forked from Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
940 lines
25 KiB
940 lines
25 KiB
// SPDX-License-Identifier: GPL-2.0 |
|
/* |
|
* security/tomoyo/domain.c |
|
* |
|
* Copyright (C) 2005-2011 NTT DATA CORPORATION |
|
*/ |
|
|
|
#include "common.h" |
|
|
|
#include <linux/binfmts.h> |
|
#include <linux/slab.h> |
|
#include <linux/rculist.h> |
|
|
|
/* Variables definitions.*/ |
|
|
|
/* The initial domain. */ |
|
struct tomoyo_domain_info tomoyo_kernel_domain; |
|
|
|
/** |
|
* tomoyo_update_policy - Update an entry for exception policy. |
|
* |
|
* @new_entry: Pointer to "struct tomoyo_acl_info". |
|
* @size: Size of @new_entry in bytes. |
|
* @param: Pointer to "struct tomoyo_acl_param". |
|
* @check_duplicate: Callback function to find duplicated entry. |
|
* |
|
* Returns 0 on success, negative value otherwise. |
|
* |
|
* Caller holds tomoyo_read_lock(). |
|
*/ |
|
int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size, |
|
struct tomoyo_acl_param *param, |
|
bool (*check_duplicate)(const struct tomoyo_acl_head |
|
*, |
|
const struct tomoyo_acl_head |
|
*)) |
|
{ |
|
int error = param->is_delete ? -ENOENT : -ENOMEM; |
|
struct tomoyo_acl_head *entry; |
|
struct list_head *list = param->list; |
|
|
|
if (mutex_lock_interruptible(&tomoyo_policy_lock)) |
|
return -ENOMEM; |
|
list_for_each_entry_rcu(entry, list, list, |
|
srcu_read_lock_held(&tomoyo_ss)) { |
|
if (entry->is_deleted == TOMOYO_GC_IN_PROGRESS) |
|
continue; |
|
if (!check_duplicate(entry, new_entry)) |
|
continue; |
|
entry->is_deleted = param->is_delete; |
|
error = 0; |
|
break; |
|
} |
|
if (error && !param->is_delete) { |
|
entry = tomoyo_commit_ok(new_entry, size); |
|
if (entry) { |
|
list_add_tail_rcu(&entry->list, list); |
|
error = 0; |
|
} |
|
} |
|
mutex_unlock(&tomoyo_policy_lock); |
|
return error; |
|
} |
|
|
|
/** |
|
* tomoyo_same_acl_head - Check for duplicated "struct tomoyo_acl_info" entry. |
|
* |
|
* @a: Pointer to "struct tomoyo_acl_info". |
|
* @b: Pointer to "struct tomoyo_acl_info". |
|
* |
|
* Returns true if @a == @b, false otherwise. |
|
*/ |
|
static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *a, |
|
const struct tomoyo_acl_info *b) |
|
{ |
|
return a->type == b->type && a->cond == b->cond; |
|
} |
|
|
|
/** |
|
* tomoyo_update_domain - Update an entry for domain policy. |
|
* |
|
* @new_entry: Pointer to "struct tomoyo_acl_info". |
|
* @size: Size of @new_entry in bytes. |
|
* @param: Pointer to "struct tomoyo_acl_param". |
|
* @check_duplicate: Callback function to find duplicated entry. |
|
* @merge_duplicate: Callback function to merge duplicated entry. |
|
* |
|
* Returns 0 on success, negative value otherwise. |
|
* |
|
* Caller holds tomoyo_read_lock(). |
|
*/ |
|
int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size, |
|
struct tomoyo_acl_param *param, |
|
bool (*check_duplicate)(const struct tomoyo_acl_info |
|
*, |
|
const struct tomoyo_acl_info |
|
*), |
|
bool (*merge_duplicate)(struct tomoyo_acl_info *, |
|
struct tomoyo_acl_info *, |
|
const bool)) |
|
{ |
|
const bool is_delete = param->is_delete; |
|
int error = is_delete ? -ENOENT : -ENOMEM; |
|
struct tomoyo_acl_info *entry; |
|
struct list_head * const list = param->list; |
|
|
|
if (param->data[0]) { |
|
new_entry->cond = tomoyo_get_condition(param); |
|
if (!new_entry->cond) |
|
return -EINVAL; |
|
/* |
|
* Domain transition preference is allowed for only |
|
* "file execute" entries. |
|
*/ |
|
if (new_entry->cond->transit && |
