load_policy.c 2.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110
  1. /*
  2. * security/tomoyo/load_policy.c
  3. *
  4. * Copyright (C) 2005-2011 NTT DATA CORPORATION
  5. */
  6. #include "common.h"
  7. #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
  8. /*
  9. * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
  10. */
  11. static const char *tomoyo_loader;
  12. /**
  13. * tomoyo_loader_setup - Set policy loader.
  14. *
  15. * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
  16. *
  17. * Returns 0.
  18. */
  19. static int __init tomoyo_loader_setup(char *str)
  20. {
  21. tomoyo_loader = str;
  22. return 0;
  23. }
  24. __setup("TOMOYO_loader=", tomoyo_loader_setup);
  25. /**
  26. * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
  27. *
  28. * Returns true if /sbin/tomoyo-init exists, false otherwise.
  29. */
  30. static bool tomoyo_policy_loader_exists(void)
  31. {
  32. struct path path;
  33. if (!tomoyo_loader)
  34. tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
  35. if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
  36. printk(KERN_INFO "Not activating Mandatory Access Control "
  37. "as %s does not exist.\n", tomoyo_loader);
  38. return false;
  39. }
  40. path_put(&path);
  41. return true;
  42. }
  43. /*
  44. * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
  45. */
  46. static const char *tomoyo_trigger;
  47. /**
  48. * tomoyo_trigger_setup - Set trigger for activation.
  49. *
  50. * @str: Program to use as an activation trigger (e.g. /sbin/init ).
  51. *
  52. * Returns 0.
  53. */
  54. static int __init tomoyo_trigger_setup(char *str)
  55. {
  56. tomoyo_trigger = str;
  57. return 0;
  58. }
  59. __setup("TOMOYO_trigger=", tomoyo_trigger_setup);
  60. /**
  61. * tomoyo_load_policy - Run external policy loader to load policy.
  62. *
  63. * @filename: The program about to start.
  64. *
  65. * This function checks whether @filename is /sbin/init , and if so
  66. * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
  67. * and then continues invocation of /sbin/init.
  68. * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
  69. * writes to /sys/kernel/security/tomoyo/ interfaces.
  70. *
  71. * Returns nothing.
  72. */
  73. void tomoyo_load_policy(const char *filename)
  74. {
  75. static bool done;
  76. char *argv[2];
  77. char *envp[3];
  78. if (tomoyo_policy_loaded || done)
  79. return;
  80. if (!tomoyo_trigger)
  81. tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
  82. if (strcmp(filename, tomoyo_trigger))
  83. return;
  84. if (!tomoyo_policy_loader_exists())
  85. return;
  86. done = true;
  87. printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
  88. tomoyo_loader);
  89. argv[0] = (char *) tomoyo_loader;
  90. argv[1] = NULL;
  91. envp[0] = "HOME=/";
  92. envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
  93. envp[2] = NULL;
  94. call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
  95. tomoyo_check_profile();
  96. }
  97. #endif