~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/akari/internal.h

Version: ~ [ linux-5.2-rc1 ] ~ [ linux-5.1.2 ] ~ [ linux-5.0.16 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.43 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.119 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.176 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.179 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.139 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.67 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * security/ccsecurity/internal.h
  3  *
  4  * Copyright (C) 2005-2012  NTT DATA CORPORATION
  5  *
  6  * Version: 1.8.5   2015/11/11
  7  */
  8 
  9 #ifndef _SECURITY_CCSECURITY_INTERNAL_H
 10 #define _SECURITY_CCSECURITY_INTERNAL_H
 11 
 12 #include <linux/version.h>
 13 #include <linux/types.h>
 14 #include <linux/kernel.h>
 15 #include <linux/string.h>
 16 #include <linux/mm.h>
 17 #include <linux/utime.h>
 18 #include <linux/file.h>
 19 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 38)
 20 #include <linux/smp_lock.h>
 21 #endif
 22 #include <linux/module.h>
 23 #include <linux/init.h>
 24 #include <linux/slab.h>
 25 #include <linux/highmem.h>
 26 #include <linux/poll.h>
 27 #include <linux/binfmts.h>
 28 #include <linux/delay.h>
 29 #include <linux/sched.h>
 30 #include <linux/dcache.h>
 31 #include <linux/mount.h>
 32 #include <linux/net.h>
 33 #include <linux/inet.h>
 34 #include <linux/in.h>
 35 #include <linux/in6.h>
 36 #include <linux/un.h>
 37 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
 38 #include <linux/fs.h>
 39 #endif
 40 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
 41 #include <linux/namei.h>
 42 #endif
 43 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 30)
 44 #include <linux/fs_struct.h>
 45 #endif
 46 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 47 #include <linux/namespace.h>
 48 #endif
 49 #include <linux/proc_fs.h>
 50 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 0) || defined(RHEL_MAJOR)
 51 #include <linux/hash.h>
 52 #endif
 53 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) || (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL))
 54 #include <linux/sysctl.h>
 55 #endif
 56 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 6)
 57 #include <linux/kthread.h>
 58 #endif
 59 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)
 60 #include <linux/magic.h>
 61 #endif
 62 #include <stdarg.h>
 63 #include <asm/uaccess.h>
 64 #include <net/sock.h>
 65 #include <net/af_unix.h>
 66 #include <net/ip.h>
 67 #include <net/ipv6.h>
 68 #include <net/udp.h>
 69 
 70 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
 71 #define sk_family family
 72 #define sk_protocol protocol
 73 #define sk_type type
 74 #endif
 75 
 76 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 77 
 78 /* Structure for holding "struct vfsmount *" and "struct dentry *". */
 79 struct path {
 80         struct vfsmount *mnt;
 81         struct dentry *dentry;
 82 };
 83 
 84 #endif
 85 
 86 #ifndef __printf
 87 #define __printf(a,b) __attribute__((format(printf,a,b)))
 88 #endif
 89 #ifndef __packed
 90 #define __packed __attribute__((__packed__))
 91 #endif
 92 #ifndef bool
 93 #define bool _Bool
 94 #endif
 95 #ifndef false
 96 #define false 0
 97 #endif
 98 #ifndef true
 99 #define true 1
100 #endif
101 
102 #ifndef __user
103 #define __user
104 #endif
105 
106 #ifndef current_uid
107 #define current_uid()   (current->uid)
108 #endif
109 #ifndef current_gid
110 #define current_gid()   (current->gid)
111 #endif
112 #ifndef current_euid
113 #define current_euid()  (current->euid)
114 #endif
115 #ifndef current_egid
116 #define current_egid()  (current->egid)
117 #endif
118 #ifndef current_suid
119 #define current_suid()  (current->suid)
120 #endif
121 #ifndef current_sgid
122 #define current_sgid()  (current->sgid)
123 #endif
124 #ifndef current_fsuid
125 #define current_fsuid() (current->fsuid)
126 #endif
127 #ifndef current_fsgid
128 #define current_fsgid() (current->fsgid)
129 #endif
130 
131 #ifndef DEFINE_SPINLOCK
132 #define DEFINE_SPINLOCK(x) spinlock_t x = SPIN_LOCK_UNLOCKED
133 #endif
134 
135 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16)
136 #define mutex semaphore
137 #define mutex_init(mutex) init_MUTEX(mutex)
138 #define mutex_unlock(mutex) up(mutex)
139 #define mutex_lock(mutex) down(mutex)
140 #define mutex_lock_interruptible(mutex) down_interruptible(mutex)
141 #define mutex_trylock(mutex) (!down_trylock(mutex))
142 #define DEFINE_MUTEX(mutexname) DECLARE_MUTEX(mutexname)
143 #endif
144 
145 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 15)
146 #define MS_UNBINDABLE   (1<<17) /* change to unbindable */
147 #define MS_PRIVATE      (1<<18) /* change to private */
148 #define MS_SLAVE        (1<<19) /* change to slave */
149 #define MS_SHARED       (1<<20) /* change to shared */
150 #endif
151 
152 #ifndef container_of
153 #define container_of(ptr, type, member) ({                              \
154                         const typeof(((type *)0)->member) *__mptr = (ptr); \
155                         (type *)((char *)__mptr - offsetof(type, member)); })
156 #endif
157 
158 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 0)
159 #define smp_read_barrier_depends smp_rmb
160 #endif
161 
162 #ifndef ACCESS_ONCE
163 #define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
164 #endif
165 
166 #ifndef rcu_dereference
167 #define rcu_dereference(p)     ({                                       \
168                         typeof(p) _________p1 = ACCESS_ONCE(p);         \
169                         smp_read_barrier_depends(); /* see RCU */       \
170                         (_________p1);                                  \
171                 })
172 #endif
173 
174 #ifndef rcu_assign_pointer
175 #define rcu_assign_pointer(p, v)                        \
176         ({                                              \
177                 if (!__builtin_constant_p(v) ||         \
178                     ((v) != NULL))                      \
179                         smp_wmb(); /* see RCU */        \
180                 (p) = (v);                              \
181         })
182 #endif
183 
184 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
185 #define f_vfsmnt f_path.mnt
186 #endif
187 
188 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 14)
189 
190 /**
191  * kzalloc() - Allocate memory. The memory is set to zero.
192  *
193  * @size:  Size to allocate.
194  * @flags: GFP flags.
195  *
196  * Returns pointer to allocated memory on success, NULL otherwise.
197  *
198  * This is for compatibility with older kernels.
199  *
200  * Since several distributions backported kzalloc(), I define it as a macro
201  * rather than an inlined function in order to avoid multiple definition error.
202  */
203 #define kzalloc(size, flags) ({                                 \
204                         void *ret = kmalloc((size), (flags));   \
205                         if (ret)                                \
206                                 memset(ret, 0, (size));         \
207                         ret; })
208 
209 #endif
210 
211 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 25)
212 
213 /**
214  * path_put - Drop reference on "struct path".
215  *
216  * @path: Pointer to "struct path".
217  *
218  * Returns nothing.
219  *
220  * This is for compatibility with older kernels.
221  */
222 static inline void path_put(struct path *path)
223 {
224         dput(path->dentry);
225         mntput(path->mnt);
226 }
227 
228 #endif
229 
230 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
231 
232 /**
233  * __list_add_rcu - Insert a new entry between two known consecutive entries.
234  *
235  * @new:  Pointer to "struct list_head".
236  * @prev: Pointer to "struct list_head".
237  * @next: Pointer to "struct list_head".
238  *
239  * Returns nothing.
240  *
241  * This is for compatibility with older kernels.
242  */
243 static inline void __list_add_rcu(struct list_head *new,
244                                   struct list_head *prev,
245                                   struct list_head *next)
246 {
247         new->next = next;
248         new->prev = prev;
249         rcu_assign_pointer(prev->next, new);
250         next->prev = new;
251 }
252 
253 /**
254  * list_add_tail_rcu - Add a new entry to rcu-protected list.
255  *
256  * @new:  Pointer to "struct list_head".
257  * @head: Pointer to "struct list_head".
258  *
259  * Returns nothing.
260  *
261  * This is for compatibility with older kernels.
262  */
263 static inline void list_add_tail_rcu(struct list_head *new,
264                                      struct list_head *head)
265 {
266         __list_add_rcu(new, head->prev, head);
267 }
268 
269 /**
270  * list_add_rcu - Add a new entry to rcu-protected list.
271  *
272  * @new:  Pointer to "struct list_head".
273  * @head: Pointer to "struct list_head".
274  *
275  * Returns nothing.
276  *
277  * This is for compatibility with older kernels.
278  */
279 static inline void list_add_rcu(struct list_head *new, struct list_head *head)
280 {
281         __list_add_rcu(new, head, head->next);
282 }
283 
284 #endif
285 
286 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 38)
287 
288 /**
289  * __list_del_entry - Deletes entry from list without re-initialization.
290  *
291  * @entry: Pointer to "struct list_head".
292  *
293  * Returns nothing.
294  *
295  * This is for compatibility with older kernels.
296  */
297 static inline void __list_del_entry(struct list_head *entry)
298 {
299         __list_del(entry->prev, entry->next);
300 }
301 
302 #endif
303 
304 #ifndef list_for_each_entry_safe
305 
306 /**
307  * list_for_each_entry_safe - Iterate over list of given type safe against removal of list entry.
308  *
309  * @pos:    The "type *" to use as a loop cursor.
310  * @n:      Another "type *" to use as temporary storage.
311  * @head:   Pointer to "struct list_head".
312  * @member: The name of the list_struct within the struct.
313  *
314  * This is for compatibility with older kernels.
315  */
316 #define list_for_each_entry_safe(pos, n, head, member)                  \
317         for (pos = list_entry((head)->next, typeof(*pos), member),      \
318                      n = list_entry(pos->member.next, typeof(*pos), member); \
319              &pos->member != (head);                                    \
320              pos = n, n = list_entry(n->member.next, typeof(*n), member))
321 
322 #endif
323 
324 #ifndef srcu_dereference
325 
326 /**
327  * srcu_dereference - Fetch SRCU-protected pointer with checking.
