]>
Commit | Line | Data |
---|---|---|
c3ef1500 TH |
1 | /* |
2 | * security/tomoyo/load_policy.c | |
3 | * | |
4 | * Policy loader launcher for TOMOYO. | |
5 | * | |
6 | * Copyright (C) 2005-2010 NTT DATA CORPORATION | |
7 | */ | |
8 | ||
9 | #include "common.h" | |
10 | ||
11 | /* path to policy loader */ | |
12 | static const char *tomoyo_loader = "/sbin/tomoyo-init"; | |
13 | ||
14 | /** | |
15 | * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists. | |
16 | * | |
17 | * Returns true if /sbin/tomoyo-init exists, false otherwise. | |
18 | */ | |
19 | static bool tomoyo_policy_loader_exists(void) | |
20 | { | |
21 | /* | |
22 | * Don't activate MAC if the policy loader doesn't exist. | |
23 | * If the initrd includes /sbin/init but real-root-dev has not | |
24 | * mounted on / yet, activating MAC will block the system since | |
25 | * policies are not loaded yet. | |
25985edc | 26 | * Thus, let do_execve() call this function every time. |
c3ef1500 TH |
27 | */ |
28 | struct path path; | |
29 | ||
30 | if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) { | |
31 | printk(KERN_INFO "Not activating Mandatory Access Control now " | |
32 | "since %s doesn't exist.\n", tomoyo_loader); | |
33 | return false; | |
34 | } | |
35 | path_put(&path); | |
36 | return true; | |
37 | } | |
38 | ||
39 | /** | |
40 | * tomoyo_load_policy - Run external policy loader to load policy. | |
41 | * | |
42 | * @filename: The program about to start. | |
43 | * | |
44 | * This function checks whether @filename is /sbin/init , and if so | |
45 | * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init | |
46 | * and then continues invocation of /sbin/init. | |
47 | * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and | |
48 | * writes to /sys/kernel/security/tomoyo/ interfaces. | |
49 | * | |
50 | * Returns nothing. | |
51 | */ | |
52 | void tomoyo_load_policy(const char *filename) | |
53 | { | |
54 | char *argv[2]; | |
55 | char *envp[3]; | |
56 | ||
57 | if (tomoyo_policy_loaded) | |
58 | return; | |
59 | /* | |
60 | * Check filename is /sbin/init or /sbin/tomoyo-start. | |
61 | * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't | |
62 | * be passed. | |
63 | * You can create /sbin/tomoyo-start by | |
64 | * "ln -s /bin/true /sbin/tomoyo-start". | |
65 | */ | |
66 | if (strcmp(filename, "/sbin/init") && | |
67 | strcmp(filename, "/sbin/tomoyo-start")) | |
68 | return; | |
69 | if (!tomoyo_policy_loader_exists()) | |
70 | return; | |
71 | ||
72 | printk(KERN_INFO "Calling %s to load policy. Please wait.\n", | |
73 | tomoyo_loader); | |
74 | argv[0] = (char *) tomoyo_loader; | |
75 | argv[1] = NULL; | |
76 | envp[0] = "HOME=/"; | |
77 | envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin"; | |
78 | envp[2] = NULL; | |
79 | call_usermodehelper(argv[0], argv, envp, 1); | |
80 | tomoyo_check_profile(); | |
81 | } |