~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/ccsecurity/internal.h

Version: ~ [ linux-5.2-rc1 ] ~ [ linux-5.1.2 ] ~ [ linux-5.0.16 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.43 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.119 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.176 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.179 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.139 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.67 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * security/ccsecurity/internal.h
  3  *
  4  * Copyright (C) 2005-2012  NTT DATA CORPORATION
  5  *
  6  * Version: 1.8.5   2015/11/11
  7  */
  8 
  9 #ifndef _SECURITY_CCSECURITY_INTERNAL_H
 10 #define _SECURITY_CCSECURITY_INTERNAL_H
 11 
 12 #include <linux/version.h>
 13 #include <linux/types.h>
 14 #include <linux/kernel.h>
 15 #include <linux/string.h>
 16 #include <linux/mm.h>
 17 #include <linux/utime.h>
 18 #include <linux/file.h>
 19 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 38)
 20 #include <linux/smp_lock.h>
 21 #endif
 22 #include <linux/module.h>
 23 #include <linux/init.h>
 24 #include <linux/slab.h>
 25 #include <linux/highmem.h>
 26 #include <linux/poll.h>
 27 #include <linux/binfmts.h>
 28 #include <linux/delay.h>
 29 #include <linux/sched.h>
 30 #include <linux/dcache.h>
 31 #include <linux/mount.h>
 32 #include <linux/net.h>
 33 #include <linux/inet.h>
 34 #include <linux/in.h>
 35 #include <linux/in6.h>
 36 #include <linux/un.h>
 37 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
 38 #include <linux/fs.h>
 39 #endif
 40 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
 41 #include <linux/namei.h>
 42 #endif
 43 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 30)
 44 #include <linux/fs_struct.h>
 45 #endif
 46 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 47 #include <linux/namespace.h>
 48 #endif
 49 #include <linux/proc_fs.h>
 50 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 0) || defined(RHEL_MAJOR)
 51 #include <linux/hash.h>
 52 #endif
 53 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) || (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL))
 54 #include <linux/sysctl.h>
 55 #endif
 56 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 6)
 57 #include <linux/kthread.h>
 58 #endif
 59 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)
 60 #include <linux/magic.h>
 61 #endif
 62 #include <stdarg.h>
 63 #include <asm/uaccess.h>
 64 #include <net/sock.h>
 65 #include <net/af_unix.h>
 66 #include <net/ip.h>
 67 #include <net/ipv6.h>
 68 #include <net/udp.h>
 69 
 70 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
 71 #define sk_family family
 72 #define sk_protocol protocol
 73 #define sk_type type
 74 #endif
 75 
 76 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 77 
 78 /* Structure for holding "struct vfsmount *" and "struct dentry *". */
 79 struct path {
 80         struct vfsmount *mnt;
 81         struct dentry *dentry;
 82 };
 83 
 84 #endif
 85 
 86 #ifndef __printf
 87 #define __printf(a,b) __attribute__((format(printf,a,b)))
 88 #endif
 89 #ifndef __packed
 90 #define __packed __attribute__((__packed__))
 91 #endif
 92 #ifndef bool
 93 #define bool _Bool
 94 #endif
 95 #ifndef false
 96 #define false 0
 97 #endif
 98 #ifndef true
 99 #define true 1
100 #endif
101 
102 #ifndef __user
103 #define __user
104 #endif
105 
106 #ifndef current_uid
107 #define current_uid()   (current->uid)
108 #endif
109 #ifndef current_gid
110 #define current_gid()   (current->gid)
111 #endif
112 #ifndef current_euid
113 #define current_euid()  (current->euid)
114 #endif
115 #ifndef current_egid
116 #define current_egid()  (current->egid)
117 #endif
118 #ifndef current_suid
119 #define current_suid()  (current->suid)
120 #endif
121 #ifndef current_sgid
122 #define current_sgid()  (current->sgid)
123 #endif
124 #ifndef current_fsuid
125 #define current_fsuid() (current->fsuid)
126 #endif
127 #ifndef current_fsgid
128 #define current_fsgid() (current->fsgid)
129 #endif
130 
131 #ifndef DEFINE_SPINLOCK
132 #define DEFINE_SPINLOCK(x) spinlock_t x = SPIN_LOCK_UNLOCKED
133 #endif
134 
135 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16)
136 #define mutex semaphore
137 #define mutex_init(mutex) init_MUTEX(mutex)
138 #define mutex_unlock(mutex) up(mutex)
139 #define mutex_lock(mutex) down(mutex)
140 #define mutex_lock_interruptible(mutex) down_interruptible(mutex)
141 #define mutex_trylock(mutex) (!down_trylock(mutex))
142 #define DEFINE_MUTEX(mutexname) DECLARE_MUTEX(mutexname)
143 #endif
144 
145 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 15)
146 #define MS_UNBINDABLE   (1<<17) /* change to unbindable */
147 #define MS_PRIVATE      (1<<18) /* change to private */
148 #define MS_SLAVE        (1<<19) /* change to slave */
149 #define MS_SHARED       (1<<20) /* change to shared */
150 #endif
151 
152 #ifndef container_of
153 #define container_of(ptr, type, member) ({                              \
154                         const typeof(((type *)0)->member) *__mptr = (ptr); \
155                         (type *)((char *)__mptr - offsetof(type, member)); })
156 #endif
157 
158 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 0)
159 #define smp_read_barrier_depends smp_rmb
160 #endif
161 
162 #ifndef ACCESS_ONCE
163 #define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
164 #endif
165 
166 #ifndef rcu_dereference
167 #define rcu_dereference(p)     ({                                       \
168                         typeof(p) _________p1 = ACCESS_ONCE(p);         \
169                         smp_read_barrier_depends(); /* see RCU */       \
170                         (_________p1);                                  \
171                 })
172 #endif
173 
174 #ifndef rcu_assign_pointer
175 #define rcu_assign_pointer(p, v)                        \
176         ({                                              \
177                 if (!__builtin_constant_p(v) ||         \
178                     ((v) != NULL))                      \
179                         smp_wmb(); /* see RCU */        \
180                 (p) = (v);                              \
181         })
182 #endif
183 
184 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
185 #define f_vfsmnt f_path.mnt
186 #endif
187 
188 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 14)
189 
190 /**
191  * kzalloc() - Allocate memory. The memory is set to zero.
192  *
193  * @size:  Size to allocate.
194  * @flags: GFP flags.
195  *
196  * Returns pointer to allocated memory on success, NULL otherwise.
197  *
198  * This is for compatibility with older kernels.
199  *
200  * Since several distributions backported kzalloc(), I define it as a macro
201  * rather than an inlined function in order to avoid multiple definition error.
202  */
203 #define kzalloc(size, flags) ({                                 \
204                         void *ret = kmalloc((size), (flags));   \
205                         if (ret)                                \
206                                 memset(ret, 0, (size));         \
207                         ret; })
208 
209 #endif
210 
211 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 25)
212 
213 /**
214  * path_put - Drop reference on "struct path".
215  *
216  * @path: Pointer to "struct path".
217  *
218  * Returns nothing.
219  *
220  * This is for compatibility with older kernels.
221  */
222 static inline void path_put(struct path *path)
223 {
224         dput(path->dentry);
225         mntput(path->mnt);
226 }
227 
228 #endif
229 
230 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
231 
232 /**
233  * __list_add_rcu - Insert a new entry between two known consecutive entries.
234  *
235  * @new:  Pointer to "struct list_head".
236  * @prev: Pointer to "struct list_head".
237  * @next: Pointer to "struct list_head".
238  *
239  * Returns nothing.
240  *
241  * This is for compatibility with older kernels.
242  */
243 static inline void __list_add_rcu(struct list_head *new,
244                                   struct list_head *prev,
245                                   struct list_head *next)
246 {
247         new->next = next;
248         new->prev = prev;
249         rcu_assign_pointer(prev->next, new);
250         next->prev = new;
251 }
252 
253 /**
254  * list_add_tail_rcu - Add a new entry to rcu-protected list.
255  *
256  * @new:  Pointer to "struct list_head".
257  * @head: Pointer to "struct list_head".
258  *
259  * Returns nothing.
260  *
261  * This is for compatibility with older kernels.
262  */
263 static inline void list_add_tail_rcu(struct list_head *new,
264                                      struct list_head *head)
265 {
266         __list_add_rcu(new, head->prev, head);
267 }
268 
269 /**
270  * list_add_rcu - Add a new entry to rcu-protected list.
271  *
272  * @new:  Pointer to "struct list_head".
273  * @head: Pointer to "struct list_head".
274  *
275  * Returns nothing.
276  *
277  * This is for compatibility with older kernels.
278  */
279 static inline void list_add_rcu(struct list_head *new, struct list_head *head)
280 {
281         __list_add_rcu(new, head, head->next);
282 }
283 
284 #endif
285 
286 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 38)
287 
288 /**
289  * __list_del_entry - Deletes entry from list without re-initialization.
290  *
291  * @entry: Pointer to "struct list_head".
292  *
293  * Returns nothing.
294  *
295  * This is for compatibility with older kernels.
296  */
297 static inline void __list_del_entry(struct list_head *entry)
298 {
299         __list_del(entry->prev, entry->next);
300 }
301 
302 #endif
303 
304 #ifndef list_for_each_entry_safe
305 
306 /**
307  * list_for_each_entry_safe - Iterate over list of given type safe against removal of list entry.
308  *
309  * @pos:    The "type *" to use as a loop cursor.
310  * @n:      Another "type *" to use as temporary storage.
311  * @head:   Pointer to "struct list_head".
312  * @member: The name of the list_struct within the struct.
313  *
314  * This is for compatibility with older kernels.
315  */
316 #define list_for_each_entry_safe(pos, n, head, member)                  \
317         for (pos = list_entry((head)->next, typeof(*pos), member),      \
318                      n = list_entry(pos->member.next, typeof(*pos), member); \
319              &pos->member != (head);                                    \
320              pos = n, n = list_entry(n->member.next, typeof(*n), member))
321 
322 #endif
323 
324 #ifndef srcu_dereference
325 
326 /**
327  * srcu_dereference - Fetch SRCU-protected pointer with checking.
328  *
329  * @p:  The pointer to read, prior to dereferencing.
330  * @ss: Pointer to "struct srcu_struct".
331  *
332  * Returns @p.
333  *
334  * This is for compatibility with older kernels.
335  */
336 #define srcu_dereference(p, ss) rcu_dereference(p)
337 
338 #endif
339 
340 #ifndef list_for_each_entry_srcu
341 
342 /**
343  * list_for_each_entry_srcu - Iterate over rcu list of given type.
344  *
345  * @pos:    The type * to use as a loop cursor.
346  * @head:   The head for your list.
347  * @member: The name of the list_struct within the struct.
348  * @ss:     Pointer to "struct srcu_struct".
349  *
350  * As of 2.6.36, this macro is not provided because only TOMOYO wants it.
351  */
352 #define list_for_each_entry_srcu(pos, head, member, ss)               \
353         for (pos = list_entry(srcu_dereference((head)->next, ss),     \
354                               typeof(*pos), member);                  \
355              prefetch(pos->member.next), &pos->member != (head);      \
356              pos = list_entry(srcu_dereference(pos->member.next, ss), \
357                               typeof(*pos), member))
358 
359 #endif
360 
361 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 4, 30) || (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 9))
362 
363 #if LINUX_VERSION_CODE == KERNEL_VERSION(2, 4, 21)
364 #undef ssleep
365 #endif
366 
367 #ifndef ssleep
368 
369 /**
370  * ssleep - Sleep for specified seconds.
371  *
372  * @secs: Seconds to sleep.
373  *
374  * Returns nothing.
375  *
376  * This is for compatibility with older kernels.
377  *
378  * Since several distributions backported ssleep(), I define it as a macro
379  * rather than an inlined function in order to avoid multiple definition error.
380  */
381 #define ssleep(secs) {                                          \
382                 set_current_state(TASK_UNINTERRUPTIBLE);        \
383                 schedule_timeout((HZ * secs) + 1);              \
384         }
385 
386 #endif
387 
388 #endif
389 
390 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
391 
392 /**
393  * from_kuid - Convert kuid_t to uid_t.
394  *
395  * @ns:  Unused.
396  * @uid: kuid_t value.
397  *
398  * Returns uid seen from init's user namespace.
399  */
400 #define from_kuid(ns, uid) (uid)
401 
402 /**
403  * from_kgid - Convert kgid_t to gid_t.
404  *
405  * @ns:  Unused.
406  * @gid: kgid_t value.
407  *
408  * Returns gid seen from init's user namespace.
409  */
410 #define from_kgid(ns, gid) (gid)
411 
412 /**
413  * uid_eq - Check whether the uids are equals or not.
414  *
415  * @left: Uid seen from current user namespace.
416  * @right: Uid seen from current user namespace.
417  *
418  * Returns true if uid is root in init's user namespace, false otherwise.
419  */
420 #define uid_eq(left, right) ((left) == (right))
421 #define GLOBAL_ROOT_UID 0
422 
423 #endif
424 
425 /*
426  * TOMOYO specific part start.
427  */
428 
429 #include <linux/ccsecurity.h>
430 
431 /* Enumeration definition for internal use. */
432 
433 /* Index numbers for Access Controls. */
434 enum ccs_acl_entry_type_index {
435         CCS_TYPE_PATH_ACL,
436         CCS_TYPE_PATH2_ACL,
437         CCS_TYPE_PATH_NUMBER_ACL,
438         CCS_TYPE_MKDEV_ACL,
439         CCS_TYPE_MOUNT_ACL,
440 #ifdef CONFIG_CCSECURITY_MISC
441         CCS_TYPE_ENV_ACL,
442 #endif
443 #ifdef CONFIG_CCSECURITY_CAPABILITY
444         CCS_TYPE_CAPABILITY_ACL,
445 #endif
446 #ifdef CONFIG_CCSECURITY_NETWORK
447         CCS_TYPE_INET_ACL,
448         CCS_TYPE_UNIX_ACL,
449 #endif
450 #ifdef CONFIG_CCSECURITY_IPC
451         CCS_TYPE_SIGNAL_ACL,
452 #endif
453 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
454         CCS_TYPE_AUTO_EXECUTE_HANDLER,
455         CCS_TYPE_DENIED_EXECUTE_HANDLER,
456 #endif
457 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
458         CCS_TYPE_AUTO_TASK_ACL,
459         CCS_TYPE_MANUAL_TASK_ACL,
460 #endif
461 };
462 
463 /* Index numbers for "struct ccs_condition". */
464 enum ccs_conditions_index {
465         CCS_TASK_UID,             /* current_uid()   */
466         CCS_TASK_EUID,            /* current_euid()  */
467         CCS_TASK_SUID,            /* current_suid()  */
468         CCS_TASK_FSUID,           /* current_fsuid() */
469         CCS_TASK_GID,             /* current_gid()   */
470         CCS_TASK_EGID,            /* current_egid()  */
471         CCS_TASK_SGID,            /* current_sgid()  */
472         CCS_TASK_FSGID,           /* current_fsgid() */
473         CCS_TASK_PID,             /* sys_getpid()   */
474         CCS_TASK_PPID,            /* sys_getppid()  */
475         CCS_EXEC_ARGC,            /* "struct linux_binprm *"->argc */
476         CCS_EXEC_ENVC,            /* "struct linux_binprm *"->envc */
477         CCS_TYPE_IS_SOCKET,       /* S_IFSOCK */
478         CCS_TYPE_IS_SYMLINK,      /* S_IFLNK */
479         CCS_TYPE_IS_FILE,         /* S_IFREG */
480         CCS_TYPE_IS_BLOCK_DEV,    /* S_IFBLK */
481         CCS_TYPE_IS_DIRECTORY,    /* S_IFDIR */
482         CCS_TYPE_IS_CHAR_DEV,     /* S_IFCHR */
483         CCS_TYPE_IS_FIFO,         /* S_IFIFO */
484         CCS_MODE_SETUID,          /* S_ISUID */
485         CCS_MODE_SETGID,          /* S_ISGID */
486         CCS_MODE_STICKY,          /* S_ISVTX */
487         CCS_MODE_OWNER_READ,      /* S_IRUSR */
488         CCS_MODE_OWNER_WRITE,     /* S_IWUSR */
489         CCS_MODE_OWNER_EXECUTE,   /* S_IXUSR */
490         CCS_MODE_GROUP_READ,      /* S_IRGRP */
491         CCS_MODE_GROUP_WRITE,     /* S_IWGRP */
492         CCS_MODE_GROUP_EXECUTE,   /* S_IXGRP */
493         CCS_MODE_OTHERS_READ,     /* S_IROTH */
494         CCS_MODE_OTHERS_WRITE,    /* S_IWOTH */
495         CCS_MODE_OTHERS_EXECUTE,  /* S_IXOTH */
496         CCS_TASK_TYPE,            /* ((u8) task->ccs_flags) &
497                                      CCS_TASK_IS_EXECUTE_HANDLER */
498         CCS_TASK_EXECUTE_HANDLER, /* CCS_TASK_IS_EXECUTE_HANDLER */
499         CCS_EXEC_REALPATH,
500         CCS_SYMLINK_TARGET,
501         CCS_PATH1_UID,
502         CCS_PATH1_GID,
503         CCS_PATH1_INO,
504         CCS_PATH1_MAJOR,
505         CCS_PATH1_MINOR,
506         CCS_PATH1_PERM,
507         CCS_PATH1_TYPE,
508         CCS_PATH1_DEV_MAJOR,
509         CCS_PATH1_DEV_MINOR,
510         CCS_PATH2_UID,
511         CCS_PATH2_GID,
512         CCS_PATH2_INO,
513         CCS_PATH2_MAJOR,
514         CCS_PATH2_MINOR,
515         CCS_PATH2_PERM,
516         CCS_PATH2_TYPE,
517         CCS_PATH2_DEV_MAJOR,
518         CCS_PATH2_DEV_MINOR,
519         CCS_PATH1_PARENT_UID,
520         CCS_PATH1_PARENT_GID,
521         CCS_PATH1_PARENT_INO,
522         CCS_PATH1_PARENT_PERM,
523         CCS_PATH2_PARENT_UID,
524         CCS_PATH2_PARENT_GID,
525         CCS_PATH2_PARENT_INO,
526         CCS_PATH2_PARENT_PERM,
527         CCS_MAX_CONDITION_KEYWORD,
528         CCS_NUMBER_UNION,
529         CCS_NAME_UNION,
530         CCS_ARGV_ENTRY,
531         CCS_ENVP_ENTRY,
532 };
533 
534 /* Index numbers for domain's attributes. */
535 enum ccs_domain_info_flags_index {
536         /* Quota warnning flag.   */
537         CCS_DIF_QUOTA_WARNED,
538         /*
539          * This domain was unable to create a new domain at
540          * ccs_find_next_domain() because the name of the domain to be created
541          * was too long or it could not allocate memory.
542          * More than one process continued execve() without domain transition.
