init/config_process_mgmt_utils.sh - mirrors/cros/chromiumos/platform2 - Git at Google

 #!/bin/sh
 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 # Functions for configuring process management policies in the chromiumos LSM.

 # Path to the securityfs file for configuring process management security
 # policies in the chromiumos LSM (used for kernel version <= 4.4).
 # TODO(mortonm): Remove this and the corresponding line in
 # add_process_mgmt_policy when all devices have been updated/backported to get
 # the SafeSetID LSM functionality.
 CHROMIUMOS_PROCESS_MGMT_POLICIES="/sys/kernel/security/chromiumos\
 /process_management_policies/add_whitelist_policy"

 # Path to the securityfs file for configuring process management security
 # policies in the SafeSetID LSM (used for kernel version >= 4.14).
 SAFESETID_PROCESS_MGMT_POLICIES="/sys/kernel/security/safesetid\
 /whitelist_policy"

 # Path to the securityfs file for configuring process management security
 # policies in the SafeSetID LSM (used for kernel version >= 5.9).
 SAFESETID_PROCESS_MGMT_POLICIES_UID="/sys/kernel/security/safesetid\
 /uid_allowlist_policy"

 # Path to securityfs file for configuring GID policies in the SafeSetID
 # LSM. (only used/tested in kernels >= 5.9)
 SAFESETID_PROCESS_MGMT_POLICIES_GID="/sys/kernel/security/safesetid\
 /gid_allowlist_policy"

 # Project-specific process management policies. Projects may add policies by
 # adding a file under /usr/share/cros/startup/process_management_policies/
 # for UID's and under /usr/share/cros/startup/gid_process_management_policies/
 # for GID's, whose contents are one or more lines specifying a parent ID and a
 # child ID that the parent can use for the purposes of process management.
 # There should be one line for every mapping that is to be put in the
 # allowlist. Lines in the file should use the following format:
 # <UID>:<UID> or <GID>:<GID>
 #
 # For example, if the 'shill' user needs to use 'dhcp', 'openvpn' and 'ipsec'
 # and 'syslog' for process management, the file would look like:
 # 20104:224
 # 20104:217
 # 20104:212
 # 20104:202

 # _accumulate_policy_files takes in all the files contained in "${filepaths}"
 # reads their contents, copies and appends them to a file determined by
 # "${output}"
 _accumulate_policy_files() {
   local file policy
   local accum=""
   local output="$1"
   shift
   for file in "$@"; do
     if [ -f "${file}" ]; then
       while read -r policy; do
         case "${policy}" in
         # Ignore blank lines.
         "") ;;
         # Ignore comments.
         "#"*) ;;
         # Don't record GID policies into CHROMIUMOS_PROCESS_MGMT_POLICIES.
         *)
           if [ -e "${CHROMIUMOS_PROCESS_MGMT_POLICIES}" ]; then
             if [ "${output}" != \
                   "${SAFESETID_PROCESS_MGMT_POLICIES_GID}" ]; then
               printf "%s" "${policy}" > "${CHROMIUMOS_PROCESS_MGMT_POLICIES}"
             fi
           else
             accum="${accum}${policy}\n"
           fi
           ;;
         esac
       done < "${file}"
     fi
   done
   if [ ! -e "${CHROMIUMOS_PROCESS_MGMT_POLICIES}" ]; then
     printf "%b" "${accum}" > "${output}"
   fi
 }

 # Determine where securityfs files are placed.
 # No inputs, checks for which securityfs file paths
 # exist and accumulates files for securityfs.
 configure_process_mgmt_security() {
   # For UID relevant files.
   if [ -e "${SAFESETID_PROCESS_MGMT_POLICIES_UID}" ]; then
     _accumulate_policy_files \
       "${SAFESETID_PROCESS_MGMT_POLICIES_UID}" \
       /usr/share/cros/startup/process_management_policies/*
   elif [ -e "${SAFESETID_PROCESS_MGMT_POLICIES}" ]; then
     _accumulate_policy_files \
       "${SAFESETID_PROCESS_MGMT_POLICIES}" \
       /usr/share/cros/startup/process_management_policies/*
   else
     # ${CHROMIUMOS_PROCESSS_MGMT_POLICIES} exists. In this function
     # call, parameter "${output}" is irrelevant to function behavior.
     _accumulate_policy_files \
       "${CHROMIUMOS_PROCESS_MGMT_POLICIES}" \
       /usr/share/cros/startup/process_management_policies/*
   fi
   # For GID relevant files.
   if [ -e "${SAFESETID_PROCESS_MGMT_POLICIES_GID}" ]; then
     _accumulate_policy_files \
       "${SAFESETID_PROCESS_MGMT_POLICIES_GID}" \
       /usr/share/cros/startup/gid_process_management_policies/*
   fi
 }
	#!/bin/sh
	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	# Functions for configuring process management policies in the chromiumos LSM.

	# Path to the securityfs file for configuring process management security
	# policies in the chromiumos LSM (used for kernel version <= 4.4).
	# TODO(mortonm): Remove this and the corresponding line in
	# add_process_mgmt_policy when all devices have been updated/backported to get
	# the SafeSetID LSM functionality.
	CHROMIUMOS_PROCESS_MGMT_POLICIES="/sys/kernel/security/chromiumos\
	/process_management_policies/add_whitelist_policy"

	# Path to the securityfs file for configuring process management security
	# policies in the SafeSetID LSM (used for kernel version >= 4.14).
	SAFESETID_PROCESS_MGMT_POLICIES="/sys/kernel/security/safesetid\
	/whitelist_policy"

	# Path to the securityfs file for configuring process management security
	# policies in the SafeSetID LSM (used for kernel version >= 5.9).
	SAFESETID_PROCESS_MGMT_POLICIES_UID="/sys/kernel/security/safesetid\
	/uid_allowlist_policy"

	# Path to securityfs file for configuring GID policies in the SafeSetID
	# LSM. (only used/tested in kernels >= 5.9)
	SAFESETID_PROCESS_MGMT_POLICIES_GID="/sys/kernel/security/safesetid\
	/gid_allowlist_policy"

	# Project-specific process management policies. Projects may add policies by
	# adding a file under /usr/share/cros/startup/process_management_policies/
	# for UID's and under /usr/share/cros/startup/gid_process_management_policies/
	# for GID's, whose contents are one or more lines specifying a parent ID and a
	# child ID that the parent can use for the purposes of process management.
	# There should be one line for every mapping that is to be put in the
	# allowlist. Lines in the file should use the following format:
	# <UID>:<UID> or <GID>:<GID>
	#
	# For example, if the 'shill' user needs to use 'dhcp', 'openvpn' and 'ipsec'
	# and 'syslog' for process management, the file would look like:
	# 20104:224
	# 20104:217
	# 20104:212
	# 20104:202

	# _accumulate_policy_files takes in all the files contained in "${filepaths}"
	# reads their contents, copies and appends them to a file determined by
	# "${output}"
	_accumulate_policy_files() {
	local file policy
	local accum=""
	local output="$1"
	shift
	for file in "$@"; do
	if [ -f "${file}" ]; then
	while read -r policy; do
	case "${policy}" in
	# Ignore blank lines.
	"") ;;
	# Ignore comments.
	"#"*) ;;
	# Don't record GID policies into CHROMIUMOS_PROCESS_MGMT_POLICIES.
	*)
	if [ -e "${CHROMIUMOS_PROCESS_MGMT_POLICIES}" ]; then
	if [ "${output}" != \
	"${SAFESETID_PROCESS_MGMT_POLICIES_GID}" ]; then
	printf "%s" "${policy}" > "${CHROMIUMOS_PROCESS_MGMT_POLICIES}"
	fi
	else
	accum="${accum}${policy}\n"
	fi
	;;
	esac
	done < "${file}"
	fi
	done
	if [ ! -e "${CHROMIUMOS_PROCESS_MGMT_POLICIES}" ]; then
	printf "%b" "${accum}" > "${output}"
	fi
	}

	# Determine where securityfs files are placed.
	# No inputs, checks for which securityfs file paths
	# exist and accumulates files for securityfs.
	configure_process_mgmt_security() {
	# For UID relevant files.
	if [ -e "${SAFESETID_PROCESS_MGMT_POLICIES_UID}" ]; then
	_accumulate_policy_files \
	"${SAFESETID_PROCESS_MGMT_POLICIES_UID}" \
	/usr/share/cros/startup/process_management_policies/*
	elif [ -e "${SAFESETID_PROCESS_MGMT_POLICIES}" ]; then
	_accumulate_policy_files \
	"${SAFESETID_PROCESS_MGMT_POLICIES}" \
	/usr/share/cros/startup/process_management_policies/*
	else
	# ${CHROMIUMOS_PROCESSS_MGMT_POLICIES} exists. In this function
	# call, parameter "${output}" is irrelevant to function behavior.
	_accumulate_policy_files \
	"${CHROMIUMOS_PROCESS_MGMT_POLICIES}" \
	/usr/share/cros/startup/process_management_policies/*
	fi
	# For GID relevant files.
	if [ -e "${SAFESETID_PROCESS_MGMT_POLICIES_GID}" ]; then
	_accumulate_policy_files \
	"${SAFESETID_PROCESS_MGMT_POLICIES_GID}" \
	/usr/share/cros/startup/gid_process_management_policies/*
	fi
	}