xref: /openbmc/linux/security/tomoyo/load_policy.c (revision d7a3d85e)
1 /*
2  * security/tomoyo/load_policy.c
3  *
4  * Copyright (C) 2005-2011  NTT DATA CORPORATION
5  */
6 
7 #include "common.h"
8 
9 #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
10 
11 /*
12  * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
13  */
14 static const char *tomoyo_loader;
15 
16 /**
17  * tomoyo_loader_setup - Set policy loader.
18  *
19  * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
20  *
21  * Returns 0.
22  */
23 static int __init tomoyo_loader_setup(char *str)
24 {
25 	tomoyo_loader = str;
26 	return 0;
27 }
28 
29 __setup("TOMOYO_loader=", tomoyo_loader_setup);
30 
31 /**
32  * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
33  *
34  * Returns true if /sbin/tomoyo-init exists, false otherwise.
35  */
36 static bool tomoyo_policy_loader_exists(void)
37 {
38 	struct path path;
39 	if (!tomoyo_loader)
40 		tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
41 	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
42 		printk(KERN_INFO "Not activating Mandatory Access Control "
43 		       "as %s does not exist.\n", tomoyo_loader);
44 		return false;
45 	}
46 	path_put(&path);
47 	return true;
48 }
49 
50 /*
51  * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
52  */
53 static const char *tomoyo_trigger;
54 
55 /**
56  * tomoyo_trigger_setup - Set trigger for activation.
57  *
58  * @str: Program to use as an activation trigger (e.g. /sbin/init ).
59  *
60  * Returns 0.
61  */
62 static int __init tomoyo_trigger_setup(char *str)
63 {
64 	tomoyo_trigger = str;
65 	return 0;
66 }
67 
68 __setup("TOMOYO_trigger=", tomoyo_trigger_setup);
69 
70 /**
71  * tomoyo_load_policy - Run external policy loader to load policy.
72  *
73  * @filename: The program about to start.
74  *
75  * This function checks whether @filename is /sbin/init , and if so
76  * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
77  * and then continues invocation of /sbin/init.
78  * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
79  * writes to /sys/kernel/security/tomoyo/ interfaces.
80  *
81  * Returns nothing.
82  */
83 void tomoyo_load_policy(const char *filename)
84 {
85 	static bool done;
86 	char *argv[2];
87 	char *envp[3];
88 
89 	if (tomoyo_policy_loaded || done)
90 		return;
91 	if (!tomoyo_trigger)
92 		tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
93 	if (strcmp(filename, tomoyo_trigger))
94 		return;
95 	if (!tomoyo_policy_loader_exists())
96 		return;
97 	done = true;
98 	printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
99 	       tomoyo_loader);
100 	argv[0] = (char *) tomoyo_loader;
101 	argv[1] = NULL;
102 	envp[0] = "HOME=/";
103 	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
104 	envp[2] = NULL;
105 	call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
106 	tomoyo_check_profile();
107 }
108 
109 #endif
110