diff options
Diffstat (limited to 'security/tomoyo')
-rw-r--r-- | security/tomoyo/common.c | 200 | ||||
-rw-r--r-- | security/tomoyo/common.h | 4 | ||||
-rw-r--r-- | security/tomoyo/file.c | 21 | ||||
-rw-r--r-- | security/tomoyo/realpath.c | 22 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.c | 80 | ||||
-rw-r--r-- | security/tomoyo/tomoyo.h | 2 |
6 files changed, 139 insertions, 190 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 3c8bd8ee0b9..e0d0354008b 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -187,6 +187,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, const s8 pattern_type, const s8 end_type, const char *function) { + const char *const start = filename; + bool in_repetition = false; bool contains_pattern = false; unsigned char c; unsigned char d; @@ -212,9 +214,13 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, if (c == '/') goto out; } - while ((c = *filename++) != '\0') { + while (1) { + c = *filename++; + if (!c) + break; if (c == '\\') { - switch ((c = *filename++)) { + c = *filename++; + switch (c) { case '\\': /* "\\" */ continue; case '$': /* "\$" */ @@ -231,6 +237,22 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, break; /* Must not contain pattern */ contains_pattern = true; continue; + case '{': /* "/\{" */ + if (filename - 3 < start || + *(filename - 3) != '/') + break; + if (pattern_type == -1) + break; /* Must not contain pattern */ + contains_pattern = true; + in_repetition = true; + continue; + case '}': /* "\}/" */ + if (*filename != '/') + break; + if (!in_repetition) + break; + in_repetition = false; + continue; case '0': /* "\ooo" */ case '1': case '2': @@ -246,6 +268,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, continue; /* pattern is not \000 */ } goto out; + } else if (in_repetition && c == '/') { + goto out; } else if (tomoyo_is_invalid(c)) { goto out; } @@ -254,6 +278,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type, if (!contains_pattern) goto out; } + if (in_repetition) + goto out; return true; out: printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function, @@ -360,33 +386,6 @@ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname) } /** - * tomoyo_path_depth - Evaluate the number of '/' in a string. - * - * @pathname: The string to evaluate. - * - * Returns path depth of the string. - * - * I score 2 for each of the '/' in the @pathname - * and score 1 if the @pathname ends with '/'. - */ -static int tomoyo_path_depth(const char *pathname) -{ - int i = 0; - - if (pathname) { - const char *ep = pathname + strlen(pathname); - if (pathname < ep--) { - if (*ep != '/') - i++; - while (pathname <= ep) - if (*ep-- == '/') - i += 2; - } - } - return i; -} - -/** * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token. * * @filename: The string to evaluate. @@ -444,11 +443,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr) ptr->is_dir = len && (name[len - 1] == '/'); ptr->is_patterned = (ptr->const_len < len); ptr->hash = full_name_hash(name, len); - ptr->depth = tomoyo_path_depth(name); } /** - * tomoyo_file_matches_to_pattern2 - Pattern matching without '/' character + * tomoyo_file_matches_pattern2 - Pattern matching without '/' character * and "\-" pattern. * * @filename: The start of string to check. @@ -458,10 +456,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr) * * Returns true if @filename matches @pattern, false otherwise. */ -static bool tomoyo_file_matches_to_pattern2(const char *filename, - const char *filename_end, - const char *pattern, - const char *pattern_end) +static bool tomoyo_file_matches_pattern2(const char *filename, + const char *filename_end, + const char *pattern, + const char *pattern_end) { while (filename < filename_end && pattern < pattern_end) { char c; @@ -519,7 +517,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename, case '*': case '@': for (i = 0; i <= filename_end - filename; i++) { - if (tomoyo_file_matches_to_pattern2( + if (tomoyo_file_matches_pattern2( filename + i, filename_end, pattern + 1, pattern_end)) return true; @@ -550,7 +548,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename, j++; } for (i = 1; i <= j; i++) { - if (tomoyo_file_matches_to_pattern2( + if (tomoyo_file_matches_pattern2( filename + i, filename_end, pattern + 1, pattern_end)) return true; @@ -567,7 +565,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename, } /** - * tomoyo_file_matches_to_pattern - Pattern matching without without '/' character. + * tomoyo_file_matches_pattern - Pattern matching without without '/' character. * * @filename: The start of string to check. * @filename_end: The end of string to check. @@ -576,7 +574,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename, * * Returns true if @filename matches @pattern, false otherwise. */ -static bool tomoyo_file_matches_to_pattern(const char *filename, +static bool tomoyo_file_matches_pattern(const char *filename, const char *filename_end, const char *pattern, const char *pattern_end) @@ -589,10 +587,10 @@ static bool tomoyo_file_matches_to_pattern(const char *filename, /* Split at "\-" pattern. */ if (*pattern++ != '\\' || *pattern++ != '-') continue; - result = tomoyo_file_matches_to_pattern2(filename, - filename_end, - pattern_start, - pattern - 2); + result = tomoyo_file_matches_pattern2(filename, + filename_end, + pattern_start, + pattern - 2); if (first) result = !result; if (result) @@ -600,13 +598,79 @@ static bool tomoyo_file_matches_to_pattern(const char *filename, first = false; pattern_start = pattern; } - result = tomoyo_file_matches_to_pattern2(filename, filename_end, - pattern_start, pattern_end); + result = tomoyo_file_matches_pattern2(filename, filename_end, + pattern_start, pattern_end); return first ? result : !result; } /** + * tomoyo_path_matches_pattern2 - Do pathname pattern matching. + * + * @f: The start of string to check. + * @p: The start of pattern to compare. + * + * Returns true if @f matches @p, false otherwise. + */ +static bool tomoyo_path_matches_pattern2(const char *f, const char *p) +{ + const char *f_delimiter; + const char *p_delimiter; + + while (*f && *p) { + f_delimiter = strchr(f, '/'); + if (!f_delimiter) + f_delimiter = f + strlen(f); + p_delimiter = strchr(p, '/'); + if (!p_delimiter) + p_delimiter = p + strlen(p); + if (*p == '\\' && *(p + 1) == '{') + goto recursive; + if (!tomoyo_file_matches_pattern(f, f_delimiter, p, + p_delimiter)) + return false; + f = f_delimiter; + if (*f) + f++; + p = p_delimiter; + if (*p) + p++; + } + /* Ignore trailing "\*" and "\@" in @pattern. */ + while (*p == '\\' && + (*(p + 1) == '*' || *(p + 1) == '@')) + p += 2; + return !*f && !*p; + recursive: + /* + * The "\{" pattern is permitted only after '/' character. + * This guarantees that below "*(p - 1)" is safe. + * Also, the "\}" pattern is permitted only before '/' character + * so that "\{" + "\}" pair will not break the "\-" operator. + */ + if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' || + *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\') + return false; /* Bad pattern. */ + do { + /* Compare current component with pattern. */ + if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2, + p_delimiter - 2)) + break; + /* Proceed to next component. */ + f = f_delimiter; + if (!*f) + break; + f++; + /* Continue comparison. */ + if (tomoyo_path_matches_pattern2(f, p_delimiter + 1)) + return true; + f_delimiter = strchr(f, '/'); + } while (f_delimiter); + return false; /* Not matched. */ +} + +/** * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern. + * * @filename: The filename to check. * @pattern: The pattern to compare. * @@ -615,24 +679,24 @@ static bool tomoyo_file_matches_to_pattern(const char *filename, * The following patterns are available. * \\ \ itself. * \ooo Octal representation of a byte. - * \* More than or equals to 0 character other than '/'. - * \@ More than or equals to 0 character other than '/' or '.'. + * \* Zero or more repetitions of characters other than '/'. + * \@ Zero or more repetitions of characters other than '/' or '.'. * \? 1 byte character other than '/'. - * \$ More than or equals to 1 decimal digit. + * \$ One or more repetitions of decimal digits. * \+ 1 decimal digit. - * \X More than or equals to 1 hexadecimal digit. + * \X One or more repetitions of hexadecimal digits. * \x 1 hexadecimal digit. - * \A More than or equals to 1 alphabet character. + * \A One or more repetitions of alphabet characters. * \a 1 alphabet character. + * * \- Subtraction operator. + * + * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ + * /dir/dir/dir/ ). */ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, const struct tomoyo_path_info *pattern) { - /* - if (!filename || !pattern) - return false; - */ const char *f = filename->name; const char *p = pattern->name; const int len = pattern->const_len; @@ -640,37 +704,15 @@ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, /* If @pattern doesn't contain pattern, I can use strcmp(). */ if (!pattern->is_patterned) return !tomoyo_pathcmp(filename, pattern); - /* Dont compare if the number of '/' differs. */ - if (filename->depth != pattern->depth) + /* Don't compare directory and non-directory. */ + if (filename->is_dir != pattern->is_dir) return false; /* Compare the initial length without patterns. */ if (strncmp(f, p, len)) return false; f += len; p += len; - /* Main loop. Compare each directory component. */ - while (*f && *p) { - const char *f_delimiter = strchr(f, '/'); - const char *p_delimiter = strchr(p, '/'); - if (!f_delimiter) - f_delimiter = f + strlen(f); - if (!p_delimiter) - p_delimiter = p + strlen(p); - if (!tomoyo_file_matches_to_pattern(f, f_delimiter, - p, p_delimiter)) - return false; - f = f_delimiter; - if (*f) - f++; - p = p_delimiter; - if (*p) - p++; - } - /* Ignore trailing "\*" and "\@" in @pattern. */ - while (*p == '\\' && - (*(p + 1) == '*' || *(p + 1) == '@')) - p += 2; - return !*f && !*p; + return tomoyo_path_matches_pattern2(f, p); } /** diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 31df541911f..92169d29b2d 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -56,9 +56,6 @@ struct tomoyo_page_buffer { * (5) "is_patterned" is a bool which is true if "name" contains wildcard * characters, false otherwise. This allows TOMOYO to use "hash" and * strcmp() for string comparison if "is_patterned" is false. - * (6) "depth" is calculated using the number of "/" characters in "name". - * This allows TOMOYO to avoid comparing two pathnames which never match - * (e.g. whether "/var/www/html/index.html" matches "/tmp/sh-thd-\$"). */ struct tomoyo_path_info { const char *name; @@ -66,7 +63,6 @@ struct tomoyo_path_info { u16 const_len; /* = tomoyo_const_part_length(name) */ bool is_dir; /* = tomoyo_strendswith(name, "/") */ bool is_patterned; /* = tomoyo_path_contains_pattern(name) */ - u16 depth; /* = tomoyo_path_depth(name) */ }; /* diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 5ae3a571559..8346938809b 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -1096,27 +1096,6 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info * } /** - * tomoyo_check_file_perm - Check permission for sysctl()'s "read" and "write". - * - * @domain: Pointer to "struct tomoyo_domain_info". - * @filename: Filename to check. - * @perm: Mode ("read" or "write" or "read/write"). - * Returns 0 on success, negative value otherwise. - */ -int tomoyo_check_file_perm(struct tomoyo_domain_info *domain, - const char *filename, const u8 perm) -{ - struct tomoyo_path_info name; - const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE); - - if (!mode) - return 0; - name.name = filename; - tomoyo_fill_path_info(&name); - return tomoyo_check_file_perm2(domain, &name, perm, "sysctl", mode); -} - -/** * tomoyo_check_exec_perm - Check permission for "execute". * * @domain: Pointer to "struct tomoyo_domain_info". diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index 5f2e3326337..18369d497eb 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c @@ -13,6 +13,8 @@ #include <linux/mount.h> #include <linux/mnt_namespace.h> #include <linux/fs_struct.h> +#include <linux/hash.h> + #include "common.h" #include "realpath.h" @@ -108,6 +110,15 @@ int tomoyo_realpath_from_path2(struct path *path, char *newname, spin_unlock(&dcache_lock); path_put(&root); path_put(&ns_root); + /* Prepend "/proc" prefix if using internal proc vfs mount. */ + if (!IS_ERR(sp) && (path->mnt->mnt_parent == path->mnt) && + (strcmp(path->mnt->mnt_sb->s_type->name, "proc") == 0)) { + sp -= 5; + if (sp >= newname) + memcpy(sp, "/proc", 5); + else + sp = ERR_PTR(-ENOMEM); + } } if (IS_ERR(sp)) error = PTR_ERR(sp); @@ -263,7 +274,8 @@ static unsigned int tomoyo_quota_for_savename; * table. Frequency of appending strings is very low. So we don't need * large (e.g. 64k) hash size. 256 will be sufficient. */ -#define TOMOYO_MAX_HASH 256 +#define TOMOYO_HASH_BITS 8 +#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS) /* * tomoyo_name_entry is a structure which is used for linking @@ -315,6 +327,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name) struct tomoyo_free_memory_block_list *fmb; int len; char *cp; + struct list_head *head; if (!name) return NULL; @@ -325,9 +338,10 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name) return NULL; } hash = full_name_hash((const unsigned char *) name, len - 1); + head = &tomoyo_name_list[hash_long(hash, TOMOYO_HASH_BITS)]; + mutex_lock(&lock); - list_for_each_entry(ptr, &tomoyo_name_list[hash % TOMOYO_MAX_HASH], - list) { + list_for_each_entry(ptr, head, list) { if (hash == ptr->entry.hash && !strcmp(name, ptr->entry.name)) goto out; } @@ -365,7 +379,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name) tomoyo_fill_path_info(&ptr->entry); fmb->ptr += len; fmb->len -= len; - list_add_tail(&ptr->list, &tomoyo_name_list[hash % TOMOYO_MAX_HASH]); + list_add_tail(&ptr->list, head); if (fmb->len == 0) { list_del(&fmb->list); kfree(fmb); diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 9548a0984cc..8a00ade8516 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -85,83 +85,6 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm) return tomoyo_check_open_permission(domain, &bprm->file->f_path, 1); } -#ifdef CONFIG_SYSCTL - -static int tomoyo_prepend(char **buffer, int *buflen, const char *str) -{ - int namelen = strlen(str); - - if (*buflen < namelen) - return -ENOMEM; - *buflen -= namelen; - *buffer -= namelen; - memcpy(*buffer, str, namelen); - return 0; -} - -/** - * tomoyo_sysctl_path - return the realpath of a ctl_table. - * @table: pointer to "struct ctl_table". - * - * Returns realpath(3) of the @table on success. - * Returns NULL on failure. - * - * This function uses tomoyo_alloc(), so the caller must call tomoyo_free() - * if this function didn't return NULL. - */ -static char *tomoyo_sysctl_path(struct ctl_table *table) -{ - int buflen = TOMOYO_MAX_PATHNAME_LEN; - char *buf = tomoyo_alloc(buflen); - char *end = buf + buflen; - int error = -ENOMEM; - - if (!buf) - return NULL; - - *--end = '\0'; - buflen--; - while (table) { - char num[32]; - const char *sp = table->procname; - - if (!sp) { - memset(num, 0, sizeof(num)); - snprintf(num, sizeof(num) - 1, "=%d=", table->ctl_name); - sp = num; - } - if (tomoyo_prepend(&end, &buflen, sp) || - tomoyo_prepend(&end, &buflen, "/")) - goto out; - table = table->parent; - } - if (tomoyo_prepend(&end, &buflen, "/proc/sys")) - goto out; - error = tomoyo_encode(buf, end - buf, end); - out: - if (!error) - return buf; - tomoyo_free(buf); - return NULL; -} - -static int tomoyo_sysctl(struct ctl_table *table, int op) -{ - int error; - char *name; - - op &= MAY_READ | MAY_WRITE; - if (!op) - return 0; - name = tomoyo_sysctl_path(table); - if (!name) - return -ENOMEM; - error = tomoyo_check_file_perm(tomoyo_domain(), name, op); - tomoyo_free(name); - return error; -} -#endif - static int tomoyo_path_truncate(struct path *path, loff_t length, unsigned int time_attrs) { @@ -282,9 +205,6 @@ static struct security_operations tomoyo_security_ops = { .cred_transfer = tomoyo_cred_transfer, .bprm_set_creds = tomoyo_bprm_set_creds, .bprm_check_security = tomoyo_bprm_check_security, -#ifdef CONFIG_SYSCTL - .sysctl = tomoyo_sysctl, -#endif .file_fcntl = tomoyo_file_fcntl, .dentry_open = tomoyo_dentry_open, .path_truncate = tomoyo_path_truncate, diff --git a/security/tomoyo/tomoyo.h b/security/tomoyo/tomoyo.h index cd6ba0bf706..ed758325b1a 100644 --- a/security/tomoyo/tomoyo.h +++ b/security/tomoyo/tomoyo.h @@ -18,8 +18,6 @@ struct inode; struct linux_binprm; struct pt_regs; -int tomoyo_check_file_perm(struct tomoyo_domain_info *domain, - const char *filename, const u8 perm); int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, const struct tomoyo_path_info *filename); int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, |