3 files changed, 117 insertions, 23 deletions

diff --git a/security/tomoyo/Kconfig b/security/tomoyo/Kconfig
index c8f385793235..7c7f8c16c10f 100644
--- a/security/tomoyo/Kconfig
+++ b/security/tomoyo/Kconfig
@@ -9,3 +9,64 @@ config SECURITY_TOMOYO
           Required userspace tools and further information may be
           found at <http://tomoyo.sourceforge.jp/>.
           If you are unsure how to answer this question, answer N.
+
+config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY
+        int "Default maximal count for learning mode"
+        default 2048
+        range 0 2147483647
+        depends on SECURITY_TOMOYO
+        help
+          This is the default value for maximal ACL entries
+          that are automatically appended into policy at "learning mode".
+          Some programs access thousands of objects, so running
+          such programs in "learning mode" dulls the system response
+          and consumes much memory.
+          This is the safeguard for such programs.
+
+config SECURITY_TOMOYO_MAX_AUDIT_LOG
+        int "Default maximal count for audit log"
+        default 1024
+        range 0 2147483647
+        depends on SECURITY_TOMOYO
+        help
+          This is the default value for maximal entries for
+          audit logs that the kernel can hold on memory.
+          You can read the log via /sys/kernel/security/tomoyo/audit.
+          If you don't need audit logs, you may set this value to 0.
+
+config SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+        bool "Activate without calling userspace policy loader."
+        default n
+        depends on SECURITY_TOMOYO
+        ---help---
+          Say Y here if you want to activate access control as soon as built-in
+          policy was loaded. This option will be useful for systems where
+          operations which can lead to the hijacking of the boot sequence are
+          needed before loading the policy. For example, you can activate
+          immediately after loading the fixed part of policy which will allow
+          only operations needed for mounting a partition which contains the
+          variant part of policy and verifying (e.g. running GPG check) and
+          loading the variant part of policy. Since you can start using
+          enforcing mode from the beginning, you can reduce the possibility of
+          hijacking the boot sequence.
+
+config SECURITY_TOMOYO_POLICY_LOADER
+        string "Location of userspace policy loader"
+        default "/sbin/tomoyo-init"
+        depends on SECURITY_TOMOYO
+        depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+        ---help---
+          This is the default pathname of policy loader which is called before
+          activation. You can override this setting via TOMOYO_loader= kernel
+          command line option.
+
+config SECURITY_TOMOYO_ACTIVATION_TRIGGER
+        string "Trigger for calling userspace policy loader"
+        default "/sbin/init"
+        depends on SECURITY_TOMOYO
+        depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+        ---help---
+          This is the default pathname of activation trigger.
+          You can override this setting via TOMOYO_trigger= kernel command line
+          option. For example, if you pass init=/bin/systemd option, you may
+          want to also pass TOMOYO_trigger=/bin/systemd option.
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 01e60ad68b3a..8b14cef2338d 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2420,4 +2420,7 @@ void __init tomoyo_load_builtin_policy(void)
                 }
         }
         tomoyo_read_unlock(idx);
+#ifdef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+        tomoyo_check_profile();
+#endif
 }
diff --git a/security/tomoyo/load_policy.c b/security/tomoyo/load_policy.c
index 3312e5624f24..6a5463d26635 100644
--- a/security/tomoyo/load_policy.c
+++ b/security/tomoyo/load_policy.c
@@ -8,8 +8,27 @@
 
 #include "common.h"
 
-/* path to policy loader */
-static const char *tomoyo_loader = "/sbin/tomoyo-init";
+#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+
+/*
+ * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
+ */
+static const char *tomoyo_loader;
+
+/**
+ * tomoyo_loader_setup - Set policy loader.
+ *
+ * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
+ *
+ * Returns 0.
+ */
+static int __init tomoyo_loader_setup(char *str)
+{
+        tomoyo_loader = str;
+        return 0;
+}
+
+__setup("TOMOYO_loader=", tomoyo_loader_setup);
 
 /**
  * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
@@ -18,24 +37,38 @@ static const char *tomoyo_loader = "/sbin/tomoyo-init";
  */
 static bool tomoyo_policy_loader_exists(void)
 {
-        /*
-         * Don't activate MAC if the policy loader doesn't exist.
-         * If the initrd includes /sbin/init but real-root-dev has not
-         * mounted on / yet, activating MAC will block the system since
-         * policies are not loaded yet.
-         * Thus, let do_execve() call this function every time.
-         */
         struct path path;
-
+        if (!tomoyo_loader)
+                tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
         if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
-                printk(KERN_INFO "Not activating Mandatory Access Control now "
-                       "since %s doesn't exist.\n", tomoyo_loader);
+                printk(KERN_INFO "Not activating Mandatory Access Control "
+                       "as %s does not exist.\n", tomoyo_loader);
                 return false;
         }
         path_put(&path);
         return true;
 }
 
+/*
+ * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
+ */
+static const char *tomoyo_trigger;
+
+/**
+ * tomoyo_trigger_setup - Set trigger for activation.
+ *
+ * @str: Program to use as an activation trigger (e.g. /sbin/init ).
+ *
+ * Returns 0.
+ */
+static int __init tomoyo_trigger_setup(char *str)
+{
+        tomoyo_trigger = str;
+        return 0;
+}
+
+__setup("TOMOYO_trigger=", tomoyo_trigger_setup);
+
 /**
  * tomoyo_load_policy - Run external policy loader to load policy.
  *
@@ -51,24 +84,19 @@ static bool tomoyo_policy_loader_exists(void)
  */
 void tomoyo_load_policy(const char *filename)
 {
+        static bool done;
         char *argv[2];
         char *envp[3];
 
-        if (tomoyo_policy_loaded)
+        if (tomoyo_policy_loaded || done)
                 return;
-        /*
-         * Check filename is /sbin/init or /sbin/tomoyo-start.
-         * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
-         * be passed.
-         * You can create /sbin/tomoyo-start by
-         * "ln -s /bin/true /sbin/tomoyo-start".
-         */
-        if (strcmp(filename, "/sbin/init") &&
-            strcmp(filename, "/sbin/tomoyo-start"))
+        if (!tomoyo_trigger)
+                tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
+        if (strcmp(filename, tomoyo_trigger))
                 return;
         if (!tomoyo_policy_loader_exists())
                 return;
-
+        done = true;
         printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
                tomoyo_loader);
         argv[0] = (char *) tomoyo_loader;
@@ -79,3 +107,5 @@ void tomoyo_load_policy(const char *filename)
         call_usermodehelper(argv[0], argv, envp, 1);
         tomoyo_check_profile();
 }
+
+#endif