~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/ccsecurity/internal.h

Version: ~ [ linux-5.8 ] ~ [ linux-5.7.12 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.55 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.136 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.191 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.232 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.232 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * security/ccsecurity/internal.h
  3  *
  4  * Copyright (C) 2005-2012  NTT DATA CORPORATION
  5  *
  6  * Version: 1.8.6   2019/08/20
  7  */
  8 
  9 #ifndef _SECURITY_CCSECURITY_INTERNAL_H
 10 #define _SECURITY_CCSECURITY_INTERNAL_H
 11 
 12 #include <linux/version.h>
 13 #include <linux/types.h>
 14 #include <linux/kernel.h>
 15 #include <linux/string.h>
 16 #include <linux/mm.h>
 17 #include <linux/utime.h>
 18 #include <linux/file.h>
 19 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 38)
 20 #include <linux/smp_lock.h>
 21 #endif
 22 #include <linux/module.h>
 23 #include <linux/init.h>
 24 #include <linux/slab.h>
 25 #include <linux/highmem.h>
 26 #include <linux/poll.h>
 27 #include <linux/binfmts.h>
 28 #include <linux/delay.h>
 29 #include <linux/sched.h>
 30 #include <linux/dcache.h>
 31 #include <linux/mount.h>
 32 #include <linux/net.h>
 33 #include <linux/inet.h>
 34 #include <linux/in.h>
 35 #include <linux/in6.h>
 36 #include <linux/un.h>
 37 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
 38 #include <linux/fs.h>
 39 #endif
 40 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
 41 #include <linux/namei.h>
 42 #endif
 43 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 30)
 44 #include <linux/fs_struct.h>
 45 #endif
 46 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 47 #include <linux/namespace.h>
 48 #endif
 49 #include <linux/proc_fs.h>
 50 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 0) || defined(RHEL_MAJOR)
 51 #include <linux/hash.h>
 52 #endif
 53 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18) || (LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL))
 54 #include <linux/sysctl.h>
 55 #endif
 56 #if LINUX_VERSION_CODE > KERNEL_VERSION(2, 6, 6)
 57 #include <linux/kthread.h>
 58 #endif
 59 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 10, 0)
 60 #include <linux/magic.h>
 61 #endif
 62 #include <stdarg.h>
 63 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
 64 #include <linux/uaccess.h>
 65 #else
 66 #include <asm/uaccess.h>
 67 #endif
 68 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
 69 #include <linux/sched/signal.h>
 70 #endif
 71 #include <net/sock.h>
 72 #include <net/af_unix.h>
 73 #include <net/ip.h>
 74 #include <net/ipv6.h>
 75 #include <net/udp.h>
 76 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
 77 #include <uapi/linux/mount.h>
 78 #endif
 79 
 80 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
 81 #define sk_family family
 82 #define sk_protocol protocol
 83 #define sk_type type
 84 #endif
 85 
 86 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 20)
 87 
 88 /* Structure for holding "struct vfsmount *" and "struct dentry *". */
 89 struct path {
 90         struct vfsmount *mnt;
 91         struct dentry *dentry;
 92 };
 93 
 94 #endif
 95 
 96 #ifndef __printf
 97 #define __printf(a,b) __attribute__((format(printf,a,b)))
 98 #endif
 99 #ifndef __packed
100 #define __packed __attribute__((__packed__))
101 #endif
102 #ifndef bool
103 #define bool _Bool
104 #endif
105 #ifndef false
106 #define false 0
107 #endif
108 #ifndef true
109 #define true 1
110 #endif
111 
112 #ifndef __user
113 #define __user
114 #endif
115 
116 #ifndef current_uid
117 #define current_uid()   (current->uid)
118 #endif
119 #ifndef current_gid
120 #define current_gid()   (current->gid)
121 #endif
122 #ifndef current_euid
123 #define current_euid()  (current->euid)
124 #endif
125 #ifndef current_egid
126 #define current_egid()  (current->egid)
127 #endif
128 #ifndef current_suid
129 #define current_suid()  (current->suid)
130 #endif
131 #ifndef current_sgid
132 #define current_sgid()  (current->sgid)
133 #endif
134 #ifndef current_fsuid
135 #define current_fsuid() (current->fsuid)
136 #endif
137 #ifndef current_fsgid
138 #define current_fsgid() (current->fsgid)
139 #endif
140 
141 #ifndef DEFINE_SPINLOCK
142 #define DEFINE_SPINLOCK(x) spinlock_t x = SPIN_LOCK_UNLOCKED
143 #endif
144 
145 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16)
146 #define mutex semaphore
147 #define mutex_init(mutex) init_MUTEX(mutex)
148 #define mutex_unlock(mutex) up(mutex)
149 #define mutex_lock(mutex) down(mutex)
150 #define mutex_lock_interruptible(mutex) down_interruptible(mutex)
151 #define mutex_trylock(mutex) (!down_trylock(mutex))
152 #define DEFINE_MUTEX(mutexname) DECLARE_MUTEX(mutexname)
153 #endif
154 
155 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 15)
156 #define MS_UNBINDABLE   (1<<17) /* change to unbindable */
157 #define MS_PRIVATE      (1<<18) /* change to private */
158 #define MS_SLAVE        (1<<19) /* change to slave */
159 #define MS_SHARED       (1<<20) /* change to shared */
160 #endif
161 
162 #ifndef container_of
163 #define container_of(ptr, type, member) ({                              \
164                         const typeof(((type *)0)->member) *__mptr = (ptr); \
165                         (type *)((char *)__mptr - offsetof(type, member)); })
166 #endif
167 
168 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 0)
169 #define smp_read_barrier_depends smp_rmb
170 #endif
171 
172 #ifndef ACCESS_ONCE
173 #define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
174 #endif
175 
176 #ifndef rcu_dereference
177 #define rcu_dereference(p)     ({                                       \
178                         typeof(p) _________p1 = ACCESS_ONCE(p);         \
179                         smp_read_barrier_depends(); /* see RCU */       \
180                         (_________p1);                                  \
181                 })
182 #endif
183 
184 #ifndef rcu_assign_pointer
185 #define rcu_assign_pointer(p, v)                        \
186         ({                                              \
187                 if (!__builtin_constant_p(v) ||         \
188                     ((v) != NULL))                      \
189                         smp_wmb(); /* see RCU */        \
190                 (p) = (v);                              \
191         })
192 #endif
193 
194 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
195 #define f_vfsmnt f_path.mnt
196 #endif
197 
198 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 14)
199 
200 /**
201  * kzalloc() - Allocate memory. The memory is set to zero.
202  *
203  * @size:  Size to allocate.
204  * @flags: GFP flags.
205  *
206  * Returns pointer to allocated memory on success, NULL otherwise.
207  *
208  * This is for compatibility with older kernels.
209  *
210  * Since several distributions backported kzalloc(), I define it as a macro
211  * rather than an inlined function in order to avoid multiple definition error.
212  */
213 #define kzalloc(size, flags) ({                                 \
214                         void *ret = kmalloc((size), (flags));   \
215                         if (ret)                                \
216                                 memset(ret, 0, (size));         \
217                         ret; })
218 
219 #endif
220 
221 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 25)
222 
223 /**
224  * path_put - Drop reference on "struct path".
225  *
226  * @path: Pointer to "struct path".
227  *
228  * Returns nothing.
229  *
230  * This is for compatibility with older kernels.
231  */
232 static inline void path_put(struct path *path)
233 {
234         dput(path->dentry);
235         mntput(path->mnt);
236 }
237 
238 #endif
239 
240 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0)
241 
242 /**
243  * __list_add_rcu - Insert a new entry between two known consecutive entries.
244  *
245  * @new:  Pointer to "struct list_head".
246  * @prev: Pointer to "struct list_head".
247  * @next: Pointer to "struct list_head".
248  *
249  * Returns nothing.
250  *
251  * This is for compatibility with older kernels.
252  */
253 static inline void __list_add_rcu(struct list_head *new,
254                                   struct list_head *prev,
255                                   struct list_head *next)
256 {
257         new->next = next;
258         new->prev = prev;
259         rcu_assign_pointer(prev->next, new);
260         next->prev = new;
261 }
262 
263 /**
264  * list_add_tail_rcu - Add a new entry to rcu-protected list.
265  *
266  * @new:  Pointer to "struct list_head".
267  * @head: Pointer to "struct list_head".
268  *
269  * Returns nothing.
270  *
271  * This is for compatibility with older kernels.
272  */
273 static inline void list_add_tail_rcu(struct list_head *new,
274                                      struct list_head *head)
275 {
276         __list_add_rcu(new, head->prev, head);
277 }
278 
279 /**
280  * list_add_rcu - Add a new entry to rcu-protected list.
281  *
282  * @new:  Pointer to "struct list_head".
283  * @head: Pointer to "struct list_head".
284  *
285  * Returns nothing.
286  *
287  * This is for compatibility with older kernels.
288  */
289 static inline void list_add_rcu(struct list_head *new, struct list_head *head)
290 {
291         __list_add_rcu(new, head, head->next);
292 }
293 
294 #endif
295 
296 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 38)
297 
298 /**
299  * __list_del_entry - Deletes entry from list without re-initialization.
300  *
301  * @entry: Pointer to "struct list_head".
302  *
303  * Returns nothing.
304  *
305  * This is for compatibility with older kernels.
306  */
307 static inline void __list_del_entry(struct list_head *entry)
308 {
309         __list_del(entry->prev, entry->next);
310 }
311 
312 #endif
313 
314 #ifndef list_for_each_entry_safe
315 
316 /**
317  * list_for_each_entry_safe - Iterate over list of given type safe against removal of list entry.
318  *
319  * @pos:    The "type *" to use as a loop cursor.
320  * @n:      Another "type *" to use as temporary storage.
321  * @head:   Pointer to "struct list_head".
322  * @member: The name of the list_struct within the struct.
323  *
324  * This is for compatibility with older kernels.
325  */
326 #define list_for_each_entry_safe(pos, n, head, member)                  \
327         for (pos = list_entry((head)->next, typeof(*pos), member),      \
328                      n = list_entry(pos->member.next, typeof(*pos), member); \
329              &pos->member != (head);                                    \
330              pos = n, n = list_entry(n->member.next, typeof(*n), member))
331 
332 #endif
333 
334 #ifndef srcu_dereference
335 
336 /**
337  * srcu_dereference - Fetch SRCU-protected pointer with checking.
338  *
339  * @p:  The pointer to read, prior to dereferencing.
340  * @ss: Pointer to "struct srcu_struct".
341  *
342  * Returns @p.
343  *
344  * This is for compatibility with older kernels.
345  */
346 #define srcu_dereference(p, ss) rcu_dereference(p)
347 
348 #endif
349 
350 #ifndef list_for_each_entry_srcu
351 
352 /**
353  * list_for_each_entry_srcu - Iterate over rcu list of given type.
354  *
355  * @pos:    The type * to use as a loop cursor.
356  * @head:   The head for your list.
357  * @member: The name of the list_struct within the struct.
358  * @ss:     Pointer to "struct srcu_struct".
359  *
360  * As of 2.6.36, this macro is not provided because only TOMOYO wants it.
361  */
362 #define list_for_each_entry_srcu(pos, head, member, ss)               \
363         for (pos = list_entry(srcu_dereference((head)->next, ss),     \
364                               typeof(*pos), member);                  \
365              prefetch(pos->member.next), &pos->member != (head);      \
366              pos = list_entry(srcu_dereference(pos->member.next, ss), \
367                               typeof(*pos), member))
368 
369 #endif
370 
371 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 4, 30) || (LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 9))
372 
373 #if LINUX_VERSION_CODE == KERNEL_VERSION(2, 4, 21)
374 #undef ssleep
375 #endif
376 
377 #ifndef ssleep
378 
379 /**
380  * ssleep - Sleep for specified seconds.
381  *
382  * @secs: Seconds to sleep.
383  *
384  * Returns nothing.
385  *
386  * This is for compatibility with older kernels.
387  *
388  * Since several distributions backported ssleep(), I define it as a macro
389  * rather than an inlined function in order to avoid multiple definition error.
390  */
391 #define ssleep(secs) {                                          \
392                 set_current_state(TASK_UNINTERRUPTIBLE);        \
393                 schedule_timeout((HZ * secs) + 1);              \
394         }
395 
396 #endif
397 
398 #endif
399 
400 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 5, 0)
401 
402 /**
403  * from_kuid - Convert kuid_t to uid_t.
404  *
405  * @ns:  Unused.
406  * @uid: kuid_t value.
407  *
408  * Returns uid seen from init's user namespace.
409  */
410 #define from_kuid(ns, uid) (uid)
411 
412 /**
413  * from_kgid - Convert kgid_t to gid_t.
414  *
415  * @ns:  Unused.
416  * @gid: kgid_t value.
417  *
418  * Returns gid seen from init's user namespace.
419  */
420 #define from_kgid(ns, gid) (gid)
421 
422 /**
423  * uid_eq - Check whether the uids are equals or not.
424  *
425  * @left: Uid seen from current user namespace.
426  * @right: Uid seen from current user namespace.
427  *
428  * Returns true if uid is root in init's user namespace, false otherwise.
429  */
430 #define uid_eq(left, right) ((left) == (right))
431 #define GLOBAL_ROOT_UID 0
432 
433 #endif
434 
435 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
436 #define d_backing_inode(upper) (upper)->d_inode
437 #endif
438 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 14, 0)
439 #define d_is_dir(dentry) ({ struct inode *inode = d_backing_inode(dentry); \
440                         inode && S_ISDIR(inode->i_mode); })
441 #endif
442 
443 /*
444  * TOMOYO specific part start.
445  */
446 
447 #include <linux/ccsecurity.h>
448 
449 /* Enumeration definition for internal use. */
450 
451 /* Index numbers for Access Controls. */
452 enum ccs_acl_entry_type_index {
453         CCS_TYPE_PATH_ACL,
454         CCS_TYPE_PATH2_ACL,
455         CCS_TYPE_PATH_NUMBER_ACL,
456         CCS_TYPE_MKDEV_ACL,
457         CCS_TYPE_MOUNT_ACL,
458 #ifdef CONFIG_CCSECURITY_MISC
459         CCS_TYPE_ENV_ACL,
460 #endif
461 #ifdef CONFIG_CCSECURITY_CAPABILITY
462         CCS_TYPE_CAPABILITY_ACL,
463 #endif
464 #ifdef CONFIG_CCSECURITY_NETWORK
465         CCS_TYPE_INET_ACL,
466         CCS_TYPE_UNIX_ACL,
467 #endif
468 #ifdef CONFIG_CCSECURITY_IPC
469         CCS_TYPE_SIGNAL_ACL,
470 #endif
471 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
472         CCS_TYPE_AUTO_EXECUTE_HANDLER,
473         CCS_TYPE_DENIED_EXECUTE_HANDLER,
474 #endif
475 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
476         CCS_TYPE_AUTO_TASK_ACL,
477         CCS_TYPE_MANUAL_TASK_ACL,
478 #endif
479 };
480 
481 /* Index numbers for "struct ccs_condition". */
482 enum ccs_conditions_index {
483         CCS_TASK_UID,             /* current_uid()   */
484         CCS_TASK_EUID,            /* current_euid()  */
485         CCS_TASK_SUID,            /* current_suid()  */
486         CCS_TASK_FSUID,           /* current_fsuid() */
487         CCS_TASK_GID,             /* current_gid()   */
488         CCS_TASK_EGID,            /* current_egid()  */
489         CCS_TASK_SGID,            /* current_sgid()  */
490         CCS_TASK_FSGID,           /* current_fsgid() */
491         CCS_TASK_PID,             /* sys_getpid()   */
492         CCS_TASK_PPID,            /* sys_getppid()  */
493         CCS_EXEC_ARGC,            /* "struct linux_binprm *"->argc */
494         CCS_EXEC_ENVC,            /* "struct linux_binprm *"->envc */
495         CCS_TYPE_IS_SOCKET,       /* S_IFSOCK */
496         CCS_TYPE_IS_SYMLINK,      /* S_IFLNK */
497         CCS_TYPE_IS_FILE,         /* S_IFREG */
498         CCS_TYPE_IS_BLOCK_DEV,    /* S_IFBLK */
499         CCS_TYPE_IS_DIRECTORY,    /* S_IFDIR */
500         CCS_TYPE_IS_CHAR_DEV,     /* S_IFCHR */
501         CCS_TYPE_IS_FIFO,         /* S_IFIFO */
502         CCS_MODE_SETUID,          /* S_ISUID */
503         CCS_MODE_SETGID,          /* S_ISGID */
504         CCS_MODE_STICKY,          /* S_ISVTX */
505         CCS_MODE_OWNER_READ,      /* S_IRUSR */
506         CCS_MODE_OWNER_WRITE,     /* S_IWUSR */
507         CCS_MODE_OWNER_EXECUTE,   /* S_IXUSR */
508         CCS_MODE_GROUP_READ,      /* S_IRGRP */
509         CCS_MODE_GROUP_WRITE,     /* S_IWGRP */
510         CCS_MODE_GROUP_EXECUTE,   /* S_IXGRP */
511         CCS_MODE_OTHERS_READ,     /* S_IROTH */
512         CCS_MODE_OTHERS_WRITE,    /* S_IWOTH */
513         CCS_MODE_OTHERS_EXECUTE,  /* S_IXOTH */
514         CCS_TASK_TYPE,            /* ((u8) task->ccs_flags) &
515                                      CCS_TASK_IS_EXECUTE_HANDLER */
516         CCS_TASK_EXECUTE_HANDLER, /* CCS_TASK_IS_EXECUTE_HANDLER */
517         CCS_EXEC_REALPATH,
518         CCS_SYMLINK_TARGET,
519         CCS_PATH1_UID,
520         CCS_PATH1_GID,
521         CCS_PATH1_INO,
522         CCS_PATH1_MAJOR,
523         CCS_PATH1_MINOR,
524         CCS_PATH1_PERM,
525         CCS_PATH1_TYPE,
526         CCS_PATH1_DEV_MAJOR,
527         CCS_PATH1_DEV_MINOR,
528         CCS_PATH2_UID,
529         CCS_PATH2_GID,
530         CCS_PATH2_INO,
531         CCS_PATH2_MAJOR,
532         CCS_PATH2_MINOR,
533         CCS_PATH2_PERM,
534         CCS_PATH2_TYPE,
535         CCS_PATH2_DEV_MAJOR,
536         CCS_PATH2_DEV_MINOR,
537         CCS_PATH1_PARENT_UID,
538         CCS_PATH1_PARENT_GID,
539         CCS_PATH1_PARENT_INO,
540         CCS_PATH1_PARENT_PERM,
541         CCS_PATH2_PARENT_UID,
542         CCS_PATH2_PARENT_GID,
543         CCS_PATH2_PARENT_INO,
544         CCS_PATH2_PARENT_PERM,
545         CCS_MAX_CONDITION_KEYWORD,
546         CCS_NUMBER_UNION,
547         CCS_NAME_UNION,
548         CCS_ARGV_ENTRY,
549         CCS_ENVP_ENTRY,
550 };
551 
552 /* Index numbers for domain's attributes. */
553 enum ccs_domain_info_flags_index {
554         /* Quota warnning flag.   */
555         CCS_DIF_QUOTA_WARNED,
556         /*
557          * This domain was unable to create a new domain at
558          * ccs_find_next_domain() because the name of the domain to be created
559          * was too long or it could not allocate memory.
