1 /*
2 * security/ccsecurity/internal.h
3 *
4 * Copyright (C) 2005-2012 NTT DATA CORPORATION
5 *
6 * Version: 1.8.5 2015/11/11
7 */
8
9 #ifndef _SECURITY_CCSECURITY_INTERNAL_H
10 #define _SECURITY_CCSECURITY_INTERNAL_H
11
12 #include <linux/version.h>
13 #include <linux/types.h>
14 #include <linux/kernel.h>
15 #include <linux/string.h>
16 #include <linux/mm.h>
17 #include <linux/utime.h>
18 #include <linux/file.h>
19 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 38)
20 #include <linux/smp_lock.h>
21 #endif
22 #include <linux/module.h>
23 #include <linux/init.h>
24 #include <linux/slab.h>
25 #include <linux/highmem.h>
26 #include <linux/poll.h>
27 #include <linux/binfmts.h>
28 #include <linux/delay.h>
29 #include <linux/sched.h>
30 #include <linux/dcache.h>
31 #include <linux/mount.h>
32 #include <linux/net.h>
33 #include <linux/inet.h>
34 #include <linux/in.h>
35 #include <linux/in6.h>
36 #include <linux/un.h>
37 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
38 #include <linux/fs.h>
39 #endif
40 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
41 #include <linux/namei.h>
42 #endif
43 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 30)
44 #include <linux/fs_struct.h>
45 #endif
46 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
47 #include <linux/namespace.h>
48 #endif
49 #include <linux/proc_fs.h>
50 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 0) || defined(RHEL_MAJOR)
51 #include <linux/hash.h>
52 #endif
53 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) || (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL))
54 #include <linux/sysctl.h>
55 #endif
56 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 6)
57 #include <linux/kthread.h>
58 #endif
59 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)
60 #include <linux/magic.h>
61 #endif
62 #include <stdarg.h>
63 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
64 #include <linux/uaccess.h>
65 #else
66 #include <asm/uaccess.h>
67 #endif
68 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
69 #include <linux/sched/signal.h>
70 #endif
71 #include <net/sock.h>
72 #include <net/af_unix.h>
73 #include <net/ip.h>
74 #include <net/ipv6.h>
75 #include <net/udp.h>
76
77 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
78 #define sk_family family
79 #define sk_protocol protocol
80 #define sk_type type
81 #endif
82
83 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
84
85 /* Structure for holding "struct vfsmount *" and "struct dentry *". */
86 struct path {
87 struct vfsmount *mnt;
88 struct dentry *dentry;
89 };
90
91 #endif
92
93 #ifndef __printf
94 #define __printf(a,b) __attribute__((format(printf,a,b)))
95 #endif
96 #ifndef __packed
97 #define __packed __attribute__((__packed__))
98 #endif
99 #ifndef bool
100 #define bool _Bool
101 #endif
102 #ifndef false
103 #define false 0
104 #endif
105 #ifndef true
106 #define true 1
107 #endif
108
109 #ifndef __user
110 #define __user
111 #endif
112
113 #ifndef current_uid
114 #define current_uid() (current->uid)
115 #endif
116 #ifndef current_gid
117 #define current_gid() (current->gid)
118 #endif
119 #ifndef current_euid
120 #define current_euid() (current->euid)
121 #endif
122 #ifndef current_egid
123 #define current_egid() (current->egid)
124 #endif
125 #ifndef current_suid
126 #define current_suid() (current->suid)
127 #endif
128 #ifndef current_sgid
129 #define current_sgid() (current->sgid)
130 #endif
131 #ifndef current_fsuid
132 #define current_fsuid() (current->fsuid)
133 #endif
134 #ifndef current_fsgid
135 #define current_fsgid() (current->fsgid)
136 #endif
137
138 #ifndef DEFINE_SPINLOCK
139 #define DEFINE_SPINLOCK(x) spinlock_t x = SPIN_LOCK_UNLOCKED
140 #endif
141
142 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16)
143 #define mutex semaphore
144 #define mutex_init(mutex) init_MUTEX(mutex)
145 #define mutex_unlock(mutex) up(mutex)
146 #define mutex_lock(mutex) down(mutex)
147 #define mutex_lock_interruptible(mutex) down_interruptible(mutex)
148 #define mutex_trylock(mutex) (!down_trylock(mutex))
149 #define DEFINE_MUTEX(mutexname) DECLARE_MUTEX(mutexname)
150 #endif
151
152 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 15)
153 #define MS_UNBINDABLE (1<<17) /* change to unbindable */
154 #define MS_PRIVATE (1<<18) /* change to private */
155 #define MS_SLAVE (1<<19) /* change to slave */
156 #define MS_SHARED (1<<20) /* change to shared */
157 #endif
158
159 #ifndef container_of
160 #define container_of(ptr, type, member) ({ \
161 const typeof(((type *)0)->member) *__mptr = (ptr); \
162 (type *)((char *)__mptr - offsetof(type, member)); })
163 #endif
164
165 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 0)
166 #define smp_read_barrier_depends smp_rmb
167 #endif
168
169 #ifndef ACCESS_ONCE
170 #define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
171 #endif
172
173 #ifndef rcu_dereference
174 #define rcu_dereference(p) ({ \
175 typeof(p) _________p1 = ACCESS_ONCE(p); \
176 smp_read_barrier_depends(); /* see RCU */ \
177 (_________p1); \
178 })
179 #endif
180
181 #ifndef rcu_assign_pointer
182 #define rcu_assign_pointer(p, v) \
183 ({ \
184 if (!__builtin_constant_p(v) || \
185 ((v) != NULL)) \
186 smp_wmb(); /* see RCU */ \
187 (p) = (v); \
188 })
189 #endif
190
191 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
192 #define f_vfsmnt f_path.mnt
193 #endif
194
195 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 14)
196
197 /**
198 * kzalloc() - Allocate memory. The memory is set to zero.
199 *
200 * @size: Size to allocate.
201 * @flags: GFP flags.
202 *
203 * Returns pointer to allocated memory on success, NULL otherwise.
204 *
205 * This is for compatibility with older kernels.
206 *
207 * Since several distributions backported kzalloc(), I define it as a macro
208 * rather than an inlined function in order to avoid multiple definition error.
209 */
210 #define kzalloc(size, flags) ({ \
211 void *ret = kmalloc((size), (flags)); \
212 if (ret) \
213 memset(ret, 0, (size)); \
214 ret; })
215
216 #endif
217
218 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 25)
219
220 /**
221 * path_put - Drop reference on "struct path".
222 *
223 * @path: Pointer to "struct path".
224 *
225 * Returns nothing.
226 *
227 * This is for compatibility with older kernels.
228 */
229 static inline void path_put(struct path *path)
230 {
231 dput(path->dentry);
232 mntput(path->mnt);
233 }
234
235 #endif
236
237 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
238
239 /**
240 * __list_add_rcu - Insert a new entry between two known consecutive entries.
241 *
242 * @new: Pointer to "struct list_head".
243 * @prev: Pointer to "struct list_head".
244 * @next: Pointer to "struct list_head".
245 *
246 * Returns nothing.
247 *
248 * This is for compatibility with older kernels.
249 */
250 static inline void __list_add_rcu(struct list_head *new,
251 struct list_head *prev,
252 struct list_head *next)
253 {
254 new->next = next;
255 new->prev = prev;
256 rcu_assign_pointer(prev->next, new);
257 next->prev = new;
258 }
259
260 /**
261 * list_add_tail_rcu - Add a new entry to rcu-protected list.
262 *
263 * @new: Pointer to "struct list_head".
264 * @head: Pointer to "struct list_head".
265 *
266 * Returns nothing.
267 *
268 * This is for compatibility with older kernels.
269 */
270 static inline void list_add_tail_rcu(struct list_head *new,
271 struct list_head *head)
272 {
273 __list_add_rcu(new, head->prev, head);
274 }
275
276 /**
277 * list_add_rcu - Add a new entry to rcu-protected list.
278 *
279 * @new: Pointer to "struct list_head".
280 * @head: Pointer to "struct list_head".
281 *
282 * Returns nothing.
283 *
284 * This is for compatibility with older kernels.
285 */
286 static inline void list_add_rcu(struct list_head *new, struct list_head *head)
287 {
288 __list_add_rcu(new, head, head->next);
289 }
290
291 #endif
292
293 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 38)
294
295 /**
296 * __list_del_entry - Deletes entry from list without re-initialization.
297 *
298 * @entry: Pointer to "struct list_head".
299 *
300 * Returns nothing.
301 *
302 * This is for compatibility with older kernels.
303 */
304 static inline void __list_del_entry(struct list_head *entry)
305 {
306 __list_del(entry->prev, entry->next);
307 }
308
309 #endif
310
311 #ifndef list_for_each_entry_safe
312
313 /**
314 * list_for_each_entry_safe - Iterate over list of given type safe against removal of list entry.
315 *
316 * @pos: The "type *" to use as a loop cursor.
317 * @n: Another "type *" to use as temporary storage.
318 * @head: Pointer to "struct list_head".
319 * @member: The name of the list_struct within the struct.
320 *
321 * This is for compatibility with older kernels.
322 */
323 #define list_for_each_entry_safe(pos, n, head, member) \
324 for (pos = list_entry((head)->next, typeof(*pos), member), \
325 n = list_entry(pos->member.next, typeof(*pos), member); \
326 &pos->member != (head); \
327 pos = n, n = list_entry(n->member.next, typeof(*n), member))
328
329 #endif
330
331 #ifndef srcu_dereference
332
333 /**
334 * srcu_dereference - Fetch SRCU-protected pointer with checking.
335 *
336 * @p: The pointer to read, prior to dereferencing.
337 * @ss: Pointer to "struct srcu_struct".
338 *
339 * Returns @p.
340 *
341 * This is for compatibility with older kernels.
342 */
343 #define srcu_dereference(p, ss) rcu_dereference(p)
344
345 #endif
346
347 #ifndef list_for_each_entry_srcu
348
349 /**
350 * list_for_each_entry_srcu - Iterate over rcu list of given type.
351 *
352 * @pos: The type * to use as a loop cursor.
353 * @head: The head for your list.
354 * @member: The name of the list_struct within the struct.
355 * @ss: Pointer to "struct srcu_struct".
356 *
357 * As of 2.6.36, this macro is not provided because only TOMOYO wants it.
358 */
359 #define list_for_each_entry_srcu(pos, head, member, ss) \
360 for (pos = list_entry(srcu_dereference((head)->next, ss), \
361 typeof(*pos), member); \
362 prefetch(pos->member.next), &pos->member != (head); \
363 pos = list_entry(srcu_dereference(pos->member.next, ss), \
364 typeof(*pos), member))
365
366 #endif
367
368 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 4, 30) || (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 9))
369
370 #if LINUX_VERSION_CODE == KERNEL_VERSION(2, 4, 21)
371 #undef ssleep
372 #endif
373
374 #ifndef ssleep
375
376 /**
377 * ssleep - Sleep for specified seconds.
378 *
379 * @secs: Seconds to sleep.
380 *
381 * Returns nothing.
382 *
383 * This is for compatibility with older kernels.
384 *
385 * Since several distributions backported ssleep(), I define it as a macro
386 * rather than an inlined function in order to avoid multiple definition error.
387 */
388 #define ssleep(secs) { \
389 set_current_state(TASK_UNINTERRUPTIBLE); \
390 schedule_timeout((HZ * secs) + 1); \
391 }
392
393 #endif
394
395 #endif
396
397 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
398
399 /**
400 * from_kuid - Convert kuid_t to uid_t.
401 *
402 * @ns: Unused.
403 * @uid: kuid_t value.
404 *
405 * Returns uid seen from init's user namespace.
406 */
407 #define from_kuid(ns, uid) (uid)
408
409 /**
410 * from_kgid - Convert kgid_t to gid_t.
411 *
412 * @ns: Unused.
413 * @gid: kgid_t value.
414 *
415 * Returns gid seen from init's user namespace.
416 */
417 #define from_kgid(ns, gid) (gid)
418
419 /**
420 * uid_eq - Check whether the uids are equals or not.
421 *
422 * @left: Uid seen from current user namespace.
423 * @right: Uid seen from current user namespace.
424 *
425 * Returns true if uid is root in init's user namespace, false otherwise.
426 */
427 #define uid_eq(left, right) ((left) == (right))
428 #define GLOBAL_ROOT_UID 0
429
430 #endif
431
432 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
433 #define d_backing_inode(upper) (upper)->d_inode
434 #endif
435 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 14, 0)
436 #define d_is_dir(dentry) ({ struct inode *inode = d_backing_inode(dentry); \
437 inode && S_ISDIR(inode->i_mode); })
438 #endif
439
440 /*
441 * TOMOYO specific part start.
442 */
443
444 #include <linux/ccsecurity.h>
445
446 /* Enumeration definition for internal use. */
447
448 /* Index numbers for Access Controls. */
449 enum ccs_acl_entry_type_index {
450 CCS_TYPE_PATH_ACL,
451 CCS_TYPE_PATH2_ACL,
452 CCS_TYPE_PATH_NUMBER_ACL,
453 CCS_TYPE_MKDEV_ACL,
454 CCS_TYPE_MOUNT_ACL,
455 #ifdef CONFIG_CCSECURITY_MISC
456 CCS_TYPE_ENV_ACL,
457 #endif
458 #ifdef CONFIG_CCSECURITY_CAPABILITY
459 CCS_TYPE_CAPABILITY_ACL,
460 #endif
461 #ifdef CONFIG_CCSECURITY_NETWORK
462 CCS_TYPE_INET_ACL,
463 CCS_TYPE_UNIX_ACL,
464 #endif
465 #ifdef CONFIG_CCSECURITY_IPC
466 CCS_TYPE_SIGNAL_ACL,
467 #endif
468 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
469 CCS_TYPE_AUTO_EXECUTE_HANDLER,
470 CCS_TYPE_DENIED_EXECUTE_HANDLER,
471 #endif
472 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
473 CCS_TYPE_AUTO_TASK_ACL,
474 CCS_TYPE_MANUAL_TASK_ACL,
475 #endif
476 };
477
478 /* Index numbers for "struct ccs_condition". */
479 enum ccs_conditions_index {
480 CCS_TASK_UID, /* current_uid() */
481 CCS_TASK_EUID, /* current_euid() */
482 CCS_TASK_SUID, /* current_suid() */
483 CCS_TASK_FSUID, /* current_fsuid() */
484 CCS_TASK_GID, /* current_gid() */
485 CCS_TASK_EGID, /* current_egid() */
486 CCS_TASK_SGID, /* current_sgid() */
487 CCS_TASK_FSGID, /* current_fsgid() */
488 CCS_TASK_PID, /* sys_getpid() */
489 CCS_TASK_PPID, /* sys_getppid() */
490 CCS_EXEC_ARGC, /* "struct linux_binprm *"->argc */
491 CCS_EXEC_ENVC, /* "struct linux_binprm *"->envc */
492 CCS_TYPE_IS_SOCKET, /* S_IFSOCK */
493 CCS_TYPE_IS_SYMLINK, /* S_IFLNK */
494 CCS_TYPE_IS_FILE, /* S_IFREG */
495 CCS_TYPE_IS_BLOCK_DEV, /* S_IFBLK */
496 CCS_TYPE_IS_DIRECTORY, /* S_IFDIR */
497 CCS_TYPE_IS_CHAR_DEV, /* S_IFCHR */
498 CCS_TYPE_IS_FIFO, /* S_IFIFO */
499 CCS_MODE_SETUID, /* S_ISUID */
500 CCS_MODE_SETGID, /* S_ISGID */
501 CCS_MODE_STICKY, /* S_ISVTX */
502 CCS_MODE_OWNER_READ, /* S_IRUSR */
503 CCS_MODE_OWNER_WRITE, /* S_IWUSR */
504 CCS_MODE_OWNER_EXECUTE, /* S_IXUSR */
505 CCS_MODE_GROUP_READ, /* S_IRGRP */
506 CCS_MODE_GROUP_WRITE, /* S_IWGRP */
507 CCS_MODE_GROUP_EXECUTE, /* S_IXGRP */
508 CCS_MODE_OTHERS_READ, /* S_IROTH */
509 CCS_MODE_OTHERS_WRITE, /* S_IWOTH */
510 CCS_MODE_OTHERS_EXECUTE, /* S_IXOTH */
511 CCS_TASK_TYPE, /* ((u8) task->ccs_flags) &
512 CCS_TASK_IS_EXECUTE_HANDLER */
513 CCS_TASK_EXECUTE_HANDLER, /* CCS_TASK_IS_EXECUTE_HANDLER */
514 CCS_EXEC_REALPATH,
515 CCS_SYMLINK_TARGET,
516 CCS_PATH1_UID,
517 CCS_PATH1_GID,
518 CCS_PATH1_INO,
519 CCS_PATH1_MAJOR,
520 CCS_PATH1_MINOR,
521 CCS_PATH1_PERM,
522 CCS_PATH1_TYPE,
523 CCS_PATH1_DEV_MAJOR,
524 CCS_PATH1_DEV_MINOR,
525 CCS_PATH2_UID,
526 CCS_PATH2_GID,
527 CCS_PATH2_INO,
528 CCS_PATH2_MAJOR,
529 CCS_PATH2_MINOR,
530 CCS_PATH2_PERM,
531 CCS_PATH2_TYPE,
532 CCS_PATH2_DEV_MAJOR,
533 CCS_PATH2_DEV_MINOR,
534 CCS_PATH1_PARENT_UID,
535 CCS_PATH1_PARENT_GID,
536 CCS_PATH1_PARENT_INO,
537 CCS_PATH1_PARENT_PERM,
538 CCS_PATH2_PARENT_UID,
539 CCS_PATH2_PARENT_GID,
540 CCS_PATH2_PARENT_INO,
541 CCS_PATH2_PARENT_PERM,
542 CCS_MAX_CONDITION_KEYWORD,
543 CCS_NUMBER_UNION,
544 CCS_NAME_UNION,
545 CCS_ARGV_ENTRY,
546 CCS_ENVP_ENTRY,
547 };
548
549 /* Index numbers for domain's attributes. */
550 enum ccs_domain_info_flags_index {
551 /* Quota warnning flag. */
552 CCS_DIF_QUOTA_WARNED,
553 /*
554 * This domain was unable to create a new domain at
555 * ccs_find_next_domain() because the name of the domain to be created
556 * was too long or it could not allocate memory.
557 * More than one process continued execve() without domain transition.
558 */
559 CCS_DIF_TRANSITION_FAILED,
560 CCS_MAX_DOMAIN_INFO_FLAGS
561 };
562
563 /* Index numbers for audit type. */
564 enum ccs_grant_log {
565 /* Follow profile's configuration. */
566 CCS_GRANTLOG_AUTO,
567 /* Do not generate grant log. */
568 CCS_GRANTLOG_NO,
569 /* Generate grant_log. */
570 CCS_GRANTLOG_YES,
571 };
572
573 /* Index numbers for group entries. */
574 enum ccs_group_id {
575 CCS_PATH_GROUP,
576 CCS_NUMBER_GROUP,
577 #ifdef CONFIG_CCSECURITY_NETWORK
578 CCS_ADDRESS_GROUP,
579 #endif
580 CCS_MAX_GROUP
581 };
582
583 /* Index numbers for category of functionality. */
584 enum ccs_mac_category_index {
585 CCS_MAC_CATEGORY_FILE,
586 #ifdef CONFIG_CCSECURITY_NETWORK
587 CCS_MAC_CATEGORY_NETWORK,
588 #endif
589 #ifdef CONFIG_CCSECURITY_MISC
590 CCS_MAC_CATEGORY_MISC,
591 #endif
592 #ifdef CONFIG_CCSECURITY_IPC
593 CCS_MAC_CATEGORY_IPC,
594 #endif
595 #ifdef CONFIG_CCSECURITY_CAPABILITY
596 CCS_MAC_CATEGORY_CAPABILITY,
597 #endif
598 CCS_MAX_MAC_CATEGORY_INDEX
599 };
600
601 /* Index numbers for functionality. */
602 enum ccs_mac_index {
603 CCS_MAC_FILE_EXECUTE,
604 CCS_MAC_FILE_OPEN,
605 CCS_MAC_FILE_CREATE,
606 CCS_MAC_FILE_UNLINK,
607 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
608 CCS_MAC_FILE_GETATTR,
609 #endif
610 CCS_MAC_FILE_MKDIR,
611 CCS_MAC_FILE_RMDIR,
612 CCS_MAC_FILE_MKFIFO,
613 CCS_MAC_FILE_MKSOCK,
614 CCS_MAC_FILE_TRUNCATE,
615 CCS_MAC_FILE_SYMLINK,
616 CCS_MAC_FILE_MKBLOCK,
617 CCS_MAC_FILE_MKCHAR,
618 CCS_MAC_FILE_LINK,
619 CCS_MAC_FILE_RENAME,
620 CCS_MAC_FILE_CHMOD,
621 CCS_MAC_FILE_CHOWN,
622 CCS_MAC_FILE_CHGRP,
623 CCS_MAC_FILE_IOCTL,
624 CCS_MAC_FILE_CHROOT,
625 CCS_MAC_FILE_MOUNT,
626 CCS_MAC_FILE_UMOUNT,
627 CCS_MAC_FILE_PIVOT_ROOT,
628 #ifdef CONFIG_CCSECURITY_NETWORK
629 CCS_MAC_NETWORK_INET_STREAM_BIND,
630 CCS_MAC_NETWORK_INET_STREAM_LISTEN,
631 CCS_MAC_NETWORK_INET_STREAM_CONNECT,
632 CCS_MAC_NETWORK_INET_STREAM_ACCEPT,
633 CCS_MAC_NETWORK_INET_DGRAM_BIND,
634 CCS_MAC_NETWORK_INET_DGRAM_SEND,
635 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
636 CCS_MAC_NETWORK_INET_DGRAM_RECV,
637 #endif
638 CCS_MAC_NETWORK_INET_RAW_BIND,
639 CCS_MAC_NETWORK_INET_RAW_SEND,
640 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
641 CCS_MAC_NETWORK_INET_RAW_RECV,
642 #endif
643 CCS_MAC_NETWORK_UNIX_STREAM_BIND,
644 CCS_MAC_NETWORK_UNIX_STREAM_LISTEN,
645 CCS_MAC_NETWORK_UNIX_STREAM_CONNECT,
646 CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT,
647 CCS_MAC_NETWORK_UNIX_DGRAM_BIND,
648 CCS_MAC_NETWORK_UNIX_DGRAM_SEND,
649 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
650 CCS_MAC_NETWORK_UNIX_DGRAM_RECV,
651 #endif
652 CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND,
653 CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
654 CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
655 CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT,
656 #endif
657 #ifdef CONFIG_CCSECURITY_MISC
658 CCS_MAC_ENVIRON,
659 #endif
660 #ifdef CONFIG_CCSECURITY_IPC
661 CCS_MAC_SIGNAL,
662 #endif
663 #ifdef CONFIG_CCSECURITY_CAPABILITY
664 CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET,
665 CCS_MAC_CAPABILITY_USE_PACKET_SOCKET,
666 CCS_MAC_CAPABILITY_SYS_REBOOT,
667 CCS_MAC_CAPABILITY_SYS_VHANGUP,
668 CCS_MAC_CAPABILITY_SYS_SETTIME,
669 CCS_MAC_CAPABILITY_SYS_NICE,
670 CCS_MAC_CAPABILITY_SYS_SETHOSTNAME,
671 CCS_MAC_CAPABILITY_USE_KERNEL_MODULE,
672 CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD,
673 CCS_MAC_CAPABILITY_SYS_PTRACE,
674 #endif
675 CCS_MAX_MAC_INDEX
676 };
677
678 /* Index numbers for /proc/ccs/stat interface. */
679 enum ccs_memory_stat_type {
680 CCS_MEMORY_POLICY,
681 CCS_MEMORY_AUDIT,
682 CCS_MEMORY_QUERY,
683 CCS_MAX_MEMORY_STAT
684 };
685
686 /* Index numbers for access controls with one pathname and three numbers. */
687 enum ccs_mkdev_acl_index {
688 CCS_TYPE_MKBLOCK,
689 CCS_TYPE_MKCHAR,
690 CCS_MAX_MKDEV_OPERATION
691 };
692
693 /* Index numbers for operation mode. */
694 enum ccs_mode_value {
695 CCS_CONFIG_DISABLED,
696 CCS_CONFIG_LEARNING,
697 CCS_CONFIG_PERMISSIVE,
698 CCS_CONFIG_ENFORCING,
699 CCS_CONFIG_MAX_MODE,
700 CCS_CONFIG_WANT_REJECT_LOG = 64,
701 CCS_CONFIG_WANT_GRANT_LOG = 128,
702 CCS_CONFIG_USE_DEFAULT = 255,
703 };
704
705 /* Index numbers for socket operations. */
706 enum ccs_network_acl_index {
707 CCS_NETWORK_BIND, /* bind() operation. */
708 CCS_NETWORK_LISTEN, /* listen() operation. */
709 CCS_NETWORK_CONNECT, /* connect() operation. */
710 CCS_NETWORK_ACCEPT, /* accept() operation. */
711 CCS_NETWORK_SEND, /* send() operation. */
712 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
713 CCS_NETWORK_RECV, /* recv() operation. */
714 #endif
715 CCS_MAX_NETWORK_OPERATION
716 };
717
718 /* Index numbers for access controls with two pathnames. */
719 enum ccs_path2_acl_index {
720 CCS_TYPE_LINK,
721 CCS_TYPE_RENAME,
722 CCS_TYPE_PIVOT_ROOT,
723 CCS_MAX_PATH2_OPERATION
724 };
725
726 /* Index numbers for access controls with one pathname. */
727 enum ccs_path_acl_index {
728 CCS_TYPE_EXECUTE,
729 CCS_TYPE_READ,
730 CCS_TYPE_WRITE,
731 CCS_TYPE_APPEND,
732 CCS_TYPE_UNLINK,
733 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
734 CCS_TYPE_GETATTR,
735 #endif
736 CCS_TYPE_RMDIR,
737 CCS_TYPE_TRUNCATE,
738 CCS_TYPE_SYMLINK,
739 CCS_TYPE_CHROOT,
740 CCS_TYPE_UMOUNT,
741 CCS_MAX_PATH_OPERATION
742 };
743
744 /* Index numbers for access controls with one pathname and one number. */
745 enum ccs_path_number_acl_index {
746 CCS_TYPE_CREATE,
747 CCS_TYPE_MKDIR,
748 CCS_TYPE_MKFIFO,
749 CCS_TYPE_MKSOCK,
750 CCS_TYPE_IOCTL,
751 CCS_TYPE_CHMOD,
752 CCS_TYPE_CHOWN,
753 CCS_TYPE_CHGRP,
754 CCS_MAX_PATH_NUMBER_OPERATION
755 };
756
757 /* Index numbers for stat(). */
758 enum ccs_path_stat_index {
759 /* Do not change this order. */
760 CCS_PATH1,
761 CCS_PATH1_PARENT,
762 CCS_PATH2,
763 CCS_PATH2_PARENT,
764 CCS_MAX_PATH_STAT
765 };
766
767 /* Index numbers for entry type. */
768 enum ccs_policy_id {
769 #ifdef CONFIG_CCSECURITY_PORTRESERVE
770 CCS_ID_RESERVEDPORT,
771 #endif
772 CCS_ID_GROUP,
773 #ifdef CONFIG_CCSECURITY_NETWORK
774 CCS_ID_ADDRESS_GROUP,
775 #endif
776 CCS_ID_PATH_GROUP,
777 CCS_ID_NUMBER_GROUP,
778 CCS_ID_AGGREGATOR,
779 CCS_ID_TRANSITION_CONTROL,
780 CCS_ID_MANAGER,
781 CCS_ID_CONDITION,
782 CCS_ID_NAME,
783 CCS_ID_ACL,
784 CCS_ID_DOMAIN,
785 CCS_MAX_POLICY
786 };
787
788 /* Index numbers for /proc/ccs/stat interface. */
789 enum ccs_policy_stat_type {
790 /* Do not change this order. */
791 CCS_STAT_POLICY_UPDATES,
792 CCS_STAT_POLICY_LEARNING, /* == CCS_CONFIG_LEARNING */
793 CCS_STAT_POLICY_PERMISSIVE, /* == CCS_CONFIG_PERMISSIVE */
794 CCS_STAT_POLICY_ENFORCING, /* == CCS_CONFIG_ENFORCING */
795 CCS_MAX_POLICY_STAT
796 };
797
798 /* Index numbers for profile's PREFERENCE values. */
799 enum ccs_pref_index {
800 CCS_PREF_MAX_AUDIT_LOG,
801 CCS_PREF_MAX_LEARNING_ENTRY,
802 CCS_PREF_ENFORCING_PENALTY,
803 CCS_MAX_PREF
804 };
805
806 /* Index numbers for /proc/ccs/ interfaces. */
807 enum ccs_proc_interface_index {
808 CCS_DOMAIN_POLICY,
809 CCS_EXCEPTION_POLICY,
810 CCS_PROCESS_STATUS,
811 CCS_STAT,
812 CCS_AUDIT,
813 CCS_VERSION,
814 CCS_PROFILE,
815 CCS_QUERY,
816 CCS_MANAGER,
817 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
818 CCS_EXECUTE_HANDLER,
819 #endif
820 };
821
822 /* Index numbers for special mount operations. */
823 enum ccs_special_mount {
824 CCS_MOUNT_BIND, /* mount --bind /source /dest */
825 CCS_MOUNT_MOVE, /* mount --move /old /new */
826 CCS_MOUNT_REMOUNT, /* mount -o remount /dir */
827 CCS_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
828 CCS_MOUNT_MAKE_PRIVATE, /* mount --make-private /dir */
829 CCS_MOUNT_MAKE_SLAVE, /* mount --make-slave /dir */
830 CCS_MOUNT_MAKE_SHARED, /* mount --make-shared /dir */
831 CCS_MAX_SPECIAL_MOUNT
832 };
833
834 /* Index numbers for domain transition control keywords. */
835 enum ccs_transition_type {
836 /* Do not change this order, */
837 CCS_TRANSITION_CONTROL_NO_RESET,
838 CCS_TRANSITION_CONTROL_RESET,
839 CCS_TRANSITION_CONTROL_NO_INITIALIZE,
840 CCS_TRANSITION_CONTROL_INITIALIZE,
841 CCS_TRANSITION_CONTROL_NO_KEEP,
842 CCS_TRANSITION_CONTROL_KEEP,
843 CCS_MAX_TRANSITION_TYPE
844 };
845
846 /* Index numbers for type of numeric values. */
847 enum ccs_value_type {
848 CCS_VALUE_TYPE_INVALID,
849 CCS_VALUE_TYPE_DECIMAL,
850 CCS_VALUE_TYPE_OCTAL,
851 CCS_VALUE_TYPE_HEXADECIMAL,
852 };
853
854 /* Constants definition for internal use. */
855
856 /*
857 * TOMOYO uses this hash only when appending a string into the string table.
858 * Frequency of appending strings is very low. So we don't need large (e.g.
859 * 64k) hash size. 256 will be sufficient.
860 */
861 #define CCS_HASH_BITS 8
862 #define CCS_MAX_HASH (1u << CCS_HASH_BITS)
863
864 /*
865 * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
866 * Therefore, we don't need SOCK_MAX.
867 */
868 #define CCS_SOCK_MAX 6
869
870 /* Size of temporary buffer for execve() operation. */
871 #define CCS_EXEC_TMPSIZE 4096
872
873 /* Garbage collector is trying to kfree() this element. */
874 #define CCS_GC_IN_PROGRESS -1
875
876 /* Profile number is an integer between 0 and 255. */
877 #define CCS_MAX_PROFILES 256
878
879 /* Group number is an integer between 0 and 255. */
880 #define CCS_MAX_ACL_GROUPS 256
881
882 /* Current thread is doing open(O_RDONLY | O_TRUNC) ? */
883 #define CCS_OPEN_FOR_READ_TRUNCATE 1
884 /* Current thread is doing open(3) ? */
885 #define CCS_OPEN_FOR_IOCTL_ONLY 2
886 /* Current thread is doing do_execve() ? */
887 #define CCS_TASK_IS_IN_EXECVE 4
888 /* Current thread is running as an execute handler program? */
889 #define CCS_TASK_IS_EXECUTE_HANDLER 8
890 /* Current thread is allowed to modify policy via /proc/ccs/ interface? */
891 #define CCS_TASK_IS_MANAGER 16
892
893 /*
894 * Retry this request. Returned by ccs_supervisor() if policy violation has
895 * occurred in enforcing mode and the userspace daemon decided to retry.
896 *
897 * We must choose a positive value in order to distinguish "granted" (which is
898 * 0) and "rejected" (which is a negative value) and "retry".
899 */
900 #define CCS_RETRY_REQUEST 1
901
902 /* The gfp flags used by TOMOYO. */
903 #define CCS_GFP_FLAGS GFP_NOFS
904
905 /* Size of read buffer for /proc/ccs/ interface. */
906 #define CCS_MAX_IO_READ_QUEUE 64
907
908 /* Structure definition for internal use. */
909
910 /* Common header for holding ACL entries. */
911 struct ccs_acl_head {
912 struct list_head list;
913 s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
914 } __packed;
915
916 /* Common header for shared entries. */
917 struct ccs_shared_acl_head {
918 struct list_head list;
919 atomic_t users;
920 } __packed;
921
922 /* Common header for individual entries. */
923 struct ccs_acl_info {
924 struct list_head list;
925 struct ccs_condition *cond; /* Maybe NULL. */
926 s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
927 u8 type; /* One of values in "enum ccs_acl_entry_type_index". */
928 u16 perm;
929 } __packed;
930
931 /* Structure for holding a word. */
932 struct ccs_name_union {
933 /* Either @filename or @group is NULL. */
934 const struct ccs_path_info *filename;
935 struct ccs_group *group;
936 };
937
938 /* Structure for holding a number. */
939 struct ccs_number_union {
940 unsigned long values[2];
941 struct ccs_group *group; /* Maybe NULL. */
942 /* One of values in "enum ccs_value_type". */
943 u8 value_type[2];
944 };
945
946 /* Structure for holding an IP address. */
947 struct ccs_ipaddr_union {
948 struct in6_addr ip[2]; /* Big endian. */
949 struct ccs_group *group; /* Pointer to address group. */
950 bool is_ipv6; /* Valid only if @group == NULL. */
951 };
952
953 /* Structure for "path_group"/"number_group"/"address_group" directive. */
954 struct ccs_group {
955 struct ccs_shared_acl_head head;
956 /* Name of group (without leading '@'). */
957 const struct ccs_path_info *group_name;
958 /*
959 * List of "struct ccs_path_group" or "struct ccs_number_group" or
960 * "struct ccs_address_group".
961 */
962 struct list_head member_list;
963 };
964
965 /* Structure for "path_group" directive. */
966 struct ccs_path_group {
967 struct ccs_acl_head head;
968 const struct ccs_path_info *member_name;
969 };
970
971 /* Structure for "number_group" directive. */
972 struct ccs_number_group {
973 struct ccs_acl_head head;
974 struct ccs_number_union number;
975 };
976
977 /* Structure for "address_group" directive. */
978 struct ccs_address_group {
979 struct ccs_acl_head head;
980 /* Structure for holding an IP address. */
981 struct ccs_ipaddr_union address;
982 };
983
984 /* Subset of "struct stat". Used by conditional ACL and audit logs. */
985 struct ccs_mini_stat {
986 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
987 kuid_t uid;
988 kgid_t gid;
989 #else
990 uid_t uid;
991 gid_t gid;
992 #endif
993 ino_t ino;
994 umode_t mode;
995 dev_t dev;
996 dev_t rdev;
997 };
998
999 /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */
1000 struct ccs_page_dump {
1001 struct page *page; /* Previously dumped page. */
1002 char *data; /* Contents of "page". Size is PAGE_SIZE. */
1003 };
1004
1005 /* Structure for attribute checks in addition to pathname checks. */
1006 struct ccs_obj_info {
1007 /* True if ccs_get_attributes() was already called, false otherwise. */
1008 bool validate_done;
1009 /* True if @stat[] is valid. */
1010 bool stat_valid[CCS_MAX_PATH_STAT];
1011 /* First pathname. Initialized with { NULL, NULL } if no path. */
1012 struct path path1;
1013 /* Second pathname. Initialized with { NULL, NULL } if no path. */
1014 struct path path2;
1015 /*
1016 * Information on @path1, @path1's parent directory, @path2, @path2's
1017 * parent directory.
1018 */
1019 struct ccs_mini_stat stat[CCS_MAX_PATH_STAT];
1020 /*
1021 * Content of symbolic link to be created. NULL for operations other
1022 * than symlink().
1023 */
1024 struct ccs_path_info *symlink_target;
1025 };
1026
1027 /* Structure for entries which follows "struct ccs_condition". */
1028 struct ccs_condition_element {
1029 /*
1030 * Left hand operand. A "struct ccs_argv" for CCS_ARGV_ENTRY, a
1031 * "struct ccs_envp" for CCS_ENVP_ENTRY is attached to the tail
1032 * of the array of this struct.