543          */
544         CCS_DIF_TRANSITION_FAILED,
545         CCS_MAX_DOMAIN_INFO_FLAGS
546 };
547 
548 /* Index numbers for audit type. */
549 enum ccs_grant_log {
550         /* Follow profile's configuration. */
551         CCS_GRANTLOG_AUTO,
552         /* Do not generate grant log. */
553         CCS_GRANTLOG_NO,
554         /* Generate grant_log. */
555         CCS_GRANTLOG_YES,
556 };
557 
558 /* Index numbers for group entries. */
559 enum ccs_group_id {
560         CCS_PATH_GROUP,
561         CCS_NUMBER_GROUP,
562 #ifdef CONFIG_CCSECURITY_NETWORK
563         CCS_ADDRESS_GROUP,
564 #endif
565         CCS_MAX_GROUP
566 };
567 
568 /* Index numbers for category of functionality. */
569 enum ccs_mac_category_index {
570         CCS_MAC_CATEGORY_FILE,
571 #ifdef CONFIG_CCSECURITY_NETWORK
572         CCS_MAC_CATEGORY_NETWORK,
573 #endif
574 #ifdef CONFIG_CCSECURITY_MISC
575         CCS_MAC_CATEGORY_MISC,
576 #endif
577 #ifdef CONFIG_CCSECURITY_IPC
578         CCS_MAC_CATEGORY_IPC,
579 #endif
580 #ifdef CONFIG_CCSECURITY_CAPABILITY
581         CCS_MAC_CATEGORY_CAPABILITY,
582 #endif
583         CCS_MAX_MAC_CATEGORY_INDEX
584 };
585 
586 /* Index numbers for functionality. */
587 enum ccs_mac_index {
588         CCS_MAC_FILE_EXECUTE,
589         CCS_MAC_FILE_OPEN,
590         CCS_MAC_FILE_CREATE,
591         CCS_MAC_FILE_UNLINK,
592 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
593         CCS_MAC_FILE_GETATTR,
594 #endif
595         CCS_MAC_FILE_MKDIR,
596         CCS_MAC_FILE_RMDIR,
597         CCS_MAC_FILE_MKFIFO,
598         CCS_MAC_FILE_MKSOCK,
599         CCS_MAC_FILE_TRUNCATE,
600         CCS_MAC_FILE_SYMLINK,
601         CCS_MAC_FILE_MKBLOCK,
602         CCS_MAC_FILE_MKCHAR,
603         CCS_MAC_FILE_LINK,
604         CCS_MAC_FILE_RENAME,
605         CCS_MAC_FILE_CHMOD,
606         CCS_MAC_FILE_CHOWN,
607         CCS_MAC_FILE_CHGRP,
608         CCS_MAC_FILE_IOCTL,
609         CCS_MAC_FILE_CHROOT,
610         CCS_MAC_FILE_MOUNT,
611         CCS_MAC_FILE_UMOUNT,
612         CCS_MAC_FILE_PIVOT_ROOT,
613 #ifdef CONFIG_CCSECURITY_NETWORK
614         CCS_MAC_NETWORK_INET_STREAM_BIND,
615         CCS_MAC_NETWORK_INET_STREAM_LISTEN,
616         CCS_MAC_NETWORK_INET_STREAM_CONNECT,
617         CCS_MAC_NETWORK_INET_STREAM_ACCEPT,
618         CCS_MAC_NETWORK_INET_DGRAM_BIND,
619         CCS_MAC_NETWORK_INET_DGRAM_SEND,
620 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
621         CCS_MAC_NETWORK_INET_DGRAM_RECV,
622 #endif
623         CCS_MAC_NETWORK_INET_RAW_BIND,
624         CCS_MAC_NETWORK_INET_RAW_SEND,
625 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
626         CCS_MAC_NETWORK_INET_RAW_RECV,
627 #endif
628         CCS_MAC_NETWORK_UNIX_STREAM_BIND,
629         CCS_MAC_NETWORK_UNIX_STREAM_LISTEN,
630         CCS_MAC_NETWORK_UNIX_STREAM_CONNECT,
631         CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT,
632         CCS_MAC_NETWORK_UNIX_DGRAM_BIND,
633         CCS_MAC_NETWORK_UNIX_DGRAM_SEND,
634 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
635         CCS_MAC_NETWORK_UNIX_DGRAM_RECV,
636 #endif
637         CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND,
638         CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
639         CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
640         CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT,
641 #endif
642 #ifdef CONFIG_CCSECURITY_MISC
643         CCS_MAC_ENVIRON,
644 #endif
645 #ifdef CONFIG_CCSECURITY_IPC
646         CCS_MAC_SIGNAL,
647 #endif
648 #ifdef CONFIG_CCSECURITY_CAPABILITY
649         CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET,
650         CCS_MAC_CAPABILITY_USE_PACKET_SOCKET,
651         CCS_MAC_CAPABILITY_SYS_REBOOT,
652         CCS_MAC_CAPABILITY_SYS_VHANGUP,
653         CCS_MAC_CAPABILITY_SYS_SETTIME,
654         CCS_MAC_CAPABILITY_SYS_NICE,
655         CCS_MAC_CAPABILITY_SYS_SETHOSTNAME,
656         CCS_MAC_CAPABILITY_USE_KERNEL_MODULE,
657         CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD,
658         CCS_MAC_CAPABILITY_SYS_PTRACE,
659 #endif
660         CCS_MAX_MAC_INDEX
661 };
662 
663 /* Index numbers for /proc/ccs/stat interface. */
664 enum ccs_memory_stat_type {
665         CCS_MEMORY_POLICY,
666         CCS_MEMORY_AUDIT,
667         CCS_MEMORY_QUERY,
668         CCS_MAX_MEMORY_STAT
669 };
670 
671 /* Index numbers for access controls with one pathname and three numbers. */
672 enum ccs_mkdev_acl_index {
673         CCS_TYPE_MKBLOCK,
674         CCS_TYPE_MKCHAR,
675         CCS_MAX_MKDEV_OPERATION
676 };
677 
678 /* Index numbers for operation mode. */
679 enum ccs_mode_value {
680         CCS_CONFIG_DISABLED,
681         CCS_CONFIG_LEARNING,
682         CCS_CONFIG_PERMISSIVE,
683         CCS_CONFIG_ENFORCING,
684         CCS_CONFIG_MAX_MODE,
685         CCS_CONFIG_WANT_REJECT_LOG =  64,
686         CCS_CONFIG_WANT_GRANT_LOG  = 128,
687         CCS_CONFIG_USE_DEFAULT     = 255,
688 };
689 
690 /* Index numbers for socket operations. */
691 enum ccs_network_acl_index {
692         CCS_NETWORK_BIND,    /* bind() operation. */
693         CCS_NETWORK_LISTEN,  /* listen() operation. */
694         CCS_NETWORK_CONNECT, /* connect() operation. */
695         CCS_NETWORK_ACCEPT,  /* accept() operation. */
696         CCS_NETWORK_SEND,    /* send() operation. */
697 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
698         CCS_NETWORK_RECV,    /* recv() operation. */
699 #endif
700         CCS_MAX_NETWORK_OPERATION
701 };
702 
703 /* Index numbers for access controls with two pathnames. */
704 enum ccs_path2_acl_index {
705         CCS_TYPE_LINK,
706         CCS_TYPE_RENAME,
707         CCS_TYPE_PIVOT_ROOT,
708         CCS_MAX_PATH2_OPERATION
709 };
710 
711 /* Index numbers for access controls with one pathname. */
712 enum ccs_path_acl_index {
713         CCS_TYPE_EXECUTE,
714         CCS_TYPE_READ,
715         CCS_TYPE_WRITE,
716         CCS_TYPE_APPEND,
717         CCS_TYPE_UNLINK,
718 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
719         CCS_TYPE_GETATTR,
720 #endif
721         CCS_TYPE_RMDIR,
722         CCS_TYPE_TRUNCATE,
723         CCS_TYPE_SYMLINK,
724         CCS_TYPE_CHROOT,
725         CCS_TYPE_UMOUNT,
726         CCS_MAX_PATH_OPERATION
727 };
728 
729 /* Index numbers for access controls with one pathname and one number. */
730 enum ccs_path_number_acl_index {
731         CCS_TYPE_CREATE,
732         CCS_TYPE_MKDIR,
733         CCS_TYPE_MKFIFO,
734         CCS_TYPE_MKSOCK,
735         CCS_TYPE_IOCTL,
736         CCS_TYPE_CHMOD,
737         CCS_TYPE_CHOWN,
738         CCS_TYPE_CHGRP,
739         CCS_MAX_PATH_NUMBER_OPERATION
740 };
741 
742 /* Index numbers for stat(). */
743 enum ccs_path_stat_index {
744         /* Do not change this order. */
745         CCS_PATH1,
746         CCS_PATH1_PARENT,
747         CCS_PATH2,
748         CCS_PATH2_PARENT,
749         CCS_MAX_PATH_STAT
750 };
751 
752 /* Index numbers for entry type. */
753 enum ccs_policy_id {
754 #ifdef CONFIG_CCSECURITY_PORTRESERVE
755         CCS_ID_RESERVEDPORT,
756 #endif
757         CCS_ID_GROUP,
758 #ifdef CONFIG_CCSECURITY_NETWORK
759         CCS_ID_ADDRESS_GROUP,
760 #endif
761         CCS_ID_PATH_GROUP,
762         CCS_ID_NUMBER_GROUP,
763         CCS_ID_AGGREGATOR,
764         CCS_ID_TRANSITION_CONTROL,
765         CCS_ID_MANAGER,
766         CCS_ID_CONDITION,
767         CCS_ID_NAME,
768         CCS_ID_ACL,
769         CCS_ID_DOMAIN,
770         CCS_MAX_POLICY
771 };
772 
773 /* Index numbers for /proc/ccs/stat interface. */
774 enum ccs_policy_stat_type {
775         /* Do not change this order. */
776         CCS_STAT_POLICY_UPDATES,
777         CCS_STAT_POLICY_LEARNING,   /* == CCS_CONFIG_LEARNING */
778         CCS_STAT_POLICY_PERMISSIVE, /* == CCS_CONFIG_PERMISSIVE */
779         CCS_STAT_POLICY_ENFORCING,  /* == CCS_CONFIG_ENFORCING */
780         CCS_MAX_POLICY_STAT
781 };
782 
783 /* Index numbers for profile's PREFERENCE values. */
784 enum ccs_pref_index {
785         CCS_PREF_MAX_AUDIT_LOG,
786         CCS_PREF_MAX_LEARNING_ENTRY,
787         CCS_PREF_ENFORCING_PENALTY,
788         CCS_MAX_PREF
789 };
790 
791 /* Index numbers for /proc/ccs/ interfaces. */
792 enum ccs_proc_interface_index {
793         CCS_DOMAIN_POLICY,
794         CCS_EXCEPTION_POLICY,
795         CCS_PROCESS_STATUS,
796         CCS_STAT,
797         CCS_AUDIT,
798         CCS_VERSION,
799         CCS_PROFILE,
800         CCS_QUERY,
801         CCS_MANAGER,
802 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
803         CCS_EXECUTE_HANDLER,
804 #endif
805 };
806 
807 /* Index numbers for special mount operations. */
808 enum ccs_special_mount {
809         CCS_MOUNT_BIND,            /* mount --bind /source /dest   */
810         CCS_MOUNT_MOVE,            /* mount --move /old /new       */
811         CCS_MOUNT_REMOUNT,         /* mount -o remount /dir        */
812         CCS_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
813         CCS_MOUNT_MAKE_PRIVATE,    /* mount --make-private /dir    */
814         CCS_MOUNT_MAKE_SLAVE,      /* mount --make-slave /dir      */
815         CCS_MOUNT_MAKE_SHARED,     /* mount --make-shared /dir     */
816         CCS_MAX_SPECIAL_MOUNT
817 };
818 
819 /* Index numbers for domain transition control keywords. */
820 enum ccs_transition_type {
821         /* Do not change this order, */
822         CCS_TRANSITION_CONTROL_NO_RESET,
823         CCS_TRANSITION_CONTROL_RESET,
824         CCS_TRANSITION_CONTROL_NO_INITIALIZE,
825         CCS_TRANSITION_CONTROL_INITIALIZE,
826         CCS_TRANSITION_CONTROL_NO_KEEP,
827         CCS_TRANSITION_CONTROL_KEEP,
828         CCS_MAX_TRANSITION_TYPE
829 };
830 
831 /* Index numbers for type of numeric values. */
832 enum ccs_value_type {
833         CCS_VALUE_TYPE_INVALID,
834         CCS_VALUE_TYPE_DECIMAL,
835         CCS_VALUE_TYPE_OCTAL,
836         CCS_VALUE_TYPE_HEXADECIMAL,
837 };
838 
839 /* Constants definition for internal use. */
840 
841 /*
842  * TOMOYO uses this hash only when appending a string into the string table.
843  * Frequency of appending strings is very low. So we don't need large (e.g.
844  * 64k) hash size. 256 will be sufficient.
845  */
846 #define CCS_HASH_BITS 8
847 #define CCS_MAX_HASH (1u << CCS_HASH_BITS)
848 
849 /*
850  * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
851  * Therefore, we don't need SOCK_MAX.
852  */
853 #define CCS_SOCK_MAX 6
854 
855 /* Size of temporary buffer for execve() operation. */
856 #define CCS_EXEC_TMPSIZE     4096
857 
858 /* Garbage collector is trying to kfree() this element. */
859 #define CCS_GC_IN_PROGRESS -1
860 
861 /* Profile number is an integer between 0 and 255. */
862 #define CCS_MAX_PROFILES 256
863 
864 /* Group number is an integer between 0 and 255. */
865 #define CCS_MAX_ACL_GROUPS 256
866 
867 /* Current thread is doing open(O_RDONLY | O_TRUNC) ? */
868 #define CCS_OPEN_FOR_READ_TRUNCATE        1
869 /* Current thread is doing open(3) ? */
870 #define CCS_OPEN_FOR_IOCTL_ONLY           2
871 /* Current thread is doing do_execve() ? */
872 #define CCS_TASK_IS_IN_EXECVE             4
873 /* Current thread is running as an execute handler program? */
874 #define CCS_TASK_IS_EXECUTE_HANDLER       8
875 /* Current thread is allowed to modify policy via /proc/ccs/ interface? */
876 #define CCS_TASK_IS_MANAGER              16
877 
878 /*
879  * Retry this request. Returned by ccs_supervisor() if policy violation has
880  * occurred in enforcing mode and the userspace daemon decided to retry.
881  *
882  * We must choose a positive value in order to distinguish "granted" (which is
883  * 0) and "rejected" (which is a negative value) and "retry".
884  */
885 #define CCS_RETRY_REQUEST 1
886 
887 /* The gfp flags used by TOMOYO. */
888 #define CCS_GFP_FLAGS GFP_NOFS
889 
890 /* Size of read buffer for /proc/ccs/ interface. */
891 #define CCS_MAX_IO_READ_QUEUE 64
892 
893 /* Structure definition for internal use. */
894 
895 /* Common header for holding ACL entries. */
896 struct ccs_acl_head {
897         struct list_head list;
898         s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
899 } __packed;
900 
901 /* Common header for shared entries. */
902 struct ccs_shared_acl_head {
903         struct list_head list;
904         atomic_t users;
905 } __packed;
906 
907 /* Common header for individual entries. */
908 struct ccs_acl_info {
909         struct list_head list;
910         struct ccs_condition *cond; /* Maybe NULL. */
911         s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
912         u8 type; /* One of values in "enum ccs_acl_entry_type_index". */
913         u16 perm;
914 } __packed;
915 
916 /* Structure for holding a word. */
917 struct ccs_name_union {
918         /* Either @filename or @group is NULL. */
919         const struct ccs_path_info *filename;
920         struct ccs_group *group;
921 };
922 
923 /* Structure for holding a number. */
924 struct ccs_number_union {
925         unsigned long values[2];
926         struct ccs_group *group; /* Maybe NULL. */
927         /* One of values in "enum ccs_value_type". */
928         u8 value_type[2];
929 };
930 
931 /* Structure for holding an IP address. */
932 struct ccs_ipaddr_union {
933         struct in6_addr ip[2]; /* Big endian. */
934         struct ccs_group *group; /* Pointer to address group. */
935         bool is_ipv6; /* Valid only if @group == NULL. */
936 };
937 
938 /* Structure for "path_group"/"number_group"/"address_group" directive. */
939 struct ccs_group {
940         struct ccs_shared_acl_head head;
941         /* Name of group (without leading '@'). */
942         const struct ccs_path_info *group_name;
943         /*
944          * List of "struct ccs_path_group" or "struct ccs_number_group" or
945          * "struct ccs_address_group".
946          */
947         struct list_head member_list;
948 };
949 
950 /* Structure for "path_group" directive. */
951 struct ccs_path_group {
952         struct ccs_acl_head head;
953         const struct ccs_path_info *member_name;
954 };
955 
956 /* Structure for "number_group" directive. */
957 struct ccs_number_group {
958         struct ccs_acl_head head;
959         struct ccs_number_union number;
960 };
961 
962 /* Structure for "address_group" directive. */
963 struct ccs_address_group {
964         struct ccs_acl_head head;
965         /* Structure for holding an IP address. */
966         struct ccs_ipaddr_union address;
967 };
968 
969 /* Subset of "struct stat". Used by conditional ACL and audit logs. */
970 struct ccs_mini_stat {
971 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
972         kuid_t uid;
973         kgid_t gid;
974 #else
975         uid_t uid;
976         gid_t gid;
977 #endif
978         ino_t ino;
979         umode_t mode;
980         dev_t dev;
981         dev_t rdev;
982 };
983 
984 /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */
985 struct ccs_page_dump {
986         struct page *page;    /* Previously dumped page. */
987         char *data;           /* Contents of "page". Size is PAGE_SIZE. */
988 };
989 
990 /* Structure for attribute checks in addition to pathname checks. */
991 struct ccs_obj_info {
992         /* True if ccs_get_attributes() was already called, false otherwise. */
993         bool validate_done;
994         /* True if @stat[] is valid. */
995         bool stat_valid[CCS_MAX_PATH_STAT];
996         /* First pathname. Initialized with { NULL, NULL } if no path. */
997         struct path path1;
998         /* Second pathname. Initialized with { NULL, NULL } if no path. */
999         struct path path2;
1000         /*
1001          * Information on @path1, @path1's parent directory, @path2, @path2's
1002          * parent directory.
1003          */
1004         struct ccs_mini_stat stat[CCS_MAX_PATH_STAT];
1005         /*
1006          * Content of symbolic link to be created. NULL for operations other
1007          * than symlink().
1008          */
1009         struct ccs_path_info *symlink_target;
1010 };
1011 
1012 /* Structure for entries which follows "struct ccs_condition". */
1013 struct ccs_condition_element {
1014         /*
1015          * Left hand operand. A "struct ccs_argv" for CCS_ARGV_ENTRY, a
1016          * "struct ccs_envp" for CCS_ENVP_ENTRY is attached to the tail
1017          * of the array of this struct.
