tomoyo: preparation step for building as a loadable LSM module

In order to allow Makefile to generate tomoyo.ko as output, rename
tomoyo.c to hooks.h and cut out LSM hook registration part that will be
built into vmlinux from hooks.h to init.c . Also, update comments and
relocate some variables. No behavior changes.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
This commit is contained in:
Tetsuo Handa 2024-09-23 19:00:21 +09:00
parent de5cb0dcb7
commit 268225a1de
6 changed files with 112 additions and 116 deletions

View File

@ -1,5 +1,5 @@
# SPDX-License-Identifier: GPL-2.0 # SPDX-License-Identifier: GPL-2.0
obj-y = audit.o common.o condition.o domain.o environ.o file.o gc.o group.o load_policy.o memory.o mount.o network.o realpath.o securityfs_if.o tomoyo.o util.o obj-y = audit.o common.o condition.o domain.o environ.o file.o gc.o group.o init.o load_policy.o memory.o mount.o network.o realpath.o securityfs_if.o util.o
targets += builtin-policy.h targets += builtin-policy.h

View File

@ -9,6 +9,9 @@
#include <linux/kthread.h> #include <linux/kthread.h>
#include <linux/slab.h> #include <linux/slab.h>
/* Lock for GC. */
DEFINE_SRCU(tomoyo_ss);
/** /**
* tomoyo_memory_free - Free memory for elements. * tomoyo_memory_free - Free memory for elements.
* *

View File

@ -1,12 +1,10 @@
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
/* /*
* security/tomoyo/tomoyo.c * security/tomoyo/hooks.h
* *
* Copyright (C) 2005-2011 NTT DATA CORPORATION * Copyright (C) 2005-2011 NTT DATA CORPORATION
*/ */
#include <linux/lsm_hooks.h>
#include <uapi/linux/lsm.h>
#include "common.h" #include "common.h"
/** /**
@ -18,10 +16,6 @@ struct tomoyo_domain_info *tomoyo_domain(void)
{ {
struct tomoyo_task *s = tomoyo_task(current); struct tomoyo_task *s = tomoyo_task(current);
if (s->old_domain_info && !current->in_execve) {
atomic_dec(&s->old_domain_info->users);
s->old_domain_info = NULL;
}
return s->domain_info; return s->domain_info;
} }
@ -62,26 +56,6 @@ static void tomoyo_bprm_committed_creds(const struct linux_binprm *bprm)
s->old_domain_info = NULL; s->old_domain_info = NULL;
} }
#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
/**
* tomoyo_bprm_creds_for_exec - Target for security_bprm_creds_for_exec().
*
* @bprm: Pointer to "struct linux_binprm".
*
* Returns 0.
*/
static int tomoyo_bprm_creds_for_exec(struct linux_binprm *bprm)
{
/*
* Load policy if /sbin/tomoyo-init exists and /sbin/init is requested
* for the first time.
*/
if (!tomoyo_policy_loaded)
tomoyo_load_policy(bprm->filename);
return 0;
}
#endif
/** /**
* tomoyo_bprm_check_security - Target for security_bprm_check(). * tomoyo_bprm_check_security - Target for security_bprm_check().
* *
@ -501,10 +475,6 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
return tomoyo_socket_sendmsg_permission(sock, msg, size); return tomoyo_socket_sendmsg_permission(sock, msg, size);
