Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755483AbcJUMuZ (ORCPT ); Fri, 21 Oct 2016 08:50:25 -0400 Received: from www262.sakura.ne.jp ([202.181.97.72]:39040 "EHLO www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933538AbcJUMti (ORCPT ); Fri, 21 Oct 2016 08:49:38 -0400 From: Tetsuo Handa To: linux-security-module@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Tetsuo Handa Subject: [PATCH 6/8] CaitSith: Add policy loader functions. Date: Fri, 21 Oct 2016 21:49:08 +0900 Message-Id: <1477054150-4772-7-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1477054150-4772-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp> References: <1477054150-4772-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3290 Lines: 128 This file allows userspace tools to load policy configuration unless CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER is defined. If CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER is defined, only built-in policy configuration which is generated as security/caitsith/builtin-policy.h at compilation time from security/caitsith/policy/policy.conf will be loaded. Signed-off-by: Tetsuo Handa --- security/caitsith/load_policy.c | 106 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 security/caitsith/load_policy.c diff --git a/security/caitsith/load_policy.c b/security/caitsith/load_policy.c new file mode 100644 index 0000000..e9b9706 --- /dev/null +++ b/security/caitsith/load_policy.c 
@@ -0,0 +1,106 @@ +/* + * security/caitsith/load_policy.c + * + * Copyright (C) 2005-2012 NTT DATA CORPORATION + */ + +#include "caitsith.h" + +#ifndef CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER + +/* Path to the policy loader. */ +static const char *cs_loader; + +/** + * cs_loader_setup - Set policy loader. + * + * @str: Program to use as a policy loader (e.g. /sbin/caitsith-init ). + * + * Returns 0. + */ +static int __init cs_loader_setup(char *str) +{ + cs_loader = str; + return 0; +} + +__setup("CS_loader=", cs_loader_setup); + +/** + * cs_policy_loader_exists - Check whether /sbin/caitsith-init exists. + * + * Returns true if /sbin/caitsith-init exists, false otherwise. + */ +static bool cs_policy_loader_exists(void) +{ + struct path path; + + if (!cs_loader) + cs_loader = CONFIG_SECURITY_CAITSITH_POLICY_LOADER; + if (kern_path(cs_loader, LOOKUP_FOLLOW, &path) == 0) { + path_put(&path); + return true; + } + printk(KERN_INFO "Not activating CaitSith as %s does not exist.\n", + cs_loader); + return false; +} + +/* Path to the trigger. */ +static const char *cs_trigger; + +/** + * cs_trigger_setup - Set trigger for activation. + * + * @str: Program to use as an activation trigger (e.g. /sbin/init ). + * + * Returns 0. + */ +static int __init cs_trigger_setup(char *str) +{ + cs_trigger = str; + return 0; +} + +__setup("CS_trigger=", cs_trigger_setup); + +/** + * cs_load_policy - Run external policy loader to load policy. + * + * @filename: The program about to start. + * + * Returns nothing. + * + * This function checks whether @filename is /sbin/init, and if so + * invoke /sbin/caitsith-init and wait for the termination of + * /sbin/caitsith-init and then continues invocation of /sbin/init. + * /sbin/caitsith-init reads policy files in /etc/caitsith/ directory and + * writes to /sys/kernel/security/caitsith/ interfaces. 
+ */ +void cs_load_policy(const char *filename) +{ + static _Bool done; + char *argv[2]; + char *envp[3]; + + if (done) + return; + if (!cs_trigger) + cs_trigger = CONFIG_SECURITY_CAITSITH_ACTIVATION_TRIGGER; + if (strcmp(filename, cs_trigger)) + return; + if (!cs_policy_loader_exists()) + return; + done = 1; + printk(KERN_INFO "Calling %s to load policy. Please wait.\n", + cs_loader); + argv[0] = (char *) cs_loader; + argv[1] = NULL; + envp[0] = "HOME=/"; + envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin"; + envp[2] = NULL; + call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC); + cs_check_profile(); +} + +#endif -- 1.8.3.1
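Review bot: both `__setup` handlers in this hunk, `cs_loader_setup()` and `cs_trigger_setup()`, return 0 after storing their argument; a `__setup` handler must return 1 once it has consumed the parameter, otherwise the kernel treats `CS_loader=...` and `CS_trigger=...` as unrecognised boot options and still passes them on to init's environment even though the value was already recorded, so both should be `return 1;`. In `cs_load_policy()` the result of `call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC)` is discarded and `done = 1` has already been set before the call, so if the loader cannot be executed the failure is silent, `cs_check_profile()` runs regardless, and the trigger is never retried; capture the return value, report it alongside the existing `printk`, and decide explicitly whether `cs_check_profile()` should still run on failure. Minor: `static _Bool done;` should be `static bool done;` per kernel style, and the kernel-doc for `cs_policy_loader_exists()` says it checks `/sbin/caitsith-init` while the code actually checks whatever `cs_loader` holds (`CONFIG_SECURITY_CAITSITH_POLICY_LOADER` or the `CS_loader=` override), so the comment should describe the configurable path.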