1018          */
1019         u8 left;
1020         /*
1021          * Right hand operand. A "struct ccs_number_union" for
1022          * CCS_NUMBER_UNION, a "struct ccs_name_union" for CCS_NAME_UNION is
1023          * attached to the tail of the array of this struct.
1024          */
1025         u8 right;
1026         /* Equation operator. True if equals or overlaps, false otherwise. */
1027         bool equals;
1028 };
1029 
1030 /* Structure for optional arguments. */
1031 struct ccs_condition {
1032         struct ccs_shared_acl_head head;
1033         u32 size; /* Memory size allocated for this entry. */
1034         u16 condc; /* Number of conditions in this struct. */
1035         u16 numbers_count; /* Number of "struct ccs_number_union values". */
1036         u16 names_count; /* Number of "struct ccs_name_union names". */
1037         u16 argc; /* Number of "struct ccs_argv". */
1038         u16 envc; /* Number of "struct ccs_envp". */
1039         u8 grant_log; /* One of values in "enum ccs_grant_log". */
1040         bool exec_transit; /* True if transit is for "file execute". */
1041         const struct ccs_path_info *transit; /* Maybe NULL. */
1042         /*
1043          * struct ccs_condition_element condition[condc];
1044          * struct ccs_number_union values[numbers_count];
1045          * struct ccs_name_union names[names_count];
1046          * struct ccs_argv argv[argc];
1047          * struct ccs_envp envp[envc];
1048          */
1049 };
1050 
1051 struct ccs_execve;
1052 struct ccs_policy_namespace;
1053 
1054 /* Structure for request info. */
1055 struct ccs_request_info {
1056         /*
1057          * For holding parameters specific to operations which deal files.
1058          * NULL if not dealing files.
1059          */
1060         struct ccs_obj_info *obj;
1061         /*
1062          * For holding parameters specific to execve() request.
1063          * NULL if not dealing do_execve().
1064          */
1065         struct ccs_execve *ee;
1066         /*
1067          * For holding parameters.
1068          * Pointers in this union are not NULL except path->matched_path.
1069          */
1070         union {
1071                 struct {
1072                         const struct ccs_path_info *filename;
1073                         /*
1074                          * For using wildcards at ccs_find_next_domain().
1075                          *
1076                          * The matched_acl cannot be used because it may refer
1077                          * a "struct ccs_path_acl" with ->is_group == true.
1078                          * We want to use exact "struct ccs_path_info" rather
1079                          * than "struct ccs_path_acl".
1080                          */
1081                         const struct ccs_path_info *matched_path;
1082                         /* One of values in "enum ccs_path_acl_index". */
1083                         u8 operation;
1084                 } path;
1085                 struct {
1086                         const struct ccs_path_info *filename1;
1087                         const struct ccs_path_info *filename2;
1088                         /* One of values in "enum ccs_path2_acl_index". */
1089                         u8 operation;
1090                 } path2;
1091                 struct {
1092                         const struct ccs_path_info *filename;
1093                         unsigned int mode;
1094                         unsigned int major;
1095                         unsigned int minor;
1096                         /* One of values in "enum ccs_mkdev_acl_index". */
1097                         u8 operation;
1098                 } mkdev;
1099                 struct {
1100                         const struct ccs_path_info *filename;
1101                         unsigned long number;
1102                         /*
1103                          * One of values in "enum ccs_path_number_acl_index".
1104                          */
1105                         u8 operation;
1106                 } path_number;
1107 #ifdef CONFIG_CCSECURITY_NETWORK
1108                 struct {
1109                         const u32 *address; /* Big endian. */
1110                         u16 port; /* Host endian. */
1111                         /* One of values smaller than CCS_SOCK_MAX. */
1112                         u8 protocol;
1113                         /* One of values in "enum ccs_network_acl_index". */
1114                         u8 operation;
1115                         bool is_ipv6;
1116                 } inet_network;
1117                 struct {
1118                         const struct ccs_path_info *address;
1119                         /* One of values smaller than CCS_SOCK_MAX. */
1120                         u8 protocol;
1121                         /* One of values in "enum ccs_network_acl_index". */
1122                         u8 operation;
1123                 } unix_network;
1124 #endif
1125 #ifdef CONFIG_CCSECURITY_MISC
1126                 struct {
1127                         const struct ccs_path_info *name;
1128                 } environ;
1129 #endif
1130 #ifdef CONFIG_CCSECURITY_CAPABILITY
1131                 struct {
1132                         /* One of values in "enum ccs_capability_acl_index". */
1133                         u8 operation;
1134                 } capability;
1135 #endif
1136 #ifdef CONFIG_CCSECURITY_IPC
1137                 struct {
1138                         const char *dest_pattern;
1139                         int sig;
1140                 } signal;
1141 #endif
1142                 struct {
1143                         const struct ccs_path_info *type;
1144                         const struct ccs_path_info *dir;
1145                         const struct ccs_path_info *dev;
1146                         unsigned long flags;
1147                         int need_dev;
1148                 } mount;
1149 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
1150                 struct {
1151                         const struct ccs_path_info *domainname;
1152                 } task;
1153 #endif
1154         } param;
1155         /*
1156          * For updating current->ccs_domain_info at ccs_update_task_domain().
1157          * Initialized to NULL at ccs_init_request_info().
1158          * Matching "struct ccs_acl_info" is copied if access request was
1159          * granted. Re-initialized to NULL at ccs_update_task_domain().
1160          */
1161         struct ccs_acl_info *matched_acl;
1162         u8 param_type; /* One of values in "enum ccs_acl_entry_type_index". */
1163         bool granted; /* True if granted, false otherwise. */
1164         /* True if current thread should not be carried sleep penalty. */
1165         bool dont_sleep_on_enforce_error;
1166         /*
1167          * For counting number of retries made for this request.
1168          * This counter is incremented whenever ccs_supervisor() returned
1169          * CCS_RETRY_REQUEST.
1170          */
1171         u8 retry;
1172         /*
1173          * For holding profile number used for this request.
1174          * One of values between 0 and CCS_MAX_PROFILES - 1.
1175          */
1176         u8 profile;
1177         /*
1178          * For holding operation mode used for this request.
1179          * One of CCS_CONFIG_DISABLED, CCS_CONFIG_LEARNING,
1180          * CCS_CONFIG_PERMISSIVE, CCS_CONFIG_ENFORCING.
1181          */
1182         u8 mode;
1183         /*
1184          * For holding operation index used for this request.
1185          * Used by ccs_init_request_info() / ccs_get_mode() /
1186          * ccs_write_log(). One of values in "enum ccs_mac_index".
1187          */
1188         u8 type;
1189 };
1190 
1191 /* Structure for holding a token. */
1192 struct ccs_path_info {
1193         const char *name;
1194         u32 hash;          /* = full_name_hash(name, strlen(name)) */
1195         u16 total_len;     /* = strlen(name)                       */
1196         u16 const_len;     /* = ccs_const_part_length(name)        */
1197         bool is_dir;       /* = ccs_strendswith(name, "/")         */
1198         bool is_patterned; /* = const_len < total_len              */
1199 };
1200 
1201 /* Structure for execve() operation. */
1202 struct ccs_execve {
1203         struct ccs_request_info r;
1204         struct ccs_obj_info obj;
1205         struct linux_binprm *bprm;
1206         struct ccs_domain_info *previous_domain;
1207         const struct ccs_path_info *transition;
1208         /* For execute_handler */
1209         const struct ccs_path_info *handler;
1210         char *handler_path; /* = kstrdup(handler->name, CCS_GFP_FLAGS) */
1211         /* For dumping argv[] and envp[]. */
1212         struct ccs_page_dump dump;
1213         /* For temporary use. */
1214         char *tmp; /* Size is CCS_EXEC_TMPSIZE bytes */
1215 };
1216 
1217 /* Structure for domain information. */
1218 struct ccs_domain_info {
1219         struct list_head list;
1220         struct list_head acl_info_list;
1221         /* Name of this domain. Never NULL.          */
1222         const struct ccs_path_info *domainname;
1223         /* Namespace for this domain. Never NULL. */
1224         struct ccs_policy_namespace *ns;
1225         /* Group numbers to use. */
1226         unsigned long group[CCS_MAX_ACL_GROUPS / BITS_PER_LONG];
1227         u8 profile;        /* Profile number to use. */
1228         bool is_deleted;   /* Delete flag.           */
1229         bool flags[CCS_MAX_DOMAIN_INFO_FLAGS];
1230 };
1231 
1232 /*
1233  * Structure for "reset_domain"/"no_reset_domain"/"initialize_domain"/
1234  * "no_initialize_domain"/"keep_domain"/"no_keep_domain" keyword.
1235  */
1236 struct ccs_transition_control {
1237         struct ccs_acl_head head;
1238         u8 type; /* One of values in "enum ccs_transition_type" */
1239         bool is_last_name; /* True if the domainname is ccs_last_word(). */
1240         const struct ccs_path_info *domainname; /* Maybe NULL */
1241         const struct ccs_path_info *program;    /* Maybe NULL */
1242 };
1243 
1244 /* Structure for "aggregator" keyword. */
1245 struct ccs_aggregator {
1246         struct ccs_acl_head head;
1247         const struct ccs_path_info *original_name;
1248         const struct ccs_path_info *aggregated_name;
1249 };
1250 
1251 /* Structure for "deny_autobind" keyword. */
1252 struct ccs_reserved {
1253         struct ccs_acl_head head;
1254         struct ccs_number_union port;
1255 };
1256 
1257 /* Structure for policy manager. */
1258 struct ccs_manager {
1259         struct ccs_acl_head head;
1260         /* A path to program or a domainname. */
1261         const struct ccs_path_info *manager;
1262 };
1263 
1264 /* Structure for argv[]. */
1265 struct ccs_argv {
1266         unsigned long index;
1267         const struct ccs_path_info *value;
1268         bool is_not;
1269 };
1270 
1271 /* Structure for envp[]. */
1272 struct ccs_envp {
1273         const struct ccs_path_info *name;
1274         const struct ccs_path_info *value;
1275         bool is_not;
1276 };
1277 
1278 /*
1279  * Structure for "task auto_execute_handler" and "task denied_execute_handler"
1280  * directive.
1281  *
1282  * If "task auto_execute_handler" directive exists and the current process is
1283  * not an execute handler, all execve() requests are replaced by execve()
1284  * requests of a program specified by "task auto_execute_handler" directive.
1285  * If the current process is an execute handler, "task auto_execute_handler"
1286  * and "task denied_execute_handler" directives are ignored.
1287  * The program specified by "task execute_handler" validates execve()
1288  * parameters and executes the original execve() requests if appropriate.
1289  *
1290  * "task denied_execute_handler" directive is used only when execve() request
1291  * was rejected in enforcing mode (i.e. CONFIG::file::execute={ mode=enforcing
1292  * }). The program specified by "task denied_execute_handler" does whatever it
1293  * wants to do (e.g. silently terminate, change firewall settings, redirect the
1294  * user to honey pot etc.).
1295  */
1296 struct ccs_handler_acl {
1297         struct ccs_acl_info head;       /* type = CCS_TYPE_*_EXECUTE_HANDLER */
1298         const struct ccs_path_info *handler; /* Pointer to single pathname.  */
1299 };
1300 
1301 /*
1302  * Structure for "task auto_domain_transition" and
1303  * "task manual_domain_transition" directive.
1304  */
1305 struct ccs_task_acl {
1306         struct ccs_acl_info head; /* type = CCS_TYPE_*_TASK_ACL */
1307         /* Pointer to domainname. */
1308         const struct ccs_path_info *domainname;
1309 };
1310 
1311 /*
1312  * Structure for "file execute", "file read", "file write", "file append",
1313  * "file unlink", "file getattr", "file rmdir", "file truncate",
1314  * "file symlink", "file chroot" and "file unmount" directive.
1315  */
1316 struct ccs_path_acl {
1317         struct ccs_acl_info head; /* type = CCS_TYPE_PATH_ACL */
1318         struct ccs_name_union name;
1319 };
1320 
1321 /*
1322  * Structure for "file rename", "file link" and "file pivot_root" directive.
1323  */
1324 struct ccs_path2_acl {
1325         struct ccs_acl_info head; /* type = CCS_TYPE_PATH2_ACL */
1326         struct ccs_name_union name1;
1327         struct ccs_name_union name2;
1328 };
1329 
1330 /*
1331  * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
1332  * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
1333  */
1334 struct ccs_path_number_acl {
1335         struct ccs_acl_info head; /* type = CCS_TYPE_PATH_NUMBER_ACL */
1336         struct ccs_name_union name;
1337         struct ccs_number_union number;
1338 };
1339 
1340 /* Structure for "file mkblock" and "file mkchar" directive. */
1341 struct ccs_mkdev_acl {
1342         struct ccs_acl_info head; /* type = CCS_TYPE_MKDEV_ACL */
1343         struct ccs_name_union name;
1344         struct ccs_number_union mode;
1345         struct ccs_number_union major;
1346         struct ccs_number_union minor;
1347 };
1348 
1349 /* Structure for "file mount" directive. */
1350 struct ccs_mount_acl {
1351         struct ccs_acl_info head; /* type = CCS_TYPE_MOUNT_ACL */
1352         struct ccs_name_union dev_name;
1353         struct ccs_name_union dir_name;
1354         struct ccs_name_union fs_type;
1355         struct ccs_number_union flags;
1356 };
1357 
1358 /* Structure for "misc env" directive in domain policy. */
1359 struct ccs_env_acl {
1360         struct ccs_acl_info head;        /* type = CCS_TYPE_ENV_ACL  */
1361         const struct ccs_path_info *env; /* environment variable */
1362 };
1363 
1364 /* Structure for "capability" directive. */
1365 struct ccs_capability_acl {
1366         struct ccs_acl_info head; /* type = CCS_TYPE_CAPABILITY_ACL */
1367         u8 operation; /* One of values in "enum ccs_capability_acl_index". */
1368 };
1369 
1370 /* Structure for "ipc signal" directive. */
1371 struct ccs_signal_acl {
1372         struct ccs_acl_info head; /* type = CCS_TYPE_SIGNAL_ACL */
1373         struct ccs_number_union sig;
1374         /* Pointer to destination pattern. */
1375         const struct ccs_path_info *domainname;
1376 };
1377 
1378 /* Structure for "network inet" directive. */
1379 struct ccs_inet_acl {
1380         struct ccs_acl_info head; /* type = CCS_TYPE_INET_ACL */
1381         u8 protocol;
1382         struct ccs_ipaddr_union address;
1383         struct ccs_number_union port;
1384 };
1385 
1386 /* Structure for "network unix" directive. */
1387 struct ccs_unix_acl {
1388         struct ccs_acl_info head; /* type = CCS_TYPE_UNIX_ACL */
1389         u8 protocol;
1390         struct ccs_name_union name;
1391 };
1392 
1393 /* Structure for holding string data. */
1394 struct ccs_name {
1395         struct ccs_shared_acl_head head;
1396         int size; /* Memory size allocated for this entry. */
1397         struct ccs_path_info entry;
1398 };
1399 
1400 /* Structure for holding a line from /proc/ccs/ interface. */
1401 struct ccs_acl_param {
1402         char *data; /* Unprocessed data. */
1403         struct list_head *list; /* List to add or remove. */
1404         struct ccs_policy_namespace *ns; /* Namespace to use. */
1405         bool is_delete; /* True if it is a delete request. */
1406         union ccs_acl_union {
1407                 struct ccs_acl_info acl_info;
1408                 struct ccs_handler_acl handler_acl;
1409                 struct ccs_task_acl task_acl;
1410                 struct ccs_path_acl path_acl;
1411                 struct ccs_path2_acl path2_acl;
1412                 struct ccs_path_number_acl path_number_acl;
1413                 struct ccs_mkdev_acl mkdev_acl;
1414                 struct ccs_mount_acl mount_acl;
1415                 struct ccs_env_acl env_acl;
1416                 struct ccs_capability_acl capability_acl;
1417                 struct ccs_signal_acl signal_acl;
1418                 struct ccs_inet_acl inet_acl;
1419                 struct ccs_unix_acl unix_acl;
1420                 /**/
1421                 struct ccs_acl_head acl_head;
1422                 struct ccs_transition_control transition_control;
1423                 struct ccs_aggregator aggregator;
1424                 struct ccs_reserved reserved;
1425                 struct ccs_manager manager;
1426                 struct ccs_path_group path_group;
1427                 struct ccs_number_group number_group;
1428                 struct ccs_address_group address_group;
1429         } e;
1430 };
1431 
1432 /* Structure for reading/writing policy via /proc/ccs/ interfaces. */
1433 struct ccs_io_buffer {
1434         /* Exclusive lock for this structure.   */
1435         struct mutex io_sem;
1436         char __user *read_user_buf;
1437         size_t read_user_buf_avail;
1438         struct {
1439                 struct list_head *ns;
1440                 struct list_head *domain;
1441                 struct list_head *group;
1442                 struct list_head *acl;
1443                 size_t avail;
1444                 unsigned int step;
1445                 unsigned int query_index;
1446                 u16 index;
1447                 u16 cond_index;
1448                 u8 acl_group_index;
1449                 u8 cond_step;
1450                 u8 bit;
1451                 u8 w_pos;
1452                 bool eof;
1453                 bool print_this_domain_only;
1454                 bool print_transition_related_only;
1455                 bool print_cond_part;
1456                 const char *w[CCS_MAX_IO_READ_QUEUE];
1457         } r;
1458         struct {
1459                 struct ccs_policy_namespace *ns;
1460                 struct ccs_domain_info *domain;
1461                 size_t avail;
1462                 bool is_delete;
1463         } w;
1464         /* Buffer for reading.                  */
1465         char *read_buf;
1466         /* Size of read buffer.                 */
1467         size_t readbuf_size;
1468         /* Buffer for writing.                  */
1469         char *write_buf;
1470         /* Size of write buffer.                */
1471         size_t writebuf_size;
1472         /* Type of interface. */
1473         enum ccs_proc_interface_index type;
1474         /* Users counter protected by ccs_io_buffer_list_lock. */
1475         u8 users;
1476         /* List for telling GC not to kfree() elements. */
1477         struct list_head list;
1478 };
1479 
1480 /* Structure for /proc/ccs/profile interface. */
1481 struct ccs_profile {
1482         const struct ccs_path_info *comment;
1483         u8 default_config;
1484         u8 config[CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX];
1485         unsigned int pref[CCS_MAX_PREF];
1486 };
1487 
1488 /* Structure for representing YYYY/MM/DD hh/mm/ss. */
1489 struct ccs_time {
1490         u16 year;
1491         u8 month;
1492         u8 day;
1493         u8 hour;
1494         u8 min;
1495         u8 sec;
1496 };
1497 
1498 /* Structure for policy namespace. */
1499 struct ccs_policy_namespace {
1500         /* Profile table. Memory is allocated as needed. */
1501         struct ccs_profile *profile_ptr[CCS_MAX_PROFILES];
1502         /* List of "struct ccs_group". */
1503         struct list_head group_list[CCS_MAX_GROUP];
1504         /* List of policy. */
1505         struct list_head policy_list[CCS_MAX_POLICY];
1506         /* The global ACL referred by "use_group" keyword. */
1507         struct list_head acl_group[CCS_MAX_ACL_GROUPS];
1508         /* List for connecting to ccs_namespace_list list. */
1509         struct list_head namespace_list;
1510         /* Profile version. Currently only 20150505 is supported. */
1511         unsigned int profile_version;
1512         /* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */
1513         const char *name;
1514 };
1515 
1516 /* Prototype definition for "struct ccsecurity_operations". */
1517 
1518 void __init ccs_permission_init(void);
1519 void __init ccs_mm_init(void);
1520 
1521 /* Prototype definition for internal use. */
1522 
1523 bool ccs_dump_page(struct linux_binprm *bprm, unsigned long pos,
1524                    struct ccs_page_dump *dump);
1525 bool ccs_memory_ok(const void *ptr, const unsigned int size);
1526 char *ccs_encode(const char *str);
1527 char *ccs_encode2(const char *str, int str_len);
1528 char *ccs_realpath(const struct path *path);
1529 const char *ccs_get_exe(void);
1530 const struct ccs_path_info *ccs_get_name(const char *name);
1531 int ccs_audit_log(struct ccs_request_info *r);
1532 int ccs_check_acl(struct ccs_request_info *r);
1533 int ccs_init_request_info(struct ccs_request_info *r, const u8 index);
1534 struct ccs_domain_info *ccs_assign_domain(const char *domainname,
1535                                           const bool transit);
1536 u8 ccs_get_config(const u8 profile, const u8 index);
1537 void *ccs_commit_ok(void *data, const unsigned int size);
1538 void ccs_del_acl(struct list_head *element);
1539 void ccs_del_condition(struct list_head *element);
1540 void ccs_fill_path_info(struct ccs_path_info *ptr);
1541 void ccs_get_attributes(struct ccs_obj_info *obj);
1542 void ccs_notify_gc(struct ccs_io_buffer *head, const bool is_register);
1543 void ccs_transition_failed(const char *domainname);
1544 void ccs_warn_oom(const char *function);
1545 void ccs_write_log(struct ccs_request_info *r, const char *fmt, ...)
