TOMOYO: Add auditing interface.

obj-y = common.o domain.o file.o gc.o group.o load_policy.o memory.o mount.o realpath.o securityfs_if.o tomoyo.o util.o

obj-y = audit.o common.o domain.o file.o gc.o group.o load_policy.o memory.o mount.o realpath.o securityfs_if.o tomoyo.o util.o

/*

 * security/tomoyo/audit.c

 *

 * Pathname restriction functions.

 *

 * Copyright (C) 2005-2010  NTT DATA CORPORATION

 */

#include "common.h"

#include <linux/slab.h>

/**

 * tomoyo_convert_time - Convert time_t to YYYY/MM/DD hh/mm/ss.

 *

 * @time:  Seconds since 1970/01/01 00:00:00.

 * @stamp: Pointer to "struct tomoyo_time".

 *

 * Returns nothing.

 *

 * This function does not handle Y2038 problem.

 */

static void tomoyo_convert_time(time_t time, struct tomoyo_time *stamp)

{

	static const u16 tomoyo_eom[2][12] = {

		{ 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365 },

		{ 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366 }

	};

	u16 y;

	u8 m;

	bool r;

	stamp->sec = time % 60;

	time /= 60;

	stamp->min = time % 60;

	time /= 60;

	stamp->hour = time % 24;

	time /= 24;

	for (y = 1970; ; y++) {

		const unsigned short days = (y & 3) ? 365 : 366;

		if (time < days)

			break;

		time -= days;

	}

	r = (y & 3) == 0;

	for (m = 0; m < 11 && time >= tomoyo_eom[r][m]; m++)

		;

	if (m)

		time -= tomoyo_eom[r][m - 1];

	stamp->year = y;

	stamp->month = ++m;

	stamp->day = ++time;

}

/**

 * tomoyo_print_header - Get header line of audit log.

 *

 * @r: Pointer to "struct tomoyo_request_info".

 *

 * Returns string representation.

 *

 * This function uses kmalloc(), so caller must kfree() if this function

 * didn't return NULL.

 */

static char *tomoyo_print_header(struct tomoyo_request_info *r)

{

	struct tomoyo_time stamp;

	const pid_t gpid = task_pid_nr(current);

	static const int tomoyo_buffer_len = 4096;

	char *buffer = kmalloc(tomoyo_buffer_len, GFP_NOFS);

	pid_t ppid;

	if (!buffer)

		return NULL;

	{

		struct timeval tv;

		do_gettimeofday(&tv);

		tomoyo_convert_time(tv.tv_sec, &stamp);

	}

	rcu_read_lock();

	ppid = task_tgid_vnr(current->real_parent);

	rcu_read_unlock();

	snprintf(buffer, tomoyo_buffer_len - 1,

		 "#%04u/%02u/%02u %02u:%02u:%02u# profile=%u mode=%s "

		 "granted=%s (global-pid=%u) task={ pid=%u ppid=%u "

		 "uid=%u gid=%u euid=%u egid=%u suid=%u sgid=%u "

		 "fsuid=%u fsgid=%u }",

		 stamp.year, stamp.month, stamp.day, stamp.hour,

		 stamp.min, stamp.sec, r->profile, tomoyo_mode[r->mode],

		 tomoyo_yesno(r->granted), gpid, task_tgid_vnr(current), ppid,

		 current_uid(), current_gid(), current_euid(), current_egid(),

		 current_suid(), current_sgid(), current_fsuid(),

		 current_fsgid());

	return buffer;

}

/**

 * tomoyo_init_log - Allocate buffer for audit logs.

 *

 * @r:    Pointer to "struct tomoyo_request_info".

 * @len:  Buffer size needed for @fmt and @args.

 * @fmt:  The printf()'s format string.

 * @args: va_list structure for @fmt.

 *

 * Returns pointer to allocated memory.

 *

 * This function uses kzalloc(), so caller must kfree() if this function

 * didn't return NULL.

 */

char *tomoyo_init_log(struct tomoyo_request_info *r, int len, const char *fmt,

		      va_list args)

{

	char *buf = NULL;

	const char *header = NULL;

	int pos;

	const char *domainname = tomoyo_domain()->domainname->name;

	header = tomoyo_print_header(r);

	if (!header)

		return NULL;

	/* +10 is for '\n' etc. and '\0'. */

	len += strlen(domainname) + strlen(header) + 10;

	len = tomoyo_round2(len);

	buf = kzalloc(len, GFP_NOFS);

	if (!buf)

		goto out;

	len--;

	pos = snprintf(buf, len, "%s", header);

	pos += snprintf(buf + pos, len - pos, "\n%s\n", domainname);

	vsnprintf(buf + pos, len - pos, fmt, args);

out:

	kfree(header);

	return buf;

}

/* Wait queue for /sys/kernel/security/tomoyo/audit. */

static DECLARE_WAIT_QUEUE_HEAD(tomoyo_log_wait);

/* Structure for audit log. */

struct tomoyo_log {

	struct list_head list;

	char *log;

	int size;

};

/* The list for "struct tomoyo_log". */

static LIST_HEAD(tomoyo_log);

/* Lock for "struct list_head tomoyo_log". */

static DEFINE_SPINLOCK(tomoyo_log_lock);

/* Length of "stuct list_head tomoyo_log". */

static unsigned int tomoyo_log_count;

/**

 * tomoyo_get_audit - Get audit mode.

 *

 * @profile:     Profile number.

 * @index:       Index number of functionality.

 * @is_granted:  True if granted log, false otherwise.

 *

 * Returns true if this request should be audited, false otherwise.

 */

static bool tomoyo_get_audit(const u8 profile, const u8 index,

			     const bool is_granted)

{

	u8 mode;

	const u8 category = TOMOYO_MAC_CATEGORY_FILE + TOMOYO_MAX_MAC_INDEX;

	struct tomoyo_profile *p;

	if (!tomoyo_policy_loaded)

		return false;

	p = tomoyo_profile(profile);

	if (tomoyo_log_count >= p->pref[TOMOYO_PREF_MAX_AUDIT_LOG])

		return false;

	mode = p->config[index];

	if (mode == TOMOYO_CONFIG_USE_DEFAULT)

		mode = p->config[category];

	if (mode == TOMOYO_CONFIG_USE_DEFAULT)

		mode = p->default_config;

	if (is_granted)

		return mode & TOMOYO_CONFIG_WANT_GRANT_LOG;

	return mode & TOMOYO_CONFIG_WANT_REJECT_LOG;

}

/**

 * tomoyo_write_log2 - Write an audit log.

 *

 * @r:    Pointer to "struct tomoyo_request_info".

 * @len:  Buffer size needed for @fmt and @args.

 * @fmt:  The printf()'s format string.

 * @args: va_list structure for @fmt.

 *

 * Returns nothing.

 */

void tomoyo_write_log2(struct tomoyo_request_info *r, int len, const char *fmt,

		       va_list args)

{

	char *buf;

	struct tomoyo_log *entry;

	bool quota_exceeded = false;

	if (!tomoyo_get_audit(r->profile, r->type, r->granted))

		goto out;

	buf = tomoyo_init_log(r, len, fmt, args);

	if (!buf)

		goto out;

	entry = kzalloc(sizeof(*entry), GFP_NOFS);

	if (!entry) {

		kfree(buf);

		goto out;

	}

	entry->log = buf;

	len = tomoyo_round2(strlen(buf) + 1);

	/*

	 * The entry->size is used for memory quota checks.

	 * Don't go beyond strlen(entry->log).

	 */

	entry->size = len + tomoyo_round2(sizeof(*entry));

	spin_lock(&tomoyo_log_lock);

	if (tomoyo_memory_quota[TOMOYO_MEMORY_AUDIT] &&

	    tomoyo_memory_used[TOMOYO_MEMORY_AUDIT] + entry->size >=

	    tomoyo_memory_quota[TOMOYO_MEMORY_AUDIT]) {

		quota_exceeded = true;

	} else {

		tomoyo_memory_used[TOMOYO_MEMORY_AUDIT] += entry->size;

		list_add_tail(&entry->list, &tomoyo_log);

		tomoyo_log_count++;

	}

	spin_unlock(&tomoyo_log_lock);

	if (quota_exceeded) {

		kfree(buf);

		kfree(entry);

		goto out;

	}

	wake_up(&tomoyo_log_wait);

out:

	return;

}

/**

 * tomoyo_write_log - Write an audit log.

 *

 * @r:   Pointer to "struct tomoyo_request_info".

 * @fmt: The printf()'s format string, followed by parameters.

 *

 * Returns nothing.

 */

void tomoyo_write_log(struct tomoyo_request_info *r, const char *fmt, ...)

{

	va_list args;

	int len;

	va_start(args, fmt);

	len = vsnprintf((char *) &len, 1, fmt, args) + 1;

	va_end(args);

	va_start(args, fmt);

	tomoyo_write_log2(r, len, fmt, args);

	va_end(args);

}

/**

 * tomoyo_read_log - Read an audit log.

 *

 * @head: Pointer to "struct tomoyo_io_buffer".

 *

 * Returns nothing.

 */

void tomoyo_read_log(struct tomoyo_io_buffer *head)

{

	struct tomoyo_log *ptr = NULL;

	if (head->r.w_pos)

		return;

	kfree(head->read_buf);

	head->read_buf = NULL;

	spin_lock(&tomoyo_log_lock);

	if (!list_empty(&tomoyo_log)) {

		ptr = list_entry(tomoyo_log.next, typeof(*ptr), list);

		list_del(&ptr->list);

		tomoyo_log_count--;

		tomoyo_memory_used[TOMOYO_MEMORY_AUDIT] -= ptr->size;

	}

	spin_unlock(&tomoyo_log_lock);

	if (ptr) {

		head->read_buf = ptr->log;

		head->r.w[head->r.w_pos++] = head->read_buf;

		kfree(ptr);

	}

}

/**

 * tomoyo_poll_log - Wait for an audit log.

 *

 * @file: Pointer to "struct file".

 * @wait: Pointer to "poll_table".

 *

 * Returns POLLIN | POLLRDNORM when ready to read an audit log.

 */

int tomoyo_poll_log(struct file *file, poll_table *wait)

{

	if (tomoyo_log_count)

		return POLLIN | POLLRDNORM;

	poll_wait(file, &tomoyo_log_wait, wait);

	if (tomoyo_log_count)

		return POLLIN | POLLRDNORM;

	return 0;

}

/* Profile table. Memory is allocated as needed. */

static struct tomoyo_profile *tomoyo_profile_ptr[TOMOYO_MAX_PROFILES];

/* String table for functionality that takes 4 modes. */

static const char *tomoyo_mode[4] = {

	"disabled", "learning", "permissive", "enforcing"

/* String table for operation mode. */

const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = {

	[TOMOYO_CONFIG_DISABLED]   = "disabled",

	[TOMOYO_CONFIG_LEARNING]   = "learning",

	[TOMOYO_CONFIG_PERMISSIVE] = "permissive",

	[TOMOYO_CONFIG_ENFORCING]  = "enforcing"

};

/* String table for /sys/kernel/security/tomoyo/profile */

/* String table for PREFERENCE keyword. */

static const char * const tomoyo_pref_keywords[TOMOYO_MAX_PREF] = {

	[TOMOYO_PREF_MAX_AUDIT_LOG]      = "max_audit_log",

	[TOMOYO_PREF_MAX_LEARNING_ENTRY] = "max_learning_entry",

};

 *

 * @value: Bool value.

