GitHub Repository: torvalds/linux
Path: blob/master/security/tomoyo/common.h
/* SPDX-License-Identifier: GPL-2.0 */
/*
 * security/tomoyo/common.h
 *
 * Header file for TOMOYO.
 *
 * Copyright (C) 2005-2011 NTT DATA CORPORATION
 */
#ifndef _SECURITY_TOMOYO_COMMON_H
#define _SECURITY_TOMOYO_COMMON_H

/*
 * Identity format hook: pr_fmt() expands to its argument unchanged, so no
 * prefix is added through it. It is defined before the includes below.
 */
#define pr_fmt(fmt) fmt

/* Kernel headers used by the declarations in this file. */
#include <linux/ctype.h>
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/file.h>
#include <linux/kmod.h>
#include <linux/fs.h>
#include <linux/sched.h>
#include <linux/namei.h>
#include <linux/mount.h>
#include <linux/list.h>
#include <linux/cred.h>
#include <linux/poll.h>
#include <linux/binfmts.h>
#include <linux/highmem.h>
#include <linux/net.h>
#include <linux/inet.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/un.h>
#include <linux/lsm_hooks.h>
#include <net/sock.h>
#include <net/af_unix.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/udp.h>
/********** Constants definitions. **********/

/*
 * TOMOYO uses this hash only when appending a string into the string
 * table. Frequency of appending strings is very low. So we don't need
 * large (e.g. 64k) hash size. 256 will be sufficient.
 */
#define TOMOYO_HASH_BITS 8
/* Number of hash buckets: 1 << TOMOYO_HASH_BITS, i.e. 256. */
#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)

/*
 * TOMOYO checks only SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET.
 * Therefore, we don't need SOCK_MAX.
 *
 * The "protocol" members of "struct tomoyo_request_info" are documented as
 * holding values smaller than this constant.
 * NOTE(review): anything sized by TOMOYO_SOCK_MAX relies on the socket type
 * being range-checked before it is used as an index; those checks are not
 * visible in this header - confirm in the callers.
 */
#define TOMOYO_SOCK_MAX 6

/* Size in bytes of the temporary buffer "struct tomoyo_execve"->tmp. */
#define TOMOYO_EXEC_TMPSIZE 4096

/*
 * Garbage collector is trying to kfree() this element.
 * Stored in the s8 "is_deleted" members next to true/false, which is why a
 * negative value is used.
 */
#define TOMOYO_GC_IN_PROGRESS -1

/*
 * Profile number is an integer between 0 and 255.
 * The "profile" members in this header are u8, which covers exactly that
 * range.
 */
#define TOMOYO_MAX_PROFILES 256

/* Group number is an integer between 0 and 255. */
#define TOMOYO_MAX_ACL_GROUPS 256
/*
 * Index numbers for "struct tomoyo_condition".
 *
 * Entries before TOMOYO_MAX_CONDITION_KEYWORD are the condition keywords
 * (task credentials, execve() counts, file type and mode bits, and path
 * attributes, judging by the inline comments and the names). The four entries
 * after it are the operand kinds that the comments in
 * "struct tomoyo_condition_element" refer to.
 *
 * NOTE(review): that struct keeps its operands in u8 members, so this enum
 * appears to be limited to 256 entries - confirm before adding keywords.
 */
enum tomoyo_conditions_index {
	TOMOYO_TASK_UID, /* current_uid() */
	TOMOYO_TASK_EUID, /* current_euid() */
	TOMOYO_TASK_SUID, /* current_suid() */
	TOMOYO_TASK_FSUID, /* current_fsuid() */
	TOMOYO_TASK_GID, /* current_gid() */
	TOMOYO_TASK_EGID, /* current_egid() */
	TOMOYO_TASK_SGID, /* current_sgid() */
	TOMOYO_TASK_FSGID, /* current_fsgid() */
	TOMOYO_TASK_PID, /* sys_getpid() */
	TOMOYO_TASK_PPID, /* sys_getppid() */
	TOMOYO_EXEC_ARGC, /* "struct linux_binprm *"->argc */
	TOMOYO_EXEC_ENVC, /* "struct linux_binprm *"->envc */
	TOMOYO_TYPE_IS_SOCKET, /* S_IFSOCK */
	TOMOYO_TYPE_IS_SYMLINK, /* S_IFLNK */
	TOMOYO_TYPE_IS_FILE, /* S_IFREG */
	TOMOYO_TYPE_IS_BLOCK_DEV, /* S_IFBLK */
	TOMOYO_TYPE_IS_DIRECTORY, /* S_IFDIR */
	TOMOYO_TYPE_IS_CHAR_DEV, /* S_IFCHR */
	TOMOYO_TYPE_IS_FIFO, /* S_IFIFO */
	TOMOYO_MODE_SETUID, /* S_ISUID */
	TOMOYO_MODE_SETGID, /* S_ISGID */
	TOMOYO_MODE_STICKY, /* S_ISVTX */
	TOMOYO_MODE_OWNER_READ, /* S_IRUSR */
	TOMOYO_MODE_OWNER_WRITE, /* S_IWUSR */
	TOMOYO_MODE_OWNER_EXECUTE, /* S_IXUSR */
	TOMOYO_MODE_GROUP_READ, /* S_IRGRP */
	TOMOYO_MODE_GROUP_WRITE, /* S_IWGRP */
	TOMOYO_MODE_GROUP_EXECUTE, /* S_IXGRP */
	TOMOYO_MODE_OTHERS_READ, /* S_IROTH */
	TOMOYO_MODE_OTHERS_WRITE, /* S_IWOTH */
	TOMOYO_MODE_OTHERS_EXECUTE, /* S_IXOTH */
	TOMOYO_EXEC_REALPATH,
	TOMOYO_SYMLINK_TARGET,
	TOMOYO_PATH1_UID,
	TOMOYO_PATH1_GID,
	TOMOYO_PATH1_INO,
	TOMOYO_PATH1_MAJOR,
	TOMOYO_PATH1_MINOR,
	TOMOYO_PATH1_PERM,
	TOMOYO_PATH1_TYPE,
	TOMOYO_PATH1_DEV_MAJOR,
	TOMOYO_PATH1_DEV_MINOR,
	TOMOYO_PATH2_UID,
	TOMOYO_PATH2_GID,
	TOMOYO_PATH2_INO,
	TOMOYO_PATH2_MAJOR,
	TOMOYO_PATH2_MINOR,
	TOMOYO_PATH2_PERM,
	TOMOYO_PATH2_TYPE,
	TOMOYO_PATH2_DEV_MAJOR,
	TOMOYO_PATH2_DEV_MINOR,
	TOMOYO_PATH1_PARENT_UID,
	TOMOYO_PATH1_PARENT_GID,
	TOMOYO_PATH1_PARENT_INO,
	TOMOYO_PATH1_PARENT_PERM,
	TOMOYO_PATH2_PARENT_UID,
	TOMOYO_PATH2_PARENT_GID,
	TOMOYO_PATH2_PARENT_INO,
	TOMOYO_PATH2_PARENT_PERM,
	/* End of the keyword entries; the entries below are operand kinds. */
	TOMOYO_MAX_CONDITION_KEYWORD,
	TOMOYO_NUMBER_UNION,
	TOMOYO_NAME_UNION,
	TOMOYO_ARGV_ENTRY,
	TOMOYO_ENVP_ENTRY,
};
/*
 * Index numbers for stat().
 *
 * TOMOYO_MAX_PATH_STAT sizes the stat_valid[] and stat[] arrays of
 * "struct tomoyo_obj_info", whose comment lists the slots in this same order
 * (path1, path1's parent, path2, path2's parent).
 */
enum tomoyo_path_stat_index {
	/* Do not change this order. */
	TOMOYO_PATH1,
	TOMOYO_PATH1_PARENT,
	TOMOYO_PATH2,
	TOMOYO_PATH2_PARENT,
	TOMOYO_MAX_PATH_STAT
};
/*
 * Index numbers for operation mode.
 *
 * The first four entries are the modes and TOMOYO_CONFIG_MAX_MODE counts
 * them. "enum tomoyo_policy_stat_type" documents that its LEARNING,
 * PERMISSIVE and ENFORCING entries equal the ones here, so reordering the
 * modes would break that correspondence.
 *
 * NOTE(review): the three entries with explicit values (64, 128, 255) look
 * like flag bits and a sentinel kept in the u8 config values of
 * "struct tomoyo_profile" - confirm in the code that reads them.
 */
enum tomoyo_mode_index {
	TOMOYO_CONFIG_DISABLED,
	TOMOYO_CONFIG_LEARNING,
	TOMOYO_CONFIG_PERMISSIVE,
	TOMOYO_CONFIG_ENFORCING,
	TOMOYO_CONFIG_MAX_MODE,
	TOMOYO_CONFIG_WANT_REJECT_LOG = 64,
	TOMOYO_CONFIG_WANT_GRANT_LOG = 128,
	TOMOYO_CONFIG_USE_DEFAULT = 255,
};
/*
 * Index numbers for entry type.
 *
 * TOMOYO_MAX_POLICY sizes policy_list[] in "struct tomoyo_policy_namespace".
 */
enum tomoyo_policy_id {
	TOMOYO_ID_GROUP,
	TOMOYO_ID_ADDRESS_GROUP,
	TOMOYO_ID_PATH_GROUP,
	TOMOYO_ID_NUMBER_GROUP,
	TOMOYO_ID_TRANSITION_CONTROL,
	TOMOYO_ID_AGGREGATOR,
	TOMOYO_ID_MANAGER,
	TOMOYO_ID_CONDITION,
	TOMOYO_ID_NAME,
	TOMOYO_ID_ACL,
	TOMOYO_ID_DOMAIN,
	TOMOYO_MAX_POLICY
};
/*
 * Index numbers for domain's attributes.
 *
 * TOMOYO_MAX_DOMAIN_INFO_FLAGS sizes flags[] in "struct tomoyo_domain_info".
 */
enum tomoyo_domain_info_flags_index {
	/* Quota warning flag. */
	TOMOYO_DIF_QUOTA_WARNED,
	/*
	 * This domain was unable to create a new domain at
	 * tomoyo_find_next_domain() because the name of the domain to be
	 * created was too long or it could not allocate memory.
	 * More than one process continued execve() without domain transition.
	 */
	TOMOYO_DIF_TRANSITION_FAILED,
	TOMOYO_MAX_DOMAIN_INFO_FLAGS
};
/*
 * Index numbers for audit type.
 *
 * "struct tomoyo_condition"->grant_log is documented as holding one of these
 * values.
 */
enum tomoyo_grant_log {
	/* Follow profile's configuration. */
	TOMOYO_GRANTLOG_AUTO,
	/* Do not generate grant log. */
	TOMOYO_GRANTLOG_NO,
	/* Generate grant_log. */
	TOMOYO_GRANTLOG_YES,
};
/*
 * Index numbers for group entries.
 *
 * TOMOYO_MAX_GROUP sizes group_list[] in "struct tomoyo_policy_namespace".
 */
enum tomoyo_group_id {
	TOMOYO_PATH_GROUP,
	TOMOYO_NUMBER_GROUP,
	TOMOYO_ADDRESS_GROUP,
	TOMOYO_MAX_GROUP
};
/*
 * Index numbers for type of numeric values.
 *
 * "struct tomoyo_number_union"->value_type[] is documented as holding these
 * values. TOMOYO_VALUE_TYPE_INVALID is the first entry and therefore 0.
 */
enum tomoyo_value_type {
	TOMOYO_VALUE_TYPE_INVALID,
	TOMOYO_VALUE_TYPE_DECIMAL,
	TOMOYO_VALUE_TYPE_OCTAL,
	TOMOYO_VALUE_TYPE_HEXADECIMAL,
};
/*
 * Index numbers for domain transition control keywords.
 *
 * "struct tomoyo_transition_control"->type is documented as holding one of
 * these values. Each keyword is listed as a NO_x / x pair.
 */
enum tomoyo_transition_type {
	/* Do not change this order. */
	TOMOYO_TRANSITION_CONTROL_NO_RESET,
	TOMOYO_TRANSITION_CONTROL_RESET,
	TOMOYO_TRANSITION_CONTROL_NO_INITIALIZE,
	TOMOYO_TRANSITION_CONTROL_INITIALIZE,
	TOMOYO_TRANSITION_CONTROL_NO_KEEP,
	TOMOYO_TRANSITION_CONTROL_KEEP,
	TOMOYO_MAX_TRANSITION_TYPE
};
/*
 * Index numbers for Access Controls.
 *
 * Stored in "struct tomoyo_acl_info"->type. Each "struct tomoyo_*_acl" in
 * this header names the value its "head" member carries.
 */
enum tomoyo_acl_entry_type_index {
	TOMOYO_TYPE_PATH_ACL,
	TOMOYO_TYPE_PATH2_ACL,
	TOMOYO_TYPE_PATH_NUMBER_ACL,
	TOMOYO_TYPE_MKDEV_ACL,
	TOMOYO_TYPE_MOUNT_ACL,
	TOMOYO_TYPE_INET_ACL,
	TOMOYO_TYPE_UNIX_ACL,
	TOMOYO_TYPE_ENV_ACL,
	TOMOYO_TYPE_MANUAL_TASK_ACL,
};
/*
 * Index numbers for access controls with one pathname.
 *
 * "struct tomoyo_path_acl"->perm (u16) is documented as a bitmask of these
 * values, and "struct tomoyo_request_info"->param.path.operation (u8) holds
 * one of them.
 * NOTE(review): presumably each value is a bit position in perm, so the enum
 * cannot grow past 16 operations without widening that member - confirm.
 */
enum tomoyo_path_acl_index {
	TOMOYO_TYPE_EXECUTE,
	TOMOYO_TYPE_READ,
	TOMOYO_TYPE_WRITE,
	TOMOYO_TYPE_APPEND,
	TOMOYO_TYPE_UNLINK,
	TOMOYO_TYPE_GETATTR,
	TOMOYO_TYPE_RMDIR,
	TOMOYO_TYPE_TRUNCATE,
	TOMOYO_TYPE_SYMLINK,
	TOMOYO_TYPE_CHROOT,
	TOMOYO_TYPE_UMOUNT,
	TOMOYO_MAX_PATH_OPERATION
};
/*
 * Index numbers for /sys/kernel/security/tomoyo/stat interface.
 *
 * These are the memory categories; the policy counters of the same interface
 * are indexed by "enum tomoyo_policy_stat_type".
 */
enum tomoyo_memory_stat_type {
	TOMOYO_MEMORY_POLICY,
	TOMOYO_MEMORY_AUDIT,
	TOMOYO_MEMORY_QUERY,
	TOMOYO_MAX_MEMORY_STAT
};
/*
 * Index numbers for the "file mkblock" and "file mkchar" access controls.
 * "struct tomoyo_mkdev_acl"->perm (u8) is documented as a bitmask of these
 * values.
 */
enum tomoyo_mkdev_acl_index {
	TOMOYO_TYPE_MKBLOCK,
	TOMOYO_TYPE_MKCHAR,
	TOMOYO_MAX_MKDEV_OPERATION
};
/*
 * Index numbers for socket operations.
 *
 * The u8 "perm" members of "struct tomoyo_inet_acl" and
 * "struct tomoyo_unix_acl" are documented as bitmasks of these values.
 */
enum tomoyo_network_acl_index {
	TOMOYO_NETWORK_BIND, /* bind() operation. */
	TOMOYO_NETWORK_LISTEN, /* listen() operation. */
	TOMOYO_NETWORK_CONNECT, /* connect() operation. */
	TOMOYO_NETWORK_SEND, /* send() operation. */
	TOMOYO_MAX_NETWORK_OPERATION
};
/*
 * Index numbers for access controls with two pathnames.
 *
 * "struct tomoyo_path2_acl"->perm (u8) is documented as a bitmask of these
 * values.
 */
enum tomoyo_path2_acl_index {
	TOMOYO_TYPE_LINK,
	TOMOYO_TYPE_RENAME,
	TOMOYO_TYPE_PIVOT_ROOT,
	TOMOYO_MAX_PATH2_OPERATION
};
/*
 * Index numbers for access controls with one pathname and one number.
 *
 * "struct tomoyo_path_number_acl"->perm is a u8 documented as a bitmask of
 * these values, and this enum already lists eight operations.
 * NOTE(review): if each value is a bit position (confirm), perm is full; a
 * ninth operation would need a wider member or its bit would be lost.
 */
enum tomoyo_path_number_acl_index {
	TOMOYO_TYPE_CREATE,
	TOMOYO_TYPE_MKDIR,
	TOMOYO_TYPE_MKFIFO,
	TOMOYO_TYPE_MKSOCK,
	TOMOYO_TYPE_IOCTL,
	TOMOYO_TYPE_CHMOD,
	TOMOYO_TYPE_CHOWN,
	TOMOYO_TYPE_CHGRP,
	TOMOYO_MAX_PATH_NUMBER_OPERATION
};
/*
 * Index numbers for /sys/kernel/security/tomoyo/ interfaces.
 *
 * "struct tomoyo_io_buffer"->type records which interface a buffer serves.
 * Unlike most enums in this header there is no TOMOYO_MAX_* terminator.
 */
enum tomoyo_securityfs_interface_index {
	TOMOYO_DOMAINPOLICY,
	TOMOYO_EXCEPTIONPOLICY,
	TOMOYO_PROCESS_STATUS,
	TOMOYO_STAT,
	TOMOYO_AUDIT,
	TOMOYO_VERSION,
	TOMOYO_PROFILE,
	TOMOYO_QUERY,
	TOMOYO_MANAGER
};
/*
 * Index numbers for special mount operations.
 * Each entry's comment shows the mount(8) invocation it stands for.
 */
enum tomoyo_special_mount {
	TOMOYO_MOUNT_BIND, /* mount --bind /source /dest */
	TOMOYO_MOUNT_MOVE, /* mount --move /old /new */
	TOMOYO_MOUNT_REMOUNT, /* mount -o remount /dir */
	TOMOYO_MOUNT_MAKE_UNBINDABLE, /* mount --make-unbindable /dir */
	TOMOYO_MOUNT_MAKE_PRIVATE, /* mount --make-private /dir */
	TOMOYO_MOUNT_MAKE_SLAVE, /* mount --make-slave /dir */
	TOMOYO_MOUNT_MAKE_SHARED, /* mount --make-shared /dir */
	TOMOYO_MAX_SPECIAL_MOUNT
};
/*
 * Index numbers for functionality.
 *
 * One entry per checked operation: the file operations first, then the
 * inet and unix socket operations, then the environment check.
 * "struct tomoyo_profile"->config[] has TOMOYO_MAX_MAC_INDEX +
 * TOMOYO_MAX_MAC_CATEGORY_INDEX slots, so entries added here also enlarge
 * that array.
 */
enum tomoyo_mac_index {
	TOMOYO_MAC_FILE_EXECUTE,
	TOMOYO_MAC_FILE_OPEN,
	TOMOYO_MAC_FILE_CREATE,
	TOMOYO_MAC_FILE_UNLINK,
	TOMOYO_MAC_FILE_GETATTR,
	TOMOYO_MAC_FILE_MKDIR,
	TOMOYO_MAC_FILE_RMDIR,
	TOMOYO_MAC_FILE_MKFIFO,
	TOMOYO_MAC_FILE_MKSOCK,
	TOMOYO_MAC_FILE_TRUNCATE,
	TOMOYO_MAC_FILE_SYMLINK,
	TOMOYO_MAC_FILE_MKBLOCK,
	TOMOYO_MAC_FILE_MKCHAR,
	TOMOYO_MAC_FILE_LINK,
	TOMOYO_MAC_FILE_RENAME,
	TOMOYO_MAC_FILE_CHMOD,
	TOMOYO_MAC_FILE_CHOWN,
	TOMOYO_MAC_FILE_CHGRP,
	TOMOYO_MAC_FILE_IOCTL,
	TOMOYO_MAC_FILE_CHROOT,
	TOMOYO_MAC_FILE_MOUNT,
	TOMOYO_MAC_FILE_UMOUNT,
	TOMOYO_MAC_FILE_PIVOT_ROOT,
	TOMOYO_MAC_NETWORK_INET_STREAM_BIND,
	TOMOYO_MAC_NETWORK_INET_STREAM_LISTEN,
	TOMOYO_MAC_NETWORK_INET_STREAM_CONNECT,
	TOMOYO_MAC_NETWORK_INET_DGRAM_BIND,
	TOMOYO_MAC_NETWORK_INET_DGRAM_SEND,
	TOMOYO_MAC_NETWORK_INET_RAW_BIND,
	TOMOYO_MAC_NETWORK_INET_RAW_SEND,
	TOMOYO_MAC_NETWORK_UNIX_STREAM_BIND,
	TOMOYO_MAC_NETWORK_UNIX_STREAM_LISTEN,
	TOMOYO_MAC_NETWORK_UNIX_STREAM_CONNECT,
	TOMOYO_MAC_NETWORK_UNIX_DGRAM_BIND,
	TOMOYO_MAC_NETWORK_UNIX_DGRAM_SEND,
	TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_BIND,
	TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_LISTEN,
	TOMOYO_MAC_NETWORK_UNIX_SEQPACKET_CONNECT,
	TOMOYO_MAC_ENVIRON,
	TOMOYO_MAX_MAC_INDEX
};
/*
 * Index numbers for category of functionality.
 *
 * TOMOYO_MAX_MAC_CATEGORY_INDEX is added to TOMOYO_MAX_MAC_INDEX to size
 * "struct tomoyo_profile"->config[].
 */
enum tomoyo_mac_category_index {
	TOMOYO_MAC_CATEGORY_FILE,
	TOMOYO_MAC_CATEGORY_NETWORK,
	TOMOYO_MAC_CATEGORY_MISC,
	TOMOYO_MAX_MAC_CATEGORY_INDEX
};
/*
 * Retry this request. Returned by tomoyo_supervisor() if a policy violation
 * has occurred in enforcing mode and the userspace daemon decided to retry.
 *
 * We must choose a positive value in order to distinguish "granted" (which is
 * 0), "rejected" (which is a negative value) and "retry".
 *
 * Code that consumes tomoyo_supervisor()'s result therefore has three
 * outcomes to tell apart, not two.
 */
#define TOMOYO_RETRY_REQUEST 1
/*
 * Index numbers for /sys/kernel/security/tomoyo/stat interface.
 *
 * The inline comments tie three entries to "enum tomoyo_mode_index".
 * TOMOYO_STAT_POLICY_UPDATES is the first entry (0), the value
 * TOMOYO_CONFIG_DISABLED has in that enum.
 */
enum tomoyo_policy_stat_type {
	/* Do not change this order. */
	TOMOYO_STAT_POLICY_UPDATES,
	TOMOYO_STAT_POLICY_LEARNING, /* == TOMOYO_CONFIG_LEARNING */
	TOMOYO_STAT_POLICY_PERMISSIVE, /* == TOMOYO_CONFIG_PERMISSIVE */
	TOMOYO_STAT_POLICY_ENFORCING, /* == TOMOYO_CONFIG_ENFORCING */
	TOMOYO_MAX_POLICY_STAT
};
/*
 * Index numbers for profile's PREFERENCE values.
 *
 * TOMOYO_MAX_PREF sizes pref[] in "struct tomoyo_profile".
 */
enum tomoyo_pref_index {
	TOMOYO_PREF_MAX_AUDIT_LOG,
	TOMOYO_PREF_MAX_LEARNING_ENTRY,
	TOMOYO_MAX_PREF
};
/********** Structure definitions. **********/

/*
 * Common header for holding ACL entries.
 *
 * Embedded as the first member ("head") of the policy entry structures in
 * this header, e.g. "struct tomoyo_path_group" and "struct tomoyo_manager".
 * The struct is __packed.
 */
struct tomoyo_acl_head {
	struct list_head list;
	/* Signed, because TOMOYO_GC_IN_PROGRESS is -1. */
	s8 is_deleted; /* true or false or TOMOYO_GC_IN_PROGRESS */
} __packed;
/*
 * Common header for shared entries.
 *
 * Embedded as "head" in "struct tomoyo_name", "struct tomoyo_group" and
 * "struct tomoyo_condition".
 */
struct tomoyo_shared_acl_head {
	struct list_head list;
	/* NOTE(review): presumably a reference count of the sharers - confirm. */
	atomic_t users;
} __packed;
/*
 * Forward declaration: the structures below hold pointers to it before its
 * full definition appears later in this header.
 */
struct tomoyo_policy_namespace;
/*
 * Structure for request info.
 *
 * The "param" union carries the arguments of one request. Which member is
 * live is not encoded in the union itself.
 * NOTE(review): presumably "param_type" selects the live member - confirm in
 * the code that fills this structure before reading any union member.
 */
struct tomoyo_request_info {
	/*
	 * For holding parameters specific to operations which deal with files.
	 * NULL if not dealing with files.
	 */
	struct tomoyo_obj_info *obj;
	/*
	 * For holding parameters specific to execve() request.
	 * NULL if not dealing with execve().
	 */
	struct tomoyo_execve *ee;
	struct tomoyo_domain_info *domain;
	/* For holding parameters. */
	union {
		struct {
			const struct tomoyo_path_info *filename;
			/* For using wildcards at tomoyo_find_next_domain(). */
			const struct tomoyo_path_info *matched_path;
			/* One of values in "enum tomoyo_path_acl_index". */
			u8 operation;
		} path;
		struct {
			const struct tomoyo_path_info *filename1;
			const struct tomoyo_path_info *filename2;
			/* One of values in "enum tomoyo_path2_acl_index". */
			u8 operation;
		} path2;
		struct {
			const struct tomoyo_path_info *filename;
			unsigned int mode;
			unsigned int major;
			unsigned int minor;
			/* One of values in "enum tomoyo_mkdev_acl_index". */
			u8 operation;
		} mkdev;
		struct {
			const struct tomoyo_path_info *filename;
			unsigned long number;
			/*
			 * One of values in
			 * "enum tomoyo_path_number_acl_index".
			 */
			u8 operation;
		} path_number;
		struct {
			const struct tomoyo_path_info *name;
		} environ;
		struct {
			/* Shared by IPv4 and IPv6; is_ipv6 says which. */
			const __be32 *address;
			u16 port;
			/* One of values smaller than TOMOYO_SOCK_MAX. */
			u8 protocol;
			/* One of values in "enum tomoyo_network_acl_index". */
			u8 operation;
			bool is_ipv6;
		} inet_network;
		struct {
			const struct tomoyo_path_info *address;
			/* One of values smaller than TOMOYO_SOCK_MAX. */
			u8 protocol;
			/* One of values in "enum tomoyo_network_acl_index". */
			u8 operation;
		} unix_network;
		struct {
			const struct tomoyo_path_info *type;
			const struct tomoyo_path_info *dir;
			const struct tomoyo_path_info *dev;
			unsigned long flags;
			int need_dev;
		} mount;
		struct {
			const struct tomoyo_path_info *domainname;
		} task;
	} param;
	struct tomoyo_acl_info *matched_acl;
	u8 param_type;
	bool granted;
	u8 retry;
	/* u8 matches the 0..255 profile range (TOMOYO_MAX_PROFILES). */
	u8 profile;
	u8 mode; /* One of values in "enum tomoyo_mode_index". */
	u8 type;
};
/*
 * Structure for holding a token.
 *
 * Every member after "name" is documented as a value computed from "name",
 * so the members only agree as long as they are derived from the same
 * string.
 */
struct tomoyo_path_info {
	const char *name;
	u32 hash; /* = full_name_hash(name, strlen(name)) */
	u16 const_len; /* = tomoyo_const_part_length(name) */
	bool is_dir; /* = tomoyo_strendswith(name, "/") */
	bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
};
/*
 * Structure for holding string data.
 * Pairs the shared-entry header with the token it carries.
 */
struct tomoyo_name {
	struct tomoyo_shared_acl_head head;
	struct tomoyo_path_info entry;
};
/*
 * Structure for holding a word.
 * A word is given either as a single token or as a reference to a group.
 */
struct tomoyo_name_union {
	/* Either @filename or @group is NULL. */
	const struct tomoyo_path_info *filename;
	struct tomoyo_group *group;
};
/*
 * Structure for holding a number.
 *
 * NOTE(review): values[] and value_type[] both have two slots, presumably
 * the lower and upper end of a range and the notation each was written in -
 * confirm against tomoyo_parse_number_union().
 */
struct tomoyo_number_union {
	unsigned long values[2];
	struct tomoyo_group *group; /* Maybe NULL. */
	/* One of values in "enum tomoyo_value_type". */
	u8 value_type[2];
};
/*
 * Structure for holding an IP address.
 *
 * NOTE(review): ip[] has two slots, presumably the ends of an address range -
 * confirm against tomoyo_parse_ipaddr_union().
 */
struct tomoyo_ipaddr_union {
	struct in6_addr ip[2]; /* Big endian. */
	struct tomoyo_group *group; /* Pointer to address group. */
	bool is_ipv6; /* Valid only if @group == NULL. */
};
/*
 * Structure for "path_group"/"number_group"/"address_group" directive.
 * The group itself; its members are linked on member_list.
 */
struct tomoyo_group {
	struct tomoyo_shared_acl_head head;
	const struct tomoyo_path_info *group_name;
	struct list_head member_list;
};
/* Structure for "path_group" directive. One pathname member of a group. */
struct tomoyo_path_group {
	struct tomoyo_acl_head head;
	const struct tomoyo_path_info *member_name;
};
/* Structure for "number_group" directive. One numeric member of a group. */
struct tomoyo_number_group {
	struct tomoyo_acl_head head;
	struct tomoyo_number_union number;
};
/* Structure for "address_group" directive. One address member of a group. */
struct tomoyo_address_group {
	struct tomoyo_acl_head head;
	/* Structure for holding an IP address. */
	struct tomoyo_ipaddr_union address;
};
/*
 * Subset of "struct stat". Used by conditional ACL and audit logs.
 * "struct tomoyo_obj_info" keeps one of these per TOMOYO_PATH* slot.
 */
struct tomoyo_mini_stat {
	kuid_t uid;
	kgid_t gid;
	ino_t ino;
	umode_t mode;
	dev_t dev;
	dev_t rdev;
};
/*
 * Structure for dumping argv[] and envp[] of "struct linux_binprm".
 *
 * "data" is documented as PAGE_SIZE bytes, so any offset used with it has to
 * stay below PAGE_SIZE.
 */
struct tomoyo_page_dump {
	struct page *page; /* Previously dumped page. */
	char *data; /* Contents of "page". Size is PAGE_SIZE. */
};
/*
 * Structure for attribute checks in addition to pathname checks.
 *
 * stat_valid[] and stat[] both have TOMOYO_MAX_PATH_STAT slots, i.e. one per
 * entry of "enum tomoyo_path_stat_index". A stat[] slot is meaningful only
 * when the matching stat_valid[] slot is true.
 */
struct tomoyo_obj_info {
	/*
	 * True if tomoyo_get_attributes() was already called, false otherwise.
	 */
	bool validate_done;
	/* True if @stat[] is valid. */
	bool stat_valid[TOMOYO_MAX_PATH_STAT];
	/* First pathname. Initialized with { NULL, NULL } if no path. */
	struct path path1;
	/* Second pathname. Initialized with { NULL, NULL } if no path. */
	struct path path2;
	/*
	 * Information on @path1, @path1's parent directory, @path2, @path2's
	 * parent directory.
	 */
	struct tomoyo_mini_stat stat[TOMOYO_MAX_PATH_STAT];
	/*
	 * Content of symbolic link to be created. NULL for operations other
	 * than symlink().
	 */
	struct tomoyo_path_info *symlink_target;
};
/*
 * Structure for argv[].
 * One condition on a single argv[] slot.
 */
struct tomoyo_argv {
	unsigned long index;
	const struct tomoyo_path_info *value;
	/* NOTE(review): presumably inverts the comparison - confirm. */
	bool is_not;
};
/*
 * Structure for envp[].
 * One condition on a single environment variable.
 */
struct tomoyo_envp {
	const struct tomoyo_path_info *name;
	const struct tomoyo_path_info *value;
	/* NOTE(review): presumably inverts the comparison - confirm. */
	bool is_not;
};
/*
 * Structure for execve() operation.
 *
 * Bundles the request, the object information, the binprm being executed
 * and the scratch buffers used while handling one execve().
 */
struct tomoyo_execve {
	struct tomoyo_request_info r;
	struct tomoyo_obj_info obj;
	struct linux_binprm *bprm;
	const struct tomoyo_path_info *transition;
	/* For dumping argv[] and envp[]. */
	struct tomoyo_page_dump dump;
	/* For temporary use. */
	char *tmp; /* Size is TOMOYO_EXEC_TMPSIZE bytes */
};
/*
 * Structure for entries which follow "struct tomoyo_condition".
 *
 * One "left operator right" test. The operand members are u8 and, per the
 * comments below, take values such as TOMOYO_ARGV_ENTRY or
 * TOMOYO_NUMBER_UNION from "enum tomoyo_conditions_index".
 */
struct tomoyo_condition_element {
	/*
	 * Left hand operand. A "struct tomoyo_argv" for TOMOYO_ARGV_ENTRY, a
	 * "struct tomoyo_envp" for TOMOYO_ENVP_ENTRY is attached to the tail
	 * of the array of this struct.
	 */
	u8 left;
	/*
	 * Right hand operand. A "struct tomoyo_number_union" for
	 * TOMOYO_NUMBER_UNION, a "struct tomoyo_name_union" for
	 * TOMOYO_NAME_UNION is attached to the tail of the array of this
	 * struct.
	 */
	u8 right;
	/* Equation operator. True if equals or overlaps, false otherwise. */
	bool equals;
};
/*
 * Structure for optional arguments.
 *
 * The struct declares no array member. The variable-length parts listed in
 * the comment at its end are described as following it, with their element
 * counts held in the u16 members and the total allocation in "size".
 * NOTE(review): code walking those trailing arrays depends on the counts and
 * "size" agreeing - confirm where that is established when a condition is
 * built from a policy line.
 */
struct tomoyo_condition {
	struct tomoyo_shared_acl_head head;
	u32 size; /* Memory size allocated for this entry. */
	u16 condc; /* Number of conditions in this struct. */
	u16 numbers_count; /* Number of "struct tomoyo_number_union values". */
	u16 names_count; /* Number of "struct tomoyo_name_union names". */
	u16 argc; /* Number of "struct tomoyo_argv". */
	u16 envc; /* Number of "struct tomoyo_envp". */
	u8 grant_log; /* One of values in "enum tomoyo_grant_log". */
	const struct tomoyo_path_info *transit; /* Maybe NULL. */
	/*
	 * struct tomoyo_condition_element condition[condc];
	 * struct tomoyo_number_union values[numbers_count];
	 * struct tomoyo_name_union names[names_count];
	 * struct tomoyo_argv argv[argc];
	 * struct tomoyo_envp envp[envc];
	 */
};
/*
 * Common header for individual entries.
 *
 * Embedded as the first member ("head") of every "struct tomoyo_*_acl" in
 * this header; "type" tells which of them an entry is. The struct is
 * __packed.
 */
struct tomoyo_acl_info {
	struct list_head list;
	struct tomoyo_condition *cond; /* Maybe NULL. */
	/* Signed, because TOMOYO_GC_IN_PROGRESS is -1. */
	s8 is_deleted; /* true or false or TOMOYO_GC_IN_PROGRESS */
	u8 type; /* One of values in "enum tomoyo_acl_entry_type_index". */
} __packed;
/* Structure for domain information. */
struct tomoyo_domain_info {
	struct list_head list;
	struct list_head acl_info_list;
	/* Name of this domain. Never NULL. */
	const struct tomoyo_path_info *domainname;
	/* Namespace for this domain. Never NULL. */
	struct tomoyo_policy_namespace *ns;
	/*
	 * Group numbers to use.
	 * Sized to hold TOMOYO_MAX_ACL_GROUPS bits, i.e. presumably one bit
	 * per ACL group number - confirm how it is indexed.
	 */
	unsigned long group[TOMOYO_MAX_ACL_GROUPS / BITS_PER_LONG];
	u8 profile; /* Profile number to use. */
	bool is_deleted; /* Delete flag. */
	/* Indexed by "enum tomoyo_domain_info_flags_index". */
	bool flags[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
	atomic_t users; /* Number of referring tasks. */
};
/*
 * Structure for "task manual_domain_transition" directive.
 */
struct tomoyo_task_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MANUAL_TASK_ACL */
	/* Pointer to domainname. */
	const struct tomoyo_path_info *domainname;
};
/*
 * Structure for "file execute", "file read", "file write", "file append",
 * "file unlink", "file getattr", "file rmdir", "file truncate",
 * "file symlink", "file chroot" and "file unmount" directive.
 *
 * One entry can grant several of these operations on the same name: "perm"
 * is a bitmask, and it is u16 because "enum tomoyo_path_acl_index" lists
 * more than eight operations.
 */
struct tomoyo_path_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */
	u16 perm; /* Bitmask of values in "enum tomoyo_path_acl_index". */
	struct tomoyo_name_union name;
};
/*
 * Structure for "file create", "file mkdir", "file mkfifo", "file mksock",
 * "file ioctl", "file chmod", "file chown" and "file chgrp" directive.
 *
 * NOTE(review): "perm" is u8 and the enum it is a bitmask of already has
 * eight operations, so there appears to be no spare bit - confirm before
 * extending "enum tomoyo_path_number_acl_index".
 */
struct tomoyo_path_number_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_NUMBER_ACL */
	/* Bitmask of values in "enum tomoyo_path_number_acl_index". */
	u8 perm;
	struct tomoyo_name_union name;
	struct tomoyo_number_union number;
};
/*
 * Structure for "file mkblock" and "file mkchar" directive.
 * The device node's mode, major and minor are each held as a number union.
 */
struct tomoyo_mkdev_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MKDEV_ACL */
	u8 perm; /* Bitmask of values in "enum tomoyo_mkdev_acl_index". */
	struct tomoyo_name_union name;
	struct tomoyo_number_union mode;
	struct tomoyo_number_union major;
	struct tomoyo_number_union minor;
};
/*
 * Structure for "file rename", "file link" and "file pivot_root" directive.
 * These operations take two pathnames, held in name1 and name2.
 */
struct tomoyo_path2_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH2_ACL */
	u8 perm; /* Bitmask of values in "enum tomoyo_path2_acl_index". */
	struct tomoyo_name_union name1;
	struct tomoyo_name_union name2;
};
/*
 * Structure for "file mount" directive.
 * Device, directory and filesystem type are name unions, so each is either
 * a single token or a group reference; the flags are a number union.
 */
struct tomoyo_mount_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MOUNT_ACL */
	struct tomoyo_name_union dev_name;
	struct tomoyo_name_union dir_name;
	struct tomoyo_name_union fs_type;
	struct tomoyo_number_union flags;
};
/* Structure for "misc env" directive in domain policy. */
struct tomoyo_env_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_ENV_ACL */
	const struct tomoyo_path_info *env; /* environment variable */
};
/*
 * Structure for "network inet" directive.
 * NOTE(review): "protocol" is presumably a value smaller than
 * TOMOYO_SOCK_MAX, as in "struct tomoyo_request_info" - confirm.
 */
struct tomoyo_inet_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_INET_ACL */
	u8 protocol;
	u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
	struct tomoyo_ipaddr_union address;
	struct tomoyo_number_union port;
};
/*
 * Structure for "network unix" directive.
 * NOTE(review): "protocol" is presumably a value smaller than
 * TOMOYO_SOCK_MAX, as in "struct tomoyo_request_info" - confirm.
 */
struct tomoyo_unix_acl {
	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_UNIX_ACL */
	u8 protocol;
	u8 perm; /* Bitmask of values in "enum tomoyo_network_acl_index" */
	struct tomoyo_name_union name;
};
/*
 * Structure for holding a line from /sys/kernel/security/tomoyo/ interface.
 *
 * The line is text written through the policy interface, i.e. input that
 * originates outside the kernel.
 * NOTE(review): "data" is a non-const char *, so parsers presumably consume
 * or modify it in place - confirm, and confirm where the tomoyo_correct_*()
 * checks are applied to it.
 */
struct tomoyo_acl_param {
	char *data;
	struct list_head *list;
	struct tomoyo_policy_namespace *ns;
	bool is_delete;
};
/* Number of slots in the r.w[] array of "struct tomoyo_io_buffer". */
#define TOMOYO_MAX_IO_READ_QUEUE 64
/*
 * Structure for reading/writing policy via /sys/kernel/security/tomoyo
 * interfaces.
 *
 * Holds the per-interface callbacks, the read cursor ("r"), the write state
 * ("w") and the kernel-side read and write buffers with their sizes.
 */
struct tomoyo_io_buffer {
	void (*read)(struct tomoyo_io_buffer *head);
	int (*write)(struct tomoyo_io_buffer *head);
	__poll_t (*poll)(struct file *file, poll_table *wait);
	/* Exclusive lock for this structure. */
	struct mutex io_sem;
	/*
	 * Userspace buffer. The __user annotation marks a pointer that must
	 * not be dereferenced directly, only through the user-copy helpers.
	 */
	char __user *read_user_buf;
	/* NOTE(review): presumably bytes still free in read_user_buf - confirm. */
	size_t read_user_buf_avail;
	struct {
		struct list_head *ns;
		struct list_head *domain;
		struct list_head *group;
		struct list_head *acl;
		size_t avail;
		unsigned int step;
		unsigned int query_index;
		u16 index;
		u16 cond_index;
		u8 acl_group_index;
		u8 cond_step;
		u8 bit;
		/* NOTE(review): presumably the fill level of w[] - confirm. */
		u8 w_pos;
		bool eof;
		bool print_this_domain_only;
		bool print_transition_related_only;
		bool print_cond_part;
		const char *w[TOMOYO_MAX_IO_READ_QUEUE];
	} r;
	struct {
		struct tomoyo_policy_namespace *ns;
		/* The position currently writing to. */
		struct tomoyo_domain_info *domain;
		/* Bytes available for writing. */
		size_t avail;
		bool is_delete;
	} w;
	/* Buffer for reading. */
	char *read_buf;
	/* Size of read buffer. */
	size_t readbuf_size;
	/* Buffer for writing. */
	char *write_buf;
	/* Size of write buffer. */
	size_t writebuf_size;
	/* Type of this interface. */
	enum tomoyo_securityfs_interface_index type;
	/*
	 * Users counter protected by tomoyo_io_buffer_list_lock.
	 * NOTE(review): a u8 wraps after 255 - confirm the number of
	 * simultaneous users is bounded below that.
	 */
	u8 users;
	/* List for telling GC not to kfree() elements. */
	struct list_head list;
};
/*
 * Structure for "initialize_domain"/"no_initialize_domain"/"keep_domain"/
 * "no_keep_domain" keyword.
 *
 * Both name pointers may be NULL; what a NULL stands for is not stated in
 * this header.
 */
struct tomoyo_transition_control {
	struct tomoyo_acl_head head;
	u8 type; /* One of values in "enum tomoyo_transition_type". */
	/* True if the domainname is tomoyo_get_last_name(). */
	bool is_last_name;
	const struct tomoyo_path_info *domainname; /* Maybe NULL */
	const struct tomoyo_path_info *program; /* Maybe NULL */
};
/*
 * Structure for "aggregator" keyword.
 * Pairs an original name with the name it is aggregated under.
 */
struct tomoyo_aggregator {
	struct tomoyo_acl_head head;
	const struct tomoyo_path_info *original_name;
	const struct tomoyo_path_info *aggregated_name;
};
/*
 * Structure for policy manager.
 * One entry of the manager list, identified by program path or domainname.
 */
struct tomoyo_manager {
	struct tomoyo_acl_head head;
	/* A path to program or a domainname. */
	const struct tomoyo_path_info *manager;
};
/*
 * Preference values. "struct tomoyo_profile" embeds one of these and also
 * holds three pointers to this type named learning, permissive and enforcing.
 */
struct tomoyo_preference {
	unsigned int learning_max_entry;
	bool enforcing_verbose;
	bool learning_verbose;
	bool permissive_verbose;
};
/*
 * Structure for /sys/kernel/security/tomoyo/profile interface.
 *
 * config[] has one slot per "enum tomoyo_mac_index" entry plus one per
 * "enum tomoyo_mac_category_index" entry; pref[] is indexed by
 * "enum tomoyo_pref_index".
 * NOTE(review): the u8 config values presumably combine a
 * "enum tomoyo_mode_index" mode with the WANT_*_LOG values of that enum -
 * confirm in the code that reads them.
 */
struct tomoyo_profile {
	const struct tomoyo_path_info *comment;
	struct tomoyo_preference *learning;
	struct tomoyo_preference *permissive;
	struct tomoyo_preference *enforcing;
	struct tomoyo_preference preference;
	u8 default_config;
	u8 config[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX];
	unsigned int pref[TOMOYO_MAX_PREF];
};
/*
 * Structure for representing YYYY/MM/DD hh/mm/ss.
 * A broken-down timestamp with one member per field.
 */
struct tomoyo_time {
	u16 year;
	u8 month;
	u8 day;
	u8 hour;
	u8 min;
	u8 sec;
};
/*
 * Structure for policy namespace.
 *
 * Each namespace carries its own profile table, group lists, policy lists
 * and ACL groups.
 */
struct tomoyo_policy_namespace {
	/*
	 * Profile table. Memory is allocated as needed.
	 * A slot can therefore be NULL until its profile is allocated.
	 */
	struct tomoyo_profile *profile_ptr[TOMOYO_MAX_PROFILES];
	/* List of "struct tomoyo_group". */
	struct list_head group_list[TOMOYO_MAX_GROUP];
	/* List of policy. */
	struct list_head policy_list[TOMOYO_MAX_POLICY];
	/* The global ACL referred by "use_group" keyword. */
	struct list_head acl_group[TOMOYO_MAX_ACL_GROUPS];
	/* List for connecting to tomoyo_namespace_list list. */
	struct list_head namespace_list;
	/* Profile version. Currently only 20150505 is defined. */
	unsigned int profile_version;
	/* Name of this namespace (e.g. "<kernel>", "</usr/sbin/httpd>" ). */
	const char *name;
};
/*
 * Structure for "struct task_struct"->security.
 * NOTE(review): judging by the names, the task's current domain and the one
 * it had before - confirm where old_domain_info is set and cleared.
 */
struct tomoyo_task {
	struct tomoyo_domain_info *domain_info;
	struct tomoyo_domain_info *old_domain_info;
};
/********** Function prototypes. **********/

/*
 * Functions returning bool. This header does not say what true and false
 * mean for each of them; see the definitions.
 */
bool tomoyo_address_matches_group(const bool is_ipv6, const __be32 *address,
				  const struct tomoyo_group *group);
bool tomoyo_compare_number_union(const unsigned long value,
				 const struct tomoyo_number_union *ptr);
bool tomoyo_condition(struct tomoyo_request_info *r,
		      const struct tomoyo_condition *cond);
bool tomoyo_correct_domain(const unsigned char *domainname);
bool tomoyo_correct_path(const char *filename);
bool tomoyo_correct_word(const char *string);
bool tomoyo_domain_def(const unsigned char *buffer);
bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);
bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
		      struct tomoyo_page_dump *dump);
bool tomoyo_memory_ok(void *ptr);
bool tomoyo_number_matches_group(const unsigned long min,
				 const unsigned long max,
				 const struct tomoyo_group *group);
/* The three parsers below fill *ptr from the policy line held in param. */
bool tomoyo_parse_ipaddr_union(struct tomoyo_acl_param *param,
			       struct tomoyo_ipaddr_union *ptr);
bool tomoyo_parse_name_union(struct tomoyo_acl_param *param,
			     struct tomoyo_name_union *ptr);
bool tomoyo_parse_number_union(struct tomoyo_acl_param *param,
			       struct tomoyo_number_union *ptr);
bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
				 const struct tomoyo_path_info *pattern);
bool tomoyo_permstr(const char *string, const char *keyword);
/* Takes char **, so it can move the caller's *src. */
bool tomoyo_str_starts(char **src, const char *find);
/*
 * Functions returning strings.
 * NOTE(review): this header does not state who owns the returned buffers or
 * whether NULL can be returned - confirm at each definition before use.
 */
char *tomoyo_encode(const char *str);
char *tomoyo_encode2(const char *str, int str_len);
/*
 * __printf(3, 0): parameter 3 is a printf-style format whose arguments arrive
 * as a va_list, so the compiler checks the format string itself.
 */
char *tomoyo_init_log(struct tomoyo_request_info *r, int len, const char *fmt,
		      va_list args) __printf(3, 0);
char *tomoyo_read_token(struct tomoyo_acl_param *param);
char *tomoyo_realpath_from_path(const struct path *path);
char *tomoyo_realpath_nofollow(const char *pathname);
const char *tomoyo_get_exe(void);
/*
 * Functions returning a "struct tomoyo_path_info" pointer.
 * NOTE(review): presumably NULL means no match or failure - confirm at each
 * definition.
 */
const struct tomoyo_path_info *tomoyo_compare_name_union
(const struct tomoyo_path_info *name, const struct tomoyo_name_union *ptr);
const struct tomoyo_path_info *tomoyo_get_domainname
(struct tomoyo_acl_param *param);
const struct tomoyo_path_info *tomoyo_get_name(const char *name);
const struct tomoyo_path_info *tomoyo_path_matches_group
(const struct tomoyo_path_info *pathname, const struct tomoyo_group *group);
/*
 * Permission checks and securityfs control entry points.
 *
 * The comment on TOMOYO_RETRY_REQUEST gives the result convention of
 * tomoyo_supervisor(): 0 is "granted", a negative value is "rejected" and
 * the positive TOMOYO_RETRY_REQUEST is "retry".
 * NOTE(review): the other int-returning checks presumably use 0 / negative
 * errno - confirm at each definition.
 */
int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
				 const struct path *path, const int flag);
void tomoyo_close_control(struct tomoyo_io_buffer *head);
int tomoyo_env_perm(struct tomoyo_request_info *r, const char *env);
int tomoyo_execute_permission(struct tomoyo_request_info *r,
			      const struct tomoyo_path_info *filename);
int tomoyo_find_next_domain(struct linux_binprm *bprm);
int tomoyo_get_mode(const struct tomoyo_policy_namespace *ns, const u8 profile,
		    const u8 index);
int tomoyo_init_request_info(struct tomoyo_request_info *r,
			     struct tomoyo_domain_info *domain,
			     const u8 index);
int tomoyo_mkdev_perm(const u8 operation, const struct path *path,
		      const unsigned int mode, unsigned int dev);
int tomoyo_mount_permission(const char *dev_name, const struct path *path,
			    const char *type, unsigned long flags,
			    void *data_page);
int tomoyo_open_control(const u8 type, struct file *file);
int tomoyo_path2_perm(const u8 operation, const struct path *path1,
		      const struct path *path2);
int tomoyo_path_number_perm(const u8 operation, const struct path *path,
			    unsigned long number);
int tomoyo_path_perm(const u8 operation, const struct path *path,
		     const char *target);
__poll_t tomoyo_poll_control(struct file *file, poll_table *wait);
__poll_t tomoyo_poll_log(struct file *file, poll_table *wait);
int tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr,
				  int addr_len);
int tomoyo_socket_connect_permission(struct socket *sock,
				     struct sockaddr *addr, int addr_len);
int tomoyo_socket_listen_permission(struct socket *sock);
int tomoyo_socket_sendmsg_permission(struct socket *sock, struct msghdr *msg,
				     int size);
/*
 * __printf(2, 3): parameter 2 is a printf-style format and the variadic
 * arguments start at parameter 3, so the compiler checks every call site's
 * format string against its arguments.
 */
int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)
	__printf(2, 3);
/*
 * Policy update entry points. The two tomoyo_update_*() functions take the
 * new entry plus its size and caller-supplied callbacks for duplicate
 * detection (and, for domains, merging).
 * NOTE(review): @size is a signed int describing @new_entry; presumably it
 * must equal the size of the concrete entry type - confirm at the callers.
 */
int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size,
		struct tomoyo_acl_param *param,
		bool (*check_duplicate)(const struct tomoyo_acl_info *,
				const struct tomoyo_acl_info *),
		bool (*merge_duplicate)(struct tomoyo_acl_info *,
				struct tomoyo_acl_info *,
				const bool));
int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
		struct tomoyo_acl_param *param,
		bool (*check_duplicate)(const struct tomoyo_acl_head *,
				const struct tomoyo_acl_head *));
int tomoyo_write_aggregator(struct tomoyo_acl_param *param);
int tomoyo_write_file(struct tomoyo_acl_param *param);
int tomoyo_write_group(struct tomoyo_acl_param *param, const u8 type);
int tomoyo_write_misc(struct tomoyo_acl_param *param);
int tomoyo_write_inet_network(struct tomoyo_acl_param *param);
int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
		const u8 type);
int tomoyo_write_unix_network(struct tomoyo_acl_param *param);
/*
 * Read/write handlers for the policy interface. @buffer is annotated
 * __user: it points into userspace and must only be reached through the
 * user-copy helpers, never dereferenced directly. @buffer_len is a signed
 * int supplied together with that pointer.
 */
ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
		const int buffer_len);
ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
		const char __user *buffer, const int buffer_len);
/*
 * Lookups and constructors returning pointers to policy objects.
 * NOTE(review): presumably tomoyo_get_condition() and tomoyo_get_group()
 * take a reference that tomoyo_put_condition() / tomoyo_put_group() drop,
 * and any of these may return NULL - confirm at the definitions.
 */
struct tomoyo_condition *tomoyo_get_condition(struct tomoyo_acl_param *param);
struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname,
		const bool transit);
struct tomoyo_domain_info *tomoyo_domain(void);
struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
struct tomoyo_group *tomoyo_get_group(struct tomoyo_acl_param *param,
		const u8 idx);
struct tomoyo_policy_namespace *tomoyo_assign_namespace(
		const char *domainname);
struct tomoyo_profile *tomoyo_profile(const struct tomoyo_policy_namespace *ns,
		const u8 profile);
/* Remaining helpers: number parsing, memory accounting, init, logging. */
u8 tomoyo_parse_ulong(unsigned long *result, char **str);
void *tomoyo_commit_ok(void *data, const unsigned int size);
/* __init: only callable during kernel initialisation. */
void __init tomoyo_load_builtin_policy(void);
void __init tomoyo_mm_init(void);
void tomoyo_check_acl(struct tomoyo_request_info *r,
		bool (*check_entry)(struct tomoyo_request_info *,
				const struct tomoyo_acl_info *));
void tomoyo_check_profile(void);
void tomoyo_convert_time(time64_t time, struct tomoyo_time *stamp);
void tomoyo_del_condition(struct list_head *element);
void tomoyo_fill_path_info(struct tomoyo_path_info *ptr);
void tomoyo_get_attributes(struct tomoyo_obj_info *obj);
void tomoyo_init_policy_namespace(struct tomoyo_policy_namespace *ns);
void tomoyo_load_policy(const char *filename);
/* Takes no length: NOTE(review) presumably @buffer is NUL-terminated. */
void tomoyo_normalize_line(unsigned char *buffer);
void tomoyo_notify_gc(struct tomoyo_io_buffer *head, const bool is_register);
/* The two printers below receive the destination size explicitly. */
void tomoyo_print_ip(char *buf, const unsigned int size,
		const struct tomoyo_ipaddr_union *ptr);
void tomoyo_print_ulong(char *buffer, const int buffer_len,
		const unsigned long value, const u8 type);
void tomoyo_put_name_union(struct tomoyo_name_union *ptr);
void tomoyo_put_number_union(struct tomoyo_number_union *ptr);
void tomoyo_read_log(struct tomoyo_io_buffer *head);
void tomoyo_update_stat(const u8 index);
void tomoyo_warn_oom(const char *function);
/* __printf(2, 3): @fmt and the variadic arguments are format-checked. */
void tomoyo_write_log(struct tomoyo_request_info *r, const char *fmt, ...)
	__printf(2, 3);
/* __printf(3, 0): va_list variant, only the format string is checked. */
void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,
		va_list args) __printf(3, 0);
/********** External variable definitions. **********/

/* Global state flags. */
extern bool tomoyo_policy_loaded;
extern int tomoyo_enabled;

/*
 * Keyword and mapping tables. All are const (the string tables are const
 * pointers to const char), each dimensioned by the named TOMOYO_MAX_*
 * constant.
 */
extern const char * const
tomoyo_condition_keyword[TOMOYO_MAX_CONDITION_KEYWORD];
extern const char * const tomoyo_dif[TOMOYO_MAX_DOMAIN_INFO_FLAGS];
extern const char * const
tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX];
extern const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE];
extern const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION];
extern const char * const tomoyo_proto_keyword[TOMOYO_SOCK_MAX];
extern const char * const tomoyo_socket_keyword[TOMOYO_MAX_NETWORK_OPERATION];
extern const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX];
extern const u8 tomoyo_pn2mac[TOMOYO_MAX_PATH_NUMBER_OPERATION];
extern const u8 tomoyo_pnnn2mac[TOMOYO_MAX_MKDEV_OPERATION];
extern const u8 tomoyo_pp2mac[TOMOYO_MAX_PATH2_OPERATION];

/* Policy lists; tomoyo_name_list has one list head per hash bucket. */
extern struct list_head tomoyo_condition_list;
extern struct list_head tomoyo_domain_list;
extern struct list_head tomoyo_name_list[TOMOYO_MAX_HASH];
extern struct list_head tomoyo_namespace_list;

/*
 * Synchronisation objects. tomoyo_ss is the SRCU domain entered and left
 * by tomoyo_read_lock() / tomoyo_read_unlock().
 * NOTE(review): presumably tomoyo_policy_lock serialises policy writers -
 * confirm at its users.
 */
extern struct mutex tomoyo_policy_lock;
extern struct srcu_struct tomoyo_ss;

extern struct tomoyo_domain_info tomoyo_kernel_domain;
extern struct tomoyo_policy_namespace tomoyo_kernel_namespace;
extern unsigned int tomoyo_memory_quota[TOMOYO_MAX_MEMORY_STAT];
extern unsigned int tomoyo_memory_used[TOMOYO_MAX_MEMORY_STAT];
/* Its lbs_task member is the offset tomoyo_task() adds to task->security. */
extern struct lsm_blob_sizes tomoyo_blob_sizes;
/********** Inlined functions. **********/

/**
 * tomoyo_read_lock - Take lock for protecting policy.
 *
 * Enters an SRCU read-side section on tomoyo_ss.
 *
 * Returns the index from srcu_read_lock(); hand exactly this value back to
 * tomoyo_read_unlock().
 */
static inline int tomoyo_read_lock(void)
{
	const int idx = srcu_read_lock(&tomoyo_ss);

	return idx;
}
/**
 * tomoyo_read_unlock - Release lock for protecting policy.
 *
 * @idx: Index number returned by the matching tomoyo_read_lock() call.
 *
 * Leaves the SRCU read-side section on tomoyo_ss.
 *
 * Returns nothing.
 */
static inline void tomoyo_read_unlock(int idx)
{
	struct srcu_struct *ss = &tomoyo_ss;

	srcu_read_unlock(ss, idx);
}
/**
 * tomoyo_sys_getppid - Copy of getppid().
 *
 * Returns task_tgid_vnr() of current->real_parent, i.e. the parent
 * process's PID.
 *
 * Kept as a local copy because Alpha does not have getppid() defined; the
 * code was copied from kernel/timer.c so that this module builds on Alpha.
 *
 * The value is sampled under rcu_read_lock() and returned after the lock
 * has been dropped, so it is a snapshot. NOTE(review): treat it as
 * information for logs and conditions rather than as a stable identity of
 * the parent - confirm how callers use it.
 */
static inline pid_t tomoyo_sys_getppid(void)
{
	struct task_struct *parent;
	pid_t ppid;

	/* real_parent is only dereferenced inside the RCU read section. */
	rcu_read_lock();
	parent = rcu_dereference(current->real_parent);
	ppid = task_tgid_vnr(parent);
	rcu_read_unlock();

	return ppid;
}
/**
 * tomoyo_sys_getpid - Copy of getpid().
 *
 * Returns task_tgid_vnr(current), i.e. the thread-group ID of the calling
 * thread, which is what getpid() reports.
 *
 * Kept as a local copy because Alpha does not have getpid() defined; the
 * code was copied from kernel/timer.c so that this module builds on Alpha.
 */
static inline pid_t tomoyo_sys_getpid(void)
{
	const pid_t tgid = task_tgid_vnr(current);

	return tgid;
}
/**
 * tomoyo_pathcmp - strcmp() for "struct tomoyo_path_info" structure.
 *
 * @a: Pointer to "struct tomoyo_path_info". Dereferenced without NULL check.
 * @b: Pointer to "struct tomoyo_path_info". Dereferenced without NULL check.
 *
 * Returns false if @a and @b have the same hash and the same name, true if
 * they differ. The sense follows strcmp(): a zero/false result means
 * "equal", so a caller that tests for a match has to negate the result.
 */
static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a,
				  const struct tomoyo_path_info *b)
{
	/* A hash mismatch settles the answer without reading the strings. */
	if (a->hash != b->hash)
		return true;

	return strcmp(a->name, b->name) != 0;
}
/**
 * tomoyo_put_name - Drop reference on "struct tomoyo_name".
 *
 * @name: Pointer to "struct tomoyo_path_info". Maybe NULL.
 *
 * Decrements head.users of the "struct tomoyo_name" that embeds @name as
 * its entry member. Nothing is freed here.
 * NOTE(review): atomic_dec() does not detect underflow, so every put has to
 * be balanced by an earlier get; presumably the garbage collector reclaims
 * entries whose count has dropped - confirm.
 *
 * Returns nothing.
 */
static inline void tomoyo_put_name(const struct tomoyo_path_info *name)
{
	struct tomoyo_name *ptr;

	if (!name)
		return;

	ptr = container_of(name, typeof(*ptr), entry);
	atomic_dec(&ptr->head.users);
}
/**
 * tomoyo_put_condition - Drop reference on "struct tomoyo_condition".
 *
 * @cond: Pointer to "struct tomoyo_condition". Maybe NULL.
 *
 * Decrements @cond->head.users; nothing is freed here.
 * NOTE(review): atomic_dec() does not detect underflow, so every put has to
 * be balanced by an earlier get - confirm at the callers.
 *
 * Returns nothing.
 */
static inline void tomoyo_put_condition(struct tomoyo_condition *cond)
{
	if (!cond)
		return;

	atomic_dec(&cond->head.users);
}
/**
 * tomoyo_put_group - Drop reference on "struct tomoyo_group".
 *
 * @group: Pointer to "struct tomoyo_group". Maybe NULL.
 *
 * Decrements @group->head.users; nothing is freed here.
 * NOTE(review): atomic_dec() does not detect underflow, so every put has to
 * be balanced by an earlier get - confirm at the callers.
 *
 * Returns nothing.
 */
static inline void tomoyo_put_group(struct tomoyo_group *group)
{
	if (!group)
		return;

	atomic_dec(&group->head.users);
}
/**
 * tomoyo_task - Get "struct tomoyo_task" for specified thread.
 *
 * @task: Pointer to "struct task_struct".
 *
 * Returns @task->security advanced by tomoyo_blob_sizes.lbs_task, which is
 * the pointer to "struct tomoyo_task" for the specified thread.
 * NOTE(review): @task->security is used without a NULL check; presumably
 * the security blob is allocated before any caller gets here - confirm.
 */
static inline struct tomoyo_task *tomoyo_task(struct task_struct *task)
{
	void *blob = task->security;

	return blob + tomoyo_blob_sizes.lbs_task;
}
/**
 * tomoyo_same_name_union - Check for duplicated "struct tomoyo_name_union" entry.
 *
 * @a: Pointer to "struct tomoyo_name_union".
 * @b: Pointer to "struct tomoyo_name_union".
 *
 * The filename and group members are compared with ==; no string comparison
 * is done here. NOTE(review): presumably both members are pointers to
 * shared entries, so identity implies equality - confirm.
 *
 * Returns true if @a == @b, false otherwise.
 */
static inline bool tomoyo_same_name_union
(const struct tomoyo_name_union *a, const struct tomoyo_name_union *b)
{
	if (a->filename != b->filename)
		return false;

	return a->group == b->group;
}
/**
 * tomoyo_same_number_union - Check for duplicated "struct tomoyo_number_union" entry.
 *
 * @a: Pointer to "struct tomoyo_number_union".
 * @b: Pointer to "struct tomoyo_number_union".
 *
 * Two entries are the same when both values[], both value_type[] and the
 * group member all compare equal.
 *
 * Returns true if @a == @b, false otherwise.
 */
static inline bool tomoyo_same_number_union
(const struct tomoyo_number_union *a, const struct tomoyo_number_union *b)
{
	if (a->group != b->group)
		return false;
	if (a->values[0] != b->values[0] || a->values[1] != b->values[1])
		return false;

	return a->value_type[0] == b->value_type[0] &&
	       a->value_type[1] == b->value_type[1];
}
/**
 * tomoyo_same_ipaddr_union - Check for duplicated "struct tomoyo_ipaddr_union" entry.
 *
 * @a: Pointer to "struct tomoyo_ipaddr_union".
 * @b: Pointer to "struct tomoyo_ipaddr_union".
 *
 * The whole ip member (sizeof(a->ip) bytes) is compared regardless of
 * is_ipv6. NOTE(review): presumably the bytes an IPv4 entry does not use are
 * initialised consistently, otherwise equal addresses could compare as
 * different - confirm in the parser.
 *
 * Returns true if @a == @b, false otherwise.
 */
static inline bool tomoyo_same_ipaddr_union
(const struct tomoyo_ipaddr_union *a, const struct tomoyo_ipaddr_union *b)
{
	if (a->is_ipv6 != b->is_ipv6 || a->group != b->group)
		return false;

	return memcmp(a->ip, b->ip, sizeof(a->ip)) == 0;
}
/**
 * tomoyo_current_namespace - Get "struct tomoyo_policy_namespace" for current thread.
 *
 * Reads the ns member of the domain returned by tomoyo_domain(); that result
 * is dereferenced without a NULL check.
 *
 * Returns pointer to "struct tomoyo_policy_namespace" for current thread.
 */
static inline struct tomoyo_policy_namespace *tomoyo_current_namespace(void)
{
	struct tomoyo_domain_info *domain = tomoyo_domain();

	return domain->ns;
}
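/**
 * list_for_each_cookie - iterate over a list with cookie.
 * @pos:	the &struct list_head to use as a loop cursor.
 * @head:	the head for your list.
 *
 * If @pos is NULL the walk starts at the first entry after @head; otherwise
 * it resumes at @pos, which makes @pos the "cookie" kept between calls.
 * Pointers are fetched with srcu_dereference() on tomoyo_ss.
 * NOTE(review): presumably callers run inside a tomoyo_read_lock() section
 * and a saved cursor stays valid between calls - confirm at the users.
 *
 * The expansion is an "if" statement followed by a "for" header, i.e. two
 * statements. Do not use it as the unbraced body of another if/else or
 * loop. @pos must be an lvalue without side effects, because it is
 * evaluated several times. Both arguments are parenthesized in the
 * expansion so that expressions such as *cursor expand correctly.
 */
#define list_for_each_cookie(pos, head)					\
	if (!(pos))							\
		(pos) = srcu_dereference((head)->next, &tomoyo_ss);	\
	for ( ; (pos) != (head);					\
	     (pos) = srcu_dereference((pos)->next, &tomoyo_ss))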
#endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */