1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * security/tomoyo/load_policy.c |
4 | * |
5 | * Copyright (C) 2005-2011 NTT DATA CORPORATION |
6 | */ |
7 | |
8 | #include "common.h" |
9 | |
10 | #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER |
11 | |
12 | /* |
13 | * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER) |
14 | */ |
15 | static const char *tomoyo_loader; |
16 | |
17 | /** |
18 | * tomoyo_loader_setup - Set policy loader. |
19 | * |
20 | * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ). |
21 | * |
22 | * Returns 0. |
23 | */ |
24 | static int __init tomoyo_loader_setup(char *str) |
25 | { |
26 | tomoyo_loader = str; |
27 | return 1; |
28 | } |
29 | |
30 | __setup("TOMOYO_loader=" , tomoyo_loader_setup); |
31 | |
32 | /** |
33 | * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists. |
34 | * |
35 | * Returns true if /sbin/tomoyo-init exists, false otherwise. |
36 | */ |
37 | static bool tomoyo_policy_loader_exists(void) |
38 | { |
39 | struct path path; |
40 | |
41 | if (!tomoyo_loader) |
42 | tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER; |
43 | if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) { |
44 | pr_info("Not activating Mandatory Access Control as %s does not exist.\n" , |
45 | tomoyo_loader); |
46 | return false; |
47 | } |
48 | path_put(&path); |
49 | return true; |
50 | } |
51 | |
52 | /* |
53 | * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER) |
54 | */ |
55 | static const char *tomoyo_trigger; |
56 | |
57 | /** |
58 | * tomoyo_trigger_setup - Set trigger for activation. |
59 | * |
60 | * @str: Program to use as an activation trigger (e.g. /sbin/init ). |
61 | * |
62 | * Returns 0. |
63 | */ |
64 | static int __init tomoyo_trigger_setup(char *str) |
65 | { |
66 | tomoyo_trigger = str; |
67 | return 1; |
68 | } |
69 | |
70 | __setup("TOMOYO_trigger=" , tomoyo_trigger_setup); |
71 | |
72 | /** |
73 | * tomoyo_load_policy - Run external policy loader to load policy. |
74 | * |
75 | * @filename: The program about to start. |
76 | * |
77 | * This function checks whether @filename is /sbin/init , and if so |
78 | * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init |
79 | * and then continues invocation of /sbin/init. |
80 | * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and |
81 | * writes to /sys/kernel/security/tomoyo/ interfaces. |
82 | * |
83 | * Returns nothing. |
84 | */ |
85 | void tomoyo_load_policy(const char *filename) |
86 | { |
87 | static bool done; |
88 | char *argv[2]; |
89 | char *envp[3]; |
90 | |
91 | if (tomoyo_policy_loaded || done) |
92 | return; |
93 | if (!tomoyo_trigger) |
94 | tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER; |
95 | if (strcmp(filename, tomoyo_trigger)) |
96 | return; |
97 | if (!tomoyo_policy_loader_exists()) |
98 | return; |
99 | done = true; |
100 | pr_info("Calling %s to load policy. Please wait.\n" , tomoyo_loader); |
101 | argv[0] = (char *) tomoyo_loader; |
102 | argv[1] = NULL; |
103 | envp[0] = "HOME=/" ; |
104 | envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin" ; |
105 | envp[2] = NULL; |
106 | call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC); |
107 | tomoyo_check_profile(); |
108 | } |
109 | |
110 | #endif |
111 | |