[TOMOYO #6 retry 09/21] Domain transition functions.

[Kentaro Takeda <takedakn@nttdata.co.jp>]

Every process belongs to a domain in TOMOYO Linux.
Domain transition occurs when execve(2) is called
and the domain is expressed as 'process invocation history',
such as '<kernel> /sbin/init /etc/init.d/rc'.
Domain information is stored in task_struct->security.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/tomoyo/domain.c | 1261 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1261 insertions(+)

--- /dev/null
+++ linux-2.6-mm/security/tomoyo/domain.c
@@ -0,0 +1,1261 @@
+/*
+ * security/tomoyo/domain.c
+ *
+ * Domain transition functions for TOMOYO Linux.
+ */
+
+#include "tomoyo.h"
+#include "realpath.h"
+
+/*************************  VARIABLES  *************************/
+
+/* The initial domain. */
+struct domain_info KERNEL_DOMAIN;
+
+/* Lock for appending domain's ACL. */
+DEFINE_MUTEX(domain_acl_lock);
+
+/* Domain creation lock. */
+static DEFINE_MUTEX(new_domain_assign_lock);
+
+/***** The structure for program files to force domain reconstruction. *****/
+
+struct domain_initializer_entry {
+	struct list_head list;
+	const struct path_info *domainname;    /* This may be NULL */
+	const struct path_info *program;
+	bool is_deleted;
+	bool is_not;
+	bool is_last_name;
+};
+
+/***** The structure for domains to not to transit domains. *****/
+
+struct domain_keeper_entry {
+	struct list_head list;
+	const struct path_info *domainname;
+	const struct path_info *program;       /* This may be NULL */
+	bool is_deleted;
+	bool is_not;
+	bool is_last_name;
+};
+
+/***** The structure for program files that should be aggregated. *****/
+
+struct aggregator_entry {
+	struct list_head list;
+	const struct path_info *original_name;
+	const struct path_info *aggregated_name;
+	bool is_deleted;
+};
+
+/***** The structure for program files that should be aliased. *****/
+
+struct alias_entry {
+	struct list_head list;
+	const struct path_info *original_name;
+	const struct path_info *aliased_name;
+	bool is_deleted;
+};
+
+/*************************  UTILITY FUNCTIONS  *************************/
+
+/**
+ * tmy_is_domain_def - check if the line is likely a domain definition.
+ * @buffer: the line to check.
+ *
+ * Returns true if @buffer is likely a domain definition.
+ * Returns false otherwise.
+ *
+ * For complete validation check, use tmy_is_correct_domain().
+ */
+bool tmy_is_domain_def(const unsigned char *buffer)
+{
+	return strncmp(buffer, TMY_ROOT_NAME, TMY_ROOT_NAME_LEN) == 0;
+}
+
+/**
+ * tmy_add_acl - add an entry to a domain.
+ * @domain: pointer to "struct domain_info".
+ * @acl: pointer to "struct acl_info" to add.
+ *
+ * Returns zero.
+ */
+int tmy_add_acl(struct domain_info *domain,
+		struct acl_info *acl)
+{
+	list_add_tail_mb(&acl->list, &domain->acl_info_list);
+	tmy_update_counter(TMY_UPDATE_DOMAINPOLICY);
+	return 0;
+}
+
+/**
+ * tmy_del_acl - remove an entry from a domain
+ * @ptr: pointer to "struct acl_info" to remove.
+ *
+ * Returns zero.
+ *
+ * TOMOYO Linux doesn't free memory used by policy because policies are not
+ * so frequently changed after entring into enforcing mode.
+ * This makes the code free of read-lock.
+ * The caller uses "down(&domain_acl_lock);" as write-lock.
+ */
+int tmy_del_acl(struct acl_info *ptr)
+{
+	ptr->is_deleted = 1;
+	tmy_update_counter(TMY_UPDATE_DOMAINPOLICY);
+	return 0;
+}
+
+/************************  DOMAIN INITIALIZER HANDLER  ************************/
+
+static LIST_HEAD(domain_initializer_list);
+
+/* Update domain initializer list. */
+static int tmy_add_domain_initializer_entry(const char *domainname,
+					    const char *program,
+					    const bool is_not,
+					    const bool is_delete)
+{
+	struct domain_initializer_entry *new_entry;
+	struct domain_initializer_entry *ptr;
+	static DEFINE_MUTEX(mutex);
+	const struct path_info *saved_program;
+	const struct path_info *saved_domainname = NULL;
+	int error = -ENOMEM;
+	bool is_last_name = 0;
+
+	if (!tmy_correct_path(program, 1, -1, -1, __FUNCTION__))
+		return -EINVAL; /* No patterns allowed. */
+
+	if (domainname) {
+		if (!tmy_is_domain_def(domainname) &&
+		    tmy_correct_path(domainname, 1, -1, -1, __FUNCTION__))
+			is_last_name = 1;
+
+		else if (!tmy_is_correct_domain(domainname, __FUNCTION__))
+			return -EINVAL;
+
+		saved_domainname = tmy_save_name(domainname);
+		if (!saved_domainname)
+			return -ENOMEM;
+	}
+
+	saved_program = tmy_save_name(program);
+	if (!saved_program)
+		return -ENOMEM;
+
+	mutex_lock(&mutex);
+
+	list_for_each_entry(ptr, &domain_initializer_list, list) {
+		if (ptr->is_not == is_not &&
+		    ptr->domainname == saved_domainname &&
+		    ptr->program == saved_program) {
+			ptr->is_deleted = is_delete;
+			error = 0;
+			goto out;
+		}
+	}
+
+	if (is_delete) {
+		error = -ENOENT;
+		goto out;
+	}
+
+	new_entry = tmy_alloc_element(sizeof(*new_entry));
+	if (!new_entry)
+		goto out;
+
+	new_entry->domainname = saved_domainname;
+	new_entry->program = saved_program;
+	new_entry->is_not = is_not;
+	new_entry->is_last_name = is_last_name;
+	list_add_tail_mb(&new_entry->list, &domain_initializer_list);
+	error = 0;
+out: ;
+
+	mutex_unlock(&mutex);
+	return error;
+}
+
+/**
+ * tmy_read_domain_initializer_policy - read domain initializer policy.
