load_policy.c 2.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * security/tomoyo/load_policy.c
  4. *
  5. * Copyright (C) 2005-2011 NTT DATA CORPORATION
  6. */
  7. #include "common.h"
  8. #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
  9. /*
  10. * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
  11. */
  12. static const char *tomoyo_loader;
  13. /**
  14. * tomoyo_loader_setup - Set policy loader.
  15. *
  16. * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
  17. *
  18. * Returns 0.
  19. */
  20. static int __init tomoyo_loader_setup(char *str)
  21. {
  22. tomoyo_loader = str;
  23. return 0;
  24. }
  25. __setup("TOMOYO_loader=", tomoyo_loader_setup);
  26. /**
  27. * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
  28. *
  29. * Returns true if /sbin/tomoyo-init exists, false otherwise.
  30. */
  31. static bool tomoyo_policy_loader_exists(void)
  32. {
  33. struct path path;
  34. if (!tomoyo_loader)
  35. tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
  36. if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
  37. printk(KERN_INFO "Not activating Mandatory Access Control "
  38. "as %s does not exist.\n", tomoyo_loader);
  39. return false;
  40. }
  41. path_put(&path);
  42. return true;
  43. }
  44. /*
  45. * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
  46. */
  47. static const char *tomoyo_trigger;
  48. /**
  49. * tomoyo_trigger_setup - Set trigger for activation.
  50. *
  51. * @str: Program to use as an activation trigger (e.g. /sbin/init ).
  52. *
  53. * Returns 0.
  54. */
  55. static int __init tomoyo_trigger_setup(char *str)
  56. {
  57. tomoyo_trigger = str;
  58. return 0;
  59. }
  60. __setup("TOMOYO_trigger=", tomoyo_trigger_setup);
  61. /**
  62. * tomoyo_load_policy - Run external policy loader to load policy.
  63. *
  64. * @filename: The program about to start.
  65. *
  66. * This function checks whether @filename is /sbin/init , and if so
  67. * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
  68. * and then continues invocation of /sbin/init.
  69. * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
  70. * writes to /sys/kernel/security/tomoyo/ interfaces.
  71. *
  72. * Returns nothing.
  73. */
  74. void tomoyo_load_policy(const char *filename)
  75. {
  76. static bool done;
  77. char *argv[2];
  78. char *envp[3];
  79. if (tomoyo_policy_loaded || done)
  80. return;
  81. if (!tomoyo_trigger)
  82. tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
  83. if (strcmp(filename, tomoyo_trigger))
  84. return;
  85. if (!tomoyo_policy_loader_exists())
  86. return;
  87. done = true;
  88. printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
  89. tomoyo_loader);
  90. argv[0] = (char *) tomoyo_loader;
  91. argv[1] = NULL;
  92. envp[0] = "HOME=/";
  93. envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
  94. envp[2] = NULL;
  95. call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
  96. tomoyo_check_profile();
  97. }
  98. #endif