// SPDX-License-Identifier: GPL-2.0
/*
 * security/tomoyo/load_policy.c
 *
 * Copyright (C) 2005-2011 NTT DATA CORPORATION
 */
#include "common.h"
#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
/*
 * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
 *
 * Set by tomoyo_loader_setup() from the "TOMOYO_loader=" boot parameter.
 * Stays NULL until tomoyo_policy_loader_exists() applies the default on
 * first use. This is the program tomoyo_load_policy() executes through
 * call_usermodehelper(), so it is trusted to the same degree as the build
 * configuration and the kernel command line it comes from.
 */
static const char *tomoyo_loader;
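/**
 * tomoyo_loader_setup - Set policy loader.
 *
 * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
 *
 * Handler for the "TOMOYO_loader=" kernel command line parameter. Only the
 * pointer is stored, not a copy, so @str must outlive this function; strings
 * handed to __setup() handlers are assumed to do so. The value is later
 * executed as the policy loader by tomoyo_load_policy().
 *
 * Returns 1, the __setup() convention for a consumed parameter.
 */
static int __init tomoyo_loader_setup(char *str)
{
	tomoyo_loader = str;
	return 1;
}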
/* Make tomoyo_loader_setup() handle "TOMOYO_loader=" on the kernel command line. */
__setup("TOMOYO_loader=", tomoyo_loader_setup);
/**
 * tomoyo_policy_loader_exists - Check whether the policy loader exists.
 *
 * Applies the build-time default (CONFIG_SECURITY_TOMOYO_POLICY_LOADER) to
 * @tomoyo_loader if no "TOMOYO_loader=" boot parameter was given, then looks
 * the path up with a trailing symlink followed. Nothing beyond existence
 * (e.g. executability) is verified here. A message is logged when the
 * loader is missing.
 *
 * Returns true if the loader (e.g. /sbin/tomoyo-init) exists, false otherwise.
 */
static bool tomoyo_policy_loader_exists(void)
{
	struct path path;
	int err;

	/* Fall back to the build-time default when no boot parameter was given. */
	if (tomoyo_loader == NULL)
		tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;

	err = kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path);
	if (err == 0) {
		/* Only the lookup result is needed; drop the reference at once. */
		path_put(&path);
		return true;
	}

	pr_info("Not activating Mandatory Access Control as %s does not exist.\n",
		tomoyo_loader);
	return false;
}
/*
 * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
 *
 * Set by tomoyo_trigger_setup() from the "TOMOYO_trigger=" boot parameter.
 * Stays NULL until tomoyo_load_policy() applies the default on first use.
 * A program whose path compares equal to it (plain strcmp(), no
 * canonicalisation) triggers the policy loader.
 */
static const char *tomoyo_trigger;
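/**
 * tomoyo_trigger_setup - Set trigger for activation.
 *
 * @str: Program to use as an activation trigger (e.g. /sbin/init ).
 *
 * Handler for the "TOMOYO_trigger=" kernel command line parameter. Only the
 * pointer is stored, not a copy, so @str must outlive this function; strings
 * handed to __setup() handlers are assumed to do so. tomoyo_load_policy()
 * compares the program about to be executed against this value.
 *
 * Returns 1, the __setup() convention for a consumed parameter.
 */
static int __init tomoyo_trigger_setup(char *str)
{
	tomoyo_trigger = str;
	return 1;
}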
/* Make tomoyo_trigger_setup() handle "TOMOYO_trigger=" on the kernel command line. */
__setup("TOMOYO_trigger=", tomoyo_trigger_setup);
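/**
 * tomoyo_load_policy - Run external policy loader to load policy.
 *
 * @filename: The program about to start. Must not be NULL.
 *
 * This function checks whether @filename is /sbin/init , and if so
 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
 * and then continues invocation of /sbin/init.
 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
 * writes to /sys/kernel/security/tomoyo/ interfaces.
 *
 * "/sbin/init" and "/sbin/tomoyo-init" above are the usual values; the
 * actual trigger is @tomoyo_trigger ("TOMOYO_trigger=" boot parameter,
 * default CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER) and the actual loader
 * is @tomoyo_loader ("TOMOYO_loader=" boot parameter, default
 * CONFIG_SECURITY_TOMOYO_POLICY_LOADER). The trigger comparison is an exact
 * string match of @filename, with no path canonicalisation. The loader is
 * started at most once: @done is set before the helper runs so that neither
 * a failing loader nor a re-executed trigger starts it again, and nothing is
 * done once @tomoyo_policy_loaded is set. A non-zero result from the helper
 * is logged because a loader that did not run means policy was not loaded.
 * Afterwards control passes to tomoyo_check_profile() regardless of that
 * result.
 *
 * Returns nothing.
 */
void tomoyo_load_policy(const char *filename)
{
	static bool done;
	char *argv[2];
	char *envp[3];
	int ret;

	if (tomoyo_policy_loaded || done)
		return;
	/* Lazily apply the build-time default if no boot parameter was given. */
	if (!tomoyo_trigger)
		tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
	if (strcmp(filename, tomoyo_trigger))
		return;
	/* Also fills in the default for tomoyo_loader when it is still unset. */
	if (!tomoyo_policy_loader_exists())
		return;
	/* Set before running the helper so that this is a one-shot, even on failure. */
	done = true;
	pr_info("Calling %s to load policy. Please wait.\n", tomoyo_loader);
	/* call_usermodehelper() takes non-const argv; the string is never written. */
	argv[0] = (char *) tomoyo_loader;
	argv[1] = NULL;
	/* Fixed, minimal environment for the helper; nothing from the caller is passed. */
	envp[0] = "HOME=/";
	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
	envp[2] = NULL;
	ret = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
	if (ret)
		pr_err("%s returned %d; policy may not have been loaded.\n",
		       tomoyo_loader, ret);
	tomoyo_check_profile();
}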
#endif