LXR linux/security/tomoyo/load

   1// SPDX-License-Identifier: GPL-2.0
   2/*
   3 * security/tomoyo/load_policy.c
   4 *
   5 * Copyright (C) 2005-2011  NTT DATA CORPORATION
   6 */
   7
   8#include "common.h"
   9
  10#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
  11
  12/*
  13 * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
  14 */
  15static const char *tomoyo_loader;
  16
  17/**
  18 * tomoyo_loader_setup - Set policy loader.
  19 *
  20 * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
  21 *
  22 * Returns 0.
  23 */
  24static int __init tomoyo_loader_setup(char *str)
  25{
  26        tomoyo_loader = str;
  27        return 0;
  28}
  29
  30__setup("TOMOYO_loader=", tomoyo_loader_setup);
  31
  32/**
  33 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
  34 *
  35 * Returns true if /sbin/tomoyo-init exists, false otherwise.
  36 */
  37static bool tomoyo_policy_loader_exists(void)
  38{
  39        struct path path;
  40        if (!tomoyo_loader)
  41                tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
  42        if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
  43                printk(KERN_INFO "Not activating Mandatory Access Control "
  44                       "as %s does not exist.\n", tomoyo_loader);
  45                return false;
  46        }
  47        path_put(&path);
  48        return true;
  49}
  50
  51/*
  52 * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
  53 */
  54static const char *tomoyo_trigger;
  55
  56/**
  57 * tomoyo_trigger_setup - Set trigger for activation.
  58 *
  59 * @str: Program to use as an activation trigger (e.g. /sbin/init ).
  60 *
  61 * Returns 0.
  62 */
  63static int __init tomoyo_trigger_setup(char *str)
  64{
  65        tomoyo_trigger = str;
  66        return 0;
  67}
  68
  69__setup("TOMOYO_trigger=", tomoyo_trigger_setup);
  70
  71/**
  72 * tomoyo_load_policy - Run external policy loader to load policy.
  73 *
  74 * @filename: The program about to start.
  75 *
  76 * This function checks whether @filename is /sbin/init , and if so
  77 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
  78 * and then continues invocation of /sbin/init.
  79 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
  80 * writes to /sys/kernel/security/tomoyo/ interfaces.
  81 *
  82 * Returns nothing.
  83 */
  84void tomoyo_load_policy(const char *filename)
  85{
  86        static bool done;
  87        char *argv[2];
  88        char *envp[3];
  89
  90        if (tomoyo_policy_loaded || done)
  91                return;
  92        if (!tomoyo_trigger)
  93                tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
  94        if (strcmp(filename, tomoyo_trigger))
  95                return;
  96        if (!tomoyo_policy_loader_exists())
  97                return;
  98        done = true;
  99        printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
 100               tomoyo_loader);
 101        argv[0] = (char *) tomoyo_loader;
 102        argv[1] = NULL;
 103        envp[0] = "HOME=/";
 104        envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
 105        envp[2] = NULL;
 106        call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
 107        tomoyo_check_profile();
 108}
 109
 110#endif
 111