Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
c3ef1500 TH |
2 | /* |
3 | * security/tomoyo/load_policy.c | |
4 | * | |
0f2a55d5 | 5 | * Copyright (C) 2005-2011 NTT DATA CORPORATION |
c3ef1500 TH |
6 | */ |
7 | ||
8 | #include "common.h" | |
9 | ||
0e4ae0e0 TH |
10 | #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER |
11 | ||
12 | /* | |
13 | * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER) | |
14 | */ | |
15 | static const char *tomoyo_loader; | |
16 | ||
17 | /** | |
18 | * tomoyo_loader_setup - Set policy loader. | |
19 | * | |
20 | * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ). | |
21 | * | |
22 | * Returns 0. | |
23 | */ | |
24 | static int __init tomoyo_loader_setup(char *str) | |
25 | { | |
26 | tomoyo_loader = str; | |
27 | return 0; | |
28 | } | |
29 | ||
30 | __setup("TOMOYO_loader=", tomoyo_loader_setup); | |
c3ef1500 TH |
31 | |
32 | /** | |
33 | * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists. | |
34 | * | |
35 | * Returns true if /sbin/tomoyo-init exists, false otherwise. | |
36 | */ | |
37 | static bool tomoyo_policy_loader_exists(void) | |
38 | { | |
c3ef1500 | 39 | struct path path; |
0e4ae0e0 TH |
40 | if (!tomoyo_loader) |
41 | tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER; | |
c3ef1500 | 42 | if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) { |
0e4ae0e0 TH |
43 | printk(KERN_INFO "Not activating Mandatory Access Control " |
44 | "as %s does not exist.\n", tomoyo_loader); | |
c3ef1500 TH |
45 | return false; |
46 | } | |
47 | path_put(&path); | |
48 | return true; | |
49 | } | |
50 | ||
0e4ae0e0 TH |
51 | /* |
52 | * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER) | |
53 | */ | |
54 | static const char *tomoyo_trigger; | |
55 | ||
56 | /** | |
57 | * tomoyo_trigger_setup - Set trigger for activation. | |
58 | * | |
59 | * @str: Program to use as an activation trigger (e.g. /sbin/init ). | |
60 | * | |
61 | * Returns 0. | |
62 | */ | |
63 | static int __init tomoyo_trigger_setup(char *str) | |
64 | { | |
65 | tomoyo_trigger = str; | |
66 | return 0; | |
67 | } | |
68 | ||
69 | __setup("TOMOYO_trigger=", tomoyo_trigger_setup); | |
70 | ||
c3ef1500 TH |
71 | /** |
72 | * tomoyo_load_policy - Run external policy loader to load policy. | |
73 | * | |
74 | * @filename: The program about to start. | |
75 | * | |
76 | * This function checks whether @filename is /sbin/init , and if so | |
77 | * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init | |
78 | * and then continues invocation of /sbin/init. | |
79 | * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and | |
80 | * writes to /sys/kernel/security/tomoyo/ interfaces. | |
81 | * | |
82 | * Returns nothing. | |
83 | */ | |
84 | void tomoyo_load_policy(const char *filename) | |
85 | { | |
0e4ae0e0 | 86 | static bool done; |
c3ef1500 TH |
87 | char *argv[2]; |
88 | char *envp[3]; | |
89 | ||
0e4ae0e0 | 90 | if (tomoyo_policy_loaded || done) |
c3ef1500 | 91 | return; |
0e4ae0e0 TH |
92 | if (!tomoyo_trigger) |
93 | tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER; | |
94 | if (strcmp(filename, tomoyo_trigger)) | |
c3ef1500 TH |
95 | return; |
96 | if (!tomoyo_policy_loader_exists()) | |
97 | return; | |
0e4ae0e0 | 98 | done = true; |
c3ef1500 TH |
99 | printk(KERN_INFO "Calling %s to load policy. Please wait.\n", |
100 | tomoyo_loader); | |
101 | argv[0] = (char *) tomoyo_loader; | |
102 | argv[1] = NULL; | |
103 | envp[0] = "HOME=/"; | |
104 | envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin"; | |
105 | envp[2] = NULL; | |
70834d30 | 106 | call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC); |
c3ef1500 TH |
107 | tomoyo_check_profile(); |
108 | } | |
0e4ae0e0 TH |
109 | |
110 | #endif |