| 1 |
#! /bin/sh |
| 2 |
# |
| 3 |
# Policy Loader. |
| 4 |
# |
| 5 |
# Copyright (C) 2005-2008 NTT DATA CORPORATION |
| 6 |
# |
| 7 |
# Version: 1.6.2-pre 2008/06/10 |
| 8 |
# |
| 9 |
# This program is executed automatically by kernel |
| 10 |
# when execution of /sbin/init is requested. |
| 11 |
# |
| 12 |
|
| 13 |
PROFILE="default" |
| 14 |
TOMOYO_NOLOAD=0 |
| 15 |
TOMOYO_QUIET=0 |
| 16 |
PROC_UNMOUNT=0 |
| 17 |
CHDIR_OK=0 |
| 18 |
|
| 19 |
# Mount /proc if not mounted. |
| 20 |
if [ ! -d /proc/self/ ]; then |
| 21 |
mount -nt proc none /proc && PROC_UNMOUNT=1 |
| 22 |
fi |
| 23 |
|
| 24 |
# Unmount /proc and exit if policy interface doesn't exist. |
| 25 |
if [ ! -d /proc/ccs/ ]; then |
| 26 |
[ $PROC_UNMOUNT -eq 1 ] && umount -n /proc |
| 27 |
exit 1 |
| 28 |
fi |
| 29 |
|
| 30 |
# Open /dev/console if stdio are not connected. |
| 31 |
# |
| 32 |
# WARNING: Don't let this program be invoked implicitly |
| 33 |
# if you are not operating from console. |
| 34 |
# Otherwise, you will get unable to respond to prompt |
| 35 |
# if something went wrong. |
| 36 |
if [ ! -r /proc/self/fd/0 ]; then |
| 37 |
exec 0< /dev/console |
| 38 |
exec 1> /dev/console |
| 39 |
exec 2> /dev/console |
| 40 |
fi |
| 41 |
|
| 42 |
# Check /proc/cmdline and /proc/self/cmdline |
| 43 |
for i in `cat /proc/cmdline` "$@" |
| 44 |
do |
| 45 |
case $i in |
| 46 |
(CCS=ask) |
| 47 |
PROFILE="ask" |
| 48 |
;; |
| 49 |
(CCS=default) |
| 50 |
PROFILE="default" |
| 51 |
;; |
| 52 |
(CCS=disabled) |
| 53 |
PROFILE="disable" |
| 54 |
;; |
| 55 |
(CCS=*) |
| 56 |
PROFILE=`echo $i | cut -b 5-` |
| 57 |
;; |
| 58 |
(TOMOYO_NOLOAD) |
| 59 |
TOMOYO_NOLOAD=1 |
| 60 |
;; |
| 61 |
(TOMOYO_QUIET) |
| 62 |
TOMOYO_QUIET=1 |
| 63 |
;; |
| 64 |
esac |
| 65 |
done |
| 66 |
|
| 67 |
# Does policy directory exist? |
| 68 |
if cd /etc/ccs/ 2> /dev/null; then |
| 69 |
CHDIR_OK=1 |
| 70 |
else |
| 71 |
PROFILE="disable" |
| 72 |
fi |
| 73 |
|
| 74 |
# Does selected profile exist? |
| 75 |
if [ $CHDIR_OK -eq 1 ]; then |
| 76 |
if [ "x$PROFILE" = "xdefault" ]; then |
| 77 |
if [ ! -r profile.conf ]; then |
| 78 |
echo "TOMOYO Linux: Default profile doesn't exist." |
| 79 |
PROFILE="ask" |
| 80 |
fi |
| 81 |
elif [ "x$PROFILE" != "xask" -a "x$PROFILE" != "xdisable" ]; then |
| 82 |
if [ ! -r profile-$PROFILE.conf ]; then |
| 83 |
echo "TOMOYO Linux: Specified profile doesn't exist." |
| 84 |
PROFILE="ask" |
| 85 |
fi |
| 86 |
fi |
| 87 |
fi |
| 88 |
|
| 89 |
# Show prompt if something went wrong or explicitly asked. |
| 90 |
if [ "x$PROFILE" = "xask" ]; then |
| 91 |
while : |
| 92 |
do |
| 93 |
echo "TOMOYO Linux: Select a profile from the following list." |
| 94 |
if [ $CHDIR_OK -eq 1 ]; then |
| 95 |
# Show profiles in policy directory. |
| 96 |
[ -r profile.conf ] && echo "default" |
| 97 |
echo profile-*.conf | awk ' { gsub("profile-default.conf", ""); gsub("profile-disable.conf", ""); gsub("profile-", ""); gsub(".conf", ""); if ( $0 != "*") print $0; } ' |
| 98 |
fi |
| 99 |
echo "disable" |
| 100 |
PROFILE="" |
| 101 |
read -p "> " PROFILE |
| 102 |
if [ $CHDIR_OK -eq 1 ]; then |
| 103 |
[ -r profile.conf -a "x$PROFILE" = "xdefault" ] && break |
| 104 |
[ "x$PROFILE" != "xdefault" -a "x$PROFILE" != "xdisable" -a -r profile-$PROFILE.conf ] && break |
| 105 |
fi |
| 106 |
[ "x$PROFILE" = "xdisable" ] && break |
| 107 |
[ "x$PROFILE" = "xTOMOYO_NOLOAD" ] && TOMOYO_NOLOAD=1 |
| 108 |
[ "x$PROFILE" = "xTOMOYO_QUIET" ] && TOMOYO_QUIET=1 |
| 109 |
done |
| 110 |
fi |
| 111 |
|
| 112 |
# Load policy. |
| 113 |
if [ $CHDIR_OK -eq 1 ]; then |
| 114 |
[ -r manager.conf ] && cat manager.conf > /proc/ccs/manager |
| 115 |
[ -r system_policy.conf -a -w /proc/ccs/system_policy ] && cat system_policy.conf > /proc/ccs/system_policy |
| 116 |
[ -r exception_policy.conf -a -w /proc/ccs/exception_policy ] && cat exception_policy.conf > /proc/ccs/exception_policy |
| 117 |
[ $TOMOYO_NOLOAD -eq 0 -a -r domain_policy.conf -a -w /proc/ccs/domain_policy ] && cat domain_policy.conf > /proc/ccs/domain_policy |
| 118 |
if [ "x$PROFILE" = "xdefault" ]; then |
| 119 |
[ -r profile.conf ] && cat profile.conf > /proc/ccs/profile |
| 120 |
elif [ "x$PROFILE" != "xdisable" ]; then |
| 121 |
[ -r profile-$PROFILE.conf ] && cat profile-$PROFILE.conf > /proc/ccs/profile |
| 122 |
fi |
| 123 |
fi |
| 124 |
|
| 125 |
# Use disabled mode? |
| 126 |
if [ "x$PROFILE" = "xdisable" ]; then |
| 127 |
for i in `seq 0 255`; do echo $i-COMMENT= ; done > /proc/ccs/profile |
| 128 |
grep -vF -- -COMMENT= /proc/ccs/profile | sed -e 's/[0-9]*$/0/' > /proc/ccs/profile |
| 129 |
fi |
| 130 |
|
| 131 |
# Disable verbose mode? |
| 132 |
if [ $TOMOYO_QUIET -eq 1 ]; then |
| 133 |
grep -F TOMOYO_VERBOSE /proc/ccs/profile | sed -e 's/[0-9]*$/0/' > /proc/ccs/profile |
| 134 |
fi |
| 135 |
|
| 136 |
# Do additional initialization. |
| 137 |
[ -x /etc/ccs/ccs-post-init ] && /etc/ccs/ccs-post-init |
| 138 |
|
| 139 |
[ -r /proc/ccs/domain_policy ] && awk ' BEGIN { domain=0; acl=0; } { if ( $1 == "<kernel>" ) domain++; else if ( $1 != "" && $1 != "use_profile") acl++; } END { print domain " domains. " acl " ACL entries."; } ' /proc/ccs/domain_policy |
| 140 |
|
| 141 |
# Show memory usage. |
| 142 |
awk ' BEGIN { shared_mem=0; private_mem=0; } { if ( $1 == "Shared:" ) shared_mem = $2 / 1024; else if ( $1 == "Private:" ) private_mem = $2 / 1024; } END { print shared_mem " KB shared. " private_mem " KB private."; } ' /proc/ccs/meminfo |
| 143 |
|
| 144 |
[ $PROC_UNMOUNT -eq 1 ] && umount -n /proc |
| 145 |
exit 0 |
TOMOYO
Parent Directory
Revision Log