LXR linux/security/tomoyo/load

   1// SPDX-License-Identifier: GPL-2.0
   2/*
   3 * security/tomoyo/load_policy.c
   4 *
   5 * Copyright (C) 2005-2011  NTT DATA CORPORATION
   6 */
   7
   8#include "common.h"
   9
  10#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
  11
  12/*
  13 * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
  14 */
  15static const char *tomoyo_loader;
  16
  17/**
  18 * tomoyo_loader_setup - Set policy loader.
  19 *
  20 * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
  21 *
  22 * Returns 0.
  23 */
  24static int __init tomoyo_loader_setup(char *str)
  25{
  26        tomoyo_loader = str;
  27        return 0;
  28}
  29
  30__setup("TOMOYO_loader=", tomoyo_loader_setup);
  31
  32/**
  33 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
  34 *
  35 * Returns true if /sbin/tomoyo-init exists, false otherwise.
  36 */
  37static bool tomoyo_policy_loader_exists(void)
  38{
  39        struct path path;
  40
  41        if (!tomoyo_loader)
  42                tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
  43        if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
  44                pr_info("Not activating Mandatory Access Control as %s does not exist.\n",
  45                        tomoyo_loader);
  46                return false;
  47        }
  48        path_put(&path);
  49        return true;
  50}
  51
  52/*
  53 * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
  54 */
  55static const char *tomoyo_trigger;
  56
  57/**
  58 * tomoyo_trigger_setup - Set trigger for activation.
  59 *
  60 * @str: Program to use as an activation trigger (e.g. /sbin/init ).
  61 *
  62 * Returns 0.
  63 */
  64static int __init tomoyo_trigger_setup(char *str)
  65{
  66        tomoyo_trigger = str;
  67        return 0;
  68}
  69
  70__setup("TOMOYO_trigger=", tomoyo_trigger_setup);
  71
  72/**
  73 * tomoyo_load_policy - Run external policy loader to load policy.
  74 *
  75 * @filename: The program about to start.
  76 *
  77 * This function checks whether @filename is /sbin/init , and if so
  78 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
  79 * and then continues invocation of /sbin/init.
  80 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
  81 * writes to /sys/kernel/security/tomoyo/ interfaces.
  82 *
  83 * Returns nothing.
  84 */
  85void tomoyo_load_policy(const char *filename)
  86{
  87        static bool done;
  88        char *argv[2];
  89        char *envp[3];
  90
  91        if (tomoyo_policy_loaded || done)
  92                return;
  93        if (!tomoyo_trigger)
  94                tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
  95        if (strcmp(filename, tomoyo_trigger))
  96                return;
  97        if (!tomoyo_policy_loader_exists())
  98                return;
  99        done = true;
 100        pr_info("Calling %s to load policy. Please wait.\n", tomoyo_loader);
 101        argv[0] = (char *) tomoyo_loader;
 102        argv[1] = NULL;
 103        envp[0] = "HOME=/";
 104        envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
 105        envp[2] = NULL;
 106        call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
 107        tomoyo_check_profile();
 108}
 109
 110#endif
 111