328  *
329  * @p:  The pointer to read, prior to dereferencing.
330  * @ss: Pointer to "struct srcu_struct".
331  *
332  * Returns @p.
333  *
334  * This is for compatibility with older kernels.
335  */
336 #define srcu_dereference(p, ss) rcu_dereference(p)
337 
338 #endif
339 
340 #ifndef list_for_each_entry_srcu
341 
342 /**
343  * list_for_each_entry_srcu - Iterate over rcu list of given type.
344  *
345  * @pos:    The type * to use as a loop cursor.
346  * @head:   The head for your list.
347  * @member: The name of the list_struct within the struct.
348  * @ss:     Pointer to "struct srcu_struct".
349  *
350  * As of 2.6.36, this macro is not provided because only TOMOYO wants it.
351  */
352 #define list_for_each_entry_srcu(pos, head, member, ss)               \
353         for (pos = list_entry(srcu_dereference((head)->next, ss),     \
354                               typeof(*pos), member);                  \
355              prefetch(pos->member.next), &pos->member != (head);      \
356              pos = list_entry(srcu_dereference(pos->member.next, ss), \
357                               typeof(*pos), member))
358 
359 #endif
360 
361 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 4, 30) || (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 9))
362 
363 #if LINUX_VERSION_CODE == KERNEL_VERSION(2, 4, 21)
364 #undef ssleep
365 #endif
366 
367 #ifndef ssleep
368 
369 /**
370  * ssleep - Sleep for specified seconds.
371  *
372  * @secs: Seconds to sleep.
373  *
374  * Returns nothing.
375  *
376  * This is for compatibility with older kernels.
377  *
378  * Since several distributions backported ssleep(), I define it as a macro
379  * rather than an inlined function in order to avoid multiple definition error.
380  */
381 #define ssleep(secs) {                                          \
382                 set_current_state(TASK_UNINTERRUPTIBLE);        \
383                 schedule_timeout((HZ * secs) + 1);              \
384         }
385 
386 #endif
387 
388 #endif
389 
390 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
391 
392 /**
393  * from_kuid - Convert kuid_t to uid_t.
394  *
395  * @ns:  Unused.
396  * @uid: kuid_t value.
397  *
398  * Returns uid seen from init's user namespace.
399  */
400 #define from_kuid(ns, uid) (uid)
401 
402 /**
403  * from_kgid - Convert kgid_t to gid_t.
404  *
405  * @ns:  Unused.
406  * @gid: kgid_t value.
407  *
408  * Returns gid seen from init's user namespace.
409  */
410 #define from_kgid(ns, gid) (gid)
411 
412 /**
413  * uid_eq - Check whether the uids are equals or not.
414  *
415  * @left: Uid seen from current user namespace.
416  * @right: Uid seen from current user namespace.
417  *
418  * Returns true if uid is root in init's user namespace, false otherwise.
419  */
420 #define uid_eq(left, right) ((left) == (right))
421 #define GLOBAL_ROOT_UID 0
422 
423 #endif
424 
425 /*
426  * TOMOYO specific part start.
427  */
428 
429 /* Clear TOMOYO 1.8 config. */
430 #undef CONFIG_CCSECURITY
431 #undef CONFIG_CCSECURITY_LKM
432 #undef CONFIG_CCSECURITY_DISABLE_BY_DEFAULT
433 #undef CONFIG_CCSECURITY_MAX_AUDIT_LOG
434 #undef CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY
435 #undef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER
436 #undef CONFIG_CCSECURITY_POLICY_LOADER
437 #undef CONFIG_CCSECURITY_ACTIVATION_TRIGGER
438 #undef CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY
439 #undef CONFIG_CCSECURITY_FILE_READDIR
440 #undef CONFIG_CCSECURITY_FILE_GETATTR
441 #undef CONFIG_CCSECURITY_NETWORK
442 #undef CONFIG_CCSECURITY_NETWORK_RECVMSG
443 #undef CONFIG_CCSECURITY_CAPABILITY
444 #undef CONFIG_CCSECURITY_IPC
445 #undef CONFIG_CCSECURITY_MISC
446 #undef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
447 #undef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
448 #undef CONFIG_CCSECURITY_PORTRESERVE
449 /* Define AKARI 1.0 config. */
450 #include "config.h"
451 #ifndef CONFIG_CCSECURITY
452 #define CONFIG_CCSECURITY
453 #endif
454 #ifndef CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY
455 #define CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY
456 #endif
457 #ifndef CONFIG_CCSECURITY_MAX_AUDIT_LOG
458 #define CONFIG_CCSECURITY_MAX_AUDIT_LOG 1024
459 #endif
460 #ifndef CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY
461 #define CONFIG_CCSECURITY_MAX_ACCEPT_ENTRY 2048
462 #endif
463 #ifndef CONFIG_CCSECURITY_POLICY_LOADER
464 #define CONFIG_CCSECURITY_POLICY_LOADER "/sbin/ccs-init"
465 #endif
466 #ifndef CONFIG_CCSECURITY_ACTIVATION_TRIGGER
467 #define CONFIG_CCSECURITY_ACTIVATION_TRIGGER "/sbin/init"
468 #endif
469 #include "ccsecurity.h"
470 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 0)
471 #error This module supports only 2.6.0 and later kernels.
472 #endif
473 #ifndef CONFIG_SECURITY
474 #error You must choose CONFIG_SECURITY=y for building this module.
475 #endif
476 #ifndef CONFIG_KALLSYMS
477 #error You must choose CONFIG_KALLSYMS=y for building this module.
478 #endif
479 #ifndef CONFIG_PROC_FS
480 #error You must choose CONFIG_PROC_FS=y for building this module.
481 #endif
482 #ifndef CONFIG_MODULES
483 #error You must choose CONFIG_MODULES=y for building this module.
484 #endif
485 
486 /* Enumeration definition for internal use. */
487 
488 /* Index numbers for Access Controls. */
489 enum ccs_acl_entry_type_index {
490         CCS_TYPE_PATH_ACL,
491         CCS_TYPE_PATH2_ACL,
492         CCS_TYPE_PATH_NUMBER_ACL,
493         CCS_TYPE_MKDEV_ACL,
494         CCS_TYPE_MOUNT_ACL,
495 #ifdef CONFIG_CCSECURITY_MISC
496         CCS_TYPE_ENV_ACL,
497 #endif
498 #ifdef CONFIG_CCSECURITY_CAPABILITY
499         CCS_TYPE_CAPABILITY_ACL,
500 #endif
501 #ifdef CONFIG_CCSECURITY_NETWORK
502         CCS_TYPE_INET_ACL,
503         CCS_TYPE_UNIX_ACL,
504 #endif
505 #ifdef CONFIG_CCSECURITY_IPC
506         CCS_TYPE_SIGNAL_ACL,
507 #endif
508 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
509         CCS_TYPE_AUTO_EXECUTE_HANDLER,
510         CCS_TYPE_DENIED_EXECUTE_HANDLER,
511 #endif
512 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
513         CCS_TYPE_AUTO_TASK_ACL,
514         CCS_TYPE_MANUAL_TASK_ACL,
515 #endif
516 };
517 
518 /* Index numbers for "struct ccs_condition". */
519 enum ccs_conditions_index {
520         CCS_TASK_UID,             /* current_uid()   */
521         CCS_TASK_EUID,            /* current_euid()  */
522         CCS_TASK_SUID,            /* current_suid()  */
523         CCS_TASK_FSUID,           /* current_fsuid() */
524         CCS_TASK_GID,             /* current_gid()   */
525         CCS_TASK_EGID,            /* current_egid()  */
526         CCS_TASK_SGID,            /* current_sgid()  */
527         CCS_TASK_FSGID,           /* current_fsgid() */
528         CCS_TASK_PID,             /* sys_getpid()   */
529         CCS_TASK_PPID,            /* sys_getppid()  */
530         CCS_EXEC_ARGC,            /* "struct linux_binprm *"->argc */
531         CCS_EXEC_ENVC,            /* "struct linux_binprm *"->envc */
532         CCS_TYPE_IS_SOCKET,       /* S_IFSOCK */
533         CCS_TYPE_IS_SYMLINK,      /* S_IFLNK */
534         CCS_TYPE_IS_FILE,         /* S_IFREG */
535         CCS_TYPE_IS_BLOCK_DEV,    /* S_IFBLK */
536         CCS_TYPE_IS_DIRECTORY,    /* S_IFDIR */
537         CCS_TYPE_IS_CHAR_DEV,     /* S_IFCHR */
538         CCS_TYPE_IS_FIFO,         /* S_IFIFO */
539         CCS_MODE_SETUID,          /* S_ISUID */
540         CCS_MODE_SETGID,          /* S_ISGID */
541         CCS_MODE_STICKY,          /* S_ISVTX */
542         CCS_MODE_OWNER_READ,      /* S_IRUSR */
543         CCS_MODE_OWNER_WRITE,     /* S_IWUSR */
544         CCS_MODE_OWNER_EXECUTE,   /* S_IXUSR */
545         CCS_MODE_GROUP_READ,      /* S_IRGRP */
546         CCS_MODE_GROUP_WRITE,     /* S_IWGRP */
547         CCS_MODE_GROUP_EXECUTE,   /* S_IXGRP */
548         CCS_MODE_OTHERS_READ,     /* S_IROTH */
549         CCS_MODE_OTHERS_WRITE,    /* S_IWOTH */
550         CCS_MODE_OTHERS_EXECUTE,  /* S_IXOTH */
551         CCS_TASK_TYPE,            /* ((u8) task->ccs_flags) &
552                                      CCS_TASK_IS_EXECUTE_HANDLER */
553         CCS_TASK_EXECUTE_HANDLER, /* CCS_TASK_IS_EXECUTE_HANDLER */
554         CCS_EXEC_REALPATH,
555         CCS_SYMLINK_TARGET,
556         CCS_PATH1_UID,
557         CCS_PATH1_GID,
558         CCS_PATH1_INO,
559         CCS_PATH1_MAJOR,
560         CCS_PATH1_MINOR,
561         CCS_PATH1_PERM,
562         CCS_PATH1_TYPE,
563         CCS_PATH1_DEV_MAJOR,
564         CCS_PATH1_DEV_MINOR,
565         CCS_PATH2_UID,
566         CCS_PATH2_GID,
567         CCS_PATH2_INO,
568         CCS_PATH2_MAJOR,
569         CCS_PATH2_MINOR,
570         CCS_PATH2_PERM,
571         CCS_PATH2_TYPE,
572         CCS_PATH2_DEV_MAJOR,
573         CCS_PATH2_DEV_MINOR,
574         CCS_PATH1_PARENT_UID,
575         CCS_PATH1_PARENT_GID,
576         CCS_PATH1_PARENT_INO,
577         CCS_PATH1_PARENT_PERM,
578         CCS_PATH2_PARENT_UID,
579         CCS_PATH2_PARENT_GID,
580         CCS_PATH2_PARENT_INO,
581         CCS_PATH2_PARENT_PERM,
582         CCS_MAX_CONDITION_KEYWORD,
583         CCS_NUMBER_UNION,
584         CCS_NAME_UNION,
585         CCS_ARGV_ENTRY,
586         CCS_ENVP_ENTRY,
587 };
588 
589 /* Index numbers for domain's attributes. */
590 enum ccs_domain_info_flags_index {
591         /* Quota warnning flag.   */
592         CCS_DIF_QUOTA_WARNED,
593         /*
594          * This domain was unable to create a new domain at
595          * ccs_find_next_domain() because the name of the domain to be created
596          * was too long or it could not allocate memory.
