5 |
* |
* |
6 |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
7 |
* |
* |
8 |
* Version: 1.6.0-pre 2008/03/11 |
* Version: 1.6.0-pre 2008/03/24 |
9 |
* |
* |
10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
11 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
22 |
* and dramatically reduces the policy definition labors. |
* and dramatically reduces the policy definition labors. |
23 |
* |
* |
24 |
* TOMOYO is applicable to figuring out the system's behavior, for |
* TOMOYO is applicable to figuring out the system's behavior, for |
25 |
* TOMOYO uses the canonicalized absolute pathnames and TreeView style domain transitions. |
* TOMOYO uses the canonicalized absolute pathnames and |
26 |
|
* TreeView style domain transitions. |
27 |
*/ |
*/ |
28 |
|
|
29 |
#ifndef _LINUX_TOMOYO_H |
#ifndef _LINUX_TOMOYO_H |
30 |
#define _LINUX_TOMOYO_H |
#define _LINUX_TOMOYO_H |
31 |
|
|
32 |
|
#include <linux/version.h> |
33 |
|
|
34 |
#ifndef __user |
#ifndef __user |
35 |
#define __user |
#define __user |
36 |
#endif |
#endif |
37 |
|
|
|
/***** TOMOYO Linux start. *****/ |
|
|
|
|
38 |
struct path_info; |
struct path_info; |
39 |
struct dentry; |
struct dentry; |
40 |
struct vfsmount; |
struct vfsmount; |
43 |
struct pt_regs; |
struct pt_regs; |
44 |
struct ccs_page_buffer; |
struct ccs_page_buffer; |
45 |
|
|
|
#define CheckSingleWritePermission CheckSinglePathPermission |
|
|
#define CheckDoubleWritePermission CheckDoublePathPermission |
|
|
|
|
46 |
#if defined(CONFIG_TOMOYO) |
#if defined(CONFIG_TOMOYO) |
47 |
|
|
48 |
int CheckFilePerm(const char *filename, const u8 perm, const char *operation); |
int ccs_check_file_perm(const char *filename, const u8 perm, |
49 |
int CheckExecPerm(const struct path_info *filename, struct linux_binprm *bprm, struct ccs_page_buffer *buf); |
const char *operation); |
50 |
int CheckOpenPermission(struct dentry *dentry, struct vfsmount *mnt, const int flag); |
int ccs_check_exec_perm(const struct path_info *filename, |
51 |
int CheckSinglePathPermission(const u8 operation, struct dentry *dentry, struct vfsmount *mnt); |
struct linux_binprm *bprm, |
52 |
int CheckDoublePathPermission(const u8 operation, struct dentry *dentry1, struct vfsmount *mnt1, struct dentry *dentry2, struct vfsmount *mnt2); |
struct ccs_page_buffer *buf); |
53 |
int CheckReWritePermission(struct file *filp); |
int ccs_check_open_permission(struct dentry *dentry, struct vfsmount *mnt, |
54 |
|
const int flag); |
55 |
|
int ccs_check_single_path_permission(const u8 operation, |
56 |
|
struct dentry *dentry, |
57 |
|
struct vfsmount *mnt); |
58 |
|
int ccs_check_double_path_permission(const u8 operation, |
59 |
|
struct dentry *dentry1, |
60 |
|
struct vfsmount *mnt1, |
61 |
|
struct dentry *dentry2, |
62 |
|
struct vfsmount *mnt2); |
63 |
|
int ccs_check_rewrite_permission(struct file *filp); |
64 |
|
|
65 |
/* Check whether the basename of program and argv0 is allowed to differ. */ |
/* Check whether the basename of program and argv0 is allowed to differ. */ |
66 |
int CheckArgv0Perm(const struct path_info *filename, const char *argv0); |
int ccs_check_argv0_perm(const struct path_info *filename, const char *argv0); |
67 |
|
|
68 |
/* Check whether the given environment is allowed to be received. */ |
/* Check whether the given environment is allowed to be received. */ |
69 |
int CheckEnvPerm(const char *env, const u8 profile, const u8 mode); |
int ccs_check_env_perm(const char *env, const u8 profile, const u8 mode); |
70 |
|
|
71 |
/* Check whether the given IP address and port number are allowed to use. */ |
/* Check whether the given IP address and port number are allowed to use. */ |
72 |
int CheckNetworkListenACL(const _Bool is_ipv6, const u8 *address, const u16 port); |
int ccs_check_network_listen_acl(const _Bool is_ipv6, const u8 *address, |
73 |
int CheckNetworkConnectACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port); |
const u16 port); |
74 |
int CheckNetworkBindACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port); |
int ccs_check_network_connect_acl(const _Bool is_ipv6, const int sock_type, |
75 |
int CheckNetworkAcceptACL(const _Bool is_ipv6, const u8 *address, const u16 port); |
const u8 *address, const u16 port); |
76 |
int CheckNetworkSendMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port); |
int ccs_check_network_bind_acl(const _Bool is_ipv6, const int sock_type, |
77 |
int CheckNetworkRecvMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port); |
const u8 *address, const u16 port); |
78 |
|
int ccs_check_network_accept_acl(const _Bool is_ipv6, const u8 *address, |
79 |
|
const u16 port); |
80 |
|
int ccs_check_network_sendmsg_acl(const _Bool is_ipv6, const int sock_type, |
81 |
|
const u8 *address, const u16 port); |
82 |
|
int ccs_check_network_recvmsg_acl(const _Bool is_ipv6, const int sock_type, |
83 |
|
const u8 *address, const u16 port); |
84 |
|
|
85 |
/* Check whether the given signal is allowed to use. */ |
/* Check whether the given signal is allowed to use. */ |
86 |
int CheckSignalACL(const int sig, const int pid); |
int ccs_check_signal_acl(const int sig, const int pid); |
87 |
|
|
88 |
/* Check whether the given capability is allowed to use. */ |
/* Check whether the given capability is allowed to use. */ |
89 |
int CheckCapabilityACL(const u8 operation); |
int ccs_capable(const u8 operation); |
90 |
|
|
91 |
#else |
#else |
92 |
|
|
93 |
static inline int CheckFilePerm(const char *filename, const u8 perm, const char *operation) { return 0; } |
static inline int ccs_check_file_perm(const char *filename, const u8 perm, |
94 |
static inline int CheckExecPerm(const struct path_info *filename, struct linux_binprm *bprm, struct ccs_page_buffer *buf) { return 0; } |
const char *operation) |
95 |
static inline int CheckOpenPermission(struct dentry *dentry, struct vfsmount *mnt, const int flag) { return 0; } |
{ |
96 |
