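/*
 * security/tomoyo/load_policy.c
 *
 * Policy loader launcher for TOMOYO.
 *
 * Copyright (C) 2005-2010 NTT DATA CORPORATION
 */

#include "common.h"

/*
 * Path to the userspace policy loader.
 *
 * The kernel runs this program through call_usermodehelper(), so the path is
 * fixed and absolute and is never derived from the program being executed.
 */
static const char *tomoyo_loader = "/sbin/tomoyo-init";

/**
 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
 *
 * Only resolves the path; the lookup result is released again right away.
 * This is an existence check, not a check of what the file is or contains.
 *
 * Returns true if /sbin/tomoyo-init exists, false otherwise.
 */
static bool tomoyo_policy_loader_exists(void)
{
	/*
	 * Don't activate MAC if the policy loader doesn't exist.
	 * If the initrd includes /sbin/init but real-root-dev has not been
	 * mounted on / yet, activating MAC would block the system since
	 * policies are not loaded yet.
	 * Thus, let do_execve() call this function every time.
	 */
	struct path path;

	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
		printk(KERN_INFO "Not activating Mandatory Access Control now "
		       "since %s doesn't exist.\n", tomoyo_loader);
		return false;
	}
	/* Drop the reference taken by the successful kern_path() lookup. */
	path_put(&path);
	return true;
}

/**
 * tomoyo_load_policy - Run external policy loader to load policy.
 *
 * @filename: The program about to start.
 *
 * This function checks whether @filename is /sbin/init (or the dummy name
 * /sbin/tomoyo-start), and if so invokes /sbin/tomoyo-init, waits for the
 * termination of /sbin/tomoyo-init and then continues invocation of
 * /sbin/init.
 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
 * writes to /sys/kernel/security/tomoyo/ interfaces.
 *
 * A non-zero status from the loader is logged, because a loader that fails
 * quietly leaves the administrator unaware that the policy may be missing.
 *
 * Returns nothing.
 */
void tomoyo_load_policy(const char *filename)
{
	char *argv[2];
	char *envp[3];
	int status;

	/* Nothing to do once the policy has been loaded. */
	if (tomoyo_policy_loaded)
		return;
	/*
	 * Check filename is /sbin/init or /sbin/tomoyo-start.
	 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
	 * be passed.
	 * You can create /sbin/tomoyo-start by
	 * "ln -s /bin/true /sbin/tomoyo-start".
	 */
	if (strcmp(filename, "/sbin/init") &&
	    strcmp(filename, "/sbin/tomoyo-start"))
		return;
	if (!tomoyo_policy_loader_exists())
		return;

	printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
	       tomoyo_loader);
	/*
	 * The loader gets a fixed argv and a fixed, minimal environment;
	 * nothing from the program that triggered this call is passed on.
	 */
	argv[0] = (char *) tomoyo_loader;
	argv[1] = NULL;
	envp[0] = "HOME=/";
	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
	envp[2] = NULL;
	/* UMH_WAIT_PROC: block until the loader process has terminated. */
	status = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
	if (status)
		printk(KERN_WARNING "%s returned %d. Policy may not have been "
		       "loaded.\n", tomoyo_loader, status);
	/*
	 * NOTE(review): tomoyo_check_profile() is defined elsewhere;
	 * presumably it validates what the loader wrote - confirm. It is
	 * still called when the loader reported a failure, as before.
	 */
	tomoyo_check_profile();
}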