symlink's pathname of program. */
retval = -ENOENT;
rn.name = tomoyo_realpath_nofollow(original_name);
if (!rn.name)
goto out;
tomoyo_fill_path_info(&rn);
need_kfree = true;
/* Check 'aggregator' directive. */
{
struct tomoyo_aggregator_entry *ptr;
list_for_each_entry_rcu(ptr, &tomoyo_policy_list
[TOMOYO_ID_AGGREGATOR], head.list) {
if (ptr->head.is_deleted ||
!tomoyo_path_matches_pattern(&rn,
ptr->original_name))
continue;
kfree(rn.name);
need_kfree = false;
/* This is OK because it is read only. */
rn = *ptr->aggregated_name;
break;
}
}
/* Check execute permission. */
retval = tomoyo_path_permission(&r, TOMOYO_TYPE_EXECUTE, &rn);
if (retval == TOMOYO_RETRY_REQUEST)
goto retry;
if (retval < 0)
goto out;
if (tomoyo_domain_initializer(old_domain->domainname, &rn, &ln)) {
/* Transit to the child of tomoyo_kernel_domain domain. */
snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1,
TOMOYO_ROOT_NAME " " "%s", rn.name);
} else if (old_domain == &tomoyo_kernel_domain &&
!tomoyo_policy_loaded) {
/*
* Needn't to transit from kernel domain before starting
* /sbin/init. But transit from kernel domain if executing
* initializers because they might start before /sbin/init.
*/
domain = old_domain;
} else if (tomoyo_domain_keeper(old_domain->domainname, &rn, &ln)) {
/* Keep current domain. */
domain = old_domain;
} else {
/* Normal domain transition. */
snprintf(tmp, TOMOYO_EXEC_TMPSIZE - 1,
"%s %s", old_domain_name, rn.name);
}
if (domain || strlen(tmp) >= TOMOYO_EXEC_TMPSIZE - 10)
goto done;
domain = tomoyo_find_domain(tmp);
if (domain)
goto done;
if (is_enforce) {
int error = tomoyo_supervisor(&r, "# wants to create domain\n"
"%s\n", tmp);
if (error == TOMOYO_RETRY_REQUEST)
goto retry;
if (error < 0)
goto done;
}
domain = tomoyo_find_or_assign_new_domain(tmp, old_domain->profile);
done:
if (domain)
goto out;
printk(KERN_WARNING "TOMOYO-ERROR: Domain '%s' not defined.\n", tmp);
if (is_enforce)
retval = -EPERM;
else
old_domain->transition_failed = true;
out:
if (!domain)
domain = old_domain;
/* Update reference count on "struct tomoyo_domain_info". */
atomic_inc(&domain->users);
bprm->cred->security = domain;
if (need_kfree)
kfree(rn.name);
kfree(tmp);
return retval;
}