123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332 |
- /*
- * security/tomoyo/common.h
- *
- * Header file for TOMOYO.
- *
- * Copyright (C) 2005-2011 NTT DATA CORPORATION
- */
- #ifndef _SECURITY_TOMOYO_COMMON_H
- #define _SECURITY_TOMOYO_COMMON_H
- #include <linux/ctype.h>
- #include <linux/string.h>
- #include <linux/mm.h>
- #include <linux/file.h>
- #include <linux/kmod.h>
- #include <linux/fs.h>
- #include <linux/sched.h>
- #include <linux/namei.h>
- #include <linux/mount.h>
- #include <linux/list.h>
- #include <linux/cred.h>
- #include <linux/poll.h>
- #include <linux/binfmts.h>
- #include <linux/highmem.h>
- #include <linux/net.h>
- #include <linux/inet.h>
- #include <linux/in.h>
- #include <linux/in6.h>
- #include <linux/un.h>
- #include <net/sock.h>
- #include <net/af_unix.h>
- #include <net/ip.h>
- #include <net/ipv6.h>
- #include <net/udp.h>
- /********** Constants definitions. **********/
- /*
- * TOMOYO uses this hash only when appending a string into the string
- * table. Frequency of appending strings is very low. So we don't need
- * large (e.g. 64k) hash size. 256 will be sufficient.
- */
- #define TOMOYO_HASH_BITS 8
- #define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
- /*
- * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
- * Therefore, we don't need SOCK_MAX.
- */
- #define TOMOYO_SOCK_MAX 6
- #define TOMOYO_EXEC_TMPSIZE 4096
- /* Garbage collector is trying to kfree() this element. */
- #define TOMOYO_GC_IN_PROGRESS -1
- /* Profile number is an integer between 0 and 255. */
- #define TOMOYO_MAX_PROFILES 256
- /* Group number is an integer between 0 and 255. */
- #define TOMOYO_MAX_ACL_GROUPS 256
- /* Index numbers for "struct tomoyo_condition". */
- enum tomoyo_conditions_index {
- TOMOYO_TASK_UID, /* current_uid() */
- TOMOYO_TASK_EUID, /* current_euid() */
- TOMOYO_TASK_SUID, /* current_suid() */
- TOMOYO_TASK_FSUID, /* current_fsuid() */
- TOMOYO_TASK_GID, /* current_gid() */
- TOMOYO_TASK_EGID, /* current_egid() */
- TOMOYO_TASK_SGID, /* current_sgid() */
- TOMOYO_TASK_FSGID, /* current_fsgid() */
- TOMOYO_TASK_PID, /* sys_getpid() */
- TOMOYO_TASK_PPID, /* sys_getppid() */
- TOMOYO_EXEC_ARGC, /* "struct linux_binprm *"->argc */
- TOMOYO_EXEC_ENVC, /* "struct linux_binprm *"->envc */
- TOMOYO_TYPE_IS_SOCKET, /* S_IFSOCK */
- TOMOYO_TYPE_IS_SYMLINK, /* S_IFLNK */
- TOMOYO_TYPE_IS_FILE, /* S_IFREG */
- TOMOYO_TYPE_IS_BLOCK_DEV, /* S_IFBLK */
- TOMOYO_TYPE_IS_DIRECTORY, /* S_IFDIR */
- TOMOYO_TYPE_IS_CHAR_DEV, /* S_IFCHR */
- TOMOYO_TYPE_IS_FIFO, /* S_IFIFO */
- TOMOYO_MODE_SETUID, /* S_ISUID */
- TOMOYO_MODE_SETGID, /* S_ISGID */
- TOMOYO_MODE_STICKY, /* S_ISVTX */
- TOMOYO_MODE_OWNER_READ, /* S_IRUSR */
- TOMOYO_MODE_OWNER_WRITE, /* S_IWUSR */
- TOMOYO_MODE_OWNER_EXECUTE, /* S_IXUSR */
- TOMOYO_MODE_GROUP_READ, /* S_IRGRP */
- TOMOYO_MODE_GROUP_WRITE, /* S_IWGRP */
- TOMOYO_MODE_GROUP_EXECUTE, /* S_IXGRP */
- TOMOYO_MODE_OTHERS_READ, /* S_IROTH */
- TOMOYO_MODE_OTHERS_WRITE, /* S_IWOTH */
- TOMOYO_MODE_OTHERS_EXECUTE, /* S_IXOTH */
- TOMOYO_EXEC_REALPATH,
- TOMOYO_SYMLINK_TARGET,
- TOMOYO_PATH1_UID,
- TOMOYO_PATH1_GID,
- TOMOYO_PATH1_INO,
- TOMOYO_PATH1_MAJOR,
- TOMOYO_PATH1_MINOR,
- TOMOYO_PATH1_PERM,
- TOMOYO_PATH1_TYPE,
- TOMOYO_PATH1_DEV_MAJOR,
- TOMOYO_PATH1_DEV_MINOR,
- TOMOYO_PATH2_UID,
- TOMOYO_PATH2_GID,
- TOMOYO_PATH2_INO,
- TOMOYO_PATH2_MAJOR,
- TOMOYO_PATH2_MINOR,
- TOMOYO_PATH2_PERM,
- TOMOYO_PATH2_TYPE,
- TOMOYO_PATH2_DEV_MAJOR,
- TOMOYO_PATH2_DEV_MINOR,
- TOMOYO_PATH1_PARENT_UID,
- TOMOYO_PATH1_PARENT_GID,
- TOMOYO_PATH1_PARENT_INO,
- TOMOYO_PATH1_PARENT_PERM,
- TOMOYO_PATH2_PARENT_UID,
- TOMOYO_PATH2_PARENT_GID,
- TOMOYO_PATH2_PARENT_INO,
- TOMOYO_PATH2_PARENT_PERM,
- TOMOYO_MAX_CONDITION_KEYWORD,
- TOMOYO_NUMBER_UNION,
- TOMOYO_NAME_UNION,
- TOMOYO_ARGV_ENTRY,
- TOMOYO_ENVP_ENTRY,
- };
- /* Index numbers for stat(). */
- enum tomoyo_path_stat_index {
- /* Do not change this order. */
- TOMOYO_PATH1,
- TOMOYO_PATH1_PARENT,
- TOMOYO_PATH2,
- TOMOYO_PATH2_PARENT,
- TOMOYO_MAX_PATH_STAT
- };
- /* Index numbers for operation mode. */
- enum tomoyo_mode_index {
- TOMOYO_CONFIG_DISABLED,
- TOMOYO_CONFIG_LEARNING,
- TOMOYO_CONFIG_PERMISSIVE,
- TOMOYO_CONFIG_ENFORCING,
- TOMOYO_CONFIG_MAX_MODE,
- TOMOYO_CONFIG_WANT_REJECT_LOG = 64,
- TOMOYO_CONFIG_WANT_GRANT_LOG = 128,
- TOMOYO_CONFIG_USE_DEFAULT = 255,
- };
- /* Index numbers for entry type. */
- enum tomoyo_policy_id {
- TOMOYO_ID_GROUP,
- TOMOYO_ID_ADDRESS_GROUP,
- TOMOYO_ID_PATH_GROUP,
- TOMOYO_ID_NUMBER_GROUP,
- TOMOYO_ID_TRANSITION_CONTROL,
- TOMOYO_ID_AGGREGATOR,
- TOMOYO_ID_MANAGER,
- TOMOYO_ID_CONDITION,
- TOMOYO_ID_NAME,
- TOMOYO_ID_ACL,
- TOMOYO_ID_DOMAIN,
- TOMOYO_MAX_POLICY
- };
- /* Index numbers for domain's attributes. */
- enum tomoyo_domain_info_flags_index {
- /* Quota warnning flag. */
- TOMOYO_DIF_QUOTA_WARNED,
- /*
- * This domain was unable to create a new domain at
- * tomoyo_find_next_domain() because the name of the domain to be
- * created was too long or it could not allocate memory.
- * More than one process continued execve() without domain transition.
- */
- TOMOYO_DIF_TRANSITION_FAILED,
- TOMOYO_MAX_DOMAIN_INFO_FLAGS
- };
- /* Index numbers for audit type. */
- enum tomoyo_grant_log {
- /* Follow profile's configuration. */
- TOMOYO_GRANTLOG_AUTO,
- /* Do not generate grant log. */
- TOMOYO_GRANTLOG_NO,
- /* Generate grant_log. */
- TOMOYO_GRANTLOG_YES,
- };
- /* Index numbers for group entries. */
- enum tomoyo_group_id {
- TOMOYO_PATH_GROUP,
- TOMOYO_NUMBER_GROUP,
- TOMOYO_ADDRESS_GROUP,
- TOMOYO_MAX_GROUP
- };
- /* Index numbers for type of numeric values. */
- enum tomoyo_value_type {
- TOMOYO_VALUE_TYPE_INVALID,
- TOMOYO_VALUE_TYPE_DECIMAL,
- TOMOYO_VALUE_TYPE_OCTAL,
- TOMOYO_VALUE_TYPE_HEXADECIMAL,
- };
- /* Index numbers for domain transition control keywords. */
- enum tomoyo_transition_type {
- /* Do not change this order, */
- TOMOYO_TRANSITION_CONTROL_NO_RESET,
- TOMOYO_TRANSITION_CONTROL_RESET,
- TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE,
- TOMOYO_TRANSITION_CONTROL_INITIALIZE,
- TOMOYO_TRANSITION_CONTROL_NO_KEEP,
- TOMOYO_TRANSITION_CONTROL_KEEP,
- TOMOYO_MAX_TRANSITION_TYPE
- };
- /* Index numbers for Access Controls. */
- enum tomoyo_acl_entry_type_index {
- TOMOYO_TYPE_PATH_ACL,
- TOMOYO_TYPE_PATH2_ACL,
- TOMOYO_TYPE_PATH_NUMBER_ACL,
- TOMOYO_TYPE_MKDEV_ACL,
- TOMOYO_TYPE_MOUNT_ACL,
- TOMOYO_TYPE_INET_ACL,
- TOMOYO_TYPE_UNIX_ACL,
- TOMOYO_TYPE_ENV_ACL,
- TOMOYO_TYPE_MANUAL_TASK_ACL,
- };
- /* Index numbers for access controls with one pathname. */
- enum tomoyo_path_acl_index {
- TOMOYO_TYPE_EXECUTE,
- TOMOYO_TYPE_READ,
- TOMOYO_TYPE_WRITE,
- TOMOYO_TYPE_APPEND,
- TOMOYO_TYPE_UNLINK,
- TOMOYO_TYPE_GETATTR,
- TOMOYO_TYPE_RMDIR,
- TOMOYO_TYPE_TRUNCATE,
- TOMOYO_TYPE_SYMLINK,
- TOMOYO_TYPE_CHROOT,
- TOMOYO_TYPE_UMOUNT,
- TOMOYO_MAX_PATH_OPERATION
- };
- /* Index numbers for /sys/kernel/security/tomoyo/stat interface. */
- enum tomoyo_memory_stat_type {
- TOMOYO_MEMORY_POLICY,
- TOMOYO_MEMORY_AUDIT,
- TOMOYO_MEMORY_QUERY,
- TOMOYO_MAX_MEMORY_STAT
- };
- enum tomoyo_mkdev_acl_index {
- TOMOYO_TYPE_MKBLOCK,
- TOMOYO_TYPE_MKCHAR,
- TOMOYO_MAX_MKDEV_OPERATION
- };
- /* Index numbers for socket operations. */
- enum tomoyo_network_acl_index {
- TOMOYO_NETWORK_BIND, /* bind() operation. */
- TOMOYO_NETWORK_LISTEN, /* listen() operation. */
- TOMOYO_NETWORK_CONNECT, /* connect() operation. */
- TOMOYO_NETWORK_SEND, /* send() operation. */
- TOMOYO_MAX_NETWORK_OPERATION
- };
- /* Index numbers for access controls with two pathnames. */
- enum tomoyo_path2_acl_index {
- TOMOYO_TYPE_LINK,
- TOMOYO_TYPE_RENAME,
- TOMOYO_TYPE_PIVOT_ROOT,
- TOMOYO_MAX_PATH2_OPERATION
- };
- /* Index numbers for access controls with one pathname and one number. */
- enum tomoyo_path_number_acl_index {
- TOMOYO_TYPE_CREATE,
- TOMOYO_TYPE_MKDIR,
- TOMOYO_TYPE_MKFIFO,
- TOMOYO_TYPE_MKSOCK,
- TOMOYO_TYPE_IOCTL,
- TOMOYO_TYPE_CHMOD,
- TOMOYO_TYPE_CHOWN,
- TOMOYO_TYPE_CHGRP,
- TOMOYO_MAX_PATH_NUMBER_OPERATION
- };
- /* Index numbers for /sys/kernel/security/tomoyo/ interfaces. */
- enum tomoyo_securityfs_interface_index {
- TOMOYO_DOMAINPOLICY,
- TOMOYO_EXCEPTIONPOLICY,
- TOMOYO_PROCESS_STATUS,
- TOMOYO_STAT,
- TOMOYO_AUDIT,
- TOMOYO_VERSION,
- TOMOYO_PROFILE,
- TOMOYO_QUERY,
- TOMOYO_MANAGER
- };
- /* Index numbers for special mount operations. */
- enum tomoyo_special_mount {
- TOMOYO_MOUNT_BIND, /* mount --bind /source /dest */
- TOMOYO_MOUNT_MOVE, /* mount --move /old /new */
- TOMOYO_MOUNT_REMOUNT, /* mount -o remount /dir */
- TOMOYO_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
- TOMOYO_MOUNT_MAKE_PRIVATE, /* mount --make-private /dir */
- TOMOYO_MOUNT_MAKE_SLAVE, /* mount --make-slave /dir */
- TOMOYO_MOUNT_MAKE_SHARED, /* mount --make-shared /dir */
- TOMOYO_MAX_SPECIAL_MOUNT
- };
- /* Index numbers for functionality. */
- enum tomoyo_mac_index {
- TOMOYO_MAC_FILE_EXECUTE,
- TOMOYO_MAC_FILE_OPEN,
- TOMOYO_MAC_FILE_CREATE,
- TOMOYO_MAC_FILE_UNLINK,
- TOMOYO_MAC_FILE_GETATTR,
- TOMOYO_MAC_FILE_MKDIR,
- TOMOYO_MAC_FILE_RMDIR,
- TOMOYO_MAC_FILE_MKFIFO,
- TOMOYO_MAC_FILE_MKSOCK,
- TOMOYO_MAC_FILE_TRUNCATE,
- TOMOYO_MAC_FILE_SYMLINK,
- TOMOYO_MAC_FILE_MKBLOCK,
- TOMOYO_MAC_FILE_MKCHAR,
- TOMOYO_MAC_FILE_LINK,
- TOMOYO_MAC_FILE_RENAME,
- TOMOYO_MAC_FILE_CHMOD,
- TOMOYO_MAC_FILE_CHOWN,
- TOMOYO_MAC_FILE_CHGRP,
- TOMOYO_MAC_FILE_IOCTL,
- TOMOYO_MAC_FILE_CHROOT,
- TOMOYO_MAC_FILE_MOUNT,
- TOMOYO_MAC_FILE_UMOUNT,
- TOMOYO_MAC_FILE_PIVOT_ROOT,
- TOMOYO_MAC_NETWORK_INET_STREAM_BIND,
- TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN,
- TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT,
- TOMOYO_MAC_NETWORK_INET_DGRAM_BIND,
- TOMOYO_MAC_NETWORK_INET_DGRAM_SEND,
- TOMOYO_MAC_NETWORK_INET_RAW_BIND,
- TOMOYO_MAC_NETWORK_INET_RAW_SEND,
- TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND,
- TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN,
- TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT,
- TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND,
- TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND,
- TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND,
- TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
- TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
- TOMOYO_MAC_ENVIRON,
- TOMOYO_MAX_MAC_INDEX
- };
- /* Index numbers for category of functionality. */
- enum tomoyo_mac_category_index {
- TOMOYO_MAC_CATEGORY_FILE,
- TOMOYO_MAC_CATEGORY_NETWORK,
- TOMOYO_MAC_CATEGORY_MISC,
- TOMOYO_MAX_MAC_CATEGORY_INDEX
- };
- /*
- * Retry this request. Returned by tomoyo_supervisor() if policy violation has
- * occurred in enforcing mode and the userspace daemon decided to retry.
- *
- * We must choose a positive value in order to distinguish "granted" (which is
- * 0) and "rejected" (which is a negative value) and "retry".
- */
- #define TOMOYO_RETRY_REQUEST 1
- /* Index numbers for /sys/kernel/security/tomoyo/stat interface. */
- enum tomoyo_policy_stat_type {
- /* Do not change this order. */
- TOMOYO_STAT_POLICY_UPDATES,
- TOMOYO_STAT_POLICY_LEARNING, /* == TOMOYO_CONFIG_LEARNING */
- TOMOYO_STAT_POLICY_PERMISSIVE, /* == TOMOYO_CONFIG_PERMISSIVE */
- TOMOYO_STAT_POLICY_ENFORCING, /* == TOMOYO_CONFIG_ENFORCING */
- TOMOYO_MAX_POLICY_STAT
- };
- /* Index numbers for profile's PREFERENCE values. */
- enum tomoyo_pref_index {
- TOMOYO_PREF_MAX_AUDIT_LOG,
- TOMOYO_PREF_MAX_LEARNING_ENTRY,
- TOMOYO_MAX_PREF
- };
- /********** Structure definitions. **********/
- /* Common header for holding ACL entries. */
- struct tomoyo_acl_head {
- struct list_head list;
- s8 is_deleted; /* true or false or TOMOYO_GC_IN_PROGRESS */
- } __packed;
- /* Common header for shared entries. */
- struct tomoyo_shared_acl_head {
- struct list_head list;
- atomic_t users;
- } __packed;
- struct tomoyo_policy_namespace;
- /* Structure for request info. */
- struct tomoyo_request_info {
- /*
- * For holding parameters specific to operations which deal files.
- * NULL if not dealing files.
- */
- struct tomoyo_obj_info *obj;
- /*
- * For holding parameters specific to execve() request.
- * NULL if not dealing do_execve().
- */
- struct tomoyo_execve *ee;
- struct tomoyo_domain_info *domain;
- /* For holding parameters. */
- union {
- struct {
- const struct tomoyo_path_info *filename;
- /* For using wildcards at tomoyo_find_next_domain(). */
- const struct tomoyo_path_info *matched_path;
- /* One of values in "enum tomoyo_path_acl_index". */
- u8 operation;
- } path;
- struct {
- const struct tomoyo_path_info *filename1;
- const struct tomoyo_path_info *filename2;
- /* One of values in "enum tomoyo_path2_acl_index". */
- u8 operation;
- } path2;
- struct {
- const struct tomoyo_path_info *filename;
- unsigned int mode;
- unsigned int major;
- unsigned int minor;
- /* One of values in "enum tomoyo_mkdev_acl_index". */
- u8 operation;
- } mkdev;
- struct {
- const struct tomoyo_path_info *filename;
- unsigned long number;
- /*
- * One of values in
- * "enum tomoyo_path_number_acl_index".
- */
- u8 operation;
- } path_number;
- struct {
- const struct tomoyo_path_info *name;
- } environ;
- struct {
- const __be32 *address;
- u16 port;
- /* One of values smaller than TOMOYO_SOCK_MAX. */
- u8 protocol;
- /* One of values in "enum tomoyo_network_acl_index". */
- u8 operation;
- bool is_ipv6;
- } inet_network;
- struct {
- const struct tomoyo_path_info *address;
- /* One of values smaller than TOMOYO_SOCK_MAX. */
- u8 protocol;
- /* One of values in "enum tomoyo_network_acl_index". */
- u8 operation;
- } unix_network;
- struct {
- const struct tomoyo_path_info *type;
- const struct tomoyo_path_info *dir;
- const struct tomoyo_path_info *dev;
- unsigned long flags;
- int need_dev;
- } mount;
- struct {
- const struct tomoyo_path_info *domainname;
- } task;
- } param;
- struct tomoyo_acl_info *matched_acl;
- u8 param_type;
- bool granted;
- u8 retry;
- u8 profile;
- u8 mode; /* One of tomoyo_mode_index . */
- u8 type;
- };
- /* Structure for holding a token. */
- struct tomoyo_path_info {
- const char *name;
- u32 hash; /* = full_name_hash(name, strlen(name)) */
- u16 const_len; /* = tomoyo_const_part_length(name) */
- bool is_dir; /* = tomoyo_strendswith(name, "/") */
- bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
- };
- /* Structure for holding string data. */
- struct tomoyo_name {
- struct tomoyo_shared_acl_head head;
- struct tomoyo_path_info entry;
- };
- /* Structure for holding a word. */
- struct tomoyo_name_union {
- /* Either @filename or @group is NULL. */
- const struct tomoyo_path_info *filename;
- struct tomoyo_group *group;
- };
- /* Structure for holding a number. */
- struct tomoyo_number_union {
- unsigned long values[2];
- struct tomoyo_group *group; /* Maybe NULL. */
- /* One of values in "enum tomoyo_value_type". */
- u8 value_type[2];
- };
- /* Structure for holding an IP address. */
- struct tomoyo_ipaddr_union {
- struct in6_addr ip[2]; /* Big endian. */
- struct tomoyo_group *group; /* Pointer to address group. */
- bool is_ipv6; /* Valid only if @group == NULL. */
- };
- /* Structure for "path_group"/"number_group"/"address_group" directive. */
- struct tomoyo_group {
- struct tomoyo_shared_acl_head head;
- const struct tomoyo_path_info *group_name;
- struct list_head member_list;
- };
- /* Structure for "path_group" directive. */
- struct tomoyo_path_group {
- struct tomoyo_acl_head head;
- const struct tomoyo_path_info *member_name;
- };
- /* Structure for "number_group" directive. */
- struct tomoyo_number_group {
- struct tomoyo_acl_head head;
- struct tomoyo_number_union number;
- };
- /* Structure for "address_group" directive. */
- struct tomoyo_address_group {
- struct tomoyo_acl_head head;
- /* Structure for holding an IP address. */
- struct tomoyo_ipaddr_union address;
- };
- /* Subset of "struct stat". Used by conditional ACL and audit logs. */
- struct tomoyo_mini_stat {
- uid_t uid;
- gid_t gid;
- ino_t ino;
- umode_t mode;
- dev_t dev;
- dev_t rdev;
- };
- /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */
- struct tomoyo_page_dump {
- struct page *page; /* Previously dumped page. */
- char *data; /* Contents of "page". Size is PAGE_SIZE. */
- };
- /* Structure for attribute checks in addition to pathname checks. */
- struct tomoyo_obj_info {
- /*
- * True if tomoyo_get_attributes() was already called, false otherwise.
- */
- bool validate_done;
- /* True if @stat[] is valid. */
- bool stat_valid[TOMOYO_MAX_PATH_STAT];
- /* First pathname. Initialized with { NULL, NULL } if no path. */
- struct path path1;
- /* Second pathname. Initialized with { NULL, NULL } if no path. */
- struct path path2;
- /*
- * Information on @path1, @path1's parent directory, @path2, @path2's
- * parent directory.
- */
- struct tomoyo_mini_stat stat[TOMOYO_MAX_PATH_STAT];
- /*
- * Content of symbolic link to be created. NULL for operations other
- * than symlink().
- */
- struct tomoyo_path_info *symlink_target;
- };
- /* Structure for argv[]. */
- struct tomoyo_argv {
- unsigned long index;
- const struct tomoyo_path_info *value;
- bool is_not;
- };
- /* Structure for envp[]. */
- struct tomoyo_envp {
- const struct tomoyo_path_info *name;
- const struct tomoyo_path_info *value;
- bool is_not;
- };
- /* Structure for execve() operation. */
- struct tomoyo_execve {
- struct tomoyo_request_info r;
- struct tomoyo_obj_info obj;
- struct linux_binprm *bprm;
- const struct tomoyo_path_info *transition;
- /* For dumping argv[] and envp[]. */
- struct tomoyo_page_dump dump;
- /* For temporary use. */
- char *tmp; /* Size is TOMOYO_EXEC_TMPSIZE bytes */
- };
- /* Structure for entries which follows "struct tomoyo_condition". */
- struct tomoyo_condition_element {
- /*
- * Left hand operand. A "struct tomoyo_argv" for TOMOYO_ARGV_ENTRY, a
- * "struct tomoyo_envp" for TOMOYO_ENVP_ENTRY is attached to the tail
- * of the array of this struct.
- */
- u8 left;
- /*
- * Right hand operand. A "struct tomoyo_number_union" for
- * TOMOYO_NUMBER_UNION, a "struct tomoyo_name_union" for
- * TOMOYO_NAME_UNION is attached to the tail of the array of this
- * struct.
- */
- u8 right;
- /* Equation operator. True if equals or overlaps, false otherwise. */
- bool equals;
- };
- /* Structure for optional arguments. */
- struct tomoyo_condition {
- struct tomoyo_shared_acl_head head;
- u32 size; /* Memory size allocated for this entry. */
- u16 condc; /* Number of conditions in this struct. */
- u16 numbers_count; /* Number of "struct tomoyo_number_union values". */
- u16 names_count; /* Number of "struct tomoyo_name_union names". */
- u16 argc; /* Number of "struct tomoyo_argv". */
- u16 envc; /* Number of "struct tomoyo_envp". */
- u8 grant_log; /* One of values in "enum tomoyo_grant_log". */
- const struct tomoyo_path_info *transit; /* Maybe NULL. */
- /*
- * struct tomoyo_condition_element condition[condc];
- * struct tomoyo_number_union values[numbers_count];
- * struct tomoyo_name_union names[names_count];
- * struct tomoyo_argv argv[argc];
- * struct tomoyo_envp envp[envc];
- */
- };
- /* Common header for individual entries. */
- struct tomoyo_acl_info {
- struct list_head list;
- struct tomoyo_condition *cond; /* Maybe NULL. */
- s8 is_deleted; /* true or false or TOMOYO_GC_IN_PROGRESS */
- u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */
- } __packed;
- /* Structure for domain information. */
- struct tomoyo_domain_info {
- struct list_head list;
- struct list_head acl_info_list;
- /* Name of this domain. Never NULL. */
- const struct tomoyo_path_info *domainname;
- /* Namespace for this domain. Never NULL. */
- struct tomoyo_policy_namespace *ns;
- u8 profile; /* Profile number to use. */
- u8 group; /* Group number to use. */
- bool is_deleted; /* Delete flag. */
- bool flags[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
- atomic_t users; /* Number of referring credentials. */
- };
- /*
- * Structure for "task manual_domain_transition" directive.
- */
- struct tomoyo_task_acl {
- struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MANUAL_TASK_ACL */
- /* Pointer to domainname. */
- const struct tomoyo_path_info *domainname;
- };
- /*
- * Structure for "file execute", "file read", "file write", "file append",
- * "file unlink", "file getattr", "file rmdir", "file truncate",
- * "file symlink", "file chroot" and "file unmount" directive.
- */
- struct tomoyo_path_acl {
- struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */
- u16 perm; /* Bitmask of values in "enum tomoyo_path_acl_index". */
- struct tomoyo_name_union name;
- };
- /*
- * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
- * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
- */
- struct tomoyo_path_number_acl {
- struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_NUMBER_ACL */
- /* Bitmask of values in "enum tomoyo_path_number_acl_index". */
- u8 perm;
- struct tomoyo_name_union name;
- struct tomoyo_number_union number;
- };
- /* Structure for "file mkblock" and "file mkchar" directive. */
- struct tomoyo_mkdev_acl {
- struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MKDEV_ACL */
- u8 perm; /* Bitmask of values in "enum tomoyo_mkdev_acl_index". */
- struct tomoyo_name_union name;
- struct tomoyo_number_union mode;
- struct tomoyo_number_union major;
- struct tomoyo_number_union minor;
- };
- /*
- * Structure for "file rename", "file link" and "file pivot_root" directive.
- */
- struct tomoyo_path2_acl {
- struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */
- u8 perm; /* Bitmask of values in "enum tomoyo_path2_acl_index". */
- struct tomoyo_name_union name1;
- struct tomoyo_name_union name2;
- };
- /* Structure for "file mount" directive. */
- struct tomoyo_mount_acl {
- struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MOUNT_ACL */
- struct tomoyo_name_union dev_name;
- struct tomoyo_name_union dir_name;
- struct tomoyo_name_union fs_type;
- struct tomoyo_number_union flags;
- };
- /* Structure for "misc env" directive in domain policy. */
- struct tomoyo_env_acl {
- struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_ENV_ACL */
- const struct tomoyo_path_info *env; /* environment variable */
- };
- /* Structure for "network inet" directive. */
- struct tomoyo_inet_acl {
- struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_INET_ACL */
- u8 protocol;
- u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
- struct tomoyo_ipaddr_union address;
- struct tomoyo_number_union port;
- };
- /* Structure for "network unix" directive. */
- struct tomoyo_unix_acl {
- struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_UNIX_ACL */
- u8 protocol;
- u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
- struct tomoyo_name_union name;
- };
- /* Structure for holding a line from /sys/kernel/security/tomoyo/ interface. */
- struct tomoyo_acl_param {
- char *data;
- struct list_head *list;
- struct tomoyo_policy_namespace *ns;
- bool is_delete;
- };
- #define TOMOYO_MAX_IO_READ_QUEUE 64
- /*
- * Structure for reading/writing policy via /sys/kernel/security/tomoyo
- * interfaces.
- */
- struct tomoyo_io_buffer {
- void (*read) (struct tomoyo_io_buffer *);
- int (*write) (struct tomoyo_io_buffer *);
- unsigned int (*poll) (struct file *file, poll_table *wait);
- /* Exclusive lock for this structure. */
- struct mutex io_sem;
- char __user *read_user_buf;
- size_t read_user_buf_avail;
- struct {
- struct list_head *ns;
- struct list_head *domain;
- struct list_head *group;
- struct list_head *acl;
- size_t avail;
- unsigned int step;
- unsigned int query_index;
- u16 index;
- u16 cond_index;
- u8 acl_group_index;
- u8 cond_step;
- u8 bit;
- u8 w_pos;
- bool eof;
- bool print_this_domain_only;
- bool print_transition_related_only;
- bool print_cond_part;
- const char *w[TOMOYO_MAX_IO_READ_QUEUE];
- } r;
- struct {
- struct tomoyo_policy_namespace *ns;
- /* The position currently writing to. */
- struct tomoyo_domain_info *domain;
- /* Bytes available for writing. */
- size_t avail;
- bool is_delete;
- } w;
- /* Buffer for reading. */
- char *read_buf;
- /* Size of read buffer. */
- size_t readbuf_size;
- /* Buffer for writing. */
- char *write_buf;
- /* Size of write buffer. */
- size_t writebuf_size;
- /* Type of this interface. */
- enum tomoyo_securityfs_interface_index type;
- /* Users counter protected by tomoyo_io_buffer_list_lock. */
- u8 users;
- /* List for telling GC not to kfree() elements. */
- struct list_head list;
- };
- /*
- * Structure for "initialize_domain"/"no_initialize_domain"/"keep_domain"/
- * "no_keep_domain" keyword.
- */
- struct tomoyo_transition_control {
- struct tomoyo_acl_head head;
- u8 type; /* One of values in "enum tomoyo_transition_type". */
- /* True if the domainname is tomoyo_get_last_name(). */
- bool is_last_name;
- const struct tomoyo_path_info *domainname; /* Maybe NULL */
- const struct tomoyo_path_info *program; /* Maybe NULL */
- };
- /* Structure for "aggregator" keyword. */
- struct tomoyo_aggregator {
- struct tomoyo_acl_head head;
- const struct tomoyo_path_info *original_name;
- const struct tomoyo_path_info *aggregated_name;
- };
- /* Structure for policy manager. */
- struct tomoyo_manager {
- struct tomoyo_acl_head head;
- bool is_domain; /* True if manager is a domainname. */
- /* A path to program or a domainname. */
- const struct tomoyo_path_info *manager;
- };
- struct tomoyo_preference {
- unsigned int learning_max_entry;
- bool enforcing_verbose;
- bool learning_verbose;
- bool permissive_verbose;
- };
- /* Structure for /sys/kernel/security/tomnoyo/profile interface. */
- struct tomoyo_profile {
- const struct tomoyo_path_info *comment;
- struct tomoyo_preference *learning;
- struct tomoyo_preference *permissive;
- struct tomoyo_preference *enforcing;
- struct tomoyo_preference preference;
- u8 default_config;
- u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX];
- unsigned int pref[TOMOYO_MAX_PREF];
- };
- /* Structure for representing YYYY/MM/DD hh/mm/ss. */
- struct tomoyo_time {
- u16 year;
- u8 month;
- u8 day;
- u8 hour;
- u8 min;
- u8 sec;
- };
- /* Structure for policy namespace. */
- struct tomoyo_policy_namespace {
- /* Profile table. Memory is allocated as needed. */
- struct tomoyo_profile *profile_ptr[TOMOYO_MAX_PROFILES];
- /* List of "struct tomoyo_group". */
- struct list_head group_list[TOMOYO_MAX_GROUP];
- /* List of policy. */
- struct list_head policy_list[TOMOYO_MAX_POLICY];
- /* The global ACL referred by "use_group" keyword. */
- struct list_head acl_group[TOMOYO_MAX_ACL_GROUPS];
- /* List for connecting to tomoyo_namespace_list list. */
- struct list_head namespace_list;
- /* Profile version. Currently only 20110903 is defined. */
- unsigned int profile_version;
- /* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */
- const char *name;
- };
- /********** Function prototypes. **********/
- bool tomoyo_address_matches_group(const bool is_ipv6, const __be32 *address,
- const struct tomoyo_group *group);
- bool tomoyo_compare_number_union(const unsigned long value,
- const struct tomoyo_number_union *ptr);
- bool tomoyo_condition(struct tomoyo_request_info *r,
- const struct tomoyo_condition *cond);
- bool tomoyo_correct_domain(const unsigned char *domainname);
- bool tomoyo_correct_path(const char *filename);
- bool tomoyo_correct_word(const char *string);
- bool tomoyo_domain_def(const unsigned char *buffer);
- bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);
- bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
- struct tomoyo_page_dump *dump);
- bool tomoyo_memory_ok(void *ptr);
- bool tomoyo_number_matches_group(const unsigned long min,
- const unsigned long max,
- const struct tomoyo_group *group);
- bool tomoyo_parse_ipaddr_union(struct tomoyo_acl_param *param,
- struct tomoyo_ipaddr_union *ptr);
- bool tomoyo_parse_name_union(struct tomoyo_acl_param *param,
- struct tomoyo_name_union *ptr);
- bool tomoyo_parse_number_union(struct tomoyo_acl_param *param,
- struct tomoyo_number_union *ptr);
- bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
- const struct tomoyo_path_info *pattern);
- bool tomoyo_permstr(const char *string, const char *keyword);
- bool tomoyo_str_starts(char **src, const char *find);
- char *tomoyo_encode(const char *str);
- char *tomoyo_encode2(const char *str, int str_len);
- char *tomoyo_init_log(struct tomoyo_request_info *r, int len, const char *fmt,
- va_list args);
- char *tomoyo_read_token(struct tomoyo_acl_param *param);
- char *tomoyo_realpath_from_path(struct path *path);
- char *tomoyo_realpath_nofollow(const char *pathname);
- const char *tomoyo_get_exe(void);
- const char *tomoyo_yesno(const unsigned int value);
- const struct tomoyo_path_info *tomoyo_compare_name_union
- (const struct tomoyo_path_info *name, const struct tomoyo_name_union *ptr);
- const struct tomoyo_path_info *tomoyo_get_domainname
- (struct tomoyo_acl_param *param);
- const struct tomoyo_path_info *tomoyo_get_name(const char *name);
- const struct tomoyo_path_info *tomoyo_path_matches_group
- (const struct tomoyo_path_info *pathname, const struct tomoyo_group *group);
- int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
- struct path *path, const int flag);
- int tomoyo_close_control(struct tomoyo_io_buffer *head);
- int tomoyo_env_perm(struct tomoyo_request_info *r, const char *env);
- int tomoyo_execute_permission(struct tomoyo_request_info *r,
- const struct tomoyo_path_info *filename);
- int tomoyo_find_next_domain(struct linux_binprm *bprm);
- int tomoyo_get_mode(const struct tomoyo_policy_namespace *ns, const u8 profile,
- const u8 index);
- int tomoyo_init_request_info(struct tomoyo_request_info *r,
- struct tomoyo_domain_info *domain,
- const u8 index);
- int tomoyo_mkdev_perm(const u8 operation, struct path *path,
- const unsigned int mode, unsigned int dev);
- int tomoyo_mount_permission(const char *dev_name, struct path *path,
- const char *type, unsigned long flags,
- void *data_page);
- int tomoyo_open_control(const u8 type, struct file *file);
- int tomoyo_path2_perm(const u8 operation, struct path *path1,
- struct path *path2);
- int tomoyo_path_number_perm(const u8 operation, struct path *path,
- unsigned long number);
- int tomoyo_path_perm(const u8 operation, struct path *path,
- const char *target);
- unsigned int tomoyo_poll_control(struct file *file, poll_table *wait);
- unsigned int tomoyo_poll_log(struct file *file, poll_table *wait);
- int tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr,
- int addr_len);
- int tomoyo_socket_connect_permission(struct socket *sock,
- struct sockaddr *addr, int addr_len);
- int tomoyo_socket_listen_permission(struct socket *sock);
- int tomoyo_socket_sendmsg_permission(struct socket *sock, struct msghdr *msg,
- int size);
- int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
- __printf(2, 3);
- int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
- struct tomoyo_acl_param *param,
- bool (*check_duplicate)
- (const struct tomoyo_acl_info *,
- const struct tomoyo_acl_info *),
- bool (*merge_duplicate)
- (struct tomoyo_acl_info *, struct tomoyo_acl_info *,
- const bool));
- int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
- struct tomoyo_acl_param *param,
- bool (*check_duplicate)
- (const struct tomoyo_acl_head *,
- const struct tomoyo_acl_head *));
- int tomoyo_write_aggregator(struct tomoyo_acl_param *param);
- int tomoyo_write_file(struct tomoyo_acl_param *param);
- int tomoyo_write_group(struct tomoyo_acl_param *param, const u8 type);
- int tomoyo_write_misc(struct tomoyo_acl_param *param);
- int tomoyo_write_inet_network(struct tomoyo_acl_param *param);
- int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
- const u8 type);
- int tomoyo_write_unix_network(struct tomoyo_acl_param *param);
- ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
- const int buffer_len);
- ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
- const char __user *buffer, const int buffer_len);
- struct tomoyo_condition *tomoyo_get_condition(struct tomoyo_acl_param *param);
- struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
- const bool transit);
- struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
- struct tomoyo_group *tomoyo_get_group(struct tomoyo_acl_param *param,
- const u8 idx);
- struct tomoyo_policy_namespace *tomoyo_assign_namespace
- (const char *domainname);
- struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns,
- const u8 profile);
- unsigned int tomoyo_check_flags(const struct tomoyo_domain_info *domain,
- const u8 index);
- u8 tomoyo_parse_ulong(unsigned long *result, char **str);
- void *tomoyo_commit_ok(void *data, const unsigned int size);
- void __init tomoyo_load_builtin_policy(void);
- void __init tomoyo_mm_init(void);
- void tomoyo_check_acl(struct tomoyo_request_info *r,
- bool (*check_entry) (struct tomoyo_request_info *,
- const struct tomoyo_acl_info *));
- void tomoyo_check_profile(void);
- void tomoyo_convert_time(time_t time, struct tomoyo_time *stamp);
- void tomoyo_del_condition(struct list_head *element);
- void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
- void tomoyo_get_attributes(struct tomoyo_obj_info *obj);
- void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns);
- void tomoyo_load_policy(const char *filename);
- void tomoyo_normalize_line(unsigned char *buffer);
- void tomoyo_notify_gc(struct tomoyo_io_buffer *head, const bool is_register);
- void tomoyo_print_ip(char *buf, const unsigned int size,
- const struct tomoyo_ipaddr_union *ptr);
- void tomoyo_print_ulong(char *buffer, const int buffer_len,
- const unsigned long value, const u8 type);
- void tomoyo_put_name_union(struct tomoyo_name_union *ptr);
- void tomoyo_put_number_union(struct tomoyo_number_union *ptr);
- void tomoyo_read_log(struct tomoyo_io_buffer *head);
- void tomoyo_update_stat(const u8 index);
- void tomoyo_warn_oom(const char *function);
- void tomoyo_write_log(struct tomoyo_request_info *r, const char *fmt, ...)
- __printf(2, 3);
- void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
- va_list args);
- /********** External variable definitions. **********/
- extern bool tomoyo_policy_loaded;
- extern const char * const tomoyo_condition_keyword
- [TOMOYO_MAX_CONDITION_KEYWORD];
- extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
- extern const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
- + TOMOYO_MAX_MAC_CATEGORY_INDEX];
- extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
- extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
- extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
- extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
- extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
- extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
- extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
- extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];
- extern struct list_head tomoyo_condition_list;
- extern struct list_head tomoyo_domain_list;
- extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
- extern struct list_head tomoyo_namespace_list;
- extern struct mutex tomoyo_policy_lock;
- extern struct srcu_struct tomoyo_ss;
- extern struct tomoyo_domain_info tomoyo_kernel_domain;
- extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
- extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];
- extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];
- /********** Inlined functions. **********/
- /**
- * tomoyo_read_lock - Take lock for protecting policy.
- *
- * Returns index number for tomoyo_read_unlock().
- */
- static inline int tomoyo_read_lock(void)
- {
- return srcu_read_lock(&tomoyo_ss);
- }
- /**
- * tomoyo_read_unlock - Release lock for protecting policy.
- *
- * @idx: Index number returned by tomoyo_read_lock().
- *
- * Returns nothing.
- */
- static inline void tomoyo_read_unlock(int idx)
- {
- srcu_read_unlock(&tomoyo_ss, idx);
- }
- /**
- * tomoyo_sys_getppid - Copy of getppid().
- *
- * Returns parent process's PID.
- *
- * Alpha does not have getppid() defined. To be able to build this module on
- * Alpha, I have to copy getppid() from kernel/timer.c.
- */
- static inline pid_t tomoyo_sys_getppid(void)
- {
- pid_t pid;
- rcu_read_lock();
- pid = task_tgid_vnr(rcu_dereference(current->real_parent));
- rcu_read_unlock();
- return pid;
- }
- /**
- * tomoyo_sys_getpid - Copy of getpid().
- *
- * Returns current thread's PID.
- *
- * Alpha does not have getpid() defined. To be able to build this module on
- * Alpha, I have to copy getpid() from kernel/timer.c.
- */
- static inline pid_t tomoyo_sys_getpid(void)
- {
- return task_tgid_vnr(current);
- }
- /**
- * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure.
- *
- * @a: Pointer to "struct tomoyo_path_info".
- * @b: Pointer to "struct tomoyo_path_info".
- *
- * Returns true if @a == @b, false otherwise.
- */
- static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
- const struct tomoyo_path_info *b)
- {
- return a->hash != b->hash || strcmp(a->name, b->name);
- }
- /**
- * tomoyo_put_name - Drop reference on "struct tomoyo_name".
- *
- * @name: Pointer to "struct tomoyo_path_info". Maybe NULL.
- *
- * Returns nothing.
- */
- static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
- {
- if (name) {
- struct tomoyo_name *ptr =
- container_of(name, typeof(*ptr), entry);
- atomic_dec(&ptr->head.users);
- }
- }
- /**
- * tomoyo_put_condition - Drop reference on "struct tomoyo_condition".
- *
- * @cond: Pointer to "struct tomoyo_condition". Maybe NULL.
- *
- * Returns nothing.
- */
- static inline void tomoyo_put_condition(struct tomoyo_condition *cond)
- {
- if (cond)
- atomic_dec(&cond->head.users);
- }
- /**
- * tomoyo_put_group - Drop reference on "struct tomoyo_group".
- *
- * @group: Pointer to "struct tomoyo_group". Maybe NULL.
- *
- * Returns nothing.
- */
- static inline void tomoyo_put_group(struct tomoyo_group *group)
- {
- if (group)
- atomic_dec(&group->head.users);
- }
- /**
- * tomoyo_domain - Get "struct tomoyo_domain_info" for current thread.
- *
- * Returns pointer to "struct tomoyo_domain_info" for current thread.
- */
- static inline struct tomoyo_domain_info *tomoyo_domain(void)
- {
- return current_cred()->security;
- }
- /**
- * tomoyo_real_domain - Get "struct tomoyo_domain_info" for specified thread.
- *
- * @task: Pointer to "struct task_struct".
- *
- * Returns pointer to "struct tomoyo_security" for specified thread.
- */
- static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct
- *task)
- {
- return task_cred_xxx(task, security);
- }
- /**
- * tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry.
- *
- * @a: Pointer to "struct tomoyo_name_union".
- * @b: Pointer to "struct tomoyo_name_union".
- *
- * Returns true if @a == @b, false otherwise.
- */
- static inline bool tomoyo_same_name_union
- (const struct tomoyo_name_union *a, const struct tomoyo_name_union *b)
- {
- return a->filename == b->filename && a->group == b->group;
- }
- /**
- * tomoyo_same_number_union - Check for duplicated "struct tomoyo_number_union" entry.
- *
- * @a: Pointer to "struct tomoyo_number_union".
- * @b: Pointer to "struct tomoyo_number_union".
- *
- * Returns true if @a == @b, false otherwise.
- */
- static inline bool tomoyo_same_number_union
- (const struct tomoyo_number_union *a, const struct tomoyo_number_union *b)
- {
- return a->values[0] == b->values[0] && a->values[1] == b->values[1] &&
- a->group == b->group && a->value_type[0] == b->value_type[0] &&
- a->value_type[1] == b->value_type[1];
- }
- /**
- * tomoyo_same_ipaddr_union - Check for duplicated "struct tomoyo_ipaddr_union" entry.
- *
- * @a: Pointer to "struct tomoyo_ipaddr_union".
- * @b: Pointer to "struct tomoyo_ipaddr_union".
- *
- * Returns true if @a == @b, false otherwise.
- */
- static inline bool tomoyo_same_ipaddr_union
- (const struct tomoyo_ipaddr_union *a, const struct tomoyo_ipaddr_union *b)
- {
- return !memcmp(a->ip, b->ip, sizeof(a->ip)) && a->group == b->group &&
- a->is_ipv6 == b->is_ipv6;
- }
- /**
- * tomoyo_current_namespace - Get "struct tomoyo_policy_namespace" for current thread.
- *
- * Returns pointer to "struct tomoyo_policy_namespace" for current thread.
- */
- static inline struct tomoyo_policy_namespace *tomoyo_current_namespace(void)
- {
- return tomoyo_domain()->ns;
- }
- #if defined(CONFIG_SLOB)
- /**
- * tomoyo_round2 - Round up to power of 2 for calculating memory usage.
- *
- * @size: Size to be rounded up.
- *
- * Returns @size.
- *
- * Since SLOB does not round up, this function simply returns @size.
- */
- static inline int tomoyo_round2(size_t size)
- {
- return size;
- }
- #else
- /**
- * tomoyo_round2 - Round up to power of 2 for calculating memory usage.
- *
- * @size: Size to be rounded up.
- *
- * Returns rounded size.
- *
- * Strictly speaking, SLAB may be able to allocate (e.g.) 96 bytes instead of
- * (e.g.) 128 bytes.
- */
- static inline int tomoyo_round2(size_t size)
- {
- #if PAGE_SIZE == 4096
- size_t bsize = 32;
- #else
- size_t bsize = 64;
- #endif
- if (!size)
- return 0;
- while (size > bsize)
- bsize <<= 1;
- return bsize;
- }
- #endif
- /**
- * list_for_each_cookie - iterate over a list with cookie.
- * @pos: the &struct list_head to use as a loop cursor.
- * @head: the head for your list.
- */
- #define list_for_each_cookie(pos, head) \
- if (!pos) \
- pos = srcu_dereference((head)->next, &tomoyo_ss); \
- for ( ; pos != (head); pos = srcu_dereference(pos->next, &tomoyo_ss))
- #endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */
|