~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/ccsecurity/internal.h

Version: ~ [ linux-5.11-rc3 ] ~ [ linux-5.10.7 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.89 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.167 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.215 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.251 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.251 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * security/ccsecurity/internal.h
  3  *
  4  * Copyright (C) 2005-2012  NTT DATA CORPORATION
  5  *
  6  * Version: 1.8.5   2015/11/11
  7  */
  8 
  9 #ifndef _SECURITY_CCSECURITY_INTERNAL_H
 10 #define _SECURITY_CCSECURITY_INTERNAL_H
 11 
 12 #include <linux/version.h>
 13 #include <linux/types.h>
 14 #include <linux/kernel.h>
 15 #include <linux/string.h>
 16 #include <linux/mm.h>
 17 #include <linux/utime.h>
 18 #include <linux/file.h>
 19 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 38)
 20 #include <linux/smp_lock.h>
 21 #endif
 22 #include <linux/module.h>
 23 #include <linux/init.h>
 24 #include <linux/slab.h>
 25 #include <linux/highmem.h>
 26 #include <linux/poll.h>
 27 #include <linux/binfmts.h>
 28 #include <linux/delay.h>
 29 #include <linux/sched.h>
 30 #include <linux/dcache.h>
 31 #include <linux/mount.h>
 32 #include <linux/net.h>
 33 #include <linux/inet.h>
 34 #include <linux/in.h>
 35 #include <linux/in6.h>
 36 #include <linux/un.h>
 37 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
 38 #include <linux/fs.h>
 39 #endif
 40 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
 41 #include <linux/namei.h>
 42 #endif
 43 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 30)
 44 #include <linux/fs_struct.h>
 45 #endif
 46 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 47 #include <linux/namespace.h>
 48 #endif
 49 #include <linux/proc_fs.h>
 50 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 0) || defined(RHEL_MAJOR)
 51 #include <linux/hash.h>
 52 #endif
 53 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) || (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL))
 54 #include <linux/sysctl.h>
 55 #endif
 56 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 6)
 57 #include <linux/kthread.h>
 58 #endif
 59 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)
 60 #include <linux/magic.h>
 61 #endif
 62 #include <stdarg.h>
 63 #include <asm/uaccess.h>
 64 #include <net/sock.h>
 65 #include <net/af_unix.h>
 66 #include <net/ip.h>
 67 #include <net/ipv6.h>
 68 #include <net/udp.h>
 69 
 70 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
 71 #define sk_family family
 72 #define sk_protocol protocol
 73 #define sk_type type
 74 #endif
 75 
 76 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 77 
 78 /* Structure for holding "struct vfsmount *" and "struct dentry *". */
 79 struct path {
 80         struct vfsmount *mnt;
 81         struct dentry *dentry;
 82 };
 83 
 84 #endif
 85 
 86 #ifndef __printf
 87 #define __printf(a,b) __attribute__((format(printf,a,b)))
 88 #endif
 89 #ifndef __packed
 90 #define __packed __attribute__((__packed__))
 91 #endif
 92 #ifndef bool
 93 #define bool _Bool
 94 #endif
 95 #ifndef false
 96 #define false 0
 97 #endif
 98 #ifndef true
 99 #define true 1
100 #endif
101 
102 #ifndef __user
103 #define __user
104 #endif
105 
106 #ifndef current_uid
107 #define current_uid()   (current->uid)
108 #endif
109 #ifndef current_gid
110 #define current_gid()   (current->gid)
111 #endif
112 #ifndef current_euid
113 #define current_euid()  (current->euid)
114 #endif
115 #ifndef current_egid
116 #define current_egid()  (current->egid)
117 #endif
118 #ifndef current_suid
119 #define current_suid()  (current->suid)
120 #endif
121 #ifndef current_sgid
122 #define current_sgid()  (current->sgid)
123 #endif
124 #ifndef current_fsuid
125 #define current_fsuid() (current->fsuid)
126 #endif
127 #ifndef current_fsgid
128 #define current_fsgid() (current->fsgid)
129 #endif
130 
131 #ifndef DEFINE_SPINLOCK
132 #define DEFINE_SPINLOCK(x) spinlock_t x = SPIN_LOCK_UNLOCKED
133 #endif
134 
135 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16)
136 #define mutex semaphore
137 #define mutex_init(mutex) init_MUTEX(mutex)
138 #define mutex_unlock(mutex) up(mutex)
139 #define mutex_lock(mutex) down(mutex)
140 #define mutex_lock_interruptible(mutex) down_interruptible(mutex)
141 #define mutex_trylock(mutex) (!down_trylock(mutex))
142 #define DEFINE_MUTEX(mutexname) DECLARE_MUTEX(mutexname)
143 #endif
144 
145 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 15)
146 #define MS_UNBINDABLE   (1<<17) /* change to unbindable */
147 #define MS_PRIVATE      (1<<18) /* change to private */
148 #define MS_SLAVE        (1<<19) /* change to slave */
149 #define MS_SHARED       (1<<20) /* change to shared */
150 #endif
151 
152 #ifndef container_of
153 #define container_of(ptr, type, member) ({                              \
154                         const typeof(((type *)0)->member) *__mptr = (ptr); \
155                         (type *)((char *)__mptr - offsetof(type, member)); })
156 #endif
157 
158 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 0)
159 #define smp_read_barrier_depends smp_rmb
160 #endif
161 
162 #ifndef ACCESS_ONCE
163 #define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
164 #endif
165 
166 #ifndef rcu_dereference
167 #define rcu_dereference(p)     ({                                       \
168                         typeof(p) _________p1 = ACCESS_ONCE(p);         \
169                         smp_read_barrier_depends(); /* see RCU */       \
170                         (_________p1);                                  \
171                 })
172 #endif
173 
174 #ifndef rcu_assign_pointer
175 #define rcu_assign_pointer(p, v)                        \
176         ({                                              \
177                 if (!__builtin_constant_p(v) ||         \
178                     ((v) != NULL))                      \
179                         smp_wmb(); /* see RCU */        \
180                 (p) = (v);                              \
181         })
182 #endif
183 
184 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
185 #define f_vfsmnt f_path.mnt
186 #endif
187 
188 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 14)
189 
190 /**
191  * kzalloc() - Allocate memory. The memory is set to zero.
192  *
193  * @size:  Size to allocate.
194  * @flags: GFP flags.
195  *
196  * Returns pointer to allocated memory on success, NULL otherwise.
197  *
198  * This is for compatibility with older kernels.
199  *
200  * Since several distributions backported kzalloc(), I define it as a macro
201  * rather than an inlined function in order to avoid multiple definition error.
202  */
203 #define kzalloc(size, flags) ({                                 \
204                         void *ret = kmalloc((size), (flags));   \
205                         if (ret)                                \
206                                 memset(ret, 0, (size));         \
207                         ret; })
208 
209 #endif
210 
211 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 25)
212 
213 /**
214  * path_put - Drop reference on "struct path".
215  *
216  * @path: Pointer to "struct path".
217  *
218  * Returns nothing.
219  *
220  * This is for compatibility with older kernels.
221  */
222 static inline void path_put(struct path *path)
223 {
224         dput(path->dentry);
225         mntput(path->mnt);
226 }
227 
228 #endif
229 
230 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
231 
232 /**
233  * __list_add_rcu - Insert a new entry between two known consecutive entries.
234  *
235  * @new:  Pointer to "struct list_head".
236  * @prev: Pointer to "struct list_head".
237  * @next: Pointer to "struct list_head".
238  *
239  * Returns nothing.
240  *
241  * This is for compatibility with older kernels.
242  */
243 static inline void __list_add_rcu(struct list_head *new,
244                                   struct list_head *prev,
245                                   struct list_head *next)
246 {
247         new->next = next;
248         new->prev = prev;
249         rcu_assign_pointer(prev->next, new);
250         next->prev = new;
251 }
252 
253 /**
254  * list_add_tail_rcu - Add a new entry to rcu-protected list.
255  *
256  * @new:  Pointer to "struct list_head".
257  * @head: Pointer to "struct list_head".
258  *
259  * Returns nothing.
260  *
261  * This is for compatibility with older kernels.
262  */
263 static inline void list_add_tail_rcu(struct list_head *new,
264                                      struct list_head *head)
265 {
266         __list_add_rcu(new, head->prev, head);
267 }
268 
269 /**
270  * list_add_rcu - Add a new entry to rcu-protected list.
271  *
272  * @new:  Pointer to "struct list_head".
273  * @head: Pointer to "struct list_head".
274  *
275  * Returns nothing.
276  *
277  * This is for compatibility with older kernels.
278  */
279 static inline void list_add_rcu(struct list_head *new, struct list_head *head)
280 {
281         __list_add_rcu(new, head, head->next);
282 }
283 
284 #endif
285 
286 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 38)
287 
288 /**
289  * __list_del_entry - Deletes entry from list without re-initialization.
290  *
291  * @entry: Pointer to "struct list_head".
292  *
293  * Returns nothing.
294  *
295  * This is for compatibility with older kernels.
296  */
297 static inline void __list_del_entry(struct list_head *entry)
298 {
299         __list_del(entry->prev, entry->next);
300 }
301 
302 #endif
303 
304 #ifndef list_for_each_entry_safe
305 
306 /**
307  * list_for_each_entry_safe - Iterate over list of given type safe against removal of list entry.
308  *
309  * @pos:    The "type *" to use as a loop cursor.
310  * @n:      Another "type *" to use as temporary storage.
311  * @head:   Pointer to "struct list_head".
312  * @member: The name of the list_struct within the struct.
313  *
314  * This is for compatibility with older kernels.
315  */
316 #define list_for_each_entry_safe(pos, n, head, member)                  \
317         for (pos = list_entry((head)->next, typeof(*pos), member),      \
318                      n = list_entry(pos->member.next, typeof(*pos), member); \
319              &pos->member != (head);                                    \
320              pos = n, n = list_entry(n->member.next, typeof(*n), member))
321 
322 #endif
323 
324 #ifndef srcu_dereference
325 
326 /**
327  * srcu_dereference - Fetch SRCU-protected pointer with checking.
328  *
329  * @p:  The pointer to read, prior to dereferencing.
330  * @ss: Pointer to "struct srcu_struct".
331  *
332  * Returns @p.
333  *
334  * This is for compatibility with older kernels.
335  */
336 #define srcu_dereference(p, ss) rcu_dereference(p)
337 
338 #endif
339 
340 #ifndef list_for_each_entry_srcu
341 
342 /**
343  * list_for_each_entry_srcu - Iterate over rcu list of given type.
344  *
345  * @pos:    The type * to use as a loop cursor.
346  * @head:   The head for your list.
347  * @member: The name of the list_struct within the struct.
348  * @ss:     Pointer to "struct srcu_struct".
349  *
350  * As of 2.6.36, this macro is not provided because only TOMOYO wants it.
351  */
352 #define list_for_each_entry_srcu(pos, head, member, ss)               \
353         for (pos = list_entry(srcu_dereference((head)->next, ss),     \
354                               typeof(*pos), member);                  \
355              prefetch(pos->member.next), &pos->member != (head);      \
356              pos = list_entry(srcu_dereference(pos->member.next, ss), \
357                               typeof(*pos), member))
358 
359 #endif
360 
361 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 4, 30) || (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 9))
362 
363 #if LINUX_VERSION_CODE == KERNEL_VERSION(2, 4, 21)
364 #undef ssleep
365 #endif
366 
367 #ifndef ssleep
368 
369 /**
370  * ssleep - Sleep for specified seconds.
371  *
372  * @secs: Seconds to sleep.
373  *
374  * Returns nothing.
375  *
376  * This is for compatibility with older kernels.
377  *
378  * Since several distributions backported ssleep(), I define it as a macro
379  * rather than an inlined function in order to avoid multiple definition error.
380  */
381 #define ssleep(secs) {                                          \
382                 set_current_state(TASK_UNINTERRUPTIBLE);        \
383                 schedule_timeout((HZ * secs) + 1);              \
384         }
385 
386 #endif
387 
388 #endif
389 
390 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
391 
392 /**
393  * from_kuid - Convert kuid_t to uid_t.
394  *
395  * @ns:  Unused.
396  * @uid: kuid_t value.
397  *
398  * Returns uid seen from init's user namespace.
399  */
400 #define from_kuid(ns, uid) (uid)
401 
402 /**
403  * from_kgid - Convert kgid_t to gid_t.
404  *
405  * @ns:  Unused.
406  * @gid: kgid_t value.
407  *
408  * Returns gid seen from init's user namespace.
409  */
410 #define from_kgid(ns, gid) (gid)
411 
412 /**
413  * uid_eq - Check whether the uids are equals or not.
414  *
415  * @left: Uid seen from current user namespace.
416  * @right: Uid seen from current user namespace.
417  *
418  * Returns true if uid is root in init's user namespace, false otherwise.
419  */
420 #define uid_eq(left, right) ((left) == (right))
421 #define GLOBAL_ROOT_UID 0
422 
423 #endif
424 
425 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
426 #define d_backing_inode(upper) (upper)->d_inode
427 #endif
428 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 14, 0)
429 #define d_is_dir(dentry) ({ struct inode *inode = d_backing_inode(dentry); \
430                         inode && S_ISDIR(inode->i_mode); })
431 #endif
432 
433 /*
434  * TOMOYO specific part start.
435  */
436 
437 #include <linux/ccsecurity.h>
438 
439 /* Enumeration definition for internal use. */
440 
441 /* Index numbers for Access Controls. */
442 enum ccs_acl_entry_type_index {
443         CCS_TYPE_PATH_ACL,
444         CCS_TYPE_PATH2_ACL,
445         CCS_TYPE_PATH_NUMBER_ACL,
446         CCS_TYPE_MKDEV_ACL,
447         CCS_TYPE_MOUNT_ACL,
448 #ifdef CONFIG_CCSECURITY_MISC
449         CCS_TYPE_ENV_ACL,
450 #endif
451 #ifdef CONFIG_CCSECURITY_CAPABILITY
452         CCS_TYPE_CAPABILITY_ACL,
453 #endif
454 #ifdef CONFIG_CCSECURITY_NETWORK
455         CCS_TYPE_INET_ACL,
456         CCS_TYPE_UNIX_ACL,
457 #endif
458 #ifdef CONFIG_CCSECURITY_IPC
459         CCS_TYPE_SIGNAL_ACL,
460 #endif
461 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
462         CCS_TYPE_AUTO_EXECUTE_HANDLER,
463         CCS_TYPE_DENIED_EXECUTE_HANDLER,
464 #endif
465 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
466         CCS_TYPE_AUTO_TASK_ACL,
467         CCS_TYPE_MANUAL_TASK_ACL,
468 #endif
469 };
470 
471 /* Index numbers for "struct ccs_condition". */
472 enum ccs_conditions_index {
473         CCS_TASK_UID,             /* current_uid()   */
474         CCS_TASK_EUID,            /* current_euid()  */
475         CCS_TASK_SUID,            /* current_suid()  */
476         CCS_TASK_FSUID,           /* current_fsuid() */
477         CCS_TASK_GID,             /* current_gid()   */
478         CCS_TASK_EGID,            /* current_egid()  */
479         CCS_TASK_SGID,            /* current_sgid()  */
480         CCS_TASK_FSGID,           /* current_fsgid() */
481         CCS_TASK_PID,             /* sys_getpid()   */
482         CCS_TASK_PPID,            /* sys_getppid()  */
483         CCS_EXEC_ARGC,            /* "struct linux_binprm *"->argc */
484         CCS_EXEC_ENVC,            /* "struct linux_binprm *"->envc */
485         CCS_TYPE_IS_SOCKET,       /* S_IFSOCK */
486         CCS_TYPE_IS_SYMLINK,      /* S_IFLNK */
487         CCS_TYPE_IS_FILE,         /* S_IFREG */
488         CCS_TYPE_IS_BLOCK_DEV,    /* S_IFBLK */
489         CCS_TYPE_IS_DIRECTORY,    /* S_IFDIR */
490         CCS_TYPE_IS_CHAR_DEV,     /* S_IFCHR */
491         CCS_TYPE_IS_FIFO,         /* S_IFIFO */
492         CCS_MODE_SETUID,          /* S_ISUID */
493         CCS_MODE_SETGID,          /* S_ISGID */
494         CCS_MODE_STICKY,          /* S_ISVTX */
495         CCS_MODE_OWNER_READ,      /* S_IRUSR */
496         CCS_MODE_OWNER_WRITE,     /* S_IWUSR */
497         CCS_MODE_OWNER_EXECUTE,   /* S_IXUSR */
498         CCS_MODE_GROUP_READ,      /* S_IRGRP */
499         CCS_MODE_GROUP_WRITE,     /* S_IWGRP */
500         CCS_MODE_GROUP_EXECUTE,   /* S_IXGRP */
501         CCS_MODE_OTHERS_READ,     /* S_IROTH */
502         CCS_MODE_OTHERS_WRITE,    /* S_IWOTH */
503         CCS_MODE_OTHERS_EXECUTE,  /* S_IXOTH */
504         CCS_TASK_TYPE,            /* ((u8) task->ccs_flags) &
505                                      CCS_TASK_IS_EXECUTE_HANDLER */
506         CCS_TASK_EXECUTE_HANDLER, /* CCS_TASK_IS_EXECUTE_HANDLER */
507         CCS_EXEC_REALPATH,
508         CCS_SYMLINK_TARGET,
509         CCS_PATH1_UID,
510         CCS_PATH1_GID,
511         CCS_PATH1_INO,
512         CCS_PATH1_MAJOR,
513         CCS_PATH1_MINOR,
514         CCS_PATH1_PERM,
515         CCS_PATH1_TYPE,
516         CCS_PATH1_DEV_MAJOR,
517         CCS_PATH1_DEV_MINOR,
518         CCS_PATH2_UID,
519         CCS_PATH2_GID,
520         CCS_PATH2_INO,
521         CCS_PATH2_MAJOR,
522         CCS_PATH2_MINOR,
523         CCS_PATH2_PERM,
524         CCS_PATH2_TYPE,
525         CCS_PATH2_DEV_MAJOR,
526         CCS_PATH2_DEV_MINOR,
527         CCS_PATH1_PARENT_UID,
528         CCS_PATH1_PARENT_GID,
529         CCS_PATH1_PARENT_INO,
530         CCS_PATH1_PARENT_PERM,
531         CCS_PATH2_PARENT_UID,
532         CCS_PATH2_PARENT_GID,
533         CCS_PATH2_PARENT_INO,
534         CCS_PATH2_PARENT_PERM,
535         CCS_MAX_CONDITION_KEYWORD,
536         CCS_NUMBER_UNION,
537         CCS_NAME_UNION,
538         CCS_ARGV_ENTRY,
539         CCS_ENVP_ENTRY,
540 };
541 
542 /* Index numbers for domain's attributes. */
543 enum ccs_domain_info_flags_index {
544         /* Quota warnning flag.   */
545         CCS_DIF_QUOTA_WARNED,
546         /*
547          * This domain was unable to create a new domain at
548          * ccs_find_next_domain() because the name of the domain to be created
549          * was too long or it could not allocate memory.
