| 3 |
* |
* |
| 4 |
* Implementation of the Domain-Based Mandatory Access Control. |
* Implementation of the Domain-Based Mandatory Access Control. |
| 5 |
* |
* |
| 6 |
* Copyright (C) 2005-2007 NTT DATA CORPORATION |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
| 7 |
* |
* |
| 8 |
* Version: 1.5.3-pre 2007/12/03 |
* Version: 1.6.0-pre 2008/01/21 |
| 9 |
* |
* |
| 10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
| 11 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
| 24 |
|
|
| 25 |
/************************* AUDIT FUNCTIONS *************************/ |
/************************* AUDIT FUNCTIONS *************************/ |
| 26 |
|
|
| 27 |
static int AuditNetworkLog(const bool is_ipv6, const char *operation, const u32 *address, const u16 port, const bool is_granted) |
static int AuditNetworkLog(const bool is_ipv6, const char *operation, const u32 *address, const u16 port, const bool is_granted, const u8 profile, const u8 mode) |
| 28 |
{ |
{ |
| 29 |
char *buf; |
char *buf; |
| 30 |
int len = 256; |
int len = 256; |
| 31 |
if (CanSaveAuditLog(is_granted) < 0) return -ENOMEM; |
if (CanSaveAuditLog(is_granted) < 0) return -ENOMEM; |
| 32 |
if ((buf = InitAuditLog(&len)) == NULL) return -ENOMEM; |
if ((buf = InitAuditLog(&len, profile, mode)) == NULL) return -ENOMEM; |
| 33 |
snprintf(buf + strlen(buf), len - strlen(buf) - 1, KEYWORD_ALLOW_NETWORK "%s ", operation); |
snprintf(buf + strlen(buf), len - strlen(buf) - 1, KEYWORD_ALLOW_NETWORK "%s ", operation); |
| 34 |
if (is_ipv6) { |
if (is_ipv6) { |
| 35 |
print_ipv6(buf + strlen(buf), len - strlen(buf), (const struct in6_addr *) address); |
print_ipv6(buf + strlen(buf), len - strlen(buf), (const struct in6_addr *) address); |
| 46 |
/* Keep the given IPv6 address on the RAM. The RAM is shared, so NEVER try to modify or kfree() the returned address. */ |
/* Keep the given IPv6 address on the RAM. The RAM is shared, so NEVER try to modify or kfree() the returned address. */ |
| 47 |
static const struct in6_addr *SaveIPv6Address(const struct in6_addr *addr) |
static const struct in6_addr *SaveIPv6Address(const struct in6_addr *addr) |
| 48 |
{ |
{ |
| 49 |
static const int block_size = 16; |
static const u8 block_size = 16; |
| 50 |
struct addr_list { |
struct addr_list { |
| 51 |
struct in6_addr addr[block_size]; |
struct in6_addr addr[block_size]; |
| 52 |
struct list1_head list; |
struct list1_head list; |
| 55 |
static LIST1_HEAD(address_list); |
static LIST1_HEAD(address_list); |
| 56 |
struct addr_list *ptr; |
struct addr_list *ptr; |
| 57 |
static DEFINE_MUTEX(lock); |
static DEFINE_MUTEX(lock); |
| 58 |
int i = block_size; |
u8 i = block_size; |
| 59 |
if (!addr) return NULL; |
if (!addr) return NULL; |
| 60 |
mutex_lock(&lock); |
mutex_lock(&lock); |
| 61 |
list1_for_each_entry(ptr, &address_list, list) { |
list1_for_each_entry(ptr, &address_list, list) { |
| 141 |
|
|
| 142 |
int AddAddressGroupPolicy(char *data, const bool is_delete) |
int AddAddressGroupPolicy(char *data, const bool is_delete) |
| 143 |
{ |
{ |
| 144 |
int count, is_ipv6; |
u8 count; |
| 145 |
|
bool is_ipv6; |
| 146 |
u16 min_address[8], max_address[8]; |
u16 min_address[8], max_address[8]; |
| 147 |
char *cp = strchr(data, ' '); |
char *cp = strchr(data, ' '); |
| 148 |
if (!cp) return -EINVAL; |
if (!cp) return -EINVAL; |
| 152 |
&min_address[4], &min_address[5], &min_address[6], &min_address[7], |
&min_address[4], &min_address[5], &min_address[6], &min_address[7], |
| 153 |
&max_address[0], &max_address[1], &max_address[2], &max_address[3], |
&max_address[0], &max_address[1], &max_address[2], &max_address[3], |
| 154 |
&max_address[4], &max_address[5], &max_address[6], &max_address[7])) == 8 || count == 16) { |
&max_address[4], &max_address[5], &max_address[6], &max_address[7])) == 8 || count == 16) { |
| 155 |
int i; |
u8 i; |
| 156 |
for (i = 0; i < 8; i++) { |
for (i = 0; i < 8; i++) { |
| 157 |
min_address[i] = htons(min_address[i]); |
min_address[i] = htons(min_address[i]); |
| 158 |
max_address[i] = htons(max_address[i]); |
max_address[i] = htons(max_address[i]); |
| 175 |
|
|
| 176 |
static struct address_group_entry *FindOrAssignNewAddressGroup(const char *group_name) |
static struct address_group_entry *FindOrAssignNewAddressGroup(const char *group_name) |
| 177 |
{ |
{ |
| 178 |
int i; |
u8 i; |
| 179 |
struct address_group_entry *group; |
struct address_group_entry *group; |
| 180 |
for (i = 0; i <= 1; i++) { |
for (i = 0; i <= 1; i++) { |
| 181 |
list1_for_each_entry(group, &address_group_list, list) { |
list1_for_each_entry(group, &address_group_list, list) { |
| 190 |
return NULL; |
return NULL; |
| 191 |
} |
} |
| 192 |
|
|
| 193 |
static int AddressMatchesToGroup(const bool is_ipv6, const u32 *address, const struct address_group_entry *group) |
static bool AddressMatchesToGroup(const bool is_ipv6, const u32 *address, const struct address_group_entry *group) |
| 194 |
{ |
{ |
| 195 |
struct address_group_member *member; |
struct address_group_member *member; |
| 196 |
const u32 ip = ntohl(*address); |
const u32 ip = ntohl(*address); |
| 261 |
return buffer; |
return buffer; |
| 262 |
} |
} |
| 263 |
|
|
| 264 |
const char *network2keyword(const unsigned int operation) |
const char *net_operation2keyword(const u8 operation) |
| 265 |
{ |
{ |
| 266 |
const char *keyword = "unknown"; |
const char *keyword = "unknown"; |
| 267 |
switch (operation) { |
switch (operation) { |
| 308 |
mutex_lock(&domain_acl_lock); |
mutex_lock(&domain_acl_lock); |
| 309 |
if (!is_delete) { |
if (!is_delete) { |
| 310 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
| 311 |
|
if ((ptr->type & ~(ACL_DELETED | ACL_WITH_CONDITION)) != TYPE_IP_NETWORK_ACL) continue; |
| 312 |
|
if (GetConditionPart(ptr) != condition) continue; |
| 313 |
acl = container_of(ptr, struct ip_network_acl_record, head); |
acl = container_of(ptr, struct ip_network_acl_record, head); |
| 314 |
if (ptr->type == TYPE_IP_NETWORK_ACL && acl->operation_type == operation && acl->record_type == record_type && ptr->cond == condition && acl->min_port == min_port && max_port == acl->max_port) { |
if (acl->operation_type != operation || acl->record_type != record_type || acl->min_port != min_port || max_port != acl->max_port) continue; |
| 315 |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
| 316 |
if (acl->u.group == group) { |
if (acl->u.group != group) continue; |
| 317 |
ptr->is_deleted = 0; |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
| 318 |
/* Found. Nothing to do. */ |
if (acl->u.ipv4.min != min_ip || max_ip != acl->u.ipv4.max) continue; |
| 319 |
error = 0; |
} else if (record_type == IP_RECORD_TYPE_IPv6) { |
| 320 |
goto out; |
if (acl->u.ipv6.min != saved_min_address || saved_max_address != acl->u.ipv6.max) continue; |
|
} |
|
|
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
|
|
if (acl->u.ipv4.min == min_ip && max_ip == acl->u.ipv4.max) { |
|
|
ptr->is_deleted = 0; |
|
|
/* Found. Nothing to do. */ |
|
|
error = 0; |
|
|
goto out; |
|
|
} |
|
|
} else if (record_type == IP_RECORD_TYPE_IPv6) { |
|
|
if (acl->u.ipv6.min == saved_min_address && saved_max_address == acl->u.ipv6.max) { |
|
|
ptr->is_deleted = 0; |
|
|
/* Found. Nothing to do. */ |
|
|
error = 0; |
|
|
goto out; |
|
|
} |
|
|
} |
|
| 321 |
} |
} |
| 322 |
|
error = AddDomainACL(NULL, ptr); |
| 323 |
|
goto out; |
| 324 |
} |
} |
| 325 |
/* Not found. Append it to the tail. */ |
/* Not found. Append it to the tail. */ |
| 326 |
if ((acl = alloc_element(sizeof(*acl))) == NULL) goto out; |
if ((acl = alloc_acl_element(TYPE_IP_NETWORK_ACL, condition)) == NULL) goto out; |
|
acl->head.type = TYPE_IP_NETWORK_ACL; |
|
| 327 |
acl->operation_type = operation; |
acl->operation_type = operation; |
| 328 |
acl->record_type = record_type; |
acl->record_type = record_type; |
|
acl->head.cond = condition; |
|
| 329 |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
| 330 |
acl->u.group = group; |
acl->u.group = group; |
| 331 |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
| 341 |
} else { |
} else { |
| 342 |
error = -ENOENT; |
error = -ENOENT; |
| 343 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
| 344 |
|
if ((ptr->type & ~ACL_WITH_CONDITION) != TYPE_IP_NETWORK_ACL) continue; |
| 345 |
|
if (GetConditionPart(ptr) != condition) continue; |
| 346 |
acl = container_of(ptr, struct ip_network_acl_record, head); |
acl = container_of(ptr, struct ip_network_acl_record, head); |
| 347 |
if (ptr->type != TYPE_IP_NETWORK_ACL || ptr->is_deleted || acl->operation_type != operation || acl->record_type != record_type || ptr->cond != condition || acl->min_port != min_port || acl->max_port != max_port) continue; |
if (acl->operation_type != operation || acl->record_type != record_type || acl->min_port != min_port || max_port != acl->max_port) continue; |
| 348 |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
if (record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
| 349 |
if (acl->u.group != group) continue; |
if (acl->u.group != group) continue; |
| 350 |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
} else if (record_type == IP_RECORD_TYPE_IPv4) { |
| 361 |
return error; |
return error; |
| 362 |
} |
} |
| 363 |
|
|
| 364 |
static int CheckNetworkEntry(const bool is_ipv6, const int operation, const u32 *address, const u16 port) |
static int CheckNetworkEntry(const bool is_ipv6, const u8 operation, const u32 *address, const u16 port) |
| 365 |
{ |
{ |
| 366 |
struct domain_info * const domain = current->domain_info; |
struct domain_info * const domain = current->domain_info; |
| 367 |
struct acl_info *ptr; |
struct acl_info *ptr; |
| 368 |
const char *keyword = network2keyword(operation); |
const char *keyword = net_operation2keyword(operation); |
| 369 |
const bool is_enforce = CheckCCSEnforce(CCS_TOMOYO_MAC_FOR_NETWORK); |
const u8 profile = current->domain_info->profile; |
| 370 |
|
const u8 mode = CheckCCSFlags(CCS_TOMOYO_MAC_FOR_NETWORK); |
| 371 |
|
const bool is_enforce = (mode == 3); |
| 372 |
const u32 ip = ntohl(*address); /* using host byte order to allow u32 comparison than memcmp().*/ |
const u32 ip = ntohl(*address); /* using host byte order to allow u32 comparison than memcmp().*/ |
| 373 |
bool found = 0; |
bool found = 0; |
| 374 |
if (!CheckCCSFlags(CCS_TOMOYO_MAC_FOR_NETWORK)) return 0; |
if (!mode) return 0; |
| 375 |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
list1_for_each_entry(ptr, &domain->acl_info_list, list) { |
| 376 |
struct ip_network_acl_record *acl; |
struct ip_network_acl_record *acl; |
| 377 |
|
if ((ptr->type & ~ACL_WITH_CONDITION) != TYPE_IP_NETWORK_ACL) continue; |
| 378 |
acl = container_of(ptr, struct ip_network_acl_record, head); |
acl = container_of(ptr, struct ip_network_acl_record, head); |
| 379 |
if (ptr->type != TYPE_IP_NETWORK_ACL || ptr->is_deleted || acl->operation_type != operation || port < acl->min_port || acl->max_port < port || CheckCondition(ptr->cond, NULL)) continue; |
if (acl->operation_type != operation || port < acl->min_port || acl->max_port < port || !CheckCondition(ptr, NULL)) continue; |
| 380 |
if (acl->record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
if (acl->record_type == IP_RECORD_TYPE_ADDRESS_GROUP) { |
| 381 |
if (!AddressMatchesToGroup(is_ipv6, address, acl->u.group)) continue; |
if (!AddressMatchesToGroup(is_ipv6, address, acl->u.group)) continue; |
| 382 |
} else if (acl->record_type == IP_RECORD_TYPE_IPv4) { |
} else if (acl->record_type == IP_RECORD_TYPE_IPv4) { |
| 386 |
} |
} |
| 387 |
found = 1; |
found = 1; |
| 388 |
break; |
break; |
|
|
|
| 389 |
} |
} |
| 390 |
AuditNetworkLog(is_ipv6, keyword, address, port, found); |
AuditNetworkLog(is_ipv6, keyword, address, port, found, profile, mode); |
| 391 |
if (found) return 0; |
if (found) return 0; |
| 392 |
if (TomoyoVerboseMode()) { |
if (TomoyoVerboseMode()) { |
| 393 |
if (is_ipv6) { |
if (is_ipv6) { |
| 398 |
printk("TOMOYO-%s: %s to %u.%u.%u.%u %u denied for %s\n", GetMSG(is_enforce), keyword, HIPQUAD(ip), port, GetLastName(domain)); |
printk("TOMOYO-%s: %s to %u.%u.%u.%u %u denied for %s\n", GetMSG(is_enforce), keyword, HIPQUAD(ip), port, GetLastName(domain)); |
| 399 |
} |
} |
| 400 |
} |
} |
|
AuditNetworkLog(is_ipv6, keyword, address, port, 0); |
|
| 401 |
if (is_enforce) { |
if (is_enforce) { |
| 402 |
if (is_ipv6) { |
if (is_ipv6) { |
| 403 |
char buf[64]; |
char buf[64]; |
| 406 |
} |
} |
| 407 |
return CheckSupervisor("%s\n" KEYWORD_ALLOW_NETWORK "%s %u.%u.%u.%u %u\n", domain->domainname->name, keyword, HIPQUAD(ip), port); |
return CheckSupervisor("%s\n" KEYWORD_ALLOW_NETWORK "%s %u.%u.%u.%u %u\n", domain->domainname->name, keyword, HIPQUAD(ip), port); |
| 408 |
} |
} |
| 409 |
if (CheckCCSAccept(CCS_TOMOYO_MAC_FOR_NETWORK, domain)) AddNetworkEntry(operation, is_ipv6 ? IP_RECORD_TYPE_IPv6 : IP_RECORD_TYPE_IPv4, NULL, address, address, port, port, domain, NULL, 0); |
else if (mode == 1 && CheckDomainQuota(domain)) AddNetworkEntry(operation, is_ipv6 ? IP_RECORD_TYPE_IPv6 : IP_RECORD_TYPE_IPv4, NULL, address, address, port, port, domain, NULL, 0); |
| 410 |
return 0; |
return 0; |
| 411 |
} |
} |
| 412 |
|
|
| 416 |
u16 min_address[8], max_address[8]; |
u16 min_address[8], max_address[8]; |
| 417 |
struct address_group_entry *group = NULL; |
struct address_group_entry *group = NULL; |
| 418 |
u16 min_port, max_port; |
u16 min_port, max_port; |
| 419 |
int count; |
u8 count; |
| 420 |
char *cp1 = NULL, *cp2 = NULL; |
char *cp1 = NULL, *cp2 = NULL; |
| 421 |
if ((cp1 = strchr(data, ' ')) == NULL) goto out; cp1++; |
if ((cp1 = strchr(data, ' ')) == NULL) goto out; cp1++; |
| 422 |
if (strncmp(data, "TCP ", 4) == 0) sock_type = SOCK_STREAM; |
if (strncmp(data, "TCP ", 4) == 0) sock_type = SOCK_STREAM; |
| 441 |
&min_address[4], &min_address[5], &min_address[6], &min_address[7], |
&min_address[4], &min_address[5], &min_address[6], &min_address[7], |
| 442 |
&max_address[0], &max_address[1], &max_address[2], &max_address[3], |
&max_address[0], &max_address[1], &max_address[2], &max_address[3], |
| 443 |
&max_address[4], &max_address[5], &max_address[6], &max_address[7])) == 8 || count == 16) { |
&max_address[4], &max_address[5], &max_address[6], &max_address[7])) == 8 || count == 16) { |
| 444 |
int i; |
u8 i; |
| 445 |
for (i = 0; i < 8; i++) { |
for (i = 0; i < 8; i++) { |
| 446 |
min_address[i] = htons(min_address[i]); |
min_address[i] = htons(min_address[i]); |
| 447 |
max_address[i] = htons(max_address[i]); |
max_address[i] = htons(max_address[i]); |
| 475 |
{ |
{ |
| 476 |
return CheckNetworkEntry(is_ipv6, NETWORK_ACL_TCP_LISTEN, (const u32 *) address, ntohs(port)); |
return CheckNetworkEntry(is_ipv6, NETWORK_ACL_TCP_LISTEN, (const u32 *) address, ntohs(port)); |
| 477 |
} |
} |
|
EXPORT_SYMBOL(CheckNetworkListenACL); |
|
| 478 |
|
|
| 479 |
int CheckNetworkConnectACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) |
int CheckNetworkConnectACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) |
| 480 |
{ |
{ |
| 481 |
return CheckNetworkEntry(is_ipv6, sock_type == SOCK_STREAM ? NETWORK_ACL_TCP_CONNECT : (sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT), (const u32 *) address, ntohs(port)); |
return CheckNetworkEntry(is_ipv6, sock_type == SOCK_STREAM ? NETWORK_ACL_TCP_CONNECT : (sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT), (const u32 *) address, ntohs(port)); |
| 482 |
} |
} |
|
EXPORT_SYMBOL(CheckNetworkConnectACL); |
|
| 483 |
|
|
| 484 |
int CheckNetworkBindACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) |
int CheckNetworkBindACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) |
| 485 |
{ |
{ |
| 486 |
return CheckNetworkEntry(is_ipv6, sock_type == SOCK_STREAM ? NETWORK_ACL_TCP_BIND : (sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_BIND : NETWORK_ACL_RAW_BIND), (const u32 *) address, ntohs(port)); |
return CheckNetworkEntry(is_ipv6, sock_type == SOCK_STREAM ? NETWORK_ACL_TCP_BIND : (sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_BIND : NETWORK_ACL_RAW_BIND), (const u32 *) address, ntohs(port)); |
| 487 |
} |
} |
|
EXPORT_SYMBOL(CheckNetworkBindACL); |
|
| 488 |
|
|
| 489 |
int CheckNetworkAcceptACL(const _Bool is_ipv6, const u8 *address, const u16 port) |
int CheckNetworkAcceptACL(const _Bool is_ipv6, const u8 *address, const u16 port) |
| 490 |
{ |
{ |
| 494 |
current->tomoyo_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
current->tomoyo_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
| 495 |
return retval; |
return retval; |
| 496 |
} |
} |
|
EXPORT_SYMBOL(CheckNetworkAcceptACL); |
|
| 497 |
|
|
| 498 |
int CheckNetworkSendMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) |
int CheckNetworkSendMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) |
| 499 |
{ |
{ |
| 500 |
return CheckNetworkEntry(is_ipv6, sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT, (const u32 *) address, ntohs(port)); |
return CheckNetworkEntry(is_ipv6, sock_type == SOCK_DGRAM ? NETWORK_ACL_UDP_CONNECT : NETWORK_ACL_RAW_CONNECT, (const u32 *) address, ntohs(port)); |
| 501 |
} |
} |
|
EXPORT_SYMBOL(CheckNetworkSendMsgACL); |
|
| 502 |
|
|
| 503 |
int CheckNetworkRecvMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) |
int CheckNetworkRecvMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) |
| 504 |
{ |
{ |
| 508 |
current->tomoyo_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
current->tomoyo_flags &= ~CCS_DONT_SLEEP_ON_ENFORCE_ERROR; |
| 509 |
return retval; |
return retval; |
| 510 |
} |
} |
|
EXPORT_SYMBOL(CheckNetworkRecvMsgACL); |
|
| 511 |
|
|
| 512 |
/***** TOMOYO Linux end. *****/ |
/***** TOMOYO Linux end. *****/ |
TOMOYO
Parent Directory
Revision Log
Patch