|
!(new_entry->type == TOMOYO_TYPE_PATH_ACL && |
|
container_of(new_entry, struct tomoyo_path_acl, head) |
|
->perm == 1 << TOMOYO_TYPE_EXECUTE)) |
|
goto out; |
|
} |
|
if (mutex_lock_interruptible(&tomoyo_policy_lock)) |
|
goto out; |
|
list_for_each_entry_rcu(entry, list, list, |
|
srcu_read_lock_held(&tomoyo_ss)) { |
|
if (entry->is_deleted == TOMOYO_GC_IN_PROGRESS) |
|
continue; |
|
if (!tomoyo_same_acl_head(entry, new_entry) || |
|
!check_duplicate(entry, new_entry)) |
|
continue; |
|
if (merge_duplicate) |
|
entry->is_deleted = merge_duplicate(entry, new_entry, |
|
is_delete); |
|
else |
|
entry->is_deleted = is_delete; |
|
error = 0; |
|
break; |
|
} |
|
if (error && !is_delete) { |
|
entry = tomoyo_commit_ok(new_entry, size); |
|
if (entry) { |
|
list_add_tail_rcu(&entry->list, list); |
|
error = 0; |
|
} |
|
} |
|
mutex_unlock(&tomoyo_policy_lock); |
|
out: |
|
tomoyo_put_condition(new_entry->cond); |
|
return error; |
|
} |
|
|
|
/** |
|
* tomoyo_check_acl - Do permission check. |
|
* |
|
* @r: Pointer to "struct tomoyo_request_info". |
|
* @check_entry: Callback function to check type specific parameters. |
|
* |
|
* Returns 0 on success, negative value otherwise. |
|
* |
|
* Caller holds tomoyo_read_lock(). |
|
*/ |
|
void tomoyo_check_acl(struct tomoyo_request_info *r, |
|
bool (*check_entry)(struct tomoyo_request_info *, |
|
const struct tomoyo_acl_info *)) |
|
{ |
|
const struct tomoyo_domain_info *domain = r->domain; |
|
struct tomoyo_acl_info *ptr; |
|
const struct list_head *list = &domain->acl_info_list; |
|
u16 i = 0; |
|
|
|
retry: |
|
list_for_each_entry_rcu(ptr, list, list, |
|
srcu_read_lock_held(&tomoyo_ss)) { |
|
if (ptr->is_deleted || ptr->type != r->param_type) |
|
continue; |
|
if (!check_entry(r, ptr)) |
|
continue; |
|
if (!tomoyo_condition(r, ptr->cond)) |
|
continue; |
|
r->matched_acl = ptr; |
|
r->granted = true; |
|
return; |
|
} |
|
for (; i < TOMOYO_MAX_ACL_GROUPS; i++) { |
|
if (!test_bit(i, domain->group)) |
|
continue; |
|
list = &domain->ns->acl_group[i++]; |
|
goto retry; |
|
} |
|
r->granted = false; |
|
} |
|
|
|
/* The list for "struct tomoyo_domain_info". */ |
|
LIST_HEAD(tomoyo_domain_list); |
|
|
|
/** |
|
* tomoyo_last_word - Get last component of a domainname. |
|
* |
|
* @name: Domainname to check. |
|
* |
|
* Returns the last word of @domainname. |
|
*/ |
|
static const char *tomoyo_last_word(const char *name) |
|
{ |
|
const char *cp = strrchr(name, ' '); |
|
|
|
if (cp) |
|
return cp + 1; |
|
return name; |
|
} |
|
|
|
/** |
|
* tomoyo_same_transition_control - Check for duplicated "struct tomoyo_transition_control" entry. |
|
* |
|
* @a: Pointer to "struct tomoyo_acl_head". |
|
* @b: Pointer to "struct tomoyo_acl_head". |
|
* |
|
* Returns true if @a == @b, false otherwise. |
|
*/ |
|
static bool tomoyo_same_transition_control(const struct tomoyo_acl_head *a, |
|
const struct tomoyo_acl_head *b) |
|
{ |
|
const struct tomoyo_transition_control *p1 = container_of(a, |
|
typeof(*p1), |
|
head); |
|
const struct tomoyo_transition_control *p2 = container_of(b, |
|
typeof(*p2), |
|
head); |
|
|
|
return p1->type == p2->type && p1->is_last_name == p2->is_last_name |
|
&& p1->domainname == p2->domainname |
|
&& p1->program == p2->program; |
|
} |
|
|
|
/** |
|
* tomoyo_write_transition_control - Write "struct tomoyo_transition_control" list. |
|
* |
|
* @param: Pointer to "struct tomoyo_acl_param". |
|
* @type: Type of this entry. |
|
* |
|
* Returns 0 on success, negative value otherwise. |
|
*/ |
|
int tomoyo_write_transition_control(struct tomoyo_acl_param *param, |
|
const u8 type) |
|
{ |
|
struct tomoyo_transition_control e = { .type = type }; |
|
int error = param->is_delete ? -ENOENT : -ENOMEM; |
|
char *program = param->data; |
|
char *domainname = strstr(program, " from "); |
|
|
|
if (domainname) { |
|
*domainname = '\0'; |
|
domainname += 6; |
|
} else if (type == TOMOYO_TRANSITION_CONTROL_NO_KEEP || |
|
type == TOMOYO_TRANSITION_CONTROL_KEEP) { |
|
domainname = program; |
|
program = NULL; |
|
} |
|
if (program && strcmp(program, "any")) { |
|
if (!tomoyo_correct_path(program)) |
|
return -EINVAL; |
|
e.program = tomoyo_get_name(program); |
|
if (!e.program) |
|
goto out; |
|
} |
|
if (domainname && strcmp(domainname, "any")) { |
|
if (!tomoyo_correct_domain(domainname)) { |
|
if (!tomoyo_correct_path(domainname)) |
|
goto out; |
|
e.is_last_name = true; |
|
} |
|
e.domainname = tomoyo_get_name(domainname); |
|
if (!e.domainname) |
|
goto out; |
|
} |
|
param->list = ¶m->ns->policy_list[TOMOYO_ID_TRANSITION_CONTROL]; |
|
error = tomoyo_update_policy(&e.head, sizeof(e), param, |
|
tomoyo_same_transition_control); |
|
out: |
|
tomoyo_put_name(e.domainname); |
|
tomoyo_put_name(e.program); |
|
return error; |
|
} |
|
|
|
/** |
|
* tomoyo_scan_transition - Try to find specific domain transition type. |
|
* |
|
* @list: Pointer to "struct list_head". |
|
* @domainname: The name of current domain. |
|
* @program: The name of requested program. |
|
* @last_name: The last component of @domainname. |
|
* @type: One of values in "enum tomoyo_transition_type". |
|
* |
|
* Returns true if found one, false otherwise. |
|
* |
|
* Caller holds tomoyo_read_lock(). |
|
*/ |
|
static inline bool tomoyo_scan_transition |
|
(const struct list_head *list, const struct tomoyo_path_info *domainname, |
|
const struct tomoyo_path_info *program, const char *last_name, |
|
const enum tomoyo_transition_type type) |
|
{ |
|
const struct tomoyo_transition_control *ptr; |
|
|
|
list_for_each_entry_rcu(ptr, list, head.list, |
|
srcu_read_lock_held(&tomoyo_ss)) { |
|
if (ptr->head.is_deleted || ptr->type != type) |
|
continue; |
|
if (ptr->domainname) { |
|
if (!ptr->is_last_name) { |
|
if (ptr->domainname != domainname) |
|
continue; |
|
} else { |
|
/* |
|
* Use direct strcmp() since this is |
|
* unlikely used. |
|
*/ |
|
if (strcmp(ptr->domainname->name, last_name)) |
|
continue; |
|
} |
|
} |
|
if (ptr->program && tomoyo_pathcmp(ptr->program, program)) |
|
continue; |
|
return true; |
|
} |
|
return false; |
|
} |
|
|
|
/** |
|
* tomoyo_transition_type - Get domain transition type. |
|
* |
|
* @ns: Pointer to "struct tomoyo_policy_namespace". |
|
* @domainname: The name of current domain. |
|
* @program: The name of requested program. |
|
* |
|
* Returns TOMOYO_TRANSITION_CONTROL_TRANSIT if executing @program causes |
|
* domain transition across namespaces, TOMOYO_TRANSITION_CONTROL_INITIALIZE if |
|
* executing @program reinitializes domain transition within that namespace, |
|
* TOMOYO_TRANSITION_CONTROL_KEEP if executing @program stays at @domainname , |
|
* others otherwise. |
|
* |
|
* Caller holds tomoyo_read_lock(). |
|
*/ |
|
static enum tomoyo_transition_type tomoyo_transition_type |
|
(const struct tomoyo_policy_namespace *ns, |
|
const struct tomoyo_path_info *domainname, |
|
const struct tomoyo_path_info *program) |
|
{ |
|
const char *last_name = tomoyo_last_word(domainname->name); |
|
