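#! /bin/sh
#
# Policy Loader.
#
# Copyright (C) 2005-2008 NTT DATA CORPORATION
#
# Version: 1.6.2-pre 2008/06/10
#
# This program is executed automatically by kernel
# when execution of /sbin/init is requested.
#
# The interpreter is /bin/sh, so only POSIX constructs are used below
# (no "read -p", no "[[ ]]", no "seq") and dash or busybox ash behave
# the same way as bash.
#
# Tokens recognized on the kernel command line and in "$@":
#   CCS=ask          always show the profile prompt
#   CCS=default      use profile.conf
#   CCS=disabled     use disabled mode
#   CCS=<name>       use profile-<name>.conf
#   TOMOYO_NOLOAD    do not load domain_policy.conf
#   TOMOYO_QUIET     set every TOMOYO_VERBOSE attribute to 0
#
# Exit status: 1 if /proc/ccs/ does not exist, 0 otherwise.
#

PROFILE="default"
TOMOYO_NOLOAD=0
TOMOYO_QUIET=0
PROC_UNMOUNT=0
CHDIR_OK=0

# Returns 0 when $1 may be used as a profile name.
# The name is expanded into "profile-$1.conf" relative to /etc/ccs/, so an
# empty name or one containing "/" is rejected: it could otherwise name a
# file outside the policy directory (e.g. via "../").
profile_name_ok() {
	case $1 in
	''|*/*)
		return 1
		;;
	esac
	return 0
}

# Print the selectable profile names found in the current directory, one
# per line: "default" when profile.conf is readable, then every
# profile-<name>.conf except the fixed "default" and "disable" names.
list_profiles() {
	[ -r profile.conf ] && echo "default"
	for f in profile-*.conf; do
		# An unmatched glob stays as the literal pattern; skip it.
		[ -r "$f" ] || continue
		name=${f#profile-}
		name=${name%.conf}
		case $name in
		default|disable)
			;;
		*)
			echo "$name"
			;;
		esac
	done
}

# Mount /proc if not mounted.
if [ ! -d /proc/self/ ]; then
	mount -nt proc none /proc && PROC_UNMOUNT=1
fi

# Unmount /proc and exit if policy interface doesn't exist.
if [ ! -d /proc/ccs/ ]; then
	[ "$PROC_UNMOUNT" -eq 1 ] && umount -n /proc
	exit 1
fi

# Open /dev/console if stdio are not connected.
#
# WARNING: Don't let this program be invoked implicitly
# if you are not operating from console.
# Otherwise, you will get unable to respond to prompt
# if something went wrong.
if [ ! -r /proc/self/fd/0 ]; then
	exec 0< /dev/console
	exec 1> /dev/console
	exec 2> /dev/console
fi

# Check /proc/cmdline and /proc/self/cmdline.
# The command substitution is deliberately unquoted: the kernel command
# line is one space-separated line and each word is one token.
for i in $(cat /proc/cmdline) "$@"
do
	case $i in
	CCS=ask)
		PROFILE="ask"
		;;
	CCS=default)
		PROFILE="default"
		;;
	CCS=disabled)
		PROFILE="disable"
		;;
	CCS=*)
		# Everything after "CCS=" is the profile name.
		PROFILE=${i#CCS=}
		;;
	TOMOYO_NOLOAD)
		TOMOYO_NOLOAD=1
		;;
	TOMOYO_QUIET)
		TOMOYO_QUIET=1
		;;
	esac
done

# Does policy directory exist?
if cd /etc/ccs/ 2> /dev/null; then
	CHDIR_OK=1
else
	PROFILE="disable"
fi

# Does selected profile exist?
if [ "$CHDIR_OK" -eq 1 ]; then
	case $PROFILE in
	default)
		if [ ! -r profile.conf ]; then
			echo "TOMOYO Linux: Default profile doesn't exist."
			PROFILE="ask"
		fi
		;;
	ask|disable)
		;;
	*)
		if ! profile_name_ok "$PROFILE"; then
			echo "TOMOYO Linux: Invalid profile name."
			PROFILE="ask"
		elif [ ! -r "profile-$PROFILE.conf" ]; then
			echo "TOMOYO Linux: Specified profile doesn't exist."
			PROFILE="ask"
		fi
		;;
	esac
fi

# Show prompt if something went wrong or explicitly asked.
if [ "x$PROFILE" = "xask" ]; then
	while :
	do
		echo "TOMOYO Linux: Select a profile from the following list."
		# Show profiles in policy directory.
		[ "$CHDIR_OK" -eq 1 ] && list_profiles
		echo "disable"
		PROFILE=""
		# "read -p" is a bashism; print the prompt separately.
		# When read fails (EOF: nobody is on the console) there is no
		# answer to wait for, so use disabled mode -- the same fallback
		# as a missing policy directory -- instead of re-printing the
		# prompt forever.
		printf '> '
		if ! read -r PROFILE; then
			echo "TOMOYO Linux: No response; using disabled mode."
			PROFILE="disable"
			break
		fi
		[ "x$PROFILE" = "xdisable" ] && break
		if [ "$CHDIR_OK" -eq 1 ]; then
			[ "x$PROFILE" = "xdefault" ] && [ -r profile.conf ] && break
			if [ "x$PROFILE" != "xdefault" ] && profile_name_ok "$PROFILE" \
				&& [ -r "profile-$PROFILE.conf" ]; then
				break
			fi
		fi
		[ "x$PROFILE" = "xTOMOYO_NOLOAD" ] && TOMOYO_NOLOAD=1
		[ "x$PROFILE" = "xTOMOYO_QUIET" ] && TOMOYO_QUIET=1
	done
fi

# Load policy.
if [ "$CHDIR_OK" -eq 1 ]; then
	[ -r manager.conf ] && cat manager.conf > /proc/ccs/manager
	[ -r system_policy.conf ] && [ -w /proc/ccs/system_policy ] \
		&& cat system_policy.conf > /proc/ccs/system_policy
	[ -r exception_policy.conf ] && [ -w /proc/ccs/exception_policy ] \
		&& cat exception_policy.conf > /proc/ccs/exception_policy
	# Domain policy is skipped when TOMOYO_NOLOAD was given.
	[ "$TOMOYO_NOLOAD" -eq 0 ] && [ -r domain_policy.conf ] && [ -w /proc/ccs/domain_policy ] \
		&& cat domain_policy.conf > /proc/ccs/domain_policy
	if [ "x$PROFILE" = "xdefault" ]; then
		[ -r profile.conf ] && cat profile.conf > /proc/ccs/profile
	elif [ "x$PROFILE" != "xdisable" ]; then
		[ -r "profile-$PROFILE.conf" ] && cat "profile-$PROFILE.conf" > /proc/ccs/profile
	fi
fi

# Use disabled mode?
if [ "x$PROFILE" = "xdisable" ]; then
	# First write a COMMENT line for every profile number 0..255
	# (presumably so that each profile exists in the kernel), then read
	# the non-COMMENT attributes back and rewrite each with a trailing 0.
	# /proc/ccs/profile is a kernel interface, so reading it and writing
	# it in the same pipeline is intended.
	i=0
	while [ "$i" -le 255 ]; do
		echo "$i-COMMENT="
		i=$((i + 1))
	done > /proc/ccs/profile
	grep -vF -- -COMMENT= /proc/ccs/profile | sed -e 's/[0-9]*$/0/' > /proc/ccs/profile
fi

# Disable verbose mode?
if [ "$TOMOYO_QUIET" -eq 1 ]; then
	grep -F TOMOYO_VERBOSE /proc/ccs/profile | sed -e 's/[0-9]*$/0/' > /proc/ccs/profile
fi

# Do additional initialization.
[ -x /etc/ccs/ccs-post-init ] && /etc/ccs/ccs-post-init

# Show domain / ACL counts: a "<kernel>" first field starts a domain,
# every other non-empty line except "use_profile" counts as an ACL entry.
[ -r /proc/ccs/domain_policy ] && awk ' BEGIN { domain=0; acl=0; } { if ( $1 == "<kernel>" ) domain++; else if ( $1 != "" && $1 != "use_profile") acl++; } END { print domain " domains. " acl " ACL entries."; } ' /proc/ccs/domain_policy

# Show memory usage.
awk ' BEGIN { shared_mem=0; private_mem=0; } { if ( $1 == "Shared:" ) shared_mem = $2 / 1024; else if ( $1 == "Private:" ) private_mem = $2 / 1024; } END { print shared_mem " KB shared. " private_mem " KB private."; } ' /proc/ccs/meminfo

[ "$PROC_UNMOUNT" -eq 1 ] && umount -n /proc
exit 0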