Home Esplora Aiuto
Registrati Accedi
phyus
/
linux-vybrid_public
8
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Albero (Tree): 34c8e3d2bb
Rami (Branch) Tag
linux-vybrid_pu...
/
security
/
tomoyo
/
load_policy.c

load_policy.c 2.2 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081 
  1. /*
    2. 

  2.  * security/tomoyo/load_policy.c
    3. 

  3.  *
    4. 

  4.  * Policy loader launcher for TOMOYO.
    5. 

  5.  *
    6. 

  6.  * Copyright (C) 2005-2010  NTT DATA CORPORATION
    7. 

  7.  */
    8. 

  8. 

  9. #include "common.h"
    10. 

  10. 

  11. /* path to policy loader */
    12. 

  12. static const char *tomoyo_loader = "/sbin/tomoyo-init";
    13. 

  13. 

  14. /**
    15. 

  15.  * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
    16. 

  16.  *
    17. 

  17.  * Returns true if /sbin/tomoyo-init exists, false otherwise.
    18. 

  18.  */
    19. 

  19. static bool tomoyo_policy_loader_exists(void)
    20. 

  20. {
    21. 

  21. 	/*
    22. 

  22. 	 * Don't activate MAC if the policy loader doesn't exist.
    23. 

  23. 	 * If the initrd includes /sbin/init but real-root-dev has not
    24. 

  24. 	 * mounted on / yet, activating MAC will block the system since
    25. 

  25. 	 * policies are not loaded yet.
    26. 

  26. 	 * Thus, let do_execve() call this function everytime.
    27. 

  27. 	 */
    28. 

  28. 	struct path path;
    29. 

  29. 

  30. 	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
    31. 

  31. 		printk(KERN_INFO "Not activating Mandatory Access Control now "
    32. 

  32. 		       "since %s doesn't exist.\n", tomoyo_loader);
    33. 

  33. 		return false;
    34. 

  34. 	}
    35. 

  35. 	path_put(&path);
    36. 

  36. 	return true;
    37. 

  37. }
    38. 

  38. 

  39. /**
    40. 

  40.  * tomoyo_load_policy - Run external policy loader to load policy.
    41. 

  41.  *
    42. 

  42.  * @filename: The program about to start.
    43. 

  43.  *
    44. 

  44.  * This function checks whether @filename is /sbin/init , and if so
    45. 

  45.  * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
    46. 

  46.  * and then continues invocation of /sbin/init.
    47. 

  47.  * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
    48. 

  48.  * writes to /sys/kernel/security/tomoyo/ interfaces.
    49. 

  49.  *
    50. 

  50.  * Returns nothing.
    51. 

  51.  */
    52. 

  52. void tomoyo_load_policy(const char *filename)
    53. 

  53. {
    54. 

  54. 	char *argv[2];
    55. 

  55. 	char *envp[3];
    56. 

  56. 

  57. 	if (tomoyo_policy_loaded)
    58. 

  58. 		return;
    59. 

  59. 	/*
    60. 

  60. 	 * Check filename is /sbin/init or /sbin/tomoyo-start.
    61. 

  61. 	 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
    62. 

  62. 	 * be passed.
    63. 

  63. 	 * You can create /sbin/tomoyo-start by
    64. 

  64. 	 * "ln -s /bin/true /sbin/tomoyo-start".
    65. 

  65. 	 */
    66. 

  66. 	if (strcmp(filename, "/sbin/init") &&
    67. 

  67. 	    strcmp(filename, "/sbin/tomoyo-start"))
    68. 

  68. 		return;
    69. 

  69. 	if (!tomoyo_policy_loader_exists())
    70. 

  70. 		return;
    71. 

  71. 

  72. 	printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
    73. 

  73. 	       tomoyo_loader);
    74. 

  74. 	argv[0] = (char *) tomoyo_loader;
    75. 

  75. 	argv[1] = NULL;
    76. 

  76. 	envp[0] = "HOME=/";
    77. 

  77. 	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
    78. 

  78. 	envp[2] = NULL;
    79. 

  79. 	call_usermodehelper(argv[0], argv, envp, 1);
    80. 

  80. 	tomoyo_check_profile();
    81. 

  81. }
    82.