xref: /OK3568_Linux_fs/kernel/security/tomoyo/load_policy.c (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun  * security/tomoyo/load_policy.c
4*4882a593Smuzhiyun  *
5*4882a593Smuzhiyun  * Copyright (C) 2005-2011  NTT DATA CORPORATION
6*4882a593Smuzhiyun  */
7*4882a593Smuzhiyun 
8*4882a593Smuzhiyun #include "common.h"
9*4882a593Smuzhiyun 
10*4882a593Smuzhiyun #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
11*4882a593Smuzhiyun 
12*4882a593Smuzhiyun /*
13*4882a593Smuzhiyun  * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
14*4882a593Smuzhiyun  */
15*4882a593Smuzhiyun static const char *tomoyo_loader;
16*4882a593Smuzhiyun 
17*4882a593Smuzhiyun /**
18*4882a593Smuzhiyun  * tomoyo_loader_setup - Set policy loader.
19*4882a593Smuzhiyun  *
20*4882a593Smuzhiyun  * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
21*4882a593Smuzhiyun  *
22*4882a593Smuzhiyun  * Returns 0.
23*4882a593Smuzhiyun  */
tomoyo_loader_setup(char * str)24*4882a593Smuzhiyun static int __init tomoyo_loader_setup(char *str)
25*4882a593Smuzhiyun {
26*4882a593Smuzhiyun 	tomoyo_loader = str;
27*4882a593Smuzhiyun 	return 1;
28*4882a593Smuzhiyun }
29*4882a593Smuzhiyun 
30*4882a593Smuzhiyun __setup("TOMOYO_loader=", tomoyo_loader_setup);
31*4882a593Smuzhiyun 
32*4882a593Smuzhiyun /**
33*4882a593Smuzhiyun  * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
34*4882a593Smuzhiyun  *
35*4882a593Smuzhiyun  * Returns true if /sbin/tomoyo-init exists, false otherwise.
36*4882a593Smuzhiyun  */
tomoyo_policy_loader_exists(void)37*4882a593Smuzhiyun static bool tomoyo_policy_loader_exists(void)
38*4882a593Smuzhiyun {
39*4882a593Smuzhiyun 	struct path path;
40*4882a593Smuzhiyun 
41*4882a593Smuzhiyun 	if (!tomoyo_loader)
42*4882a593Smuzhiyun 		tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
43*4882a593Smuzhiyun 	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
44*4882a593Smuzhiyun 		pr_info("Not activating Mandatory Access Control as %s does not exist.\n",
45*4882a593Smuzhiyun 			tomoyo_loader);
46*4882a593Smuzhiyun 		return false;
47*4882a593Smuzhiyun 	}
48*4882a593Smuzhiyun 	path_put(&path);
49*4882a593Smuzhiyun 	return true;
50*4882a593Smuzhiyun }
51*4882a593Smuzhiyun 
52*4882a593Smuzhiyun /*
53*4882a593Smuzhiyun  * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
54*4882a593Smuzhiyun  */
55*4882a593Smuzhiyun static const char *tomoyo_trigger;
56*4882a593Smuzhiyun 
57*4882a593Smuzhiyun /**
58*4882a593Smuzhiyun  * tomoyo_trigger_setup - Set trigger for activation.
59*4882a593Smuzhiyun  *
60*4882a593Smuzhiyun  * @str: Program to use as an activation trigger (e.g. /sbin/init ).
61*4882a593Smuzhiyun  *
62*4882a593Smuzhiyun  * Returns 0.
63*4882a593Smuzhiyun  */
tomoyo_trigger_setup(char * str)64*4882a593Smuzhiyun static int __init tomoyo_trigger_setup(char *str)
65*4882a593Smuzhiyun {
66*4882a593Smuzhiyun 	tomoyo_trigger = str;
67*4882a593Smuzhiyun 	return 1;
68*4882a593Smuzhiyun }
69*4882a593Smuzhiyun 
70*4882a593Smuzhiyun __setup("TOMOYO_trigger=", tomoyo_trigger_setup);
71*4882a593Smuzhiyun 
72*4882a593Smuzhiyun /**
73*4882a593Smuzhiyun  * tomoyo_load_policy - Run external policy loader to load policy.
74*4882a593Smuzhiyun  *
75*4882a593Smuzhiyun  * @filename: The program about to start.
76*4882a593Smuzhiyun  *
77*4882a593Smuzhiyun  * This function checks whether @filename is /sbin/init , and if so
78*4882a593Smuzhiyun  * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
79*4882a593Smuzhiyun  * and then continues invocation of /sbin/init.
80*4882a593Smuzhiyun  * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
81*4882a593Smuzhiyun  * writes to /sys/kernel/security/tomoyo/ interfaces.
82*4882a593Smuzhiyun  *
83*4882a593Smuzhiyun  * Returns nothing.
84*4882a593Smuzhiyun  */
tomoyo_load_policy(const char * filename)85*4882a593Smuzhiyun void tomoyo_load_policy(const char *filename)
86*4882a593Smuzhiyun {
87*4882a593Smuzhiyun 	static bool done;
88*4882a593Smuzhiyun 	char *argv[2];
89*4882a593Smuzhiyun 	char *envp[3];
90*4882a593Smuzhiyun 
91*4882a593Smuzhiyun 	if (tomoyo_policy_loaded || done)
92*4882a593Smuzhiyun 		return;
93*4882a593Smuzhiyun 	if (!tomoyo_trigger)
94*4882a593Smuzhiyun 		tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
95*4882a593Smuzhiyun 	if (strcmp(filename, tomoyo_trigger))
96*4882a593Smuzhiyun 		return;
97*4882a593Smuzhiyun 	if (!tomoyo_policy_loader_exists())
98*4882a593Smuzhiyun 		return;
99*4882a593Smuzhiyun 	done = true;
100*4882a593Smuzhiyun 	pr_info("Calling %s to load policy. Please wait.\n", tomoyo_loader);
101*4882a593Smuzhiyun 	argv[0] = (char *) tomoyo_loader;
102*4882a593Smuzhiyun 	argv[1] = NULL;
103*4882a593Smuzhiyun 	envp[0] = "HOME=/";
104*4882a593Smuzhiyun 	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
105*4882a593Smuzhiyun 	envp[2] = NULL;
106*4882a593Smuzhiyun 	call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
107*4882a593Smuzhiyun 	tomoyo_check_profile();
108*4882a593Smuzhiyun }
109*4882a593Smuzhiyun 
110*4882a593Smuzhiyun #endif
111