#include <linux/string.h>#include <rsbac/types.h>#include <rsbac/aci.h>#include <rsbac/mac.h>#include <rsbac/adf_main.h>#include <rsbac/error.h>#include <rsbac/helpers.h>#include <rsbac/getname.h>#include <rsbac/debug.h>#include <rsbac/rkmem.h>Go to the source code of this file.
Functions | |
| static int | mac_sys_check_role (enum rsbac_system_role_t role) |
| int | rsbac_mac_set_curr_level (rsbac_security_level_t level, rsbac_mac_category_vector_t categories) |
| int | rsbac_mac_get_curr_level (rsbac_security_level_t *level_p, rsbac_mac_category_vector_t *categories_p) |
| int | rsbac_mac_get_max_level (rsbac_security_level_t *level_p, rsbac_mac_category_vector_t *categories_p) |
| int | rsbac_mac_get_min_level (rsbac_security_level_t *level_p, rsbac_mac_category_vector_t *categories_p) |
| int | rsbac_mac_add_p_tru (rsbac_list_ta_number_t ta_number, rsbac_pid_t pid, rsbac_uid_t uid, rsbac_time_t ttl) |
| int | rsbac_mac_remove_p_tru (rsbac_list_ta_number_t ta_number, rsbac_pid_t pid, rsbac_uid_t uid) |
| int | rsbac_mac_add_f_tru (rsbac_list_ta_number_t ta_number, rsbac_mac_file_t file, rsbac_uid_t uid, rsbac_time_t ttl) |
| int | rsbac_mac_remove_f_tru (rsbac_list_ta_number_t ta_number, rsbac_mac_file_t file, rsbac_uid_t uid) |
|
|
Definition at line 33 of file mac_syscalls.c. References A_mac_role, MAC, rsbac_get_attr, rsbac_attribute_value_t::system_role, T_USER, TRUE, and rsbac_target_id_t::user. Referenced by rsbac_mac_add_f_tru(), rsbac_mac_add_p_tru(), rsbac_mac_remove_f_tru(), and rsbac_mac_remove_p_tru(). 00034 {
00035 union rsbac_target_id_t i_tid;
00036 union rsbac_attribute_value_t i_attr_val1;
00037
00038 i_tid.user = current->uid;
00039 if (rsbac_get_attr(MAC,
00040 T_USER,
00041 i_tid,
00042 A_mac_role,
00043 &i_attr_val1,
00044 TRUE))
00045 {
00046 rsbac_ds_get_error("mac_sys_check_role", A_mac_role);
00047 return -EPERM;
00048 }
00049 /* if correct role, then grant */
00050 if (i_attr_val1.system_role == role)
00051 return 0;
00052 else
00053 return -EPERM;
00054 }
|
|
||||||||||||||||||||
|
Definition at line 632 of file mac_syscalls.c. References MAC, mac_sys_check_role(), RSBAC_EWRITEFAILED, rsbac_mac_add_to_f_truset(), rsbac_printk(), and SR_security_officer. Referenced by sys_rsbac_mac_add_f_tru(). 00637 {
00638 /* check only in non-maint mode */
00639 #if !defined(CONFIG_RSBAC_MAINT)
00640 #ifdef CONFIG_RSBAC_SWITCH_MAC
00641 if(rsbac_switch_mac)
00642 #endif
00643 {
00644 if(mac_sys_check_role(SR_security_officer))
00645 {
00646 rsbac_printk(KERN_INFO
00647 "rsbac_mac_add_f_tru(): adding MAC trusted user %u to file %u on device %02u:%02u denied for process %u!\n",
00648 uid,
00649 file.inode,
00650 MAJOR(file.device),
00651 MINOR(file.device),
00652 current->pid);
00653 #ifdef CONFIG_RSBAC_SOFTMODE
00654 if( !rsbac_softmode
00655 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00656 && !rsbac_ind_softmode[MAC]
00657 #endif
00658 )
00659 #endif
00660 return(-EPERM);
00661 }
00662 }
00663 #endif
00664
00665 if(rsbac_mac_add_to_f_truset(ta_number, file, uid, ttl))
00666 {
00667 rsbac_printk(KERN_WARNING
00668 "rsbac_mac_add_f_tru(): rsbac_mac_add_to_f_truset() returned error!\n");
00669 return(-RSBAC_EWRITEFAILED);
00670 }
00671 return 0;
00672 }
|
|
||||||||||||||||||||
|
Definition at line 558 of file mac_syscalls.c. References MAC, mac_sys_check_role(), RSBAC_EWRITEFAILED, rsbac_mac_add_to_p_truset(), rsbac_printk(), and SR_security_officer. Referenced by sys_rsbac_mac_add_p_tru(). 00563 {
