/* |
* include/linux/ccs_common.h |
* |
* Common functions for SAKURA and TOMOYO. |
* |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
* |
* Version: 1.5.3-pre 2008/01/02 |
* |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* See README.ccs for ChangeLog. |
* |
*/ |
#ifndef _LINUX_CCS_COMMON_H |
#define _LINUX_CCS_COMMON_H |
#include <linux/string.h> |
#include <linux/mm.h> |
#include <linux/utime.h> |
#include <linux/file.h> |
#include <linux/smp_lock.h> |
#include <linux/module.h> |
#include <linux/init.h> |
#include <linux/slab.h> |
#include <linux/poll.h> |
#include <asm/uaccess.h> |
#include <stdarg.h> |
#include <linux/delay.h> |
#include <linux/version.h> |
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,5,0) |
#include <linux/kmod.h> |
#endif |
/*
 * Compatibility shims for older kernels.
 */

/*
 * Provide an empty __user when the kernel headers do not define it.
 * With the empty definition the annotation on userspace pointers is not
 * checked by any tool; it is documentation only.
 */
#ifndef __user
#define __user
#endif

/* Kernels before 2.6.19 get the bool typedef from here. */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19)
typedef _Bool bool;
#endif

/*
 * Kernels before 2.6.16: map the mutex API onto semaphores
 * (init_MUTEX/down/up/down_interruptible/DECLARE_MUTEX).
 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16)
#define mutex semaphore
#define mutex_init(mutex) init_MUTEX(mutex)
#define mutex_lock(mutex) down(mutex)
#define mutex_unlock(mutex) up(mutex)
#define mutex_lock_interruptible(mutex) down_interruptible(mutex)
#define DEFINE_MUTEX(mutexname) DECLARE_MUTEX(mutexname)
#endif

/*
 * Kernels before 2.5.0: supply container_of(), which converts a pointer to
 * @member back into a pointer to the enclosing @type. The __mptr temporary
 * makes the compiler check that @ptr has the member's type.
 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,5,0)
#define container_of(ptr, type, member) ({ \
	const typeof( ((type *)0)->member ) *__mptr = (ptr); \
	(type *)( (char *)__mptr - offsetof(type,member) );})
#endif
/*
 * Disabled branch (#if 0): list1 expressed as aliases of the kernel's doubly
 * linked list_head primitives. Nothing in this branch is compiled; the #else
 * branch carries the implementation that is actually built.
 */
#if 0

#define list1_head list_head
#define LIST1_HEAD_INIT LIST_HEAD_INIT
#define LIST1_HEAD LIST_HEAD
#define INIT_LIST1_HEAD INIT_LIST_HEAD
#define list1_entry list_entry
#define list1_for_each list_for_each
#define list1_for_each_entry list_for_each_entry
/*
 * Resumable iteration: starts after @cookie (or after @head when @cookie is
 * NULL), stores each completed entry in @cookie and resets @cookie to NULL
 * once @head is reached again.
 */
#define list1_for_each_cookie(pos, cookie, head) \
	for ((cookie) || ((cookie) = (head)), pos = (cookie)->next; \
	     prefetch(pos->next), pos != (head) || ((cookie) = NULL); \
	     (cookie) = pos, pos = pos->next)
/*
 * list_head based variant of list1_add_tail_mb(). It sits in the #if 0
 * branch and is not compiled.
 *
 * Both links of @new are filled in before mb(), and only afterwards is @new
 * linked in from its neighbours, so an entry reachable through the list
 * already has valid next/prev pointers.
 */
static inline void list1_add_tail_mb(struct list1_head *new,
				     struct list1_head *head)
{
	struct list_head *last = head->prev;
	struct list_head *first = head;

	/* Prepare the new entry while it is still unreachable. */
	new->next = first;
	new->prev = last;
	mb(); /* Avoid out-of-order execution. */
	/* Publish it between the old last entry and the head. */
	first->prev = new;
	last->next = new;
}
#else ///////////////////////////////////////////////////////////////////////// |
/*
 * Head/node of a singly linked list. Only a forward pointer is kept; the
 * initializers below make an empty head point at itself.
 */
struct list1_head {
	struct list1_head *next;
};

/* Static initializer: the next pointer refers to the head itself. */
#define LIST1_HEAD_INIT(name) { &(name) }
/* Define a list head called @name and initialize it as empty. */
#define LIST1_HEAD(name) struct list1_head name = LIST1_HEAD_INIT(name)
/**
 * INIT_LIST1_HEAD - initialize a list head at run time.
 * @list: the &struct list1_head to initialize.
 *
 * Run-time counterpart of LIST1_HEAD_INIT().
 */
static inline void INIT_LIST1_HEAD(struct list1_head *list)
{
	/* An empty list is a head whose next pointer refers to itself. */
	list->next = list;
}
/**
 * list1_entry - get the struct for this entry
 * @ptr: the &struct list1_head pointer.
 * @type: the type of the struct this is embedded in.
 * @member: the name of the list1_head within the struct.
 *
 * Expands to container_of(); @ptr must really point at the @member of a
 * @type object, the macro cannot check that.
 */
#define list1_entry(ptr, type, member) container_of(ptr, type, member)
/**
 * list1_for_each - iterate over a list
 * @pos: the &struct list1_head to use as a loop cursor.
 * @head: the head for your list.
 *
 * Walks forward from the entry after @head and stops when the cursor is
 * @head again. The next entry is prefetched on every step.
 */
#define list1_for_each(pos, head) \
	for (pos = (head)->next; prefetch(pos->next), pos != (head); \
	     pos = pos->next)
/**
 * list1_for_each_entry - iterate over list of given type
 * @pos: the type * to use as a loop cursor.
 * @head: the head for your list.
 * @member: the name of the list1_head within the struct.
 *
 * Same walk as list1_for_each(), but @pos is the enclosing structure
 * obtained through list1_entry() instead of the bare list node.
 */
#define list1_for_each_entry(pos, head, member) \
	for (pos = list1_entry((head)->next, typeof(*pos), member); \
	     prefetch(pos->member.next), &pos->member != (head); \
	     pos = list1_entry(pos->member.next, typeof(*pos), member))
/**
 * list1_for_each_cookie - iterate over a list with cookie.
 * @pos: the &struct list1_head to use as a loop cursor.
 * @cookie: the &struct list1_head to use as a cookie.
 * @head: the head for your list.
 *
 * Same as list1_for_each() except that this primitive uses a cookie
 * so that we can continue iteration.
 *
 * If @cookie is NULL the walk starts at the entry after @head, otherwise at
 * the entry after @cookie. @cookie is set to an entry only after the loop
 * body has completed for it, and it is reset to NULL when @head is reached.
 * Leaving the loop early therefore keeps @cookie at the last completed
 * entry, and a later invocation starts again with the entry that was being
 * processed.
 */
#define list1_for_each_cookie(pos, cookie, head) \
	for ((cookie) || ((cookie) = (head)), pos = (cookie)->next; \
	     prefetch(pos->next), pos != (head) || ((cookie) = NULL); \
	     (cookie) = pos, pos = pos->next)
/**
 * list1_add_tail_mb - add a new entry with memory barrier.
 * @new: new entry to be added.
 * @head: list head to add it before.
 *
 * Same as list_add_tail_rcu() except that this primitive uses mb()
 * so that we can traverse forwards using list1_for_each() and
 * list1_for_each_cookie().
 *
 * The list keeps no tail pointer, so the last entry is found by walking
 * from @head. No lock is taken in here.
 * NOTE(review): concurrent callers presumably have to be serialized by the
 * caller, otherwise two of them could pick the same last entry - confirm.
 */
static inline void list1_add_tail_mb(struct list1_head *new,
				     struct list1_head *head)
{
	struct list1_head *tail;

	/* Complete the new entry while it is still unreachable. */
	new->next = head;
	mb(); /* Avoid out-of-order execution. */
	/* Find the entry whose next pointer still refers to @head. */
	for (tail = head; tail->next != head; tail = tail->next)
		;
	/* Publish: forward traversal can reach @new from here on. */
	tail->next = new;
}
#endif |
/* Owner uid, owner gid and inode number; embedded in struct obj_info. */
struct mini_stat {
	uid_t uid;
	gid_t gid;
	ino_t ino;
};
struct dentry;
struct vfsmount;
/*
 * Up to two paths (dentry/vfsmount pairs) together with mini_stat data for
 * path1 and for the parents of path1 and path2. It is the object argument
 * of CheckCondition().
 * NOTE(review): the *_valid flags presumably say which mini_stat members
 * have been filled in, and validate_done that filling was attempted -
 * confirm against the code that sets them.
 */
struct obj_info {
	bool validate_done;
	bool path1_valid;
	bool path1_parent_valid;
	bool path2_parent_valid;
	struct dentry *path1_dentry;
	struct vfsmount *path1_vfsmnt;
	struct dentry *path2_dentry;
	struct vfsmount *path2_vfsmnt;
	struct mini_stat path1_stat;
	/* I don't handle path2_stat for rename operation. */
	struct mini_stat path1_parent_stat;
	struct mini_stat path2_parent_stat;
};
/*
 * A name together with attributes derived from it. Each field comment gives
 * the expression the field caches. pathcmp() relies on @hash matching @name.
 * NOTE(review): presumably filled in by fill_path_info() - confirm.
 */
struct path_info {
	const char *name;
	u32 hash;          /* = full_name_hash(name, strlen(name)) */
	u16 total_len;     /* = strlen(name)                       */
	u16 const_len;     /* = const_part_length(name)            */
	bool is_dir;       /* = strendswith(name, "/")             */
	bool is_patterned; /* = PathContainsPattern(name)          */
	u16 depth;         /* = PathDepth(name)                    */
};

/*
 * NOTE(review): presumably the upper bound for the length of a name, which
 * would keep total_len and const_len within their u16 range - confirm where
 * the limit is enforced.
 */
#define CCS_MAX_PATHNAME_LEN 4000
/* One pathname belonging to a path group. */
struct path_group_member {
	struct list1_head list;               /* Link in the group's member list. */
	const struct path_info *member_name;
	/* NOTE(review): looks like removal is recorded here instead of unlinking - confirm. */
	bool is_deleted;
};
/* A named group of pathnames. */
struct path_group_entry {
	struct list1_head list;
	const struct path_info *group_name;
	struct list1_head path_group_member_list; /* List of struct path_group_member. */
};
struct in6_addr;
/*
 * One address range (min..max) belonging to an address group. The IPv4
 * form stores the values in host byte order; the IPv6 form stores pointers
 * to addresses in network byte order.
 * NOTE(review): is_ipv6 presumably tells which union member is in use and
 * has to be checked before min/max are read - confirm.
 */
struct address_group_member {
	struct list1_head list;
	union {
		u32 ipv4;                    /* Host byte order    */
		const struct in6_addr *ipv6; /* Network byte order */
	} min, max;
	bool is_deleted;
	bool is_ipv6;
};
/* A named group of address ranges. */
struct address_group_entry {
	struct list1_head list;
	const struct path_info *group_name;
	struct list1_head address_group_member_list; /* List of struct address_group_member. */
};
/*
 * TOMOYO uses the following structures.
 * Memory allocated for these structures is never kfree()ed.
 * Since no locks are used for reading, assignment must be performed atomically.
 */
/************************* The structure for domains. *************************/

struct condition_list;

/*
 * Common header of an access control entry. Every *_acl_record below embeds
 * it as its first member "head"; @type names the record kind (TYPE_*_ACL).
 * The structure is packed, so members may be unaligned.
 * NOTE(review): is_deleted looks like a tombstone, an entry being flagged
 * rather than unlinked because readers take no locks - confirm.
 */
struct acl_info {
	struct list1_head list;             /* Link in domain_info.acl_info_list - presumably; confirm. */
	const struct condition_list *cond;
	u8 type;
	bool is_deleted;
} __attribute__((__packed__));
/* One domain: its name, the profile it uses and its list of ACL entries. */
struct domain_info {
	struct list1_head list;
	struct list1_head acl_info_list;
	const struct path_info *domainname; /* Name of this domain. Never NULL. */
	u8 profile;                         /* Profile to use. */
	/* NOTE(review): u8 here while the other is_deleted flags are bool - confirm whether more than two states are used. */
	u8 is_deleted;                      /* Delete flag. */
	bool quota_warned;                  /* Quota warning done flag. */
};

/* Number of profiles; equals the number of values a u8 profile can hold. */
#define MAX_PROFILES 256
/* ACL entry pairing a program pathname with the basename of argv[0]. */
struct argv0_acl_record {
	struct acl_info head;             /* type = TYPE_ARGV0_ACL */
	const struct path_info *filename; /* Pointer to single pathname. */
	const struct path_info *argv0;    /* strrchr(argv[0], '/') + 1 */
};
/* ACL entry naming one environment variable. */
struct env_acl_record {
	struct acl_info head;        /* type = TYPE_ENV_ACL */
	const struct path_info *env; /* environment variable */
};
/* ACL entry for one capability. */
struct capability_acl_record {
	struct acl_info head; /* type = TYPE_CAPABILITY_ACL */
	u32 capability;       /* NOTE(review): presumably the index understood by capability2keyword() - confirm. */
};
/* ACL entry for sending signal @sig to domains matching @domainname. */
struct signal_acl_record {
	struct acl_info head;               /* type = TYPE_SIGNAL_ACL */
	u16 sig;
	const struct path_info *domainname; /* Pointer to destination pattern. */
};
/*
 * ACL entry for operations that take one pathname.
 * NOTE(review): u_is_group presumably tells which member of @u is in use
 * and has to be checked before @u is dereferenced - confirm.
 */
struct single_acl_record {
	struct acl_info head; /* type = TYPE_SINGLE_PATH_ACL */
	bool u_is_group;
	union {
		const struct path_info *filename;     /* Pointer to single pathname. */
		const struct path_group_entry *group; /* Pointer to pathname group. */
	} u;
	u16 perm;             /* NOTE(review): looks like a permission bit mask - confirm. */
};
/*
 * ACL entry for operations that take two pathnames.
 * NOTE(review): u1_is_group / u2_is_group presumably tell which member of
 * @u1 / @u2 is in use and have to be checked before the unions are
 * dereferenced - confirm.
 */
struct double_acl_record {
	struct acl_info head; /* type = TYPE_DOUBLE_PATH_ACL */
	bool u1_is_group;
	bool u2_is_group;
	union {
		const struct path_info *filename1;     /* Pointer to single pathname. */
		const struct path_group_entry *group1; /* Pointer to pathname group. */
	} u1;
	union {
		const struct path_info *filename2;     /* Pointer to single pathname. */
		const struct path_group_entry *group2; /* Pointer to pathname group. */
	} u2;
	u8 perm;
};
/* Values of ip_network_acl_record.record_type. */
#define IP_RECORD_TYPE_ADDRESS_GROUP 0
#define IP_RECORD_TYPE_IPv4          1
#define IP_RECORD_TYPE_IPv6          2

/*
 * ACL entry for a network operation on an address range and a port range.
 * NOTE(review): record_type presumably selects the member of @u that is in
 * use (group, ipv4 or ipv6) and has to be checked before @u is read -
 * confirm. Note the differing byte orders of the ipv4 and ipv6 members.
 */
struct ip_network_acl_record {
	struct acl_info head; /* type = TYPE_IP_NETWORK_ACL */
	u8 operation_type;
	u8 record_type;       /* IP_RECORD_TYPE_* */
	union {
		struct {
			u32 min; /* Start of IPv4 address range. Host endian. */
			u32 max; /* End of IPv4 address range. Host endian. */
		} ipv4;
		struct {
			const struct in6_addr *min; /* Start of IPv6 address range. Big endian. */
			const struct in6_addr *max; /* End of IPv6 address range. Big endian. */
		} ipv6;
		const struct address_group_entry *group; /* Pointer to address group. */
	} u;
	u16 min_port;         /* Start of port number range. */
	u16 max_port;         /* End of port number range. */
};
/************************* Keywords for ACLs. *************************/

/*
 * The keyword strings below end with a single space that is part of the
 * keyword. Each *_LEN macro is sizeof(string) - 1, i.e. the length without
 * the terminating NUL but including that trailing space.
 */
#define KEYWORD_ADDRESS_GROUP            "address_group "
#define KEYWORD_ADDRESS_GROUP_LEN        (sizeof(KEYWORD_ADDRESS_GROUP) - 1)
#define KEYWORD_AGGREGATOR               "aggregator "
#define KEYWORD_AGGREGATOR_LEN           (sizeof(KEYWORD_AGGREGATOR) - 1)
#define KEYWORD_ALIAS                    "alias "
#define KEYWORD_ALIAS_LEN                (sizeof(KEYWORD_ALIAS) - 1)
#define KEYWORD_ALLOW_ARGV0              "allow_argv0 "
#define KEYWORD_ALLOW_ARGV0_LEN          (sizeof(KEYWORD_ALLOW_ARGV0) - 1)
#define KEYWORD_ALLOW_CAPABILITY         "allow_capability "
#define KEYWORD_ALLOW_CAPABILITY_LEN     (sizeof(KEYWORD_ALLOW_CAPABILITY) - 1)
#define KEYWORD_ALLOW_CHROOT             "allow_chroot "
#define KEYWORD_ALLOW_CHROOT_LEN         (sizeof(KEYWORD_ALLOW_CHROOT) - 1)
#define KEYWORD_ALLOW_ENV                "allow_env "
#define KEYWORD_ALLOW_ENV_LEN            (sizeof(KEYWORD_ALLOW_ENV) - 1)
#define KEYWORD_ALLOW_MOUNT              "allow_mount "
#define KEYWORD_ALLOW_MOUNT_LEN          (sizeof(KEYWORD_ALLOW_MOUNT) - 1)
#define KEYWORD_ALLOW_NETWORK            "allow_network "
#define KEYWORD_ALLOW_NETWORK_LEN        (sizeof(KEYWORD_ALLOW_NETWORK) - 1)
#define KEYWORD_ALLOW_PIVOT_ROOT         "allow_pivot_root "
#define KEYWORD_ALLOW_PIVOT_ROOT_LEN     (sizeof(KEYWORD_ALLOW_PIVOT_ROOT) - 1)
#define KEYWORD_ALLOW_READ               "allow_read "
#define KEYWORD_ALLOW_READ_LEN           (sizeof(KEYWORD_ALLOW_READ) - 1)
#define KEYWORD_ALLOW_SIGNAL             "allow_signal "
#define KEYWORD_ALLOW_SIGNAL_LEN         (sizeof(KEYWORD_ALLOW_SIGNAL) - 1)
#define KEYWORD_DELETE                   "delete "
#define KEYWORD_DELETE_LEN               (sizeof(KEYWORD_DELETE) - 1)
#define KEYWORD_DENY_AUTOBIND            "deny_autobind "
#define KEYWORD_DENY_AUTOBIND_LEN        (sizeof(KEYWORD_DENY_AUTOBIND) - 1)
#define KEYWORD_DENY_REWRITE             "deny_rewrite "
#define KEYWORD_DENY_REWRITE_LEN         (sizeof(KEYWORD_DENY_REWRITE) - 1)
#define KEYWORD_DENY_UNMOUNT             "deny_unmount "
#define KEYWORD_DENY_UNMOUNT_LEN         (sizeof(KEYWORD_DENY_UNMOUNT) - 1)
#define KEYWORD_FILE_PATTERN             "file_pattern "
#define KEYWORD_FILE_PATTERN_LEN         (sizeof(KEYWORD_FILE_PATTERN) - 1)
#define KEYWORD_INITIALIZE_DOMAIN        "initialize_domain "
#define KEYWORD_INITIALIZE_DOMAIN_LEN    (sizeof(KEYWORD_INITIALIZE_DOMAIN) - 1)
#define KEYWORD_KEEP_DOMAIN              "keep_domain "
#define KEYWORD_KEEP_DOMAIN_LEN          (sizeof(KEYWORD_KEEP_DOMAIN) - 1)
#define KEYWORD_NO_INITIALIZE_DOMAIN     "no_initialize_domain "
#define KEYWORD_NO_INITIALIZE_DOMAIN_LEN (sizeof(KEYWORD_NO_INITIALIZE_DOMAIN) - 1)
#define KEYWORD_NO_KEEP_DOMAIN           "no_keep_domain "
#define KEYWORD_NO_KEEP_DOMAIN_LEN       (sizeof(KEYWORD_NO_KEEP_DOMAIN) - 1)
#define KEYWORD_PATH_GROUP               "path_group "
#define KEYWORD_PATH_GROUP_LEN           (sizeof(KEYWORD_PATH_GROUP) - 1)
#define KEYWORD_SELECT                   "select "
#define KEYWORD_SELECT_LEN               (sizeof(KEYWORD_SELECT) - 1)
#define KEYWORD_UNDELETE                 "undelete "
#define KEYWORD_UNDELETE_LEN             (sizeof(KEYWORD_UNDELETE) - 1)

/* No *_LEN companion is defined for this keyword. */
#define KEYWORD_USE_PROFILE              "use_profile "

/* Prefix ending in "::" instead of a space. */
#define KEYWORD_MAC_FOR_CAPABILITY       "MAC_FOR_CAPABILITY::"
#define KEYWORD_MAC_FOR_CAPABILITY_LEN   (sizeof(KEYWORD_MAC_FOR_CAPABILITY) - 1)

#define ROOT_NAME "<kernel>"                   /* A domain definition starts with <kernel> . */
#define ROOT_NAME_LEN (sizeof(ROOT_NAME) - 1)
/************************* Index numbers for Access Controls. *************************/

/*
 * Consecutive index numbers starting at 0. CCS_MAX_CONTROL_INDEX is one past
 * the last index, i.e. the number of entries.
 * NOTE(review): presumably the argument range of CheckCCSFlags() - confirm
 * that callers stay below CCS_MAX_CONTROL_INDEX.
 */
#define CCS_PROFILE_COMMENT            0  /* profile.conf */
#define CCS_TOMOYO_MAC_FOR_FILE        1  /* domain_policy.conf */
#define CCS_TOMOYO_MAC_FOR_ARGV0       2  /* domain_policy.conf */
#define CCS_TOMOYO_MAC_FOR_ENV         3  /* domain_policy.conf */
#define CCS_TOMOYO_MAC_FOR_NETWORK     4  /* domain_policy.conf */
#define CCS_TOMOYO_MAC_FOR_SIGNAL      5  /* domain_policy.conf */
#define CCS_SAKURA_DENY_CONCEAL_MOUNT  6
#define CCS_SAKURA_RESTRICT_CHROOT     7  /* system_policy.conf */
#define CCS_SAKURA_RESTRICT_MOUNT      8  /* system_policy.conf */
#define CCS_SAKURA_RESTRICT_UNMOUNT    9  /* system_policy.conf */
#define CCS_SAKURA_RESTRICT_PIVOT_ROOT 10 /* system_policy.conf */
#define CCS_SAKURA_RESTRICT_AUTOBIND   11 /* system_policy.conf */
#define CCS_TOMOYO_MAX_ACCEPT_ENTRY    12
#define CCS_TOMOYO_MAX_GRANT_LOG       13
#define CCS_TOMOYO_MAX_REJECT_LOG      14
#define CCS_TOMOYO_VERBOSE             15
#define CCS_ALLOW_ENFORCE_GRACE        16
#define CCS_SLEEP_PERIOD               17 /* profile.conf */
#define CCS_TOMOYO_ALT_EXEC            18 /* profile.conf */
#define CCS_MAX_CONTROL_INDEX          19
/************************* Index numbers for updates counter. *************************/

/*
 * Consecutive index numbers starting at 0. MAX_CCS_UPDATES_COUNTER is one
 * past the last index, i.e. the number of counters.
 * NOTE(review): presumably the argument range of UpdateCounter() - confirm.
 */
#define CCS_UPDATES_COUNTER_SYSTEM_POLICY    0
#define CCS_UPDATES_COUNTER_DOMAIN_POLICY    1
#define CCS_UPDATES_COUNTER_EXCEPTION_POLICY 2
#define CCS_UPDATES_COUNTER_PROFILE          3
#define CCS_UPDATES_COUNTER_QUERY            4
#define CCS_UPDATES_COUNTER_MANAGER          5
#define CCS_UPDATES_COUNTER_GRANT_LOG        6
#define CCS_UPDATES_COUNTER_REJECT_LOG       7
#define MAX_CCS_UPDATES_COUNTER              8
/************************* The structure for /proc interfaces. *************************/

/*
 * Read/write state of a /proc interface: the handlers, one mutex per
 * direction, the read cursor and the two buffers with their fill levels.
 * NOTE(review): presumably one instance per open file, set up by
 * CCS_OpenControl() - confirm.
 * NOTE(review): read_avail/write_avail and the *_size fields are plain int;
 * the code that fills the buffers has to keep each fill level within its
 * buffer size - confirm where that is checked.
 */
struct io_buffer {
	int (*read) (struct io_buffer *);
	struct mutex read_sem;
	int (*write) (struct io_buffer *);
	struct mutex write_sem;
	int (*poll) (struct file *file, poll_table *wait);
	struct list1_head *read_var1;   /* The position currently reading from. */
	struct list1_head *read_var2;   /* Extra variables for reading.         */
	struct domain_info *write_var1; /* The position currently writing to.   */
	int read_step;                  /* The step for reading.                */
	char *read_buf;                 /* Buffer for reading.                  */
	bool read_eof;                  /* EOF flag for reading.                */
	u8 read_bit;                    /* Extra variable for reading.          */
	int read_avail;                 /* Bytes available for reading.         */
	int readbuf_size;               /* Size of read buffer.                 */
	char *write_buf;                /* Buffer for writing.                  */
	int write_avail;                /* Bytes available for writing.         */
	int writebuf_size;              /* Size of write buffer.                */
};
/************************* PROTOTYPES *************************/

char *InitAuditLog(int *len, const u8 profile, const unsigned int mode);
void *ccs_alloc(const size_t size);
char *print_ipv6(char *buffer, const int buffer_len, const struct in6_addr *ip);
const char *GetAltExec(void);
const char *GetEXE(void);
const char *GetLastName(const struct domain_info *domain);
const char *GetMSG(const bool is_enforce);
const char *capability2keyword(const unsigned int capability);
const char *dp_operation2keyword(const unsigned int operation);
const char *sp_operation2keyword(const unsigned int operation);
const char *network2keyword(const unsigned int operation);
const struct condition_list *FindOrAssignNewCondition(const char *condition);
/* Add*Policy(): @data is a non-const buffer; is_delete selects removal instead of addition. */
int AddAddressGroupPolicy(char *data, const bool is_delete);
int AddAggregatorPolicy(char *data, const bool is_delete);
int AddAliasPolicy(char *data, const bool is_delete);
int AddArgv0Policy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete);
int AddCapabilityPolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete);
int AddChrootPolicy(char *data, const bool is_delete);
int AddDomainACL(struct domain_info *domain, struct acl_info *acl);
int AddDomainInitializerPolicy(char *data, const bool is_not, const bool is_delete);
int AddDomainKeeperPolicy(char *data, const bool is_not, const bool is_delete);
int AddEnvPolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete);
int AddFilePolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete);
int AddGloballyReadablePolicy(char *data, const bool is_delete);
int AddGloballyUsableEnvPolicy(char *env, const bool is_delete);
int AddMountPolicy(char *data, const bool is_delete);
int AddNetworkPolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete);
int AddNoRewritePolicy(char *pattern, const bool is_delete);
int AddNoUmountPolicy(char *data, const bool is_delete);
int AddPathGroupPolicy(char *data, const bool is_delete);
int AddPatternPolicy(char *data, const bool is_delete);
int AddPivotRootPolicy(char *data, const bool is_delete);
int AddReservedPortPolicy(char *data, const bool is_delete);
int AddSignalPolicy(char *data, struct domain_info *domain, const struct condition_list *condition, const bool is_delete);
/*
 * CCS_*Control(): @buffer in the read/write variants is a userspace pointer
 * (__user). On kernels where this header defines __user as empty the
 * annotation is not checked, so the implementations must take care never to
 * dereference @buffer directly.
 */
int CCS_CloseControl(struct file *file);
int CCS_OpenControl(const int type, struct file *file);
int CCS_PollControl(struct file *file, poll_table *wait);
int CCS_ReadControl(struct file *file, char __user *buffer, const int buffer_len);
int CCS_WriteControl(struct file *file, const char __user *buffer, const int buffer_len);
int CanSaveAuditLog(const bool is_granted);
int CheckCondition(const struct condition_list *condition, struct obj_info *obj_info);
/* printf-style; the format attribute lets the compiler check @fmt against its arguments. */
int CheckSupervisor(const char *fmt, ...) __attribute__ ((format(printf, 1, 2)));
int DelDomainACL(struct acl_info *ptr);
int DeleteDomain(char *data);
int DumpCondition(struct io_buffer *head, const struct condition_list *ptr);
bool IsCorrectDomain(const unsigned char *domainname, const char *function);
bool IsCorrectPath(const char *filename, const int start_type, const int pattern_type, const int end_type, const char *function);
bool IsDomainDef(const unsigned char *buffer);
int PathMatchesToPattern(const struct path_info *pathname0, const struct path_info *pattern0);
int PollGrantLog(struct file *file, poll_table *wait);
int PollRejectLog(struct file *file, poll_table *wait);
int ReadAddressGroupPolicy(struct io_buffer *head);
int ReadAggregatorPolicy(struct io_buffer *head);
int ReadAliasPolicy(struct io_buffer *head);
int ReadCapabilityStatus(struct io_buffer *head);
int ReadChrootPolicy(struct io_buffer *head);
int ReadDomainInitializerPolicy(struct io_buffer *head);
int ReadDomainKeeperPolicy(struct io_buffer *head);
int ReadGloballyReadablePolicy(struct io_buffer *head);
int ReadGloballyUsableEnvPolicy(struct io_buffer *head);
int ReadGrantLog(struct io_buffer *head);
int ReadMountPolicy(struct io_buffer *head);
int ReadNoRewritePolicy(struct io_buffer *head);
int ReadNoUmountPolicy(struct io_buffer *head);
int ReadPathGroupPolicy(struct io_buffer *head);
int ReadPatternPolicy(struct io_buffer *head);
int ReadPivotRootPolicy(struct io_buffer *head);
int ReadRejectLog(struct io_buffer *head);
int ReadReservedPortPolicy(struct io_buffer *head);
int SetCapabilityStatus(const char *data, unsigned int value, const unsigned int profile);
int WriteAuditLog(char *log, const bool is_granted);
/* printf-style output into @head; the format attribute lets the compiler check @fmt. */
int io_printf(struct io_buffer *head, const char *fmt, ...) __attribute__ ((format(printf, 2, 3)));
struct domain_info *FindDomain(const char *domainname);
struct domain_info *FindOrAssignNewDomain(const char *domainname, const u8 profile);
struct domain_info *UndeleteDomain(const char *domainname0);
bool CheckCCSQuota(struct domain_info * const domain);
unsigned int CheckCCSFlags(const unsigned int index);
bool CheckDomainQuota(struct domain_info * const domain);
bool TomoyoVerboseMode(void);
void UpdateCounter(const unsigned char index);
void ccs_free(const void *p);
void fill_path_info(struct path_info *ptr);
/**
 * pathcmp - compare two path_info entries, strcmp()-style.
 * @a: first entry.
 * @b: second entry.
 *
 * Returns true when the entries DIFFER and false when they are equal, so a
 * match test has to be written as !pathcmp(a, b). The precomputed hashes
 * are compared first; strcmp() on the names runs only when the hashes are
 * equal.
 */
static inline bool pathcmp(const struct path_info *a, const struct path_info *b)
{
	/* Different hashes: the names cannot be equal, skip the string compare. */
	if (a->hash != b->hash)
		return true;
	return strcmp(a->name, b->name) != 0;
}
extern struct list1_head domain_list; |
#endif |