#include <linux/string.h>#include <rsbac/types.h>#include <rsbac/aci.h>#include <rsbac/rc.h>#include <rsbac/adf_main.h>#include <rsbac/error.h>#include <rsbac/debug.h>#include <rsbac/helpers.h>#include <rsbac/getname.h>#include <rsbac/rc_getname.h>#include <rsbac/rkmem.h>Go to the source code of this file.
|
||||||||||||||||||||
|
Definition at line 312 of file rc_main.c. References A_rc_role, FALSE, get_rc_special_right_name(), GRANTED, NOT_GRANTED, rsbac_target_id_t::process, RC, rsbac_attribute_value_t::rc_role, RC_type_max_value, RCR_ASSIGN, RI_type_comp_dev, RI_type_comp_fd, RI_type_comp_group, RI_type_comp_ipc, RI_type_comp_netdev, RI_type_comp_netobj, RI_type_comp_nettemp, RI_type_comp_process, RI_type_comp_user, rsbac_get_attr, rsbac_kfree(), rsbac_kmalloc(), RSBAC_MAXNAMELEN, rsbac_printk(), rsbac_rc_check_comp(), T_DEV, T_DIR, T_FD, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SYMLINK, T_USER, and rsbac_rc_target_id_t::type. Referenced by rsbac_adf_request_rc(), rsbac_rc_sys_copy_type(), rsbac_rc_sys_get_item(), and rsbac_rc_sys_set_item(). 00316 {
00317 int err;
00318 union rsbac_target_id_t i_tid;
00319 union rsbac_attribute_value_t i_attr_val1;
00320
00321 union rsbac_rc_target_id_t i_rc_subtid;
00322 enum rsbac_rc_item_t i_rc_item;
00323
00324 if(!caller_pid)
00325 caller_pid = current->pid;
00326 /*
00327 * we don't care about tried assignments of special type values,
00328 * but deny other accesses to those
00329 */
00330 if(type > RC_type_max_value)
00331 {
00332 if(request == RCR_ASSIGN)
00333 return GRANTED;
00334 else
00335 return NOT_GRANTED;
00336 }
00337
00338 /* get rc_role from process */
00339 i_tid.process = caller_pid;
00340 if ((err=rsbac_get_attr(RC,
00341 T_PROCESS,
00342 i_tid,
00343 A_rc_role,
00344 &i_attr_val1,
00345 FALSE)))
00346 {
00347 rsbac_ds_get_error("rsbac_rc_check_type_comp", A_rc_role);
00348 return(NOT_GRANTED);
00349 }
00350 switch(target)
00351 {
00352 case T_FILE:
00353 case T_DIR:
00354 case T_FIFO:
00355 case T_SYMLINK:
00356 case T_FD:
00357 i_rc_item = RI_type_comp_fd;
00358 break;
00359 case T_DEV:
00360 i_rc_item = RI_type_comp_dev;
00361 break;
00362 case T_USER:
00363 i_rc_item = RI_type_comp_user;
00364 break;
00365 case T_PROCESS:
00366 i_rc_item = RI_type_comp_process;
00367 break;
00368 case T_IPC:
00369 i_rc_item = RI_type_comp_ipc;
00370 break;
00371 #if defined(CONFIG_RSBAC_RC_UM_PROT)
00372 case T_GROUP:
00373 i_rc_item = RI_type_comp_group;
00374 break;
00375 #endif
00376 #if defined(CONFIG_RSBAC_RC_NET_DEV_PROT)
00377 case T_NETDEV:
00378 i_rc_item = RI_type_comp_netdev;
00379 break;
00380 #endif
00381 #if defined(CONFIG_RSBAC_RC_NET_OBJ_PROT)
00382 case T_NETTEMP:
00383 i_rc_item = RI_type_comp_nettemp;
00384 break;
00385 case T_NETOBJ:
00386 i_rc_item = RI_type_comp_netobj;
00387 break;
00388 #endif
00389
00390 default:
00391 rsbac_printk(KERN_WARNING "rsbac_rc_check_type_comp(): invalid target %i!\n",target);
00392 return(NOT_GRANTED);
00393 }
00394 /* check type_comp_xxx of role */
00395 i_rc_subtid.type = type;
00396 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00397 i_rc_subtid,
00398 i_rc_item,
00399 request))
00400 return(GRANTED);
00401 else
00402 {
00403 #ifdef CONFIG_RSBAC_DEBUG
00404 if(rsbac_debug_adf_rc)
00405 {
00406 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00407
00408 if(tmp)
00409 {
00410 rsbac_printk(KERN_DEBUG "rsbac_rc_check_type_comp(): rc_role is %i, rc_type is %i, request is %s -> NOT_GRANTED!\n",
00411 i_attr_val1.rc_role, type, get_rc_special_right_name(tmp, request));
00412 rsbac_kfree(tmp);
00413 }
00414 }
00415 #endif
00416 return(NOT_GRANTED);
00417 }
00418 }
|
|
|
Definition at line 1364 of file rc_syscalls.c. References A_rc_role, rsbac_target_id_t::process, RC, rsbac_attribute_value_t::rc_role, RI_role_comp, rsbac_rc_target_id_t::role, RSBAC_EWRITEFAILED, rsbac_get_attr, rsbac_printk(), rsbac_rc_check_comp(), rsbac_set_attr, T_PROCESS, and TRUE. Referenced by sys_rsbac_rc_change_role(). 01365 {
01366 union rsbac_target_id_t i_tid;
01367 union rsbac_attribute_value_t i_attr_val1;
01368 #if !defined(CONFIG_RSBAC_MAINT)
01369 #ifdef CONFIG_RSBAC_SWITCH_RC
01370 if(rsbac_switch_rc)
01371 #endif
01372 {
01373 int err;
01374 union rsbac_rc_target_id_t i_rc_subtid;
01375
01376 i_tid.process = current->pid;
01377 /* get rc_role of process */
01378 if ((err=rsbac_get_attr(RC,
01379 T_PROCESS,
01380 i_tid,
01381 A_rc_role,
01382 &i_attr_val1,
01383 TRUE)))
01384 {
01385 rsbac_printk(KERN_WARNING
01386 "rsbac_rc_sys_change_role(): rsbac_get_attr() returned error %i!\n",err);
01387 return err;
01388 }
01389
01390 /* check role_comp of role */
01391 i_rc_subtid.role = role;
01392 if (!rsbac_rc_check_comp(i_attr_val1.rc_role,
01393 i_rc_subtid,
01394 RI_role_comp,
01395 0))
01396 {
01397 rsbac_uid_t user;
01398
01399 if(!rsbac_get_owner(&user))
01400 {
01401 rsbac_printk(KERN_INFO
01402 "rsbac_rc_sys_change role(): changing from role %u to %u denied for pid %u, user %u, role %u - roles not compatible!\n",
01403 i_attr_val1.rc_role,
01404 role,
01405 i_tid.process,
01406 user,
01407 i_attr_val1.rc_role);
01408 }
01409 #ifdef CONFIG_RSBAC_SOFTMODE
01410 if( !rsbac_softmode
01411 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01412 && !rsbac_ind_softmode[RC]
01413 #endif
01414 )
01415 #endif
01416 return -EPERM;
01417 }
01418 }
01419 #endif /* !MAINT */
01420
01421 /* OK, check passed. Set role. */
01422 i_tid.process = current->pid;
01423 i_attr_val1.rc_role = role;
01424 if (rsbac_set_attr(RC, T_PROCESS,
01425 i_tid,
01426 A_rc_role,
01427 i_attr_val1))
01428 { /* failed! */
01429 rsbac_printk(KERN_WARNING "rsbac_rc_sys_change_role(): rsbac_set_attr() returned error!\n");
01430 return(-RSBAC_EWRITEFAILED);
01431 }
01432 /* Ready. */
01433 return(0);
01434 }
|
|
||||||||||||||||
|
Definition at line 54 of file rc_syscalls.c. References RC, rsbac_printk(), rsbac_rc_copy_role(), rsbac_rc_role_exists(), rsbac_rc_test_admin_roles(), rsbac_rc_test_role_admin(), and TRUE. Referenced by sys_rsbac_rc_copy_role(). 00058 {
00059 #if !defined(CONFIG_RSBAC_MAINT)
00060 #ifdef CONFIG_RSBAC_SWITCH_RC
00061 if(rsbac_switch_rc)
00062 #endif
00063 {
00064 int err;
00065 /* source role must be in admin roles or caller must be role_admin */
00066 if ( (err=rsbac_rc_test_admin_roles(from_role, TRUE))
00067 && rsbac_rc_test_role_admin(TRUE)
00068 )
00069 {
00070 if(err == -EPERM)
00071 {
00072 rsbac_uid_t user;
00073
00074 if(!rsbac_get_owner(&user))
00075 {
00076 rsbac_printk(KERN_INFO
00077 "rsbac_rc_sys_copy_role(): copying of role %u denied for pid %u, user %u - not in admin_roles!\n",
00078 from_role,
00079 current->pid,
00080 user);
00081 }
00082 #ifdef CONFIG_RSBAC_SOFTMODE
00083 if( !rsbac_softmode
00084 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00085 && !rsbac_ind_softmode[RC]
00086 #endif
00087 )
00088 #endif
00089 return err;
00090 }
00091 else
00092 return err;
00093 }
00094 /* only role_admins may copy to existing targets */
00095 if ( rsbac_rc_role_exists(ta_number, to_role)
00096 && rsbac_rc_test_role_admin(TRUE)
00097 )
00098 {
00099 rsbac_uid_t user;
00100
00101 if(!rsbac_get_owner(&user))
00102 {
00103 rsbac_printk(KERN_INFO
00104 "rsbac_rc_sys_copy_role(): overwriting of existing role %u denied for pid %u, user %u - no role_admin!\n",
00105 to_role,
00106 current->pid,
00107 user);
00108 }
00109 #ifdef CONFIG_RSBAC_SOFTMODE
00110 if( !rsbac_softmode
00111 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00112 && !rsbac_ind_softmode[RC]
00113 #endif
00114 )
00115 #endif
00116 return -EPERM;
00117 }
00118 }
00119 #endif /* !MAINT */
00120
00121 /* pass on */
00122 return(rsbac_rc_copy_role(ta_number, from_role, to_role));
00123 }
|
|
||||||||||||||||||||
|
Definition at line 126 of file rc_syscalls.c. References FALSE, get_target_name_only(), GRANTED, RC, RCR_ADMIN, RSBAC_EINVALIDTARGET, rsbac_kfree(), rsbac_kmalloc(), RSBAC_MAXNAMELEN, rsbac_printk(), rsbac_rc_check_type_comp(), rsbac_rc_copy_type(), rsbac_rc_test_role_admin(), rsbac_rc_type_exists(), T_DEV, T_DIR, T_FD, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SYMLINK, T_USER, and TRUE. Referenced by sys_rsbac_rc_copy_type(). 00131 {
00132 #if !defined(CONFIG_RSBAC_MAINT)
00133 #ifdef CONFIG_RSBAC_SWITCH_RC
00134 if(rsbac_switch_rc)
00135 #endif
00136 {
00137 int err;
00138
00139 switch(target)
00140 {
00141 case T_FILE:
00142 case T_DIR:
00143 case T_FIFO:
00144 case T_SYMLINK:
00145 target = T_FD;
00146 break;
00147 case T_FD:
00148 case T_DEV:
00149 case T_USER:
00150 case T_PROCESS:
00151 case T_IPC:
00152 case T_GROUP:
00153 case T_NETDEV:
00154 case T_NETTEMP:
00155 case T_NETOBJ:
00156 break;
00157
00158 default:
00159 return -RSBAC_EINVALIDTARGET;
00160 }
00161 /* need ADMIN right to source type or caller must be role_admin */
00162 if( (rsbac_rc_check_type_comp(target, from_type, RCR_ADMIN, 0) != GRANTED)
00163 && (err=rsbac_rc_test_role_admin(FALSE))
00164 )
00165 {
00166 if(err == -EPERM)
00167 {
00168 rsbac_uid_t user;
00169
00170 if(!rsbac_get_owner(&user))
00171 {
00172 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00173
00174 if(tmp)
00175 {
00176 rsbac_printk(KERN_INFO
00177 "rsbac_rc_sys_copy_type(): copying of %s type %u denied for pid %u, user %u - not in admin_roles!\n",
00178 get_target_name_only(tmp, target),
00179 from_type,
00180 current->pid,
00181 user);
00182 rsbac_kfree(tmp);
00183 }
00184 }
00185 #ifdef CONFIG_RSBAC_SOFTMODE
00186 if( !rsbac_softmode
00187 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00188 && !rsbac_ind_softmode[RC]
00189 #endif
00190 )
00191 #endif
00192 return err;
00193 }
00194 else
00195 return err;
00196 }
00197 /* only role_admins may copy to existing targets */
00198 if ( rsbac_rc_type_exists(ta_number, target, to_type)
00199 && rsbac_rc_test_role_admin(TRUE)
00200 )
00201 {
00202 rsbac_uid_t user;
00203
00204 if(!rsbac_get_owner(&user))
00205 {
00206 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00207
00208 if(tmp)
00209 {
00210 rsbac_printk(KERN_INFO
00211 "rsbac_rc_sys_copy_type(): overwriting of existing %s type %u denied for pid %u, user %u - no role_admin!\n",
00212 get_target_name_only(tmp, target),
00213 to_type,
00214 current->pid,
00215 user);
00216 rsbac_kfree(tmp);
00217 }
00218 }
00219 #ifdef CONFIG_RSBAC_SOFTMODE
00220 if( !rsbac_softmode
00221 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00222 && !rsbac_ind_softmode[RC]
00223 #endif
00224 )
00225 #endif
00226 return -EPERM;
00227 }
00228 }
00229 #endif /* !MAINT */
00230
00231 /* pass on */
00232 return(rsbac_rc_copy_type(ta_number, target, from_type, to_type));
00233 }
|
|
|
Definition at line 1552 of file rc_syscalls.c. References A_rc_role, rsbac_target_id_t::process, RC, rsbac_attribute_value_t::rc_role, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_printk(), T_PROCESS, and TRUE. Referenced by sys_rsbac_rc_get_current_role(). 01553 {
01554 union rsbac_target_id_t i_tid;
01555 union rsbac_attribute_value_t i_attr_val1;
01556 int err;
01557
01558 /* get rc_role of process */
01559 i_tid.process = current->pid;
01560 if ((err=rsbac_get_attr(RC, T_PROCESS,
01561 i_tid,
01562 A_rc_role,
01563 &i_attr_val1,
01564 TRUE)))
01565 {
01566 rsbac_printk(KERN_WARNING
01567 "rsbac_rc_sys_get_current_role(): rsbac_get_attr() returned error %i!\n",err);
01568 return -RSBAC_EREADFAILED;
01569 }
01570 *role_p = i_attr_val1.rc_role;
01571 /* Ready. */
01572 return(0);
01573 }
|
|
||||||||||||||||||||||||
|
Definition at line 1437 of file rc_syscalls.c. References A_none, A_rc_role, A_rc_type, A_rc_type_fd, A_rc_type_nt, rsbac_target_id_t::process, RC, rsbac_attribute_value_t::rc_role, rsbac_attribute_value_t::rc_type, RI_type_comp_dev, RI_type_comp_fd, RI_type_comp_group, RI_type_comp_ipc, RI_type_comp_netdev, RI_type_comp_netobj, RI_type_comp_nettemp, RI_type_comp_process, RI_type_comp_scd, rsbac_rc_item_value_t::rights, rsbac_rc_target_id_t::role, RSBAC_EINVALIDTARGET, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_printk(), rsbac_rc_get_item(), RST_none, RT_ROLE, rsbac_target_id_t::scd, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SCD, T_SYMLINK, TRUE, and rsbac_rc_target_id_t::type. Referenced by sys_rsbac_rc_get_eff_rights_n(). 01443 {
01444 union rsbac_target_id_t i_tid;
01445 enum rsbac_attribute_t i_attr = A_none;
01446 union rsbac_attribute_value_t i_attr_val1;
01447 union rsbac_attribute_value_t i_attr_val2;
01448 int err;
01449 enum rsbac_rc_item_t i_rc_item;
01450 union rsbac_rc_target_id_t i_rc_tid;
01451 union rsbac_rc_target_id_t i_rc_subtid;
01452 union rsbac_rc_item_value_t i_rc_item_val1;
01453
01454 i_tid.process = current->pid;
01455 /* get rc_role of process */
01456 if ((err=rsbac_get_attr(RC, T_PROCESS,
01457 i_tid,
01458 A_rc_role,
01459 &i_attr_val1,
01460 TRUE)))
01461 {
01462 rsbac_printk(KERN_WARNING
01463 "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err);
01464 return -RSBAC_EREADFAILED;
01465 }
01466
01467 switch(target)
01468 {
01469 case T_FILE:
01470 case T_DIR:
01471 case T_FIFO:
01472 case T_SYMLINK:
01473 i_attr = A_rc_type_fd;
01474 i_rc_item = RI_type_comp_fd;
01475 break;
01476 case T_DEV:
01477 i_attr = A_rc_type;
01478 i_rc_item = RI_type_comp_dev;
01479 break;
01480 case T_IPC:
01481 i_attr = A_rc_type;
01482 i_rc_item = RI_type_comp_ipc;
01483 break;
01484 case T_PROCESS:
01485 i_attr = A_rc_type;
01486 i_rc_item = RI_type_comp_process;
01487 break;
01488 case T_SCD: /* special case! */
01489 if(tid.scd >= RST_none)
01490 return -RSBAC_EINVALIDTARGET;
01491 i_rc_item = RI_type_comp_scd;
01492 break;
01493 case T_GROUP:
01494 i_attr = A_rc_type;
01495 i_rc_item = RI_type_comp_group;
01496 break;
01497 case T_NETDEV:
01498 i_attr = A_rc_type;
01499 i_rc_item = RI_type_comp_netdev;
01500 break;
01501 case T_NETTEMP:
01502 i_attr = A_rc_type_nt;
01503 i_rc_item = RI_type_comp_nettemp;
01504 break;
01505 case T_NETOBJ:
01506 i_attr = A_rc_type;
01507 i_rc_item = RI_type_comp_netobj;
01508 break;
01509 default:
01510 return -RSBAC_EINVALIDTARGET;
01511 }
01512 /* get rc_type of target */
01513 if(target == T_SCD)
01514 {
01515 i_attr_val2.rc_type = tid.scd;
01516 }
01517 else
01518 {
01519 if ((err=rsbac_get_attr(RC,
01520 target,
01521 tid,
01522 i_attr,
01523 &i_attr_val2,
01524 TRUE)))
01525 {
01526 rsbac_printk(KERN_WARNING
01527 "rsbac_rc_sys_get_eff_rights(): rsbac_get_attr() returned error %i!\n",err);
01528 return -RSBAC_EREADFAILED;
01529 }
01530 }
01531 /* get type_comp_xxx of role for type and target */
01532 i_rc_tid.role = i_attr_val1.rc_role;
01533 i_rc_subtid.type = i_attr_val2.rc_type;
01534 if ((err=rsbac_rc_get_item(ta_number,
01535 RT_ROLE,
01536 i_rc_tid,
01537 i_rc_subtid,
01538 i_rc_item,
01539 &i_rc_item_val1,
01540 ttl_p)))
01541 {
01542 rsbac_printk(KERN_WARNING
01543 "rsbac_rc_sys_get_eff_rights(): rsbac_rc_get_item() returned error %i!\n",err);
01544 return -RSBAC_EREADFAILED;
01545 }
01546 /* extract value */
01547 *request_vector = i_rc_item_val1.rights;
01548 /* Ready. */
01549 return(0);
01550 }
|
|
||||||||||||||||||||||||||||||||
|
Definition at line 236 of file rc_syscalls.c. References FALSE, RC, RCR_ADMIN, RI_name, RI_type_dev_name, RI_type_fd_name, RI_type_fd_need_secdel, RI_type_group_name, RI_type_ipc_name, RI_type_netdev_name, RI_type_netobj_name, RI_type_nettemp_name, RI_type_process_name, RI_type_scd_name, RI_type_user_name, rsbac_rc_target_id_t::role, RSBAC_EINVALIDATTR, RSBAC_EINVALIDTARGET, rsbac_printk(), rsbac_rc_check_type_comp(), rsbac_rc_get_item(), rsbac_rc_test_admin_roles(), rsbac_rc_test_role_admin(), RT_ROLE, RT_TYPE, T_FILE, and rsbac_rc_target_id_t::type. Referenced by sys_rsbac_rc_get_item(). 00244 {
00245 #if !defined(CONFIG_RSBAC_MAINT)
00246 #ifdef CONFIG_RSBAC_SWITCH_RC
00247 if(rsbac_switch_rc)
00248 #endif
00249 {
00250 int err;
00251
00252 switch(item)
00253 {
00254 case RI_name:
00255 case RI_type_fd_name:
00256 case RI_type_dev_name:
00257 case RI_type_ipc_name:
00258 case RI_type_user_name:
00259 case RI_type_process_name:
00260 case RI_type_scd_name:
00261 case RI_type_group_name:
00262 case RI_type_netdev_name:
00263 case RI_type_nettemp_name:
00264 case RI_type_netobj_name:
00265 /* getting names is always allowed */
00266 break;
00267
00268 case RI_type_fd_need_secdel:
00269 if(target != RT_TYPE)
00270 return -RSBAC_EINVALIDTARGET;
00271 if( (err=rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0))
00272 && (err=rsbac_rc_test_role_admin(FALSE))
00273 )
00274 {
00275 if(err == -EPERM)
00276 {
00277 rsbac_uid_t user;
00278
00279 if(!rsbac_get_owner(&user))
00280 {
00281 rsbac_printk(KERN_INFO
00282 "rsbac_rc_sys_get_item(): reading fd_need_secdel of type %u denied for pid %u, user %u - no ADMIN right!\n",
00283 tid.type,
00284 current->pid,
00285 user);
00286 }
00287 #ifdef CONFIG_RSBAC_SOFTMODE
00288 if( !rsbac_softmode
00289 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00290 && !rsbac_ind_softmode[RC]
00291 #endif
00292 )
00293 #endif
00294 return err;
00295 }
00296 else
00297 return err;
00298 }
00299 break;
00300
00301 default:
00302 if(target != RT_ROLE)
00303 return -RSBAC_EINVALIDATTR;
00304 /* test admin_roles or admin_type of process' role / no modify */
00305 if ( (err=rsbac_rc_test_admin_roles(tid.role, FALSE))
00306 && (err=rsbac_rc_test_role_admin(FALSE))
00307 )
00308 {
00309 if(err == -EPERM)
00310 {
00311 rsbac_uid_t user;
00312
00313 if(!rsbac_get_owner(&user))
00314 {
00315 rsbac_printk(KERN_INFO
00316 "rsbac_rc_sys_get_item(): getting item of role %u denied for pid %u, user %u - not in admin_roles!\n",
00317 tid.role,
00318 current->pid,
00319 user);
00320 }
00321 #ifdef CONFIG_RSBAC_SOFTMODE
00322 if( !rsbac_softmode
00323 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00324 && !rsbac_ind_softmode[RC]
00325 #endif
00326 )
00327 #endif
00328 return err;
00329 }
00330 else
00331 return err;
00332 }
00333 }
00334 }
00335 #endif /* !MAINT */
00336
00337 /* pass on */
00338 return(rsbac_rc_get_item(ta_number,target, tid, subtid, item, value_p, ttl_p));
00339 };
|
|
||||||||||||||||||||||||||||||||
|
Definition at line 342 of file rc_syscalls.c. References A_rc_role, get_rc_item_name(), NOT_GRANTED, NULL, rsbac_target_id_t::process, R_NONE, RC, rsbac_attribute_value_t::rc_role, RCR_ACCESS_CONTROL, RCR_ADMIN, RCR_ASSIGN, RCR_SUPERVISOR, RI_admin_roles, RI_admin_type, RI_assign_roles, RI_boot_role, RI_def_fd_create_type, RI_def_fd_ind_create_type, RI_def_fd_ind_create_type_remove, RI_def_group_create_type, RI_def_ipc_create_type, RI_def_process_chown_type, RI_def_process_create_type, RI_def_process_execute_type, RI_def_user_create_type, RI_name, RI_remove_role, RI_role_comp, RI_type_comp_dev, RI_type_comp_fd, RI_type_comp_group, RI_type_comp_ipc, RI_type_comp_netdev, RI_type_comp_netobj, RI_type_comp_nettemp, RI_type_comp_process, RI_type_comp_scd, RI_type_comp_user, RI_type_dev_name, RI_type_dev_remove, RI_type_fd_name, RI_type_fd_need_secdel, RI_type_fd_remove, RI_type_group_name, RI_type_group_remove, RI_type_ipc_name, RI_type_ipc_remove, RI_type_netdev_name, RI_type_netdev_remove, RI_type_netobj_name, RI_type_netobj_remove, RI_type_nettemp_name, RI_type_nettemp_remove, RI_type_process_name, RI_type_process_remove, RI_type_scd_name, RI_type_user_name, RI_type_user_remove, rsbac_rc_item_value_t::rights, rsbac_rc_target_id_t::role, RSBAC_ALL_REQUEST_VECTOR, RSBAC_EINVALIDATTR, RSBAC_EINVALIDTARGET, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_printk(), rsbac_rc_check_comp(), rsbac_rc_check_type_comp(), rsbac_rc_get_item(), RSBAC_RC_RIGHTS_VECTOR, rsbac_rc_set_item(), RSBAC_RC_SPECIAL_RIGHTS_VECTOR, rsbac_rc_test_admin_roles(), rsbac_rc_test_role_admin(), RT_ROLE, RT_TYPE, T_DEV, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_PROCESS, T_SCD, T_USER, TRUE, rsbac_rc_target_id_t::type, rsbac_rc_item_value_t::type_id, and UNDEFINED. Referenced by sys_rsbac_rc_set_item(). 00350 {
00351 #if !defined(CONFIG_RSBAC_MAINT)
00352 #ifdef CONFIG_RSBAC_SWITCH_RC
00353 if(rsbac_switch_rc)
00354 #endif
00355 {
00356 int err;
00357
00358 switch(item)
00359 {
00360 /* type targets */
00361 case RI_type_fd_name:
00362 case RI_type_fd_need_secdel:
00363 case RI_type_fd_remove:
00364 if(target != RT_TYPE)
00365 return -RSBAC_EINVALIDTARGET;
00366 if( (rsbac_rc_check_type_comp(T_FILE, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00367 && (err=rsbac_rc_test_role_admin(TRUE))
00368 )
00369 {
00370 if(err == -EPERM)
00371 {
00372 rsbac_uid_t user;
00373 char tmp[80];
00374
00375 if(!rsbac_get_owner(&user))
00376 {
00377 rsbac_printk(KERN_INFO
00378 "rsbac_rc_sys_set_item(): changing %s of FD type %u denied for pid %u, user %u - no ADMIN right!\n",
00379 get_rc_item_name(tmp, item),
00380 tid.type,
00381 current->pid,
00382 user);
00383 }
00384 #ifdef CONFIG_RSBAC_SOFTMODE
00385 if( !rsbac_softmode
00386 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00387 && !rsbac_ind_softmode[RC]
00388 #endif
00389 )
00390 #endif
00391 return err;
00392 }
00393 else
00394 return err;
00395 }
00396 break;
00397 case RI_type_dev_name:
00398 case RI_type_dev_remove:
00399 if(target != RT_TYPE)
00400 return -RSBAC_EINVALIDTARGET;
00401 if( (rsbac_rc_check_type_comp(T_DEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00402 && (err=rsbac_rc_test_role_admin(TRUE))
00403 )
00404 {
00405 if(err == -EPERM)
00406 {
00407 rsbac_uid_t user;
00408
00409 if(!rsbac_get_owner(&user))
00410 {
00411 rsbac_printk(KERN_INFO
00412 "rsbac_rc_sys_set_item(): changing name or removing of DEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00413 tid.type,
00414 current->pid,
00415 user);
00416 }
00417 #ifdef CONFIG_RSBAC_SOFTMODE
00418 if( !rsbac_softmode
00419 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00420 && !rsbac_ind_softmode[RC]
00421 #endif
00422 )
00423 #endif
00424 return err;
00425 }
00426 else
00427 return err;
00428 }
00429 break;
00430 case RI_type_ipc_name:
00431 case RI_type_ipc_remove:
00432 if(target != RT_TYPE)
00433 return -RSBAC_EINVALIDTARGET;
00434 if( (rsbac_rc_check_type_comp(T_IPC, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00435 && (err=rsbac_rc_test_role_admin(TRUE))
00436 )
00437 {
00438 if(err == -EPERM)
00439 {
00440 rsbac_uid_t user;
00441
00442 if(!rsbac_get_owner(&user))
00443 {
00444 rsbac_printk(KERN_INFO
00445 "rsbac_rc_sys_set_item(): changing name or removing of IPC type %u denied for pid %u, user %u - no ADMIN right!\n",
00446 tid.type,
00447 current->pid,
00448 user);
00449 }
00450 #ifdef CONFIG_RSBAC_SOFTMODE
00451 if( !rsbac_softmode
00452 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00453 && !rsbac_ind_softmode[RC]
00454 #endif
00455 )
00456 #endif
00457 return err;
00458 }
00459 else
00460 return err;
00461 }
00462 break;
00463 case RI_type_user_name:
00464 case RI_type_user_remove:
00465 if(target != RT_TYPE)
00466 return -RSBAC_EINVALIDTARGET;
00467 if( (rsbac_rc_check_type_comp(T_USER, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00468 && (err=rsbac_rc_test_role_admin(TRUE))
00469 )
00470 {
00471 if(err == -EPERM)
00472 {
00473 rsbac_uid_t user;
00474
00475 if(!rsbac_get_owner(&user))
00476 {
00477 rsbac_printk(KERN_INFO
00478 "rsbac_rc_sys_set_item(): changing name or removing of USER type %u denied for pid %u, user %u - no ADMIN right!\n",
00479 tid.type,
00480 current->pid,
00481 user);
00482 }
00483 #ifdef CONFIG_RSBAC_SOFTMODE
00484 if( !rsbac_softmode
00485 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00486 && !rsbac_ind_softmode[RC]
00487 #endif
00488 )
00489 #endif
00490 return err;
00491 }
00492 else
00493 return err;
00494 }
00495 break;
00496 case RI_type_process_name:
00497 case RI_type_process_remove:
00498 if(target != RT_TYPE)
00499 return -RSBAC_EINVALIDTARGET;
00500 if( (rsbac_rc_check_type_comp(T_PROCESS, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00501 && (err=rsbac_rc_test_role_admin(TRUE))
00502 )
00503 {
00504 if(err == -EPERM)
00505 {
00506 rsbac_uid_t user;
00507
00508 if(!rsbac_get_owner(&user))
00509 {
00510 rsbac_printk(KERN_INFO
00511 "rsbac_rc_sys_set_item(): changing name or removing of process type %u denied for pid %u, user %u - no ADMIN right!\n",
00512 tid.type,
00513 current->pid,
00514 user);
00515 }
00516 #ifdef CONFIG_RSBAC_SOFTMODE
00517 if( !rsbac_softmode
00518 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00519 && !rsbac_ind_softmode[RC]
00520 #endif
00521 )
00522 #endif
00523 return err;
00524 }
00525 else
00526 return err;
00527 }
00528 break;
00529 case RI_type_scd_name:
00530 if(target != RT_TYPE)
00531 return -RSBAC_EINVALIDTARGET;
00532 if( (rsbac_rc_check_type_comp(T_SCD, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00533 && (err=rsbac_rc_test_role_admin(TRUE))
00534 )
00535 {
00536 if(err == -EPERM)
00537 {
00538 rsbac_uid_t user;
00539
00540 if(!rsbac_get_owner(&user))
00541 {
00542 rsbac_printk(KERN_INFO
00543 "rsbac_rc_sys_set_item(): changing name or removing of SCD type %u denied for pid %u, user %u - no ADMIN right!\n",
00544 tid.type,
00545 current->pid,
00546 user);
00547 }
00548 #ifdef CONFIG_RSBAC_SOFTMODE
00549 if( !rsbac_softmode
00550 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00551 && !rsbac_ind_softmode[RC]
00552 #endif
00553 )
00554 #endif
00555 return err;
00556 }
00557 else
00558 return err;
00559 }
00560 break;
00561 case RI_type_group_name:
00562 case RI_type_group_remove:
00563 if(target != RT_TYPE)
00564 return -RSBAC_EINVALIDTARGET;
00565 if( (rsbac_rc_check_type_comp(T_GROUP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00566 && (err=rsbac_rc_test_role_admin(TRUE))
00567 )
00568 {
00569 if(err == -EPERM)
00570 {
00571 rsbac_uid_t user;
00572
00573 if(!rsbac_get_owner(&user))
00574 {
00575 rsbac_printk(KERN_INFO
00576 "rsbac_rc_sys_set_item(): changing name or removing of GROUP type %u denied for pid %u, user %u - no ADMIN right!\n",
00577 tid.type,
00578 current->pid,
00579 user);
00580 }
00581 #ifdef CONFIG_RSBAC_SOFTMODE
00582 if( !rsbac_softmode
00583 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00584 && !rsbac_ind_softmode[RC]
00585 #endif
00586 )
00587 #endif
00588 return err;
00589 }
00590 else
00591 return err;
00592 }
00593 break;
00594 case RI_type_netdev_name:
00595 case RI_type_netdev_remove:
00596 if(target != RT_TYPE)
00597 return -RSBAC_EINVALIDTARGET;
00598 if( (rsbac_rc_check_type_comp(T_NETDEV, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00599 && (err=rsbac_rc_test_role_admin(TRUE))
00600 )
00601 {
00602 if(err == -EPERM)
00603 {
00604 rsbac_uid_t user;
00605
00606 if(!rsbac_get_owner(&user))
00607 {
00608 rsbac_printk(KERN_INFO
00609 "rsbac_rc_sys_set_item(): changing name or removing of NETDEV type %u denied for pid %u, user %u - no ADMIN right!\n",
00610 tid.type,
00611 current->pid,
00612 user);
00613 }
00614 #ifdef CONFIG_RSBAC_SOFTMODE
00615 if( !rsbac_softmode
00616 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00617 && !rsbac_ind_softmode[RC]
00618 #endif
00619 )
00620 #endif
00621 return err;
00622 }
00623 else
00624 return err;
00625 }
00626 break;
00627 case RI_type_nettemp_name:
00628 case RI_type_nettemp_remove:
00629 if(target != RT_TYPE)
00630 return -RSBAC_EINVALIDTARGET;
00631 if( (rsbac_rc_check_type_comp(T_NETTEMP, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00632 && (err=rsbac_rc_test_role_admin(TRUE))
00633 )
00634 {
00635 if(err == -EPERM)
00636 {
00637 rsbac_uid_t user;
00638
00639 if(!rsbac_get_owner(&user))
00640 {
00641 rsbac_printk(KERN_INFO
00642 "rsbac_rc_sys_set_item(): changing name or removing of NETTEMP type %u denied for pid %u, user %u - no ADMIN right!\n",
00643 tid.type,
00644 current->pid,
00645 user);
00646 }
00647 #ifdef CONFIG_RSBAC_SOFTMODE
00648 if( !rsbac_softmode
00649 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00650 && !rsbac_ind_softmode[RC]
00651 #endif
00652 )
00653 #endif
00654 return err;
00655 }
00656 else
00657 return err;
00658 }
00659 break;
00660 case RI_type_netobj_name:
00661 case RI_type_netobj_remove:
00662 if(target != RT_TYPE)
00663 return -RSBAC_EINVALIDTARGET;
00664 if( (rsbac_rc_check_type_comp(T_NETOBJ, tid.type, RCR_ADMIN, 0) == NOT_GRANTED)
00665 && (err=rsbac_rc_test_role_admin(TRUE))
00666 )
00667 {
00668 if(err == -EPERM)
00669 {
00670 rsbac_uid_t user;
00671
00672 if(!rsbac_get_owner(&user))
00673 {
00674 rsbac_printk(KERN_INFO
00675 "rsbac_rc_sys_set_item(): changing name or removing of NETOBJ type %u denied for pid %u, user %u - no ADMIN right!\n",
00676 tid.type,
00677 current->pid,
00678 user);
00679 }
00680 #ifdef CONFIG_RSBAC_SOFTMODE
00681 if( !rsbac_softmode
00682 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00683 && !rsbac_ind_softmode[RC]
00684 #endif
00685 )
00686 #endif
00687 return err;
00688 }
00689 else
00690 return err;
00691 }
00692 break;
00693
00694 /* roles only from here */
00695 case RI_role_comp:
00696 /* need admin for this role, assign for changed compatible roles */
00697 {
00698 union rsbac_target_id_t i_tid;
00699 union rsbac_attribute_value_t i_attr_val1;
00700
00701 if(target != RT_ROLE)
00702 return -RSBAC_EINVALIDATTR;
00703 if(!rsbac_rc_test_role_admin(TRUE))
00704 break;
00705 /* test admin_role of process / modify */
00706 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE)))
00707 {
00708 if(err == -EPERM)
00709 {
00710 rsbac_uid_t user;
00711
00712 if(!rsbac_get_owner(&user))
00713 {
00714 rsbac_printk(KERN_INFO
00715 "rsbac_rc_sys_set_item(): changing role_comp of role %u denied for pid %u, user %u - not in admin_roles!\n",
00716 tid.role,
00717 current->pid,
00718 user);
00719 }
00720 #ifdef CONFIG_RSBAC_SOFTMODE
00721 if( !rsbac_softmode
00722 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00723 && !rsbac_ind_softmode[RC]
00724 #endif
00725 )
00726 #endif
00727 return err;
00728 }
00729 else
00730 return err;
00731 }
00732 /* now check assign for changed comp role. */
00733 /* get rc_role of process */
00734 i_tid.process = current->pid;
00735 if ((err=rsbac_get_attr(RC, T_PROCESS,
00736 i_tid,
00737 A_rc_role,
00738 &i_attr_val1,
00739 TRUE)))
00740 {
00741 rsbac_ds_get_error("rsbac_rc_sys_set_item()", A_rc_role);
00742 return -RSBAC_EREADFAILED;
00743 }
00744 /* check assign_roles of role */
00745 if (!rsbac_rc_check_comp(i_attr_val1.rc_role,
00746 tid,
00747 RI_assign_roles,
00748 R_NONE))
00749 {
00750 rsbac_uid_t user;
00751 if(!rsbac_get_owner(&user))
00752 {
00753 rsbac_printk(KERN_INFO
00754 "rsbac_rc_sys_set_item(): changing role_comp for role %u denied for user %u, role %u - not in assign_roles!\n",
00755 tid.role,
00756 user,
00757 i_attr_val1.rc_role);
00758 }
00759 #ifdef CONFIG_RSBAC_SOFTMODE
00760 if( !rsbac_softmode
00761 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00762 && !rsbac_ind_softmode[RC]
00763 #endif
00764 )
00765 #endif
00766 return -EPERM;
00767 }
00768 }
00769 break;
00770
00771 case RI_admin_type:
00772 case RI_admin_roles:
00773 case RI_assign_roles:
00774 case RI_boot_role:
00775 /* admin_type role_admin */
00776 if((err=rsbac_rc_test_role_admin(TRUE)))
00777 {
00778 if(err == -EPERM)
00779 {
00780 rsbac_uid_t user;
00781 char tmp[80];
00782
00783 if(!rsbac_get_owner(&user))
00784 {
00785 rsbac_printk(KERN_INFO
00786 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - no Role Admin!\n",
00787 get_rc_item_name(tmp, item),
00788 tid.role,
00789 current->pid,
00790 user);
00791 }
00792 #ifdef CONFIG_RSBAC_SOFTMODE
00793 if( !rsbac_softmode
00794 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00795 && !rsbac_ind_softmode[RC]
00796 #endif
00797 )
00798 #endif
00799 return err;
00800 }
00801 else
00802 return err;
00803 }
00804 break;
00805 case RI_name:
00806 /* admin for this role */
00807 /* test admin_role of process / modify */
00808 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00809 && (err=rsbac_rc_test_role_admin(TRUE))
00810 )
00811 {
00812 if(err == -EPERM)
00813 {
00814 rsbac_uid_t user;
00815
00816 if(!rsbac_get_owner(&user))
00817 {
00818 rsbac_printk(KERN_INFO
00819 "rsbac_rc_sys_set_item(): changing name of role %u denied for pid %u, user %u - not in admin_roles!\n",
00820 tid.role,
00821 current->pid,
00822 user);
00823 }
00824 #ifdef CONFIG_RSBAC_SOFTMODE
00825 if( !rsbac_softmode
00826 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00827 && !rsbac_ind_softmode[RC]
00828 #endif
00829 )
00830 #endif
00831 return err;
00832 }
00833 else
00834 return err;
00835 }
00836 break;
00837
00838 case RI_remove_role:
00839 /* test admin_role of process role / modify */
00840 if((err=rsbac_rc_test_role_admin(TRUE)))
00841 {
00842 if(err == -EPERM)
00843 {
00844 rsbac_uid_t user;
00845
00846 if(!rsbac_get_owner(&user))
00847 {
00848 rsbac_printk(KERN_INFO
00849 "rsbac_rc_sys_set_item(): removing of role %u denied for pid %u, user %u - not in admin_roles!\n",
00850 tid.role,
00851 current->pid,
00852 user);
00853 }
00854 #ifdef CONFIG_RSBAC_SOFTMODE
00855 if( !rsbac_softmode
00856 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00857 && !rsbac_ind_softmode[RC]
00858 #endif
00859 )
00860 #endif
00861 return err;
00862 }
00863 else
00864 return err;
00865 }
00866 break;
00867
00868 case RI_def_fd_create_type:
00869 case RI_def_fd_ind_create_type:
00870 /* admin for this role and assign for target type */
00871 /* test admin_role of process / modify */
00872 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00873 && (err=rsbac_rc_test_role_admin(TRUE))
00874 )
00875 {
00876 if(err == -EPERM)
00877 {
00878 rsbac_uid_t user;
00879
00880 if(!rsbac_get_owner(&user))
00881 {
00882 rsbac_printk(KERN_INFO
00883 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00884 tid.role,
00885 current->pid,
00886 user);
00887 }
00888 #ifdef CONFIG_RSBAC_SOFTMODE
00889 if( !rsbac_softmode
00890 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00891 && !rsbac_ind_softmode[RC]
00892 #endif
00893 )
00894 #endif
00895 return err;
00896 }
00897 else
00898 return err;
00899 }
00900 else
00901 {
00902 enum rsbac_adf_req_ret_t result;
00903
00904 result = rsbac_rc_check_type_comp(T_FILE, value.type_id, RCR_ASSIGN, 0);
00905 if( ( (result == NOT_GRANTED)
00906 || (result == UNDEFINED)
00907 )
00908 && (err=rsbac_rc_test_role_admin(TRUE))
00909 )
00910 {
00911 rsbac_uid_t user;
00912
00913 if(!rsbac_get_owner(&user))
00914 {
00915 rsbac_printk(KERN_INFO
00916 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
00917 tid.role,
00918 value.type_id,
00919 user);
00920 }
00921 #ifdef CONFIG_RSBAC_SOFTMODE
00922 if( !rsbac_softmode
00923 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00924 && !rsbac_ind_softmode[RC]
00925 #endif
00926 )
00927 #endif
00928 return -EPERM;
00929 }
00930 }
00931 break;
00932
00933 case RI_def_fd_ind_create_type_remove:
00934 /* test admin_role of process / modify */
00935 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00936 && (err=rsbac_rc_test_role_admin(TRUE))
00937 )
00938 {
00939 if(err == -EPERM)
00940 {
00941 rsbac_uid_t user;
00942
00943 if(!rsbac_get_owner(&user))
00944 {
00945 rsbac_printk(KERN_INFO
00946 "rsbac_rc_sys_set_item(): changing def_fd_[ind_]create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00947 tid.role,
00948 current->pid,
00949 user);
00950 }
00951 #ifdef CONFIG_RSBAC_SOFTMODE
00952 if( !rsbac_softmode
00953 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00954 && !rsbac_ind_softmode[RC]
00955 #endif
00956 )
00957 #endif
00958 return err;
00959 }
00960 else
00961 return err;
00962 }
00963 break;
00964
00965 case RI_def_user_create_type:
00966 /* admin for this role and assign for target type */
00967 /* test admin_role of process / modify */
00968 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
00969 && (err=rsbac_rc_test_role_admin(TRUE))
00970 )
00971 {
00972 if(err == -EPERM)
00973 {
00974 rsbac_uid_t user;
00975
00976 if(!rsbac_get_owner(&user))
00977 {
00978 rsbac_printk(KERN_INFO
00979 "rsbac_rc_sys_set_item(): changing def_user_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
00980 tid.role,
00981 current->pid,
00982 user);
00983 }
00984 #ifdef CONFIG_RSBAC_SOFTMODE
00985 if( !rsbac_softmode
00986 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00987 && !rsbac_ind_softmode[RC]
00988 #endif
00989 )
00990 #endif
00991 return err;
00992 }
00993 else
00994 return err;
00995 }
00996 else
00997 {
00998 enum rsbac_adf_req_ret_t result;
00999
01000 result = rsbac_rc_check_type_comp(T_USER, value.type_id, RCR_ASSIGN, 0);
01001 if( ( (result == NOT_GRANTED)
01002 || (result == UNDEFINED)
01003 )
01004 && (err=rsbac_rc_test_role_admin(TRUE))
01005 )
01006 {
01007 rsbac_uid_t user;
01008
01009 if(!rsbac_get_owner(&user))
01010 {
01011 rsbac_printk(KERN_INFO
01012 "rsbac_rc_sys_set_item(): changing def_user_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01013 tid.role,
01014 value.type_id,
01015 user);
01016 }
01017 #ifdef CONFIG_RSBAC_SOFTMODE
01018 if( !rsbac_softmode
01019 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01020 && !rsbac_ind_softmode[RC]
01021 #endif
01022 )
01023 #endif
01024 return -EPERM;
01025 }
01026 }
01027 break;
01028
01029 case RI_def_process_create_type:
01030 case RI_def_process_chown_type:
01031 case RI_def_process_execute_type:
01032 /* admin for this role and assign for target type */
01033 /* test admin_role of process / modify */
01034 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01035 && (err=rsbac_rc_test_role_admin(TRUE))
01036 )
01037 {
01038 if(err == -EPERM)
01039 {
01040 rsbac_uid_t user;
01041 char tmp[80];
01042
01043 if(!rsbac_get_owner(&user))
01044 {
01045 rsbac_printk(KERN_INFO
01046 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01047 get_rc_item_name(tmp, item),
01048 tid.role,
01049 current->pid,
01050 user);
01051 }
01052 #ifdef CONFIG_RSBAC_SOFTMODE
01053 if( !rsbac_softmode
01054 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01055 && !rsbac_ind_softmode[RC]
01056 #endif
01057 )
01058 #endif
01059 return err;
01060 }
01061 else
01062 return err;
01063 }
01064 else
01065 {
01066 enum rsbac_adf_req_ret_t result;
01067
01068 result = rsbac_rc_check_type_comp(T_PROCESS, value.type_id, RCR_ASSIGN, 0);
01069 if( ( (result == NOT_GRANTED)
01070 || (result == UNDEFINED)
01071 )
01072 && (err=rsbac_rc_test_role_admin(TRUE))
01073 )
01074 {
01075 rsbac_uid_t user;
01076
01077 if(!rsbac_get_owner(&user))
01078 {
01079 rsbac_printk(KERN_INFO
01080 "rsbac_rc_sys_set_item(): changing def_process_*_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01081 tid.role,
01082 value.type_id,
01083 user);
01084 }
01085 #ifdef CONFIG_RSBAC_SOFTMODE
01086 if( !rsbac_softmode
01087 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01088 && !rsbac_ind_softmode[RC]
01089 #endif
01090 )
01091 #endif
01092 return -EPERM;
01093 }
01094 }
01095 break;
01096 case RI_def_ipc_create_type:
01097 /* admin for this role and assign for target type */
01098 /* test admin_role of process / modify */
01099 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01100 && (err=rsbac_rc_test_role_admin(TRUE))
01101 )
01102 {
01103 if(err == -EPERM)
01104 {
01105 rsbac_uid_t user;
01106
01107 if(!rsbac_get_owner(&user))
01108 {
01109 rsbac_printk(KERN_INFO
01110 "rsbac_rc_sys_set_item(): changing def_ipc_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01111 tid.role,
01112 current->pid,
01113 user);
01114 }
01115 #ifdef CONFIG_RSBAC_SOFTMODE
01116 if( !rsbac_softmode
01117 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01118 && !rsbac_ind_softmode[RC]
01119 #endif
01120 )
01121 #endif
01122 return err;
01123 }
01124 else
01125 return err;
01126 }
01127 else
01128 {
01129 enum rsbac_adf_req_ret_t result;
01130
01131 result = rsbac_rc_check_type_comp(T_IPC, value.type_id, RCR_ASSIGN, 0);
01132 if( ( (result == NOT_GRANTED)
01133 || (result == UNDEFINED)
01134 )
01135 && (err=rsbac_rc_test_role_admin(TRUE))
01136 )
01137 {
01138 rsbac_uid_t user;
01139
01140 if(!rsbac_get_owner(&user))
01141 {
01142 rsbac_printk(KERN_INFO
01143 "rsbac_rc_sys_set_item(): changing def_ipc_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01144 tid.role,
01145 value.type_id,
01146 user);
01147 }
01148 #ifdef CONFIG_RSBAC_SOFTMODE
01149 if( !rsbac_softmode
01150 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01151 && !rsbac_ind_softmode[RC]
01152 #endif
01153 )
01154 #endif
01155 return -EPERM;
01156 }
01157 }
01158 break;
01159 case RI_def_group_create_type:
01160 /* admin for this role and assign for target type */
01161 /* test admin_role of process / modify */
01162 if( (err=rsbac_rc_test_admin_roles(tid.role, TRUE))
01163 && (err=rsbac_rc_test_role_admin(TRUE))
01164 )
01165 {
01166 if(err == -EPERM)
01167 {
01168 rsbac_uid_t user;
01169
01170 if(!rsbac_get_owner(&user))
01171 {
01172 rsbac_printk(KERN_INFO
01173 "rsbac_rc_sys_set_item(): changing def_group_create_type of role %u denied for pid %u, user %u - not in admin_roles!\n",
01174 tid.role,
01175 current->pid,
01176 user);
01177 }
01178 #ifdef CONFIG_RSBAC_SOFTMODE
01179 if( !rsbac_softmode
01180 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01181 && !rsbac_ind_softmode[RC]
01182 #endif
01183 )
01184 #endif
01185 return err;
01186 }
01187 else
01188 return err;
01189 }
01190 else
01191 {
01192 enum rsbac_adf_req_ret_t result;
01193
01194 result = rsbac_rc_check_type_comp(T_GROUP, value.type_id, RCR_ASSIGN, 0);
01195 if( ( (result == NOT_GRANTED)
01196 || (result == UNDEFINED)
01197 )
01198 && (err=rsbac_rc_test_role_admin(TRUE))
01199 )
01200 {
01201 rsbac_uid_t user;
01202
01203 if(!rsbac_get_owner(&user))
01204 {
01205 rsbac_printk(KERN_INFO
01206 "rsbac_rc_sys_set_item(): changing def_group_create_type for role %u to %u denied for user %u - no ASSIGN right for type!\n",
01207 tid.role,
01208 value.type_id,
01209 user);
01210 }
01211 #ifdef CONFIG_RSBAC_SOFTMODE
01212 if( !rsbac_softmode
01213 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01214 && !rsbac_ind_softmode[RC]
01215 #endif
01216 )
01217 #endif
01218 return -EPERM;
01219 }
01220 }
01221 break;
01222
01223 case RI_type_comp_fd:
01224 case RI_type_comp_dev:
01225 case RI_type_comp_user:
01226 case RI_type_comp_process:
01227 case RI_type_comp_ipc:
01228 case RI_type_comp_scd:
01229 case RI_type_comp_group:
01230 case RI_type_comp_netdev:
01231 case RI_type_comp_nettemp:
01232 case RI_type_comp_netobj:
01233 {
01234 union rsbac_rc_item_value_t old_value, my_value;
01235 union rsbac_target_id_t i_tid;
01236 union rsbac_attribute_value_t i_attr_val1;
01237 union rsbac_rc_target_id_t i_rc_tid;
01238
01239 if(target != RT_ROLE)
01240 return -RSBAC_EINVALIDATTR;
01241 if(!rsbac_rc_test_role_admin(TRUE))
01242 break;
01243 /* test admin_role of process / modify */
01244 if((err=rsbac_rc_test_admin_roles(tid.role, TRUE)))
01245 {
01246 if(err == -EPERM)
01247 {
01248 rsbac_uid_t user;
01249 char tmp[80];
01250
01251 if(!rsbac_get_owner(&user))
01252 {
01253 rsbac_printk(KERN_INFO
01254 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - not in admin_roles!\n",
01255 get_rc_item_name(tmp, item),
01256 tid.role,
01257 current->pid,
01258 user);
01259 }
01260 #ifdef CONFIG_RSBAC_SOFTMODE
01261 if( !rsbac_softmode
01262 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01263 && !rsbac_ind_softmode[RC]
01264 #endif
01265 )
01266 #endif
01267 return err;
01268 }
01269 else
01270 return err;
01271 }
01272 /* test caller's RCR_ACCESS_CONTROL for the type, if we change normal access */
01273 /* and caller's RCR_SUPERVISOR for the type, if we change special rights */
01274 /* first get old setting */
01275 err = rsbac_rc_get_item(ta_number, target, tid, subtid, item, &old_value, NULL);
01276 if(err)
01277 return(err);
01278
01279 /* get rc_role of process */
01280 i_tid.process = current->pid;
01281 if ((err=rsbac_get_attr(RC, T_PROCESS,
01282 i_tid,
01283 A_rc_role,
01284 &i_attr_val1,
01285 TRUE)))
01286 {
01287 rsbac_ds_get_error("rsbac_rc_sys_set_item()", A_rc_role);
01288 return err;
01289 }
01290 /* get item of process role */
01291 i_rc_tid.role = i_attr_val1.rc_role;
01292 if ((err=rsbac_rc_get_item(ta_number,
01293 RT_ROLE,
01294 i_rc_tid,
01295 subtid,
01296 item,
01297 &my_value,
01298 NULL)))
01299 {
01300 rsbac_rc_ds_get_error("rsbac_rc_sys_set_item()", item);
01301 return err;
01302 }
01303
01304 /* check planned changes for type */
01305 if( /* Want to change normal rights to this type? Need RCR_ACCESS_CONTROL. */
01306 ( ( (old_value.rights & RSBAC_ALL_REQUEST_VECTOR)
01307 != (value.rights & RSBAC_ALL_REQUEST_VECTOR)
01308 )
01309 && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_ACCESS_CONTROL)))
01310 )
01311 ||
01312 /* Want to change special rights to this type? Need RCR_SUPERVISOR. */
01313 ( ( (old_value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
01314 != (value.rights & RSBAC_RC_SPECIAL_RIGHTS_VECTOR)
01315 )
01316 && (!(my_value.rights & RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR)))
01317 )
01318 )
01319 {
01320 /* check failed. Last resort: Classical admin_type. */
01321 if((err=rsbac_rc_test_role_admin(TRUE)))
01322 {
01323 if(err == -EPERM)
01324 {
01325 rsbac_uid_t user;
01326 char tmp[80];
01327
01328 if(!rsbac_get_owner(&user))
01329 {
01330 rsbac_printk(KERN_INFO
01331 "rsbac_rc_sys_set_item(): changing %s of role %u denied for pid %u, user %u - insufficent rights!\n",
01332 get_rc_item_name(tmp, item),
01333 tid.role,
01334 current->pid,
01335 user);
01336 }
01337 #ifdef CONFIG_RSBAC_SOFTMODE
01338 if( !rsbac_softmode
01339 #ifdef CONFIG_RSBAC_SOFTMODE_IND
01340 && !rsbac_ind_softmode[RC]
01341 #endif
01342 )
01343 #endif
01344 return err;
01345 }
01346 else
01347 return err;
01348 }
01349 }
01350 }
01351 break;
01352
01353 default:
01354 return -RSBAC_EINVALIDATTR;
01355 }
01356 }
01357 #endif /* !MAINT */
01358
01359 /* pass on */
01360 return(rsbac_rc_set_item(ta_number, target, tid, subtid, item, value, ttl));
01361 }
|
|
||||||||||||
|
Definition at line 210 of file rc_main.c. References A_rc_role, rsbac_target_id_t::process, R_NONE, RC, rsbac_attribute_value_t::rc_role, RC_role_max_value, RI_admin_roles, RI_assign_roles, rsbac_rc_target_id_t::role, RSBAC_EINVALIDVALUE, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_rc_check_comp(), T_PROCESS, and TRUE. Referenced by rsbac_rc_sys_copy_role(), rsbac_rc_sys_get_item(), and rsbac_rc_sys_set_item(). 00211 {
00212 int err;
00213 union rsbac_target_id_t i_tid;
00214 union rsbac_attribute_value_t i_attr_val1;
00215 union rsbac_rc_target_id_t i_rc_subtid;
00216
00217 if(t_role > RC_role_max_value)
00218 return -RSBAC_EINVALIDVALUE;
00219 /* get rc_role of process */
00220 i_tid.process = current->pid;
00221 if ((err=rsbac_get_attr(RC, T_PROCESS,
00222 i_tid,
00223 A_rc_role,
00224 &i_attr_val1,
00225 TRUE)))
00226 {
00227 rsbac_ds_get_error("rsbac_rc_test_admin_roles", A_rc_role);
00228 return -RSBAC_EREADFAILED;
00229 }
00230
00231 i_rc_subtid.role = t_role;
00232 /* read_only? -> assign_roles membership is enough */
00233 if(!modify)
00234 {
00235 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00236 i_rc_subtid,
00237 RI_assign_roles,
00238 R_NONE))
00239 return 0;
00240 /* fall through */
00241 }
00242 /* check admin_roles of role */
00243 if(rsbac_rc_check_comp(i_attr_val1.rc_role,
00244 i_rc_subtid,
00245 RI_admin_roles,
00246 R_NONE))
00247 return 0;
00248 else
00249 return -EPERM;
00250 }
|
|
|
Definition at line 421 of file rc_main.c. References A_rc_role, rsbac_rc_item_value_t::admin_type, NULL, rsbac_target_id_t::process, RC, rsbac_attribute_value_t::rc_role, RC_role_admin, RC_system_admin, RI_admin_type, rsbac_rc_target_id_t::role, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_rc_get_item(), RT_ROLE, T_PROCESS, and TRUE. Referenced by rsbac_adf_request_rc(), rsbac_rc_sys_copy_role(), rsbac_rc_sys_copy_type(), rsbac_rc_sys_get_item(), and rsbac_rc_sys_set_item(). 00422 {
00423 int err;
00424 union rsbac_target_id_t i_tid;
00425 union rsbac_attribute_value_t i_attr_val1;
00426 union rsbac_rc_target_id_t i_rc_tid;
00427 union rsbac_rc_item_value_t i_rc_item_val1;
00428
00429 /* get rc_role of process */
00430 i_tid.process = current->pid;
00431 if ((err=rsbac_get_attr(RC, T_PROCESS,
00432 i_tid,
00433 A_rc_role,
00434 &i_attr_val1,
00435 TRUE)))
00436 {
00437 rsbac_ds_get_error("rsbac_rc_test_role_admin", A_rc_role);
00438 return -RSBAC_EREADFAILED;
00439 }
00440
00441 /* get admin_type of role */
00442 i_rc_tid.role = i_attr_val1.rc_role;
00443 if ((err=rsbac_rc_get_item(0,
00444 RT_ROLE,
00445 i_rc_tid,
00446 i_rc_tid, /* dummy */
00447 RI_admin_type,
00448 &i_rc_item_val1,
00449 NULL)))
00450 {
00451 rsbac_rc_ds_get_error("rsbac_rc_test_role_admin", RI_admin_type);
00452 return -RSBAC_EREADFAILED;
00453 }
00454
00455 /* allow, if RC_role_admin or (read_only and RC_system_admin) */
00456 if ( (i_rc_item_val1.admin_type == RC_role_admin)
00457 || ( !modify
00458 && (i_rc_item_val1.admin_type == RC_system_admin)
00459 )
00460 )
00461 return 0;
00462 else
00463 return -EPERM;
00464 }
|
1.4.2