560          * More than one process continued execve() without domain transition.
561          */
562         CCS_DIF_TRANSITION_FAILED,
563         CCS_MAX_DOMAIN_INFO_FLAGS
564 };
565 
566 /* Index numbers for audit type. */
567 enum ccs_grant_log {
568         /* Follow profile's configuration. */
569         CCS_GRANTLOG_AUTO,
570         /* Do not generate grant log. */
571         CCS_GRANTLOG_NO,
572         /* Generate grant_log. */
573         CCS_GRANTLOG_YES,
574 };
575 
576 /* Index numbers for group entries. */
577 enum ccs_group_id {
578         CCS_PATH_GROUP,
579         CCS_NUMBER_GROUP,
580 #ifdef CONFIG_CCSECURITY_NETWORK
581         CCS_ADDRESS_GROUP,
582 #endif
583         CCS_MAX_GROUP
584 };
585 
586 /* Index numbers for category of functionality. */
587 enum ccs_mac_category_index {
588         CCS_MAC_CATEGORY_FILE,
589 #ifdef CONFIG_CCSECURITY_NETWORK
590         CCS_MAC_CATEGORY_NETWORK,
591 #endif
592 #ifdef CONFIG_CCSECURITY_MISC
593         CCS_MAC_CATEGORY_MISC,
594 #endif
595 #ifdef CONFIG_CCSECURITY_IPC
596         CCS_MAC_CATEGORY_IPC,
597 #endif
598 #ifdef CONFIG_CCSECURITY_CAPABILITY
599         CCS_MAC_CATEGORY_CAPABILITY,
600 #endif
601         CCS_MAX_MAC_CATEGORY_INDEX
602 };
603 
604 /* Index numbers for functionality. */
605 enum ccs_mac_index {
606         CCS_MAC_FILE_EXECUTE,
607         CCS_MAC_FILE_OPEN,
608         CCS_MAC_FILE_CREATE,
609         CCS_MAC_FILE_UNLINK,
610 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
611         CCS_MAC_FILE_GETATTR,
612 #endif
613         CCS_MAC_FILE_MKDIR,
614         CCS_MAC_FILE_RMDIR,
615         CCS_MAC_FILE_MKFIFO,
616         CCS_MAC_FILE_MKSOCK,
617         CCS_MAC_FILE_TRUNCATE,
618         CCS_MAC_FILE_SYMLINK,
619         CCS_MAC_FILE_MKBLOCK,
620         CCS_MAC_FILE_MKCHAR,
621         CCS_MAC_FILE_LINK,
622         CCS_MAC_FILE_RENAME,
623         CCS_MAC_FILE_CHMOD,
624         CCS_MAC_FILE_CHOWN,
625         CCS_MAC_FILE_CHGRP,
626         CCS_MAC_FILE_IOCTL,
627         CCS_MAC_FILE_CHROOT,
628         CCS_MAC_FILE_MOUNT,
629         CCS_MAC_FILE_UMOUNT,
630         CCS_MAC_FILE_PIVOT_ROOT,
631 #ifdef CONFIG_CCSECURITY_NETWORK
632         CCS_MAC_NETWORK_INET_STREAM_BIND,
633         CCS_MAC_NETWORK_INET_STREAM_LISTEN,
634         CCS_MAC_NETWORK_INET_STREAM_CONNECT,
635         CCS_MAC_NETWORK_INET_STREAM_ACCEPT,
636         CCS_MAC_NETWORK_INET_DGRAM_BIND,
637         CCS_MAC_NETWORK_INET_DGRAM_SEND,
638 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
639         CCS_MAC_NETWORK_INET_DGRAM_RECV,
640 #endif
641         CCS_MAC_NETWORK_INET_RAW_BIND,
642         CCS_MAC_NETWORK_INET_RAW_SEND,
643 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
644         CCS_MAC_NETWORK_INET_RAW_RECV,
645 #endif
646         CCS_MAC_NETWORK_UNIX_STREAM_BIND,
647         CCS_MAC_NETWORK_UNIX_STREAM_LISTEN,
648         CCS_MAC_NETWORK_UNIX_STREAM_CONNECT,
649         CCS_MAC_NETWORK_UNIX_STREAM_ACCEPT,
650         CCS_MAC_NETWORK_UNIX_DGRAM_BIND,
651         CCS_MAC_NETWORK_UNIX_DGRAM_SEND,
652 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
653         CCS_MAC_NETWORK_UNIX_DGRAM_RECV,
654 #endif
655         CCS_MAC_NETWORK_UNIX_SEQPACKET_BIND,
656         CCS_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
657         CCS_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
658         CCS_MAC_NETWORK_UNIX_SEQPACKET_ACCEPT,
659 #endif
660 #ifdef CONFIG_CCSECURITY_MISC
661         CCS_MAC_ENVIRON,
662 #endif
663 #ifdef CONFIG_CCSECURITY_IPC
664         CCS_MAC_SIGNAL,
665 #endif
666 #ifdef CONFIG_CCSECURITY_CAPABILITY
667         CCS_MAC_CAPABILITY_USE_ROUTE_SOCKET,
668         CCS_MAC_CAPABILITY_USE_PACKET_SOCKET,
669         CCS_MAC_CAPABILITY_SYS_REBOOT,
670         CCS_MAC_CAPABILITY_SYS_VHANGUP,
671         CCS_MAC_CAPABILITY_SYS_SETTIME,
672         CCS_MAC_CAPABILITY_SYS_NICE,
673         CCS_MAC_CAPABILITY_SYS_SETHOSTNAME,
674         CCS_MAC_CAPABILITY_USE_KERNEL_MODULE,
675         CCS_MAC_CAPABILITY_SYS_KEXEC_LOAD,
676         CCS_MAC_CAPABILITY_SYS_PTRACE,
677 #endif
678         CCS_MAX_MAC_INDEX
679 };
680 
681 /* Index numbers for /proc/ccs/stat interface. */
682 enum ccs_memory_stat_type {
683         CCS_MEMORY_POLICY,
684         CCS_MEMORY_AUDIT,
685         CCS_MEMORY_QUERY,
686         CCS_MAX_MEMORY_STAT
687 };
688 
689 /* Index numbers for access controls with one pathname and three numbers. */
690 enum ccs_mkdev_acl_index {
691         CCS_TYPE_MKBLOCK,
692         CCS_TYPE_MKCHAR,
693         CCS_MAX_MKDEV_OPERATION
694 };
695 
696 /* Index numbers for operation mode. */
697 enum ccs_mode_value {
698         CCS_CONFIG_DISABLED,
699         CCS_CONFIG_LEARNING,
700         CCS_CONFIG_PERMISSIVE,
701         CCS_CONFIG_ENFORCING,
702         CCS_CONFIG_MAX_MODE,
703         CCS_CONFIG_WANT_REJECT_LOG =  64,
704         CCS_CONFIG_WANT_GRANT_LOG  = 128,
705         CCS_CONFIG_USE_DEFAULT     = 255,
706 };
707 
708 /* Index numbers for socket operations. */
709 enum ccs_network_acl_index {
710         CCS_NETWORK_BIND,    /* bind() operation. */
711         CCS_NETWORK_LISTEN,  /* listen() operation. */
712         CCS_NETWORK_CONNECT, /* connect() operation. */
713         CCS_NETWORK_ACCEPT,  /* accept() operation. */
714         CCS_NETWORK_SEND,    /* send() operation. */
715 #ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG
716         CCS_NETWORK_RECV,    /* recv() operation. */
717 #endif
718         CCS_MAX_NETWORK_OPERATION
719 };
720 
721 /* Index numbers for access controls with two pathnames. */
722 enum ccs_path2_acl_index {
723         CCS_TYPE_LINK,
724         CCS_TYPE_RENAME,
725         CCS_TYPE_PIVOT_ROOT,
726         CCS_MAX_PATH2_OPERATION
727 };
728 
729 /* Index numbers for access controls with one pathname. */
730 enum ccs_path_acl_index {
731         CCS_TYPE_EXECUTE,
732         CCS_TYPE_READ,
733         CCS_TYPE_WRITE,
734         CCS_TYPE_APPEND,
735         CCS_TYPE_UNLINK,
736 #ifdef CONFIG_CCSECURITY_FILE_GETATTR
737         CCS_TYPE_GETATTR,
738 #endif
739         CCS_TYPE_RMDIR,
740         CCS_TYPE_TRUNCATE,
741         CCS_TYPE_SYMLINK,
742         CCS_TYPE_CHROOT,
743         CCS_TYPE_UMOUNT,
744         CCS_MAX_PATH_OPERATION
745 };
746 
747 /* Index numbers for access controls with one pathname and one number. */
748 enum ccs_path_number_acl_index {
749         CCS_TYPE_CREATE,
750         CCS_TYPE_MKDIR,
751         CCS_TYPE_MKFIFO,
752         CCS_TYPE_MKSOCK,
753         CCS_TYPE_IOCTL,
754         CCS_TYPE_CHMOD,
755         CCS_TYPE_CHOWN,
756         CCS_TYPE_CHGRP,
757         CCS_MAX_PATH_NUMBER_OPERATION
758 };
759 
760 /* Index numbers for stat(). */
761 enum ccs_path_stat_index {
762         /* Do not change this order. */
763         CCS_PATH1,
764         CCS_PATH1_PARENT,
765         CCS_PATH2,
766         CCS_PATH2_PARENT,
767         CCS_MAX_PATH_STAT
768 };
769 
770 /* Index numbers for entry type. */
771 enum ccs_policy_id {
772 #ifdef CONFIG_CCSECURITY_PORTRESERVE
773         CCS_ID_RESERVEDPORT,
774 #endif
775         CCS_ID_GROUP,
776 #ifdef CONFIG_CCSECURITY_NETWORK
777         CCS_ID_ADDRESS_GROUP,
778 #endif
779         CCS_ID_PATH_GROUP,
780         CCS_ID_NUMBER_GROUP,
781         CCS_ID_AGGREGATOR,
782         CCS_ID_TRANSITION_CONTROL,
783         CCS_ID_MANAGER,
784         CCS_ID_CONDITION,
785         CCS_ID_NAME,
786         CCS_ID_ACL,
787         CCS_ID_DOMAIN,
788         CCS_MAX_POLICY
789 };
790 
791 /* Index numbers for /proc/ccs/stat interface. */
792 enum ccs_policy_stat_type {
793         /* Do not change this order. */
794         CCS_STAT_POLICY_UPDATES,
795         CCS_STAT_POLICY_LEARNING,   /* == CCS_CONFIG_LEARNING */
796         CCS_STAT_POLICY_PERMISSIVE, /* == CCS_CONFIG_PERMISSIVE */
797         CCS_STAT_POLICY_ENFORCING,  /* == CCS_CONFIG_ENFORCING */
798         CCS_MAX_POLICY_STAT
799 };
800 
801 /* Index numbers for profile's PREFERENCE values. */
802 enum ccs_pref_index {
803         CCS_PREF_MAX_AUDIT_LOG,
