load_policy.c revision 0f2a55d5bb2372058275b0b343d90dd5d640d045 
1/*
2 * security/tomoyo/load_policy.c
3 *
4 * Copyright (C) 2005-2011  NTT DATA CORPORATION
5 */
6
7#include "common.h"
8
9#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
10
11/*
12 * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
13 */
14static const char *tomoyo_loader;
15
16/**
17 * tomoyo_loader_setup - Set policy loader.
18 *
19 * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
20 *
21 * Returns 0.
22 */
23static int __init tomoyo_loader_setup(char *str)
24{
25	tomoyo_loader = str;
26	return 0;
27}
28
29__setup("TOMOYO_loader=", tomoyo_loader_setup);
30
31/**
32 * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
33 *
34 * Returns true if /sbin/tomoyo-init exists, false otherwise.
35 */
36static bool tomoyo_policy_loader_exists(void)
37{
38	struct path path;
39	if (!tomoyo_loader)
40		tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
41	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
42		printk(KERN_INFO "Not activating Mandatory Access Control "
43		       "as %s does not exist.\n", tomoyo_loader);
44		return false;
45	}
46	path_put(&path);
47	return true;
48}
49
50/*
51 * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
52 */
53static const char *tomoyo_trigger;
54
55/**
56 * tomoyo_trigger_setup - Set trigger for activation.
57 *
58 * @str: Program to use as an activation trigger (e.g. /sbin/init ).
59 *
60 * Returns 0.
61 */
62static int __init tomoyo_trigger_setup(char *str)
63{
64	tomoyo_trigger = str;
65	return 0;
66}
67
68__setup("TOMOYO_trigger=", tomoyo_trigger_setup);
69
70/**
71 * tomoyo_load_policy - Run external policy loader to load policy.
72 *
73 * @filename: The program about to start.
74 *
75 * This function checks whether @filename is /sbin/init , and if so
76 * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
77 * and then continues invocation of /sbin/init.
78 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
79 * writes to /sys/kernel/security/tomoyo/ interfaces.
80 *
81 * Returns nothing.
82 */
83void tomoyo_load_policy(const char *filename)
84{
85	static bool done;
86	char *argv[2];
87	char *envp[3];
88
89	if (tomoyo_policy_loaded || done)
90		return;
91	if (!tomoyo_trigger)
92		tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
93	if (strcmp(filename, tomoyo_trigger))
94		return;
95	if (!tomoyo_policy_loader_exists())
96		return;
97	done = true;
98	printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
99	       tomoyo_loader);
100	argv[0] = (char *) tomoyo_loader;
101	argv[1] = NULL;
102	envp[0] = "HOME=/";
103	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
104	envp[2] = NULL;
105	call_usermodehelper(argv[0], argv, envp, 1);
106	tomoyo_check_profile();
107}
108
109#endif
110