1.0.40
@@ -0,0 +1,335 @@ | ||
1 | +Notes for AKARI project | |
2 | + | |
3 | +AKARI is Access Keeping And Regulating Instrument for Linux 2.6 and later | |
4 | +kernels. | |
5 | + | |
6 | +You can use AKARI for analyzing your system's behavior (i.e. reports which | |
7 | +application accesses which resources like strace command does) and optionally | |
8 | +restricting your system's behavior (i.e. controls which application can | |
9 | +access which resources like TOMOYO/AppArmor does). | |
10 | + | |
11 | +AKARI is forked from TOMOYO 1.8 and made as a LKM (loadable kernel module) | |
12 | +so that you don't need to replace your kernels installed in your system. | |
13 | + | |
14 | +This patch is released under the GPLv2. | |
15 | + | |
16 | +Project URL: https://akari.osdn.jp/ | |
17 | + | |
18 | +ChangeLog: | |
19 | + | |
20 | +Version 1.0 2010/10/10 First release. | |
21 | + | |
22 | +Version 1.0.1 2010/10/18 Minor update release. | |
23 | + | |
24 | + Synchronize with TOMOYO revision 4069. | |
25 | + | |
26 | + Fix off-by-two in ccs_check_unix_address(). | |
27 | + | |
28 | + Implement post accept() LSM hook. | |
29 | + | |
30 | +Version 1.0.2 2010/10/25 Minor update release. | |
31 | + | |
32 | + Synchronize with TOMOYO revision 4090. | |
33 | + | |
34 | + Add getattr() and readdir() checks. | |
35 | + | |
36 | + Use "YYYY/MM/DD hh:mm:ss" format for /proc/ccs/ interface. | |
37 | + | |
38 | + Do not automatically add / for umount(). | |
39 | + | |
40 | +Version 1.0.3 2010/11/01 Minor update release. | |
41 | + | |
42 | + Synchronize with TOMOYO revision 4104. | |
43 | + | |
44 | + Fix pathname handling in ccs_unix_entry(). | |
45 | + | |
46 | +Version 1.0.4 2010/11/11 Minor update release. | |
47 | + | |
48 | + Synchronize with TOMOYO 1.8.0 release. | |
49 | + | |
50 | + Add sysctl() check for 2.6.21 to 2.6.32 kernels. | |
51 | + | |
52 | + Fix double new_decode_dev() bug for mknod(). | |
53 | + | |
54 | + Fix keyword typo. | |
55 | + | |
56 | + Fix build failure on some kernels. | |
57 | + | |
58 | + Changed pathname prefix priority. | |
59 | + | |
60 | + Use hash table for faster scan. | |
61 | + | |
62 | + Updated function comments. | |
63 | + | |
64 | +Version 1.0.5 2010/11/22 Minor update release. | |
65 | + | |
66 | + Make ccs_domain_info/ccs_flags inheritable for 2.6.29 and later kernels. | |
67 | + | |
68 | +Version 1.0.6 2010/12/31 Minor update release. | |
69 | + | |
70 | + Synchronize with TOMOYO revision 4280. | |
71 | + | |
72 | + Use same interface for audit logs. | |
73 | + | |
74 | + Split ccs_null_security into ccs_default_security and ccs_oom_security. | |
75 | + | |
76 | +Version 1.0.7 2011/01/21 Minor update release. | |
77 | + | |
78 | + Synchronize with TOMOYO revision 4400. | |
79 | + | |
80 | + Use filesystem name for unnamed devices when vfsmount is missing. | |
81 | + | |
82 | +Version 1.0.8 2011/02/07 Minor update release. | |
83 | + | |
84 | + Synchronize with TOMOYO revision 4545. | |
85 | + | |
86 | + Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query . | |
87 | + | |
88 | +Version 1.0.9 2011/02/14 Minor update release. | |
89 | + | |
90 | + Fix missing permission check for interpreters in 2.6.30 and later kernels. | |
91 | + | |
92 | +Version 1.0.10 2011/02/15 Minor update release. | |
93 | + | |
94 | + Fix missing permission check for interpreters in 2.6.23 and earlier kernels. | |
95 | + | |
96 | + Fix wrong execute permission check and domain transition in 2.6.28 and earlier kernels. | |
97 | + | |
98 | +Version 1.0.11 2010/04/01 Minor update release. | |
99 | + | |
100 | + Synchronize with TOMOYO 1.8.1 release. | |
101 | + | |
102 | + Run garbage collector without waiting for /proc/ccs/ users. | |
103 | + | |
104 | + Support built-in policy configuration. | |
105 | + | |
106 | + Remove /proc/ccs/meminfo interface. | |
107 | + | |
108 | + Pack policy when printing via /proc/ccs/ interface. | |
109 | + | |
110 | + Fix conditional policy parsing. | |
111 | + | |
112 | + Serialize updating profile's comment line. | |
113 | + | |
114 | +Version 1.0.12 2011/04/11 Minor update release. | |
115 | + | |
116 | + Synchronize with TOMOYO revision 4874. | |
117 | + | |
118 | + Fix fcntl(F_SETFL, O_APPEND) handling. | |
119 | + | |
120 | +Version 1.0.13 2011/05/05 Minor update release. | |
121 | + | |
122 | + Synchronize with TOMOYO revision 4963. | |
123 | + | |
124 | + Fix wrong profile number in audit logs for "misc env" permission. | |
125 | + | |
126 | +Version 1.0.14 2011/05/11 Minor update release. | |
127 | + | |
128 | + Synchronize with TOMOYO revision 4978. | |
129 | + | |
130 | + Fix wrong domainname validation. | |
131 | + | |
132 | +Version 1.0.15 2011/06/20 Minor update release. | |
133 | + | |
134 | + Synchronize with TOMOYO 1.8.2 release. | |
135 | + | |
136 | + Add policy namespace support. | |
137 | + | |
138 | +Version 1.0.16 2011/07/07 Minor update release. | |
139 | + | |
140 | + Synchronize with TOMOYO revision 5235. | |
141 | + | |
142 | + Remove /proc/ccs/.domain_status interface. | |
143 | + | |
144 | +Version 1.0.17 2011/07/13 Minor update release. | |
145 | + | |
146 | + Synchronize with TOMOYO revision 5266. | |
147 | + | |
148 | + Fix /proc/ccs/stat parser. | |
149 | + | |
150 | + Accept "::" notation for IPv6 address. | |
151 | + | |
152 | +Version 1.0.18 2011/09/03 Minor update release. | |
153 | + | |
154 | + Synchronize with TOMOYO revision 5401. | |
155 | + | |
156 | + Avoid race when retrying "file execute" permission check. | |
157 | + | |
158 | + Remove unneeded daemonize(). | |
159 | + | |
160 | + Fix load failure with !CONFIG_SMP && !CONFIG_DEBUG_SPINLOCK kernels. | |
161 | + | |
162 | +Version 1.0.19 2011/09/15 Minor update release. | |
163 | + | |
164 | + Use akari/config.h for choosing build options. | |
165 | + | |
166 | + Fix build error on CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER=y case. | |
167 | + | |
168 | + Use lookup_mnt() rather than __put_namespace(). (2.6.0 to 2.6.2 kernels) | |
169 | + | |
170 | + Fix unbalanced spin_lock()/spin_unlock() pair in lsm_pin(). | |
171 | + (2.6.15 to 2.6.35 kernels) | |
172 | + | |
173 | + Fix "struct task_struct" leaks of tasks created before loading akari.ko . | |
174 | + (2.6.28 and earlier kernels) | |
175 | + | |
176 | + Use "struct task_struct"->pids[PIDTYPE_PID].pid instead of | |
177 | + "struct task_struct" for associating with per "struct task_struct" variables | |
178 | + (i.e. "struct ccs_security") in order to reduce amount of dead memory | |
179 | + waiting for garbage collection. (2.6.29 and later kernels) | |
180 | + | |
181 | + Add akari_test.ko for checking whether akari.ko seems to work or not. | |
182 | + | |
183 | + Add SH and ARM architectures support. (Needs more testing.) | |
184 | + | |
185 | +Version 1.0.20 2011/09/29 Minor update release. | |
186 | + | |
187 | + Synchronize with TOMOYO 1.8.3 release. | |
188 | + | |
189 | + Allow specifying domain transition preference. | |
190 | + | |
191 | + Simplify garbage collector. | |
192 | + | |
193 | +Version 1.0.21 2011/10/25 Minor update release. | |
194 | + | |
195 | + Synchronize with TOMOYO revision 5569. | |
196 | + | |
197 | + Fix incomplete read after seek. | |
198 | + | |
199 | + Use query id for reaching target process's domain policy. | |
200 | + | |
201 | + Fix quota counting. | |
202 | + | |
203 | +Version 1.0.22 2011/11/11 Minor update release. | |
204 | + | |
205 | + Synchronize with TOMOYO revision 5625. | |
206 | + | |
207 | + Optimize for object's size. | |
208 | + | |
209 | +Version 1.0.23 2011/11/18 Minor update release. | |
210 | + | |
211 | + Synchronize with TOMOYO revision 5646. | |
212 | + | |
213 | + Fix kernel config mapping error. | |
214 | + | |
215 | +Version 1.0.24 2011/12/13 Minor update release. | |
216 | + | |
217 | + Synchronize with TOMOYO revision 5711. | |
218 | + | |
219 | + Follow __d_path() behavior change. (Only 2.6.36 and later) | |
220 | + | |
221 | +Version 1.0.25 2012/02/29 Minor update release. | |
222 | + | |
223 | + Synchronize with TOMOYO revision 5893. | |
224 | + | |
225 | + Follow UMH_WAIT_PROC constant renumbering. | |
226 | + | |
227 | + Fix mount flags checking order. | |
228 | + | |
229 | +Version 1.0.26 2012/04/01 Minor update release. | |
230 | + | |
231 | + Synchronize with TOMOYO revision 5973. | |
232 | + | |
233 | + Return appropriate value to poll(). | |
234 | + | |
235 | +Version 1.0.27 2012/05/05 Minor update release. | |
236 | + | |
237 | + Synchronize with TOMOYO revision 6035. | |
238 | + | |
239 | + Readd RHEL_MINOR/AX_MINOR checks. | |
240 | + | |
241 | + Accept manager programs which do not start with / . | |
242 | + | |
243 | +Version 1.0.28 2012/10/20 Security update release. | |
244 | + | |
245 | + Fix kernel panic caused by double kfree() bug when "struct ccs_execve" | |
246 | + pointer was by error duplicated at __ccs_alloc_task_security(). | |
247 | + This bug affects only 2.6.28 and earlier kernels. | |
248 | + | |
249 | +Version 1.0.29 2012/11/04 Minor update release. | |
250 | + | |
251 | + Use dummy pointer as needed in order to make sure that security_bprm_free() | |
252 | + (which is used for making the caller of do_execve() return to previous | |
253 | + domain when do_execve() failed after domain transition) is always called. | |
254 | + Without this fix, domain transition history on 2.6.28 and earlier kernels | |
255 | + becomes inaccurate. | |
256 | + | |
257 | +Version 1.0.30 2013/02/14 Minor update release. | |
258 | + | |
259 | + Commit a2a8474c "exec: do not sleep in TASK_TRACED under ->cred_guard_mutex" | |
260 | + moved "current->in_execve = 1;" from before prepare_bprm_creds() to after | |
261 | + prepare_bprm_creds(). It turned out that, as an unexpected bonus, we can use | |
262 | + security_prepare_creds() as a hook for emulating security_bprm_free() hook. | |
263 | + | |
264 | + I updated the logic for security_bprm_free() emulation, and now AKARI should | |
265 | + be able to coexist with other AKARI-like LKM-based LSM implementations (e.g. | |
266 | + CaitSith) on all kernel versions other than 2.6.29 and 2.6.30. | |
267 | + | |
268 | +Version 1.0.31 2015/01/12 Minor update release. | |
269 | + | |
270 | + Synchronize with TOMOYO revision 6373. | |
271 | + | |
272 | + Fix missing chmod(-1) check in Linux 3.1 and later kernels. | |
273 | + | |
274 | + Fix potentially using bogus attributes when stat() fails. | |
275 | + | |
276 | +Version 1.0.32 2015/04/08 Minor update release. | |
277 | + | |
278 | + Synchronize with TOMOYO revision 6388. | |
279 | + | |
280 | + Fix incorrect readdir() permission check. | |
281 | + | |
282 | +Version 1.0.33 2015/04/21 Minor update release. | |
283 | + | |
284 | + Synchronize with TOMOYO revision 6407. | |
285 | + | |
286 | + Fix incorrect retry request check. | |
287 | + | |
288 | +Version 1.0.34 2015/05/05 Minor update release. | |
289 | + | |
290 | + Synchronize with TOMOYO 1.8.4 release. | |
291 | + | |
292 | + Support multiple use_group entries. | |
293 | + | |
294 | +Version 1.0.35 2015/11/11 Minor update release. | |
295 | + | |
296 | + Synchronize with TOMOYO 1.8.5 release. | |
297 | + | |
298 | + Use memory allocation flags used by TOMOYO 2.x. | |
299 | + | |
300 | + Limit wildcard recursion depth. | |
301 | + | |
302 | +Version 1.0.36 2017/02/20 Minor update release. | |
303 | + | |
304 | + Synchronize with TOMOYO revision 6553. | |
305 | + | |
306 | + The bug fixed in TOMOYO's GC does not affect AKARI because | |
307 | + AKARI always uses CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY. | |
308 | + | |
309 | +Version 1.0.37 2017/09/17 Minor update release. | |
310 | + | |
311 | + Use smp_rmb() when waiting for hook readiness. | |
312 | + | |
313 | +Version 1.0.38 2018/04/01 Minor update release. | |
314 | + | |
315 | + Synchronize with TOMOYO revision 6638. | |
316 | + | |
317 | + Due to incorrect probe_kernel_write() usage, previously registered LSM | |
318 | + hook (if any) was by error overwritten by this hook. This bug affects | |
319 | + only 4.12 and later kernels. | |
320 | + | |
321 | +Version 1.0.39 2019/08/20 Minor update release. | |
322 | + | |
323 | + Synchronize with TOMOYO 1.8.6 release. | |
324 | + | |
325 | + Change pathname calculation for read-only filesystems. | |
326 | + | |
327 | + Reject move_mount() system call for now. | |
328 | + | |
329 | + Don't check open/getattr permission on sockets. | |
330 | + | |
331 | +Version 1.0.40 2019/12/25 Minor update release. | |
332 | + | |
333 | + Synchronize with TOMOYO revision 6758. | |
334 | + | |
335 | + Don't use nifty names on sockets. |
@@ -0,0 +1,1588 @@ | ||
1 | +/* | |
2 | + * lsm.c | |
3 | + * | |
4 | + * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | |
5 | + * | |
6 | + * Version: 1.0.40 2019/12/25 | |
7 | + */ | |
8 | + | |
9 | +#include "internal.h" | |
10 | +#include "probe.h" | |
11 | + | |
12 | +/* Prototype definition. */ | |
13 | + | |
14 | +static int __ccs_alloc_task_security(const struct task_struct *task); | |
15 | +static void __ccs_free_task_security(const struct task_struct *task); | |
16 | + | |
17 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
18 | +static struct ccs_security ccs_oom_security = { | |
19 | + .ccs_domain_info = &ccs_kernel_domain | |
20 | +}; | |
21 | + | |
22 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
23 | +static struct ccs_security ccs_default_security = { | |
24 | + .ccs_domain_info = &ccs_kernel_domain | |
25 | +}; | |
26 | + | |
27 | +/* List of "struct ccs_security". */ | |
28 | +struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH]; | |
29 | +/* Lock for protecting ccs_task_security_list[]. */ | |
30 | +static DEFINE_SPINLOCK(ccs_task_security_list_lock); | |
31 | + | |
32 | +/* Dummy marker for calling security_bprm_free(). */ | |
33 | +static const unsigned long ccs_bprm_security; | |
34 | + | |
35 | +/* For exporting variables and functions. */ | |
36 | +struct ccsecurity_exports ccsecurity_exports; | |
37 | +/* Members are updated by loadable kernel module. */ | |
38 | +struct ccsecurity_operations ccsecurity_ops; | |
39 | + | |
40 | +/* Function pointers originally registered by register_security(). */ | |
41 | +static struct security_operations original_security_ops /* = *security_ops; */; | |
42 | + | |
43 | +#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT | |
44 | + | |
45 | +/** | |
46 | + * ccs_update_ee_counter - Update "struct ccs_execve" counter. | |
47 | + * | |
48 | + * @count: Count to increment or decrement. | |
49 | + * | |
50 | + * Returns updated counter. | |
51 | + */ | |
52 | +static unsigned int ccs_update_ee_counter(int count) | |
53 | +{ | |
54 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 10) || defined(atomic_add_return) | |
55 | + /* Debug counter for detecting "struct ccs_execve" memory leak. */ | |
56 | + static atomic_t ccs_ee_counter = ATOMIC_INIT(0); | |
57 | + return atomic_add_return(count, &ccs_ee_counter); | |
58 | +#else | |
59 | + static DEFINE_SPINLOCK(ccs_ee_lock); | |
60 | + static unsigned int ccs_ee_counter; | |
61 | + unsigned long flags; | |
62 | + spin_lock_irqsave(&ccs_ee_lock, flags); | |
63 | + ccs_ee_counter += count; | |
64 | + count = ccs_ee_counter; | |
65 | + spin_unlock_irqrestore(&ccs_ee_lock, flags); | |
66 | + return count; | |
67 | +#endif | |
68 | +} | |
69 | + | |
70 | +/** | |
71 | + * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve". | |
72 | + * | |
73 | + * @ee: Pointer to "struct ccs_execve". | |
74 | + * | |
75 | + * Returns nothing. | |
76 | + */ | |
77 | +void ccs_audit_alloc_execve(const struct ccs_execve * const ee) | |
78 | +{ | |
79 | + printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee, | |
80 | + current->pid, ccs_update_ee_counter(1) - 1); | |
81 | +} | |
82 | + | |
83 | +/** | |
84 | + * ccs_audit_free_execve - Audit release of "struct ccs_execve". | |
85 | + * | |
86 | + * @ee: Pointer to "struct ccs_execve". | |
87 | + * @task: True if released by current task, false otherwise. | |
88 | + * | |
89 | + * Returns nothing. | |
90 | + */ | |
91 | +void ccs_audit_free_execve(const struct ccs_execve * const ee, | |
92 | + const bool is_current) | |
93 | +{ | |
94 | + const unsigned int tmp = ccs_update_ee_counter(-1); | |
95 | + if (is_current) | |
96 | + printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n", | |
97 | + ee, current->pid, tmp); | |
98 | + else | |
99 | + printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n", | |
100 | + ee, tmp); | |
101 | +} | |
102 | + | |
103 | +#endif | |
104 | + | |
105 | +#if !defined(CONFIG_AKARI_DEBUG) | |
106 | +#define ccs_debug_trace(pos) do { } while (0) | |
107 | +#else | |
108 | +#define ccs_debug_trace(pos) \ | |
109 | + do { \ | |
110 | + static bool done; \ | |
111 | + if (!done) { \ | |
112 | + printk(KERN_INFO \ | |
113 | + "AKARI: Debug trace: " pos " of 4\n"); \ | |
114 | + done = true; \ | |
115 | + } \ | |
116 | + } while (0) | |
117 | +#endif | |
118 | + | |
119 | +/** | |
120 | + * ccs_clear_execve - Release memory used by do_execve(). | |
121 | + * | |
122 | + * @ret: 0 if do_execve() succeeded, negative value otherwise. | |
123 | + * @security: Pointer to "struct ccs_security". | |
124 | + * | |
125 | + * Returns nothing. | |
126 | + */ | |
127 | +static void ccs_clear_execve(int ret, struct ccs_security *security) | |
128 | +{ | |
129 | + struct ccs_execve *ee; | |
130 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
131 | + return; | |
132 | + ee = security->ee; | |
133 | + security->ee = NULL; | |
134 | + if (!ee) | |
135 | + return; | |
136 | + ccs_finish_execve(ret, ee); | |
137 | +} | |
138 | + | |
139 | +/** | |
140 | + * ccs_task_alloc_security - Allocate memory for new tasks. | |
141 | + * | |
142 | + * @p: Pointer to "struct task_struct". | |
143 | + * | |
144 | + * Returns 0 on success, negative value otherwise. | |
145 | + */ | |
146 | +static int ccs_task_alloc_security(struct task_struct *p) | |
147 | +{ | |
148 | + int rc = __ccs_alloc_task_security(p); | |
149 | + if (rc) | |
150 | + return rc; | |
151 | + while (!original_security_ops.task_alloc_security) | |
152 | + smp_rmb(); | |
153 | + rc = original_security_ops.task_alloc_security(p); | |
154 | + if (rc) | |
155 | + __ccs_free_task_security(p); | |
156 | + return rc; | |
157 | +} | |
158 | + | |
159 | +/** | |
160 | + * ccs_task_free_security - Release memory for "struct task_struct". | |
161 | + * | |
162 | + * @p: Pointer to "struct task_struct". | |
163 | + * | |
164 | + * Returns nothing. | |
165 | + */ | |
166 | +static void ccs_task_free_security(struct task_struct *p) | |
167 | +{ | |
168 | + while (!original_security_ops.task_free_security) | |
169 | + smp_rmb(); | |
170 | + original_security_ops.task_free_security(p); | |
171 | + __ccs_free_task_security(p); | |
172 | +} | |
173 | + | |
174 | +/** | |
175 | + * ccs_bprm_alloc_security - Allocate memory for "struct linux_binprm". | |
176 | + * | |
177 | + * @bprm: Pointer to "struct linux_binprm". | |
178 | + * | |
179 | + * Returns 0 on success, negative value otherwise. | |
180 | + */ | |
181 | +static int ccs_bprm_alloc_security(struct linux_binprm *bprm) | |
182 | +{ | |
183 | + int rc; | |
184 | + while (!original_security_ops.bprm_alloc_security) | |
185 | + smp_rmb(); | |
186 | + rc = original_security_ops.bprm_alloc_security(bprm); | |
187 | + if (bprm->security || rc) | |
188 | + return rc; | |
189 | + /* | |
190 | + * Update bprm->security to &ccs_bprm_security so that | |
191 | + * security_bprm_free() is called even if do_execve() failed at | |
192 | + * search_binary_handler() without allocating memory at | |
193 | + * security_bprm_alloc(). This trick assumes that active LSM module | |
194 | + * does not access bprm->security if that module did not allocate | |
195 | + * memory at security_bprm_alloc(). | |
196 | + */ | |
197 | + bprm->security = (void *) &ccs_bprm_security; | |
198 | + return 0; | |
199 | +} | |
200 | + | |
201 | +/** | |
202 | + * ccs_bprm_free_security - Release memory for "struct linux_binprm". | |
203 | + * | |
204 | + * @bprm: Pointer to "struct linux_binprm". | |
205 | + * | |
206 | + * Returns nothing. | |
207 | + */ | |
208 | +static void ccs_bprm_free_security(struct linux_binprm *bprm) | |
209 | +{ | |
210 | + /* | |
211 | + * If do_execve() succeeded, bprm->security will be updated to NULL at | |
212 | + * security_bprm_compute_creds()/security_bprm_apply_creds() if | |
213 | + * bprm->security was set to &ccs_bprm_security at | |
214 | + * security_bprm_alloc(). | |
215 | + * | |
216 | + * If do_execve() failed, bprm->security remains at &ccs_bprm_security | |
217 | + * if bprm->security was set to &ccs_bprm_security at | |
218 | + * security_bprm_alloc(). | |
219 | + * | |
220 | + * And do_execve() does not call security_bprm_free() if do_execve() | |
221 | + * failed and bprm->security == NULL. Therefore, do not call | |
222 | + * original_security_ops.bprm_free_security() if bprm->security remains | |
223 | + * at &ccs_bprm_security . | |
224 | + */ | |
225 | + if (bprm->security != &ccs_bprm_security) { | |
226 | + while (!original_security_ops.bprm_free_security) | |
227 | + smp_rmb(); | |
228 | + original_security_ops.bprm_free_security(bprm); | |
229 | + } | |
230 | + /* | |
231 | + * If do_execve() succeeded, | |
232 | + * ccs_clear_execve(0, ccs_current_security()); | |
233 | + * is called before calling below one. | |
234 | + * Thus, below call becomes no-op if do_execve() succeeded. | |
235 | + */ | |
236 | + ccs_clear_execve(-1, ccs_current_security()); | |
237 | +} | |
238 | + | |
239 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 6) | |
240 | + | |
241 | +/** | |
242 | + * ccs_bprm_compute_creds - A hook which is called when do_execve() succeeded. | |
243 | + * | |
244 | + * @bprm: Pointer to "struct linux_binprm". | |
245 | + * | |
246 | + * Returns nothing. | |
247 | + */ | |
248 | +static void ccs_bprm_compute_creds(struct linux_binprm *bprm) | |
249 | +{ | |
250 | + if (bprm->security == &ccs_bprm_security) | |
251 | + bprm->security = NULL; | |
252 | + while (!original_security_ops.bprm_compute_creds) | |
253 | + smp_rmb(); | |
254 | + original_security_ops.bprm_compute_creds(bprm); | |
255 | + ccs_clear_execve(0, ccs_current_security()); | |
256 | +} | |
257 | + | |
258 | +#else | |
259 | + | |
260 | +/** | |
261 | + * ccs_bprm_apply_creds - A hook which is called when do_execve() succeeded. | |
262 | + * | |
263 | + * @bprm: Pointer to "struct linux_binprm". | |
264 | + * @unsafe: Unsafe flag. | |
265 | + * | |
266 | + * Returns nothing. | |
267 | + */ | |
268 | +static void ccs_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | |
269 | +{ | |
270 | + if (bprm->security == &ccs_bprm_security) | |
271 | + bprm->security = NULL; | |
272 | + while (!original_security_ops.bprm_apply_creds) | |
273 | + smp_rmb(); | |
274 | + original_security_ops.bprm_apply_creds(bprm, unsafe); | |
275 | + ccs_clear_execve(0, ccs_current_security()); | |
276 | +} | |
277 | + | |
278 | +#endif | |
279 | + | |
280 | +/** | |
281 | + * ccs_bprm_check_security - Check permission for execve(). | |
282 | + * | |
283 | + * @bprm: Pointer to "struct linux_binprm". | |
284 | + * | |
285 | + * Returns 0 on success, negative value otherwise. | |
286 | + */ | |
287 | +static int ccs_bprm_check_security(struct linux_binprm *bprm) | |
288 | +{ | |
289 | + struct ccs_security *security = ccs_current_security(); | |
290 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
291 | + return -ENOMEM; | |
292 | + if (!security->ee) { | |
293 | + int rc; | |
294 | +#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER | |
295 | + if (!ccs_policy_loaded) | |
296 | + ccs_load_policy(bprm->filename); | |
297 | +#endif | |
298 | + rc = ccs_start_execve(bprm, &security->ee); | |
299 | + if (rc) | |
300 | + return rc; | |
301 | + } | |
302 | + while (!original_security_ops.bprm_check_security) | |
303 | + smp_rmb(); | |
304 | + return original_security_ops.bprm_check_security(bprm); | |
305 | +} | |
306 | + | |
307 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) | |
308 | + | |
309 | +/** | |
310 | + * ccs_open - Check permission for open(). | |
311 | + * | |
312 | + * @f: Pointer to "struct file". | |
313 | + * | |
314 | + * Returns 0 on success, negative value otherwise. | |
315 | + */ | |
316 | +static int ccs_open(struct file *f) | |
317 | +{ | |
318 | + return ccs_open_permission(f->f_path.dentry, f->f_path.mnt, | |
319 | + f->f_flags + 1); | |
320 | +} | |
321 | + | |
322 | +#endif | |
323 | + | |
324 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) | |
325 | + | |
326 | +/** | |
327 | + * ccs_dentry_open - Check permission for open(). | |
328 | + * | |
329 | + * @f: Pointer to "struct file". | |
330 | + * | |
331 | + * Returns 0 on success, negative value otherwise. | |
332 | + */ | |
333 | +static int ccs_dentry_open(struct file *f) | |
334 | +{ | |
335 | + int rc = ccs_open(f); | |
336 | + if (rc) | |
337 | + return rc; | |
338 | + while (!original_security_ops.dentry_open) | |
339 | + smp_rmb(); | |
340 | + return original_security_ops.dentry_open(f); | |
341 | +} | |
342 | + | |
343 | +#else | |
344 | + | |
345 | +/** | |
346 | + * ccs_open - Check permission for open(). | |
347 | + * | |
348 | + * @inode: Pointer to "struct inode". | |
349 | + * @mask: Open mode. | |
350 | + * @nd: Pointer to "struct nameidata". | |
351 | + * | |
352 | + * Returns 0 on success, negative value otherwise. | |
353 | + */ | |
354 | +static int ccs_open(struct inode *inode, int mask, struct nameidata *nd) | |
355 | +{ | |
356 | + int flags; | |
357 | + if (!nd || !nd->dentry) | |
358 | + return 0; | |
359 | + /* open_exec() passes MAY_EXEC . */ | |
360 | + if (mask == MAY_EXEC && inode && S_ISREG(inode->i_mode) && | |
361 | + (ccs_current_flags() & CCS_TASK_IS_IN_EXECVE)) | |
362 | + mask = MAY_READ; | |
363 | + /* | |
364 | + * This flags value is passed to ACC_MODE(). | |
365 | + * ccs_open_permission() for older versions uses old ACC_MODE(). | |
366 | + */ | |
367 | + switch (mask & (MAY_READ | MAY_WRITE)) { | |
368 | + case MAY_READ: | |
369 | + flags = 01; | |
370 | + break; | |
371 | + case MAY_WRITE: | |
372 | + flags = 02; | |
373 | + break; | |
374 | + case MAY_READ | MAY_WRITE: | |
375 | + flags = 03; | |
376 | + break; | |
377 | + default: | |
378 | + return 0; | |
379 | + } | |
380 | + return ccs_open_permission(nd->dentry, nd->mnt, flags); | |
381 | +} | |
382 | + | |
383 | +/** | |
384 | + * ccs_inode_permission - Check permission for open(). | |
385 | + * | |
386 | + * @inode: Pointer to "struct inode". | |
387 | + * @mask: Open mode. | |
388 | + * @nd: Pointer to "struct nameidata". | |
389 | + * | |
390 | + * Returns 0 on success, negative value otherwise. | |
391 | + * | |
392 | + * Note that this hook is called from permission(), and may not be called for | |
393 | + * open(). Maybe it is better to use security_file_permission(). | |
394 | + */ | |
395 | +static int ccs_inode_permission(struct inode *inode, int mask, | |
396 | + struct nameidata *nd) | |
397 | +{ | |
398 | + int rc = ccs_open(inode, mask, nd); | |
399 | + if (rc) | |
400 | + return rc; | |
401 | + while (!original_security_ops.inode_permission) | |
402 | + smp_rmb(); | |
403 | + return original_security_ops.inode_permission(inode, mask, nd); | |
404 | +} | |
405 | + | |
406 | +#endif | |
407 | + | |
408 | +/** | |
409 | + * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate(). | |
410 | + * | |
411 | + * @dentry: Pointer to "struct dentry". | |
412 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
413 | + * @attr: Pointer to "struct iattr". | |
414 | + * | |
415 | + * Returns 0 on success, negative value otherwise. | |
416 | + */ | |
417 | +static int ccs_inode_setattr(struct dentry *dentry, struct vfsmount *mnt, | |
418 | + struct iattr *attr) | |
419 | +{ | |
420 | + int rc = 0; | |
421 | + if (attr->ia_valid & ATTR_UID) | |
422 | + rc = ccs_chown_permission(dentry, mnt, attr->ia_uid, -1); | |
423 | + if (!rc && (attr->ia_valid & ATTR_GID)) | |
424 | + rc = ccs_chown_permission(dentry, mnt, -1, attr->ia_gid); | |
425 | + if (!rc && (attr->ia_valid & ATTR_MODE)) | |
426 | + rc = ccs_chmod_permission(dentry, mnt, attr->ia_mode); | |
427 | + if (!rc && (attr->ia_valid & ATTR_SIZE)) | |
428 | + rc = ccs_truncate_permission(dentry, mnt); | |
429 | + if (rc) | |
430 | + return rc; | |
431 | + while (!original_security_ops.inode_setattr) | |
432 | + smp_rmb(); | |
433 | + return original_security_ops.inode_setattr(dentry, mnt, attr); | |
434 | +} | |
435 | + | |
436 | +/** | |
437 | + * ccs_inode_getattr - Check permission for stat(). | |
438 | + * | |
439 | + * @mnt: Pointer to "struct vfsmount". | |
440 | + * @dentry: Pointer to "struct dentry". | |
441 | + * | |
442 | + * Returns 0 on success, negative value otherwise. | |
443 | + */ | |
444 | +static int ccs_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | |
445 | +{ | |
446 | + int rc = ccs_getattr_permission(mnt, dentry); | |
447 | + if (rc) | |
448 | + return rc; | |
449 | + while (!original_security_ops.inode_getattr) | |
450 | + smp_rmb(); | |
451 | + return original_security_ops.inode_getattr(mnt, dentry); | |
452 | +} | |
453 | + | |
454 | +/** | |
455 | + * ccs_inode_mknod - Check permission for mknod(). | |
456 | + * | |
457 | + * @dir: Pointer to "struct inode". | |
458 | + * @dentry: Pointer to "struct dentry". | |
459 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
460 | + * @mode: Create mode. | |
461 | + * @dev: Device major/minor number. | |
462 | + * | |
463 | + * Returns 0 on success, negative value otherwise. | |
464 | + */ | |
465 | +static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry, | |
466 | + struct vfsmount *mnt, int mode, dev_t dev) | |
467 | +{ | |
468 | + int rc = ccs_mknod_permission(dentry, mnt, mode, dev); | |
469 | + if (rc) | |
470 | + return rc; | |
471 | + while (!original_security_ops.inode_mknod) | |
472 | + smp_rmb(); | |
473 | + return original_security_ops.inode_mknod(dir, dentry, mnt, mode, dev); | |
474 | +} | |
475 | + | |
476 | +/** | |
477 | + * ccs_inode_mkdir - Check permission for mkdir(). | |
478 | + * | |
479 | + * @dir: Pointer to "struct inode". | |
480 | + * @dentry: Pointer to "struct dentry". | |
481 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
482 | + * @mode: Create mode. | |
483 | + * | |
484 | + * Returns 0 on success, negative value otherwise. | |
485 | + */ | |
486 | +static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry, | |
487 | + struct vfsmount *mnt, int mode) | |
488 | +{ | |
489 | + int rc = ccs_mkdir_permission(dentry, mnt, mode); | |
490 | + if (rc) | |
491 | + return rc; | |
492 | + while (!original_security_ops.inode_mkdir) | |
493 | + smp_rmb(); | |
494 | + return original_security_ops.inode_mkdir(dir, dentry, mnt, mode); | |
495 | +} | |
496 | + | |
497 | +/** | |
498 | + * ccs_inode_rmdir - Check permission for rmdir(). | |
499 | + * | |
500 | + * @dir: Pointer to "struct inode". | |
501 | + * @dentry: Pointer to "struct dentry". | |
502 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
503 | + * | |
504 | + * Returns 0 on success, negative value otherwise. | |
505 | + */ | |
506 | +static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry, | |
507 | + struct vfsmount *mnt) | |
508 | +{ | |
509 | + int rc = ccs_rmdir_permission(dentry, mnt); | |
510 | + if (rc) | |
511 | + return rc; | |
512 | + while (!original_security_ops.inode_rmdir) | |
513 | + smp_rmb(); | |
514 | + return original_security_ops.inode_rmdir(dir, dentry, mnt); | |
515 | +} | |
516 | + | |
517 | +/** | |
518 | + * ccs_inode_unlink - Check permission for unlink(). | |
519 | + * | |
520 | + * @dir: Pointer to "struct inode". | |
521 | + * @dentry: Pointer to "struct dentry". | |
522 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
523 | + * | |
524 | + * Returns 0 on success, negative value otherwise. | |
525 | + */ | |
526 | +static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry, | |
527 | + struct vfsmount *mnt) | |
528 | +{ | |
529 | + int rc = ccs_unlink_permission(dentry, mnt); | |
530 | + if (rc) | |
531 | + return rc; | |
532 | + while (!original_security_ops.inode_unlink) | |
533 | + smp_rmb(); | |
534 | + return original_security_ops.inode_unlink(dir, dentry, mnt); | |
535 | +} | |
536 | + | |
537 | +/** | |
538 | + * ccs_inode_symlink - Check permission for symlink(). | |
539 | + * | |
540 | + * @dir: Pointer to "struct inode". | |
541 | + * @dentry: Pointer to "struct dentry". | |
542 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
543 | + * @old_name: Content of symbolic link. | |
544 | + * | |
545 | + * Returns 0 on success, negative value otherwise. | |
546 | + */ | |
547 | +static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry, | |
548 | + struct vfsmount *mnt, const char *old_name) | |
549 | +{ | |
550 | + int rc = ccs_symlink_permission(dentry, mnt, old_name); | |
551 | + if (rc) | |
552 | + return rc; | |
553 | + while (!original_security_ops.inode_symlink) | |
554 | + smp_rmb(); | |
555 | + return original_security_ops.inode_symlink(dir, dentry, mnt, old_name); | |
556 | +} | |
557 | + | |
558 | +/** | |
559 | + * ccs_inode_rename - Check permission for rename(). | |
560 | + * | |
561 | + * @old_dir: Pointer to "struct inode". | |
562 | + * @old_dentry: Pointer to "struct dentry". | |
563 | + * @old_mnt: Pointer to "struct vfsmount". Maybe NULL. | |
564 | + * @new_dir: Pointer to "struct inode". | |
565 | + * @new_dentry: Pointer to "struct dentry". | |
566 | + * @new_mnt: Pointer to "struct vfsmount". Maybe NULL. | |
567 | + * | |
568 | + * Returns 0 on success, negative value otherwise. | |
569 | + */ | |
570 | +static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry, | |
571 | + struct vfsmount *old_mnt, struct inode *new_dir, | |
572 | + struct dentry *new_dentry, | |
573 | + struct vfsmount *new_mnt) | |
574 | +{ | |
575 | + int rc = ccs_rename_permission(old_dentry, new_dentry, new_mnt); | |
576 | + if (rc) | |
577 | + return rc; | |
578 | + while (!original_security_ops.inode_rename) | |
579 | + smp_rmb(); | |
580 | + return original_security_ops.inode_rename(old_dir, old_dentry, old_mnt, | |
581 | + new_dir, new_dentry, | |
582 | + new_mnt); | |
583 | +} | |
584 | + | |
585 | +/** | |
586 | + * ccs_inode_link - Check permission for link(). | |
587 | + * | |
588 | + * @old_dentry: Pointer to "struct dentry". | |
589 | + * @old_mnt: Pointer to "struct vfsmount". Maybe NULL. | |
590 | + * @dir: Pointer to "struct inode". | |
591 | + * @new_dentry: Pointer to "struct dentry". | |
592 | + * @new_mnt: Pointer to "struct vfsmount". Maybe NULL. | |
593 | + * | |
594 | + * Returns 0 on success, negative value otherwise. | |
595 | + */ | |
596 | +static int ccs_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt, | |
597 | + struct inode *dir, struct dentry *new_dentry, | |
598 | + struct vfsmount *new_mnt) | |
599 | +{ | |
600 | + int rc = ccs_link_permission(old_dentry, new_dentry, new_mnt); | |
601 | + if (rc) | |
602 | + return rc; | |
603 | + while (!original_security_ops.inode_link) | |
604 | + smp_rmb(); | |
605 | + return original_security_ops.inode_link(old_dentry, old_mnt, dir, | |
606 | + new_dentry, new_mnt); | |
607 | +} | |
608 | + | |
609 | +/** | |
610 | + * ccs_inode_create - Check permission for creat(). | |
611 | + * | |
612 | + * @dir: Pointer to "struct inode". | |
613 | + * @dentry: Pointer to "struct dentry". | |
614 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
615 | + * @mode: Create mode. | |
616 | + * | |
617 | + * Returns 0 on success, negative value otherwise. | |
618 | + */ | |
619 | +static int ccs_inode_create(struct inode *dir, struct dentry *dentry, | |
620 | + struct vfsmount *mnt, int mode) | |
621 | +{ | |
622 | + int rc = ccs_mknod_permission(dentry, mnt, mode, 0); | |
623 | + if (rc) | |
624 | + return rc; | |
625 | + while (!original_security_ops.inode_create) | |
626 | + smp_rmb(); | |
627 | + return original_security_ops.inode_create(dir, dentry, mnt, mode); | |
628 | +} | |
629 | + | |
630 | +#ifdef CONFIG_SECURITY_NETWORK | |
631 | + | |
632 | +#include <net/sock.h> | |
633 | + | |
634 | +/* Structure for remembering an accept()ed socket's status. */ | |
635 | +struct ccs_socket_tag { | |
636 | + struct list_head list; | |
637 | + struct inode *inode; | |
638 | + int status; | |
639 | + struct rcu_head rcu; | |
640 | +}; | |
641 | + | |
642 | +/* | |
643 | + * List for managing accept()ed sockets. | |
644 | + * Since we don't need to keep an accept()ed socket into this list after | |
645 | + * once the permission was granted, the number of entries in this list is | |
646 | + * likely small. Therefore, we don't use hash tables. | |
647 | + */ | |
648 | +static LIST_HEAD(ccs_accepted_socket_list); | |
649 | +/* Lock for protecting ccs_accepted_socket_list . */ | |
650 | +static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock); | |
651 | + | |
652 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8) | |
653 | + | |
654 | +/** | |
655 | + * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag". | |
656 | + * | |
657 | + * @rcu: Pointer to "struct rcu_head". | |
658 | + * | |
659 | + * Returns nothing. | |
660 | + */ | |
661 | +static void ccs_socket_rcu_free(struct rcu_head *rcu) | |
662 | +{ | |
663 | + struct ccs_socket_tag *ptr = container_of(rcu, typeof(*ptr), rcu); | |
664 | + kfree(ptr); | |
665 | +} | |
666 | + | |
667 | +#else | |
668 | + | |
669 | +/** | |
670 | + * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag". | |
671 | + * | |
672 | + * @arg: Pointer to "void". | |
673 | + * | |
674 | + * Returns nothing. | |
675 | + */ | |
676 | +static void ccs_socket_rcu_free(void *arg) | |
677 | +{ | |
678 | + struct ccs_socket_tag *ptr = arg; | |
679 | + kfree(ptr); | |
680 | +} | |
681 | + | |
682 | +#endif | |
683 | + | |
684 | +/** | |
685 | + * ccs_update_socket_tag - Update tag associated with accept()ed sockets. | |
686 | + * | |
687 | + * @inode: Pointer to "struct inode". | |
688 | + * @status: New status. | |
689 | + * | |
690 | + * Returns nothing. | |
691 | + * | |
692 | + * If @status == 0, memory for that socket will be released after RCU grace | |
693 | + * period. | |
694 | + */ | |
695 | +static void ccs_update_socket_tag(struct inode *inode, int status) | |
696 | +{ | |
697 | + struct ccs_socket_tag *ptr; | |
698 | + /* | |
699 | + * Protect whole section because multiple threads may call this | |
700 | + * function with same "sock" via ccs_validate_socket(). | |
701 | + */ | |
702 | + spin_lock(&ccs_accepted_socket_list_lock); | |
703 | + rcu_read_lock(); | |
704 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
705 | + if (ptr->inode != inode) | |
706 | + continue; | |
707 | + ptr->status = status; | |
708 | + if (status) | |
709 | + break; | |
710 | + list_del_rcu(&ptr->list); | |
711 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8) | |
712 | + call_rcu(&ptr->rcu, ccs_socket_rcu_free); | |
713 | +#else | |
714 | + call_rcu(&ptr->rcu, ccs_socket_rcu_free, ptr); | |
715 | +#endif | |
716 | + break; | |
717 | + } | |
718 | + rcu_read_unlock(); | |
719 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
720 | +} | |
721 | + | |
722 | +/** | |
723 | + * ccs_validate_socket - Check post accept() permission if needed. | |
724 | + * | |
725 | + * @sock: Pointer to "struct socket". | |
726 | + * | |
727 | + * Returns 0 on success, negative value otherwise. | |
728 | + */ | |
729 | +static int ccs_validate_socket(struct socket *sock) | |
730 | +{ | |
731 | + struct inode *inode = SOCK_INODE(sock); | |
732 | + struct ccs_socket_tag *ptr; | |
733 | + int ret = 0; | |
734 | + rcu_read_lock(); | |
735 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
736 | + if (ptr->inode != inode) | |
737 | + continue; | |
738 | + ret = ptr->status; | |
739 | + break; | |
740 | + } | |
741 | + rcu_read_unlock(); | |
742 | + if (ret <= 0) | |
743 | + /* | |
744 | + * This socket is not an accept()ed socket or this socket is | |
745 | + * an accept()ed socket and post accept() permission is done. | |
746 | + */ | |
747 | + return ret; | |
748 | + /* | |
749 | + * Check post accept() permission now. | |
750 | + * | |
751 | + * Strictly speaking, we need to pass both listen()ing socket and | |
752 | + * accept()ed socket to __ccs_socket_post_accept_permission(). | |
753 | + * But since socket's family and type are same for both sockets, | |
754 | + * passing the accept()ed socket in place for the listen()ing socket | |
755 | + * will work. | |
756 | + */ | |
757 | + ret = ccs_socket_post_accept_permission(sock, sock); | |
758 | + /* | |
759 | + * If permission was granted, we forget that this is an accept()ed | |
760 | + * socket. Otherwise, we remember that this socket needs to return | |
761 | + * error for subsequent socketcalls. | |
762 | + */ | |
763 | + ccs_update_socket_tag(inode, ret); | |
764 | + return ret; | |
765 | +} | |
766 | + | |
767 | +/** | |
768 | + * ccs_socket_accept - Check permission for accept(). | |
769 | + * | |
770 | + * @sock: Pointer to "struct socket". | |
771 | + * @newsock: Pointer to "struct socket". | |
772 | + * | |
773 | + * Returns 0 on success, negative value otherwise. | |
774 | + * | |
775 | + * This hook is used for setting up environment for doing post accept() | |
776 | + * permission check. If dereferencing sock->ops->something() were ordered by | |
777 | + * rcu_dereference(), we could replace sock->ops with "a copy of original | |
778 | + * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer() | |
779 | + * in order to do post accept() permission check before returning to userspace. | |
780 | + * If we make the copy in security_socket_post_create(), it would be possible | |
781 | + * to safely replace sock->ops here, but we don't do so because we don't want | |
782 | + * to allocate memory for sockets which do not call sock->ops->accept(). | |
783 | + * Therefore, we do post accept() permission check upon next socket syscalls | |
784 | + * rather than between sock->ops->accept() and returning to userspace. | |
785 | + * This means that if a socket was close()d before calling some socket | |
786 | + * syscalls, post accept() permission check will not be done. | |
787 | + */ | |
788 | +static int ccs_socket_accept(struct socket *sock, struct socket *newsock) | |
789 | +{ | |
790 | + struct ccs_socket_tag *ptr; | |
791 | + int rc = ccs_validate_socket(sock); | |
792 | + if (rc < 0) | |
793 | + return rc; | |
794 | + ptr = kzalloc(sizeof(*ptr), GFP_KERNEL); | |
795 | + if (!ptr) | |
796 | + return -ENOMEM; | |
797 | + while (!original_security_ops.socket_accept) | |
798 | + smp_rmb(); | |
799 | + rc = original_security_ops.socket_accept(sock, newsock); | |
800 | + if (rc) { | |
801 | + kfree(ptr); | |
802 | + return rc; | |
803 | + } | |
804 | + /* | |
805 | + * Subsequent LSM hooks will receive "newsock". Therefore, I mark | |
806 | + * "newsock" as "an accept()ed socket but post accept() permission | |
807 | + * check is not done yet" by allocating memory using inode of the | |
808 | + * "newsock" as a search key. | |
809 | + */ | |
810 | + ptr->inode = SOCK_INODE(newsock); | |
811 | + ptr->status = 1; /* Check post accept() permission later. */ | |
812 | + spin_lock(&ccs_accepted_socket_list_lock); | |
813 | + list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list); | |
814 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
815 | + return 0; | |
816 | +} | |
817 | + | |
818 | +/** | |
819 | + * ccs_socket_listen - Check permission for listen(). | |
820 | + * | |
821 | + * @sock: Pointer to "struct socket". | |
822 | + * @backlog: Backlog parameter. | |
823 | + * | |
824 | + * Returns 0 on success, negative value otherwise. | |
825 | + */ | |
826 | +static int ccs_socket_listen(struct socket *sock, int backlog) | |
827 | +{ | |
828 | + int rc = ccs_validate_socket(sock); | |
829 | + if (rc < 0) | |
830 | + return rc; | |
831 | + rc = ccs_socket_listen_permission(sock); | |
832 | + if (rc) | |
833 | + return rc; | |
834 | + while (!original_security_ops.socket_listen) | |
835 | + smp_rmb(); | |
836 | + return original_security_ops.socket_listen(sock, backlog); | |
837 | +} | |
838 | + | |
839 | +/** | |
840 | + * ccs_socket_connect - Check permission for connect(). | |
841 | + * | |
842 | + * @sock: Pointer to "struct socket". | |
843 | + * @addr: Pointer to "struct sockaddr". | |
844 | + * @addr_len: Size of @addr. | |
845 | + * | |
846 | + * Returns 0 on success, negative value otherwise. | |
847 | + */ | |
848 | +static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr, | |
849 | + int addr_len) | |
850 | +{ | |
851 | + int rc = ccs_validate_socket(sock); | |
852 | + if (rc < 0) | |
853 | + return rc; | |
854 | + rc = ccs_socket_connect_permission(sock, addr, addr_len); | |
855 | + if (rc) | |
856 | + return rc; | |
857 | + while (!original_security_ops.socket_connect) | |
858 | + smp_rmb(); | |
859 | + return original_security_ops.socket_connect(sock, addr, addr_len); | |
860 | +} | |
861 | + | |
862 | +/** | |
863 | + * ccs_socket_bind - Check permission for bind(). | |
864 | + * | |
865 | + * @sock: Pointer to "struct socket". | |
866 | + * @addr: Pointer to "struct sockaddr". | |
867 | + * @addr_len: Size of @addr. | |
868 | + * | |
869 | + * Returns 0 on success, negative value otherwise. | |
870 | + */ | |
871 | +static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr, | |
872 | + int addr_len) | |
873 | +{ | |
874 | + int rc = ccs_validate_socket(sock); | |
875 | + if (rc < 0) | |
876 | + return rc; | |
877 | + rc = ccs_socket_bind_permission(sock, addr, addr_len); | |
878 | + if (rc) | |
879 | + return rc; | |
880 | + while (!original_security_ops.socket_bind) | |
881 | + smp_rmb(); | |
882 | + return original_security_ops.socket_bind(sock, addr, addr_len); | |
883 | +} | |
884 | + | |
885 | +/** | |
886 | + * ccs_socket_sendmsg - Check permission for sendmsg(). | |
887 | + * | |
888 | + * @sock: Pointer to "struct socket". | |
889 | + * @msg: Pointer to "struct msghdr". | |
890 | + * @size: Size of message. | |
891 | + * | |
892 | + * Returns 0 on success, negative value otherwise. | |
893 | + */ | |
894 | +static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg, | |
895 | + int size) | |
896 | +{ | |
897 | + int rc = ccs_validate_socket(sock); | |
898 | + if (rc < 0) | |
899 | + return rc; | |
900 | + rc = ccs_socket_sendmsg_permission(sock, msg, size); | |
901 | + if (rc) | |
902 | + return rc; | |
903 | + while (!original_security_ops.socket_sendmsg) | |
904 | + smp_rmb(); | |
905 | + return original_security_ops.socket_sendmsg(sock, msg, size); | |
906 | +} | |
907 | + | |
908 | +/** | |
909 | + * ccs_socket_recvmsg - Check permission for recvmsg(). | |
910 | + * | |
911 | + * @sock: Pointer to "struct socket". | |
912 | + * @msg: Pointer to "struct msghdr". | |
913 | + * @size: Size of message. | |
914 | + * @flags: Flags. | |
915 | + * | |
916 | + * Returns 0 on success, negative value otherwise. | |
917 | + */ | |
918 | +static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg, | |
919 | + int size, int flags) | |
920 | +{ | |
921 | + int rc = ccs_validate_socket(sock); | |
922 | + if (rc < 0) | |
923 | + return rc; | |
924 | + while (!original_security_ops.socket_recvmsg) | |
925 | + smp_rmb(); | |
926 | + return original_security_ops.socket_recvmsg(sock, msg, size, flags); | |
927 | +} | |
928 | + | |
929 | +/** | |
930 | + * ccs_socket_getsockname - Check permission for getsockname(). | |
931 | + * | |
932 | + * @sock: Pointer to "struct socket". | |
933 | + * | |
934 | + * Returns 0 on success, negative value otherwise. | |
935 | + */ | |
936 | +static int ccs_socket_getsockname(struct socket *sock) | |
937 | +{ | |
938 | + int rc = ccs_validate_socket(sock); | |
939 | + if (rc < 0) | |
940 | + return rc; | |
941 | + while (!original_security_ops.socket_getsockname) | |
942 | + smp_rmb(); | |
943 | + return original_security_ops.socket_getsockname(sock); | |
944 | +} | |
945 | + | |
946 | +/** | |
947 | + * ccs_socket_getpeername - Check permission for getpeername(). | |
948 | + * | |
949 | + * @sock: Pointer to "struct socket". | |
950 | + * | |
951 | + * Returns 0 on success, negative value otherwise. | |
952 | + */ | |
953 | +static int ccs_socket_getpeername(struct socket *sock) | |
954 | +{ | |
955 | + int rc = ccs_validate_socket(sock); | |
956 | + if (rc < 0) | |
957 | + return rc; | |
958 | + while (!original_security_ops.socket_getpeername) | |
959 | + smp_rmb(); | |
960 | + return original_security_ops.socket_getpeername(sock); | |
961 | +} | |
962 | + | |
963 | +/** | |
964 | + * ccs_socket_getsockopt - Check permission for getsockopt(). | |
965 | + * | |
966 | + * @sock: Pointer to "struct socket". | |
967 | + * @level: Level. | |
968 | + * @optname: Option's name, | |
969 | + * | |
970 | + * Returns 0 on success, negative value otherwise. | |
971 | + */ | |
972 | +static int ccs_socket_getsockopt(struct socket *sock, int level, int optname) | |
973 | +{ | |
974 | + int rc = ccs_validate_socket(sock); | |
975 | + if (rc < 0) | |
976 | + return rc; | |
977 | + while (!original_security_ops.socket_getsockopt) | |
978 | + smp_rmb(); | |
979 | + return original_security_ops.socket_getsockopt(sock, level, optname); | |
980 | +} | |
981 | + | |
982 | +/** | |
983 | + * ccs_socket_setsockopt - Check permission for setsockopt(). | |
984 | + * | |
985 | + * @sock: Pointer to "struct socket". | |
986 | + * @level: Level. | |
987 | + * @optname: Option's name, | |
988 | + * | |
989 | + * Returns 0 on success, negative value otherwise. | |
990 | + */ | |
991 | +static int ccs_socket_setsockopt(struct socket *sock, int level, int optname) | |
992 | +{ | |
993 | + int rc = ccs_validate_socket(sock); | |
994 | + if (rc < 0) | |
995 | + return rc; | |
996 | + while (!original_security_ops.socket_setsockopt) | |
997 | + smp_rmb(); | |
998 | + return original_security_ops.socket_setsockopt(sock, level, optname); | |
999 | +} | |
1000 | + | |
1001 | +/** | |
1002 | + * ccs_socket_shutdown - Check permission for shutdown(). | |
1003 | + * | |
1004 | + * @sock: Pointer to "struct socket". | |
1005 | + * @how: Shutdown mode. | |
1006 | + * | |
1007 | + * Returns 0 on success, negative value otherwise. | |
1008 | + */ | |
1009 | +static int ccs_socket_shutdown(struct socket *sock, int how) | |
1010 | +{ | |
1011 | + int rc = ccs_validate_socket(sock); | |
1012 | + if (rc < 0) | |
1013 | + return rc; | |
1014 | + while (!original_security_ops.socket_shutdown) | |
1015 | + smp_rmb(); | |
1016 | + return original_security_ops.socket_shutdown(sock, how); | |
1017 | +} | |
1018 | + | |
1019 | +#define SOCKFS_MAGIC 0x534F434B | |
1020 | + | |
1021 | +/** | |
1022 | + * ccs_inode_free_security - Release memory associated with an inode. | |
1023 | + * | |
1024 | + * @inode: Pointer to "struct inode". | |
1025 | + * | |
1026 | + * Returns nothing. | |
1027 | + * | |
1028 | + * We use this hook for releasing memory associated with an accept()ed socket. | |
1029 | + */ | |
1030 | +static void ccs_inode_free_security(struct inode *inode) | |
1031 | +{ | |
1032 | + while (!original_security_ops.inode_free_security) | |
1033 | + smp_rmb(); | |
1034 | + original_security_ops.inode_free_security(inode); | |
1035 | + if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC) | |
1036 | + ccs_update_socket_tag(inode, 0); | |
1037 | +} | |
1038 | + | |
1039 | +#endif | |
1040 | + | |
1041 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24) | |
1042 | + | |
1043 | +/** | |
1044 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
1045 | + * | |
1046 | + * @old_nd: Pointer to "struct nameidata". | |
1047 | + * @new_nd: Pointer to "struct nameidata". | |
1048 | + * | |
1049 | + * Returns 0 on success, negative value otherwise. | |
1050 | + */ | |
1051 | +static int ccs_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) | |
1052 | +{ | |
1053 | + int rc = ccs_pivot_root_permission(old_nd, new_nd); | |
1054 | + if (rc) | |
1055 | + return rc; | |
1056 | + while (!original_security_ops.sb_pivotroot) | |
1057 | + smp_rmb(); | |
1058 | + return original_security_ops.sb_pivotroot(old_nd, new_nd); | |
1059 | +} | |
1060 | + | |
1061 | +/** | |
1062 | + * ccs_sb_mount - Check permission for mount(). | |
1063 | + * | |
1064 | + * @dev_name: Name of device file. | |
1065 | + * @nd: Pointer to "struct nameidata". | |
1066 | + * @type: Name of filesystem type. Maybe NULL. | |
1067 | + * @flags: Mount options. | |
1068 | + * @data_page: Optional data. Maybe NULL. | |
1069 | + * | |
1070 | + * Returns 0 on success, negative value otherwise. | |
1071 | + */ | |
1072 | +static int ccs_sb_mount(char *dev_name, struct nameidata *nd, char *type, | |
1073 | + unsigned long flags, void *data_page) | |
1074 | +{ | |
1075 | + int rc = ccs_mount_permission(dev_name, nd, type, flags, data_page); | |
1076 | + if (rc) | |
1077 | + return rc; | |
1078 | + while (!original_security_ops.sb_mount) | |
1079 | + smp_rmb(); | |
1080 | + return original_security_ops.sb_mount(dev_name, nd, type, flags, | |
1081 | + data_page); | |
1082 | +} | |
1083 | + | |
1084 | +#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 26) | |
1085 | + | |
1086 | +/** | |
1087 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
1088 | + * | |
1089 | + * @old_nd: Pointer to "struct nameidata". | |
1090 | + * @new_nd: Pointer to "struct nameidata". | |
1091 | + * | |
1092 | + * Returns 0 on success, negative value otherwise. | |
1093 | + */ | |
1094 | +static int ccs_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) | |
1095 | +{ | |
1096 | + int rc = ccs_pivot_root_permission(&old_nd->path, &new_nd->path); | |
1097 | + if (rc) | |
1098 | + return rc; | |
1099 | + while (!original_security_ops.sb_pivotroot) | |
1100 | + smp_rmb(); | |
1101 | + return original_security_ops.sb_pivotroot(old_nd, new_nd); | |
1102 | +} | |
1103 | + | |
1104 | +/** | |
1105 | + * ccs_sb_mount - Check permission for mount(). | |
1106 | + * | |
1107 | + * @dev_name: Name of device file. | |
1108 | + * @nd: Pointer to "struct nameidata". | |
1109 | + * @type: Name of filesystem type. Maybe NULL. | |
1110 | + * @flags: Mount options. | |
1111 | + * @data_page: Optional data. Maybe NULL. | |
1112 | + * | |
1113 | + * Returns 0 on success, negative value otherwise. | |
1114 | + */ | |
1115 | +static int ccs_sb_mount(char *dev_name, struct nameidata *nd, char *type, | |
1116 | + unsigned long flags, void *data_page) | |
1117 | +{ | |
1118 | + int rc = ccs_mount_permission(dev_name, &nd->path, type, flags, | |
1119 | + data_page); | |
1120 | + if (rc) | |
1121 | + return rc; | |
1122 | + while (!original_security_ops.sb_mount) | |
1123 | + smp_rmb(); | |
1124 | + return original_security_ops.sb_mount(dev_name, nd, type, flags, | |
1125 | + data_page); | |
1126 | +} | |
1127 | + | |
1128 | +#else | |
1129 | + | |
1130 | +/** | |
1131 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
1132 | + * | |
1133 | + * @old_path: Pointer to "struct path". | |
1134 | + * @new_path: Pointer to "struct path". | |
1135 | + * | |
1136 | + * Returns 0 on success, negative value otherwise. | |
1137 | + */ | |
1138 | +static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path) | |
1139 | +{ | |
1140 | + int rc = ccs_pivot_root_permission(old_path, new_path); | |
1141 | + if (rc) | |
1142 | + return rc; | |
1143 | + while (!original_security_ops.sb_pivotroot) | |
1144 | + smp_rmb(); | |
1145 | + return original_security_ops.sb_pivotroot(old_path, new_path); | |
1146 | +} | |
1147 | + | |
1148 | +/** | |
1149 | + * ccs_sb_mount - Check permission for mount(). | |
1150 | + * | |
1151 | + * @dev_name: Name of device file. | |
1152 | + * @path: Pointer to "struct path". | |
1153 | + * @type: Name of filesystem type. Maybe NULL. | |
1154 | + * @flags: Mount options. | |
1155 | + * @data_page: Optional data. Maybe NULL. | |
1156 | + * | |
1157 | + * Returns 0 on success, negative value otherwise. | |
1158 | + */ | |
1159 | +static int ccs_sb_mount(char *dev_name, struct path *path, char *type, | |
1160 | + unsigned long flags, void *data_page) | |
1161 | +{ | |
1162 | + int rc = ccs_mount_permission(dev_name, path, type, flags, data_page); | |
1163 | + if (rc) | |
1164 | + return rc; | |
1165 | + while (!original_security_ops.sb_mount) | |
1166 | + smp_rmb(); | |
1167 | + return original_security_ops.sb_mount(dev_name, path, type, flags, | |
1168 | + data_page); | |
1169 | +} | |
1170 | + | |
1171 | +#endif | |
1172 | + | |
1173 | +/** | |
1174 | + * ccs_sb_umount - Check permission for umount(). | |
1175 | + * | |
1176 | + * @mnt: Pointer to "struct vfsmount". | |
1177 | + * @flags: Unmount flags. | |
1178 | + * | |
1179 | + * Returns 0 on success, negative value otherwise. | |
1180 | + */ | |
1181 | +static int ccs_sb_umount(struct vfsmount *mnt, int flags) | |
1182 | +{ | |
1183 | + int rc = ccs_umount_permission(mnt, flags); | |
1184 | + if (rc) | |
1185 | + return rc; | |
1186 | + while (!original_security_ops.sb_umount) | |
1187 | + smp_rmb(); | |
1188 | + return original_security_ops.sb_umount(mnt, flags); | |
1189 | +} | |
1190 | + | |
1191 | +/** | |
1192 | + * ccs_file_fcntl - Check permission for fcntl(). | |
1193 | + * | |
1194 | + * @file: Pointer to "struct file". | |
1195 | + * @cmd: Command number. | |
1196 | + * @arg: Value for @cmd. | |
1197 | + * | |
1198 | + * Returns 0 on success, negative value otherwise. | |
1199 | + */ | |
1200 | +static int ccs_file_fcntl(struct file *file, unsigned int cmd, | |
1201 | + unsigned long arg) | |
1202 | +{ | |
1203 | + int rc = ccs_fcntl_permission(file, cmd, arg); | |
1204 | + if (rc) | |
1205 | + return rc; | |
1206 | + while (!original_security_ops.file_fcntl) | |
1207 | + smp_rmb(); | |
1208 | + return original_security_ops.file_fcntl(file, cmd, arg); | |
1209 | +} | |
1210 | + | |
1211 | +/** | |
1212 | + * ccs_file_ioctl - Check permission for ioctl(). | |
1213 | + * | |
1214 | + * @filp: Pointer to "struct file". | |
1215 | + * @cmd: Command number. | |
1216 | + * @arg: Value for @cmd. | |
1217 | + * | |
1218 | + * Returns 0 on success, negative value otherwise. | |
1219 | + */ | |
1220 | +static int ccs_file_ioctl(struct file *filp, unsigned int cmd, | |
1221 | + unsigned long arg) | |
1222 | +{ | |
1223 | + int rc = ccs_ioctl_permission(filp, cmd, arg); | |
1224 | + if (rc) | |
1225 | + return rc; | |
1226 | + while (!original_security_ops.file_ioctl) | |
1227 | + smp_rmb(); | |
1228 | + return original_security_ops.file_ioctl(filp, cmd, arg); | |
1229 | +} | |
1230 | + | |
1231 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) && defined(CONFIG_SYSCTL_SYSCALL) | |
1232 | +int ccs_path_permission(struct ccs_request_info *r, u8 operation, | |
1233 | + const struct ccs_path_info *filename); | |
1234 | + | |
1235 | +/** | |
1236 | + * ccs_prepend - Copy of prepend() in fs/dcache.c. | |
1237 | + * | |
1238 | + * @buffer: Pointer to "struct char *". | |
1239 | + * @buflen: Pointer to int which holds size of @buffer. | |
1240 | + * @str: String to copy. | |
1241 | + * | |
1242 | + * Returns 0 on success, negative value otherwise. | |
1243 | + * | |
1244 | + * @buffer and @buflen are updated upon success. | |
1245 | + */ | |
1246 | +static int ccs_prepend(char **buffer, int *buflen, const char *str) | |
1247 | +{ | |
1248 | + int namelen = strlen(str); | |
1249 | + if (*buflen < namelen) | |
1250 | + return -ENOMEM; | |
1251 | + *buflen -= namelen; | |
1252 | + *buffer -= namelen; | |
1253 | + memcpy(*buffer, str, namelen); | |
1254 | + return 0; | |
1255 | +} | |
1256 | + | |
1257 | +/** | |
1258 | + * ccs_sysctl_permission - Check permission for sysctl(). | |
1259 | + * | |
1260 | + * @table: Pointer to "struct ctl_table". | |
1261 | + * @op: Operation. (MAY_READ and/or MAY_WRITE) | |
1262 | + * | |
1263 | + * Returns 0 on success, negative value otherwise. | |
1264 | + */ | |
1265 | +static int ccs_sysctl(struct ctl_table *table, int op) | |
1266 | +{ | |
1267 | + int error; | |
1268 | + struct ccs_path_info buf; | |
1269 | + struct ccs_request_info r; | |
1270 | + int buflen; | |
1271 | + char *buffer; | |
1272 | + int idx; | |
1273 | + while (!original_security_ops.sysctl) | |
1274 | + smp_rmb(); | |
1275 | + error = original_security_ops.sysctl(table, op); | |
1276 | + if (error) | |
1277 | + return error; | |
1278 | + op &= MAY_READ | MAY_WRITE; | |
1279 | + if (!op) | |
1280 | + return 0; | |
1281 | + buffer = NULL; | |
1282 | + buf.name = NULL; | |
1283 | + idx = ccs_read_lock(); | |
1284 | + if (ccs_init_request_info(&r, CCS_MAC_FILE_OPEN) | |
1285 | + == CCS_CONFIG_DISABLED) | |
1286 | + goto out; | |
1287 | + error = -ENOMEM; | |
1288 | + buflen = 4096; | |
1289 | + buffer = kmalloc(buflen, CCS_GFP_FLAGS); | |
1290 | + if (buffer) { | |
1291 | + char *end = buffer + buflen; | |
1292 | + *--end = '\0'; | |
1293 | + buflen--; | |
1294 | + while (table) { | |
1295 | + char num[32]; | |
1296 | + const char *sp = table->procname; | |
1297 | + if (!sp) { | |
1298 | + memset(num, 0, sizeof(num)); | |
1299 | + snprintf(num, sizeof(num) - 1, "=%d=", | |
1300 | + table->ctl_name); | |
1301 | + sp = num; | |
1302 | + } | |
1303 | + if (ccs_prepend(&end, &buflen, sp) || | |
1304 | + ccs_prepend(&end, &buflen, "/")) | |
1305 | + goto out; | |
1306 | + table = table->parent; | |
1307 | + } | |
1308 | + if (ccs_prepend(&end, &buflen, "proc:/sys")) | |
1309 | + goto out; | |
1310 | + buf.name = ccs_encode(end); | |
1311 | + } | |
1312 | + if (buf.name) { | |
1313 | + ccs_fill_path_info(&buf); | |
1314 | + if (op & MAY_READ) | |
1315 | + error = ccs_path_permission(&r, CCS_TYPE_READ, &buf); | |
1316 | + else | |
1317 | + error = 0; | |
1318 | + if (!error && (op & MAY_WRITE)) | |
1319 | + error = ccs_path_permission(&r, CCS_TYPE_WRITE, &buf); | |
1320 | + } | |
1321 | +out: | |
1322 | + ccs_read_unlock(idx); | |
1323 | + kfree(buf.name); | |
1324 | + kfree(buffer); | |
1325 | + return error; | |
1326 | +} | |
1327 | + | |
1328 | +#endif | |
1329 | + | |
1330 | +/* | |
1331 | + * Why not to copy all operations by "original_security_ops = *ops" ? | |
1332 | + * Because copying byte array is not atomic. Reader checks | |
1333 | + * original_security_ops.op != NULL before doing original_security_ops.op(). | |
1334 | + * Thus, modifying original_security_ops.op has to be atomic. | |
1335 | + */ | |
1336 | +#define swap_security_ops(op) \ | |
1337 | + original_security_ops.op = ops->op; smp_wmb(); ops->op = ccs_##op; | |
1338 | + | |
1339 | +/** | |
1340 | + * ccs_update_security_ops - Overwrite original "struct security_operations". | |
1341 | + * | |
1342 | + * @ops: Pointer to "struct security_operations". | |
1343 | + * | |
1344 | + * Returns nothing. | |
1345 | + */ | |
1346 | +static void __init ccs_update_security_ops(struct security_operations *ops) | |
1347 | +{ | |
1348 | + /* Security context allocator. */ | |
1349 | + swap_security_ops(task_alloc_security); | |
1350 | + swap_security_ops(task_free_security); | |
1351 | + swap_security_ops(bprm_alloc_security); | |
1352 | + swap_security_ops(bprm_free_security); | |
1353 | + /* Security context updater for successful execve(). */ | |
1354 | + swap_security_ops(bprm_check_security); | |
1355 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 6) | |
1356 | + swap_security_ops(bprm_compute_creds); | |
1357 | +#else | |
1358 | + swap_security_ops(bprm_apply_creds); | |
1359 | +#endif | |
1360 | + /* Various permission checker. */ | |
1361 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) | |
1362 | + swap_security_ops(dentry_open); | |
1363 | +#else | |
1364 | + swap_security_ops(inode_permission); | |
1365 | +#endif | |
1366 | + swap_security_ops(file_fcntl); | |
1367 | + swap_security_ops(file_ioctl); | |
1368 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) && defined(CONFIG_SYSCTL_SYSCALL) | |
1369 | + swap_security_ops(sysctl); | |
1370 | +#endif | |
1371 | + swap_security_ops(sb_pivotroot); | |
1372 | + swap_security_ops(sb_mount); | |
1373 | + swap_security_ops(sb_umount); | |
1374 | + swap_security_ops(inode_mknod); | |
1375 | + swap_security_ops(inode_mkdir); | |
1376 | + swap_security_ops(inode_rmdir); | |
1377 | + swap_security_ops(inode_unlink); | |
1378 | + swap_security_ops(inode_symlink); | |
1379 | + swap_security_ops(inode_rename); | |
1380 | + swap_security_ops(inode_link); | |
1381 | + swap_security_ops(inode_create); | |
1382 | + swap_security_ops(inode_setattr); | |
1383 | + swap_security_ops(inode_getattr); | |
1384 | +#ifdef CONFIG_SECURITY_NETWORK | |
1385 | + swap_security_ops(socket_bind); | |
1386 | + swap_security_ops(socket_connect); | |
1387 | + swap_security_ops(socket_listen); | |
1388 | + swap_security_ops(socket_sendmsg); | |
1389 | + swap_security_ops(socket_recvmsg); | |
1390 | + swap_security_ops(socket_getsockname); | |
1391 | + swap_security_ops(socket_getpeername); | |
1392 | + swap_security_ops(socket_getsockopt); | |
1393 | + swap_security_ops(socket_setsockopt); | |
1394 | + swap_security_ops(socket_shutdown); | |
1395 | + swap_security_ops(socket_accept); | |
1396 | + swap_security_ops(inode_free_security); | |
1397 | +#endif | |
1398 | +} | |
1399 | + | |
1400 | +#undef swap_security_ops | |
1401 | + | |
1402 | +/** | |
1403 | + * ccs_init - Initialize this module. | |
1404 | + * | |
1405 | + * Returns 0 on success, negative value otherwise. | |
1406 | + */ | |
1407 | +static int __init ccs_init(void) | |
1408 | +{ | |
1409 | + struct security_operations *ops = probe_security_ops(); | |
1410 | + if (!ops) | |
1411 | + goto out; | |
1412 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) | |
1413 | + ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid(); | |
1414 | + if (!ccsecurity_exports.find_task_by_vpid) | |
1415 | + goto out; | |
1416 | + ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns(); | |
1417 | + if (!ccsecurity_exports.find_task_by_pid_ns) | |
1418 | + goto out; | |
1419 | +#endif | |
1420 | + ccsecurity_exports.vfsmount_lock = probe_vfsmount_lock(); | |
1421 | + if (!ccsecurity_exports.vfsmount_lock) | |
1422 | + goto out; | |
1423 | + ccs_main_init(); | |
1424 | + ccs_update_security_ops(ops); | |
1425 | + printk(KERN_INFO "AKARI: 1.0.40 2019/12/25\n"); | |
1426 | + printk(KERN_INFO | |
1427 | + "Access Keeping And Regulating Instrument registered.\n"); | |
1428 | + return 0; | |
1429 | +out: | |
1430 | + return -EINVAL; | |
1431 | +} | |
1432 | + | |
1433 | +module_init(ccs_init); | |
1434 | +MODULE_LICENSE("GPL"); | |
1435 | + | |
1436 | +/** | |
1437 | + * ccs_used_by_cred - Check whether the given domain is in use or not. | |
1438 | + * | |
1439 | + * @domain: Pointer to "struct ccs_domain_info". | |
1440 | + * | |
1441 | + * Returns true if @domain is in use, false otherwise. | |
1442 | + * | |
1443 | + * Caller holds rcu_read_lock(). | |
1444 | + */ | |
1445 | +bool ccs_used_by_cred(const struct ccs_domain_info *domain) | |
1446 | +{ | |
1447 | + return false; | |
1448 | +} | |
1449 | + | |
1450 | +/** | |
1451 | + * ccs_add_task_security - Add "struct ccs_security" to list. | |
1452 | + * | |
1453 | + * @ptr: Pointer to "struct ccs_security". | |
1454 | + * @list: Pointer to "struct list_head". | |
1455 | + * | |
1456 | + * Returns nothing. | |
1457 | + */ | |
1458 | +static void ccs_add_task_security(struct ccs_security *ptr, | |
1459 | + struct list_head *list) | |
1460 | +{ | |
1461 | + unsigned long flags; | |
1462 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
1463 | + list_add_rcu(&ptr->list, list); | |
1464 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
1465 | +} | |
1466 | + | |
1467 | +/** | |
1468 | + * __ccs_alloc_task_security - Allocate memory for new tasks. | |
1469 | + * | |
1470 | + * @task: Pointer to "struct task_struct". | |
1471 | + * | |
1472 | + * Returns 0 on success, negative value otherwise. | |
1473 | + */ | |
1474 | +static int __ccs_alloc_task_security(const struct task_struct *task) | |
1475 | +{ | |
1476 | + struct ccs_security *old_security = ccs_current_security(); | |
1477 | + struct ccs_security *new_security = kzalloc(sizeof(*new_security), | |
1478 | + GFP_KERNEL); | |
1479 | + struct list_head *list = &ccs_task_security_list | |
1480 | + [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)]; | |
1481 | + if (!new_security) | |
1482 | + return -ENOMEM; | |
1483 | + new_security->task = task; | |
1484 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
1485 | + new_security->ccs_flags = old_security->ccs_flags; | |
1486 | + ccs_add_task_security(new_security, list); | |
1487 | + return 0; | |
1488 | +} | |
1489 | + | |
1490 | +/** | |
1491 | + * ccs_find_task_security - Find "struct ccs_security" for given task. | |
1492 | + * | |
1493 | + * @task: Pointer to "struct task_struct". | |
1494 | + * | |
1495 | + * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on | |
1496 | + * out of memory, &ccs_default_security otherwise. | |
1497 | + * | |
1498 | + * If @task is current thread and "struct ccs_security" for current thread was | |
1499 | + * not found, I try to allocate it. But if allocation failed, current thread | |
1500 | + * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL | |
1501 | + * won't work. | |
1502 | + */ | |
1503 | +struct ccs_security *ccs_find_task_security(const struct task_struct *task) | |
1504 | +{ | |
1505 | + struct ccs_security *ptr; | |
1506 | + struct list_head *list = &ccs_task_security_list | |
1507 | + [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)]; | |
1508 | + /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */ | |
1509 | + while (!list->next) | |
1510 | + smp_rmb(); | |
1511 | + rcu_read_lock(); | |
1512 | + list_for_each_entry_rcu(ptr, list, list) { | |
1513 | + if (ptr->task != task) | |
1514 | + continue; | |
1515 | + rcu_read_unlock(); | |
1516 | + return ptr; | |
1517 | + } | |
1518 | + rcu_read_unlock(); | |
1519 | + if (task != current) | |
1520 | + return &ccs_default_security; | |
1521 | + /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */ | |
1522 | + ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC); | |
1523 | + if (!ptr) { | |
1524 | + printk(KERN_WARNING "Unable to allocate memory for pid=%u\n", | |
1525 | + task->pid); | |
1526 | + send_sig(SIGKILL, current, 0); | |
1527 | + return &ccs_oom_security; | |
1528 | + } | |
1529 | + *ptr = ccs_default_security; | |
1530 | + ptr->task = task; | |
1531 | + ccs_add_task_security(ptr, list); | |
1532 | + return ptr; | |
1533 | +} | |
1534 | + | |
1535 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8) | |
1536 | + | |
1537 | +/** | |
1538 | + * ccs_rcu_free - RCU callback for releasing "struct ccs_security". | |
1539 | + * | |
1540 | + * @rcu: Pointer to "struct rcu_head". | |
1541 | + * | |
1542 | + * Returns nothing. | |
1543 | + */ | |
1544 | +static void ccs_rcu_free(struct rcu_head *rcu) | |
1545 | +{ | |
1546 | + struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu); | |
1547 | + kfree(ptr); | |
1548 | +} | |
1549 | + | |
1550 | +#else | |
1551 | + | |
1552 | +/** | |
1553 | + * ccs_rcu_free - RCU callback for releasing "struct ccs_security". | |
1554 | + * | |
1555 | + * @arg: Pointer to "void". | |
1556 | + * | |
1557 | + * Returns nothing. | |
1558 | + */ | |
1559 | +static void ccs_rcu_free(void *arg) | |
1560 | +{ | |
1561 | + struct ccs_security *ptr = arg; | |
1562 | + kfree(ptr); | |
1563 | +} | |
1564 | + | |
1565 | +#endif | |
1566 | + | |
1567 | +/** | |
1568 | + * __ccs_free_task_security - Release memory associated with "struct task_struct". | |
1569 | + * | |
1570 | + * @task: Pointer to "struct task_struct". | |
1571 | + * | |
1572 | + * Returns nothing. | |
1573 | + */ | |
1574 | +static void __ccs_free_task_security(const struct task_struct *task) | |
1575 | +{ | |
1576 | + unsigned long flags; | |
1577 | + struct ccs_security *ptr = ccs_find_task_security(task); | |
1578 | + if (ptr == &ccs_default_security || ptr == &ccs_oom_security) | |
1579 | + return; | |
1580 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
1581 | + list_del_rcu(&ptr->list); | |
1582 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
1583 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8) | |
1584 | + call_rcu(&ptr->rcu, ccs_rcu_free); | |
1585 | +#else | |
1586 | + call_rcu(&ptr->rcu, ccs_rcu_free, ptr); | |
1587 | +#endif | |
1588 | +} |
@@ -0,0 +1,1568 @@ | ||
1 | +/* | |
2 | + * lsm.c | |
3 | + * | |
4 | + * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | |
5 | + * | |
6 | + * Version: 1.0.40 2019/12/25 | |
7 | + */ | |
8 | + | |
9 | +#include "internal.h" | |
10 | +#include "probe.h" | |
11 | + | |
12 | +/* Prototype definition. */ | |
13 | + | |
14 | +static int __ccs_alloc_task_security(const struct task_struct *task); | |
15 | +static void __ccs_free_task_security(const struct task_struct *task); | |
16 | + | |
17 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
18 | +static struct ccs_security ccs_oom_security = { | |
19 | + .ccs_domain_info = &ccs_kernel_domain | |
20 | +}; | |
21 | + | |
22 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
23 | +static struct ccs_security ccs_default_security = { | |
24 | + .ccs_domain_info = &ccs_kernel_domain | |
25 | +}; | |
26 | + | |
27 | +/* List of "struct ccs_security". */ | |
28 | +struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH]; | |
29 | +/* Lock for protecting ccs_task_security_list[]. */ | |
30 | +static DEFINE_SPINLOCK(ccs_task_security_list_lock); | |
31 | + | |
32 | +/* Dummy marker for calling security_bprm_free(). */ | |
33 | +static const unsigned long ccs_bprm_security; | |
34 | + | |
35 | +/* For exporting variables and functions. */ | |
36 | +struct ccsecurity_exports ccsecurity_exports; | |
37 | +/* Members are updated by loadable kernel module. */ | |
38 | +struct ccsecurity_operations ccsecurity_ops; | |
39 | + | |
40 | +/* Function pointers originally registered by register_security(). */ | |
41 | +static struct security_operations original_security_ops /* = *security_ops; */; | |
42 | + | |
43 | +#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT | |
44 | + | |
45 | +/** | |
46 | + * ccs_update_ee_counter - Update "struct ccs_execve" counter. | |
47 | + * | |
48 | + * @count: Count to increment or decrement. | |
49 | + * | |
50 | + * Returns updated counter. | |
51 | + */ | |
52 | +static unsigned int ccs_update_ee_counter(int count) | |
53 | +{ | |
54 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 10) || defined(atomic_add_return) | |
55 | + /* Debug counter for detecting "struct ccs_execve" memory leak. */ | |
56 | + static atomic_t ccs_ee_counter = ATOMIC_INIT(0); | |
57 | + return atomic_add_return(count, &ccs_ee_counter); | |
58 | +#else | |
59 | + static DEFINE_SPINLOCK(ccs_ee_lock); | |
60 | + static unsigned int ccs_ee_counter; | |
61 | + unsigned long flags; | |
62 | + spin_lock_irqsave(&ccs_ee_lock, flags); | |
63 | + ccs_ee_counter += count; | |
64 | + count = ccs_ee_counter; | |
65 | + spin_unlock_irqrestore(&ccs_ee_lock, flags); | |
66 | + return count; | |
67 | +#endif | |
68 | +} | |
69 | + | |
70 | +/** | |
71 | + * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve". | |
72 | + * | |
73 | + * @ee: Pointer to "struct ccs_execve". | |
74 | + * | |
75 | + * Returns nothing. | |
76 | + */ | |
77 | +void ccs_audit_alloc_execve(const struct ccs_execve * const ee) | |
78 | +{ | |
79 | + printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee, | |
80 | + current->pid, ccs_update_ee_counter(1) - 1); | |
81 | +} | |
82 | + | |
83 | +/** | |
84 | + * ccs_audit_free_execve - Audit release of "struct ccs_execve". | |
85 | + * | |
86 | + * @ee: Pointer to "struct ccs_execve". | |
87 | + * @task: True if released by current task, false otherwise. | |
88 | + * | |
89 | + * Returns nothing. | |
90 | + */ | |
91 | +void ccs_audit_free_execve(const struct ccs_execve * const ee, | |
92 | + const bool is_current) | |
93 | +{ | |
94 | + const unsigned int tmp = ccs_update_ee_counter(-1); | |
95 | + if (is_current) | |
96 | + printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n", | |
97 | + ee, current->pid, tmp); | |
98 | + else | |
99 | + printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n", | |
100 | + ee, tmp); | |
101 | +} | |
102 | + | |
103 | +#endif | |
104 | + | |
105 | +#if !defined(CONFIG_AKARI_DEBUG) | |
106 | +#define ccs_debug_trace(pos) do { } while (0) | |
107 | +#else | |
108 | +#define ccs_debug_trace(pos) \ | |
109 | + do { \ | |
110 | + static bool done; \ | |
111 | + if (!done) { \ | |
112 | + printk(KERN_INFO \ | |
113 | + "AKARI: Debug trace: " pos " of 4\n"); \ | |
114 | + done = true; \ | |
115 | + } \ | |
116 | + } while (0) | |
117 | +#endif | |
118 | + | |
119 | +/** | |
120 | + * ccs_clear_execve - Release memory used by do_execve(). | |
121 | + * | |
122 | + * @ret: 0 if do_execve() succeeded, negative value otherwise. | |
123 | + * @security: Pointer to "struct ccs_security". | |
124 | + * | |
125 | + * Returns nothing. | |
126 | + */ | |
127 | +static void ccs_clear_execve(int ret, struct ccs_security *security) | |
128 | +{ | |
129 | + struct ccs_execve *ee; | |
130 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
131 | + return; | |
132 | + ee = security->ee; | |
133 | + security->ee = NULL; | |
134 | + if (!ee) | |
135 | + return; | |
136 | + ccs_finish_execve(ret, ee); | |
137 | +} | |
138 | + | |
139 | +/** | |
140 | + * ccs_task_alloc_security - Allocate memory for new tasks. | |
141 | + * | |
142 | + * @p: Pointer to "struct task_struct". | |
143 | + * | |
144 | + * Returns 0 on success, negative value otherwise. | |
145 | + */ | |
146 | +static int ccs_task_alloc_security(struct task_struct *p) | |
147 | +{ | |
148 | + int rc = __ccs_alloc_task_security(p); | |
149 | + if (rc) | |
150 | + return rc; | |
151 | + while (!original_security_ops.task_alloc_security) | |
152 | + smp_rmb(); | |
153 | + rc = original_security_ops.task_alloc_security(p); | |
154 | + if (rc) | |
155 | + __ccs_free_task_security(p); | |
156 | + return rc; | |
157 | +} | |
158 | + | |
159 | +/** | |
160 | + * ccs_task_free_security - Release memory for "struct task_struct". | |
161 | + * | |
162 | + * @p: Pointer to "struct task_struct". | |
163 | + * | |
164 | + * Returns nothing. | |
165 | + */ | |
166 | +static void ccs_task_free_security(struct task_struct *p) | |
167 | +{ | |
168 | + while (!original_security_ops.task_free_security) | |
169 | + smp_rmb(); | |
170 | + original_security_ops.task_free_security(p); | |
171 | + __ccs_free_task_security(p); | |
172 | +} | |
173 | + | |
174 | +/** | |
175 | + * ccs_bprm_alloc_security - Allocate memory for "struct linux_binprm". | |
176 | + * | |
177 | + * @bprm: Pointer to "struct linux_binprm". | |
178 | + * | |
179 | + * Returns 0 on success, negative value otherwise. | |
180 | + */ | |
181 | +static int ccs_bprm_alloc_security(struct linux_binprm *bprm) | |
182 | +{ | |
183 | + int rc; | |
184 | + while (!original_security_ops.bprm_alloc_security) | |
185 | + smp_rmb(); | |
186 | + rc = original_security_ops.bprm_alloc_security(bprm); | |
187 | + if (bprm->security || rc) | |
188 | + return rc; | |
189 | + /* | |
190 | + * Update bprm->security to &ccs_bprm_security so that | |
191 | + * security_bprm_free() is called even if do_execve() failed at | |
192 | + * search_binary_handler() without allocating memory at | |
193 | + * security_bprm_alloc(). This trick assumes that active LSM module | |
194 | + * does not access bprm->security if that module did not allocate | |
195 | + * memory at security_bprm_alloc(). | |
196 | + */ | |
197 | + bprm->security = (void *) &ccs_bprm_security; | |
198 | + return 0; | |
199 | +} | |
200 | + | |
201 | +/** | |
202 | + * ccs_bprm_free_security - Release memory for "struct linux_binprm". | |
203 | + * | |
204 | + * @bprm: Pointer to "struct linux_binprm". | |
205 | + * | |
206 | + * Returns nothing. | |
207 | + */ | |
208 | +static void ccs_bprm_free_security(struct linux_binprm *bprm) | |
209 | +{ | |
210 | + /* | |
211 | + * If do_execve() succeeded, bprm->security will be updated to NULL at | |
212 | + * security_bprm_compute_creds()/security_bprm_apply_creds() if | |
213 | + * bprm->security was set to &ccs_bprm_security at | |
214 | + * security_bprm_alloc(). | |
215 | + * | |
216 | + * If do_execve() failed, bprm->security remains at &ccs_bprm_security | |
217 | + * if bprm->security was set to &ccs_bprm_security at | |
218 | + * security_bprm_alloc(). | |
219 | + * | |
220 | + * And do_execve() does not call security_bprm_free() if do_execve() | |
221 | + * failed and bprm->security == NULL. Therefore, do not call | |
222 | + * original_security_ops.bprm_free_security() if bprm->security remains | |
223 | + * at &ccs_bprm_security . | |
224 | + */ | |
225 | + if (bprm->security != &ccs_bprm_security) { | |
226 | + while (!original_security_ops.bprm_free_security) | |
227 | + smp_rmb(); | |
228 | + original_security_ops.bprm_free_security(bprm); | |
229 | + } | |
230 | + /* | |
231 | + * If do_execve() succeeded, | |
232 | + * ccs_clear_execve(0, ccs_current_security()); | |
233 | + * is called before calling below one. | |
234 | + * Thus, below call becomes no-op if do_execve() succeeded. | |
235 | + */ | |
236 | + ccs_clear_execve(-1, ccs_current_security()); | |
237 | +} | |
238 | + | |
239 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 6) | |
240 | + | |
241 | +/** | |
242 | + * ccs_bprm_compute_creds - A hook which is called when do_execve() succeeded. | |
243 | + * | |
244 | + * @bprm: Pointer to "struct linux_binprm". | |
245 | + * | |
246 | + * Returns nothing. | |
247 | + */ | |
248 | +static void ccs_bprm_compute_creds(struct linux_binprm *bprm) | |
249 | +{ | |
250 | + if (bprm->security == &ccs_bprm_security) | |
251 | + bprm->security = NULL; | |
252 | + while (!original_security_ops.bprm_compute_creds) | |
253 | + smp_rmb(); | |
254 | + original_security_ops.bprm_compute_creds(bprm); | |
255 | + ccs_clear_execve(0, ccs_current_security()); | |
256 | +} | |
257 | + | |
258 | +#else | |
259 | + | |
260 | +/** | |
261 | + * ccs_bprm_apply_creds - A hook which is called when do_execve() succeeded. | |
262 | + * | |
263 | + * @bprm: Pointer to "struct linux_binprm". | |
264 | + * @unsafe: Unsafe flag. | |
265 | + * | |
266 | + * Returns nothing. | |
267 | + */ | |
268 | +static void ccs_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | |
269 | +{ | |
270 | + if (bprm->security == &ccs_bprm_security) | |
271 | + bprm->security = NULL; | |
272 | + while (!original_security_ops.bprm_apply_creds) | |
273 | + smp_rmb(); | |
274 | + original_security_ops.bprm_apply_creds(bprm, unsafe); | |
275 | + ccs_clear_execve(0, ccs_current_security()); | |
276 | +} | |
277 | + | |
278 | +#endif | |
279 | + | |
280 | +/** | |
281 | + * ccs_bprm_check_security - Check permission for execve(). | |
282 | + * | |
283 | + * @bprm: Pointer to "struct linux_binprm". | |
284 | + * | |
285 | + * Returns 0 on success, negative value otherwise. | |
286 | + */ | |
287 | +static int ccs_bprm_check_security(struct linux_binprm *bprm) | |
288 | +{ | |
289 | + struct ccs_security *security = ccs_current_security(); | |
290 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
291 | + return -ENOMEM; | |
292 | + if (!security->ee) { | |
293 | + int rc; | |
294 | +#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER | |
295 | + if (!ccs_policy_loaded) | |
296 | + ccs_load_policy(bprm->filename); | |
297 | +#endif | |
298 | + rc = ccs_start_execve(bprm, &security->ee); | |
299 | + if (rc) | |
300 | + return rc; | |
301 | + } | |
302 | + while (!original_security_ops.bprm_check_security) | |
303 | + smp_rmb(); | |
304 | + return original_security_ops.bprm_check_security(bprm); | |
305 | +} | |
306 | + | |
307 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) | |
308 | + | |
309 | +/** | |
310 | + * ccs_open - Check permission for open(). | |
311 | + * | |
312 | + * @f: Pointer to "struct file". | |
313 | + * | |
314 | + * Returns 0 on success, negative value otherwise. | |
315 | + */ | |
316 | +static int ccs_open(struct file *f) | |
317 | +{ | |
318 | + return ccs_open_permission(f->f_path.dentry, f->f_path.mnt, | |
319 | + f->f_flags + 1); | |
320 | +} | |
321 | + | |
322 | +#endif | |
323 | + | |
324 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) | |
325 | + | |
326 | +/** | |
327 | + * ccs_dentry_open - Check permission for open(). | |
328 | + * | |
329 | + * @f: Pointer to "struct file". | |
330 | + * | |
331 | + * Returns 0 on success, negative value otherwise. | |
332 | + */ | |
333 | +static int ccs_dentry_open(struct file *f) | |
334 | +{ | |
335 | + int rc = ccs_open(f); | |
336 | + if (rc) | |
337 | + return rc; | |
338 | + while (!original_security_ops.dentry_open) | |
339 | + smp_rmb(); | |
340 | + return original_security_ops.dentry_open(f); | |
341 | +} | |
342 | + | |
343 | +#else | |
344 | + | |
345 | +/** | |
346 | + * ccs_open - Check permission for open(). | |
347 | + * | |
348 | + * @inode: Pointer to "struct inode". | |
349 | + * @mask: Open mode. | |
350 | + * @nd: Pointer to "struct nameidata". | |
351 | + * | |
352 | + * Returns 0 on success, negative value otherwise. | |
353 | + */ | |
354 | +static int ccs_open(struct inode *inode, int mask, struct nameidata *nd) | |
355 | +{ | |
356 | + int flags; | |
357 | + if (!nd || !nd->dentry) | |
358 | + return 0; | |
359 | + /* open_exec() passes MAY_EXEC . */ | |
360 | + if (mask == MAY_EXEC && inode && S_ISREG(inode->i_mode) && | |
361 | + (ccs_current_flags() & CCS_TASK_IS_IN_EXECVE)) | |
362 | + mask = MAY_READ; | |
363 | + /* | |
364 | + * This flags value is passed to ACC_MODE(). | |
365 | + * ccs_open_permission() for older versions uses old ACC_MODE(). | |
366 | + */ | |
367 | + switch (mask & (MAY_READ | MAY_WRITE)) { | |
368 | + case MAY_READ: | |
369 | + flags = 01; | |
370 | + break; | |
371 | + case MAY_WRITE: | |
372 | + flags = 02; | |
373 | + break; | |
374 | + case MAY_READ | MAY_WRITE: | |
375 | + flags = 03; | |
376 | + break; | |
377 | + default: | |
378 | + return 0; | |
379 | + } | |
380 | + return ccs_open_permission(nd->dentry, nd->mnt, flags); | |
381 | +} | |
382 | + | |
383 | +/** | |
384 | + * ccs_inode_permission - Check permission for open(). | |
385 | + * | |
386 | + * @inode: Pointer to "struct inode". | |
387 | + * @mask: Open mode. | |
388 | + * @nd: Pointer to "struct nameidata". | |
389 | + * | |
390 | + * Returns 0 on success, negative value otherwise. | |
391 | + * | |
392 | + * Note that this hook is called from permission(), and may not be called for | |
393 | + * open(). Maybe it is better to use security_file_permission(). | |
394 | + */ | |
395 | +static int ccs_inode_permission(struct inode *inode, int mask, | |
396 | + struct nameidata *nd) | |
397 | +{ | |
398 | + int rc = ccs_open(inode, mask, nd); | |
399 | + if (rc) | |
400 | + return rc; | |
401 | + while (!original_security_ops.inode_permission) | |
402 | + smp_rmb(); | |
403 | + return original_security_ops.inode_permission(inode, mask, nd); | |
404 | +} | |
405 | + | |
406 | +#endif | |
407 | + | |
408 | +/** | |
409 | + * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate(). | |
410 | + * | |
411 | + * @dentry: Pointer to "struct dentry". | |
412 | + * @attr: Pointer to "struct iattr". | |
413 | + * | |
414 | + * Returns 0 on success, negative value otherwise. | |
415 | + */ | |
