
TOMOYO: Make several options configurable.

To be able to start using enforcing mode from the early stage of boot sequence,
this patch adds support for activating access control without calling external
policy loader program. This will be useful for systems where operations which
can lead to the hijacking of the boot sequence are needed before loading the
policy. For example, you can activate immediately after loading the fixed part
of the policy, which allows only the operations needed to mount the partition
holding the variable part of the policy, verify it (e.g. with a GPG check) and
load it. Since you can start using
enforcing mode from the beginning, you can reduce the possibility of hijacking
the boot sequence.

This patch makes several variables configurable on build time. This patch also
adds TOMOYO_loader= and TOMOYO_trigger= kernel command line option to boot the
same kernel in two different init systems (BSD-style init and systemd).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>

authored by

Tetsuo Handa and committed by
James Morris
0e4ae0e0 efe836ab

+117 -23
+61
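--- a/security/tomoyo/Kconfig
+++ b/security/tomoyo/Kconfig
@@ -9,3 +9,64 @@
 	  Required userspace tools and further information may be
 	  found at <http://tomoyo.sourceforge.jp/>.
 	  If you are unsure how to answer this question, answer N.
+
+config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY
+	int "Default maximal count for learning mode"
+	default 2048
+	range 0 2147483647
+	depends on SECURITY_TOMOYO
+	help
+	  This is the default value for maximal ACL entries
+	  that are automatically appended into policy at "learning mode".
+	  Some programs access thousands of objects, so running
+	  such programs in "learning mode" dulls the system response
+	  and consumes much memory.
+	  This is the safeguard for such programs.
+
+config SECURITY_TOMOYO_MAX_AUDIT_LOG
+	int "Default maximal count for audit log"
+	default 1024
+	range 0 2147483647
+	depends on SECURITY_TOMOYO
+	help
+	  This is the default value for maximal entries for
+	  audit logs that the kernel can hold on memory.
+	  You can read the log via /sys/kernel/security/tomoyo/audit.
+	  If you don't need audit logs, you may set this value to 0.
+
+config SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+	bool "Activate without calling userspace policy loader."
+	default n
+	depends on SECURITY_TOMOYO
+	---help---
+	  Say Y here if you want to activate access control as soon as built-in
+	  policy was loaded. This option will be useful for systems where
+	  operations which can lead to the hijacking of the boot sequence are
+	  needed before loading the policy. For example, you can activate
+	  immediately after loading the fixed part of policy which will allow
+	  only operations needed for mounting a partition which contains the
+	  variant part of policy and verifying (e.g. running GPG check) and
+	  loading the variant part of policy. Since you can start using
+	  enforcing mode from the beginning, you can reduce the possibility of
+	  hijacking the boot sequence.
+
+config SECURITY_TOMOYO_POLICY_LOADER
+	string "Location of userspace policy loader"
+	default "/sbin/tomoyo-init"
+	depends on SECURITY_TOMOYO
+	depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+	---help---
+	  This is the default pathname of policy loader which is called before
+	  activation. You can override this setting via TOMOYO_loader= kernel
+	  command line option.
+
+config SECURITY_TOMOYO_ACTIVATION_TRIGGER
+	string "Trigger for calling userspace policy loader"
+	default "/sbin/init"
+	depends on SECURITY_TOMOYO
+	depends on !SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+	---help---
+	  This is the default pathname of activation trigger.
+	  You can override this setting via TOMOYO_trigger= kernel command line
+	  option. For example, if you pass init=/bin/systemd option, you may
+	  want to also pass TOMOYO_trigger=/bin/systemd option.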
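Review bot: The help text for SECURITY_TOMOYO_OMIT_USERSPACE_LOADER does not say that the TOMOYO_loader= and TOMOYO_trigger= command line options stop existing when it is enabled, even though the two __setup() handlers in load_policy.c are compiled out under `#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER` in this same commit. An administrator who passes TOMOYO_loader= on such a kernel gets no error and no loader; it is worth adding to the help: `Note that the TOMOYO_loader= and TOMOYO_trigger= kernel command line options are not available when this option is enabled; the policy loader and trigger settings below are likewise unused.` The SECURITY_TOMOYO_POLICY_LOADER help could also state that the path must be absolute, since the value is passed straight to kern_path() and call_usermodehelper() without any normalisation.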
+3
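--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2420,4 +2420,7 @@
 		}
 	}
 	tomoyo_read_unlock(idx);
+#ifdef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+	tomoyo_check_profile();
+#endif
 }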
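Review bot: The new `tomoyo_check_profile()` call has no comment explaining that, with CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER set, this is the only place access control is ever activated (tomoyo_load_policy() and the loader lookup are compiled out in load_policy.c by the same commit). A reader of this function, whose start is outside the hunk, cannot tell that from the three added lines; suggest `/* No userspace loader in this configuration: activate as soon as the built-in policy has been read. */` above the `#ifdef`. It would also help to state, in that comment or the Kconfig help, what happens when the built-in policy is empty, since there is no fallback path once the loader is omitted — I cannot verify tomoyo_check_profile()'s behaviour in that case from this hunk.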
+53 -23
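--- a/security/tomoyo/load_policy.c
+++ b/security/tomoyo/load_policy.c
@@ -8,8 +8,27 @@
 
 #include "common.h"
 
-/* path to policy loader */
-static const char *tomoyo_loader = "/sbin/tomoyo-init";
+#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+
+/*
+ * Path to the policy loader. (default = CONFIG_SECURITY_TOMOYO_POLICY_LOADER)
+ */
+static const char *tomoyo_loader;
+
+/**
+ * tomoyo_loader_setup - Set policy loader.
+ *
+ * @str: Program to use as a policy loader (e.g. /sbin/tomoyo-init ).
+ *
+ * Returns 0.
+ */
+static int __init tomoyo_loader_setup(char *str)
+{
+	tomoyo_loader = str;
+	return 0;
+}
+
+__setup("TOMOYO_loader=", tomoyo_loader_setup);
 
 /**
  * tomoyo_policy_loader_exists - Check whether /sbin/tomoyo-init exists.
@@ -18,23 +37,37 @@
  */
 static bool tomoyo_policy_loader_exists(void)
 {
-	/*
-	 * Don't activate MAC if the policy loader doesn't exist.
-	 * If the initrd includes /sbin/init but real-root-dev has not
-	 * mounted on / yet, activating MAC will block the system since
-	 * policies are not loaded yet.
-	 * Thus, let do_execve() call this function every time.
-	 */
 	struct path path;
-
+	if (!tomoyo_loader)
+		tomoyo_loader = CONFIG_SECURITY_TOMOYO_POLICY_LOADER;
 	if (kern_path(tomoyo_loader, LOOKUP_FOLLOW, &path)) {
-		printk(KERN_INFO "Not activating Mandatory Access Control now "
-		       "since %s doesn't exist.\n", tomoyo_loader);
+		printk(KERN_INFO "Not activating Mandatory Access Control "
+		       "as %s does not exist.\n", tomoyo_loader);
 		return false;
 	}
 	path_put(&path);
 	return true;
 }
+
+/*
+ * Path to the trigger. (default = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER)
+ */
+static const char *tomoyo_trigger;
+
+/**
+ * tomoyo_trigger_setup - Set trigger for activation.
+ *
+ * @str: Program to use as an activation trigger (e.g. /sbin/init ).
+ *
+ * Returns 0.
+ */
+static int __init tomoyo_trigger_setup(char *str)
+{
+	tomoyo_trigger = str;
+	return 0;
+}
+
+__setup("TOMOYO_trigger=", tomoyo_trigger_setup);
 
 /**
  * tomoyo_load_policy - Run external policy loader to load policy.
@@ -51,24 +84,19 @@
  */
 void tomoyo_load_policy(const char *filename)
 {
+	static bool done;
 	char *argv[2];
 	char *envp[3];
 
-	if (tomoyo_policy_loaded)
+	if (tomoyo_policy_loaded || done)
 		return;
-	/*
-	 * Check filename is /sbin/init or /sbin/tomoyo-start.
-	 * /sbin/tomoyo-start is a dummy filename in case where /sbin/init can't
-	 * be passed.
-	 * You can create /sbin/tomoyo-start by
-	 * "ln -s /bin/true /sbin/tomoyo-start".
-	 */
-	if (strcmp(filename, "/sbin/init") &&
-	    strcmp(filename, "/sbin/tomoyo-start"))
+	if (!tomoyo_trigger)
+		tomoyo_trigger = CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER;
+	if (strcmp(filename, tomoyo_trigger))
 		return;
 	if (!tomoyo_policy_loader_exists())
 		return;
-
+	done = true;
 	printk(KERN_INFO "Calling %s to load policy. Please wait.\n",
 	       tomoyo_loader);
 	argv[0] = (char *) tomoyo_loader;
@@ -79,3 +107,5 @@
 	call_usermodehelper(argv[0], argv, envp, 1);
 	tomoyo_check_profile();
 }
+
+#endif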
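Review bot: Both new __setup() handlers, tomoyo_loader_setup() and tomoyo_trigger_setup(), end with `return 0;` and their kernel-doc says `Returns 0.`; by the kernel's __setup convention a handler returns 1 to mark the argument as consumed, and a 0 return leaves the `TOMOYO_loader=...` / `TOMOYO_trigger=...` string to be passed on to init as an argument or environment variable. Suggest `return 1;` in both handlers and `Returns 1.` in both kernel-doc blocks. The stored string is also used unchecked: an empty or relative `TOMOYO_loader=` value makes kern_path() fail on every trigger exec, so access control silently never activates beyond the KERN_INFO line, and nothing stops a non-absolute `TOMOYO_trigger=` from never matching do_execve()'s filename. This is not a new privilege boundary (whoever edits the command line can already set init=), but a one-line comment above tomoyo_loader and tomoyo_trigger such as `/* Must be an absolute pathname; compared verbatim against the exec'd filename. */` would document the contract, and the removed comment about retrying on every do_execve() until the loader exists is still the reason `done` is set only after tomoyo_policy_loader_exists() succeeds — worth keeping a short version of it next to `done = true;`.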