[TOMOYO #6 retry 11/21] File access control functions.

[Kentaro Takeda <takedakn@nttdata.co.jp>]

TOMOYO Linux checks permission in
open/creat/unlink/truncate/ftruncate/mknod/mkdir/
rmdir/symlink/link/rename/uselib/sysctl .

Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/tomoyo/file.c | 1468 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1468 insertions(+)

--- /dev/null
+++ linux-2.6-mm/security/tomoyo/file.c
@@ -0,0 +1,1468 @@
+/*
+ * security/tomoyo/file.c
+ *
+ * File access control functions for TOMOYO Linux.
+ */
+
+#include "tomoyo.h"
+#include "realpath.h"
+
+#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
+
+/*************************  VARIABLES  *************************/
+
+/***** The structure for globally readable files. *****/
+
+struct globally_readable_file_entry {
+	struct list_head list;
+	const struct path_info *filename;
+	bool is_deleted;
+};
+
+/***** The structure for filename patterns. *****/
+
+struct pattern_entry {
+	struct list_head list;
+	const struct path_info *pattern;
+	bool is_deleted;
+};
+
+/***** The structure for non-rewritable-by-default file patterns. *****/
+
+struct no_rewrite_entry {
+	struct list_head list;
+	const struct path_info *pattern;
+	bool is_deleted;
+};
+
+/***** The structure for detailed write operations. *****/
+
+static struct {
+	const char *keyword;
+	const int paths;
+} acl_type_array[] = {
+	{ "create",   1 }, /* TMY_TYPE_CREATE_ACL */
+	{ "unlink",   1 }, /* TMY_TYPE_UNLINK_ACL */
+	{ "mkdir",    1 }, /* TMY_TYPE_MKDIR_ACL */
+	{ "rmdir",    1 }, /* TMY_TYPE_RMDIR_ACL */
+	{ "mkfifo",   1 }, /* TMY_TYPE_MKFIFO_ACL */
+	{ "mksock",   1 }, /* TMY_TYPE_MKSOCK_ACL */
+	{ "mkblock",  1 }, /* TMY_TYPE_MKBLOCK_ACL */
+	{ "mkchar",   1 }, /* TMY_TYPE_MKCHAR_ACL */
+	{ "truncate", 1 }, /* TMY_TYPE_TRUNCATE_ACL */
+	{ "symlink",  1 }, /* TMY_TYPE_SYMLINK_ACL */
+	{ "link",     2 }, /* TMY_TYPE_LINK_ACL */
+	{ "rename",   2 }, /* TMY_TYPE_RENAME_ACL */
+	{ "rewrite",  1 }, /* TMY_TYPE_REWRITE_ACL */
+	{ NULL, 0 }
+};
+
+/*************************  UTILITY FUNCTIONS  *************************/
+
+/**
+ * tmy_acltype2keyword - get keyword from access control index.
+ * @acl_type: index number.
+ *
+ * Returns keyword that corresponds with @acl_type .
+ */
+const char *tmy_acltype2keyword(const unsigned int acl_type)
+{
+	return (acl_type < ARRAY_SIZE(acl_type_array))
+		? acl_type_array[acl_type].keyword : NULL;
+}
+
+/**
+ * tmy_acltype2paths - get number of arguments from access control index.
+ * @acl_type: index number.
+ *
+ * Returns number of arguments that corresponds with @acl_type .
+ */
+int tmy_acltype2paths(const unsigned int acl_type)
+{
+	return (acl_type < ARRAY_SIZE(acl_type_array))
+		? acl_type_array[acl_type].paths : 0;
+}
+
+static int tmy_strendswith(const char *name, const char *tail)
+{
+	int len;
+
+	if (!name || !tail)
+		return 0;
+
+	len = strlen(name) - strlen(tail);
+	return len >= 0 && strcmp(name + len, tail) == 0;
+}
+
+static struct path_info *tmy_get_path(struct dentry *dentry,
+				      struct vfsmount *mnt)
+{
+	/* sizeof(struct path_info_with_data) <= PAGE_SIZE */
+	struct path_info_with_data {
+		/* Keep this first, this pointer is passed to tmy_free(). */
+		struct path_info head;
+		char bariier1[16];
+		char body[TMY_MAX_PATHNAME_LEN];
+		char barrier2[16];
+	} *buf = tmy_alloc(sizeof(*buf));
+
+	if (buf) {
+		int error = tmy_realpath_dentry2(dentry,
+						 mnt,
+						 buf->body,
+						 sizeof(buf->body) - 1);
+
+		if (error == 0) {
+			buf->head.name = buf->body;
+			tmy_fill_path_info(&buf->head);
+			return &buf->head;
+		}
+
+		tmy_free(buf);
+		buf = NULL;
+		printk(KERN_INFO "tmy_realpath_dentry = %d\n", error);
+	}
+
+	return NULL;
+}
+
+/*************************  PROTOTYPES  *************************/
+
+static int tmy_add_double_write_acl(const u8 type,
+				    const char *filename1,
+				    const char *filename2,
+				    struct domain_info * const domain,
+				    const struct condition_list *cond,
+				    const bool is_delete);
+static int tmy_add_single_write_acl(const u8 type,
+				    const char *filename,
+				    struct domain_info * const domain,
+				    const struct condition_list *cond,
+				    const bool is_delete);
+
+/*************************  AUDIT FUNCTIONS  *************************/
+
+static int tmy_audit_file_log(const struct path_info *filename,
+			      const u8 perm,
+			      const bool is_granted,
+			      const u8 profile,
+			      const unsigned int mode)
+{
+	char *buf;
+	int len;
+
+	if (is_granted) {
+		if (!tmy_audit_grant())
+			return 0;
+	} else {
+		if (!tmy_audit_reject())
+			return 0;
+	}
+
+	len = filename->total_len + 8;
+	buf = tmy_init_audit_log(&len, profile, mode);
+
+	if (!buf)
+		return -ENOMEM;
+
+	tmy_sncatprintf(buf, len - 1, "%d %s\n", perm, filename->name);
+
+	return tmy_write_audit_log(buf, is_granted);
+}
+
+static int tmy_audit_write_log(const char *operation,
+			       const struct path_info *filename1,
+			       const struct path_info *filename2,
+			       const bool is_granted,
+			       const u8 profile,
+			       const unsigned int mode)
+{
+	char *buf;
+	int len;
+
+	if (is_granted) {
+		if (!tmy_audit_grant())
+			return 0;
+	} else {
+		if (!tmy_audit_reject())
+			return 0;
+	}
+
+	len = strlen(operation) +
+		filename1->total_len +
+		(filename2 ? filename2->total_len : 0)
+		+ 16;
+
+	buf = tmy_init_audit_log(&len, profile, mode);
+	if (!buf)
+		return -ENOMEM;
+
+	tmy_sncatprintf(buf, len - 1, "allow_%s %s %s\n",
+		 operation, filename1->name, filename2 ? filename2->name : "");
+
+	return tmy_write_audit_log(buf, is_granted);
+}
+
+/**********************  GLOBALLY READABLE FILE HANDLER  **********************/
+
+static LIST_HEAD(globally_readable_list);
+
+static int tmy_add_globally_readable_entry(const char *filename,
+					   const bool is_delete)
+{
+	struct globally_readable_file_entry *new_entry;
+	struct globally_readable_file_entry *ptr;
+	static DEFINE_MUTEX(mutex);
+	const struct path_info *saved;
+	int error = -ENOMEM;
+
+	if (!tmy_correct_path(filename, 1, -1, -1, __FUNCTION__))
+		return -EINVAL; /* No patterns allowed. */
+	saved = tmy_save_name(filename);
+	if (!saved)
+		return -ENOMEM;
+
+	mutex_lock(&mutex);
+
+	list_for_each_entry(ptr, &globally_readable_list, list) {
+		if (ptr->filename == saved) {
+			ptr->is_deleted = is_delete;
+			error = 0;
+			goto out;
+		}
+	}
+	if (is_delete) {
+		error = -ENOENT;
+		goto out;
+	}
+
+	new_entry = tmy_alloc_element(sizeof(*new_entry));
+	if (!new_entry)
+		goto out;
+
+	new_entry->filename = saved;
+	list_add_tail_mb(&new_entry->list, &globally_readable_list);
+	error = 0;
+
+out: ;
+	mutex_unlock(&mutex);
+
+	return error;
+}
+
+static int tmy_globally_readable(const struct path_info *filename)
+{
+	struct globally_readable_file_entry *ptr;
+
+	list_for_each_entry(ptr, &globally_readable_list, list) {
+		if (!ptr->is_deleted &&
+		    !tmy_pathcmp(filename, ptr->filename))
+			return 1;
+	}
+
+	return 0;
+}
+
+/**
+ * tmy_add_globally_readable_policy - add or delete globally readable policy.
+ * @filename:  pointer to filename to add ore remove.
+ * @is_delete: is this delete request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ */
+int tmy_add_globally_readable_policy(char *filename, const bool is_delete)
+{
+	return tmy_add_globally_readable_entry(filename, is_delete);
+}
+
+/**
+ * tmy_read_globally_readable_policy - read globally readable policy.
+ * @head: pointer to "struct io_buffer".
+ *
+ * Returns nonzero if reading incomplete.
+ * Returns zero otherwise.
+ */
+int tmy_read_globally_readable_policy(struct io_buffer *head)
+{
+	struct list_head *pos;
+	list_for_each_cookie(pos, head->read_var2, &globally_readable_list) {
+		struct globally_readable_file_entry *ptr;
+		ptr = list_entry(pos, struct globally_readable_file_entry,
+				 list);
+		if (ptr->is_deleted)
+			continue;
+		if (tmy_io_printf(head, TMY_ALLOW_READ "%s\n",
+				  ptr->filename->name))
+			return -ENOMEM;
+	}
+	return 0;
+}
+
+/*************************  FILE GROUP HANDLER  *************************/
+
+static LIST_HEAD(path_group_list);
+
+static int tmy_add_group_entry(const char *group_name,
+			       const char *member_name,
+			       const bool is_delete)
+{
+	static DEFINE_MUTEX(mutex);
+	struct path_group_entry *new_group;
+	struct path_group_entry *group;
+	struct path_group_member *new_member;
+	struct path_group_member *member;
+	const struct path_info *saved_group;
+	const struct path_info *saved_member;
+	int error = -ENOMEM;
+	bool found = 0;
+
+	if (!tmy_correct_path(group_name, 0, 0, 0, __FUNCTION__) ||
+	    !group_name[0] ||
+	    !tmy_correct_path(member_name, 0, 0, 0, __FUNCTION__) ||
+	    !member_name[0])
+		return -EINVAL;
+
+	saved_group = tmy_save_name(group_name);
+	saved_member = tmy_save_name(member_name);
+
+	if (!saved_group || !saved_member)
+		return -ENOMEM;
+
+	mutex_lock(&mutex);
+	list_for_each_entry(group, &path_group_list, list) {
+		if (saved_group != group->group_name)
+			continue;
+		list_for_each_entry(member, &group->path_group_member_list,
+				    list) {
+			if (member->member_name == saved_member) {
+				member->is_deleted = is_delete;
+				error = 0;
+				goto out;
+			}
+		}
+		found = 1;
+		break;
+	}
+
+	if (is_delete) {
+		error = -ENOENT;
+		goto out;
+	}
+
+	if (!found) {
+		new_group = tmy_alloc_element(sizeof(*new_group));
+		if (!new_group)
+			goto out;
+		INIT_LIST_HEAD(&new_group->path_group_member_list);
+		new_group->group_name = saved_group;
+		list_add_tail_mb(&new_group->list, &path_group_list);
+		group = new_group;
+	}
+
+	new_member = tmy_alloc_element(sizeof(*new_member));
+	if (!new_member)
+		goto out;
+	new_member->member_name = saved_member;
+	list_add_tail_mb(&new_member->list, &group->path_group_member_list);
+	error = 0;
+out: ;
+	mutex_unlock(&mutex);
+
+	return error;
+}
+
+/**
+ * tmy_add_group_policy - add or delete path group policy.