416 | +static int ccs_inode_setattr(struct dentry *dentry, struct iattr *attr) | |
417 | +{ | |
418 | + int rc = 0; | |
419 | + if (attr->ia_valid & ATTR_UID) | |
420 | + rc = ccs_chown_permission(dentry, NULL, attr->ia_uid, -1); | |
421 | + if (!rc && (attr->ia_valid & ATTR_GID)) | |
422 | + rc = ccs_chown_permission(dentry, NULL, -1, attr->ia_gid); | |
423 | + if (!rc && (attr->ia_valid & ATTR_MODE)) | |
424 | + rc = ccs_chmod_permission(dentry, NULL, attr->ia_mode); | |
425 | + if (!rc && (attr->ia_valid & ATTR_SIZE)) | |
426 | + rc = ccs_truncate_permission(dentry, NULL); | |
427 | + if (rc) | |
428 | + return rc; | |
429 | + while (!original_security_ops.inode_setattr) | |
430 | + smp_rmb(); | |
431 | + return original_security_ops.inode_setattr(dentry, attr); | |
432 | +} | |
433 | + | |
434 | +/** | |
435 | + * ccs_inode_getattr - Check permission for stat(). | |
436 | + * | |
437 | + * @mnt: Pointer to "struct vfsmount". | |
438 | + * @dentry: Pointer to "struct dentry". | |
439 | + * | |
440 | + * Returns 0 on success, negative value otherwise. | |
441 | + */ | |
442 | +static int ccs_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | |
443 | +{ | |
444 | + int rc = ccs_getattr_permission(mnt, dentry); | |
445 | + if (rc) | |
446 | + return rc; | |
447 | + while (!original_security_ops.inode_getattr) | |
448 | + smp_rmb(); | |
449 | + return original_security_ops.inode_getattr(mnt, dentry); | |
450 | +} | |
451 | + | |
452 | +/** | |
453 | + * ccs_inode_mknod - Check permission for mknod(). | |
454 | + * | |
455 | + * @dir: Pointer to "struct inode". | |
456 | + * @dentry: Pointer to "struct dentry". | |
457 | + * @mode: Create mode. | |
458 | + * @dev: Device major/minor number. | |
459 | + * | |
460 | + * Returns 0 on success, negative value otherwise. | |
461 | + */ | |
462 | +static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, | |
463 | + dev_t dev) | |
464 | +{ | |
465 | + int rc = ccs_mknod_permission(dentry, NULL, mode, dev); | |
466 | + if (rc) | |
467 | + return rc; | |
468 | + while (!original_security_ops.inode_mknod) | |
469 | + smp_rmb(); | |
470 | + return original_security_ops.inode_mknod(dir, dentry, mode, dev); | |
471 | +} | |
472 | + | |
473 | +/** | |
474 | + * ccs_inode_mkdir - Check permission for mkdir(). | |
475 | + * | |
476 | + * @dir: Pointer to "struct inode". | |
477 | + * @dentry: Pointer to "struct dentry". | |
478 | + * @mode: Create mode. | |
479 | + * | |
480 | + * Returns 0 on success, negative value otherwise. | |
481 | + */ | |
482 | +static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode) | |
483 | +{ | |
484 | + int rc = ccs_mkdir_permission(dentry, NULL, mode); | |
485 | + if (rc) | |
486 | + return rc; | |
487 | + while (!original_security_ops.inode_mkdir) | |
488 | + smp_rmb(); | |
489 | + return original_security_ops.inode_mkdir(dir, dentry, mode); | |
490 | +} | |
491 | + | |
492 | +/** | |
493 | + * ccs_inode_rmdir - Check permission for rmdir(). | |
494 | + * | |
495 | + * @dir: Pointer to "struct inode". | |
496 | + * @dentry: Pointer to "struct dentry". | |
497 | + * | |
498 | + * Returns 0 on success, negative value otherwise. | |
499 | + */ | |
500 | +static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry) | |
501 | +{ | |
502 | + int rc = ccs_rmdir_permission(dentry, NULL); | |
503 | + if (rc) | |
504 | + return rc; | |
505 | + while (!original_security_ops.inode_rmdir) | |
506 | + smp_rmb(); | |
507 | + return original_security_ops.inode_rmdir(dir, dentry); | |
508 | +} | |
509 | + | |
510 | +/** | |
511 | + * ccs_inode_unlink - Check permission for unlink(). | |
512 | + * | |
513 | + * @dir: Pointer to "struct inode". | |
514 | + * @dentry: Pointer to "struct dentry". | |
515 | + * | |
516 | + * Returns 0 on success, negative value otherwise. | |
517 | + */ | |
518 | +static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry) | |
519 | +{ | |
520 | + int rc = ccs_unlink_permission(dentry, NULL); | |
521 | + if (rc) | |
522 | + return rc; | |
523 | + while (!original_security_ops.inode_unlink) | |
524 | + smp_rmb(); | |
525 | + return original_security_ops.inode_unlink(dir, dentry); | |
526 | +} | |
527 | + | |
528 | +/** | |
529 | + * ccs_inode_symlink - Check permission for symlink(). | |
530 | + * | |
531 | + * @dir: Pointer to "struct inode". | |
532 | + * @dentry: Pointer to "struct dentry". | |
533 | + * @old_name: Content of symbolic link. | |
534 | + * | |
535 | + * Returns 0 on success, negative value otherwise. | |
536 | + */ | |
537 | +static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry, | |
538 | + const char *old_name) | |
539 | +{ | |
540 | + int rc = ccs_symlink_permission(dentry, NULL, old_name); | |
541 | + if (rc) | |
542 | + return rc; | |
543 | + while (!original_security_ops.inode_symlink) | |
544 | + smp_rmb(); | |
545 | + return original_security_ops.inode_symlink(dir, dentry, old_name); | |
546 | +} | |
547 | + | |
548 | +/** | |
549 | + * ccs_inode_rename - Check permission for rename(). | |
550 | + * | |
551 | + * @old_dir: Pointer to "struct inode". | |
552 | + * @old_dentry: Pointer to "struct dentry". | |
553 | + * @new_dir: Pointer to "struct inode". | |
554 | + * @new_dentry: Pointer to "struct dentry". | |
555 | + * | |
556 | + * Returns 0 on success, negative value otherwise. | |
557 | + */ | |
558 | +static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry, | |
559 | + struct inode *new_dir, struct dentry *new_dentry) | |
560 | +{ | |
561 | + int rc = ccs_rename_permission(old_dentry, new_dentry, NULL); | |
562 | + if (rc) | |
563 | + return rc; | |
564 | + while (!original_security_ops.inode_rename) | |
565 | + smp_rmb(); | |
566 | + return original_security_ops.inode_rename(old_dir, old_dentry, new_dir, | |
567 | + new_dentry); | |
568 | +} | |
569 | + | |
570 | +/** | |
571 | + * ccs_inode_link - Check permission for link(). | |
572 | + * | |
573 | + * @old_dentry: Pointer to "struct dentry". | |
574 | + * @dir: Pointer to "struct inode". | |
575 | + * @new_dentry: Pointer to "struct dentry". | |
576 | + * | |
577 | + * Returns 0 on success, negative value otherwise. | |
578 | + */ | |
579 | +static int ccs_inode_link(struct dentry *old_dentry, struct inode *dir, | |
580 | + struct dentry *new_dentry) | |
581 | +{ | |
582 | + int rc = ccs_link_permission(old_dentry, new_dentry, NULL); | |
583 | + if (rc) | |
584 | + return rc; | |
585 | + while (!original_security_ops.inode_link) | |
586 | + smp_rmb(); | |
587 | + return original_security_ops.inode_link(old_dentry, dir, new_dentry); | |
588 | +} | |
589 | + | |
590 | +/** | |
591 | + * ccs_inode_create - Check permission for creat(). | |
592 | + * | |
593 | + * @dir: Pointer to "struct inode". | |
594 | + * @dentry: Pointer to "struct dentry". | |
595 | + * @mode: Create mode. | |
596 | + * | |
597 | + * Returns 0 on success, negative value otherwise. | |
598 | + */ | |
599 | +static int ccs_inode_create(struct inode *dir, struct dentry *dentry, | |
600 | + int mode) | |
601 | +{ | |
602 | + int rc = ccs_mknod_permission(dentry, NULL, mode, 0); | |
603 | + if (rc) | |
604 | + return rc; | |
605 | + while (!original_security_ops.inode_create) | |
606 | + smp_rmb(); | |
607 | + return original_security_ops.inode_create(dir, dentry, mode); | |
608 | +} | |
609 | + | |
610 | +#ifdef CONFIG_SECURITY_NETWORK | |
611 | + | |
612 | +#include <net/sock.h> | |
613 | + | |
614 | +/* Structure for remembering an accept()ed socket's status. */ | |
615 | +struct ccs_socket_tag { | |
616 | + struct list_head list; | |
617 | + struct inode *inode; | |
618 | + int status; | |
619 | + struct rcu_head rcu; | |
620 | +}; | |
621 | + | |
622 | +/* | |
623 | + * List for managing accept()ed sockets. | |
624 | + * Since we don't need to keep an accept()ed socket into this list after | |
625 | + * once the permission was granted, the number of entries in this list is | |
626 | + * likely small. Therefore, we don't use hash tables. | |
627 | + */ | |
628 | +static LIST_HEAD(ccs_accepted_socket_list); | |
629 | +/* Lock for protecting ccs_accepted_socket_list . */ | |
630 | +static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock); | |
631 | + | |
632 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8) | |
633 | + | |
634 | +/** | |
635 | + * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag". | |
636 | + * | |
637 | + * @rcu: Pointer to "struct rcu_head". | |
638 | + * | |
639 | + * Returns nothing. | |
640 | + */ | |
641 | +static void ccs_socket_rcu_free(struct rcu_head *rcu) | |
642 | +{ | |
643 | + struct ccs_socket_tag *ptr = container_of(rcu, typeof(*ptr), rcu); | |
644 | + kfree(ptr); | |
645 | +} | |
646 | + | |
647 | +#else | |
648 | + | |
649 | +/** | |
650 | + * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag". | |
651 | + * | |
652 | + * @arg: Pointer to "void". | |
653 | + * | |
654 | + * Returns nothing. | |
655 | + */ | |
656 | +static void ccs_socket_rcu_free(void *arg) | |
657 | +{ | |
658 | + struct ccs_socket_tag *ptr = arg; | |
659 | + kfree(ptr); | |
660 | +} | |
661 | + | |
662 | +#endif | |
663 | + | |
664 | +/** | |
665 | + * ccs_update_socket_tag - Update tag associated with accept()ed sockets. | |
666 | + * | |
667 | + * @inode: Pointer to "struct inode". | |
668 | + * @status: New status. | |
669 | + * | |
670 | + * Returns nothing. | |
671 | + * | |
672 | + * If @status == 0, memory for that socket will be released after RCU grace | |
673 | + * period. | |
674 | + */ | |
675 | +static void ccs_update_socket_tag(struct inode *inode, int status) | |
676 | +{ | |
677 | + struct ccs_socket_tag *ptr; | |
678 | + /* | |
679 | + * Protect whole section because multiple threads may call this | |
680 | + * function with same "sock" via ccs_validate_socket(). | |
681 | + */ | |
682 | + spin_lock(&ccs_accepted_socket_list_lock); | |
683 | + rcu_read_lock(); | |
684 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
685 | + if (ptr->inode != inode) | |
686 | + continue; | |
687 | + ptr->status = status; | |
688 | + if (status) | |
689 | + break; | |
690 | + list_del_rcu(&ptr->list); | |
691 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8) | |
692 | + call_rcu(&ptr->rcu, ccs_socket_rcu_free); | |
693 | +#else | |
694 | + call_rcu(&ptr->rcu, ccs_socket_rcu_free, ptr); | |
695 | +#endif | |
696 | + break; | |
697 | + } | |
698 | + rcu_read_unlock(); | |
699 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
700 | +} | |
701 | + | |
702 | +/** | |
703 | + * ccs_validate_socket - Check post accept() permission if needed. | |
704 | + * | |
705 | + * @sock: Pointer to "struct socket". | |
706 | + * | |
707 | + * Returns 0 on success, negative value otherwise. | |
708 | + */ | |
709 | +static int ccs_validate_socket(struct socket *sock) | |
710 | +{ | |
711 | + struct inode *inode = SOCK_INODE(sock); | |
712 | + struct ccs_socket_tag *ptr; | |
713 | + int ret = 0; | |
714 | + rcu_read_lock(); | |
715 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
716 | + if (ptr->inode != inode) | |
717 | + continue; | |
718 | + ret = ptr->status; | |
719 | + break; | |
720 | + } | |
721 | + rcu_read_unlock(); | |
722 | + if (ret <= 0) | |
723 | + /* | |
724 | + * This socket is not an accept()ed socket or this socket is | |
725 | + * an accept()ed socket and post accept() permission is done. | |
726 | + */ | |
727 | + return ret; | |
728 | + /* | |
729 | + * Check post accept() permission now. | |
730 | + * | |
731 | + * Strictly speaking, we need to pass both listen()ing socket and | |
732 | + * accept()ed socket to __ccs_socket_post_accept_permission(). | |
733 | + * But since socket's family and type are same for both sockets, | |
734 | + * passing the accept()ed socket in place for the listen()ing socket | |
735 | + * will work. | |
736 | + */ | |
737 | + ret = ccs_socket_post_accept_permission(sock, sock); | |
738 | + /* | |
739 | + * If permission was granted, we forget that this is an accept()ed | |
740 | + * socket. Otherwise, we remember that this socket needs to return | |
741 | + * error for subsequent socketcalls. | |
742 | + */ | |
743 | + ccs_update_socket_tag(inode, ret); | |
744 | + return ret; | |
745 | +} | |
746 | + | |
747 | +/** | |
748 | + * ccs_socket_accept - Check permission for accept(). | |
749 | + * | |
750 | + * @sock: Pointer to "struct socket". | |
751 | + * @newsock: Pointer to "struct socket". | |
752 | + * | |
753 | + * Returns 0 on success, negative value otherwise. | |
754 | + * | |
755 | + * This hook is used for setting up environment for doing post accept() | |
756 | + * permission check. If dereferencing sock->ops->something() were ordered by | |
757 | + * rcu_dereference(), we could replace sock->ops with "a copy of original | |
758 | + * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer() | |
759 | + * in order to do post accept() permission check before returning to userspace. | |
760 | + * If we make the copy in security_socket_post_create(), it would be possible | |
761 | + * to safely replace sock->ops here, but we don't do so because we don't want | |
762 | + * to allocate memory for sockets which do not call sock->ops->accept(). | |
763 | + * Therefore, we do post accept() permission check upon next socket syscalls | |
764 | + * rather than between sock->ops->accept() and returning to userspace. | |
765 | + * This means that if a socket was close()d before calling some socket | |
766 | + * syscalls, post accept() permission check will not be done. | |
767 | + */ | |
768 | +static int ccs_socket_accept(struct socket *sock, struct socket *newsock) | |
769 | +{ | |
770 | + struct ccs_socket_tag *ptr; | |
771 | + int rc = ccs_validate_socket(sock); | |
772 | + if (rc < 0) | |
773 | + return rc; | |
774 | + ptr = kzalloc(sizeof(*ptr), GFP_KERNEL); | |
775 | + if (!ptr) | |
776 | + return -ENOMEM; | |
777 | + while (!original_security_ops.socket_accept) | |
778 | + smp_rmb(); | |
779 | + rc = original_security_ops.socket_accept(sock, newsock); | |
780 | + if (rc) { | |
781 | + kfree(ptr); | |
782 | + return rc; | |
783 | + } | |
784 | + /* | |
785 | + * Subsequent LSM hooks will receive "newsock". Therefore, I mark | |
786 | + * "newsock" as "an accept()ed socket but post accept() permission | |
787 | + * check is not done yet" by allocating memory using inode of the | |
788 | + * "newsock" as a search key. | |
789 | + */ | |
790 | + ptr->inode = SOCK_INODE(newsock); | |
791 | + ptr->status = 1; /* Check post accept() permission later. */ | |
792 | + spin_lock(&ccs_accepted_socket_list_lock); | |
793 | + list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list); | |
794 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
795 | + return 0; | |
796 | +} | |
797 | + | |
798 | +/** | |
799 | + * ccs_socket_listen - Check permission for listen(). | |
800 | + * | |
801 | + * @sock: Pointer to "struct socket". | |
802 | + * @backlog: Backlog parameter. | |
803 | + * | |
804 | + * Returns 0 on success, negative value otherwise. | |
805 | + */ | |
806 | +static int ccs_socket_listen(struct socket *sock, int backlog) | |
807 | +{ | |
808 | + int rc = ccs_validate_socket(sock); | |
809 | + if (rc < 0) | |
810 | + return rc; | |
811 | + rc = ccs_socket_listen_permission(sock); | |
812 | + if (rc) | |
813 | + return rc; | |
814 | + while (!original_security_ops.socket_listen) | |
815 | + smp_rmb(); | |
816 | + return original_security_ops.socket_listen(sock, backlog); | |
817 | +} | |
818 | + | |
819 | +/** | |
820 | + * ccs_socket_connect - Check permission for connect(). | |
821 | + * | |
822 | + * @sock: Pointer to "struct socket". | |
823 | + * @addr: Pointer to "struct sockaddr". | |
824 | + * @addr_len: Size of @addr. | |
825 | + * | |
826 | + * Returns 0 on success, negative value otherwise. | |
827 | + */ | |
828 | +static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr, | |
829 | + int addr_len) | |
830 | +{ | |
831 | + int rc = ccs_validate_socket(sock); | |
832 | + if (rc < 0) | |
833 | + return rc; | |
834 | + rc = ccs_socket_connect_permission(sock, addr, addr_len); | |
835 | + if (rc) | |
836 | + return rc; | |
837 | + while (!original_security_ops.socket_connect) | |
838 | + smp_rmb(); | |
839 | + return original_security_ops.socket_connect(sock, addr, addr_len); | |
840 | +} | |
841 | + | |
842 | +/** | |
843 | + * ccs_socket_bind - Check permission for bind(). | |
844 | + * | |
845 | + * @sock: Pointer to "struct socket". | |
846 | + * @addr: Pointer to "struct sockaddr". | |
847 | + * @addr_len: Size of @addr. | |
848 | + * | |
849 | + * Returns 0 on success, negative value otherwise. | |
850 | + */ | |
851 | +static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr, | |
852 | + int addr_len) | |
853 | +{ | |
854 | + int rc = ccs_validate_socket(sock); | |
855 | + if (rc < 0) | |
856 | + return rc; | |
857 | + rc = ccs_socket_bind_permission(sock, addr, addr_len); | |
858 | + if (rc) | |
859 | + return rc; | |
860 | + while (!original_security_ops.socket_bind) | |
861 | + smp_rmb(); | |
862 | + return original_security_ops.socket_bind(sock, addr, addr_len); | |
863 | +} | |
864 | + | |
865 | +/** | |
866 | + * ccs_socket_sendmsg - Check permission for sendmsg(). | |
867 | + * | |
868 | + * @sock: Pointer to "struct socket". | |
869 | + * @msg: Pointer to "struct msghdr". | |
870 | + * @size: Size of message. | |
871 | + * | |
872 | + * Returns 0 on success, negative value otherwise. | |
873 | + */ | |
874 | +static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg, | |
875 | + int size) | |
876 | +{ | |
877 | + int rc = ccs_validate_socket(sock); | |
878 | + if (rc < 0) | |
879 | + return rc; | |
880 | + rc = ccs_socket_sendmsg_permission(sock, msg, size); | |
881 | + if (rc) | |
882 | + return rc; | |
883 | + while (!original_security_ops.socket_sendmsg) | |
884 | + smp_rmb(); | |
885 | + return original_security_ops.socket_sendmsg(sock, msg, size); | |
886 | +} | |
887 | + | |
888 | +/** | |
889 | + * ccs_socket_recvmsg - Check permission for recvmsg(). | |
890 | + * | |
891 | + * @sock: Pointer to "struct socket". | |
892 | + * @msg: Pointer to "struct msghdr". | |
893 | + * @size: Size of message. | |
894 | + * @flags: Flags. | |
895 | + * | |
896 | + * Returns 0 on success, negative value otherwise. | |
897 | + */ | |
898 | +static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg, | |
899 | + int size, int flags) | |
900 | +{ | |
901 | + int rc = ccs_validate_socket(sock); | |
902 | + if (rc < 0) | |
903 | + return rc; | |
904 | + while (!original_security_ops.socket_recvmsg) | |
905 | + smp_rmb(); | |
906 | + return original_security_ops.socket_recvmsg(sock, msg, size, flags); | |
907 | +} | |
908 | + | |
909 | +/** | |
910 | + * ccs_socket_getsockname - Check permission for getsockname(). | |
911 | + * | |
912 | + * @sock: Pointer to "struct socket". | |
913 | + * | |
914 | + * Returns 0 on success, negative value otherwise. | |
915 | + */ | |
916 | +static int ccs_socket_getsockname(struct socket *sock) | |
917 | +{ | |
918 | + int rc = ccs_validate_socket(sock); | |
919 | + if (rc < 0) | |
920 | + return rc; | |
921 | + while (!original_security_ops.socket_getsockname) | |
922 | + smp_rmb(); | |
923 | + return original_security_ops.socket_getsockname(sock); | |
924 | +} | |
925 | + | |
926 | +/** | |
927 | + * ccs_socket_getpeername - Check permission for getpeername(). | |
928 | + * | |
929 | + * @sock: Pointer to "struct socket". | |
930 | + * | |
931 | + * Returns 0 on success, negative value otherwise. | |
932 | + */ | |
933 | +static int ccs_socket_getpeername(struct socket *sock) | |
934 | +{ | |
935 | + int rc = ccs_validate_socket(sock); | |
936 | + if (rc < 0) | |
937 | + return rc; | |
938 | + while (!original_security_ops.socket_getpeername) | |
939 | + smp_rmb(); | |
940 | + return original_security_ops.socket_getpeername(sock); | |
941 | +} | |
942 | + | |
943 | +/** | |
944 | + * ccs_socket_getsockopt - Check permission for getsockopt(). | |
945 | + * | |
946 | + * @sock: Pointer to "struct socket". | |
947 | + * @level: Level. | |
948 | + * @optname: Option's name, | |
949 | + * | |
950 | + * Returns 0 on success, negative value otherwise. | |
951 | + */ | |
952 | +static int ccs_socket_getsockopt(struct socket *sock, int level, int optname) | |
953 | +{ | |
954 | + int rc = ccs_validate_socket(sock); | |
955 | + if (rc < 0) | |
956 | + return rc; | |
957 | + while (!original_security_ops.socket_getsockopt) | |
958 | + smp_rmb(); | |
959 | + return original_security_ops.socket_getsockopt(sock, level, optname); | |
960 | +} | |
961 | + | |
962 | +/** | |
963 | + * ccs_socket_setsockopt - Check permission for setsockopt(). | |
964 | + * | |
965 | + * @sock: Pointer to "struct socket". | |
966 | + * @level: Level. | |
967 | + * @optname: Option's name, | |
968 | + * | |
969 | + * Returns 0 on success, negative value otherwise. | |
970 | + */ | |
971 | +static int ccs_socket_setsockopt(struct socket *sock, int level, int optname) | |
972 | +{ | |
973 | + int rc = ccs_validate_socket(sock); | |
974 | + if (rc < 0) | |
975 | + return rc; | |
976 | + while (!original_security_ops.socket_setsockopt) | |
977 | + smp_rmb(); | |
978 | + return original_security_ops.socket_setsockopt(sock, level, optname); | |
979 | +} | |
980 | + | |
981 | +/** | |
982 | + * ccs_socket_shutdown - Check permission for shutdown(). | |
983 | + * | |
984 | + * @sock: Pointer to "struct socket". | |
985 | + * @how: Shutdown mode. | |
986 | + * | |
987 | + * Returns 0 on success, negative value otherwise. | |
988 | + */ | |
989 | +static int ccs_socket_shutdown(struct socket *sock, int how) | |
990 | +{ | |
991 | + int rc = ccs_validate_socket(sock); | |
992 | + if (rc < 0) | |
993 | + return rc; | |
994 | + while (!original_security_ops.socket_shutdown) | |
995 | + smp_rmb(); | |
996 | + return original_security_ops.socket_shutdown(sock, how); | |
997 | +} | |
998 | + | |
999 | +#define SOCKFS_MAGIC 0x534F434B | |
1000 | + | |
1001 | +/** | |
1002 | + * ccs_inode_free_security - Release memory associated with an inode. | |
1003 | + * | |
1004 | + * @inode: Pointer to "struct inode". | |
1005 | + * | |
1006 | + * Returns nothing. | |
1007 | + * | |
1008 | + * We use this hook for releasing memory associated with an accept()ed socket. | |
1009 | + */ | |
1010 | +static void ccs_inode_free_security(struct inode *inode) | |
1011 | +{ | |
1012 | + while (!original_security_ops.inode_free_security) | |
1013 | + smp_rmb(); | |
1014 | + original_security_ops.inode_free_security(inode); | |
1015 | + if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC) | |
1016 | + ccs_update_socket_tag(inode, 0); | |
1017 | +} | |
1018 | + | |
1019 | +#endif | |
1020 | + | |
1021 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24) | |
1022 | + | |
1023 | +/** | |
1024 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
1025 | + * | |
1026 | + * @old_nd: Pointer to "struct nameidata". | |
1027 | + * @new_nd: Pointer to "struct nameidata". | |
1028 | + * | |
1029 | + * Returns 0 on success, negative value otherwise. | |
1030 | + */ | |
1031 | +static int ccs_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) | |
1032 | +{ | |
1033 | + int rc = ccs_pivot_root_permission(old_nd, new_nd); | |
1034 | + if (rc) | |
1035 | + return rc; | |
1036 | + while (!original_security_ops.sb_pivotroot) | |
1037 | + smp_rmb(); | |
1038 | + return original_security_ops.sb_pivotroot(old_nd, new_nd); | |
1039 | +} | |
1040 | + | |
1041 | +/** | |
1042 | + * ccs_sb_mount - Check permission for mount(). | |
1043 | + * | |
1044 | + * @dev_name: Name of device file. | |
1045 | + * @nd: Pointer to "struct nameidata". | |
1046 | + * @type: Name of filesystem type. Maybe NULL. | |
1047 | + * @flags: Mount options. | |
1048 | + * @data_page: Optional data. Maybe NULL. | |
1049 | + * | |
1050 | + * Returns 0 on success, negative value otherwise. | |
1051 | + */ | |
1052 | +static int ccs_sb_mount(char *dev_name, struct nameidata *nd, char *type, | |
1053 | + unsigned long flags, void *data_page) | |
1054 | +{ | |
1055 | + int rc = ccs_mount_permission(dev_name, nd, type, flags, data_page); | |
1056 | + if (rc) | |
1057 | + return rc; | |
1058 | + while (!original_security_ops.sb_mount) | |
1059 | + smp_rmb(); | |
1060 | + return original_security_ops.sb_mount(dev_name, nd, type, flags, | |
1061 | + data_page); | |
1062 | +} | |
1063 | + | |
1064 | +#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 26) | |
1065 | + | |
1066 | +/** | |
1067 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
1068 | + * | |
1069 | + * @old_nd: Pointer to "struct nameidata". | |
1070 | + * @new_nd: Pointer to "struct nameidata". | |
1071 | + * | |
1072 | + * Returns 0 on success, negative value otherwise. | |
1073 | + */ | |
1074 | +static int ccs_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) | |
1075 | +{ | |
1076 | + int rc = ccs_pivot_root_permission(&old_nd->path, &new_nd->path); | |
1077 | + if (rc) | |
1078 | + return rc; | |
1079 | + while (!original_security_ops.sb_pivotroot) | |
1080 | + smp_rmb(); | |
1081 | + return original_security_ops.sb_pivotroot(old_nd, new_nd); | |
1082 | +} | |
1083 | + | |
1084 | +/** | |
1085 | + * ccs_sb_mount - Check permission for mount(). | |
1086 | + * | |
1087 | + * @dev_name: Name of device file. | |
1088 | + * @nd: Pointer to "struct nameidata". | |
1089 | + * @type: Name of filesystem type. Maybe NULL. | |
1090 | + * @flags: Mount options. | |
1091 | + * @data_page: Optional data. Maybe NULL. | |
1092 | + * | |
1093 | + * Returns 0 on success, negative value otherwise. | |
1094 | + */ | |
1095 | +static int ccs_sb_mount(char *dev_name, struct nameidata *nd, char *type, | |
1096 | + unsigned long flags, void *data_page) | |
1097 | +{ | |
1098 | + int rc = ccs_mount_permission(dev_name, &nd->path, type, flags, | |
1099 | + data_page); | |
1100 | + if (rc) | |
1101 | + return rc; | |
1102 | + while (!original_security_ops.sb_mount) | |
1103 | + smp_rmb(); | |
1104 | + return original_security_ops.sb_mount(dev_name, nd, type, flags, | |
1105 | + data_page); | |
1106 | +} | |
1107 | + | |
1108 | +#else | |
1109 | + | |
1110 | +/** | |
1111 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
1112 | + * | |
1113 | + * @old_path: Pointer to "struct path". | |
1114 | + * @new_path: Pointer to "struct path". | |
1115 | + * | |
1116 | + * Returns 0 on success, negative value otherwise. | |
1117 | + */ | |
1118 | +static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path) | |
1119 | +{ | |
1120 | + int rc = ccs_pivot_root_permission(old_path, new_path); | |
1121 | + if (rc) | |
1122 | + return rc; | |
1123 | + while (!original_security_ops.sb_pivotroot) | |
1124 | + smp_rmb(); | |
1125 | + return original_security_ops.sb_pivotroot(old_path, new_path); | |
1126 | +} | |
1127 | + | |
1128 | +/** | |
1129 | + * ccs_sb_mount - Check permission for mount(). | |
1130 | + * | |
1131 | + * @dev_name: Name of device file. | |
1132 | + * @path: Pointer to "struct path". | |
1133 | + * @type: Name of filesystem type. Maybe NULL. | |
1134 | + * @flags: Mount options. | |
1135 | + * @data_page: Optional data. Maybe NULL. | |
1136 | + * | |
1137 | + * Returns 0 on success, negative value otherwise. | |
1138 | + */ | |
1139 | +static int ccs_sb_mount(char *dev_name, struct path *path, char *type, | |
1140 | + unsigned long flags, void *data_page) | |
1141 | +{ | |
1142 | + int rc = ccs_mount_permission(dev_name, path, type, flags, data_page); | |
1143 | + if (rc) | |
1144 | + return rc; | |
1145 | + while (!original_security_ops.sb_mount) | |
1146 | + smp_rmb(); | |
1147 | + return original_security_ops.sb_mount(dev_name, path, type, flags, | |
1148 | + data_page); | |
1149 | +} | |
1150 | + | |
1151 | +#endif | |
1152 | + | |
1153 | +/** | |
1154 | + * ccs_sb_umount - Check permission for umount(). | |
1155 | + * | |
1156 | + * @mnt: Pointer to "struct vfsmount". | |
1157 | + * @flags: Unmount flags. | |
1158 | + * | |
1159 | + * Returns 0 on success, negative value otherwise. | |
1160 | + */ | |
1161 | +static int ccs_sb_umount(struct vfsmount *mnt, int flags) | |
1162 | +{ | |
1163 | + int rc = ccs_umount_permission(mnt, flags); | |
1164 | + if (rc) | |
1165 | + return rc; | |
1166 | + while (!original_security_ops.sb_umount) | |
1167 | + smp_rmb(); | |
1168 | + return original_security_ops.sb_umount(mnt, flags); | |
1169 | +} | |
1170 | + | |
1171 | +/** | |
1172 | + * ccs_file_fcntl - Check permission for fcntl(). | |
1173 | + * | |
1174 | + * @file: Pointer to "struct file". | |
1175 | + * @cmd: Command number. | |
1176 | + * @arg: Value for @cmd. | |
1177 | + * | |
1178 | + * Returns 0 on success, negative value otherwise. | |
1179 | + */ | |
1180 | +static int ccs_file_fcntl(struct file *file, unsigned int cmd, | |
1181 | + unsigned long arg) | |
1182 | +{ | |
1183 | + int rc = ccs_fcntl_permission(file, cmd, arg); | |
1184 | + if (rc) | |
1185 | + return rc; | |
1186 | + while (!original_security_ops.file_fcntl) | |
1187 | + smp_rmb(); | |
1188 | + return original_security_ops.file_fcntl(file, cmd, arg); | |
1189 | +} | |
1190 | + | |
1191 | +/** | |
1192 | + * ccs_file_ioctl - Check permission for ioctl(). | |
1193 | + * | |
1194 | + * @filp: Pointer to "struct file". | |
1195 | + * @cmd: Command number. | |
1196 | + * @arg: Value for @cmd. | |
1197 | + * | |
1198 | + * Returns 0 on success, negative value otherwise. | |
1199 | + */ | |
1200 | +static int ccs_file_ioctl(struct file *filp, unsigned int cmd, | |
1201 | + unsigned long arg) | |
1202 | +{ | |
1203 | + int rc = ccs_ioctl_permission(filp, cmd, arg); | |
1204 | + if (rc) | |
1205 | + return rc; | |
1206 | + while (!original_security_ops.file_ioctl) | |
1207 | + smp_rmb(); | |
1208 | + return original_security_ops.file_ioctl(filp, cmd, arg); | |
1209 | +} | |
1210 | + | |
1211 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) && defined(CONFIG_SYSCTL_SYSCALL) | |
1212 | +int ccs_path_permission(struct ccs_request_info *r, u8 operation, | |
1213 | + const struct ccs_path_info *filename); | |
1214 | + | |
1215 | +/** | |
1216 | + * ccs_prepend - Copy of prepend() in fs/dcache.c. | |
1217 | + * | |
1218 | + * @buffer: Pointer to "struct char *". | |
1219 | + * @buflen: Pointer to int which holds size of @buffer. | |
1220 | + * @str: String to copy. | |
1221 | + * | |
1222 | + * Returns 0 on success, negative value otherwise. | |
1223 | + * | |
1224 | + * @buffer and @buflen are updated upon success. | |
1225 | + */ | |
1226 | +static int ccs_prepend(char **buffer, int *buflen, const char *str) | |
1227 | +{ | |
1228 | + int namelen = strlen(str); | |
1229 | + if (*buflen < namelen) | |
1230 | + return -ENOMEM; | |
1231 | + *buflen -= namelen; | |
1232 | + *buffer -= namelen; | |
1233 | + memcpy(*buffer, str, namelen); | |
1234 | + return 0; | |
1235 | +} | |
1236 | + | |
1237 | +/** | |
1238 | + * ccs_sysctl_permission - Check permission for sysctl(). | |
1239 | + * | |
1240 | + * @table: Pointer to "struct ctl_table". | |
1241 | + * @op: Operation. (MAY_READ and/or MAY_WRITE) | |
1242 | + * | |
1243 | + * Returns 0 on success, negative value otherwise. | |
1244 | + */ | |
1245 | +static int ccs_sysctl(struct ctl_table *table, int op) | |
1246 | +{ | |
1247 | + int error; | |
1248 | + struct ccs_path_info buf; | |
1249 | + struct ccs_request_info r; | |
1250 | + int buflen; | |
1251 | + char *buffer; | |
1252 | + int idx; | |
1253 | + while (!original_security_ops.sysctl) | |
1254 | + smp_rmb(); | |
1255 | + error = original_security_ops.sysctl(table, op); | |
1256 | + if (error) | |
1257 | + return error; | |
1258 | + op &= MAY_READ | MAY_WRITE; | |
1259 | + if (!op) | |
1260 | + return 0; | |
1261 | + buffer = NULL; | |
1262 | + buf.name = NULL; | |
1263 | + idx = ccs_read_lock(); | |
1264 | + if (ccs_init_request_info(&r, CCS_MAC_FILE_OPEN) | |
1265 | + == CCS_CONFIG_DISABLED) | |
1266 | + goto out; | |
1267 | + error = -ENOMEM; | |
1268 | + buflen = 4096; | |
1269 | + buffer = kmalloc(buflen, CCS_GFP_FLAGS); | |
1270 | + if (buffer) { | |
1271 | + char *end = buffer + buflen; | |
1272 | + *--end = '\0'; | |
1273 | + buflen--; | |
1274 | + while (table) { | |
1275 | + char num[32]; | |
1276 | + const char *sp = table->procname; | |
1277 | + if (!sp) { | |
1278 | + memset(num, 0, sizeof(num)); | |
1279 | + snprintf(num, sizeof(num) - 1, "=%d=", | |
1280 | + table->ctl_name); | |
1281 | + sp = num; | |
1282 | + } | |
1283 | + if (ccs_prepend(&end, &buflen, sp) || | |
1284 | + ccs_prepend(&end, &buflen, "/")) | |
1285 | + goto out; | |
1286 | + table = table->parent; | |
1287 | + } | |
1288 | + if (ccs_prepend(&end, &buflen, "proc:/sys")) | |
1289 | + goto out; | |
1290 | + buf.name = ccs_encode(end); | |
1291 | + } | |
1292 | + if (buf.name) { | |
1293 | + ccs_fill_path_info(&buf); | |
1294 | + if (op & MAY_READ) | |
1295 | + error = ccs_path_permission(&r, CCS_TYPE_READ, &buf); | |
1296 | + else | |
1297 | + error = 0; | |
1298 | + if (!error && (op & MAY_WRITE)) | |
1299 | + error = ccs_path_permission(&r, CCS_TYPE_WRITE, &buf); | |
1300 | + } | |
1301 | +out: | |
1302 | + ccs_read_unlock(idx); | |
1303 | + kfree(buf.name); | |
1304 | + kfree(buffer); | |
1305 | + return error; | |
1306 | +} | |
1307 | + | |
1308 | +#endif | |
1309 | + | |
1310 | +/* | |
1311 | + * Why not to copy all operations by "original_security_ops = *ops" ? | |
1312 | + * Because copying byte array is not atomic. Reader checks | |
1313 | + * original_security_ops.op != NULL before doing original_security_ops.op(). | |
1314 | + * Thus, modifying original_security_ops.op has to be atomic. | |
1315 | + */ | |
1316 | +#define swap_security_ops(op) \ | |
1317 | + original_security_ops.op = ops->op; smp_wmb(); ops->op = ccs_##op; | |
1318 | + | |
1319 | +/** | |
1320 | + * ccs_update_security_ops - Overwrite original "struct security_operations". | |
1321 | + * | |
1322 | + * @ops: Pointer to "struct security_operations". | |
1323 | + * | |
1324 | + * Returns nothing. | |
1325 | + */ | |
1326 | +static void __init ccs_update_security_ops(struct security_operations *ops) | |
1327 | +{ | |
1328 | + /* Security context allocator. */ | |
1329 | + swap_security_ops(task_alloc_security); | |
1330 | + swap_security_ops(task_free_security); | |
1331 | + swap_security_ops(bprm_alloc_security); | |
1332 | + swap_security_ops(bprm_free_security); | |
1333 | + /* Security context updater for successful execve(). */ | |
1334 | + swap_security_ops(bprm_check_security); | |
1335 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 6) | |
1336 | + swap_security_ops(bprm_compute_creds); | |
1337 | +#else | |
1338 | + swap_security_ops(bprm_apply_creds); | |
1339 | +#endif | |
1340 | + /* Various permission checker. */ | |
1341 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) | |
1342 | + swap_security_ops(dentry_open); | |
1343 | +#else | |
1344 | + swap_security_ops(inode_permission); | |
1345 | +#endif | |
1346 | + swap_security_ops(file_fcntl); | |
1347 | + swap_security_ops(file_ioctl); | |
1348 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) && defined(CONFIG_SYSCTL_SYSCALL) | |
1349 | + swap_security_ops(sysctl); | |
1350 | +#endif | |
1351 | + swap_security_ops(sb_pivotroot); | |
1352 | + swap_security_ops(sb_mount); | |
1353 | + swap_security_ops(sb_umount); | |
1354 | + swap_security_ops(inode_mknod); | |
1355 | + swap_security_ops(inode_mkdir); | |
1356 | + swap_security_ops(inode_rmdir); | |
1357 | + swap_security_ops(inode_unlink); | |
1358 | + swap_security_ops(inode_symlink); | |
1359 | + swap_security_ops(inode_rename); | |
1360 | + swap_security_ops(inode_link); | |
1361 | + swap_security_ops(inode_create); | |
1362 | + swap_security_ops(inode_setattr); | |
1363 | + swap_security_ops(inode_getattr); | |
1364 | +#ifdef CONFIG_SECURITY_NETWORK | |
1365 | + swap_security_ops(socket_bind); | |
1366 | + swap_security_ops(socket_connect); | |
1367 | + swap_security_ops(socket_listen); | |
1368 | + swap_security_ops(socket_sendmsg); | |
1369 | + swap_security_ops(socket_recvmsg); | |
1370 | + swap_security_ops(socket_getsockname); | |
1371 | + swap_security_ops(socket_getpeername); | |
1372 | + swap_security_ops(socket_getsockopt); | |
1373 | + swap_security_ops(socket_setsockopt); | |
1374 | + swap_security_ops(socket_shutdown); | |
1375 | + swap_security_ops(socket_accept); | |
1376 | + swap_security_ops(inode_free_security); | |
1377 | +#endif | |
1378 | +} | |
1379 | + | |
1380 | +#undef swap_security_ops | |
1381 | + | |
1382 | +/** | |
1383 | + * ccs_init - Initialize this module. | |
1384 | + * | |
1385 | + * Returns 0 on success, negative value otherwise. | |
1386 | + */ | |
1387 | +static int __init ccs_init(void) | |
1388 | +{ | |
1389 | + struct security_operations *ops = probe_security_ops(); | |
1390 | + if (!ops) | |
1391 | + goto out; | |
1392 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) | |
1393 | + ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid(); | |
1394 | + if (!ccsecurity_exports.find_task_by_vpid) | |
1395 | + goto out; | |
1396 | + ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns(); | |
1397 | + if (!ccsecurity_exports.find_task_by_pid_ns) | |
1398 | + goto out; | |
1399 | +#endif | |
1400 | + ccsecurity_exports.vfsmount_lock = probe_vfsmount_lock(); | |
1401 | + if (!ccsecurity_exports.vfsmount_lock) | |
1402 | + goto out; | |
1403 | + ccs_main_init(); | |
1404 | + ccs_update_security_ops(ops); | |
1405 | + printk(KERN_INFO "AKARI: 1.0.40 2019/12/25\n"); | |
1406 | + printk(KERN_INFO | |
1407 | + "Access Keeping And Regulating Instrument registered.\n"); | |
1408 | + return 0; | |
1409 | +out: | |
1410 | + return -EINVAL; | |
1411 | +} | |
1412 | + | |
1413 | +module_init(ccs_init); | |
1414 | +MODULE_LICENSE("GPL"); | |
1415 | + | |
1416 | +/** | |
1417 | + * ccs_used_by_cred - Check whether the given domain is in use or not. | |
1418 | + * | |
1419 | + * @domain: Pointer to "struct ccs_domain_info". | |
1420 | + * | |
1421 | + * Returns true if @domain is in use, false otherwise. | |
1422 | + * | |
1423 | + * Caller holds rcu_read_lock(). | |
1424 | + */ | |
1425 | +bool ccs_used_by_cred(const struct ccs_domain_info *domain) | |
1426 | +{ | |
1427 | + return false; | |
1428 | +} | |
1429 | + | |
1430 | +/** | |
1431 | + * ccs_add_task_security - Add "struct ccs_security" to list. | |
1432 | + * | |
1433 | + * @ptr: Pointer to "struct ccs_security". | |
1434 | + * @list: Pointer to "struct list_head". | |
1435 | + * | |
1436 | + * Returns nothing. | |
1437 | + */ | |
1438 | +static void ccs_add_task_security(struct ccs_security *ptr, | |
1439 | + struct list_head *list) | |
1440 | +{ | |
1441 | + unsigned long flags; | |
1442 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
1443 | + list_add_rcu(&ptr->list, list); | |
1444 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
1445 | +} | |
1446 | + | |
1447 | +/** | |
1448 | + * __ccs_alloc_task_security - Allocate memory for new tasks. | |
1449 | + * | |
1450 | + * @task: Pointer to "struct task_struct". | |
1451 | + * | |
1452 | + * Returns 0 on success, negative value otherwise. | |
1453 | + */ | |
1454 | +static int __ccs_alloc_task_security(const struct task_struct *task) | |
1455 | +{ | |
1456 | + struct ccs_security *old_security = ccs_current_security(); | |
1457 | + struct ccs_security *new_security = kzalloc(sizeof(*new_security), | |
1458 | + GFP_KERNEL); | |
1459 | + struct list_head *list = &ccs_task_security_list | |
1460 | + [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)]; | |
1461 | + if (!new_security) | |
1462 | + return -ENOMEM; | |
1463 | + new_security->task = task; | |
1464 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
1465 | + new_security->ccs_flags = old_security->ccs_flags; | |
1466 | + ccs_add_task_security(new_security, list); | |
1467 | + return 0; | |
1468 | +} | |
1469 | + | |
1470 | +/** | |
1471 | + * ccs_find_task_security - Find "struct ccs_security" for given task. | |
1472 | + * | |
1473 | + * @task: Pointer to "struct task_struct". | |
1474 | + * | |
1475 | + * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on | |
1476 | + * out of memory, &ccs_default_security otherwise. | |
1477 | + * | |
1478 | + * If @task is current thread and "struct ccs_security" for current thread was | |
1479 | + * not found, I try to allocate it. But if allocation failed, current thread | |
1480 | + * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL | |
1481 | + * won't work. | |
1482 | + */ | |
1483 | +struct ccs_security *ccs_find_task_security(const struct task_struct *task) | |
1484 | +{ | |
1485 | + struct ccs_security *ptr; | |
1486 | + struct list_head *list = &ccs_task_security_list | |
1487 | + [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)]; | |
1488 | + /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */ | |
1489 | + while (!list->next) | |
1490 | + smp_rmb(); | |
1491 | + rcu_read_lock(); | |
1492 | + list_for_each_entry_rcu(ptr, list, list) { | |
1493 | + if (ptr->task != task) | |
1494 | + continue; | |
1495 | + rcu_read_unlock(); | |
1496 | + return ptr; | |
1497 | + } | |
1498 | + rcu_read_unlock(); | |
1499 | + if (task != current) | |
1500 | + return &ccs_default_security; | |
1501 | + /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */ | |
1502 | + ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC); | |
1503 | + if (!ptr) { | |
1504 | + printk(KERN_WARNING "Unable to allocate memory for pid=%u\n", | |
1505 | + task->pid); | |
1506 | + send_sig(SIGKILL, current, 0); | |
1507 | + return &ccs_oom_security; | |
1508 | + } | |
1509 | + *ptr = ccs_default_security; | |
1510 | + ptr->task = task; | |
1511 | + ccs_add_task_security(ptr, list); | |
1512 | + return ptr; | |
1513 | +} | |
1514 | + | |
1515 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8) | |
1516 | + | |
1517 | +/** | |
1518 | + * ccs_rcu_free - RCU callback for releasing "struct ccs_security". | |
1519 | + * | |
1520 | + * @rcu: Pointer to "struct rcu_head". | |
1521 | + * | |
1522 | + * Returns nothing. | |
1523 | + */ | |
1524 | +static void ccs_rcu_free(struct rcu_head *rcu) | |
1525 | +{ | |
1526 | + struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu); | |
1527 | + kfree(ptr); | |
1528 | +} | |
1529 | + | |
1530 | +#else | |
1531 | + | |
1532 | +/** | |
1533 | + * ccs_rcu_free - RCU callback for releasing "struct ccs_security". | |
1534 | + * | |
1535 | + * @arg: Pointer to "void". | |
1536 | + * | |
1537 | + * Returns nothing. | |
1538 | + */ | |
1539 | +static void ccs_rcu_free(void *arg) | |
1540 | +{ | |
1541 | + struct ccs_security *ptr = arg; | |
1542 | + kfree(ptr); | |
1543 | +} | |
1544 | + | |
1545 | +#endif | |
1546 | + | |
1547 | +/** | |
1548 | + * __ccs_free_task_security - Release memory associated with "struct task_struct". | |
1549 | + * | |
1550 | + * @task: Pointer to "struct task_struct". | |
1551 | + * | |
1552 | + * Returns nothing. | |
1553 | + */ | |
1554 | +static void __ccs_free_task_security(const struct task_struct *task) | |
1555 | +{ | |
1556 | + unsigned long flags; | |
1557 | + struct ccs_security *ptr = ccs_find_task_security(task); | |
1558 | + if (ptr == &ccs_default_security || ptr == &ccs_oom_security) | |
1559 | + return; | |
1560 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
1561 | + list_del_rcu(&ptr->list); | |
1562 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
1563 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8) | |
1564 | + call_rcu(&ptr->rcu, ccs_rcu_free); | |
1565 | +#else | |
1566 | + call_rcu(&ptr->rcu, ccs_rcu_free, ptr); | |
1567 | +#endif | |
1568 | +} |
@@ -0,0 +1,2246 @@ | ||
1 | +/* | |
2 | + * lsm.c | |
3 | + * | |
4 | + * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | |
5 | + * | |
6 | + * Version: 1.0.40 2019/12/25 | |
7 | + */ | |
8 | + | |
9 | +#include "internal.h" | |
10 | +#include "probe.h" | |
11 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 3, 0) | |
12 | +#define USE_UMODE_T | |
13 | +#else | |
14 | +#include "check_umode_t.h" | |
15 | +#endif | |
16 | + | |
17 | +/* Prototype definition. */ | |
18 | +static void ccs_task_security_gc(void); | |
19 | +static int ccs_copy_cred_security(const struct cred *new, | |
20 | + const struct cred *old, gfp_t gfp); | |
21 | +static struct ccs_security *ccs_find_cred_security(const struct cred *cred); | |
22 | +static DEFINE_SPINLOCK(ccs_task_security_list_lock); | |
23 | +static atomic_t ccs_in_execve_tasks = ATOMIC_INIT(0); | |
24 | +/* | |
25 | + * List of "struct ccs_security" for "struct pid". | |
26 | + * | |
27 | + * All instances on this list is guaranteed that "struct ccs_security"->pid != | |
28 | + * NULL. Also, instances on this list that are in execve() are guaranteed that | |
29 | + * "struct ccs_security"->cred remembers "struct linux_binprm"->cred with a | |
30 | + * refcount on "struct linux_binprm"->cred. | |
31 | + */ | |
32 | +struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH]; | |
33 | +/* | |
34 | + * List of "struct ccs_security" for "struct cred". | |
35 | + * | |
36 | + * Since the number of "struct cred" is nearly equals to the number of | |
37 | + * "struct pid", we allocate hash tables like ccs_task_security_list. | |
38 | + * | |
39 | + * All instances on this list are guaranteed that "struct ccs_security"->pid == | |
40 | + * NULL and "struct ccs_security"->cred != NULL. | |
41 | + */ | |
42 | +static struct list_head ccs_cred_security_list[CCS_MAX_TASK_SECURITY_HASH]; | |
43 | + | |
44 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
45 | +static struct ccs_security ccs_oom_security = { | |
46 | + .ccs_domain_info = &ccs_kernel_domain | |
47 | +}; | |
48 | + | |
49 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
50 | +static struct ccs_security ccs_default_security = { | |
51 | + .ccs_domain_info = &ccs_kernel_domain | |
52 | +}; | |
53 | + | |
54 | +/* For exporting variables and functions. */ | |
55 | +struct ccsecurity_exports ccsecurity_exports; | |
56 | +/* Members are updated by loadable kernel module. */ | |
57 | +struct ccsecurity_operations ccsecurity_ops; | |
58 | + | |
59 | +/* Function pointers originally registered by register_security(). */ | |
60 | +static struct security_operations original_security_ops /* = *security_ops; */; | |
61 | + | |
62 | +#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT | |
63 | + | |
64 | +/** | |
65 | + * ccs_update_ee_counter - Update "struct ccs_execve" counter. | |
66 | + * | |
67 | + * @count: Count to increment or decrement. | |
68 | + * | |
69 | + * Returns updated counter. | |
70 | + */ | |
71 | +static unsigned int ccs_update_ee_counter(int count) | |
72 | +{ | |
73 | + /* Debug counter for detecting "struct ccs_execve" memory leak. */ | |
74 | + static atomic_t ccs_ee_counter = ATOMIC_INIT(0); | |
75 | + return atomic_add_return(count, &ccs_ee_counter); | |
76 | +} | |
77 | + | |
78 | +/** | |
79 | + * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve". | |
80 | + * | |
81 | + * @ee: Pointer to "struct ccs_execve". | |
82 | + * | |
83 | + * Returns nothing. | |
84 | + */ | |
85 | +void ccs_audit_alloc_execve(const struct ccs_execve * const ee) | |
86 | +{ | |
87 | + printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee, | |
88 | + current->pid, ccs_update_ee_counter(1) - 1); | |
89 | +} | |
90 | + | |
91 | +/** | |
92 | + * ccs_audit_free_execve - Audit release of "struct ccs_execve". | |
93 | + * | |
94 | + * @ee: Pointer to "struct ccs_execve". | |
95 | + * @task: True if released by current task, false otherwise. | |
96 | + * | |
97 | + * Returns nothing. | |
98 | + */ | |
99 | +void ccs_audit_free_execve(const struct ccs_execve * const ee, | |
100 | + const bool is_current) | |
101 | +{ | |
102 | + const unsigned int tmp = ccs_update_ee_counter(-1); | |
103 | + if (is_current) | |
104 | + printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n", | |
105 | + ee, current->pid, tmp); | |
106 | + else | |
107 | + printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n", | |
108 | + ee, tmp); | |
109 | +} | |
110 | + | |
111 | +#endif | |
112 | + | |
113 | +#if !defined(CONFIG_AKARI_DEBUG) | |
114 | +#define ccs_debug_trace(pos) do { } while (0) | |
115 | +#else | |
116 | +#define ccs_debug_trace(pos) \ | |
117 | + do { \ | |
118 | + static bool done; \ | |
119 | + if (!done) { \ | |
120 | + printk(KERN_INFO \ | |
121 | + "AKARI: Debug trace: " pos " of 4\n"); \ | |
122 | + done = true; \ | |
123 | + } \ | |
124 | + } while (0) | |
125 | +#endif | |
126 | + | |
127 | +/** | |
128 | + * ccs_clear_execve - Release memory used by do_execve(). | |
129 | + * | |
130 | + * @ret: 0 if do_execve() succeeded, negative value otherwise. | |
131 | + * @security: Pointer to "struct ccs_security". | |
132 | + * | |
133 | + * Returns nothing. | |
134 | + */ | |
135 | +static void ccs_clear_execve(int ret, struct ccs_security *security) | |
136 | +{ | |
137 | + struct ccs_execve *ee; | |
138 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
139 | + return; | |
140 | + ee = security->ee; | |
141 | + security->ee = NULL; | |
142 | + if (!ee) | |
143 | + return; | |
144 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 31) | |
145 | + /* | |
146 | + * Drop refcount on "struct cred" in "struct linux_binprm" and forget | |
147 | + * it. | |
148 | + */ | |
149 | + put_cred(security->cred); | |
150 | + security->cred = NULL; | |
151 | +#endif | |
152 | + atomic_dec(&ccs_in_execve_tasks); | |
153 | + ccs_finish_execve(ret, ee); | |
154 | +} | |
155 | + | |
156 | +/** | |
157 | + * ccs_rcu_free - RCU callback for releasing "struct ccs_security". | |
158 | + * | |
159 | + * @rcu: Pointer to "struct rcu_head". | |
160 | + * | |
161 | + * Returns nothing. | |
162 | + */ | |
163 | +static void ccs_rcu_free(struct rcu_head *rcu) | |
164 | +{ | |
165 | + struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu); | |
166 | + struct ccs_execve *ee = ptr->ee; | |
167 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 31) | |
168 | + /* | |
169 | + * If this security context was associated with "struct pid" and | |
170 | + * ptr->ccs_flags has CCS_TASK_IS_IN_EXECVE set, it indicates that a | |
171 | + * "struct task_struct" associated with this security context exited | |
172 | + * immediately after do_execve() has failed. | |
173 | + */ | |
174 | + if (ptr->pid && (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE)) { | |
175 | + ccs_debug_trace("1"); | |
176 | + atomic_dec(&ccs_in_execve_tasks); | |
177 | + } | |
178 | +#else | |
179 | + /* | |
180 | + * If this security context was associated with "struct pid" and | |
181 | + * remembers "struct cred" in "struct linux_binprm", it indicates that | |
182 | + * a "struct task_struct" associated with this security context exited | |
183 | + * immediately after do_execve() has failed. | |
184 | + */ | |
185 | + if (ptr->pid && ptr->cred) { | |
186 | + ccs_debug_trace("1"); | |
187 | + put_cred(ptr->cred); | |
188 | + atomic_dec(&ccs_in_execve_tasks); | |
189 | + } | |
190 | +#endif | |
191 | + /* | |
192 | + * If this security context was associated with "struct pid", | |
193 | + * drop refcount obtained by get_pid() in ccs_find_task_security(). | |
194 | + */ | |
195 | + if (ptr->pid) { | |
196 | + ccs_debug_trace("2"); | |
197 | + put_pid(ptr->pid); | |
198 | + } | |
199 | + if (ee) { | |
200 | + ccs_debug_trace("3"); | |
201 | + ccs_audit_free_execve(ee, false); | |
202 | + kfree(ee->handler_path); | |
203 | + kfree(ee); | |
204 | + } | |
205 | + kfree(ptr); | |
206 | +} | |
207 | + | |
208 | +/** | |
209 | + * ccs_del_security - Release "struct ccs_security". | |
210 | + * | |
211 | + * @ptr: Pointer to "struct ccs_security". | |
212 | + * | |
213 | + * Returns nothing. | |
214 | + */ | |
215 | +static void ccs_del_security(struct ccs_security *ptr) | |
216 | +{ | |
217 | + unsigned long flags; | |
218 | + if (ptr == &ccs_default_security || ptr == &ccs_oom_security) | |
219 | + return; | |
220 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
221 | + list_del_rcu(&ptr->list); | |
222 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
223 | + call_rcu(&ptr->rcu, ccs_rcu_free); | |
224 | +} | |
225 | + | |
226 | +/** | |
227 | + * ccs_add_cred_security - Add "struct ccs_security" to list. | |
228 | + * | |
229 | + * @ptr: Pointer to "struct ccs_security". | |
230 | + * | |
231 | + * Returns nothing. | |
232 | + */ | |
233 | +static void ccs_add_cred_security(struct ccs_security *ptr) | |
234 | +{ | |
235 | + unsigned long flags; | |
236 | + struct list_head *list = &ccs_cred_security_list | |
237 | + [hash_ptr((void *) ptr->cred, CCS_TASK_SECURITY_HASH_BITS)]; | |
238 | +#ifdef CONFIG_AKARI_DEBUG | |
239 | + if (ptr->pid) | |
240 | + printk(KERN_INFO "AKARI: \"struct ccs_security\"->pid != NULL" | |
241 | + "\n"); | |
242 | +#endif | |
243 | + ptr->pid = NULL; | |
244 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
245 | + list_add_rcu(&ptr->list, list); | |
246 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
247 | +} | |
248 | + | |
249 | +/** | |
250 | + * ccs_task_create - Make snapshot of security context for new task. | |
251 | + * | |
252 | + * @clone_flags: Flags passed to clone(). | |
253 | + * | |
254 | + * Returns 0 on success, negative value otherwise. | |
255 | + */ | |
256 | +static int ccs_task_create(unsigned long clone_flags) | |
257 | +{ | |
258 | + int rc; | |
259 | + struct ccs_security *old_security; | |
260 | + struct ccs_security *new_security; | |
261 | + struct cred *cred = prepare_creds(); | |
262 | + if (!cred) | |
263 | + return -ENOMEM; | |
264 | + while (!original_security_ops.task_create) | |
265 | + smp_rmb(); | |
266 | + rc = original_security_ops.task_create(clone_flags); | |
267 | + if (rc) { | |
268 | + abort_creds(cred); | |
269 | + return rc; | |
270 | + } | |
271 | + old_security = ccs_find_task_security(current); | |
272 | + new_security = ccs_find_cred_security(cred); | |
273 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
274 | + new_security->ccs_flags = old_security->ccs_flags; | |
275 | + return commit_creds(cred); | |
276 | +} | |
277 | + | |
278 | +/** | |
279 | + * ccs_cred_prepare - Allocate memory for new credentials. | |
280 | + * | |
281 | + * @new: Pointer to "struct cred". | |
282 | + * @old: Pointer to "struct cred". | |
283 | + * @gfp: Memory allocation flags. | |
284 | + * | |
285 | + * Returns 0 on success, negative value otherwise. | |
286 | + */ | |
287 | +static int ccs_cred_prepare(struct cred *new, const struct cred *old, | |
288 | + gfp_t gfp) | |
289 | +{ | |
290 | + int rc; | |
291 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 31) | |
292 | + /* | |
293 | + * For checking whether reverting domain transition is needed or not. | |
294 | + * | |
295 | + * See ccs_find_task_security() for reason. | |
296 | + */ | |
297 | + if (gfp == GFP_KERNEL) | |
298 | + ccs_find_task_security(current); | |
299 | +#endif | |
300 | + rc = ccs_copy_cred_security(new, old, gfp); | |
301 | + if (rc) | |
302 | + return rc; | |
303 | + if (gfp == GFP_KERNEL) | |
304 | + ccs_task_security_gc(); | |
305 | + while (!original_security_ops.cred_prepare) | |
306 | + smp_rmb(); | |
307 | + rc = original_security_ops.cred_prepare(new, old, gfp); | |
308 | + if (rc) | |
309 | + ccs_del_security(ccs_find_cred_security(new)); | |
310 | + return rc; | |
311 | +} | |
312 | + | |
313 | +/** | |
314 | + * ccs_cred_free - Release memory used by credentials. | |
315 | + * | |
316 | + * @cred: Pointer to "struct cred". | |
317 | + * | |
318 | + * Returns nothing. | |
319 | + */ | |
320 | +static void ccs_cred_free(struct cred *cred) | |
321 | +{ | |
322 | + while (!original_security_ops.cred_free) | |
323 | + smp_rmb(); | |
324 | + original_security_ops.cred_free(cred); | |
325 | + ccs_del_security(ccs_find_cred_security(cred)); | |
326 | +} | |
327 | + | |
328 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32) | |
329 | + | |
330 | +/** | |
331 | + * ccs_alloc_cred_security - Allocate memory for new credentials. | |
332 | + * | |
333 | + * @cred: Pointer to "struct cred". | |
334 | + * @gfp: Memory allocation flags. | |
335 | + * | |
336 | + * Returns 0 on success, negative value otherwise. | |
337 | + */ | |
338 | +static int ccs_alloc_cred_security(const struct cred *cred, gfp_t gfp) | |
339 | +{ | |
340 | + struct ccs_security *new_security = kzalloc(sizeof(*new_security), | |
341 | + gfp); | |
342 | + if (!new_security) | |
343 | + return -ENOMEM; | |
344 | + new_security->cred = cred; | |
345 | + ccs_add_cred_security(new_security); | |
346 | + return 0; | |
347 | +} | |
348 | + | |
349 | +/** | |
350 | + * ccs_cred_alloc_blank - Allocate memory for new credentials. | |
351 | + * | |
352 | + * @new: Pointer to "struct cred". | |
353 | + * @gfp: Memory allocation flags. | |
354 | + * | |
355 | + * Returns 0 on success, negative value otherwise. | |
356 | + */ | |
357 | +static int ccs_cred_alloc_blank(struct cred *new, gfp_t gfp) | |
358 | +{ | |
359 | + int rc = ccs_alloc_cred_security(new, gfp); | |
360 | + if (rc) | |
361 | + return rc; | |
362 | + while (!original_security_ops.cred_alloc_blank) | |
363 | + smp_rmb(); | |
364 | + rc = original_security_ops.cred_alloc_blank(new, gfp); | |
365 | + if (rc) | |
366 | + ccs_del_security(ccs_find_cred_security(new)); | |
367 | + return rc; | |
368 | +} | |
369 | + | |
370 | +/** | |
371 | + * ccs_cred_transfer - Transfer "struct ccs_security" between credentials. | |
372 | + * | |
373 | + * @new: Pointer to "struct cred". | |
374 | + * @old: Pointer to "struct cred". | |
375 | + * | |
376 | + * Returns nothing. | |
377 | + */ | |
378 | +static void ccs_cred_transfer(struct cred *new, const struct cred *old) | |
379 | +{ | |
380 | + struct ccs_security *new_security; | |
381 | + struct ccs_security *old_security; | |
382 | + while (!original_security_ops.cred_transfer) | |
383 | + smp_rmb(); | |
384 | + original_security_ops.cred_transfer(new, old); | |
385 | + new_security = ccs_find_cred_security(new); | |
386 | + old_security = ccs_find_cred_security(old); | |
387 | + if (new_security == &ccs_default_security || | |
388 | + new_security == &ccs_oom_security || | |
389 | + old_security == &ccs_default_security || | |
390 | + old_security == &ccs_oom_security) | |
391 | + return; | |
392 | + new_security->ccs_flags = old_security->ccs_flags; | |
393 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
394 | +} | |
395 | + | |
396 | +#endif | |
397 | + | |
398 | +/** | |
399 | + * ccs_bprm_committing_creds - A hook which is called when do_execve() succeeded. | |
400 | + * | |
401 | + * @bprm: Pointer to "struct linux_binprm". | |
402 | + * | |
403 | + * Returns nothing. | |
404 | + */ | |
405 | +static void ccs_bprm_committing_creds(struct linux_binprm *bprm) | |
406 | +{ | |
407 | + struct ccs_security *old_security; | |
408 | + struct ccs_security *new_security; | |
409 | + while (!original_security_ops.bprm_committing_creds) | |
410 | + smp_rmb(); | |
411 | + original_security_ops.bprm_committing_creds(bprm); | |
412 | + old_security = ccs_current_security(); | |
413 | + if (old_security == &ccs_default_security || | |
414 | + old_security == &ccs_oom_security) | |
415 | + return; | |
416 | + ccs_clear_execve(0, old_security); | |
417 | + /* Update current task's cred's domain for future fork(). */ | |
418 | + new_security = ccs_find_cred_security(bprm->cred); | |
419 | + new_security->ccs_flags = old_security->ccs_flags; | |
420 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
421 | +} | |
422 | + | |
423 | +/** | |
424 | + * ccs_bprm_check_security - Check permission for execve(). | |
425 | + * | |
426 | + * @bprm: Pointer to "struct linux_binprm". | |
427 | + * | |
428 | + * Returns 0 on success, negative value otherwise. | |
429 | + */ | |
430 | +static int ccs_bprm_check_security(struct linux_binprm *bprm) | |
431 | +{ | |
432 | + struct ccs_security *security = ccs_current_security(); | |
433 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
434 | + return -ENOMEM; | |
435 | + if (!security->ee) { | |
436 | + int rc; | |
437 | +#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER | |
438 | + if (!ccs_policy_loaded) | |
439 | + ccs_load_policy(bprm->filename); | |
440 | +#endif | |
441 | + rc = ccs_start_execve(bprm, &security->ee); | |
442 | + if (security->ee) { | |
443 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 31) | |
444 | + /* | |
445 | + * Get refcount on "struct cred" in | |
446 | + * "struct linux_binprm" and remember it. | |
447 | + */ | |
448 | + get_cred(bprm->cred); | |
449 | + security->cred = bprm->cred; | |
450 | +#endif | |
451 | + atomic_inc(&ccs_in_execve_tasks); | |
452 | + } | |
453 | + if (rc) | |
454 | + return rc; | |
455 | + } | |
456 | + while (!original_security_ops.bprm_check_security) | |
457 | + smp_rmb(); | |
458 | + return original_security_ops.bprm_check_security(bprm); | |
459 | +} | |
460 | + | |
461 | +/** | |
462 | + * ccs_open - Check permission for open(). | |
463 | + * | |
464 | + * @f: Pointer to "struct file". | |
465 | + * | |
466 | + * Returns 0 on success, negative value otherwise. | |
467 | + */ | |
468 | +static int ccs_open(struct file *f) | |
469 | +{ | |
470 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33) | |
471 | + return ccs_open_permission(f); | |
472 | +#elif defined(RHEL_MAJOR) && RHEL_MAJOR == 6 | |
473 | + return ccs_open_permission(f->f_path.dentry, f->f_path.mnt, | |
474 | + f->f_flags); | |
475 | +#else | |
476 | + return ccs_open_permission(f->f_path.dentry, f->f_path.mnt, | |
477 | + f->f_flags + 1); | |
478 | +#endif | |
479 | +} | |
480 | + | |
481 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0) | |
482 | + | |
483 | +/** | |
484 | + * ccs_file_open - Check permission for open(). | |
485 | + * | |
486 | + * @f: Pointer to "struct file". | |
487 | + * @cred: Pointer to "struct cred". | |
488 | + * | |
489 | + * Returns 0 on success, negative value otherwise. | |
490 | + */ | |
491 | +static int ccs_file_open(struct file *f, const struct cred *cred) | |
492 | +{ | |
493 | + int rc = ccs_open(f); | |
494 | + if (rc) | |
495 | + return rc; | |
496 | + while (!original_security_ops.file_open) | |
497 | + smp_rmb(); | |
498 | + return original_security_ops.file_open(f, cred); | |
499 | +} | |
500 | + | |
501 | +#else | |
502 | + | |
503 | +/** | |
504 | + * ccs_dentry_open - Check permission for open(). | |
505 | + * | |
506 | + * @f: Pointer to "struct file". | |
507 | + * @cred: Pointer to "struct cred". | |
508 | + * | |
509 | + * Returns 0 on success, negative value otherwise. | |
510 | + */ | |
511 | +static int ccs_dentry_open(struct file *f, const struct cred *cred) | |
512 | +{ | |
513 | + int rc = ccs_open(f); | |
514 | + if (rc) | |
515 | + return rc; | |
516 | + while (!original_security_ops.dentry_open) | |
517 | + smp_rmb(); | |
518 | + return original_security_ops.dentry_open(f, cred); | |
519 | +} | |
520 | + | |
521 | +#endif | |
522 | + | |
523 | +#if defined(CONFIG_SECURITY_PATH) | |
524 | + | |
525 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0) | |
526 | + | |
527 | +/** | |
528 | + * ccs_path_chown - Check permission for chown()/chgrp(). | |
529 | + * | |
530 | + * @path: Pointer to "struct path". | |
531 | + * @user: User ID. | |
532 | + * @group: Group ID. | |
533 | + * | |
534 | + * Returns 0 on success, negative value otherwise. | |
535 | + */ | |
536 | +static int ccs_path_chown(struct path *path, kuid_t user, kgid_t group) | |
537 | +{ | |
538 | + int rc = ccs_chown_permission(path->dentry, path->mnt, user, group); | |
539 | + if (rc) | |
540 | + return rc; | |
541 | + while (!original_security_ops.path_chown) | |
542 | + smp_rmb(); | |
543 | + return original_security_ops.path_chown(path, user, group); | |
544 | +} | |
545 | + | |
546 | +/** | |
547 | + * ccs_path_chmod - Check permission for chmod(). | |
548 | + * | |
549 | + * @path: Pointer to "struct path". | |
550 | + * @mode: Mode. | |
551 | + * | |
552 | + * Returns 0 on success, negative value otherwise. | |
553 | + */ | |
554 | +static int ccs_path_chmod(struct path *path, umode_t mode) | |
555 | +{ | |
556 | + int rc = ccs_chmod_permission(path->dentry, path->mnt, mode); | |
557 | + if (rc) | |
558 | + return rc; | |
559 | + while (!original_security_ops.path_chmod) | |
560 | + smp_rmb(); | |
561 | + return original_security_ops.path_chmod(path, mode); | |
562 | +} | |
563 | + | |
564 | +/** | |
565 | + * ccs_path_chroot - Check permission for chroot(). | |
566 | + * | |
567 | + * @path: Pointer to "struct path". | |
568 | + * | |
569 | + * Returns 0 on success, negative value otherwise. | |
570 | + */ | |
571 | +static int ccs_path_chroot(struct path *path) | |
572 | +{ | |
573 | + int rc = ccs_chroot_permission(path); | |
574 | + if (rc) | |
575 | + return rc; | |
576 | + while (!original_security_ops.path_chroot) | |
577 | + smp_rmb(); | |
578 | + return original_security_ops.path_chroot(path); | |
579 | +} | |
580 | + | |
581 | +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33) | |
582 | + | |
583 | +/** | |
584 | + * ccs_path_chown - Check permission for chown()/chgrp(). | |
585 | + * | |
586 | + * @path: Pointer to "struct path". | |
587 | + * @user: User ID. | |
588 | + * @group: Group ID. | |
589 | + * | |
590 | + * Returns 0 on success, negative value otherwise. | |
591 | + */ | |
592 | +static int ccs_path_chown(struct path *path, uid_t user, gid_t group) | |
593 | +{ | |
594 | + int rc = ccs_chown_permission(path->dentry, path->mnt, user, group); | |
595 | + if (rc) | |
596 | + return rc; | |
597 | + while (!original_security_ops.path_chown) | |
598 | + smp_rmb(); | |
599 | + return original_security_ops.path_chown(path, user, group); | |
600 | +} | |
601 | + | |
602 | +#if defined(USE_UMODE_T) | |
603 | + | |
604 | +/** | |
605 | + * ccs_path_chmod - Check permission for chmod(). | |
606 | + * | |
607 | + * @path: Pointer to "struct path". | |
608 | + * @mode: Mode. | |
609 | + * | |
610 | + * Returns 0 on success, negative value otherwise. | |
611 | + */ | |
612 | +static int ccs_path_chmod(struct path *path, umode_t mode) | |
613 | +{ | |
614 | + int rc = ccs_chmod_permission(path->dentry, path->mnt, mode); | |
615 | + if (rc) | |
616 | + return rc; | |
617 | + while (!original_security_ops.path_chmod) | |
618 | + smp_rmb(); | |
619 | + return original_security_ops.path_chmod(path, mode); | |
620 | +} | |
621 | + | |
622 | +#else | |
623 | + | |
624 | +/** | |
625 | + * ccs_path_chmod - Check permission for chmod(). | |
626 | + * | |
627 | + * @dentry: Pointer to "struct dentry". | |
628 | + * @vfsmnt: Pointer to "struct vfsmount". | |
629 | + * @mode: Mode. | |
630 | + * | |
631 | + * Returns 0 on success, negative value otherwise. | |
632 | + */ | |
633 | +static int ccs_path_chmod(struct dentry *dentry, struct vfsmount *vfsmnt, | |
634 | + mode_t mode) | |
635 | +{ | |
636 | + int rc = ccs_chmod_permission(dentry, vfsmnt, mode); | |
637 | + if (rc) | |
638 | + return rc; | |
639 | + while (!original_security_ops.path_chmod) | |
640 | + smp_rmb(); | |
641 | + return original_security_ops.path_chmod(dentry, vfsmnt, mode); | |
642 | +} | |
643 | + | |
644 | +#endif | |
645 | + | |
646 | +/** | |
647 | + * ccs_path_chroot - Check permission for chroot(). | |
648 | + * | |
649 | + * @path: Pointer to "struct path". | |
650 | + * | |
651 | + * Returns 0 on success, negative value otherwise. | |
652 | + */ | |
653 | +static int ccs_path_chroot(struct path *path) | |
654 | +{ | |
655 | + int rc = ccs_chroot_permission(path); | |
656 | + if (rc) | |
657 | + return rc; | |
658 | + while (!original_security_ops.path_chroot) | |
659 | + smp_rmb(); | |
660 | + return original_security_ops.path_chroot(path); | |
661 | +} | |
662 | + | |
663 | +#endif | |
664 | + | |
665 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36) | |
666 | + | |
667 | +/** | |
668 | + * ccs_path_truncate - Check permission for truncate(). | |
669 | + * | |
670 | + * @path: Pointer to "struct path". | |
671 | + * | |
672 | + * Returns 0 on success, negative value otherwise. | |
673 | + */ | |
674 | +static int ccs_path_truncate(struct path *path) | |
675 | +{ | |
676 | + int rc = ccs_truncate_permission(path->dentry, path->mnt); | |
677 | + if (rc) | |
678 | + return rc; | |
679 | + while (!original_security_ops.path_truncate) | |
680 | + smp_rmb(); | |
681 | + return original_security_ops.path_truncate(path); | |
682 | +} | |
683 | + | |
684 | +#else | |
685 | + | |
686 | +/** | |
687 | + * ccs_path_truncate - Check permission for truncate(). | |
688 | + * | |
689 | + * @path: Pointer to "struct path". | |
690 | + * @length: New length. | |
691 | + * @time_attrs: New time attributes. | |
692 | + * | |
693 | + * Returns 0 on success, negative value otherwise. | |
694 | + */ | |
695 | +static int ccs_path_truncate(struct path *path, loff_t length, | |
696 | + unsigned int time_attrs) | |
697 | +{ | |
698 | + int rc = ccs_truncate_permission(path->dentry, path->mnt); | |
699 | + if (rc) | |
700 | + return rc; | |
701 | + while (!original_security_ops.path_truncate) | |
702 | + smp_rmb(); | |
703 | + return original_security_ops.path_truncate(path, length, time_attrs); | |
704 | +} | |
705 | + | |
706 | +#endif | |
707 | + | |
708 | +#endif | |
709 | + | |
710 | +/** | |
711 | + * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate(). | |
712 | + * | |
713 | + * @dentry: Pointer to "struct dentry". | |
714 | + * @attr: Pointer to "struct iattr". | |
715 | + * | |
716 | + * Returns 0 on success, negative value otherwise. | |
717 | + */ | |
718 | +static int ccs_inode_setattr(struct dentry *dentry, struct iattr *attr) | |
719 | +{ | |
720 | + int rc = 0; | |
721 | +#if !defined(CONFIG_SECURITY_PATH) || LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) | |
722 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0) | |
723 | + if (attr->ia_valid & ATTR_UID) | |
724 | + rc = ccs_chown_permission(dentry, NULL, attr->ia_uid, | |
725 | + INVALID_GID); | |
726 | + if (!rc && (attr->ia_valid & ATTR_GID)) | |
727 | + rc = ccs_chown_permission(dentry, NULL, INVALID_UID, | |
728 | + attr->ia_gid); | |
729 | +#else | |
730 | + if (attr->ia_valid & ATTR_UID) | |
731 | + rc = ccs_chown_permission(dentry, NULL, attr->ia_uid, -1); | |
732 | + if (!rc && (attr->ia_valid & ATTR_GID)) | |
733 | + rc = ccs_chown_permission(dentry, NULL, -1, attr->ia_gid); | |
734 | +#endif | |
735 | + if (!rc && (attr->ia_valid & ATTR_MODE)) | |
736 | + rc = ccs_chmod_permission(dentry, NULL, attr->ia_mode); | |
737 | +#endif | |
738 | +#if !defined(CONFIG_SECURITY_PATH) | |
739 | + if (!rc && (attr->ia_valid & ATTR_SIZE)) | |
740 | + rc = ccs_truncate_permission(dentry, NULL); | |
741 | +#endif | |
742 | + if (rc) | |
743 | + return rc; | |
744 | + while (!original_security_ops.inode_setattr) | |
745 | + smp_rmb(); | |
746 | + return original_security_ops.inode_setattr(dentry, attr); | |
747 | +} | |
748 | + | |
749 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0) | |
750 | + | |
751 | +/** | |
752 | + * ccs_inode_getattr - Check permission for stat(). | |
753 | + * | |
754 | + * @path: Pointer to "struct path". | |
755 | + * | |
756 | + * Returns 0 on success, negative value otherwise. | |
757 | + */ | |
758 | +static int ccs_inode_getattr(const struct path *path) | |
759 | +{ | |
760 | + int rc = ccs_getattr_permission(path->mnt, path->dentry); | |
761 | + if (rc) | |
762 | + return rc; | |
763 | + while (!original_security_ops.inode_getattr) | |
764 | + smp_rmb(); | |
765 | + return original_security_ops.inode_getattr(path); | |
766 | +} | |
767 | + | |
768 | +#else | |
769 | + | |
770 | +/** | |
771 | + * ccs_inode_getattr - Check permission for stat(). | |
772 | + * | |
773 | + * @mnt: Pointer to "struct vfsmount". | |
774 | + * @dentry: Pointer to "struct dentry". | |
775 | + * | |
776 | + * Returns 0 on success, negative value otherwise. | |
777 | + */ | |
778 | +static int ccs_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | |
779 | +{ | |
780 | + int rc = ccs_getattr_permission(mnt, dentry); | |
781 | + if (rc) | |
782 | + return rc; | |
783 | + while (!original_security_ops.inode_getattr) | |
784 | + smp_rmb(); | |
785 | + return original_security_ops.inode_getattr(mnt, dentry); | |
786 | +} | |
787 | + | |
788 | +#endif | |
789 | + | |
790 | +#if defined(CONFIG_SECURITY_PATH) | |
791 | + | |
792 | +#if defined(USE_UMODE_T) | |
793 | + | |
794 | +/** | |
795 | + * ccs_path_mknod - Check permission for mknod(). | |
796 | + * | |
797 | + * @dir: Pointer to "struct path". | |
798 | + * @dentry: Pointer to "struct dentry". | |
799 | + * @mode: Create mode. | |
800 | + * @dev: Device major/minor number. | |
801 | + * | |
802 | + * Returns 0 on success, negative value otherwise. | |
803 | + */ | |
804 | +static int ccs_path_mknod(struct path *dir, struct dentry *dentry, | |
805 | + umode_t mode, unsigned int dev) | |
806 | +{ | |
807 | + int rc = ccs_mknod_permission(dentry, dir->mnt, mode, dev); | |
808 | + if (rc) | |
809 | + return rc; | |
810 | + while (!original_security_ops.path_mknod) | |
811 | + smp_rmb(); | |
812 | + return original_security_ops.path_mknod(dir, dentry, mode, dev); | |
813 | +} | |
814 | + | |
815 | +/** | |
816 | + * ccs_path_mkdir - Check permission for mkdir(). | |
817 | + * | |
818 | + * @dir: Pointer to "struct path". | |
819 | + * @dentry: Pointer to "struct dentry". | |
820 | + * @mode: Create mode. | |
821 | + * | |
822 | + * Returns 0 on success, negative value otherwise. | |
823 | + */ | |
824 | +static int ccs_path_mkdir(struct path *dir, struct dentry *dentry, | |
825 | + umode_t mode) | |
826 | +{ | |
827 | + int rc = ccs_mkdir_permission(dentry, dir->mnt, mode); | |
828 | + if (rc) | |
829 | + return rc; | |
830 | + while (!original_security_ops.path_mkdir) | |
831 | + smp_rmb(); | |
832 | + return original_security_ops.path_mkdir(dir, dentry, mode); | |
833 | +} | |
834 | + | |
835 | +#else | |
836 | + | |
837 | +/** | |
838 | + * ccs_path_mknod - Check permission for mknod(). | |
839 | + * | |
840 | + * @dir: Pointer to "struct path". | |
841 | + * @dentry: Pointer to "struct dentry". | |
842 | + * @mode: Create mode. | |
843 | + * @dev: Device major/minor number. | |
844 | + * | |
845 | + * Returns 0 on success, negative value otherwise. | |
846 | + */ | |
847 | +static int ccs_path_mknod(struct path *dir, struct dentry *dentry, int mode, | |
848 | + unsigned int dev) | |
849 | +{ | |
850 | + int rc = ccs_mknod_permission(dentry, dir->mnt, mode, dev); | |
851 | + if (rc) | |
852 | + return rc; | |
853 | + while (!original_security_ops.path_mknod) | |
854 | + smp_rmb(); | |
855 | + return original_security_ops.path_mknod(dir, dentry, mode, dev); | |
856 | +} | |
857 | + | |
858 | +/** | |
859 | + * ccs_path_mkdir - Check permission for mkdir(). | |
860 | + * | |
861 | + * @dir: Pointer to "struct path". | |
862 | + * @dentry: Pointer to "struct dentry". | |
863 | + * @mode: Create mode. | |
864 | + * | |
865 | + * Returns 0 on success, negative value otherwise. | |
866 | + */ | |
867 | +static int ccs_path_mkdir(struct path *dir, struct dentry *dentry, int mode) | |
868 | +{ | |
869 | + int rc = ccs_mkdir_permission(dentry, dir->mnt, mode); | |
870 | + if (rc) | |
871 | + return rc; | |
872 | + while (!original_security_ops.path_mkdir) | |
873 | + smp_rmb(); | |
874 | + return original_security_ops.path_mkdir(dir, dentry, mode); | |
875 | +} | |
876 | + | |
877 | +#endif | |
878 | + | |
879 | +/** | |
880 | + * ccs_path_rmdir - Check permission for rmdir(). | |
881 | + * | |
882 | + * @dir: Pointer to "struct path". | |
883 | + * @dentry: Pointer to "struct dentry". | |
884 | + * | |
885 | + * Returns 0 on success, negative value otherwise. | |
886 | + */ | |
887 | +static int ccs_path_rmdir(struct path *dir, struct dentry *dentry) | |
888 | +{ | |
889 | + int rc = ccs_rmdir_permission(dentry, dir->mnt); | |
890 | + if (rc) | |
891 | + return rc; | |
892 | + while (!original_security_ops.path_rmdir) | |
893 | + smp_rmb(); | |
894 | + return original_security_ops.path_rmdir(dir, dentry); | |
895 | +} | |
896 | + | |
897 | +/** | |
898 | + * ccs_path_unlink - Check permission for unlink(). | |
899 | + * | |
900 | + * @dir: Pointer to "struct path". | |
901 | + * @dentry: Pointer to "struct dentry". | |
902 | + * | |
903 | + * Returns 0 on success, negative value otherwise. | |
904 | + */ | |
905 | +static int ccs_path_unlink(struct path *dir, struct dentry *dentry) | |
906 | +{ | |
907 | + int rc = ccs_unlink_permission(dentry, dir->mnt); | |
908 | + if (rc) | |
909 | + return rc; | |
910 | + while (!original_security_ops.path_unlink) | |
911 | + smp_rmb(); | |
912 | + return original_security_ops.path_unlink(dir, dentry); | |
913 | +} | |
914 | + | |
915 | +/** | |
916 | + * ccs_path_symlink - Check permission for symlink(). | |
917 | + * | |
918 | + * @dir: Pointer to "struct path". | |
919 | + * @dentry: Pointer to "struct dentry". | |
920 | + * @old_name: Content of symbolic link. | |
921 | + * | |
922 | + * Returns 0 on success, negative value otherwise. | |
923 | + */ | |
924 | +static int ccs_path_symlink(struct path *dir, struct dentry *dentry, | |
925 | + const char *old_name) | |
926 | +{ | |
927 | + int rc = ccs_symlink_permission(dentry, dir->mnt, old_name); | |
928 | + if (rc) | |
929 | + return rc; | |
930 | + while (!original_security_ops.path_symlink) | |
931 | + smp_rmb(); | |
932 | + return original_security_ops.path_symlink(dir, dentry, old_name); | |
933 | +} | |
934 | + | |
935 | +/** | |
936 | + * ccs_path_rename - Check permission for rename(). | |
937 | + * | |
938 | + * @old_dir: Pointer to "struct path". | |
939 | + * @old_dentry: Pointer to "struct dentry". | |
940 | + * @new_dir: Pointer to "struct path". | |
941 | + * @new_dentry: Pointer to "struct dentry". | |
942 | + * | |
943 | + * Returns 0 on success, negative value otherwise. | |
944 | + */ | |
945 | +static int ccs_path_rename(struct path *old_dir, struct dentry *old_dentry, | |
946 | + struct path *new_dir, struct dentry *new_dentry) | |
947 | +{ | |
948 | + int rc = ccs_rename_permission(old_dentry, new_dentry, old_dir->mnt); | |
949 | + if (rc) | |
950 | + return rc; | |
951 | + while (!original_security_ops.path_rename) | |
952 | + smp_rmb(); | |
953 | + return original_security_ops.path_rename(old_dir, old_dentry, new_dir, | |
954 | + new_dentry); | |
955 | +} | |
956 | + | |
957 | +/** | |
958 | + * ccs_path_link - Check permission for link(). | |
959 | + * | |
960 | + * @old_dentry: Pointer to "struct dentry". | |
961 | + * @new_dir: Pointer to "struct path". | |
962 | + * @new_dentry: Pointer to "struct dentry". | |
963 | + * | |
964 | + * Returns 0 on success, negative value otherwise. | |
965 | + */ | |
966 | +static int ccs_path_link(struct dentry *old_dentry, struct path *new_dir, | |
967 | + struct dentry *new_dentry) | |
968 | +{ | |
969 | + int rc = ccs_link_permission(old_dentry, new_dentry, new_dir->mnt); | |
970 | + if (rc) | |
971 | + return rc; | |
972 | + while (!original_security_ops.path_link) | |
973 | + smp_rmb(); | |
974 | + return original_security_ops.path_link(old_dentry, new_dir, | |
975 | + new_dentry); | |
976 | +} | |
977 | + | |
978 | +#else | |
979 | + | |
980 | +#if defined(USE_UMODE_T) | |
981 | + | |
982 | +/** | |
983 | + * ccs_inode_mknod - Check permission for mknod(). | |
984 | + * | |
985 | + * @dir: Pointer to "struct inode". | |
986 | + * @dentry: Pointer to "struct dentry". | |
987 | + * @mode: Create mode. | |
988 | + * @dev: Device major/minor number. | |
989 | + * | |
990 | + * Returns 0 on success, negative value otherwise. | |
991 | + */ | |
992 | +static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry, | |
993 | + umode_t mode, dev_t dev) | |
994 | +{ | |
995 | + int rc = ccs_mknod_permission(dentry, NULL, mode, dev); | |
996 | + if (rc) | |
997 | + return rc; | |
998 | + while (!original_security_ops.inode_mknod) | |
999 | + smp_rmb(); | |
1000 | + return original_security_ops.inode_mknod(dir, dentry, mode, dev); | |
1001 | +} | |
1002 | + | |
1003 | +/** | |
1004 | + * ccs_inode_mkdir - Check permission for mkdir(). | |
1005 | + * | |
1006 | + * @dir: Pointer to "struct inode". | |
1007 | + * @dentry: Pointer to "struct dentry". | |
1008 | + * @mode: Create mode. | |
1009 | + * | |
1010 | + * Returns 0 on success, negative value otherwise. | |
1011 | + */ | |
1012 | +static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry, | |
1013 | + umode_t mode) | |
1014 | +{ | |
1015 | + int rc = ccs_mkdir_permission(dentry, NULL, mode); | |
1016 | + if (rc) | |
1017 | + return rc; | |
1018 | + while (!original_security_ops.inode_mkdir) | |
1019 | + smp_rmb(); | |
1020 | + return original_security_ops.inode_mkdir(dir, dentry, mode); | |
1021 | +} | |
1022 | + | |
1023 | +#else | |
1024 | + | |
1025 | +/** | |
1026 | + * ccs_inode_mknod - Check permission for mknod(). | |
1027 | + * | |
1028 | + * @dir: Pointer to "struct inode". | |
1029 | + * @dentry: Pointer to "struct dentry". | |
1030 | + * @mode: Create mode. | |
1031 | + * @dev: Device major/minor number. | |
1032 | + * | |
1033 | + * Returns 0 on success, negative value otherwise. | |
1034 | + */ | |
1035 | +static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, | |
1036 | + dev_t dev) | |
1037 | +{ | |
1038 | + int rc = ccs_mknod_permission(dentry, NULL, mode, dev); | |
1039 | + if (rc) | |
1040 | + return rc; | |
1041 | + while (!original_security_ops.inode_mknod) | |
1042 | + smp_rmb(); | |
1043 | + return original_security_ops.inode_mknod(dir, dentry, mode, dev); | |
1044 | +} | |
1045 | + | |
1046 | +/** | |
1047 | + * ccs_inode_mkdir - Check permission for mkdir(). | |
1048 | + * | |
1049 | + * @dir: Pointer to "struct inode". | |
1050 | + * @dentry: Pointer to "struct dentry". | |
1051 | + * @mode: Create mode. | |
1052 | + * | |
1053 | + * Returns 0 on success, negative value otherwise. | |
1054 | + */ | |
1055 | +static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode) | |
1056 | +{ | |
1057 | + int rc = ccs_mkdir_permission(dentry, NULL, mode); | |
1058 | + if (rc) | |
1059 | + return rc; | |
1060 | + while (!original_security_ops.inode_mkdir) | |
1061 | + smp_rmb(); | |
1062 | + return original_security_ops.inode_mkdir(dir, dentry, mode); | |
1063 | +} | |
1064 | + | |
1065 | +#endif | |
1066 | + | |
1067 | +/** | |
1068 | + * ccs_inode_rmdir - Check permission for rmdir(). | |
1069 | + * | |
1070 | + * @dir: Pointer to "struct inode". | |
1071 | + * @dentry: Pointer to "struct dentry". | |
1072 | + * | |
1073 | + * Returns 0 on success, negative value otherwise. | |
1074 | + */ | |
1075 | +static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry) | |
1076 | +{ | |
1077 | + int rc = ccs_rmdir_permission(dentry, NULL); | |
1078 | + if (rc) | |
1079 | + return rc; | |
1080 | + while (!original_security_ops.inode_rmdir) | |
1081 | + smp_rmb(); | |
1082 | + return original_security_ops.inode_rmdir(dir, dentry); | |
1083 | +} | |
1084 | + | |
1085 | +/** | |
1086 | + * ccs_inode_unlink - Check permission for unlink(). | |
1087 | + * | |
1088 | + * @dir: Pointer to "struct inode". | |
1089 | + * @dentry: Pointer to "struct dentry". | |
1090 | + * | |
1091 | + * Returns 0 on success, negative value otherwise. | |
1092 | + */ | |
1093 | +static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry) | |
1094 | +{ | |
1095 | + int rc = ccs_unlink_permission(dentry, NULL); | |
1096 | + if (rc) | |
1097 | + return rc; | |
1098 | + while (!original_security_ops.inode_unlink) | |
1099 | + smp_rmb(); | |
1100 | + return original_security_ops.inode_unlink(dir, dentry); | |
1101 | +} | |
1102 | + | |
1103 | +/** | |
1104 | + * ccs_inode_symlink - Check permission for symlink(). | |
1105 | + * | |
1106 | + * @dir: Pointer to "struct inode". | |
1107 | + * @dentry: Pointer to "struct dentry". | |
1108 | + * @old_name: Content of symbolic link. | |
1109 | + * | |
1110 | + * Returns 0 on success, negative value otherwise. | |
1111 | + */ | |
1112 | +static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry, | |
1113 | + const char *old_name) | |
1114 | +{ | |
1115 | + int rc = ccs_symlink_permission(dentry, NULL, old_name); | |
1116 | + if (rc) | |
1117 | + return rc; | |
1118 | + while (!original_security_ops.inode_symlink) | |
1119 | + smp_rmb(); | |
1120 | + return original_security_ops.inode_symlink(dir, dentry, old_name); | |
1121 | +} | |
1122 | + | |
1123 | +/** | |
1124 | + * ccs_inode_rename - Check permission for rename(). | |
1125 | + * | |
1126 | + * @old_dir: Pointer to "struct inode". | |
1127 | + * @old_dentry: Pointer to "struct dentry". | |
1128 | + * @new_dir: Pointer to "struct inode". | |
1129 | + * @new_dentry: Pointer to "struct dentry". | |
1130 | + * | |
1131 | + * Returns 0 on success, negative value otherwise. | |
1132 | + */ | |
1133 | +static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry, | |
1134 | + struct inode *new_dir, struct dentry *new_dentry) | |
1135 | +{ | |
1136 | + int rc = ccs_rename_permission(old_dentry, new_dentry, NULL); | |
1137 | + if (rc) | |
1138 | + return rc; | |
1139 | + while (!original_security_ops.inode_rename) | |
1140 | + smp_rmb(); | |
1141 | + return original_security_ops.inode_rename(old_dir, old_dentry, new_dir, | |
1142 | + new_dentry); | |
1143 | +} | |
1144 | + | |
1145 | +/** | |
1146 | + * ccs_inode_link - Check permission for link(). | |
1147 | + * | |
1148 | + * @old_dentry: Pointer to "struct dentry". | |
1149 | + * @dir: Pointer to "struct inode". | |
1150 | + * @new_dentry: Pointer to "struct dentry". | |
1151 | + * | |
1152 | + * Returns 0 on success, negative value otherwise. | |
1153 | + */ | |
1154 | +static int ccs_inode_link(struct dentry *old_dentry, struct inode *dir, | |
1155 | + struct dentry *new_dentry) | |
1156 | +{ | |
1157 | + int rc = ccs_link_permission(old_dentry, new_dentry, NULL); | |
1158 | + if (rc) | |
1159 | + return rc; | |
1160 | + while (!original_security_ops.inode_link) | |
1161 | + smp_rmb(); | |
1162 | + return original_security_ops.inode_link(old_dentry, dir, new_dentry); | |
1163 | +} | |
1164 | + | |
1165 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 3, 0) | |
1166 | + | |
1167 | +/** | |
1168 | + * ccs_inode_create - Check permission for creat(). | |
1169 | + * | |
1170 | + * @dir: Pointer to "struct inode". | |
1171 | + * @dentry: Pointer to "struct dentry". | |
1172 | + * @mode: Create mode. | |
1173 | + * | |
1174 | + * Returns 0 on success, negative value otherwise. | |
1175 | + */ | |
1176 | +static int ccs_inode_create(struct inode *dir, struct dentry *dentry, | |
1177 | + umode_t mode) | |
1178 | +{ | |
1179 | + int rc = ccs_mknod_permission(dentry, NULL, mode, 0); | |
1180 | + if (rc) | |
1181 | + return rc; | |
1182 | + while (!original_security_ops.inode_create) | |
1183 | + smp_rmb(); | |
1184 | + return original_security_ops.inode_create(dir, dentry, mode); | |
1185 | +} | |
1186 | + | |
1187 | +#else | |
1188 | + | |
1189 | +/** | |
1190 | + * ccs_inode_create - Check permission for creat(). | |
1191 | + * | |
1192 | + * @dir: Pointer to "struct inode". | |
1193 | + * @dentry: Pointer to "struct dentry". | |
1194 | + * @mode: Create mode. | |
1195 | + * | |
1196 | + * Returns 0 on success, negative value otherwise. | |
1197 | + */ | |
1198 | +static int ccs_inode_create(struct inode *dir, struct dentry *dentry, | |
1199 | + int mode) | |
1200 | +{ | |
1201 | + int rc = ccs_mknod_permission(dentry, NULL, mode, 0); | |
1202 | + if (rc) | |
1203 | + return rc; | |
1204 | + while (!original_security_ops.inode_create) | |
1205 | + smp_rmb(); | |
1206 | + return original_security_ops.inode_create(dir, dentry, mode); | |
1207 | +} | |
1208 | + | |
1209 | +#endif | |
1210 | + | |
1211 | +#endif | |
1212 | + | |
1213 | +#ifdef CONFIG_SECURITY_NETWORK | |
1214 | + | |
1215 | +#include <net/sock.h> | |
1216 | + | |
1217 | +/* Structure for remembering an accept()ed socket's status. */ | |
1218 | +struct ccs_socket_tag { | |
1219 | + struct list_head list; | |
1220 | + struct inode *inode; | |
1221 | + int status; | |
1222 | + struct rcu_head rcu; | |
1223 | +}; | |
1224 | + | |
1225 | +/* | |
1226 | + * List for managing accept()ed sockets. | |
1227 | + * Since we don't need to keep an accept()ed socket into this list after | |
1228 | + * once the permission was granted, the number of entries in this list is | |
1229 | + * likely small. Therefore, we don't use hash tables. | |
1230 | + */ | |
1231 | +static LIST_HEAD(ccs_accepted_socket_list); | |
1232 | +/* Lock for protecting ccs_accepted_socket_list . */ | |
1233 | +static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock); | |
1234 | + | |
1235 | +/** | |
1236 | + * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag". | |
1237 | + * | |
1238 | + * @rcu: Pointer to "struct rcu_head". | |
1239 | + * | |
1240 | + * Returns nothing. | |
1241 | + */ | |
1242 | +static void ccs_socket_rcu_free(struct rcu_head *rcu) | |
1243 | +{ | |
1244 | + struct ccs_socket_tag *ptr = container_of(rcu, typeof(*ptr), rcu); | |
1245 | + kfree(ptr); | |
1246 | +} | |
1247 | + | |
1248 | +/** | |
1249 | + * ccs_update_socket_tag - Update tag associated with accept()ed sockets. | |
1250 | + * | |
1251 | + * @inode: Pointer to "struct inode". | |
1252 | + * @status: New status. | |
1253 | + * | |
1254 | + * Returns nothing. | |
1255 | + * | |
1256 | + * If @status == 0, memory for that socket will be released after RCU grace | |
1257 | + * period. | |
1258 | + */ | |
1259 | +static void ccs_update_socket_tag(struct inode *inode, int status) | |
1260 | +{ | |
1261 | + struct ccs_socket_tag *ptr; | |
1262 | + /* | |
1263 | + * Protect whole section because multiple threads may call this | |
1264 | + * function with same "sock" via ccs_validate_socket(). | |
1265 | + */ | |
1266 | + spin_lock(&ccs_accepted_socket_list_lock); | |
1267 | + rcu_read_lock(); | |
1268 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
1269 | + if (ptr->inode != inode) | |
1270 | + continue; | |
1271 | + ptr->status = status; | |
1272 | + if (status) | |
1273 | + break; | |
1274 | + list_del_rcu(&ptr->list); | |
1275 | + call_rcu(&ptr->rcu, ccs_socket_rcu_free); | |
1276 | + break; | |
1277 | + } | |
1278 | + rcu_read_unlock(); | |
1279 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
1280 | +} | |
1281 | + | |
1282 | +/** | |
1283 | + * ccs_validate_socket - Check post accept() permission if needed. | |
1284 | + * | |
1285 | + * @sock: Pointer to "struct socket". | |
1286 | + * | |
1287 | + * Returns 0 on success, negative value otherwise. | |
1288 | + */ | |
1289 | +static int ccs_validate_socket(struct socket *sock) | |
1290 | +{ | |
1291 | + struct inode *inode = SOCK_INODE(sock); | |
1292 | + struct ccs_socket_tag *ptr; | |
1293 | + int ret = 0; | |
1294 | + rcu_read_lock(); | |
1295 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
1296 | + if (ptr->inode != inode) | |
1297 | + continue; | |
1298 | + ret = ptr->status; | |
1299 | + break; | |
1300 | + } | |
1301 | + rcu_read_unlock(); | |
1302 | + if (ret <= 0) | |
1303 | + /* | |
1304 | + * This socket is not an accept()ed socket or this socket is | |
1305 | + * an accept()ed socket and post accept() permission is done. | |
1306 | + */ | |
1307 | + return ret; | |
1308 | + /* | |
1309 | + * Check post accept() permission now. | |
1310 | + * | |
1311 | + * Strictly speaking, we need to pass both listen()ing socket and | |
1312 | + * accept()ed socket to __ccs_socket_post_accept_permission(). | |
1313 | + * But since socket's family and type are same for both sockets, | |
1314 | + * passing the accept()ed socket in place for the listen()ing socket | |
1315 | + * will work. | |
1316 | + */ | |
1317 | + ret = ccs_socket_post_accept_permission(sock, sock); | |
1318 | + /* | |
1319 | + * If permission was granted, we forget that this is an accept()ed | |
1320 | + * socket. Otherwise, we remember that this socket needs to return | |
1321 | + * error for subsequent socketcalls. | |
1322 | + */ | |
1323 | + ccs_update_socket_tag(inode, ret); | |
1324 | + return ret; | |
1325 | +} | |
1326 | + | |
1327 | +/** | |
1328 | + * ccs_socket_accept - Check permission for accept(). | |
1329 | + * | |
1330 | + * @sock: Pointer to "struct socket". | |
1331 | + * @newsock: Pointer to "struct socket". | |
1332 | + * | |
1333 | + * Returns 0 on success, negative value otherwise. | |
1334 | + * | |
1335 | + * This hook is used for setting up environment for doing post accept() | |
1336 | + * permission check. If dereferencing sock->ops->something() were ordered by | |
1337 | + * rcu_dereference(), we could replace sock->ops with "a copy of original | |
1338 | + * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer() | |
1339 | + * in order to do post accept() permission check before returning to userspace. | |
1340 | + * If we make the copy in security_socket_post_create(), it would be possible | |
1341 | + * to safely replace sock->ops here, but we don't do so because we don't want | |
1342 | + * to allocate memory for sockets which do not call sock->ops->accept(). | |
1343 | + * Therefore, we do post accept() permission check upon next socket syscalls | |
1344 | + * rather than between sock->ops->accept() and returning to userspace. | |
1345 | + * This means that if a socket was close()d before calling some socket | |
1346 | + * syscalls, post accept() permission check will not be done. | |
1347 | + */ | |
1348 | +static int ccs_socket_accept(struct socket *sock, struct socket *newsock) | |
1349 | +{ | |
1350 | + struct ccs_socket_tag *ptr; | |
1351 | + int rc = ccs_validate_socket(sock); | |
1352 | + if (rc < 0) | |
1353 | + return rc; | |
1354 | + ptr = kzalloc(sizeof(*ptr), GFP_KERNEL); | |
1355 | + if (!ptr) | |
1356 | + return -ENOMEM; | |
1357 | + while (!original_security_ops.socket_accept) | |
1358 | + smp_rmb(); | |
1359 | + rc = original_security_ops.socket_accept(sock, newsock); | |
1360 | + if (rc) { | |
1361 | + kfree(ptr); | |
1362 | + return rc; | |
1363 | + } | |
1364 | + /* | |
1365 | + * Subsequent LSM hooks will receive "newsock". Therefore, I mark | |
1366 | + * "newsock" as "an accept()ed socket but post accept() permission | |
1367 | + * check is not done yet" by allocating memory using inode of the | |
1368 | + * "newsock" as a search key. | |
1369 | + */ | |
1370 | + ptr->inode = SOCK_INODE(newsock); | |
1371 | + ptr->status = 1; /* Check post accept() permission later. */ | |
1372 | + spin_lock(&ccs_accepted_socket_list_lock); | |
1373 | + list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list); | |
1374 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
1375 | + return 0; | |
1376 | +} | |
1377 | + | |
1378 | +/** | |
1379 | + * ccs_socket_listen - Check permission for listen(). | |
1380 | + * | |
1381 | + * @sock: Pointer to "struct socket". | |
1382 | + * @backlog: Backlog parameter. | |
1383 | + * | |
1384 | + * Returns 0 on success, negative value otherwise. | |
1385 | + */ | |
1386 | +static int ccs_socket_listen(struct socket *sock, int backlog) | |
1387 | +{ | |
1388 | + int rc = ccs_validate_socket(sock); | |
1389 | + if (rc < 0) | |
1390 | + return rc; | |
1391 | + rc = ccs_socket_listen_permission(sock); | |
1392 | + if (rc) | |
1393 | + return rc; | |
1394 | + while (!original_security_ops.socket_listen) | |
1395 | + smp_rmb(); | |
1396 | + return original_security_ops.socket_listen(sock, backlog); | |
1397 | +} | |
1398 | + | |
1399 | +/** | |
1400 | + * ccs_socket_connect - Check permission for connect(). | |
1401 | + * | |
1402 | + * @sock: Pointer to "struct socket". | |
1403 | + * @addr: Pointer to "struct sockaddr". | |
1404 | + * @addr_len: Size of @addr. | |
1405 | + * | |
1406 | + * Returns 0 on success, negative value otherwise. | |
1407 | + */ | |
1408 | +static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr, | |
1409 | + int addr_len) | |
1410 | +{ | |
1411 | + int rc = ccs_validate_socket(sock); | |
1412 | + if (rc < 0) | |
1413 | + return rc; | |
1414 | + rc = ccs_socket_connect_permission(sock, addr, addr_len); | |
1415 | + if (rc) | |
1416 | + return rc; | |
1417 | + while (!original_security_ops.socket_connect) | |
1418 | + smp_rmb(); | |
1419 | + return original_security_ops.socket_connect(sock, addr, addr_len); | |
1420 | +} | |
1421 | + | |
1422 | +/** | |
1423 | + * ccs_socket_bind - Check permission for bind(). | |
1424 | + * | |
1425 | + * @sock: Pointer to "struct socket". | |
1426 | + * @addr: Pointer to "struct sockaddr". | |
1427 | + * @addr_len: Size of @addr. | |
1428 | + * | |
1429 | + * Returns 0 on success, negative value otherwise. | |
1430 | + */ | |
1431 | +static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr, | |
1432 | + int addr_len) | |
1433 | +{ | |
1434 | + int rc = ccs_validate_socket(sock); | |
1435 | + if (rc < 0) | |
1436 | + return rc; | |
1437 | + rc = ccs_socket_bind_permission(sock, addr, addr_len); | |
1438 | + if (rc) | |
1439 | + return rc; | |
1440 | + while (!original_security_ops.socket_bind) | |
1441 | + smp_rmb(); | |
1442 | + return original_security_ops.socket_bind(sock, addr, addr_len); | |
1443 | +} | |
1444 | + | |
1445 | +/** | |
1446 | + * ccs_socket_sendmsg - Check permission for sendmsg(). | |
1447 | + * | |
1448 | + * @sock: Pointer to "struct socket". | |
1449 | + * @msg: Pointer to "struct msghdr". | |
1450 | + * @size: Size of message. | |
1451 | + * | |
1452 | + * Returns 0 on success, negative value otherwise. | |
1453 | + */ | |
1454 | +static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg, | |
1455 | + int size) | |
1456 | +{ | |
1457 | + int rc = ccs_validate_socket(sock); | |
1458 | + if (rc < 0) | |
1459 | + return rc; | |
1460 | + rc = ccs_socket_sendmsg_permission(sock, msg, size); | |
1461 | + if (rc) | |
1462 | + return rc; | |
1463 | + while (!original_security_ops.socket_sendmsg) | |
1464 | + smp_rmb(); | |
1465 | + return original_security_ops.socket_sendmsg(sock, msg, size); | |
1466 | +} | |
1467 | + | |
1468 | +/** | |
1469 | + * ccs_socket_recvmsg - Check permission for recvmsg(). | |
1470 | + * | |
1471 | + * @sock: Pointer to "struct socket". | |
1472 | + * @msg: Pointer to "struct msghdr". | |
1473 | + * @size: Size of message. | |
1474 | + * @flags: Flags. | |
1475 | + * | |
1476 | + * Returns 0 on success, negative value otherwise. | |
1477 | + */ | |
1478 | +static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg, | |
1479 | + int size, int flags) | |
1480 | +{ | |
1481 | + int rc = ccs_validate_socket(sock); | |
1482 | + if (rc < 0) | |
1483 | + return rc; | |
1484 | + while (!original_security_ops.socket_recvmsg) | |
1485 | + smp_rmb(); | |
1486 | + return original_security_ops.socket_recvmsg(sock, msg, size, flags); | |
1487 | +} | |
1488 | + | |
1489 | +/** | |
1490 | + * ccs_socket_getsockname - Check permission for getsockname(). | |
1491 | + * | |
1492 | + * @sock: Pointer to "struct socket". | |
1493 | + * | |
1494 | + * Returns 0 on success, negative value otherwise. | |
1495 | + */ | |
1496 | +static int ccs_socket_getsockname(struct socket *sock) | |
1497 | +{ | |
1498 | + int rc = ccs_validate_socket(sock); | |
1499 | + if (rc < 0) | |
1500 | + return rc; | |
1501 | + while (!original_security_ops.socket_getsockname) | |
1502 | + smp_rmb(); | |
1503 | + return original_security_ops.socket_getsockname(sock); | |
1504 | +} | |
1505 | + | |
1506 | +/** | |
1507 | + * ccs_socket_getpeername - Check permission for getpeername(). | |
1508 | + * | |
1509 | + * @sock: Pointer to "struct socket". | |
1510 | + * | |
1511 | + * Returns 0 on success, negative value otherwise. | |
1512 | + */ | |
1513 | +static int ccs_socket_getpeername(struct socket *sock) | |
1514 | +{ | |
1515 | + int rc = ccs_validate_socket(sock); | |
1516 | + if (rc < 0) | |
1517 | + return rc; | |
1518 | + while (!original_security_ops.socket_getpeername) | |
1519 | + smp_rmb(); | |
1520 | + return original_security_ops.socket_getpeername(sock); | |
1521 | +} | |
1522 | + | |
1523 | +/** | |
1524 | + * ccs_socket_getsockopt - Check permission for getsockopt(). | |
1525 | + * | |
1526 | + * @sock: Pointer to "struct socket". | |
1527 | + * @level: Level. | |
1528 | + * @optname: Option's name, | |
1529 | + * | |
1530 | + * Returns 0 on success, negative value otherwise. | |
1531 | + */ | |
1532 | +static int ccs_socket_getsockopt(struct socket *sock, int level, int optname) | |
1533 | +{ | |
1534 | + int rc = ccs_validate_socket(sock); | |
1535 | + if (rc < 0) | |
1536 | + return rc; | |
1537 | + while (!original_security_ops.socket_getsockopt) | |
1538 | + smp_rmb(); | |
1539 | + return original_security_ops.socket_getsockopt(sock, level, optname); | |
1540 | +} | |
1541 | + | |
1542 | +/** | |
1543 | + * ccs_socket_setsockopt - Check permission for setsockopt(). | |
1544 | + * | |
1545 | + * @sock: Pointer to "struct socket". | |
1546 | + * @level: Level. | |
1547 | + * @optname: Option's name, | |
1548 | + * | |
1549 | + * Returns 0 on success, negative value otherwise. | |
1550 | + */ | |
1551 | +static int ccs_socket_setsockopt(struct socket *sock, int level, int optname) | |
1552 | +{ | |
1553 | + int rc = ccs_validate_socket(sock); | |
1554 | + if (rc < 0) | |
1555 | + return rc; | |
1556 | + while (!original_security_ops.socket_setsockopt) | |
1557 | + smp_rmb(); | |
1558 | + return original_security_ops.socket_setsockopt(sock, level, optname); | |
1559 | +} | |
1560 | + | |
1561 | +/** | |
1562 | + * ccs_socket_shutdown - Check permission for shutdown(). | |
1563 | + * | |
1564 | + * @sock: Pointer to "struct socket". | |
1565 | + * @how: Shutdown mode. | |
1566 | + * | |
1567 | + * Returns 0 on success, negative value otherwise. | |
1568 | + */ | |
1569 | +static int ccs_socket_shutdown(struct socket *sock, int how) | |
1570 | +{ | |
1571 | + int rc = ccs_validate_socket(sock); | |
1572 | + if (rc < 0) | |
1573 | + return rc; | |
1574 | + while (!original_security_ops.socket_shutdown) | |
1575 | + smp_rmb(); | |
1576 | + return original_security_ops.socket_shutdown(sock, how); | |
1577 | +} | |
1578 | + | |
1579 | +#define SOCKFS_MAGIC 0x534F434B | |
1580 | + | |
1581 | +/** | |
1582 | + * ccs_inode_free_security - Release memory associated with an inode. | |
1583 | + * | |
1584 | + * @inode: Pointer to "struct inode". | |
1585 | + * | |
1586 | + * Returns nothing. | |
1587 | + * | |
1588 | + * We use this hook for releasing memory associated with an accept()ed socket. | |
1589 | + */ | |
1590 | +static void ccs_inode_free_security(struct inode *inode) | |
1591 | +{ | |
1592 | + while (!original_security_ops.inode_free_security) | |
1593 | + smp_rmb(); | |
1594 | + original_security_ops.inode_free_security(inode); | |
1595 | + if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC) | |
1596 | + ccs_update_socket_tag(inode, 0); | |
1597 | +} | |
1598 | + | |
1599 | +#endif | |
1600 | + | |
1601 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0) | |
1602 | + | |
1603 | +/** | |
1604 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
1605 | + * | |
1606 | + * @old_path: Pointer to "struct path". | |
1607 | + * @new_path: Pointer to "struct path". | |
1608 | + * | |
1609 | + * Returns 0 on success, negative value otherwise. | |
1610 | + */ | |
1611 | +static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path) | |
1612 | +{ | |
1613 | + int rc = ccs_pivot_root_permission(old_path, new_path); | |
1614 | + if (rc) | |
1615 | + return rc; | |
1616 | + while (!original_security_ops.sb_pivotroot) | |
1617 | + smp_rmb(); | |
1618 | + return original_security_ops.sb_pivotroot(old_path, new_path); | |
1619 | +} | |
1620 | + | |
1621 | +/** | |
1622 | + * ccs_sb_mount - Check permission for mount(). | |
1623 | + * | |
1624 | + * @dev_name: Name of device file. | |
1625 | + * @path: Pointer to "struct path". | |
1626 | + * @type: Name of filesystem type. Maybe NULL. | |
1627 | + * @flags: Mount options. | |
1628 | + * @data_page: Optional data. Maybe NULL. | |
1629 | + * | |
1630 | + * Returns 0 on success, negative value otherwise. | |
1631 | + */ | |
1632 | +static int ccs_sb_mount(char *dev_name, struct path *path, char *type, | |
1633 | + unsigned long flags, void *data_page) | |
1634 | +{ | |
1635 | + int rc = ccs_mount_permission(dev_name, path, type, flags, data_page); | |
1636 | + if (rc) | |
1637 | + return rc; | |
1638 | + while (!original_security_ops.sb_mount) | |
1639 | + smp_rmb(); | |
1640 | + return original_security_ops.sb_mount(dev_name, path, type, flags, | |
1641 | + data_page); | |
1642 | +} | |
1643 | + | |
1644 | +#else | |
1645 | + | |
1646 | +/** | |
1647 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
1648 | + * | |
1649 | + * @old_path: Pointer to "struct path". | |
1650 | + * @new_path: Pointer to "struct path". | |
1651 | + * | |
1652 | + * Returns 0 on success, negative value otherwise. | |
1653 | + */ | |
1654 | +static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path) | |
1655 | +{ | |
1656 | + int rc = ccs_pivot_root_permission(old_path, new_path); | |
1657 | + if (rc) | |
1658 | + return rc; | |
1659 | + while (!original_security_ops.sb_pivotroot) | |
1660 | + smp_rmb(); | |
1661 | + return original_security_ops.sb_pivotroot(old_path, new_path); | |
1662 | +} | |
1663 | + | |
1664 | +/** | |
1665 | + * ccs_sb_mount - Check permission for mount(). | |
1666 | + * | |
1667 | + * @dev_name: Name of device file. | |
1668 | + * @path: Pointer to "struct path". | |
1669 | + * @type: Name of filesystem type. Maybe NULL. | |
1670 | + * @flags: Mount options. | |
1671 | + * @data_page: Optional data. Maybe NULL. | |
1672 | + * | |
1673 | + * Returns 0 on success, negative value otherwise. | |
1674 | + */ | |
1675 | +static int ccs_sb_mount(const char *dev_name, struct path *path, | |
1676 | + const char *type, unsigned long flags, void *data_page) | |
1677 | +{ | |
1678 | + int rc = ccs_mount_permission(dev_name, path, type, flags, data_page); | |
1679 | + if (rc) | |
1680 | + return rc; | |
1681 | + while (!original_security_ops.sb_mount) | |
1682 | + smp_rmb(); | |
1683 | + return original_security_ops.sb_mount(dev_name, path, type, flags, | |
1684 | + data_page); | |
1685 | +} | |
1686 | + | |
1687 | +#endif | |
1688 | + | |
1689 | +/** | |
1690 | + * ccs_sb_umount - Check permission for umount(). | |
1691 | + * | |
1692 | + * @mnt: Pointer to "struct vfsmount". | |
1693 | + * @flags: Unmount flags. | |
1694 | + * | |
1695 | + * Returns 0 on success, negative value otherwise. | |
1696 | + */ | |
1697 | +static int ccs_sb_umount(struct vfsmount *mnt, int flags) | |
1698 | +{ | |
1699 | + int rc = ccs_umount_permission(mnt, flags); | |
1700 | + if (rc) | |
1701 | + return rc; | |
1702 | + while (!original_security_ops.sb_umount) | |
1703 | + smp_rmb(); | |
1704 | + return original_security_ops.sb_umount(mnt, flags); | |
1705 | +} | |
1706 | + | |
1707 | +/** | |
1708 | + * ccs_file_fcntl - Check permission for fcntl(). | |
1709 | + * | |
1710 | + * @file: Pointer to "struct file". | |
1711 | + * @cmd: Command number. | |
1712 | + * @arg: Value for @cmd. | |
1713 | + * | |
1714 | + * Returns 0 on success, negative value otherwise. | |
1715 | + */ | |
1716 | +static int ccs_file_fcntl(struct file *file, unsigned int cmd, | |
1717 | + unsigned long arg) | |
1718 | +{ | |
1719 | + int rc = ccs_fcntl_permission(file, cmd, arg); | |
1720 | + if (rc) | |
1721 | + return rc; | |
1722 | + while (!original_security_ops.file_fcntl) | |
1723 | + smp_rmb(); | |
1724 | + return original_security_ops.file_fcntl(file, cmd, arg); | |
1725 | +} | |
1726 | + | |
1727 | +/** | |
1728 | + * ccs_file_ioctl - Check permission for ioctl(). | |
1729 | + * | |
1730 | + * @filp: Pointer to "struct file". | |
1731 | + * @cmd: Command number. | |
1732 | + * @arg: Value for @cmd. | |
1733 | + * | |
1734 | + * Returns 0 on success, negative value otherwise. | |
1735 | + */ | |
1736 | +static int ccs_file_ioctl(struct file *filp, unsigned int cmd, | |
1737 | + unsigned long arg) | |
1738 | +{ | |
1739 | + int rc = ccs_ioctl_permission(filp, cmd, arg); | |
1740 | + if (rc) | |
1741 | + return rc; | |
1742 | + while (!original_security_ops.file_ioctl) | |
1743 | + smp_rmb(); | |
1744 | + return original_security_ops.file_ioctl(filp, cmd, arg); | |
1745 | +} | |
1746 | + | |
1747 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL) | |
1748 | +int ccs_path_permission(struct ccs_request_info *r, u8 operation, | |
1749 | + const struct ccs_path_info *filename); | |
1750 | + | |
1751 | +/** | |
1752 | + * ccs_prepend - Copy of prepend() in fs/dcache.c. | |
1753 | + * | |
1754 | + * @buffer: Pointer to "struct char *". | |
1755 | + * @buflen: Pointer to int which holds size of @buffer. | |
1756 | + * @str: String to copy. | |
1757 | + * | |
1758 | + * Returns 0 on success, negative value otherwise. | |
1759 | + * | |
1760 | + * @buffer and @buflen are updated upon success. | |
1761 | + */ | |
1762 | +static int ccs_prepend(char **buffer, int *buflen, const char *str) | |
1763 | +{ | |
1764 | + int namelen = strlen(str); | |
1765 | + if (*buflen < namelen) | |
1766 | + return -ENOMEM; | |
1767 | + *buflen -= namelen; | |
1768 | + *buffer -= namelen; | |
1769 | + memcpy(*buffer, str, namelen); | |
1770 | + return 0; | |
1771 | +} | |
1772 | + | |
1773 | +/** | |
1774 | + * ccs_sysctl_permission - Check permission for sysctl(). | |
1775 | + * | |
1776 | + * @table: Pointer to "struct ctl_table". | |
1777 | + * @op: Operation. (MAY_READ and/or MAY_WRITE) | |
1778 | + * | |
1779 | + * Returns 0 on success, negative value otherwise. | |
1780 | + */ | |
1781 | +static int ccs_sysctl(struct ctl_table *table, int op) | |
1782 | +{ | |
1783 | + int error; | |
1784 | + struct ccs_path_info buf; | |
1785 | + struct ccs_request_info r; | |
1786 | + int buflen; | |
1787 | + char *buffer; | |
1788 | + int idx; | |
1789 | + while (!original_security_ops.sysctl) | |
1790 | + smp_rmb(); | |
1791 | + error = original_security_ops.sysctl(table, op); | |
1792 | + if (error) | |
1793 | + return error; | |
1794 | + op &= MAY_READ | MAY_WRITE; | |
1795 | + if (!op) | |
1796 | + return 0; | |
1797 | + buffer = NULL; | |
1798 | + buf.name = NULL; | |
1799 | + idx = ccs_read_lock(); | |
1800 | + if (ccs_init_request_info(&r, CCS_MAC_FILE_OPEN) | |
1801 | + == CCS_CONFIG_DISABLED) | |
1802 | + goto out; | |
1803 | + error = -ENOMEM; | |
1804 | + buflen = 4096; | |
1805 | + buffer = kmalloc(buflen, CCS_GFP_FLAGS); | |
1806 | + if (buffer) { | |
1807 | + char *end = buffer + buflen; | |
1808 | + *--end = '\0'; | |
1809 | + buflen--; | |
1810 | + while (table) { | |
1811 | + char num[32]; | |
1812 | + const char *sp = table->procname; | |
1813 | + if (!sp) { | |
1814 | + memset(num, 0, sizeof(num)); | |
1815 | + snprintf(num, sizeof(num) - 1, "=%d=", | |
1816 | + table->ctl_name); | |
1817 | + sp = num; | |
1818 | + } | |
1819 | + if (ccs_prepend(&end, &buflen, sp) || | |
1820 | + ccs_prepend(&end, &buflen, "/")) | |
1821 | + goto out; | |
1822 | + table = table->parent; | |
1823 | + } | |
1824 | + if (ccs_prepend(&end, &buflen, "proc:/sys")) | |
1825 | + goto out; | |
1826 | + buf.name = ccs_encode(end); | |
1827 | + } | |
1828 | + if (buf.name) { | |
1829 | + ccs_fill_path_info(&buf); | |
1830 | + if (op & MAY_READ) | |
1831 | + error = ccs_path_permission(&r, CCS_TYPE_READ, &buf); | |
1832 | + else | |
1833 | + error = 0; | |
1834 | + if (!error && (op & MAY_WRITE)) | |
1835 | + error = ccs_path_permission(&r, CCS_TYPE_WRITE, &buf); | |
1836 | + } | |
1837 | +out: | |
1838 | + ccs_read_unlock(idx); | |
1839 | + kfree(buf.name); | |
1840 | + kfree(buffer); | |
1841 | + return error; | |
1842 | +} | |
1843 | + | |
1844 | +#endif | |
1845 | + | |
1846 | +/* | |
1847 | + * Why not to copy all operations by "original_security_ops = *ops" ? | |
1848 | + * Because copying byte array is not atomic. Reader checks | |
1849 | + * original_security_ops.op != NULL before doing original_security_ops.op(). | |
1850 | + * Thus, modifying original_security_ops.op has to be atomic. | |
1851 | + */ | |
1852 | +#define swap_security_ops(op) \ | |
1853 | + original_security_ops.op = ops->op; smp_wmb(); ops->op = ccs_##op; | |
1854 | + | |
1855 | +/** | |
1856 | + * ccs_update_security_ops - Overwrite original "struct security_operations". | |
1857 | + * | |
1858 | + * @ops: Pointer to "struct security_operations". | |
1859 | + * | |
1860 | + * Returns nothing. | |
1861 | + */ | |
1862 | +static void __init ccs_update_security_ops(struct security_operations *ops) | |
1863 | +{ | |
1864 | + /* Security context allocator. */ | |
1865 | + swap_security_ops(task_create); | |
1866 | + swap_security_ops(cred_prepare); | |
1867 | + swap_security_ops(cred_free); | |
1868 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32) | |
1869 | + swap_security_ops(cred_alloc_blank); | |
1870 | + swap_security_ops(cred_transfer); | |
1871 | +#endif | |
1872 | + /* Security context updater for successful execve(). */ | |
1873 | + swap_security_ops(bprm_check_security); | |
1874 | + swap_security_ops(bprm_committing_creds); | |
1875 | + /* Various permission checker. */ | |
1876 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0) | |
1877 | + swap_security_ops(file_open); | |
1878 | +#else | |
1879 | + swap_security_ops(dentry_open); | |
1880 | +#endif | |
1881 | + swap_security_ops(file_fcntl); | |
1882 | + swap_security_ops(file_ioctl); | |
1883 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL) | |
1884 | + swap_security_ops(sysctl); | |
1885 | +#endif | |
1886 | + swap_security_ops(sb_pivotroot); | |
1887 | + swap_security_ops(sb_mount); | |
1888 | + swap_security_ops(sb_umount); | |
1889 | +#if defined(CONFIG_SECURITY_PATH) | |
1890 | + swap_security_ops(path_mknod); | |
1891 | + swap_security_ops(path_mkdir); | |
1892 | + swap_security_ops(path_rmdir); | |
1893 | + swap_security_ops(path_unlink); | |
1894 | + swap_security_ops(path_symlink); | |
1895 | + swap_security_ops(path_rename); | |
1896 | + swap_security_ops(path_link); | |
1897 | + swap_security_ops(path_truncate); | |
1898 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33) | |
1899 | + swap_security_ops(path_chmod); | |
1900 | + swap_security_ops(path_chown); | |
1901 | + swap_security_ops(path_chroot); | |
1902 | +#endif | |
1903 | +#else | |
1904 | + swap_security_ops(inode_mknod); | |
1905 | + swap_security_ops(inode_mkdir); | |
1906 | + swap_security_ops(inode_rmdir); | |
1907 | + swap_security_ops(inode_unlink); | |
1908 | + swap_security_ops(inode_symlink); | |
1909 | + swap_security_ops(inode_rename); | |
1910 | + swap_security_ops(inode_link); | |
1911 | + swap_security_ops(inode_create); | |
1912 | +#endif | |
1913 | + swap_security_ops(inode_setattr); | |
1914 | + swap_security_ops(inode_getattr); | |
1915 | +#ifdef CONFIG_SECURITY_NETWORK | |
1916 | + swap_security_ops(socket_bind); | |
1917 | + swap_security_ops(socket_connect); | |
1918 | + swap_security_ops(socket_listen); | |
1919 | + swap_security_ops(socket_sendmsg); | |
1920 | + swap_security_ops(socket_recvmsg); | |
1921 | + swap_security_ops(socket_getsockname); | |
1922 | + swap_security_ops(socket_getpeername); | |
1923 | + swap_security_ops(socket_getsockopt); | |
1924 | + swap_security_ops(socket_setsockopt); | |
1925 | + swap_security_ops(socket_shutdown); | |
1926 | + swap_security_ops(socket_accept); | |
1927 | + swap_security_ops(inode_free_security); | |
1928 | +#endif | |
1929 | +} | |
1930 | + | |
1931 | +#undef swap_security_ops | |
1932 | + | |
1933 | +/** | |
1934 | + * ccs_init - Initialize this module. | |
1935 | + * | |
1936 | + * Returns 0 on success, negative value otherwise. | |
1937 | + */ | |
1938 | +static int __init ccs_init(void) | |
1939 | +{ | |
1940 | + struct security_operations *ops = probe_security_ops(); | |
1941 | + if (!ops) | |
1942 | + goto out; | |
1943 | + ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid(); | |
1944 | + if (!ccsecurity_exports.find_task_by_vpid) | |
1945 | + goto out; | |
1946 | + ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns(); | |
1947 | + if (!ccsecurity_exports.find_task_by_pid_ns) | |
1948 | + goto out; | |
1949 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 36) | |
1950 | + ccsecurity_exports.vfsmount_lock = probe_vfsmount_lock(); | |
1951 | + if (!ccsecurity_exports.vfsmount_lock) | |
1952 | + goto out; | |
1953 | +#elif LINUX_VERSION_CODE < KERNEL_VERSION(3, 2, 0) | |
1954 | + ccsecurity_exports.__d_path = probe___d_path(); | |
1955 | + if (!ccsecurity_exports.__d_path) | |
1956 | + goto out; | |
1957 | +#else | |
1958 | + ccsecurity_exports.d_absolute_path = probe_d_absolute_path(); | |
1959 | + if (!ccsecurity_exports.d_absolute_path) | |
1960 | + goto out; | |
1961 | +#endif | |
1962 | + { | |
1963 | + int idx; | |
1964 | + for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) { | |
1965 | + INIT_LIST_HEAD(&ccs_cred_security_list[idx]); | |
1966 | + INIT_LIST_HEAD(&ccs_task_security_list[idx]); | |
1967 | + } | |
1968 | + } | |
1969 | + ccs_main_init(); | |
1970 | + ccs_update_security_ops(ops); | |
1971 | + printk(KERN_INFO "AKARI: 1.0.40 2019/12/25\n"); | |
1972 | + printk(KERN_INFO | |
1973 | + "Access Keeping And Regulating Instrument registered.\n"); | |
1974 | + return 0; | |
1975 | +out: | |
1976 | + return -EINVAL; | |
1977 | +} | |
1978 | + | |
1979 | +module_init(ccs_init); | |
1980 | +MODULE_LICENSE("GPL"); | |
1981 | + | |
1982 | +/** | |
1983 | + * ccs_used_by_cred - Check whether the given domain is in use or not. | |
1984 | + * | |
1985 | + * @domain: Pointer to "struct ccs_domain_info". | |
1986 | + * | |
1987 | + * Returns true if @domain is in use, false otherwise. | |
1988 | + * | |
1989 | + * Caller holds rcu_read_lock(). | |
1990 | + */ | |
1991 | +bool ccs_used_by_cred(const struct ccs_domain_info *domain) | |
1992 | +{ | |
1993 | + int idx; | |
1994 | + struct ccs_security *ptr; | |
1995 | + for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) { | |
1996 | + struct list_head *list = &ccs_cred_security_list[idx]; | |
1997 | + list_for_each_entry_rcu(ptr, list, list) { | |
1998 | + struct ccs_execve *ee = ptr->ee; | |
1999 | + if (ptr->ccs_domain_info == domain || | |
2000 | + (ee && ee->previous_domain == domain)) { | |
2001 | + return true; | |
2002 | + } | |
2003 | + } | |
2004 | + } | |
2005 | + return false; | |
2006 | +} | |
2007 | + | |
2008 | +/** | |
2009 | + * ccs_add_task_security - Add "struct ccs_security" to list. | |
2010 | + * | |
2011 | + * @ptr: Pointer to "struct ccs_security". | |
2012 | + * @list: Pointer to "struct list_head". | |
2013 | + * | |
2014 | + * Returns nothing. | |
2015 | + */ | |
2016 | +static void ccs_add_task_security(struct ccs_security *ptr, | |
2017 | + struct list_head *list) | |
2018 | +{ | |
2019 | + unsigned long flags; | |
2020 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
2021 | + list_add_rcu(&ptr->list, list); | |
2022 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
2023 | +} | |
2024 | + | |
2025 | +/** | |
2026 | + * ccs_find_task_security - Find "struct ccs_security" for given task. | |
2027 | + * | |
2028 | + * @task: Pointer to "struct task_struct". | |
2029 | + * | |
2030 | + * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on | |
2031 | + * out of memory, &ccs_default_security otherwise. | |
2032 | + * | |
2033 | + * If @task is current thread and "struct ccs_security" for current thread was | |
2034 | + * not found, I try to allocate it. But if allocation failed, current thread | |
2035 | + * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL | |
2036 | + * won't work. | |
2037 | + */ | |
2038 | +struct ccs_security *ccs_find_task_security(const struct task_struct *task) | |
2039 | +{ | |
2040 | + struct ccs_security *ptr; | |
2041 | + struct list_head *list = &ccs_task_security_list | |
2042 | + [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)]; | |
2043 | + /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */ | |
2044 | + while (!list->next) | |
2045 | + smp_rmb(); | |
2046 | + rcu_read_lock(); | |
2047 | + list_for_each_entry_rcu(ptr, list, list) { | |
2048 | + if (ptr->pid != task->pids[PIDTYPE_PID].pid) | |
2049 | + continue; | |
2050 | + rcu_read_unlock(); | |
2051 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 31) | |
2052 | + /* | |
2053 | + * Current thread needs to transit from old domain to new | |
2054 | + * domain before do_execve() succeeds in order to check | |
2055 | + * permission for interpreters and environment variables using | |
2056 | + * new domain's ACL rules. The domain transition has to be | |
2057 | + * visible from other CPU in order to allow interactive | |
2058 | + * enforcing mode. Also, the domain transition has to be | |
2059 | + * reverted if do_execve() failed. However, an LSM hook for | |
2060 | + * reverting domain transition is missing. | |
2061 | + * | |
2062 | + * security_prepare_creds() is called from prepare_creds() from | |
2063 | + * prepare_bprm_creds() from do_execve() before setting | |
2064 | + * current->in_execve flag, and current->in_execve flag is | |
2065 | + * cleared by the time next do_execve() request starts. | |
2066 | + * This means that we can emulate the missing LSM hook for | |
2067 | + * reverting domain transition, by calling this function from | |
2068 | + * security_prepare_creds(). | |
2069 | + * | |
2070 | + * If current->in_execve is not set but ptr->ccs_flags has | |
2071 | + * CCS_TASK_IS_IN_EXECVE set, it indicates that do_execve() | |
2072 | + * has failed and reverting domain transition is needed. | |
2073 | + */ | |
2074 | + if (task == current && | |
2075 | + (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE) && | |
2076 | + !current->in_execve) { | |
2077 | + ccs_debug_trace("4"); | |
2078 | + ccs_clear_execve(-1, ptr); | |
2079 | + } | |
2080 | +#else | |
2081 | + /* | |
2082 | + * Current thread needs to transit from old domain to new | |
2083 | + * domain before do_execve() succeeds in order to check | |
2084 | + * permission for interpreters and environment variables using | |
2085 | + * new domain's ACL rules. The domain transition has to be | |
2086 | + * visible from other CPU in order to allow interactive | |
2087 | + * enforcing mode. Also, the domain transition has to be | |
2088 | + * reverted if do_execve() failed. However, an LSM hook for | |
2089 | + * reverting domain transition is missing. | |
2090 | + * | |
2091 | + * When do_execve() failed, "struct cred" in | |
2092 | + * "struct linux_binprm" is scheduled for destruction. | |
2093 | + * But current thread returns to userspace without waiting for | |
2094 | + * destruction. The security_cred_free() LSM hook is called | |
2095 | + * after an RCU grace period has elapsed. Since some CPU may be | |
2096 | + * doing long long RCU read side critical section, there is | |
2097 | + * no guarantee that security_cred_free() is called before | |
2098 | + * current thread again calls do_execve(). | |
2099 | + * | |
2100 | + * To be able to revert domain transition before processing | |
2101 | + * next do_execve() request, current thread gets a refcount on | |
2102 | + * "struct cred" in "struct linux_binprm" and memorizes it. | |
2103 | + * Current thread drops the refcount and forgets it when | |
2104 | + * do_execve() succeeded. | |
2105 | + * | |
2106 | + * Therefore, if current thread hasn't forgotten it and | |
2107 | + * current thread is the last one using that "struct cred", | |
2108 | + * it indicates that do_execve() has failed and reverting | |
2109 | + * domain transition is needed. | |
2110 | + */ | |
2111 | + if (task == current && ptr->cred && | |
2112 | + atomic_read(&ptr->cred->usage) == 1) { | |
2113 | + ccs_debug_trace("4"); | |
2114 | + ccs_clear_execve(-1, ptr); | |
2115 | + } | |
2116 | +#endif | |
2117 | + return ptr; | |
2118 | + } | |
2119 | + rcu_read_unlock(); | |
2120 | + if (task != current) { | |
2121 | + /* | |
2122 | + * If a thread does nothing after fork(), caller will reach | |
2123 | + * here because "struct ccs_security" for that thread is not | |
2124 | + * yet allocated. But that thread is keeping a snapshot of | |
2125 | + * "struct ccs_security" taken as of ccs_task_create() | |
2126 | + * associated with that thread's "struct cred". | |
2127 | + * | |
2128 | + * Since that snapshot will be used as initial data when that | |
2129 | + * thread allocates "struct ccs_security" for that thread, we | |
2130 | + * can return that snapshot rather than &ccs_default_security. | |
2131 | + * | |
2132 | + * Since this function is called by only ccs_select_one() and | |
2133 | + * ccs_read_pid() (via ccs_task_domain() and ccs_task_flags()), | |
2134 | + * it is guaranteed that caller has called rcu_read_lock() | |
2135 | + * (via ccs_tasklist_lock()) before finding this thread and | |
2136 | + * this thread is valid. Therefore, we can do __task_cred(task) | |
2137 | + * like get_robust_list() does. | |
2138 | + */ | |
2139 | + return ccs_find_cred_security(__task_cred(task)); | |
2140 | + } | |
2141 | + /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */ | |
2142 | + ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC); | |
2143 | + if (!ptr) { | |
2144 | + printk(KERN_WARNING "Unable to allocate memory for pid=%u\n", | |
2145 | + task->pid); | |
2146 | + send_sig(SIGKILL, current, 0); | |
2147 | + return &ccs_oom_security; | |
2148 | + } | |
2149 | + *ptr = *ccs_find_cred_security(task->cred); | |
2150 | + /* We can shortcut because task == current. */ | |
2151 | + ptr->pid = get_pid(((struct task_struct *) task)-> | |
2152 | + pids[PIDTYPE_PID].pid); | |
2153 | + ptr->cred = NULL; | |
2154 | + ccs_add_task_security(ptr, list); | |
2155 | + return ptr; | |
2156 | +} | |
2157 | + | |
2158 | +/** | |
2159 | + * ccs_copy_cred_security - Allocate memory for new credentials. | |
2160 | + * | |
2161 | + * @new: Pointer to "struct cred". | |
2162 | + * @old: Pointer to "struct cred". | |
2163 | + * @gfp: Memory allocation flags. | |
2164 | + * | |
2165 | + * Returns 0 on success, negative value otherwise. | |
2166 | + */ | |
2167 | +static int ccs_copy_cred_security(const struct cred *new, | |
2168 | + const struct cred *old, gfp_t gfp) | |
2169 | +{ | |
2170 | + struct ccs_security *old_security = ccs_find_cred_security(old); | |
2171 | + struct ccs_security *new_security = | |
2172 | + kzalloc(sizeof(*new_security), gfp); | |
2173 | + if (!new_security) | |
2174 | + return -ENOMEM; | |
2175 | + *new_security = *old_security; | |
2176 | + new_security->cred = new; | |
2177 | + ccs_add_cred_security(new_security); | |
2178 | + return 0; | |
2179 | +} | |
2180 | + | |
2181 | +/** | |
2182 | + * ccs_find_cred_security - Find "struct ccs_security" for given credential. | |
2183 | + * | |
2184 | + * @cred: Pointer to "struct cred". | |
2185 | + * | |
2186 | + * Returns pointer to "struct ccs_security" on success, &ccs_default_security | |
2187 | + * otherwise. | |
2188 | + */ | |
2189 | +static struct ccs_security *ccs_find_cred_security(const struct cred *cred) | |
2190 | +{ | |
2191 | + struct ccs_security *ptr; | |
2192 | + struct list_head *list = &ccs_cred_security_list | |
2193 | + [hash_ptr((void *) cred, CCS_TASK_SECURITY_HASH_BITS)]; | |
2194 | + rcu_read_lock(); | |
2195 | + list_for_each_entry_rcu(ptr, list, list) { | |
2196 | + if (ptr->cred != cred) | |
2197 | + continue; | |
2198 | + rcu_read_unlock(); | |
2199 | + return ptr; | |
2200 | + } | |
2201 | + rcu_read_unlock(); | |
2202 | + return &ccs_default_security; | |
2203 | +} | |
2204 | + | |
2205 | +/** | |
2206 | + * ccs_task_security_gc - Do garbage collection for "struct task_struct". | |
2207 | + * | |
2208 | + * Returns nothing. | |
2209 | + * | |
2210 | + * Since security_task_free() is missing, I can't release memory associated | |
2211 | + * with "struct task_struct" when a task dies. Therefore, I hold a reference on | |
2212 | + * "struct pid" and runs garbage collection when associated | |
2213 | + * "struct task_struct" has gone. | |
2214 | + */ | |
2215 | +static void ccs_task_security_gc(void) | |
2216 | +{ | |
2217 | + static DEFINE_SPINLOCK(lock); | |
2218 | + static atomic_t gc_counter = ATOMIC_INIT(0); | |
2219 | + unsigned int idx; | |
2220 | + /* | |
2221 | + * If some process is doing execve(), try to garbage collection now. | |
2222 | + * We should kfree() memory associated with "struct ccs_security"->ee | |
2223 | + * as soon as execve() has completed in order to compensate for lack of | |
2224 | + * security_bprm_free() and security_task_free() hooks. | |
2225 | + * | |
2226 | + * Otherwise, reduce frequency for performance reason. | |
2227 | + */ | |
2228 | + if (!atomic_read(&ccs_in_execve_tasks) && | |
2229 | + atomic_inc_return(&gc_counter) < 1024) | |
2230 | + return; | |
2231 | + if (!spin_trylock(&lock)) | |
2232 | + return; | |
2233 | + atomic_set(&gc_counter, 0); | |
2234 | + rcu_read_lock(); | |
2235 | + for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) { | |
2236 | + struct ccs_security *ptr; | |
2237 | + struct list_head *list = &ccs_task_security_list[idx]; | |
2238 | + list_for_each_entry_rcu(ptr, list, list) { | |
2239 | + if (pid_task(ptr->pid, PIDTYPE_PID)) | |
2240 | + continue; | |
2241 | + ccs_del_security(ptr); | |
2242 | + } | |
2243 | + } | |
2244 | + rcu_read_unlock(); | |
2245 | + spin_unlock(&lock); | |
2246 | +} |
@@ -0,0 +1,1376 @@ | ||
1 | +/* | |
2 | + * lsm.c | |
3 | + * | |
4 | + * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | |
5 | + * | |
6 | + * Version: 1.0.40 2019/12/25 | |
7 | + */ | |
8 | + | |
9 | +#include "internal.h" | |
10 | +#include "probe.h" | |
11 | + | |
12 | +/* Prototype definition. */ | |
13 | +static int __ccs_alloc_task_security(const struct task_struct *task); | |
14 | +static void __ccs_free_task_security(const struct task_struct *task); | |
15 | + | |
16 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
17 | +static struct ccs_security ccs_oom_security = { | |
18 | + .ccs_domain_info = &ccs_kernel_domain | |
19 | +}; | |
20 | + | |
21 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
22 | +static struct ccs_security ccs_default_security = { | |
23 | + .ccs_domain_info = &ccs_kernel_domain | |
24 | +}; | |
25 | + | |
26 | +/* List of "struct ccs_security". */ | |
27 | +struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH]; | |
28 | +/* Lock for protecting ccs_task_security_list[]. */ | |
29 | +static DEFINE_SPINLOCK(ccs_task_security_list_lock); | |
30 | + | |
31 | +/* For exporting variables and functions. */ | |
32 | +struct ccsecurity_exports ccsecurity_exports; | |
33 | +/* Members are updated by loadable kernel module. */ | |
34 | +struct ccsecurity_operations ccsecurity_ops; | |
35 | + | |
36 | +/* Original hooks. */ | |
37 | +static union security_list_options original_cred_prepare; | |
38 | +static union security_list_options original_task_alloc; | |
39 | +static union security_list_options original_task_free; | |
40 | + | |
41 | +#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT | |
42 | + | |
43 | +/** | |
44 | + * ccs_update_ee_counter - Update "struct ccs_execve" counter. | |
45 | + * | |
46 | + * @count: Count to increment or decrement. | |
47 | + * | |
48 | + * Returns updated counter. | |
49 | + */ | |
50 | +static unsigned int ccs_update_ee_counter(int count) | |
51 | +{ | |
52 | + /* Debug counter for detecting "struct ccs_execve" memory leak. */ | |
53 | + static atomic_t ccs_ee_counter = ATOMIC_INIT(0); | |
54 | + return atomic_add_return(count, &ccs_ee_counter); | |
55 | +} | |
56 | + | |
57 | +/** | |
58 | + * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve". | |
59 | + * | |
60 | + * @ee: Pointer to "struct ccs_execve". | |
61 | + * | |
62 | + * Returns nothing. | |
63 | + */ | |
64 | +void ccs_audit_alloc_execve(const struct ccs_execve * const ee) | |
65 | +{ | |
66 | + printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee, | |
67 | + current->pid, ccs_update_ee_counter(1) - 1); | |
68 | +} | |
69 | + | |
70 | +/** | |
71 | + * ccs_audit_free_execve - Audit release of "struct ccs_execve". | |
72 | + * | |
73 | + * @ee: Pointer to "struct ccs_execve". | |
74 | + * @task: True if released by current task, false otherwise. | |
75 | + * | |
76 | + * Returns nothing. | |
77 | + */ | |
78 | +void ccs_audit_free_execve(const struct ccs_execve * const ee, | |
79 | + const bool is_current) | |
80 | +{ | |
81 | + const unsigned int tmp = ccs_update_ee_counter(-1); | |
82 | + if (is_current) | |
83 | + printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n", | |
84 | + ee, current->pid, tmp); | |
85 | + else | |
86 | + printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n", | |
87 | + ee, tmp); | |
88 | +} | |
89 | + | |
90 | +#endif | |
91 | + | |
92 | +#if !defined(CONFIG_AKARI_DEBUG) | |
93 | +#define ccs_debug_trace(pos) do { } while (0) | |
94 | +#else | |
95 | +#define ccs_debug_trace(pos) \ | |
96 | + do { \ | |
97 | + static bool done; \ | |
98 | + if (!done) { \ | |
99 | + printk(KERN_INFO \ | |
100 | + "AKARI: Debug trace: " pos " of 2\n"); \ | |
101 | + done = true; \ | |
102 | + } \ | |
103 | + } while (0) | |
104 | +#endif | |
105 | + | |
106 | +/** | |
107 | + * ccs_clear_execve - Release memory used by do_execve(). | |
108 | + * | |
109 | + * @ret: 0 if do_execve() succeeded, negative value otherwise. | |
110 | + * @security: Pointer to "struct ccs_security". | |
111 | + * | |
112 | + * Returns nothing. | |
113 | + */ | |
114 | +static void ccs_clear_execve(int ret, struct ccs_security *security) | |
115 | +{ | |
116 | + struct ccs_execve *ee = security->ee; | |
117 | + if (security == &ccs_default_security || security == &ccs_oom_security | |
118 | + || !ee) | |
119 | + return; | |
120 | + security->ee = NULL; | |
121 | + ccs_finish_execve(ret, ee); | |
122 | +} | |
123 | + | |
124 | +/** | |
125 | + * ccs_task_alloc_security - Allocate memory for new tasks. | |
126 | + * | |
127 | + * @p: Pointer to "struct task_struct". | |
128 | + * @clone_flags: Flags passed to clone(). | |
129 | + * | |
130 | + * Returns 0 on success, negative value otherwise. | |
131 | + */ | |
132 | +static int ccs_task_alloc_security(struct task_struct *p, | |
133 | + unsigned long clone_flags) | |
134 | +{ | |
135 | + int rc = __ccs_alloc_task_security(p); | |
136 | + if (rc) | |
137 | + return rc; | |
138 | + if (original_task_alloc.task_alloc) { | |
139 | + rc = original_task_alloc.task_alloc(p, clone_flags); | |
140 | + if (rc) | |
141 | + __ccs_free_task_security(p); | |
142 | + } | |
143 | + return rc; | |
144 | +} | |
145 | + | |
146 | +/** | |
147 | + * ccs_task_free_security - Release memory for "struct task_struct". | |
148 | + * | |
149 | + * @p: Pointer to "struct task_struct". | |
150 | + * | |
151 | + * Returns nothing. | |
152 | + */ | |
153 | +static void ccs_task_free_security(struct task_struct *p) | |
154 | +{ | |
155 | + struct ccs_security *ptr = ccs_find_task_security(p); | |
156 | + struct ccs_execve *ee = ptr->ee; | |
157 | + if (original_task_free.task_free) | |
158 | + original_task_free.task_free(p); | |
159 | + /* | |
160 | + * Since an LSM hook for reverting domain transition is missing, | |
161 | + * ccs_finish_execve() is not called if exited immediately after | |
162 | + * execve() failed. | |
163 | + */ | |
164 | + if (ee) { | |
165 | + ccs_debug_trace("2"); | |
166 | + ccs_audit_free_execve(ee, false); | |
167 | + kfree(ee->handler_path); | |
168 | + kfree(ee); | |
169 | + ptr->ee = NULL; | |
170 | + } | |
171 | + __ccs_free_task_security(p); | |
172 | +} | |
173 | + | |
174 | +/** | |
175 | + * ccs_bprm_committing_creds - A hook which is called when do_execve() succeeded. | |
176 | + * | |
177 | + * @bprm: Pointer to "struct linux_binprm". | |
178 | + * | |
179 | + * Returns nothing. | |
180 | + */ | |
181 | +static void ccs_bprm_committing_creds(struct linux_binprm *bprm) | |
182 | +{ | |
183 | + ccs_clear_execve(0, ccs_current_security()); | |
184 | +} | |
185 | + | |
186 | +/** | |
187 | + * ccs_cred_prepare - Allocate memory for new credentials. | |
188 | + * | |
189 | + * @new: Pointer to "struct cred". | |
190 | + * @old: Pointer to "struct cred". | |
191 | + * @gfp: Memory allocation flags. | |
192 | + * | |
193 | + * Returns 0 on success, negative value otherwise. | |
194 | + */ | |
195 | +static int ccs_cred_prepare(struct cred *new, const struct cred *old, | |
196 | + gfp_t gfp) | |
197 | +{ | |
198 | + /* | |
199 | + * For checking whether reverting domain transition is needed or not. | |
200 | + * | |
201 | + * See ccs_find_task_security() for reason. | |
202 | + */ | |
203 | + if (gfp == GFP_KERNEL) | |
204 | + ccs_find_task_security(current); | |
205 | + if (original_cred_prepare.cred_prepare) | |
206 | + return original_cred_prepare.cred_prepare(new, old, gfp); | |
207 | + return 0; | |
208 | +} | |
209 | + | |
210 | +/** | |
211 | + * ccs_bprm_check_security - Check permission for execve(). | |
212 | + * | |
213 | + * @bprm: Pointer to "struct linux_binprm". | |
214 | + * | |
215 | + * Returns 0 on success, negative value otherwise. | |
216 | + */ | |
217 | +static int ccs_bprm_check_security(struct linux_binprm *bprm) | |
218 | +{ | |
219 | + struct ccs_security *security = ccs_current_security(); | |
220 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
221 | + return -ENOMEM; | |
222 | + if (security->ee) | |
223 | + return 0; | |
224 | +#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER | |
225 | + if (!ccs_policy_loaded) | |
226 | + ccs_load_policy(bprm->filename); | |
227 | +#endif | |
228 | + return ccs_start_execve(bprm, &security->ee); | |
229 | +} | |
230 | + | |
231 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0) || (defined(RHEL_MAJOR) && RHEL_MAJOR == 8) | |
232 | +/** | |
233 | + * ccs_file_open - Check permission for open(). | |
234 | + * | |
235 | + * @f: Pointer to "struct file". | |
236 | + * | |
237 | + * Returns 0 on success, negative value otherwise. | |
238 | + */ | |
239 | +static int ccs_file_open(struct file *f) | |
240 | +{ | |
241 | + return ccs_open_permission(f); | |
242 | +} | |
243 | +#else | |
244 | +/** | |
245 | + * ccs_file_open - Check permission for open(). | |
246 | + * | |
247 | + * @f: Pointer to "struct file". | |
248 | + * @cred: Pointer to "struct cred". | |
249 | + * | |
250 | + * Returns 0 on success, negative value otherwise. | |
251 | + */ | |
252 | +static int ccs_file_open(struct file *f, const struct cred *cred) | |
253 | +{ | |
254 | + return ccs_open_permission(f); | |
255 | +} | |
256 | +#endif | |
257 | + | |
258 | +#ifdef CONFIG_SECURITY_PATH | |
259 | + | |
260 | +/** | |
261 | + * ccs_path_chown - Check permission for chown()/chgrp(). | |
262 | + * | |
263 | + * @path: Pointer to "struct path". | |
264 | + * @user: User ID. | |
265 | + * @group: Group ID. | |
266 | + * | |
267 | + * Returns 0 on success, negative value otherwise. | |
268 | + */ | |
269 | +static int ccs_path_chown(const struct path *path, kuid_t user, kgid_t group) | |
270 | +{ | |
271 | + return ccs_chown_permission(path->dentry, path->mnt, user, group); | |
272 | +} | |
273 | + | |
274 | +/** | |
275 | + * ccs_path_chmod - Check permission for chmod(). | |
276 | + * | |
277 | + * @path: Pointer to "struct path". | |
278 | + * @mode: Mode. | |
279 | + * | |
280 | + * Returns 0 on success, negative value otherwise. | |
281 | + */ | |
282 | +static int ccs_path_chmod(const struct path *path, umode_t mode) | |
283 | +{ | |
284 | + return ccs_chmod_permission(path->dentry, path->mnt, mode); | |
285 | +} | |
286 | + | |
287 | +/** | |
288 | + * ccs_path_chroot - Check permission for chroot(). | |
289 | + * | |
290 | + * @path: Pointer to "struct path". | |
291 | + * | |
292 | + * Returns 0 on success, negative value otherwise. | |
293 | + */ | |
294 | +static int ccs_path_chroot(const struct path *path) | |
295 | +{ | |
296 | + return ccs_chroot_permission(path); | |
297 | +} | |
298 | + | |
299 | +/** | |
300 | + * ccs_path_truncate - Check permission for truncate(). | |
301 | + * | |
302 | + * @path: Pointer to "struct path". | |
303 | + * | |
304 | + * Returns 0 on success, negative value otherwise. | |
305 | + */ | |
306 | +static int ccs_path_truncate(const struct path *path) | |
307 | +{ | |
308 | + return ccs_truncate_permission(path->dentry, path->mnt); | |
309 | +} | |
310 | + | |
311 | +#else | |
312 | + | |
313 | +/** | |
314 | + * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate(). | |
315 | + * | |
316 | + * @dentry: Pointer to "struct dentry". | |
317 | + * @attr: Pointer to "struct iattr". | |
318 | + * | |
319 | + * Returns 0 on success, negative value otherwise. | |
320 | + */ | |
321 | +static int ccs_inode_setattr(struct dentry *dentry, struct iattr *attr) | |
322 | +{ | |
323 | + const int rc1 = (attr->ia_valid & ATTR_UID) ? | |
324 | + ccs_chown_permission(dentry, NULL, attr->ia_uid, INVALID_GID) : | |
325 | + 0; | |
326 | + const int rc2 = (attr->ia_valid & ATTR_GID) ? | |
327 | + ccs_chown_permission(dentry, NULL, INVALID_UID, attr->ia_gid) : | |
328 | + 0; | |
329 | + const int rc3 = (attr->ia_valid & ATTR_MODE) ? | |
330 | + ccs_chmod_permission(dentry, NULL, attr->ia_mode) : 0; | |
331 | + const int rc4 = (attr->ia_valid & ATTR_SIZE) ? | |
332 | + ccs_truncate_permission(dentry, NULL) : 0; | |
333 | + if (rc4) | |
334 | + return rc4; | |
335 | + if (rc3) | |
336 | + return rc3; | |
337 | + if (rc2) | |
338 | + return rc2; | |
339 | + return rc1; | |
340 | +} | |
341 | + | |
342 | +#endif | |
343 | + | |
344 | +/** | |
345 | + * ccs_inode_getattr - Check permission for stat(). | |
346 | + * | |
347 | + * @path: Pointer to "struct path". | |
348 | + * | |
349 | + * Returns 0 on success, negative value otherwise. | |
350 | + */ | |
351 | +static int ccs_inode_getattr(const struct path *path) | |
352 | +{ | |
353 | + return ccs_getattr_permission(path->mnt, path->dentry); | |
354 | +} | |
355 | + | |
356 | +#ifdef CONFIG_SECURITY_PATH | |
357 | + | |
358 | +/** | |
359 | + * ccs_path_mknod - Check permission for mknod(). | |
360 | + * | |
361 | + * @dir: Pointer to "struct path". | |
362 | + * @dentry: Pointer to "struct dentry". | |
363 | + * @mode: Create mode. | |
364 | + * @dev: Device major/minor number. | |
365 | + * | |
366 | + * Returns 0 on success, negative value otherwise. | |
367 | + */ | |
368 | +static int ccs_path_mknod(const struct path *dir, struct dentry *dentry, | |
369 | + umode_t mode, unsigned int dev) | |
370 | +{ | |
371 | + return ccs_mknod_permission(dentry, dir->mnt, mode, dev); | |
372 | +} | |
373 | + | |
374 | +/** | |
375 | + * ccs_path_mkdir - Check permission for mkdir(). | |
376 | + * | |
377 | + * @dir: Pointer to "struct path". | |
378 | + * @dentry: Pointer to "struct dentry". | |
379 | + * @mode: Create mode. | |
380 | + * | |
381 | + * Returns 0 on success, negative value otherwise. | |
382 | + */ | |
383 | +static int ccs_path_mkdir(const struct path *dir, struct dentry *dentry, | |
384 | + umode_t mode) | |
385 | +{ | |
386 | + return ccs_mkdir_permission(dentry, dir->mnt, mode); | |
387 | +} | |
388 | + | |
389 | +/** | |
390 | + * ccs_path_rmdir - Check permission for rmdir(). | |
391 | + * | |
392 | + * @dir: Pointer to "struct path". | |
393 | + * @dentry: Pointer to "struct dentry". | |
394 | + * | |
395 | + * Returns 0 on success, negative value otherwise. | |
396 | + */ | |
397 | +static int ccs_path_rmdir(const struct path *dir, struct dentry *dentry) | |
398 | +{ | |
399 | + return ccs_rmdir_permission(dentry, dir->mnt); | |
400 | +} | |
401 | + | |
402 | +/** | |
403 | + * ccs_path_unlink - Check permission for unlink(). | |
404 | + * | |
405 | + * @dir: Pointer to "struct path". | |
406 | + * @dentry: Pointer to "struct dentry". | |
407 | + * | |
408 | + * Returns 0 on success, negative value otherwise. | |
409 | + */ | |
410 | +static int ccs_path_unlink(const struct path *dir, struct dentry *dentry) | |
411 | +{ | |
412 | + return ccs_unlink_permission(dentry, dir->mnt); | |
413 | +} | |
414 | + | |
415 | +/** | |
416 | + * ccs_path_symlink - Check permission for symlink(). | |
417 | + * | |
418 | + * @dir: Pointer to "struct path". | |
419 | + * @dentry: Pointer to "struct dentry". | |
420 | + * @old_name: Content of symbolic link. | |
421 | + * | |
422 | + * Returns 0 on success, negative value otherwise. | |
423 | + */ | |
424 | +static int ccs_path_symlink(const struct path *dir, struct dentry *dentry, | |
425 | + const char *old_name) | |
426 | +{ | |
427 | + return ccs_symlink_permission(dentry, dir->mnt, old_name); | |
428 | +} | |
429 | + | |
430 | +/** | |
431 | + * ccs_path_rename - Check permission for rename(). | |
432 | + * | |
433 | + * @old_dir: Pointer to "struct path". | |
434 | + * @old_dentry: Pointer to "struct dentry". | |
435 | + * @new_dir: Pointer to "struct path". | |
436 | + * @new_dentry: Pointer to "struct dentry". | |
437 | + * | |
438 | + * Returns 0 on success, negative value otherwise. | |
439 | + */ | |
440 | +static int ccs_path_rename(const struct path *old_dir, | |
441 | + struct dentry *old_dentry, | |
442 | + const struct path *new_dir, | |
443 | + struct dentry *new_dentry) | |
444 | +{ | |
445 | + return ccs_rename_permission(old_dentry, new_dentry, old_dir->mnt); | |
446 | +} | |
447 | + | |
448 | +/** | |
449 | + * ccs_path_link - Check permission for link(). | |
450 | + * | |
451 | + * @old_dentry: Pointer to "struct dentry". | |
452 | + * @new_dir: Pointer to "struct path". | |
453 | + * @new_dentry: Pointer to "struct dentry". | |
454 | + * | |
455 | + * Returns 0 on success, negative value otherwise. | |
456 | + */ | |
457 | +static int ccs_path_link(struct dentry *old_dentry, const struct path *new_dir, | |
458 | + struct dentry *new_dentry) | |
459 | +{ | |
460 | + return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt); | |
461 | +} | |
462 | + | |
463 | +#else | |
464 | + | |
465 | +/** | |
466 | + * ccs_inode_mknod - Check permission for mknod(). | |
467 | + * | |
468 | + * @dir: Pointer to "struct inode". | |
469 | + * @dentry: Pointer to "struct dentry". | |
470 | + * @mode: Create mode. | |
471 | + * @dev: Device major/minor number. | |
472 | + * | |
473 | + * Returns 0 on success, negative value otherwise. | |
474 | + */ | |
475 | +static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry, | |
476 | + umode_t mode, dev_t dev) | |
477 | +{ | |
478 | + return ccs_mknod_permission(dentry, NULL, mode, dev); | |
479 | +} | |
480 | + | |
481 | +/** | |
482 | + * ccs_inode_mkdir - Check permission for mkdir(). | |
483 | + * | |
484 | + * @dir: Pointer to "struct inode". | |
485 | + * @dentry: Pointer to "struct dentry". | |
486 | + * @mode: Create mode. | |
487 | + * | |
488 | + * Returns 0 on success, negative value otherwise. | |
489 | + */ | |
490 | +static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry, | |
491 | + umode_t mode) | |
492 | +{ | |
493 | + return ccs_mkdir_permission(dentry, NULL, mode); | |
494 | +} | |
495 | + | |
496 | +/** | |
497 | + * ccs_inode_rmdir - Check permission for rmdir(). | |
498 | + * | |
499 | + * @dir: Pointer to "struct inode". | |
500 | + * @dentry: Pointer to "struct dentry". | |
501 | + * | |
502 | + * Returns 0 on success, negative value otherwise. | |
503 | + */ | |
504 | +static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry) | |
505 | +{ | |
506 | + return ccs_rmdir_permission(dentry, NULL); | |
507 | +} | |
508 | + | |
509 | +/** | |
510 | + * ccs_inode_unlink - Check permission for unlink(). | |
511 | + * | |
512 | + * @dir: Pointer to "struct inode". | |
513 | + * @dentry: Pointer to "struct dentry". | |
514 | + * | |
515 | + * Returns 0 on success, negative value otherwise. | |
516 | + */ | |
517 | +static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry) | |
518 | +{ | |
519 | + return ccs_unlink_permission(dentry, NULL); | |
520 | +} | |
521 | + | |
522 | +/** | |
523 | + * ccs_inode_symlink - Check permission for symlink(). | |
524 | + * | |
525 | + * @dir: Pointer to "struct inode". | |
526 | + * @dentry: Pointer to "struct dentry". | |
527 | + * @old_name: Content of symbolic link. | |
528 | + * | |
529 | + * Returns 0 on success, negative value otherwise. | |
530 | + */ | |
531 | +static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry, | |
532 | + const char *old_name) | |
533 | +{ | |
534 | + return ccs_symlink_permission(dentry, NULL, old_name); | |
535 | +} | |
536 | + | |
537 | +/** | |
538 | + * ccs_inode_rename - Check permission for rename(). | |
539 | + * | |
540 | + * @old_dir: Pointer to "struct inode". | |
541 | + * @old_dentry: Pointer to "struct dentry". | |
542 | + * @new_dir: Pointer to "struct inode". | |
543 | + * @new_dentry: Pointer to "struct dentry". | |
544 | + * | |
545 | + * Returns 0 on success, negative value otherwise. | |
546 | + */ | |
547 | +static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry, | |
548 | + struct inode *new_dir, struct dentry *new_dentry) | |
549 | +{ | |
550 | + return ccs_rename_permission(old_dentry, new_dentry, NULL); | |
551 | +} | |
552 | + | |
553 | +/** | |
554 | + * ccs_inode_link - Check permission for link(). | |
555 | + * | |
556 | + * @old_dentry: Pointer to "struct dentry". | |
557 | + * @dir: Pointer to "struct inode". | |
558 | + * @new_dentry: Pointer to "struct dentry". | |
559 | + * | |
560 | + * Returns 0 on success, negative value otherwise. | |
561 | + */ | |
562 | +static int ccs_inode_link(struct dentry *old_dentry, struct inode *dir, | |
563 | + struct dentry *new_dentry) | |
564 | +{ | |
565 | + return ccs_link_permission(old_dentry, new_dentry, NULL); | |
566 | +} | |
567 | + | |
568 | +/** | |
569 | + * ccs_inode_create - Check permission for creat(). | |
570 | + * | |
571 | + * @dir: Pointer to "struct inode". | |
572 | + * @dentry: Pointer to "struct dentry". | |
573 | + * @mode: Create mode. | |
574 | + * | |
575 | + * Returns 0 on success, negative value otherwise. | |
576 | + */ | |
577 | +static int ccs_inode_create(struct inode *dir, struct dentry *dentry, | |
578 | + umode_t mode) | |
579 | +{ | |
580 | + return ccs_mknod_permission(dentry, NULL, mode, 0); | |
581 | +} | |
582 | + | |
583 | +#endif | |
584 | + | |
585 | +#ifdef CONFIG_SECURITY_NETWORK | |
586 | + | |
587 | +#include <net/sock.h> | |
588 | + | |
589 | +/* Structure for remembering an accept()ed socket's status. */ | |
590 | +struct ccs_socket_tag { | |
591 | + struct list_head list; | |
592 | + struct inode *inode; | |
593 | + int status; | |
594 | + struct rcu_head rcu; | |
595 | +}; | |
596 | + | |
597 | +/* | |
598 | + * List for managing accept()ed sockets. | |
599 | + * Since we don't need to keep an accept()ed socket into this list after | |
600 | + * once the permission was granted, the number of entries in this list is | |
601 | + * likely small. Therefore, we don't use hash tables. | |
602 | + */ | |
603 | +static LIST_HEAD(ccs_accepted_socket_list); | |
604 | +/* Lock for protecting ccs_accepted_socket_list . */ | |
605 | +static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock); | |
606 | + | |
607 | +/** | |
608 | + * ccs_update_socket_tag - Update tag associated with accept()ed sockets. | |
609 | + * | |
610 | + * @inode: Pointer to "struct inode". | |
611 | + * @status: New status. | |
612 | + * | |
613 | + * Returns nothing. | |
614 | + * | |
615 | + * If @status == 0, memory for that socket will be released after RCU grace | |
616 | + * period. | |
617 | + */ | |
618 | +static void ccs_update_socket_tag(struct inode *inode, int status) | |
619 | +{ | |
620 | + struct ccs_socket_tag *ptr; | |
621 | + /* | |
622 | + * Protect whole section because multiple threads may call this | |
623 | + * function with same "sock" via ccs_validate_socket(). | |
624 | + */ | |
625 | + spin_lock(&ccs_accepted_socket_list_lock); | |
626 | + rcu_read_lock(); | |
627 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
628 | + if (ptr->inode != inode) | |
629 | + continue; | |
630 | + ptr->status = status; | |
631 | + if (status) | |
632 | + break; | |
633 | + list_del_rcu(&ptr->list); | |
634 | + kfree_rcu(ptr, rcu); | |
635 | + break; | |
636 | + } | |
637 | + rcu_read_unlock(); | |
638 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
639 | +} | |
640 | + | |
641 | +/** | |
642 | + * ccs_validate_socket - Check post accept() permission if needed. | |
643 | + * | |
644 | + * @sock: Pointer to "struct socket". | |
645 | + * | |
646 | + * Returns 0 on success, negative value otherwise. | |
647 | + */ | |
648 | +static int ccs_validate_socket(struct socket *sock) | |
649 | +{ | |
650 | + struct inode *inode = SOCK_INODE(sock); | |
651 | + struct ccs_socket_tag *ptr; | |
652 | + int ret = 0; | |
653 | + rcu_read_lock(); | |
654 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
655 | + if (ptr->inode != inode) | |
656 | + continue; | |
657 | + ret = ptr->status; | |
658 | + break; | |
659 | + } | |
660 | + rcu_read_unlock(); | |
661 | + if (ret <= 0) | |
662 | + /* | |
663 | + * This socket is not an accept()ed socket or this socket is | |
664 | + * an accept()ed socket and post accept() permission is done. | |
665 | + */ | |
666 | + return ret; | |
667 | + /* | |
668 | + * Check post accept() permission now. | |
669 | + * | |
670 | + * Strictly speaking, we need to pass both listen()ing socket and | |
671 | + * accept()ed socket to __ccs_socket_post_accept_permission(). | |
672 | + * But since socket's family and type are same for both sockets, | |
673 | + * passing the accept()ed socket in place for the listen()ing socket | |
674 | + * will work. | |
675 | + */ | |
676 | + ret = ccs_socket_post_accept_permission(sock, sock); | |
677 | + /* | |
678 | + * If permission was granted, we forget that this is an accept()ed | |
679 | + * socket. Otherwise, we remember that this socket needs to return | |
680 | + * error for subsequent socketcalls. | |
681 | + */ | |
682 | + ccs_update_socket_tag(inode, ret); | |
683 | + return ret; | |
684 | +} | |
685 | + | |
686 | +/** | |
687 | + * ccs_socket_accept - Check permission for accept(). | |
688 | + * | |
689 | + * @sock: Pointer to "struct socket". | |
690 | + * @newsock: Pointer to "struct socket". | |
691 | + * | |
692 | + * Returns 0 on success, negative value otherwise. | |
693 | + * | |
694 | + * This hook is used for setting up environment for doing post accept() | |
695 | + * permission check. If dereferencing sock->ops->something() were ordered by | |
696 | + * rcu_dereference(), we could replace sock->ops with "a copy of original | |
697 | + * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer() | |
698 | + * in order to do post accept() permission check before returning to userspace. | |
699 | + * If we make the copy in security_socket_post_create(), it would be possible | |
700 | + * to safely replace sock->ops here, but we don't do so because we don't want | |
701 | + * to allocate memory for sockets which do not call sock->ops->accept(). | |
702 | + * Therefore, we do post accept() permission check upon next socket syscalls | |
703 | + * rather than between sock->ops->accept() and returning to userspace. | |
704 | + * This means that if a socket was close()d before calling some socket | |
705 | + * syscalls, post accept() permission check will not be done. | |
706 | + */ | |
707 | +static int ccs_socket_accept(struct socket *sock, struct socket *newsock) | |
708 | +{ | |
709 | + struct ccs_socket_tag *ptr; | |
710 | + const int rc = ccs_validate_socket(sock); | |
711 | + if (rc < 0) | |
712 | + return rc; | |
713 | + ptr = kzalloc(sizeof(*ptr), GFP_KERNEL); | |
714 | + if (!ptr) | |
715 | + return -ENOMEM; | |
716 | + /* | |
717 | + * Subsequent LSM hooks will receive "newsock". Therefore, I mark | |
718 | + * "newsock" as "an accept()ed socket but post accept() permission | |
719 | + * check is not done yet" by allocating memory using inode of the | |
720 | + * "newsock" as a search key. | |
721 | + */ | |
722 | + ptr->inode = SOCK_INODE(newsock); | |
723 | + ptr->status = 1; /* Check post accept() permission later. */ | |
724 | + spin_lock(&ccs_accepted_socket_list_lock); | |
725 | + list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list); | |
726 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
727 | + return 0; | |
728 | +} | |
729 | + | |
730 | +/** | |
731 | + * ccs_socket_listen - Check permission for listen(). | |
732 | + * | |
733 | + * @sock: Pointer to "struct socket". | |
734 | + * @backlog: Backlog parameter. | |
735 | + * | |
736 | + * Returns 0 on success, negative value otherwise. | |
737 | + */ | |
738 | +static int ccs_socket_listen(struct socket *sock, int backlog) | |
739 | +{ | |
740 | + const int rc = ccs_validate_socket(sock); | |
741 | + if (rc < 0) | |
742 | + return rc; | |
743 | + return ccs_socket_listen_permission(sock); | |
744 | +} | |
745 | + | |
746 | +/** | |
747 | + * ccs_socket_connect - Check permission for connect(). | |
748 | + * | |
749 | + * @sock: Pointer to "struct socket". | |
750 | + * @addr: Pointer to "struct sockaddr". | |
751 | + * @addr_len: Size of @addr. | |
752 | + * | |
753 | + * Returns 0 on success, negative value otherwise. | |
754 | + */ | |
755 | +static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr, | |
756 | + int addr_len) | |
757 | +{ | |
758 | + const int rc = ccs_validate_socket(sock); | |
759 | + if (rc < 0) | |
760 | + return rc; | |
761 | + return ccs_socket_connect_permission(sock, addr, addr_len); | |
762 | +} | |
763 | + | |
764 | +/** | |
765 | + * ccs_socket_bind - Check permission for bind(). | |
766 | + * | |
767 | + * @sock: Pointer to "struct socket". | |
768 | + * @addr: Pointer to "struct sockaddr". | |
769 | + * @addr_len: Size of @addr. | |
770 | + * | |
771 | + * Returns 0 on success, negative value otherwise. | |
772 | + */ | |
773 | +static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr, | |
774 | + int addr_len) | |
775 | +{ | |
776 | + const int rc = ccs_validate_socket(sock); | |
777 | + if (rc < 0) | |
778 | + return rc; | |
779 | + return ccs_socket_bind_permission(sock, addr, addr_len); | |
780 | +} | |
781 | + | |
782 | +/** | |
783 | + * ccs_socket_sendmsg - Check permission for sendmsg(). | |
784 | + * | |
785 | + * @sock: Pointer to "struct socket". | |
786 | + * @msg: Pointer to "struct msghdr". | |
787 | + * @size: Size of message. | |
788 | + * | |
789 | + * Returns 0 on success, negative value otherwise. | |
790 | + */ | |
791 | +static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg, | |
792 | + int size) | |
793 | +{ | |
794 | + const int rc = ccs_validate_socket(sock); | |
795 | + if (rc < 0) | |
796 | + return rc; | |
797 | + return ccs_socket_sendmsg_permission(sock, msg, size); | |
798 | +} | |
799 | + | |
800 | +/** | |
801 | + * ccs_socket_recvmsg - Check permission for recvmsg(). | |
802 | + * | |
803 | + * @sock: Pointer to "struct socket". | |
804 | + * @msg: Pointer to "struct msghdr". | |
805 | + * @size: Size of message. | |
806 | + * @flags: Flags. | |
807 | + * | |
808 | + * Returns 0 on success, negative value otherwise. | |
809 | + */ | |
810 | +static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg, | |
811 | + int size, int flags) | |
812 | +{ | |
813 | + return ccs_validate_socket(sock); | |
814 | +} | |
815 | + | |
816 | +/** | |
817 | + * ccs_socket_getsockname - Check permission for getsockname(). | |
818 | + * | |
819 | + * @sock: Pointer to "struct socket". | |
820 | + * | |
821 | + * Returns 0 on success, negative value otherwise. | |
822 | + */ | |
823 | +static int ccs_socket_getsockname(struct socket *sock) | |
824 | +{ | |
825 | + return ccs_validate_socket(sock); | |
826 | +} | |
827 | + | |
828 | +/** | |
829 | + * ccs_socket_getpeername - Check permission for getpeername(). | |
830 | + * | |
831 | + * @sock: Pointer to "struct socket". | |
832 | + * | |
833 | + * Returns 0 on success, negative value otherwise. | |
834 | + */ | |
835 | +static int ccs_socket_getpeername(struct socket *sock) | |
836 | +{ | |
837 | + return ccs_validate_socket(sock); | |
838 | +} | |
839 | + | |
840 | +/** | |
841 | + * ccs_socket_getsockopt - Check permission for getsockopt(). | |
842 | + * | |
843 | + * @sock: Pointer to "struct socket". | |
844 | + * @level: Level. | |
845 | + * @optname: Option's name, | |
846 | + * | |
847 | + * Returns 0 on success, negative value otherwise. | |
848 | + */ | |
849 | +static int ccs_socket_getsockopt(struct socket *sock, int level, int optname) | |
850 | +{ | |
851 | + return ccs_validate_socket(sock); | |
852 | +} | |
853 | + | |
854 | +/** | |
855 | + * ccs_socket_setsockopt - Check permission for setsockopt(). | |
856 | + * | |
857 | + * @sock: Pointer to "struct socket". | |
858 | + * @level: Level. | |
859 | + * @optname: Option's name, | |
860 | + * | |
861 | + * Returns 0 on success, negative value otherwise. | |
862 | + */ | |
863 | +static int ccs_socket_setsockopt(struct socket *sock, int level, int optname) | |
864 | +{ | |
865 | + return ccs_validate_socket(sock); | |
866 | +} | |
867 | + | |
868 | +/** | |
869 | + * ccs_socket_shutdown - Check permission for shutdown(). | |
870 | + * | |
871 | + * @sock: Pointer to "struct socket". | |
872 | + * @how: Shutdown mode. | |
873 | + * | |
874 | + * Returns 0 on success, negative value otherwise. | |
875 | + */ | |
876 | +static int ccs_socket_shutdown(struct socket *sock, int how) | |
877 | +{ | |
878 | + return ccs_validate_socket(sock); | |
879 | +} | |
880 | + | |
881 | +#define SOCKFS_MAGIC 0x534F434B | |
882 | + | |
883 | +/** | |
884 | + * ccs_inode_free_security - Release memory associated with an inode. | |
885 | + * | |
886 | + * @inode: Pointer to "struct inode". | |
887 | + * | |
888 | + * Returns nothing. | |
889 | + * | |
890 | + * We use this hook for releasing memory associated with an accept()ed socket. | |
891 | + */ | |
892 | +static void ccs_inode_free_security(struct inode *inode) | |
893 | +{ | |
894 | + if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC) | |
895 | + ccs_update_socket_tag(inode, 0); | |
896 | +} | |
897 | + | |
898 | +#endif | |
899 | + | |
900 | +/** | |
901 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
902 | + * | |
903 | + * @old_path: Pointer to "struct path". | |
904 | + * @new_path: Pointer to "struct path". | |
905 | + * | |
906 | + * Returns 0 on success, negative value otherwise. | |
907 | + */ | |
908 | +static int ccs_sb_pivotroot(const struct path *old_path, | |
909 | + const struct path *new_path) | |
910 | +{ | |
911 | + return ccs_pivot_root_permission(old_path, new_path); | |
912 | +} | |
913 | + | |
914 | +/** | |
915 | + * ccs_sb_mount - Check permission for mount(). | |
916 | + * | |
917 | + * @dev_name: Name of device file. | |
918 | + * @path: Pointer to "struct path". | |
919 | + * @type: Name of filesystem type. Maybe NULL. | |
920 | + * @flags: Mount options. | |
921 | + * @data_page: Optional data. Maybe NULL. | |
922 | + * | |
923 | + * Returns 0 on success, negative value otherwise. | |
924 | + */ | |
925 | +static int ccs_sb_mount(const char *dev_name, const struct path *path, | |
926 | + const char *type, unsigned long flags, void *data_page) | |
927 | +{ | |
928 | + return ccs_mount_permission(dev_name, path, type, flags, data_page); | |
929 | +} | |
930 | + | |
931 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) | |
932 | +/** | |
933 | + * ccs_move_mount - Check permission for move_mount() operation. | |
934 | + * | |
935 | + * @from_path: Pointer to "struct path". | |
936 | + * @to_path: Pointer to "struct path". | |
937 | + * | |
938 | + * Returns 0 on success, negative value otherwise. | |
939 | + */ | |
940 | +static int ccs_move_mount(const struct path *from_path, const struct path *to_path) | |
941 | +{ | |
942 | + return ccs_move_mount_permission(from_path, to_path); | |
943 | +} | |
944 | +#endif | |
945 | + | |
946 | +/** | |
947 | + * ccs_sb_umount - Check permission for umount(). | |
948 | + * | |
949 | + * @mnt: Pointer to "struct vfsmount". | |
950 | + * @flags: Unmount flags. | |
951 | + * | |
952 | + * Returns 0 on success, negative value otherwise. | |
953 | + */ | |
954 | +static int ccs_sb_umount(struct vfsmount *mnt, int flags) | |
955 | +{ | |
956 | + return ccs_umount_permission(mnt, flags); | |
957 | +} | |
958 | + | |
959 | +/** | |
960 | + * ccs_file_fcntl - Check permission for fcntl(). | |
961 | + * | |
962 | + * @file: Pointer to "struct file". | |
963 | + * @cmd: Command number. | |
964 | + * @arg: Value for @cmd. | |
965 | + * | |
966 | + * Returns 0 on success, negative value otherwise. | |
967 | + */ | |
968 | +static int ccs_file_fcntl(struct file *file, unsigned int cmd, | |
969 | + unsigned long arg) | |
970 | +{ | |
971 | + return ccs_fcntl_permission(file, cmd, arg); | |
972 | +} | |
973 | + | |
974 | +/** | |
975 | + * ccs_file_ioctl - Check permission for ioctl(). | |
976 | + * | |
977 | + * @filp: Pointer to "struct file". | |
978 | + * @cmd: Command number. | |
979 | + * @arg: Value for @cmd. | |
980 | + * | |
981 | + * Returns 0 on success, negative value otherwise. | |
982 | + */ | |
983 | +static int ccs_file_ioctl(struct file *filp, unsigned int cmd, | |
984 | + unsigned long arg) | |
985 | +{ | |
986 | + return ccs_ioctl_permission(filp, cmd, arg); | |
987 | +} | |
988 | + | |
989 | +#define MY_HOOK_INIT(HEAD, HOOK) \ | |
990 | + { .head = &probe_dummy_security_hook_heads.HEAD, \ | |
991 | + .hook = { .HEAD = HOOK } } | |
992 | + | |
993 | +static struct security_hook_list akari_hooks[] = { | |
994 | + /* Security context allocator. */ | |
995 | + MY_HOOK_INIT(task_free, ccs_task_free_security), | |
996 | + MY_HOOK_INIT(cred_prepare, ccs_cred_prepare), | |
997 | + MY_HOOK_INIT(task_alloc, ccs_task_alloc_security), | |
998 | + /* Security context updater for successful execve(). */ | |
999 | + MY_HOOK_INIT(bprm_check_security, ccs_bprm_check_security), | |
1000 | + MY_HOOK_INIT(bprm_committing_creds, ccs_bprm_committing_creds), | |
1001 | + /* Various permission checker. */ | |
1002 | + MY_HOOK_INIT(file_open, ccs_file_open), | |
1003 | + MY_HOOK_INIT(file_fcntl, ccs_file_fcntl), | |
1004 | + MY_HOOK_INIT(file_ioctl, ccs_file_ioctl), | |
1005 | + MY_HOOK_INIT(sb_pivotroot, ccs_sb_pivotroot), | |
1006 | + MY_HOOK_INIT(sb_mount, ccs_sb_mount), | |
1007 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) | |
1008 | + MY_HOOK_INIT(move_mount, ccs_move_mount), | |
1009 | +#endif | |
1010 | + MY_HOOK_INIT(sb_umount, ccs_sb_umount), | |
1011 | +#ifdef CONFIG_SECURITY_PATH | |
1012 | + MY_HOOK_INIT(path_mknod, ccs_path_mknod), | |
1013 | + MY_HOOK_INIT(path_mkdir, ccs_path_mkdir), | |
1014 | + MY_HOOK_INIT(path_rmdir, ccs_path_rmdir), | |
1015 | + MY_HOOK_INIT(path_unlink, ccs_path_unlink), | |
1016 | + MY_HOOK_INIT(path_symlink, ccs_path_symlink), | |
1017 | + MY_HOOK_INIT(path_rename, ccs_path_rename), | |
1018 | + MY_HOOK_INIT(path_link, ccs_path_link), | |
1019 | + MY_HOOK_INIT(path_truncate, ccs_path_truncate), | |
1020 | + MY_HOOK_INIT(path_chmod, ccs_path_chmod), | |
1021 | + MY_HOOK_INIT(path_chown, ccs_path_chown), | |
1022 | + MY_HOOK_INIT(path_chroot, ccs_path_chroot), | |
1023 | +#else | |
1024 | + MY_HOOK_INIT(inode_mknod, ccs_inode_mknod), | |
1025 | + MY_HOOK_INIT(inode_mkdir, ccs_inode_mkdir), | |
1026 | + MY_HOOK_INIT(inode_rmdir, ccs_inode_rmdir), | |
1027 | + MY_HOOK_INIT(inode_unlink, ccs_inode_unlink), | |
1028 | + MY_HOOK_INIT(inode_symlink, ccs_inode_symlink), | |
1029 | + MY_HOOK_INIT(inode_rename, ccs_inode_rename), | |
1030 | + MY_HOOK_INIT(inode_link, ccs_inode_link), | |
1031 | + MY_HOOK_INIT(inode_create, ccs_inode_create), | |
1032 | + MY_HOOK_INIT(inode_setattr, ccs_inode_setattr), | |
1033 | +#endif | |
1034 | + MY_HOOK_INIT(inode_getattr, ccs_inode_getattr), | |
1035 | +#ifdef CONFIG_SECURITY_NETWORK | |
1036 | + MY_HOOK_INIT(socket_bind, ccs_socket_bind), | |
1037 | + MY_HOOK_INIT(socket_connect, ccs_socket_connect), | |
1038 | + MY_HOOK_INIT(socket_listen, ccs_socket_listen), | |
1039 | + MY_HOOK_INIT(socket_sendmsg, ccs_socket_sendmsg), | |
1040 | + MY_HOOK_INIT(socket_recvmsg, ccs_socket_recvmsg), | |
1041 | + MY_HOOK_INIT(socket_getsockname, ccs_socket_getsockname), | |
1042 | + MY_HOOK_INIT(socket_getpeername, ccs_socket_getpeername), | |
1043 | + MY_HOOK_INIT(socket_getsockopt, ccs_socket_getsockopt), | |
1044 | + MY_HOOK_INIT(socket_setsockopt, ccs_socket_setsockopt), | |
1045 | + MY_HOOK_INIT(socket_shutdown, ccs_socket_shutdown), | |
1046 | + MY_HOOK_INIT(socket_accept, ccs_socket_accept), | |
1047 | + MY_HOOK_INIT(inode_free_security, ccs_inode_free_security), | |
1048 | +#endif | |
1049 | +}; | |
1050 | + | |
1051 | +static inline void add_hook(struct security_hook_list *hook) | |
1052 | +{ | |
1053 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0) | |
1054 | + hlist_add_tail_rcu(&hook->list, hook->head); | |
1055 | +#else | |
1056 | + list_add_tail_rcu(&hook->list, hook->head); | |
1057 | +#endif | |
1058 | +} | |
1059 | + | |
1060 | +static void __init swap_hook(struct security_hook_list *hook, | |
1061 | + union security_list_options *original) | |
1062 | +{ | |
1063 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0) | |
1064 | + struct hlist_head *list = hook->head; | |
1065 | + | |
1066 | + if (hlist_empty(list)) { | |
1067 | + add_hook(hook); | |
1068 | + } else { | |
1069 | + struct security_hook_list *shp = | |
1070 | + hlist_entry(list->first, typeof(*shp), list); | |
1071 | + | |
1072 | + while (shp->list.next) | |
1073 | + shp = hlist_entry(shp->list.next, typeof(*shp), list); | |
1074 | + *original = shp->hook; | |
1075 | + smp_wmb(); | |
1076 | + shp->hook = hook->hook; | |
1077 | + } | |
1078 | +#else | |
1079 | + struct list_head *list = hook->head; | |
1080 | + | |
1081 | + if (list_empty(list)) { | |
1082 | + add_hook(hook); | |
1083 | + } else { | |
1084 | + struct security_hook_list *shp = | |
1085 | + list_last_entry(list, struct security_hook_list, list); | |
1086 | + *original = shp->hook; | |
1087 | + smp_wmb(); | |
1088 | + shp->hook = hook->hook; | |
1089 | + } | |
1090 | +#endif | |
1091 | +} | |
1092 | + | |
1093 | +#if defined(CONFIG_STRICT_KERNEL_RWX) && !defined(CONFIG_SECURITY_WRITABLE_HOOKS) | |
1094 | +#include <linux/uaccess.h> /* probe_kernel_write() */ | |
1095 | +#define NEED_TO_CHECK_HOOKS_ARE_WRITABLE | |
1096 | + | |
1097 | +#if defined(CONFIG_X86) | |
1098 | +#define MAX_RO_PAGES 1024 | |
1099 | +static struct page *ro_pages[MAX_RO_PAGES] __initdata; | |
1100 | +static unsigned int ro_pages_len __initdata; | |
1101 | + | |
1102 | +static bool __init lsm_test_page_ro(void *addr) | |
1103 | +{ | |
1104 | + unsigned int i; | |
1105 | + int unused; | |
1106 | + struct page *page; | |
1107 | + | |
1108 | + page = (struct page *) lookup_address((unsigned long) addr, &unused); | |
1109 | + if (!page) | |
1110 | + return false; | |
1111 | + if (test_bit(_PAGE_BIT_RW, &(page->flags))) | |
1112 | + return true; | |
1113 | + for (i = 0; i < ro_pages_len; i++) | |
1114 | + if (page == ro_pages[i]) | |
1115 | + return true; | |
1116 | + if (ro_pages_len == MAX_RO_PAGES) | |
1117 | + return false; | |
1118 | + ro_pages[ro_pages_len++] = page; | |
1119 | + return true; | |
1120 | +} | |
1121 | + | |
1122 | +static bool __init check_ro_pages(struct security_hook_heads *hooks) | |
1123 | +{ | |
1124 | + int i; | |
1125 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0) | |
1126 | + struct hlist_head *list = &hooks->capable; | |
1127 | + | |
1128 | + if (!probe_kernel_write(list, list, sizeof(void *))) | |
1129 | + return true; | |
1130 | + for (i = 0; i < ARRAY_SIZE(akari_hooks); i++) { | |
1131 | + struct hlist_head *head = akari_hooks[i].head; | |
1132 | + struct security_hook_list *shp; | |
1133 | + | |
1134 | + if (!lsm_test_page_ro(&head->first)) | |
1135 | + return false; | |
1136 | + hlist_for_each_entry(shp, head, list) | |
1137 | + if (!lsm_test_page_ro(&shp->list.next) || | |
1138 | + !lsm_test_page_ro(&shp->list.pprev)) | |
1139 | + return false; | |
1140 | + } | |
1141 | +#else | |
1142 | + struct list_head *list = &hooks->capable; | |
1143 | + | |
1144 | + if (!probe_kernel_write(list, list, sizeof(void *))) | |
1145 | + return true; | |
1146 | + for (i = 0; i < ARRAY_SIZE(akari_hooks); i++) { | |
1147 | + struct list_head *head = akari_hooks[i].head; | |
1148 | + struct security_hook_list *shp; | |
1149 | + | |
1150 | + if (!lsm_test_page_ro(&head->next) || | |
1151 | + !lsm_test_page_ro(&head->prev)) | |
1152 | + return false; | |
1153 | + list_for_each_entry(shp, head, list) | |
1154 | + if (!lsm_test_page_ro(&shp->list.next) || | |
1155 | + !lsm_test_page_ro(&shp->list.prev)) | |
1156 | + return false; | |
1157 | + } | |
1158 | +#endif | |
1159 | + return true; | |
1160 | +} | |
1161 | +#else | |
1162 | +static bool __init check_ro_pages(struct security_hook_heads *hooks) | |
1163 | +{ | |
1164 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0) | |
1165 | + struct hlist_head *list = &hooks->capable; | |
1166 | +#else | |
1167 | + struct list_head *list = &hooks->capable; | |
1168 | +#endif | |
1169 | + | |
1170 | + return !probe_kernel_write(list, list, sizeof(void *)); | |
1171 | +} | |
1172 | +#endif | |
1173 | +#endif | |
1174 | + | |
1175 | +/** | |
1176 | + * ccs_init - Initialize this module. | |
1177 | + * | |
1178 | + * Returns 0 on success, negative value otherwise. | |
1179 | + */ | |
1180 | +static int __init ccs_init(void) | |
1181 | +{ | |
1182 | + int idx; | |
1183 | + struct security_hook_heads *hooks = probe_security_hook_heads(); | |
1184 | + if (!hooks) | |
1185 | + goto out; | |
1186 | + for (idx = 0; idx < ARRAY_SIZE(akari_hooks); idx++) | |
1187 | + akari_hooks[idx].head = ((void *) hooks) | |
1188 | + + ((unsigned long) akari_hooks[idx].head) | |
1189 | + - ((unsigned long) &probe_dummy_security_hook_heads); | |
1190 | +#if defined(NEED_TO_CHECK_HOOKS_ARE_WRITABLE) | |
1191 | + if (!check_ro_pages(hooks)) { | |
1192 | + printk(KERN_INFO "Can't update security_hook_heads due to write protected. Retry with rodata=0 kernel command line option added.\n"); | |
1193 | + return -EINVAL; | |
1194 | + } | |
1195 | +#endif | |
1196 | + ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid(); | |
1197 | + if (!ccsecurity_exports.find_task_by_vpid) | |
1198 | + goto out; | |
1199 | + ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns(); | |
1200 | + if (!ccsecurity_exports.find_task_by_pid_ns) | |
1201 | + goto out; | |
1202 | + ccsecurity_exports.d_absolute_path = probe_d_absolute_path(); | |
1203 | + if (!ccsecurity_exports.d_absolute_path) | |
1204 | + goto out; | |
1205 | + for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) | |
1206 | + INIT_LIST_HEAD(&ccs_task_security_list[idx]); | |
1207 | + ccs_main_init(); | |
1208 | +#if defined(NEED_TO_CHECK_HOOKS_ARE_WRITABLE) && defined(CONFIG_X86) | |
1209 | + for (idx = 0; idx < ro_pages_len; idx++) | |
1210 | + set_bit(_PAGE_BIT_RW, &(ro_pages[idx]->flags)); | |
1211 | +#endif | |
1212 | + swap_hook(&akari_hooks[0], &original_task_free); | |
1213 | + swap_hook(&akari_hooks[1], &original_cred_prepare); | |
1214 | + swap_hook(&akari_hooks[2], &original_task_alloc); | |
1215 | + for (idx = 3; idx < ARRAY_SIZE(akari_hooks); idx++) | |
1216 | + add_hook(&akari_hooks[idx]); | |
1217 | +#if defined(NEED_TO_CHECK_HOOKS_ARE_WRITABLE) && defined(CONFIG_X86) | |
1218 | + for (idx = 0; idx < ro_pages_len; idx++) | |
1219 | + clear_bit(_PAGE_BIT_RW, &(ro_pages[idx]->flags)); | |
1220 | +#endif | |
1221 | + printk(KERN_INFO "AKARI: 1.0.40 2019/12/25\n"); | |
1222 | + printk(KERN_INFO | |
1223 | + "Access Keeping And Regulating Instrument registered.\n"); | |
1224 | + return 0; | |
1225 | +out: | |
1226 | + return -EINVAL; | |
1227 | +} | |
1228 | + | |
1229 | +module_init(ccs_init); | |
1230 | +MODULE_LICENSE("GPL"); | |
1231 | + | |
1232 | +/** | |
1233 | + * ccs_used_by_cred - Check whether the given domain is in use or not. | |
1234 | + * | |
1235 | + * @domain: Pointer to "struct ccs_domain_info". | |
1236 | + * | |
1237 | + * Returns true if @domain is in use, false otherwise. | |
1238 | + * | |
1239 | + * Caller holds rcu_read_lock(). | |
1240 | + */ | |
1241 | +bool ccs_used_by_cred(const struct ccs_domain_info *domain) | |
1242 | +{ | |
1243 | + return false; | |
1244 | +} | |
1245 | + | |
1246 | +/** | |
1247 | + * ccs_add_task_security - Add "struct ccs_security" to list. | |
1248 | + * | |
1249 | + * @ptr: Pointer to "struct ccs_security". | |
1250 | + * @list: Pointer to "struct list_head". | |
1251 | + * | |
1252 | + * Returns nothing. | |
1253 | + */ | |
1254 | +static void ccs_add_task_security(struct ccs_security *ptr, | |
1255 | + struct list_head *list) | |
1256 | +{ | |
1257 | + unsigned long flags; | |
1258 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
1259 | + list_add_rcu(&ptr->list, list); | |
1260 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
1261 | +} | |
1262 | + | |
1263 | +/** | |
1264 | + * __ccs_alloc_task_security - Allocate memory for new tasks. | |
1265 | + * | |
1266 | + * @task: Pointer to "struct task_struct". | |
1267 | + * | |
1268 | + * Returns 0 on success, negative value otherwise. | |
1269 | + */ | |
1270 | +static int __ccs_alloc_task_security(const struct task_struct *task) | |
1271 | +{ | |
1272 | + struct ccs_security *old_security = ccs_current_security(); | |
1273 | + struct ccs_security *new_security = kzalloc(sizeof(*new_security), | |
1274 | + GFP_KERNEL); | |
1275 | + struct list_head *list = &ccs_task_security_list | |
1276 | + [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)]; | |
1277 | + if (!new_security) | |
1278 | + return -ENOMEM; | |
1279 | + new_security->task = task; | |
1280 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
1281 | + new_security->ccs_flags = old_security->ccs_flags; | |
1282 | + ccs_add_task_security(new_security, list); | |
1283 | + return 0; | |
1284 | +} | |
1285 | + | |
1286 | +/** | |
1287 | + * ccs_find_task_security - Find "struct ccs_security" for given task. | |
1288 | + * | |
1289 | + * @task: Pointer to "struct task_struct". | |
1290 | + * | |
1291 | + * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on | |
1292 | + * out of memory, &ccs_default_security otherwise. | |
1293 | + * | |
1294 | + * If @task is current thread and "struct ccs_security" for current thread was | |
1295 | + * not found, I try to allocate it. But if allocation failed, current thread | |
1296 | + * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL | |
1297 | + * won't work. | |
1298 | + */ | |
1299 | +struct ccs_security *ccs_find_task_security(const struct task_struct *task) | |
1300 | +{ | |
1301 | + struct ccs_security *ptr; | |
1302 | + struct list_head *list = &ccs_task_security_list | |
1303 | + [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)]; | |
1304 | + /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */ | |
1305 | + while (!list->next) | |
1306 | + smp_rmb(); | |
1307 | + rcu_read_lock(); | |
1308 | + list_for_each_entry_rcu(ptr, list, list) { | |
1309 | + if (ptr->task != task) | |
1310 | + continue; | |
1311 | + rcu_read_unlock(); | |
1312 | + /* | |
1313 | + * Current thread needs to transit from old domain to new | |
1314 | + * domain before do_execve() succeeds in order to check | |
1315 | + * permission for interpreters and environment variables using | |
1316 | + * new domain's ACL rules. The domain transition has to be | |
1317 | + * visible from other CPU in order to allow interactive | |
1318 | + * enforcing mode. Also, the domain transition has to be | |
1319 | + * reverted if do_execve() failed. However, an LSM hook for | |
1320 | + * reverting domain transition is missing. | |
1321 | + * | |
1322 | + * security_prepare_creds() is called from prepare_creds() from | |
1323 | + * prepare_bprm_creds() from do_execve() before setting | |
1324 | + * current->in_execve flag, and current->in_execve flag is | |
1325 | + * cleared by the time next do_execve() request starts. | |
1326 | + * This means that we can emulate the missing LSM hook for | |
1327 | + * reverting domain transition, by calling this function from | |
1328 | + * security_prepare_creds(). | |
1329 | + * | |
1330 | + * If current->in_execve is not set but ptr->ccs_flags has | |
1331 | + * CCS_TASK_IS_IN_EXECVE set, it indicates that do_execve() | |
1332 | + * has failed and reverting domain transition is needed. | |
1333 | + */ | |
1334 | + if (task == current && | |
1335 | + (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE) && | |
1336 | + !current->in_execve) { | |
1337 | + ccs_debug_trace("1"); | |
1338 | + ccs_clear_execve(-1, ptr); | |
1339 | + } | |
1340 | + return ptr; | |
1341 | + } | |
1342 | + rcu_read_unlock(); | |
1343 | + if (task != current) | |
1344 | + return &ccs_default_security; | |
1345 | + /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */ | |
1346 | + ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC); | |
1347 | + if (!ptr) { | |
1348 | + printk(KERN_WARNING "Unable to allocate memory for pid=%u\n", | |
1349 | + task->pid); | |
1350 | + send_sig(SIGKILL, current, 0); | |
1351 | + return &ccs_oom_security; | |
1352 | + } | |
1353 | + *ptr = ccs_default_security; | |
1354 | + ptr->task = task; | |
1355 | + ccs_add_task_security(ptr, list); | |
1356 | + return ptr; | |
1357 | +} | |
1358 | + | |
1359 | +/** | |
1360 | + * __ccs_free_task_security - Release memory associated with "struct task_struct". | |
1361 | + * | |
1362 | + * @task: Pointer to "struct task_struct". | |
1363 | + * | |
1364 | + * Returns nothing. | |
1365 | + */ | |
1366 | +static void __ccs_free_task_security(const struct task_struct *task) | |
1367 | +{ | |
1368 | + unsigned long flags; | |
1369 | + struct ccs_security *ptr = ccs_find_task_security(task); | |
1370 | + if (ptr == &ccs_default_security || ptr == &ccs_oom_security) | |
1371 | + return; | |
1372 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
1373 | + list_del_rcu(&ptr->list); | |
1374 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
1375 | + kfree_rcu(ptr, rcu); | |
1376 | +} |
@@ -0,0 +1,1479 @@ | ||
1 | +/* | |
2 | + * lsm.c | |
3 | + * | |
4 | + * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | |
5 | + * | |
6 | + * Version: 1.0.40 2019/12/25 | |
7 | + */ | |
8 | + | |
9 | +#include "internal.h" | |
10 | +#include "probe.h" | |
11 | + | |
12 | +/* Prototype definition. */ | |
13 | +static void ccs_task_security_gc(void); | |
14 | +static int ccs_copy_cred_security(const struct cred *new, | |
15 | + const struct cred *old, gfp_t gfp); | |
16 | +static struct ccs_security *ccs_find_cred_security(const struct cred *cred); | |
17 | +static DEFINE_SPINLOCK(ccs_task_security_list_lock); | |
18 | +static atomic_t ccs_in_execve_tasks = ATOMIC_INIT(0); | |
19 | +/* | |
20 | + * List of "struct ccs_security" for "struct pid". | |
21 | + * | |
22 | + * All instances on this list is guaranteed that "struct ccs_security"->pid != | |
23 | + * NULL. Also, instances on this list that are in execve() are guaranteed that | |
24 | + * "struct ccs_security"->cred remembers "struct linux_binprm"->cred with a | |
25 | + * refcount on "struct linux_binprm"->cred. | |
26 | + */ | |
27 | +struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH]; | |
28 | +/* | |
29 | + * List of "struct ccs_security" for "struct cred". | |
30 | + * | |
31 | + * Since the number of "struct cred" is nearly equals to the number of | |
32 | + * "struct pid", we allocate hash tables like ccs_task_security_list. | |
33 | + * | |
34 | + * All instances on this list are guaranteed that "struct ccs_security"->pid == | |
35 | + * NULL and "struct ccs_security"->cred != NULL. | |
36 | + */ | |
37 | +static struct list_head ccs_cred_security_list[CCS_MAX_TASK_SECURITY_HASH]; | |
38 | + | |
39 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
40 | +static struct ccs_security ccs_oom_security = { | |
41 | + .ccs_domain_info = &ccs_kernel_domain | |
42 | +}; | |
43 | + | |
44 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
45 | +static struct ccs_security ccs_default_security = { | |
46 | + .ccs_domain_info = &ccs_kernel_domain | |
47 | +}; | |
48 | + | |
49 | +/* For exporting variables and functions. */ | |
50 | +struct ccsecurity_exports ccsecurity_exports; | |
51 | +/* Members are updated by loadable kernel module. */ | |
52 | +struct ccsecurity_operations ccsecurity_ops; | |
53 | + | |
54 | +/* Original hooks. */ | |
55 | +static union security_list_options original_cred_prepare; | |
56 | +static union security_list_options original_cred_free; | |
57 | +static union security_list_options original_cred_alloc_blank; | |
58 | + | |
59 | +#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT | |
60 | + | |
61 | +/** | |
62 | + * ccs_update_ee_counter - Update "struct ccs_execve" counter. | |
63 | + * | |
64 | + * @count: Count to increment or decrement. | |
65 | + * | |
66 | + * Returns updated counter. | |
67 | + */ | |
68 | +static unsigned int ccs_update_ee_counter(int count) | |
69 | +{ | |
70 | + /* Debug counter for detecting "struct ccs_execve" memory leak. */ | |
71 | + static atomic_t ccs_ee_counter = ATOMIC_INIT(0); | |
72 | + return atomic_add_return(count, &ccs_ee_counter); | |
73 | +} | |
74 | + | |
75 | +/** | |
76 | + * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve". | |
77 | + * | |
78 | + * @ee: Pointer to "struct ccs_execve". | |
79 | + * | |
80 | + * Returns nothing. | |
81 | + */ | |
82 | +void ccs_audit_alloc_execve(const struct ccs_execve * const ee) | |
83 | +{ | |
84 | + printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee, | |
85 | + current->pid, ccs_update_ee_counter(1) - 1); | |
86 | +} | |
87 | + | |
88 | +/** | |
89 | + * ccs_audit_free_execve - Audit release of "struct ccs_execve". | |
90 | + * | |
91 | + * @ee: Pointer to "struct ccs_execve". | |
92 | + * @task: True if released by current task, false otherwise. | |
93 | + * | |
94 | + * Returns nothing. | |
95 | + */ | |
96 | +void ccs_audit_free_execve(const struct ccs_execve * const ee, | |
97 | + const bool is_current) | |
98 | +{ | |
99 | + const unsigned int tmp = ccs_update_ee_counter(-1); | |
100 | + if (is_current) | |
101 | + printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n", | |
102 | + ee, current->pid, tmp); | |
103 | + else | |
104 | + printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n", | |
105 | + ee, tmp); | |
106 | +} | |
107 | + | |
108 | +#endif | |
109 | + | |
110 | +#if !defined(CONFIG_AKARI_DEBUG) | |
111 | +#define ccs_debug_trace(pos) do { } while (0) | |
112 | +#else | |
113 | +#define ccs_debug_trace(pos) \ | |
114 | + do { \ | |
115 | + static bool done; \ | |
116 | + if (!done) { \ | |
117 | + printk(KERN_INFO \ | |
118 | + "AKARI: Debug trace: " pos " of 4\n"); \ | |
119 | + done = true; \ | |
120 | + } \ | |
121 | + } while (0) | |
122 | +#endif | |
123 | + | |
124 | +/** | |
125 | + * ccs_clear_execve - Release memory used by do_execve(). | |
126 | + * | |
127 | + * @ret: 0 if do_execve() succeeded, negative value otherwise. | |
128 | + * @security: Pointer to "struct ccs_security". | |
129 | + * | |
130 | + * Returns nothing. | |
131 | + */ | |
132 | +static void ccs_clear_execve(int ret, struct ccs_security *security) | |
133 | +{ | |
134 | + struct ccs_execve *ee; | |
135 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
136 | + return; | |
137 | + ee = security->ee; | |
138 | + security->ee = NULL; | |
139 | + if (!ee) | |
140 | + return; | |
141 | + atomic_dec(&ccs_in_execve_tasks); | |
142 | + ccs_finish_execve(ret, ee); | |
143 | +} | |
144 | + | |
145 | +/** | |
146 | + * ccs_rcu_free - RCU callback for releasing "struct ccs_security". | |
147 | + * | |
148 | + * @rcu: Pointer to "struct rcu_head". | |
149 | + * | |
150 | + * Returns nothing. | |
151 | + */ | |
152 | +static void ccs_rcu_free(struct rcu_head *rcu) | |
153 | +{ | |
154 | + struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu); | |
155 | + struct ccs_execve *ee = ptr->ee; | |
156 | + /* | |
157 | + * If this security context was associated with "struct pid" and | |
158 | + * ptr->ccs_flags has CCS_TASK_IS_IN_EXECVE set, it indicates that a | |
159 | + * "struct task_struct" associated with this security context exited | |
160 | + * immediately after do_execve() has failed. | |
161 | + */ | |
162 | + if (ptr->pid && (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE)) { | |
163 | + ccs_debug_trace("1"); | |
164 | + atomic_dec(&ccs_in_execve_tasks); | |
165 | + } | |
166 | + /* | |
167 | + * If this security context was associated with "struct pid", | |
168 | + * drop refcount obtained by get_pid() in ccs_find_task_security(). | |
169 | + */ | |
170 | + if (ptr->pid) { | |
171 | + ccs_debug_trace("2"); | |
172 | + put_pid(ptr->pid); | |
173 | + } | |
174 | + if (ee) { | |
175 | + ccs_debug_trace("3"); | |
176 | + ccs_audit_free_execve(ee, false); | |
177 | + kfree(ee->handler_path); | |
178 | + kfree(ee); | |
179 | + } | |
180 | + kfree(ptr); | |
181 | +} | |
182 | + | |
183 | +/** | |
184 | + * ccs_del_security - Release "struct ccs_security". | |
185 | + * | |
186 | + * @ptr: Pointer to "struct ccs_security". | |
187 | + * | |
188 | + * Returns nothing. | |
189 | + */ | |
190 | +static void ccs_del_security(struct ccs_security *ptr) | |
191 | +{ | |
192 | + unsigned long flags; | |
193 | + if (ptr == &ccs_default_security || ptr == &ccs_oom_security) | |
194 | + return; | |
195 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
196 | + list_del_rcu(&ptr->list); | |
197 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
198 | + call_rcu(&ptr->rcu, ccs_rcu_free); | |
199 | +} | |
200 | + | |
201 | +/** | |
202 | + * ccs_add_cred_security - Add "struct ccs_security" to list. | |
203 | + * | |
204 | + * @ptr: Pointer to "struct ccs_security". | |
205 | + * | |
206 | + * Returns nothing. | |
207 | + */ | |
208 | +static void ccs_add_cred_security(struct ccs_security *ptr) | |
209 | +{ | |
210 | + unsigned long flags; | |
211 | + struct list_head *list = &ccs_cred_security_list | |
212 | + [hash_ptr((void *) ptr->cred, CCS_TASK_SECURITY_HASH_BITS)]; | |
213 | +#ifdef CONFIG_AKARI_DEBUG | |
214 | + if (ptr->pid) | |
215 | + printk(KERN_INFO "AKARI: \"struct ccs_security\"->pid != NULL" | |
216 | + "\n"); | |
217 | +#endif | |
218 | + ptr->pid = NULL; | |
219 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
220 | + list_add_rcu(&ptr->list, list); | |
221 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
222 | +} | |
223 | + | |
224 | +/** | |
225 | + * ccs_task_create - Make snapshot of security context for new task. | |
226 | + * | |
227 | + * @clone_flags: Flags passed to clone(). | |
228 | + * | |
229 | + * Returns 0 on success, negative value otherwise. | |
230 | + */ | |
231 | +static int ccs_task_create(unsigned long clone_flags) | |
232 | +{ | |
233 | + struct ccs_security *old_security; | |
234 | + struct ccs_security *new_security; | |
235 | + struct cred *cred = prepare_creds(); | |
236 | + if (!cred) | |
237 | + return -ENOMEM; | |
238 | + old_security = ccs_find_task_security(current); | |
239 | + new_security = ccs_find_cred_security(cred); | |
240 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
241 | + new_security->ccs_flags = old_security->ccs_flags; | |
242 | + return commit_creds(cred); | |
243 | +} | |
244 | + | |
245 | +/** | |
246 | + * ccs_cred_prepare - Allocate memory for new credentials. | |
247 | + * | |
248 | + * @new: Pointer to "struct cred". | |
249 | + * @old: Pointer to "struct cred". | |
250 | + * @gfp: Memory allocation flags. | |
251 | + * | |
252 | + * Returns 0 on success, negative value otherwise. | |
253 | + */ | |
254 | +static int ccs_cred_prepare(struct cred *new, const struct cred *old, | |
255 | + gfp_t gfp) | |
256 | +{ | |
257 | + int rc1; | |
258 | + /* | |
259 | + * For checking whether reverting domain transition is needed or not. | |
260 | + * | |
261 | + * See ccs_find_task_security() for reason. | |
262 | + */ | |
263 | + if (gfp == GFP_KERNEL) | |
264 | + ccs_find_task_security(current); | |
265 | + rc1 = ccs_copy_cred_security(new, old, gfp); | |
266 | + if (gfp == GFP_KERNEL) | |
267 | + ccs_task_security_gc(); | |
268 | + if (original_cred_prepare.cred_prepare) { | |
269 | + const int rc2 = original_cred_prepare.cred_prepare(new, old, | |
270 | + gfp); | |
271 | + if (rc2) { | |
272 | + ccs_del_security(ccs_find_cred_security(new)); | |
273 | + return rc2; | |
274 | + } | |
275 | + } | |
276 | + return rc1; | |
277 | +} | |
278 | + | |
279 | +/** | |
280 | + * ccs_cred_free - Release memory used by credentials. | |
281 | + * | |
282 | + * @cred: Pointer to "struct cred". | |
283 | + * | |
284 | + * Returns nothing. | |
285 | + */ | |
286 | +static void ccs_cred_free(struct cred *cred) | |
287 | +{ | |
288 | + if (original_cred_free.cred_free) | |
289 | + original_cred_free.cred_free(cred); | |
290 | + ccs_del_security(ccs_find_cred_security(cred)); | |
291 | +} | |
292 | + | |
293 | +/** | |
294 | + * ccs_alloc_cred_security - Allocate memory for new credentials. | |
295 | + * | |
296 | + * @cred: Pointer to "struct cred". | |
297 | + * @gfp: Memory allocation flags. | |
298 | + * | |
299 | + * Returns 0 on success, negative value otherwise. | |
300 | + */ | |
301 | +static int ccs_alloc_cred_security(const struct cred *cred, gfp_t gfp) | |
302 | +{ | |
303 | + struct ccs_security *new_security = kzalloc(sizeof(*new_security), | |
304 | + gfp); | |
305 | + if (!new_security) | |
306 | + return -ENOMEM; | |
307 | + new_security->cred = cred; | |
308 | + ccs_add_cred_security(new_security); | |
309 | + return 0; | |
310 | +} | |
311 | + | |
312 | +/** | |
313 | + * ccs_cred_alloc_blank - Allocate memory for new credentials. | |
314 | + * | |
315 | + * @new: Pointer to "struct cred". | |
316 | + * @gfp: Memory allocation flags. | |
317 | + * | |
318 | + * Returns 0 on success, negative value otherwise. | |
319 | + */ | |
320 | +static int ccs_cred_alloc_blank(struct cred *new, gfp_t gfp) | |
321 | +{ | |
322 | + const int rc1 = ccs_alloc_cred_security(new, gfp); | |
323 | + if (original_cred_alloc_blank.cred_alloc_blank) { | |
324 | + const int rc2 = original_cred_alloc_blank. | |
325 | + cred_alloc_blank(new, gfp); | |
326 | + if (rc2) { | |
327 | + ccs_del_security(ccs_find_cred_security(new)); | |
328 | + return rc2; | |
329 | + } | |
330 | + } | |
331 | + return rc1; | |
332 | +} | |
333 | + | |
334 | +/** | |
335 | + * ccs_cred_transfer - Transfer "struct ccs_security" between credentials. | |
336 | + * | |
337 | + * @new: Pointer to "struct cred". | |
338 | + * @old: Pointer to "struct cred". | |
339 | + * | |
340 | + * Returns nothing. | |
341 | + */ | |
342 | +static void ccs_cred_transfer(struct cred *new, const struct cred *old) | |
343 | +{ | |
344 | + struct ccs_security *new_security = ccs_find_cred_security(new); | |
345 | + struct ccs_security *old_security = ccs_find_cred_security(old); | |
346 | + if (new_security == &ccs_default_security || | |
347 | + new_security == &ccs_oom_security || | |
348 | + old_security == &ccs_default_security || | |
349 | + old_security == &ccs_oom_security) | |
350 | + return; | |
351 | + new_security->ccs_flags = old_security->ccs_flags; | |
352 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
353 | +} | |
354 | + | |
355 | +/** | |
356 | + * ccs_bprm_committing_creds - A hook which is called when do_execve() succeeded. | |
357 | + * | |
358 | + * @bprm: Pointer to "struct linux_binprm". | |
359 | + * | |
360 | + * Returns nothing. | |
361 | + */ | |
362 | +static void ccs_bprm_committing_creds(struct linux_binprm *bprm) | |
363 | +{ | |
364 | + struct ccs_security *old_security = ccs_current_security(); | |
365 | + struct ccs_security *new_security; | |
366 | + if (old_security == &ccs_default_security || | |
367 | + old_security == &ccs_oom_security) | |
368 | + return; | |
369 | + ccs_clear_execve(0, old_security); | |
370 | + /* Update current task's cred's domain for future fork(). */ | |
371 | + new_security = ccs_find_cred_security(bprm->cred); | |
372 | + new_security->ccs_flags = old_security->ccs_flags; | |
373 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
374 | +} | |
375 | + | |
376 | +/** | |
377 | + * ccs_bprm_check_security - Check permission for execve(). | |
378 | + * | |
379 | + * @bprm: Pointer to "struct linux_binprm". | |
380 | + * | |
381 | + * Returns 0 on success, negative value otherwise. | |
382 | + */ | |
383 | +static int ccs_bprm_check_security(struct linux_binprm *bprm) | |
384 | +{ | |
385 | + struct ccs_security *security = ccs_current_security(); | |
386 | + int rc; | |
387 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
388 | + return -ENOMEM; | |
389 | + if (security->ee) | |
390 | + return 0; | |
391 | +#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER | |
392 | + if (!ccs_policy_loaded) | |
393 | + ccs_load_policy(bprm->filename); | |
394 | +#endif | |
395 | + rc = ccs_start_execve(bprm, &security->ee); | |
396 | + if (security->ee) | |
397 | + atomic_inc(&ccs_in_execve_tasks); | |
398 | + return rc; | |
399 | +} | |
400 | + | |
401 | +/** | |
402 | + * ccs_file_open - Check permission for open(). | |
403 | + * | |
404 | + * @f: Pointer to "struct file". | |
405 | + * @cred: Pointer to "struct cred". | |
406 | + * | |
407 | + * Returns 0 on success, negative value otherwise. | |
408 | + */ | |
409 | +static int ccs_file_open(struct file *f, const struct cred *cred) | |
410 | +{ | |
411 | + return ccs_open_permission(f); | |
412 | +} | |
413 | + | |
414 | +#ifdef CONFIG_SECURITY_PATH | |
415 | + | |
416 | +/** | |
417 | + * ccs_path_chown - Check permission for chown()/chgrp(). | |
418 | + * | |
419 | + * @path: Pointer to "struct path". | |
420 | + * @user: User ID. | |
421 | + * @group: Group ID. | |
422 | + * | |
423 | + * Returns 0 on success, negative value otherwise. | |
424 | + */ | |
425 | +static int ccs_path_chown(struct path *path, kuid_t user, kgid_t group) | |
426 | +{ | |
427 | + return ccs_chown_permission(path->dentry, path->mnt, user, group); | |
428 | +} | |
429 | + | |
430 | +/** | |
431 | + * ccs_path_chmod - Check permission for chmod(). | |
432 | + * | |
433 | + * @path: Pointer to "struct path". | |
434 | + * @mode: Mode. | |
435 | + * | |
436 | + * Returns 0 on success, negative value otherwise. | |
437 | + */ | |
438 | +static int ccs_path_chmod(struct path *path, umode_t mode) | |
439 | +{ | |
440 | + return ccs_chmod_permission(path->dentry, path->mnt, mode); | |
441 | +} | |
442 | + | |
443 | +/** | |
444 | + * ccs_path_chroot - Check permission for chroot(). | |
445 | + * | |
446 | + * @path: Pointer to "struct path". | |
447 | + * | |
448 | + * Returns 0 on success, negative value otherwise. | |
449 | + */ | |
450 | +static int ccs_path_chroot(struct path *path) | |
451 | +{ | |
452 | + return ccs_chroot_permission(path); | |
453 | +} | |
454 | + | |
455 | +/** | |
456 | + * ccs_path_truncate - Check permission for truncate(). | |
457 | + * | |
458 | + * @path: Pointer to "struct path". | |
459 | + * | |
460 | + * Returns 0 on success, negative value otherwise. | |
461 | + */ | |
462 | +static int ccs_path_truncate(struct path *path) | |
463 | +{ | |
464 | + return ccs_truncate_permission(path->dentry, path->mnt); | |
465 | +} | |
466 | + | |
467 | +#else | |
468 | + | |
469 | +/** | |
470 | + * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate(). | |
471 | + * | |
472 | + * @dentry: Pointer to "struct dentry". | |
473 | + * @attr: Pointer to "struct iattr". | |
474 | + * | |
475 | + * Returns 0 on success, negative value otherwise. | |
476 | + */ | |
477 | +static int ccs_inode_setattr(struct dentry *dentry, struct iattr *attr) | |
478 | +{ | |
479 | + const int rc1 = (attr->ia_valid & ATTR_UID) ? | |
480 | + ccs_chown_permission(dentry, NULL, attr->ia_uid, INVALID_GID) : | |
481 | + 0; | |
482 | + const int rc2 = (attr->ia_valid & ATTR_GID) ? | |
483 | + ccs_chown_permission(dentry, NULL, INVALID_UID, attr->ia_gid) : | |
484 | + 0; | |
485 | + const int rc3 = (attr->ia_valid & ATTR_MODE) ? | |
486 | + ccs_chmod_permission(dentry, NULL, attr->ia_mode) : 0; | |
487 | + const int rc4 = (attr->ia_valid & ATTR_SIZE) ? | |
488 | + ccs_truncate_permission(dentry, NULL) : 0; | |
489 | + if (rc4) | |
490 | + return rc4; | |
491 | + if (rc3) | |
492 | + return rc3; | |
493 | + if (rc2) | |
494 | + return rc2; | |
495 | + return rc1; | |
496 | +} | |
497 | + | |
498 | +#endif | |
499 | + | |
500 | +/** | |
501 | + * ccs_inode_getattr - Check permission for stat(). | |
502 | + * | |
503 | + * @path: Pointer to "struct path". | |
504 | + * | |
505 | + * Returns 0 on success, negative value otherwise. | |
506 | + */ | |
507 | +static int ccs_inode_getattr(const struct path *path) | |
508 | +{ | |
509 | + return ccs_getattr_permission(path->mnt, path->dentry); | |
510 | +} | |
511 | + | |
512 | +#ifdef CONFIG_SECURITY_PATH | |
513 | + | |
514 | +/** | |
515 | + * ccs_path_mknod - Check permission for mknod(). | |
516 | + * | |
517 | + * @dir: Pointer to "struct path". | |
518 | + * @dentry: Pointer to "struct dentry". | |
519 | + * @mode: Create mode. | |
520 | + * @dev: Device major/minor number. | |
521 | + * | |
522 | + * Returns 0 on success, negative value otherwise. | |
523 | + */ | |
524 | +static int ccs_path_mknod(struct path *dir, struct dentry *dentry, | |
525 | + umode_t mode, unsigned int dev) | |
526 | +{ | |
527 | + return ccs_mknod_permission(dentry, dir->mnt, mode, dev); | |
528 | +} | |
529 | + | |
530 | +/** | |
531 | + * ccs_path_mkdir - Check permission for mkdir(). | |
532 | + * | |
533 | + * @dir: Pointer to "struct path". | |
534 | + * @dentry: Pointer to "struct dentry". | |
535 | + * @mode: Create mode. | |
536 | + * | |
537 | + * Returns 0 on success, negative value otherwise. | |
538 | + */ | |
539 | +static int ccs_path_mkdir(struct path *dir, struct dentry *dentry, | |
540 | + umode_t mode) | |
541 | +{ | |
542 | + return ccs_mkdir_permission(dentry, dir->mnt, mode); | |
543 | +} | |
544 | + | |
545 | +/** | |
546 | + * ccs_path_rmdir - Check permission for rmdir(). | |
547 | + * | |
548 | + * @dir: Pointer to "struct path". | |
549 | + * @dentry: Pointer to "struct dentry". | |
550 | + * | |
551 | + * Returns 0 on success, negative value otherwise. | |
552 | + */ | |
553 | +static int ccs_path_rmdir(struct path *dir, struct dentry *dentry) | |
554 | +{ | |
555 | + return ccs_rmdir_permission(dentry, dir->mnt); | |
556 | +} | |
557 | + | |
558 | +/** | |
559 | + * ccs_path_unlink - Check permission for unlink(). | |
560 | + * | |
561 | + * @dir: Pointer to "struct path". | |
562 | + * @dentry: Pointer to "struct dentry". | |
563 | + * | |
564 | + * Returns 0 on success, negative value otherwise. | |
565 | + */ | |
566 | +static int ccs_path_unlink(struct path *dir, struct dentry *dentry) | |
567 | +{ | |
568 | + return ccs_unlink_permission(dentry, dir->mnt); | |
569 | +} | |
570 | + | |
571 | +/** | |
572 | + * ccs_path_symlink - Check permission for symlink(). | |
573 | + * | |
574 | + * @dir: Pointer to "struct path". | |
575 | + * @dentry: Pointer to "struct dentry". | |
576 | + * @old_name: Content of symbolic link. | |
577 | + * | |
578 | + * Returns 0 on success, negative value otherwise. | |
579 | + */ | |
580 | +static int ccs_path_symlink(struct path *dir, struct dentry *dentry, | |
581 | + const char *old_name) | |
582 | +{ | |
583 | + return ccs_symlink_permission(dentry, dir->mnt, old_name); | |
584 | +} | |
585 | + | |
586 | +/** | |
587 | + * ccs_path_rename - Check permission for rename(). | |
588 | + * | |
589 | + * @old_dir: Pointer to "struct path". | |
590 | + * @old_dentry: Pointer to "struct dentry". | |
591 | + * @new_dir: Pointer to "struct path". | |
592 | + * @new_dentry: Pointer to "struct dentry". | |
593 | + * | |
594 | + * Returns 0 on success, negative value otherwise. | |
595 | + */ | |
596 | +static int ccs_path_rename(struct path *old_dir, struct dentry *old_dentry, | |
597 | + struct path *new_dir, struct dentry *new_dentry) | |
598 | +{ | |
599 | + return ccs_rename_permission(old_dentry, new_dentry, old_dir->mnt); | |
600 | +} | |
601 | + | |
602 | +/** | |
603 | + * ccs_path_link - Check permission for link(). | |
604 | + * | |
605 | + * @old_dentry: Pointer to "struct dentry". | |
606 | + * @new_dir: Pointer to "struct path". | |
607 | + * @new_dentry: Pointer to "struct dentry". | |
608 | + * | |
609 | + * Returns 0 on success, negative value otherwise. | |
610 | + */ | |
611 | +static int ccs_path_link(struct dentry *old_dentry, struct path *new_dir, | |
612 | + struct dentry *new_dentry) | |
613 | +{ | |
614 | + return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt); | |
615 | +} | |
616 | + | |
617 | +#else | |
618 | + | |
619 | +/** | |
620 | + * ccs_inode_mknod - Check permission for mknod(). | |
621 | + * | |
622 | + * @dir: Pointer to "struct inode". | |
623 | + * @dentry: Pointer to "struct dentry". | |
624 | + * @mode: Create mode. | |
625 | + * @dev: Device major/minor number. | |
626 | + * | |
627 | + * Returns 0 on success, negative value otherwise. | |
628 | + */ | |
629 | +static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry, | |
630 | + umode_t mode, dev_t dev) | |
631 | +{ | |
632 | + return ccs_mknod_permission(dentry, NULL, mode, dev); | |
633 | +} | |
634 | + | |
635 | +/** | |
636 | + * ccs_inode_mkdir - Check permission for mkdir(). | |
637 | + * | |
638 | + * @dir: Pointer to "struct inode". | |
639 | + * @dentry: Pointer to "struct dentry". | |
640 | + * @mode: Create mode. | |
641 | + * | |
642 | + * Returns 0 on success, negative value otherwise. | |
643 | + */ | |
644 | +static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry, | |
645 | + umode_t mode) | |
646 | +{ | |
647 | + return ccs_mkdir_permission(dentry, NULL, mode); | |
648 | +} | |
649 | + | |
650 | +/** | |
651 | + * ccs_inode_rmdir - Check permission for rmdir(). | |
652 | + * | |
653 | + * @dir: Pointer to "struct inode". | |
654 | + * @dentry: Pointer to "struct dentry". | |
655 | + * | |
656 | + * Returns 0 on success, negative value otherwise. | |
657 | + */ | |
658 | +static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry) | |
659 | +{ | |
660 | + return ccs_rmdir_permission(dentry, NULL); | |
661 | +} | |
662 | + | |
663 | +/** | |
664 | + * ccs_inode_unlink - Check permission for unlink(). | |
665 | + * | |
666 | + * @dir: Pointer to "struct inode". | |
667 | + * @dentry: Pointer to "struct dentry". | |
668 | + * | |
669 | + * Returns 0 on success, negative value otherwise. | |
670 | + */ | |
671 | +static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry) | |
672 | +{ | |
673 | + return ccs_unlink_permission(dentry, NULL); | |
674 | +} | |
675 | + | |
676 | +/** | |
677 | + * ccs_inode_symlink - Check permission for symlink(). | |
678 | + * | |
679 | + * @dir: Pointer to "struct inode". | |
680 | + * @dentry: Pointer to "struct dentry". | |
681 | + * @old_name: Content of symbolic link. | |
682 | + * | |
683 | + * Returns 0 on success, negative value otherwise. | |
684 | + */ | |
685 | +static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry, | |
686 | + const char *old_name) | |
687 | +{ | |
688 | + return ccs_symlink_permission(dentry, NULL, old_name); | |
689 | +} | |
690 | + | |
691 | +/** | |
692 | + * ccs_inode_rename - Check permission for rename(). | |
693 | + * | |
694 | + * @old_dir: Pointer to "struct inode". | |
695 | + * @old_dentry: Pointer to "struct dentry". | |
696 | + * @new_dir: Pointer to "struct inode". | |
697 | + * @new_dentry: Pointer to "struct dentry". | |
698 | + * | |
699 | + * Returns 0 on success, negative value otherwise. | |
700 | + */ | |
701 | +static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry, | |
702 | + struct inode *new_dir, struct dentry *new_dentry) | |
703 | +{ | |
704 | + return ccs_rename_permission(old_dentry, new_dentry, NULL); | |
705 | +} | |
706 | + | |
707 | +/** | |
708 | + * ccs_inode_link - Check permission for link(). | |
709 | + * | |
710 | + * @old_dentry: Pointer to "struct dentry". | |
711 | + * @dir: Pointer to "struct inode". | |
712 | + * @new_dentry: Pointer to "struct dentry". | |
713 | + * | |
714 | + * Returns 0 on success, negative value otherwise. | |
715 | + */ | |
716 | +static int ccs_inode_link(struct dentry *old_dentry, struct inode *dir, | |
717 | + struct dentry *new_dentry) | |
718 | +{ | |
719 | + return ccs_link_permission(old_dentry, new_dentry, NULL); | |
720 | +} | |
721 | + | |
722 | +/** | |
723 | + * ccs_inode_create - Check permission for creat(). | |
724 | + * | |
725 | + * @dir: Pointer to "struct inode". | |
726 | + * @dentry: Pointer to "struct dentry". | |
727 | + * @mode: Create mode. | |
728 | + * | |
729 | + * Returns 0 on success, negative value otherwise. | |
730 | + */ | |
731 | +static int ccs_inode_create(struct inode *dir, struct dentry *dentry, | |
732 | + umode_t mode) | |
733 | +{ | |
734 | + return ccs_mknod_permission(dentry, NULL, mode, 0); | |
735 | +} | |
736 | + | |
737 | +#endif | |
738 | + | |
739 | +#ifdef CONFIG_SECURITY_NETWORK | |
740 | + | |
741 | +#include <net/sock.h> | |
742 | + | |
743 | +/* Structure for remembering an accept()ed socket's status. */ | |
744 | +struct ccs_socket_tag { | |
745 | + struct list_head list; | |
746 | + struct inode *inode; | |
747 | + int status; | |
748 | + struct rcu_head rcu; | |
749 | +}; | |
750 | + | |
751 | +/* | |
752 | + * List for managing accept()ed sockets. | |
753 | + * Since we don't need to keep an accept()ed socket into this list after | |
754 | + * once the permission was granted, the number of entries in this list is | |
755 | + * likely small. Therefore, we don't use hash tables. | |
756 | + */ | |
757 | +static LIST_HEAD(ccs_accepted_socket_list); | |
758 | +/* Lock for protecting ccs_accepted_socket_list . */ | |
759 | +static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock); | |
760 | + | |
761 | +/** | |
762 | + * ccs_update_socket_tag - Update tag associated with accept()ed sockets. | |
763 | + * | |
764 | + * @inode: Pointer to "struct inode". | |
765 | + * @status: New status. | |
766 | + * | |
767 | + * Returns nothing. | |
768 | + * | |
769 | + * If @status == 0, memory for that socket will be released after RCU grace | |
770 | + * period. | |
771 | + */ | |
772 | +static void ccs_update_socket_tag(struct inode *inode, int status) | |
773 | +{ | |
774 | + struct ccs_socket_tag *ptr; | |
775 | + /* | |
776 | + * Protect whole section because multiple threads may call this | |
777 | + * function with same "sock" via ccs_validate_socket(). | |
778 | + */ | |
779 | + spin_lock(&ccs_accepted_socket_list_lock); | |
780 | + rcu_read_lock(); | |
781 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
782 | + if (ptr->inode != inode) | |
783 | + continue; | |
784 | + ptr->status = status; | |
785 | + if (status) | |
786 | + break; | |
787 | + list_del_rcu(&ptr->list); | |
788 | + kfree_rcu(ptr, rcu); | |
789 | + break; | |
790 | + } | |
791 | + rcu_read_unlock(); | |
792 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
793 | +} | |
794 | + | |
795 | +/** | |
796 | + * ccs_validate_socket - Check post accept() permission if needed. | |
797 | + * | |
798 | + * @sock: Pointer to "struct socket". | |
799 | + * | |
800 | + * Returns 0 on success, negative value otherwise. | |
801 | + */ | |
802 | +static int ccs_validate_socket(struct socket *sock) | |
803 | +{ | |
804 | + struct inode *inode = SOCK_INODE(sock); | |
805 | + struct ccs_socket_tag *ptr; | |
806 | + int ret = 0; | |
807 | + rcu_read_lock(); | |
808 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
809 | + if (ptr->inode != inode) | |
810 | + continue; | |
811 | + ret = ptr->status; | |
812 | + break; | |
813 | + } | |
814 | + rcu_read_unlock(); | |
815 | + if (ret <= 0) | |
816 | + /* | |
817 | + * This socket is not an accept()ed socket or this socket is | |
818 | + * an accept()ed socket and post accept() permission is done. | |
819 | + */ | |
820 | + return ret; | |
821 | + /* | |
822 | + * Check post accept() permission now. | |
823 | + * | |
824 | + * Strictly speaking, we need to pass both listen()ing socket and | |
825 | + * accept()ed socket to __ccs_socket_post_accept_permission(). | |
826 | + * But since socket's family and type are same for both sockets, | |
827 | + * passing the accept()ed socket in place for the listen()ing socket | |
828 | + * will work. | |
829 | + */ | |
830 | + ret = ccs_socket_post_accept_permission(sock, sock); | |
831 | + /* | |
832 | + * If permission was granted, we forget that this is an accept()ed | |
833 | + * socket. Otherwise, we remember that this socket needs to return | |
834 | + * error for subsequent socketcalls. | |
835 | + */ | |
836 | + ccs_update_socket_tag(inode, ret); | |
837 | + return ret; | |
838 | +} | |
839 | + | |
840 | +/** | |
841 | + * ccs_socket_accept - Check permission for accept(). | |
842 | + * | |
843 | + * @sock: Pointer to "struct socket". | |
844 | + * @newsock: Pointer to "struct socket". | |
845 | + * | |
846 | + * Returns 0 on success, negative value otherwise. | |
847 | + * | |
848 | + * This hook is used for setting up environment for doing post accept() | |
849 | + * permission check. If dereferencing sock->ops->something() were ordered by | |
850 | + * rcu_dereference(), we could replace sock->ops with "a copy of original | |
851 | + * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer() | |
852 | + * in order to do post accept() permission check before returning to userspace. | |
853 | + * If we make the copy in security_socket_post_create(), it would be possible | |
854 | + * to safely replace sock->ops here, but we don't do so because we don't want | |
855 | + * to allocate memory for sockets which do not call sock->ops->accept(). | |
856 | + * Therefore, we do post accept() permission check upon next socket syscalls | |
857 | + * rather than between sock->ops->accept() and returning to userspace. | |
858 | + * This means that if a socket was close()d before calling some socket | |
859 | + * syscalls, post accept() permission check will not be done. | |
860 | + */ | |
861 | +static int ccs_socket_accept(struct socket *sock, struct socket *newsock) | |
862 | +{ | |
863 | + struct ccs_socket_tag *ptr; | |
864 | + const int rc = ccs_validate_socket(sock); | |
865 | + if (rc < 0) | |
866 | + return rc; | |
867 | + ptr = kzalloc(sizeof(*ptr), GFP_KERNEL); | |
868 | + if (!ptr) | |
869 | + return -ENOMEM; | |
870 | + /* | |
871 | + * Subsequent LSM hooks will receive "newsock". Therefore, I mark | |
872 | + * "newsock" as "an accept()ed socket but post accept() permission | |
873 | + * check is not done yet" by allocating memory using inode of the | |
874 | + * "newsock" as a search key. | |
875 | + */ | |
876 | + ptr->inode = SOCK_INODE(newsock); | |
877 | + ptr->status = 1; /* Check post accept() permission later. */ | |
878 | + spin_lock(&ccs_accepted_socket_list_lock); | |
879 | + list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list); | |
880 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
881 | + return 0; | |
882 | +} | |
883 | + | |
884 | +/** | |
885 | + * ccs_socket_listen - Check permission for listen(). | |
886 | + * | |
887 | + * @sock: Pointer to "struct socket". | |
888 | + * @backlog: Backlog parameter. | |
889 | + * | |
890 | + * Returns 0 on success, negative value otherwise. | |
891 | + */ | |
892 | +static int ccs_socket_listen(struct socket *sock, int backlog) | |
893 | +{ | |
894 | + const int rc = ccs_validate_socket(sock); | |
895 | + if (rc < 0) | |
896 | + return rc; | |
897 | + return ccs_socket_listen_permission(sock); | |
898 | +} | |
899 | + | |
900 | +/** | |
901 | + * ccs_socket_connect - Check permission for connect(). | |
902 | + * | |
903 | + * @sock: Pointer to "struct socket". | |
904 | + * @addr: Pointer to "struct sockaddr". | |
905 | + * @addr_len: Size of @addr. | |
906 | + * | |
907 | + * Returns 0 on success, negative value otherwise. | |
908 | + */ | |
909 | +static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr, | |
910 | + int addr_len) | |
911 | +{ | |
912 | + const int rc = ccs_validate_socket(sock); | |
913 | + if (rc < 0) | |
914 | + return rc; | |
915 | + return ccs_socket_connect_permission(sock, addr, addr_len); | |
916 | +} | |
917 | + | |
918 | +/** | |
919 | + * ccs_socket_bind - Check permission for bind(). | |
920 | + * | |
921 | + * @sock: Pointer to "struct socket". | |
922 | + * @addr: Pointer to "struct sockaddr". | |
923 | + * @addr_len: Size of @addr. | |
924 | + * | |
925 | + * Returns 0 on success, negative value otherwise. | |
926 | + */ | |
927 | +static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr, | |
928 | + int addr_len) | |
929 | +{ | |
930 | + const int rc = ccs_validate_socket(sock); | |
931 | + if (rc < 0) | |
932 | + return rc; | |
933 | + return ccs_socket_bind_permission(sock, addr, addr_len); | |
934 | +} | |
935 | + | |
936 | +/** | |
937 | + * ccs_socket_sendmsg - Check permission for sendmsg(). | |
938 | + * | |
939 | + * @sock: Pointer to "struct socket". | |
940 | + * @msg: Pointer to "struct msghdr". | |
941 | + * @size: Size of message. | |
942 | + * | |
943 | + * Returns 0 on success, negative value otherwise. | |
944 | + */ | |
945 | +static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg, | |
946 | + int size) | |
947 | +{ | |
948 | + const int rc = ccs_validate_socket(sock); | |
949 | + if (rc < 0) | |
950 | + return rc; | |
951 | + return ccs_socket_sendmsg_permission(sock, msg, size); | |
952 | +} | |
953 | + | |
954 | +/** | |
955 | + * ccs_socket_recvmsg - Check permission for recvmsg(). | |
956 | + * | |
957 | + * @sock: Pointer to "struct socket". | |
958 | + * @msg: Pointer to "struct msghdr". | |
959 | + * @size: Size of message. | |
960 | + * @flags: Flags. | |
961 | + * | |
962 | + * Returns 0 on success, negative value otherwise. | |
963 | + */ | |
964 | +static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg, | |
965 | + int size, int flags) | |
966 | +{ | |
967 | + return ccs_validate_socket(sock); | |
968 | +} | |
969 | + | |
970 | +/** | |
971 | + * ccs_socket_getsockname - Check permission for getsockname(). | |
972 | + * | |
973 | + * @sock: Pointer to "struct socket". | |
974 | + * | |
975 | + * Returns 0 on success, negative value otherwise. | |
976 | + */ | |
977 | +static int ccs_socket_getsockname(struct socket *sock) | |
978 | +{ | |
979 | + return ccs_validate_socket(sock); | |
980 | +} | |
981 | + | |
982 | +/** | |
983 | + * ccs_socket_getpeername - Check permission for getpeername(). | |
984 | + * | |
985 | + * @sock: Pointer to "struct socket". | |
986 | + * | |
987 | + * Returns 0 on success, negative value otherwise. | |
988 | + */ | |
989 | +static int ccs_socket_getpeername(struct socket *sock) | |
990 | +{ | |
991 | + return ccs_validate_socket(sock); | |
992 | +} | |
993 | + | |
994 | +/** | |
995 | + * ccs_socket_getsockopt - Check permission for getsockopt(). | |
996 | + * | |
997 | + * @sock: Pointer to "struct socket". | |
998 | + * @level: Level. | |
999 | + * @optname: Option's name, | |
1000 | + * | |
1001 | + * Returns 0 on success, negative value otherwise. | |
1002 | + */ | |
1003 | +static int ccs_socket_getsockopt(struct socket *sock, int level, int optname) | |
1004 | +{ | |
1005 | + return ccs_validate_socket(sock); | |
1006 | +} | |
1007 | + | |
1008 | +/** | |
1009 | + * ccs_socket_setsockopt - Check permission for setsockopt(). | |
1010 | + * | |
1011 | + * @sock: Pointer to "struct socket". | |
1012 | + * @level: Level. | |
1013 | + * @optname: Option's name, | |
1014 | + * | |
1015 | + * Returns 0 on success, negative value otherwise. | |
1016 | + */ | |
1017 | +static int ccs_socket_setsockopt(struct socket *sock, int level, int optname) | |
1018 | +{ | |
1019 | + return ccs_validate_socket(sock); | |
1020 | +} | |
1021 | + | |
1022 | +/** | |
1023 | + * ccs_socket_shutdown - Check permission for shutdown(). | |
1024 | + * | |
1025 | + * @sock: Pointer to "struct socket". | |
1026 | + * @how: Shutdown mode. | |
1027 | + * | |
1028 | + * Returns 0 on success, negative value otherwise. | |
1029 | + */ | |
1030 | +static int ccs_socket_shutdown(struct socket *sock, int how) | |
1031 | +{ | |
1032 | + return ccs_validate_socket(sock); | |
1033 | +} | |
1034 | + | |
1035 | +#define SOCKFS_MAGIC 0x534F434B | |
1036 | + | |
1037 | +/** | |
1038 | + * ccs_inode_free_security - Release memory associated with an inode. | |
1039 | + * | |
1040 | + * @inode: Pointer to "struct inode". | |
1041 | + * | |
1042 | + * Returns nothing. | |
1043 | + * | |
1044 | + * We use this hook for releasing memory associated with an accept()ed socket. | |
1045 | + */ | |
1046 | +static void ccs_inode_free_security(struct inode *inode) | |
1047 | +{ | |
1048 | + if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC) | |
1049 | + ccs_update_socket_tag(inode, 0); | |
1050 | +} | |
1051 | + | |
1052 | +#endif | |
1053 | + | |
1054 | +/** | |
1055 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
1056 | + * | |
1057 | + * @old_path: Pointer to "struct path". | |
1058 | + * @new_path: Pointer to "struct path". | |
1059 | + * | |
1060 | + * Returns 0 on success, negative value otherwise. | |
1061 | + */ | |
1062 | +static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path) | |
1063 | +{ | |
1064 | + return ccs_pivot_root_permission(old_path, new_path); | |
1065 | +} | |
1066 | + | |
1067 | +/** | |
1068 | + * ccs_sb_mount - Check permission for mount(). | |
1069 | + * | |
1070 | + * @dev_name: Name of device file. | |
1071 | + * @path: Pointer to "struct path". | |
1072 | + * @type: Name of filesystem type. Maybe NULL. | |
1073 | + * @flags: Mount options. | |
1074 | + * @data_page: Optional data. Maybe NULL. | |
1075 | + * | |
1076 | + * Returns 0 on success, negative value otherwise. | |
1077 | + */ | |
1078 | +static int ccs_sb_mount(const char *dev_name, struct path *path, | |
1079 | + const char *type, unsigned long flags, void *data_page) | |
1080 | +{ | |
1081 | + return ccs_mount_permission(dev_name, path, type, flags, data_page); | |
1082 | +} | |
1083 | + | |
1084 | +/** | |
1085 | + * ccs_sb_umount - Check permission for umount(). | |
1086 | + * | |
1087 | + * @mnt: Pointer to "struct vfsmount". | |
1088 | + * @flags: Unmount flags. | |
1089 | + * | |
1090 | + * Returns 0 on success, negative value otherwise. | |
1091 | + */ | |
1092 | +static int ccs_sb_umount(struct vfsmount *mnt, int flags) | |
1093 | +{ | |
1094 | + return ccs_umount_permission(mnt, flags); | |
1095 | +} | |
1096 | + | |
1097 | +/** | |
1098 | + * ccs_file_fcntl - Check permission for fcntl(). | |
1099 | + * | |
1100 | + * @file: Pointer to "struct file". | |
1101 | + * @cmd: Command number. | |
1102 | + * @arg: Value for @cmd. | |
1103 | + * | |
1104 | + * Returns 0 on success, negative value otherwise. | |
1105 | + */ | |
1106 | +static int ccs_file_fcntl(struct file *file, unsigned int cmd, | |
1107 | + unsigned long arg) | |
1108 | +{ | |
1109 | + return ccs_fcntl_permission(file, cmd, arg); | |
1110 | +} | |
1111 | + | |
1112 | +/** | |
1113 | + * ccs_file_ioctl - Check permission for ioctl(). | |
1114 | + * | |
1115 | + * @filp: Pointer to "struct file". | |
1116 | + * @cmd: Command number. | |
1117 | + * @arg: Value for @cmd. | |
1118 | + * | |
1119 | + * Returns 0 on success, negative value otherwise. | |
1120 | + */ | |
1121 | +static int ccs_file_ioctl(struct file *filp, unsigned int cmd, | |
1122 | + unsigned long arg) | |
1123 | +{ | |
1124 | + return ccs_ioctl_permission(filp, cmd, arg); | |
1125 | +} | |
1126 | + | |
1127 | +#define MY_HOOK_INIT(HEAD, HOOK) \ | |
1128 | + { .head = &probe_dummy_security_hook_heads.HEAD, \ | |
1129 | + .hook = { .HEAD = HOOK } } | |
1130 | + | |
1131 | +static struct security_hook_list akari_hooks[] = { | |
1132 | + /* Security context allocator. */ | |
1133 | + MY_HOOK_INIT(cred_free, ccs_cred_free), | |
1134 | + MY_HOOK_INIT(cred_prepare, ccs_cred_prepare), | |
1135 | + MY_HOOK_INIT(cred_alloc_blank, ccs_cred_alloc_blank), | |
1136 | + MY_HOOK_INIT(cred_transfer, ccs_cred_transfer), | |
1137 | + MY_HOOK_INIT(task_create, ccs_task_create), | |
1138 | + /* Security context updater for successful execve(). */ | |
1139 | + MY_HOOK_INIT(bprm_check_security, ccs_bprm_check_security), | |
1140 | + MY_HOOK_INIT(bprm_committing_creds, ccs_bprm_committing_creds), | |
1141 | + /* Various permission checker. */ | |
1142 | + MY_HOOK_INIT(file_open, ccs_file_open), | |
1143 | + MY_HOOK_INIT(file_fcntl, ccs_file_fcntl), | |
1144 | + MY_HOOK_INIT(file_ioctl, ccs_file_ioctl), | |
1145 | + MY_HOOK_INIT(sb_pivotroot, ccs_sb_pivotroot), | |
1146 | + MY_HOOK_INIT(sb_mount, ccs_sb_mount), | |
1147 | + MY_HOOK_INIT(sb_umount, ccs_sb_umount), | |
1148 | +#ifdef CONFIG_SECURITY_PATH | |
1149 | + MY_HOOK_INIT(path_mknod, ccs_path_mknod), | |
1150 | + MY_HOOK_INIT(path_mkdir, ccs_path_mkdir), | |
1151 | + MY_HOOK_INIT(path_rmdir, ccs_path_rmdir), | |
1152 | + MY_HOOK_INIT(path_unlink, ccs_path_unlink), | |
1153 | + MY_HOOK_INIT(path_symlink, ccs_path_symlink), | |
1154 | + MY_HOOK_INIT(path_rename, ccs_path_rename), | |
1155 | + MY_HOOK_INIT(path_link, ccs_path_link), | |
1156 | + MY_HOOK_INIT(path_truncate, ccs_path_truncate), | |
1157 | + MY_HOOK_INIT(path_chmod, ccs_path_chmod), | |
1158 | + MY_HOOK_INIT(path_chown, ccs_path_chown), | |
1159 | + MY_HOOK_INIT(path_chroot, ccs_path_chroot), | |
1160 | +#else | |
1161 | + MY_HOOK_INIT(inode_mknod, ccs_inode_mknod), | |
1162 | + MY_HOOK_INIT(inode_mkdir, ccs_inode_mkdir), | |
1163 | + MY_HOOK_INIT(inode_rmdir, ccs_inode_rmdir), | |
1164 | + MY_HOOK_INIT(inode_unlink, ccs_inode_unlink), | |
1165 | + MY_HOOK_INIT(inode_symlink, ccs_inode_symlink), | |
1166 | + MY_HOOK_INIT(inode_rename, ccs_inode_rename), | |
1167 | + MY_HOOK_INIT(inode_link, ccs_inode_link), | |
1168 | + MY_HOOK_INIT(inode_create, ccs_inode_create), | |
1169 | + MY_HOOK_INIT(inode_setattr, ccs_inode_setattr), | |
1170 | +#endif | |
1171 | + MY_HOOK_INIT(inode_getattr, ccs_inode_getattr), | |
1172 | +#ifdef CONFIG_SECURITY_NETWORK | |
1173 | + MY_HOOK_INIT(socket_bind, ccs_socket_bind), | |
1174 | + MY_HOOK_INIT(socket_connect, ccs_socket_connect), | |
1175 | + MY_HOOK_INIT(socket_listen, ccs_socket_listen), | |
1176 | + MY_HOOK_INIT(socket_sendmsg, ccs_socket_sendmsg), | |
1177 | + MY_HOOK_INIT(socket_recvmsg, ccs_socket_recvmsg), | |
1178 | + MY_HOOK_INIT(socket_getsockname, ccs_socket_getsockname), | |
1179 | + MY_HOOK_INIT(socket_getpeername, ccs_socket_getpeername), | |
1180 | + MY_HOOK_INIT(socket_getsockopt, ccs_socket_getsockopt), | |
1181 | + MY_HOOK_INIT(socket_setsockopt, ccs_socket_setsockopt), | |
1182 | + MY_HOOK_INIT(socket_shutdown, ccs_socket_shutdown), | |
1183 | + MY_HOOK_INIT(socket_accept, ccs_socket_accept), | |
1184 | + MY_HOOK_INIT(inode_free_security, ccs_inode_free_security), | |
1185 | +#endif | |
1186 | +}; | |
1187 | + | |
1188 | +static inline void add_hook(struct security_hook_list *hook) | |
1189 | +{ | |
1190 | + list_add_tail_rcu(&hook->list, hook->head); | |
1191 | +} | |
1192 | + | |
1193 | +static void __init swap_hook(struct security_hook_list *hook, | |
1194 | + union security_list_options *original) | |
1195 | +{ | |
1196 | + struct list_head *list = hook->head; | |
1197 | + if (list_empty(list)) { | |
1198 | + add_hook(hook); | |
1199 | + } else { | |
1200 | + struct security_hook_list *shp = | |
1201 | + list_last_entry(list, struct security_hook_list, list); | |
1202 | + *original = shp->hook; | |
1203 | + smp_wmb(); | |
1204 | + shp->hook = hook->hook; | |
1205 | + } | |
1206 | +} | |
1207 | + | |
1208 | +/** | |
1209 | + * ccs_init - Initialize this module. | |
1210 | + * | |
1211 | + * Returns 0 on success, negative value otherwise. | |
1212 | + */ | |
1213 | +static int __init ccs_init(void) | |
1214 | +{ | |
1215 | + int idx; | |
1216 | + struct security_hook_heads *hooks = probe_security_hook_heads(); | |
1217 | + if (!hooks) | |
1218 | + goto out; | |
1219 | + for (idx = 0; idx < ARRAY_SIZE(akari_hooks); idx++) | |
1220 | + akari_hooks[idx].head = ((void *) hooks) | |
1221 | + + ((unsigned long) akari_hooks[idx].head) | |
1222 | + - ((unsigned long) &probe_dummy_security_hook_heads); | |
1223 | + ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid(); | |
1224 | + if (!ccsecurity_exports.find_task_by_vpid) | |
1225 | + goto out; | |
1226 | + ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns(); | |
1227 | + if (!ccsecurity_exports.find_task_by_pid_ns) | |
1228 | + goto out; | |
1229 | + ccsecurity_exports.d_absolute_path = probe_d_absolute_path(); | |
1230 | + if (!ccsecurity_exports.d_absolute_path) | |
1231 | + goto out; | |
1232 | + for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) { | |
1233 | + INIT_LIST_HEAD(&ccs_cred_security_list[idx]); | |
1234 | + INIT_LIST_HEAD(&ccs_task_security_list[idx]); | |
1235 | + } | |
1236 | + ccs_main_init(); | |
1237 | + swap_hook(&akari_hooks[0], &original_cred_free); | |
1238 | + swap_hook(&akari_hooks[1], &original_cred_prepare); | |
1239 | + swap_hook(&akari_hooks[2], &original_cred_alloc_blank); | |
1240 | + for (idx = 3; idx < ARRAY_SIZE(akari_hooks); idx++) | |
1241 | + add_hook(&akari_hooks[idx]); | |
1242 | + printk(KERN_INFO "AKARI: 1.0.40 2019/12/25\n"); | |
1243 | + printk(KERN_INFO | |
1244 | + "Access Keeping And Regulating Instrument registered.\n"); | |
1245 | + return 0; | |
1246 | +out: | |
1247 | + return -EINVAL; | |
1248 | +} | |
1249 | + | |
1250 | +module_init(ccs_init); | |
1251 | +MODULE_LICENSE("GPL"); | |
1252 | + | |
1253 | +/** | |
1254 | + * ccs_used_by_cred - Check whether the given domain is in use or not. | |
1255 | + * | |
1256 | + * @domain: Pointer to "struct ccs_domain_info". | |
1257 | + * | |
1258 | + * Returns true if @domain is in use, false otherwise. | |
1259 | + * | |
1260 | + * Caller holds rcu_read_lock(). | |
1261 | + */ | |
1262 | +bool ccs_used_by_cred(const struct ccs_domain_info *domain) | |
1263 | +{ | |
1264 | + int idx; | |
1265 | + struct ccs_security *ptr; | |
1266 | + for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) { | |
1267 | + struct list_head *list = &ccs_cred_security_list[idx]; | |
1268 | + list_for_each_entry_rcu(ptr, list, list) { | |
1269 | + struct ccs_execve *ee = ptr->ee; | |
1270 | + if (ptr->ccs_domain_info == domain || | |
1271 | + (ee && ee->previous_domain == domain)) { | |
1272 | + return true; | |
1273 | + } | |
1274 | + } | |
1275 | + } | |
1276 | + return false; | |
1277 | +} | |
1278 | + | |
1279 | +/** | |
1280 | + * ccs_add_task_security - Add "struct ccs_security" to list. | |
1281 | + * | |
1282 | + * @ptr: Pointer to "struct ccs_security". | |
1283 | + * @list: Pointer to "struct list_head". | |
1284 | + * | |
1285 | + * Returns nothing. | |
1286 | + */ | |
1287 | +static void ccs_add_task_security(struct ccs_security *ptr, | |
1288 | + struct list_head *list) | |
1289 | +{ | |
1290 | + unsigned long flags; | |
1291 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
1292 | + list_add_rcu(&ptr->list, list); | |
1293 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
1294 | +} | |
1295 | + | |
1296 | +/** | |
1297 | + * ccs_find_task_security - Find "struct ccs_security" for given task. | |
1298 | + * | |
1299 | + * @task: Pointer to "struct task_struct". | |
1300 | + * | |
1301 | + * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on | |
1302 | + * out of memory, &ccs_default_security otherwise. | |
1303 | + * | |
1304 | + * If @task is current thread and "struct ccs_security" for current thread was | |
1305 | + * not found, I try to allocate it. But if allocation failed, current thread | |
1306 | + * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL | |
1307 | + * won't work. | |
1308 | + */ | |
1309 | +struct ccs_security *ccs_find_task_security(const struct task_struct *task) | |
1310 | +{ | |
1311 | + struct ccs_security *ptr; | |
1312 | + struct list_head *list = &ccs_task_security_list | |
1313 | + [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)]; | |
1314 | + /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */ | |
1315 | + while (!list->next) | |
1316 | + smp_rmb(); | |
1317 | + rcu_read_lock(); | |
1318 | + list_for_each_entry_rcu(ptr, list, list) { | |
1319 | + if (ptr->pid != task->pids[PIDTYPE_PID].pid) | |
1320 | + continue; | |
1321 | + rcu_read_unlock(); | |
1322 | + /* | |
1323 | + * Current thread needs to transit from old domain to new | |
1324 | + * domain before do_execve() succeeds in order to check | |
1325 | + * permission for interpreters and environment variables using | |
1326 | + * new domain's ACL rules. The domain transition has to be | |
1327 | + * visible from other CPU in order to allow interactive | |
1328 | + * enforcing mode. Also, the domain transition has to be | |
1329 | + * reverted if do_execve() failed. However, an LSM hook for | |
1330 | + * reverting domain transition is missing. | |
1331 | + * | |
1332 | + * security_prepare_creds() is called from prepare_creds() from | |
1333 | + * prepare_bprm_creds() from do_execve() before setting | |
1334 | + * current->in_execve flag, and current->in_execve flag is | |
1335 | + * cleared by the time next do_execve() request starts. | |
1336 | + * This means that we can emulate the missing LSM hook for | |
1337 | + * reverting domain transition, by calling this function from | |
1338 | + * security_prepare_creds(). | |
1339 | + * | |
1340 | + * If current->in_execve is not set but ptr->ccs_flags has | |
1341 | + * CCS_TASK_IS_IN_EXECVE set, it indicates that do_execve() | |
1342 | + * has failed and reverting domain transition is needed. | |
1343 | + */ | |
1344 | + if (task == current && | |
1345 | + (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE) && | |
1346 | + !current->in_execve) { | |
1347 | + ccs_debug_trace("4"); | |
1348 | + ccs_clear_execve(-1, ptr); | |
1349 | + } | |
1350 | + return ptr; | |
1351 | + } | |
1352 | + rcu_read_unlock(); | |
1353 | + if (task != current) { | |
1354 | + /* | |
1355 | + * If a thread does nothing after fork(), caller will reach | |
1356 | + * here because "struct ccs_security" for that thread is not | |
1357 | + * yet allocated. But that thread is keeping a snapshot of | |
1358 | + * "struct ccs_security" taken as of ccs_task_create() | |
1359 | + * associated with that thread's "struct cred". | |
1360 | + * | |
1361 | + * Since that snapshot will be used as initial data when that | |
1362 | + * thread allocates "struct ccs_security" for that thread, we | |
1363 | + * can return that snapshot rather than &ccs_default_security. | |
1364 | + * | |
1365 | + * Since this function is called by only ccs_select_one() and | |
1366 | + * ccs_read_pid() (via ccs_task_domain() and ccs_task_flags()), | |
1367 | + * it is guaranteed that caller has called rcu_read_lock() | |
1368 | + * (via ccs_tasklist_lock()) before finding this thread and | |
1369 | + * this thread is valid. Therefore, we can do __task_cred(task) | |
1370 | + * like get_robust_list() does. | |
1371 | + */ | |
1372 | + return ccs_find_cred_security(__task_cred(task)); | |
1373 | + } | |
1374 | + /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */ | |
1375 | + ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC); | |
1376 | + if (!ptr) { | |
1377 | + printk(KERN_WARNING "Unable to allocate memory for pid=%u\n", | |
1378 | + task->pid); | |
1379 | + send_sig(SIGKILL, current, 0); | |
1380 | + return &ccs_oom_security; | |
1381 | + } | |
1382 | + *ptr = *ccs_find_cred_security(task->cred); | |
1383 | + /* We can shortcut because task == current. */ | |
1384 | + ptr->pid = get_pid(((struct task_struct *) task)-> | |
1385 | + pids[PIDTYPE_PID].pid); | |
1386 | + ptr->cred = NULL; | |
1387 | + ccs_add_task_security(ptr, list); | |
1388 | + return ptr; | |
1389 | +} | |
1390 | + | |
1391 | +/** | |
1392 | + * ccs_copy_cred_security - Allocate memory for new credentials. | |
1393 | + * | |
1394 | + * @new: Pointer to "struct cred". | |
1395 | + * @old: Pointer to "struct cred". | |
1396 | + * @gfp: Memory allocation flags. | |
1397 | + * | |
1398 | + * Returns 0 on success, negative value otherwise. | |
1399 | + */ | |
1400 | +static int ccs_copy_cred_security(const struct cred *new, | |
1401 | + const struct cred *old, gfp_t gfp) | |
1402 | +{ | |
1403 | + struct ccs_security *old_security = ccs_find_cred_security(old); | |
1404 | + struct ccs_security *new_security = | |
1405 | + kzalloc(sizeof(*new_security), gfp); | |
1406 | + if (!new_security) | |
1407 | + return -ENOMEM; | |
1408 | + *new_security = *old_security; | |
1409 | + new_security->cred = new; | |
1410 | + ccs_add_cred_security(new_security); | |
1411 | + return 0; | |
1412 | +} | |
1413 | + | |
1414 | +/** | |
1415 | + * ccs_find_cred_security - Find "struct ccs_security" for given credential. | |
1416 | + * | |
1417 | + * @cred: Pointer to "struct cred". | |
1418 | + * | |
1419 | + * Returns pointer to "struct ccs_security" on success, &ccs_default_security | |
1420 | + * otherwise. | |
1421 | + */ | |
1422 | +static struct ccs_security *ccs_find_cred_security(const struct cred *cred) | |
1423 | +{ | |
1424 | + struct ccs_security *ptr; | |
1425 | + struct list_head *list = &ccs_cred_security_list | |
1426 | + [hash_ptr((void *) cred, CCS_TASK_SECURITY_HASH_BITS)]; | |
1427 | + rcu_read_lock(); | |
1428 | + list_for_each_entry_rcu(ptr, list, list) { | |
1429 | + if (ptr->cred != cred) | |
1430 | + continue; | |
1431 | + rcu_read_unlock(); | |
1432 | + return ptr; | |
1433 | + } | |
1434 | + rcu_read_unlock(); | |
1435 | + return &ccs_default_security; | |
1436 | +} | |
1437 | + | |
1438 | +/** | |
1439 | + * ccs_task_security_gc - Do garbage collection for "struct task_struct". | |
1440 | + * | |
1441 | + * Returns nothing. | |
1442 | + * | |
1443 | + * Since security_task_free() is missing, I can't release memory associated | |
1444 | + * with "struct task_struct" when a task dies. Therefore, I hold a reference on | |
1445 | + * "struct pid" and runs garbage collection when associated | |
1446 | + * "struct task_struct" has gone. | |
1447 | + */ | |
1448 | +static void ccs_task_security_gc(void) | |
1449 | +{ | |
1450 | + static DEFINE_SPINLOCK(lock); | |
1451 | + static atomic_t gc_counter = ATOMIC_INIT(0); | |
1452 | + unsigned int idx; | |
1453 | + /* | |
1454 | + * If some process is doing execve(), try to garbage collection now. | |
1455 | + * We should kfree() memory associated with "struct ccs_security"->ee | |
1456 | + * as soon as execve() has completed in order to compensate for lack of | |
1457 | + * security_bprm_free() and security_task_free() hooks. | |
1458 | + * | |
1459 | + * Otherwise, reduce frequency for performance reason. | |
1460 | + */ | |
1461 | + if (!atomic_read(&ccs_in_execve_tasks) && | |
1462 | + atomic_inc_return(&gc_counter) < 1024) | |
1463 | + return; | |
1464 | + if (!spin_trylock(&lock)) | |
1465 | + return; | |
1466 | + atomic_set(&gc_counter, 0); | |
1467 | + rcu_read_lock(); | |
1468 | + for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) { | |
1469 | + struct ccs_security *ptr; | |
1470 | + struct list_head *list = &ccs_task_security_list[idx]; | |
1471 | + list_for_each_entry_rcu(ptr, list, list) { | |
1472 | + if (pid_task(ptr->pid, PIDTYPE_PID)) | |
1473 | + continue; | |
1474 | + ccs_del_security(ptr); | |
1475 | + } | |
1476 | + } | |
1477 | + rcu_read_unlock(); | |
1478 | + spin_unlock(&lock); | |
1479 | +} |
@@ -0,0 +1,1482 @@ | ||
1 | +/* | |
2 | + * lsm.c | |
3 | + * | |
4 | + * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | |
5 | + * | |
6 | + * Version: 1.0.40 2019/12/25 | |
7 | + */ | |
8 | + | |
9 | +#include "internal.h" | |
10 | +#include "probe.h" | |
11 | + | |
12 | +/* Prototype definition. */ | |
13 | +static void ccs_task_security_gc(void); | |
14 | +static int ccs_copy_cred_security(const struct cred *new, | |
15 | + const struct cred *old, gfp_t gfp); | |
16 | +static struct ccs_security *ccs_find_cred_security(const struct cred *cred); | |
17 | +static DEFINE_SPINLOCK(ccs_task_security_list_lock); | |
18 | +static atomic_t ccs_in_execve_tasks = ATOMIC_INIT(0); | |
19 | +/* | |
20 | + * List of "struct ccs_security" for "struct pid". | |
21 | + * | |
22 | + * All instances on this list is guaranteed that "struct ccs_security"->pid != | |
23 | + * NULL. Also, instances on this list that are in execve() are guaranteed that | |
24 | + * "struct ccs_security"->cred remembers "struct linux_binprm"->cred with a | |
25 | + * refcount on "struct linux_binprm"->cred. | |
26 | + */ | |
27 | +struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH]; | |
28 | +/* | |
29 | + * List of "struct ccs_security" for "struct cred". | |
30 | + * | |
31 | + * Since the number of "struct cred" is nearly equals to the number of | |
32 | + * "struct pid", we allocate hash tables like ccs_task_security_list. | |
33 | + * | |
34 | + * All instances on this list are guaranteed that "struct ccs_security"->pid == | |
35 | + * NULL and "struct ccs_security"->cred != NULL. | |
36 | + */ | |
37 | +static struct list_head ccs_cred_security_list[CCS_MAX_TASK_SECURITY_HASH]; | |
38 | + | |
39 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
40 | +static struct ccs_security ccs_oom_security = { | |
41 | + .ccs_domain_info = &ccs_kernel_domain | |
42 | +}; | |
43 | + | |
44 | +/* Dummy security context for avoiding NULL pointer dereference. */ | |
45 | +static struct ccs_security ccs_default_security = { | |
46 | + .ccs_domain_info = &ccs_kernel_domain | |
47 | +}; | |
48 | + | |
49 | +/* For exporting variables and functions. */ | |
50 | +struct ccsecurity_exports ccsecurity_exports; | |
51 | +/* Members are updated by loadable kernel module. */ | |
52 | +struct ccsecurity_operations ccsecurity_ops; | |
53 | + | |
54 | +/* Original hooks. */ | |
55 | +static union security_list_options original_cred_prepare; | |
56 | +static union security_list_options original_cred_free; | |
57 | +static union security_list_options original_cred_alloc_blank; | |
58 | + | |
59 | +#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT | |
60 | + | |
61 | +/** | |
62 | + * ccs_update_ee_counter - Update "struct ccs_execve" counter. | |
63 | + * | |
64 | + * @count: Count to increment or decrement. | |
65 | + * | |
66 | + * Returns updated counter. | |
67 | + */ | |
68 | +static unsigned int ccs_update_ee_counter(int count) | |
69 | +{ | |
70 | + /* Debug counter for detecting "struct ccs_execve" memory leak. */ | |
71 | + static atomic_t ccs_ee_counter = ATOMIC_INIT(0); | |
72 | + return atomic_add_return(count, &ccs_ee_counter); | |
73 | +} | |
74 | + | |
75 | +/** | |
76 | + * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve". | |
77 | + * | |
78 | + * @ee: Pointer to "struct ccs_execve". | |
79 | + * | |
80 | + * Returns nothing. | |
81 | + */ | |
82 | +void ccs_audit_alloc_execve(const struct ccs_execve * const ee) | |
83 | +{ | |
84 | + printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee, | |
85 | + current->pid, ccs_update_ee_counter(1) - 1); | |
86 | +} | |
87 | + | |
88 | +/** | |
89 | + * ccs_audit_free_execve - Audit release of "struct ccs_execve". | |
90 | + * | |
91 | + * @ee: Pointer to "struct ccs_execve". | |
92 | + * @task: True if released by current task, false otherwise. | |
93 | + * | |
94 | + * Returns nothing. | |
95 | + */ | |
96 | +void ccs_audit_free_execve(const struct ccs_execve * const ee, | |
97 | + const bool is_current) | |
98 | +{ | |
99 | + const unsigned int tmp = ccs_update_ee_counter(-1); | |
100 | + if (is_current) | |
101 | + printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n", | |
102 | + ee, current->pid, tmp); | |
103 | + else | |
104 | + printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n", | |
105 | + ee, tmp); | |
106 | +} | |
107 | + | |
108 | +#endif | |
109 | + | |
110 | +#if !defined(CONFIG_AKARI_DEBUG) | |
111 | +#define ccs_debug_trace(pos) do { } while (0) | |
112 | +#else | |
113 | +#define ccs_debug_trace(pos) \ | |
114 | + do { \ | |
115 | + static bool done; \ | |
116 | + if (!done) { \ | |
117 | + printk(KERN_INFO \ | |
118 | + "AKARI: Debug trace: " pos " of 4\n"); \ | |
119 | + done = true; \ | |
120 | + } \ | |
121 | + } while (0) | |
122 | +#endif | |
123 | + | |
124 | +/** | |
125 | + * ccs_clear_execve - Release memory used by do_execve(). | |
126 | + * | |
127 | + * @ret: 0 if do_execve() succeeded, negative value otherwise. | |
128 | + * @security: Pointer to "struct ccs_security". | |
129 | + * | |
130 | + * Returns nothing. | |
131 | + */ | |
132 | +static void ccs_clear_execve(int ret, struct ccs_security *security) | |
133 | +{ | |
134 | + struct ccs_execve *ee; | |
135 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
136 | + return; | |
137 | + ee = security->ee; | |
138 | + security->ee = NULL; | |
139 | + if (!ee) | |
140 | + return; | |
141 | + atomic_dec(&ccs_in_execve_tasks); | |
142 | + ccs_finish_execve(ret, ee); | |
143 | +} | |
144 | + | |
145 | +/** | |
146 | + * ccs_rcu_free - RCU callback for releasing "struct ccs_security". | |
147 | + * | |
148 | + * @rcu: Pointer to "struct rcu_head". | |
149 | + * | |
150 | + * Returns nothing. | |
151 | + */ | |
152 | +static void ccs_rcu_free(struct rcu_head *rcu) | |
153 | +{ | |
154 | + struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu); | |
155 | + struct ccs_execve *ee = ptr->ee; | |
156 | + /* | |
157 | + * If this security context was associated with "struct pid" and | |
158 | + * ptr->ccs_flags has CCS_TASK_IS_IN_EXECVE set, it indicates that a | |
159 | + * "struct task_struct" associated with this security context exited | |
160 | + * immediately after do_execve() has failed. | |
161 | + */ | |
162 | + if (ptr->pid && (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE)) { | |
163 | + ccs_debug_trace("1"); | |
164 | + atomic_dec(&ccs_in_execve_tasks); | |
165 | + } | |
166 | + /* | |
167 | + * If this security context was associated with "struct pid", | |
168 | + * drop refcount obtained by get_pid() in ccs_find_task_security(). | |
169 | + */ | |
170 | + if (ptr->pid) { | |
171 | + ccs_debug_trace("2"); | |
172 | + put_pid(ptr->pid); | |
173 | + } | |
174 | + if (ee) { | |
175 | + ccs_debug_trace("3"); | |
176 | + ccs_audit_free_execve(ee, false); | |
177 | + kfree(ee->handler_path); | |
178 | + kfree(ee); | |
179 | + } | |
180 | + kfree(ptr); | |
181 | +} | |
182 | + | |
183 | +/** | |
184 | + * ccs_del_security - Release "struct ccs_security". | |
185 | + * | |
186 | + * @ptr: Pointer to "struct ccs_security". | |
187 | + * | |
188 | + * Returns nothing. | |
189 | + */ | |
190 | +static void ccs_del_security(struct ccs_security *ptr) | |
191 | +{ | |
192 | + unsigned long flags; | |
193 | + if (ptr == &ccs_default_security || ptr == &ccs_oom_security) | |
194 | + return; | |
195 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
196 | + list_del_rcu(&ptr->list); | |
197 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
198 | + call_rcu(&ptr->rcu, ccs_rcu_free); | |
199 | +} | |
200 | + | |
201 | +/** | |
202 | + * ccs_add_cred_security - Add "struct ccs_security" to list. | |
203 | + * | |
204 | + * @ptr: Pointer to "struct ccs_security". | |
205 | + * | |
206 | + * Returns nothing. | |
207 | + */ | |
208 | +static void ccs_add_cred_security(struct ccs_security *ptr) | |
209 | +{ | |
210 | + unsigned long flags; | |
211 | + struct list_head *list = &ccs_cred_security_list | |
212 | + [hash_ptr((void *) ptr->cred, CCS_TASK_SECURITY_HASH_BITS)]; | |
213 | +#ifdef CONFIG_AKARI_DEBUG | |
214 | + if (ptr->pid) | |
215 | + printk(KERN_INFO "AKARI: \"struct ccs_security\"->pid != NULL" | |
216 | + "\n"); | |
217 | +#endif | |
218 | + ptr->pid = NULL; | |
219 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
220 | + list_add_rcu(&ptr->list, list); | |
221 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
222 | +} | |
223 | + | |
224 | +/** | |
225 | + * ccs_task_create - Make snapshot of security context for new task. | |
226 | + * | |
227 | + * @clone_flags: Flags passed to clone(). | |
228 | + * | |
229 | + * Returns 0 on success, negative value otherwise. | |
230 | + */ | |
231 | +static int ccs_task_create(unsigned long clone_flags) | |
232 | +{ | |
233 | + struct ccs_security *old_security; | |
234 | + struct ccs_security *new_security; | |
235 | + struct cred *cred = prepare_creds(); | |
236 | + if (!cred) | |
237 | + return -ENOMEM; | |
238 | + old_security = ccs_find_task_security(current); | |
239 | + new_security = ccs_find_cred_security(cred); | |
240 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
241 | + new_security->ccs_flags = old_security->ccs_flags; | |
242 | + return commit_creds(cred); | |
243 | +} | |
244 | + | |
245 | +/** | |
246 | + * ccs_cred_prepare - Allocate memory for new credentials. | |
247 | + * | |
248 | + * @new: Pointer to "struct cred". | |
249 | + * @old: Pointer to "struct cred". | |
250 | + * @gfp: Memory allocation flags. | |
251 | + * | |
252 | + * Returns 0 on success, negative value otherwise. | |
253 | + */ | |
254 | +static int ccs_cred_prepare(struct cred *new, const struct cred *old, | |
255 | + gfp_t gfp) | |
256 | +{ | |
257 | + int rc1; | |
258 | + /* | |
259 | + * For checking whether reverting domain transition is needed or not. | |
260 | + * | |
261 | + * See ccs_find_task_security() for reason. | |
262 | + */ | |
263 | + if (gfp == GFP_KERNEL) | |
264 | + ccs_find_task_security(current); | |
265 | + rc1 = ccs_copy_cred_security(new, old, gfp); | |
266 | + if (gfp == GFP_KERNEL) | |
267 | + ccs_task_security_gc(); | |
268 | + if (original_cred_prepare.cred_prepare) { | |
269 | + const int rc2 = original_cred_prepare.cred_prepare(new, old, | |
270 | + gfp); | |
271 | + if (rc2) { | |
272 | + ccs_del_security(ccs_find_cred_security(new)); | |
273 | + return rc2; | |
274 | + } | |
275 | + } | |
276 | + return rc1; | |
277 | +} | |
278 | + | |
279 | +/** | |
280 | + * ccs_cred_free - Release memory used by credentials. | |
281 | + * | |
282 | + * @cred: Pointer to "struct cred". | |
283 | + * | |
284 | + * Returns nothing. | |
285 | + */ | |
286 | +static void ccs_cred_free(struct cred *cred) | |
287 | +{ | |
288 | + if (original_cred_free.cred_free) | |
289 | + original_cred_free.cred_free(cred); | |
290 | + ccs_del_security(ccs_find_cred_security(cred)); | |
291 | +} | |
292 | + | |
293 | +/** | |
294 | + * ccs_alloc_cred_security - Allocate memory for new credentials. | |
295 | + * | |
296 | + * @cred: Pointer to "struct cred". | |
297 | + * @gfp: Memory allocation flags. | |
298 | + * | |
299 | + * Returns 0 on success, negative value otherwise. | |
300 | + */ | |
301 | +static int ccs_alloc_cred_security(const struct cred *cred, gfp_t gfp) | |
302 | +{ | |
303 | + struct ccs_security *new_security = kzalloc(sizeof(*new_security), | |
304 | + gfp); | |
305 | + if (!new_security) | |
306 | + return -ENOMEM; | |
307 | + new_security->cred = cred; | |
308 | + ccs_add_cred_security(new_security); | |
309 | + return 0; | |
310 | +} | |
311 | + | |
312 | +/** | |
313 | + * ccs_cred_alloc_blank - Allocate memory for new credentials. | |
314 | + * | |
315 | + * @new: Pointer to "struct cred". | |
316 | + * @gfp: Memory allocation flags. | |
317 | + * | |
318 | + * Returns 0 on success, negative value otherwise. | |
319 | + */ | |
320 | +static int ccs_cred_alloc_blank(struct cred *new, gfp_t gfp) | |
321 | +{ | |
322 | + const int rc1 = ccs_alloc_cred_security(new, gfp); | |
323 | + if (original_cred_alloc_blank.cred_alloc_blank) { | |
324 | + const int rc2 = original_cred_alloc_blank. | |
325 | + cred_alloc_blank(new, gfp); | |
326 | + if (rc2) { | |
327 | + ccs_del_security(ccs_find_cred_security(new)); | |
328 | + return rc2; | |
329 | + } | |
330 | + } | |
331 | + return rc1; | |
332 | +} | |
333 | + | |
334 | +/** | |
335 | + * ccs_cred_transfer - Transfer "struct ccs_security" between credentials. | |
336 | + * | |
337 | + * @new: Pointer to "struct cred". | |
338 | + * @old: Pointer to "struct cred". | |
339 | + * | |
340 | + * Returns nothing. | |
341 | + */ | |
342 | +static void ccs_cred_transfer(struct cred *new, const struct cred *old) | |
343 | +{ | |
344 | + struct ccs_security *new_security = ccs_find_cred_security(new); | |
345 | + struct ccs_security *old_security = ccs_find_cred_security(old); | |
346 | + if (new_security == &ccs_default_security || | |
347 | + new_security == &ccs_oom_security || | |
348 | + old_security == &ccs_default_security || | |
349 | + old_security == &ccs_oom_security) | |
350 | + return; | |
351 | + new_security->ccs_flags = old_security->ccs_flags; | |
352 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
353 | +} | |
354 | + | |
355 | +/** | |
356 | + * ccs_bprm_committing_creds - A hook which is called when do_execve() succeeded. | |
357 | + * | |
358 | + * @bprm: Pointer to "struct linux_binprm". | |
359 | + * | |
360 | + * Returns nothing. | |
361 | + */ | |
362 | +static void ccs_bprm_committing_creds(struct linux_binprm *bprm) | |
363 | +{ | |
364 | + struct ccs_security *old_security = ccs_current_security(); | |
365 | + struct ccs_security *new_security; | |
366 | + if (old_security == &ccs_default_security || | |
367 | + old_security == &ccs_oom_security) | |
368 | + return; | |
369 | + ccs_clear_execve(0, old_security); | |
370 | + /* Update current task's cred's domain for future fork(). */ | |
371 | + new_security = ccs_find_cred_security(bprm->cred); | |
372 | + new_security->ccs_flags = old_security->ccs_flags; | |
373 | + new_security->ccs_domain_info = old_security->ccs_domain_info; | |
374 | +} | |
375 | + | |
376 | +/** | |
377 | + * ccs_bprm_check_security - Check permission for execve(). | |
378 | + * | |
379 | + * @bprm: Pointer to "struct linux_binprm". | |
380 | + * | |
381 | + * Returns 0 on success, negative value otherwise. | |
382 | + */ | |
383 | +static int ccs_bprm_check_security(struct linux_binprm *bprm) | |
384 | +{ | |
385 | + struct ccs_security *security = ccs_current_security(); | |
386 | + int rc; | |
387 | + if (security == &ccs_default_security || security == &ccs_oom_security) | |
388 | + return -ENOMEM; | |
389 | + if (security->ee) | |
390 | + return 0; | |
391 | +#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER | |
392 | + if (!ccs_policy_loaded) | |
393 | + ccs_load_policy(bprm->filename); | |
394 | +#endif | |
395 | + rc = ccs_start_execve(bprm, &security->ee); | |
396 | + if (security->ee) | |
397 | + atomic_inc(&ccs_in_execve_tasks); | |
398 | + return rc; | |
399 | +} | |
400 | + | |
401 | +/** | |
402 | + * ccs_file_open - Check permission for open(). | |
403 | + * | |
404 | + * @f: Pointer to "struct file". | |
405 | + * @cred: Pointer to "struct cred". | |
406 | + * | |
407 | + * Returns 0 on success, negative value otherwise. | |
408 | + */ | |
409 | +static int ccs_file_open(struct file *f, const struct cred *cred) | |
410 | +{ | |
411 | + return ccs_open_permission(f); | |
412 | +} | |
413 | + | |
414 | +#ifdef CONFIG_SECURITY_PATH | |
415 | + | |
416 | +/** | |
417 | + * ccs_path_chown - Check permission for chown()/chgrp(). | |
418 | + * | |
419 | + * @path: Pointer to "struct path". | |
420 | + * @user: User ID. | |
421 | + * @group: Group ID. | |
422 | + * | |
423 | + * Returns 0 on success, negative value otherwise. | |
424 | + */ | |
425 | +static int ccs_path_chown(const struct path *path, kuid_t user, kgid_t group) | |
426 | +{ | |
427 | + return ccs_chown_permission(path->dentry, path->mnt, user, group); | |
428 | +} | |
429 | + | |
430 | +/** | |
431 | + * ccs_path_chmod - Check permission for chmod(). | |
432 | + * | |
433 | + * @path: Pointer to "struct path". | |
434 | + * @mode: Mode. | |
435 | + * | |
436 | + * Returns 0 on success, negative value otherwise. | |
437 | + */ | |
438 | +static int ccs_path_chmod(const struct path *path, umode_t mode) | |
439 | +{ | |
440 | + return ccs_chmod_permission(path->dentry, path->mnt, mode); | |
441 | +} | |
442 | + | |
443 | +/** | |
444 | + * ccs_path_chroot - Check permission for chroot(). | |
445 | + * | |
446 | + * @path: Pointer to "struct path". | |
447 | + * | |
448 | + * Returns 0 on success, negative value otherwise. | |
449 | + */ | |
450 | +static int ccs_path_chroot(const struct path *path) | |
451 | +{ | |
452 | + return ccs_chroot_permission(path); | |
453 | +} | |
454 | + | |
455 | +/** | |
456 | + * ccs_path_truncate - Check permission for truncate(). | |
457 | + * | |
458 | + * @path: Pointer to "struct path". | |
459 | + * | |
460 | + * Returns 0 on success, negative value otherwise. | |
461 | + */ | |
462 | +static int ccs_path_truncate(const struct path *path) | |
463 | +{ | |
464 | + return ccs_truncate_permission(path->dentry, path->mnt); | |
465 | +} | |
466 | + | |
467 | +#else | |
468 | + | |
469 | +/** | |
470 | + * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate(). | |
471 | + * | |
472 | + * @dentry: Pointer to "struct dentry". | |
473 | + * @attr: Pointer to "struct iattr". | |
474 | + * | |
475 | + * Returns 0 on success, negative value otherwise. | |
476 | + */ | |
477 | +static int ccs_inode_setattr(struct dentry *dentry, struct iattr *attr) | |
478 | +{ | |
479 | + const int rc1 = (attr->ia_valid & ATTR_UID) ? | |
480 | + ccs_chown_permission(dentry, NULL, attr->ia_uid, INVALID_GID) : | |
481 | + 0; | |
482 | + const int rc2 = (attr->ia_valid & ATTR_GID) ? | |
483 | + ccs_chown_permission(dentry, NULL, INVALID_UID, attr->ia_gid) : | |
484 | + 0; | |
485 | + const int rc3 = (attr->ia_valid & ATTR_MODE) ? | |
486 | + ccs_chmod_permission(dentry, NULL, attr->ia_mode) : 0; | |
487 | + const int rc4 = (attr->ia_valid & ATTR_SIZE) ? | |
488 | + ccs_truncate_permission(dentry, NULL) : 0; | |
489 | + if (rc4) | |
490 | + return rc4; | |
491 | + if (rc3) | |
492 | + return rc3; | |
493 | + if (rc2) | |
494 | + return rc2; | |
495 | + return rc1; | |
496 | +} | |
497 | + | |
498 | +#endif | |
499 | + | |
500 | +/** | |
501 | + * ccs_inode_getattr - Check permission for stat(). | |
502 | + * | |
503 | + * @path: Pointer to "struct path". | |
504 | + * | |
505 | + * Returns 0 on success, negative value otherwise. | |
506 | + */ | |
507 | +static int ccs_inode_getattr(const struct path *path) | |
508 | +{ | |
509 | + return ccs_getattr_permission(path->mnt, path->dentry); | |
510 | +} | |
511 | + | |
512 | +#ifdef CONFIG_SECURITY_PATH | |
513 | + | |
514 | +/** | |
515 | + * ccs_path_mknod - Check permission for mknod(). | |
516 | + * | |
517 | + * @dir: Pointer to "struct path". | |
518 | + * @dentry: Pointer to "struct dentry". | |
519 | + * @mode: Create mode. | |
520 | + * @dev: Device major/minor number. | |
521 | + * | |
522 | + * Returns 0 on success, negative value otherwise. | |
523 | + */ | |
524 | +static int ccs_path_mknod(const struct path *dir, struct dentry *dentry, | |
525 | + umode_t mode, unsigned int dev) | |
526 | +{ | |
527 | + return ccs_mknod_permission(dentry, dir->mnt, mode, dev); | |
528 | +} | |
529 | + | |
530 | +/** | |
531 | + * ccs_path_mkdir - Check permission for mkdir(). | |
532 | + * | |
533 | + * @dir: Pointer to "struct path". | |
534 | + * @dentry: Pointer to "struct dentry". | |
535 | + * @mode: Create mode. | |
536 | + * | |
537 | + * Returns 0 on success, negative value otherwise. | |
538 | + */ | |
539 | +static int ccs_path_mkdir(const struct path *dir, struct dentry *dentry, | |
540 | + umode_t mode) | |
541 | +{ | |
542 | + return ccs_mkdir_permission(dentry, dir->mnt, mode); | |
543 | +} | |
544 | + | |
545 | +/** | |
546 | + * ccs_path_rmdir - Check permission for rmdir(). | |
547 | + * | |
548 | + * @dir: Pointer to "struct path". | |
549 | + * @dentry: Pointer to "struct dentry". | |
550 | + * | |
551 | + * Returns 0 on success, negative value otherwise. | |
552 | + */ | |
553 | +static int ccs_path_rmdir(const struct path *dir, struct dentry *dentry) | |
554 | +{ | |
555 | + return ccs_rmdir_permission(dentry, dir->mnt); | |
556 | +} | |
557 | + | |
558 | +/** | |
559 | + * ccs_path_unlink - Check permission for unlink(). | |
560 | + * | |
561 | + * @dir: Pointer to "struct path". | |
562 | + * @dentry: Pointer to "struct dentry". | |
563 | + * | |
564 | + * Returns 0 on success, negative value otherwise. | |
565 | + */ | |
566 | +static int ccs_path_unlink(const struct path *dir, struct dentry *dentry) | |
567 | +{ | |
568 | + return ccs_unlink_permission(dentry, dir->mnt); | |
569 | +} | |
570 | + | |
571 | +/** | |
572 | + * ccs_path_symlink - Check permission for symlink(). | |
573 | + * | |
574 | + * @dir: Pointer to "struct path". | |
575 | + * @dentry: Pointer to "struct dentry". | |
576 | + * @old_name: Content of symbolic link. | |
577 | + * | |
578 | + * Returns 0 on success, negative value otherwise. | |
579 | + */ | |
580 | +static int ccs_path_symlink(const struct path *dir, struct dentry *dentry, | |
581 | + const char *old_name) | |
582 | +{ | |
583 | + return ccs_symlink_permission(dentry, dir->mnt, old_name); | |
584 | +} | |
585 | + | |
586 | +/** | |
587 | + * ccs_path_rename - Check permission for rename(). | |
588 | + * | |
589 | + * @old_dir: Pointer to "struct path". | |
590 | + * @old_dentry: Pointer to "struct dentry". | |
591 | + * @new_dir: Pointer to "struct path". | |
592 | + * @new_dentry: Pointer to "struct dentry". | |
593 | + * | |
594 | + * Returns 0 on success, negative value otherwise. | |
595 | + */ | |
596 | +static int ccs_path_rename(const struct path *old_dir, | |
597 | + struct dentry *old_dentry, | |
598 | + const struct path *new_dir, | |
599 | + struct dentry *new_dentry) | |
600 | +{ | |
601 | + return ccs_rename_permission(old_dentry, new_dentry, old_dir->mnt); | |
602 | +} | |
603 | + | |
604 | +/** | |
605 | + * ccs_path_link - Check permission for link(). | |
606 | + * | |
607 | + * @old_dentry: Pointer to "struct dentry". | |
608 | + * @new_dir: Pointer to "struct path". | |
609 | + * @new_dentry: Pointer to "struct dentry". | |
610 | + * | |
611 | + * Returns 0 on success, negative value otherwise. | |
612 | + */ | |
613 | +static int ccs_path_link(struct dentry *old_dentry, const struct path *new_dir, | |
614 | + struct dentry *new_dentry) | |
615 | +{ | |
616 | + return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt); | |
617 | +} | |
618 | + | |
619 | +#else | |
620 | + | |
621 | +/** | |
622 | + * ccs_inode_mknod - Check permission for mknod(). | |
623 | + * | |
624 | + * @dir: Pointer to "struct inode". | |
625 | + * @dentry: Pointer to "struct dentry". | |
626 | + * @mode: Create mode. | |
627 | + * @dev: Device major/minor number. | |
628 | + * | |
629 | + * Returns 0 on success, negative value otherwise. | |
630 | + */ | |
631 | +static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry, | |
632 | + umode_t mode, dev_t dev) | |
633 | +{ | |
634 | + return ccs_mknod_permission(dentry, NULL, mode, dev); | |
635 | +} | |
636 | + | |
637 | +/** | |
638 | + * ccs_inode_mkdir - Check permission for mkdir(). | |
639 | + * | |
640 | + * @dir: Pointer to "struct inode". | |
641 | + * @dentry: Pointer to "struct dentry". | |
642 | + * @mode: Create mode. | |
643 | + * | |
644 | + * Returns 0 on success, negative value otherwise. | |
645 | + */ | |
646 | +static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry, | |
647 | + umode_t mode) | |
648 | +{ | |
649 | + return ccs_mkdir_permission(dentry, NULL, mode); | |
650 | +} | |
651 | + | |
652 | +/** | |
653 | + * ccs_inode_rmdir - Check permission for rmdir(). | |
654 | + * | |
655 | + * @dir: Pointer to "struct inode". | |
656 | + * @dentry: Pointer to "struct dentry". | |
657 | + * | |
658 | + * Returns 0 on success, negative value otherwise. | |
659 | + */ | |
660 | +static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry) | |
661 | +{ | |
662 | + return ccs_rmdir_permission(dentry, NULL); | |
663 | +} | |
664 | + | |
665 | +/** | |
666 | + * ccs_inode_unlink - Check permission for unlink(). | |
667 | + * | |
668 | + * @dir: Pointer to "struct inode". | |
669 | + * @dentry: Pointer to "struct dentry". | |
670 | + * | |
671 | + * Returns 0 on success, negative value otherwise. | |
672 | + */ | |
673 | +static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry) | |
674 | +{ | |
675 | + return ccs_unlink_permission(dentry, NULL); | |
676 | +} | |
677 | + | |
678 | +/** | |
679 | + * ccs_inode_symlink - Check permission for symlink(). | |
680 | + * | |
681 | + * @dir: Pointer to "struct inode". | |
682 | + * @dentry: Pointer to "struct dentry". | |
683 | + * @old_name: Content of symbolic link. | |
684 | + * | |
685 | + * Returns 0 on success, negative value otherwise. | |
686 | + */ | |
687 | +static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry, | |
688 | + const char *old_name) | |
689 | +{ | |
690 | + return ccs_symlink_permission(dentry, NULL, old_name); | |
691 | +} | |
692 | + | |
693 | +/** | |
694 | + * ccs_inode_rename - Check permission for rename(). | |
695 | + * | |
696 | + * @old_dir: Pointer to "struct inode". | |
697 | + * @old_dentry: Pointer to "struct dentry". | |
698 | + * @new_dir: Pointer to "struct inode". | |
699 | + * @new_dentry: Pointer to "struct dentry". | |
700 | + * | |
701 | + * Returns 0 on success, negative value otherwise. | |
702 | + */ | |
703 | +static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry, | |
704 | + struct inode *new_dir, struct dentry *new_dentry) | |
705 | +{ | |
706 | + return ccs_rename_permission(old_dentry, new_dentry, NULL); | |
707 | +} | |
708 | + | |
709 | +/** | |
710 | + * ccs_inode_link - Check permission for link(). | |
711 | + * | |
712 | + * @old_dentry: Pointer to "struct dentry". | |
713 | + * @dir: Pointer to "struct inode". | |
714 | + * @new_dentry: Pointer to "struct dentry". | |
715 | + * | |
716 | + * Returns 0 on success, negative value otherwise. | |
717 | + */ | |
718 | +static int ccs_inode_link(struct dentry *old_dentry, struct inode *dir, | |
719 | + struct dentry *new_dentry) | |
720 | +{ | |
721 | + return ccs_link_permission(old_dentry, new_dentry, NULL); | |
722 | +} | |
723 | + | |
724 | +/** | |
725 | + * ccs_inode_create - Check permission for creat(). | |
726 | + * | |
727 | + * @dir: Pointer to "struct inode". | |
728 | + * @dentry: Pointer to "struct dentry". | |
729 | + * @mode: Create mode. | |
730 | + * | |
731 | + * Returns 0 on success, negative value otherwise. | |
732 | + */ | |
733 | +static int ccs_inode_create(struct inode *dir, struct dentry *dentry, | |
734 | + umode_t mode) | |
735 | +{ | |
736 | + return ccs_mknod_permission(dentry, NULL, mode, 0); | |
737 | +} | |
738 | + | |
739 | +#endif | |
740 | + | |
741 | +#ifdef CONFIG_SECURITY_NETWORK | |
742 | + | |
743 | +#include <net/sock.h> | |
744 | + | |
745 | +/* Structure for remembering an accept()ed socket's status. */ | |
746 | +struct ccs_socket_tag { | |
747 | + struct list_head list; | |
748 | + struct inode *inode; | |
749 | + int status; | |
750 | + struct rcu_head rcu; | |
751 | +}; | |
752 | + | |
753 | +/* | |
754 | + * List for managing accept()ed sockets. | |
755 | + * Since we don't need to keep an accept()ed socket into this list after | |
756 | + * once the permission was granted, the number of entries in this list is | |
757 | + * likely small. Therefore, we don't use hash tables. | |
758 | + */ | |
759 | +static LIST_HEAD(ccs_accepted_socket_list); | |
760 | +/* Lock for protecting ccs_accepted_socket_list . */ | |
761 | +static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock); | |
762 | + | |
763 | +/** | |
764 | + * ccs_update_socket_tag - Update tag associated with accept()ed sockets. | |
765 | + * | |
766 | + * @inode: Pointer to "struct inode". | |
767 | + * @status: New status. | |
768 | + * | |
769 | + * Returns nothing. | |
770 | + * | |
771 | + * If @status == 0, memory for that socket will be released after RCU grace | |
772 | + * period. | |
773 | + */ | |
774 | +static void ccs_update_socket_tag(struct inode *inode, int status) | |
775 | +{ | |
776 | + struct ccs_socket_tag *ptr; | |
777 | + /* | |
778 | + * Protect whole section because multiple threads may call this | |
779 | + * function with same "sock" via ccs_validate_socket(). | |
780 | + */ | |
781 | + spin_lock(&ccs_accepted_socket_list_lock); | |
782 | + rcu_read_lock(); | |
783 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
784 | + if (ptr->inode != inode) | |
785 | + continue; | |
786 | + ptr->status = status; | |
787 | + if (status) | |
788 | + break; | |
789 | + list_del_rcu(&ptr->list); | |
790 | + kfree_rcu(ptr, rcu); | |
791 | + break; | |
792 | + } | |
793 | + rcu_read_unlock(); | |
794 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
795 | +} | |
796 | + | |
797 | +/** | |
798 | + * ccs_validate_socket - Check post accept() permission if needed. | |
799 | + * | |
800 | + * @sock: Pointer to "struct socket". | |
801 | + * | |
802 | + * Returns 0 on success, negative value otherwise. | |
803 | + */ | |
804 | +static int ccs_validate_socket(struct socket *sock) | |
805 | +{ | |
806 | + struct inode *inode = SOCK_INODE(sock); | |
807 | + struct ccs_socket_tag *ptr; | |
808 | + int ret = 0; | |
809 | + rcu_read_lock(); | |
810 | + list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) { | |
811 | + if (ptr->inode != inode) | |
812 | + continue; | |
813 | + ret = ptr->status; | |
814 | + break; | |
815 | + } | |
816 | + rcu_read_unlock(); | |
817 | + if (ret <= 0) | |
818 | + /* | |
819 | + * This socket is not an accept()ed socket or this socket is | |
820 | + * an accept()ed socket and post accept() permission is done. | |
821 | + */ | |
822 | + return ret; | |
823 | + /* | |
824 | + * Check post accept() permission now. | |
825 | + * | |
826 | + * Strictly speaking, we need to pass both listen()ing socket and | |
827 | + * accept()ed socket to __ccs_socket_post_accept_permission(). | |
828 | + * But since socket's family and type are same for both sockets, | |
829 | + * passing the accept()ed socket in place for the listen()ing socket | |
830 | + * will work. | |
831 | + */ | |
832 | + ret = ccs_socket_post_accept_permission(sock, sock); | |
833 | + /* | |
834 | + * If permission was granted, we forget that this is an accept()ed | |
835 | + * socket. Otherwise, we remember that this socket needs to return | |
836 | + * error for subsequent socketcalls. | |
837 | + */ | |
838 | + ccs_update_socket_tag(inode, ret); | |
839 | + return ret; | |
840 | +} | |
841 | + | |
842 | +/** | |
843 | + * ccs_socket_accept - Check permission for accept(). | |
844 | + * | |
845 | + * @sock: Pointer to "struct socket". | |
846 | + * @newsock: Pointer to "struct socket". | |
847 | + * | |
848 | + * Returns 0 on success, negative value otherwise. | |
849 | + * | |
850 | + * This hook is used for setting up environment for doing post accept() | |
851 | + * permission check. If dereferencing sock->ops->something() were ordered by | |
852 | + * rcu_dereference(), we could replace sock->ops with "a copy of original | |
853 | + * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer() | |
854 | + * in order to do post accept() permission check before returning to userspace. | |
855 | + * If we make the copy in security_socket_post_create(), it would be possible | |
856 | + * to safely replace sock->ops here, but we don't do so because we don't want | |
857 | + * to allocate memory for sockets which do not call sock->ops->accept(). | |
858 | + * Therefore, we do post accept() permission check upon next socket syscalls | |
859 | + * rather than between sock->ops->accept() and returning to userspace. | |
860 | + * This means that if a socket was close()d before calling some socket | |
861 | + * syscalls, post accept() permission check will not be done. | |
862 | + */ | |
863 | +static int ccs_socket_accept(struct socket *sock, struct socket *newsock) | |
864 | +{ | |
865 | + struct ccs_socket_tag *ptr; | |
866 | + const int rc = ccs_validate_socket(sock); | |
867 | + if (rc < 0) | |
868 | + return rc; | |
869 | + ptr = kzalloc(sizeof(*ptr), GFP_KERNEL); | |
870 | + if (!ptr) | |
871 | + return -ENOMEM; | |
872 | + /* | |
873 | + * Subsequent LSM hooks will receive "newsock". Therefore, I mark | |
874 | + * "newsock" as "an accept()ed socket but post accept() permission | |
875 | + * check is not done yet" by allocating memory using inode of the | |
876 | + * "newsock" as a search key. | |
877 | + */ | |
878 | + ptr->inode = SOCK_INODE(newsock); | |
879 | + ptr->status = 1; /* Check post accept() permission later. */ | |
880 | + spin_lock(&ccs_accepted_socket_list_lock); | |
881 | + list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list); | |
882 | + spin_unlock(&ccs_accepted_socket_list_lock); | |
883 | + return 0; | |
884 | +} | |
885 | + | |
886 | +/** | |
887 | + * ccs_socket_listen - Check permission for listen(). | |
888 | + * | |
889 | + * @sock: Pointer to "struct socket". | |
890 | + * @backlog: Backlog parameter. | |
891 | + * | |
892 | + * Returns 0 on success, negative value otherwise. | |
893 | + */ | |
894 | +static int ccs_socket_listen(struct socket *sock, int backlog) | |
895 | +{ | |
896 | + const int rc = ccs_validate_socket(sock); | |
897 | + if (rc < 0) | |
898 | + return rc; | |
899 | + return ccs_socket_listen_permission(sock); | |
900 | +} | |
901 | + | |
902 | +/** | |
903 | + * ccs_socket_connect - Check permission for connect(). | |
904 | + * | |
905 | + * @sock: Pointer to "struct socket". | |
906 | + * @addr: Pointer to "struct sockaddr". | |
907 | + * @addr_len: Size of @addr. | |
908 | + * | |
909 | + * Returns 0 on success, negative value otherwise. | |
910 | + */ | |
911 | +static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr, | |
912 | + int addr_len) | |
913 | +{ | |
914 | + const int rc = ccs_validate_socket(sock); | |
915 | + if (rc < 0) | |
916 | + return rc; | |
917 | + return ccs_socket_connect_permission(sock, addr, addr_len); | |
918 | +} | |
919 | + | |
920 | +/** | |
921 | + * ccs_socket_bind - Check permission for bind(). | |
922 | + * | |
923 | + * @sock: Pointer to "struct socket". | |
924 | + * @addr: Pointer to "struct sockaddr". | |
925 | + * @addr_len: Size of @addr. | |
926 | + * | |
927 | + * Returns 0 on success, negative value otherwise. | |
928 | + */ | |
929 | +static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr, | |
930 | + int addr_len) | |
931 | +{ | |
932 | + const int rc = ccs_validate_socket(sock); | |
933 | + if (rc < 0) | |
934 | + return rc; | |
935 | + return ccs_socket_bind_permission(sock, addr, addr_len); | |
936 | +} | |
937 | + | |
938 | +/** | |
939 | + * ccs_socket_sendmsg - Check permission for sendmsg(). | |
940 | + * | |
941 | + * @sock: Pointer to "struct socket". | |
942 | + * @msg: Pointer to "struct msghdr". | |
943 | + * @size: Size of message. | |
944 | + * | |
945 | + * Returns 0 on success, negative value otherwise. | |
946 | + */ | |
947 | +static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg, | |
948 | + int size) | |
949 | +{ | |
950 | + const int rc = ccs_validate_socket(sock); | |
951 | + if (rc < 0) | |
952 | + return rc; | |
953 | + return ccs_socket_sendmsg_permission(sock, msg, size); | |
954 | +} | |
955 | + | |
956 | +/** | |
957 | + * ccs_socket_recvmsg - Check permission for recvmsg(). | |
958 | + * | |
959 | + * @sock: Pointer to "struct socket". | |
960 | + * @msg: Pointer to "struct msghdr". | |
961 | + * @size: Size of message. | |
962 | + * @flags: Flags. | |
963 | + * | |
964 | + * Returns 0 on success, negative value otherwise. | |
965 | + */ | |
966 | +static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg, | |
967 | + int size, int flags) | |
968 | +{ | |
969 | + return ccs_validate_socket(sock); | |
970 | +} | |
971 | + | |
972 | +/** | |
973 | + * ccs_socket_getsockname - Check permission for getsockname(). | |
974 | + * | |
975 | + * @sock: Pointer to "struct socket". | |
976 | + * | |
977 | + * Returns 0 on success, negative value otherwise. | |
978 | + */ | |
979 | +static int ccs_socket_getsockname(struct socket *sock) | |
980 | +{ | |
981 | + return ccs_validate_socket(sock); | |
982 | +} | |
983 | + | |
984 | +/** | |
985 | + * ccs_socket_getpeername - Check permission for getpeername(). | |
986 | + * | |
987 | + * @sock: Pointer to "struct socket". | |
988 | + * | |
989 | + * Returns 0 on success, negative value otherwise. | |
990 | + */ | |
991 | +static int ccs_socket_getpeername(struct socket *sock) | |
992 | +{ | |
993 | + return ccs_validate_socket(sock); | |
994 | +} | |
995 | + | |
996 | +/** | |
997 | + * ccs_socket_getsockopt - Check permission for getsockopt(). | |
998 | + * | |
999 | + * @sock: Pointer to "struct socket". | |
1000 | + * @level: Level. | |
1001 | + * @optname: Option's name, | |
1002 | + * | |
1003 | + * Returns 0 on success, negative value otherwise. | |
1004 | + */ | |
1005 | +static int ccs_socket_getsockopt(struct socket *sock, int level, int optname) | |
1006 | +{ | |
1007 | + return ccs_validate_socket(sock); | |
1008 | +} | |
1009 | + | |
1010 | +/** | |
1011 | + * ccs_socket_setsockopt - Check permission for setsockopt(). | |
1012 | + * | |
1013 | + * @sock: Pointer to "struct socket". | |
1014 | + * @level: Level. | |
1015 | + * @optname: Option's name, | |
1016 | + * | |
1017 | + * Returns 0 on success, negative value otherwise. | |
1018 | + */ | |
1019 | +static int ccs_socket_setsockopt(struct socket *sock, int level, int optname) | |
1020 | +{ | |
1021 | + return ccs_validate_socket(sock); | |
1022 | +} | |
1023 | + | |
1024 | +/** | |
1025 | + * ccs_socket_shutdown - Check permission for shutdown(). | |
1026 | + * | |
1027 | + * @sock: Pointer to "struct socket". | |
1028 | + * @how: Shutdown mode. | |
1029 | + * | |
1030 | + * Returns 0 on success, negative value otherwise. | |
1031 | + */ | |
1032 | +static int ccs_socket_shutdown(struct socket *sock, int how) | |
1033 | +{ | |
1034 | + return ccs_validate_socket(sock); | |
1035 | +} | |
1036 | + | |
1037 | +#define SOCKFS_MAGIC 0x534F434B | |
1038 | + | |
1039 | +/** | |
1040 | + * ccs_inode_free_security - Release memory associated with an inode. | |
1041 | + * | |
1042 | + * @inode: Pointer to "struct inode". | |
1043 | + * | |
1044 | + * Returns nothing. | |
1045 | + * | |
1046 | + * We use this hook for releasing memory associated with an accept()ed socket. | |
1047 | + */ | |
1048 | +static void ccs_inode_free_security(struct inode *inode) | |
1049 | +{ | |
1050 | + if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC) | |
1051 | + ccs_update_socket_tag(inode, 0); | |
1052 | +} | |
1053 | + | |
1054 | +#endif | |
1055 | + | |
1056 | +/** | |
1057 | + * ccs_sb_pivotroot - Check permission for pivot_root(). | |
1058 | + * | |
1059 | + * @old_path: Pointer to "struct path". | |
1060 | + * @new_path: Pointer to "struct path". | |
1061 | + * | |
1062 | + * Returns 0 on success, negative value otherwise. | |
1063 | + */ | |
1064 | +static int ccs_sb_pivotroot(const struct path *old_path, | |
1065 | + const struct path *new_path) | |
1066 | +{ | |
1067 | + return ccs_pivot_root_permission(old_path, new_path); | |
1068 | +} | |
1069 | + | |
1070 | +/** | |
1071 | + * ccs_sb_mount - Check permission for mount(). | |
1072 | + * | |
1073 | + * @dev_name: Name of device file. | |
1074 | + * @path: Pointer to "struct path". | |
1075 | + * @type: Name of filesystem type. Maybe NULL. | |
1076 | + * @flags: Mount options. | |
1077 | + * @data_page: Optional data. Maybe NULL. | |
1078 | + * | |
1079 | + * Returns 0 on success, negative value otherwise. | |
1080 | + */ | |
1081 | +static int ccs_sb_mount(const char *dev_name, const struct path *path, | |
1082 | + const char *type, unsigned long flags, void *data_page) | |
1083 | +{ | |
1084 | + return ccs_mount_permission(dev_name, path, type, flags, data_page); | |
1085 | +} | |
1086 | + | |
1087 | +/** | |
1088 | + * ccs_sb_umount - Check permission for umount(). | |
1089 | + * | |
1090 | + * @mnt: Pointer to "struct vfsmount". | |
1091 | + * @flags: Unmount flags. | |
1092 | + * | |
1093 | + * Returns 0 on success, negative value otherwise. | |
1094 | + */ | |
1095 | +static int ccs_sb_umount(struct vfsmount *mnt, int flags) | |
1096 | +{ | |
1097 | + return ccs_umount_permission(mnt, flags); | |
1098 | +} | |
1099 | + | |
1100 | +/** | |
1101 | + * ccs_file_fcntl - Check permission for fcntl(). | |
1102 | + * | |
1103 | + * @file: Pointer to "struct file". | |
1104 | + * @cmd: Command number. | |
1105 | + * @arg: Value for @cmd. | |
1106 | + * | |
1107 | + * Returns 0 on success, negative value otherwise. | |
1108 | + */ | |
1109 | +static int ccs_file_fcntl(struct file *file, unsigned int cmd, | |
1110 | + unsigned long arg) | |
1111 | +{ | |
1112 | + return ccs_fcntl_permission(file, cmd, arg); | |
1113 | +} | |
1114 | + | |
1115 | +/** | |
1116 | + * ccs_file_ioctl - Check permission for ioctl(). | |
1117 | + * | |
1118 | + * @filp: Pointer to "struct file". | |
1119 | + * @cmd: Command number. | |
1120 | + * @arg: Value for @cmd. | |
1121 | + * | |
1122 | + * Returns 0 on success, negative value otherwise. | |
1123 | + */ | |
1124 | +static int ccs_file_ioctl(struct file *filp, unsigned int cmd, | |
1125 | + unsigned long arg) | |
1126 | +{ | |
1127 | + return ccs_ioctl_permission(filp, cmd, arg); | |
1128 | +} | |
1129 | + | |
1130 | +#define MY_HOOK_INIT(HEAD, HOOK) \ | |
1131 | + { .head = &probe_dummy_security_hook_heads.HEAD, \ | |
1132 | + .hook = { .HEAD = HOOK } } | |
1133 | + | |
1134 | +static struct security_hook_list akari_hooks[] = { | |
1135 | + /* Security context allocator. */ | |
1136 | + MY_HOOK_INIT(cred_free, ccs_cred_free), | |
1137 | + MY_HOOK_INIT(cred_prepare, ccs_cred_prepare), | |
1138 | + MY_HOOK_INIT(cred_alloc_blank, ccs_cred_alloc_blank), | |
1139 | + MY_HOOK_INIT(cred_transfer, ccs_cred_transfer), | |
1140 | + MY_HOOK_INIT(task_create, ccs_task_create), | |
1141 | + /* Security context updater for successful execve(). */ | |
1142 | + MY_HOOK_INIT(bprm_check_security, ccs_bprm_check_security), | |
1143 | + MY_HOOK_INIT(bprm_committing_creds, ccs_bprm_committing_creds), | |
1144 | + /* Various permission checker. */ | |
1145 | + MY_HOOK_INIT(file_open, ccs_file_open), | |
1146 | + MY_HOOK_INIT(file_fcntl, ccs_file_fcntl), | |
1147 | + MY_HOOK_INIT(file_ioctl, ccs_file_ioctl), | |
1148 | + MY_HOOK_INIT(sb_pivotroot, ccs_sb_pivotroot), | |
1149 | + MY_HOOK_INIT(sb_mount, ccs_sb_mount), | |
1150 | + MY_HOOK_INIT(sb_umount, ccs_sb_umount), | |
1151 | +#ifdef CONFIG_SECURITY_PATH | |
1152 | + MY_HOOK_INIT(path_mknod, ccs_path_mknod), | |
1153 | + MY_HOOK_INIT(path_mkdir, ccs_path_mkdir), | |
1154 | + MY_HOOK_INIT(path_rmdir, ccs_path_rmdir), | |
1155 | + MY_HOOK_INIT(path_unlink, ccs_path_unlink), | |
1156 | + MY_HOOK_INIT(path_symlink, ccs_path_symlink), | |
1157 | + MY_HOOK_INIT(path_rename, ccs_path_rename), | |
1158 | + MY_HOOK_INIT(path_link, ccs_path_link), | |
1159 | + MY_HOOK_INIT(path_truncate, ccs_path_truncate), | |
1160 | + MY_HOOK_INIT(path_chmod, ccs_path_chmod), | |
1161 | + MY_HOOK_INIT(path_chown, ccs_path_chown), | |
1162 | + MY_HOOK_INIT(path_chroot, ccs_path_chroot), | |
1163 | +#else | |
1164 | + MY_HOOK_INIT(inode_mknod, ccs_inode_mknod), | |
1165 | + MY_HOOK_INIT(inode_mkdir, ccs_inode_mkdir), | |
1166 | + MY_HOOK_INIT(inode_rmdir, ccs_inode_rmdir), | |
1167 | + MY_HOOK_INIT(inode_unlink, ccs_inode_unlink), | |
1168 | + MY_HOOK_INIT(inode_symlink, ccs_inode_symlink), | |
1169 | + MY_HOOK_INIT(inode_rename, ccs_inode_rename), | |
1170 | + MY_HOOK_INIT(inode_link, ccs_inode_link), | |
1171 | + MY_HOOK_INIT(inode_create, ccs_inode_create), | |
1172 | + MY_HOOK_INIT(inode_setattr, ccs_inode_setattr), | |
1173 | +#endif | |
1174 | + MY_HOOK_INIT(inode_getattr, ccs_inode_getattr), | |
1175 | +#ifdef CONFIG_SECURITY_NETWORK | |
1176 | + MY_HOOK_INIT(socket_bind, ccs_socket_bind), | |
1177 | + MY_HOOK_INIT(socket_connect, ccs_socket_connect), | |
1178 | + MY_HOOK_INIT(socket_listen, ccs_socket_listen), | |
1179 | + MY_HOOK_INIT(socket_sendmsg, ccs_socket_sendmsg), | |
1180 | + MY_HOOK_INIT(socket_recvmsg, ccs_socket_recvmsg), | |
1181 | + MY_HOOK_INIT(socket_getsockname, ccs_socket_getsockname), | |
1182 | + MY_HOOK_INIT(socket_getpeername, ccs_socket_getpeername), | |
1183 | + MY_HOOK_INIT(socket_getsockopt, ccs_socket_getsockopt), | |
1184 | + MY_HOOK_INIT(socket_setsockopt, ccs_socket_setsockopt), | |
1185 | + MY_HOOK_INIT(socket_shutdown, ccs_socket_shutdown), | |
1186 | + MY_HOOK_INIT(socket_accept, ccs_socket_accept), | |
1187 | + MY_HOOK_INIT(inode_free_security, ccs_inode_free_security), | |
1188 | +#endif | |
1189 | +}; | |
1190 | + | |
1191 | +static inline void add_hook(struct security_hook_list *hook) | |
1192 | +{ | |
1193 | + list_add_tail_rcu(&hook->list, hook->head); | |
1194 | +} | |
1195 | + | |
1196 | +static void __init swap_hook(struct security_hook_list *hook, | |
1197 | + union security_list_options *original) | |
1198 | +{ | |
1199 | + struct list_head *list = hook->head; | |
1200 | + if (list_empty(list)) { | |
1201 | + add_hook(hook); | |
1202 | + } else { | |
1203 | + struct security_hook_list *shp = | |
1204 | + list_last_entry(list, struct security_hook_list, list); | |
1205 | + *original = shp->hook; | |
1206 | + smp_wmb(); | |
1207 | + shp->hook = hook->hook; | |
1208 | + } | |
1209 | +} | |
1210 | + | |
1211 | +/** | |
1212 | + * ccs_init - Initialize this module. | |
1213 | + * | |
1214 | + * Returns 0 on success, negative value otherwise. | |
1215 | + */ | |
1216 | +static int __init ccs_init(void) | |
1217 | +{ | |
1218 | + int idx; | |
1219 | + struct security_hook_heads *hooks = probe_security_hook_heads(); | |
1220 | + if (!hooks) | |
1221 | + goto out; | |
1222 | + for (idx = 0; idx < ARRAY_SIZE(akari_hooks); idx++) | |
1223 | + akari_hooks[idx].head = ((void *) hooks) | |
1224 | + + ((unsigned long) akari_hooks[idx].head) | |
1225 | + - ((unsigned long) &probe_dummy_security_hook_heads); | |
1226 | + ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid(); | |
1227 | + if (!ccsecurity_exports.find_task_by_vpid) | |
1228 | + goto out; | |
1229 | + ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns(); | |
1230 | + if (!ccsecurity_exports.find_task_by_pid_ns) | |
1231 | + goto out; | |
1232 | + ccsecurity_exports.d_absolute_path = probe_d_absolute_path(); | |
1233 | + if (!ccsecurity_exports.d_absolute_path) | |
1234 | + goto out; | |
1235 | + for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) { | |
1236 | + INIT_LIST_HEAD(&ccs_cred_security_list[idx]); | |
1237 | + INIT_LIST_HEAD(&ccs_task_security_list[idx]); | |
1238 | + } | |
1239 | + ccs_main_init(); | |
1240 | + swap_hook(&akari_hooks[0], &original_cred_free); | |
1241 | + swap_hook(&akari_hooks[1], &original_cred_prepare); | |
1242 | + swap_hook(&akari_hooks[2], &original_cred_alloc_blank); | |
1243 | + for (idx = 3; idx < ARRAY_SIZE(akari_hooks); idx++) | |
1244 | + add_hook(&akari_hooks[idx]); | |
1245 | + printk(KERN_INFO "AKARI: 1.0.40 2019/12/25\n"); | |
1246 | + printk(KERN_INFO | |
1247 | + "Access Keeping And Regulating Instrument registered.\n"); | |
1248 | + return 0; | |
1249 | +out: | |
1250 | + return -EINVAL; | |
1251 | +} | |
1252 | + | |
1253 | +module_init(ccs_init); | |
1254 | +MODULE_LICENSE("GPL"); | |
1255 | + | |
1256 | +/** | |
1257 | + * ccs_used_by_cred - Check whether the given domain is in use or not. | |
1258 | + * | |
1259 | + * @domain: Pointer to "struct ccs_domain_info". | |
1260 | + * | |
1261 | + * Returns true if @domain is in use, false otherwise. | |
1262 | + * | |
1263 | + * Caller holds rcu_read_lock(). | |
1264 | + */ | |
1265 | +bool ccs_used_by_cred(const struct ccs_domain_info *domain) | |
1266 | +{ | |
1267 | + int idx; | |
1268 | + struct ccs_security *ptr; | |
1269 | + for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) { | |
1270 | + struct list_head *list = &ccs_cred_security_list[idx]; | |
1271 | + list_for_each_entry_rcu(ptr, list, list) { | |
1272 | + struct ccs_execve *ee = ptr->ee; | |
1273 | + if (ptr->ccs_domain_info == domain || | |
1274 | + (ee && ee->previous_domain == domain)) { | |
1275 | + return true; | |
1276 | + } | |
1277 | + } | |
1278 | + } | |
1279 | + return false; | |
1280 | +} | |
1281 | + | |
1282 | +/** | |
1283 | + * ccs_add_task_security - Add "struct ccs_security" to list. | |
1284 | + * | |
1285 | + * @ptr: Pointer to "struct ccs_security". | |
1286 | + * @list: Pointer to "struct list_head". | |
1287 | + * | |
1288 | + * Returns nothing. | |
1289 | + */ | |
1290 | +static void ccs_add_task_security(struct ccs_security *ptr, | |
1291 | + struct list_head *list) | |
1292 | +{ | |
1293 | + unsigned long flags; | |
1294 | + spin_lock_irqsave(&ccs_task_security_list_lock, flags); | |
1295 | + list_add_rcu(&ptr->list, list); | |
1296 | + spin_unlock_irqrestore(&ccs_task_security_list_lock, flags); | |
1297 | +} | |
1298 | + | |
1299 | +/** | |
1300 | + * ccs_find_task_security - Find "struct ccs_security" for given task. | |
1301 | + * | |
1302 | + * @task: Pointer to "struct task_struct". | |
1303 | + * | |
1304 | + * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on | |
1305 | + * out of memory, &ccs_default_security otherwise. | |
1306 | + * | |
1307 | + * If @task is current thread and "struct ccs_security" for current thread was | |
1308 | + * not found, I try to allocate it. But if allocation failed, current thread | |
1309 | + * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL | |
1310 | + * won't work. | |
1311 | + */ | |
1312 | +struct ccs_security *ccs_find_task_security(const struct task_struct *task) | |
1313 | +{ | |
1314 | + struct ccs_security *ptr; | |
1315 | + struct list_head *list = &ccs_task_security_list | |
1316 | + [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)]; | |
1317 | + /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */ | |
1318 | + while (!list->next) | |
1319 | + smp_rmb(); | |
1320 | + rcu_read_lock(); | |
1321 | + list_for_each_entry_rcu(ptr, list, list) { | |
1322 | + if (ptr->pid != task->pids[PIDTYPE_PID].pid) | |
1323 | + continue; | |
1324 | + rcu_read_unlock(); | |
1325 | + /* | |
1326 | + * Current thread needs to transit from old domain to new | |
1327 | + * domain before do_execve() succeeds in order to check | |
1328 | + * permission for interpreters and environment variables using | |
1329 | + * new domain's ACL rules. The domain transition has to be | |
1330 | + * visible from other CPU in order to allow interactive | |
1331 | + * enforcing mode. Also, the domain transition has to be | |
1332 | + * reverted if do_execve() failed. However, an LSM hook for | |
1333 | + * reverting domain transition is missing. | |
1334 | + * | |
1335 | + * security_prepare_creds() is called from prepare_creds() from | |
1336 | + * prepare_bprm_creds() from do_execve() before setting | |
1337 | + * current->in_execve flag, and current->in_execve flag is | |
1338 | + * cleared by the time next do_execve() request starts. | |
1339 | + * This means that we can emulate the missing LSM hook for | |
1340 | + * reverting domain transition, by calling this function from | |
1341 | + * security_prepare_creds(). | |
1342 | + * | |
1343 | + * If current->in_execve is not set but ptr->ccs_flags has | |
1344 | + * CCS_TASK_IS_IN_EXECVE set, it indicates that do_execve() | |
1345 | + * has failed and reverting domain transition is needed. | |
1346 | + */ | |
1347 | + if (task == current && | |
1348 | + (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE) && | |
1349 | + !current->in_execve) { | |
1350 | + ccs_debug_trace("4"); | |
1351 | + ccs_clear_execve(-1, ptr); | |
1352 | + } | |
1353 | + return ptr; | |
1354 | + } | |
1355 | + rcu_read_unlock(); | |
1356 | + if (task != current) { | |
1357 | + /* | |
1358 | + * If a thread does nothing after fork(), caller will reach | |
1359 | + * here because "struct ccs_security" for that thread is not | |
1360 | + * yet allocated. But that thread is keeping a snapshot of | |
1361 | + * "struct ccs_security" taken as of ccs_task_create() | |
1362 | + * associated with that thread's "struct cred". | |
1363 | + * | |
1364 | + * Since that snapshot will be used as initial data when that | |
1365 | + * thread allocates "struct ccs_security" for that thread, we | |
1366 | + * can return that snapshot rather than &ccs_default_security. | |
1367 | + * | |
1368 | + * Since this function is called by only ccs_select_one() and | |
1369 | + * ccs_read_pid() (via ccs_task_domain() and ccs_task_flags()), | |
1370 | + * it is guaranteed that caller has called rcu_read_lock() | |
1371 | + * (via ccs_tasklist_lock()) before finding this thread and | |
1372 | + * this thread is valid. Therefore, we can do __task_cred(task) | |
1373 | + * like get_robust_list() does. | |
1374 | + */ | |
1375 | + return ccs_find_cred_security(__task_cred(task)); | |
1376 | + } | |
1377 | + /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */ | |
1378 | + ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC); | |
1379 | + if (!ptr) { | |
1380 | + printk(KERN_WARNING "Unable to allocate memory for pid=%u\n", | |
1381 | + task->pid); | |
1382 | + send_sig(SIGKILL, current, 0); | |
1383 | + return &ccs_oom_security; | |
1384 | + } | |
1385 | + *ptr = *ccs_find_cred_security(task->cred); | |
1386 | + /* We can shortcut because task == current. */ | |
1387 | + ptr->pid = get_pid(((struct task_struct *) task)-> | |
1388 | + pids[PIDTYPE_PID].pid); | |
1389 | + ptr->cred = NULL; | |
1390 | + ccs_add_task_security(ptr, list); | |
1391 | + return ptr; | |
1392 | +} | |
1393 | + | |
1394 | +/** | |
1395 | + * ccs_copy_cred_security - Allocate memory for new credentials. | |
1396 | + * | |
1397 | + * @new: Pointer to "struct cred". | |
1398 | + * @old: Pointer to "struct cred". | |
1399 | + * @gfp: Memory allocation flags. | |
1400 | + * | |
1401 | + * Returns 0 on success, negative value otherwise. | |
1402 | + */ | |
1403 | +static int ccs_copy_cred_security(const struct cred *new, | |
1404 | + const struct cred *old, gfp_t gfp) | |
1405 | +{ | |
1406 | + struct ccs_security *old_security = ccs_find_cred_security(old); | |
1407 | + struct ccs_security *new_security = | |
1408 | + kzalloc(sizeof(*new_security), gfp); | |
1409 | + if (!new_security) | |
1410 | + return -ENOMEM; | |
1411 | + *new_security = *old_security; | |
1412 | + new_security->cred = new; | |
1413 | + ccs_add_cred_security(new_security); | |
1414 | + return 0; | |
1415 | +} | |
1416 | + | |
1417 | +/** | |
1418 | + * ccs_find_cred_security - Find "struct ccs_security" for given credential. | |
1419 | + * | |
1420 | + * @cred: Pointer to "struct cred". | |
1421 | + * | |
1422 | + * Returns pointer to "struct ccs_security" on success, &ccs_default_security | |
1423 | + * otherwise. | |
1424 | + */ | |
1425 | +static struct ccs_security *ccs_find_cred_security(const struct cred *cred) | |
1426 | +{ | |
1427 | + struct ccs_security *ptr; | |
1428 | + struct list_head *list = &ccs_cred_security_list | |
1429 | + [hash_ptr((void *) cred, CCS_TASK_SECURITY_HASH_BITS)]; | |
1430 | + rcu_read_lock(); | |
1431 | + list_for_each_entry_rcu(ptr, list, list) { | |
1432 | + if (ptr->cred != cred) | |
1433 | + continue; | |
1434 | + rcu_read_unlock(); | |
1435 | + return ptr; | |
1436 | + } | |
1437 | + rcu_read_unlock(); | |
1438 | + return &ccs_default_security; | |
1439 | +} | |
1440 | + | |
1441 | +/** | |
1442 | + * ccs_task_security_gc - Do garbage collection for "struct task_struct". | |
1443 | + * | |
1444 | + * Returns nothing. | |
1445 | + * | |
1446 | + * Since security_task_free() is missing, I can't release memory associated | |
1447 | + * with "struct task_struct" when a task dies. Therefore, I hold a reference on | |
1448 | + * "struct pid" and runs garbage collection when associated | |
1449 | + * "struct task_struct" has gone. | |
1450 | + */ | |
1451 | +static void ccs_task_security_gc(void) | |
1452 | +{ | |
1453 | + static DEFINE_SPINLOCK(lock); | |
1454 | + static atomic_t gc_counter = ATOMIC_INIT(0); | |
1455 | + unsigned int idx; | |
1456 | + /* | |
1457 | + * If some process is doing execve(), try to garbage collection now. | |
1458 | + * We should kfree() memory associated with "struct ccs_security"->ee | |
1459 | + * as soon as execve() has completed in order to compensate for lack of | |
1460 | + * security_bprm_free() and security_task_free() hooks. | |
1461 | + * | |
1462 | + * Otherwise, reduce frequency for performance reason. | |
1463 | + */ | |
1464 | + if (!atomic_read(&ccs_in_execve_tasks) && | |
1465 | + atomic_inc_return(&gc_counter) < 1024) | |
1466 | + return; | |
1467 | + if (!spin_trylock(&lock)) | |
1468 | + return; | |
1469 | + atomic_set(&gc_counter, 0); | |
1470 | + rcu_read_lock(); | |
1471 | + for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) { | |
1472 | + struct ccs_security *ptr; | |
1473 | + struct list_head *list = &ccs_task_security_list[idx]; | |
1474 | + list_for_each_entry_rcu(ptr, list, list) { | |
1475 | + if (pid_task(ptr->pid, PIDTYPE_PID)) | |
1476 | + continue; | |
1477 | + ccs_del_security(ptr); | |
1478 | + } | |
1479 | + } | |
1480 | + rcu_read_unlock(); | |
1481 | + spin_unlock(&lock); | |
1482 | +} |
@@ -0,0 +1,34 @@ | ||
1 | +/* | |
2 | + * lsm.c | |
3 | + * | |
4 | + * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> | |
5 | + * | |
6 | + * Version: 1.0.40 2019/12/25 | |
7 | + */ | |
8 | + | |
9 | +#include <linux/version.h> | |
10 | +#include <linux/security.h> | |
11 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0) | |
12 | +#include "lsm-4.12.c" | |
13 | +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 7, 0) | |
14 | +#include "lsm-4.7.c" | |
15 | +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 2, 0) | |
16 | +#include "lsm-4.2.c" | |
17 | +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 29) | |
18 | +#include "lsm-2.6.29.c" | |
19 | +/* | |
20 | + * AppArmor patch added "struct vfsmount *" to security_inode_\*() hooks. | |
21 | + * Detect it by checking whether D_PATH_DISCONNECT is defined or not. | |
22 | + * Also, there may be other kernels with "struct vfsmount *" added. | |
23 | + * If you got build failure, check security_inode_\*() hooks in | |
24 | + * include/linux/security.h. | |
25 | + */ | |
26 | +#elif defined(D_PATH_DISCONNECT) | |
27 | +#include "lsm-2.6.0-vfs.c" | |
28 | +#elif defined(CONFIG_SUSE_KERNEL) && LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 25) | |
29 | +#include "lsm-2.6.0-vfs.c" | |
30 | +#elif defined(CONFIG_SECURITY_APPARMOR) && LINUX_VERSION_CODE == KERNEL_VERSION(2, 6, 24) | |
31 | +#include "lsm-2.6.0-vfs.c" | |
32 | +#else | |
33 | +#include "lsm-2.6.0.c" | |
34 | +#endif |
@@ -0,0 +1,5081 @@ | ||
1 | +/* | |
2 | + * security/ccsecurity/permission.c | |
3 | + * | |
4 | + * Copyright (C) 2005-2012 NTT DATA CORPORATION | |
5 | + * | |
6 | + * Version: 1.8.6+ 2019/12/25 | |
7 | + */ | |
8 | + | |
9 | +#include "internal.h" | |
10 | + | |
11 | +/***** SECTION1: Constants definition *****/ | |
12 | + | |
13 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32) | |
14 | + | |
15 | +/* | |
16 | + * may_open() receives open flags modified by open_to_namei_flags() until | |
17 | + * 2.6.32. We stop here in case some distributions backported ACC_MODE changes, | |
18 | + * for we can't determine whether may_open() receives open flags modified by | |
19 | + * open_to_namei_flags() or not. | |
20 | + */ | |
21 | +#ifdef ACC_MODE | |
22 | +#error ACC_MODE already defined. | |
23 | +#endif | |
24 | +#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE]) | |
25 | + | |
26 | +#if defined(RHEL_MAJOR) && RHEL_MAJOR == 6 | |
27 | +/* RHEL6 passes unmodified flags since 2.6.32-71.14.1.el6 . */ | |
28 | +#undef ACC_MODE | |
29 | +#define ACC_MODE(x) ("\004\002\006"[(x)&O_ACCMODE]) | |
30 | +#endif | |
31 | + | |
32 | +#endif | |
33 | + | |
34 | +/* String table for special mount operations. */ | |
35 | +static const char * const ccs_mounts[CCS_MAX_SPECIAL_MOUNT] = { | |
36 | + [CCS_MOUNT_BIND] = "--bind", | |
37 | + [CCS_MOUNT_MOVE] = "--move", | |
38 | + [CCS_MOUNT_REMOUNT] = "--remount", | |
39 | + [CCS_MOUNT_MAKE_UNBINDABLE] = "--make-unbindable", | |
40 | + [CCS_MOUNT_MAKE_PRIVATE] = "--make-private", | |
41 | + [CCS_MOUNT_MAKE_SLAVE] = "--make-slave", | |
42 | + [CCS_MOUNT_MAKE_SHARED] = "--make-shared", | |
43 | +}; | |
44 | + | |
45 | +/* Mapping table from "enum ccs_path_acl_index" to "enum ccs_mac_index". */ | |
46 | +static const u8 ccs_p2mac[CCS_MAX_PATH_OPERATION] = { | |
47 | + [CCS_TYPE_EXECUTE] = CCS_MAC_FILE_EXECUTE, | |
48 | + [CCS_TYPE_READ] = CCS_MAC_FILE_OPEN, | |
49 | + [CCS_TYPE_WRITE] = CCS_MAC_FILE_OPEN, | |
50 | + [CCS_TYPE_APPEND] = CCS_MAC_FILE_OPEN, | |
51 | + [CCS_TYPE_UNLINK] = CCS_MAC_FILE_UNLINK, | |
52 | +#ifdef CONFIG_CCSECURITY_FILE_GETATTR | |
53 | + [CCS_TYPE_GETATTR] = CCS_MAC_FILE_GETATTR, | |
54 | +#endif | |
55 | + [CCS_TYPE_RMDIR] = CCS_MAC_FILE_RMDIR, | |
56 | + [CCS_TYPE_TRUNCATE] = CCS_MAC_FILE_TRUNCATE, | |
57 | + [CCS_TYPE_SYMLINK] = CCS_MAC_FILE_SYMLINK, | |
58 | + [CCS_TYPE_CHROOT] = CCS_MAC_FILE_CHROOT, | |
59 | + [CCS_TYPE_UMOUNT] = CCS_MAC_FILE_UMOUNT, | |
60 | +}; | |
61 | + | |
62 | +/* Mapping table from "enum ccs_mkdev_acl_index" to "enum ccs_mac_index". */ | |
63 | +const u8 ccs_pnnn2mac[CCS_MAX_MKDEV_OPERATION] = { | |
64 | + [CCS_TYPE_MKBLOCK] = CCS_MAC_FILE_MKBLOCK, | |
65 | + [CCS_TYPE_MKCHAR] = CCS_MAC_FILE_MKCHAR, | |
66 | +}; | |
67 | + | |
68 | +/* Mapping table from "enum ccs_path2_acl_index" to "enum ccs_mac_index". */ | |
69 | +const u8 ccs_pp2mac[CCS_MAX_PATH2_OPERATION] = { | |
70 | + [CCS_TYPE_LINK] = CCS_MAC_FILE_LINK, | |
71 | + [CCS_TYPE_RENAME] = CCS_MAC_FILE_RENAME, | |
72 | + [CCS_TYPE_PIVOT_ROOT] = CCS_MAC_FILE_PIVOT_ROOT, | |
73 | +}; | |
74 | + | |
75 | +/* | |
76 | + * Mapping table from "enum ccs_path_number_acl_index" to "enum ccs_mac_index". | |
77 | + */ | |
78 | +const u8 ccs_pn2mac[CCS_MAX_PATH_NUMBER_OPERATION] = { | |
79 | + [CCS_TYPE_CREATE] = CCS_MAC_FILE_CREATE, | |
80 | + [CCS_TYPE_MKDIR] = CCS_MAC_FILE_MKDIR, | |
81 | + [CCS_TYPE_MKFIFO] = CCS_MAC_FILE_MKFIFO, | |
82 | + [CCS_TYPE_MKSOCK] = CCS_MAC_FILE_MKSOCK, | |
83 | + [CCS_TYPE_IOCTL] = CCS_MAC_FILE_IOCTL, | |
84 | + [CCS_TYPE_CHMOD] = CCS_MAC_FILE_CHMOD, | |
85 | + [CCS_TYPE_CHOWN] = CCS_MAC_FILE_CHOWN, | |
86 | + [CCS_TYPE_CHGRP] = CCS_MAC_FILE_CHGRP, | |
87 | +}; | |
88 | + | |
89 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
90 | + | |
91 | +/* | |
92 | + * Mapping table from "enum ccs_network_acl_index" to "enum ccs_mac_index" for | |
93 | + * inet domain socket. | |
94 | + */ | |
95 | +static const u8 ccs_inet2mac[CCS_SOCK_MAX][CCS_MAX_NETWORK_OPERATION] = { | |
96 | + [SOCK_STREAM] = { | |
97 | + [CCS_NETWORK_BIND] = CCS_MAC_NETWORK_INET_STREAM_BIND, | |
98 | + [CCS_NETWORK_LISTEN] = CCS_MAC_NETWORK_INET_STREAM_LISTEN, | |
99 | + [CCS_NETWORK_CONNECT] = CCS_MAC_NETWORK_INET_STREAM_CONNECT, | |
100 | + [CCS_NETWORK_ACCEPT] = CCS_MAC_NETWORK_INET_STREAM_ACCEPT, | |
101 | + }, | |
102 | + [SOCK_DGRAM] = { | |
103 | + [CCS_NETWORK_BIND] = CCS_MAC_NETWORK_INET_DGRAM_BIND, | |
104 | + [CCS_NETWORK_SEND] = CCS_MAC_NETWORK_INET_DGRAM_SEND, | |
105 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
106 | + [CCS_NETWORK_RECV] = CCS_MAC_NETWORK_INET_DGRAM_RECV, | |
107 | +#endif | |
108 | + }, | |
109 | + [SOCK_RAW] = { | |
110 | + [CCS_NETWORK_BIND] = CCS_MAC_NETWORK_INET_RAW_BIND, | |
111 | + [CCS_NETWORK_SEND] = CCS_MAC_NETWORK_INET_RAW_SEND, | |
112 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
113 | + [CCS_NETWORK_RECV] = CCS_MAC_NETWORK_INET_RAW_RECV, | |
114 | +#endif | |
115 | + }, | |
116 | +}; | |
117 | + | |
118 | +/* | |
119 | + * Mapping table from "enum ccs_network_acl_index" to "enum ccs_mac_index" for | |
120 | + * unix domain socket. | |
121 | + */ | |
122 | +static const u8 ccs_unix2mac[CCS_SOCK_MAX][CCS_MAX_NETWORK_OPERATION] = { | |
123 | + [SOCK_STREAM] = { | |
124 | + [CCS_NETWORK_BIND] = CCS_MAC_NETWORK_UNIX_STREAM_BIND, | |
125 | + [CCS_NETWORK_LISTEN] = CCS_MAC_NETWORK_UNIX_STREAM_LISTEN, | |
126 | + [CCS_NETWORK_CONNECT] = CCS_MAC_NETWORK_UNIX_STREAM_CONNECT, | |
127 | + [CCS_NETWORK_ACCEPT] = CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT, | |
128 | + }, | |
129 | + [SOCK_DGRAM] = { | |
130 | + [CCS_NETWORK_BIND] = CCS_MAC_NETWORK_UNIX_DGRAM_BIND, | |
131 | + [CCS_NETWORK_SEND] = CCS_MAC_NETWORK_UNIX_DGRAM_SEND, | |
132 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
133 | + [CCS_NETWORK_RECV] = CCS_MAC_NETWORK_UNIX_DGRAM_RECV, | |
134 | +#endif | |
135 | + }, | |
136 | + [SOCK_SEQPACKET] = { | |
137 | + [CCS_NETWORK_BIND] = CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND, | |
138 | + [CCS_NETWORK_LISTEN] = CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN, | |
139 | + [CCS_NETWORK_CONNECT] = CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT, | |
140 | + [CCS_NETWORK_ACCEPT] = CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT, | |
141 | + }, | |
142 | +}; | |
143 | + | |
144 | +#endif | |
145 | + | |
146 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
147 | + | |
148 | +/* | |
149 | + * Mapping table from "enum ccs_capability_acl_index" to "enum ccs_mac_index". | |
150 | + */ | |
151 | +const u8 ccs_c2mac[CCS_MAX_CAPABILITY_INDEX] = { | |
152 | + [CCS_USE_ROUTE_SOCKET] = CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET, | |
153 | + [CCS_USE_PACKET_SOCKET] = CCS_MAC_CAPABILITY_USE_PACKET_SOCKET, | |
154 | + [CCS_SYS_REBOOT] = CCS_MAC_CAPABILITY_SYS_REBOOT, | |
155 | + [CCS_SYS_VHANGUP] = CCS_MAC_CAPABILITY_SYS_VHANGUP, | |
156 | + [CCS_SYS_SETTIME] = CCS_MAC_CAPABILITY_SYS_SETTIME, | |
157 | + [CCS_SYS_NICE] = CCS_MAC_CAPABILITY_SYS_NICE, | |
158 | + [CCS_SYS_SETHOSTNAME] = CCS_MAC_CAPABILITY_SYS_SETHOSTNAME, | |
159 | + [CCS_USE_KERNEL_MODULE] = CCS_MAC_CAPABILITY_USE_KERNEL_MODULE, | |
160 | + [CCS_SYS_KEXEC_LOAD] = CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD, | |
161 | + [CCS_SYS_PTRACE] = CCS_MAC_CAPABILITY_SYS_PTRACE, | |
162 | +}; | |
163 | + | |
164 | +#endif | |
165 | + | |
166 | +/***** SECTION2: Structure definition *****/ | |
167 | + | |
168 | +/* Structure for holding inet domain socket's address. */ | |
169 | +struct ccs_inet_addr_info { | |
170 | + u16 port; /* In network byte order. */ | |
171 | + const u32 *address; /* In network byte order. */ | |
172 | + bool is_ipv6; | |
173 | +}; | |
174 | + | |
175 | +/* Structure for holding unix domain socket's address. */ | |
176 | +struct ccs_unix_addr_info { | |
177 | + u8 *addr; /* This may not be '\0' terminated string. */ | |
178 | + unsigned int addr_len; | |
179 | +}; | |
180 | + | |
181 | +/* Structure for holding socket address. */ | |
182 | +struct ccs_addr_info { | |
183 | + u8 protocol; | |
184 | + u8 operation; | |
185 | + struct ccs_inet_addr_info inet; | |
186 | + struct ccs_unix_addr_info unix0; | |
187 | +}; | |
188 | + | |
189 | +/***** SECTION3: Prototype definition section *****/ | |
190 | + | |
191 | +bool ccs_dump_page(struct linux_binprm *bprm, unsigned long pos, | |
192 | + struct ccs_page_dump *dump); | |
193 | +void ccs_get_attributes(struct ccs_obj_info *obj); | |
194 | + | |
195 | +static bool ccs_alphabet_char(const char c); | |
196 | +static bool ccs_argv(const unsigned int index, const char *arg_ptr, | |
197 | + const int argc, const struct ccs_argv *argv, u8 *checked); | |
198 | +static bool ccs_byte_range(const char *str); | |
199 | +static bool ccs_check_entry(struct ccs_request_info *r, | |
200 | + struct ccs_acl_info *ptr); | |
201 | +static bool ccs_check_mkdev_acl(struct ccs_request_info *r, | |
202 | + const struct ccs_acl_info *ptr); | |
203 | +static bool ccs_check_mount_acl(struct ccs_request_info *r, | |
204 | + const struct ccs_acl_info *ptr); | |
205 | +static bool ccs_check_path2_acl(struct ccs_request_info *r, | |
206 | + const struct ccs_acl_info *ptr); | |
207 | +static bool ccs_check_path_acl(struct ccs_request_info *r, | |
208 | + const struct ccs_acl_info *ptr); | |
209 | +static bool ccs_check_path_number_acl(struct ccs_request_info *r, | |
210 | + const struct ccs_acl_info *ptr); | |
211 | +static bool ccs_compare_number_union(const unsigned long value, | |
212 | + const struct ccs_number_union *ptr); | |
213 | +static bool ccs_condition(struct ccs_request_info *r, | |
214 | + const struct ccs_condition *cond); | |
215 | +static bool ccs_decimal(const char c); | |
216 | +static bool ccs_envp(const char *env_name, const char *env_value, | |
217 | + const int envc, const struct ccs_envp *envp, u8 *checked); | |
218 | +static bool ccs_file_matches_pattern(const char *filename, | |
219 | + const char *filename_end, | |
220 | + const char *pattern, | |
221 | + const char *pattern_end); | |
222 | +static bool ccs_file_matches_pattern2(const char *filename, | |
223 | + const char *filename_end, | |
224 | + const char *pattern, | |
225 | + const char *pattern_end); | |
226 | +static bool ccs_get_realpath(struct ccs_path_info *buf, struct path *path); | |
227 | +static bool ccs_hexadecimal(const char c); | |
228 | +static bool ccs_number_matches_group(const unsigned long min, | |
229 | + const unsigned long max, | |
230 | + const struct ccs_group *group); | |
231 | +static bool ccs_path_matches_pattern(const struct ccs_path_info *filename, | |
232 | + const struct ccs_path_info *pattern); | |
233 | +static bool ccs_path_matches_pattern2(const char *f, const char *p); | |
234 | +static bool ccs_scan_bprm(struct ccs_execve *ee, const u16 argc, | |
235 | + const struct ccs_argv *argv, const u16 envc, | |
236 | + const struct ccs_envp *envp); | |
237 | +static bool ccs_scan_exec_realpath(struct file *file, | |
238 | + const struct ccs_name_union *ptr, | |
239 | + const bool match); | |
240 | +static bool ccs_scan_transition(const struct list_head *list, | |
241 | + const struct ccs_path_info *domainname, | |
242 | + const struct ccs_path_info *program, | |
243 | + const char *last_name, | |
244 | + const enum ccs_transition_type type); | |
245 | +static const char *ccs_last_word(const char *name); | |
246 | +static const struct ccs_path_info *ccs_compare_name_union | |
247 | +(const struct ccs_path_info *name, const struct ccs_name_union *ptr); | |
248 | +static const struct ccs_path_info *ccs_path_matches_group | |
249 | +(const struct ccs_path_info *pathname, const struct ccs_group *group); | |
250 | +static enum ccs_transition_type ccs_transition_type | |
251 | +(const struct ccs_policy_namespace *ns, const struct ccs_path_info *domainname, | |
252 | + const struct ccs_path_info *program); | |
253 | +static int __ccs_chmod_permission(struct dentry *dentry, | |
254 | + struct vfsmount *vfsmnt, mode_t mode); | |
255 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0) | |
256 | +static int __ccs_chown_permission(struct dentry *dentry, | |
257 | + struct vfsmount *vfsmnt, kuid_t user, | |
258 | + kgid_t group); | |
259 | +#else | |
260 | +static int __ccs_chown_permission(struct dentry *dentry, | |
261 | + struct vfsmount *vfsmnt, uid_t user, | |
262 | + gid_t group); | |
263 | +#endif | |
264 | +static int __ccs_chroot_permission(const struct path *path); | |
265 | +static int __ccs_fcntl_permission(struct file *file, unsigned int cmd, | |
266 | + unsigned long arg); | |
267 | +static int __ccs_ioctl_permission(struct file *filp, unsigned int cmd, | |
268 | + unsigned long arg); | |
269 | +static int __ccs_link_permission(struct dentry *old_dentry, | |
270 | + struct dentry *new_dentry, | |
271 | + struct vfsmount *mnt); | |
272 | +static int __ccs_mkdir_permission(struct dentry *dentry, struct vfsmount *mnt, | |
273 | + unsigned int mode); | |
274 | +static int __ccs_mknod_permission(struct dentry *dentry, struct vfsmount *mnt, | |
275 | + const unsigned int mode, unsigned int dev); | |
276 | +static int __ccs_mount_permission(const char *dev_name, | |
277 | + const struct path *path, const char *type, | |
278 | + unsigned long flags, void *data_page); | |
279 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) | |
280 | +static int __ccs_move_mount_permission(const struct path *from_path, | |
281 | + const struct path *to_path); | |
282 | +#endif | |
283 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 30) | |
284 | +static int __ccs_open_exec_permission(struct dentry *dentry, | |
285 | + struct vfsmount *mnt); | |
286 | +#endif | |
287 | +static int __ccs_open_permission(struct dentry *dentry, struct vfsmount *mnt, | |
288 | + const int flag); | |
289 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) || (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL)) | |
290 | +static int __ccs_parse_table(int __user *name, int nlen, void __user *oldval, | |
291 | + void __user *newval, struct ctl_table *table); | |
292 | +#endif | |
293 | +static int __ccs_pivot_root_permission(const struct path *old_path, | |
294 | + const struct path *new_path); | |
295 | +static int __ccs_rename_permission(struct dentry *old_dentry, | |
296 | + struct dentry *new_dentry, | |
297 | + struct vfsmount *mnt); | |
298 | +static int __ccs_rmdir_permission(struct dentry *dentry, struct vfsmount *mnt); | |
299 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 8, 0) | |
300 | +static int __ccs_search_binary_handler(struct linux_binprm *bprm); | |
301 | +#else | |
302 | +static int __ccs_search_binary_handler(struct linux_binprm *bprm, | |
303 | + struct pt_regs *regs); | |
304 | +#endif | |
305 | +static int __ccs_symlink_permission(struct dentry *dentry, | |
306 | + struct vfsmount *mnt, const char *from); | |
307 | +static int __ccs_truncate_permission(struct dentry *dentry, | |
308 | + struct vfsmount *mnt); | |
309 | +static int __ccs_umount_permission(struct vfsmount *mnt, int flags); | |
310 | +static int __ccs_unlink_permission(struct dentry *dentry, | |
311 | + struct vfsmount *mnt); | |
312 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 30) | |
313 | +static int __ccs_uselib_permission(struct dentry *dentry, | |
314 | + struct vfsmount *mnt); | |
315 | +#endif | |
316 | +static int ccs_execute_permission(struct ccs_request_info *r, | |
317 | + const struct ccs_path_info *filename); | |
318 | +static int ccs_find_next_domain(struct ccs_execve *ee); | |
319 | +static int ccs_get_path(const char *pathname, struct path *path); | |
320 | +static int ccs_kern_path(const char *pathname, int flags, struct path *path); | |
321 | +static int ccs_mkdev_perm(const u8 operation, struct dentry *dentry, | |
322 | + struct vfsmount *mnt, const unsigned int mode, | |
323 | + unsigned int dev); | |
324 | +static int ccs_mount_acl(struct ccs_request_info *r, const char *dev_name, | |
325 | + const struct path *dir, const char *type, | |
326 | + unsigned long flags); | |
327 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33) | |
328 | +static int ccs_new_open_permission(struct file *filp); | |
329 | +#endif | |
330 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24) | |
331 | +static int ccs_old_chroot_permission(struct nameidata *nd); | |
332 | +static int ccs_old_mount_permission(const char *dev_name, struct nameidata *nd, | |
333 | + const char *type, unsigned long flags, | |
334 | + void *data_page); | |
335 | +static int ccs_old_pivot_root_permission(struct nameidata *old_nd, | |
336 | + struct nameidata *new_nd); | |
337 | +#endif | |
338 | +static int ccs_path2_perm(const u8 operation, struct dentry *dentry1, | |
339 | + struct vfsmount *mnt1, struct dentry *dentry2, | |
340 | + struct vfsmount *mnt2); | |
341 | +static int ccs_path_number_perm(const u8 type, struct dentry *dentry, | |
342 | + struct vfsmount *vfsmnt, unsigned long number); | |
343 | +static int ccs_path_perm(const u8 operation, struct dentry *dentry, | |
344 | + struct vfsmount *mnt, const char *target); | |
345 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 21) || LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33) || !defined(CONFIG_SYSCTL_SYSCALL) | |
346 | +static | |
347 | +#endif | |
348 | +int ccs_path_permission(struct ccs_request_info *r, u8 operation, | |
349 | + const struct ccs_path_info *filename); | |
350 | +static int ccs_symlink_path(const char *pathname, struct ccs_path_info *name); | |
351 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32) | |
352 | +static void __ccs_clear_open_mode(void); | |
353 | +static void __ccs_save_open_mode(int mode); | |
354 | +#endif | |
355 | +static void ccs_add_slash(struct ccs_path_info *buf); | |
356 | + | |
357 | +#ifdef CONFIG_CCSECURITY_MISC | |
358 | +static bool ccs_check_env_acl(struct ccs_request_info *r, | |
359 | + const struct ccs_acl_info *ptr); | |
360 | +static int ccs_env_perm(struct ccs_request_info *r, const char *env); | |
361 | +static int ccs_environ(struct ccs_execve *ee); | |
362 | +#endif | |
363 | + | |
364 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
365 | +static bool __ccs_capable(const u8 operation); | |
366 | +static bool ccs_check_capability_acl(struct ccs_request_info *r, | |
367 | + const struct ccs_acl_info *ptr); | |
368 | +static bool ccs_kernel_service(void); | |
369 | +static int __ccs_ptrace_permission(long request, long pid); | |
370 | +static int __ccs_socket_create_permission(int family, int type, int protocol); | |
371 | +#endif | |
372 | + | |
373 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
374 | +static bool ccs_address_matches_group(const bool is_ipv6, const u32 *address, | |
375 | + const struct ccs_group *group); | |
376 | +static bool ccs_check_inet_acl(struct ccs_request_info *r, | |
377 | + const struct ccs_acl_info *ptr); | |
378 | +static bool ccs_check_unix_acl(struct ccs_request_info *r, | |
379 | + const struct ccs_acl_info *ptr); | |
380 | +static bool ccs_kernel_service(void); | |
381 | +static int __ccs_socket_bind_permission(struct socket *sock, | |
382 | + struct sockaddr *addr, int addr_len); | |
383 | +static int __ccs_socket_connect_permission(struct socket *sock, | |
384 | + struct sockaddr *addr, | |
385 | + int addr_len); | |
386 | +static int __ccs_socket_listen_permission(struct socket *sock); | |
387 | +static int __ccs_socket_post_accept_permission(struct socket *sock, | |
388 | + struct socket *newsock); | |
389 | +static int __ccs_socket_sendmsg_permission(struct socket *sock, | |
390 | + struct msghdr *msg, int size); | |
391 | +static int ccs_check_inet_address(const struct sockaddr *addr, | |
392 | + const unsigned int addr_len, const u16 port, | |
393 | + struct ccs_addr_info *address); | |
394 | +static int ccs_check_unix_address(struct sockaddr *addr, | |
395 | + const unsigned int addr_len, | |
396 | + struct ccs_addr_info *address); | |
397 | +static int ccs_inet_entry(const struct ccs_addr_info *address); | |
398 | +static int ccs_unix_entry(const struct ccs_addr_info *address); | |
399 | +static u8 ccs_sock_family(struct sock *sk); | |
400 | +#endif | |
401 | + | |
402 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
403 | +static int __ccs_socket_post_recvmsg_permission(struct sock *sk, | |
404 | + struct sk_buff *skb, | |
405 | + int flags); | |
406 | +#endif | |
407 | + | |
408 | +#ifdef CONFIG_CCSECURITY_IPC | |
409 | +static bool ccs_check_signal_acl(struct ccs_request_info *r, | |
410 | + const struct ccs_acl_info *ptr); | |
411 | +static int ccs_signal_acl(const int pid, const int sig); | |
412 | +static int ccs_signal_acl0(pid_t tgid, pid_t pid, int sig); | |
413 | +static int ccs_signal_acl2(const int sig, const int pid); | |
414 | +#endif | |
415 | + | |
416 | +#ifdef CONFIG_CCSECURITY_FILE_GETATTR | |
417 | +static int __ccs_getattr_permission(struct vfsmount *mnt, | |
418 | + struct dentry *dentry); | |
419 | +#endif | |
420 | + | |
421 | +#ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER | |
422 | +static bool ccs_find_execute_handler(struct ccs_execve *ee, const u8 type); | |
423 | +static int ccs_try_alt_exec(struct ccs_execve *ee); | |
424 | +static void ccs_unescape(unsigned char *dest); | |
425 | +#endif | |
426 | + | |
427 | +#ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION | |
428 | +static bool ccs_check_task_acl(struct ccs_request_info *r, | |
429 | + const struct ccs_acl_info *ptr); | |
430 | +#endif | |
431 | + | |
432 | +/***** SECTION4: Standalone functions section *****/ | |
433 | + | |
434 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36) | |
435 | + | |
436 | +/** | |
437 | + * ccs_copy_argv - Wrapper for copy_strings_kernel(). | |
438 | + * | |
439 | + * @arg: String to copy. | |
440 | + * @bprm: Pointer to "struct linux_binprm". | |
441 | + * | |
442 | + * Returns return value of copy_strings_kernel(). | |
443 | + */ | |
444 | +static inline int ccs_copy_argv(const char *arg, struct linux_binprm *bprm) | |
445 | +{ | |
446 | + const int ret = copy_strings_kernel(1, &arg, bprm); | |
447 | + if (ret >= 0) | |
448 | + bprm->argc++; | |
449 | + return ret; | |
450 | +} | |
451 | + | |
452 | +#else | |
453 | + | |
454 | +/** | |
455 | + * ccs_copy_argv - Wrapper for copy_strings_kernel(). | |
456 | + * | |
457 | + * @arg: String to copy. | |
458 | + * @bprm: Pointer to "struct linux_binprm". | |
459 | + * | |
460 | + * Returns return value of copy_strings_kernel(). | |
461 | + */ | |
462 | +static inline int ccs_copy_argv(char *arg, struct linux_binprm *bprm) | |
463 | +{ | |
464 | + const int ret = copy_strings_kernel(1, &arg, bprm); | |
465 | + if (ret >= 0) | |
466 | + bprm->argc++; | |
467 | + return ret; | |
468 | +} | |
469 | + | |
470 | +#endif | |
471 | + | |
472 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 35) | |
473 | + | |
474 | +/** | |
475 | + * get_fs_root - Get reference on root directory. | |
476 | + * | |
477 | + * @fs: Pointer to "struct fs_struct". | |
478 | + * @root: Pointer to "struct path". | |
479 | + * | |
480 | + * Returns nothing. | |
481 | + * | |
482 | + * This is for compatibility with older kernels. | |
483 | + */ | |
484 | +static inline void get_fs_root(struct fs_struct *fs, struct path *root) | |
485 | +{ | |
486 | + read_lock(&fs->lock); | |
487 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) | |
488 | + *root = fs->root; | |
489 | + path_get(root); | |
490 | +#else | |
491 | + root->dentry = dget(fs->root); | |
492 | + root->mnt = mntget(fs->rootmnt); | |
493 | +#endif | |
494 | + read_unlock(&fs->lock); | |
495 | +} | |
496 | + | |
497 | +#endif | |
498 | + | |
499 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) | |
500 | + | |
501 | +/** | |
502 | + * module_put - Put a reference on module. | |
503 | + * | |
504 | + * @module: Pointer to "struct module". Maybe NULL. | |
505 | + * | |
506 | + * Returns nothing. | |
507 | + * | |
508 | + * This is for compatibility with older kernels. | |
509 | + */ | |
510 | +static inline void module_put(struct module *module) | |
511 | +{ | |
512 | + if (module) | |
513 | + __MOD_DEC_USE_COUNT(module); | |
514 | +} | |
515 | + | |
516 | +#endif | |
517 | + | |
518 | +/** | |
519 | + * ccs_put_filesystem - Wrapper for put_filesystem(). | |
520 | + * | |
521 | + * @fstype: Pointer to "struct file_system_type". | |
522 | + * | |
523 | + * Returns nothing. | |
524 | + * | |
525 | + * Since put_filesystem() is not exported, I embed put_filesystem() here. | |
526 | + */ | |
527 | +static inline void ccs_put_filesystem(struct file_system_type *fstype) | |
528 | +{ | |
529 | + module_put(fstype->owner); | |
530 | +} | |
531 | + | |
532 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
533 | + | |
534 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 22) | |
535 | +#if !defined(RHEL_MAJOR) || RHEL_MAJOR != 5 | |
536 | +#if !defined(AX_MAJOR) || AX_MAJOR != 3 | |
537 | + | |
538 | +/** | |
539 | + * ip_hdr - Get "struct iphdr". | |
540 | + * | |
541 | + * @skb: Pointer to "struct sk_buff". | |
542 | + * | |
543 | + * Returns pointer to "struct iphdr". | |
544 | + * | |
545 | + * This is for compatibility with older kernels. | |
546 | + */ | |
547 | +static inline struct iphdr *ip_hdr(const struct sk_buff *skb) | |
548 | +{ | |
549 | + return skb->nh.iph; | |
550 | +} | |
551 | + | |
552 | +/** | |
553 | + * udp_hdr - Get "struct udphdr". | |
554 | + * | |
555 | + * @skb: Pointer to "struct sk_buff". | |
556 | + * | |
557 | + * Returns pointer to "struct udphdr". | |
558 | + * | |
559 | + * This is for compatibility with older kernels. | |
560 | + */ | |
561 | +static inline struct udphdr *udp_hdr(const struct sk_buff *skb) | |
562 | +{ | |
563 | + return skb->h.uh; | |
564 | +} | |
565 | + | |
566 | +/** | |
567 | + * ipv6_hdr - Get "struct ipv6hdr". | |
568 | + * | |
569 | + * @skb: Pointer to "struct sk_buff". | |
570 | + * | |
571 | + * Returns pointer to "struct ipv6hdr". | |
572 | + * | |
573 | + * This is for compatibility with older kernels. | |
574 | + */ | |
575 | +static inline struct ipv6hdr *ipv6_hdr(const struct sk_buff *skb) | |
576 | +{ | |
577 | + return skb->nh.ipv6h; | |
578 | +} | |
579 | + | |
580 | +#endif | |
581 | +#endif | |
582 | +#endif | |
583 | + | |
584 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) | |
585 | + | |
586 | +/** | |
587 | + * skb_kill_datagram - Kill a datagram forcibly. | |
588 | + * | |
589 | + * @sk: Pointer to "struct sock". | |
590 | + * @skb: Pointer to "struct sk_buff". | |
591 | + * @flags: Flags passed to skb_recv_datagram(). | |
592 | + * | |
593 | + * Returns nothing. | |
594 | + */ | |
595 | +static inline void skb_kill_datagram(struct sock *sk, struct sk_buff *skb, | |
596 | + int flags) | |
597 | +{ | |
598 | + /* Clear queue. */ | |
599 | + if (flags & MSG_PEEK) { | |
600 | + int clear = 0; | |
601 | + spin_lock_irq(&sk->receive_queue.lock); | |
602 | + if (skb == skb_peek(&sk->receive_queue)) { | |
603 | + __skb_unlink(skb, &sk->receive_queue); | |
604 | + clear = 1; | |
605 | + } | |
606 | + spin_unlock_irq(&sk->receive_queue.lock); | |
607 | + if (clear) | |
608 | + kfree_skb(skb); | |
609 | + } | |
610 | + skb_free_datagram(sk, skb); | |
611 | +} | |
612 | + | |
613 | +#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16) | |
614 | + | |
615 | +/** | |
616 | + * skb_kill_datagram - Kill a datagram forcibly. | |
617 | + * | |
618 | + * @sk: Pointer to "struct sock". | |
619 | + * @skb: Pointer to "struct sk_buff". | |
620 | + * @flags: Flags passed to skb_recv_datagram(). | |
621 | + * | |
622 | + * Returns nothing. | |
623 | + */ | |
624 | +static inline void skb_kill_datagram(struct sock *sk, struct sk_buff *skb, | |
625 | + int flags) | |
626 | +{ | |
627 | + /* Clear queue. */ | |
628 | + if (flags & MSG_PEEK) { | |
629 | + int clear = 0; | |
630 | + spin_lock_bh(&sk->sk_receive_queue.lock); | |
631 | + if (skb == skb_peek(&sk->sk_receive_queue)) { | |
632 | + __skb_unlink(skb, &sk->sk_receive_queue); | |
633 | + clear = 1; | |
634 | + } | |
635 | + spin_unlock_bh(&sk->sk_receive_queue.lock); | |
636 | + if (clear) | |
637 | + kfree_skb(skb); | |
638 | + } | |
639 | + skb_free_datagram(sk, skb); | |
640 | +} | |
641 | + | |
642 | +#endif | |
643 | + | |
644 | +#endif | |
645 | + | |
646 | +/***** SECTION5: Variables definition section *****/ | |
647 | + | |
648 | +/* The initial domain. */ | |
649 | +struct ccs_domain_info ccs_kernel_domain; | |
650 | + | |
651 | +/* The list for "struct ccs_domain_info". */ | |
652 | +LIST_HEAD(ccs_domain_list); | |
653 | + | |
654 | +/***** SECTION6: Dependent functions section *****/ | |
655 | + | |
656 | +/** | |
657 | + * ccs_path_matches_group - Check whether the given pathname matches members of the given pathname group. | |
658 | + * | |
659 | + * @pathname: The name of pathname. | |
660 | + * @group: Pointer to "struct ccs_path_group". | |
661 | + * | |
662 | + * Returns matched member's pathname if @pathname matches pathnames in @group, | |
663 | + * NULL otherwise. | |
664 | + * | |
665 | + * Caller holds ccs_read_lock(). | |
666 | + */ | |
667 | +static const struct ccs_path_info *ccs_path_matches_group | |
668 | +(const struct ccs_path_info *pathname, const struct ccs_group *group) | |
669 | +{ | |
670 | + struct ccs_path_group *member; | |
671 | + list_for_each_entry_srcu(member, &group->member_list, head.list, | |
672 | + &ccs_ss) { | |
673 | + if (member->head.is_deleted) | |
674 | + continue; | |
675 | + if (!ccs_path_matches_pattern(pathname, member->member_name)) | |
676 | + continue; | |
677 | + return member->member_name; | |
678 | + } | |
679 | + return NULL; | |
680 | +} | |
681 | + | |
682 | +/** | |
683 | + * ccs_number_matches_group - Check whether the given number matches members of the given number group. | |
684 | + * | |
685 | + * @min: Min number. | |
686 | + * @max: Max number. | |
687 | + * @group: Pointer to "struct ccs_number_group". | |
688 | + * | |
689 | + * Returns true if @min and @max partially overlaps @group, false otherwise. | |
690 | + * | |
691 | + * Caller holds ccs_read_lock(). | |
692 | + */ | |
693 | +static bool ccs_number_matches_group(const unsigned long min, | |
694 | + const unsigned long max, | |
695 | + const struct ccs_group *group) | |
696 | +{ | |
697 | + struct ccs_number_group *member; | |
698 | + bool matched = false; | |
699 | + list_for_each_entry_srcu(member, &group->member_list, head.list, | |
700 | + &ccs_ss) { | |
701 | + if (member->head.is_deleted) | |
702 | + continue; | |
703 | + if (min > member->number.values[1] || | |
704 | + max < member->number.values[0]) | |
705 | + continue; | |
706 | + matched = true; | |
707 | + break; | |
708 | + } | |
709 | + return matched; | |
710 | +} | |
711 | + | |
712 | +/** | |
713 | + * ccs_check_entry - Do permission check. | |
714 | + * | |
715 | + * @r: Pointer to "struct ccs_request_info". | |
716 | + * @ptr: Pointer to "struct ccs_acl_info". | |
717 | + * | |
718 | + * Returns true on match, false otherwise. | |
719 | + * | |
720 | + * Caller holds ccs_read_lock(). | |
721 | + */ | |
722 | +static bool ccs_check_entry(struct ccs_request_info *r, | |
723 | + struct ccs_acl_info *ptr) | |
724 | +{ | |
725 | + if (ptr->is_deleted || ptr->type != r->param_type) | |
726 | + return false; | |
727 | + switch (r->param_type) { | |
728 | + case CCS_TYPE_PATH_ACL: | |
729 | + return ccs_check_path_acl(r, ptr); | |
730 | + case CCS_TYPE_PATH2_ACL: | |
731 | + return ccs_check_path2_acl(r, ptr); | |
732 | + case CCS_TYPE_PATH_NUMBER_ACL: | |
733 | + return ccs_check_path_number_acl(r, ptr); | |
734 | + case CCS_TYPE_MKDEV_ACL: | |
735 | + return ccs_check_mkdev_acl(r, ptr); | |
736 | + case CCS_TYPE_MOUNT_ACL: | |
737 | + return ccs_check_mount_acl(r, ptr); | |
738 | +#ifdef CONFIG_CCSECURITY_MISC | |
739 | + case CCS_TYPE_ENV_ACL: | |
740 | + return ccs_check_env_acl(r, ptr); | |
741 | +#endif | |
742 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
743 | + case CCS_TYPE_CAPABILITY_ACL: | |
744 | + return ccs_check_capability_acl(r, ptr); | |
745 | +#endif | |
746 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
747 | + case CCS_TYPE_INET_ACL: | |
748 | + return ccs_check_inet_acl(r, ptr); | |
749 | + case CCS_TYPE_UNIX_ACL: | |
750 | + return ccs_check_unix_acl(r, ptr); | |
751 | +#endif | |
752 | +#ifdef CONFIG_CCSECURITY_IPC | |
753 | + case CCS_TYPE_SIGNAL_ACL: | |
754 | + return ccs_check_signal_acl(r, ptr); | |
755 | +#endif | |
756 | +#ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION | |
757 | + case CCS_TYPE_MANUAL_TASK_ACL: | |
758 | + return ccs_check_task_acl(r, ptr); | |
759 | +#endif | |
760 | + } | |
761 | + return true; | |
762 | +} | |
763 | + | |
764 | +/** | |
765 | + * ccs_check_acl - Do permission check. | |
766 | + * | |
767 | + * @r: Pointer to "struct ccs_request_info". | |
768 | + * | |
769 | + * Returns 0 on success, negative value otherwise. | |
770 | + * | |
771 | + * Caller holds ccs_read_lock(). | |
772 | + */ | |
773 | +int ccs_check_acl(struct ccs_request_info *r) | |
774 | +{ | |
775 | + const struct ccs_domain_info *domain = ccs_current_domain(); | |
776 | + int error; | |
777 | + do { | |
778 | + struct ccs_acl_info *ptr; | |
779 | + const struct list_head *list = &domain->acl_info_list; | |
780 | + u16 i = 0; | |
781 | +retry: | |
782 | + list_for_each_entry_srcu(ptr, list, list, &ccs_ss) { | |
783 | + if (!ccs_check_entry(r, ptr)) | |
784 | + continue; | |
785 | + if (!ccs_condition(r, ptr->cond)) | |
786 | + continue; | |
787 | + r->matched_acl = ptr; | |
788 | + r->granted = true; | |
789 | + ccs_audit_log(r); | |
790 | + return 0; | |
791 | + } | |
792 | + for (; i < CCS_MAX_ACL_GROUPS; i++) { | |
793 | + if (!test_bit(i, domain->group)) | |
794 | + continue; | |
795 | + list = &domain->ns->acl_group[i++]; | |
796 | + goto retry; | |
797 | + } | |
798 | + r->granted = false; | |
799 | + error = ccs_audit_log(r); | |
800 | + } while (error == CCS_RETRY_REQUEST && | |
801 | + r->type != CCS_MAC_FILE_EXECUTE); | |
802 | + return error; | |
803 | +} | |
804 | + | |
805 | +/** | |
806 | + * ccs_last_word - Get last component of a domainname. | |
807 | + * | |
808 | + * @name: Domainname to check. | |
809 | + * | |
810 | + * Returns the last word of @name. | |
811 | + */ | |
812 | +static const char *ccs_last_word(const char *name) | |
813 | +{ | |
814 | + const char *cp = strrchr(name, ' '); | |
815 | + if (cp) | |
816 | + return cp + 1; | |
817 | + return name; | |
818 | +} | |
819 | + | |
820 | +/** | |
821 | + * ccs_scan_transition - Try to find specific domain transition type. | |
822 | + * | |
823 | + * @list: Pointer to "struct list_head". | |
824 | + * @domainname: The name of current domain. | |
825 | + * @program: The name of requested program. | |
826 | + * @last_name: The last component of @domainname. | |
827 | + * @type: One of values in "enum ccs_transition_type". | |
828 | + * | |
829 | + * Returns true if found one, false otherwise. | |
830 | + * | |
831 | + * Caller holds ccs_read_lock(). | |
832 | + */ | |
833 | +static bool ccs_scan_transition(const struct list_head *list, | |
834 | + const struct ccs_path_info *domainname, | |
835 | + const struct ccs_path_info *program, | |
836 | + const char *last_name, | |
837 | + const enum ccs_transition_type type) | |
838 | +{ | |
839 | + const struct ccs_transition_control *ptr; | |
840 | + list_for_each_entry_srcu(ptr, list, head.list, &ccs_ss) { | |
841 | + if (ptr->head.is_deleted || ptr->type != type) | |
842 | + continue; | |
843 | + if (ptr->domainname) { | |
844 | + if (!ptr->is_last_name) { | |
845 | + if (ptr->domainname != domainname) | |
846 | + continue; | |
847 | + } else { | |
848 | + /* | |
849 | + * Use direct strcmp() since this is | |
850 | + * unlikely used. | |
851 | + */ | |
852 | + if (strcmp(ptr->domainname->name, last_name)) | |
853 | + continue; | |
854 | + } | |
855 | + } | |
856 | + if (ptr->program && ccs_pathcmp(ptr->program, program)) | |
857 | + continue; | |
858 | + return true; | |
859 | + } | |
860 | + return false; | |
861 | +} | |
862 | + | |
863 | +/** | |
864 | + * ccs_transition_type - Get domain transition type. | |
865 | + * | |
866 | + * @ns: Pointer to "struct ccs_policy_namespace". | |
867 | + * @domainname: The name of current domain. | |
868 | + * @program: The name of requested program. | |
869 | + * | |
870 | + * Returns CCS_TRANSITION_CONTROL_TRANSIT if executing @program causes domain | |
871 | + * transition across namespaces, CCS_TRANSITION_CONTROL_INITIALIZE if executing | |
872 | + * @program reinitializes domain transition within that namespace, | |
873 | + * CCS_TRANSITION_CONTROL_KEEP if executing @program stays at @domainname , | |
874 | + * others otherwise. | |
875 | + * | |
876 | + * Caller holds ccs_read_lock(). | |
877 | + */ | |
878 | +static enum ccs_transition_type ccs_transition_type | |
879 | +(const struct ccs_policy_namespace *ns, const struct ccs_path_info *domainname, | |
880 | + const struct ccs_path_info *program) | |
881 | +{ | |
882 | + const char *last_name = ccs_last_word(domainname->name); | |
883 | + enum ccs_transition_type type = CCS_TRANSITION_CONTROL_NO_RESET; | |
884 | + while (type < CCS_MAX_TRANSITION_TYPE) { | |
885 | + const struct list_head * const list = | |
886 | + &ns->policy_list[CCS_ID_TRANSITION_CONTROL]; | |
887 | + if (!ccs_scan_transition(list, domainname, program, last_name, | |
888 | + type)) { | |
889 | + type++; | |
890 | + continue; | |
891 | + } | |
892 | + if (type != CCS_TRANSITION_CONTROL_NO_RESET && | |
893 | + type != CCS_TRANSITION_CONTROL_NO_INITIALIZE) | |
894 | + break; | |
895 | + /* | |
896 | + * Do not check for reset_domain if no_reset_domain matched. | |
897 | + * Do not check for initialize_domain if no_initialize_domain | |
898 | + * matched. | |
899 | + */ | |
900 | + type++; | |
901 | + type++; | |
902 | + } | |
903 | + return type; | |
904 | +} | |
905 | + | |
906 | +/** | |
907 | + * ccs_find_next_domain - Find a domain. | |
908 | + * | |
909 | + * @ee: Pointer to "struct ccs_execve". | |
910 | + * | |
911 | + * Returns 0 on success, negative value otherwise. | |
912 | + * | |
913 | + * Caller holds ccs_read_lock(). | |
914 | + */ | |
915 | +static int ccs_find_next_domain(struct ccs_execve *ee) | |
916 | +{ | |
917 | + struct ccs_request_info *r = &ee->r; | |
918 | +#ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER | |
919 | + const struct ccs_path_info *handler = ee->handler; | |
920 | +#endif | |
921 | + struct ccs_domain_info *domain = NULL; | |
922 | + struct ccs_domain_info * const old_domain = ccs_current_domain(); | |
923 | + struct linux_binprm *bprm = ee->bprm; | |
924 | + struct ccs_security *task = ccs_current_security(); | |
925 | + const struct ccs_path_info *candidate; | |
926 | + struct ccs_path_info exename; | |
927 | + int retval; | |
928 | + bool reject_on_transition_failure = false; | |
929 | + | |
930 | + /* Get symlink's pathname of program. */ | |
931 | + retval = ccs_symlink_path(bprm->filename, &exename); | |
932 | + if (retval < 0) | |
933 | + return retval; | |
934 | + | |
935 | +#ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER | |
936 | + if (handler) { | |
937 | + /* No permission check for execute handler. */ | |
938 | + candidate = &exename; | |
939 | + if (ccs_pathcmp(candidate, handler)) { | |
940 | + /* Failed to verify execute handler. */ | |
941 | + static u8 counter = 20; | |
942 | + if (counter) { | |
943 | + counter--; | |
944 | + printk(KERN_WARNING "Failed to verify: %s\n", | |
945 | + handler->name); | |
946 | + } | |
947 | + goto out; | |
948 | + } | |
949 | + } else | |
950 | +#endif | |
951 | + { | |
952 | + struct ccs_aggregator *ptr; | |
953 | + struct list_head *list; | |
954 | +retry: | |
955 | + /* Check 'aggregator' directive. */ | |
956 | + candidate = &exename; | |
957 | + list = &old_domain->ns->policy_list[CCS_ID_AGGREGATOR]; | |
958 | + list_for_each_entry_srcu(ptr, list, head.list, &ccs_ss) { | |
959 | + if (ptr->head.is_deleted || | |
960 | + !ccs_path_matches_pattern(candidate, | |
961 | + ptr->original_name)) | |
962 | + continue; | |
963 | + candidate = ptr->aggregated_name; | |
964 | + break; | |
965 | + } | |
966 | + | |
967 | + /* Check execute permission. */ | |
968 | + retval = ccs_execute_permission(r, candidate); | |
969 | + if (retval == CCS_RETRY_REQUEST) | |
970 | + goto retry; | |
971 | + if (retval < 0) | |
972 | + goto out; | |
973 | + /* | |
974 | + * To be able to specify domainnames with wildcards, use the | |
975 | + * pathname specified in the policy (which may contain | |
976 | + * wildcard) rather than the pathname passed to execve() | |
977 | + * (which never contains wildcard). | |
978 | + */ | |
979 | + if (r->param.path.matched_path) | |
980 | + candidate = r->param.path.matched_path; | |
981 | + } | |
982 | + /* | |
983 | + * Check for domain transition preference if "file execute" matched. | |
984 | + * If preference is given, make do_execve() fail if domain transition | |
985 | + * has failed, for domain transition preference should be used with | |
986 | + * destination domain defined. | |
987 | + */ | |
988 | + if (r->ee->transition) { | |
989 | + const char *domainname = r->ee->transition->name; | |
990 | + reject_on_transition_failure = true; | |
991 | + if (!strcmp(domainname, "keep")) | |
992 | + goto force_keep_domain; | |
993 | + if (!strcmp(domainname, "child")) | |
994 | + goto force_child_domain; | |
995 | + if (!strcmp(domainname, "reset")) | |
996 | + goto force_reset_domain; | |
997 | + if (!strcmp(domainname, "initialize")) | |
998 | + goto force_initialize_domain; | |
999 | + if (!strcmp(domainname, "parent")) { | |
1000 | + char *cp; | |
1001 | + strncpy(ee->tmp, old_domain->domainname->name, | |
1002 | + CCS_EXEC_TMPSIZE - 1); | |
1003 | + cp = strrchr(ee->tmp, ' '); | |
1004 | + if (cp) | |
1005 | + *cp = '\0'; | |
1006 | + } else if (*domainname == '<') | |
1007 | + strncpy(ee->tmp, domainname, CCS_EXEC_TMPSIZE - 1); | |
1008 | + else | |
1009 | + snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, "%s %s", | |
1010 | + old_domain->domainname->name, domainname); | |
1011 | + goto force_jump_domain; | |
1012 | + } | |
1013 | + /* | |
1014 | + * No domain transition preference specified. | |
1015 | + * Calculate domain to transit to. | |
1016 | + */ | |
1017 | + switch (ccs_transition_type(old_domain->ns, old_domain->domainname, | |
1018 | + candidate)) { | |
1019 | + case CCS_TRANSITION_CONTROL_RESET: | |
1020 | +force_reset_domain: | |
1021 | + /* Transit to the root of specified namespace. */ | |
1022 | + snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, "<%s>", | |
1023 | + candidate->name); | |
1024 | + /* | |
1025 | + * Make do_execve() fail if domain transition across namespaces | |
1026 | + * has failed. | |
1027 | + */ | |
1028 | + reject_on_transition_failure = true; | |
1029 | + break; | |
1030 | + case CCS_TRANSITION_CONTROL_INITIALIZE: | |
1031 | +force_initialize_domain: | |
1032 | + /* Transit to the child of current namespace's root. */ | |
1033 | + snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, "%s %s", | |
1034 | + old_domain->ns->name, candidate->name); | |
1035 | + break; | |
1036 | + case CCS_TRANSITION_CONTROL_KEEP: | |
1037 | +force_keep_domain: | |
1038 | + /* Keep current domain. */ | |
1039 | + domain = old_domain; | |
1040 | + break; | |
1041 | + default: | |
1042 | + if (old_domain == &ccs_kernel_domain && !ccs_policy_loaded) { | |
1043 | + /* | |
1044 | + * Needn't to transit from kernel domain before | |
1045 | + * starting /sbin/init. But transit from kernel domain | |
1046 | + * if executing initializers because they might start | |
1047 | + * before /sbin/init. | |
1048 | + */ | |
1049 | + domain = old_domain; | |
1050 | + break; | |
1051 | + } | |
1052 | +force_child_domain: | |
1053 | + /* Normal domain transition. */ | |
1054 | + snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, "%s %s", | |
1055 | + old_domain->domainname->name, candidate->name); | |
1056 | + break; | |
1057 | + } | |
1058 | +force_jump_domain: | |
1059 | + /* | |
1060 | + * Tell GC that I started execve(). | |
1061 | + * Also, tell open_exec() to check read permission. | |
1062 | + */ | |
1063 | + task->ccs_flags |= CCS_TASK_IS_IN_EXECVE; | |
1064 | + /* | |
1065 | + * Make task->ccs_flags visible to GC before changing | |
1066 | + * task->ccs_domain_info. | |
1067 | + */ | |
1068 | + smp_wmb(); | |
1069 | + /* | |
1070 | + * Proceed to the next domain in order to allow reaching via PID. | |
1071 | + * It will be reverted if execve() failed. Reverting is not good. | |
1072 | + * But it is better than being unable to reach via PID in interactive | |
1073 | + * enforcing mode. | |
1074 | + */ | |
1075 | + if (!domain) | |
1076 | + domain = ccs_assign_domain(ee->tmp, true); | |
1077 | + if (domain) | |
1078 | + retval = 0; | |
1079 | + else if (reject_on_transition_failure) { | |
1080 | + printk(KERN_WARNING | |
1081 | + "ERROR: Domain '%s' not ready.\n", ee->tmp); | |
1082 | + retval = -ENOMEM; | |
1083 | + } else if (r->mode == CCS_CONFIG_ENFORCING) | |
1084 | + retval = -ENOMEM; | |
1085 | + else { | |
1086 | + retval = 0; | |
1087 | + if (!old_domain->flags[CCS_DIF_TRANSITION_FAILED]) { | |
1088 | + old_domain->flags[CCS_DIF_TRANSITION_FAILED] = true; | |
1089 | + r->granted = false; | |
1090 | + ccs_write_log(r, "%s", | |
1091 | + ccs_dif[CCS_DIF_TRANSITION_FAILED]); | |
1092 | + printk(KERN_WARNING | |
1093 | + "ERROR: Domain '%s' not defined.\n", ee->tmp); | |
1094 | + } | |
1095 | + } | |
1096 | +out: | |
1097 | + kfree(exename.name); | |
1098 | + return retval; | |
1099 | +} | |
1100 | + | |
1101 | +#ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER | |
1102 | + | |
1103 | +/** | |
1104 | + * ccs_unescape - Unescape escaped string. | |
1105 | + * | |
1106 | + * @dest: String to unescape. | |
1107 | + * | |
1108 | + * Returns nothing. | |
1109 | + */ | |
1110 | +static void ccs_unescape(unsigned char *dest) | |
1111 | +{ | |
1112 | + unsigned char *src = dest; | |
1113 | + unsigned char c; | |
1114 | + unsigned char d; | |
1115 | + unsigned char e; | |
1116 | + while (1) { | |
1117 | + c = *src++; | |
1118 | + if (!c) | |
1119 | + break; | |
1120 | + if (c != '\\') { | |
1121 | + *dest++ = c; | |
1122 | + continue; | |
1123 | + } | |
1124 | + c = *src++; | |
1125 | + if (c == '\\') { | |
1126 | + *dest++ = c; | |
1127 | + continue; | |
1128 | + } | |
1129 | + if (c < '0' || c > '3') | |
1130 | + break; | |
1131 | + d = *src++; | |
1132 | + if (d < '0' || d > '7') | |
1133 | + break; | |
1134 | + e = *src++; | |
1135 | + if (e < '0' || e > '7') | |
1136 | + break; | |
1137 | + *dest++ = ((c - '0') << 6) + ((d - '0') << 3) + (e - '0'); | |
1138 | + } | |
1139 | + *dest = '\0'; | |
1140 | +} | |
1141 | + | |
1142 | +/** | |
1143 | + * ccs_try_alt_exec - Try to start execute handler. | |
1144 | + * | |
1145 | + * @ee: Pointer to "struct ccs_execve". | |
1146 | + * | |
1147 | + * Returns 0 on success, negative value otherwise. | |
1148 | + */ | |
1149 | +static int ccs_try_alt_exec(struct ccs_execve *ee) | |
1150 | +{ | |
1151 | + /* | |
1152 | + * Contents of modified bprm. | |
1153 | + * The envp[] in original bprm is moved to argv[] so that | |
1154 | + * the alternatively executed program won't be affected by | |
1155 | + * some dangerous environment variables like LD_PRELOAD. | |
1156 | + * | |
1157 | + * modified bprm->argc | |
1158 | + * = original bprm->argc + original bprm->envc + 7 | |
1159 | + * modified bprm->envc | |
1160 | + * = 0 | |
1161 | + * | |
1162 | + * modified bprm->argv[0] | |
1163 | + * = the program's name specified by *_execute_handler | |
1164 | + * modified bprm->argv[1] | |
1165 | + * = ccs_current_domain()->domainname->name | |
1166 | + * modified bprm->argv[2] | |
1167 | + * = the current process's name | |
1168 | + * modified bprm->argv[3] | |
1169 | + * = the current process's information (e.g. uid/gid). | |
1170 | + * modified bprm->argv[4] | |
1171 | + * = original bprm->filename | |
1172 | + * modified bprm->argv[5] | |
1173 | + * = original bprm->argc in string expression | |
1174 | + * modified bprm->argv[6] | |
1175 | + * = original bprm->envc in string expression | |
1176 | + * modified bprm->argv[7] | |
1177 | + * = original bprm->argv[0] | |
1178 | + * ... | |
1179 | + * modified bprm->argv[bprm->argc + 6] | |
1180 | + * = original bprm->argv[bprm->argc - 1] | |
1181 | + * modified bprm->argv[bprm->argc + 7] | |
1182 | + * = original bprm->envp[0] | |
1183 | + * ... | |
1184 | + * modified bprm->argv[bprm->envc + bprm->argc + 6] | |
1185 | + * = original bprm->envp[bprm->envc - 1] | |
1186 | + */ | |
1187 | + struct linux_binprm *bprm = ee->bprm; | |
1188 | + struct file *filp; | |
1189 | + int retval; | |
1190 | + const int original_argc = bprm->argc; | |
1191 | + const int original_envc = bprm->envc; | |
1192 | + | |
1193 | + /* Close the requested program's dentry. */ | |
1194 | + ee->obj.path1.dentry = NULL; | |
1195 | + ee->obj.path1.mnt = NULL; | |
1196 | + ee->obj.stat_valid[CCS_PATH1] = false; | |
1197 | + ee->obj.stat_valid[CCS_PATH1_PARENT] = false; | |
1198 | + ee->obj.validate_done = false; | |
1199 | + allow_write_access(bprm->file); | |
1200 | + fput(bprm->file); | |
1201 | + bprm->file = NULL; | |
1202 | + | |
1203 | + /* Invalidate page dump cache. */ | |
1204 | + ee->dump.page = NULL; | |
1205 | + | |
1206 | + /* Move envp[] to argv[] */ | |
1207 | + bprm->argc += bprm->envc; | |
1208 | + bprm->envc = 0; | |
1209 | + | |
1210 | + /* Set argv[6] */ | |
1211 | + { | |
1212 | + snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, "%d", original_envc); | |
1213 | + retval = ccs_copy_argv(ee->tmp, bprm); | |
1214 | + if (retval < 0) | |
1215 | + goto out; | |
1216 | + } | |
1217 | + | |
1218 | + /* Set argv[5] */ | |
1219 | + { | |
1220 | + snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, "%d", original_argc); | |
1221 | + retval = ccs_copy_argv(ee->tmp, bprm); | |
1222 | + if (retval < 0) | |
1223 | + goto out; | |
1224 | + } | |
1225 | + | |
1226 | + /* Set argv[4] */ | |
1227 | + { | |
1228 | + retval = ccs_copy_argv(bprm->filename, bprm); | |
1229 | + if (retval < 0) | |
1230 | + goto out; | |
1231 | + } | |
1232 | + | |
1233 | + /* Set argv[3] */ | |
1234 | + { | |
1235 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0) | |
1236 | + /* | |
1237 | + * Pass uid/gid seen from current user namespace, for these | |
1238 | + * values are used by programs in current user namespace in | |
1239 | + * order to decide whether to execve() or not (rather than by | |
1240 | + * auditing daemon in init's user namespace). | |
1241 | + */ | |
1242 | + snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, | |
1243 | + "pid=%d uid=%d gid=%d euid=%d egid=%d suid=%d " | |
1244 | + "sgid=%d fsuid=%d fsgid=%d", ccs_sys_getpid(), | |
1245 | + __kuid_val(current_uid()), __kgid_val(current_gid()), | |
1246 | + __kuid_val(current_euid()), | |
1247 | + __kgid_val(current_egid()), | |
1248 | + __kuid_val(current_suid()), | |
1249 | + __kgid_val(current_sgid()), | |
1250 | + __kuid_val(current_fsuid()), | |
1251 | + __kgid_val(current_fsgid())); | |
1252 | +#else | |
1253 | + snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, | |
1254 | + "pid=%d uid=%d gid=%d euid=%d egid=%d suid=%d " | |
1255 | + "sgid=%d fsuid=%d fsgid=%d", ccs_sys_getpid(), | |