550          * More than one process continued execve() without domain transition.
551          */
552         CCS_DIF_TRANSITION_FAILED,
553         CCS_MAX_DOMAIN_INFO_FLAGS
554 };
555 
556 /* Index numbers for audit type. */
557 enum ccs_grant_log {
558         /* Follow profile's configuration. */
559         CCS_GRANTLOG_AUTO,
560         /* Do not generate grant log. */
561         CCS_GRANTLOG_NO,
562         /* Generate grant_log. */
563         CCS_GRANTLOG_YES,
564 };
565 
566 /* Index numbers for group entries. */
567 enum ccs_group_id {
568         CCS_PATH_GROUP,
569         CCS_NUMBER_GROUP,
570 #ifdef CONFIG_CCSECURITY_NETWORK
571         CCS_ADDRESS_GROUP,
572 #endif
573         CCS_MAX_GROUP
574 };
575 
576 /* Index numbers for category of functionality. */
577 enum ccs_mac_category_index {
578         CCS_MAC_CATEGORY_FILE,
579 #ifdef CONFIG_CCSECURITY_NETWORK
580         CCS_MAC_CATEGORY_NETWORK,
581 #endif
582 #ifdef CONFIG_CCSECURITY_MISC
583         CCS_MAC_CATEGORY_MISC,
584 #endif
585 #ifdef CONFIG_CCSECURITY_IPC
586         CCS_MAC_CATEGORY_IPC,
587 #endif
588 #ifdef CONFIG_CCSECURITY_CAPABILITY
589         CCS_MAC_CATEGORY_CAPABILITY,
590 #endif
591         CCS_MAX_MAC_CATEGORY_INDEX
592 };
593 
594 /* Index numbers for functionality. */
595 enum ccs_mac_index {
596         CCS_MAC_FILE_EXECUTE,
597         CCS_MAC_FILE_OPEN,
598         CCS_MAC_FILE_CREATE,
599         CCS_MAC_FILE_UNLINK,
600 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
601         CCS_MAC_FILE_GETATTR,
602 #endif
603         CCS_MAC_FILE_MKDIR,
604         CCS_MAC_FILE_RMDIR,
605         CCS_MAC_FILE_MKFIFO,
606         CCS_MAC_FILE_MKSOCK,
607         CCS_MAC_FILE_TRUNCATE,
608         CCS_MAC_FILE_SYMLINK,
609         CCS_MAC_FILE_MKBLOCK,
610         CCS_MAC_FILE_MKCHAR,
611         CCS_MAC_FILE_LINK,
612         CCS_MAC_FILE_RENAME,
613         CCS_MAC_FILE_CHMOD,
614         CCS_MAC_FILE_CHOWN,
615         CCS_MAC_FILE_CHGRP,
616         CCS_MAC_FILE_IOCTL,
617         CCS_MAC_FILE_CHROOT,
618         CCS_MAC_FILE_MOUNT,
619         CCS_MAC_FILE_UMOUNT,
620         CCS_MAC_FILE_PIVOT_ROOT,
621 #ifdef CONFIG_CCSECURITY_NETWORK
622         CCS_MAC_NETWORK_INET_STREAM_BIND,
623         CCS_MAC_NETWORK_INET_STREAM_LISTEN,
624         CCS_MAC_NETWORK_INET_STREAM_CONNECT,
625         CCS_MAC_NETWORK_INET_STREAM_ACCEPT,
626         CCS_MAC_NETWORK_INET_DGRAM_BIND,
627         CCS_MAC_NETWORK_INET_DGRAM_SEND,
628 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
629         CCS_MAC_NETWORK_INET_DGRAM_RECV,
630 #endif
631         CCS_MAC_NETWORK_INET_RAW_BIND,
632         CCS_MAC_NETWORK_INET_RAW_SEND,
633 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
634         CCS_MAC_NETWORK_INET_RAW_RECV,
635 #endif
636         CCS_MAC_NETWORK_UNIX_STREAM_BIND,
637         CCS_MAC_NETWORK_UNIX_STREAM_LISTEN,
638         CCS_MAC_NETWORK_UNIX_STREAM_CONNECT,
639         CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT,
640         CCS_MAC_NETWORK_UNIX_DGRAM_BIND,
641         CCS_MAC_NETWORK_UNIX_DGRAM_SEND,
642 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
643         CCS_MAC_NETWORK_UNIX_DGRAM_RECV,
644 #endif
645         CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND,
646         CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
647         CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
648         CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT,
649 #endif
650 #ifdef CONFIG_CCSECURITY_MISC
651         CCS_MAC_ENVIRON,
652 #endif
653 #ifdef CONFIG_CCSECURITY_IPC
654         CCS_MAC_SIGNAL,
655 #endif
656 #ifdef CONFIG_CCSECURITY_CAPABILITY
657         CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET,
658         CCS_MAC_CAPABILITY_USE_PACKET_SOCKET,
659         CCS_MAC_CAPABILITY_SYS_REBOOT,
660         CCS_MAC_CAPABILITY_SYS_VHANGUP,
661         CCS_MAC_CAPABILITY_SYS_SETTIME,
662         CCS_MAC_CAPABILITY_SYS_NICE,
663         CCS_MAC_CAPABILITY_SYS_SETHOSTNAME,
664         CCS_MAC_CAPABILITY_USE_KERNEL_MODULE,
665         CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD,
666         CCS_MAC_CAPABILITY_SYS_PTRACE,
667 #endif
668         CCS_MAX_MAC_INDEX
669 };
670 
671 /* Index numbers for /proc/ccs/stat interface. */
672 enum ccs_memory_stat_type {
673         CCS_MEMORY_POLICY,
674         CCS_MEMORY_AUDIT,
675         CCS_MEMORY_QUERY,
676         CCS_MAX_MEMORY_STAT
677 };
678 
679 /* Index numbers for access controls with one pathname and three numbers. */
680 enum ccs_mkdev_acl_index {
681         CCS_TYPE_MKBLOCK,
682         CCS_TYPE_MKCHAR,
683         CCS_MAX_MKDEV_OPERATION
684 };
685 
686 /* Index numbers for operation mode. */
687 enum ccs_mode_value {
688         CCS_CONFIG_DISABLED,
689         CCS_CONFIG_LEARNING,
690         CCS_CONFIG_PERMISSIVE,
691         CCS_CONFIG_ENFORCING,
692         CCS_CONFIG_MAX_MODE,
693         CCS_CONFIG_WANT_REJECT_LOG =  64,
694         CCS_CONFIG_WANT_GRANT_LOG  = 128,
695         CCS_CONFIG_USE_DEFAULT     = 255,
696 };
697 
698 /* Index numbers for socket operations. */
699 enum ccs_network_acl_index {
700         CCS_NETWORK_BIND,    /* bind() operation. */
701         CCS_NETWORK_LISTEN,  /* listen() operation. */
702         CCS_NETWORK_CONNECT, /* connect() operation. */
703         CCS_NETWORK_ACCEPT,  /* accept() operation. */
704         CCS_NETWORK_SEND,    /* send() operation. */
705 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
706         CCS_NETWORK_RECV,    /* recv() operation. */
707 #endif
708         CCS_MAX_NETWORK_OPERATION
709 };
710 
711 /* Index numbers for access controls with two pathnames. */
712 enum ccs_path2_acl_index {
713         CCS_TYPE_LINK,
714         CCS_TYPE_RENAME,
715         CCS_TYPE_PIVOT_ROOT,
716         CCS_MAX_PATH2_OPERATION
717 };
718 
719 /* Index numbers for access controls with one pathname. */
720 enum ccs_path_acl_index {
721         CCS_TYPE_EXECUTE,
722         CCS_TYPE_READ,
723         CCS_TYPE_WRITE,
724         CCS_TYPE_APPEND,
725         CCS_TYPE_UNLINK,
726 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
727         CCS_TYPE_GETATTR,
728 #endif
729         CCS_TYPE_RMDIR,
730         CCS_TYPE_TRUNCATE,
731         CCS_TYPE_SYMLINK,
732         CCS_TYPE_CHROOT,
733         CCS_TYPE_UMOUNT,
734         CCS_MAX_PATH_OPERATION
735 };
736 
737 /* Index numbers for access controls with one pathname and one number. */
738 enum ccs_path_number_acl_index {
739         CCS_TYPE_CREATE,
740         CCS_TYPE_MKDIR,
741         CCS_TYPE_MKFIFO,
742         CCS_TYPE_MKSOCK,
743         CCS_TYPE_IOCTL,
744         CCS_TYPE_CHMOD,
745         CCS_TYPE_CHOWN,
746         CCS_TYPE_CHGRP,
747         CCS_MAX_PATH_NUMBER_OPERATION
748 };
749 
750 /* Index numbers for stat(). */
751 enum ccs_path_stat_index {
752         /* Do not change this order. */
753         CCS_PATH1,
754         CCS_PATH1_PARENT,
755         CCS_PATH2,
756         CCS_PATH2_PARENT,
757         CCS_MAX_PATH_STAT
758 };
759 
760 /* Index numbers for entry type. */
761 enum ccs_policy_id {
762 #ifdef CONFIG_CCSECURITY_PORTRESERVE
763         CCS_ID_RESERVEDPORT,
764 #endif
765         CCS_ID_GROUP,
766 #ifdef CONFIG_CCSECURITY_NETWORK
767         CCS_ID_ADDRESS_GROUP,
768 #endif
769         CCS_ID_PATH_GROUP,
770         CCS_ID_NUMBER_GROUP,
771         CCS_ID_AGGREGATOR,
772         CCS_ID_TRANSITION_CONTROL,
773         CCS_ID_MANAGER,
774         CCS_ID_CONDITION,
775         CCS_ID_NAME,
776         CCS_ID_ACL,
777         CCS_ID_DOMAIN,
778         CCS_MAX_POLICY
779 };
780 
781 /* Index numbers for /proc/ccs/stat interface. */
782 enum ccs_policy_stat_type {
783         /* Do not change this order. */
784         CCS_STAT_POLICY_UPDATES,
785         CCS_STAT_POLICY_LEARNING,   /* == CCS_CONFIG_LEARNING */
786         CCS_STAT_POLICY_PERMISSIVE, /* == CCS_CONFIG_PERMISSIVE */
787         CCS_STAT_POLICY_ENFORCING,  /* == CCS_CONFIG_ENFORCING */
788         CCS_MAX_POLICY_STAT
789 };
790 
791 /* Index numbers for profile's PREFERENCE values. */
