~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/akari/lsm-4.2.c

Version: ~ [ linux-5.2 ] ~ [ linux-5.1.16 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.57 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.132 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.184 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.184 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.69 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * lsm.c
  3  *
  4  * Copyright (C) 2010-2015  Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
  5  *
  6  * Version: 1.0.35   2015/11/11
  7  */
  8 
  9 #include "internal.h"
 10 #include "probe.h"
 11 
 12 /* Prototype definition. */
 13 static void ccs_task_security_gc(void);
 14 static int ccs_copy_cred_security(const struct cred *new,
 15                                   const struct cred *old, gfp_t gfp);
 16 static struct ccs_security *ccs_find_cred_security(const struct cred *cred);
 17 static DEFINE_SPINLOCK(ccs_task_security_list_lock);
 18 static atomic_t ccs_in_execve_tasks = ATOMIC_INIT(0);
 19 /*
 20  * List of "struct ccs_security" for "struct pid".
 21  *
 22  * All instances on this list is guaranteed that "struct ccs_security"->pid !=
 23  * NULL. Also, instances on this list that are in execve() are guaranteed that
 24  * "struct ccs_security"->cred remembers "struct linux_binprm"->cred with a
 25  * refcount on "struct linux_binprm"->cred.
 26  */
 27 struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
 28 /*
 29  * List of "struct ccs_security" for "struct cred".
 30  *
 31  * Since the number of "struct cred" is nearly equals to the number of
 32  * "struct pid", we allocate hash tables like ccs_task_security_list.
 33  *
 34  * All instances on this list are guaranteed that "struct ccs_security"->pid ==
 35  * NULL and "struct ccs_security"->cred != NULL.
 36  */
 37 static struct list_head ccs_cred_security_list[CCS_MAX_TASK_SECURITY_HASH];
 38 
 39 /* Dummy security context for avoiding NULL pointer dereference. */
 40 static struct ccs_security ccs_oom_security = {
 41         .ccs_domain_info = &ccs_kernel_domain
 42 };
 43 
 44 /* Dummy security context for avoiding NULL pointer dereference. */
 45 static struct ccs_security ccs_default_security = {
 46         .ccs_domain_info = &ccs_kernel_domain
 47 };
 48 
 49 /* For exporting variables and functions. */
 50 struct ccsecurity_exports ccsecurity_exports;
 51 /* Members are updated by loadable kernel module. */
 52 struct ccsecurity_operations ccsecurity_ops;
 53 
 54 /* Original hooks. */
 55 static union security_list_options original_cred_prepare;
 56 static union security_list_options original_cred_free;
 57 static union security_list_options original_cred_alloc_blank;
 58 
 59 #ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT
 60 
 61 /**
 62  * ccs_update_ee_counter - Update "struct ccs_execve" counter.
 63  *
 64  * @count: Count to increment or decrement.
 65  *
 66  * Returns updated counter.
 67  */
 68 static unsigned int ccs_update_ee_counter(int count)
 69 {
 70         /* Debug counter for detecting "struct ccs_execve" memory leak. */
 71         static atomic_t ccs_ee_counter = ATOMIC_INIT(0);
 72         return atomic_add_return(count, &ccs_ee_counter);
 73 }
 74 
 75 /**
 76  * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve".
 77  *
 78  * @ee: Pointer to "struct ccs_execve".
 79  *
 80  * Returns nothing.
 81  */
 82 void ccs_audit_alloc_execve(const struct ccs_execve * const ee)
 83 {
 84         printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee,
 85                current->pid, ccs_update_ee_counter(1) - 1);
 86 }
 87 
 88 /**
 89  * ccs_audit_free_execve - Audit release of "struct ccs_execve".
 90  *
 91  * @ee:   Pointer to "struct ccs_execve".
 92  * @task: True if released by current task, false otherwise.
 93  *
 94  * Returns nothing.
 95  */
 96 void ccs_audit_free_execve(const struct ccs_execve * const ee,
 97                            const bool is_current)
 98 {
 99         const unsigned int tmp = ccs_update_ee_counter(-1);
100         if (is_current)
101                 printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n",
102                        ee, current->pid, tmp);
103         else
104                 printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n",
105                        ee, tmp);
106 }
107 
108 #endif
109 
110 #if !defined(CONFIG_AKARI_DEBUG)
111 #define ccs_debug_trace(pos) do { } while (0)
112 #else
113 #define ccs_debug_trace(pos)                                            \
114         do {                                                            \
115                 static bool done;                                       \
116                 if (!done) {                                            \
117                         printk(KERN_INFO                                \
118                                "AKARI: Debug trace: " pos " of 4\n");   \
119                         done = true;                                    \
120                 }                                                       \
121         } while (0)                                              
122 #endif
123 
124 /**
125  * ccs_clear_execve - Release memory used by do_execve().
126  *
127  * @ret:      0 if do_execve() succeeded, negative value otherwise.
128  * @security: Pointer to "struct ccs_security".
129  *
130  * Returns nothing.
131  */
132 static void ccs_clear_execve(int ret, struct ccs_security *security)
133 {
134         struct ccs_execve *ee;
135         if (security == &ccs_default_security || security == &ccs_oom_security)
136                 return;
137         ee = security->ee;
138         security->ee = NULL;
139         if (!ee)
140                 return;
141         atomic_dec(&ccs_in_execve_tasks);
142         ccs_finish_execve(ret, ee);
143 }
144 
145 /**
146  * ccs_rcu_free - RCU callback for releasing "struct ccs_security".
147  *
148  * @rcu: Pointer to "struct rcu_head".
149  *
150  * Returns nothing.
151  */
152 static void ccs_rcu_free(struct rcu_head *rcu)
153 {
154         struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu);
155         struct ccs_execve *ee = ptr->ee;
156         /*
157          * If this security context was associated with "struct pid" and
158          * ptr->ccs_flags has CCS_TASK_IS_IN_EXECVE set, it indicates that a
159          * "struct task_struct" associated with this security context exited
160          * immediately after do_execve() has failed.
161          */
162         if (ptr->pid && (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE)) {
163                 ccs_debug_trace("1");
164                 atomic_dec(&ccs_in_execve_tasks);
165         }
166         /*
167          * If this security context was associated with "struct pid",
168          * drop refcount obtained by get_pid() in ccs_find_task_security().
169          */
170         if (ptr->pid) {
171                 ccs_debug_trace("2");
172                 put_pid(ptr->pid);
173         }
174         if (ee) {
175                 ccs_debug_trace("3");
176                 ccs_audit_free_execve(ee, false);
177                 kfree(ee->handler_path);
178                 kfree(ee);
179         }
180         kfree(ptr);
181 }
182 
183 /**
184  * ccs_del_security - Release "struct ccs_security".
185  *
186  * @ptr: Pointer to "struct ccs_security".
