~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/ccsecurity/internal.h

Version: ~ [ linux-5.4 ] ~ [ linux-5.3.13 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.86 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.156 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.203 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.202 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.78 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * security/ccsecurity/internal.h
  3  *
  4  * Copyright (C) 2005-2012  NTT DATA CORPORATION
  5  *
  6  * Version: 1.8.5   2015/11/11
  7  */
  8 
  9 #ifndef _SECURITY_CCSECURITY_INTERNAL_H
 10 #define _SECURITY_CCSECURITY_INTERNAL_H
 11 
 12 #include <linux/version.h>
 13 #include <linux/types.h>
 14 #include <linux/kernel.h>
 15 #include <linux/string.h>
 16 #include <linux/mm.h>
 17 #include <linux/utime.h>
 18 #include <linux/file.h>
 19 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 38)
 20 #include <linux/smp_lock.h>
 21 #endif
 22 #include <linux/module.h>
 23 #include <linux/init.h>
 24 #include <linux/slab.h>
 25 #include <linux/highmem.h>
 26 #include <linux/poll.h>
 27 #include <linux/binfmts.h>
 28 #include <linux/delay.h>
 29 #include <linux/sched.h>
 30 #include <linux/dcache.h>
 31 #include <linux/mount.h>
 32 #include <linux/net.h>
 33 #include <linux/inet.h>
 34 #include <linux/in.h>
 35 #include <linux/in6.h>
 36 #include <linux/un.h>
 37 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
 38 #include <linux/fs.h>
 39 #endif
 40 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
 41 #include <linux/namei.h>
 42 #endif
 43 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 30)
 44 #include <linux/fs_struct.h>
 45 #endif
 46 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 47 #include <linux/namespace.h>
 48 #endif
 49 #include <linux/proc_fs.h>
 50 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 0) || defined(RHEL_MAJOR)
 51 #include <linux/hash.h>
 52 #endif
 53 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) || (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL))
 54 #include <linux/sysctl.h>
 55 #endif
 56 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 6)
 57 #include <linux/kthread.h>
 58 #endif
 59 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)
 60 #include <linux/magic.h>
 61 #endif
 62 #include <stdarg.h>
 63 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
 64 #include <linux/uaccess.h>
 65 #else
 66 #include <asm/uaccess.h>
 67 #endif
 68 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
 69 #include <linux/sched/signal.h>
 70 #endif
 71 #include <net/sock.h>
 72 #include <net/af_unix.h>
 73 #include <net/ip.h>
 74 #include <net/ipv6.h>
 75 #include <net/udp.h>
 76 
 77 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
 78 #define sk_family family
 79 #define sk_protocol protocol
 80 #define sk_type type
 81 #endif
 82 
 83 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 84 
 85 /* Structure for holding "struct vfsmount *" and "struct dentry *". */
 86 struct path {
 87         struct vfsmount *mnt;
 88         struct dentry *dentry;
 89 };
 90 
 91 #endif
 92 
 93 #ifndef __printf
 94 #define __printf(a,b) __attribute__((format(printf,a,b)))
 95 #endif
 96 #ifndef __packed
 97 #define __packed __attribute__((__packed__))
 98 #endif
 99 #ifndef bool
100 #define bool _Bool
101 #endif
102 #ifndef false
103 #define false 0
104 #endif
105 #ifndef true
106 #define true 1
107 #endif
108 
109 #ifndef __user
110 #define __user
111 #endif
112 
113 #ifndef current_uid
114 #define current_uid()   (current->uid)
115 #endif
116 #ifndef current_gid
117 #define current_gid()   (current->gid)
118 #endif
119 #ifndef current_euid
120 #define current_euid()  (current->euid)
121 #endif
122 #ifndef current_egid
123 #define current_egid()  (current->egid)
124 #endif
125 #ifndef current_suid
126 #define current_suid()  (current->suid)
127 #endif
128 #ifndef current_sgid
129 #define current_sgid()  (current->sgid)
130 #endif
131 #ifndef current_fsuid
132 #define current_fsuid() (current->fsuid)
133 #endif
134 #ifndef current_fsgid
135 #define current_fsgid() (current->fsgid)
136 #endif
137 
138 #ifndef DEFINE_SPINLOCK
139 #define DEFINE_SPINLOCK(x) spinlock_t x = SPIN_LOCK_UNLOCKED
140 #endif
141 
142 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16)
143 #define mutex semaphore
144 #define mutex_init(mutex) init_MUTEX(mutex)
145 #define mutex_unlock(mutex) up(mutex)
146 #define mutex_lock(mutex) down(mutex)
147 #define mutex_lock_interruptible(mutex) down_interruptible(mutex)
148 #define mutex_trylock(mutex) (!down_trylock(mutex))
149 #define DEFINE_MUTEX(mutexname) DECLARE_MUTEX(mutexname)
150 #endif
151 
152 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 15)
153 #define MS_UNBINDABLE   (1<<17) /* change to unbindable */
154 #define MS_PRIVATE      (1<<18) /* change to private */
155 #define MS_SLAVE        (1<<19) /* change to slave */
156 #define MS_SHARED       (1<<20) /* change to shared */
157 #endif
158 
159 #ifndef container_of
160 #define container_of(ptr, type, member) ({                              \
161                         const typeof(((type *)0)->member) *__mptr = (ptr); \
162                         (type *)((char *)__mptr - offsetof(type, member)); })
163 #endif
164 
165 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 0)
166 #define smp_read_barrier_depends smp_rmb
167 #endif
168 
169 #ifndef ACCESS_ONCE
170 #define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
171 #endif
172 
173 #ifndef rcu_dereference
174 #define rcu_dereference(p)     ({                                       \
175                         typeof(p) _________p1 = ACCESS_ONCE(p);         \
176                         smp_read_barrier_depends(); /* see RCU */       \
177                         (_________p1);                                  \
178                 })
179 #endif
180 
181 #ifndef rcu_assign_pointer
182 #define rcu_assign_pointer(p, v)                        \
183         ({                                              \
184                 if (!__builtin_constant_p(v) ||         \
185                     ((v) != NULL))                      \
186                         smp_wmb(); /* see RCU */        \
187                 (p) = (v);                              \
188         })
189 #endif
190 
191 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
192 #define f_vfsmnt f_path.mnt
193 #endif
194 
195 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 14)
196 
197 /**
198  * kzalloc() - Allocate memory. The memory is set to zero.
199  *
200  * @size:  Size to allocate.
201  * @flags: GFP flags.
202  *
203  * Returns pointer to allocated memory on success, NULL otherwise.
204  *
205  * This is for compatibility with older kernels.
206  *
207  * Since several distributions backported kzalloc(), I define it as a macro
208  * rather than an inlined function in order to avoid multiple definition error.
209  */
210 #define kzalloc(size, flags) ({                                 \
211                         void *ret = kmalloc((size), (flags));   \
212                         if (ret)                                \
213                                 memset(ret, 0, (size));         \
214                         ret; })
215 
216 #endif
217 
218 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 25)
219 
220 /**
221  * path_put - Drop reference on "struct path".
222  *
223  * @path: Pointer to "struct path".
224  *
225  * Returns nothing.
226  *
227  * This is for compatibility with older kernels.
228  */
229 static inline void path_put(struct path *path)
230 {
231         dput(path->dentry);
232         mntput(path->mnt);
233 }
234 
235 #endif
236 
237 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
238 
239 /**
240  * __list_add_rcu - Insert a new entry between two known consecutive entries.
241  *
242  * @new:  Pointer to "struct list_head".
243  * @prev: Pointer to "struct list_head".
244  * @next: Pointer to "struct list_head".
245  *
246  * Returns nothing.
247  *
248  * This is for compatibility with older kernels.
249  */
250 static inline void __list_add_rcu(struct list_head *new,
251                                   struct list_head *prev,
252                                   struct list_head *next)
253 {
254         new->next = next;
255         new->prev = prev;
256         rcu_assign_pointer(prev->next, new);
257         next->prev = new;
258 }
259 
260 /**
261  * list_add_tail_rcu - Add a new entry to rcu-protected list.
262  *
263  * @new:  Pointer to "struct list_head".
264  * @head: Pointer to "struct list_head".
265  *
266  * Returns nothing.
267  *
268  * This is for compatibility with older kernels.
269  */
270 static inline void list_add_tail_rcu(struct list_head *new,
271                                      struct list_head *head)
272 {
273         __list_add_rcu(new, head->prev, head);
274 }
275 
276 /**
277  * list_add_rcu - Add a new entry to rcu-protected list.
278  *
279  * @new:  Pointer to "struct list_head".
280  * @head: Pointer to "struct list_head".
281  *
282  * Returns nothing.
283  *
284  * This is for compatibility with older kernels.
285  */
286 static inline void list_add_rcu(struct list_head *new, struct list_head *head)
287 {
288         __list_add_rcu(new, head, head->next);
289 }
290 
291 #endif
292 
293 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 38)
294 
295 /**
296  * __list_del_entry - Deletes entry from list without re-initialization.
297  *
298  * @entry: Pointer to "struct list_head".
299  *
300  * Returns nothing.
301  *
302  * This is for compatibility with older kernels.
303  */
304 static inline void __list_del_entry(struct list_head *entry)
305 {
306         __list_del(entry->prev, entry->next);
307 }
308 
309 #endif
310 
311 #ifndef list_for_each_entry_safe
312 
313 /**
314  * list_for_each_entry_safe - Iterate over list of given type safe against removal of list entry.
315  *
316  * @pos:    The "type *" to use as a loop cursor.
317  * @n:      Another "type *" to use as temporary storage.
318  * @head:   Pointer to "struct list_head".
319  * @member: The name of the list_struct within the struct.
320  *
321  * This is for compatibility with older kernels.
322  */
323 #define list_for_each_entry_safe(pos, n, head, member)                  \
324         for (pos = list_entry((head)->next, typeof(*pos), member),      \
325                      n = list_entry(pos->member.next, typeof(*pos), member); \
326              &pos->member != (head);                                    \
327              pos = n, n = list_entry(n->member.next, typeof(*n), member))
328 
329 #endif
330 
331 #ifndef srcu_dereference
332 
333 /**
334  * srcu_dereference - Fetch SRCU-protected pointer with checking.
335  *
336  * @p:  The pointer to read, prior to dereferencing.
337  * @ss: Pointer to "struct srcu_struct".
338  *
339  * Returns @p.
340  *
341  * This is for compatibility with older kernels.
342  */
343 #define srcu_dereference(p, ss) rcu_dereference(p)
344 
345 #endif
346 
347 #ifndef list_for_each_entry_srcu
348 
349 /**
350  * list_for_each_entry_srcu - Iterate over rcu list of given type.
351  *
352  * @pos:    The type * to use as a loop cursor.
353  * @head:   The head for your list.
354  * @member: The name of the list_struct within the struct.
355  * @ss:     Pointer to "struct srcu_struct".
356  *
357  * As of 2.6.36, this macro is not provided because only TOMOYO wants it.
358  */
359 #define list_for_each_entry_srcu(pos, head, member, ss)               \
360         for (pos = list_entry(srcu_dereference((head)->next, ss),     \
361                               typeof(*pos), member);                  \
362              prefetch(pos->member.next), &pos->member != (head);      \
363              pos = list_entry(srcu_dereference(pos->member.next, ss), \
364                               typeof(*pos), member))
365 
366 #endif
367 
368 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 4, 30) || (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 9))
369 
370 #if LINUX_VERSION_CODE == KERNEL_VERSION(2, 4, 21)
371 #undef ssleep
372 #endif
373 
374 #ifndef ssleep
375 
376 /**
377  * ssleep - Sleep for specified seconds.
378  *
379  * @secs: Seconds to sleep.
380  *
381  * Returns nothing.
382  *
383  * This is for compatibility with older kernels.
384  *
385  * Since several distributions backported ssleep(), I define it as a macro
386  * rather than an inlined function in order to avoid multiple definition error.
387  */
388 #define ssleep(secs) {                                          \
389                 set_current_state(TASK_UNINTERRUPTIBLE);        \
390                 schedule_timeout((HZ * secs) + 1);              \
391         }
392 
393 #endif
394 
395 #endif
396 
397 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
398 
399 /**
400  * from_kuid - Convert kuid_t to uid_t.
401  *
402  * @ns:  Unused.
403  * @uid: kuid_t value.
404  *
405  * Returns uid seen from init's user namespace.
406  */
407 #define from_kuid(ns, uid) (uid)
408 
409 /**
410  * from_kgid - Convert kgid_t to gid_t.
411  *
412  * @ns:  Unused.
413  * @gid: kgid_t value.
414  *
415  * Returns gid seen from init's user namespace.
416  */
417 #define from_kgid(ns, gid) (gid)
418 
419 /**
420  * uid_eq - Check whether the uids are equals or not.
421  *
422  * @left: Uid seen from current user namespace.
423  * @right: Uid seen from current user namespace.
424  *
425  * Returns true if uid is root in init's user namespace, false otherwise.
426  */
427 #define uid_eq(left, right) ((left) == (right))
428 #define GLOBAL_ROOT_UID 0
429 
430 #endif
431 
432 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
433 #define d_backing_inode(upper) (upper)->d_inode
434 #endif
435 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 14, 0)
436 #define d_is_dir(dentry) ({ struct inode *inode = d_backing_inode(dentry); \
437                         inode && S_ISDIR(inode->i_mode); })
438 #endif
439 
440 /*
441  * TOMOYO specific part start.
442  */
443 
444 #include <linux/ccsecurity.h>
445 
446 /* Enumeration definition for internal use. */
447 
448 /* Index numbers for Access Controls. */
449 enum ccs_acl_entry_type_index {
450         CCS_TYPE_PATH_ACL,
451         CCS_TYPE_PATH2_ACL,
452         CCS_TYPE_PATH_NUMBER_ACL,
453         CCS_TYPE_MKDEV_ACL,
454         CCS_TYPE_MOUNT_ACL,
455 #ifdef CONFIG_CCSECURITY_MISC
456         CCS_TYPE_ENV_ACL,
457 #endif
458 #ifdef CONFIG_CCSECURITY_CAPABILITY
459         CCS_TYPE_CAPABILITY_ACL,
460 #endif
461 #ifdef CONFIG_CCSECURITY_NETWORK
462         CCS_TYPE_INET_ACL,
463         CCS_TYPE_UNIX_ACL,
464 #endif
465 #ifdef CONFIG_CCSECURITY_IPC
466         CCS_TYPE_SIGNAL_ACL,
467 #endif
468 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
469         CCS_TYPE_AUTO_EXECUTE_HANDLER,
470         CCS_TYPE_DENIED_EXECUTE_HANDLER,
471 #endif
472 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
473         CCS_TYPE_AUTO_TASK_ACL,
474         CCS_TYPE_MANUAL_TASK_ACL,
475 #endif
476 };
477 
478 /* Index numbers for "struct ccs_condition". */
479 enum ccs_conditions_index {
480         CCS_TASK_UID,             /* current_uid()   */
481         CCS_TASK_EUID,            /* current_euid()  */
482         CCS_TASK_SUID,            /* current_suid()  */
483         CCS_TASK_FSUID,           /* current_fsuid() */
484         CCS_TASK_GID,             /* current_gid()   */
485         CCS_TASK_EGID,            /* current_egid()  */
486         CCS_TASK_SGID,            /* current_sgid()  */
487         CCS_TASK_FSGID,           /* current_fsgid() */
488         CCS_TASK_PID,             /* sys_getpid()   */
489         CCS_TASK_PPID,            /* sys_getppid()  */
490         CCS_EXEC_ARGC,            /* "struct linux_binprm *"->argc */
491         CCS_EXEC_ENVC,            /* "struct linux_binprm *"->envc */
492         CCS_TYPE_IS_SOCKET,       /* S_IFSOCK */
493         CCS_TYPE_IS_SYMLINK,      /* S_IFLNK */
494         CCS_TYPE_IS_FILE,         /* S_IFREG */
495         CCS_TYPE_IS_BLOCK_DEV,    /* S_IFBLK */
496         CCS_TYPE_IS_DIRECTORY,    /* S_IFDIR */
497         CCS_TYPE_IS_CHAR_DEV,     /* S_IFCHR */
498         CCS_TYPE_IS_FIFO,         /* S_IFIFO */
499         CCS_MODE_SETUID,          /* S_ISUID */
500         CCS_MODE_SETGID,          /* S_ISGID */
501         CCS_MODE_STICKY,          /* S_ISVTX */
502         CCS_MODE_OWNER_READ,      /* S_IRUSR */
503         CCS_MODE_OWNER_WRITE,     /* S_IWUSR */
504         CCS_MODE_OWNER_EXECUTE,   /* S_IXUSR */
505         CCS_MODE_GROUP_READ,      /* S_IRGRP */
506         CCS_MODE_GROUP_WRITE,     /* S_IWGRP */
507         CCS_MODE_GROUP_EXECUTE,   /* S_IXGRP */
508         CCS_MODE_OTHERS_READ,     /* S_IROTH */
509         CCS_MODE_OTHERS_WRITE,    /* S_IWOTH */
510         CCS_MODE_OTHERS_EXECUTE,  /* S_IXOTH */
511         CCS_TASK_TYPE,            /* ((u8) task->ccs_flags) &
512                                      CCS_TASK_IS_EXECUTE_HANDLER */
513         CCS_TASK_EXECUTE_HANDLER, /* CCS_TASK_IS_EXECUTE_HANDLER */
514         CCS_EXEC_REALPATH,
515         CCS_SYMLINK_TARGET,
516         CCS_PATH1_UID,
517         CCS_PATH1_GID,
518         CCS_PATH1_INO,
519         CCS_PATH1_MAJOR,
520         CCS_PATH1_MINOR,
521         CCS_PATH1_PERM,
522         CCS_PATH1_TYPE,
523         CCS_PATH1_DEV_MAJOR,
524         CCS_PATH1_DEV_MINOR,
525         CCS_PATH2_UID,
526         CCS_PATH2_GID,
527         CCS_PATH2_INO,
528         CCS_PATH2_MAJOR,
529         CCS_PATH2_MINOR,
530         CCS_PATH2_PERM,
531         CCS_PATH2_TYPE,
532         CCS_PATH2_DEV_MAJOR,
533         CCS_PATH2_DEV_MINOR,
534         CCS_PATH1_PARENT_UID,
535         CCS_PATH1_PARENT_GID,
536         CCS_PATH1_PARENT_INO,
537         CCS_PATH1_PARENT_PERM,
538         CCS_PATH2_PARENT_UID,
539         CCS_PATH2_PARENT_GID,
540         CCS_PATH2_PARENT_INO,
541         CCS_PATH2_PARENT_PERM,
542         CCS_MAX_CONDITION_KEYWORD,
543         CCS_NUMBER_UNION,
544         CCS_NAME_UNION,
545         CCS_ARGV_ENTRY,
546         CCS_ENVP_ENTRY,
547 };
548 
549 /* Index numbers for domain's attributes. */
550 enum ccs_domain_info_flags_index {
551         /* Quota warnning flag.   */
552         CCS_DIF_QUOTA_WARNED,
553         /*
554          * This domain was unable to create a new domain at
555          * ccs_find_next_domain() because the name of the domain to be created
556          * was too long or it could not allocate memory.