792 enum ccs_pref_index {
793         CCS_PREF_MAX_AUDIT_LOG,
794         CCS_PREF_MAX_LEARNING_ENTRY,
795         CCS_PREF_ENFORCING_PENALTY,
796         CCS_MAX_PREF
797 };
798 
799 /* Index numbers for /proc/ccs/ interfaces. */
800 enum ccs_proc_interface_index {
801         CCS_DOMAIN_POLICY,
802         CCS_EXCEPTION_POLICY,
803         CCS_PROCESS_STATUS,
804         CCS_STAT,
805         CCS_AUDIT,
806         CCS_VERSION,
807         CCS_PROFILE,
808         CCS_QUERY,
809         CCS_MANAGER,
810 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
811         CCS_EXECUTE_HANDLER,
812 #endif
813 };
814 
815 /* Index numbers for special mount operations. */
816 enum ccs_special_mount {
817         CCS_MOUNT_BIND,            /* mount --bind /source /dest   */
818         CCS_MOUNT_MOVE,            /* mount --move /old /new       */
819         CCS_MOUNT_REMOUNT,         /* mount -o remount /dir        */
820         CCS_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
821         CCS_MOUNT_MAKE_PRIVATE,    /* mount --make-private /dir    */
822         CCS_MOUNT_MAKE_SLAVE,      /* mount --make-slave /dir      */
823         CCS_MOUNT_MAKE_SHARED,     /* mount --make-shared /dir     */
824         CCS_MAX_SPECIAL_MOUNT
825 };
826 
827 /* Index numbers for domain transition control keywords. */
828 enum ccs_transition_type {
829         /* Do not change this order, */
830         CCS_TRANSITION_CONTROL_NO_RESET,
831         CCS_TRANSITION_CONTROL_RESET,
832         CCS_TRANSITION_CONTROL_NO_INITIALIZE,
833         CCS_TRANSITION_CONTROL_INITIALIZE,
834         CCS_TRANSITION_CONTROL_NO_KEEP,
835         CCS_TRANSITION_CONTROL_KEEP,
836         CCS_MAX_TRANSITION_TYPE
837 };
838 
839 /* Index numbers for type of numeric values. */
840 enum ccs_value_type {
841         CCS_VALUE_TYPE_INVALID,
842         CCS_VALUE_TYPE_DECIMAL,
843         CCS_VALUE_TYPE_OCTAL,
844         CCS_VALUE_TYPE_HEXADECIMAL,
845 };
846 
847 /* Constants definition for internal use. */
848 
849 /*
850  * TOMOYO uses this hash only when appending a string into the string table.
851  * Frequency of appending strings is very low. So we don't need large (e.g.
852  * 64k) hash size. 256 will be sufficient.
853  */
854 #define CCS_HASH_BITS 8
855 #define CCS_MAX_HASH (1u << CCS_HASH_BITS)
856 
857 /*
858  * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
859  * Therefore, we don't need SOCK_MAX.
860  */
861 #define CCS_SOCK_MAX 6
862 
863 /* Size of temporary buffer for execve() operation. */
864 #define CCS_EXEC_TMPSIZE     4096
865 
866 /* Garbage collector is trying to kfree() this element. */
867 #define CCS_GC_IN_PROGRESS -1
868 
869 /* Profile number is an integer between 0 and 255. */
870 #define CCS_MAX_PROFILES 256
871 
872 /* Group number is an integer between 0 and 255. */
873 #define CCS_MAX_ACL_GROUPS 256
874 
875 /* Current thread is doing open(O_RDONLY | O_TRUNC) ? */
876 #define CCS_OPEN_FOR_READ_TRUNCATE        1
877 /* Current thread is doing open(3) ? */
878 #define CCS_OPEN_FOR_IOCTL_ONLY           2
879 /* Current thread is doing do_execve() ? */
880 #define CCS_TASK_IS_IN_EXECVE             4
881 /* Current thread is running as an execute handler program? */
882 #define CCS_TASK_IS_EXECUTE_HANDLER       8
883 /* Current thread is allowed to modify policy via /proc/ccs/ interface? */
884 #define CCS_TASK_IS_MANAGER              16
885 
886 /*
887  * Retry this request. Returned by ccs_supervisor() if policy violation has
888  * occurred in enforcing mode and the userspace daemon decided to retry.
889  *
890  * We must choose a positive value in order to distinguish "granted" (which is
891  * 0) and "rejected" (which is a negative value) and "retry".
892  */
893 #define CCS_RETRY_REQUEST 1
894 
895 /* The gfp flags used by TOMOYO. */
896 #define CCS_GFP_FLAGS GFP_NOFS
897 
898 /* Size of read buffer for /proc/ccs/ interface. */
899 #define CCS_MAX_IO_READ_QUEUE 64
900 
901 /* Structure definition for internal use. */
902 
903 /* Common header for holding ACL entries. */
904 struct ccs_acl_head {
905         struct list_head list;
906         s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
907 } __packed;
908 
909 /* Common header for shared entries. */
910 struct ccs_shared_acl_head {
911         struct list_head list;
912         atomic_t users;
913 } __packed;
914 
915 /* Common header for individual entries. */
916 struct ccs_acl_info {
917         struct list_head list;
918         struct ccs_condition *cond; /* Maybe NULL. */
919         s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
920         u8 type; /* One of values in "enum ccs_acl_entry_type_index". */
921         u16 perm;
922 } __packed;
923 
924 /* Structure for holding a word. */
925 struct ccs_name_union {
926         /* Either @filename or @group is NULL. */
927         const struct ccs_path_info *filename;
928         struct ccs_group *group;
929 };
930 
931 /* Structure for holding a number. */
932 struct ccs_number_union {
933         unsigned long values[2];
934         struct ccs_group *group; /* Maybe NULL. */
935         /* One of values in "enum ccs_value_type". */
936         u8 value_type[2];
937 };
938 
939 /* Structure for holding an IP address. */
940 struct ccs_ipaddr_union {
941         struct in6_addr ip[2]; /* Big endian. */
942         struct ccs_group *group; /* Pointer to address group. */
943         bool is_ipv6; /* Valid only if @group == NULL. */
944 };
945 
946 /* Structure for "path_group"/"number_group"/"address_group" directive. */
947 struct ccs_group {
948         struct ccs_shared_acl_head head;
949         /* Name of group (without leading '@'). */
950         const struct ccs_path_info *group_name;
951         /*
952          * List of "struct ccs_path_group" or "struct ccs_number_group" or
953          * "struct ccs_address_group".
954          */
955         struct list_head member_list;
956 };
957 
958 /* Structure for "path_group" directive. */
959 struct ccs_path_group {
960         struct ccs_acl_head head;
961         const struct ccs_path_info *member_name;
962 };
963 
964 /* Structure for "number_group" directive. */
965 struct ccs_number_group {
966         struct ccs_acl_head head;
967         struct ccs_number_union number;
968 };
969 
970 /* Structure for "address_group" directive. */
971 struct ccs_address_group {
972         struct ccs_acl_head head;
973         /* Structure for holding an IP address. */
974         struct ccs_ipaddr_union address;
975 };
976 
977 /* Subset of "struct stat". Used by conditional ACL and audit logs. */
978 struct ccs_mini_stat {
979 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
980         kuid_t uid;
981         kgid_t gid;
982 #else
983         uid_t uid;
984         gid_t gid;
985 #endif
986         ino_t ino;
987         umode_t mode;
988         dev_t dev;
989         dev_t rdev;
990 };
991 
992 /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */
993 struct ccs_page_dump {
994         struct page *page;    /* Previously dumped page. */
995         char *data;           /* Contents of "page". Size is PAGE_SIZE. */
996 };
997 
998 /* Structure for attribute checks in addition to pathname checks. */
999 struct ccs_obj_info {
1000         /* True if ccs_get_attributes() was already called, false otherwise. */
1001         bool validate_done;
1002         /* True if @stat[] is valid. */
1003         bool stat_valid[CCS_MAX_PATH_STAT];
1004         /* First pathname. Initialized with { NULL, NULL } if no path. */
1005         struct path path1;
1006         /* Second pathname. Initialized with { NULL, NULL } if no path. */
1007         struct path path2;
1008         /*
1009          * Information on @path1, @path1's parent directory, @path2, @path2's
1010          * parent directory.
1011          */
1012         struct ccs_mini_stat stat[CCS_MAX_PATH_STAT];
1013         /*
1014          * Content of symbolic link to be created. NULL for operations other
1015          * than symlink().