+ * @head: pointer to "struct io_buffer".
+ *
+ * Returns nonzero if reading incomplete.
+ * Returns zero otherwise.
+ */
+int tmy_read_domain_initializer_policy(struct io_buffer *head)
+{
+	struct list_head *pos;
+	list_for_each_cookie(pos, head->read_var2, &domain_initializer_list) {
+		struct domain_initializer_entry *ptr;
+		ptr = list_entry(pos, struct domain_initializer_entry, list);
+		if (ptr->is_deleted)
+			continue;
+		if (ptr->domainname) {
+			if (tmy_io_printf(head, "%s" TMY_INITIALIZE_DOMAIN
+					  "%s from %s\n",
+					  ptr->is_not ? "no_" : "",
+					  ptr->program->name,
+					  ptr->domainname->name))
+				return -ENOMEM;
+		} else {
+			if (tmy_io_printf(head, "%s" TMY_INITIALIZE_DOMAIN
+					  "%s\n",
+					  ptr->is_not ? "no_" : "",
+					  ptr->program->name))
+				return -ENOMEM;
+		}
+	}
+	return 0;
+}
+
+/**
+ * tmy_add_domain_initializer_policy - add domain initializer policy
+ * @data:      a line to parse.
+ * @is_not:    is this overriding?
+ * @is_delete: is this remove request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ *
+ * This function adds or removes a domain initializer entry.
+ */
+int tmy_add_domain_initializer_policy(char *data,
+				      const bool is_not,
+				      const bool is_delete)
+{
+	char *cp = strstr(data, " from ");
+
+	if (cp) {
+		*cp = '\0';
+		return tmy_add_domain_initializer_entry(cp + 6,	data, is_not,
+							is_delete);
+	}
+
+	return tmy_add_domain_initializer_entry(NULL, data, is_not, is_delete);
+}
+
+/* Should I transit to a domain under "<kernel>" domain? */
+static int tmy_is_domain_initializer(const struct path_info *domainname,
+				     const struct path_info *program,
+				     const struct path_info *last_name)
+{
+	struct domain_initializer_entry *ptr;
+	int flag = 0;
+	list_for_each_entry(ptr,  &domain_initializer_list, list) {
+		if (ptr->is_deleted)
+			continue;
+		if (ptr->domainname) {
+			if (!ptr->is_last_name) {
+				if (ptr->domainname != domainname)
+					continue;
+			} else {
+				if (tmy_pathcmp(ptr->domainname, last_name))
+					continue;
+			}
+		}
+		if (tmy_pathcmp(ptr->program, program))
+			continue;
+		if (ptr->is_not)
+			return 0;
+		flag = 1;
+	}
+	return flag;
+}
+
+/*************************  DOMAIN KEEPER HANDLER  *************************/
+
+static LIST_HEAD(domain_keeper_list);
+
+/* Update domain keeper list. */
+static int tmy_add_domain_keeper_entry(const char *domainname,
+				       const char *program,
+				       const bool is_not,
+				       const bool is_delete)
+{
+	struct domain_keeper_entry *new_entry;
+	struct domain_keeper_entry *ptr;
+	const struct path_info *saved_domainname;
+	const struct path_info *saved_program = NULL;
+	static DEFINE_MUTEX(mutex);
+	int error = -ENOMEM;
+	bool is_last_name = 0;
+
+	if (!tmy_is_domain_def(domainname) &&
+	    tmy_correct_path(domainname, 1, -1, -1, __FUNCTION__))
+		is_last_name = 1;
+
+	else if (!tmy_is_correct_domain(domainname, __FUNCTION__))
+		return -EINVAL;
+
+	if (program) {
+		if (!tmy_correct_path(program, 1, -1, -1, __FUNCTION__))
+			return -EINVAL;
+
+		saved_program = tmy_save_name(program);
+		if (!saved_program)
+			return -ENOMEM;
+	}
+
+	saved_domainname = tmy_save_name(domainname);
+	if (!saved_domainname)
+		return -ENOMEM;
+
+	mutex_lock(&mutex);
+	list_for_each_entry(ptr, &domain_keeper_list, list) {
+		if (ptr->is_not == is_not &&
+		    ptr->domainname == saved_domainname &&
+		    ptr->program == saved_program) {
+			ptr->is_deleted = is_delete;
+			error = 0;
+			goto out;
+		}
+	}
+
+	if (is_delete) {
+		error = -ENOENT;
+		goto out;
+	}
+
+	new_entry = tmy_alloc_element(sizeof(*new_entry));
+	if (!new_entry)
+		goto out;
+
+	new_entry->domainname = saved_domainname;
+	new_entry->program = saved_program;
+	new_entry->is_not = is_not;
+	new_entry->is_last_name = is_last_name;
+	list_add_tail_mb(&new_entry->list, &domain_keeper_list);
+	error = 0;
+
+out: ;
+
+	mutex_unlock(&mutex);
+	return error;
+}
+
+/**
+ * tmy_add_domain_keeper_policy - add domain keeper policy.