enum tomoyo_transition_type type = TOMOYO_TRANSITION_CONTROL_NO_RESET; |
|
|
|
while (type < TOMOYO_MAX_TRANSITION_TYPE) { |
|
const struct list_head * const list = |
|
&ns->policy_list[TOMOYO_ID_TRANSITION_CONTROL]; |
|
|
|
if (!tomoyo_scan_transition(list, domainname, program, |
|
last_name, type)) { |
|
type++; |
|
continue; |
|
} |
|
if (type != TOMOYO_TRANSITION_CONTROL_NO_RESET && |
|
type != TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE) |
|
break; |
|
/* |
|
* Do not check for reset_domain if no_reset_domain matched. |
|
* Do not check for initialize_domain if no_initialize_domain |
|
* matched. |
|
*/ |
|
type++; |
|
type++; |
|
} |
|
return type; |
|
} |
|
|
|
/** |
|
* tomoyo_same_aggregator - Check for duplicated "struct tomoyo_aggregator" entry. |
|
* |
|
* @a: Pointer to "struct tomoyo_acl_head". |
|
* @b: Pointer to "struct tomoyo_acl_head". |
|
* |
|
* Returns true if @a == @b, false otherwise. |
|
*/ |
|
static bool tomoyo_same_aggregator(const struct tomoyo_acl_head *a, |
|
const struct tomoyo_acl_head *b) |
|
{ |
|
const struct tomoyo_aggregator *p1 = container_of(a, typeof(*p1), |
|
head); |
|
const struct tomoyo_aggregator *p2 = container_of(b, typeof(*p2), |
|
head); |
|
|
|
return p1->original_name == p2->original_name && |
|
p1->aggregated_name == p2->aggregated_name; |
|
} |
|
|
|
/** |
|
* tomoyo_write_aggregator - Write "struct tomoyo_aggregator" list. |
|
* |
|
* @param: Pointer to "struct tomoyo_acl_param". |
|
* |
|
* Returns 0 on success, negative value otherwise. |
|
* |
|
* Caller holds tomoyo_read_lock(). |
|
*/ |
|
int tomoyo_write_aggregator(struct tomoyo_acl_param *param) |
|
{ |
|
struct tomoyo_aggregator e = { }; |
|
int error = param->is_delete ? -ENOENT : -ENOMEM; |
|
const char *original_name = tomoyo_read_token(param); |
|
const char *aggregated_name = tomoyo_read_token(param); |
|
|
|
if (!tomoyo_correct_word(original_name) || |
|
!tomoyo_correct_path(aggregated_name)) |
|
return -EINVAL; |
|
e.original_name = tomoyo_get_name(original_name); |
|
e.aggregated_name = tomoyo_get_name(aggregated_name); |
|
if (!e.original_name || !e.aggregated_name || |
|
e.aggregated_name->is_patterned) /* No patterns allowed. */ |
|
goto out; |
|
param->list = ¶m->ns->policy_list[TOMOYO_ID_AGGREGATOR]; |
|
error = tomoyo_update_policy(&e.head, sizeof(e), param, |
|
tomoyo_same_aggregator); |
|
out: |
|
tomoyo_put_name(e.original_name); |
|
tomoyo_put_name(e.aggregated_name); |
|
return error; |
|
} |
|
|
|
/** |
|
* tomoyo_find_namespace - Find specified namespace. |
|
* |
|
* @name: Name of namespace to find. |
|
* @len: Length of @name. |
|
* |
|
* Returns pointer to "struct tomoyo_policy_namespace" if found, |
|
* NULL otherwise. |
|
* |
|
* Caller holds tomoyo_read_lock(). |
|
*/ |
|
static struct tomoyo_policy_namespace *tomoyo_find_namespace |
|
(const char *name, const unsigned int len) |
|
{ |
|
struct tomoyo_policy_namespace *ns; |
|
|
|
list_for_each_entry(ns, &tomoyo_namespace_list, namespace_list) { |
|
if (strncmp(name, ns->name, len) || |
|
(name[len] && name[len] != ' ')) |
|
continue; |
|
return ns; |
|
} |
|
return NULL; |
|
} |
|
|
|
/** |
|
* tomoyo_assign_namespace - Create a new namespace. |
|
* |
|
* @domainname: Name of namespace to create. |
|
* |
|
* Returns pointer to "struct tomoyo_policy_namespace" on success, |
|
* NULL otherwise. |
|
* |
|
* Caller holds tomoyo_read_lock(). |
|
*/ |
|
struct tomoyo_policy_namespace *tomoyo_assign_namespace(const char *domainname) |
|
{ |
|
