mac_data_structures.c

Go to the documentation of this file.

/*************************************************** */
/* Rule Set Based Access Control                     */
/* Implementation of MAC data structures            */
/* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org> */
/*                                                   */
/* Last modified: 14/Jul/2005                        */
/*************************************************** */

#include <linux/types.h>
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/init.h>
#include <linux/ext2_fs.h>
#include <asm/uaccess.h>
#include <rsbac/types.h>
#include <rsbac/aci_data_structures.h>
#include <rsbac/mac_data_structures.h>
#include <rsbac/error.h>
#include <rsbac/helpers.h>
#include <rsbac/adf.h>
#include <rsbac/aci.h>
#include <rsbac/lists.h>
#include <rsbac/proc_fs.h>
#include <rsbac/rkmem.h>
#include <rsbac/getname.h>
#include <linux/string.h>
#include <linux/smp_lock.h>

/************************************************************************** */
/*                          Global Variables                                */
/************************************************************************** */

static struct rsbac_mac_device_list_head_t      device_list_head;

static rsbac_list_handle_t process_handle = NULL;

/**************************************************/
/*       Declarations of external functions       */
/**************************************************/

rsbac_boolean_t writable(struct super_block * sb_p);

/**************************************************/
/*       Declarations of internal functions       */
/**************************************************/

/************************************************* */
/*               Internal Help functions           */
/************************************************* */

static inline int fd_hash(rsbac_inode_nr_t inode)
  {
    return(inode % RSBAC_MAC_NR_TRU_FD_LISTS);
  }

/* mac_register_fd_lists() */
/* register fd ACL lists for device */

static int mac_register_fd_lists(struct rsbac_mac_device_list_item_t * device_p,
                                  kdev_t kdev)
  {
    char                          * name;
    int                             err = 0;
    int                             tmperr;
    char                            number[10];
    u_int                           file_no;
    struct rsbac_list_lol_info_t lol_info;

    if(!device_p)
      return(-RSBAC_EINVALIDPOINTER);
    name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
    if(!name)
      return -RSBAC_ENOMEM;

    /* register all the MAC lists of lists */
    for (file_no = 0; file_no < RSBAC_MAC_NR_TRU_FD_LISTS; file_no++)
      {
        /* construct name from base name + number */
        strcpy(name, RSBAC_MAC_FD_FILENAME);
        strcat(name, inttostr(number,file_no) );

        lol_info.version = RSBAC_MAC_FD_LIST_VERSION;
        lol_info.key = RSBAC_MAC_LIST_KEY;
        lol_info.desc_size = sizeof(rsbac_inode_nr_t);
        lol_info.data_size = 0;
        lol_info.subdesc_size = sizeof(rsbac_uid_t);
        lol_info.subdata_size = 0; /* rights */
        lol_info.max_age = 0;
        tmperr = rsbac_list_lol_register(RSBAC_LIST_VERSION,
                                         &(device_p->handles[file_no]),
                                         &lol_info,
                                         RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA,
                                         rsbac_list_compare_u32,
                                         rsbac_list_compare_u32,
                                         NULL,
                                         NULL,
                                         NULL,
                                         NULL,
                                         name,
                                         kdev);
        if(tmperr)
          {
            char * tmp;

            tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
            if(tmp)
              {
                rsbac_printk(KERN_WARNING
                       "mac_register_fd_lists(): registering list %s for device %02u:%02u failed with error %s!\n",
                       name,
                       RSBAC_MAJOR(kdev),
                       RSBAC_MINOR(kdev),
                       get_error_name(tmp, tmperr));
                rsbac_kfree(tmp);
              }
            err = tmperr;
          }
      }
    return err;
  }

/* mac_detach_fd_lists() */
/* detach from fd MAC lists for device */

static int mac_detach_fd_lists(struct rsbac_mac_device_list_item_t * device_p)
  {
    char                          * name;
    int                             err = 0;
    int                             tmperr;
    char                            number[10];
    u_int                           file_no;

    if(!device_p)
      return(-RSBAC_EINVALIDPOINTER);
    name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
    if(!name)
      return -RSBAC_ENOMEM;

    /* detach all the MAC lists of lists */
    for (file_no = 0; file_no < RSBAC_MAC_NR_TRU_FD_LISTS; file_no++)
      {
        /* construct name from base name + number */
        strcpy(name, RSBAC_MAC_FD_FILENAME);
        strcat(name, inttostr(number,file_no) );

        tmperr = rsbac_list_lol_detach(&device_p->handles[file_no],
                                       RSBAC_MAC_LIST_KEY);
        if(tmperr)
          {
            char * tmp;

            tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
            if(tmp)
              {
                rsbac_printk(KERN_WARNING
                       "mac_detach_fd_lists(): detaching from list %s for device %02u:%02u failed with error %s!\n",
                       name,
                       RSBAC_MAJOR(device_p->id),
                       RSBAC_MINOR(device_p->id),
                       get_error_name(tmp, tmperr));
                rsbac_kfree(tmp);
              }
            err = tmperr;
          }
      }
    return err;
  }

/************************************************************************** */
/* The lookup functions return NULL, if the item is not found, and a        */
/* pointer to the item otherwise.                                           */

/* first the device item lookup */
static struct rsbac_mac_device_list_item_t * lookup_device(kdev_t kdev)
    {
      struct rsbac_mac_device_list_item_t  * curr = device_list_head.curr;
      
      /* if there is no current item or it is not the right one, search... */
      if(! (   curr
            && (RSBAC_MAJOR(curr->id) == RSBAC_MAJOR(kdev))
            && (RSBAC_MINOR(curr->id) == RSBAC_MINOR(kdev))
           )
        )
        {
          curr = device_list_head.head;
          while(   curr
                && (   (RSBAC_MAJOR(curr->id) != RSBAC_MAJOR(kdev))
                    || (RSBAC_MINOR(curr->id) != RSBAC_MINOR(kdev))
                   )
               )
            {
              curr = curr->next;
            }
          if (curr)
            device_list_head.curr=curr;
        }
      /* it is the current item -> return it */
        return (curr);
    };

/************************************************************************** */
/* The add_item() functions add an item to the list, set head.curr to it,   */
/* and return a pointer to the item.                                        */
/* These functions will NOT check, if there is already an item under the    */
/* same ID! If this happens, the lookup functions will return the old item! */
/* All list manipulation is protected by rw-spinlocks to prevent inconsistency */
/* and undefined behaviour in other concurrent functions.                   */

/* Create a device item without adding to list. No locking needed. */
static struct rsbac_mac_device_list_item_t 
          * create_device_item(kdev_t kdev)
    {
      struct rsbac_mac_device_list_item_t * new_item_p;
      int i;

      /* allocate memory for new device, return NULL, if failed */
      if ( !(new_item_p = (struct rsbac_mac_device_list_item_t *)
                    rsbac_kmalloc(sizeof(*new_item_p)) ) )
         return(NULL);
         
      new_item_p->id = kdev;
      new_item_p->mount_count = 1;

      /* init file/dir sublists */
      for(i=0 ; i < RSBAC_MAC_NR_TRU_FD_LISTS ; i++)
        new_item_p->handles[i] = NULL;
      return(new_item_p);
    };

/* Add an existing device item to list. Locking needed. */
static struct rsbac_mac_device_list_item_t 
          * add_device_item(struct rsbac_mac_device_list_item_t * device_p)
    {
      if (!device_p)
         return(NULL);
         
      /* add new device to device list */
      if (!device_list_head.head)
        { /* first device */
          device_list_head.head=device_p;
          device_list_head.tail=device_p;
          device_list_head.curr=device_p;
          device_list_head.count=1;
          device_p->prev=NULL;
          device_p->next=NULL;
        }  
      else
        { /* there is another device -> hang to tail */
          device_p->prev=device_list_head.tail;
          device_p->next=NULL;
          device_list_head.tail->next=device_p;
          device_list_head.tail=device_p;
          device_list_head.curr=device_p;
          device_list_head.count++;
        };
      return(device_p);
    };

/************************************************************************** */
/* The remove_item() functions remove an item from the list. If this item   */
/* is head, tail or curr, these pointers are set accordingly.               */
/* To speed up removing several subsequent items, curr is set to the next   */
/* item, if possible.                                                       */
/* If the item is not found, nothing is done.                               */

static void clear_device_item(struct rsbac_mac_device_list_item_t * item_p)
    {
      if(!item_p)
        return;

      /* First deregister lists... */
      mac_detach_fd_lists(item_p);
      /* OK, lets remove the device item itself */
      rsbac_kfree(item_p);
    }; /* end of clear_device_item() */

static void remove_device_item(kdev_t kdev)
    {
      struct rsbac_mac_device_list_item_t    * item_p;

      /* first we must locate the item. */
      if ( (item_p = lookup_device(kdev)) )
        { /* ok, item was found */
          if (device_list_head.head == item_p)  
             { /* item is head */
               if (device_list_head.tail == item_p)
                 { /* item is head and tail = only item -> list will be empty*/
                   device_list_head.head = NULL;
                   device_list_head.tail = NULL;
                 }
               else
                 { /* item is head, but not tail -> next item becomes head */
                   item_p->next->prev = NULL;
                   device_list_head.head = item_p->next;
                 };
             }
          else
             { /* item is not head */
               if (device_list_head.tail == item_p)
                 { /*item is not head, but tail -> previous item becomes tail*/
                   item_p->prev->next = NULL;
                   device_list_head.tail = item_p->prev;
                 }
               else
                 { /* item is neither head nor tail -> item is cut out */
                   item_p->prev->next = item_p->next;
                   item_p->next->prev = item_p->prev;
                 };
             };
             
          /* curr is no longer valid -> reset.                              */
          device_list_head.curr=NULL;
          /* adjust counter */
          device_list_head.count--;
          
          /* now we can remove the item from memory. This means cleaning up */
          /* everything below. */
          clear_device_item(item_p);
        };  /* end of if: item was found */

    }; /* end of remove_device_item() */

/************************************************************************** */
/* The copy_fp_tru_set_item() function copies a file cap set to a process   */
/* cap set */

static int copy_fp_tru_set_item(struct rsbac_mac_device_list_item_t * device_p,
                                rsbac_mac_file_t    file,
                                rsbac_pid_t pid)
    {
      rsbac_uid_t  * tru_item_p;
      rsbac_time_t * ttl_p;
      int i;
      long count;
      enum  rsbac_target_t target = T_FILE;
      union rsbac_target_id_t tid;

      rsbac_list_lol_remove(process_handle, &pid);
      count = rsbac_list_lol_get_all_subdesc_ttl(device_p->handles[fd_hash(file.inode)],
                                                 &file.inode,
                                                 (void **) &tru_item_p,
                                                 &ttl_p);
      if(   !count
         || (count == -RSBAC_ENOTFOUND)
        )
        {
          tid.file = file;
          if(!rsbac_get_parent(target, tid, &target, &tid))
            count = rsbac_list_lol_get_all_subdesc_ttl(device_p->handles[fd_hash(tid.file.inode)],
                                                       &tid.file.inode,
                                                       (void **) &tru_item_p,
                                                       &ttl_p);
        }
      if(count > 0)
        {
          for(i=0; i < count ; i++)
            {
              rsbac_list_lol_subadd_ttl(process_handle,
                                        ttl_p[i],
                                        &pid,
                                        &tru_item_p[i],
                                        NULL);
            }
          rsbac_vfree(tru_item_p);
          rsbac_vfree(ttl_p);
        }
      else
        {
          if(   (count < 0)
             && (count != -RSBAC_ENOTFOUND)
            )
            return count;
        }

      return 0;
    }; /* end of copy_fp_tru_set_item() */

/************************************************************************** */
/* The copy_pp_tru_set_item() function copies a process cap set to another  */

static int copy_pp_tru_set_item_handle(rsbac_list_handle_t handle,
                                       rsbac_pid_t old_pid,
                                       rsbac_pid_t new_pid)
    {
      rsbac_uid_t  * tru_item_p;
      rsbac_time_t * ttl_p;
      int i;
      long count;

      rsbac_list_lol_remove(handle, &new_pid);
      count = rsbac_list_lol_get_all_subdesc_ttl(handle,
                                                 &old_pid,
                                                 (void **) &tru_item_p,
                                                 &ttl_p);
      if(count > 0)
        {
          for(i=0; i < count ; i++)
            {
              rsbac_list_lol_subadd_ttl(handle,
                                        ttl_p[i],
                                        &new_pid,
                                        &tru_item_p[i],
                                        NULL);
            }
          rsbac_vfree(tru_item_p);
          rsbac_vfree(ttl_p);
        }
      else
        {
          if(count < 0)
            return count;
        }
      return 0;
    }

static int copy_pp_tru_set_item(rsbac_pid_t old_pid,
                                rsbac_pid_t new_pid)
    {
      return copy_pp_tru_set_item_handle(process_handle, old_pid, new_pid);
    }; /* end of copy_pp_tru_set_item() */

/************************************************* */
/*               proc functions                    */
/************************************************* */

#if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS)
static int
mac_devices_proc_info(char *buffer, char **start, off_t offset, int length)
{
  int len = 0;
  off_t pos   = 0;
  off_t begin = 0;
  struct rsbac_mac_device_list_item_t   * device_p;
  u_long dflags;

  if (!rsbac_is_initialized()) return (-ENOSYS);

  len += sprintf(buffer, "%u RSBAC MAC Devices\n-------------------\n",
                 device_list_head.count);

  /* wait for read access to device_list_head */
  rsbac_read_lock(&device_list_head.lock, &dflags);
  /* OK, go on */
  for (device_p = device_list_head.head; device_p; device_p = device_p->next)
    {
      len += sprintf(buffer + len, "%02u:%02u with mount_count = %u\n",
                     RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id),
                     device_p->mount_count);
      pos = begin + len;
      if (pos < offset)
        {
          len = 0;
          begin = pos;
        }
      if (pos > offset+length)
        break;
    }
  
  /* free access to device_list_head */
  rsbac_read_unlock(&device_list_head.lock, &dflags);

  *start = buffer + (offset - begin);
  len -= (offset - begin);
  
  if (len > length)
    len = length;
  return len;
}

static int
stats_mac_proc_info(char *buffer, char **start, off_t offset, int length)
{
    u_int len = 0;
    off_t pos   = 0;
    off_t begin = 0;

    u_int                                     tru_set_count = 0;
    u_int                                     member_count = 0;
    u_long dflags;
    struct rsbac_mac_device_list_item_t   * device_p;
    int i;

    union rsbac_target_id_t       rsbac_target_id;
    union rsbac_attribute_value_t rsbac_attribute_value;

    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "stats_mac_proc_info(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_aef_mac)
      {
        rsbac_printk(KERN_DEBUG "stats_mac_proc_info(): calling ADF\n");
      }
#endif
    rsbac_target_id.scd = ST_rsbac;
    rsbac_attribute_value.dummy = 0;
    if (!rsbac_adf_request(R_GET_STATUS_DATA,
                           current->pid,
                           T_SCD,
                           rsbac_target_id,
                           A_none,
                           rsbac_attribute_value))
      {
        return -EPERM;
      }

    len += sprintf(buffer, "MAC Status\n----------\n");

    len += sprintf(buffer + len, "%lu process trusted user set items, sum of %lu members\n",
                   rsbac_list_lol_count(process_handle),
                   rsbac_list_lol_all_subcount(process_handle));
    pos = begin + len;
    if (pos < offset)
      {
        len = 0;
        begin = pos;
      }
    if (pos > offset+length)
      goto out;

    /* protect device list */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    device_p = device_list_head.head;
    while(device_p)
      {
        /* reset counters */
        tru_set_count = 0;
        member_count = 0;
        for(i=0 ; i < RSBAC_MAC_NR_TRU_FD_LISTS; i++)
          {
            tru_set_count += rsbac_list_lol_count(device_p->handles[i]);
            member_count += rsbac_list_lol_all_subcount(device_p->handles[i]);
          }
        len += sprintf(buffer + len, "device %02u:%02u has %u file trusted user set items, sum of %u members\n",
                       RSBAC_MAJOR(device_p->id),
                       RSBAC_MINOR(device_p->id),
                       tru_set_count,member_count);
        pos = begin + len;
        if (pos < offset)
          {
            len = 0;
            begin = pos;
          }
        if (pos > offset+length)
          goto out_unlock;

        device_p = device_p->next;
      }
out_unlock:
    /* unprotect device list */
    rsbac_read_unlock(&device_list_head.lock, &dflags);

out:
  *start = buffer + (offset - begin);
  len -= (offset - begin);
  
  if (len > length)
    len = length;
  return len;
}

static int
mac_trulist_proc_info(char *buffer, char **start, off_t offset, int length)
{
    u_int len = 0;
    off_t pos   = 0;
    off_t begin = 0;

    u_int                                      count = 0;
    u_int                                      member_count = 0;
    u_long                                     all_member_count;
    u_long dflags;
    int i,j,list;
    struct rsbac_mac_device_list_item_t   * device_p;
    rsbac_pid_t * p_list;
    rsbac_inode_nr_t * f_list;
    rsbac_uid_t * tru_list;

    union rsbac_target_id_t       rsbac_target_id;
    union rsbac_attribute_value_t rsbac_attribute_value;

    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "mac_trulist_proc_info(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_aef_mac)
      {
        rsbac_printk(KERN_DEBUG "mac_trulist_proc_info(): calling ADF\n");
      }
#endif
    rsbac_target_id.scd = ST_rsbac;
    rsbac_attribute_value.dummy = 0;
    if (!rsbac_adf_request(R_GET_STATUS_DATA,
                           current->pid,
                           T_SCD,
                           rsbac_target_id,
                           A_none,
                           rsbac_attribute_value))
      {
        return -EPERM;
      }

    len += sprintf(buffer, "MAC Trusted User Lists\n---------------------\n");

    /* protect process cap set list */
    len += sprintf(buffer + len, "Process trusted user sets:\nset-id  count   members");
    pos = begin + len;
    if (pos < offset)
      {
        len = 0;
        begin = pos;
      }
    if (pos > offset+length)
      goto out;

    all_member_count = 0;
    count = rsbac_list_lol_get_all_desc(process_handle,
                                        (void **) &p_list);
    if(count > 0)
      {
        for(i=0; i<count; i++)
          {
            member_count = rsbac_list_lol_get_all_subdesc(process_handle,
                                                          &p_list[i],
                                                          (void **) &tru_list);
            len += sprintf(buffer + len, "\n %u\t%u\t",
                           p_list[i],
                           member_count);
            if(member_count > 0)
              {
                for(j=0; j<member_count; j++)
                  {
                    len += sprintf(buffer + len, "%u ",
                                   tru_list[j]);
                    pos = begin + len;
                    if (pos < offset)
                      {
                        len = 0;
                        begin = pos;
                      }
                    if (pos > offset+length)
                      {
                        rsbac_vfree(tru_list);
                        rsbac_vfree(p_list);
                        goto out;
                      }
                  }
                rsbac_vfree(tru_list);
                all_member_count += member_count;
              }
            pos = begin + len;
            if (pos < offset)
              {
                len = 0;
                begin = pos;
              }
            if (pos > offset+length)
              {
                rsbac_vfree(p_list);
                goto out;
              }
          }
        rsbac_vfree(p_list);
      }
    len += sprintf(buffer + len, "\n%u process trusted user set items, sum of %lu members\n",
                   count,all_member_count);
    pos = begin + len;
    if (pos < offset)
      {
        len = 0;
        begin = pos;
      }
    if (pos > offset+length)
      goto out;

    len += sprintf(buffer + len, "\nFile trusted user sets:\nset-id  count   members");
    pos = begin + len;
    if (pos < offset)
      {
        len = 0;
        begin = pos;
      }
    if (pos > offset+length)
      goto out;

    /* protect device list */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    device_p = device_list_head.head;
    while(device_p)
      {
        /* reset counters */
        all_member_count = 0;
        for(list=0 ; list < RSBAC_MAC_NR_TRU_FD_LISTS; list++)
          {
            count = rsbac_list_lol_get_all_desc(device_p->handles[list],
                                                (void **) &f_list);
            if(count > 0)
              {
                for(i=0; i<count; i++)
                  {
                    member_count = rsbac_list_lol_get_all_subdesc(device_p->handles[list],
                                                                  &f_list[i],
                                                                  (void **) &tru_list);
                    len += sprintf(buffer + len, "\n %u\t%u\t",
                                   f_list[i],
                                   member_count);
                    if(member_count > 0)
                      {
                        for(j=0; j<member_count; j++)
                          {
                            len += sprintf(buffer + len, "%u ",
                                           tru_list[j]);
                            pos = begin + len;
                            if (pos < offset)
                              {
                                len = 0;
                                begin = pos;
                              }
                            if (pos > offset+length)
                              {
                                rsbac_vfree(tru_list);
                                rsbac_vfree(f_list);
                                goto out_unlock;
                              }
                          }
                        rsbac_vfree(tru_list);
                        all_member_count += member_count;
                      }
                    pos = begin + len;
                    if (pos < offset)
                      {
                        len = 0;
                        begin = pos;
                      }
                    if (pos > offset+length)
                      {
                        rsbac_vfree(f_list);
                        goto out_unlock;
                      }
                  }
                rsbac_vfree(f_list);
              }
          }
        len += sprintf(buffer + len, "\ndevice %02u:%02u has %u file trusted user set items, sum of %lu members\n",
                       RSBAC_MAJOR(device_p->id),
                       RSBAC_MINOR(device_p->id),
                       count, all_member_count);
        pos = begin + len;
        if (pos < offset)
          {
            len = 0;
            begin = pos;
          }
        if (pos > offset+length)
          goto out_unlock;

        device_p = device_p->next;
      }
out_unlock:
    /* unprotect device list */
    rsbac_read_unlock(&device_list_head.lock, &dflags);

out:
  *start = buffer + (offset - begin);
  len -= (offset - begin);
  
  if (len > length)
    len = length;
  return len;
}
#endif /* CONFIG_PROC_FS && CONFIG_RSBAC_PROC */

/************************************************* */
/*               Init functions                    */
/************************************************* */

/* All functions return 0, if no error occurred, and a negative error code  */
/* otherwise. The error codes are defined in rsbac/error.h.                 */

/************************************************************************** */
/* Initialization of all MAC data structures. After this call, all MAC    */
/* data is kept in memory for performance reasons, but is written to disk   */
/* on every change. */

/* Because there can be no access to aci data structures before init,       */
/* rsbac_init_mac() will initialize all rw-spinlocks to unlocked.          */

#ifdef CONFIG_RSBAC_INIT_DELAY
int rsbac_init_mac(void)
#else
int __init rsbac_init_mac(void)
#endif
  {
    int  err = 0;
    struct rsbac_mac_device_list_item_t * device_p = NULL;
    u_long dflags;
    struct proc_dir_entry * tmp_entry_p;
    struct rsbac_list_lol_info_t lol_info;

    if (rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_init_mac(): RSBAC already initialized\n");
        return(-RSBAC_EREINIT);
      }

    /* set rw-spinlocks to unlocked status and init data structures */
    rsbac_printk(KERN_INFO "rsbac_init_mac(): Initializing RSBAC: MAC subsystem\n");

    lol_info.version = RSBAC_MAC_P_LIST_VERSION;
    lol_info.key = RSBAC_MAC_LIST_KEY;
    lol_info.desc_size = sizeof(rsbac_pid_t);
    lol_info.data_size = 0;
    lol_info.subdesc_size = sizeof(rsbac_uid_t);
    lol_info.subdata_size = 0;
    lol_info.max_age = 0;
    err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
                                  &process_handle,
                                  &lol_info,
                                  RSBAC_LIST_DEF_DATA,
                                  NULL,
                                  NULL,
                                  NULL,
                                  NULL,
                                  NULL,
                                  NULL,
                                  RSBAC_MAC_P_LIST_NAME,
                                  RSBAC_AUTO_DEV);
    if(err)
      {
        char * tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);

        if(tmp)
          {
            rsbac_printk(KERN_WARNING
                   "rsbac_init_mac(): Registering MAC process trusted user list failed with error %s\n",
                   get_error_name(tmp, err));
            rsbac_kfree(tmp);
          }
      }

    /* Init FD lists */
    device_list_head.lock = RW_LOCK_UNLOCKED;
    device_list_head.head = NULL;
    device_list_head.tail = NULL;
    device_list_head.curr = NULL;
    device_list_head.count = 0;

    /* read all data */
#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_ds_mac)
      {
        rsbac_printk(KERN_INFO "rsbac_init_mac(): Registering FD lists\n");
      }
#endif
    device_p = create_device_item(rsbac_root_dev);
    if (!device_p)
      {
        rsbac_printk(KERN_CRIT "rsbac_init_mac(): Could not add device!\n");
        return(-RSBAC_ECOULDNOTADDDEVICE);
      }
    if((err = mac_register_fd_lists(device_p,rsbac_root_dev)))
      {
        char tmp[RSBAC_MAXNAMELEN];

        rsbac_printk(KERN_WARNING
               "rsbac_init_mac(): File/Dir trusted user set registration failed for dev %02u:%02u, err %s!\n",
               RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev), get_error_name(tmp,err));
      }
    /* wait for write access to device_list_head */
    rsbac_write_lock_irq(&device_list_head.lock, &dflags);
    device_p = add_device_item(device_p);
    /* device was added, allow access */
    rsbac_write_unlock_irq(&device_list_head.lock, &dflags);
    if (!device_p)
      {
        rsbac_printk(KERN_CRIT "rsbac_init_mac(): Could not add device!\n");
        return(-RSBAC_ECOULDNOTADDDEVICE);
      }

    #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS)
    tmp_entry_p = create_proc_entry("mac_devices",
                                    S_IFREG | S_IRUGO | S_IWUGO,
                                    proc_rsbac_root_p);
    if(tmp_entry_p)
      {
        tmp_entry_p->get_info = mac_devices_proc_info;
      }
    tmp_entry_p = create_proc_entry("stats_mac",
                                    S_IFREG | S_IRUGO,
                                    proc_rsbac_root_p);
    if(tmp_entry_p)
      {
        tmp_entry_p->get_info = stats_mac_proc_info;
      }
    tmp_entry_p = create_proc_entry("mac_trusted",
                                    S_IFREG | S_IRUGO,
                                    proc_rsbac_root_p);
    if(tmp_entry_p)
      {
        tmp_entry_p->get_info = mac_trulist_proc_info;
      }
    #endif

#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_ds_mac)
      {
        rsbac_printk(KERN_DEBUG "rsbac_init_mac(): Ready.\n");
      }
#endif
    return(err);
  };

int rsbac_mount_mac(kdev_t kdev)
  {
    int err = 0;
    struct rsbac_mac_device_list_item_t * device_p;
    struct rsbac_mac_device_list_item_t * new_device_p;
    u_long dflags;

    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mount_mac(): RSBAC not initialized\n");
          return(-RSBAC_ENOTINITIALIZED);
      }
#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_ds_mac)
      {
        rsbac_printk(KERN_DEBUG "rsbac_mount_mac(): mounting device %02u:%02u\n",
               RSBAC_MAJOR(kdev),RSBAC_MINOR(kdev));
      }
#endif
    /* wait for write access to device_list_head */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    device_p = lookup_device(kdev);
    /* repeated mount? */
    if(device_p)
      {
        rsbac_printk(KERN_WARNING "rsbac_mount_mac: repeated mount %u of device %02u:%02u\n",
               device_p->mount_count, RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
        device_p->mount_count++;
        rsbac_read_unlock(&device_list_head.lock, &dflags);
        return 0;
      }
    rsbac_read_unlock(&device_list_head.lock, &dflags);

    new_device_p = create_device_item(kdev);
    if(!new_device_p)
      return -RSBAC_ECOULDNOTADDDEVICE;

    /* register lists */
    if((err = mac_register_fd_lists(new_device_p, kdev)))
      {
        char tmp[RSBAC_MAXNAMELEN];

        rsbac_printk(KERN_WARNING
               "rsbac_mount_mac(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n",
               RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev), get_error_name(tmp,err));
      }

    /* wait for read access to device_list_head */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    /* make sure to only add, if this device item has not been added in the meantime */
    device_p = lookup_device(kdev);
    if(device_p)
      {
        rsbac_printk(KERN_WARNING
               "rsbac_mount_mac(): mount race for device %02u:%02u detected!\n",
               RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
        device_p->mount_count++;
        rsbac_read_unlock(&device_list_head.lock, &dflags);
        clear_device_item(new_device_p);
      }
    else
      {
        rsbac_read_unlock(&device_list_head.lock, &dflags);
        rsbac_write_lock_irq(&device_list_head.lock, &dflags);
        device_p = add_device_item(new_device_p);
        rsbac_write_unlock_irq(&device_list_head.lock, &dflags);
        if(!device_p)
          {
            rsbac_printk(KERN_WARNING "rsbac_mount_mac: adding device %02u:%02u failed!\n",
                   RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
            clear_device_item(new_device_p);
            err = -RSBAC_ECOULDNOTADDDEVICE;
          }
      }
    return(err);
  };
  
/* When umounting a device, its file lists must be removed. */

int rsbac_umount_mac(kdev_t kdev)
  {
    u_long flags;
    struct rsbac_mac_device_list_item_t * device_p;

    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_umount(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }

#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_ds_mac)
      {
        rsbac_printk(KERN_DEBUG "rsbac_umount_mac(): umounting device %02u:%02u\n",
               RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
      }
#endif
    /* sync of attribute lists was done in rsbac_umount */
    /* wait for write access to device_list_head */
    rsbac_write_lock(&device_list_head.lock, &flags);
    /* OK, nobody else is working on it... */
    device_p = lookup_device(kdev);
    if(device_p)
      {
        if(device_p->mount_count == 1)
          remove_device_item(kdev);
        else
          {
            if(device_p->mount_count > 1)
              {
                device_p->mount_count--;
              }
            else
              {
                rsbac_printk(KERN_WARNING "rsbac_mount_mac: device %02u:%02u has mount_count < 1!\n",
                       RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
              }
          }
      }

    /* allow access */
    rsbac_write_unlock(&device_list_head.lock, &flags);
    return(0);
  };

/***************************************************/
/* We also need some status information...         */

int rsbac_stats_mac(void)
  {
    u_int                                     tru_set_count = 0;
    u_int                                     member_count = 0;
    u_long dflags;
    struct rsbac_mac_device_list_item_t   * device_p;
    int i;
  
    union rsbac_target_id_t       rsbac_target_id;
    union rsbac_attribute_value_t rsbac_attribute_value;

    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_stats_mac(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_aef_mac)
      {
        rsbac_printk(KERN_DEBUG "rsbac_stats_mac(): calling ADF\n");
      }
#endif
    rsbac_target_id.scd = ST_rsbac;
    rsbac_attribute_value.dummy = 0;
    if (!rsbac_adf_request(R_GET_STATUS_DATA,
                           current->pid,
                           T_SCD,
                           rsbac_target_id,
                           A_none,
                           rsbac_attribute_value))
      {
        return -EPERM;
      }

    rsbac_printk(KERN_INFO "MAC Status\n----------\n");

    rsbac_printk(KERN_INFO "%lu process trusted user set items, sum of %lu members\n",
                   rsbac_list_lol_count(process_handle),
                   rsbac_list_lol_all_subcount(process_handle));

    /* protect device list */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    device_p = device_list_head.head;
    while(device_p)
      {
        /* reset counters */
        tru_set_count = 0;
        member_count = 0;
        for(i=0 ; i < RSBAC_MAC_NR_TRU_FD_LISTS; i++)
          {
            tru_set_count += rsbac_list_lol_count(device_p->handles[i]);
            member_count += rsbac_list_lol_all_subcount(device_p->handles[i]);
          }
        rsbac_printk(KERN_INFO "device %02u:%02u has %u file trusted user set items, sum of %u members\n",
                         RSBAC_MAJOR(device_p->id),
                         RSBAC_MINOR(device_p->id),
                         tru_set_count,member_count);
        device_p = device_p->next;
      }
    /* unprotect device list */
    rsbac_read_unlock(&device_list_head.lock, &dflags);
    return(0);
  };

/***************************************************/
/* consistency checking (as far as possible)       */

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
int rsbac_check_mac(int correct, int check_inode)
  {
    struct rsbac_mac_device_list_item_t * device_p;
    u_long                              f_count = 0, f_sum = 0, tmp_count,
                                        r_count, u_count, b_count, no_member_count;
    long                                desc_count;
    u_int                               i,list_no;
    u_long                              dflags;
    struct super_block                * sb_p;
    struct inode                      * inode_p;
    rsbac_inode_nr_t                  * fd_desc_p;
  
    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_check_mac(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }

    /* wait for read access to device_list_head */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    /* OK, go on */
/*    rsbac_printk(KERN_INFO "rsbac_check_mac(): currently %u processes working on file/dir aci\n",
                     device_list_head.lock.lock); */
    device_p = device_list_head.head;
    while (device_p)
      { /* for all sublists */
        f_count = 0;
        r_count = 0;
        u_count = 0;
        b_count = 0;
        no_member_count = 0;
        if(check_inode)
          {
            sb_p = rsbac_get_super_block(device_p->id);
            if(!sb_p)
              {
                rsbac_printk(KERN_WARNING "rsbac_check_mac(): no super block for device %02u:%02u!\n",
                       RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id));
              }
          }
        else
          sb_p = NULL;

        /* OK, go ahead */
        for(list_no = 0; list_no < RSBAC_MAC_NR_TRU_FD_LISTS; list_no++)
          {
/*            rsbac_printk(KERN_INFO "rsbac_check_mac(): list %u\n",
                   list_no); */
            tmp_count = 0;
            desc_count = rsbac_list_lol_get_all_desc(device_p->handles[list_no], (void **) &fd_desc_p);
            if(desc_count > 0)
              {
                for(i=0; i<desc_count; i++)
                  {
                    /* check for inode on disk (but not for reiserfs, because of 64bit inode numbers) */
                    #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
                    if(sb_p)
                    #else
                    if(sb_p && !sb_p->s_op->read_inode2)
                    #endif
                      {
                        inode_p = iget(sb_p, fd_desc_p[i]);
                        if(is_bad_inode(inode_p))
                          { /* inode is bad -> remove */
                            b_count++;
                            if(correct)
                              {
                                rsbac_printk(KERN_INFO
                                       "rsbac_check_mac(): fd_item for bad inode %u on device %02u:%02u, list %u, removing!\n",
                                        fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
                                rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]);
                                continue;
                              }
                            else
                              {
                                rsbac_printk(KERN_INFO
                                       "rsbac_check_mac(): fd_item for bad inode %u on device %02u:%02u, list %u!\n",
                                       fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
                              }
                          } /* end of bad_inode */
                        else
                          { /* good inode */
                            /* currently only deletion checking of ext2 inodes is possible */
                            if(sb_p->s_magic == EXT2_SUPER_MAGIC)
                              {
                                if(inode_p->u.ext2_i.i_dtime)
                                  { /* inode has been deleted -> remove */
                                    r_count++;
                                    if(correct)
                                      {
                                        rsbac_printk(KERN_INFO
                                               "rsbac_check_mac(): fd_item for deleted inode %u on device %02u:%02u, list %u, removing!\n",
                                               fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
                                        rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]);
                                        continue;
                                      }
                                    else
                                      {
                                        rsbac_printk(KERN_INFO
                                               "rsbac_check_mac(): fd_item for deleted inode %u on device %02u:%02u, list %u!\n",
                                               fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
                                      }
                                  }
                                else
                                  {
                                    if(inode_p->i_nlink <= 0)
                                      { /* inode has been unlinked, but no dtime is set -> warn */
                                        u_count++;
                                        if(correct >= 2)
                                          {
                                            rsbac_printk(KERN_INFO
                                                   "rsbac_check_mac(): fd_item for inode %u with nlink <= 0 on device %02u:%02u, list %u, removing!\n",
                                                   fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
                                            rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]);
                                            continue;
                                          }
                                        else
                                          {
                                            rsbac_printk(KERN_INFO
                                                   "rsbac_check_mac(): deleted inode %u on device %02u:%02u, list %u, has no dtime!\n",
                                                   fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
                                          }
                                      }
                                  }
                              }
                          } /* end of is_good_inode */
                        iput(inode_p);
                      } /* end of sb_p */
                  }
                tmp_count++;
                rsbac_vfree(fd_desc_p);
                f_count += desc_count;
              }
          } /* end of for-fd-list-array */

        switch(correct)
          {
            case 2:
              rsbac_printk(KERN_INFO
                     "rsbac_check_mac(): Device %02u:%02u has %lu file/dir trusted user sets (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu unlinked inodes, %lu had no members and default mask))\n",
                     RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + u_count + no_member_count,
                     b_count, r_count, u_count, no_member_count);
              break;
            case 1:
              rsbac_printk(KERN_INFO
                     "rsbac_check_mac(): Device %02u:%02u has %lu file/dir trusted user sets (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu had no members and default mask), %lu unlinked inodes)\n",
                     RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + no_member_count,
                     b_count, r_count, no_member_count, u_count);
              break;
            default:
              rsbac_printk(KERN_INFO
                     "rsbac_check_mac(): Device %02u:%02u has %lu file/dir trusted user sets (%lu with bad inodes, %lu with dtimed inodes, %lu unlinked inodes, %lu without members and with default mask)\n",
                     RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count,
                     b_count, r_count, u_count, no_member_count);
          }
        f_sum += f_count;
        /* go on */
        device_p = device_p->next;
      }
    rsbac_printk(KERN_INFO "rsbac_check_mac(): Sum of %u Devices with %lu file/dir trusted user sets\n",
                 device_list_head.count, f_sum);
    /* free access to device_list_head */
    rsbac_read_unlock(&device_list_head.lock, &dflags);
    
    rsbac_printk(KERN_INFO
           "rsbac_check_mac(): Total of %lu registered mac items\n",
           f_sum);
    return(0);
  }
#endif /* VERSION < 2.6.0 */

/************************************************* */
/*               Access functions                  */
/************************************************* */

/* All these procedures handle the rw-spinlocks to protect the targets during */
/* access.                                                                  */
/* Trying to access a never created or removed set returns an error! */

/* rsbac_mac_add_to_truset */
/* Add a set member to a set sublist. Set behaviour: also returns success, */
/* if member was already in set! */

int rsbac_mac_add_to_p_truset(
  rsbac_list_ta_number_t ta_number,
  rsbac_pid_t pid,
  rsbac_uid_t member,
  rsbac_time_t ttl)
  {
    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_add_to_p_truset(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_add_to_p_truset(): called from interrupt!\n");
      }
    return rsbac_ta_list_lol_subadd_ttl(ta_number, process_handle, ttl, &pid, &member, NULL);
  }

int rsbac_mac_add_to_f_truset(
  rsbac_list_ta_number_t ta_number,
  rsbac_mac_file_t file,
  rsbac_uid_t member,
  rsbac_time_t ttl)
  {
    int                                     err=0;
    u_long dflags;
    struct rsbac_mac_device_list_item_t   * device_p;

    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_add_to_f_truset(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_add_to_f_truset(): called from interrupt!\n");
      }

    /* protect device list */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    device_p = lookup_device(file.device);
    if(!device_p)
      {
        /* trigger rsbac_mount() */
        rsbac_read_unlock(&device_list_head.lock, &dflags);
        rsbac_get_super_block(file.device);
        /* retry */
        rsbac_read_lock(&device_list_head.lock, &dflags);
        device_p = lookup_device(file.device);
        if(!device_p)
          {
            rsbac_printk(KERN_WARNING "rsbac_mac_add_to_f_truset(): invalid device %02u:%02u!\n",
                   RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device));
            rsbac_read_unlock(&device_list_head.lock, &dflags);
            return(-RSBAC_EINVALIDDEV);
          }
      }

    err = rsbac_ta_list_lol_subadd_ttl(ta_number,
                                       device_p->handles[fd_hash(file.inode)],
                                       ttl, &file.inode, &member, NULL);
    rsbac_read_unlock(&device_list_head.lock, &dflags);
    return(err);
  }

/* rsbac_mac_remove_from_truset */
/* Remove a set member from a sublist. Set behaviour: Returns no error, if */
/* member is not in list.                                                  */

int rsbac_mac_remove_from_p_truset(
  rsbac_list_ta_number_t ta_number,
  rsbac_pid_t pid,
  rsbac_uid_t member)
  {
    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_remove_from_p_truset(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_remove_from_p_truset(): called from interrupt!\n");
      }
    return rsbac_ta_list_lol_subremove(ta_number, process_handle, &pid, &member);
  }

int rsbac_mac_remove_from_f_truset(
  rsbac_list_ta_number_t ta_number,
  rsbac_mac_file_t file,
  rsbac_uid_t member)
  {
    int                                    err=0;
    u_long dflags;
    struct rsbac_mac_device_list_item_t   * device_p;

    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_remove_from_f_truset(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_remove_from_f_truset(): called from interrupt!\n");
      }

    /* protect device list */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    device_p = lookup_device(file.device);
    if(!device_p)
      {
        /* trigger rsbac_mount() */
        rsbac_read_unlock(&device_list_head.lock, &dflags);
        rsbac_get_super_block(file.device);
        /* retry */
        rsbac_read_lock(&device_list_head.lock, &dflags);
        device_p = lookup_device(file.device);
        if(!device_p)
          {
            rsbac_printk(KERN_WARNING "rsbac_mac_remove_from_f_truset(): invalid device %02u:%02u!\n",
                   RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device));
            rsbac_read_unlock(&device_list_head.lock, &dflags);
            return(-RSBAC_EINVALIDDEV);
          }
      }
    err = rsbac_ta_list_lol_subremove(ta_number,
                                      device_p->handles[fd_hash(file.inode)],
                                      &file.inode,
                                      &member);
    rsbac_read_unlock(&device_list_head.lock, &dflags);
    return(err);
  }

/* rsbac_mac_clear_truset */
/* Remove all set members from a sublist. Set behaviour: Returns no error, */
/* if list is empty.                                                       */

int rsbac_mac_clear_p_truset(
  rsbac_list_ta_number_t ta_number,
  rsbac_pid_t pid)
  {
    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_clear_p_truset(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_clear_p_truset(): called from interrupt!\n");
      }
    return rsbac_ta_list_lol_remove(ta_number, process_handle, &pid);
  }

int rsbac_mac_clear_f_truset(
  rsbac_list_ta_number_t ta_number,
  rsbac_mac_file_t file)
  {
    int                                    err=0;
    u_long dflags;
    struct rsbac_mac_device_list_item_t   * device_p;

    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_clear_f_truset(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_clear_f_truset(): called from interrupt!\n");
      }
    /* protect device list */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    device_p = lookup_device(file.device);
    if(!device_p)
      {
        /* trigger rsbac_mount() */
        rsbac_read_unlock(&device_list_head.lock, &dflags);
        rsbac_get_super_block(file.device);
        /* retry */
        rsbac_read_lock(&device_list_head.lock, &dflags);
        device_p = lookup_device(file.device);
        if(!device_p)
          {
            rsbac_printk(KERN_WARNING "rsbac_mac_clear_f_truset(): invalid device %02u:%02u!\n",
                   RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device));
            rsbac_read_unlock(&device_list_head.lock, &dflags);
            return(-RSBAC_EINVALIDDEV);
          }
      }
    err = rsbac_ta_list_lol_remove(ta_number, device_p->handles[fd_hash(file.inode)], &file.inode);
    rsbac_read_unlock(&device_list_head.lock, &dflags);
    return(err);
  }

/* rsbac_mac_truset_member */
/* Return truth value, whether member is in set */

rsbac_boolean_t rsbac_mac_p_truset_member(
  rsbac_pid_t pid,
  rsbac_uid_t member)
  {
    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_p_truset_member(): RSBAC not initialized\n");
        return FALSE;
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_p_truset_member(): called from interrupt!\n");
      }
    if(rsbac_list_lol_subexist(process_handle, &pid, &member))
      return TRUE;
    member = RSBAC_ALL_USERS;
    return rsbac_list_lol_subexist(process_handle, &pid, &member);
  }

/* rsbac_mac_remove_truset */
/* Remove a full set. For cleanup, if object is deleted. */
/* To empty an existing set use rsbac_mac_clear_truset. */

int rsbac_mac_remove_p_trusets(rsbac_pid_t pid)
  {
    return rsbac_mac_clear_p_truset(FALSE, pid);
  }

int rsbac_mac_remove_f_trusets(rsbac_mac_file_t file)
  {
    return rsbac_mac_clear_f_truset(FALSE, file);
  }

int rsbac_mac_copy_fp_truset(rsbac_mac_file_t    file,
                              rsbac_pid_t p_tru_set_id)
  {
    u_long dflags;
    struct rsbac_mac_device_list_item_t * device_p;
    int err=0;

    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_copy_fp_truset(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_copy_fp_truset(): called from interrupt!\n");
      }
/*
#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_ds_mac)
      rsbac_printk(KERN_DEBUG
             "rsbac_mac_copy_fp_truset(): Copying file cap set data to process cap set\n");
#endif
*/
    /* protect device list */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    device_p = lookup_device(file.device);
    if(!device_p)
      {
        /* trigger rsbac_mount() */
        rsbac_read_unlock(&device_list_head.lock, &dflags);
        rsbac_get_super_block(file.device);
        /* retry */
        rsbac_read_lock(&device_list_head.lock, &dflags);
        device_p = lookup_device(file.device);
        if(!device_p)
          {
            rsbac_printk(KERN_WARNING "rsbac_mac_copy_fp_truset(): invalid device %02u:%02u!\n",
                   RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device));
            rsbac_read_unlock(&device_list_head.lock, &dflags);
            return(-RSBAC_EINVALIDDEV);
          }
      }
    /* call the copy function */
    err = copy_fp_tru_set_item(device_p,file,p_tru_set_id);
    rsbac_read_unlock(&device_list_head.lock, &dflags);
    return(err);
  }

int rsbac_mac_copy_pp_truset(rsbac_pid_t old_p_set_id,
                              rsbac_pid_t new_p_set_id)
  {
    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_copy_pp_truset(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_copy_pp_truset(): called from interrupt!\n");
      }
/*
#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_ds_mac)
      rsbac_printk(KERN_DEBUG
             "rsbac_mac_copy_pp_truset(): Copying process cap set data to process cap set\n");
#endif
*/
    /* call the copy function */
    return copy_pp_tru_set_item(old_p_set_id,new_p_set_id);
  }

int rsbac_mac_get_f_trulist(
  rsbac_list_ta_number_t ta_number,
  rsbac_mac_file_t file,
  rsbac_uid_t **trulist_p,
  rsbac_time_t **ttllist_p)
  {
    u_long dflags;
    struct rsbac_mac_device_list_item_t * device_p;
    long count;

    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_get_f_trulist(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_get_f_trulist(): called from interrupt!\n");
      }
/*
#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_ds_mac)
      rsbac_printk(KERN_DEBUG
             "rsbac_mac_get_f_trulist(): Getting file/dir trusted user set list\n");
#endif
*/
    /* protect device list */
    rsbac_read_lock(&device_list_head.lock, &dflags);
    device_p = lookup_device(file.device);
    if(!device_p)
      {
        /* trigger rsbac_mount() */
        rsbac_read_unlock(&device_list_head.lock, &dflags);
        rsbac_get_super_block(file.device);
        /* retry */
        rsbac_read_lock(&device_list_head.lock, &dflags);
        device_p = lookup_device(file.device);
        if(!device_p)
          {
            rsbac_printk(KERN_WARNING "rsbac_mac_get_f_trulist(): invalid device %02u:%02u!\n",
                   RSBAC_MAJOR(file.device),RSBAC_MINOR(file.device));
            rsbac_read_unlock(&device_list_head.lock, &dflags);
            return(-RSBAC_EINVALIDDEV);
          }
      }
    count = rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number,
                                                  device_p->handles[fd_hash(file.inode)],
                                                  &file.inode,
                                                  (void **) trulist_p,
                                                  ttllist_p);
    rsbac_read_unlock(&device_list_head.lock, &dflags);
    return(count);
  }

int rsbac_mac_get_p_trulist(
  rsbac_list_ta_number_t ta_number,
  rsbac_pid_t pid,
  rsbac_uid_t **trulist_p,
  rsbac_time_t **ttllist_p)
  {
    if (!rsbac_is_initialized())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_get_p_trulist(): RSBAC not initialized\n");
        return(-RSBAC_ENOTINITIALIZED);
      }
    if (in_interrupt())
      {
        rsbac_printk(KERN_WARNING "rsbac_mac_get_p_trulist(): called from interrupt!\n");
      }
/*
#ifdef CONFIG_RSBAC_DEBUG
    if (rsbac_debug_ds_mac)
      rsbac_printk(KERN_DEBUG
             "rsbac_mac_get_p_trulist(): Getting process trusted user set list\n");
#endif
*/
    return rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number,
                                                 process_handle,
                                                 &pid,
                                                 (void **) trulist_p,
                                                 ttllist_p);
  }

/* end of mac_data_structures.c */

---