+ * @data:      a line to parse.
+ * @is_not:    is this overriding?
+ * @is_delete: is this remove request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ *
+ * This function adds or removes a domain keeper entry.
+ *
+ */
+int tmy_add_domain_keeper_policy(char *data,
+				 const bool is_not,
+				 const bool is_delete)
+{
+	char *cp = strstr(data, " from ");
+
+	if (cp) {
+		*cp = '\0';
+		return tmy_add_domain_keeper_entry(cp + 6, data,
+						   is_not, is_delete);
+	}
+
+	return tmy_add_domain_keeper_entry(data, NULL, is_not, is_delete);
+}
+
+/**
+ * tmy_read_domain_keeper_policy - read domain keeper policy.
+ * @head: pointer to "struct io_buffer".
+ *
+ * Returns nonzero if reading incomplete.
+ * Returns zero otherwise.
+ */
+int tmy_read_domain_keeper_policy(struct io_buffer *head)
+{
+	struct list_head *pos;
+	list_for_each_cookie(pos, head->read_var2, &domain_keeper_list) {
+		struct domain_keeper_entry *ptr;
+		ptr = list_entry(pos, struct domain_keeper_entry, list);
+		if (ptr->is_deleted)
+			continue;
+		if (ptr->program) {
+			if (tmy_io_printf(head,
+					  "%s" TMY_KEEP_DOMAIN
+					  "%s from %s\n",
+					  ptr->is_not ? "no_" : "",
+					  ptr->program->name,
+					  ptr->domainname->name))
+				return -ENOMEM;
+		} else {
+			if (tmy_io_printf(head,
+					  "%s" TMY_KEEP_DOMAIN
+					  "%s\n",
+					  ptr->is_not ? "no_" : "",
+					  ptr->domainname->name))
+				return -ENOMEM;
+		}
+	}
+	return 0;
+}
+
+/* Should I remain in current domain? */
+static int tmy_is_domain_keeper(const struct path_info *domainname,
+				const struct path_info *program,
+				const struct path_info *last_name)
+{
+	struct domain_keeper_entry *ptr;
+	int flag = 0;
+	list_for_each_entry(ptr, &domain_keeper_list, list) {
+		if (ptr->is_deleted)
+			continue;
+		if (!ptr->is_last_name) {
+			if (ptr->domainname != domainname)
+				continue;
+		} else {
+			if (tmy_pathcmp(ptr->domainname, last_name))
+				continue;
+		}
+		if (ptr->program && tmy_pathcmp(ptr->program, program))
+			continue;
+		if (ptr->is_not)
+			return 0;
+		flag = 1;
+	}
+	return flag;
+}
+
+/*********************  SYMBOLIC LINKED PROGRAM HANDLER  *********************/
+
+static LIST_HEAD(alias_list);
+
+/* Update alias list. */
+static int tmy_add_alias_entry(const char *original_name,
+			       const char *aliased_name,
+			       const bool is_delete)
+{
+	struct alias_entry *new_entry;
+	struct alias_entry *ptr;
+	static DEFINE_MUTEX(mutex);
+	const struct path_info *saved_original_name;
+	const struct path_info *saved_aliased_name;
+	int error = -ENOMEM;
+
+	if (!tmy_correct_path(original_name, 1, -1, -1, __FUNCTION__) ||
+	    !tmy_correct_path(aliased_name, 1, -1, -1, __FUNCTION__))
+		return -EINVAL; /* No patterns allowed. */
+
+	saved_original_name = tmy_save_name(original_name);
+	saved_aliased_name = tmy_save_name(aliased_name);
+	if (!saved_original_name || !saved_aliased_name)
+		return -ENOMEM;
+
+	mutex_lock(&mutex);
+
+	list_for_each_entry(ptr, &alias_list, list) {
+		if (ptr->original_name == saved_original_name &&
+		    ptr->aliased_name == saved_aliased_name) {
+			ptr->is_deleted = is_delete;
+			error = 0;
+			goto out;
+		}
+	}
+
+	if (is_delete) {
+		error = -ENOENT;
+		goto out;
+	}
+
+	new_entry = tmy_alloc_element(sizeof(*new_entry));
+	if (!new_entry)
+		goto out;
+
+	new_entry->original_name = saved_original_name;
+	new_entry->aliased_name = saved_aliased_name;
+	list_add_tail_mb(&new_entry->list, &alias_list);
+	error = 0;
+out: ;
+	mutex_unlock(&mutex);
+	return error;
+}
+
+/**
+ * tmy_read_alias_policy - read alias policy.
+ * @head: pointer to "struct io_buffer".
+ *
+ * Returns nonzero if reading incomplete.
+ * Returns zero otherwise.
+ */
+int tmy_read_alias_policy(struct io_buffer *head)
+{
+	struct list_head *pos;
+	list_for_each_cookie(pos, head->read_var2, &alias_list) {
+		struct alias_entry *ptr;
+		ptr = list_entry(pos, struct alias_entry, list);
+		if (ptr->is_deleted)
+			continue;
+		if (tmy_io_printf(head,
+				  TMY_ALIAS "%s %s\n",
+				  ptr->original_name->name,
+				  ptr->aliased_name->name))
+			return -ENOMEM;
+	}
+	return 0;
+}
+
+/**
+ * tmy_add_alias_policy - add alias policy.
+ * @data:      a line to parse.
+ * @is_delete: is this remove request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ *
+ * This function adds or removes an alias entry.
+ */
+int tmy_add_alias_policy(char *data, const bool is_delete)
+{
+	char *cp = strchr(data, ' ');
+
+	if (!cp)
+		return -EINVAL;
+	*cp++ = '\0';
+
+	return tmy_add_alias_entry(data, cp, is_delete);
+}
+
+/************************  DOMAIN AGGREGATOR HANDLER  ************************/
+
+static LIST_HEAD(aggregator_list);
+
+/* Update aggregator list. */
+static int tmy_add_aggregator_entry(const char *original_name,
+				    const char *aggregated_name,
+				    const bool is_delete)
+{
+	struct aggregator_entry *new_entry;
+	struct aggregator_entry *ptr;
+	static DEFINE_MUTEX(mutex);
+	const struct path_info *saved_original_name;
+	const struct path_info *saved_aggregated_name;
+	int error = -ENOMEM;
+
+	if (!tmy_correct_path(original_name, 1, 0, -1, __FUNCTION__) ||
+	    !tmy_correct_path(aggregated_name, 1, -1, -1, __FUNCTION__))
+		return -EINVAL;
+
+	saved_original_name = tmy_save_name(original_name);
+	saved_aggregated_name = tmy_save_name(aggregated_name);
+	if (!saved_original_name || !saved_aggregated_name)
+		return -ENOMEM;
+
+	mutex_lock(&mutex);
+
+	list_for_each_entry(ptr, &aggregator_list, list) {
+		if (ptr->original_name == saved_original_name &&
+		    ptr->aggregated_name == saved_aggregated_name) {
+			ptr->is_deleted = is_delete;
+			error = 0;
+			goto out;
+		}
+	}
+
+	if (is_delete) {
+		error = -ENOENT;
+		goto out;
+	}
+
+	new_entry = tmy_alloc_element(sizeof(*new_entry));
+	if (!new_entry)
+		goto out;
+
+	new_entry->original_name = saved_original_name;
+	new_entry->aggregated_name = saved_aggregated_name;
+	list_add_tail_mb(&new_entry->list, &aggregator_list);
+	error = 0;
+out: ;
+
+	mutex_unlock(&mutex);
+
+	return error;
+}
+
+/**
+ * tmy_read_aggregator_policy - read aggregator policy.
+ * @head: pointer to "struct io_buffer".
+ *
+ * Returns nonzero if reading incomplete.
+ * Returns zero otherwise.
+ */
+int tmy_read_aggregator_policy(struct io_buffer *head)
+{
+	struct list_head *pos;
+	list_for_each_cookie(pos, head->read_var2, &aggregator_list) {
+		struct aggregator_entry *ptr;
+		ptr = list_entry(pos, struct aggregator_entry, list);
+		if (ptr->is_deleted)
+			continue;
+		if (tmy_io_printf(head,
+				  TMY_AGGREGATOR "%s %s\n",
+				  ptr->original_name->name,
+				  ptr->aggregated_name->name))
+			return -ENOMEM;
+	}
+	return 0;
+}
+
+/**
+ * tmy_add_aggregator_policy - add aggregator policy.
+ * @data:      a line to parse.
+ * @is_delete: is this remove request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ *
+ * This function adds or removes an aggregator entry.
+ */
+int tmy_add_aggregator_policy(char *data, const bool is_delete)
+{
+	char *cp = strchr(data, ' ');
+
+	if (!cp)
+		return -EINVAL;
+	*cp++ = '\0';
+
+	return tmy_add_aggregator_entry(data, cp, is_delete);
+}
+
+/*************************  DOMAIN DELETION HANDLER  *************************/
+
+/**
+ * tmy_delete_domain - delete a domain.
+ * @domainname0: domainname to delete.
+ *
+ * Returns zero.
+ *
+ * This function deletes domains.