 */

/*

static const char *tomoyo_yesno(const unsigned int value)

const char *tomoyo_yesno(const unsigned int value)

{

	return value ? "yes" : "no";

}

*/

/**

 * tomoyo_addprintf - strncat()-like-snprintf().

		head->r.w[0] = w;

		if (*w)

			return false;

		/* Add '\0' for query. */

		/* Add '\0' for audit logs and query. */

		if (head->poll) {

			if (!head->read_user_buf_avail ||

			    copy_to_user(head->read_user_buf, "", 1))

	ptr = tomoyo_profile_ptr[profile];

	if (!ptr && tomoyo_memory_ok(entry)) {

		ptr = entry;

		ptr->default_config = TOMOYO_CONFIG_DISABLED;

		ptr->default_config = TOMOYO_CONFIG_DISABLED |

			TOMOYO_CONFIG_WANT_GRANT_LOG |

			TOMOYO_CONFIG_WANT_REJECT_LOG;

		memset(ptr->config, TOMOYO_CONFIG_USE_DEFAULT,

		       sizeof(ptr->config));

		ptr->pref[TOMOYO_PREF_MAX_AUDIT_LOG] = 1024;

		ptr->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] = 2048;

		mb(); /* Avoid out-of-order execution. */

		tomoyo_profile_ptr[profile] = ptr;

 *

 * Returns 1 if "@find=yes" was found, 0 if "@find=no" was found, -1 otherwise.

 */

/*

static s8 tomoyo_find_yesno(const char *string, const char *find)

{

	const char *cp = strstr(string, find);

	}

	return -1;

}

*/

/**

 * tomoyo_set_uint - Set value for specified preference.

				 * 'config' from 'TOMOYO_CONFIG_USE_DEAFULT'.

				 */

				config = (config & ~7) | mode;

		if (config != TOMOYO_CONFIG_USE_DEFAULT) {

			switch (tomoyo_find_yesno(value, "grant_log")) {

			case 1:

				config |= TOMOYO_CONFIG_WANT_GRANT_LOG;

				break;

			case 0:

				config &= ~TOMOYO_CONFIG_WANT_GRANT_LOG;

				break;

			}

			switch (tomoyo_find_yesno(value, "reject_log")) {

			case 1:

				config |= TOMOYO_CONFIG_WANT_REJECT_LOG;

				break;

			case 0:

				config &= ~TOMOYO_CONFIG_WANT_REJECT_LOG;

				break;

			}

		}

	}

	if (i < TOMOYO_MAX_MAC_INDEX + TOMOYO_MAX_MAC_CATEGORY_INDEX)

		profile->config[i] = config;

	return tomoyo_set_mode(data, cp, profile);

}

/**

 * tomoyo_print_config - Print mode for specified functionality.

 *

 * @head:   Pointer to "struct tomoyo_io_buffer".

 * @config: Mode for that functionality.

 *

 * Returns nothing.

 *

 * Caller prints functionality's name.

 */

static void tomoyo_print_config(struct tomoyo_io_buffer *head, const u8 config)

{

	tomoyo_io_printf(head, "={ mode=%s }\n", tomoyo_mode[config & 3]);

	tomoyo_io_printf(head, "={ mode=%s grant_log=%s reject_log=%s }\n",

			 tomoyo_mode[config & 3],

			 tomoyo_yesno(config & TOMOYO_CONFIG_WANT_GRANT_LOG),

			 tomoyo_yesno(config & TOMOYO_CONFIG_WANT_REJECT_LOG));

}

/**

 * tomoyo_read_profile - Read profile table.

 *

 * @head: Pointer to "struct tomoyo_io_buffer".

 *

 * Returns nothing.

 */

static void tomoyo_read_profile(struct tomoyo_io_buffer *head)

{

	profile = tomoyo_profile_ptr[index];

	switch (head->r.step) {

	case 0:

		tomoyo_io_printf(head, "PROFILE_VERSION=%s\n", "20090903");

		tomoyo_io_printf(head, "PROFILE_VERSION=%u\n", 20090903);

		head->r.step++;

		break;

	case 1:

	head->r.eof = true;

}

/**

 * tomoyo_print_header - Get header line of audit log.

 *

 * @r: Pointer to "struct tomoyo_request_info".

 *

 * Returns string representation.

 *

 * This function uses kmalloc(), so caller must kfree() if this function

 * didn't return NULL.

 */

static char *tomoyo_print_header(struct tomoyo_request_info *r)

{

	struct timeval tv;

	const pid_t gpid = task_pid_nr(current);

	static const int tomoyo_buffer_len = 4096;

	char *buffer = kmalloc(tomoyo_buffer_len, GFP_NOFS);

	pid_t ppid;

	if (!buffer)

		return NULL;

	do_gettimeofday(&tv);

	rcu_read_lock();

	ppid = task_tgid_vnr(current->real_parent);

	rcu_read_unlock();

	snprintf(buffer, tomoyo_buffer_len - 1,

		 "#timestamp=%lu profile=%u mode=%s (global-pid=%u)"

		 " task={ pid=%u ppid=%u uid=%u gid=%u euid=%u"

		 " egid=%u suid=%u sgid=%u fsuid=%u fsgid=%u }",

		 tv.tv_sec, r->profile, tomoyo_mode[r->mode], gpid,

		 task_tgid_vnr(current), ppid,

		 current_uid(), current_gid(), current_euid(),

		 current_egid(), current_suid(), current_sgid(),

		 current_fsuid(), current_fsgid());

	return buffer;

}

/**

 * tomoyo_init_audit_log - Allocate buffer for audit logs.

 *

 * @len: Required size.

 * @r:   Pointer to "struct tomoyo_request_info".

 *

 * Returns pointer to allocated memory.

 *

 * The @len is updated to add the header lines' size on success.

 *

 * This function uses kzalloc(), so caller must kfree() if this function

 * didn't return NULL.

 */

static char *tomoyo_init_audit_log(int *len, struct tomoyo_request_info *r)

{

	char *buf = NULL;

	const char *header;

	const char *domainname;

	if (!r->domain)

		r->domain = tomoyo_domain();

	domainname = r->domain->domainname->name;

	header = tomoyo_print_header(r);

	if (!header)

		return NULL;

	*len += strlen(domainname) + strlen(header) + 10;

	buf = kzalloc(*len, GFP_NOFS);

	if (buf)

		snprintf(buf, (*len) - 1, "%s\n%s\n", header, domainname);

	kfree(header);

	return buf;

}

/* Wait queue for tomoyo_query_list. */

/* Wait queue for kernel -> userspace notification. */

static DECLARE_WAIT_QUEUE_HEAD(tomoyo_query_wait);

/* Lock for manipulating tomoyo_query_list. */

static DEFINE_SPINLOCK(tomoyo_query_list_lock);

/* Wait queue for userspace -> kernel notification. */

static DECLARE_WAIT_QUEUE_HEAD(tomoyo_answer_wait);

/* Structure for query. */

struct tomoyo_query {

	struct list_head list;

	char *query;

	int query_len;

	size_t query_len;

	unsigned int serial;

	int timer;

	int answer;

	u8 timer;

	u8 answer;

	u8 retry;

};

/* The list for "struct tomoyo_query". */

static LIST_HEAD(tomoyo_query_list);

/* Lock for manipulating tomoyo_query_list. */

static DEFINE_SPINLOCK(tomoyo_query_list_lock);

/*

 * Number of "struct file" referring /sys/kernel/security/tomoyo/query

 * interface.

 */

static atomic_t tomoyo_query_observers = ATOMIC_INIT(0);

/**

 * tomoyo_add_entry - Add an ACL to current thread's domain. Used by learning mode.

 *

 * @domain: Pointer to "struct tomoyo_domain_info".

 * @header: Lines containing ACL.

 *

 * Returns nothing.

 */

static void tomoyo_add_entry(struct tomoyo_domain_info *domain, char *header)

{

	char *buffer;

	char *cp = strchr(header, '\n');

	int len;

	if (!cp)

		return;

	cp = strchr(cp + 1, '\n');

	if (!cp)

		return;

	*cp++ = '\0';

	len = strlen(cp) + 1;

	buffer = kmalloc(len, GFP_NOFS);

	if (!buffer)

		return;

	snprintf(buffer, len - 1, "%s", cp);

	tomoyo_normalize_line(buffer);

	tomoyo_write_domain2(&domain->acl_info_list, buffer, false);

	kfree(buffer);

}

/**

 * tomoyo_supervisor - Ask for the supervisor's decision.

 *

int tomoyo_supervisor(struct tomoyo_request_info *r, const char *fmt, ...)

{

	va_list args;

	int error = -EPERM;

	int pos;

	int error;

	int len;

	static unsigned int tomoyo_serial;

	struct tomoyo_query *entry = NULL;

	struct tomoyo_query entry = { };

	bool quota_exceeded = false;

	char *header;

	switch (r->mode) {

		char *buffer;

	case TOMOYO_CONFIG_LEARNING:

		if (!tomoyo_domain_quota_is_ok(r))

			return 0;

	va_start(args, fmt);

		len = vsnprintf((char *) &pos, sizeof(pos) - 1, fmt, args) + 4;

	len = vsnprintf((char *) &len, 1, fmt, args) + 1;

	va_end(args);

		buffer = kmalloc(len, GFP_NOFS);

		if (!buffer)

			return 0;

	/* Write /sys/kernel/security/tomoyo/audit. */

	va_start(args, fmt);

		vsnprintf(buffer, len - 1, fmt, args);

	tomoyo_write_log2(r, len, fmt, args);

	va_end(args);

		tomoyo_normalize_line(buffer);

		tomoyo_write_domain2(&r->domain->acl_info_list, buffer, false);

		kfree(buffer);

	/* Nothing more to do if granted. */

	if (r->granted)

		return 0;

	switch (r->mode) {

	case TOMOYO_CONFIG_ENFORCING:

		error = -EPERM;

		if (atomic_read(&tomoyo_query_observers))

			break;

		goto out;

	case TOMOYO_CONFIG_LEARNING:

		error = 0;

		/* Check max_learning_entry parameter. */

		if (tomoyo_domain_quota_is_ok(r))

			break;

		/* fall through */

	case TOMOYO_CONFIG_PERMISSIVE:

	default:

		return 0;

	}

	if (!r->domain)

		r->domain = tomoyo_domain();

	if (!atomic_read(&tomoyo_query_observers))

		return -EPERM;

	/* Get message. */

	va_start(args, fmt);

	len = vsnprintf((char *) &pos, sizeof(pos) - 1, fmt, args) + 32;

	entry.query = tomoyo_init_log(r, len, fmt, args);

	va_end(args);

	header = tomoyo_init_audit_log(&len, r);

	if (!header)

	if (!entry.query)

		goto out;

	entry = kzalloc(sizeof(*entry), GFP_NOFS);

	if (!entry)

		goto out;

	entry->query = kzalloc(len, GFP_NOFS);

	if (!entry->query)

	entry.query_len = strlen(entry.query) + 1;

	if (!error) {

		tomoyo_add_entry(r->domain, entry.query);

		goto out;

	len = ksize(entry->query);

	}

	len = tomoyo_round2(entry.query_len);

	spin_lock(&tomoyo_query_list_lock);

	if (tomoyo_quota_for_query && tomoyo_query_memory_size + len +

	    sizeof(*entry) >= tomoyo_quota_for_query) {

	if (tomoyo_memory_quota[TOMOYO_MEMORY_QUERY] &&

	    tomoyo_memory_used[TOMOYO_MEMORY_QUERY] + len

	    >= tomoyo_memory_quota[TOMOYO_MEMORY_QUERY]) {

		quota_exceeded = true;

	} else {

		tomoyo_query_memory_size += len + sizeof(*entry);

		entry->serial = tomoyo_serial++;

		entry.serial = tomoyo_serial++;

		entry.retry = r->retry;