18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0 28c2ecf20Sopenharmony_ci/* 38c2ecf20Sopenharmony_ci * security/tomoyo/network.c 48c2ecf20Sopenharmony_ci * 58c2ecf20Sopenharmony_ci * Copyright (C) 2005-2011 NTT DATA CORPORATION 68c2ecf20Sopenharmony_ci */ 78c2ecf20Sopenharmony_ci 88c2ecf20Sopenharmony_ci#include "common.h" 98c2ecf20Sopenharmony_ci#include <linux/slab.h> 108c2ecf20Sopenharmony_ci 118c2ecf20Sopenharmony_ci/* Structure for holding inet domain socket's address. */ 128c2ecf20Sopenharmony_cistruct tomoyo_inet_addr_info { 138c2ecf20Sopenharmony_ci __be16 port; /* In network byte order. */ 148c2ecf20Sopenharmony_ci const __be32 *address; /* In network byte order. */ 158c2ecf20Sopenharmony_ci bool is_ipv6; 168c2ecf20Sopenharmony_ci}; 178c2ecf20Sopenharmony_ci 188c2ecf20Sopenharmony_ci/* Structure for holding unix domain socket's address. */ 198c2ecf20Sopenharmony_cistruct tomoyo_unix_addr_info { 208c2ecf20Sopenharmony_ci u8 *addr; /* This may not be '\0' terminated string. */ 218c2ecf20Sopenharmony_ci unsigned int addr_len; 228c2ecf20Sopenharmony_ci}; 238c2ecf20Sopenharmony_ci 248c2ecf20Sopenharmony_ci/* Structure for holding socket address. */ 258c2ecf20Sopenharmony_cistruct tomoyo_addr_info { 268c2ecf20Sopenharmony_ci u8 protocol; 278c2ecf20Sopenharmony_ci u8 operation; 288c2ecf20Sopenharmony_ci struct tomoyo_inet_addr_info inet; 298c2ecf20Sopenharmony_ci struct tomoyo_unix_addr_info unix0; 308c2ecf20Sopenharmony_ci}; 318c2ecf20Sopenharmony_ci 328c2ecf20Sopenharmony_ci/* String table for socket's protocols. */ 338c2ecf20Sopenharmony_ciconst char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX] = { 348c2ecf20Sopenharmony_ci [SOCK_STREAM] = "stream", 358c2ecf20Sopenharmony_ci [SOCK_DGRAM] = "dgram", 368c2ecf20Sopenharmony_ci [SOCK_RAW] = "raw", 378c2ecf20Sopenharmony_ci [SOCK_SEQPACKET] = "seqpacket", 388c2ecf20Sopenharmony_ci [0] = " ", /* Dummy for avoiding NULL pointer dereference. */ 398c2ecf20Sopenharmony_ci [4] = " ", /* Dummy for avoiding NULL pointer dereference. */ 408c2ecf20Sopenharmony_ci}; 418c2ecf20Sopenharmony_ci 428c2ecf20Sopenharmony_ci/** 438c2ecf20Sopenharmony_ci * tomoyo_parse_ipaddr_union - Parse an IP address. 448c2ecf20Sopenharmony_ci * 458c2ecf20Sopenharmony_ci * @param: Pointer to "struct tomoyo_acl_param". 468c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_ipaddr_union". 478c2ecf20Sopenharmony_ci * 488c2ecf20Sopenharmony_ci * Returns true on success, false otherwise. 498c2ecf20Sopenharmony_ci */ 508c2ecf20Sopenharmony_cibool tomoyo_parse_ipaddr_union(struct tomoyo_acl_param *param, 518c2ecf20Sopenharmony_ci struct tomoyo_ipaddr_union *ptr) 528c2ecf20Sopenharmony_ci{ 538c2ecf20Sopenharmony_ci u8 * const min = ptr->ip[0].in6_u.u6_addr8; 548c2ecf20Sopenharmony_ci u8 * const max = ptr->ip[1].in6_u.u6_addr8; 558c2ecf20Sopenharmony_ci char *address = tomoyo_read_token(param); 568c2ecf20Sopenharmony_ci const char *end; 578c2ecf20Sopenharmony_ci 588c2ecf20Sopenharmony_ci if (!strchr(address, ':') && 598c2ecf20Sopenharmony_ci in4_pton(address, -1, min, '-', &end) > 0) { 608c2ecf20Sopenharmony_ci ptr->is_ipv6 = false; 618c2ecf20Sopenharmony_ci if (!*end) 628c2ecf20Sopenharmony_ci ptr->ip[1].s6_addr32[0] = ptr->ip[0].s6_addr32[0]; 638c2ecf20Sopenharmony_ci else if (*end++ != '-' || 648c2ecf20Sopenharmony_ci in4_pton(end, -1, max, '\0', &end) <= 0 || *end) 658c2ecf20Sopenharmony_ci return false; 668c2ecf20Sopenharmony_ci return true; 678c2ecf20Sopenharmony_ci } 688c2ecf20Sopenharmony_ci if (in6_pton(address, -1, min, '-', &end) > 0) { 698c2ecf20Sopenharmony_ci ptr->is_ipv6 = true; 708c2ecf20Sopenharmony_ci if (!*end) 718c2ecf20Sopenharmony_ci memmove(max, min, sizeof(u16) * 8); 728c2ecf20Sopenharmony_ci else if (*end++ != '-' || 738c2ecf20Sopenharmony_ci in6_pton(end, -1, max, '\0', &end) <= 0 || *end) 748c2ecf20Sopenharmony_ci return false; 758c2ecf20Sopenharmony_ci return true; 768c2ecf20Sopenharmony_ci } 778c2ecf20Sopenharmony_ci return false; 788c2ecf20Sopenharmony_ci} 798c2ecf20Sopenharmony_ci 808c2ecf20Sopenharmony_ci/** 818c2ecf20Sopenharmony_ci * tomoyo_print_ipv4 - Print an IPv4 address. 828c2ecf20Sopenharmony_ci * 838c2ecf20Sopenharmony_ci * @buffer: Buffer to write to. 848c2ecf20Sopenharmony_ci * @buffer_len: Size of @buffer. 858c2ecf20Sopenharmony_ci * @min_ip: Pointer to __be32. 868c2ecf20Sopenharmony_ci * @max_ip: Pointer to __be32. 878c2ecf20Sopenharmony_ci * 888c2ecf20Sopenharmony_ci * Returns nothing. 898c2ecf20Sopenharmony_ci */ 908c2ecf20Sopenharmony_cistatic void tomoyo_print_ipv4(char *buffer, const unsigned int buffer_len, 918c2ecf20Sopenharmony_ci const __be32 *min_ip, const __be32 *max_ip) 928c2ecf20Sopenharmony_ci{ 938c2ecf20Sopenharmony_ci snprintf(buffer, buffer_len, "%pI4%c%pI4", min_ip, 948c2ecf20Sopenharmony_ci *min_ip == *max_ip ? '\0' : '-', max_ip); 958c2ecf20Sopenharmony_ci} 968c2ecf20Sopenharmony_ci 978c2ecf20Sopenharmony_ci/** 988c2ecf20Sopenharmony_ci * tomoyo_print_ipv6 - Print an IPv6 address. 998c2ecf20Sopenharmony_ci * 1008c2ecf20Sopenharmony_ci * @buffer: Buffer to write to. 1018c2ecf20Sopenharmony_ci * @buffer_len: Size of @buffer. 1028c2ecf20Sopenharmony_ci * @min_ip: Pointer to "struct in6_addr". 1038c2ecf20Sopenharmony_ci * @max_ip: Pointer to "struct in6_addr". 1048c2ecf20Sopenharmony_ci * 1058c2ecf20Sopenharmony_ci * Returns nothing. 1068c2ecf20Sopenharmony_ci */ 1078c2ecf20Sopenharmony_cistatic void tomoyo_print_ipv6(char *buffer, const unsigned int buffer_len, 1088c2ecf20Sopenharmony_ci const struct in6_addr *min_ip, 1098c2ecf20Sopenharmony_ci const struct in6_addr *max_ip) 1108c2ecf20Sopenharmony_ci{ 1118c2ecf20Sopenharmony_ci snprintf(buffer, buffer_len, "%pI6c%c%pI6c", min_ip, 1128c2ecf20Sopenharmony_ci !memcmp(min_ip, max_ip, 16) ? '\0' : '-', max_ip); 1138c2ecf20Sopenharmony_ci} 1148c2ecf20Sopenharmony_ci 1158c2ecf20Sopenharmony_ci/** 1168c2ecf20Sopenharmony_ci * tomoyo_print_ip - Print an IP address. 1178c2ecf20Sopenharmony_ci * 1188c2ecf20Sopenharmony_ci * @buf: Buffer to write to. 1198c2ecf20Sopenharmony_ci * @size: Size of @buf. 1208c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct ipaddr_union". 1218c2ecf20Sopenharmony_ci * 1228c2ecf20Sopenharmony_ci * Returns nothing. 1238c2ecf20Sopenharmony_ci */ 1248c2ecf20Sopenharmony_civoid tomoyo_print_ip(char *buf, const unsigned int size, 1258c2ecf20Sopenharmony_ci const struct tomoyo_ipaddr_union *ptr) 1268c2ecf20Sopenharmony_ci{ 1278c2ecf20Sopenharmony_ci if (ptr->is_ipv6) 1288c2ecf20Sopenharmony_ci tomoyo_print_ipv6(buf, size, &ptr->ip[0], &ptr->ip[1]); 1298c2ecf20Sopenharmony_ci else 1308c2ecf20Sopenharmony_ci tomoyo_print_ipv4(buf, size, &ptr->ip[0].s6_addr32[0], 1318c2ecf20Sopenharmony_ci &ptr->ip[1].s6_addr32[0]); 1328c2ecf20Sopenharmony_ci} 1338c2ecf20Sopenharmony_ci 1348c2ecf20Sopenharmony_ci/* 1358c2ecf20Sopenharmony_ci * Mapping table from "enum tomoyo_network_acl_index" to 1368c2ecf20Sopenharmony_ci * "enum tomoyo_mac_index" for inet domain socket. 1378c2ecf20Sopenharmony_ci */ 1388c2ecf20Sopenharmony_cistatic const u8 tomoyo_inet2mac 1398c2ecf20Sopenharmony_ci[TOMOYO_SOCK_MAX][TOMOYO_MAX_NETWORK_OPERATION] = { 1408c2ecf20Sopenharmony_ci [SOCK_STREAM] = { 1418c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_BIND] = TOMOYO_MAC_NETWORK_INET_STREAM_BIND, 1428c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_LISTEN] = 1438c2ecf20Sopenharmony_ci TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN, 1448c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_CONNECT] = 1458c2ecf20Sopenharmony_ci TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT, 1468c2ecf20Sopenharmony_ci }, 1478c2ecf20Sopenharmony_ci [SOCK_DGRAM] = { 1488c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_BIND] = TOMOYO_MAC_NETWORK_INET_DGRAM_BIND, 1498c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_SEND] = TOMOYO_MAC_NETWORK_INET_DGRAM_SEND, 1508c2ecf20Sopenharmony_ci }, 1518c2ecf20Sopenharmony_ci [SOCK_RAW] = { 1528c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_BIND] = TOMOYO_MAC_NETWORK_INET_RAW_BIND, 1538c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_SEND] = TOMOYO_MAC_NETWORK_INET_RAW_SEND, 1548c2ecf20Sopenharmony_ci }, 1558c2ecf20Sopenharmony_ci}; 1568c2ecf20Sopenharmony_ci 1578c2ecf20Sopenharmony_ci/* 1588c2ecf20Sopenharmony_ci * Mapping table from "enum tomoyo_network_acl_index" to 1598c2ecf20Sopenharmony_ci * "enum tomoyo_mac_index" for unix domain socket. 1608c2ecf20Sopenharmony_ci */ 1618c2ecf20Sopenharmony_cistatic const u8 tomoyo_unix2mac 1628c2ecf20Sopenharmony_ci[TOMOYO_SOCK_MAX][TOMOYO_MAX_NETWORK_OPERATION] = { 1638c2ecf20Sopenharmony_ci [SOCK_STREAM] = { 1648c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_BIND] = TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND, 1658c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_LISTEN] = 1668c2ecf20Sopenharmony_ci TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN, 1678c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_CONNECT] = 1688c2ecf20Sopenharmony_ci TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT, 1698c2ecf20Sopenharmony_ci }, 1708c2ecf20Sopenharmony_ci [SOCK_DGRAM] = { 1718c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_BIND] = TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND, 1728c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_SEND] = TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND, 1738c2ecf20Sopenharmony_ci }, 1748c2ecf20Sopenharmony_ci [SOCK_SEQPACKET] = { 1758c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_BIND] = 1768c2ecf20Sopenharmony_ci TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND, 1778c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_LISTEN] = 1788c2ecf20Sopenharmony_ci TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN, 1798c2ecf20Sopenharmony_ci [TOMOYO_NETWORK_CONNECT] = 1808c2ecf20Sopenharmony_ci TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT, 1818c2ecf20Sopenharmony_ci }, 1828c2ecf20Sopenharmony_ci}; 1838c2ecf20Sopenharmony_ci 1848c2ecf20Sopenharmony_ci/** 1858c2ecf20Sopenharmony_ci * tomoyo_same_inet_acl - Check for duplicated "struct tomoyo_inet_acl" entry. 1868c2ecf20Sopenharmony_ci * 1878c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 1888c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 1898c2ecf20Sopenharmony_ci * 1908c2ecf20Sopenharmony_ci * Returns true if @a == @b except permission bits, false otherwise. 1918c2ecf20Sopenharmony_ci */ 1928c2ecf20Sopenharmony_cistatic bool tomoyo_same_inet_acl(const struct tomoyo_acl_info *a, 1938c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *b) 1948c2ecf20Sopenharmony_ci{ 1958c2ecf20Sopenharmony_ci const struct tomoyo_inet_acl *p1 = container_of(a, typeof(*p1), head); 1968c2ecf20Sopenharmony_ci const struct tomoyo_inet_acl *p2 = container_of(b, typeof(*p2), head); 1978c2ecf20Sopenharmony_ci 1988c2ecf20Sopenharmony_ci return p1->protocol == p2->protocol && 1998c2ecf20Sopenharmony_ci tomoyo_same_ipaddr_union(&p1->address, &p2->address) && 2008c2ecf20Sopenharmony_ci tomoyo_same_number_union(&p1->port, &p2->port); 2018c2ecf20Sopenharmony_ci} 2028c2ecf20Sopenharmony_ci 2038c2ecf20Sopenharmony_ci/** 2048c2ecf20Sopenharmony_ci * tomoyo_same_unix_acl - Check for duplicated "struct tomoyo_unix_acl" entry. 2058c2ecf20Sopenharmony_ci * 2068c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 2078c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 2088c2ecf20Sopenharmony_ci * 2098c2ecf20Sopenharmony_ci * Returns true if @a == @b except permission bits, false otherwise. 2108c2ecf20Sopenharmony_ci */ 2118c2ecf20Sopenharmony_cistatic bool tomoyo_same_unix_acl(const struct tomoyo_acl_info *a, 2128c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *b) 2138c2ecf20Sopenharmony_ci{ 2148c2ecf20Sopenharmony_ci const struct tomoyo_unix_acl *p1 = container_of(a, typeof(*p1), head); 2158c2ecf20Sopenharmony_ci const struct tomoyo_unix_acl *p2 = container_of(b, typeof(*p2), head); 2168c2ecf20Sopenharmony_ci 2178c2ecf20Sopenharmony_ci return p1->protocol == p2->protocol && 2188c2ecf20Sopenharmony_ci tomoyo_same_name_union(&p1->name, &p2->name); 2198c2ecf20Sopenharmony_ci} 2208c2ecf20Sopenharmony_ci 2218c2ecf20Sopenharmony_ci/** 2228c2ecf20Sopenharmony_ci * tomoyo_merge_inet_acl - Merge duplicated "struct tomoyo_inet_acl" entry. 2238c2ecf20Sopenharmony_ci * 2248c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 2258c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 2268c2ecf20Sopenharmony_ci * @is_delete: True for @a &= ~@b, false for @a |= @b. 2278c2ecf20Sopenharmony_ci * 2288c2ecf20Sopenharmony_ci * Returns true if @a is empty, false otherwise. 2298c2ecf20Sopenharmony_ci */ 2308c2ecf20Sopenharmony_cistatic bool tomoyo_merge_inet_acl(struct tomoyo_acl_info *a, 2318c2ecf20Sopenharmony_ci struct tomoyo_acl_info *b, 2328c2ecf20Sopenharmony_ci const bool is_delete) 2338c2ecf20Sopenharmony_ci{ 2348c2ecf20Sopenharmony_ci u8 * const a_perm = 2358c2ecf20Sopenharmony_ci &container_of(a, struct tomoyo_inet_acl, head)->perm; 2368c2ecf20Sopenharmony_ci u8 perm = READ_ONCE(*a_perm); 2378c2ecf20Sopenharmony_ci const u8 b_perm = container_of(b, struct tomoyo_inet_acl, head)->perm; 2388c2ecf20Sopenharmony_ci 2398c2ecf20Sopenharmony_ci if (is_delete) 2408c2ecf20Sopenharmony_ci perm &= ~b_perm; 2418c2ecf20Sopenharmony_ci else 2428c2ecf20Sopenharmony_ci perm |= b_perm; 2438c2ecf20Sopenharmony_ci WRITE_ONCE(*a_perm, perm); 2448c2ecf20Sopenharmony_ci return !perm; 2458c2ecf20Sopenharmony_ci} 2468c2ecf20Sopenharmony_ci 2478c2ecf20Sopenharmony_ci/** 2488c2ecf20Sopenharmony_ci * tomoyo_merge_unix_acl - Merge duplicated "struct tomoyo_unix_acl" entry. 2498c2ecf20Sopenharmony_ci * 2508c2ecf20Sopenharmony_ci * @a: Pointer to "struct tomoyo_acl_info". 2518c2ecf20Sopenharmony_ci * @b: Pointer to "struct tomoyo_acl_info". 2528c2ecf20Sopenharmony_ci * @is_delete: True for @a &= ~@b, false for @a |= @b. 2538c2ecf20Sopenharmony_ci * 2548c2ecf20Sopenharmony_ci * Returns true if @a is empty, false otherwise. 2558c2ecf20Sopenharmony_ci */ 2568c2ecf20Sopenharmony_cistatic bool tomoyo_merge_unix_acl(struct tomoyo_acl_info *a, 2578c2ecf20Sopenharmony_ci struct tomoyo_acl_info *b, 2588c2ecf20Sopenharmony_ci const bool is_delete) 2598c2ecf20Sopenharmony_ci{ 2608c2ecf20Sopenharmony_ci u8 * const a_perm = 2618c2ecf20Sopenharmony_ci &container_of(a, struct tomoyo_unix_acl, head)->perm; 2628c2ecf20Sopenharmony_ci u8 perm = READ_ONCE(*a_perm); 2638c2ecf20Sopenharmony_ci const u8 b_perm = container_of(b, struct tomoyo_unix_acl, head)->perm; 2648c2ecf20Sopenharmony_ci 2658c2ecf20Sopenharmony_ci if (is_delete) 2668c2ecf20Sopenharmony_ci perm &= ~b_perm; 2678c2ecf20Sopenharmony_ci else 2688c2ecf20Sopenharmony_ci perm |= b_perm; 2698c2ecf20Sopenharmony_ci WRITE_ONCE(*a_perm, perm); 2708c2ecf20Sopenharmony_ci return !perm; 2718c2ecf20Sopenharmony_ci} 2728c2ecf20Sopenharmony_ci 2738c2ecf20Sopenharmony_ci/** 2748c2ecf20Sopenharmony_ci * tomoyo_write_inet_network - Write "struct tomoyo_inet_acl" list. 2758c2ecf20Sopenharmony_ci * 2768c2ecf20Sopenharmony_ci * @param: Pointer to "struct tomoyo_acl_param". 2778c2ecf20Sopenharmony_ci * 2788c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 2798c2ecf20Sopenharmony_ci * 2808c2ecf20Sopenharmony_ci * Caller holds tomoyo_read_lock(). 2818c2ecf20Sopenharmony_ci */ 2828c2ecf20Sopenharmony_ciint tomoyo_write_inet_network(struct tomoyo_acl_param *param) 2838c2ecf20Sopenharmony_ci{ 2848c2ecf20Sopenharmony_ci struct tomoyo_inet_acl e = { .head.type = TOMOYO_TYPE_INET_ACL }; 2858c2ecf20Sopenharmony_ci int error = -EINVAL; 2868c2ecf20Sopenharmony_ci u8 type; 2878c2ecf20Sopenharmony_ci const char *protocol = tomoyo_read_token(param); 2888c2ecf20Sopenharmony_ci const char *operation = tomoyo_read_token(param); 2898c2ecf20Sopenharmony_ci 2908c2ecf20Sopenharmony_ci for (e.protocol = 0; e.protocol < TOMOYO_SOCK_MAX; e.protocol++) 2918c2ecf20Sopenharmony_ci if (!strcmp(protocol, tomoyo_proto_keyword[e.protocol])) 2928c2ecf20Sopenharmony_ci break; 2938c2ecf20Sopenharmony_ci for (type = 0; type < TOMOYO_MAX_NETWORK_OPERATION; type++) 2948c2ecf20Sopenharmony_ci if (tomoyo_permstr(operation, tomoyo_socket_keyword[type])) 2958c2ecf20Sopenharmony_ci e.perm |= 1 << type; 2968c2ecf20Sopenharmony_ci if (e.protocol == TOMOYO_SOCK_MAX || !e.perm) 2978c2ecf20Sopenharmony_ci return -EINVAL; 2988c2ecf20Sopenharmony_ci if (param->data[0] == '@') { 2998c2ecf20Sopenharmony_ci param->data++; 3008c2ecf20Sopenharmony_ci e.address.group = 3018c2ecf20Sopenharmony_ci tomoyo_get_group(param, TOMOYO_ADDRESS_GROUP); 3028c2ecf20Sopenharmony_ci if (!e.address.group) 3038c2ecf20Sopenharmony_ci return -ENOMEM; 3048c2ecf20Sopenharmony_ci } else { 3058c2ecf20Sopenharmony_ci if (!tomoyo_parse_ipaddr_union(param, &e.address)) 3068c2ecf20Sopenharmony_ci goto out; 3078c2ecf20Sopenharmony_ci } 3088c2ecf20Sopenharmony_ci if (!tomoyo_parse_number_union(param, &e.port) || 3098c2ecf20Sopenharmony_ci e.port.values[1] > 65535) 3108c2ecf20Sopenharmony_ci goto out; 3118c2ecf20Sopenharmony_ci error = tomoyo_update_domain(&e.head, sizeof(e), param, 3128c2ecf20Sopenharmony_ci tomoyo_same_inet_acl, 3138c2ecf20Sopenharmony_ci tomoyo_merge_inet_acl); 3148c2ecf20Sopenharmony_ciout: 3158c2ecf20Sopenharmony_ci tomoyo_put_group(e.address.group); 3168c2ecf20Sopenharmony_ci tomoyo_put_number_union(&e.port); 3178c2ecf20Sopenharmony_ci return error; 3188c2ecf20Sopenharmony_ci} 3198c2ecf20Sopenharmony_ci 3208c2ecf20Sopenharmony_ci/** 3218c2ecf20Sopenharmony_ci * tomoyo_write_unix_network - Write "struct tomoyo_unix_acl" list. 3228c2ecf20Sopenharmony_ci * 3238c2ecf20Sopenharmony_ci * @param: Pointer to "struct tomoyo_acl_param". 3248c2ecf20Sopenharmony_ci * 3258c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 3268c2ecf20Sopenharmony_ci */ 3278c2ecf20Sopenharmony_ciint tomoyo_write_unix_network(struct tomoyo_acl_param *param) 3288c2ecf20Sopenharmony_ci{ 3298c2ecf20Sopenharmony_ci struct tomoyo_unix_acl e = { .head.type = TOMOYO_TYPE_UNIX_ACL }; 3308c2ecf20Sopenharmony_ci int error; 3318c2ecf20Sopenharmony_ci u8 type; 3328c2ecf20Sopenharmony_ci const char *protocol = tomoyo_read_token(param); 3338c2ecf20Sopenharmony_ci const char *operation = tomoyo_read_token(param); 3348c2ecf20Sopenharmony_ci 3358c2ecf20Sopenharmony_ci for (e.protocol = 0; e.protocol < TOMOYO_SOCK_MAX; e.protocol++) 3368c2ecf20Sopenharmony_ci if (!strcmp(protocol, tomoyo_proto_keyword[e.protocol])) 3378c2ecf20Sopenharmony_ci break; 3388c2ecf20Sopenharmony_ci for (type = 0; type < TOMOYO_MAX_NETWORK_OPERATION; type++) 3398c2ecf20Sopenharmony_ci if (tomoyo_permstr(operation, tomoyo_socket_keyword[type])) 3408c2ecf20Sopenharmony_ci e.perm |= 1 << type; 3418c2ecf20Sopenharmony_ci if (e.protocol == TOMOYO_SOCK_MAX || !e.perm) 3428c2ecf20Sopenharmony_ci return -EINVAL; 3438c2ecf20Sopenharmony_ci if (!tomoyo_parse_name_union(param, &e.name)) 3448c2ecf20Sopenharmony_ci return -EINVAL; 3458c2ecf20Sopenharmony_ci error = tomoyo_update_domain(&e.head, sizeof(e), param, 3468c2ecf20Sopenharmony_ci tomoyo_same_unix_acl, 3478c2ecf20Sopenharmony_ci tomoyo_merge_unix_acl); 3488c2ecf20Sopenharmony_ci tomoyo_put_name_union(&e.name); 3498c2ecf20Sopenharmony_ci return error; 3508c2ecf20Sopenharmony_ci} 3518c2ecf20Sopenharmony_ci 3528c2ecf20Sopenharmony_ci/** 3538c2ecf20Sopenharmony_ci * tomoyo_audit_net_log - Audit network log. 3548c2ecf20Sopenharmony_ci * 3558c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 3568c2ecf20Sopenharmony_ci * @family: Name of socket family ("inet" or "unix"). 3578c2ecf20Sopenharmony_ci * @protocol: Name of protocol in @family. 3588c2ecf20Sopenharmony_ci * @operation: Name of socket operation. 3598c2ecf20Sopenharmony_ci * @address: Name of address. 3608c2ecf20Sopenharmony_ci * 3618c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 3628c2ecf20Sopenharmony_ci */ 3638c2ecf20Sopenharmony_cistatic int tomoyo_audit_net_log(struct tomoyo_request_info *r, 3648c2ecf20Sopenharmony_ci const char *family, const u8 protocol, 3658c2ecf20Sopenharmony_ci const u8 operation, const char *address) 3668c2ecf20Sopenharmony_ci{ 3678c2ecf20Sopenharmony_ci return tomoyo_supervisor(r, "network %s %s %s %s\n", family, 3688c2ecf20Sopenharmony_ci tomoyo_proto_keyword[protocol], 3698c2ecf20Sopenharmony_ci tomoyo_socket_keyword[operation], address); 3708c2ecf20Sopenharmony_ci} 3718c2ecf20Sopenharmony_ci 3728c2ecf20Sopenharmony_ci/** 3738c2ecf20Sopenharmony_ci * tomoyo_audit_inet_log - Audit INET network log. 3748c2ecf20Sopenharmony_ci * 3758c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 3768c2ecf20Sopenharmony_ci * 3778c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 3788c2ecf20Sopenharmony_ci */ 3798c2ecf20Sopenharmony_cistatic int tomoyo_audit_inet_log(struct tomoyo_request_info *r) 3808c2ecf20Sopenharmony_ci{ 3818c2ecf20Sopenharmony_ci char buf[128]; 3828c2ecf20Sopenharmony_ci int len; 3838c2ecf20Sopenharmony_ci const __be32 *address = r->param.inet_network.address; 3848c2ecf20Sopenharmony_ci 3858c2ecf20Sopenharmony_ci if (r->param.inet_network.is_ipv6) 3868c2ecf20Sopenharmony_ci tomoyo_print_ipv6(buf, sizeof(buf), (const struct in6_addr *) 3878c2ecf20Sopenharmony_ci address, (const struct in6_addr *) address); 3888c2ecf20Sopenharmony_ci else 3898c2ecf20Sopenharmony_ci tomoyo_print_ipv4(buf, sizeof(buf), address, address); 3908c2ecf20Sopenharmony_ci len = strlen(buf); 3918c2ecf20Sopenharmony_ci snprintf(buf + len, sizeof(buf) - len, " %u", 3928c2ecf20Sopenharmony_ci r->param.inet_network.port); 3938c2ecf20Sopenharmony_ci return tomoyo_audit_net_log(r, "inet", r->param.inet_network.protocol, 3948c2ecf20Sopenharmony_ci r->param.inet_network.operation, buf); 3958c2ecf20Sopenharmony_ci} 3968c2ecf20Sopenharmony_ci 3978c2ecf20Sopenharmony_ci/** 3988c2ecf20Sopenharmony_ci * tomoyo_audit_unix_log - Audit UNIX network log. 3998c2ecf20Sopenharmony_ci * 4008c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 4018c2ecf20Sopenharmony_ci * 4028c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 4038c2ecf20Sopenharmony_ci */ 4048c2ecf20Sopenharmony_cistatic int tomoyo_audit_unix_log(struct tomoyo_request_info *r) 4058c2ecf20Sopenharmony_ci{ 4068c2ecf20Sopenharmony_ci return tomoyo_audit_net_log(r, "unix", r->param.unix_network.protocol, 4078c2ecf20Sopenharmony_ci r->param.unix_network.operation, 4088c2ecf20Sopenharmony_ci r->param.unix_network.address->name); 4098c2ecf20Sopenharmony_ci} 4108c2ecf20Sopenharmony_ci 4118c2ecf20Sopenharmony_ci/** 4128c2ecf20Sopenharmony_ci * tomoyo_check_inet_acl - Check permission for inet domain socket operation. 4138c2ecf20Sopenharmony_ci * 4148c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 4158c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_acl_info". 4168c2ecf20Sopenharmony_ci * 4178c2ecf20Sopenharmony_ci * Returns true if granted, false otherwise. 4188c2ecf20Sopenharmony_ci */ 4198c2ecf20Sopenharmony_cistatic bool tomoyo_check_inet_acl(struct tomoyo_request_info *r, 4208c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *ptr) 4218c2ecf20Sopenharmony_ci{ 4228c2ecf20Sopenharmony_ci const struct tomoyo_inet_acl *acl = 4238c2ecf20Sopenharmony_ci container_of(ptr, typeof(*acl), head); 4248c2ecf20Sopenharmony_ci const u8 size = r->param.inet_network.is_ipv6 ? 16 : 4; 4258c2ecf20Sopenharmony_ci 4268c2ecf20Sopenharmony_ci if (!(acl->perm & (1 << r->param.inet_network.operation)) || 4278c2ecf20Sopenharmony_ci !tomoyo_compare_number_union(r->param.inet_network.port, 4288c2ecf20Sopenharmony_ci &acl->port)) 4298c2ecf20Sopenharmony_ci return false; 4308c2ecf20Sopenharmony_ci if (acl->address.group) 4318c2ecf20Sopenharmony_ci return tomoyo_address_matches_group 4328c2ecf20Sopenharmony_ci (r->param.inet_network.is_ipv6, 4338c2ecf20Sopenharmony_ci r->param.inet_network.address, acl->address.group); 4348c2ecf20Sopenharmony_ci return acl->address.is_ipv6 == r->param.inet_network.is_ipv6 && 4358c2ecf20Sopenharmony_ci memcmp(&acl->address.ip[0], 4368c2ecf20Sopenharmony_ci r->param.inet_network.address, size) <= 0 && 4378c2ecf20Sopenharmony_ci memcmp(r->param.inet_network.address, 4388c2ecf20Sopenharmony_ci &acl->address.ip[1], size) <= 0; 4398c2ecf20Sopenharmony_ci} 4408c2ecf20Sopenharmony_ci 4418c2ecf20Sopenharmony_ci/** 4428c2ecf20Sopenharmony_ci * tomoyo_check_unix_acl - Check permission for unix domain socket operation. 4438c2ecf20Sopenharmony_ci * 4448c2ecf20Sopenharmony_ci * @r: Pointer to "struct tomoyo_request_info". 4458c2ecf20Sopenharmony_ci * @ptr: Pointer to "struct tomoyo_acl_info". 4468c2ecf20Sopenharmony_ci * 4478c2ecf20Sopenharmony_ci * Returns true if granted, false otherwise. 4488c2ecf20Sopenharmony_ci */ 4498c2ecf20Sopenharmony_cistatic bool tomoyo_check_unix_acl(struct tomoyo_request_info *r, 4508c2ecf20Sopenharmony_ci const struct tomoyo_acl_info *ptr) 4518c2ecf20Sopenharmony_ci{ 4528c2ecf20Sopenharmony_ci const struct tomoyo_unix_acl *acl = 4538c2ecf20Sopenharmony_ci container_of(ptr, typeof(*acl), head); 4548c2ecf20Sopenharmony_ci 4558c2ecf20Sopenharmony_ci return (acl->perm & (1 << r->param.unix_network.operation)) && 4568c2ecf20Sopenharmony_ci tomoyo_compare_name_union(r->param.unix_network.address, 4578c2ecf20Sopenharmony_ci &acl->name); 4588c2ecf20Sopenharmony_ci} 4598c2ecf20Sopenharmony_ci 4608c2ecf20Sopenharmony_ci/** 4618c2ecf20Sopenharmony_ci * tomoyo_inet_entry - Check permission for INET network operation. 4628c2ecf20Sopenharmony_ci * 4638c2ecf20Sopenharmony_ci * @address: Pointer to "struct tomoyo_addr_info". 4648c2ecf20Sopenharmony_ci * 4658c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 4668c2ecf20Sopenharmony_ci */ 4678c2ecf20Sopenharmony_cistatic int tomoyo_inet_entry(const struct tomoyo_addr_info *address) 4688c2ecf20Sopenharmony_ci{ 4698c2ecf20Sopenharmony_ci const int idx = tomoyo_read_lock(); 4708c2ecf20Sopenharmony_ci struct tomoyo_request_info r; 4718c2ecf20Sopenharmony_ci int error = 0; 4728c2ecf20Sopenharmony_ci const u8 type = tomoyo_inet2mac[address->protocol][address->operation]; 4738c2ecf20Sopenharmony_ci 4748c2ecf20Sopenharmony_ci if (type && tomoyo_init_request_info(&r, NULL, type) 4758c2ecf20Sopenharmony_ci != TOMOYO_CONFIG_DISABLED) { 4768c2ecf20Sopenharmony_ci r.param_type = TOMOYO_TYPE_INET_ACL; 4778c2ecf20Sopenharmony_ci r.param.inet_network.protocol = address->protocol; 4788c2ecf20Sopenharmony_ci r.param.inet_network.operation = address->operation; 4798c2ecf20Sopenharmony_ci r.param.inet_network.is_ipv6 = address->inet.is_ipv6; 4808c2ecf20Sopenharmony_ci r.param.inet_network.address = address->inet.address; 4818c2ecf20Sopenharmony_ci r.param.inet_network.port = ntohs(address->inet.port); 4828c2ecf20Sopenharmony_ci do { 4838c2ecf20Sopenharmony_ci tomoyo_check_acl(&r, tomoyo_check_inet_acl); 4848c2ecf20Sopenharmony_ci error = tomoyo_audit_inet_log(&r); 4858c2ecf20Sopenharmony_ci } while (error == TOMOYO_RETRY_REQUEST); 4868c2ecf20Sopenharmony_ci } 4878c2ecf20Sopenharmony_ci tomoyo_read_unlock(idx); 4888c2ecf20Sopenharmony_ci return error; 4898c2ecf20Sopenharmony_ci} 4908c2ecf20Sopenharmony_ci 4918c2ecf20Sopenharmony_ci/** 4928c2ecf20Sopenharmony_ci * tomoyo_check_inet_address - Check permission for inet domain socket's operation. 4938c2ecf20Sopenharmony_ci * 4948c2ecf20Sopenharmony_ci * @addr: Pointer to "struct sockaddr". 4958c2ecf20Sopenharmony_ci * @addr_len: Size of @addr. 4968c2ecf20Sopenharmony_ci * @port: Port number. 4978c2ecf20Sopenharmony_ci * @address: Pointer to "struct tomoyo_addr_info". 4988c2ecf20Sopenharmony_ci * 4998c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 5008c2ecf20Sopenharmony_ci */ 5018c2ecf20Sopenharmony_cistatic int tomoyo_check_inet_address(const struct sockaddr *addr, 5028c2ecf20Sopenharmony_ci const unsigned int addr_len, 5038c2ecf20Sopenharmony_ci const u16 port, 5048c2ecf20Sopenharmony_ci struct tomoyo_addr_info *address) 5058c2ecf20Sopenharmony_ci{ 5068c2ecf20Sopenharmony_ci struct tomoyo_inet_addr_info *i = &address->inet; 5078c2ecf20Sopenharmony_ci 5088c2ecf20Sopenharmony_ci if (addr_len < offsetofend(struct sockaddr, sa_family)) 5098c2ecf20Sopenharmony_ci return 0; 5108c2ecf20Sopenharmony_ci switch (addr->sa_family) { 5118c2ecf20Sopenharmony_ci case AF_INET6: 5128c2ecf20Sopenharmony_ci if (addr_len < SIN6_LEN_RFC2133) 5138c2ecf20Sopenharmony_ci goto skip; 5148c2ecf20Sopenharmony_ci i->is_ipv6 = true; 5158c2ecf20Sopenharmony_ci i->address = (__be32 *) 5168c2ecf20Sopenharmony_ci ((struct sockaddr_in6 *) addr)->sin6_addr.s6_addr; 5178c2ecf20Sopenharmony_ci i->port = ((struct sockaddr_in6 *) addr)->sin6_port; 5188c2ecf20Sopenharmony_ci break; 5198c2ecf20Sopenharmony_ci case AF_INET: 5208c2ecf20Sopenharmony_ci if (addr_len < sizeof(struct sockaddr_in)) 5218c2ecf20Sopenharmony_ci goto skip; 5228c2ecf20Sopenharmony_ci i->is_ipv6 = false; 5238c2ecf20Sopenharmony_ci i->address = (__be32 *) 5248c2ecf20Sopenharmony_ci &((struct sockaddr_in *) addr)->sin_addr; 5258c2ecf20Sopenharmony_ci i->port = ((struct sockaddr_in *) addr)->sin_port; 5268c2ecf20Sopenharmony_ci break; 5278c2ecf20Sopenharmony_ci default: 5288c2ecf20Sopenharmony_ci goto skip; 5298c2ecf20Sopenharmony_ci } 5308c2ecf20Sopenharmony_ci if (address->protocol == SOCK_RAW) 5318c2ecf20Sopenharmony_ci i->port = htons(port); 5328c2ecf20Sopenharmony_ci return tomoyo_inet_entry(address); 5338c2ecf20Sopenharmony_ciskip: 5348c2ecf20Sopenharmony_ci return 0; 5358c2ecf20Sopenharmony_ci} 5368c2ecf20Sopenharmony_ci 5378c2ecf20Sopenharmony_ci/** 5388c2ecf20Sopenharmony_ci * tomoyo_unix_entry - Check permission for UNIX network operation. 5398c2ecf20Sopenharmony_ci * 5408c2ecf20Sopenharmony_ci * @address: Pointer to "struct tomoyo_addr_info". 5418c2ecf20Sopenharmony_ci * 5428c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 5438c2ecf20Sopenharmony_ci */ 5448c2ecf20Sopenharmony_cistatic int tomoyo_unix_entry(const struct tomoyo_addr_info *address) 5458c2ecf20Sopenharmony_ci{ 5468c2ecf20Sopenharmony_ci const int idx = tomoyo_read_lock(); 5478c2ecf20Sopenharmony_ci struct tomoyo_request_info r; 5488c2ecf20Sopenharmony_ci int error = 0; 5498c2ecf20Sopenharmony_ci const u8 type = tomoyo_unix2mac[address->protocol][address->operation]; 5508c2ecf20Sopenharmony_ci 5518c2ecf20Sopenharmony_ci if (type && tomoyo_init_request_info(&r, NULL, type) 5528c2ecf20Sopenharmony_ci != TOMOYO_CONFIG_DISABLED) { 5538c2ecf20Sopenharmony_ci char *buf = address->unix0.addr; 5548c2ecf20Sopenharmony_ci int len = address->unix0.addr_len - sizeof(sa_family_t); 5558c2ecf20Sopenharmony_ci 5568c2ecf20Sopenharmony_ci if (len <= 0) { 5578c2ecf20Sopenharmony_ci buf = "anonymous"; 5588c2ecf20Sopenharmony_ci len = 9; 5598c2ecf20Sopenharmony_ci } else if (buf[0]) { 5608c2ecf20Sopenharmony_ci len = strnlen(buf, len); 5618c2ecf20Sopenharmony_ci } 5628c2ecf20Sopenharmony_ci buf = tomoyo_encode2(buf, len); 5638c2ecf20Sopenharmony_ci if (buf) { 5648c2ecf20Sopenharmony_ci struct tomoyo_path_info addr; 5658c2ecf20Sopenharmony_ci 5668c2ecf20Sopenharmony_ci addr.name = buf; 5678c2ecf20Sopenharmony_ci tomoyo_fill_path_info(&addr); 5688c2ecf20Sopenharmony_ci r.param_type = TOMOYO_TYPE_UNIX_ACL; 5698c2ecf20Sopenharmony_ci r.param.unix_network.protocol = address->protocol; 5708c2ecf20Sopenharmony_ci r.param.unix_network.operation = address->operation; 5718c2ecf20Sopenharmony_ci r.param.unix_network.address = &addr; 5728c2ecf20Sopenharmony_ci do { 5738c2ecf20Sopenharmony_ci tomoyo_check_acl(&r, tomoyo_check_unix_acl); 5748c2ecf20Sopenharmony_ci error = tomoyo_audit_unix_log(&r); 5758c2ecf20Sopenharmony_ci } while (error == TOMOYO_RETRY_REQUEST); 5768c2ecf20Sopenharmony_ci kfree(buf); 5778c2ecf20Sopenharmony_ci } else 5788c2ecf20Sopenharmony_ci error = -ENOMEM; 5798c2ecf20Sopenharmony_ci } 5808c2ecf20Sopenharmony_ci tomoyo_read_unlock(idx); 5818c2ecf20Sopenharmony_ci return error; 5828c2ecf20Sopenharmony_ci} 5838c2ecf20Sopenharmony_ci 5848c2ecf20Sopenharmony_ci/** 5858c2ecf20Sopenharmony_ci * tomoyo_check_unix_address - Check permission for unix domain socket's operation. 5868c2ecf20Sopenharmony_ci * 5878c2ecf20Sopenharmony_ci * @addr: Pointer to "struct sockaddr". 5888c2ecf20Sopenharmony_ci * @addr_len: Size of @addr. 5898c2ecf20Sopenharmony_ci * @address: Pointer to "struct tomoyo_addr_info". 5908c2ecf20Sopenharmony_ci * 5918c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 5928c2ecf20Sopenharmony_ci */ 5938c2ecf20Sopenharmony_cistatic int tomoyo_check_unix_address(struct sockaddr *addr, 5948c2ecf20Sopenharmony_ci const unsigned int addr_len, 5958c2ecf20Sopenharmony_ci struct tomoyo_addr_info *address) 5968c2ecf20Sopenharmony_ci{ 5978c2ecf20Sopenharmony_ci struct tomoyo_unix_addr_info *u = &address->unix0; 5988c2ecf20Sopenharmony_ci 5998c2ecf20Sopenharmony_ci if (addr_len < offsetofend(struct sockaddr, sa_family)) 6008c2ecf20Sopenharmony_ci return 0; 6018c2ecf20Sopenharmony_ci if (addr->sa_family != AF_UNIX) 6028c2ecf20Sopenharmony_ci return 0; 6038c2ecf20Sopenharmony_ci u->addr = ((struct sockaddr_un *) addr)->sun_path; 6048c2ecf20Sopenharmony_ci u->addr_len = addr_len; 6058c2ecf20Sopenharmony_ci return tomoyo_unix_entry(address); 6068c2ecf20Sopenharmony_ci} 6078c2ecf20Sopenharmony_ci 6088c2ecf20Sopenharmony_ci/** 6098c2ecf20Sopenharmony_ci * tomoyo_kernel_service - Check whether I'm kernel service or not. 6108c2ecf20Sopenharmony_ci * 6118c2ecf20Sopenharmony_ci * Returns true if I'm kernel service, false otherwise. 6128c2ecf20Sopenharmony_ci */ 6138c2ecf20Sopenharmony_cistatic bool tomoyo_kernel_service(void) 6148c2ecf20Sopenharmony_ci{ 6158c2ecf20Sopenharmony_ci /* Nothing to do if I am a kernel service. */ 6168c2ecf20Sopenharmony_ci return (current->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD; 6178c2ecf20Sopenharmony_ci} 6188c2ecf20Sopenharmony_ci 6198c2ecf20Sopenharmony_ci/** 6208c2ecf20Sopenharmony_ci * tomoyo_sock_family - Get socket's family. 6218c2ecf20Sopenharmony_ci * 6228c2ecf20Sopenharmony_ci * @sk: Pointer to "struct sock". 6238c2ecf20Sopenharmony_ci * 6248c2ecf20Sopenharmony_ci * Returns one of PF_INET, PF_INET6, PF_UNIX or 0. 6258c2ecf20Sopenharmony_ci */ 6268c2ecf20Sopenharmony_cistatic u8 tomoyo_sock_family(struct sock *sk) 6278c2ecf20Sopenharmony_ci{ 6288c2ecf20Sopenharmony_ci u8 family; 6298c2ecf20Sopenharmony_ci 6308c2ecf20Sopenharmony_ci if (tomoyo_kernel_service()) 6318c2ecf20Sopenharmony_ci return 0; 6328c2ecf20Sopenharmony_ci family = sk->sk_family; 6338c2ecf20Sopenharmony_ci switch (family) { 6348c2ecf20Sopenharmony_ci case PF_INET: 6358c2ecf20Sopenharmony_ci case PF_INET6: 6368c2ecf20Sopenharmony_ci case PF_UNIX: 6378c2ecf20Sopenharmony_ci return family; 6388c2ecf20Sopenharmony_ci default: 6398c2ecf20Sopenharmony_ci return 0; 6408c2ecf20Sopenharmony_ci } 6418c2ecf20Sopenharmony_ci} 6428c2ecf20Sopenharmony_ci 6438c2ecf20Sopenharmony_ci/** 6448c2ecf20Sopenharmony_ci * tomoyo_socket_listen_permission - Check permission for listening a socket. 6458c2ecf20Sopenharmony_ci * 6468c2ecf20Sopenharmony_ci * @sock: Pointer to "struct socket". 6478c2ecf20Sopenharmony_ci * 6488c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 6498c2ecf20Sopenharmony_ci */ 6508c2ecf20Sopenharmony_ciint tomoyo_socket_listen_permission(struct socket *sock) 6518c2ecf20Sopenharmony_ci{ 6528c2ecf20Sopenharmony_ci struct tomoyo_addr_info address; 6538c2ecf20Sopenharmony_ci const u8 family = tomoyo_sock_family(sock->sk); 6548c2ecf20Sopenharmony_ci const unsigned int type = sock->type; 6558c2ecf20Sopenharmony_ci struct sockaddr_storage addr; 6568c2ecf20Sopenharmony_ci int addr_len; 6578c2ecf20Sopenharmony_ci 6588c2ecf20Sopenharmony_ci if (!family || (type != SOCK_STREAM && type != SOCK_SEQPACKET)) 6598c2ecf20Sopenharmony_ci return 0; 6608c2ecf20Sopenharmony_ci { 6618c2ecf20Sopenharmony_ci const int error = sock->ops->getname(sock, (struct sockaddr *) 6628c2ecf20Sopenharmony_ci &addr, 0); 6638c2ecf20Sopenharmony_ci 6648c2ecf20Sopenharmony_ci if (error < 0) 6658c2ecf20Sopenharmony_ci return error; 6668c2ecf20Sopenharmony_ci addr_len = error; 6678c2ecf20Sopenharmony_ci } 6688c2ecf20Sopenharmony_ci address.protocol = type; 6698c2ecf20Sopenharmony_ci address.operation = TOMOYO_NETWORK_LISTEN; 6708c2ecf20Sopenharmony_ci if (family == PF_UNIX) 6718c2ecf20Sopenharmony_ci return tomoyo_check_unix_address((struct sockaddr *) &addr, 6728c2ecf20Sopenharmony_ci addr_len, &address); 6738c2ecf20Sopenharmony_ci return tomoyo_check_inet_address((struct sockaddr *) &addr, addr_len, 6748c2ecf20Sopenharmony_ci 0, &address); 6758c2ecf20Sopenharmony_ci} 6768c2ecf20Sopenharmony_ci 6778c2ecf20Sopenharmony_ci/** 6788c2ecf20Sopenharmony_ci * tomoyo_socket_connect_permission - Check permission for setting the remote address of a socket. 6798c2ecf20Sopenharmony_ci * 6808c2ecf20Sopenharmony_ci * @sock: Pointer to "struct socket". 6818c2ecf20Sopenharmony_ci * @addr: Pointer to "struct sockaddr". 6828c2ecf20Sopenharmony_ci * @addr_len: Size of @addr. 6838c2ecf20Sopenharmony_ci * 6848c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 6858c2ecf20Sopenharmony_ci */ 6868c2ecf20Sopenharmony_ciint tomoyo_socket_connect_permission(struct socket *sock, 6878c2ecf20Sopenharmony_ci struct sockaddr *addr, int addr_len) 6888c2ecf20Sopenharmony_ci{ 6898c2ecf20Sopenharmony_ci struct tomoyo_addr_info address; 6908c2ecf20Sopenharmony_ci const u8 family = tomoyo_sock_family(sock->sk); 6918c2ecf20Sopenharmony_ci const unsigned int type = sock->type; 6928c2ecf20Sopenharmony_ci 6938c2ecf20Sopenharmony_ci if (!family) 6948c2ecf20Sopenharmony_ci return 0; 6958c2ecf20Sopenharmony_ci address.protocol = type; 6968c2ecf20Sopenharmony_ci switch (type) { 6978c2ecf20Sopenharmony_ci case SOCK_DGRAM: 6988c2ecf20Sopenharmony_ci case SOCK_RAW: 6998c2ecf20Sopenharmony_ci address.operation = TOMOYO_NETWORK_SEND; 7008c2ecf20Sopenharmony_ci break; 7018c2ecf20Sopenharmony_ci case SOCK_STREAM: 7028c2ecf20Sopenharmony_ci case SOCK_SEQPACKET: 7038c2ecf20Sopenharmony_ci address.operation = TOMOYO_NETWORK_CONNECT; 7048c2ecf20Sopenharmony_ci break; 7058c2ecf20Sopenharmony_ci default: 7068c2ecf20Sopenharmony_ci return 0; 7078c2ecf20Sopenharmony_ci } 7088c2ecf20Sopenharmony_ci if (family == PF_UNIX) 7098c2ecf20Sopenharmony_ci return tomoyo_check_unix_address(addr, addr_len, &address); 7108c2ecf20Sopenharmony_ci return tomoyo_check_inet_address(addr, addr_len, sock->sk->sk_protocol, 7118c2ecf20Sopenharmony_ci &address); 7128c2ecf20Sopenharmony_ci} 7138c2ecf20Sopenharmony_ci 7148c2ecf20Sopenharmony_ci/** 7158c2ecf20Sopenharmony_ci * tomoyo_socket_bind_permission - Check permission for setting the local address of a socket. 7168c2ecf20Sopenharmony_ci * 7178c2ecf20Sopenharmony_ci * @sock: Pointer to "struct socket". 7188c2ecf20Sopenharmony_ci * @addr: Pointer to "struct sockaddr". 7198c2ecf20Sopenharmony_ci * @addr_len: Size of @addr. 7208c2ecf20Sopenharmony_ci * 7218c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 7228c2ecf20Sopenharmony_ci */ 7238c2ecf20Sopenharmony_ciint tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr, 7248c2ecf20Sopenharmony_ci int addr_len) 7258c2ecf20Sopenharmony_ci{ 7268c2ecf20Sopenharmony_ci struct tomoyo_addr_info address; 7278c2ecf20Sopenharmony_ci const u8 family = tomoyo_sock_family(sock->sk); 7288c2ecf20Sopenharmony_ci const unsigned int type = sock->type; 7298c2ecf20Sopenharmony_ci 7308c2ecf20Sopenharmony_ci if (!family) 7318c2ecf20Sopenharmony_ci return 0; 7328c2ecf20Sopenharmony_ci switch (type) { 7338c2ecf20Sopenharmony_ci case SOCK_STREAM: 7348c2ecf20Sopenharmony_ci case SOCK_DGRAM: 7358c2ecf20Sopenharmony_ci case SOCK_RAW: 7368c2ecf20Sopenharmony_ci case SOCK_SEQPACKET: 7378c2ecf20Sopenharmony_ci address.protocol = type; 7388c2ecf20Sopenharmony_ci address.operation = TOMOYO_NETWORK_BIND; 7398c2ecf20Sopenharmony_ci break; 7408c2ecf20Sopenharmony_ci default: 7418c2ecf20Sopenharmony_ci return 0; 7428c2ecf20Sopenharmony_ci } 7438c2ecf20Sopenharmony_ci if (family == PF_UNIX) 7448c2ecf20Sopenharmony_ci return tomoyo_check_unix_address(addr, addr_len, &address); 7458c2ecf20Sopenharmony_ci return tomoyo_check_inet_address(addr, addr_len, sock->sk->sk_protocol, 7468c2ecf20Sopenharmony_ci &address); 7478c2ecf20Sopenharmony_ci} 7488c2ecf20Sopenharmony_ci 7498c2ecf20Sopenharmony_ci/** 7508c2ecf20Sopenharmony_ci * tomoyo_socket_sendmsg_permission - Check permission for sending a datagram. 7518c2ecf20Sopenharmony_ci * 7528c2ecf20Sopenharmony_ci * @sock: Pointer to "struct socket". 7538c2ecf20Sopenharmony_ci * @msg: Pointer to "struct msghdr". 7548c2ecf20Sopenharmony_ci * @size: Unused. 7558c2ecf20Sopenharmony_ci * 7568c2ecf20Sopenharmony_ci * Returns 0 on success, negative value otherwise. 7578c2ecf20Sopenharmony_ci */ 7588c2ecf20Sopenharmony_ciint tomoyo_socket_sendmsg_permission(struct socket *sock, struct msghdr *msg, 7598c2ecf20Sopenharmony_ci int size) 7608c2ecf20Sopenharmony_ci{ 7618c2ecf20Sopenharmony_ci struct tomoyo_addr_info address; 7628c2ecf20Sopenharmony_ci const u8 family = tomoyo_sock_family(sock->sk); 7638c2ecf20Sopenharmony_ci const unsigned int type = sock->type; 7648c2ecf20Sopenharmony_ci 7658c2ecf20Sopenharmony_ci if (!msg->msg_name || !family || 7668c2ecf20Sopenharmony_ci (type != SOCK_DGRAM && type != SOCK_RAW)) 7678c2ecf20Sopenharmony_ci return 0; 7688c2ecf20Sopenharmony_ci address.protocol = type; 7698c2ecf20Sopenharmony_ci address.operation = TOMOYO_NETWORK_SEND; 7708c2ecf20Sopenharmony_ci if (family == PF_UNIX) 7718c2ecf20Sopenharmony_ci return tomoyo_check_unix_address((struct sockaddr *) 7728c2ecf20Sopenharmony_ci msg->msg_name, 7738c2ecf20Sopenharmony_ci msg->msg_namelen, &address); 7748c2ecf20Sopenharmony_ci return tomoyo_check_inet_address((struct sockaddr *) msg->msg_name, 7758c2ecf20Sopenharmony_ci msg->msg_namelen, 7768c2ecf20Sopenharmony_ci sock->sk->sk_protocol, &address); 7778c2ecf20Sopenharmony_ci} 778