+ * The behavior of deleting domain is like deleting files on Linux's
+ * filesystem. A process transits to different domain upon do_execve(),
+ * and the process can refer the deleted domains after the domain is deleted,
+ * like a process opens a file and the process can read()/write() the deleted
+ * file after the file is deleted.
+ * This avoids processes from crashing due to referring non-existent domains.
+ * Administrator manually terminates processes thet are referring deleted
+ * domains after deleting domains.
+ * Also, undeleting domains is supported. See tmy_undelete_domain().
+ */
+int tmy_delete_domain(char *domainname0)
+{
+	struct domain_info *domain;
+	struct path_info domainname;
+
+	domainname.name = domainname0;
+	tmy_fill_path_info(&domainname);
+
+	mutex_lock(&new_domain_assign_lock);
+	/* Is there an active domain? */ /* Never delete KERNEL_DOMAIN */
+	list_for_each_entry(domain, &domain_list, list) {
+		struct domain_info *domain2;
+		if (domain == &KERNEL_DOMAIN ||
+		    domain->is_deleted ||
+		    tmy_pathcmp(domain->domainname, &domainname))
+			continue;
+		/* Mark already deleted domains as non undeletable. */
+		list_for_each_entry(domain2, &domain_list, list) {
+			if (!domain2->is_deleted ||
+			    tmy_pathcmp(domain2->domainname, &domainname))
+				continue;
+			domain2->is_deleted = 255;
+		}
+		/* Delete and mark active domain as undeletable. */
+		domain->is_deleted = 1;
+		break;
+	}
+	mutex_unlock(&new_domain_assign_lock);
+	return 0;
+}
+
+/**
+ * tmy_undelete_domain - undelete a domain.
+ * @domainname0: domainname to undelete.
+ *
+ * Returns pointer to undeleted "struct domain_info" on success.
+ * Returns NULL on failure.
+ *
+ * This function undeletes domains.
+ * Not only the domain previously deleted by tmy_delete_domain()
+ * but also all domains deleted by tmy_delete_domain() are undeletable.
+ * If there is no deleted domain named @domainname0 or
+ * a not-yet-deleted domain named @domainname0 exists, undelete fails.
+ * Otherwise, previously deleted domain named @domainname0 is undeleted.
+ */
+struct domain_info *tmy_undelete_domain(const char *domainname0)
+{
+	struct domain_info *domain;
+	struct domain_info *candidate_domain = NULL;
+	struct path_info domainname;
+
+	domainname.name = domainname0;
+	tmy_fill_path_info(&domainname);
+
+	mutex_lock(&new_domain_assign_lock);
+
+	list_for_each_entry(domain, &domain_list, list) {
+		if (tmy_pathcmp(&domainname, domain->domainname))
+			continue;
+
+		if (!domain->is_deleted) {
+			/* This domain is active. I can't undelete. */
+			candidate_domain = NULL;
+			break;
+		}
+
+		/* Is this domain undeletable? */
+		if (domain->is_deleted == 1)
+			candidate_domain = domain;
+	}
+	if (candidate_domain)
+		candidate_domain->is_deleted = 0;
+
+	mutex_unlock(&new_domain_assign_lock);
+
+	return candidate_domain;
+}
+
+/************************  DOMAIN TRANSITION HANDLER  ************************/
+
+/**
+ * tmy_find_domain - find a domain with given domainname.
+ * @domainname0: the domainname to find.
+ *
+ * Returns pointer to "struct domain_info" on success.
+ * Returns NULL on failure.
+ *
+ * This function does not create a new domain
+ * if a domain named @domainname0 does not exist.
+ */
+struct domain_info *tmy_find_domain(const char *domainname0)
+{
+	struct domain_info *domain;
+	static bool first = 1;
+	struct path_info domainname;
+
+	domainname.name = domainname0;
+	tmy_fill_path_info(&domainname);
+
+	if (first) {
+		KERNEL_DOMAIN.domainname = tmy_save_name(TMY_ROOT_NAME);
+		first = 0;
+	}
+
+	list_for_each_entry(domain, &domain_list, list) {
+		if (!domain->is_deleted &&
+		    !tmy_pathcmp(&domainname, domain->domainname))
+			return domain;
+	}
+
+	return NULL;
+}
+
+/**
+ * tmy_new_domain - find or assign a domain with given domainname.
+ * @domainname: the domainname to find.
+ * @profile:    profile number to assign if newly created.
+ *
+ * Returns pointer to "struct domain_info" on success.
+ * Returns NULL on failure.
+ *
+ * This function creates a new domain if a domain named @domainname0
+ * does not exist.
+ */
+struct domain_info *tmy_new_domain(const char *domainname,
+				   const u8 profile)
+{
+	struct domain_info *domain = NULL;
+	const struct path_info *saved_domainname;
+
+	mutex_lock(&new_domain_assign_lock);
+
+	domain = tmy_find_domain(domainname);
+	if (domain)
+		goto out;
+
+	if (!tmy_is_correct_domain(domainname, __FUNCTION__))
+		goto out;
+
+	saved_domainname = tmy_save_name(domainname);
+	if (!saved_domainname)
+		goto out;
+
+	/* Can I reuse memory of deleted domain? */
+	list_for_each_entry(domain, &domain_list, list) {
+		struct task_struct *p;
+		struct acl_info *ptr;
+		int flag;
+
+		if (!domain->is_deleted ||
+		    domain->domainname != saved_domainname)
+			continue;
+		flag = 0;
+
+		/***** CRITICAL SECTION START *****/
+		read_lock(&tasklist_lock);
+		for_each_process(p) {
+			/* "struct task_struct"->security is not NULL. */
+			if (((struct tmy_security *) p->security)->domain
+			    == domain) {
+				flag = 1;
+				break;
+			}
+		}
+		read_unlock(&tasklist_lock);
+		/***** CRITICAL SECTION END *****/
+
+		/* Somebody is still referring this deleted domain. */
+		if (flag)
+			continue;
+
+		/* OK. Let's reuse memory for this deleted domain. */
+
+		/* Delete all entries in this deleted domain. */
+		list_for_each_entry(ptr, &domain->acl_info_list, list)
+			ptr->is_deleted = 1;
+
+		domain->profile = profile;
+		domain->quota_warned = 0;
+
+		mb(); /* Avoid out-of-order execution. */
+		/* Undelete this deleted domain. */
+		domain->is_deleted = 0;
+		goto out;
+	}
+
+	/* No memory reusable. Create using new memory. */
+	domain = tmy_alloc_element(sizeof(*domain));
+	if (domain) {
+		INIT_LIST_HEAD(&domain->acl_info_list);
+		domain->domainname = saved_domainname;
+		domain->profile = profile;
+		list_add_tail_mb(&domain->list, &domain_list);
+	}
+out: ;
+	mutex_unlock(&new_domain_assign_lock);
+
+	return domain;
+}
+
+/* Convert non ASCII printable characters to ASCII printable characters. */
+static int tmy_escape(char *dest, const char *src, int dest_len)
+{
+	while (*src) {
+		const unsigned char c = *(const unsigned char *) src;
+
+		if (c == '\\') {
+			dest_len -= 2;
+			if (dest_len <= 0)
+				goto out;
+			*dest++ = '\\';
+			*dest++ = '\\';
+		} else if (c > ' ' && c < 127) {
+			if (--dest_len <= 0)
+				goto out;
+			*dest++ = c;
+		} else {
+			dest_len -= 4;
+			if (dest_len <= 0)
+				goto out;
+			*dest++ = '\\';
+			*dest++ = (c >> 6) + '0';
+			*dest++ = ((c >> 3) & 7) + '0';
+			*dest++ = (c & 7) + '0';
+		}
+		src++;
+	}
+
+	if (--dest_len <= 0)
+		goto out;
+	*dest = '\0';
+
+	return 0;
+out: ;
+	return -ENOMEM;
+}
+
+/* Get argv[0] of "struct linux_binprm". */
+static char *tmy_get_argv0(struct linux_binprm *bprm)
+{
+	char *arg_ptr;
+	int arg_len = 0;
+	unsigned long pos = bprm->p;
+	int i = pos / PAGE_SIZE;
+	int offset = pos % PAGE_SIZE;
+
+	if (bprm->argc <= 0)
+		return NULL;
+
+	arg_ptr = tmy_alloc(PAGE_SIZE);
+
+	if (!arg_ptr)
+		goto out;
+
+	while (1) {
+		struct page *page;
+		const char *kaddr;
+		char *tmp_arg;
+
+#ifdef CONFIG_MMU
+		if (get_user_pages(current, bprm->mm, pos,
+				   1, 0, 1, &page, NULL) <= 0)
+			goto out;
+#else
+		page = bprm->page[i];
+#endif
+		kaddr = kmap(page);
+		if (!kaddr) {
+			/* Mapping failed. */
+#ifdef CONFIG_MMU
+			put_page(page);
+#endif
+			goto out;
+		}
+
+		memmove(arg_ptr + arg_len, kaddr + offset, PAGE_SIZE - offset);
+		kunmap(page);
+
+#ifdef CONFIG_MMU
+		put_page(page);
+		pos += PAGE_SIZE - offset;
+#endif
+
+		arg_len += PAGE_SIZE - offset;
+
+		if (memchr(arg_ptr, '\0', arg_len))
+			break;
+
+		tmp_arg = tmy_alloc(arg_len + PAGE_SIZE);
+		if (!tmp_arg)
+			goto out;
+
+		memmove(tmp_arg, arg_ptr, arg_len);
+		tmy_free(arg_ptr);
+		arg_ptr = tmp_arg;
+		i++;
+		offset = 0;
+	}
+	return arg_ptr;
+out: ;
+	tmy_free(arg_ptr);
+
+	return NULL;
+}
+
+/**
+ * tmy_find_next_domain - find a domain to transit to if do_execve() succeeds.
+ * @bprm:        pointer to "struct linux_binprm".
+ * @next_domain: pointer to pointer to "struct domain_info".
+ *
+ * Returns zero if success. @next_domain receives new domain to transit to.
+ * Returns nonzero on failure.
+ *
+ * This function handles TOMOYO Linux's domain transition.
+ * New domains are automatically created unless the domain the caller process
+ * belongs to is assigned a profile for enforcing mode.
+ */
+int tmy_find_next_domain(struct linux_binprm *bprm,
+			 struct domain_info **next_domain)
+{
+	/* This function assumes that the size of buffer returned */
+	/* by tmy_realpath() = TMY_MAX_PATHNAME_LEN. */
+	struct domain_info *old_domain = TMY_SECURITY->domain;
+	struct domain_info *domain = NULL;
+	const char *old_domain_name = old_domain->domainname->name;
+	const char *original_name = bprm->filename;
+	struct file *filp = bprm->file;
+	char *new_domain_name = NULL;
+	char *real_program_name = NULL;
+	char *symlink_program_name = NULL;
+	const bool is_enforce = (tmy_flags(TMY_MAC_FOR_FILE) == 3);
+	int retval;
+	struct path_info r;
+	struct path_info s;
+	struct path_info l;
+
+	/*
+	 * Built-in initializers.
+	 * This is needed because policies are not loaded
+	 * until starting /sbin/init .
+	 */
+	static bool first = 1;
+	if (first) {
+		tmy_add_domain_initializer_entry(NULL, "/sbin/hotplug", 0, 0);
+		tmy_add_domain_initializer_entry(NULL, "/sbin/modprobe", 0, 0);
+		tmy_add_domain_initializer_entry(NULL, "/sbin/udevd", 0, 0);
+		first = 0;
+	}
+
+	/* Get realpath of program. */
+	/* I hope tmy_realpath() won't fail with -ENOMEM. */
+	retval = -ENOENT;
+	real_program_name = tmy_realpath(original_name);
+
+	if (!real_program_name)
+		goto out;
+
+	/* Get realpath of symbolic link. */
+	symlink_program_name = tmy_realpath_nofollow(original_name);
+	if (!symlink_program_name)
+		goto out;
+
+	r.name = real_program_name;
+	tmy_fill_path_info(&r);
+	s.name = symlink_program_name;
+	tmy_fill_path_info(&s);
+	l.name = strrchr(old_domain_name, ' ');
+
+	if (l.name)
+		l.name++;
+	else
+		l.name = old_domain_name;
+	tmy_fill_path_info(&l);
+
+	/* Check 'alias' directive. */
+	if (tmy_pathcmp(&r, &s)) {
+		struct alias_entry *ptr;
+
+		/* Is this program allowed to be called via symbolic links? */
+		list_for_each_entry(ptr, &alias_list, list) {
+			if (ptr->is_deleted ||
+			    tmy_pathcmp(&r, ptr->original_name) ||
+			    tmy_pathcmp(&s, ptr->aliased_name))
+				continue;
+			memset(real_program_name, 0, TMY_MAX_PATHNAME_LEN);
+			strncpy(real_program_name,
+				ptr->aliased_name->name,
+				TMY_MAX_PATHNAME_LEN - 1);
+			tmy_fill_path_info(&r);
+			break;
+		}
+	}
+
+	/* Compare basename of real_program_name and argv[0] */
+	if (bprm->argc > 0 && tmy_flags(TMY_MAC_FOR_ARGV0)) {
+
+		char *org_argv0 = tmy_get_argv0(bprm);
+
+		retval = -ENOMEM;
+		if (org_argv0) {
+
+			const int len = strlen(org_argv0);
+			char *printable_argv0 = tmy_alloc(len * 4 + 8);
+
+			if (printable_argv0 &&
+			    !tmy_escape(printable_argv0, org_argv0,
+					len * 4 + 8)) {
+				const char *base_argv0;
+				const char *base_filename;
+
+				base_argv0 = strrchr(printable_argv0, '/');
+				if (!base_argv0)
+					base_argv0 = printable_argv0;
+				else
+					base_argv0++;
+
+				base_filename = strrchr(real_program_name, '/');
+				if (!base_filename)
+					base_filename = real_program_name;
+				else
+					base_filename++;
+
+				if (strcmp(base_argv0, base_filename))
+					retval = tmy_argv0_perm(&r, base_argv0);
+				else
+					retval = 0;
+			}
+
+			tmy_free(printable_argv0);
+			tmy_free(org_argv0);
+		}
+
+		if (retval)
+			goto out;
+
+	}
+
+
+	/* Check 'aggregator' directive. */
+	{
+		struct aggregator_entry *ptr;
+
+		/* Is this program allowed to be aggregated? */
+		list_for_each_entry(ptr, &aggregator_list, list) {
+			if (ptr->is_deleted ||
+			    !tmy_path_match(&r, ptr->original_name))
+				continue;
+			memset(real_program_name, 0, TMY_MAX_PATHNAME_LEN);
+			strncpy(real_program_name,
+				ptr->aggregated_name->name,
+				TMY_MAX_PATHNAME_LEN - 1);
+			tmy_fill_path_info(&r);
+			break;
+		}
+	}
+
+	/* Check execute permission. */
+	retval = tmy_exec_perm(&r, filp);
+	if (retval < 0)
+		goto out;
+
+	/* Allocate memory for calcurating domain name. */
+	retval = -ENOMEM;
+	new_domain_name = tmy_alloc(TMY_MAX_PATHNAME_LEN + 16);
+	if (!new_domain_name)
+		goto out;
+
+	if (tmy_is_domain_initializer(old_domain->domainname, &r, &l))
+		/* Transit to the child of KERNEL_DOMAIN domain. */
+		snprintf(new_domain_name, TMY_MAX_PATHNAME_LEN + 1,
+			 TMY_ROOT_NAME " " "%s", real_program_name);
+	else if (old_domain == &KERNEL_DOMAIN && !sbin_init_started)
+		/*
+		 * Needn't to transit from kernel domain
+		 * before starting /sbin/init .
+		 * But transit from kernel domain if executing initializers,
+		 * for they might start before /sbin/init .
+		 */
+		domain = old_domain;
+	else if (tmy_is_domain_keeper(old_domain->domainname, &r, &l))
+		/* Keep current domain. */
+		domain = old_domain;
+	else
+		/* Normal domain transition. */
+		snprintf(new_domain_name,
+			 TMY_MAX_PATHNAME_LEN + 1,
+			 "%s %s",
+			 old_domain_name,
+			 real_program_name);
+
+	if (domain || strlen(new_domain_name) >= TMY_MAX_PATHNAME_LEN)
+		goto ok;
+
+	if (is_enforce) {
+		domain = tmy_find_domain(new_domain_name);
+		if (!domain &&
+		    tmy_supervisor("#Need to create domain\n%s\n",
+				   new_domain_name) == 0) {
+			const u8 profile = TMY_SECURITY->domain->profile;
+			domain = tmy_new_domain(new_domain_name, profile);
+		}
+	} else {
+		const u8 profile = TMY_SECURITY->domain->profile;
+		domain = tmy_new_domain(new_domain_name, profile);
+	}
+
+ok: ;
+
+	if (!domain) {
+		printk(KERN_INFO "TOMOYO-ERROR: Domain '%s' not defined.\n",
+		       new_domain_name);
+		if (is_enforce)
+			retval = -EPERM;
+	} else
+		retval = 0;
+out: ;
+
+	tmy_free(new_domain_name);
+	tmy_free(real_program_name);
+	tmy_free(symlink_program_name);
+	*next_domain = domain ? domain : old_domain;
+
+	return retval;
+}
+
+int tmy_check_environ(struct linux_binprm *bprm)
+{
+	const u8 profile = TMY_SECURITY->domain->profile;
+	const unsigned int mode = tmy_flags(TMY_MAC_FOR_ENV);
+	char *arg_ptr;
+	int arg_len = 0;
+	unsigned long pos = bprm->p;
+	int i = pos / PAGE_SIZE;
+	int offset = pos % PAGE_SIZE;
+	int argv_count = bprm->argc;
+	int envp_count = bprm->envc;
+	int error = -ENOMEM;
+	if (!mode || !envp_count)
+		return 0;
+	arg_ptr = tmy_alloc(TMY_MAX_PATHNAME_LEN);
+	if (!arg_ptr)
+		goto out;
+	while (error == -ENOMEM) {
+		struct page *page;
+		const char *kaddr;
+#ifdef CONFIG_MMU
+		if (get_user_pages(current, bprm->mm, pos, 1, 0, 1,
+				   &page, NULL) <= 0)
+			goto out;
+#else
+		page = bprm->page[i];
+#endif
+		/* Map */
+		kaddr = kmap(page);
+		if (!kaddr) {
+			/* Mapping failed. */
+#ifdef CONFIG_MMU
+			put_page(page);
+#endif
+			goto out;
+		}
+		/* Read. */
+		while (argv_count && offset < PAGE_SIZE) {
+			if (!kaddr[offset++])
+				argv_count--;
+		}
+		if (argv_count)
+			goto unmap_page;
+		while (offset < PAGE_SIZE) {
+			const unsigned char c = kaddr[offset++];
+			if (c && arg_len < TMY_MAX_PATHNAME_LEN - 10) {
+				if (c == '=') {
+					arg_ptr[arg_len++] = '\0';
+				} else if (c == '\\') {
+					arg_ptr[arg_len++] = '\\';
+					arg_ptr[arg_len++] = '\\';
+				} else if (c > ' ' && c < 127) {
+					arg_ptr[arg_len++] = c;
+				} else {
+					arg_ptr[arg_len++] = '\\';
+					arg_ptr[arg_len++] = (c >> 6) + '0';
+					arg_ptr[arg_len++] =
+						((c >> 3) & 7) + '0';
+					arg_ptr[arg_len++] = (c & 7) + '0';
+				}
+			} else {
+				arg_ptr[arg_len] = '\0';
+			}
+			if (c)
+				continue;
+			if (tmy_env_perm(arg_ptr, profile, mode)) {
+				error = -EPERM;
+				break;
+			}
+			if (!--envp_count) {
+				error = 0;
+				break;
+			}
+			arg_len = 0;
+		}
+unmap_page:
+		/* Unmap. */
+		kunmap(page);
+#ifdef CONFIG_MMU
+		put_page(page);
+		pos += PAGE_SIZE - offset;
+#endif
+		i++;
+		offset = 0;
+	}
+out:
+	tmy_free(arg_ptr);
+	if (error && mode != 3)
+		error = 0;
+	return error;
+}

--