condition: detect TOMOYO MAC (#7249)

TOMOYO is a Mandatory Access Control security module for Linux.
Rather than ship rules, TOMOYO features a learning mode.

http://tomoyo.osdn.jp/
http://tomoyo.osdn.jp/2.5/index.html.en

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index ab7613d..738cc4c 100644 (file)
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -952,6 +952,7 @@
         system. Currently, the recognized values are
         <varname>selinux</varname>,
         <varname>apparmor</varname>,
+        <varname>tomoyo</varname>,
         <varname>ima</varname>,
         <varname>smack</varname> and
         <varname>audit</varname>. The test may be negated by

diff --git a/src/shared/condition.c b/src/shared/condition.c
index 74d5e85..a25c825 100644 (file)
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -54,6 +54,7 @@
 #include "stat-util.h"
 #include "string-table.h"
 #include "string-util.h"
+#include "tomoyo-util.h"
 #include "user-util.h"
 #include "util.h"
 #include "virt.h"
@@ -301,6 +302,8 @@ static int condition_test_security(Condition *c) {
                 return use_audit();
         if (streq(c->parameter, "ima"))
                 return use_ima();
+        if (streq(c->parameter, "tomoyo"))
+                return mac_tomoyo_use();
 
         return false;
 }

diff --git a/src/shared/meson.build b/src/shared/meson.build
index 8838213..9e3e462 100644 (file)
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@@ -88,6 +88,8 @@ shared_sources = '''
         sysctl-util.h
         tests.c
         tests.h
+        tomoyo-util.c
+        tomoyo-util.h
         udev-util.h
         udev-util.c
         uid-range.c

diff --git a/src/shared/tomoyo-util.c b/src/shared/tomoyo-util.c
new file mode 100644 (file)
index 0000000..f5b0788
--- /dev/null
+++ b/src/shared/tomoyo-util.c
@@ -0,0 +1,32 @@
+/***
+  This file is part of systemd.
+
+  Copyright 2017 Shawn Landden
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <unistd.h>
+
+#include "tomoyo-util.h"
+
+bool mac_tomoyo_use(void) {
+        static int cached_use = -1;
+
+        if (cached_use < 0)
+                cached_use = (access("/sys/kernel/security/tomoyo/version",
+                                     F_OK) == 0);
+
+        return cached_use;
+}

diff --git a/src/shared/tomoyo-util.h b/src/shared/tomoyo-util.h
new file mode 100644 (file)
index 0000000..746e97c
--- /dev/null
+++ b/src/shared/tomoyo-util.h
@@ -0,0 +1,24 @@
+#pragma once
+
+/***
+  This file is part of systemd.
+
+  Copyright 2017 Shawn Landden
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdbool.h>
+
+bool mac_tomoyo_use(void);