struct tomoyo_policy_namespace *ptr; |
|
struct tomoyo_policy_namespace *entry; |
|
const char *cp = domainname; |
|
unsigned int len = 0; |
|
|
|
while (*cp && *cp++ != ' ') |
|
len++; |
|
ptr = tomoyo_find_namespace(domainname, len); |
|
if (ptr) |
|
return ptr; |
|
if (len >= TOMOYO_EXEC_TMPSIZE - 10 || !tomoyo_domain_def(domainname)) |
|
return NULL; |
|
entry = kzalloc(sizeof(*entry) + len + 1, GFP_NOFS | __GFP_NOWARN); |
|
if (mutex_lock_interruptible(&tomoyo_policy_lock)) |
|
goto out; |
|
ptr = tomoyo_find_namespace(domainname, len); |
|
if (!ptr && tomoyo_memory_ok(entry)) { |
|
char *name = (char *) (entry + 1); |
|
|
|
ptr = entry; |
|
memmove(name, domainname, len); |
|
name[len] = '\0'; |
|
entry->name = name; |
|
tomoyo_init_policy_namespace(entry); |
|
entry = NULL; |
|
} |
|
mutex_unlock(&tomoyo_policy_lock); |
|
out: |
|
kfree(entry); |
|
return ptr; |
|
} |
|
|
|
/** |
|
* tomoyo_namespace_jump - Check for namespace jump. |
|
* |
|
* @domainname: Name of domain. |
|
* |
|
* Returns true if namespace differs, false otherwise. |
|
*/ |
|
static bool tomoyo_namespace_jump(const char *domainname) |
|
{ |
|
const char *namespace = tomoyo_current_namespace()->name; |
|
const int len = strlen(namespace); |
|
|
|
return strncmp(domainname, namespace, len) || |
|
(domainname[len] && domainname[len] != ' '); |
|
} |
|
|
|
/** |
|
* tomoyo_assign_domain - Create a domain or a namespace. |
|
* |
|
* @domainname: The name of domain. |
|
* @transit: True if transit to domain found or created. |
|
* |
|
* Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise. |
|
* |
|
* Caller holds tomoyo_read_lock(). |
|
*/ |
|
struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname, |
|
const bool transit) |
|
{ |
|
struct tomoyo_domain_info e = { }; |
|
struct tomoyo_domain_info *entry = tomoyo_find_domain(domainname); |
|
bool created = false; |
|
|
|
if (entry) { |
|
if (transit) { |
|
/* |
|
* Since namespace is created at runtime, profiles may |
|
* not be created by the moment the process transits to |
|
* that domain. Do not perform domain transition if |
|
* profile for that domain is not yet created. |
|
*/ |
|
if (tomoyo_policy_loaded && |
|
!entry->ns->profile_ptr[entry->profile]) |
|
return NULL; |
|
} |
|
return entry; |
|
} |
|
/* Requested domain does not exist. */ |
|
/* Don't create requested domain if domainname is invalid. */ |
|
if (strlen(domainname) >= TOMOYO_EXEC_TMPSIZE - 10 || |
|
!tomoyo_correct_domain(domainname)) |
|
return NULL; |
|
/* |
|
* Since definition of profiles and acl_groups may differ across |
|
* namespaces, do not inherit "use_profile" and "use_group" settings |
|
* by automatically creating requested domain upon domain transition. |
|
*/ |
|
if (transit && tomoyo_namespace_jump(domainname)) |
|
return NULL; |
|
e.ns = tomoyo_assign_namespace(domainname); |
|
if (!e.ns) |
|
return NULL; |
|
/* |
|
* "use_profile" and "use_group" settings for automatically created |
|
* domains are inherited from current domain. These are 0 for manually |
|
* created domains. |
|
*/ |
|
if (transit) { |
|
const struct tomoyo_domain_info *domain = tomoyo_domain(); |
|
|
|
e.profile = domain->profile; |
|
memcpy(e.group, domain->group, sizeof(e.group)); |
|
} |
|
e.domainname = tomoyo_get_name(domainname); |
|
if (!e.domainname) |
|
return NULL; |
|
if (mutex_lock_interruptible(&tomoyo_policy_lock)) |
|
goto out; |
|
entry = tomoyo_find_domain(domainname); |
|
if (!entry) { |
|
entry = tomoyo_commit_ok(&e, sizeof(e)); |
|