} }
struct lsm_blob_sizes tomoyo_blob_sizes __ro_after_init = {
.lbs_task = sizeof(struct tomoyo_task),
};
/** /**
* tomoyo_task_alloc - Target for security_task_alloc(). * tomoyo_task_alloc - Target for security_task_alloc().
* *
@ -543,81 +513,3 @@ static void tomoyo_task_free(struct task_struct *task)
s->old_domain_info = NULL; s->old_domain_info = NULL;
} }
} }
static const struct lsm_id tomoyo_lsmid = {
.name = "tomoyo",
.id = LSM_ID_TOMOYO,
};
/*
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
*/
static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare),
LSM_HOOK_INIT(bprm_committed_creds, tomoyo_bprm_committed_creds),
LSM_HOOK_INIT(task_alloc, tomoyo_task_alloc),
LSM_HOOK_INIT(task_free, tomoyo_task_free),
#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
LSM_HOOK_INIT(bprm_creds_for_exec, tomoyo_bprm_creds_for_exec),
#endif
LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security),
LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl),
LSM_HOOK_INIT(file_open, tomoyo_file_open),
LSM_HOOK_INIT(file_truncate, tomoyo_file_truncate),
LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate),
LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink),
LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir),
LSM_HOOK_INIT(path_rmdir, tomoyo_path_rmdir),
LSM_HOOK_INIT(path_symlink, tomoyo_path_symlink),
LSM_HOOK_INIT(path_mknod, tomoyo_path_mknod),
LSM_HOOK_INIT(path_link, tomoyo_path_link),
LSM_HOOK_INIT(path_rename, tomoyo_path_rename),
LSM_HOOK_INIT(inode_getattr, tomoyo_inode_getattr),
LSM_HOOK_INIT(file_ioctl, tomoyo_file_ioctl),
LSM_HOOK_INIT(file_ioctl_compat, tomoyo_file_ioctl),
LSM_HOOK_INIT(path_chmod, tomoyo_path_chmod),
LSM_HOOK_INIT(path_chown, tomoyo_path_chown),
LSM_HOOK_INIT(path_chroot, tomoyo_path_chroot),
LSM_HOOK_INIT(sb_mount, tomoyo_sb_mount),
LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount),
LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot),
LSM_HOOK_INIT(socket_bind, tomoyo_socket_bind),
LSM_HOOK_INIT(socket_connect, tomoyo_socket_connect),
LSM_HOOK_INIT(socket_listen, tomoyo_socket_listen),
LSM_HOOK_INIT(socket_sendmsg, tomoyo_socket_sendmsg),
};
/* Lock for GC. */
DEFINE_SRCU(tomoyo_ss);
int tomoyo_enabled __ro_after_init = 1;
/**
* tomoyo_init - Register TOMOYO Linux as a LSM module.
*
* Returns 0.
*/
static int __init tomoyo_init(void)
{
struct tomoyo_task *s = tomoyo_task(current);
/* register ourselves with the security framework */
security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks),
&tomoyo_lsmid);
pr_info("TOMOYO Linux initialized\n");
s->domain_info = &tomoyo_kernel_domain;
atomic_inc(&tomoyo_kernel_domain.users);
s->old_domain_info = NULL;
tomoyo_mm_init();
return 0;
}
DEFINE_LSM(tomoyo) = {
.name = "tomoyo",
.enabled = &tomoyo_enabled,
.flags = LSM_FLAG_LEGACY_MAJOR,
.blobs = &tomoyo_blob_sizes,
.init = tomoyo_init,
};

104
security/tomoyo/init.c Normal file
View File

@ -0,0 +1,104 @@
// SPDX-License-Identifier: GPL-2.0
/*
* security/tomoyo/init.c
*
* Copyright (C) 2005-2011 NTT DATA CORPORATION
*/
#include <linux/lsm_hooks.h>
#include <uapi/linux/lsm.h>
#include "common.h"
#include "hooks.h"
#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
static int tomoyo_bprm_creds_for_exec(struct linux_binprm *bprm)
{
/*
* Load policy if /sbin/tomoyo-init exists and /sbin/init is requested
* for the first time.
*/
if (!tomoyo_policy_loaded)
tomoyo_load_policy(bprm->filename);
return 0;
}
#endif
struct lsm_blob_sizes tomoyo_blob_sizes __ro_after_init = {
.lbs_task = sizeof(struct tomoyo_task),
};
static const struct lsm_id tomoyo_lsmid = {
.name = "tomoyo",
.id = LSM_ID_TOMOYO,
};
/* tomoyo_hooks is used for registering TOMOYO. */
static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare),
LSM_HOOK_INIT(bprm_committed_creds, tomoyo_bprm_committed_creds),
LSM_HOOK_INIT(task_alloc, tomoyo_task_alloc),
LSM_HOOK_INIT(task_free, tomoyo_task_free),
#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
LSM_HOOK_INIT(bprm_creds_for_exec, tomoyo_bprm_creds_for_exec),
#endif
LSM_HOOK_INIT(bprm_check_security, tomoyo_bprm_check_security),
LSM_HOOK_INIT(file_fcntl, tomoyo_file_fcntl),
LSM_HOOK_INIT(file_open, tomoyo_file_open),
LSM_HOOK_INIT(file_truncate, tomoyo_file_truncate),
LSM_HOOK_INIT(path_truncate, tomoyo_path_truncate),
LSM_HOOK_INIT(path_unlink, tomoyo_path_unlink),
LSM_HOOK_INIT(path_mkdir, tomoyo_path_mkdir),
LSM_HOOK_INIT(path_rmdir, tomoyo_path_rmdir),
LSM_HOOK_INIT(path_symlink, tomoyo_path_symlink),
LSM_HOOK_INIT(path_mknod, tomoyo_path_mknod),
LSM_HOOK_INIT(path_link, tomoyo_path_link),
LSM_HOOK_INIT(path_rename, tomoyo_path_rename),
LSM_HOOK_INIT(inode_getattr, tomoyo_inode_getattr),
LSM_HOOK_INIT(file_ioctl, tomoyo_file_ioctl),
LSM_HOOK_INIT(file_ioctl_compat, tomoyo_file_ioctl),
LSM_HOOK_INIT(path_chmod, tomoyo_path_chmod),
LSM_HOOK_INIT(path_chown, tomoyo_path_chown),
LSM_HOOK_INIT(path_chroot, tomoyo_path_chroot),
LSM_HOOK_INIT(sb_mount, tomoyo_sb_mount),
LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount),
LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot),
LSM_HOOK_INIT(socket_bind, tomoyo_socket_bind),
LSM_HOOK_INIT(socket_connect, tomoyo_socket_connect),
LSM_HOOK_INIT(socket_listen, tomoyo_socket_listen),
LSM_HOOK_INIT(socket_sendmsg, tomoyo_socket_sendmsg),
};
int tomoyo_enabled __ro_after_init = 1;
/* Has /sbin/init started? */
bool tomoyo_policy_loaded;
/**
* tomoyo_init - Register TOMOYO Linux as a LSM module.
*
* Returns 0.
*/
static int __init tomoyo_init(void)
{
struct tomoyo_task *s = tomoyo_task(current);
/* register ourselves with the security framework */
security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks),
&tomoyo_lsmid);
pr_info("TOMOYO Linux initialized\n");
s->domain_info = &tomoyo_kernel_domain;
atomic_inc(&tomoyo_kernel_domain.users);
s->old_domain_info = NULL;
tomoyo_mm_init();
return 0;
}
DEFINE_LSM(tomoyo) = {
.name = "tomoyo",
.enabled = &tomoyo_enabled,
.flags = LSM_FLAG_LEGACY_MAJOR,
.blobs = &tomoyo_blob_sizes,
.init = tomoyo_init,
};

View File

@ -229,11 +229,11 @@ static void __init tomoyo_create_entry(const char *name, const umode_t mode,
} }
/** /**
* tomoyo_initerface_init - Initialize /sys/kernel/security/tomoyo/ interface. * tomoyo_interface_init - Initialize /sys/kernel/security/tomoyo/ interface.
* *
* Returns 0. * Returns 0.
*/ */
static int __init tomoyo_initerface_init(void) static int __init tomoyo_interface_init(void)
{ {
struct tomoyo_domain_info *domain; struct tomoyo_domain_info *domain;
struct dentry *tomoyo_dir; struct dentry *tomoyo_dir;
@ -270,4 +270,4 @@ static int __init tomoyo_initerface_init(void)
return 0; return 0;
} }
fs_initcall(tomoyo_initerface_init); fs_initcall(tomoyo_interface_init);

View File

@ -13,9 +13,6 @@
/* Lock for protecting policy. */ /* Lock for protecting policy. */
DEFINE_MUTEX(tomoyo_policy_lock); DEFINE_MUTEX(tomoyo_policy_lock);
/* Has /sbin/init started? */
bool tomoyo_policy_loaded;
/* /*
* Mapping table from "enum tomoyo_mac_index" to * Mapping table from "enum tomoyo_mac_index" to
* "enum tomoyo_mac_category_index". * "enum tomoyo_mac_category_index".