1546         __printf(2, 3);
1547 
1548 /* Variable definition for internal use. */
1549 
1550 extern bool ccs_policy_loaded;
1551 extern const char * const ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS];
1552 extern const u8 ccs_c2mac[CCS_MAX_CAPABILITY_INDEX];
1553 extern const u8 ccs_pn2mac[CCS_MAX_PATH_NUMBER_OPERATION];
1554 extern const u8 ccs_pnnn2mac[CCS_MAX_MKDEV_OPERATION];
1555 extern const u8 ccs_pp2mac[CCS_MAX_PATH2_OPERATION];
1556 extern struct ccs_domain_info ccs_kernel_domain;
1557 extern struct list_head ccs_condition_list;
1558 extern struct list_head ccs_domain_list;
1559 extern struct list_head ccs_name_list[CCS_MAX_HASH];
1560 extern struct list_head ccs_namespace_list;
1561 extern struct mutex ccs_policy_lock;
1562 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1563 extern struct srcu_struct ccs_ss;
1564 #endif
1565 extern unsigned int ccs_memory_quota[CCS_MAX_MEMORY_STAT];
1566 extern unsigned int ccs_memory_used[CCS_MAX_MEMORY_STAT];
1567 
1568 /* Inlined functions for internal use. */
1569 
1570 /**
1571  * ccs_pathcmp - strcmp() for "struct ccs_path_info" structure.
1572  *
1573  * @a: Pointer to "struct ccs_path_info".
1574  * @b: Pointer to "struct ccs_path_info".
1575  *
1576  * Returns true if @a != @b, false otherwise.
1577  */
1578 static inline bool ccs_pathcmp(const struct ccs_path_info *a,
1579                                const struct ccs_path_info *b)
1580 {
1581         return a->hash != b->hash || strcmp(a->name, b->name);
1582 }
1583 
1584 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1585 
1586 /**
1587  * ccs_read_lock - Take lock for protecting policy.
1588  *
1589  * Returns index number for ccs_read_unlock().
1590  */
1591 static inline int ccs_read_lock(void)
1592 {
1593         return srcu_read_lock(&ccs_ss);
1594 }
1595 
1596 /**
1597  * ccs_read_unlock - Release lock for protecting policy.
1598  *
1599  * @idx: Index number returned by ccs_read_lock().
1600  *
1601  * Returns nothing.
1602  */
1603 static inline void ccs_read_unlock(const int idx)
1604 {
1605         srcu_read_unlock(&ccs_ss, idx);
1606 }
1607 
1608 #else
1609 
1610 int ccs_lock(void);
1611 void ccs_unlock(const int idx);
1612 
1613 /**
1614  * ccs_read_lock - Take lock for protecting policy.
1615  *
1616  * Returns index number for ccs_read_unlock().
1617  */
1618 static inline int ccs_read_lock(void)
1619 {
1620         return ccs_lock();
1621 }
1622 
1623 /**
1624  * ccs_read_unlock - Release lock for protecting policy.
1625  *
1626  * @idx: Index number returned by ccs_read_lock().
1627  *
1628  * Returns nothing.
1629  */
1630 static inline void ccs_read_unlock(const int idx)
1631 {
1632         ccs_unlock(idx);
1633 }
1634 
1635 #endif
1636 
1637 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
1638 
1639 /**
1640  * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1641  *
1642  * Returns nothing.
1643  */
1644 static inline void ccs_tasklist_lock(void)
1645 {
1646         rcu_read_lock();
1647 }
1648 
1649 /**
1650  * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1651  *
1652  * Returns nothing.
1653  */
1654 static inline void ccs_tasklist_unlock(void)
1655 {
1656         rcu_read_unlock();
1657 }
1658 
1659 #else
1660 
1661 /**
1662  * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1663  *
1664  * Returns nothing.
1665  */
1666 static inline void ccs_tasklist_lock(void)
1667 {
1668         read_lock(&tasklist_lock);
1669 }
1670 
1671 /**
1672  * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1673  *
1674  * Returns nothing.
1675  */
1676 static inline void ccs_tasklist_unlock(void)
1677 {
1678         read_unlock(&tasklist_lock);
1679 }
1680 
1681 #endif
1682 
1683 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1684 
1685 /**
1686  * ccs_sys_getppid - Copy of getppid().
1687  *
1688  * Returns parent process's PID.
1689  *
1690  * Alpha does not have getppid() defined. To be able to build this module on
1691  * Alpha, I have to copy getppid() from kernel/timer.c.
1692  */
1693 static inline pid_t ccs_sys_getppid(void)
1694 {
1695         pid_t pid;
1696         rcu_read_lock();
1697         pid = task_tgid_vnr(rcu_dereference(current->real_parent));
1698         rcu_read_unlock();
1699         return pid;
1700 }
1701 
1702 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
1703 
1704 /**
1705  * ccs_sys_getppid - Copy of getppid().
1706  *
1707  * Returns parent process's PID.
1708  *
1709  * This function was rewritten to use RCU in 2.6.16.34. However, distributors
1710  * which use earlier kernels (e.g. 2.6.8/2.6.9) did not backport the bugfix.
1711  * Therefore, I'm using code for 2.6.16.34 for earlier kernels.
1712  */
1713 static inline pid_t ccs_sys_getppid(void)
1714 {
1715         pid_t pid;
1716         rcu_read_lock();
1717 #if (defined(RHEL_MAJOR) && RHEL_MAJOR == 5) || (defined(AX_MAJOR) && AX_MAJOR == 3)
1718         pid = rcu_dereference(current->parent)->tgid;
1719 #elif defined(CONFIG_UTRACE)
1720         /*
1721          * RHEL 5.0 kernel does not have RHEL_MAJOR/RHEL_MINOR defined.
1722          * Assume RHEL 5.0 if CONFIG_UTRACE is defined.
1723          */
1724         pid = rcu_dereference(current->parent)->tgid;
1725 #else
1726         pid = rcu_dereference(current->real_parent)->tgid;
1727 #endif
1728         rcu_read_unlock();
1729         return pid;
1730 }
1731 
1732 #else
1733 
1734 /**
1735  * ccs_sys_getppid - Copy of getppid().
1736  *
1737  * Returns parent process's PID.
1738  *
1739  * I can't use code for 2.6.16.34 for 2.4 kernels because 2.4 kernels does not
1740  * have RCU. Therefore, I'm using pessimistic lock (i.e. tasklist_lock
1741  * spinlock).
1742  */
1743 static inline pid_t ccs_sys_getppid(void)
1744 {
1745         pid_t pid;
1746         read_lock(&tasklist_lock);
1747 #ifdef TASK_DEAD
1748         pid = current->group_leader->real_parent->tgid;
1749 #else
1750         pid = current->p_opptr->pid;
1751 #endif
1752         read_unlock(&tasklist_lock);
1753         return pid;
1754 }
1755 
1756 #endif
1757 
1758 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1759 
1760 /**
1761  * ccs_sys_getpid - Copy of getpid().
1762  *
1763  * Returns current thread's PID.
1764  *
1765  * Alpha does not have getpid() defined. To be able to build this module on
1766  * Alpha, I have to copy getpid() from kernel/timer.c.
1767  */
1768 static inline pid_t ccs_sys_getpid(void)
1769 {
1770         return task_tgid_vnr(current);
1771 }
1772 
1773 #else
1774 
1775 /**
1776  * ccs_sys_getpid - Copy of getpid().
1777  *
1778  * Returns current thread's PID.
1779  */
1780 static inline pid_t ccs_sys_getpid(void)
1781 {
1782         return current->tgid;
1783 }
1784 
1785 #endif
1786 
1787 /**
1788  * ccs_get_mode - Get mode for specified functionality.
1789  *
1790  * @profile: Profile number.
1791  * @index:   Functionality number.
1792  *
1793  * Returns mode.
1794  */
1795 static inline u8 ccs_get_mode(const u8 profile, const u8 index)
1796 {
1797         return ccs_get_config(profile, index) & (CCS_CONFIG_MAX_MODE - 1);
1798 }
1799 
1800 #if defined(CONFIG_SLOB)
1801 
1802 /**
1803  * ccs_round2 - Round up to power of 2 for calculating memory usage.
1804  *
1805  * @size: Size to be rounded up.
1806  *
1807  * Returns @size.
1808  *
1809  * Since SLOB does not round up, this function simply returns @size.
1810  */
1811 static inline int ccs_round2(size_t size)
1812 {
1813         return size;
1814 }
1815 
1816 #else
1817 
1818 /**
1819  * ccs_round2 - Round up to power of 2 for calculating memory usage.
1820  *
1821  * @size: Size to be rounded up.
1822  *
1823  * Returns rounded size.
1824  *
1825  * Strictly speaking, SLAB may be able to allocate (e.g.) 96 bytes instead of
1826  * (e.g.) 128 bytes.
1827  */
1828 static inline int ccs_round2(size_t size)
1829 {
1830 #if PAGE_SIZE == 4096
1831         size_t bsize = 32;
1832 #else
1833         size_t bsize = 64;
1834 #endif
1835         if (!size)
1836                 return 0;
1837         while (size > bsize)
1838                 bsize <<= 1;
1839         return bsize;
1840 }
1841 
1842 #endif
1843 
1844 /**
1845  * ccs_put_condition - Drop reference on "struct ccs_condition".
1846  *
1847  * @cond: Pointer to "struct ccs_condition". Maybe NULL.
1848  *
1849  * Returns nothing.
1850  */
1851 static inline void ccs_put_condition(struct ccs_condition *cond)
1852 {
1853         if (cond)
1854                 atomic_dec(&cond->head.users);
1855 }
1856 
1857 /**
1858  * ccs_put_group - Drop reference on "struct ccs_group".
1859  *
1860  * @group: Pointer to "struct ccs_group". Maybe NULL.
1861  *
1862  * Returns nothing.
1863  */
1864 static inline void ccs_put_group(struct ccs_group *group)
1865 {
1866         if (group)
1867                 atomic_dec(&group->head.users);
1868 }
1869 
1870 /**
1871  * ccs_put_name - Drop reference on "struct ccs_name".
1872  *
1873  * @name: Pointer to "struct ccs_path_info". Maybe NULL.
1874  *
1875  * Returns nothing.
1876  */
1877 static inline void ccs_put_name(const struct ccs_path_info *name)
1878 {
1879         if (name)
1880                 atomic_dec(&container_of(name, struct ccs_name, entry)->
1881                            head.users);
1882 }
1883 
1884 /* For importing variables and functions. */
1885 extern const struct ccsecurity_exports ccsecurity_exports;
1886 
1887 #ifdef CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY
1888 
1889 /*
1890  * Structure for holding "struct ccs_domain_info *" and "struct ccs_execve *"
1891  * and "u32 ccs_flags" for each "struct task_struct".
1892  *
1893  * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
1894  * are maintained outside that "struct task_struct". Therefore, ccs_security
1895  * != task_struct . This keeps KABI for distributor's prebuilt kernels but
1896  * entails slow access.
1897  *
1898  * Memory for this structure is allocated when current thread tries to access
1899  * it. Therefore, if memory allocation failed, current thread will be killed by
1900  * SIGKILL. Note that if current->pid == 1, sending SIGKILL won't work.
1901  */
1902 struct ccs_security {
1903         struct list_head list;
1904         const struct task_struct *task;
1905         struct ccs_domain_info *ccs_domain_info;
1906         u32 ccs_flags;
1907         struct rcu_head rcu;
1908 };
1909 
1910 #define CCS_TASK_SECURITY_HASH_BITS 12
1911 #define CCS_MAX_TASK_SECURITY_HASH (1u << CCS_TASK_SECURITY_HASH_BITS)
1912 extern struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
1913 
1914 struct ccs_security *ccs_find_task_security(const struct task_struct *task);
1915 
1916 /**
1917  * ccs_current_security - Get "struct ccs_security" for current thread.
1918  *
1919  * Returns pointer to "struct ccs_security" for current thread.
1920  */
1921 static inline struct ccs_security *ccs_current_security(void)
1922 {
1923         return ccs_find_task_security(current);
1924 }
1925 
1926 /**
1927  * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
1928  *
1929  * @task: Pointer to "struct task_struct".
1930  *
1931  * Returns pointer to "struct ccs_security" for specified thread.
1932  */
1933 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
1934 {
1935         struct ccs_domain_info *domain;
1936         rcu_read_lock();
1937         domain = ccs_find_task_security(task)->ccs_domain_info;
1938         rcu_read_unlock();
1939         return domain;
1940 }
1941 
1942 /**
1943  * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
1944  *
1945  * Returns pointer to "struct ccs_domain_info" for current thread.
1946  */
1947 static inline struct ccs_domain_info *ccs_current_domain(void)
1948 {
1949         return ccs_find_task_security(current)->ccs_domain_info;
1950 }
1951 
1952 /**
1953  * ccs_task_flags - Get flags for specified thread.
1954  *
1955  * @task: Pointer to "struct task_struct".
1956  *
1957  * Returns flags for specified thread.
1958  */
1959 static inline u32 ccs_task_flags(struct task_struct *task)
1960 {
1961         u32 ccs_flags;
1962         rcu_read_lock();
1963         ccs_flags = ccs_find_task_security(task)->ccs_flags;
1964         rcu_read_unlock();
1965         return ccs_flags;
1966 }
1967 
1968 /**
1969  * ccs_current_flags - Get flags for current thread.
1970  *
1971  * Returns flags for current thread.
1972  */
1973 static inline u32 ccs_current_flags(void)
1974 {
1975         return ccs_find_task_security(current)->ccs_flags;
1976 }
1977 
1978 #else
1979 
1980 /*
1981  * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
1982  * are maintained inside that "struct task_struct". Therefore, ccs_security ==
1983  * task_struct . This allows fast access but breaks KABI checks for
1984  * distributor's prebuilt kernels due to changes in "struct task_struct".
1985  */
1986 #define ccs_security task_struct
1987 
1988 /**
1989  * ccs_find_task_security - Find "struct ccs_security" for given task.
1990  *
1991  * @task: Pointer to "struct task_struct".
1992  *
1993  * Returns pointer to "struct ccs_security".
1994  */
1995 static inline struct ccs_security *ccs_find_task_security(struct task_struct *
1996                                                           task)
1997 {
1998         return task;
1999 }
2000 
2001 /**
2002  * ccs_current_security - Get "struct ccs_security" for current thread.
2003  *
2004  * Returns pointer to "struct ccs_security" for current thread.
2005  */
2006 static inline struct ccs_security *ccs_current_security(void)
2007 {
2008         return ccs_find_task_security(current);
2009 }
2010 
2011 /**
2012  * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
2013  *
2014  * @task: Pointer to "struct task_struct".
2015  *
2016  * Returns pointer to "struct ccs_security" for specified thread.
2017  */
2018 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
2019 {
2020         struct ccs_domain_info *domain = task->ccs_domain_info;
2021         return domain ? domain : &ccs_kernel_domain;
2022 }
2023 
2024 /**
2025  * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
2026  *
2027  * Returns pointer to "struct ccs_domain_info" for current thread.
2028  *
2029  * If current thread does not belong to a domain (which is true for initial
2030  * init_task in order to hide ccs_kernel_domain from this module),
2031  * current thread enters into ccs_kernel_domain.
2032  */
2033 static inline struct ccs_domain_info *ccs_current_domain(void)
2034 {
2035         struct task_struct *task = current;
2036         if (!task->ccs_domain_info)
2037                 task->ccs_domain_info = &ccs_kernel_domain;
2038         return task->ccs_domain_info;
2039 }
2040 
2041 /**
2042  * ccs_task_flags - Get flags for specified thread.
2043  *
2044  * @task: Pointer to "struct task_struct".
2045  *
2046  * Returns flags for specified thread.
2047  */
2048 static inline u32 ccs_task_flags(struct task_struct *task)
2049 {
2050         return ccs_find_task_security(task)->ccs_flags;
2051 }
2052 
2053 /**
2054  * ccs_current_flags - Get flags for current thread.
2055  *
2056  * Returns flags for current thread.
2057  */
2058 static inline u32 ccs_current_flags(void)
2059 {
2060         return ccs_find_task_security(current)->ccs_flags;
2061 }
2062 
2063 #endif
2064 
2065 /**
2066  * ccs_current_namespace - Get "struct ccs_policy_namespace" for current thread.
2067  *
2068  * Returns pointer to "struct ccs_policy_namespace" for current thread.
2069  */
2070 static inline struct ccs_policy_namespace *ccs_current_namespace(void)
2071 {
2072         return ccs_current_domain()->ns;
2073 }
2074 
2075 #endif
2076 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp