1 |
kumaneko |
111 |
/* |
2 |
|
|
* include/linux/ccs_common.h |
3 |
|
|
* |
4 |
|
|
* Common functions for SAKURA and TOMOYO. |
5 |
|
|
* |
6 |
|
|
* Copyright (C) 2005-2007 NTT DATA CORPORATION |
7 |
|
|
* |
8 |
kumaneko |
731 |
* Version: 1.5.2-pre 2007/11/27 |
9 |
kumaneko |
111 |
* |
10 |
|
|
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
11 |
|
|
* See README.ccs for ChangeLog. |
12 |
|
|
* |
13 |
|
|
*/ |
14 |
|
|
|
15 |
|
|
#ifndef _LINUX_CCS_COMMON_H |
16 |
|
|
#define _LINUX_CCS_COMMON_H |
17 |
|
|
|
18 |
|
|
#include <linux/string.h> |
19 |
|
|
#include <linux/mm.h> |
20 |
|
|
#include <linux/utime.h> |
21 |
|
|
#include <linux/file.h> |
22 |
|
|
#include <linux/smp_lock.h> |
23 |
|
|
#include <linux/module.h> |
24 |
|
|
#include <linux/init.h> |
25 |
|
|
#include <linux/slab.h> |
26 |
|
|
#include <linux/poll.h> |
27 |
|
|
#include <asm/uaccess.h> |
28 |
|
|
#include <stdarg.h> |
29 |
|
|
#include <linux/delay.h> |
30 |
|
|
#include <linux/version.h> |
31 |
|
|
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,5,0) |
32 |
|
|
#include <linux/kmod.h> |
33 |
|
|
#endif |
34 |
|
|
|
35 |
|
|
#ifndef __user |
36 |
|
|
#define __user |
37 |
|
|
#endif |
38 |
|
|
|
39 |
kumaneko |
621 |
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19) |
40 |
|
|
typedef _Bool bool; |
41 |
|
|
#endif |
42 |
|
|
|
43 |
kumaneko |
652 |
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16) |
44 |
|
|
#define mutex semaphore |
45 |
|
|
#define mutex_init(mutex) init_MUTEX(mutex) |
46 |
|
|
#define mutex_lock(mutex) down(mutex) |
47 |
|
|
#define mutex_unlock(mutex) up(mutex) |
48 |
|
|
#define mutex_lock_interruptible(mutex) down_interruptible(mutex) |
49 |
|
|
#define DEFINE_MUTEX(mutexname) DECLARE_MUTEX(mutexname) |
50 |
|
|
#endif |
51 |
|
|
|
52 |
kumaneko |
722 |
#if 0 |
53 |
|
|
|
54 |
|
|
#define list1_head list_head |
55 |
|
|
#define LIST1_HEAD_INIT LIST_HEAD_INIT |
56 |
|
|
#define LIST1_HEAD LIST_HEAD |
57 |
|
|
#define INIT_LIST1_HEAD INIT_LIST_HEAD |
58 |
|
|
#define list1_entry list_entry |
59 |
|
|
#define list1_for_each list_for_each |
60 |
|
|
#define list1_for_each_entry list_for_each_entry |
61 |
|
|
#define list1_for_each_cookie(pos, cookie, head) \ |
62 |
|
|
for ((cookie) || ((cookie) = (head)), pos = (cookie)->next; \ |
63 |
|
|
prefetch(pos->next), pos != (head) || ((cookie) = NULL); \ |
64 |
|
|
(cookie) = pos, pos = pos->next) |
65 |
|
|
static inline void list1_add_tail_mb(struct list1_head *new, |
66 |
|
|
struct list1_head *head) |
67 |
|
|
{ |
68 |
|
|
struct list_head *prev = head->prev; |
69 |
|
|
struct list_head *next = head; |
70 |
|
|
new->next = next; |
71 |
|
|
new->prev = prev; |
72 |
|
|
mb(); /* Avoid out-of-order execution. */ |
73 |
|
|
next->prev = new; |
74 |
|
|
prev->next = new; |
75 |
|
|
} |
76 |
|
|
|
77 |
|
|
#else ///////////////////////////////////////////////////////////////////////// |
78 |
|
|
|
79 |
|
|
struct list1_head { |
80 |
|
|
struct list1_head *next; |
81 |
|
|
}; |
82 |
|
|
|
83 |
|
|
#define LIST1_HEAD_INIT(name) { &(name) } |
84 |
|
|
#define LIST1_HEAD(name) struct list1_head name = LIST1_HEAD_INIT(name) |
85 |
|
|
|
86 |
|
|
static inline void INIT_LIST1_HEAD(struct list1_head *list) |
87 |
|
|
{ |
88 |
|
|
list->next = list; |
89 |
|
|
} |
90 |
|
|
|
91 |
kumaneko |
708 |
/** |
92 |
kumaneko |
722 |
* list1_entry - get the struct for this entry |
93 |
|
|
* @ptr: the &struct list1_head pointer. |
94 |
|
|
* @type: the type of the struct this is embedded in. |
95 |
|
|
* @member: the name of the list1_struct within the struct. |
96 |
|
|
*/ |
97 |
|
|
#define list1_entry(ptr, type, member) container_of(ptr, type, member) |
98 |
|
|
|
99 |
|
|
/** |
100 |
|
|
* list1_for_each - iterate over a list |
101 |
|
|
* @pos: the &struct list1_head to use as a loop cursor. |
102 |
kumaneko |
708 |
* @head: the head for your list. |
103 |
kumaneko |
722 |
*/ |
104 |
|
|
#define list1_for_each(pos, head) \ |
105 |
|
|
for (pos = (head)->next; prefetch(pos->next), pos != (head); \ |
106 |
|
|
pos = pos->next) |
107 |
|
|
|
108 |
|
|
/** |
109 |
|
|
* list1_for_each_entry - iterate over list of given type |
110 |
|
|
* @pos: the type * to use as a loop cursor. |
111 |
|
|
* @head: the head for your list. |
112 |
|
|
* @member: the name of the list1_struct within the struct. |
113 |
|
|
*/ |
114 |
|
|
#define list1_for_each_entry(pos, head, member) \ |
115 |
|
|
for (pos = list1_entry((head)->next, typeof(*pos), member); \ |
116 |
|
|
prefetch(pos->member.next), &pos->member != (head); \ |
117 |
|
|
pos = list1_entry(pos->member.next, typeof(*pos), member)) |
118 |
|
|
|
119 |
|
|
/** |
120 |
|
|
* list1_for_each_cookie - iterate over a list with cookie. |
121 |
|
|
* @pos: the &struct list1_head to use as a loop cursor. |
122 |
|
|
* @cookie: the &struct list1_head to use as a cookie. |
123 |
|
|
* @head: the head for your list. |
124 |
kumaneko |
708 |
* |
125 |
|
|
* Same with list_for_each except that this primitive uses cookie |
126 |
|
|
* so that we can continue iteration. |
127 |
|
|
*/ |
128 |
kumaneko |
722 |
#define list1_for_each_cookie(pos, cookie, head) \ |
129 |
kumaneko |
708 |
for ((cookie) || ((cookie) = (head)), pos = (cookie)->next; \ |
130 |
kumaneko |
722 |
prefetch(pos->next), pos != (head) || ((cookie) = NULL); \ |
131 |
|
|
(cookie) = pos, pos = pos->next) |
132 |
kumaneko |
708 |
|
133 |
|
|
/** |
134 |
|
|
* list_add_tail_mb - add a new entry with memory barrier. |
135 |
|
|
* @new: new entry to be added. |
136 |
|
|
* @head: list head to add it before. |
137 |
|
|
* |
138 |
|
|
* Same with list_add_tail_rcu() except that this primitive uses mb() |
139 |
|
|
* so that we can traverse forwards using list_for_each() and |
140 |
|
|
* list_for_each_cookie(). |
141 |
|
|
*/ |
142 |
kumaneko |
722 |
static inline void list1_add_tail_mb(struct list1_head *new, |
143 |
|
|
struct list1_head *head) |
144 |
kumaneko |
708 |
{ |
145 |
kumaneko |
722 |
struct list1_head *pos = head; |
146 |
|
|
new->next = head; |
147 |
kumaneko |
708 |
mb(); /* Avoid out-of-order execution. */ |
148 |
kumaneko |
722 |
while (pos->next != head) |
149 |
|
|
pos = pos->next; |
150 |
|
|
pos->next = new; |
151 |
kumaneko |
708 |
} |
152 |
|
|
|
153 |
kumaneko |
722 |
#endif |
154 |
|
|
|
155 |
kumaneko |
111 |
struct mini_stat { |
156 |
|
|
uid_t uid; |
157 |
|
|
gid_t gid; |
158 |
|
|
ino_t ino; |
159 |
|
|
}; |
160 |
|
|
struct dentry; |
161 |
|
|
struct vfsmount; |
162 |
|
|
struct obj_info { |
163 |
kumaneko |
621 |
bool validate_done; |
164 |
|
|
bool path1_valid; |
165 |
|
|
bool path1_parent_valid; |
166 |
|
|
bool path2_parent_valid; |
167 |
kumaneko |
111 |
struct dentry *path1_dentry; |
168 |
|
|
struct vfsmount *path1_vfsmnt; |
169 |
|
|
struct dentry *path2_dentry; |
170 |
|
|
struct vfsmount *path2_vfsmnt; |
171 |
|
|
struct mini_stat path1_stat; |
172 |
|
|
/* I don't handle path2_stat for rename operation. */ |
173 |
|
|
struct mini_stat path1_parent_stat; |
174 |
|
|
struct mini_stat path2_parent_stat; |
175 |
|
|
}; |
176 |
|
|
|
177 |
|
|
struct path_info { |
178 |
|
|
const char *name; |
179 |
|
|
u32 hash; /* = full_name_hash(name, strlen(name)) */ |
180 |
|
|
u16 total_len; /* = strlen(name) */ |
181 |
|
|
u16 const_len; /* = const_part_length(name) */ |
182 |
kumaneko |
621 |
bool is_dir; /* = strendswith(name, "/") */ |
183 |
|
|
bool is_patterned; /* = PathContainsPattern(name) */ |
184 |
kumaneko |
111 |
u16 depth; /* = PathDepth(name) */ |
185 |
|
|
}; |
186 |
|
|
|
187 |
|
|
#define CCS_MAX_PATHNAME_LEN 4000 |
188 |
|
|
|
189 |
kumaneko |
708 |
struct path_group_member { |
190 |
kumaneko |
722 |
struct list1_head list; |
191 |
kumaneko |
111 |
const struct path_info *member_name; |
192 |
kumaneko |
621 |
bool is_deleted; |
193 |
kumaneko |
214 |
}; |
194 |
kumaneko |
111 |
|
195 |
kumaneko |
708 |
struct path_group_entry { |
196 |
kumaneko |
722 |
struct list1_head list; |
197 |
kumaneko |
111 |
const struct path_info *group_name; |
198 |
kumaneko |
722 |
struct list1_head path_group_member_list; |
199 |
kumaneko |
214 |
}; |
200 |
kumaneko |
111 |
|
201 |
kumaneko |
719 |
struct in6_addr; |
202 |
kumaneko |
214 |
struct address_group_member { |
203 |
kumaneko |
722 |
struct list1_head list; |
204 |
kumaneko |
111 |
union { |
205 |
kumaneko |
719 |
u32 ipv4; /* Host byte order */ |
206 |
|
|
const struct in6_addr *ipv6; /* Network byte order */ |
207 |
kumaneko |
111 |
} min, max; |
208 |
kumaneko |
621 |
bool is_deleted; |
209 |
|
|
bool is_ipv6; |
210 |
kumaneko |
214 |
}; |
211 |
kumaneko |
111 |
|
212 |
kumaneko |
214 |
struct address_group_entry { |
213 |
kumaneko |
722 |
struct list1_head list; |
214 |
kumaneko |
111 |
const struct path_info *group_name; |
215 |
kumaneko |
722 |
struct list1_head address_group_member_list; |
216 |
kumaneko |
214 |
}; |
217 |
kumaneko |
111 |
|
218 |
|
|
/* |
219 |
|
|
* TOMOYO uses the following structures. |
220 |
|
|
* Memory allocated for these structures are never kfree()ed. |
221 |
|
|
* Since no locks are used for reading, assignment must be performed atomically. |
222 |
|
|
*/ |
223 |
|
|
|
224 |
|
|
/************************* The structure for domains. *************************/ |
225 |
|
|
|
226 |
|
|
struct condition_list; |
227 |
|
|
|
228 |
|
|
struct acl_info { |
229 |
kumaneko |
722 |
struct list1_head list; |
230 |
kumaneko |
111 |
const struct condition_list *cond; |
231 |
|
|
u8 type; |
232 |
kumaneko |
621 |
bool is_deleted; |
233 |
kumaneko |
328 |
} __attribute__((__packed__)); |
234 |
kumaneko |
111 |
|
235 |
|
|
struct domain_info { |
236 |
kumaneko |
722 |
struct list1_head list; |
237 |
|
|
struct list1_head acl_info_list; |
238 |
kumaneko |
111 |
const struct path_info *domainname; /* Name of this domain. Never NULL. */ |
239 |
|
|
u8 profile; /* Profile to use. */ |
240 |
|
|
u8 is_deleted; /* Delete flag. */ |
241 |
kumaneko |
621 |
bool quota_warned; /* Quota warnning done flag. */ |
242 |
kumaneko |
111 |
}; |
243 |
|
|
|
244 |
|
|
#define MAX_PROFILES 256 |
245 |
|
|
|
246 |
kumaneko |
214 |
struct file_acl_record { |
247 |
kumaneko |
328 |
struct acl_info head; /* type = TYPE_FILE_ACL */ |
248 |
|
|
u8 perm; |
249 |
kumaneko |
621 |
bool u_is_group; |
250 |
kumaneko |
111 |
union { |
251 |
kumaneko |
708 |
const struct path_info *filename; /* Pointer to single pathname. */ |
252 |
|
|
const struct path_group_entry *group; /* Pointer to pathname group. */ |
253 |
kumaneko |
111 |
} u; |
254 |
kumaneko |
214 |
}; |
255 |
kumaneko |
111 |
|
256 |
kumaneko |
214 |
struct argv0_acl_record { |
257 |
kumaneko |
111 |
struct acl_info head; /* type = TYPE_ARGV0_ACL */ |
258 |
|
|
const struct path_info *filename; /* Pointer to single pathname. */ |
259 |
|
|
const struct path_info *argv0; /* strrchr(argv[0], '/') + 1 */ |
260 |
kumaneko |
214 |
}; |
261 |
kumaneko |
111 |
|
262 |
kumaneko |
581 |
struct env_acl_record { |
263 |
|
|
struct acl_info head; /* type = TYPE_ENV_ACL */ |
264 |
|
|
const struct path_info *env; /* environment variable */ |
265 |
|
|
}; |
266 |
|
|
|
267 |
kumaneko |
214 |
struct capability_acl_record { |
268 |
kumaneko |
328 |
struct acl_info head; /* type = TYPE_CAPABILITY_ACL */ |
269 |
|
|
u16 capability; |
270 |
kumaneko |
214 |
}; |
271 |
kumaneko |
111 |
|
272 |
kumaneko |
214 |
struct signal_acl_record { |
273 |
kumaneko |
328 |
struct acl_info head; /* type = TYPE_SIGNAL_ACL */ |
274 |
|
|
u16 sig; |
275 |
|
|
const struct path_info *domainname; /* Pointer to destination pattern. */ |
276 |
kumaneko |
214 |
}; |
277 |
kumaneko |
111 |
|
278 |
kumaneko |
214 |
struct single_acl_record { |
279 |
kumaneko |
328 |
struct acl_info head; /* type = TYPE_* */ |
280 |
kumaneko |
621 |
bool u_is_group; |
281 |
kumaneko |
111 |
union { |
282 |
kumaneko |
708 |
const struct path_info *filename; /* Pointer to single pathname. */ |
283 |
|
|
const struct path_group_entry *group; /* Pointer to pathname group. */ |
284 |
kumaneko |
111 |
} u; |
285 |
kumaneko |
214 |
}; |
286 |
kumaneko |
111 |
|
287 |
kumaneko |
214 |
struct double_acl_record { |
288 |
kumaneko |
328 |
struct acl_info head; /* type = TYPE_RENAME_ACL or TYPE_LINK_ACL */ |
289 |
kumaneko |
621 |
bool u1_is_group; |
290 |
|
|
bool u2_is_group; |
291 |
kumaneko |
111 |
union { |
292 |
kumaneko |
708 |
const struct path_info *filename1; /* Pointer to single pathname. */ |
293 |
|
|
const struct path_group_entry *group1; /* Pointer to pathname group. */ |
294 |
kumaneko |
111 |
} u1; |
295 |
|
|
union { |
296 |
kumaneko |
708 |
const struct path_info *filename2; /* Pointer to single pathname. */ |
297 |
|
|
const struct path_group_entry *group2; /* Pointer to pathname group. */ |
298 |
kumaneko |
111 |
} u2; |
299 |
kumaneko |
214 |
}; |
300 |
kumaneko |
111 |
|
301 |
|
|
#define IP_RECORD_TYPE_ADDRESS_GROUP 0 |
302 |
|
|
#define IP_RECORD_TYPE_IPv4 1 |
303 |
|
|
#define IP_RECORD_TYPE_IPv6 2 |
304 |
|
|
|
305 |
kumaneko |
214 |
struct ip_network_acl_record { |
306 |
kumaneko |
328 |
struct acl_info head; /* type = TYPE_IP_NETWORK_ACL */ |
307 |
|
|
u8 operation_type; |
308 |
|
|
u8 record_type; /* IP_RECORD_TYPE_* */ |
309 |
kumaneko |
111 |
union { |
310 |
|
|
struct { |
311 |
|
|
u32 min; /* Start of IPv4 address range. Host endian. */ |
312 |
|
|
u32 max; /* End of IPv4 address range. Host endian. */ |
313 |
|
|
} ipv4; |
314 |
|
|
struct { |
315 |
kumaneko |
719 |
const struct in6_addr *min; /* Start of IPv6 address range. Big endian. */ |
316 |
|
|
const struct in6_addr *max; /* End of IPv6 address range. Big endian. */ |
317 |
kumaneko |
111 |
} ipv6; |
318 |
|
|
const struct address_group_entry *group; /* Pointer to address group. */ |
319 |
|
|
} u; |
320 |
|
|
u16 min_port; /* Start of port number range. */ |
321 |
|
|
u16 max_port; /* End of port number range. */ |
322 |
kumaneko |
214 |
}; |
323 |
kumaneko |
111 |
|
324 |
|
|
/************************* Keywords for ACLs. *************************/ |
325 |
|
|
|
326 |
|
|
#define KEYWORD_ADDRESS_GROUP "address_group " |
327 |
|
|
#define KEYWORD_ADDRESS_GROUP_LEN (sizeof(KEYWORD_ADDRESS_GROUP) - 1) |
328 |
|
|
#define KEYWORD_AGGREGATOR "aggregator " |
329 |
|
|
#define KEYWORD_AGGREGATOR_LEN (sizeof(KEYWORD_AGGREGATOR) - 1) |
330 |
|
|
#define KEYWORD_ALIAS "alias " |
331 |
|
|
#define KEYWORD_ALIAS_LEN (sizeof(KEYWORD_ALIAS) - 1) |
332 |
|
|
#define KEYWORD_ALLOW_ARGV0 "allow_argv0 " |
333 |
|
|
#define KEYWORD_ALLOW_ARGV0_LEN (sizeof(KEYWORD_ALLOW_ARGV0) - 1) |
334 |
|
|
#define KEYWORD_ALLOW_CAPABILITY "allow_capability " |
335 |
|
|
#define KEYWORD_ALLOW_CAPABILITY_LEN (sizeof(KEYWORD_ALLOW_CAPABILITY) - 1) |
336 |
|
|
#define KEYWORD_ALLOW_CHROOT "allow_chroot " |
337 |
|
|
#define KEYWORD_ALLOW_CHROOT_LEN (sizeof(KEYWORD_ALLOW_CHROOT) - 1) |
338 |
kumaneko |
581 |
#define KEYWORD_ALLOW_ENV "allow_env " |
339 |
|
|
#define KEYWORD_ALLOW_ENV_LEN (sizeof(KEYWORD_ALLOW_ENV) - 1) |
340 |
kumaneko |
111 |
#define KEYWORD_ALLOW_MOUNT "allow_mount " |
341 |
|
|
#define KEYWORD_ALLOW_MOUNT_LEN (sizeof(KEYWORD_ALLOW_MOUNT) - 1) |
342 |
|
|
#define KEYWORD_ALLOW_NETWORK "allow_network " |
343 |
|
|
#define KEYWORD_ALLOW_NETWORK_LEN (sizeof(KEYWORD_ALLOW_NETWORK) - 1) |
344 |
kumaneko |
141 |
#define KEYWORD_ALLOW_PIVOT_ROOT "allow_pivot_root " |
345 |
|
|
#define KEYWORD_ALLOW_PIVOT_ROOT_LEN (sizeof(KEYWORD_ALLOW_PIVOT_ROOT) - 1) |
346 |
kumaneko |
111 |
#define KEYWORD_ALLOW_READ "allow_read " |
347 |
|
|
#define KEYWORD_ALLOW_READ_LEN (sizeof(KEYWORD_ALLOW_READ) - 1) |
348 |
|
|
#define KEYWORD_ALLOW_SIGNAL "allow_signal " |
349 |
|
|
#define KEYWORD_ALLOW_SIGNAL_LEN (sizeof(KEYWORD_ALLOW_SIGNAL) - 1) |
350 |
|
|
#define KEYWORD_DELETE "delete " |
351 |
|
|
#define KEYWORD_DELETE_LEN (sizeof(KEYWORD_DELETE) - 1) |
352 |
|
|
#define KEYWORD_DENY_AUTOBIND "deny_autobind " |
353 |
|
|
#define KEYWORD_DENY_AUTOBIND_LEN (sizeof(KEYWORD_DENY_AUTOBIND) - 1) |
354 |
|
|
#define KEYWORD_DENY_REWRITE "deny_rewrite " |
355 |
|
|
#define KEYWORD_DENY_REWRITE_LEN (sizeof(KEYWORD_DENY_REWRITE) - 1) |
356 |
|
|
#define KEYWORD_DENY_UNMOUNT "deny_unmount " |
357 |
|
|
#define KEYWORD_DENY_UNMOUNT_LEN (sizeof(KEYWORD_DENY_UNMOUNT) - 1) |
358 |
|
|
#define KEYWORD_FILE_PATTERN "file_pattern " |
359 |
|
|
#define KEYWORD_FILE_PATTERN_LEN (sizeof(KEYWORD_FILE_PATTERN) - 1) |
360 |
|
|
#define KEYWORD_INITIALIZE_DOMAIN "initialize_domain " |
361 |
|
|
#define KEYWORD_INITIALIZE_DOMAIN_LEN (sizeof(KEYWORD_INITIALIZE_DOMAIN) - 1) |
362 |
|
|
#define KEYWORD_KEEP_DOMAIN "keep_domain " |
363 |
|
|
#define KEYWORD_KEEP_DOMAIN_LEN (sizeof(KEYWORD_KEEP_DOMAIN) - 1) |
364 |
|
|
#define KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain " |
365 |
|
|
#define KEYWORD_NO_INITIALIZE_DOMAIN_LEN (sizeof(KEYWORD_NO_INITIALIZE_DOMAIN) - 1) |
366 |
|
|
#define KEYWORD_NO_KEEP_DOMAIN "no_keep_domain " |
367 |
|
|
#define KEYWORD_NO_KEEP_DOMAIN_LEN (sizeof(KEYWORD_NO_KEEP_DOMAIN) - 1) |
368 |
|
|
#define KEYWORD_PATH_GROUP "path_group " |
369 |
|
|
#define KEYWORD_PATH_GROUP_LEN (sizeof(KEYWORD_PATH_GROUP) - 1) |
370 |
|
|
#define KEYWORD_SELECT "select " |
371 |
|
|
#define KEYWORD_SELECT_LEN (sizeof(KEYWORD_SELECT) - 1) |
372 |
|
|
#define KEYWORD_UNDELETE "undelete " |
373 |
|
|
#define KEYWORD_UNDELETE_LEN (sizeof(KEYWORD_UNDELETE) - 1) |
374 |
|
|
|
375 |
|
|
#define KEYWORD_USE_PROFILE "use_profile " |
376 |
|
|
|
377 |
|
|
#define KEYWORD_MAC_FOR_CAPABILITY "MAC_FOR_CAPABILITY::" |
378 |
|
|
#define KEYWORD_MAC_FOR_CAPABILITY_LEN (sizeof(KEYWORD_MAC_FOR_CAPABILITY) - 1) |
379 |
|
|
|
380 |
|
|
#define ROOT_NAME "<kernel>" /* A domain definition starts with <kernel> . */ |
381 |
|
|
#define ROOT_NAME_LEN (sizeof(ROOT_NAME) - 1) |
382 |
|
|
|
383 |
|
|
/************************* Index numbers for Access Controls. *************************/ |
384 |
|
|
|
385 |
kumaneko |
418 |
#define CCS_PROFILE_COMMENT 0 /* profile.conf */ |
386 |
|
|
#define CCS_TOMOYO_MAC_FOR_FILE 1 /* domain_policy.conf */ |
387 |
|
|
#define CCS_TOMOYO_MAC_FOR_ARGV0 2 /* domain_policy.conf */ |
388 |
kumaneko |
581 |
#define CCS_TOMOYO_MAC_FOR_ENV 3 /* domain_policy.conf */ |
389 |
|
|
#define CCS_TOMOYO_MAC_FOR_NETWORK 4 /* domain_policy.conf */ |
390 |
|
|
#define CCS_TOMOYO_MAC_FOR_SIGNAL 5 /* domain_policy.conf */ |
391 |
|
|
#define CCS_SAKURA_DENY_CONCEAL_MOUNT 6 |
392 |
|
|
#define CCS_SAKURA_RESTRICT_CHROOT 7 /* system_policy.conf */ |
393 |
|
|
#define CCS_SAKURA_RESTRICT_MOUNT 8 /* system_policy.conf */ |
394 |
|
|
#define CCS_SAKURA_RESTRICT_UNMOUNT 9 /* system_policy.conf */ |
395 |
|
|
#define CCS_SAKURA_RESTRICT_PIVOT_ROOT 10 /* system_policy.conf */ |
396 |
|
|
#define CCS_SAKURA_RESTRICT_AUTOBIND 11 /* system_policy.conf */ |
397 |
|
|
#define CCS_TOMOYO_MAX_ACCEPT_ENTRY 12 |
398 |
|
|
#define CCS_TOMOYO_MAX_GRANT_LOG 13 |
399 |
|
|
#define CCS_TOMOYO_MAX_REJECT_LOG 14 |
400 |
|
|
#define CCS_TOMOYO_VERBOSE 15 |
401 |
|
|
#define CCS_ALLOW_ENFORCE_GRACE 16 |
402 |
kumaneko |
708 |
#define CCS_SLEEP_PERIOD 17 /* profile.conf */ |
403 |
|
|
#define CCS_TOMOYO_ALT_EXEC 18 /* profile.conf */ |
404 |
|
|
#define CCS_MAX_CONTROL_INDEX 19 |
405 |
kumaneko |
111 |
|
406 |
|
|
/************************* Index numbers for updates counter. *************************/ |
407 |
|
|
|
408 |
|
|
#define CCS_UPDATES_COUNTER_SYSTEM_POLICY 0 |
409 |
|
|
#define CCS_UPDATES_COUNTER_DOMAIN_POLICY 1 |
410 |
|
|
#define CCS_UPDATES_COUNTER_EXCEPTION_POLICY 2 |
411 |
kumaneko |
418 |
#define CCS_UPDATES_COUNTER_PROFILE 3 |
412 |
kumaneko |
111 |
#define CCS_UPDATES_COUNTER_QUERY 4 |
413 |
|
|
#define CCS_UPDATES_COUNTER_MANAGER 5 |
414 |
|
|
#define CCS_UPDATES_COUNTER_GRANT_LOG 6 |
415 |
|
|
#define CCS_UPDATES_COUNTER_REJECT_LOG 7 |
416 |
|
|
#define MAX_CCS_UPDATES_COUNTER 8 |
417 |
|
|
|
418 |
|
|
/************************* The structure for /proc interfaces. *************************/ |
419 |
|
|
|
420 |
kumaneko |
214 |
struct io_buffer { |
421 |
kumaneko |
111 |
int (*read) (struct io_buffer *); |
422 |
kumaneko |
652 |
struct mutex read_sem; |
423 |
kumaneko |
111 |
int (*write) (struct io_buffer *); |
424 |
kumaneko |
652 |
struct mutex write_sem; |
425 |
kumaneko |
111 |
int (*poll) (struct file *file, poll_table *wait); |
426 |
kumaneko |
722 |
struct list1_head *read_var1; /* The position currently reading from. */ |
427 |
|
|
struct list1_head *read_var2; /* Extra variables for reading. */ |
428 |
kumaneko |
111 |
struct domain_info *write_var1; /* The position currently writing to. */ |
429 |
|
|
int read_step; /* The step for reading. */ |
430 |
|
|
char *read_buf; /* Buffer for reading. */ |
431 |
|
|
int read_eof; /* EOF flag for reading. */ |
432 |
|
|
int read_avail; /* Bytes available for reading. */ |
433 |
|
|
int readbuf_size; /* Size of read buffer. */ |
434 |
|
|
char *write_buf; /* Buffer for writing. */ |
435 |
|
|
int write_avail; /* Bytes available for writing. */ |
436 |
|
|
int writebuf_size; /* Size of write buffer. */ |
437 |
kumaneko |
214 |
}; |
438 |
kumaneko |
111 |
|
439 |
|
|
/************************* PROTOTYPES *************************/ |
440 |
|
|
|
441 |
|
|
char *InitAuditLog(int *len); |
442 |
kumaneko |
214 |
void *ccs_alloc(const size_t size); |
443 |
kumaneko |
719 |
char *print_ipv6(char *buffer, const int buffer_len, const struct in6_addr *ip); |
444 |
kumaneko |
708 |
const char *GetAltExec(void); |
445 |
kumaneko |
111 |
const char *GetEXE(void); |
446 |
|
|
const char *GetLastName(const struct domain_info *domain); |
447 |
kumaneko |
621 |
const char *GetMSG(const bool is_enforce); |
448 |
kumaneko |
111 |
const char *acltype2keyword(const unsigned int acl_type); |
449 |
|
|
const char *capability2keyword(const unsigned int capability); |
450 |
|
|
const char *network2keyword(const unsigned int operation); |
451 |
|
|
const struct condition_list *FindOrAssignNewCondition(const char *condition); |
452 |
kumaneko |
621 |
int AddAddressGroupPolicy(char *data, const bool is_delete); |
453 |
|
|
int AddAggregatorPolicy(char *data, const bool is_delete); |
454 |
|
|
int AddAliasPolicy(char *data, const bool is_delete); |
455 |
|
|
int AddArgv0Policy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete); |
456 |
|
|
int AddCapabilityPolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete); |
457 |
|
|
int AddChrootPolicy(char *data, const bool is_delete); |
458 |
kumaneko |
708 |
int AddDomainACL(struct domain_info *domain, struct acl_info *acl); |
459 |
kumaneko |
621 |
int AddDomainInitializerPolicy(char *data, const bool is_not, const bool is_delete); |
460 |
|
|
int AddDomainKeeperPolicy(char *data, const bool is_not, const bool is_delete); |
461 |
|
|
int AddEnvPolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete); |
462 |
|
|
int AddFilePolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete); |
463 |
|
|
int AddGloballyReadablePolicy(char *data, const bool is_delete); |
464 |
|
|
int AddGloballyUsableEnvPolicy(char *env, const bool is_delete); |
465 |
|
|
int AddMountPolicy(char *data, const bool is_delete); |
466 |
|
|
int AddNetworkPolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete); |
467 |
|
|
int AddNoRewritePolicy(char *pattern, const bool is_delete); |
468 |
|
|
int AddNoUmountPolicy(char *data, const bool is_delete); |
469 |
kumaneko |
708 |
int AddPathGroupPolicy(char *data, const bool is_delete); |
470 |
kumaneko |
621 |
int AddPatternPolicy(char *data, const bool is_delete); |
471 |
|
|
int AddPivotRootPolicy(char *data, const bool is_delete); |
472 |
|
|
int AddReservedPortPolicy(char *data, const bool is_delete); |
473 |
|
|
int AddSignalPolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete); |
474 |
kumaneko |
111 |
int CCS_CloseControl(struct file *file); |
475 |
|
|
int CCS_OpenControl(const int type, struct file *file); |
476 |
|
|
int CCS_PollControl(struct file *file, poll_table *wait); |
477 |
|
|
int CCS_ReadControl(struct file *file, char __user *buffer, const int buffer_len); |
478 |
|
|
int CCS_WriteControl(struct file *file, const char __user *buffer, const int buffer_len); |
479 |
kumaneko |
621 |
int CanSaveAuditLog(const bool is_granted); |
480 |
kumaneko |
111 |
int CheckCondition(const struct condition_list *condition, struct obj_info *obj_info); |
481 |
|
|
int CheckSupervisor(const char *fmt, ...) __attribute__ ((format(printf, 1, 2))); |
482 |
|
|
int DelDomainACL(struct acl_info *ptr); |
483 |
|
|
int DeleteDomain(char *data); |
484 |
kumaneko |
214 |
int DumpCondition(struct io_buffer *head, const struct condition_list *ptr); |
485 |
kumaneko |
621 |
bool IsCorrectDomain(const unsigned char *domainname, const char *function); |
486 |
|
|
bool IsCorrectPath(const char *filename, const int start_type, const int pattern_type, const int end_type, const char *function); |
487 |
|
|
bool IsDomainDef(const unsigned char *buffer); |
488 |
kumaneko |
111 |
int PathMatchesToPattern(const struct path_info *pathname0, const struct path_info *pattern0); |
489 |
|
|
int PollGrantLog(struct file *file, poll_table *wait); |
490 |
|
|
int PollRejectLog(struct file *file, poll_table *wait); |
491 |
kumaneko |
214 |
int ReadAddressGroupPolicy(struct io_buffer *head); |
492 |
|
|
int ReadAggregatorPolicy(struct io_buffer *head); |
493 |
|
|
int ReadAliasPolicy(struct io_buffer *head); |
494 |
|
|
int ReadCapabilityStatus(struct io_buffer *head); |
495 |
|
|
int ReadChrootPolicy(struct io_buffer *head); |
496 |
|
|
int ReadDomainInitializerPolicy(struct io_buffer *head); |
497 |
|
|
int ReadDomainKeeperPolicy(struct io_buffer *head); |
498 |
|
|
int ReadGloballyReadablePolicy(struct io_buffer *head); |
499 |
kumaneko |
581 |
int ReadGloballyUsableEnvPolicy(struct io_buffer *head); |
500 |
kumaneko |
214 |
int ReadGrantLog(struct io_buffer *head); |
501 |
|
|
int ReadMountPolicy(struct io_buffer *head); |
502 |
|
|
int ReadNoRewritePolicy(struct io_buffer *head); |
503 |
|
|
int ReadNoUmountPolicy(struct io_buffer *head); |
504 |
kumaneko |
708 |
int ReadPathGroupPolicy(struct io_buffer *head); |
505 |
kumaneko |
214 |
int ReadPatternPolicy(struct io_buffer *head); |
506 |
|
|
int ReadPivotRootPolicy(struct io_buffer *head); |
507 |
|
|
int ReadRejectLog(struct io_buffer *head); |
508 |
|
|
int ReadReservedPortPolicy(struct io_buffer *head); |
509 |
kumaneko |
111 |
int SetCapabilityStatus(const char *data, unsigned int value, const unsigned int profile); |
510 |
kumaneko |
621 |
int WriteAuditLog(char *log, const bool is_granted); |
511 |
kumaneko |
111 |
int acltype2paths(const unsigned int acl_type); |
512 |
kumaneko |
214 |
int io_printf(struct io_buffer *head, const char *fmt, ...) __attribute__ ((format(printf, 2, 3))); |
513 |
kumaneko |
111 |
struct domain_info *FindDomain(const char *domainname); |
514 |
|
|
struct domain_info *FindOrAssignNewDomain(const char *domainname, const u8 profile); |
515 |
|
|
struct domain_info *UndeleteDomain(const char *domainname0); |
516 |
kumaneko |
621 |
bool CheckCCSAccept(const unsigned int index, struct domain_info * const domain); |
517 |
|
|
bool CheckCCSEnforce(const unsigned int index); |
518 |
kumaneko |
111 |
unsigned int CheckCCSFlags(const unsigned int index); |
519 |
kumaneko |
621 |
bool CheckDomainQuota(struct domain_info * const domain); |
520 |
|
|
bool TomoyoVerboseMode(void); |
521 |
kumaneko |
111 |
void UpdateCounter(const unsigned char index); |
522 |
|
|
void ccs_free(const void *p); |
523 |
|
|
void fill_path_info(struct path_info *ptr); |
524 |
|
|
|
525 |
kumaneko |
621 |
static inline bool pathcmp(const struct path_info *a, const struct path_info *b) |
526 |
kumaneko |
111 |
{ |
527 |
|
|
return a->hash != b->hash || strcmp(a->name, b->name); |
528 |
|
|
} |
529 |
kumaneko |
708 |
|
530 |
kumaneko |
722 |
extern struct list1_head domain_list; |
531 |
kumaneko |
708 |
|
532 |
kumaneko |
111 |
#endif |