mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-17 18:36:00 +00:00
7b9ef666f2
`strncpy` is deprecated for use on NUL-terminated destination strings [1]. A suitable replacement is `strscpy` [2] due to the fact that it guarantees NUL-termination on its destination buffer argument which is _not_ the case for `strncpy`! It should be noted that the destination buffer is zero-initialized and had a max length of `sizeof(dest) - 1`. There is likely _not_ a bug present in the current implementation. However, by switching to `strscpy` we get the benefit of no longer needing the `- 1`'s from the string copy invocations on top of `strscpy` being a safer interface all together. [1]: www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [2]: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html Link: https://github.com/KSPP/linux/issues/90 Cc: linux-hardening@vger.kernel.org Signed-off-by: Justin Stitt <justinstitt@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
945 lines
25 KiB
C
945 lines
25 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* security/tomoyo/domain.c
|
|
*
|
|
* Copyright (C) 2005-2011 NTT DATA CORPORATION
|
|
*/
|
|
|
|
#include "common.h"
|
|
|
|
#include <linux/binfmts.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/rculist.h>
|
|
|
|
/* Variables definitions.*/
|
|
|
|
/* The initial domain. */
|
|
struct tomoyo_domain_info tomoyo_kernel_domain;
|
|
|
|
/**
|
|
* tomoyo_update_policy - Update an entry for exception policy.
|
|
*
|
|
* @new_entry: Pointer to "struct tomoyo_acl_info".
|
|
* @size: Size of @new_entry in bytes.
|
|
* @param: Pointer to "struct tomoyo_acl_param".
|
|
* @check_duplicate: Callback function to find duplicated entry.
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
|
|
struct tomoyo_acl_param *param,
|
|
bool (*check_duplicate)(const struct tomoyo_acl_head
|
|
*,
|
|
const struct tomoyo_acl_head
|
|
*))
|
|
{
|
|
int error = param->is_delete ? -ENOENT : -ENOMEM;
|
|
struct tomoyo_acl_head *entry;
|
|
struct list_head *list = param->list;
|
|
|
|
if (mutex_lock_interruptible(&tomoyo_policy_lock))
|
|
return -ENOMEM;
|
|
list_for_each_entry_rcu(entry, list, list,
|
|
srcu_read_lock_held(&tomoyo_ss)) {
|
|
if (entry->is_deleted == TOMOYO_GC_IN_PROGRESS)
|
|
continue;
|
|
if (!check_duplicate(entry, new_entry))
|
|
continue;
|
|
entry->is_deleted = param->is_delete;
|
|
error = 0;
|
|
break;
|
|
}
|
|
if (error && !param->is_delete) {
|
|
entry = tomoyo_commit_ok(new_entry, size);
|
|
if (entry) {
|
|
list_add_tail_rcu(&entry->list, list);
|
|
error = 0;
|
|
}
|
|
}
|
|
mutex_unlock(&tomoyo_policy_lock);
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_same_acl_head - Check for duplicated "struct tomoyo_acl_info" entry.
|
|
*
|
|
* @a: Pointer to "struct tomoyo_acl_info".
|
|
* @b: Pointer to "struct tomoyo_acl_info".
|
|
*
|
|
* Returns true if @a == @b, false otherwise.
|
|
*/
|
|
static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *a,
|
|
const struct tomoyo_acl_info *b)
|
|
{
|
|
return a->type == b->type && a->cond == b->cond;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_update_domain - Update an entry for domain policy.
|
|
*
|
|
* @new_entry: Pointer to "struct tomoyo_acl_info".
|
|
* @size: Size of @new_entry in bytes.
|
|
* @param: Pointer to "struct tomoyo_acl_param".
|
|
* @check_duplicate: Callback function to find duplicated entry.
|
|
* @merge_duplicate: Callback function to merge duplicated entry.
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
|
|
struct tomoyo_acl_param *param,
|
|
bool (*check_duplicate)(const struct tomoyo_acl_info
|
|
*,
|
|
const struct tomoyo_acl_info
|
|
*),
|
|
bool (*merge_duplicate)(struct tomoyo_acl_info *,
|
|
struct tomoyo_acl_info *,
|
|
const bool))
|
|
{
|
|
const bool is_delete = param->is_delete;
|
|
int error = is_delete ? -ENOENT : -ENOMEM;
|
|
struct tomoyo_acl_info *entry;
|
|
struct list_head * const list = param->list;
|
|
|
|
if (param->data[0]) {
|
|
new_entry->cond = tomoyo_get_condition(param);
|
|
if (!new_entry->cond)
|
|
return -EINVAL;
|
|
/*
|
|
* Domain transition preference is allowed for only
|
|
* "file execute" entries.
