Kentaro Takeda | f743324 | 2009-02-05 17:18:16 +0900 | [diff] [blame] | 1 | /* |
| 2 | * security/tomoyo/tomoyo.h |
| 3 | * |
| 4 | * Implementation of the Domain-Based Mandatory Access Control. |
| 5 | * |
| 6 | * Copyright (C) 2005-2009 NTT DATA CORPORATION |
| 7 | * |
Tetsuo Handa | 39826a1 | 2009-04-08 22:31:28 +0900 | [diff] [blame^] | 8 | * Version: 2.2.0 2009/04/01 |
Kentaro Takeda | f743324 | 2009-02-05 17:18:16 +0900 | [diff] [blame] | 9 | * |
| 10 | */ |
| 11 | |
| 12 | #ifndef _SECURITY_TOMOYO_TOMOYO_H |
| 13 | #define _SECURITY_TOMOYO_TOMOYO_H |
| 14 | |
| 15 | struct tomoyo_path_info; |
| 16 | struct path; |
| 17 | struct inode; |
| 18 | struct linux_binprm; |
| 19 | struct pt_regs; |
| 20 | struct tomoyo_page_buffer; |
| 21 | |
| 22 | int tomoyo_check_file_perm(struct tomoyo_domain_info *domain, |
| 23 | const char *filename, const u8 perm); |
| 24 | int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain, |
| 25 | const struct tomoyo_path_info *filename, |
| 26 | struct tomoyo_page_buffer *buf); |
| 27 | int tomoyo_check_open_permission(struct tomoyo_domain_info *domain, |
| 28 | struct path *path, const int flag); |
| 29 | int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain, |
| 30 | const u8 operation, struct path *path); |
| 31 | int tomoyo_check_2path_perm(struct tomoyo_domain_info *domain, |
| 32 | const u8 operation, struct path *path1, |
| 33 | struct path *path2); |
| 34 | int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain, |
| 35 | struct file *filp); |
| 36 | int tomoyo_find_next_domain(struct linux_binprm *bprm, |
| 37 | struct tomoyo_domain_info **next_domain); |
| 38 | |
| 39 | /* Index numbers for Access Controls. */ |
| 40 | |
| 41 | #define TOMOYO_TYPE_SINGLE_PATH_ACL 0 |
| 42 | #define TOMOYO_TYPE_DOUBLE_PATH_ACL 1 |
| 43 | |
| 44 | /* Index numbers for File Controls. */ |
| 45 | |
| 46 | /* |
| 47 | * TYPE_READ_WRITE_ACL is special. TYPE_READ_WRITE_ACL is automatically set |
| 48 | * if both TYPE_READ_ACL and TYPE_WRITE_ACL are set. Both TYPE_READ_ACL and |
| 49 | * TYPE_WRITE_ACL are automatically set if TYPE_READ_WRITE_ACL is set. |
| 50 | * TYPE_READ_WRITE_ACL is automatically cleared if either TYPE_READ_ACL or |
| 51 | * TYPE_WRITE_ACL is cleared. Both TYPE_READ_ACL and TYPE_WRITE_ACL are |
| 52 | * automatically cleared if TYPE_READ_WRITE_ACL is cleared. |
| 53 | */ |
| 54 | |
| 55 | #define TOMOYO_TYPE_READ_WRITE_ACL 0 |
| 56 | #define TOMOYO_TYPE_EXECUTE_ACL 1 |
| 57 | #define TOMOYO_TYPE_READ_ACL 2 |
| 58 | #define TOMOYO_TYPE_WRITE_ACL 3 |
| 59 | #define TOMOYO_TYPE_CREATE_ACL 4 |
| 60 | #define TOMOYO_TYPE_UNLINK_ACL 5 |
| 61 | #define TOMOYO_TYPE_MKDIR_ACL 6 |
| 62 | #define TOMOYO_TYPE_RMDIR_ACL 7 |
| 63 | #define TOMOYO_TYPE_MKFIFO_ACL 8 |
| 64 | #define TOMOYO_TYPE_MKSOCK_ACL 9 |
| 65 | #define TOMOYO_TYPE_MKBLOCK_ACL 10 |
| 66 | #define TOMOYO_TYPE_MKCHAR_ACL 11 |
| 67 | #define TOMOYO_TYPE_TRUNCATE_ACL 12 |
| 68 | #define TOMOYO_TYPE_SYMLINK_ACL 13 |
| 69 | #define TOMOYO_TYPE_REWRITE_ACL 14 |
| 70 | #define TOMOYO_MAX_SINGLE_PATH_OPERATION 15 |
| 71 | |
| 72 | #define TOMOYO_TYPE_LINK_ACL 0 |
| 73 | #define TOMOYO_TYPE_RENAME_ACL 1 |
| 74 | #define TOMOYO_MAX_DOUBLE_PATH_OPERATION 2 |
| 75 | |
| 76 | #define TOMOYO_DOMAINPOLICY 0 |
| 77 | #define TOMOYO_EXCEPTIONPOLICY 1 |
| 78 | #define TOMOYO_DOMAIN_STATUS 2 |
| 79 | #define TOMOYO_PROCESS_STATUS 3 |
| 80 | #define TOMOYO_MEMINFO 4 |
| 81 | #define TOMOYO_SELFDOMAIN 5 |
| 82 | #define TOMOYO_VERSION 6 |
| 83 | #define TOMOYO_PROFILE 7 |
| 84 | #define TOMOYO_MANAGER 8 |
| 85 | |
| 86 | extern struct tomoyo_domain_info tomoyo_kernel_domain; |
| 87 | |
| 88 | static inline struct tomoyo_domain_info *tomoyo_domain(void) |
| 89 | { |
| 90 | return current_cred()->security; |
| 91 | } |
| 92 | |
| 93 | /* Caller holds tasklist_lock spinlock. */ |
| 94 | static inline struct tomoyo_domain_info *tomoyo_real_domain(struct task_struct |
| 95 | *task) |
| 96 | { |
| 97 | /***** CRITICAL SECTION START *****/ |
| 98 | const struct cred *cred = get_task_cred(task); |
| 99 | struct tomoyo_domain_info *domain = cred->security; |
| 100 | |
| 101 | put_cred(cred); |
| 102 | return domain; |
| 103 | /***** CRITICAL SECTION END *****/ |
| 104 | } |
| 105 | |
| 106 | #endif /* !defined(_SECURITY_TOMOYO_TOMOYO_H) */ |