18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0 28c2ecf20Sopenharmony_ci/* 38c2ecf20Sopenharmony_ci * security/tomoyo/file.c 48c2ecf20Sopenharmony_ci * 58c2ecf20Sopenharmony_ci * Copyright (C) 2005-2011 NTT DATA CORPORATION 68c2ecf20Sopenharmony_ci */ 78c2ecf20Sopenharmony_ci 88c2ecf20Sopenharmony_ci#include "common.h" 98c2ecf20Sopenharmony_ci#include <linux/slab.h> 108c2ecf20Sopenharmony_ci 118c2ecf20Sopenharmony_ci/* 128c2ecf20Sopenharmony_ci * Mapping table from "enum tomoyo_path_acl_index" to "enum tomoyo_mac_index". 138c2ecf20Sopenharmony_ci */ 148c2ecf20Sopenharmony_cistatic const u8 tomoyo_p2mac[TOMOYO_MAX_PATH_OPERATION] = { 158c2ecf20Sopenharmony_ci [TOMOYO_TYPE_EXECUTE] = TOMOYO_MAC_FILE_EXECUTE, 168c2ecf20Sopenharmony_ci [TOMOYO_TYPE_READ] = TOMOYO_MAC_FILE_OPEN, 178c2ecf20Sopenharmony_ci [TOMOYO_TYPE_WRITE] = TOMOYO_MAC_FILE_OPEN, 188c2ecf20Sopenharmony_ci [TOMOYO_TYPE_APPEND] = TOMOYO_MAC_FILE_OPEN, 198c2ecf20Sopenharmony_ci [TOMOYO_TYPE_UNLINK] = TOMOYO_MAC_FILE_UNLINK, 208c2ecf20Sopenharmony_ci [TOMOYO_TYPE_GETATTR] = TOMOYO_MAC_FILE_GETATTR, 218c2ecf20Sopenharmony_ci [TOMOYO_TYPE_RMDIR] = TOMOYO_MAC_FILE_RMDIR, 228c2ecf20Sopenharmony_ci [TOMOYO_TYPE_TRUNCATE] = TOMOYO_MAC_FILE_TRUNCATE, 238c2ecf20Sopenharmony_ci [TOMOYO_TYPE_SYMLINK] = TOMOYO_MAC_FILE_SYMLINK, 248c2ecf20Sopenharmony_ci [TOMOYO_TYPE_CHROOT] = TOMOYO_MAC_FILE_CHROOT, 258c2ecf20Sopenharmony_ci [TOMOYO_TYPE_UMOUNT] = TOMOYO_MAC_FILE_UMOUNT, 268c2ecf20Sopenharmony_ci}; 278c2ecf20Sopenharmony_ci 288c2ecf20Sopenharmony_ci/* 298c2ecf20Sopenharmony_ci * Mapping table from "enum tomoyo_mkdev_acl_index" to "enum tomoyo_mac_index". 308c2ecf20Sopenharmony_ci */ 318c2ecf20Sopenharmony_ciconst u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION] = { 328c2ecf20Sopenharmony_ci [TOMOYO_TYPE_MKBLOCK] = TOMOYO_MAC_FILE_MKBLOCK, 338c2ecf20Sopenharmony_ci [TOMOYO_TYPE_MKCHAR] = TOMOYO_MAC_FILE_MKCHAR, 348c2ecf20Sopenharmony_ci}; 358c2ecf20Sopenharmony_ci 368c2ecf20Sopenharmony_ci/* 378c2ecf20Sopenharmony_ci * Mapping table from "enum tomoyo_path2_acl_index" to "enum tomoyo_mac_index". 388c2ecf20Sopenharmony_ci */ 398c2ecf20Sopenharmony_ciconst u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION] = { 408c2ecf20Sopenharmony_ci [TOMOYO_TYPE_LINK] = TOMOYO_MAC_FILE_LINK, 418c2ecf20Sopenharmony_ci [TOMOYO_TYPE_RENAME] = TOMOYO_MAC_FILE_RENAME, 428c2ecf20Sopenharmony_ci [TOMOYO_TYPE_PIVOT_ROOT] = TOMOYO_MAC_FILE_PIVOT_ROOT, 438c2ecf20Sopenharmony_ci}; 448c2ecf20Sopenharmony_ci 458c2ecf20Sopenharmony_ci/* 468c2ecf20Sopenharmony_ci * Mapping table from "enum tomoyo_path_number_acl_index" to 478c2ecf20Sopenharmony_ci * "enum tomoyo_mac_index". 488c2ecf20Sopenharmony_ci */ 498c2ecf20Sopenharmony_ciconst u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION] = { 508c2ecf20Sopenharmony_ci [TOMOYO_TYPE_CREATE] = TOMOYO_MAC_FILE_CREATE, 518c2ecf20Sopenharmony_ci [TOMOYO_TYPE_MKDIR] = TOMOYO_MAC_FILE_MKDIR, 528c2ecf20Sopenharmony_ci [TOMOYO_TYPE_MKFIFO] = TOMOYO_MAC_FILE_MKFIFO, 538c2ecf20Sopenharmony_ci [TOMOYO_TYPE_MKSOCK] = TOMOYO_MAC_FILE_MKSOCK, 548c2ecf20Sopenharmony_ci [TOMOYO_TYPE_IOCTL] = TOMOYO_MAC_FILE_IOCTL, 558c2ecf20Sopenharmony_ci [TOMOYO_TYPE_CHMOD] = TOMOYO_MAC_FILE_CHMOD, 568c2ecf20Sopenharmony_ci [TOMOYO_TYPE_CHOWN] = TOMOYO_MAC_FILE_CHOWN, 578c2ecf20Sopenharmony_ci [TOMOYO_TYPE_CHGRP] = TOMOYO_MAC_FILE_CHGRP, 588c2ecf20Sopenharmony_ci}; 598c2ecf20Sopenharmony_ci 608c2ecf20Sopenharmony_ci/** 618c2ecf20Sopenharmony_ci * tomoyo_put_name_union - Drop reference on "struct tomoyo_name_union". 628c2ecf20Sopenharmony_ci * 638c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_name_union". 648c2ecf20Sopenharmony_ci * 658c2ecf20Sopenharmony_ci * Returns nothing. 668c2ecf20Sopenharmony_ci */ 678c2ecf20Sopenharmony_civoid tomoyo_put_name_union(struct tomoyo_name_union *ptr) 688c2ecf20Sopenharmony_ci{ 698c2ecf20Sopenharmony_ci tomoyo_put_group(ptr->group); 708c2ecf20Sopenharmony_ci tomoyo_put_name(ptr->filename); 718c2ecf20Sopenharmony_ci} 728c2ecf20Sopenharmony_ci 738c2ecf20Sopenharmony_ci/** 748c2ecf20Sopenharmony_ci * tomoyo_compare_name_union - Check whether a name matches "struct tomoyo_name_union" or not. 758c2ecf20Sopenharmony_ci * 768c2ecf20Sopenharmony_ci * @name: Pointer to "struct tomoyo_path_info". 778c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_name_union". 788c2ecf20Sopenharmony_ci * 798c2ecf20Sopenharmony_ci * Returns "struct tomoyo_path_info" if @name matches @ptr, NULL otherwise. 808c2ecf20Sopenharmony_ci */ 818c2ecf20Sopenharmony_ciconst struct tomoyo_path_info * 828c2ecf20Sopenharmony_citomoyo_compare_name_union(const struct tomoyo_path_info *name, 838c2ecf20Sopenharmony_ci const struct tomoyo_name_union *ptr) 848c2ecf20Sopenharmony_ci{ 858c2ecf20Sopenharmony_ci if (ptr->group) 868c2ecf20Sopenharmony_ci return tomoyo_path_matches_group(name, ptr->group); 878c2ecf20Sopenharmony_ci if (tomoyo_path_matches_pattern(name, ptr->filename)) 888c2ecf20Sopenharmony_ci return ptr->filename; 898c2ecf20Sopenharmony_ci return NULL; 908c2ecf20Sopenharmony_ci} 918c2ecf20Sopenharmony_ci 928c2ecf20Sopenharmony_ci/** 938c2ecf20Sopenharmony_ci * tomoyo_put_number_union - Drop reference on "struct tomoyo_number_union". 948c2ecf20Sopenharmony_ci * 958c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_number_union". 968c2ecf20Sopenharmony_ci * 978c2ecf20Sopenharmony_ci * Returns nothing. 988c2ecf20Sopenharmony_ci */ 998c2ecf20Sopenharmony_civoid tomoyo_put_number_union(struct tomoyo_number_union *ptr) 1008c2ecf20Sopenharmony_ci{ 1018c2ecf20Sopenharmony_ci tomoyo_put_group(ptr->group); 1028c2ecf20Sopenharmony_ci} 1038c2ecf20Sopenharmony_ci 1048c2ecf20Sopenharmony_ci/** 1058c2ecf20Sopenharmony_ci * tomoyo_compare_number_union - Check whether a value matches "struct tomoyo_number_union" or not. 1068c2ecf20Sopenharmony_ci * 1078c2ecf20Sopenharmony_ci * @value: Number to check. 1088c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_number_union". 1098c2ecf20Sopenharmony_ci * 1108c2ecf20Sopenharmony_ci * Returns true if @value matches @ptr, false otherwise. 1118c2ecf20Sopenharmony_ci */ 1128c2ecf20Sopenharmony_cibool tomoyo_compare_number_union(const unsigned long value, 1138c2ecf20Sopenharmony_ci const struct tomoyo_number_union *ptr) 1148c2ecf20Sopenharmony_ci{ 1158c2ecf20Sopenharmony_ci if (ptr->group) 1168c2ecf20Sopenharmony_ci return tomoyo_number_matches_group(value, value, ptr->group); 1178c2ecf20Sopenharmony_ci return value >= ptr->values[0] && value <= ptr->values[1]; 1188c2ecf20Sopenharmony_ci} 1198c2ecf20Sopenharmony_ci 1208c2ecf20Sopenharmony_ci/** 1218c2ecf20Sopenharmony_ci * tomoyo_add_slash - Add trailing '/' if needed. 1228c2ecf20Sopenharmony_ci * 1238c2ecf20Sopenharmony_ci * @buf: Pointer to "struct tomoyo_path_info". 1248c2ecf20Sopenharmony_ci * 1258c2ecf20Sopenharmony_ci * Returns nothing. 1268c2ecf20Sopenharmony_ci * 1278c2ecf20Sopenharmony_ci * @buf must be generated by tomoyo_encode() because this function does not 1288c2ecf20Sopenharmony_ci * allocate memory for adding '/'. 1298c2ecf20Sopenharmony_ci */ 1308c2ecf20Sopenharmony_cistatic void tomoyo_add_slash(struct tomoyo_path_info *buf) 1318c2ecf20Sopenharmony_ci{ 1328c2ecf20Sopenharmony_ci if (buf->is_dir) 1338c2ecf20Sopenharmony_ci return; 1348c2ecf20Sopenharmony_ci /* 1358c2ecf20Sopenharmony_ci * This is OK because tomoyo_encode() reserves space for appending "/". 1368c2ecf20Sopenharmony_ci */ 1378c2ecf20Sopenharmony_ci strcat((char *) buf->name, "/"); 1388c2ecf20Sopenharmony_ci tomoyo_fill_path_info(buf); 1398c2ecf20Sopenharmony_ci} 1408c2ecf20Sopenharmony_ci 1418c2ecf20Sopenharmony_ci/** 1428c2ecf20Sopenharmony_ci * tomoyo_get_realpath - Get realpath. 1438c2ecf20Sopenharmony_ci * 1448c2ecf20Sopenharmony_ci * @buf: Pointer to "struct tomoyo_path_info". 1458c2ecf20Sopenharmony_ci * @path: Pointer to "struct path". 1468c2ecf20Sopenharmony_ci * 1478c2ecf20Sopenharmony_ci * Returns true on success, false otherwise. 1488c2ecf20Sopenharmony_ci */ 1498c2ecf20Sopenharmony_cistatic bool tomoyo_get_realpath(struct tomoyo_path_info *buf, const struct path *path) 1508c2ecf20Sopenharmony_ci{ 1518c2ecf20Sopenharmony_ci buf->name = tomoyo_realpath_from_path(path); 1528c2ecf20Sopenharmony_ci if (buf->name) { 1538c2ecf20Sopenharmony_ci tomoyo_fill_path_info(buf); 1548c2ecf20Sopenharmony_ci return true; 1558c2ecf20Sopenharmony_ci } 1568c2ecf20Sopenharmony_ci return false; 1578c2ecf20Sopenharmony_ci} 1588c2ecf20Sopenharmony_ci 1598c2ecf20Sopenharmony_ci/** 1608c2ecf20Sopenharmony_ci * tomoyo_audit_path_log - Audit path request log. 1618c2ecf20Sopenharmony_ci * 1628c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 1638c2ecf20Sopenharmony_ci * 1648c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 1658c2ecf20Sopenharmony_ci */ 1668c2ecf20Sopenharmony_cistatic int tomoyo_audit_path_log(struct tomoyo_request_info *r) 1678c2ecf20Sopenharmony_ci{ 1688c2ecf20Sopenharmony_ci return tomoyo_supervisor(r, "file %s %s\n", tomoyo_path_keyword 1698c2ecf20Sopenharmony_ci [r->param.path.operation], 1708c2ecf20Sopenharmony_ci r->param.path.filename->name); 1718c2ecf20Sopenharmony_ci} 1728c2ecf20Sopenharmony_ci 1738c2ecf20Sopenharmony_ci/** 1748c2ecf20Sopenharmony_ci * tomoyo_audit_path2_log - Audit path/path request log. 1758c2ecf20Sopenharmony_ci * 1768c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 1778c2ecf20Sopenharmony_ci * 1788c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 1798c2ecf20Sopenharmony_ci */ 1808c2ecf20Sopenharmony_cistatic int tomoyo_audit_path2_log(struct tomoyo_request_info *r) 1818c2ecf20Sopenharmony_ci{ 1828c2ecf20Sopenharmony_ci return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_mac_keywords 1838c2ecf20Sopenharmony_ci [tomoyo_pp2mac[r->param.path2.operation]], 1848c2ecf20Sopenharmony_ci r->param.path2.filename1->name, 1858c2ecf20Sopenharmony_ci r->param.path2.filename2->name); 1868c2ecf20Sopenharmony_ci} 1878c2ecf20Sopenharmony_ci 1888c2ecf20Sopenharmony_ci/** 1898c2ecf20Sopenharmony_ci * tomoyo_audit_mkdev_log - Audit path/number/number/number request log. 1908c2ecf20Sopenharmony_ci * 1918c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 1928c2ecf20Sopenharmony_ci * 1938c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 1948c2ecf20Sopenharmony_ci */ 1958c2ecf20Sopenharmony_cistatic int tomoyo_audit_mkdev_log(struct tomoyo_request_info *r) 1968c2ecf20Sopenharmony_ci{ 1978c2ecf20Sopenharmony_ci return tomoyo_supervisor(r, "file %s %s 0%o %u %u\n", 1988c2ecf20Sopenharmony_ci tomoyo_mac_keywords 1998c2ecf20Sopenharmony_ci [tomoyo_pnnn2mac[r->param.mkdev.operation]], 2008c2ecf20Sopenharmony_ci r->param.mkdev.filename->name, 2018c2ecf20Sopenharmony_ci r->param.mkdev.mode, r->param.mkdev.major, 2028c2ecf20Sopenharmony_ci r->param.mkdev.minor); 2038c2ecf20Sopenharmony_ci} 2048c2ecf20Sopenharmony_ci 2058c2ecf20Sopenharmony_ci/** 2068c2ecf20Sopenharmony_ci * tomoyo_audit_path_number_log - Audit path/number request log. 2078c2ecf20Sopenharmony_ci * 2088c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 2098c2ecf20Sopenharmony_ci * 2108c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 2118c2ecf20Sopenharmony_ci */ 2128c2ecf20Sopenharmony_cistatic int tomoyo_audit_path_number_log(struct tomoyo_request_info *r) 2138c2ecf20Sopenharmony_ci{ 2148c2ecf20Sopenharmony_ci const u8 type = r->param.path_number.operation; 2158c2ecf20Sopenharmony_ci u8 radix; 2168c2ecf20Sopenharmony_ci char buffer[64]; 2178c2ecf20Sopenharmony_ci 2188c2ecf20Sopenharmony_ci switch (type) { 2198c2ecf20Sopenharmony_ci case TOMOYO_TYPE_CREATE: 2208c2ecf20Sopenharmony_ci case TOMOYO_TYPE_MKDIR: 2218c2ecf20Sopenharmony_ci case TOMOYO_TYPE_MKFIFO: 2228c2ecf20Sopenharmony_ci case TOMOYO_TYPE_MKSOCK: 2238c2ecf20Sopenharmony_ci case TOMOYO_TYPE_CHMOD: 2248c2ecf20Sopenharmony_ci radix = TOMOYO_VALUE_TYPE_OCTAL; 2258c2ecf20Sopenharmony_ci break; 2268c2ecf20Sopenharmony_ci case TOMOYO_TYPE_IOCTL: 2278c2ecf20Sopenharmony_ci radix = TOMOYO_VALUE_TYPE_HEXADECIMAL; 2288c2ecf20Sopenharmony_ci break; 2298c2ecf20Sopenharmony_ci default: 2308c2ecf20Sopenharmony_ci radix = TOMOYO_VALUE_TYPE_DECIMAL; 2318c2ecf20Sopenharmony_ci break; 2328c2ecf20Sopenharmony_ci } 2338c2ecf20Sopenharmony_ci tomoyo_print_ulong(buffer, sizeof(buffer), r->param.path_number.number, 2348c2ecf20Sopenharmony_ci radix); 2358c2ecf20Sopenharmony_ci return tomoyo_supervisor(r, "file %s %s %s\n", tomoyo_mac_keywords 2368c2ecf20Sopenharmony_ci [tomoyo_pn2mac[type]], 2378c2ecf20Sopenharmony_ci r->param.path_number.filename->name, buffer); 2388c2ecf20Sopenharmony_ci} 2398c2ecf20Sopenharmony_ci 2408c2ecf20Sopenharmony_ci/** 2418c2ecf20Sopenharmony_ci * tomoyo_check_path_acl - Check permission for path operation. 2428c2ecf20Sopenharmony_ci * 2438c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 2448c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_acl_info". 2458c2ecf20Sopenharmony_ci * 2468c2ecf20Sopenharmony_ci * Returns true if granted, false otherwise. 2478c2ecf20Sopenharmony_ci * 2488c2ecf20Sopenharmony_ci * To be able to use wildcard for domain transition, this function sets 2498c2ecf20Sopenharmony_ci * matching entry on success. Since the caller holds tomoyo_read_lock(), 2508c2ecf20Sopenharmony_ci * it is safe to set matching entry. 2518c2ecf20Sopenharmony_ci */ 2528c2ecf20Sopenharmony_cistatic bool tomoyo_check_path_acl(struct tomoyo_request_info *r, 2538c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *ptr) 2548c2ecf20Sopenharmony_ci{ 2558c2ecf20Sopenharmony_ci const struct tomoyo_path_acl *acl = container_of(ptr, typeof(*acl), 2568c2ecf20Sopenharmony_ci head); 2578c2ecf20Sopenharmony_ci 2588c2ecf20Sopenharmony_ci if (acl->perm & (1 << r->param.path.operation)) { 2598c2ecf20Sopenharmony_ci r->param.path.matched_path = 2608c2ecf20Sopenharmony_ci tomoyo_compare_name_union(r->param.path.filename, 2618c2ecf20Sopenharmony_ci &acl->name); 2628c2ecf20Sopenharmony_ci return r->param.path.matched_path != NULL; 2638c2ecf20Sopenharmony_ci } 2648c2ecf20Sopenharmony_ci return false; 2658c2ecf20Sopenharmony_ci} 2668c2ecf20Sopenharmony_ci 2678c2ecf20Sopenharmony_ci/** 2688c2ecf20Sopenharmony_ci * tomoyo_check_path_number_acl - Check permission for path number operation. 2698c2ecf20Sopenharmony_ci * 2708c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 2718c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_acl_info". 2728c2ecf20Sopenharmony_ci * 2738c2ecf20Sopenharmony_ci * Returns true if granted, false otherwise. 2748c2ecf20Sopenharmony_ci */ 2758c2ecf20Sopenharmony_cistatic bool tomoyo_check_path_number_acl(struct tomoyo_request_info *r, 2768c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *ptr) 2778c2ecf20Sopenharmony_ci{ 2788c2ecf20Sopenharmony_ci const struct tomoyo_path_number_acl *acl = 2798c2ecf20Sopenharmony_ci container_of(ptr, typeof(*acl), head); 2808c2ecf20Sopenharmony_ci 2818c2ecf20Sopenharmony_ci return (acl->perm & (1 << r->param.path_number.operation)) && 2828c2ecf20Sopenharmony_ci tomoyo_compare_number_union(r->param.path_number.number, 2838c2ecf20Sopenharmony_ci &acl->number) && 2848c2ecf20Sopenharmony_ci tomoyo_compare_name_union(r->param.path_number.filename, 2858c2ecf20Sopenharmony_ci &acl->name); 2868c2ecf20Sopenharmony_ci} 2878c2ecf20Sopenharmony_ci 2888c2ecf20Sopenharmony_ci/** 2898c2ecf20Sopenharmony_ci * tomoyo_check_path2_acl - Check permission for path path operation. 2908c2ecf20Sopenharmony_ci * 2918c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 2928c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_acl_info". 2938c2ecf20Sopenharmony_ci * 2948c2ecf20Sopenharmony_ci * Returns true if granted, false otherwise. 2958c2ecf20Sopenharmony_ci */ 2968c2ecf20Sopenharmony_cistatic bool tomoyo_check_path2_acl(struct tomoyo_request_info *r, 2978c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *ptr) 2988c2ecf20Sopenharmony_ci{ 2998c2ecf20Sopenharmony_ci const struct tomoyo_path2_acl *acl = 3008c2ecf20Sopenharmony_ci container_of(ptr, typeof(*acl), head); 3018c2ecf20Sopenharmony_ci 3028c2ecf20Sopenharmony_ci return (acl->perm & (1 << r->param.path2.operation)) && 3038c2ecf20Sopenharmony_ci tomoyo_compare_name_union(r->param.path2.filename1, &acl->name1) 3048c2ecf20Sopenharmony_ci && tomoyo_compare_name_union(r->param.path2.filename2, 3058c2ecf20Sopenharmony_ci &acl->name2); 3068c2ecf20Sopenharmony_ci} 3078c2ecf20Sopenharmony_ci 3088c2ecf20Sopenharmony_ci/** 3098c2ecf20Sopenharmony_ci * tomoyo_check_mkdev_acl - Check permission for path number number number operation. 3108c2ecf20Sopenharmony_ci * 3118c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 3128c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_acl_info". 3138c2ecf20Sopenharmony_ci * 3148c2ecf20Sopenharmony_ci * Returns true if granted, false otherwise. 3158c2ecf20Sopenharmony_ci */ 3168c2ecf20Sopenharmony_cistatic bool tomoyo_check_mkdev_acl(struct tomoyo_request_info *r, 3178c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *ptr) 3188c2ecf20Sopenharmony_ci{ 3198c2ecf20Sopenharmony_ci const struct tomoyo_mkdev_acl *acl = 3208c2ecf20Sopenharmony_ci container_of(ptr, typeof(*acl), head); 3218c2ecf20Sopenharmony_ci 3228c2ecf20Sopenharmony_ci return (acl->perm & (1 << r->param.mkdev.operation)) && 3238c2ecf20Sopenharmony_ci tomoyo_compare_number_union(r->param.mkdev.mode, 3248c2ecf20Sopenharmony_ci &acl->mode) && 3258c2ecf20Sopenharmony_ci tomoyo_compare_number_union(r->param.mkdev.major, 3268c2ecf20Sopenharmony_ci &acl->major) && 3278c2ecf20Sopenharmony_ci tomoyo_compare_number_union(r->param.mkdev.minor, 3288c2ecf20Sopenharmony_ci &acl->minor) && 3298c2ecf20Sopenharmony_ci tomoyo_compare_name_union(r->param.mkdev.filename, 3308c2ecf20Sopenharmony_ci &acl->name); 3318c2ecf20Sopenharmony_ci} 3328c2ecf20Sopenharmony_ci 3338c2ecf20Sopenharmony_ci/** 3348c2ecf20Sopenharmony_ci * tomoyo_same_path_acl - Check for duplicated "struct tomoyo_path_acl" entry. 3358c2ecf20Sopenharmony_ci * 3368c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 3378c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 3388c2ecf20Sopenharmony_ci * 3398c2ecf20Sopenharmony_ci * Returns true if @a == @b except permission bits, false otherwise. 3408c2ecf20Sopenharmony_ci */ 3418c2ecf20Sopenharmony_cistatic bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a, 3428c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *b) 3438c2ecf20Sopenharmony_ci{ 3448c2ecf20Sopenharmony_ci const struct tomoyo_path_acl *p1 = container_of(a, typeof(*p1), head); 3458c2ecf20Sopenharmony_ci const struct tomoyo_path_acl *p2 = container_of(b, typeof(*p2), head); 3468c2ecf20Sopenharmony_ci 3478c2ecf20Sopenharmony_ci return tomoyo_same_name_union(&p1->name, &p2->name); 3488c2ecf20Sopenharmony_ci} 3498c2ecf20Sopenharmony_ci 3508c2ecf20Sopenharmony_ci/** 3518c2ecf20Sopenharmony_ci * tomoyo_merge_path_acl - Merge duplicated "struct tomoyo_path_acl" entry. 3528c2ecf20Sopenharmony_ci * 3538c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 3548c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 3558c2ecf20Sopenharmony_ci * @is_delete: True for @a &= ~@b, false for @a |= @b. 3568c2ecf20Sopenharmony_ci * 3578c2ecf20Sopenharmony_ci * Returns true if @a is empty, false otherwise. 3588c2ecf20Sopenharmony_ci */ 3598c2ecf20Sopenharmony_cistatic bool tomoyo_merge_path_acl(struct tomoyo_acl_info *a, 3608c2ecf20Sopenharmony_ci struct tomoyo_acl_info *b, 3618c2ecf20Sopenharmony_ci const bool is_delete) 3628c2ecf20Sopenharmony_ci{ 3638c2ecf20Sopenharmony_ci u16 * const a_perm = &container_of(a, struct tomoyo_path_acl, head) 3648c2ecf20Sopenharmony_ci ->perm; 3658c2ecf20Sopenharmony_ci u16 perm = READ_ONCE(*a_perm); 3668c2ecf20Sopenharmony_ci const u16 b_perm = container_of(b, struct tomoyo_path_acl, head)->perm; 3678c2ecf20Sopenharmony_ci 3688c2ecf20Sopenharmony_ci if (is_delete) 3698c2ecf20Sopenharmony_ci perm &= ~b_perm; 3708c2ecf20Sopenharmony_ci else 3718c2ecf20Sopenharmony_ci perm |= b_perm; 3728c2ecf20Sopenharmony_ci WRITE_ONCE(*a_perm, perm); 3738c2ecf20Sopenharmony_ci return !perm; 3748c2ecf20Sopenharmony_ci} 3758c2ecf20Sopenharmony_ci 3768c2ecf20Sopenharmony_ci/** 3778c2ecf20Sopenharmony_ci * tomoyo_update_path_acl - Update "struct tomoyo_path_acl" list. 3788c2ecf20Sopenharmony_ci * 3798c2ecf20Sopenharmony_ci * @perm: Permission. 3808c2ecf20Sopenharmony_ci * @param: Pointer to "struct tomoyo_acl_param". 3818c2ecf20Sopenharmony_ci * 3828c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 3838c2ecf20Sopenharmony_ci * 3848c2ecf20Sopenharmony_ci * Caller holds tomoyo_read_lock(). 3858c2ecf20Sopenharmony_ci */ 3868c2ecf20Sopenharmony_cistatic int tomoyo_update_path_acl(const u16 perm, 3878c2ecf20Sopenharmony_ci struct tomoyo_acl_param *param) 3888c2ecf20Sopenharmony_ci{ 3898c2ecf20Sopenharmony_ci struct tomoyo_path_acl e = { 3908c2ecf20Sopenharmony_ci .head.type = TOMOYO_TYPE_PATH_ACL, 3918c2ecf20Sopenharmony_ci .perm = perm 3928c2ecf20Sopenharmony_ci }; 3938c2ecf20Sopenharmony_ci int error; 3948c2ecf20Sopenharmony_ci 3958c2ecf20Sopenharmony_ci if (!tomoyo_parse_name_union(param, &e.name)) 3968c2ecf20Sopenharmony_ci error = -EINVAL; 3978c2ecf20Sopenharmony_ci else 3988c2ecf20Sopenharmony_ci error = tomoyo_update_domain(&e.head, sizeof(e), param, 3998c2ecf20Sopenharmony_ci tomoyo_same_path_acl, 4008c2ecf20Sopenharmony_ci tomoyo_merge_path_acl); 4018c2ecf20Sopenharmony_ci tomoyo_put_name_union(&e.name); 4028c2ecf20Sopenharmony_ci return error; 4038c2ecf20Sopenharmony_ci} 4048c2ecf20Sopenharmony_ci 4058c2ecf20Sopenharmony_ci/** 4068c2ecf20Sopenharmony_ci * tomoyo_same_mkdev_acl - Check for duplicated "struct tomoyo_mkdev_acl" entry. 4078c2ecf20Sopenharmony_ci * 4088c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 4098c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 4108c2ecf20Sopenharmony_ci * 4118c2ecf20Sopenharmony_ci * Returns true if @a == @b except permission bits, false otherwise. 4128c2ecf20Sopenharmony_ci */ 4138c2ecf20Sopenharmony_cistatic bool tomoyo_same_mkdev_acl(const struct tomoyo_acl_info *a, 4148c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *b) 4158c2ecf20Sopenharmony_ci{ 4168c2ecf20Sopenharmony_ci const struct tomoyo_mkdev_acl *p1 = container_of(a, typeof(*p1), head); 4178c2ecf20Sopenharmony_ci const struct tomoyo_mkdev_acl *p2 = container_of(b, typeof(*p2), head); 4188c2ecf20Sopenharmony_ci 4198c2ecf20Sopenharmony_ci return tomoyo_same_name_union(&p1->name, &p2->name) && 4208c2ecf20Sopenharmony_ci tomoyo_same_number_union(&p1->mode, &p2->mode) && 4218c2ecf20Sopenharmony_ci tomoyo_same_number_union(&p1->major, &p2->major) && 4228c2ecf20Sopenharmony_ci tomoyo_same_number_union(&p1->minor, &p2->minor); 4238c2ecf20Sopenharmony_ci} 4248c2ecf20Sopenharmony_ci 4258c2ecf20Sopenharmony_ci/** 4268c2ecf20Sopenharmony_ci * tomoyo_merge_mkdev_acl - Merge duplicated "struct tomoyo_mkdev_acl" entry. 4278c2ecf20Sopenharmony_ci * 4288c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 4298c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 4308c2ecf20Sopenharmony_ci * @is_delete: True for @a &= ~@b, false for @a |= @b. 4318c2ecf20Sopenharmony_ci * 4328c2ecf20Sopenharmony_ci * Returns true if @a is empty, false otherwise. 4338c2ecf20Sopenharmony_ci */ 4348c2ecf20Sopenharmony_cistatic bool tomoyo_merge_mkdev_acl(struct tomoyo_acl_info *a, 4358c2ecf20Sopenharmony_ci struct tomoyo_acl_info *b, 4368c2ecf20Sopenharmony_ci const bool is_delete) 4378c2ecf20Sopenharmony_ci{ 4388c2ecf20Sopenharmony_ci u8 *const a_perm = &container_of(a, struct tomoyo_mkdev_acl, 4398c2ecf20Sopenharmony_ci head)->perm; 4408c2ecf20Sopenharmony_ci u8 perm = READ_ONCE(*a_perm); 4418c2ecf20Sopenharmony_ci const u8 b_perm = container_of(b, struct tomoyo_mkdev_acl, head) 4428c2ecf20Sopenharmony_ci ->perm; 4438c2ecf20Sopenharmony_ci 4448c2ecf20Sopenharmony_ci if (is_delete) 4458c2ecf20Sopenharmony_ci perm &= ~b_perm; 4468c2ecf20Sopenharmony_ci else 4478c2ecf20Sopenharmony_ci perm |= b_perm; 4488c2ecf20Sopenharmony_ci WRITE_ONCE(*a_perm, perm); 4498c2ecf20Sopenharmony_ci return !perm; 4508c2ecf20Sopenharmony_ci} 4518c2ecf20Sopenharmony_ci 4528c2ecf20Sopenharmony_ci/** 4538c2ecf20Sopenharmony_ci * tomoyo_update_mkdev_acl - Update "struct tomoyo_mkdev_acl" list. 4548c2ecf20Sopenharmony_ci * 4558c2ecf20Sopenharmony_ci * @perm: Permission. 4568c2ecf20Sopenharmony_ci * @param: Pointer to "struct tomoyo_acl_param". 4578c2ecf20Sopenharmony_ci * 4588c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 4598c2ecf20Sopenharmony_ci * 4608c2ecf20Sopenharmony_ci * Caller holds tomoyo_read_lock(). 4618c2ecf20Sopenharmony_ci */ 4628c2ecf20Sopenharmony_cistatic int tomoyo_update_mkdev_acl(const u8 perm, 4638c2ecf20Sopenharmony_ci struct tomoyo_acl_param *param) 4648c2ecf20Sopenharmony_ci{ 4658c2ecf20Sopenharmony_ci struct tomoyo_mkdev_acl e = { 4668c2ecf20Sopenharmony_ci .head.type = TOMOYO_TYPE_MKDEV_ACL, 4678c2ecf20Sopenharmony_ci .perm = perm 4688c2ecf20Sopenharmony_ci }; 4698c2ecf20Sopenharmony_ci int error; 4708c2ecf20Sopenharmony_ci 4718c2ecf20Sopenharmony_ci if (!tomoyo_parse_name_union(param, &e.name) || 4728c2ecf20Sopenharmony_ci !tomoyo_parse_number_union(param, &e.mode) || 4738c2ecf20Sopenharmony_ci !tomoyo_parse_number_union(param, &e.major) || 4748c2ecf20Sopenharmony_ci !tomoyo_parse_number_union(param, &e.minor)) 4758c2ecf20Sopenharmony_ci error = -EINVAL; 4768c2ecf20Sopenharmony_ci else 4778c2ecf20Sopenharmony_ci error = tomoyo_update_domain(&e.head, sizeof(e), param, 4788c2ecf20Sopenharmony_ci tomoyo_same_mkdev_acl, 4798c2ecf20Sopenharmony_ci tomoyo_merge_mkdev_acl); 4808c2ecf20Sopenharmony_ci tomoyo_put_name_union(&e.name); 4818c2ecf20Sopenharmony_ci tomoyo_put_number_union(&e.mode); 4828c2ecf20Sopenharmony_ci tomoyo_put_number_union(&e.major); 4838c2ecf20Sopenharmony_ci tomoyo_put_number_union(&e.minor); 4848c2ecf20Sopenharmony_ci return error; 4858c2ecf20Sopenharmony_ci} 4868c2ecf20Sopenharmony_ci 4878c2ecf20Sopenharmony_ci/** 4888c2ecf20Sopenharmony_ci * tomoyo_same_path2_acl - Check for duplicated "struct tomoyo_path2_acl" entry. 4898c2ecf20Sopenharmony_ci * 4908c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 4918c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 4928c2ecf20Sopenharmony_ci * 4938c2ecf20Sopenharmony_ci * Returns true if @a == @b except permission bits, false otherwise. 4948c2ecf20Sopenharmony_ci */ 4958c2ecf20Sopenharmony_cistatic bool tomoyo_same_path2_acl(const struct tomoyo_acl_info *a, 4968c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *b) 4978c2ecf20Sopenharmony_ci{ 4988c2ecf20Sopenharmony_ci const struct tomoyo_path2_acl *p1 = container_of(a, typeof(*p1), head); 4998c2ecf20Sopenharmony_ci const struct tomoyo_path2_acl *p2 = container_of(b, typeof(*p2), head); 5008c2ecf20Sopenharmony_ci 5018c2ecf20Sopenharmony_ci return tomoyo_same_name_union(&p1->name1, &p2->name1) && 5028c2ecf20Sopenharmony_ci tomoyo_same_name_union(&p1->name2, &p2->name2); 5038c2ecf20Sopenharmony_ci} 5048c2ecf20Sopenharmony_ci 5058c2ecf20Sopenharmony_ci/** 5068c2ecf20Sopenharmony_ci * tomoyo_merge_path2_acl - Merge duplicated "struct tomoyo_path2_acl" entry. 5078c2ecf20Sopenharmony_ci * 5088c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 5098c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 5108c2ecf20Sopenharmony_ci * @is_delete: True for @a &= ~@b, false for @a |= @b. 5118c2ecf20Sopenharmony_ci * 5128c2ecf20Sopenharmony_ci * Returns true if @a is empty, false otherwise. 5138c2ecf20Sopenharmony_ci */ 5148c2ecf20Sopenharmony_cistatic bool tomoyo_merge_path2_acl(struct tomoyo_acl_info *a, 5158c2ecf20Sopenharmony_ci struct tomoyo_acl_info *b, 5168c2ecf20Sopenharmony_ci const bool is_delete) 5178c2ecf20Sopenharmony_ci{ 5188c2ecf20Sopenharmony_ci u8 * const a_perm = &container_of(a, struct tomoyo_path2_acl, head) 5198c2ecf20Sopenharmony_ci ->perm; 5208c2ecf20Sopenharmony_ci u8 perm = READ_ONCE(*a_perm); 5218c2ecf20Sopenharmony_ci const u8 b_perm = container_of(b, struct tomoyo_path2_acl, head)->perm; 5228c2ecf20Sopenharmony_ci 5238c2ecf20Sopenharmony_ci if (is_delete) 5248c2ecf20Sopenharmony_ci perm &= ~b_perm; 5258c2ecf20Sopenharmony_ci else 5268c2ecf20Sopenharmony_ci perm |= b_perm; 5278c2ecf20Sopenharmony_ci WRITE_ONCE(*a_perm, perm); 5288c2ecf20Sopenharmony_ci return !perm; 5298c2ecf20Sopenharmony_ci} 5308c2ecf20Sopenharmony_ci 5318c2ecf20Sopenharmony_ci/** 5328c2ecf20Sopenharmony_ci * tomoyo_update_path2_acl - Update "struct tomoyo_path2_acl" list. 5338c2ecf20Sopenharmony_ci * 5348c2ecf20Sopenharmony_ci * @perm: Permission. 5358c2ecf20Sopenharmony_ci * @param: Pointer to "struct tomoyo_acl_param". 5368c2ecf20Sopenharmony_ci * 5378c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 5388c2ecf20Sopenharmony_ci * 5398c2ecf20Sopenharmony_ci * Caller holds tomoyo_read_lock(). 5408c2ecf20Sopenharmony_ci */ 5418c2ecf20Sopenharmony_cistatic int tomoyo_update_path2_acl(const u8 perm, 5428c2ecf20Sopenharmony_ci struct tomoyo_acl_param *param) 5438c2ecf20Sopenharmony_ci{ 5448c2ecf20Sopenharmony_ci struct tomoyo_path2_acl e = { 5458c2ecf20Sopenharmony_ci .head.type = TOMOYO_TYPE_PATH2_ACL, 5468c2ecf20Sopenharmony_ci .perm = perm 5478c2ecf20Sopenharmony_ci }; 5488c2ecf20Sopenharmony_ci int error; 5498c2ecf20Sopenharmony_ci 5508c2ecf20Sopenharmony_ci if (!tomoyo_parse_name_union(param, &e.name1) || 5518c2ecf20Sopenharmony_ci !tomoyo_parse_name_union(param, &e.name2)) 5528c2ecf20Sopenharmony_ci error = -EINVAL; 5538c2ecf20Sopenharmony_ci else 5548c2ecf20Sopenharmony_ci error = tomoyo_update_domain(&e.head, sizeof(e), param, 5558c2ecf20Sopenharmony_ci tomoyo_same_path2_acl, 5568c2ecf20Sopenharmony_ci tomoyo_merge_path2_acl); 5578c2ecf20Sopenharmony_ci tomoyo_put_name_union(&e.name1); 5588c2ecf20Sopenharmony_ci tomoyo_put_name_union(&e.name2); 5598c2ecf20Sopenharmony_ci return error; 5608c2ecf20Sopenharmony_ci} 5618c2ecf20Sopenharmony_ci 5628c2ecf20Sopenharmony_ci/** 5638c2ecf20Sopenharmony_ci * tomoyo_path_permission - Check permission for single path operation. 5648c2ecf20Sopenharmony_ci * 5658c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 5668c2ecf20Sopenharmony_ci * @operation: Type of operation. 5678c2ecf20Sopenharmony_ci * @filename: Filename to check. 5688c2ecf20Sopenharmony_ci * 5698c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 5708c2ecf20Sopenharmony_ci * 5718c2ecf20Sopenharmony_ci * Caller holds tomoyo_read_lock(). 5728c2ecf20Sopenharmony_ci */ 5738c2ecf20Sopenharmony_cistatic int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation, 5748c2ecf20Sopenharmony_ci const struct tomoyo_path_info *filename) 5758c2ecf20Sopenharmony_ci{ 5768c2ecf20Sopenharmony_ci int error; 5778c2ecf20Sopenharmony_ci 5788c2ecf20Sopenharmony_ci r->type = tomoyo_p2mac[operation]; 5798c2ecf20Sopenharmony_ci r->mode = tomoyo_get_mode(r->domain->ns, r->profile, r->type); 5808c2ecf20Sopenharmony_ci if (r->mode == TOMOYO_CONFIG_DISABLED) 5818c2ecf20Sopenharmony_ci return 0; 5828c2ecf20Sopenharmony_ci r->param_type = TOMOYO_TYPE_PATH_ACL; 5838c2ecf20Sopenharmony_ci r->param.path.filename = filename; 5848c2ecf20Sopenharmony_ci r->param.path.operation = operation; 5858c2ecf20Sopenharmony_ci do { 5868c2ecf20Sopenharmony_ci tomoyo_check_acl(r, tomoyo_check_path_acl); 5878c2ecf20Sopenharmony_ci error = tomoyo_audit_path_log(r); 5888c2ecf20Sopenharmony_ci } while (error == TOMOYO_RETRY_REQUEST); 5898c2ecf20Sopenharmony_ci return error; 5908c2ecf20Sopenharmony_ci} 5918c2ecf20Sopenharmony_ci 5928c2ecf20Sopenharmony_ci/** 5938c2ecf20Sopenharmony_ci * tomoyo_execute_permission - Check permission for execute operation. 5948c2ecf20Sopenharmony_ci * 5958c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 5968c2ecf20Sopenharmony_ci * @filename: Filename to check. 5978c2ecf20Sopenharmony_ci * 5988c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 5998c2ecf20Sopenharmony_ci * 6008c2ecf20Sopenharmony_ci * Caller holds tomoyo_read_lock(). 6018c2ecf20Sopenharmony_ci */ 6028c2ecf20Sopenharmony_ciint tomoyo_execute_permission(struct tomoyo_request_info *r, 6038c2ecf20Sopenharmony_ci const struct tomoyo_path_info *filename) 6048c2ecf20Sopenharmony_ci{ 6058c2ecf20Sopenharmony_ci /* 6068c2ecf20Sopenharmony_ci * Unlike other permission checks, this check is done regardless of 6078c2ecf20Sopenharmony_ci * profile mode settings in order to check for domain transition 6088c2ecf20Sopenharmony_ci * preference. 6098c2ecf20Sopenharmony_ci */ 6108c2ecf20Sopenharmony_ci r->type = TOMOYO_MAC_FILE_EXECUTE; 6118c2ecf20Sopenharmony_ci r->mode = tomoyo_get_mode(r->domain->ns, r->profile, r->type); 6128c2ecf20Sopenharmony_ci r->param_type = TOMOYO_TYPE_PATH_ACL; 6138c2ecf20Sopenharmony_ci r->param.path.filename = filename; 6148c2ecf20Sopenharmony_ci r->param.path.operation = TOMOYO_TYPE_EXECUTE; 6158c2ecf20Sopenharmony_ci tomoyo_check_acl(r, tomoyo_check_path_acl); 6168c2ecf20Sopenharmony_ci r->ee->transition = r->matched_acl && r->matched_acl->cond ? 6178c2ecf20Sopenharmony_ci r->matched_acl->cond->transit : NULL; 6188c2ecf20Sopenharmony_ci if (r->mode != TOMOYO_CONFIG_DISABLED) 6198c2ecf20Sopenharmony_ci return tomoyo_audit_path_log(r); 6208c2ecf20Sopenharmony_ci return 0; 6218c2ecf20Sopenharmony_ci} 6228c2ecf20Sopenharmony_ci 6238c2ecf20Sopenharmony_ci/** 6248c2ecf20Sopenharmony_ci * tomoyo_same_path_number_acl - Check for duplicated "struct tomoyo_path_number_acl" entry. 6258c2ecf20Sopenharmony_ci * 6268c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 6278c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 6288c2ecf20Sopenharmony_ci * 6298c2ecf20Sopenharmony_ci * Returns true if @a == @b except permission bits, false otherwise. 6308c2ecf20Sopenharmony_ci */ 6318c2ecf20Sopenharmony_cistatic bool tomoyo_same_path_number_acl(const struct tomoyo_acl_info *a, 6328c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *b) 6338c2ecf20Sopenharmony_ci{ 6348c2ecf20Sopenharmony_ci const struct tomoyo_path_number_acl *p1 = container_of(a, typeof(*p1), 6358c2ecf20Sopenharmony_ci head); 6368c2ecf20Sopenharmony_ci const struct tomoyo_path_number_acl *p2 = container_of(b, typeof(*p2), 6378c2ecf20Sopenharmony_ci head); 6388c2ecf20Sopenharmony_ci 6398c2ecf20Sopenharmony_ci return tomoyo_same_name_union(&p1->name, &p2->name) && 6408c2ecf20Sopenharmony_ci tomoyo_same_number_union(&p1->number, &p2->number); 6418c2ecf20Sopenharmony_ci} 6428c2ecf20Sopenharmony_ci 6438c2ecf20Sopenharmony_ci/** 6448c2ecf20Sopenharmony_ci * tomoyo_merge_path_number_acl - Merge duplicated "struct tomoyo_path_number_acl" entry. 6458c2ecf20Sopenharmony_ci * 6468c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 6478c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 6488c2ecf20Sopenharmony_ci * @is_delete: True for @a &= ~@b, false for @a |= @b. 6498c2ecf20Sopenharmony_ci * 6508c2ecf20Sopenharmony_ci * Returns true if @a is empty, false otherwise. 6518c2ecf20Sopenharmony_ci */ 6528c2ecf20Sopenharmony_cistatic bool tomoyo_merge_path_number_acl(struct tomoyo_acl_info *a, 6538c2ecf20Sopenharmony_ci struct tomoyo_acl_info *b, 6548c2ecf20Sopenharmony_ci const bool is_delete) 6558c2ecf20Sopenharmony_ci{ 6568c2ecf20Sopenharmony_ci u8 * const a_perm = &container_of(a, struct tomoyo_path_number_acl, 6578c2ecf20Sopenharmony_ci head)->perm; 6588c2ecf20Sopenharmony_ci u8 perm = READ_ONCE(*a_perm); 6598c2ecf20Sopenharmony_ci const u8 b_perm = container_of(b, struct tomoyo_path_number_acl, head) 6608c2ecf20Sopenharmony_ci ->perm; 6618c2ecf20Sopenharmony_ci 6628c2ecf20Sopenharmony_ci if (is_delete) 6638c2ecf20Sopenharmony_ci perm &= ~b_perm; 6648c2ecf20Sopenharmony_ci else 6658c2ecf20Sopenharmony_ci perm |= b_perm; 6668c2ecf20Sopenharmony_ci WRITE_ONCE(*a_perm, perm); 6678c2ecf20Sopenharmony_ci return !perm; 6688c2ecf20Sopenharmony_ci} 6698c2ecf20Sopenharmony_ci 6708c2ecf20Sopenharmony_ci/** 6718c2ecf20Sopenharmony_ci * tomoyo_update_path_number_acl - Update ioctl/chmod/chown/chgrp ACL. 6728c2ecf20Sopenharmony_ci * 6738c2ecf20Sopenharmony_ci * @perm: Permission. 6748c2ecf20Sopenharmony_ci * @param: Pointer to "struct tomoyo_acl_param". 6758c2ecf20Sopenharmony_ci * 6768c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 6778c2ecf20Sopenharmony_ci */ 6788c2ecf20Sopenharmony_cistatic int tomoyo_update_path_number_acl(const u8 perm, 6798c2ecf20Sopenharmony_ci struct tomoyo_acl_param *param) 6808c2ecf20Sopenharmony_ci{ 6818c2ecf20Sopenharmony_ci struct tomoyo_path_number_acl e = { 6828c2ecf20Sopenharmony_ci .head.type = TOMOYO_TYPE_PATH_NUMBER_ACL, 6838c2ecf20Sopenharmony_ci .perm = perm 6848c2ecf20Sopenharmony_ci }; 6858c2ecf20Sopenharmony_ci int error; 6868c2ecf20Sopenharmony_ci 6878c2ecf20Sopenharmony_ci if (!tomoyo_parse_name_union(param, &e.name) || 6888c2ecf20Sopenharmony_ci !tomoyo_parse_number_union(param, &e.number)) 6898c2ecf20Sopenharmony_ci error = -EINVAL; 6908c2ecf20Sopenharmony_ci else 6918c2ecf20Sopenharmony_ci error = tomoyo_update_domain(&e.head, sizeof(e), param, 6928c2ecf20Sopenharmony_ci tomoyo_same_path_number_acl, 6938c2ecf20Sopenharmony_ci tomoyo_merge_path_number_acl); 6948c2ecf20Sopenharmony_ci tomoyo_put_name_union(&e.name); 6958c2ecf20Sopenharmony_ci tomoyo_put_number_union(&e.number); 6968c2ecf20Sopenharmony_ci return error; 6978c2ecf20Sopenharmony_ci} 6988c2ecf20Sopenharmony_ci 6998c2ecf20Sopenharmony_ci/** 7008c2ecf20Sopenharmony_ci * tomoyo_path_number_perm - Check permission for "create", "mkdir", "mkfifo", "mksock", "ioctl", "chmod", "chown", "chgrp". 7018c2ecf20Sopenharmony_ci * 7028c2ecf20Sopenharmony_ci * @type: Type of operation. 7038c2ecf20Sopenharmony_ci * @path: Pointer to "struct path". 7048c2ecf20Sopenharmony_ci * @number: Number. 7058c2ecf20Sopenharmony_ci * 7068c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 7078c2ecf20Sopenharmony_ci */ 7088c2ecf20Sopenharmony_ciint tomoyo_path_number_perm(const u8 type, const struct path *path, 7098c2ecf20Sopenharmony_ci unsigned long number) 7108c2ecf20Sopenharmony_ci{ 7118c2ecf20Sopenharmony_ci struct tomoyo_request_info r; 7128c2ecf20Sopenharmony_ci struct tomoyo_obj_info obj = { 7138c2ecf20Sopenharmony_ci .path1 = { .mnt = path->mnt, .dentry = path->dentry }, 7148c2ecf20Sopenharmony_ci }; 7158c2ecf20Sopenharmony_ci int error = -ENOMEM; 7168c2ecf20Sopenharmony_ci struct tomoyo_path_info buf; 7178c2ecf20Sopenharmony_ci int idx; 7188c2ecf20Sopenharmony_ci 7198c2ecf20Sopenharmony_ci if (tomoyo_init_request_info(&r, NULL, tomoyo_pn2mac[type]) 7208c2ecf20Sopenharmony_ci == TOMOYO_CONFIG_DISABLED || !path->dentry) 7218c2ecf20Sopenharmony_ci return 0; 7228c2ecf20Sopenharmony_ci idx = tomoyo_read_lock(); 7238c2ecf20Sopenharmony_ci if (!tomoyo_get_realpath(&buf, path)) 7248c2ecf20Sopenharmony_ci goto out; 7258c2ecf20Sopenharmony_ci r.obj = &obj; 7268c2ecf20Sopenharmony_ci if (type == TOMOYO_TYPE_MKDIR) 7278c2ecf20Sopenharmony_ci tomoyo_add_slash(&buf); 7288c2ecf20Sopenharmony_ci r.param_type = TOMOYO_TYPE_PATH_NUMBER_ACL; 7298c2ecf20Sopenharmony_ci r.param.path_number.operation = type; 7308c2ecf20Sopenharmony_ci r.param.path_number.filename = &buf; 7318c2ecf20Sopenharmony_ci r.param.path_number.number = number; 7328c2ecf20Sopenharmony_ci do { 7338c2ecf20Sopenharmony_ci tomoyo_check_acl(&r, tomoyo_check_path_number_acl); 7348c2ecf20Sopenharmony_ci error = tomoyo_audit_path_number_log(&r); 7358c2ecf20Sopenharmony_ci } while (error == TOMOYO_RETRY_REQUEST); 7368c2ecf20Sopenharmony_ci kfree(buf.name); 7378c2ecf20Sopenharmony_ci out: 7388c2ecf20Sopenharmony_ci tomoyo_read_unlock(idx); 7398c2ecf20Sopenharmony_ci if (r.mode != TOMOYO_CONFIG_ENFORCING) 7408c2ecf20Sopenharmony_ci error = 0; 7418c2ecf20Sopenharmony_ci return error; 7428c2ecf20Sopenharmony_ci} 7438c2ecf20Sopenharmony_ci 7448c2ecf20Sopenharmony_ci/** 7458c2ecf20Sopenharmony_ci * tomoyo_check_open_permission - Check permission for "read" and "write". 7468c2ecf20Sopenharmony_ci * 7478c2ecf20Sopenharmony_ci * @domain: Pointer to "struct tomoyo_domain_info". 7488c2ecf20Sopenharmony_ci * @path: Pointer to "struct path". 7498c2ecf20Sopenharmony_ci * @flag: Flags for open(). 7508c2ecf20Sopenharmony_ci * 7518c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 7528c2ecf20Sopenharmony_ci */ 7538c2ecf20Sopenharmony_ciint tomoyo_check_open_permission(struct tomoyo_domain_info *domain, 7548c2ecf20Sopenharmony_ci const struct path *path, const int flag) 7558c2ecf20Sopenharmony_ci{ 7568c2ecf20Sopenharmony_ci const u8 acc_mode = ACC_MODE(flag); 7578c2ecf20Sopenharmony_ci int error = 0; 7588c2ecf20Sopenharmony_ci struct tomoyo_path_info buf; 7598c2ecf20Sopenharmony_ci struct tomoyo_request_info r; 7608c2ecf20Sopenharmony_ci struct tomoyo_obj_info obj = { 7618c2ecf20Sopenharmony_ci .path1 = { .mnt = path->mnt, .dentry = path->dentry }, 7628c2ecf20Sopenharmony_ci }; 7638c2ecf20Sopenharmony_ci int idx; 7648c2ecf20Sopenharmony_ci 7658c2ecf20Sopenharmony_ci buf.name = NULL; 7668c2ecf20Sopenharmony_ci r.mode = TOMOYO_CONFIG_DISABLED; 7678c2ecf20Sopenharmony_ci idx = tomoyo_read_lock(); 7688c2ecf20Sopenharmony_ci if (acc_mode && 7698c2ecf20Sopenharmony_ci tomoyo_init_request_info(&r, domain, TOMOYO_MAC_FILE_OPEN) 7708c2ecf20Sopenharmony_ci != TOMOYO_CONFIG_DISABLED) { 7718c2ecf20Sopenharmony_ci if (!tomoyo_get_realpath(&buf, path)) { 7728c2ecf20Sopenharmony_ci error = -ENOMEM; 7738c2ecf20Sopenharmony_ci goto out; 7748c2ecf20Sopenharmony_ci } 7758c2ecf20Sopenharmony_ci r.obj = &obj; 7768c2ecf20Sopenharmony_ci if (acc_mode & MAY_READ) 7778c2ecf20Sopenharmony_ci error = tomoyo_path_permission(&r, TOMOYO_TYPE_READ, 7788c2ecf20Sopenharmony_ci &buf); 7798c2ecf20Sopenharmony_ci if (!error && (acc_mode & MAY_WRITE)) 7808c2ecf20Sopenharmony_ci error = tomoyo_path_permission(&r, (flag & O_APPEND) ? 7818c2ecf20Sopenharmony_ci TOMOYO_TYPE_APPEND : 7828c2ecf20Sopenharmony_ci TOMOYO_TYPE_WRITE, 7838c2ecf20Sopenharmony_ci &buf); 7848c2ecf20Sopenharmony_ci } 7858c2ecf20Sopenharmony_ci out: 7868c2ecf20Sopenharmony_ci kfree(buf.name); 7878c2ecf20Sopenharmony_ci tomoyo_read_unlock(idx); 7888c2ecf20Sopenharmony_ci if (r.mode != TOMOYO_CONFIG_ENFORCING) 7898c2ecf20Sopenharmony_ci error = 0; 7908c2ecf20Sopenharmony_ci return error; 7918c2ecf20Sopenharmony_ci} 7928c2ecf20Sopenharmony_ci 7938c2ecf20Sopenharmony_ci/** 7948c2ecf20Sopenharmony_ci * tomoyo_path_perm - Check permission for "unlink", "rmdir", "truncate", "symlink", "append", "chroot" and "unmount". 7958c2ecf20Sopenharmony_ci * 7968c2ecf20Sopenharmony_ci * @operation: Type of operation. 7978c2ecf20Sopenharmony_ci * @path: Pointer to "struct path". 7988c2ecf20Sopenharmony_ci * @target: Symlink's target if @operation is TOMOYO_TYPE_SYMLINK, 7998c2ecf20Sopenharmony_ci * NULL otherwise. 8008c2ecf20Sopenharmony_ci * 8018c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 8028c2ecf20Sopenharmony_ci */ 8038c2ecf20Sopenharmony_ciint tomoyo_path_perm(const u8 operation, const struct path *path, const char *target) 8048c2ecf20Sopenharmony_ci{ 8058c2ecf20Sopenharmony_ci struct tomoyo_request_info r; 8068c2ecf20Sopenharmony_ci struct tomoyo_obj_info obj = { 8078c2ecf20Sopenharmony_ci .path1 = { .mnt = path->mnt, .dentry = path->dentry }, 8088c2ecf20Sopenharmony_ci }; 8098c2ecf20Sopenharmony_ci int error; 8108c2ecf20Sopenharmony_ci struct tomoyo_path_info buf; 8118c2ecf20Sopenharmony_ci bool is_enforce; 8128c2ecf20Sopenharmony_ci struct tomoyo_path_info symlink_target; 8138c2ecf20Sopenharmony_ci int idx; 8148c2ecf20Sopenharmony_ci 8158c2ecf20Sopenharmony_ci if (tomoyo_init_request_info(&r, NULL, tomoyo_p2mac[operation]) 8168c2ecf20Sopenharmony_ci == TOMOYO_CONFIG_DISABLED) 8178c2ecf20Sopenharmony_ci return 0; 8188c2ecf20Sopenharmony_ci is_enforce = (r.mode == TOMOYO_CONFIG_ENFORCING); 8198c2ecf20Sopenharmony_ci error = -ENOMEM; 8208c2ecf20Sopenharmony_ci buf.name = NULL; 8218c2ecf20Sopenharmony_ci idx = tomoyo_read_lock(); 8228c2ecf20Sopenharmony_ci if (!tomoyo_get_realpath(&buf, path)) 8238c2ecf20Sopenharmony_ci goto out; 8248c2ecf20Sopenharmony_ci r.obj = &obj; 8258c2ecf20Sopenharmony_ci switch (operation) { 8268c2ecf20Sopenharmony_ci case TOMOYO_TYPE_RMDIR: 8278c2ecf20Sopenharmony_ci case TOMOYO_TYPE_CHROOT: 8288c2ecf20Sopenharmony_ci tomoyo_add_slash(&buf); 8298c2ecf20Sopenharmony_ci break; 8308c2ecf20Sopenharmony_ci case TOMOYO_TYPE_SYMLINK: 8318c2ecf20Sopenharmony_ci symlink_target.name = tomoyo_encode(target); 8328c2ecf20Sopenharmony_ci if (!symlink_target.name) 8338c2ecf20Sopenharmony_ci goto out; 8348c2ecf20Sopenharmony_ci tomoyo_fill_path_info(&symlink_target); 8358c2ecf20Sopenharmony_ci obj.symlink_target = &symlink_target; 8368c2ecf20Sopenharmony_ci break; 8378c2ecf20Sopenharmony_ci } 8388c2ecf20Sopenharmony_ci error = tomoyo_path_permission(&r, operation, &buf); 8398c2ecf20Sopenharmony_ci if (operation == TOMOYO_TYPE_SYMLINK) 8408c2ecf20Sopenharmony_ci kfree(symlink_target.name); 8418c2ecf20Sopenharmony_ci out: 8428c2ecf20Sopenharmony_ci kfree(buf.name); 8438c2ecf20Sopenharmony_ci tomoyo_read_unlock(idx); 8448c2ecf20Sopenharmony_ci if (!is_enforce) 8458c2ecf20Sopenharmony_ci error = 0; 8468c2ecf20Sopenharmony_ci return error; 8478c2ecf20Sopenharmony_ci} 8488c2ecf20Sopenharmony_ci 8498c2ecf20Sopenharmony_ci/** 8508c2ecf20Sopenharmony_ci * tomoyo_mkdev_perm - Check permission for "mkblock" and "mkchar". 8518c2ecf20Sopenharmony_ci * 8528c2ecf20Sopenharmony_ci * @operation: Type of operation. (TOMOYO_TYPE_MKCHAR or TOMOYO_TYPE_MKBLOCK) 8538c2ecf20Sopenharmony_ci * @path: Pointer to "struct path". 8548c2ecf20Sopenharmony_ci * @mode: Create mode. 8558c2ecf20Sopenharmony_ci * @dev: Device number. 8568c2ecf20Sopenharmony_ci * 8578c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 8588c2ecf20Sopenharmony_ci */ 8598c2ecf20Sopenharmony_ciint tomoyo_mkdev_perm(const u8 operation, const struct path *path, 8608c2ecf20Sopenharmony_ci const unsigned int mode, unsigned int dev) 8618c2ecf20Sopenharmony_ci{ 8628c2ecf20Sopenharmony_ci struct tomoyo_request_info r; 8638c2ecf20Sopenharmony_ci struct tomoyo_obj_info obj = { 8648c2ecf20Sopenharmony_ci .path1 = { .mnt = path->mnt, .dentry = path->dentry }, 8658c2ecf20Sopenharmony_ci }; 8668c2ecf20Sopenharmony_ci int error = -ENOMEM; 8678c2ecf20Sopenharmony_ci struct tomoyo_path_info buf; 8688c2ecf20Sopenharmony_ci int idx; 8698c2ecf20Sopenharmony_ci 8708c2ecf20Sopenharmony_ci if (tomoyo_init_request_info(&r, NULL, tomoyo_pnnn2mac[operation]) 8718c2ecf20Sopenharmony_ci == TOMOYO_CONFIG_DISABLED) 8728c2ecf20Sopenharmony_ci return 0; 8738c2ecf20Sopenharmony_ci idx = tomoyo_read_lock(); 8748c2ecf20Sopenharmony_ci error = -ENOMEM; 8758c2ecf20Sopenharmony_ci if (tomoyo_get_realpath(&buf, path)) { 8768c2ecf20Sopenharmony_ci r.obj = &obj; 8778c2ecf20Sopenharmony_ci dev = new_decode_dev(dev); 8788c2ecf20Sopenharmony_ci r.param_type = TOMOYO_TYPE_MKDEV_ACL; 8798c2ecf20Sopenharmony_ci r.param.mkdev.filename = &buf; 8808c2ecf20Sopenharmony_ci r.param.mkdev.operation = operation; 8818c2ecf20Sopenharmony_ci r.param.mkdev.mode = mode; 8828c2ecf20Sopenharmony_ci r.param.mkdev.major = MAJOR(dev); 8838c2ecf20Sopenharmony_ci r.param.mkdev.minor = MINOR(dev); 8848c2ecf20Sopenharmony_ci tomoyo_check_acl(&r, tomoyo_check_mkdev_acl); 8858c2ecf20Sopenharmony_ci error = tomoyo_audit_mkdev_log(&r); 8868c2ecf20Sopenharmony_ci kfree(buf.name); 8878c2ecf20Sopenharmony_ci } 8888c2ecf20Sopenharmony_ci tomoyo_read_unlock(idx); 8898c2ecf20Sopenharmony_ci if (r.mode != TOMOYO_CONFIG_ENFORCING) 8908c2ecf20Sopenharmony_ci error = 0; 8918c2ecf20Sopenharmony_ci return error; 8928c2ecf20Sopenharmony_ci} 8938c2ecf20Sopenharmony_ci 8948c2ecf20Sopenharmony_ci/** 8958c2ecf20Sopenharmony_ci * tomoyo_path2_perm - Check permission for "rename", "link" and "pivot_root". 8968c2ecf20Sopenharmony_ci * 8978c2ecf20Sopenharmony_ci * @operation: Type of operation. 8988c2ecf20Sopenharmony_ci * @path1: Pointer to "struct path". 8998c2ecf20Sopenharmony_ci * @path2: Pointer to "struct path". 9008c2ecf20Sopenharmony_ci * 9018c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 9028c2ecf20Sopenharmony_ci */ 9038c2ecf20Sopenharmony_ciint tomoyo_path2_perm(const u8 operation, const struct path *path1, 9048c2ecf20Sopenharmony_ci const struct path *path2) 9058c2ecf20Sopenharmony_ci{ 9068c2ecf20Sopenharmony_ci int error = -ENOMEM; 9078c2ecf20Sopenharmony_ci struct tomoyo_path_info buf1; 9088c2ecf20Sopenharmony_ci struct tomoyo_path_info buf2; 9098c2ecf20Sopenharmony_ci struct tomoyo_request_info r; 9108c2ecf20Sopenharmony_ci struct tomoyo_obj_info obj = { 9118c2ecf20Sopenharmony_ci .path1 = { .mnt = path1->mnt, .dentry = path1->dentry }, 9128c2ecf20Sopenharmony_ci .path2 = { .mnt = path2->mnt, .dentry = path2->dentry } 9138c2ecf20Sopenharmony_ci }; 9148c2ecf20Sopenharmony_ci int idx; 9158c2ecf20Sopenharmony_ci 9168c2ecf20Sopenharmony_ci if (tomoyo_init_request_info(&r, NULL, tomoyo_pp2mac[operation]) 9178c2ecf20Sopenharmony_ci == TOMOYO_CONFIG_DISABLED) 9188c2ecf20Sopenharmony_ci return 0; 9198c2ecf20Sopenharmony_ci buf1.name = NULL; 9208c2ecf20Sopenharmony_ci buf2.name = NULL; 9218c2ecf20Sopenharmony_ci idx = tomoyo_read_lock(); 9228c2ecf20Sopenharmony_ci if (!tomoyo_get_realpath(&buf1, path1) || 9238c2ecf20Sopenharmony_ci !tomoyo_get_realpath(&buf2, path2)) 9248c2ecf20Sopenharmony_ci goto out; 9258c2ecf20Sopenharmony_ci switch (operation) { 9268c2ecf20Sopenharmony_ci case TOMOYO_TYPE_RENAME: 9278c2ecf20Sopenharmony_ci case TOMOYO_TYPE_LINK: 9288c2ecf20Sopenharmony_ci if (!d_is_dir(path1->dentry)) 9298c2ecf20Sopenharmony_ci break; 9308c2ecf20Sopenharmony_ci fallthrough; 9318c2ecf20Sopenharmony_ci case TOMOYO_TYPE_PIVOT_ROOT: 9328c2ecf20Sopenharmony_ci tomoyo_add_slash(&buf1); 9338c2ecf20Sopenharmony_ci tomoyo_add_slash(&buf2); 9348c2ecf20Sopenharmony_ci break; 9358c2ecf20Sopenharmony_ci } 9368c2ecf20Sopenharmony_ci r.obj = &obj; 9378c2ecf20Sopenharmony_ci r.param_type = TOMOYO_TYPE_PATH2_ACL; 9388c2ecf20Sopenharmony_ci r.param.path2.operation = operation; 9398c2ecf20Sopenharmony_ci r.param.path2.filename1 = &buf1; 9408c2ecf20Sopenharmony_ci r.param.path2.filename2 = &buf2; 9418c2ecf20Sopenharmony_ci do { 9428c2ecf20Sopenharmony_ci tomoyo_check_acl(&r, tomoyo_check_path2_acl); 9438c2ecf20Sopenharmony_ci error = tomoyo_audit_path2_log(&r); 9448c2ecf20Sopenharmony_ci } while (error == TOMOYO_RETRY_REQUEST); 9458c2ecf20Sopenharmony_ci out: 9468c2ecf20Sopenharmony_ci kfree(buf1.name); 9478c2ecf20Sopenharmony_ci kfree(buf2.name); 9488c2ecf20Sopenharmony_ci tomoyo_read_unlock(idx); 9498c2ecf20Sopenharmony_ci if (r.mode != TOMOYO_CONFIG_ENFORCING) 9508c2ecf20Sopenharmony_ci error = 0; 9518c2ecf20Sopenharmony_ci return error; 9528c2ecf20Sopenharmony_ci} 9538c2ecf20Sopenharmony_ci 9548c2ecf20Sopenharmony_ci/** 9558c2ecf20Sopenharmony_ci * tomoyo_same_mount_acl - Check for duplicated "struct tomoyo_mount_acl" entry. 9568c2ecf20Sopenharmony_ci * 9578c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 9588c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 9598c2ecf20Sopenharmony_ci * 9608c2ecf20Sopenharmony_ci * Returns true if @a == @b, false otherwise. 9618c2ecf20Sopenharmony_ci */ 9628c2ecf20Sopenharmony_cistatic bool tomoyo_same_mount_acl(const struct tomoyo_acl_info *a, 9638c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *b) 9648c2ecf20Sopenharmony_ci{ 9658c2ecf20Sopenharmony_ci const struct tomoyo_mount_acl *p1 = container_of(a, typeof(*p1), head); 9668c2ecf20Sopenharmony_ci const struct tomoyo_mount_acl *p2 = container_of(b, typeof(*p2), head); 9678c2ecf20Sopenharmony_ci 9688c2ecf20Sopenharmony_ci return tomoyo_same_name_union(&p1->dev_name, &p2->dev_name) && 9698c2ecf20Sopenharmony_ci tomoyo_same_name_union(&p1->dir_name, &p2->dir_name) && 9708c2ecf20Sopenharmony_ci tomoyo_same_name_union(&p1->fs_type, &p2->fs_type) && 9718c2ecf20Sopenharmony_ci tomoyo_same_number_union(&p1->flags, &p2->flags); 9728c2ecf20Sopenharmony_ci} 9738c2ecf20Sopenharmony_ci 9748c2ecf20Sopenharmony_ci/** 9758c2ecf20Sopenharmony_ci * tomoyo_update_mount_acl - Write "struct tomoyo_mount_acl" list. 9768c2ecf20Sopenharmony_ci * 9778c2ecf20Sopenharmony_ci * @param: Pointer to "struct tomoyo_acl_param". 9788c2ecf20Sopenharmony_ci * 9798c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 9808c2ecf20Sopenharmony_ci * 9818c2ecf20Sopenharmony_ci * Caller holds tomoyo_read_lock(). 9828c2ecf20Sopenharmony_ci */ 9838c2ecf20Sopenharmony_cistatic int tomoyo_update_mount_acl(struct tomoyo_acl_param *param) 9848c2ecf20Sopenharmony_ci{ 9858c2ecf20Sopenharmony_ci struct tomoyo_mount_acl e = { .head.type = TOMOYO_TYPE_MOUNT_ACL }; 9868c2ecf20Sopenharmony_ci int error; 9878c2ecf20Sopenharmony_ci 9888c2ecf20Sopenharmony_ci if (!tomoyo_parse_name_union(param, &e.dev_name) || 9898c2ecf20Sopenharmony_ci !tomoyo_parse_name_union(param, &e.dir_name) || 9908c2ecf20Sopenharmony_ci !tomoyo_parse_name_union(param, &e.fs_type) || 9918c2ecf20Sopenharmony_ci !tomoyo_parse_number_union(param, &e.flags)) 9928c2ecf20Sopenharmony_ci error = -EINVAL; 9938c2ecf20Sopenharmony_ci else 9948c2ecf20Sopenharmony_ci error = tomoyo_update_domain(&e.head, sizeof(e), param, 9958c2ecf20Sopenharmony_ci tomoyo_same_mount_acl, NULL); 9968c2ecf20Sopenharmony_ci tomoyo_put_name_union(&e.dev_name); 9978c2ecf20Sopenharmony_ci tomoyo_put_name_union(&e.dir_name); 9988c2ecf20Sopenharmony_ci tomoyo_put_name_union(&e.fs_type); 9998c2ecf20Sopenharmony_ci tomoyo_put_number_union(&e.flags); 10008c2ecf20Sopenharmony_ci return error; 10018c2ecf20Sopenharmony_ci} 10028c2ecf20Sopenharmony_ci 10038c2ecf20Sopenharmony_ci/** 10048c2ecf20Sopenharmony_ci * tomoyo_write_file - Update file related list. 10058c2ecf20Sopenharmony_ci * 10068c2ecf20Sopenharmony_ci * @param: Pointer to "struct tomoyo_acl_param". 10078c2ecf20Sopenharmony_ci * 10088c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 10098c2ecf20Sopenharmony_ci * 10108c2ecf20Sopenharmony_ci * Caller holds tomoyo_read_lock(). 10118c2ecf20Sopenharmony_ci */ 10128c2ecf20Sopenharmony_ciint tomoyo_write_file(struct tomoyo_acl_param *param) 10138c2ecf20Sopenharmony_ci{ 10148c2ecf20Sopenharmony_ci u16 perm = 0; 10158c2ecf20Sopenharmony_ci u8 type; 10168c2ecf20Sopenharmony_ci const char *operation = tomoyo_read_token(param); 10178c2ecf20Sopenharmony_ci 10188c2ecf20Sopenharmony_ci for (type = 0; type < TOMOYO_MAX_PATH_OPERATION; type++) 10198c2ecf20Sopenharmony_ci if (tomoyo_permstr(operation, tomoyo_path_keyword[type])) 10208c2ecf20Sopenharmony_ci perm |= 1 << type; 10218c2ecf20Sopenharmony_ci if (perm) 10228c2ecf20Sopenharmony_ci return tomoyo_update_path_acl(perm, param); 10238c2ecf20Sopenharmony_ci for (type = 0; type < TOMOYO_MAX_PATH2_OPERATION; type++) 10248c2ecf20Sopenharmony_ci if (tomoyo_permstr(operation, 10258c2ecf20Sopenharmony_ci tomoyo_mac_keywords[tomoyo_pp2mac[type]])) 10268c2ecf20Sopenharmony_ci perm |= 1 << type; 10278c2ecf20Sopenharmony_ci if (perm) 10288c2ecf20Sopenharmony_ci return tomoyo_update_path2_acl(perm, param); 10298c2ecf20Sopenharmony_ci for (type = 0; type < TOMOYO_MAX_PATH_NUMBER_OPERATION; type++) 10308c2ecf20Sopenharmony_ci if (tomoyo_permstr(operation, 10318c2ecf20Sopenharmony_ci tomoyo_mac_keywords[tomoyo_pn2mac[type]])) 10328c2ecf20Sopenharmony_ci perm |= 1 << type; 10338c2ecf20Sopenharmony_ci if (perm) 10348c2ecf20Sopenharmony_ci return tomoyo_update_path_number_acl(perm, param); 10358c2ecf20Sopenharmony_ci for (type = 0; type < TOMOYO_MAX_MKDEV_OPERATION; type++) 10368c2ecf20Sopenharmony_ci if (tomoyo_permstr(operation, 10378c2ecf20Sopenharmony_ci tomoyo_mac_keywords[tomoyo_pnnn2mac[type]])) 10388c2ecf20Sopenharmony_ci perm |= 1 << type; 10398c2ecf20Sopenharmony_ci if (perm) 10408c2ecf20Sopenharmony_ci return tomoyo_update_mkdev_acl(perm, param); 10418c2ecf20Sopenharmony_ci if (tomoyo_permstr(operation, 10428c2ecf20Sopenharmony_ci tomoyo_mac_keywords[TOMOYO_MAC_FILE_MOUNT])) 10438c2ecf20Sopenharmony_ci return tomoyo_update_mount_acl(param); 10448c2ecf20Sopenharmony_ci return -EINVAL; 10458c2ecf20Sopenharmony_ci} 1046