187  *
188  * Returns nothing.
189  */
190 static void ccs_del_security(struct ccs_security *ptr)
191 {
192         unsigned long flags;
193         if (ptr == &ccs_default_security || ptr == &ccs_oom_security)
194                 return;
195         spin_lock_irqsave(&ccs_task_security_list_lock, flags);
196         list_del_rcu(&ptr->list);
197         spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
198         call_rcu(&ptr->rcu, ccs_rcu_free);
199 }
200 
201 /**
202  * ccs_add_cred_security - Add "struct ccs_security" to list.
203  *
204  * @ptr: Pointer to "struct ccs_security".
205  *
206  * Returns nothing.
207  */
208 static void ccs_add_cred_security(struct ccs_security *ptr)
209 {
210         unsigned long flags;
211         struct list_head *list = &ccs_cred_security_list
212                 [hash_ptr((void *) ptr->cred, CCS_TASK_SECURITY_HASH_BITS)];
213 #ifdef CONFIG_AKARI_DEBUG
214         if (ptr->pid)
215                 printk(KERN_INFO "AKARI: \"struct ccs_security\"->pid != NULL"
216                        "\n");
217 #endif
218         ptr->pid = NULL;
219         spin_lock_irqsave(&ccs_task_security_list_lock, flags);
220         list_add_rcu(&ptr->list, list);
221         spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
222 }
223 
224 /**
225  * ccs_task_create - Make snapshot of security context for new task.
226  *
227  * @clone_flags: Flags passed to clone().
228  *
229  * Returns 0 on success, negative value otherwise.
230  */
231 static int ccs_task_create(unsigned long clone_flags)
232 {
233         struct ccs_security *old_security;
234         struct ccs_security *new_security;
235         struct cred *cred = prepare_creds();
236         if (!cred)
237                 return -ENOMEM;
238         old_security = ccs_find_task_security(current);
239         new_security = ccs_find_cred_security(cred);
240         new_security->ccs_domain_info = old_security->ccs_domain_info;
241         new_security->ccs_flags = old_security->ccs_flags;
242         return commit_creds(cred);
243 }
244 
245 /**
246  * ccs_cred_prepare - Allocate memory for new credentials.
247  *
248  * @new: Pointer to "struct cred".
249  * @old: Pointer to "struct cred".
250  * @gfp: Memory allocation flags.
251  *
252  * Returns 0 on success, negative value otherwise.
253  */
254 static int ccs_cred_prepare(struct cred *new, const struct cred *old,
255                             gfp_t gfp)
256 {
257         int rc1;
258         /*
259          * For checking whether reverting domain transition is needed or not.
260          *
261          * See ccs_find_task_security() for reason.
262          */
263         if (gfp == GFP_KERNEL)
264                 ccs_find_task_security(current);
265         rc1 = ccs_copy_cred_security(new, old, gfp);
266         if (gfp == GFP_KERNEL)
267                 ccs_task_security_gc();
268         if (original_cred_prepare.cred_prepare) {
269                 const int rc2 = original_cred_prepare.cred_prepare(new, old,
270                                                                    gfp);
271                 if (rc2) {
272                         ccs_del_security(ccs_find_cred_security(new));
273                         return rc2;
274                 }
275         }
276         return rc1;
277 }
278 
279 /**
280  * ccs_cred_free - Release memory used by credentials.
281  *
282  * @cred: Pointer to "struct cred".
283  *
284  * Returns nothing.
285  */
286 static void ccs_cred_free(struct cred *cred)
287 {
288         if (original_cred_free.cred_free)
289                 original_cred_free.cred_free(cred);
290         ccs_del_security(ccs_find_cred_security(cred));
291 }
292 
293 /**
294  * ccs_alloc_cred_security - Allocate memory for new credentials.
295  *
296  * @cred: Pointer to "struct cred".
297  * @gfp:  Memory allocation flags.
298  *
299  * Returns 0 on success, negative value otherwise.
300  */
301 static int ccs_alloc_cred_security(const struct cred *cred, gfp_t gfp)
302 {
303         struct ccs_security *new_security = kzalloc(sizeof(*new_security),
304                                                     gfp);
305         if (!new_security)
306                 return -ENOMEM;
307         new_security->cred = cred;
308         ccs_add_cred_security(new_security);
309         return 0;
310 }
311 
312 /**
313  * ccs_cred_alloc_blank - Allocate memory for new credentials.
314  *
315  * @new: Pointer to "struct cred".
316  * @gfp: Memory allocation flags.
317  *
318  * Returns 0 on success, negative value otherwise.
319  */
320 static int ccs_cred_alloc_blank(struct cred *new, gfp_t gfp)
321 {
322         const int rc1 = ccs_alloc_cred_security(new, gfp);
323         if (original_cred_alloc_blank.cred_alloc_blank) {
324                 const int rc2 = original_cred_alloc_blank.
325                         cred_alloc_blank(new, gfp);
326                 if (rc2) {
327                         ccs_del_security(ccs_find_cred_security(new));
328                         return rc2;
329                 }
330         }
331         return rc1;
332 }
333 
334 /**
335  * ccs_cred_transfer - Transfer "struct ccs_security" between credentials.
336  *
337  * @new: Pointer to "struct cred".
338  * @old: Pointer to "struct cred".
339  *
340  * Returns nothing.
341  */
342 static void ccs_cred_transfer(struct cred *new, const struct cred *old)
343 {
344         struct ccs_security *new_security = ccs_find_cred_security(new);
345         struct ccs_security *old_security = ccs_find_cred_security(old);
346         if (new_security == &ccs_default_security ||
347             new_security == &ccs_oom_security ||
348             old_security == &ccs_default_security ||
349             old_security == &ccs_oom_security)
350                 return;
351         new_security->ccs_flags = old_security->ccs_flags;
352         new_security->ccs_domain_info = old_security->ccs_domain_info;
353 }
354 
355 /**
356  * ccs_bprm_committing_creds - A hook which is called when do_execve() succeeded.
357  *
358  * @bprm: Pointer to "struct linux_binprm".
359  *
360  * Returns nothing.
361  */
362 static void ccs_bprm_committing_creds(struct linux_binprm *bprm)
363 {
364         struct ccs_security *old_security = ccs_current_security();
365         struct ccs_security *new_security;
366         if (old_security == &ccs_default_security ||
367             old_security == &ccs_oom_security)
368                 return;
369         ccs_clear_execve(0, old_security);
370         /* Update current task's cred's domain for future fork(). */
371         new_security = ccs_find_cred_security(bprm->cred);
372         new_security->ccs_flags = old_security->ccs_flags;
373         new_security->ccs_domain_info = old_security->ccs_domain_info;
374 }
375 
376 /**
377  * ccs_bprm_check_security - Check permission for execve().