597          * More than one process continued execve() without domain transition.
598          */
599         CCS_DIF_TRANSITION_FAILED,
600         CCS_MAX_DOMAIN_INFO_FLAGS
601 };
602 
603 /* Index numbers for audit type. */
604 enum ccs_grant_log {
605         /* Follow profile's configuration. */
606         CCS_GRANTLOG_AUTO,
607         /* Do not generate grant log. */
608         CCS_GRANTLOG_NO,
609         /* Generate grant_log. */
610         CCS_GRANTLOG_YES,
611 };
612 
613 /* Index numbers for group entries. */
614 enum ccs_group_id {
615         CCS_PATH_GROUP,
616         CCS_NUMBER_GROUP,
617 #ifdef CONFIG_CCSECURITY_NETWORK
618         CCS_ADDRESS_GROUP,
619 #endif
620         CCS_MAX_GROUP
621 };
622 
623 /* Index numbers for category of functionality. */
624 enum ccs_mac_category_index {
625         CCS_MAC_CATEGORY_FILE,
626 #ifdef CONFIG_CCSECURITY_NETWORK
627         CCS_MAC_CATEGORY_NETWORK,
628 #endif
629 #ifdef CONFIG_CCSECURITY_MISC
630         CCS_MAC_CATEGORY_MISC,
631 #endif
632 #ifdef CONFIG_CCSECURITY_IPC
633         CCS_MAC_CATEGORY_IPC,
634 #endif
635 #ifdef CONFIG_CCSECURITY_CAPABILITY
636         CCS_MAC_CATEGORY_CAPABILITY,
637 #endif
638         CCS_MAX_MAC_CATEGORY_INDEX
639 };
640 
641 /* Index numbers for functionality. */
642 enum ccs_mac_index {
643         CCS_MAC_FILE_EXECUTE,
644         CCS_MAC_FILE_OPEN,
645         CCS_MAC_FILE_CREATE,
646         CCS_MAC_FILE_UNLINK,
647 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
648         CCS_MAC_FILE_GETATTR,
649 #endif
650         CCS_MAC_FILE_MKDIR,
651         CCS_MAC_FILE_RMDIR,
652         CCS_MAC_FILE_MKFIFO,
653         CCS_MAC_FILE_MKSOCK,
654         CCS_MAC_FILE_TRUNCATE,
655         CCS_MAC_FILE_SYMLINK,
656         CCS_MAC_FILE_MKBLOCK,
657         CCS_MAC_FILE_MKCHAR,
658         CCS_MAC_FILE_LINK,
659         CCS_MAC_FILE_RENAME,
660         CCS_MAC_FILE_CHMOD,
661         CCS_MAC_FILE_CHOWN,
662         CCS_MAC_FILE_CHGRP,
663         CCS_MAC_FILE_IOCTL,
664         CCS_MAC_FILE_CHROOT,
665         CCS_MAC_FILE_MOUNT,
666         CCS_MAC_FILE_UMOUNT,
667         CCS_MAC_FILE_PIVOT_ROOT,
668 #ifdef CONFIG_CCSECURITY_NETWORK
669         CCS_MAC_NETWORK_INET_STREAM_BIND,
670         CCS_MAC_NETWORK_INET_STREAM_LISTEN,
671         CCS_MAC_NETWORK_INET_STREAM_CONNECT,
672         CCS_MAC_NETWORK_INET_STREAM_ACCEPT,
673         CCS_MAC_NETWORK_INET_DGRAM_BIND,
674         CCS_MAC_NETWORK_INET_DGRAM_SEND,
675 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
676         CCS_MAC_NETWORK_INET_DGRAM_RECV,
677 #endif
678         CCS_MAC_NETWORK_INET_RAW_BIND,
679         CCS_MAC_NETWORK_INET_RAW_SEND,
680 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
681         CCS_MAC_NETWORK_INET_RAW_RECV,
682 #endif
683         CCS_MAC_NETWORK_UNIX_STREAM_BIND,
684         CCS_MAC_NETWORK_UNIX_STREAM_LISTEN,
685         CCS_MAC_NETWORK_UNIX_STREAM_CONNECT,
686         CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT,
687         CCS_MAC_NETWORK_UNIX_DGRAM_BIND,
688         CCS_MAC_NETWORK_UNIX_DGRAM_SEND,
689 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
690         CCS_MAC_NETWORK_UNIX_DGRAM_RECV,
691 #endif
692         CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND,
693         CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
694         CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
695         CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT,
696 #endif
697 #ifdef CONFIG_CCSECURITY_MISC
698         CCS_MAC_ENVIRON,
699 #endif
700 #ifdef CONFIG_CCSECURITY_IPC
701         CCS_MAC_SIGNAL,
702 #endif
703 #ifdef CONFIG_CCSECURITY_CAPABILITY
704         CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET,
705         CCS_MAC_CAPABILITY_USE_PACKET_SOCKET,
706         CCS_MAC_CAPABILITY_SYS_REBOOT,
707         CCS_MAC_CAPABILITY_SYS_VHANGUP,
708         CCS_MAC_CAPABILITY_SYS_SETTIME,
709         CCS_MAC_CAPABILITY_SYS_NICE,
710         CCS_MAC_CAPABILITY_SYS_SETHOSTNAME,
711         CCS_MAC_CAPABILITY_USE_KERNEL_MODULE,
712         CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD,
713         CCS_MAC_CAPABILITY_SYS_PTRACE,
714 #endif
715         CCS_MAX_MAC_INDEX
716 };
717 
718 /* Index numbers for /proc/ccs/stat interface. */
719 enum ccs_memory_stat_type {
720         CCS_MEMORY_POLICY,
721         CCS_MEMORY_AUDIT,
722         CCS_MEMORY_QUERY,
723         CCS_MAX_MEMORY_STAT
724 };
725 
726 /* Index numbers for access controls with one pathname and three numbers. */
727 enum ccs_mkdev_acl_index {
728         CCS_TYPE_MKBLOCK,
729         CCS_TYPE_MKCHAR,
730         CCS_MAX_MKDEV_OPERATION
731 };
732 
733 /* Index numbers for operation mode. */
734 enum ccs_mode_value {
735         CCS_CONFIG_DISABLED,
736         CCS_CONFIG_LEARNING,
737         CCS_CONFIG_PERMISSIVE,
738         CCS_CONFIG_ENFORCING,
739         CCS_CONFIG_MAX_MODE,
740         CCS_CONFIG_WANT_REJECT_LOG =  64,
741         CCS_CONFIG_WANT_GRANT_LOG  = 128,
742         CCS_CONFIG_USE_DEFAULT     = 255,
743 };
744 
745 /* Index numbers for socket operations. */
746 enum ccs_network_acl_index {
747         CCS_NETWORK_BIND,    /* bind() operation. */
748         CCS_NETWORK_LISTEN,  /* listen() operation. */
749         CCS_NETWORK_CONNECT, /* connect() operation. */
750         CCS_NETWORK_ACCEPT,  /* accept() operation. */
751         CCS_NETWORK_SEND,    /* send() operation. */
752 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
753         CCS_NETWORK_RECV,    /* recv() operation. */
754 #endif
755         CCS_MAX_NETWORK_OPERATION
756 };
757 
758 /* Index numbers for access controls with two pathnames. */
759 enum ccs_path2_acl_index {
760         CCS_TYPE_LINK,
761         CCS_TYPE_RENAME,
762         CCS_TYPE_PIVOT_ROOT,
763         CCS_MAX_PATH2_OPERATION
764 };
765 
766 /* Index numbers for access controls with one pathname. */
767 enum ccs_path_acl_index {
768         CCS_TYPE_EXECUTE,
769         CCS_TYPE_READ,
770         CCS_TYPE_WRITE,
771         CCS_TYPE_APPEND,
772         CCS_TYPE_UNLINK,
773 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
774         CCS_TYPE_GETATTR,
775 #endif
776         CCS_TYPE_RMDIR,
777         CCS_TYPE_TRUNCATE,
778         CCS_TYPE_SYMLINK,
779         CCS_TYPE_CHROOT,
780         CCS_TYPE_UMOUNT,
781         CCS_MAX_PATH_OPERATION
782 };
783 
784 /* Index numbers for access controls with one pathname and one number. */
785 enum ccs_path_number_acl_index {
786         CCS_TYPE_CREATE,
787         CCS_TYPE_MKDIR,
788         CCS_TYPE_MKFIFO,
789         CCS_TYPE_MKSOCK,
790         CCS_TYPE_IOCTL,
791         CCS_TYPE_CHMOD,
792         CCS_TYPE_CHOWN,
793         CCS_TYPE_CHGRP,
794         CCS_MAX_PATH_NUMBER_OPERATION
795 };
796 
797 /* Index numbers for stat(). */
798 enum ccs_path_stat_index {
799         /* Do not change this order. */
800         CCS_PATH1,
801         CCS_PATH1_PARENT,
802         CCS_PATH2,
803         CCS_PATH2_PARENT,
804         CCS_MAX_PATH_STAT
805 };
806 
807 /* Index numbers for entry type. */
808 enum ccs_policy_id {
809 #ifdef CONFIG_CCSECURITY_PORTRESERVE
810         CCS_ID_RESERVEDPORT,
811 #endif
812         CCS_ID_GROUP,
813 #ifdef CONFIG_CCSECURITY_NETWORK
814         CCS_ID_ADDRESS_GROUP,
815 #endif
816         CCS_ID_PATH_GROUP,
817         CCS_ID_NUMBER_GROUP,
818         CCS_ID_AGGREGATOR,
819         CCS_ID_TRANSITION_CONTROL,
820         CCS_ID_MANAGER,
821         CCS_ID_CONDITION,
822         CCS_ID_NAME,
823         CCS_ID_ACL,
824         CCS_ID_DOMAIN,
825         CCS_MAX_POLICY
826 };
827 
828 /* Index numbers for /proc/ccs/stat interface. */
829 enum ccs_policy_stat_type {
830         /* Do not change this order. */
831         CCS_STAT_POLICY_UPDATES,
832         CCS_STAT_POLICY_LEARNING,   /* == CCS_CONFIG_LEARNING */
833         CCS_STAT_POLICY_PERMISSIVE, /* == CCS_CONFIG_PERMISSIVE */
834         CCS_STAT_POLICY_ENFORCING,  /* == CCS_CONFIG_ENFORCING */
835         CCS_MAX_POLICY_STAT
836 };
837 
838 /* Index numbers for profile's PREFERENCE values. */
839 enum ccs_pref_index {
840         CCS_PREF_MAX_AUDIT_LOG,
841         CCS_PREF_MAX_LEARNING_ENTRY,
842         CCS_PREF_ENFORCING_PENALTY,
843         CCS_MAX_PREF
844 };
845 
846 /* Index numbers for /proc/ccs/ interfaces. */
847 enum ccs_proc_interface_index {
848         CCS_DOMAIN_POLICY,
849         CCS_EXCEPTION_POLICY,
850         CCS_PROCESS_STATUS,
851         CCS_STAT,
852         CCS_AUDIT,
853         CCS_VERSION,
854         CCS_PROFILE,
855         CCS_QUERY,
856         CCS_MANAGER,
857 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
858         CCS_EXECUTE_HANDLER,
859 #endif
860 };
861 
862 /* Index numbers for special mount operations. */
863 enum ccs_special_mount {
864         CCS_MOUNT_BIND,            /* mount --bind /source /dest   */
865         CCS_MOUNT_MOVE,            /* mount --move /old /new       */
866         CCS_MOUNT_REMOUNT,         /* mount -o remount /dir        */
867         CCS_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
868         CCS_MOUNT_MAKE_PRIVATE,    /* mount --make-private /dir    */
869         CCS_MOUNT_MAKE_SLAVE,      /* mount --make-slave /dir      */
870         CCS_MOUNT_MAKE_SHARED,     /* mount --make-shared /dir     */
871         CCS_MAX_SPECIAL_MOUNT
872 };
873 
874 /* Index numbers for domain transition control keywords. */
875 enum ccs_transition_type {
876         /* Do not change this order, */
877         CCS_TRANSITION_CONTROL_NO_RESET,
878         CCS_TRANSITION_CONTROL_RESET,
879         CCS_TRANSITION_CONTROL_NO_INITIALIZE,
880         CCS_TRANSITION_CONTROL_INITIALIZE,
881         CCS_TRANSITION_CONTROL_NO_KEEP,
882         CCS_TRANSITION_CONTROL_KEEP,
883         CCS_MAX_TRANSITION_TYPE
884 };
885 
886 /* Index numbers for type of numeric values. */
887 enum ccs_value_type {
888         CCS_VALUE_TYPE_INVALID,
889         CCS_VALUE_TYPE_DECIMAL,
890         CCS_VALUE_TYPE_OCTAL,
891         CCS_VALUE_TYPE_HEXADECIMAL,
892 };
893 
894 /* Constants definition for internal use. */
895 
896 /*
897  * TOMOYO uses this hash only when appending a string into the string table.
898  * Frequency of appending strings is very low. So we don't need large (e.g.
899  * 64k) hash size. 256 will be sufficient.
900  */
901 #define CCS_HASH_BITS 8
902 #define CCS_MAX_HASH (1u << CCS_HASH_BITS)
903 
904 /*
905  * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
906  * Therefore, we don't need SOCK_MAX.
907  */
908 #define CCS_SOCK_MAX 6
909 
910 /* Size of temporary buffer for execve() operation. */
911 #define CCS_EXEC_TMPSIZE     4096
912 
913 /* Garbage collector is trying to kfree() this element. */
914 #define CCS_GC_IN_PROGRESS -1
915 
916 /* Profile number is an integer between 0 and 255. */
917 #define CCS_MAX_PROFILES 256
918 
919 /* Group number is an integer between 0 and 255. */
920 #define CCS_MAX_ACL_GROUPS 256
921 
922 /* Current thread is doing open(O_RDONLY | O_TRUNC) ? */
923 #define CCS_OPEN_FOR_READ_TRUNCATE        1
924 /* Current thread is doing open(3) ? */
925 #define CCS_OPEN_FOR_IOCTL_ONLY           2
926 /* Current thread is doing do_execve() ? */
927 #define CCS_TASK_IS_IN_EXECVE             4
928 /* Current thread is running as an execute handler program? */
929 #define CCS_TASK_IS_EXECUTE_HANDLER       8
930 /* Current thread is allowed to modify policy via /proc/ccs/ interface? */
931 #define CCS_TASK_IS_MANAGER              16
932 
933 /*
934  * Retry this request. Returned by ccs_supervisor() if policy violation has
935  * occurred in enforcing mode and the userspace daemon decided to retry.
936  *
937  * We must choose a positive value in order to distinguish "granted" (which is
938  * 0) and "rejected" (which is a negative value) and "retry".
939  */
940 #define CCS_RETRY_REQUEST 1
941 
942 /* The gfp flags used by TOMOYO. */
943 #define CCS_GFP_FLAGS GFP_NOFS
944 
945 /* Size of read buffer for /proc/ccs/ interface. */
946 #define CCS_MAX_IO_READ_QUEUE 64
947 
948 /* Structure definition for internal use. */
949 
950 /* Common header for holding ACL entries. */
951 struct ccs_acl_head {
952         struct list_head list;
953         s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
954 } __packed;
955 
956 /* Common header for shared entries. */
957 struct ccs_shared_acl_head {
958         struct list_head list;
959         atomic_t users;
960 } __packed;
961 
962 /* Common header for individual entries. */
963 struct ccs_acl_info {
964         struct list_head list;
965         struct ccs_condition *cond; /* Maybe NULL. */
966         s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
967         u8 type; /* One of values in "enum ccs_acl_entry_type_index". */
968         u16 perm;
969 } __packed;
970 
971 /* Structure for holding a word. */
972 struct ccs_name_union {
973         /* Either @filename or @group is NULL. */
974         const struct ccs_path_info *filename;
975         struct ccs_group *group;
976 };
977 
978 /* Structure for holding a number. */
979 struct ccs_number_union {
980         unsigned long values[2];
981         struct ccs_group *group; /* Maybe NULL. */
982         /* One of values in "enum ccs_value_type". */
983         u8 value_type[2];
984 };
985 
986 /* Structure for holding an IP address. */
987 struct ccs_ipaddr_union {
988         struct in6_addr ip[2]; /* Big endian. */
989         struct ccs_group *group; /* Pointer to address group. */
990         bool is_ipv6; /* Valid only if @group == NULL. */
991 };
992 
993 /* Structure for "path_group"/"number_group"/"address_group" directive. */
994 struct ccs_group {
995         struct ccs_shared_acl_head head;
996         /* Name of group (without leading '@'). */
997         const struct ccs_path_info *group_name;
998         /*
999          * List of "struct ccs_path_group" or "struct ccs_number_group" or
1000          * "struct ccs_address_group".
1001          */
1002         struct list_head member_list;
1003 };
1004 
1005 /* Structure for "path_group" directive. */
1006 struct ccs_path_group {
1007         struct ccs_acl_head head;
1008         const struct ccs_path_info *member_name;
1009 };
1010 
1011 /* Structure for "number_group" directive. */
1012 struct ccs_number_group {
1013         struct ccs_acl_head head;
1014         struct ccs_number_union number;
1015 };
1016 
1017 /* Structure for "address_group" directive. */
1018 struct ccs_address_group {
1019         struct ccs_acl_head head;
1020         /* Structure for holding an IP address. */
1021         struct ccs_ipaddr_union address;
1022 };
1023 
1024 /* Subset of "struct stat". Used by conditional ACL and audit logs. */
1025 struct ccs_mini_stat {
1026 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
1027         kuid_t uid;
1028         kgid_t gid;
1029 #else
1030         uid_t uid;
1031         gid_t gid;
1032 #endif
1033         ino_t ino;
1034         umode_t mode;
1035         dev_t dev;
1036         dev_t rdev;
1037 };
1038 
1039 /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */
1040 struct ccs_page_dump {
1041         struct page *page;    /* Previously dumped page. */
1042         char *data;           /* Contents of "page". Size is PAGE_SIZE. */
1043 };
1044 
1045 /* Structure for attribute checks in addition to pathname checks. */
1046 struct ccs_obj_info {
1047         /* True if ccs_get_attributes() was already called, false otherwise. */
1048         bool validate_done;
1049         /* True if @stat[] is valid. */
1050         bool stat_valid[CCS_MAX_PATH_STAT];
1051         /* First pathname. Initialized with { NULL, NULL } if no path. */
1052         struct path path1;
1053         /* Second pathname. Initialized with { NULL, NULL } if no path. */
1054         struct path path2;
1055         /*
1056          * Information on @path1, @path1's parent directory, @path2, @path2's
1057          * parent directory.
1058          */
1059         struct ccs_mini_stat stat[CCS_MAX_PATH_STAT];
1060         /*
1061          * Content of symbolic link to be created. NULL for operations other
1062          * than symlink().
1063          */
1064         struct ccs_path_info *symlink_target;
1065 };
1066 
1067 /* Structure for entries which follows "struct ccs_condition". */
1068 struct ccs_condition_element {
1069         /*
1070          * Left hand operand. A "struct ccs_argv" for CCS_ARGV_ENTRY, a
1071          * "struct ccs_envp" for CCS_ENVP_ENTRY is attached to the tail
1072          * of the array of this struct.
1073          */
1074         u8 left;
1075         /*
1076          * Right hand operand. A "struct ccs_number_union" for
1077          * CCS_NUMBER_UNION, a "struct ccs_name_union" for CCS_NAME_UNION is
1078          * attached to the tail of the array of this struct.
1079          */
1080         u8 right;
1081         /* Equation operator. True if equals or overlaps, false otherwise. */
1082         bool equals;
1083 };
1084 
1085 /* Structure for optional arguments. */
1086 struct ccs_condition {
1087         struct ccs_shared_acl_head head;
1088         u32 size; /* Memory size allocated for this entry. */
1089         u16 condc; /* Number of conditions in this struct. */
1090         u16 numbers_count; /* Number of "struct ccs_number_union values". */
1091         u16 names_count; /* Number of "struct ccs_name_union names". */
1092         u16 argc; /* Number of "struct ccs_argv". */
1093         u16 envc; /* Number of "struct ccs_envp". */
1094         u8 grant_log; /* One of values in "enum ccs_grant_log". */
1095         bool exec_transit; /* True if transit is for "file execute". */
1096         const struct ccs_path_info *transit; /* Maybe NULL. */
1097         /*
1098          * struct ccs_condition_element condition[condc];
1099          * struct ccs_number_union values[numbers_count];
1100          * struct ccs_name_union names[names_count];
1101          * struct ccs_argv argv[argc];
1102          * struct ccs_envp envp[envc];
1103          */
1104 };
1105 
1106 struct ccs_execve;
1107 struct ccs_policy_namespace;
1108 
1109 /* Structure for request info. */
1110 struct ccs_request_info {
1111         /*
1112          * For holding parameters specific to operations which deal files.
1113          * NULL if not dealing files.
1114          */
1115         struct ccs_obj_info *obj;
1116         /*
1117          * For holding parameters specific to execve() request.
1118          * NULL if not dealing do_execve().
1119          */
1120         struct ccs_execve *ee;
1121         /*
1122          * For holding parameters.
1123          * Pointers in this union are not NULL except path->matched_path.
1124          */
1125         union {
1126                 struct {
1127                         const struct ccs_path_info *filename;
1128                         /*
1129                          * For using wildcards at ccs_find_next_domain().
1130                          *
1131                          * The matched_acl cannot be used because it may refer
1132                          * a "struct ccs_path_acl" with ->is_group == true.
1133                          * We want to use exact "struct ccs_path_info" rather
1134                          * than "struct ccs_path_acl".
1135                          */
1136                         const struct ccs_path_info *matched_path;
1137                         /* One of values in "enum ccs_path_acl_index". */
1138                         u8 operation;
1139                 } path;
1140                 struct {
1141                         const struct ccs_path_info *filename1;
1142                         const struct ccs_path_info *filename2;
1143                         /* One of values in "enum ccs_path2_acl_index". */
1144                         u8 operation;
1145                 } path2;
1146                 struct {
1147                         const struct ccs_path_info *filename;
1148                         unsigned int mode;
1149                         unsigned int major;
1150                         unsigned int minor;
1151                         /* One of values in "enum ccs_mkdev_acl_index". */
1152                         u8 operation;
1153                 } mkdev;
1154                 struct {
1155                         const struct ccs_path_info *filename;
1156                         unsigned long number;
1157                         /*
1158                          * One of values in "enum ccs_path_number_acl_index".
1159                          */
1160                         u8 operation;
1161                 } path_number;
1162 #ifdef CONFIG_CCSECURITY_NETWORK
1163                 struct {
1164                         const u32 *address; /* Big endian. */
1165                         u16 port; /* Host endian. */
1166                         /* One of values smaller than CCS_SOCK_MAX. */
1167                         u8 protocol;
1168                         /* One of values in "enum ccs_network_acl_index". */
1169                         u8 operation;
1170                         bool is_ipv6;
1171                 } inet_network;
1172                 struct {
1173                         const struct ccs_path_info *address;
1174                         /* One of values smaller than CCS_SOCK_MAX. */
1175                         u8 protocol;
1176                         /* One of values in "enum ccs_network_acl_index". */
1177                         u8 operation;
1178                 } unix_network;
1179 #endif
1180 #ifdef CONFIG_CCSECURITY_MISC
1181                 struct {
1182                         const struct ccs_path_info *name;
1183                 } environ;
1184 #endif
1185 #ifdef CONFIG_CCSECURITY_CAPABILITY
1186                 struct {
1187                         /* One of values in "enum ccs_capability_acl_index". */
1188                         u8 operation;
1189                 } capability;
1190 #endif
1191 #ifdef CONFIG_CCSECURITY_IPC
1192                 struct {
1193                         const char *dest_pattern;
1194                         int sig;
1195                 } signal;
1196 #endif
1197                 struct {
1198                         const struct ccs_path_info *type;
1199                         const struct ccs_path_info *dir;
1200                         const struct ccs_path_info *dev;
1201                         unsigned long flags;
1202                         int need_dev;
1203                 } mount;
1204 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
1205                 struct {
1206                         const struct ccs_path_info *domainname;
1207                 } task;
1208 #endif
1209         } param;
1210         /*
1211          * For updating current->ccs_domain_info at ccs_update_task_domain().
1212          * Initialized to NULL at ccs_init_request_info().
1213          * Matching "struct ccs_acl_info" is copied if access request was
1214          * granted. Re-initialized to NULL at ccs_update_task_domain().
1215          */
1216         struct ccs_acl_info *matched_acl;
1217         u8 param_type; /* One of values in "enum ccs_acl_entry_type_index". */
1218         bool granted; /* True if granted, false otherwise. */
1219         /* True if current thread should not be carried sleep penalty. */
1220         bool dont_sleep_on_enforce_error;
1221         /*
1222          * For counting number of retries made for this request.
1223          * This counter is incremented whenever ccs_supervisor() returned
1224          * CCS_RETRY_REQUEST.
1225          */
1226         u8 retry;
1227         /*
1228          * For holding profile number used for this request.
1229          * One of values between 0 and CCS_MAX_PROFILES - 1.
1230          */
1231         u8 profile;
1232         /*
1233          * For holding operation mode used for this request.
1234          * One of CCS_CONFIG_DISABLED, CCS_CONFIG_LEARNING,
1235          * CCS_CONFIG_PERMISSIVE, CCS_CONFIG_ENFORCING.
1236          */
1237         u8 mode;
1238         /*
1239          * For holding operation index used for this request.
1240          * Used by ccs_init_request_info() / ccs_get_mode() /
1241          * ccs_write_log(). One of values in "enum ccs_mac_index".
1242          */
1243         u8 type;
1244 };
1245 
1246 /* Structure for holding a token. */
1247 struct ccs_path_info {
1248         const char *name;
1249         u32 hash;          /* = full_name_hash(name, strlen(name)) */
1250         u16 total_len;     /* = strlen(name)                       */
1251         u16 const_len;     /* = ccs_const_part_length(name)        */
1252         bool is_dir;       /* = ccs_strendswith(name, "/")         */
1253         bool is_patterned; /* = const_len < total_len              */
1254 };
1255 
1256 /* Structure for execve() operation. */
1257 struct ccs_execve {
1258         struct ccs_request_info r;
1259         struct ccs_obj_info obj;
1260         struct linux_binprm *bprm;
1261         struct ccs_domain_info *previous_domain;
1262         const struct ccs_path_info *transition;
1263         /* For execute_handler */
1264         const struct ccs_path_info *handler;
1265         char *handler_path; /* = kstrdup(handler->name, CCS_GFP_FLAGS) */
1266         /* For dumping argv[] and envp[]. */
1267         struct ccs_page_dump dump;
1268         /* For temporary use. */
1269         char *tmp; /* Size is CCS_EXEC_TMPSIZE bytes */
1270 };
1271 
1272 /* Structure for domain information. */
1273 struct ccs_domain_info {
1274         struct list_head list;
1275         struct list_head acl_info_list;
1276         /* Name of this domain. Never NULL.          */
1277         const struct ccs_path_info *domainname;
1278         /* Namespace for this domain. Never NULL. */
1279         struct ccs_policy_namespace *ns;
1280         /* Group numbers to use. */
1281         unsigned long group[CCS_MAX_ACL_GROUPS / BITS_PER_LONG];
1282         u8 profile;        /* Profile number to use. */
1283         bool is_deleted;   /* Delete flag.           */
1284         bool flags[CCS_MAX_DOMAIN_INFO_FLAGS];
1285 };
1286 
1287 /*
1288  * Structure for "reset_domain"/"no_reset_domain"/"initialize_domain"/
1289  * "no_initialize_domain"/"keep_domain"/"no_keep_domain" keyword.
1290  */
1291 struct ccs_transition_control {
1292         struct ccs_acl_head head;
1293         u8 type; /* One of values in "enum ccs_transition_type" */
1294         bool is_last_name; /* True if the domainname is ccs_last_word(). */
1295         const struct ccs_path_info *domainname; /* Maybe NULL */
1296         const struct ccs_path_info *program;    /* Maybe NULL */
1297 };
1298 
1299 /* Structure for "aggregator" keyword. */
1300 struct ccs_aggregator {
1301         struct ccs_acl_head head;
1302         const struct ccs_path_info *original_name;
1303         const struct ccs_path_info *aggregated_name;
1304 };
1305 
1306 /* Structure for "deny_autobind" keyword. */
1307 struct ccs_reserved {
1308         struct ccs_acl_head head;
1309         struct ccs_number_union port;
1310 };
1311 
1312 /* Structure for policy manager. */
1313 struct ccs_manager {
1314         struct ccs_acl_head head;
1315         /* A path to program or a domainname. */
1316         const struct ccs_path_info *manager;
1317 };
1318 
1319 /* Structure for argv[]. */
1320 struct ccs_argv {
1321         unsigned long index;
1322         const struct ccs_path_info *value;
1323         bool is_not;
1324 };
1325 
1326 /* Structure for envp[]. */
1327 struct ccs_envp {
1328         const struct ccs_path_info *name;
1329         const struct ccs_path_info *value;
1330         bool is_not;
1331 };
1332 
1333 /*
1334  * Structure for "task auto_execute_handler" and "task denied_execute_handler"
1335  * directive.
1336  *
1337  * If "task auto_execute_handler" directive exists and the current process is
1338  * not an execute handler, all execve() requests are replaced by execve()
1339  * requests of a program specified by "task auto_execute_handler" directive.
1340  * If the current process is an execute handler, "task auto_execute_handler"
1341  * and "task denied_execute_handler" directives are ignored.
1342  * The program specified by "task execute_handler" validates execve()
1343  * parameters and executes the original execve() requests if appropriate.
1344  *
1345  * "task denied_execute_handler" directive is used only when execve() request
1346  * was rejected in enforcing mode (i.e. CONFIG::file::execute={ mode=enforcing
1347  * }). The program specified by "task denied_execute_handler" does whatever it
1348  * wants to do (e.g. silently terminate, change firewall settings, redirect the
1349  * user to honey pot etc.).
1350  */
1351 struct ccs_handler_acl {
1352         struct ccs_acl_info head;       /* type = CCS_TYPE_*_EXECUTE_HANDLER */
1353         const struct ccs_path_info *handler; /* Pointer to single pathname.  */
1354 };
1355 
1356 /*
1357  * Structure for "task auto_domain_transition" and
1358  * "task manual_domain_transition" directive.
1359  */
1360 struct ccs_task_acl {
1361         struct ccs_acl_info head; /* type = CCS_TYPE_*_TASK_ACL */
1362         /* Pointer to domainname. */
1363         const struct ccs_path_info *domainname;
1364 };
1365 
1366 /*
1367  * Structure for "file execute", "file read", "file write", "file append",
1368  * "file unlink", "file getattr", "file rmdir", "file truncate",
1369  * "file symlink", "file chroot" and "file unmount" directive.
1370  */
1371 struct ccs_path_acl {
1372         struct ccs_acl_info head; /* type = CCS_TYPE_PATH_ACL */
1373         struct ccs_name_union name;
1374 };
1375 
1376 /*
1377  * Structure for "file rename", "file link" and "file pivot_root" directive.
1378  */
1379 struct ccs_path2_acl {
1380         struct ccs_acl_info head; /* type = CCS_TYPE_PATH2_ACL */
1381         struct ccs_name_union name1;
1382         struct ccs_name_union name2;
1383 };
1384 
1385 /*
1386  * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
1387  * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
1388  */
1389 struct ccs_path_number_acl {
1390         struct ccs_acl_info head; /* type = CCS_TYPE_PATH_NUMBER_ACL */
1391         struct ccs_name_union name;
1392         struct ccs_number_union number;
1393 };
1394 
1395 /* Structure for "file mkblock" and "file mkchar" directive. */
1396 struct ccs_mkdev_acl {
1397         struct ccs_acl_info head; /* type = CCS_TYPE_MKDEV_ACL */
1398         struct ccs_name_union name;
1399         struct ccs_number_union mode;
1400         struct ccs_number_union major;
1401         struct ccs_number_union minor;
1402 };
1403 
1404 /* Structure for "file mount" directive. */
1405 struct ccs_mount_acl {
1406         struct ccs_acl_info head; /* type = CCS_TYPE_MOUNT_ACL */
1407         struct ccs_name_union dev_name;
1408         struct ccs_name_union dir_name;
1409         struct ccs_name_union fs_type;
1410         struct ccs_number_union flags;
1411 };
1412 
1413 /* Structure for "misc env" directive in domain policy. */
1414 struct ccs_env_acl {
1415         struct ccs_acl_info head;        /* type = CCS_TYPE_ENV_ACL  */
1416         const struct ccs_path_info *env; /* environment variable */
1417 };
1418 
1419 /* Structure for "capability" directive. */
1420 struct ccs_capability_acl {
1421         struct ccs_acl_info head; /* type = CCS_TYPE_CAPABILITY_ACL */
1422         u8 operation; /* One of values in "enum ccs_capability_acl_index". */
1423 };
1424 
1425 /* Structure for "ipc signal" directive. */
1426 struct ccs_signal_acl {
1427         struct ccs_acl_info head; /* type = CCS_TYPE_SIGNAL_ACL */
1428         struct ccs_number_union sig;
1429         /* Pointer to destination pattern. */
1430         const struct ccs_path_info *domainname;
1431 };
1432 
1433 /* Structure for "network inet" directive. */
1434 struct ccs_inet_acl {
1435         struct ccs_acl_info head; /* type = CCS_TYPE_INET_ACL */
1436         u8 protocol;
1437         struct ccs_ipaddr_union address;
1438         struct ccs_number_union port;
1439 };
1440 
1441 /* Structure for "network unix" directive. */
1442 struct ccs_unix_acl {
1443         struct ccs_acl_info head; /* type = CCS_TYPE_UNIX_ACL */
1444         u8 protocol;
1445         struct ccs_name_union name;
1446 };
1447 
1448 /* Structure for holding string data. */
1449 struct ccs_name {
1450         struct ccs_shared_acl_head head;
1451         int size; /* Memory size allocated for this entry. */
1452         struct ccs_path_info entry;
1453 };
1454 
1455 /* Structure for holding a line from /proc/ccs/ interface. */
1456 struct ccs_acl_param {
1457         char *data; /* Unprocessed data. */
1458         struct list_head *list; /* List to add or remove. */
1459         struct ccs_policy_namespace *ns; /* Namespace to use. */
1460         bool is_delete; /* True if it is a delete request. */
1461         union ccs_acl_union {
1462                 struct ccs_acl_info acl_info;
1463                 struct ccs_handler_acl handler_acl;
1464                 struct ccs_task_acl task_acl;
1465                 struct ccs_path_acl path_acl;
1466                 struct ccs_path2_acl path2_acl;
1467                 struct ccs_path_number_acl path_number_acl;
1468                 struct ccs_mkdev_acl mkdev_acl;
1469                 struct ccs_mount_acl mount_acl;
1470                 struct ccs_env_acl env_acl;
1471                 struct ccs_capability_acl capability_acl;
1472                 struct ccs_signal_acl signal_acl;
1473                 struct ccs_inet_acl inet_acl;
1474                 struct ccs_unix_acl unix_acl;
1475                 /**/
1476                 struct ccs_acl_head acl_head;
1477                 struct ccs_transition_control transition_control;
1478                 struct ccs_aggregator aggregator;
1479                 struct ccs_reserved reserved;
1480                 struct ccs_manager manager;
1481                 struct ccs_path_group path_group;
1482                 struct ccs_number_group number_group;
1483                 struct ccs_address_group address_group;
1484         } e;
1485 };
1486 
1487 /* Structure for reading/writing policy via /proc/ccs/ interfaces. */
1488 struct ccs_io_buffer {
1489         /* Exclusive lock for this structure.   */
1490         struct mutex io_sem;
1491         char __user *read_user_buf;
1492         size_t read_user_buf_avail;
1493         struct {
1494                 struct list_head *ns;
1495                 struct list_head *domain;
1496                 struct list_head *group;
1497                 struct list_head *acl;
1498                 size_t avail;
1499                 unsigned int step;
1500                 unsigned int query_index;
1501                 u16 index;
1502                 u16 cond_index;
1503                 u8 acl_group_index;
1504                 u8 cond_step;
1505                 u8 bit;
1506                 u8 w_pos;
1507                 bool eof;
1508                 bool print_this_domain_only;
1509                 bool print_transition_related_only;
1510                 bool print_cond_part;
1511                 const char *w[CCS_MAX_IO_READ_QUEUE];
1512         } r;
1513         struct {
1514                 struct ccs_policy_namespace *ns;
1515                 struct ccs_domain_info *domain;
1516                 size_t avail;
1517                 bool is_delete;
1518         } w;
1519         /* Buffer for reading.                  */
1520         char *read_buf;
1521         /* Size of read buffer.                 */
1522         size_t readbuf_size;
1523         /* Buffer for writing.                  */
1524         char *write_buf;
1525         /* Size of write buffer.                */
1526         size_t writebuf_size;
1527         /* Type of interface. */
1528         enum ccs_proc_interface_index type;
1529         /* Users counter protected by ccs_io_buffer_list_lock. */
1530         u8 users;
1531         /* List for telling GC not to kfree() elements. */
1532         struct list_head list;
1533 };
1534 
1535 /* Structure for /proc/ccs/profile interface. */
1536 struct ccs_profile {
1537         const struct ccs_path_info *comment;
1538         u8 default_config;
1539         u8 config[CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX];
1540         unsigned int pref[CCS_MAX_PREF];
1541 };
1542 
1543 /* Structure for representing YYYY/MM/DD hh/mm/ss. */
1544 struct ccs_time {
1545         u16 year;
1546         u8 month;
1547         u8 day;
1548         u8 hour;
1549         u8 min;
1550         u8 sec;
1551 };
1552 
1553 /* Structure for policy namespace. */
1554 struct ccs_policy_namespace {
1555         /* Profile table. Memory is allocated as needed. */
1556         struct ccs_profile *profile_ptr[CCS_MAX_PROFILES];
1557         /* List of "struct ccs_group". */
1558         struct list_head group_list[CCS_MAX_GROUP];
1559         /* List of policy. */
1560         struct list_head policy_list[CCS_MAX_POLICY];
1561         /* The global ACL referred by "use_group" keyword. */
1562         struct list_head acl_group[CCS_MAX_ACL_GROUPS];
1563         /* List for connecting to ccs_namespace_list list. */
1564         struct list_head namespace_list;
1565         /* Profile version. Currently only 20150505 is supported. */
1566         unsigned int profile_version;
1567         /* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */
1568         const char *name;
1569 };
1570 
1571 /* Prototype definition for "struct ccsecurity_operations". */
1572 
1573 void __init ccs_permission_init(void);
1574 void __init ccs_mm_init(void);
1575 
1576 /* Prototype definition for internal use. */
1577 
1578 bool ccs_dump_page(struct linux_binprm *bprm, unsigned long pos,
1579                    struct ccs_page_dump *dump);
1580 bool ccs_memory_ok(const void *ptr, const unsigned int size);
1581 char *ccs_encode(const char *str);
1582 char *ccs_encode2(const char *str, int str_len);
1583 char *ccs_realpath(const struct path *path);
1584 const char *ccs_get_exe(void);
1585 const struct ccs_path_info *ccs_get_name(const char *name);
1586 int ccs_audit_log(struct ccs_request_info *r);
1587 int ccs_check_acl(struct ccs_request_info *r);
1588 int ccs_init_request_info(struct ccs_request_info *r, const u8 index);
1589 struct ccs_domain_info *ccs_assign_domain(const char *domainname,
1590                                           const bool transit);
1591 u8 ccs_get_config(const u8 profile, const u8 index);
1592 void *ccs_commit_ok(void *data, const unsigned int size);
1593 void ccs_del_acl(struct list_head *element);
1594 void ccs_del_condition(struct list_head *element);
1595 void ccs_fill_path_info(struct ccs_path_info *ptr);
1596 void ccs_get_attributes(struct ccs_obj_info *obj);
1597 void ccs_notify_gc(struct ccs_io_buffer *head, const bool is_register);
1598 void ccs_transition_failed(const char *domainname);
1599 void ccs_warn_oom(const char *function);
1600 void ccs_write_log(struct ccs_request_info *r, const char *fmt, ...)
1601         __printf(2, 3);
1602 
1603 /* Variable definition for internal use. */
1604 
1605 extern bool ccs_policy_loaded;
1606 extern const char * const ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS];
1607 extern const u8 ccs_c2mac[CCS_MAX_CAPABILITY_INDEX];
1608 extern const u8 ccs_pn2mac[CCS_MAX_PATH_NUMBER_OPERATION];
1609 extern const u8 ccs_pnnn2mac[CCS_MAX_MKDEV_OPERATION];
1610 extern const u8 ccs_pp2mac[CCS_MAX_PATH2_OPERATION];
1611 extern struct ccs_domain_info ccs_kernel_domain;
1612 extern struct list_head ccs_condition_list;
1613 extern struct list_head ccs_domain_list;
1614 extern struct list_head ccs_name_list[CCS_MAX_HASH];
1615 extern struct list_head ccs_namespace_list;
1616 extern struct mutex ccs_policy_lock;
1617 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1618 extern struct srcu_struct ccs_ss;
1619 #endif
1620 extern unsigned int ccs_memory_quota[CCS_MAX_MEMORY_STAT];
1621 extern unsigned int ccs_memory_used[CCS_MAX_MEMORY_STAT];
1622 
1623 /* Inlined functions for internal use. */
1624 
1625 /**
1626  * ccs_pathcmp - strcmp() for "struct ccs_path_info" structure.
1627  *
1628  * @a: Pointer to "struct ccs_path_info".
1629  * @b: Pointer to "struct ccs_path_info".
1630  *
1631  * Returns true if @a != @b, false otherwise.
1632  */
1633 static inline bool ccs_pathcmp(const struct ccs_path_info *a,
1634                                const struct ccs_path_info *b)
1635 {
1636         return a->hash != b->hash || strcmp(a->name, b->name);
1637 }
1638 
1639 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1640 
1641 /**
1642  * ccs_read_lock - Take lock for protecting policy.
1643  *
1644  * Returns index number for ccs_read_unlock().
1645  */
1646 static inline int ccs_read_lock(void)
1647 {
1648         return srcu_read_lock(&ccs_ss);
1649 }
1650 
1651 /**
1652  * ccs_read_unlock - Release lock for protecting policy.
1653  *
1654  * @idx: Index number returned by ccs_read_lock().
1655  *
1656  * Returns nothing.
1657  */
1658 static inline void ccs_read_unlock(const int idx)
1659 {
1660         srcu_read_unlock(&ccs_ss, idx);
1661 }
1662 
1663 #else
1664 
1665 int ccs_lock(void);
1666 void ccs_unlock(const int idx);
1667 
1668 /**
1669  * ccs_read_lock - Take lock for protecting policy.
1670  *
1671  * Returns index number for ccs_read_unlock().
1672  */
1673 static inline int ccs_read_lock(void)
1674 {
1675         return ccs_lock();
1676 }
1677 
1678 /**
1679  * ccs_read_unlock - Release lock for protecting policy.
1680  *
1681  * @idx: Index number returned by ccs_read_lock().
1682  *
1683  * Returns nothing.
1684  */
1685 static inline void ccs_read_unlock(const int idx)
1686 {
1687         ccs_unlock(idx);
1688 }
1689 
1690 #endif
1691 
1692 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
1693 
1694 /**
1695  * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1696  *
1697  * Returns nothing.
1698  */
1699 static inline void ccs_tasklist_lock(void)
1700 {
1701         rcu_read_lock();
1702 }
1703 
1704 /**
1705  * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1706  *
1707  * Returns nothing.
1708  */
1709 static inline void ccs_tasklist_unlock(void)
1710 {
1711         rcu_read_unlock();
1712 }
1713 
1714 #else
1715 
1716 /**
1717  * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1718  *
1719  * Returns nothing.
1720  */
1721 static inline void ccs_tasklist_lock(void)
1722 {
1723         read_lock(&tasklist_lock);
1724 }
1725 
1726 /**
1727  * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1728  *
1729  * Returns nothing.
1730  */
1731 static inline void ccs_tasklist_unlock(void)
1732 {
1733         read_unlock(&tasklist_lock);
1734 }
1735 
1736 #endif
1737 
1738 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1739 
1740 /**
1741  * ccs_sys_getppid - Copy of getppid().
1742  *
1743  * Returns parent process's PID.
1744  *
1745  * Alpha does not have getppid() defined. To be able to build this module on
1746  * Alpha, I have to copy getppid() from kernel/timer.c.
1747  */
1748 static inline pid_t ccs_sys_getppid(void)
1749 {
1750         pid_t pid;
1751         rcu_read_lock();
1752         pid = task_tgid_vnr(rcu_dereference(current->real_parent));
1753         rcu_read_unlock();
1754         return pid;
1755 }
1756 
1757 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
1758 
1759 /**
1760  * ccs_sys_getppid - Copy of getppid().
1761  *
1762  * Returns parent process's PID.
1763  *
1764  * This function was rewritten to use RCU in 2.6.16.34. However, distributors
1765  * which use earlier kernels (e.g. 2.6.8/2.6.9) did not backport the bugfix.
1766  * Therefore, I'm using code for 2.6.16.34 for earlier kernels.
1767  */
1768 static inline pid_t ccs_sys_getppid(void)
1769 {
1770         pid_t pid;
1771         rcu_read_lock();
1772 #if (defined(RHEL_MAJOR) && RHEL_MAJOR == 5) || (defined(AX_MAJOR) && AX_MAJOR == 3)
1773         pid = rcu_dereference(current->parent)->tgid;
1774 #elif defined(CONFIG_UTRACE)
1775         /*
1776          * RHEL 5.0 kernel does not have RHEL_MAJOR/RHEL_MINOR defined.
1777          * Assume RHEL 5.0 if CONFIG_UTRACE is defined.
1778          */
1779         pid = rcu_dereference(current->parent)->tgid;
1780 #else
1781         pid = rcu_dereference(current->real_parent)->tgid;
1782 #endif
1783         rcu_read_unlock();
1784         return pid;
1785 }
1786 
1787 #else
1788 
1789 /**
1790  * ccs_sys_getppid - Copy of getppid().
1791  *
1792  * Returns parent process's PID.
1793  *
1794  * I can't use code for 2.6.16.34 for 2.4 kernels because 2.4 kernels does not
1795  * have RCU. Therefore, I'm using pessimistic lock (i.e. tasklist_lock
1796  * spinlock).
1797  */
1798 static inline pid_t ccs_sys_getppid(void)
1799 {
1800         pid_t pid;
1801         read_lock(&tasklist_lock);
1802 #ifdef TASK_DEAD
1803         pid = current->group_leader->real_parent->tgid;
1804 #else
1805         pid = current->p_opptr->pid;
1806 #endif
1807         read_unlock(&tasklist_lock);
1808         return pid;
1809 }
1810 
1811 #endif
1812 
1813 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1814 
1815 /**
1816  * ccs_sys_getpid - Copy of getpid().
1817  *
1818  * Returns current thread's PID.
1819  *
1820  * Alpha does not have getpid() defined. To be able to build this module on
1821  * Alpha, I have to copy getpid() from kernel/timer.c.
1822  */
1823 static inline pid_t ccs_sys_getpid(void)
1824 {
1825         return task_tgid_vnr(current);
1826 }
1827 
1828 #else
1829 
1830 /**
1831  * ccs_sys_getpid - Copy of getpid().
1832  *
1833  * Returns current thread's PID.
1834  */
1835 static inline pid_t ccs_sys_getpid(void)
1836 {
1837         return current->tgid;
1838 }
1839 
1840 #endif
1841 
1842 /**
1843  * ccs_get_mode - Get mode for specified functionality.
1844  *
1845  * @profile: Profile number.
1846  * @index:   Functionality number.
1847  *
1848  * Returns mode.
1849  */
1850 static inline u8 ccs_get_mode(const u8 profile, const u8 index)
1851 {
1852         return ccs_get_config(profile, index) & (CCS_CONFIG_MAX_MODE - 1);
1853 }
1854 
1855 #if defined(CONFIG_SLOB)
1856 
1857 /**
1858  * ccs_round2 - Round up to power of 2 for calculating memory usage.
1859  *
1860  * @size: Size to be rounded up.
1861  *
1862  * Returns @size.
1863  *
1864  * Since SLOB does not round up, this function simply returns @size.
1865  */
1866 static inline int ccs_round2(size_t size)
1867 {
1868         return size;
1869 }
1870 
1871 #else
1872 
1873 /**
1874  * ccs_round2 - Round up to power of 2 for calculating memory usage.
1875  *
1876  * @size: Size to be rounded up.
1877  *
1878  * Returns rounded size.
1879  *
1880  * Strictly speaking, SLAB may be able to allocate (e.g.) 96 bytes instead of
1881  * (e.g.) 128 bytes.
1882  */
1883 static inline int ccs_round2(size_t size)
1884 {
1885 #if PAGE_SIZE == 4096
1886         size_t bsize = 32;
1887 #else
1888         size_t bsize = 64;
1889 #endif
1890         if (!size)
1891                 return 0;
1892         while (size > bsize)
1893                 bsize <<= 1;
1894         return bsize;
1895 }
1896 
1897 #endif
1898 
1899 /**
1900  * ccs_put_condition - Drop reference on "struct ccs_condition".
1901  *
1902  * @cond: Pointer to "struct ccs_condition". Maybe NULL.
1903  *
1904  * Returns nothing.
1905  */
1906 static inline void ccs_put_condition(struct ccs_condition *cond)
1907 {
1908         if (cond)
1909                 atomic_dec(&cond->head.users);
1910 }
1911 
1912 /**
1913  * ccs_put_group - Drop reference on "struct ccs_group".
1914  *
1915  * @group: Pointer to "struct ccs_group". Maybe NULL.
1916  *
1917  * Returns nothing.
1918  */
1919 static inline void ccs_put_group(struct ccs_group *group)
1920 {
1921         if (group)
1922                 atomic_dec(&group->head.users);
1923 }
1924 
1925 /**
1926  * ccs_put_name - Drop reference on "struct ccs_name".
1927  *
1928  * @name: Pointer to "struct ccs_path_info". Maybe NULL.
1929  *
1930  * Returns nothing.
1931  */
1932 static inline void ccs_put_name(const struct ccs_path_info *name)
1933 {
1934         if (name)
1935                 atomic_dec(&container_of(name, struct ccs_name, entry)->
1936                            head.users);
1937 }
1938 
1939 /* For importing variables and functions. */
1940 extern struct ccsecurity_exports ccsecurity_exports;
1941 
1942 #ifdef CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY
1943 
1944 /*
1945  * Structure for holding "struct ccs_domain_info *" and "struct ccs_execve *"
1946  * and "u32 ccs_flags" for each "struct task_struct".
1947  *
1948  * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
1949  * are maintained outside that "struct task_struct". Therefore, ccs_security
1950  * != task_struct . This keeps KABI for distributor's prebuilt kernels but
1951  * entails slow access.
1952  *
1953  * Memory for this structure is allocated when current thread tries to access
1954  * it. Therefore, if memory allocation failed, current thread will be killed by
1955  * SIGKILL. Note that if current->pid == 1, sending SIGKILL won't work.
1956  */
1957 struct ccs_security {
1958         struct list_head list;
1959 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 29)
1960         const struct task_struct *task;
1961 #else
1962         struct pid *pid; /* Maybe NULL. */
1963         const struct cred *cred; /* Maybe NULL. */
1964 #endif
1965         struct ccs_domain_info *ccs_domain_info;
1966         u32 ccs_flags;
1967         struct ccs_execve *ee; /* Maybe NULL. */
1968         struct rcu_head rcu;
1969 };
1970 
1971 void __init ccs_main_init(void);
1972 bool ccs_used_by_cred(const struct ccs_domain_info *domain);
1973 int ccs_start_execve(struct linux_binprm *bprm, struct ccs_execve **eep);
1974 void ccs_finish_execve(int retval, struct ccs_execve *ee);
1975 void ccs_load_policy(const char *filename);
1976 #ifndef CONFIG_AKARI_TRACE_EXECVE_COUNT
1977 #define ccs_audit_alloc_execve(ee) do { } while (0)
1978 #define ccs_audit_free_execve(ee, is_current)   do { } while (0)
1979 #else
1980 void ccs_audit_alloc_execve(const struct ccs_execve * const ee);
1981 void ccs_audit_free_execve(const struct ccs_execve * const ee,
1982                            const bool is_current);
1983 #endif
1984 
1985 #define CCS_TASK_SECURITY_HASH_BITS 12
1986 #define CCS_MAX_TASK_SECURITY_HASH (1u << CCS_TASK_SECURITY_HASH_BITS)
1987 extern struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
1988 
1989 struct ccs_security *ccs_find_task_security(const struct task_struct *task);
1990 
1991 /**
1992  * ccs_current_security - Get "struct ccs_security" for current thread.
1993  *
1994  * Returns pointer to "struct ccs_security" for current thread.
1995  */
1996 static inline struct ccs_security *ccs_current_security(void)
1997 {
1998         return ccs_find_task_security(current);
1999 }
2000 
2001 /**
2002  * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
2003  *
2004  * @task: Pointer to "struct task_struct".
2005  *
2006  * Returns pointer to "struct ccs_security" for specified thread.
2007  */
2008 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
2009 {
2010         struct ccs_domain_info *domain;
2011         rcu_read_lock();
2012         domain = ccs_find_task_security(task)->ccs_domain_info;
2013         rcu_read_unlock();
2014         return domain;
2015 }
2016 
2017 /**
2018  * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
2019  *
2020  * Returns pointer to "struct ccs_domain_info" for current thread.
2021  */
2022 static inline struct ccs_domain_info *ccs_current_domain(void)
2023 {
2024         return ccs_find_task_security(current)->ccs_domain_info;
2025 }
2026 
2027 /**
2028  * ccs_task_flags - Get flags for specified thread.
2029  *
2030  * @task: Pointer to "struct task_struct".
2031  *
2032  * Returns flags for specified thread.
2033  */
2034 static inline u32 ccs_task_flags(struct task_struct *task)
2035 {
2036         u32 ccs_flags;
2037         rcu_read_lock();
2038         ccs_flags = ccs_find_task_security(task)->ccs_flags;
2039         rcu_read_unlock();
2040         return ccs_flags;
2041 }
2042 
2043 /**
2044  * ccs_current_flags - Get flags for current thread.
2045  *
2046  * Returns flags for current thread.
2047  */
2048 static inline u32 ccs_current_flags(void)
2049 {
2050         return ccs_find_task_security(current)->ccs_flags;
2051 }
2052 
2053 #else
2054 
2055 /*
2056  * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
2057  * are maintained inside that "struct task_struct". Therefore, ccs_security ==
2058  * task_struct . This allows fast access but breaks KABI checks for
2059  * distributor's prebuilt kernels due to changes in "struct task_struct".
2060  */
2061 #define ccs_security task_struct
2062 
2063 /**
2064  * ccs_find_task_security - Find "struct ccs_security" for given task.
2065  *
2066  * @task: Pointer to "struct task_struct".
2067  *
2068  * Returns pointer to "struct ccs_security".
2069  */
2070 static inline struct ccs_security *ccs_find_task_security(struct task_struct *
2071                                                           task)
2072 {
2073         return task;
2074 }
2075 
2076 /**
2077  * ccs_current_security - Get "struct ccs_security" for current thread.
2078  *
2079  * Returns pointer to "struct ccs_security" for current thread.
2080  */
2081 static inline struct ccs_security *ccs_current_security(void)
2082 {
2083         return ccs_find_task_security(current);
2084 }
2085 
2086 /**
2087  * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
2088  *
2089  * @task: Pointer to "struct task_struct".
2090  *
2091  * Returns pointer to "struct ccs_security" for specified thread.
2092  */
2093 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
2094 {
2095         struct ccs_domain_info *domain = task->ccs_domain_info;
2096         return domain ? domain : &ccs_kernel_domain;
2097 }
2098 
2099 /**
2100  * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
2101  *
2102  * Returns pointer to "struct ccs_domain_info" for current thread.
2103  *
2104  * If current thread does not belong to a domain (which is true for initial
2105  * init_task in order to hide ccs_kernel_domain from this module),
2106  * current thread enters into ccs_kernel_domain.
2107  */
2108 static inline struct ccs_domain_info *ccs_current_domain(void)
2109 {
2110         struct task_struct *task = current;
2111         if (!task->ccs_domain_info)
2112                 task->ccs_domain_info = &ccs_kernel_domain;
2113         return task->ccs_domain_info;
2114 }
2115 
2116 /**
2117  * ccs_task_flags - Get flags for specified thread.
2118  *
2119  * @task: Pointer to "struct task_struct".
2120  *
2121  * Returns flags for specified thread.
2122  */
2123 static inline u32 ccs_task_flags(struct task_struct *task)
2124 {
2125         return ccs_find_task_security(task)->ccs_flags;
2126 }
2127 
2128 /**
2129  * ccs_current_flags - Get flags for current thread.
2130  *
2131  * Returns flags for current thread.
2132  */
2133 static inline u32 ccs_current_flags(void)
2134 {
2135         return ccs_find_task_security(current)->ccs_flags;
2136 }
2137 
2138 #endif
2139 
2140 /**
2141  * ccs_current_namespace - Get "struct ccs_policy_namespace" for current thread.
2142  *
2143  * Returns pointer to "struct ccs_policy_namespace" for current thread.
2144  */
2145 static inline struct ccs_policy_namespace *ccs_current_namespace(void)
2146 {
2147         return ccs_current_domain()->ns;
2148 }
2149 
2150 #endif
2151 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp