LXR linux/security/tomoyo/load

   1/*
   2 * security/tomoyo/load_policy.c
   3 *
   4 * Copyright (C) 2005-2011  NTT DATA CORPORATION
   5 */
   6
   7#include "common.h"
   8
   9#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
  10
  11/*
  12 * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
  13 */
  14static const char *tomoyo_loader;
  15
  16/**
  17 * tomoyo_loader_setup - Set policy loader.
  18 *
  19 * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
  20 *
  21 * Returns 0.
  22 */
  23static int __init tomoyo_loader_setup(char *str)
  24{
  25        tomoyo_loader = str;
  26        return 0;
  27}
  28
  29__setup("TOMOYO_loader=", tomoyo_loader_setup);
  30
  31/**
  32 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
  33 *
  34 * Returns true if /sbin/tomoyo-init exists, false otherwise.
  35 */
  36static bool tomoyo_policy_loader_exists(void)
  37{
  38        struct path path;
  39        if (!tomoyo_loader)
  40                tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
  41        if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
  42                printk(KERN_INFO "Not activating Mandatory Access Control "
  43                       "as %s does not exist.\n", tomoyo_loader);
  44                return false;
  45        }
  46        path_put(&path);
  47        return true;
  48}
  49
  50/*
  51 * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
  52 */
  53static const char *tomoyo_trigger;
  54
  55/**
  56 * tomoyo_trigger_setup - Set trigger for activation.
  57 *
  58 * @str: Program to use as an activation trigger (e.g. /sbin/init ).
  59 *
  60 * Returns 0.
  61 */
  62static int __init tomoyo_trigger_setup(char *str)
  63{
  64        tomoyo_trigger = str;
  65        return 0;
  66}
  67
  68__setup("TOMOYO_trigger=", tomoyo_trigger_setup);
  69
  70/**
  71 * tomoyo_load_policy - Run external policy loader to load policy.
  72 *
  73 * @filename: The program about to start.
  74 *
  75 * This function checks whether @filename is /sbin/init , and if so
  76 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
  77 * and then continues invocation of /sbin/init.
  78 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
  79 * writes to /sys/kernel/security/tomoyo/ interfaces.
  80 *
  81 * Returns nothing.
  82 */
  83void tomoyo_load_policy(const char *filename)
  84{
  85        static bool done;
  86        char *argv[2];
  87        char *envp[3];
  88
  89        if (tomoyo_policy_loaded || done)
  90                return;
  91        if (!tomoyo_trigger)
  92                tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
  93        if (strcmp(filename, tomoyo_trigger))
  94                return;
  95        if (!tomoyo_policy_loader_exists())
  96                return;
  97        done = true;
  98        printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
  99               tomoyo_loader);
 100        argv[0] = (char *) tomoyo_loader;
 101        argv[1] = NULL;
 102        envp[0] = "HOME=/";
 103        envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
 104        envp[2] = NULL;
 105        call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
 106        tomoyo_check_profile();
 107}
 108
 109#endif
 110