00008 #ifndef __RSBAC_DATA_STRUC_H
00009 #define __RSBAC_DATA_STRUC_H
00010
00011 #ifdef __KERNEL__
00012 #include <linux/types.h>
00013 #include <linux/fs.h>
00014 #include <linux/wait.h>
00015 #include <linux/interrupt.h>
00016 #include <asm/semaphore.h>
00017 #include <rsbac/types.h>
00018 #include <linux/spinlock.h>
00019 #include <rsbac/pm_types.h>
00020 #include <rsbac/rc_types.h>
00021 #include <rsbac/aci.h>
00022 #include <rsbac/debug.h>
00023 #include <rsbac/lists.h>
00024 #endif
#ifdef __KERNEL__
/* Size in bytes of the in-kernel RSBAC log buffer. */
#define RSBAC_LOG_BUF_LEN (16384)

/* Name of the per-device directory that holds the attribute (ACI) lists. */
#define RSBAC_ACI_PATH "rsbac.dat"

/*
 * File-name prefixes of the per-module file/dir attribute lists kept under
 * RSBAC_ACI_PATH.  The trailing '.' suggests a sub-list index is appended
 * (see the *_NR_FD_LISTS counts below) -- confirm in the list backend.
 * These names are persisted on disk, so renaming one orphans stored data.
 */
#define RSBAC_GEN_FD_NAME "fd_gen."
#define RSBAC_MAC_FD_NAME "fd_mac."
#define RSBAC_PM_FD_NAME "fd_pm."
#define RSBAC_DAZ_FD_NAME "fd_dazt."
#define RSBAC_DAZ_SCANNED_FD_NAME "fd_dazs."
#define RSBAC_FF_FD_NAME "fd_ff."
#define RSBAC_RC_FD_NAME "fd_rc."
#define RSBAC_AUTH_FD_NAME "fd_auth."
#define RSBAC_CAP_FD_NAME "fd_cap."
#define RSBAC_PAX_FD_NAME "fd_pax."
#define RSBAC_RES_FD_NAME "fd_res."

/* Name of the user attribute list file. */
#define RSBAC_ACI_USER_NAME "useraci"

/*
 * Mode of the ACI directory: S_IFDIR with no permission bits at all, so
 * ordinary DAC grants no user (not even the owner) search or write access.
 * Presumably only DAC-overriding access is meant to reach it -- the
 * RSBAC code itself, or root with CAP_DAC_OVERRIDE.
 */
#define RSBAC_ACI_DIR_MODE (S_IFDIR)

/* Mode of the ACI data files: regular file, owner read/write only (0600). */
#define RSBAC_ACI_FILE_MODE (S_IFREG | S_IRUSR | S_IWUSR)

/* Smallest buffer allocated for writing a file/dir attribute list. */
#define RSBAC_MIN_WRITE_FD_BUF_LEN 32768

/*
 * Largest single write chunk: (1 << 15) - 1 = 32767 bytes, one less than
 * RSBAC_MIN_WRITE_FD_BUF_LEN, so one chunk always fits the minimum buffer.
 * 32767 is also the largest positive signed 16-bit value -- presumably why
 * the bound is odd; confirm against the writer before widening either.
 */
#define RSBAC_MAX_WRITE_CHUNK ((1 << 15) - 1)

/*
 * Number of file/dir attribute lists each module keeps per device.
 * NOTE(review): the list file names above end in '.', which suggests the
 * list index becomes part of the stored file name; if so, changing a
 * count here changes where existing attributes are looked up and needs a
 * migration -- confirm in the list backend.
 */
#define RSBAC_GEN_NR_FD_LISTS 8
#define RSBAC_MAC_NR_FD_LISTS 32
#define RSBAC_PM_NR_FD_LISTS 16
#define RSBAC_DAZ_NR_FD_LISTS 2
#define RSBAC_DAZ_SCANNED_NR_FD_LISTS 32
#define RSBAC_FF_NR_FD_LISTS 8
#define RSBAC_RC_NR_FD_LISTS 16
#define RSBAC_AUTH_NR_FD_LISTS 2
#define RSBAC_CAP_NR_FD_LISTS 4
#define RSBAC_PAX_NR_FD_LISTS 2
#define RSBAC_RES_NR_FD_LISTS 4

#ifdef CONFIG_RSBAC_INIT_THREAD

/*
 * Maximum init time for the init thread (unit not given here).  The
 * configured value is honoured only when it is at least 5; anything
 * smaller is clamped up to a floor of 5.
 */
#if CONFIG_RSBAC_MAX_INIT_TIME >= 5
#define RSBAC_MAX_INIT_TIME CONFIG_RSBAC_MAX_INIT_TIME
#else
#define RSBAC_MAX_INIT_TIME 5
#endif
#endif

#endif
/*
 * Generic (module-independent) attributes of a file/dir object.
 *
 * RSBAC_GEN_FD_ACI_VERSION tags the layout of this struct; the
 * rsbac_gen_fd_old*_aci_t structs below keep the earlier layouts so that
 * stored lists written by an older kernel can be converted (presumably by
 * the list backend -- confirm).  Version 7 differs from version 6 only by
 * the added symlink_add_remote_ip field.
 *
 * RSBAC_GEN_FD_ACI_KEY is a compile-time constant in a public header: it
 * can identify or sanity-check a list, but it is not a secret and must not
 * be relied on as one.
 */
#define RSBAC_GEN_FD_ACI_VERSION 7
#define RSBAC_GEN_FD_ACI_KEY 1001
struct rsbac_gen_fd_aci_t
{
    rsbac_log_array_t log_array_low;           /* per-request logging bits, low half */
    rsbac_log_array_t log_array_high;          /* per-request logging bits, high half */
    rsbac_request_vector_t log_program_based;  /* requests logged for programs run from this object */
    rsbac_enum_t symlink_add_remote_ip;        /* symlink redirection switches (new in v7) */
    rsbac_enum_t symlink_add_uid;
    rsbac_enum_t symlink_add_mac_level;
    rsbac_enum_t symlink_add_rc_role;
    rsbac_enum_t linux_dac_disable;            /* LDD_* value; LDD_inherit defers to the parent */
    rsbac_fake_root_uid_int_t fake_root_uid;   /* FR_* value */
    rsbac_uid_t auid_exempt;                   /* RSBAC_NO_USER when no audit-uid exemption is set */
};
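/*
 * Default generic attributes for a file/dir object that has no stored
 * entry.  Logging is left at -1 (all bits set) and the DAC switch is
 * LDD_inherit, i.e. resolved from the parent directory.
 *
 * All four symlink_add_* switches are set explicitly: the original
 * initializer omitted symlink_add_remote_ip and relied on the implicit
 * zero fill of designated initializers, which silently diverged from the
 * other three and from the struct definition.
 */
#define DEFAULT_GEN_FD_ACI \
{ \
    .log_array_low = -1, \
    .log_array_high = -1, \
    .log_program_based = 0, \
    .symlink_add_remote_ip = FALSE, \
    .symlink_add_uid = FALSE, \
    .symlink_add_mac_level = FALSE, \
    .symlink_add_rc_role = FALSE, \
    .linux_dac_disable = LDD_inherit, \
    .fake_root_uid = FR_off, \
    .auid_exempt = RSBAC_NO_USER, \
}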
00135
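/*
 * Default generic attributes for a device's root directory.  Identical to
 * DEFAULT_GEN_FD_ACI except that linux_dac_disable is LDD_false rather
 * than LDD_inherit: the root directory has no parent to inherit from, so
 * it must carry a concrete value to terminate the inheritance chain.
 *
 * symlink_add_remote_ip is set explicitly here for the same reason as in
 * DEFAULT_GEN_FD_ACI -- the original initializer left it to implicit zero
 * fill while spelling out the other three symlink_add_* switches.
 */
#define DEFAULT_GEN_ROOT_DIR_ACI \
{ \
    .log_array_low = -1, \
    .log_array_high = -1, \
    .log_program_based = 0, \
    .symlink_add_remote_ip = FALSE, \
    .symlink_add_uid = FALSE, \
    .symlink_add_mac_level = FALSE, \
    .symlink_add_rc_role = FALSE, \
    .linux_dac_disable = LDD_false, \
    .fake_root_uid = FR_off, \
    .auid_exempt = RSBAC_NO_USER, \
}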
00148
/*
 * Version 6 layout of the generic file/dir attributes, kept for converting
 * stored lists.  Same as version 7 minus symlink_add_remote_ip.  Do not
 * reorder or retype fields: the layout is what old data is read with.
 */
#define RSBAC_GEN_FD_OLD_ACI_VERSION 6
struct rsbac_gen_fd_old_aci_t
{
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
    rsbac_request_vector_t log_program_based;
    rsbac_enum_t symlink_add_uid;
    rsbac_enum_t symlink_add_mac_level;
    rsbac_enum_t symlink_add_rc_role;
    rsbac_enum_t linux_dac_disable;
    rsbac_fake_root_uid_int_t fake_root_uid;
    rsbac_uid_t auid_exempt;
};
00162
/*
 * Version 5 layout of the generic file/dir attributes, kept for converting
 * stored lists.  Same as version 6 minus auid_exempt.  Layout is frozen.
 */
#define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 5
struct rsbac_gen_fd_old_old_aci_t
{
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
    rsbac_request_vector_t log_program_based;
    rsbac_enum_t symlink_add_uid;
    rsbac_enum_t symlink_add_mac_level;
    rsbac_enum_t symlink_add_rc_role;
    rsbac_enum_t linux_dac_disable;
    rsbac_fake_root_uid_int_t fake_root_uid;
};
00175
/*
 * Version 4 layout of the generic file/dir attributes, kept for converting
 * stored lists.  Same as version 5 minus fake_root_uid.  Layout is frozen.
 */
#define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 4
struct rsbac_gen_fd_old_old_old_aci_t
{
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
    rsbac_request_vector_t log_program_based;
    rsbac_enum_t symlink_add_uid;
    rsbac_enum_t symlink_add_mac_level;
    rsbac_enum_t symlink_add_rc_role;
    rsbac_enum_t linux_dac_disable;
};
00187
#if defined(CONFIG_RSBAC_MAC)
/*
 * MAC (Bell-LaPadula style) attributes of a file/dir object, version 5.
 * Layout history, reconstructed from the old structs below:
 *   v5: drops mac_trusted_for_user
 *   v4: replaces mac_shared with mac_file_flags
 *   v3: adds mac_prop_trusted and mac_shared
 * The *_KEY value is a public compile-time constant, not a secret.
 */
#define RSBAC_MAC_FD_ACI_VERSION 5
#define RSBAC_MAC_FD_ACI_KEY 1001
struct rsbac_mac_fd_aci_t
{
    rsbac_security_level_t sec_level;          /* SL_* level, SL_inherit defers to the parent */
    rsbac_mac_category_vector_t mac_categories; /* category bit vector */
    rsbac_mac_auto_int_t mac_auto;             /* MA_* value, MA_inherit defers to the parent */
    rsbac_boolean_int_t mac_prop_trusted;
    rsbac_mac_file_flags_t mac_file_flags;
};

/* Version 4 layout (frozen): still carried mac_trusted_for_user. */
#define RSBAC_MAC_FD_OLD_ACI_VERSION 4
struct rsbac_mac_fd_old_aci_t
{
    rsbac_security_level_t sec_level;
    rsbac_uid_t mac_trusted_for_user;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_auto_int_t mac_auto;
    rsbac_boolean_int_t mac_prop_trusted;
    rsbac_mac_file_flags_t mac_file_flags;
};

/* Version 3 layout (frozen): a single mac_shared flag instead of mac_file_flags. */
#define RSBAC_MAC_FD_OLD_OLD_ACI_VERSION 3
struct rsbac_mac_fd_old_old_aci_t
{
    rsbac_security_level_t sec_level;
    rsbac_uid_t mac_trusted_for_user;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_auto_int_t mac_auto;
    rsbac_boolean_int_t mac_prop_trusted;
    rsbac_boolean_int_t mac_shared;
};

/* Version 2 layout (frozen): no mac_prop_trusted / mac_shared yet. */
#define RSBAC_MAC_FD_OLD_OLD_OLD_ACI_VERSION 2
struct rsbac_mac_fd_old_old_old_aci_t
{
    rsbac_security_level_t sec_level;
    rsbac_uid_t mac_trusted_for_user;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_auto_int_t mac_auto;
};

/*
 * Inheriting default: level, categories and auto mode are all resolved
 * from the parent directory.
 */
#define DEFAULT_MAC_FD_ACI_INH \
{ \
    .sec_level = SL_inherit, \
    .mac_categories = RSBAC_MAC_INHERIT_CAT_VECTOR, \
    .mac_auto = MA_inherit, \
    .mac_prop_trusted = FALSE, \
    .mac_file_flags = 0, \
}
/* Non-inheriting default: concrete unclassified level and default categories. */
#define DEFAULT_MAC_FD_ACI_NO_INH \
{ \
    .sec_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_auto = MA_yes, \
    .mac_prop_trusted = FALSE, \
    .mac_file_flags = 0, \
}

/* Which of the two applies to objects without a stored entry is a Kconfig choice. */
#ifdef CONFIG_RSBAC_MAC_DEF_INHERIT
#define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_INH
#else
#define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_NO_INH
#endif

/*
 * Root directory default.  Value-for-value the same as
 * DEFAULT_MAC_FD_ACI_NO_INH: the root has no parent, so it must always
 * carry concrete values to terminate an inheritance chain regardless of
 * CONFIG_RSBAC_MAC_DEF_INHERIT.  Kept as a separate macro so the two can
 * diverge without touching the other.
 */
#define DEFAULT_MAC_ROOT_DIR_ACI \
{ \
    .sec_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_auto = MA_yes, \
    .mac_prop_trusted = FALSE, \
    .mac_file_flags = 0, \
}
#endif
00263
#if defined(CONFIG_RSBAC_PM)
/* PM (privacy model) attributes of a file/dir object.  Single layout so far. */
#define RSBAC_PM_FD_ACI_VERSION 1
#define RSBAC_PM_FD_ACI_KEY 1001
struct rsbac_pm_fd_aci_t
{
    rsbac_pm_object_class_id_t pm_object_class;
    rsbac_pm_tp_id_t pm_tp;                  /* transformation procedure id */
    rsbac_pm_object_type_int_t pm_object_type; /* PO_* value */
};

/* Default: no class, no TP, object type PO_none. */
#define DEFAULT_PM_FD_ACI \
{ \
    .pm_object_class = 0, \
    .pm_tp = 0, \
    .pm_object_type = PO_none, \
}
#endif
00281
#if defined(CONFIG_RSBAC_DAZ)
/*
 * DAZ (Dazuko on-access scanner) attributes of a file/dir object.
 * Note the key differs from the 1001 used by most other modules, and the
 * scanned-cache list has a version but no *_KEY of its own here.
 */
#define RSBAC_DAZ_FD_ACI_VERSION 1
#define RSBAC_DAZ_FD_ACI_KEY 10535
/* Cache cleanup interval; 86400 is one day if the unit is seconds -- confirm in the DAZ code. */
#define RSBAC_DAZ_CACHE_CLEANUP_INTERVAL 86400
#define RSBAC_DAZ_SCANNED_FD_ACI_VERSION 1
struct rsbac_daz_fd_aci_t
{
    rsbac_daz_scanner_t daz_scanner; /* marks the scanner program itself (name-based; confirm) */
};

/* Default and root-dir default are the same: not a scanner. */
#define DEFAULT_DAZ_FD_ACI \
{ \
    .daz_scanner = FALSE \
}

#define DEFAULT_DAZ_ROOT_DIR_ACI \
{ \
    .daz_scanner = FALSE \
}
#endif
00302
#if defined(CONFIG_RSBAC_FF)
/*
 * FF (file flags) file/dir list.  No struct here: the module appears to
 * store the A_ff_flags attribute directly (see RSBAC_FD_ATTR_LIST).
 */
#define RSBAC_FF_FD_ACI_VERSION 1
#define RSBAC_FF_FD_ACI_KEY 1001
#endif
00307
#if defined(CONFIG_RSBAC_RC)
/* RC (role compatibility) attributes of a file/dir object. */
#define RSBAC_RC_FD_ACI_VERSION 1
#define RSBAC_RC_FD_ACI_KEY 1001
struct rsbac_rc_fd_aci_t
{
    rsbac_rc_type_id_t rc_type_fd;        /* RC type of the object; RC_type_inherit_parent defers to the parent */
    rsbac_rc_role_id_t rc_force_role;     /* role forced on execution (name-based; confirm in RC module) */
    rsbac_rc_role_id_t rc_initial_role;   /* initial role on execution (name-based; confirm in RC module) */
};

/* Default for objects without a stored entry: type inherited from the parent. */
#define DEFAULT_RC_FD_ACI \
{ \
    .rc_type_fd = RC_type_inherit_parent, \
    .rc_force_role = RC_default_force_role, \
    .rc_initial_role = RC_default_initial_role, \
}
/*
 * Root directory default: a concrete general type (nothing to inherit
 * from) and the root-dir specific role defaults.
 */
#define DEFAULT_RC_ROOT_DIR_ACI \
{ \
    .rc_type_fd = RSBAC_RC_GENERAL_TYPE, \
    .rc_force_role = RC_default_root_dir_force_role, \
    .rc_initial_role = RC_default_root_dir_initial_role, \
}
#endif
00331
#if defined(CONFIG_RSBAC_AUTH)
/*
 * AUTH attributes of a file/dir object.  Version 2 adds auth_learn to the
 * version 1 layout kept below.  All three are plain __u8 flags.
 */
#define RSBAC_AUTH_FD_ACI_VERSION 2
#define RSBAC_AUTH_FD_OLD_ACI_VERSION 1
#define RSBAC_AUTH_FD_ACI_KEY 1001
struct rsbac_auth_fd_aci_t
{
    __u8 auth_may_setuid;
    __u8 auth_may_set_cap;
    __u8 auth_learn;     /* new in v2 */
};

/* Version 1 layout (frozen). */
struct rsbac_auth_fd_old_aci_t
{
    __u8 auth_may_setuid;
    __u8 auth_may_set_cap;
};

/*
 * Default: every flag FALSE.  If auth_may_setuid / auth_may_set_cap gate
 * privilege changes as their names suggest, this is the restrictive
 * (deny) default and learning mode is off -- confirm in the AUTH module.
 */
#define DEFAULT_AUTH_FD_ACI \
{ \
    .auth_may_setuid = FALSE, \
    .auth_may_set_cap = FALSE, \
    .auth_learn = FALSE, \
}
#endif
00356
#if defined(CONFIG_RSBAC_CAP)
/* CAP attributes of a file/dir object: capability bounds for programs. */
#define RSBAC_CAP_FD_ACI_VERSION 1
#define RSBAC_CAP_FD_ACI_KEY 1001
struct rsbac_cap_fd_aci_t
{
    rsbac_cap_vector_t min_caps;  /* capability bit vector */
    rsbac_cap_vector_t max_caps;  /* capability bit vector */
};
/* Default bounds come from the CAP module's own constants. */
#define DEFAULT_CAP_FD_ACI \
{ \
    .min_caps = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps = RSBAC_CAP_DEFAULT_MAX, \
}
#endif
00371
#if defined(CONFIG_RSBAC_PAX)
/*
 * PAX file/dir list.  No struct: the A_pax_flags attribute is stored
 * directly (see RSBAC_FD_ATTR_LIST).  Key differs from the usual 1001.
 */
#define RSBAC_PAX_FD_ACI_VERSION 1
#define RSBAC_PAX_FD_ACI_KEY 100112
#endif
00376
#if defined(CONFIG_RSBAC_RES)
/* RES (resource limits) attributes of a file/dir object. */
#define RSBAC_RES_FD_ACI_VERSION 1
#define RSBAC_RES_FD_ACI_KEY 1002
struct rsbac_res_fd_aci_t
{
    rsbac_res_array_t res_min;  /* one entry per resource, RSBAC_RES_UNSET = no limit set */
    rsbac_res_array_t res_max;
};
/*
 * Default: every resource unset.  The initializer spells out exactly 11
 * entries; any further element of rsbac_res_array_t (if the array is
 * longer) is implicitly zero, not RSBAC_RES_UNSET.  Keep the count in
 * sync with the array length in res_types.h -- TODO confirm the length.
 */
#define DEFAULT_RES_FD_ACI \
{ \
    .res_min = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    } \
}
#endif
00415
/*
 * All attributes that can live on a file/dir object, across every module.
 * RSBAC_FD_NR_ATTRIBUTES must equal the number of entries in
 * RSBAC_FD_ATTR_LIST (31 at the moment -- they match); update both
 * together when adding an attribute.
 */
#define RSBAC_FD_NR_ATTRIBUTES 31
#define RSBAC_FD_ATTR_LIST { \
    A_security_level, \
    A_mac_categories, \
    A_mac_auto, \
    A_mac_prop_trusted, \
    A_mac_file_flags, \
    A_pm_object_class, \
    A_pm_tp, \
    A_pm_object_type, \
    A_daz_scanner, \
    A_ff_flags, \
    A_rc_type_fd, \
    A_rc_force_role, \
    A_rc_initial_role, \
    A_auth_may_setuid, \
    A_auth_may_set_cap, \
    A_auth_learn, \
    A_log_array_low, \
    A_log_array_high, \
    A_log_program_based, \
    A_symlink_add_remote_ip, \
    A_symlink_add_uid, \
    A_symlink_add_mac_level, \
    A_symlink_add_rc_role, \
    A_linux_dac_disable, \
    A_min_caps, \
    A_max_caps, \
    A_res_min, \
    A_res_max, \
    A_pax_flags, \
    A_fake_root_uid, \
    A_auid_exempt \
}
00450
#ifdef __KERNEL__
/*
 * Per-device handles of the file/dir attribute lists, one array per
 * compiled-in module, sized by the matching *_NR_FD_LISTS constant.
 * The DAZ scanned-cache list only exists with CONFIG_RSBAC_DAZ_CACHE.
 * Kernel-only: rsbac_list_handle_t is not exported to user space.
 */
struct rsbac_fd_list_handles_t
{
    rsbac_list_handle_t gen[RSBAC_GEN_NR_FD_LISTS];
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac[RSBAC_MAC_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm[RSBAC_PM_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_DAZ)
    rsbac_list_handle_t daz[RSBAC_DAZ_NR_FD_LISTS];
#if defined(CONFIG_RSBAC_DAZ_CACHE)
    rsbac_list_handle_t dazs[RSBAC_DAZ_SCANNED_NR_FD_LISTS];
#endif
#endif
#if defined(CONFIG_RSBAC_FF)
    rsbac_list_handle_t ff[RSBAC_FF_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc[RSBAC_RC_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_AUTH)
    rsbac_list_handle_t auth[RSBAC_AUTH_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_CAP)
    rsbac_list_handle_t cap[RSBAC_CAP_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_PAX)
    rsbac_list_handle_t pax[RSBAC_PAX_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_RES)
    rsbac_list_handle_t res[RSBAC_RES_NR_FD_LISTS];
#endif
};
00486
00487
00488
00489
/*
 * One mounted device known to RSBAC, as an element of a doubly linked
 * list (prev/next).  Holds the list handles for that device plus the
 * dentry/superblock/inode of its rsbac.dat directory.
 */
struct rsbac_device_list_item_t
{
    kdev_t id;                              /* device number (2.4-era kdev_t) */
    struct dentry * d_covers;
    u_int mount_count;                      /* how often the device is currently mounted (name-based; confirm) */
    struct rsbac_fd_list_handles_t handles;
    struct dentry * rsbac_dir_dentry_p;     /* the RSBAC_ACI_PATH directory on this device */
    struct super_block * sb_p;
    rsbac_inode_nr_t rsbac_dir_inode;
    struct rsbac_device_list_item_t * prev;
    struct rsbac_device_list_item_t * next;
};
00502
00503
00504
00505
/*
 * Head of the device list: endpoints, element count and the rwlock that
 * presumably guards them.
 *
 * NOTE(review): 'curr' is a mutable cursor stored in the shared head.
 * That is only safe if every update to it happens under the write side of
 * 'lock'; a walker that advances it while holding only the read lock
 * races with other readers -- confirm in the list-walking code.
 */
struct rsbac_device_list_head_t
{
    struct rsbac_device_list_item_t * head;
    struct rsbac_device_list_item_t * tail;
    struct rsbac_device_list_item_t * curr;
    rwlock_t lock;
    u_int count;
};

#endif
00516
00517
00518
00519
00520
/*
 * File names of the device attribute lists.  RC keeps a second,
 * major-number-keyed list ("devm_rc") next to the per-device one.
 * Names are persisted; renaming one orphans stored data.
 */
#define RSBAC_GEN_ACI_DEV_NAME "dev_gen"
#define RSBAC_MAC_ACI_DEV_NAME "dev_mac"
#define RSBAC_PM_ACI_DEV_NAME "dev_pm"
#define RSBAC_RC_ACI_DEV_MAJOR_NAME "devm_rc"
#define RSBAC_RC_ACI_DEV_NAME "dev_rc"
00526
00527
00528
/*
 * Generic attributes of a device object: only the logging bit arrays.
 * Version 2; an OLD version 1 is named but its layout is not kept in this
 * header -- presumably converted by a different means, confirm.
 */
#define RSBAC_GEN_DEV_ACI_VERSION 2
#define RSBAC_GEN_DEV_OLD_ACI_VERSION 1
#define RSBAC_GEN_DEV_ACI_KEY 1001

struct rsbac_gen_dev_aci_t
{
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
};
/* Default: all logging bits set (-1), same as for file/dir objects. */
#define DEFAULT_GEN_DEV_ACI \
{ \
    .log_array_low = -1, \
    .log_array_high = -1, \
}
00543
#if defined(CONFIG_RSBAC_MAC)
/* MAC attributes of a device object (version 2; v1 layout not kept here). */
#define RSBAC_MAC_DEV_ACI_VERSION 2
#define RSBAC_MAC_DEV_OLD_ACI_VERSION 1
#define RSBAC_MAC_DEV_ACI_KEY 1001
struct rsbac_mac_dev_aci_t
{
    rsbac_security_level_t sec_level;
    rsbac_mac_category_vector_t mac_categories;
    __u8 mac_check;
};
/*
 * Default: unclassified, default categories, mac_check FALSE.
 * NOTE(review): if mac_check is the switch that enables MAC enforcement
 * on the device as its name suggests, the default leaves device objects
 * unchecked until an admin sets it -- verify in the MAC decision code and
 * in any hardening checklist.
 */
#define DEFAULT_MAC_DEV_ACI \
{ \
    .sec_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_check = FALSE, \
}
#endif
00561
#if defined(CONFIG_RSBAC_PM)
/*
 * PM attributes of a device object (version 2; v1 layout not kept here).
 * Note the field order differs from rsbac_pm_fd_aci_t (type before class).
 */
#define RSBAC_PM_DEV_ACI_VERSION 2
#define RSBAC_PM_DEV_OLD_ACI_VERSION 1
#define RSBAC_PM_DEV_ACI_KEY 1001
struct rsbac_pm_dev_aci_t
{
    rsbac_pm_object_type_int_t pm_object_type; /* PO_* value */
    rsbac_pm_object_class_id_t pm_object_class;
};

/* Default: type PO_none, class 0. */
#define DEFAULT_PM_DEV_ACI \
{ \
    .pm_object_type = PO_none, \
    .pm_object_class = 0, \
}
#endif
00578
#if defined(CONFIG_RSBAC_RC)
/*
 * RC device list versions.  No struct: A_rc_type is stored directly
 * (see RSBAC_DEV_ATTR_LIST).
 */
#define RSBAC_RC_DEV_ACI_VERSION 2
#define RSBAC_RC_DEV_OLD_ACI_VERSION 1
#define RSBAC_RC_DEV_ACI_KEY 1001
#endif
00584
/*
 * All attributes a device object can carry.  RSBAC_DEV_NR_ATTRIBUTES must
 * equal the entry count of RSBAC_DEV_ATTR_LIST (8 -- they match).
 */
#define RSBAC_DEV_NR_ATTRIBUTES 8
#define RSBAC_DEV_ATTR_LIST { \
    A_security_level, \
    A_mac_categories, \
    A_mac_check, \
    A_pm_object_type, \
    A_pm_object_class, \
    A_rc_type, \
    A_log_array_low, \
    A_log_array_high \
}
00596
#ifdef __KERNEL__
/* Handles of the device attribute lists, one per compiled-in module. Kernel-only. */
struct rsbac_dev_handles_t
{
    rsbac_list_handle_t gen;
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
};
#endif
00612
00613
00614
00615
00616
/*
 * File names of the IPC attribute lists.  The JAIL name is "ipc_jai"
 * (truncated, unlike the others); it is persisted, so leave it as is.
 */
#define RSBAC_MAC_ACI_IPC_NAME "ipc_mac"
#define RSBAC_PM_ACI_IPC_NAME "ipc_pm"
#define RSBAC_RC_ACI_IPC_NAME "ipc_rc"
#define RSBAC_JAIL_ACI_IPC_NAME "ipc_jai"
00621
#if defined(CONFIG_RSBAC_MAC)
/* MAC attributes of an IPC object: level and categories only. */
#define RSBAC_MAC_IPC_ACI_VERSION 1
#define RSBAC_MAC_IPC_ACI_KEY 1001
struct rsbac_mac_ipc_aci_t
{
    rsbac_security_level_t sec_level;
    rsbac_mac_category_vector_t mac_categories;
};
/* Default: unclassified with the default category vector. */
#define DEFAULT_MAC_IPC_ACI \
{ \
    .sec_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
}
#endif
00636
#if defined(CONFIG_RSBAC_PM)
/* PM attributes of an IPC object. */
#define RSBAC_PM_IPC_ACI_VERSION 1
#define RSBAC_PM_IPC_ACI_KEY 1001
struct rsbac_pm_ipc_aci_t
{
    rsbac_pm_object_class_id_t pm_object_class;
    rsbac_pm_purpose_id_t pm_ipc_purpose;
    rsbac_pm_object_type_int_t pm_object_type; /* PO_* value */
};
/*
 * Default: unlike file/dir and device objects, IPC objects get a concrete
 * class (RSBAC_PM_IPC_OBJECT_CLASS_ID) and type (PO_ipc) out of the box.
 */
#define DEFAULT_PM_IPC_ACI \
{ \
    .pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
    .pm_ipc_purpose = 0, \
    .pm_object_type = PO_ipc, \
}
#endif
00653
#if defined(CONFIG_RSBAC_RC)
/* RC IPC list: A_rc_type is stored directly, no struct needed. */
#define RSBAC_RC_IPC_ACI_VERSION 1
#define RSBAC_RC_IPC_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_JAIL)
/* JAIL IPC list: A_jail_id is stored directly, no struct needed. */
#define RSBAC_JAIL_IPC_ACI_VERSION 1
#define RSBAC_JAIL_IPC_ACI_KEY 1001
#endif
00663
/*
 * All attributes an IPC object can carry.  RSBAC_IPC_NR_ATTRIBUTES must
 * equal the entry count of RSBAC_IPC_ATTR_LIST (7 -- they match).
 */
#define RSBAC_IPC_NR_ATTRIBUTES 7
#define RSBAC_IPC_ATTR_LIST { \
    A_security_level, \
    A_mac_categories, \
    A_pm_object_class, \
    A_pm_ipc_purpose, \
    A_pm_object_type, \
    A_rc_type, \
    A_jail_id \
}
00674
#ifdef __KERNEL__
/*
 * Handles of the IPC attribute lists.  No generic list: there are no
 * module-independent IPC attributes.  Kernel-only.
 */
struct rsbac_ipc_handles_t
{
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
#if defined(CONFIG_RSBAC_JAIL)
    rsbac_list_handle_t jail;
#endif
};
#endif
00692
00693
00694
00695
/* File names of the per-module user attribute lists (persisted on disk). */
#define RSBAC_GEN_ACI_USER_NAME "u_gen"
#define RSBAC_MAC_ACI_USER_NAME "u_mac"
#define RSBAC_PM_ACI_USER_NAME "u_pm"
#define RSBAC_DAZ_ACI_USER_NAME "u_daz"
#define RSBAC_FF_ACI_USER_NAME "u_ff"
#define RSBAC_RC_ACI_USER_NAME "u_rc"
#define RSBAC_AUTH_ACI_USER_NAME "u_auth"
#define RSBAC_CAP_ACI_USER_NAME "u_cap"
#define RSBAC_JAIL_ACI_USER_NAME "u_jail"
#define RSBAC_PAX_ACI_USER_NAME "u_pax"
#define RSBAC_RES_ACI_USER_NAME "u_res"
00707
/* Generic attributes of a user: a pseudonym and the user-based log vector. */
#define RSBAC_GEN_USER_ACI_VERSION 1
#define RSBAC_GEN_USER_ACI_KEY 1001
struct rsbac_gen_user_aci_t
{
    rsbac_pseudo_t pseudo;                    /* 0 = no pseudonym set */
    rsbac_request_vector_t log_user_based;    /* requests logged for this user */
};
/* Default: no pseudonym, nothing logged per user. */
#define DEFAULT_GEN_U_ACI \
{ \
    .pseudo = (rsbac_pseudo_t) 0, \
    .log_user_based = 0, \
}
00720
#if defined(CONFIG_RSBAC_MAC)
/*
 * MAC attributes of a user, version 4.  History from the old structs:
 *   v4: access_appr/min_access_appr renamed to security_level/
 *       min_security_level, initial_security_level and
 *       mac_initial_categories added, mac_allow_auto replaced by
 *       mac_user_flags
 *   v3: adds mac_allow_auto
 *   v2: adds min_access_appr and mac_min_categories
 * Layouts of v1-v3 are frozen for list conversion.
 */
#define RSBAC_MAC_USER_ACI_VERSION 4
#define RSBAC_MAC_USER_OLD_ACI_VERSION 3
#define RSBAC_MAC_USER_OLD_OLD_ACI_VERSION 2
#define RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION 1
#define RSBAC_MAC_USER_ACI_KEY 1001
struct rsbac_mac_user_aci_t
{
    rsbac_security_level_t security_level;          /* maximum (clearance) level */
    rsbac_security_level_t initial_security_level;  /* level at login (name-based; confirm) */
    rsbac_security_level_t min_security_level;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_category_vector_t mac_initial_categories;
    rsbac_mac_category_vector_t mac_min_categories;
    rsbac_system_role_int_t system_role;            /* SR_* value */
    rsbac_mac_user_flags_t mac_user_flags;
};
struct rsbac_mac_user_old_aci_t
{
    rsbac_security_level_t access_appr;
    rsbac_security_level_t min_access_appr;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_category_vector_t mac_min_categories;
    rsbac_system_role_int_t system_role;
    rsbac_boolean_int_t mac_allow_auto;
};
struct rsbac_mac_user_old_old_aci_t
{
    rsbac_security_level_t access_appr;
    rsbac_security_level_t min_access_appr;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_category_vector_t mac_min_categories;
    rsbac_system_role_int_t system_role;
};
struct rsbac_mac_user_old_old_old_aci_t
{
    rsbac_security_level_t access_appr;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_system_role_int_t system_role;
};
/*
 * Role-specific defaults.  All four share the same levels (unclassified)
 * and category vectors; they differ only in system_role and, for the
 * administrator and security officer, in the flag set.  The auditor uses
 * the plain user flags.
 */
#define DEFAULT_MAC_U_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_user, \
    .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
}
#define DEFAULT_MAC_U_SYSADM_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_administrator, \
    .mac_user_flags = RSBAC_MAC_DEF_SYSADM_U_FLAGS, \
}
#define DEFAULT_MAC_U_SECOFF_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_security_officer, \
    .mac_user_flags = RSBAC_MAC_DEF_SECOFF_U_FLAGS, \
}
#define DEFAULT_MAC_U_AUDITOR_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_auditor, \
    .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
}
#endif
00806
#if defined(CONFIG_RSBAC_PM)
/* PM attributes of a user: task set and PM role. */
#define RSBAC_PM_USER_ACI_VERSION 1
#define RSBAC_PM_USER_ACI_KEY 1001
struct rsbac_pm_user_aci_t
{
    rsbac_pm_task_set_id_t pm_task_set;  /* 0 = none */
    rsbac_pm_role_int_t pm_role;         /* PR_* value */
};
/* Role-specific defaults; they differ only in pm_role. */
#define DEFAULT_PM_U_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_user, \
}
#define DEFAULT_PM_U_SYSADM_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_system_admin, \
}
#define DEFAULT_PM_U_SECOFF_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_security_officer, \
}
#define DEFAULT_PM_U_DATAPROT_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_data_protection_officer, \
}
#define DEFAULT_PM_U_TPMAN_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_tp_manager, \
}
#endif
00841
#if defined(CONFIG_RSBAC_DAZ)
/* DAZ user list: only A_daz_role is stored, no struct needed. */
#define RSBAC_DAZ_USER_ACI_VERSION 1
#define RSBAC_DAZ_USER_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_FF)
/* FF user list: only A_ff_role is stored, no struct needed. */
#define RSBAC_FF_USER_ACI_VERSION 1
#define RSBAC_FF_USER_ACI_KEY 1001
#endif
00851
#if defined(CONFIG_RSBAC_RC)
/*
 * RC attributes of a user: default role and type.  Version 2; an OLD
 * version 1 is named but its layout is not kept in this header.
 */
#define RSBAC_RC_USER_ACI_VERSION 2
#define RSBAC_RC_USER_OLD_ACI_VERSION 1
#define RSBAC_RC_USER_ACI_KEY 1001
struct rsbac_rc_user_aci_t
{
    rsbac_rc_role_id_t rc_role;
    rsbac_rc_type_id_t rc_type;
};
/*
 * Role-specific defaults.  Note the security officer gets the role-admin
 * role, and both security officer and auditor get the SEC type, while the
 * administrator gets the SYS type.
 */
#define DEFAULT_RC_U_ACI \
{ \
    .rc_role = RSBAC_RC_GENERAL_ROLE, \
    .rc_type = RSBAC_RC_GENERAL_TYPE, \
}
#define DEFAULT_RC_U_SYSADM_ACI \
{ \
    .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
    .rc_type = RSBAC_RC_SYS_TYPE, \
}
#define DEFAULT_RC_U_SECOFF_ACI \
{ \
    .rc_role = RSBAC_RC_ROLE_ADMIN_ROLE, \
    .rc_type = RSBAC_RC_SEC_TYPE, \
}
#define DEFAULT_RC_U_AUDITOR_ACI \
{ \
    .rc_role = RSBAC_RC_AUDITOR_ROLE, \
    .rc_type = RSBAC_RC_SEC_TYPE, \
}
#endif
00882
#if defined(CONFIG_RSBAC_AUTH)
/* AUTH user list: only A_auth_role is stored, no struct needed. */
#define RSBAC_AUTH_USER_ACI_VERSION 1
#define RSBAC_AUTH_USER_ACI_KEY 1001

#endif
00888
#if defined(CONFIG_RSBAC_CAP)
/* CAP attributes of a user: CAP role plus capability bounds. */
#define RSBAC_CAP_USER_ACI_VERSION 1
#define RSBAC_CAP_USER_ACI_KEY 1001
struct rsbac_cap_user_aci_t
{
    rsbac_system_role_int_t cap_role;  /* SR_* value */
    rsbac_cap_vector_t min_caps;
    rsbac_cap_vector_t max_caps;
};
/*
 * Role-specific defaults.  They differ only in cap_role; every role gets
 * the same capability bounds from the CAP module's constants.
 */
#define DEFAULT_CAP_U_ACI \
{ \
    .cap_role = SR_user, \
    .min_caps = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps = RSBAC_CAP_DEFAULT_MAX, \
}
#define DEFAULT_CAP_U_SYSADM_ACI \
{ \
    .cap_role = SR_administrator, \
    .min_caps = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps = RSBAC_CAP_DEFAULT_MAX, \
}
#define DEFAULT_CAP_U_SECOFF_ACI \
{ \
    .cap_role = SR_security_officer, \
    .min_caps = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps = RSBAC_CAP_DEFAULT_MAX, \
}
#define DEFAULT_CAP_U_AUDITOR_ACI \
{ \
    .cap_role = SR_auditor, \
    .min_caps = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps = RSBAC_CAP_DEFAULT_MAX, \
}
#endif
00923
#if defined(CONFIG_RSBAC_JAIL)
/* JAIL user list: only A_jail_role is stored, no struct needed. */
#define RSBAC_JAIL_USER_ACI_VERSION 1
#define RSBAC_JAIL_USER_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_PAX)
/* PAX user list: only A_pax_role is stored.  Key differs from the usual 1001. */
#define RSBAC_PAX_USER_ACI_VERSION 1
#define RSBAC_PAX_USER_ACI_KEY 1001221
#endif
00933
#if defined(CONFIG_RSBAC_RES)
/* RES attributes of a user: RES role plus per-resource min/max limits. */
#define RSBAC_RES_USER_ACI_VERSION 1
#define RSBAC_RES_USER_ACI_KEY 1002
struct rsbac_res_user_aci_t
{
    rsbac_system_role_int_t res_role;  /* SR_* value */
    rsbac_res_array_t res_min;         /* one entry per resource, RSBAC_RES_UNSET = no limit set */
    rsbac_res_array_t res_max;
};
/*
 * Role-specific defaults; they differ only in res_role, all limits unset.
 * Each initializer spells out exactly 11 entries per array: any further
 * element of rsbac_res_array_t (if it is longer) is implicitly zero, not
 * RSBAC_RES_UNSET.  Keep the count in sync with the array length in
 * res_types.h -- TODO confirm the length.
 */
#define DEFAULT_RES_U_ACI \
{ \
    .res_role = SR_user, \
    .res_min = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
}
#define DEFAULT_RES_U_SYSADM_ACI \
{ \
    .res_role = SR_administrator, \
    .res_min = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    } \
}
#define DEFAULT_RES_U_SECOFF_ACI \
{ \
    .res_role = SR_security_officer, \
    .res_min = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    } \
}
#define DEFAULT_RES_U_AUDITOR_ACI \
{ \
    .res_role = SR_auditor, \
    .res_min = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    } \
}
#endif
01064
/*
 * All attributes a user can carry.  RSBAC_USER_NR_ATTRIBUTES must equal
 * the entry count of RSBAC_USER_ATTR_LIST (23 -- they match).
 */
#define RSBAC_USER_NR_ATTRIBUTES 23
#define RSBAC_USER_ATTR_LIST { \
    A_pseudo, \
    A_log_user_based, \
    A_security_level, \
    A_initial_security_level, \
    A_min_security_level, \
    A_mac_categories, \
    A_mac_initial_categories, \
    A_mac_min_categories, \
    A_mac_role, \
    A_mac_user_flags, \
    A_daz_role, \
    A_ff_role, \
    A_auth_role, \
    A_pm_task_set, \
    A_pm_role, \
    A_rc_def_role, \
    A_rc_type, \
    A_min_caps, \
    A_max_caps, \
    A_cap_role, \
    A_jail_role, \
    A_res_role, \
    A_pax_role \
}
01091
#ifdef __KERNEL__
/* Handles of the user attribute lists, one per compiled-in module. Kernel-only. */
struct rsbac_user_handles_t
{
    rsbac_list_handle_t gen;
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_DAZ)
    rsbac_list_handle_t daz;
#endif
#if defined(CONFIG_RSBAC_FF)
    rsbac_list_handle_t ff;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
#if defined(CONFIG_RSBAC_AUTH)
    rsbac_list_handle_t auth;
#endif
#if defined(CONFIG_RSBAC_CAP)
    rsbac_list_handle_t cap;
#endif
#if defined(CONFIG_RSBAC_JAIL)
    rsbac_list_handle_t jail;
#endif
#if defined(CONFIG_RSBAC_PAX)
    rsbac_list_handle_t pax;
#endif
#if defined(CONFIG_RSBAC_RES)
    rsbac_list_handle_t res;
#endif
};
#endif
01128
01129
01130
01131
/*
 * Names of the process attribute lists.  Only gen, mac and rc end in '.',
 * which -- as with the fd list names -- suggests a sub-list index is
 * appended for those three and not for the others; confirm in the list
 * backend before "fixing" the inconsistency.
 */
#define RSBAC_GEN_ACI_PROCESS_NAME "process_gen."
#define RSBAC_MAC_ACI_PROCESS_NAME "process_mac."
#define RSBAC_PM_ACI_PROCESS_NAME "process_pm"
#define RSBAC_DAZ_ACI_PROCESS_NAME "process_daz"
#define RSBAC_RC_ACI_PROCESS_NAME "process_rc."
#define RSBAC_AUTH_ACI_PROCESS_NAME "process_auth"
#define RSBAC_CAP_ACI_PROCESS_NAME "process_cap"
#define RSBAC_JAIL_ACI_PROCESS_NAME "process_jail"
01140
/*
 * Generic attributes of a process.  These live in memory only as far as
 * this header shows (no OLD version), but carry a version/key like the
 * persisted lists.
 */
#define RSBAC_GEN_PROCESS_ACI_VERSION 1
#define RSBAC_GEN_PROCESS_ACI_KEY 1001
struct rsbac_gen_process_aci_t
{
    rsbac_request_vector_t log_program_based;  /* requests logged for this process */
    rsbac_fake_root_uid_int_t fake_root_uid;   /* FR_* value */
    rsbac_uid_t audit_uid;                     /* RSBAC_NO_USER when unset */
    rsbac_uid_t auid_exempt;                   /* RSBAC_NO_USER when unset */
    __u32 remote_ip;                           /* 32 bits: holds an IPv4 address only, no room for IPv6 */
};
/* Default: nothing logged, no fake root, no audit uid, no remote address. */
#define DEFAULT_GEN_P_ACI \
{ \
    .log_program_based = 0, \
    .fake_root_uid = FR_off, \
    .audit_uid = RSBAC_NO_USER, \
    .auid_exempt = RSBAC_NO_USER, \
    .remote_ip = 0, \
}
01159
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
/*
 * MAC attributes of a process.  Three groups of level + category vector:
 * the owner's (max / initial / min), the current one, and the bounds
 * accumulated from opened files (min_write_* and max_read_*).  The
 * process flags are a separate bit set.
 */
#define RSBAC_MAC_PROCESS_ACI_VERSION 1
#define RSBAC_MAC_PROCESS_ACI_KEY 1001
struct rsbac_mac_process_aci_t
{
    rsbac_security_level_t owner_sec_level;
    rsbac_security_level_t owner_initial_sec_level;
    rsbac_security_level_t owner_min_sec_level;
    rsbac_mac_category_vector_t mac_owner_categories;
    rsbac_mac_category_vector_t mac_owner_initial_categories;
    rsbac_mac_category_vector_t mac_owner_min_categories;
    rsbac_security_level_t current_sec_level;
    rsbac_mac_category_vector_t mac_curr_categories;
    rsbac_security_level_t min_write_open;        /* lowest level of any file opened for writing (name-based; confirm) */
    rsbac_mac_category_vector_t min_write_categories;
    rsbac_security_level_t max_read_open;         /* highest level of any file opened for reading (name-based; confirm) */
    rsbac_mac_category_vector_t max_read_categories;
    rsbac_mac_process_flags_t mac_process_flags;
};
01179 #define DEFAULT_MAC_P_ACI \
01180 { \
01181 .owner_sec_level = SL_unclassified, \
01182 .owner_initial_sec_level = SL_unclassified, \
01183 .owner_min_sec_level = SL_unclassified, \
01184 .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01185 .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01186 .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01187 .current_sec_level = SL_unclassified, \
01188 .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01189 .min_write_open = SL_max, \
01190 .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
01191 .max_read_open = SL_unclassified, \
01192 .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01193 .mac_process_flags = RSBAC_MAC_DEF_P_FLAGS, \
01194 }
01195 #define DEFAULT_MAC_P_INIT_ACI \
01196 { \
01197 .owner_sec_level = SL_unclassified, \
01198 .owner_initial_sec_level = SL_unclassified, \
01199 .owner_min_sec_level = SL_unclassified, \
01200 .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01201 .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01202 .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01203 .current_sec_level = SL_unclassified, \
01204 .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01205 .min_write_open = SL_max, \
01206 .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
01207 .max_read_open = SL_unclassified, \
01208 .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01209 .mac_process_flags = RSBAC_MAC_DEF_INIT_P_FLAGS, \
01210 }
01211 #endif
01212
#if defined(CONFIG_RSBAC_PM)
/* Privacy Model per-process state: the TP and task the process acts in. */
#define RSBAC_PM_PROCESS_ACI_VERSION 1
#define RSBAC_PM_PROCESS_ACI_KEY 1001
struct rsbac_pm_process_aci_t
{
	/* transformation procedure id, 0 when none */
	rsbac_pm_tp_id_t pm_tp;
	/* task the process currently works on, 0 when none */
	rsbac_pm_task_id_t pm_current_task;
	/* process type, PP_none by default */
	rsbac_pm_process_type_int_t pm_process_type;
};
/* Initialiser for a process not bound to any TP or task. */
#define DEFAULT_PM_P_ACI \
{ \
.pm_tp = 0, \
.pm_current_task = 0, \
.pm_process_type = PP_none, \
}
#endif
01229
#if defined(CONFIG_RSBAC_DAZ)
/* Dazuko (malware scanner) per-process state. */
#define RSBAC_DAZ_PROCESS_ACI_VERSION 1
#define RSBAC_DAZ_PROCESS_ACI_KEY 1001
struct rsbac_daz_process_aci_t
{
	/* whether this process is the registered scanner; FALSE by default */
	rsbac_boolean_int_t daz_scanner;
};
#define DEFAULT_DAZ_P_ACI \
{ \
.daz_scanner = FALSE, \
}
#endif
01242
#if defined(CONFIG_RSBAC_RC)
/* Role Compatibility per-process state. */
#define RSBAC_RC_PROCESS_ACI_VERSION 1
#define RSBAC_RC_PROCESS_ACI_KEY 1001
struct rsbac_rc_process_aci_t
{
	/* role the process currently runs in */
	rsbac_rc_role_id_t rc_role;
	/* RC type of the process object itself */
	rsbac_rc_type_id_t rc_type;
	/* forced role setting, RC_default_force_role unless overridden */
	rsbac_rc_role_id_t rc_force_role;
};
/* Ordinary process: general role and general type. */
#define DEFAULT_RC_P_ACI \
{ \
.rc_role = RSBAC_RC_GENERAL_ROLE, \
.rc_type = RSBAC_RC_GENERAL_TYPE, \
.rc_force_role = RC_default_force_role, \
}
/*
 * Init-process initialiser: starts in the system administrator role.
 * Anything initialised with this macro gets the most privileged RC role,
 * so its use should be limited to the init path.
 */
#define DEFAULT_RC_P_INIT_ACI \
{ \
.rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
.rc_type = RSBAC_RC_GENERAL_TYPE, \
.rc_force_role = RC_default_force_role, \
}
/*
 * Kernel-thread initialiser: system administrator role, with the process
 * type taken from the CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE build option.
 */
#define DEFAULT_RC_P_KERNEL_ACI \
{ \
.rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
.rc_type = CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE, \
.rc_force_role = RC_default_force_role, \
}
#endif
01271
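#if defined(CONFIG_RSBAC_AUTH)
/*
 * AUTH module per-process state: whether the process may change its uid
 * or capabilities, the last uid it authenticated for, and — in kernel
 * builds with learning mode — the program file and start-up ids needed
 * to record learned rules.
 */
#define RSBAC_AUTH_PROCESS_ACI_VERSION 1
#define RSBAC_AUTH_PROCESS_ACI_KEY 1001
struct rsbac_auth_process_aci_t
{
	/* setuid / capability changes allowed for this process; FALSE by default */
	__u8 auth_may_setuid;
	__u8 auth_may_set_cap;
	/* last uid the process authenticated for, RSBAC_NO_USER when none */
	rsbac_uid_t auth_last_auth;
#if defined(CONFIG_RSBAC_AUTH_LEARN) && defined(__KERNEL__)
	/* learning-mode state (kernel only): the executed program file and
	 * the ids the process started with */
	struct rsbac_fs_file_t auth_program_file;
	rsbac_uid_t auth_start_uid;
#ifdef CONFIG_RSBAC_AUTH_DAC_OWNER
	rsbac_uid_t auth_start_euid;
#endif
#ifdef CONFIG_RSBAC_AUTH_GROUP
	rsbac_gid_t auth_start_gid;
#ifdef CONFIG_RSBAC_AUTH_DAC_GROUP
	rsbac_gid_t auth_start_egid;
#endif
#endif
	/* learning mode active for this process; 0 = off */
	__u8 auth_learn;
#endif
};

/*
 * Default initialiser. The learning-mode members above exist only when
 * both CONFIG_RSBAC_AUTH_LEARN and __KERNEL__ are defined, so the
 * initialiser that names them is selected under exactly that condition;
 * a user-space build that expands the macro otherwise fails to compile.
 * Members not listed (auth_start_euid/gid/egid, when present) are
 * zero-initialised by the designated initialiser.
 */
#if defined(CONFIG_RSBAC_AUTH_LEARN) && defined(__KERNEL__)
#define DEFAULT_AUTH_P_ACI \
{ \
.auth_may_setuid = FALSE, \
.auth_may_set_cap = FALSE, \
.auth_last_auth = RSBAC_NO_USER, \
.auth_program_file = { RSBAC_ZERO_DEV, 0, NULL }, \
.auth_start_uid = 0, \
.auth_learn = 0, \
}
#else
#define DEFAULT_AUTH_P_ACI \
{ \
.auth_may_setuid = FALSE, \
.auth_may_set_cap = FALSE, \
.auth_last_auth = RSBAC_NO_USER, \
}
#endif
#endif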
01315
01316
#if defined(CONFIG_RSBAC_CAP)
/*
 * CAP module per-process state. Note that the KEY differs from the 1001
 * used by the other process lists in this header.
 */
#define RSBAC_CAP_PROCESS_ACI_VERSION 1
#define RSBAC_CAP_PROCESS_ACI_KEY 10013283
struct rsbac_cap_process_aci_t
{
	/* process hiding mode; PH_off by default */
	rsbac_cap_process_hiding_int_t cap_process_hiding;
#ifdef CONFIG_RSBAC_CAP_LOG_MISSING
	/* capability ceilings inherited from user and program, kept here so
	 * missing capabilities can be logged; RSBAC_CAP_DEFAULT_MAX by default */
	rsbac_cap_vector_t max_caps_user;
	rsbac_cap_vector_t max_caps_program;
#endif
};

/* Initialiser matching the struct layout for the current configuration. */
#ifdef CONFIG_RSBAC_CAP_LOG_MISSING
#define DEFAULT_CAP_P_ACI \
{ \
.cap_process_hiding = PH_off, \
.max_caps_user = RSBAC_CAP_DEFAULT_MAX, \
.max_caps_program = RSBAC_CAP_DEFAULT_MAX, \
}
#else
#define DEFAULT_CAP_P_ACI \
{ \
.cap_process_hiding = PH_off, \
}
#endif
#endif
01343
#if defined(CONFIG_RSBAC_JAIL)
/* JAIL module per-process state. */
#define RSBAC_JAIL_PROCESS_ACI_VERSION 1
#define RSBAC_JAIL_PROCESS_ACI_KEY 1001
struct rsbac_jail_process_aci_t
{
	/* jail the process belongs to, 0 = not jailed */
	rsbac_jail_id_t id;
	/* address the jail is bound to, 0 = none */
	rsbac_jail_ip_t ip;
	/* jail behaviour flags */
	rsbac_jail_flags_t flags;
	/* capability ceiling inside the jail */
	rsbac_cap_vector_t max_caps;
	/* system-control-data classes the jail may read / modify */
	rsbac_jail_scd_vector_t scd_get;
	rsbac_jail_scd_vector_t scd_modify;
};
/*
 * Initialiser for an unjailed process. max_caps = -1 sets every bit, i.e.
 * no capability ceiling (assuming rsbac_cap_vector_t is an unsigned
 * integer type — confirm in rsbac/types.h), while scd_get/scd_modify are
 * empty.
 */
#define DEFAULT_JAIL_P_ACI \
{ \
.id = 0, \
.ip = 0, \
.flags = 0, \
.max_caps = -1, \
.scd_get = 0, \
.scd_modify = 0, \
}
#endif
01366
/*
 * Attributes that exist on process objects, across all modules. The count
 * must equal the number of entries in RSBAC_PROCESS_ATTR_LIST (currently
 * 36) — keep the two in step when adding an attribute.
 */
#define RSBAC_PROCESS_NR_ATTRIBUTES 36
#define RSBAC_PROCESS_ATTR_LIST { \
A_security_level, \
A_min_security_level, \
A_mac_categories, \
A_mac_min_categories, \
A_current_sec_level, \
A_mac_curr_categories, \
A_min_write_open, \
A_min_write_categories, \
A_max_read_open, \
A_max_read_categories, \
A_mac_process_flags, \
A_pm_tp, \
A_pm_current_task, \
A_pm_process_type, \
A_daz_scanner, \
A_rc_role, \
A_rc_type, \
A_rc_force_role, \
A_auth_may_setuid, \
A_auth_may_set_cap, \
A_auth_learn, \
A_cap_process_hiding, \
A_max_caps_user, \
A_max_caps_program, \
A_jail_id, \
A_jail_ip, \
A_jail_flags, \
A_jail_max_caps, \
A_jail_scd_get, \
A_jail_scd_modify, \
A_log_program_based, \
A_fake_root_uid, \
A_audit_uid, \
A_auid_exempt, \
A_auth_last_auth, \
A_remote_ip \
}
01406
#ifdef __KERNEL__
/*
 * Generic-list handles for the process attribute lists, one member per
 * enabled module. gen, mac, rc and jail are split into several lists,
 * sized by the CONFIG_RSBAC_*_NR_P_LISTS options.
 */
struct rsbac_process_handles_t
{
	rsbac_list_handle_t gen[CONFIG_RSBAC_GEN_NR_P_LISTS];
#if defined(CONFIG_RSBAC_MAC)
	rsbac_list_handle_t mac[CONFIG_RSBAC_MAC_NR_P_LISTS];
#endif
#if defined(CONFIG_RSBAC_PM)
	rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_DAZ)
	rsbac_list_handle_t daz;
#endif
#if defined(CONFIG_RSBAC_RC)
	rsbac_list_handle_t rc[CONFIG_RSBAC_RC_NR_P_LISTS];
#endif
#if defined(CONFIG_RSBAC_AUTH)
	rsbac_list_handle_t auth;
#endif
#if defined(CONFIG_RSBAC_CAP)
	rsbac_list_handle_t cap;
#endif
#if defined(CONFIG_RSBAC_JAIL)
	rsbac_list_handle_t jail[CONFIG_RSBAC_JAIL_NR_P_LISTS];
#endif
};
#endif
01434
01435
01436
01437
01438
01439
/* Group objects: only the RC module keeps attributes (the group's RC type). */
#define RSBAC_RC_ACI_GROUP_NAME "grouprc"



#if defined(CONFIG_RSBAC_RC_UM_PROT)
#define RSBAC_RC_GROUP_ACI_VERSION 1
#define RSBAC_RC_GROUP_ACI_KEY 13276142
#endif

/* Must match the entry count of RSBAC_GROUP_ATTR_LIST (currently 1). */
#define RSBAC_GROUP_NR_ATTRIBUTES 1
#define RSBAC_GROUP_ATTR_LIST { \
A_rc_type \
}

#ifdef __KERNEL__
/* List handles for group attributes; empty unless RC user-management
 * protection is configured. */
struct rsbac_group_handles_t
{
#if defined(CONFIG_RSBAC_RC_UM_PROT)
	rsbac_list_handle_t rc;
#endif
};
#endif
01462
01463
01464
01465
/* Network device attribute list names. */
#define RSBAC_GEN_ACI_NETDEV_NAME "nd_gen"
#define RSBAC_RC_ACI_NETDEV_NAME "nd_rc"

/* Generic per-network-device attributes: the two halves of the log array. */
#define RSBAC_GEN_NETDEV_ACI_VERSION 1
#define RSBAC_GEN_NETDEV_ACI_KEY 1001
struct rsbac_gen_netdev_aci_t
{
	rsbac_log_array_t log_array_low;
	rsbac_log_array_t log_array_high;
};
/*
 * Default: both halves set to -1, i.e. all bits set (assuming an unsigned
 * array type). What an all-ones log array means for a netdev is decided by
 * the logging code, not here — confirm before relying on it.
 */
#define DEFAULT_GEN_NETDEV_ACI \
{ \
.log_array_low = -1, \
.log_array_high = -1, \
}
01481
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
/* RC netdev list version/key; the stored value is the device's RC type. */
#define RSBAC_RC_NETDEV_ACI_VERSION 1
#define RSBAC_RC_NETDEV_ACI_KEY 1001
#endif

/* Must match the entry count of RSBAC_NETDEV_ATTR_LIST (currently 3). */
#define RSBAC_NETDEV_NR_ATTRIBUTES 3
#define RSBAC_NETDEV_ATTR_LIST { \
A_rc_type, \
A_log_array_low, \
A_log_array_high \
}
01493
#ifdef __KERNEL__
/*
 * List handles for network device attributes. The generic list exists
 * only with CONFIG_RSBAC_IND_NETDEV_LOG (individual netdev logging).
 */
struct rsbac_netdev_handles_t
{
#if defined(CONFIG_RSBAC_IND_NETDEV_LOG)
	rsbac_list_handle_t gen;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
	rsbac_list_handle_t rc;
#endif
};
#endif
01505
01506
01507
01508
/* Network template ("nt_") and local/remote network object list names. */
#define RSBAC_GEN_ACI_NETTEMP_NAME "nt_gen"
#define RSBAC_MAC_ACI_NETTEMP_NAME "nt_mac"
#define RSBAC_PM_ACI_NETTEMP_NAME "nt_pm"
#define RSBAC_RC_ACI_NETTEMP_NAME "nt_rc"

#define RSBAC_MAC_ACI_LNETOBJ_NAME "lnetobj_mac"
#define RSBAC_PM_ACI_LNETOBJ_NAME "lnetobj_pm"
#define RSBAC_RC_ACI_LNETOBJ_NAME "lnetobj_rc"
#define RSBAC_MAC_ACI_RNETOBJ_NAME "rnetobj_mac"
#define RSBAC_PM_ACI_RNETOBJ_NAME "rnetobj_pm"
#define RSBAC_RC_ACI_RNETOBJ_NAME "rnetobj_rc"

/* Generic per-network-object attributes: the two halves of the log array. */
#define RSBAC_GEN_NETOBJ_ACI_VERSION 1
#define RSBAC_GEN_NETOBJ_ACI_KEY 1001
struct rsbac_gen_netobj_aci_t
{
	rsbac_log_array_t log_array_low;
	rsbac_log_array_t log_array_high;
};
/* Default: all bits set in both halves (assuming an unsigned array type);
 * the meaning of an all-ones array is defined by the logging code. */
#define DEFAULT_GEN_NETOBJ_ACI \
{ \
.log_array_low = -1, \
.log_array_high = -1, \
}
01533
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
/* MAC label of a network object: level plus category set. */
#define RSBAC_MAC_NETOBJ_ACI_VERSION 1
#define RSBAC_MAC_NETOBJ_ACI_KEY 1001
struct rsbac_mac_netobj_aci_t
{
	rsbac_security_level_t sec_level;
	rsbac_mac_category_vector_t mac_categories;
};
/* Default label: unclassified with the default category vector. */
#define DEFAULT_MAC_NETOBJ_ACI \
{ \
.sec_level = SL_unclassified, \
.mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
}
#endif
01548
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
/* Privacy Model attributes of a network object. */
#define RSBAC_PM_NETOBJ_ACI_VERSION 1
#define RSBAC_PM_NETOBJ_ACI_KEY 1001
struct rsbac_pm_netobj_aci_t
{
	/* object class; defaults to the IPC object class */
	rsbac_pm_object_class_id_t pm_object_class;
	/* purpose bound to the object, 0 = none */
	rsbac_pm_purpose_id_t pm_ipc_purpose;
	/* object type; network objects default to PO_ipc */
	rsbac_pm_object_type_int_t pm_object_type;
};
#define DEFAULT_PM_NETOBJ_ACI \
{ \
.pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
.pm_ipc_purpose = 0, \
.pm_object_type = PO_ipc, \
}
#endif
01565
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
/*
 * RC attributes for network objects and network templates. The netobj
 * list stores a bare RC type; the nettemp list stores the struct below
 * and uses a different key (1002) from the netobj list (1001).
 */
#define RSBAC_RC_NETOBJ_ACI_VERSION 1
#define RSBAC_RC_NETOBJ_ACI_KEY 1001
#define RSBAC_RC_NETTEMP_ACI_VERSION 1
#define RSBAC_RC_NETTEMP_ACI_KEY 1002

struct rsbac_rc_nettemp_aci_t
{
	/* RC type given to network objects matching this template */
	rsbac_rc_type_id_t netobj_type;
	/* RC type of the template object itself */
	rsbac_rc_type_id_t nettemp_type;
};
#define DEFAULT_RC_NETTEMP_ACI \
{ \
.netobj_type = RSBAC_RC_GENERAL_TYPE, \
.nettemp_type = RSBAC_RC_GENERAL_TYPE, \
}
#endif
01583
/* Attributes of network templates; count must match the list (currently 9). */
#define RSBAC_NETTEMP_NR_ATTRIBUTES 9
#define RSBAC_NETTEMP_ATTR_LIST { \
A_security_level, \
A_mac_categories, \
A_pm_object_class, \
A_pm_ipc_purpose, \
A_pm_object_type, \
A_rc_type, \
A_rc_type_nt, \
A_log_array_low, \
A_log_array_high \
}
01596
/*
 * Attributes of network objects, each in a local and a remote variant;
 * count must match the list (currently 16).
 */
#define RSBAC_NETOBJ_NR_ATTRIBUTES 16
#define RSBAC_NETOBJ_ATTR_LIST { \
A_local_sec_level, \
A_remote_sec_level, \
A_local_mac_categories, \
A_remote_mac_categories, \
A_local_pm_object_class, \
A_remote_pm_object_class, \
A_local_pm_ipc_purpose, \
A_remote_pm_ipc_purpose, \
A_local_pm_object_type, \
A_remote_pm_object_type, \
A_local_rc_type, \
A_remote_rc_type, \
A_local_log_array_low, \
A_remote_log_array_low, \
A_local_log_array_high, \
A_remote_log_array_high \
}
01616
01617 #ifdef __KERNEL__
/*
 * List handles for network template attributes. The generic list exists
 * only with CONFIG_RSBAC_IND_NETOBJ_LOG (individual netobj logging).
 */
struct rsbac_nettemp_handles_t
{
#if defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
	rsbac_list_handle_t gen;
#endif
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
	rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
	rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
	rsbac_list_handle_t rc;
#endif
};
01633
/* List handles for local network object attributes (no generic list). */
struct rsbac_lnetobj_handles_t
{
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
	rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
	rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
	rsbac_list_handle_t rc;
#endif
};
/* List handles for remote network object attributes (no generic list). */
struct rsbac_rnetobj_handles_t
{
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
	rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
	rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
	rsbac_list_handle_t rc;
#endif
};
01658 #endif
01659
01660
01661
01662
01663
01664
01665 #ifdef __KERNEL__
/* Device the RSBAC data files are read from and written to (presumed from
 * the name; defined in the data structure code). */
extern kdev_t rsbac_root_dev;

/*
 * Open a named RSBAC data file on the given device for reading / writing,
 * filling in the caller's struct file. The path parameter is an input but
 * is not const-qualified; a `const char *` would state that. Return value
 * semantics are fixed by the implementation, not by this header.
 */
int rsbac_read_open (char *,
struct file *,
kdev_t);

int rsbac_write_open(char *,
struct file *,
kdev_t);

/* Close a file opened with the matching *_open() above. */
void rsbac_read_close(struct file *);

void rsbac_write_close(struct file *);

/* Semaphore serialising RSBAC data-file writers (presumed from the name). */
extern struct semaphore rsbac_write_sem;
01681
01682
01683
01684
01685
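/*
 * Take @lock_p for reading.
 *
 * @flags_p is not used by this variant; the parameter is kept so all
 * wrappers share one signature, presumably so that irq-saving variants can
 * be substituted without touching call sites — confirm against the other
 * configurations. Note that `extern inline` emits no out-of-line copy in
 * gnu89 mode but does in C99 mode; keep that in mind if the build standard
 * changes. The stray ';' that used to follow the body (an empty declaration
 * at file scope, diagnosed by -pedantic) is removed.
 */
extern inline void rsbac_read_lock(rwlock_t * lock_p, u_long * flags_p)
{
	(void) flags_p;
	read_lock(lock_p);
}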
01690
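/*
 * Release a read lock taken with rsbac_read_lock().
 *
 * @flags_p is unused here and only kept for signature compatibility with
 * the other lock wrappers. The stray ';' after the body (an empty
 * file-scope declaration, diagnosed by -pedantic) is removed.
 */
extern inline void rsbac_read_unlock(rwlock_t * lock_p, u_long * flags_p)
{
	(void) flags_p;
	read_unlock(lock_p);
}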
01695
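/*
 * Take @lock_p for writing.
 *
 * @flags_p is unused here and only kept for signature compatibility with
 * the other lock wrappers. The stray ';' after the body (an empty
 * file-scope declaration, diagnosed by -pedantic) is removed.
 */
extern inline void rsbac_write_lock(rwlock_t * lock_p, u_long * flags_p)
{
	(void) flags_p;
	write_lock(lock_p);
}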
01700
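/*
 * Release a write lock taken with rsbac_write_lock().
 *
 * @flags_p is unused here and only kept for signature compatibility with
 * the other lock wrappers. The stray ';' after the body (an empty
 * file-scope declaration, diagnosed by -pedantic) is removed.
 */
extern inline void rsbac_write_unlock(rwlock_t * lock_p, u_long * flags_p)
{
	(void) flags_p;
	write_unlock(lock_p);
}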
01705
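/*
 * Take @lock_p for writing with local interrupts disabled (write_lock_irq).
 *
 * Interrupt state is not saved: @flags_p is unused, so this must only be
 * called from contexts where interrupts are known to be enabled — pair it
 * with rsbac_write_unlock_irq(). The stray ';' after the body (an empty
 * file-scope declaration, diagnosed by -pedantic) is removed.
 */
extern inline void rsbac_write_lock_irq(rwlock_t * lock_p, u_long * flags_p)
{
	(void) flags_p;
	write_lock_irq(lock_p);
}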
01710
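/*
 * Release a write lock taken with rsbac_write_lock_irq() and re-enable
 * local interrupts unconditionally (write_unlock_irq); @flags_p is unused.
 * The stray ';' after the body (an empty file-scope declaration, diagnosed
 * by -pedantic) is removed.
 */
extern inline void rsbac_write_unlock_irq(rwlock_t * lock_p, u_long * flags_p)
{
	(void) flags_p;
	write_unlock_irq(lock_p);
}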
01715
01716 #endif
01717
01718
01719
01720
01721
01722 #ifdef __KERNEL__
01723
01724 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
/*
 * Take a reference on @dentry's parent and lock the parent directory's
 * inode semaphore. Returns the referenced parent; undo with unlock_dir().
 * Nothing here stabilises the d_parent read itself — the caller is assumed
 * to hold whatever keeps the parent valid (review note, confirm at call
 * sites).
 */
static inline struct dentry *lock_parent(struct dentry *dentry)
{
	struct dentry *parent;

	parent = dget(dentry->d_parent);
	down(&parent->d_inode->i_sem);
	return parent;
}
01732
/*
 * Counterpart of lock_parent(): release the directory inode semaphore and
 * drop the reference lock_parent() took on @dir.
 */
static inline void unlock_dir(struct dentry *dir)
{
	struct semaphore *dir_sem = &dir->d_inode->i_sem;

	up(dir_sem);
	dput(dir);
}
01738
/*
 * Acquire two semaphores in a fixed global order (higher address first),
 * so that two callers locking the same pair in opposite argument order
 * cannot deadlock against each other. If both arguments are the same
 * semaphore it is taken exactly once.
 */
static inline void double_down(struct semaphore *s1, struct semaphore *s2)
{
	struct semaphore *first = s1;
	struct semaphore *second = s2;

	if (s1 == s2) {
		down(s2);
		return;
	}
	if ((unsigned long) first < (unsigned long) second) {
		first = s2;
		second = s1;
	}
	down(first);
	down(second);
}
01750
/*
 * Release the semaphores taken by double_down(); a pair that is the same
 * semaphore is released only once.
 */
static inline void double_up(struct semaphore *s1, struct semaphore *s2)
{
	up(s1);
	if (s1 == s2)
		return;
	up(s2);
}
01757
/*
 * Lock the inode semaphores of two dentries in deadlock-safe order.
 * Takes no dentry references — note that double_unlock() does dput() both,
 * so the caller must hold references obtained elsewhere before pairing
 * the two.
 */
static inline void double_lock(struct dentry *d1, struct dentry *d2)
{
	struct semaphore *sem1 = &d1->d_inode->i_sem;
	struct semaphore *sem2 = &d2->d_inode->i_sem;

	double_down(sem1, sem2);
}
01762
/*
 * Release the inode semaphores of two dentries and drop one reference on
 * each. Asymmetric with double_lock(), which takes no references: the
 * references dropped here must have been obtained by the caller.
 */
static inline void double_unlock(struct dentry *d1, struct dentry *d2)
{
	struct semaphore *sem1 = &d1->d_inode->i_sem;
	struct semaphore *sem2 = &d2->d_inode->i_sem;

	double_up(sem1, sem2);
	dput(d1);
	dput(d2);
}
01769 #else
/* Pre-2.6 kernels: only declared here, the definition lives outside this header. */
extern inline struct dentry *lock_parent(struct dentry *dentry);
01771 #endif
01772
01773 #endif
01774
01775 #endif