This patch contains code for checking mount operations. Checking mount operations is a part of checking file operations, but the code is separated from file access because the code is complicated. Signed-off-by: Tetsuo Handa --- security/tomoyo/mount.c | 366 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 366 insertions(+) --- /dev/null +++ security-testing-2.6/security/tomoyo/mount.c @@ -0,0 +1,366 @@ +/* + * security/tomoyo/mount.c + * + * Copyright (C) 2005-2009 NTT DATA CORPORATION + */ +#include "internal.h" + +/* Keywords for mount restrictions. */ + +/* Allow to call 'mount --bind /source_dir /dest_dir' */ +#define TOMOYO_MOUNT_BIND_KEYWORD "--bind" +/* Allow to call 'mount --move /old_dir /new_dir ' */ +#define TOMOYO_MOUNT_MOVE_KEYWORD "--move" +/* Allow to call 'mount -o remount /dir ' */ +#define TOMOYO_MOUNT_REMOUNT_KEYWORD "--remount" +/* Allow to call 'mount --make-unbindable /dir' */ +#define TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD "--make-unbindable" +/* Allow to call 'mount --make-private /dir' */ +#define TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD "--make-private" +/* Allow to call 'mount --make-slave /dir' */ +#define TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD "--make-slave" +/* Allow to call 'mount --make-shared /dir' */ +#define TOMOYO_MOUNT_MAKE_SHARED_KEYWORD "--make-shared" + +/** + * tomoyo_audit_mount_log - Audit mount log. + * + * @r: Pointer to "struct tomoyo_request_info". + * @dev_name: Device file. + * @dir_name: Mount point. + * @type: Filesystem type. + * @flags: Mount flags. + * @is_granted: True if this is a granted log. + * + * Returns 0 on success, negative value otherwise. + */ +static int tomoyo_audit_mount_log(struct tomoyo_request_info *r, + const char *dev_name, const char *dir_name, + const char *type, const unsigned long flags, + const bool is_granted) +{ + if (!is_granted) { + if (!strcmp(type, TOMOYO_MOUNT_REMOUNT_KEYWORD)) + tomoyo_warn_log(r, "mount -o remount %s 0x%lX", + dir_name, flags); + else if (!strcmp(type, TOMOYO_MOUNT_BIND_KEYWORD) + || !strcmp(type, TOMOYO_MOUNT_MOVE_KEYWORD)) + tomoyo_warn_log(r, "mount %s %s %s 0x%lX", type, + dev_name, dir_name, flags); + else if (!strcmp(type, TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD) || + !strcmp(type, TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD) || + !strcmp(type, TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD) || + !strcmp(type, TOMOYO_MOUNT_MAKE_SHARED_KEYWORD)) + tomoyo_warn_log(r, "mount %s %s 0x%lX", type, dir_name, + flags); + else + tomoyo_warn_log(r, "mount -t %s %s %s 0x%lX", type, + dev_name, dir_name, flags); + } + return tomoyo_write_audit_log(is_granted, r, TOMOYO_KEYWORD_ALLOW_MOUNT + "%s %s %s 0x%lu\n", dev_name, dir_name, + type, flags); +} + +/** + * tomoyo_mount_acl2 - Check permission for mount() operation. + * + * @r: Pointer to "struct tomoyo_request_info". + * @dev_name: Name of device file. + * @dir: Pointer to "struct path". + * @type: Name of filesystem type. + * @flags: Mount options. + * + * Returns 0 on success, negative value otherwise. + * + * Caller holds tomoyo_read_lock(). + */ +static int tomoyo_mount_acl2(struct tomoyo_request_info *r, char *dev_name, + struct path *dir, char *type, unsigned long flags) +{ + struct tomoyo_obj_info obj = { }; + struct path path; + struct tomoyo_acl_info *ptr; + struct file_system_type *fstype = NULL; + const char *requested_type = NULL; + const char *requested_dir_name = NULL; + const char *requested_dev_name = NULL; + struct tomoyo_path_info rtype; + struct tomoyo_path_info rdev; + struct tomoyo_path_info rdir; + int need_dev = 0; + int error = -ENOMEM; + r->obj = &obj; + + /* Get fstype. */ + requested_type = tomoyo_encode(type); + if (!requested_type) + goto out; + rtype.name = requested_type; + tomoyo_fill_path_info(&rtype); + + /* Get mount point. */ + obj.path2 = *dir; + requested_dir_name = tomoyo_realpath_from_path(dir); + if (!requested_dir_name) { + error = -ENOMEM; + goto out; + } + rdir.name = requested_dir_name; + tomoyo_fill_path_info(&rdir); + + /* Compare fs name. */ + if (!strcmp(type, TOMOYO_MOUNT_REMOUNT_KEYWORD)) { + /* dev_name is ignored. */ + } else if (!strcmp(type, TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD) || + !strcmp(type, TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD) || + !strcmp(type, TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD) || + !strcmp(type, TOMOYO_MOUNT_MAKE_SHARED_KEYWORD)) { + /* dev_name is ignored. */ + } else if (!strcmp(type, TOMOYO_MOUNT_BIND_KEYWORD) || + !strcmp(type, TOMOYO_MOUNT_MOVE_KEYWORD)) { + need_dev = -1; /* dev_name is a directory */ + } else { + fstype = get_fs_type(type); + if (!fstype) { + error = -ENODEV; + goto out; + } + if (fstype->fs_flags & FS_REQUIRES_DEV) + /* dev_name is a block device file. */ + need_dev = 1; + } + if (need_dev) { + /* Get mount point or device file. */ + if (tomoyo_get_path(dev_name, &path)) { + error = -ENOENT; + goto out; + } + obj.path1 = path; + requested_dev_name = tomoyo_realpath_from_path(&path); + if (!requested_dev_name) { + error = -ENOENT; + goto out; + } + } else { + /* Map dev_name to "" if no dev_name given. */ + if (!dev_name) + dev_name = ""; + requested_dev_name = tomoyo_encode(dev_name); + if (!requested_dev_name) { + error = -ENOMEM; + goto out; + } + } + rdev.name = requested_dev_name; + tomoyo_fill_path_info(&rdev); + list_for_each_entry_rcu(ptr, &r->domain->acl_info_list, list) { + struct tomoyo_mount_acl *acl; + if (ptr->is_deleted || ptr->type != TOMOYO_TYPE_MOUNT_ACL) + continue; + acl = container_of(ptr, struct tomoyo_mount_acl, + head); + if (!tomoyo_compare_number_union(flags, &acl->flags) || + !tomoyo_compare_name_union(&rtype, &acl->fs_type) || + !tomoyo_compare_name_union(&rdir, &acl->dir_name) || + (need_dev && + !tomoyo_compare_name_union(&rdev, &acl->dev_name)) || + !tomoyo_condition(r, ptr)) + continue; + r->cond = ptr->cond; + error = 0; + break; + } + tomoyo_audit_mount_log(r, requested_dev_name, requested_dir_name, + requested_type, flags, !error); + if (error) + error = tomoyo_supervisor(r, TOMOYO_KEYWORD_ALLOW_MOUNT + "%s %s %s 0x%lX\n", + tomoyo_file_pattern(&rdev), + tomoyo_file_pattern(&rdir), + requested_type, flags); + out: + kfree(requested_dev_name); + kfree(requested_dir_name); + if (fstype) + put_filesystem(fstype); + kfree(requested_type); + /* Drop refcount obtained by tomoyo_get_path(). */ + if (obj.path1.dentry) + path_put(&obj.path1); + return error; +} + +/** + * tomoyo_mount_acl - Check permission for mount() operation. + * + * @r: Pointer to "struct tomoyo_request_info". + * @dev_name: Name of device file. + * @dir: Pointer to "struct path". + * @type: Name of filesystem type. + * @flags: Mount options. + * + * Returns 0 on success, negative value otherwise. + * + * Caller holds tomoyo_read_lock(). + */ +static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, + struct path *dir, char *type, unsigned long flags) +{ + int error; + error = -EPERM; + if ((flags & MS_MGC_MSK) == MS_MGC_VAL) + flags &= ~MS_MGC_MSK; + switch (flags & (MS_REMOUNT | MS_MOVE | MS_BIND)) { + case MS_REMOUNT: + case MS_MOVE: + case MS_BIND: + case 0: + break; + default: + printk(KERN_WARNING "ERROR: " + "%s%s%sare given for single mount operation.\n", + flags & MS_REMOUNT ? "'remount' " : "", + flags & MS_MOVE ? "'move' " : "", + flags & MS_BIND ? "'bind' " : ""); + return -EINVAL; + } + switch (flags & (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED)) { + case MS_UNBINDABLE: + case MS_PRIVATE: + case MS_SLAVE: + case MS_SHARED: + case 0: + break; + default: + printk(KERN_WARNING "ERROR: " + "%s%s%s%sare given for single mount operation.\n", + flags & MS_UNBINDABLE ? "'unbindable' " : "", + flags & MS_PRIVATE ? "'private' " : "", + flags & MS_SLAVE ? "'slave' " : "", + flags & MS_SHARED ? "'shared' " : ""); + return -EINVAL; + } + if (flags & MS_REMOUNT) + error = tomoyo_mount_acl(r, dev_name, dir, + TOMOYO_MOUNT_REMOUNT_KEYWORD, + flags & ~MS_REMOUNT); + else if (flags & MS_MOVE) + error = tomoyo_mount_acl(r, dev_name, dir, + TOMOYO_MOUNT_MOVE_KEYWORD, + flags & ~MS_MOVE); + else if (flags & MS_BIND) + error = tomoyo_mount_acl(r, dev_name, dir, + TOMOYO_MOUNT_BIND_KEYWORD, + flags & ~MS_BIND); + else if (flags & MS_UNBINDABLE) + error = tomoyo_mount_acl(r, dev_name, dir, + TOMOYO_MOUNT_MAKE_UNBINDABLE_KEYWORD, + flags & ~MS_UNBINDABLE); + else if (flags & MS_PRIVATE) + error = tomoyo_mount_acl(r, dev_name, dir, + TOMOYO_MOUNT_MAKE_PRIVATE_KEYWORD, + flags & ~MS_PRIVATE); + else if (flags & MS_SLAVE) + error = tomoyo_mount_acl(r, dev_name, dir, + TOMOYO_MOUNT_MAKE_SLAVE_KEYWORD, + flags & ~MS_SLAVE); + else if (flags & MS_SHARED) + error = tomoyo_mount_acl(r, dev_name, dir, + TOMOYO_MOUNT_MAKE_SHARED_KEYWORD, + flags & ~MS_SHARED); + else + do { + error = tomoyo_mount_acl2(r, dev_name, dir, type, + flags); + } while (error == 1); + if (r->mode != TOMOYO_CONFIG_ENFORCING) + error = 0; + return error; +} + +/** + * tomoyo_mount_permission - Check permission for mount() operation. + * + * @dev_name: Name of device file. + * @dir: Pointer to "struct path". + * @type: Name of filesystem type. May be NULL. + * @flags: Mount options. + * + * Returns 0 on success, negative value otherwise. + */ +int tomoyo_mount_permission(char *dev_name, struct path *dir, char *type, + const unsigned long flags) +{ + struct tomoyo_request_info r; + int error; + int idx; + if (!tomoyo_capable(TOMOYO_SYS_MOUNT)) + return -EPERM; + if (tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_MOUNT) + == TOMOYO_CONFIG_DISABLED) + return 0; + if (!type) + type = ""; + idx = tomoyo_read_lock(); + error = tomoyo_mount_acl(&r, dev_name, dir, type, flags); + tomoyo_read_unlock(idx); + return error; +} + +/** + * tomoyo_write_mount_policy - Write "struct tomoyo_mount_acl" list. + * + * @data: String to parse. + * @domain: Pointer to "struct tomoyo_domain_info". + * @condition: Pointer to "struct tomoyo_condition". May be NULL. + * @is_delete: True if it is a delete request. + * + * Returns 0 on success, negative value otherwise. + */ +int tomoyo_write_mount_policy(char *data, struct tomoyo_domain_info *domain, + struct tomoyo_condition *condition, + const bool is_delete) +{ + struct tomoyo_mount_acl *entry = NULL; + struct tomoyo_acl_info *ptr; + struct tomoyo_mount_acl e = { .head.type = TOMOYO_TYPE_MOUNT_ACL, + .head.cond = condition }; + int error = is_delete ? -ENOENT : -ENOMEM; + char *w[4]; + if (!tomoyo_tokenize(data, w, sizeof(w)) || !w[3][0]) + return -EINVAL; + if (!tomoyo_parse_name_union(w[0], &e.dev_name) || + !tomoyo_parse_name_union(w[1], &e.dir_name) || + !tomoyo_parse_name_union(w[2], &e.fs_type) || + !tomoyo_parse_number_union(w[3], &e.flags)) + goto out; + if (!is_delete) + entry = kmalloc(sizeof(e), GFP_KERNEL); + mutex_lock(&tomoyo_policy_lock); + list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) { + struct tomoyo_mount_acl *acl = + container_of(ptr, struct tomoyo_mount_acl, head); + if (ptr->type != TOMOYO_TYPE_MOUNT_ACL || + ptr->cond != condition + || tomoyo_memcmp(acl, &e, offsetof(typeof(e), dev_name), + sizeof(e))) + continue; + ptr->is_deleted = is_delete; + error = 0; + break; + } + if (!is_delete && error && tomoyo_commit_ok(entry, &e, sizeof(e))) { + tomoyo_add_domain_acl(domain, &entry->head); + entry = NULL; + error = 0; + } + mutex_unlock(&tomoyo_policy_lock); + out: + tomoyo_put_name_union(&e.dev_name); + tomoyo_put_name_union(&e.dir_name); + tomoyo_put_name_union(&e.fs_type); + tomoyo_put_number_union(&e.flags); + kfree(entry); + return error; +} -- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/