mirror of https://gitee.com/openkylin/linux.git
TOMOYO: Add built-in policy support.
To be able to start using enforcing mode from the early stage of boot sequence, this patch adds support for built-in policy configuration (and next patch adds support for activating access control without calling external policy loader program). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
b22b8b9fd9
commit
efe836ab2b
|
@ -1 +1,48 @@
|
|||
obj-y = audit.o common.o domain.o file.o gc.o group.o load_policy.o memory.o mount.o realpath.o securityfs_if.o tomoyo.o util.o
|
||||
|
||||
$(obj)/policy/profile.conf:
|
||||
@mkdir -p $(obj)/policy/
|
||||
@echo Creating an empty policy/profile.conf
|
||||
@touch $@
|
||||
|
||||
$(obj)/policy/exception_policy.conf:
|
||||
@mkdir -p $(obj)/policy/
|
||||
@echo Creating a default policy/exception_policy.conf
|
||||
@echo initialize_domain /sbin/modprobe from any >> $@
|
||||
@echo initialize_domain /sbin/hotplug from any >> $@
|
||||
|
||||
$(obj)/policy/domain_policy.conf:
|
||||
@mkdir -p $(obj)/policy/
|
||||
@echo Creating an empty policy/domain_policy.conf
|
||||
@touch $@
|
||||
|
||||
$(obj)/policy/manager.conf:
|
||||
@mkdir -p $(obj)/policy/
|
||||
@echo Creating an empty policy/manager.conf
|
||||
@touch $@
|
||||
|
||||
$(obj)/policy/stat.conf:
|
||||
@mkdir -p $(obj)/policy/
|
||||
@echo Creating an empty policy/stat.conf
|
||||
@touch $@
|
||||
|
||||
$(obj)/builtin-policy.h: $(obj)/policy/profile.conf $(obj)/policy/exception_policy.conf $(obj)/policy/domain_policy.conf $(obj)/policy/manager.conf $(obj)/policy/stat.conf
|
||||
@echo Generating built-in policy for TOMOYO 2.4.x.
|
||||
@echo "static char tomoyo_builtin_profile[] __initdata =" > $@.tmp
|
||||
@sed -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/profile.conf >> $@.tmp
|
||||
@echo "\"\";" >> $@.tmp
|
||||
@echo "static char tomoyo_builtin_exception_policy[] __initdata =" >> $@.tmp
|
||||
@sed -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/exception_policy.conf >> $@.tmp
|
||||
@echo "\"\";" >> $@.tmp
|
||||
@echo "static char tomoyo_builtin_domain_policy[] __initdata =" >> $@.tmp
|
||||
@sed -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/domain_policy.conf >> $@.tmp
|
||||
@echo "\"\";" >> $@.tmp
|
||||
@echo "static char tomoyo_builtin_manager[] __initdata =" >> $@.tmp
|
||||
@sed -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/manager.conf >> $@.tmp
|
||||
@echo "\"\";" >> $@.tmp
|
||||
@echo "static char tomoyo_builtin_stat[] __initdata =" >> $@.tmp
|
||||
@sed -e 's/\\/\\\\/g' -e 's/\"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/stat.conf >> $@.tmp
|
||||
@echo "\"\";" >> $@.tmp
|
||||
@mv $@.tmp $@
|
||||
|
||||
$(obj)/common.o: $(obj)/builtin-policy.h
|
||||
|
|
|
@ -2361,3 +2361,63 @@ void tomoyo_check_profile(void)
|
|||
tomoyo_read_unlock(idx);
|
||||
printk(KERN_INFO "Mandatory Access Control activated.\n");
|
||||
}
|
||||
|
||||
/**
|
||||
* tomoyo_load_builtin_policy - Load built-in policy.
|
||||
*
|
||||
* Returns nothing.
|
||||
*/
|
||||
void __init tomoyo_load_builtin_policy(void)
|
||||
{
|
||||
/*
|
||||
* This include file is manually created and contains built-in policy
|
||||
* named "tomoyo_builtin_profile", "tomoyo_builtin_exception_policy",
|
||||
* "tomoyo_builtin_domain_policy", "tomoyo_builtin_manager",
|
||||
* "tomoyo_builtin_stat" in the form of "static char [] __initdata".
|
||||
*/
|
||||
#include "builtin-policy.h"
|
||||
u8 i;
|
||||
const int idx = tomoyo_read_lock();
|
||||
for (i = 0; i < 5; i++) {
|
||||
struct tomoyo_io_buffer head = { };
|
||||
char *start = "";
|
||||
switch (i) {
|
||||
case 0:
|
||||
start = tomoyo_builtin_profile;
|
||||
head.type = TOMOYO_PROFILE;
|
||||
head.write = tomoyo_write_profile;
|
||||
break;
|
||||
case 1:
|
||||
start = tomoyo_builtin_exception_policy;
|
||||
head.type = TOMOYO_EXCEPTIONPOLICY;
|
||||
head.write = tomoyo_write_exception;
|
||||
break;
|
||||
case 2:
|
||||
start = tomoyo_builtin_domain_policy;
|
||||
head.type = TOMOYO_DOMAINPOLICY;
|
||||
head.write = tomoyo_write_domain;
|
||||
break;
|
||||
case 3:
|
||||
start = tomoyo_builtin_manager;
|
||||
head.type = TOMOYO_MANAGER;
|
||||
head.write = tomoyo_write_manager;
|
||||
break;
|
||||
case 4:
|
||||
start = tomoyo_builtin_stat;
|
||||
head.type = TOMOYO_STAT;
|
||||
head.write = tomoyo_write_stat;
|
||||
break;
|
||||
}
|
||||
while (1) {
|
||||
char *end = strchr(start, '\n');
|
||||
if (!end)
|
||||
break;
|
||||
*end = '\0';
|
||||
tomoyo_normalize_line(start);
|
||||
head.write_buf = start;
|
||||
tomoyo_parse_policy(&head, start);
|
||||
start = end + 1;
|
||||
}
|
||||
}
|
||||
tomoyo_read_unlock(idx);
|
||||
}
|
||||
|
|
|
@ -662,6 +662,7 @@ const struct tomoyo_path_info *tomoyo_get_name(const char *name);
|
|||
void tomoyo_convert_time(time_t time, struct tomoyo_time *stamp);
|
||||
void tomoyo_update_stat(const u8 index);
|
||||
void __init tomoyo_mm_init(void);
|
||||
void __init tomoyo_load_builtin_policy(void);
|
||||
int tomoyo_path_permission(struct tomoyo_request_info *r, u8 operation,
|
||||
const struct tomoyo_path_info *filename);
|
||||
int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
|
||||
|
|
|
@ -215,14 +215,4 @@ void __init tomoyo_mm_init(void)
|
|||
INIT_LIST_HEAD(&tomoyo_kernel_domain.acl_info_list);
|
||||
tomoyo_kernel_domain.domainname = tomoyo_get_name("<kernel>");
|
||||
list_add_tail_rcu(&tomoyo_kernel_domain.list, &tomoyo_domain_list);
|
||||
#if 0
|
||||
/* Will be replaced with tomoyo_load_builtin_policy(). */
|
||||
{
|
||||
/* Load built-in policy. */
|
||||
tomoyo_write_transition_control("/sbin/hotplug", false,
|
||||
TOMOYO_TRANSITION_CONTROL_INITIALIZE);
|
||||
tomoyo_write_transition_control("/sbin/modprobe", false,
|
||||
TOMOYO_TRANSITION_CONTROL_INITIALIZE);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue