/security/tomoyo/common.h
C Header | 757 lines | 313 code | 61 blank | 383 comment | 10 complexity | cc9e479717d0f698325b3a7bb5b0de16 MD5 | raw file
Possible License(s): CC-BY-SA-3.0, GPL-2.0, LGPL-2.0, AGPL-1.0
1/*
2 * security/tomoyo/common.h
3 *
4 * Header file for TOMOYO.
5 *
6 * Copyright (C) 2005-2010 NTT DATA CORPORATION
7 */
8
9#ifndef _SECURITY_TOMOYO_COMMON_H
10#define _SECURITY_TOMOYO_COMMON_H
11
12#include <linux/ctype.h>
13#include <linux/string.h>
14#include <linux/mm.h>
15#include <linux/file.h>
16#include <linux/kmod.h>
17#include <linux/fs.h>
18#include <linux/sched.h>
19#include <linux/namei.h>
20#include <linux/mount.h>
21#include <linux/list.h>
22#include <linux/cred.h>
23struct linux_binprm;
24
25/********** Constants definitions. **********/
26
27/*
28 * TOMOYO uses this hash only when appending a string into the string
29 * table. Frequency of appending strings is very low. So we don't need
30 * large (e.g. 64k) hash size. 256 will be sufficient.
31 */
32#define TOMOYO_HASH_BITS 8
33#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
34
35/*
36 * This is the max length of a token.
37 *
38 * A token consists of only ASCII printable characters.
39 * Non printable characters in a token is represented in \ooo style
40 * octal string. Thus, \ itself is represented as \\.
41 */
42#define TOMOYO_MAX_PATHNAME_LEN 4000
43
44/* Profile number is an integer between 0 and 255. */
45#define TOMOYO_MAX_PROFILES 256
46
47/* Keywords for ACLs. */
48#define TOMOYO_KEYWORD_ALIAS "alias "
49#define TOMOYO_KEYWORD_ALLOW_READ "allow_read "
50#define TOMOYO_KEYWORD_DELETE "delete "
51#define TOMOYO_KEYWORD_DENY_REWRITE "deny_rewrite "
52#define TOMOYO_KEYWORD_FILE_PATTERN "file_pattern "
53#define TOMOYO_KEYWORD_INITIALIZE_DOMAIN "initialize_domain "
54#define TOMOYO_KEYWORD_KEEP_DOMAIN "keep_domain "
55#define TOMOYO_KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain "
56#define TOMOYO_KEYWORD_NO_KEEP_DOMAIN "no_keep_domain "
57#define TOMOYO_KEYWORD_SELECT "select "
58#define TOMOYO_KEYWORD_USE_PROFILE "use_profile "
59#define TOMOYO_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read"
60/* A domain definition starts with <kernel>. */
61#define TOMOYO_ROOT_NAME "<kernel>"
62#define TOMOYO_ROOT_NAME_LEN (sizeof(TOMOYO_ROOT_NAME) - 1)
63
64/* Index numbers for Access Controls. */
65enum tomoyo_mac_index {
66 TOMOYO_MAC_FOR_FILE, /* domain_policy.conf */
67 TOMOYO_MAX_ACCEPT_ENTRY,
68 TOMOYO_VERBOSE,
69 TOMOYO_MAX_CONTROL_INDEX
70};
71
72/* Index numbers for Access Controls. */
73enum tomoyo_acl_entry_type_index {
74 TOMOYO_TYPE_PATH_ACL,
75 TOMOYO_TYPE_PATH2_ACL,
76};
77
78/* Index numbers for File Controls. */
79
80/*
81 * TYPE_READ_WRITE_ACL is special. TYPE_READ_WRITE_ACL is automatically set
82 * if both TYPE_READ_ACL and TYPE_WRITE_ACL are set. Both TYPE_READ_ACL and
83 * TYPE_WRITE_ACL are automatically set if TYPE_READ_WRITE_ACL is set.
84 * TYPE_READ_WRITE_ACL is automatically cleared if either TYPE_READ_ACL or
85 * TYPE_WRITE_ACL is cleared. Both TYPE_READ_ACL and TYPE_WRITE_ACL are
86 * automatically cleared if TYPE_READ_WRITE_ACL is cleared.
87 */
88
89enum tomoyo_path_acl_index {
90 TOMOYO_TYPE_READ_WRITE,
91 TOMOYO_TYPE_EXECUTE,
92 TOMOYO_TYPE_READ,
93 TOMOYO_TYPE_WRITE,
94 TOMOYO_TYPE_CREATE,
95 TOMOYO_TYPE_UNLINK,
96 TOMOYO_TYPE_MKDIR,
97 TOMOYO_TYPE_RMDIR,
98 TOMOYO_TYPE_MKFIFO,
99 TOMOYO_TYPE_MKSOCK,
100 TOMOYO_TYPE_MKBLOCK,
101 TOMOYO_TYPE_MKCHAR,
102 TOMOYO_TYPE_TRUNCATE,
103 TOMOYO_TYPE_SYMLINK,
104 TOMOYO_TYPE_REWRITE,
105 TOMOYO_TYPE_IOCTL,
106 TOMOYO_TYPE_CHMOD,
107 TOMOYO_TYPE_CHOWN,
108 TOMOYO_TYPE_CHGRP,
109 TOMOYO_TYPE_CHROOT,
110 TOMOYO_TYPE_MOUNT,
111 TOMOYO_TYPE_UMOUNT,
112 TOMOYO_MAX_PATH_OPERATION
113};
114
115enum tomoyo_path2_acl_index {
116 TOMOYO_TYPE_LINK,
117 TOMOYO_TYPE_RENAME,
118 TOMOYO_TYPE_PIVOT_ROOT,
119 TOMOYO_MAX_PATH2_OPERATION
120};
121
122enum tomoyo_securityfs_interface_index {
123 TOMOYO_DOMAINPOLICY,
124 TOMOYO_EXCEPTIONPOLICY,
125 TOMOYO_DOMAIN_STATUS,
126 TOMOYO_PROCESS_STATUS,
127 TOMOYO_MEMINFO,
128 TOMOYO_SELFDOMAIN,
129 TOMOYO_VERSION,
130 TOMOYO_PROFILE,
131 TOMOYO_MANAGER
132};
133
134/********** Structure definitions. **********/
135
136/*
137 * tomoyo_page_buffer is a structure which is used for holding a pathname
138 * obtained from "struct dentry" and "struct vfsmount" pair.
139 * As of now, it is 4096 bytes. If users complain that 4096 bytes is too small
140 * (because TOMOYO escapes non ASCII printable characters using \ooo format),
141 * we will make the buffer larger.
142 */
143struct tomoyo_page_buffer {
144 char buffer[4096];
145};
146
147/*
148 * tomoyo_path_info is a structure which is used for holding a string data
149 * used by TOMOYO.
150 * This structure has several fields for supporting pattern matching.
151 *
152 * (1) "name" is the '\0' terminated string data.
153 * (2) "hash" is full_name_hash(name, strlen(name)).
154 * This allows tomoyo_pathcmp() to compare by hash before actually compare
155 * using strcmp().
156 * (3) "const_len" is the length of the initial segment of "name" which
157 * consists entirely of non wildcard characters. In other words, the length
158 * which we can compare two strings using strncmp().
159 * (4) "is_dir" is a bool which is true if "name" ends with "/",
160 * false otherwise.
161 * TOMOYO distinguishes directory and non-directory. A directory ends with
162 * "/" and non-directory does not end with "/".
163 * (5) "is_patterned" is a bool which is true if "name" contains wildcard
164 * characters, false otherwise. This allows TOMOYO to use "hash" and
165 * strcmp() for string comparison if "is_patterned" is false.
166 */
167struct tomoyo_path_info {
168 const char *name;
169 u32 hash; /* = full_name_hash(name, strlen(name)) */
170 u16 const_len; /* = tomoyo_const_part_length(name) */
171 bool is_dir; /* = tomoyo_strendswith(name, "/") */
172 bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
173};
174
175/*
176 * tomoyo_name_entry is a structure which is used for linking
177 * "struct tomoyo_path_info" into tomoyo_name_list .
178 */
179struct tomoyo_name_entry {
180 struct list_head list;
181 atomic_t users;
182 struct tomoyo_path_info entry;
183};
184
185/*
186 * tomoyo_path_info_with_data is a structure which is used for holding a
187 * pathname obtained from "struct dentry" and "struct vfsmount" pair.
188 *
189 * "struct tomoyo_path_info_with_data" consists of "struct tomoyo_path_info"
190 * and buffer for the pathname, while "struct tomoyo_page_buffer" consists of
191 * buffer for the pathname only.
192 *
193 * "struct tomoyo_path_info_with_data" is intended to allow TOMOYO to release
194 * both "struct tomoyo_path_info" and buffer for the pathname by single kfree()
195 * so that we don't need to return two pointers to the caller. If the caller
196 * puts "struct tomoyo_path_info" on stack memory, we will be able to remove
197 * "struct tomoyo_path_info_with_data".
198 */
199struct tomoyo_path_info_with_data {
200 /* Keep "head" first, for this pointer is passed to kfree(). */
201 struct tomoyo_path_info head;
202 char barrier1[16]; /* Safeguard for overrun. */
203 char body[TOMOYO_MAX_PATHNAME_LEN];
204 char barrier2[16]; /* Safeguard for overrun. */
205};
206
207/*
208 * tomoyo_acl_info is a structure which is used for holding
209 *
210 * (1) "list" which is linked to the ->acl_info_list of
211 * "struct tomoyo_domain_info"
212 * (2) "type" which tells type of the entry (either
213 * "struct tomoyo_path_acl" or "struct tomoyo_path2_acl").
214 *
215 * Packing "struct tomoyo_acl_info" allows
216 * "struct tomoyo_path_acl" to embed "u8" + "u16" and
217 * "struct tomoyo_path2_acl" to embed "u8"
218 * without enlarging their structure size.
219 */
220struct tomoyo_acl_info {
221 struct list_head list;
222 u8 type;
223} __packed;
224
225/*
226 * tomoyo_domain_info is a structure which is used for holding permissions
227 * (e.g. "allow_read /lib/libc-2.5.so") given to each domain.
228 * It has following fields.
229 *
230 * (1) "list" which is linked to tomoyo_domain_list .
231 * (2) "acl_info_list" which is linked to "struct tomoyo_acl_info".
232 * (3) "domainname" which holds the name of the domain.
233 * (4) "profile" which remembers profile number assigned to this domain.
234 * (5) "is_deleted" is a bool which is true if this domain is marked as
235 * "deleted", false otherwise.
236 * (6) "quota_warned" is a bool which is used for suppressing warning message
237 * when learning mode learned too much entries.
238 * (7) "ignore_global_allow_read" is a bool which is true if this domain
239 * should ignore "allow_read" directive in exception policy.
240 * (8) "transition_failed" is a bool which is set to true when this domain was
241 * unable to create a new domain at tomoyo_find_next_domain() because the
242 * name of the domain to be created was too long or it could not allocate
243 * memory. If set to true, more than one process continued execve()
244 * without domain transition.
245 * (9) "users" is an atomic_t that holds how many "struct cred"->security
246 * are referring this "struct tomoyo_domain_info". If is_deleted == true
247 * and users == 0, this struct will be kfree()d upon next garbage
248 * collection.
249 *
250 * A domain's lifecycle is an analogy of files on / directory.
251 * Multiple domains with the same domainname cannot be created (as with
252 * creating files with the same filename fails with -EEXIST).
253 * If a process reached a domain, that process can reside in that domain after
254 * that domain is marked as "deleted" (as with a process can access an already
255 * open()ed file after that file was unlink()ed).
256 */
257struct tomoyo_domain_info {
258 struct list_head list;
259 struct list_head acl_info_list;
260 /* Name of this domain. Never NULL. */
261 const struct tomoyo_path_info *domainname;
262 u8 profile; /* Profile number to use. */
263 bool is_deleted; /* Delete flag. */
264 bool quota_warned; /* Quota warnning flag. */
265 bool ignore_global_allow_read; /* Ignore "allow_read" flag. */
266 bool transition_failed; /* Domain transition failed flag. */
267 atomic_t users; /* Number of referring credentials. */
268};
269
270/*
271 * tomoyo_path_acl is a structure which is used for holding an
272 * entry with one pathname operation (e.g. open(), mkdir()).
273 * It has following fields.
274 *
275 * (1) "head" which is a "struct tomoyo_acl_info".
276 * (2) "perm" which is a bitmask of permitted operations.
277 * (3) "filename" is the pathname.
278 *
279 * Directives held by this structure are "allow_read/write", "allow_execute",
280 * "allow_read", "allow_write", "allow_create", "allow_unlink", "allow_mkdir",
281 * "allow_rmdir", "allow_mkfifo", "allow_mksock", "allow_mkblock",
282 * "allow_mkchar", "allow_truncate", "allow_symlink", "allow_rewrite",
283 * "allow_chmod", "allow_chown", "allow_chgrp", "allow_chroot", "allow_mount"
284 * and "allow_unmount".
285 */
286struct tomoyo_path_acl {
287 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */
288 u8 perm_high;
289 u16 perm;
290 /* Pointer to single pathname. */
291 const struct tomoyo_path_info *filename;
292};
293
294/*
295 * tomoyo_path2_acl is a structure which is used for holding an
296 * entry with two pathnames operation (i.e. link(), rename() and pivot_root()).
297 * It has following fields.
298 *
299 * (1) "head" which is a "struct tomoyo_acl_info".
300 * (2) "perm" which is a bitmask of permitted operations.
301 * (3) "filename1" is the source/old pathname.
302 * (4) "filename2" is the destination/new pathname.
303 *
304 * Directives held by this structure are "allow_rename", "allow_link" and
305 * "allow_pivot_root".
306 */
307struct tomoyo_path2_acl {
308 struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */
309 u8 perm;
310 /* Pointer to single pathname. */
311 const struct tomoyo_path_info *filename1;
312 /* Pointer to single pathname. */
313 const struct tomoyo_path_info *filename2;
314};
315
316/*
317 * tomoyo_io_buffer is a structure which is used for reading and modifying
318 * configuration via /sys/kernel/security/tomoyo/ interface.
319 * It has many fields. ->read_var1 , ->read_var2 , ->write_var1 are used as
320 * cursors.
321 *
322 * Since the content of /sys/kernel/security/tomoyo/domain_policy is a list of
323 * "struct tomoyo_domain_info" entries and each "struct tomoyo_domain_info"
324 * entry has a list of "struct tomoyo_acl_info", we need two cursors when
325 * reading (one is for traversing tomoyo_domain_list and the other is for
326 * traversing "struct tomoyo_acl_info"->acl_info_list ).
327 *
328 * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
329 * "select ", TOMOYO seeks the cursor ->read_var1 and ->write_var1 to the
330 * domain with the domainname specified by the rest of that line (NULL is set
331 * if seek failed).
332 * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
333 * "delete ", TOMOYO deletes an entry or a domain specified by the rest of that
334 * line (->write_var1 is set to NULL if a domain was deleted).
335 * If a line written to /sys/kernel/security/tomoyo/domain_policy starts with
336 * neither "select " nor "delete ", an entry or a domain specified by that line
337 * is appended.
338 */
339struct tomoyo_io_buffer {
340 int (*read) (struct tomoyo_io_buffer *);
341 int (*write) (struct tomoyo_io_buffer *);
342 /* Exclusive lock for this structure. */
343 struct mutex io_sem;
344 /* Index returned by tomoyo_read_lock(). */
345 int reader_idx;
346 /* The position currently reading from. */
347 struct list_head *read_var1;
348 /* Extra variables for reading. */
349 struct list_head *read_var2;
350 /* The position currently writing to. */
351 struct tomoyo_domain_info *write_var1;
352 /* The step for reading. */
353 int read_step;
354 /* Buffer for reading. */
355 char *read_buf;
356 /* EOF flag for reading. */
357 bool read_eof;
358 /* Read domain ACL of specified PID? */
359 bool read_single_domain;
360 /* Extra variable for reading. */
361 u8 read_bit;
362 /* Bytes available for reading. */
363 int read_avail;
364 /* Size of read buffer. */
365 int readbuf_size;
366 /* Buffer for writing. */
367 char *write_buf;
368 /* Bytes available for writing. */
369 int write_avail;
370 /* Size of write buffer. */
371 int writebuf_size;
372};
373
374/*
375 * tomoyo_globally_readable_file_entry is a structure which is used for holding
376 * "allow_read" entries.
377 * It has following fields.
378 *
379 * (1) "list" which is linked to tomoyo_globally_readable_list .
380 * (2) "filename" is a pathname which is allowed to open(O_RDONLY).
381 * (3) "is_deleted" is a bool which is true if marked as deleted, false
382 * otherwise.
383 */
384struct tomoyo_globally_readable_file_entry {
385 struct list_head list;
386 const struct tomoyo_path_info *filename;
387 bool is_deleted;
388};
389
390/*
391 * tomoyo_pattern_entry is a structure which is used for holding
392 * "tomoyo_pattern_list" entries.
393 * It has following fields.
394 *
395 * (1) "list" which is linked to tomoyo_pattern_list .
396 * (2) "pattern" is a pathname pattern which is used for converting pathnames
397 * to pathname patterns during learning mode.
398 * (3) "is_deleted" is a bool which is true if marked as deleted, false
399 * otherwise.
400 */
401struct tomoyo_pattern_entry {
402 struct list_head list;
403 const struct tomoyo_path_info *pattern;
404 bool is_deleted;
405};
406
407/*
408 * tomoyo_no_rewrite_entry is a structure which is used for holding
409 * "deny_rewrite" entries.
410 * It has following fields.
411 *
412 * (1) "list" which is linked to tomoyo_no_rewrite_list .
413 * (2) "pattern" is a pathname which is by default not permitted to modify
414 * already existing content.
415 * (3) "is_deleted" is a bool which is true if marked as deleted, false
416 * otherwise.
417 */
418struct tomoyo_no_rewrite_entry {
419 struct list_head list;
420 const struct tomoyo_path_info *pattern;
421 bool is_deleted;
422};
423
424/*
425 * tomoyo_domain_initializer_entry is a structure which is used for holding
426 * "initialize_domain" and "no_initialize_domain" entries.
427 * It has following fields.
428 *
429 * (1) "list" which is linked to tomoyo_domain_initializer_list .
430 * (2) "domainname" which is "a domainname" or "the last component of a
431 * domainname". This field is NULL if "from" clause is not specified.
432 * (3) "program" which is a program's pathname.
433 * (4) "is_deleted" is a bool which is true if marked as deleted, false
434 * otherwise.
435 * (5) "is_not" is a bool which is true if "no_initialize_domain", false
436 * otherwise.
437 * (6) "is_last_name" is a bool which is true if "domainname" is "the last
438 * component of a domainname", false otherwise.
439 */
440struct tomoyo_domain_initializer_entry {
441 struct list_head list;
442 const struct tomoyo_path_info *domainname; /* This may be NULL */
443 const struct tomoyo_path_info *program;
444 bool is_deleted;
445 bool is_not; /* True if this entry is "no_initialize_domain". */
446 /* True if the domainname is tomoyo_get_last_name(). */
447 bool is_last_name;
448};
449
450/*
451 * tomoyo_domain_keeper_entry is a structure which is used for holding
452 * "keep_domain" and "no_keep_domain" entries.
453 * It has following fields.
454 *
455 * (1) "list" which is linked to tomoyo_domain_keeper_list .
456 * (2) "domainname" which is "a domainname" or "the last component of a
457 * domainname".
458 * (3) "program" which is a program's pathname.
459 * This field is NULL if "from" clause is not specified.
460 * (4) "is_deleted" is a bool which is true if marked as deleted, false
461 * otherwise.
462 * (5) "is_not" is a bool which is true if "no_initialize_domain", false
463 * otherwise.
464 * (6) "is_last_name" is a bool which is true if "domainname" is "the last
465 * component of a domainname", false otherwise.
466 */
467struct tomoyo_domain_keeper_entry {
468 struct list_head list;
469 const struct tomoyo_path_info *domainname;
470 const struct tomoyo_path_info *program; /* This may be NULL */
471 bool is_deleted;
472 bool is_not; /* True if this entry is "no_keep_domain". */
473 /* True if the domainname is tomoyo_get_last_name(). */
474 bool is_last_name;
475};
476
477/*
478 * tomoyo_alias_entry is a structure which is used for holding "alias" entries.
479 * It has following fields.
480 *
481 * (1) "list" which is linked to tomoyo_alias_list .
482 * (2) "original_name" which is a dereferenced pathname.
483 * (3) "aliased_name" which is a symlink's pathname.
484 * (4) "is_deleted" is a bool which is true if marked as deleted, false
485 * otherwise.
486 */
487struct tomoyo_alias_entry {
488 struct list_head list;
489 const struct tomoyo_path_info *original_name;
490 const struct tomoyo_path_info *aliased_name;
491 bool is_deleted;
492};
493
494/*
495 * tomoyo_policy_manager_entry is a structure which is used for holding list of
496 * domainnames or programs which are permitted to modify configuration via
497 * /sys/kernel/security/tomoyo/ interface.
498 * It has following fields.
499 *
500 * (1) "list" which is linked to tomoyo_policy_manager_list .
501 * (2) "manager" is a domainname or a program's pathname.
502 * (3) "is_domain" is a bool which is true if "manager" is a domainname, false
503 * otherwise.
504 * (4) "is_deleted" is a bool which is true if marked as deleted, false
505 * otherwise.
506 */
507struct tomoyo_policy_manager_entry {
508 struct list_head list;
509 /* A path to program or a domainname. */
510 const struct tomoyo_path_info *manager;
511 bool is_domain; /* True if manager is a domainname. */
512 bool is_deleted; /* True if this entry is deleted. */
513};
514
515/********** Function prototypes. **********/
516
517/* Check whether the domain has too many ACL entries to hold. */
518bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain);
519/* Transactional sprintf() for policy dump. */
520bool tomoyo_io_printf(struct tomoyo_io_buffer *head, const char *fmt, ...)
521 __attribute__ ((format(printf, 2, 3)));
522/* Check whether the domainname is correct. */
523bool tomoyo_is_correct_domain(const unsigned char *domainname);
524/* Check whether the token is correct. */
525bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
526 const s8 pattern_type, const s8 end_type);
527/* Check whether the token can be a domainname. */
528bool tomoyo_is_domain_def(const unsigned char *buffer);
529/* Check whether the given filename matches the given pattern. */
530bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
531 const struct tomoyo_path_info *pattern);
532/* Read "alias" entry in exception policy. */
533bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head);
534/*
535 * Read "initialize_domain" and "no_initialize_domain" entry
536 * in exception policy.
537 */
538bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head);
539/* Read "keep_domain" and "no_keep_domain" entry in exception policy. */
540bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head);
541/* Read "file_pattern" entry in exception policy. */
542bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head);
543/* Read "allow_read" entry in exception policy. */
544bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head);
545/* Read "deny_rewrite" entry in exception policy. */
546bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head);
547/* Write domain policy violation warning message to console? */
548bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain);
549/* Convert double path operation to operation name. */
550const char *tomoyo_path22keyword(const u8 operation);
551/* Get the last component of the given domainname. */
552const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain);
553/* Get warning message. */
554const char *tomoyo_get_msg(const bool is_enforce);
555/* Convert single path operation to operation name. */
556const char *tomoyo_path2keyword(const u8 operation);
557/* Create "alias" entry in exception policy. */
558int tomoyo_write_alias_policy(char *data, const bool is_delete);
559/*
560 * Create "initialize_domain" and "no_initialize_domain" entry
561 * in exception policy.
562 */
563int tomoyo_write_domain_initializer_policy(char *data, const bool is_not,
564 const bool is_delete);
565/* Create "keep_domain" and "no_keep_domain" entry in exception policy. */
566int tomoyo_write_domain_keeper_policy(char *data, const bool is_not,
567 const bool is_delete);
568/*
569 * Create "allow_read/write", "allow_execute", "allow_read", "allow_write",
570 * "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir",
571 * "allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar",
572 * "allow_truncate", "allow_symlink", "allow_rewrite", "allow_rename" and
573 * "allow_link" entry in domain policy.
574 */
575int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
576 const bool is_delete);
577/* Create "allow_read" entry in exception policy. */
578int tomoyo_write_globally_readable_policy(char *data, const bool is_delete);
579/* Create "deny_rewrite" entry in exception policy. */
580int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete);
581/* Create "file_pattern" entry in exception policy. */
582int tomoyo_write_pattern_policy(char *data, const bool is_delete);
583/* Find a domain by the given name. */
584struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
585/* Find or create a domain by the given name. */
586struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
587 domainname,
588 const u8 profile);
589/* Check mode for specified functionality. */
590unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
591 const u8 index);
592/* Fill in "struct tomoyo_path_info" members. */
593void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
594/* Run policy loader when /sbin/init starts. */
595void tomoyo_load_policy(const char *filename);
596
597/* Convert binary string to ascii string. */
598int tomoyo_encode(char *buffer, int buflen, const char *str);
599
600/* Returns realpath(3) of the given pathname but ignores chroot'ed root. */
601int tomoyo_realpath_from_path2(struct path *path, char *newname,
602 int newname_len);
603
604/*
605 * Returns realpath(3) of the given pathname but ignores chroot'ed root.
606 * These functions use kzalloc(), so the caller must call kfree()
607 * if these functions didn't return NULL.
608 */
609char *tomoyo_realpath(const char *pathname);
610/*
611 * Same with tomoyo_realpath() except that it doesn't follow the final symlink.
612 */
613char *tomoyo_realpath_nofollow(const char *pathname);
614/* Same with tomoyo_realpath() except that the pathname is already solved. */
615char *tomoyo_realpath_from_path(struct path *path);
616
617/* Check memory quota. */
618bool tomoyo_memory_ok(void *ptr);
619
620/*
621 * Keep the given name on the RAM.
622 * The RAM is shared, so NEVER try to modify or kfree() the returned name.
623 */
624const struct tomoyo_path_info *tomoyo_get_name(const char *name);
625
626/* Check for memory usage. */
627int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head);
628
629/* Set memory quota. */
630int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
631
632/* Initialize realpath related code. */
633void __init tomoyo_realpath_init(void);
634int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
635 const struct tomoyo_path_info *filename);
636int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
637 struct path *path, const int flag);
638int tomoyo_path_perm(const u8 operation, struct path *path);
639int tomoyo_path2_perm(const u8 operation, struct path *path1,
640 struct path *path2);
641int tomoyo_check_rewrite_permission(struct file *filp);
642int tomoyo_find_next_domain(struct linux_binprm *bprm);
643
644/* Run garbage collector. */
645void tomoyo_run_gc(void);
646
647void tomoyo_memory_free(void *ptr);
648
649/********** External variable definitions. **********/
650
651/* Lock for GC. */
652extern struct srcu_struct tomoyo_ss;
653
654/* The list for "struct tomoyo_domain_info". */
655extern struct list_head tomoyo_domain_list;
656
657extern struct list_head tomoyo_domain_initializer_list;
658extern struct list_head tomoyo_domain_keeper_list;
659extern struct list_head tomoyo_alias_list;
660extern struct list_head tomoyo_globally_readable_list;
661extern struct list_head tomoyo_pattern_list;
662extern struct list_head tomoyo_no_rewrite_list;
663extern struct list_head tomoyo_policy_manager_list;
664extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
665extern struct mutex tomoyo_name_list_lock;
666
667/* Lock for protecting policy. */
668extern struct mutex tomoyo_policy_lock;
669
670/* Has /sbin/init started? */
671extern bool tomoyo_policy_loaded;
672
673/* The kernel's domain. */
674extern struct tomoyo_domain_info tomoyo_kernel_domain;
675
676/********** Inlined functions. **********/
677
678static inline int tomoyo_read_lock(void)
679{
680 return srcu_read_lock(&tomoyo_ss);
681}
682
683static inline void tomoyo_read_unlock(int idx)
684{
685 srcu_read_unlock(&tomoyo_ss, idx);
686}
687
688/* strcmp() for "struct tomoyo_path_info" structure. */
689static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
690 const struct tomoyo_path_info *b)
691{
692 return a->hash != b->hash || strcmp(a->name, b->name);
693}
694
695/**
696 * tomoyo_is_valid - Check whether the character is a valid char.
697 *
698 * @c: The character to check.
699 *
700 * Returns true if @c is a valid character, false otherwise.
701 */
702static inline bool tomoyo_is_valid(const unsigned char c)
703{
704 return c > ' ' && c < 127;
705}
706
707/**
708 * tomoyo_is_invalid - Check whether the character is an invalid char.
709 *
710 * @c: The character to check.
711 *
712 * Returns true if @c is an invalid character, false otherwise.
713 */
714static inline bool tomoyo_is_invalid(const unsigned char c)
715{
716 return c && (c <= ' ' || c >= 127);
717}
718
719static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
720{
721 if (name) {
722 struct tomoyo_name_entry *ptr =
723 container_of(name, struct tomoyo_name_entry, entry);
724 atomic_dec(&ptr->users);
725 }
726}
727
728static inline struct tomoyo_domain_info *tomoyo_domain(void)
729{
730 return current_cred()->security;
731}
732
733static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
734 *task)
735{
736 return task_cred_xxx(task, security);
737}
738
739/**
740 * list_for_each_cookie - iterate over a list with cookie.
741 * @pos: the &struct list_head to use as a loop cursor.
742 * @cookie: the &struct list_head to use as a cookie.
743 * @head: the head for your list.
744 *
745 * Same with list_for_each_rcu() except that this primitive uses @cookie
746 * so that we can continue iteration.
747 * @cookie must be NULL when iteration starts, and @cookie will become
748 * NULL when iteration finishes.
749 */
750#define list_for_each_cookie(pos, cookie, head) \
751 for (({ if (!cookie) \
752 cookie = head; }), \
753 pos = rcu_dereference((cookie)->next); \
754 prefetch(pos->next), pos != (head) || ((cookie) = NULL); \
755 (cookie) = pos, pos = rcu_dereference(pos->next))
756
757#endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */