2 * security/tomoyo/util.c
4 * Copyright (C) 2005-2011 NTT DATA CORPORATION
7 #include <linux/slab.h>
8 #include <linux/rculist.h>
12 /* Lock for protecting policy. */
13 DEFINE_MUTEX(tomoyo_policy_lock);
15 /* Has /sbin/init started? */
16 bool tomoyo_policy_loaded;
19 * Mapping table from "enum tomoyo_mac_index" to
20 * "enum tomoyo_mac_category_index".
22 const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX] = {
23 /* CONFIG::file group */
24 [TOMOYO_MAC_FILE_EXECUTE] = TOMOYO_MAC_CATEGORY_FILE,
25 [TOMOYO_MAC_FILE_OPEN] = TOMOYO_MAC_CATEGORY_FILE,
26 [TOMOYO_MAC_FILE_CREATE] = TOMOYO_MAC_CATEGORY_FILE,
27 [TOMOYO_MAC_FILE_UNLINK] = TOMOYO_MAC_CATEGORY_FILE,
28 [TOMOYO_MAC_FILE_GETATTR] = TOMOYO_MAC_CATEGORY_FILE,
29 [TOMOYO_MAC_FILE_MKDIR] = TOMOYO_MAC_CATEGORY_FILE,
30 [TOMOYO_MAC_FILE_RMDIR] = TOMOYO_MAC_CATEGORY_FILE,
31 [TOMOYO_MAC_FILE_MKFIFO] = TOMOYO_MAC_CATEGORY_FILE,
32 [TOMOYO_MAC_FILE_MKSOCK] = TOMOYO_MAC_CATEGORY_FILE,
33 [TOMOYO_MAC_FILE_TRUNCATE] = TOMOYO_MAC_CATEGORY_FILE,
34 [TOMOYO_MAC_FILE_SYMLINK] = TOMOYO_MAC_CATEGORY_FILE,
35 [TOMOYO_MAC_FILE_MKBLOCK] = TOMOYO_MAC_CATEGORY_FILE,
36 [TOMOYO_MAC_FILE_MKCHAR] = TOMOYO_MAC_CATEGORY_FILE,
37 [TOMOYO_MAC_FILE_LINK] = TOMOYO_MAC_CATEGORY_FILE,
38 [TOMOYO_MAC_FILE_RENAME] = TOMOYO_MAC_CATEGORY_FILE,
39 [TOMOYO_MAC_FILE_CHMOD] = TOMOYO_MAC_CATEGORY_FILE,
40 [TOMOYO_MAC_FILE_CHOWN] = TOMOYO_MAC_CATEGORY_FILE,
41 [TOMOYO_MAC_FILE_CHGRP] = TOMOYO_MAC_CATEGORY_FILE,
42 [TOMOYO_MAC_FILE_IOCTL] = TOMOYO_MAC_CATEGORY_FILE,
43 [TOMOYO_MAC_FILE_CHROOT] = TOMOYO_MAC_CATEGORY_FILE,
44 [TOMOYO_MAC_FILE_MOUNT] = TOMOYO_MAC_CATEGORY_FILE,
45 [TOMOYO_MAC_FILE_UMOUNT] = TOMOYO_MAC_CATEGORY_FILE,
46 [TOMOYO_MAC_FILE_PIVOT_ROOT] = TOMOYO_MAC_CATEGORY_FILE,
47 /* CONFIG::network group */
48 [TOMOYO_MAC_NETWORK_INET_STREAM_BIND] =
49 TOMOYO_MAC_CATEGORY_NETWORK,
50 [TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN] =
51 TOMOYO_MAC_CATEGORY_NETWORK,
52 [TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT] =
53 TOMOYO_MAC_CATEGORY_NETWORK,
54 [TOMOYO_MAC_NETWORK_INET_DGRAM_BIND] =
55 TOMOYO_MAC_CATEGORY_NETWORK,
56 [TOMOYO_MAC_NETWORK_INET_DGRAM_SEND] =
57 TOMOYO_MAC_CATEGORY_NETWORK,
58 [TOMOYO_MAC_NETWORK_INET_RAW_BIND] =
59 TOMOYO_MAC_CATEGORY_NETWORK,
60 [TOMOYO_MAC_NETWORK_INET_RAW_SEND] =
61 TOMOYO_MAC_CATEGORY_NETWORK,
62 [TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND] =
63 TOMOYO_MAC_CATEGORY_NETWORK,
64 [TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN] =
65 TOMOYO_MAC_CATEGORY_NETWORK,
66 [TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT] =
67 TOMOYO_MAC_CATEGORY_NETWORK,
68 [TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND] =
69 TOMOYO_MAC_CATEGORY_NETWORK,
70 [TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND] =
71 TOMOYO_MAC_CATEGORY_NETWORK,
72 [TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND] =
73 TOMOYO_MAC_CATEGORY_NETWORK,
74 [TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN] =
75 TOMOYO_MAC_CATEGORY_NETWORK,
76 [TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT] =
77 TOMOYO_MAC_CATEGORY_NETWORK,
78 /* CONFIG::misc group */
79 [TOMOYO_MAC_ENVIRON] = TOMOYO_MAC_CATEGORY_MISC,
83 * tomoyo_convert_time - Convert time_t to YYYY/MM/DD hh/mm/ss.
85 * @time: Seconds since 1970/01/01 00:00:00.
86 * @stamp: Pointer to "struct tomoyo_time".
90 * This function does not handle Y2038 problem.
92 void tomoyo_convert_time(time_t time, struct tomoyo_time *stamp)
94 static const u16 tomoyo_eom[2][12] = {
95 { 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365 },
96 { 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366 }
101 stamp->sec = time % 60;
103 stamp->min = time % 60;
105 stamp->hour = time % 24;
107 for (y = 1970; ; y++) {
108 const unsigned short days = (y & 3) ? 365 : 366;
114 for (m = 0; m < 11 && time >= tomoyo_eom[r][m]; m++)
117 time -= tomoyo_eom[r][m - 1];
124 * tomoyo_permstr - Find permission keywords.
126 * @string: String representation for permissions in foo/bar/buz format.
127 * @keyword: Keyword to find from @string/
129 * Returns ture if @keyword was found in @string, false otherwise.
131 * This function assumes that strncmp(w1, w2, strlen(w1)) != 0 if w1 != w2.
133 bool tomoyo_permstr(const char *string, const char *keyword)
135 const char *cp = strstr(string, keyword);
137 return cp == string || *(cp - 1) == '/';
142 * tomoyo_read_token - Read a word from a line.
144 * @param: Pointer to "struct tomoyo_acl_param".
146 * Returns a word on success, "" otherwise.
148 * To allow the caller to skip NULL check, this function returns "" rather than
149 * NULL if there is no more words to read.
151 char *tomoyo_read_token(struct tomoyo_acl_param *param)
153 char *pos = param->data;
154 char *del = strchr(pos, ' ');
158 del = pos + strlen(pos);
164 * tomoyo_get_domainname - Read a domainname from a line.
166 * @param: Pointer to "struct tomoyo_acl_param".
168 * Returns a domainname on success, NULL otherwise.
170 const struct tomoyo_path_info *tomoyo_get_domainname
171 (struct tomoyo_acl_param *param)
173 char *start = param->data;
176 if (*pos++ != ' ' || *pos++ == '/')
183 if (tomoyo_correct_domain(start))
184 return tomoyo_get_name(start);
189 * tomoyo_parse_ulong - Parse an "unsigned long" value.
191 * @result: Pointer to "unsigned long".
192 * @str: Pointer to string to parse.
194 * Returns one of values in "enum tomoyo_value_type".
196 * The @src is updated to point the first character after the value
199 u8 tomoyo_parse_ulong(unsigned long *result, char **str)
201 const char *cp = *str;
206 if (c == 'x' || c == 'X') {
209 } else if (c >= '0' && c <= '7') {
214 *result = simple_strtoul(cp, &ep, base);
216 return TOMOYO_VALUE_TYPE_INVALID;
220 return TOMOYO_VALUE_TYPE_HEXADECIMAL;
222 return TOMOYO_VALUE_TYPE_OCTAL;
224 return TOMOYO_VALUE_TYPE_DECIMAL;
229 * tomoyo_print_ulong - Print an "unsigned long" value.
231 * @buffer: Pointer to buffer.
232 * @buffer_len: Size of @buffer.
233 * @value: An "unsigned long" value.
234 * @type: Type of @value.
238 void tomoyo_print_ulong(char *buffer, const int buffer_len,
239 const unsigned long value, const u8 type)
241 if (type == TOMOYO_VALUE_TYPE_DECIMAL)
242 snprintf(buffer, buffer_len, "%lu", value);
243 else if (type == TOMOYO_VALUE_TYPE_OCTAL)
244 snprintf(buffer, buffer_len, "0%lo", value);
245 else if (type == TOMOYO_VALUE_TYPE_HEXADECIMAL)
246 snprintf(buffer, buffer_len, "0x%lX", value);
248 snprintf(buffer, buffer_len, "type(%u)", type);
252 * tomoyo_parse_name_union - Parse a tomoyo_name_union.
254 * @param: Pointer to "struct tomoyo_acl_param".
255 * @ptr: Pointer to "struct tomoyo_name_union".
257 * Returns true on success, false otherwise.
259 bool tomoyo_parse_name_union(struct tomoyo_acl_param *param,
260 struct tomoyo_name_union *ptr)
263 if (param->data[0] == '@') {
265 ptr->group = tomoyo_get_group(param, TOMOYO_PATH_GROUP);
266 return ptr->group != NULL;
268 filename = tomoyo_read_token(param);
269 if (!tomoyo_correct_word(filename))
271 ptr->filename = tomoyo_get_name(filename);
272 return ptr->filename != NULL;
276 * tomoyo_parse_number_union - Parse a tomoyo_number_union.
278 * @param: Pointer to "struct tomoyo_acl_param".
279 * @ptr: Pointer to "struct tomoyo_number_union".
281 * Returns true on success, false otherwise.
283 bool tomoyo_parse_number_union(struct tomoyo_acl_param *param,
284 struct tomoyo_number_union *ptr)
289 memset(ptr, 0, sizeof(*ptr));
290 if (param->data[0] == '@') {
292 ptr->group = tomoyo_get_group(param, TOMOYO_NUMBER_GROUP);
293 return ptr->group != NULL;
295 data = tomoyo_read_token(param);
296 type = tomoyo_parse_ulong(&v, &data);
297 if (type == TOMOYO_VALUE_TYPE_INVALID)
300 ptr->value_type[0] = type;
303 ptr->value_type[1] = type;
308 type = tomoyo_parse_ulong(&v, &data);
309 if (type == TOMOYO_VALUE_TYPE_INVALID || *data || ptr->values[0] > v)
312 ptr->value_type[1] = type;
317 * tomoyo_byte_range - Check whether the string is a \ooo style octal value.
319 * @str: Pointer to the string.
321 * Returns true if @str is a \ooo style octal value, false otherwise.
323 * TOMOYO uses \ooo style representation for 0x01 - 0x20 and 0x7F - 0xFF.
324 * This function verifies that \ooo is in valid range.
326 static inline bool tomoyo_byte_range(const char *str)
328 return *str >= '0' && *str++ <= '3' &&
329 *str >= '0' && *str++ <= '7' &&
330 *str >= '0' && *str <= '7';
334 * tomoyo_alphabet_char - Check whether the character is an alphabet.
336 * @c: The character to check.
338 * Returns true if @c is an alphabet character, false otherwise.
340 static inline bool tomoyo_alphabet_char(const char c)
342 return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
346 * tomoyo_make_byte - Make byte value from three octal characters.
348 * @c1: The first character.
349 * @c2: The second character.
350 * @c3: The third character.
352 * Returns byte value.
354 static inline u8 tomoyo_make_byte(const u8 c1, const u8 c2, const u8 c3)
356 return ((c1 - '0') << 6) + ((c2 - '0') << 3) + (c3 - '0');
360 * tomoyo_valid - Check whether the character is a valid char.
362 * @c: The character to check.
364 * Returns true if @c is a valid character, false otherwise.
366 static inline bool tomoyo_valid(const unsigned char c)
368 return c > ' ' && c < 127;
372 * tomoyo_invalid - Check whether the character is an invalid char.
374 * @c: The character to check.
376 * Returns true if @c is an invalid character, false otherwise.
378 static inline bool tomoyo_invalid(const unsigned char c)
380 return c && (c <= ' ' || c >= 127);
384 * tomoyo_str_starts - Check whether the given string starts with the given keyword.
386 * @src: Pointer to pointer to the string.
387 * @find: Pointer to the keyword.
389 * Returns true if @src starts with @find, false otherwise.
391 * The @src is updated to point the first character after the @find
392 * if @src starts with @find.
394 bool tomoyo_str_starts(char **src, const char *find)
396 const int len = strlen(find);
399 if (strncmp(tmp, find, len))
407 * tomoyo_normalize_line - Format string.
409 * @buffer: The line to normalize.
411 * Leading and trailing whitespaces are removed.
412 * Multiple whitespaces are packed into single space.
416 void tomoyo_normalize_line(unsigned char *buffer)
418 unsigned char *sp = buffer;
419 unsigned char *dp = buffer;
422 while (tomoyo_invalid(*sp))
428 while (tomoyo_valid(*sp))
430 while (tomoyo_invalid(*sp))
437 * tomoyo_correct_word2 - Validate a string.
439 * @string: The string to check. Maybe non-'\0'-terminated.
440 * @len: Length of @string.
442 * Check whether the given string follows the naming rules.
443 * Returns true if @string follows the naming rules, false otherwise.
445 static bool tomoyo_correct_word2(const char *string, size_t len)
447 const char *const start = string;
448 bool in_repetition = false;
461 case '\\': /* "\\" */
474 case '{': /* "/\{" */
475 if (string - 3 < start || *(string - 3) != '/')
477 in_repetition = true;
479 case '}': /* "\}/" */
484 in_repetition = false;
486 case '0': /* "\ooo" */
490 if (!len-- || !len--)
494 if (d < '0' || d > '7' || e < '0' || e > '7')
496 c = tomoyo_make_byte(c, d, e);
497 if (c <= ' ' || c >= 127)
501 } else if (in_repetition && c == '/') {
503 } else if (c <= ' ' || c >= 127) {
515 * tomoyo_correct_word - Validate a string.
517 * @string: The string to check.
519 * Check whether the given string follows the naming rules.
520 * Returns true if @string follows the naming rules, false otherwise.
522 bool tomoyo_correct_word(const char *string)
524 return tomoyo_correct_word2(string, strlen(string));
528 * tomoyo_correct_path - Validate a pathname.
530 * @filename: The pathname to check.
532 * Check whether the given pathname follows the naming rules.
533 * Returns true if @filename follows the naming rules, false otherwise.
535 bool tomoyo_correct_path(const char *filename)
537 return *filename == '/' && tomoyo_correct_word(filename);
541 * tomoyo_correct_domain - Check whether the given domainname follows the naming rules.
543 * @domainname: The domainname to check.
545 * Returns true if @domainname follows the naming rules, false otherwise.
547 bool tomoyo_correct_domain(const unsigned char *domainname)
549 if (!domainname || !tomoyo_domain_def(domainname))
551 domainname = strchr(domainname, ' ');
555 const unsigned char *cp = strchr(domainname, ' ');
558 if (*domainname != '/' ||
559 !tomoyo_correct_word2(domainname, cp - domainname))
563 return tomoyo_correct_path(domainname);
567 * tomoyo_domain_def - Check whether the given token can be a domainname.
569 * @buffer: The token to check.
571 * Returns true if @buffer possibly be a domainname, false otherwise.
573 bool tomoyo_domain_def(const unsigned char *buffer)
575 const unsigned char *cp;
579 cp = strchr(buffer, ' ');
581 len = strlen(buffer);
584 if (buffer[len - 1] != '>' ||
585 !tomoyo_correct_word2(buffer + 1, len - 2))
591 * tomoyo_find_domain - Find a domain by the given name.
593 * @domainname: The domainname to find.
595 * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
597 * Caller holds tomoyo_read_lock().
599 struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
601 struct tomoyo_domain_info *domain;
602 struct tomoyo_path_info name;
604 name.name = domainname;
605 tomoyo_fill_path_info(&name);
606 list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
607 if (!domain->is_deleted &&
608 !tomoyo_pathcmp(&name, domain->domainname))
615 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
617 * @filename: The string to evaluate.
619 * Returns the initial length without a pattern in @filename.
621 static int tomoyo_const_part_length(const char *filename)
628 while ((c = *filename++) != '\0') {
635 case '\\': /* "\\" */
638 case '0': /* "\ooo" */
643 if (c < '0' || c > '7')
646 if (c < '0' || c > '7')
657 * tomoyo_fill_path_info - Fill in "struct tomoyo_path_info" members.
659 * @ptr: Pointer to "struct tomoyo_path_info" to fill in.
661 * The caller sets "struct tomoyo_path_info"->name.
663 void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
665 const char *name = ptr->name;
666 const int len = strlen(name);
668 ptr->const_len = tomoyo_const_part_length(name);
669 ptr->is_dir = len && (name[len - 1] == '/');
670 ptr->is_patterned = (ptr->const_len < len);
671 ptr->hash = full_name_hash(NULL, name, len);
675 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character and "\-" pattern.
677 * @filename: The start of string to check.
678 * @filename_end: The end of string to check.
679 * @pattern: The start of pattern to compare.
680 * @pattern_end: The end of pattern to compare.
682 * Returns true if @filename matches @pattern, false otherwise.
684 static bool tomoyo_file_matches_pattern2(const char *filename,
685 const char *filename_end,
687 const char *pattern_end)
689 while (filename < filename_end && pattern < pattern_end) {
691 if (*pattern != '\\') {
692 if (*filename++ != *pattern++)
704 } else if (c == '\\') {
705 if (filename[1] == '\\')
707 else if (tomoyo_byte_range(filename + 1))
716 if (*++filename != '\\')
728 if (!tomoyo_alphabet_char(c))
735 if (c == '\\' && tomoyo_byte_range(filename + 1)
736 && strncmp(filename + 1, pattern, 3) == 0) {
741 return false; /* Not matched. */
744 for (i = 0; i <= filename_end - filename; i++) {
745 if (tomoyo_file_matches_pattern2(
746 filename + i, filename_end,
747 pattern + 1, pattern_end))
750 if (c == '.' && *pattern == '@')
754 if (filename[i + 1] == '\\')
756 else if (tomoyo_byte_range(filename + i + 1))
759 break; /* Bad pattern. */
761 return false; /* Not matched. */
766 while (isdigit(filename[j]))
768 } else if (c == 'X') {
769 while (isxdigit(filename[j]))
771 } else if (c == 'A') {
772 while (tomoyo_alphabet_char(filename[j]))
775 for (i = 1; i <= j; i++) {
776 if (tomoyo_file_matches_pattern2(
777 filename + i, filename_end,
778 pattern + 1, pattern_end))
781 return false; /* Not matched or bad pattern. */
786 while (*pattern == '\\' &&
787 (*(pattern + 1) == '*' || *(pattern + 1) == '@'))
789 return filename == filename_end && pattern == pattern_end;
793 * tomoyo_file_matches_pattern - Pattern matching without '/' character.
795 * @filename: The start of string to check.
796 * @filename_end: The end of string to check.
797 * @pattern: The start of pattern to compare.
798 * @pattern_end: The end of pattern to compare.
800 * Returns true if @filename matches @pattern, false otherwise.
802 static bool tomoyo_file_matches_pattern(const char *filename,
803 const char *filename_end,
805 const char *pattern_end)
807 const char *pattern_start = pattern;
811 while (pattern < pattern_end - 1) {
812 /* Split at "\-" pattern. */
813 if (*pattern++ != '\\' || *pattern++ != '-')
815 result = tomoyo_file_matches_pattern2(filename,
824 pattern_start = pattern;
826 result = tomoyo_file_matches_pattern2(filename, filename_end,
827 pattern_start, pattern_end);
828 return first ? result : !result;
832 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
834 * @f: The start of string to check.
835 * @p: The start of pattern to compare.
837 * Returns true if @f matches @p, false otherwise.
839 static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
841 const char *f_delimiter;
842 const char *p_delimiter;
845 f_delimiter = strchr(f, '/');
847 f_delimiter = f + strlen(f);
848 p_delimiter = strchr(p, '/');
850 p_delimiter = p + strlen(p);
851 if (*p == '\\' && *(p + 1) == '{')
853 if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
863 /* Ignore trailing "\*" and "\@" in @pattern. */
865 (*(p + 1) == '*' || *(p + 1) == '@'))
870 * The "\{" pattern is permitted only after '/' character.
871 * This guarantees that below "*(p - 1)" is safe.
872 * Also, the "\}" pattern is permitted only before '/' character
873 * so that "\{" + "\}" pair will not break the "\-" operator.
875 if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
876 *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
877 return false; /* Bad pattern. */
879 /* Compare current component with pattern. */
880 if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
883 /* Proceed to next component. */
888 /* Continue comparison. */
889 if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
891 f_delimiter = strchr(f, '/');
892 } while (f_delimiter);
893 return false; /* Not matched. */
897 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
899 * @filename: The filename to check.
900 * @pattern: The pattern to compare.
902 * Returns true if matches, false otherwise.
904 * The following patterns are available.
906 * \ooo Octal representation of a byte.
907 * \* Zero or more repetitions of characters other than '/'.
908 * \@ Zero or more repetitions of characters other than '/' or '.'.
909 * \? 1 byte character other than '/'.
910 * \$ One or more repetitions of decimal digits.
911 * \+ 1 decimal digit.
912 * \X One or more repetitions of hexadecimal digits.
913 * \x 1 hexadecimal digit.
914 * \A One or more repetitions of alphabet characters.
915 * \a 1 alphabet character.
917 * \- Subtraction operator.
919 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
922 bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
923 const struct tomoyo_path_info *pattern)
925 const char *f = filename->name;
926 const char *p = pattern->name;
927 const int len = pattern->const_len;
929 /* If @pattern doesn't contain pattern, I can use strcmp(). */
930 if (!pattern->is_patterned)
931 return !tomoyo_pathcmp(filename, pattern);
932 /* Don't compare directory and non-directory. */
933 if (filename->is_dir != pattern->is_dir)
935 /* Compare the initial length without patterns. */
936 if (strncmp(f, p, len))
940 return tomoyo_path_matches_pattern2(f, p);
944 * tomoyo_get_exe - Get tomoyo_realpath() of current process.
946 * Returns the tomoyo_realpath() of current process on success, NULL otherwise.
948 * This function uses kzalloc(), so the caller must call kfree()
949 * if this function didn't return NULL.
951 const char *tomoyo_get_exe(void)
953 struct file *exe_file;
955 struct mm_struct *mm = current->mm;
959 exe_file = get_mm_exe_file(mm);
963 cp = tomoyo_realpath_from_path(&exe_file->f_path);
969 * tomoyo_get_mode - Get MAC mode.
971 * @ns: Pointer to "struct tomoyo_policy_namespace".
972 * @profile: Profile number.
973 * @index: Index number of functionality.
977 int tomoyo_get_mode(const struct tomoyo_policy_namespace *ns, const u8 profile,
981 struct tomoyo_profile *p;
983 if (!tomoyo_policy_loaded)
984 return TOMOYO_CONFIG_DISABLED;
985 p = tomoyo_profile(ns, profile);
986 mode = p->config[index];
987 if (mode == TOMOYO_CONFIG_USE_DEFAULT)
988 mode = p->config[tomoyo_index2category[index]
989 + TOMOYO_MAX_MAC_INDEX];
990 if (mode == TOMOYO_CONFIG_USE_DEFAULT)
991 mode = p->default_config;
996 * tomoyo_init_request_info - Initialize "struct tomoyo_request_info" members.
998 * @r: Pointer to "struct tomoyo_request_info" to initialize.
999 * @domain: Pointer to "struct tomoyo_domain_info". NULL for tomoyo_domain().
1000 * @index: Index number of functionality.
1004 int tomoyo_init_request_info(struct tomoyo_request_info *r,
1005 struct tomoyo_domain_info *domain, const u8 index)
1008 memset(r, 0, sizeof(*r));
1010 domain = tomoyo_domain();
1012 profile = domain->profile;
1013 r->profile = profile;
1015 r->mode = tomoyo_get_mode(domain->ns, profile, index);
1020 * tomoyo_domain_quota_is_ok - Check for domain's quota.
1022 * @r: Pointer to "struct tomoyo_request_info".
1024 * Returns true if the domain is not exceeded quota, false otherwise.
1026 * Caller holds tomoyo_read_lock().
1028 bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
1030 unsigned int count = 0;
1031 struct tomoyo_domain_info *domain = r->domain;
1032 struct tomoyo_acl_info *ptr;
1034 if (r->mode != TOMOYO_CONFIG_LEARNING)
1038 list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
1041 if (ptr->is_deleted)
1043 switch (ptr->type) {
1044 case TOMOYO_TYPE_PATH_ACL:
1045 perm = container_of(ptr, struct tomoyo_path_acl, head)
1048 case TOMOYO_TYPE_PATH2_ACL:
1049 perm = container_of(ptr, struct tomoyo_path2_acl, head)
1052 case TOMOYO_TYPE_PATH_NUMBER_ACL:
1053 perm = container_of(ptr, struct tomoyo_path_number_acl,
1056 case TOMOYO_TYPE_MKDEV_ACL:
1057 perm = container_of(ptr, struct tomoyo_mkdev_acl,
1060 case TOMOYO_TYPE_INET_ACL:
1061 perm = container_of(ptr, struct tomoyo_inet_acl,
1064 case TOMOYO_TYPE_UNIX_ACL:
1065 perm = container_of(ptr, struct tomoyo_unix_acl,
1068 case TOMOYO_TYPE_MANUAL_TASK_ACL:
1074 for (i = 0; i < 16; i++)
1075 if (perm & (1 << i))
1078 if (count < tomoyo_profile(domain->ns, domain->profile)->
1079 pref[TOMOYO_PREF_MAX_LEARNING_ENTRY])
1081 if (!domain->flags[TOMOYO_DIF_QUOTA_WARNED]) {
1082 domain->flags[TOMOYO_DIF_QUOTA_WARNED] = true;
1083 /* r->granted = false; */
1084 tomoyo_write_log(r, "%s", tomoyo_dif[TOMOYO_DIF_QUOTA_WARNED]);
1085 printk(KERN_WARNING "WARNING: "
1086 "Domain '%s' has too many ACLs to hold. "
1087 "Stopped learning mode.\n", domain->domainname->name);
git.samba.org / sfrench / cifs-2.6.git / blob