1256 | + current_uid(), current_gid(), current_euid(), | |
1257 | + current_egid(), current_suid(), current_sgid(), | |
1258 | + current_fsuid(), current_fsgid()); | |
1259 | +#endif | |
1260 | + retval = ccs_copy_argv(ee->tmp, bprm); | |
1261 | + if (retval < 0) | |
1262 | + goto out; | |
1263 | + } | |
1264 | + | |
1265 | + /* Set argv[2] */ | |
1266 | + { | |
1267 | + char *exe = (char *) ccs_get_exe(); | |
1268 | + if (exe) { | |
1269 | + retval = ccs_copy_argv(exe, bprm); | |
1270 | + kfree(exe); | |
1271 | + } else { | |
1272 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36) | |
1273 | + retval = ccs_copy_argv("<unknown>", bprm); | |
1274 | +#else | |
1275 | + snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, "<unknown>"); | |
1276 | + retval = ccs_copy_argv(ee->tmp, bprm); | |
1277 | +#endif | |
1278 | + } | |
1279 | + if (retval < 0) | |
1280 | + goto out; | |
1281 | + } | |
1282 | + | |
1283 | + /* Set argv[1] */ | |
1284 | + { | |
1285 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36) | |
1286 | + retval = ccs_copy_argv(ccs_current_domain()->domainname->name, | |
1287 | + bprm); | |
1288 | +#else | |
1289 | + snprintf(ee->tmp, CCS_EXEC_TMPSIZE - 1, "%s", | |
1290 | + ccs_current_domain()->domainname->name); | |
1291 | + retval = ccs_copy_argv(ee->tmp, bprm); | |
1292 | +#endif | |
1293 | + if (retval < 0) | |
1294 | + goto out; | |
1295 | + } | |
1296 | + | |
1297 | + /* Set argv[0] */ | |
1298 | + { | |
1299 | + struct path root; | |
1300 | + char *cp; | |
1301 | + int root_len; | |
1302 | + int handler_len; | |
1303 | + get_fs_root(current->fs, &root); | |
1304 | + cp = ccs_realpath(&root); | |
1305 | + path_put(&root); | |
1306 | + if (!cp) { | |
1307 | + retval = -ENOMEM; | |
1308 | + goto out; | |
1309 | + } | |
1310 | + root_len = strlen(cp); | |
1311 | + retval = strncmp(ee->handler->name, cp, root_len); | |
1312 | + root_len--; | |
1313 | + kfree(cp); | |
1314 | + if (retval) { | |
1315 | + retval = -ENOENT; | |
1316 | + goto out; | |
1317 | + } | |
1318 | + handler_len = ee->handler->total_len + 1; | |
1319 | + cp = kmalloc(handler_len, CCS_GFP_FLAGS); | |
1320 | + if (!cp) { | |
1321 | + retval = -ENOMEM; | |
1322 | + goto out; | |
1323 | + } | |
1324 | + /* ee->handler_path is released by ccs_finish_execve(). */ | |
1325 | + ee->handler_path = cp; | |
1326 | + /* Adjust root directory for open_exec(). */ | |
1327 | + memmove(cp, ee->handler->name + root_len, | |
1328 | + handler_len - root_len); | |
1329 | + ccs_unescape(cp); | |
1330 | + retval = -ENOENT; | |
1331 | + if (*cp != '/') | |
1332 | + goto out; | |
1333 | + retval = ccs_copy_argv(cp, bprm); | |
1334 | + if (retval < 0) | |
1335 | + goto out; | |
1336 | + } | |
1337 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 23) | |
1338 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24) | |
1339 | + bprm->argv_len = bprm->exec - bprm->p; | |
1340 | +#endif | |
1341 | +#endif | |
1342 | + | |
1343 | + /* | |
1344 | + * OK, now restart the process with execute handler program's dentry. | |
1345 | + */ | |
1346 | + filp = open_exec(ee->handler_path); | |
1347 | + if (IS_ERR(filp)) { | |
1348 | + retval = PTR_ERR(filp); | |
1349 | + goto out; | |
1350 | + } | |
1351 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) | |
1352 | + ee->obj.path1 = filp->f_path; | |
1353 | +#else | |
1354 | + ee->obj.path1.dentry = filp->f_dentry; | |
1355 | + ee->obj.path1.mnt = filp->f_vfsmnt; | |
1356 | +#endif | |
1357 | + bprm->file = filp; | |
1358 | + bprm->filename = ee->handler_path; | |
1359 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0) | |
1360 | + bprm->interp = bprm->filename; | |
1361 | +#endif | |
1362 | + retval = prepare_binprm(bprm); | |
1363 | + if (retval < 0) | |
1364 | + goto out; | |
1365 | + ee->r.dont_sleep_on_enforce_error = true; | |
1366 | + retval = ccs_find_next_domain(ee); | |
1367 | + ee->r.dont_sleep_on_enforce_error = false; | |
1368 | +out: | |
1369 | + return retval; | |
1370 | +} | |
1371 | + | |
1372 | +/** | |
1373 | + * ccs_find_execute_handler - Find an execute handler. | |
1374 | + * | |
1375 | + * @ee: Pointer to "struct ccs_execve". | |
1376 | + * @type: Type of execute handler. | |
1377 | + * | |
1378 | + * Returns true if found, false otherwise. | |
1379 | + * | |
1380 | + * Caller holds ccs_read_lock(). | |
1381 | + */ | |
1382 | +static bool ccs_find_execute_handler(struct ccs_execve *ee, const u8 type) | |
1383 | +{ | |
1384 | + struct ccs_request_info *r = &ee->r; | |
1385 | + /* | |
1386 | + * To avoid infinite execute handler loop, don't use execute handler | |
1387 | + * if the current process is marked as execute handler. | |
1388 | + */ | |
1389 | + if (ccs_current_flags() & CCS_TASK_IS_EXECUTE_HANDLER) | |
1390 | + return false; | |
1391 | + r->param_type = type; | |
1392 | + ccs_check_acl(r); | |
1393 | + if (!r->granted) | |
1394 | + return false; | |
1395 | + ee->handler = container_of(r->matched_acl, struct ccs_handler_acl, | |
1396 | + head)->handler; | |
1397 | + ee->transition = r->matched_acl && r->matched_acl->cond && | |
1398 | + r->matched_acl->cond->exec_transit ? | |
1399 | + r->matched_acl->cond->transit : NULL; | |
1400 | + return true; | |
1401 | +} | |
1402 | + | |
1403 | +#endif | |
1404 | + | |
1405 | +#ifdef CONFIG_MMU | |
1406 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 23) | |
1407 | +#define CCS_BPRM_MMU | |
1408 | +#elif defined(RHEL_MAJOR) && RHEL_MAJOR == 5 && defined(RHEL_MINOR) && RHEL_MINOR >= 3 | |
1409 | +#define CCS_BPRM_MMU | |
1410 | +#elif defined(AX_MAJOR) && AX_MAJOR == 3 && defined(AX_MINOR) && AX_MINOR >= 2 | |
1411 | +#define CCS_BPRM_MMU | |
1412 | +#endif | |
1413 | +#endif | |
1414 | + | |
1415 | +/** | |
1416 | + * ccs_dump_page - Dump a page to buffer. | |
1417 | + * | |
1418 | + * @bprm: Pointer to "struct linux_binprm". | |
1419 | + * @pos: Location to dump. | |
1420 | + * @dump: Poiner to "struct ccs_page_dump". | |
1421 | + * | |
1422 | + * Returns true on success, false otherwise. | |
1423 | + */ | |
1424 | +bool ccs_dump_page(struct linux_binprm *bprm, unsigned long pos, | |
1425 | + struct ccs_page_dump *dump) | |
1426 | +{ | |
1427 | + struct page *page; | |
1428 | + /* dump->data is released by ccs_start_execve(). */ | |
1429 | + if (!dump->data) { | |
1430 | + dump->data = kzalloc(PAGE_SIZE, CCS_GFP_FLAGS); | |
1431 | + if (!dump->data) | |
1432 | + return false; | |
1433 | + } | |
1434 | + /* Same with get_arg_page(bprm, pos, 0) in fs/exec.c */ | |
1435 | +#ifdef CCS_BPRM_MMU | |
1436 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0) | |
1437 | + if (get_user_pages_remote(current, bprm->mm, pos, 1, FOLL_FORCE, &page, | |
1438 | + NULL, NULL) <= 0) | |
1439 | + return false; | |
1440 | +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0) | |
1441 | + if (get_user_pages_remote(current, bprm->mm, pos, 1, FOLL_FORCE, &page, | |
1442 | + NULL) <= 0) | |
1443 | + return false; | |
1444 | +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 168) && LINUX_VERSION_CODE < KERNEL_VERSION(4, 5, 0) | |
1445 | + if (get_user_pages(current, bprm->mm, pos, 1, FOLL_FORCE, &page, | |
1446 | + NULL) <= 0) | |
1447 | + return false; | |
1448 | +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0) | |
1449 | + if (get_user_pages_remote(current, bprm->mm, pos, 1, 0, 1, &page, | |
1450 | + NULL) <= 0) | |
1451 | + return false; | |
1452 | +#else | |
1453 | + if (get_user_pages(current, bprm->mm, pos, 1, 0, 1, &page, NULL) <= 0) | |
1454 | + return false; | |
1455 | +#endif | |
1456 | +#else | |
1457 | + page = bprm->page[pos / PAGE_SIZE]; | |
1458 | +#endif | |
1459 | + if (page != dump->page) { | |
1460 | + const unsigned int offset = pos % PAGE_SIZE; | |
1461 | + /* | |
1462 | + * Maybe kmap()/kunmap() should be used here. | |
1463 | + * But remove_arg_zero() uses kmap_atomic()/kunmap_atomic(). | |
1464 | + * So do I. | |
1465 | + */ | |
1466 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 37) | |
1467 | + char *kaddr = kmap_atomic(page); | |
1468 | +#else | |
1469 | + char *kaddr = kmap_atomic(page, KM_USER0); | |
1470 | +#endif | |
1471 | + dump->page = page; | |
1472 | + memcpy(dump->data + offset, kaddr + offset, | |
1473 | + PAGE_SIZE - offset); | |
1474 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 37) | |
1475 | + kunmap_atomic(kaddr); | |
1476 | +#else | |
1477 | + kunmap_atomic(kaddr, KM_USER0); | |
1478 | +#endif | |
1479 | + } | |
1480 | + /* Same with put_arg_page(page) in fs/exec.c */ | |
1481 | +#ifdef CCS_BPRM_MMU | |
1482 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) | |
1483 | + put_user_page(page); | |
1484 | +#else | |
1485 | + put_page(page); | |
1486 | +#endif | |
1487 | +#endif | |
1488 | + return true; | |
1489 | +} | |
1490 | + | |
1491 | +/** | |
1492 | + * ccs_start_execve - Prepare for execve() operation. | |
1493 | + * | |
1494 | + * @bprm: Pointer to "struct linux_binprm". | |
1495 | + * @eep: Pointer to "struct ccs_execve *". | |
1496 | + * | |
1497 | + * Returns 0 on success, negative value otherwise. | |
1498 | + */ | |
1499 | +int ccs_start_execve(struct linux_binprm *bprm, struct ccs_execve **eep) | |
1500 | +{ | |
1501 | + int retval; | |
1502 | + struct ccs_security *task = ccs_current_security(); | |
1503 | + struct ccs_execve *ee; | |
1504 | + int idx; | |
1505 | + *eep = NULL; | |
1506 | + ee = kzalloc(sizeof(*ee), CCS_GFP_FLAGS); | |
1507 | + if (!ee) | |
1508 | + return -ENOMEM; | |
1509 | + ee->tmp = kzalloc(CCS_EXEC_TMPSIZE, CCS_GFP_FLAGS); | |
1510 | + if (!ee->tmp) { | |
1511 | + kfree(ee); | |
1512 | + return -ENOMEM; | |
1513 | + } | |
1514 | + ccs_audit_alloc_execve(ee); | |
1515 | + idx = ccs_read_lock(); | |
1516 | + /* ee->dump->data is allocated by ccs_dump_page(). */ | |
1517 | + ee->previous_domain = task->ccs_domain_info; | |
1518 | + /* Clear manager flag. */ | |
1519 | + task->ccs_flags &= ~CCS_TASK_IS_MANAGER; | |
1520 | + *eep = ee; | |
1521 | + ccs_init_request_info(&ee->r, CCS_MAC_FILE_EXECUTE); | |
1522 | + ee->r.ee = ee; | |
1523 | + ee->bprm = bprm; | |
1524 | + ee->r.obj = &ee->obj; | |
1525 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) | |
1526 | + ee->obj.path1 = bprm->file->f_path; | |
1527 | +#else | |
1528 | + ee->obj.path1.dentry = bprm->file->f_dentry; | |
1529 | + ee->obj.path1.mnt = bprm->file->f_vfsmnt; | |
1530 | +#endif | |
1531 | +#ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER | |
1532 | + /* | |
1533 | + * No need to call ccs_environ() for execute handler because envp[] is | |
1534 | + * moved to argv[]. | |
1535 | + */ | |
1536 | + if (ccs_find_execute_handler(ee, CCS_TYPE_AUTO_EXECUTE_HANDLER)) { | |
1537 | + retval = ccs_try_alt_exec(ee); | |
1538 | + goto done; | |
1539 | + } | |
1540 | +#endif | |
1541 | + retval = ccs_find_next_domain(ee); | |
1542 | +#ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER | |
1543 | + if (retval == -EPERM && | |
1544 | + ccs_find_execute_handler(ee, CCS_TYPE_DENIED_EXECUTE_HANDLER)) { | |
1545 | + retval = ccs_try_alt_exec(ee); | |
1546 | + goto done; | |
1547 | + } | |
1548 | +#endif | |
1549 | +#ifdef CONFIG_CCSECURITY_MISC | |
1550 | + if (!retval) | |
1551 | + retval = ccs_environ(ee); | |
1552 | +#endif | |
1553 | +#ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER | |
1554 | +done: | |
1555 | +#endif | |
1556 | + ccs_read_unlock(idx); | |
1557 | + kfree(ee->tmp); | |
1558 | + ee->tmp = NULL; | |
1559 | + kfree(ee->dump.data); | |
1560 | + ee->dump.data = NULL; | |
1561 | + return retval; | |
1562 | +} | |
1563 | + | |
1564 | +/** | |
1565 | + * ccs_finish_execve - Clean up execve() operation. | |
1566 | + * | |
1567 | + * @retval: Return code of an execve() operation. | |
1568 | + * @ee: Pointer to "struct ccs_execve". | |
1569 | + * | |
1570 | + * Returns nothing. | |
1571 | + */ | |
1572 | +void ccs_finish_execve(int retval, struct ccs_execve *ee) | |
1573 | +{ | |
1574 | + struct ccs_security *task = ccs_current_security(); | |
1575 | + if (!ee) | |
1576 | + return; | |
1577 | + if (retval < 0) { | |
1578 | + task->ccs_domain_info = ee->previous_domain; | |
1579 | + /* | |
1580 | + * Make task->ccs_domain_info visible to GC before changing | |
1581 | + * task->ccs_flags. | |
1582 | + */ | |
1583 | + smp_wmb(); | |
1584 | + } else { | |
1585 | + /* Mark the current process as execute handler. */ | |
1586 | + if (ee->handler) | |
1587 | + task->ccs_flags |= CCS_TASK_IS_EXECUTE_HANDLER; | |
1588 | + /* Mark the current process as normal process. */ | |
1589 | + else | |
1590 | + task->ccs_flags &= ~CCS_TASK_IS_EXECUTE_HANDLER; | |
1591 | + } | |
1592 | + /* Tell GC that I finished execve(). */ | |
1593 | + task->ccs_flags &= ~CCS_TASK_IS_IN_EXECVE; | |
1594 | + ccs_audit_free_execve(ee, true); | |
1595 | + kfree(ee->handler_path); | |
1596 | + kfree(ee); | |
1597 | +} | |
1598 | + | |
1599 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 8, 0) | |
1600 | + | |
1601 | +/** | |
1602 | + * __ccs_search_binary_handler - Main routine for do_execve(). | |
1603 | + * | |
1604 | + * @bprm: Pointer to "struct linux_binprm". | |
1605 | + * | |
1606 | + * Returns 0 on success, negative value otherwise. | |
1607 | + * | |
1608 | + * Performs permission checks for do_execve() and domain transition. | |
1609 | + * Domain transition by "struct ccs_domain_transition_control" and | |
1610 | + * "auto_domain_transition=" parameter of "struct ccs_condition" are reverted | |
1611 | + * if do_execve() failed. | |
1612 | + * Garbage collector does not remove "struct ccs_domain_info" from | |
1613 | + * ccs_domain_list nor kfree("struct ccs_domain_info") if the current thread is | |
1614 | + * marked as CCS_TASK_IS_IN_EXECVE. | |
1615 | + */ | |
1616 | +static int __ccs_search_binary_handler(struct linux_binprm *bprm) | |
1617 | +{ | |
1618 | + struct ccs_execve *ee; | |
1619 | + int retval; | |
1620 | +#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER | |
1621 | + if (!ccs_policy_loaded) | |
1622 | + ccsecurity_exports.load_policy(bprm->filename); | |
1623 | +#endif | |
1624 | + retval = ccs_start_execve(bprm, &ee); | |
1625 | + if (!retval) | |
1626 | + retval = search_binary_handler(bprm); | |
1627 | + ccs_finish_execve(retval, ee); | |
1628 | + return retval; | |
1629 | +} | |
1630 | + | |
1631 | +#else | |
1632 | + | |
1633 | +/** | |
1634 | + * __ccs_search_binary_handler - Main routine for do_execve(). | |
1635 | + * | |
1636 | + * @bprm: Pointer to "struct linux_binprm". | |
1637 | + * @regs: Pointer to "struct pt_regs". | |
1638 | + * | |
1639 | + * Returns 0 on success, negative value otherwise. | |
1640 | + * | |
1641 | + * Performs permission checks for do_execve() and domain transition. | |
1642 | + * Domain transition by "struct ccs_domain_transition_control" and | |
1643 | + * "auto_domain_transition=" parameter of "struct ccs_condition" are reverted | |
1644 | + * if do_execve() failed. | |
1645 | + * Garbage collector does not remove "struct ccs_domain_info" from | |
1646 | + * ccs_domain_list nor kfree("struct ccs_domain_info") if the current thread is | |
1647 | + * marked as CCS_TASK_IS_IN_EXECVE. | |
1648 | + */ | |
1649 | +static int __ccs_search_binary_handler(struct linux_binprm *bprm, | |
1650 | + struct pt_regs *regs) | |
1651 | +{ | |
1652 | + struct ccs_execve *ee; | |
1653 | + int retval; | |
1654 | +#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER | |
1655 | + if (!ccs_policy_loaded) | |
1656 | + ccsecurity_exports.load_policy(bprm->filename); | |
1657 | +#endif | |
1658 | + retval = ccs_start_execve(bprm, &ee); | |
1659 | + if (!retval) | |
1660 | + retval = search_binary_handler(bprm, regs); | |
1661 | + ccs_finish_execve(retval, ee); | |
1662 | + return retval; | |
1663 | +} | |
1664 | + | |
1665 | +#endif | |
1666 | + | |
1667 | +/** | |
1668 | + * ccs_permission_init - Register permission check hooks. | |
1669 | + * | |
1670 | + * Returns nothing. | |
1671 | + */ | |
1672 | +void __init ccs_permission_init(void) | |
1673 | +{ | |
1674 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32) | |
1675 | + ccsecurity_ops.save_open_mode = __ccs_save_open_mode; | |
1676 | + ccsecurity_ops.clear_open_mode = __ccs_clear_open_mode; | |
1677 | + ccsecurity_ops.open_permission = __ccs_open_permission; | |
1678 | +#else | |
1679 | + ccsecurity_ops.open_permission = ccs_new_open_permission; | |
1680 | +#endif | |
1681 | + ccsecurity_ops.fcntl_permission = __ccs_fcntl_permission; | |
1682 | + ccsecurity_ops.ioctl_permission = __ccs_ioctl_permission; | |
1683 | + ccsecurity_ops.chmod_permission = __ccs_chmod_permission; | |
1684 | + ccsecurity_ops.chown_permission = __ccs_chown_permission; | |
1685 | +#ifdef CONFIG_CCSECURITY_FILE_GETATTR | |
1686 | + ccsecurity_ops.getattr_permission = __ccs_getattr_permission; | |
1687 | +#endif | |
1688 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) | |
1689 | + ccsecurity_ops.pivot_root_permission = __ccs_pivot_root_permission; | |
1690 | + ccsecurity_ops.chroot_permission = __ccs_chroot_permission; | |
1691 | +#else | |
1692 | + ccsecurity_ops.pivot_root_permission = ccs_old_pivot_root_permission; | |
1693 | + ccsecurity_ops.chroot_permission = ccs_old_chroot_permission; | |
1694 | +#endif | |
1695 | + ccsecurity_ops.umount_permission = __ccs_umount_permission; | |
1696 | + ccsecurity_ops.mknod_permission = __ccs_mknod_permission; | |
1697 | + ccsecurity_ops.mkdir_permission = __ccs_mkdir_permission; | |
1698 | + ccsecurity_ops.rmdir_permission = __ccs_rmdir_permission; | |
1699 | + ccsecurity_ops.unlink_permission = __ccs_unlink_permission; | |
1700 | + ccsecurity_ops.symlink_permission = __ccs_symlink_permission; | |
1701 | + ccsecurity_ops.truncate_permission = __ccs_truncate_permission; | |
1702 | + ccsecurity_ops.rename_permission = __ccs_rename_permission; | |
1703 | + ccsecurity_ops.link_permission = __ccs_link_permission; | |
1704 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 30) | |
1705 | + ccsecurity_ops.open_exec_permission = __ccs_open_exec_permission; | |
1706 | + ccsecurity_ops.uselib_permission = __ccs_uselib_permission; | |
1707 | +#endif | |
1708 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) || (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL)) | |
1709 | + ccsecurity_ops.parse_table = __ccs_parse_table; | |
1710 | +#endif | |
1711 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) | |
1712 | + ccsecurity_ops.mount_permission = __ccs_mount_permission; | |
1713 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) | |
1714 | + ccsecurity_ops.move_mount_permission = __ccs_move_mount_permission; | |
1715 | +#endif | |
1716 | +#else | |
1717 | + ccsecurity_ops.mount_permission = ccs_old_mount_permission; | |
1718 | +#endif | |
1719 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
1720 | + ccsecurity_ops.socket_create_permission = | |
1721 | + __ccs_socket_create_permission; | |
1722 | +#endif | |
1723 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
1724 | + ccsecurity_ops.socket_listen_permission = | |
1725 | + __ccs_socket_listen_permission; | |
1726 | + ccsecurity_ops.socket_connect_permission = | |
1727 | + __ccs_socket_connect_permission; | |
1728 | + ccsecurity_ops.socket_bind_permission = __ccs_socket_bind_permission; | |
1729 | + ccsecurity_ops.socket_post_accept_permission = | |
1730 | + __ccs_socket_post_accept_permission; | |
1731 | + ccsecurity_ops.socket_sendmsg_permission = | |
1732 | + __ccs_socket_sendmsg_permission; | |
1733 | +#endif | |
1734 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
1735 | + ccsecurity_ops.socket_post_recvmsg_permission = | |
1736 | + __ccs_socket_post_recvmsg_permission; | |
1737 | +#endif | |
1738 | +#ifdef CONFIG_CCSECURITY_IPC | |
1739 | + ccsecurity_ops.kill_permission = ccs_signal_acl; | |
1740 | + ccsecurity_ops.tgkill_permission = ccs_signal_acl0; | |
1741 | + ccsecurity_ops.tkill_permission = ccs_signal_acl; | |
1742 | + ccsecurity_ops.sigqueue_permission = ccs_signal_acl; | |
1743 | + ccsecurity_ops.tgsigqueue_permission = ccs_signal_acl0; | |
1744 | +#endif | |
1745 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
1746 | + ccsecurity_ops.capable = __ccs_capable; | |
1747 | + ccsecurity_ops.ptrace_permission = __ccs_ptrace_permission; | |
1748 | +#endif | |
1749 | + ccsecurity_ops.search_binary_handler = __ccs_search_binary_handler; | |
1750 | +} | |
1751 | + | |
1752 | +/** | |
1753 | + * ccs_kern_path - Wrapper for kern_path(). | |
1754 | + * | |
1755 | + * @pathname: Pathname to resolve. Maybe NULL. | |
1756 | + * @flags: Lookup flags. | |
1757 | + * @path: Pointer to "struct path". | |
1758 | + * | |
1759 | + * Returns 0 on success, negative value otherwise. | |
1760 | + */ | |
1761 | +static int ccs_kern_path(const char *pathname, int flags, struct path *path) | |
1762 | +{ | |
1763 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 28) | |
1764 | + if (!pathname || kern_path(pathname, flags, path)) | |
1765 | + return -ENOENT; | |
1766 | +#else | |
1767 | + struct nameidata nd; | |
1768 | + if (!pathname || path_lookup(pathname, flags, &nd)) | |
1769 | + return -ENOENT; | |
1770 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) | |
1771 | + *path = nd.path; | |
1772 | +#else | |
1773 | + path->dentry = nd.dentry; | |
1774 | + path->mnt = nd.mnt; | |
1775 | +#endif | |
1776 | +#endif | |
1777 | + return 0; | |
1778 | +} | |
1779 | + | |
1780 | +/** | |
1781 | + * ccs_get_path - Get dentry/vfsmmount of a pathname. | |
1782 | + * | |
1783 | + * @pathname: The pathname to solve. Maybe NULL. | |
1784 | + * @path: Pointer to "struct path". | |
1785 | + * | |
1786 | + * Returns 0 on success, negative value otherwise. | |
1787 | + */ | |
1788 | +static int ccs_get_path(const char *pathname, struct path *path) | |
1789 | +{ | |
1790 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0) | |
1791 | + return ccs_kern_path(pathname, LOOKUP_FOLLOW, path); | |
1792 | +#else | |
1793 | + return ccs_kern_path(pathname, LOOKUP_FOLLOW | LOOKUP_POSITIVE, path); | |
1794 | +#endif | |
1795 | +} | |
1796 | + | |
1797 | +/** | |
1798 | + * ccs_symlink_path - Get symlink's pathname. | |
1799 | + * | |
1800 | + * @pathname: The pathname to solve. Maybe NULL. | |
1801 | + * @name: Pointer to "struct ccs_path_info". | |
1802 | + * | |
1803 | + * Returns 0 on success, negative value otherwise. | |
1804 | + * | |
1805 | + * This function uses kzalloc(), so caller must kfree() if this function | |
1806 | + * didn't return NULL. | |
1807 | + */ | |
1808 | +static int ccs_symlink_path(const char *pathname, struct ccs_path_info *name) | |
1809 | +{ | |
1810 | + char *buf; | |
1811 | + struct path path; | |
1812 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0) | |
1813 | + if (ccs_kern_path(pathname, 0, &path)) | |
1814 | + return -ENOENT; | |
1815 | +#else | |
1816 | + if (ccs_kern_path(pathname, LOOKUP_POSITIVE, &path)) | |
1817 | + return -ENOENT; | |
1818 | +#endif | |
1819 | + buf = ccs_realpath(&path); | |
1820 | + path_put(&path); | |
1821 | + if (buf) { | |
1822 | + name->name = buf; | |
1823 | + ccs_fill_path_info(name); | |
1824 | + return 0; | |
1825 | + } | |
1826 | + return -ENOMEM; | |
1827 | +} | |
1828 | + | |
1829 | +/** | |
1830 | + * ccs_check_mount_acl - Check permission for path path path number operation. | |
1831 | + * | |
1832 | + * @r: Pointer to "struct ccs_request_info". | |
1833 | + * @ptr: Pointer to "struct ccs_acl_info". | |
1834 | + * | |
1835 | + * Returns true if granted, false otherwise. | |
1836 | + */ | |
1837 | +static bool ccs_check_mount_acl(struct ccs_request_info *r, | |
1838 | + const struct ccs_acl_info *ptr) | |
1839 | +{ | |
1840 | + const struct ccs_mount_acl *acl = | |
1841 | + container_of(ptr, typeof(*acl), head); | |
1842 | + return ccs_compare_number_union(r->param.mount.flags, &acl->flags) && | |
1843 | + ccs_compare_name_union(r->param.mount.type, &acl->fs_type) && | |
1844 | + ccs_compare_name_union(r->param.mount.dir, &acl->dir_name) && | |
1845 | + (!r->param.mount.need_dev || | |
1846 | + ccs_compare_name_union(r->param.mount.dev, &acl->dev_name)); | |
1847 | +} | |
1848 | + | |
1849 | +/** | |
1850 | + * ccs_mount_acl - Check permission for mount() operation. | |
1851 | + * | |
1852 | + * @r: Pointer to "struct ccs_request_info". | |
1853 | + * @dev_name: Name of device file. Maybe NULL. | |
1854 | + * @dir: Pointer to "struct path". | |
1855 | + * @type: Name of filesystem type. | |
1856 | + * @flags: Mount options. | |
1857 | + * | |
1858 | + * Returns 0 on success, negative value otherwise. | |
1859 | + * | |
1860 | + * Caller holds ccs_read_lock(). | |
1861 | + */ | |
1862 | +static int ccs_mount_acl(struct ccs_request_info *r, const char *dev_name, | |
1863 | + const struct path *dir, const char *type, | |
1864 | + unsigned long flags) | |
1865 | +{ | |
1866 | + struct ccs_obj_info obj = { }; | |
1867 | + struct file_system_type *fstype = NULL; | |
1868 | + const char *requested_type = NULL; | |
1869 | + const char *requested_dir_name = NULL; | |
1870 | + const char *requested_dev_name = NULL; | |
1871 | + struct ccs_path_info rtype; | |
1872 | + struct ccs_path_info rdev; | |
1873 | + struct ccs_path_info rdir; | |
1874 | + int need_dev = 0; | |
1875 | + int error = -ENOMEM; | |
1876 | + r->obj = &obj; | |
1877 | + | |
1878 | + /* Get fstype. */ | |
1879 | + requested_type = ccs_encode(type); | |
1880 | + if (!requested_type) | |
1881 | + goto out; | |
1882 | + rtype.name = requested_type; | |
1883 | + ccs_fill_path_info(&rtype); | |
1884 | + | |
1885 | + /* Get mount point. */ | |
1886 | + obj.path2 = *dir; | |
1887 | + requested_dir_name = ccs_realpath(dir); | |
1888 | + if (!requested_dir_name) { | |
1889 | + error = -ENOMEM; | |
1890 | + goto out; | |
1891 | + } | |
1892 | + rdir.name = requested_dir_name; | |
1893 | + ccs_fill_path_info(&rdir); | |
1894 | + | |
1895 | + /* Compare fs name. */ | |
1896 | + if (type == ccs_mounts[CCS_MOUNT_REMOUNT]) { | |
1897 | + /* dev_name is ignored. */ | |
1898 | + } else if (type == ccs_mounts[CCS_MOUNT_MAKE_UNBINDABLE] || | |
1899 | + type == ccs_mounts[CCS_MOUNT_MAKE_PRIVATE] || | |
1900 | + type == ccs_mounts[CCS_MOUNT_MAKE_SLAVE] || | |
1901 | + type == ccs_mounts[CCS_MOUNT_MAKE_SHARED]) { | |
1902 | + /* dev_name is ignored. */ | |
1903 | + } else if (type == ccs_mounts[CCS_MOUNT_BIND] || | |
1904 | + type == ccs_mounts[CCS_MOUNT_MOVE]) { | |
1905 | + need_dev = -1; /* dev_name is a directory */ | |
1906 | + } else { | |
1907 | + fstype = get_fs_type(type); | |
1908 | + if (!fstype) { | |
1909 | + error = -ENODEV; | |
1910 | + goto out; | |
1911 | + } | |
1912 | + if (fstype->fs_flags & FS_REQUIRES_DEV) | |
1913 | + /* dev_name is a block device file. */ | |
1914 | + need_dev = 1; | |
1915 | + } | |
1916 | + if (need_dev) { | |
1917 | + /* Get mount point or device file. */ | |
1918 | + if (ccs_get_path(dev_name, &obj.path1)) { | |
1919 | + error = -ENOENT; | |
1920 | + goto out; | |
1921 | + } | |
1922 | + requested_dev_name = ccs_realpath(&obj.path1); | |
1923 | + if (!requested_dev_name) { | |
1924 | + error = -ENOENT; | |
1925 | + goto out; | |
1926 | + } | |
1927 | + } else { | |
1928 | + /* Map dev_name to "<NULL>" if no dev_name given. */ | |
1929 | + if (!dev_name) | |
1930 | + dev_name = "<NULL>"; | |
1931 | + requested_dev_name = ccs_encode(dev_name); | |
1932 | + if (!requested_dev_name) { | |
1933 | + error = -ENOMEM; | |
1934 | + goto out; | |
1935 | + } | |
1936 | + } | |
1937 | + rdev.name = requested_dev_name; | |
1938 | + ccs_fill_path_info(&rdev); | |
1939 | + r->param_type = CCS_TYPE_MOUNT_ACL; | |
1940 | + r->param.mount.need_dev = need_dev; | |
1941 | + r->param.mount.dev = &rdev; | |
1942 | + r->param.mount.dir = &rdir; | |
1943 | + r->param.mount.type = &rtype; | |
1944 | + r->param.mount.flags = flags; | |
1945 | + error = ccs_check_acl(r); | |
1946 | +out: | |
1947 | + kfree(requested_dev_name); | |
1948 | + kfree(requested_dir_name); | |
1949 | + if (fstype) | |
1950 | + ccs_put_filesystem(fstype); | |
1951 | + kfree(requested_type); | |
1952 | + /* Drop refcount obtained by ccs_get_path(). */ | |
1953 | + if (obj.path1.dentry) | |
1954 | + path_put(&obj.path1); | |
1955 | + return error; | |
1956 | +} | |
1957 | + | |
1958 | +/** | |
1959 | + * __ccs_mount_permission - Check permission for mount() operation. | |
1960 | + * | |
1961 | + * @dev_name: Name of device file. Maybe NULL. | |
1962 | + * @path: Pointer to "struct path". | |
1963 | + * @type: Name of filesystem type. Maybe NULL. | |
1964 | + * @flags: Mount options. | |
1965 | + * @data_page: Optional data. Maybe NULL. | |
1966 | + * | |
1967 | + * Returns 0 on success, negative value otherwise. | |
1968 | + */ | |
1969 | +static int __ccs_mount_permission(const char *dev_name, | |
1970 | + const struct path *path, const char *type, | |
1971 | + unsigned long flags, void *data_page) | |
1972 | +{ | |
1973 | + struct ccs_request_info r; | |
1974 | + int error = 0; | |
1975 | + int idx; | |
1976 | + if ((flags & MS_MGC_MSK) == MS_MGC_VAL) | |
1977 | + flags &= ~MS_MGC_MSK; | |
1978 | + if (flags & MS_REMOUNT) { | |
1979 | + type = ccs_mounts[CCS_MOUNT_REMOUNT]; | |
1980 | + flags &= ~MS_REMOUNT; | |
1981 | + } else if (flags & MS_BIND) { | |
1982 | + type = ccs_mounts[CCS_MOUNT_BIND]; | |
1983 | + flags &= ~MS_BIND; | |
1984 | + } else if (flags & MS_SHARED) { | |
1985 | + if (flags & (MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE)) | |
1986 | + return -EINVAL; | |
1987 | + type = ccs_mounts[CCS_MOUNT_MAKE_SHARED]; | |
1988 | + flags &= ~MS_SHARED; | |
1989 | + } else if (flags & MS_PRIVATE) { | |
1990 | + if (flags & (MS_SHARED | MS_SLAVE | MS_UNBINDABLE)) | |
1991 | + return -EINVAL; | |
1992 | + type = ccs_mounts[CCS_MOUNT_MAKE_PRIVATE]; | |
1993 | + flags &= ~MS_PRIVATE; | |
1994 | + } else if (flags & MS_SLAVE) { | |
1995 | + if (flags & (MS_SHARED | MS_PRIVATE | MS_UNBINDABLE)) | |
1996 | + return -EINVAL; | |
1997 | + type = ccs_mounts[CCS_MOUNT_MAKE_SLAVE]; | |
1998 | + flags &= ~MS_SLAVE; | |
1999 | + } else if (flags & MS_UNBINDABLE) { | |
2000 | + if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE)) | |
2001 | + return -EINVAL; | |
2002 | + type = ccs_mounts[CCS_MOUNT_MAKE_UNBINDABLE]; | |
2003 | + flags &= ~MS_UNBINDABLE; | |
2004 | + } else if (flags & MS_MOVE) { | |
2005 | + type = ccs_mounts[CCS_MOUNT_MOVE]; | |
2006 | + flags &= ~MS_MOVE; | |
2007 | + } | |
2008 | + if (!type) | |
2009 | + type = "<NULL>"; | |
2010 | + idx = ccs_read_lock(); | |
2011 | + if (ccs_init_request_info(&r, CCS_MAC_FILE_MOUNT) | |
2012 | + != CCS_CONFIG_DISABLED) | |
2013 | + error = ccs_mount_acl(&r, dev_name, path, type, flags); | |
2014 | + ccs_read_unlock(idx); | |
2015 | + return error; | |
2016 | +} | |
2017 | + | |
2018 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24) | |
2019 | + | |
2020 | +/** | |
2021 | + * ccs_old_mount_permission - Check permission for mount() operation. | |
2022 | + * | |
2023 | + * @dev_name: Name of device file. | |
2024 | + * @nd: Pointer to "struct nameidata". | |
2025 | + * @type: Name of filesystem type. Maybe NULL. | |
2026 | + * @flags: Mount options. | |
2027 | + * @data_page: Optional data. Maybe NULL. | |
2028 | + * | |
2029 | + * Returns 0 on success, negative value otherwise. | |
2030 | + */ | |
2031 | +static int ccs_old_mount_permission(const char *dev_name, struct nameidata *nd, | |
2032 | + const char *type, unsigned long flags, | |
2033 | + void *data_page) | |
2034 | +{ | |
2035 | + struct path path = { nd->mnt, nd->dentry }; | |
2036 | + return __ccs_mount_permission(dev_name, &path, type, flags, data_page); | |
2037 | +} | |
2038 | + | |
2039 | +#endif | |
2040 | + | |
2041 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) | |
2042 | +/** | |
2043 | + * __ccs_move_mount_permission - Check permission for move_mount() operation. | |
2044 | + * | |
2045 | + * @from_path: Pointer to "struct path". | |
2046 | + * @to_path: Pointer to "struct path". | |
2047 | + * | |
2048 | + * Returns 0 on success, negative value otherwise. | |
2049 | + */ | |
2050 | +static int __ccs_move_mount_permission(const struct path *from_path, | |
2051 | + const struct path *to_path) | |
2052 | +{ | |
2053 | + return -ENOSYS; /* For now. */ | |
2054 | +} | |
2055 | +#endif | |
2056 | + | |
2057 | +/** | |
2058 | + * ccs_compare_number_union - Check whether a value matches "struct ccs_number_union" or not. | |
2059 | + * | |
2060 | + * @value: Number to check. | |
2061 | + * @ptr: Pointer to "struct ccs_number_union". | |
2062 | + * | |
2063 | + * Returns true if @value matches @ptr, false otherwise. | |
2064 | + */ | |
2065 | +static bool ccs_compare_number_union(const unsigned long value, | |
2066 | + const struct ccs_number_union *ptr) | |
2067 | +{ | |
2068 | + if (ptr->group) | |
2069 | + return ccs_number_matches_group(value, value, ptr->group); | |
2070 | + return value >= ptr->values[0] && value <= ptr->values[1]; | |
2071 | +} | |
2072 | + | |
2073 | +/** | |
2074 | + * ccs_compare_name_union - Check whether a name matches "struct ccs_name_union" or not. | |
2075 | + * | |
2076 | + * @name: Pointer to "struct ccs_path_info". | |
2077 | + * @ptr: Pointer to "struct ccs_name_union". | |
2078 | + * | |
2079 | + * Returns "struct ccs_path_info" if @name matches @ptr, NULL otherwise. | |
2080 | + */ | |
2081 | +static const struct ccs_path_info *ccs_compare_name_union | |
2082 | +(const struct ccs_path_info *name, const struct ccs_name_union *ptr) | |
2083 | +{ | |
2084 | + if (ptr->group) | |
2085 | + return ccs_path_matches_group(name, ptr->group); | |
2086 | + if (ccs_path_matches_pattern(name, ptr->filename)) | |
2087 | + return ptr->filename; | |
2088 | + return NULL; | |
2089 | +} | |
2090 | + | |
2091 | +/** | |
2092 | + * ccs_add_slash - Add trailing '/' if needed. | |
2093 | + * | |
2094 | + * @buf: Pointer to "struct ccs_path_info". | |
2095 | + * | |
2096 | + * Returns nothing. | |
2097 | + * | |
2098 | + * @buf must be generated by ccs_encode() because this function does not | |
2099 | + * allocate memory for adding '/'. | |
2100 | + */ | |
2101 | +static void ccs_add_slash(struct ccs_path_info *buf) | |
2102 | +{ | |
2103 | + if (buf->is_dir) | |
2104 | + return; | |
2105 | + /* This is OK because ccs_encode() reserves space for appending "/". */ | |
2106 | + strcat((char *) buf->name, "/"); | |
2107 | + ccs_fill_path_info(buf); | |
2108 | +} | |
2109 | + | |
2110 | +/** | |
2111 | + * ccs_get_realpath - Get realpath. | |
2112 | + * | |
2113 | + * @buf: Pointer to "struct ccs_path_info". | |
2114 | + * @path: Pointer to "struct path". @path->mnt may be NULL. | |
2115 | + * | |
2116 | + * Returns true on success, false otherwise. | |
2117 | + */ | |
2118 | +static bool ccs_get_realpath(struct ccs_path_info *buf, struct path *path) | |
2119 | +{ | |
2120 | + buf->name = ccs_realpath(path); | |
2121 | + if (buf->name) { | |
2122 | + ccs_fill_path_info(buf); | |
2123 | + return true; | |
2124 | + } | |
2125 | + return false; | |
2126 | +} | |
2127 | + | |
2128 | +/** | |
2129 | + * ccs_check_path_acl - Check permission for path operation. | |
2130 | + * | |
2131 | + * @r: Pointer to "struct ccs_request_info". | |
2132 | + * @ptr: Pointer to "struct ccs_acl_info". | |
2133 | + * | |
2134 | + * Returns true if granted, false otherwise. | |
2135 | + * | |
2136 | + * To be able to use wildcard for domain transition, this function sets | |
2137 | + * matching entry on success. Since the caller holds ccs_read_lock(), | |
2138 | + * it is safe to set matching entry. | |
2139 | + */ | |
2140 | +static bool ccs_check_path_acl(struct ccs_request_info *r, | |
2141 | + const struct ccs_acl_info *ptr) | |
2142 | +{ | |
2143 | + const struct ccs_path_acl *acl = container_of(ptr, typeof(*acl), head); | |
2144 | + if (ptr->perm & (1 << r->param.path.operation)) { | |
2145 | + r->param.path.matched_path = | |
2146 | + ccs_compare_name_union(r->param.path.filename, | |
2147 | + &acl->name); | |
2148 | + return r->param.path.matched_path != NULL; | |
2149 | + } | |
2150 | + return false; | |
2151 | +} | |
2152 | + | |
2153 | +/** | |
2154 | + * ccs_check_path_number_acl - Check permission for path number operation. | |
2155 | + * | |
2156 | + * @r: Pointer to "struct ccs_request_info". | |
2157 | + * @ptr: Pointer to "struct ccs_acl_info". | |
2158 | + * | |
2159 | + * Returns true if granted, false otherwise. | |
2160 | + */ | |
2161 | +static bool ccs_check_path_number_acl(struct ccs_request_info *r, | |
2162 | + const struct ccs_acl_info *ptr) | |
2163 | +{ | |
2164 | + const struct ccs_path_number_acl *acl = | |
2165 | + container_of(ptr, typeof(*acl), head); | |
2166 | + return (ptr->perm & (1 << r->param.path_number.operation)) && | |
2167 | + ccs_compare_number_union(r->param.path_number.number, | |
2168 | + &acl->number) && | |
2169 | + ccs_compare_name_union(r->param.path_number.filename, | |
2170 | + &acl->name); | |
2171 | +} | |
2172 | + | |
2173 | +/** | |
2174 | + * ccs_check_path2_acl - Check permission for path path operation. | |
2175 | + * | |
2176 | + * @r: Pointer to "struct ccs_request_info". | |
2177 | + * @ptr: Pointer to "struct ccs_acl_info". | |
2178 | + * | |
2179 | + * Returns true if granted, false otherwise. | |
2180 | + */ | |
2181 | +static bool ccs_check_path2_acl(struct ccs_request_info *r, | |
2182 | + const struct ccs_acl_info *ptr) | |
2183 | +{ | |
2184 | + const struct ccs_path2_acl *acl = | |
2185 | + container_of(ptr, typeof(*acl), head); | |
2186 | + return (ptr->perm & (1 << r->param.path2.operation)) && | |
2187 | + ccs_compare_name_union(r->param.path2.filename1, &acl->name1) | |
2188 | + && ccs_compare_name_union(r->param.path2.filename2, | |
2189 | + &acl->name2); | |
2190 | +} | |
2191 | + | |
2192 | +/** | |
2193 | + * ccs_check_mkdev_acl - Check permission for path number number number operation. | |
2194 | + * | |
2195 | + * @r: Pointer to "struct ccs_request_info". | |
2196 | + * @ptr: Pointer to "struct ccs_acl_info". | |
2197 | + * | |
2198 | + * Returns true if granted, false otherwise. | |
2199 | + */ | |
2200 | +static bool ccs_check_mkdev_acl(struct ccs_request_info *r, | |
2201 | + const struct ccs_acl_info *ptr) | |
2202 | +{ | |
2203 | + const struct ccs_mkdev_acl *acl = | |
2204 | + container_of(ptr, typeof(*acl), head); | |
2205 | + return (ptr->perm & (1 << r->param.mkdev.operation)) && | |
2206 | + ccs_compare_number_union(r->param.mkdev.mode, &acl->mode) && | |
2207 | + ccs_compare_number_union(r->param.mkdev.major, &acl->major) && | |
2208 | + ccs_compare_number_union(r->param.mkdev.minor, &acl->minor) && | |
2209 | + ccs_compare_name_union(r->param.mkdev.filename, &acl->name); | |
2210 | +} | |
2211 | + | |
2212 | +/** | |
2213 | + * ccs_path_permission - Check permission for path operation. | |
2214 | + * | |
2215 | + * @r: Pointer to "struct ccs_request_info". | |
2216 | + * @operation: Type of operation. | |
2217 | + * @filename: Filename to check. | |
2218 | + * | |
2219 | + * Returns 0 on success, negative value otherwise. | |
2220 | + * | |
2221 | + * Caller holds ccs_read_lock(). | |
2222 | + */ | |
2223 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 21) || LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33) || !defined(CONFIG_SYSCTL_SYSCALL) | |
2224 | +static | |
2225 | +#endif | |
2226 | +int ccs_path_permission(struct ccs_request_info *r, u8 operation, | |
2227 | + const struct ccs_path_info *filename) | |
2228 | +{ | |
2229 | + r->type = ccs_p2mac[operation]; | |
2230 | + r->mode = ccs_get_mode(r->profile, r->type); | |
2231 | + if (r->mode == CCS_CONFIG_DISABLED) | |
2232 | + return 0; | |
2233 | + r->param_type = CCS_TYPE_PATH_ACL; | |
2234 | + r->param.path.filename = filename; | |
2235 | + r->param.path.operation = operation; | |
2236 | + return ccs_check_acl(r); | |
2237 | +} | |
2238 | + | |
2239 | +/** | |
2240 | + * ccs_execute_permission - Check permission for execute operation. | |
2241 | + * | |
2242 | + * @r: Pointer to "struct ccs_request_info". | |
2243 | + * @filename: Filename to check. | |
2244 | + * | |
2245 | + * Returns 0 on success, CCS_RETRY_REQUEST on retry, negative value otherwise. | |
2246 | + * | |
2247 | + * Caller holds ccs_read_lock(). | |
2248 | + */ | |
2249 | +static int ccs_execute_permission(struct ccs_request_info *r, | |
2250 | + const struct ccs_path_info *filename) | |
2251 | +{ | |
2252 | + int error; | |
2253 | + /* | |
2254 | + * Unlike other permission checks, this check is done regardless of | |
2255 | + * profile mode settings in order to check for domain transition | |
2256 | + * preference. | |
2257 | + */ | |
2258 | + r->type = CCS_MAC_FILE_EXECUTE; | |
2259 | + r->mode = ccs_get_mode(r->profile, r->type); | |
2260 | + r->param_type = CCS_TYPE_PATH_ACL; | |
2261 | + r->param.path.filename = filename; | |
2262 | + r->param.path.operation = CCS_TYPE_EXECUTE; | |
2263 | + error = ccs_check_acl(r); | |
2264 | + r->ee->transition = r->matched_acl && r->matched_acl->cond && | |
2265 | + r->matched_acl->cond->exec_transit ? | |
2266 | + r->matched_acl->cond->transit : NULL; | |
2267 | + return error; | |
2268 | +} | |
2269 | + | |
2270 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32) | |
2271 | + | |
2272 | +/** | |
2273 | + * __ccs_save_open_mode - Remember original flags passed to sys_open(). | |
2274 | + * | |
2275 | + * @mode: Flags passed to sys_open(). | |
2276 | + * | |
2277 | + * Returns nothing. | |
2278 | + * | |
2279 | + * TOMOYO does not check "file write" if open(path, O_TRUNC | O_RDONLY) was | |
2280 | + * requested because write() is not permitted. Instead, TOMOYO checks | |
2281 | + * "file truncate" if O_TRUNC is passed. | |
2282 | + * | |
2283 | + * TOMOYO does not check "file read" and "file write" if open(path, 3) was | |
2284 | + * requested because read()/write() are not permitted. Instead, TOMOYO checks | |
2285 | + * "file ioctl" when ioctl() is requested. | |
2286 | + */ | |
2287 | +static void __ccs_save_open_mode(int mode) | |
2288 | +{ | |
2289 | + if ((mode & 3) == 3) | |
2290 | + ccs_current_security()->ccs_flags |= CCS_OPEN_FOR_IOCTL_ONLY; | |
2291 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 14) | |
2292 | + /* O_TRUNC passes MAY_WRITE to ccs_open_permission(). */ | |
2293 | + else if (!(mode & 3) && (mode & O_TRUNC)) | |
2294 | + ccs_current_security()->ccs_flags |= | |
2295 | + CCS_OPEN_FOR_READ_TRUNCATE; | |
2296 | +#endif | |
2297 | +} | |
2298 | + | |
2299 | +/** | |
2300 | + * __ccs_clear_open_mode - Forget original flags passed to sys_open(). | |
2301 | + * | |
2302 | + * Returns nothing. | |
2303 | + */ | |
2304 | +static void __ccs_clear_open_mode(void) | |
2305 | +{ | |
2306 | + ccs_current_security()->ccs_flags &= ~(CCS_OPEN_FOR_IOCTL_ONLY | | |
2307 | + CCS_OPEN_FOR_READ_TRUNCATE); | |
2308 | +} | |
2309 | + | |
2310 | +#endif | |
2311 | + | |
2312 | +/** | |
2313 | + * __ccs_open_permission - Check permission for "read" and "write". | |
2314 | + * | |
2315 | + * @dentry: Pointer to "struct dentry". | |
2316 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2317 | + * @flag: Flags for open(). | |
2318 | + * | |
2319 | + * Returns 0 on success, negative value otherwise. | |
2320 | + */ | |
2321 | +static int __ccs_open_permission(struct dentry *dentry, struct vfsmount *mnt, | |
2322 | + const int flag) | |
2323 | +{ | |
2324 | + struct ccs_request_info r; | |
2325 | + struct ccs_obj_info obj = { | |
2326 | + .path1.dentry = dentry, | |
2327 | + .path1.mnt = mnt, | |
2328 | + }; | |
2329 | + const u32 ccs_flags = ccs_current_flags(); | |
2330 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33) | |
2331 | + const u8 acc_mode = (flag & 3) == 3 ? 0 : ACC_MODE(flag); | |
2332 | +#else | |
2333 | + const u8 acc_mode = (ccs_flags & CCS_OPEN_FOR_IOCTL_ONLY) ? 0 : | |
2334 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 14) | |
2335 | + (ccs_flags & CCS_OPEN_FOR_READ_TRUNCATE) ? 4 : | |
2336 | +#endif | |
2337 | + ACC_MODE(flag); | |
2338 | +#endif | |
2339 | + int error = 0; | |
2340 | + struct ccs_path_info buf; | |
2341 | + int idx; | |
2342 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 30) | |
2343 | + if (current->in_execve && !(ccs_flags & CCS_TASK_IS_IN_EXECVE)) | |
2344 | + return 0; | |
2345 | +#endif | |
2346 | +#ifndef CONFIG_CCSECURITY_FILE_READDIR | |
2347 | + if (d_is_dir(dentry)) | |
2348 | + return 0; | |
2349 | +#endif | |
2350 | + buf.name = NULL; | |
2351 | + r.mode = CCS_CONFIG_DISABLED; | |
2352 | + idx = ccs_read_lock(); | |
2353 | + if (acc_mode && ccs_init_request_info(&r, CCS_MAC_FILE_OPEN) | |
2354 | + != CCS_CONFIG_DISABLED) { | |
2355 | + if (!ccs_get_realpath(&buf, &obj.path1)) { | |
2356 | + error = -ENOMEM; | |
2357 | + goto out; | |
2358 | + } | |
2359 | + r.obj = &obj; | |
2360 | + if (acc_mode & MAY_READ) | |
2361 | + error = ccs_path_permission(&r, CCS_TYPE_READ, &buf); | |
2362 | + if (!error && (acc_mode & MAY_WRITE)) | |
2363 | + error = ccs_path_permission(&r, (flag & O_APPEND) ? | |
2364 | + CCS_TYPE_APPEND : | |
2365 | + CCS_TYPE_WRITE, &buf); | |
2366 | + } | |
2367 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32) | |
2368 | + if (!error && (flag & O_TRUNC) && | |
2369 | + ccs_init_request_info(&r, CCS_MAC_FILE_TRUNCATE) | |
2370 | + != CCS_CONFIG_DISABLED) { | |
2371 | + if (!buf.name && !ccs_get_realpath(&buf, &obj.path1)) { | |
2372 | + error = -ENOMEM; | |
2373 | + goto out; | |
2374 | + } | |
2375 | + r.obj = &obj; | |
2376 | + error = ccs_path_permission(&r, CCS_TYPE_TRUNCATE, &buf); | |
2377 | + } | |
2378 | +#endif | |
2379 | +out: | |
2380 | + kfree(buf.name); | |
2381 | + ccs_read_unlock(idx); | |
2382 | + if (r.mode != CCS_CONFIG_ENFORCING) | |
2383 | + error = 0; | |
2384 | + return error; | |
2385 | +} | |
2386 | + | |
2387 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33) | |
2388 | + | |
2389 | +/** | |
2390 | + * ccs_new_open_permission - Check permission for "read" and "write". | |
2391 | + * | |
2392 | + * @filp: Pointer to "struct file". | |
2393 | + * | |
2394 | + * Returns 0 on success, negative value otherwise. | |
2395 | + */ | |
2396 | +static int ccs_new_open_permission(struct file *filp) | |
2397 | +{ | |
2398 | + return __ccs_open_permission(filp->f_path.dentry, filp->f_path.mnt, | |
2399 | + filp->f_flags); | |
2400 | +} | |
2401 | + | |
2402 | +#endif | |
2403 | + | |
2404 | +/** | |
2405 | + * ccs_path_perm - Check permission for "unlink", "rmdir", "truncate", "symlink", "append", "getattr", "chroot" and "unmount". | |
2406 | + * | |
2407 | + * @operation: Type of operation. | |
2408 | + * @dentry: Pointer to "struct dentry". | |
2409 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2410 | + * @target: Symlink's target if @operation is CCS_TYPE_SYMLINK, | |
2411 | + * NULL otherwise. | |
2412 | + * | |
2413 | + * Returns 0 on success, negative value otherwise. | |
2414 | + */ | |
2415 | +static int ccs_path_perm(const u8 operation, struct dentry *dentry, | |
2416 | + struct vfsmount *mnt, const char *target) | |
2417 | +{ | |
2418 | + struct ccs_request_info r; | |
2419 | + struct ccs_obj_info obj = { | |
2420 | + .path1.dentry = dentry, | |
2421 | + .path1.mnt = mnt, | |
2422 | + }; | |
2423 | + int error = 0; | |
2424 | + struct ccs_path_info buf; | |
2425 | + bool is_enforce = false; | |
2426 | + struct ccs_path_info symlink_target; | |
2427 | + int idx; | |
2428 | + buf.name = NULL; | |
2429 | + symlink_target.name = NULL; | |
2430 | + idx = ccs_read_lock(); | |
2431 | + if (ccs_init_request_info(&r, ccs_p2mac[operation]) | |
2432 | + == CCS_CONFIG_DISABLED) | |
2433 | + goto out; | |
2434 | + is_enforce = (r.mode == CCS_CONFIG_ENFORCING); | |
2435 | + error = -ENOMEM; | |
2436 | + if (!ccs_get_realpath(&buf, &obj.path1)) | |
2437 | + goto out; | |
2438 | + r.obj = &obj; | |
2439 | + switch (operation) { | |
2440 | + case CCS_TYPE_RMDIR: | |
2441 | + case CCS_TYPE_CHROOT: | |
2442 | + ccs_add_slash(&buf); | |
2443 | + break; | |
2444 | + case CCS_TYPE_SYMLINK: | |
2445 | + symlink_target.name = ccs_encode(target); | |
2446 | + if (!symlink_target.name) | |
2447 | + goto out; | |
2448 | + ccs_fill_path_info(&symlink_target); | |
2449 | + obj.symlink_target = &symlink_target; | |
2450 | + break; | |
2451 | + } | |
2452 | + error = ccs_path_permission(&r, operation, &buf); | |
2453 | + if (operation == CCS_TYPE_SYMLINK) | |
2454 | + kfree(symlink_target.name); | |
2455 | +out: | |
2456 | + kfree(buf.name); | |
2457 | + ccs_read_unlock(idx); | |
2458 | + if (!is_enforce) | |
2459 | + error = 0; | |
2460 | + return error; | |
2461 | +} | |
2462 | + | |
2463 | +/** | |
2464 | + * ccs_mkdev_perm - Check permission for "mkblock" and "mkchar". | |
2465 | + * | |
2466 | + * @operation: Type of operation. (CCS_TYPE_MKCHAR or CCS_TYPE_MKBLOCK) | |
2467 | + * @dentry: Pointer to "struct dentry". | |
2468 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2469 | + * @mode: Create mode. | |
2470 | + * @dev: Device number. | |
2471 | + * | |
2472 | + * Returns 0 on success, negative value otherwise. | |
2473 | + */ | |
2474 | +static int ccs_mkdev_perm(const u8 operation, struct dentry *dentry, | |
2475 | + struct vfsmount *mnt, const unsigned int mode, | |
2476 | + unsigned int dev) | |
2477 | +{ | |
2478 | + struct ccs_request_info r; | |
2479 | + struct ccs_obj_info obj = { | |
2480 | + .path1.dentry = dentry, | |
2481 | + .path1.mnt = mnt, | |
2482 | + }; | |
2483 | + int error = 0; | |
2484 | + struct ccs_path_info buf; | |
2485 | + bool is_enforce = false; | |
2486 | + int idx; | |
2487 | + idx = ccs_read_lock(); | |
2488 | + if (ccs_init_request_info(&r, ccs_pnnn2mac[operation]) | |
2489 | + == CCS_CONFIG_DISABLED) | |
2490 | + goto out; | |
2491 | + is_enforce = (r.mode == CCS_CONFIG_ENFORCING); | |
2492 | + error = -EPERM; | |
2493 | + if (!capable(CAP_MKNOD)) | |
2494 | + goto out; | |
2495 | + error = -ENOMEM; | |
2496 | + if (!ccs_get_realpath(&buf, &obj.path1)) | |
2497 | + goto out; | |
2498 | + r.obj = &obj; | |
2499 | +#ifdef CONFIG_SECURITY_PATH | |
2500 | + dev = new_decode_dev(dev); | |
2501 | +#endif | |
2502 | + r.param_type = CCS_TYPE_MKDEV_ACL; | |
2503 | + r.param.mkdev.filename = &buf; | |
2504 | + r.param.mkdev.operation = operation; | |
2505 | + r.param.mkdev.mode = mode; | |
2506 | + r.param.mkdev.major = MAJOR(dev); | |
2507 | + r.param.mkdev.minor = MINOR(dev); | |
2508 | + error = ccs_check_acl(&r); | |
2509 | + kfree(buf.name); | |
2510 | +out: | |
2511 | + ccs_read_unlock(idx); | |
2512 | + if (!is_enforce) | |
2513 | + error = 0; | |
2514 | + return error; | |
2515 | +} | |
2516 | + | |
2517 | +/** | |
2518 | + * ccs_path2_perm - Check permission for "rename", "link" and "pivot_root". | |
2519 | + * | |
2520 | + * @operation: Type of operation. | |
2521 | + * @dentry1: Pointer to "struct dentry". | |
2522 | + * @mnt1: Pointer to "struct vfsmount". Maybe NULL. | |
2523 | + * @dentry2: Pointer to "struct dentry". | |
2524 | + * @mnt2: Pointer to "struct vfsmount". Maybe NULL. | |
2525 | + * | |
2526 | + * Returns 0 on success, negative value otherwise. | |
2527 | + */ | |
2528 | +static int ccs_path2_perm(const u8 operation, struct dentry *dentry1, | |
2529 | + struct vfsmount *mnt1, struct dentry *dentry2, | |
2530 | + struct vfsmount *mnt2) | |
2531 | +{ | |
2532 | + struct ccs_request_info r; | |
2533 | + int error = 0; | |
2534 | + struct ccs_path_info buf1; | |
2535 | + struct ccs_path_info buf2; | |
2536 | + bool is_enforce = false; | |
2537 | + struct ccs_obj_info obj = { | |
2538 | + .path1.dentry = dentry1, | |
2539 | + .path1.mnt = mnt1, | |
2540 | + .path2.dentry = dentry2, | |
2541 | + .path2.mnt = mnt2, | |
2542 | + }; | |
2543 | + int idx; | |
2544 | + buf1.name = NULL; | |
2545 | + buf2.name = NULL; | |
2546 | + idx = ccs_read_lock(); | |
2547 | + if (ccs_init_request_info(&r, ccs_pp2mac[operation]) | |
2548 | + == CCS_CONFIG_DISABLED) | |
2549 | + goto out; | |
2550 | + is_enforce = (r.mode == CCS_CONFIG_ENFORCING); | |
2551 | + error = -ENOMEM; | |
2552 | + if (!ccs_get_realpath(&buf1, &obj.path1) || | |
2553 | + !ccs_get_realpath(&buf2, &obj.path2)) | |
2554 | + goto out; | |
2555 | + switch (operation) { | |
2556 | + case CCS_TYPE_RENAME: | |
2557 | + case CCS_TYPE_LINK: | |
2558 | + if (!d_is_dir(dentry1)) | |
2559 | + break; | |
2560 | + /* fall through */ | |
2561 | + case CCS_TYPE_PIVOT_ROOT: | |
2562 | + ccs_add_slash(&buf1); | |
2563 | + ccs_add_slash(&buf2); | |
2564 | + break; | |
2565 | + } | |
2566 | + r.obj = &obj; | |
2567 | + r.param_type = CCS_TYPE_PATH2_ACL; | |
2568 | + r.param.path2.operation = operation; | |
2569 | + r.param.path2.filename1 = &buf1; | |
2570 | + r.param.path2.filename2 = &buf2; | |
2571 | + error = ccs_check_acl(&r); | |
2572 | +out: | |
2573 | + kfree(buf1.name); | |
2574 | + kfree(buf2.name); | |
2575 | + ccs_read_unlock(idx); | |
2576 | + if (!is_enforce) | |
2577 | + error = 0; | |
2578 | + return error; | |
2579 | +} | |
2580 | + | |
2581 | +/** | |
2582 | + * ccs_path_number_perm - Check permission for "create", "mkdir", "mkfifo", "mksock", "ioctl", "chmod", "chown", "chgrp". | |
2583 | + * | |
2584 | + * @type: Type of operation. | |
2585 | + * @dentry: Pointer to "struct dentry". | |
2586 | + * @vfsmnt: Pointer to "struct vfsmount". Maybe NULL. | |
2587 | + * @number: Number. | |
2588 | + * | |
2589 | + * Returns 0 on success, negative value otherwise. | |
2590 | + */ | |
2591 | +static int ccs_path_number_perm(const u8 type, struct dentry *dentry, | |
2592 | + struct vfsmount *vfsmnt, unsigned long number) | |
2593 | +{ | |
2594 | + struct ccs_request_info r; | |
2595 | + struct ccs_obj_info obj = { | |
2596 | + .path1.dentry = dentry, | |
2597 | + .path1.mnt = vfsmnt, | |
2598 | + }; | |
2599 | + int error = 0; | |
2600 | + struct ccs_path_info buf; | |
2601 | + int idx; | |
2602 | + if (!dentry) | |
2603 | + return 0; | |
2604 | + idx = ccs_read_lock(); | |
2605 | + if (ccs_init_request_info(&r, ccs_pn2mac[type]) == CCS_CONFIG_DISABLED) | |
2606 | + goto out; | |
2607 | + error = -ENOMEM; | |
2608 | + if (!ccs_get_realpath(&buf, &obj.path1)) | |
2609 | + goto out; | |
2610 | + r.obj = &obj; | |
2611 | + if (type == CCS_TYPE_MKDIR) | |
2612 | + ccs_add_slash(&buf); | |
2613 | + r.param_type = CCS_TYPE_PATH_NUMBER_ACL; | |
2614 | + r.param.path_number.operation = type; | |
2615 | + r.param.path_number.filename = &buf; | |
2616 | + r.param.path_number.number = number; | |
2617 | + error = ccs_check_acl(&r); | |
2618 | + kfree(buf.name); | |
2619 | +out: | |
2620 | + ccs_read_unlock(idx); | |
2621 | + if (r.mode != CCS_CONFIG_ENFORCING) | |
2622 | + error = 0; | |
2623 | + return error; | |
2624 | +} | |
2625 | + | |
2626 | +/** | |
2627 | + * __ccs_ioctl_permission - Check permission for "ioctl". | |
2628 | + * | |
2629 | + * @filp: Pointer to "struct file". | |
2630 | + * @cmd: Ioctl command number. | |
2631 | + * @arg: Param for @cmd. | |
2632 | + * | |
2633 | + * Returns 0 on success, negative value otherwise. | |
2634 | + */ | |
2635 | +static int __ccs_ioctl_permission(struct file *filp, unsigned int cmd, | |
2636 | + unsigned long arg) | |
2637 | +{ | |
2638 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) | |
2639 | + return ccs_path_number_perm(CCS_TYPE_IOCTL, filp->f_path.dentry, | |
2640 | + filp->f_path.mnt, cmd); | |
2641 | +#else | |
2642 | + return ccs_path_number_perm(CCS_TYPE_IOCTL, filp->f_dentry, | |
2643 | + filp->f_vfsmnt, cmd); | |
2644 | +#endif | |
2645 | +} | |
2646 | + | |
2647 | +/** | |
2648 | + * __ccs_chmod_permission - Check permission for "chmod". | |
2649 | + * | |
2650 | + * @dentry: Pointer to "struct dentry". | |
2651 | + * @vfsmnt: Pointer to "struct vfsmount". Maybe NULL. | |
2652 | + * @mode: Mode. | |
2653 | + * | |
2654 | + * Returns 0 on success, negative value otherwise. | |
2655 | + */ | |
2656 | +static int __ccs_chmod_permission(struct dentry *dentry, | |
2657 | + struct vfsmount *vfsmnt, mode_t mode) | |
2658 | +{ | |
2659 | + return ccs_path_number_perm(CCS_TYPE_CHMOD, dentry, vfsmnt, | |
2660 | + mode & S_IALLUGO); | |
2661 | +} | |
2662 | + | |
2663 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0) | |
2664 | + | |
2665 | +/** | |
2666 | + * __ccs_chown_permission - Check permission for "chown/chgrp". | |
2667 | + * | |
2668 | + * @dentry: Pointer to "struct dentry". | |
2669 | + * @vfsmnt: Pointer to "struct vfsmount". Maybe NULL. | |
2670 | + * @user: User ID. | |
2671 | + * @group: Group ID. | |
2672 | + * | |
2673 | + * Returns 0 on success, negative value otherwise. | |
2674 | + */ | |
2675 | +static int __ccs_chown_permission(struct dentry *dentry, | |
2676 | + struct vfsmount *vfsmnt, kuid_t user, | |
2677 | + kgid_t group) | |
2678 | +{ | |
2679 | + int error = 0; | |
2680 | + if (uid_valid(user)) | |
2681 | + error = ccs_path_number_perm(CCS_TYPE_CHOWN, dentry, vfsmnt, | |
2682 | + from_kuid(&init_user_ns, user)); | |
2683 | + if (!error && gid_valid(group)) | |
2684 | + error = ccs_path_number_perm(CCS_TYPE_CHGRP, dentry, vfsmnt, | |
2685 | + from_kgid(&init_user_ns, group)); | |
2686 | + return error; | |
2687 | +} | |
2688 | + | |
2689 | +#else | |
2690 | + | |
2691 | +/** | |
2692 | + * __ccs_chown_permission - Check permission for "chown/chgrp". | |
2693 | + * | |
2694 | + * @dentry: Pointer to "struct dentry". | |
2695 | + * @vfsmnt: Pointer to "struct vfsmount". Maybe NULL. | |
2696 | + * @user: User ID. | |
2697 | + * @group: Group ID. | |
2698 | + * | |
2699 | + * Returns 0 on success, negative value otherwise. | |
2700 | + */ | |
2701 | +static int __ccs_chown_permission(struct dentry *dentry, | |
2702 | + struct vfsmount *vfsmnt, uid_t user, | |
2703 | + gid_t group) | |
2704 | +{ | |
2705 | + int error = 0; | |
2706 | + if (user == (uid_t) -1 && group == (gid_t) -1) | |
2707 | + return 0; | |
2708 | + if (user != (uid_t) -1) | |
2709 | + error = ccs_path_number_perm(CCS_TYPE_CHOWN, dentry, vfsmnt, | |
2710 | + user); | |
2711 | + if (!error && group != (gid_t) -1) | |
2712 | + error = ccs_path_number_perm(CCS_TYPE_CHGRP, dentry, vfsmnt, | |
2713 | + group); | |
2714 | + return error; | |
2715 | +} | |
2716 | + | |
2717 | +#endif | |
2718 | + | |
2719 | +/** | |
2720 | + * __ccs_fcntl_permission - Check permission for changing O_APPEND flag. | |
2721 | + * | |
2722 | + * @file: Pointer to "struct file". | |
2723 | + * @cmd: Command number. | |
2724 | + * @arg: Value for @cmd. | |
2725 | + * | |
2726 | + * Returns 0 on success, negative value otherwise. | |
2727 | + */ | |
2728 | +static int __ccs_fcntl_permission(struct file *file, unsigned int cmd, | |
2729 | + unsigned long arg) | |
2730 | +{ | |
2731 | + if (!(cmd == F_SETFL && ((arg ^ file->f_flags) & O_APPEND))) | |
2732 | + return 0; | |
2733 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33) | |
2734 | + return __ccs_open_permission(file->f_path.dentry, file->f_path.mnt, | |
2735 | + O_WRONLY | (arg & O_APPEND)); | |
2736 | +#elif defined(RHEL_MAJOR) && RHEL_MAJOR == 6 | |
2737 | + return __ccs_open_permission(file->f_dentry, file->f_vfsmnt, | |
2738 | + O_WRONLY | (arg & O_APPEND)); | |
2739 | +#else | |
2740 | + return __ccs_open_permission(file->f_dentry, file->f_vfsmnt, | |
2741 | + (O_WRONLY + 1) | (arg & O_APPEND)); | |
2742 | +#endif | |
2743 | +} | |
2744 | + | |
2745 | +/** | |
2746 | + * __ccs_pivot_root_permission - Check permission for pivot_root(). | |
2747 | + * | |
2748 | + * @old_path: Pointer to "struct path". | |
2749 | + * @new_path: Pointer to "struct path". | |
2750 | + * | |
2751 | + * Returns 0 on success, negative value otherwise. | |
2752 | + */ | |
2753 | +static int __ccs_pivot_root_permission(const struct path *old_path, | |
2754 | + const struct path *new_path) | |
2755 | +{ | |
2756 | + return ccs_path2_perm(CCS_TYPE_PIVOT_ROOT, new_path->dentry, | |
2757 | + new_path->mnt, old_path->dentry, old_path->mnt); | |
2758 | +} | |
2759 | + | |
2760 | +/** | |
2761 | + * __ccs_chroot_permission - Check permission for chroot(). | |
2762 | + * | |
2763 | + * @path: Pointer to "struct path". | |
2764 | + * | |
2765 | + * Returns 0 on success, negative value otherwise. | |
2766 | + */ | |
2767 | +static int __ccs_chroot_permission(const struct path *path) | |
2768 | +{ | |
2769 | + return ccs_path_perm(CCS_TYPE_CHROOT, path->dentry, path->mnt, NULL); | |
2770 | +} | |
2771 | + | |
2772 | +/** | |
2773 | + * __ccs_umount_permission - Check permission for unmount. | |
2774 | + * | |
2775 | + * @mnt: Pointer to "struct vfsmount". | |
2776 | + * @flags: Unused. | |
2777 | + * | |
2778 | + * Returns 0 on success, negative value otherwise. | |
2779 | + */ | |
2780 | +static int __ccs_umount_permission(struct vfsmount *mnt, int flags) | |
2781 | +{ | |
2782 | + return ccs_path_perm(CCS_TYPE_UMOUNT, mnt->mnt_root, mnt, NULL); | |
2783 | +} | |
2784 | + | |
2785 | +/** | |
2786 | + * __ccs_mknod_permission - Check permission for vfs_mknod(). | |
2787 | + * | |
2788 | + * @dentry: Pointer to "struct dentry". | |
2789 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2790 | + * @mode: Device type and permission. | |
2791 | + * @dev: Device number for block or character device. | |
2792 | + * | |
2793 | + * Returns 0 on success, negative value otherwise. | |
2794 | + */ | |
2795 | +static int __ccs_mknod_permission(struct dentry *dentry, struct vfsmount *mnt, | |
2796 | + const unsigned int mode, unsigned int dev) | |
2797 | +{ | |
2798 | + int error = 0; | |
2799 | + const unsigned int perm = mode & S_IALLUGO; | |
2800 | + switch (mode & S_IFMT) { | |
2801 | + case S_IFCHR: | |
2802 | + error = ccs_mkdev_perm(CCS_TYPE_MKCHAR, dentry, mnt, perm, | |
2803 | + dev); | |
2804 | + break; | |
2805 | + case S_IFBLK: | |
2806 | + error = ccs_mkdev_perm(CCS_TYPE_MKBLOCK, dentry, mnt, perm, | |
2807 | + dev); | |
2808 | + break; | |
2809 | + case S_IFIFO: | |
2810 | + error = ccs_path_number_perm(CCS_TYPE_MKFIFO, dentry, mnt, | |
2811 | + perm); | |
2812 | + break; | |
2813 | + case S_IFSOCK: | |
2814 | + error = ccs_path_number_perm(CCS_TYPE_MKSOCK, dentry, mnt, | |
2815 | + perm); | |
2816 | + break; | |
2817 | + case 0: | |
2818 | + case S_IFREG: | |
2819 | + error = ccs_path_number_perm(CCS_TYPE_CREATE, dentry, mnt, | |
2820 | + perm); | |
2821 | + break; | |
2822 | + } | |
2823 | + return error; | |
2824 | +} | |
2825 | + | |
2826 | +/** | |
2827 | + * __ccs_mkdir_permission - Check permission for vfs_mkdir(). | |
2828 | + * | |
2829 | + * @dentry: Pointer to "struct dentry". | |
2830 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2831 | + * @mode: Create mode. | |
2832 | + * | |
2833 | + * Returns 0 on success, negative value otherwise. | |
2834 | + */ | |
2835 | +static int __ccs_mkdir_permission(struct dentry *dentry, struct vfsmount *mnt, | |
2836 | + unsigned int mode) | |
2837 | +{ | |
2838 | + return ccs_path_number_perm(CCS_TYPE_MKDIR, dentry, mnt, mode); | |
2839 | +} | |
2840 | + | |
2841 | +/** | |
2842 | + * __ccs_rmdir_permission - Check permission for vfs_rmdir(). | |
2843 | + * | |
2844 | + * @dentry: Pointer to "struct dentry". | |
2845 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2846 | + * | |
2847 | + * Returns 0 on success, negative value otherwise. | |
2848 | + */ | |
2849 | +static int __ccs_rmdir_permission(struct dentry *dentry, struct vfsmount *mnt) | |
2850 | +{ | |
2851 | + return ccs_path_perm(CCS_TYPE_RMDIR, dentry, mnt, NULL); | |
2852 | +} | |
2853 | + | |
2854 | +/** | |
2855 | + * __ccs_unlink_permission - Check permission for vfs_unlink(). | |
2856 | + * | |
2857 | + * @dentry: Pointer to "struct dentry". | |
2858 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2859 | + * | |
2860 | + * Returns 0 on success, negative value otherwise. | |
2861 | + */ | |
2862 | +static int __ccs_unlink_permission(struct dentry *dentry, struct vfsmount *mnt) | |
2863 | +{ | |
2864 | + return ccs_path_perm(CCS_TYPE_UNLINK, dentry, mnt, NULL); | |
2865 | +} | |
2866 | + | |
2867 | +#ifdef CONFIG_CCSECURITY_FILE_GETATTR | |
2868 | + | |
2869 | +/** | |
2870 | + * __ccs_getattr_permission - Check permission for vfs_getattr(). | |
2871 | + * | |
2872 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2873 | + * @dentry: Pointer to "struct dentry". | |
2874 | + * | |
2875 | + * Returns 0 on success, negative value otherwise. | |
2876 | + */ | |
2877 | +static int __ccs_getattr_permission(struct vfsmount *mnt, | |
2878 | + struct dentry *dentry) | |
2879 | +{ | |
2880 | + return ccs_path_perm(CCS_TYPE_GETATTR, dentry, mnt, NULL); | |
2881 | +} | |
2882 | + | |
2883 | +#endif | |
2884 | + | |
2885 | +/** | |
2886 | + * __ccs_symlink_permission - Check permission for vfs_symlink(). | |
2887 | + * | |
2888 | + * @dentry: Pointer to "struct dentry". | |
2889 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2890 | + * @from: Content of symlink. | |
2891 | + * | |
2892 | + * Returns 0 on success, negative value otherwise. | |
2893 | + */ | |
2894 | +static int __ccs_symlink_permission(struct dentry *dentry, | |
2895 | + struct vfsmount *mnt, const char *from) | |
2896 | +{ | |
2897 | + return ccs_path_perm(CCS_TYPE_SYMLINK, dentry, mnt, from); | |
2898 | +} | |
2899 | + | |
2900 | +/** | |
2901 | + * __ccs_truncate_permission - Check permission for notify_change(). | |
2902 | + * | |
2903 | + * @dentry: Pointer to "struct dentry". | |
2904 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2905 | + * | |
2906 | + * Returns 0 on success, negative value otherwise. | |
2907 | + */ | |
2908 | +static int __ccs_truncate_permission(struct dentry *dentry, | |
2909 | + struct vfsmount *mnt) | |
2910 | +{ | |
2911 | + return ccs_path_perm(CCS_TYPE_TRUNCATE, dentry, mnt, NULL); | |
2912 | +} | |
2913 | + | |
2914 | +/** | |
2915 | + * __ccs_rename_permission - Check permission for vfs_rename(). | |
2916 | + * | |
2917 | + * @old_dentry: Pointer to "struct dentry". | |
2918 | + * @new_dentry: Pointer to "struct dentry". | |
2919 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2920 | + * | |
2921 | + * Returns 0 on success, negative value otherwise. | |
2922 | + */ | |
2923 | +static int __ccs_rename_permission(struct dentry *old_dentry, | |
2924 | + struct dentry *new_dentry, | |
2925 | + struct vfsmount *mnt) | |
2926 | +{ | |
2927 | + return ccs_path2_perm(CCS_TYPE_RENAME, old_dentry, mnt, new_dentry, | |
2928 | + mnt); | |
2929 | +} | |
2930 | + | |
2931 | +/** | |
2932 | + * __ccs_link_permission - Check permission for vfs_link(). | |
2933 | + * | |
2934 | + * @old_dentry: Pointer to "struct dentry". | |
2935 | + * @new_dentry: Pointer to "struct dentry". | |
2936 | + * @mnt: Pointer to "struct vfsmount". Maybe NULL. | |
2937 | + * | |
2938 | + * Returns 0 on success, negative value otherwise. | |
2939 | + */ | |
2940 | +static int __ccs_link_permission(struct dentry *old_dentry, | |
2941 | + struct dentry *new_dentry, | |
2942 | + struct vfsmount *mnt) | |
2943 | +{ | |
2944 | + return ccs_path2_perm(CCS_TYPE_LINK, old_dentry, mnt, new_dentry, mnt); | |
2945 | +} | |
2946 | + | |
2947 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 30) | |
2948 | + | |
2949 | +/** | |
2950 | + * __ccs_open_exec_permission - Check permission for open_exec(). | |
2951 | + * | |
2952 | + * @dentry: Pointer to "struct dentry". | |
2953 | + * @mnt: Pointer to "struct vfsmount". | |
2954 | + * | |
2955 | + * Returns 0 on success, negative value otherwise. | |
2956 | + */ | |
2957 | +static int __ccs_open_exec_permission(struct dentry *dentry, | |
2958 | + struct vfsmount *mnt) | |
2959 | +{ | |
2960 | + return (ccs_current_flags() & CCS_TASK_IS_IN_EXECVE) ? | |
2961 | + __ccs_open_permission(dentry, mnt, O_RDONLY + 1) : 0; | |
2962 | +} | |
2963 | + | |
2964 | +/** | |
2965 | + * __ccs_uselib_permission - Check permission for sys_uselib(). | |
2966 | + * | |
2967 | + * @dentry: Pointer to "struct dentry". | |
2968 | + * @mnt: Pointer to "struct vfsmount". | |
2969 | + * | |
2970 | + * Returns 0 on success, negative value otherwise. | |
2971 | + */ | |
2972 | +static int __ccs_uselib_permission(struct dentry *dentry, struct vfsmount *mnt) | |
2973 | +{ | |
2974 | + return __ccs_open_permission(dentry, mnt, O_RDONLY + 1); | |
2975 | +} | |
2976 | + | |
2977 | +#endif | |
2978 | + | |
2979 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) || (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL)) | |
2980 | + | |
2981 | +/** | |
2982 | + * __ccs_parse_table - Check permission for parse_table(). | |
2983 | + * | |
2984 | + * @name: Pointer to "int __user". | |
2985 | + * @nlen: Number of elements in @name. | |
2986 | + * @oldval: Pointer to "void __user". | |
2987 | + * @newval: Pointer to "void __user". | |
2988 | + * @table: Pointer to "struct ctl_table". | |
2989 | + * | |
2990 | + * Returns 0 on success, negative value otherwise. | |
2991 | + * | |
2992 | + * Note that this function is racy because this function checks values in | |
2993 | + * userspace memory which could be changed after permission check. | |
2994 | + */ | |
2995 | +static int __ccs_parse_table(int __user *name, int nlen, void __user *oldval, | |
2996 | + void __user *newval, struct ctl_table *table) | |
2997 | +{ | |
2998 | + int n; | |
2999 | + int error = -ENOMEM; | |
3000 | + int op = 0; | |
3001 | + struct ccs_path_info buf; | |
3002 | + char *buffer = NULL; | |
3003 | + struct ccs_request_info r; | |
3004 | + int idx; | |
3005 | + if (oldval) | |
3006 | + op |= 004; | |
3007 | + if (newval) | |
3008 | + op |= 002; | |
3009 | + if (!op) /* Neither read nor write */ | |
3010 | + return 0; | |
3011 | + idx = ccs_read_lock(); | |
3012 | + if (ccs_init_request_info(&r, CCS_MAC_FILE_OPEN) | |
3013 | + == CCS_CONFIG_DISABLED) { | |
3014 | + error = 0; | |
3015 | + goto out; | |
3016 | + } | |
3017 | + buffer = kmalloc(PAGE_SIZE, CCS_GFP_FLAGS); | |
3018 | + if (!buffer) | |
3019 | + goto out; | |
3020 | + snprintf(buffer, PAGE_SIZE - 1, "proc:/sys"); | |
3021 | +repeat: | |
3022 | + if (!nlen) { | |
3023 | + error = -ENOTDIR; | |
3024 | + goto out; | |
3025 | + } | |
3026 | + if (get_user(n, name)) { | |
3027 | + error = -EFAULT; | |
3028 | + goto out; | |
3029 | + } | |
3030 | + for ( ; table->ctl_name | |
3031 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) | |
3032 | + || table->procname | |
3033 | +#endif | |
3034 | + ; table++) { | |
3035 | + int pos; | |
3036 | + const char *cp; | |
3037 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 21) | |
3038 | + if (n != table->ctl_name && table->ctl_name != CTL_ANY) | |
3039 | + continue; | |
3040 | +#else | |
3041 | + if (!n || n != table->ctl_name) | |
3042 | + continue; | |
3043 | +#endif | |
3044 | + pos = strlen(buffer); | |
3045 | + cp = table->procname; | |
3046 | + error = -ENOMEM; | |
3047 | + if (cp) { | |
3048 | + int len = strlen(cp); | |
3049 | + if (len + 2 > PAGE_SIZE - 1) | |
3050 | + goto out; | |
3051 | + buffer[pos++] = '/'; | |
3052 | + memmove(buffer + pos, cp, len + 1); | |
3053 | + } else { | |
3054 | + /* Assume nobody assigns "=\$=" for procname. */ | |
3055 | + snprintf(buffer + pos, PAGE_SIZE - pos - 1, | |
3056 | + "/=%d=", table->ctl_name); | |
3057 | + if (!memchr(buffer, '\0', PAGE_SIZE - 2)) | |
3058 | + goto out; | |
3059 | + } | |
3060 | + if (!table->child) | |
3061 | + goto no_child; | |
3062 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 21) | |
3063 | + if (!table->strategy) | |
3064 | + goto no_strategy; | |
3065 | + /* printk("sysctl='%s'\n", buffer); */ | |
3066 | + buf.name = ccs_encode(buffer); | |
3067 | + if (!buf.name) | |
3068 | + goto out; | |
3069 | + ccs_fill_path_info(&buf); | |
3070 | + if (op & MAY_READ) | |
3071 | + error = ccs_path_permission(&r, CCS_TYPE_READ, &buf); | |
3072 | + else | |
3073 | + error = 0; | |
3074 | + if (!error && (op & MAY_WRITE)) | |
3075 | + error = ccs_path_permission(&r, CCS_TYPE_WRITE, &buf); | |
3076 | + kfree(buf.name); | |
3077 | + if (error) | |
3078 | + goto out; | |
3079 | +no_strategy: | |
3080 | +#endif | |
3081 | + name++; | |
3082 | + nlen--; | |
3083 | + table = table->child; | |
3084 | + goto repeat; | |
3085 | +no_child: | |
3086 | + /* printk("sysctl='%s'\n", buffer); */ | |
3087 | + buf.name = ccs_encode(buffer); | |
3088 | + if (!buf.name) | |
3089 | + goto out; | |
3090 | + ccs_fill_path_info(&buf); | |
3091 | + if (op & MAY_READ) | |
3092 | + error = ccs_path_permission(&r, CCS_TYPE_READ, &buf); | |
3093 | + else | |
3094 | + error = 0; | |
3095 | + if (!error && (op & MAY_WRITE)) | |
3096 | + error = ccs_path_permission(&r, CCS_TYPE_WRITE, &buf); | |
3097 | + kfree(buf.name); | |
3098 | + goto out; | |
3099 | + } | |
3100 | + error = -ENOTDIR; | |
3101 | +out: | |
3102 | + ccs_read_unlock(idx); | |
3103 | + kfree(buffer); | |
3104 | + return error; | |
3105 | +} | |
3106 | + | |
3107 | +#endif | |
3108 | + | |
3109 | +#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24) | |
3110 | + | |
3111 | +/** | |
3112 | + * ccs_old_pivot_root_permission - Check permission for pivot_root(). | |
3113 | + * | |
3114 | + * @old_nd: Pointer to "struct nameidata". | |
3115 | + * @new_nd: Pointer to "struct nameidata". | |
3116 | + * | |
3117 | + * Returns 0 on success, negative value otherwise. | |
3118 | + */ | |
3119 | +static int ccs_old_pivot_root_permission(struct nameidata *old_nd, | |
3120 | + struct nameidata *new_nd) | |
3121 | +{ | |
3122 | + struct path old_path = { old_nd->mnt, old_nd->dentry }; | |
3123 | + struct path new_path = { new_nd->mnt, new_nd->dentry }; | |
3124 | + return __ccs_pivot_root_permission(&old_path, &new_path); | |
3125 | +} | |
3126 | + | |
3127 | +/** | |
3128 | + * ccs_old_chroot_permission - Check permission for chroot(). | |
3129 | + * | |
3130 | + * @nd: Pointer to "struct nameidata". | |
3131 | + * | |
3132 | + * Returns 0 on success, negative value otherwise. | |
3133 | + */ | |
3134 | +static int ccs_old_chroot_permission(struct nameidata *nd) | |
3135 | +{ | |
3136 | + struct path path = { nd->mnt, nd->dentry }; | |
3137 | + return __ccs_chroot_permission(&path); | |
3138 | +} | |
3139 | + | |
3140 | +#endif | |
3141 | + | |
3142 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
3143 | + | |
3144 | +/** | |
3145 | + * ccs_address_matches_group - Check whether the given address matches members of the given address group. | |
3146 | + * | |
3147 | + * @is_ipv6: True if @address is an IPv6 address. | |
3148 | + * @address: An IPv4 or IPv6 address. | |
3149 | + * @group: Pointer to "struct ccs_address_group". | |
3150 | + * | |
3151 | + * Returns true if @address matches addresses in @group group, false otherwise. | |
3152 | + * | |
3153 | + * Caller holds ccs_read_lock(). | |
3154 | + */ | |
3155 | +static bool ccs_address_matches_group(const bool is_ipv6, const u32 *address, | |
3156 | + const struct ccs_group *group) | |
3157 | +{ | |
3158 | + struct ccs_address_group *member; | |
3159 | + bool matched = false; | |
3160 | + const u8 size = is_ipv6 ? 16 : 4; | |
3161 | + list_for_each_entry_srcu(member, &group->member_list, head.list, | |
3162 | + &ccs_ss) { | |
3163 | + if (member->head.is_deleted) | |
3164 | + continue; | |
3165 | + if (member->address.is_ipv6 != is_ipv6) | |
3166 | + continue; | |
3167 | + if (memcmp(&member->address.ip[0], address, size) > 0 || | |
3168 | + memcmp(address, &member->address.ip[1], size) > 0) | |
3169 | + continue; | |
3170 | + matched = true; | |
3171 | + break; | |
3172 | + } | |
3173 | + return matched; | |
3174 | +} | |
3175 | + | |
3176 | +/** | |
3177 | + * ccs_check_inet_acl - Check permission for inet domain socket operation. | |
3178 | + * | |
3179 | + * @r: Pointer to "struct ccs_request_info". | |
3180 | + * @ptr: Pointer to "struct ccs_acl_info". | |
3181 | + * | |
3182 | + * Returns true if granted, false otherwise. | |
3183 | + */ | |
3184 | +static bool ccs_check_inet_acl(struct ccs_request_info *r, | |
3185 | + const struct ccs_acl_info *ptr) | |
3186 | +{ | |
3187 | + const struct ccs_inet_acl *acl = container_of(ptr, typeof(*acl), head); | |
3188 | + const u8 size = r->param.inet_network.is_ipv6 ? 16 : 4; | |
3189 | + if (!(ptr->perm & (1 << r->param.inet_network.operation)) || | |
3190 | + !ccs_compare_number_union(r->param.inet_network.port, &acl->port)) | |
3191 | + return false; | |
3192 | + if (acl->address.group) | |
3193 | + return ccs_address_matches_group(r->param.inet_network.is_ipv6, | |
3194 | + r->param.inet_network.address, | |
3195 | + acl->address.group); | |
3196 | + return acl->address.is_ipv6 == r->param.inet_network.is_ipv6 && | |
3197 | + memcmp(&acl->address.ip[0], | |
3198 | + r->param.inet_network.address, size) <= 0 && | |
3199 | + memcmp(r->param.inet_network.address, | |
3200 | + &acl->address.ip[1], size) <= 0; | |
3201 | +} | |
3202 | + | |
3203 | +/** | |
3204 | + * ccs_check_unix_acl - Check permission for unix domain socket operation. | |
3205 | + * | |
3206 | + * @r: Pointer to "struct ccs_request_info". | |
3207 | + * @ptr: Pointer to "struct ccs_acl_info". | |
3208 | + * | |
3209 | + * Returns true if granted, false otherwise. | |
3210 | + */ | |
3211 | +static bool ccs_check_unix_acl(struct ccs_request_info *r, | |
3212 | + const struct ccs_acl_info *ptr) | |
3213 | +{ | |
3214 | + const struct ccs_unix_acl *acl = container_of(ptr, typeof(*acl), head); | |
3215 | + return (ptr->perm & (1 << r->param.unix_network.operation)) && | |
3216 | + ccs_compare_name_union(r->param.unix_network.address, | |
3217 | + &acl->name); | |
3218 | +} | |
3219 | + | |
3220 | +/** | |
3221 | + * ccs_inet_entry - Check permission for INET network operation. | |
3222 | + * | |
3223 | + * @address: Pointer to "struct ccs_addr_info". | |
3224 | + * | |
3225 | + * Returns 0 on success, negative value otherwise. | |
3226 | + */ | |
3227 | +static int ccs_inet_entry(const struct ccs_addr_info *address) | |
3228 | +{ | |
3229 | + const int idx = ccs_read_lock(); | |
3230 | + struct ccs_request_info r; | |
3231 | + int error = 0; | |
3232 | + const u8 type = ccs_inet2mac[address->protocol][address->operation]; | |
3233 | + if (type && ccs_init_request_info(&r, type) != CCS_CONFIG_DISABLED) { | |
3234 | + r.param_type = CCS_TYPE_INET_ACL; | |
3235 | + r.param.inet_network.protocol = address->protocol; | |
3236 | + r.param.inet_network.operation = address->operation; | |
3237 | + r.param.inet_network.is_ipv6 = address->inet.is_ipv6; | |
3238 | + r.param.inet_network.address = address->inet.address; | |
3239 | + r.param.inet_network.port = ntohs(address->inet.port); | |
3240 | + r.dont_sleep_on_enforce_error = | |
3241 | + address->operation == CCS_NETWORK_ACCEPT | |
3242 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
3243 | + || address->operation == CCS_NETWORK_RECV | |
3244 | +#endif | |
3245 | + ; | |
3246 | + error = ccs_check_acl(&r); | |
3247 | + } | |
3248 | + ccs_read_unlock(idx); | |
3249 | + return error; | |
3250 | +} | |
3251 | + | |
3252 | +/** | |
3253 | + * ccs_check_inet_address - Check permission for inet domain socket's operation. | |
3254 | + * | |
3255 | + * @addr: Pointer to "struct sockaddr". | |
3256 | + * @addr_len: Size of @addr. | |
3257 | + * @port: Port number. | |
3258 | + * @address: Pointer to "struct ccs_addr_info". | |
3259 | + * | |
3260 | + * Returns 0 on success, negative value otherwise. | |
3261 | + */ | |
3262 | +static int ccs_check_inet_address(const struct sockaddr *addr, | |
3263 | + const unsigned int addr_len, const u16 port, | |
3264 | + struct ccs_addr_info *address) | |
3265 | +{ | |
3266 | + struct ccs_inet_addr_info *i = &address->inet; | |
3267 | + if (addr_len < sizeof(addr->sa_family)) | |
3268 | + goto skip; | |
3269 | + switch (addr->sa_family) { | |
3270 | + case AF_INET6: | |
3271 | + if (addr_len < SIN6_LEN_RFC2133) | |
3272 | + goto skip; | |
3273 | + i->is_ipv6 = true; | |
3274 | + i->address = (u32 *) | |
3275 | + ((struct sockaddr_in6 *) addr)->sin6_addr.s6_addr; | |
3276 | + i->port = ((struct sockaddr_in6 *) addr)->sin6_port; | |
3277 | + break; | |
3278 | + case AF_INET: | |
3279 | + if (addr_len < sizeof(struct sockaddr_in)) | |
3280 | + goto skip; | |
3281 | + i->is_ipv6 = false; | |
3282 | + i->address = (u32 *) &((struct sockaddr_in *) addr)->sin_addr; | |
3283 | + i->port = ((struct sockaddr_in *) addr)->sin_port; | |
3284 | + break; | |
3285 | + default: | |
3286 | + goto skip; | |
3287 | + } | |
3288 | + if (address->protocol == SOCK_RAW) | |
3289 | + i->port = htons(port); | |
3290 | + return ccs_inet_entry(address); | |
3291 | +skip: | |
3292 | + return 0; | |
3293 | +} | |
3294 | + | |
3295 | +/** | |
3296 | + * ccs_unix_entry - Check permission for UNIX network operation. | |
3297 | + * | |
3298 | + * @address: Pointer to "struct ccs_addr_info". | |
3299 | + * | |
3300 | + * Returns 0 on success, negative value otherwise. | |
3301 | + */ | |
3302 | +static int ccs_unix_entry(const struct ccs_addr_info *address) | |
3303 | +{ | |
3304 | + const int idx = ccs_read_lock(); | |
3305 | + struct ccs_request_info r; | |
3306 | + int error = 0; | |
3307 | + const u8 type = ccs_unix2mac[address->protocol][address->operation]; | |
3308 | + if (type && ccs_init_request_info(&r, type) != CCS_CONFIG_DISABLED) { | |
3309 | + char *buf = address->unix0.addr; | |
3310 | + int len = address->unix0.addr_len - sizeof(sa_family_t); | |
3311 | + if (len <= 0) { | |
3312 | + buf = "anonymous"; | |
3313 | + len = 9; | |
3314 | + } else if (buf[0]) { | |
3315 | + len = strnlen(buf, len); | |
3316 | + } | |
3317 | + buf = ccs_encode2(buf, len); | |
3318 | + if (buf) { | |
3319 | + struct ccs_path_info addr; | |
3320 | + addr.name = buf; | |
3321 | + ccs_fill_path_info(&addr); | |
3322 | + r.param_type = CCS_TYPE_UNIX_ACL; | |
3323 | + r.param.unix_network.protocol = address->protocol; | |
3324 | + r.param.unix_network.operation = address->operation; | |
3325 | + r.param.unix_network.address = &addr; | |
3326 | + r.dont_sleep_on_enforce_error = | |
3327 | + address->operation == CCS_NETWORK_ACCEPT | |
3328 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
3329 | + || address->operation == CCS_NETWORK_RECV | |
3330 | +#endif | |
3331 | + ; | |
3332 | + error = ccs_check_acl(&r); | |
3333 | + kfree(buf); | |
3334 | + } else | |
3335 | + error = -ENOMEM; | |
3336 | + } | |
3337 | + ccs_read_unlock(idx); | |
3338 | + return error; | |
3339 | +} | |
3340 | + | |
3341 | +/** | |
3342 | + * ccs_check_unix_address - Check permission for unix domain socket's operation. | |
3343 | + * | |
3344 | + * @addr: Pointer to "struct sockaddr". | |
3345 | + * @addr_len: Size of @addr. | |
3346 | + * @address: Pointer to "struct ccs_addr_info". | |
3347 | + * | |
3348 | + * Returns 0 on success, negative value otherwise. | |
3349 | + */ | |
3350 | +static int ccs_check_unix_address(struct sockaddr *addr, | |
3351 | + const unsigned int addr_len, | |
3352 | + struct ccs_addr_info *address) | |
3353 | +{ | |
3354 | + struct ccs_unix_addr_info *u = &address->unix0; | |
3355 | + if (addr_len < sizeof(addr->sa_family)) | |
3356 | + return 0; | |
3357 | + if (addr->sa_family != AF_UNIX) | |
3358 | + return 0; | |
3359 | + u->addr = ((struct sockaddr_un *) addr)->sun_path; | |
3360 | + u->addr_len = addr_len; | |
3361 | + return ccs_unix_entry(address); | |
3362 | +} | |
3363 | + | |
3364 | +/** | |
3365 | + * ccs_sock_family - Get socket's family. | |
3366 | + * | |
3367 | + * @sk: Pointer to "struct sock". | |
3368 | + * | |
3369 | + * Returns one of PF_INET, PF_INET6, PF_UNIX or 0. | |
3370 | + */ | |
3371 | +static u8 ccs_sock_family(struct sock *sk) | |
3372 | +{ | |
3373 | + u8 family; | |
3374 | + if (ccs_kernel_service()) | |
3375 | + return 0; | |
3376 | + family = sk->sk_family; | |
3377 | + switch (family) { | |
3378 | + case PF_INET: | |
3379 | + case PF_INET6: | |
3380 | + case PF_UNIX: | |
3381 | + return family; | |
3382 | + default: | |
3383 | + return 0; | |
3384 | + } | |
3385 | +} | |
3386 | + | |
3387 | +/** | |
3388 | + * __ccs_socket_listen_permission - Check permission for listening a socket. | |
3389 | + * | |
3390 | + * @sock: Pointer to "struct socket". | |
3391 | + * | |
3392 | + * Returns 0 on success, negative value otherwise. | |
3393 | + */ | |
3394 | +static int __ccs_socket_listen_permission(struct socket *sock) | |
3395 | +{ | |
3396 | + struct ccs_addr_info address; | |
3397 | + const u8 family = ccs_sock_family(sock->sk); | |
3398 | + const unsigned int type = sock->type; | |
3399 | + struct sockaddr_storage addr; | |
3400 | + int addr_len; | |
3401 | + if (!family || (type != SOCK_STREAM && type != SOCK_SEQPACKET)) | |
3402 | + return 0; | |
3403 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0) | |
3404 | + { | |
3405 | + const int error = sock->ops->getname(sock, (struct sockaddr *) | |
3406 | + &addr, &addr_len, 0); | |
3407 | + if (error) | |
3408 | + return error; | |
3409 | + } | |
3410 | +#else | |
3411 | + addr_len = sock->ops->getname(sock, (struct sockaddr *) &addr, 0); | |
3412 | + if (addr_len < 0) | |
3413 | + return addr_len; | |
3414 | +#endif | |
3415 | + address.protocol = type; | |
3416 | + address.operation = CCS_NETWORK_LISTEN; | |
3417 | + if (family == PF_UNIX) | |
3418 | + return ccs_check_unix_address((struct sockaddr *) &addr, | |
3419 | + addr_len, &address); | |
3420 | + return ccs_check_inet_address((struct sockaddr *) &addr, addr_len, 0, | |
3421 | + &address); | |
3422 | +} | |
3423 | + | |
3424 | +/** | |
3425 | + * __ccs_socket_connect_permission - Check permission for setting the remote address of a socket. | |
3426 | + * | |
3427 | + * @sock: Pointer to "struct socket". | |
3428 | + * @addr: Pointer to "struct sockaddr". | |
3429 | + * @addr_len: Size of @addr. | |
3430 | + * | |
3431 | + * Returns 0 on success, negative value otherwise. | |
3432 | + */ | |
3433 | +static int __ccs_socket_connect_permission(struct socket *sock, | |
3434 | + struct sockaddr *addr, int addr_len) | |
3435 | +{ | |
3436 | + struct ccs_addr_info address; | |
3437 | + const u8 family = ccs_sock_family(sock->sk); | |
3438 | + const unsigned int type = sock->type; | |
3439 | + if (!family) | |
3440 | + return 0; | |
3441 | + address.protocol = type; | |
3442 | + switch (type) { | |
3443 | + case SOCK_DGRAM: | |
3444 | + case SOCK_RAW: | |
3445 | + address.operation = CCS_NETWORK_SEND; | |
3446 | + break; | |
3447 | + case SOCK_STREAM: | |
3448 | + case SOCK_SEQPACKET: | |
3449 | + address.operation = CCS_NETWORK_CONNECT; | |
3450 | + break; | |
3451 | + default: | |
3452 | + return 0; | |
3453 | + } | |
3454 | + if (family == PF_UNIX) | |
3455 | + return ccs_check_unix_address(addr, addr_len, &address); | |
3456 | + return ccs_check_inet_address(addr, addr_len, sock->sk->sk_protocol, | |
3457 | + &address); | |
3458 | +} | |
3459 | + | |
3460 | +/** | |
3461 | + * __ccs_socket_bind_permission - Check permission for setting the local address of a socket. | |
3462 | + * | |
3463 | + * @sock: Pointer to "struct socket". | |
3464 | + * @addr: Pointer to "struct sockaddr". | |
3465 | + * @addr_len: Size of @addr. | |
3466 | + * | |
3467 | + * Returns 0 on success, negative value otherwise. | |
3468 | + */ | |
3469 | +static int __ccs_socket_bind_permission(struct socket *sock, | |
3470 | + struct sockaddr *addr, int addr_len) | |
3471 | +{ | |
3472 | + struct ccs_addr_info address; | |
3473 | + const u8 family = ccs_sock_family(sock->sk); | |
3474 | + const unsigned int type = sock->type; | |
3475 | + if (!family) | |
3476 | + return 0; | |
3477 | + switch (type) { | |
3478 | + case SOCK_STREAM: | |
3479 | + case SOCK_DGRAM: | |
3480 | + case SOCK_RAW: | |
3481 | + case SOCK_SEQPACKET: | |
3482 | + address.protocol = type; | |
3483 | + address.operation = CCS_NETWORK_BIND; | |