static inline int CheckSinglePathPermission(const u8 operation, struct dentry *dentry, struct vfsmount *mnt) { return 0; } |
return 0; |
97 |
static inline int CheckDoublePathPermission(const u8 operation, struct dentry *dentry1, struct vfsmount *mnt1, struct dentry *dentry2, struct vfsmount *mnt2) { return 0; } |
} |
98 |
static inline int CheckReWritePermission(struct file *filp) { return 0; } |
static inline int ccs_check_exec_perm(const struct path_info *filename, |
99 |
static inline int CheckArgv0Perm(const struct path_info *filename, const char *argv0) { return 0; } |
struct linux_binprm *bprm, |
100 |
static inline int CheckEnvPerm(const char *env, const u8 profile, const u8 mode) { return 0; } |
struct ccs_page_buffer *buf) |
101 |
static inline int CheckNetworkListenACL(const _Bool is_ipv6, const u8 *address, const u16 port) { return 0; } |
{ |
102 |
static inline int CheckNetworkConnectACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) { return 0; } |
return 0; |
103 |
static inline int CheckNetworkBindACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) { return 0; } |
} |
104 |
static inline int CheckNetworkAcceptACL(const _Bool is_ipv6, const u8 *address, const u16 port) { return 0; } |
static inline int ccs_check_open_permission(struct dentry *dentry, |
105 |
static inline int CheckNetworkSendMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) { return 0; } |
struct vfsmount *mnt, |
106 |
static inline int CheckNetworkRecvMsgACL(const _Bool is_ipv6, const int sock_type, const u8 *address, const u16 port) { return 0; } |
const int flag) |
107 |
static inline int CheckSignalACL(const int sig, const int pid) { return 0; } |
{ |
108 |
static inline int CheckCapabilityACL(const u8 operation) { return 0; } |
return 0; |
109 |
|
} |
110 |
|
static inline int ccs_check_single_path_permission(const u8 operation, |
111 |
|
struct dentry *dentry, |
112 |
|
struct vfsmount *mnt) |
113 |
|
{ |
114 |
|
return 0; |
115 |
|
} |
116 |
|
static inline int ccs_check_double_path_permission(const u8 operation, |
117 |
|
struct dentry *dentry1, |
118 |
|
struct vfsmount *mnt1, |
119 |
|
struct dentry *dentry2, |
120 |
|
struct vfsmount *mnt2) |
121 |
|
{ |
122 |
|
return 0; |
123 |
|
} |
124 |
|
static inline int ccs_check_rewrite_permission(struct file *filp) |
125 |
|
{ |
126 |
|
return 0; |
127 |
|
} |
128 |
|
static inline int ccs_check_argv0_perm(const struct path_info *filename, |
129 |
|
const char *argv0) |
130 |
|
{ |
131 |
|
return 0; |
132 |
|
} |
133 |
|
static inline int ccs_check_env_perm(const char *env, const u8 profile, |
134 |
|
const u8 mode) |
135 |
|
{ |
136 |
|
return 0; |
137 |
|
} |
138 |
|
static inline int ccs_check_network_listen_acl(const _Bool is_ipv6, |
139 |
|
const u8 *address, |
140 |
|
const u16 port) |
141 |
|
{ |
142 |
|
return 0; |
143 |
|
} |
144 |
|
static inline int ccs_check_network_connect_acl(const _Bool is_ipv6, |
145 |
|
const int sock_type, |
146 |
|
const u8 *address, |
147 |
|
const u16 port) |
148 |
|
{ |
149 |
|
return 0; |
150 |
|
} |
151 |
|
static inline int ccs_check_network_bind_acl(const _Bool is_ipv6, |
152 |
|
const int sock_type, |
153 |
|
const u8 *address, const u16 port) |
154 |
|
{ |
155 |
|
return 0; |
156 |
|
} |
157 |
|
static inline int ccs_check_network_accept_acl(const _Bool is_ipv6, |
158 |
|
const u8 *address, |
159 |
|
const u16 port) |
160 |
|
{ |
161 |
|
return 0; |
162 |
|
} |
163 |
|
static inline int ccs_check_network_sendmsg_acl(const _Bool is_ipv6, |
164 |
|
const int sock_type, |
165 |
|
const u8 *address, |
166 |
|
const u16 port) |
167 |
|
{ |
168 |
|
return 0; |
169 |
|
} |
170 |
|
static inline int ccs_check_network_recvmsg_acl(const _Bool is_ipv6, |
171 |
|
const int sock_type, |
172 |
|
const u8 *address, |
173 |
|
const u16 port) |
174 |
|
{ |
175 |
|
return 0; |
176 |
|
} |
177 |
|
static inline int ccs_check_signal_acl(const int sig, const int pid) |
178 |
|
{ |
179 |
|
return 0; |
180 |
|
} |
181 |
|
static inline int ccs_capable(const u8 operation) |
182 |
|
{ |
183 |
|
return 0; |
184 |
|
} |
185 |
|
|
186 |
#endif |
#endif |
187 |
|
|
188 |
#include <linux/version.h> |
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) |
|
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,5,0) |
|
189 |
int pre_vfs_mknod(struct inode *dir, struct dentry *dentry); |
int pre_vfs_mknod(struct inode *dir, struct dentry *dentry); |
190 |
#else |
#else |
191 |
int pre_vfs_mknod(struct inode *dir, struct dentry *dentry, int mode); |
int pre_vfs_mknod(struct inode *dir, struct dentry *dentry, int mode); |
192 |
#endif |
#endif |
193 |
|
|
194 |
int search_binary_handler_with_transition(struct linux_binprm *bprm, struct pt_regs *regs); |
int search_binary_handler_with_transition(struct linux_binprm *bprm, |
195 |
|
struct pt_regs *regs); |
196 |
#define TOMOYO_CHECK_READ_FOR_OPEN_EXEC 1 |
#define TOMOYO_CHECK_READ_FOR_OPEN_EXEC 1 |
197 |
#define CCS_DONT_SLEEP_ON_ENFORCE_ERROR 2 |
#define CCS_DONT_SLEEP_ON_ENFORCE_ERROR 2 |
198 |
|
|
199 |
/************************* Index numbers for Access Controls. *************************/ |
/* Index numbers for Access Controls. */ |
200 |
|
|
201 |
#define TYPE_SINGLE_PATH_ACL 0 |
#define TYPE_SINGLE_PATH_ACL 0 |
202 |
#define TYPE_DOUBLE_PATH_ACL 1 |
#define TYPE_DOUBLE_PATH_ACL 1 |
208 |
#define TYPE_PREFERRED_EXECUTE_HANDLER 7 |
#define TYPE_PREFERRED_EXECUTE_HANDLER 7 |
209 |
#define TYPE_DEFAULT_EXECUTE_HANDLER 8 |
#define TYPE_DEFAULT_EXECUTE_HANDLER 8 |
210 |
|
|
211 |
/************************* Index numbers for File Controls. *************************/ |
/* Index numbers for File Controls. */ |
212 |
|
|
213 |
/* |
/* |
214 |
* TYPE_READ_WRITE_ACL is special. TYPE_READ_WRITE_ACL is automatically set |
* TYPE_READ_WRITE_ACL is special. TYPE_READ_WRITE_ACL is automatically set |
240 |
#define TYPE_RENAME_ACL 1 |
#define TYPE_RENAME_ACL 1 |
241 |
#define MAX_DOUBLE_PATH_OPERATION 2 |
#define MAX_DOUBLE_PATH_OPERATION 2 |
242 |
|
|
243 |
/************************* Index numbers for Capability Controls. *************************/ |
/* Index numbers for Capability Controls. */ |
244 |
|
|
245 |
#define TOMOYO_INET_STREAM_SOCKET_CREATE 0 /* socket(PF_INET or PF_INET6, SOCK_STREAM, *) */ |
/* socket(PF_INET or PF_INET6, SOCK_STREAM, *) */ |
246 |
#define TOMOYO_INET_STREAM_SOCKET_LISTEN 1 /* listen() for PF_INET or PF_INET6, SOCK_STREAM */ |
#define TOMOYO_INET_STREAM_SOCKET_CREATE 0 |
247 |
#define TOMOYO_INET_STREAM_SOCKET_CONNECT 2 /* connect() for PF_INET or PF_INET6, SOCK_STREAM */ |
/* listen() for PF_INET or PF_INET6, SOCK_STREAM */ |
248 |
#define TOMOYO_USE_INET_DGRAM_SOCKET 3 /* socket(PF_INET or PF_INET6, SOCK_DGRAM, *) */ |
#define TOMOYO_INET_STREAM_SOCKET_LISTEN 1 |
249 |
#define TOMOYO_USE_INET_RAW_SOCKET 4 /* socket(PF_INET or PF_INET6, SOCK_RAW, *) */ |
/* connect() for PF_INET or PF_INET6, SOCK_STREAM */ |
250 |
#define TOMOYO_USE_ROUTE_SOCKET 5 /* socket(PF_ROUTE, *, *) */ |
#define TOMOYO_INET_STREAM_SOCKET_CONNECT 2 |
251 |
#define TOMOYO_USE_PACKET_SOCKET 6 /* socket(PF_PACKET, *, *) */ |
/* socket(PF_INET or PF_INET6, SOCK_DGRAM, *) */ |
252 |
#define TOMOYO_SYS_MOUNT 7 /* sys_mount() */ |
#define TOMOYO_USE_INET_DGRAM_SOCKET 3 |
253 |
#define TOMOYO_SYS_UMOUNT 8 /* sys_umount() */ |
/* socket(PF_INET or PF_INET6, SOCK_RAW, *) */ |
254 |
#define TOMOYO_SYS_REBOOT 9 /* sys_reboot() */ |
#define TOMOYO_USE_INET_RAW_SOCKET 4 |
255 |
#define TOMOYO_SYS_CHROOT 10 /* sys_chroot() */ |
/* socket(PF_ROUTE, *, *) */ |
256 |
#define TOMOYO_SYS_KILL 11 /* sys_kill(), sys_tkill(), sys_tgkill() */ |
#define TOMOYO_USE_ROUTE_SOCKET 5 |
257 |
#define TOMOYO_SYS_VHANGUP 12 /* sys_vhangup() */ |
/* socket(PF_PACKET, *, *) */ |
258 |
#define TOMOYO_SYS_SETTIME 13 /* do_settimeofday(), sys_adjtimex() */ |
#define TOMOYO_USE_PACKET_SOCKET 6 |
259 |
#define TOMOYO_SYS_NICE 14 /* sys_nice(), sys_setpriority() */ |
/* sys_mount() */ |
260 |
#define TOMOYO_SYS_SETHOSTNAME 15 /* sys_sethostname(), sys_setdomainname() */ |
#define TOMOYO_SYS_MOUNT 7 |
261 |
#define TOMOYO_USE_KERNEL_MODULE 16 /* sys_create_module(), sys_init_module(), sys_delete_module() */ |
/* sys_umount() */ |
262 |
#define TOMOYO_CREATE_FIFO 17 /* sys_mknod(S_IFIFO) */ |
#define TOMOYO_SYS_UMOUNT 8 |
263 |
#define TOMOYO_CREATE_BLOCK_DEV 18 /* sys_mknod(S_IFBLK) */ |
/* sys_reboot() */ |
264 |
#define TOMOYO_CREATE_CHAR_DEV 19 /* sys_mknod(S_IFCHR) */ |
#define TOMOYO_SYS_REBOOT 9 |
265 |
#define TOMOYO_CREATE_UNIX_SOCKET 20 /* sys_mknod(S_IFSOCK) */ |
/* sys_chroot() */ |
266 |
#define TOMOYO_SYS_LINK 21 /* sys_link() */ |
#define TOMOYO_SYS_CHROOT 10 |
267 |
#define TOMOYO_SYS_SYMLINK 22 /* sys_symlink() */ |
/* sys_kill(), sys_tkill(), sys_tgkill() */ |
268 |
#define TOMOYO_SYS_RENAME 23 /* sys_rename() */ |
#define TOMOYO_SYS_KILL 11 |
269 |
#define TOMOYO_SYS_UNLINK 24 /* sys_unlink() */ |
/* sys_vhangup() */ |
270 |
#define TOMOYO_SYS_CHMOD 25 /* sys_chmod(), sys_fchmod() */ |
#define TOMOYO_SYS_VHANGUP 12 |
271 |
#define TOMOYO_SYS_CHOWN 26 /* sys_chown(), sys_fchown(), sys_lchown() */ |
/* do_settimeofday(), sys_adjtimex() */ |
272 |
#define TOMOYO_SYS_IOCTL 27 /* sys_ioctl(), compat_sys_ioctl() */ |
#define TOMOYO_SYS_SETTIME 13 |
273 |
#define TOMOYO_SYS_KEXEC_LOAD 28 /* sys_kexec_load() */ |
/* sys_nice(), sys_setpriority() */ |
274 |
#define TOMOYO_SYS_PIVOT_ROOT 29 /* sys_pivot_root() */ |
#define TOMOYO_SYS_NICE 14 |
275 |
#define TOMOYO_SYS_PTRACE 30 /* sys_ptrace() */ |
/* sys_sethostname(), sys_setdomainname() */ |
276 |
|
#define TOMOYO_SYS_SETHOSTNAME 15 |
277 |
|
/* sys_create_module(), sys_init_module(), sys_delete_module() */ |
278 |
|
#define TOMOYO_USE_KERNEL_MODULE 16 |
279 |
|
/* sys_mknod(S_IFIFO) */ |
280 |
|
#define TOMOYO_CREATE_FIFO 17 |
281 |
|
/* sys_mknod(S_IFBLK) */ |
282 |
|
#define TOMOYO_CREATE_BLOCK_DEV 18 |
283 |
|
/* sys_mknod(S_IFCHR) */ |
284 |
|
#define TOMOYO_CREATE_CHAR_DEV 19 |
285 |
|
/* sys_mknod(S_IFSOCK) */ |
286 |
|
#define TOMOYO_CREATE_UNIX_SOCKET 20 |
287 |
|
/* sys_link() */ |
288 |
|
#define TOMOYO_SYS_LINK 21 |
289 |
|
/* sys_symlink() */ |
290 |
|
#define TOMOYO_SYS_SYMLINK 22 |
291 |
|
/* sys_rename() */ |
292 |
|
#define TOMOYO_SYS_RENAME 23 |
293 |
|
/* sys_unlink() */ |
294 |
|
#define TOMOYO_SYS_UNLINK 24 |
295 |
|
/* sys_chmod(), sys_fchmod() */ |
296 |
|
#define TOMOYO_SYS_CHMOD 25 |
297 |
|
/* sys_chown(), sys_fchown(), sys_lchown() */ |
298 |
|
#define TOMOYO_SYS_CHOWN 26 |
299 |
|
/* sys_ioctl(), compat_sys_ioctl() */ |
300 |
|
#define TOMOYO_SYS_IOCTL 27 |
301 |
|
/* sys_kexec_load() */ |
302 |
|
#define TOMOYO_SYS_KEXEC_LOAD 28 |
303 |
|
/* sys_pivot_root() */ |
304 |
|
#define TOMOYO_SYS_PIVOT_ROOT 29 |
305 |
|
/* sys_ptrace() */ |
306 |
|
#define TOMOYO_SYS_PTRACE 30 |
307 |
#define TOMOYO_MAX_CAPABILITY_INDEX 31 |
#define TOMOYO_MAX_CAPABILITY_INDEX 31 |
308 |
|
|
309 |
/************************* Index numbers for Network Controls. *************************/ |
/* Index numbers for Network Controls. */ |
310 |
|
|
311 |
#define NETWORK_ACL_UDP_BIND 0 |
#define NETWORK_ACL_UDP_BIND 0 |
312 |
#define NETWORK_ACL_UDP_CONNECT 1 |
#define NETWORK_ACL_UDP_CONNECT 1 |
317 |
#define NETWORK_ACL_RAW_BIND 6 |
#define NETWORK_ACL_RAW_BIND 6 |
318 |
#define NETWORK_ACL_RAW_CONNECT 7 |
#define NETWORK_ACL_RAW_CONNECT 7 |
319 |
|
|
320 |
/***** TOMOYO Linux end. *****/ |
/* For compatibility with 1.4.x/1.5.x patches */ |
321 |
|
#define CheckSingleWritePermission ccs_check_single_path_permission |
322 |
|
#define CheckDoubleWritePermission ccs_check_double_path_permission |
323 |
|
#define CheckCapabilityACL ccs_capable |
324 |
|
#define CheckFilePerm ccs_check_file_perm |
325 |
|
#define CheckSignalACL ccs_check_signal_acl |
326 |
|
#define CheckOpenPermission ccs_check_open_permission |
327 |
|
#define CheckReWritePermission ccs_check_rewrite_permission |
328 |
|
|
329 |
#endif |
#endif |