378  *
379  * @bprm: Pointer to "struct linux_binprm".
380  *
381  * Returns 0 on success, negative value otherwise.
382  */
383 static int ccs_bprm_check_security(struct linux_binprm *bprm)
384 {
385         struct ccs_security *security = ccs_current_security();
386         int rc;
387         if (security == &ccs_default_security || security == &ccs_oom_security)
388                 return -ENOMEM;
389         if (security->ee)
390                 return 0;
391 #ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER
392         if (!ccs_policy_loaded)
393                 ccs_load_policy(bprm->filename);
394 #endif
395         rc = ccs_start_execve(bprm, &security->ee);
396         if (security->ee)
397                 atomic_inc(&ccs_in_execve_tasks);
398         return rc;
399 }
400 
401 /**
402  * ccs_file_open - Check permission for open().
403  *
404  * @f:    Pointer to "struct file".
405  * @cred: Pointer to "struct cred".
406  *
407  * Returns 0 on success, negative value otherwise.
408  */
409 static int ccs_file_open(struct file *f, const struct cred *cred)
410 {
411         return ccs_open_permission(f);
412 }
413 
414 #ifdef CONFIG_SECURITY_PATH
415 
416 /**
417  * ccs_path_chown - Check permission for chown()/chgrp().
418  *
419  * @path:  Pointer to "struct path".
420  * @user:  User ID.
421  * @group: Group ID.
422  *
423  * Returns 0 on success, negative value otherwise.
424  */
425 static int ccs_path_chown(struct path *path, kuid_t user, kgid_t group)
426 {
427         return ccs_chown_permission(path->dentry, path->mnt, user, group);
428 }
429 
430 /**
431  * ccs_path_chmod - Check permission for chmod().
432  *
433  * @path: Pointer to "struct path".
434  * @mode: Mode.
435  *
436  * Returns 0 on success, negative value otherwise.
437  */
438 static int ccs_path_chmod(struct path *path, umode_t mode)
439 {
440         return ccs_chmod_permission(path->dentry, path->mnt, mode);
441 }
442 
443 /**
444  * ccs_path_chroot - Check permission for chroot().
445  *
446  * @path: Pointer to "struct path".
447  *
448  * Returns 0 on success, negative value otherwise.
449  */
450 static int ccs_path_chroot(struct path *path)
451 {
452         return ccs_chroot_permission(path);
453 }
454 
455 /**
456  * ccs_path_truncate - Check permission for truncate().
457  *
458  * @path: Pointer to "struct path".
459  *
460  * Returns 0 on success, negative value otherwise.
461  */
462 static int ccs_path_truncate(struct path *path)
463 {
464         return ccs_truncate_permission(path->dentry, path->mnt);
465 }
466 
467 #else
468 
469 /**
470  * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate().
471  *
472  * @dentry: Pointer to "struct dentry".
473  * @attr:   Pointer to "struct iattr".
474  *
475  * Returns 0 on success, negative value otherwise.
476  */
477 static int ccs_inode_setattr(struct dentry *dentry, struct iattr *attr)
478 {
479         const int rc1 = (attr->ia_valid & ATTR_UID) ?
480                 ccs_chown_permission(dentry, NULL, attr->ia_uid, INVALID_GID) :
481                 0;
482         const int rc2 = (attr->ia_valid & ATTR_GID) ?
483                 ccs_chown_permission(dentry, NULL, INVALID_UID, attr->ia_gid) :
484                 0;
485         const int rc3 = (attr->ia_valid & ATTR_MODE) ?
486                 ccs_chmod_permission(dentry, NULL, attr->ia_mode) : 0;
487         const int rc4 = (attr->ia_valid & ATTR_SIZE) ?
488                 ccs_truncate_permission(dentry, NULL) : 0;
489         if (rc4)
490                 return rc4;
491         if (rc3)
492                 return rc3;
493         if (rc2)
494                 return rc2;
495         return rc1;
496 }
497 
498 #endif
499 
500 /**
501  * ccs_inode_getattr - Check permission for stat().
502  *
503  * @path: Pointer to "struct path".
504  *
505  * Returns 0 on success, negative value otherwise.
506  */
507 static int ccs_inode_getattr(const struct path *path)
508 {
509         return ccs_getattr_permission(path->mnt, path->dentry);
510 }
511 
512 #ifdef CONFIG_SECURITY_PATH
513 
514 /**
515  * ccs_path_mknod - Check permission for mknod().
516  *
517  * @dir:    Pointer to "struct path".
518  * @dentry: Pointer to "struct dentry".
519  * @mode:   Create mode.
520  * @dev:    Device major/minor number.
521  *
522  * Returns 0 on success, negative value otherwise.
523  */
524 static int ccs_path_mknod(struct path *dir, struct dentry *dentry,
525                           umode_t mode, unsigned int dev)
526 {
527         return ccs_mknod_permission(dentry, dir->mnt, mode, dev);
528 }
529 
530 /**
531  * ccs_path_mkdir - Check permission for mkdir().
532  *
533  * @dir:    Pointer to "struct path".
534  * @dentry: Pointer to "struct dentry".
535  * @mode:   Create mode.
536  *
537  * Returns 0 on success, negative value otherwise.
538  */
539 static int ccs_path_mkdir(struct path *dir, struct dentry *dentry,
540                           umode_t mode)
541 {
542         return ccs_mkdir_permission(dentry, dir->mnt, mode);
543 }
544 
545 /**
546  * ccs_path_rmdir - Check permission for rmdir().
547  *
548  * @dir:    Pointer to "struct path".
549  * @dentry: Pointer to "struct dentry".
550  *
551  * Returns 0 on success, negative value otherwise.
552  */
553 static int ccs_path_rmdir(struct path *dir, struct dentry *dentry)
554 {
555         return ccs_rmdir_permission(dentry, dir->mnt);
556 }
557 
558 /**
559  * ccs_path_unlink - Check permission for unlink().
560  *
561  * @dir:    Pointer to "struct path".
562  * @dentry: Pointer to "struct dentry".
563  *
564  * Returns 0 on success, negative value otherwise.
565  */
566 static int ccs_path_unlink(struct path *dir, struct dentry *dentry)
567 {
568         return ccs_unlink_permission(dentry, dir->mnt);
569 }
570 
571 /**
572  * ccs_path_symlink - Check permission for symlink().
573  *
574  * @dir:      Pointer to "struct path".
575  * @dentry:   Pointer to "struct dentry".
576  * @old_name: Content of symbolic link.
577  *
578  * Returns 0 on success, negative value otherwise.
579  */
580 static int ccs_path_symlink(struct path *dir, struct dentry *dentry,
581                             const char *old_name)
582 {
583         return ccs_symlink_permission(dentry, dir->mnt, old_name);
584 }
585 
586 /**
587  * ccs_path_rename - Check permission for rename().
