2 * security/tomoyo/securityfs_if.c
4 * Copyright (C) 2005-2011 NTT DATA CORPORATION
7 #include <linux/security.h>
11 * tomoyo_check_task_acl - Check permission for task operation.
13 * @r: Pointer to "struct tomoyo_request_info".
14 * @ptr: Pointer to "struct tomoyo_acl_info".
16 * Returns true if granted, false otherwise.
18 static bool tomoyo_check_task_acl(struct tomoyo_request_info
*r
,
19 const struct tomoyo_acl_info
*ptr
)
21 const struct tomoyo_task_acl
*acl
= container_of(ptr
, typeof(*acl
),
23 return !tomoyo_pathcmp(r
->param
.task
.domainname
, acl
->domainname
);
27 * tomoyo_write_self - write() for /sys/kernel/security/tomoyo/self_domain interface.
29 * @file: Pointer to "struct file".
30 * @buf: Domainname to transit to.
31 * @count: Size of @buf.
34 * Returns @count on success, negative value otherwise.
36 * If domain transition was permitted but the domain transition failed, this
37 * function returns error rather than terminating current thread with SIGKILL.
39 static ssize_t
tomoyo_write_self(struct file
*file
, const char __user
*buf
,
40 size_t count
, loff_t
*ppos
)
44 if (!count
|| count
>= TOMOYO_EXEC_TMPSIZE
- 10)
46 data
= memdup_user_nul(buf
, count
);
49 tomoyo_normalize_line(data
);
50 if (tomoyo_correct_domain(data
)) {
51 const int idx
= tomoyo_read_lock();
52 struct tomoyo_path_info name
;
53 struct tomoyo_request_info r
;
55 tomoyo_fill_path_info(&name
);
56 /* Check "task manual_domain_transition" permission. */
57 tomoyo_init_request_info(&r
, NULL
, TOMOYO_MAC_FILE_EXECUTE
);
58 r
.param_type
= TOMOYO_TYPE_MANUAL_TASK_ACL
;
59 r
.param
.task
.domainname
= &name
;
60 tomoyo_check_acl(&r
, tomoyo_check_task_acl
);
64 struct tomoyo_domain_info
*new_domain
=
65 tomoyo_assign_domain(data
, true);
69 struct cred
*cred
= prepare_creds();
73 struct tomoyo_domain_info
**blob
;
74 struct tomoyo_domain_info
*old_domain
;
76 blob
= tomoyo_cred(cred
);
79 atomic_inc(&new_domain
->users
);
80 atomic_dec(&old_domain
->users
);
86 tomoyo_read_unlock(idx
);
90 return error
? error
: count
;
94 * tomoyo_read_self - read() for /sys/kernel/security/tomoyo/self_domain interface.
96 * @file: Pointer to "struct file".
97 * @buf: Domainname which current thread belongs to.
98 * @count: Size of @buf.
99 * @ppos: Bytes read by now.
101 * Returns read size on success, negative value otherwise.
103 static ssize_t
tomoyo_read_self(struct file
*file
, char __user
*buf
,
104 size_t count
, loff_t
*ppos
)
106 const char *domain
= tomoyo_domain()->domainname
->name
;
107 loff_t len
= strlen(domain
);
109 if (pos
>= len
|| !count
)
114 if (copy_to_user(buf
, domain
+ pos
, len
))
120 /* Operations for /sys/kernel/security/tomoyo/self_domain interface. */
121 static const struct file_operations tomoyo_self_operations
= {
122 .write
= tomoyo_write_self
,
123 .read
= tomoyo_read_self
,
127 * tomoyo_open - open() for /sys/kernel/security/tomoyo/ interface.
129 * @inode: Pointer to "struct inode".
130 * @file: Pointer to "struct file".
132 * Returns 0 on success, negative value otherwise.
134 static int tomoyo_open(struct inode
*inode
, struct file
*file
)
136 const int key
= ((u8
*) file_inode(file
)->i_private
)
138 return tomoyo_open_control(key
, file
);
142 * tomoyo_release - close() for /sys/kernel/security/tomoyo/ interface.
144 * @file: Pointer to "struct file".
147 static int tomoyo_release(struct inode
*inode
, struct file
*file
)
149 tomoyo_close_control(file
->private_data
);
154 * tomoyo_poll - poll() for /sys/kernel/security/tomoyo/ interface.
156 * @file: Pointer to "struct file".
157 * @wait: Pointer to "poll_table". Maybe NULL.
159 * Returns POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write,
160 * POLLOUT | POLLWRNORM otherwise.
162 static unsigned int tomoyo_poll(struct file
*file
, poll_table
*wait
)
164 return tomoyo_poll_control(file
, wait
);
168 * tomoyo_read - read() for /sys/kernel/security/tomoyo/ interface.
170 * @file: Pointer to "struct file".
171 * @buf: Pointer to buffer.
172 * @count: Size of @buf.
175 * Returns bytes read on success, negative value otherwise.
177 static ssize_t
tomoyo_read(struct file
*file
, char __user
*buf
, size_t count
,
180 return tomoyo_read_control(file
->private_data
, buf
, count
);
184 * tomoyo_write - write() for /sys/kernel/security/tomoyo/ interface.
186 * @file: Pointer to "struct file".
187 * @buf: Pointer to buffer.
188 * @count: Size of @buf.
191 * Returns @count on success, negative value otherwise.
193 static ssize_t
tomoyo_write(struct file
*file
, const char __user
*buf
,
194 size_t count
, loff_t
*ppos
)
196 return tomoyo_write_control(file
->private_data
, buf
, count
);
200 * tomoyo_operations is a "struct file_operations" which is used for handling
201 * /sys/kernel/security/tomoyo/ interface.
203 * Some files under /sys/kernel/security/tomoyo/ directory accept open(O_RDWR).
204 * See tomoyo_io_buffer for internals.
206 static const struct file_operations tomoyo_operations
= {
208 .release
= tomoyo_release
,
211 .write
= tomoyo_write
,
212 .llseek
= noop_llseek
,
216 * tomoyo_create_entry - Create interface files under /sys/kernel/security/tomoyo/ directory.
218 * @name: The name of the interface file.
219 * @mode: The permission of the interface file.
220 * @parent: The parent directory.
221 * @key: Type of interface.
225 static void __init
tomoyo_create_entry(const char *name
, const umode_t mode
,
226 struct dentry
*parent
, const u8 key
)
228 securityfs_create_file(name
, mode
, parent
, ((u8
*) NULL
) + key
,
233 * tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface.
237 static int __init
tomoyo_initerface_init(void)
239 struct tomoyo_domain_info
*domain
;
240 struct dentry
*tomoyo_dir
;
242 domain
= tomoyo_domain();
243 /* Don't create securityfs entries unless registered. */
244 if (domain
!= &tomoyo_kernel_domain
)
247 tomoyo_dir
= securityfs_create_dir("tomoyo", NULL
);
248 tomoyo_create_entry("query", 0600, tomoyo_dir
,
250 tomoyo_create_entry("domain_policy", 0600, tomoyo_dir
,
251 TOMOYO_DOMAINPOLICY
);
252 tomoyo_create_entry("exception_policy", 0600, tomoyo_dir
,
253 TOMOYO_EXCEPTIONPOLICY
);
254 tomoyo_create_entry("audit", 0400, tomoyo_dir
,
256 tomoyo_create_entry(".process_status", 0600, tomoyo_dir
,
257 TOMOYO_PROCESS_STATUS
);
258 tomoyo_create_entry("stat", 0644, tomoyo_dir
,
260 tomoyo_create_entry("profile", 0600, tomoyo_dir
,
262 tomoyo_create_entry("manager", 0600, tomoyo_dir
,
264 tomoyo_create_entry("version", 0400, tomoyo_dir
,
266 securityfs_create_file("self_domain", 0666, tomoyo_dir
, NULL
,
267 &tomoyo_self_operations
);
268 tomoyo_load_builtin_policy();
272 fs_initcall(tomoyo_initerface_init
);