557          * More than one process continued execve() without domain transition.
558          */
559         CCS_DIF_TRANSITION_FAILED,
560         CCS_MAX_DOMAIN_INFO_FLAGS
561 };
562 
563 /* Index numbers for audit type. */
564 enum ccs_grant_log {
565         /* Follow profile's configuration. */
566         CCS_GRANTLOG_AUTO,
567         /* Do not generate grant log. */
568         CCS_GRANTLOG_NO,
569         /* Generate grant_log. */
570         CCS_GRANTLOG_YES,
571 };
572 
573 /* Index numbers for group entries. */
574 enum ccs_group_id {
575         CCS_PATH_GROUP,
576         CCS_NUMBER_GROUP,
577 #ifdef CONFIG_CCSECURITY_NETWORK
578         CCS_ADDRESS_GROUP,
579 #endif
580         CCS_MAX_GROUP
581 };
582 
583 /* Index numbers for category of functionality. */
584 enum ccs_mac_category_index {
585         CCS_MAC_CATEGORY_FILE,
586 #ifdef CONFIG_CCSECURITY_NETWORK
587         CCS_MAC_CATEGORY_NETWORK,
588 #endif
589 #ifdef CONFIG_CCSECURITY_MISC
590         CCS_MAC_CATEGORY_MISC,
591 #endif
592 #ifdef CONFIG_CCSECURITY_IPC
593         CCS_MAC_CATEGORY_IPC,
594 #endif
595 #ifdef CONFIG_CCSECURITY_CAPABILITY
596         CCS_MAC_CATEGORY_CAPABILITY,
597 #endif
598         CCS_MAX_MAC_CATEGORY_INDEX
599 };
600 
601 /* Index numbers for functionality. */
602 enum ccs_mac_index {
603         CCS_MAC_FILE_EXECUTE,
604         CCS_MAC_FILE_OPEN,
605         CCS_MAC_FILE_CREATE,
606         CCS_MAC_FILE_UNLINK,
607 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
608         CCS_MAC_FILE_GETATTR,
609 #endif
610         CCS_MAC_FILE_MKDIR,
611         CCS_MAC_FILE_RMDIR,
612         CCS_MAC_FILE_MKFIFO,
613         CCS_MAC_FILE_MKSOCK,
614         CCS_MAC_FILE_TRUNCATE,
615         CCS_MAC_FILE_SYMLINK,
616         CCS_MAC_FILE_MKBLOCK,
617         CCS_MAC_FILE_MKCHAR,
618         CCS_MAC_FILE_LINK,
619         CCS_MAC_FILE_RENAME,
620         CCS_MAC_FILE_CHMOD,
621         CCS_MAC_FILE_CHOWN,
622         CCS_MAC_FILE_CHGRP,
623         CCS_MAC_FILE_IOCTL,
624         CCS_MAC_FILE_CHROOT,
625         CCS_MAC_FILE_MOUNT,
626         CCS_MAC_FILE_UMOUNT,
627         CCS_MAC_FILE_PIVOT_ROOT,
628 #ifdef CONFIG_CCSECURITY_NETWORK
629         CCS_MAC_NETWORK_INET_STREAM_BIND,
630         CCS_MAC_NETWORK_INET_STREAM_LISTEN,
631         CCS_MAC_NETWORK_INET_STREAM_CONNECT,
632         CCS_MAC_NETWORK_INET_STREAM_ACCEPT,
633         CCS_MAC_NETWORK_INET_DGRAM_BIND,
634         CCS_MAC_NETWORK_INET_DGRAM_SEND,
635 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
636         CCS_MAC_NETWORK_INET_DGRAM_RECV,
637 #endif
638         CCS_MAC_NETWORK_INET_RAW_BIND,
639         CCS_MAC_NETWORK_INET_RAW_SEND,
640 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
641         CCS_MAC_NETWORK_INET_RAW_RECV,
642 #endif
643         CCS_MAC_NETWORK_UNIX_STREAM_BIND,
644         CCS_MAC_NETWORK_UNIX_STREAM_LISTEN,
645         CCS_MAC_NETWORK_UNIX_STREAM_CONNECT,
646         CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT,
647         CCS_MAC_NETWORK_UNIX_DGRAM_BIND,
648         CCS_MAC_NETWORK_UNIX_DGRAM_SEND,
649 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
650         CCS_MAC_NETWORK_UNIX_DGRAM_RECV,
651 #endif
652         CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND,
653         CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
654         CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
655         CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT,
656 #endif
657 #ifdef CONFIG_CCSECURITY_MISC
658         CCS_MAC_ENVIRON,
659 #endif
660 #ifdef CONFIG_CCSECURITY_IPC
661         CCS_MAC_SIGNAL,
662 #endif
663 #ifdef CONFIG_CCSECURITY_CAPABILITY
664         CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET,
665         CCS_MAC_CAPABILITY_USE_PACKET_SOCKET,
666         CCS_MAC_CAPABILITY_SYS_REBOOT,
667         CCS_MAC_CAPABILITY_SYS_VHANGUP,
668         CCS_MAC_CAPABILITY_SYS_SETTIME,
669         CCS_MAC_CAPABILITY_SYS_NICE,
670         CCS_MAC_CAPABILITY_SYS_SETHOSTNAME,
671         CCS_MAC_CAPABILITY_USE_KERNEL_MODULE,
672         CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD,
673         CCS_MAC_CAPABILITY_SYS_PTRACE,
674 #endif
675         CCS_MAX_MAC_INDEX
676 };
677 
678 /* Index numbers for /proc/ccs/stat interface. */
679 enum ccs_memory_stat_type {
680         CCS_MEMORY_POLICY,
681         CCS_MEMORY_AUDIT,
682         CCS_MEMORY_QUERY,
683         CCS_MAX_MEMORY_STAT
684 };
685 
686 /* Index numbers for access controls with one pathname and three numbers. */
687 enum ccs_mkdev_acl_index {
688         CCS_TYPE_MKBLOCK,
689         CCS_TYPE_MKCHAR,
690         CCS_MAX_MKDEV_OPERATION
691 };
692 
693 /* Index numbers for operation mode. */
694 enum ccs_mode_value {
695         CCS_CONFIG_DISABLED,
696         CCS_CONFIG_LEARNING,
697         CCS_CONFIG_PERMISSIVE,
698         CCS_CONFIG_ENFORCING,
699         CCS_CONFIG_MAX_MODE,
700         CCS_CONFIG_WANT_REJECT_LOG =  64,
701         CCS_CONFIG_WANT_GRANT_LOG  = 128,
702         CCS_CONFIG_USE_DEFAULT     = 255,
703 };
704 
705 /* Index numbers for socket operations. */
706 enum ccs_network_acl_index {
707         CCS_NETWORK_BIND,    /* bind() operation. */
708         CCS_NETWORK_LISTEN,  /* listen() operation. */
709         CCS_NETWORK_CONNECT, /* connect() operation. */
710         CCS_NETWORK_ACCEPT,  /* accept() operation. */
711         CCS_NETWORK_SEND,    /* send() operation. */
712 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
713         CCS_NETWORK_RECV,    /* recv() operation. */
714 #endif
715         CCS_MAX_NETWORK_OPERATION
716 };
717 
718 /* Index numbers for access controls with two pathnames. */
719 enum ccs_path2_acl_index {
720         CCS_TYPE_LINK,
721         CCS_TYPE_RENAME,
722         CCS_TYPE_PIVOT_ROOT,
723         CCS_MAX_PATH2_OPERATION
724 };
725 
726 /* Index numbers for access controls with one pathname. */
727 enum ccs_path_acl_index {
728         CCS_TYPE_EXECUTE,
729         CCS_TYPE_READ,
730         CCS_TYPE_WRITE,
731         CCS_TYPE_APPEND,
732         CCS_TYPE_UNLINK,
733 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
734         CCS_TYPE_GETATTR,
735 #endif
736         CCS_TYPE_RMDIR,
737         CCS_TYPE_TRUNCATE,
738         CCS_TYPE_SYMLINK,
739         CCS_TYPE_CHROOT,
740         CCS_TYPE_UMOUNT,
741         CCS_MAX_PATH_OPERATION
742 };
743 
744 /* Index numbers for access controls with one pathname and one number. */
745 enum ccs_path_number_acl_index {
746         CCS_TYPE_CREATE,
747         CCS_TYPE_MKDIR,
748         CCS_TYPE_MKFIFO,
749         CCS_TYPE_MKSOCK,
750         CCS_TYPE_IOCTL,
751         CCS_TYPE_CHMOD,
752         CCS_TYPE_CHOWN,
753         CCS_TYPE_CHGRP,
754         CCS_MAX_PATH_NUMBER_OPERATION
755 };
756 
757 /* Index numbers for stat(). */
758 enum ccs_path_stat_index {
759         /* Do not change this order. */
760         CCS_PATH1,
761         CCS_PATH1_PARENT,
762         CCS_PATH2,
763         CCS_PATH2_PARENT,
764         CCS_MAX_PATH_STAT
765 };
766 
767 /* Index numbers for entry type. */
768 enum ccs_policy_id {
769 #ifdef CONFIG_CCSECURITY_PORTRESERVE
770         CCS_ID_RESERVEDPORT,
771 #endif
772         CCS_ID_GROUP,
773 #ifdef CONFIG_CCSECURITY_NETWORK
774         CCS_ID_ADDRESS_GROUP,
775 #endif
776         CCS_ID_PATH_GROUP,
777         CCS_ID_NUMBER_GROUP,
778         CCS_ID_AGGREGATOR,
779         CCS_ID_TRANSITION_CONTROL,
780         CCS_ID_MANAGER,
781         CCS_ID_CONDITION,
782         CCS_ID_NAME,
783         CCS_ID_ACL,
784         CCS_ID_DOMAIN,
785         CCS_MAX_POLICY
786 };
787 
788 /* Index numbers for /proc/ccs/stat interface. */
789 enum ccs_policy_stat_type {
790         /* Do not change this order. */
791         CCS_STAT_POLICY_UPDATES,
792         CCS_STAT_POLICY_LEARNING,   /* == CCS_CONFIG_LEARNING */
793         CCS_STAT_POLICY_PERMISSIVE, /* == CCS_CONFIG_PERMISSIVE */
794         CCS_STAT_POLICY_ENFORCING,  /* == CCS_CONFIG_ENFORCING */
795         CCS_MAX_POLICY_STAT
796 };
797 
798 /* Index numbers for profile's PREFERENCE values. */
799 enum ccs_pref_index {
800         CCS_PREF_MAX_AUDIT_LOG,
801         CCS_PREF_MAX_LEARNING_ENTRY,
802         CCS_PREF_ENFORCING_PENALTY,
803         CCS_MAX_PREF
804 };
805 
806 /* Index numbers for /proc/ccs/ interfaces. */
807 enum ccs_proc_interface_index {
808         CCS_DOMAIN_POLICY,
809         CCS_EXCEPTION_POLICY,
810         CCS_PROCESS_STATUS,
811         CCS_STAT,
812         CCS_AUDIT,
813         CCS_VERSION,
814         CCS_PROFILE,
815         CCS_QUERY,
816         CCS_MANAGER,
817 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
818         CCS_EXECUTE_HANDLER,
819 #endif
820 };
821 
822 /* Index numbers for special mount operations. */
823 enum ccs_special_mount {
824         CCS_MOUNT_BIND,            /* mount --bind /source /dest   */
825         CCS_MOUNT_MOVE,            /* mount --move /old /new       */
826         CCS_MOUNT_REMOUNT,         /* mount -o remount /dir        */
827         CCS_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
828         CCS_MOUNT_MAKE_PRIVATE,    /* mount --make-private /dir    */
829         CCS_MOUNT_MAKE_SLAVE,      /* mount --make-slave /dir      */
830         CCS_MOUNT_MAKE_SHARED,     /* mount --make-shared /dir     */
831         CCS_MAX_SPECIAL_MOUNT
832 };
833 
834 /* Index numbers for domain transition control keywords. */
835 enum ccs_transition_type {
836         /* Do not change this order, */
837         CCS_TRANSITION_CONTROL_NO_RESET,
838         CCS_TRANSITION_CONTROL_RESET,
839         CCS_TRANSITION_CONTROL_NO_INITIALIZE,
840         CCS_TRANSITION_CONTROL_INITIALIZE,
841         CCS_TRANSITION_CONTROL_NO_KEEP,
842         CCS_TRANSITION_CONTROL_KEEP,
843         CCS_MAX_TRANSITION_TYPE
844 };
845 
846 /* Index numbers for type of numeric values. */
847 enum ccs_value_type {
848         CCS_VALUE_TYPE_INVALID,
849         CCS_VALUE_TYPE_DECIMAL,
850         CCS_VALUE_TYPE_OCTAL,
851         CCS_VALUE_TYPE_HEXADECIMAL,
852 };
853 
854 /* Constants definition for internal use. */
855 
856 /*
857  * TOMOYO uses this hash only when appending a string into the string table.
858  * Frequency of appending strings is very low. So we don't need large (e.g.
859  * 64k) hash size. 256 will be sufficient.
860  */
861 #define CCS_HASH_BITS 8
862 #define CCS_MAX_HASH (1u << CCS_HASH_BITS)
863 
864 /*
865  * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
866  * Therefore, we don't need SOCK_MAX.
867  */
868 #define CCS_SOCK_MAX 6
869 
870 /* Size of temporary buffer for execve() operation. */
871 #define CCS_EXEC_TMPSIZE     4096
872 
873 /* Garbage collector is trying to kfree() this element. */
874 #define CCS_GC_IN_PROGRESS -1
875 
876 /* Profile number is an integer between 0 and 255. */
877 #define CCS_MAX_PROFILES 256
878 
879 /* Group number is an integer between 0 and 255. */
880 #define CCS_MAX_ACL_GROUPS 256
881 
882 /* Current thread is doing open(O_RDONLY | O_TRUNC) ? */
883 #define CCS_OPEN_FOR_READ_TRUNCATE        1
884 /* Current thread is doing open(3) ? */
885 #define CCS_OPEN_FOR_IOCTL_ONLY           2
886 /* Current thread is doing do_execve() ? */
887 #define CCS_TASK_IS_IN_EXECVE             4
888 /* Current thread is running as an execute handler program? */
889 #define CCS_TASK_IS_EXECUTE_HANDLER       8
890 /* Current thread is allowed to modify policy via /proc/ccs/ interface? */
891 #define CCS_TASK_IS_MANAGER              16
892 
893 /*
894  * Retry this request. Returned by ccs_supervisor() if policy violation has
895  * occurred in enforcing mode and the userspace daemon decided to retry.
896  *
897  * We must choose a positive value in order to distinguish "granted" (which is
898  * 0) and "rejected" (which is a negative value) and "retry".
899  */
900 #define CCS_RETRY_REQUEST 1
901 
902 /* The gfp flags used by TOMOYO. */
903 #define CCS_GFP_FLAGS GFP_NOFS
904 
905 /* Size of read buffer for /proc/ccs/ interface. */
906 #define CCS_MAX_IO_READ_QUEUE 64
907 
908 /* Structure definition for internal use. */
909 
910 /* Common header for holding ACL entries. */
911 struct ccs_acl_head {
912         struct list_head list;
913         s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
914 } __packed;
915 
916 /* Common header for shared entries. */
917 struct ccs_shared_acl_head {
918         struct list_head list;
919         atomic_t users;
920 } __packed;
921 
922 /* Common header for individual entries. */
923 struct ccs_acl_info {
924         struct list_head list;
925         struct ccs_condition *cond; /* Maybe NULL. */
926         s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
927         u8 type; /* One of values in "enum ccs_acl_entry_type_index". */
928         u16 perm;
929 } __packed;
930 
931 /* Structure for holding a word. */
932 struct ccs_name_union {
933         /* Either @filename or @group is NULL. */
934         const struct ccs_path_info *filename;
935         struct ccs_group *group;
936 };
937 
938 /* Structure for holding a number. */
939 struct ccs_number_union {
940         unsigned long values[2];
941         struct ccs_group *group; /* Maybe NULL. */
942         /* One of values in "enum ccs_value_type". */
943         u8 value_type[2];
944 };
945 
946 /* Structure for holding an IP address. */
947 struct ccs_ipaddr_union {
948         struct in6_addr ip[2]; /* Big endian. */
949         struct ccs_group *group; /* Pointer to address group. */
950         bool is_ipv6; /* Valid only if @group == NULL. */
951 };
952 
953 /* Structure for "path_group"/"number_group"/"address_group" directive. */
954 struct ccs_group {
955         struct ccs_shared_acl_head head;
956         /* Name of group (without leading '@'). */
957         const struct ccs_path_info *group_name;
958         /*
959          * List of "struct ccs_path_group" or "struct ccs_number_group" or
960          * "struct ccs_address_group".
961          */
962         struct list_head member_list;
963 };
964 
965 /* Structure for "path_group" directive. */
966 struct ccs_path_group {
967         struct ccs_acl_head head;
968         const struct ccs_path_info *member_name;
969 };
970 
971 /* Structure for "number_group" directive. */
972 struct ccs_number_group {
973         struct ccs_acl_head head;
974         struct ccs_number_union number;
975 };
976 
977 /* Structure for "address_group" directive. */
978 struct ccs_address_group {
979         struct ccs_acl_head head;
980         /* Structure for holding an IP address. */
981         struct ccs_ipaddr_union address;
982 };
983 
984 /* Subset of "struct stat". Used by conditional ACL and audit logs. */
985 struct ccs_mini_stat {
986 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
987         kuid_t uid;
988         kgid_t gid;
989 #else
990         uid_t uid;
991         gid_t gid;
992 #endif
993         ino_t ino;
994         umode_t mode;
995         dev_t dev;
996         dev_t rdev;
997 };
998 
999 /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */
1000 struct ccs_page_dump {
1001         struct page *page;    /* Previously dumped page. */
1002         char *data;           /* Contents of "page". Size is PAGE_SIZE. */
1003 };
1004 
1005 /* Structure for attribute checks in addition to pathname checks. */
1006 struct ccs_obj_info {
1007         /* True if ccs_get_attributes() was already called, false otherwise. */
1008         bool validate_done;
1009         /* True if @stat[] is valid. */
1010         bool stat_valid[CCS_MAX_PATH_STAT];
1011         /* First pathname. Initialized with { NULL, NULL } if no path. */
1012         struct path path1;
1013         /* Second pathname. Initialized with { NULL, NULL } if no path. */
1014         struct path path2;
1015         /*
1016          * Information on @path1, @path1's parent directory, @path2, @path2's
1017          * parent directory.
1018          */
1019         struct ccs_mini_stat stat[CCS_MAX_PATH_STAT];
1020         /*
1021          * Content of symbolic link to be created. NULL for operations other
1022          * than symlink().
1023          */
1024         struct ccs_path_info *symlink_target;
1025 };
1026 
1027 /* Structure for entries which follows "struct ccs_condition". */
1028 struct ccs_condition_element {
1029         /*
1030          * Left hand operand. A "struct ccs_argv" for CCS_ARGV_ENTRY, a
1031          * "struct ccs_envp" for CCS_ENVP_ENTRY is attached to the tail
1032          * of the array of this struct.
1033          */
1034         u8 left;
1035         /*
1036          * Right hand operand. A "struct ccs_number_union" for
1037          * CCS_NUMBER_UNION, a "struct ccs_name_union" for CCS_NAME_UNION is
1038          * attached to the tail of the array of this struct.
1039          */
1040         u8 right;
1041         /* Equation operator. True if equals or overlaps, false otherwise. */
1042         bool equals;
1043 };
1044 
1045 /* Structure for optional arguments. */
1046 struct ccs_condition {
1047         struct ccs_shared_acl_head head;
1048         u32 size; /* Memory size allocated for this entry. */
1049         u16 condc; /* Number of conditions in this struct. */
1050         u16 numbers_count; /* Number of "struct ccs_number_union values". */
1051         u16 names_count; /* Number of "struct ccs_name_union names". */
1052         u16 argc; /* Number of "struct ccs_argv". */
1053         u16 envc; /* Number of "struct ccs_envp". */
1054         u8 grant_log; /* One of values in "enum ccs_grant_log". */
1055         bool exec_transit; /* True if transit is for "file execute". */
1056         const struct ccs_path_info *transit; /* Maybe NULL. */
1057         /*
1058          * struct ccs_condition_element condition[condc];
1059          * struct ccs_number_union values[numbers_count];
1060          * struct ccs_name_union names[names_count];
1061          * struct ccs_argv argv[argc];
1062          * struct ccs_envp envp[envc];
1063          */
1064 };
1065 
1066 struct ccs_execve;
1067 struct ccs_policy_namespace;
1068 
1069 /* Structure for request info. */
1070 struct ccs_request_info {
1071         /*
1072          * For holding parameters specific to operations which deal files.
1073          * NULL if not dealing files.
1074          */
1075         struct ccs_obj_info *obj;
1076         /*
1077          * For holding parameters specific to execve() request.
1078          * NULL if not dealing do_execve().
1079          */
1080         struct ccs_execve *ee;
1081         /*
1082          * For holding parameters.
1083          * Pointers in this union are not NULL except path->matched_path.
1084          */
1085         union {
1086                 struct {
1087                         const struct ccs_path_info *filename;
1088                         /*
1089                          * For using wildcards at ccs_find_next_domain().
1090                          *
1091                          * The matched_acl cannot be used because it may refer
1092                          * a "struct ccs_path_acl" with ->is_group == true.
1093                          * We want to use exact "struct ccs_path_info" rather
1094                          * than "struct ccs_path_acl".
1095                          */
1096                         const struct ccs_path_info *matched_path;
1097                         /* One of values in "enum ccs_path_acl_index". */
1098                         u8 operation;
1099                 } path;
1100                 struct {
1101                         const struct ccs_path_info *filename1;
1102                         const struct ccs_path_info *filename2;
1103                         /* One of values in "enum ccs_path2_acl_index". */
1104                         u8 operation;
1105                 } path2;
1106                 struct {
1107                         const struct ccs_path_info *filename;
1108                         unsigned int mode;
1109                         unsigned int major;
1110                         unsigned int minor;
1111                         /* One of values in "enum ccs_mkdev_acl_index". */
1112                         u8 operation;
1113                 } mkdev;
1114                 struct {
1115                         const struct ccs_path_info *filename;
1116                         unsigned long number;
1117                         /*
1118                          * One of values in "enum ccs_path_number_acl_index".
1119                          */
1120                         u8 operation;
1121                 } path_number;
1122 #ifdef CONFIG_CCSECURITY_NETWORK
1123                 struct {
1124                         const u32 *address; /* Big endian. */
1125                         u16 port; /* Host endian. */
1126                         /* One of values smaller than CCS_SOCK_MAX. */
1127                         u8 protocol;
1128                         /* One of values in "enum ccs_network_acl_index". */
1129                         u8 operation;
1130                         bool is_ipv6;
1131                 } inet_network;
1132                 struct {
1133                         const struct ccs_path_info *address;
1134                         /* One of values smaller than CCS_SOCK_MAX. */
1135                         u8 protocol;
1136                         /* One of values in "enum ccs_network_acl_index". */
1137                         u8 operation;
1138                 } unix_network;
1139 #endif
1140 #ifdef CONFIG_CCSECURITY_MISC
1141                 struct {
1142                         const struct ccs_path_info *name;
1143                 } environ;
1144 #endif
1145 #ifdef CONFIG_CCSECURITY_CAPABILITY
1146                 struct {
1147                         /* One of values in "enum ccs_capability_acl_index". */
1148                         u8 operation;
1149                 } capability;
1150 #endif
1151 #ifdef CONFIG_CCSECURITY_IPC
1152                 struct {
1153                         const char *dest_pattern;
1154                         int sig;
1155                 } signal;
1156 #endif
1157                 struct {
1158                         const struct ccs_path_info *type;
1159                         const struct ccs_path_info *dir;
1160                         const struct ccs_path_info *dev;
1161                         unsigned long flags;
1162                         int need_dev;
1163                 } mount;
1164 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
1165                 struct {
1166                         const struct ccs_path_info *domainname;
1167                 } task;
1168 #endif
1169         } param;
1170         /*
1171          * For updating current->ccs_domain_info at ccs_update_task_domain().
1172          * Initialized to NULL at ccs_init_request_info().
1173          * Matching "struct ccs_acl_info" is copied if access request was
1174          * granted. Re-initialized to NULL at ccs_update_task_domain().
1175          */
1176         struct ccs_acl_info *matched_acl;
1177         u8 param_type; /* One of values in "enum ccs_acl_entry_type_index". */
1178         bool granted; /* True if granted, false otherwise. */
1179         /* True if current thread should not be carried sleep penalty. */
1180         bool dont_sleep_on_enforce_error;
1181         /*
1182          * For counting number of retries made for this request.
1183          * This counter is incremented whenever ccs_supervisor() returned
1184          * CCS_RETRY_REQUEST.
1185          */
1186         u8 retry;
1187         /*
1188          * For holding profile number used for this request.
1189          * One of values between 0 and CCS_MAX_PROFILES - 1.
1190          */
1191         u8 profile;
1192         /*
1193          * For holding operation mode used for this request.
1194          * One of CCS_CONFIG_DISABLED, CCS_CONFIG_LEARNING,
1195          * CCS_CONFIG_PERMISSIVE, CCS_CONFIG_ENFORCING.
1196          */
1197         u8 mode;
1198         /*
1199          * For holding operation index used for this request.
1200          * Used by ccs_init_request_info() / ccs_get_mode() /
1201          * ccs_write_log(). One of values in "enum ccs_mac_index".
1202          */
1203         u8 type;
1204 };
1205 
1206 /* Structure for holding a token. */
1207 struct ccs_path_info {
1208         const char *name;
1209         u32 hash;          /* = full_name_hash(name, strlen(name)) */
1210         u16 total_len;     /* = strlen(name)                       */
1211         u16 const_len;     /* = ccs_const_part_length(name)        */
1212         bool is_dir;       /* = ccs_strendswith(name, "/")         */
1213         bool is_patterned; /* = const_len < total_len              */
1214 };
1215 
1216 /* Structure for execve() operation. */
1217 struct ccs_execve {
1218         struct ccs_request_info r;
1219         struct ccs_obj_info obj;
1220         struct linux_binprm *bprm;
1221         struct ccs_domain_info *previous_domain;
1222         const struct ccs_path_info *transition;
1223         /* For execute_handler */
1224         const struct ccs_path_info *handler;
1225         char *handler_path; /* = kstrdup(handler->name, CCS_GFP_FLAGS) */
1226         /* For dumping argv[] and envp[]. */
1227         struct ccs_page_dump dump;
1228         /* For temporary use. */
1229         char *tmp; /* Size is CCS_EXEC_TMPSIZE bytes */
1230 };
1231 
1232 /* Structure for domain information. */
1233 struct ccs_domain_info {
1234         struct list_head list;
1235         struct list_head acl_info_list;
1236         /* Name of this domain. Never NULL.          */
1237         const struct ccs_path_info *domainname;
1238         /* Namespace for this domain. Never NULL. */
1239         struct ccs_policy_namespace *ns;
1240         /* Group numbers to use. */
1241         unsigned long group[CCS_MAX_ACL_GROUPS / BITS_PER_LONG];
1242         u8 profile;        /* Profile number to use. */
1243         bool is_deleted;   /* Delete flag.           */
1244         bool flags[CCS_MAX_DOMAIN_INFO_FLAGS];
1245 };
1246 
1247 /*
1248  * Structure for "reset_domain"/"no_reset_domain"/"initialize_domain"/
1249  * "no_initialize_domain"/"keep_domain"/"no_keep_domain" keyword.
