Main Page | Alphabetical List | Data Structures | Directories | File List | Data Fields | Globals | Search for 
tmp / linux-rsbac-1.2 / rsbac / adf

adf_main.c

Go to the documentation of this file.
00001 /*************************************************** */
00002 /* Rule Set Based Access Control                     */
00003 /* Implementation of the Access Control Decision     */
00004 /* Facility (ADF) - Main file main.c                 */
00005 /*                                                   */
00006 /* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org> */
00007 /*                                                   */
00008 /* Last modified: 15/Jul/2005                        */
00009 /*************************************************** */
00010 
00011 #include <linux/string.h>
00012 #include <linux/init.h>
00013 #include <linux/config.h>
00014 #include <linux/module.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci.h>
00017 #include <rsbac/adf.h>
00018 #include <rsbac/adf_main.h>
00019 #include <rsbac/error.h>
00020 #include <rsbac/helpers.h>
00021 #include <rsbac/getname.h>
00022 #include <rsbac/cap_getname.h>
00023 #include <rsbac/jail_getname.h>
00024 #include <rsbac/rkmem.h>
00025 #include <rsbac/network.h>
00026 #if defined(CONFIG_RSBAC_UM_EXCL)
00027 #include <rsbac/um.h>
00028 #endif
00029 
00030 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00031 #include <linux/nfs_fs.h>
00032 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00033 #include <linux/coda.h>
00034 #endif
00035 #include <linux/coda_psdev.h>
00036 #include <linux/ncp_fs.h>
00037 #include <linux/smb.h>
00038 #endif
00039 
00040 #ifdef CONFIG_RSBAC_SECDEL
00041 #include <linux/types.h>
00042 #include <linux/dcache.h>
00043 #include <asm/uaccess.h>
00044 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00045 #include <linux/buffer_head.h>
00046 #endif
00047 #endif /* SECDEL */
00048 
00049 /************************************************* */
00050 /*           Global Variables                      */
00051 /************************************************* */
00052 
00053 u_long rsbac_adf_request_count[T_NONE+1] = {0,0,0,0,0,0,0,0};
00054 u_long rsbac_adf_set_attr_count[T_NONE+1] = {0,0,0,0,0,0,0,0};
00055 #ifdef CONFIG_RSBAC_XSTATS
00056 u_long rsbac_adf_request_xcount[T_NONE+1][R_NONE];
00057 u_long rsbac_adf_set_attr_xcount[T_NONE+1][R_NONE];
00058 #endif
00059 
00060 /******* MAC ********/
00061 #ifdef CONFIG_RSBAC_SWITCH_MAC
00062 rsbac_boolean_t rsbac_switch_mac = TRUE;
00063 #endif  /* MAC */
00064 
00065 /******* PM ********/
00066 #ifdef CONFIG_RSBAC_SWITCH_PM
00067 rsbac_boolean_t rsbac_switch_pm = TRUE;
00068 #endif  /* PM */
00069 
00070 /******* DAZ ********/
00071 #ifdef CONFIG_RSBAC_SWITCH_DAZ
00072 rsbac_boolean_t rsbac_switch_daz = TRUE;
00073 #endif  /* DAZ */
00074 
00075 /******* FF ********/
00076 #ifdef CONFIG_RSBAC_SWITCH_FF
00077 rsbac_boolean_t rsbac_switch_ff = TRUE;
00078 #endif  /* FF */
00079 
00080 /******* RC ********/
00081 #ifdef CONFIG_RSBAC_SWITCH_RC
00082 rsbac_boolean_t rsbac_switch_rc = TRUE;
00083 #endif  /* RC */
00084 
00085 /****** AUTH *******/
00086 #ifdef CONFIG_RSBAC_SWITCH_AUTH
00087 rsbac_boolean_t rsbac_switch_auth = TRUE;
00088 #endif  /* AUTH */
00089 
00090 /****** ACL *******/
00091 #ifdef CONFIG_RSBAC_SWITCH_ACL
00092 rsbac_boolean_t rsbac_switch_acl = TRUE;
00093 #endif  /* ACL */
00094 
00095 /****** CAP *******/
00096 #ifdef CONFIG_RSBAC_SWITCH_CAP
00097 rsbac_boolean_t rsbac_switch_cap = TRUE;
00098 #endif  /* CAP */
00099 
00100 /****** JAIL *******/
00101 #ifdef CONFIG_RSBAC_SWITCH_JAIL
00102 rsbac_boolean_t rsbac_switch_jail = TRUE;
00103 #endif  /* JAIL */
00104 
00105 /****** PAX ********/
00106 #ifdef CONFIG_RSBAC_SWITCH_PAX
00107 rsbac_boolean_t rsbac_switch_pax = TRUE;
00108 #endif  /* PAX */
00109 
00110 /****** RES *******/
00111 #ifdef CONFIG_RSBAC_SWITCH_RES
00112 rsbac_boolean_t rsbac_switch_res = TRUE;
00113 #endif  /* RES */
00114 
00115 /************************************************* */
00116 /*          Internal Help functions                */
00117 /************************************************* */
00118 
00119 /************************************************* */
00120 /*          Externally visible functions           */
00121 /************************************************* */
00122 
00123 /* Init function, calls inits for all sub-modules  */
00124 
00125 #ifdef CONFIG_RSBAC_INIT_DELAY
00126 void rsbac_init_adf(void)
00127 #else
00128 void __init rsbac_init_adf(void)
00129 #endif
00130   {
00131     #if defined(CONFIG_RSBAC_REG)
00132     rsbac_reg_init();
00133     #endif
00134   };
00135 
00136 enum rsbac_adf_req_ret_t
00137     adf_and_plus(enum rsbac_adf_req_ret_t res1,
00138                  enum rsbac_adf_req_ret_t res2)
00139   {
00140     switch (res1)
00141       {
00142         case GRANTED:     if (res2 == DO_NOT_CARE)
00143                             return (GRANTED);
00144                           else
00145                             return (res2);
00146         case NOT_GRANTED: if (res2 == UNDEFINED)
00147                             return (UNDEFINED);
00148                           else
00149                             return (NOT_GRANTED);
00150         case DO_NOT_CARE: return (res2);
00151         default:          return (UNDEFINED);
00152       }
00153   };
00154 
00155 /*********************************************************************/
00156 /* rsbac_adf_request()                                               */
00157 /* This function is the main decision function, called from the AEF. */
00158 
00159 EXPORT_SYMBOL(rsbac_adf_request_int);
00160 enum rsbac_adf_req_ret_t
00161    rsbac_adf_request_int(enum  rsbac_adf_request_t     request,
00162                                rsbac_pid_t             caller_pid,
00163                          enum  rsbac_target_t          target,
00164                          union rsbac_target_id_t     * tid_p,
00165                          enum  rsbac_attribute_t       attr,
00166                          union rsbac_attribute_value_t * attr_val_p,
00167                          enum  rsbac_switch_target_t   ignore_module)
00168   {
00169     union rsbac_target_id_t        i_tid;
00170     union rsbac_attribute_value_t  i_attr_val;
00171           rsbac_uid_t              owner=0;
00172     int tmperr=0;
00173     enum rsbac_adf_req_ret_t   result = DO_NOT_CARE;
00174 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00175     enum rsbac_adf_req_ret_t   ret_result = DO_NOT_CARE;
00176 #endif
00177 #ifndef CONFIG_RSBAC_MAINT
00178     enum rsbac_adf_req_ret_t   mod_result[SW_NONE + 1] = {
00179                                    DO_NOT_CARE,
00180                                    DO_NOT_CARE,
00181                                    DO_NOT_CARE,
00182                                    DO_NOT_CARE,
00183                                    DO_NOT_CARE,
00184                                    DO_NOT_CARE,
00185                                    DO_NOT_CARE,
00186                                    DO_NOT_CARE,
00187                                    DO_NOT_CARE,
00188                                    DO_NOT_CARE,
00189                                    DO_NOT_CARE,
00190                                    DO_NOT_CARE,
00191                                    DO_NOT_CARE,
00192                                    DO_NOT_CARE,
00193                                    DO_NOT_CARE,
00194                                    DO_NOT_CARE,
00195                                    DO_NOT_CARE,
00196                                    DO_NOT_CARE
00197                                  };
00198 #endif
00199     rsbac_boolean_t do_log = FALSE;
00200     rsbac_boolean_t log_on_request = TRUE;
00201 /* only if individual logging is enabled */
00202 #if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
00203     union rsbac_attribute_value_t  i_attr_val2;
00204     enum rsbac_log_level_t log_level;
00205 #endif
00206     struct super_block * sb_p;
00207 #ifdef CONFIG_RSBAC_SOFTMODE
00208     rsbac_boolean_t rsbac_internal = FALSE;
00209 #endif
00210 
00211 /* No decision possible before init (called at boot time) -> don't care */
00212     if (!rsbac_is_initialized())
00213       return(DO_NOT_CARE);
00214 
00215 /* Always granted for kernel (pid 0) and logging daemon */
00216     if (   !caller_pid
00217         #if defined(CONFIG_RSBAC_LOG_REMOTE)
00218         || (caller_pid == rsbaclogd_pid)
00219         #endif
00220        )
00221       return(GRANTED);
00222 
00223 /* Checking base values */
00224     if(   request >= R_NONE
00225        || target > T_NONE
00226        || attr > A_none)
00227       {
00228         rsbac_printk(KERN_WARNING
00229                "rsbac_adf_request(): called with invalid request, target or attribute\n");
00230         return(NOT_GRANTED);
00231       }
00232 
00233     if (in_interrupt())
00234       {
00235         char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00236 
00237         if(request_name)
00238           {
00239             get_request_name(request_name, request);
00240             rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %s, pid %u, attr_val %u!\n",
00241                    request_name, caller_pid, attr_val_p->dummy);
00242             kfree(request_name);
00243           }
00244         else
00245           {
00246             rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %u, pid %u!\n",
00247                    request, caller_pid);
00248           }
00249 //        return DO_NOT_CARE;
00250       }
00251 
00252 /* Getting basic information about this request */
00253 
00254     /* only useful for real process, not idle or init */
00255     if (caller_pid > 1)
00256       {
00257         tmperr = rsbac_get_owner(&owner);
00258         if(tmperr)
00259           {
00260             rsbac_printk(KERN_DEBUG
00261                    "rsbac_adf_request(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE",
00262                    caller_pid);
00263             return(DO_NOT_CARE);      /* Startup-Sequence (see above) */
00264           }
00265       }
00266     else  /* caller_pid = 1 -> init, always owned by root */
00267       owner = 0;
00268 
00269 
00270 /******************************************************/
00271 /* General work for all modules - before module calls */
00272     /* test target on rsbac_internal */
00273     switch(target)
00274       {
00275         case T_FILE:
00276         case T_DIR:
00277         case T_FIFO:
00278         case T_SYMLINK:
00279 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00280           if (   ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00281               && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
00282                   || (sb_p->s_magic == CODA_SUPER_MAGIC)
00283                   || (sb_p->s_magic == NCP_SUPER_MAGIC)
00284                   || (sb_p->s_magic == SMB_SUPER_MAGIC)
00285                  )
00286              )
00287             {
00288               result = DO_NOT_CARE;
00289               goto log;
00290             }
00291 #endif
00292           /* No decision on pseudo pipefs */
00293           if(   (target == T_FIFO)
00294              && ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00295              && (sb_p->s_magic == PIPEFS_MAGIC)
00296             )
00297             return DO_NOT_CARE;
00298 #if 0 && LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00299           /* No decision on pseudo sockfs */
00300           if(   (target == T_FILE)
00301              && (!RSBAC_MAJOR(tid_p->file.device))
00302              && (!RSBAC_MINOR(tid_p->file.device))
00303             )
00304             return DO_NOT_CARE;
00305 #endif
00306           switch(request)
00307             {
00308               case R_GET_STATUS_DATA:
00309               case R_GET_PERMISSIONS_DATA:
00310               case R_READ_ATTRIBUTE:
00311 #ifdef CONFIG_RSBAC_DAT_VISIBLE
00312               case R_SEARCH:
00313               case R_READ:
00314               case R_CLOSE:
00315               case R_CHDIR:
00316 #endif
00317                 break;
00318 
00319               default:
00320                 if ((tmperr = rsbac_get_attr(GEN,
00321                                              target,
00322                                              *tid_p,
00323                                              A_internal,
00324                                              &i_attr_val,
00325                                              TRUE) ))
00326                   {
00327                     if(tmperr == -RSBAC_EINVALIDDEV)
00328                       {
00329 //                        rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00330                         return(DO_NOT_CARE);  /* last calls on shutdown */
00331                       }
00332                     else
00333                       {
00334                         rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00335                         return(NOT_GRANTED);  /* something weird happened */
00336                       }
00337                   }
00338                 /* no access to rsbac_internal objects is granted in any case */
00339                 if (i_attr_val.internal)
00340                   {
00341                     rsbac_printk(KERN_WARNING
00342                            "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n");
00343                     result = NOT_GRANTED;
00344                     #ifndef CONFIG_RSBAC_MAINT
00345                     mod_result[SW_NONE] = NOT_GRANTED;
00346                     #endif
00347                     #ifdef CONFIG_RSBAC_SOFTMODE
00348                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00349                     ret_result = NOT_GRANTED;
00350                     #endif
00351                     rsbac_internal = TRUE;
00352                     #endif
00353                   }
00354             }
00355           break;
00356 
00357 #if defined(CONFIG_RSBAC_UM_EXCL)
00358         case T_PROCESS:
00359           switch(request)
00360             {
00361               case R_CHANGE_OWNER:
00362 #ifdef CONFIG_RSBAC_DAC_OWNER
00363               case R_CHANGE_DAC_EFF_OWNER:
00364               case R_CHANGE_DAC_FS_OWNER:
00365 #endif
00366                 if(   (attr == A_owner)
00367                    && !rsbac_um_no_excl
00368                    && !rsbac_um_user_exists(0, attr_val_p->owner)
00369                   )
00370                   {
00371                     rsbac_printk(KERN_INFO
00372                                  "rsbac_adf_request(): uid %u not known to RSBAC User Management!\n",
00373                                  attr_val_p->owner);
00374                     result = adf_and_plus(result, NOT_GRANTED);
00375 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00376                     ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00377 #endif
00378                   }
00379                 break;
00380 
00381               case R_CHANGE_GROUP:
00382 #ifdef CONFIG_RSBAC_DAC_OWNER
00383               case R_CHANGE_DAC_EFF_GROUP:
00384               case R_CHANGE_DAC_FS_GROUP:
00385 #endif
00386                 if(   (attr == A_group)
00387                    && !rsbac_um_no_excl
00388                    && !rsbac_um_group_exists(0, attr_val_p->group)
00389                   )
00390                   {
00391                     rsbac_printk(KERN_INFO
00392                                  "rsbac_adf_request(): gid %u not known to RSBAC User Management!\n",
00393                                  attr_val_p->group);
00394                     result = adf_and_plus(result, NOT_GRANTED);
00395 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00396                     ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00397 #endif
00398                   }
00399                 break;
00400 
00401               default:
00402                 break;
00403             }
00404           break;
00405 #endif /* UM_EXCL */
00406 
00407         default:
00408           break;
00409       }
00410       
00411 /**********************************************************/
00412 /* calling all decision modules, building a common result */
00413 
00414 #ifdef CONFIG_RSBAC_DEBUG
00415 /* first, check for valid request/target combination      */
00416 /* (undefined should only happen in _check and means a real bug!) */
00417   result = adf_and_plus(result,rsbac_adf_request_check(request,
00418                                                        caller_pid,
00419                                                        target,
00420                                                        tid_p,
00421                                                        attr,
00422                                                        attr_val_p,
00423                                                        owner) );
00424 
00425 if(result == UNDEFINED)
00426   goto log;
00427 #endif
00428 
00429 #if !defined(CONFIG_RSBAC_MAINT)
00430 /******* MAC ********/
00431 #if defined(CONFIG_RSBAC_MAC)
00432 #ifdef CONFIG_RSBAC_SWITCH_MAC
00433 if (rsbac_switch_mac)
00434 #endif
00435   /* no need to call module, if to be ignored */
00436   if(ignore_module != MAC)
00437     {
00438       mod_result[MAC] = rsbac_adf_request_mac(request,
00439                                               caller_pid,
00440                                               target,
00441                                               *tid_p,
00442                                               attr,
00443                                               *attr_val_p,
00444                                               owner);
00445       result = adf_and_plus(result, mod_result[MAC]);
00446 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00447       if(!rsbac_ind_softmode[MAC])
00448         ret_result = adf_and_plus(ret_result, mod_result[MAC]);
00449 #endif
00450     }
00451 #endif  /* MAC */
00452 
00453 /******* PM ********/
00454 #if defined(CONFIG_RSBAC_PM)
00455 #ifdef CONFIG_RSBAC_SWITCH_PM
00456 if (rsbac_switch_pm)
00457 #endif
00458   /* no need to call module, if to be ignored */
00459   if(ignore_module != PM)
00460     {
00461       mod_result[PM]  = rsbac_adf_request_pm (request,
00462                                               caller_pid,
00463                                               target,
00464                                               *tid_p,
00465                                               attr,
00466                                               *attr_val_p,
00467                                               owner);
00468       result = adf_and_plus(result, mod_result[PM]);
00469 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00470       if(!rsbac_ind_softmode[PM])
00471         ret_result = adf_and_plus(ret_result, mod_result[PM]);
00472 #endif
00473     }
00474 #endif  /* PM */
00475 
00476 /******* DAZ ********/
00477 #if defined(CONFIG_RSBAC_DAZ)
00478 #ifdef CONFIG_RSBAC_SWITCH_DAZ
00479 if (rsbac_switch_daz)
00480 #endif
00481   /* no need to call module, if to be ignored */
00482   if(ignore_module != DAZ)
00483     {
00484       mod_result[DAZ]  = rsbac_adf_request_daz (request,
00485                                               caller_pid,
00486                                               target,
00487                                               *tid_p,
00488                                               attr,
00489                                               *attr_val_p,
00490                                               owner);
00491       result = adf_and_plus(result, mod_result[DAZ]);
00492 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00493       if(!rsbac_ind_softmode[DAZ])
00494         ret_result = adf_and_plus(ret_result, mod_result[DAZ]);
00495 #endif
00496     }
00497 #endif  /* DAZ */
00498 
00499 /******* FF ********/
00500 #if defined(CONFIG_RSBAC_FF)
00501 #ifdef CONFIG_RSBAC_SWITCH_FF
00502 if (rsbac_switch_ff)
00503 #endif
00504   /* no need to call module, if to be ignored */
00505   if(ignore_module != FF)
00506     {
00507       mod_result[FF]  = rsbac_adf_request_ff (request,
00508                                               caller_pid,
00509                                               target,
00510                                               *tid_p,
00511                                               attr,
00512                                               *attr_val_p,
00513                                               owner);
00514       result = adf_and_plus(result, mod_result[FF]);
00515 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00516       if(!rsbac_ind_softmode[FF])
00517         ret_result = adf_and_plus(ret_result, mod_result[FF]);
00518 #endif
00519     }
00520 #endif  /* FF */
00521 
00522 /******* RC ********/
00523 #if defined(CONFIG_RSBAC_RC)
00524 #ifdef CONFIG_RSBAC_SWITCH_RC
00525 if (rsbac_switch_rc)
00526 #endif
00527   /* no need to call module, if to be ignored */
00528   if(ignore_module != RC)
00529     {
00530       mod_result[RC]  = rsbac_adf_request_rc (request,
00531                                               caller_pid,
00532                                               target,
00533                                               *tid_p,
00534                                               attr,
00535                                               *attr_val_p,
00536                                               owner);
00537       result = adf_and_plus(result, mod_result[RC]);
00538 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00539       if(!rsbac_ind_softmode[RC])
00540         ret_result = adf_and_plus(ret_result, mod_result[RC]);
00541 #endif
00542     }
00543 #endif  /* RC */
00544 
00545 /****** AUTH *******/
00546 #if defined(CONFIG_RSBAC_AUTH)
00547 #ifdef CONFIG_RSBAC_SWITCH_AUTH
00548 if (rsbac_switch_auth)
00549 #endif
00550   /* no need to call module, if to be ignored */
00551   if(ignore_module != AUTH)
00552     {
00553       mod_result[AUTH]= rsbac_adf_request_auth(request,
00554                                               caller_pid,
00555                                               target,
00556                                               *tid_p,
00557                                               attr,
00558                                               *attr_val_p,
00559                                               owner);
00560       result = adf_and_plus(result, mod_result[AUTH]);
00561 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00562       if(!rsbac_ind_softmode[AUTH])
00563         ret_result = adf_and_plus(ret_result, mod_result[AUTH]);
00564 #endif
00565     }
00566 #endif  /* AUTH */
00567 
00568 /****** ACL *******/
00569 #if defined(CONFIG_RSBAC_ACL)
00570 #ifdef CONFIG_RSBAC_SWITCH_ACL
00571 if (rsbac_switch_acl)
00572 #endif
00573   /* no need to call module, if to be ignored */
00574   if(ignore_module != ACL)
00575     {
00576       mod_result[ACL] = rsbac_adf_request_acl(request,
00577                                               caller_pid,
00578                                               target,
00579                                               *tid_p,
00580                                               attr,
00581                                               *attr_val_p,
00582                                               owner);
00583       result = adf_and_plus(result, mod_result[ACL]);
00584 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00585       if(!rsbac_ind_softmode[ACL])
00586         ret_result = adf_and_plus(ret_result, mod_result[ACL]);
00587 #endif
00588     }
00589 #endif  /* ACL */
00590 
00591 /****** CAP *******/
00592 #if defined(CONFIG_RSBAC_CAP)
00593 #ifdef CONFIG_RSBAC_SWITCH_CAP
00594 if (rsbac_switch_cap)
00595 #endif
00596   /* no need to call module, if to be ignored */
00597   if(ignore_module != CAP)
00598     {
00599       mod_result[CAP] = rsbac_adf_request_cap(request,
00600                                               caller_pid,
00601                                               target,
00602                                               *tid_p,
00603                                               attr,
00604                                               *attr_val_p,
00605                                               owner);
00606       result = adf_and_plus(result, mod_result[CAP]);
00607 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00608       if(!rsbac_ind_softmode[CAP])
00609         ret_result = adf_and_plus(ret_result, mod_result[CAP]);
00610 #endif
00611     }
00612 #endif  /* CAP */
00613 
00614 /****** JAIL *******/
00615 #if defined(CONFIG_RSBAC_JAIL)
00616 #ifdef CONFIG_RSBAC_SWITCH_JAIL
00617 if (rsbac_switch_jail)
00618 #endif
00619   /* no need to call module, if to be ignored */
00620   if(ignore_module != JAIL)
00621     {
00622       mod_result[JAIL]= rsbac_adf_request_jail(request,
00623                                               caller_pid,
00624                                               target,
00625                                               *tid_p,
00626                                               attr,
00627                                               *attr_val_p,
00628                                               owner);
00629       result = adf_and_plus(result, mod_result[JAIL]);
00630 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00631       if(!rsbac_ind_softmode[JAIL])
00632         ret_result = adf_and_plus(ret_result, mod_result[JAIL]);
00633 #endif
00634     }
00635 #endif  /* JAIL */
00636 
00637 /******* PAX ********/
00638 #if defined(CONFIG_RSBAC_PAX)
00639 #ifdef CONFIG_RSBAC_SWITCH_PAX
00640 if (rsbac_switch_pax)
00641 #endif
00642   /* no need to call module, if to be ignored */
00643   if(ignore_module != PAX)
00644     {
00645       mod_result[PAX]  = rsbac_adf_request_pax (request,
00646                                               caller_pid,
00647                                               target,
00648                                               *tid_p,
00649                                               attr,
00650                                               *attr_val_p,
00651                                               owner);
00652       result = adf_and_plus(result, mod_result[PAX]);
00653 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00654       if(!rsbac_ind_softmode[PAX])
00655         ret_result = adf_and_plus(ret_result, mod_result[PAX]);
00656 #endif
00657     }
00658 #endif  /* PAX */
00659 
00660 /****** RES *******/
00661 #if defined(CONFIG_RSBAC_RES)
00662 #ifdef CONFIG_RSBAC_SWITCH_RES
00663 if (rsbac_switch_res)
00664 #endif
00665   /* no need to call module, if to be ignored */
00666   if(ignore_module != RES)
00667     {
00668       mod_result[RES] = rsbac_adf_request_res(request,
00669                                               caller_pid,
00670                                               target,
00671                                               *tid_p,
00672                                               attr,
00673                                               *attr_val_p,
00674                                               owner);
00675       result = adf_and_plus(result, mod_result[RES]);
00676 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00677       if(!rsbac_ind_softmode[RES])
00678         ret_result = adf_and_plus(ret_result, mod_result[RES]);
00679 #endif
00680     }
00681 #endif  /* RES */
00682 
00683 /****** REG *******/
00684 #if defined(CONFIG_RSBAC_REG)
00685 if(ignore_module != REG)
00686   {
00687     mod_result[REG]= rsbac_adf_request_reg (request,
00688                                             caller_pid,
00689                                             target,
00690                                             *tid_p,
00691                                             attr,
00692                                             *attr_val_p,
00693                                             owner);
00694     result = adf_and_plus(result, mod_result[REG]);
00695 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00696     if(!rsbac_ind_softmode[REG])
00697       ret_result = adf_and_plus(ret_result, mod_result[REG]);
00698 #endif
00699   }
00700 #endif  /* REG */
00701 
00702 #endif /* !MAINT */
00703 
00704 /****************************/
00705 
00706 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
00707     if(    rsbac_debug_adf_net
00708        && (   (target == T_NETDEV)
00709            || (target == T_NETTEMP)
00710            || (target == T_NETOBJ)
00711           )
00712       )
00713       do_log = TRUE;
00714 #endif
00715 
00716 /* log based on process owner */
00717 #ifdef CONFIG_RSBAC_IND_USER_LOG
00718     i_tid.user = owner;
00719     if (rsbac_get_attr(GEN,
00720                        T_USER,
00721                        i_tid,
00722                        A_log_user_based,
00723                        &i_attr_val,
00724                        FALSE))
00725       {
00726         rsbac_ds_get_error("rsbac_adf_request()", A_log_user_based);
00727       }
00728     else
00729       {
00730         if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 
00731           do_log = TRUE;
00732       }
00733 #endif /* CONFIG_RSBAC_IND_USER_LOG */
00734 
00735 /* log based on program */
00736 #ifdef CONFIG_RSBAC_IND_PROG_LOG
00737     if(!do_log)
00738       {
00739         i_tid.process = caller_pid;
00740         if (rsbac_get_attr(GEN,
00741                            T_PROCESS,
00742                            i_tid,
00743                            A_log_program_based,
00744                            &i_attr_val,
00745                            FALSE))
00746           {
00747             rsbac_ds_get_error("rsbac_adf_request()", A_log_program_based);
00748           }
00749         else
00750           {
00751             if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 
00752               do_log = TRUE;
00753           }
00754       }
00755 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
00756 
00757 /*****************************************************/
00758 /* General work for all modules - after module calls */
00759 /* Note: the process' individual logging attributes are needed above */
00760     switch(request)
00761       {
00762         case R_TERMINATE:
00763             if (target == T_PROCESS)
00764               rsbac_remove_target(T_PROCESS,*tid_p);
00765             break;
00766         default:
00767             break;
00768       }
00769 
00770 /* logging request on info level, if requested by file/dir/dev attributes */
00771 /* log_array_low/high, or, if that is requested, if enabled for this request */
00772 /* type (attributes state level, or that request based level is to be taken) */
00773 /* loglevel 2: log everything */
00774 /* loglevel 1: log, if denied */
00775 /* loglevel 0: log nothing */
00776 
00777 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
00778     /* if file/dir/dev, depend log on log_arrays */
00779     /* (but not for file.device = 0) */
00780     /* log_on_request is TRUE */
00781     if(   !do_log
00782        && (   (   (   (target == T_FILE)
00783                    || (target == T_DIR)
00784                    || (target == T_FIFO)
00785                    || (target == T_SYMLINK)
00786                   )
00787                && RSBAC_MAJOR(tid_p->file.device)
00788                && RSBAC_MINOR(tid_p->file.device)
00789               )
00790            || (target == T_DEV)
00791           )
00792       )
00793       {
00794         if (rsbac_get_attr(GEN,
00795                            target,
00796                            *tid_p,
00797                            A_log_array_low,
00798                            &i_attr_val,
00799                            FALSE))
00800           {
00801             rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00802           }
00803         else
00804           {
00805             if (rsbac_get_attr(GEN,
00806                                target,
00807                                *tid_p,
00808                                A_log_array_high,
00809                                &i_attr_val2,
00810                                FALSE))
00811               {
00812                 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00813               }
00814             else
00815               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00816                 /* WARNING: we deal with u64 here, only logical operations and */
00817                 /* shifts work correctly! */
00818                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00819                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00820                 if (   log_level == LL_full
00821                     || (   log_level == LL_denied
00822                         && (result == NOT_GRANTED
00823                             || result == UNDEFINED)) )
00824                   {
00825                     do_log = TRUE;
00826                   }
00827                 if(log_level != LL_request)
00828                   log_on_request = FALSE;
00829               }
00830           }
00831       }
00832 #endif /* CONFIG_RSBAC_IND_LOG */
00833 
00834 #ifdef CONFIG_RSBAC_IND_NETDEV_LOG /* only if individual logging for netdev is enabled */
00835     /* if netdev, depend log on log_arrays */
00836     /* log_on_request is TRUE */
00837     if(   !do_log
00838        && (target == T_NETDEV)
00839       )
00840       {
00841         if (rsbac_get_attr(GEN,
00842                            target,
00843                            *tid_p,
00844                            A_log_array_low,
00845                            &i_attr_val,
00846                            FALSE))
00847           {
00848             rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00849           }
00850         else
00851           {
00852             if (rsbac_get_attr(GEN,
00853                                target,
00854                                *tid_p,
00855                                A_log_array_high,
00856                                &i_attr_val2,
00857                                FALSE))
00858               {
00859                 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00860               }
00861             else
00862               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00863                 /* WARNING: we deal with u64 here, only logical operations and */
00864                 /* shifts work correctly! */
00865                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00866                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00867                 if (   log_level == LL_full
00868                     || (   log_level == LL_denied
00869                         && (result == NOT_GRANTED
00870                             || result == UNDEFINED)) )
00871                   {
00872                     do_log = TRUE;
00873                   }
00874                 if(log_level != LL_request)
00875                   log_on_request = FALSE;
00876               }
00877           }
00878       }
00879 #endif /* CONFIG_RSBAC_IND_NETDEV_LOG */
00880 
00881 #ifdef CONFIG_RSBAC_IND_NETOBJ_LOG /* only if individual logging for net objects is enabled */
00882     /* if nettemp, netobj, depend log on log_arrays */
00883     /* (but not for file.device = 0) */
00884     /* log_on_request is TRUE */
00885     if(   !do_log
00886        && (   (target == T_NETTEMP)
00887            || (target == T_NETOBJ)
00888           )
00889       )
00890       {
00891         enum rsbac_attribute_t i_attr1, i_attr2;
00892 
00893         if(target == T_NETOBJ)
00894           {
00895             if(rsbac_net_remote_request(request))
00896               {
00897                 i_attr1 = A_remote_log_array_low;
00898                 i_attr2 = A_remote_log_array_high;
00899               }
00900             else
00901               {
00902                 i_attr1 = A_local_log_array_low;
00903                 i_attr2 = A_local_log_array_high;
00904               }
00905           }
00906         else
00907           {
00908             i_attr1 = A_log_array_low;
00909             i_attr2 = A_log_array_high;
00910           }
00911         if (rsbac_get_attr(GEN,
00912                            target,
00913                            *tid_p,
00914                            i_attr1,
00915                            &i_attr_val,
00916                            FALSE))
00917           {
00918             rsbac_ds_get_error("rsbac_adf_request()", i_attr1);
00919           }
00920         else
00921           {
00922             if (rsbac_get_attr(GEN,
00923                                target,
00924                                *tid_p,
00925                                i_attr2,
00926                                &i_attr_val2,
00927                                FALSE))
00928               {
00929                 rsbac_ds_get_error("rsbac_adf_request()", i_attr2);
00930               }
00931             else
00932               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00933                 /* WARNING: we deal with u64 here, only logical operations and */
00934                 /* shifts work correctly! */
00935                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00936                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00937                 if (   log_level == LL_full
00938                     || (   log_level == LL_denied
00939                         && (result == NOT_GRANTED
00940                             || result == UNDEFINED)) )
00941                   {
00942                     do_log = TRUE;
00943                   }
00944                 if(log_level != LL_request)
00945                   log_on_request = FALSE;
00946               }
00947           }
00948       }
00949 #endif /* CONFIG_RSBAC_IND_NETOBJ_LOG */
00950 
00951 log:
00952     /* if enabled, try request based log level */
00953     if (   !do_log
00954         && log_on_request
00955         && (   rsbac_log_levels[request][target] == LL_full
00956             || (   rsbac_log_levels[request][target] == LL_denied
00957                 && (result == NOT_GRANTED
00958                     || result == UNDEFINED)) ) )
00959       do_log = TRUE;
00960 
00961     if(do_log)
00962       {
00963         char * request_name;
00964         char * res_name;
00965         char * res_mods;
00966         char * target_type_name;
00967         char * target_id_name;
00968         char * attr_name;
00969         char * attr_val_name;
00970 #ifdef CONFIG_RSBAC_NET_OBJ
00971         char * remote_ip_name;
00972 #else
00973         char remote_ip_name[1];
00974 #endif
00975         char * audit_uid_name;
00976         char  command[17];
00977         rsbac_pid_t parent_pid = 0;
00978         rsbac_uid_t audit_uid;
00979 #ifdef CONFIG_RSBAC_LOG_PSEUDO
00980         rsbac_pseudo_t  pseudo = 0;
00981 #endif
00982         char * program_path;
00983 
00984         /* parent pid */
00985         #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00986         if(current->parent)
00987           parent_pid = current->parent->pid;
00988         #else
00989         if(current->p_pptr)
00990           parent_pid = current->p_pptr->pid;
00991         #endif
00992 
00993         /* rsbac_kmalloc all memory */
00994         request_name = rsbac_kmalloc(32);
00995         res_name = rsbac_kmalloc(32);
00996         res_mods = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00997         target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00998         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00999         target_id_name
01000          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01001            /* max. path name len + some extra */
01002         #else
01003         target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01004            /* max. file name len + some extra */
01005         #endif
01006         #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01007         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01008         program_path
01009          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01010            /* max. path name len + some extra */
01011         #else
01012         program_path = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01013            /* max. file name len + some extra */
01014         #endif
01015         #else
01016         program_path = rsbac_kmalloc(2);
01017         #endif
01018         attr_name = rsbac_kmalloc(32);
01019         attr_val_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01020 #ifdef CONFIG_RSBAC_NET_OBJ
01021         remote_ip_name = rsbac_kmalloc(32);
01022 #endif
01023         audit_uid_name = rsbac_kmalloc(32);
01024 
01025         request_name[0] = (char) 0;
01026         target_type_name[0] = (char) 0;
01027         target_id_name[0] = (char) 0;
01028         program_path[0] = (char) 0;
01029         attr_name[0] = (char) 0;
01030         attr_val_name[0] = (char) 0;
01031         remote_ip_name[0] = (char) 0;
01032         audit_uid_name[0] = (char) 0;
01033         res_name[0] = (char) 0;
01034         res_mods[0] = (char) 0;
01035         command[0] = (char) 0;
01036         get_request_name(request_name, request);
01037     #if !defined(CONFIG_RSBAC_MAINT)
01038 /*
01039         if(result == mod_result[SW_NONE])
01040           {
01041             strcat(res_mods, " GEN");
01042           }
01043 */
01044     #if defined(CONFIG_RSBAC_MAC)
01045         if(result == mod_result[MAC])
01046           {
01047             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01048             if(rsbac_ind_softmode[MAC])
01049               strcat(res_mods, " MAC(Softmode)");
01050             else
01051             #endif
01052               strcat(res_mods, " MAC");
01053           }
01054     #endif
01055     #if defined(CONFIG_RSBAC_PM)
01056         if(result == mod_result[PM])
01057           {
01058             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01059             if(rsbac_ind_softmode[PM])
01060               strcat(res_mods, " PM(Softmode)");
01061             else
01062             #endif
01063               strcat(res_mods, " PM");
01064           }
01065     #endif
01066     #if defined(CONFIG_RSBAC_DAZ)
01067         if(result == mod_result[DAZ])
01068           {
01069             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01070             if(rsbac_ind_softmode[DAZ])
01071               strcat(res_mods, " DAZ(Softmode)");
01072             else
01073             #endif
01074               strcat(res_mods, " DAZ");
01075           }
01076     #endif
01077     #ifdef CONFIG_RSBAC_FF
01078         if(result == mod_result[FF])
01079           {
01080             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01081             if(rsbac_ind_softmode[FF])
01082               strcat(res_mods, " FF(Softmode)");
01083             else
01084             #endif
01085               strcat(res_mods, " FF");
01086           }
01087     #endif
01088     #ifdef CONFIG_RSBAC_RC
01089         if(result == mod_result[RC])
01090           {
01091             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01092             if(rsbac_ind_softmode[RC])
01093               strcat(res_mods, " RC(Softmode)");
01094             else
01095             #endif
01096               strcat(res_mods, " RC");
01097           }
01098     #endif
01099     #ifdef CONFIG_RSBAC_AUTH
01100         if(result == mod_result[AUTH])
01101           {
01102             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01103             if(rsbac_ind_softmode[AUTH])
01104               strcat(res_mods, " AUTH(Softmode)");
01105             else
01106             #endif
01107               strcat(res_mods, " AUTH");
01108           }
01109     #endif
01110     #ifdef CONFIG_RSBAC_ACL
01111         if(result == mod_result[ACL])
01112           {
01113             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01114             if(rsbac_ind_softmode[ACL])
01115               strcat(res_mods, " ACL(Softmode)");
01116             else
01117             #endif
01118               strcat(res_mods, " ACL");
01119           }
01120     #endif
01121     #ifdef CONFIG_RSBAC_CAP
01122         if(result == mod_result[CAP])
01123           {
01124             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01125             if(rsbac_ind_softmode[CAP])
01126               strcat(res_mods, " CAP(Softmode)");
01127             else
01128             #endif
01129               strcat(res_mods, " CAP");
01130           }
01131     #endif
01132     #ifdef CONFIG_RSBAC_JAIL
01133         if(result == mod_result[JAIL])
01134           {
01135             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01136             if(rsbac_ind_softmode[JAIL])
01137               strcat(res_mods, " JAIL(Softmode)");
01138             else
01139             #endif
01140               strcat(res_mods, " JAIL");
01141           }
01142     #endif
01143     #ifdef CONFIG_RSBAC_RES
01144         if(result == mod_result[RES])
01145           {
01146             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01147             if(rsbac_ind_softmode[RES])
01148               strcat(res_mods, " RES(Softmode)");
01149             else
01150             #endif
01151               strcat(res_mods, " RES");
01152           }
01153     #endif
01154     #ifdef CONFIG_RSBAC_REG
01155         if(result == mod_result[REG])
01156           {
01157             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01158             if(rsbac_ind_softmode[REG])
01159               strcat(res_mods, " REG(Softmode)");
01160             else
01161             #endif
01162               strcat(res_mods, " REG");
01163           }
01164     #endif
01165     #endif /* !MAINT */
01166         if(!res_mods[0])
01167           strcat(res_mods, " ADF");
01168 
01169         /* Get process audit_uid */
01170         i_tid.process = caller_pid;
01171         if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
01172           {
01173             rsbac_ds_get_error("rsbac_adf_request()", A_audit_uid);
01174             return(NOT_GRANTED);  /* something weird happened */
01175           }
01176         audit_uid = i_attr_val.audit_uid;
01177         if(audit_uid == RSBAC_NO_USER)
01178           audit_uid = owner;
01179         else
01180           sprintf(audit_uid_name, "audit uid %u, ", audit_uid);
01181 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01182         /* Get owner's logging pseudo */
01183         i_tid.user = audit_uid;
01184         if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
01185           {
01186             rsbac_ds_get_error("rsbac_adf_request()", A_pseudo);
01187             return(NOT_GRANTED);  /* something weird happened */
01188           }
01189         /* if pseudo is not registered, return attribute value is 0 (see later) */
01190         pseudo = i_attr_val.pseudo;
01191 #endif
01192 
01193 #ifdef CONFIG_RSBAC_NET_OBJ
01194         /* Get process remote_ip */
01195         i_tid.process = caller_pid;
01196         if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_remote_ip,&i_attr_val,FALSE))
01197           {
01198             rsbac_ds_get_error("rsbac_adf_request()", A_remote_ip);
01199             return(NOT_GRANTED);  /* something weird happened */
01200           }
01201         if(i_attr_val.remote_ip)
01202           sprintf(remote_ip_name, "remote ip %u.%u.%u.%u, ", NIPQUAD(i_attr_val.remote_ip));
01203 #endif
01204 
01205         #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01206         {
01207           struct mm_struct * mm;
01208           struct vm_area_struct * vma;
01209           struct dentry * dentry_p = NULL;
01210 
01211           mm = current->mm;
01212           if(mm)
01213             {
01214               atomic_inc(&mm->mm_users);
01215               if(!down_read_trylock(&mm->mmap_sem))
01216                 goto down_failed;
01217               vma = mm->mmap;
01218               while (vma)
01219                 {
01220                   if(   (vma->vm_flags & VM_EXECUTABLE)
01221                      && vma->vm_file)
01222                     {
01223                       dentry_p = dget(vma->vm_file->f_dentry);
01224                       break;
01225                     }
01226                   vma = vma->vm_next;
01227                 }
01228               up_read(&mm->mmap_sem);
01229               if(dentry_p)
01230                 {
01231                   char * p = program_path;
01232 
01233                   p += sprintf(program_path, ", prog_file ");
01234                   #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01235                   rsbac_get_full_path(dentry_p, p, CONFIG_RSBAC_MAX_PATH_LEN);
01236                   #else
01237                   int namelen = rsbac_min(dentry_p->d_name.len, RSBAC_MAXNAMELEN);
01238 
01239                   strncpy(p, dentry_p->d_name.name, namelen);
01240                   p[namelen]=0;
01241                   #endif
01242                   dput(dentry_p);
01243                 }
01244 down_failed:
01245               mmput(mm);
01246             }
01247         }
01248         #endif
01249         get_target_name(target_type_name, target, target_id_name, *tid_p);
01250         get_attribute_name(attr_name, attr);
01251         get_attribute_value_name(attr_val_name, attr, attr_val_p);
01252         get_result_name(res_name, result);
01253         if ((current) && (current->comm))
01254           {
01255             strncpy(command,current->comm,16);          
01256             command[16] = (char) 0;
01257           }
01258 
01259 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01260         /* if pseudo is set, its value is != 0, else -> use id */
01261         if (pseudo)
01262           {
01263     #ifdef CONFIG_RSBAC_SOFTMODE
01264             if(rsbac_softmode)
01265               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01266                            request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01267             else
01268     #endif
01269               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01270                            request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01271           }
01272         else
01273 #endif
01274           {
01275     #ifdef CONFIG_RSBAC_SOFTMODE
01276             if(rsbac_softmode)
01277               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01278                            request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01279             else
01280     #endif
01281               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01282                            request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01283           }
01284         /* rsbac_kfree all helper mem */
01285         rsbac_kfree(request_name);
01286         rsbac_kfree(res_name);
01287         rsbac_kfree(res_mods);
01288         rsbac_kfree(target_type_name);
01289         rsbac_kfree(target_id_name);
01290         rsbac_kfree(program_path);
01291         rsbac_kfree(attr_name);
01292         rsbac_kfree(attr_val_name);
01293 #ifdef CONFIG_RSBAC_NET_OBJ
01294         rsbac_kfree(remote_ip_name);
01295 #endif
01296         rsbac_kfree(audit_uid_name);
01297       }
01298 
01299 /* UNDEFINED must never be returned -> change result */
01300     if(result == UNDEFINED)
01301       result = NOT_GRANTED;
01302 
01303 /* count */
01304     rsbac_adf_request_count[target]++;
01305 #ifdef CONFIG_RSBAC_XSTATS
01306     rsbac_adf_request_xcount[target][request]++;
01307 #endif
01308 
01309 /* return result */
01310     #ifdef CONFIG_RSBAC_SOFTMODE
01311     if(rsbac_softmode && !rsbac_internal)
01312       return DO_NOT_CARE;
01313     else
01314     #endif
01315     #ifdef CONFIG_RSBAC_SOFTMODE_IND
01316       return ret_result;
01317     #else
01318       return result; /* change for debugging! */
01319     #endif
01320   } /* end of rsbac_adf_request_int() */
01321 
01322 
01323 /*********************************************************************/
01324 /* rsbac_adf_request()                                               */
01325 /* This function is the main decision function, called from the AEF. */
01326 /* It is a simple wrapper to the internal function, setting          */
01327 /* ignore_module to SW_NONE.                                         */
01328 
01329 EXPORT_SYMBOL(rsbac_adf_request);
01330 enum rsbac_adf_req_ret_t
01331    rsbac_adf_request( enum  rsbac_adf_request_t     request,
01332                             rsbac_pid_t             caller_pid,
01333                       enum  rsbac_target_t          target,
01334                       union rsbac_target_id_t       tid,
01335                       enum  rsbac_attribute_t       attr,
01336                       union rsbac_attribute_value_t attr_val)
01337   {
01338     return(rsbac_adf_request_int(request,
01339                                  caller_pid,
01340                                  target,
01341                                  &tid,
01342                                  attr,
01343                                  &attr_val,
01344                                  SW_NONE));
01345   }
01346 
01347 /*****************************************************************************/
01348 /* If the request returned granted and the operation is performed,           */
01349 /* the following function is called by the AEF to get all aci set correctly. */
01350 /* The second instance of target specification is the new target, if one has */
01351 /* been created, otherwise its values are ignored.                           */
01352 /* It returns 0 on success and an error from error.h otherwise.              */
01353 
01354 EXPORT_SYMBOL(rsbac_adf_set_attr);
01355 int  rsbac_adf_set_attr(
01356                       enum  rsbac_adf_request_t     request,
01357                             rsbac_pid_t             caller_pid,
01358                       enum  rsbac_target_t          target,
01359                       union rsbac_target_id_t       tid,
01360                       enum  rsbac_target_t          new_target,
01361                       union rsbac_target_id_t       new_tid,
01362                       enum  rsbac_attribute_t       attr,
01363                       union rsbac_attribute_value_t attr_val)
01364   {
01365     union rsbac_target_id_t i_tid;
01366     rsbac_uid_t owner;
01367     int   error = 0;
01368     rsbac_boolean_t do_log = FALSE;
01369     rsbac_boolean_t log_on_request = TRUE;
01370     union rsbac_attribute_value_t i_attr_val;
01371 #ifdef CONFIG_RSBAC_IND_LOG
01372     union rsbac_attribute_value_t i_attr_val2;
01373     enum rsbac_log_level_t log_level;
01374 #endif
01375 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01376     struct super_block * sb_p;
01377 #endif
01378 
01379 /* No attribute setting possible before init (called at boot time) */
01380 
01381    if (!rsbac_is_initialized())
01382       return(0);
01383 
01384 /* kernel (pid 0) is ignored */
01385     if (   !caller_pid
01386         #if defined(CONFIG_RSBAC_LOG_REMOTE)
01387         || (caller_pid == rsbaclogd_pid)
01388         #endif
01389        )
01390       return(0);
01391 
01392 /* Checking base values */
01393     if(   request >= R_NONE
01394        || target > T_NONE
01395        || new_target > T_NONE
01396        || attr > A_none)
01397       {
01398         rsbac_printk(KERN_WARNING
01399                "rsbac_adf_set_attr(): called with invalid request, target or attribute\n");
01400         return(-RSBAC_EINVALIDVALUE);
01401       }
01402 
01403 /* Getting basic information about this adf_set_attr-call */
01404 
01405     owner = RSBAC_NO_USER;
01406     /* only useful for real process, not idle or init */
01407     if (caller_pid > 1)
01408       {
01409         error = rsbac_get_owner(&owner);
01410         if(error)
01411           {
01412             rsbac_printk(KERN_DEBUG
01413                    "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0",
01414                    caller_pid);
01415             return(0);      /* Startup-Sequence (see above) */
01416           }
01417       }
01418     else /* caller_pid = 1  -> init -> owner = root */
01419       owner = 0;
01420 
01421 /*************************************************/
01422 /* General work for all modules - before modules */
01423 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01424     if (   (   (target == T_FILE)
01425             || (target == T_DIR)
01426             || (target == T_FIFO)
01427             || (target == T_SYMLINK)
01428            )
01429         && ((sb_p = rsbac_get_super_block(tid.file.device)))
01430         && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
01431             || (sb_p->s_magic == CODA_SUPER_MAGIC)
01432             || (sb_p->s_magic == NCP_SUPER_MAGIC)
01433             || (sb_p->s_magic == SMB_SUPER_MAGIC)
01434            )
01435        )
01436       {
01437         error = 0;
01438         goto log;
01439       }
01440 #endif
01441 
01442 /**********************************************************/
01443 /* calling all decision modules, building a common result */
01444 
01445 
01446 #ifdef CONFIG_RSBAC_DEBUG
01447 /* first, check for valid request/target combination      */
01448 error |= rsbac_adf_set_attr_check(request,
01449                                   caller_pid,
01450                                   target,
01451                                   tid,
01452                                   new_target,
01453                                   new_tid,
01454                                   attr,
01455                                   attr_val,
01456                                   owner);
01457 if(error)
01458   goto general_work;
01459 #endif
01460 
01461 #if !defined(CONFIG_RSBAC_MAINT)
01462 /******* MAC ********/
01463 #if defined(CONFIG_RSBAC_MAC)
01464 #ifdef CONFIG_RSBAC_SWITCH_MAC
01465 if (rsbac_switch_mac)
01466 #endif
01467   error |= rsbac_adf_set_attr_mac(request,
01468                                   caller_pid,
01469                                   target,
01470                                   tid,
01471                                   new_target,
01472                                   new_tid,
01473                                   attr,
01474                                   attr_val,
01475                                   owner);
01476 #endif  /* MAC */
01477 
01478 /******* PM ********/
01479 #ifdef CONFIG_RSBAC_PM
01480 #ifdef CONFIG_RSBAC_SWITCH_PM
01481 if (rsbac_switch_pm)
01482 #endif
01483   error |= rsbac_adf_set_attr_pm (request,
01484                                   caller_pid,
01485                                   target,
01486                                   tid,
01487                                   new_target,
01488                                   new_tid,
01489                                   attr,
01490                                   attr_val,
01491                                   owner);
01492 #endif  /* PM */
01493 
01494 /******* DAZ ********/
01495 #ifdef CONFIG_RSBAC_DAZ
01496 #ifdef CONFIG_RSBAC_SWITCH_DAZ
01497 if (rsbac_switch_daz)
01498 #endif
01499   error |= rsbac_adf_set_attr_daz (request,
01500                                   caller_pid,
01501                                   target,
01502                                   tid,
01503                                   new_target,
01504                                   new_tid,
01505                                   attr,
01506                                   attr_val,
01507                                   owner);
01508 #endif  /* DAZ */
01509 
01510 /******* FF ********/
01511 #if 0 /* Nothing to do in there */
01512 #ifdef CONFIG_RSBAC_FF
01513 #ifdef CONFIG_RSBAC_SWITCH_FF
01514 if (rsbac_switch_ff)
01515 #endif
01516   error |= rsbac_adf_set_attr_ff (request,
01517                                   caller_pid,
01518                                   target,
01519                                   tid,
01520                                   new_target,
01521                                   new_tid,
01522                                   attr,
01523                                   attr_val,
01524                                   owner);
01525 #endif  /* FF */
01526 #endif /* 0 */
01527 
01528 /******* RC ********/
01529 #ifdef CONFIG_RSBAC_RC
01530 #ifdef CONFIG_RSBAC_SWITCH_RC
01531 if (rsbac_switch_rc)
01532 #endif
01533   error |= rsbac_adf_set_attr_rc (request,
01534                                   caller_pid,
01535                                   target,
01536                                   tid,
01537                                   new_target,
01538                                   new_tid,
01539                                   attr,
01540                                   attr_val,
01541                                   owner);
01542 #endif  /* RC */
01543 
01544 /****** AUTH *******/
01545 #ifdef CONFIG_RSBAC_AUTH
01546 #ifdef CONFIG_RSBAC_SWITCH_AUTH
01547 if (rsbac_switch_auth)
01548 #endif
01549   error |= rsbac_adf_set_attr_auth(request,
01550                                    caller_pid,
01551                                    target,
01552                                    tid,
01553                                    new_target,
01554                                    new_tid,
01555                                    attr,
01556                                    attr_val,
01557                                    owner);
01558 #endif  /* AUTH */
01559 
01560 /****** ACL *******/
01561 #if 0 /* Nothing there */
01562 #ifdef CONFIG_RSBAC_ACL
01563 #ifdef CONFIG_RSBAC_SWITCH_ACL
01564 if (rsbac_switch_acl)
01565 #endif
01566   error |= rsbac_adf_set_attr_acl (request,
01567                                    caller_pid,
01568                                    target,
01569                                    tid,
01570                                    new_target,
01571                                    new_tid,
01572                                    attr,
01573                                    attr_val,
01574                                    owner);
01575 #endif  /* ACL */
01576 #endif
01577 
01578 /****** CAP *******/
01579 #ifdef CONFIG_RSBAC_CAP
01580 #ifdef CONFIG_RSBAC_SWITCH_CAP
01581 if (rsbac_switch_cap)
01582 #endif
01583   error |= rsbac_adf_set_attr_cap (request,
01584                                    caller_pid,
01585                                    target,
01586                                    tid,
01587                                    new_target,
01588                                    new_tid,
01589                                    attr,
01590                                    attr_val,
01591                                    owner);
01592 #endif  /* CAP */
01593 
01594 /****** JAIL *******/
01595 #ifdef CONFIG_RSBAC_JAIL
01596 #ifdef CONFIG_RSBAC_SWITCH_JAIL
01597 if (rsbac_switch_jail)
01598 #endif
01599   error |= rsbac_adf_set_attr_jail(request,
01600                                    caller_pid,
01601                                    target,
01602                                    tid,
01603                                    new_target,
01604                                    new_tid,
01605                                    attr,
01606                                    attr_val,
01607                                    owner);
01608 #endif  /* JAIL */
01609 
01610 /******* PAX ********/
01611 #ifdef CONFIG_RSBAC_PAX
01612 #ifdef CONFIG_RSBAC_SWITCH_PAX
01613 if (rsbac_switch_pax)
01614 #endif
01615   error |= rsbac_adf_set_attr_pax (request,
01616                                   caller_pid,
01617                                   target,
01618                                   tid,
01619                                   new_target,
01620                                   new_tid,
01621                                   attr,
01622                                   attr_val,
01623                                   owner);
01624 #endif  /* PAX */
01625 
01626 /****** RES *******/
01627 #ifdef CONFIG_RSBAC_RES
01628 #ifdef CONFIG_RSBAC_SWITCH_RES
01629 if (rsbac_switch_res)
01630 #endif
01631   error |= rsbac_adf_set_attr_res (request,
01632                                    caller_pid,
01633                                    target,
01634                                    tid,
01635                                    new_target,
01636                                    new_tid,
01637                                    attr,
01638                                    attr_val,
01639                                    owner);
01640 #endif  /* RES */
01641 
01642 /****** REG *******/
01643 #ifdef CONFIG_RSBAC_REG
01644   error |= rsbac_adf_set_attr_reg (request,
01645                                    caller_pid,
01646                                    target,
01647                                    tid,
01648                                    new_target,
01649                                    new_tid,
01650                                    attr,
01651                                    attr_val,
01652                                    owner);
01653 #endif  /* REG */
01654 #endif /* !MAINT */
01655 
01656 /* General work for all modules (after set_attr call) */
01657 #ifdef CONFIG_RSBAC_DEBUG
01658 general_work:
01659 #endif
01660     switch(request)
01661       {
01662         /* remove deleted item from rsbac data */
01663         case R_DELETE :
01664             switch (target)
01665               {
01666                 case T_FILE:
01667                 case T_FIFO:
01668                 case T_SYMLINK:
01669                   /* Only remove file/fifo target on deletion of last link */
01670                   if (   (attr == A_nlink)
01671                       && (attr_val.nlink > 1)
01672                      )
01673                      break;
01674                   /* fall through */
01675                 case T_DIR:
01676                   rsbac_remove_target(target,tid);
01677                   break;
01678                 case T_IPC:
01679                   /* shm removal delayed and removed directly, when destroyed */
01680                   if(tid.ipc.type != I_shm)
01681                     rsbac_remove_target(target,tid);
01682                   break;
01683                 default:
01684                   break;
01685               }
01686             break;
01687 
01688         case R_CLONE:
01689             switch (target)
01690               {
01691                 case T_PROCESS:
01692                   #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01693                   /* get program based log from old process */
01694                   if (rsbac_get_attr(GEN,
01695                                      target,
01696                                      tid,
01697                                      A_log_program_based,
01698                                      &i_attr_val,
01699                                      FALSE))
01700                     {
01701                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01702                     }
01703                   else
01704                     { /* only set, of not default value 0 */
01705                       if(i_attr_val.log_program_based)
01706                         {
01707                           /* set program based log for new process */
01708                           if (rsbac_set_attr(GEN, new_target,
01709                                              new_tid,
01710                                              A_log_program_based,
01711                                              i_attr_val))
01712                             {
01713                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01714                             }
01715                         }
01716                     }
01717                   #endif
01718                   #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01719                   /* get fake_root_uid from old process */
01720                   if (rsbac_get_attr(GEN,
01721                                      target,
01722                                      tid,
01723                                      A_fake_root_uid,
01724                                      &i_attr_val,
01725                                      FALSE))
01726                     {
01727                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01728                     }
01729                   else
01730                     { /* only set, of not default value 0 */
01731                       if(i_attr_val.fake_root_uid)
01732                         {
01733                           /* set program based log for new process */
01734                           if (rsbac_set_attr(GEN, new_target,
01735                                              new_tid,
01736                                              A_fake_root_uid,
01737                                              i_attr_val))
01738                             {
01739                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01740                             }
01741                         }
01742                     }
01743                   #endif
01744                   #if defined(CONFIG_RSBAC_NET)
01745                   /* get remote_ip from old process */
01746                   if (rsbac_get_attr(GEN,
01747                                      target,
01748                                      tid,
01749                                      A_remote_ip,
01750                                      &i_attr_val,
01751                                      FALSE))
01752                     {
01753                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_remote_ip);
01754                     }
01755                   else
01756                     { /* only set, of not default value 0 */
01757                       if(i_attr_val.remote_ip)
01758                         {
01759                           /* set program based log for new process */
01760                           if (rsbac_set_attr(GEN, new_target,
01761                                              new_tid,
01762                                              A_remote_ip,
01763                                              i_attr_val))
01764                             {
01765                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01766                             }
01767                         }
01768                     }
01769                   #endif
01770                   /* get audit_uid from old process */
01771                   if (rsbac_get_attr(GEN,
01772                                      target,
01773                                      tid,
01774                                      A_audit_uid,
01775                                      &i_attr_val,
01776                                      FALSE))
01777                     {
01778                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
01779                     }
01780                   else
01781                     { /* only set, of not default value NO_USER */
01782                       if(i_attr_val.audit_uid != RSBAC_NO_USER)
01783                         {
01784                           /* set audit uid for new process */
01785                           if (rsbac_set_attr(GEN,
01786                                              new_target,
01787                                              new_tid,
01788                                              A_audit_uid,
01789                                              i_attr_val))
01790                             {
01791                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_audit_uid);
01792                             }
01793                         }
01794                     }
01795                   /* get auid_exempt from old process */
01796                   if (rsbac_get_attr(GEN,
01797                                      target,
01798                                      tid,
01799                                      A_auid_exempt,
01800                                      &i_attr_val,
01801                                      FALSE))
01802                     {
01803                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01804                     }
01805                   else
01806                     { /* only set, of not default value NO_USER */
01807                       if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01808                         {
01809                           /* set program based log for new process */
01810                           if (rsbac_set_attr(GEN,
01811                                              new_target,
01812                                              new_tid,
01813                                              A_auid_exempt,
01814                                              i_attr_val))
01815                             {
01816                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01817                             }
01818                         }
01819                     }
01820                   break;
01821 
01822                 default:
01823                   break;
01824               }
01825             break;
01826 
01827 #ifdef CONFIG_RSBAC_NET_OBJ
01828         case R_CLOSE:
01829             switch (target)
01830               {
01831                 case T_NETOBJ:
01832                   rsbac_remove_target(target,tid);
01833                   break;
01834 
01835                 default:
01836                   break;
01837               }
01838             break;
01839         case R_ACCEPT:
01840             switch (target)
01841               {
01842                 case T_NETOBJ:
01843                   /* store remote IP */
01844                   if(   tid.netobj.sock_p
01845                      && tid.netobj.sock_p->ops
01846                      && tid.netobj.sock_p->sk
01847                      && (tid.netobj.sock_p->ops->family == AF_INET)
01848                     )
01849                     {
01850                       i_tid.process = caller_pid;
01851 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01852                       i_attr_val.remote_ip = inet_sk(tid.netobj.sock_p->sk)->daddr;
01853 #else
01854                       i_attr_val.remote_ip = tid.netobj.sock_p->sk->daddr;
01855 #endif
01856                       /* set program based log for new process */
01857                       if (rsbac_set_attr(GEN,
01858                                          T_PROCESS,
01859                                          i_tid,
01860                                          A_remote_ip,
01861                                          i_attr_val))
01862                         {
01863                           rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01864                         }
01865                     }
01866                   break;
01867 
01868                 default:
01869                   break;
01870               }
01871             break;
01872 #endif /* CONFIG_RSBAC_NET_OBJ */
01873 
01874         case R_EXECUTE :
01875             switch (target)
01876               {
01877                 case T_FILE:
01878                   #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01879                   /* get program based log from file */
01880                   if (rsbac_get_attr(GEN,
01881                                      target,
01882                                      tid,
01883                                      A_log_program_based,
01884                                      &i_attr_val,
01885                                      FALSE))
01886                     {
01887                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01888                     }
01889                   else
01890                     {
01891                       /* set program based log for process */
01892                       i_tid.process = caller_pid;
01893                       if (rsbac_set_attr(GEN, T_PROCESS,
01894                                          i_tid,
01895                                          A_log_program_based,
01896                                          i_attr_val))
01897                         {
01898                           rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01899                         }
01900                     }
01901                   #endif
01902                   #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01903                   /* get fake_root_uid from file */
01904                   if (rsbac_get_attr(GEN,
01905                                      target,
01906                                      tid,
01907                                      A_fake_root_uid,
01908                                      &i_attr_val,
01909                                      FALSE))
01910                     {
01911                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01912                     }
01913                   else
01914                     {
01915                       /* set fake_root_uid for process */
01916                       if(i_attr_val.fake_root_uid)
01917                         {
01918                           i_tid.process = caller_pid;
01919                           if (rsbac_set_attr(GEN, T_PROCESS,
01920                                              i_tid,
01921                                              A_fake_root_uid,
01922                                              i_attr_val))
01923                             {
01924                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01925                             }
01926                         }
01927                     }
01928                   #endif
01929                   /* get auid_exempt from file */
01930                   if (rsbac_get_attr(GEN,
01931                                      target,
01932                                      tid,
01933                                      A_auid_exempt,
01934                                      &i_attr_val,
01935                                      FALSE))
01936                     {
01937                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01938                     }
01939                   else
01940                     {
01941                       if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01942                         {
01943                           /* set auid_exempt for process */
01944                           i_tid.process = caller_pid;
01945                           if (rsbac_set_attr(GEN, T_PROCESS,
01946                                              i_tid,
01947                                              A_auid_exempt,
01948                                              i_attr_val))
01949                             {
01950                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01951                             }
01952                         }
01953                     }
01954                   break;
01955 
01956                 default:
01957                   break;
01958               }
01959             break;
01960 
01961         default:
01962             break;
01963       }
01964 
01965 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
01966     if(    rsbac_debug_adf_net
01967        && (   (target == T_NETDEV)
01968            || (target == T_NETTEMP)
01969            || (target == T_NETOBJ)
01970           )
01971       )
01972       do_log = TRUE;
01973 #endif
01974 
01975 /* log based on process owner */
01976 #ifdef CONFIG_RSBAC_IND_USER_LOG
01977     i_tid.user = owner;
01978     if (rsbac_get_attr(GEN,
01979                        T_USER,
01980                        i_tid,
01981                        A_log_user_based,
01982                        &i_attr_val,
01983                        FALSE))
01984       {
01985         rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_user_based);
01986       }
01987     else
01988       {
01989         if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 
01990           do_log = TRUE;
01991       }
01992 #endif /* CONFIG_RSBAC_IND_USER_LOG */
01993 
01994 /* log based on program */
01995 #ifdef CONFIG_RSBAC_IND_PROG_LOG
01996     if(!do_log)
01997       {
01998         i_tid.process = caller_pid;
01999         if (rsbac_get_attr(GEN,
02000                            T_PROCESS,
02001                            i_tid,
02002                            A_log_program_based,
02003                            &i_attr_val,
02004                            FALSE))
02005           {
02006             rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
02007           }
02008         else
02009           {
02010             if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 
02011               do_log = TRUE;
02012           }
02013       }
02014 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
02015 
02016 
02017 /* logging request on info level, if requested by file/dir/dev attributes */
02018 /* log_array_low/high, or, if that is requested, if enabled for this request */
02019 /* type (attributes state level, or that request based level is to be taken) */
02020 /* loglevel 2: log everything */
02021 /* loglevel 1: log, if denied */
02022 /* loglevel 0: log nothing */
02023 
02024 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
02025     /* if file/dir/dev, depend log on log_arrays */
02026     /* (but not for file.device = 0) */
02027     /* log_on_request is TRUE */
02028     if(!do_log)
02029       {
02030         if(   (   (   (target == T_FILE)
02031                    || (target == T_DIR)
02032                    || (target == T_FIFO)
02033                    || (target == T_SYMLINK)
02034                   )
02035                && RSBAC_MAJOR(tid.file.device)
02036                && RSBAC_MINOR(tid.file.device)
02037               )
02038            || (target == T_DEV)
02039           )
02040           {
02041             if (rsbac_get_attr(GEN,
02042                                target,
02043                                tid,
02044                                A_log_array_low,
02045                                &i_attr_val,
02046                                FALSE))
02047               {
02048                 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_low);
02049               }
02050             else
02051               {
02052                 if (rsbac_get_attr(GEN,
02053                                    target,
02054                                    tid,
02055                                    A_log_array_high,
02056                                    &i_attr_val2,
02057                                    FALSE))
02058                   {
02059                     rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_high);
02060                   }
02061                 else
02062                   { /* ll = low-bit for request | (high-bit for request as bit 1) */
02063                     log_level =   ((i_attr_val.log_array_low   >> request) & 1)
02064                               | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
02065                     if (   log_level == LL_full
02066                         || (   log_level == LL_denied
02067                             && error) )
02068                       {
02069                         do_log = TRUE;
02070                       }
02071                     if(log_level != LL_request)
02072                       log_on_request = FALSE;
02073                   }
02074               }
02075           }
02076       }
02077 #endif /* CONFIG_RSBAC_IND_LOG */
02078 
02079 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
02080 log:
02081 #endif
02082     /* if enabled, try request based log level */
02083     if (log_on_request
02084         && (   rsbac_log_levels[request][target] == LL_full
02085             || (   rsbac_log_levels[request][target] == LL_denied
02086                 && error) ) )
02087       do_log = TRUE;
02088 
02089     if(do_log)
02090       {
02091         char * request_name;
02092         char * target_type_name;
02093         char * new_target_type_name;
02094         char * target_id_name;
02095         char * new_target_id_name;
02096         char * attr_name;
02097         rsbac_uid_t audit_uid;
02098 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02099         rsbac_pseudo_t  pseudo = 0;
02100 #endif
02101 
02102         /* Get process audit_uid */
02103         i_tid.process = caller_pid;
02104         if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
02105           {
02106             rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
02107             return -RSBAC_EREADFAILED;  /* something weird happened */
02108           }
02109         audit_uid = i_attr_val.audit_uid;
02110         if(audit_uid == RSBAC_NO_USER)
02111           audit_uid = owner;
02112 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02113         /* Get owner's logging pseudo */
02114         i_tid.user = audit_uid;
02115         if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
02116           {
02117             rsbac_ds_get_error("rsbac_adf_set_attr()", A_pseudo);
02118             return -RSBAC_EREADFAILED;  /* something weird happened */
02119           }
02120         /* if pseudo is not registered, return attribute value is 0 (see later) */
02121         pseudo = i_attr_val.pseudo;
02122 #endif
02123 
02124         /* rsbac_kmalloc all memory */
02125         request_name = rsbac_kmalloc(32);
02126         target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02127         new_target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02128         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
02129         target_id_name
02130          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02131         new_target_id_name
02132          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02133            /* max. path name len + some extra */
02134         #else
02135         target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02136         new_target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02137            /* max. file name len + some extra */
02138         #endif
02139         attr_name = rsbac_kmalloc(32);
02140 
02141         /* Getting basic information about this request */
02142         request_name[0] = (char) 0;
02143         target_type_name[0] = (char) 0;
02144         target_id_name[0] = (char) 0;
02145         new_target_type_name[0] = (char) 0;
02146         new_target_id_name[0] = (char) 0;
02147         attr_name[0] = (char) 0;
02148         get_request_name(request_name, request);
02149         get_target_name(target_type_name, target, target_id_name, tid);
02150         get_target_name(new_target_type_name, new_target,
02151                         new_target_id_name, new_tid);
02152         get_attribute_name(attr_name, attr);
02153 
02154 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02155         if(pseudo)
02156           rsbac_printk(KERN_INFO
02157                        "rsbac_adf_set_attr(): request %s, pid %u, pseudo %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02158                        request_name, (u_int) caller_pid, pseudo, target_type_name, target_id_name,
02159                        new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02160         else
02161 #endif
02162           rsbac_printk(KERN_INFO
02163                        "rsbac_adf_set_attr(): request %s, pid %u, uid %u, audit_uid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02164                        request_name, (u_int) caller_pid, owner, audit_uid, target_type_name, target_id_name,
02165                        new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02166         /* rsbac_kfree all helper mem */
02167         rsbac_kfree(request_name);
02168         rsbac_kfree(target_type_name);
02169         rsbac_kfree(new_target_type_name);
02170         rsbac_kfree(target_id_name);
02171         rsbac_kfree(new_target_id_name);
02172         rsbac_kfree(attr_name);
02173       }
02174 
02175 /* count */
02176     rsbac_adf_set_attr_count[target]++;
02177 #ifdef CONFIG_RSBAC_XSTATS
02178     rsbac_adf_set_attr_xcount[target][request]++;
02179 #endif
02180 
02181     return(error);
02182   } /* end of rsbac_adf_set_attr() */
02183 
02184 
02185 /****************
02186  *
02187  * Secure Delete
02188  *
02189  ****************/
02190 
02191 #ifdef CONFIG_RSBAC_SECDEL
02192 
02193 /* open_by_dentry */
02194 /* This is done by hand (copy from rsbac_read_open), because system calls */
02195 /* are currently blocked by rsbac */
02196 
02197 static int open_by_dentry(struct dentry * file_dentry_p, struct file * file_p)
02198   {
02199     int tmperr;
02200 
02201     if ( !(S_ISREG(file_dentry_p->d_inode->i_mode)) )
02202       { /* this is not a file! -> error! */
02203         rsbac_printk(KERN_WARNING
02204                "open_by_dentry(): expected file is not a file!\n");
02205         return (-RSBAC_EWRITEFAILED);
02206       }
02207     /* Now we fill the file structure, and */
02208     /* if there is an open func, use it, otherwise ignore */
02209     if ((tmperr = init_private_file(file_p, file_dentry_p, O_WRONLY | O_SYNC)))
02210       {
02211         rsbac_printk(KERN_WARNING
02212                "open_by_dentry(): could not open file!\n");
02213         return (-RSBAC_EWRITEFAILED);
02214       }
02215     /* Without a write function we get into troubles -> error */
02216     if ((!file_p->f_op) || (!file_p->f_op->write))
02217       {
02218         rsbac_printk(KERN_WARNING
02219                "open_by_dentry(): file write function missing!\n");
02220         if (file_p->f_op && file_p->f_op->release)
02221           file_p->f_op->release(file_dentry_p->d_inode,file_p);
02222         return(-RSBAC_EWRITEFAILED);
02223       }
02224     /* trying to get write access                                   */
02225 /*
02226     if (get_write_access(file_dentry_p->d_inode))
02227       {
02228         rsbac_printk(KERN_WARNING
02229                "rsbac_write_open(): could not get write access!\n");
02230         if (file_p->f_op->release)
02231           file_p->f_op->release(file_dentry_p->d_inode,file_p);
02232         return(-RSBAC_EWRITEFAILED);
02233       }
02234 */
02235     return 0;
02236   }
02237 
02238 /*
02239  **********************
02240  * Secure File Truncation
02241  */
02242 rsbac_boolean_t writable(struct super_block * sb_p);
02243 
02244 static int do_rsbac_sec_trunc(struct dentry * dentry_p,
02245                               loff_t new_len,
02246                               loff_t old_len,
02247                               rsbac_boolean_t need_lock)
02248   {
02249 #if defined(CONFIG_RSBAC_MAINT)
02250     return 0;
02251 #else
02252     int                           err = 0;
02253     rsbac_boolean_t                       need_overwrite = FALSE;
02254 
02255     if (!rsbac_is_initialized())
02256       return 0;
02257     /* security checks */
02258     if(   !dentry_p
02259        || !dentry_p->d_inode)
02260       return -RSBAC_EINVALIDPOINTER;
02261     if(!S_ISREG(dentry_p->d_inode->i_mode))
02262       return -RSBAC_EINVALIDTARGET;
02263     if(dentry_p->d_sb->s_magic == PIPEFS_MAGIC)
02264       return 0;
02265     if(new_len >= old_len)
02266       return 0;
02267 
02268     if(dentry_p->d_inode && !writable(dentry_p->d_inode->i_sb))
02269       {
02270 #ifdef CONFIG_RSBAC_DEBUG
02271         if(rsbac_debug_write)
02272           {
02273             rsbac_printk(KERN_DEBUG
02274                    "do_rsbac_sec_trunc(): ignoring file %lu on network device %02u:%02u!\n",
02275                    dentry_p->d_inode->i_ino,
02276                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02277                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02278           }
02279 #endif
02280         return 0;
02281       }
02282 
02283     /******* PM ********/
02284     #ifdef CONFIG_RSBAC_PM
02285     #ifdef CONFIG_RSBAC_SWITCH_PM
02286     if (rsbac_switch_pm)
02287     #endif
02288       /* no need to call module, if already need_overwrite */
02289       if(!need_overwrite)
02290         need_overwrite = rsbac_need_overwrite_pm(dentry_p);
02291     #endif  /* PM */
02292 
02293     /******* FF ********/
02294     #ifdef CONFIG_RSBAC_FF
02295     #ifdef CONFIG_RSBAC_SWITCH_FF
02296     if (rsbac_switch_ff)
02297     #endif
02298       /* no need to call module, if already need_overwrite */
02299       if(!need_overwrite)
02300         need_overwrite = rsbac_need_overwrite_ff(dentry_p);
02301     #endif  /* FF */
02302 
02303     /******* RC ********/
02304     #ifdef CONFIG_RSBAC_RC
02305     #ifdef CONFIG_RSBAC_SWITCH_RC
02306     if (rsbac_switch_rc)
02307     #endif
02308       /* no need to call module, if already need_overwrite */
02309       if(!need_overwrite)
02310         need_overwrite = rsbac_need_overwrite_rc(dentry_p);
02311     #endif  /* RC */
02312 
02313     /****** RES *******/
02314     #ifdef CONFIG_RSBAC_RES
02315     #ifdef CONFIG_RSBAC_SWITCH_RES
02316     if (rsbac_switch_res)
02317     #endif
02318       /* no need to call module, if already need_overwrite */
02319       if(!need_overwrite)
02320         need_overwrite = rsbac_need_overwrite_res(dentry_p);
02321     #endif  /* RES */
02322 
02323     /****** REG *******/
02324     #ifdef CONFIG_RSBAC_REG
02325     if(!need_overwrite)
02326       need_overwrite = rsbac_need_overwrite_reg(dentry_p);
02327     #endif  /* REG */
02328 
02329     if(need_overwrite)
02330       {
02331         char            * buffer;
02332         rsbac_boolean_t   vmalloc_used;
02333         struct file       file;
02334         int               tmperr = 0;
02335         int               len;
02336         mm_segment_t      oldfs;
02337 
02338         buffer = rsbac_vkmalloc(RSBAC_SEC_DEL_CHUNK_SIZE, &vmalloc_used);
02339         if(!buffer)
02340           return -RSBAC_ENOMEM;
02341 
02342 #ifdef CONFIG_RSBAC_DEBUG
02343         if(rsbac_debug_write)
02344           {
02345             rsbac_printk(KERN_DEBUG
02346                    "rsbac_sec_trunc(): zeroing of file %lu on device %02u:%02u from byte %lu to %lu!\n",
02347                    dentry_p->d_inode->i_ino,
02348                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02349                    MINOR(dentry_p->d_inode->i_sb->s_dev),
02350                    (u_long) new_len,
02351                    (u_long) old_len-1);
02352           }
02353 #endif
02354         /* open */
02355         err = open_by_dentry(dentry_p, &file);
02356         if(err)
02357           {
02358             rsbac_vkfree(buffer, vmalloc_used);
02359             return(err);
02360           }
02361 
02362 #ifdef CONFIG_RSBAC_DEBUG
02363         if(rsbac_debug_write)
02364           {
02365             rsbac_printk(KERN_DEBUG
02366                    "rsbac_sec_trunc(): file %lu on device %02u:%02u is open, seeking to %lu!\n",
02367                    dentry_p->d_inode->i_ino,
02368                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02369                    MINOR(dentry_p->d_inode->i_sb->s_dev),
02370                    (u_long) new_len);
02371           }
02372 #endif
02373 
02374         /* OK, now we can start writing */
02375 
02376         /* Set current user space to kernel space, because write() reads
02377          * from user space
02378          */
02379         oldfs = get_fs();
02380         set_fs(KERNEL_DS);
02381 
02382 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02383         if(file.f_op->llseek)
02384           file.f_op->llseek(&file,new_len,0);
02385         else
02386 #endif
02387           { /* taken from fs/read_write.c */
02388             file.f_pos = new_len;
02389 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02390             file.f_reada = 0;
02391 #endif
02392 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02393             file.f_version = ++event;
02394 #else
02395             file.f_version = 0;
02396 #endif
02397           }
02398         memset(buffer,0,RSBAC_SEC_DEL_CHUNK_SIZE);
02399 
02400 #ifdef CONFIG_RSBAC_DEBUG
02401         if(rsbac_debug_write)
02402           {
02403             rsbac_printk(KERN_DEBUG
02404                    "rsbac_sec_trunc(): file %lu on device %02u:%02u is positioned, starting to write!\n",
02405                    dentry_p->d_inode->i_ino,
02406                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02407                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02408           }
02409 #endif
02410 
02411         while(new_len < old_len)
02412           {
02413             len = rsbac_min(RSBAC_SEC_DEL_CHUNK_SIZE, old_len-new_len);
02414 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02415             tmperr = file.f_op->write(&file,
02416                                      buffer,
02417                                      len,
02418                                      &file.f_pos);
02419 #else
02420             if(need_lock)
02421               tmperr = file.f_op->write(&file,
02422                                         buffer,
02423                                         len,
02424                                         &file.f_pos);
02425             else
02426               {
02427                 struct iovec local_iov = { .iov_base = (void __user *)buffer,
02428                                         .iov_len = len };
02429 
02430                 tmperr = generic_file_write_nolock(&file,
02431                                                    &local_iov,
02432                                                    1,
02433                                                    &file.f_pos);
02434               }
02435 #endif
02436             /* if none written, end of file is reached -> complain and return */
02437             if (tmperr <= 0)
02438               {
02439                 rsbac_printk(KERN_WARNING
02440                        "rsbac_sec_trunc(): write error on file!\n");
02441                 err = -RSBAC_EWRITEFAILED;
02442                 goto out;
02443               }
02444             new_len += tmperr;
02445           }
02446 
02447         out:
02448         /* Set current user space back to user space, because read() writes */
02449         /* to user space */
02450         set_fs(oldfs);
02451 
02452 #ifdef CONFIG_RSBAC_DEBUG
02453 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0))
02454         if(need_lock)
02455 #endif
02456         if(rsbac_debug_write)
02457           {
02458             rsbac_printk(KERN_DEBUG
02459                    "rsbac_sec_trunc(): syncing file %lu on device %02u:%02u!\n",
02460                    dentry_p->d_inode->i_ino,
02461                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02462                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02463           }
02464 #endif
02465 
02466 //        err = fsync_inode_buffers(dentry_p->d_inode);
02467 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02468         err = fsync_inode_data_buffers(dentry_p->d_inode);
02469 #else
02470         if(need_lock)
02471           err = file_fsync(&file, dentry_p, 1);
02472 #endif
02473           
02474 /*
02475         if (file.f_op->flush)
02476           file.f_op->flush(&file);
02477         if (file.f_op->release)
02478           file.f_op->release(dentry_p->d_inode,&file);
02479 */
02480         /* End of write access                     */
02481 //        put_write_access(dentry_p->d_inode);
02482 
02483         rsbac_vkfree(buffer, vmalloc_used);
02484       }
02485 
02486     /* Ready. */
02487     return(err);
02488 
02489 #endif /* else of MAINT */
02490   }
02491 
02492 EXPORT_SYMBOL(rsbac_sec_trunc);
02493 int rsbac_sec_trunc(struct dentry * dentry_p,
02494                     loff_t new_len, loff_t old_len)
02495   {
02496     return do_rsbac_sec_trunc(dentry_p, new_len, old_len, TRUE);
02497   }
02498 
02499 EXPORT_SYMBOL(rsbac_sec_del);
02500 int rsbac_sec_del(struct dentry * dentry_p)
02501   {
02502     return do_rsbac_sec_trunc(dentry_p,
02503                               0,
02504                               dentry_p->d_inode->i_size,
02505                               FALSE);
02506   }
02507 
02508 #else /* no SECDEL */
02509 EXPORT_SYMBOL(rsbac_sec_trunc);
02510 int rsbac_sec_trunc(struct dentry * dentry_p,
02511                     loff_t new_len, loff_t old_len)
02512   {
02513     return 0;
02514   }
02515 EXPORT_SYMBOL(rsbac_sec_del);
02516 int rsbac_sec_del(struct dentry * dentry_p)
02517   {
02518     return 0;
02519   }
02520 #endif /* SECDEL */
02521 
02522 #ifdef CONFIG_RSBAC_SYM_REDIR
02523 EXPORT_SYMBOL(rsbac_symlink_redirect);
02524 
02525 /* This function changes the symlink content by adding a suffix, if
02526  * requested. It returns NULL, if unchanged, or a pointer to a
02527  * kmalloc'd new char * otherwise, which has to be kfree'd after use.
02528  */
02529 char * rsbac_symlink_redirect(
02530   struct dentry * dentry_p,
02531   const char * name,
02532   u_int maxlen)
02533   {
02534     int                            err;
02535     union rsbac_target_id_t        i_tid;
02536     char                         * new_name = NULL;
02537 #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) || defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC)
02538     union rsbac_target_id_t        i_tid2;
02539 #endif
02540     union rsbac_attribute_value_t  i_attr_val;
02541 
02542     if(!name)
02543       return NULL;
02544     if(!dentry_p || !dentry_p->d_inode)
02545       return NULL;
02546     if (!rsbac_is_initialized())
02547       return NULL;
02548 
02549     if(!S_ISLNK(dentry_p->d_inode->i_mode))
02550       {
02551         rsbac_printk(KERN_DEBUG
02552                "rsbac_symlink_redirect(): called for non-symlink inode %u on dev %02u:%02u!\n",
02553                i_tid.symlink.inode,
02554                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02555         return NULL;
02556       }
02557 
02558     i_tid.symlink.device = dentry_p->d_inode->i_sb->s_dev;
02559     i_tid.symlink.inode = dentry_p->d_inode->i_ino;
02560     i_tid.symlink.dentry_p = dentry_p;
02561 #ifdef CONFIG_RSBAC_DEBUG
02562     if (rsbac_debug_aef)
02563       {
02564         rsbac_printk(KERN_DEBUG
02565                "rsbac_symlink_redirect(): called for symlink inode %u on dev %02u:%02u!\n",
02566                i_tid.symlink.inode,
02567                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02568       }
02569 #endif
02570 
02571 #ifdef CONFIG_RSBAC_SYM_REDIR_REMOTE_IP
02572     if ((err = rsbac_get_attr(GEN,
02573                               T_SYMLINK,
02574                               i_tid,
02575                               A_symlink_add_remote_ip,
02576                               &i_attr_val,
02577                               FALSE) ))
02578       {
02579         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_remote_ip, err);
02580         if(new_name)
02581           kfree(new_name);
02582         return NULL;  /* something weird happened */
02583       }
02584     if(i_attr_val.symlink_add_remote_ip)
02585       {
02586         u_int len;
02587         rsbac_enum_t add_remote_ip;
02588         __u32 addr;
02589 
02590         len = strlen(name);
02591         while(   len
02592               && (name[len-1] >= '0')
02593               && (name[len-1] <= '9')
02594              )
02595           len--;
02596         if(len > (maxlen - 20))
02597           {
02598             if(new_name)
02599               kfree(new_name);
02600             rsbac_printk(KERN_DEBUG
02601                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02602                i_tid.symlink.inode,
02603                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02604             return NULL;
02605           }
02606         add_remote_ip = i_attr_val.symlink_add_remote_ip;
02607         i_tid2.process = current->pid;
02608         if ((err = rsbac_get_attr(GEN,
02609                                   T_PROCESS,
02610                                   i_tid2,
02611                                   A_remote_ip,
02612                                   &i_attr_val,
02613                                   FALSE) ))
02614           {
02615             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_remote_ip, err);
02616             if(new_name)
02617               kfree(new_name);
02618             return NULL;  /* something weird happened */
02619           }
02620         addr = i_attr_val.remote_ip;
02621         if(!new_name)
02622           {
02623             new_name = kmalloc(maxlen, GFP_KERNEL);
02624             if(!new_name)
02625               {
02626                 rsbac_printk(KERN_DEBUG
02627                              "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02628                              i_tid.symlink.inode,
02629                              RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02630                 return NULL;
02631               }
02632             strcpy(new_name, name);
02633           }
02634         switch(add_remote_ip)
02635           {
02636             case 1:
02637               sprintf(new_name+len, "%u",
02638                       ((unsigned char *)&addr)[0]);
02639               break;
02640             case 2:
02641               sprintf(new_name+len, "%u.%u",
02642                       ((unsigned char *)&addr)[0],
02643                       ((unsigned char *)&addr)[1]);
02644               break;
02645             case 3:
02646               sprintf(new_name+len, "%u.%u.%u",
02647                       ((unsigned char *)&addr)[0],
02648                       ((unsigned char *)&addr)[1],
02649                       ((unsigned char *)&addr)[2]);
02650               break;
02651             default:
02652               sprintf(new_name+len, "%u.%u.%u.%u",
02653                       ((unsigned char *)&addr)[0],
02654                       ((unsigned char *)&addr)[1],
02655                       ((unsigned char *)&addr)[2],
02656                       ((unsigned char *)&addr)[3]);
02657           }
02658       }
02659 #endif
02660 
02661 #ifdef CONFIG_RSBAC_SYM_REDIR_UID
02662     if ((err = rsbac_get_attr(GEN,
02663                               T_SYMLINK,
02664                               i_tid,
02665                               A_symlink_add_uid,
02666                               &i_attr_val,
02667                               FALSE) ))
02668       {
02669         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_uid, err);
02670         if(new_name)
02671           kfree(new_name);
02672             rsbac_printk(KERN_DEBUG
02673                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02674                i_tid.symlink.inode,
02675                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02676         return NULL;  /* something weird happened */
02677       }
02678     if(i_attr_val.symlink_add_uid)
02679       {
02680         rsbac_uid_t user;
02681         u_int len;
02682 
02683         len = strlen(name);
02684         while(   len
02685               && (name[len-1] >= '0')
02686               && (name[len-1] <= '9')
02687              )
02688           len--;
02689         if(len > (maxlen - 20))
02690           {
02691             if(new_name)
02692               kfree(new_name);
02693             rsbac_printk(KERN_DEBUG
02694                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02695                i_tid.symlink.inode,
02696                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02697             return NULL;
02698           }
02699         if(!rsbac_get_owner(&user))
02700           {
02701             if(!new_name)
02702               {
02703                 new_name = kmalloc(maxlen, GFP_KERNEL);
02704                 if(!new_name)
02705                   {
02706                     rsbac_printk(KERN_DEBUG
02707                                  "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02708                                  i_tid.symlink.inode,
02709                                  RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02710                     return NULL;
02711                   }
02712                 strcpy(new_name, name);
02713               }
02714             ulongtostr(new_name+len, user);
02715           }
02716       }
02717 #endif
02718 
02719 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC
02720     if ((err = rsbac_get_attr(GEN,
02721                               T_SYMLINK,
02722                               i_tid,
02723                               A_symlink_add_mac_level,
02724                               &i_attr_val,
02725                               FALSE) ))
02726       {
02727         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_mac_level, err);
02728         if(new_name)
02729           kfree(new_name);
02730         return NULL;  /* something weird happened */
02731       }
02732     if(i_attr_val.symlink_add_mac_level)
02733       {
02734         u_int len;
02735 
02736         len = strlen(name);
02737         while(   len
02738               && (   (   (name[len-1] >= '0')
02739                       && (name[len-1] <= '9')
02740                      )
02741 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02742                   || (name[len-1] == ':')
02743 #endif
02744                  )
02745              )
02746           len--;
02747 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02748         if(len > (maxlen - 85))
02749 #else
02750         if(len > (maxlen - 20))
02751 #endif
02752           {
02753             if(new_name)
02754               kfree(new_name);
02755             rsbac_printk(KERN_DEBUG
02756                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02757                i_tid.symlink.inode,
02758                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02759             return NULL;
02760           }
02761 
02762         i_tid2.process = current->pid;
02763         if ((err = rsbac_get_attr(MAC,
02764                                   T_PROCESS,
02765                                   i_tid2,
02766                                   A_current_sec_level,
02767                                   &i_attr_val,
02768                                   FALSE) ))
02769           {
02770             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_current_sec_level, err);
02771             if(new_name)
02772               kfree(new_name);
02773             return NULL;  /* something weird happened */
02774           }
02775 
02776         if(!new_name)
02777           {
02778             new_name = kmalloc(maxlen, GFP_KERNEL);
02779             if(!new_name)
02780               {
02781                 rsbac_printk(KERN_DEBUG
02782                              "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02783                              i_tid.symlink.inode,
02784                              RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02785                 return NULL;
02786               }
02787             strcpy(new_name, name);
02788           }
02789 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02790         len+=sprintf(new_name+len, "%u:", i_attr_val.current_sec_level);
02791 #else
02792         len+=sprintf(new_name+len, "%u", i_attr_val.current_sec_level);
02793 #endif
02794 
02795 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02796         if ((err = rsbac_get_attr(MAC,
02797                                   T_PROCESS,
02798                                   i_tid2,
02799                                   A_mac_curr_categories,
02800                                   &i_attr_val,
02801                                   FALSE) ))
02802           {
02803             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_mac_curr_categories, err);
02804             if(new_name)
02805               kfree(new_name);
02806             return NULL;  /* something weird happened */
02807           }
02808         u64tostrmac(new_name+len, i_attr_val.mac_categories);
02809 #endif
02810       }
02811 #endif
02812 
02813 #ifdef CONFIG_RSBAC_SYM_REDIR_RC
02814     if ((err = rsbac_get_attr(GEN,
02815                               T_SYMLINK,
02816                               i_tid,
02817                               A_symlink_add_rc_role,
02818                               &i_attr_val,
02819                               FALSE) ))
02820       {
02821         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_rc_role, err);
02822         if(new_name)
02823           kfree(new_name);
02824         return NULL;  /* something weird happened */
02825       }
02826     if(i_attr_val.symlink_add_rc_role)
02827       {
02828         u_int len;
02829 
02830         len = strlen(name);
02831         while(   len
02832               && (name[len-1] >= '0')
02833               && (name[len-1] <= '9')
02834              )
02835           len--;
02836         if(len > (maxlen - 20))
02837           {
02838             if(new_name)
02839               kfree(new_name);
02840             rsbac_printk(KERN_DEBUG
02841                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02842                i_tid.symlink.inode,
02843                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02844             return NULL;
02845           }
02846 
02847         i_tid2.process = current->pid;
02848         if ((err = rsbac_get_attr(RC,
02849                                   T_PROCESS,
02850                                   i_tid2,
02851                                   A_rc_role,
02852                                   &i_attr_val,
02853                                   FALSE) ))
02854           {
02855             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_rc_role, err);
02856             if(new_name)
02857               kfree(new_name);
02858             return NULL;  /* something weird happened */
02859           }
02860 
02861         if(!new_name)
02862           {
02863             new_name = kmalloc(maxlen, GFP_KERNEL);
02864             if(!new_name)
02865               {
02866                 rsbac_printk(KERN_DEBUG
02867                              "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02868                              i_tid.symlink.inode,
02869                              RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02870                 return NULL;
02871               }
02872             strcpy(new_name, name);
02873           }
02874         ulongtostr(new_name+len, i_attr_val.rc_role);
02875       }
02876 #endif
02877 
02878     return new_name;
02879   }
02880 #endif
02881 
02882 #ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
02883 int rsbac_dac_part_disabled(struct dentry * dentry_p)
02884   {
02885     int                            err;
02886     enum  rsbac_target_t           i_target;
02887     union rsbac_target_id_t        i_tid;
02888     union rsbac_attribute_value_t  i_attr_val;
02889 
02890     if(!dentry_p || !dentry_p->d_inode || !dentry_p->d_inode->i_sb->s_dev || !rsbac_is_initialized())
02891       return FALSE;
02892 
02893     if(S_ISREG(dentry_p->d_inode->i_mode))
02894       i_target = T_FILE;
02895     else
02896     if(S_ISDIR(dentry_p->d_inode->i_mode))
02897       i_target = T_DIR;
02898     else
02899     if(S_ISFIFO(dentry_p->d_inode->i_mode))
02900       i_target = T_FIFO;
02901     else
02902     if(S_ISLNK(dentry_p->d_inode->i_mode))
02903       i_target = T_SYMLINK;
02904     else
02905       return FALSE;
02906 
02907     i_tid.file.device = dentry_p->d_sb->s_dev;
02908     i_tid.file.inode = dentry_p->d_inode->i_ino;
02909     i_tid.file.dentry_p = dentry_p;
02910 
02911 #ifdef CONFIG_RSBAC_DEBUG
02912     if (rsbac_debug_aef)
02913       {
02914         rsbac_printk(KERN_DEBUG
02915                "rsbac_dac_part_disable(): called for dentry_p->d_inode %u on dev %02u:%02u, dentry_p %p!\n",
02916                i_tid.file.inode,
02917                RSBAC_MAJOR(i_tid.file.device), RSBAC_MINOR(i_tid.file.device),
02918                i_tid.file.dentry_p );
02919       }
02920 #endif
02921 
02922     if ((err = rsbac_get_attr(GEN,
02923                               i_target,
02924                               i_tid,
02925                               A_linux_dac_disable,
02926                               &i_attr_val,
02927                               TRUE) ))
02928       {
02929         rsbac_printk(KERN_WARNING
02930                "rsbac_dac_part_disable(): rsbac_get_attr() for linux_dac_disable returned error %i!\n",
02931                err);
02932         return FALSE;  /* something weird happened */
02933       }
02934     if(i_attr_val.linux_dac_disable == LDD_true)
02935       return TRUE;
02936     else
02937       return FALSE;
02938   }
02939 #endif
02940 
02941 #ifdef CONFIG_RSBAC_FAKE_ROOT_UID
02942 rsbac_uid_t rsbac_fake_uid(void)
02943   {
02944     int                            err;
02945     union rsbac_target_id_t        i_tid;
02946     union rsbac_attribute_value_t  i_attr_val;
02947 
02948     if(!current->uid)
02949       return 0;
02950     if (!rsbac_is_initialized())
02951       return current->uid;
02952 
02953     i_tid.process = current->pid;
02954     if ((err = rsbac_get_attr(GEN,
02955                               T_PROCESS,
02956                               i_tid,
02957                               A_fake_root_uid,
02958                               &i_attr_val,
02959                               FALSE) ))
02960       {
02961         rsbac_ds_get_error("rsbac_fake_uid()", A_fake_root_uid);
02962         return current->uid;  /* something weird happened */
02963       }
02964     switch(i_attr_val.fake_root_uid)
02965       {
02966         case FR_both:
02967         case FR_uid_only:
02968           return 0;
02969         default:
02970           return current->uid;
02971       }
02972   }
02973 
02974 rsbac_uid_t rsbac_fake_euid(void)
02975   {
02976     int                            err;
02977     union rsbac_target_id_t        i_tid;
02978     union rsbac_attribute_value_t  i_attr_val;
02979 
02980     if(!current->euid)
02981       return 0;
02982     if (!rsbac_is_initialized())
02983       return current->euid;
02984 
02985     i_tid.process = current->pid;
02986     if ((err = rsbac_get_attr(GEN,
02987                               T_PROCESS,
02988                               i_tid,
02989                               A_fake_root_uid,
02990                               &i_attr_val,
02991                               FALSE) ))
02992       {
02993         rsbac_ds_get_error("rsbac_fake_euid()", A_fake_root_uid);
02994         return current->euid;  /* something weird happened */
02995       }
02996     switch(i_attr_val.fake_root_uid)
02997       {
02998         case FR_both:
02999         case FR_euid_only:
03000           return 0;
03001         default:
03002           return current->euid;
03003       }
03004   }
03005 
03006 int rsbac_uid_faked(void)
03007   {
03008     int                            err;
03009     union rsbac_target_id_t        i_tid;
03010     union rsbac_attribute_value_t  i_attr_val;
03011 
03012     if (!rsbac_is_initialized())
03013       return 0;
03014 
03015     i_tid.process = current->pid;
03016     if ((err = rsbac_get_attr(GEN,
03017                               T_PROCESS,
03018                               i_tid,
03019                               A_fake_root_uid,
03020                               &i_attr_val,
03021                               FALSE) ))
03022       {
03023         rsbac_ds_get_error("rsbac_uid_faked()", A_fake_root_uid);
03024         return 0;  /* something weird happened */
03025       }
03026     switch(i_attr_val.fake_root_uid)
03027       {
03028         case FR_both:
03029         case FR_uid_only:
03030           return 1;
03031         default:
03032           return 0;
03033       }
03034   }
03035 
03036 #endif
03037 
03038 int rsbac_set_audit_uid(rsbac_uid_t uid)
03039   {
03040     union rsbac_target_id_t       tid;
03041     union rsbac_attribute_value_t attr_val;
03042 
03043     if(!uid || (uid == current->uid))
03044       return 0;
03045     tid.process = current->pid;
03046     if (rsbac_get_attr(GEN,
03047                        T_PROCESS,
03048                        tid,
03049                        A_audit_uid,
03050                        &attr_val,
03051                        FALSE))
03052       {
03053         rsbac_ds_get_error("rsbac_set_audit_uid()", A_audit_uid);
03054         return -RSBAC_EREADFAILED;
03055       }
03056     if(attr_val.audit_uid != RSBAC_NO_USER)
03057       return 0;
03058 
03059     if (rsbac_get_attr(GEN,
03060                        T_PROCESS,
03061                        tid,
03062                        A_auid_exempt,
03063                        &attr_val,
03064                        FALSE))
03065       {
03066         rsbac_ds_get_error("rsbac_set_audit_uid()", A_auid_exempt);
03067         return -RSBAC_EREADFAILED;
03068       }
03069     if(attr_val.auid_exempt == uid)
03070       return 0;
03071 
03072     attr_val.audit_uid = uid;
03073     if (rsbac_set_attr(GEN,
03074                        T_PROCESS,
03075                        tid,
03076                        A_audit_uid,
03077                        attr_val))
03078       {
03079         rsbac_ds_set_error("rsbac_set_audit_uid()", A_audit_uid);
03080         return -RSBAC_EWRITEFAILED;
03081       }
03082     return 0;
03083   }
03084 
03085 #if defined(CONFIG_RSBAC_CAP_LOG_MISSING) || defined(CONFIG_RSBAC_JAIL_LOG_MISSING)
03086 EXPORT_SYMBOL(rsbac_log_missing_cap);
03087 
03088 void rsbac_log_missing_cap(int cap)
03089   {
03090     #if defined(CONFIG_RSBAC_CAP_LOG_MISSING)
03091     if(rsbac_cap_log_missing)
03092       rsbac_cap_log_missing_cap(cap);
03093     #endif
03094     #if defined(CONFIG_RSBAC_JAIL_LOG_MISSING)
03095     if(rsbac_jail_log_missing)
03096       rsbac_jail_log_missing_cap(cap);
03097     #endif
03098   }
03099 #endif
03100 
03101 /* end of rsbac/adf/main.c */
Generated on Thu Sep 22 16:42:14 2005 for RSBAC by  doxygen 1.4.2