+ * @data:      a line to parse.
+ * @is_delete: is this delete request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ */
+int tmy_add_group_policy(char *data, const bool is_delete)
+{
+	char *cp = strchr(data, ' ');
+
+	if (!cp)
+		return -EINVAL;
+	*cp++ = '\0';
+	return tmy_add_group_entry(data, cp, is_delete);
+}
+
+static struct path_group_entry *tmy_new_path_group(const char *group_name)
+{
+	int i;
+	struct path_group_entry *group;
+
+	for (i = 0; i <= 1; i++) {
+		list_for_each_entry(group, &path_group_list, list) {
+			if (strcmp(group_name, group->group_name->name) == 0)
+				return group;
+		}
+
+		if (i == 0) {
+			/*
+			 * Add a dummy entry to create new path group
+			 * and delete that entry.
+			 */
+			tmy_add_group_entry(group_name, "/", 0);
+			tmy_add_group_entry(group_name, "/", 1);
+		}
+	}
+
+	return NULL;
+}
+
+static int tmy_path_match_group(const struct path_info *pathname,
+				const struct path_group_entry *group,
+				const int may_use_pattern)
+{
+	struct path_group_member *member;
+	list_for_each_entry(member, &group->path_group_member_list, list) {
+		if (member->is_deleted)
+			continue;
+		if (!member->member_name->is_patterned) {
+			if (!tmy_pathcmp(pathname, member->member_name))
+				return 1;
+		} else if (may_use_pattern) {
+			if (tmy_path_match(pathname, member->member_name))
+				return 1;
+		}
+	}
+
+	return 0;
+}
+
+/**
+ * tmy_read_path_group_policy - read path group policy.
+ * @head: pointer to "struct io_buffer".
+ *
+ * Returns nonzero if reading incomplete.
+ * Returns zero otherwise.
+ */
+int tmy_read_path_group_policy(struct io_buffer *head)
+{
+	struct list_head *gpos;
+	struct list_head *mpos;
+	list_for_each_cookie(gpos, head->read_var1, &path_group_list) {
+		struct path_group_entry *group;
+		group = list_entry(gpos, struct path_group_entry, list);
+		list_for_each_cookie(mpos, head->read_var2,
+				     &group->path_group_member_list) {
+			struct path_group_member *member;
+			member = list_entry(mpos, struct path_group_member,
+					    list);
+			if (member->is_deleted)
+				continue;
+			if (tmy_io_printf(head,
+					  TMY_PATH_GROUP "%s %s\n",
+					  group->group_name->name,
+					  member->member_name->name))
+				return -ENOMEM;
+		}
+	}
+	return 0;
+}
+
+/*************************  FILE PATTERN HANDLER  *************************/
+
+static LIST_HEAD(pattern_list);
+
+static int tmy_add_pattern_entry(const char *pattern, const bool is_delete)
+{
+	struct pattern_entry *new_entry;
+	struct pattern_entry *ptr;
+	static DEFINE_MUTEX(mutex);
+	const struct path_info *saved;
+	int error = -ENOMEM;
+
+	if (!tmy_correct_path(pattern, 0, 1, 0, __FUNCTION__))
+		return -EINVAL;
+
+	saved = tmy_save_name(pattern);
+	if (!saved)
+		return -ENOMEM;
+
+	mutex_lock(&mutex);
+
+	list_for_each_entry(ptr, &pattern_list, list) {
+		if (saved == ptr->pattern) {
+			ptr->is_deleted = is_delete;
+			error = 0;
+			goto out;
+		}
+	}
+
+	if (is_delete) {
+		error = -ENOENT;
+		goto out;
+	}
+
+	new_entry = tmy_alloc_element(sizeof(*new_entry));
+
+	if (!new_entry)
+		goto out;
+	new_entry->pattern = saved;
+	list_add_tail_mb(&new_entry->list, &pattern_list);
+	error = 0;
+out: ;
+	mutex_unlock(&mutex);
+	return error;
+}
+
+static const struct path_info *tmy_get_pattern(const struct path_info *filename)
+{
+	struct pattern_entry *ptr;
+	const struct path_info *pattern = NULL;
+
+	list_for_each_entry(ptr, &pattern_list, list) {
+		if (ptr->is_deleted)
+			continue;
+		if (!tmy_path_match(filename, ptr->pattern))
+			continue;
+		pattern = ptr->pattern;
+		if (!tmy_strendswith(pattern->name, "/\\*"))
+			break;
+	}
+
+	if (pattern)
+		filename = pattern;
+
+	return filename;
+}
+
+/**
+ * tmy_add_pattern_policy - add or delete file pattern policy.
+ * @pattern:   pointer to file pattern entry.
+ * @is_delete: is this delete request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ */
+int tmy_add_pattern_policy(char *pattern, const bool is_delete)
+{
+	return tmy_add_pattern_entry(pattern, is_delete);
+}
+
+/**
+ * tmy_read_pattern_policy - read file pattern policy.
+ * @head: pointer to "struct io_buffer".
+ *
+ * Returns nonzero if reading incomplete.
+ * Returns zero otherwise.