00564 /* check only in non-maint mode */
00565 #if !defined(CONFIG_RSBAC_MAINT)
00566 #ifdef CONFIG_RSBAC_SWITCH_MAC
00567 if(rsbac_switch_mac)
00568 #endif
00569 {
00570 if(mac_sys_check_role(SR_security_officer))
00571 {
00572 rsbac_printk(KERN_INFO
00573 "rsbac_mac_add_p_tru(): adding MAC trusted user %u to process %u denied for process %u!\n",
00574 uid,
00575 pid,
00576 current->pid);
00577 #ifdef CONFIG_RSBAC_SOFTMODE
00578 if( !rsbac_softmode
00579 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00580 && !rsbac_ind_softmode[MAC]
00581 #endif
00582 )
00583 #endif
00584 return(-EPERM);
00585 }
00586 }
00587 #endif
00588
00589 /* OK, check passed. Add the truability. */
00590 if(rsbac_mac_add_to_p_truset(ta_number, pid, uid, ttl))
00591 {
00592 rsbac_printk(KERN_WARNING
00593 "rsbac_mac_add_p_tru(): rsbac_mac_add_to_p_truset() returned error!\n");
00594 return(-RSBAC_EWRITEFAILED);
00595 }
00596 return 0;
00597 }
|
|
||||||||||||
|
Definition at line 443 of file mac_syscalls.c. References A_current_sec_level, A_mac_curr_categories, A_none, rsbac_attribute_value_t::current_sec_level, FALSE, MAC, rsbac_attribute_value_t::mac_categories, rsbac_target_id_t::process, RSBAC_EREADFAILED, rsbac_get_attr, and T_PROCESS. Referenced by sys_rsbac_mac_get_curr_level(). 00445 {
00446 union rsbac_target_id_t tid;
00447 union rsbac_attribute_value_t attr_val;
00448
00449 tid.process = current->pid;
00450 if(level_p)
00451 {
00452 if (rsbac_get_attr(MAC,
00453 T_PROCESS,
00454 tid,
00455 A_current_sec_level,
00456 &attr_val,
00457 FALSE))
00458 { /* failed! */
00459 rsbac_ds_get_error("rsbac_mac_get_curr_level", A_none);
00460 return(-RSBAC_EREADFAILED);
00461 }
00462 *level_p = attr_val.current_sec_level;
00463 }
00464 if(categories_p)
00465 {
00466 if (rsbac_get_attr(MAC,
00467 T_PROCESS,
00468 tid,
00469 A_mac_curr_categories,
00470 &attr_val,
00471 FALSE))
00472 { /* failed! */
00473 rsbac_ds_get_error("rsbac_mac_get_curr_level", A_none);
00474 return(-RSBAC_EREADFAILED);
00475 }
00476 *categories_p = attr_val.mac_categories;
00477 }
00478 return 0;
00479 }
|
|
||||||||||||
|
Definition at line 481 of file mac_syscalls.c. References A_mac_categories, A_none, A_security_level, FALSE, MAC, rsbac_attribute_value_t::mac_categories, rsbac_target_id_t::process, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_attribute_value_t::security_level, and T_PROCESS. Referenced by sys_rsbac_mac_get_max_level(). 00483 {
00484 union rsbac_target_id_t tid;
00485 union rsbac_attribute_value_t attr_val;
00486
00487 tid.process = current->pid;
00488 if(level_p)
00489 {
00490 if (rsbac_get_attr(MAC,
00491 T_PROCESS,
00492 tid,
00493 A_security_level,
00494 &attr_val,
00495 FALSE))
00496 { /* failed! */
00497 rsbac_ds_get_error("rsbac_mac_get_max_level", A_none);
00498 return(-RSBAC_EREADFAILED);
00499 }
00500 *level_p = attr_val.security_level;
00501 }
00502 if(categories_p)
00503 {
00504 if (rsbac_get_attr(MAC,
00505 T_PROCESS,
00506 tid,
00507 A_mac_categories,
00508 &attr_val,
00509 FALSE))
00510 { /* failed! */
00511 rsbac_ds_get_error("rsbac_mac_get_max_level", A_none);
00512 return(-RSBAC_EREADFAILED);
00513 }
00514 *categories_p = attr_val.mac_categories;
00515 }
00516 return 0;
00517 }
|
|
||||||||||||
|
Definition at line 520 of file mac_syscalls.c. References A_mac_min_categories, A_min_security_level, A_none, FALSE, MAC, rsbac_attribute_value_t::mac_categories, rsbac_target_id_t::process, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_attribute_value_t::security_level, and T_PROCESS. Referenced by sys_rsbac_mac_get_min_level(). 00522 {
00523 union rsbac_target_id_t tid;
00524 union rsbac_attribute_value_t attr_val;
00525
00526 tid.process = current->pid;
00527 if(level_p)
00528 {
00529 if (rsbac_get_attr(MAC,
00530 T_PROCESS,
00531 tid,
00532 A_min_security_level,
00533 &attr_val,
00534 FALSE))
00535 { /* failed! */
00536 rsbac_ds_get_error("rsbac_mac_get_min_level", A_none);
00537 return(-RSBAC_EREADFAILED);
00538 }
00539 *level_p = attr_val.security_level;
00540 }
00541 if(categories_p)
00542 {
00543 if (rsbac_get_attr(MAC,
00544 T_PROCESS,
00545 tid,
00546 A_mac_min_categories,
00547 &attr_val,
00548 FALSE))
00549 { /* failed! */
00550 rsbac_ds_get_error("rsbac_mac_get_min_level", A_none);
00551 return(-RSBAC_EREADFAILED);
00552 }
00553 *categories_p = attr_val.mac_categories;
00554 }
00555 return 0;
00556 }
|
|
||||||||||||||||
|
Definition at line 674 of file mac_syscalls.c. References MAC, mac_sys_check_role(), rsbac_mac_remove_from_f_truset(), rsbac_printk(), and SR_security_officer. Referenced by sys_rsbac_mac_remove_f_tru(). 00678 {
00679 /* check only in non-maint mode */
00680 #if !defined(CONFIG_RSBAC_MAINT)
00681 #ifdef CONFIG_RSBAC_SWITCH_MAC
00682 if(rsbac_switch_mac)
00683 #endif
00684 {
00685 if(mac_sys_check_role(SR_security_officer))
00686 {
00687 rsbac_printk(KERN_INFO
00688 "rsbac_mac_remove_f_tru(): removing MAC trusted user %u from file %u on device %02u:%02u denied for process %u!\n",
00689 uid,
00690 file.inode,
00691 MAJOR(file.device),
00692 MINOR(file.device),
00693 current->pid);
00694 #ifdef CONFIG_RSBAC_SOFTMODE
00695 if( !rsbac_softmode
00696 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00697 && !rsbac_ind_softmode[MAC]
00698 #endif
00699 )
00700 #endif
00701 return(-EPERM);
00702 }
00703 }
00704 #endif
00705
00706 return(rsbac_mac_remove_from_f_truset(ta_number, file, uid));
00707 }
|
|
||||||||||||||||
|
Definition at line 599 of file mac_syscalls.c. References MAC, mac_sys_check_role(), rsbac_mac_remove_from_p_truset(), rsbac_printk(), and SR_security_officer. Referenced by sys_rsbac_mac_remove_p_tru(). 00603 {
00604 /* check only in non-maint mode */
00605 #if !defined(CONFIG_RSBAC_MAINT)
00606 #ifdef CONFIG_RSBAC_SWITCH_MAC
00607 if(rsbac_switch_mac)
00608 #endif
00609 {
00610 if(mac_sys_check_role(SR_security_officer))
00611 {
00612 rsbac_printk(KERN_INFO
00613 "rsbac_mac_remove_p_tru(): removing MAC trusted user %u from process %u denied for process %u!\n",
00614 uid,
00615 pid,
00616 current->pid);
00617 #ifdef CONFIG_RSBAC_SOFTMODE
00618 if( !rsbac_softmode
00619 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00620 && !rsbac_ind_softmode[MAC]
00621 #endif
00622 )
00623 #endif
00624 return(-EPERM);
00625 }
00626 }
00627 #endif
00628 /* OK, check passed. Try to remove the trusted user */
00629 return(rsbac_mac_remove_from_p_truset(ta_number, pid, uid));
00630 }
|
|
||||||||||||
|
Definition at line 68 of file mac_syscalls.c. References A_current_sec_level, A_mac_categories, A_mac_curr_categories, A_mac_min_categories, A_mac_process_flags, A_max_read_categories, A_max_read_open, A_min_security_level, A_min_write_categories, A_min_write_open, A_none, A_security_level, rsbac_attribute_value_t::current_sec_level, FALSE, MAC, MAC_auto, rsbac_attribute_value_t::mac_categories, MAC_override, rsbac_attribute_value_t::mac_process_flags, MAC_trusted, rsbac_attribute_value_t::max_read_open, rsbac_attribute_value_t::min_write_open, rsbac_target_id_t::process, RSBAC_EINVALIDVALUE, RSBAC_EREADFAILED, RSBAC_EWRITEFAILED, rsbac_get_attr, rsbac_kfree(), rsbac_kmalloc(), RSBAC_MAC_MIN_CAT_VECTOR, RSBAC_MAXNAMELEN, rsbac_printk(), rsbac_set_attr, rsbac_attribute_value_t::security_level, SL_max, SL_none, T_PROCESS, and u64tostrmac(). Referenced by sys_rsbac_mac_set_curr_level(). 00070 {
00071 union rsbac_target_id_t tid;
00072 union rsbac_attribute_value_t attr_val1;
00073 #ifndef CONFIG_RSBAC_MAINT
00074 rsbac_mac_process_flags_t flags;
00075 #endif
00076
00077 if( (level > SL_max)
00078 && (level != SL_none)
00079 )
00080 return -RSBAC_EINVALIDVALUE;
00081
00082 tid.process = current->pid;
00083
00084 #ifndef CONFIG_RSBAC_MAINT
00085 /* check flags */
00086 if (rsbac_get_attr(MAC,
00087 T_PROCESS,
00088 tid,
00089 A_mac_process_flags,
00090 &attr_val1,
00091 FALSE))
00092 { /* failed! */
00093 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00094 return(-RSBAC_EREADFAILED);
00095 }
00096 flags = attr_val1.mac_process_flags;
00097 if( !(flags & MAC_auto)
00098 && !(flags & MAC_trusted)
00099 && !(flags & MAC_override)
00100 )
00101 {
00102 rsbac_printk(KERN_INFO
00103 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: no auto, trusted or override -> not granted \n",
00104 current->uid,
00105 current->pid,
00106 current->comm);
00107 #ifdef CONFIG_RSBAC_SOFTMODE
00108 if( !rsbac_softmode
00109 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00110 && !rsbac_ind_softmode[MAC]
00111 #endif
00112 )
00113 #endif
00114 return -EPERM;
00115 }
00116
00117 /* override allows full range */
00118 if(!(flags & MAC_override))
00119 {
00120 if(level != SL_none)
00121 {
00122 /* get maximum security level */
00123 tid.process = current->pid;
00124 if (rsbac_get_attr(MAC,
00125 T_PROCESS,
00126 tid,
00127 A_security_level,
00128 &attr_val1,
00129 FALSE))
00130 { /* failed! */
00131 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00132 return(-RSBAC_EREADFAILED);
00133 }
00134 /* if level is too high -> error */
00135 if (level > attr_val1.security_level)
00136 {
00137 rsbac_printk(KERN_INFO
00138 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over max level %u, no override -> not granted \n",
00139 current->uid,
00140 current->pid,
00141 current->comm,
00142 level,
00143 attr_val1.security_level);
00144 #ifdef CONFIG_RSBAC_SOFTMODE
00145 if( !rsbac_softmode
00146 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00147 && !rsbac_ind_softmode[MAC]
00148 #endif
00149 )
00150 #endif
00151 return -EPERM;
00152 }
00153 /* get minimum security level */
00154 tid.process = current->pid;
00155 if (rsbac_get_attr(MAC,
00156 T_PROCESS,
00157 tid,
00158 A_min_security_level,
00159 &attr_val1,
00160 FALSE))
00161 { /* failed! */
00162 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00163 return(-RSBAC_EREADFAILED);
00164 }
00165 /* if level is too low -> error */
00166 if (level < attr_val1.security_level)
00167 {
00168 rsbac_printk(KERN_INFO
00169 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u under min level %u, no override -> not granted \n",
00170 current->uid,
00171 current->pid,
00172 current->comm,
00173 level,
00174 attr_val1.security_level);
00175 #ifdef CONFIG_RSBAC_SOFTMODE
00176 if( !rsbac_softmode
00177 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00178 && !rsbac_ind_softmode[MAC]
00179 #endif
00180 )
00181 #endif
00182 return -EPERM;
00183 }
00184
00185 /* auto needed? -> stay inside boundaries */
00186 if(!flags & MAC_trusted)
00187 {
00188 /* check against upper/write boundary */
00189 if (rsbac_get_attr(MAC,
00190 T_PROCESS,
00191 tid,
00192 A_min_write_open,
00193 &attr_val1,
00194 FALSE))
00195 { /* failed! */
00196 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00197 return(-RSBAC_EREADFAILED);
00198 }
00199 if (level > attr_val1.min_write_open)
00200 {
00201 rsbac_printk(KERN_INFO
00202 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested level %u over min_write_open %u, no override or trusted -> not granted \n",
00203 current->uid,
00204 current->pid,
00205 current->comm,
00206 level,
00207 attr_val1.min_write_open);
00208 #ifdef CONFIG_RSBAC_SOFTMODE
00209 if( !rsbac_softmode
00210 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00211 && !rsbac_ind_softmode[MAC]
00212 #endif
00213 )
00214 #endif
00215 return -EPERM;
00216 }
00217
00218 /* check against lower/read boundary */
00219 if (rsbac_get_attr(MAC,
00220 T_PROCESS,
00221 tid,
00222 A_max_read_open,
00223 &attr_val1,
00224 FALSE))
00225 { /* failed! */
00226 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00227 return(-RSBAC_EREADFAILED);
00228 }
00229 if (level < attr_val1.max_read_open)
00230 return(-EPERM);
00231 }
00232 }
00233 if(categories != RSBAC_MAC_MIN_CAT_VECTOR)
00234 {
00235 /* get maximum categories */
00236 tid.process = current->pid;
00237 if (rsbac_get_attr(MAC,
00238 T_PROCESS,
00239 tid,
00240 A_mac_categories,
00241 &attr_val1,
00242 FALSE))
00243 { /* failed! */
00244 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00245 return(-RSBAC_EREADFAILED);
00246 }
00247 /* if categories are no subset -> error */
00248 if ((categories & attr_val1.mac_categories) != categories)
00249 {
00250 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00251
00252 if(tmp)
00253 {
00254 char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00255
00256 if(tmp2)
00257 {
00258 rsbac_printk(KERN_INFO
00259 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over max categories %s, no override -> not granted \n",
00260 current->uid,
00261 current->pid,
00262 current->comm,
00263 u64tostrmac(tmp, categories),
00264 u64tostrmac(tmp2, attr_val1.mac_categories));
00265 rsbac_kfree(tmp2);
00266 }
00267 rsbac_kfree(tmp);
00268 }
00269 #ifdef CONFIG_RSBAC_SOFTMODE
00270 if( !rsbac_softmode
00271 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00272 && !rsbac_ind_softmode[MAC]
00273 #endif
00274 )
00275 #endif
00276 return -EPERM;
00277 }
00278 /* get minimum categories */
00279 tid.process = current->pid;
00280 if (rsbac_get_attr(MAC,
00281 T_PROCESS,
00282 tid,
00283 A_mac_min_categories,
00284 &attr_val1,
00285 FALSE))
00286 { /* failed! */
00287 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00288 return(-RSBAC_EREADFAILED);
00289 }
00290 /* if level is too low -> error */
00291 if ((categories & attr_val1.mac_categories) != attr_val1.mac_categories)
00292 {
00293 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00294
00295 if(tmp)
00296 {
00297 char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00298
00299 if(tmp2)
00300 {
00301 rsbac_printk(KERN_INFO
00302 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under min categories %s, no override -> not granted \n",
00303 current->uid,
00304 current->pid,
00305 current->comm,
00306 u64tostrmac(tmp, categories),
00307 u64tostrmac(tmp2, attr_val1.mac_categories));
00308 rsbac_kfree(tmp2);
00309 }
00310 rsbac_kfree(tmp);
00311 }
00312 #ifdef CONFIG_RSBAC_SOFTMODE
00313 if( !rsbac_softmode
00314 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00315 && !rsbac_ind_softmode[MAC]
00316 #endif
00317 )
00318 #endif
00319 return -EPERM;
00320 }
00321
00322 /* auto needed? -> stay inside boundaries */
00323 if(!flags & MAC_trusted)
00324 {
00325 /* check against upper/write boundary */
00326 if (rsbac_get_attr(MAC,
00327 T_PROCESS,
00328 tid,
00329 A_min_write_categories,
00330 &attr_val1,
00331 FALSE))
00332 { /* failed! */
00333 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00334 return(-RSBAC_EREADFAILED);
00335 }
00336 if ((categories & attr_val1.mac_categories) != categories)
00337 {
00338 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00339
00340 if(tmp)
00341 {
00342 char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00343
00344 if(tmp2)
00345 {
00346 rsbac_printk(KERN_INFO
00347 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s over min_write categories %s, no override or trusted -> not granted \n",
00348 current->uid,
00349 current->pid,
00350 current->comm,
00351 u64tostrmac(tmp, categories),
00352 u64tostrmac(tmp2, attr_val1.mac_categories));
00353 rsbac_kfree(tmp2);
00354 }
00355 rsbac_kfree(tmp);
00356 }
00357 #ifdef CONFIG_RSBAC_SOFTMODE
00358 if( !rsbac_softmode
00359 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00360 && !rsbac_ind_softmode[MAC]
00361 #endif
00362 )
00363 #endif
00364 return -EPERM;
00365 }
00366 /* check against lower/read boundary */
00367 if (rsbac_get_attr(MAC,
00368 T_PROCESS,
00369 tid,
00370 A_max_read_categories,
00371 &attr_val1,
00372 FALSE))
00373 { /* failed! */
00374 rsbac_ds_get_error("rsbac_mac_set_curr_level", A_none);
00375 return(-RSBAC_EREADFAILED);
00376 }
00377 if ((categories & attr_val1.mac_categories) != attr_val1.mac_categories)
00378 {
00379 char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00380
00381 if(tmp)
00382 {
00383 char * tmp2 = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00384
00385 if(tmp2)
00386 {
00387 rsbac_printk(KERN_INFO
00388 "rsbac_mac_set_curr_level(): uid %u, pid %u/%.15s: requested categories %s under max_read categories %s, no override or trusted -> not granted \n",
00389 current->uid,
00390 current->pid,
00391 current->comm,
00392 u64tostrmac(tmp, categories),
00393 u64tostrmac(tmp2, attr_val1.mac_categories));
00394 rsbac_kfree(tmp2);
00395 }
00396 rsbac_kfree(tmp);
00397 }
00398 #ifdef CONFIG_RSBAC_SOFTMODE
00399 if( !rsbac_softmode
00400 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00401 && !rsbac_ind_softmode[MAC]
00402 #endif
00403 )
00404 #endif
00405 return -EPERM;
00406 }
00407 }
00408 }
00409 }
00410 #endif /* ifndef CONFIG_RSBAC_MAINT */
00411
00412 /* OK, checks passed: set values */
00413 if(level != SL_none)
00414 {
00415 attr_val1.current_sec_level = level;
00416 if (rsbac_set_attr(MAC,
00417 T_PROCESS,
00418 tid,
00419 A_current_sec_level,
00420 attr_val1))
00421 { /* failed! */
00422 rsbac_ds_set_error("rsbac_mac_set_curr_level", A_none);
00423 return(-RSBAC_EWRITEFAILED);
00424 }
00425 }
00426 if(categories != RSBAC_MAC_MIN_CAT_VECTOR)
00427 {
00428 attr_val1.mac_categories = categories;
00429 if (rsbac_set_attr(MAC,
00430 T_PROCESS,
00431 tid,
00432 A_mac_curr_categories,
00433 attr_val1))
00434 { /* failed! */
00435 rsbac_ds_set_error("rsbac_mac_set_curr_level", A_none);
00436 return(-RSBAC_EWRITEFAILED);
00437 }
00438 }
00439 return(0);
00440 }
|
1.4.2