12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
37047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127
71278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653 |
- /*
- * linux/graphene/graphene.c
- *
- * Copyright (C) 2013-, Chia-Che Tsai, Bhushan Jain and Donald Porter
- *
- * Manage the graphene information and security policies.
- */
- #include <linux/version.h>
- #include <linux/atomic.h>
- #include <linux/slab.h>
- #include <linux/sched.h>
- #include <linux/fs.h>
- #include <linux/file.h>
- #include <linux/fdtable.h>
- #include <linux/dcache.h>
- #include <linux/namei.h>
- #include <linux/fs_struct.h>
- #include <linux/mount.h>
- #include <linux/rcupdate.h>
- #include <linux/uaccess.h>
- #include <linux/module.h>
- #include <linux/un.h>
- #include <linux/net.h>
- #include <net/sock.h>
- #include <net/inet_sock.h>
- #include <net/tcp_states.h>
- #include <linux/pipe_fs_i.h>
- #include <../fs/internal.h>
- #include <../security/apparmor/include/audit.h>
- #include "graphene.h"
- #include "graphene-ipc.h"
- static struct list_head unix_list = LIST_HEAD_INIT(unix_list);
- static DEFINE_SPINLOCK(unix_list_lock);
- static atomic_t gipc_session;
- static int add_graphene_unix(struct graphene_unix *u)
- {
- struct graphene_unix *tmp;
- int err = 0;
- rcu_read_lock();
- list_for_each_entry_rcu(tmp, &unix_list, list) {
- if (u->root.mnt) {
- if (!tmp->root.mnt)
- continue;
- if (!path_equal(&tmp->root, &u->root))
- continue;
- }
- if (u->prefix.len) {
- int len;
- if (!tmp->prefix.len)
- continue;
- len = u->prefix.len < tmp->prefix.len ?
- u->prefix.len : tmp->prefix.len;
- if (!strncmp(u->prefix.name, tmp->prefix.name, len)) {
- err = -EACCES;
- break;
- }
- }
- }
- if (!err) {
- spin_lock(&unix_list_lock);
- list_add_tail_rcu(&u->list, &unix_list);
- spin_unlock(&unix_list_lock);
- }
- rcu_read_unlock();
- return err;;
- }
- int dup_graphene_struct(struct task_struct *tsk)
- {
- struct graphene_struct *gs, *new;
- struct graphene_info *gi;
- if (!(tsk->graphene))
- return 0;
- if (tsk->group_leader != tsk) {
- atomic_inc(&tsk->graphene->g_count);
- return 0;
- }
- gs = tsk->graphene;
- new = kmalloc(sizeof(struct graphene_struct), GFP_KERNEL);
- if (!new)
- return -ENOMEM;
- spin_lock(&gs->g_lock);
- gi = gs->g_info;
- atomic_inc(&gi->gi_count);
- new->g_info = gi;
- spin_unlock(&gs->g_lock);
- atomic_set(&new->g_count, 1);
- spin_lock_init(&new->g_lock);
- tsk->graphene = new;
- return 0;
- }
- static void drop_graphene_info(struct graphene_info *info)
- {
- struct graphene_path *p, *n;
- int i;
- list_for_each_entry_safe(p, n, &info->gi_paths, list) {
- path_put(&p->path);
- kfree(p);
- }
- list_for_each_entry_safe(p, n, &info->gi_rpaths, list) {
- path_put(&p->path);
- kfree(p);
- }
- if (info->gi_libexec.dentry)
- path_put(&info->gi_libexec);
- if (info->gi_unix) {
- struct graphene_unix *u = info->gi_unix;
- if (!atomic_dec_return(&u->count)) {
- spin_lock(&unix_list_lock);
- if (!list_empty(&u->list)) {
- list_del_rcu(&u->list);
- spin_unlock(&unix_list_lock);
- synchronize_rcu();
- }
- if (u->root.mnt)
- path_put(&u->root);
- if (u->prefix.len)
- kfree(u->prefix.name);
- kfree(u);
- }
- }
- for (i = 0 ; i < 3 ; i++)
- if (info->gi_console[i].mnt)
- path_put(&info->gi_console[i]);
- kfree(info);
- }
- static void put_graphene_info(struct graphene_info *info)
- {
- if (!atomic_dec_return(&info->gi_count))
- drop_graphene_info(info);
- }
- void put_graphene_struct(struct task_struct *tsk)
- {
- struct graphene_struct *gs = tsk->graphene;
- if (gs) {
- tsk->graphene = NULL;
- if (atomic_dec_return(&gs->g_count))
- return;
- put_graphene_info(gs->g_info);
- kfree(gs);
- }
- }
- static inline
- struct graphene_info *get_graphene_info(struct graphene_struct *gs)
- {
- struct graphene_info *info;
- if (!gs)
- return NULL;
- rcu_read_lock();
- info = rcu_dereference_check(gs->g_info,
- lockdep_is_held(&gs->g_lock) ||
- atomic_read(&gs->g_count) == 1 ||
- rcu_my_thread_group_empty());
- rcu_read_unlock();
- return info;
- }
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
- # define FILE_INODE(file) ((file)->f_inode)
- #else
- # define FILE_INODE(file) ((file)->f_dentry->d_inode)
- #endif
- static loff_t graphene_lib_llseek(struct file *file, loff_t offset, int origin)
- {
- struct inode *inode = FILE_INODE(file);
- if (!inode)
- return -EINVAL;
- if (!inode->i_fop || !inode->i_fop->llseek)
- return -EINVAL;
- return inode->i_fop->llseek(file, offset, origin);
- }
- static ssize_t graphene_lib_read (struct file *file, char __user *buf,
- size_t len, loff_t *ppos)
- {
- struct inode *inode = FILE_INODE(file);
- if (!inode)
- return -EINVAL;
- if (!inode->i_fop || !inode->i_fop->read)
- return -EINVAL;
- return inode->i_fop->read(file, buf, len, ppos);
- }
- static ssize_t graphene_lib_aio_read (struct kiocb *iocb, const struct iovec *iov,
- unsigned long nr_segs, loff_t pos)
- {
- struct inode *inode = FILE_INODE(iocb->ki_filp);
- if (!inode)
- return -EINVAL;
- if (!inode->i_fop || !inode->i_fop->aio_read)
- return -EINVAL;
- return inode->i_fop->aio_read(iocb, iov, nr_segs, pos);
- }
- static int graphene_lib_mmap(struct file *file, struct vm_area_struct *vma)
- {
- struct inode *inode = FILE_INODE(file);
- if (!inode)
- return -EINVAL;
- if (!inode->i_fop || !inode->i_fop->mmap)
- return -EINVAL;
- return inode->i_fop->mmap(file, vma);
- }
- static int graphene_lib_release(struct inode *inode, struct file *file)
- {
- if (!inode)
- return -EINVAL;
- if (!inode->i_fop || !inode->i_fop->release)
- return -EINVAL;
- return inode->i_fop->release(inode, file);
- }
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 7, 0)
- # define DEFINE_PATH_BUFFER(fn, kpath, max) struct filename *fn; char *kpath; int max;
- #else
- # define DEFINE_PATH_BUFFER(fn, kpath, max) char * kpath; int max;
- #endif
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 7, 0)
- # define GET_PATH_BUFFER(fn, kpath, max) \
- fn = __getname(); \
- kpath = (char *) fn + sizeof(*fn); \
- max = PATH_MAX - sizeof(*fn);
- #else
- # define GET_PATH_BUFFER(fn, kpath, max) \
- kpath = __getname(); \
- max = PATH_MAX;
- #endif
- #define DEFINE_PATH(dp, path, fn, kpath, max) \
- DEFINE_PATH_BUFFER(fn, kpath, max) \
- char *dp; \
- GET_PATH_BUFFER(fn, kpath, max) \
- dp = d_path(path, kpath, max);
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 7, 0)
- # define PUT_PATH_BUFFER(fn, kpath) final_putname(fn);
- #else
- # define PUT_PATH_BUFFER(fn, kpath) putname(kpath);
- #endif
- static unsigned long
- graphene_lib_get_area(struct file *file, unsigned long addr, unsigned long len,
- unsigned long pgoff, unsigned long flags)
- {
- struct task_struct *current_tsk = current;
- struct graphene_info *gi = get_graphene_info(current_tsk->graphene);
- struct inode *inode = FILE_INODE(file);
- unsigned long (*get_area) (struct file *, unsigned long, unsigned long,
- unsigned long, unsigned long);
- if (!inode)
- return -EINVAL;
- if (gi->gi_libaddr) {
- if (!path_equal(&file->f_path, &gi->gi_libexec))
- BUG();
- if (!addr)
- addr = gi->gi_libaddr + pgoff * PAGE_SIZE;
- #ifdef CONFIG_GRAPHENE_DEBUG
- {
- DEFINE_PATH(dp, &file->f_path, fn, kpath, max)
- if (!IS_ERR(dp))
- printk(KERN_INFO "Graphene: PID %d MAP FILE %s"
- " OFF 0x%08lx AT 0x%016lx\n",
- current->pid, dp,
- pgoff * PAGE_SIZE, addr);
- PUT_PATH_BUFFER(fn, kpath)
- }
- #endif
- return addr;
- }
- get_area = (inode->i_fop && inode->i_fop->get_unmapped_area) ?
- inode->i_fop->get_unmapped_area :
- current_tsk->mm->get_unmapped_area;
- return get_area(file, addr, len, pgoff, flags);
- }
- /* These are file oprations required for execve */
- static struct file_operations graphene_lib_operations = {
- .llseek = graphene_lib_llseek,
- .read = graphene_lib_read,
- .aio_read = graphene_lib_aio_read,
- .mmap = graphene_lib_mmap,
- .get_unmapped_area = graphene_lib_get_area,
- .release = graphene_lib_release,
- };
- #ifdef CONFIG_GRAPHENE_DEBUG
- static void print_path(const char * fmt, struct path *path)
- {
- DEFINE_PATH(dp, path, fn, kpath, max)
- printk(fmt, current->pid, IS_ERR(dp) ? "(unknown)" : dp);
- PUT_PATH_BUFFER(fn, kpath)
- }
- #else
- # define print_path(...) do {} while (0)
- #endif
- int graphene_execve_open(struct file *file)
- {
- struct task_struct *current_tsk = current;
- struct graphene_info *gi = get_graphene_info(current_tsk->graphene);
- if (!current_tsk->in_execve)
- BUG();
- if (!path_equal(&file->f_path, &gi->gi_libexec)) {
- print_path(KERN_INFO "Graphene: DENY EXEC PID %d PATH %s\n",
- &file->f_path);
- return -EACCES;
- }
- if (!gi->gi_libaddr)
- goto accepted;
- file->f_op = &graphene_lib_operations;
- accepted:
- print_path(KERN_INFO "Graphene: ALLOW EXEC PID %d PATH %s\n",
- &file->f_path);
- return 0;
- }
- static int graphene_check_path(struct graphene_info *gi, int op, u32 mask,
- struct path *path, struct graphene_path *gp,
- int is_recursive)
- {
- if (!path_equal(path, &gp->path))
- return 0;
- if (mask & (MAY_READ|MAY_EXEC|MAY_ACCESS|
- AA_MAY_META_READ|AA_EXEC_MMAP|AA_MAY_LINK)) {
- if (!(gp->type & GRAPHENE_FS_READ))
- return -EACCES;
- }
- if (mask & (MAY_WRITE|MAY_APPEND|
- AA_MAY_CREATE|AA_MAY_DELETE|AA_MAY_META_WRITE|
- AA_MAY_CHMOD|AA_MAY_CHOWN)) {
- if (!(gp->type & GRAPHENE_FS_WRITE))
- return -EACCES;
- }
- return 1;
- }
- static int __common_perm(struct graphene_info *gi, int op, struct path *target,
- u32 mask)
- {
- struct graphene_path *p;
- struct path root, path = *target;
- struct qstr last;
- int rv = 0, i;
- BUG_ON(!path.dentry);
- path_get(&path);
- if (op == OP_OPEN) {
- int minor = iminor(path.dentry->d_inode);
- if (minor == GRAPHENE_MINOR)
- goto out;
- if (minor == GIPC_MINOR)
- goto out;
- }
- rcu_read_lock();
- for (i = 0 ; i < 3 ; i++) {
- if (!gi->gi_console[i].mnt)
- continue;
- if (path_equal(&gi->gi_console[i], &path))
- goto out;
- }
- list_for_each_entry_rcu(p, &gi->gi_paths, list) {
- rv = graphene_check_path(gi, op, mask, &path, p, 0);
- if (rv)
- goto out;
- }
- if (gi->gi_libexec.mnt && path_equal(&path, &gi->gi_libexec)) {
- rv = 0;
- goto out;
- }
- get_fs_root(current->fs, &root);
- last.len = 0;
- while (!path_equal(&path, &root)) {
- int is_recursive = 0;
- list_for_each_entry_rcu(p, &gi->gi_rpaths, list) {
- rv = graphene_check_path(gi, op, mask, &path, p,
- is_recursive);
- if (rv)
- goto out_root;
- }
- if (gi->gi_unix && gi->gi_unix->root.mnt) {
- struct graphene_unix *u = gi->gi_unix;
- if (path_equal(&path, &u->root)) {
- rv = 0;
- if (op == OP_MKNOD)
- goto out_root;
- if (op == OP_UNLINK) {
- if (!u->prefix.len)
- goto out_root;
- if (last.len) {
- int len = u->prefix.len;
- if (last.len < len)
- len = last.len;
- if (!strncmp(last.name,
- u->prefix.name,
- len))
- goto out_root;
- }
- }
- break;
- }
- }
- last = path.dentry->d_name;
- while(1) {
- struct dentry *old = path.dentry;
- if (path_equal(&path, &root))
- break;
- if (path.dentry != path.mnt->mnt_root) {
- path.dentry = dget_parent(path.dentry);
- dput(old);
- break;
- }
- if (!follow_up(&path))
- break;
- }
- is_recursive = 1;
- }
- rv = -EACCES;
- out_root:
- path_put(&root);
- out:
- rcu_read_unlock();
- path_put(&path);
- if (rv >= 0) {
- rv = 0;
- print_path(KERN_INFO "Graphene: ALLOW PID %d PATH %s\n", target);
- } else {
- print_path(KERN_INFO "Graphene: DENY PID %d PATH %s\n", target);
- }
- return rv;
- }
- int graphene_common_perm(int op, struct path *path, u32 mask)
- {
- struct graphene_info *gi = get_graphene_info(current->graphene);
- if (!gi)
- return 0;
- return __common_perm(gi, op, path, mask);
- }
- static int __unix_perm(struct sockaddr *address, int addrlen)
- {
- struct graphene_info *gi = get_graphene_info(current->graphene);
- const char *path, *sun_path;
- struct nameidata nd;
- struct path *p = NULL;
- int err = 0;
- if (!gi->gi_unix)
- return -EPERM;
- path = sun_path = ((struct sockaddr_un *) address)->sun_path;
- if (gi->gi_unix->root.mnt) {
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 6, 0)
- struct path parent;
- err = kern_path(path, LOOKUP_FOLLOW, &nd.path);
- if (!err)
- return err;
- p = &nd.path;
- err = vfs_path_lookup(nd.path.dentry, nd.path.mnt, "..", 0,
- &parent);
- if (!err)
- goto denied;
- if (!path_equal(&gi->gi_unix->root, &parent))
- goto denied;
- path_put(&parent);
- path = nd.path.dentry->d_name.name;
- #else
- err = kern_path_parent(path, &nd);
- if (!err)
- return err;
- path_put(&nd.path);
- path = nd.last.name;
- if (!path_equal(&gi->gi_unix->root, &nd.path))
- goto denied;
- #endif
- }
- if (gi->gi_unix->prefix.len &&
- memcmp(path, gi->gi_unix->prefix.name,
- gi->gi_unix->prefix.len))
- err = -EPERM;
- if (p)
- path_put(p);
- if (!err)
- return 0;
- denied:
- #ifdef CONFIG_GRAPHENE_DEBUG
- printk(KERN_INFO "Graphene: DENY PID %d SOCKET %s\n",
- current->pid, sun_path);
- #endif
- if (p)
- path_put(p);
- return -EPERM;
- }
- static int net_cmp(int family, int addr_any, int port_any,
- struct graphene_net_addr *ga,
- struct sockaddr *addr, int addrlen)
- {
- switch(family) {
- case AF_INET: {
- struct sockaddr_in *a = (void *) addr;
- if (!addr_any) {
- if (a->sin_addr.s_addr != ga->addr.sin_addr.s_addr)
- return -EPERM;
- }
- if (!port_any) {
- unsigned short port = ntohs(a->sin_port);
- if (!(port >= ga->port_begin && port <= ga->port_end))
- return -EPERM;
- }
- break;
- }
- #ifdef CONFIG_IPV6
- case AF_INET6: {
- struct sockaddr_in6 *a6 = (void *) addr;
- if (!addr_any) {
- if (memcmp(&a6->sin6_addr, &ga->addr.sin6_addr,
- sizeof(struct in6_addr)))
- return -EPERM;
- }
- if (!port_any) {
- unsigned short port = ntohs(a6->sin6_port);
- if (!(port >= ga->port_begin && port <= ga->port_end))
- return -EPERM;
- }
- break;
- }
- #endif
- }
- return 0;
- }
- #ifdef CONFIG_GRAPHENE_DEBUG
- static void print_net(int allow, int family, int op,
- struct sockaddr *local_addr, int local_addrlen,
- struct sockaddr *peer_addr, int peer_addrlen)
- {
- const char *allow_str = allow ? "ALLOW" : "DENY";
- const char *op_str = "";
- int print_peer = (op == OP_CONNECT || op == OP_SENDMSG);
- switch(op) {
- case OP_BIND: op_str = "BIND"; break;
- case OP_LISTEN: op_str = "LISTEN"; break;
- case OP_CONNECT: op_str = "CONNECT"; break;
- case OP_SENDMSG: op_str = "SENDMSG"; break;
- case OP_RECVMSG: op_str = "RECVMSG"; break;
- }
- if (family == AF_INET) {
- struct sockaddr_in *la = (void *) local_addr;
- u8 *a1 = (u8 *) &la->sin_addr.s_addr;
- struct sockaddr_in *pa = (void *) peer_addr;
- u8 *a2 = (u8 *) &pa->sin_addr.s_addr;
- if (print_peer && peer_addr) {
- printk(KERN_INFO "Graphene: %s %s PID %d SOCKET "
- "%d.%d.%d.%d:%d:%d.%d.%d.%d:%d\n",
- allow_str, op_str, current->pid,
- a1[0], a1[1], a1[2], a1[3], ntohs(la->sin_port),
- a2[0], a2[1], a2[2], a2[3], ntohs(pa->sin_port));
- } else {
- printk(KERN_INFO "Graphene: %s %s PID %d SOCKET "
- "%d.%d.%d.%d:%d\n",
- allow_str, op_str, current->pid,
- a1[0], a1[1], a1[2], a1[3], ntohs(la->sin_port));
- }
- }
- #ifdef CONFIG_IPV6
- if (family == AF_INET6) {
- struct sockaddr_in6 *la = (void *) local_addr;
- u16 *a1 = (u16 *) &la->sin6_addr.s6_addr;
- struct sockaddr_in6 *pa = (void *) peer_addr;
- u16 *a2 = (u16 *) &pa->sin6_addr.s6_addr;
- if (print_peer) {
- printk(KERN_INFO "Graphene: %s %s PID %d SOCKET "
- "[%d:%d:%d:%d:%d:%d:%d:%d]:%d:"
- "[%d.%d.%d.%d:%d:%d:%d:%d]:%d\n",
- allow_str, op_str, current->pid,
- a1[0], a1[1], a1[2], a1[3],
- a1[4], a1[5], a1[6], a1[7], ntohs(la->sin6_port),
- a2[0], a2[1], a2[2], a2[3],
- a2[4], a2[5], a2[6], a2[7], ntohs(pa->sin6_port));
- } else {
- printk(KERN_INFO "Graphene: %s %s PID %d SOCKET "
- "[%d.%d.%d.%d:%d:%d:%d:%d]:%d\n",
- allow_str, op_str, current->pid,
- a1[0], a1[1], a1[2], a1[3],
- a1[4], a1[5], a1[6], a1[7], ntohs(la->sin6_port));
- }
- }
- #endif
- }
- #else
- # define print_net(...) do {} while (0)
- #endif
- /*
- * network rules:
- * bind:
- * input addr/port match local addr/port
- * listen:
- * local addr/port match local addr/port
- * allow ANY peer addr/port
- * connect:
- * local/remote addr/port match local/remote addr/port
- * sendmsg:
- * EITHER stream socket OR no inport addr/port OR
- * local/remote addr/port match local/remote addr/port
- * recvmsg:
- * EITHER stream socket OR connected OR
- * allow ANY peer addr/port
- */
- static
- int __common_net_perm(struct graphene_info *gi, int op, struct socket *sock,
- struct sockaddr *address, int addrlen)
- {
- struct sock *sk = sock->sk;
- struct inet_sock *inet = inet_sk(sk);
- struct graphene_net *gn;
- struct sockaddr_storage addrbuf;
- struct sockaddr * local_addr = NULL, * peer_addr = NULL;
- int local_addrlen, peer_addrlen;
- int local_needcmp = 0, peer_needcmp = 0;
- int local_needany = 0, peer_needany = 0;
- int err;
- if (sk->sk_type != SOCK_STREAM && sk->sk_type != SOCK_DGRAM)
- return -EPERM;
- #ifdef CONFIG_IPV6
- if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)
- #else
- if (sk->sk_family != AF_INET)
- #endif
- return -EPERM;
- if (list_empty(&gi->gi_net))
- return -EPERM;
- if (op == OP_LISTEN)
- peer_needany = 1;
- if (op == OP_RECVMSG) {
- if (inet->inet_dport)
- return 0;
- peer_needany = 1;
- }
- if (op == OP_CONNECT || op == OP_SENDMSG) {
- BUG_ON(!address);
- peer_addr = address;
- peer_addrlen = addrlen;
- peer_needcmp = 1;
- }
- if (op == OP_BIND) {
- BUG_ON(!address);
- local_addr = address;
- local_addrlen = addrlen;
- local_needcmp = 1;
- if (sk->sk_type == SOCK_DGRAM)
- peer_needany = 1;
- } else {
- local_addr = (struct sockaddr *) &addrbuf;
- local_needcmp = 1;
- err = sock->ops->getname(sock, local_addr, &local_addrlen, 0);
- if (err < 0)
- return err;
- }
- list_for_each_entry(gn, &gi->gi_net, list) {
- if (gn->family != sk->sk_family)
- continue;
- if (local_needany &&
- (gn->flags & (LOCAL_ADDR_ANY|LOCAL_PORT_ANY)) !=
- (LOCAL_ADDR_ANY|LOCAL_PORT_ANY))
- continue;
- if (peer_needany &&
- (gn->flags & (PEER_ADDR_ANY|PEER_PORT_ANY)) !=
- (PEER_ADDR_ANY|PEER_PORT_ANY))
- continue;
- if (local_needcmp) {
- err = net_cmp(sk->sk_family, gn->flags & LOCAL_ADDR_ANY,
- gn->flags & LOCAL_PORT_ANY,
- &gn->local, local_addr, local_addrlen);
- if (err < 0)
- continue;
- }
- if (peer_needcmp) {
- err = net_cmp(sk->sk_family, gn->flags & PEER_ADDR_ANY,
- gn->flags & PEER_PORT_ANY,
- &gn->peer, peer_addr, peer_addrlen);
- if (err < 0)
- continue;
- }
- print_net(1, sk->sk_family, op, local_addr, local_addrlen,
- peer_addr, peer_addrlen);
- return 0;
- }
- print_net(0, sk->sk_family, op, local_addr, local_addrlen,
- peer_addr, peer_addrlen);
- return -EPERM;
- }
- int graphene_socket_bind(struct socket *sock,
- struct sockaddr *address, int addrlen)
- {
- if (GRAPHENE_ENABLED()) {
- struct graphene_info *gi = get_graphene_info(current->graphene);
- if (!sock || !sock->sk)
- return 0;
- if (sock->sk->sk_family == PF_UNIX) {
- if (sock->sk->sk_type != SOCK_STREAM)
- return -EPERM;
- return __unix_perm(address, addrlen);
- }
- return __common_net_perm(gi, OP_BIND, sock, address, addrlen);
- }
- return 0;
- }
- int graphene_socket_listen(struct socket *sock, int backlog)
- {
- if (GRAPHENE_ENABLED()) {
- struct graphene_info *gi = get_graphene_info(current->graphene);
- if (!sock || !sock->sk || sock->sk->sk_family == PF_UNIX)
- return 0;
- return __common_net_perm(gi, OP_LISTEN, sock, NULL, 0);
- }
- return 0;
- }
- int graphene_socket_connect(struct socket *sock,
- struct sockaddr *address, int addrlen)
- {
- if (GRAPHENE_ENABLED()) {
- struct graphene_info *gi = get_graphene_info(current->graphene);
- if (!sock || !sock->sk)
- return 0;
- if (sock->sk->sk_family == PF_UNIX) {
- if (sock->sk->sk_type != SOCK_STREAM)
- return -EPERM;
- return __unix_perm(address, addrlen);
- }
- return __common_net_perm(gi, OP_CONNECT, sock, address,
- addrlen);
- }
- return 0;
- }
- int graphene_socket_sendmsg(struct socket *sock,
- struct msghdr *msg, int size)
- {
- if (GRAPHENE_ENABLED()) {
- struct graphene_info *gi = get_graphene_info(current->graphene);
- if (!sock || !sock->sk || sock->sk->sk_family == PF_UNIX)
- return 0;
- if (sock->sk->sk_type == SOCK_STREAM)
- return 0;
- if (!msg->msg_name)
- return 0;
- return __common_net_perm(gi, OP_SENDMSG, sock,
- msg->msg_name, msg->msg_namelen);
- }
- return 0;
- }
- int graphene_socket_recvmsg(struct socket *sock,
- struct msghdr *msg, int size, int flags)
- {
- if (GRAPHENE_ENABLED()) {
- struct graphene_info *gi = get_graphene_info(current->graphene);
- if (!sock || !sock->sk || sock->sk->sk_family == PF_UNIX)
- return 0;
- if (sock->sk->sk_type == SOCK_STREAM)
- return 0;
- return __common_net_perm(gi, OP_RECVMSG, sock, NULL, 0);
- }
- return 0;
- }
- int graphene_task_kill(struct task_struct *tsk, struct siginfo *info,
- int sig, u32 secid)
- {
- struct task_struct *current_tsk = current;
- if (!current_tsk->graphene)
- return 0;
- if (sig != SIGCONT)
- return -EPERM;
- return (tsk->tgid == current_tsk->tgid) ? 0 : -EPERM;
- }
- static void get_console(struct graphene_info *gi, struct files_struct *files)
- {
- int i, j, n = 0;
- struct fdtable *fdt = files_fdtable(files);
- j = 0;
- rcu_read_lock();
- fdt = files_fdtable(files);
- rcu_read_unlock();
- for (;;) {
- unsigned long set;
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
- i = j * BITS_PER_LONG;
- #else
- i = j * __NFDBITS;
- #endif
- if (i >= fdt->max_fds)
- break;
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
- set = fdt->open_fds[j++];
- #else
- set = fdt->open_fds->fds_bits[j++];
- #endif
- for ( ; set ; i++, set >>= 1) {
- struct file *file;
- int k;
- if (!(set & 1))
- continue;
- if (i > 2)
- goto out;
- file = xchg(&fdt->fd[i], NULL);
- if (!file)
- continue;
- for (k = 0 ; k < n ; k++)
- if (path_equal(&file->f_path, &gi->gi_console[k]))
- break;
- if (k == n) {
- path_get(&file->f_path);
- gi->gi_console[n++] = file->f_path;
- }
- #ifdef CONFIG_GRAPHENE_DEBUG
- {
- DEFINE_PATH(dp, &file->f_path, fn, kpath, max)
- if (!IS_ERR(dp))
- printk(KERN_INFO "Graphene: "
- "PID %d CONSOLE %s\n",
- current->pid, dp);
- PUT_PATH_BUFFER(fn, kpath)
- }
- #endif
- xchg(&fdt->fd[i], file);
- }
- }
- out:
- for ( ; n < 3 ; n++)
- gi->gi_console[n].mnt = NULL;
- }
- static int update_graphene(struct task_struct *current_tsk,
- struct graphene_info *gi);
- #ifdef CONFIG_GRAPHENE_DEBUG
- static void print_net_rule(const char *fmt, struct graphene_net *n)
- {
- # ifdef CONFIG_IPV6
- # define ADDR_STR_MAX 128
- # else
- # define ADDR_STR_MAX 48
- # endif
- char str[ADDR_STR_MAX];
- int len = 0, i;
- for (i = 0; i < 2; i++) {
- unsigned char addr_any = i ? PEER_ADDR_ANY : LOCAL_ADDR_ANY;
- unsigned char port_any = i ? PEER_PORT_ANY : LOCAL_PORT_ANY;
- struct graphene_net_addr *a = i ? &n->peer : &n->local;
- if (i)
- str[len++] = ':';
- switch(n->family) {
- case AF_INET:
- if (n->flags & addr_any) {