+ */
+int tmy_read_pattern_policy(struct io_buffer *head)
+{
+	struct list_head *pos;
+	list_for_each_cookie(pos, head->read_var2, &pattern_list) {
+		struct pattern_entry *ptr;
+		ptr = list_entry(pos, struct pattern_entry, list);
+		if (ptr->is_deleted)
+			continue;
+		if (tmy_io_printf(head, TMY_FILE_PATTERN "%s\n",
+				  ptr->pattern->name))
+			return -ENOMEM;
+	}
+	return 0;
+}
+
+/***********************  NON REWRITABLE FILE HANDLER  ***********************/
+
+static LIST_HEAD(no_rewrite_list);
+
+static int tmy_add_no_rewrite_entry(const char *pattern, const bool is_delete)
+{
+	struct no_rewrite_entry *new_entry;
+	struct no_rewrite_entry *ptr;
+	static DEFINE_MUTEX(mutex);
+	const struct path_info *saved;
+	int error = -ENOMEM;
+
+	if (!tmy_correct_path(pattern, 0, 0, 0, __FUNCTION__))
+		return -EINVAL;
+	saved = tmy_save_name(pattern);
+	if (!saved)
+		return -ENOMEM;
+
+	mutex_lock(&mutex);
+	list_for_each_entry(ptr, &no_rewrite_list, list) {
+		if (ptr->pattern == saved) {
+			ptr->is_deleted = is_delete;
+			error = 0;
+			goto out;
+		}
+	}
+
+	if (is_delete) {
+		error = -ENOENT;
+		goto out;
+	}
+
+	new_entry = tmy_alloc_element(sizeof(*new_entry));
+	if (!new_entry)
+		goto out;
+
+	new_entry->pattern = saved;
+	list_add_tail_mb(&new_entry->list, &no_rewrite_list);
+	error = 0;
+out: ;
+	mutex_unlock(&mutex);
+
+	return error;
+}
+
+static int tmy_is_no_rewrite_file(const struct path_info *filename)
+{
+	struct no_rewrite_entry *ptr;
+
+	list_for_each_entry(ptr, &no_rewrite_list, list) {
+		if (ptr->is_deleted)
+			continue;
+		if (!tmy_path_match(filename, ptr->pattern))
+			continue;
+		return 1;
+	}
+
+	return 0;
+}
+
+/**
+ * tmy_add_no_rewrite_policy - add or delete no-rewrite policy.
+ * @pattern:   pointer to no-rewrite entry.
+ * @is_delete: is this delete request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ */
+int tmy_add_no_rewrite_policy(char *pattern, const bool is_delete)
+{
+	return tmy_add_no_rewrite_entry(pattern, is_delete);
+}
+
+/**
+ * tmy_read_no_rewrite_policy - read no-rewrite policy.
+ * @head: pointer to "struct io_buffer".
+ *
+ * Returns nonzero if reading incomplete.
+ * Returns zero otherwise.
+ */
+int tmy_read_no_rewrite_policy(struct io_buffer *head)
+{
+	struct list_head *pos;
+	list_for_each_cookie(pos, head->read_var2, &no_rewrite_list) {
+		struct no_rewrite_entry *ptr;
+		ptr = list_entry(pos, struct no_rewrite_entry, list);
+		if (ptr->is_deleted)
+			continue;
+		if (tmy_io_printf(head, TMY_DENY_REWRITE "%s\n",
+				  ptr->pattern->name))
+			return -ENOMEM;
+	}
+	return 0;
+}
+
+/*************************  FILE ACL HANDLER  *************************/
+
+static int tmy_add_file_acl(const char *filename,
+			    u8 perm,
+			    struct domain_info * const domain,
+			    const struct condition_list *cond,
+			    const bool is_delete)
+{
+	const struct path_info *saved;
+	struct acl_info *ptr;
+	struct file_acl *acl;
+	int error = -ENOMEM;
+	bool is_group = 0;
+
+	if (!domain)
+		return -EINVAL;
+	if (perm > 7 || !perm) {
+		printk(KERN_DEBUG "%s: Invalid permission '%d %s'\n",
+		       __FUNCTION__, perm, filename);
+		return -EINVAL;
+	}
+	if (!tmy_correct_path(filename, 0, 0, 0, __FUNCTION__))
+		return -EINVAL;
+
+	if (filename[0] == '@') {
+		/* This cast is OK because I don't dereference. */
+		saved = (struct path_info *) tmy_new_path_group(filename + 1);
+		if (!saved)
+			return -ENOMEM;
+		is_group = 1;
+	} else {
+
+		if (tmy_strendswith(filename, "/"))
+			/*
+			 * Valid permissions for directory are
+			 * only 'allow_mkdir' and 'allow_rmdir'.
+			 */
+			return 0;
+
+		saved = tmy_save_name(filename);
+		if (!saved)
+			return -ENOMEM;
+
+		if (!is_delete && perm == 4 &&
+		    tmy_globally_readable(saved))
+			return 0;
+
+	}
+
+	mutex_lock(&domain_acl_lock);
+
+	if (is_delete)
+		goto remove;
+
+	list_for_each_entry(ptr, &domain->acl_info_list, list) {
+		acl = container_of(ptr, struct file_acl, head);
+		if ((ptr->type == TMY_TYPE_FILE_ACL) &&
+		    ptr->cond == cond &&
+		    (acl->u.filename == saved)) {
+			if (ptr->is_deleted) {
+				acl->perm = 0;
+				mb(); /* Avoid out-of-order execution. */
+				ptr->is_deleted = 0;
+			}
+			/* Found. Just 'OR' the permission bits. */
+			acl->perm |= perm;
+			error = 0;
+			tmy_update_counter(TMY_UPDATE_DOMAINPOLICY);
+			goto ok;
+		}
+	}
+	/* Not found. Append it to the tail. */
+	acl = tmy_alloc_element(sizeof(*acl));
+	if (!acl)
+		goto ok;
+
+	acl->head.type = TMY_TYPE_FILE_ACL;
+	acl->head.cond = cond;
+	acl->perm = perm;
+	acl->u_is_group = is_group;
+	acl->u.filename = saved;
+	error = tmy_add_acl(domain, &acl->head);
+	goto ok;
+remove: ;
+	error = -ENOENT;
+	list_for_each_entry(ptr, &domain->acl_info_list, list) {
+		acl = container_of(ptr, struct file_acl, head);
+		if (ptr->type != TMY_TYPE_FILE_ACL ||
+		    ptr->cond != cond ||
+		    ptr->is_deleted ||
+		    acl->perm != perm ||
+		    acl->u.filename != saved)
+			continue;
+		error = tmy_del_acl(ptr);
+		break;
+	}
+ok: ;
+	mutex_unlock(&domain_acl_lock);
+	return error;
+}
+
+static int tmy_file_acl(const struct path_info *filename, const u8 perm,
+			struct obj_info *obj)
+{
+	const struct domain_info *domain = TMY_SECURITY->domain;
+	struct acl_info *ptr;
+	const int may_use_pat = ((perm & 1) == 0);
+
+	if (!tmy_flags(TMY_MAC_FOR_FILE))
+		return 0;
+	if (!filename->is_dir) {
+		if (perm == 4 && tmy_globally_readable(filename))
+			return 0;
+	}
+
+	list_for_each_entry(ptr, &domain->acl_info_list, list) {
+		struct file_acl *acl;
+		acl = container_of(ptr, struct file_acl, head);
+
+		if (ptr->type != TMY_TYPE_FILE_ACL ||
+		    ptr->is_deleted ||
+		    (acl->perm & perm) != perm ||
+		    tmy_check_condition(ptr->cond, obj))
+			continue;
+
+		if (acl->u_is_group) {
+			if (tmy_path_match_group(filename,
+						 acl->u.group,
+						 may_use_pat))
+				return 0;
+		} else {
+			if ((may_use_pat || !acl->u.filename->is_patterned) &&
+			    tmy_path_match(filename, acl->u.filename))
+				return 0;
+		}
+	}
+
+	return -EPERM;
+}
+
+static int tmy_file_perm2(const struct path_info *filename,
+			  const u8 perm,
+			  struct obj_info *obj,
+			  const char *operation)
+{
+	int error = 0;
+	struct domain_info * const domain = TMY_SECURITY->domain;
+	const u8 profile = domain->profile;
+	const unsigned int mode = tmy_flags(TMY_MAC_FOR_FILE);
+	const bool is_enforce = (mode == 3);
+
+	if (!filename)
+		return 0;
+
+	error = tmy_file_acl(filename, perm, obj);
+
+	tmy_audit_file_log(filename, perm, !error, profile, mode);
+
+	if (!error)
+		return error;
+
+	if (tmy_flags(TMY_VERBOSE))
+		tmy_audit("TOMOYO-%s: Access %d(%s) to %s denied for %s\n",
+			  tmy_getmsg(is_enforce), perm, operation,
+			  filename->name, tmy_lastname(domain));
+
+	if (is_enforce)
+		error =	tmy_supervisor("%s\n%d %s\n",
+				       domain->domainname->name,
+				       perm, filename->name);
+
+	else if (mode == 1 && tmy_quota()) {
+		/* Don't use patterns if execution bit is on. */
+		const struct path_info *patterned =
+			((perm & 1) == 0) ?
+			tmy_get_pattern(filename) : filename;
+		tmy_add_file_acl(patterned->name, perm, domain, NULL, 0);
+	}
+
+	if (!is_enforce)
+		error = 0;
+
+	return error;
+}
+
+/**
+ * tmy_file_perm - check permission for sysctl(2) operation.
+ * @filename0: pointer to filename returned by sysctlpath_from_table().
+ * @perm:      mode (read = 4, write = 2, read-write = 6).
+ * @operation: pointer to error message.
+ *
+ * Returns zero if permission granted.
+ * Returns nonzero if permission denied.
+ */
+int tmy_file_perm(const char *filename0, const u8 perm, const char *operation)
+{
+	struct path_info filename;
+
+	if (!tmy_flags(TMY_MAC_FOR_FILE))
+		return 0;
+
+	filename.name = filename0;
+	tmy_fill_path_info(&filename);
+
+	return tmy_file_perm2(&filename, perm, NULL, operation);
+}
+
+/**
+ * tmy_add_file_policy - add or delete file policy.
+ * @data:      a line to parse.
+ * @domain:    pointer to "struct domain_info".
+ * @cond:      pointer to "struct condition_list". May be NULL.
+ * @is_delete: is this delete request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ */
+int tmy_add_file_policy(char *data,
+			struct domain_info *domain,
+			const struct condition_list *cond,
+			const bool is_delete)
+{
+	char *filename = strchr(data, ' ');
+	unsigned int perm;
+	u8 type;
+
+	if (!filename)
+		return -EINVAL;
+	*filename++ = '\0';
+
+	if (sscanf(data, "%u", &perm) == 1)
+		return tmy_add_file_acl(filename, (u8) perm, domain, cond,
+					is_delete);
+
+	if (strncmp(data, "allow_", 6))
+		goto out;
+
+	data += 6;
+
+	for (type = 0; acl_type_array[type].keyword; type++) {
+		if (strcmp(data, acl_type_array[type].keyword))
+			continue;
+
+		if (acl_type_array[type].paths == 2) {
+			char *filename2 = strchr(filename, ' ');
+
+			if (!filename2)
+				break;
+			*filename2++ = '\0';
+			return tmy_add_double_write_acl(type, filename,
+							filename2,
+							domain, cond,
+							is_delete);
+		} else
+			return tmy_add_single_write_acl(type, filename,
+							domain, cond,
+							is_delete);
+
+		break;
+	}
+out: ;
+	return -EINVAL;
+}
+
+static int tmy_add_single_write_acl(const u8 type,
+				    const char *filename,
+				    struct domain_info * const domain,
+				    const struct condition_list *cond,
+				    const bool is_delete)
+{
+	const struct path_info *saved;
+	struct acl_info *ptr;
+	struct single_acl *acl;
+	int error = -ENOMEM;
+	bool is_group = 0;
+
+	if (!domain)
+		return -EINVAL;
+	if (!tmy_correct_path(filename, 0, 0, 0, __FUNCTION__))
+		return -EINVAL;
+
+	if (filename[0] == '@') {
+		/* This cast is OK because I don't dereference. */
+		saved = (struct path_info *) tmy_new_path_group(filename + 1);
+		if (!saved)
+			return -ENOMEM;
+		is_group = 1;
+	} else {
+		saved = tmy_save_name(filename);
+		if (!saved)
+			return -ENOMEM;
+	}
+
+	mutex_lock(&domain_acl_lock);
+	if (is_delete)
+		goto remove;
+
+	list_for_each_entry(ptr, &domain->acl_info_list, list) {
+		acl = container_of(ptr, struct single_acl, head);
+		if (ptr->type == type && ptr->cond == cond) {
+			if (acl->u.filename == saved) {
+				ptr->is_deleted = 0;
+				/* Found. Nothing to do. */
+				error = 0;
+				goto ok;
+			}
+		}
+	}
+	/* Not found. Append it to the tail. */
+	acl = tmy_alloc_element(sizeof(*acl));
+	if (!acl)
+		goto ok;
+
+	acl->head.type = type;
+	acl->head.cond = cond;
+	acl->u_is_group = is_group;
+	acl->u.filename = saved;
+	error = tmy_add_acl(domain, &acl->head);
+	goto ok;
+remove: ;
+	error = -ENOENT;
+	list_for_each_entry(ptr, &domain->acl_info_list, list) {
+		acl = container_of(ptr, struct single_acl, head);
+
+		if (ptr->type != type || ptr->is_deleted ||
+		    ptr->cond != cond || acl->u.filename != saved)
+			continue;
+
+		error = tmy_del_acl(ptr);
+		break;
+	}
+ok: ;
+	mutex_unlock(&domain_acl_lock);
+
+	return error;
+}
+
+static int tmy_add_double_write_acl(const u8 type,
+				    const char *filename1,
+				    const char *filename2,
+				    struct domain_info * const domain,
+				    const struct condition_list *cond,
+				    const bool is_delete)
+{
+	const struct path_info *saved1;
+	const struct path_info *saved2;
+	struct acl_info *ptr;
+	struct double_acl *acl;
+	int error = -ENOMEM;
+	bool is_group1 = 0;
+	bool is_group2 = 0;
+
+	if (!domain)
+		return -EINVAL;
+	if (!tmy_correct_path(filename1, 0, 0, 0, __FUNCTION__) ||
+	    !tmy_correct_path(filename2, 0, 0, 0, __FUNCTION__))
+		return -EINVAL;
+
+	if (filename1[0] == '@') {
+		/* This cast is OK because I don't dereference. */
+		saved1 = (struct path_info *) tmy_new_path_group(filename1 + 1);
+		if (!saved1)
+			return -ENOMEM;
+		is_group1 = 1;
+	} else {
+		saved1 = tmy_save_name(filename1);
+		if (!saved1)
+			return -ENOMEM;
+	}
+
+	if (filename2[0] == '@') {
+		/* This cast is OK because I don't dereference. */
+		saved2 = (struct path_info *) tmy_new_path_group(filename2 + 1);
+		if (!saved2)
+			return -ENOMEM;
+		is_group2 = 1;
+	} else {
+		saved2 = tmy_save_name(filename2);
+		if (!saved2)
+			return -ENOMEM;
+	}
+
+	mutex_lock(&domain_acl_lock);
+
+	if (is_delete)
+		goto remove;
+
+	list_for_each_entry(ptr, &domain->acl_info_list, list) {
+		acl = container_of(ptr, struct double_acl, head);
+		if (ptr->type == type && ptr->cond == cond) {
+			if (acl->u1.filename1 == saved1 &&
+			    acl->u2.filename2 == saved2) {
+				ptr->is_deleted = 0;
+				/* Found. Nothing to do. */
+				error = 0;
+				goto ok;
+			}
+		}
+	}
+	/* Not found. Append it to the tail. */
+	acl = tmy_alloc_element(sizeof(*acl));
+	if (!acl)
+		goto ok;
+
+	acl->head.type = type;
+	acl->head.cond = cond;
+	acl->u1_is_group = is_group1;
+	acl->u2_is_group = is_group2;
+	acl->u1.filename1 = saved1;
+	acl->u2.filename2 = saved2;
+	error = tmy_add_acl(domain, &acl->head);
+	goto ok;
+remove: ;
+	error = -ENOENT;
+	list_for_each_entry(ptr, &domain->acl_info_list, list) {
+		acl = container_of(ptr, struct double_acl, head);
+		if (ptr->type != type || ptr->is_deleted ||
+		    ptr->cond != cond ||
+		    acl->u1.filename1 != saved1 ||
+		    acl->u2.filename2 != saved2)
+			continue;
+		error = tmy_del_acl(ptr);
+		break;
+	}
+ ok: ;
+	mutex_unlock(&domain_acl_lock);
+	return error;
+}
+
+static int tmy_single_write_acl(const u8 type,
+				const struct path_info *filename,
+				struct obj_info *obj)
+{
+	const struct domain_info *domain = TMY_SECURITY->domain;
+	struct acl_info *ptr;
+
+	if (!tmy_flags(TMY_MAC_FOR_FILE))
+		return 0;
+
+	list_for_each_entry(ptr, &domain->acl_info_list, list) {
+		struct single_acl *acl;
+		acl = container_of(ptr, struct single_acl, head);
+
+		if (ptr->type != type || ptr->is_deleted ||
+		    tmy_check_condition(ptr->cond, obj))
+			continue;
+
+		if (acl->u_is_group) {
+			if (!tmy_path_match_group(filename, acl->u.group, 1))
+				continue;
+		} else {
+			if (!tmy_path_match(filename, acl->u.filename))
+				continue;
+		}
+		return 0;
+	}
+
+	return -EPERM;
+}
+
+static int tmy_double_write_acl(const u8 type,
+				const struct path_info *filename1,
+				const struct path_info *filename2,
+				struct obj_info *obj)
+{
+	const struct domain_info *domain = TMY_SECURITY->domain;
+	struct acl_info *ptr;
+
+	if (!tmy_flags(TMY_MAC_FOR_FILE))
+		return 0;
+
+	list_for_each_entry(ptr, &domain->acl_info_list, list) {
+		struct double_acl *acl;
+		acl = container_of(ptr, struct double_acl, head);
+
+		if (ptr->type != type || ptr->is_deleted ||
+		    tmy_check_condition(ptr->cond, obj))
+			continue;
+
+		if (acl->u1_is_group) {
+			if (!tmy_path_match_group(filename1,
+						  acl->u1.group1, 1))
+				continue;
+		} else {
+			if (!tmy_path_match(filename1, acl->u1.filename1))
+				continue;
+		}
+
+		if (acl->u2_is_group) {
+			if (!tmy_path_match_group(filename2,
+						  acl->u2.group2, 1))
+				continue;
+		} else {
+			if (!tmy_path_match(filename2, acl->u2.filename2))
+				continue;
+		}
+
+		return 0;
+	}
+
+	return -EPERM;
+}
+
+static int tmy_single_write_perm2(const unsigned int operation,
+				  const struct path_info *filename,
+				  struct obj_info *obj)
+{
+	int error;
+	struct domain_info * const domain = TMY_SECURITY->domain;
+	const u8 profile = domain->profile;
+	const unsigned int mode = tmy_flags(TMY_MAC_FOR_FILE);
+	const bool is_enforce = (mode == 3);
+
+	if (!mode)
+		return 0;
+
+	error = tmy_single_write_acl(operation, filename, obj);
+
+	tmy_audit_write_log(tmy_acltype2keyword(operation),
+			    filename, NULL, !error, profile, mode);
+
+	if (!error)
+		goto ok;
+
+	if (tmy_flags(TMY_VERBOSE))
+		tmy_audit("TOMOYO-%s: Access '%s %s' denied for %s\n",
+			  tmy_getmsg(is_enforce),
+			  tmy_acltype2keyword(operation), filename->name,
+			  tmy_lastname(domain));
+
+	if (is_enforce)
+		error = tmy_supervisor("%s\nallow_%s %s\n",
+				       domain->domainname->name,
+				       tmy_acltype2keyword(operation),
+				       filename->name);
+
+	else if (mode == 1 && tmy_quota())
+		tmy_add_single_write_acl(operation,
+					 tmy_get_pattern(filename)->name,
+					 domain, NULL, 0);
+
+	if (!is_enforce)
+		error = 0;
+
+ok: ;
+	if (!error && operation == TMY_TYPE_TRUNCATE_ACL &&
+	    tmy_is_no_rewrite_file(filename))
+		error = tmy_single_write_perm2(TMY_TYPE_REWRITE_ACL,
+					       filename, obj);
+
+	return error;
+}
+
+/**
+ * tmy_exec_perm - check permission for execve(2) operation.
+ * @filename: pointer to filename to execute.
+ * @filp:     pointer to "struct file".
+ *
+ * Returns zero if permission granted.
+ * Returns nonzero if permission denied.
+ */
+int tmy_exec_perm(const struct path_info *filename, struct file *filp)
+{
+	struct obj_info obj;
+	if (!tmy_flags(TMY_MAC_FOR_FILE))
+		return 0;
+	memset(&obj, 0, sizeof(obj));
+	obj.path1_dentry = filp->f_dentry;
+	obj.path1_vfsmnt = filp->f_vfsmnt;
+	return tmy_file_perm2(filename, 1, &obj, "do_execve");
+}
+
+/**
+ * tmy_open_perm - check permission for open(2) operation.
+ * @dentry: pointer to "struct dentry".
+ * @mnt:    pointer to "struct vfsmount".
+ * @flag:   open flags.
+ *
+ * Returns zero if permission granted.
+ * Returns nonzero if permission denied.
+ */
+int tmy_open_perm(struct dentry *dentry,
+		  struct vfsmount *mnt,
+		  const int flag)
+{
+	struct obj_info obj;
+	const int acc_mode = ACC_MODE(flag);
+	int error = -ENOMEM;
+	struct path_info *buf;
+	const unsigned int mode = tmy_flags(TMY_MAC_FOR_FILE);
+	const bool is_enforce = (mode == 3);
+
+	if (!mode)
+		return 0;
+	if (acc_mode == 0)
+		return 0;
+	if (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode))
+		/* I don't check directories here             */
+		/* because mkdir() and rmdir() don't call me. */
+		return 0;
+
+	buf = tmy_get_path(dentry, mnt);
+
+	if (!buf)
+		goto out;
+
+	memset(&obj, 0, sizeof(obj));
+	obj.path1_dentry = dentry;
+	obj.path1_vfsmnt = mnt;
+
+	error = 0;
+	if ((acc_mode & MAY_WRITE) &&
+	    ((flag & O_TRUNC) || !(flag & O_APPEND)) &&
+	    tmy_is_no_rewrite_file(buf))
+		error = tmy_single_write_perm2(TMY_TYPE_REWRITE_ACL,
+					       buf, &obj);
+
+	if (error == 0)
+		error = tmy_file_perm2(buf, acc_mode, &obj, "open");
+
+	if (error == 0 && (flag & O_TRUNC))
+		error = tmy_single_write_perm2(TMY_TYPE_TRUNCATE_ACL,
+					       buf, &obj);
+
+	tmy_free(buf);
+
+out: ;
+	if (!is_enforce)
+		error = 0;
+	return error;
+}
+
+/**
+ * tmy_single_write_perm - check permission for create(2) etc. operation.
+ * @operation: operation index number.
+ * @dentry:    pointer to "struct dentry".
+ * @mnt:       pointer to "struct vfsmount".
+ *
+ * Returns zero if permission granted.
+ * Returns nonzero if permission denied.
+ */
+int tmy_single_write_perm(const unsigned int operation,
+			  struct dentry *dentry,
+			  struct vfsmount *mnt)
+{
+	struct obj_info obj;
+	int error = -ENOMEM;
+	struct path_info *buf;
+	const unsigned int mode = tmy_flags(TMY_MAC_FOR_FILE);
+	const bool is_enforce = (mode == 3);
+
+	if (!mode)
+		return 0;
+
+	buf = tmy_get_path(dentry, mnt);
+
+	if (!buf)
+		goto out;
+
+	memset(&obj, 0, sizeof(obj));
+	obj.path1_dentry = dentry;
+	obj.path1_vfsmnt = mnt;
+
+	switch (operation) {
+	case TMY_TYPE_MKDIR_ACL:
+	case TMY_TYPE_RMDIR_ACL:
+		if (!buf->is_dir) {
+			strcat((char *) buf->name, "/");
+			tmy_fill_path_info(buf);
+		}
+	}
+	error = tmy_single_write_perm2(operation, buf, &obj);
+	tmy_free(buf);
+
+out: ;
+	if (!is_enforce)
+		error = 0;
+
+	return error;
+}
+
+/**
+ * tmy_rewrite_perm - check permission for truncate/overwrite operation.
+ * @filp: pointer to "struct file".
+ *
+ * Returns zero if permission granted.
+ * Returns nonzero if permission denied.
+ */
+int tmy_rewrite_perm(struct file *filp)
+{
+	int error = -ENOMEM;
+	const unsigned int mode = tmy_flags(TMY_MAC_FOR_FILE);
+	const bool is_enforce = (mode == 3);
+	struct path_info *buf;
+
+	if (!mode)
+		return 0;
+
+	buf = tmy_get_path(filp->f_dentry, filp->f_vfsmnt);
+	if (!buf)
+		goto out;
+
+	if (tmy_is_no_rewrite_file(buf)) {
+		struct obj_info obj;
+		memset(&obj, 0, sizeof(obj));
+		obj.path1_dentry = filp->f_dentry;
+		obj.path1_vfsmnt = filp->f_vfsmnt;
+		error = tmy_single_write_perm2(TMY_TYPE_REWRITE_ACL,
+					       buf, &obj);
+	} else
+		error = 0;
+
+	tmy_free(buf);
+
+out: ;
+	if (!is_enforce)
+		error = 0;
+	return error;
+}
+
+/**
+ * tmy_double_write_perm - check permission for link(2)/rename(2) operation.
+ * @operation: operation index number.
+ * @dentry1:   pointer to "struct dentry".
+ * @mnt1:      pointer to "struct vfsmount".
+ * @dentry2:   pointer to "struct dentry".
+ * @mnt2:      pointer to "struct vfsmount".
+ *
+ * Returns zero if permission granted.
+ * Returns nonzero if permission denied.
+ */
+int tmy_double_write_perm(const unsigned int operation,
+			  struct dentry *dentry1,
+			  struct vfsmount *mnt1,
+			  struct dentry *dentry2,
+			  struct vfsmount *mnt2)
+{
+	struct obj_info obj;
+	int error = -ENOMEM;
+	struct path_info *buf1;
+	struct path_info *buf2;
+	struct domain_info * const domain = TMY_SECURITY->domain;
+	const u8 profile = domain->profile;
+	const unsigned int mode = tmy_flags(TMY_MAC_FOR_FILE);
+	const bool is_enforce = (mode == 3);
+
+	if (!mode)
+		return 0;
+	buf1 = tmy_get_path(dentry1, mnt1);
+	buf2 = tmy_get_path(dentry2, mnt2);
+
+	if (!buf1 || !buf2)
+		goto out;
+
+	memset(&obj, 0, sizeof(obj));
+	obj.path1_dentry = dentry1;
+	obj.path1_vfsmnt = mnt1;
+	obj.path2_dentry = dentry2;
+	obj.path2_vfsmnt = mnt2;
+	if (operation == TMY_TYPE_RENAME_ACL) {
+		/* TMY_TYPE_LINK_ACL can't reach here for directory. */
+		if (dentry1->d_inode && S_ISDIR(dentry1->d_inode->i_mode)) {
+			if (!buf1->is_dir) {
+				strcat((char *) buf1->name, "/");
+				tmy_fill_path_info(buf1);
+			}
+			if (!buf2->is_dir) {
+				strcat((char *) buf2->name, "/");
+				tmy_fill_path_info(buf2);
+			}
+		}
+	}
+	error = tmy_double_write_acl(operation, buf1, buf2, &obj);
+
+	tmy_audit_write_log(tmy_acltype2keyword(operation),
+			    buf1, buf2, !error, profile, mode);
+
+	if (!error)
+		goto out;
+
+	if (tmy_flags(TMY_VERBOSE))
+		tmy_audit("TOMOYO-%s: Access '%s %s %s' denied for %s\n",
+			  tmy_getmsg(is_enforce),
+			  tmy_acltype2keyword(operation),
+			  buf1->name, buf2->name, tmy_lastname(domain));
+
+	if (is_enforce)
+		error = tmy_supervisor("%s\nallow_%s %s %s\n",
+				       domain->domainname->name,
+				       tmy_acltype2keyword(operation),
+				       buf1->name, buf2->name);
+	else if (mode == 1 && tmy_quota())
+		tmy_add_double_write_acl(operation,
+					 tmy_get_pattern(buf1)->name,
+					 tmy_get_pattern(buf2)->name,
+					 domain, NULL, 0);
+
+out: ;
+	tmy_free(buf1);
+	tmy_free(buf2);
+	if (!is_enforce)
+		error = 0;
+	return error;
+}

--