security/tomoyo/load_policy.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * security/tomoyo/load_policy.c
0004  *
0005  * Copyright (C) 2005-2011  NTT DATA CORPORATION
0006  */
0007
0008 #include "common.h"
0009
0010 #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
0011
0012 /*
0013  * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
0014  */
0015 static const char *tomoyo_loader;
0016
0017 /**
0018  * tomoyo_loader_setup - Set policy loader.
0019  *
0020  * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
0021  *
0022  * Returns 0.
0023  */
0024 static int __init tomoyo_loader_setup(char *str)
0025 {
0026     tomoyo_loader = str;
0027     return 1;
0028 }
0029
0030 __setup("TOMOYO_loader=", tomoyo_loader_setup);
0031
0032 /**
0033  * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
0034  *
0035  * Returns true if /sbin/tomoyo-init exists, false otherwise.
0036  */
0037 static bool tomoyo_policy_loader_exists(void)
0038 {
0039     struct path path;
0040
0041     if (!tomoyo_loader)
0042         tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
0043     if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
0044         pr_info("Not activating Mandatory Access Control as %s does not exist.\n",
0045             tomoyo_loader);
0046         return false;
0047     }
0048     path_put(&path);
0049     return true;
0050 }
0051
0052 /*
0053  * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
0054  */
0055 static const char *tomoyo_trigger;
0056
0057 /**
0058  * tomoyo_trigger_setup - Set trigger for activation.
0059  *
0060  * @str: Program to use as an activation trigger (e.g. /sbin/init ).
0061  *
0062  * Returns 0.
0063  */
0064 static int __init tomoyo_trigger_setup(char *str)
0065 {
0066     tomoyo_trigger = str;
0067     return 1;
0068 }
0069
0070 __setup("TOMOYO_trigger=", tomoyo_trigger_setup);
0071
0072 /**
0073  * tomoyo_load_policy - Run external policy loader to load policy.
0074  *
0075  * @filename: The program about to start.
0076  *
0077  * This function checks whether @filename is /sbin/init , and if so
0078  * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
0079  * and then continues invocation of /sbin/init.
0080  * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
0081  * writes to /sys/kernel/security/tomoyo/ interfaces.
0082  *
0083  * Returns nothing.
0084  */
0085 void tomoyo_load_policy(const char *filename)
0086 {
0087     static bool done;
0088     char *argv[2];
0089     char *envp[3];
0090
0091     if (tomoyo_policy_loaded || done)
0092         return;
0093     if (!tomoyo_trigger)
0094         tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
0095     if (strcmp(filename, tomoyo_trigger))
0096         return;
0097     if (!tomoyo_policy_loader_exists())
0098         return;
0099     done = true;
0100     pr_info("Calling %s to load policy. Please wait.\n", tomoyo_loader);
0101     argv[0] = (char *) tomoyo_loader;
0102     argv[1] = NULL;
0103     envp[0] = "HOME=/";
0104     envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
0105     envp[2] = NULL;
0106     call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
0107     tomoyo_check_profile();
0108 }
0109
0110 #endif