588  *
589  * @old_dir:    Pointer to "struct path".
590  * @old_dentry: Pointer to "struct dentry".
591  * @new_dir:    Pointer to "struct path".
592  * @new_dentry: Pointer to "struct dentry".
593  *
594  * Returns 0 on success, negative value otherwise.
595  */
596 static int ccs_path_rename(struct path *old_dir, struct dentry *old_dentry,
597                            struct path *new_dir, struct dentry *new_dentry)
598 {
599         return ccs_rename_permission(old_dentry, new_dentry, old_dir->mnt);
600 }
601 
602 /**
603  * ccs_path_link - Check permission for link().
604  *
605  * @old_dentry: Pointer to "struct dentry".
606  * @new_dir:    Pointer to "struct path".
607  * @new_dentry: Pointer to "struct dentry".
608  *
609  * Returns 0 on success, negative value otherwise.
610  */
611 static int ccs_path_link(struct dentry *old_dentry, struct path *new_dir,
612                          struct dentry *new_dentry)
613 {
614         return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt);
615 }
616 
617 #else
618 
619 /**
620  * ccs_inode_mknod - Check permission for mknod().
621  *
622  * @dir:    Pointer to "struct inode".
623  * @dentry: Pointer to "struct dentry".
624  * @mode:   Create mode.
625  * @dev:    Device major/minor number.
626  *
627  * Returns 0 on success, negative value otherwise.
628  */
629 static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry,
630                            umode_t mode, dev_t dev)
631 {
632         return ccs_mknod_permission(dentry, NULL, mode, dev);
633 }
634 
635 /**
636  * ccs_inode_mkdir - Check permission for mkdir().
637  *
638  * @dir:    Pointer to "struct inode".
639  * @dentry: Pointer to "struct dentry".
640  * @mode:   Create mode.
641  *
642  * Returns 0 on success, negative value otherwise.
643  */
644 static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry,
645                            umode_t mode)
646 {
647         return ccs_mkdir_permission(dentry, NULL, mode);
648 }
649 
650 /**
651  * ccs_inode_rmdir - Check permission for rmdir().
652  *
653  * @dir:    Pointer to "struct inode".
654  * @dentry: Pointer to "struct dentry".
655  *
656  * Returns 0 on success, negative value otherwise.
657  */
658 static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry)
659 {
660         return ccs_rmdir_permission(dentry, NULL);
661 }
662 
663 /**
664  * ccs_inode_unlink - Check permission for unlink().
665  *
666  * @dir:    Pointer to "struct inode".
667  * @dentry: Pointer to "struct dentry".
668  *
669  * Returns 0 on success, negative value otherwise.
670  */
671 static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry)
672 {
673         return ccs_unlink_permission(dentry, NULL);
674 }
675 
676 /**
677  * ccs_inode_symlink - Check permission for symlink().
678  *
679  * @dir:      Pointer to "struct inode".
680  * @dentry:   Pointer to "struct dentry".
681  * @old_name: Content of symbolic link.
682  *
683  * Returns 0 on success, negative value otherwise.
684  */
685 static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry,
686                              const char *old_name)
687 {
688         return ccs_symlink_permission(dentry, NULL, old_name);
689 }
690 
691 /**
692  * ccs_inode_rename - Check permission for rename().
693  *
694  * @old_dir:    Pointer to "struct inode".
695  * @old_dentry: Pointer to "struct dentry".
696  * @new_dir:    Pointer to "struct inode".
697  * @new_dentry: Pointer to "struct dentry".
698  *
699  * Returns 0 on success, negative value otherwise.
700  */
701 static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
702                             struct inode *new_dir, struct dentry *new_dentry)
703 {
704         return ccs_rename_permission(old_dentry, new_dentry, NULL);
705 }
706 
707 /**
708  * ccs_inode_link - Check permission for link().
709  *
710  * @old_dentry: Pointer to "struct dentry".
711  * @dir:        Pointer to "struct inode".
712  * @new_dentry: Pointer to "struct dentry".
713  *
714  * Returns 0 on success, negative value otherwise.
715  */
716 static int ccs_inode_link(struct dentry *old_dentry, struct inode *dir,
717                           struct dentry *new_dentry)
718 {
719         return ccs_link_permission(old_dentry, new_dentry, NULL);
720 }
721 
722 /**
723  * ccs_inode_create - Check permission for creat().
724  *
725  * @dir:    Pointer to "struct inode".
726  * @dentry: Pointer to "struct dentry".
727  * @mode:   Create mode.
728  *
729  * Returns 0 on success, negative value otherwise.
730  */
731 static int ccs_inode_create(struct inode *dir, struct dentry *dentry,
732                             umode_t mode)
733 {
734         return ccs_mknod_permission(dentry, NULL, mode, 0);
735 }
736 
737 #endif
738 
739 #ifdef CONFIG_SECURITY_NETWORK
740 
741 #include <net/sock.h>
742 
743 /* Structure for remembering an accept()ed socket's status. */
744 struct ccs_socket_tag {
745         struct list_head list;
746         struct inode *inode;
747         int status;
748         struct rcu_head rcu;
749 };
750 
751 /*
752  * List for managing accept()ed sockets.
753  * Since we don't need to keep an accept()ed socket into this list after
754  * once the permission was granted, the number of entries in this list is
755  * likely small. Therefore, we don't use hash tables.
756  */
757 static LIST_HEAD(ccs_accepted_socket_list);
758 /* Lock for protecting ccs_accepted_socket_list . */
759 static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock);
760 
761 /**
762  * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag".
763  *
764  * @rcu: Pointer to "struct rcu_head".
765  *
766  * Returns nothing.
767  */
768 static void ccs_socket_rcu_free(struct rcu_head *rcu)
769 {
770         struct ccs_socket_tag *ptr = container_of(rcu, typeof(*ptr), rcu);
771         kfree(ptr);
772 }
773 
774 /**
775  * ccs_update_socket_tag - Update tag associated with accept()ed sockets.
776  *
777  * @inode:  Pointer to "struct inode".
778  * @status: New status.
779  *
780  * Returns nothing.
781  *
782  * If @status == 0, memory for that socket will be released after RCU grace
783  * period.
784  */
785 static void ccs_update_socket_tag(struct inode *inode, int status)
786 {
787         struct ccs_socket_tag *ptr;
788         /*
789          * Protect whole section because multiple threads may call this
790          * function with same "sock" via ccs_validate_socket().
791          */
792         spin_lock(&ccs_accepted_socket_list_lock);
793         rcu_read_lock();
794         list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
795                 if (ptr->inode != inode)
796                         continue;
797                 ptr->status = status;
798                 if (status)
799                         break;
800                 list_del_rcu(&ptr->list);
801                 call_rcu(&ptr->rcu, ccs_socket_rcu_free);
802                 break;
803         }
804         rcu_read_unlock();
805         spin_unlock(&ccs_accepted_socket_list_lock);
806 }
807 
808 /**
809  * ccs_validate_socket - Check post accept() permission if needed.