804         CCS_PREF_MAX_LEARNING_ENTRY,
805         CCS_PREF_ENFORCING_PENALTY,
806         CCS_MAX_PREF
807 };
808 
809 /* Index numbers for /proc/ccs/ interfaces. */
810 enum ccs_proc_interface_index {
811         CCS_DOMAIN_POLICY,
812         CCS_EXCEPTION_POLICY,
813         CCS_PROCESS_STATUS,
814         CCS_STAT,
815         CCS_AUDIT,
816         CCS_VERSION,
817         CCS_PROFILE,
818         CCS_QUERY,
819         CCS_MANAGER,
820 #ifdef CONFIG_CCSECURITY_TASK_EXECUTE_HANDLER
821         CCS_EXECUTE_HANDLER,
822 #endif
823 };
824 
825 /* Index numbers for special mount operations. */
826 enum ccs_special_mount {
827         CCS_MOUNT_BIND,            /* mount --bind /source /dest   */
828         CCS_MOUNT_MOVE,            /* mount --move /old /new       */
829         CCS_MOUNT_REMOUNT,         /* mount -o remount /dir        */
830         CCS_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
831         CCS_MOUNT_MAKE_PRIVATE,    /* mount --make-private /dir    */
832         CCS_MOUNT_MAKE_SLAVE,      /* mount --make-slave /dir      */
833         CCS_MOUNT_MAKE_SHARED,     /* mount --make-shared /dir     */
834         CCS_MAX_SPECIAL_MOUNT
835 };
836 
837 /* Index numbers for domain transition control keywords. */
838 enum ccs_transition_type {
839         /* Do not change this order, */
840         CCS_TRANSITION_CONTROL_NO_RESET,
841         CCS_TRANSITION_CONTROL_RESET,
842         CCS_TRANSITION_CONTROL_NO_INITIALIZE,
843         CCS_TRANSITION_CONTROL_INITIALIZE,
844         CCS_TRANSITION_CONTROL_NO_KEEP,
845         CCS_TRANSITION_CONTROL_KEEP,
846         CCS_MAX_TRANSITION_TYPE
847 };
848 
849 /* Index numbers for type of numeric values. */
850 enum ccs_value_type {
851         CCS_VALUE_TYPE_INVALID,
852         CCS_VALUE_TYPE_DECIMAL,
853         CCS_VALUE_TYPE_OCTAL,
854         CCS_VALUE_TYPE_HEXADECIMAL,
855 };
856 
857 /* Constants definition for internal use. */
858 
859 /*
860  * TOMOYO uses this hash only when appending a string into the string table.
861  * Frequency of appending strings is very low. So we don't need large (e.g.
862  * 64k) hash size. 256 will be sufficient.
863  */
864 #define CCS_HASH_BITS 8
865 #define CCS_MAX_HASH (1u << CCS_HASH_BITS)
866 
867 /*
868  * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
869  * Therefore, we don't need SOCK_MAX.
870  */
871 #define CCS_SOCK_MAX 6
872 
873 /* Size of temporary buffer for execve() operation. */
874 #define CCS_EXEC_TMPSIZE     4096
875 
876 /* Garbage collector is trying to kfree() this element. */
877 #define CCS_GC_IN_PROGRESS -1
878 
879 /* Profile number is an integer between 0 and 255. */
880 #define CCS_MAX_PROFILES 256
881 
882 /* Group number is an integer between 0 and 255. */
883 #define CCS_MAX_ACL_GROUPS 256
884 
885 /* Current thread is doing open(O_RDONLY | O_TRUNC) ? */
886 #define CCS_OPEN_FOR_READ_TRUNCATE        1
887 /* Current thread is doing open(3) ? */
888 #define CCS_OPEN_FOR_IOCTL_ONLY           2
889 /* Current thread is doing do_execve() ? */
890 #define CCS_TASK_IS_IN_EXECVE             4
891 /* Current thread is running as an execute handler program? */
892 #define CCS_TASK_IS_EXECUTE_HANDLER       8
893 /* Current thread is allowed to modify policy via /proc/ccs/ interface? */
894 #define CCS_TASK_IS_MANAGER              16
895 
896 /*
897  * Retry this request. Returned by ccs_supervisor() if policy violation has
898  * occurred in enforcing mode and the userspace daemon decided to retry.
899  *
900  * We must choose a positive value in order to distinguish "granted" (which is
901  * 0) and "rejected" (which is a negative value) and "retry".
902  */
903 #define CCS_RETRY_REQUEST 1
904 
905 /* The gfp flags used by TOMOYO. */
906 #define CCS_GFP_FLAGS GFP_NOFS
907 
908 /* Size of read buffer for /proc/ccs/ interface. */
909 #define CCS_MAX_IO_READ_QUEUE 64
910 
911 /* Structure definition for internal use. */
912 
913 /* Common header for holding ACL entries. */
914 struct ccs_acl_head {
915         struct list_head list;
916         s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
917 } __packed;
918 
919 /* Common header for shared entries. */
920 struct ccs_shared_acl_head {
921         struct list_head list;
922         atomic_t users;
923 } __packed;
924 
925 /* Common header for individual entries. */
926 struct ccs_acl_info {
927         struct list_head list;
928         struct ccs_condition *cond; /* Maybe NULL. */
929         s8 is_deleted; /* true or false or CCS_GC_IN_PROGRESS */
930         u8 type; /* One of values in "enum ccs_acl_entry_type_index". */
931         u16 perm;
932 } __packed;
933 
934 /* Structure for holding a word. */
935 struct ccs_name_union {
936         /* Either @filename or @group is NULL. */
937         const struct ccs_path_info *filename;
938         struct ccs_group *group;
939 };
940 
941 /* Structure for holding a number. */
942 struct ccs_number_union {
943         unsigned long values[2];
944         struct ccs_group *group; /* Maybe NULL. */
945         /* One of values in "enum ccs_value_type". */
946         u8 value_type[2];
947 };
948 
949 /* Structure for holding an IP address. */
950 struct ccs_ipaddr_union {
951         struct in6_addr ip[2]; /* Big endian. */
952         struct ccs_group *group; /* Pointer to address group. */
953         bool is_ipv6; /* Valid only if @group == NULL. */
954 };
955 
956 /* Structure for "path_group"/"number_group"/"address_group" directive. */
957 struct ccs_group {
958         struct ccs_shared_acl_head head;
959         /* Name of group (without leading '@'). */
960         const struct ccs_path_info *group_name;
961         /*
962          * List of "struct ccs_path_group" or "struct ccs_number_group" or
963          * "struct ccs_address_group".
964          */
965         struct list_head member_list;
966 };
967 
968 /* Structure for "path_group" directive. */
969 struct ccs_path_group {
970         struct ccs_acl_head head;
971         const struct ccs_path_info *member_name;
972 };
973 
974 /* Structure for "number_group" directive. */
975 struct ccs_number_group {
976         struct ccs_acl_head head;
977         struct ccs_number_union number;
978 };
979 
980 /* Structure for "address_group" directive. */
981 struct ccs_address_group {
982         struct ccs_acl_head head;
983         /* Structure for holding an IP address. */
984         struct ccs_ipaddr_union address;
985 };
986 
987 /* Subset of "struct stat". Used by conditional ACL and audit logs. */
988 struct ccs_mini_stat {
989 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
990         kuid_t uid;
991         kgid_t gid;
992 #else
993         uid_t uid;
994         gid_t gid;
995 #endif
996         ino_t ino;
997         umode_t mode;
998         dev_t dev;
999         dev_t rdev;
1000 };
1001 
1002 /* Structure for dumping argv[] and envp[] of "struct linux_binprm". */
1003 struct ccs_page_dump {
1004         struct page *page;    /* Previously dumped page. */
1005         char *data;           /* Contents of "page". Size is PAGE_SIZE. */
1006 };
1007 
1008 /* Structure for attribute checks in addition to pathname checks. */
1009 struct ccs_obj_info {
1010         /* True if ccs_get_attributes() was already called, false otherwise. */
1011         bool validate_done;
1012         /* True if @stat[] is valid. */
1013         bool stat_valid[CCS_MAX_PATH_STAT];
1014         /* First pathname. Initialized with { NULL, NULL } if no path. */
1015         struct path path1;
1016         /* Second pathname. Initialized with { NULL, NULL } if no path. */
1017         struct path path2;
1018         /*
1019          * Information on @path1, @path1's parent directory, @path2, @path2's
1020          * parent directory.
1021          */
1022         struct ccs_mini_stat stat[CCS_MAX_PATH_STAT];
1023         /*
1024          * Content of symbolic link to be created. NULL for operations other
1025          * than symlink().
