xref: /openbmc/linux/security/tomoyo/load_policy.c (revision 4800cd83)
1 /*
2  * security/tomoyo/load_policy.c
3  *
4  * Policy loader launcher for TOMOYO.
5  *
6  * Copyright (C) 2005-2010  NTT DATA CORPORATION
7  */
8 
9 #include "common.h"
10 
11 /* path to policy loader */
12 static const char *tomoyo_loader = "/sbin/tomoyo-init";
13 
14 /**
15  * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
16  *
17  * Returns true if /sbin/tomoyo-init exists, false otherwise.
18  */
19 static bool tomoyo_policy_loader_exists(void)
20 {
21 	/*
22 	 * Don't activate MAC if the policy loader doesn't exist.
23 	 * If the initrd includes /sbin/init but real-root-dev has not
24 	 * mounted on / yet, activating MAC will block the system since
25 	 * policies are not loaded yet.
26 	 * Thus, let do_execve() call this function everytime.
27 	 */
28 	struct path path;
29 
30 	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
31 		printk(KERN_INFO "Not activating Mandatory Access Control now "
32 		       "since %s doesn't exist.\n", tomoyo_loader);
33 		return false;
34 	}
35 	path_put(&path);
36 	return true;
37 }
38 
39 /**
40  * tomoyo_load_policy - Run external policy loader to load policy.
41  *
42  * @filename: The program about to start.
43  *
44  * This function checks whether @filename is /sbin/init , and if so
45  * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
46  * and then continues invocation of /sbin/init.
47  * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
48  * writes to /sys/kernel/security/tomoyo/ interfaces.
49  *
50  * Returns nothing.
51  */
52 void tomoyo_load_policy(const char *filename)
53 {
54 	char *argv[2];
55 	char *envp[3];
56 
57 	if (tomoyo_policy_loaded)
58 		return;
59 	/*
60 	 * Check filename is /sbin/init or /sbin/tomoyo-start.
61 	 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
62 	 * be passed.
63 	 * You can create /sbin/tomoyo-start by
64 	 * "ln -s /bin/true /sbin/tomoyo-start".
65 	 */
66 	if (strcmp(filename, "/sbin/init") &&
67 	    strcmp(filename, "/sbin/tomoyo-start"))
68 		return;
69 	if (!tomoyo_policy_loader_exists())
70 		return;
71 
72 	printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
73 	       tomoyo_loader);
74 	argv[0] = (char *) tomoyo_loader;
75 	argv[1] = NULL;
76 	envp[0] = "HOME=/";
77 	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
78 	envp[2] = NULL;
79 	call_usermodehelper(argv[0], argv, envp, 1);
80 	tomoyo_check_profile();
81 }
82