if (entry) { |
|
INIT_LIST_HEAD(&entry->acl_info_list); |
|
list_add_tail_rcu(&entry->list, &tomoyo_domain_list); |
|
created = true; |
|
} |
|
} |
|
mutex_unlock(&tomoyo_policy_lock); |
|
out: |
|
tomoyo_put_name(e.domainname); |
|
if (entry && transit) { |
|
if (created) { |
|
struct tomoyo_request_info r; |
|
int i; |
|
|
|
tomoyo_init_request_info(&r, entry, |
|
TOMOYO_MAC_FILE_EXECUTE); |
|
r.granted = false; |
|
tomoyo_write_log(&r, "use_profile %u\n", |
|
entry->profile); |
|
for (i = 0; i < TOMOYO_MAX_ACL_GROUPS; i++) |
|
if (test_bit(i, entry->group)) |
|
tomoyo_write_log(&r, "use_group %u\n", |
|
i); |
|
tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); |
|
} |
|
} |
|
return entry; |
|
} |
|
|
|
/** |
|
* tomoyo_environ - Check permission for environment variable names. |
|
* |
|
* @ee: Pointer to "struct tomoyo_execve". |
|
* |
|
* Returns 0 on success, negative value otherwise. |
|
*/ |
|
static int tomoyo_environ(struct tomoyo_execve *ee) |
|
{ |
|
struct tomoyo_request_info *r = &ee->r; |
|
struct linux_binprm *bprm = ee->bprm; |
|
/* env_page.data is allocated by tomoyo_dump_page(). */ |
|
struct tomoyo_page_dump env_page = { }; |
|
char *arg_ptr; /* Size is TOMOYO_EXEC_TMPSIZE bytes */ |
|
int arg_len = 0; |
|
unsigned long pos = bprm->p; |
|
int offset = pos % PAGE_SIZE; |
|
int argv_count = bprm->argc; |
|
int envp_count = bprm->envc; |
|
int error = -ENOMEM; |
|
|
|
ee->r.type = TOMOYO_MAC_ENVIRON; |
|
ee->r.profile = r->domain->profile; |
|
ee->r.mode = tomoyo_get_mode(r->domain->ns, ee->r.profile, |
|
TOMOYO_MAC_ENVIRON); |
|
if (!r->mode || !envp_count) |
|
return 0; |
|
arg_ptr = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS); |
|
if (!arg_ptr) |
|
goto out; |
|
while (error == -ENOMEM) { |
|
if (!tomoyo_dump_page(bprm, pos, &env_page)) |
|
goto out; |
|
pos += PAGE_SIZE - offset; |
|
/* Read. */ |
|
while (argv_count && offset < PAGE_SIZE) { |
|
if (!env_page.data[offset++]) |
|
argv_count--; |
|
} |
|
if (argv_count) { |
|
offset = 0; |
|
continue; |
|
} |
|
while (offset < PAGE_SIZE) { |
|
const unsigned char c = env_page.data[offset++]; |
|
|
|
if (c && arg_len < TOMOYO_EXEC_TMPSIZE - 10) { |
|
if (c == '=') { |
|
arg_ptr[arg_len++] = '\0'; |
|
} else if (c == '\\') { |
|
arg_ptr[arg_len++] = '\\'; |
|
arg_ptr[arg_len++] = '\\'; |
|
} else if (c > ' ' && c < 127) { |
|
arg_ptr[arg_len++] = c; |
|
} else { |
|
arg_ptr[arg_len++] = '\\'; |
|
arg_ptr[arg_len++] = (c >> 6) + '0'; |
|
arg_ptr[arg_len++] |
|
= ((c >> 3) & 7) + '0'; |
|
arg_ptr[arg_len++] = (c & 7) + '0'; |
|
} |
|
} else { |
|
arg_ptr[arg_len] = '\0'; |
|
} |
|
if (c) |
|
continue; |
|
if (tomoyo_env_perm(r, arg_ptr)) { |
|
error = -EPERM; |
|
break; |
|
} |
|
if (!--envp_count) { |
|
error = 0; |
|
break; |
|
} |
|
arg_len = 0; |
|
} |
|
offset = 0; |
|
} |
|
out: |
|
if (r->mode != TOMOYO_CONFIG_ENFORCING) |
|
error = 0; |
|
kfree(env_page.data); |
|
kfree(arg_ptr); |
|
return error; |
|
} |
|
|
|
/** |
|
* tomoyo_find_next_domain - Find a domain. |
|
* |
|
* @bprm: Pointer to "struct linux_binprm". |
|
* |
|
* Returns 0 on success, negative value otherwise. |
|
* |
|
* Caller holds tomoyo_read_lock(). |
|
*/ |
|
int tomoyo_find_next_domain(struct linux_binprm *bprm) |
|
{ |
|
struct tomoyo_domain_info *old_domain = tomoyo_domain(); |
|
struct tomoyo_domain_info *domain = NULL; |
|
const char *original_name = bprm->filename; |
|
int retval = -ENOMEM; |
|
bool reject_on_transition_failure = false; |
|
const struct tomoyo_path_info *candidate; |
|
struct tomoyo_path_info exename; |
|
struct tomoyo_execve *ee = kzalloc(sizeof(*ee), GFP_NOFS); |
|
|
|
if (!ee) |
|
return -ENOMEM; |
|
ee->tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS); |
|
if (!ee->tmp) { |
|
kfree(ee); |
|
return -ENOMEM; |
|
} |
|
/* ee->dump->data is allocated by tomoyo_dump_page(). */ |
|
tomoyo_init_request_info(&ee->r, NULL, TOMOYO_MAC_FILE_EXECUTE); |
|
ee->r.ee = ee; |
|
ee->bprm = bprm; |
|
ee->r.obj = &ee->obj; |
|
ee->obj.path1 = bprm->file->f_path; |
|
/* Get symlink's pathname of program. */ |
|
retval = -ENOENT; |
|
exename.name = tomoyo_realpath_nofollow(original_name); |
|
if (!exename.name) |
|
goto out; |
|
tomoyo_fill_path_info(&exename); |
|
retry: |
|
/* Check 'aggregator' directive. */ |
|
{ |
|
struct tomoyo_aggregator *ptr; |
|
struct list_head *list = |
|
&old_domain->ns->policy_list[TOMOYO_ID_AGGREGATOR]; |
|
|
|
/* Check 'aggregator' directive. */ |
|
candidate = &exename; |
|
list_for_each_entry_rcu(ptr, list, head.list, |
|
srcu_read_lock_held(&tomoyo_ss)) { |
|
if (ptr->head.is_deleted || |
|
!tomoyo_path_matches_pattern(&exename, |
|
ptr->original_name)) |
|
continue; |
|
candidate = ptr->aggregated_name; |
|
break; |
|
} |
|
} |
|
|
|
/* Check execute permission. */ |
|
retval = tomoyo_execute_permission(&ee->r, candidate); |
|
if (retval == TOMOYO_RETRY_REQUEST) |
|
goto retry; |
|
if (retval < 0) |
|
goto out; |
|
/* |
|
* To be able to specify domainnames with wildcards, use the |
|
* pathname specified in the policy (which may contain |
|
* wildcard) rather than the pathname passed to execve() |
|
* (which never contains wildcard). |
|
*/ |
|
if (ee->r.param.path.matched_path) |
|
candidate = ee->r.param.path.matched_path; |
|
|
|
/* |
|
* Check for domain transition preference if "file execute" matched. |
|
* If preference is given, make execve() fail if domain transition |
|
* has failed, for domain transition preference should be used with |
|
* destination domain defined. |
|
*/ |
|
if (ee->transition) { |
|
const char *domainname = ee->transition->name; |
|
|
|
reject_on_transition_failure = true; |
|
if (!strcmp(domainname, "keep")) |
|
goto force_keep_domain; |
|
if (!strcmp(domainname, "child")) |
|
goto force_child_domain; |
|
if (!strcmp(domainname, "reset")) |
|
goto force_reset_domain; |
|
if (!strcmp(domainname, "initialize")) |
|
goto force_initialize_domain; |
|
if (!strcmp(domainname, "parent")) { |
|
char *cp; |
|
|
|
strncpy(ee->tmp, old_domain->domainname->name, |
|
TOMOYO_EXEC_TMPSIZE - 1); |
|
cp = strrchr(ee->tmp, ' '); |
|
if (cp) |
|
*cp = '\0'; |
|
} else if (*domainname == '<') |
|
strncpy(ee->tmp, domainname, TOMOYO_EXEC_TMPSIZE - 1); |
|
else |
|
snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", |
|
old_domain->domainname->name, domainname); |
|
goto force_jump_domain; |
|
} |
|
/* |
|
* No domain transition preference specified. |
|
* Calculate domain to transit to. |
|
*/ |
|
switch (tomoyo_transition_type(old_domain->ns, old_domain->domainname, |
|
candidate)) { |
|
case TOMOYO_TRANSITION_CONTROL_RESET: |
|
force_reset_domain: |
|
/* Transit to the root of specified namespace. */ |
|
snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "<%s>", |
|
candidate->name); |
|
/* |
|
* Make execve() fail if domain transition across namespaces |
|
* has failed. |
|
*/ |
|
reject_on_transition_failure = true; |
|
break; |
|
case TOMOYO_TRANSITION_CONTROL_INITIALIZE: |
|
force_initialize_domain: |
|
/* Transit to the child of current namespace's root. */ |
|
snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", |
|
old_domain->ns->name, candidate->name); |
|
break; |
|
case TOMOYO_TRANSITION_CONTROL_KEEP: |
|
force_keep_domain: |
|
/* Keep current domain. */ |
|
domain = old_domain; |
|
break; |
|
default: |
|
if (old_domain == &tomoyo_kernel_domain && |
|
!tomoyo_policy_loaded) { |
|
/* |
|
* Needn't to transit from kernel domain before |
|
* starting /sbin/init. But transit from kernel domain |
|
* if executing initializers because they might start |
|
* before /sbin/init. |
|
*/ |
|
domain = old_domain; |
|
break; |
|
} |
|
force_child_domain: |
|
/* Normal domain transition. */ |
|
snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", |
|
old_domain->domainname->name, candidate->name); |
|
break; |
|
} |
|
force_jump_domain: |
|
if (!domain) |
|
domain = tomoyo_assign_domain(ee->tmp, true); |
|
if (domain) |
|
retval = 0; |
|
else if (reject_on_transition_failure) { |
|
pr_warn("ERROR: Domain '%s' not ready.\n", ee->tmp); |
|
retval = -ENOMEM; |
|
} else if (ee->r.mode == TOMOYO_CONFIG_ENFORCING) |
|
retval = -ENOMEM; |
|
else { |
|
retval = 0; |
|
if (!old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED]) { |
|
old_domain->flags[TOMOYO_DIF_TRANSITION_FAILED] = true; |
|
ee->r.granted = false; |
|
tomoyo_write_log(&ee->r, "%s", tomoyo_dif |
|
[TOMOYO_DIF_TRANSITION_FAILED]); |
|
pr_warn("ERROR: Domain '%s' not defined.\n", ee->tmp); |
|
} |
|
} |
|
out: |
|
if (!domain) |
|
domain = old_domain; |
|
/* Update reference count on "struct tomoyo_domain_info". */ |
|
{ |
|
struct tomoyo_task *s = tomoyo_task(current); |
|
|
|
s->old_domain_info = s->domain_info; |
|
s->domain_info = domain; |
|
atomic_inc(&domain->users); |
|
} |
|
kfree(exename.name); |
|
if (!retval) { |
|
ee->r.domain = domain; |
|
retval = tomoyo_environ(ee); |
|
} |
|
kfree(ee->tmp); |
|
kfree(ee->dump.data); |
|
kfree(ee); |
|
return retval; |
|
} |
|
|
|
/** |
|
* tomoyo_dump_page - Dump a page to buffer. |
|
* |
|
* @bprm: Pointer to "struct linux_binprm". |
|
* @pos: Location to dump. |
|
* @dump: Pointer to "struct tomoyo_page_dump". |
|
* |
|
* Returns true on success, false otherwise. |
|
*/ |
|
bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos, |
|
struct tomoyo_page_dump *dump) |
|
{ |
|
struct page *page; |
|
|
|
/* dump->data is released by tomoyo_find_next_domain(). */ |
|
if (!dump->data) { |
|
dump->data = kzalloc(PAGE_SIZE, GFP_NOFS); |
|
if (!dump->data) |
|
return false; |
|
} |
|
/* Same with get_arg_page(bprm, pos, 0) in fs/exec.c */ |
|
#ifdef CONFIG_MMU |
|
/* |
|
* This is called at execve() time in order to dig around |
|
* in the argv/environment of the new proceess |
|
* (represented by bprm). 'current' is the process doing |
|
* the execve(). |
|
*/ |
|
if (get_user_pages_remote(bprm->mm, pos, 1, |
|
FOLL_FORCE, &page, NULL, NULL) <= 0) |
|
return false; |
|
#else |
|
page = bprm->page[pos / PAGE_SIZE]; |
|
#endif |
|
if (page != dump->page) { |
|
const unsigned int offset = pos % PAGE_SIZE; |
|
/* |
|
* Maybe kmap()/kunmap() should be used here. |
|
* But remove_arg_zero() uses kmap_atomic()/kunmap_atomic(). |
|
* So do I. |
|
*/ |
|
char *kaddr = kmap_atomic(page); |
|
|
|
dump->page = page; |
|
memcpy(dump->data + offset, kaddr + offset, |
|
PAGE_SIZE - offset); |
|
kunmap_atomic(kaddr); |
|
} |
|
/* Same with put_arg_page(page) in fs/exec.c */ |
|
#ifdef CONFIG_MMU |
|
put_page(page); |
|
#endif |
|
return true; |
|
}
|
|
|