1016          */
1017         struct ccs_path_info *symlink_target;
1018 };
1019 
1020 /* Structure for entries which follows "struct ccs_condition". */
1021 struct ccs_condition_element {
1022         /*
1023          * Left hand operand. A "struct ccs_argv" for CCS_ARGV_ENTRY, a
1024          * "struct ccs_envp" for CCS_ENVP_ENTRY is attached to the tail
1025          * of the array of this struct.
1026          */
1027         u8 left;
1028         /*
1029          * Right hand operand. A "struct ccs_number_union" for
1030          * CCS_NUMBER_UNION, a "struct ccs_name_union" for CCS_NAME_UNION is
1031          * attached to the tail of the array of this struct.
1032          */
1033         u8 right;
1034         /* Equation operator. True if equals or overlaps, false otherwise. */
1035         bool equals;
1036 };
1037 
1038 /* Structure for optional arguments. */
1039 struct ccs_condition {
1040         struct ccs_shared_acl_head head;
1041         u32 size; /* Memory size allocated for this entry. */
1042         u16 condc; /* Number of conditions in this struct. */
1043         u16 numbers_count; /* Number of "struct ccs_number_union values". */
1044         u16 names_count; /* Number of "struct ccs_name_union names". */
1045         u16 argc; /* Number of "struct ccs_argv". */
1046         u16 envc; /* Number of "struct ccs_envp". */
1047         u8 grant_log; /* One of values in "enum ccs_grant_log". */
1048         bool exec_transit; /* True if transit is for "file execute". */
1049         const struct ccs_path_info *transit; /* Maybe NULL. */
1050         /*
1051          * struct ccs_condition_element condition[condc];
1052          * struct ccs_number_union values[numbers_count];
1053          * struct ccs_name_union names[names_count];
1054          * struct ccs_argv argv[argc];
1055          * struct ccs_envp envp[envc];
1056          */
1057 };
1058 
1059 struct ccs_execve;
1060 struct ccs_policy_namespace;
1061 
1062 /* Structure for request info. */
1063 struct ccs_request_info {
1064         /*
1065          * For holding parameters specific to operations which deal files.
1066          * NULL if not dealing files.
1067          */
1068         struct ccs_obj_info *obj;
1069         /*
1070          * For holding parameters specific to execve() request.
1071          * NULL if not dealing do_execve().
1072          */
1073         struct ccs_execve *ee;
1074         /*
1075          * For holding parameters.
1076          * Pointers in this union are not NULL except path->matched_path.
1077          */
1078         union {
1079                 struct {
1080                         const struct ccs_path_info *filename;
1081                         /*
1082                          * For using wildcards at ccs_find_next_domain().
1083                          *
1084                          * The matched_acl cannot be used because it may refer
1085                          * a "struct ccs_path_acl" with ->is_group == true.
1086                          * We want to use exact "struct ccs_path_info" rather
1087                          * than "struct ccs_path_acl".
1088                          */
1089                         const struct ccs_path_info *matched_path;
1090                         /* One of values in "enum ccs_path_acl_index". */
1091                         u8 operation;
1092                 } path;
1093                 struct {
1094                         const struct ccs_path_info *filename1;
1095                         const struct ccs_path_info *filename2;
1096                         /* One of values in "enum ccs_path2_acl_index". */
1097                         u8 operation;
1098                 } path2;
1099                 struct {
1100                         const struct ccs_path_info *filename;
1101                         unsigned int mode;
1102                         unsigned int major;
1103                         unsigned int minor;
1104                         /* One of values in "enum ccs_mkdev_acl_index". */
1105                         u8 operation;
1106                 } mkdev;
1107                 struct {
1108                         const struct ccs_path_info *filename;
1109                         unsigned long number;
1110                         /*
1111                          * One of values in "enum ccs_path_number_acl_index".
1112                          */
1113                         u8 operation;
1114                 } path_number;
1115 #ifdef CONFIG_CCSECURITY_NETWORK
1116                 struct {
1117                         const u32 *address; /* Big endian. */
1118                         u16 port; /* Host endian. */
1119                         /* One of values smaller than CCS_SOCK_MAX. */
1120                         u8 protocol;
1121                         /* One of values in "enum ccs_network_acl_index". */
1122                         u8 operation;
1123                         bool is_ipv6;
1124                 } inet_network;
1125                 struct {
1126                         const struct ccs_path_info *address;
1127                         /* One of values smaller than CCS_SOCK_MAX. */
1128                         u8 protocol;
1129                         /* One of values in "enum ccs_network_acl_index". */
1130                         u8 operation;
1131                 } unix_network;
1132 #endif
1133 #ifdef CONFIG_CCSECURITY_MISC
1134                 struct {
1135                         const struct ccs_path_info *name;
1136                 } environ;
1137 #endif
1138 #ifdef CONFIG_CCSECURITY_CAPABILITY
1139                 struct {
1140                         /* One of values in "enum ccs_capability_acl_index". */
1141                         u8 operation;
1142                 } capability;
1143 #endif
1144 #ifdef CONFIG_CCSECURITY_IPC
1145                 struct {
1146                         const char *dest_pattern;
1147                         int sig;
1148                 } signal;
1149 #endif
1150                 struct {
1151                         const struct ccs_path_info *type;
1152                         const struct ccs_path_info *dir;
1153                         const struct ccs_path_info *dev;
1154                         unsigned long flags;
1155                         int need_dev;
1156                 } mount;
1157 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
1158                 struct {
1159                         const struct ccs_path_info *domainname;
1160                 } task;
1161 #endif
1162         } param;
1163         /*
1164          * For updating current->ccs_domain_info at ccs_update_task_domain().
1165          * Initialized to NULL at ccs_init_request_info().
1166          * Matching "struct ccs_acl_info" is copied if access request was
1167          * granted. Re-initialized to NULL at ccs_update_task_domain().
1168          */
1169         struct ccs_acl_info *matched_acl;
1170         u8 param_type; /* One of values in "enum ccs_acl_entry_type_index". */
1171         bool granted; /* True if granted, false otherwise. */
1172         /* True if current thread should not be carried sleep penalty. */
1173         bool dont_sleep_on_enforce_error;
1174         /*
1175          * For counting number of retries made for this request.
1176          * This counter is incremented whenever ccs_supervisor() returned
1177          * CCS_RETRY_REQUEST.
1178          */
1179         u8 retry;
1180         /*
1181          * For holding profile number used for this request.
1182          * One of values between 0 and CCS_MAX_PROFILES - 1.
1183          */
1184         u8 profile;
1185         /*
1186          * For holding operation mode used for this request.
1187          * One of CCS_CONFIG_DISABLED, CCS_CONFIG_LEARNING,
1188          * CCS_CONFIG_PERMISSIVE, CCS_CONFIG_ENFORCING.
1189          */
1190         u8 mode;
1191         /*
1192          * For holding operation index used for this request.
1193          * Used by ccs_init_request_info() / ccs_get_mode() /
1194          * ccs_write_log(). One of values in "enum ccs_mac_index".
1195          */
1196         u8 type;
1197 };
1198 
1199 /* Structure for holding a token. */
1200 struct ccs_path_info {
1201         const char *name;
1202         u32 hash;          /* = full_name_hash(name, strlen(name)) */
1203         u16 total_len;     /* = strlen(name)                       */
1204         u16 const_len;     /* = ccs_const_part_length(name)        */
1205         bool is_dir;       /* = ccs_strendswith(name, "/")         */
1206         bool is_patterned; /* = const_len < total_len              */
1207 };
1208 
1209 /* Structure for execve() operation. */
1210 struct ccs_execve {
1211         struct ccs_request_info r;
1212         struct ccs_obj_info obj;
1213         struct linux_binprm *bprm;
1214         struct ccs_domain_info *previous_domain;
1215         const struct ccs_path_info *transition;
1216         /* For execute_handler */
1217         const struct ccs_path_info *handler;
1218         char *handler_path; /* = kstrdup(handler->name, CCS_GFP_FLAGS) */
1219         /* For dumping argv[] and envp[]. */
1220         struct ccs_page_dump dump;
1221         /* For temporary use. */
1222         char *tmp; /* Size is CCS_EXEC_TMPSIZE bytes */
1223 };
1224 
1225 /* Structure for domain information. */
1226 struct ccs_domain_info {
1227         struct list_head list;
1228         struct list_head acl_info_list;
1229         /* Name of this domain. Never NULL.          */
1230         const struct ccs_path_info *domainname;
1231         /* Namespace for this domain. Never NULL. */
1232         struct ccs_policy_namespace *ns;
1233         /* Group numbers to use. */
1234         unsigned long group[CCS_MAX_ACL_GROUPS / BITS_PER_LONG];
1235         u8 profile;        /* Profile number to use. */
1236         bool is_deleted;   /* Delete flag.           */
1237         bool flags[CCS_MAX_DOMAIN_INFO_FLAGS];
1238 };
1239 
1240 /*
1241  * Structure for "reset_domain"/"no_reset_domain"/"initialize_domain"/
1242  * "no_initialize_domain"/"keep_domain"/"no_keep_domain" keyword.
