From: Kentaro Takeda <takedakn@nttdata.co.jp>
To: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: chrisw@sous-sol.org
Subject: [TOMOYO 11/15](repost) Signal transmission control functions.
Date: Tue, 02 Oct 2007 16:37:45 +0900 [thread overview]
Message-ID: <4701F549.6060602@nttdata.co.jp> (raw)
In-Reply-To: <4701F285.5000206@nttdata.co.jp>
Signal control functions for TOMOYO Linux.
TOMOYO Linux checks sending signal by signal number and
the domain of target process. In order to check signal
permission, LSM expansion patch [TOMOYO 14/15] is needed.
Each permission can be automatically accumulated into
the policy of each domain using 'learning mode'.
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
security/tomoyo/signal.c | 229 +++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 229 insertions(+)
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6/security/tomoyo/signal.c 2007-10-02 11:26:22.000000000 +0900
@@ -0,0 +1,229 @@
+/*
+ * security/tomoyo/signal.c
+ *
+ * Signal access contol functions for TOMOYO Linux.
+ */
+
+#include "tomoyo.h"
+#include "realpath.h"
+
+/************************* AUDIT FUNCTIONS *************************/
+
+static int tmy_audit_signal_log(const int signal,
+ const struct path_info *dest_domain,
+ const u8 is_granted,
+ const u8 is_enforce)
+{
+ char *buf;
+ int len;
+
+ if (is_granted) {
+ if (!tmy_audit_grant())
+ return 0;
+ } else {
+ if (!tmy_audit_reject())
+ return 0;
+ }
+
+ len = dest_domain->total_len;
+ buf = tmy_init_audit_log(&len);
+
+ if (!buf)
+ return -ENOMEM;
+
+ snprintf(buf + strlen(buf),
+ len - strlen(buf) - 1,
+ "%s%d %s",
+ TMY_ALLOW_SIGNAL, signal, dest_domain->name);
+
+ return tmy_write_audit_log(buf, is_granted, is_enforce);
+}
+
+/************************* SIGNAL ACL HANDLER *************************/
+
+static int tmy_add_signal_entry(const u16 sig, const char *dest_pattern,
+ struct domain_info *domain,
+ const struct condition_list *cond,
+ const u8 is_delete)
+{
+ struct acl_info *ptr;
+ const struct path_info *saved_dest_pattern;
+ int error = -ENOMEM;
+
+ if (!domain)
+ return -EINVAL;
+ if (!dest_pattern ||
+ !tmy_is_correct_domain(dest_pattern, __FUNCTION__))
+ return -EINVAL;
+
+ saved_dest_pattern = tmy_save_name(dest_pattern);
+ if (!saved_dest_pattern)
+ return -ENOMEM;
+
+ down(&domain_acl_lock);
+
+ if (is_delete)
+ goto remove;
+
+ ptr = domain->first_acl_ptr;
+ if (!ptr)
+ goto first_entry;
+
+ while (1) {
+ struct signal_acl *acl = (struct signal_acl *) ptr;
+
+ if (ptr->type == TMY_TYPE_SIGNAL_ACL && acl->sig == sig
+ && ptr->cond == cond
+ && !tmy_pathcmp(acl->domainname, saved_dest_pattern)) {
+ ptr->is_deleted = 0;
+ /* Found. Nothing to do. */
+ error = 0;
+ break;
+ }
+
+ if (ptr->next) {
+ ptr = ptr->next;
+ continue;
+ }
+
+first_entry: ;
+ /* Not found. Append it to the tail. */
+ acl = tmy_alloc_element(sizeof(*acl));
+ if (!acl)
+ break;
+
+ acl->head.type = TMY_TYPE_SIGNAL_ACL;
+ acl->head.cond = cond;
+ acl->sig = sig;
+ acl->domainname = saved_dest_pattern;
+ error = tmy_add_acl(ptr, domain, (struct acl_info *) acl);
+ break;
+ }
+ goto ok;
+remove: ;
+ error = -ENOENT;
+ for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) {
+ struct signal_acl *acl = (struct signal_acl *) ptr;
+ if (ptr->type != TMY_TYPE_SIGNAL_ACL || ptr->cond != cond ||
+ ptr->is_deleted || acl->sig != sig ||
+ tmy_pathcmp(acl->domainname, saved_dest_pattern))
+ continue;
+ error = tmy_del_acl(ptr);
+ break;
+ }
+
+ok: ;
+ up(&domain_acl_lock);
+
+ return error;
+}
+
+/**
+ * tmy_signal_acl - check permission for kill(2)/tkill(2)/tgkill(2).
+ * @sig: signal number.
+ * @pid: pid of destination process.
+ *
+ * Returns zero if permission granted.
+ * Returns nonzero if permission denied.
+ */
+int tmy_signal_acl(const int sig, const int pid)
+{
+ struct domain_info *domain = TMY_SECURITY->domain;
+ struct domain_info *dest = NULL;
+ const char *dest_pattern;
+ struct acl_info *ptr;
+ const u16 hash = sig;
+ const u8 is_enforce = tmy_enforce(TMY_MAC_FOR_SIGNAL);
+
+ if (!tmy_flags(TMY_MAC_FOR_SIGNAL))
+ return 0;
+ if (!sig)
+ return 0; /* No check for NULL signal. */
+ if (current->pid == pid) {
+ tmy_audit_signal_log(sig, domain->domainname, 1, is_enforce);
+ return 0; /* No check for self. */
+ }
+
+ { /* Simplified checking. */
+ struct task_struct *p = NULL;
+ read_lock(&tasklist_lock);
+ if (pid > 0)
+ p = find_task_by_pid((pid_t) pid);
+ else if (pid == 0)
+ p = current;
+ else if (pid == -1)
+ dest = &KERNEL_DOMAIN;
+ else
+ p = find_task_by_pid((pid_t) -pid);
+ if (p)
+ /* "struct task_struct"->security is not NULL. */
+ dest = ((struct tmy_security *) p->security)->domain;
+ read_unlock(&tasklist_lock);
+ if (!dest)
+ return 0; /* I can't find destinatioin. */
+ }
+
+ if (domain == dest) {
+ tmy_audit_signal_log(sig, dest->domainname, 1, is_enforce);
+ return 0;
+ }
+
+ dest_pattern = dest->domainname->name;
+ for (ptr = domain->first_acl_ptr; ptr; ptr = ptr->next) {
+ struct signal_acl *acl = (struct signal_acl *) ptr;
+
+ if (ptr->type == TMY_TYPE_SIGNAL_ACL && ptr->is_deleted == 0
+ && acl->sig == hash &&
+ tmy_check_condition(ptr->cond, NULL) == 0) {
+ const int len = acl->domainname->total_len;
+
+ if (strncmp(acl->domainname->name,
+ dest_pattern, len) == 0
+ && (dest_pattern[len] == ' ' ||
+ dest_pattern[len] == '\0'))
+ break;
+
+ }
+ }
+
+ if (ptr) {
+ tmy_audit_signal_log(sig, dest->domainname, 1, is_enforce);
+ return 0;
+ }
+
+ tmy_audit_signal_log(sig, dest->domainname, 0, is_enforce);
+ if (is_enforce)
+ return tmy_supervisor("%s\n" TMY_ALLOW_SIGNAL "%d %s\n",
+ domain->domainname->name,
+ sig, dest_pattern);
+ if (tmy_accept(TMY_MAC_FOR_SIGNAL, domain))
+ tmy_add_signal_entry(sig, dest_pattern, domain, NULL, 0);
+
+ return 0;
+}
+
+/**
+ * tmy_add_signal_policy - add or delete signal policy.
+ * @data: a line to parse.
+ * @domain: pointer to "struct domain_info".
+ * @cond: pointer to "struct condition_list". May be NULL.
+ * @is_delete: is this delete request?
+ *
+ * Returns zero on success.
+ * Returns nonzero on failure.
+ */
+int tmy_add_signal_policy(char *data,
+ struct domain_info *domain,
+ const struct condition_list *cond,
+ const u8 is_delete)
+{
+ int sig;
+ char *domainname = strchr(data, ' ');
+
+ if (sscanf(data, "%d", &sig) == 1 && domainname &&
+ tmy_is_domain_def(domainname + 1))
+ return tmy_add_signal_entry(sig, domainname + 1, domain,
+ cond, is_delete);
+
+ return -EINVAL;
+}
next prev parent reply other threads:[~2007-10-02 7:38 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-02 7:25 [TOMOYO 00/15](repost) TOMOYO Linux - MAC based on process invocation history Kentaro Takeda
2007-10-02 7:28 ` [TOMOYO 01/15](repost) Allow use of namespace_sem from LSM module Kentaro Takeda
2007-10-02 7:29 ` [TOMOYO 02/15](repost) Data structures and prototypes definition Kentaro Takeda
2007-10-02 7:30 ` [TOMOYO 03/15](repost) Memory and pathname management functions Kentaro Takeda
2007-10-03 7:39 ` James Morris
2007-10-03 11:12 ` Tetsuo Handa
2007-10-02 7:31 ` [TOMOYO 04/15](repost) Utility functions and securityfs interface for policy manipulation Kentaro Takeda
2007-10-02 8:05 ` Paul Mundt
2007-10-02 14:15 ` Greg KH
2007-10-02 7:32 ` [TOMOYO 05/15](repost) Domain transition handler functions Kentaro Takeda
2007-10-02 11:15 ` James Morris
2007-10-02 12:44 ` Tetsuo Handa
2007-10-02 13:00 ` YOSHIFUJI Hideaki / 吉藤英明
2007-10-02 13:07 ` James Morris
2007-10-02 14:50 ` Andi Kleen
2007-10-03 11:24 ` Tetsuo Handa
2007-10-03 11:43 ` YOSHIFUJI Hideaki / 吉藤英明
2007-10-03 12:37 ` James Morris
2007-10-03 13:04 ` Tetsuo Handa
2007-10-03 13:11 ` YOSHIFUJI Hideaki / 吉藤英明
2007-10-03 13:14 ` KaiGai Kohei
2007-10-03 13:59 ` Tetsuo Handa
2007-10-03 14:07 ` Peter Zijlstra
2007-10-03 14:26 ` Tetsuo Handa
2007-10-03 14:26 ` Peter Zijlstra
2007-10-03 14:32 ` YOSHIFUJI Hideaki / 吉藤英明
2007-10-03 14:39 ` James Morris
2007-10-03 14:56 ` Tetsuo Handa
2007-10-04 12:57 ` Tetsuo Handa
2007-10-03 14:37 ` Jiri Kosina
2007-10-07 10:38 ` Sleeping in RCU list traversal Tetsuo Handa
2007-10-03 13:24 ` [TOMOYO 05/15](repost) Domain transition handler functions Peter Zijlstra
2007-10-03 14:19 ` Tetsuo Handa
2007-10-03 14:28 ` Peter Zijlstra
2007-10-15 11:46 ` Tetsuo Handa
2007-10-03 14:35 ` David P. Quigley
2007-10-15 12:09 ` Tetsuo Handa
2007-10-02 7:33 ` [TOMOYO 06/15](repost) Auditing interface Kentaro Takeda
2007-10-02 7:34 ` [TOMOYO 07/15](repost) File access control functions Kentaro Takeda
2007-10-02 7:35 ` [TOMOYO 08/15](repost) Argv[0] " Kentaro Takeda
2007-10-02 7:36 ` [TOMOYO 09/15](repost) Networking " Kentaro Takeda
2007-10-02 7:37 ` [TOMOYO 10/15](repost) Namespace manipulation " Kentaro Takeda
2007-10-02 7:37 ` Kentaro Takeda [this message]
2007-10-02 7:38 ` [TOMOYO 12/15](repost) LSM adapter for TOMOYO Kentaro Takeda
2007-10-02 7:39 ` [TOMOYO 13/15](repost) Conditional permission support Kentaro Takeda
2007-10-02 7:39 ` [TOMOYO 14/15](repost) LSM expansion for TOMOYO Linux Kentaro Takeda
2007-10-02 12:48 ` James Morris
2007-10-02 13:33 ` Tetsuo Handa
2007-10-02 14:36 ` James Morris
2007-10-02 21:49 ` Tetsuo Handa
2007-10-02 7:40 ` [TOMOYO 15/15](repost) Kconfig and Makefile " Kentaro Takeda
2007-10-02 7:42 ` [TOMOYO 00/15](repost) TOMOYO Linux - MAC based on process invocation history Kentaro Takeda
2007-10-02 10:37 ` James Morris
2007-10-02 10:58 ` Kentaro Takeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4701F549.6060602@nttdata.co.jp \
--to=takedakn@nttdata.co.jp \
--cc=chrisw@sous-sol.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox