From patchwork Fri Oct 21 12:49:08 2016
X-Patchwork-Submitter: Tetsuo Handa
X-Patchwork-Id: 9388901
From: Tetsuo Handa
To: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Tetsuo Handa
Subject: [PATCH 6/8] CaitSith: Add policy loader functions.
Date: Fri, 21 Oct 2016 21:49:08 +0900
Message-Id: <1477054150-4772-7-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp>
In-Reply-To: <1477054150-4772-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp>
References: <1477054150-4772-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp>

This file allows userspace tools to load policy configuration unless
CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER is defined. If
CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER is defined, only built-in
policy configuration which is generated as security/caitsith/builtin-policy.h
at compilation time from security/caitsith/policy/policy.conf will be loaded.

Signed-off-by: Tetsuo Handa
---
 security/caitsith/load_policy.c | 106 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 security/caitsith/load_policy.c

diff --git a/security/caitsith/load_policy.c b/security/caitsith/load_policy.c
new file mode 100644
index 0000000..e9b9706
--- /dev/null
+++ b/security/caitsith/load_policy.c
@@ -0,0 +1,106 @@ +/* + * security/caitsith/load_policy.c + * + * Copyright (C) 2005-2012 NTT DATA CORPORATION + */ + +#include "caitsith.h" + +#ifndef CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER + +/* Path to the policy loader. */ +static const char *cs_loader; + +/** + * cs_loader_setup - Set policy loader. + * + * @str: Program to use as a policy loader (e.g. /sbin/caitsith-init ). + * + * Returns 0. + */ +static int __init cs_loader_setup(char *str) +{ + cs_loader = str; + return 0; +} + +__setup("CS_loader=", cs_loader_setup); + +/** + * cs_policy_loader_exists - Check whether /sbin/caitsith-init exists. + * + * Returns true if /sbin/caitsith-init exists, false otherwise. + */ +static bool cs_policy_loader_exists(void) +{ + struct path path; + + if (!cs_loader) + cs_loader = CONFIG_SECURITY_CAITSITH_POLICY_LOADER; + if (kern_path(cs_loader, LOOKUP_FOLLOW, &path) == 0) { + path_put(&path); + return true; + } + printk(KERN_INFO "Not activating CaitSith as %s does not exist.\n", + cs_loader); + return false; +} + +/* Path to the trigger. */ +static const char *cs_trigger; + +/** + * cs_trigger_setup - Set trigger for activation. + * + * @str: Program to use as an activation trigger (e.g. /sbin/init ). + * + * Returns 0. + */ +static int __init cs_trigger_setup(char *str) +{ + cs_trigger = str; + return 0; +} + +__setup("CS_trigger=", cs_trigger_setup); + +/** + * cs_load_policy - Run external policy loader to load policy. + * + * @filename: The program about to start. + * + * Returns nothing. + * + * This function checks whether @filename is /sbin/init, and if so + * invoke /sbin/caitsith-init and wait for the termination of + * /sbin/caitsith-init and then continues invocation of /sbin/init. + * /sbin/caitsith-init reads policy files in /etc/caitsith/ directory and + * writes to /sys/kernel/security/caitsith/ interfaces. 
+ */ +void cs_load_policy(const char *filename) +{ + static _Bool done; + char *argv[2]; + char *envp[3]; + + if (done) + return; + if (!cs_trigger) + cs_trigger = CONFIG_SECURITY_CAITSITH_ACTIVATION_TRIGGER; + if (strcmp(filename, cs_trigger)) + return; + if (!cs_policy_loader_exists()) + return; + done = 1; + printk(KERN_INFO "Calling %s to load policy. Please wait.\n", + cs_loader); + argv[0] = (char *) cs_loader; + argv[1] = NULL; + envp[0] = "HOME=/"; + envp[1] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin"; + envp[2] = NULL; + call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC); + cs_check_profile(); +} + +#endif
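Review bot: in cs_load_policy() the return value of call_usermodehelper() is discarded and `done = 1` is set before the helper runs, so a loader that cannot be spawned or that exits non-zero is never reported and the load is never retried; capture the result (`int ret = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC);`) and at least log it together with cs_loader before cs_check_profile() runs, so a failed policy load is visible in the kernel log rather than only through whatever cs_check_profile() does afterwards. The kernel-doc for cs_policy_loader_exists() says it checks /sbin/caitsith-init, but the function checks whatever cs_loader points at (the CS_loader= boot parameter, falling back to CONFIG_SECURITY_CAITSITH_POLICY_LOADER); the comment should say that, and the description of cs_load_policy() should likewise say the trigger is cs_trigger / CONFIG_SECURITY_CAITSITH_ACTIVATION_TRIGGER rather than a fixed /sbin/init, since the comparison is a plain strcmp() against the name passed in @filename.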