security/tomoyo/environ.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * security/tomoyo/environ.c
0004  *
0005  * Copyright (C) 2005-2011  NTT DATA CORPORATION
0006  */
0007
0008 #include "common.h"
0009
0010 /**
0011  * tomoyo_check_env_acl - Check permission for environment variable's name.
0012  *
0013  * @r:   Pointer to "struct tomoyo_request_info".
0014  * @ptr: Pointer to "struct tomoyo_acl_info".
0015  *
0016  * Returns true if granted, false otherwise.
0017  */
0018 static bool tomoyo_check_env_acl(struct tomoyo_request_info *r,
0019                  const struct tomoyo_acl_info *ptr)
0020 {
0021     const struct tomoyo_env_acl *acl =
0022         container_of(ptr, typeof(*acl), head);
0023
0024     return tomoyo_path_matches_pattern(r->param.environ.name, acl->env);
0025 }
0026
0027 /**
0028  * tomoyo_audit_env_log - Audit environment variable name log.
0029  *
0030  * @r: Pointer to "struct tomoyo_request_info".
0031  *
0032  * Returns 0 on success, negative value otherwise.
0033  */
0034 static int tomoyo_audit_env_log(struct tomoyo_request_info *r)
0035 {
0036     return tomoyo_supervisor(r, "misc env %s\n",
0037                  r->param.environ.name->name);
0038 }
0039
0040 /**
0041  * tomoyo_env_perm - Check permission for environment variable's name.
0042  *
0043  * @r:   Pointer to "struct tomoyo_request_info".
0044  * @env: The name of environment variable.
0045  *
0046  * Returns 0 on success, negative value otherwise.
0047  *
0048  * Caller holds tomoyo_read_lock().
0049  */
0050 int tomoyo_env_perm(struct tomoyo_request_info *r, const char *env)
0051 {
0052     struct tomoyo_path_info environ;
0053     int error;
0054
0055     if (!env || !*env)
0056         return 0;
0057     environ.name = env;
0058     tomoyo_fill_path_info(&environ);
0059     r->param_type = TOMOYO_TYPE_ENV_ACL;
0060     r->param.environ.name = &environ;
0061     do {
0062         tomoyo_check_acl(r, tomoyo_check_env_acl);
0063         error = tomoyo_audit_env_log(r);
0064     } while (error == TOMOYO_RETRY_REQUEST);
0065     return error;
0066 }
0067
0068 /**
0069  * tomoyo_same_env_acl - Check for duplicated "struct tomoyo_env_acl" entry.
0070  *
0071  * @a: Pointer to "struct tomoyo_acl_info".
0072  * @b: Pointer to "struct tomoyo_acl_info".
0073  *
0074  * Returns true if @a == @b, false otherwise.
0075  */
0076 static bool tomoyo_same_env_acl(const struct tomoyo_acl_info *a,
0077                 const struct tomoyo_acl_info *b)
0078 {
0079     const struct tomoyo_env_acl *p1 = container_of(a, typeof(*p1), head);
0080     const struct tomoyo_env_acl *p2 = container_of(b, typeof(*p2), head);
0081
0082     return p1->env == p2->env;
0083 }
0084
0085 /**
0086  * tomoyo_write_env - Write "struct tomoyo_env_acl" list.
0087  *
0088  * @param: Pointer to "struct tomoyo_acl_param".
0089  *
0090  * Returns 0 on success, negative value otherwise.
0091  *
0092  * Caller holds tomoyo_read_lock().
0093  */
0094 static int tomoyo_write_env(struct tomoyo_acl_param *param)
0095 {
0096     struct tomoyo_env_acl e = { .head.type = TOMOYO_TYPE_ENV_ACL };
0097     int error = -ENOMEM;
0098     const char *data = tomoyo_read_token(param);
0099
0100     if (!tomoyo_correct_word(data) || strchr(data, '='))
0101         return -EINVAL;
0102     e.env = tomoyo_get_name(data);
0103     if (!e.env)
0104         return error;
0105     error = tomoyo_update_domain(&e.head, sizeof(e), param,
0106                   tomoyo_same_env_acl, NULL);
0107     tomoyo_put_name(e.env);
0108     return error;
0109 }
0110
0111 /**
0112  * tomoyo_write_misc - Update environment variable list.
0113  *
0114  * @param: Pointer to "struct tomoyo_acl_param".
0115  *
0116  * Returns 0 on success, negative value otherwise.
0117  */
0118 int tomoyo_write_misc(struct tomoyo_acl_param *param)
0119 {
0120     if (tomoyo_str_starts(&param->data, "env "))
0121         return tomoyo_write_env(param);
0122     return -EINVAL;
0123 }