1 files changed, 81 insertions, 0 deletions
diff --git a/security/tomoyo/load_policy.c b/security/tomoyo/load_policy.c
new file mode 100644
index 00000000000..bbada7ca1b9
--- /dev/null
+++ b/security/tomoyo/load_policy.c
@@ -0,0 +1,81 @@
+/*
+ * security/tomoyo/load_policy.c
+ *
+ * Policy loader launcher for TOMOYO.
+ *
+ * Copyright (C) 2005-2010  NTT DATA CORPORATION
+ */
+#include "common.h"
+/* path to policy loader */
+static const char *tomoyo_loader = "/sbin/tomoyo-init";
+/**
+ * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
+ *
+ * Returns true if /sbin/tomoyo-init exists, false otherwise.
+ */
+static bool tomoyo_policy_loader_exists(void)
+{
+        /*
+         * Don't activate MAC if the policy loader doesn't exist.
+         * If the initrd includes /sbin/init but real-root-dev has not
+         * mounted on / yet, activating MAC will block the system since
+         * policies are not loaded yet.
+         * Thus, let do_execve() call this function everytime.
+         */
+        struct path path;
+        if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
+                printk(KERN_INFO "Not activating Mandatory Access Control now "
+                       "since %s doesn't exist.\n", tomoyo_loader);
+                return false;
+        }
+        path_put(&path);
+        return true;
+}
+/**
+ * tomoyo_load_policy - Run external policy loader to load policy.
+ *
+ * @filename: The program about to start.
+ *
+ * This function checks whether @filename is /sbin/init , and if so
+ * invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
+ * and then continues invocation of /sbin/init.
+ * /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
+ * writes to /sys/kernel/security/tomoyo/ interfaces.
+ *
+ * Returns nothing.
+ */
+void tomoyo_load_policy(const char *filename)
+{
+        char *argv[2];
+        char *envp[3];
+        if (tomoyo_policy_loaded)
+                return;
+        /*
+         * Check filename is /sbin/init or /sbin/tomoyo-start.
+         * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
+         * be passed.
+         * You can create /sbin/tomoyo-start by
+         * "ln -s /bin/true /sbin/tomoyo-start".
+         */
+        if (strcmp(filename, "/sbin/init") &&
+            strcmp(filename, "/sbin/tomoyo-start"))
+                return;
+        if (!tomoyo_policy_loader_exists())
+                return;
+        printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
+               tomoyo_loader);
+        argv[0] = (char *) tomoyo_loader;
+        argv[1] = NULL;
+        envp[0] = "HOME=/";
+        envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
+        envp[2] = NULL;
+        call_usermodehelper(argv[0], argv, envp, 1);
+        tomoyo_check_profile();
+}

diff --git a/security/tomoyo/load_policy.c b/security/tomoyo/load_policy.c new file mode 100644 index 00000000000..bbada7ca1b9 --- /dev/null +++ b/security/tomoyo/load_policy.c
@@ -0,0 +1,81 @@
	1	/*
	2	* security/tomoyo/load_policy.c
	3	*
	4	* Policy loader launcher for TOMOYO.
	5	*
	6	* Copyright (C) 2005-2010 NTT DATA CORPORATION
	7	*/
	8
	9	#include "common.h"
	10
	11	/* path to policy loader */
	12	static const char *tomoyo_loader = "/sbin/tomoyo-init";
	13
	14	/**
	15	* tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
	16	*
	17	* Returns true if /sbin/tomoyo-init exists, false otherwise.
	18	*/
	19	static bool tomoyo_policy_loader_exists(void)
	20	{
	21	/*
	22	* Don't activate MAC if the policy loader doesn't exist.
	23	* If the initrd includes /sbin/init but real-root-dev has not
	24	* mounted on / yet, activating MAC will block the system since
	25	* policies are not loaded yet.
	26	* Thus, let do_execve() call this function everytime.
	27	*/
	28	struct path path;
	29
	30	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
	31	printk(KERN_INFO "Not activating Mandatory Access Control now "
	32	"since %s doesn't exist.\n", tomoyo_loader);
	33	return false;
	34	}
	35	path_put(&path);
	36	return true;
	37	}
	38
	39	/**
	40	* tomoyo_load_policy - Run external policy loader to load policy.
	41	*
	42	* @filename: The program about to start.
	43	*
	44	* This function checks whether @filename is /sbin/init , and if so
	45	* invoke /sbin/tomoyo-init and wait for the termination of /sbin/tomoyo-init
	46	* and then continues invocation of /sbin/init.
	47	* /sbin/tomoyo-init reads policy files in /etc/tomoyo/ directory and
	48	* writes to /sys/kernel/security/tomoyo/ interfaces.
	49	*
	50	* Returns nothing.
	51	*/
	52	void tomoyo_load_policy(const char *filename)
	53	{
	54	char *argv[2];
	55	char *envp[3];
	56
	57	if (tomoyo_policy_loaded)
	58	return;
	59	/*
	60	* Check filename is /sbin/init or /sbin/tomoyo-start.
	61	* /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
	62	* be passed.
	63	* You can create /sbin/tomoyo-start by
	64	* "ln -s /bin/true /sbin/tomoyo-start".
	65	*/
	66	if (strcmp(filename, "/sbin/init") &&
	67	strcmp(filename, "/sbin/tomoyo-start"))
	68	return;
	69	if (!tomoyo_policy_loader_exists())
	70	return;
	71
	72	printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
	73	tomoyo_loader);
	74	argv[0] = (char *) tomoyo_loader;
	75	argv[1] = NULL;
	76	envp[0] = "HOME=/";
	77	envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
	78	envp[2] = NULL;
	79	call_usermodehelper(argv[0], argv, envp, 1);
	80	tomoyo_check_profile();
	81	}