condition: detect TOMOYO MAC (#7249)

TOMOYO is a Mandatory Access Control security module for Linux. Rather than ship rules, TOMOYO features a learning mode. http://tomoyo.osdn.jp/ http://tomoyo.osdn.jp/2.5/index.html.en
2017-11-07 08:12:36 -08:00 · 2017-11-07 08:12:36 -08:00 · ed440f6be9
parent 4b742c8acd
commit ed440f6be9
5 changed files with 62 additions and 0 deletions
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@ -952,6 +952,7 @@
        system. Currently, the recognized values are
        <varname>selinux</varname>,
        <varname>apparmor</varname>,
+        <varname>tomoyo</varname>,
        <varname>ima</varname>,
        <varname>smack</varname> and
        <varname>audit</varname>. The test may be negated by
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@ -54,6 +54,7 @@
 #include "stat-util.h"
 #include "string-table.h"
 #include "string-util.h"
+#include "tomoyo-util.h"
 #include "user-util.h"
 #include "util.h"
 #include "virt.h"
@ -301,6 +302,8 @@ static int condition_test_security(Condition *c) {
                return use_audit();
        if (streq(c->parameter, "ima"))
                return use_ima();
+        if (streq(c->parameter, "tomoyo"))
+                return mac_tomoyo_use();

        return false;
 }
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@ -88,6 +88,8 @@ shared_sources = '''
        sysctl-util.h
        tests.c
        tests.h
+        tomoyo-util.c
+        tomoyo-util.h
        udev-util.h
        udev-util.c
        uid-range.c
--- a/src/shared/tomoyo-util.c
+++ b/src/shared/tomoyo-util.c
@ -0,0 +1,32 @@
+/***
+  This file is part of systemd.
+
+  Copyright 2017 Shawn Landden
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <unistd.h>
+
+#include "tomoyo-util.h"
+
+bool mac_tomoyo_use(void) {
+        static int cached_use = -1;
+
+        if (cached_use < 0)
+                cached_use = (access("/sys/kernel/security/tomoyo/version",
+                                     F_OK) == 0);
+
+        return cached_use;
+}
--- a/src/shared/tomoyo-util.h
+++ b/src/shared/tomoyo-util.h
@ -0,0 +1,24 @@
+#pragma once
+
+/***
+  This file is part of systemd.
+
+  Copyright 2017 Shawn Landden
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdbool.h>
+
+bool mac_tomoyo_use(void);