- str[len++] = ':';
- } else {
- u8 *ip = (u8 *) &a->addr.sin_addr.s_addr;
- len += snprintf(str + len,
- ADDR_STR_MAX - len,
- "%u.%u.%u.%u:",
- ip[0], ip[1], ip[2], ip[3]);
- }
- break;
- #ifdef CONFIG_IPV6
- case AF_INET6:
- if (n->flags & addr_any) {
- str[len++] = '[';
- str[len++] = ']';
- str[len++] = ':';
- } else {
- u16 *ip = (u16 *) &a->addr.sin6_addr.s6_addr;
- len += snprintf(str + len,
- ADDR_STR_MAX - len,
- "[%u:%u:%u:%u:%u:%u:%u:%u]:",
- ip[0], ip[1], ip[2], ip[3],
- ip[4], ip[5], ip[6], ip[7]);
- }
- break;
- #endif /* CONFIG_IPV6 */
- }
- if (!(n->flags & port_any)) {
- if (a->port_begin == a->port_end)
- len += snprintf(str + len, ADDR_STR_MAX - len,
- "%u", a->port_begin);
- else
- len += snprintf(str + len, ADDR_STR_MAX - len,
- "%u-%u",
- a->port_begin, a->port_end);
- }
- }
- BUG_ON(len >= ADDR_STR_MAX);
- str[len] = 0;
- printk(fmt, current->pid, str);
- }
- #else
- # define print_net_rule(...) do {} while (0)
- #endif
- static int set_net_rule(struct graphene_net_policy *np,
- struct graphene_info *gi)
- {
- struct graphene_net *n;
- int i;
- #ifdef CONFIG_IPV6
- if (np->family != AF_INET && np->family != AF_INET6)
- #else
- if (np->family != AF_INET)
- #endif
- return -EINVAL;
- n = kmalloc(sizeof(struct graphene_net), GFP_KERNEL);
- if (!n)
- return -ENOMEM;
- n->family = np->family;
- n->flags = 0;
- n->local = np->local;
- n->peer = np->peer;
- for (i = 0; i < 2; i++) {
- unsigned char addr_any = i ? PEER_ADDR_ANY : LOCAL_ADDR_ANY;
- unsigned char port_any = i ? PEER_PORT_ANY : LOCAL_PORT_ANY;
- struct graphene_net_addr *a = i ? &n->peer : &n->local;
- switch(n->family) {
- case AF_INET:
- if (!a->addr.sin_addr.s_addr)
- n->flags |= addr_any;
- break;
- #ifdef CONFIG_IPV6
- case AF_INET6:
- if (!memcmp(&a->addr.sin6_addr.s6_addr, &in6addr_any, 16))
- n->flags |= addr_any;
- break;
- #endif /* CONFIG_IPV6 */
- }
- if (a->port_begin == 0 && a->port_end == 65535)
- n->flags |= port_any;
- }
- INIT_LIST_HEAD(&n->list);
- list_add_tail(&n->list, &gi->gi_net);
- print_net_rule(KERN_INFO "Graphene: PID %d NET RULE %s\n", n);
- return 0;
- }
- u32 gipc_get_session(struct task_struct *tsk)
- {
- struct graphene_info *gi = get_graphene_info(tsk->graphene);
- return gi ? gi->gi_gipc_session : 0;
- }
- int set_graphene(struct task_struct *current_tsk,
- const struct graphene_policies __user *gpolicies)
- {
- int npolicies;
- const struct graphene_user_policy __user *policies = gpolicies->policies;
- struct graphene_info *gi;
- struct graphene_user_policy ptmp;
- struct graphene_path *p;
- struct graphene_unix *u;
- int i, rv = 0;
- DEFINE_PATH_BUFFER(fn, kpath, max)
- #ifdef CONFIG_GRAPHENE_DEBUG
- char *dp;
- #endif
- rv = copy_from_user(&npolicies, &gpolicies->npolicies, sizeof(int));
- if (rv < 0)
- return -EFAULT;
- if (npolicies && !policies)
- return -EINVAL;
- #ifndef CONFIG_GRAPHENE_ISOLATE
- if (current_tsk->graphene)
- return -EAGAIN;
- if (current_tsk != current_tsk->group_leader)
- return -EPERM;
- #endif
- gi = kmalloc(sizeof(struct graphene_info), GFP_KERNEL);
- if (!gi)
- return -ENOMEM;
- GET_PATH_BUFFER(fn, kpath, max)
- memset(gi, 0, sizeof(struct graphene_info));
- INIT_LIST_HEAD(&gi->gi_paths);
- INIT_LIST_HEAD(&gi->gi_rpaths);
- INIT_LIST_HEAD(&gi->gi_net);
- gi->gi_gipc_session = atomic_inc_return(&gipc_session);
- #ifdef CONFIG_GRAPHENE_DEBUG
- printk(KERN_INFO "Graphene: PID %d GIPC SESSION %u\n",
- current_tsk->pid, gi->gi_gipc_session);
- #endif
- for (i = 0 ; i < npolicies ; i++) {
- int type, flags;
- rv = copy_from_user(&ptmp, policies + i,
- sizeof(struct graphene_user_policy));
- if (rv < 0)
- goto err;
- if (!ptmp.value) {
- rv = -EINVAL;
- goto err;
- }
- type = ptmp.type & ~(GRAPHENE_FS_READ | GRAPHENE_FS_WRITE);
- flags = ptmp.type & ~type;
- switch(type) {
- case GRAPHENE_LIB_NAME:
- rv = strncpy_from_user(kpath, ptmp.value, max);
- if (rv < 0)
- goto err;
- rv = kern_path(kpath, LOOKUP_FOLLOW, &gi->gi_libexec);
- if (rv)
- goto err;
- #ifdef CONFIG_GRAPHENE_DEBUG
- dp = d_path(&gi->gi_libexec, kpath, max);
- if (IS_ERR(dp)) {
- rv = -EINVAL;
- goto err;
- }
- printk(KERN_INFO "Graphene: PID %d LIB NAME %s\n",
- current_tsk->pid, dp);
- #endif
- break;
- case GRAPHENE_LIB_ADDR:
- gi->gi_libaddr = (u64) ptmp.value;
- #ifdef CONFIG_GRAPHENE_DEBUG
- printk(KERN_INFO "Graphene: PID %d LIB ADDR 0x%016llx\n",
- current_tsk->pid, gi->gi_libaddr);
- #endif
- break;
- case GRAPHENE_UNIX_ROOT:
- rv = strncpy_from_user(kpath, ptmp.value, max);
- if (rv < 0)
- goto err;
- u = gi->gi_unix;
- if (!u) {
- u = kmalloc(sizeof(struct graphene_unix),
- GFP_KERNEL);
- if (!u) {
- rv = -ENOMEM;
- goto err;
- }
- u->root.mnt = NULL;
- u->prefix.len = 0;
- atomic_set(&u->count, 1);
- INIT_LIST_HEAD(&u->list);
- gi->gi_unix = u;
- }
- if (u && u->root.mnt)
- path_put(&u->root);
- rv = kern_path(kpath, LOOKUP_FOLLOW, &u->root);
- if (rv)
- goto err;
- #ifdef CONFIG_GRAPHENE_DEBUG
- dp = d_path(&u->root, kpath, max);
- if (IS_ERR(dp)) {
- rv = -EINVAL;
- goto err;
- }
- printk(KERN_INFO "Graphene: PID %d UNIX ROOT %s\n",
- current_tsk->pid, dp);
- #endif
- break;
- case GRAPHENE_UNIX_PREFIX: {
- char * prefix;
- rv = strncpy_from_user(kpath, ptmp.value, max);
- if (rv < 0)
- goto err;
- u = gi->gi_unix;
- if (!u) {
- u = kmalloc(sizeof(struct graphene_unix),
- GFP_KERNEL);
- if (!u) {
- rv = -ENOMEM;
- goto err;
- }
- u->root.mnt = NULL;
- u->prefix.len = 0;
- atomic_set(&u->count, 1);
- INIT_LIST_HEAD(&u->list);
- gi->gi_unix = u;
- }
- if (u && u->prefix.len)
- kfree(&u->prefix.name);
- prefix = kmalloc(rv + 1, GFP_KERNEL);
- if (!prefix) {
- rv = -ENOMEM;
- goto err;
- }
- memcpy(prefix, kpath, rv + 1);
- u->prefix.len = rv;
- u->prefix.name = prefix;
- #ifdef CONFIG_GRAPHENE_DEBUG
- printk(KERN_INFO "Graphene: PID %d UNIX PREFIX %s\n",
- current_tsk->pid, kpath);
- #endif
- break;
- }
- case GRAPHENE_NET_RULE: {
- struct graphene_net_policy np;
- rv = copy_from_user(&np, ptmp.value,
- sizeof(struct graphene_net_policy));
- if (rv < 0)
- goto err;
- rv = set_net_rule(&np, gi);
- if (rv < 0)
- goto err;
- break;
- }
- case GRAPHENE_FS_PATH:
- case GRAPHENE_FS_RECURSIVE:
- rv = strncpy_from_user(kpath, ptmp.value, max);
- if (rv < 0)
- goto err;
- p = kmalloc(sizeof(struct graphene_path),
- GFP_KERNEL);
- if (!p) {
- rv = -ENOMEM;
- goto err;
- }
- rv = kern_path(kpath, LOOKUP_FOLLOW, &p->path);
- if (rv) {
- kfree(p);
- goto err;
- }
- #ifdef CONFIG_GRAPHENE_DEBUG
- dp = d_path(&p->path, kpath, max);
- if (IS_ERR(dp)) {
- rv = -EINVAL;
- kfree(p);
- goto err;
- }
- printk(KERN_INFO "Graphene: PID %d PATH %s%s\n",
- current_tsk->pid, dp,
- type == GRAPHENE_FS_PATH ? "" :
- " (recursive)");
- #endif
- p->type = flags;
- INIT_LIST_HEAD(&p->list);
- list_add_tail(&p->list,
- type == GRAPHENE_FS_PATH ?
- &gi->gi_paths : &gi->gi_rpaths);
- break;
- }
- }
- if (!current_tsk->graphene) {
- struct graphene_struct *gs;
- if (gi->gi_unix) {
- rv = add_graphene_unix(gi->gi_unix);
- if (rv < 0)
- goto err;
- }
- get_console(gi, current_tsk->files);
- gs = kmalloc(sizeof(struct graphene_struct), GFP_KERNEL);
- if (!gs) {
- rv = -ENOMEM;
- goto err;
- }
- atomic_set(&gs->g_count, 1);
- gs->g_info = gi;
- spin_lock_init(&gs->g_lock);
- current_tsk->graphene = gs;
- printk(KERN_INFO "Graphene: PID %d registered\n",
- current_tsk->pid);
- }
- #ifdef CONFIG_GRAPHENE_ISOLATE
- else {
- if ((rv = update_graphene(current_tsk, gi)) < 0) {
- printk(KERN_INFO "Graphene: PID %d cannot be updated (%d)\n",
- current_tsk->pid, rv);
- goto err;
- }
- printk(KERN_INFO "Graphene: PID %d updated\n",
- current_tsk->pid);
- }
- #endif
- rv = 0;
- goto out;
- err:
- drop_graphene_info(gi);
- out:
- PUT_PATH_BUFFER(fn, kpath)
- return rv;
- }
- #ifdef CONFIG_GRAPHENE_ISOLATE
- static int do_close_sock(struct graphene_info *gi, struct socket *sock,
- int close_unix)
- {
- struct sock *sk = sock->sk;
- struct sockaddr_storage address;
- struct sockaddr *addr = (void *) &address;
- struct inet_sock *inet;
- int len, err;
- if (!sk)
- return 0;
- if (sk->sk_family == PF_UNIX)
- return close_unix ? -EPERM : 0;
- inet = inet_sk(sk);
- if (inet->inet_dport) {
- err = sock->ops->getname(sock, addr, &len, 1);
- if (err < 0)
- return err;
- err = __common_net_perm(gi, OP_CONNECT, sock, addr, len);
- if (err < 0)
- return err;
- return 0;
- }
- if (!inet->inet_num)
- return 0;
- if (sk->sk_state == TCP_LISTEN) {
- err = __common_net_perm(gi, OP_LISTEN, sock, NULL, 0);
- } else {
- err = sock->ops->getname(sock, addr, &len, 0);
- if (err < 0)
- return err;
- err = __common_net_perm(gi, OP_BIND, sock, addr, len);
- }
- return err;
- }
- static int do_close_fds(struct graphene_info *gi, struct files_struct *files,
- int close_unix)
- {
- int i, j;
- struct fdtable *fdt = files_fdtable(files);
- j = 0;
- rcu_read_lock();
- fdt = files_fdtable(files);
- rcu_read_unlock();
- for (;;) {
- unsigned long set;
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
- i = j * BITS_PER_LONG;
- #else
- i = j * __NFDBITS;
- #endif
- if (i >= fdt->max_fds)
- break;
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
- set = fdt->open_fds[j++];
- #else
- set = fdt->open_fds->fds_bits[j++];
- #endif
- for ( ; set ; i++, set >>= 1) {
- struct socket *sock = NULL;
- struct file *file;
- int err;
- if (!(set & 1))
- continue;
- #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 6, 0)
- sock = sockfd_lookup(i, &err);
- #endif
- file = xchg(&fdt->fd[i], NULL);
- if (!file)
- continue;
- #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 6, 0)
- sock = sock_from_file(file, &err);
- #endif
- if (sock) {
- err = do_close_sock(gi, sock, close_unix);
- if (!err)
- goto allow;
- goto deny;
- }
- if (get_pipe_info(file))
- goto deny;
- err = __common_perm(gi, OP_OPEN, &file->f_path,
- aa_map_file_to_perms(file));
- if (!err) {
- allow:
- xchg(&fdt->fd[i], file);
- continue;
- }
- deny:
- filp_close(file, files);
- cond_resched();
- }
- }
- return 0;
- }
- static
- int net_check (int family, int addr_any, int port_any,
- int flags1, struct graphene_net_addr * addr1,
- int flags2, struct graphene_net_addr * addr2)
- {
- if (flags2 & addr_any)
- goto port;
- if (flags1 & addr_any)
- goto port;
-
- switch (family) {
- case AF_INET:
- if (memcmp(&addr1->addr.sin_addr,
- &addr2->addr.sin_addr,
- sizeof(struct in_addr)))
- return -EACCES;
- break;
- case AF_INET6:
- if (memcmp(&addr1->addr.sin6_addr,
- &addr2->addr.sin6_addr,
- sizeof(struct in6_addr)))
- return -EACCES;
- break;
- }
- port:
- if (flags2 & port_any)
- return 0;
- if (flags1 & port_any)
- return 0;
- if (addr1->port_begin < addr2->port_begin ||
- addr1->port_end > addr2->port_end)
- return -EACCES;
- return 0;
- }
- static int update_graphene(struct task_struct *current_tsk,
- struct graphene_info *new)
- {
- struct graphene_struct *gs = current_tsk->graphene;
- struct graphene_info *gi = get_graphene_info(gs);
- struct graphene_path *p;
- struct graphene_net *n1, *n2;
- int i = 0, close_unix = 0;
- if (new->gi_unix) {
- if (!new->gi_unix->root.mnt &&
- gi->gi_unix && gi->gi_unix->root.mnt) {
- if (!path_equal(&new->gi_unix->root,
- &gi->gi_unix->root))
- return -EACCES;
- path_get(&gi->gi_unix->root);
- new->gi_unix->root = gi->gi_unix->root;
- }
- if (new->gi_unix->prefix.len) {
- int err = add_graphene_unix(new->gi_unix);
- if (err < 0)
- return err;
- }
- close_unix = 1;
- }
- for (i = 0 ; i < 3 ; i++)
- if (gi->gi_console[i].mnt) {
- path_get(&gi->gi_console[i]);
- new->gi_console[i] = gi->gi_console[i];
- } else {
- new->gi_console[i].mnt = NULL;
- }
- list_for_each_entry(p, &new->gi_paths, list) {
- u32 mask = 0;
- if (p->type & GRAPHENE_FS_READ)
- mask |= MAY_READ;
- if (p->type & GRAPHENE_FS_WRITE)
- mask |= MAY_WRITE;
- print_path(KERN_INFO "Graphene: PID %d CHECK RULE %s\n",
- &p->path);
- if (__common_perm(gi, OP_OPEN, &p->path, mask) < 0)
- return -EACCES;
- }
- list_for_each_entry(n1, &new->gi_net, list) {
- bool accepted = false;
- print_net_rule(KERN_INFO "Graphene: PID %d CHECK RULE %s\n",
- n1);
- list_for_each_entry(n2, &gi->gi_net, list) {
- if (n1->family != n2->family)
- continue;
- if (net_check(n1->family,
- LOCAL_ADDR_ANY, LOCAL_PORT_ANY,
- n1->flags, &n1->local,
- n2->flags, &n2->local) < 0)
- continue;
- if (net_check(n1->family,
- PEER_ADDR_ANY, PEER_PORT_ANY,
- n1->flags, &n1->peer,
- n2->flags, &n2->peer) < 0)
- continue;
- accepted = true;
- print_net_rule(KERN_INFO "Graphene: PID %d ALLOW %s\n",
- n1);
- break;
- }
- if (!accepted) {
- print_net_rule(KERN_INFO "Graphene: PID %d DENY %s\n",
- n1);
- return -EACCES;
- }
- }
- spin_lock(&gs->g_lock);
- put_graphene_info(gs->g_info);
- gs->g_info = new;
- spin_unlock(&gs->g_lock);
- do_close_fds(new, current_tsk->files, close_unix);
- return 0;
- }
- #endif /* CONFIG_GRAPHENE_ISOLATE */
- static long graphene_ioctl(struct file *file, unsigned int cmd,
- unsigned long arg)
- {
- struct task_struct *current_tsk = current;
- switch (cmd) {
- case GRAPHENE_SET_TASK:
- return set_graphene(current_tsk,
- (const struct graphene_policies __user *) arg);
- default:
- return -ENOSYS;
- }
- }
- static struct file_operations graphene_operations = {
- .unlocked_ioctl = graphene_ioctl,
- .compat_ioctl = graphene_ioctl,
- .llseek = noop_llseek,
- };
- static struct miscdevice graphene_dev = {
- .minor = GRAPHENE_MINOR,
- .name = "graphene",
- .fops = &graphene_operations,
- .mode = 0666,
- };
- static int __init graphene_init(void)
- {
- int rv;
- rv = misc_register(&graphene_dev);
- if (rv) {
- printk(KERN_ERR "Graphene error: "
- "failed to add a char device (rv=%d)\n", rv);
- return rv;
- }
- return 0;
- }
- device_initcall(graphene_init);