1026          */
1027         struct ccs_path_info *symlink_target;
1028 };
1029 
1030 /* Structure for entries which follows "struct ccs_condition". */
1031 struct ccs_condition_element {
1032         /*
1033          * Left hand operand. A "struct ccs_argv" for CCS_ARGV_ENTRY, a
1034          * "struct ccs_envp" for CCS_ENVP_ENTRY is attached to the tail
1035          * of the array of this struct.
1036          */
1037         u8 left;
1038         /*
1039          * Right hand operand. A "struct ccs_number_union" for
1040          * CCS_NUMBER_UNION, a "struct ccs_name_union" for CCS_NAME_UNION is
1041          * attached to the tail of the array of this struct.
1042          */
1043         u8 right;
1044         /* Equation operator. True if equals or overlaps, false otherwise. */
1045         bool equals;
1046 };
1047 
1048 /* Structure for optional arguments. */
1049 struct ccs_condition {
1050         struct ccs_shared_acl_head head;
1051         u32 size; /* Memory size allocated for this entry. */
1052         u16 condc; /* Number of conditions in this struct. */
1053         u16 numbers_count; /* Number of "struct ccs_number_union values". */
1054         u16 names_count; /* Number of "struct ccs_name_union names". */
1055         u16 argc; /* Number of "struct ccs_argv". */
1056         u16 envc; /* Number of "struct ccs_envp". */
1057         u8 grant_log; /* One of values in "enum ccs_grant_log". */
1058         bool exec_transit; /* True if transit is for "file execute". */
1059         const struct ccs_path_info *transit; /* Maybe NULL. */
1060         /*
1061          * struct ccs_condition_element condition[condc];
1062          * struct ccs_number_union values[numbers_count];
1063          * struct ccs_name_union names[names_count];
1064          * struct ccs_argv argv[argc];
1065          * struct ccs_envp envp[envc];
1066          */
1067 };
1068 
1069 struct ccs_execve;
1070 struct ccs_policy_namespace;
1071 
1072 /* Structure for request info. */
1073 struct ccs_request_info {
1074         /*
1075          * For holding parameters specific to operations which deal files.
1076          * NULL if not dealing files.
1077          */
1078         struct ccs_obj_info *obj;
1079         /*
1080          * For holding parameters specific to execve() request.
1081          * NULL if not dealing do_execve().
1082          */
1083         struct ccs_execve *ee;
1084         /*
1085          * For holding parameters.
1086          * Pointers in this union are not NULL except path->matched_path.
1087          */
1088         union {
1089                 struct {
1090                         const struct ccs_path_info *filename;
1091                         /*
1092                          * For using wildcards at ccs_find_next_domain().
1093                          *
1094                          * The matched_acl cannot be used because it may refer
1095                          * a "struct ccs_path_acl" with ->is_group == true.
1096                          * We want to use exact "struct ccs_path_info" rather
1097                          * than "struct ccs_path_acl".
1098                          */
1099                         const struct ccs_path_info *matched_path;
1100                         /* One of values in "enum ccs_path_acl_index". */
1101                         u8 operation;
1102                 } path;
1103                 struct {
1104                         const struct ccs_path_info *filename1;
1105                         const struct ccs_path_info *filename2;
1106                         /* One of values in "enum ccs_path2_acl_index". */
1107                         u8 operation;
1108                 } path2;
1109                 struct {
1110                         const struct ccs_path_info *filename;
1111                         unsigned int mode;
1112                         unsigned int major;
1113                         unsigned int minor;
1114                         /* One of values in "enum ccs_mkdev_acl_index". */
1115                         u8 operation;
1116                 } mkdev;
1117                 struct {
1118                         const struct ccs_path_info *filename;
1119                         unsigned long number;
1120                         /*
1121                          * One of values in "enum ccs_path_number_acl_index".
1122                          */
1123                         u8 operation;
1124                 } path_number;
1125 #ifdef CONFIG_CCSECURITY_NETWORK
1126                 struct {
1127                         const u32 *address; /* Big endian. */
1128                         u16 port; /* Host endian. */
1129                         /* One of values smaller than CCS_SOCK_MAX. */
1130                         u8 protocol;
1131                         /* One of values in "enum ccs_network_acl_index". */
1132                         u8 operation;
1133                         bool is_ipv6;
1134                 } inet_network;
1135                 struct {
1136                         const struct ccs_path_info *address;
1137                         /* One of values smaller than CCS_SOCK_MAX. */
1138                         u8 protocol;
1139                         /* One of values in "enum ccs_network_acl_index". */
1140                         u8 operation;
1141                 } unix_network;
1142 #endif
1143 #ifdef CONFIG_CCSECURITY_MISC
1144                 struct {
1145                         const struct ccs_path_info *name;
1146                 } environ;
1147 #endif
1148 #ifdef CONFIG_CCSECURITY_CAPABILITY
1149                 struct {
1150                         /* One of values in "enum ccs_capability_acl_index". */
1151                         u8 operation;
1152                 } capability;
1153 #endif
1154 #ifdef CONFIG_CCSECURITY_IPC
1155                 struct {
1156                         const char *dest_pattern;
1157                         int sig;
1158                 } signal;
1159 #endif
1160                 struct {
1161                         const struct ccs_path_info *type;
1162                         const struct ccs_path_info *dir;
1163                         const struct ccs_path_info *dev;
1164                         unsigned long flags;
1165                         int need_dev;
1166                 } mount;
1167 #ifdef CONFIG_CCSECURITY_TASK_DOMAIN_TRANSITION
1168                 struct {
1169                         const struct ccs_path_info *domainname;
1170                 } task;
1171 #endif
1172         } param;
1173         /*
1174          * For updating current->ccs_domain_info at ccs_update_task_domain().
1175          * Initialized to NULL at ccs_init_request_info().
1176          * Matching "struct ccs_acl_info" is copied if access request was
1177          * granted. Re-initialized to NULL at ccs_update_task_domain().
1178          */
1179         struct ccs_acl_info *matched_acl;
1180         u8 param_type; /* One of values in "enum ccs_acl_entry_type_index". */
1181         bool granted; /* True if granted, false otherwise. */
1182         /* True if current thread should not be carried sleep penalty. */
1183         bool dont_sleep_on_enforce_error;
1184         /*
1185          * For counting number of retries made for this request.
1186          * This counter is incremented whenever ccs_supervisor() returned
1187          * CCS_RETRY_REQUEST.
1188          */
1189         u8 retry;
1190         /*
1191          * For holding profile number used for this request.
1192          * One of values between 0 and CCS_MAX_PROFILES - 1.
1193          */
1194         u8 profile;
1195         /*
1196          * For holding operation mode used for this request.
1197          * One of CCS_CONFIG_DISABLED, CCS_CONFIG_LEARNING,
1198          * CCS_CONFIG_PERMISSIVE, CCS_CONFIG_ENFORCING.
1199          */
1200         u8 mode;
1201         /*
1202          * For holding operation index used for this request.
1203          * Used by ccs_init_request_info() / ccs_get_mode() /
1204          * ccs_write_log(). One of values in "enum ccs_mac_index".
1205          */
1206         u8 type;
1207 };
1208 
1209 /* Structure for holding a token. */
1210 struct ccs_path_info {
1211         const char *name;
1212         u32 hash;          /* = full_name_hash(name, strlen(name)) */
1213         u16 total_len;     /* = strlen(name)                       */
1214         u16 const_len;     /* = ccs_const_part_length(name)        */
1215         bool is_dir;       /* = ccs_strendswith(name, "/")         */
1216         bool is_patterned; /* = const_len < total_len              */
1217 };
1218 
1219 /* Structure for execve() operation. */
1220 struct ccs_execve {
1221         struct ccs_request_info r;
1222         struct ccs_obj_info obj;
1223         struct linux_binprm *bprm;
1224         struct ccs_domain_info *previous_domain;
1225         const struct ccs_path_info *transition;
1226         /* For execute_handler */
1227         const struct ccs_path_info *handler;
1228         char *handler_path; /* = kstrdup(handler->name, CCS_GFP_FLAGS) */
1229         /* For dumping argv[] and envp[]. */
1230         struct ccs_page_dump dump;
1231         /* For temporary use. */
1232         char *tmp; /* Size is CCS_EXEC_TMPSIZE bytes */
1233 };
1234 
1235 /* Structure for domain information. */
1236 struct ccs_domain_info {
1237         struct list_head list;
1238         struct list_head acl_info_list;
1239         /* Name of this domain. Never NULL.          */
1240         const struct ccs_path_info *domainname;
1241         /* Namespace for this domain. Never NULL. */
1242         struct ccs_policy_namespace *ns;
1243         /* Group numbers to use. */
1244         unsigned long group[CCS_MAX_ACL_GROUPS / BITS_PER_LONG];
1245         u8 profile;        /* Profile number to use. */
1246         bool is_deleted;   /* Delete flag.           */
1247         bool flags[CCS_MAX_DOMAIN_INFO_FLAGS];
1248 };
1249 
1250 /*
1251  * Structure for "reset_domain"/"no_reset_domain"/"initialize_domain"/
1252  * "no_initialize_domain"/"keep_domain"/"no_keep_domain" keyword.
1253  */
1254 struct ccs_transition_control {
1255         struct ccs_acl_head head;
1256         u8 type; /* One of values in "enum ccs_transition_type" */
1257         bool is_last_name; /* True if the domainname is ccs_last_word(). */
1258         const struct ccs_path_info *domainname; /* Maybe NULL */
1259         const struct ccs_path_info *program;    /* Maybe NULL */
1260 };
1261 
1262 /* Structure for "aggregator" keyword. */
1263 struct ccs_aggregator {
1264         struct ccs_acl_head head;
1265         const struct ccs_path_info *original_name;
1266         const struct ccs_path_info *aggregated_name;
1267 };
1268 
1269 /* Structure for "deny_autobind" keyword. */
1270 struct ccs_reserved {
1271         struct ccs_acl_head head;
1272         struct ccs_number_union port;
1273 };
1274 
1275 /* Structure for policy manager. */
1276 struct ccs_manager {
1277         struct ccs_acl_head head;
1278         /* A path to program or a domainname. */
1279         const struct ccs_path_info *manager;
1280 };
1281 
1282 /* Structure for argv[]. */
1283 struct ccs_argv {
1284         unsigned long index;
1285         const struct ccs_path_info *value;
1286         bool is_not;
1287 };
1288 
1289 /* Structure for envp[]. */
1290 struct ccs_envp {
1291         const struct ccs_path_info *name;
1292         const struct ccs_path_info *value;
1293         bool is_not;
1294 };
1295 
1296 /*
1297  * Structure for "task auto_execute_handler" and "task denied_execute_handler"
1298  * directive.
1299  *
1300  * If "task auto_execute_handler" directive exists and the current process is
1301  * not an execute handler, all execve() requests are replaced by execve()
1302  * requests of a program specified by "task auto_execute_handler" directive.
1303  * If the current process is an execute handler, "task auto_execute_handler"
1304  * and "task denied_execute_handler" directives are ignored.
1305  * The program specified by "task execute_handler" validates execve()
1306  * parameters and executes the original execve() requests if appropriate.
1307  *
1308  * "task denied_execute_handler" directive is used only when execve() request
1309  * was rejected in enforcing mode (i.e. CONFIG::file::execute={ mode=enforcing
1310  * }). The program specified by "task denied_execute_handler" does whatever it
1311  * wants to do (e.g. silently terminate, change firewall settings, redirect the
1312  * user to honey pot etc.).
1313  */
1314 struct ccs_handler_acl {
1315         struct ccs_acl_info head;       /* type = CCS_TYPE_*_EXECUTE_HANDLER */
1316         const struct ccs_path_info *handler; /* Pointer to single pathname.  */
1317 };
1318 
1319 /*
1320  * Structure for "task auto_domain_transition" and
1321  * "task manual_domain_transition" directive.
1322  */
1323 struct ccs_task_acl {
1324         struct ccs_acl_info head; /* type = CCS_TYPE_*_TASK_ACL */
1325         /* Pointer to domainname. */
1326         const struct ccs_path_info *domainname;
1327 };
1328 
1329 /*
1330  * Structure for "file execute", "file read", "file write", "file append",
1331  * "file unlink", "file getattr", "file rmdir", "file truncate",
1332  * "file symlink", "file chroot" and "file unmount" directive.
1333  */
1334 struct ccs_path_acl {
1335         struct ccs_acl_info head; /* type = CCS_TYPE_PATH_ACL */
1336         struct ccs_name_union name;
1337 };
1338 
1339 /*
1340  * Structure for "file rename", "file link" and "file pivot_root" directive.
1341  */
1342 struct ccs_path2_acl {
1343         struct ccs_acl_info head; /* type = CCS_TYPE_PATH2_ACL */
1344         struct ccs_name_union name1;
1345         struct ccs_name_union name2;
1346 };
1347 
1348 /*
1349  * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
1350  * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
1351  */
1352 struct ccs_path_number_acl {
1353         struct ccs_acl_info head; /* type = CCS_TYPE_PATH_NUMBER_ACL */
1354         struct ccs_name_union name;
1355         struct ccs_number_union number;
1356 };
1357 
1358 /* Structure for "file mkblock" and "file mkchar" directive. */
1359 struct ccs_mkdev_acl {
1360         struct ccs_acl_info head; /* type = CCS_TYPE_MKDEV_ACL */
1361         struct ccs_name_union name;
1362         struct ccs_number_union mode;
1363         struct ccs_number_union major;
1364         struct ccs_number_union minor;
1365 };
1366 
1367 /* Structure for "file mount" directive. */
1368 struct ccs_mount_acl {
1369         struct ccs_acl_info head; /* type = CCS_TYPE_MOUNT_ACL */
1370         struct ccs_name_union dev_name;
1371         struct ccs_name_union dir_name;
1372         struct ccs_name_union fs_type;
1373         struct ccs_number_union flags;
1374 };
1375 
1376 /* Structure for "misc env" directive in domain policy. */
1377 struct ccs_env_acl {
1378         struct ccs_acl_info head;        /* type = CCS_TYPE_ENV_ACL  */
1379         const struct ccs_path_info *env; /* environment variable */
1380 };
1381 
1382 /* Structure for "capability" directive. */
1383 struct ccs_capability_acl {
1384         struct ccs_acl_info head; /* type = CCS_TYPE_CAPABILITY_ACL */
1385         u8 operation; /* One of values in "enum ccs_capability_acl_index". */
1386 };
1387 
1388 /* Structure for "ipc signal" directive. */
1389 struct ccs_signal_acl {
1390         struct ccs_acl_info head; /* type = CCS_TYPE_SIGNAL_ACL */
1391         struct ccs_number_union sig;
1392         /* Pointer to destination pattern. */
1393         const struct ccs_path_info *domainname;
1394 };
1395 
1396 /* Structure for "network inet" directive. */
1397 struct ccs_inet_acl {
1398         struct ccs_acl_info head; /* type = CCS_TYPE_INET_ACL */
1399         u8 protocol;
1400         struct ccs_ipaddr_union address;
1401         struct ccs_number_union port;
1402 };
1403 
1404 /* Structure for "network unix" directive. */
1405 struct ccs_unix_acl {
1406         struct ccs_acl_info head; /* type = CCS_TYPE_UNIX_ACL */
1407         u8 protocol;
1408         struct ccs_name_union name;
1409 };
1410 
1411 /* Structure for holding string data. */
1412 struct ccs_name {
1413         struct ccs_shared_acl_head head;
1414         int size; /* Memory size allocated for this entry. */
1415         struct ccs_path_info entry;
1416 };
1417 
1418 /* Structure for holding a line from /proc/ccs/ interface. */
1419 struct ccs_acl_param {
1420         char *data; /* Unprocessed data. */
1421         struct list_head *list; /* List to add or remove. */
1422         struct ccs_policy_namespace *ns; /* Namespace to use. */
1423         bool is_delete; /* True if it is a delete request. */
1424         union ccs_acl_union {
1425                 struct ccs_acl_info acl_info;
1426                 struct ccs_handler_acl handler_acl;
1427                 struct ccs_task_acl task_acl;
1428                 struct ccs_path_acl path_acl;
1429                 struct ccs_path2_acl path2_acl;
1430                 struct ccs_path_number_acl path_number_acl;
1431                 struct ccs_mkdev_acl mkdev_acl;
1432                 struct ccs_mount_acl mount_acl;
1433                 struct ccs_env_acl env_acl;
1434                 struct ccs_capability_acl capability_acl;
1435                 struct ccs_signal_acl signal_acl;
1436                 struct ccs_inet_acl inet_acl;
1437                 struct ccs_unix_acl unix_acl;
1438                 /**/
1439                 struct ccs_acl_head acl_head;
1440                 struct ccs_transition_control transition_control;
1441                 struct ccs_aggregator aggregator;
1442                 struct ccs_reserved reserved;
1443                 struct ccs_manager manager;
1444                 struct ccs_path_group path_group;
1445                 struct ccs_number_group number_group;
1446                 struct ccs_address_group address_group;
1447         } e;
1448 };
1449 
1450 /* Structure for reading/writing policy via /proc/ccs/ interfaces. */
1451 struct ccs_io_buffer {
1452         /* Exclusive lock for this structure.   */
1453         struct mutex io_sem;
1454         char __user *read_user_buf;
1455         size_t read_user_buf_avail;
1456         struct {
1457                 struct list_head *ns;
1458                 struct list_head *domain;
1459                 struct list_head *group;
1460                 struct list_head *acl;
1461                 size_t avail;
1462                 unsigned int step;
1463                 unsigned int query_index;
1464                 u16 index;
1465                 u16 cond_index;
1466                 u8 acl_group_index;
1467                 u8 cond_step;
1468                 u8 bit;
1469                 u8 w_pos;
1470                 bool eof;
1471                 bool print_this_domain_only;
1472                 bool print_transition_related_only;
1473                 bool print_cond_part;
1474                 const char *w[CCS_MAX_IO_READ_QUEUE];
1475         } r;
1476         struct {
1477                 struct ccs_policy_namespace *ns;
1478                 struct ccs_domain_info *domain;
1479                 size_t avail;
1480                 bool is_delete;
1481         } w;
1482         /* Buffer for reading.                  */
1483         char *read_buf;
1484         /* Size of read buffer.                 */
1485         size_t readbuf_size;
1486         /* Buffer for writing.                  */
1487         char *write_buf;
1488         /* Size of write buffer.                */
1489         size_t writebuf_size;
1490         /* Type of interface. */
1491         enum ccs_proc_interface_index type;
1492         /* Users counter protected by ccs_io_buffer_list_lock. */
1493         u8 users;
1494         /* List for telling GC not to kfree() elements. */
1495         struct list_head list;
1496 };
1497 
1498 /* Structure for /proc/ccs/profile interface. */
1499 struct ccs_profile {
1500         const struct ccs_path_info *comment;
1501         u8 default_config;
1502         u8 config[CCS_MAX_MAC_INDEX + CCS_MAX_MAC_CATEGORY_INDEX];
1503         unsigned int pref[CCS_MAX_PREF];
1504 };
1505 
1506 /* Structure for representing YYYY/MM/DD hh/mm/ss. */
1507 struct ccs_time {
1508         u16 year;
1509         u8 month;
1510         u8 day;
1511         u8 hour;
1512         u8 min;
1513         u8 sec;
1514 };
1515 
1516 /* Structure for policy namespace. */
1517 struct ccs_policy_namespace {
1518         /* Profile table. Memory is allocated as needed. */
1519         struct ccs_profile *profile_ptr[CCS_MAX_PROFILES];
1520         /* List of "struct ccs_group". */
1521         struct list_head group_list[CCS_MAX_GROUP];
1522         /* List of policy. */
1523         struct list_head policy_list[CCS_MAX_POLICY];
1524         /* The global ACL referred by "use_group" keyword. */
1525         struct list_head acl_group[CCS_MAX_ACL_GROUPS];
1526         /* List for connecting to ccs_namespace_list list. */
1527         struct list_head namespace_list;
1528         /* Profile version. Currently only 20150505 is supported. */
1529         unsigned int profile_version;
1530         /* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */
1531         const char *name;
1532 };
1533 
1534 /* Prototype definition for "struct ccsecurity_operations". */
1535 
1536 void __init ccs_permission_init(void);
1537 void __init ccs_mm_init(void);
1538 
1539 /* Prototype definition for internal use. */
1540 
1541 bool ccs_dump_page(struct linux_binprm *bprm, unsigned long pos,
1542                    struct ccs_page_dump *dump);
1543 bool ccs_memory_ok(const void *ptr, const unsigned int size);
1544 char *ccs_encode(const char *str);
1545 char *ccs_encode2(const char *str, int str_len);
1546 char *ccs_realpath(const struct path *path);
1547 const char *ccs_get_exe(void);
1548 const struct ccs_path_info *ccs_get_name(const char *name);
1549 int ccs_audit_log(struct ccs_request_info *r);
1550 int ccs_check_acl(struct ccs_request_info *r);
1551 int ccs_init_request_info(struct ccs_request_info *r, const u8 index);
1552 struct ccs_domain_info *ccs_assign_domain(const char *domainname,
1553                                           const bool transit);
1554 u8 ccs_get_config(const u8 profile, const u8 index);
1555 void *ccs_commit_ok(void *data, const unsigned int size);
1556 void ccs_del_acl(struct list_head *element);
1557 void ccs_del_condition(struct list_head *element);
1558 void ccs_fill_path_info(struct ccs_path_info *ptr);
1559 void ccs_get_attributes(struct ccs_obj_info *obj);
1560 void ccs_notify_gc(struct ccs_io_buffer *head, const bool is_register);
1561 void ccs_transition_failed(const char *domainname);
1562 void ccs_warn_oom(const char *function);
1563 void ccs_write_log(struct ccs_request_info *r, const char *fmt, ...)
1564         __printf(2, 3);
1565 
1566 /* Variable definition for internal use. */
1567 
1568 extern bool ccs_policy_loaded;
1569 extern const char * const ccs_dif[CCS_MAX_DOMAIN_INFO_FLAGS];
1570 extern const u8 ccs_c2mac[CCS_MAX_CAPABILITY_INDEX];
1571 extern const u8 ccs_pn2mac[CCS_MAX_PATH_NUMBER_OPERATION];
1572 extern const u8 ccs_pnnn2mac[CCS_MAX_MKDEV_OPERATION];
1573 extern const u8 ccs_pp2mac[CCS_MAX_PATH2_OPERATION];
1574 extern struct ccs_domain_info ccs_kernel_domain;
1575 extern struct list_head ccs_condition_list;
1576 extern struct list_head ccs_domain_list;
1577 extern struct list_head ccs_name_list[CCS_MAX_HASH];
1578 extern struct list_head ccs_namespace_list;
1579 extern struct mutex ccs_policy_lock;
1580 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1581 extern struct srcu_struct ccs_ss;
1582 #endif
1583 extern unsigned int ccs_memory_quota[CCS_MAX_MEMORY_STAT];
1584 extern unsigned int ccs_memory_used[CCS_MAX_MEMORY_STAT];
1585 
1586 /* Inlined functions for internal use. */
1587 
1588 /**
1589  * ccs_pathcmp - strcmp() for "struct ccs_path_info" structure.
1590  *
1591  * @a: Pointer to "struct ccs_path_info".
1592  * @b: Pointer to "struct ccs_path_info".
1593  *
1594  * Returns true if @a != @b, false otherwise.
1595  */
1596 static inline bool ccs_pathcmp(const struct ccs_path_info *a,
1597                                const struct ccs_path_info *b)
1598 {
1599         return a->hash != b->hash || strcmp(a->name, b->name);
1600 }
1601 
1602 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 19)
1603 
1604 /**
1605  * ccs_read_lock - Take lock for protecting policy.
1606  *
1607  * Returns index number for ccs_read_unlock().
1608  */
1609 static inline int ccs_read_lock(void)
1610 {
1611         return srcu_read_lock(&ccs_ss);
1612 }
1613 
1614 /**
1615  * ccs_read_unlock - Release lock for protecting policy.
1616  *
1617  * @idx: Index number returned by ccs_read_lock().
1618  *
1619  * Returns nothing.
1620  */
1621 static inline void ccs_read_unlock(const int idx)
1622 {
1623         srcu_read_unlock(&ccs_ss, idx);
1624 }
1625 
1626 #else
1627 
1628 int ccs_lock(void);
1629 void ccs_unlock(const int idx);
1630 
1631 /**
1632  * ccs_read_lock - Take lock for protecting policy.
1633  *
1634  * Returns index number for ccs_read_unlock().
1635  */
1636 static inline int ccs_read_lock(void)
1637 {
1638         return ccs_lock();
1639 }
1640 
1641 /**
1642  * ccs_read_unlock - Release lock for protecting policy.
1643  *
1644  * @idx: Index number returned by ccs_read_lock().
1645  *
1646  * Returns nothing.
1647  */
1648 static inline void ccs_read_unlock(const int idx)
1649 {
1650         ccs_unlock(idx);
1651 }
1652 
1653 #endif
1654 
1655 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 18)
1656 
1657 /**
1658  * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1659  *
1660  * Returns nothing.
1661  */
1662 static inline void ccs_tasklist_lock(void)
1663 {
1664         rcu_read_lock();
1665 }
1666 
1667 /**
1668  * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1669  *
1670  * Returns nothing.
1671  */
1672 static inline void ccs_tasklist_unlock(void)
1673 {
1674         rcu_read_unlock();
1675 }
1676 
1677 #else
1678 
1679 /**
1680  * ccs_tasklist_lock - Take lock for reading list of "struct task_struct".
1681  *
1682  * Returns nothing.
1683  */
1684 static inline void ccs_tasklist_lock(void)
1685 {
1686         read_lock(&tasklist_lock);
1687 }
1688 
1689 /**
1690  * ccs_tasklist_unlock - Release lock for reading list of "struct task_struct".
1691  *
1692  * Returns nothing.
1693  */
1694 static inline void ccs_tasklist_unlock(void)
1695 {
1696         read_unlock(&tasklist_lock);
1697 }
1698 
1699 #endif
1700 
1701 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1702 
1703 /**
1704  * ccs_sys_getppid - Copy of getppid().
1705  *
1706  * Returns parent process's PID.
1707  *
1708  * Alpha does not have getppid() defined. To be able to build this module on
1709  * Alpha, I have to copy getppid() from kernel/timer.c.
1710  */
1711 static inline pid_t ccs_sys_getppid(void)
1712 {
1713         pid_t pid;
1714         rcu_read_lock();
1715         pid = task_tgid_vnr(rcu_dereference(current->real_parent));
1716         rcu_read_unlock();
1717         return pid;
1718 }
1719 
1720 #elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
1721 
1722 /**
1723  * ccs_sys_getppid - Copy of getppid().
1724  *
1725  * Returns parent process's PID.
1726  *
1727  * This function was rewritten to use RCU in 2.6.16.34. However, distributors
1728  * which use earlier kernels (e.g. 2.6.8/2.6.9) did not backport the bugfix.
1729  * Therefore, I'm using code for 2.6.16.34 for earlier kernels.
1730  */
1731 static inline pid_t ccs_sys_getppid(void)
1732 {
1733         pid_t pid;
1734         rcu_read_lock();
1735 #if (defined(RHEL_MAJOR) && RHEL_MAJOR == 5) || (defined(AX_MAJOR) && AX_MAJOR == 3)
1736         pid = rcu_dereference(current->parent)->tgid;
1737 #elif defined(CONFIG_UTRACE)
1738         /*
1739          * RHEL 5.0 kernel does not have RHEL_MAJOR/RHEL_MINOR defined.
1740          * Assume RHEL 5.0 if CONFIG_UTRACE is defined.
1741          */
1742         pid = rcu_dereference(current->parent)->tgid;
1743 #else
1744         pid = rcu_dereference(current->real_parent)->tgid;
1745 #endif
1746         rcu_read_unlock();
1747         return pid;
1748 }
1749 
1750 #else
1751 
1752 /**
1753  * ccs_sys_getppid - Copy of getppid().
1754  *
1755  * Returns parent process's PID.
1756  *
1757  * I can't use code for 2.6.16.34 for 2.4 kernels because 2.4 kernels does not
1758  * have RCU. Therefore, I'm using pessimistic lock (i.e. tasklist_lock
1759  * spinlock).
1760  */
1761 static inline pid_t ccs_sys_getppid(void)
1762 {
1763         pid_t pid;
1764         read_lock(&tasklist_lock);
1765 #ifdef TASK_DEAD
1766         pid = current->group_leader->real_parent->tgid;
1767 #else
1768         pid = current->p_opptr->pid;
1769 #endif
1770         read_unlock(&tasklist_lock);
1771         return pid;
1772 }
1773 
1774 #endif
1775 
1776 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1777 
1778 /**
1779  * ccs_sys_getpid - Copy of getpid().
1780  *
1781  * Returns current thread's PID.
1782  *
1783  * Alpha does not have getpid() defined. To be able to build this module on
1784  * Alpha, I have to copy getpid() from kernel/timer.c.
1785  */
1786 static inline pid_t ccs_sys_getpid(void)
1787 {
1788         return task_tgid_vnr(current);
1789 }
1790 
1791 #else
1792 
1793 /**
1794  * ccs_sys_getpid - Copy of getpid().
1795  *
1796  * Returns current thread's PID.
1797  */
1798 static inline pid_t ccs_sys_getpid(void)
1799 {
1800         return current->tgid;
1801 }
1802 
1803 #endif
1804 
1805 /**
1806  * ccs_get_mode - Get mode for specified functionality.
1807  *
1808  * @profile: Profile number.
1809  * @index:   Functionality number.
1810  *
1811  * Returns mode.
1812  */
1813 static inline u8 ccs_get_mode(const u8 profile, const u8 index)
1814 {
1815         return ccs_get_config(profile, index) & (CCS_CONFIG_MAX_MODE - 1);
1816 }
1817 
1818 #if defined(CONFIG_SLOB)
1819 
1820 /**
1821  * ccs_round2 - Round up to power of 2 for calculating memory usage.
1822  *
1823  * @size: Size to be rounded up.
1824  *
1825  * Returns @size.
1826  *
1827  * Since SLOB does not round up, this function simply returns @size.
1828  */
1829 static inline int ccs_round2(size_t size)
1830 {
1831         return size;
1832 }
1833 
1834 #else
1835 
1836 /**
1837  * ccs_round2 - Round up to power of 2 for calculating memory usage.
1838  *
1839  * @size: Size to be rounded up.
1840  *
1841  * Returns rounded size.
1842  *
1843  * Strictly speaking, SLAB may be able to allocate (e.g.) 96 bytes instead of
1844  * (e.g.) 128 bytes.
1845  */
1846 static inline int ccs_round2(size_t size)
1847 {
1848 #if PAGE_SIZE == 4096
1849         size_t bsize = 32;
1850 #else
1851         size_t bsize = 64;
1852 #endif
1853         if (!size)
1854                 return 0;
1855         while (size > bsize)
1856                 bsize <<= 1;
1857         return bsize;
1858 }
1859 
1860 #endif
1861 
1862 /**
1863  * ccs_put_condition - Drop reference on "struct ccs_condition".
1864  *
1865  * @cond: Pointer to "struct ccs_condition". Maybe NULL.
1866  *
1867  * Returns nothing.
1868  */
1869 static inline void ccs_put_condition(struct ccs_condition *cond)
1870 {
1871         if (cond)
1872                 atomic_dec(&cond->head.users);
1873 }
1874 
1875 /**
1876  * ccs_put_group - Drop reference on "struct ccs_group".
1877  *
1878  * @group: Pointer to "struct ccs_group". Maybe NULL.
1879  *
1880  * Returns nothing.
1881  */
1882 static inline void ccs_put_group(struct ccs_group *group)
1883 {
1884         if (group)
1885                 atomic_dec(&group->head.users);
1886 }
1887 
1888 /**
1889  * ccs_put_name - Drop reference on "struct ccs_name".
1890  *
1891  * @name: Pointer to "struct ccs_path_info". Maybe NULL.
1892  *
1893  * Returns nothing.
1894  */
1895 static inline void ccs_put_name(const struct ccs_path_info *name)
1896 {
1897         if (name)
1898                 atomic_dec(&container_of(name, struct ccs_name, entry)->
1899                            head.users);
1900 }
1901 
1902 /* For importing variables and functions. */
1903 extern const struct ccsecurity_exports ccsecurity_exports;
1904 
1905 #ifdef CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY
1906 
1907 /*
1908  * Structure for holding "struct ccs_domain_info *" and "struct ccs_execve *"
1909  * and "u32 ccs_flags" for each "struct task_struct".
1910  *
1911  * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
1912  * are maintained outside that "struct task_struct". Therefore, ccs_security
1913  * != task_struct . This keeps KABI for distributor's prebuilt kernels but
1914  * entails slow access.
1915  *
1916  * Memory for this structure is allocated when current thread tries to access
1917  * it. Therefore, if memory allocation failed, current thread will be killed by
1918  * SIGKILL. Note that if current->pid == 1, sending SIGKILL won't work.
1919  */
1920 struct ccs_security {
1921         struct list_head list;
1922         const struct task_struct *task;
1923         struct ccs_domain_info *ccs_domain_info;
1924         u32 ccs_flags;
1925         struct rcu_head rcu;
1926 };
1927 
1928 #define CCS_TASK_SECURITY_HASH_BITS 12
1929 #define CCS_MAX_TASK_SECURITY_HASH (1u << CCS_TASK_SECURITY_HASH_BITS)
1930 extern struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
1931 
1932 struct ccs_security *ccs_find_task_security(const struct task_struct *task);
1933 
1934 /**
1935  * ccs_current_security - Get "struct ccs_security" for current thread.
1936  *
1937  * Returns pointer to "struct ccs_security" for current thread.
1938  */
1939 static inline struct ccs_security *ccs_current_security(void)
1940 {
1941         return ccs_find_task_security(current);
1942 }
1943 
1944 /**
1945  * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
1946  *
1947  * @task: Pointer to "struct task_struct".
1948  *
1949  * Returns pointer to "struct ccs_security" for specified thread.
1950  */
1951 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
1952 {
1953         struct ccs_domain_info *domain;
1954         rcu_read_lock();
1955         domain = ccs_find_task_security(task)->ccs_domain_info;
1956         rcu_read_unlock();
1957         return domain;
1958 }
1959 
1960 /**
1961  * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
1962  *
1963  * Returns pointer to "struct ccs_domain_info" for current thread.
1964  */
1965 static inline struct ccs_domain_info *ccs_current_domain(void)
1966 {
1967         return ccs_find_task_security(current)->ccs_domain_info;
1968 }
1969 
1970 /**
1971  * ccs_task_flags - Get flags for specified thread.
1972  *
1973  * @task: Pointer to "struct task_struct".
1974  *
1975  * Returns flags for specified thread.
1976  */
1977 static inline u32 ccs_task_flags(struct task_struct *task)
1978 {
1979         u32 ccs_flags;
1980         rcu_read_lock();
1981         ccs_flags = ccs_find_task_security(task)->ccs_flags;
1982         rcu_read_unlock();
1983         return ccs_flags;
1984 }
1985 
1986 /**
1987  * ccs_current_flags - Get flags for current thread.
1988  *
1989  * Returns flags for current thread.
1990  */
1991 static inline u32 ccs_current_flags(void)
1992 {
1993         return ccs_find_task_security(current)->ccs_flags;
1994 }
1995 
1996 #else
1997 
1998 /*
1999  * "struct ccs_domain_info *" and "u32 ccs_flags" for each "struct task_struct"
2000  * are maintained inside that "struct task_struct". Therefore, ccs_security ==
2001  * task_struct . This allows fast access but breaks KABI checks for
2002  * distributor's prebuilt kernels due to changes in "struct task_struct".
2003  */
2004 #define ccs_security task_struct
2005 
2006 /**
2007  * ccs_find_task_security - Find "struct ccs_security" for given task.
2008  *
2009  * @task: Pointer to "struct task_struct".
2010  *
2011  * Returns pointer to "struct ccs_security".
2012  */
2013 static inline struct ccs_security *ccs_find_task_security(struct task_struct *
2014                                                           task)
2015 {
2016         return task;
2017 }
2018 
2019 /**
2020  * ccs_current_security - Get "struct ccs_security" for current thread.
2021  *
2022  * Returns pointer to "struct ccs_security" for current thread.
2023  */
2024 static inline struct ccs_security *ccs_current_security(void)
2025 {
2026         return ccs_find_task_security(current);
2027 }
2028 
2029 /**
2030  * ccs_task_domain - Get "struct ccs_domain_info" for specified thread.
2031  *
2032  * @task: Pointer to "struct task_struct".
2033  *
2034  * Returns pointer to "struct ccs_security" for specified thread.
2035  */
2036 static inline struct ccs_domain_info *ccs_task_domain(struct task_struct *task)
2037 {
2038         struct ccs_domain_info *domain = task->ccs_domain_info;
2039         return domain ? domain : &ccs_kernel_domain;
2040 }
2041 
2042 /**
2043  * ccs_current_domain - Get "struct ccs_domain_info" for current thread.
2044  *
2045  * Returns pointer to "struct ccs_domain_info" for current thread.
2046  *
2047  * If current thread does not belong to a domain (which is true for initial
2048  * init_task in order to hide ccs_kernel_domain from this module),
2049  * current thread enters into ccs_kernel_domain.
2050  */
2051 static inline struct ccs_domain_info *ccs_current_domain(void)
2052 {
2053         struct task_struct *task = current;
2054         if (!task->ccs_domain_info)
2055                 task->ccs_domain_info = &ccs_kernel_domain;
2056         return task->ccs_domain_info;
2057 }
2058 
2059 /**
2060  * ccs_task_flags - Get flags for specified thread.
2061  *
2062  * @task: Pointer to "struct task_struct".
2063  *
2064  * Returns flags for specified thread.
2065  */
2066 static inline u32 ccs_task_flags(struct task_struct *task)
2067 {
2068         return ccs_find_task_security(task)->ccs_flags;
2069 }
2070 
2071 /**
2072  * ccs_current_flags - Get flags for current thread.
2073  *
2074  * Returns flags for current thread.
2075  */
2076 static inline u32 ccs_current_flags(void)
2077 {
2078         return ccs_find_task_security(current)->ccs_flags;
2079 }
2080 
2081 #endif
2082 
2083 /**
2084  * ccs_current_namespace - Get "struct ccs_policy_namespace" for current thread.
2085  *
2086  * Returns pointer to "struct ccs_policy_namespace" for current thread.
2087  */
2088 static inline struct ccs_policy_namespace *ccs_current_namespace(void)
2089 {
2090         return ccs_current_domain()->ns;
2091 }
2092 
2093 #endif
2094 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp