TOMOYO: Add ACL group support.
1/*
2 * security/tomoyo/common.h
3 *
76bb0895 4 * Header file for TOMOYO.
9590837b 5 *
76bb0895 6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
7 */
8
9#ifndef _SECURITY_TOMOYO_COMMON_H
10#define _SECURITY_TOMOYO_COMMON_H
11
12#include <linux/ctype.h>
13#include <linux/string.h>
14#include <linux/mm.h>
15#include <linux/file.h>
16#include <linux/kmod.h>
17#include <linux/fs.h>
18#include <linux/sched.h>
19#include <linux/namei.h>
20#include <linux/mount.h>
21#include <linux/list.h>
76bb0895 22#include <linux/cred.h>
17fcfbd9 23#include <linux/poll.h>
24struct linux_binprm;
25
26/********** Constants definitions. **********/
27
/*
 * TOMOYO uses this hash only when appending a string into the string
 * table. Frequency of appending strings is very low. So we don't need
 * large (e.g. 64k) hash size. 256 will be sufficient.
 */
#define TOMOYO_HASH_BITS 8
#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)

/*
 * NOTE(review): the purpose of this size is not stated in this header; by
 * its name it is presumably a scratch buffer size used at execve() time.
 * Confirm against the users.
 */
#define TOMOYO_EXEC_TMPSIZE 4096

/* Profile number is an integer between 0 and 255. */
#define TOMOYO_MAX_PROFILES 256

/*
 * Group number is an integer between 0 and 255.
 *
 * The group number is kept in u8 fields in this header ("group" in
 * struct tomoyo_domain_info, "acl_group_index" in struct tomoyo_io_buffer).
 * A u8 holds exactly 0..255, so such a field can never reach
 * TOMOYO_MAX_ACL_GROUPS: a loop bounded by "idx < TOMOYO_MAX_ACL_GROUPS" on
 * a u8 counter would wrap and never terminate. Use a wider counter when
 * iterating over tomoyo_acl_group[].
 */
#define TOMOYO_MAX_ACL_GROUPS 256
43
/*
 * Index numbers for operation mode.
 *
 * The first four enumerators (0..3) are the modes themselves and
 * TOMOYO_CONFIG_MAX_MODE (4) is their count; it sizes tomoyo_mode[].
 * The remaining enumerators have explicit values outside that range:
 * 64 and 128 are single bits, and 255 is the largest value a u8 can hold.
 * NOTE(review): presumably the two log bits are OR-ed with a mode value in
 * the u8 config bytes of struct tomoyo_profile - confirm against the users.
 */
enum tomoyo_mode_index {
	TOMOYO_CONFIG_DISABLED,
	TOMOYO_CONFIG_LEARNING,
	TOMOYO_CONFIG_PERMISSIVE,
	TOMOYO_CONFIG_ENFORCING,
	TOMOYO_CONFIG_MAX_MODE,
	TOMOYO_CONFIG_WANT_REJECT_LOG = 64,
	TOMOYO_CONFIG_WANT_GRANT_LOG = 128,
	TOMOYO_CONFIG_USE_DEFAULT = 255,
};
55
/*
 * Index numbers for entry type.
 *
 * TOMOYO_MAX_POLICY is the number of entry types; it sizes
 * tomoyo_policy_list[], so every index used on that array must be
 * below it.
 */
enum tomoyo_policy_id {
	TOMOYO_ID_GROUP,
	TOMOYO_ID_PATH_GROUP,
	TOMOYO_ID_NUMBER_GROUP,
	TOMOYO_ID_TRANSITION_CONTROL,
	TOMOYO_ID_AGGREGATOR,
	TOMOYO_ID_MANAGER,
	TOMOYO_ID_NAME,
	TOMOYO_ID_ACL,
	TOMOYO_ID_DOMAIN,
	TOMOYO_MAX_POLICY
};
69
/*
 * Index numbers for group entries.
 *
 * TOMOYO_MAX_GROUP is the number of group kinds; it sizes
 * tomoyo_group_list[].
 */
enum tomoyo_group_id {
	TOMOYO_PATH_GROUP,
	TOMOYO_NUMBER_GROUP,
	TOMOYO_MAX_GROUP
};
76
/* A domain definition starts with <kernel>. */
#define TOMOYO_ROOT_NAME "<kernel>"
/* Length of TOMOYO_ROOT_NAME without the terminating NUL (hence the "- 1"). */
#define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1)
80
/*
 * Index numbers for type of numeric values.
 *
 * Stored per bound in value_type[] of struct tomoyo_number_union.
 * TOMOYO_VALUE_TYPE_INVALID is 0, so a zero-filled field reads as invalid.
 */
enum tomoyo_value_type {
	TOMOYO_VALUE_TYPE_INVALID,
	TOMOYO_VALUE_TYPE_DECIMAL,
	TOMOYO_VALUE_TYPE_OCTAL,
	TOMOYO_VALUE_TYPE_HEXADECIMAL,
};
4c3e9e2d 88
/*
 * Index numbers for domain transition control keywords.
 *
 * Stored in the "type" field of struct tomoyo_transition_control.
 * The enumerator order is significant (see the comment inside); the
 * reason is not stated in this header.
 */
enum tomoyo_transition_type {
	/* Do not change this order, */
	TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE,
	TOMOYO_TRANSITION_CONTROL_INITIALIZE,
	TOMOYO_TRANSITION_CONTROL_NO_KEEP,
	TOMOYO_TRANSITION_CONTROL_KEEP,
	TOMOYO_MAX_TRANSITION_TYPE
};
98
/*
 * Index numbers for Access Controls.
 *
 * Stored in the "type" field of struct tomoyo_acl_info; each value names
 * the structure that embeds that header (struct tomoyo_path_acl,
 * struct tomoyo_path2_acl, struct tomoyo_path_number_acl,
 * struct tomoyo_mkdev_acl, struct tomoyo_mount_acl).
 */
enum tomoyo_acl_entry_type_index {
	TOMOYO_TYPE_PATH_ACL,
	TOMOYO_TYPE_PATH2_ACL,
	TOMOYO_TYPE_PATH_NUMBER_ACL,
	TOMOYO_TYPE_MKDEV_ACL,
	TOMOYO_TYPE_MOUNT_ACL,
};
76bb0895 107
/*
 * Index numbers for access controls with one pathname.
 *
 * These values are bit positions in the u16 "perm" bitmask of
 * struct tomoyo_path_acl. There are 11 operations, which fit in 16 bits.
 * TOMOYO_MAX_PATH_OPERATION sizes tomoyo_path_keyword[].
 */
enum tomoyo_path_acl_index {
	TOMOYO_TYPE_EXECUTE,
	TOMOYO_TYPE_READ,
	TOMOYO_TYPE_WRITE,
	TOMOYO_TYPE_APPEND,
	TOMOYO_TYPE_UNLINK,
	TOMOYO_TYPE_GETATTR,
	TOMOYO_TYPE_RMDIR,
	TOMOYO_TYPE_TRUNCATE,
	TOMOYO_TYPE_SYMLINK,
	TOMOYO_TYPE_CHROOT,
	TOMOYO_TYPE_UMOUNT,
	TOMOYO_MAX_PATH_OPERATION
};
123
/*
 * Index numbers for memory accounting categories.
 *
 * TOMOYO_MAX_MEMORY_STAT sizes tomoyo_memory_quota[] and
 * tomoyo_memory_used[].
 */
enum tomoyo_memory_stat_type {
	TOMOYO_MEMORY_POLICY,
	TOMOYO_MEMORY_AUDIT,
	TOMOYO_MEMORY_QUERY,
	TOMOYO_MAX_MEMORY_STAT
};
130
/*
 * Index numbers for access controls that create device nodes.
 *
 * These values are bit positions in the u8 "perm" bitmask of
 * struct tomoyo_mkdev_acl. TOMOYO_MAX_MKDEV_OPERATION sizes
 * tomoyo_mkdev_keyword[] and tomoyo_pnnn2mac[].
 */
enum tomoyo_mkdev_acl_index {
	TOMOYO_TYPE_MKBLOCK,
	TOMOYO_TYPE_MKCHAR,
	TOMOYO_MAX_MKDEV_OPERATION
};
136
/*
 * Index numbers for access controls with two pathnames.
 *
 * These values are bit positions in the u8 "perm" bitmask of
 * struct tomoyo_path2_acl. TOMOYO_MAX_PATH2_OPERATION sizes
 * tomoyo_path2_keyword[] and tomoyo_pp2mac[].
 */
enum tomoyo_path2_acl_index {
	TOMOYO_TYPE_LINK,
	TOMOYO_TYPE_RENAME,
	TOMOYO_TYPE_PIVOT_ROOT,
	TOMOYO_MAX_PATH2_OPERATION
};
144
/*
 * Index numbers for access controls with one pathname and one number.
 *
 * These values are bit positions in the u8 "perm" bitmask of
 * struct tomoyo_path_number_acl. There are exactly 8 operations, so that
 * u8 is full: adding a ninth operation here requires widening "perm",
 * otherwise its bit would be silently lost.
 * TOMOYO_MAX_PATH_NUMBER_OPERATION sizes tomoyo_path_number_keyword[] and
 * tomoyo_pn2mac[].
 */
enum tomoyo_path_number_acl_index {
	TOMOYO_TYPE_CREATE,
	TOMOYO_TYPE_MKDIR,
	TOMOYO_TYPE_MKFIFO,
	TOMOYO_TYPE_MKSOCK,
	TOMOYO_TYPE_IOCTL,
	TOMOYO_TYPE_CHMOD,
	TOMOYO_TYPE_CHOWN,
	TOMOYO_TYPE_CHGRP,
	TOMOYO_MAX_PATH_NUMBER_OPERATION
};
157
/*
 * Index numbers for /sys/kernel/security/tomoyo/ interfaces.
 *
 * NOTE(review): presumably the value passed as "type" to
 * tomoyo_open_control() and kept in the "type" field of
 * struct tomoyo_io_buffer - confirm against the callers.
 */
enum tomoyo_securityfs_interface_index {
	TOMOYO_DOMAINPOLICY,
	TOMOYO_EXCEPTIONPOLICY,
	TOMOYO_DOMAIN_STATUS,
	TOMOYO_PROCESS_STATUS,
	TOMOYO_MEMINFO,
	TOMOYO_SELFDOMAIN,
	TOMOYO_AUDIT,
	TOMOYO_VERSION,
	TOMOYO_PROFILE,
	TOMOYO_QUERY,
	TOMOYO_MANAGER
};
9590837b 172
/*
 * Index numbers for special mount operations.
 *
 * Each enumerator is annotated with the mount(8) invocation it stands for.
 */
enum tomoyo_special_mount {
	TOMOYO_MOUNT_BIND,            /* mount --bind /source /dest   */
	TOMOYO_MOUNT_MOVE,            /* mount --move /old /new       */
	TOMOYO_MOUNT_REMOUNT,         /* mount -o remount /dir        */
	TOMOYO_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
	TOMOYO_MOUNT_MAKE_PRIVATE,    /* mount --make-private /dir    */
	TOMOYO_MOUNT_MAKE_SLAVE,      /* mount --make-slave /dir      */
	TOMOYO_MOUNT_MAKE_SHARED,     /* mount --make-shared /dir     */
	TOMOYO_MAX_SPECIAL_MOUNT
};
184
/*
 * Index numbers for functionality.
 *
 * One entry per mediated file operation. TOMOYO_MAX_MAC_INDEX, together
 * with TOMOYO_MAX_MAC_CATEGORY_INDEX, sizes the per-profile config[]
 * array in struct tomoyo_profile.
 */
enum tomoyo_mac_index {
	TOMOYO_MAC_FILE_EXECUTE,
	TOMOYO_MAC_FILE_OPEN,
	TOMOYO_MAC_FILE_CREATE,
	TOMOYO_MAC_FILE_UNLINK,
	TOMOYO_MAC_FILE_GETATTR,
	TOMOYO_MAC_FILE_MKDIR,
	TOMOYO_MAC_FILE_RMDIR,
	TOMOYO_MAC_FILE_MKFIFO,
	TOMOYO_MAC_FILE_MKSOCK,
	TOMOYO_MAC_FILE_TRUNCATE,
	TOMOYO_MAC_FILE_SYMLINK,
	TOMOYO_MAC_FILE_MKBLOCK,
	TOMOYO_MAC_FILE_MKCHAR,
	TOMOYO_MAC_FILE_LINK,
	TOMOYO_MAC_FILE_RENAME,
	TOMOYO_MAC_FILE_CHMOD,
	TOMOYO_MAC_FILE_CHOWN,
	TOMOYO_MAC_FILE_CHGRP,
	TOMOYO_MAC_FILE_IOCTL,
	TOMOYO_MAC_FILE_CHROOT,
	TOMOYO_MAC_FILE_MOUNT,
	TOMOYO_MAC_FILE_UMOUNT,
	TOMOYO_MAC_FILE_PIVOT_ROOT,
	TOMOYO_MAX_MAC_INDEX
};
212
/*
 * Index numbers for category of functionality.
 *
 * Only the "file" category exists here. The category count is added to
 * TOMOYO_MAX_MAC_INDEX to size config[] in struct tomoyo_profile.
 */
enum tomoyo_mac_category_index {
	TOMOYO_MAC_CATEGORY_FILE,
	TOMOYO_MAX_MAC_CATEGORY_INDEX
};
218
/*
 * Retry this request. Returned by tomoyo_supervisor() if policy violation has
 * occurred in enforcing mode and the userspace daemon decided to retry.
 *
 * We must choose a positive value in order to distinguish "granted" (which is
 * 0) and "rejected" (which is a negative value) and "retry".
 *
 * Callers therefore have three outcomes to handle: testing only "!= 0" or
 * only "< 0" folds "retry" into one of the other two.
 */
#define TOMOYO_RETRY_REQUEST 1
227
/*
 * Index numbers for profile's PREFERENCE values.
 *
 * TOMOYO_MAX_PREF sizes pref[] in struct tomoyo_profile.
 */
enum tomoyo_pref_index {
	TOMOYO_PREF_MAX_AUDIT_LOG,
	TOMOYO_PREF_MAX_LEARNING_ENTRY,
	TOMOYO_MAX_PREF
};
234
235/********** Structure definitions. **********/
236
/*
 * Common header for holding ACL entries.
 *
 * Embedded as the first member ("head") of the policy entry structures in
 * this file. The structure is __packed, so members of an enclosing
 * structure may start directly after "is_deleted" without padding.
 */
struct tomoyo_acl_head {
	struct list_head list;
	bool is_deleted; /* Entry is marked deleted but still linked. */
} __packed;
242
/*
 * Common header for shared entries.
 *
 * "users" is the reference count that tomoyo_put_name() and
 * tomoyo_put_group() decrement. The structure is __packed.
 */
struct tomoyo_shared_acl_head {
	struct list_head list;
	atomic_t users; /* Reference count. */
} __packed;
248
/*
 * Structure for request info.
 *
 * Carries one access request: the requesting domain, the operation
 * parameters (one member of the "param" union) and the decision state.
 */
struct tomoyo_request_info {
	struct tomoyo_domain_info *domain;
	/* For holding parameters. */
	union {
		struct {
			const struct tomoyo_path_info *filename;
			/* For using wildcards at tomoyo_find_next_domain(). */
			const struct tomoyo_path_info *matched_path;
			/* One of values in "enum tomoyo_path_acl_index". */
			u8 operation;
		} path;
		struct {
			const struct tomoyo_path_info *filename1;
			const struct tomoyo_path_info *filename2;
			/* One of values in "enum tomoyo_path2_acl_index". */
			u8 operation;
		} path2;
		struct {
			const struct tomoyo_path_info *filename;
			unsigned int mode;
			unsigned int major;
			unsigned int minor;
			/* One of values in "enum tomoyo_mkdev_acl_index". */
			u8 operation;
		} mkdev;
		struct {
			const struct tomoyo_path_info *filename;
			unsigned long number;
			/*
			 * One of values in
			 * "enum tomoyo_path_number_acl_index".
			 */
			u8 operation;
		} path_number;
		struct {
			const struct tomoyo_path_info *type;
			const struct tomoyo_path_info *dir;
			const struct tomoyo_path_info *dev;
			unsigned long flags;
			int need_dev;
		} mount;
	} param;
	/*
	 * NOTE(review): presumably one of "enum tomoyo_acl_entry_type_index",
	 * selecting which member of "param" is valid - confirm. Reading a
	 * different union member than the one written misinterprets the
	 * pointers stored there.
	 */
	u8 param_type;
	bool granted;
	u8 retry;
	u8 profile;
	u8 mode; /* One of tomoyo_mode_index . */
	u8 type;
};
299
/*
 * Structure for holding a token.
 *
 * All fields other than "name" are values derived from "name" (each field
 * comment gives the deriving expression; tomoyo_fill_path_info() is
 * declared in this header). tomoyo_pathcmp() trusts "hash", so the derived
 * fields must be recomputed whenever "name" changes.
 */
struct tomoyo_path_info {
	const char *name;
	u32 hash;          /* = full_name_hash(name, strlen(name)) */
	u16 const_len;     /* = tomoyo_const_part_length(name)     */
	bool is_dir;       /* = tomoyo_strendswith(name, "/")      */
	bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
};
308
/*
 * Structure for holding string data.
 *
 * A reference-counted string: tomoyo_put_name() maps a pointer to "entry"
 * back to this structure with container_of() and decrements head.users.
 */
struct tomoyo_name {
	struct tomoyo_shared_acl_head head;
	struct tomoyo_path_info entry;
};
9590837b 314
/*
 * Structure for holding a word.
 *
 * Holds either a single name or a reference to a group of names.
 */
struct tomoyo_name_union {
	/* Either @filename or @group is NULL. */
	const struct tomoyo_path_info *filename;
	struct tomoyo_group *group;
};
321
/*
 * Structure for holding a number.
 *
 * Holds two values with a value type each, or a reference to a group.
 * NOTE(review): values[0]/values[1] are presumably the lower and upper
 * bound of a range (tomoyo_number_matches_group() takes min and max) -
 * confirm against the parser.
 */
struct tomoyo_number_union {
	unsigned long values[2];
	struct tomoyo_group *group; /* Maybe NULL. */
	/* One of values in "enum tomoyo_value_type". */
	u8 value_type[2];
};
329
/*
 * Structure for "path_group"/"number_group" directive.
 *
 * A named, reference-counted group; tomoyo_put_group() decrements
 * head.users. "member_list" is the list head for the group's members.
 */
struct tomoyo_group {
	struct tomoyo_shared_acl_head head;
	const struct tomoyo_path_info *group_name;
	struct list_head member_list;
};
336
/* Structure for "path_group" directive: one pathname member of a group. */
struct tomoyo_path_group {
	struct tomoyo_acl_head head;
	const struct tomoyo_path_info *member_name;
};
342
/* Structure for "number_group" directive: one number member of a group. */
struct tomoyo_number_group {
	struct tomoyo_acl_head head;
	struct tomoyo_number_union number;
};
348
/*
 * Common header for individual entries.
 *
 * Embedded as the first member ("head") of every per-domain ACL structure
 * below; "type" tells which structure it is. The structure is __packed.
 */
struct tomoyo_acl_info {
	struct list_head list;
	bool is_deleted;
	u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */
} __packed;
355
/*
 * Structure for domain information.
 *
 * "profile" and "group" are u8, matching the documented 0..255 range of
 * TOMOYO_MAX_PROFILES and TOMOYO_MAX_ACL_GROUPS.
 */
struct tomoyo_domain_info {
	struct list_head list;
	struct list_head acl_info_list;
	/* Name of this domain. Never NULL. */
	const struct tomoyo_path_info *domainname;
	u8 profile;             /* Profile number to use. */
	u8 group;               /* Group number to use. */
	bool is_deleted;        /* Delete flag. */
	bool quota_warned;      /* Quota warning flag. */
	bool transition_failed; /* Domain transition failed flag. */
	atomic_t users;         /* Number of referring credentials. */
};
369
/*
 * Structure for "file execute", "file read", "file write", "file append",
 * "file unlink", "file getattr", "file rmdir", "file truncate",
 * "file symlink", "file chroot" and "file unmount" directive.
 */
struct tomoyo_path_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */
	u16 perm; /* Bitmask of values in "enum tomoyo_path_acl_index". */
	struct tomoyo_name_union name;
};
380
/*
 * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
 * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
 */
struct tomoyo_path_number_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_NUMBER_ACL */
	/*
	 * Bitmask of values in "enum tomoyo_path_number_acl_index".
	 * That enum has 8 operations, so all 8 bits of this u8 are in use.
	 */
	u8 perm;
	struct tomoyo_name_union name;
	struct tomoyo_number_union number;
};
392
/* Structure for "file mkblock" and "file mkchar" directive. */
struct tomoyo_mkdev_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MKDEV_ACL */
	u8 perm; /* Bitmask of values in "enum tomoyo_mkdev_acl_index". */
	struct tomoyo_name_union name;
	struct tomoyo_number_union mode;
	struct tomoyo_number_union major;
	struct tomoyo_number_union minor;
};
402
/*
 * Structure for "file rename", "file link" and "file pivot_root" directive.
 */
struct tomoyo_path2_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */
	u8 perm; /* Bitmask of values in "enum tomoyo_path2_acl_index". */
	struct tomoyo_name_union name1;
	struct tomoyo_name_union name2;
};
412
/*
 * Structure for "file mount" directive.
 *
 * Unlike the other ACL structures it has no "perm" bitmask; an entry is
 * described by device, directory, filesystem type and mount flags.
 */
struct tomoyo_mount_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MOUNT_ACL */
	struct tomoyo_name_union dev_name;
	struct tomoyo_name_union dir_name;
	struct tomoyo_name_union fs_type;
	struct tomoyo_number_union flags;
};
421
/*
 * Structure for holding a line from /sys/kernel/security/tomoyo/ interface.
 *
 * The line comes from userspace through the policy interface, so "data"
 * is untrusted text as far as the parsers that take this structure are
 * concerned.
 */
struct tomoyo_acl_param {
	char *data;             /* The line being parsed (mutable). */
	struct list_head *list; /* NOTE(review): presumably the list to update - confirm. */
	bool is_delete;         /* NOTE(review): presumably true for a delete request - confirm. */
};
428
/*
 * Number of slots in the r.w[] string queue of struct tomoyo_io_buffer.
 * The queue position r.w_pos must stay below this value when used as an
 * index into r.w[].
 */
#define TOMOYO_MAX_IO_READ_QUEUE 64
f23571e8 430
/*
 * Structure for reading/writing policy via /sys/kernel/security/tomoyo
 * interfaces.
 *
 * "r" is the read-side cursor state, "w" the write-side state. All buffer
 * sizes and "avail" counters are signed int.
 */
struct tomoyo_io_buffer {
	void (*read) (struct tomoyo_io_buffer *);
	int (*write) (struct tomoyo_io_buffer *);
	int (*poll) (struct file *file, poll_table *wait);
	/* Exclusive lock for this structure. */
	struct mutex io_sem;
	/* Index returned by tomoyo_read_lock(). */
	int reader_idx;
	/* Userspace destination; must only be accessed via the uaccess API. */
	char __user *read_user_buf;
	int read_user_buf_avail;
	struct {
		struct list_head *domain;
		struct list_head *group;
		struct list_head *acl;
		int avail;
		int step;
		int query_index;
		u16 index;
		/*
		 * u8 holds 0..255 only, so this can never equal
		 * TOMOYO_MAX_ACL_GROUPS (256); do not use it as a loop
		 * counter bounded by that constant.
		 */
		u8 acl_group_index;
		u8 bit;
		u8 w_pos;
		bool eof;
		bool print_this_domain_only;
		bool print_execute_only;
		const char *w[TOMOYO_MAX_IO_READ_QUEUE];
	} r;
	struct {
		/* The position currently writing to. */
		struct tomoyo_domain_info *domain;
		/* Bytes available for writing. */
		int avail;
	} w;
	/* Buffer for reading. */
	char *read_buf;
	/* Size of read buffer. */
	int readbuf_size;
	/* Buffer for writing. */
	char *write_buf;
	/* Size of write buffer. */
	int writebuf_size;
	/* Type of this interface. */
	u8 type;
};
478
/*
 * Structure for "initialize_domain"/"no_initialize_domain"/"keep_domain"/
 * "no_keep_domain" keyword.
 */
struct tomoyo_transition_control {
	struct tomoyo_acl_head head;
	u8 type; /* One of values in "enum tomoyo_transition_type". */
	/* True if the domainname is tomoyo_get_last_name(). */
	bool is_last_name;
	const struct tomoyo_path_info *domainname; /* Maybe NULL */
	const struct tomoyo_path_info *program;    /* Maybe NULL */
};
491
/*
 * Structure for "aggregator" keyword.
 *
 * Pairs an original name with the name it is aggregated to.
 */
struct tomoyo_aggregator {
	struct tomoyo_acl_head head;
	const struct tomoyo_path_info *original_name;
	const struct tomoyo_path_info *aggregated_name;
};
498
/*
 * Structure for policy manager.
 *
 * Identifies a manager either by program path or by domainname;
 * "is_domain" says which of the two "manager" holds.
 */
struct tomoyo_manager {
	struct tomoyo_acl_head head;
	bool is_domain; /* True if manager is a domainname. */
	/* A path to program or a domainname. */
	const struct tomoyo_path_info *manager;
};
506
/*
 * Per-profile preference values.
 * NOTE(review): the fields are undocumented in this header; the names
 * suggest a learning-mode entry limit and one verbosity flag per mode -
 * confirm against the profile parser.
 */
struct tomoyo_preference {
	unsigned int learning_max_entry;
	bool enforcing_verbose;
	bool learning_verbose;
	bool permissive_verbose;
};
513
/*
 * Structure for /sys/kernel/security/tomoyo/profile interface.
 *
 * config[] has one u8 slot per "enum tomoyo_mac_index" value plus one per
 * "enum tomoyo_mac_category_index" value; pref[] has one slot per
 * "enum tomoyo_pref_index" value.
 * NOTE(review): the three struct tomoyo_preference pointers presumably
 * point either at "preference" below or at a shared default - confirm.
 */
struct tomoyo_profile {
	const struct tomoyo_path_info *comment;
	struct tomoyo_preference *learning;
	struct tomoyo_preference *permissive;
	struct tomoyo_preference *enforcing;
	struct tomoyo_preference preference;
	u8 default_config;
	u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX];
	unsigned int pref[TOMOYO_MAX_PREF];
};
525
/*
 * Structure for representing YYYY/MM/DD hh/mm/ss.
 *
 * Broken-down time with one field per component; no timezone field.
 */
struct tomoyo_time {
	u16 year;
	u8 month;
	u8 day;
	u8 hour;
	u8 min;
	u8 sec;
};
535
536/********** Function prototypes. **********/
537
bool tomoyo_str_starts(char **src, const char *find);
const char *tomoyo_get_exe(void);
void tomoyo_normalize_line(unsigned char *buffer);
void tomoyo_check_profile(void);
int tomoyo_open_control(const u8 type, struct file *file);
int tomoyo_close_control(struct tomoyo_io_buffer *head);
int tomoyo_poll_control(struct file *file, poll_table *wait);
/*
 * The two transfer functions below take a userspace pointer and a signed
 * length. NOTE(review): a negative buffer_len has to be rejected by the
 * implementation or its callers; that check is not visible in this header.
 */
int tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
			const int buffer_len);
int tomoyo_write_control(struct tomoyo_io_buffer *head,
			 const char __user *buffer, const int buffer_len);
bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);
void tomoyo_warn_oom(const char *function);
const struct tomoyo_path_info *
tomoyo_compare_name_union(const struct tomoyo_path_info *name,
			  const struct tomoyo_name_union *ptr);
bool tomoyo_compare_number_union(const unsigned long value,
				 const struct tomoyo_number_union *ptr);
int tomoyo_get_mode(const u8 profile, const u8 index);
/* format(printf, 2, 3): the compiler checks @fmt against the arguments. */
void tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
	__attribute__ ((format(printf, 2, 3)));
bool tomoyo_correct_domain(const unsigned char *domainname);
bool tomoyo_correct_path(const char *filename);
bool tomoyo_correct_word(const char *string);
bool tomoyo_domain_def(const unsigned char *buffer);
bool tomoyo_parse_name_union(struct tomoyo_acl_param *param,
			     struct tomoyo_name_union *ptr);
const struct tomoyo_path_info *
tomoyo_path_matches_group(const struct tomoyo_path_info *pathname,
			  const struct tomoyo_group *group);
bool tomoyo_number_matches_group(const unsigned long min,
				 const unsigned long max,
				 const struct tomoyo_group *group);
bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
				 const struct tomoyo_path_info *pattern);
bool tomoyo_parse_number_union(struct tomoyo_acl_param *param,
			       struct tomoyo_number_union *ptr);
bool tomoyo_tokenize(char *buffer, char *w[], size_t size);
bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain);
int tomoyo_init_request_info(struct tomoyo_request_info *r,
			     struct tomoyo_domain_info *domain,
			     const u8 index);
int tomoyo_mount_permission(char *dev_name, struct path *path,
			    const char *type, unsigned long flags,
			    void *data_page);
int tomoyo_write_aggregator(struct tomoyo_acl_param *param);
int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
				    const u8 type);
int tomoyo_write_file(struct tomoyo_acl_param *param);
int tomoyo_write_group(struct tomoyo_acl_param *param, const u8 type);
/*
 * May return TOMOYO_RETRY_REQUEST (positive) in addition to 0 and a
 * negative value; see the comment on that constant.
 */
int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
	__attribute__ ((format(printf, 2, 3)));
struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
						const u8 profile);
struct tomoyo_profile *tomoyo_profile(const u8 profile);
struct tomoyo_group *tomoyo_get_group(struct tomoyo_acl_param *param,
				      const u8 idx);
unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
				const u8 index);
void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
void tomoyo_load_policy(const char *filename);
void tomoyo_put_number_union(struct tomoyo_number_union *ptr);
char *tomoyo_encode(const char *str);
char *tomoyo_realpath_nofollow(const char *pathname);
char *tomoyo_realpath_from_path(struct path *path);
bool tomoyo_memory_ok(void *ptr);
void *tomoyo_commit_ok(void *data, const unsigned int size);
const struct tomoyo_path_info *tomoyo_get_name(const char *name);
void tomoyo_read_memory_counter(struct tomoyo_io_buffer *head);
int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
void __init tomoyo_mm_init(void);
int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
			   const struct tomoyo_path_info *filename);
int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
				 struct path *path, const int flag);
int tomoyo_path_number_perm(const u8 operation, struct path *path,
			    unsigned long number);
int tomoyo_mkdev_perm(const u8 operation, struct path *path,
		      const unsigned int mode, unsigned int dev);
int tomoyo_path_perm(const u8 operation, struct path *path);
int tomoyo_path2_perm(const u8 operation, struct path *path1,
		      struct path *path2);
int tomoyo_find_next_domain(struct linux_binprm *bprm);
void tomoyo_print_ulong(char *buffer, const int buffer_len,
			const unsigned long value, const u8 type);
void tomoyo_put_name_union(struct tomoyo_name_union *ptr);
void tomoyo_run_gc(void);
void tomoyo_memory_free(void *ptr);
int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
			 struct tomoyo_acl_param *param,
			 bool (*check_duplicate) (const struct tomoyo_acl_info
						  *,
						  const struct tomoyo_acl_info
						  *),
			 bool (*merge_duplicate) (struct tomoyo_acl_info *,
						  struct tomoyo_acl_info *,
						  const bool));
int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
			 struct tomoyo_acl_param *param,
			 bool (*check_duplicate) (const struct tomoyo_acl_head
						  *,
						  const struct tomoyo_acl_head
						  *));
void tomoyo_check_acl(struct tomoyo_request_info *r,
		      bool (*check_entry) (struct tomoyo_request_info *,
					   const struct tomoyo_acl_info *));
char *tomoyo_read_token(struct tomoyo_acl_param *param);
bool tomoyo_permstr(const char *string, const char *keyword);

const char *tomoyo_yesno(const unsigned int value);
/*
 * NOTE(review): tomoyo_write_log2() and tomoyo_init_log() take a format
 * string plus a va_list but declare no format attribute (the va_list form
 * would be format(printf, 3, 0)), so format strings passed through them
 * are not checked by the compiler at this boundary. Callers must pass a
 * constant format, never request-derived text.
 */
void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
		       va_list args);
void tomoyo_read_log(struct tomoyo_io_buffer *head);
int tomoyo_poll_log(struct file *file, poll_table *wait);
char *tomoyo_init_log(struct tomoyo_request_info *r, int len, const char *fmt,
		      va_list args);
655
656/********** External variable definitions. **********/
657
/* Lock for GC. Taken on the read side by tomoyo_read_lock(). */
extern struct srcu_struct tomoyo_ss;

/* The list for "struct tomoyo_domain_info". */
extern struct list_head tomoyo_domain_list;

/* Policy lists, indexed by "enum tomoyo_policy_id". */
extern struct list_head tomoyo_policy_list[TOMOYO_MAX_POLICY];
/* Group lists, indexed by "enum tomoyo_group_id". */
extern struct list_head tomoyo_group_list[TOMOYO_MAX_GROUP];
/* String table buckets; TOMOYO_MAX_HASH is 1 << TOMOYO_HASH_BITS. */
extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];

/* Lock for protecting policy. */
extern struct mutex tomoyo_policy_lock;

/* Has /sbin/init started? */
extern bool tomoyo_policy_loaded;

/*
 * ACL group lists, one per group number (0..TOMOYO_MAX_ACL_GROUPS - 1).
 * The u8 "group" field of struct tomoyo_domain_info is always a valid
 * index here because a u8 cannot exceed 255.
 */
extern struct list_head tomoyo_acl_group[TOMOYO_MAX_ACL_GROUPS];

/* The kernel's domain. */
extern struct tomoyo_domain_info tomoyo_kernel_domain;

/* Keyword tables, each sized by the matching *_acl_index enum. */
extern const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
extern const char *tomoyo_mkdev_keyword[TOMOYO_MAX_MKDEV_OPERATION];
extern const char *tomoyo_path2_keyword[TOMOYO_MAX_PATH2_OPERATION];
extern const char *tomoyo_path_number_keyword[TOMOYO_MAX_PATH_NUMBER_OPERATION];

/*
 * NOTE(review): by their names and sizes these presumably map an
 * operation index to its "enum tomoyo_mac_index" value - confirm.
 */
extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];
extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];

/*
 * Sized by TOMOYO_CONFIG_MAX_MODE (4): only the four mode values are valid
 * indices. A config byte that still carries the 64/128/255 values of
 * "enum tomoyo_mode_index" is out of range for this array.
 */
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
/* Memory quota and usage, indexed by "enum tomoyo_memory_stat_type". */
extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];
extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];
17fcfbd9 691
692/********** Inlined functions. **********/
693
/**
 * tomoyo_read_lock - Take lock for protecting policy.
 *
 * Enters the SRCU read-side section on tomoyo_ss.
 *
 * Returns the index produced by srcu_read_lock(); pass it unchanged to
 * tomoyo_read_unlock().
 */
static inline int tomoyo_read_lock(void)
{
	const int idx = srcu_read_lock(&tomoyo_ss);

	return idx;
}
703
/**
 * tomoyo_read_unlock - Release lock for protecting policy.
 *
 * @idx: Index number returned by tomoyo_read_lock().
 *
 * Leaves the SRCU read-side section on tomoyo_ss. Policy pointers obtained
 * inside the section must not be used after this call.
 *
 * Returns nothing.
 */
static inline void tomoyo_read_unlock(int idx)
{
	struct srcu_struct *const ss = &tomoyo_ss;

	srcu_read_unlock(ss, idx);
}
715
/**
 * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure.
 *
 * @a: Pointer to "struct tomoyo_path_info".
 * @b: Pointer to "struct tomoyo_path_info".
 *
 * Follows the strcmp() convention, not an "equals" convention:
 * returns true if @a and @b DIFFER, false if they are the same name.
 * Callers that want equality must test !tomoyo_pathcmp(a, b); reading the
 * result the other way round inverts a policy match.
 */
static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
				  const struct tomoyo_path_info *b)
{
	/* A hash mismatch proves the names differ without comparing strings. */
	if (a->hash != b->hash)
		return true;
	/* Equal hashes may still collide, so the strings decide. */
	return strcmp(a->name, b->name) != 0;
}
729
/**
 * tomoyo_put_name - Drop reference on "struct tomoyo_name".
 *
 * @name: Pointer to "struct tomoyo_path_info". Maybe NULL.
 *
 * @name must be the "entry" member of a "struct tomoyo_name": the
 * enclosing structure is recovered with container_of(), which is only
 * valid for pointers that really point into such a structure.
 * Only the counter is decremented here; nothing is freed and the counter
 * is not checked for underflow.
 *
 * Returns nothing.
 */
static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
{
	struct tomoyo_name *ptr;

	if (!name)
		return;
	ptr = container_of(name, typeof(*ptr), entry);
	atomic_dec(&ptr->head.users);
}
9590837b 745
/**
 * tomoyo_put_group - Drop reference on "struct tomoyo_group".
 *
 * @group: Pointer to "struct tomoyo_group". Maybe NULL.
 *
 * Only the counter is decremented here; nothing is freed and the counter
 * is not checked for underflow.
 *
 * Returns nothing.
 */
static inline void tomoyo_put_group(struct tomoyo_group *group)
{
	if (!group)
		return;
	atomic_dec(&group->head.users);
}
758
/**
 * tomoyo_domain - Get "struct tomoyo_domain_info" for current thread.
 *
 * Reads the "security" pointer of the current credentials.
 *
 * Returns pointer to "struct tomoyo_domain_info" for current thread.
 */
static inline struct tomoyo_domain_info *tomoyo_domain(void)
{
	const struct cred *cred = current_cred();

	return cred->security;
}
9590837b 768
/**
 * tomoyo_real_domain - Get "struct tomoyo_domain_info" for specified thread.
 *
 * @task: Pointer to "struct task_struct".
 *
 * Reads the "security" field of @task's credentials via task_cred_xxx().
 *
 * Returns pointer to "struct tomoyo_domain_info" for specified thread.
 */
static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
							    *task)
{
	struct tomoyo_domain_info *domain = task_cred_xxx(task, security);

	return domain;
}
9590837b 781
/**
 * tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry.
 *
 * @a: Pointer to "struct tomoyo_name_union".
 * @b: Pointer to "struct tomoyo_name_union".
 *
 * Compares the two pointers held by each union by identity, not the
 * strings they point to.
 *
 * Returns true if @a == @b, false otherwise.
 */
static inline bool tomoyo_same_name_union
(const struct tomoyo_name_union *a, const struct tomoyo_name_union *b)
{
	if (a->filename != b->filename)
		return false;
	return a->group == b->group;
}
795
/**
 * tomoyo_same_number_union - Check for duplicated "struct tomoyo_number_union" entry.
 *
 * @a: Pointer to "struct tomoyo_number_union".
 * @b: Pointer to "struct tomoyo_number_union".
 *
 * All five members must match: both values, the group pointer (compared
 * by identity) and both value types.
 *
 * Returns true if @a == @b, false otherwise.
 */
static inline bool tomoyo_same_number_union
(const struct tomoyo_number_union *a, const struct tomoyo_number_union *b)
{
	if (a->values[0] != b->values[0] || a->values[1] != b->values[1])
		return false;
	if (a->group != b->group)
		return false;
	if (a->value_type[0] != b->value_type[0])
		return false;
	return a->value_type[1] == b->value_type[1];
}
811
812#if defined(CONFIG_SLOB)
813
/**
 * tomoyo_round2 - Round up to power of 2 for calculating memory usage.
 *
 * @size: Size to be rounded up.
 *
 * Returns @size.
 *
 * Since SLOB does not round up, this function simply returns @size.
 * The size_t argument is converted to the int return type, so values
 * above INT_MAX do not survive the conversion.
 */
static inline int tomoyo_round2(size_t size)
{
	return (int)size;
}
827
828#else
829
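/**
 * tomoyo_round2 - Round up to power of 2 for calculating memory usage.
 *
 * @size: Size to be rounded up.
 *
 * Returns rounded size: 0 for @size == 0, otherwise the smallest power of
 * two that is >= @size and >= the minimum bucket (32 when PAGE_SIZE is
 * 4096, else 64). Results that do not fit in the int return type saturate
 * to INT_MAX.
 *
 * Strictly speaking, SLAB may be able to allocate (e.g.) 96 bytes instead of
 * (e.g.) 128 bytes.
 */
static inline int tomoyo_round2(size_t size)
{
#if PAGE_SIZE == 4096
	size_t bsize = 32;
#else
	size_t bsize = 64;
#endif
	if (!size)
		return 0;
	while (size > bsize) {
		/*
		 * Stop before the next doubling leaves the int range.
		 * Without this bound a very large @size shifts bsize to 0
		 * and the loop never ends, and a result above INT_MAX
		 * would be mangled by the conversion to int. Saturating
		 * high keeps the memory accounting from under-counting.
		 */
		if (bsize > (size_t)INT_MAX / 2)
			return INT_MAX;
		bsize <<= 1;
	}
	return (int)bsize;
}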
853
854#endif
855
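/**
 * list_for_each_cookie - iterate over a list with cookie.
 * @pos:        the &struct list_head to use as a loop cursor.
 * @head:       the head for your list.
 *
 * @pos is the cookie: when it is NULL the walk starts at the first entry
 * of @head, otherwise it resumes from the entry @pos already points to.
 * @pos must be a modifiable lvalue and is evaluated more than once, so it
 * must not have side effects.
 *
 * The macro expands to a single for statement. It can therefore be used
 * as the body of an unbraced if/else without its start-up step being
 * split from the loop, and a following "else" cannot attach to it.
 *
 * Entries are read with srcu_dereference() against tomoyo_ss.
 * NOTE(review): callers are presumably expected to be inside
 * tomoyo_read_lock() for the whole walk - confirm at the call sites.
 */
#define list_for_each_cookie(pos, head)					\
	for ((pos) = (pos) ? (pos) :					\
		     srcu_dereference((head)->next, &tomoyo_ss);	\
	     (pos) != (head);						\
	     (pos) = srcu_dereference((pos)->next, &tomoyo_ss))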
fdb8ebb7 865
9590837b 866#endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */