security/tomoyo/tomoyo.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * security/tomoyo/tomoyo.c
0004  *
0005  * Copyright (C) 2005-2011  NTT DATA CORPORATION
0006  */
0007
0008 #include <linux/lsm_hooks.h>
0009 #include "common.h"
0010
0011 /**
0012  * tomoyo_domain - Get "struct tomoyo_domain_info" for current thread.
0013  *
0014  * Returns pointer to "struct tomoyo_domain_info" for current thread.
0015  */
0016 struct tomoyo_domain_info *tomoyo_domain(void)
0017 {
0018     struct tomoyo_task *s = tomoyo_task(current);
0019
0020     if (s->old_domain_info && !current->in_execve) {
0021         atomic_dec(&s->old_domain_info->users);
0022         s->old_domain_info = NULL;
0023     }
0024     return s->domain_info;
0025 }
0026
0027 /**
0028  * tomoyo_cred_prepare - Target for security_prepare_creds().
0029  *
0030  * @new: Pointer to "struct cred".
0031  * @old: Pointer to "struct cred".
0032  * @gfp: Memory allocation flags.
0033  *
0034  * Returns 0.
0035  */
0036 static int tomoyo_cred_prepare(struct cred *new, const struct cred *old,
0037                    gfp_t gfp)
0038 {
0039     /* Restore old_domain_info saved by previous execve() request. */
0040     struct tomoyo_task *s = tomoyo_task(current);
0041
0042     if (s->old_domain_info && !current->in_execve) {
0043         atomic_dec(&s->domain_info->users);
0044         s->domain_info = s->old_domain_info;
0045         s->old_domain_info = NULL;
0046     }
0047     return 0;
0048 }
0049
0050 /**
0051  * tomoyo_bprm_committed_creds - Target for security_bprm_committed_creds().
0052  *
0053  * @bprm: Pointer to "struct linux_binprm".
0054  */
0055 static void tomoyo_bprm_committed_creds(struct linux_binprm *bprm)
0056 {
0057     /* Clear old_domain_info saved by execve() request. */
0058     struct tomoyo_task *s = tomoyo_task(current);
0059
0060     atomic_dec(&s->old_domain_info->users);
0061     s->old_domain_info = NULL;
0062 }
0063
0064 #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
0065 /**
0066  * tomoyo_bprm_creds_for_exec - Target for security_bprm_creds_for_exec().
0067  *
0068  * @bprm: Pointer to "struct linux_binprm".
0069  *
0070  * Returns 0.
0071  */
0072 static int tomoyo_bprm_creds_for_exec(struct linux_binprm *bprm)
0073 {
0074     /*
0075      * Load policy if /sbin/tomoyo-init exists and /sbin/init is requested
0076      * for the first time.
0077      */
0078     if (!tomoyo_policy_loaded)
0079         tomoyo_load_policy(bprm->filename);
0080     return 0;
0081 }
0082 #endif
0083
0084 /**
0085  * tomoyo_bprm_check_security - Target for security_bprm_check().
0086  *
0087  * @bprm: Pointer to "struct linux_binprm".
0088  *
0089  * Returns 0 on success, negative value otherwise.
0090  */
0091 static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
0092 {
0093     struct tomoyo_task *s = tomoyo_task(current);
0094
0095     /*
0096      * Execute permission is checked against pathname passed to execve()
0097      * using current domain.
0098      */
0099     if (!s->old_domain_info) {
0100         const int idx = tomoyo_read_lock();
0101         const int err = tomoyo_find_next_domain(bprm);
0102
0103         tomoyo_read_unlock(idx);
0104         return err;
0105     }
0106     /*
0107      * Read permission is checked against interpreters using next domain.
0108      */
0109     return tomoyo_check_open_permission(s->domain_info,
0110                         &bprm->file->f_path, O_RDONLY);
0111 }
0112
0113 /**
0114  * tomoyo_inode_getattr - Target for security_inode_getattr().
0115  *
0116  * @path: Pointer to "struct path".
0117  *
0118  * Returns 0 on success, negative value otherwise.
0119  */
0120 static int tomoyo_inode_getattr(const struct path *path)
0121 {
0122     return tomoyo_path_perm(TOMOYO_TYPE_GETATTR, path, NULL);
0123 }
0124
0125 /**
0126  * tomoyo_path_truncate - Target for security_path_truncate().
0127  *
0128  * @path: Pointer to "struct path".
0129  *
0130  * Returns 0 on success, negative value otherwise.
0131  */
0132 static int tomoyo_path_truncate(const struct path *path)
0133 {
0134     return tomoyo_path_perm(TOMOYO_TYPE_TRUNCATE, path, NULL);
0135 }
0136
0137 /**
0138  * tomoyo_path_unlink - Target for security_path_unlink().
0139  *
0140  * @parent: Pointer to "struct path".
0141  * @dentry: Pointer to "struct dentry".
0142  *
0143  * Returns 0 on success, negative value otherwise.
0144  */
0145 static int tomoyo_path_unlink(const struct path *parent, struct dentry *dentry)
0146 {
0147     struct path path = { .mnt = parent->mnt, .dentry = dentry };
0148
0149     return tomoyo_path_perm(TOMOYO_TYPE_UNLINK, &path, NULL);
0150 }
0151
0152 /**
0153  * tomoyo_path_mkdir - Target for security_path_mkdir().
0154  *
0155  * @parent: Pointer to "struct path".
0156  * @dentry: Pointer to "struct dentry".
0157  * @mode:   DAC permission mode.
0158  *
0159  * Returns 0 on success, negative value otherwise.
0160  */
0161 static int tomoyo_path_mkdir(const struct path *parent, struct dentry *dentry,
0162                  umode_t mode)
0163 {
0164     struct path path = { .mnt = parent->mnt, .dentry = dentry };
0165
0166     return tomoyo_path_number_perm(TOMOYO_TYPE_MKDIR, &path,
0167                        mode & S_IALLUGO);
0168 }
0169
0170 /**
0171  * tomoyo_path_rmdir - Target for security_path_rmdir().
0172  *
0173  * @parent: Pointer to "struct path".
0174  * @dentry: Pointer to "struct dentry".
0175  *
0176  * Returns 0 on success, negative value otherwise.
0177  */
0178 static int tomoyo_path_rmdir(const struct path *parent, struct dentry *dentry)
0179 {
0180     struct path path = { .mnt = parent->mnt, .dentry = dentry };
0181
0182     return tomoyo_path_perm(TOMOYO_TYPE_RMDIR, &path, NULL);
0183 }
0184
0185 /**
0186  * tomoyo_path_symlink - Target for security_path_symlink().
0187  *
0188  * @parent:   Pointer to "struct path".
0189  * @dentry:   Pointer to "struct dentry".
0190  * @old_name: Symlink's content.
0191  *
0192  * Returns 0 on success, negative value otherwise.
0193  */
0194 static int tomoyo_path_symlink(const struct path *parent, struct dentry *dentry,
0195                    const char *old_name)
0196 {
0197     struct path path = { .mnt = parent->mnt, .dentry = dentry };
0198
0199     return tomoyo_path_perm(TOMOYO_TYPE_SYMLINK, &path, old_name);
0200 }
0201
0202 /**
0203  * tomoyo_path_mknod - Target for security_path_mknod().
0204  *
0205  * @parent: Pointer to "struct path".
0206  * @dentry: Pointer to "struct dentry".
0207  * @mode:   DAC permission mode.
0208  * @dev:    Device attributes.
0209  *
0210  * Returns 0 on success, negative value otherwise.
0211  */
0212 static int tomoyo_path_mknod(const struct path *parent, struct dentry *dentry,
0213                  umode_t mode, unsigned int dev)
0214 {
0215     struct path path = { .mnt = parent->mnt, .dentry = dentry };
0216     int type = TOMOYO_TYPE_CREATE;
0217     const unsigned int perm = mode & S_IALLUGO;
0218
0219     switch (mode & S_IFMT) {
0220     case S_IFCHR:
0221         type = TOMOYO_TYPE_MKCHAR;
0222         break;
0223     case S_IFBLK:
0224         type = TOMOYO_TYPE_MKBLOCK;
0225         break;
0226     default:
0227         goto no_dev;
0228     }
0229     return tomoyo_mkdev_perm(type, &path, perm, dev);
0230  no_dev:
0231     switch (mode & S_IFMT) {
0232     case S_IFIFO:
0233         type = TOMOYO_TYPE_MKFIFO;
0234         break;
0235     case S_IFSOCK:
0236         type = TOMOYO_TYPE_MKSOCK;
0237         break;
0238     }
0239     return tomoyo_path_number_perm(type, &path, perm);
0240 }
0241
0242 /**
0243  * tomoyo_path_link - Target for security_path_link().
0244  *
0245  * @old_dentry: Pointer to "struct dentry".
0246  * @new_dir:    Pointer to "struct path".
0247  * @new_dentry: Pointer to "struct dentry".
0248  *
0249  * Returns 0 on success, negative value otherwise.
0250  */
0251 static int tomoyo_path_link(struct dentry *old_dentry, const struct path *new_dir,
0252                 struct dentry *new_dentry)
0253 {
0254     struct path path1 = { .mnt = new_dir->mnt, .dentry = old_dentry };
0255     struct path path2 = { .mnt = new_dir->mnt, .dentry = new_dentry };
0256
0257     return tomoyo_path2_perm(TOMOYO_TYPE_LINK, &path1, &path2);
0258 }
0259
0260 /**
0261  * tomoyo_path_rename - Target for security_path_rename().
0262  *
0263  * @old_parent: Pointer to "struct path".
0264  * @old_dentry: Pointer to "struct dentry".
0265  * @new_parent: Pointer to "struct path".
0266  * @new_dentry: Pointer to "struct dentry".
0267  * @flags: Rename options.
0268  *
0269  * Returns 0 on success, negative value otherwise.
0270  */
0271 static int tomoyo_path_rename(const struct path *old_parent,
0272                   struct dentry *old_dentry,
0273                   const struct path *new_parent,
0274                   struct dentry *new_dentry,
0275                   const unsigned int flags)
0276 {
0277     struct path path1 = { .mnt = old_parent->mnt, .dentry = old_dentry };
0278     struct path path2 = { .mnt = new_parent->mnt, .dentry = new_dentry };
0279
0280     if (flags & RENAME_EXCHANGE) {
0281         const int err = tomoyo_path2_perm(TOMOYO_TYPE_RENAME, &path2,
0282                 &path1);
0283
0284         if (err)
0285             return err;
0286     }
0287     return tomoyo_path2_perm(TOMOYO_TYPE_RENAME, &path1, &path2);
0288 }
0289
0290 /**
0291  * tomoyo_file_fcntl - Target for security_file_fcntl().
0292  *
0293  * @file: Pointer to "struct file".
0294  * @cmd:  Command for fcntl().
0295  * @arg:  Argument for @cmd.
0296  *
0297  * Returns 0 on success, negative value otherwise.
0298  */
0299 static int tomoyo_file_fcntl(struct file *file, unsigned int cmd,
0300                  unsigned long arg)
0301 {
0302     if (!(cmd == F_SETFL && ((arg ^ file->f_flags) & O_APPEND)))
0303         return 0;
0304     return tomoyo_check_open_permission(tomoyo_domain(), &file->f_path,
0305                         O_WRONLY | (arg & O_APPEND));
0306 }
0307
0308 /**
0309  * tomoyo_file_open - Target for security_file_open().
0310  *
0311  * @f: Pointer to "struct file".
0312  *
0313  * Returns 0 on success, negative value otherwise.
0314  */
0315 static int tomoyo_file_open(struct file *f)
0316 {
0317     /* Don't check read permission here if called from execve(). */
0318     if (current->in_execve)
0319         return 0;
0320     return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path,
0321                         f->f_flags);
0322 }
0323
0324 /**
0325  * tomoyo_file_ioctl - Target for security_file_ioctl().
0326  *
0327  * @file: Pointer to "struct file".
0328  * @cmd:  Command for ioctl().
0329  * @arg:  Argument for @cmd.
0330  *
0331  * Returns 0 on success, negative value otherwise.
0332  */
0333 static int tomoyo_file_ioctl(struct file *file, unsigned int cmd,
0334                  unsigned long arg)
0335 {
0336     return tomoyo_path_number_perm(TOMOYO_TYPE_IOCTL, &file->f_path, cmd);
0337 }
0338
0339 /**
0340  * tomoyo_path_chmod - Target for security_path_chmod().
0341  *
0342  * @path: Pointer to "struct path".
0343  * @mode: DAC permission mode.
0344  *
0345  * Returns 0 on success, negative value otherwise.
0346  */
0347 static int tomoyo_path_chmod(const struct path *path, umode_t mode)
0348 {
0349     return tomoyo_path_number_perm(TOMOYO_TYPE_CHMOD, path,
0350                        mode & S_IALLUGO);
0351 }
0352
0353 /**
0354  * tomoyo_path_chown - Target for security_path_chown().
0355  *
0356  * @path: Pointer to "struct path".
0357  * @uid:  Owner ID.
0358  * @gid:  Group ID.
0359  *
0360  * Returns 0 on success, negative value otherwise.
0361  */
0362 static int tomoyo_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
0363 {
0364     int error = 0;
0365
0366     if (uid_valid(uid))
0367         error = tomoyo_path_number_perm(TOMOYO_TYPE_CHOWN, path,
0368                         from_kuid(&init_user_ns, uid));
0369     if (!error && gid_valid(gid))
0370         error = tomoyo_path_number_perm(TOMOYO_TYPE_CHGRP, path,
0371                         from_kgid(&init_user_ns, gid));
0372     return error;
0373 }
0374
0375 /**
0376  * tomoyo_path_chroot - Target for security_path_chroot().
0377  *
0378  * @path: Pointer to "struct path".
0379  *
0380  * Returns 0 on success, negative value otherwise.
0381  */
0382 static int tomoyo_path_chroot(const struct path *path)
0383 {
0384     return tomoyo_path_perm(TOMOYO_TYPE_CHROOT, path, NULL);
0385 }
0386
0387 /**
0388  * tomoyo_sb_mount - Target for security_sb_mount().
0389  *
0390  * @dev_name: Name of device file. Maybe NULL.
0391  * @path:     Pointer to "struct path".
0392  * @type:     Name of filesystem type. Maybe NULL.
0393  * @flags:    Mount options.
0394  * @data:     Optional data. Maybe NULL.
0395  *
0396  * Returns 0 on success, negative value otherwise.
0397  */
0398 static int tomoyo_sb_mount(const char *dev_name, const struct path *path,
0399                const char *type, unsigned long flags, void *data)
0400 {
0401     return tomoyo_mount_permission(dev_name, path, type, flags, data);
0402 }
0403
0404 /**
0405  * tomoyo_sb_umount - Target for security_sb_umount().
0406  *
0407  * @mnt:   Pointer to "struct vfsmount".
0408  * @flags: Unmount options.
0409  *
0410  * Returns 0 on success, negative value otherwise.
0411  */
0412 static int tomoyo_sb_umount(struct vfsmount *mnt, int flags)
0413 {
0414     struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
0415
0416     return tomoyo_path_perm(TOMOYO_TYPE_UMOUNT, &path, NULL);
0417 }
0418
0419 /**
0420  * tomoyo_sb_pivotroot - Target for security_sb_pivotroot().
0421  *
0422  * @old_path: Pointer to "struct path".
0423  * @new_path: Pointer to "struct path".
0424  *
0425  * Returns 0 on success, negative value otherwise.
0426  */
0427 static int tomoyo_sb_pivotroot(const struct path *old_path, const struct path *new_path)
0428 {
0429     return tomoyo_path2_perm(TOMOYO_TYPE_PIVOT_ROOT, new_path, old_path);
0430 }
0431
0432 /**
0433  * tomoyo_socket_listen - Check permission for listen().
0434  *
0435  * @sock:    Pointer to "struct socket".
0436  * @backlog: Backlog parameter.
0437  *
0438  * Returns 0 on success, negative value otherwise.
0439  */
0440 static int tomoyo_socket_listen(struct socket *sock, int backlog)
0441 {
0442     return tomoyo_socket_listen_permission(sock);
0443 }
0444
0445 /**
0446  * tomoyo_socket_connect - Check permission for connect().
0447  *
0448  * @sock:     Pointer to "struct socket".
0449  * @addr:     Pointer to "struct sockaddr".
0450  * @addr_len: Size of @addr.
0451  *
0452  * Returns 0 on success, negative value otherwise.
0453  */
0454 static int tomoyo_socket_connect(struct socket *sock, struct sockaddr *addr,
0455                  int addr_len)
0456 {
0457     return tomoyo_socket_connect_permission(sock, addr, addr_len);
0458 }
0459
0460 /**
0461  * tomoyo_socket_bind - Check permission for bind().
0462  *
0463  * @sock:     Pointer to "struct socket".
0464  * @addr:     Pointer to "struct sockaddr".
0465  * @addr_len: Size of @addr.
0466  *
0467  * Returns 0 on success, negative value otherwise.
0468  */
0469 static int tomoyo_socket_bind(struct socket *sock, struct sockaddr *addr,
0470                   int addr_len)
0471 {
0472     return tomoyo_socket_bind_permission(sock, addr, addr_len);
0473 }
0474
0475 /**
0476  * tomoyo_socket_sendmsg - Check permission for sendmsg().
0477  *
0478  * @sock: Pointer to "struct socket".
0479  * @msg:  Pointer to "struct msghdr".
0480  * @size: Size of message.
0481  *
0482  * Returns 0 on success, negative value otherwise.
0483  */
0484 static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
0485                  int size)
0486 {
0487     return tomoyo_socket_sendmsg_permission(sock, msg, size);
0488 }
0489
0490 struct lsm_blob_sizes tomoyo_blob_sizes __lsm_ro_after_init = {
0491     .lbs_task = sizeof(struct tomoyo_task),
0492 };
0493
0494 /**
0495  * tomoyo_task_alloc - Target for security_task_alloc().
0496  *
0497  * @task:        Pointer to "struct task_struct".
0498  * @clone_flags: clone() flags.
0499  *
0500  * Returns 0.
0501  */
0502 static int tomoyo_task_alloc(struct task_struct *task,
0503                  unsigned long clone_flags)
0504 {
0505     struct tomoyo_task *old = tomoyo_task(current);
0506     struct tomoyo_task *new = tomoyo_task(task);
0507
0508     new->domain_info = old->domain_info;
0509     atomic_inc(&new->domain_info->users);
0510     new->old_domain_info = NULL;
0511     return 0;
0512 }
0513
0514 /**
0515  * tomoyo_task_free - Target for security_task_free().
0516  *
0517  * @task: Pointer to "struct task_struct".
0518  */
0519 static void tomoyo_task_free(struct task_struct *task)
0520 {
0521     struct tomoyo_task *s = tomoyo_task(task);
0522
0523     if (s->domain_info) {
0524         atomic_dec(&s->domain_info->users);
0525         s->domain_info = NULL;
0526     }
0527     if (s->old_domain_info) {
0528         atomic_dec(&s->old_domain_info->users);
0529         s->old_domain_info = NULL;
0530     }
0531 }
0532
0533 /*
0534  * tomoyo_security_ops is a "struct security_operations" which is used for
0535  * registering TOMOYO.
0536  */
0537 static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
0538     LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare),
0539     LSM_HOOK_INIT(bprm_committed_creds, tomoyo_bprm_committed_creds),
0540     LSM_HOOK_INIT(task_alloc, tomoyo_task_alloc),
0541     LSM_HOOK_INIT(task_free, tomoyo_task_free),
0542 #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
0543     LSM_HOOK_INIT(bprm_creds_for_exec, tomoyo_bprm_creds_for_exec),
0544 #endif
0545     LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security),
0546     LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl),
0547     LSM_HOOK_INIT(file_open, tomoyo_file_open),
0548     LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate),
0549     LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink),
0550     LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir),
0551     LSM_HOOK_INIT(path_rmdir, tomoyo_path_rmdir),
0552     LSM_HOOK_INIT(path_symlink, tomoyo_path_symlink),
0553     LSM_HOOK_INIT(path_mknod, tomoyo_path_mknod),
0554     LSM_HOOK_INIT(path_link, tomoyo_path_link),
0555     LSM_HOOK_INIT(path_rename, tomoyo_path_rename),
0556     LSM_HOOK_INIT(inode_getattr, tomoyo_inode_getattr),
0557     LSM_HOOK_INIT(file_ioctl, tomoyo_file_ioctl),
0558     LSM_HOOK_INIT(path_chmod, tomoyo_path_chmod),
0559     LSM_HOOK_INIT(path_chown, tomoyo_path_chown),
0560     LSM_HOOK_INIT(path_chroot, tomoyo_path_chroot),
0561     LSM_HOOK_INIT(sb_mount, tomoyo_sb_mount),
0562     LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount),
0563     LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot),
0564     LSM_HOOK_INIT(socket_bind, tomoyo_socket_bind),
0565     LSM_HOOK_INIT(socket_connect, tomoyo_socket_connect),
0566     LSM_HOOK_INIT(socket_listen, tomoyo_socket_listen),
0567     LSM_HOOK_INIT(socket_sendmsg, tomoyo_socket_sendmsg),
0568 };
0569
0570 /* Lock for GC. */
0571 DEFINE_SRCU(tomoyo_ss);
0572
0573 int tomoyo_enabled __lsm_ro_after_init = 1;
0574
0575 /**
0576  * tomoyo_init - Register TOMOYO Linux as a LSM module.
0577  *
0578  * Returns 0.
0579  */
0580 static int __init tomoyo_init(void)
0581 {
0582     struct tomoyo_task *s = tomoyo_task(current);
0583
0584     /* register ourselves with the security framework */
0585     security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
0586     pr_info("TOMOYO Linux initialized\n");
0587     s->domain_info = &tomoyo_kernel_domain;
0588     atomic_inc(&tomoyo_kernel_domain.users);
0589     s->old_domain_info = NULL;
0590     tomoyo_mm_init();
0591
0592     return 0;
0593 }
0594
0595 DEFINE_LSM(tomoyo) = {
0596     .name = "tomoyo",
0597     .enabled = &tomoyo_enabled,
0598     .flags = LSM_FLAG_LEGACY_MAJOR,
0599     .blobs = &tomoyo_blob_sizes,
0600     .init = tomoyo_init,
0601 };