security/tomoyo/load_policy.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /*
   3  * security/tomoyo/load_policy.c
   4  *
   5  * Copyright (C) 2005-2011  NTT DATA CORPORATION
   6  */
   7
   8 #include "common.h"
   9
  10 #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
  11
  12 /*
  13  * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
  14  */
  15 static const char *tomoyo_loader;
  16
  17 /**
  18  * tomoyo_loader_setup - Set policy loader.
  19  *
  20  * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
  21  *
  22  * Returns 0.
  23  */
  24 static int __init tomoyo_loader_setup(char *str)
  25 {
  26         tomoyo_loader = str;
  27         return 0;
  28 }
  29
  30 __setup("TOMOYO_loader=", tomoyo_loader_setup);
  31
  32 /**
  33  * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
  34  *
  35  * Returns true if /sbin/tomoyo-init exists, false otherwise.
  36  */
  37 static bool tomoyo_policy_loader_exists(void)
  38 {
  39         struct path path;
  40         if (!tomoyo_loader)
  41                 tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
  42         if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
  43                 printk(KERN_INFO "Not activating Mandatory Access Control "
  44                        "as %s does not exist.\n", tomoyo_loader);
  45                 return false;
  46         }
  47         path_put(&path);
  48         return true;
  49 }
  50
  51 /*
  52  * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
  53  */
  54 static const char *tomoyo_trigger;
  55
  56 /**
  57  * tomoyo_trigger_setup - Set trigger for activation.
  58  *
  59  * @str: Program to use as an activation trigger (e.g. /sbin/init ).
  60  *
  61  * Returns 0.
  62  */
  63 static int __init tomoyo_trigger_setup(char *str)
  64 {
  65         tomoyo_trigger = str;
  66         return 0;
  67 }
  68
  69 __setup("TOMOYO_trigger=", tomoyo_trigger_setup);
  70
  71 /**
  72  * tomoyo_load_policy - Run external policy loader to load policy.
  73  *
  74  * @filename: The program about to start.
  75  *
  76  * This function checks whether @filename is /sbin/init , and if so
  77  * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
  78  * and then continues invocation of /sbin/init.
  79  * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
  80  * writes to /sys/kernel/security/tomoyo/ interfaces.
  81  *
  82  * Returns nothing.
  83  */
  84 void tomoyo_load_policy(const char *filename)
  85 {
  86         static bool done;
  87         char *argv[2];
  88         char *envp[3];
  89
  90         if (tomoyo_policy_loaded || done)
  91                 return;
  92         if (!tomoyo_trigger)
  93                 tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
  94         if (strcmp(filename, tomoyo_trigger))
  95                 return;
  96         if (!tomoyo_policy_loader_exists())
  97                 return;
  98         done = true;
  99         printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
 100                tomoyo_loader);
 101         argv[0] = (char *) tomoyo_loader;
 102         argv[1] = NULL;
 103         envp[0] = "HOME=/";
 104         envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
 105         envp[2] = NULL;
 106         call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
 107         tomoyo_check_profile();
 108 }
 109
 110 #endif