#include <linux/init.h>#include <rsbac/types.h>#include <rsbac/debug.h>#include <rsbac/fs.h>#include <linux/types.h>#include <linux/dcache.h>Go to the source code of this file.
Functions | |
| void | rsbac_init_adf (void) __init |
| enum rsbac_adf_req_ret_t | rsbac_adf_request_int (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t *tid_p, enum rsbac_attribute_t attr, union rsbac_attribute_value_t *attr_val_p, enum rsbac_switch_target_t ignore_module) |
| enum rsbac_adf_req_ret_t | rsbac_adf_request (enum rsbac_adf_request_t, rsbac_pid_t, enum rsbac_target_t, union rsbac_target_id_t, enum rsbac_attribute_t, union rsbac_attribute_value_t) |
| int | rsbac_adf_set_attr (enum rsbac_adf_request_t, rsbac_pid_t, enum rsbac_target_t, union rsbac_target_id_t, enum rsbac_target_t, union rsbac_target_id_t, enum rsbac_attribute_t, union rsbac_attribute_value_t) |
| int | rsbac_sec_del (struct dentry *dentry_p) |
| int | rsbac_sec_trunc (struct dentry *dentry_p, loff_t new_len, loff_t old_len) |
| char * | rsbac_symlink_redirect (struct dentry *dentry_p, const char *name, u_int maxlen) |
| int | rsbac_set_audit_uid (rsbac_uid_t uid) |
|
||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||
|
Definition at line 161 of file adf_main.c. References A_audit_uid, A_local_log_array_high, A_local_log_array_low, A_log_array_high, A_log_array_low, A_log_program_based, A_log_user_based, A_none, A_pseudo, A_remote_ip, A_remote_log_array_high, A_remote_log_array_low, ACL, adf_and_plus(), rsbac_attribute_value_t::audit_uid, AUTH, CAP, DAZ, DO_NOT_CARE, rsbac_attribute_value_t::dummy, FALSE, FF, GEN, get_attribute_name(), get_attribute_value_name(), get_request_name(), get_result_name(), get_target_name(), GRANTED, JAIL, LL_denied, LL_full, LL_request, rsbac_attribute_value_t::log_array_high, rsbac_attribute_value_t::log_array_low, rsbac_attribute_value_t::log_program_based, rsbac_attribute_value_t::log_user_based, MAC, NIPQUAD, NOT_GRANTED, NULL, rsbac_attribute_value_t::owner, PAX, PM, rsbac_target_id_t::process, rsbac_attribute_value_t::pseudo, R_CHANGE_DAC_EFF_GROUP, R_CHANGE_DAC_EFF_OWNER, R_CHANGE_DAC_FS_GROUP, R_CHANGE_DAC_FS_OWNER, R_CHANGE_GROUP, R_CHANGE_OWNER, R_CHDIR, R_CLOSE, R_GET_PERMISSIONS_DATA, R_GET_STATUS_DATA, R_NONE, R_READ, R_READ_ATTRIBUTE, R_SEARCH, R_TERMINATE, RC, REG, rsbac_attribute_value_t::remote_ip, RES, rsbac_adf_request_acl(), rsbac_adf_request_auth(), rsbac_adf_request_cap(), rsbac_adf_request_check(), rsbac_adf_request_count, rsbac_adf_request_daz(), rsbac_adf_request_ff(), rsbac_adf_request_jail(), rsbac_adf_request_mac(), rsbac_adf_request_pax(), rsbac_adf_request_pm(), rsbac_adf_request_rc(), rsbac_adf_request_reg(), rsbac_adf_request_res(), RSBAC_EINVALIDDEV, rsbac_get_attr, rsbac_get_full_path(), rsbac_get_super_block(), rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), rsbac_log_levels, RSBAC_MAXNAMELEN, rsbac_min, rsbac_net_remote_request(), RSBAC_NO_USER, rsbac_printk(), rsbac_remove_target, rsbac_um_group_exists(), rsbac_um_user_exists(), SW_NONE, T_DEV, T_DIR, T_FIFO, T_FILE, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NONE, T_PROCESS, T_SYMLINK, T_USER, TRUE, UNDEFINED, and rsbac_target_id_t::user. Referenced by rsbac_adf_request(), and rsbac_pm(). 00168 {
00169 union rsbac_target_id_t i_tid;
00170 union rsbac_attribute_value_t i_attr_val;
00171 rsbac_uid_t owner=0;
00172 int tmperr=0;
00173 enum rsbac_adf_req_ret_t result = DO_NOT_CARE;
00174 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00175 enum rsbac_adf_req_ret_t ret_result = DO_NOT_CARE;
00176 #endif
00177 #ifndef CONFIG_RSBAC_MAINT
00178 enum rsbac_adf_req_ret_t mod_result[SW_NONE + 1] = {
00179 DO_NOT_CARE,
00180 DO_NOT_CARE,
00181 DO_NOT_CARE,
00182 DO_NOT_CARE,
00183 DO_NOT_CARE,
00184 DO_NOT_CARE,
00185 DO_NOT_CARE,
00186 DO_NOT_CARE,
00187 DO_NOT_CARE,
00188 DO_NOT_CARE,
00189 DO_NOT_CARE,
00190 DO_NOT_CARE,
00191 DO_NOT_CARE,
00192 DO_NOT_CARE,
00193 DO_NOT_CARE,
00194 DO_NOT_CARE,
00195 DO_NOT_CARE,
00196 DO_NOT_CARE
00197 };
00198 #endif
00199 rsbac_boolean_t do_log = FALSE;
00200 rsbac_boolean_t log_on_request = TRUE;
00201 /* only if individual logging is enabled */
00202 #if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
00203 union rsbac_attribute_value_t i_attr_val2;
00204 enum rsbac_log_level_t log_level;
00205 #endif
00206 struct super_block * sb_p;
00207 #ifdef CONFIG_RSBAC_SOFTMODE
00208 rsbac_boolean_t rsbac_internal = FALSE;
00209 #endif
00210
00211 /* No decision possible before init (called at boot time) -> don't care */
00212 if (!rsbac_is_initialized())
00213 return(DO_NOT_CARE);
00214
00215 /* Always granted for kernel (pid 0) and logging daemon */
00216 if ( !caller_pid
00217 #if defined(CONFIG_RSBAC_LOG_REMOTE)
00218 || (caller_pid == rsbaclogd_pid)
00219 #endif
00220 )
00221 return(GRANTED);
00222
00223 /* Checking base values */
00224 if( request >= R_NONE
00225 || target > T_NONE
00226 || attr > A_none)
00227 {
00228 rsbac_printk(KERN_WARNING
00229 "rsbac_adf_request(): called with invalid request, target or attribute\n");
00230 return(NOT_GRANTED);
00231 }
00232
00233 if (in_interrupt())
00234 {
00235 char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00236
00237 if(request_name)
00238 {
00239 get_request_name(request_name, request);
00240 rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %s, pid %u, attr_val %u!\n",
00241 request_name, caller_pid, attr_val_p->dummy);
00242 kfree(request_name);
00243 }
00244 else
00245 {
00246 rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %u, pid %u!\n",
00247 request, caller_pid);
00248 }
00249 // return DO_NOT_CARE;
00250 }
00251
00252 /* Getting basic information about this request */
00253
00254 /* only useful for real process, not idle or init */
00255 if (caller_pid > 1)
00256 {
00257 tmperr = rsbac_get_owner(&owner);
00258 if(tmperr)
00259 {
00260 rsbac_printk(KERN_DEBUG
00261 "rsbac_adf_request(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE",
00262 caller_pid);
00263 return(DO_NOT_CARE); /* Startup-Sequence (see above) */
00264 }
00265 }
00266 else /* caller_pid = 1 -> init, always owned by root */
00267 owner = 0;
00268
00269
00270 /******************************************************/
00271 /* General work for all modules - before module calls */
00272 /* test target on rsbac_internal */
00273 switch(target)
00274 {
00275 case T_FILE:
00276 case T_DIR:
00277 case T_FIFO:
00278 case T_SYMLINK:
00279 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00280 if ( ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00281 && ( (sb_p->s_magic == NFS_SUPER_MAGIC)
00282 || (sb_p->s_magic == CODA_SUPER_MAGIC)
00283 || (sb_p->s_magic == NCP_SUPER_MAGIC)
00284 || (sb_p->s_magic == SMB_SUPER_MAGIC)
00285 )
00286 )
00287 {
00288 result = DO_NOT_CARE;
00289 goto log;
00290 }
00291 #endif
00292 /* No decision on pseudo pipefs */
00293 if( (target == T_FIFO)
00294 && ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00295 && (sb_p->s_magic == PIPEFS_MAGIC)
00296 )
00297 return DO_NOT_CARE;
00298 #if 0 && LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00299 /* No decision on pseudo sockfs */
00300 if( (target == T_FILE)
00301 && (!RSBAC_MAJOR(tid_p->file.device))
00302 && (!RSBAC_MINOR(tid_p->file.device))
00303 )
00304 return DO_NOT_CARE;
00305 #endif
00306 switch(request)
00307 {
00308 case R_GET_STATUS_DATA:
00309 case R_GET_PERMISSIONS_DATA:
00310 case R_READ_ATTRIBUTE:
00311 #ifdef CONFIG_RSBAC_DAT_VISIBLE
00312 case R_SEARCH:
00313 case R_READ:
00314 case R_CLOSE:
00315 case R_CHDIR:
00316 #endif
00317 break;
00318
00319 default:
00320 if ((tmperr = rsbac_get_attr(GEN,
00321 target,
00322 *tid_p,
00323 A_internal,
00324 &i_attr_val,
00325 TRUE) ))
00326 {
00327 if(tmperr == -RSBAC_EINVALIDDEV)
00328 {
00329 // rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00330 return(DO_NOT_CARE); /* last calls on shutdown */
00331 }
00332 else
00333 {
00334 rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00335 return(NOT_GRANTED); /* something weird happened */
00336 }
00337 }
00338 /* no access to rsbac_internal objects is granted in any case */
00339 if (i_attr_val.internal)
00340 {
00341 rsbac_printk(KERN_WARNING
00342 "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n");
00343 result = NOT_GRANTED;
00344 #ifndef CONFIG_RSBAC_MAINT
00345 mod_result[SW_NONE] = NOT_GRANTED;
00346 #endif
00347 #ifdef CONFIG_RSBAC_SOFTMODE
00348 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00349 ret_result = NOT_GRANTED;
00350 #endif
00351 rsbac_internal = TRUE;
00352 #endif
00353 }
00354 }
00355 break;
00356
00357 #if defined(CONFIG_RSBAC_UM_EXCL)
00358 case T_PROCESS:
00359 switch(request)
00360 {
00361 case R_CHANGE_OWNER:
00362 #ifdef CONFIG_RSBAC_DAC_OWNER
00363 case R_CHANGE_DAC_EFF_OWNER:
00364 case R_CHANGE_DAC_FS_OWNER:
00365 #endif
00366 if( (attr == A_owner)
00367 && !rsbac_um_no_excl
00368 && !rsbac_um_user_exists(0, attr_val_p->owner)
00369 )
00370 {
00371 rsbac_printk(KERN_INFO
00372 "rsbac_adf_request(): uid %u not known to RSBAC User Management!\n",
00373 attr_val_p->owner);
00374 result = adf_and_plus(result, NOT_GRANTED);
00375 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00376 ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00377 #endif
00378 }
00379 break;
00380
00381 case R_CHANGE_GROUP:
00382 #ifdef CONFIG_RSBAC_DAC_OWNER
00383 case R_CHANGE_DAC_EFF_GROUP:
00384 case R_CHANGE_DAC_FS_GROUP:
00385 #endif
00386 if( (attr == A_group)
00387 && !rsbac_um_no_excl
00388 && !rsbac_um_group_exists(0, attr_val_p->group)
00389 )
00390 {
00391 rsbac_printk(KERN_INFO
00392 "rsbac_adf_request(): gid %u not known to RSBAC User Management!\n",
00393 attr_val_p->group);
00394 result = adf_and_plus(result, NOT_GRANTED);
00395 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00396 ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00397 #endif
00398 }
00399 break;
00400
00401 default:
00402 break;
00403 }
00404 break;
00405 #endif /* UM_EXCL */
00406
00407 default:
00408 break;
00409 }
00410
00411 /**********************************************************/
00412 /* calling all decision modules, building a common result */
00413
00414 #ifdef CONFIG_RSBAC_DEBUG
00415 /* first, check for valid request/target combination */
00416 /* (undefined should only happen in _check and means a real bug!) */
00417 result = adf_and_plus(result,rsbac_adf_request_check(request,
00418 caller_pid,
00419 target,
00420 tid_p,
00421 attr,
00422 attr_val_p,
00423 owner) );
00424
00425 if(result == UNDEFINED)
00426 goto log;
00427 #endif
00428
00429 #if !defined(CONFIG_RSBAC_MAINT)
00430 /******* MAC ********/
00431 #if defined(CONFIG_RSBAC_MAC)
00432 #ifdef CONFIG_RSBAC_SWITCH_MAC
00433 if (rsbac_switch_mac)
00434 #endif
00435 /* no need to call module, if to be ignored */
00436 if(ignore_module != MAC)
00437 {
00438 mod_result[MAC] = rsbac_adf_request_mac(request,
00439 caller_pid,
00440 target,
00441 *tid_p,
00442 attr,
00443 *attr_val_p,
00444 owner);
00445 result = adf_and_plus(result, mod_result[MAC]);
00446 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00447 if(!rsbac_ind_softmode[MAC])
00448 ret_result = adf_and_plus(ret_result, mod_result[MAC]);
00449 #endif
00450 }
00451 #endif /* MAC */
00452
00453 /******* PM ********/
00454 #if defined(CONFIG_RSBAC_PM)
00455 #ifdef CONFIG_RSBAC_SWITCH_PM
00456 if (rsbac_switch_pm)
00457 #endif
00458 /* no need to call module, if to be ignored */
00459 if(ignore_module != PM)
00460 {
00461 mod_result[PM] = rsbac_adf_request_pm (request,
00462 caller_pid,
00463 target,
00464 *tid_p,
00465 attr,
00466 *attr_val_p,
00467 owner);
00468 result = adf_and_plus(result, mod_result[PM]);
00469 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00470 if(!rsbac_ind_softmode[PM])
00471 ret_result = adf_and_plus(ret_result, mod_result[PM]);
00472 #endif
00473 }
00474 #endif /* PM */
00475
00476 /******* DAZ ********/
00477 #if defined(CONFIG_RSBAC_DAZ)
00478 #ifdef CONFIG_RSBAC_SWITCH_DAZ
00479 if (rsbac_switch_daz)
00480 #endif
00481 /* no need to call module, if to be ignored */
00482 if(ignore_module != DAZ)
00483 {
00484 mod_result[DAZ] = rsbac_adf_request_daz (request,
00485 caller_pid,
00486 target,
00487 *tid_p,
00488 attr,
00489 *attr_val_p,
00490 owner);
00491 result = adf_and_plus(result, mod_result[DAZ]);
00492 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00493 if(!rsbac_ind_softmode[DAZ])
00494 ret_result = adf_and_plus(ret_result, mod_result[DAZ]);
00495 #endif
00496 }
00497 #endif /* DAZ */
00498
00499 /******* FF ********/
00500 #if defined(CONFIG_RSBAC_FF)
00501 #ifdef CONFIG_RSBAC_SWITCH_FF
00502 if (rsbac_switch_ff)
00503 #endif
00504 /* no need to call module, if to be ignored */
00505 if(ignore_module != FF)
00506 {
00507 mod_result[FF] = rsbac_adf_request_ff (request,
00508 caller_pid,
00509 target,
00510 *tid_p,
00511 attr,
00512 *attr_val_p,
00513 owner);
00514 result = adf_and_plus(result, mod_result[FF]);
00515 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00516 if(!rsbac_ind_softmode[FF])
00517 ret_result = adf_and_plus(ret_result, mod_result[FF]);
00518 #endif
00519 }
00520 #endif /* FF */
00521
00522 /******* RC ********/
00523 #if defined(CONFIG_RSBAC_RC)
00524 #ifdef CONFIG_RSBAC_SWITCH_RC
00525 if (rsbac_switch_rc)
00526 #endif
00527 /* no need to call module, if to be ignored */
00528 if(ignore_module != RC)
00529 {
00530 mod_result[RC] = rsbac_adf_request_rc (request,
00531 caller_pid,
00532 target,
00533 *tid_p,
00534 attr,
00535 *attr_val_p,
00536 owner);
00537 result = adf_and_plus(result, mod_result[RC]);
00538 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00539 if(!rsbac_ind_softmode[RC])
00540 ret_result = adf_and_plus(ret_result, mod_result[RC]);
00541 #endif
00542 }
00543 #endif /* RC */
00544
00545 /****** AUTH *******/
00546 #if defined(CONFIG_RSBAC_AUTH)
00547 #ifdef CONFIG_RSBAC_SWITCH_AUTH
00548 if (rsbac_switch_auth)
00549 #endif
00550 /* no need to call module, if to be ignored */
00551 if(ignore_module != AUTH)
00552 {
00553 mod_result[AUTH]= rsbac_adf_request_auth(request,
00554 caller_pid,
00555 target,
00556 *tid_p,
00557 attr,
00558 *attr_val_p,
00559 owner);
00560 result = adf_and_plus(result, mod_result[AUTH]);
00561 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00562 if(!rsbac_ind_softmode[AUTH])
00563 ret_result = adf_and_plus(ret_result, mod_result[AUTH]);
00564 #endif
00565 }
00566 #endif /* AUTH */
00567
00568 /****** ACL *******/
00569 #if defined(CONFIG_RSBAC_ACL)
00570 #ifdef CONFIG_RSBAC_SWITCH_ACL
00571 if (rsbac_switch_acl)
00572 #endif
00573 /* no need to call module, if to be ignored */
00574 if(ignore_module != ACL)
00575 {
00576 mod_result[ACL] = rsbac_adf_request_acl(request,
00577 caller_pid,
00578 target,
00579 *tid_p,
00580 attr,
00581 *attr_val_p,
00582 owner);
00583 result = adf_and_plus(result, mod_result[ACL]);
00584 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00585 if(!rsbac_ind_softmode[ACL])
00586 ret_result = adf_and_plus(ret_result, mod_result[ACL]);
00587 #endif
00588 }
00589 #endif /* ACL */
00590
00591 /****** CAP *******/
00592 #if defined(CONFIG_RSBAC_CAP)
00593 #ifdef CONFIG_RSBAC_SWITCH_CAP
00594 if (rsbac_switch_cap)
00595 #endif
00596 /* no need to call module, if to be ignored */
00597 if(ignore_module != CAP)
00598 {
00599 mod_result[CAP] = rsbac_adf_request_cap(request,
00600 caller_pid,
00601 target,
00602 *tid_p,
00603 attr,
00604 *attr_val_p,
00605 owner);
00606 result = adf_and_plus(result, mod_result[CAP]);
00607 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00608 if(!rsbac_ind_softmode[CAP])
00609 ret_result = adf_and_plus(ret_result, mod_result[CAP]);
00610 #endif
00611 }
00612 #endif /* CAP */
00613
00614 /****** JAIL *******/
00615 #if defined(CONFIG_RSBAC_JAIL)
00616 #ifdef CONFIG_RSBAC_SWITCH_JAIL
00617 if (rsbac_switch_jail)
00618 #endif
00619 /* no need to call module, if to be ignored */
00620 if(ignore_module != JAIL)
00621 {
00622 mod_result[JAIL]= rsbac_adf_request_jail(request,
00623 caller_pid,
00624 target,
00625 *tid_p,
00626 attr,
00627 *attr_val_p,
00628 owner);
00629 result = adf_and_plus(result, mod_result[JAIL]);
00630 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00631 if(!rsbac_ind_softmode[JAIL])
00632 ret_result = adf_and_plus(ret_result, mod_result[JAIL]);
00633 #endif
00634 }
00635 #endif /* JAIL */
00636
00637 /******* PAX ********/
00638 #if defined(CONFIG_RSBAC_PAX)
00639 #ifdef CONFIG_RSBAC_SWITCH_PAX
00640 if (rsbac_switch_pax)
00641 #endif
00642 /* no need to call module, if to be ignored */
00643 if(ignore_module != PAX)
00644 {
00645 mod_result[PAX] = rsbac_adf_request_pax (request,
00646 caller_pid,
00647 target,
00648 *tid_p,
00649 attr,
00650 *attr_val_p,
00651 owner);
00652 result = adf_and_plus(result, mod_result[PAX]);
00653 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00654 if(!rsbac_ind_softmode[PAX])
00655 ret_result = adf_and_plus(ret_result, mod_result[PAX]);
00656 #endif
00657 }
00658 #endif /* PAX */
00659
00660 /****** RES *******/
00661 #if defined(CONFIG_RSBAC_RES)
00662 #ifdef CONFIG_RSBAC_SWITCH_RES
00663 if (rsbac_switch_res)
00664 #endif
00665 /* no need to call module, if to be ignored */
00666 if(ignore_module != RES)
00667 {
00668 mod_result[RES] = rsbac_adf_request_res(request,
00669 caller_pid,
00670 target,
00671 *tid_p,
00672 attr,
00673 *attr_val_p,
00674 owner);
00675 result = adf_and_plus(result, mod_result[RES]);
00676 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00677 if(!rsbac_ind_softmode[RES])
00678 ret_result = adf_and_plus(ret_result, mod_result[RES]);
00679 #endif
00680 }
00681 #endif /* RES */
00682
00683 /****** REG *******/
00684 #if defined(CONFIG_RSBAC_REG)
00685 if(ignore_module != REG)
00686 {
00687 mod_result[REG]= rsbac_adf_request_reg (request,
00688 caller_pid,
00689 target,
00690 *tid_p,
00691 attr,
00692 *attr_val_p,
00693 owner);
00694 result = adf_and_plus(result, mod_result[REG]);
00695 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00696 if(!rsbac_ind_softmode[REG])
00697 ret_result = adf_and_plus(ret_result, mod_result[REG]);
00698 #endif
00699 }
00700 #endif /* REG */
00701
00702 #endif /* !MAINT */
00703
00704 /****************************/
00705
00706 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
00707 if( rsbac_debug_adf_net
00708 && ( (target == T_NETDEV)
00709 || (target == T_NETTEMP)
00710 || (target == T_NETOBJ)
00711 )
00712 )
00713 do_log = TRUE;
00714 #endif
00715
00716 /* log based on process owner */
00717 #ifdef CONFIG_RSBAC_IND_USER_LOG
00718 i_tid.user = owner;
00719 if (rsbac_get_attr(GEN,
00720 T_USER,
00721 i_tid,
00722 A_log_user_based,
00723 &i_attr_val,
00724 FALSE))
00725 {
00726 rsbac_ds_get_error("rsbac_adf_request()", A_log_user_based);
00727 }
00728 else
00729 {
00730 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based)
00731 do_log = TRUE;
00732 }
00733 #endif /* CONFIG_RSBAC_IND_USER_LOG */
00734
00735 /* log based on program */
00736 #ifdef CONFIG_RSBAC_IND_PROG_LOG
00737 if(!do_log)
00738 {
00739 i_tid.process = caller_pid;
00740 if (rsbac_get_attr(GEN,
00741 T_PROCESS,
00742 i_tid,
00743 A_log_program_based,
00744 &i_attr_val,
00745 FALSE))
00746 {
00747 rsbac_ds_get_error("rsbac_adf_request()", A_log_program_based);
00748 }
00749 else
00750 {
00751 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based)
00752 do_log = TRUE;
00753 }
00754 }
00755 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
00756
00757 /*****************************************************/
00758 /* General work for all modules - after module calls */
00759 /* Note: the process' individual logging attributes are needed above */
00760 switch(request)
00761 {
00762 case R_TERMINATE:
00763 if (target == T_PROCESS)
00764 rsbac_remove_target(T_PROCESS,*tid_p);
00765 break;
00766 default:
00767 break;
00768 }
00769
00770 /* logging request on info level, if requested by file/dir/dev attributes */
00771 /* log_array_low/high, or, if that is requested, if enabled for this request */
00772 /* type (attributes state level, or that request based level is to be taken) */
00773 /* loglevel 2: log everything */
00774 /* loglevel 1: log, if denied */
00775 /* loglevel 0: log nothing */
00776
00777 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
00778 /* if file/dir/dev, depend log on log_arrays */
00779 /* (but not for file.device = 0) */
00780 /* log_on_request is TRUE */
00781 if( !do_log
00782 && ( ( ( (target == T_FILE)
00783 || (target == T_DIR)
00784 || (target == T_FIFO)
00785 || (target == T_SYMLINK)
00786 )
00787 && RSBAC_MAJOR(tid_p->file.device)
00788 && RSBAC_MINOR(tid_p->file.device)
00789 )
00790 || (target == T_DEV)
00791 )
00792 )
00793 {
00794 if (rsbac_get_attr(GEN,
00795 target,
00796 *tid_p,
00797 A_log_array_low,
00798 &i_attr_val,
00799 FALSE))
00800 {
00801 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00802 }
00803 else
00804 {
00805 if (rsbac_get_attr(GEN,
00806 target,
00807 *tid_p,
00808 A_log_array_high,
00809 &i_attr_val2,
00810 FALSE))
00811 {
00812 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00813 }
00814 else
00815 { /* ll = low-bit for request | (high-bit for request as bit 1) */
00816 /* WARNING: we deal with u64 here, only logical operations and */
00817 /* shifts work correctly! */
00818 log_level = ((i_attr_val.log_array_low >> request) & 1)
00819 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00820 if ( log_level == LL_full
00821 || ( log_level == LL_denied
00822 && (result == NOT_GRANTED
00823 || result == UNDEFINED)) )
00824 {
00825 do_log = TRUE;
00826 }
00827 if(log_level != LL_request)
00828 log_on_request = FALSE;
00829 }
00830 }
00831 }
00832 #endif /* CONFIG_RSBAC_IND_LOG */
00833
00834 #ifdef CONFIG_RSBAC_IND_NETDEV_LOG /* only if individual logging for netdev is enabled */
00835 /* if netdev, depend log on log_arrays */
00836 /* log_on_request is TRUE */
00837 if( !do_log
00838 && (target == T_NETDEV)
00839 )
00840 {
00841 if (rsbac_get_attr(GEN,
00842 target,
00843 *tid_p,
00844 A_log_array_low,
00845 &i_attr_val,
00846 FALSE))
00847 {
00848 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00849 }
00850 else
00851 {
00852 if (rsbac_get_attr(GEN,
00853 target,
00854 *tid_p,
00855 A_log_array_high,
00856 &i_attr_val2,
00857 FALSE))
00858 {
00859 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00860 }
00861 else
00862 { /* ll = low-bit for request | (high-bit for request as bit 1) */
00863 /* WARNING: we deal with u64 here, only logical operations and */
00864 /* shifts work correctly! */
00865 log_level = ((i_attr_val.log_array_low >> request) & 1)
00866 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00867 if ( log_level == LL_full
00868 || ( log_level == LL_denied
00869 && (result == NOT_GRANTED
00870 || result == UNDEFINED)) )
00871 {
00872 do_log = TRUE;
00873 }
00874 if(log_level != LL_request)
00875 log_on_request = FALSE;
00876 }
00877 }
00878 }
00879 #endif /* CONFIG_RSBAC_IND_NETDEV_LOG */
00880
00881 #ifdef CONFIG_RSBAC_IND_NETOBJ_LOG /* only if individual logging for net objects is enabled */
00882 /* if nettemp, netobj, depend log on log_arrays */
00883 /* (but not for file.device = 0) */
00884 /* log_on_request is TRUE */
00885 if( !do_log
00886 && ( (target == T_NETTEMP)
00887 || (target == T_NETOBJ)
00888 )
00889 )
00890 {
00891 enum rsbac_attribute_t i_attr1, i_attr2;
00892
00893 if(target == T_NETOBJ)
00894 {
00895 if(rsbac_net_remote_request(request))
00896 {
00897 i_attr1 = A_remote_log_array_low;
00898 i_attr2 = A_remote_log_array_high;
00899 }
00900 else
00901 {
00902 i_attr1 = A_local_log_array_low;
00903 i_attr2 = A_local_log_array_high;
00904 }
00905 }
00906 else
00907 {
00908 i_attr1 = A_log_array_low;
00909 i_attr2 = A_log_array_high;
00910 }
00911 if (rsbac_get_attr(GEN,
00912 target,
00913 *tid_p,
00914 i_attr1,
00915 &i_attr_val,
00916 FALSE))
00917 {
00918 rsbac_ds_get_error("rsbac_adf_request()", i_attr1);
00919 }
00920 else
00921 {
00922 if (rsbac_get_attr(GEN,
00923 target,
00924 *tid_p,
00925 i_attr2,
00926 &i_attr_val2,
00927 FALSE))
00928 {
00929 rsbac_ds_get_error("rsbac_adf_request()", i_attr2);
00930 }
00931 else
00932 { /* ll = low-bit for request | (high-bit for request as bit 1) */
00933 /* WARNING: we deal with u64 here, only logical operations and */
00934 /* shifts work correctly! */
00935 log_level = ((i_attr_val.log_array_low >> request) & 1)
00936 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00937 if ( log_level == LL_full
00938 || ( log_level == LL_denied
00939 && (result == NOT_GRANTED
00940 || result == UNDEFINED)) )
00941 {
00942 do_log = TRUE;
00943 }
00944 if(log_level != LL_request)
00945 log_on_request = FALSE;
00946 }
00947 }
00948 }
00949 #endif /* CONFIG_RSBAC_IND_NETOBJ_LOG */
00950
00951 log:
00952 /* if enabled, try request based log level */
00953 if ( !do_log
00954 && log_on_request
00955 && ( rsbac_log_levels[request][target] == LL_full
00956 || ( rsbac_log_levels[request][target] == LL_denied
00957 && (result == NOT_GRANTED
00958 || result == UNDEFINED)) ) )
00959 do_log = TRUE;
00960
00961 if(do_log)
00962 {
00963 char * request_name;
00964 char * res_name;
00965 char * res_mods;
00966 char * target_type_name;
00967 char * target_id_name;
00968 char * attr_name;
00969 char * attr_val_name;
00970 #ifdef CONFIG_RSBAC_NET_OBJ
00971 char * remote_ip_name;
00972 #else
00973 char remote_ip_name[1];
00974 #endif
00975 char * audit_uid_name;
00976 char command[17];
00977 rsbac_pid_t parent_pid = 0;
00978 rsbac_uid_t audit_uid;
00979 #ifdef CONFIG_RSBAC_LOG_PSEUDO
00980 rsbac_pseudo_t pseudo = 0;
00981 #endif
00982 char * program_path;
00983
00984 /* parent pid */
00985 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00986 if(current->parent)
00987 parent_pid = current->parent->pid;
00988 #else
00989 if(current->p_pptr)
00990 parent_pid = current->p_pptr->pid;
00991 #endif
00992
00993 /* rsbac_kmalloc all memory */
00994 request_name = rsbac_kmalloc(32);
00995 res_name = rsbac_kmalloc(32);
00996 res_mods = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00997 target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00998 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00999 target_id_name
01000 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01001 /* max. path name len + some extra */
01002 #else
01003 target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01004 /* max. file name len + some extra */
01005 #endif
01006 #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01007 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01008 program_path
01009 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01010 /* max. path name len + some extra */
01011 #else
01012 program_path = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01013 /* max. file name len + some extra */
01014 #endif
01015 #else
01016 program_path = rsbac_kmalloc(2);
01017 #endif
01018 attr_name = rsbac_kmalloc(32);
01019 attr_val_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01020 #ifdef CONFIG_RSBAC_NET_OBJ
01021 remote_ip_name = rsbac_kmalloc(32);
01022 #endif
01023 audit_uid_name = rsbac_kmalloc(32);
01024
01025 request_name[0] = (char) 0;
01026 target_type_name[0] = (char) 0;
01027 target_id_name[0] = (char) 0;
01028 program_path[0] = (char) 0;
01029 attr_name[0] = (char) 0;
01030 attr_val_name[0] = (char) 0;
01031 remote_ip_name[0] = (char) 0;
01032 audit_uid_name[0] = (char) 0;
01033 res_name[0] = (char) 0;
01034 res_mods[0] = (char) 0;
01035 command[0] = (char) 0;
01036 get_request_name(request_name, request);
01037 #if !defined(CONFIG_RSBAC_MAINT)
01038 /*
01039 if(result == mod_result[SW_NONE])
01040 {
01041 strcat(res_mods, " GEN");
01042 }
01043 */
01044 #if defined(CONFIG_RSBAC_MAC)
01045 if(result == mod_result[MAC])
01046 {
01047 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01048 if(rsbac_ind_softmode[MAC])
01049 strcat(res_mods, " MAC(Softmode)");
01050 else
01051 #endif
01052 strcat(res_mods, " MAC");
01053 }
01054 #endif
01055 #if defined(CONFIG_RSBAC_PM)
01056 if(result == mod_result[PM])
01057 {
01058 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01059 if(rsbac_ind_softmode[PM])
01060 strcat(res_mods, " PM(Softmode)");
01061 else
01062 #endif
01063 strcat(res_mods, " PM");
01064 }
01065 #endif
01066 #if defined(CONFIG_RSBAC_DAZ)
01067 if(result == mod_result[DAZ])
01068 {
01069 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01070 if(rsbac_ind_softmode[DAZ])
01071 strcat(res_mods, " DAZ(Softmode)");
01072 else
01073 #endif
01074 strcat(res_mods, " DAZ");
01075 }
01076 #endif
01077 #ifdef CONFIG_RSBAC_FF
01078 if(result == mod_result[FF])
01079 {
01080 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01081 if(rsbac_ind_softmode[FF])
01082 strcat(res_mods, " FF(Softmode)");
01083 else
01084 #endif
01085 strcat(res_mods, " FF");
01086 }
01087 #endif
01088 #ifdef CONFIG_RSBAC_RC
01089 if(result == mod_result[RC])
01090 {
01091 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01092 if(rsbac_ind_softmode[RC])
01093 strcat(res_mods, " RC(Softmode)");
01094 else
01095 #endif
01096 strcat(res_mods, " RC");
01097 }
01098 #endif
01099 #ifdef CONFIG_RSBAC_AUTH
01100 if(result == mod_result[AUTH])
01101 {
01102 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01103 if(rsbac_ind_softmode[AUTH])
01104 strcat(res_mods, " AUTH(Softmode)");
01105 else
01106 #endif
01107 strcat(res_mods, " AUTH");
01108 }
01109 #endif
01110 #ifdef CONFIG_RSBAC_ACL
01111 if(result == mod_result[ACL])
01112 {
01113 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01114 if(rsbac_ind_softmode[ACL])
01115 strcat(res_mods, " ACL(Softmode)");
01116 else
01117 #endif
01118 strcat(res_mods, " ACL");
01119 }
01120 #endif
01121 #ifdef CONFIG_RSBAC_CAP
01122 if(result == mod_result[CAP])
01123 {
01124 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01125 if(rsbac_ind_softmode[CAP])
01126 strcat(res_mods, " CAP(Softmode)");
01127 else
01128 #endif
01129 strcat(res_mods, " CAP");
01130 }
01131 #endif
01132 #ifdef CONFIG_RSBAC_JAIL
01133 if(result == mod_result[JAIL])
01134 {
01135 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01136 if(rsbac_ind_softmode[JAIL])
01137 strcat(res_mods, " JAIL(Softmode)");
01138 else
01139 #endif
01140 strcat(res_mods, " JAIL");
01141 }
01142 #endif
01143 #ifdef CONFIG_RSBAC_RES
01144 if(result == mod_result[RES])
01145 {
01146 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01147 if(rsbac_ind_softmode[RES])
01148 strcat(res_mods, " RES(Softmode)");
01149 else
01150 #endif
01151 strcat(res_mods, " RES");
01152 }
01153 #endif
01154 #ifdef CONFIG_RSBAC_REG
01155 if(result == mod_result[REG])
01156 {
01157 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01158 if(rsbac_ind_softmode[REG])
01159 strcat(res_mods, " REG(Softmode)");
01160 else
01161 #endif
01162 strcat(res_mods, " REG");
01163 }
01164 #endif
01165 #endif /* !MAINT */
01166 if(!res_mods[0])
01167 strcat(res_mods, " ADF");
01168
01169 /* Get process audit_uid */
01170 i_tid.process = caller_pid;
01171 if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
01172 {
01173 rsbac_ds_get_error("rsbac_adf_request()", A_audit_uid);
01174 return(NOT_GRANTED); /* something weird happened */
01175 }
01176 audit_uid = i_attr_val.audit_uid;
01177 if(audit_uid == RSBAC_NO_USER)
01178 audit_uid = owner;
01179 else
01180 sprintf(audit_uid_name, "audit uid %u, ", audit_uid);
01181 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01182 /* Get owner's logging pseudo */
01183 i_tid.user = audit_uid;
01184 if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
01185 {
01186 rsbac_ds_get_error("rsbac_adf_request()", A_pseudo);
01187 return(NOT_GRANTED); /* something weird happened */
01188 }
01189 /* if pseudo is not registered, return attribute value is 0 (see later) */
01190 pseudo = i_attr_val.pseudo;
01191 #endif
01192
01193 #ifdef CONFIG_RSBAC_NET_OBJ
01194 /* Get process remote_ip */
01195 i_tid.process = caller_pid;
01196 if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_remote_ip,&i_attr_val,FALSE))
01197 {
01198 rsbac_ds_get_error("rsbac_adf_request()", A_remote_ip);
01199 return(NOT_GRANTED); /* something weird happened */
01200 }
01201 if(i_attr_val.remote_ip)
01202 sprintf(remote_ip_name, "remote ip %u.%u.%u.%u, ", NIPQUAD(i_attr_val.remote_ip));
01203 #endif
01204
01205 #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01206 {
01207 struct mm_struct * mm;
01208 struct vm_area_struct * vma;
01209 struct dentry * dentry_p = NULL;
01210
01211 mm = current->mm;
01212 if(mm)
01213 {
01214 atomic_inc(&mm->mm_users);
01215 if(!down_read_trylock(&mm->mmap_sem))
01216 goto down_failed;
01217 vma = mm->mmap;
01218 while (vma)
01219 {
01220 if( (vma->vm_flags & VM_EXECUTABLE)
01221 && vma->vm_file)
01222 {
01223 dentry_p = dget(vma->vm_file->f_dentry);
01224 break;
01225 }
01226 vma = vma->vm_next;
01227 }
01228 up_read(&mm->mmap_sem);
01229 if(dentry_p)
01230 {
01231 char * p = program_path;
01232
01233 p += sprintf(program_path, ", prog_file ");
01234 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01235 rsbac_get_full_path(dentry_p, p, CONFIG_RSBAC_MAX_PATH_LEN);
01236 #else
01237 int namelen = rsbac_min(dentry_p->d_name.len, RSBAC_MAXNAMELEN);
01238
01239 strncpy(p, dentry_p->d_name.name, namelen);
01240 p[namelen]=0;
01241 #endif
01242 dput(dentry_p);
01243 }
01244 down_failed:
01245 mmput(mm);
01246 }
01247 }
01248 #endif
01249 get_target_name(target_type_name, target, target_id_name, *tid_p);
01250 get_attribute_name(attr_name, attr);
01251 get_attribute_value_name(attr_val_name, attr, attr_val_p);
01252 get_result_name(res_name, result);
01253 if ((current) && (current->comm))
01254 {
01255 strncpy(command,current->comm,16);
01256 command[16] = (char) 0;
01257 }
01258
01259 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01260 /* if pseudo is set, its value is != 0, else -> use id */
01261 if (pseudo)
01262 {
01263 #ifdef CONFIG_RSBAC_SOFTMODE
01264 if(rsbac_softmode)
01265 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01266 request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01267 else
01268 #endif
01269 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01270 request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01271 }
01272 else
01273 #endif
01274 {
01275 #ifdef CONFIG_RSBAC_SOFTMODE
01276 if(rsbac_softmode)
01277 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01278 request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01279 else
01280 #endif
01281 rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01282 request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01283 }
01284 /* rsbac_kfree all helper mem */
01285 rsbac_kfree(request_name);
01286 rsbac_kfree(res_name);
01287 rsbac_kfree(res_mods);
01288 rsbac_kfree(target_type_name);
01289 rsbac_kfree(target_id_name);
01290 rsbac_kfree(program_path);
01291 rsbac_kfree(attr_name);
01292 rsbac_kfree(attr_val_name);
01293 #ifdef CONFIG_RSBAC_NET_OBJ
01294 rsbac_kfree(remote_ip_name);
01295 #endif
01296 rsbac_kfree(audit_uid_name);
01297 }
01298
01299 /* UNDEFINED must never be returned -> change result */
01300 if(result == UNDEFINED)
01301 result = NOT_GRANTED;
01302
01303 /* count */
01304 rsbac_adf_request_count[target]++;
01305 #ifdef CONFIG_RSBAC_XSTATS
01306 rsbac_adf_request_xcount[target][request]++;
01307 #endif
01308
01309 /* return result */
01310 #ifdef CONFIG_RSBAC_SOFTMODE
01311 if(rsbac_softmode && !rsbac_internal)
01312 return DO_NOT_CARE;
01313 else
01314 #endif
01315 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01316 return ret_result;
01317 #else
01318 return result; /* change for debugging! */
01319 #endif
01320 } /* end of rsbac_adf_request_int() */
|
|
||||||||||||||||||||||||||||||||||||
|
Definition at line 1355 of file adf_main.c. References A_audit_uid, A_auid_exempt, A_fake_root_uid, A_log_array_high, A_log_array_low, A_log_program_based, A_log_user_based, A_none, A_pseudo, A_remote_ip, rsbac_attribute_value_t::audit_uid, rsbac_attribute_value_t::auid_exempt, rsbac_attribute_value_t::dummy, rsbac_attribute_value_t::fake_root_uid, FALSE, GEN, get_attribute_name(), get_request_name(), get_target_name(), I_shm, rsbac_target_id_t::ipc, LL_denied, LL_full, LL_request, rsbac_attribute_value_t::log_array_high, rsbac_attribute_value_t::log_array_low, rsbac_attribute_value_t::log_program_based, rsbac_attribute_value_t::log_user_based, rsbac_target_id_t::netobj, rsbac_target_id_t::process, rsbac_attribute_value_t::pseudo, R_ACCEPT, R_CLONE, R_CLOSE, R_DELETE, R_EXECUTE, R_NONE, rsbac_attribute_value_t::remote_ip, rsbac_adf_set_attr_acl(), rsbac_adf_set_attr_auth(), rsbac_adf_set_attr_cap(), rsbac_adf_set_attr_check(), rsbac_adf_set_attr_count, rsbac_adf_set_attr_daz(), rsbac_adf_set_attr_ff(), rsbac_adf_set_attr_jail(), rsbac_adf_set_attr_mac(), rsbac_adf_set_attr_pax(), rsbac_adf_set_attr_pm(), rsbac_adf_set_attr_rc(), rsbac_adf_set_attr_reg(), rsbac_adf_set_attr_res(), RSBAC_EINVALIDVALUE, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_get_super_block(), rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), rsbac_log_levels, RSBAC_MAXNAMELEN, RSBAC_NO_USER, rsbac_printk(), rsbac_remove_target, rsbac_set_attr, rsbac_net_obj_desc_t::sock_p, T_DEV, T_DIR, T_FIFO, T_FILE, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NONE, T_PROCESS, T_SYMLINK, T_USER, TRUE, rsbac_ipc_t::type, and rsbac_target_id_t::user. Referenced by rsbac_aef_inode_post_create(), rsbac_aef_inode_post_mkdir(), rsbac_aef_inode_post_mknod(), rsbac_aef_inode_post_symlink(), sys_rsbac_um_add_group(), sys_rsbac_um_add_user(), sys_rsbac_um_remove_group(), and sys_rsbac_um_remove_user(). 01364 {
01365 union rsbac_target_id_t i_tid;
01366 rsbac_uid_t owner;
01367 int error = 0;
01368 rsbac_boolean_t do_log = FALSE;
01369 rsbac_boolean_t log_on_request = TRUE;
01370 union rsbac_attribute_value_t i_attr_val;
01371 #ifdef CONFIG_RSBAC_IND_LOG
01372 union rsbac_attribute_value_t i_attr_val2;
01373 enum rsbac_log_level_t log_level;
01374 #endif
01375 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01376 struct super_block * sb_p;
01377 #endif
01378
01379 /* No attribute setting possible before init (called at boot time) */
01380
01381 if (!rsbac_is_initialized())
01382 return(0);
01383
01384 /* kernel (pid 0) is ignored */
01385 if ( !caller_pid
01386 #if defined(CONFIG_RSBAC_LOG_REMOTE)
01387 || (caller_pid == rsbaclogd_pid)
01388 #endif
01389 )
01390 return(0);
01391
01392 /* Checking base values */
01393 if( request >= R_NONE
01394 || target > T_NONE
01395 || new_target > T_NONE
01396 || attr > A_none)
01397 {
01398 rsbac_printk(KERN_WARNING
01399 "rsbac_adf_set_attr(): called with invalid request, target or attribute\n");
01400 return(-RSBAC_EINVALIDVALUE);
01401 }
01402
01403 /* Getting basic information about this adf_set_attr-call */
01404
01405 owner = RSBAC_NO_USER;
01406 /* only useful for real process, not idle or init */
01407 if (caller_pid > 1)
01408 {
01409 error = rsbac_get_owner(&owner);
01410 if(error)
01411 {
01412 rsbac_printk(KERN_DEBUG
01413 "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0",
01414 caller_pid);
01415 return(0); /* Startup-Sequence (see above) */
01416 }
01417 }
01418 else /* caller_pid = 1 -> init -> owner = root */
01419 owner = 0;
01420
01421 /*************************************************/
01422 /* General work for all modules - before modules */
01423 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01424 if ( ( (target == T_FILE)
01425 || (target == T_DIR)
01426 || (target == T_FIFO)
01427 || (target == T_SYMLINK)
01428 )
01429 && ((sb_p = rsbac_get_super_block(tid.file.device)))
01430 && ( (sb_p->s_magic == NFS_SUPER_MAGIC)
01431 || (sb_p->s_magic == CODA_SUPER_MAGIC)
01432 || (sb_p->s_magic == NCP_SUPER_MAGIC)
01433 || (sb_p->s_magic == SMB_SUPER_MAGIC)
01434 )
01435 )
01436 {
01437 error = 0;
01438 goto log;
01439 }
01440 #endif
01441
01442 /**********************************************************/
01443 /* calling all decision modules, building a common result */
01444
01445
01446 #ifdef CONFIG_RSBAC_DEBUG
01447 /* first, check for valid request/target combination */
01448 error |= rsbac_adf_set_attr_check(request,
01449 caller_pid,
01450 target,
01451 tid,
01452 new_target,
01453 new_tid,
01454 attr,
01455 attr_val,
01456 owner);
01457 if(error)
01458 goto general_work;
01459 #endif
01460
01461 #if !defined(CONFIG_RSBAC_MAINT)
01462 /******* MAC ********/
01463 #if defined(CONFIG_RSBAC_MAC)
01464 #ifdef CONFIG_RSBAC_SWITCH_MAC
01465 if (rsbac_switch_mac)
01466 #endif
01467 error |= rsbac_adf_set_attr_mac(request,
01468 caller_pid,
01469 target,
01470 tid,
01471 new_target,
01472 new_tid,
01473 attr,
01474 attr_val,
01475 owner);
01476 #endif /* MAC */
01477
01478 /******* PM ********/
01479 #ifdef CONFIG_RSBAC_PM
01480 #ifdef CONFIG_RSBAC_SWITCH_PM
01481 if (rsbac_switch_pm)
01482 #endif
01483 error |= rsbac_adf_set_attr_pm (request,
01484 caller_pid,
01485 target,
01486 tid,
01487 new_target,
01488 new_tid,
01489 attr,
01490 attr_val,
01491 owner);
01492 #endif /* PM */
01493
01494 /******* DAZ ********/
01495 #ifdef CONFIG_RSBAC_DAZ
01496 #ifdef CONFIG_RSBAC_SWITCH_DAZ
01497 if (rsbac_switch_daz)
01498 #endif
01499 error |= rsbac_adf_set_attr_daz (request,
01500 caller_pid,
01501 target,
01502 tid,
01503 new_target,
01504 new_tid,
01505 attr,
01506 attr_val,
01507 owner);
01508 #endif /* DAZ */
01509
01510 /******* FF ********/
01511 #if 0 /* Nothing to do in there */
01512 #ifdef CONFIG_RSBAC_FF
01513 #ifdef CONFIG_RSBAC_SWITCH_FF
01514 if (rsbac_switch_ff)
01515 #endif
01516 error |= rsbac_adf_set_attr_ff (request,
01517 caller_pid,
01518 target,
01519 tid,
01520 new_target,
01521 new_tid,
01522 attr,
01523 attr_val,
01524 owner);
01525 #endif /* FF */
01526 #endif /* 0 */
01527
01528 /******* RC ********/
01529 #ifdef CONFIG_RSBAC_RC
01530 #ifdef CONFIG_RSBAC_SWITCH_RC
01531 if (rsbac_switch_rc)
01532 #endif
01533 error |= rsbac_adf_set_attr_rc (request,
01534 caller_pid,
01535 target,
01536 tid,
01537 new_target,
01538 new_tid,
01539 attr,
01540 attr_val,
01541 owner);
01542 #endif /* RC */
01543
01544 /****** AUTH *******/
01545 #ifdef CONFIG_RSBAC_AUTH
01546 #ifdef CONFIG_RSBAC_SWITCH_AUTH
01547 if (rsbac_switch_auth)
01548 #endif
01549 error |= rsbac_adf_set_attr_auth(request,
01550 caller_pid,
01551 target,
01552 tid,
01553 new_target,
01554 new_tid,
01555 attr,
01556 attr_val,
01557 owner);
01558 #endif /* AUTH */
01559
01560 /****** ACL *******/
01561 #if 0 /* Nothing there */
01562 #ifdef CONFIG_RSBAC_ACL
01563 #ifdef CONFIG_RSBAC_SWITCH_ACL
01564 if (rsbac_switch_acl)
01565 #endif
01566 error |= rsbac_adf_set_attr_acl (request,
01567 caller_pid,
01568 target,
01569 tid,
01570 new_target,
01571 new_tid,
01572 attr,
01573 attr_val,
01574 owner);
01575 #endif /* ACL */
01576 #endif
01577
01578 /****** CAP *******/
01579 #ifdef CONFIG_RSBAC_CAP
01580 #ifdef CONFIG_RSBAC_SWITCH_CAP
01581 if (rsbac_switch_cap)
01582 #endif
01583 error |= rsbac_adf_set_attr_cap (request,
01584 caller_pid,
01585 target,
01586 tid,
01587 new_target,
01588 new_tid,
01589 attr,
01590 attr_val,
01591 owner);
01592 #endif /* CAP */
01593
01594 /****** JAIL *******/
01595 #ifdef CONFIG_RSBAC_JAIL
01596 #ifdef CONFIG_RSBAC_SWITCH_JAIL
01597 if (rsbac_switch_jail)
01598 #endif
01599 error |= rsbac_adf_set_attr_jail(request,
01600 caller_pid,
01601 target,
01602 tid,
01603 new_target,
01604 new_tid,
01605 attr,
01606 attr_val,
01607 owner);
01608 #endif /* JAIL */
01609
01610 /******* PAX ********/
01611 #ifdef CONFIG_RSBAC_PAX
01612 #ifdef CONFIG_RSBAC_SWITCH_PAX
01613 if (rsbac_switch_pax)
01614 #endif
01615 error |= rsbac_adf_set_attr_pax (request,
01616 caller_pid,
01617 target,
01618 tid,
01619 new_target,
01620 new_tid,
01621 attr,
01622 attr_val,
01623 owner);
01624 #endif /* PAX */
01625
01626 /****** RES *******/
01627 #ifdef CONFIG_RSBAC_RES
01628 #ifdef CONFIG_RSBAC_SWITCH_RES
01629 if (rsbac_switch_res)
01630 #endif
01631 error |= rsbac_adf_set_attr_res (request,
01632 caller_pid,
01633 target,
01634 tid,
01635 new_target,
01636 new_tid,
01637 attr,
01638 attr_val,
01639 owner);
01640 #endif /* RES */
01641
01642 /****** REG *******/
01643 #ifdef CONFIG_RSBAC_REG
01644 error |= rsbac_adf_set_attr_reg (request,
01645 caller_pid,
01646 target,
01647 tid,
01648 new_target,
01649 new_tid,
01650 attr,
01651 attr_val,
01652 owner);
01653 #endif /* REG */
01654 #endif /* !MAINT */
01655
01656 /* General work for all modules (after set_attr call) */
01657 #ifdef CONFIG_RSBAC_DEBUG
01658 general_work:
01659 #endif
01660 switch(request)
01661 {
01662 /* remove deleted item from rsbac data */
01663 case R_DELETE :
01664 switch (target)
01665 {
01666 case T_FILE:
01667 case T_FIFO:
01668 case T_SYMLINK:
01669 /* Only remove file/fifo target on deletion of last link */
01670 if ( (attr == A_nlink)
01671 && (attr_val.nlink > 1)
01672 )
01673 break;
01674 /* fall through */
01675 case T_DIR:
01676 rsbac_remove_target(target,tid);
01677 break;
01678 case T_IPC:
01679 /* shm removal delayed and removed directly, when destroyed */
01680 if(tid.ipc.type != I_shm)
01681 rsbac_remove_target(target,tid);
01682 break;
01683 default:
01684 break;
01685 }
01686 break;
01687
01688 case R_CLONE:
01689 switch (target)
01690 {
01691 case T_PROCESS:
01692 #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01693 /* get program based log from old process */
01694 if (rsbac_get_attr(GEN,
01695 target,
01696 tid,
01697 A_log_program_based,
01698 &i_attr_val,
01699 FALSE))
01700 {
01701 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01702 }
01703 else
01704 { /* only set, of not default value 0 */
01705 if(i_attr_val.log_program_based)
01706 {
01707 /* set program based log for new process */
01708 if (rsbac_set_attr(GEN, new_target,
01709 new_tid,
01710 A_log_program_based,
01711 i_attr_val))
01712 {
01713 rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01714 }
01715 }
01716 }
01717 #endif
01718 #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01719 /* get fake_root_uid from old process */
01720 if (rsbac_get_attr(GEN,
01721 target,
01722 tid,
01723 A_fake_root_uid,
01724 &i_attr_val,
01725 FALSE))
01726 {
01727 rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01728 }
01729 else
01730 { /* only set, of not default value 0 */
01731 if(i_attr_val.fake_root_uid)
01732 {
01733 /* set program based log for new process */
01734 if (rsbac_set_attr(GEN, new_target,
01735 new_tid,
01736 A_fake_root_uid,
01737 i_attr_val))
01738 {
01739 rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01740 }
01741 }
01742 }
01743 #endif
01744 #if defined(CONFIG_RSBAC_NET)
01745 /* get remote_ip from old process */
01746 if (rsbac_get_attr(GEN,
01747 target,
01748 tid,
01749 A_remote_ip,
01750 &i_attr_val,
01751 FALSE))
01752 {
01753 rsbac_ds_get_error("rsbac_adf_set_attr()", A_remote_ip);
01754 }
01755 else
01756 { /* only set, of not default value 0 */
01757 if(i_attr_val.remote_ip)
01758 {
01759 /* set program based log for new process */
01760 if (rsbac_set_attr(GEN, new_target,
01761 new_tid,
01762 A_remote_ip,
01763 i_attr_val))
01764 {
01765 rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01766 }
01767 }
01768 }
01769 #endif
01770 /* get audit_uid from old process */
01771 if (rsbac_get_attr(GEN,
01772 target,
01773 tid,
01774 A_audit_uid,
01775 &i_attr_val,
01776 FALSE))
01777 {
01778 rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
01779 }
01780 else
01781 { /* only set, of not default value NO_USER */
01782 if(i_attr_val.audit_uid != RSBAC_NO_USER)
01783 {
01784 /* set audit uid for new process */
01785 if (rsbac_set_attr(GEN,
01786 new_target,
01787 new_tid,
01788 A_audit_uid,
01789 i_attr_val))
01790 {
01791 rsbac_ds_set_error("rsbac_adf_set_attr()", A_audit_uid);
01792 }
01793 }
01794 }
01795 /* get auid_exempt from old process */
01796 if (rsbac_get_attr(GEN,
01797 target,
01798 tid,
01799 A_auid_exempt,
01800 &i_attr_val,
01801 FALSE))
01802 {
01803 rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01804 }
01805 else
01806 { /* only set, of not default value NO_USER */
01807 if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01808 {
01809 /* set program based log for new process */
01810 if (rsbac_set_attr(GEN,
01811 new_target,
01812 new_tid,
01813 A_auid_exempt,
01814 i_attr_val))
01815 {
01816 rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01817 }
01818 }
01819 }
01820 break;
01821
01822 default:
01823 break;
01824 }
01825 break;
01826
01827 #ifdef CONFIG_RSBAC_NET_OBJ
01828 case R_CLOSE:
01829 switch (target)
01830 {
01831 case T_NETOBJ:
01832 rsbac_remove_target(target,tid);
01833 break;
01834
01835 default:
01836 break;
01837 }
01838 break;
01839 case R_ACCEPT:
01840 switch (target)
01841 {
01842 case T_NETOBJ:
01843 /* store remote IP */
01844 if( tid.netobj.sock_p
01845 && tid.netobj.sock_p->ops
01846 && tid.netobj.sock_p->sk
01847 && (tid.netobj.sock_p->ops->family == AF_INET)
01848 )
01849 {
01850 i_tid.process = caller_pid;
01851 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01852 i_attr_val.remote_ip = inet_sk(tid.netobj.sock_p->sk)->daddr;
01853 #else
01854 i_attr_val.remote_ip = tid.netobj.sock_p->sk->daddr;
01855 #endif
01856 /* set program based log for new process */
01857 if (rsbac_set_attr(GEN,
01858 T_PROCESS,
01859 i_tid,
01860 A_remote_ip,
01861 i_attr_val))
01862 {
01863 rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01864 }
01865 }
01866 break;
01867
01868 default:
01869 break;
01870 }
01871 break;
01872 #endif /* CONFIG_RSBAC_NET_OBJ */
01873
01874 case R_EXECUTE :
01875 switch (target)
01876 {
01877 case T_FILE:
01878 #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01879 /* get program based log from file */
01880 if (rsbac_get_attr(GEN,
01881 target,
01882 tid,
01883 A_log_program_based,
01884 &i_attr_val,
01885 FALSE))
01886 {
01887 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01888 }
01889 else
01890 {
01891 /* set program based log for process */
01892 i_tid.process = caller_pid;
01893 if (rsbac_set_attr(GEN, T_PROCESS,
01894 i_tid,
01895 A_log_program_based,
01896 i_attr_val))
01897 {
01898 rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01899 }
01900 }
01901 #endif
01902 #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01903 /* get fake_root_uid from file */
01904 if (rsbac_get_attr(GEN,
01905 target,
01906 tid,
01907 A_fake_root_uid,
01908 &i_attr_val,
01909 FALSE))
01910 {
01911 rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01912 }
01913 else
01914 {
01915 /* set fake_root_uid for process */
01916 if(i_attr_val.fake_root_uid)
01917 {
01918 i_tid.process = caller_pid;
01919 if (rsbac_set_attr(GEN, T_PROCESS,
01920 i_tid,
01921 A_fake_root_uid,
01922 i_attr_val))
01923 {
01924 rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01925 }
01926 }
01927 }
01928 #endif
01929 /* get auid_exempt from file */
01930 if (rsbac_get_attr(GEN,
01931 target,
01932 tid,
01933 A_auid_exempt,
01934 &i_attr_val,
01935 FALSE))
01936 {
01937 rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01938 }
01939 else
01940 {
01941 if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01942 {
01943 /* set auid_exempt for process */
01944 i_tid.process = caller_pid;
01945 if (rsbac_set_attr(GEN, T_PROCESS,
01946 i_tid,
01947 A_auid_exempt,
01948 i_attr_val))
01949 {
01950 rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01951 }
01952 }
01953 }
01954 break;
01955
01956 default:
01957 break;
01958 }
01959 break;
01960
01961 default:
01962 break;
01963 }
01964
01965 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
01966 if( rsbac_debug_adf_net
01967 && ( (target == T_NETDEV)
01968 || (target == T_NETTEMP)
01969 || (target == T_NETOBJ)
01970 )
01971 )
01972 do_log = TRUE;
01973 #endif
01974
01975 /* log based on process owner */
01976 #ifdef CONFIG_RSBAC_IND_USER_LOG
01977 i_tid.user = owner;
01978 if (rsbac_get_attr(GEN,
01979 T_USER,
01980 i_tid,
01981 A_log_user_based,
01982 &i_attr_val,
01983 FALSE))
01984 {
01985 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_user_based);
01986 }
01987 else
01988 {
01989 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based)
01990 do_log = TRUE;
01991 }
01992 #endif /* CONFIG_RSBAC_IND_USER_LOG */
01993
01994 /* log based on program */
01995 #ifdef CONFIG_RSBAC_IND_PROG_LOG
01996 if(!do_log)
01997 {
01998 i_tid.process = caller_pid;
01999 if (rsbac_get_attr(GEN,
02000 T_PROCESS,
02001 i_tid,
02002 A_log_program_based,
02003 &i_attr_val,
02004 FALSE))
02005 {
02006 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
02007 }
02008 else
02009 {
02010 if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based)
02011 do_log = TRUE;
02012 }
02013 }
02014 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
02015
02016
02017 /* logging request on info level, if requested by file/dir/dev attributes */
02018 /* log_array_low/high, or, if that is requested, if enabled for this request */
02019 /* type (attributes state level, or that request based level is to be taken) */
02020 /* loglevel 2: log everything */
02021 /* loglevel 1: log, if denied */
02022 /* loglevel 0: log nothing */
02023
02024 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
02025 /* if file/dir/dev, depend log on log_arrays */
02026 /* (but not for file.device = 0) */
02027 /* log_on_request is TRUE */
02028 if(!do_log)
02029 {
02030 if( ( ( (target == T_FILE)
02031 || (target == T_DIR)
02032 || (target == T_FIFO)
02033 || (target == T_SYMLINK)
02034 )
02035 && RSBAC_MAJOR(tid.file.device)
02036 && RSBAC_MINOR(tid.file.device)
02037 )
02038 || (target == T_DEV)
02039 )
02040 {
02041 if (rsbac_get_attr(GEN,
02042 target,
02043 tid,
02044 A_log_array_low,
02045 &i_attr_val,
02046 FALSE))
02047 {
02048 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_low);
02049 }
02050 else
02051 {
02052 if (rsbac_get_attr(GEN,
02053 target,
02054 tid,
02055 A_log_array_high,
02056 &i_attr_val2,
02057 FALSE))
02058 {
02059 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_high);
02060 }
02061 else
02062 { /* ll = low-bit for request | (high-bit for request as bit 1) */
02063 log_level = ((i_attr_val.log_array_low >> request) & 1)
02064 | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
02065 if ( log_level == LL_full
02066 || ( log_level == LL_denied
02067 && error) )
02068 {
02069 do_log = TRUE;
02070 }
02071 if(log_level != LL_request)
02072 log_on_request = FALSE;
02073 }
02074 }
02075 }
02076 }
02077 #endif /* CONFIG_RSBAC_IND_LOG */
02078
02079 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
02080 log:
02081 #endif
02082 /* if enabled, try request based log level */
02083 if (log_on_request
02084 && ( rsbac_log_levels[request][target] == LL_full
02085 || ( rsbac_log_levels[request][target] == LL_denied
02086 && error) ) )
02087 do_log = TRUE;
02088
02089 if(do_log)
02090 {
02091 char * request_name;
02092 char * target_type_name;
02093 char * new_target_type_name;
02094 char * target_id_name;
02095 char * new_target_id_name;
02096 char * attr_name;
02097 rsbac_uid_t audit_uid;
02098 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02099 rsbac_pseudo_t pseudo = 0;
02100 #endif
02101
02102 /* Get process audit_uid */
02103 i_tid.process = caller_pid;
02104 if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
02105 {
02106 rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
02107 return -RSBAC_EREADFAILED; /* something weird happened */
02108 }
02109 audit_uid = i_attr_val.audit_uid;
02110 if(audit_uid == RSBAC_NO_USER)
02111 audit_uid = owner;
02112 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02113 /* Get owner's logging pseudo */
02114 i_tid.user = audit_uid;
02115 if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
02116 {
02117 rsbac_ds_get_error("rsbac_adf_set_attr()", A_pseudo);
02118 return -RSBAC_EREADFAILED; /* something weird happened */
02119 }
02120 /* if pseudo is not registered, return attribute value is 0 (see later) */
02121 pseudo = i_attr_val.pseudo;
02122 #endif
02123
02124 /* rsbac_kmalloc all memory */
02125 request_name = rsbac_kmalloc(32);
02126 target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02127 new_target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02128 #ifdef CONFIG_RSBAC_LOG_FULL_PATH
02129 target_id_name
02130 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02131 new_target_id_name
02132 = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02133 /* max. path name len + some extra */
02134 #else
02135 target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02136 new_target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02137 /* max. file name len + some extra */
02138 #endif
02139 attr_name = rsbac_kmalloc(32);
02140
02141 /* Getting basic information about this request */
02142 request_name[0] = (char) 0;
02143 target_type_name[0] = (char) 0;
02144 target_id_name[0] = (char) 0;
02145 new_target_type_name[0] = (char) 0;
02146 new_target_id_name[0] = (char) 0;
02147 attr_name[0] = (char) 0;
02148 get_request_name(request_name, request);
02149 get_target_name(target_type_name, target, target_id_name, tid);
02150 get_target_name(new_target_type_name, new_target,
02151 new_target_id_name, new_tid);
02152 get_attribute_name(attr_name, attr);
02153
02154 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02155 if(pseudo)
02156 rsbac_printk(KERN_INFO
02157 "rsbac_adf_set_attr(): request %s, pid %u, pseudo %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02158 request_name, (u_int) caller_pid, pseudo, target_type_name, target_id_name,
02159 new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02160 else
02161 #endif
02162 rsbac_printk(KERN_INFO
02163 "rsbac_adf_set_attr(): request %s, pid %u, uid %u, audit_uid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02164 request_name, (u_int) caller_pid, owner, audit_uid, target_type_name, target_id_name,
02165 new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02166 /* rsbac_kfree all helper mem */
02167 rsbac_kfree(request_name);
02168 rsbac_kfree(target_type_name);
02169 rsbac_kfree(new_target_type_name);
02170 rsbac_kfree(target_id_name);
02171 rsbac_kfree(new_target_id_name);
02172 rsbac_kfree(attr_name);
02173 }
02174
02175 /* count */
02176 rsbac_adf_set_attr_count[target]++;
02177 #ifdef CONFIG_RSBAC_XSTATS
02178 rsbac_adf_set_attr_xcount[target][request]++;
02179 #endif
02180
02181 return(error);
02182 } /* end of rsbac_adf_set_attr() */
|
|
|
Definition at line 128 of file adf_main.c. References rsbac_reg_init(). Referenced by rsbac_do_init(). 00130 {
00131 #if defined(CONFIG_RSBAC_REG)
00132 rsbac_reg_init();
00133 #endif
00134 };
|
|
|
Definition at line 2516 of file adf_main.c. 02517 {
02518 return 0;
02519 }
|
|
||||||||||||||||
|
Definition at line 2510 of file adf_main.c. 02512 {
02513 return 0;
02514 }
|
|
|
Definition at line 3038 of file adf_main.c. References A_audit_uid, A_auid_exempt, rsbac_attribute_value_t::audit_uid, rsbac_attribute_value_t::auid_exempt, GEN, rsbac_target_id_t::process, RSBAC_EREADFAILED, RSBAC_EWRITEFAILED, rsbac_get_attr, RSBAC_NO_USER, rsbac_set_attr, and T_PROCESS. 03039 {
03040 union rsbac_target_id_t tid;
03041 union rsbac_attribute_value_t attr_val;
03042
03043 if(!uid || (uid == current->uid))
03044 return 0;
03045 tid.process = current->pid;
03046 if (rsbac_get_attr(GEN,
03047 T_PROCESS,
03048 tid,
03049 A_audit_uid,
03050 &attr_val,
03051 FALSE))
03052 {
03053 rsbac_ds_get_error("rsbac_set_audit_uid()", A_audit_uid);
03054 return -RSBAC_EREADFAILED;
03055 }
03056 if(attr_val.audit_uid != RSBAC_NO_USER)
03057 return 0;
03058
03059 if (rsbac_get_attr(GEN,
03060 T_PROCESS,
03061 tid,
03062 A_auid_exempt,
03063 &attr_val,
03064 FALSE))
03065 {
03066 rsbac_ds_get_error("rsbac_set_audit_uid()", A_auid_exempt);
03067 return -RSBAC_EREADFAILED;
03068 }
03069 if(attr_val.auid_exempt == uid)
03070 return 0;
03071
03072 attr_val.audit_uid = uid;
03073 if (rsbac_set_attr(GEN,
03074 T_PROCESS,
03075 tid,
03076 A_audit_uid,
03077 attr_val))
03078 {
03079 rsbac_ds_set_error("rsbac_set_audit_uid()", A_audit_uid);
03080 return -RSBAC_EWRITEFAILED;
03081 }
03082 return 0;
03083 }
|
|
||||||||||||||||
|
|
1.4.2