3484 | + break; | |
3485 | + default: | |
3486 | + return 0; | |
3487 | + } | |
3488 | + if (family == PF_UNIX) | |
3489 | + return ccs_check_unix_address(addr, addr_len, &address); | |
3490 | + return ccs_check_inet_address(addr, addr_len, sock->sk->sk_protocol, | |
3491 | + &address); | |
3492 | +} | |
3493 | + | |
3494 | +/** | |
3495 | + * __ccs_socket_sendmsg_permission - Check permission for sending a datagram. | |
3496 | + * | |
3497 | + * @sock: Pointer to "struct socket". | |
3498 | + * @msg: Pointer to "struct msghdr". | |
3499 | + * @size: Unused. | |
3500 | + * | |
3501 | + * Returns 0 on success, negative value otherwise. | |
3502 | + */ | |
3503 | +static int __ccs_socket_sendmsg_permission(struct socket *sock, | |
3504 | + struct msghdr *msg, int size) | |
3505 | +{ | |
3506 | + struct ccs_addr_info address; | |
3507 | + const u8 family = ccs_sock_family(sock->sk); | |
3508 | + const unsigned int type = sock->type; | |
3509 | + if (!msg->msg_name || !family || | |
3510 | + (type != SOCK_DGRAM && type != SOCK_RAW)) | |
3511 | + return 0; | |
3512 | + address.protocol = type; | |
3513 | + address.operation = CCS_NETWORK_SEND; | |
3514 | + if (family == PF_UNIX) | |
3515 | + return ccs_check_unix_address((struct sockaddr *) | |
3516 | + msg->msg_name, msg->msg_namelen, | |
3517 | + &address); | |
3518 | + return ccs_check_inet_address((struct sockaddr *) msg->msg_name, | |
3519 | + msg->msg_namelen, sock->sk->sk_protocol, | |
3520 | + &address); | |
3521 | +} | |
3522 | + | |
3523 | +/** | |
3524 | + * __ccs_socket_post_accept_permission - Check permission for accepting a socket. | |
3525 | + * | |
3526 | + * @sock: Pointer to "struct socket". | |
3527 | + * @newsock: Pointer to "struct socket". | |
3528 | + * | |
3529 | + * Returns 0 on success, negative value otherwise. | |
3530 | + */ | |
3531 | +static int __ccs_socket_post_accept_permission(struct socket *sock, | |
3532 | + struct socket *newsock) | |
3533 | +{ | |
3534 | + struct ccs_addr_info address; | |
3535 | + const u8 family = ccs_sock_family(sock->sk); | |
3536 | + const unsigned int type = sock->type; | |
3537 | + struct sockaddr_storage addr; | |
3538 | + int addr_len; | |
3539 | + if (!family || (type != SOCK_STREAM && type != SOCK_SEQPACKET)) | |
3540 | + return 0; | |
3541 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0) | |
3542 | + { | |
3543 | + const int error = newsock->ops->getname(newsock, | |
3544 | + (struct sockaddr *) | |
3545 | + &addr, &addr_len, 2); | |
3546 | + if (error) | |
3547 | + return error; | |
3548 | + } | |
3549 | +#else | |
3550 | + addr_len = newsock->ops->getname(newsock, (struct sockaddr *) &addr, | |
3551 | + 2); | |
3552 | + if (addr_len < 0) | |
3553 | + return addr_len; | |
3554 | +#endif | |
3555 | + address.protocol = type; | |
3556 | + address.operation = CCS_NETWORK_ACCEPT; | |
3557 | + if (family == PF_UNIX) | |
3558 | + return ccs_check_unix_address((struct sockaddr *) &addr, | |
3559 | + addr_len, &address); | |
3560 | + return ccs_check_inet_address((struct sockaddr *) &addr, addr_len, 0, | |
3561 | + &address); | |
3562 | +} | |
3563 | + | |
3564 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
3565 | + | |
3566 | +/** | |
3567 | + * __ccs_socket_post_recvmsg_permission - Check permission for receiving a datagram. | |
3568 | + * | |
3569 | + * @sk: Pointer to "struct sock". | |
3570 | + * @skb: Pointer to "struct sk_buff". | |
3571 | + * @flags: Flags passed to skb_recv_datagram(). | |
3572 | + * | |
3573 | + * Returns 0 on success, negative value otherwise. | |
3574 | + */ | |
3575 | +static int __ccs_socket_post_recvmsg_permission(struct sock *sk, | |
3576 | + struct sk_buff *skb, int flags) | |
3577 | +{ | |
3578 | + struct ccs_addr_info address; | |
3579 | + const u8 family = ccs_sock_family(sk); | |
3580 | + const unsigned int type = sk->sk_type; | |
3581 | + struct sockaddr_storage addr; | |
3582 | + if (!family) | |
3583 | + return 0; | |
3584 | + switch (type) { | |
3585 | + case SOCK_DGRAM: | |
3586 | + case SOCK_RAW: | |
3587 | + address.protocol = type; | |
3588 | + break; | |
3589 | + default: | |
3590 | + return 0; | |
3591 | + } | |
3592 | + address.operation = CCS_NETWORK_RECV; | |
3593 | + switch (family) { | |
3594 | + case PF_INET6: | |
3595 | + { | |
3596 | + struct in6_addr *sin6 = (struct in6_addr *) &addr; | |
3597 | + address.inet.is_ipv6 = true; | |
3598 | + if (type == SOCK_DGRAM && | |
3599 | + skb->protocol == htons(ETH_P_IP)) | |
3600 | + ipv6_addr_set(sin6, 0, 0, htonl(0xffff), | |
3601 | + ip_hdr(skb)->saddr); | |
3602 | + else | |
3603 | + *sin6 = ipv6_hdr(skb)->saddr; | |
3604 | + break; | |
3605 | + } | |
3606 | + case PF_INET: | |
3607 | + { | |
3608 | + struct in_addr *sin4 = (struct in_addr *) &addr; | |
3609 | + address.inet.is_ipv6 = false; | |
3610 | + sin4->s_addr = ip_hdr(skb)->saddr; | |
3611 | + break; | |
3612 | + } | |
3613 | + default: /* == PF_UNIX */ | |
3614 | + { | |
3615 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0) | |
3616 | + struct unix_address *u = unix_sk(skb->sk)->addr; | |
3617 | +#else | |
3618 | + struct unix_address *u = | |
3619 | + skb->sk->protinfo.af_unix.addr; | |
3620 | +#endif | |
3621 | + unsigned int addr_len; | |
3622 | + if (u && u->len <= sizeof(addr)) { | |
3623 | + addr_len = u->len; | |
3624 | + memcpy(&addr, u->name, addr_len); | |
3625 | + } else { | |
3626 | + addr_len = sizeof(addr.ss_family); | |
3627 | + addr.ss_family = AF_UNIX; | |
3628 | + } | |
3629 | + if (ccs_check_unix_address((struct sockaddr *) &addr, | |
3630 | + addr_len, &address)) | |
3631 | + goto out; | |
3632 | + return 0; | |
3633 | + } | |
3634 | + } | |
3635 | + address.inet.address = (u32 *) &addr; | |
3636 | + if (type == SOCK_DGRAM) | |
3637 | + address.inet.port = udp_hdr(skb)->source; | |
3638 | + else | |
3639 | + address.inet.port = htons(sk->sk_protocol); | |
3640 | + if (ccs_inet_entry(&address)) | |
3641 | + goto out; | |
3642 | + return 0; | |
3643 | +out: | |
3644 | + /* | |
3645 | + * Remove from queue if MSG_PEEK is used so that | |
3646 | + * the head message from unwanted source in receive queue will not | |
3647 | + * prevent the caller from picking up next message from wanted source | |
3648 | + * when the caller is using MSG_PEEK flag for picking up. | |
3649 | + */ | |
3650 | + { | |
3651 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35) | |
3652 | + bool slow = false; | |
3653 | + if (type == SOCK_DGRAM && family != PF_UNIX) | |
3654 | + slow = lock_sock_fast(sk); | |
3655 | +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) | |
3656 | + if (type == SOCK_DGRAM && family != PF_UNIX) | |
3657 | + lock_sock(sk); | |
3658 | +#elif defined(RHEL_MAJOR) && RHEL_MAJOR == 5 && defined(RHEL_MINOR) && RHEL_MINOR >= 2 | |
3659 | + if (type == SOCK_DGRAM && family != PF_UNIX) | |
3660 | + lock_sock(sk); | |
3661 | +#endif | |
3662 | + skb_kill_datagram(sk, skb, flags); | |
3663 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35) | |
3664 | + if (type == SOCK_DGRAM && family != PF_UNIX) | |
3665 | + unlock_sock_fast(sk, slow); | |
3666 | +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) | |
3667 | + if (type == SOCK_DGRAM && family != PF_UNIX) | |
3668 | + release_sock(sk); | |
3669 | +#elif defined(RHEL_MAJOR) && RHEL_MAJOR == 5 && defined(RHEL_MINOR) && RHEL_MINOR >= 2 | |
3670 | + if (type == SOCK_DGRAM && family != PF_UNIX) | |
3671 | + release_sock(sk); | |
3672 | +#endif | |
3673 | + } | |
3674 | + return -EPERM; | |
3675 | +} | |
3676 | + | |
3677 | +#endif | |
3678 | + | |
3679 | +#endif | |
3680 | + | |
3681 | +#if defined(CONFIG_CCSECURITY_CAPABILITY) || defined(CONFIG_CCSECURITY_NETWORK) | |
3682 | + | |
3683 | +/** | |
3684 | + * ccs_kernel_service - Check whether I'm kernel service or not. | |
3685 | + * | |
3686 | + * Returns true if I'm kernel service, false otherwise. | |
3687 | + */ | |
3688 | +static bool ccs_kernel_service(void) | |
3689 | +{ | |
3690 | + /* Nothing to do if I am a kernel service. */ | |
3691 | + return segment_eq(get_fs(), KERNEL_DS); | |
3692 | +} | |
3693 | + | |
3694 | +#endif | |
3695 | + | |
3696 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
3697 | + | |
3698 | +/** | |
3699 | + * ccs_check_capability_acl - Check permission for capability operation. | |
3700 | + * | |
3701 | + * @r: Pointer to "struct ccs_request_info". | |
3702 | + * @ptr: Pointer to "struct ccs_acl_info". | |
3703 | + * | |
3704 | + * Returns true if granted, false otherwise. | |
3705 | + */ | |
3706 | +static bool ccs_check_capability_acl(struct ccs_request_info *r, | |
3707 | + const struct ccs_acl_info *ptr) | |
3708 | +{ | |
3709 | + const struct ccs_capability_acl *acl = | |
3710 | + container_of(ptr, typeof(*acl), head); | |
3711 | + return acl->operation == r->param.capability.operation; | |
3712 | +} | |
3713 | + | |
3714 | +/** | |
3715 | + * ccs_capable - Check permission for capability. | |
3716 | + * | |
3717 | + * @operation: Type of operation. | |
3718 | + * | |
3719 | + * Returns true on success, false otherwise. | |
3720 | + */ | |
3721 | +static bool __ccs_capable(const u8 operation) | |
3722 | +{ | |
3723 | + struct ccs_request_info r; | |
3724 | + int error = 0; | |
3725 | + const int idx = ccs_read_lock(); | |
3726 | + if (ccs_init_request_info(&r, ccs_c2mac[operation]) | |
3727 | + != CCS_CONFIG_DISABLED) { | |
3728 | + r.param_type = CCS_TYPE_CAPABILITY_ACL; | |
3729 | + r.param.capability.operation = operation; | |
3730 | + error = ccs_check_acl(&r); | |
3731 | + } | |
3732 | + ccs_read_unlock(idx); | |
3733 | + return !error; | |
3734 | +} | |
3735 | + | |
3736 | +/** | |
3737 | + * __ccs_socket_create_permission - Check permission for creating a socket. | |
3738 | + * | |
3739 | + * @family: Protocol family. | |
3740 | + * @type: Unused. | |
3741 | + * @protocol: Unused. | |
3742 | + * | |
3743 | + * Returns 0 on success, negative value otherwise. | |
3744 | + */ | |
3745 | +static int __ccs_socket_create_permission(int family, int type, int protocol) | |
3746 | +{ | |
3747 | + if (ccs_kernel_service()) | |
3748 | + return 0; | |
3749 | + if (family == PF_PACKET && !ccs_capable(CCS_USE_PACKET_SOCKET)) | |
3750 | + return -EPERM; | |
3751 | + if (family == PF_ROUTE && !ccs_capable(CCS_USE_ROUTE_SOCKET)) | |
3752 | + return -EPERM; | |
3753 | + return 0; | |
3754 | +} | |
3755 | + | |
3756 | +/** | |
3757 | + * __ccs_ptrace_permission - Check permission for ptrace(). | |
3758 | + * | |
3759 | + * @request: Unused. | |
3760 | + * @pid: Unused. | |
3761 | + * | |
3762 | + * Returns 0 on success, negative value otherwise. | |
3763 | + * | |
3764 | + * Since this function is called from location where it is permitted to sleep, | |
3765 | + * it is racy to check target process's domainname anyway. Therefore, we don't | |
3766 | + * use target process's domainname. | |
3767 | + */ | |
3768 | +static int __ccs_ptrace_permission(long request, long pid) | |
3769 | +{ | |
3770 | + return __ccs_capable(CCS_SYS_PTRACE) ? 0 : -EPERM; | |
3771 | +} | |
3772 | + | |
3773 | +#endif | |
3774 | + | |
3775 | +#ifdef CONFIG_CCSECURITY_IPC | |
3776 | + | |
3777 | +/** | |
3778 | + * ccs_check_signal_acl - Check permission for signal operation. | |
3779 | + * | |
3780 | + * @r: Pointer to "struct ccs_request_info". | |
3781 | + * @ptr: Pointer to "struct ccs_acl_info". | |
3782 | + * | |
3783 | + * Returns true if granted, false otherwise. | |
3784 | + */ | |
3785 | +static bool ccs_check_signal_acl(struct ccs_request_info *r, | |
3786 | + const struct ccs_acl_info *ptr) | |
3787 | +{ | |
3788 | + const struct ccs_signal_acl *acl = | |
3789 | + container_of(ptr, typeof(*acl), head); | |
3790 | + if (ccs_compare_number_union(r->param.signal.sig, &acl->sig)) { | |
3791 | + const int len = acl->domainname->total_len; | |
3792 | + if (!strncmp(acl->domainname->name, | |
3793 | + r->param.signal.dest_pattern, len)) { | |
3794 | + switch (r->param.signal.dest_pattern[len]) { | |
3795 | + case ' ': | |
3796 | + case '\0': | |
3797 | + return true; | |
3798 | + } | |
3799 | + } | |
3800 | + } | |
3801 | + return false; | |
3802 | +} | |
3803 | + | |
3804 | +/** | |
3805 | + * ccs_signal_acl2 - Check permission for signal. | |
3806 | + * | |
3807 | + * @sig: Signal number. | |
3808 | + * @pid: Target's PID. | |
3809 | + * | |
3810 | + * Returns 0 on success, negative value otherwise. | |
3811 | + * | |
3812 | + * Caller holds ccs_read_lock(). | |
3813 | + */ | |
3814 | +static int ccs_signal_acl2(const int sig, const int pid) | |
3815 | +{ | |
3816 | + struct ccs_request_info r; | |
3817 | + struct ccs_domain_info *dest = NULL; | |
3818 | + const struct ccs_domain_info * const domain = ccs_current_domain(); | |
3819 | + if (ccs_init_request_info(&r, CCS_MAC_SIGNAL) == CCS_CONFIG_DISABLED) | |
3820 | + return 0; | |
3821 | + if (!sig) | |
3822 | + return 0; /* No check for NULL signal. */ | |
3823 | + r.param_type = CCS_TYPE_SIGNAL_ACL; | |
3824 | + r.param.signal.sig = sig; | |
3825 | + r.param.signal.dest_pattern = domain->domainname->name; | |
3826 | + r.granted = true; | |
3827 | + if (ccs_sys_getpid() == pid) { | |
3828 | + ccs_audit_log(&r); | |
3829 | + return 0; /* No check for self process. */ | |
3830 | + } | |
3831 | + { /* Simplified checking. */ | |
3832 | + struct task_struct *p = NULL; | |
3833 | + ccs_tasklist_lock(); | |
3834 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24) | |
3835 | + if (pid > 0) | |
3836 | + p = ccsecurity_exports.find_task_by_vpid((pid_t) pid); | |
3837 | + else if (pid == 0) | |
3838 | + p = current; | |
3839 | + else if (pid == -1) | |
3840 | + dest = &ccs_kernel_domain; | |
3841 | + else | |
3842 | + p = ccsecurity_exports.find_task_by_vpid((pid_t) -pid); | |
3843 | +#else | |
3844 | + if (pid > 0) | |
3845 | + p = find_task_by_pid((pid_t) pid); | |
3846 | + else if (pid == 0) | |
3847 | + p = current; | |
3848 | + else if (pid == -1) | |
3849 | + dest = &ccs_kernel_domain; | |
3850 | + else | |
3851 | + p = find_task_by_pid((pid_t) -pid); | |
3852 | +#endif | |
3853 | + if (p) | |
3854 | + dest = ccs_task_domain(p); | |
3855 | + ccs_tasklist_unlock(); | |
3856 | + } | |
3857 | + if (!dest) | |
3858 | + return 0; /* I can't find destinatioin. */ | |
3859 | + if (domain == dest) { | |
3860 | + ccs_audit_log(&r); | |
3861 | + return 0; /* No check for self domain. */ | |
3862 | + } | |
3863 | + r.param.signal.dest_pattern = dest->domainname->name; | |
3864 | + return ccs_check_acl(&r); | |
3865 | +} | |
3866 | + | |
3867 | +/** | |
3868 | + * ccs_signal_acl - Check permission for signal. | |
3869 | + * | |
3870 | + * @pid: Target's PID. | |
3871 | + * @sig: Signal number. | |
3872 | + * | |
3873 | + * Returns 0 on success, negative value otherwise. | |
3874 | + */ | |
3875 | +static int ccs_signal_acl(const int pid, const int sig) | |
3876 | +{ | |
3877 | + int error; | |
3878 | + if (!sig) | |
3879 | + error = 0; | |
3880 | + else { | |
3881 | + const int idx = ccs_read_lock(); | |
3882 | + error = ccs_signal_acl2(sig, pid); | |
3883 | + ccs_read_unlock(idx); | |
3884 | + } | |
3885 | + return error; | |
3886 | +} | |
3887 | + | |
3888 | +/** | |
3889 | + * ccs_signal_acl0 - Permission check for signal(). | |
3890 | + * | |
3891 | + * @tgid: Unused. | |
3892 | + * @pid: Target's PID. | |
3893 | + * @sig: Signal number. | |
3894 | + * | |
3895 | + * Returns 0 on success, negative value otherwise. | |
3896 | + */ | |
3897 | +static int ccs_signal_acl0(pid_t tgid, pid_t pid, int sig) | |
3898 | +{ | |
3899 | + return ccs_signal_acl(pid, sig); | |
3900 | +} | |
3901 | + | |
3902 | +#endif | |
3903 | + | |
3904 | +#ifdef CONFIG_CCSECURITY_MISC | |
3905 | + | |
3906 | +/** | |
3907 | + * ccs_check_env_acl - Check permission for environment variable's name. | |
3908 | + * | |
3909 | + * @r: Pointer to "struct ccs_request_info". | |
3910 | + * @ptr: Pointer to "struct ccs_acl_info". | |
3911 | + * | |
3912 | + * Returns true if granted, false otherwise. | |
3913 | + */ | |
3914 | +static bool ccs_check_env_acl(struct ccs_request_info *r, | |
3915 | + const struct ccs_acl_info *ptr) | |
3916 | +{ | |
3917 | + const struct ccs_env_acl *acl = container_of(ptr, typeof(*acl), head); | |
3918 | + return ccs_path_matches_pattern(r->param.environ.name, acl->env); | |
3919 | +} | |
3920 | + | |
3921 | +/** | |
3922 | + * ccs_env_perm - Check permission for environment variable's name. | |
3923 | + * | |
3924 | + * @r: Pointer to "struct ccs_request_info". | |
3925 | + * @env: The name of environment variable. | |
3926 | + * | |
3927 | + * Returns 0 on success, negative value otherwise. | |
3928 | + * | |
3929 | + * Caller holds ccs_read_lock(). | |
3930 | + */ | |
3931 | +static int ccs_env_perm(struct ccs_request_info *r, const char *env) | |
3932 | +{ | |
3933 | + struct ccs_path_info environ; | |
3934 | + if (!env || !*env) | |
3935 | + return 0; | |
3936 | + environ.name = env; | |
3937 | + ccs_fill_path_info(&environ); | |
3938 | + r->param_type = CCS_TYPE_ENV_ACL; | |
3939 | + r->param.environ.name = &environ; | |
3940 | + return ccs_check_acl(r); | |
3941 | +} | |
3942 | + | |
3943 | +/** | |
3944 | + * ccs_environ - Check permission for environment variable names. | |
3945 | + * | |
3946 | + * @ee: Pointer to "struct ccs_execve". | |
3947 | + * | |
3948 | + * Returns 0 on success, negative value otherwise. | |
3949 | + */ | |
3950 | +static int ccs_environ(struct ccs_execve *ee) | |
3951 | +{ | |
3952 | + struct ccs_request_info *r = &ee->r; | |
3953 | + struct linux_binprm *bprm = ee->bprm; | |
3954 | + /* env_page.data is allocated by ccs_dump_page(). */ | |
3955 | + struct ccs_page_dump env_page = { }; | |
3956 | + char *arg_ptr; /* Size is CCS_EXEC_TMPSIZE bytes */ | |
3957 | + int arg_len = 0; | |
3958 | + unsigned long pos = bprm->p; | |
3959 | + int offset = pos % PAGE_SIZE; | |
3960 | + int argv_count = bprm->argc; | |
3961 | + int envp_count = bprm->envc; | |
3962 | + /* printk(KERN_DEBUG "start %d %d\n", argv_count, envp_count); */ | |
3963 | + int error = -ENOMEM; | |
3964 | + ee->r.type = CCS_MAC_ENVIRON; | |
3965 | + ee->r.profile = ccs_current_domain()->profile; | |
3966 | + ee->r.mode = ccs_get_mode(ee->r.profile, CCS_MAC_ENVIRON); | |
3967 | + if (!r->mode || !envp_count) | |
3968 | + return 0; | |
3969 | + arg_ptr = kzalloc(CCS_EXEC_TMPSIZE, CCS_GFP_FLAGS); | |
3970 | + if (!arg_ptr) | |
3971 | + goto out; | |
3972 | + while (error == -ENOMEM) { | |
3973 | + if (!ccs_dump_page(bprm, pos, &env_page)) | |
3974 | + goto out; | |
3975 | + pos += PAGE_SIZE - offset; | |
3976 | + /* Read. */ | |
3977 | + while (argv_count && offset < PAGE_SIZE) { | |
3978 | + if (!env_page.data[offset++]) | |
3979 | + argv_count--; | |
3980 | + } | |
3981 | + if (argv_count) { | |
3982 | + offset = 0; | |
3983 | + continue; | |
3984 | + } | |
3985 | + while (offset < PAGE_SIZE) { | |
3986 | + const unsigned char c = env_page.data[offset++]; | |
3987 | + if (c && arg_len < CCS_EXEC_TMPSIZE - 10) { | |
3988 | + if (c == '=') { | |
3989 | + arg_ptr[arg_len++] = '\0'; | |
3990 | + } else if (c == '\\') { | |
3991 | + arg_ptr[arg_len++] = '\\'; | |
3992 | + arg_ptr[arg_len++] = '\\'; | |
3993 | + } else if (c > ' ' && c < 127) { | |
3994 | + arg_ptr[arg_len++] = c; | |
3995 | + } else { | |
3996 | + arg_ptr[arg_len++] = '\\'; | |
3997 | + arg_ptr[arg_len++] = (c >> 6) + '0'; | |
3998 | + arg_ptr[arg_len++] | |
3999 | + = ((c >> 3) & 7) + '0'; | |
4000 | + arg_ptr[arg_len++] = (c & 7) + '0'; | |
4001 | + } | |
4002 | + } else { | |
4003 | + arg_ptr[arg_len] = '\0'; | |
4004 | + } | |
4005 | + if (c) | |
4006 | + continue; | |
4007 | + if (ccs_env_perm(r, arg_ptr)) { | |
4008 | + error = -EPERM; | |
4009 | + break; | |
4010 | + } | |
4011 | + if (!--envp_count) { | |
4012 | + error = 0; | |
4013 | + break; | |
4014 | + } | |
4015 | + arg_len = 0; | |
4016 | + } | |
4017 | + offset = 0; | |
4018 | + } | |
4019 | +out: | |
4020 | + if (r->mode != CCS_CONFIG_ENFORCING) | |
4021 | + error = 0; | |
4022 | + kfree(env_page.data); | |
4023 | + kfree(arg_ptr); | |
4024 | + return error; | |
4025 | +} | |
4026 | + | |
4027 | +#endif | |
4028 | + | |
4029 | +/** | |
4030 | + * ccs_argv - Check argv[] in "struct linux_binbrm". | |
4031 | + * | |
4032 | + * @index: Index number of @arg_ptr. | |
4033 | + * @arg_ptr: Contents of argv[@index]. | |
4034 | + * @argc: Length of @argv. | |
4035 | + * @argv: Pointer to "struct ccs_argv". | |
4036 | + * @checked: Set to true if @argv[@index] was found. | |
4037 | + * | |
4038 | + * Returns true on success, false otherwise. | |
4039 | + */ | |
4040 | +static bool ccs_argv(const unsigned int index, const char *arg_ptr, | |
4041 | + const int argc, const struct ccs_argv *argv, | |
4042 | + u8 *checked) | |
4043 | +{ | |
4044 | + int i; | |
4045 | + struct ccs_path_info arg; | |
4046 | + arg.name = arg_ptr; | |
4047 | + for (i = 0; i < argc; argv++, checked++, i++) { | |
4048 | + bool result; | |
4049 | + if (index != argv->index) | |
4050 | + continue; | |
4051 | + *checked = 1; | |
4052 | + ccs_fill_path_info(&arg); | |
4053 | + result = ccs_path_matches_pattern(&arg, argv->value); | |
4054 | + if (argv->is_not) | |
4055 | + result = !result; | |
4056 | + if (!result) | |
4057 | + return false; | |
4058 | + } | |
4059 | + return true; | |
4060 | +} | |
4061 | + | |
4062 | +/** | |
4063 | + * ccs_envp - Check envp[] in "struct linux_binbrm". | |
4064 | + * | |
4065 | + * @env_name: The name of environment variable. | |
4066 | + * @env_value: The value of environment variable. | |
4067 | + * @envc: Length of @envp. | |
4068 | + * @envp: Pointer to "struct ccs_envp". | |
4069 | + * @checked: Set to true if @envp[@env_name] was found. | |
4070 | + * | |
4071 | + * Returns true on success, false otherwise. | |
4072 | + */ | |
4073 | +static bool ccs_envp(const char *env_name, const char *env_value, | |
4074 | + const int envc, const struct ccs_envp *envp, | |
4075 | + u8 *checked) | |
4076 | +{ | |
4077 | + int i; | |
4078 | + struct ccs_path_info name; | |
4079 | + struct ccs_path_info value; | |
4080 | + name.name = env_name; | |
4081 | + ccs_fill_path_info(&name); | |
4082 | + value.name = env_value; | |
4083 | + ccs_fill_path_info(&value); | |
4084 | + for (i = 0; i < envc; envp++, checked++, i++) { | |
4085 | + bool result; | |
4086 | + if (!ccs_path_matches_pattern(&name, envp->name)) | |
4087 | + continue; | |
4088 | + *checked = 1; | |
4089 | + if (envp->value) { | |
4090 | + result = ccs_path_matches_pattern(&value, envp->value); | |
4091 | + if (envp->is_not) | |
4092 | + result = !result; | |
4093 | + } else { | |
4094 | + result = true; | |
4095 | + if (!envp->is_not) | |
4096 | + result = !result; | |
4097 | + } | |
4098 | + if (!result) | |
4099 | + return false; | |
4100 | + } | |
4101 | + return true; | |
4102 | +} | |
4103 | + | |
4104 | +/** | |
4105 | + * ccs_scan_bprm - Scan "struct linux_binprm". | |
4106 | + * | |
4107 | + * @ee: Pointer to "struct ccs_execve". | |
4108 | + * @argc: Length of @argc. | |
4109 | + * @argv: Pointer to "struct ccs_argv". | |
4110 | + * @envc: Length of @envp. | |
4111 | + * @envp: Poiner to "struct ccs_envp". | |
4112 | + * | |
4113 | + * Returns true on success, false otherwise. | |
4114 | + */ | |
4115 | +static bool ccs_scan_bprm(struct ccs_execve *ee, | |
4116 | + const u16 argc, const struct ccs_argv *argv, | |
4117 | + const u16 envc, const struct ccs_envp *envp) | |
4118 | +{ | |
4119 | + struct linux_binprm *bprm = ee->bprm; | |
4120 | + struct ccs_page_dump *dump = &ee->dump; | |
4121 | + char *arg_ptr = ee->tmp; | |
4122 | + int arg_len = 0; | |
4123 | + unsigned long pos = bprm->p; | |
4124 | + int offset = pos % PAGE_SIZE; | |
4125 | + int argv_count = bprm->argc; | |
4126 | + int envp_count = bprm->envc; | |
4127 | + bool result = true; | |
4128 | + u8 local_checked[32]; | |
4129 | + u8 *checked; | |
4130 | + if (argc + envc <= sizeof(local_checked)) { | |
4131 | + checked = local_checked; | |
4132 | + memset(local_checked, 0, sizeof(local_checked)); | |
4133 | + } else { | |
4134 | + checked = kzalloc(argc + envc, CCS_GFP_FLAGS); | |
4135 | + if (!checked) | |
4136 | + return false; | |
4137 | + } | |
4138 | + while (argv_count || envp_count) { | |
4139 | + if (!ccs_dump_page(bprm, pos, dump)) { | |
4140 | + result = false; | |
4141 | + goto out; | |
4142 | + } | |
4143 | + pos += PAGE_SIZE - offset; | |
4144 | + while (offset < PAGE_SIZE) { | |
4145 | + /* Read. */ | |
4146 | + const char *kaddr = dump->data; | |
4147 | + const unsigned char c = kaddr[offset++]; | |
4148 | + if (c && arg_len < CCS_EXEC_TMPSIZE - 10) { | |
4149 | + if (c == '\\') { | |
4150 | + arg_ptr[arg_len++] = '\\'; | |
4151 | + arg_ptr[arg_len++] = '\\'; | |
4152 | + } else if (c > ' ' && c < 127) { | |
4153 | + arg_ptr[arg_len++] = c; | |
4154 | + } else { | |
4155 | + arg_ptr[arg_len++] = '\\'; | |
4156 | + arg_ptr[arg_len++] = (c >> 6) + '0'; | |
4157 | + arg_ptr[arg_len++] = | |
4158 | + ((c >> 3) & 7) + '0'; | |
4159 | + arg_ptr[arg_len++] = (c & 7) + '0'; | |
4160 | + } | |
4161 | + } else { | |
4162 | + arg_ptr[arg_len] = '\0'; | |
4163 | + } | |
4164 | + if (c) | |
4165 | + continue; | |
4166 | + /* Check. */ | |
4167 | + if (argv_count) { | |
4168 | + if (!ccs_argv(bprm->argc - argv_count, | |
4169 | + arg_ptr, argc, argv, | |
4170 | + checked)) { | |
4171 | + result = false; | |
4172 | + break; | |
4173 | + } | |
4174 | + argv_count--; | |
4175 | + } else if (envp_count) { | |
4176 | + char *cp = strchr(arg_ptr, '='); | |
4177 | + if (cp) { | |
4178 | + *cp = '\0'; | |
4179 | + if (!ccs_envp(arg_ptr, cp + 1, | |
4180 | + envc, envp, | |
4181 | + checked + argc)) { | |
4182 | + result = false; | |
4183 | + break; | |
4184 | + } | |
4185 | + } | |
4186 | + envp_count--; | |
4187 | + } else { | |
4188 | + break; | |
4189 | + } | |
4190 | + arg_len = 0; | |
4191 | + } | |
4192 | + offset = 0; | |
4193 | + if (!result) | |
4194 | + break; | |
4195 | + } | |
4196 | +out: | |
4197 | + if (result) { | |
4198 | + int i; | |
4199 | + /* Check not-yet-checked entries. */ | |
4200 | + for (i = 0; i < argc; i++) { | |
4201 | + if (checked[i]) | |
4202 | + continue; | |
4203 | + /* | |
4204 | + * Return true only if all unchecked indexes in | |
4205 | + * bprm->argv[] are not matched. | |
4206 | + */ | |
4207 | + if (argv[i].is_not) | |
4208 | + continue; | |
4209 | + result = false; | |
4210 | + break; | |
4211 | + } | |
4212 | + for (i = 0; i < envc; envp++, i++) { | |
4213 | + if (checked[argc + i]) | |
4214 | + continue; | |
4215 | + /* | |
4216 | + * Return true only if all unchecked environ variables | |
4217 | + * in bprm->envp[] are either undefined or not matched. | |
4218 | + */ | |
4219 | + if ((!envp->value && !envp->is_not) || | |
4220 | + (envp->value && envp->is_not)) | |
4221 | + continue; | |
4222 | + result = false; | |
4223 | + break; | |
4224 | + } | |
4225 | + } | |
4226 | + if (checked != local_checked) | |
4227 | + kfree(checked); | |
4228 | + return result; | |
4229 | +} | |
4230 | + | |
4231 | +/** | |
4232 | + * ccs_scan_exec_realpath - Check "exec.realpath" parameter of "struct ccs_condition". | |
4233 | + * | |
4234 | + * @file: Pointer to "struct file". | |
4235 | + * @ptr: Pointer to "struct ccs_name_union". | |
4236 | + * @match: True if "exec.realpath=", false if "exec.realpath!=". | |
4237 | + * | |
4238 | + * Returns true on success, false otherwise. | |
4239 | + */ | |
4240 | +static bool ccs_scan_exec_realpath(struct file *file, | |
4241 | + const struct ccs_name_union *ptr, | |
4242 | + const bool match) | |
4243 | +{ | |
4244 | + bool result; | |
4245 | + struct ccs_path_info exe; | |
4246 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20) | |
4247 | + struct path path; | |
4248 | +#endif | |
4249 | + if (!file) | |
4250 | + return false; | |
4251 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20) | |
4252 | + exe.name = ccs_realpath(&file->f_path); | |
4253 | +#else | |
4254 | + path.mnt = file->f_vfsmnt; | |
4255 | + path.dentry = file->f_dentry; | |
4256 | + exe.name = ccs_realpath(&path); | |
4257 | +#endif | |
4258 | + if (!exe.name) | |
4259 | + return false; | |
4260 | + ccs_fill_path_info(&exe); | |
4261 | + result = ccs_compare_name_union(&exe, ptr); | |
4262 | + kfree(exe.name); | |
4263 | + return result == match; | |
4264 | +} | |
4265 | + | |
4266 | +/** | |
4267 | + * ccs_get_attributes - Revalidate "struct inode". | |
4268 | + * | |
4269 | + * @obj: Pointer to "struct ccs_obj_info". | |
4270 | + * | |
4271 | + * Returns nothing. | |
4272 | + */ | |
4273 | +void ccs_get_attributes(struct ccs_obj_info *obj) | |
4274 | +{ | |
4275 | + u8 i; | |
4276 | + struct dentry *dentry = NULL; | |
4277 | + | |
4278 | + for (i = 0; i < CCS_MAX_PATH_STAT; i++) { | |
4279 | + struct inode *inode; | |
4280 | + switch (i) { | |
4281 | + case CCS_PATH1: | |
4282 | + dentry = obj->path1.dentry; | |
4283 | + if (!dentry) | |
4284 | + continue; | |
4285 | + break; | |
4286 | + case CCS_PATH2: | |
4287 | + dentry = obj->path2.dentry; | |
4288 | + if (!dentry) | |
4289 | + continue; | |
4290 | + break; | |
4291 | + default: | |
4292 | + if (!dentry) | |
4293 | + continue; | |
4294 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) | |
4295 | + spin_lock(&dcache_lock); | |
4296 | + dentry = dget(dentry->d_parent); | |
4297 | + spin_unlock(&dcache_lock); | |
4298 | +#else | |
4299 | + dentry = dget_parent(dentry); | |
4300 | +#endif | |
4301 | + break; | |
4302 | + } | |
4303 | + inode = d_backing_inode(dentry); | |
4304 | + if (inode) { | |
4305 | + struct ccs_mini_stat *stat = &obj->stat[i]; | |
4306 | + stat->uid = inode->i_uid; | |
4307 | + stat->gid = inode->i_gid; | |
4308 | + stat->ino = inode->i_ino; | |
4309 | + stat->mode = inode->i_mode; | |
4310 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) | |
4311 | + stat->dev = inode->i_dev; | |
4312 | +#else | |
4313 | + stat->dev = inode->i_sb->s_dev; | |
4314 | +#endif | |
4315 | + stat->rdev = inode->i_rdev; | |
4316 | + obj->stat_valid[i] = true; | |
4317 | + } | |
4318 | + if (i & 1) /* i == CCS_PATH1_PARENT || i == CCS_PATH2_PARENT */ | |
4319 | + dput(dentry); | |
4320 | + } | |
4321 | +} | |
4322 | + | |
4323 | +/** | |
4324 | + * ccs_condition - Check condition part. | |
4325 | + * | |
4326 | + * @r: Pointer to "struct ccs_request_info". | |
4327 | + * @cond: Pointer to "struct ccs_condition". Maybe NULL. | |
4328 | + * | |
4329 | + * Returns true on success, false otherwise. | |
4330 | + * | |
4331 | + * Caller holds ccs_read_lock(). | |
4332 | + */ | |
4333 | +static bool ccs_condition(struct ccs_request_info *r, | |
4334 | + const struct ccs_condition *cond) | |
4335 | +{ | |
4336 | + const u32 ccs_flags = ccs_current_flags(); | |
4337 | + u32 i; | |
4338 | + unsigned long min_v[2] = { 0, 0 }; | |
4339 | + unsigned long max_v[2] = { 0, 0 }; | |
4340 | + const struct ccs_condition_element *condp; | |
4341 | + const struct ccs_number_union *numbers_p; | |
4342 | + const struct ccs_name_union *names_p; | |
4343 | + const struct ccs_argv *argv; | |
4344 | + const struct ccs_envp *envp; | |
4345 | + struct ccs_obj_info *obj; | |
4346 | + u16 condc; | |
4347 | + u16 argc; | |
4348 | + u16 envc; | |
4349 | + struct linux_binprm *bprm = NULL; | |
4350 | + if (!cond) | |
4351 | + return true; | |
4352 | + condc = cond->condc; | |
4353 | + argc = cond->argc; | |
4354 | + envc = cond->envc; | |
4355 | + obj = r->obj; | |
4356 | + if (r->ee) | |
4357 | + bprm = r->ee->bprm; | |
4358 | + if (!bprm && (argc || envc)) | |
4359 | + return false; | |
4360 | + condp = (struct ccs_condition_element *) (cond + 1); | |
4361 | + numbers_p = (const struct ccs_number_union *) (condp + condc); | |
4362 | + names_p = (const struct ccs_name_union *) | |
4363 | + (numbers_p + cond->numbers_count); | |
4364 | + argv = (const struct ccs_argv *) (names_p + cond->names_count); | |
4365 | + envp = (const struct ccs_envp *) (argv + argc); | |
4366 | + for (i = 0; i < condc; i++) { | |
4367 | + const bool match = condp->equals; | |
4368 | + const u8 left = condp->left; | |
4369 | + const u8 right = condp->right; | |
4370 | + bool is_bitop[2] = { false, false }; | |
4371 | + u8 j; | |
4372 | + condp++; | |
4373 | + /* Check argv[] and envp[] later. */ | |
4374 | + if (left == CCS_ARGV_ENTRY || left == CCS_ENVP_ENTRY) | |
4375 | + continue; | |
4376 | + /* Check string expressions. */ | |
4377 | + if (right == CCS_NAME_UNION) { | |
4378 | + const struct ccs_name_union *ptr = names_p++; | |
4379 | + switch (left) { | |
4380 | + struct ccs_path_info *symlink; | |
4381 | + struct ccs_execve *ee; | |
4382 | + struct file *file; | |
4383 | + case CCS_SYMLINK_TARGET: | |
4384 | + symlink = obj ? obj->symlink_target : NULL; | |
4385 | + if (!symlink || | |
4386 | + !ccs_compare_name_union(symlink, ptr) | |
4387 | + == match) | |
4388 | + goto out; | |
4389 | + break; | |
4390 | + case CCS_EXEC_REALPATH: | |
4391 | + ee = r->ee; | |
4392 | + file = ee ? ee->bprm->file : NULL; | |
4393 | + if (!ccs_scan_exec_realpath(file, ptr, match)) | |
4394 | + goto out; | |
4395 | + break; | |
4396 | + } | |
4397 | + continue; | |
4398 | + } | |
4399 | + /* Check numeric or bit-op expressions. */ | |
4400 | + for (j = 0; j < 2; j++) { | |
4401 | + const u8 index = j ? right : left; | |
4402 | + unsigned long value = 0; | |
4403 | + switch (index) { | |
4404 | + case CCS_TASK_UID: | |
4405 | + value = from_kuid(&init_user_ns, | |
4406 | + current_uid()); | |
4407 | + break; | |
4408 | + case CCS_TASK_EUID: | |
4409 | + value = from_kuid(&init_user_ns, | |
4410 | + current_euid()); | |
4411 | + break; | |
4412 | + case CCS_TASK_SUID: | |
4413 | + value = from_kuid(&init_user_ns, | |
4414 | + current_suid()); | |
4415 | + break; | |
4416 | + case CCS_TASK_FSUID: | |
4417 | + value = from_kuid(&init_user_ns, | |
4418 | + current_fsuid()); | |
4419 | + break; | |
4420 | + case CCS_TASK_GID: | |
4421 | + value = from_kgid(&init_user_ns, | |
4422 | + current_gid()); | |
4423 | + break; | |
4424 | + case CCS_TASK_EGID: | |
4425 | + value = from_kgid(&init_user_ns, | |
4426 | + current_egid()); | |
4427 | + break; | |
4428 | + case CCS_TASK_SGID: | |
4429 | + value = from_kgid(&init_user_ns, | |
4430 | + current_sgid()); | |
4431 | + break; | |
4432 | + case CCS_TASK_FSGID: | |
4433 | + value = from_kgid(&init_user_ns, | |
4434 | + current_fsgid()); | |
4435 | + break; | |
4436 | + case CCS_TASK_PID: | |
4437 | + value = ccs_sys_getpid(); | |
4438 | + break; | |
4439 | + case CCS_TASK_PPID: | |
4440 | + value = ccs_sys_getppid(); | |
4441 | + break; | |
4442 | + case CCS_TYPE_IS_SOCKET: | |
4443 | + value = S_IFSOCK; | |
4444 | + break; | |
4445 | + case CCS_TYPE_IS_SYMLINK: | |
4446 | + value = S_IFLNK; | |
4447 | + break; | |
4448 | + case CCS_TYPE_IS_FILE: | |
4449 | + value = S_IFREG; | |
4450 | + break; | |
4451 | + case CCS_TYPE_IS_BLOCK_DEV: | |
4452 | + value = S_IFBLK; | |
4453 | + break; | |
4454 | + case CCS_TYPE_IS_DIRECTORY: | |
4455 | + value = S_IFDIR; | |
4456 | + break; | |
4457 | + case CCS_TYPE_IS_CHAR_DEV: | |
4458 | + value = S_IFCHR; | |
4459 | + break; | |
4460 | + case CCS_TYPE_IS_FIFO: | |
4461 | + value = S_IFIFO; | |
4462 | + break; | |
4463 | + case CCS_MODE_SETUID: | |
4464 | + value = S_ISUID; | |
4465 | + break; | |
4466 | + case CCS_MODE_SETGID: | |
4467 | + value = S_ISGID; | |
4468 | + break; | |
4469 | + case CCS_MODE_STICKY: | |
4470 | + value = S_ISVTX; | |
4471 | + break; | |
4472 | + case CCS_MODE_OWNER_READ: | |
4473 | + value = S_IRUSR; | |
4474 | + break; | |
4475 | + case CCS_MODE_OWNER_WRITE: | |
4476 | + value = S_IWUSR; | |
4477 | + break; | |
4478 | + case CCS_MODE_OWNER_EXECUTE: | |
4479 | + value = S_IXUSR; | |
4480 | + break; | |
4481 | + case CCS_MODE_GROUP_READ: | |
4482 | + value = S_IRGRP; | |
4483 | + break; | |
4484 | + case CCS_MODE_GROUP_WRITE: | |
4485 | + value = S_IWGRP; | |
4486 | + break; | |
4487 | + case CCS_MODE_GROUP_EXECUTE: | |
4488 | + value = S_IXGRP; | |
4489 | + break; | |
4490 | + case CCS_MODE_OTHERS_READ: | |
4491 | + value = S_IROTH; | |
4492 | + break; | |
4493 | + case CCS_MODE_OTHERS_WRITE: | |
4494 | + value = S_IWOTH; | |
4495 | + break; | |
4496 | + case CCS_MODE_OTHERS_EXECUTE: | |
4497 | + value = S_IXOTH; | |
4498 | + break; | |
4499 | + case CCS_EXEC_ARGC: | |
4500 | + if (!bprm) | |
4501 | + goto out; | |
4502 | + value = bprm->argc; | |
4503 | + break; | |
4504 | + case CCS_EXEC_ENVC: | |
4505 | + if (!bprm) | |
4506 | + goto out; | |
4507 | + value = bprm->envc; | |
4508 | + break; | |
4509 | + case CCS_TASK_TYPE: | |
4510 | + value = ((u8) ccs_flags) | |
4511 | + & CCS_TASK_IS_EXECUTE_HANDLER; | |
4512 | + break; | |
4513 | + case CCS_TASK_EXECUTE_HANDLER: | |
4514 | + value = CCS_TASK_IS_EXECUTE_HANDLER; | |
4515 | + break; | |
4516 | + case CCS_NUMBER_UNION: | |
4517 | + /* Fetch values later. */ | |
4518 | + break; | |
4519 | + default: | |
4520 | + if (!obj) | |
4521 | + goto out; | |
4522 | + if (!obj->validate_done) { | |
4523 | + ccs_get_attributes(obj); | |
4524 | + obj->validate_done = true; | |
4525 | + } | |
4526 | + { | |
4527 | + u8 stat_index; | |
4528 | + struct ccs_mini_stat *stat; | |
4529 | + switch (index) { | |
4530 | + case CCS_PATH1_UID: | |
4531 | + case CCS_PATH1_GID: | |
4532 | + case CCS_PATH1_INO: | |
4533 | + case CCS_PATH1_MAJOR: | |
4534 | + case CCS_PATH1_MINOR: | |
4535 | + case CCS_PATH1_TYPE: | |
4536 | + case CCS_PATH1_DEV_MAJOR: | |
4537 | + case CCS_PATH1_DEV_MINOR: | |
4538 | + case CCS_PATH1_PERM: | |
4539 | + stat_index = CCS_PATH1; | |
4540 | + break; | |
4541 | + case CCS_PATH2_UID: | |
4542 | + case CCS_PATH2_GID: | |
4543 | + case CCS_PATH2_INO: | |
4544 | + case CCS_PATH2_MAJOR: | |
4545 | + case CCS_PATH2_MINOR: | |
4546 | + case CCS_PATH2_TYPE: | |
4547 | + case CCS_PATH2_DEV_MAJOR: | |
4548 | + case CCS_PATH2_DEV_MINOR: | |
4549 | + case CCS_PATH2_PERM: | |
4550 | + stat_index = CCS_PATH2; | |
4551 | + break; | |
4552 | + case CCS_PATH1_PARENT_UID: | |
4553 | + case CCS_PATH1_PARENT_GID: | |
4554 | + case CCS_PATH1_PARENT_INO: | |
4555 | + case CCS_PATH1_PARENT_PERM: | |
4556 | + stat_index = CCS_PATH1_PARENT; | |
4557 | + break; | |
4558 | + case CCS_PATH2_PARENT_UID: | |
4559 | + case CCS_PATH2_PARENT_GID: | |
4560 | + case CCS_PATH2_PARENT_INO: | |
4561 | + case CCS_PATH2_PARENT_PERM: | |
4562 | + stat_index = CCS_PATH2_PARENT; | |
4563 | + break; | |
4564 | + default: | |
4565 | + goto out; | |
4566 | + } | |
4567 | + if (!obj->stat_valid[stat_index]) | |
4568 | + goto out; | |
4569 | + stat = &obj->stat[stat_index]; | |
4570 | + switch (index) { | |
4571 | + case CCS_PATH1_UID: | |
4572 | + case CCS_PATH2_UID: | |
4573 | + case CCS_PATH1_PARENT_UID: | |
4574 | + case CCS_PATH2_PARENT_UID: | |
4575 | + value = from_kuid | |
4576 | + (&init_user_ns, | |
4577 | + stat->uid); | |
4578 | + break; | |
4579 | + case CCS_PATH1_GID: | |
4580 | + case CCS_PATH2_GID: | |
4581 | + case CCS_PATH1_PARENT_GID: | |
4582 | + case CCS_PATH2_PARENT_GID: | |
4583 | + value = from_kgid | |
4584 | + (&init_user_ns, | |
4585 | + stat->gid); | |
4586 | + break; | |
4587 | + case CCS_PATH1_INO: | |
4588 | + case CCS_PATH2_INO: | |
4589 | + case CCS_PATH1_PARENT_INO: | |
4590 | + case CCS_PATH2_PARENT_INO: | |
4591 | + value = stat->ino; | |
4592 | + break; | |
4593 | + case CCS_PATH1_MAJOR: | |
4594 | + case CCS_PATH2_MAJOR: | |
4595 | + value = MAJOR(stat->dev); | |
4596 | + break; | |
4597 | + case CCS_PATH1_MINOR: | |
4598 | + case CCS_PATH2_MINOR: | |
4599 | + value = MINOR(stat->dev); | |
4600 | + break; | |
4601 | + case CCS_PATH1_TYPE: | |
4602 | + case CCS_PATH2_TYPE: | |
4603 | + value = stat->mode & S_IFMT; | |
4604 | + break; | |
4605 | + case CCS_PATH1_DEV_MAJOR: | |
4606 | + case CCS_PATH2_DEV_MAJOR: | |
4607 | + value = MAJOR(stat->rdev); | |
4608 | + break; | |
4609 | + case CCS_PATH1_DEV_MINOR: | |
4610 | + case CCS_PATH2_DEV_MINOR: | |
4611 | + value = MINOR(stat->rdev); | |
4612 | + break; | |
4613 | + case CCS_PATH1_PERM: | |
4614 | + case CCS_PATH2_PERM: | |
4615 | + case CCS_PATH1_PARENT_PERM: | |
4616 | + case CCS_PATH2_PARENT_PERM: | |
4617 | + value = stat->mode & S_IALLUGO; | |
4618 | + break; | |
4619 | + } | |
4620 | + } | |
4621 | + break; | |
4622 | + } | |
4623 | + max_v[j] = value; | |
4624 | + min_v[j] = value; | |
4625 | + switch (index) { | |
4626 | + case CCS_MODE_SETUID: | |
4627 | + case CCS_MODE_SETGID: | |
4628 | + case CCS_MODE_STICKY: | |
4629 | + case CCS_MODE_OWNER_READ: | |
4630 | + case CCS_MODE_OWNER_WRITE: | |
4631 | + case CCS_MODE_OWNER_EXECUTE: | |
4632 | + case CCS_MODE_GROUP_READ: | |
4633 | + case CCS_MODE_GROUP_WRITE: | |
4634 | + case CCS_MODE_GROUP_EXECUTE: | |
4635 | + case CCS_MODE_OTHERS_READ: | |
4636 | + case CCS_MODE_OTHERS_WRITE: | |
4637 | + case CCS_MODE_OTHERS_EXECUTE: | |
4638 | + is_bitop[j] = true; | |
4639 | + } | |
4640 | + } | |
4641 | + if (left == CCS_NUMBER_UNION) { | |
4642 | + /* Fetch values now. */ | |
4643 | + const struct ccs_number_union *ptr = numbers_p++; | |
4644 | + min_v[0] = ptr->values[0]; | |
4645 | + max_v[0] = ptr->values[1]; | |
4646 | + } | |
4647 | + if (right == CCS_NUMBER_UNION) { | |
4648 | + /* Fetch values now. */ | |
4649 | + const struct ccs_number_union *ptr = numbers_p++; | |
4650 | + if (ptr->group) { | |
4651 | + if (ccs_number_matches_group(min_v[0], | |
4652 | + max_v[0], | |
4653 | + ptr->group) | |
4654 | + == match) | |
4655 | + continue; | |
4656 | + } else { | |
4657 | + if ((min_v[0] <= ptr->values[1] && | |
4658 | + max_v[0] >= ptr->values[0]) == match) | |
4659 | + continue; | |
4660 | + } | |
4661 | + goto out; | |
4662 | + } | |
4663 | + /* | |
4664 | + * Bit operation is valid only when counterpart value | |
4665 | + * represents permission. | |
4666 | + */ | |
4667 | + if (is_bitop[0] && is_bitop[1]) { | |
4668 | + goto out; | |
4669 | + } else if (is_bitop[0]) { | |
4670 | + switch (right) { | |
4671 | + case CCS_PATH1_PERM: | |
4672 | + case CCS_PATH1_PARENT_PERM: | |
4673 | + case CCS_PATH2_PERM: | |
4674 | + case CCS_PATH2_PARENT_PERM: | |
4675 | + if (!(max_v[0] & max_v[1]) == !match) | |
4676 | + continue; | |
4677 | + } | |
4678 | + goto out; | |
4679 | + } else if (is_bitop[1]) { | |
4680 | + switch (left) { | |
4681 | + case CCS_PATH1_PERM: | |
4682 | + case CCS_PATH1_PARENT_PERM: | |
4683 | + case CCS_PATH2_PERM: | |
4684 | + case CCS_PATH2_PARENT_PERM: | |
4685 | + if (!(max_v[0] & max_v[1]) == !match) | |
4686 | + continue; | |
4687 | + } | |
4688 | + goto out; | |
4689 | + } | |
4690 | + /* Normal value range comparison. */ | |
4691 | + if ((min_v[0] <= max_v[1] && max_v[0] >= min_v[1]) == match) | |
4692 | + continue; | |
4693 | +out: | |
4694 | + return false; | |
4695 | + } | |
4696 | + /* Check argv[] and envp[] now. */ | |
4697 | + if (r->ee && (argc || envc)) | |
4698 | + return ccs_scan_bprm(r->ee, argc, argv, envc, envp); | |
4699 | + return true; | |
4700 | +} | |
4701 | + | |
4702 | +#ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION | |
4703 | + | |
4704 | +/** | |
4705 | + * ccs_check_task_acl - Check permission for task operation. | |
4706 | + * | |
4707 | + * @r: Pointer to "struct ccs_request_info". | |
4708 | + * @ptr: Pointer to "struct ccs_acl_info". | |
4709 | + * | |
4710 | + * Returns true if granted, false otherwise. | |
4711 | + */ | |
4712 | +static bool ccs_check_task_acl(struct ccs_request_info *r, | |
4713 | + const struct ccs_acl_info *ptr) | |
4714 | +{ | |
4715 | + const struct ccs_task_acl *acl = container_of(ptr, typeof(*acl), head); | |
4716 | + return !ccs_pathcmp(r->param.task.domainname, acl->domainname); | |
4717 | +} | |
4718 | + | |
4719 | +#endif | |
4720 | + | |
4721 | +/** | |
4722 | + * ccs_init_request_info - Initialize "struct ccs_request_info" members. | |
4723 | + * | |
4724 | + * @r: Pointer to "struct ccs_request_info" to initialize. | |
4725 | + * @index: Index number of functionality. | |
4726 | + * | |
4727 | + * Returns mode. | |
4728 | + * | |
4729 | + * "task auto_domain_transition" keyword is evaluated before returning mode for | |
4730 | + * @index. If "task auto_domain_transition" keyword was specified and | |
4731 | + * transition to that domain failed, the current thread will be killed by | |
4732 | + * SIGKILL. Note that if current->pid == 1, sending SIGKILL won't work. | |
4733 | + */ | |
4734 | +int ccs_init_request_info(struct ccs_request_info *r, const u8 index) | |
4735 | +{ | |
4736 | +#ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION | |
4737 | + u8 i; | |
4738 | + const char *buf; | |
4739 | + for (i = 0; i < 255; i++) { | |
4740 | + const u8 profile = ccs_current_domain()->profile; | |
4741 | + memset(r, 0, sizeof(*r)); | |
4742 | + r->profile = profile; | |
4743 | + r->type = index; | |
4744 | + r->mode = ccs_get_mode(profile, index); | |
4745 | + r->param_type = CCS_TYPE_AUTO_TASK_ACL; | |
4746 | + ccs_check_acl(r); | |
4747 | + if (!r->granted) | |
4748 | + return r->mode; | |
4749 | + buf = container_of(r->matched_acl, typeof(struct ccs_task_acl), | |
4750 | + head)->domainname->name; | |
4751 | + if (!ccs_assign_domain(buf, true)) | |
4752 | + break; | |
4753 | + } | |
4754 | + ccs_transition_failed(buf); | |
4755 | + return CCS_CONFIG_DISABLED; | |
4756 | +#else | |
4757 | + const u8 profile = ccs_current_domain()->profile; | |
4758 | + memset(r, 0, sizeof(*r)); | |
4759 | + r->profile = profile; | |
4760 | + r->type = index; | |
4761 | + r->mode = ccs_get_mode(profile, index); | |
4762 | + return r->mode; | |
4763 | +#endif | |
4764 | +} | |
4765 | + | |
4766 | +/** | |
4767 | + * ccs_byte_range - Check whether the string is a \ooo style octal value. | |
4768 | + * | |
4769 | + * @str: Pointer to the string. | |
4770 | + * | |
4771 | + * Returns true if @str is a \ooo style octal value, false otherwise. | |
4772 | + */ | |
4773 | +static bool ccs_byte_range(const char *str) | |
4774 | +{ | |
4775 | + return *str >= '0' && *str++ <= '3' && | |
4776 | + *str >= '0' && *str++ <= '7' && | |
4777 | + *str >= '0' && *str <= '7'; | |
4778 | +} | |
4779 | + | |
4780 | +/** | |
4781 | + * ccs_decimal - Check whether the character is a decimal character. | |
4782 | + * | |
4783 | + * @c: The character to check. | |
4784 | + * | |
4785 | + * Returns true if @c is a decimal character, false otherwise. | |
4786 | + */ | |
4787 | +static bool ccs_decimal(const char c) | |
4788 | +{ | |
4789 | + return c >= '0' && c <= '9'; | |
4790 | +} | |
4791 | + | |
4792 | +/** | |
4793 | + * ccs_hexadecimal - Check whether the character is a hexadecimal character. | |
4794 | + * | |
4795 | + * @c: The character to check. | |
4796 | + * | |
4797 | + * Returns true if @c is a hexadecimal character, false otherwise. | |
4798 | + */ | |
4799 | +static bool ccs_hexadecimal(const char c) | |
4800 | +{ | |
4801 | + return (c >= '0' && c <= '9') || | |
4802 | + (c >= 'A' && c <= 'F') || | |
4803 | + (c >= 'a' && c <= 'f'); | |
4804 | +} | |
4805 | + | |
4806 | +/** | |
4807 | + * ccs_alphabet_char - Check whether the character is an alphabet. | |
4808 | + * | |
4809 | + * @c: The character to check. | |
4810 | + * | |
4811 | + * Returns true if @c is an alphabet character, false otherwise. | |
4812 | + */ | |
4813 | +static bool ccs_alphabet_char(const char c) | |
4814 | +{ | |
4815 | + return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'); | |
4816 | +} | |
4817 | + | |
4818 | +/** | |
4819 | + * ccs_file_matches_pattern2 - Pattern matching without '/' character and "\-" pattern. | |
4820 | + * | |
4821 | + * @filename: The start of string to check. | |
4822 | + * @filename_end: The end of string to check. | |
4823 | + * @pattern: The start of pattern to compare. | |
4824 | + * @pattern_end: The end of pattern to compare. | |
4825 | + * | |
4826 | + * Returns true if @filename matches @pattern, false otherwise. | |
4827 | + */ | |
4828 | +static bool ccs_file_matches_pattern2(const char *filename, | |
4829 | + const char *filename_end, | |
4830 | + const char *pattern, | |
4831 | + const char *pattern_end) | |
4832 | +{ | |
4833 | + while (filename < filename_end && pattern < pattern_end) { | |
4834 | + char c; | |
4835 | + if (*pattern != '\\') { | |
4836 | + if (*filename++ != *pattern++) | |
4837 | + return false; | |
4838 | + continue; | |
4839 | + } | |
4840 | + c = *filename; | |
4841 | + pattern++; | |
4842 | + switch (*pattern) { | |
4843 | + int i; | |
4844 | + int j; | |
4845 | + case '?': | |
4846 | + if (c == '/') { | |
4847 | + return false; | |
4848 | + } else if (c == '\\') { | |
4849 | + if (filename[1] == '\\') | |
4850 | + filename++; | |
4851 | + else if (ccs_byte_range(filename + 1)) | |
4852 | + filename += 3; | |
4853 | + else | |
4854 | + return false; | |
4855 | + } | |
4856 | + break; | |
4857 | + case '\\': | |
4858 | + if (c != '\\') | |
4859 | + return false; | |
4860 | + if (*++filename != '\\') | |
4861 | + return false; | |
4862 | + break; | |
4863 | + case '+': | |
4864 | + if (!ccs_decimal(c)) | |
4865 | + return false; | |
4866 | + break; | |
4867 | + case 'x': | |
4868 | + if (!ccs_hexadecimal(c)) | |
4869 | + return false; | |
4870 | + break; | |
4871 | + case 'a': | |
4872 | + if (!ccs_alphabet_char(c)) | |
4873 | + return false; | |
4874 | + break; | |
4875 | + case '0': | |
4876 | + case '1': | |
4877 | + case '2': | |
4878 | + case '3': | |
4879 | + if (c == '\\' && ccs_byte_range(filename + 1) | |
4880 | + && !strncmp(filename + 1, pattern, 3)) { | |
4881 | + filename += 3; | |
4882 | + pattern += 2; | |
4883 | + break; | |
4884 | + } | |
4885 | + return false; /* Not matched. */ | |
4886 | + case '*': | |
4887 | + case '@': | |
4888 | + for (i = 0; i <= filename_end - filename; i++) { | |
4889 | + if (ccs_file_matches_pattern2(filename + i, | |
4890 | + filename_end, | |
4891 | + pattern + 1, | |
4892 | + pattern_end)) | |
4893 | + return true; | |
4894 | + c = filename[i]; | |
4895 | + if (c == '.' && *pattern == '@') | |
4896 | + break; | |
4897 | + if (c != '\\') | |
4898 | + continue; | |
4899 | + if (filename[i + 1] == '\\') | |
4900 | + i++; | |
4901 | + else if (ccs_byte_range(filename + i + 1)) | |
4902 | + i += 3; | |
4903 | + else | |
4904 | + break; /* Bad pattern. */ | |
4905 | + } | |
4906 | + return false; /* Not matched. */ | |
4907 | + default: | |
4908 | + j = 0; | |
4909 | + c = *pattern; | |
4910 | + if (c == '$') { | |
4911 | + while (ccs_decimal(filename[j])) | |
4912 | + j++; | |
4913 | + } else if (c == 'X') { | |
4914 | + while (ccs_hexadecimal(filename[j])) | |
4915 | + j++; | |
4916 | + } else if (c == 'A') { | |
4917 | + while (ccs_alphabet_char(filename[j])) | |
4918 | + j++; | |
4919 | + } | |
4920 | + for (i = 1; i <= j; i++) { | |
4921 | + if (ccs_file_matches_pattern2(filename + i, | |
4922 | + filename_end, | |
4923 | + pattern + 1, | |
4924 | + pattern_end)) | |
4925 | + return true; | |
4926 | + } | |
4927 | + return false; /* Not matched or bad pattern. */ | |
4928 | + } | |
4929 | + filename++; | |
4930 | + pattern++; | |
4931 | + } | |
4932 | + while (*pattern == '\\' && | |
4933 | + (*(pattern + 1) == '*' || *(pattern + 1) == '@')) | |
4934 | + pattern += 2; | |
4935 | + return filename == filename_end && pattern == pattern_end; | |
4936 | +} | |
4937 | + | |
4938 | +/** | |
4939 | + * ccs_file_matches_pattern - Pattern matching without '/' character. | |
4940 | + * | |
4941 | + * @filename: The start of string to check. | |
4942 | + * @filename_end: The end of string to check. | |
4943 | + * @pattern: The start of pattern to compare. | |
4944 | + * @pattern_end: The end of pattern to compare. | |
4945 | + * | |
4946 | + * Returns true if @filename matches @pattern, false otherwise. | |
4947 | + */ | |
4948 | +static bool ccs_file_matches_pattern(const char *filename, | |
4949 | + const char *filename_end, | |
4950 | + const char *pattern, | |
4951 | + const char *pattern_end) | |
4952 | +{ | |
4953 | + const char *pattern_start = pattern; | |
4954 | + bool first = true; | |
4955 | + bool result; | |
4956 | + while (pattern < pattern_end - 1) { | |
4957 | + /* Split at "\-" pattern. */ | |
4958 | + if (*pattern++ != '\\' || *pattern++ != '-') | |
4959 | + continue; | |
4960 | + result = ccs_file_matches_pattern2(filename, filename_end, | |
4961 | + pattern_start, pattern - 2); | |
4962 | + if (first) | |
4963 | + result = !result; | |
4964 | + if (result) | |
4965 | + return false; | |
4966 | + first = false; | |
4967 | + pattern_start = pattern; | |
4968 | + } | |
4969 | + result = ccs_file_matches_pattern2(filename, filename_end, | |
4970 | + pattern_start, pattern_end); | |
4971 | + return first ? result : !result; | |
4972 | +} | |
4973 | + | |
4974 | +/** | |
4975 | + * ccs_path_matches_pattern2 - Do pathname pattern matching. | |
4976 | + * | |
4977 | + * @f: The start of string to check. | |
4978 | + * @p: The start of pattern to compare. | |
4979 | + * | |
4980 | + * Returns true if @f matches @p, false otherwise. | |
4981 | + */ | |
4982 | +static bool ccs_path_matches_pattern2(const char *f, const char *p) | |
4983 | +{ | |
4984 | + const char *f_delimiter; | |
4985 | + const char *p_delimiter; | |
4986 | + while (*f && *p) { | |
4987 | + f_delimiter = strchr(f, '/'); | |
4988 | + if (!f_delimiter) | |
4989 | + f_delimiter = f + strlen(f); | |
4990 | + p_delimiter = strchr(p, '/'); | |
4991 | + if (!p_delimiter) | |
4992 | + p_delimiter = p + strlen(p); | |
4993 | + if (*p == '\\' && *(p + 1) == '{') | |
4994 | + goto recursive; | |
4995 | + if (!ccs_file_matches_pattern(f, f_delimiter, p, p_delimiter)) | |
4996 | + return false; | |
4997 | + f = f_delimiter; | |
4998 | + if (*f) | |
4999 | + f++; | |
5000 | + p = p_delimiter; | |
5001 | + if (*p) | |
5002 | + p++; | |
5003 | + } | |
5004 | + /* Ignore trailing "\*" and "\@" in @pattern. */ | |
5005 | + while (*p == '\\' && | |
5006 | + (*(p + 1) == '*' || *(p + 1) == '@')) | |
5007 | + p += 2; | |
5008 | + return !*f && !*p; | |
5009 | +recursive: | |
5010 | + /* | |
5011 | + * The "\{" pattern is permitted only after '/' character. | |
5012 | + * This guarantees that below "*(p - 1)" is safe. | |
5013 | + * Also, the "\}" pattern is permitted only before '/' character | |
5014 | + * so that "\{" + "\}" pair will not break the "\-" operator. | |
5015 | + */ | |
5016 | + if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' || | |
5017 | + *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\') | |
5018 | + return false; /* Bad pattern. */ | |
5019 | + do { | |
5020 | + /* Compare current component with pattern. */ | |
5021 | + if (!ccs_file_matches_pattern(f, f_delimiter, p + 2, | |
5022 | + p_delimiter - 2)) | |
5023 | + break; | |
5024 | + /* Proceed to next component. */ | |
5025 | + f = f_delimiter; | |
5026 | + if (!*f) | |
5027 | + break; | |
5028 | + f++; | |
5029 | + /* Continue comparison. */ | |
5030 | + if (ccs_path_matches_pattern2(f, p_delimiter + 1)) | |
5031 | + return true; | |
5032 | + f_delimiter = strchr(f, '/'); | |
5033 | + } while (f_delimiter); | |
5034 | + return false; /* Not matched. */ | |
5035 | +} | |
5036 | + | |
5037 | +/** | |
5038 | + * ccs_path_matches_pattern - Check whether the given filename matches the given pattern. | |
5039 | + * | |
5040 | + * @filename: The filename to check. | |
5041 | + * @pattern: The pattern to compare. | |
5042 | + * | |
5043 | + * Returns true if matches, false otherwise. | |
5044 | + * | |
5045 | + * The following patterns are available. | |
5046 | + * \\ \ itself. | |
5047 | + * \ooo Octal representation of a byte. | |
5048 | + * \* Zero or more repetitions of characters other than '/'. | |
5049 | + * \@ Zero or more repetitions of characters other than '/' or '.'. | |
5050 | + * \? 1 byte character other than '/'. | |
5051 | + * \$ One or more repetitions of decimal digits. | |
5052 | + * \+ 1 decimal digit. | |
5053 | + * \X One or more repetitions of hexadecimal digits. | |
5054 | + * \x 1 hexadecimal digit. | |
5055 | + * \A One or more repetitions of alphabet characters. | |
5056 | + * \a 1 alphabet character. | |
5057 | + * | |
5058 | + * \- Subtraction operator. | |
5059 | + * | |
5060 | + * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ | |
5061 | + * /dir/dir/dir/ ). | |
5062 | + */ | |
5063 | +static bool ccs_path_matches_pattern(const struct ccs_path_info *filename, | |
5064 | + const struct ccs_path_info *pattern) | |
5065 | +{ | |
5066 | + const char *f = filename->name; | |
5067 | + const char *p = pattern->name; | |
5068 | + const int len = pattern->const_len; | |
5069 | + /* If @pattern doesn't contain pattern, I can use strcmp(). */ | |
5070 | + if (!pattern->is_patterned) | |
5071 | + return !ccs_pathcmp(filename, pattern); | |
5072 | + /* Don't compare directory and non-directory. */ | |
5073 | + if (filename->is_dir != pattern->is_dir) | |
5074 | + return false; | |
5075 | + /* Compare the initial length without patterns. */ | |
5076 | + if (strncmp(f, p, len)) | |
5077 | + return false; | |
5078 | + f += len; | |
5079 | + p += len; | |
5080 | + return ccs_path_matches_pattern2(f, p); | |
5081 | +} |
@@ -0,0 +1,6503 @@ | ||
1 | +/* | |
2 | + * security/ccsecurity/policy_io.c | |
3 | + * | |
4 | + * Copyright (C) 2005-2012 NTT DATA CORPORATION | |
5 | + * | |
6 | + * Version: 1.8.6+ 2019/12/25 | |
7 | + */ | |
8 | + | |
9 | +#include "internal.h" | |
10 | + | |
11 | +/***** SECTION1: Constants definition *****/ | |
12 | + | |
13 | +/* Define this to enable debug mode. */ | |
14 | +/* #define DEBUG_CONDITION */ | |
15 | + | |
16 | +#ifdef DEBUG_CONDITION | |
17 | +#define dprintk printk | |
18 | +#else | |
19 | +#define dprintk(...) do { } while (0) | |
20 | +#endif | |
21 | + | |
22 | +/* Mapping table from "enum ccs_mac_index" to "enum ccs_mac_category_index". */ | |
23 | +static const u8 ccs_index2category[CCS_MAX_MAC_INDEX] = { | |
24 | + /* CONFIG::file group */ | |
25 | + [CCS_MAC_FILE_EXECUTE] = CCS_MAC_CATEGORY_FILE, | |
26 | + [CCS_MAC_FILE_OPEN] = CCS_MAC_CATEGORY_FILE, | |
27 | + [CCS_MAC_FILE_CREATE] = CCS_MAC_CATEGORY_FILE, | |
28 | + [CCS_MAC_FILE_UNLINK] = CCS_MAC_CATEGORY_FILE, | |
29 | +#ifdef CONFIG_CCSECURITY_FILE_GETATTR | |
30 | + [CCS_MAC_FILE_GETATTR] = CCS_MAC_CATEGORY_FILE, | |
31 | +#endif | |
32 | + [CCS_MAC_FILE_MKDIR] = CCS_MAC_CATEGORY_FILE, | |
33 | + [CCS_MAC_FILE_RMDIR] = CCS_MAC_CATEGORY_FILE, | |
34 | + [CCS_MAC_FILE_MKFIFO] = CCS_MAC_CATEGORY_FILE, | |
35 | + [CCS_MAC_FILE_MKSOCK] = CCS_MAC_CATEGORY_FILE, | |
36 | + [CCS_MAC_FILE_TRUNCATE] = CCS_MAC_CATEGORY_FILE, | |
37 | + [CCS_MAC_FILE_SYMLINK] = CCS_MAC_CATEGORY_FILE, | |
38 | + [CCS_MAC_FILE_MKBLOCK] = CCS_MAC_CATEGORY_FILE, | |
39 | + [CCS_MAC_FILE_MKCHAR] = CCS_MAC_CATEGORY_FILE, | |
40 | + [CCS_MAC_FILE_LINK] = CCS_MAC_CATEGORY_FILE, | |
41 | + [CCS_MAC_FILE_RENAME] = CCS_MAC_CATEGORY_FILE, | |
42 | + [CCS_MAC_FILE_CHMOD] = CCS_MAC_CATEGORY_FILE, | |
43 | + [CCS_MAC_FILE_CHOWN] = CCS_MAC_CATEGORY_FILE, | |
44 | + [CCS_MAC_FILE_CHGRP] = CCS_MAC_CATEGORY_FILE, | |
45 | + [CCS_MAC_FILE_IOCTL] = CCS_MAC_CATEGORY_FILE, | |
46 | + [CCS_MAC_FILE_CHROOT] = CCS_MAC_CATEGORY_FILE, | |
47 | + [CCS_MAC_FILE_MOUNT] = CCS_MAC_CATEGORY_FILE, | |
48 | + [CCS_MAC_FILE_UMOUNT] = CCS_MAC_CATEGORY_FILE, | |
49 | + [CCS_MAC_FILE_PIVOT_ROOT] = CCS_MAC_CATEGORY_FILE, | |
50 | +#ifdef CONFIG_CCSECURITY_MISC | |
51 | + /* CONFIG::misc group */ | |
52 | + [CCS_MAC_ENVIRON] = CCS_MAC_CATEGORY_MISC, | |
53 | +#endif | |
54 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
55 | + /* CONFIG::network group */ | |
56 | + [CCS_MAC_NETWORK_INET_STREAM_BIND] = CCS_MAC_CATEGORY_NETWORK, | |
57 | + [CCS_MAC_NETWORK_INET_STREAM_LISTEN] = CCS_MAC_CATEGORY_NETWORK, | |
58 | + [CCS_MAC_NETWORK_INET_STREAM_CONNECT] = CCS_MAC_CATEGORY_NETWORK, | |
59 | + [CCS_MAC_NETWORK_INET_STREAM_ACCEPT] = CCS_MAC_CATEGORY_NETWORK, | |
60 | + [CCS_MAC_NETWORK_INET_DGRAM_BIND] = CCS_MAC_CATEGORY_NETWORK, | |
61 | + [CCS_MAC_NETWORK_INET_DGRAM_SEND] = CCS_MAC_CATEGORY_NETWORK, | |
62 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
63 | + [CCS_MAC_NETWORK_INET_DGRAM_RECV] = CCS_MAC_CATEGORY_NETWORK, | |
64 | +#endif | |
65 | + [CCS_MAC_NETWORK_INET_RAW_BIND] = CCS_MAC_CATEGORY_NETWORK, | |
66 | + [CCS_MAC_NETWORK_INET_RAW_SEND] = CCS_MAC_CATEGORY_NETWORK, | |
67 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
68 | + [CCS_MAC_NETWORK_INET_RAW_RECV] = CCS_MAC_CATEGORY_NETWORK, | |
69 | +#endif | |
70 | + [CCS_MAC_NETWORK_UNIX_STREAM_BIND] = CCS_MAC_CATEGORY_NETWORK, | |
71 | + [CCS_MAC_NETWORK_UNIX_STREAM_LISTEN] = CCS_MAC_CATEGORY_NETWORK, | |
72 | + [CCS_MAC_NETWORK_UNIX_STREAM_CONNECT] = CCS_MAC_CATEGORY_NETWORK, | |
73 | + [CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT] = CCS_MAC_CATEGORY_NETWORK, | |
74 | + [CCS_MAC_NETWORK_UNIX_DGRAM_BIND] = CCS_MAC_CATEGORY_NETWORK, | |
75 | + [CCS_MAC_NETWORK_UNIX_DGRAM_SEND] = CCS_MAC_CATEGORY_NETWORK, | |
76 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
77 | + [CCS_MAC_NETWORK_UNIX_DGRAM_RECV] = CCS_MAC_CATEGORY_NETWORK, | |
78 | +#endif | |
79 | + [CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND] = CCS_MAC_CATEGORY_NETWORK, | |
80 | + [CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN] = CCS_MAC_CATEGORY_NETWORK, | |
81 | + [CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] = CCS_MAC_CATEGORY_NETWORK, | |
82 | + [CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT] = CCS_MAC_CATEGORY_NETWORK, | |
83 | +#endif | |
84 | +#ifdef CONFIG_CCSECURITY_IPC | |
85 | + /* CONFIG::ipc group */ | |
86 | + [CCS_MAC_SIGNAL] = CCS_MAC_CATEGORY_IPC, | |
87 | +#endif | |
88 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
89 | + /* CONFIG::capability group */ | |
90 | + [CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET] = CCS_MAC_CATEGORY_CAPABILITY, | |
91 | + [CCS_MAC_CAPABILITY_USE_PACKET_SOCKET] = CCS_MAC_CATEGORY_CAPABILITY, | |
92 | + [CCS_MAC_CAPABILITY_SYS_REBOOT] = CCS_MAC_CATEGORY_CAPABILITY, | |
93 | + [CCS_MAC_CAPABILITY_SYS_VHANGUP] = CCS_MAC_CATEGORY_CAPABILITY, | |
94 | + [CCS_MAC_CAPABILITY_SYS_SETTIME] = CCS_MAC_CATEGORY_CAPABILITY, | |
95 | + [CCS_MAC_CAPABILITY_SYS_NICE] = CCS_MAC_CATEGORY_CAPABILITY, | |
96 | + [CCS_MAC_CAPABILITY_SYS_SETHOSTNAME] = CCS_MAC_CATEGORY_CAPABILITY, | |
97 | + [CCS_MAC_CAPABILITY_USE_KERNEL_MODULE] = CCS_MAC_CATEGORY_CAPABILITY, | |
98 | + [CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD] = CCS_MAC_CATEGORY_CAPABILITY, | |
99 | + [CCS_MAC_CAPABILITY_SYS_PTRACE] = CCS_MAC_CATEGORY_CAPABILITY, | |
100 | +#endif | |
101 | +}; | |
102 | + | |
103 | +/* String table for operation mode. */ | |
104 | +static const char * const ccs_mode[CCS_CONFIG_MAX_MODE] = { | |
105 | + [CCS_CONFIG_DISABLED] = "disabled", | |
106 | + [CCS_CONFIG_LEARNING] = "learning", | |
107 | + [CCS_CONFIG_PERMISSIVE] = "permissive", | |
108 | + [CCS_CONFIG_ENFORCING] = "enforcing" | |
109 | +}; | |
110 | + | |
111 | +/* String table for /proc/ccs/profile interface. */ | |
112 | +static const char * const ccs_mac_keywords[CCS_MAX_MAC_INDEX | |
113 | + + CCS_MAX_MAC_CATEGORY_INDEX] = { | |
114 | + /* CONFIG::file group */ | |
115 | + [CCS_MAC_FILE_EXECUTE] = "execute", | |
116 | + [CCS_MAC_FILE_OPEN] = "open", | |
117 | + [CCS_MAC_FILE_CREATE] = "create", | |
118 | + [CCS_MAC_FILE_UNLINK] = "unlink", | |
119 | +#ifdef CONFIG_CCSECURITY_FILE_GETATTR | |
120 | + [CCS_MAC_FILE_GETATTR] = "getattr", | |
121 | +#endif | |
122 | + [CCS_MAC_FILE_MKDIR] = "mkdir", | |
123 | + [CCS_MAC_FILE_RMDIR] = "rmdir", | |
124 | + [CCS_MAC_FILE_MKFIFO] = "mkfifo", | |
125 | + [CCS_MAC_FILE_MKSOCK] = "mksock", | |
126 | + [CCS_MAC_FILE_TRUNCATE] = "truncate", | |
127 | + [CCS_MAC_FILE_SYMLINK] = "symlink", | |
128 | + [CCS_MAC_FILE_MKBLOCK] = "mkblock", | |
129 | + [CCS_MAC_FILE_MKCHAR] = "mkchar", | |
130 | + [CCS_MAC_FILE_LINK] = "link", | |
131 | + [CCS_MAC_FILE_RENAME] = "rename", | |
132 | + [CCS_MAC_FILE_CHMOD] = "chmod", | |
133 | + [CCS_MAC_FILE_CHOWN] = "chown", | |
134 | + [CCS_MAC_FILE_CHGRP] = "chgrp", | |
135 | + [CCS_MAC_FILE_IOCTL] = "ioctl", | |
136 | + [CCS_MAC_FILE_CHROOT] = "chroot", | |
137 | + [CCS_MAC_FILE_MOUNT] = "mount", | |
138 | + [CCS_MAC_FILE_UMOUNT] = "unmount", | |
139 | + [CCS_MAC_FILE_PIVOT_ROOT] = "pivot_root", | |
140 | +#ifdef CONFIG_CCSECURITY_MISC | |
141 | + /* CONFIG::misc group */ | |
142 | + [CCS_MAC_ENVIRON] = "env", | |
143 | +#endif | |
144 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
145 | + /* CONFIG::network group */ | |
146 | + [CCS_MAC_NETWORK_INET_STREAM_BIND] = "inet_stream_bind", | |
147 | + [CCS_MAC_NETWORK_INET_STREAM_LISTEN] = "inet_stream_listen", | |
148 | + [CCS_MAC_NETWORK_INET_STREAM_CONNECT] = "inet_stream_connect", | |
149 | + [CCS_MAC_NETWORK_INET_STREAM_ACCEPT] = "inet_stream_accept", | |
150 | + [CCS_MAC_NETWORK_INET_DGRAM_BIND] = "inet_dgram_bind", | |
151 | + [CCS_MAC_NETWORK_INET_DGRAM_SEND] = "inet_dgram_send", | |
152 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
153 | + [CCS_MAC_NETWORK_INET_DGRAM_RECV] = "inet_dgram_recv", | |
154 | +#endif | |
155 | + [CCS_MAC_NETWORK_INET_RAW_BIND] = "inet_raw_bind", | |
156 | + [CCS_MAC_NETWORK_INET_RAW_SEND] = "inet_raw_send", | |
157 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
158 | + [CCS_MAC_NETWORK_INET_RAW_RECV] = "inet_raw_recv", | |
159 | +#endif | |
160 | + [CCS_MAC_NETWORK_UNIX_STREAM_BIND] = "unix_stream_bind", | |
161 | + [CCS_MAC_NETWORK_UNIX_STREAM_LISTEN] = "unix_stream_listen", | |
162 | + [CCS_MAC_NETWORK_UNIX_STREAM_CONNECT] = "unix_stream_connect", | |
163 | + [CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT] = "unix_stream_accept", | |
164 | + [CCS_MAC_NETWORK_UNIX_DGRAM_BIND] = "unix_dgram_bind", | |
165 | + [CCS_MAC_NETWORK_UNIX_DGRAM_SEND] = "unix_dgram_send", | |
166 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
167 | + [CCS_MAC_NETWORK_UNIX_DGRAM_RECV] = "unix_dgram_recv", | |
168 | +#endif | |
169 | + [CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND] = "unix_seqpacket_bind", | |
170 | + [CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN] = "unix_seqpacket_listen", | |
171 | + [CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] = "unix_seqpacket_connect", | |
172 | + [CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT] = "unix_seqpacket_accept", | |
173 | +#endif | |
174 | +#ifdef CONFIG_CCSECURITY_IPC | |
175 | + /* CONFIG::ipc group */ | |
176 | + [CCS_MAC_SIGNAL] = "signal", | |
177 | +#endif | |
178 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
179 | + /* CONFIG::capability group */ | |
180 | + [CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET] = "use_route", | |
181 | + [CCS_MAC_CAPABILITY_USE_PACKET_SOCKET] = "use_packet", | |
182 | + [CCS_MAC_CAPABILITY_SYS_REBOOT] = "SYS_REBOOT", | |
183 | + [CCS_MAC_CAPABILITY_SYS_VHANGUP] = "SYS_VHANGUP", | |
184 | + [CCS_MAC_CAPABILITY_SYS_SETTIME] = "SYS_TIME", | |
185 | + [CCS_MAC_CAPABILITY_SYS_NICE] = "SYS_NICE", | |
186 | + [CCS_MAC_CAPABILITY_SYS_SETHOSTNAME] = "SYS_SETHOSTNAME", | |
187 | + [CCS_MAC_CAPABILITY_USE_KERNEL_MODULE] = "use_kernel_module", | |
188 | + [CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD] = "SYS_KEXEC_LOAD", | |
189 | + [CCS_MAC_CAPABILITY_SYS_PTRACE] = "SYS_PTRACE", | |
190 | +#endif | |
191 | + /* CONFIG group */ | |
192 | + [CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_FILE] = "file", | |
193 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
194 | + [CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_NETWORK] = "network", | |
195 | +#endif | |
196 | +#ifdef CONFIG_CCSECURITY_MISC | |
197 | + [CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_MISC] = "misc", | |
198 | +#endif | |
199 | +#ifdef CONFIG_CCSECURITY_IPC | |
200 | + [CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_IPC] = "ipc", | |
201 | +#endif | |
202 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
203 | + [CCS_MAX_MAC_INDEX + CCS_MAC_CATEGORY_CAPABILITY] = "capability", | |
204 | +#endif | |
205 | +}; | |
206 | + | |
207 | +/* String table for path operation. */ | |
208 | +static const char * const ccs_path_keyword[CCS_MAX_PATH_OPERATION] = { | |
209 | + [CCS_TYPE_EXECUTE] = "execute", | |
210 | + [CCS_TYPE_READ] = "read", | |
211 | + [CCS_TYPE_WRITE] = "write", | |
212 | + [CCS_TYPE_APPEND] = "append", | |
213 | + [CCS_TYPE_UNLINK] = "unlink", | |
214 | +#ifdef CONFIG_CCSECURITY_FILE_GETATTR | |
215 | + [CCS_TYPE_GETATTR] = "getattr", | |
216 | +#endif | |
217 | + [CCS_TYPE_RMDIR] = "rmdir", | |
218 | + [CCS_TYPE_TRUNCATE] = "truncate", | |
219 | + [CCS_TYPE_SYMLINK] = "symlink", | |
220 | + [CCS_TYPE_CHROOT] = "chroot", | |
221 | + [CCS_TYPE_UMOUNT] = "unmount", | |
222 | +}; | |
223 | + | |
224 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
225 | + | |
226 | +/* String table for socket's operation. */ | |
227 | +static const char * const ccs_socket_keyword[CCS_MAX_NETWORK_OPERATION] = { | |
228 | + [CCS_NETWORK_BIND] = "bind", | |
229 | + [CCS_NETWORK_LISTEN] = "listen", | |
230 | + [CCS_NETWORK_CONNECT] = "connect", | |
231 | + [CCS_NETWORK_ACCEPT] = "accept", | |
232 | + [CCS_NETWORK_SEND] = "send", | |
233 | +#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG | |
234 | + [CCS_NETWORK_RECV] = "recv", | |
235 | +#endif | |
236 | +}; | |
237 | + | |
238 | +/* String table for socket's protocols. */ | |
239 | +static const char * const ccs_proto_keyword[CCS_SOCK_MAX] = { | |
240 | + [SOCK_STREAM] = "stream", | |
241 | + [SOCK_DGRAM] = "dgram", | |
242 | + [SOCK_RAW] = "raw", | |
243 | + [SOCK_SEQPACKET] = "seqpacket", | |
244 | + [0] = " ", /* Dummy for avoiding NULL pointer dereference. */ | |
245 | + [4] = " ", /* Dummy for avoiding NULL pointer dereference. */ | |
246 | +}; | |
247 | + | |
248 | +#endif | |
249 | + | |
250 | +/* String table for categories. */ | |
251 | +static const char * const ccs_category_keywords[CCS_MAX_MAC_CATEGORY_INDEX] = { | |
252 | + [CCS_MAC_CATEGORY_FILE] = "file", | |
253 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
254 | + [CCS_MAC_CATEGORY_NETWORK] = "network", | |
255 | +#endif | |
256 | +#ifdef CONFIG_CCSECURITY_MISC | |
257 | + [CCS_MAC_CATEGORY_MISC] = "misc", | |
258 | +#endif | |
259 | +#ifdef CONFIG_CCSECURITY_IPC | |
260 | + [CCS_MAC_CATEGORY_IPC] = "ipc", | |
261 | +#endif | |
262 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
263 | + [CCS_MAC_CATEGORY_CAPABILITY] = "capability", | |
264 | +#endif | |
265 | +}; | |
266 | + | |
267 | +/* String table for conditions. */ | |
268 | +static const char * const ccs_condition_keyword[CCS_MAX_CONDITION_KEYWORD] = { | |
269 | + [CCS_TASK_UID] = "task.uid", | |
270 | + [CCS_TASK_EUID] = "task.euid", | |
271 | + [CCS_TASK_SUID] = "task.suid", | |
272 | + [CCS_TASK_FSUID] = "task.fsuid", | |
273 | + [CCS_TASK_GID] = "task.gid", | |
274 | + [CCS_TASK_EGID] = "task.egid", | |
275 | + [CCS_TASK_SGID] = "task.sgid", | |
276 | + [CCS_TASK_FSGID] = "task.fsgid", | |
277 | + [CCS_TASK_PID] = "task.pid", | |
278 | + [CCS_TASK_PPID] = "task.ppid", | |
279 | + [CCS_EXEC_ARGC] = "exec.argc", | |
280 | + [CCS_EXEC_ENVC] = "exec.envc", | |
281 | + [CCS_TYPE_IS_SOCKET] = "socket", | |
282 | + [CCS_TYPE_IS_SYMLINK] = "symlink", | |
283 | + [CCS_TYPE_IS_FILE] = "file", | |
284 | + [CCS_TYPE_IS_BLOCK_DEV] = "block", | |
285 | + [CCS_TYPE_IS_DIRECTORY] = "directory", | |
286 | + [CCS_TYPE_IS_CHAR_DEV] = "char", | |
287 | + [CCS_TYPE_IS_FIFO] = "fifo", | |
288 | + [CCS_MODE_SETUID] = "setuid", | |
289 | + [CCS_MODE_SETGID] = "setgid", | |
290 | + [CCS_MODE_STICKY] = "sticky", | |
291 | + [CCS_MODE_OWNER_READ] = "owner_read", | |
292 | + [CCS_MODE_OWNER_WRITE] = "owner_write", | |
293 | + [CCS_MODE_OWNER_EXECUTE] = "owner_execute", | |
294 | + [CCS_MODE_GROUP_READ] = "group_read", | |
295 | + [CCS_MODE_GROUP_WRITE] = "group_write", | |
296 | + [CCS_MODE_GROUP_EXECUTE] = "group_execute", | |
297 | + [CCS_MODE_OTHERS_READ] = "others_read", | |
298 | + [CCS_MODE_OTHERS_WRITE] = "others_write", | |
299 | + [CCS_MODE_OTHERS_EXECUTE] = "others_execute", | |
300 | + [CCS_TASK_TYPE] = "task.type", | |
301 | + [CCS_TASK_EXECUTE_HANDLER] = "execute_handler", | |
302 | + [CCS_EXEC_REALPATH] = "exec.realpath", | |
303 | + [CCS_SYMLINK_TARGET] = "symlink.target", | |
304 | + [CCS_PATH1_UID] = "path1.uid", | |
305 | + [CCS_PATH1_GID] = "path1.gid", | |
306 | + [CCS_PATH1_INO] = "path1.ino", | |
307 | + [CCS_PATH1_MAJOR] = "path1.major", | |
308 | + [CCS_PATH1_MINOR] = "path1.minor", | |
309 | + [CCS_PATH1_PERM] = "path1.perm", | |
310 | + [CCS_PATH1_TYPE] = "path1.type", | |
311 | + [CCS_PATH1_DEV_MAJOR] = "path1.dev_major", | |
312 | + [CCS_PATH1_DEV_MINOR] = "path1.dev_minor", | |
313 | + [CCS_PATH2_UID] = "path2.uid", | |
314 | + [CCS_PATH2_GID] = "path2.gid", | |
315 | + [CCS_PATH2_INO] = "path2.ino", | |
316 | + [CCS_PATH2_MAJOR] = "path2.major", | |
317 | + [CCS_PATH2_MINOR] = "path2.minor", | |
318 | + [CCS_PATH2_PERM] = "path2.perm", | |
319 | + [CCS_PATH2_TYPE] = "path2.type", | |
320 | + [CCS_PATH2_DEV_MAJOR] = "path2.dev_major", | |
321 | + [CCS_PATH2_DEV_MINOR] = "path2.dev_minor", | |
322 | + [CCS_PATH1_PARENT_UID] = "path1.parent.uid", | |
323 | + [CCS_PATH1_PARENT_GID] = "path1.parent.gid", | |
324 | + [CCS_PATH1_PARENT_INO] = "path1.parent.ino", | |
325 | + [CCS_PATH1_PARENT_PERM] = "path1.parent.perm", | |
326 | + [CCS_PATH2_PARENT_UID] = "path2.parent.uid", | |
327 | + [CCS_PATH2_PARENT_GID] = "path2.parent.gid", | |
328 | + [CCS_PATH2_PARENT_INO] = "path2.parent.ino", | |
329 | + [CCS_PATH2_PARENT_PERM] = "path2.parent.perm", | |
330 | +}; | |
331 | + | |
332 | +/* String table for PREFERENCE keyword. */ | |
333 | +static const char * const ccs_pref_keywords[CCS_MAX_PREF] = { | |
334 | + [CCS_PREF_MAX_AUDIT_LOG] = "max_audit_log", | |
335 | + [CCS_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry", | |
336 | + [CCS_PREF_ENFORCING_PENALTY] = "enforcing_penalty", | |
337 | +}; | |
338 | + | |
339 | +/* String table for domain flags. */ | |
340 | +const char * const ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS] = { | |
341 | + [CCS_DIF_QUOTA_WARNED] = "quota_exceeded\n", | |
342 | + [CCS_DIF_TRANSITION_FAILED] = "transition_failed\n", | |
343 | +}; | |
344 | + | |
345 | +/* String table for domain transition control keywords. */ | |
346 | +static const char * const ccs_transition_type[CCS_MAX_TRANSITION_TYPE] = { | |
347 | + [CCS_TRANSITION_CONTROL_NO_RESET] = "no_reset_domain ", | |
348 | + [CCS_TRANSITION_CONTROL_RESET] = "reset_domain ", | |
349 | + [CCS_TRANSITION_CONTROL_NO_INITIALIZE] = "no_initialize_domain ", | |
350 | + [CCS_TRANSITION_CONTROL_INITIALIZE] = "initialize_domain ", | |
351 | + [CCS_TRANSITION_CONTROL_NO_KEEP] = "no_keep_domain ", | |
352 | + [CCS_TRANSITION_CONTROL_KEEP] = "keep_domain ", | |
353 | +}; | |
354 | + | |
355 | +/* String table for grouping keywords. */ | |
356 | +static const char * const ccs_group_name[CCS_MAX_GROUP] = { | |
357 | + [CCS_PATH_GROUP] = "path_group ", | |
358 | + [CCS_NUMBER_GROUP] = "number_group ", | |
359 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
360 | + [CCS_ADDRESS_GROUP] = "address_group ", | |
361 | +#endif | |
362 | +}; | |
363 | + | |
364 | +/* String table for /proc/ccs/stat interface. */ | |
365 | +static const char * const ccs_policy_headers[CCS_MAX_POLICY_STAT] = { | |
366 | + [CCS_STAT_POLICY_UPDATES] = "update:", | |
367 | + [CCS_STAT_POLICY_LEARNING] = "violation in learning mode:", | |
368 | + [CCS_STAT_POLICY_PERMISSIVE] = "violation in permissive mode:", | |
369 | + [CCS_STAT_POLICY_ENFORCING] = "violation in enforcing mode:", | |
370 | +}; | |
371 | + | |
372 | +/* String table for /proc/ccs/stat interface. */ | |
373 | +static const char * const ccs_memory_headers[CCS_MAX_MEMORY_STAT] = { | |
374 | + [CCS_MEMORY_POLICY] = "policy:", | |
375 | + [CCS_MEMORY_AUDIT] = "audit log:", | |
376 | + [CCS_MEMORY_QUERY] = "query message:", | |
377 | +}; | |
378 | + | |
379 | +/***** SECTION2: Structure definition *****/ | |
380 | + | |
381 | +struct iattr; | |
382 | + | |
383 | +/* Structure for query. */ | |
384 | +struct ccs_query { | |
385 | + struct list_head list; | |
386 | + struct ccs_domain_info *domain; | |
387 | + char *query; | |
388 | + size_t query_len; | |
389 | + unsigned int serial; | |
390 | + u8 timer; | |
391 | + u8 answer; | |
392 | + u8 retry; | |
393 | +}; | |
394 | + | |
395 | +/* Structure for audit log. */ | |
396 | +struct ccs_log { | |
397 | + struct list_head list; | |
398 | + char *log; | |
399 | + int size; | |
400 | +}; | |
401 | + | |
402 | +/***** SECTION3: Prototype definition section *****/ | |
403 | + | |
404 | +int ccs_audit_log(struct ccs_request_info *r); | |
405 | +struct ccs_domain_info *ccs_assign_domain(const char *domainname, | |
406 | + const bool transit); | |
407 | +u8 ccs_get_config(const u8 profile, const u8 index); | |
408 | +void ccs_transition_failed(const char *domainname); | |
409 | +void ccs_write_log(struct ccs_request_info *r, const char *fmt, ...); | |
410 | + | |
411 | +static bool ccs_correct_domain(const unsigned char *domainname); | |
412 | +static bool ccs_correct_path(const char *filename); | |
413 | +static bool ccs_correct_word(const char *string); | |
414 | +static bool ccs_correct_word2(const char *string, size_t len); | |
415 | +static bool ccs_domain_def(const unsigned char *buffer); | |
416 | +static bool ccs_domain_quota_ok(struct ccs_request_info *r); | |
417 | +static bool ccs_flush(struct ccs_io_buffer *head); | |
418 | +static bool ccs_get_audit(const struct ccs_request_info *r); | |
419 | +static bool ccs_has_more_namespace(struct ccs_io_buffer *head); | |
420 | +static bool ccs_manager(void); | |
421 | +static bool ccs_namespace_jump(const char *domainname); | |
422 | +static bool ccs_parse_argv(char *left, char *right, struct ccs_argv *argv); | |
423 | +static bool ccs_parse_envp(char *left, char *right, struct ccs_envp *envp); | |
424 | +static bool ccs_parse_name_union(struct ccs_acl_param *param, | |
425 | + struct ccs_name_union *ptr); | |
426 | +static bool ccs_parse_name_union_quoted(struct ccs_acl_param *param, | |
427 | + struct ccs_name_union *ptr); | |
428 | +static bool ccs_parse_number_union(struct ccs_acl_param *param, | |
429 | + struct ccs_number_union *ptr); | |
430 | +static bool ccs_permstr(const char *string, const char *keyword); | |
431 | +static bool ccs_print_condition(struct ccs_io_buffer *head, | |
432 | + const struct ccs_condition *cond); | |
433 | +static bool ccs_print_entry(struct ccs_io_buffer *head, | |
434 | + const struct ccs_acl_info *acl); | |
435 | +static bool ccs_print_group(struct ccs_io_buffer *head, | |
436 | + const struct ccs_group *group); | |
437 | +static bool ccs_read_acl(struct ccs_io_buffer *head, struct list_head *list); | |
438 | +static bool ccs_read_group(struct ccs_io_buffer *head, const int idx); | |
439 | +static bool ccs_read_policy(struct ccs_io_buffer *head, const int idx); | |
440 | +static bool ccs_same_condition(const struct ccs_condition *a, | |
441 | + const struct ccs_condition *b); | |
442 | +static bool ccs_select_domain(struct ccs_io_buffer *head, const char *data); | |
443 | +static bool ccs_set_lf(struct ccs_io_buffer *head); | |
444 | +static bool ccs_str_starts(char **src, const char *find); | |
445 | +static char *ccs_get_transit_preference(struct ccs_acl_param *param, | |
446 | + struct ccs_condition *e); | |
447 | +static char *ccs_init_log(struct ccs_request_info *r, int len, const char *fmt, | |
448 | + va_list args); | |
449 | +static char *ccs_print_bprm(struct linux_binprm *bprm, | |
450 | + struct ccs_page_dump *dump); | |
451 | +static char *ccs_print_header(struct ccs_request_info *r); | |
452 | +static char *ccs_read_token(struct ccs_acl_param *param); | |
453 | +static const char *ccs_yesno(const unsigned int value); | |
454 | +static const struct ccs_path_info *ccs_get_domainname | |
455 | +(struct ccs_acl_param *param); | |
456 | +static const struct ccs_path_info *ccs_get_dqword(char *start); | |
457 | +static int __init ccs_init_module(void); | |
458 | +static int ccs_delete_domain(char *domainname); | |
459 | +static int ccs_open(struct inode *inode, struct file *file); | |
460 | +static int ccs_parse_policy(struct ccs_io_buffer *head, char *line); | |
461 | +static int ccs_release(struct inode *inode, struct file *file); | |
462 | +static int ccs_set_mode(char *name, const char *value, | |
463 | + struct ccs_profile *profile); | |
464 | +static int ccs_supervisor(struct ccs_request_info *r, const char *fmt, ...) | |
465 | + __printf(2, 3); | |
466 | +static int ccs_truncate(char *str); | |
467 | +static int ccs_update_acl(const int size, struct ccs_acl_param *param); | |
468 | +static int ccs_update_manager_entry(const char *manager, const bool is_delete); | |
469 | +static int ccs_update_policy(const int size, struct ccs_acl_param *param); | |
470 | +static int ccs_write_acl(struct ccs_policy_namespace *ns, | |
471 | + struct list_head *list, char *data, | |
472 | + const bool is_delete); | |
473 | +static int ccs_write_aggregator(struct ccs_acl_param *param); | |
474 | +static int ccs_write_answer(struct ccs_io_buffer *head); | |
475 | +static int ccs_write_domain(struct ccs_io_buffer *head); | |
476 | +static int ccs_write_exception(struct ccs_io_buffer *head); | |
477 | +static int ccs_write_file(struct ccs_acl_param *param); | |
478 | +static int ccs_write_group(struct ccs_acl_param *param, const u8 type); | |
479 | +static int ccs_write_manager(struct ccs_io_buffer *head); | |
480 | +static int ccs_write_pid(struct ccs_io_buffer *head); | |
481 | +static int ccs_write_profile(struct ccs_io_buffer *head); | |
482 | +static int ccs_write_stat(struct ccs_io_buffer *head); | |
483 | +static int ccs_write_task(struct ccs_acl_param *param); | |
484 | +static int ccs_write_transition_control(struct ccs_acl_param *param, | |
485 | + const u8 type); | |
486 | +static s8 ccs_find_yesno(const char *string, const char *find); | |
487 | +static ssize_t ccs_read(struct file *file, char __user *buf, size_t count, | |
488 | + loff_t *ppos); | |
489 | +static ssize_t ccs_read_self(struct file *file, char __user *buf, size_t count, | |
490 | + loff_t *ppos); | |
491 | +static ssize_t ccs_write(struct file *file, const char __user *buf, | |
492 | + size_t count, loff_t *ppos); | |
493 | +static struct ccs_condition *ccs_commit_condition(struct ccs_condition *entry); | |
494 | +static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param); | |
495 | +static struct ccs_domain_info *ccs_find_domain(const char *domainname); | |
496 | +static struct ccs_domain_info *ccs_find_domain_by_qid(unsigned int serial); | |
497 | +static struct ccs_group *ccs_get_group(struct ccs_acl_param *param, | |
498 | + const u8 idx); | |
499 | +static struct ccs_policy_namespace *ccs_assign_namespace | |
500 | +(const char *domainname); | |
501 | +static struct ccs_policy_namespace *ccs_find_namespace(const char *name, | |
502 | + const unsigned int len); | |
503 | +static struct ccs_profile *ccs_assign_profile(struct ccs_policy_namespace *ns, | |
504 | + const unsigned int profile); | |
505 | +static struct ccs_profile *ccs_profile(const u8 profile); | |
506 | +static u8 ccs_condition_type(const char *word); | |
507 | +static u8 ccs_make_byte(const u8 c1, const u8 c2, const u8 c3); | |
508 | +static u8 ccs_parse_ulong(unsigned long *result, char **str); | |
509 | +static unsigned int ccs_poll(struct file *file, poll_table *wait); | |
510 | +static void __init ccs_create_entry(const char *name, const umode_t mode, | |
511 | + struct proc_dir_entry *parent, | |
512 | + const u8 key); | |
513 | +static void __init ccs_load_builtin_policy(void); | |
514 | +static void __init ccs_policy_io_init(void); | |
515 | +static void __init ccs_proc_init(void); | |
516 | +static void ccs_add_entry(char *header); | |
517 | +static void ccs_addprintf(char *buffer, int len, const char *fmt, ...) | |
518 | + __printf(3, 4); | |
519 | +static void ccs_addprintf(char *buffer, int len, const char *fmt, ...); | |
520 | +static void ccs_check_profile(void); | |
521 | +static void ccs_convert_time(time_t time, struct ccs_time *stamp); | |
522 | +static void ccs_init_policy_namespace(struct ccs_policy_namespace *ns); | |
523 | +static void ccs_io_printf(struct ccs_io_buffer *head, const char *fmt, ...) | |
524 | + __printf(2, 3); | |
525 | +static void ccs_normalize_line(unsigned char *buffer); | |
526 | +static void ccs_print_config(struct ccs_io_buffer *head, const u8 config); | |
527 | +static void ccs_print_name_union(struct ccs_io_buffer *head, | |
528 | + const struct ccs_name_union *ptr); | |
529 | +static void ccs_print_name_union_quoted(struct ccs_io_buffer *head, | |
530 | + const struct ccs_name_union *ptr); | |
531 | +static void ccs_print_namespace(struct ccs_io_buffer *head); | |
532 | +static void ccs_print_number_union(struct ccs_io_buffer *head, | |
533 | + const struct ccs_number_union *ptr); | |
534 | +static void ccs_print_number_union_nospace(struct ccs_io_buffer *head, | |
535 | + const struct ccs_number_union *ptr); | |
536 | +static void ccs_read_domain(struct ccs_io_buffer *head); | |
537 | +static void ccs_read_exception(struct ccs_io_buffer *head); | |
538 | +static void ccs_read_log(struct ccs_io_buffer *head); | |
539 | +static void ccs_read_manager(struct ccs_io_buffer *head); | |
540 | +static void ccs_read_pid(struct ccs_io_buffer *head); | |
541 | +static void ccs_read_profile(struct ccs_io_buffer *head); | |
542 | +static void ccs_read_query(struct ccs_io_buffer *head); | |
543 | +static void ccs_read_stat(struct ccs_io_buffer *head); | |
544 | +static void ccs_read_version(struct ccs_io_buffer *head); | |
545 | +static void ccs_set_group(struct ccs_io_buffer *head, const char *category); | |
546 | +static void ccs_set_namespace_cursor(struct ccs_io_buffer *head); | |
547 | +static void ccs_set_slash(struct ccs_io_buffer *head); | |
548 | +static void ccs_set_space(struct ccs_io_buffer *head); | |
549 | +static void ccs_set_string(struct ccs_io_buffer *head, const char *string); | |
550 | +static void ccs_set_uint(unsigned int *i, const char *string, | |
551 | + const char *find); | |
552 | +static void ccs_update_stat(const u8 index); | |
553 | +static void ccs_update_task_domain(struct ccs_request_info *r); | |
554 | +static void ccs_write_log2(struct ccs_request_info *r, int len, | |
555 | + const char *fmt, va_list args); | |
556 | + | |
557 | +#ifdef CONFIG_CCSECURITY_PORTRESERVE | |
558 | +static bool __ccs_lport_reserved(const u16 port); | |
559 | +static int ccs_write_reserved_port(struct ccs_acl_param *param); | |
560 | +#endif | |
561 | + | |
562 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
563 | +static bool ccs_parse_ipaddr_union(struct ccs_acl_param *param, | |
564 | + struct ccs_ipaddr_union *ptr); | |
565 | +static int ccs_print_ipv4(char *buffer, const unsigned int buffer_len, | |
566 | + const u32 *ip); | |
567 | +static int ccs_print_ipv6(char *buffer, const unsigned int buffer_len, | |
568 | + const struct in6_addr *ip); | |
569 | +static int ccs_write_inet_network(struct ccs_acl_param *param); | |
570 | +static int ccs_write_unix_network(struct ccs_acl_param *param); | |
571 | +static void ccs_print_ip(char *buf, const unsigned int size, | |
572 | + const struct ccs_ipaddr_union *ptr); | |
573 | +#endif | |
574 | + | |
575 | +#ifdef CONFIG_CCSECURITY_CAPABILITY | |
576 | +static int ccs_write_capability(struct ccs_acl_param *param); | |
577 | +#endif | |
578 | + | |
579 | +#ifdef CONFIG_CCSECURITY_MISC | |
580 | +static int ccs_write_misc(struct ccs_acl_param *param); | |
581 | +#endif | |
582 | + | |
583 | +#ifdef CONFIG_CCSECURITY_IPC | |
584 | +static int ccs_write_ipc(struct ccs_acl_param *param); | |
585 | +#endif | |
586 | + | |
587 | +#ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION | |
588 | +static ssize_t ccs_write_self(struct file *file, const char __user *buf, | |
589 | + size_t count, loff_t *ppos); | |
590 | +#endif | |
591 | + | |
592 | +/***** SECTION4: Standalone functions section *****/ | |
593 | + | |
594 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 25) | |
595 | + | |
596 | +/** | |
597 | + * fatal_signal_pending - Check whether SIGKILL is pending or not. | |
598 | + * | |
599 | + * @p: Pointer to "struct task_struct". | |
600 | + * | |
601 | + * Returns true if SIGKILL is pending on @p, false otherwise. | |
602 | + * | |
603 | + * This is for compatibility with older kernels. | |
604 | + */ | |
605 | +#define fatal_signal_pending(p) (signal_pending(p) && \ | |
606 | + sigismember(&p->pending.signal, SIGKILL)) | |
607 | + | |
608 | +#endif | |
609 | + | |
610 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) | |
611 | + | |
612 | +/** | |
613 | + * __wait_event_interruptible_timeout - Sleep until a condition gets true or a timeout elapses. | |
614 | + * | |
615 | + * @wq: The waitqueue to wait on. | |
616 | + * @condition: A C expression for the event to wait for. | |
617 | + * @ret: Timeout, in jiffies. | |
618 | + * | |
619 | + * Returns 0 if the @timeout elapsed, -ERESTARTSYS if it was interrupted by a | |
620 | + * signal, and the remaining jiffies otherwise if the condition evaluated to | |
621 | + * true before the timeout elapsed. | |
622 | + * | |
623 | + * This is for compatibility with older kernels. | |
624 | + */ | |
625 | +#define __wait_event_interruptible_timeout(wq, condition, ret) \ | |
626 | +do { \ | |
627 | + wait_queue_t __wait; \ | |
628 | + init_waitqueue_entry(&__wait, current); \ | |
629 | + \ | |
630 | + add_wait_queue(&wq, &__wait); \ | |
631 | + for (;;) { \ | |
632 | + set_current_state(TASK_INTERRUPTIBLE); \ | |
633 | + if (condition) \ | |
634 | + break; \ | |
635 | + if (!signal_pending(current)) { \ | |
636 | + ret = schedule_timeout(ret); \ | |
637 | + if (!ret) \ | |
638 | + break; \ | |
639 | + continue; \ | |
640 | + } \ | |
641 | + ret = -ERESTARTSYS; \ | |
642 | + break; \ | |
643 | + } \ | |
644 | + current->state = TASK_RUNNING; \ | |
645 | + remove_wait_queue(&wq, &__wait); \ | |
646 | +} while (0) | |
647 | + | |
648 | +/** | |
649 | + * wait_event_interruptible_timeout - Sleep until a condition gets true or a timeout elapses. | |
650 | + * | |
651 | + * @wq: The waitqueue to wait on. | |
652 | + * @condition: A C expression for the event to wait for. | |
653 | + * @timeout: Timeout, in jiffies. | |
654 | + * | |
655 | + * Returns 0 if the @timeout elapsed, -ERESTARTSYS if it was interrupted by a | |
656 | + * signal, and the remaining jiffies otherwise if the condition evaluated to | |
657 | + * true before the timeout elapsed. | |
658 | + * | |
659 | + * This is for compatibility with older kernels. | |
660 | + */ | |
661 | +#define wait_event_interruptible_timeout(wq, condition, timeout) \ | |
662 | +({ \ | |
663 | + long __ret = timeout; \ | |
664 | + if (!(condition)) \ | |
665 | + __wait_event_interruptible_timeout(wq, condition, __ret); \ | |
666 | + __ret; \ | |
667 | +}) | |
668 | + | |
669 | +#endif | |
670 | + | |
671 | +/** | |
672 | + * ccs_convert_time - Convert time_t to YYYY/MM/DD hh/mm/ss. | |
673 | + * | |
674 | + * @time: Seconds since 1970/01/01 00:00:00. | |
675 | + * @stamp: Pointer to "struct ccs_time". | |
676 | + * | |
677 | + * Returns nothing. | |
678 | + * | |
679 | + * This function does not handle Y2038 problem. | |
680 | + */ | |
681 | +static void ccs_convert_time(time_t time, struct ccs_time *stamp) | |
682 | +{ | |
683 | + static const u16 ccs_eom[2][12] = { | |
684 | + { 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365 }, | |
685 | + { 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366 } | |
686 | + }; | |
687 | + u16 y; | |
688 | + u8 m; | |
689 | + bool r; | |
690 | + stamp->sec = time % 60; | |
691 | + time /= 60; | |
692 | + stamp->min = time % 60; | |
693 | + time /= 60; | |
694 | + stamp->hour = time % 24; | |
695 | + time /= 24; | |
696 | + for (y = 1970; ; y++) { | |
697 | + const unsigned short days = (y & 3) ? 365 : 366; | |
698 | + if (time < days) | |
699 | + break; | |
700 | + time -= days; | |
701 | + } | |
702 | + r = (y & 3) == 0; | |
703 | + for (m = 0; m < 11 && time >= ccs_eom[r][m]; m++); | |
704 | + if (m) | |
705 | + time -= ccs_eom[r][m - 1]; | |
706 | + stamp->year = y; | |
707 | + stamp->month = ++m; | |
708 | + stamp->day = ++time; | |
709 | +} | |
710 | + | |
711 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 4, 23) | |
712 | +#if !defined(RHEL_VERSION) || RHEL_VERSION != 3 | |
713 | + | |
714 | +/** | |
715 | + * PDE - Get "struct proc_dir_entry". | |
716 | + * | |
717 | + * @inode: Pointer to "struct inode". | |
718 | + * | |
719 | + * Returns pointer to "struct proc_dir_entry". | |
720 | + * | |
721 | + * This is for compatibility with older kernels. | |
722 | + */ | |
723 | +static inline struct proc_dir_entry *PDE(const struct inode *inode) | |
724 | +{ | |
725 | + return (struct proc_dir_entry *) inode->u.generic_ip; | |
726 | +} | |
727 | + | |
728 | +#endif | |
729 | +#endif | |
730 | + | |
731 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) | |
732 | + | |
733 | +/** | |
734 | + * proc_notify_change - Update inode's attributes and reflect to the dentry. | |
735 | + * | |
736 | + * @dentry: Pointer to "struct dentry". | |
737 | + * @iattr: Pointer to "struct iattr". | |
738 | + * | |
739 | + * Returns 0 on success, negative value otherwise. | |
740 | + * | |
741 | + * The 2.4 kernels don't allow chmod()/chown() for files in /proc, | |
742 | + * while the 2.6 kernels allow. | |
743 | + * To permit management of /proc/ccs/ interface by non-root user, | |
744 | + * I modified to allow chmod()/chown() of /proc/ccs/ interface like 2.6 kernels | |
745 | + * by adding "struct inode_operations"->setattr hook. | |
746 | + */ | |
747 | +static int proc_notify_change(struct dentry *dentry, struct iattr *iattr) | |
748 | +{ | |
749 | + struct inode *inode = dentry->d_inode; | |
750 | + struct proc_dir_entry *de = PDE(inode); | |
751 | + int error; | |
752 | + | |
753 | + error = inode_change_ok(inode, iattr); | |
754 | + if (error) | |
755 | + goto out; | |
756 | + | |
757 | + error = inode_setattr(inode, iattr); | |
758 | + if (error) | |
759 | + goto out; | |
760 | + | |
761 | + de->uid = inode->i_uid; | |
762 | + de->gid = inode->i_gid; | |
763 | + de->mode = inode->i_mode; | |
764 | +out: | |
765 | + return error; | |
766 | +} | |
767 | + | |
768 | +#endif | |
769 | + | |
770 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
771 | + | |
772 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19) && defined(CONFIG_NET) | |
773 | +#define ccs_in4_pton in4_pton | |
774 | +#define ccs_in6_pton in6_pton | |
775 | +#else | |
776 | +/* | |
777 | + * Routines for parsing IPv4 or IPv6 address. | |
778 | + * These are copied from lib/hexdump.c net/core/utils.c . | |
779 | + */ | |
780 | +#include <linux/ctype.h> | |
781 | + | |
782 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 35) | |
783 | +static int hex_to_bin(char ch) | |
784 | +{ | |
785 | + if ((ch >= '0') && (ch <= '9')) | |
786 | + return ch - '0'; | |
787 | + ch = tolower(ch); | |
788 | + if ((ch >= 'a') && (ch <= 'f')) | |
789 | + return ch - 'a' + 10; | |
790 | + return -1; | |
791 | +} | |
792 | +#endif | |
793 | + | |
794 | +#define IN6PTON_XDIGIT 0x00010000 | |
795 | +#define IN6PTON_DIGIT 0x00020000 | |
796 | +#define IN6PTON_COLON_MASK 0x00700000 | |
797 | +#define IN6PTON_COLON_1 0x00100000 /* single : requested */ | |
798 | +#define IN6PTON_COLON_2 0x00200000 /* second : requested */ | |
799 | +#define IN6PTON_COLON_1_2 0x00400000 /* :: requested */ | |
800 | +#define IN6PTON_DOT 0x00800000 /* . */ | |
801 | +#define IN6PTON_DELIM 0x10000000 | |
802 | +#define IN6PTON_NULL 0x20000000 /* first/tail */ | |
803 | +#define IN6PTON_UNKNOWN 0x40000000 | |
804 | + | |
805 | +static inline int xdigit2bin(char c, int delim) | |
806 | +{ | |
807 | + int val; | |
808 | + | |
809 | + if (c == delim || c == '\0') | |
810 | + return IN6PTON_DELIM; | |
811 | + if (c == ':') | |
812 | + return IN6PTON_COLON_MASK; | |
813 | + if (c == '.') | |
814 | + return IN6PTON_DOT; | |
815 | + | |
816 | + val = hex_to_bin(c); | |
817 | + if (val >= 0) | |
818 | + return val | IN6PTON_XDIGIT | (val < 10 ? IN6PTON_DIGIT : 0); | |
819 | + | |
820 | + if (delim == -1) | |
821 | + return IN6PTON_DELIM; | |
822 | + return IN6PTON_UNKNOWN; | |
823 | +} | |
824 | + | |
825 | +static int ccs_in4_pton(const char *src, int srclen, u8 *dst, int delim, | |
826 | + const char **end) | |
827 | +{ | |
828 | + const char *s; | |
829 | + u8 *d; | |
830 | + u8 dbuf[4]; | |
831 | + int ret = 0; | |
832 | + int i; | |
833 | + int w = 0; | |
834 | + | |
835 | + if (srclen < 0) | |
836 | + srclen = strlen(src); | |
837 | + s = src; | |
838 | + d = dbuf; | |
839 | + i = 0; | |
840 | + while (1) { | |
841 | + int c; | |
842 | + c = xdigit2bin(srclen > 0 ? *s : '\0', delim); | |
843 | + if (!(c & (IN6PTON_DIGIT | IN6PTON_DOT | IN6PTON_DELIM | | |
844 | + IN6PTON_COLON_MASK))) | |
845 | + goto out; | |
846 | + if (c & (IN6PTON_DOT | IN6PTON_DELIM | IN6PTON_COLON_MASK)) { | |
847 | + if (w == 0) | |
848 | + goto out; | |
849 | + *d++ = w & 0xff; | |
850 | + w = 0; | |
851 | + i++; | |
852 | + if (c & (IN6PTON_DELIM | IN6PTON_COLON_MASK)) { | |
853 | + if (i != 4) | |
854 | + goto out; | |
855 | + break; | |
856 | + } | |
857 | + goto cont; | |
858 | + } | |
859 | + w = (w * 10) + c; | |
860 | + if ((w & 0xffff) > 255) | |
861 | + goto out; | |
862 | +cont: | |
863 | + if (i >= 4) | |
864 | + goto out; | |
865 | + s++; | |
866 | + srclen--; | |
867 | + } | |
868 | + ret = 1; | |
869 | + memcpy(dst, dbuf, sizeof(dbuf)); | |
870 | +out: | |
871 | + if (end) | |
872 | + *end = s; | |
873 | + return ret; | |
874 | +} | |
875 | + | |
876 | +static int ccs_in6_pton(const char *src, int srclen, u8 *dst, int delim, | |
877 | + const char **end) | |
878 | +{ | |
879 | + const char *s, *tok = NULL; | |
880 | + u8 *d, *dc = NULL; | |
881 | + u8 dbuf[16]; | |
882 | + int ret = 0; | |
883 | + int i; | |
884 | + int state = IN6PTON_COLON_1_2 | IN6PTON_XDIGIT | IN6PTON_NULL; | |
885 | + int w = 0; | |
886 | + | |
887 | + memset(dbuf, 0, sizeof(dbuf)); | |
888 | + | |
889 | + s = src; | |
890 | + d = dbuf; | |
891 | + if (srclen < 0) | |
892 | + srclen = strlen(src); | |
893 | + | |
894 | + while (1) { | |
895 | + int c; | |
896 | + | |
897 | + c = xdigit2bin(srclen > 0 ? *s : '\0', delim); | |
898 | + if (!(c & state)) | |
899 | + goto out; | |
900 | + if (c & (IN6PTON_DELIM | IN6PTON_COLON_MASK)) { | |
901 | + /* process one 16-bit word */ | |
902 | + if (!(state & IN6PTON_NULL)) { | |
903 | + *d++ = (w >> 8) & 0xff; | |
904 | + *d++ = w & 0xff; | |
905 | + } | |
906 | + w = 0; | |
907 | + if (c & IN6PTON_DELIM) { | |
908 | + /* We've processed last word */ | |
909 | + break; | |
910 | + } | |
911 | + /* | |
912 | + * COLON_1 => XDIGIT | |
913 | + * COLON_2 => XDIGIT|DELIM | |
914 | + * COLON_1_2 => COLON_2 | |
915 | + */ | |
916 | + switch (state & IN6PTON_COLON_MASK) { | |
917 | + case IN6PTON_COLON_2: | |
918 | + dc = d; | |
919 | + state = IN6PTON_XDIGIT | IN6PTON_DELIM; | |
920 | + if (dc - dbuf >= sizeof(dbuf)) | |
921 | + state |= IN6PTON_NULL; | |
922 | + break; | |
923 | + case IN6PTON_COLON_1|IN6PTON_COLON_1_2: | |
924 | + state = IN6PTON_XDIGIT | IN6PTON_COLON_2; | |
925 | + break; | |
926 | + case IN6PTON_COLON_1: | |
927 | + state = IN6PTON_XDIGIT; | |
928 | + break; | |
929 | + case IN6PTON_COLON_1_2: | |
930 | + state = IN6PTON_COLON_2; | |
931 | + break; | |
932 | + default: | |
933 | + state = 0; | |
934 | + } | |
935 | + tok = s + 1; | |
936 | + goto cont; | |
937 | + } | |
938 | + | |
939 | + if (c & IN6PTON_DOT) { | |
940 | + ret = ccs_in4_pton(tok ? tok : s, srclen + | |
941 | + (int)(s - tok), d, delim, &s); | |
942 | + if (ret > 0) { | |
943 | + d += 4; | |
944 | + break; | |
945 | + } | |
946 | + goto out; | |
947 | + } | |
948 | + | |
949 | + w = (w << 4) | (0xff & c); | |
950 | + state = IN6PTON_COLON_1 | IN6PTON_DELIM; | |
951 | + if (!(w & 0xf000)) | |
952 | + state |= IN6PTON_XDIGIT; | |
953 | + if (!dc && d + 2 < dbuf + sizeof(dbuf)) { | |
954 | + state |= IN6PTON_COLON_1_2; | |
955 | + state &= ~IN6PTON_DELIM; | |
956 | + } | |
957 | + if (d + 2 >= dbuf + sizeof(dbuf)) | |
958 | + state &= ~(IN6PTON_COLON_1|IN6PTON_COLON_1_2); | |
959 | +cont: | |
960 | + if ((dc && d + 4 < dbuf + sizeof(dbuf)) || | |
961 | + d + 4 == dbuf + sizeof(dbuf)) | |
962 | + state |= IN6PTON_DOT; | |
963 | + if (d >= dbuf + sizeof(dbuf)) | |
964 | + state &= ~(IN6PTON_XDIGIT|IN6PTON_COLON_MASK); | |
965 | + s++; | |
966 | + srclen--; | |
967 | + } | |
968 | + | |
969 | + i = 15; d--; | |
970 | + | |
971 | + if (dc) { | |
972 | + while (d >= dc) | |
973 | + dst[i--] = *d--; | |
974 | + while (i >= dc - dbuf) | |
975 | + dst[i--] = 0; | |
976 | + while (i >= 0) | |
977 | + dst[i--] = *d--; | |
978 | + } else | |
979 | + memcpy(dst, dbuf, sizeof(dbuf)); | |
980 | + | |
981 | + ret = 1; | |
982 | +out: | |
983 | + if (end) | |
984 | + *end = s; | |
985 | + return ret; | |
986 | +} | |
987 | +#endif | |
988 | + | |
989 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 32) | |
990 | + | |
991 | +/* | |
992 | + * Routines for printing IPv4 or IPv6 address. | |
993 | + * These are copied from include/linux/kernel.h include/net/ipv6.h | |
994 | + * include/net/addrconf.h lib/hexdump.c lib/vsprintf.c and simplified. | |
995 | + */ | |
996 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 26) | |
997 | +#if !defined(RHEL_MAJOR) || RHEL_MAJOR != 5 || !defined(RHEL_MINOR) || RHEL_MINOR < 9 | |
998 | +static const char hex_asc[] = "0123456789abcdef"; | |
999 | +#define hex_asc_lo(x) hex_asc[((x) & 0x0f)] | |
1000 | +#define hex_asc_hi(x) hex_asc[((x) & 0xf0) >> 4] | |
1001 | + | |
1002 | +static inline char *pack_hex_byte(char *buf, u8 byte) | |
1003 | +{ | |
1004 | + *buf++ = hex_asc_hi(byte); | |
1005 | + *buf++ = hex_asc_lo(byte); | |
1006 | + return buf; | |
1007 | +} | |
1008 | +#endif | |
1009 | +#endif | |
1010 | + | |
1011 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 24) | |
1012 | +static inline int ipv6_addr_v4mapped(const struct in6_addr *a) | |
1013 | +{ | |
1014 | + return (a->s6_addr32[0] | a->s6_addr32[1] | | |
1015 | + (a->s6_addr32[2] ^ htonl(0x0000ffff))) == 0; | |
1016 | +} | |
1017 | +#endif | |
1018 | + | |
1019 | +static inline int ipv6_addr_is_isatap(const struct in6_addr *addr) | |
1020 | +{ | |
1021 | + return (addr->s6_addr32[2] | htonl(0x02000000)) == htonl(0x02005EFE); | |
1022 | +} | |
1023 | + | |
1024 | +static char *ip4_string(char *p, const u8 *addr) | |
1025 | +{ | |
1026 | + /* | |
1027 | + * Since this function is called outside vsnprintf(), I can use | |
1028 | + * sprintf() here. | |
1029 | + */ | |
1030 | + return p + | |
1031 | + sprintf(p, "%u.%u.%u.%u", addr[0], addr[1], addr[2], addr[3]); | |
1032 | +} | |
1033 | + | |
1034 | +static char *ip6_compressed_string(char *p, const char *addr) | |
1035 | +{ | |
1036 | + int i, j, range; | |
1037 | + unsigned char zerolength[8]; | |
1038 | + int longest = 1; | |
1039 | + int colonpos = -1; | |
1040 | + u16 word; | |
1041 | + u8 hi, lo; | |
1042 | + bool needcolon = false; | |
1043 | + bool useIPv4; | |
1044 | + struct in6_addr in6; | |
1045 | + | |
1046 | + memcpy(&in6, addr, sizeof(struct in6_addr)); | |
1047 | + | |
1048 | + useIPv4 = ipv6_addr_v4mapped(&in6) || ipv6_addr_is_isatap(&in6); | |
1049 | + | |
1050 | + memset(zerolength, 0, sizeof(zerolength)); | |
1051 | + | |
1052 | + if (useIPv4) | |
1053 | + range = 6; | |
1054 | + else | |
1055 | + range = 8; | |
1056 | + | |
1057 | + /* find position of longest 0 run */ | |
1058 | + for (i = 0; i < range; i++) { | |
1059 | + for (j = i; j < range; j++) { | |
1060 | + if (in6.s6_addr16[j] != 0) | |
1061 | + break; | |
1062 | + zerolength[i]++; | |
1063 | + } | |
1064 | + } | |
1065 | + for (i = 0; i < range; i++) { | |
1066 | + if (zerolength[i] > longest) { | |
1067 | + longest = zerolength[i]; | |
1068 | + colonpos = i; | |
1069 | + } | |
1070 | + } | |
1071 | + if (longest == 1) /* don't compress a single 0 */ | |
1072 | + colonpos = -1; | |
1073 | + | |
1074 | + /* emit address */ | |
1075 | + for (i = 0; i < range; i++) { | |
1076 | + if (i == colonpos) { | |
1077 | + if (needcolon || i == 0) | |
1078 | + *p++ = ':'; | |
1079 | + *p++ = ':'; | |
1080 | + needcolon = false; | |
1081 | + i += longest - 1; | |
1082 | + continue; | |
1083 | + } | |
1084 | + if (needcolon) { | |
1085 | + *p++ = ':'; | |
1086 | + needcolon = false; | |
1087 | + } | |
1088 | + /* hex u16 without leading 0s */ | |
1089 | + word = ntohs(in6.s6_addr16[i]); | |
1090 | + hi = word >> 8; | |
1091 | + lo = word & 0xff; | |
1092 | + if (hi) { | |
1093 | + if (hi > 0x0f) | |
1094 | + p = pack_hex_byte(p, hi); | |
1095 | + else | |
1096 | + *p++ = hex_asc_lo(hi); | |
1097 | + p = pack_hex_byte(p, lo); | |
1098 | + } else if (lo > 0x0f) | |
1099 | + p = pack_hex_byte(p, lo); | |
1100 | + else | |
1101 | + *p++ = hex_asc_lo(lo); | |
1102 | + needcolon = true; | |
1103 | + } | |
1104 | + | |
1105 | + if (useIPv4) { | |
1106 | + if (needcolon) | |
1107 | + *p++ = ':'; | |
1108 | + p = ip4_string(p, &in6.s6_addr[12]); | |
1109 | + } | |
1110 | + *p = '\0'; | |
1111 | + | |
1112 | + return p; | |
1113 | +} | |
1114 | +#endif | |
1115 | + | |
1116 | +/** | |
1117 | + * ccs_print_ipv4 - Print an IPv4 address. | |
1118 | + * | |
1119 | + * @buffer: Buffer to write to. | |
1120 | + * @buffer_len: Size of @buffer. | |
1121 | + * @ip: Pointer to "u32 in network byte order". | |
1122 | + * | |
1123 | + * Returns written length. | |
1124 | + */ | |
1125 | +static int ccs_print_ipv4(char *buffer, const unsigned int buffer_len, | |
1126 | + const u32 *ip) | |
1127 | +{ | |
1128 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32) | |
1129 | + return snprintf(buffer, buffer_len, "%pI4", ip); | |
1130 | +#else | |
1131 | + char addr[sizeof("255.255.255.255")]; | |
1132 | + ip4_string(addr, (const u8 *) ip); | |
1133 | + return snprintf(buffer, buffer_len, "%s", addr); | |
1134 | +#endif | |
1135 | +} | |
1136 | + | |
1137 | +/** | |
1138 | + * ccs_print_ipv6 - Print an IPv6 address. | |
1139 | + * | |
1140 | + * @buffer: Buffer to write to. | |
1141 | + * @buffer_len: Size of @buffer. | |
1142 | + * @ip: Pointer to "struct in6_addr". | |
1143 | + * | |
1144 | + * Returns written length. | |
1145 | + */ | |
1146 | +static int ccs_print_ipv6(char *buffer, const unsigned int buffer_len, | |
1147 | + const struct in6_addr *ip) | |
1148 | +{ | |
1149 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32) | |
1150 | + return snprintf(buffer, buffer_len, "%pI6c", ip); | |
1151 | +#else | |
1152 | + char addr[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")]; | |
1153 | + ip6_compressed_string(addr, (const u8 *) ip); | |
1154 | + return snprintf(buffer, buffer_len, "%s", addr); | |
1155 | +#endif | |
1156 | +} | |
1157 | + | |
1158 | +/** | |
1159 | + * ccs_print_ip - Print an IP address. | |
1160 | + * | |
1161 | + * @buf: Buffer to write to. | |
1162 | + * @size: Size of @buf. | |
1163 | + * @ptr: Pointer to "struct ipaddr_union". | |
1164 | + * | |
1165 | + * Returns nothing. | |
1166 | + */ | |
1167 | +static void ccs_print_ip(char *buf, const unsigned int size, | |
1168 | + const struct ccs_ipaddr_union *ptr) | |
1169 | +{ | |
1170 | + int len; | |
1171 | + if (ptr->is_ipv6) | |
1172 | + len = ccs_print_ipv6(buf, size, &ptr->ip[0]); | |
1173 | + else | |
1174 | + len = ccs_print_ipv4(buf, size, &ptr->ip[0].s6_addr32[0]); | |
1175 | + if (!memcmp(&ptr->ip[0], &ptr->ip[1], 16) || len >= size / 2) | |
1176 | + return; | |
1177 | + buf[len++] = '-'; | |
1178 | + if (ptr->is_ipv6) | |
1179 | + ccs_print_ipv6(buf + len, size - len, &ptr->ip[1]); | |
1180 | + else | |
1181 | + ccs_print_ipv4(buf + len, size - len, | |
1182 | + &ptr->ip[1].s6_addr32[0]); | |
1183 | +} | |
1184 | + | |
1185 | +#endif | |
1186 | + | |
1187 | +/***** SECTION5: Variables definition section *****/ | |
1188 | + | |
1189 | +/* Permit policy management by non-root user? */ | |
1190 | +static bool ccs_manage_by_non_root; | |
1191 | + | |
1192 | +/* Lock for protecting policy. */ | |
1193 | +DEFINE_MUTEX(ccs_policy_lock); | |
1194 | + | |
1195 | +/* Has /sbin/init started? */ | |
1196 | +bool ccs_policy_loaded; | |
1197 | + | |
1198 | +/* List of namespaces. */ | |
1199 | +LIST_HEAD(ccs_namespace_list); | |
1200 | +/* True if namespace other than ccs_kernel_namespace is defined. */ | |
1201 | +static bool ccs_namespace_enabled; | |
1202 | + | |
1203 | +/* Initial namespace.*/ | |
1204 | +static struct ccs_policy_namespace ccs_kernel_namespace; | |
1205 | + | |
1206 | +/* List of "struct ccs_condition". */ | |
1207 | +LIST_HEAD(ccs_condition_list); | |
1208 | + | |
1209 | +#ifdef CONFIG_CCSECURITY_PORTRESERVE | |
1210 | +/* Bitmap for reserved local port numbers.*/ | |
1211 | +static u8 ccs_reserved_port_map[8192]; | |
1212 | +#endif | |
1213 | + | |
1214 | +/* Wait queue for kernel -> userspace notification. */ | |
1215 | +static DECLARE_WAIT_QUEUE_HEAD(ccs_query_wait); | |
1216 | +/* Wait queue for userspace -> kernel notification. */ | |
1217 | +static DECLARE_WAIT_QUEUE_HEAD(ccs_answer_wait); | |
1218 | + | |
1219 | +/* The list for "struct ccs_query". */ | |
1220 | +static LIST_HEAD(ccs_query_list); | |
1221 | + | |
1222 | +/* Lock for manipulating ccs_query_list. */ | |
1223 | +static DEFINE_SPINLOCK(ccs_query_list_lock); | |
1224 | + | |
1225 | +/* Number of "struct file" referring /proc/ccs/query interface. */ | |
1226 | +static atomic_t ccs_query_observers = ATOMIC_INIT(0); | |
1227 | + | |
1228 | +/* Wait queue for /proc/ccs/audit. */ | |
1229 | +static DECLARE_WAIT_QUEUE_HEAD(ccs_log_wait); | |
1230 | + | |
1231 | +/* The list for "struct ccs_log". */ | |
1232 | +static LIST_HEAD(ccs_log); | |
1233 | + | |
1234 | +/* Lock for "struct list_head ccs_log". */ | |
1235 | +static DEFINE_SPINLOCK(ccs_log_lock); | |
1236 | + | |
1237 | +/* Length of "stuct list_head ccs_log". */ | |
1238 | +static unsigned int ccs_log_count; | |
1239 | + | |
1240 | +/* Timestamp counter for last updated. */ | |
1241 | +static unsigned int ccs_stat_updated[CCS_MAX_POLICY_STAT]; | |
1242 | + | |
1243 | +/* Counter for number of updates. */ | |
1244 | +static unsigned int ccs_stat_modified[CCS_MAX_POLICY_STAT]; | |
1245 | + | |
1246 | +/* Operations for /proc/ccs/self_domain interface. */ | |
1247 | +static | |
1248 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 17) | |
1249 | +const | |
1250 | +#endif | |
1251 | +struct file_operations ccs_self_operations = { | |
1252 | +#ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION | |
1253 | + .write = ccs_write_self, | |
1254 | +#endif | |
1255 | + .read = ccs_read_self, | |
1256 | +}; | |
1257 | + | |
1258 | +/* Operations for /proc/ccs/ interface. */ | |
1259 | +static | |
1260 | +#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 17) | |
1261 | +const | |
1262 | +#endif | |
1263 | +struct file_operations ccs_operations = { | |
1264 | + .open = ccs_open, | |
1265 | + .release = ccs_release, | |
1266 | + .poll = ccs_poll, | |
1267 | + .read = ccs_read, | |
1268 | + .write = ccs_write, | |
1269 | +}; | |
1270 | + | |
1271 | +#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) | |
1272 | + | |
1273 | +/* The inode operations for /proc/ccs/ directory. */ | |
1274 | +static struct inode_operations ccs_dir_inode_operations; | |
1275 | + | |
1276 | +/* The inode operations for files under /proc/ccs/ directory. */ | |
1277 | +static struct inode_operations ccs_file_inode_operations; | |
1278 | + | |
1279 | +#endif | |
1280 | + | |
1281 | +/***** SECTION6: Dependent functions section *****/ | |
1282 | + | |
1283 | +/** | |
1284 | + * list_for_each_cookie - iterate over a list with cookie. | |
1285 | + * | |
1286 | + * @pos: Pointer to "struct list_head". | |
1287 | + * @head: Pointer to "struct list_head". | |
1288 | + */ | |
1289 | +#define list_for_each_cookie(pos, head) \ | |
1290 | + for (pos = pos ? pos : srcu_dereference((head)->next, &ccs_ss); \ | |
1291 | + pos != (head); pos = srcu_dereference(pos->next, &ccs_ss)) | |
1292 | + | |
1293 | +/** | |
1294 | + * ccs_read_token - Read a word from a line. | |
1295 | + * | |
1296 | + * @param: Pointer to "struct ccs_acl_param". | |
1297 | + * | |
1298 | + * Returns a word on success, "" otherwise. | |
1299 | + * | |
1300 | + * To allow the caller to skip NULL check, this function returns "" rather than | |
1301 | + * NULL if there is no more words to read. | |
1302 | + */ | |
1303 | +static char *ccs_read_token(struct ccs_acl_param *param) | |
1304 | +{ | |
1305 | + char *pos = param->data; | |
1306 | + char *del = strchr(pos, ' '); | |
1307 | + if (del) | |
1308 | + *del++ = '\0'; | |
1309 | + else | |
1310 | + del = pos + strlen(pos); | |
1311 | + param->data = del; | |
1312 | + return pos; | |
1313 | +} | |
1314 | + | |
1315 | +/** | |
1316 | + * ccs_make_byte - Make byte value from three octal characters. | |
1317 | + * | |
1318 | + * @c1: The first character. | |
1319 | + * @c2: The second character. | |
1320 | + * @c3: The third character. | |
1321 | + * | |
1322 | + * Returns byte value. | |
1323 | + */ | |
1324 | +static u8 ccs_make_byte(const u8 c1, const u8 c2, const u8 c3) | |
1325 | +{ | |
1326 | + return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0'); | |
1327 | +} | |
1328 | + | |
1329 | +/** | |
1330 | + * ccs_correct_word2 - Check whether the given string follows the naming rules. | |
1331 | + * | |
1332 | + * @string: The byte sequence to check. Not '\0'-terminated. | |
1333 | + * @len: Length of @string. | |
1334 | + * | |
1335 | + * Returns true if @string follows the naming rules, false otherwise. | |
1336 | + */ | |
1337 | +static bool ccs_correct_word2(const char *string, size_t len) | |
1338 | +{ | |
1339 | + u8 recursion = 20; | |
1340 | + const char *const start = string; | |
1341 | + bool in_repetition = false; | |
1342 | + if (!len) | |
1343 | + goto out; | |
1344 | + while (len--) { | |
1345 | + unsigned char c = *string++; | |
1346 | + if (c == '\\') { | |
1347 | + if (!len--) | |
1348 | + goto out; | |
1349 | + c = *string++; | |
1350 | + if (c >= '0' && c <= '3') { | |
1351 | + unsigned char d; | |
1352 | + unsigned char e; | |
1353 | + if (!len-- || !len--) | |
1354 | + goto out; | |
1355 | + d = *string++; | |
1356 | + e = *string++; | |
1357 | + if (d < '0' || d > '7' || e < '0' || e > '7') | |
1358 | + goto out; | |
1359 | + c = ccs_make_byte(c, d, e); | |
1360 | + if (c <= ' ' || c >= 127) | |
1361 | + continue; | |
1362 | + goto out; | |
1363 | + } | |
1364 | + switch (c) { | |
1365 | + case '\\': /* "\\" */ | |
1366 | + case '+': /* "\+" */ | |
1367 | + case '?': /* "\?" */ | |
1368 | + case 'x': /* "\x" */ | |
1369 | + case 'a': /* "\a" */ | |
1370 | + case '-': /* "\-" */ | |
1371 | + continue; | |
1372 | + } | |
1373 | + if (!recursion--) | |
1374 | + goto out; | |
1375 | + switch (c) { | |
1376 | + case '*': /* "\*" */ | |
1377 | + case '@': /* "\@" */ | |
1378 | + case '$': /* "\$" */ | |
1379 | + case 'X': /* "\X" */ | |
1380 | + case 'A': /* "\A" */ | |
1381 | + continue; | |
1382 | + case '{': /* "/\{" */ | |
1383 | + if (string - 3 < start || *(string - 3) != '/') | |
1384 | + goto out; | |
1385 | + in_repetition = true; | |
1386 | + continue; | |
1387 | + case '}': /* "\}/" */ | |
1388 | + if (*string != '/') | |
1389 | + goto out; | |
1390 | + if (!in_repetition) | |
1391 | + goto out; | |
1392 | + in_repetition = false; | |
1393 | + continue; | |
1394 | + } | |
1395 | + goto out; | |
1396 | + } else if (in_repetition && c == '/') { | |
1397 | + goto out; | |
1398 | + } else if (c <= ' ' || c >= 127) { | |
1399 | + goto out; | |
1400 | + } | |
1401 | + } | |
1402 | + if (in_repetition) | |
1403 | + goto out; | |
1404 | + return true; | |
1405 | +out: | |
1406 | + return false; | |
1407 | +} | |
1408 | + | |
1409 | +/** | |
1410 | + * ccs_correct_word - Check whether the given string follows the naming rules. | |
1411 | + * | |
1412 | + * @string: The string to check. | |
1413 | + * | |
1414 | + * Returns true if @string follows the naming rules, false otherwise. | |
1415 | + */ | |
1416 | +static bool ccs_correct_word(const char *string) | |
1417 | +{ | |
1418 | + return ccs_correct_word2(string, strlen(string)); | |
1419 | +} | |
1420 | + | |
1421 | +/** | |
1422 | + * ccs_get_group - Allocate memory for "struct ccs_path_group"/"struct ccs_number_group"/"struct ccs_address_group". | |
1423 | + * | |
1424 | + * @param: Pointer to "struct ccs_acl_param". | |
1425 | + * @idx: Index number. | |
1426 | + * | |
1427 | + * Returns pointer to "struct ccs_group" on success, NULL otherwise. | |
1428 | + */ | |
1429 | +static struct ccs_group *ccs_get_group(struct ccs_acl_param *param, | |
1430 | + const u8 idx) | |
1431 | +{ | |
1432 | + struct ccs_group e = { }; | |
1433 | + struct ccs_group *group = NULL; | |
1434 | + struct list_head *list; | |
1435 | + const char *group_name = ccs_read_token(param); | |
1436 | + bool found = false; | |
1437 | + if (!ccs_correct_word(group_name) || idx >= CCS_MAX_GROUP) | |
1438 | + return NULL; | |
1439 | + e.group_name = ccs_get_name(group_name); | |
1440 | + if (!e.group_name) | |
1441 | + return NULL; | |
1442 | + if (mutex_lock_interruptible(&ccs_policy_lock)) | |
1443 | + goto out; | |
1444 | + list = ¶m->ns->group_list[idx]; | |
1445 | + list_for_each_entry(group, list, head.list) { | |
1446 | + if (e.group_name != group->group_name || | |
1447 | + atomic_read(&group->head.users) == CCS_GC_IN_PROGRESS) | |
1448 | + continue; | |
1449 | + atomic_inc(&group->head.users); | |
1450 | + found = true; | |
1451 | + break; | |
1452 | + } | |
1453 | + if (!found) { | |
1454 | + struct ccs_group *entry = ccs_commit_ok(&e, sizeof(e)); | |
1455 | + if (entry) { | |
1456 | + INIT_LIST_HEAD(&entry->member_list); | |
1457 | + atomic_set(&entry->head.users, 1); | |
1458 | + list_add_tail_rcu(&entry->head.list, list); | |
1459 | + group = entry; | |
1460 | + found = true; | |
1461 | + } | |
1462 | + } | |
1463 | + mutex_unlock(&ccs_policy_lock); | |
1464 | +out: | |
1465 | + ccs_put_name(e.group_name); | |
1466 | + return found ? group : NULL; | |
1467 | +} | |
1468 | + | |
1469 | +/** | |
1470 | + * ccs_parse_name_union - Parse a ccs_name_union. | |
1471 | + * | |
1472 | + * @param: Pointer to "struct ccs_acl_param". | |
1473 | + * @ptr: Pointer to "struct ccs_name_union". | |
1474 | + * | |
1475 | + * Returns true on success, false otherwise. | |
1476 | + */ | |
1477 | +static bool ccs_parse_name_union(struct ccs_acl_param *param, | |
1478 | + struct ccs_name_union *ptr) | |
1479 | +{ | |
1480 | + char *filename; | |
1481 | + if (param->data[0] == '@') { | |
1482 | + param->data++; | |
1483 | + ptr->group = ccs_get_group(param, CCS_PATH_GROUP); | |
1484 | + return ptr->group != NULL; | |
1485 | + } | |
1486 | + filename = ccs_read_token(param); | |
1487 | + if (!ccs_correct_word(filename)) | |
1488 | + return false; | |
1489 | + ptr->filename = ccs_get_name(filename); | |
1490 | + return ptr->filename != NULL; | |
1491 | +} | |
1492 | + | |
1493 | +/** | |
1494 | + * ccs_parse_ulong - Parse an "unsigned long" value. | |
1495 | + * | |
1496 | + * @result: Pointer to "unsigned long". | |
1497 | + * @str: Pointer to string to parse. | |
1498 | + * | |
1499 | + * Returns one of values in "enum ccs_value_type". | |
1500 | + * | |
1501 | + * The @src is updated to point the first character after the value | |
1502 | + * on success. | |
1503 | + */ | |
1504 | +static u8 ccs_parse_ulong(unsigned long *result, char **str) | |
1505 | +{ | |
1506 | + const char *cp = *str; | |
1507 | + char *ep; | |
1508 | + int base = 10; | |
1509 | + if (*cp == '0') { | |
1510 | + char c = *(cp + 1); | |
1511 | + if (c == 'x' || c == 'X') { | |
1512 | + base = 16; | |
1513 | + cp += 2; | |
1514 | + } else if (c >= '0' && c <= '7') { | |
1515 | + base = 8; | |
1516 | + cp++; | |
1517 | + } | |
1518 | + } | |
1519 | + *result = simple_strtoul(cp, &ep, base); | |
1520 | + if (cp == ep) | |
1521 | + return CCS_VALUE_TYPE_INVALID; | |
1522 | + *str = ep; | |
1523 | + switch (base) { | |
1524 | + case 16: | |
1525 | + return CCS_VALUE_TYPE_HEXADECIMAL; | |
1526 | + case 8: | |
1527 | + return CCS_VALUE_TYPE_OCTAL; | |
1528 | + default: | |
1529 | + return CCS_VALUE_TYPE_DECIMAL; | |
1530 | + } | |
1531 | +} | |
1532 | + | |
1533 | +/** | |
1534 | + * ccs_parse_number_union - Parse a ccs_number_union. | |
1535 | + * | |
1536 | + * @param: Pointer to "struct ccs_acl_param". | |
1537 | + * @ptr: Pointer to "struct ccs_number_union". | |
1538 | + * | |
1539 | + * Returns true on success, false otherwise. | |
1540 | + */ | |
1541 | +static bool ccs_parse_number_union(struct ccs_acl_param *param, | |
1542 | + struct ccs_number_union *ptr) | |
1543 | +{ | |
1544 | + char *data; | |
1545 | + u8 type; | |
1546 | + unsigned long v; | |
1547 | + memset(ptr, 0, sizeof(*ptr)); | |
1548 | + if (param->data[0] == '@') { | |
1549 | + param->data++; | |
1550 | + ptr->group = ccs_get_group(param, CCS_NUMBER_GROUP); | |
1551 | + return ptr->group != NULL; | |
1552 | + } | |
1553 | + data = ccs_read_token(param); | |
1554 | + type = ccs_parse_ulong(&v, &data); | |
1555 | + if (type == CCS_VALUE_TYPE_INVALID) | |
1556 | + return false; | |
1557 | + ptr->values[0] = v; | |
1558 | + ptr->value_type[0] = type; | |
1559 | + if (!*data) { | |
1560 | + ptr->values[1] = v; | |
1561 | + ptr->value_type[1] = type; | |
1562 | + return true; | |
1563 | + } | |
1564 | + if (*data++ != '-') | |
1565 | + return false; | |
1566 | + type = ccs_parse_ulong(&v, &data); | |
1567 | + if (type == CCS_VALUE_TYPE_INVALID || *data || ptr->values[0] > v) | |
1568 | + return false; | |
1569 | + ptr->values[1] = v; | |
1570 | + ptr->value_type[1] = type; | |
1571 | + return true; | |
1572 | +} | |
1573 | + | |
1574 | +#ifdef CONFIG_CCSECURITY_NETWORK | |
1575 | + | |
1576 | +/** | |
1577 | + * ccs_parse_ipaddr_union - Parse an IP address. | |
1578 | + * | |
1579 | + * @param: Pointer to "struct ccs_acl_param". | |
1580 | + * @ptr: Pointer to "struct ccs_ipaddr_union". | |
1581 | + * | |
1582 | + * Returns true on success, false otherwise. | |
1583 | + */ | |
1584 | +static bool ccs_parse_ipaddr_union(struct ccs_acl_param *param, | |
1585 | + struct ccs_ipaddr_union *ptr) | |
1586 | +{ | |
1587 | + u8 * const min = ptr->ip[0].in6_u.u6_addr8; | |
1588 | + u8 * const max = ptr->ip[1].in6_u.u6_addr8; | |
1589 | + char *address = ccs_read_token(param); | |
1590 | + const char *end; | |
1591 | + if (!strchr(address, ':') && | |
1592 | + ccs_in4_pton(address, -1, min, '-', &end) > 0) { | |
1593 | + ptr->is_ipv6 = false; | |
1594 | + if (!*end) | |
1595 | + ptr->ip[1].s6_addr32[0] = ptr->ip[0].s6_addr32[0]; | |
1596 | + else if (*end++ != '-' || | |
1597 | + ccs_in4_pton(end, -1, max, '\0', &end) <= 0 || *end) | |
1598 | + return false; | |
1599 | + return true; | |
1600 | + } | |
1601 | + if (ccs_in6_pton(address, -1, min, '-', &end) > 0) { | |
1602 | + ptr->is_ipv6 = true; | |
1603 | + if (!*end) | |
1604 | + memmove(max, min, sizeof(u16) * 8); | |
1605 | + else if (*end++ != '-' || | |
1606 | + ccs_in6_pton(end, -1, max, '\0', &end) <= 0 || *end) | |
1607 | + return false; | |
1608 | + return true; | |
1609 | + } | |
1610 | + return false; | |
1611 | +} | |
1612 | + | |
1613 | +#endif | |
1614 | + | |
1615 | +/** | |
1616 | + * ccs_get_dqword - ccs_get_name() for a quoted string. | |
1617 | + * | |
1618 | + * @start: String to save. | |
1619 | + * | |
1620 | + * Returns pointer to "struct ccs_path_info" on success, NULL otherwise. | |
1621 | + */ | |
1622 | +static const struct ccs_path_info *ccs_get_dqword(char *start) | |
1623 | +{ | |
1624 | + char *cp = start + strlen(start) - 1; | |
1625 | + if (cp == start || *start++ != '"' || *cp != '"') | |
1626 | + return NULL; | |
1627 | + *cp = '\0'; | |
1628 | + if (*start && !ccs_correct_word(start)) | |
1629 | + return NULL; | |
1630 | + return ccs_get_name(start); | |
1631 | +} | |
1632 | + | |
1633 | +/** | |
1634 | + * ccs_parse_name_union_quoted - Parse a quoted word. | |
1635 | + * | |
1636 | + * @param: Pointer to "struct ccs_acl_param". | |
1637 | + * @ptr: Pointer to "struct ccs_name_union". | |
1638 | + * | |
1639 | + * Returns true on success, false otherwise. | |
1640 | + */ | |
1641 | +static bool ccs_parse_name_union_quoted(struct ccs_acl_param *param, | |
1642 | + struct ccs_name_union *ptr) | |
1643 | +{ | |
1644 | + char *filename = param->data; | |
1645 | + if (*filename == '@') | |
1646 | + return ccs_parse_name_union(param, ptr); | |
1647 | + ptr->filename = ccs_get_dqword(filename); | |
1648 | + return ptr->filename != NULL; | |
1649 | +} | |
1650 | + | |
1651 | +/** | |
1652 | + * ccs_parse_argv - Parse an argv[] condition part. | |
1653 | + * | |
1654 | + * @left: Lefthand value. | |
1655 | + * @right: Righthand value. | |
1656 | + * @argv: Pointer to "struct ccs_argv". | |
1657 | + * | |
1658 | + * Returns true on success, false otherwise. | |
1659 | + */ | |
1660 | +static bool ccs_parse_argv(char *left, char *right, struct ccs_argv *argv) | |
1661 | +{ | |
1662 | + if (ccs_parse_ulong(&argv->index, &left) != CCS_VALUE_TYPE_DECIMAL || | |
1663 | + *left++ != ']' || *left) | |
1664 | + return false; | |
1665 | + argv->value = ccs_get_dqword(right); | |
1666 | + return argv->value != NULL; | |
1667 | +} | |
1668 | + | |
1669 | +/** | |
1670 | + * ccs_parse_envp - Parse an envp[] condition part. | |
1671 | + * | |
1672 | + * @left: Lefthand value. | |
1673 | + * @right: Righthand value. | |
1674 | + * @envp: Pointer to "struct ccs_envp". | |
1675 | + * | |
1676 | + * Returns true on success, false otherwise. | |
1677 | + */ | |
1678 | +static bool ccs_parse_envp(char *left, char *right, struct ccs_envp *envp) | |
1679 | +{ | |
1680 | + const struct ccs_path_info *name; | |
1681 | + const struct ccs_path_info *value; | |
1682 | + char *cp = left + strlen(left) - 1; | |
1683 | + if (*cp-- != ']' || *cp != '"') | |
1684 | + goto out; | |
1685 | + *cp = '\0'; | |
1686 | + if (!ccs_correct_word(left)) | |
1687 | + goto out; | |
1688 | + name = ccs_get_name(left); | |
1689 | + if (!name) | |
1690 | + goto out; | |
1691 | + if (!strcmp(right, "NULL")) { | |
1692 | + value = NULL; | |
1693 | + } else { | |
1694 | + value = ccs_get_dqword(right); | |
1695 | + if (!value) { | |
1696 | + ccs_put_name(name); | |
1697 | + goto out; | |
1698 | + } | |
1699 | + } | |
1700 | + envp->name = name; | |
1701 | + envp->value = value; | |
1702 | + return true; | |
1703 | +out: | |
1704 | + return false; | |
1705 | +} | |
1706 | + | |
1707 | +/** | |
1708 | + * ccs_same_condition - Check for duplicated "struct ccs_condition" entry. | |
1709 | + * | |
1710 | + * @a: Pointer to "struct ccs_condition". | |
1711 | + * @b: Pointer to "struct ccs_condition". | |
1712 | + * | |
1713 | + * Returns true if @a == @b, false otherwise. | |
1714 | + */ | |
1715 | +static bool ccs_same_condition(const struct ccs_condition *a, | |
1716 | + const struct ccs_condition *b) | |
1717 | +{ | |
1718 | + return a->size == b->size && a->condc == b->condc && | |
1719 | + a->numbers_count == b->numbers_count && | |
1720 | + a->names_count == b->names_count && | |
1721 | + a->argc == b->argc && a->envc == b->envc && | |
1722 | + a->grant_log == b->grant_log && | |
1723 | + a->exec_transit == b->exec_transit && a->transit == b->transit | |
1724 | + && !memcmp(a + 1, b + 1, a->size - sizeof(*a)); | |
1725 | +} | |
1726 | + | |
1727 | +/** | |
1728 | + * ccs_condition_type - Get condition type. | |
1729 | + * | |
1730 | + * @word: Keyword string. | |
1731 | + * | |
1732 | + * Returns one of values in "enum ccs_conditions_index" on success, | |
1733 | + * CCS_MAX_CONDITION_KEYWORD otherwise. | |
1734 | + */ | |
1735 | +static u8 ccs_condition_type(const char *word) | |
1736 | +{ | |
1737 | + u8 i; | |
1738 | + for (i = 0; i < CCS_MAX_CONDITION_KEYWORD; i++) { | |
1739 | + if (!strcmp(word, ccs_condition_keyword[i])) | |
1740 | + break; | |
1741 | + } | |
1742 | + return i; | |
1743 | +} | |
1744 | + | |
1745 | +/** | |
1746 | + * ccs_commit_condition - Commit "struct ccs_condition". | |
1747 | + * | |
1748 | + * @entry: Pointer to "struct ccs_condition". | |
1749 | + * | |
1750 | + * Returns pointer to "struct ccs_condition" on success, NULL otherwise. | |
1751 | + * | |
1752 | + * This function merges duplicated entries. This function returns NULL if | |
1753 | + * @entry is not duplicated but memory quota for policy has exceeded. | |
1754 | + */ | |
1755 | +static struct ccs_condition *ccs_commit_condition(struct ccs_condition *entry) | |
1756 | +{ | |
1757 | + struct ccs_condition *ptr; | |
1758 | + bool found = false; | |
1759 | + if (mutex_lock_interruptible(&ccs_policy_lock)) { | |
1760 | + dprintk(KERN_WARNING "%u: %s failed\n", __LINE__, __func__); | |
1761 | + ptr = NULL; | |
1762 | + found = true; | |
1763 | + goto out; | |
1764 | + } | |
1765 | + list_for_each_entry(ptr, &ccs_condition_list, head.list) { | |
1766 | + if (!ccs_same_condition(ptr, entry) || | |
1767 | + atomic_read(&ptr->head.users) == CCS_GC_IN_PROGRESS) | |
1768 | + continue; | |
1769 | + /* Same entry found. Share this entry. */ | |
1770 | + atomic_inc(&ptr->head.users); | |
1771 | + found = true; | |
1772 | + break; | |
1773 | + } | |
1774 | + if (!found) { | |
1775 | + if (ccs_memory_ok(entry, entry->size)) { | |
1776 | + atomic_set(&entry->head.users, 1); | |
1777 | + list_add(&entry->head.list, &ccs_condition_list); | |
1778 | + } else { | |
1779 | + found = true; | |
1780 | + ptr = NULL; | |
1781 | + } | |
1782 | + } | |
1783 | + mutex_unlock(&ccs_policy_lock); | |
1784 | +out: | |
1785 | + if (found) { | |
1786 | + ccs_del_condition(&entry->head.list); | |
1787 | + kfree(entry); | |
1788 | + entry = ptr; | |
1789 | + } | |
1790 | + return entry; | |
1791 | +} | |
1792 | + | |
1793 | +/** | |
1794 | + * ccs_correct_path - Check whether the given pathname follows the naming rules. | |
1795 | + * | |
1796 | + * @filename: The pathname to check. | |
1797 | + * | |
1798 | + * Returns true if @filename follows the naming rules, false otherwise. | |
1799 | + */ | |
1800 | +static bool ccs_correct_path(const char *filename) | |
1801 | +{ | |
1802 | + return *filename == '/' && ccs_correct_word(filename); | |
1803 | +} | |
1804 | + | |
1805 | +/** | |
1806 | + * ccs_domain_def - Check whether the given token can be a domainname. | |
1807 | + * | |
1808 | + * @buffer: The token to check. | |
1809 | + * | |
1810 | + * Returns true if @buffer possibly be a domainname, false otherwise. | |
1811 | + */ | |
1812 | +static bool ccs_domain_def(const unsigned char *buffer) | |
1813 | +{ | |
1814 | + const unsigned char *cp; | |
1815 | + int len; | |
1816 | + if (*buffer != '<') | |
1817 | + return false; | |
1818 | + cp = strchr(buffer, ' '); | |
1819 | + if (!cp) | |
1820 | + len = strlen(buffer); | |
1821 | + else | |
1822 | + len = cp - buffer; | |
1823 | + if (buffer[len - 1] != '>' || !ccs_correct_word2(buffer + 1, len - 2)) | |
1824 | + return false; | |
1825 | + return true; | |
1826 | +} | |
1827 | + | |
1828 | +/** | |
1829 | + * ccs_correct_domain - Check whether the given domainname follows the naming rules. | |
1830 | + * | |
1831 | + * @domainname: The domainname to check. | |
1832 | + * | |
1833 | + * Returns true if @domainname follows the naming rules, false otherwise. | |
1834 | + */ | |
1835 | +static bool ccs_correct_domain(const unsigned char *domainname) | |
1836 | +{ | |
1837 | + if (!domainname || !ccs_domain_def(domainname)) | |
1838 | + return false; | |
1839 | + domainname = strchr(domainname, ' '); | |
1840 | + if (!domainname++) | |
1841 | + return true; | |
1842 | + while (1) { | |
1843 | + const unsigned char *cp = strchr(domainname, ' '); | |
1844 | + if (!cp) | |
1845 | + break; | |
1846 | + if (*domainname != '/' || | |
1847 | + !ccs_correct_word2(domainname, cp - domainname)) | |
1848 | + return false; | |
1849 | + domainname = cp + 1; | |
1850 | + } | |
1851 | + return ccs_correct_path(domainname); | |
1852 | +} | |
1853 | + | |
1854 | +/** | |
1855 | + * ccs_normalize_line - Format string. | |
1856 | + * | |
1857 | + * @buffer: The line to normalize. | |
1858 | + * | |
1859 | + * Returns nothing. | |
1860 | + * | |
1861 | + * Leading and trailing whitespaces are removed. | |
1862 | + * Multiple whitespaces are packed into single space. | |
1863 | + */ | |
1864 | +static void ccs_normalize_line(unsigned char *buffer) | |
1865 | +{ | |
1866 | + unsigned char *sp = buffer; | |
1867 | + unsigned char *dp = buffer; | |
1868 | + bool first = true; | |
1869 | + while (*sp && (*sp <= ' ' || *sp >= 127)) | |
1870 | + sp++; | |
1871 | + while (*sp) { | |
1872 | + if (!first) | |
1873 | + *dp++ = ' '; | |
1874 | + first = false; | |
1875 | + while (*sp > ' ' && *sp < 127) | |
1876 | + *dp++ = *sp++; | |
1877 | + while (*sp && (*sp <= ' ' || *sp >= 127)) | |
1878 | + sp++; | |
1879 | + } | |
1880 | + *dp = '\0'; | |
1881 | +} | |
1882 | + | |
1883 | +/** | |
1884 | + * ccs_get_domainname - Read a domainname from a line. | |
1885 | + * | |
1886 | + * @param: Pointer to "struct ccs_acl_param". | |
1887 | + * | |
1888 | + * Returns a domainname on success, NULL otherwise. | |
1889 | + */ | |
1890 | +static const struct ccs_path_info *ccs_get_domainname | |
1891 | +(struct ccs_acl_param *param) | |
1892 | +{ | |
1893 | + char *start = param->data; | |
1894 | + char *pos = start; | |
1895 | + while (*pos) { | |
1896 | + if (*pos++ != ' ' || *pos++ == '/') | |
1897 | + continue; | |
1898 | + pos -= 2; | |
1899 | + *pos++ = '\0'; | |
1900 | + break; | |
1901 | + } | |
1902 | + param->data = pos; | |
1903 | + if (ccs_correct_domain(start)) | |
1904 | + return ccs_get_name(start); | |
1905 | + return NULL; | |
1906 | +} | |
1907 | + | |
1908 | +/** | |
1909 | + * ccs_get_transit_preference - Parse domain transition preference for execve(). | |
1910 | + * | |
1911 | + * @param: Pointer to "struct ccs_acl_param". | |
1912 | + * @e: Pointer to "struct ccs_condition". | |
1913 | + * | |
1914 | + * Returns the condition string part. | |
1915 | + */ | |
1916 | +static char *ccs_get_transit_preference(struct ccs_acl_param *param, | |
1917 | + struct ccs_condition *e) | |
1918 | +{ | |
1919 | + char * const pos = param->data; | |
1920 | + bool flag; | |
1921 | + if (*pos == '<') { | |
1922 | + e->transit = ccs_get_domainname(param); | |
1923 | + goto done; | |
1924 | + } | |
1925 | + { | |
1926 | + char *cp = strchr(pos, ' '); | |
1927 | + if (cp) | |
1928 | + *cp = '\0'; | |
1929 | + flag = ccs_correct_path(pos) || !strcmp(pos, "keep") || | |
1930 | + !strcmp(pos, "initialize") || !strcmp(pos, "reset") || | |
1931 | + !strcmp(pos, "child") || !strcmp(pos, "parent"); | |
1932 | + if (cp) | |
1933 | + *cp = ' '; | |
1934 | + } | |
1935 | + if (!flag) | |
1936 | + return pos; | |
1937 | + e->transit = ccs_get_name(ccs_read_token(param)); | |
1938 | +done: | |
1939 | + if (e->transit) { | |
1940 | + e->exec_transit = true; | |
1941 | + return param->data; | |
1942 | + } | |
1943 | + /* | |
1944 | + * Return a bad read-only condition string that will let | |
1945 | + * ccs_get_condition() return NULL. | |
1946 | + */ | |
1947 | + return "/"; | |
1948 | +} | |
1949 | + | |
1950 | +/** | |
1951 | + * ccs_get_condition - Parse condition part. | |
1952 | + * | |
1953 | + * @param: Pointer to "struct ccs_acl_param". | |
1954 | + * | |
1955 | + * Returns pointer to "struct ccs_condition" on success, NULL otherwise. | |
1956 | + */ | |
1957 | +static struct ccs_condition *ccs_get_condition(struct ccs_acl_param *param) | |
1958 | +{ | |
1959 | + struct ccs_condition *entry = NULL; | |
1960 | + struct ccs_condition_element *condp = NULL; | |
1961 | + struct ccs_number_union *numbers_p = NULL; | |
1962 | + struct ccs_name_union *names_p = NULL; | |
1963 | + struct ccs_argv *argv = NULL; | |
1964 | + struct ccs_envp *envp = NULL; | |
1965 | + struct ccs_condition e = { }; | |
1966 | + char * const start_of_string = ccs_get_transit_preference(param, &e); | |
1967 | + char * const end_of_string = start_of_string + strlen(start_of_string); | |
1968 | + char *pos; | |
1969 | +rerun: | |
1970 | + pos = start_of_string; | |
1971 | + while (1) { | |
1972 | + u8 left = -1; | |
1973 | + u8 right = -1; | |
1974 | + char *left_word = pos; | |
1975 | + char *cp; | |
1976 | + char *right_word; | |
1977 | + bool is_not; | |
1978 | + if (!*left_word) | |
1979 | + break; | |
1980 | + /* | |
1981 | + * Since left-hand condition does not allow use of "path_group" | |
1982 | + * or "number_group" and environment variable's names do not | |
1983 | + * accept '=', it is guaranteed that the original line consists | |
1984 | + * of one or more repetition of $left$operator$right blocks | |
1985 | + * where "$left is free from '=' and ' '" and "$operator is | |
1986 | + * either '=' or '!='" and "$right is free from ' '". | |
1987 | + * Therefore, we can reconstruct the original line at the end | |
1988 | + * of dry run even if we overwrite $operator with '\0'. | |
1989 | + */ | |
1990 | + cp = strchr(pos, ' '); | |
1991 | + if (cp) { | |
1992 | + *cp = '\0'; /* Will restore later. */ | |
1993 | + pos = cp + 1; | |
1994 | + } else { | |
1995 | + pos = ""; | |
1996 | + } | |
1997 | + right_word = strchr(left_word, '='); | |
1998 | + if (!right_word || right_word == left_word) | |
1999 | + goto out; | |
2000 | + is_not = *(right_word - 1) == '!'; | |
2001 | + if (is_not) | |
2002 | + *(right_word++ - 1) = '\0'; /* Will restore later. */ | |
2003 | + else if (*(right_word + 1) != '=') | |
2004 | + *right_word++ = '\0'; /* Will restore later. */ | |
2005 | + else | |
2006 | + goto out; | |
2007 | + dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word, | |
2008 | + is_not ? "!" : "", right_word); | |
2009 | + if (!strcmp(left_word, "grant_log")) { | |
2010 | + if (entry) { | |
2011 | + if (is_not || | |
2012 | + entry->grant_log != CCS_GRANTLOG_AUTO) | |
2013 | + goto out; | |
2014 | + else if (!strcmp(right_word, "yes")) | |
2015 | + entry->grant_log = CCS_GRANTLOG_YES; | |
2016 | + else if (!strcmp(right_word, "no")) | |
2017 | + entry->grant_log = CCS_GRANTLOG_NO; | |
2018 | + else | |
2019 | + goto out; | |
2020 | + } | |
2021 | + continue; | |
2022 | + } | |
2023 | + if (!strcmp(left_word, "auto_domain_transition")) { | |
2024 | + if (entry) { | |
2025 | + if (is_not || entry->transit) | |
2026 | + goto out; | |
2027 | + entry->transit = ccs_get_dqword(right_word); | |
2028 | + if (!entry->transit || | |
2029 | + (entry->transit->name[0] != '/' && | |
2030 | + !ccs_domain_def(entry->transit->name))) | |
2031 | + goto out; | |
2032 | + } | |
2033 | + continue; | |
2034 | + } | |
2035 | + if (!strncmp(left_word, "exec.argv[", 10)) { | |
2036 | + if (!argv) { | |
2037 | + e.argc++; | |
2038 | + e.condc++; | |
2039 | + } else { | |
2040 | + e.argc--; | |
2041 | + e.condc--; | |
2042 | + left = CCS_ARGV_ENTRY; | |
2043 | + argv->is_not = is_not; | |
2044 | + if (!ccs_parse_argv(left_word + 10, | |
2045 | + right_word, argv++)) | |
2046 | + goto out; | |
2047 | + } | |
2048 | + goto store_value; | |
2049 | + } | |
2050 | + if (!strncmp(left_word, "exec.envp[\"", 11)) { | |
2051 | + if (!envp) { | |
2052 | + e.envc++; | |
2053 | + e.condc++; | |
2054 | + } else { | |
2055 | + e.envc--; | |
2056 | + e.condc--; | |
2057 | + left = CCS_ENVP_ENTRY; | |
2058 | + envp->is_not = is_not; | |
2059 | + if (!ccs_parse_envp(left_word + 11, | |
2060 | + right_word, envp++)) | |
2061 | + goto out; | |
2062 | + } | |
2063 | + goto store_value; | |
2064 | + } | |
2065 | + left = ccs_condition_type(left_word); | |
2066 | + dprintk(KERN_WARNING "%u: <%s> left=%u\n", __LINE__, left_word, | |
2067 | + left); | |
2068 | + if (left == CCS_MAX_CONDITION_KEYWORD) { | |
2069 | + if (!numbers_p) { | |
2070 | + e.numbers_count++; | |
2071 | + } else { | |
2072 | + e.numbers_count--; | |
2073 | + left = CCS_NUMBER_UNION; | |
2074 | + param->data = left_word; | |
2075 | + if (*left_word == '@' || | |
2076 | + !ccs_parse_number_union(param, | |
2077 | + numbers_p++)) | |
2078 | + goto out; | |
2079 | + } | |
2080 | + } | |
2081 | + if (!condp) | |
2082 | + e.condc++; | |
2083 | + else | |
2084 | + e.condc--; | |
2085 | + if (left == CCS_EXEC_REALPATH || left == CCS_SYMLINK_TARGET) { | |
2086 | + if (!names_p) { | |
2087 | + e.names_count++; | |
2088 | + } else { | |
2089 | + e.names_count--; | |
2090 | + right = CCS_NAME_UNION; | |
2091 | + param->data = right_word; | |
2092 | + if (!ccs_parse_name_union_quoted(param, | |
2093 | + names_p++)) | |
2094 | + goto out; | |
2095 | + } | |
2096 | + goto store_value; | |
2097 | + } | |
2098 | + right = ccs_condition_type(right_word); | |
2099 | + if (right == CCS_MAX_CONDITION_KEYWORD) { | |
2100 | + if (!numbers_p) { | |
2101 | + e.numbers_count++; | |
2102 | + } else { | |
2103 | + e.numbers_count--; | |
2104 | + right = CCS_NUMBER_UNION; | |
2105 | + param->data = right_word; | |
2106 | + if (!ccs_parse_number_union(param, | |
2107 | + numbers_p++)) | |
2108 | + goto out; | |
2109 | + } | |
2110 | + } | |
2111 | +store_value: | |
2112 | + if (!condp) { | |
2113 | + dprintk(KERN_WARNING "%u: dry_run left=%u right=%u " | |
2114 | + "match=%u\n", __LINE__, left, right, !is_not); | |
2115 | + continue; | |
2116 | + } | |
2117 | + condp->left = left; | |
2118 | + condp->right = right; | |
2119 | + condp->equals = !is_not; | |
2120 | + dprintk(KERN_WARNING "%u: left=%u right=%u match=%u\n", | |
2121 | + __LINE__, condp->left, condp->right, | |
2122 | + condp->equals); | |
2123 | + condp++; | |
2124 | + } | |
2125 | + dprintk(KERN_INFO "%u: cond=%u numbers=%u names=%u ac=%u ec=%u\n", | |
2126 | + __LINE__, e.condc, e.numbers_count, e.names_count, e.argc, | |
2127 | + e.envc); | |
2128 | + if (entry) { | |
2129 | + BUG_ON(e.names_count | e.numbers_count | e.argc | e.envc | | |
2130 | + e.condc); | |
2131 | + return ccs_commit_condition(entry); | |
2132 | + } | |
2133 | + e.size = sizeof(*entry) | |
2134 | + + e.condc * sizeof(struct ccs_condition_element) | |
2135 | + + e.numbers_count * sizeof(struct ccs_number_union) | |
2136 | + + e.names_count * sizeof(struct ccs_name_union) | |
2137 | + + e.argc * sizeof(struct ccs_argv) | |
2138 | + + e.envc * sizeof(struct ccs_envp); | |
2139 | + entry = kzalloc(e.size, CCS_GFP_FLAGS); | |
2140 | + if (!entry) | |
2141 | + goto out2; | |
2142 | + *entry = e; | |
2143 | + e.transit = NULL; | |
2144 | + condp = (struct ccs_condition_element *) (entry + 1); | |
2145 | + numbers_p = (struct ccs_number_union *) (condp + e.condc); | |
2146 | + names_p = (struct ccs_name_union *) (numbers_p + e.numbers_count); | |
2147 | + argv = (struct ccs_argv *) (names_p + e.names_count); | |
2148 | + envp = (struct ccs_envp *) (argv + e.argc); | |
2149 | + { | |
2150 | + bool flag = false; | |
2151 | + for (pos = start_of_string; pos < end_of_string; pos++) { | |
2152 | + if (*pos) | |
2153 | + continue; | |
2154 | + if (flag) /* Restore " ". */ | |
2155 | + *pos = ' '; | |
2156 | + else if (*(pos + 1) == '=') /* Restore "!=". */ | |
2157 | + *pos = '!'; | |
2158 | + else /* Restore "=". */ | |
2159 | + *pos = '='; | |
2160 | + flag = !flag; | |
2161 | + } | |
2162 | + } | |
2163 | + goto rerun; | |
2164 | +out: | |
2165 | + dprintk(KERN_WARNING "%u: %s failed\n", __LINE__, __func__); | |
2166 | + if (entry) { | |
2167 | + ccs_del_condition(&entry->head.list); | |
2168 | + kfree(entry); | |
2169 | + } | |
2170 | +out2: | |
2171 | + ccs_put_name(e.transit); | |
2172 | + return NULL; | |
2173 | +} | |
2174 | + | |
2175 | +/** | |
2176 | + * ccs_yesno - Return "yes" or "no". | |
2177 | + * | |
2178 | + * @value: Bool value. | |
2179 | + * | |
2180 | + * Returns "yes" if @value is not 0, "no" otherwise. | |
2181 | + */ | |
2182 | +static const char *ccs_yesno(const unsigned int value) | |
2183 | +{ | |
2184 | + return value ? "yes" : "no"; | |
2185 | +} | |
2186 | + | |
2187 | +/** | |
2188 | + * ccs_addprintf - strncat()-like-snprintf(). | |
2189 | + * | |
2190 | + * @buffer: Buffer to write to. Must be '\0'-terminated. | |
2191 | + * @len: Size of @buffer. | |
2192 | + * @fmt: The printf()'s format string, followed by parameters. | |
2193 | + * | |
2194 | + * Returns nothing. | |
2195 | + */ | |
2196 | +static void ccs_addprintf(char *buffer, int len, const char *fmt, ...) | |
2197 | +{ | |
2198 | + va_list args; | |
2199 | + const int pos = strlen(buffer); | |
2200 | + va_start(args, fmt); | |
2201 | + vsnprintf(buffer + pos, len - pos - 1, fmt, args); | |
2202 | + va_end(args); | |
2203 | +} | |
2204 | + | |
2205 | +/** | |
2206 | + * ccs_flush - Flush queued string to userspace's buffer. | |
2207 | + * | |
2208 | + * @head: Pointer to "struct ccs_io_buffer". | |
2209 | + * | |
2210 | + * Returns true if all data was flushed, false otherwise. | |
2211 | + */ | |
2212 | +static bool ccs_flush(struct ccs_io_buffer *head) | |
2213 | +{ | |
2214 | + while (head->r.w_pos) { | |
2215 | + const char *w = head->r.w[0]; | |
2216 | + size_t len = strlen(w); | |
2217 | + if (len) { | |
2218 | + if (len > head->read_user_buf_avail) | |
2219 | + len = head->read_user_buf_avail; | |
2220 | + if (!len) | |
2221 | + return false; | |
2222 | + if (copy_to_user(head->read_user_buf, w, len)) | |
2223 | + return false; | |
2224 | + head->read_user_buf_avail -= len; | |
2225 | + head->read_user_buf += len; | |
2226 | + w += len; | |
2227 | + } | |
2228 | + head->r.w[0] = w; | |
2229 | + if (*w) | |
2230 | + return false; | |
2231 | + /* Add '\0' for audit logs and query. */ | |
2232 | + if (head->type == CCS_AUDIT || head->type == CCS_QUERY) { | |
2233 | + if (!head->read_user_buf_avail || | |
2234 | + copy_to_user(head->read_user_buf, "", 1)) | |
2235 | + return false; | |
2236 | + head->read_user_buf_avail--; | |
2237 | + head->read_user_buf++; | |
2238 | + } | |
2239 | + head->r.w_pos--; | |
2240 | + for (len = 0; len < head->r.w_pos; len++) | |
2241 | + head->r.w[len] = head->r.w[len + 1]; | |
2242 | + } | |
2243 | + head->r.avail = 0; | |
2244 | + return true; | |
2245 | +} | |
2246 | + | |
2247 | +/** | |
2248 | + * ccs_set_string - Queue string to "struct ccs_io_buffer" structure. | |
2249 | + * | |
2250 | + * @head: Pointer to "struct ccs_io_buffer". | |
2251 | + * @string: String to print. | |
2252 | + * | |
2253 | + * Returns nothing. | |
2254 | + * | |
2255 | + * Note that @string has to be kept valid until @head is kfree()d. | |
2256 | + * This means that char[] allocated on stack memory cannot be passed to | |
2257 | + * this function. Use ccs_io_printf() for char[] allocated on stack memory. | |
2258 | + */ | |
2259 | +static void ccs_set_string(struct ccs_io_buffer *head, const char *string) | |
2260 | +{ | |
2261 | + if (head->r.w_pos < CCS_MAX_IO_READ_QUEUE) { | |
2262 | + head->r.w[head->r.w_pos++] = string; | |
2263 | + ccs_flush(head); | |
2264 | + } else | |
2265 | + printk(KERN_WARNING "Too many words in a line.\n"); | |
2266 | +} | |
2267 | + | |
2268 | +/** | |
2269 | + * ccs_io_printf - printf() to "struct ccs_io_buffer" structure. | |
2270 | + * | |
2271 | + * @head: Pointer to "struct ccs_io_buffer". | |
2272 | + * @fmt: The printf()'s format string, followed by parameters. | |
2273 | + * | |
2274 | + * Returns nothing. | |
2275 | + */ | |
2276 | +static void ccs_io_printf(struct ccs_io_buffer *head, const char *fmt, ...) | |
2277 | +{ | |
2278 | + va_list args; | |
2279 | + size_t len; | |
2280 | + size_t pos = head->r.avail; | |
2281 | + int size = head->readbuf_size - pos; | |
2282 | + if (size <= 0) | |
2283 | + return; | |
2284 | + va_start(args, fmt); | |
2285 | + len = vsnprintf(head->read_buf + pos, size, fmt, args) + 1; | |
2286 | + va_end(args); | |
2287 | + if (pos + len >= head->readbuf_size) { | |
2288 | + printk(KERN_WARNING "Too many words in a line.\n"); | |
2289 | + return; | |
2290 | + } | |
2291 | + head->r.avail += len; | |
2292 | + ccs_set_string(head, head->read_buf + pos); | |
2293 | +} | |
2294 | + | |
2295 | +/** | |
2296 | + * ccs_set_space - Put a space to "struct ccs_io_buffer" structure. | |
2297 | + * | |
2298 | + * @head: Pointer to "struct ccs_io_buffer". | |
2299 | + * | |
2300 | + * Returns nothing. | |
2301 | + */ | |
2302 | +static void ccs_set_space(struct ccs_io_buffer *head) | |
2303 | +{ | |
2304 | + ccs_set_string(head, " "); | |
2305 | +} | |
2306 | + | |
2307 | +/** | |
2308 | + * ccs_set_lf - Put a line feed to "struct ccs_io_buffer" structure. | |
2309 | + * | |
2310 | + * @head: Pointer to "struct ccs_io_buffer". | |
2311 | + * | |
2312 | + * Returns true if all data was flushed, false otherwise. | |
2313 | + */ | |
2314 | +static bool ccs_set_lf(struct ccs_io_buffer *head) | |
2315 | +{ | |
2316 | + ccs_set_string(head, "\n"); | |
2317 | + return !head->r.w_pos; | |
2318 | +} | |
2319 | + | |
2320 | +/** | |
2321 | + * ccs_set_slash - Put a shash to "struct ccs_io_buffer" structure. | |
2322 | + * | |
2323 | + * @head: Pointer to "struct ccs_io_buffer". | |
2324 | + * | |
2325 | + * Returns nothing. | |
2326 | + */ | |
2327 | +static void ccs_set_slash(struct ccs_io_buffer *head) | |
2328 | +{ | |
2329 | + ccs_set_string(head, "/"); | |
2330 | +} | |
2331 | + | |
2332 | +/** | |
2333 | + * ccs_init_policy_namespace - Initialize namespace. | |
2334 | + * | |
2335 | + * @ns: Pointer to "struct ccs_policy_namespace". | |
2336 | + * | |
2337 | + * Returns nothing. | |
2338 | + */ | |
2339 | +static void ccs_init_policy_namespace(struct ccs_policy_namespace *ns) | |
2340 | +{ | |
2341 | + unsigned int idx; | |
2342 | + for (idx = 0; idx < CCS_MAX_ACL_GROUPS; idx++) | |
2343 | + INIT_LIST_HEAD(&ns->acl_group[idx]); | |
2344 | + for (idx = 0; idx < CCS_MAX_GROUP; idx++) | |
2345 | + INIT_LIST_HEAD(&ns->group_list[idx]); | |
2346 | + for (idx = 0; idx < CCS_MAX_POLICY; idx++) | |
2347 | + INIT_LIST_HEAD(&ns->policy_list[idx]); | |
2348 | + ns->profile_version = 20150505; | |
2349 | + ccs_namespace_enabled = !list_empty(&ccs_namespace_list); | |
2350 | + list_add_tail_rcu(&ns->namespace_list, &ccs_namespace_list); | |
2351 | +} | |
2352 | + | |
2353 | +/** | |
2354 | + * ccs_print_namespace - Print namespace header. | |
2355 | + * | |
2356 | + * @head: Pointer to "struct ccs_io_buffer". | |
2357 | + * | |
2358 | + * Returns nothing. | |
2359 | + */ | |
2360 | +static void ccs_print_namespace(struct ccs_io_buffer *head) | |
2361 | +{ | |
2362 | + if (!ccs_namespace_enabled) | |
2363 | + return; | |
2364 | + ccs_set_string(head, | |
2365 | + container_of(head->r.ns, struct ccs_policy_namespace, | |
2366 | + namespace_list)->name); | |
2367 | + ccs_set_space(head); | |
2368 | +} | |
2369 | + | |
2370 | +/** | |
2371 | + * ccs_assign_profile - Create a new profile. | |
2372 | + * | |
2373 | + * @ns: Pointer to "struct ccs_policy_namespace". | |
2374 | + * @profile: Profile number to create. | |
2375 | + * | |
2376 | + * Returns pointer to "struct ccs_profile" on success, NULL otherwise. | |
2377 | + */ | |
2378 | +static struct ccs_profile *ccs_assign_profile(struct ccs_policy_namespace *ns, | |
2379 | + const unsigned int profile) | |
2380 | +{ | |
2381 | + struct ccs_profile *ptr; | |
2382 | + struct ccs_profile *entry; | |
2383 | + if (profile >= CCS_MAX_PROFILES) | |
2384 | + return NULL; | |
2385 | + ptr = ns->profile_ptr[profile]; | |
2386 | + if (ptr) | |
2387 | + return ptr; | |
2388 | + entry = kzalloc(sizeof(*entry), CCS_GFP_FLAGS); | |
2389 | + if (mutex_lock_interruptible(&ccs_policy_lock)) | |
2390 | + goto out; | |
2391 | + ptr = ns->profile_ptr[profile]; | |
2392 | + if (!ptr && ccs_memory_ok(entry, sizeof(*entry))) { | |
2393 | + ptr = entry; | |
2394 | + ptr->default_config = CCS_CONFIG_DISABLED | | |
2395 | + CCS_CONFIG_WANT_GRANT_LOG | CCS_CONFIG_WANT_REJECT_LOG; | |
2396 | + memset(ptr->config, CCS_CONFIG_USE_DEFAULT, | |
2397 | + sizeof(ptr->config)); | |
2398 | + ptr->pref[CCS_PREF_MAX_AUDIT_LOG] = | |
2399 | + CONFIG_CCSECURITY_MAX_AUDIT_LOG; | |
2400 | + ptr->pref[CCS_PREF_MAX_LEARNING_ENTRY] = | |
2401 | + CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY; | |
2402 | + mb(); /* Avoid out-of-order execution. */ | |
2403 | + ns->profile_ptr[profile] = ptr; | |
2404 | + entry = NULL; | |
2405 | + } | |
2406 | + mutex_unlock(&ccs_policy_lock); | |
2407 | +out: | |
2408 | + kfree(entry); | |
2409 | + return ptr; | |
2410 | +} | |
2411 | + | |
2412 | +/** | |
2413 | + * ccs_check_profile - Check all profiles currently assigned to domains are defined. | |
2414 | + * | |
2415 | + * Returns nothing. | |
2416 | + */ | |
2417 | +static void ccs_check_profile(void) | |
2418 | +{ | |
2419 | + struct ccs_domain_info *domain; | |
2420 | + const int idx = ccs_read_lock(); | |
2421 | + ccs_policy_loaded = true; | |
2422 | + printk(KERN_INFO "CCSecurity: 1.8.6+ 2019/12/25\n"); | |
2423 | + list_for_each_entry_srcu(domain, &ccs_domain_list, list, &ccs_ss) { | |
2424 | + const u8 profile = domain->profile; | |
2425 | + struct ccs_policy_namespace *ns = domain->ns; | |
2426 | + if (ns->profile_version == 20100903) { | |
2427 | + static bool done; | |
2428 | + if (!done) | |
2429 | + printk(KERN_INFO "Converting profile version " | |
2430 | + "from %u to %u.\n", 20100903, 20150505); | |
2431 | + done = true; | |
2432 | + ns->profile_version = 20150505; | |
2433 | + } | |
2434 | + if (ns->profile_version != 20150505) | |
2435 | + printk(KERN_ERR | |
2436 | + "Profile version %u is not supported.\n", | |
2437 | + ns->profile_version); | |
2438 | + else if (!ns->profile_ptr[profile]) | |
2439 | + printk(KERN_ERR | |
2440 | + "Profile %u (used by '%s') is not defined.\n", | |
2441 | + profile, domain->domainname->name); | |
2442 | + else | |
2443 | + continue; | |
2444 | + printk(KERN_ERR | |
2445 | + "Userland tools for TOMOYO 1.8 must be installed and " | |
2446 | + "policy must be initialized.\n"); | |
2447 | + printk(KERN_ERR "Please see https://tomoyo.osdn.jp/1.8/ " | |
2448 | + "for more information.\n"); | |
2449 | + panic("STOP!"); | |
2450 | + } | |
2451 | + ccs_read_unlock(idx); | |
2452 | + printk(KERN_INFO "Mandatory Access Control activated.\n"); | |
2453 | +} | |
2454 | + | |
2455 | +/** | |
2456 | + * ccs_profile - Find a profile. | |
2457 | + * | |
2458 | + * @profile: Profile number to find. | |
2459 | + * | |
2460 | + * Returns pointer to "struct ccs_profile". | |
2461 | + */ | |
2462 | +static struct ccs_profile *ccs_profile(const u8 profile) | |
2463 | +{ | |
2464 | + static struct ccs_profile ccs_null_profile; | |
2465 | + struct ccs_profile *ptr = ccs_current_namespace()-> | |
2466 | + profile_ptr[profile]; | |
2467 | + if (!ptr) | |
2468 | + ptr = &ccs_null_profile; | |
2469 | + return ptr; | |
2470 | +} | |
2471 | + | |
2472 | +/** | |
2473 | + * ccs_get_config - Get config for specified profile's specified functionality. | |
2474 | + * | |
2475 | + * @profile: Profile number. | |
2476 | + * @index: Index number of functionality. | |
2477 | + * | |
2478 | + * Returns config. | |
2479 | + * | |
2480 | + * First, check for CONFIG::category::functionality. | |
2481 | + * If CONFIG::category::functionality is set to use default, then check | |
2482 | + * CONFIG::category. If CONFIG::category is set to use default, then use | |
2483 | + * CONFIG. CONFIG cannot be set to use default. | |
2484 | + */ | |
2485 | +u8 ccs_get_config(const u8 profile, const u8 index) | |
2486 | +{ | |
2487 | + u8 config; | |
2488 | + const struct ccs_profile *p; | |
2489 | + if (!ccs_policy_loaded) | |
2490 | + return CCS_CONFIG_DISABLED; | |
2491 | + p = ccs_profile(profile); | |
2492 | + config = p->config[index]; | |
2493 | + if (config == CCS_CONFIG_USE_DEFAULT) | |
2494 | + config = p->config[ccs_index2category[index] | |
2495 | + + CCS_MAX_MAC_INDEX]; | |
2496 | + if (config == CCS_CONFIG_USE_DEFAULT) | |
2497 | + config = p->default_config; | |
2498 | + return config; | |
2499 | +} | |
2500 | + | |
2501 | +/** | |
2502 | + * ccs_find_yesno - Find values for specified keyword. | |
2503 | + * | |
2504 | + * @string: String to check. | |
2505 | + * @find: Name of keyword. | |
2506 | + * | |
2507 | + * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise. | |
2508 | + */ | |
2509 | +static s8 ccs_find_yesno(const char *string, const char *find) | |
2510 | +{ | |
2511 | + const char *cp = strstr(string, find); | |
2512 | + if (cp) { | |
2513 | + cp += strlen(find); | |
2514 | + if (!strncmp(cp, "=yes", 4)) | |
2515 | + return 1; | |
2516 | + else if (!strncmp(cp, "=no", 3)) | |
2517 | + return 0; | |
2518 | + } | |
2519 | + return -1; | |
2520 | +} | |
2521 | + | |
2522 | +/** | |
2523 | + * ccs_set_uint - Set value for specified preference. | |
2524 | + * | |
2525 | + * @i: Pointer to "unsigned int". | |
2526 | + * @string: String to check. | |
2527 | + * @find: Name of keyword. | |
2528 | + * | |
2529 | + * Returns nothing. | |
2530 | + */ | |
2531 | +static void ccs_set_uint(unsigned int *i, const char *string, const char *find) | |
2532 | +{ | |
2533 | + const char *cp = strstr(string, find); | |
2534 | + if (cp) | |
2535 | + sscanf(cp + strlen(find), "=%u", i); | |
2536 | +} | |
2537 | + | |
2538 | +/** | |
2539 | + * ccs_str_starts - Check whether the given string starts with the given keyword. | |
2540 | + * | |
2541 | + * @src: Pointer to pointer to the string. | |
2542 | + * @find: Pointer to the keyword. | |
2543 | + * | |
2544 | + * Returns true if @src starts with @find, false otherwise. | |
2545 | + * | |
2546 | + * The @src is updated to point the first character after the @find | |
2547 | + * if @src starts with @find. | |
2548 | + */ | |
2549 | +static bool ccs_str_starts(char **src, const char *find) | |
2550 | +{ | |
2551 | + const int len = strlen(find); | |
2552 | + char *tmp = *src; | |
2553 | + if (strncmp(tmp, find, len)) | |
2554 | + return false; | |
2555 | + tmp += len; | |
2556 | + *src = tmp; | |
2557 | + return true; | |
2558 | +} | |
2559 | + | |
2560 | +/** | |
2561 | + * ccs_print_group - Print group's name. | |
2562 | + * | |
2563 | + * @head: Pointer to "struct ccs_io_buffer". | |
2564 | + * @group: Pointer to "struct ccsgroup". Maybe NULL. | |
2565 | + * | |
2566 | + * Returns true if @group is not NULL. false otherwise. | |
2567 | + */ | |
2568 | +static bool ccs_print_group(struct ccs_io_buffer *head, | |
2569 | + const struct ccs_group *group) | |
2570 | +{ | |
2571 | + if (group) { | |
2572 | + ccs_set_string(head, "@"); | |
2573 | + ccs_set_string(head, group->group_name->name); | |
2574 | + return true; | |
2575 | + } | |
2576 | + return false; | |
2577 | +} | |
2578 | + | |
2579 | +/** | |
2580 | + * ccs_set_mode - Set mode for specified profile. | |
2581 | + * | |
2582 | + * @name: Name of functionality. | |
2583 | + * @value: Mode for @name. | |
2584 | + * @profile: Pointer to "struct ccs_profile". | |
2585 | + * | |
2586 | + * Returns 0 on success, negative value otherwise. | |
2587 | + */ | |
2588 | +static int ccs_set_mode(char *name, const char *value, | |
2589 | + struct ccs_profile *profile) | |
2590 | +{ | |
2591 | + u8 i; | |
2592 | + u8 config; | |
2593 | + if (!strcmp(name, "CONFIG")) { | |
2594 | + i = CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX; | |
2595 | + config = profile->default_config; | |
2596 | + } else if (ccs_str_starts(&name, "CONFIG::")) { | |
2597 | + config = 0; | |
2598 | + for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX; | |
2599 | + i++) { | |
2600 | + int len = 0; | |
2601 | + if (i < CCS_MAX_MAC_INDEX) { | |
2602 | + const u8 c = ccs_index2category[i]; | |
2603 | + const char *category = | |
2604 | + ccs_category_keywords[c]; | |
2605 | + len = strlen(category); | |
2606 | + if (strncmp(name, category, len) || | |
2607 | + name[len++] != ':' || name[len++] != ':') | |
2608 | + continue; | |
2609 | + } | |
2610 | + if (strcmp(name + len, ccs_mac_keywords[i])) | |
2611 | + continue; | |
2612 | + config = profile->config[i]; | |
2613 | + break; | |
2614 | + } | |
2615 | + if (i == CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX) | |
2616 | + return -EINVAL; | |
2617 | + } else { | |
2618 | + return -EINVAL; | |
2619 | + } | |
2620 | + if (strstr(value, "use_default")) { | |
2621 | + config = CCS_CONFIG_USE_DEFAULT; | |
2622 | + } else { | |
2623 | + u8 mode; | |
2624 | + for (mode = 0; mode < CCS_CONFIG_MAX_MODE; mode++) | |
2625 | + if (strstr(value, ccs_mode[mode])) | |
2626 | + /* | |
2627 | + * Update lower 3 bits in order to distinguish | |
2628 | + * 'config' from 'CCS_CONFIG_USE_DEAFULT'. | |
2629 | + */ | |
2630 | + config = (config & ~7) | mode; | |
2631 | + if (config != CCS_CONFIG_USE_DEFAULT) { | |
2632 | + switch (ccs_find_yesno(value, "grant_log")) { | |
2633 | + case 1: | |
2634 | + config |= CCS_CONFIG_WANT_GRANT_LOG; | |
2635 | + break; | |
2636 | + case 0: | |
2637 | + config &= ~CCS_CONFIG_WANT_GRANT_LOG; | |
2638 | + break; | |
2639 | + } | |
2640 | + switch (ccs_find_yesno(value, "reject_log")) { | |
2641 | + case 1: | |
2642 | + config |= CCS_CONFIG_WANT_REJECT_LOG; | |
2643 | + break; | |
2644 | + case 0: | |
2645 | + config &= ~CCS_CONFIG_WANT_REJECT_LOG; | |
2646 | + break; | |
2647 | + } | |
2648 | + } | |
2649 | + } | |
2650 | + if (i < CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX) | |
2651 | + profile->config[i] = config; | |
2652 | + else if (config != CCS_CONFIG_USE_DEFAULT) | |
2653 | + profile->default_config = config; | |
2654 | + return 0; | |
2655 | +} | |
2656 | + | |
2657 | +/** | |
2658 | + * ccs_write_profile - Write profile table. | |
2659 | + * | |
2660 | + * @head: Pointer to "struct ccs_io_buffer". | |
2661 | + * | |
2662 | + * Returns 0 on success, negative value otherwise. | |
2663 | + */ | |
2664 | +static int ccs_write_profile(struct ccs_io_buffer *head) | |
2665 | +{ | |
2666 | + char *data = head->write_buf; | |
2667 | + unsigned int i; | |
2668 | + char *cp; | |
2669 | + struct ccs_profile *profile; | |
2670 | + if (sscanf(data, "PROFILE_VERSION=%u", &head->w.ns->profile_version) | |
2671 | + == 1) | |
2672 | + return 0; | |
2673 | + i = simple_strtoul(data, &cp, 10); | |
2674 | + if (*cp != '-') | |
2675 | + return -EINVAL; | |
2676 | + data = cp + 1; | |
2677 | + profile = ccs_assign_profile(head->w.ns, i); | |
2678 | + if (!profile) | |
2679 | + return -EINVAL; | |
2680 | + cp = strchr(data, '='); | |
2681 | + if (!cp) | |
2682 | + return -EINVAL; | |
2683 | + *cp++ = '\0'; | |
2684 | + if (!strcmp(data, "COMMENT")) { | |
2685 | + static DEFINE_SPINLOCK(lock); | |
2686 | + const struct ccs_path_info *new_comment = ccs_get_name(cp); | |
2687 | + const struct ccs_path_info *old_comment; | |
2688 | + if (!new_comment) | |
2689 | + return -ENOMEM; | |
2690 | + spin_lock(&lock); | |
2691 | + old_comment = profile->comment; | |
2692 | + profile->comment = new_comment; | |
2693 | + spin_unlock(&lock); | |
2694 | + ccs_put_name(old_comment); | |
2695 | + return 0; | |
2696 | + } | |
2697 | + if (!strcmp(data, "PREFERENCE")) { | |
2698 | + for (i = 0; i < CCS_MAX_PREF; i++) | |
2699 | + ccs_set_uint(&profile->pref[i], cp, | |
2700 | + ccs_pref_keywords[i]); | |
2701 | + return 0; | |
2702 | + } | |
2703 | + return ccs_set_mode(data, cp, profile); | |
2704 | +} | |
2705 | + | |
2706 | +/** | |
2707 | + * ccs_print_config - Print mode for specified functionality. | |
2708 | + * | |
2709 | + * @head: Pointer to "struct ccs_io_buffer". | |
2710 | + * @config: Mode for that functionality. | |
2711 | + * | |
2712 | + * Returns nothing. | |
2713 | + * | |
2714 | + * Caller prints functionality's name. | |
2715 | + */ | |
2716 | +static void ccs_print_config(struct ccs_io_buffer *head, const u8 config) | |
2717 | +{ | |
2718 | + ccs_io_printf(head, "={ mode=%s grant_log=%s reject_log=%s }\n", | |
2719 | + ccs_mode[config & 3], | |
2720 | + ccs_yesno(config & CCS_CONFIG_WANT_GRANT_LOG), | |
2721 | + ccs_yesno(config & CCS_CONFIG_WANT_REJECT_LOG)); | |
2722 | +} | |
2723 | + | |
2724 | +/** | |
2725 | + * ccs_read_profile - Read profile table. | |
2726 | + * | |
2727 | + * @head: Pointer to "struct ccs_io_buffer". | |
2728 | + * | |
2729 | + * Returns nothing. | |
2730 | + */ | |
2731 | +static void ccs_read_profile(struct ccs_io_buffer *head) | |
2732 | +{ | |
2733 | + u8 index; | |
2734 | + struct ccs_policy_namespace *ns = container_of(head->r.ns, typeof(*ns), | |
2735 | + namespace_list); | |
2736 | + const struct ccs_profile *profile; | |
2737 | + if (head->r.eof) | |
2738 | + return; | |
2739 | +next: | |
2740 | + index = head->r.index; | |
2741 | + profile = ns->profile_ptr[index]; | |
2742 | + switch (head->r.step) { | |
2743 | + case 0: | |
2744 | + ccs_print_namespace(head); | |
2745 | + ccs_io_printf(head, "PROFILE_VERSION=%u\n", | |
2746 | + ns->profile_version); | |
2747 | + head->r.step++; | |
2748 | + break; | |
2749 | + case 1: | |
2750 | + for ( ; head->r.index < CCS_MAX_PROFILES; head->r.index++) | |
2751 | + if (ns->profile_ptr[head->r.index]) | |
2752 | + break; | |
2753 | + if (head->r.index == CCS_MAX_PROFILES) { | |
2754 | + head->r.eof = true; | |
2755 | + return; | |
2756 | + } | |
2757 | + head->r.step++; | |
2758 | + break; | |
2759 | + case 2: | |
2760 | + { | |
2761 | + u8 i; | |
2762 | + const struct ccs_path_info *comment = profile->comment; | |
2763 | + ccs_print_namespace(head); | |
2764 | + ccs_io_printf(head, "%u-COMMENT=", index); | |
2765 | + ccs_set_string(head, comment ? comment->name : ""); | |
2766 | + ccs_set_lf(head); | |
2767 | + ccs_print_namespace(head); | |
2768 | + ccs_io_printf(head, "%u-PREFERENCE={ ", index); | |
2769 | + for (i = 0; i < CCS_MAX_PREF; i++) | |
2770 | + ccs_io_printf(head, "%s=%u ", | |
2771 | + ccs_pref_keywords[i], | |
2772 | + profile->pref[i]); | |
2773 | + ccs_set_string(head, "}\n"); | |
2774 | + head->r.step++; | |
2775 | + } | |
2776 | + break; | |
2777 | + case 3: | |
2778 | + { | |
2779 | + ccs_print_namespace(head); | |
2780 | + ccs_io_printf(head, "%u-%s", index, "CONFIG"); | |
2781 | + ccs_print_config(head, profile->default_config); | |
2782 | + head->r.bit = 0; | |
2783 | + head->r.step++; | |
2784 | + } | |
2785 | + break; | |
2786 | + case 4: | |
2787 | + for ( ; head->r.bit < CCS_MAX_MAC_INDEX | |
2788 | + + CCS_MAX_MAC_CATEGORY_INDEX; head->r.bit++) { | |
2789 | + const u8 i = head->r.bit; | |
2790 | + const u8 config = profile->config[i]; | |
2791 | + if (config == CCS_CONFIG_USE_DEFAULT) | |
2792 | + continue; | |
2793 | + ccs_print_namespace(head); | |
2794 | + if (i < CCS_MAX_MAC_INDEX) | |
2795 | + ccs_io_printf(head, "%u-CONFIG::%s::%s", index, | |
2796 | + ccs_category_keywords | |
2797 | + [ccs_index2category[i]], | |
2798 | + ccs_mac_keywords[i]); | |
2799 | + else | |
2800 | + ccs_io_printf(head, "%u-CONFIG::%s", index, | |
2801 | + ccs_mac_keywords[i]); | |
2802 | + ccs_print_config(head, config); | |
2803 | + head->r.bit++; | |
2804 | + break; | |
2805 | + } | |
2806 | + if (head->r.bit == CCS_MAX_MAC_INDEX | |
2807 | + + CCS_MAX_MAC_CATEGORY_INDEX) { | |
2808 | + head->r.index++; | |
2809 | + head->r.step = 1; | |
2810 | + } | |
2811 | + break; | |
2812 | + } | |
2813 | + if (ccs_flush(head)) | |
2814 | + goto next; | |
2815 | +} | |
2816 | + | |
2817 | +/** | |
2818 | + * ccs_update_policy - Update an entry for exception policy. | |
2819 | + * | |
2820 | + * @size: Size of new entry in bytes. | |
2821 | + * @param: Pointer to "struct ccs_acl_param". | |
2822 | + * | |
2823 | + * Returns 0 on success, negative value otherwise. | |
2824 | + * | |
2825 | + * Caller holds ccs_read_lock(). | |
2826 | + */ | |
2827 | +static int ccs_update_policy(const int size, struct ccs_acl_param *param) | |
2828 | +{ | |
2829 | + struct ccs_acl_head *new_entry = ¶m->e.acl_head; | |
2830 | + int error = param->is_delete ? -ENOENT : -ENOMEM; | |
2831 | + struct ccs_acl_head *entry; | |
2832 | + struct list_head *list = param->list; | |
2833 | + BUG_ON(size < sizeof(*entry)); | |
2834 | + if (mutex_lock_interruptible(&ccs_policy_lock)) | |
2835 | + return -ENOMEM; | |
2836 | + list_for_each_entry_srcu(entry, list, list, &ccs_ss) { | |
2837 | + if (entry->is_deleted == CCS_GC_IN_PROGRESS) | |
2838 | + continue; | |
2839 | + if (memcmp(entry + 1, new_entry + 1, size - sizeof(*entry))) | |
2840 | + continue; | |
2841 | + entry->is_deleted = param->is_delete; | |
2842 | + error = 0; | |
2843 | + break; | |
2844 | + } | |
2845 | + if (error && !param->is_delete) { | |
2846 | + entry = ccs_commit_ok(new_entry, size); | |
2847 | + if (entry) { | |
2848 | + list_add_tail_rcu(&entry->list, list); | |
2849 | + error = 0; | |
2850 | + } | |
2851 | + } | |
2852 | + mutex_unlock(&ccs_policy_lock); | |
2853 | + return error; | |
2854 | +} | |
2855 | + | |
2856 | +/** | |
2857 | + * ccs_update_manager_entry - Add a manager entry. | |
2858 | + * | |
2859 | + * @manager: The path to manager or the domainnamme. | |
2860 | + * @is_delete: True if it is a delete request. | |
2861 | + * | |
2862 | + * Returns 0 on success, negative value otherwise. | |
2863 | + */ | |
2864 | +static int ccs_update_manager_entry(const char *manager, | |
2865 | + const bool is_delete) | |
2866 | +{ | |
2867 | + struct ccs_acl_param param = { | |
2868 | + /* .ns = &ccs_kernel_namespace, */ | |
2869 | + .is_delete = is_delete, | |
2870 | + .list = &ccs_kernel_namespace.policy_list[CCS_ID_MANAGER], | |
2871 | + }; | |
2872 | + struct ccs_manager *e = ¶m.e.manager; | |
2873 | + int error = is_delete ? -ENOENT : -ENOMEM; | |
2874 | + /* Forced zero clear for using memcmp() at ccs_update_policy(). */ | |
2875 | + memset(¶m.e, 0, sizeof(param.e)); | |
2876 | + if (!ccs_correct_domain(manager) && !ccs_correct_word(manager)) | |
2877 | + return -EINVAL; | |
2878 | + e->manager = ccs_get_name(manager); | |
2879 | + if (e->manager) { | |
2880 | + error = ccs_update_policy(sizeof(*e), ¶m); | |
2881 | + ccs_put_name(e->manager); | |
2882 | + } | |
2883 | + return error; | |
2884 | +} | |
2885 | + | |
2886 | +/** | |
2887 | + * ccs_write_manager - Write manager policy. | |
2888 | + * | |
2889 | + * @head: Pointer to "struct ccs_io_buffer". | |
2890 | + * | |
2891 | + * Returns 0 on success, negative value otherwise. | |
2892 | + */ | |
2893 | +static int ccs_write_manager(struct ccs_io_buffer *head) | |
2894 | +{ | |
2895 | + const char *data = head->write_buf; | |
2896 | + if (!strcmp(data, "manage_by_non_root")) { | |
2897 | + ccs_manage_by_non_root = !head->w.is_delete; | |
2898 | + return 0; | |
2899 | + } | |
2900 | + return ccs_update_manager_entry(data, head->w.is_delete); | |
2901 | +} | |
2902 | + | |
2903 | +/** | |
2904 | + * ccs_read_manager - Read manager policy. | |
2905 | + * | |
2906 | + * @head: Pointer to "struct ccs_io_buffer". | |
2907 | + * | |
2908 | + * Returns nothing. | |
2909 | + * | |
2910 | + * Caller holds ccs_read_lock(). | |
2911 | + */ | |
2912 | +static void ccs_read_manager(struct ccs_io_buffer *head) | |
2913 | +{ | |
2914 | + if (head->r.eof) | |
2915 | + return; | |
2916 | + list_for_each_cookie(head->r.acl, &ccs_kernel_namespace. | |
2917 | + policy_list[CCS_ID_MANAGER]) { | |
2918 | + struct ccs_manager *ptr = | |
2919 | + list_entry(head->r.acl, typeof(*ptr), head.list); | |
2920 | + if (ptr->head.is_deleted) | |
2921 | + continue; | |
2922 | + if (!ccs_flush(head)) | |
2923 | + return; | |
2924 | + ccs_set_string(head, ptr->manager->name); | |
2925 | + ccs_set_lf(head); | |
2926 | + } | |
2927 | + head->r.eof = true; | |
2928 | +} | |
2929 | + | |
2930 | +/** | |
2931 | + * ccs_manager - Check whether the current process is a policy manager. | |
2932 | + * | |
2933 | + * Returns true if the current process is permitted to modify policy | |
2934 | + * via /proc/ccs/ interface. | |
2935 | + * | |
2936 | + * Caller holds ccs_read_lock(). | |
2937 | + */ | |
2938 | +static bool ccs_manager(void) | |
2939 | +{ | |
2940 | + struct ccs_manager *ptr; | |
2941 | + struct ccs_path_info exe; | |
2942 | + struct ccs_security *task = ccs_current_security(); | |
2943 | + const struct ccs_path_info *domainname | |
2944 | + = ccs_current_domain()->domainname; | |
2945 | + bool found = false; | |
2946 | + if (!ccs_policy_loaded) | |
2947 | + return true; | |
2948 | + if (task->ccs_flags & CCS_TASK_IS_MANAGER) | |
2949 | + return true; | |
2950 | + if (!ccs_manage_by_non_root && | |
2951 | + (!uid_eq(current_uid(), GLOBAL_ROOT_UID) || | |
2952 | + !uid_eq(current_euid(), GLOBAL_ROOT_UID))) | |
2953 | + return false; | |
2954 | + exe.name = ccs_get_exe(); | |
2955 | + if (!exe.name) | |
2956 | + return false; | |
2957 | + ccs_fill_path_info(&exe); | |
2958 | + list_for_each_entry_srcu(ptr, &ccs_kernel_namespace. | |
2959 | + policy_list[CCS_ID_MANAGER], head.list, | |
2960 | + &ccs_ss) { | |
2961 | + if (ptr->head.is_deleted) | |
2962 | + continue; | |
2963 | + if (ccs_pathcmp(domainname, ptr->manager) && | |
2964 | + ccs_pathcmp(&exe, ptr->manager)) | |
2965 | + continue; | |
2966 | + /* Set manager flag. */ | |
2967 | + task->ccs_flags |= CCS_TASK_IS_MANAGER; | |
2968 | + found = true; | |
2969 | + break; | |
2970 | + } | |
2971 | + if (!found) { /* Reduce error messages. */ | |
2972 | + static pid_t ccs_last_pid; | |
2973 | + const pid_t pid = current->pid; | |
2974 | + if (ccs_last_pid != pid) { | |
2975 | + printk(KERN_WARNING "%s ( %s ) is not permitted to " | |
2976 | + "update policies.\n", domainname->name, | |
2977 | + exe.name); | |
2978 | + ccs_last_pid = pid; | |
2979 | + } | |
2980 | + } | |
2981 | + kfree(exe.name); | |
2982 | + return found; | |
2983 | +} | |
2984 | + | |
2985 | +/** | |
2986 | + * ccs_find_domain - Find a domain by the given name. | |
2987 | + * | |
2988 | + * @domainname: The domainname to find. | |
2989 | + * | |
2990 | + * Returns pointer to "struct ccs_domain_info" if found, NULL otherwise. | |
2991 | + * | |
2992 | + * Caller holds ccs_read_lock(). | |
2993 | + */ | |
2994 | +static struct ccs_domain_info *ccs_find_domain(const char *domainname) | |
2995 | +{ | |
2996 | + struct ccs_domain_info *domain; | |
2997 | + struct ccs_path_info name; | |
2998 | + name.name = domainname; | |
2999 | + ccs_fill_path_info(&name); | |
3000 | + list_for_each_entry_srcu(domain, &ccs_domain_list, list, &ccs_ss) { | |
3001 | + if (!domain->is_deleted && | |
3002 | + !ccs_pathcmp(&name, domain->domainname)) | |
3003 | + return domain; | |
3004 | + } | |
3005 | + return NULL; | |
3006 | +} | |
3007 | + | |
3008 | +/** | |
3009 | + * ccs_select_domain - Parse select command. | |
3010 | + * | |
3011 | + * @head: Pointer to "struct ccs_io_buffer". | |
3012 | + * @data: String to parse. | |
3013 | + * | |
3014 | + * Returns true on success, false otherwise. | |
3015 | + * | |
3016 | + * Caller holds ccs_read_lock(). | |
3017 | + */ | |
3018 | +static bool ccs_select_domain(struct ccs_io_buffer *head, const char *data) | |
3019 | +{ | |
3020 | + unsigned int pid; | |
3021 | + struct ccs_domain_info *domain = NULL; | |
3022 | + bool global_pid = false; | |
3023 | + if (strncmp(data, "select ", 7)) | |
3024 | + return false; | |
3025 | + data += 7; | |
3026 | + if (sscanf(data, "pid=%u", &pid) == 1 || | |
3027 | + (global |
Part of diff was cut off due to size limit. Use your local client to view the full diff.