1243  */
1244 struct ccs_transition_control {
1245         struct ccs_acl_head head;
1246         u8 type; /* One of values in "enum ccs_transition_type" */
1247         bool is_last_name; /* True if the domainname is ccs_last_word(). */
1248         const struct ccs_path_info *domainname; /* Maybe NULL */
1249         const struct ccs_path_info *program;    /* Maybe NULL */
1250 };
1251 
1252 /* Structure for "aggregator" keyword. */
1253 struct ccs_aggregator {
1254         struct ccs_acl_head head;
1255         const struct ccs_path_info *original_name;
1256         const struct ccs_path_info *aggregated_name;
1257 };
1258 
1259 /* Structure for "deny_autobind" keyword. */
1260 struct ccs_reserved {
1261         struct ccs_acl_head head;
1262         struct ccs_number_union port;
1263 };
1264 
1265 /* Structure for policy manager. */
1266 struct ccs_manager {
1267         struct ccs_acl_head head;
1268         /* A path to program or a domainname. */
1269         const struct ccs_path_info *manager;
1270 };
1271 
1272 /* Structure for argv[]. */
1273 struct ccs_argv {
1274         unsigned long index;
1275         const struct ccs_path_info *value;
1276         bool is_not;
1277 };
1278 
1279 /* Structure for envp[]. */
1280 struct ccs_envp {
1281         const struct ccs_path_info *name;
1282         const struct ccs_path_info *value;
1283         bool is_not;
1284 };
1285 
1286 /*
1287  * Structure for "task auto_execute_handler" and "task denied_execute_handler"
1288  * directive.
1289  *
1290  * If "task auto_execute_handler" directive exists and the current process is
1291  * not an execute handler, all execve() requests are replaced by execve()
1292  * requests of a program specified by "task auto_execute_handler" directive.
1293  * If the current process is an execute handler, "task auto_execute_handler"
1294  * and "task denied_execute_handler" directives are ignored.
1295  * The program specified by "task execute_handler" validates execve()
1296  * parameters and executes the original execve() requests if appropriate.
1297  *
1298  * "task denied_execute_handler" directive is used only when execve() request
1299  * was rejected in enforcing mode (i.e. CONFIG::file::execute={ mode=enforcing
1300  * }). The program specified by "task denied_execute_handler" does whatever it
1301  * wants to do (e.g. silently terminate, change firewall settings, redirect the
1302  * user to honey pot etc.).
1303  */
1304 struct ccs_handler_acl {
1305         struct ccs_acl_info head;       /* type = CCS_TYPE_*_EXECUTE_HANDLER */
1306         const struct ccs_path_info *handler; /* Pointer to single pathname.  */
1307 };
1308 
1309 /*
1310  * Structure for "task auto_domain_transition" and
1311  * "task manual_domain_transition" directive.
1312  */
1313 struct ccs_task_acl {
1314         struct ccs_acl_info head; /* type = CCS_TYPE_*_TASK_ACL */
1315         /* Pointer to domainname. */
1316         const struct ccs_path_info *domainname;
1317 };
1318 
1319 /*
1320  * Structure for "file execute", "file read", "file write", "file append",
1321  * "file unlink", "file getattr", "file rmdir", "file truncate",
1322  * "file symlink", "file chroot" and "file unmount" directive.
1323  */
1324 struct ccs_path_acl {
1325         struct ccs_acl_info head; /* type = CCS_TYPE_PATH_ACL */
1326         struct ccs_name_union name;
1327 };
1328 
1329 /*
1330  * Structure for "file rename", "file link" and "file pivot_root" directive.
1331  */
1332 struct ccs_path2_acl {
1333         struct ccs_acl_info head; /* type = CCS_TYPE_PATH2_ACL */
1334         struct ccs_name_union name1;
1335         struct ccs_name_union name2;
1336 };
1337 
1338 /*
1339  * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
1340  * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
1341  */
1342 struct ccs_path_number_acl {
1343         struct ccs_acl_info head; /* type = CCS_TYPE_PATH_NUMBER_ACL */
1344         struct ccs_name_union name;
1345         struct ccs_number_union number;
1346 };
1347 
1348 /* Structure for "file mkblock" and "file mkchar" directive. */
1349 struct ccs_mkdev_acl {
1350         struct ccs_acl_info head; /* type = CCS_TYPE_MKDEV_ACL */
1351         struct ccs_name_union name;
1352         struct ccs_number_union mode;
1353         struct ccs_number_union major;
1354         struct ccs_number_union minor;
1355 };
1356 
1357 /* Structure for "file mount" directive. */
1358 struct ccs_mount_acl {
1359         struct ccs_acl_info head; /* type = CCS_TYPE_MOUNT_ACL */
1360         struct ccs_name_union dev_name;
1361         struct ccs_name_union dir_name;
1362         struct ccs_name_union fs_type;
1363         struct ccs_number_union flags;
1364 };
1365 
1366 /* Structure for "misc env" directive in domain policy. */
1367 struct ccs_env_acl {
1368         struct ccs_acl_info head;        /* type = CCS_TYPE_ENV_ACL  */
1369         const struct ccs_path_info *env; /* environment variable */
1370 };
1371 
1372 /* Structure for "capability" directive. */
1373 struct ccs_capability_acl {
1374         struct ccs_acl_info head; /* type = CCS_TYPE_CAPABILITY_ACL */
1375         u8 operation; /* One of values in "enum ccs_capability_acl_index". */
1376 };
1377 
1378 /* Structure for "ipc signal" directive. */
1379 struct ccs_signal_acl {
1380         struct ccs_acl_info head; /* type = CCS_TYPE_SIGNAL_ACL */
1381         struct ccs_number_union sig;
1382         /* Pointer to destination pattern. */
1383         const struct ccs_path_info *domainname;
1384 };
1385 
1386 /* Structure for "network inet" directive. */
1387 struct ccs_inet_acl {
1388         struct ccs_acl_info head; /* type = CCS_TYPE_INET_ACL */
1389         u8 protocol;
1390         struct ccs_ipaddr_union address;
1391         struct ccs_number_union port;
1392 };
1393 
1394 /* Structure for "network unix" directive. */
1395 struct ccs_unix_acl {
1396         struct ccs_acl_info head; /* type = CCS_TYPE_UNIX_ACL */
1397         u8 protocol;
1398         struct ccs_name_union name;
1399 };
1400 
1401 /* Structure for holding string data. */
1402 struct ccs_name {
1403         struct ccs_shared_acl_head head;
1404         int size; /* Memory size allocated for this entry. */
1405         struct ccs_path_info entry;
1406 };
1407 
1408 /* Structure for holding a line from /proc/ccs/ interface. */
1409 struct ccs_acl_param {
1410         char *data; /* Unprocessed data. */
1411         struct list_head *list; /* List to add or remove. */
1412         struct ccs_policy_namespace *ns; /* Namespace to use. */
1413         bool is_delete; /* True if it is a delete request. */
1414         union ccs_acl_union {
1415                 struct ccs_acl_info acl_info;
1416                 struct ccs_handler_acl handler_acl;
1417                 struct ccs_task_acl task_acl;
1418                 struct ccs_path_acl path_acl;
1419                 struct ccs_path2_acl path2_acl;
1420                 struct ccs_path_number_acl path_number_acl;
1421                 struct ccs_mkdev_acl mkdev_acl;
1422                 struct ccs_mount_acl mount_acl;
1423                 struct ccs_env_acl env_acl;
1424                 struct ccs_capability_acl capability_acl;
1425                 struct ccs_signal_acl signal_acl;
1426                 struct ccs_inet_acl inet_acl;
1427                 struct ccs_unix_acl unix_acl;
1428                 /**/
1429                 struct ccs_acl_head acl_head;
1430                 struct ccs_transition_control transition_control;
1431                 struct ccs_aggregator aggregator;
1432                 struct ccs_reserved reserved;
1433                 struct ccs_manager manager;
1434                 struct ccs_path_group path_group;
1435                 struct ccs_number_group number_group;
1436                 struct ccs_address_group address_group;
1437         } e;
1438 };
1439 
1440 /* Structure for reading/writing policy via /proc/ccs/ interfaces. */
1441 struct ccs_io_buffer {
1442         /* Exclusive lock for this structure.   */
1443         struct mutex io_sem;
1444         char __user *read_user_buf;
1445         size_t read_user_buf_avail;
1446         struct {
1447                 struct list_head *ns;
1448                 struct list_head *domain;
1449                 struct list_head *group;
1450                 struct list_head *acl;
1451                 size_t avail;
1452                 unsigned int step;
1453                 unsigned int query_index;
1454                 u16 index;
1455                 u16 cond_index;
1456                 u8 acl_group_index;
1457                 u8 cond_step;
1458                 u8 bit;
1459                 u8 w_pos;
1460                 bool eof;
1461                 bool print_this_domain_only;
1462                 bool print_transition_related_only;
1463                 bool print_cond_part;
1464                 const char *w[CCS_MAX_IO_READ_QUEUE];
1465         } r;
1466         struct {
1467                 struct ccs_policy_namespace *ns;
1468                 struct ccs_domain_info *domain;
1469                 size_t avail;
1470                 bool is_delete;
1471         } w;
1472         /* Buffer for reading.                  */
1473         char *read_buf;
1474         /* Size of read buffer.                 */
1475         size_t readbuf_size;
1476         /* Buffer for writing.                  */
1477         char *write_buf;
1478         /* Size of write buffer.                */
1479         size_t writebuf_size;
1480         /* Type of interface. */
1481         enum ccs_proc_interface_index type;
1482         /* Users counter protected by ccs_io_buffer_list_lock. */
1483         u8 users;
1484         /* List for telling GC not to kfree() elements. */
1485         struct list_head list;
1486 };
1487 
1488 /* Structure for /proc/ccs/profile interface. */
1489 struct ccs_profile {
1490         const struct ccs_path_info *comment;
1491         u8 default_config;
1492         u8 config[CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX];
1493         unsigned int pref[CCS_MAX_PREF];
1494 };
1495 
1496 /* Structure for representing YYYY/MM/DD hh/mm/ss. */
1497 struct ccs_time {
1498         u16 year;
1499         u8 month;
1500         u8 day;
1501         u8 hour;
1502         u8 min;
1503         u8 sec;
1504 };
1505 
1506 /* Structure for policy namespace. */
1507 struct ccs_policy_namespace {
1508         /* Profile table. Memory is allocated as needed. */
1509         struct ccs_profile *profile_ptr[CCS_MAX_PROFILES];
1510         /* List of "struct ccs_group". */
1511         struct list_head group_list[CCS_MAX_GROUP];
1512         /* List of policy. */
1513         struct list_head policy_list[CCS_MAX_POLICY];
1514         /* The global ACL referred by "use_group" keyword. */
1515         struct list_head acl_group[CCS_MAX_ACL_GROUPS];
1516         /* List for connecting to ccs_namespace_list list. */
1517         struct list_head namespace_list;
1518         /* Profile version. Currently only 20150505 is supported. */
1519         unsigned int profile_version;
1520         /* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */
1521         const char *name;
1522 };
1523 
1524 /* Prototype definition for "struct ccsecurity_operations". */
1525 
1526 void __init ccs_permission_init(void);
1527 void __init ccs_mm_init(void);
1528 
1529 /* Prototype definition for internal use. */
1530 
1531 bool ccs_dump_page(struct linux_binprm *bprm, unsigned long pos,
1532                    struct ccs_page_dump *dump);
1533 bool ccs_memory_ok(const void *ptr, const unsigned int size);
1534 char *ccs_encode(const char *str);
1535 char *ccs_encode2(const char *str, int str_len);
1536 char *ccs_realpath(const struct path *path);
1537 const char *ccs_get_exe(void);
1538 const struct ccs_path_info *ccs_get_name(const char *name);
1539 int ccs_audit_log(struct ccs_request_info *r);
1540 int ccs_check_acl(struct ccs_request_info *r);
1541 int ccs_init_request_info(struct ccs_request_info *r, const u8 index);
1542 struct ccs_domain_info *ccs_assign_domain(const char *domainname,
1543                                           const bool transit);
1544 u8 ccs_get_config(const u8 profile, const u8 index);
1545 void *ccs_commit_ok(void *data, const unsigned int size);
1546 void ccs_del_acl(struct list_head *element);
1547 void ccs_del_condition(struct list_head *element);
1548 void ccs_fill_path_info(struct ccs_path_info *ptr);
1549 void ccs_get_attributes(struct ccs_obj_info *obj);
1550 void ccs_notify_gc(struct ccs_io_buffer *head, const bool is_register);
1551 void ccs_transition_failed(const char *domainname);
1552 void ccs_warn_oom(const char *function);
1553 void ccs_write_log(struct ccs_request_info *r, const char *fmt, ...)
1554         __printf(2, 3);
1555 
1556 /* Variable definition for internal use. */
1557 
1558 extern bool ccs_policy_loaded;
1559 extern const char * const ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS];
1560 extern const u8 ccs_c2mac[CCS_MAX_CAPABILITY_INDEX];
1561 extern const u8 ccs_pn2mac[CCS_MAX_PATH_NUMBER_OPERATION];
1562 extern const u8 ccs_pnnn2mac[CCS_MAX_MKDEV_OPERATION];
1563 extern const u8 ccs_pp2mac[CCS_MAX_PATH2_OPERATION];
1564 extern struct ccs_domain_info ccs_kernel_domain;
1565 extern struct list_head ccs_condition_list;
1566 extern struct list_head ccs_domain_list;
1567 extern struct list_head ccs_name_list[CCS_MAX_HASH];
1568 extern struct list_head ccs_namespace_list;
1569 extern struct mutex ccs_policy_lock;
1570 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1571 extern struct srcu_struct ccs_ss;
1572 #endif
1573 extern unsigned int ccs_memory_quota[CCS_MAX_MEMORY_STAT];
1574 extern unsigned int ccs_memory_used[CCS_MAX_MEMORY_STAT];
1575 
1576 /* Inlined functions for internal use. */
1577 
1578 /**
1579  * ccs_pathcmp - strcmp() for "struct ccs_path_info" structure.
1580  *
1581  * @a: Pointer to "struct ccs_path_info".
1582  * @b: Pointer to "struct ccs_path_info".
1583  *
1584  * Returns true if @a != @b, false otherwise.
1585  */
1586 static inline bool ccs_pathcmp(const struct ccs_path_info *a,
1587                                const struct ccs_path_info *b)
1588 {
1589         return a->hash != b->hash || strcmp(a->name, b->name);
1590 }
1591 
1592 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1593 
1594 /**
1595  * ccs_read_lock - Take lock for protecting policy.
1596  *
1597  * Returns index number for ccs_read_unlock().
1598  */
1599 static inline int ccs_read_lock(void)
1600 {
1601         return srcu_read_lock(&ccs_ss);
1602 }
1603 
1604 /**
1605  * ccs_read_unlock - Release lock for protecting policy.
1606  *
1607  * @idx: Index number returned by ccs_read_lock().
1608  *
1609  * Returns nothing.
1610  */
1611 static inline void ccs_read_unlock(const int idx)
1612 {
1613         srcu_read_unlock(&ccs_ss, idx);
1614 }
1615 
1616 #else
1617 
1618 int ccs_lock(void);
1619 void ccs_unlock(const int idx);
1620 
1621 /**
1622  * ccs_read_lock - Take lock for protecting policy.
1623  *
1624  * Returns index number for ccs_read_unlock().
1625  */
1626 static inline int ccs_read_lock(void)
1627 {
1628         return ccs_lock();
1629 }
1630 
1631 /**
1632  * ccs_read_unlock - Release lock for protecting policy.
1633  *
1634  * @idx: Index number returned by ccs_read_lock().
1635  *
1636  * Returns nothing.
1637  */
1638 static inline void ccs_read_unlock(const int idx)
1639 {
1640         ccs_unlock(idx);
1641 }
1642 
1643 #endif
1644 
1645 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
1646 
1647 /**
1648  * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1649  *
1650  * Returns nothing.
1651  */
1652 static inline void ccs_tasklist_lock(void)
1653 {
1654         rcu_read_lock();
1655 }
1656 
1657 /**
1658  * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1659  *
1660  * Returns nothing.
1661  */
1662 static inline void ccs_tasklist_unlock(void)
1663 {
1664         rcu_read_unlock();
1665 }
1666 
1667 #else
1668 
1669 /**
1670  * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1671  *
1672  * Returns nothing.
1673  */
1674 static inline void ccs_tasklist_lock(void)
1675 {
1676         read_lock(&tasklist_lock);
1677 }
1678 
1679 /**
1680  * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1681  *
1682  * Returns nothing.
1683  */
1684 static inline void ccs_tasklist_unlock(void)
1685 {
1686         read_unlock(&tasklist_lock);
1687 }
1688 
1689 #endif
1690 
1691 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1692 
1693 /**
1694  * ccs_sys_getppid - Copy of getppid().
1695  *
1696  * Returns parent process's PID.
1697  *
1698  * Alpha does not have getppid() defined. To be able to build this module on
1699  * Alpha, I have to copy getppid() from kernel/timer.c.
1700  */
1701 static inline pid_t ccs_sys_getppid(void)
1702 {
1703         pid_t pid;
1704         rcu_read_lock();
1705         pid = task_tgid_vnr(rcu_dereference(current->real_parent));
1706         rcu_read_unlock();
1707         return pid;
1708 }
1709 
1710 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
1711 
1712 /**
1713  * ccs_sys_getppid - Copy of getppid().
1714  *
1715  * Returns parent process's PID.
1716  *
1717  * This function was rewritten to use RCU in 2.6.16.34. However, distributors
1718  * which use earlier kernels (e.g. 2.6.8/2.6.9) did not backport the bugfix.
1719  * Therefore, I'm using code for 2.6.16.34 for earlier kernels.
1720  */
1721 static inline pid_t ccs_sys_getppid(void)
1722 {
1723         pid_t pid;
1724         rcu_read_lock();
1725 #if (defined(RHEL_MAJOR) && RHEL_MAJOR == 5) || (defined(AX_MAJOR) && AX_MAJOR == 3)
1726         pid = rcu_dereference(current->parent)->tgid;
1727 #elif defined(CONFIG_UTRACE)
1728         /*
1729          * RHEL 5.0 kernel does not have RHEL_MAJOR/RHEL_MINOR defined.
1730          * Assume RHEL 5.0 if CONFIG_UTRACE is defined.
1731          */
1732         pid = rcu_dereference(current->parent)->tgid;
1733 #else
1734         pid = rcu_dereference(current->real_parent)->tgid;
1735 #endif
1736         rcu_read_unlock();
1737         return pid;
1738 }
1739 
1740 #else
1741 
1742 /**
1743  * ccs_sys_getppid - Copy of getppid().
1744  *
1745  * Returns parent process's PID.
1746  *
1747  * I can't use code for 2.6.16.34 for 2.4 kernels because 2.4 kernels does not
1748  * have RCU. Therefore, I'm using pessimistic lock (i.e. tasklist_lock
1749  * spinlock).
1750  */
1751 static inline pid_t ccs_sys_getppid(void)
1752 {
1753         pid_t pid;
1754         read_lock(&tasklist_lock);
1755 #ifdef TASK_DEAD
1756         pid = current->group_leader->real_parent->tgid;
1757 #else
1758         pid = current->p_opptr->pid;
1759 #endif
1760         read_unlock(&tasklist_lock);
1761         return pid;
1762 }
1763 
1764 #endif
1765 
1766 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1767 
1768 /**
1769  * ccs_sys_getpid - Copy of getpid().
1770  *
1771  * Returns current thread's PID.
1772  *
1773  * Alpha does not have getpid() defined. To be able to build this module on
1774  * Alpha, I have to copy getpid() from kernel/timer.c.
1775  */
1776 static inline pid_t ccs_sys_getpid(void)
1777 {
1778         return task_tgid_vnr(current);
1779 }
1780 
1781 #else
1782 
1783 /**
1784  * ccs_sys_getpid - Copy of getpid().
1785  *
1786  * Returns current thread's PID.
1787  */
1788 static inline pid_t ccs_sys_getpid(void)
1789 {
1790         return current->tgid;
1791 }
1792 
1793 #endif
1794 
1795 /**
1796  * ccs_get_mode - Get mode for specified functionality.
1797  *
1798  * @profile: Profile number.
1799  * @index:   Functionality number.
1800  *
1801  * Returns mode.
1802  */
1803 static inline u8 ccs_get_mode(const u8 profile, const u8 index)
1804 {
1805         return ccs_get_config(profile, index) & (CCS_CONFIG_MAX_MODE - 1);
1806 }
1807 
1808 #if defined(CONFIG_SLOB)
1809 
1810 /**
1811  * ccs_round2 - Round up to power of 2 for calculating memory usage.
1812  *
1813  * @size: Size to be rounded up.
1814  *
1815  * Returns @size.
1816  *
1817  * Since SLOB does not round up, this function simply returns @size.
1818  */
1819 static inline int ccs_round2(size_t size)
1820 {
1821         return size;
1822 }
1823 
1824 #else
1825 
1826 /**
1827  * ccs_round2 - Round up to power of 2 for calculating memory usage.
1828  *
1829  * @size: Size to be rounded up.
1830  *
1831  * Returns rounded size.
1832  *
1833  * Strictly speaking, SLAB may be able to allocate (e.g.) 96 bytes instead of
1834  * (e.g.) 128 bytes.
1835  */
1836 static inline int ccs_round2(size_t size)
1837 {
1838 #if PAGE_SIZE == 4096
1839         size_t bsize = 32;
1840 #else
1841         size_t bsize = 64;
1842 #endif
1843         if (!size)
1844                 return 0;
1845         while (size > bsize)
1846                 bsize <<= 1;
1847         return bsize;
1848 }
1849 
1850 #endif
1851 
1852 /**
1853  * ccs_put_condition - Drop reference on "struct ccs_condition".
1854  *
1855  * @cond: Pointer to "struct ccs_condition". Maybe NULL.
1856  *
1857  * Returns nothing.
1858  */
1859 static inline void ccs_put_condition(struct ccs_condition *cond)
1860 {
1861         if (cond)
1862                 atomic_dec(&cond->head.users);
1863 }
1864 
1865 /**
1866  * ccs_put_group - Drop reference on "struct ccs_group".
1867  *
1868  * @group: Pointer to "struct ccs_group". Maybe NULL.
1869  *
1870  * Returns nothing.
1871  */
1872 static inline void ccs_put_group(struct ccs_group *group)
1873 {
1874         if (group)
1875                 atomic_dec(&group->head.users);
1876 }
1877 
1878 /**
1879  * ccs_put_name - Drop reference on "struct ccs_name".
1880  *
1881  * @name: Pointer to "struct ccs_path_info". Maybe NULL.
1882  *
1883  * Returns nothing.
1884  */
1885 static inline void ccs_put_name(const struct ccs_path_info *name)
1886 {
1887         if (name)
1888                 atomic_dec(&container_of(name, struct ccs_name, entry)->
1889                            head.users);
1890 }
1891 
1892 /* For importing variables and functions. */
1893 extern const struct ccsecurity_exports ccsecurity_exports;
1894 
1895 #ifdef CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY
1896 
1897 /*
1898  * Structure for holding "struct ccs_domain_info *" and "struct ccs_execve *"
1899  * and "u32 ccs_flags" for each "struct task_struct".
1900  *
1901  * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
1902  * are maintained outside that "struct task_struct". Therefore, ccs_security
1903  * != task_struct . This keeps KABI for distributor's prebuilt kernels but
1904  * entails slow access.
1905  *
1906  * Memory for this structure is allocated when current thread tries to access
1907  * it. Therefore, if memory allocation failed, current thread will be killed by
1908  * SIGKILL. Note that if current->pid == 1, sending SIGKILL won't work.
1909  */
1910 struct ccs_security {
1911         struct list_head list;
1912         const struct task_struct *task;
1913         struct ccs_domain_info *ccs_domain_info;
1914         u32 ccs_flags;
1915         struct rcu_head rcu;
1916 };
1917 
1918 #define CCS_TASK_SECURITY_HASH_BITS 12
1919 #define CCS_MAX_TASK_SECURITY_HASH (1u << CCS_TASK_SECURITY_HASH_BITS)
1920 extern struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
1921 
1922 struct ccs_security *ccs_find_task_security(const struct task_struct *task);
1923 
1924 /**
1925  * ccs_current_security - Get "struct ccs_security" for current thread.
1926  *
1927  * Returns pointer to "struct ccs_security" for current thread.
1928  */
1929 static inline struct ccs_security *ccs_current_security(void)
1930 {
1931         return ccs_find_task_security(current);
1932 }
1933 
1934 /**
1935  * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
1936  *
1937  * @task: Pointer to "struct task_struct".
1938  *
1939  * Returns pointer to "struct ccs_security" for specified thread.
1940  */
1941 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
1942 {
1943         struct ccs_domain_info *domain;
1944         rcu_read_lock();
1945         domain = ccs_find_task_security(task)->ccs_domain_info;
1946         rcu_read_unlock();
1947         return domain;
1948 }
1949 
1950 /**
1951  * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
1952  *
1953  * Returns pointer to "struct ccs_domain_info" for current thread.
1954  */
1955 static inline struct ccs_domain_info *ccs_current_domain(void)
1956 {
1957         return ccs_find_task_security(current)->ccs_domain_info;
1958 }
1959 
1960 /**
1961  * ccs_task_flags - Get flags for specified thread.
1962  *
1963  * @task: Pointer to "struct task_struct".
1964  *
1965  * Returns flags for specified thread.
1966  */
1967 static inline u32 ccs_task_flags(struct task_struct *task)
1968 {
1969         u32 ccs_flags;
1970         rcu_read_lock();
1971         ccs_flags = ccs_find_task_security(task)->ccs_flags;
1972         rcu_read_unlock();
1973         return ccs_flags;
1974 }
1975 
1976 /**
1977  * ccs_current_flags - Get flags for current thread.
1978  *
1979  * Returns flags for current thread.
1980  */
1981 static inline u32 ccs_current_flags(void)
1982 {
1983         return ccs_find_task_security(current)->ccs_flags;
1984 }
1985 
1986 #else
1987 
1988 /*
1989  * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
1990  * are maintained inside that "struct task_struct". Therefore, ccs_security ==
1991  * task_struct . This allows fast access but breaks KABI checks for
1992  * distributor's prebuilt kernels due to changes in "struct task_struct".
1993  */
1994 #define ccs_security task_struct
1995 
1996 /**
1997  * ccs_find_task_security - Find "struct ccs_security" for given task.
1998  *
1999  * @task: Pointer to "struct task_struct".
2000  *
2001  * Returns pointer to "struct ccs_security".
2002  */
2003 static inline struct ccs_security *ccs_find_task_security(struct task_struct *
2004                                                           task)
2005 {
2006         return task;
2007 }
2008 
2009 /**
2010  * ccs_current_security - Get "struct ccs_security" for current thread.
2011  *
2012  * Returns pointer to "struct ccs_security" for current thread.
2013  */
2014 static inline struct ccs_security *ccs_current_security(void)
2015 {
2016         return ccs_find_task_security(current);
2017 }
2018 
2019 /**
2020  * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
2021  *
2022  * @task: Pointer to "struct task_struct".
2023  *
2024  * Returns pointer to "struct ccs_security" for specified thread.
2025  */
2026 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
2027 {
2028         struct ccs_domain_info *domain = task->ccs_domain_info;
2029         return domain ? domain : &ccs_kernel_domain;
2030 }
2031 
2032 /**
2033  * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
2034  *
2035  * Returns pointer to "struct ccs_domain_info" for current thread.
2036  *
2037  * If current thread does not belong to a domain (which is true for initial
2038  * init_task in order to hide ccs_kernel_domain from this module),
2039  * current thread enters into ccs_kernel_domain.
2040  */
2041 static inline struct ccs_domain_info *ccs_current_domain(void)
2042 {
2043         struct task_struct *task = current;
2044         if (!task->ccs_domain_info)
2045                 task->ccs_domain_info = &ccs_kernel_domain;
2046         return task->ccs_domain_info;
2047 }
2048 
2049 /**
2050  * ccs_task_flags - Get flags for specified thread.
2051  *
2052  * @task: Pointer to "struct task_struct".
2053  *
2054  * Returns flags for specified thread.
2055  */
2056 static inline u32 ccs_task_flags(struct task_struct *task)
2057 {
2058         return ccs_find_task_security(task)->ccs_flags;
2059 }
2060 
2061 /**
2062  * ccs_current_flags - Get flags for current thread.
2063  *
2064  * Returns flags for current thread.
2065  */
2066 static inline u32 ccs_current_flags(void)
2067 {
2068         return ccs_find_task_security(current)->ccs_flags;
2069 }
2070 
2071 #endif
2072 
2073 /**
2074  * ccs_current_namespace - Get "struct ccs_policy_namespace" for current thread.
2075  *
2076  * Returns pointer to "struct ccs_policy_namespace" for current thread.
2077  */
2078 static inline struct ccs_policy_namespace *ccs_current_namespace(void)
2079 {
2080         return ccs_current_domain()->ns;
2081 }
2082 
2083 #endif
2084 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp