Memory and pathname management functions.
TOMOYO Linux performs pathname based access control.
To remove factors that make pathname based access control difficult
(e.g. symbolic links, "..", "//" etc.), TOMOYO Linux derives realpath
of requested pathname from "struct dentry" and "struct vfsmount".
The maximum length of string data is limited to 4000 including trailing '\0'.
Since TOMOYO Linux uses '\ooo' style representation for non ASCII printable
characters, maybe TOMOYO Linux should be able to support 16336 (which means
(NAME_MAX * (PATH_MAX / (NAME_MAX + 1)) * 4 + (PATH_MAX / (NAME_MAX + 1)))
including trailing '\0'), but I think 4000 is enough for practical use.
TOMOYO uses only 0x21 - 0x7E (as printable characters) and 0x20 (as word
delimiter) and 0x0A (as line delimiter).
0x01 - 0x20 and 0x80 - 0xFF is handled in \ooo style representation.
The reason to use \ooo is to guarantee that "%s" won't damage logs.
Userland program can request
open("/tmp/file granted.\nAccess /tmp/file ", O_WRONLY | O_CREAT, 0600)
and logging such crazy pathname using "Access %s denied.\n" format will cause
"fabrication of logs" like
Access /tmp/file granted.
Access /tmp/file denied.
TOMOYO converts such characters to \ooo so that the logs will become
Access /tmp/file\040granted.\012Access\040/tmp/file denied.
and the administrator can read the logs safely using /bin/cat .
Likewise, a crazy request like
open("/tmp/\x01\x02\x03\x04\x05\x06\x07\x08\x09", O_WRONLY | O_CREAT, 0600)
will be processed safely by converting to
Access /tmp/\001\002\003\004\005\006\007\010\011 denied.
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-02-05 08:18:12 +00:00
|
|
|
/*
|
|
|
|
|
* security/tomoyo/realpath.h
|
|
|
|
|
*
|
|
|
|
|
* Get the canonicalized absolute pathnames. The basis for TOMOYO.
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2005-2009 NTT DATA CORPORATION
|
|
|
|
|
*
|
2009-04-08 13:31:28 +00:00
|
|
|
* Version: 2.2.0 2009/04/01
|
Memory and pathname management functions.
TOMOYO Linux performs pathname based access control.
To remove factors that make pathname based access control difficult
(e.g. symbolic links, "..", "//" etc.), TOMOYO Linux derives realpath
of requested pathname from "struct dentry" and "struct vfsmount".
The maximum length of string data is limited to 4000 including trailing '\0'.
Since TOMOYO Linux uses '\ooo' style representation for non ASCII printable
characters, maybe TOMOYO Linux should be able to support 16336 (which means
(NAME_MAX * (PATH_MAX / (NAME_MAX + 1)) * 4 + (PATH_MAX / (NAME_MAX + 1)))
including trailing '\0'), but I think 4000 is enough for practical use.
TOMOYO uses only 0x21 - 0x7E (as printable characters) and 0x20 (as word
delimiter) and 0x0A (as line delimiter).
0x01 - 0x20 and 0x80 - 0xFF is handled in \ooo style representation.
The reason to use \ooo is to guarantee that "%s" won't damage logs.
Userland program can request
open("/tmp/file granted.\nAccess /tmp/file ", O_WRONLY | O_CREAT, 0600)
and logging such crazy pathname using "Access %s denied.\n" format will cause
"fabrication of logs" like
Access /tmp/file granted.
Access /tmp/file denied.
TOMOYO converts such characters to \ooo so that the logs will become
Access /tmp/file\040granted.\012Access\040/tmp/file denied.
and the administrator can read the logs safely using /bin/cat .
Likewise, a crazy request like
open("/tmp/\x01\x02\x03\x04\x05\x06\x07\x08\x09", O_WRONLY | O_CREAT, 0600)
will be processed safely by converting to
Access /tmp/\001\002\003\004\005\006\007\010\011 denied.
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-02-05 08:18:12 +00:00
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef _SECURITY_TOMOYO_REALPATH_H
|
|
|
|
|
#define _SECURITY_TOMOYO_REALPATH_H
|
|
|
|
|
|
|
|
|
|
struct path;
|
|
|
|
|
struct tomoyo_path_info;
|
|
|
|
|
struct tomoyo_io_buffer;
|
|
|
|
|
|
|
|
|
|
/* Convert binary string to ascii string. */
|
|
|
|
|
int tomoyo_encode(char *buffer, int buflen, const char *str);
|
|
|
|
|
|
|
|
|
|
/* Returns realpath(3) of the given pathname but ignores chroot'ed root. */
|
|
|
|
|
int tomoyo_realpath_from_path2(struct path *path, char *newname,
|
|
|
|
|
int newname_len);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Returns realpath(3) of the given pathname but ignores chroot'ed root.
|
|
|
|
|
* These functions use tomoyo_alloc(), so the caller must call tomoyo_free()
|
|
|
|
|
* if these functions didn't return NULL.
|
|
|
|
|
*/
|
|
|
|
|
char *tomoyo_realpath(const char *pathname);
|
|
|
|
|
/*
|
|
|
|
|
* Same with tomoyo_realpath() except that it doesn't follow the final symlink.
|
|
|
|
|
*/
|
|
|
|
|
char *tomoyo_realpath_nofollow(const char *pathname);
|
|
|
|
|
/* Same with tomoyo_realpath() except that the pathname is already solved. */
|
|
|
|
|
char *tomoyo_realpath_from_path(struct path *path);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Allocate memory for ACL entry.
|
|
|
|
|
* The RAM is chunked, so NEVER try to kfree() the returned pointer.
|
|
|
|
|
*/
|
|
|
|
|
void *tomoyo_alloc_element(const unsigned int size);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Keep the given name on the RAM.
|
|
|
|
|
* The RAM is shared, so NEVER try to modify or kfree() the returned name.
|
|
|
|
|
*/
|
|
|
|
|
const struct tomoyo_path_info *tomoyo_save_name(const char *name);
|
|
|
|
|
|
|
|
|
|
/* Allocate memory for temporary use (e.g. permission checks). */
|
|
|
|
|
void *tomoyo_alloc(const size_t size);
|
|
|
|
|
|
|
|
|
|
/* Free memory allocated by tomoyo_alloc(). */
|
|
|
|
|
void tomoyo_free(const void *p);
|
|
|
|
|
|
|
|
|
|
/* Check for memory usage. */
|
|
|
|
|
int tomoyo_read_memory_counter(struct tomoyo_io_buffer *head);
|
|
|
|
|
|
|
|
|
|
/* Set memory quota. */
|
|
|
|
|
int tomoyo_write_memory_quota(struct tomoyo_io_buffer *head);
|
|
|
|
|
|
2009-02-21 11:40:50 +00:00
|
|
|
/* Initialize realpath related code. */
|
|
|
|
|
void __init tomoyo_realpath_init(void);
|
|
|
|
|
|
Memory and pathname management functions.
TOMOYO Linux performs pathname based access control.
To remove factors that make pathname based access control difficult
(e.g. symbolic links, "..", "//" etc.), TOMOYO Linux derives realpath
of requested pathname from "struct dentry" and "struct vfsmount".
The maximum length of string data is limited to 4000 including trailing '\0'.
Since TOMOYO Linux uses '\ooo' style representation for non ASCII printable
characters, maybe TOMOYO Linux should be able to support 16336 (which means
(NAME_MAX * (PATH_MAX / (NAME_MAX + 1)) * 4 + (PATH_MAX / (NAME_MAX + 1)))
including trailing '\0'), but I think 4000 is enough for practical use.
TOMOYO uses only 0x21 - 0x7E (as printable characters) and 0x20 (as word
delimiter) and 0x0A (as line delimiter).
0x01 - 0x20 and 0x80 - 0xFF is handled in \ooo style representation.
The reason to use \ooo is to guarantee that "%s" won't damage logs.
Userland program can request
open("/tmp/file granted.\nAccess /tmp/file ", O_WRONLY | O_CREAT, 0600)
and logging such crazy pathname using "Access %s denied.\n" format will cause
"fabrication of logs" like
Access /tmp/file granted.
Access /tmp/file denied.
TOMOYO converts such characters to \ooo so that the logs will become
Access /tmp/file\040granted.\012Access\040/tmp/file denied.
and the administrator can read the logs safely using /bin/cat .
Likewise, a crazy request like
open("/tmp/\x01\x02\x03\x04\x05\x06\x07\x08\x09", O_WRONLY | O_CREAT, 0600)
will be processed safely by converting to
Access /tmp/\001\002\003\004\005\006\007\010\011 denied.
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-02-05 08:18:12 +00:00
|
|
|
#endif /* !defined(_SECURITY_TOMOYO_REALPATH_H) */
|