1250  */
1251 struct ccs_transition_control {
1252         struct ccs_acl_head head;
1253         u8 type; /* One of values in "enum ccs_transition_type" */
1254         bool is_last_name; /* True if the domainname is ccs_last_word(). */
1255         const struct ccs_path_info *domainname; /* Maybe NULL */
1256         const struct ccs_path_info *program;    /* Maybe NULL */
1257 };
1258 
1259 /* Structure for "aggregator" keyword. */
1260 struct ccs_aggregator {
1261         struct ccs_acl_head head;
1262         const struct ccs_path_info *original_name;
1263         const struct ccs_path_info *aggregated_name;
1264 };
1265 
1266 /* Structure for "deny_autobind" keyword. */
1267 struct ccs_reserved {
1268         struct ccs_acl_head head;
1269         struct ccs_number_union port;
1270 };
1271 
1272 /* Structure for policy manager. */
1273 struct ccs_manager {
1274         struct ccs_acl_head head;
1275         /* A path to program or a domainname. */
1276         const struct ccs_path_info *manager;
1277 };
1278 
1279 /* Structure for argv[]. */
1280 struct ccs_argv {
1281         unsigned long index;
1282         const struct ccs_path_info *value;
1283         bool is_not;
1284 };
1285 
1286 /* Structure for envp[]. */
1287 struct ccs_envp {
1288         const struct ccs_path_info *name;
1289         const struct ccs_path_info *value;
1290         bool is_not;
1291 };
1292 
1293 /*
1294  * Structure for "task auto_execute_handler" and "task denied_execute_handler"
1295  * directive.
1296  *
1297  * If "task auto_execute_handler" directive exists and the current process is
1298  * not an execute handler, all execve() requests are replaced by execve()
1299  * requests of a program specified by "task auto_execute_handler" directive.
1300  * If the current process is an execute handler, "task auto_execute_handler"
1301  * and "task denied_execute_handler" directives are ignored.
1302  * The program specified by "task execute_handler" validates execve()
1303  * parameters and executes the original execve() requests if appropriate.
1304  *
1305  * "task denied_execute_handler" directive is used only when execve() request
1306  * was rejected in enforcing mode (i.e. CONFIG::file::execute={ mode=enforcing
1307  * }). The program specified by "task denied_execute_handler" does whatever it
1308  * wants to do (e.g. silently terminate, change firewall settings, redirect the
1309  * user to honey pot etc.).
1310  */
1311 struct ccs_handler_acl {
1312         struct ccs_acl_info head;       /* type = CCS_TYPE_*_EXECUTE_HANDLER */
1313         const struct ccs_path_info *handler; /* Pointer to single pathname.  */
1314 };
1315 
1316 /*
1317  * Structure for "task auto_domain_transition" and
1318  * "task manual_domain_transition" directive.
1319  */
1320 struct ccs_task_acl {
1321         struct ccs_acl_info head; /* type = CCS_TYPE_*_TASK_ACL */
1322         /* Pointer to domainname. */
1323         const struct ccs_path_info *domainname;
1324 };
1325 
1326 /*
1327  * Structure for "file execute", "file read", "file write", "file append",
1328  * "file unlink", "file getattr", "file rmdir", "file truncate",
1329  * "file symlink", "file chroot" and "file unmount" directive.
1330  */
1331 struct ccs_path_acl {
1332         struct ccs_acl_info head; /* type = CCS_TYPE_PATH_ACL */
1333         struct ccs_name_union name;
1334 };
1335 
1336 /*
1337  * Structure for "file rename", "file link" and "file pivot_root" directive.
1338  */
1339 struct ccs_path2_acl {
1340         struct ccs_acl_info head; /* type = CCS_TYPE_PATH2_ACL */
1341         struct ccs_name_union name1;
1342         struct ccs_name_union name2;
1343 };
1344 
1345 /*
1346  * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
1347  * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
1348  */
1349 struct ccs_path_number_acl {
1350         struct ccs_acl_info head; /* type = CCS_TYPE_PATH_NUMBER_ACL */
1351         struct ccs_name_union name;
1352         struct ccs_number_union number;
1353 };
1354 
1355 /* Structure for "file mkblock" and "file mkchar" directive. */
1356 struct ccs_mkdev_acl {
1357         struct ccs_acl_info head; /* type = CCS_TYPE_MKDEV_ACL */
1358         struct ccs_name_union name;
1359         struct ccs_number_union mode;
1360         struct ccs_number_union major;
1361         struct ccs_number_union minor;
1362 };
1363 
1364 /* Structure for "file mount" directive. */
1365 struct ccs_mount_acl {
1366         struct ccs_acl_info head; /* type = CCS_TYPE_MOUNT_ACL */
1367         struct ccs_name_union dev_name;
1368         struct ccs_name_union dir_name;
1369         struct ccs_name_union fs_type;
1370         struct ccs_number_union flags;
1371 };
1372 
1373 /* Structure for "misc env" directive in domain policy. */
1374 struct ccs_env_acl {
1375         struct ccs_acl_info head;        /* type = CCS_TYPE_ENV_ACL  */
1376         const struct ccs_path_info *env; /* environment variable */
1377 };
1378 
1379 /* Structure for "capability" directive. */
1380 struct ccs_capability_acl {
1381         struct ccs_acl_info head; /* type = CCS_TYPE_CAPABILITY_ACL */
1382         u8 operation; /* One of values in "enum ccs_capability_acl_index". */
1383 };
1384 
1385 /* Structure for "ipc signal" directive. */
1386 struct ccs_signal_acl {
1387         struct ccs_acl_info head; /* type = CCS_TYPE_SIGNAL_ACL */
1388         struct ccs_number_union sig;
1389         /* Pointer to destination pattern. */
1390         const struct ccs_path_info *domainname;
1391 };
1392 
1393 /* Structure for "network inet" directive. */
1394 struct ccs_inet_acl {
1395         struct ccs_acl_info head; /* type = CCS_TYPE_INET_ACL */
1396         u8 protocol;
1397         struct ccs_ipaddr_union address;
1398         struct ccs_number_union port;
1399 };
1400 
1401 /* Structure for "network unix" directive. */
1402 struct ccs_unix_acl {
1403         struct ccs_acl_info head; /* type = CCS_TYPE_UNIX_ACL */
1404         u8 protocol;
1405         struct ccs_name_union name;
1406 };
1407 
1408 /* Structure for holding string data. */
1409 struct ccs_name {
1410         struct ccs_shared_acl_head head;
1411         int size; /* Memory size allocated for this entry. */
1412         struct ccs_path_info entry;
1413 };
1414 
1415 /* Structure for holding a line from /proc/ccs/ interface. */
1416 struct ccs_acl_param {
1417         char *data; /* Unprocessed data. */
1418         struct list_head *list; /* List to add or remove. */
1419         struct ccs_policy_namespace *ns; /* Namespace to use. */
1420         bool is_delete; /* True if it is a delete request. */
1421         union ccs_acl_union {
1422                 struct ccs_acl_info acl_info;
1423                 struct ccs_handler_acl handler_acl;
1424                 struct ccs_task_acl task_acl;
1425                 struct ccs_path_acl path_acl;
1426                 struct ccs_path2_acl path2_acl;
1427                 struct ccs_path_number_acl path_number_acl;
1428                 struct ccs_mkdev_acl mkdev_acl;
1429                 struct ccs_mount_acl mount_acl;
1430                 struct ccs_env_acl env_acl;
1431                 struct ccs_capability_acl capability_acl;
1432                 struct ccs_signal_acl signal_acl;
1433                 struct ccs_inet_acl inet_acl;
1434                 struct ccs_unix_acl unix_acl;
1435                 /**/
1436                 struct ccs_acl_head acl_head;
1437                 struct ccs_transition_control transition_control;
1438                 struct ccs_aggregator aggregator;
1439                 struct ccs_reserved reserved;
1440                 struct ccs_manager manager;
1441                 struct ccs_path_group path_group;
1442                 struct ccs_number_group number_group;
1443                 struct ccs_address_group address_group;
1444         } e;
1445 };
1446 
1447 /* Structure for reading/writing policy via /proc/ccs/ interfaces. */
1448 struct ccs_io_buffer {
1449         /* Exclusive lock for this structure.   */
1450         struct mutex io_sem;
1451         char __user *read_user_buf;
1452         size_t read_user_buf_avail;
1453         struct {
1454                 struct list_head *ns;
1455                 struct list_head *domain;
1456                 struct list_head *group;
1457                 struct list_head *acl;
1458                 size_t avail;
1459                 unsigned int step;
1460                 unsigned int query_index;
1461                 u16 index;
1462                 u16 cond_index;
1463                 u8 acl_group_index;
1464                 u8 cond_step;
1465                 u8 bit;
1466                 u8 w_pos;
1467                 bool eof;
1468                 bool print_this_domain_only;
1469                 bool print_transition_related_only;
1470                 bool print_cond_part;
1471                 const char *w[CCS_MAX_IO_READ_QUEUE];
1472         } r;
1473         struct {
1474                 struct ccs_policy_namespace *ns;
1475                 struct ccs_domain_info *domain;
1476                 size_t avail;
1477                 bool is_delete;
1478         } w;
1479         /* Buffer for reading.                  */
1480         char *read_buf;
1481         /* Size of read buffer.                 */
1482         size_t readbuf_size;
1483         /* Buffer for writing.                  */
1484         char *write_buf;
1485         /* Size of write buffer.                */
1486         size_t writebuf_size;
1487         /* Type of interface. */
1488         enum ccs_proc_interface_index type;
1489         /* Users counter protected by ccs_io_buffer_list_lock. */
1490         u8 users;
1491         /* List for telling GC not to kfree() elements. */
1492         struct list_head list;
1493 };
1494 
1495 /* Structure for /proc/ccs/profile interface. */
1496 struct ccs_profile {
1497         const struct ccs_path_info *comment;
1498         u8 default_config;
1499         u8 config[CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX];
1500         unsigned int pref[CCS_MAX_PREF];
1501 };
1502 
1503 /* Structure for representing YYYY/MM/DD hh/mm/ss. */
1504 struct ccs_time {
1505         u16 year;
1506         u8 month;
1507         u8 day;
1508         u8 hour;
1509         u8 min;
1510         u8 sec;
1511 };
1512 
1513 /* Structure for policy namespace. */
1514 struct ccs_policy_namespace {
1515         /* Profile table. Memory is allocated as needed. */
1516         struct ccs_profile *profile_ptr[CCS_MAX_PROFILES];
1517         /* List of "struct ccs_group". */
1518         struct list_head group_list[CCS_MAX_GROUP];
1519         /* List of policy. */
1520         struct list_head policy_list[CCS_MAX_POLICY];
1521         /* The global ACL referred by "use_group" keyword. */
1522         struct list_head acl_group[CCS_MAX_ACL_GROUPS];
1523         /* List for connecting to ccs_namespace_list list. */
1524         struct list_head namespace_list;
1525         /* Profile version. Currently only 20150505 is supported. */
1526         unsigned int profile_version;
1527         /* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */
1528         const char *name;
1529 };
1530 
1531 /* Prototype definition for "struct ccsecurity_operations". */
1532 
1533 void __init ccs_permission_init(void);
1534 void __init ccs_mm_init(void);
1535 
1536 /* Prototype definition for internal use. */
1537 
1538 bool ccs_dump_page(struct linux_binprm *bprm, unsigned long pos,
1539                    struct ccs_page_dump *dump);
1540 bool ccs_memory_ok(const void *ptr, const unsigned int size);
1541 char *ccs_encode(const char *str);
1542 char *ccs_encode2(const char *str, int str_len);
1543 char *ccs_realpath(const struct path *path);
1544 const char *ccs_get_exe(void);
1545 const struct ccs_path_info *ccs_get_name(const char *name);
1546 int ccs_audit_log(struct ccs_request_info *r);
1547 int ccs_check_acl(struct ccs_request_info *r);
1548 int ccs_init_request_info(struct ccs_request_info *r, const u8 index);
1549 struct ccs_domain_info *ccs_assign_domain(const char *domainname,
1550                                           const bool transit);
1551 u8 ccs_get_config(const u8 profile, const u8 index);
1552 void *ccs_commit_ok(void *data, const unsigned int size);
1553 void ccs_del_acl(struct list_head *element);
1554 void ccs_del_condition(struct list_head *element);
1555 void ccs_fill_path_info(struct ccs_path_info *ptr);
1556 void ccs_get_attributes(struct ccs_obj_info *obj);
1557 void ccs_notify_gc(struct ccs_io_buffer *head, const bool is_register);
1558 void ccs_transition_failed(const char *domainname);
1559 void ccs_warn_oom(const char *function);
1560 void ccs_write_log(struct ccs_request_info *r, const char *fmt, ...)
1561         __printf(2, 3);
1562 
1563 /* Variable definition for internal use. */
1564 
1565 extern bool ccs_policy_loaded;
1566 extern const char * const ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS];
1567 extern const u8 ccs_c2mac[CCS_MAX_CAPABILITY_INDEX];
1568 extern const u8 ccs_pn2mac[CCS_MAX_PATH_NUMBER_OPERATION];
1569 extern const u8 ccs_pnnn2mac[CCS_MAX_MKDEV_OPERATION];
1570 extern const u8 ccs_pp2mac[CCS_MAX_PATH2_OPERATION];
1571 extern struct ccs_domain_info ccs_kernel_domain;
1572 extern struct list_head ccs_condition_list;
1573 extern struct list_head ccs_domain_list;
1574 extern struct list_head ccs_name_list[CCS_MAX_HASH];
1575 extern struct list_head ccs_namespace_list;
1576 extern struct mutex ccs_policy_lock;
1577 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1578 extern struct srcu_struct ccs_ss;
1579 #endif
1580 extern unsigned int ccs_memory_quota[CCS_MAX_MEMORY_STAT];
1581 extern unsigned int ccs_memory_used[CCS_MAX_MEMORY_STAT];
1582 
1583 /* Inlined functions for internal use. */
1584 
1585 /**
1586  * ccs_pathcmp - strcmp() for "struct ccs_path_info" structure.
1587  *
1588  * @a: Pointer to "struct ccs_path_info".
1589  * @b: Pointer to "struct ccs_path_info".
1590  *
1591  * Returns true if @a != @b, false otherwise.
1592  */
1593 static inline bool ccs_pathcmp(const struct ccs_path_info *a,
1594                                const struct ccs_path_info *b)
1595 {
1596         return a->hash != b->hash || strcmp(a->name, b->name);
1597 }
1598 
1599 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1600 
1601 /**
1602  * ccs_read_lock - Take lock for protecting policy.
1603  *
1604  * Returns index number for ccs_read_unlock().
1605  */
1606 static inline int ccs_read_lock(void)
1607 {
1608         return srcu_read_lock(&ccs_ss);
1609 }
1610 
1611 /**
1612  * ccs_read_unlock - Release lock for protecting policy.
1613  *
1614  * @idx: Index number returned by ccs_read_lock().
1615  *
1616  * Returns nothing.
1617  */
1618 static inline void ccs_read_unlock(const int idx)
1619 {
1620         srcu_read_unlock(&ccs_ss, idx);
1621 }
1622 
1623 #else
1624 
1625 int ccs_lock(void);
1626 void ccs_unlock(const int idx);
1627 
1628 /**
1629  * ccs_read_lock - Take lock for protecting policy.
1630  *
1631  * Returns index number for ccs_read_unlock().
1632  */
1633 static inline int ccs_read_lock(void)
1634 {
1635         return ccs_lock();
1636 }
1637 
1638 /**
1639  * ccs_read_unlock - Release lock for protecting policy.
1640  *
1641  * @idx: Index number returned by ccs_read_lock().
1642  *
1643  * Returns nothing.
1644  */
1645 static inline void ccs_read_unlock(const int idx)
1646 {
1647         ccs_unlock(idx);
1648 }
1649 
1650 #endif
1651 
1652 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
1653 
1654 /**
1655  * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1656  *
1657  * Returns nothing.
1658  */
1659 static inline void ccs_tasklist_lock(void)
1660 {
1661         rcu_read_lock();
1662 }
1663 
1664 /**
1665  * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1666  *
1667  * Returns nothing.
1668  */
1669 static inline void ccs_tasklist_unlock(void)
1670 {
1671         rcu_read_unlock();
1672 }
1673 
1674 #else
1675 
1676 /**
1677  * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1678  *
1679  * Returns nothing.
1680  */
1681 static inline void ccs_tasklist_lock(void)
1682 {
1683         read_lock(&tasklist_lock);
1684 }
1685 
1686 /**
1687  * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1688  *
1689  * Returns nothing.
1690  */
1691 static inline void ccs_tasklist_unlock(void)
1692 {
1693         read_unlock(&tasklist_lock);
1694 }
1695 
1696 #endif
1697 
1698 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1699 
1700 /**
1701  * ccs_sys_getppid - Copy of getppid().
1702  *
1703  * Returns parent process's PID.
1704  *
1705  * Alpha does not have getppid() defined. To be able to build this module on
1706  * Alpha, I have to copy getppid() from kernel/timer.c.
1707  */
1708 static inline pid_t ccs_sys_getppid(void)
1709 {
1710         pid_t pid;
1711         rcu_read_lock();
1712         pid = task_tgid_vnr(rcu_dereference(current->real_parent));
1713         rcu_read_unlock();
1714         return pid;
1715 }
1716 
1717 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
1718 
1719 /**
1720  * ccs_sys_getppid - Copy of getppid().
1721  *
1722  * Returns parent process's PID.
1723  *
1724  * This function was rewritten to use RCU in 2.6.16.34. However, distributors
1725  * which use earlier kernels (e.g. 2.6.8/2.6.9) did not backport the bugfix.
1726  * Therefore, I'm using code for 2.6.16.34 for earlier kernels.
1727  */
1728 static inline pid_t ccs_sys_getppid(void)
1729 {
1730         pid_t pid;
1731         rcu_read_lock();
1732 #if (defined(RHEL_MAJOR) && RHEL_MAJOR == 5) || (defined(AX_MAJOR) && AX_MAJOR == 3)
1733         pid = rcu_dereference(current->parent)->tgid;
1734 #elif defined(CONFIG_UTRACE)
1735         /*
1736          * RHEL 5.0 kernel does not have RHEL_MAJOR/RHEL_MINOR defined.
1737          * Assume RHEL 5.0 if CONFIG_UTRACE is defined.
1738          */
1739         pid = rcu_dereference(current->parent)->tgid;
1740 #else
1741         pid = rcu_dereference(current->real_parent)->tgid;
1742 #endif
1743         rcu_read_unlock();
1744         return pid;
1745 }
1746 
1747 #else
1748 
1749 /**
1750  * ccs_sys_getppid - Copy of getppid().
1751  *
1752  * Returns parent process's PID.
1753  *
1754  * I can't use code for 2.6.16.34 for 2.4 kernels because 2.4 kernels does not
1755  * have RCU. Therefore, I'm using pessimistic lock (i.e. tasklist_lock
1756  * spinlock).
1757  */
1758 static inline pid_t ccs_sys_getppid(void)
1759 {
1760         pid_t pid;
1761         read_lock(&tasklist_lock);
1762 #ifdef TASK_DEAD
1763         pid = current->group_leader->real_parent->tgid;
1764 #else
1765         pid = current->p_opptr->pid;
1766 #endif
1767         read_unlock(&tasklist_lock);
1768         return pid;
1769 }
1770 
1771 #endif
1772 
1773 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1774 
1775 /**
1776  * ccs_sys_getpid - Copy of getpid().
1777  *
1778  * Returns current thread's PID.
1779  *
1780  * Alpha does not have getpid() defined. To be able to build this module on
1781  * Alpha, I have to copy getpid() from kernel/timer.c.
1782  */
1783 static inline pid_t ccs_sys_getpid(void)
1784 {
1785         return task_tgid_vnr(current);
1786 }
1787 
1788 #else
1789 
1790 /**
1791  * ccs_sys_getpid - Copy of getpid().
1792  *
1793  * Returns current thread's PID.
1794  */
1795 static inline pid_t ccs_sys_getpid(void)
1796 {
1797         return current->tgid;
1798 }
1799 
1800 #endif
1801 
1802 /**
1803  * ccs_get_mode - Get mode for specified functionality.
1804  *
1805  * @profile: Profile number.
1806  * @index:   Functionality number.
1807  *
1808  * Returns mode.
1809  */
1810 static inline u8 ccs_get_mode(const u8 profile, const u8 index)
1811 {
1812         return ccs_get_config(profile, index) & (CCS_CONFIG_MAX_MODE - 1);
1813 }
1814 
1815 #if defined(CONFIG_SLOB)
1816 
1817 /**
1818  * ccs_round2 - Round up to power of 2 for calculating memory usage.
1819  *
1820  * @size: Size to be rounded up.
1821  *
1822  * Returns @size.
1823  *
1824  * Since SLOB does not round up, this function simply returns @size.
1825  */
1826 static inline int ccs_round2(size_t size)
1827 {
1828         return size;
1829 }
1830 
1831 #else
1832 
1833 /**
1834  * ccs_round2 - Round up to power of 2 for calculating memory usage.
1835  *
1836  * @size: Size to be rounded up.
1837  *
1838  * Returns rounded size.
1839  *
1840  * Strictly speaking, SLAB may be able to allocate (e.g.) 96 bytes instead of
1841  * (e.g.) 128 bytes.
1842  */
1843 static inline int ccs_round2(size_t size)
1844 {
1845 #if PAGE_SIZE == 4096
1846         size_t bsize = 32;
1847 #else
1848         size_t bsize = 64;
1849 #endif
1850         if (!size)
1851                 return 0;
1852         while (size > bsize)
1853                 bsize <<= 1;
1854         return bsize;
1855 }
1856 
1857 #endif
1858 
1859 /**
1860  * ccs_put_condition - Drop reference on "struct ccs_condition".
1861  *
1862  * @cond: Pointer to "struct ccs_condition". Maybe NULL.
1863  *
1864  * Returns nothing.
1865  */
1866 static inline void ccs_put_condition(struct ccs_condition *cond)
1867 {
1868         if (cond)
1869                 atomic_dec(&cond->head.users);
1870 }
1871 
1872 /**
1873  * ccs_put_group - Drop reference on "struct ccs_group".
1874  *
1875  * @group: Pointer to "struct ccs_group". Maybe NULL.
1876  *
1877  * Returns nothing.
1878  */
1879 static inline void ccs_put_group(struct ccs_group *group)
1880 {
1881         if (group)
1882                 atomic_dec(&group->head.users);
1883 }
1884 
1885 /**
1886  * ccs_put_name - Drop reference on "struct ccs_name".
1887  *
1888  * @name: Pointer to "struct ccs_path_info". Maybe NULL.
1889  *
1890  * Returns nothing.
1891  */
1892 static inline void ccs_put_name(const struct ccs_path_info *name)
1893 {
1894         if (name)
1895                 atomic_dec(&container_of(name, struct ccs_name, entry)->
1896                            head.users);
1897 }
1898 
1899 /* For importing variables and functions. */
1900 extern const struct ccsecurity_exports ccsecurity_exports;
1901 
1902 #ifdef CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY
1903 
1904 /*
1905  * Structure for holding "struct ccs_domain_info *" and "struct ccs_execve *"
1906  * and "u32 ccs_flags" for each "struct task_struct".
1907  *
1908  * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
1909  * are maintained outside that "struct task_struct". Therefore, ccs_security
1910  * != task_struct . This keeps KABI for distributor's prebuilt kernels but
1911  * entails slow access.
1912  *
1913  * Memory for this structure is allocated when current thread tries to access
1914  * it. Therefore, if memory allocation failed, current thread will be killed by
1915  * SIGKILL. Note that if current->pid == 1, sending SIGKILL won't work.
1916  */
1917 struct ccs_security {
1918         struct list_head list;
1919         const struct task_struct *task;
1920         struct ccs_domain_info *ccs_domain_info;
1921         u32 ccs_flags;
1922         struct rcu_head rcu;
1923 };
1924 
1925 #define CCS_TASK_SECURITY_HASH_BITS 12
1926 #define CCS_MAX_TASK_SECURITY_HASH (1u << CCS_TASK_SECURITY_HASH_BITS)
1927 extern struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
1928 
1929 struct ccs_security *ccs_find_task_security(const struct task_struct *task);
1930 
1931 /**
1932  * ccs_current_security - Get "struct ccs_security" for current thread.
1933  *
1934  * Returns pointer to "struct ccs_security" for current thread.
1935  */
1936 static inline struct ccs_security *ccs_current_security(void)
1937 {
1938         return ccs_find_task_security(current);
1939 }
1940 
1941 /**
1942  * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
1943  *
1944  * @task: Pointer to "struct task_struct".
1945  *
1946  * Returns pointer to "struct ccs_security" for specified thread.
1947  */
1948 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
1949 {
1950         struct ccs_domain_info *domain;
1951         rcu_read_lock();
1952         domain = ccs_find_task_security(task)->ccs_domain_info;
1953         rcu_read_unlock();
1954         return domain;
1955 }
1956 
1957 /**
1958  * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
1959  *
1960  * Returns pointer to "struct ccs_domain_info" for current thread.
1961  */
1962 static inline struct ccs_domain_info *ccs_current_domain(void)
1963 {
1964         return ccs_find_task_security(current)->ccs_domain_info;
1965 }
1966 
1967 /**
1968  * ccs_task_flags - Get flags for specified thread.
1969  *
1970  * @task: Pointer to "struct task_struct".
1971  *
1972  * Returns flags for specified thread.
1973  */
1974 static inline u32 ccs_task_flags(struct task_struct *task)
1975 {
1976         u32 ccs_flags;
1977         rcu_read_lock();
1978         ccs_flags = ccs_find_task_security(task)->ccs_flags;
1979         rcu_read_unlock();
1980         return ccs_flags;
1981 }
1982 
1983 /**
1984  * ccs_current_flags - Get flags for current thread.
1985  *
1986  * Returns flags for current thread.
1987  */
1988 static inline u32 ccs_current_flags(void)
1989 {
1990         return ccs_find_task_security(current)->ccs_flags;
1991 }
1992 
1993 #else
1994 
1995 /*
1996  * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
1997  * are maintained inside that "struct task_struct". Therefore, ccs_security ==
1998  * task_struct . This allows fast access but breaks KABI checks for
1999  * distributor's prebuilt kernels due to changes in "struct task_struct".
2000  */
2001 #define ccs_security task_struct
2002 
2003 /**
2004  * ccs_find_task_security - Find "struct ccs_security" for given task.
2005  *
2006  * @task: Pointer to "struct task_struct".
2007  *
2008  * Returns pointer to "struct ccs_security".
2009  */
2010 static inline struct ccs_security *ccs_find_task_security(struct task_struct *
2011                                                           task)
2012 {
2013         return task;
2014 }
2015 
2016 /**
2017  * ccs_current_security - Get "struct ccs_security" for current thread.
2018  *
2019  * Returns pointer to "struct ccs_security" for current thread.
2020  */
2021 static inline struct ccs_security *ccs_current_security(void)
2022 {
2023         return ccs_find_task_security(current);
2024 }
2025 
2026 /**
2027  * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
2028  *
2029  * @task: Pointer to "struct task_struct".
2030  *
2031  * Returns pointer to "struct ccs_security" for specified thread.
2032  */
2033 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
2034 {
2035         struct ccs_domain_info *domain = task->ccs_domain_info;
2036         return domain ? domain : &ccs_kernel_domain;
2037 }
2038 
2039 /**
2040  * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
2041  *
2042  * Returns pointer to "struct ccs_domain_info" for current thread.
2043  *
2044  * If current thread does not belong to a domain (which is true for initial
2045  * init_task in order to hide ccs_kernel_domain from this module),
2046  * current thread enters into ccs_kernel_domain.
2047  */
2048 static inline struct ccs_domain_info *ccs_current_domain(void)
2049 {
2050         struct task_struct *task = current;
2051         if (!task->ccs_domain_info)
2052                 task->ccs_domain_info = &ccs_kernel_domain;
2053         return task->ccs_domain_info;
2054 }
2055 
2056 /**
2057  * ccs_task_flags - Get flags for specified thread.
2058  *
2059  * @task: Pointer to "struct task_struct".
2060  *
2061  * Returns flags for specified thread.
2062  */
2063 static inline u32 ccs_task_flags(struct task_struct *task)
2064 {
2065         return ccs_find_task_security(task)->ccs_flags;
2066 }
2067 
2068 /**
2069  * ccs_current_flags - Get flags for current thread.
2070  *
2071  * Returns flags for current thread.
2072  */
2073 static inline u32 ccs_current_flags(void)
2074 {
2075         return ccs_find_task_security(current)->ccs_flags;
2076 }
2077 
2078 #endif
2079 
2080 /**
2081  * ccs_current_namespace - Get "struct ccs_policy_namespace" for current thread.
2082  *
2083  * Returns pointer to "struct ccs_policy_namespace" for current thread.
2084  */
2085 static inline struct ccs_policy_namespace *ccs_current_namespace(void)
2086 {
2087         return ccs_current_domain()->ns;
2088 }
2089 
2090 #endif
2091 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp