From ed440f6be935faeea3192c9509ef262fddb3fc33 Mon Sep 17 00:00:00 2001
From: Shawn Landden
Date: Tue, 7 Nov 2017 08:12:36 -0800
Subject: [PATCH] condition: detect TOMOYO MAC (#7249)

TOMOYO is a Mandatory Access Control security module for Linux. Rather than ship rules, TOMOYO features a learning mode.
http://tomoyo.osdn.jp/ http://tomoyo.osdn.jp/2.5/index.html.en
---
 man/systemd.unit.xml | 1 +
 src/shared/condition.c | 3 +++
 src/shared/meson.build | 2 ++
 src/shared/tomoyo-util.c | 32 ++++++++++++++++++++++++++++++++
 src/shared/tomoyo-util.h | 24 ++++++++++++++++++++++++
 5 files changed, 62 insertions(+)
 create mode 100644 src/shared/tomoyo-util.c
 create mode 100644 src/shared/tomoyo-util.h
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index ab7613dcc4..738cc4c9b3 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -952,6 +952,7 @@
 system. Currently, the recognized values are
 selinux,
 apparmor,
+ tomoyo,
 ima,
 smack and
 audit. The test may be negated by
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 74d5e854e1..a25c825a09 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -54,6 +54,7 @@
 #include "stat-util.h"
 #include "string-table.h"
 #include "string-util.h"
+#include "tomoyo-util.h"
 #include "user-util.h"
 #include "util.h"
 #include "virt.h"
@@ -301,6 +302,8 @@ static int condition_test_security(Condition *c) {
 return use_audit();
 if (streq(c->parameter, "ima"))
 return use_ima();
+ if (streq(c->parameter, "tomoyo"))
+ return mac_tomoyo_use();
 
 return false;
 }
diff --git a/src/shared/meson.build b/src/shared/meson.build
index 883821352e..9e3e462854 100644
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@@ -88,6 +88,8 @@ shared_sources = '''
 sysctl-util.h
 tests.c
 tests.h
+ tomoyo-util.c
+ tomoyo-util.h
 udev-util.h
 udev-util.c
 uid-range.c
diff --git a/src/shared/tomoyo-util.c b/src/shared/tomoyo-util.c
new file mode 100644
index 0000000000..f5b07888a4
--- /dev/null
+++ b/src/shared/tomoyo-util.c
@@ -0,0 +1,32 @@
+/***
+ This file is part of systemd.
+
+ Copyright 2017 Shawn Landden
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see .
+***/
+
+#include
+
+#include "tomoyo-util.h"
+
+bool mac_tomoyo_use(void) {
+ static int cached_use = -1;
+
+ if (cached_use < 0)
+ cached_use = (access("/sys/kernel/security/tomoyo/version",
+ F_OK) == 0);
+
+ return cached_use;
+}
diff --git a/src/shared/tomoyo-util.h b/src/shared/tomoyo-util.h
new file mode 100644
index 0000000000..746e97c256
--- /dev/null
+++ b/src/shared/tomoyo-util.h
@@ -0,0 +1,24 @@
+#pragma once
+
+/***
+ This file is part of systemd.
+
+ Copyright 2017 Shawn Landden
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see .
+***/
+
+#include
+
+bool mac_tomoyo_use(void);
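Review bot: `mac_tomoyo_use()` only probes `/sys/kernel/security/tomoyo/version` with `access(..., F_OK)`, so `ConditionSecurity=tomoyo` reports that the TOMOYO module is registered on securityfs, not that any policy is being enforced — the commit message itself notes that TOMOYO works through a learning mode, and unit authors should not read a true result as "confined". Because the answer is latched in `static int cached_use` on the first call, a probe that fails for a reason other than the module being absent (securityfs not yet mounted giving ENOENT, or EACCES for an unprivileged caller) pins the result to false for the rest of the process; that appears to be the same pattern the other `mac_*_use()` helpers follow, but it deserves a comment above the function such as `/* Presence of the securityfs node shows the LSM is loaded, not that it enforces; the result is cached for the process lifetime, so do not call this before securityfs is mounted. */`. The bare `+#include` at the top of the hunk is most likely `<unistd.h>` (needed for access() and F_OK) lost to extraction rather than a defect in the patch.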