1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * security/tomoyo/condition.c
4 *
5 * Copyright (C) 2005-2011 NTT DATA CORPORATION
6 */
7
8 #include "common.h"
9 #include <linux/slab.h>
10
11 /* List of "struct tomoyo_condition". */
12 LIST_HEAD(tomoyo_condition_list);
13
14 /**
15 * tomoyo_argv - Check argv[] in "struct linux_binbrm".
16 *
17 * @index: Index number of @arg_ptr.
18 * @arg_ptr: Contents of argv[@index].
19 * @argc: Length of @argv.
20 * @argv: Pointer to "struct tomoyo_argv".
21 * @checked: Set to true if @argv[@index] was found.
22 *
23 * Returns true on success, false otherwise.
24 */
25 static bool tomoyo_argv(const unsigned int index, const char *arg_ptr,
26 const int argc, const struct tomoyo_argv *argv,
27 u8 *checked)
28 {
29 int i;
30 struct tomoyo_path_info arg;
31
32 arg.name = arg_ptr;
33 for (i = 0; i < argc; argv++, checked++, i++) {
34 bool result;
35
36 if (index != argv->index)
37 continue;
38 *checked = 1;
39 tomoyo_fill_path_info(&arg);
40 result = tomoyo_path_matches_pattern(&arg, argv->value);
41 if (argv->is_not)
42 result = !result;
43 if (!result)
44 return false;
45 }
46 return true;
47 }
48
49 /**
50 * tomoyo_envp - Check envp[] in "struct linux_binbrm".
51 *
52 * @env_name: The name of environment variable.
53 * @env_value: The value of environment variable.
54 * @envc: Length of @envp.
55 * @envp: Pointer to "struct tomoyo_envp".
56 * @checked: Set to true if @envp[@env_name] was found.
57 *
58 * Returns true on success, false otherwise.
59 */
60 static bool tomoyo_envp(const char *env_name, const char *env_value,
61 const int envc, const struct tomoyo_envp *envp,
62 u8 *checked)
63 {
64 int i;
65 struct tomoyo_path_info name;
66 struct tomoyo_path_info value;
67
68 name.name = env_name;
69 tomoyo_fill_path_info(&name);
70 value.name = env_value;
71 tomoyo_fill_path_info(&value);
72 for (i = 0; i < envc; envp++, checked++, i++) {
73 bool result;
74
75 if (!tomoyo_path_matches_pattern(&name, envp->name))
76 continue;
77 *checked = 1;
78 if (envp->value) {
79 result = tomoyo_path_matches_pattern(&value,
80 envp->value);
81 if (envp->is_not)
82 result = !result;
83 } else {
84 result = true;
85 if (!envp->is_not)
86 result = !result;
87 }
88 if (!result)
89 return false;
90 }
91 return true;
92 }
93
94 /**
95 * tomoyo_scan_bprm - Scan "struct linux_binprm".
96 *
97 * @ee: Pointer to "struct tomoyo_execve".
98 * @argc: Length of @argc.
99 * @argv: Pointer to "struct tomoyo_argv".
100 * @envc: Length of @envp.
101 * @envp: Poiner to "struct tomoyo_envp".
102 *
103 * Returns true on success, false otherwise.
104 */
105 static bool tomoyo_scan_bprm(struct tomoyo_execve *ee,
106 const u16 argc, const struct tomoyo_argv *argv,
107 const u16 envc, const struct tomoyo_envp *envp)
108 {
109 struct linux_binprm *bprm = ee->bprm;
110 struct tomoyo_page_dump *dump = &ee->dump;
111 char *arg_ptr = ee->tmp;
112 int arg_len = 0;
113 unsigned long pos = bprm->p;
114 int offset = pos % PAGE_SIZE;
115 int argv_count = bprm->argc;
116 int envp_count = bprm->envc;
117 bool result = true;
118 u8 local_checked[32];
119 u8 *checked;
120
121 if (argc + envc <= sizeof(local_checked)) {
122 checked = local_checked;
123 memset(local_checked, 0, sizeof(local_checked));
124 } else {
125 checked = kzalloc(argc + envc, GFP_NOFS);
126 if (!checked)
127 return false;
128 }
129 while (argv_count || envp_count) {
130 if (!tomoyo_dump_page(bprm, pos, dump)) {
131 result = false;
132 goto out;
133 }
134 pos += PAGE_SIZE - offset;
135 while (offset < PAGE_SIZE) {
136 /* Read. */
137 const char *kaddr = dump->data;
138 const unsigned char c = kaddr[offset++];
139
140 if (c && arg_len < TOMOYO_EXEC_TMPSIZE - 10) {
141 if (c == '\\') {
142 arg_ptr[arg_len++] = '\\';
143 arg_ptr[arg_len++] = '\\';
144 } else if (c > ' ' && c < 127) {
145 arg_ptr[arg_len++] = c;
146 } else {
147 arg_ptr[arg_len++] = '\\';
148 arg_ptr[arg_len++] = (c >> 6) + '0';
149 arg_ptr[arg_len++] =
150 ((c >> 3) & 7) + '0';
151 arg_ptr[arg_len++] = (c & 7) + '0';
152 }
153 } else {
154 arg_ptr[arg_len] = '\0';
155 }
156 if (c)
157 continue;
158 /* Check. */
159 if (argv_count) {
160 if (!tomoyo_argv(bprm->argc - argv_count,
161 arg_ptr, argc, argv,
162 checked)) {
163 result = false;
164 break;
165 }
166 argv_count--;
167 } else if (envp_count) {
168 char *cp = strchr(arg_ptr, '=');
169
170 if (cp) {
171 *cp = '\0';
172 if (!tomoyo_envp(arg_ptr, cp + 1,
173 envc, envp,
174 checked + argc)) {
175 result = false;
176 break;
177 }
178 }
179 envp_count--;
180 } else {
181 break;
182 }
183 arg_len = 0;
184 }
185 offset = 0;
186 if (!result)
187 break;
188 }
189 out:
190 if (result) {
191 int i;
192
193 /* Check not-yet-checked entries. */
194 for (i = 0; i < argc; i++) {
195 if (checked[i])
196 continue;
197 /*
198 * Return true only if all unchecked indexes in
199 * bprm->argv[] are not matched.
200 */
201 if (argv[i].is_not)
202 continue;
203 result = false;
204 break;
205 }
206 for (i = 0; i < envc; envp++, i++) {
207 if (checked[argc + i])
208 continue;
209 /*
210 * Return true only if all unchecked environ variables
211 * in bprm->envp[] are either undefined or not matched.
212 */
213 if ((!envp->value && !envp->is_not) ||
214 (envp->value && envp->is_not))
215 continue;
216 result = false;
217 break;
218 }
219 }
220 if (checked != local_checked)
221 kfree(checked);
222 return result;
223 }
224
225 /**
226 * tomoyo_scan_exec_realpath - Check "exec.realpath" parameter of "struct tomoyo_condition".
227 *
228 * @file: Pointer to "struct file".
229 * @ptr: Pointer to "struct tomoyo_name_union".
230 * @match: True if "exec.realpath=", false if "exec.realpath!=".
231 *
232 * Returns true on success, false otherwise.
233 */
234 static bool tomoyo_scan_exec_realpath(struct file *file,
235 const struct tomoyo_name_union *ptr,
236 const bool match)
237 {
238 bool result;
239 struct tomoyo_path_info exe;
240
241 if (!file)
242 return false;
243 exe.name = tomoyo_realpath_from_path(&file->f_path);
244 if (!exe.name)
245 return false;
246 tomoyo_fill_path_info(&exe);
247 result = tomoyo_compare_name_union(&exe, ptr);
248 kfree(exe.name);
249 return result == match;
250 }
251
252 /**
253 * tomoyo_get_dqword - tomoyo_get_name() for a quoted string.
254 *
255 * @start: String to save.
256 *
257 * Returns pointer to "struct tomoyo_path_info" on success, NULL otherwise.
258 */
259 static const struct tomoyo_path_info *tomoyo_get_dqword(char *start)
260 {
261 char *cp = start + strlen(start) - 1;
262
263 if (cp == start || *start++ != '"' || *cp != '"')
264 return NULL;
265 *cp = '\0';
266 if (*start && !tomoyo_correct_word(start))
267 return NULL;
268 return tomoyo_get_name(start);
269 }
270
271 /**
272 * tomoyo_parse_name_union_quoted - Parse a quoted word.
273 *
274 * @param: Pointer to "struct tomoyo_acl_param".
275 * @ptr: Pointer to "struct tomoyo_name_union".
276 *
277 * Returns true on success, false otherwise.
278 */
279 static bool tomoyo_parse_name_union_quoted(struct tomoyo_acl_param *param,
280 struct tomoyo_name_union *ptr)
281 {
282 char *filename = param->data;
283
284 if (*filename == '@')
285 return tomoyo_parse_name_union(param, ptr);
286 ptr->filename = tomoyo_get_dqword(filename);
287 return ptr->filename != NULL;
288 }
289
290 /**
291 * tomoyo_parse_argv - Parse an argv[] condition part.
292 *
293 * @left: Lefthand value.
294 * @right: Righthand value.
295 * @argv: Pointer to "struct tomoyo_argv".
296 *
297 * Returns true on success, false otherwise.
298 */
299 static bool tomoyo_parse_argv(char *left, char *right,
300 struct tomoyo_argv *argv)
301 {
302 if (tomoyo_parse_ulong(&argv->index, &left) !=
303 TOMOYO_VALUE_TYPE_DECIMAL || *left++ != ']' || *left)
304 return false;
305 argv->value = tomoyo_get_dqword(right);
306 return argv->value != NULL;
307 }
308
309 /**
310 * tomoyo_parse_envp - Parse an envp[] condition part.
311 *
312 * @left: Lefthand value.
313 * @right: Righthand value.
314 * @envp: Pointer to "struct tomoyo_envp".
315 *
316 * Returns true on success, false otherwise.
317 */
318 static bool tomoyo_parse_envp(char *left, char *right,
319 struct tomoyo_envp *envp)
320 {
321 const struct tomoyo_path_info *name;
322 const struct tomoyo_path_info *value;
323 char *cp = left + strlen(left) - 1;
324
325 if (*cp-- != ']' || *cp != '"')
326 goto out;
327 *cp = '\0';
328 if (!tomoyo_correct_word(left))
329 goto out;
330 name = tomoyo_get_name(left);
331 if (!name)
332 goto out;
333 if (!strcmp(right, "NULL")) {
334 value = NULL;
335 } else {
336 value = tomoyo_get_dqword(right);
337 if (!value) {
338 tomoyo_put_name(name);
339 goto out;
340 }
341 }
342 envp->name = name;
343 envp->value = value;
344 return true;
345 out:
346 return false;
347 }
348
349 /**
350 * tomoyo_same_condition - Check for duplicated "struct tomoyo_condition" entry.
351 *
352 * @a: Pointer to "struct tomoyo_condition".
353 * @b: Pointer to "struct tomoyo_condition".
354 *
355 * Returns true if @a == @b, false otherwise.
356 */
357 static inline bool tomoyo_same_condition(const struct tomoyo_condition *a,
358 const struct tomoyo_condition *b)
359 {
360 return a->size == b->size && a->condc == b->condc &&
361 a->numbers_count == b->numbers_count &&
362 a->names_count == b->names_count &&
363 a->argc == b->argc && a->envc == b->envc &&
364 a->grant_log == b->grant_log && a->transit == b->transit &&
365 !memcmp(a + 1, b + 1, a->size - sizeof(*a));
366 }
367
368 /**
369 * tomoyo_condition_type - Get condition type.
370 *
371 * @word: Keyword string.
372 *
373 * Returns one of values in "enum tomoyo_conditions_index" on success,
374 * TOMOYO_MAX_CONDITION_KEYWORD otherwise.
375 */
376 static u8 tomoyo_condition_type(const char *word)
377 {
378 u8 i;
379
380 for (i = 0; i < TOMOYO_MAX_CONDITION_KEYWORD; i++) {
381 if (!strcmp(word, tomoyo_condition_keyword[i]))
382 break;
383 }
384 return i;
385 }
386
387 /* Define this to enable debug mode. */
388 /* #define DEBUG_CONDITION */
389
390 #ifdef DEBUG_CONDITION
391 #define dprintk printk
392 #else
393 #define dprintk(...) do { } while (0)
394 #endif
395
396 /**
397 * tomoyo_commit_condition - Commit "struct tomoyo_condition".
398 *
399 * @entry: Pointer to "struct tomoyo_condition".
400 *
401 * Returns pointer to "struct tomoyo_condition" on success, NULL otherwise.
402 *
403 * This function merges duplicated entries. This function returns NULL if
404 * @entry is not duplicated but memory quota for policy has exceeded.
405 */
406 static struct tomoyo_condition *tomoyo_commit_condition
407 (struct tomoyo_condition *entry)
408 {
409 struct tomoyo_condition *ptr;
410 bool found = false;
411
412 if (mutex_lock_interruptible(&tomoyo_policy_lock)) {
413 dprintk(KERN_WARNING "%u: %s failed\n", __LINE__, __func__);
414 ptr = NULL;
415 found = true;
416 goto out;
417 }
418 list_for_each_entry(ptr, &tomoyo_condition_list, head.list) {
419 if (!tomoyo_same_condition(ptr, entry) ||
420 atomic_read(&ptr->head.users) == TOMOYO_GC_IN_PROGRESS)
421 continue;
422 /* Same entry found. Share this entry. */
423 atomic_inc(&ptr->head.users);
424 found = true;
425 break;
426 }
427 if (!found) {
428 if (tomoyo_memory_ok(entry)) {
429 atomic_set(&entry->head.users, 1);
430 list_add(&entry->head.list, &tomoyo_condition_list);
431 } else {
432 found = true;
433 ptr = NULL;
434 }
435 }
436 mutex_unlock(&tomoyo_policy_lock);
437 out:
438 if (found) {
439 tomoyo_del_condition(&entry->head.list);
440 kfree(entry);
441 entry = ptr;
442 }
443 return entry;
444 }
445
446 /**
447 * tomoyo_get_transit_preference - Parse domain transition preference for execve().
448 *
449 * @param: Pointer to "struct tomoyo_acl_param".
450 * @e: Pointer to "struct tomoyo_condition".
451 *
452 * Returns the condition string part.
453 */
454 static char *tomoyo_get_transit_preference(struct tomoyo_acl_param *param,
455 struct tomoyo_condition *e)
456 {
457 char * const pos = param->data;
458 bool flag;
459
460 if (*pos == '<') {
461 e->transit = tomoyo_get_domainname(param);
462 goto done;
463 }
464 {
465 char *cp = strchr(pos, ' ');
466
467 if (cp)
468 *cp = '\0';
469 flag = tomoyo_correct_path(pos) || !strcmp(pos, "keep") ||
470 !strcmp(pos, "initialize") || !strcmp(pos, "reset") ||
471 !strcmp(pos, "child") || !strcmp(pos, "parent");
472 if (cp)
473 *cp = ' ';
474 }
475 if (!flag)
476 return pos;
477 e->transit = tomoyo_get_name(tomoyo_read_token(param));
478 done:
479 if (e->transit)
480 return param->data;
481 /*
482 * Return a bad read-only condition string that will let
483 * tomoyo_get_condition() return NULL.
484 */
485 return "/";
486 }
487
488 /**
489 * tomoyo_get_condition - Parse condition part.
490 *
491 * @param: Pointer to "struct tomoyo_acl_param".
492 *
493 * Returns pointer to "struct tomoyo_condition" on success, NULL otherwise.
494 */
495 struct tomoyo_condition *tomoyo_get_condition(struct tomoyo_acl_param *param)
496 {
497 struct tomoyo_condition *entry = NULL;
498 struct tomoyo_condition_element *condp = NULL;
499 struct tomoyo_number_union *numbers_p = NULL;
500 struct tomoyo_name_union *names_p = NULL;
501 struct tomoyo_argv *argv = NULL;
502 struct tomoyo_envp *envp = NULL;
503 struct tomoyo_condition e = { };
504 char * const start_of_string =
505 tomoyo_get_transit_preference(param, &e);
506 char * const end_of_string = start_of_string + strlen(start_of_string);
507 char *pos;
508
509 rerun:
510 pos = start_of_string;
511 while (1) {
512 u8 left = -1;
513 u8 right = -1;
514 char *left_word = pos;
515 char *cp;
516 char *right_word;
517 bool is_not;
518
519 if (!*left_word)
520 break;
521 /*
522 * Since left-hand condition does not allow use of "path_group"
523 * or "number_group" and environment variable's names do not
524 * accept '=', it is guaranteed that the original line consists
525 * of one or more repetition of $left$operator$right blocks
526 * where "$left is free from '=' and ' '" and "$operator is
527 * either '=' or '!='" and "$right is free from ' '".
528 * Therefore, we can reconstruct the original line at the end
529 * of dry run even if we overwrite $operator with '\0'.
530 */
531 cp = strchr(pos, ' ');
532 if (cp) {
533 *cp = '\0'; /* Will restore later. */
534 pos = cp + 1;
535 } else {
536 pos = "";
537 }
538 right_word = strchr(left_word, '=');
539 if (!right_word || right_word == left_word)
540 goto out;
541 is_not = *(right_word - 1) == '!';
542 if (is_not)
543 *(right_word++ - 1) = '\0'; /* Will restore later. */
544 else if (*(right_word + 1) != '=')
545 *right_word++ = '\0'; /* Will restore later. */
546 else
547 goto out;
548 dprintk(KERN_WARNING "%u: <%s>%s=<%s>\n", __LINE__, left_word,
549 is_not ? "!" : "", right_word);
550 if (!strcmp(left_word, "grant_log")) {
551 if (entry) {
552 if (is_not ||
553 entry->grant_log != TOMOYO_GRANTLOG_AUTO)
554 goto out;
555 else if (!strcmp(right_word, "yes"))
556 entry->grant_log = TOMOYO_GRANTLOG_YES;
557 else if (!strcmp(right_word, "no"))
558 entry->grant_log = TOMOYO_GRANTLOG_NO;
559 else
560 goto out;
561 }
562 continue;
563 }
564 if (!strncmp(left_word, "exec.argv[", 10)) {
565 if (!argv) {
566 e.argc++;
567 e.condc++;
568 } else {
569 e.argc--;
570 e.condc--;
571 left = TOMOYO_ARGV_ENTRY;
572 argv->is_not = is_not;
573 if (!tomoyo_parse_argv(left_word + 10,
574 right_word, argv++))
575 goto out;
576 }
577 goto store_value;
578 }
579 if (!strncmp(left_word, "exec.envp[\"", 11)) {
580 if (!envp) {
581 e.envc++;
582 e.condc++;
583 } else {
584 e.envc--;
585 e.condc--;
586 left = TOMOYO_ENVP_ENTRY;
587 envp->is_not = is_not;
588 if (!tomoyo_parse_envp(left_word + 11,
589 right_word, envp++))
590 goto out;
591 }
592 goto store_value;
593 }
594 left = tomoyo_condition_type(left_word);
595 dprintk(KERN_WARNING "%u: <%s> left=%u\n", __LINE__, left_word,
596 left);
597 if (left == TOMOYO_MAX_CONDITION_KEYWORD) {
598 if (!numbers_p) {
599 e.numbers_count++;
600 } else {
601 e.numbers_count--;
602 left = TOMOYO_NUMBER_UNION;
603 param->data = left_word;
604 if (*left_word == '@' ||
605 !tomoyo_parse_number_union(param,
606 numbers_p++))
607 goto out;
608 }
609 }
610 if (!condp)
611 e.condc++;
612 else
613 e.condc--;
614 if (left == TOMOYO_EXEC_REALPATH ||
615 left == TOMOYO_SYMLINK_TARGET) {
616 if (!names_p) {
617 e.names_count++;
618 } else {
619 e.names_count--;
620 right = TOMOYO_NAME_UNION;
621 param->data = right_word;
622 if (!tomoyo_parse_name_union_quoted(param,
623 names_p++))
624 goto out;
625 }
626 goto store_value;
627 }
628 right = tomoyo_condition_type(right_word);
629 if (right == TOMOYO_MAX_CONDITION_KEYWORD) {
630 if (!numbers_p) {
631 e.numbers_count++;
632 } else {
633 e.numbers_count--;
634 right = TOMOYO_NUMBER_UNION;
635 param->data = right_word;
636 if (!tomoyo_parse_number_union(param,
637 numbers_p++))
638 goto out;
639 }
640 }
641 store_value:
642 if (!condp) {
643 dprintk(KERN_WARNING "%u: dry_run left=%u right=%u match=%u\n",
644 __LINE__, left, right, !is_not);
645 continue;
646 }
647 condp->left = left;
648 condp->right = right;
649 condp->equals = !is_not;
650 dprintk(KERN_WARNING "%u: left=%u right=%u match=%u\n",
651 __LINE__, condp->left, condp->right,
652 condp->equals);
653 condp++;
654 }
655 dprintk(KERN_INFO "%u: cond=%u numbers=%u names=%u ac=%u ec=%u\n",
656 __LINE__, e.condc, e.numbers_count, e.names_count, e.argc,
657 e.envc);
658 if (entry) {
659 BUG_ON(e.names_count | e.numbers_count | e.argc | e.envc |
660 e.condc);
661 return tomoyo_commit_condition(entry);
662 }
663 e.size = sizeof(*entry)
664 + e.condc * sizeof(struct tomoyo_condition_element)
665 + e.numbers_count * sizeof(struct tomoyo_number_union)
666 + e.names_count * sizeof(struct tomoyo_name_union)
667 + e.argc * sizeof(struct tomoyo_argv)
668 + e.envc * sizeof(struct tomoyo_envp);
669 entry = kzalloc(e.size, GFP_NOFS);
670 if (!entry)
671 goto out2;
672 *entry = e;
673 e.transit = NULL;
674 condp = (struct tomoyo_condition_element *) (entry + 1);
675 numbers_p = (struct tomoyo_number_union *) (condp + e.condc);
676 names_p = (struct tomoyo_name_union *) (numbers_p + e.numbers_count);
677 argv = (struct tomoyo_argv *) (names_p + e.names_count);
678 envp = (struct tomoyo_envp *) (argv + e.argc);
679 {
680 bool flag = false;
681
682 for (pos = start_of_string; pos < end_of_string; pos++) {
683 if (*pos)
684 continue;
685 if (flag) /* Restore " ". */
686 *pos = ' ';
687 else if (*(pos + 1) == '=') /* Restore "!=". */
688 *pos = '!';
689 else /* Restore "=". */
690 *pos = '=';
691 flag = !flag;
692 }
693 }
694 goto rerun;
695 out:
696 dprintk(KERN_WARNING "%u: %s failed\n", __LINE__, __func__);
697 if (entry) {
698 tomoyo_del_condition(&entry->head.list);
699 kfree(entry);
700 }
701 out2:
702 tomoyo_put_name(e.transit);
703 return NULL;
704 }
705
706 /**
707 * tomoyo_get_attributes - Revalidate "struct inode".
708 *
709 * @obj: Pointer to "struct tomoyo_obj_info".
710 *
711 * Returns nothing.
712 */
713 void tomoyo_get_attributes(struct tomoyo_obj_info *obj)
714 {
715 u8 i;
716 struct dentry *dentry = NULL;
717
718 for (i = 0; i < TOMOYO_MAX_PATH_STAT; i++) {
719 struct inode *inode;
720
721 switch (i) {
722 case TOMOYO_PATH1:
723 dentry = obj->path1.dentry;
724 if (!dentry)
725 continue;
726 break;
727 case TOMOYO_PATH2:
728 dentry = obj->path2.dentry;
729 if (!dentry)
730 continue;
731 break;
732 default:
733 if (!dentry)
734 continue;
735 dentry = dget_parent(dentry);
736 break;
737 }
738 inode = d_backing_inode(dentry);
739 if (inode) {
740 struct tomoyo_mini_stat *stat = &obj->stat[i];
741
742 stat->uid = inode->i_uid;
743 stat->gid = inode->i_gid;
744 stat->ino = inode->i_ino;
745 stat->mode = inode->i_mode;
746 stat->dev = inode->i_sb->s_dev;
747 stat->rdev = inode->i_rdev;
748 obj->stat_valid[i] = true;
749 }
750 if (i & 1) /* TOMOYO_PATH1_PARENT or TOMOYO_PATH2_PARENT */
751 dput(dentry);
752 }
753 }
754
755 /**
756 * tomoyo_condition - Check condition part.
757 *
758 * @r: Pointer to "struct tomoyo_request_info".
759 * @cond: Pointer to "struct tomoyo_condition". Maybe NULL.
760 *
761 * Returns true on success, false otherwise.
762 *
763 * Caller holds tomoyo_read_lock().
764 */
765 bool tomoyo_condition(struct tomoyo_request_info *r,
766 const struct tomoyo_condition *cond)
767 {
768 u32 i;
769 unsigned long min_v[2] = { 0, 0 };
770 unsigned long max_v[2] = { 0, 0 };
771 const struct tomoyo_condition_element *condp;
772 const struct tomoyo_number_union *numbers_p;
773 const struct tomoyo_name_union *names_p;
774 const struct tomoyo_argv *argv;
775 const struct tomoyo_envp *envp;
776 struct tomoyo_obj_info *obj;
777 u16 condc;
778 u16 argc;
779 u16 envc;
780 struct linux_binprm *bprm = NULL;
781
782 if (!cond)
783 return true;
784 condc = cond->condc;
785 argc = cond->argc;
786 envc = cond->envc;
787 obj = r->obj;
788 if (r->ee)
789 bprm = r->ee->bprm;
790 if (!bprm && (argc || envc))
791 return false;
792 condp = (struct tomoyo_condition_element *) (cond + 1);
793 numbers_p = (const struct tomoyo_number_union *) (condp + condc);
794 names_p = (const struct tomoyo_name_union *)
795 (numbers_p + cond->numbers_count);
796 argv = (const struct tomoyo_argv *) (names_p + cond->names_count);
797 envp = (const struct tomoyo_envp *) (argv + argc);
798 for (i = 0; i < condc; i++) {
799 const bool match = condp->equals;
800 const u8 left = condp->left;
801 const u8 right = condp->right;
802 bool is_bitop[2] = { false, false };
803 u8 j;
804
805 condp++;
806 /* Check argv[] and envp[] later. */
807 if (left == TOMOYO_ARGV_ENTRY || left == TOMOYO_ENVP_ENTRY)
808 continue;
809 /* Check string expressions. */
810 if (right == TOMOYO_NAME_UNION) {
811 const struct tomoyo_name_union *ptr = names_p++;
812 struct tomoyo_path_info *symlink;
813 struct tomoyo_execve *ee;
814 struct file *file;
815
816 switch (left) {
817 case TOMOYO_SYMLINK_TARGET:
818 symlink = obj ? obj->symlink_target : NULL;
819 if (!symlink ||
820 !tomoyo_compare_name_union(symlink, ptr)
821 == match)
822 goto out;
823 break;
824 case TOMOYO_EXEC_REALPATH:
825 ee = r->ee;
826 file = ee ? ee->bprm->file : NULL;
827 if (!tomoyo_scan_exec_realpath(file, ptr,
828 match))
829 goto out;
830 break;
831 }
832 continue;
833 }
834 /* Check numeric or bit-op expressions. */
835 for (j = 0; j < 2; j++) {
836 const u8 index = j ? right : left;
837 unsigned long value = 0;
838
839 switch (index) {
840 case TOMOYO_TASK_UID:
841 value = from_kuid(&init_user_ns, current_uid());
842 break;
843 case TOMOYO_TASK_EUID:
844 value = from_kuid(&init_user_ns, current_euid());
845 break;
846 case TOMOYO_TASK_SUID:
847 value = from_kuid(&init_user_ns, current_suid());
848 break;
849 case TOMOYO_TASK_FSUID:
850 value = from_kuid(&init_user_ns, current_fsuid());
851 break;
852 case TOMOYO_TASK_GID:
853 value = from_kgid(&init_user_ns, current_gid());
854 break;
855 case TOMOYO_TASK_EGID:
856 value = from_kgid(&init_user_ns, current_egid());
857 break;
858 case TOMOYO_TASK_SGID:
859 value = from_kgid(&init_user_ns, current_sgid());
860 break;
861 case TOMOYO_TASK_FSGID:
862 value = from_kgid(&init_user_ns, current_fsgid());
863 break;
864 case TOMOYO_TASK_PID:
865 value = tomoyo_sys_getpid();
866 break;
867 case TOMOYO_TASK_PPID:
868 value = tomoyo_sys_getppid();
869 break;
870 case TOMOYO_TYPE_IS_SOCKET:
871 value = S_IFSOCK;
872 break;
873 case TOMOYO_TYPE_IS_SYMLINK:
874 value = S_IFLNK;
875 break;
876 case TOMOYO_TYPE_IS_FILE:
877 value = S_IFREG;
878 break;
879 case TOMOYO_TYPE_IS_BLOCK_DEV:
880 value = S_IFBLK;
881 break;
882 case TOMOYO_TYPE_IS_DIRECTORY:
883 value = S_IFDIR;
884 break;
885 case TOMOYO_TYPE_IS_CHAR_DEV:
886 value = S_IFCHR;
887 break;
888 case TOMOYO_TYPE_IS_FIFO:
889 value = S_IFIFO;
890 break;
891 case TOMOYO_MODE_SETUID:
892 value = S_ISUID;
893 break;
894 case TOMOYO_MODE_SETGID:
895 value = S_ISGID;
896 break;
897 case TOMOYO_MODE_STICKY:
898 value = S_ISVTX;
899 break;
900 case TOMOYO_MODE_OWNER_READ:
901 value = 0400;
902 break;
903 case TOMOYO_MODE_OWNER_WRITE:
904 value = 0200;
905 break;
906 case TOMOYO_MODE_OWNER_EXECUTE:
907 value = 0100;
908 break;
909 case TOMOYO_MODE_GROUP_READ:
910 value = 0040;
911 break;
912 case TOMOYO_MODE_GROUP_WRITE:
913 value = 0020;
914 break;
915 case TOMOYO_MODE_GROUP_EXECUTE:
916 value = 0010;
917 break;
918 case TOMOYO_MODE_OTHERS_READ:
919 value = 0004;
920 break;
921 case TOMOYO_MODE_OTHERS_WRITE:
922 value = 0002;
923 break;
924 case TOMOYO_MODE_OTHERS_EXECUTE:
925 value = 0001;
926 break;
927 case TOMOYO_EXEC_ARGC:
928 if (!bprm)
929 goto out;
930 value = bprm->argc;
931 break;
932 case TOMOYO_EXEC_ENVC:
933 if (!bprm)
934 goto out;
935 value = bprm->envc;
936 break;
937 case TOMOYO_NUMBER_UNION:
938 /* Fetch values later. */
939 break;
940 default:
941 if (!obj)
942 goto out;
943 if (!obj->validate_done) {
944 tomoyo_get_attributes(obj);
945 obj->validate_done = true;
946 }
947 {
948 u8 stat_index;
949 struct tomoyo_mini_stat *stat;
950
951 switch (index) {
952 case TOMOYO_PATH1_UID:
953 case TOMOYO_PATH1_GID:
954 case TOMOYO_PATH1_INO:
955 case TOMOYO_PATH1_MAJOR:
956 case TOMOYO_PATH1_MINOR:
957 case TOMOYO_PATH1_TYPE:
958 case TOMOYO_PATH1_DEV_MAJOR:
959 case TOMOYO_PATH1_DEV_MINOR:
960 case TOMOYO_PATH1_PERM:
961 stat_index = TOMOYO_PATH1;
962 break;
963 case TOMOYO_PATH2_UID:
964 case TOMOYO_PATH2_GID:
965 case TOMOYO_PATH2_INO:
966 case TOMOYO_PATH2_MAJOR:
967 case TOMOYO_PATH2_MINOR:
968 case TOMOYO_PATH2_TYPE:
969 case TOMOYO_PATH2_DEV_MAJOR:
970 case TOMOYO_PATH2_DEV_MINOR:
971 case TOMOYO_PATH2_PERM:
972 stat_index = TOMOYO_PATH2;
973 break;
974 case TOMOYO_PATH1_PARENT_UID:
975 case TOMOYO_PATH1_PARENT_GID:
976 case TOMOYO_PATH1_PARENT_INO:
977 case TOMOYO_PATH1_PARENT_PERM:
978 stat_index =
979 TOMOYO_PATH1_PARENT;
980 break;
981 case TOMOYO_PATH2_PARENT_UID:
982 case TOMOYO_PATH2_PARENT_GID:
983 case TOMOYO_PATH2_PARENT_INO:
984 case TOMOYO_PATH2_PARENT_PERM:
985 stat_index =
986 TOMOYO_PATH2_PARENT;
987 break;
988 default:
989 goto out;
990 }
991 if (!obj->stat_valid[stat_index])
992 goto out;
993 stat = &obj->stat[stat_index];
994 switch (index) {
995 case TOMOYO_PATH1_UID:
996 case TOMOYO_PATH2_UID:
997 case TOMOYO_PATH1_PARENT_UID:
998 case TOMOYO_PATH2_PARENT_UID:
999 value = from_kuid(&init_user_ns, stat->uid);
1000 break;
1001 case TOMOYO_PATH1_GID:
1002 case TOMOYO_PATH2_GID:
1003 case TOMOYO_PATH1_PARENT_GID:
1004 case TOMOYO_PATH2_PARENT_GID:
1005 value = from_kgid(&init_user_ns, stat->gid);
1006 break;
1007 case TOMOYO_PATH1_INO:
1008 case TOMOYO_PATH2_INO:
1009 case TOMOYO_PATH1_PARENT_INO:
1010 case TOMOYO_PATH2_PARENT_INO:
1011 value = stat->ino;
1012 break;
1013 case TOMOYO_PATH1_MAJOR:
1014 case TOMOYO_PATH2_MAJOR:
1015 value = MAJOR(stat->dev);
1016 break;
1017 case TOMOYO_PATH1_MINOR:
1018 case TOMOYO_PATH2_MINOR:
1019 value = MINOR(stat->dev);
1020 break;
1021 case TOMOYO_PATH1_TYPE:
1022 case TOMOYO_PATH2_TYPE:
1023 value = stat->mode & S_IFMT;
1024 break;
1025 case TOMOYO_PATH1_DEV_MAJOR:
1026 case TOMOYO_PATH2_DEV_MAJOR:
1027 value = MAJOR(stat->rdev);
1028 break;
1029 case TOMOYO_PATH1_DEV_MINOR:
1030 case TOMOYO_PATH2_DEV_MINOR:
1031 value = MINOR(stat->rdev);
1032 break;
1033 case TOMOYO_PATH1_PERM:
1034 case TOMOYO_PATH2_PERM:
1035 case TOMOYO_PATH1_PARENT_PERM:
1036 case TOMOYO_PATH2_PARENT_PERM:
1037 value = stat->mode & S_IALLUGO;
1038 break;
1039 }
1040 }
1041 break;
1042 }
1043 max_v[j] = value;
1044 min_v[j] = value;
1045 switch (index) {
1046 case TOMOYO_MODE_SETUID:
1047 case TOMOYO_MODE_SETGID:
1048 case TOMOYO_MODE_STICKY:
1049 case TOMOYO_MODE_OWNER_READ:
1050 case TOMOYO_MODE_OWNER_WRITE:
1051 case TOMOYO_MODE_OWNER_EXECUTE:
1052 case TOMOYO_MODE_GROUP_READ:
1053 case TOMOYO_MODE_GROUP_WRITE:
1054 case TOMOYO_MODE_GROUP_EXECUTE:
1055 case TOMOYO_MODE_OTHERS_READ:
1056 case TOMOYO_MODE_OTHERS_WRITE:
1057 case TOMOYO_MODE_OTHERS_EXECUTE:
1058 is_bitop[j] = true;
1059 }
1060 }
1061 if (left == TOMOYO_NUMBER_UNION) {
1062 /* Fetch values now. */
1063 const struct tomoyo_number_union *ptr = numbers_p++;
1064
1065 min_v[0] = ptr->values[0];
1066 max_v[0] = ptr->values[1];
1067 }
1068 if (right == TOMOYO_NUMBER_UNION) {
1069 /* Fetch values now. */
1070 const struct tomoyo_number_union *ptr = numbers_p++;
1071
1072 if (ptr->group) {
1073 if (tomoyo_number_matches_group(min_v[0],
1074 max_v[0],
1075 ptr->group)
1076 == match)
1077 continue;
1078 } else {
1079 if ((min_v[0] <= ptr->values[1] &&
1080 max_v[0] >= ptr->values[0]) == match)
1081 continue;
1082 }
1083 goto out;
1084 }
1085 /*
1086 * Bit operation is valid only when counterpart value
1087 * represents permission.
1088 */
1089 if (is_bitop[0] && is_bitop[1]) {
1090 goto out;
1091 } else if (is_bitop[0]) {
1092 switch (right) {
1093 case TOMOYO_PATH1_PERM:
1094 case TOMOYO_PATH1_PARENT_PERM:
1095 case TOMOYO_PATH2_PERM:
1096 case TOMOYO_PATH2_PARENT_PERM:
1097 if (!(max_v[0] & max_v[1]) == !match)
1098 continue;
1099 }
1100 goto out;
1101 } else if (is_bitop[1]) {
1102 switch (left) {
1103 case TOMOYO_PATH1_PERM:
1104 case TOMOYO_PATH1_PARENT_PERM:
1105 case TOMOYO_PATH2_PERM:
1106 case TOMOYO_PATH2_PARENT_PERM:
1107 if (!(max_v[0] & max_v[1]) == !match)
1108 continue;
1109 }
1110 goto out;
1111 }
1112 /* Normal value range comparison. */
1113 if ((min_v[0] <= max_v[1] && max_v[0] >= min_v[1]) == match)
1114 continue;
1115 out:
1116 return false;
1117 }
1118 /* Check argv[] and envp[] now. */
1119 if (r->ee && (argc || envc))
1120 return tomoyo_scan_bprm(r->ee, argc, argv, envc, envp);
1121 return true;
1122 }