25 |
"MAC_MODE_PERMISSIVE", "MAC_MODE_ENFORCING" |
"MAC_MODE_PERMISSIVE", "MAC_MODE_ENFORCING" |
26 |
}; |
}; |
27 |
|
|
28 |
static const char *ccs_keyword_capability_mode[4] = { |
static const char *ccs_keyword_audit[2] = { |
29 |
"MAC_MODE_CAPABILITY_DISABLED", "MAC_MODE_CAPABILITY_LEARNING", |
"NO_AUDIT_GRANT_LOG", "NO_AUDIT_REJECT_LOG" |
|
"MAC_MODE_CAPABILITY_PERMISSIVE", "MAC_MODE_CAPABILITY_ENFORCING" |
|
30 |
}; |
}; |
31 |
|
|
32 |
static const char *ccs_mac_keywords[CCS_MAX_MAC_INDEX] = { |
static const char *ccs_mac_keywords[CCS_MAX_MAC_INDEX + |
33 |
|
CCS_MAX_CAPABILITY_INDEX] = { |
34 |
[CCS_MAC_EXECUTE] = "execute", |
[CCS_MAC_EXECUTE] = "execute", |
35 |
[CCS_MAC_OPEN] = "open", |
[CCS_MAC_OPEN] = "open", |
36 |
[CCS_MAC_CREATE] = "create", |
[CCS_MAC_CREATE] = "create", |
56 |
[CCS_MAC_PIVOT_ROOT] = "pivot_root", |
[CCS_MAC_PIVOT_ROOT] = "pivot_root", |
57 |
[CCS_MAC_ENVIRON] = "env", |
[CCS_MAC_ENVIRON] = "env", |
58 |
[CCS_MAC_NETWORK] = "network", |
[CCS_MAC_NETWORK] = "network", |
59 |
[CCS_MAC_SIGNAL] = "signal" |
[CCS_MAC_SIGNAL] = "signal", |
60 |
|
[CCS_MAX_MAC_INDEX + CCS_INET_STREAM_SOCKET_CREATE] |
61 |
|
= "inet_tcp_create", |
62 |
|
[CCS_MAX_MAC_INDEX + CCS_INET_STREAM_SOCKET_LISTEN] |
63 |
|
= "inet_tcp_listen", |
64 |
|
[CCS_MAX_MAC_INDEX + CCS_INET_STREAM_SOCKET_CONNECT] |
65 |
|
= "inet_tcp_connect", |
66 |
|
[CCS_MAX_MAC_INDEX + CCS_USE_INET_DGRAM_SOCKET] = "use_inet_udp", |
67 |
|
[CCS_MAX_MAC_INDEX + CCS_USE_INET_RAW_SOCKET] = "use_inet_ip", |
68 |
|
[CCS_MAX_MAC_INDEX + CCS_USE_ROUTE_SOCKET] = "use_route", |
69 |
|
[CCS_MAX_MAC_INDEX + CCS_USE_PACKET_SOCKET] = "use_packet", |
70 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_MOUNT] = "SYS_MOUNT", |
71 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_UMOUNT] = "SYS_UMOUNT", |
72 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_REBOOT] = "SYS_REBOOT", |
73 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_CHROOT] = "SYS_CHROOT", |
74 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_KILL] = "SYS_KILL", |
75 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_VHANGUP] = "SYS_VHANGUP", |
76 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_SETTIME] = "SYS_TIME", |
77 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_NICE] = "SYS_NICE", |
78 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_SETHOSTNAME] = "SYS_SETHOSTNAME", |
79 |
|
[CCS_MAX_MAC_INDEX + CCS_USE_KERNEL_MODULE] = "use_kernel_module", |
80 |
|
[CCS_MAX_MAC_INDEX + CCS_CREATE_FIFO] = "create_fifo", |
81 |
|
[CCS_MAX_MAC_INDEX + CCS_CREATE_BLOCK_DEV] = "create_block_dev", |
82 |
|
[CCS_MAX_MAC_INDEX + CCS_CREATE_CHAR_DEV] = "create_char_dev", |
83 |
|
[CCS_MAX_MAC_INDEX + CCS_CREATE_UNIX_SOCKET] = "create_unix_socket", |
84 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_LINK] = "SYS_LINK", |
85 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_SYMLINK] = "SYS_SYMLINK", |
86 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_RENAME] = "SYS_RENAME", |
87 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_UNLINK] = "SYS_UNLINK", |
88 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_CHMOD] = "SYS_CHMOD", |
89 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_CHOWN] = "SYS_CHOWN", |
90 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_IOCTL] = "SYS_IOCTL", |
91 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_KEXEC_LOAD] = "SYS_KEXEC_LOAD", |
92 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_PIVOT_ROOT] = "SYS_PIVOT_ROOT", |
93 |
|
[CCS_MAX_MAC_INDEX + CCS_SYS_PTRACE] = "SYS_PTRACE", |
94 |
|
[CCS_MAX_MAC_INDEX + CCS_CONCEAL_MOUNT] = "conceal_mount" |
95 |
}; |
}; |
96 |
|
|
97 |
/* Table for profile. */ |
/* Table for profile. */ |
102 |
} ccs_control_array[CCS_MAX_CONTROL_INDEX] = { |
} ccs_control_array[CCS_MAX_CONTROL_INDEX] = { |
103 |
[CCS_AUTOLEARN_EXEC_REALPATH] = { "AUTOLEARN_EXEC_REALPATH", 0, 1 }, |
[CCS_AUTOLEARN_EXEC_REALPATH] = { "AUTOLEARN_EXEC_REALPATH", 0, 1 }, |
104 |
[CCS_AUTOLEARN_EXEC_ARGV0] = { "AUTOLEARN_EXEC_ARGV0", 0, 1 }, |
[CCS_AUTOLEARN_EXEC_ARGV0] = { "AUTOLEARN_EXEC_ARGV0", 0, 1 }, |
|
[CCS_RESTRICT_AUTOBIND] = { "RESTRICT_AUTOBIND", 0, 1 }, |
|
105 |
[CCS_MAX_ACCEPT_ENTRY] |
[CCS_MAX_ACCEPT_ENTRY] |
106 |
= { "MAX_ACCEPT_ENTRY", CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY, INT_MAX }, |
= { "MAX_ACCEPT_ENTRY", CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY, INT_MAX }, |
107 |
#ifdef CONFIG_CCSECURITY_AUDIT |
#ifdef CONFIG_CCSECURITY_AUDIT |
110 |
[CCS_MAX_REJECT_LOG] |
[CCS_MAX_REJECT_LOG] |
111 |
= { "MAX_REJECT_LOG", CONFIG_CCSECURITY_MAX_REJECT_LOG, INT_MAX }, |
= { "MAX_REJECT_LOG", CONFIG_CCSECURITY_MAX_REJECT_LOG, INT_MAX }, |
112 |
#endif |
#endif |
113 |
[CCS_VERBOSE] = { "TOMOYO_VERBOSE", 1, 1 }, |
[CCS_VERBOSE] = { "PRINT_VIOLATION", 1, 1 }, |
114 |
[CCS_SLEEP_PERIOD] |
[CCS_SLEEP_PERIOD] = { "SLEEP_PERIOD", 0, 3000 }, /* in 0.1 second */ |
|
= { "SLEEP_PERIOD", 0, 3000 }, /* in 0.1 second */ |
|
115 |
}; |
}; |
116 |
|
|
117 |
/* Permit policy management by non-root user? */ |
/* Permit policy management by non-root user? */ |
118 |
static bool ccs_manage_by_non_root; |
static bool ccs_manage_by_non_root; |
119 |
|
|
120 |
/** |
/** |
121 |
|
* ccs_cap2keyword - Convert capability operation to capability name. |
122 |
|
* |
123 |
|
* @operation: The capability index. |
124 |
|
* |
125 |
|
* Returns the name of the specified capability's name. |
126 |
|
*/ |
127 |
|
const char *ccs_cap2keyword(const u8 operation) |
128 |
|
{ |
129 |
|
return operation < CCS_MAX_CAPABILITY_INDEX |
130 |
|
? ccs_mac_keywords[CCS_MAX_MAC_INDEX + operation] : NULL; |
131 |
|
} |
132 |
|
|
133 |
|
/** |
134 |
* ccs_quiet_setup - Set CCS_VERBOSE=0 by default. |
* ccs_quiet_setup - Set CCS_VERBOSE=0 by default. |
135 |
* |
* |
136 |
* @str: Unused. |
* @str: Unused. |
206 |
return ptr; |
return ptr; |
207 |
} |
} |
208 |
|
|
209 |
|
static int ccs_find_match(char *str) |
210 |
|
{ |
211 |
|
int i; |
212 |
|
if (ccs_str_starts(&str, CCS_KEYWORD_CAPABILITY)) |
213 |
|
for (i = 0; i < CCS_MAX_CAPABILITY_INDEX; i++) { |
214 |
|
if (strcmp(str, |
215 |
|
ccs_mac_keywords[CCS_MAX_MAC_INDEX + i])) |
216 |
|
continue; |
217 |
|
return CCS_MAX_MAC_INDEX + i; |
218 |
|
} |
219 |
|
else |
220 |
|
for (i = 0; i < CCS_MAX_MAC_INDEX; i++) { |
221 |
|
if (strcmp(str, ccs_mac_keywords[i])) |
222 |
|
continue; |
223 |
|
return i; |
224 |
|
} |
225 |
|
return -1; |
226 |
|
} |
227 |
|
|
228 |
/** |
/** |
229 |
* ccs_write_profile - Write profile table. |
* ccs_write_profile - Write profile table. |
230 |
* |
* |
272 |
continue; |
continue; |
273 |
cp++; |
cp++; |
274 |
while (1) { |
while (1) { |
275 |
|
int index; |
276 |
char *cp2 = strchr(cp, ' '); |
char *cp2 = strchr(cp, ' '); |
277 |
if (cp2) |
if (cp2) |
278 |
*cp2 = '\0'; |
*cp2 = '\0'; |
279 |
for (i = 0; i < CCS_MAX_MAC_INDEX; i++) { |
index = ccs_find_match(cp); |
280 |
if (strcmp(cp, ccs_mac_keywords[i])) |
if (index >= 0) |
281 |
continue; |
ccs_profile->mac_mode[index] = mode; |
|
ccs_profile->mac_mode[i] = mode; |
|
|
} |
|
282 |
if (!cp2) |
if (!cp2) |
283 |
break; |
break; |
284 |
cp = cp2 + 1; |
cp = cp2 + 1; |
285 |
} |
} |
286 |
return 0; |
return 0; |
287 |
} |
} |
288 |
for (mode = 0; mode < 4; mode++) { |
for (mode = 0; mode < 2; mode++) { |
289 |
if (strcmp(data, ccs_keyword_capability_mode[mode])) |
if (strcmp(data, ccs_keyword_audit[mode])) |
290 |
continue; |
continue; |
291 |
|
memset(ccs_profile->dont_audit[mode], 0, |
292 |
|
sizeof(ccs_profile->dont_audit[mode])); |
293 |
cp++; |
cp++; |
294 |
while (1) { |
while (1) { |
295 |
|
int index; |
296 |
char *cp2 = strchr(cp, ' '); |
char *cp2 = strchr(cp, ' '); |
297 |
if (cp2) |
if (cp2) |
298 |
*cp2 = '\0'; |
*cp2 = '\0'; |
299 |
for (i = 0; i < CCS_MAX_CAPABILITY_INDEX; i++) { |
index = ccs_find_match(cp); |
300 |
if (strcmp(cp, ccs_capability_list[i])) |
if (index >= 0) |
301 |
continue; |
ccs_profile->dont_audit[mode][index] = true; |
|
ccs_profile->mac_capability_mode[i] = mode; |
|
|
} |
|
302 |
if (!cp2) |
if (!cp2) |
303 |
break; |
break; |
304 |
cp = cp2 + 1; |
cp = cp2 + 1; |
334 |
int mode; |
int mode; |
335 |
const struct ccs_profile *ccs_profile = ccs_profile_ptr[index]; |
const struct ccs_profile *ccs_profile = ccs_profile_ptr[index]; |
336 |
for (mode = 0; mode < 4; mode++) { |
for (mode = 0; mode < 4; mode++) { |
337 |
if (!ccs_io_printf(head, "%u-%s={", index, ccs_keyword_mode[mode])) |
if (!ccs_io_printf(head, "%u-%s={", index, |
338 |
|
ccs_keyword_mode[mode])) |
339 |
goto out; |
goto out; |
340 |
for (i = 0; i < CCS_MAX_MAC_INDEX; i++) { |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX; |
341 |
|
i++) { |
342 |
if (ccs_profile->mac_mode[i] != mode) |
if (ccs_profile->mac_mode[i] != mode) |
343 |
continue; |
continue; |
344 |
if (!ccs_io_printf(head, " %s", ccs_mac_keywords[i])) |
if (!ccs_io_printf(head, " %s%s", |
345 |
|
i >= CCS_MAX_MAC_INDEX ? |
346 |
|
CCS_KEYWORD_CAPABILITY : "", |
347 |
|
ccs_mac_keywords[i])) |
348 |
goto out; |
goto out; |
349 |
} |
} |
350 |
if (!ccs_io_printf(head, " }\n")) |
if (!ccs_io_printf(head, " }\n")) |
356 |
return false; |
return false; |
357 |
} |
} |
358 |
|
|
359 |
static bool ccs_print_capability_mode(struct ccs_io_buffer *head, u8 index) |
static bool ccs_print_audit_mode(struct ccs_io_buffer *head, u8 index) |
360 |
{ |
{ |
361 |
const int pos = head->read_avail; |
const int pos = head->read_avail; |
362 |
int i; |
int i; |
363 |
int mode; |
int mode; |
364 |
const struct ccs_profile *ccs_profile = ccs_profile_ptr[index]; |
const struct ccs_profile *ccs_profile = ccs_profile_ptr[index]; |
365 |
for (mode = 0; mode < 4; mode++) { |
for (mode = 0; mode < 2; mode++) { |
366 |
if (!ccs_io_printf(head, "%u-%s={", index, ccs_keyword_capability_mode[mode])) |
if (!ccs_io_printf(head, "%u-%s={", index, |
367 |
|
ccs_keyword_audit[mode])) |
368 |
goto out; |
goto out; |
369 |
for (i = 0; i < CCS_MAX_CAPABILITY_INDEX; i++) { |
for (i = 0; i < CCS_MAX_MAC_INDEX + CCS_MAX_CAPABILITY_INDEX; |
370 |
if (ccs_profile->mac_capability_mode[i] != mode) |
i++) { |
371 |
|
if (!ccs_profile->dont_audit[mode][i]) |
372 |
continue; |
continue; |
373 |
if (!ccs_io_printf(head, " %s", ccs_capability_list[i])) |
if (!ccs_io_printf(head, " %s%s", |
374 |
|
i >= CCS_MAX_MAC_INDEX ? |
375 |
|
CCS_KEYWORD_CAPABILITY : "", |
376 |
|
ccs_mac_keywords[i])) |
377 |
goto out; |
goto out; |
378 |
} |
} |
379 |
if (!ccs_io_printf(head, " }\n")) |
if (!ccs_io_printf(head, " }\n")) |
423 |
break; |
break; |
424 |
continue; |
continue; |
425 |
} else if (type == 2) { |
} else if (type == 2) { |
426 |
if (!ccs_print_capability_mode(head, index)) |
if (!ccs_print_audit_mode(head, index)) |
427 |
break; |
break; |
428 |
continue; |
continue; |
429 |
} |
} |