From d58e0da854376841ac99defeb117a83f086715c6 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Sat, 10 Sep 2011 15:22:48 +0900 Subject: TOMOYO: Add environment variable name restriction support. This patch adds support for checking environment variable's names. Although TOMOYO already provides ability to check argv[]/envp[] passed to execve() requests, file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar" will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined, administrators have to specify like file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib" file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL . Since there are many environment variables whereas conditional checks are applied as "&&", it is difficult to cover all combinations. Therefore, this patch supports conditional checks that are applied as "||", by specifying like file execute /bin/sh misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib" which means "grant execution of /bin/sh if environment variable is not defined or is defined and its value is /system/lib". Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/domain.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 94 insertions(+), 1 deletion(-) (limited to 'security/tomoyo/domain.c') diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index cd0f92d88bb4..5931fb1c04d5 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -562,6 +562,92 @@ out: return entry; } +/** + * tomoyo_environ - Check permission for environment variable names. + * + * @ee: Pointer to "struct tomoyo_execve". + * + * Returns 0 on success, negative value otherwise. + */ +static int tomoyo_environ(struct tomoyo_execve *ee) +{ + struct tomoyo_request_info *r = &ee->r; + struct linux_binprm *bprm = ee->bprm; + /* env_page.data is allocated by tomoyo_dump_page(). */ + struct tomoyo_page_dump env_page = { }; + char *arg_ptr; /* Size is TOMOYO_EXEC_TMPSIZE bytes */ + int arg_len = 0; + unsigned long pos = bprm->p; + int offset = pos % PAGE_SIZE; + int argv_count = bprm->argc; + int envp_count = bprm->envc; + int error = -ENOMEM; + + ee->r.type = TOMOYO_MAC_ENVIRON; + ee->r.profile = r->domain->profile; + ee->r.mode = tomoyo_get_mode(r->domain->ns, ee->r.profile, + TOMOYO_MAC_ENVIRON); + if (!r->mode || !envp_count) + return 0; + arg_ptr = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS); + if (!arg_ptr) + goto out; + while (error == -ENOMEM) { + if (!tomoyo_dump_page(bprm, pos, &env_page)) + goto out; + pos += PAGE_SIZE - offset; + /* Read. */ + while (argv_count && offset < PAGE_SIZE) { + if (!env_page.data[offset++]) + argv_count--; + } + if (argv_count) { + offset = 0; + continue; + } + while (offset < PAGE_SIZE) { + const unsigned char c = env_page.data[offset++]; + + if (c && arg_len < TOMOYO_EXEC_TMPSIZE - 10) { + if (c == '=') { + arg_ptr[arg_len++] = '\0'; + } else if (c == '\\') { + arg_ptr[arg_len++] = '\\'; + arg_ptr[arg_len++] = '\\'; + } else if (c > ' ' && c < 127) { + arg_ptr[arg_len++] = c; + } else { + arg_ptr[arg_len++] = '\\'; + arg_ptr[arg_len++] = (c >> 6) + '0'; + arg_ptr[arg_len++] + = ((c >> 3) & 7) + '0'; + arg_ptr[arg_len++] = (c & 7) + '0'; + } + } else { + arg_ptr[arg_len] = '\0'; + } + if (c) + continue; + if (tomoyo_env_perm(r, arg_ptr)) { + error = -EPERM; + break; + } + if (!--envp_count) { + error = 0; + break; + } + arg_len = 0; + } + offset = 0; + } +out: + if (r->mode != TOMOYO_CONFIG_ENFORCING) + error = 0; + kfree(env_page.data); + kfree(arg_ptr); + return error; +} + /** * tomoyo_find_next_domain - Find a domain. * @@ -581,6 +667,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) bool reject_on_transition_failure = false; struct tomoyo_path_info rn = { }; /* real name */ struct tomoyo_execve *ee = kzalloc(sizeof(*ee), GFP_NOFS); + if (!ee) return -ENOMEM; ee->tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS); @@ -713,6 +800,10 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) bprm->cred->security = domain; if (need_kfree) kfree(rn.name); + if (!retval) { + ee->r.domain = domain; + retval = tomoyo_environ(ee); + } kfree(ee->tmp); kfree(ee->dump.data); kfree(ee); @@ -732,7 +823,8 @@ bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos, struct tomoyo_page_dump *dump) { struct page *page; - /* dump->data is released by tomoyo_finish_execve(). */ + + /* dump->data is released by tomoyo_find_next_domain(). */ if (!dump->data) { dump->data = kzalloc(PAGE_SIZE, GFP_NOFS); if (!dump->data) @@ -753,6 +845,7 @@ bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos, * So do I. */ char *kaddr = kmap_atomic(page, KM_USER0); + dump->page = page; memcpy(dump->data + offset, kaddr + offset, PAGE_SIZE - offset); -- cgit v1.2.3 From 1f067a682a9bd252107ac6f6946b7332fde42344 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Sat, 10 Sep 2011 15:24:56 +0900 Subject: TOMOYO: Allow controlling generation of access granted logs for per an entry basis. Add per-entry flag which controls generation of grant logs because Xen and KVM issues ioctl requests so frequently. For example, file ioctl /dev/null 0x5401 grant_log=no will suppress /sys/kernel/security/tomoyo/audit even if preference says grant_log=yes . Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/domain.c | 1 + 1 file changed, 1 insertion(+) (limited to 'security/tomoyo/domain.c') diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 5931fb1c04d5..498fea732f48 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -157,6 +157,7 @@ retry: continue; if (!tomoyo_condition(r, ptr->cond)) continue; + r->matched_acl = ptr; r->granted = true; return; } -- cgit v1.2.3 From a8f7640963ada66c412314c3559c11ff6946c1a5 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Sat, 10 Sep 2011 15:27:12 +0900 Subject: TOMOYO: Avoid race when retrying "file execute" permission check. There was a race window that the pathname which is subjected to "file execute" permission check when retrying via supervisor's decision because the pathname was recalculated upon retry. Though, there is an inevitable race window even without supervisor, for we have to calculate the symbolic link's pathname from "struct linux_binprm"->filename rather than from "struct linux_binprm"->file because we cannot back calculate the symbolic link's pathname from the dereferenced pathname. Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/domain.c | 56 +++++++++++++++++++----------------------------- 1 file changed, 22 insertions(+), 34 deletions(-) (limited to 'security/tomoyo/domain.c') diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 498fea732f48..a1fc6b5f6125 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -664,9 +664,9 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) struct tomoyo_domain_info *domain = NULL; const char *original_name = bprm->filename; int retval = -ENOMEM; - bool need_kfree = false; bool reject_on_transition_failure = false; - struct tomoyo_path_info rn = { }; /* real name */ + const struct tomoyo_path_info *candidate; + struct tomoyo_path_info exename; struct tomoyo_execve *ee = kzalloc(sizeof(*ee), GFP_NOFS); if (!ee) @@ -682,40 +682,33 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) ee->bprm = bprm; ee->r.obj = &ee->obj; ee->obj.path1 = bprm->file->f_path; - retry: - if (need_kfree) { - kfree(rn.name); - need_kfree = false; - } /* Get symlink's pathname of program. */ retval = -ENOENT; - rn.name = tomoyo_realpath_nofollow(original_name); - if (!rn.name) + exename.name = tomoyo_realpath_nofollow(original_name); + if (!exename.name) goto out; - tomoyo_fill_path_info(&rn); - need_kfree = true; - + tomoyo_fill_path_info(&exename); +retry: /* Check 'aggregator' directive. */ { struct tomoyo_aggregator *ptr; struct list_head *list = &old_domain->ns->policy_list[TOMOYO_ID_AGGREGATOR]; /* Check 'aggregator' directive. */ + candidate = &exename; list_for_each_entry_rcu(ptr, list, head.list) { if (ptr->head.is_deleted || - !tomoyo_path_matches_pattern(&rn, + !tomoyo_path_matches_pattern(&exename, ptr->original_name)) continue; - kfree(rn.name); - need_kfree = false; - /* This is OK because it is read only. */ - rn = *ptr->aggregated_name; + candidate = ptr->aggregated_name; break; } } /* Check execute permission. */ - retval = tomoyo_path_permission(&ee->r, TOMOYO_TYPE_EXECUTE, &rn); + retval = tomoyo_path_permission(&ee->r, TOMOYO_TYPE_EXECUTE, + candidate); if (retval == TOMOYO_RETRY_REQUEST) goto retry; if (retval < 0) @@ -726,20 +719,16 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) * wildcard) rather than the pathname passed to execve() * (which never contains wildcard). */ - if (ee->r.param.path.matched_path) { - if (need_kfree) - kfree(rn.name); - need_kfree = false; - /* This is OK because it is read only. */ - rn = *ee->r.param.path.matched_path; - } + if (ee->r.param.path.matched_path) + candidate = ee->r.param.path.matched_path; /* Calculate domain to transit to. */ switch (tomoyo_transition_type(old_domain->ns, old_domain->domainname, - &rn)) { + candidate)) { case TOMOYO_TRANSITION_CONTROL_RESET: /* Transit to the root of specified namespace. */ - snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "<%s>", rn.name); + snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "<%s>", + candidate->name); /* * Make do_execve() fail if domain transition across namespaces * has failed. @@ -749,7 +738,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) case TOMOYO_TRANSITION_CONTROL_INITIALIZE: /* Transit to the child of current namespace's root. */ snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", - old_domain->ns->name, rn.name); + old_domain->ns->name, candidate->name); break; case TOMOYO_TRANSITION_CONTROL_KEEP: /* Keep current domain. */ @@ -765,11 +754,11 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) * before /sbin/init. */ domain = old_domain; - } else { - /* Normal domain transition. */ - snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", - old_domain->domainname->name, rn.name); + break; } + /* Normal domain transition. */ + snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", + old_domain->domainname->name, candidate->name); break; } if (!domain) @@ -799,8 +788,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm) /* Update reference count on "struct tomoyo_domain_info". */ atomic_inc(&domain->users); bprm->cred->security = domain; - if (need_kfree) - kfree(rn.name); + kfree(exename.name); if (!retval) { ee->r.domain = domain; retval = tomoyo_environ(ee); -- cgit v1.2.3 From 6bce98edc3365a8f780ff3944ac7992544c194fe Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Fri, 16 Sep 2011 22:54:25 +0900 Subject: TOMOYO: Allow specifying domain transition preference. I got an opinion that it is difficult to use exception policy's domain transition control directives because they need to match the pathname specified to "file execute" directives. For example, if "file execute /bin/\*\-ls\-cat" is given, corresponding domain transition control directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any". If we can specify like below, it will become more convenient. file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls" file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat" file execute /bin/\*\-ls\-cat child file execute /usr/sbin/httpd exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd" In above examples, "keep" works as if keep_domain is specified, "child" works as if "no_reset_domain" and "no_initialize_domain" and "no_keep_domain" are specified, "" causes domain transition to domain upon successful execve() operation. Moreover, we can also allow transition to different domains based on conditions like below example. /usr/sbin/sshd file execute /bin/bash /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c" file execute /bin/bash /usr/sbin/sshd //root-session task.uid=0 file execute /bin/bash /usr/sbin/sshd //nonroot-session task.uid!=0 Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/domain.c | 53 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 50 insertions(+), 3 deletions(-) (limited to 'security/tomoyo/domain.c') diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index a1fc6b5f6125..860390ee1fbe 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -102,6 +102,15 @@ int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size, new_entry->cond = tomoyo_get_condition(param); if (!new_entry->cond) return -EINVAL; + /* + * Domain transition preference is allowed for only + * "file execute" entries. + */ + if (new_entry->cond->transit && + !(new_entry->type == TOMOYO_TYPE_PATH_ACL && + container_of(new_entry, struct tomoyo_path_acl, head) + ->perm == 1 << TOMOYO_TYPE_EXECUTE)) + goto out; } if (mutex_lock_interruptible(&tomoyo_policy_lock)) goto out; @@ -707,8 +716,7 @@ retry: } /* Check execute permission. */ - retval = tomoyo_path_permission(&ee->r, TOMOYO_TYPE_EXECUTE, - candidate); + retval = tomoyo_execute_permission(&ee->r, candidate); if (retval == TOMOYO_RETRY_REQUEST) goto retry; if (retval < 0) @@ -722,10 +730,45 @@ retry: if (ee->r.param.path.matched_path) candidate = ee->r.param.path.matched_path; - /* Calculate domain to transit to. */ + /* + * Check for domain transition preference if "file execute" matched. + * If preference is given, make do_execve() fail if domain transition + * has failed, for domain transition preference should be used with + * destination domain defined. + */ + if (ee->transition) { + const char *domainname = ee->transition->name; + reject_on_transition_failure = true; + if (!strcmp(domainname, "keep")) + goto force_keep_domain; + if (!strcmp(domainname, "child")) + goto force_child_domain; + if (!strcmp(domainname, "reset")) + goto force_reset_domain; + if (!strcmp(domainname, "initialize")) + goto force_initialize_domain; + if (!strcmp(domainname, "parent")) { + char *cp; + strncpy(ee->tmp, old_domain->domainname->name, + TOMOYO_EXEC_TMPSIZE - 1); + cp = strrchr(ee->tmp, ' '); + if (cp) + *cp = '\0'; + } else if (*domainname == '<') + strncpy(ee->tmp, domainname, TOMOYO_EXEC_TMPSIZE - 1); + else + snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", + old_domain->domainname->name, domainname); + goto force_jump_domain; + } + /* + * No domain transition preference specified. + * Calculate domain to transit to. + */ switch (tomoyo_transition_type(old_domain->ns, old_domain->domainname, candidate)) { case TOMOYO_TRANSITION_CONTROL_RESET: +force_reset_domain: /* Transit to the root of specified namespace. */ snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "<%s>", candidate->name); @@ -736,11 +779,13 @@ retry: reject_on_transition_failure = true; break; case TOMOYO_TRANSITION_CONTROL_INITIALIZE: +force_initialize_domain: /* Transit to the child of current namespace's root. */ snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", old_domain->ns->name, candidate->name); break; case TOMOYO_TRANSITION_CONTROL_KEEP: +force_keep_domain: /* Keep current domain. */ domain = old_domain; break; @@ -756,11 +801,13 @@ retry: domain = old_domain; break; } +force_child_domain: /* Normal domain transition. */ snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s", old_domain->domainname->name, candidate->name); break; } +force_jump_domain: if (!domain) domain = tomoyo_assign_domain(ee->tmp, true); if (domain) -- cgit v1.2.3 From 778c4a4d60d932c1df6d270dcbc88365823c3963 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Sun, 25 Sep 2011 17:49:09 +0900 Subject: TOMOYO: Fix make namespacecheck warnings. Commit efe836ab "TOMOYO: Add built-in policy support." introduced tomoyo_load_builtin_policy() but was by error called from nowhere. Commit b22b8b9f "TOMOYO: Rename meminfo to stat and show more statistics." introduced tomoyo_update_stat() but was by error not called from tomoyo_assign_domain(). Also, mark tomoyo_io_printf() and tomoyo_path_permission() static functions, as reported by "make namespacecheck". Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/domain.c | 1 + 1 file changed, 1 insertion(+) (limited to 'security/tomoyo/domain.c') diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 860390ee1fbe..70acf7aebbda 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -567,6 +567,7 @@ out: tomoyo_write_log(&r, "use_profile %u\n", entry->profile); tomoyo_write_log(&r, "use_group %u\n", entry->group); + tomoyo_update_stat(TOMOYO_STAT_POLICY_UPDATES); } } return entry; -- cgit v1.2.3 From f9732ea145886786a6f8b0493bc2239e70cbacdb Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Sun, 25 Sep 2011 17:50:23 +0900 Subject: TOMOYO: Simplify garbage collector. When TOMOYO started using garbage collector at commit 847b173e "TOMOYO: Add garbage collector.", we waited for close() before kfree(). Thus, elements to be kfree()d were queued up using tomoyo_gc_list list. But it turned out that tomoyo_element_linked_by_gc() tends to choke garbage collector when certain pattern of entries are queued. Since garbage collector is no longer waiting for close() since commit 2e503bbb "TOMOYO: Fix lockdep warning.", we can remove tomoyo_gc_list list and tomoyo_element_linked_by_gc() by doing sequential processing. Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/domain.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'security/tomoyo/domain.c') diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index 70acf7aebbda..da16dfeed728 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -39,6 +39,8 @@ int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size, if (mutex_lock_interruptible(&tomoyo_policy_lock)) return -ENOMEM; list_for_each_entry_rcu(entry, list, list) { + if (entry->is_deleted == TOMOYO_GC_IN_PROGRESS) + continue; if (!check_duplicate(entry, new_entry)) continue; entry->is_deleted = param->is_delete; @@ -115,6 +117,8 @@ int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, const int size, if (mutex_lock_interruptible(&tomoyo_policy_lock)) goto out; list_for_each_entry_rcu(entry, list, list) { + if (entry->is_deleted == TOMOYO_GC_IN_PROGRESS) + continue; if (!tomoyo_same_acl_head(entry, new_entry) || !check_duplicate(entry, new_entry)) continue; -- cgit v1.2.3 From e00fb3f7af111d1b3252f7d622213d2e22be65f5 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Tue, 27 Sep 2011 11:48:53 +0900 Subject: TOMOYO: Fix domain transition failure warning. Commit bd03a3e4 "TOMOYO: Add policy namespace support." introduced policy namespace. But as of /sbin/modprobe is executed from initramfs/initrd, profiles for target domain's namespace is not defined because /sbin/tomoyo-init is not yet called. Reported-by: Jamie Nguyen Signed-off-by: Tetsuo Handa Signed-off-by: James Morris --- security/tomoyo/domain.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'security/tomoyo/domain.c') diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c index da16dfeed728..9027ac1534af 100644 --- a/security/tomoyo/domain.c +++ b/security/tomoyo/domain.c @@ -515,7 +515,8 @@ struct tomoyo_domain_info *tomoyo_assign_domain(const char *domainname, * that domain. Do not perform domain transition if * profile for that domain is not yet created. */ - if (!entry->ns->profile_ptr[entry->profile]) + if (tomoyo_policy_loaded && + !entry->ns->profile_ptr[entry->profile]) return NULL; } return entry; -- cgit v1.2.3