common.c 49.9 KB
Newer Older
1
2
3
4
5
/*
 * security/tomoyo/common.c
 *
 * Common functions for TOMOYO.
 *
6
 * Copyright (C) 2005-2010  NTT DATA CORPORATION
7
8
9
 */

#include <linux/uaccess.h>
10
#include <linux/slab.h>
11
12
13
14
15
16
17
18
19
20
21
22
23
#include <linux/security.h>
#include <linux/hardirq.h>
#include "common.h"

/* String table for functionality that takes 4 modes. */
static const char *tomoyo_mode_4[4] = {
	"disabled", "learning", "permissive", "enforcing"
};
/* String table for functionality that takes 2 modes. */
static const char *tomoyo_mode_2[4] = {
	"disabled", "enabled", "enabled", "enabled"
};

24
25
26
27
28
29
30
/*
 * tomoyo_control_array is a static data which contains
 *
 *  (1) functionality name used by /sys/kernel/security/tomoyo/profile .
 *  (2) initial values for "struct tomoyo_profile".
 *  (3) max values for "struct tomoyo_profile".
 */
31
32
33
34
35
36
37
38
39
40
static struct {
	const char *keyword;
	unsigned int current_value;
	const unsigned int max_value;
} tomoyo_control_array[TOMOYO_MAX_CONTROL_INDEX] = {
	[TOMOYO_MAC_FOR_FILE]     = { "MAC_FOR_FILE",        0,       3 },
	[TOMOYO_MAX_ACCEPT_ENTRY] = { "MAX_ACCEPT_ENTRY", 2048, INT_MAX },
	[TOMOYO_VERBOSE]          = { "TOMOYO_VERBOSE",      1,       1 },
};

41
42
43
44
45
46
47
/*
 * tomoyo_profile is a structure which is used for holding the mode of access
 * controls. TOMOYO has 4 modes: disabled, learning, permissive, enforcing.
 * An administrator can define up to 256 profiles.
 * The ->profile of "struct tomoyo_domain_info" is used for remembering
 * the profile's number (0 - 255) assigned to that domain.
 */
48
49
50
51
52
53
54
55
56
57
static struct tomoyo_profile {
	unsigned int value[TOMOYO_MAX_CONTROL_INDEX];
	const struct tomoyo_path_info *comment;
} *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES];

/* Permit policy management by non-root user? */
static bool tomoyo_manage_by_non_root;

/* Utility functions. */

58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
/**
 * tomoyo_print_name_union - Print a tomoyo_name_union.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @ptr:  Pointer to "struct tomoyo_name_union".
 *
 * Returns true on success, false otherwise.
 */
static bool tomoyo_print_name_union(struct tomoyo_io_buffer *head,
				 const struct tomoyo_name_union *ptr)
{
	int pos = head->read_avail;
	if (pos && head->read_buf[pos - 1] == ' ')
		head->read_avail--;
	if (ptr->is_group)
		return tomoyo_io_printf(head, " @%s",
					ptr->group->group_name->name);
	return tomoyo_io_printf(head, " %s", ptr->filename->name);
}

78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
/**
 * tomoyo_print_number_union - Print a tomoyo_number_union.
 *
 * @head:       Pointer to "struct tomoyo_io_buffer".
 * @ptr:        Pointer to "struct tomoyo_number_union".
 *
 * Returns true on success, false otherwise.
 */
bool tomoyo_print_number_union(struct tomoyo_io_buffer *head,
			       const struct tomoyo_number_union *ptr)
{
	unsigned long min;
	unsigned long max;
	u8 min_type;
	u8 max_type;
	if (!tomoyo_io_printf(head, " "))
		return false;
	if (ptr->is_group)
		return tomoyo_io_printf(head, "@%s",
					ptr->group->group_name->name);
	min_type = ptr->min_type;
	max_type = ptr->max_type;
	min = ptr->values[0];
	max = ptr->values[1];
	switch (min_type) {
	case TOMOYO_VALUE_TYPE_HEXADECIMAL:
		if (!tomoyo_io_printf(head, "0x%lX", min))
			return false;
		break;
	case TOMOYO_VALUE_TYPE_OCTAL:
		if (!tomoyo_io_printf(head, "0%lo", min))
			return false;
		break;
	default:
		if (!tomoyo_io_printf(head, "%lu", min))
			return false;
		break;
	}
	if (min == max && min_type == max_type)
		return true;
	switch (max_type) {
	case TOMOYO_VALUE_TYPE_HEXADECIMAL:
		return tomoyo_io_printf(head, "-0x%lX", max);
	case TOMOYO_VALUE_TYPE_OCTAL:
		return tomoyo_io_printf(head, "-0%lo", max);
	default:
		return tomoyo_io_printf(head, "-%lu", max);
	}
}

128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
/**
 * tomoyo_io_printf - Transactional printf() to "struct tomoyo_io_buffer" structure.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @fmt:  The printf()'s format string, followed by parameters.
 *
 * Returns true if output was written, false otherwise.
 *
 * The snprintf() will truncate, but tomoyo_io_printf() won't.
 */
bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
{
	va_list args;
	int len;
	int pos = head->read_avail;
	int size = head->readbuf_size - pos;

	if (size <= 0)
		return false;
	va_start(args, fmt);
	len = vsnprintf(head->read_buf + pos, size, fmt, args);
	va_end(args);
	if (pos + len >= head->readbuf_size)
		return false;
	head->read_avail += len;
	return true;
}

/**
 * tomoyo_check_flags - Check mode for specified functionality.
 *
 * @domain: Pointer to "struct tomoyo_domain_info".
 * @index:  The functionality to check mode.
 *
 * TOMOYO checks only process context.
 * This code disables TOMOYO's enforcement in case the function is called from
 * interrupt context.
 */
unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
				const u8 index)
{
	const u8 profile = domain->profile;

	if (WARN_ON(in_interrupt()))
		return 0;
	return tomoyo_policy_loaded && index < TOMOYO_MAX_CONTROL_INDEX
#if TOMOYO_MAX_PROFILES != 256
		&& profile < TOMOYO_MAX_PROFILES
#endif
		&& tomoyo_profile_ptr[profile] ?
		tomoyo_profile_ptr[profile]->value[index] : 0;
}

/**
 * tomoyo_verbose_mode - Check whether TOMOYO is verbose mode.
 *
 * @domain: Pointer to "struct tomoyo_domain_info".
 *
 * Returns true if domain policy violation warning should be printed to
 * console.
 */
bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain)
{
	return tomoyo_check_flags(domain, TOMOYO_VERBOSE) != 0;
}

/**
 * tomoyo_find_or_assign_new_profile - Create a new profile.
 *
 * @profile: Profile number to create.
 *
 * Returns pointer to "struct tomoyo_profile" on success, NULL otherwise.
 */
static struct tomoyo_profile *tomoyo_find_or_assign_new_profile(const unsigned
								int profile)
{
	struct tomoyo_profile *ptr = NULL;
	int i;

	if (profile >= TOMOYO_MAX_PROFILES)
		return NULL;
209
210
	if (mutex_lock_interruptible(&tomoyo_policy_lock))
		return NULL;
211
212
213
	ptr = tomoyo_profile_ptr[profile];
	if (ptr)
		goto ok;
214
	ptr = kmalloc(sizeof(*ptr), GFP_NOFS);
215
216
	if (!tomoyo_memory_ok(ptr)) {
		kfree(ptr);
217
		ptr = NULL;
218
		goto ok;
219
	}
220
221
222
223
224
	for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++)
		ptr->value[i] = tomoyo_control_array[i].current_value;
	mb(); /* Avoid out-of-order execution. */
	tomoyo_profile_ptr[profile] = ptr;
 ok:
225
	mutex_unlock(&tomoyo_policy_lock);
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
	return ptr;
}

/**
 * tomoyo_write_profile - Write to profile table.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0 on success, negative value otherwise.
 */
static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
{
	char *data = head->write_buf;
	unsigned int i;
	unsigned int value;
	char *cp;
	struct tomoyo_profile *profile;
	unsigned long num;

	cp = strchr(data, '-');
	if (cp)
		*cp = '\0';
	if (strict_strtoul(data, 10, &num))
		return -EINVAL;
	if (cp)
		data = cp + 1;
	profile = tomoyo_find_or_assign_new_profile(num);
	if (!profile)
		return -EINVAL;
	cp = strchr(data, '=');
	if (!cp)
		return -EINVAL;
	*cp = '\0';
	if (!strcmp(data, "COMMENT")) {
260
261
262
		const struct tomoyo_path_info *old_comment = profile->comment;
		profile->comment = tomoyo_get_name(cp + 1);
		tomoyo_put_name(old_comment);
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
		return 0;
	}
	for (i = 0; i < TOMOYO_MAX_CONTROL_INDEX; i++) {
		if (strcmp(data, tomoyo_control_array[i].keyword))
			continue;
		if (sscanf(cp + 1, "%u", &value) != 1) {
			int j;
			const char **modes;
			switch (i) {
			case TOMOYO_VERBOSE:
				modes = tomoyo_mode_2;
				break;
			default:
				modes = tomoyo_mode_4;
				break;
			}
			for (j = 0; j < 4; j++) {
				if (strcmp(cp + 1, modes[j]))
					continue;
				value = j;
				break;
			}
			if (j == 4)
				return -EINVAL;
		} else if (value > tomoyo_control_array[i].max_value) {
			value = tomoyo_control_array[i].max_value;
		}
		profile->value[i] = value;
		return 0;
	}
	return -EINVAL;
}

/**
 * tomoyo_read_profile - Read from profile table.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0.
 */
static int tomoyo_read_profile(struct tomoyo_io_buffer *head)
{
	static const int total = TOMOYO_MAX_CONTROL_INDEX + 1;
	int step;

	if (head->read_eof)
		return 0;
	for (step = head->read_step; step < TOMOYO_MAX_PROFILES * total;
	     step++) {
		const u8 index = step / total;
		u8 type = step % total;
		const struct tomoyo_profile *profile
			= tomoyo_profile_ptr[index];
		head->read_step = step;
		if (!profile)
			continue;
		if (!type) { /* Print profile' comment tag. */
			if (!tomoyo_io_printf(head, "%u-COMMENT=%s\n",
					      index, profile->comment ?
					      profile->comment->name : ""))
				break;
			continue;
		}
		type--;
		if (type < TOMOYO_MAX_CONTROL_INDEX) {
			const unsigned int value = profile->value[type];
			const char **modes = NULL;
			const char *keyword
				= tomoyo_control_array[type].keyword;
			switch (tomoyo_control_array[type].max_value) {
			case 3:
				modes = tomoyo_mode_4;
				break;
			case 1:
				modes = tomoyo_mode_2;
				break;
			}
			if (modes) {
				if (!tomoyo_io_printf(head, "%u-%s=%s\n", index,
						      keyword, modes[value]))
					break;
			} else {
				if (!tomoyo_io_printf(head, "%u-%s=%u\n", index,
						      keyword, value))
					break;
			}
		}
	}
	if (step == TOMOYO_MAX_PROFILES * total)
		head->read_eof = true;
	return 0;
}

356
357
358
359
360
361
362
363
364
365
366
367
368
/*
 * tomoyo_policy_manager_list is used for holding list of domainnames or
 * programs which are permitted to modify configuration via
 * /sys/kernel/security/tomoyo/ interface.
 *
 * An entry is added by
 *
 * # echo '<kernel> /sbin/mingetty /bin/login /bin/bash' > \
 *                                        /sys/kernel/security/tomoyo/manager
 *  (if you want to specify by a domainname)
 *
 *  or
 *
369
 * # echo '/usr/sbin/tomoyo-editpolicy' > /sys/kernel/security/tomoyo/manager
370
371
372
373
374
375
376
377
378
 *  (if you want to specify by a program's location)
 *
 * and is deleted by
 *
 * # echo 'delete <kernel> /sbin/mingetty /bin/login /bin/bash' > \
 *                                        /sys/kernel/security/tomoyo/manager
 *
 *  or
 *
379
 * # echo 'delete /usr/sbin/tomoyo-editpolicy' > \
380
381
382
383
384
385
 *                                        /sys/kernel/security/tomoyo/manager
 *
 * and all entries are retrieved by
 *
 * # cat /sys/kernel/security/tomoyo/manager
 */
Tetsuo Handa's avatar
Tetsuo Handa committed
386
LIST_HEAD(tomoyo_policy_manager_list);
387
388
389
390
391
392
393
394

/**
 * tomoyo_update_manager_entry - Add a manager entry.
 *
 * @manager:   The path to manager or the domainnamme.
 * @is_delete: True if it is a delete request.
 *
 * Returns 0 on success, negative value otherwise.
395
396
 *
 * Caller holds tomoyo_read_lock().
397
398
399
400
401
 */
static int tomoyo_update_manager_entry(const char *manager,
				       const bool is_delete)
{
	struct tomoyo_policy_manager_entry *ptr;
402
	struct tomoyo_policy_manager_entry e = { };
403
	int error = is_delete ? -ENOENT : -ENOMEM;
404
405

	if (tomoyo_is_domain_def(manager)) {
406
		if (!tomoyo_is_correct_domain(manager))
407
			return -EINVAL;
408
		e.is_domain = true;
409
	} else {
410
		if (!tomoyo_is_correct_path(manager, 1, -1, -1))
411
412
			return -EINVAL;
	}
413
414
	e.manager = tomoyo_get_name(manager);
	if (!e.manager)
415
		return -ENOMEM;
416
417
	if (mutex_lock_interruptible(&tomoyo_policy_lock))
		goto out;
418
	list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
419
		if (ptr->manager != e.manager)
420
421
422
			continue;
		ptr->is_deleted = is_delete;
		error = 0;
423
		break;
424
	}
425
426
427
428
429
430
431
432
	if (!is_delete && error) {
		struct tomoyo_policy_manager_entry *entry =
			tomoyo_commit_ok(&e, sizeof(e));
		if (entry) {
			list_add_tail_rcu(&entry->list,
					  &tomoyo_policy_manager_list);
			error = 0;
		}
433
	}
434
	mutex_unlock(&tomoyo_policy_lock);
435
 out:
436
	tomoyo_put_name(e.manager);
437
438
439
440
441
442
443
444
445
	return error;
}

/**
 * tomoyo_write_manager_policy - Write manager policy.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0 on success, negative value otherwise.
446
447
 *
 * Caller holds tomoyo_read_lock().
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
 */
static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
{
	char *data = head->write_buf;
	bool is_delete = tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE);

	if (!strcmp(data, "manage_by_non_root")) {
		tomoyo_manage_by_non_root = !is_delete;
		return 0;
	}
	return tomoyo_update_manager_entry(data, is_delete);
}

/**
 * tomoyo_read_manager_policy - Read manager policy.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0.
467
468
 *
 * Caller holds tomoyo_read_lock().
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
 */
static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
{
	struct list_head *pos;
	bool done = true;

	if (head->read_eof)
		return 0;
	list_for_each_cookie(pos, head->read_var2,
			     &tomoyo_policy_manager_list) {
		struct tomoyo_policy_manager_entry *ptr;
		ptr = list_entry(pos, struct tomoyo_policy_manager_entry,
				 list);
		if (ptr->is_deleted)
			continue;
Tetsuo Handa's avatar
Tetsuo Handa committed
484
485
		done = tomoyo_io_printf(head, "%s\n", ptr->manager->name);
		if (!done)
486
487
488
489
490
491
492
493
494
495
496
			break;
	}
	head->read_eof = done;
	return 0;
}

/**
 * tomoyo_is_policy_manager - Check whether the current process is a policy manager.
 *
 * Returns true if the current process is permitted to modify policy
 * via /sys/kernel/security/tomoyo/ interface.
497
498
 *
 * Caller holds tomoyo_read_lock().
499
500
501
502
503
504
505
506
507
508
509
510
511
 */
static bool tomoyo_is_policy_manager(void)
{
	struct tomoyo_policy_manager_entry *ptr;
	const char *exe;
	const struct task_struct *task = current;
	const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
	bool found = false;

	if (!tomoyo_policy_loaded)
		return true;
	if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
		return false;
512
	list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
513
514
515
516
517
518
519
520
521
522
523
		if (!ptr->is_deleted && ptr->is_domain
		    && !tomoyo_pathcmp(domainname, ptr->manager)) {
			found = true;
			break;
		}
	}
	if (found)
		return true;
	exe = tomoyo_get_exe();
	if (!exe)
		return false;
524
	list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
		if (!ptr->is_deleted && !ptr->is_domain
		    && !strcmp(exe, ptr->manager->name)) {
			found = true;
			break;
		}
	}
	if (!found) { /* Reduce error messages. */
		static pid_t last_pid;
		const pid_t pid = current->pid;
		if (last_pid != pid) {
			printk(KERN_WARNING "%s ( %s ) is not permitted to "
			       "update policies.\n", domainname->name, exe);
			last_pid = pid;
		}
	}
540
	kfree(exe);
541
542
543
544
545
546
547
548
549
550
	return found;
}

/**
 * tomoyo_is_select_one - Parse select command.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @data: String to parse.
 *
 * Returns true on success, false otherwise.
551
552
 *
 * Caller holds tomoyo_read_lock().
553
554
555
556
557
558
 */
static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
				 const char *data)
{
	unsigned int pid;
	struct tomoyo_domain_info *domain = NULL;
559
	bool global_pid = false;
560

561
562
	if (sscanf(data, "pid=%u", &pid) == 1 ||
	    (global_pid = true, sscanf(data, "global-pid=%u", &pid) == 1)) {
563
		struct task_struct *p;
564
		rcu_read_lock();
565
		read_lock(&tasklist_lock);
566
567
568
569
		if (global_pid)
			p = find_task_by_pid_ns(pid, &init_pid_ns);
		else
			p = find_task_by_vpid(pid);
570
571
572
		if (p)
			domain = tomoyo_real_domain(p);
		read_unlock(&tasklist_lock);
573
		rcu_read_unlock();
574
	} else if (!strncmp(data, "domain=", 7)) {
575
		if (tomoyo_is_domain_def(data + 7))
576
577
578
579
580
581
582
583
584
585
586
587
588
589
			domain = tomoyo_find_domain(data + 7);
	} else
		return false;
	head->write_var1 = domain;
	/* Accessing read_buf is safe because head->io_sem is held. */
	if (!head->read_buf)
		return true; /* Do nothing if open(O_WRONLY). */
	head->read_avail = 0;
	tomoyo_io_printf(head, "# select %s\n", data);
	head->read_single_domain = true;
	head->read_eof = !domain;
	if (domain) {
		struct tomoyo_domain_info *d;
		head->read_var1 = NULL;
590
		list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
591
592
593
594
595
596
597
598
599
600
601
602
603
			if (d == domain)
				break;
			head->read_var1 = &d->list;
		}
		head->read_var2 = NULL;
		head->read_bit = 0;
		head->read_step = 0;
		if (domain->is_deleted)
			tomoyo_io_printf(head, "# This is a deleted domain.\n");
	}
	return true;
}

604
605
606
607
608
609
/**
 * tomoyo_delete_domain - Delete a domain.
 *
 * @domainname: The name of domain.
 *
 * Returns 0.
610
611
 *
 * Caller holds tomoyo_read_lock().
612
613
614
615
616
617
618
619
 */
static int tomoyo_delete_domain(char *domainname)
{
	struct tomoyo_domain_info *domain;
	struct tomoyo_path_info name;

	name.name = domainname;
	tomoyo_fill_path_info(&name);
620
621
	if (mutex_lock_interruptible(&tomoyo_policy_lock))
		return 0;
622
	/* Is there an active domain? */
623
	list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
624
625
626
627
628
629
630
631
632
		/* Never delete tomoyo_kernel_domain */
		if (domain == &tomoyo_kernel_domain)
			continue;
		if (domain->is_deleted ||
		    tomoyo_pathcmp(domain->domainname, &name))
			continue;
		domain->is_deleted = true;
		break;
	}
633
	mutex_unlock(&tomoyo_policy_lock);
634
635
636
	return 0;
}

637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
/**
 * tomoyo_write_domain_policy2 - Write domain policy.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Caller holds tomoyo_read_lock().
 */
static int tomoyo_write_domain_policy2(char *data,
				       struct tomoyo_domain_info *domain,
				       const bool is_delete)
{
	if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_MOUNT))
                return tomoyo_write_mount_policy(data, domain, is_delete);
	return tomoyo_write_file_policy(data, domain, is_delete);
}

655
656
657
658
659
660
/**
 * tomoyo_write_domain_policy - Write domain policy.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0 on success, negative value otherwise.
661
662
 *
 * Caller holds tomoyo_read_lock().
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
 */
static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
{
	char *data = head->write_buf;
	struct tomoyo_domain_info *domain = head->write_var1;
	bool is_delete = false;
	bool is_select = false;
	unsigned int profile;

	if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_DELETE))
		is_delete = true;
	else if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_SELECT))
		is_select = true;
	if (is_select && tomoyo_is_select_one(head, data))
		return 0;
	/* Don't allow updating policies by non manager programs. */
	if (!tomoyo_is_policy_manager())
		return -EPERM;
	if (tomoyo_is_domain_def(data)) {
		domain = NULL;
		if (is_delete)
			tomoyo_delete_domain(data);
685
		else if (is_select)
686
			domain = tomoyo_find_domain(data);
687
		else
688
689
690
691
692
693
694
695
696
697
698
699
700
701
			domain = tomoyo_find_or_assign_new_domain(data, 0);
		head->write_var1 = domain;
		return 0;
	}
	if (!domain)
		return -EINVAL;

	if (sscanf(data, TOMOYO_KEYWORD_USE_PROFILE "%u", &profile) == 1
	    && profile < TOMOYO_MAX_PROFILES) {
		if (tomoyo_profile_ptr[profile] || !tomoyo_policy_loaded)
			domain->profile = (u8) profile;
		return 0;
	}
	if (!strcmp(data, TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ)) {
Tetsuo Handa's avatar
Tetsuo Handa committed
702
		domain->ignore_global_allow_read = !is_delete;
703
704
		return 0;
	}
705
706
707
708
709
710
711
712
	if (!strcmp(data, TOMOYO_KEYWORD_QUOTA_EXCEEDED)) {
		domain->quota_warned = !is_delete;
		return 0;
	}
	if (!strcmp(data, TOMOYO_KEYWORD_TRANSITION_FAILED)) {
		domain->transition_failed = !is_delete;
		return 0;
	}
713
	return tomoyo_write_domain_policy2(data, domain, is_delete);
714
715
716
}

/**
Tetsuo Handa's avatar
Tetsuo Handa committed
717
 * tomoyo_print_path_acl - Print a single path ACL entry.
718
719
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
Tetsuo Handa's avatar
Tetsuo Handa committed
720
 * @ptr:  Pointer to "struct tomoyo_path_acl".
721
722
723
 *
 * Returns true on success, false otherwise.
 */
Tetsuo Handa's avatar
Tetsuo Handa committed
724
725
static bool tomoyo_print_path_acl(struct tomoyo_io_buffer *head,
				  struct tomoyo_path_acl *ptr)
726
727
728
{
	int pos;
	u8 bit;
729
	const u16 perm = ptr->perm;
730

Tetsuo Handa's avatar
Tetsuo Handa committed
731
	for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_OPERATION; bit++) {
732
733
734
		if (!(perm & (1 << bit)))
			continue;
		/* Print "read/write" instead of "read" and "write". */
Tetsuo Handa's avatar
Tetsuo Handa committed
735
736
		if ((bit == TOMOYO_TYPE_READ || bit == TOMOYO_TYPE_WRITE)
		    && (perm & (1 << TOMOYO_TYPE_READ_WRITE)))
737
738
			continue;
		pos = head->read_avail;
739
740
741
742
		if (!tomoyo_io_printf(head, "allow_%s ",
				      tomoyo_path2keyword(bit)) ||
		    !tomoyo_print_name_union(head, &ptr->name) ||
		    !tomoyo_io_printf(head, "\n"))
743
744
745
746
747
748
749
750
751
752
753
			goto out;
	}
	head->read_bit = 0;
	return true;
 out:
	head->read_bit = bit;
	head->read_avail = pos;
	return false;
}

/**
Tetsuo Handa's avatar
Tetsuo Handa committed
754
 * tomoyo_print_path2_acl - Print a double path ACL entry.
755
756
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
Tetsuo Handa's avatar
Tetsuo Handa committed
757
 * @ptr:  Pointer to "struct tomoyo_path2_acl".
758
759
760
 *
 * Returns true on success, false otherwise.
 */
Tetsuo Handa's avatar
Tetsuo Handa committed
761
762
static bool tomoyo_print_path2_acl(struct tomoyo_io_buffer *head,
				   struct tomoyo_path2_acl *ptr)
763
764
765
766
767
{
	int pos;
	const u8 perm = ptr->perm;
	u8 bit;

Tetsuo Handa's avatar
Tetsuo Handa committed
768
	for (bit = head->read_bit; bit < TOMOYO_MAX_PATH2_OPERATION; bit++) {
769
770
771
		if (!(perm & (1 << bit)))
			continue;
		pos = head->read_avail;
772
773
774
775
776
		if (!tomoyo_io_printf(head, "allow_%s ",
				      tomoyo_path22keyword(bit)) ||
		    !tomoyo_print_name_union(head, &ptr->name1) ||
		    !tomoyo_print_name_union(head, &ptr->name2) ||
		    !tomoyo_io_printf(head, "\n"))
777
778
779
780
781
782
783
784
785
786
			goto out;
	}
	head->read_bit = 0;
	return true;
 out:
	head->read_bit = bit;
	head->read_avail = pos;
	return false;
}

787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
/**
 * tomoyo_print_path_number_acl - Print a path_number ACL entry.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @ptr:  Pointer to "struct tomoyo_path_number_acl".
 *
 * Returns true on success, false otherwise.
 */
static bool tomoyo_print_path_number_acl(struct tomoyo_io_buffer *head,
					 struct tomoyo_path_number_acl *ptr)
{
	int pos;
	u8 bit;
	const u8 perm = ptr->perm;
	for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_NUMBER_OPERATION;
	     bit++) {
		if (!(perm & (1 << bit)))
			continue;
		pos = head->read_avail;
		if (!tomoyo_io_printf(head, "allow_%s",
				      tomoyo_path_number2keyword(bit)) ||
		    !tomoyo_print_name_union(head, &ptr->name) ||
		    !tomoyo_print_number_union(head, &ptr->number) ||
		    !tomoyo_io_printf(head, "\n"))
			goto out;
	}
	head->read_bit = 0;
	return true;
 out:
	head->read_bit = bit;
	head->read_avail = pos;
	return false;
}

/**
 * tomoyo_print_path_number3_acl - Print a path_number3 ACL entry.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @ptr:  Pointer to "struct tomoyo_path_number3_acl".
 *
 * Returns true on success, false otherwise.
 */
static bool tomoyo_print_path_number3_acl(struct tomoyo_io_buffer *head,
					  struct tomoyo_path_number3_acl *ptr)
{
	int pos;
	u8 bit;
	const u16 perm = ptr->perm;
	for (bit = head->read_bit; bit < TOMOYO_MAX_PATH_NUMBER3_OPERATION;
	     bit++) {
		if (!(perm & (1 << bit)))
			continue;
		pos = head->read_avail;
		if (!tomoyo_io_printf(head, "allow_%s",
				      tomoyo_path_number32keyword(bit)) ||
		    !tomoyo_print_name_union(head, &ptr->name) ||
		    !tomoyo_print_number_union(head, &ptr->mode) ||
		    !tomoyo_print_number_union(head, &ptr->major) ||
		    !tomoyo_print_number_union(head, &ptr->minor) ||
		    !tomoyo_io_printf(head, "\n"))
			goto out;
	}
	head->read_bit = 0;
	return true;
 out:
	head->read_bit = bit;
	head->read_avail = pos;
	return false;
}

Tetsuo Handa's avatar
Tetsuo Handa committed
857
858
859
860
861
862
863
864
865
866
867
868
/**
 * tomoyo_print_mount_acl - Print a mount ACL entry.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @ptr:  Pointer to "struct tomoyo_mount_acl".
 *
 * Returns true on success, false otherwise.
 */
static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head,
				   struct tomoyo_mount_acl *ptr)
{
	const int pos = head->read_avail;
869
870
	if (ptr->is_deleted)
		return true;
Tetsuo Handa's avatar
Tetsuo Handa committed
871
872
873
874
875
876
877
878
879
880
881
882
	if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) ||
	    !tomoyo_print_name_union(head, &ptr->dev_name) ||
	    !tomoyo_print_name_union(head, &ptr->dir_name) ||
	    !tomoyo_print_name_union(head, &ptr->fs_type) ||
	    !tomoyo_print_number_union(head, &ptr->flags) ||
	    !tomoyo_io_printf(head, "\n")) {
		head->read_avail = pos;
		return false;
	}
	return true;
}

883
884
885
886
887
888
889
890
891
892
893
/**
 * tomoyo_print_entry - Print an ACL entry.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 * @ptr:  Pointer to an ACL entry.
 *
 * Returns true on success, false otherwise.
 */
static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
			       struct tomoyo_acl_info *ptr)
{
Tetsuo Handa's avatar
Tetsuo Handa committed
894
	const u8 acl_type = ptr->type;
895

Tetsuo Handa's avatar
Tetsuo Handa committed
896
897
898
899
	if (acl_type == TOMOYO_TYPE_PATH_ACL) {
		struct tomoyo_path_acl *acl
			= container_of(ptr, struct tomoyo_path_acl, head);
		return tomoyo_print_path_acl(head, acl);
900
	}
Tetsuo Handa's avatar
Tetsuo Handa committed
901
902
903
904
	if (acl_type == TOMOYO_TYPE_PATH2_ACL) {
		struct tomoyo_path2_acl *acl
			= container_of(ptr, struct tomoyo_path2_acl, head);
		return tomoyo_print_path2_acl(head, acl);
905
	}
906
907
908
909
910
911
912
913
914
915
916
917
	if (acl_type == TOMOYO_TYPE_PATH_NUMBER_ACL) {
		struct tomoyo_path_number_acl *acl
			= container_of(ptr, struct tomoyo_path_number_acl,
				       head);
		return tomoyo_print_path_number_acl(head, acl);
	}
	if (acl_type == TOMOYO_TYPE_PATH_NUMBER3_ACL) {
		struct tomoyo_path_number3_acl *acl
			= container_of(ptr, struct tomoyo_path_number3_acl,
				       head);
		return tomoyo_print_path_number3_acl(head, acl);
	}
Tetsuo Handa's avatar
Tetsuo Handa committed
918
919
920
921
922
	if (acl_type == TOMOYO_TYPE_MOUNT_ACL) {
		struct tomoyo_mount_acl *acl
			= container_of(ptr, struct tomoyo_mount_acl, head);
		return tomoyo_print_mount_acl(head, acl);
	}
923
924
925
926
927
928
929
930
931
932
	BUG(); /* This must not happen. */
	return false;
}

/**
 * tomoyo_read_domain_policy - Read domain policy.
 *
 * @head: Pointer to "struct tomoyo_io_buffer".
 *
 * Returns 0.
933
934
 *
 * Caller holds tomoyo_read_lock().
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
 */
static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
{
	struct list_head *dpos;
	struct list_head *apos;
	bool done = true;

	if (head->read_eof)
		return 0;
	if (head->read_step == 0)
		head->read_step = 1;
	list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
		struct tomoyo_domain_info *domain;
		const char *quota_exceeded = "";
		const char *transition_failed = "";
		const char *ignore_global_allow_read = "";
		domain = list_entry(dpos, struct tomoyo_domain_info, list);
		if (head->read_step != 1)
			goto acl_loop;
		if (domain->is_deleted && !head->read_single_domain)
			continue;
		/* Print domainname and flags. */
		if (domain->quota_warned)
			quota_exceeded = "quota_exceeded\n";
Tetsuo Handa's avatar
Tetsuo Handa committed
959
		if (domain->transition_failed)
960
			transition_failed = "transition_failed\n";
Tetsuo Handa's avatar
Tetsuo Handa committed
961
		if (domain->ignore_global_allow_read)
962
963
			ignore_global_allow_read
				= TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "\n";
Tetsuo Handa's avatar
Tetsuo Handa committed
964
965
966
967
968
969
970
		done = tomoyo_io_printf(head, "%s\n" TOMOYO_KEYWORD_USE_PROFILE
					"%u\n%s%s%s\n",
					domain->domainname->name,
					domain->profile, quota_exceeded,
					transition_failed,
					ignore_global_allow_read);
		if (!done)
971
972
973
974
975
976
977
			break;
		head->read_step = 2;
acl_loop:
		if (head->read_step == 3)
			goto tail_mark;
		/* Print ACL entries in the domain. */
		list_for_each_cookie(apos, head->read_var2,
Tetsuo Handa's avatar
Tetsuo Handa committed
978
				     &domain->acl_info_list) {
979
980
			struct tomoyo_acl_info *ptr
				= list_entry(apos, struct tomoyo_acl_info,
Tetsuo Handa's avatar
Tetsuo Handa committed
981
982
983
					     list);
			done = tomoyo_print_entry(head, ptr);
			if (!done)
984
985
986
987
988
989
				break;
		}
		if (!done)
			break;
		head->read_step = 3;
tail_mark:
Tetsuo Handa's avatar
Tetsuo Handa committed
990
991
		done = tomoyo_io_printf(head, "\n");
		if (!done)
992
993
994
995
996
997
998
999
1000
			break;
		head->read_step = 1;
		if (head->read_single_domain)
			break;
	}
	head->read_eof = done;
	return 0;
}