1033 */
1034 u8 left;
1035 /*
1036 * Right hand operand. A "struct ccs_number_union" for
1037 * CCS_NUMBER_UNION, a "struct ccs_name_union" for CCS_NAME_UNION is
1038 * attached to the tail of the array of this struct.
1039 */
1040 u8 right;
1041 /* Equation operator. True if equals or overlaps, false otherwise. */
1042 bool equals;
1043 };
1044
1045 /* Structure for optional arguments. */
1046 struct ccs_condition {
1047 struct ccs_shared_acl_head head;
1048 u32 size; /* Memory size allocated for this entry. */
1049 u16 condc; /* Number of conditions in this struct. */
1050 u16 numbers_count; /* Number of "struct ccs_number_union values". */
1051 u16 names_count; /* Number of "struct ccs_name_union names". */
1052 u16 argc; /* Number of "struct ccs_argv". */
1053 u16 envc; /* Number of "struct ccs_envp". */
1054 u8 grant_log; /* One of values in "enum ccs_grant_log". */
1055 bool exec_transit; /* True if transit is for "file execute". */
1056 const struct ccs_path_info *transit; /* Maybe NULL. */
1057 /*
1058 * struct ccs_condition_element condition[condc];
1059 * struct ccs_number_union values[numbers_count];
1060 * struct ccs_name_union names[names_count];
1061 * struct ccs_argv argv[argc];
1062 * struct ccs_envp envp[envc];
1063 */
1064 };
1065
1066 struct ccs_execve;
1067 struct ccs_policy_namespace;
1068
1069 /* Structure for request info. */
1070 struct ccs_request_info {
1071 /*
1072 * For holding parameters specific to operations which deal files.
1073 * NULL if not dealing files.
1074 */
1075 struct ccs_obj_info *obj;
1076 /*
1077 * For holding parameters specific to execve() request.
1078 * NULL if not dealing do_execve().
1079 */
1080 struct ccs_execve *ee;
1081 /*
1082 * For holding parameters.
1083 * Pointers in this union are not NULL except path->matched_path.
1084 */
1085 union {
1086 struct {
1087 const struct ccs_path_info *filename;
1088 /*
1089 * For using wildcards at ccs_find_next_domain().
1090 *
1091 * The matched_acl cannot be used because it may refer
1092 * a "struct ccs_path_acl" with ->is_group == true.
1093 * We want to use exact "struct ccs_path_info" rather
1094 * than "struct ccs_path_acl".
1095 */
1096 const struct ccs_path_info *matched_path;
1097 /* One of values in "enum ccs_path_acl_index". */
1098 u8 operation;
1099 } path;
1100 struct {
1101 const struct ccs_path_info *filename1;
1102 const struct ccs_path_info *filename2;
1103 /* One of values in "enum ccs_path2_acl_index". */
1104 u8 operation;
1105 } path2;
1106 struct {
1107 const struct ccs_path_info *filename;
1108 unsigned int mode;
1109 unsigned int major;
1110 unsigned int minor;
1111 /* One of values in "enum ccs_mkdev_acl_index". */
1112 u8 operation;
1113 } mkdev;
1114 struct {
1115 const struct ccs_path_info *filename;
1116 unsigned long number;
1117 /*
1118 * One of values in "enum ccs_path_number_acl_index".
1119 */
1120 u8 operation;
1121 } path_number;
1122 #ifdef CONFIG_CCSECURITY_NETWORK
1123 struct {
1124 const u32 *address; /* Big endian. */
1125 u16 port; /* Host endian. */
1126 /* One of values smaller than CCS_SOCK_MAX. */
1127 u8 protocol;
1128 /* One of values in "enum ccs_network_acl_index". */
1129 u8 operation;
1130 bool is_ipv6;
1131 } inet_network;
1132 struct {
1133 const struct ccs_path_info *address;
1134 /* One of values smaller than CCS_SOCK_MAX. */
1135 u8 protocol;
1136 /* One of values in "enum ccs_network_acl_index". */
1137 u8 operation;
1138 } unix_network;
1139 #endif
1140 #ifdef CONFIG_CCSECURITY_MISC
1141 struct {
1142 const struct ccs_path_info *name;
1143 } environ;
1144 #endif
1145 #ifdef CONFIG_CCSECURITY_CAPABILITY
1146 struct {
1147 /* One of values in "enum ccs_capability_acl_index". */
1148 u8 operation;
1149 } capability;
1150 #endif
1151 #ifdef CONFIG_CCSECURITY_IPC
1152 struct {
1153 const char *dest_pattern;
1154 int sig;
1155 } signal;
1156 #endif
1157 struct {
1158 const struct ccs_path_info *type;
1159 const struct ccs_path_info *dir;
1160 const struct ccs_path_info *dev;
1161 unsigned long flags;
1162 int need_dev;
1163 } mount;
1164 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
1165 struct {
1166 const struct ccs_path_info *domainname;
1167 } task;
1168 #endif
1169 } param;
1170 /*
1171 * For updating current->ccs_domain_info at ccs_update_task_domain().
1172 * Initialized to NULL at ccs_init_request_info().
1173 * Matching "struct ccs_acl_info" is copied if access request was
1174 * granted. Re-initialized to NULL at ccs_update_task_domain().
1175 */
1176 struct ccs_acl_info *matched_acl;
1177 u8 param_type; /* One of values in "enum ccs_acl_entry_type_index". */
1178 bool granted; /* True if granted, false otherwise. */
1179 /* True if current thread should not be carried sleep penalty. */
1180 bool dont_sleep_on_enforce_error;
1181 /*
1182 * For counting number of retries made for this request.
1183 * This counter is incremented whenever ccs_supervisor() returned
1184 * CCS_RETRY_REQUEST.
1185 */
1186 u8 retry;
1187 /*
1188 * For holding profile number used for this request.
1189 * One of values between 0 and CCS_MAX_PROFILES - 1.
1190 */
1191 u8 profile;
1192 /*
1193 * For holding operation mode used for this request.
1194 * One of CCS_CONFIG_DISABLED, CCS_CONFIG_LEARNING,
1195 * CCS_CONFIG_PERMISSIVE, CCS_CONFIG_ENFORCING.
1196 */
1197 u8 mode;
1198 /*
1199 * For holding operation index used for this request.
1200 * Used by ccs_init_request_info() / ccs_get_mode() /
1201 * ccs_write_log(). One of values in "enum ccs_mac_index".
1202 */
1203 u8 type;
1204 };
1205
1206 /* Structure for holding a token. */
1207 struct ccs_path_info {
1208 const char *name;
1209 u32 hash; /* = full_name_hash(name, strlen(name)) */
1210 u16 total_len; /* = strlen(name) */
1211 u16 const_len; /* = ccs_const_part_length(name) */
1212 bool is_dir; /* = ccs_strendswith(name, "/") */
1213 bool is_patterned; /* = const_len < total_len */
1214 };
1215
1216 /* Structure for execve() operation. */
1217 struct ccs_execve {
1218 struct ccs_request_info r;
1219 struct ccs_obj_info obj;
1220 struct linux_binprm *bprm;
1221 struct ccs_domain_info *previous_domain;
1222 const struct ccs_path_info *transition;
1223 /* For execute_handler */
1224 const struct ccs_path_info *handler;
1225 char *handler_path; /* = kstrdup(handler->name, CCS_GFP_FLAGS) */
1226 /* For dumping argv[] and envp[]. */
1227 struct ccs_page_dump dump;
1228 /* For temporary use. */
1229 char *tmp; /* Size is CCS_EXEC_TMPSIZE bytes */
1230 };
1231
1232 /* Structure for domain information. */
1233 struct ccs_domain_info {
1234 struct list_head list;
1235 struct list_head acl_info_list;
1236 /* Name of this domain. Never NULL. */
1237 const struct ccs_path_info *domainname;
1238 /* Namespace for this domain. Never NULL. */
1239 struct ccs_policy_namespace *ns;
1240 /* Group numbers to use. */
1241 unsigned long group[CCS_MAX_ACL_GROUPS / BITS_PER_LONG];
1242 u8 profile; /* Profile number to use. */
1243 bool is_deleted; /* Delete flag. */
1244 bool flags[CCS_MAX_DOMAIN_INFO_FLAGS];
1245 };
1246
1247 /*
1248 * Structure for "reset_domain"/"no_reset_domain"/"initialize_domain"/
1249 * "no_initialize_domain"/"keep_domain"/"no_keep_domain" keyword.
1250 */
1251 struct ccs_transition_control {
1252 struct ccs_acl_head head;
1253 u8 type; /* One of values in "enum ccs_transition_type" */
1254 bool is_last_name; /* True if the domainname is ccs_last_word(). */
1255 const struct ccs_path_info *domainname; /* Maybe NULL */
1256 const struct ccs_path_info *program; /* Maybe NULL */
1257 };
1258
1259 /* Structure for "aggregator" keyword. */
1260 struct ccs_aggregator {
1261 struct ccs_acl_head head;
1262 const struct ccs_path_info *original_name;
1263 const struct ccs_path_info *aggregated_name;
1264 };
1265
1266 /* Structure for "deny_autobind" keyword. */
1267 struct ccs_reserved {
1268 struct ccs_acl_head head;
1269 struct ccs_number_union port;
1270 };
1271
1272 /* Structure for policy manager. */
1273 struct ccs_manager {
1274 struct ccs_acl_head head;
1275 /* A path to program or a domainname. */
1276 const struct ccs_path_info *manager;
1277 };
1278
1279 /* Structure for argv[]. */
1280 struct ccs_argv {
1281 unsigned long index;
1282 const struct ccs_path_info *value;
1283 bool is_not;
1284 };
1285
1286 /* Structure for envp[]. */
1287 struct ccs_envp {
1288 const struct ccs_path_info *name;
1289 const struct ccs_path_info *value;
1290 bool is_not;
1291 };
1292
1293 /*
1294 * Structure for "task auto_execute_handler" and "task denied_execute_handler"
1295 * directive.
1296 *
1297 * If "task auto_execute_handler" directive exists and the current process is
1298 * not an execute handler, all execve() requests are replaced by execve()
1299 * requests of a program specified by "task auto_execute_handler" directive.
1300 * If the current process is an execute handler, "task auto_execute_handler"
1301 * and "task denied_execute_handler" directives are ignored.
1302 * The program specified by "task execute_handler" validates execve()
1303 * parameters and executes the original execve() requests if appropriate.
1304 *
1305 * "task denied_execute_handler" directive is used only when execve() request
1306 * was rejected in enforcing mode (i.e. CONFIG::file::execute={ mode=enforcing
1307 * }). The program specified by "task denied_execute_handler" does whatever it
1308 * wants to do (e.g. silently terminate, change firewall settings, redirect the
1309 * user to honey pot etc.).
1310 */
1311 struct ccs_handler_acl {
1312 struct ccs_acl_info head; /* type = CCS_TYPE_*_EXECUTE_HANDLER */
1313 const struct ccs_path_info *handler; /* Pointer to single pathname. */
1314 };
1315
1316 /*
1317 * Structure for "task auto_domain_transition" and
1318 * "task manual_domain_transition" directive.
1319 */
1320 struct ccs_task_acl {
1321 struct ccs_acl_info head; /* type = CCS_TYPE_*_TASK_ACL */
1322 /* Pointer to domainname. */
1323 const struct ccs_path_info *domainname;
1324 };
1325
1326 /*
1327 * Structure for "file execute", "file read", "file write", "file append",
1328 * "file unlink", "file getattr", "file rmdir", "file truncate",
1329 * "file symlink", "file chroot" and "file unmount" directive.
1330 */
1331 struct ccs_path_acl {
1332 struct ccs_acl_info head; /* type = CCS_TYPE_PATH_ACL */
1333 struct ccs_name_union name;
1334 };
1335
1336 /*
1337 * Structure for "file rename", "file link" and "file pivot_root" directive.
1338 */
1339 struct ccs_path2_acl {
1340 struct ccs_acl_info head; /* type = CCS_TYPE_PATH2_ACL */
1341 struct ccs_name_union name1;
1342 struct ccs_name_union name2;
1343 };
1344
1345 /*
1346 * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
1347 * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
1348 */
1349 struct ccs_path_number_acl {
1350 struct ccs_acl_info head; /* type = CCS_TYPE_PATH_NUMBER_ACL */
1351 struct ccs_name_union name;
1352 struct ccs_number_union number;
1353 };
1354
1355 /* Structure for "file mkblock" and "file mkchar" directive. */
1356 struct ccs_mkdev_acl {
1357 struct ccs_acl_info head; /* type = CCS_TYPE_MKDEV_ACL */
1358 struct ccs_name_union name;
1359 struct ccs_number_union mode;
1360 struct ccs_number_union major;
1361 struct ccs_number_union minor;
1362 };
1363
1364 /* Structure for "file mount" directive. */
1365 struct ccs_mount_acl {
1366 struct ccs_acl_info head; /* type = CCS_TYPE_MOUNT_ACL */
1367 struct ccs_name_union dev_name;
1368 struct ccs_name_union dir_name;
1369 struct ccs_name_union fs_type;
1370 struct ccs_number_union flags;
1371 };
1372
1373 /* Structure for "misc env" directive in domain policy. */
1374 struct ccs_env_acl {
1375 struct ccs_acl_info head; /* type = CCS_TYPE_ENV_ACL */
1376 const struct ccs_path_info *env; /* environment variable */
1377 };
1378
1379 /* Structure for "capability" directive. */
1380 struct ccs_capability_acl {
1381 struct ccs_acl_info head; /* type = CCS_TYPE_CAPABILITY_ACL */
1382 u8 operation; /* One of values in "enum ccs_capability_acl_index". */
1383 };
1384
1385 /* Structure for "ipc signal" directive. */
1386 struct ccs_signal_acl {
1387 struct ccs_acl_info head; /* type = CCS_TYPE_SIGNAL_ACL */
1388 struct ccs_number_union sig;
1389 /* Pointer to destination pattern. */
1390 const struct ccs_path_info *domainname;
1391 };
1392
1393 /* Structure for "network inet" directive. */
1394 struct ccs_inet_acl {
1395 struct ccs_acl_info head; /* type = CCS_TYPE_INET_ACL */
1396 u8 protocol;
1397 struct ccs_ipaddr_union address;
1398 struct ccs_number_union port;
1399 };
1400
1401 /* Structure for "network unix" directive. */
1402 struct ccs_unix_acl {
1403 struct ccs_acl_info head; /* type = CCS_TYPE_UNIX_ACL */
1404 u8 protocol;
1405 struct ccs_name_union name;
1406 };
1407
1408 /* Structure for holding string data. */
1409 struct ccs_name {
1410 struct ccs_shared_acl_head head;
1411 int size; /* Memory size allocated for this entry. */
1412 struct ccs_path_info entry;
1413 };
1414
1415 /* Structure for holding a line from /proc/ccs/ interface. */
1416 struct ccs_acl_param {
1417 char *data; /* Unprocessed data. */
1418 struct list_head *list; /* List to add or remove. */
1419 struct ccs_policy_namespace *ns; /* Namespace to use. */
1420 bool is_delete; /* True if it is a delete request. */
1421 union ccs_acl_union {
1422 struct ccs_acl_info acl_info;
1423 struct ccs_handler_acl handler_acl;
1424 struct ccs_task_acl task_acl;
1425 struct ccs_path_acl path_acl;
1426 struct ccs_path2_acl path2_acl;
1427 struct ccs_path_number_acl path_number_acl;
1428 struct ccs_mkdev_acl mkdev_acl;
1429 struct ccs_mount_acl mount_acl;
1430 struct ccs_env_acl env_acl;
1431 struct ccs_capability_acl capability_acl;
1432 struct ccs_signal_acl signal_acl;
1433 struct ccs_inet_acl inet_acl;
1434 struct ccs_unix_acl unix_acl;
1435 /**/
1436 struct ccs_acl_head acl_head;
1437 struct ccs_transition_control transition_control;
1438 struct ccs_aggregator aggregator;
1439 struct ccs_reserved reserved;
1440 struct ccs_manager manager;
1441 struct ccs_path_group path_group;
1442 struct ccs_number_group number_group;
1443 struct ccs_address_group address_group;
1444 } e;
1445 };
1446
1447 /* Structure for reading/writing policy via /proc/ccs/ interfaces. */
1448 struct ccs_io_buffer {
1449 /* Exclusive lock for this structure. */
1450 struct mutex io_sem;
1451 char __user *read_user_buf;
1452 size_t read_user_buf_avail;
1453 struct {
1454 struct list_head *ns;
1455 struct list_head *domain;
1456 struct list_head *group;
1457 struct list_head *acl;
1458 size_t avail;
1459 unsigned int step;
1460 unsigned int query_index;
1461 u16 index;
1462 u16 cond_index;
1463 u8 acl_group_index;
1464 u8 cond_step;
1465 u8 bit;
1466 u8 w_pos;
1467 bool eof;
1468 bool print_this_domain_only;
1469 bool print_transition_related_only;
1470 bool print_cond_part;
1471 const char *w[CCS_MAX_IO_READ_QUEUE];
1472 } r;
1473 struct {
1474 struct ccs_policy_namespace *ns;
1475 struct ccs_domain_info *domain;
1476 size_t avail;
1477 bool is_delete;
1478 } w;
1479 /* Buffer for reading. */
1480 char *read_buf;
1481 /* Size of read buffer. */
1482 size_t readbuf_size;
1483 /* Buffer for writing. */
1484 char *write_buf;
1485 /* Size of write buffer. */
1486 size_t writebuf_size;
1487 /* Type of interface. */
1488 enum ccs_proc_interface_index type;
1489 /* Users counter protected by ccs_io_buffer_list_lock. */
1490 u8 users;
1491 /* List for telling GC not to kfree() elements. */
1492 struct list_head list;
1493 };
1494
1495 /* Structure for /proc/ccs/profile interface. */
1496 struct ccs_profile {
1497 const struct ccs_path_info *comment;
1498 u8 default_config;
1499 u8 config[CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX];
1500 unsigned int pref[CCS_MAX_PREF];
1501 };
1502
1503 /* Structure for representing YYYY/MM/DD hh/mm/ss. */
1504 struct ccs_time {
1505 u16 year;
1506 u8 month;
1507 u8 day;
1508 u8 hour;
1509 u8 min;
1510 u8 sec;
1511 };
1512
1513 /* Structure for policy namespace. */
1514 struct ccs_policy_namespace {
1515 /* Profile table. Memory is allocated as needed. */
1516 struct ccs_profile *profile_ptr[CCS_MAX_PROFILES];
1517 /* List of "struct ccs_group". */
1518 struct list_head group_list[CCS_MAX_GROUP];
1519 /* List of policy. */
1520 struct list_head policy_list[CCS_MAX_POLICY];
1521 /* The global ACL referred by "use_group" keyword. */
1522 struct list_head acl_group[CCS_MAX_ACL_GROUPS];
1523 /* List for connecting to ccs_namespace_list list. */
1524 struct list_head namespace_list;
1525 /* Profile version. Currently only 20150505 is supported. */
1526 unsigned int profile_version;
1527 /* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */
1528 const char *name;
1529 };
1530
1531 /* Prototype definition for "struct ccsecurity_operations". */
1532
1533 void __init ccs_permission_init(void);
1534 void __init ccs_mm_init(void);
1535
1536 /* Prototype definition for internal use. */
1537
1538 bool ccs_dump_page(struct linux_binprm *bprm, unsigned long pos,
1539 struct ccs_page_dump *dump);
1540 bool ccs_memory_ok(const void *ptr, const unsigned int size);
1541 char *ccs_encode(const char *str);
1542 char *ccs_encode2(const char *str, int str_len);
1543 char *ccs_realpath(const struct path *path);
1544 const char *ccs_get_exe(void);
1545 const struct ccs_path_info *ccs_get_name(const char *name);
1546 int ccs_audit_log(struct ccs_request_info *r);
1547 int ccs_check_acl(struct ccs_request_info *r);
1548 int ccs_init_request_info(struct ccs_request_info *r, const u8 index);
1549 struct ccs_domain_info *ccs_assign_domain(const char *domainname,
1550 const bool transit);
1551 u8 ccs_get_config(const u8 profile, const u8 index);
1552 void *ccs_commit_ok(void *data, const unsigned int size);
1553 void ccs_del_acl(struct list_head *element);
1554 void ccs_del_condition(struct list_head *element);
1555 void ccs_fill_path_info(struct ccs_path_info *ptr);
1556 void ccs_get_attributes(struct ccs_obj_info *obj);
1557 void ccs_notify_gc(struct ccs_io_buffer *head, const bool is_register);
1558 void ccs_transition_failed(const char *domainname);
1559 void ccs_warn_oom(const char *function);
1560 void ccs_write_log(struct ccs_request_info *r, const char *fmt, ...)
1561 __printf(2, 3);
1562
1563 /* Variable definition for internal use. */
1564
1565 extern bool ccs_policy_loaded;
1566 extern const char * const ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS];
1567 extern const u8 ccs_c2mac[CCS_MAX_CAPABILITY_INDEX];
1568 extern const u8 ccs_pn2mac[CCS_MAX_PATH_NUMBER_OPERATION];
1569 extern const u8 ccs_pnnn2mac[CCS_MAX_MKDEV_OPERATION];
1570 extern const u8 ccs_pp2mac[CCS_MAX_PATH2_OPERATION];
1571 extern struct ccs_domain_info ccs_kernel_domain;
1572 extern struct list_head ccs_condition_list;
1573 extern struct list_head ccs_domain_list;
1574 extern struct list_head ccs_name_list[CCS_MAX_HASH];
1575 extern struct list_head ccs_namespace_list;
1576 extern struct mutex ccs_policy_lock;
1577 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1578 extern struct srcu_struct ccs_ss;
1579 #endif
1580 extern unsigned int ccs_memory_quota[CCS_MAX_MEMORY_STAT];
1581 extern unsigned int ccs_memory_used[CCS_MAX_MEMORY_STAT];
1582
1583 /* Inlined functions for internal use. */
1584
1585 /**
1586 * ccs_pathcmp - strcmp() for "struct ccs_path_info" structure.
1587 *
1588 * @a: Pointer to "struct ccs_path_info".
1589 * @b: Pointer to "struct ccs_path_info".
1590 *
1591 * Returns true if @a != @b, false otherwise.
1592 */
1593 static inline bool ccs_pathcmp(const struct ccs_path_info *a,
1594 const struct ccs_path_info *b)
1595 {
1596 return a->hash != b->hash || strcmp(a->name, b->name);
1597 }
1598
1599 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1600
1601 /**
1602 * ccs_read_lock - Take lock for protecting policy.
1603 *
1604 * Returns index number for ccs_read_unlock().
1605 */
1606 static inline int ccs_read_lock(void)
1607 {
1608 return srcu_read_lock(&ccs_ss);
1609 }
1610
1611 /**
1612 * ccs_read_unlock - Release lock for protecting policy.
1613 *
1614 * @idx: Index number returned by ccs_read_lock().
1615 *
1616 * Returns nothing.
1617 */
1618 static inline void ccs_read_unlock(const int idx)
1619 {
1620 srcu_read_unlock(&ccs_ss, idx);
1621 }
1622
1623 #else
1624
1625 int ccs_lock(void);
1626 void ccs_unlock(const int idx);
1627
1628 /**
1629 * ccs_read_lock - Take lock for protecting policy.
1630 *
1631 * Returns index number for ccs_read_unlock().
1632 */
1633 static inline int ccs_read_lock(void)
1634 {
1635 return ccs_lock();
1636 }
1637
1638 /**
1639 * ccs_read_unlock - Release lock for protecting policy.
1640 *
1641 * @idx: Index number returned by ccs_read_lock().
1642 *
1643 * Returns nothing.
1644 */
1645 static inline void ccs_read_unlock(const int idx)
1646 {
1647 ccs_unlock(idx);
1648 }
1649
1650 #endif
1651
1652 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
1653
1654 /**
1655 * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1656 *
1657 * Returns nothing.
1658 */
1659 static inline void ccs_tasklist_lock(void)
1660 {
1661 rcu_read_lock();
1662 }
1663
1664 /**
1665 * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1666 *
1667 * Returns nothing.
1668 */
1669 static inline void ccs_tasklist_unlock(void)
1670 {
1671 rcu_read_unlock();
1672 }
1673
1674 #else
1675
1676 /**
1677 * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1678 *
1679 * Returns nothing.
1680 */
1681 static inline void ccs_tasklist_lock(void)
1682 {
1683 read_lock(&tasklist_lock);
1684 }
1685
1686 /**
1687 * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1688 *
1689 * Returns nothing.
1690 */
1691 static inline void ccs_tasklist_unlock(void)
1692 {
1693 read_unlock(&tasklist_lock);
1694 }
1695
1696 #endif
1697
1698 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1699
1700 /**
1701 * ccs_sys_getppid - Copy of getppid().
1702 *
1703 * Returns parent process's PID.
1704 *
1705 * Alpha does not have getppid() defined. To be able to build this module on
1706 * Alpha, I have to copy getppid() from kernel/timer.c.
1707 */
1708 static inline pid_t ccs_sys_getppid(void)
1709 {
1710 pid_t pid;
1711 rcu_read_lock();
1712 pid = task_tgid_vnr(rcu_dereference(current->real_parent));
1713 rcu_read_unlock();
1714 return pid;
1715 }
1716
1717 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
1718
1719 /**
1720 * ccs_sys_getppid - Copy of getppid().
1721 *
1722 * Returns parent process's PID.
1723 *
1724 * This function was rewritten to use RCU in 2.6.16.34. However, distributors
1725 * which use earlier kernels (e.g. 2.6.8/2.6.9) did not backport the bugfix.
1726 * Therefore, I'm using code for 2.6.16.34 for earlier kernels.
1727 */
1728 static inline pid_t ccs_sys_getppid(void)
1729 {
1730 pid_t pid;
1731 rcu_read_lock();
1732 #if (defined(RHEL_MAJOR) && RHEL_MAJOR == 5) || (defined(AX_MAJOR) && AX_MAJOR == 3)
1733 pid = rcu_dereference(current->parent)->tgid;
1734 #elif defined(CONFIG_UTRACE)
1735 /*
1736 * RHEL 5.0 kernel does not have RHEL_MAJOR/RHEL_MINOR defined.
1737 * Assume RHEL 5.0 if CONFIG_UTRACE is defined.
1738 */
1739 pid = rcu_dereference(current->parent)->tgid;
1740 #else
1741 pid = rcu_dereference(current->real_parent)->tgid;
1742 #endif
1743 rcu_read_unlock();
1744 return pid;
1745 }
1746
1747 #else
1748
1749 /**
1750 * ccs_sys_getppid - Copy of getppid().
1751 *
1752 * Returns parent process's PID.
1753 *
1754 * I can't use code for 2.6.16.34 for 2.4 kernels because 2.4 kernels does not
1755 * have RCU. Therefore, I'm using pessimistic lock (i.e. tasklist_lock
1756 * spinlock).
1757 */
1758 static inline pid_t ccs_sys_getppid(void)
1759 {
1760 pid_t pid;
1761 read_lock(&tasklist_lock);
1762 #ifdef TASK_DEAD
1763 pid = current->group_leader->real_parent->tgid;
1764 #else
1765 pid = current->p_opptr->pid;
1766 #endif
1767 read_unlock(&tasklist_lock);
1768 return pid;
1769 }
1770
1771 #endif
1772
1773 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1774
1775 /**
1776 * ccs_sys_getpid - Copy of getpid().
1777 *
1778 * Returns current thread's PID.
1779 *
1780 * Alpha does not have getpid() defined. To be able to build this module on
1781 * Alpha, I have to copy getpid() from kernel/timer.c.
1782 */
1783 static inline pid_t ccs_sys_getpid(void)
1784 {
1785 return task_tgid_vnr(current);
1786 }
1787
1788 #else
1789
1790 /**
1791 * ccs_sys_getpid - Copy of getpid().
1792 *
1793 * Returns current thread's PID.
1794 */
1795 static inline pid_t ccs_sys_getpid(void)
1796 {
1797 return current->tgid;
1798 }
1799
1800 #endif
1801
1802 /**
1803 * ccs_get_mode - Get mode for specified functionality.
1804 *
1805 * @profile: Profile number.
1806 * @index: Functionality number.
1807 *
1808 * Returns mode.
1809 */
1810 static inline u8 ccs_get_mode(const u8 profile, const u8 index)
1811 {
1812 return ccs_get_config(profile, index) & (CCS_CONFIG_MAX_MODE - 1);
1813 }
1814
1815 #if defined(CONFIG_SLOB)
1816
1817 /**
1818 * ccs_round2 - Round up to power of 2 for calculating memory usage.
1819 *
1820 * @size: Size to be rounded up.
1821 *
1822 * Returns @size.
1823 *
1824 * Since SLOB does not round up, this function simply returns @size.
1825 */
1826 static inline int ccs_round2(size_t size)
1827 {
1828 return size;
1829 }
1830
1831 #else
1832
1833 /**
1834 * ccs_round2 - Round up to power of 2 for calculating memory usage.
1835 *
1836 * @size: Size to be rounded up.
1837 *
1838 * Returns rounded size.
1839 *
1840 * Strictly speaking, SLAB may be able to allocate (e.g.) 96 bytes instead of
1841 * (e.g.) 128 bytes.
1842 */
1843 static inline int ccs_round2(size_t size)
1844 {
1845 #if PAGE_SIZE == 4096
1846 size_t bsize = 32;
1847 #else
1848 size_t bsize = 64;
1849 #endif
1850 if (!size)
1851 return 0;
1852 while (size > bsize)
1853 bsize <<= 1;
1854 return bsize;
1855 }
1856
1857 #endif
1858
1859 /**
1860 * ccs_put_condition - Drop reference on "struct ccs_condition".
1861 *
1862 * @cond: Pointer to "struct ccs_condition". Maybe NULL.
1863 *
1864 * Returns nothing.
1865 */
1866 static inline void ccs_put_condition(struct ccs_condition *cond)
1867 {
1868 if (cond)
1869 atomic_dec(&cond->head.users);
1870 }
1871
1872 /**
1873 * ccs_put_group - Drop reference on "struct ccs_group".
1874 *
1875 * @group: Pointer to "struct ccs_group". Maybe NULL.
1876 *
1877 * Returns nothing.
1878 */
1879 static inline void ccs_put_group(struct ccs_group *group)
1880 {
1881 if (group)
1882 atomic_dec(&group->head.users);
1883 }
1884
1885 /**
1886 * ccs_put_name - Drop reference on "struct ccs_name".
1887 *
1888 * @name: Pointer to "struct ccs_path_info". Maybe NULL.
1889 *
1890 * Returns nothing.
1891 */
1892 static inline void ccs_put_name(const struct ccs_path_info *name)
1893 {
1894 if (name)
1895 atomic_dec(&container_of(name, struct ccs_name, entry)->
1896 head.users);
1897 }
1898
1899 /* For importing variables and functions. */
1900 extern const struct ccsecurity_exports ccsecurity_exports;
1901
1902 #ifdef CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY
1903
1904 /*
1905 * Structure for holding "struct ccs_domain_info *" and "struct ccs_execve *"
1906 * and "u32 ccs_flags" for each "struct task_struct".
1907 *
1908 * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
1909 * are maintained outside that "struct task_struct". Therefore, ccs_security
1910 * != task_struct . This keeps KABI for distributor's prebuilt kernels but
1911 * entails slow access.
1912 *
1913 * Memory for this structure is allocated when current thread tries to access
1914 * it. Therefore, if memory allocation failed, current thread will be killed by
1915 * SIGKILL. Note that if current->pid == 1, sending SIGKILL won't work.
1916 */
1917 struct ccs_security {
1918 struct list_head list;
1919 const struct task_struct *task;
1920 struct ccs_domain_info *ccs_domain_info;
1921 u32 ccs_flags;
1922 struct rcu_head rcu;
1923 };
1924
1925 #define CCS_TASK_SECURITY_HASH_BITS 12
1926 #define CCS_MAX_TASK_SECURITY_HASH (1u << CCS_TASK_SECURITY_HASH_BITS)
1927 extern struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
1928
1929 struct ccs_security *ccs_find_task_security(const struct task_struct *task);
1930
1931 /**
1932 * ccs_current_security - Get "struct ccs_security" for current thread.
1933 *
1934 * Returns pointer to "struct ccs_security" for current thread.
1935 */
1936 static inline struct ccs_security *ccs_current_security(void)
1937 {
1938 return ccs_find_task_security(current);
1939 }
1940
1941 /**
1942 * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
1943 *
1944 * @task: Pointer to "struct task_struct".
1945 *
1946 * Returns pointer to "struct ccs_security" for specified thread.
1947 */
1948 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
1949 {
1950 struct ccs_domain_info *domain;
1951 rcu_read_lock();
1952 domain = ccs_find_task_security(task)->ccs_domain_info;
1953 rcu_read_unlock();
1954 return domain;
1955 }
1956
1957 /**
1958 * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
1959 *
1960 * Returns pointer to "struct ccs_domain_info" for current thread.
1961 */
1962 static inline struct ccs_domain_info *ccs_current_domain(void)
1963 {
1964 return ccs_find_task_security(current)->ccs_domain_info;
1965 }
1966
1967 /**
1968 * ccs_task_flags - Get flags for specified thread.
1969 *
1970 * @task: Pointer to "struct task_struct".
1971 *
1972 * Returns flags for specified thread.
1973 */
1974 static inline u32 ccs_task_flags(struct task_struct *task)
1975 {
1976 u32 ccs_flags;
1977 rcu_read_lock();
1978 ccs_flags = ccs_find_task_security(task)->ccs_flags;
1979 rcu_read_unlock();
1980 return ccs_flags;
1981 }
1982
1983 /**
1984 * ccs_current_flags - Get flags for current thread.
1985 *
1986 * Returns flags for current thread.
1987 */
1988 static inline u32 ccs_current_flags(void)
1989 {
1990 return ccs_find_task_security(current)->ccs_flags;
1991 }
1992
1993 #else
1994
1995 /*
1996 * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
1997 * are maintained inside that "struct task_struct". Therefore, ccs_security ==
1998 * task_struct . This allows fast access but breaks KABI checks for
1999 * distributor's prebuilt kernels due to changes in "struct task_struct".
2000 */
2001 #define ccs_security task_struct
2002
2003 /**
2004 * ccs_find_task_security - Find "struct ccs_security" for given task.
2005 *
2006 * @task: Pointer to "struct task_struct".
2007 *
2008 * Returns pointer to "struct ccs_security".
2009 */
2010 static inline struct ccs_security *ccs_find_task_security(struct task_struct *
2011 task)
2012 {
2013 return task;
2014 }
2015
2016 /**
2017 * ccs_current_security - Get "struct ccs_security" for current thread.
2018 *
2019 * Returns pointer to "struct ccs_security" for current thread.
2020 */
2021 static inline struct ccs_security *ccs_current_security(void)
2022 {
2023 return ccs_find_task_security(current);
2024 }
2025
2026 /**
2027 * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
2028 *
2029 * @task: Pointer to "struct task_struct".
2030 *
2031 * Returns pointer to "struct ccs_security" for specified thread.
2032 */
2033 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
2034 {
2035 struct ccs_domain_info *domain = task->ccs_domain_info;
2036 return domain ? domain : &ccs_kernel_domain;
2037 }
2038
2039 /**
2040 * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
2041 *
2042 * Returns pointer to "struct ccs_domain_info" for current thread.
2043 *
2044 * If current thread does not belong to a domain (which is true for initial
2045 * init_task in order to hide ccs_kernel_domain from this module),
2046 * current thread enters into ccs_kernel_domain.
2047 */
2048 static inline struct ccs_domain_info *ccs_current_domain(void)
2049 {
2050 struct task_struct *task = current;
2051 if (!task->ccs_domain_info)
2052 task->ccs_domain_info = &ccs_kernel_domain;
2053 return task->ccs_domain_info;
2054 }
2055
2056 /**
2057 * ccs_task_flags - Get flags for specified thread.
2058 *
2059 * @task: Pointer to "struct task_struct".
2060 *
2061 * Returns flags for specified thread.
2062 */
2063 static inline u32 ccs_task_flags(struct task_struct *task)
2064 {
2065 return ccs_find_task_security(task)->ccs_flags;
2066 }
2067
2068 /**
2069 * ccs_current_flags - Get flags for current thread.
2070 *
2071 * Returns flags for current thread.
2072 */
2073 static inline u32 ccs_current_flags(void)
2074 {
2075 return ccs_find_task_security(current)->ccs_flags;
2076 }
2077
2078 #endif
2079
2080 /**
2081 * ccs_current_namespace - Get "struct ccs_policy_namespace" for current thread.
2082 *
2083 * Returns pointer to "struct ccs_policy_namespace" for current thread.
2084 */
2085 static inline struct ccs_policy_namespace *ccs_current_namespace(void)
2086 {
2087 return ccs_current_domain()->ns;
2088 }
2089
2090 #endif
2091
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.