オープンソース・ソフトウェアの開発とダウンロード

TOMOYO

Subversion リポジトリの参照

/[tomoyo]/branches/ccs-patch/security/ccsecurity/internal.h

Contents of /branches/ccs-patch/security/ccsecurity/internal.h

Parent Directory Parent Directory | Revision Log Revision Log

Revision 3707 - (show annotations) (download) (as text)
Tue Jun 1 05:21:48 2010 UTC (14 years ago) by kumaneko
File MIME type: text/x-chdr
File size: 40241 byte(s) 
Allow wildcard for execute permission and domainname
1 /*
2 * security/ccsecurity/internal.h
3 *
4 * Copyright (C) 2005-2010 NTT DATA CORPORATION
5 *
6 * Version: 1.7.2 2010/04/01
7 *
8 * This file is applicable to both 2.4.30 and 2.6.11 and later.
9 * See README.ccs for ChangeLog.
10 *
11 */
12
13 #ifndef _SECURITY_CCSECURITY_INTERNAL_H
14 #define _SECURITY_CCSECURITY_INTERNAL_H
15
16 #include <linux/string.h>
17 #include <linux/mm.h>
18 #include <linux/utime.h>
19 #include <linux/file.h>
20 #include <linux/smp_lock.h>
21 #include <linux/module.h>
22 #include <linux/init.h>
23 #include <linux/slab.h>
24 #include <linux/poll.h>
25 #include <linux/binfmts.h>
26 #include <asm/uaccess.h>
27 #include <stdarg.h>
28 #include <linux/delay.h>
29 #include <linux/sched.h>
30 #include <linux/version.h>
31 #include <linux/in6.h>
32 #include <linux/ccsecurity.h>
33 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
34 #include <linux/fs.h>
35 #endif
36 #include "compat.h"
37
38 /* Prototype definition for "struct ccsecurity_operations". */
39
40 void __init ccs_policy_io_init(void);
41 void __init ccs_mm_init(void);
42 void __init ccs_domain_init(void);
43 void __init ccs_file_init(void);
44 void __init ccs_network_init(void);
45 void __init ccs_signal_init(void);
46 void __init ccs_capability_init(void);
47 void __init ccs_mount_init(void);
48 void __init ccs_maymount_init(void);
49
50 /* Index numbers for Access Controls. */
51 enum ccs_acl_entry_type_index {
52 CCS_TYPE_PATH_ACL,
53 CCS_TYPE_PATH2_ACL,
54 CCS_TYPE_PATH_NUMBER_ACL,
55 CCS_TYPE_PATH_NUMBER3_ACL,
56 CCS_TYPE_ENV_ACL,
57 CCS_TYPE_CAPABILITY_ACL,
58 CCS_TYPE_IP_NETWORK_ACL,
59 CCS_TYPE_SIGNAL_ACL,
60 CCS_TYPE_MOUNT_ACL,
61 CCS_TYPE_EXECUTE_HANDLER,
62 CCS_TYPE_DENIED_EXECUTE_HANDLER
63 };
64
65 /*
66 * CCS_TYPE_READ_WRITE is special. CCS_TYPE_READ_WRITE is automatically set if
67 * both CCS_TYPE_READ and CCS_TYPE_WRITE are set. Both CCS_TYPE_READ and
68 * CCS_TYPE_WRITE are automatically set if CCS_TYPE_READ_WRITE is set.
69 * CCS_TYPE_READ_WRITE is automatically cleared if either CCS_TYPE_READ or
70 * CCS_TYPE_WRITE is cleared. Both CCS_TYPE_READ and CCS_TYPE_WRITE are
71 * automatically cleared if CCS_TYPE_READ_WRITE is cleared.
72 */
73
74 enum ccs_path_acl_index {
75 CCS_TYPE_READ_WRITE,
76 CCS_TYPE_EXECUTE,
77 CCS_TYPE_READ,
78 CCS_TYPE_WRITE,
79 CCS_TYPE_UNLINK,
80 CCS_TYPE_RMDIR,
81 CCS_TYPE_TRUNCATE,
82 CCS_TYPE_SYMLINK,
83 CCS_TYPE_REWRITE,
84 CCS_TYPE_CHROOT,
85 CCS_TYPE_UMOUNT,
86 CCS_TYPE_TRANSIT,
87 CCS_MAX_PATH_OPERATION
88 };
89
90 #define CCS_RW_MASK ((1 << CCS_TYPE_READ) | (1 << CCS_TYPE_WRITE))
91
92 enum ccs_path_number3_acl_index {
93 CCS_TYPE_MKBLOCK,
94 CCS_TYPE_MKCHAR,
95 CCS_MAX_PATH_NUMBER3_OPERATION
96 };
97
98 enum ccs_path2_acl_index {
99 CCS_TYPE_LINK,
100 CCS_TYPE_RENAME,
101 CCS_TYPE_PIVOT_ROOT,
102 CCS_MAX_PATH2_OPERATION
103 };
104
105 enum ccs_path_number_acl_index {
106 CCS_TYPE_CREATE,
107 CCS_TYPE_MKDIR,
108 CCS_TYPE_MKFIFO,
109 CCS_TYPE_MKSOCK,
110 CCS_TYPE_IOCTL,
111 CCS_TYPE_CHMOD,
112 CCS_TYPE_CHOWN,
113 CCS_TYPE_CHGRP,
114 CCS_MAX_PATH_NUMBER_OPERATION
115 };
116
117 enum ccs_network_acl_index {
118 CCS_NETWORK_UDP_BIND, /* UDP's bind() operation. */
119 CCS_NETWORK_UDP_CONNECT, /* UDP's connect()/send()/recv() operation. */
120 CCS_NETWORK_TCP_BIND, /* TCP's bind() operation. */
121 CCS_NETWORK_TCP_LISTEN, /* TCP's listen() operation. */
122 CCS_NETWORK_TCP_CONNECT, /* TCP's connect() operation. */
123 CCS_NETWORK_TCP_ACCEPT, /* TCP's accept() operation. */
124 CCS_NETWORK_RAW_BIND, /* IP's bind() operation. */
125 CCS_NETWORK_RAW_CONNECT, /* IP's connect()/send()/recv() operation. */
126 CCS_MAX_NETWORK_OPERATION
127 };
128
129 enum ccs_ip_address_type {
130 CCS_IP_ADDRESS_TYPE_ADDRESS_GROUP,
131 CCS_IP_ADDRESS_TYPE_IPv4,
132 CCS_IP_ADDRESS_TYPE_IPv6
133 };
134
135 /* Indexes for /proc/ccs/ interfaces. */
136 enum ccs_proc_interface_index {
137 CCS_DOMAINPOLICY,
138 CCS_EXCEPTIONPOLICY,
139 CCS_DOMAIN_STATUS,
140 CCS_PROCESS_STATUS,
141 CCS_MEMINFO,
142 CCS_GRANTLOG,
143 CCS_REJECTLOG,
144 CCS_SELFDOMAIN,
145 CCS_VERSION,
146 CCS_PROFILE,
147 CCS_QUERY,
148 CCS_MANAGER,
149 CCS_EXECUTE_HANDLER
150 };
151
152 enum ccs_mac_index {
153 CCS_MAC_FILE_EXECUTE,
154 CCS_MAC_FILE_OPEN,
155 CCS_MAC_FILE_CREATE,
156 CCS_MAC_FILE_UNLINK,
157 CCS_MAC_FILE_MKDIR,
158 CCS_MAC_FILE_RMDIR,
159 CCS_MAC_FILE_MKFIFO,
160 CCS_MAC_FILE_MKSOCK,
161 CCS_MAC_FILE_TRUNCATE,
162 CCS_MAC_FILE_SYMLINK,
163 CCS_MAC_FILE_REWRITE,
164 CCS_MAC_FILE_MKBLOCK,
165 CCS_MAC_FILE_MKCHAR,
166 CCS_MAC_FILE_LINK,
167 CCS_MAC_FILE_RENAME,
168 CCS_MAC_FILE_CHMOD,
169 CCS_MAC_FILE_CHOWN,
170 CCS_MAC_FILE_CHGRP,
171 CCS_MAC_FILE_IOCTL,
172 CCS_MAC_FILE_CHROOT,
173 CCS_MAC_FILE_MOUNT,
174 CCS_MAC_FILE_UMOUNT,
175 CCS_MAC_FILE_PIVOT_ROOT,
176 CCS_MAC_FILE_TRANSIT,
177 CCS_MAC_NETWORK_UDP_BIND,
178 CCS_MAC_NETWORK_UDP_CONNECT,
179 CCS_MAC_NETWORK_TCP_BIND,
180 CCS_MAC_NETWORK_TCP_LISTEN,
181 CCS_MAC_NETWORK_TCP_CONNECT,
182 CCS_MAC_NETWORK_TCP_ACCEPT,
183 CCS_MAC_NETWORK_RAW_BIND,
184 CCS_MAC_NETWORK_RAW_CONNECT,
185 CCS_MAC_ENVIRON,
186 CCS_MAC_SIGNAL,
187 CCS_MAX_MAC_INDEX
188 };
189
190 enum ccs_mac_category_index {
191 CCS_MAC_CATEGORY_FILE,
192 CCS_MAC_CATEGORY_NETWORK,
193 CCS_MAC_CATEGORY_MISC,
194 CCS_MAC_CATEGORY_IPC,
195 CCS_MAC_CATEGORY_CAPABILITY,
196 CCS_MAX_MAC_CATEGORY_INDEX
197 };
198
199 enum ccs_conditions_index {
200 CCS_TASK_UID, /* current_uid() */
201 CCS_TASK_EUID, /* current_euid() */
202 CCS_TASK_SUID, /* current_suid() */
203 CCS_TASK_FSUID, /* current_fsuid() */
204 CCS_TASK_GID, /* current_gid() */
205 CCS_TASK_EGID, /* current_egid() */
206 CCS_TASK_SGID, /* current_sgid() */
207 CCS_TASK_FSGID, /* current_fsgid() */
208 CCS_TASK_PID, /* sys_getpid() */
209 CCS_TASK_PPID, /* sys_getppid() */
210 CCS_EXEC_ARGC, /* "struct linux_binprm *"->argc */
211 CCS_EXEC_ENVC, /* "struct linux_binprm *"->envc */
212 CCS_TASK_STATE_0, /* (u8) (current->ccs_flags >> 24) */
213 CCS_TASK_STATE_1, /* (u8) (current->ccs_flags >> 16) */
214 CCS_TASK_STATE_2, /* (u8) (task->ccs_flags >> 8) */
215 CCS_TYPE_IS_SOCKET, /* S_IFSOCK */
216 CCS_TYPE_IS_SYMLINK, /* S_IFLNK */
217 CCS_TYPE_IS_FILE, /* S_IFREG */
218 CCS_TYPE_IS_BLOCK_DEV, /* S_IFBLK */
219 CCS_TYPE_IS_DIRECTORY, /* S_IFDIR */
220 CCS_TYPE_IS_CHAR_DEV, /* S_IFCHR */
221 CCS_TYPE_IS_FIFO, /* S_IFIFO */
222 CCS_MODE_SETUID, /* S_ISUID */
223 CCS_MODE_SETGID, /* S_ISGID */
224 CCS_MODE_STICKY, /* S_ISVTX */
225 CCS_MODE_OWNER_READ, /* S_IRUSR */
226 CCS_MODE_OWNER_WRITE, /* S_IWUSR */
227 CCS_MODE_OWNER_EXECUTE, /* S_IXUSR */
228 CCS_MODE_GROUP_READ, /* S_IRGRP */
229 CCS_MODE_GROUP_WRITE, /* S_IWGRP */
230 CCS_MODE_GROUP_EXECUTE, /* S_IXGRP */
231 CCS_MODE_OTHERS_READ, /* S_IROTH */
232 CCS_MODE_OTHERS_WRITE, /* S_IWOTH */
233 CCS_MODE_OTHERS_EXECUTE, /* S_IXOTH */
234 CCS_TASK_TYPE, /* ((u8) task->ccs_flags) &
235 CCS_TASK_IS_EXECUTE_HANDLER */
236 CCS_TASK_EXECUTE_HANDLER, /* CCS_TASK_IS_EXECUTE_HANDLER */
237 CCS_EXEC_REALPATH,
238 CCS_SYMLINK_TARGET,
239 CCS_PATH1_UID,
240 CCS_PATH1_GID,
241 CCS_PATH1_INO,
242 CCS_PATH1_MAJOR,
243 CCS_PATH1_MINOR,
244 CCS_PATH1_PERM,
245 CCS_PATH1_TYPE,
246 CCS_PATH1_DEV_MAJOR,
247 CCS_PATH1_DEV_MINOR,
248 CCS_PATH2_UID,
249 CCS_PATH2_GID,
250 CCS_PATH2_INO,
251 CCS_PATH2_MAJOR,
252 CCS_PATH2_MINOR,
253 CCS_PATH2_PERM,
254 CCS_PATH2_TYPE,
255 CCS_PATH2_DEV_MAJOR,
256 CCS_PATH2_DEV_MINOR,
257 CCS_PATH1_PARENT_UID,
258 CCS_PATH1_PARENT_GID,
259 CCS_PATH1_PARENT_INO,
260 CCS_PATH1_PARENT_PERM,
261 CCS_PATH2_PARENT_UID,
262 CCS_PATH2_PARENT_GID,
263 CCS_PATH2_PARENT_INO,
264 CCS_PATH2_PARENT_PERM,
265 CCS_MAX_CONDITION_KEYWORD,
266 CCS_NUMBER_UNION,
267 CCS_NAME_UNION,
268 CCS_ARGV_ENTRY,
269 CCS_ENVP_ENTRY
270 };
271
272 enum ccs_stat_index {
273 CCS_PATH1,
274 CCS_PATH1_PARENT,
275 CCS_PATH2,
276 CCS_PATH2_PARENT,
277 CCS_MAX_STAT
278 };
279
280 /* Keywords for ACLs. */
281 #define CCS_KEYWORD_ADDRESS_GROUP "address_group "
282 #define CCS_KEYWORD_AGGREGATOR "aggregator "
283 #define CCS_KEYWORD_ALLOW_CAPABILITY "allow_capability "
284 #define CCS_KEYWORD_ALLOW_ENV "allow_env "
285 #define CCS_KEYWORD_ALLOW_MOUNT "allow_mount "
286 #define CCS_KEYWORD_ALLOW_NETWORK "allow_network "
287 #define CCS_KEYWORD_ALLOW_READ "allow_read "
288 #define CCS_KEYWORD_ALLOW_SIGNAL "allow_signal "
289 #define CCS_KEYWORD_DELETE "delete "
290 #define CCS_KEYWORD_DENY_AUTOBIND "deny_autobind "
291 #define CCS_KEYWORD_DENY_REWRITE "deny_rewrite "
292 #define CCS_KEYWORD_FILE_PATTERN "file_pattern "
293 #define CCS_KEYWORD_INITIALIZE_DOMAIN "initialize_domain "
294 #define CCS_KEYWORD_KEEP_DOMAIN "keep_domain "
295 #define CCS_KEYWORD_NO_INITIALIZE_DOMAIN "no_initialize_domain "
296 #define CCS_KEYWORD_NO_KEEP_DOMAIN "no_keep_domain "
297 #define CCS_KEYWORD_PATH_GROUP "path_group "
298 #define CCS_KEYWORD_PREFERENCE_AUDIT "PREFERENCE::audit"
299 #define CCS_KEYWORD_PREFERENCE_ENFORCING "PREFERENCE::enforcing"
300 #define CCS_KEYWORD_PREFERENCE_LEARNING "PREFERENCE::learning"
301 #define CCS_KEYWORD_PREFERENCE_PERMISSIVE "PREFERENCE::permissive"
302 #define CCS_KEYWORD_NUMBER_GROUP "number_group "
303 #define CCS_KEYWORD_SELECT "select "
304 #define CCS_KEYWORD_USE_PROFILE "use_profile "
305 #define CCS_KEYWORD_IGNORE_GLOBAL "ignore_global"
306 #define CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_READ "ignore_global_allow_read"
307 #define CCS_KEYWORD_IGNORE_GLOBAL_ALLOW_ENV "ignore_global_allow_env"
308 #define CCS_KEYWORD_QUOTA_EXCEEDED "quota_exceeded"
309 #define CCS_KEYWORD_TRANSITION_FAILED "transition_failed"
310 #define CCS_KEYWORD_EXECUTE_HANDLER "execute_handler"
311 #define CCS_KEYWORD_DENIED_EXECUTE_HANDLER "denied_execute_handler"
312
313 /* A domain definition starts with <kernel>. */
314 #define CCS_ROOT_NAME "<kernel>"
315 #define CCS_ROOT_NAME_LEN (sizeof(CCS_ROOT_NAME) - 1)
316
317 /* Value type definition. */
318 enum ccs_value_type {
319 CCS_VALUE_TYPE_INVALID,
320 CCS_VALUE_TYPE_DECIMAL,
321 CCS_VALUE_TYPE_OCTAL,
322 CCS_VALUE_TYPE_HEXADECIMAL
323 };
324
325 #define CCS_EXEC_TMPSIZE 4096
326
327 /* Profile number is an integer between 0 and 255. */
328 #define CCS_MAX_PROFILES 256
329
330 enum ccs_mode_value {
331 CCS_CONFIG_DISABLED,
332 CCS_CONFIG_LEARNING,
333 CCS_CONFIG_PERMISSIVE,
334 CCS_CONFIG_ENFORCING,
335 CCS_CONFIG_WANT_REJECT_LOG = 64,
336 CCS_CONFIG_WANT_GRANT_LOG = 128,
337 CCS_CONFIG_USE_DEFAULT = 255
338 };
339
340 #define CCS_OPEN_FOR_READ_TRUNCATE 4
341 #define CCS_OPEN_FOR_IOCTL_ONLY 8
342 #define CCS_TASK_IS_IN_EXECVE 16
343 #define CCS_DONT_SLEEP_ON_ENFORCE_ERROR 32
344 #define CCS_TASK_IS_EXECUTE_HANDLER 64
345 #define CCS_TASK_IS_MANAGER 128
346 /* Highest 24 bits are reserved for task.state[] conditions. */
347
348 struct dentry;
349 struct vfsmount;
350 struct in6_addr;
351
352 /**
353 * list_for_each_cookie - iterate over a list with cookie.
354 * @pos: the &struct list_head to use as a loop cursor.
355 * @cookie: the &struct list_head to use as a cookie.
356 * @head: the head for your list.
357 *
358 * Same with list_for_each_rcu() except that this primitive uses @cookie
359 * so that we can continue iteration.
360 * @cookie must be NULL when iteration starts, and @cookie will become
361 * NULL when iteration finishes.
362 */
363 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34)
364 #define list_for_each_cookie(pos, cookie, head) \
365 for (({ if (!cookie) \
366 cookie = head; }), \
367 pos = rcu_dereference((cookie)->next); \
368 prefetch(pos->next), pos != (head) || ((cookie) = NULL); \
369 (cookie) = pos, pos = rcu_dereference(pos->next))
370 #else
371 #define list_for_each_cookie(pos, cookie, head) \
372 for (({ if (!cookie) \
373 cookie = head; }), \
374 pos = srcu_dereference((cookie)->next, &ccs_ss); \
375 prefetch(pos->next), pos != (head) || ((cookie) = NULL); \
376 (cookie) = pos, pos = srcu_dereference(pos->next, &ccs_ss))
377 #endif
378
379 /* Common header for holding ACL entries. */
380 struct ccs_acl_head {
381 struct list_head list;
382 bool is_deleted;
383 } __attribute__((__packed__));
384
385 struct ccs_shared_acl_head {
386 struct list_head list;
387 atomic_t users;
388 } __attribute__((__packed__));
389
390 struct ccs_acl_info {
391 struct list_head list;
392 struct ccs_condition *cond;
393 bool is_deleted;
394 u8 type; /* = one of values in "enum ccs_acl_entry_type_index" */
395 } __attribute__((__packed__));
396
397 enum ccs_shared_acl_id {
398 CCS_CONDITION_LIST,
399 CCS_IPV6ADDRESS_LIST,
400 CCS_MAX_LIST
401 };
402
403 struct ccs_name_union {
404 const struct ccs_path_info *filename;
405 struct ccs_group *group;
406 u8 is_group;
407 };
408
409 struct ccs_number_union {
410 unsigned long values[2];
411 struct ccs_group *group;
412 u8 value_type[2];
413 u8 is_group;
414 };
415
416 enum ccs_group_id {
417 CCS_PATH_GROUP,
418 CCS_NUMBER_GROUP,
419 CCS_ADDRESS_GROUP,
420 CCS_MAX_GROUP
421 };
422
423 /* Structure for "path_group"/"number_group"/"address_group" directive. */
424 struct ccs_group {
425 struct ccs_shared_acl_head head;
426 const struct ccs_path_info *group_name;
427 struct list_head member_list;
428 };
429
430 /* Structure for "path_group" directive. */
431 struct ccs_path_group {
432 struct ccs_acl_head head;
433 const struct ccs_path_info *member_name;
434 };
435
436 /* Structure for "number_group" directive. */
437 struct ccs_number_group {
438 struct ccs_acl_head head;
439 struct ccs_number_union number;
440 };
441
442 /* Structure for "address_group" directive. */
443 struct ccs_address_group {
444 struct ccs_acl_head head;
445 bool is_ipv6;
446 union {
447 u32 ipv4; /* Host byte order */
448 const struct in6_addr *ipv6; /* Network byte order */
449 } min, max;
450 };
451
452 /* Subset of "struct stat". */
453 struct ccs_mini_stat {
454 uid_t uid;
455 gid_t gid;
456 ino_t ino;
457 mode_t mode;
458 dev_t dev;
459 dev_t rdev;
460 };
461
462 /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */
463 struct ccs_page_dump {
464 struct page *page; /* Previously dumped page. */
465 char *data; /* Contents of "page". Size is PAGE_SIZE. */
466 };
467
468 /* Structure for attribute checks in addition to pathname checks. */
469 struct ccs_obj_info {
470 bool validate_done;
471 bool stat_valid[CCS_MAX_STAT];
472 struct path path1;
473 struct path path2;
474 struct ccs_mini_stat stat[CCS_MAX_STAT];
475 struct ccs_path_info *symlink_target;
476 unsigned int dev;
477 };
478
479 struct ccs_condition_element {
480 /*
481 * Left hand operand. A "struct ccs_argv" for CCS_ARGV_ENTRY, a
482 * "struct ccs_envp" for CCS_ENVP_ENTRY is attached to the tail
483 * of the array of this struct.
484 */
485 u8 left;
486 /*
487 * Right hand operand. A "struct ccs_number_union" for
488 * CCS_NUMBER_UNION, a "struct ccs_name_union" for CCS_NAME_UNION is
489 * attached to the tail of the array of this struct.
490 */
491 u8 right;
492 /* Equation operator. true if equals or overlaps, false otherwise. */
493 bool equals;
494 };
495
496 /* Structure for " if " and "; set" part. */
497 struct ccs_condition {
498 struct ccs_shared_acl_head head;
499 u32 size;
500 u16 condc;
501 u16 numbers_count;
502 u16 names_count;
503 u16 argc;
504 u16 envc;
505 u8 post_state[5];
506 /*
507 * struct ccs_condition_element condition[condc];
508 * struct ccs_number_union values[numbers_count];
509 * struct ccs_name_union names[names_count];
510 * struct ccs_argv argv[argc];
511 * struct ccs_envp envp[envc];
512 */
513 };
514
515 struct ccs_execve;
516
517 #define CCS_RETRY_REQUEST 1 /* Retry this request. */
518
519 /* Structure for request info. */
520 struct ccs_request_info {
521 /*
522 * For holding parameters specific to operations which deal files.
523 */
524 struct ccs_obj_info *obj;
525 /*
526 * For holding parameters specific to execve() request.
527 */
528 struct ccs_execve *ee;
529 /* For holding parameters. */
530 union {
531 struct {
532 const struct ccs_path_info *filename;
533 u8 operation;
534 } path;
535 struct {
536 const struct ccs_path_info *filename1;
537 const struct ccs_path_info *filename2;
538 u8 operation;
539 } path2;
540 struct {
541 const struct ccs_path_info *filename;
542 unsigned int mode;
543 unsigned int major;
544 unsigned int minor;
545 u8 operation;
546 } path_number3;
547 struct {
548 const struct ccs_path_info *filename;
549 unsigned long number;
550 u8 operation;
551 } path_number;
552 struct {
553 const u32 *address;
554 u32 ip;
555 u16 port;
556 u8 operation;
557 bool is_ipv6;
558 } network;
559 struct {
560 const struct ccs_path_info *name;
561 } environ;
562 struct {
563 u8 operation;
564 } capability;
565 struct {
566 const char *dest_pattern;
567 int sig;
568 } signal;
569 struct {
570 const struct ccs_path_info *type;
571 const struct ccs_path_info *dir;
572 const struct ccs_path_info *dev;
573 unsigned long flags;
574 int need_dev;
575 } mount;
576 } param;
577 u8 param_type;
578 bool granted;
579 /*
580 * For updating current->ccs_flags at ccs_update_task_state().
581 * Initialized to NULL at ccs_init_request_info().
582 * Matching "struct ccs_acl_info"->cond is copied if access request was
583 * granted. Re-initialized to NULL at ccs_update_task_state().
584 */
585 struct ccs_condition *cond;
586 /*
587 * For counting number of retries made for this request.
588 * This counter is incremented whenever ccs_supervisor() returned
589 * CCS_RETRY_REQUEST.
590 */
591 u8 retry;
592 /*
593 * For holding profile number used for this request.
594 * One of values between 0 and CCS_MAX_PROFILES - 1.
595 */
596 u8 profile;
597 /*
598 * For holding access control mode used for this request.
599 * One of CCS_CONFIG_DISABLED, CCS_CONFIG_LEARNING,
600 * CCS_CONFIG_PERMISSIVE, CCS_CONFIG_ENFORCING.
601 */
602 u8 mode;
603 /*
604 * For holding operation index used for this request.
605 * Used by ccs_init_request_info() / ccs_get_mode() /
606 * ccs_write_log(). One of values in "enum ccs_mac_index".
607 */
608 u8 type;
609 };
610
611 /* Structure for holding a token. */
612 struct ccs_path_info {
613 const char *name;
614 u32 hash; /* = full_name_hash(name, strlen(name)) */
615 u16 total_len; /* = strlen(name) */
616 u16 const_len; /* = ccs_const_part_length(name) */
617 bool is_dir; /* = ccs_strendswith(name, "/") */
618 bool is_patterned; /* = const_len < total_len */
619 };
620
621 /* Structure for execve() operation. */
622 struct ccs_execve {
623 struct ccs_request_info r;
624 struct ccs_obj_info obj;
625 struct linux_binprm *bprm;
626 struct ccs_domain_info *previous_domain;
627 int reader_idx;
628 /* For execute_handler */
629 const struct ccs_path_info *handler;
630 char *handler_path; /* = kstrdup(handler->name, CCS_GFP_FLAGS) */
631 u8 handler_type; /* = CCS_TYPE_EXECUTE_HANDLER or
632 CCS_TYPE_DENIED_EXECUTE_HANDLER */
633 /* For dumping argv[] and envp[]. */
634 struct ccs_page_dump dump;
635 /* For temporary use. */
636 char *tmp; /* Size is CCS_EXEC_TMPSIZE bytes */
637 };
638
639 /* Structure for domain information. */
640 struct ccs_domain_info {
641 struct list_head list;
642 struct list_head acl_info_list;
643 /* Name of this domain. Never NULL. */
644 const struct ccs_path_info *domainname;
645 u8 profile; /* Profile number to use. */
646 bool is_deleted; /* Delete flag. */
647 bool quota_warned; /* Quota warnning flag. */
648 /* Ignore "allow_*" directives in ccs_global_domain . */
649 bool ignore_global;
650 /* Ignore "allow_read" directive in ccs_global_domain . */
651 bool ignore_global_allow_read;
652 /* Ignore "allow_env" directive in ccs_global_domain . */
653 bool ignore_global_allow_env;
654 /*
655 * This domain was unable to create a new domain at
656 * ccs_find_next_domain() because the name of the domain to be created
657 * was too long or it could not allocate memory.
658 * More than one process continued execve() without domain transition.
659 */
660 bool domain_transition_failed;
661 };
662
663 /* Structure for "file_pattern" keyword. */
664 struct ccs_pattern {
665 struct ccs_acl_head head;
666 const struct ccs_path_info *pattern;
667 };
668
669 /* Structure for "deny_rewrite" keyword. */
670 struct ccs_no_rewrite {
671 struct ccs_acl_head head;
672 const struct ccs_path_info *pattern;
673 };
674
675 /* Structure for "initialize_domain" and "no_initialize_domain" keyword. */
676 struct ccs_domain_initializer {
677 struct ccs_acl_head head;
678 bool is_not; /* True if this entry is "no_initialize_domain". */
679 bool is_last_name; /* True if the domainname is ccs_last_word(). */
680 const struct ccs_path_info *domainname; /* This may be NULL */
681 const struct ccs_path_info *program;
682 };
683
684 /* Structure for "keep_domain" and "no_keep_domain" keyword. */
685 struct ccs_domain_keeper {
686 struct ccs_acl_head head;
687 bool is_not; /* True if this entry is "no_keep_domain". */
688 bool is_last_name; /* True if the domainname is ccs_last_word(). */
689 const struct ccs_path_info *domainname;
690 const struct ccs_path_info *program; /* This may be NULL */
691 };
692
693 /* Structure for "aggregator" keyword. */
694 struct ccs_aggregator {
695 struct ccs_acl_head head;
696 const struct ccs_path_info *original_name;
697 const struct ccs_path_info *aggregated_name;
698 };
699
700 /* Structure for "allow_mount" keyword. */
701 struct ccs_mount_acl {
702 struct ccs_acl_info head; /* type = CCS_TYPE_MOUNT_ACL */
703 struct ccs_name_union dev_name;
704 struct ccs_name_union dir_name;
705 struct ccs_name_union fs_type;
706 struct ccs_number_union flags;
707 };
708
709 /* Structure for "deny_autobind" keyword. */
710 struct ccs_reserved {
711 struct ccs_acl_head head;
712 u16 min_port; /* Start of port number range. */
713 u16 max_port; /* End of port number range. */
714 };
715
716 /* Structure for policy manager. */
717 struct ccs_manager {
718 struct ccs_acl_head head;
719 bool is_domain; /* True if manager is a domainname. */
720 /* A path to program or a domainname. */
721 const struct ccs_path_info *manager;
722 };
723
724 /* Structure for argv[]. */
725 struct ccs_argv {
726 unsigned int index;
727 const struct ccs_path_info *value;
728 bool is_not;
729 };
730
731 /* Structure for envp[]. */
732 struct ccs_envp {
733 const struct ccs_path_info *name;
734 const struct ccs_path_info *value;
735 bool is_not;
736 };
737
738 /*
739 * Structure for "execute_handler" and "denied_execute_handler" directive.
740 * These directives can exist only one entry in a domain.
741 *
742 * If "execute_handler" directive exists and the current process is not
743 * an execute handler, all execve() requests are replaced by execve() requests
744 * of a program specified by "execute_handler" directive.
745 * If the current process is an execute handler,
746 * "execute_handler" and "denied_execute_handler" directives are ignored.
747 * The program specified by "execute_handler" validates execve() parameters
748 * and executes the original execve() requests if appropriate.
749 *
750 * "denied_execute_handler" directive is used only when execve() request was
751 * rejected in enforcing mode (i.e. CONFIG::file::execute={ mode=enforcing }).
752 * The program specified by "denied_execute_handler" does whatever it wants
753 * to do (e.g. silently terminate, change firewall settings,
754 * redirect the user to honey pot etc.).
755 */
756 struct ccs_execute_handler {
757 struct ccs_acl_info head; /* type = CCS_TYPE_*EXECUTE_HANDLER */
758 const struct ccs_path_info *handler; /* Pointer to single pathname. */
759 };
760
761 /*
762 * Structure for "allow_read/write", "allow_execute", "allow_read",
763 * "allow_write", "allow_unlink", "allow_rmdir", "allow_truncate",
764 * "allow_symlink", "allow_rewrite", "allow_chroot" and "allow_unmount"
765 * directive.
766 */
767 struct ccs_path_acl {
768 struct ccs_acl_info head; /* type = CCS_TYPE_PATH_ACL */
769 u16 perm; /* Bitmask of values in "enum ccs_path_acl_index" */
770 struct ccs_name_union name;
771 };
772
773 /* Structure for "allow_mkblock" and "allow_mkchar" directive. */
774 struct ccs_path_number3_acl {
775 struct ccs_acl_info head; /* type = CCS_TYPE_PATH_NUMBER3_ACL */
776 u8 perm; /* Bitmask of values in "enum ccs_path_number3_acl_index" */
777 struct ccs_name_union name;
778 struct ccs_number_union mode;
779 struct ccs_number_union major;
780 struct ccs_number_union minor;
781 };
782
783 /*
784 * Structure for "allow_rename", "allow_link" and "allow_pivot_root" directive.
785 */
786 struct ccs_path2_acl {
787 struct ccs_acl_info head; /* type = CCS_TYPE_PATH2_ACL */
788 u8 perm; /* Bitmask of values in "enum ccs_path2_acl_index" */
789 struct ccs_name_union name1;
790 struct ccs_name_union name2;
791 };
792
793 /*
794 * Structure for "allow_create", "allow_mkdir", "allow_mkfifo", "allow_mksock",
795 * "allow_ioctl", "allow_chmod", "allow_chown" and "allow_chgrp" directive.
796 */
797 struct ccs_path_number_acl {
798 struct ccs_acl_info head; /* type = CCS_TYPE_PATH_NUMBER_ACL */
799 u8 perm; /* Bitmask of values in "enum ccs_path_number_acl_index" */
800 struct ccs_name_union name;
801 struct ccs_number_union number;
802 };
803
804 /* Structure for "allow_env" directive in domain policy. */
805 struct ccs_env_acl {
806 struct ccs_acl_info head; /* type = CCS_TYPE_ENV_ACL */
807 const struct ccs_path_info *env; /* environment variable */
808 };
809
810 /* Structure for "allow_capability" directive. */
811 struct ccs_capability_acl {
812 struct ccs_acl_info head; /* type = CCS_TYPE_CAPABILITY_ACL */
813 u8 operation;
814 };
815
816 /* Structure for "allow_signal" directive. */
817 struct ccs_signal_acl {
818 struct ccs_acl_info head; /* type = CCS_TYPE_SIGNAL_ACL */
819 u16 sig;
820 /* Pointer to destination pattern. */
821 const struct ccs_path_info *domainname;
822 };
823
824 struct ccs_ipv6addr {
825 struct ccs_shared_acl_head head;
826 struct in6_addr addr;
827 };
828
829 /* Structure for "allow_network" directive. */
830 struct ccs_ip_network_acl {
831 struct ccs_acl_info head; /* type = CCS_TYPE_IP_NETWORK_ACL */
832 u8 perm; /* Bitmask of values in "enum ccs_network_acl_index" */
833 /*
834 * address_type takes one of the following constants.
835 * CCS_IP_ADDRESS_TYPE_ADDRESS_GROUP
836 * if address points to "address_group" directive.
837 * CCS_IP_ADDRESS_TYPE_IPv4
838 * if address points to an IPv4 address.
839 * CCS_IP_ADDRESS_TYPE_IPv6
840 * if address points to an IPv6 address.
841 */
842 u8 address_type;
843 union {
844 struct {
845 /* Start of IPv4 address range. Host endian. */
846 u32 min;
847 /* End of IPv4 address range. Host endian. */
848 u32 max;
849 } ipv4;
850 struct {
851 /* Start of IPv6 address range. Big endian. */
852 const struct in6_addr *min;
853 /* End of IPv6 address range. Big endian. */
854 const struct in6_addr *max;
855 } ipv6;
856 /* Pointer to address group. */
857 struct ccs_group *group;
858 } address;
859 struct ccs_number_union port;
860 };
861
862 /* Structure for string data. */
863 struct ccs_name {
864 struct ccs_shared_acl_head head;
865 int size;
866 struct ccs_path_info entry;
867 };
868
869 /* Structure for reading/writing policy via /proc interfaces. */
870 struct ccs_io_buffer {
871 void (*read) (struct ccs_io_buffer *);
872 int (*write) (struct ccs_io_buffer *);
873 int (*poll) (struct file *file, poll_table *wait);
874 /* Exclusive lock for this structure. */
875 struct mutex io_sem;
876 /* Index returned by ccs_lock(). */
877 int reader_idx;
878 /* The position currently reading from. */
879 struct list_head *read_var1;
880 /* Extra variables for reading. */
881 struct list_head *read_var2;
882 /* The position currently writing to. */
883 struct ccs_domain_info *write_var1;
884 /* The step for reading. */
885 int read_step;
886 /* Buffer for reading. */
887 char *read_buf;
888 /* EOF flag for reading. */
889 bool read_eof;
890 /* Read domain ACL of specified PID? */
891 bool read_single_domain;
892 /* Read allow_execute entry only? */
893 bool read_execute_only;
894 /* Extra variable for reading. */
895 u8 read_bit;
896 /* Bytes available for reading. */
897 int read_avail;
898 /* Size of read buffer. */
899 int readbuf_size;
900 /* Buffer for writing. */
901 char *write_buf;
902 /* Bytes available for writing. */
903 int write_avail;
904 /* Size of write buffer. */
905 int writebuf_size;
906 /* Type of this interface. */
907 u8 type;
908 };
909
910 struct ccs_preference {
911 #ifdef CONFIG_CCSECURITY_AUDIT
912 unsigned int audit_max_grant_log;
913 unsigned int audit_max_reject_log;
914 #endif
915 unsigned int learning_max_entry;
916 unsigned int enforcing_penalty;
917 bool audit_task_info;
918 bool audit_path_info;
919 bool enforcing_verbose;
920 bool learning_verbose;
921 bool learning_exec_realpath;
922 bool learning_exec_argv0;
923 bool learning_symlink_target;
924 bool permissive_verbose;
925 };
926
927 struct ccs_profile {
928 const struct ccs_path_info *comment;
929 struct ccs_preference *audit;
930 struct ccs_preference *learning;
931 struct ccs_preference *permissive;
932 struct ccs_preference *enforcing;
933 struct ccs_preference preference;
934 u8 default_config;
935 u8 config[CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX
936 + CCS_MAX_MAC_CATEGORY_INDEX];
937 };
938
939 /* Prototype definition for internal use. */
940
941 bool ccs_address_matches_group(const bool is_ipv6, const u32 *address,
942 const struct ccs_group *group);
943 bool ccs_compare_name_union(const struct ccs_path_info *name,
944 const struct ccs_name_union *ptr);
945 bool ccs_compare_number_union(const unsigned long value,
946 const struct ccs_number_union *ptr);
947 bool ccs_condition(struct ccs_request_info *r,
948 const struct ccs_condition *cond);
949 bool ccs_domain_quota_ok(struct ccs_request_info *r);
950 bool ccs_dump_page(struct linux_binprm *bprm, unsigned long pos,
951 struct ccs_page_dump *dump);
952 bool ccs_io_printf(struct ccs_io_buffer *head, const char *fmt, ...)
953 __attribute__ ((format(printf, 2, 3)));
954 bool ccs_correct_domain(const unsigned char *domainname);
955 bool ccs_correct_path(const char *filename);
956 bool ccs_correct_word(const char *string);
957 bool ccs_domain_def(const unsigned char *buffer);
958 bool ccs_memory_ok(const void *ptr, const unsigned int size);
959 bool ccs_number_matches_group(const unsigned long min, const unsigned long max,
960 const struct ccs_group *group);
961 bool ccs_parse_name_union(const char *filename, struct ccs_name_union *ptr);
962 bool ccs_parse_number_union(char *data, struct ccs_number_union *num);
963 bool ccs_path_matches_group(const struct ccs_path_info *pathname,
964 const struct ccs_group *group);
965 bool ccs_path_matches_pattern(const struct ccs_path_info *filename,
966 const struct ccs_path_info *pattern);
967 bool ccs_str_starts(char **src, const char *find);
968 bool ccs_tokenize(char *buffer, char *w[], size_t size);
969 void ccs_check_acl(struct ccs_request_info *r,
970 bool (*check_entry) (const struct ccs_request_info *,
971 const struct ccs_acl_info *));
972 int ccs_update_domain(struct ccs_acl_info *new_entry, const int size,
973 bool is_delete, struct ccs_domain_info *domain,
974 bool (*check_duplicate) (const struct ccs_acl_info *,
975 const struct ccs_acl_info *),
976 bool (*merge_duplicate) (struct ccs_acl_info *,
977 struct ccs_acl_info *,
978 const bool));
979 int ccs_update_group(struct ccs_acl_head *new_entry, const int size,
980 bool is_delete, struct ccs_group *group,
981 bool (*check_duplicate) (const struct ccs_acl_head *,
982 const struct ccs_acl_head *));
983 int ccs_update_policy(struct ccs_acl_head *new_entry, const int size,
984 bool is_delete, const int idx, bool (*check_duplicate)
985 (const struct ccs_acl_head *,
986 const struct ccs_acl_head *));
987 char *ccs_encode(const char *str);
988 char *ccs_init_log(int *len, struct ccs_request_info *r);
989 char *ccs_realpath_from_path(struct path *path);
990 const char *ccs_cap2keyword(const u8 operation);
991 const char *ccs_file_pattern(const struct ccs_path_info *filename);
992 const char *ccs_get_exe(void);
993 const char *ccs_last_word(const char *name);
994 const char *ccs_net2keyword(const u8 operation);
995 const char *ccs_path22keyword(const u8 operation);
996 const char *ccs_path2keyword(const u8 operation);
997 const char *ccs_path_number2keyword(const u8 operation);
998 const char *ccs_path_number32keyword(const u8 operation);
999 const struct ccs_path_info *ccs_get_name(const char *name);
1000 const struct in6_addr *ccs_get_ipv6_address(const struct in6_addr *addr);
1001 int ccs_close_control(struct file *file);
1002 int ccs_delete_domain(char *data);
1003 int ccs_env_perm(struct ccs_request_info *r, const char *env);
1004 int ccs_get_mode(const u8 profile, const u8 index);
1005 int ccs_get_path(const char *pathname, struct path *path);
1006 int ccs_init_request_info(struct ccs_request_info *r, const u8 index);
1007 int ccs_lock(void);
1008 int ccs_may_transit(const char *domainname, const char *pathname);
1009 int ccs_open_control(const u8 type, struct file *file);
1010 int ccs_parse_ip_address(char *address, u16 *min, u16 *max);
1011 int ccs_path_permission(struct ccs_request_info *r, u8 operation,
1012 const struct ccs_path_info *filename);
1013 int ccs_poll_control(struct file *file, poll_table *wait);
1014 int ccs_poll_log(struct file *file, poll_table *wait);
1015 int ccs_read_control(struct file *file, char __user *buffer,
1016 const int buffer_len);
1017 int ccs_supervisor(struct ccs_request_info *r, const char *fmt, ...)
1018 __attribute__ ((format(printf, 2, 3)));
1019 int ccs_symlink_path(const char *pathname, struct ccs_path_info *name);
1020 int ccs_write_aggregator(char *data, const bool is_delete,
1021 const u8 flags);
1022 int ccs_write_log(struct ccs_request_info *r, const char *fmt, ...)
1023 __attribute__ ((format(printf, 2, 3)));
1024 int ccs_write_capability(char *data, struct ccs_domain_info *domain,
1025 struct ccs_condition *condition,
1026 const bool is_delete);
1027 int ccs_write_control(struct file *file, const char __user *buffer,
1028 const int buffer_len);
1029 int ccs_write_domain_initializer(char *data, const bool is_delete,
1030 const u8 flags);
1031 int ccs_write_domain_keeper(char *data, const bool is_delete, const u8 flags);
1032 int ccs_write_env(char *data, struct ccs_domain_info *domain,
1033 struct ccs_condition *condition, const bool is_delete);
1034 int ccs_write_file(char *data, struct ccs_domain_info *domain,
1035 struct ccs_condition *condition, const bool is_delete);
1036 int ccs_write_group(char *data, const bool is_delete, const u8 type);
1037 int ccs_write_memory_quota(struct ccs_io_buffer *head);
1038 int ccs_write_mount(char *data, struct ccs_domain_info *domain,
1039 struct ccs_condition *condition, const bool is_delete);
1040 int ccs_write_network(char *data, struct ccs_domain_info *domain,
1041 struct ccs_condition *condition, const bool is_delete);
1042 int ccs_write_no_rewrite(char *data, const bool is_delete, const u8 flags);
1043 int ccs_write_pattern(char *data, const bool is_delete, const u8 flags);
1044 int ccs_write_reserved_port(char *data, const bool is_delete, const u8 flags);
1045 int ccs_write_signal(char *data, struct ccs_domain_info *domain,
1046 struct ccs_condition *condition, const bool is_delete);
1047 size_t ccs_del_condition(struct list_head *element);
1048 struct ccs_condition *ccs_get_condition(char * const condition);
1049 struct ccs_domain_info *ccs_assign_domain(const char *domainname,
1050 const u8 profile);
1051 struct ccs_domain_info *ccs_find_domain(const char *domainname);
1052 struct ccs_group *ccs_get_group(const char *group_name, const u8 idx);
1053 struct ccs_profile *ccs_profile(const u8 profile);
1054 u8 ccs_parse_ulong(unsigned long *result, char **str);
1055 void ccs_fill_path_info(struct ccs_path_info *ptr);
1056 void ccs_get_attributes(struct ccs_obj_info *obj);
1057 void ccs_memory_free(const void *ptr, size_t size);
1058 void ccs_normalize_line(unsigned char *buffer);
1059 void ccs_print_ipv4(char *buffer, const int buffer_len, const u32 min_ip,
1060 const u32 max_ip);
1061 void ccs_print_ipv6(char *buffer, const int buffer_len,
1062 const struct in6_addr *min_ip,
1063 const struct in6_addr *max_ip);
1064 void ccs_print_ulong(char *buffer, const int buffer_len,
1065 const unsigned long value, const u8 type);
1066 void ccs_put_name_union(struct ccs_name_union *ptr);
1067 void ccs_put_number_union(struct ccs_number_union *ptr);
1068 void ccs_read_log(struct ccs_io_buffer *head);
1069 void ccs_read_memory_counter(struct ccs_io_buffer *head);
1070 void ccs_run_gc(void);
1071 void ccs_unlock(const int idx);
1072 void ccs_warn_log(struct ccs_request_info *r, const char *fmt, ...)
1073 __attribute__ ((format(printf, 2, 3)));
1074 void ccs_warn_oom(const char *function);
1075 void *ccs_commit_ok(void *data, const unsigned int size);
1076
1077 /* strcmp() for "struct ccs_path_info" structure. */
1078 static inline bool ccs_pathcmp(const struct ccs_path_info *a,
1079 const struct ccs_path_info *b)
1080 {
1081 return a->hash != b->hash || strcmp(a->name, b->name);
1082 }
1083
1084 static inline bool ccs_same_acl_head(const struct ccs_acl_info *p1,
1085 const struct ccs_acl_info *p2)
1086 {
1087 return p1->type == p2->type && p1->cond == p2->cond;
1088 }
1089
1090 static inline bool ccs_same_name_union(const struct ccs_name_union *p1,
1091 const struct ccs_name_union *p2)
1092 {
1093 return p1->filename == p2->filename && p1->group == p2->group &&
1094 p1->is_group == p2->is_group;
1095 }
1096
1097 static inline bool ccs_same_number_union(const struct ccs_number_union *p1,
1098 const struct ccs_number_union *p2)
1099 {
1100 return p1->values[0] == p2->values[0] && p1->values[1] == p2->values[1]
1101 && p1->group == p2->group &&
1102 p1->value_type[0] == p2->value_type[0] &&
1103 p1->value_type[1] == p2->value_type[1] &&
1104 p1->is_group == p2->is_group;
1105 }
1106
1107 #define CCS_HASH_BITS 8
1108 #define CCS_MAX_HASH (1 << CCS_HASH_BITS)
1109
1110 /* Index numbers for garbage collection. */
1111 enum ccs_gc_id {
1112 CCS_ID_RESERVEDPORT,
1113 CCS_ID_GROUP,
1114 CCS_ID_ADDRESS_GROUP,
1115 CCS_ID_PATH_GROUP,
1116 CCS_ID_NUMBER_GROUP,
1117 CCS_ID_AGGREGATOR,
1118 CCS_ID_DOMAIN_INITIALIZER,
1119 CCS_ID_DOMAIN_KEEPER,
1120 CCS_ID_PATTERN,
1121 CCS_ID_NO_REWRITE,
1122 CCS_ID_MANAGER,
1123 CCS_ID_IPV6_ADDRESS,
1124 CCS_ID_CONDITION,
1125 CCS_ID_NAME,
1126 CCS_ID_ACL,
1127 CCS_ID_DOMAIN,
1128 CCS_MAX_POLICY
1129 };
1130
1131 extern struct mutex ccs_policy_lock;
1132 extern struct list_head ccs_domain_list;
1133 extern struct list_head ccs_policy_list[CCS_MAX_POLICY];
1134 extern struct list_head ccs_group_list[CCS_MAX_GROUP];
1135 extern struct list_head ccs_shared_list[CCS_MAX_LIST];
1136 extern struct list_head ccs_name_list[CCS_MAX_HASH];
1137 extern bool ccs_policy_loaded;
1138 extern struct ccs_domain_info ccs_global_domain;
1139 extern struct ccs_domain_info ccs_kernel_domain;
1140
1141 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1142 extern struct srcu_struct ccs_ss;
1143
1144 static inline int ccs_read_lock(void)
1145 {
1146 return srcu_read_lock(&ccs_ss);
1147 }
1148
1149 static inline void ccs_read_unlock(const int idx)
1150 {
1151 srcu_read_unlock(&ccs_ss, idx);
1152 }
1153 #else
1154 static inline int ccs_read_lock(void)
1155 {
1156 return ccs_lock();
1157 }
1158 static inline void ccs_read_unlock(const int idx)
1159 {
1160 ccs_unlock(idx);
1161 }
1162 #endif
1163
1164 extern const char *ccs_condition_keyword[CCS_MAX_CONDITION_KEYWORD];
1165 extern const u8 ccs_index2category[CCS_MAX_MAC_INDEX
1166 + CCS_MAX_CAPABILITY_INDEX];
1167
1168 extern unsigned int ccs_log_memory_size;
1169 extern unsigned int ccs_quota_for_log;
1170 extern unsigned int ccs_query_memory_size;
1171 extern unsigned int ccs_quota_for_query;
1172
1173 #include <linux/dcache.h>
1174
1175 #ifdef D_PATH_DISCONNECT
1176
1177 static inline void ccs_realpath_lock(void)
1178 {
1179 spin_lock(ccsecurity_exports.vfsmount_lock);
1180 spin_lock(&dcache_lock);
1181 }
1182 static inline void ccs_realpath_unlock(void)
1183 {
1184 spin_unlock(&dcache_lock);
1185 spin_unlock(ccsecurity_exports.vfsmount_lock);
1186 }
1187
1188 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
1189
1190 static inline void ccs_realpath_lock(void)
1191 {
1192 spin_lock(&dcache_lock);
1193 spin_lock(ccsecurity_exports.vfsmount_lock);
1194 }
1195 static inline void ccs_realpath_unlock(void)
1196 {
1197 spin_unlock(ccsecurity_exports.vfsmount_lock);
1198 spin_unlock(&dcache_lock);
1199 }
1200
1201 #else
1202
1203 static inline void ccs_realpath_lock(void)
1204 {
1205 spin_lock(&dcache_lock);
1206 }
1207 static inline void ccs_realpath_unlock(void)
1208 {
1209 spin_unlock(&dcache_lock);
1210 }
1211
1212 #endif
1213
1214 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
1215
1216 static inline void ccs_tasklist_lock(void)
1217 {
1218 rcu_read_lock();
1219 }
1220 static inline void ccs_tasklist_unlock(void)
1221 {
1222 rcu_read_unlock();
1223 }
1224
1225 #else
1226
1227 static inline void ccs_tasklist_lock(void)
1228 {
1229 read_lock(&tasklist_lock);
1230 }
1231 static inline void ccs_tasklist_unlock(void)
1232 {
1233 read_unlock(&tasklist_lock);
1234 }
1235
1236 #endif
1237
1238 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
1239 {
1240 struct ccs_domain_info *domain = task->ccs_domain_info;
1241 return domain ? domain : &ccs_kernel_domain;
1242 }
1243
1244 static inline struct ccs_domain_info *ccs_current_domain(void)
1245 {
1246 struct task_struct *task = current;
1247 if (!task->ccs_domain_info)
1248 task->ccs_domain_info = &ccs_kernel_domain;
1249 return task->ccs_domain_info;
1250 }
1251
1252 static inline void ccs_add_domain_acl(struct ccs_domain_info *domain,
1253 struct ccs_acl_info *acl)
1254 {
1255 if (acl->cond)
1256 atomic_inc(&acl->cond->head.users);
1257 list_add_tail_rcu(&acl->list, &domain->acl_info_list);
1258 }
1259
1260 #if defined(CONFIG_SLOB)
1261 static inline int ccs_round2(size_t size)
1262 {
1263 return size;
1264 }
1265 #else
1266 static inline int ccs_round2(size_t size)
1267 {
1268 #if PAGE_SIZE == 4096
1269 size_t bsize = 32;
1270 #else
1271 size_t bsize = 64;
1272 #endif
1273 if (!size)
1274 return 0;
1275 while (size > bsize)
1276 bsize <<= 1;
1277 return bsize;
1278 }
1279 #endif
1280
1281 static inline void ccs_put_group(struct ccs_group *group)
1282 {
1283 if (group)
1284 atomic_dec(&group->head.users);
1285 }
1286
1287 static inline void ccs_put_ipv6_address(const struct in6_addr *addr)
1288 {
1289 if (addr)
1290 atomic_dec(&container_of(addr, struct ccs_ipv6addr,
1291 addr)->head.users);
1292 }
1293
1294 static inline void ccs_put_condition(struct ccs_condition *cond)
1295 {
1296 if (cond)
1297 atomic_dec(&cond->head.users);
1298 }
1299
1300 static inline void ccs_put_name(const struct ccs_path_info *name)
1301 {
1302 if (name)
1303 atomic_dec(&container_of(name, struct ccs_name, entry)->
1304 head.users);
1305 }
1306
1307 #ifndef __GFP_HIGHIO
1308 #define __GFP_HIGHIO 0
1309 #endif
1310 #ifndef __GFP_NOWARN
1311 #define __GFP_NOWARN 0
1312 #endif
1313 #ifndef __GFP_NORETRY
1314 #define __GFP_NORETRY 0
1315 #endif
1316 #ifndef __GFP_NOMEMALLOC
1317 #define __GFP_NOMEMALLOC 0
1318 #endif
1319
1320 #define CCS_GFP_FLAGS (__GFP_WAIT | __GFP_IO | __GFP_HIGHIO | __GFP_NOWARN | \
1321 __GFP_NORETRY | __GFP_NOMEMALLOC)
1322
1323 #endif
Back to OSDN">Back to OSDN
 ViewVC Help
Powered by ViewVC 1.1.26  
サイト情報
ソフトウェアを探す
ソフトウェアを作る
コミュニティ
ヘルプ