|
|
*/
|
|
if (new_entry->cond->transit &&
|
|
!(new_entry->type == TOMOYO_TYPE_PATH_ACL &&
|
|
container_of(new_entry, struct tomoyo_path_acl, head)
|
|
->perm == 1 << TOMOYO_TYPE_EXECUTE))
|
|
goto out;
|
|
}
|
|
if (mutex_lock_interruptible(&tomoyo_policy_lock))
|
|
goto out;
|
|
list_for_each_entry_rcu(entry, list, list,
|
|
srcu_read_lock_held(&tomoyo_ss)) {
|
|
if (entry->is_deleted == TOMOYO_GC_IN_PROGRESS)
|
|
continue;
|
|
if (!tomoyo_same_acl_head(entry, new_entry) ||
|
|
!check_duplicate(entry, new_entry))
|
|
continue;
|
|
if (merge_duplicate)
|
|
entry->is_deleted = merge_duplicate(entry, new_entry,
|
|
is_delete);
|
|
else
|
|
entry->is_deleted = is_delete;
|
|
error = 0;
|
|
break;
|
|
}
|
|
if (error && !is_delete) {
|
|
entry = tomoyo_commit_ok(new_entry, size);
|
|
if (entry) {
|
|
list_add_tail_rcu(&entry->list, list);
|
|
error = 0;
|
|
}
|
|
}
|
|
mutex_unlock(&tomoyo_policy_lock);
|
|
out:
|
|
tomoyo_put_condition(new_entry->cond);
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_check_acl - Do permission check.
|
|
*
|
|
* @r: Pointer to "struct tomoyo_request_info".
|
|
* @check_entry: Callback function to check type specific parameters.
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
void tomoyo_check_acl(struct tomoyo_request_info *r,
|
|
bool (*check_entry)(struct tomoyo_request_info *,
|
|
const struct tomoyo_acl_info *))
|
|
{
|
|
const struct tomoyo_domain_info *domain = r->domain;
|
|
struct tomoyo_acl_info *ptr;
|
|
const struct list_head *list = &domain->acl_info_list;
|
|
u16 i = 0;
|
|
|
|
retry:
|
|
list_for_each_entry_rcu(ptr, list, list,
|
|
srcu_read_lock_held(&tomoyo_ss)) {
|
|
if (ptr->is_deleted || ptr->type != r->param_type)
|
|
continue;
|
|
if (!check_entry(r, ptr))
|
|
continue;
|
|
if (!tomoyo_condition(r, ptr->cond))
|
|
continue;
|
|
r->matched_acl = ptr;
|
|
r->granted = true;
|
|
return;
|
|
}
|
|
for (; i < TOMOYO_MAX_ACL_GROUPS; i++) {
|
|
if (!test_bit(i, domain->group))
|
|
continue;
|
|
list = &domain->ns->acl_group[i++];
|
|
goto retry;
|
|
}
|
|
r->granted = false;
|
|
}
|
|
|
|
/* The list for "struct tomoyo_domain_info". */
|
|
LIST_HEAD(tomoyo_domain_list);
|
|
|
|
/**
|
|
* tomoyo_last_word - Get last component of a domainname.
|
|
*
|
|
* @name: Domainname to check.
|
|
*
|
|
* Returns the last word of @domainname.
|
|
*/
|
|
static const char *tomoyo_last_word(const char *name)
|
|
{
|
|
const char *cp = strrchr(name, ' ');
|
|
|
|
if (cp)
|
|
return cp + 1;
|
|
return name;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_same_transition_control - Check for duplicated "struct tomoyo_transition_control" entry.
|
|
*
|
|
* @a: Pointer to "struct tomoyo_acl_head".
|
|
* @b: Pointer to "struct tomoyo_acl_head".
|
|
*
|
|
* Returns true if @a == @b, false otherwise.
|
|
*/
|
|
static bool tomoyo_same_transition_control(const struct tomoyo_acl_head *a,
|
|
const struct tomoyo_acl_head *b)
|
|
{
|
|
const struct tomoyo_transition_control *p1 = container_of(a,
|
|
typeof(*p1),
|
|
head);
|
|
const struct tomoyo_transition_control *p2 = container_of(b,
|
|
typeof(*p2),
|
|
head);
|
|
|
|
return p1->type == p2->type && p1->is_last_name == p2->is_last_name
|
|
&& p1->domainname == p2->domainname
|
|
&& p1->program == p2->program;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_write_transition_control - Write "struct tomoyo_transition_control" list.
|
|
*
|
|
* @param: Pointer to "struct tomoyo_acl_param".
|
|
* @type: Type of this entry.
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*/
|
|
int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
|
|
const u8 type)
|
|
{
|
|
struct tomoyo_transition_control e = { .type = type };
|
|
int error = param->is_delete ? -ENOENT : -ENOMEM;
|
|
char *program = param->data;
|
|
char *domainname = strstr(program, " from ");
|
|
|
|
if (domainname) {
|
|
*domainname = '\0';
|
|
domainname += 6;
|
|
} else if (type == TOMOYO_TRANSITION_CONTROL_NO_KEEP ||
|
|
type == TOMOYO_TRANSITION_CONTROL_KEEP) {
|
|
domainname = program;
|
|
program = NULL;
|
|
}
|
|
if (program && strcmp(program, "any")) {
|
|
if (!tomoyo_correct_path(program))
|
|
return -EINVAL;
|
|
e.program = tomoyo_get_name(program);
|
|
if (!e.program)
|
|
goto out;
|
|
}
|
|
if (domainname && strcmp(domainname, "any")) {
|
|
if (!tomoyo_correct_domain(domainname)) {
|
|
if (!tomoyo_correct_path(domainname))
|
|
goto out;
|
|
e.is_last_name = true;
|
|
}
|
|
e.domainname = tomoyo_get_name(domainname);
|
|
if (!e.domainname)
|
|
goto out;
|
|
}
|
|
param->list = ¶m->ns->policy_list[TOMOYO_ID_TRANSITION_CONTROL];
|
|
error = tomoyo_update_policy(&e.head, sizeof(e), param,
|
|
tomoyo_same_transition_control);
|
|
out:
|
|
tomoyo_put_name(e.domainname);
|
|
tomoyo_put_name(e.program);
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_scan_transition - Try to find specific domain transition type.
|
|
*
|
|
* @list: Pointer to "struct list_head".
|
|
* @domainname: The name of current domain.
|
|
* @program: The name of requested program.
|
|
* @last_name: The last component of @domainname.
|
|
* @type: One of values in "enum tomoyo_transition_type".
|
|
*
|
|
* Returns true if found one, false otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static inline bool tomoyo_scan_transition
|
|
(const struct list_head *list, const struct tomoyo_path_info *domainname,
|
|
const struct tomoyo_path_info *program, const char *last_name,
|
|
const enum tomoyo_transition_type type)
|
|
{
|
|
const struct tomoyo_transition_control *ptr;
|
|
|
|
list_for_each_entry_rcu(ptr, list, head.list,
|
|
srcu_read_lock_held(&tomoyo_ss)) {
|
|
if (ptr->head.is_deleted || ptr->type != type)
|
|
continue;
|
|
if (ptr->domainname) {
|
|
if (!ptr->is_last_name) {
|
|
if (ptr->domainname != domainname)
|
|
continue;
|
|
} else {
|
|
/*
|
|
* Use direct strcmp() since this is
|
|
* unlikely used.
|
|
*/
|
|
if (strcmp(ptr->domainname->name, last_name))
|
|
continue;
|
|
}
|
|
}
|
|
if (ptr->program && tomoyo_pathcmp(ptr->program, program))
|
|
continue;
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_transition_type - Get domain transition type.
|
|
*
|
|
* @ns: Pointer to "struct tomoyo_policy_namespace".
|
|
* @domainname: The name of current domain.
|
|
* @program: The name of requested program.
|
|
*
|
|
* Returns TOMOYO_TRANSITION_CONTROL_TRANSIT if executing @program causes
|
|
* domain transition across namespaces, TOMOYO_TRANSITION_CONTROL_INITIALIZE if
|
|
* executing @program reinitializes domain transition within that namespace,
|
|
* TOMOYO_TRANSITION_CONTROL_KEEP if executing @program stays at @domainname ,
|
|
* others otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static enum tomoyo_transition_type tomoyo_transition_type
|
|
(const struct tomoyo_policy_namespace *ns,
|
|
const struct tomoyo_path_info *domainname,
|
|
const struct tomoyo_path_info *program)
|
|
{
|
|
const char *last_name = tomoyo_last_word(domainname->name);
|
|
enum tomoyo_transition_type type = TOMOYO_TRANSITION_CONTROL_NO_RESET;
|
|
|
|
while (type < TOMOYO_MAX_TRANSITION_TYPE) {
|
|
const struct list_head * const list =
|
|
&ns->policy_list[TOMOYO_ID_TRANSITION_CONTROL];
|
|
|
|
if (!tomoyo_scan_transition(list, domainname, program,
|
|
last_name, type)) {
|
|
type++;
|
|
continue;
|
|
}
|
|
if (type != TOMOYO_TRANSITION_CONTROL_NO_RESET &&
|
|
type != TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE)
|
|
break;
|
|
/*
|
|
* Do not check for reset_domain if no_reset_domain matched.
|
|
* Do not check for initialize_domain if no_initialize_domain
|
|
* matched.
|
|
*/
|
|
type++;
|
|
type++;
|
|
}
|
|
return type;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_same_aggregator - Check for duplicated "struct tomoyo_aggregator" entry.
|
|
*
|
|
* @a: Pointer to "struct tomoyo_acl_head".
|
|
* @b: Pointer to "struct tomoyo_acl_head".
|
|
*
|
|
* Returns true if @a == @b, false otherwise.
|
|
*/
|
|
static bool tomoyo_same_aggregator(const struct tomoyo_acl_head *a,
|
|
const struct tomoyo_acl_head *b)
|
|
{
|
|
const struct tomoyo_aggregator *p1 = container_of(a, typeof(*p1),
|
|
head);
|
|
const struct tomoyo_aggregator *p2 = container_of(b, typeof(*p2),
|
|
head);
|
|
|
|
return p1->original_name == p2->original_name &&
|
|
p1->aggregated_name == p2->aggregated_name;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_write_aggregator - Write "struct tomoyo_aggregator" list.
|
|
*
|
|
* @param: Pointer to "struct tomoyo_acl_param".
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
int tomoyo_write_aggregator(struct tomoyo_acl_param *param)
|
|
{
|
|
struct tomoyo_aggregator e = { };
|
|
int error = param->is_delete ? -ENOENT : -ENOMEM;
|
|
const char *original_name = tomoyo_read_token(param);
|
|
const char *aggregated_name = tomoyo_read_token(param);
|
|
|
|
if (!tomoyo_correct_word(original_name) ||
|
|
!tomoyo_correct_path(aggregated_name))
|
|
return -EINVAL;
|
|
e.original_name = tomoyo_get_name(original_name);
|
|
e.aggregated_name = tomoyo_get_name(aggregated_name);
|
|
if (!e.original_name || !e.aggregated_name ||
|
|
e.aggregated_name->is_patterned) /* No patterns allowed. */
|
|
goto out;
|
|
param->list = ¶m->ns->policy_list[TOMOYO_ID_AGGREGATOR];
|
|
error = tomoyo_update_policy(&e.head, sizeof(e), param,
|
|
tomoyo_same_aggregator);
|
|
out:
|
|
tomoyo_put_name(e.original_name);
|
|
tomoyo_put_name(e.aggregated_name);
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_find_namespace - Find specified namespace.
|
|
*
|
|
* @name: Name of namespace to find.
|
|
* @len: Length of @name.
|
|
*
|
|
* Returns pointer to "struct tomoyo_policy_namespace" if found,
|
|
* NULL otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
static struct tomoyo_policy_namespace *tomoyo_find_namespace
|
|
(const char *name, const unsigned int len)
|
|
{
|
|
struct tomoyo_policy_namespace *ns;
|
|
|
|
list_for_each_entry(ns, &tomoyo_namespace_list, namespace_list) {
|
|
if (strncmp(name, ns->name, len) ||
|
|
(name[len] && name[len] != ' '))
|
|
continue;
|
|
return ns;
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_assign_namespace - Create a new namespace.
|
|
*
|
|
* @domainname: Name of namespace to create.
|
|
*
|
|
* Returns pointer to "struct tomoyo_policy_namespace" on success,
|
|
* NULL otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
struct tomoyo_policy_namespace *tomoyo_assign_namespace(const char *domainname)
|
|
{
|
|
struct tomoyo_policy_namespace *ptr;
|
|
struct tomoyo_policy_namespace *entry;
|
|
const char *cp = domainname;
|
|
unsigned int len = 0;
|
|
|
|
while (*cp && *cp++ != ' ')
|
|
len++;
|
|
ptr = tomoyo_find_namespace(domainname, len);
|
|
if (ptr)
|
|
return ptr;
|
|
if (len >= TOMOYO_EXEC_TMPSIZE - 10 || !tomoyo_domain_def(domainname))
|
|
return NULL;
|
|
entry = kzalloc(sizeof(*entry) + len + 1, GFP_NOFS | __GFP_NOWARN);
|
|
if (mutex_lock_interruptible(&tomoyo_policy_lock))
|
|
goto out;
|
|
ptr = tomoyo_find_namespace(domainname, len);
|
|
if (!ptr && tomoyo_memory_ok(entry)) {
|
|
char *name = (char *) (entry + 1);
|
|
|
|
ptr = entry;
|
|
memmove(name, domainname, len);
|
|
name[len] = '\0';
|
|
entry->name = name;
|
|
tomoyo_init_policy_namespace(entry);
|
|
entry = NULL;
|
|
}
|
|
mutex_unlock(&tomoyo_policy_lock);
|
|
out:
|
|
kfree(entry);
|
|
return ptr;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_namespace_jump - Check for namespace jump.
|
|
*
|
|
* @domainname: Name of domain.
|
|
*
|
|
* Returns true if namespace differs, false otherwise.
|
|
*/
|
|
static bool tomoyo_namespace_jump(const char *domainname)
|
|
{
|
|
const char *namespace = tomoyo_current_namespace()->name;
|
|
const int len = strlen(namespace);
|
|
|
|
return strncmp(domainname, namespace, len) ||
|
|
(domainname[len] && domainname[len] != ' ');
|
|
}
|
|
|
|
/**
|
|
* tomoyo_assign_domain - Create a domain or a namespace.
|
|
*
|
|
* @domainname: The name of domain.
|
|
* @transit: True if transit to domain found or created.
|
|
*
|
|
* Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
|
|
const bool transit)
|
|
{
|
|
struct tomoyo_domain_info e = { };
|
|
struct tomoyo_domain_info *entry = tomoyo_find_domain(domainname);
|
|
bool created = false;
|
|
|
|
if (entry) {
|
|
if (transit) {
|
|
/*
|
|
* Since namespace is created at runtime, profiles may
|
|
* not be created by the moment the process transits to
|
|
* that domain. Do not perform domain transition if
|
|
* profile for that domain is not yet created.
|
|
*/
|
|
if (tomoyo_policy_loaded &&
|
|
!entry->ns->profile_ptr[entry->profile])
|
|
return NULL;
|
|
}
|
|
return entry;
|
|
}
|
|
/* Requested domain does not exist. */
|
|
/* Don't create requested domain if domainname is invalid. */
|
|
if (strlen(domainname) >= TOMOYO_EXEC_TMPSIZE - 10 ||
|
|
!tomoyo_correct_domain(domainname))
|
|
return NULL;
|
|
/*
|
|
* Since definition of profiles and acl_groups may differ across
|
|
* namespaces, do not inherit "use_profile" and "use_group" settings
|
|
* by automatically creating requested domain upon domain transition.
|
|
*/
|
|
if (transit && tomoyo_namespace_jump(domainname))
|
|
return NULL;
|
|
e.ns = tomoyo_assign_namespace(domainname);
|
|
if (!e.ns)
|
|
return NULL;
|
|
/*
|
|
* "use_profile" and "use_group" settings for automatically created
|
|
* domains are inherited from current domain. These are 0 for manually
|
|
* created domains.
|
|
*/
|
|
if (transit) {
|
|
const struct tomoyo_domain_info *domain = tomoyo_domain();
|
|
|
|
e.profile = domain->profile;
|
|
memcpy(e.group, domain->group, sizeof(e.group));
|
|
}
|
|
e.domainname = tomoyo_get_name(domainname);
|
|
if (!e.domainname)
|
|
return NULL;
|
|
if (mutex_lock_interruptible(&tomoyo_policy_lock))
|
|
goto out;
|
|
entry = tomoyo_find_domain(domainname);
|
|
if (!entry) {
|
|
entry = tomoyo_commit_ok(&e, sizeof(e));
|
|
if (entry) {
|
|
INIT_LIST_HEAD(&entry->acl_info_list);
|
|
list_add_tail_rcu(&entry->list, &tomoyo_domain_list);
|
|
created = true;
|
|
}
|
|
}
|
|
mutex_unlock(&tomoyo_policy_lock);
|
|
out:
|
|
tomoyo_put_name(e.domainname);
|
|
if (entry && transit) {
|
|
if (created) {
|
|
struct tomoyo_request_info r;
|
|
int i;
|
|
|
|
tomoyo_init_request_info(&r, entry,
|
|
TOMOYO_MAC_FILE_EXECUTE);
|
|
r.granted = false;
|
|
tomoyo_write_log(&r, "use_profile %u\n",
|
|
entry->profile);
|
|
for (i = 0; i < TOMOYO_MAX_ACL_GROUPS; i++)
|
|
if (test_bit(i, entry->group))
|
|
tomoyo_write_log(&r, "use_group %u\n",
|
|
i);
|
|
tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES);
|
|
}
|
|
}
|
|
return entry;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_environ - Check permission for environment variable names.
|
|
*
|
|
* @ee: Pointer to "struct tomoyo_execve".
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*/
|
|
static int tomoyo_environ(struct tomoyo_execve *ee)
|
|
{
|
|
struct tomoyo_request_info *r = &ee->r;
|
|
struct linux_binprm *bprm = ee->bprm;
|
|
/* env_page.data is allocated by tomoyo_dump_page(). */
|
|
struct tomoyo_page_dump env_page = { };
|
|
char *arg_ptr; /* Size is TOMOYO_EXEC_TMPSIZE bytes */
|
|
int arg_len = 0;
|
|
unsigned long pos = bprm->p;
|
|
int offset = pos % PAGE_SIZE;
|
|
int argv_count = bprm->argc;
|
|
int envp_count = bprm->envc;
|
|
int error = -ENOMEM;
|
|
|
|
ee->r.type = TOMOYO_MAC_ENVIRON;
|
|
ee->r.profile = r->domain->profile;
|
|
ee->r.mode = tomoyo_get_mode(r->domain->ns, ee->r.profile,
|
|
TOMOYO_MAC_ENVIRON);
|
|
if (!r->mode || !envp_count)
|
|
return 0;
|
|
arg_ptr = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS);
|
|
if (!arg_ptr)
|
|
goto out;
|
|
while (error == -ENOMEM) {
|
|
if (!tomoyo_dump_page(bprm, pos, &env_page))
|
|
goto out;
|
|
pos += PAGE_SIZE - offset;
|
|
/* Read. */
|
|
while (argv_count && offset < PAGE_SIZE) {
|
|
if (!env_page.data[offset++])
|
|
argv_count--;
|
|
}
|
|
if (argv_count) {
|
|
offset = 0;
|
|
continue;
|
|
}
|
|
while (offset < PAGE_SIZE) {
|
|
const unsigned char c = env_page.data[offset++];
|
|
|
|
if (c && arg_len < TOMOYO_EXEC_TMPSIZE - 10) {
|
|
if (c == '=') {
|
|
arg_ptr[arg_len++] = '\0';
|
|
} else if (c == '\\') {
|
|
arg_ptr[arg_len++] = '\\';
|
|
arg_ptr[arg_len++] = '\\';
|
|
} else if (c > ' ' && c < 127) {
|
|
arg_ptr[arg_len++] = c;
|
|
} else {
|
|
arg_ptr[arg_len++] = '\\';
|
|
arg_ptr[arg_len++] = (c >> 6) + '0';
|
|
arg_ptr[arg_len++]
|
|
= ((c >> 3) & 7) + '0';
|
|
arg_ptr[arg_len++] = (c & 7) + '0';
|
|
}
|
|
} else {
|
|
arg_ptr[arg_len] = '\0';
|
|
}
|
|
if (c)
|
|
continue;
|
|
if (tomoyo_env_perm(r, arg_ptr)) {
|
|
error = -EPERM;
|
|
break;
|
|
}
|
|
if (!--envp_count) {
|
|
error = 0;
|
|
break;
|
|
}
|
|
arg_len = 0;
|
|
}
|
|
offset = 0;
|
|
}
|
|
out:
|
|
if (r->mode != TOMOYO_CONFIG_ENFORCING)
|
|
error = 0;
|
|
kfree(env_page.data);
|
|
kfree(arg_ptr);
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_find_next_domain - Find a domain.
|
|
*
|
|
* @bprm: Pointer to "struct linux_binprm".
|
|
*
|
|
* Returns 0 on success, negative value otherwise.
|
|
*
|
|
* Caller holds tomoyo_read_lock().
|
|
*/
|
|
int tomoyo_find_next_domain(struct linux_binprm *bprm)
|
|
{
|
|
struct tomoyo_domain_info *old_domain = tomoyo_domain();
|
|
struct tomoyo_domain_info *domain = NULL;
|
|
const char *original_name = bprm->filename;
|
|
int retval = -ENOMEM;
|
|
bool reject_on_transition_failure = false;
|
|
const struct tomoyo_path_info *candidate;
|
|
struct tomoyo_path_info exename;
|
|
struct tomoyo_execve *ee = kzalloc(sizeof(*ee), GFP_NOFS);
|
|
|
|
if (!ee)
|
|
return -ENOMEM;
|
|
ee->tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS);
|
|
if (!ee->tmp) {
|
|
kfree(ee);
|
|
return -ENOMEM;
|
|
}
|
|
/* ee->dump->data is allocated by tomoyo_dump_page(). */
|
|
tomoyo_init_request_info(&ee->r, NULL, TOMOYO_MAC_FILE_EXECUTE);
|
|
ee->r.ee = ee;
|
|
ee->bprm = bprm;
|
|
ee->r.obj = &ee->obj;
|
|
ee->obj.path1 = bprm->file->f_path;
|
|
/* Get symlink's pathname of program. */
|
|
retval = -ENOENT;
|
|
exename.name = tomoyo_realpath_nofollow(original_name);
|
|
if (!exename.name)
|
|
goto out;
|
|
tomoyo_fill_path_info(&exename);
|
|
retry:
|
|
/* Check 'aggregator' directive. */
|
|
{
|
|
struct tomoyo_aggregator *ptr;
|
|
struct list_head *list =
|
|
&old_domain->ns->policy_list[TOMOYO_ID_AGGREGATOR];
|
|
|
|
/* Check 'aggregator' directive. */
|
|
candidate = &exename;
|
|
list_for_each_entry_rcu(ptr, list, head.list,
|
|
srcu_read_lock_held(&tomoyo_ss)) {
|
|
if (ptr->head.is_deleted ||
|
|
!tomoyo_path_matches_pattern(&exename,
|
|
ptr->original_name))
|
|
continue;
|
|
candidate = ptr->aggregated_name;
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* Check execute permission. */
|
|
retval = tomoyo_execute_permission(&ee->r, candidate);
|
|
if (retval == TOMOYO_RETRY_REQUEST)
|
|
goto retry;
|
|
if (retval < 0)
|
|
goto out;
|
|
/*
|
|
* To be able to specify domainnames with wildcards, use the
|
|
* pathname specified in the policy (which may contain
|
|
* wildcard) rather than the pathname passed to execve()
|
|
* (which never contains wildcard).
|
|
*/
|
|
if (ee->r.param.path.matched_path)
|
|
candidate = ee->r.param.path.matched_path;
|
|
|
|
/*
|
|
* Check for domain transition preference if "file execute" matched.
|
|
* If preference is given, make execve() fail if domain transition
|
|
* has failed, for domain transition preference should be used with
|
|
* destination domain defined.
|
|
*/
|
|
if (ee->transition) {
|
|
const char *domainname = ee->transition->name;
|
|
|
|
reject_on_transition_failure = true;
|
|
if (!strcmp(domainname, "keep"))
|
|
goto force_keep_domain;
|
|
if (!strcmp(domainname, "child"))
|
|
goto force_child_domain;
|
|
if (!strcmp(domainname, "reset"))
|
|
goto force_reset_domain;
|
|
if (!strcmp(domainname, "initialize"))
|
|
goto force_initialize_domain;
|
|
if (!strcmp(domainname, "parent")) {
|
|
char *cp;
|
|
|
|
strscpy(ee->tmp, old_domain->domainname->name, TOMOYO_EXEC_TMPSIZE);
|
|
cp = strrchr(ee->tmp, ' ');
|
|
if (cp)
|
|
*cp = '\0';
|
|
} else if (*domainname == '<')
|
|
strscpy(ee->tmp, domainname, TOMOYO_EXEC_TMPSIZE);
|
|
else
|
|
snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s",
|
|
old_domain->domainname->name, domainname);
|
|
goto force_jump_domain;
|
|
}
|
|
/*
|
|
* No domain transition preference specified.
|
|
* Calculate domain to transit to.
|
|
*/
|
|
switch (tomoyo_transition_type(old_domain->ns, old_domain->domainname,
|
|
candidate)) {
|
|
case TOMOYO_TRANSITION_CONTROL_RESET:
|
|
force_reset_domain:
|
|
/* Transit to the root of specified namespace. */
|
|
snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "<%s>",
|
|
candidate->name);
|
|
/*
|
|
* Make execve() fail if domain transition across namespaces
|
|
* has failed.
|
|
*/
|
|
reject_on_transition_failure = true;
|
|
break;
|
|
case TOMOYO_TRANSITION_CONTROL_INITIALIZE:
|
|
force_initialize_domain:
|
|
/* Transit to the child of current namespace's root. */
|
|
snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s",
|
|
old_domain->ns->name, candidate->name);
|
|
break;
|
|
case TOMOYO_TRANSITION_CONTROL_KEEP:
|
|
force_keep_domain:
|
|
/* Keep current domain. */
|
|
domain = old_domain;
|
|
break;
|
|
default:
|
|
if (old_domain == &tomoyo_kernel_domain &&
|
|
!tomoyo_policy_loaded) {
|
|
/*
|
|
* Needn't to transit from kernel domain before
|
|
* starting /sbin/init. But transit from kernel domain
|
|
* if executing initializers because they might start
|
|
* before /sbin/init.
|
|
*/
|
|
domain = old_domain;
|
|
break;
|
|
}
|
|
force_child_domain:
|
|
/* Normal domain transition. */
|
|
snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s",
|
|
old_domain->domainname->name, candidate->name);
|
|
break;
|
|
}
|
|
force_jump_domain:
|
|
if (!domain)
|
|
domain = tomoyo_assign_domain(ee->tmp, true);
|
|
if (domain)
|
|
retval = 0;
|
|
else if (reject_on_transition_failure) {
|
|
pr_warn("ERROR: Domain '%s' not ready.\n", ee->tmp);
|
|
retval = -ENOMEM;
|
|
} else if (ee->r.mode == TOMOYO_CONFIG_ENFORCING)
|
|
retval = -ENOMEM;
|
|
else {
|
|
retval = 0;
|
|
if (!old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED]) {
|
|
old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED] = true;
|
|
ee->r.granted = false;
|
|
tomoyo_write_log(&ee->r, "%s", tomoyo_dif
|
|
[TOMOYO_DIF_TRANSITION_FAILED]);
|
|
pr_warn("ERROR: Domain '%s' not defined.\n", ee->tmp);
|
|
}
|
|
}
|
|
out:
|
|
if (!domain)
|
|
domain = old_domain;
|
|
/* Update reference count on "struct tomoyo_domain_info". */
|
|
{
|
|
struct tomoyo_task *s = tomoyo_task(current);
|
|
|
|
s->old_domain_info = s->domain_info;
|
|
s->domain_info = domain;
|
|
atomic_inc(&domain->users);
|
|
}
|
|
kfree(exename.name);
|
|
if (!retval) {
|
|
ee->r.domain = domain;
|
|
retval = tomoyo_environ(ee);
|
|
}
|
|
kfree(ee->tmp);
|
|
kfree(ee->dump.data);
|
|
kfree(ee);
|
|
return retval;
|
|
}
|
|
|
|
/**
|
|
* tomoyo_dump_page - Dump a page to buffer.
|
|
*
|
|
* @bprm: Pointer to "struct linux_binprm".
|
|
* @pos: Location to dump.
|
|
* @dump: Pointer to "struct tomoyo_page_dump".
|
|
*
|
|
* Returns true on success, false otherwise.
|
|
*/
|
|
bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
|
|
struct tomoyo_page_dump *dump)
|
|
{
|
|
struct page *page;
|
|
#ifdef CONFIG_MMU
|
|
int ret;
|
|
#endif
|
|
|
|
/* dump->data is released by tomoyo_find_next_domain(). */
|
|
if (!dump->data) {
|
|
dump->data = kzalloc(PAGE_SIZE, GFP_NOFS);
|
|
if (!dump->data)
|
|
return false;
|
|
}
|
|
/* Same with get_arg_page(bprm, pos, 0) in fs/exec.c */
|
|
#ifdef CONFIG_MMU
|
|
/*
|
|
* This is called at execve() time in order to dig around
|
|
* in the argv/environment of the new proceess
|
|
* (represented by bprm).
|
|
*/
|
|
mmap_read_lock(bprm->mm);
|
|
ret = get_user_pages_remote(bprm->mm, pos, 1,
|
|
FOLL_FORCE, &page, NULL);
|
|
mmap_read_unlock(bprm->mm);
|
|
if (ret <= 0)
|
|
return false;
|
|
#else
|
|
page = bprm->page[pos / PAGE_SIZE];
|
|
#endif
|
|
if (page != dump->page) {
|
|
const unsigned int offset = pos % PAGE_SIZE;
|
|
/*
|
|
* Maybe kmap()/kunmap() should be used here.
|
|
* But remove_arg_zero() uses kmap_atomic()/kunmap_atomic().
|
|
* So do I.
|
|
*/
|
|
char *kaddr = kmap_atomic(page);
|
|
|
|
dump->page = page;
|
|
memcpy(dump->data + offset, kaddr + offset,
|
|
PAGE_SIZE - offset);
|
|
kunmap_atomic(kaddr);
|
|
}
|
|
/* Same with put_arg_page(page) in fs/exec.c */
|
|
#ifdef CONFIG_MMU
|
|
put_page(page);
|
|
#endif
|
|
return true;
|
|
}
|