810  *
811  * @sock: Pointer to "struct socket".
812  *
813  * Returns 0 on success, negative value otherwise.
814  */
815 static int ccs_validate_socket(struct socket *sock)
816 {
817         struct inode *inode = SOCK_INODE(sock);
818         struct ccs_socket_tag *ptr;
819         int ret = 0;
820         rcu_read_lock();
821         list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
822                 if (ptr->inode != inode)
823                         continue;
824                 ret = ptr->status;
825                 break;
826         }
827         rcu_read_unlock();
828         if (ret <= 0)
829                 /*
830                  * This socket is not an accept()ed socket or this socket is
831                  * an accept()ed socket and post accept() permission is done.
832                  */
833                 return ret;
834         /*
835          * Check post accept() permission now.
836          *
837          * Strictly speaking, we need to pass both listen()ing socket and
838          * accept()ed socket to __ccs_socket_post_accept_permission().
839          * But since socket's family and type are same for both sockets,
840          * passing the accept()ed socket in place for the listen()ing socket
841          * will work.
842          */
843         ret = ccs_socket_post_accept_permission(sock, sock);
844         /*
845          * If permission was granted, we forget that this is an accept()ed
846          * socket. Otherwise, we remember that this socket needs to return
847          * error for subsequent socketcalls.
848          */
849         ccs_update_socket_tag(inode, ret);
850         return ret;
851 }
852 
853 /**
854  * ccs_socket_accept - Check permission for accept().
855  *
856  * @sock:    Pointer to "struct socket".
857  * @newsock: Pointer to "struct socket".
858  *
859  * Returns 0 on success, negative value otherwise.
860  *
861  * This hook is used for setting up environment for doing post accept()
862  * permission check. If dereferencing sock->ops->something() were ordered by
863  * rcu_dereference(), we could replace sock->ops with "a copy of original
864  * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer()
865  * in order to do post accept() permission check before returning to userspace.
866  * If we make the copy in security_socket_post_create(), it would be possible
867  * to safely replace sock->ops here, but we don't do so because we don't want
868  * to allocate memory for sockets which do not call sock->ops->accept().
869  * Therefore, we do post accept() permission check upon next socket syscalls
870  * rather than between sock->ops->accept() and returning to userspace.
871  * This means that if a socket was close()d before calling some socket
872  * syscalls, post accept() permission check will not be done.
873  */
874 static int ccs_socket_accept(struct socket *sock, struct socket *newsock)
875 {
876         struct ccs_socket_tag *ptr;
877         const int rc = ccs_validate_socket(sock);
878         if (rc < 0)
879                 return rc;
880         ptr = kzalloc(sizeof(*ptr), GFP_KERNEL);
881         if (!ptr)
882                 return -ENOMEM;
883         /*
884          * Subsequent LSM hooks will receive "newsock". Therefore, I mark
885          * "newsock" as "an accept()ed socket but post accept() permission
886          * check is not done yet" by allocating memory using inode of the
887          * "newsock" as a search key.
888          */
889         ptr->inode = SOCK_INODE(newsock);
890         ptr->status = 1; /* Check post accept() permission later. */
891         spin_lock(&ccs_accepted_socket_list_lock);
892         list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list);
893         spin_unlock(&ccs_accepted_socket_list_lock);
894         return 0;
895 }
896 
897 /**
898  * ccs_socket_listen - Check permission for listen().
899  *
900  * @sock:    Pointer to "struct socket".
901  * @backlog: Backlog parameter.
902  *
903  * Returns 0 on success, negative value otherwise.
904  */
905 static int ccs_socket_listen(struct socket *sock, int backlog)
906 {
907         const int rc = ccs_validate_socket(sock);
908         if (rc < 0)
909                 return rc;
910         return ccs_socket_listen_permission(sock);
911 }
912 
913 /**
914  * ccs_socket_connect - Check permission for connect().
915  *
916  * @sock:     Pointer to "struct socket".
917  * @addr:     Pointer to "struct sockaddr".
918  * @addr_len: Size of @addr.
919  *
920  * Returns 0 on success, negative value otherwise.
921  */
922 static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr,
923                               int addr_len)
924 {
925         const int rc = ccs_validate_socket(sock);
926         if (rc < 0)
927                 return rc;
928         return ccs_socket_connect_permission(sock, addr, addr_len);
929 }
930 
931 /**
932  * ccs_socket_bind - Check permission for bind().
933  *
934  * @sock:     Pointer to "struct socket".
935  * @addr:     Pointer to "struct sockaddr".
936  * @addr_len: Size of @addr.
937  *
938  * Returns 0 on success, negative value otherwise.
939  */
940 static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr,
941                            int addr_len)
942 {
943         const int rc = ccs_validate_socket(sock);
944         if (rc < 0)
945                 return rc;
946         return ccs_socket_bind_permission(sock, addr, addr_len);
947 }
948 
949 /**
950  * ccs_socket_sendmsg - Check permission for sendmsg().
951  *
952  * @sock: Pointer to "struct socket".
953  * @msg:  Pointer to "struct msghdr".
954  * @size: Size of message.
955  *
956  * Returns 0 on success, negative value otherwise.
957  */
958 static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg,
959                               int size)
960 {
961         const int rc = ccs_validate_socket(sock);
962         if (rc < 0)
963                 return rc;
964         return ccs_socket_sendmsg_permission(sock, msg, size);
965 }
966 
967 /**
968  * ccs_socket_recvmsg - Check permission for recvmsg().
969  *
970  * @sock:  Pointer to "struct socket".
971  * @msg:   Pointer to "struct msghdr".
972  * @size:  Size of message.
973  * @flags: Flags.
974  *
975  * Returns 0 on success, negative value otherwise.
976  */
977 static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg,
978                               int size, int flags)
979 {
980         return ccs_validate_socket(sock);
981 }
982 
983 /**
984  * ccs_socket_getsockname - Check permission for getsockname().
985  *
986  * @sock: Pointer to "struct socket".
987  *
988  * Returns 0 on success, negative value otherwise.
989  */
990 static int ccs_socket_getsockname(struct socket *sock)
991 {
992         return ccs_validate_socket(sock);
993 }
994 
995 /**
996  * ccs_socket_getpeername - Check permission for getpeername().
997  *
998  * @sock: Pointer to "struct socket".
999  *
1000  * Returns 0 on success, negative value otherwise.
1001  */
1002 static int ccs_socket_getpeername(struct socket *sock)
1003 {
1004         return ccs_validate_socket(sock);
1005 }
1006 
1007 /**
1008  * ccs_socket_getsockopt - Check permission for getsockopt().
1009  *
1010  * @sock:    Pointer to "struct socket".
1011  * @level:   Level.
1012  * @optname: Option's name,
1013  *
1014  * Returns 0 on success, negative value otherwise.
1015  */
1016 static int ccs_socket_getsockopt(struct socket *sock, int level, int optname)
1017 {
1018         return ccs_validate_socket(sock);
1019 }
1020 
1021 /**
1022  * ccs_socket_setsockopt - Check permission for setsockopt().
1023  *
1024  * @sock:    Pointer to "struct socket".
1025  * @level:   Level.
1026  * @optname: Option's name,
1027  *
1028  * Returns 0 on success, negative value otherwise.
1029  */
1030 static int ccs_socket_setsockopt(struct socket *sock, int level, int optname)
1031 {
1032         return ccs_validate_socket(sock);
1033 }
1034 
1035 /**
1036  * ccs_socket_shutdown - Check permission for shutdown().
1037  *
1038  * @sock: Pointer to "struct socket".
1039  * @how:  Shutdown mode.
1040  *
1041  * Returns 0 on success, negative value otherwise.
1042  */
1043 static int ccs_socket_shutdown(struct socket *sock, int how)
1044 {
1045         return ccs_validate_socket(sock);
1046 }
1047 
1048 #define SOCKFS_MAGIC 0x534F434B
1049 
1050 /**
1051  * ccs_inode_free_security - Release memory associated with an inode.
1052  *
1053  * @inode: Pointer to "struct inode".
1054  *
1055  * Returns nothing.
1056  *
1057  * We use this hook for releasing memory associated with an accept()ed socket.
1058  */
1059 static void ccs_inode_free_security(struct inode *inode)
1060 {
1061         if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC)
1062                 ccs_update_socket_tag(inode, 0);
1063 }
1064 
1065 #endif
1066 
1067 /**
1068  * ccs_sb_pivotroot - Check permission for pivot_root().
1069  *
1070  * @old_path: Pointer to "struct path".
1071  * @new_path: Pointer to "struct path".
1072  *
1073  * Returns 0 on success, negative value otherwise.
1074  */
1075 static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path)
1076 {
1077         return ccs_pivot_root_permission(old_path, new_path);
1078 }
1079 
1080 /**
1081  * ccs_sb_mount - Check permission for mount().
1082  *
1083  * @dev_name:  Name of device file.
1084  * @path:      Pointer to "struct path".
1085  * @type:      Name of filesystem type. Maybe NULL.
1086  * @flags:     Mount options.
1087  * @data_page: Optional data. Maybe NULL.
1088  *
1089  * Returns 0 on success, negative value otherwise.
1090  */
1091 static int ccs_sb_mount(const char *dev_name, struct path *path,
1092                         const char *type, unsigned long flags, void *data_page)
1093 {
1094         return ccs_mount_permission(dev_name, path, type, flags, data_page);
1095 }
1096 
1097 /**
1098  * ccs_sb_umount - Check permission for umount().
1099  *
1100  * @mnt:   Pointer to "struct vfsmount".
1101  * @flags: Unmount flags.
1102  *
1103  * Returns 0 on success, negative value otherwise.
1104  */
1105 static int ccs_sb_umount(struct vfsmount *mnt, int flags)
1106 {
1107         return ccs_umount_permission(mnt, flags);
1108 }
1109 
1110 /**
1111  * ccs_file_fcntl - Check permission for fcntl().
1112  *
1113  * @file: Pointer to "struct file".
1114  * @cmd:  Command number.
1115  * @arg:  Value for @cmd.
1116  *
1117  * Returns 0 on success, negative value otherwise.
1118  */
1119 static int ccs_file_fcntl(struct file *file, unsigned int cmd,
1120                           unsigned long arg)
1121 {
1122         return ccs_fcntl_permission(file, cmd, arg);
1123 }
1124 
1125 /**
1126  * ccs_file_ioctl - Check permission for ioctl().
1127  *
1128  * @filp: Pointer to "struct file".
1129  * @cmd:  Command number.
1130  * @arg:  Value for @cmd.
1131  *
1132  * Returns 0 on success, negative value otherwise.
1133  */
1134 static int ccs_file_ioctl(struct file *filp, unsigned int cmd,
1135                           unsigned long arg)
1136 {
1137         return ccs_ioctl_permission(filp, cmd, arg);
1138 }
1139 
1140 #define MY_HOOK_INIT(HEAD, HOOK)                                \
1141         { .head = &probe_dummy_security_hook_heads.HEAD,        \
1142                         .hook = { .HEAD = HOOK } }
1143 
1144 static struct security_hook_list akari_hooks[] = {
1145         /* Security context allocator. */
1146         MY_HOOK_INIT(cred_free, ccs_cred_free),
1147         MY_HOOK_INIT(cred_prepare, ccs_cred_prepare),
1148         MY_HOOK_INIT(cred_alloc_blank, ccs_cred_alloc_blank),
1149         MY_HOOK_INIT(cred_transfer, ccs_cred_transfer),
1150         MY_HOOK_INIT(task_create, ccs_task_create),
1151         /* Security context updater for successful execve(). */
1152         MY_HOOK_INIT(bprm_check_security, ccs_bprm_check_security),
1153         MY_HOOK_INIT(bprm_committing_creds, ccs_bprm_committing_creds),
1154         /* Various permission checker. */
1155         MY_HOOK_INIT(file_open, ccs_file_open),
1156         MY_HOOK_INIT(file_fcntl, ccs_file_fcntl),
1157         MY_HOOK_INIT(file_ioctl, ccs_file_ioctl),
1158         MY_HOOK_INIT(sb_pivotroot, ccs_sb_pivotroot),
1159         MY_HOOK_INIT(sb_mount, ccs_sb_mount),
1160         MY_HOOK_INIT(sb_umount, ccs_sb_umount),
1161 #ifdef CONFIG_SECURITY_PATH
1162         MY_HOOK_INIT(path_mknod, ccs_path_mknod),
1163         MY_HOOK_INIT(path_mkdir, ccs_path_mkdir),
1164         MY_HOOK_INIT(path_rmdir, ccs_path_rmdir),
1165         MY_HOOK_INIT(path_unlink, ccs_path_unlink),
1166         MY_HOOK_INIT(path_symlink, ccs_path_symlink),
1167         MY_HOOK_INIT(path_rename, ccs_path_rename),
1168         MY_HOOK_INIT(path_link, ccs_path_link),
1169         MY_HOOK_INIT(path_truncate, ccs_path_truncate),
1170         MY_HOOK_INIT(path_chmod, ccs_path_chmod),
1171         MY_HOOK_INIT(path_chown, ccs_path_chown),
1172         MY_HOOK_INIT(path_chroot, ccs_path_chroot),
1173 #else
1174         MY_HOOK_INIT(inode_mknod, ccs_inode_mknod),
1175         MY_HOOK_INIT(inode_mkdir, ccs_inode_mkdir),
1176         MY_HOOK_INIT(inode_rmdir, ccs_inode_rmdir),
1177         MY_HOOK_INIT(inode_unlink, ccs_inode_unlink),
1178         MY_HOOK_INIT(inode_symlink, ccs_inode_symlink),
1179         MY_HOOK_INIT(inode_rename, ccs_inode_rename),
1180         MY_HOOK_INIT(inode_link, ccs_inode_link),
1181         MY_HOOK_INIT(inode_create, ccs_inode_create),
1182         MY_HOOK_INIT(inode_setattr, ccs_inode_setattr),
1183 #endif
1184         MY_HOOK_INIT(inode_getattr, ccs_inode_getattr),
1185 #ifdef CONFIG_SECURITY_NETWORK
1186         MY_HOOK_INIT(socket_bind, ccs_socket_bind),
1187         MY_HOOK_INIT(socket_connect, ccs_socket_connect),
1188         MY_HOOK_INIT(socket_listen, ccs_socket_listen),
1189         MY_HOOK_INIT(socket_sendmsg, ccs_socket_sendmsg),
1190         MY_HOOK_INIT(socket_recvmsg, ccs_socket_recvmsg),
1191         MY_HOOK_INIT(socket_getsockname, ccs_socket_getsockname),
1192         MY_HOOK_INIT(socket_getpeername, ccs_socket_getpeername),
1193         MY_HOOK_INIT(socket_getsockopt, ccs_socket_getsockopt),
1194         MY_HOOK_INIT(socket_setsockopt, ccs_socket_setsockopt),
1195         MY_HOOK_INIT(socket_shutdown, ccs_socket_shutdown),
1196         MY_HOOK_INIT(socket_accept, ccs_socket_accept),
1197         MY_HOOK_INIT(inode_free_security, ccs_inode_free_security),
1198 #endif
1199 };
1200 
1201 static inline void add_hook(struct security_hook_list *hook)
1202 {
1203         list_add_tail_rcu(&hook->list, hook->head);
1204 }
1205 
1206 static void __init swap_hook(struct security_hook_list *hook,
1207                              union security_list_options *original)
1208 {
1209         struct list_head *list = hook->head;
1210         if (list_empty(list)) {
1211                 add_hook(hook);
1212         } else {
1213                 struct security_hook_list *shp =
1214                         list_last_entry(list, struct security_hook_list, list);
1215                 *original = shp->hook;
1216                 smp_wmb();
1217                 shp->hook = hook->hook;
1218         }
1219 }
1220 
1221 /**
1222  * ccs_init - Initialize this module.
1223  *
1224  * Returns 0 on success, negative value otherwise.
1225  */
1226 static int __init ccs_init(void)
1227 {
1228         int idx;
1229         struct security_hook_heads *hooks = probe_security_hook_heads();
1230         if (!hooks)
1231                 goto out;
1232         for (idx = 0; idx < ARRAY_SIZE(akari_hooks); idx++)
1233                 akari_hooks[idx].head = ((void *) hooks)
1234                         + ((unsigned long) akari_hooks[idx].head)
1235                         - ((unsigned long) &probe_dummy_security_hook_heads);
1236         ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid();
1237         if (!ccsecurity_exports.find_task_by_vpid)
1238                 goto out;
1239         ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns();
1240         if (!ccsecurity_exports.find_task_by_pid_ns)
1241                 goto out;
1242         ccsecurity_exports.d_absolute_path = probe_d_absolute_path();
1243         if (!ccsecurity_exports.d_absolute_path)
1244                 goto out;
1245         for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) {
1246                 INIT_LIST_HEAD(&ccs_cred_security_list[idx]);
1247                 INIT_LIST_HEAD(&ccs_task_security_list[idx]);
1248         }
1249         ccs_main_init();
1250         swap_hook(&akari_hooks[0], &original_cred_free);
1251         swap_hook(&akari_hooks[1], &original_cred_prepare);
1252         swap_hook(&akari_hooks[2], &original_cred_alloc_blank);
1253         for (idx = 3; idx < ARRAY_SIZE(akari_hooks); idx++)
1254                 add_hook(&akari_hooks[idx]);
1255         printk(KERN_INFO "AKARI: 1.0.35   2015/11/11\n");
1256         printk(KERN_INFO
1257                "Access Keeping And Regulating Instrument registered.\n");
1258         return 0;
1259 out:
1260         return -EINVAL;
1261 }
1262 
1263 module_init(ccs_init);
1264 MODULE_LICENSE("GPL");
1265 
1266 /**
1267  * ccs_used_by_cred - Check whether the given domain is in use or not.
1268  *
1269  * @domain: Pointer to "struct ccs_domain_info".
1270  *
1271  * Returns true if @domain is in use, false otherwise.
1272  *
1273  * Caller holds rcu_read_lock().
1274  */
1275 bool ccs_used_by_cred(const struct ccs_domain_info *domain)
1276 {
1277         int idx;
1278         struct ccs_security *ptr;
1279         for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) {
1280                 struct list_head *list = &ccs_cred_security_list[idx];
1281                 list_for_each_entry_rcu(ptr, list, list) {
1282                         struct ccs_execve *ee = ptr->ee;
1283                         if (ptr->ccs_domain_info == domain ||
1284                             (ee && ee->previous_domain == domain)) {
1285                                 return true;
1286                         }
1287                 }
1288         }
1289         return false;
1290 }
1291 
1292 /**
1293  * ccs_add_task_security - Add "struct ccs_security" to list.
1294  *
1295  * @ptr:  Pointer to "struct ccs_security".
1296  * @list: Pointer to "struct list_head".
1297  *
1298  * Returns nothing.
1299  */
1300 static void ccs_add_task_security(struct ccs_security *ptr,
1301                                   struct list_head *list)
1302 {
1303         unsigned long flags;
1304         spin_lock_irqsave(&ccs_task_security_list_lock, flags);
1305         list_add_rcu(&ptr->list, list);
1306         spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
1307 }
1308 
1309 /**
1310  * ccs_find_task_security - Find "struct ccs_security" for given task.
1311  *
1312  * @task: Pointer to "struct task_struct".
1313  *
1314  * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on
1315  * out of memory, &ccs_default_security otherwise.
1316  *
1317  * If @task is current thread and "struct ccs_security" for current thread was
1318  * not found, I try to allocate it. But if allocation failed, current thread
1319  * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL
1320  * won't work.
