TOMOYO: Add environment variable name restriction support.
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Sat, 10 Sep 2011 06:22:48 +0000 (15:22 +0900)
committerJames Morris <jmorris@namei.org>
Tue, 13 Sep 2011 22:27:05 +0000 (08:27 +1000)
This patch adds support for checking environment variable's names.
Although TOMOYO already provides ability to check argv[]/envp[] passed to
execve() requests,

  file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"

will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
administrators have to specify like

  file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
  file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL

. Since there are many environment variables whereas conditional checks are
applied as "&&", it is difficult to cover all combinations. Therefore, this
patch supports conditional checks that are applied as "||", by specifying like

  file execute /bin/sh
  misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"

which means "grant execution of /bin/sh if environment variable is not defined
or is defined and its value is /system/lib".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
security/tomoyo/Makefile
security/tomoyo/common.c
security/tomoyo/common.h
security/tomoyo/domain.c
security/tomoyo/environ.c [new file with mode: 0644]
security/tomoyo/gc.c
security/tomoyo/util.c

index 95278b71fc2155ccb4ac603d5b1e93da44d56f59..f7ade960f6cf8c2afc3493965780515fb2299bc1 100644 (file)
@@ -1,4 +1,4 @@
-obj-y = audit.o common.o condition.o domain.o file.o gc.o group.o load_policy.o memory.o mount.o realpath.o securityfs_if.o tomoyo.o util.o
+obj-y = audit.o common.o condition.o domain.o environ.o file.o gc.o group.o load_policy.o memory.o mount.o realpath.o securityfs_if.o tomoyo.o util.o
 
 $(obj)/policy/profile.conf:
        @mkdir -p $(obj)/policy/
index c8439cf2a448869820cc5dbf175c45956d9d7698..d116e1ece3e6b2e88fdad721c1db6c9404fff917 100644 (file)
@@ -20,6 +20,7 @@ const char * const tomoyo_mode[TOMOYO_CONFIG_MAX_MODE] = {
 /* String table for /sys/kernel/security/tomoyo/profile */
 const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
                                       + TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
+       /* CONFIG::file group */
        [TOMOYO_MAC_FILE_EXECUTE]    = "execute",
        [TOMOYO_MAC_FILE_OPEN]       = "open",
        [TOMOYO_MAC_FILE_CREATE]     = "create",
@@ -43,7 +44,11 @@ const char * const tomoyo_mac_keywords[TOMOYO_MAX_MAC_INDEX
        [TOMOYO_MAC_FILE_MOUNT]      = "mount",
        [TOMOYO_MAC_FILE_UMOUNT]     = "unmount",
        [TOMOYO_MAC_FILE_PIVOT_ROOT] = "pivot_root",
+       /* CONFIG::misc group */
+       [TOMOYO_MAC_ENVIRON] = "env",
+       /* CONFIG group */
        [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_FILE] = "file",
+       [TOMOYO_MAX_MAC_INDEX + TOMOYO_MAC_CATEGORY_MISC] = "misc",
 };
 
 /* String table for conditions. */
@@ -133,7 +138,8 @@ const char * const tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
 /* String table for categories. */
 static const char * const tomoyo_category_keywords
 [TOMOYO_MAX_MAC_CATEGORY_INDEX] = {
-       [TOMOYO_MAC_CATEGORY_FILE]       = "file",
+       [TOMOYO_MAC_CATEGORY_FILE] = "file",
+       [TOMOYO_MAC_CATEGORY_MISC] = "misc",
 };
 
 /* Permit policy management by non-root user? */
@@ -1036,11 +1042,13 @@ static int tomoyo_write_domain2(struct tomoyo_policy_namespace *ns,
        static const struct {
                const char *keyword;
                int (*write) (struct tomoyo_acl_param *);
-       } tomoyo_callback[1] = {
+       } tomoyo_callback[2] = {
                { "file ", tomoyo_write_file },
+               { "misc ", tomoyo_write_misc },
        };
        u8 i;
-       for (i = 0; i < 1; i++) {
+
+       for (i = 0; i < ARRAY_SIZE(tomoyo_callback); i++) {
                if (!tomoyo_str_starts(&param.data,
                                       tomoyo_callback[i].keyword))
                        continue;
@@ -1375,6 +1383,12 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
                tomoyo_print_name_union(head, &ptr->dir_name);
                tomoyo_print_name_union(head, &ptr->fs_type);
                tomoyo_print_number_union(head, &ptr->flags);
+       } else if (acl_type == TOMOYO_TYPE_ENV_ACL) {
+               struct tomoyo_env_acl *ptr =
+                       container_of(acl, typeof(*ptr), head);
+
+               tomoyo_set_group(head, "misc env ");
+               tomoyo_set_string(head, ptr->env->name);
        }
        if (acl->cond) {
                head->r.print_cond_part = true;
index f7fbaa66e443dcd95aaa4002eedd49f87ffedde1..63720a328eddce5bfb4889a958c2d93327597160 100644 (file)
@@ -196,6 +196,7 @@ enum tomoyo_acl_entry_type_index {
        TOMOYO_TYPE_PATH_NUMBER_ACL,
        TOMOYO_TYPE_MKDEV_ACL,
        TOMOYO_TYPE_MOUNT_ACL,
+       TOMOYO_TYPE_ENV_ACL,
 };
 
 /* Index numbers for access controls with one pathname. */
@@ -300,12 +301,14 @@ enum tomoyo_mac_index {
        TOMOYO_MAC_FILE_MOUNT,
        TOMOYO_MAC_FILE_UMOUNT,
        TOMOYO_MAC_FILE_PIVOT_ROOT,
+       TOMOYO_MAC_ENVIRON,
        TOMOYO_MAX_MAC_INDEX
 };
 
 /* Index numbers for category of functionality. */
 enum tomoyo_mac_category_index {
        TOMOYO_MAC_CATEGORY_FILE,
+       TOMOYO_MAC_CATEGORY_MISC,
        TOMOYO_MAX_MAC_CATEGORY_INDEX
 };
 
@@ -396,6 +399,9 @@ struct tomoyo_request_info {
                         */
                        u8 operation;
                } path_number;
+               struct {
+                       const struct tomoyo_path_info *name;
+               } environ;
                struct {
                        const struct tomoyo_path_info *type;
                        const struct tomoyo_path_info *dir;
@@ -638,6 +644,12 @@ struct tomoyo_mount_acl {
        struct tomoyo_number_union flags;
 };
 
+/* Structure for "misc env" directive in domain policy. */
+struct tomoyo_env_acl {
+       struct tomoyo_acl_info head;        /* type = TOMOYO_TYPE_ENV_ACL  */
+       const struct tomoyo_path_info *env; /* environment variable */
+};
+
 /* Structure for holding a line from /sys/kernel/security/tomoyo/ interface. */
 struct tomoyo_acl_param {
        char *data;
@@ -820,6 +832,7 @@ const struct tomoyo_path_info *tomoyo_path_matches_group
 int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
                                 struct path *path, const int flag);
 int tomoyo_close_control(struct tomoyo_io_buffer *head);
+int tomoyo_env_perm(struct tomoyo_request_info *r, const char *env);
 int tomoyo_find_next_domain(struct linux_binprm *bprm);
 int tomoyo_get_mode(const struct tomoyo_policy_namespace *ns, const u8 profile,
                    const u8 index);
@@ -860,6 +873,7 @@ int tomoyo_update_policy(struct tomoyo_acl_head *new_entry, const int size,
 int tomoyo_write_aggregator(struct tomoyo_acl_param *param);
 int tomoyo_write_file(struct tomoyo_acl_param *param);
 int tomoyo_write_group(struct tomoyo_acl_param *param, const u8 type);
+int tomoyo_write_misc(struct tomoyo_acl_param *param);
 int tomoyo_write_transition_control(struct tomoyo_acl_param *param,
                                    const u8 type);
 ssize_t tomoyo_read_control(struct tomoyo_io_buffer *head, char __user *buffer,
index cd0f92d88bb43a35c99230c52effb311da0d5213..5931fb1c04d5cd598c491c85bb097c195a7f60c8 100644 (file)
@@ -562,6 +562,92 @@ out:
        return entry;
 }
 
+/**
+ * tomoyo_environ - Check permission for environment variable names.
+ *
+ * @ee: Pointer to "struct tomoyo_execve".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tomoyo_environ(struct tomoyo_execve *ee)
+{
+       struct tomoyo_request_info *r = &ee->r;
+       struct linux_binprm *bprm = ee->bprm;
+       /* env_page.data is allocated by tomoyo_dump_page(). */
+       struct tomoyo_page_dump env_page = { };
+       char *arg_ptr; /* Size is TOMOYO_EXEC_TMPSIZE bytes */
+       int arg_len = 0;
+       unsigned long pos = bprm->p;
+       int offset = pos % PAGE_SIZE;
+       int argv_count = bprm->argc;
+       int envp_count = bprm->envc;
+       int error = -ENOMEM;
+
+       ee->r.type = TOMOYO_MAC_ENVIRON;
+       ee->r.profile = r->domain->profile;
+       ee->r.mode = tomoyo_get_mode(r->domain->ns, ee->r.profile,
+                                    TOMOYO_MAC_ENVIRON);
+       if (!r->mode || !envp_count)
+               return 0;
+       arg_ptr = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS);
+       if (!arg_ptr)
+               goto out;
+       while (error == -ENOMEM) {
+               if (!tomoyo_dump_page(bprm, pos, &env_page))
+                       goto out;
+               pos += PAGE_SIZE - offset;
+               /* Read. */
+               while (argv_count && offset < PAGE_SIZE) {
+                       if (!env_page.data[offset++])
+                               argv_count--;
+               }
+               if (argv_count) {
+                       offset = 0;
+                       continue;
+               }
+               while (offset < PAGE_SIZE) {
+                       const unsigned char c = env_page.data[offset++];
+
+                       if (c && arg_len < TOMOYO_EXEC_TMPSIZE - 10) {
+                               if (c == '=') {
+                                       arg_ptr[arg_len++] = '\0';
+                               } else if (c == '\\') {
+                                       arg_ptr[arg_len++] = '\\';
+                                       arg_ptr[arg_len++] = '\\';
+                               } else if (c > ' ' && c < 127) {
+                                       arg_ptr[arg_len++] = c;
+                               } else {
+                                       arg_ptr[arg_len++] = '\\';
+                                       arg_ptr[arg_len++] = (c >> 6) + '0';
+                                       arg_ptr[arg_len++]
+                                               = ((c >> 3) & 7) + '0';
+                                       arg_ptr[arg_len++] = (c & 7) + '0';
+                               }
+                       } else {
+                               arg_ptr[arg_len] = '\0';
+                       }
+                       if (c)
+                               continue;
+                       if (tomoyo_env_perm(r, arg_ptr)) {
+                               error = -EPERM;
+                               break;
+                       }
+                       if (!--envp_count) {
+                               error = 0;
+                               break;
+                       }
+                       arg_len = 0;
+               }
+               offset = 0;
+       }
+out:
+       if (r->mode != TOMOYO_CONFIG_ENFORCING)
+               error = 0;
+       kfree(env_page.data);
+       kfree(arg_ptr);
+       return error;
+}
+
 /**
  * tomoyo_find_next_domain - Find a domain.
  *
@@ -581,6 +667,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
        bool reject_on_transition_failure = false;
        struct tomoyo_path_info rn = { }; /* real name */
        struct tomoyo_execve *ee = kzalloc(sizeof(*ee), GFP_NOFS);
+
        if (!ee)
                return -ENOMEM;
        ee->tmp = kzalloc(TOMOYO_EXEC_TMPSIZE, GFP_NOFS);
@@ -713,6 +800,10 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
        bprm->cred->security = domain;
        if (need_kfree)
                kfree(rn.name);
+       if (!retval) {
+               ee->r.domain = domain;
+               retval = tomoyo_environ(ee);
+       }
        kfree(ee->tmp);
        kfree(ee->dump.data);
        kfree(ee);
@@ -732,7 +823,8 @@ bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
                      struct tomoyo_page_dump *dump)
 {
        struct page *page;
-       /* dump->data is released by tomoyo_finish_execve(). */
+
+       /* dump->data is released by tomoyo_find_next_domain(). */
        if (!dump->data) {
                dump->data = kzalloc(PAGE_SIZE, GFP_NOFS);
