TOMOYO: Add mount restriction.

mount(2) has three string and one numeric parameters.
Split mount restriction code from security/tomoyo/file.c .
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

security/tomoyo/Makefile

-obj-y = common.o realpath.o tomoyo.o domain.o file.o gc.o path_group.o number_group.o
+obj-y = common.o realpath.o tomoyo.o domain.o file.o gc.o path_group.o number_group.o mount.o

security/tomoyo/common.c

@@ -1075,6 +1075,10 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r)
 				if (perm & (1 << i))
 					count++;
 			break;
+		case TOMOYO_TYPE_MOUNT_ACL:
+			if (!container_of(ptr, struct tomoyo_mount_acl, head)->
+			    is_deleted)
+				count++;
 		}
 	}
 	if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
@@ -1576,6 +1580,8 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
 		domain->ignore_global_allow_read = !is_delete;
 		return 0;
 	}
+        if (tomoyo_str_starts(&data, TOMOYO_KEYWORD_ALLOW_MOUNT))
+                return tomoyo_write_mount_policy(data, domain, is_delete);
 	return tomoyo_write_file_policy(data, domain, is_delete);
 }
 
@@ -1720,6 +1726,30 @@ static bool tomoyo_print_path_number3_acl(struct tomoyo_io_buffer *head,
 	return false;
 }
 
+/**
+ * tomoyo_print_mount_acl - Print a mount ACL entry.
+ *
+ * @head: Pointer to "struct tomoyo_io_buffer".
+ * @ptr:  Pointer to "struct tomoyo_mount_acl".
+ *
+ * Returns true on success, false otherwise.
+ */
+static bool tomoyo_print_mount_acl(struct tomoyo_io_buffer *head,
+				   struct tomoyo_mount_acl *ptr)
+{
+	const int pos = head->read_avail;
+	if (!tomoyo_io_printf(head, TOMOYO_KEYWORD_ALLOW_MOUNT) ||
+	    !tomoyo_print_name_union(head, &ptr->dev_name) ||
+	    !tomoyo_print_name_union(head, &ptr->dir_name) ||
+	    !tomoyo_print_name_union(head, &ptr->fs_type) ||
+	    !tomoyo_print_number_union(head, &ptr->flags) ||
+	    !tomoyo_io_printf(head, "\n")) {
+		head->read_avail = pos;
+		return false;
+	}
+	return true;
+}
+
 /**
  * tomoyo_print_entry - Print an ACL entry.
  *
@@ -1755,6 +1785,11 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
 				       head);
 		return tomoyo_print_path_number3_acl(head, acl);
 	}
+	if (acl_type == TOMOYO_TYPE_MOUNT_ACL) {
+		struct tomoyo_mount_acl *acl
+			= container_of(ptr, struct tomoyo_mount_acl, head);
+		return tomoyo_print_mount_acl(head, acl);
+	}
 	BUG(); /* This must not happen. */
 	return false;
 }

security/tomoyo/common.h

@@ -53,6 +53,7 @@ enum tomoyo_mode_index {
 
 /* Keywords for ACLs. */
 #define TOMOYO_KEYWORD_ALIAS                     "alias "
+#define TOMOYO_KEYWORD_ALLOW_MOUNT               "allow_mount "
 #define TOMOYO_KEYWORD_ALLOW_READ                "allow_read "
 #define TOMOYO_KEYWORD_DELETE                    "delete "
 #define TOMOYO_KEYWORD_DENY_REWRITE              "deny_rewrite "
@@ -90,6 +91,7 @@ enum tomoyo_acl_entry_type_index {
 	TOMOYO_TYPE_PATH2_ACL,
 	TOMOYO_TYPE_PATH_NUMBER_ACL,
 	TOMOYO_TYPE_PATH_NUMBER3_ACL,
+	TOMOYO_TYPE_MOUNT_ACL,
 };
 
 /* Index numbers for File Controls. */
@@ -116,7 +118,6 @@ enum tomoyo_path_acl_index {
 	TOMOYO_TYPE_SYMLINK,
 	TOMOYO_TYPE_REWRITE,
 	TOMOYO_TYPE_CHROOT,
-	TOMOYO_TYPE_MOUNT,
 	TOMOYO_TYPE_UMOUNT,
 	TOMOYO_MAX_PATH_OPERATION
 };
@@ -360,8 +361,8 @@ struct tomoyo_domain_info {
  *
  * Directives held by this structure are "allow_read/write", "allow_execute",
  * "allow_read", "allow_write", "allow_unlink", "allow_rmdir",
- * "allow_truncate", "allow_symlink", "allow_rewrite", "allow_chroot",
- * "allow_mount" and "allow_unmount".
+ * "allow_truncate", "allow_symlink", "allow_rewrite", "allow_chroot" and
+ * "allow_unmount".
  */
 struct tomoyo_path_acl {
 	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_PATH_ACL */
@@ -434,6 +435,29 @@ struct tomoyo_path2_acl {
 	struct tomoyo_name_union name2;
 };
 
+/*
+ * tomoyo_mount_acl is a structure which is used for holding an
+ * entry for mount operation.
+ * It has following fields.
+ *
+ *  (1) "head" which is a "struct tomoyo_acl_info".
+ *  (2) "is_deleted" is boolean.
+ *  (3) "dev_name" is the device name.
+ *  (4) "dir_name" is the mount point.
+ *  (5) "flags" is the mount flags.
+ *
+ * Directives held by this structure are "allow_rename", "allow_link" and
+ * "allow_pivot_root".
+ */
+struct tomoyo_mount_acl {
+	struct tomoyo_acl_info head; /* type = TOMOYO_TYPE_MOUNT_ACL */
+	bool is_deleted;
+	struct tomoyo_name_union dev_name;
+	struct tomoyo_name_union dir_name;
+	struct tomoyo_name_union fs_type;
+	struct tomoyo_number_union flags;
+};
+
 /*
  * tomoyo_io_buffer is a structure which is used for reading and modifying
  * configuration via /sys/kernel/security/tomoyo/ interface.
@@ -638,6 +662,9 @@ struct tomoyo_policy_manager_entry {
 /* Check whether the given name matches the given name_union. */
 bool tomoyo_compare_name_union(const struct tomoyo_path_info *name,
 			       const struct tomoyo_name_union *ptr);
+/* Check whether the given number matches the given number_union. */
+bool tomoyo_compare_number_union(const unsigned long value,
+				 const struct tomoyo_number_union *ptr);
 /* Check whether the domain has too many ACL entries to hold. */
 bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r);
 /* Transactional sprintf() for policy dump. */
@@ -699,6 +726,12 @@ const char *tomoyo_path_number32keyword(const u8 operation);
 const char *tomoyo_get_last_name(const struct tomoyo_domain_info *domain);
 /* Convert single path operation to operation name. */
 const char *tomoyo_path2keyword(const u8 operation);
+/* Fill "struct tomoyo_request_info". */
+int tomoyo_init_request_info(struct tomoyo_request_info *r,
+			     struct tomoyo_domain_info *domain);
+/* Check permission for mount operation. */
+int tomoyo_mount_permission(char *dev_name, struct path *path, char *type,
+			    unsigned long flags, void *data_page);
 /* Create "alias" entry in exception policy. */
 int tomoyo_write_alias_policy(char *data, const bool is_delete);
 /*
@@ -721,6 +754,9 @@ int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
 			     const bool is_delete);
 /* Create "allow_read" entry in exception policy. */
 int tomoyo_write_globally_readable_policy(char *data, const bool is_delete);
+/* Create "allow_mount" entry in domain policy. */
+int tomoyo_write_mount_policy(char *data, struct tomoyo_domain_info *domain,
+			      const bool is_delete);
 /* Create "deny_rewrite" entry in exception policy. */
 int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete);
 /* Create "file_pattern" entry in exception policy. */
@@ -735,7 +771,9 @@ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname);
 struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
 							    domainname,
 							    const u8 profile);
-
+/* Get patterned pathname. */
+const struct tomoyo_path_info *
+tomoyo_get_file_pattern(const struct tomoyo_path_info *filename);
 /* Allocate memory for "struct tomoyo_path_group". */
 struct tomoyo_path_group *tomoyo_get_path_group(const char *group_name);
 struct tomoyo_number_group *tomoyo_get_number_group(const char *group_name);
@@ -972,6 +1010,16 @@ static inline bool tomoyo_is_same_path_number_acl
 		&& tomoyo_is_same_number_union(&p1->number, &p2->number);
 }
 
+static inline bool tomoyo_is_same_mount_acl(const struct tomoyo_mount_acl *p1,
+					    const struct tomoyo_mount_acl *p2)
+{
+	return tomoyo_is_same_acl_head(&p1->head, &p2->head) &&
+		tomoyo_is_same_name_union(&p1->dev_name, &p2->dev_name) &&
+		tomoyo_is_same_name_union(&p1->dir_name, &p2->dir_name) &&
+		tomoyo_is_same_name_union(&p1->fs_type, &p2->fs_type) &&
+		tomoyo_is_same_number_union(&p1->flags, &p2->flags);
+}
+
 static inline bool tomoyo_is_same_domain_initializer_entry
 (const struct tomoyo_domain_initializer_entry *p1,
  const struct tomoyo_domain_initializer_entry *p2)

security/tomoyo/file.c

@@ -24,7 +24,6 @@ static const char *tomoyo_path_keyword[TOMOYO_MAX_PATH_OPERATION] = {
 	[TOMOYO_TYPE_SYMLINK]    = "symlink",
 	[TOMOYO_TYPE_REWRITE]    = "rewrite",
 	[TOMOYO_TYPE_CHROOT]     = "chroot",
-	[TOMOYO_TYPE_MOUNT]      = "mount",
 	[TOMOYO_TYPE_UMOUNT]     = "unmount",
 };
 
@@ -108,8 +107,8 @@ bool tomoyo_compare_number_union(const unsigned long value,
  *
  * Returns mode.
  */
-static int tomoyo_init_request_info(struct tomoyo_request_info *r,
-				    struct tomoyo_domain_info *domain)
+int tomoyo_init_request_info(struct tomoyo_request_info *r,
+			     struct tomoyo_domain_info *domain)
 {
 	memset(r, 0, sizeof(*r));
 	if (!domain)
@@ -487,7 +486,7 @@ static int tomoyo_update_file_pattern_entry(const char *pattern,
  *
  * Caller holds tomoyo_read_lock().
  */
-static const struct tomoyo_path_info *
+const struct tomoyo_path_info *
 tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
 {
 	struct tomoyo_pattern_entry *ptr;
@@ -1418,7 +1417,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
 }
 
 /**
- * tomoyo_path_perm - Check permission for "unlink", "rmdir", "truncate", "symlink", "rewrite", "chroot", "mount" and "unmount".
+ * tomoyo_path_perm - Check permission for "unlink", "rmdir", "truncate", "symlink", "rewrite", "chroot" and "unmount".
  *
  * @operation: Type of operation.
  * @path:      Pointer to "struct path".

security/tomoyo/gc.c

@@ -124,6 +124,16 @@ static void tomoyo_del_acl(struct tomoyo_acl_info *acl)
 			tomoyo_put_number_union(&entry->minor);
 		}
 		break;
+	case TOMOYO_TYPE_MOUNT_ACL:
+		{
+			struct tomoyo_mount_acl *entry
+				= container_of(acl, typeof(*entry), head);
+			tomoyo_put_name_union(&entry->dev_name);
+			tomoyo_put_name_union(&entry->dir_name);
+			tomoyo_put_name_union(&entry->fs_type);
+			tomoyo_put_number_union(&entry->flags);
+		}
+		break;
 	default:
 		printk(KERN_WARNING "Unknown type\n");
 		break;

security/tomoyo/tomoyo.c

@@ -226,7 +226,7 @@ static int tomoyo_path_chroot(struct path *path)
 static int tomoyo_sb_mount(char *dev_name, struct path *path,
 			   char *type, unsigned long flags, void *data)
 {
-	return tomoyo_path_perm(TOMOYO_TYPE_MOUNT, path);
+	return tomoyo_mount_permission(dev_name, path, type, flags, data);
 }
 
 static int tomoyo_sb_umount(struct vfsmount *mnt, int flags)