/*
* security/tomoyo/load_policy.c
*
* Policy loader launcher for TOMOYO.
*
* Copyright (C) 2005-2010 NTT DATA CORPORATION
*/
#include "common.h"
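/*
 * Path to the user-space policy loader that the kernel executes from the
 * exec path. The pointer itself is const as well: nothing in this file
 * reassigns it, so the path of a helper the kernel runs on its own behalf
 * can live in read-only data instead of being a writable global.
 */
static const char *const tomoyo_loader = "/sbin/tomoyo-init";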
/**
 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
 *
 * Looks up tomoyo_loader with kern_path() (LOOKUP_FOLLOW) and drops the
 * reference immediately; only the outcome of the lookup matters. When
 * the lookup fails a message explains why MAC is not being activated.
 *
 * This is a point-in-time existence check only. The loader may still
 * disappear before it is actually executed, so the caller must not treat
 * a true result as a guarantee that running it will succeed.
 *
 * Returns true if /sbin/tomoyo-init exists, false otherwise.
 */
static bool tomoyo_policy_loader_exists(void)
{
	/*
	 * Do not activate MAC while the policy loader is absent. An initrd
	 * may contain /sbin/init before the real root device is mounted on
	 * /; enabling enforcement at that point would block the system
	 * because no policy has been loaded yet. Hence do_execve() has this
	 * re-evaluated on every call instead of caching the answer.
	 */
	struct path loader_path;
	int err = kern_path(tomoyo_loader, LOOKUP_FOLLOW, &loader_path);

	if (err == 0) {
		/* Only existence matters; release the reference at once. */
		path_put(&loader_path);
		return true;
	}
	printk(KERN_INFO "Not activating Mandatory Access Control now "
	       "since %s doesn't exist.\n", tomoyo_loader);
	return false;
}
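/**
 * tomoyo_load_policy - Run external policy loader to load policy.
 *
 * @filename: The program about to start.
 *
 * This function checks whether @filename is /sbin/init (or the dummy
 * trigger /sbin/tomoyo-start), and if so invokes /sbin/tomoyo-init, waits
 * for it to terminate, and then lets the invocation of @filename continue.
 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
 * writes to /sys/kernel/security/tomoyo/ interfaces.
 *
 * A failure of the helper is reported via printk but does not abort the
 * exec; tomoyo_check_profile() remains the final gate on the resulting
 * policy state, exactly as before.
 *
 * Returns nothing.
 */
void tomoyo_load_policy(const char *filename)
{
	char *argv[2];
	char *envp[3];
	int ret;

	/* tomoyo_policy_loaded is set elsewhere once policy is in place. */
	if (tomoyo_policy_loaded)
		return;
	/*
	 * Check filename is /sbin/init or /sbin/tomoyo-start.
	 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
	 * be passed.
	 * You can create /sbin/tomoyo-start by
	 * "ln -s /bin/true /sbin/tomoyo-start".
	 */
	if (strcmp(filename, "/sbin/init") &&
	    strcmp(filename, "/sbin/tomoyo-start"))
		return;
	if (!tomoyo_policy_loader_exists())
		return;

	printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
	       tomoyo_loader);
	argv[0] = (char *) tomoyo_loader;
	argv[1] = NULL;
	/*
	 * Fixed, minimal environment: only these two variables are handed to
	 * the helper, nothing from the process that is exec'ing @filename.
	 */
	envp[0] = "HOME=/";
	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
	envp[2] = NULL;
	/*
	 * wait=1: block until the loader process has exited. A non-zero
	 * result means the helper could not be run or did not exit cleanly;
	 * previously this was discarded silently, leaving no trace of why
	 * policy might be missing when tomoyo_check_profile() complains.
	 */
	ret = call_usermodehelper(argv[0], argv, envp, 1);
	if (ret)
		printk(KERN_INFO "%s returned %d; policy may not have been "
		       "loaded.\n", tomoyo_loader, ret);
	/* Whatever the loader did, validate the resulting profile state. */
	tomoyo_check_profile();
}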