[TOMOYO 09/15] Argv[0] access control functions.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kentaro Takeda <k.takeda26@gmail.com>
To: linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org, chrisw@sous-sol.org
Subject: [TOMOYO 09/15] Argv[0] access control functions.
Date: Fri, 24 Aug 2007 21:53:48 +0900	[thread overview]
Message-ID: <46CED4DC.5040405@gmail.com> (raw)
In-Reply-To: <46CED214.6050505@gmail.com>

argv[0] check functions for TOMOYO Linux.
If the executed program name and argv[0] is different,
TOMOYO Linux checks permission.

Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/tomoyo/exec.c |  230 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 230 insertions(+)

--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6/security/tomoyo/exec.c	2007-08-24 15:51:37.000000000 +0900
@@ -0,0 +1,230 @@
+/*
+ * security/tomoyo/exec.c
+ *
+ * Argv0 access control functions for TOMOYO Linux.
+ */
+
+#include "tomoyo.h"
+#include "realpath.h"
+
+/*************************  AUDIT FUNCTIONS  *************************/
+
+static int tmy_audit_argv0_log(const struct path_info *filename,
+			       const char *argv0,
+			       const int is_granted,
+			       const int is_enforce)
+{
+	char *buf;
+	int len;
+
+	if (is_granted) {
+		if (!tmy_audit_grant())
+			return 0;
+	} else {
+		if (!tmy_audit_reject())
+			return 0;
+	}
+
+	len = filename->total_len + strlen(argv0) + 8;
+	buf = tmy_init_audit_log(&len);
+
+	if (!buf)
+		return -ENOMEM;
+
+	snprintf(buf + strlen(buf),
+		 len - strlen(buf) - 1,
+		 TMY_ALLOW_ARGV0 "%s %s",
+		 filename->name,
+		 argv0);
+
+	return tmy_write_audit_log(buf, is_granted, is_enforce);
+}
+
+/*************************  ARGV0 MISMATCH HANDLER  *************************/
+
+/*
+ * @is_add:   1  add this entry if not quota exceeded
+ *           -1  always add this entry
+ *            0  remove this entry
+ */
+static int tmy_add_argv0_entry(const char *filename,
+			       const char *argv0,
+			       struct domain_info *domain,
+			       const struct condition_list *cond,
+			       const u8 is_add)
+{
+	struct acl_info *ptr;
+	const struct path_info *saved_filename;
+	const struct path_info *saved_argv0;
+	int error = -ENOMEM;
+
+	if (!tmy_correct_path(filename, 1, 0, -1, __FUNCTION__) ||
+	    !tmy_correct_path(argv0, -1, 0, -1, __FUNCTION__) ||
+	    strchr(argv0, '/'))
+		return -EINVAL;
+
+	saved_filename = tmy_save_name(filename);
+	saved_argv0 = tmy_save_name(argv0);
+	if (!saved_filename || !saved_argv0)
+		return -ENOMEM;
+
+	down(&domain_acl_lock);
+
+	if (!is_add)
+		goto remove;
+
+	ptr = domain->first_acl_ptr;
+	if (!ptr)
+		goto first_entry;
+	while (1) {
+		struct argv0_acl *acl = (struct argv0_acl *) ptr;
+
+		if (ptr->type == TMY_TYPE_ARGV0_ACL && ptr->cond == cond &&
+		    acl->filename == saved_filename &&
+		    acl->argv0 == saved_argv0) {
+			ptr->is_deleted = 0;
+			/* Found. Nothing to do. */
+			error = 0;
+			break;
+		}
+
+		if (ptr->next) {
+			ptr = ptr->next;
+			continue;
+		}
+
+first_entry: ;
+		if (is_add == 1 && tmy_too_many_acl(domain))
+			break;
+
+		/* Not found. Append it to the tail. */
+		acl = tmy_alloc_element(sizeof(*acl));
+		if (!acl)
+			break;
+
+		acl->head.type = TMY_TYPE_ARGV0_ACL;
+		acl->head.cond = cond;
+		acl->filename = saved_filename;
+		acl->argv0 = saved_argv0;
+		error = tmy_add_acl(ptr, domain,
+				    (struct acl_info *) acl);
+
+		break;
+	}
+	goto ok;
+remove: ;
+	error = -ENOENT;
+	for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) {
+		struct argv0_acl *acl = (struct argv0_acl *) ptr;
+
+		if (ptr->type != TMY_TYPE_ARGV0_ACL ||
+		    ptr->cond != cond || ptr->is_deleted ||
+		    acl->filename != saved_filename ||
+		    acl->argv0 != saved_argv0)
+			continue;
+
+		error = tmy_del_acl(ptr);
+		break;
+	}
+ok: ;
+	up(&domain_acl_lock);
+
+	return error;
+}
+
+static int tmy_argv0_acl(const struct path_info *filename,
+			 const char *argv0_)
+{
+	const struct domain_info *domain = TMY_SECURITY->domain;
+	int error = -EPERM;
+	struct acl_info *ptr;
+	struct path_info argv0;
+
+	if (!tmy_flags(TMY_MAC_FOR_ARGV0))
+		return 0;
+
+	argv0.name = argv0_;
+	tmy_fill_path_info(&argv0);
+
+	for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) {
+		struct argv0_acl *acl = (struct argv0_acl *) ptr;
+
+		if (ptr->type == TMY_TYPE_ARGV0_ACL &&
+		    ptr->is_deleted == 0 &&
+		    tmy_check_condition(ptr->cond, NULL) == 0 &&
+		    tmy_path_match(filename, acl->filename) &&
+		    tmy_path_match(&argv0, acl->argv0)) {
+			error = 0;
+			break;
+		}
+	}
+
+	return error;
+}
+
+/**
+ * tmy_argv0_perm - check for argv[0] permission.
+ * @filename: pointer to filename.
+ * @argv0:    pointer to basename of argv[0].
+ *
+ * Returns zero if permission granted.
+ * Returns nonzero if permission denied.
+ */
+int tmy_argv0_perm(const struct path_info *filename, const char *argv0)
+{
+	int error = 0;
+	const int is_enforce = tmy_enforce(TMY_MAC_FOR_ARGV0);
+
+	if (!tmy_flags(TMY_MAC_FOR_ARGV0))
+		return 0;
+	if (!filename || !argv0 || !*argv0)
+		return 0;
+
+	error = tmy_argv0_acl(filename, argv0);
+
+	tmy_audit_argv0_log(filename, argv0, !error, is_enforce);
+
+	if (error) {
+		struct domain_info * const domain = TMY_SECURITY->domain;
+
+		if (is_enforce)
+			error = tmy_supervisor("%s\n" TMY_ALLOW_ARGV0 "%s %s\n",
+					       domain->domainname->name,
+					       filename->name, argv0);
+
+		else if (tmy_accept(TMY_MAC_FOR_ARGV0))
+			tmy_add_argv0_entry(filename->name, argv0, domain,
+					    NULL, 1);
+
+		if (!is_enforce)
+			error = 0;
+	}
+
+	return error;
+}
+
+/**
+ * tmy_add_argv0_policy - add or delete argv[0] policy.
+ * @data:      a line to parse.
+ * @domain:    pointer to "struct domain_info".
+ * @cond:      pointer to "struct condition_list". May be NULL.
+ * @is_delete: is this delete request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ */
+int tmy_add_argv0_policy(char *data,
+			 struct domain_info *domain,
+			 const struct condition_list *cond,
+			 const int is_delete)
+{
+	char *argv0 = strchr(data, ' ');
+
+	if (!argv0)
+		return -EINVAL;
+
+	*argv0++ = '\0';
+
+	return tmy_add_argv0_entry(data, argv0, domain, cond,
+				   is_delete ? 0 : -1);
+}

next prev parent reply	other threads:[~2007-08-24 12:54 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-08-24 12:41 [TOMOYO 00/15] TOMOYO Linux - MAC based on process invocation histroy Kentaro Takeda
2007-08-24 12:44 ` [TOMOYO 01/15] Allow use of namespace_sem from LSM module Kentaro Takeda
2007-08-24 12:45 ` [TOMOYO 02/15] Kconfig and Makefile for TOMOYO Linux Kentaro Takeda
2007-08-24 12:50   ` Jiri Kosina
2007-08-24 12:46 ` [TOMOYO 03/15] Data structures and prototypes definition Kentaro Takeda
2007-08-24 12:48 ` [TOMOYO 04/15] Memory and pathname management functions Kentaro Takeda
2007-08-24 12:49 ` [TOMOYO 05/15] Utility functions and /proc interface for policy manipulation Kentaro Takeda
2007-08-24 12:50 ` [TOMOYO 06/15] Domain transition handler functions Kentaro Takeda
2007-08-24 12:52 ` [TOMOYO 07/15] Auditing interface Kentaro Takeda
2007-08-24 12:53 ` [TOMOYO 08/15] File access control functions Kentaro Takeda
2007-08-24 12:53 ` Kentaro Takeda [this message]
2007-08-24 12:54 ` [TOMOYO 10/15] Networking " Kentaro Takeda
2007-08-24 12:55 ` [TOMOYO 11/15] Namespace manipulation " Kentaro Takeda
2007-08-24 12:56 ` [TOMOYO 12/15] Signal transmission " Kentaro Takeda
2007-08-24 12:56 ` [TOMOYO 13/15] LSM adapter for TOMOYO Kentaro Takeda
2007-08-24 12:57 ` [TOMOYO 14/15] Conditional permission support Kentaro Takeda
2007-08-25 11:08   ` Pavel Machek
2007-08-25 22:46     ` Toshiharu Harada
2007-08-26  2:13     ` Tetsuo Handa
2007-08-27 12:11       ` Kyle Moffett
2007-08-28 13:00         ` Tetsuo Handa
2007-08-24 12:58 ` [TOMOYO 15/15] LSM expansion for TOMOYO Linux Kentaro Takeda
2007-08-27 14:49   ` Paul Moore
2007-08-28 10:39     ` Tetsuo Handa
2007-08-28 13:21       ` Paul Moore
2007-09-03 13:15         ` Tetsuo Handa
2007-09-04 11:53           ` Paul Moore
2007-09-04 14:02             ` Tetsuo Handa
2007-09-04 14:13               ` Kyle Moffett
2007-09-05 14:06               ` Paul Moore
2007-09-06 13:04                 ` Tetsuo Handa
2007-09-06 15:25                   ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=46CED4DC.5040405@gmail.com \
    --to=k.takeda26@gmail.com \
    --cc=chrisw@sous-sol.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.