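// SPDX-License-Identifier: GPL-2.0
/*
 * security/tomoyo/load_policy.c
 *
 * Copyright (C) 2005-2011 NTT DATA CORPORATION
 */

#include "common.h"

#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER

/*
 * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
 *
 * Either the build-time default or the string given with "TOMOYO_loader=" on
 * the kernel command line. The program named here is later started through
 * call_usermodehelper(), so the boot configuration decides what gets run.
 */
static const char *tomoyo_loader;

/**
 * tomoyo_loader_setup - Set policy loader.
 *
 * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
 *
 * The pointer is stored as given; no validation of the path is done here.
 *
 * Returns 0.
 */
static int __init tomoyo_loader_setup(char *str)
{
	tomoyo_loader = str;
	return 0;
}

__setup("TOMOYO_loader=", tomoyo_loader_setup);

/**
 * tomoyo_policy_loader_exists - Check whether the policy loader exists.
 *
 * Falls back to CONFIG_SECURITY_TOMOYO_POLICY_LOADER when no loader was
 * given on the kernel command line, then resolves the path.
 *
 * This is an existence check only: ownership, file type and contents of the
 * loader are not examined. When the lookup fails the caller skips the policy
 * load and only an informational message is logged.
 *
 * Returns true if the policy loader exists, false otherwise.
 */
static bool tomoyo_policy_loader_exists(void)
{
	struct path path;

	if (!tomoyo_loader)
		tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
	/* LOOKUP_FOLLOW: a symlink in the final component is followed. */
	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
		printk(KERN_INFO "Not activating Mandatory Access Control "
		       "as %s does not exist.\n", tomoyo_loader);
		return false;
	}
	/* Only existence matters; drop the reference kern_path() took. */
	path_put(&path);
	return true;
}

/*
 * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
 */
static const char *tomoyo_trigger;

/**
 * tomoyo_trigger_setup - Set trigger for activation.
 *
 * @str: Program to use as an activation trigger (e.g. /sbin/init ).
 *
 * The pointer is stored as given; no validation of the path is done here.
 *
 * Returns 0.
 */
static int __init tomoyo_trigger_setup(char *str)
{
	tomoyo_trigger = str;
	return 0;
}

__setup("TOMOYO_trigger=", tomoyo_trigger_setup);

/**
 * tomoyo_load_policy - Run external policy loader to load policy.
 *
 * @filename: The program about to start.
 *
 * This function checks whether @filename is the activation trigger
 * (e.g. /sbin/init ), and if so invokes the policy loader
 * (e.g. /sbin/tomoyo-init ), waits for the loader to terminate and then
 * lets the invocation of the trigger continue.
 * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
 * writes to /sys/kernel/security/tomoyo/ interfaces.
 *
 * The comparison with the trigger is an exact string match on @filename.
 * A failure to start the loader, or a non-zero exit status, is logged as a
 * warning; tomoyo_check_profile() is still called afterwards.
 *
 * Returns nothing.
 */
void tomoyo_load_policy(const char *filename)
{
	static bool done;
	char *argv[2];
	char *envp[3];
	int ret;

	if (tomoyo_policy_loaded || done)
		return;
	if (!tomoyo_trigger)
		tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
	if (strcmp(filename, tomoyo_trigger))
		return;
	if (!tomoyo_policy_loader_exists())
		return;
	/*
	 * Set before the helper is started, so any later call returns at the
	 * first check above and the loader is started at most once.
	 */
	done = true;
	printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
	       tomoyo_loader);
	argv[0] = (char *) tomoyo_loader;
	argv[1] = NULL;
	/* Fixed, minimal environment; nothing is taken from the caller. */
	envp[0] = "HOME=/";
	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
	envp[2] = NULL;
	ret = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);
	/*
	 * Do not let a failed policy load go unnoticed: record it in the
	 * kernel log so that it can be spotted during boot review.
	 */
	if (ret)
		printk(KERN_WARNING "Policy loader %s failed (ret=%d).\n",
		       tomoyo_loader, ret);
	/* NOTE(review): presumably validates the loaded profiles - confirm. */
	tomoyo_check_profile();
}

#endif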