                if (!dump->data)
@@ -753,6 +845,7 @@ bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
                 * So do I.
                 */
                char *kaddr = kmap_atomic(page, KM_USER0);
+
                dump->page = page;
                memcpy(dump->data + offset, kaddr + offset,
                       PAGE_SIZE - offset);
diff --git a/security/tomoyo/environ.c b/security/tomoyo/environ.c
new file mode 100644 (file)
index 0000000..ad4c6e1
--- /dev/null
@@ -0,0 +1,122 @@
+/*
+ * security/tomoyo/environ.c
+ *
+ * Copyright (C) 2005-2011  NTT DATA CORPORATION
+ */
+
+#include "common.h"
+
+/**
+ * tomoyo_check_env_acl - Check permission for environment variable's name.
+ *
+ * @r:   Pointer to "struct tomoyo_request_info".
+ * @ptr: Pointer to "struct tomoyo_acl_info".
+ *
+ * Returns true if granted, false otherwise.
+ */
+static bool tomoyo_check_env_acl(struct tomoyo_request_info *r,
+                                const struct tomoyo_acl_info *ptr)
+{
+       const struct tomoyo_env_acl *acl =
+               container_of(ptr, typeof(*acl), head);
+
+       return tomoyo_path_matches_pattern(r->param.environ.name, acl->env);
+}
+
+/**
+ * tomoyo_audit_env_log - Audit environment variable name log.
+ *
+ * @r: Pointer to "struct tomoyo_request_info".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+static int tomoyo_audit_env_log(struct tomoyo_request_info *r)
+{
+       return tomoyo_supervisor(r, "misc env %s\n",
+                                r->param.environ.name->name);
+}
+
+/**
+ * tomoyo_env_perm - Check permission for environment variable's name.
+ *
+ * @r:   Pointer to "struct tomoyo_request_info".
+ * @env: The name of environment variable.
+ *
+ * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
+ */
+int tomoyo_env_perm(struct tomoyo_request_info *r, const char *env)
+{
+       struct tomoyo_path_info environ;
+       int error;
+
+       if (!env || !*env)
+               return 0;
+       environ.name = env;
+       tomoyo_fill_path_info(&environ);
+       r->param_type = TOMOYO_TYPE_ENV_ACL;
+       r->param.environ.name = &environ;
+       do {
+               tomoyo_check_acl(r, tomoyo_check_env_acl);
+               error = tomoyo_audit_env_log(r);
+       } while (error == TOMOYO_RETRY_REQUEST);
+       return error;
+}
+
+/**
+ * tomoyo_same_env_acl - Check for duplicated "struct tomoyo_env_acl" entry.
+ *
+ * @a: Pointer to "struct tomoyo_acl_info".
+ * @b: Pointer to "struct tomoyo_acl_info".
+ *
+ * Returns true if @a == @b, false otherwise.
+ */
+static bool tomoyo_same_env_acl(const struct tomoyo_acl_info *a,
+                               const struct tomoyo_acl_info *b)
+{
+       const struct tomoyo_env_acl *p1 = container_of(a, typeof(*p1), head);
+       const struct tomoyo_env_acl *p2 = container_of(b, typeof(*p2), head);
+
+       return p1->env == p2->env;
+}
+
+/**
+ * tomoyo_write_env - Write "struct tomoyo_env_acl" list.
+ *
+ * @param: Pointer to "struct tomoyo_acl_param".
+ *
+ * Returns 0 on success, negative value otherwise.
+ *
+ * Caller holds tomoyo_read_lock().
+ */
+static int tomoyo_write_env(struct tomoyo_acl_param *param)
+{
+       struct tomoyo_env_acl e = { .head.type = TOMOYO_TYPE_ENV_ACL };
+       int error = -ENOMEM;
+       const char *data = tomoyo_read_token(param);
+
+       if (!tomoyo_correct_word(data) || strchr(data, '='))
+               return -EINVAL;
+       e.env = tomoyo_get_name(data);
+       if (!e.env)
+               return error;
+       error = tomoyo_update_domain(&e.head, sizeof(e), param,
+                                 tomoyo_same_env_acl, NULL);
+       tomoyo_put_name(e.env);
+       return error;
+}
+
+/**
+ * tomoyo_write_misc - Update environment variable list.
+ *
+ * @param: Pointer to "struct tomoyo_acl_param".
+ *
+ * Returns 0 on success, negative value otherwise.
+ */
+int tomoyo_write_misc(struct tomoyo_acl_param *param)
+{
+       if (tomoyo_str_starts(&param->data, "env "))
+               return tomoyo_write_env(param);
+       return -EINVAL;
+}
index 5295b5caaa21f54435c4f4b05ef2248651e4d8b9..818b07998111d748e7e5e6844703b016bb0cf1f6 100644 (file)
@@ -36,6 +36,7 @@ static const u8 tomoyo_acl_size[] = {
        [TOMOYO_TYPE_PATH_NUMBER_ACL] = sizeof(struct tomoyo_path_number_acl),
        [TOMOYO_TYPE_MKDEV_ACL] = sizeof(struct tomoyo_mkdev_acl),
        [TOMOYO_TYPE_MOUNT_ACL] = sizeof(struct tomoyo_mount_acl),
+       [TOMOYO_TYPE_ENV_ACL] = sizeof(struct tomoyo_env_acl),
 };
 
 /**
@@ -293,6 +294,14 @@ static void tomoyo_del_acl(struct list_head *element)
                        tomoyo_put_number_union(&entry->flags);
                }
                break;
+       case TOMOYO_TYPE_ENV_ACL:
+               {
+                       struct tomoyo_env_acl *entry =
+                               container_of(acl, typeof(*entry), head);
+
+                       tomoyo_put_name(entry->env);
+               }
+               break;
        }
 }
 
index 6a4195a4b93c45a8a4715b737a0c2ad87d3e55f8..cb7d507b6312a55b822beb99594b253d54a1443a 100644 (file)
@@ -42,6 +42,8 @@ const u8 tomoyo_index2category[TOMOYO_MAX_MAC_INDEX] = {
        [TOMOYO_MAC_FILE_MOUNT]      = TOMOYO_MAC_CATEGORY_FILE,
        [TOMOYO_MAC_FILE_UMOUNT]     = TOMOYO_MAC_CATEGORY_FILE,
        [TOMOYO_MAC_FILE_PIVOT_ROOT] = TOMOYO_MAC_CATEGORY_FILE,
+       /* CONFIG::misc group */
+       [TOMOYO_MAC_ENVIRON]         = TOMOYO_MAC_CATEGORY_MISC,
 };
 
 /**
@@ -920,15 +922,17 @@ int tomoyo_get_mode(const struct tomoyo_policy_namespace *ns, const u8 profile,
                    const u8 index)
 {
        u8 mode;
-       const u8 category = TOMOYO_MAC_CATEGORY_FILE;
+       struct tomoyo_profile *p;
+
        if (!tomoyo_policy_loaded)
                return TOMOYO_CONFIG_DISABLED;
-       mode = tomoyo_profile(ns, profile)->config[index];
+       p = tomoyo_profile(ns, profile);
+       mode = p->config[index];
        if (mode == TOMOYO_CONFIG_USE_DEFAULT)
-               mode = tomoyo_profile(ns, profile)->config
-                       [category + TOMOYO_MAX_MAC_INDEX];
+               mode = p->config[tomoyo_index2category[index]
+                                + TOMOYO_MAX_MAC_INDEX];
        if (mode == TOMOYO_CONFIG_USE_DEFAULT)
-               mode = tomoyo_profile(ns, profile)->default_config;
+               mode = p->default_config;
        return mode & 3;
 }