1321  */
1322 struct ccs_security *ccs_find_task_security(const struct task_struct *task)
1323 {
1324         struct ccs_security *ptr;
1325         struct list_head *list = &ccs_task_security_list
1326                 [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)];
1327         /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */
1328         while (!list->next);
1329         rcu_read_lock();
1330         list_for_each_entry_rcu(ptr, list, list) {
1331                 if (ptr->pid != task->pids[PIDTYPE_PID].pid)
1332                         continue;
1333                 rcu_read_unlock();
1334                 /*
1335                  * Current thread needs to transit from old domain to new
1336                  * domain before do_execve() succeeds in order to check
1337                  * permission for interpreters and environment variables using
1338                  * new domain's ACL rules. The domain transition has to be
1339                  * visible from other CPU in order to allow interactive
1340                  * enforcing mode. Also, the domain transition has to be
1341                  * reverted if do_execve() failed. However, an LSM hook for
1342                  * reverting domain transition is missing.
1343                  *
1344                  * security_prepare_creds() is called from prepare_creds() from
1345                  * prepare_bprm_creds() from do_execve() before setting
1346                  * current->in_execve flag, and current->in_execve flag is
1347                  * cleared by the time next do_execve() request starts.
1348                  * This means that we can emulate the missing LSM hook for
1349                  * reverting domain transition, by calling this function from
1350                  * security_prepare_creds().
1351                  *
1352                  * If current->in_execve is not set but ptr->ccs_flags has
1353                  * CCS_TASK_IS_IN_EXECVE set, it indicates that do_execve()
1354                  * has failed and reverting domain transition is needed.
1355                  */
1356                 if (task == current &&
1357                     (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE) &&
1358                     !current->in_execve) {
1359                         ccs_debug_trace("4");
1360                         ccs_clear_execve(-1, ptr);
1361                 }
1362                 return ptr;
1363         }
1364         rcu_read_unlock();
1365         if (task != current) {
1366                 /*
1367                  * If a thread does nothing after fork(), caller will reach
1368                  * here because "struct ccs_security" for that thread is not
1369                  * yet allocated. But that thread is keeping a snapshot of
1370                  * "struct ccs_security" taken as of ccs_task_create()
1371                  * associated with that thread's "struct cred".
1372                  *
1373                  * Since that snapshot will be used as initial data when that
1374                  * thread allocates "struct ccs_security" for that thread, we
1375                  * can return that snapshot rather than &ccs_default_security.
1376                  *
1377                  * Since this function is called by only ccs_select_one() and
1378                  * ccs_read_pid() (via ccs_task_domain() and ccs_task_flags()),
1379                  * it is guaranteed that caller has called rcu_read_lock()
1380                  * (via ccs_tasklist_lock()) before finding this thread and
1381                  * this thread is valid. Therefore, we can do __task_cred(task)
1382                  * like get_robust_list() does.
1383                  */
1384                 return ccs_find_cred_security(__task_cred(task));
1385         }
1386         /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */
1387         ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC);
1388         if (!ptr) {
1389                 printk(KERN_WARNING "Unable to allocate memory for pid=%u\n",
1390                        task->pid);
1391                 send_sig(SIGKILL, current, 0);
1392                 return &ccs_oom_security;
1393         }
1394         *ptr = *ccs_find_cred_security(task->cred);
1395         /* We can shortcut because task == current. */
1396         ptr->pid = get_pid(((struct task_struct *) task)->
1397                            pids[PIDTYPE_PID].pid);
1398         ptr->cred = NULL;
1399         ccs_add_task_security(ptr, list);
1400         return ptr;
1401 }
1402 
1403 /**
1404  * ccs_copy_cred_security - Allocate memory for new credentials.
1405  *
1406  * @new: Pointer to "struct cred".
1407  * @old: Pointer to "struct cred".
1408  * @gfp: Memory allocation flags.
1409  *
1410  * Returns 0 on success, negative value otherwise.
1411  */
1412 static int ccs_copy_cred_security(const struct cred *new,
1413                                   const struct cred *old, gfp_t gfp)
1414 {
1415         struct ccs_security *old_security = ccs_find_cred_security(old);
1416         struct ccs_security *new_security =
1417                 kzalloc(sizeof(*new_security), gfp);
1418         if (!new_security)
1419                 return -ENOMEM;
1420         *new_security = *old_security;
1421         new_security->cred = new;
1422         ccs_add_cred_security(new_security);
1423         return 0;
1424 }
1425 
1426 /**
1427  * ccs_find_cred_security - Find "struct ccs_security" for given credential.
1428  *
1429  * @cred: Pointer to "struct cred".
1430  *
1431  * Returns pointer to "struct ccs_security" on success, &ccs_default_security
1432  * otherwise.
1433  */
1434 static struct ccs_security *ccs_find_cred_security(const struct cred *cred)
1435 {
1436         struct ccs_security *ptr;
1437         struct list_head *list = &ccs_cred_security_list
1438                 [hash_ptr((void *) cred, CCS_TASK_SECURITY_HASH_BITS)];
1439         rcu_read_lock();
1440         list_for_each_entry_rcu(ptr, list, list) {
1441                 if (ptr->cred != cred)
1442                         continue;
1443                 rcu_read_unlock();
1444                 return ptr;
1445         }
1446         rcu_read_unlock();
1447         return &ccs_default_security;
1448 }
1449 
1450 /**
1451  * ccs_task_security_gc - Do garbage collection for "struct task_struct".
1452  *
1453  * Returns nothing.
1454  *
1455  * Since security_task_free() is missing, I can't release memory associated
1456  * with "struct task_struct" when a task dies. Therefore, I hold a reference on
1457  * "struct pid" and runs garbage collection when associated
1458  * "struct task_struct" has gone.
1459  */
1460 static void ccs_task_security_gc(void)
1461 {
1462         static DEFINE_SPINLOCK(lock);
1463         static atomic_t gc_counter = ATOMIC_INIT(0);
1464         unsigned int idx;
1465         /*
1466          * If some process is doing execve(), try to garbage collection now.
1467          * We should kfree() memory associated with "struct ccs_security"->ee
1468          * as soon as execve() has completed in order to compensate for lack of
1469          * security_bprm_free() and security_task_free() hooks.
1470          *
1471          * Otherwise, reduce frequency for performance reason.
1472          */
1473         if (!atomic_read(&ccs_in_execve_tasks) &&
1474             atomic_inc_return(&gc_counter) < 1024)
1475                 return;
1476         if (!spin_trylock(&lock))
1477                 return;
1478         atomic_set(&gc_counter, 0);
1479         rcu_read_lock();
1480         for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) {
1481                 struct ccs_security *ptr;
1482                 struct list_head *list = &ccs_task_security_list[idx];
1483                 list_for_each_entry_rcu(ptr, list, list) {
1484                         if (pid_task(ptr->pid, PIDTYPE_PID))
1485                                 continue;
1486                         ccs_del_security(ptr);
1487                 }
1488         }
1489         rcu_read_unlock();
1490         spin_unlock(&lock);
1491 }
1492 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp