adf_main.c File Reference

#include <linux/string.h>
#include <linux/init.h>
#include <linux/config.h>
#include <linux/module.h>
#include <rsbac/types.h>
#include <rsbac/aci.h>
#include <rsbac/adf.h>
#include <rsbac/adf_main.h>
#include <rsbac/error.h>
#include <rsbac/helpers.h>
#include <rsbac/getname.h>
#include <rsbac/cap_getname.h>
#include <rsbac/jail_getname.h>
#include <rsbac/rkmem.h>
#include <rsbac/network.h>

Go to the source code of this file.

Functions
void __init	rsbac_init_adf (void)
enum rsbac_adf_req_ret_t	adf_and_plus (enum rsbac_adf_req_ret_t res1, enum rsbac_adf_req_ret_t res2)
	EXPORT_SYMBOL (rsbac_adf_request_int)
enum rsbac_adf_req_ret_t	rsbac_adf_request_int (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t *tid_p, enum rsbac_attribute_t attr, union rsbac_attribute_value_t *attr_val_p, enum rsbac_switch_target_t ignore_module)
enum rsbac_adf_req_ret_t	rsbac_adf_request (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val)
	EXPORT_SYMBOL (rsbac_adf_set_attr)
int	rsbac_adf_set_attr (enum rsbac_adf_request_t request, rsbac_pid_t caller_pid, enum rsbac_target_t target, union rsbac_target_id_t tid, enum rsbac_target_t new_target, union rsbac_target_id_t new_tid, enum rsbac_attribute_t attr, union rsbac_attribute_value_t attr_val)
	EXPORT_SYMBOL (rsbac_sec_trunc)
int	rsbac_sec_trunc (struct dentry *dentry_p, loff_t new_len, loff_t old_len)
	EXPORT_SYMBOL (rsbac_sec_del)
int	rsbac_sec_del (struct dentry *dentry_p)
int	rsbac_set_audit_uid (rsbac_uid_t uid)
Variables
u_long	rsbac_adf_request_count [T_NONE+1] = {0,0,0,0,0,0,0,0}
u_long	rsbac_adf_set_attr_count [T_NONE+1] = {0,0,0,0,0,0,0,0}

---

Function Documentation

enum rsbac_adf_req_ret_t adf_and_plus (  enum rsbac_adf_req_ret_t  res1, enum rsbac_adf_req_ret_t  res2 )

Definition at line 137 of file adf_main.c. References DO_NOT_CARE, GRANTED, NOT_GRANTED, and UNDEFINED. Referenced by rsbac_adf_request_int(), and rsbac_adf_request_reg(). { switch (res1) { case GRANTED: if (res2 == DO_NOT_CARE) return (GRANTED); else return (res2); case NOT_GRANTED: if (res2 == UNDEFINED) return (UNDEFINED); else return (NOT_GRANTED); case DO_NOT_CARE: return (res2); default: return (UNDEFINED); } };

EXPORT_SYMBOL (  rsbac_sec_del   )

EXPORT_SYMBOL (  rsbac_sec_trunc   )

EXPORT_SYMBOL (  rsbac_adf_set_attr   )

EXPORT_SYMBOL (  rsbac_adf_request_int   )

enum rsbac_adf_req_ret_t rsbac_adf_request (  enum rsbac_adf_request_t  request, rsbac_pid_t  caller_pid, enum rsbac_target_t  target, union rsbac_target_id_t  tid, enum rsbac_attribute_t  attr, union rsbac_attribute_value_t  attr_val )

Definition at line 1331 of file adf_main.c. References rsbac_adf_request_int(), and SW_NONE. Referenced by rsbac_aef_file_permission(), rsbac_aef_inode_create(), rsbac_aef_inode_follow_link(), rsbac_aef_inode_getattr(), rsbac_aef_inode_link(), rsbac_aef_inode_mkdir(), rsbac_aef_inode_mknod(), rsbac_aef_inode_readlink(), rsbac_aef_inode_rename(), rsbac_aef_inode_symlink(), rsbac_aef_msg_queue_alloc_security(), rsbac_aef_ptrace(), rsbac_aef_sb_mount(), rsbac_aef_sb_pivotroot(), rsbac_aef_sb_umount(), rsbac_aef_shm_alloc_security(), rsbac_aef_shm_shmat(), rsbac_aef_statfs(), rsbac_aef_sysctl(), rsbac_aef_task_kill(), rsbac_aef_task_setgid(), rsbac_aef_task_setgroups(), rsbac_aef_task_setrlimit(), rsbac_aef_task_setuid(), rsbac_stats_acl(), rsbac_stats_auth(), rsbac_stats_mac(), rsbac_stats_um(), sys_rsbac_adf_log_switch(), sys_rsbac_auth_add_f_cap(), sys_rsbac_auth_get_f_caplist(), sys_rsbac_auth_get_p_caplist(), sys_rsbac_auth_remove_f_cap(), sys_rsbac_check(), sys_rsbac_get_adf_log(), sys_rsbac_get_attr(), sys_rsbac_get_attr_n(), sys_rsbac_net_list_all_template(), sys_rsbac_net_template(), sys_rsbac_remove_target(), sys_rsbac_remove_target_n(), sys_rsbac_set_attr(), sys_rsbac_set_attr_n(), sys_rsbac_stats(), sys_rsbac_stats_pm(), sys_rsbac_switch(), sys_rsbac_um_add_gm(), sys_rsbac_um_add_group(), sys_rsbac_um_add_user(), sys_rsbac_um_check_account(), sys_rsbac_um_check_account_name(), sys_rsbac_um_get_gid(), sys_rsbac_um_get_gm_list(), sys_rsbac_um_get_gm_user_list(), sys_rsbac_um_get_group_item(), sys_rsbac_um_get_group_list(), sys_rsbac_um_get_next_user(), sys_rsbac_um_get_uid(), sys_rsbac_um_get_user_item(), sys_rsbac_um_get_user_list(), sys_rsbac_um_group_exists(), sys_rsbac_um_mod_group(), sys_rsbac_um_mod_user(), sys_rsbac_um_remove_gm(), sys_rsbac_um_remove_group(), sys_rsbac_um_remove_user(), sys_rsbac_um_set_group_pass(), sys_rsbac_um_set_pass(), sys_rsbac_um_user_exists(), and sys_rsbac_write(). { return(rsbac_adf_request_int(request, caller_pid, target, &tid, attr, &attr_val, SW_NONE)); }

enum rsbac_adf_req_ret_t rsbac_adf_request_int (  enum rsbac_adf_request_t  request, rsbac_pid_t  caller_pid, enum rsbac_target_t  target, union rsbac_target_id_t *  tid_p, enum rsbac_attribute_t  attr, union rsbac_attribute_value_t *  attr_val_p, enum rsbac_switch_target_t  ignore_module )

Definition at line 161 of file adf_main.c. References A_audit_uid, A_local_log_array_high, A_local_log_array_low, A_log_array_high, A_log_array_low, A_log_program_based, A_log_user_based, A_none, A_pseudo, A_remote_ip, A_remote_log_array_high, A_remote_log_array_low, ACL, adf_and_plus(), rsbac_attribute_value_t::audit_uid, AUTH, CAP, DAZ, DO_NOT_CARE, rsbac_attribute_value_t::dummy, FALSE, FF, GEN, get_attribute_name(), get_attribute_value_name(), get_request_name(), get_result_name(), get_target_name(), GRANTED, JAIL, LL_denied, LL_full, LL_request, rsbac_attribute_value_t::log_array_high, rsbac_attribute_value_t::log_array_low, rsbac_attribute_value_t::log_program_based, rsbac_attribute_value_t::log_user_based, MAC, NIPQUAD, NOT_GRANTED, NULL, rsbac_attribute_value_t::owner, PAX, PM, rsbac_target_id_t::process, rsbac_attribute_value_t::pseudo, R_CHANGE_DAC_EFF_GROUP, R_CHANGE_DAC_EFF_OWNER, R_CHANGE_DAC_FS_GROUP, R_CHANGE_DAC_FS_OWNER, R_CHANGE_GROUP, R_CHANGE_OWNER, R_CHDIR, R_CLOSE, R_GET_PERMISSIONS_DATA, R_GET_STATUS_DATA, R_NONE, R_READ, R_READ_ATTRIBUTE, R_SEARCH, R_TERMINATE, RC, REG, rsbac_attribute_value_t::remote_ip, RES, rsbac_adf_request_acl(), rsbac_adf_request_auth(), rsbac_adf_request_cap(), rsbac_adf_request_check(), rsbac_adf_request_count, rsbac_adf_request_daz(), rsbac_adf_request_ff(), rsbac_adf_request_jail(), rsbac_adf_request_mac(), rsbac_adf_request_pax(), rsbac_adf_request_pm(), rsbac_adf_request_rc(), rsbac_adf_request_reg(), rsbac_adf_request_res(), RSBAC_EINVALIDDEV, rsbac_get_attr, rsbac_get_full_path(), rsbac_get_super_block(), rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), rsbac_log_levels, RSBAC_MAXNAMELEN, rsbac_min, rsbac_net_remote_request(), RSBAC_NO_USER, rsbac_printk(), rsbac_remove_target, rsbac_um_group_exists(), rsbac_um_user_exists(), SW_NONE, T_DEV, T_DIR, T_FIFO, T_FILE, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NONE, T_PROCESS, T_SYMLINK, T_USER, TRUE, UNDEFINED, and rsbac_target_id_t::user. Referenced by rsbac_adf_request(), and rsbac_pm(). { union rsbac_target_id_t i_tid; union rsbac_attribute_value_t i_attr_val; rsbac_uid_t owner=0; int tmperr=0; enum rsbac_adf_req_ret_t result = DO_NOT_CARE; #ifdef CONFIG_RSBAC_SOFTMODE_IND enum rsbac_adf_req_ret_t ret_result = DO_NOT_CARE; #endif #ifndef CONFIG_RSBAC_MAINT enum rsbac_adf_req_ret_t mod_result[SW_NONE + 1] = { DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE, DO_NOT_CARE }; #endif rsbac_boolean_t do_log = FALSE; rsbac_boolean_t log_on_request = TRUE; /* only if individual logging is enabled */ #if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG) union rsbac_attribute_value_t i_attr_val2; enum rsbac_log_level_t log_level; #endif struct super_block * sb_p; #ifdef CONFIG_RSBAC_SOFTMODE rsbac_boolean_t rsbac_internal = FALSE; #endif /* No decision possible before init (called at boot time) -> don't care */ if (!rsbac_is_initialized()) return(DO_NOT_CARE); /* Always granted for kernel (pid 0) and logging daemon */ if ( !caller_pid #if defined(CONFIG_RSBAC_LOG_REMOTE) || (caller_pid == rsbaclogd_pid) #endif ) return(GRANTED); /* Checking base values */ if( request >= R_NONE || target > T_NONE || attr > A_none) { rsbac_printk(KERN_WARNING "rsbac_adf_request(): called with invalid request, target or attribute\n"); return(NOT_GRANTED); } if (in_interrupt()) { char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); if(request_name) { get_request_name(request_name, request); rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %s, pid %u, attr_val %u!\n", request_name, caller_pid, attr_val_p->dummy); kfree(request_name); } else { rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %u, pid %u!\n", request, caller_pid); } // return DO_NOT_CARE; } /* Getting basic information about this request */ /* only useful for real process, not idle or init */ if (caller_pid > 1) { tmperr = rsbac_get_owner(&owner); if(tmperr) { rsbac_printk(KERN_DEBUG "rsbac_adf_request(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE", caller_pid); return(DO_NOT_CARE); /* Startup-Sequence (see above) */ } } else /* caller_pid = 1 -> init, always owned by root */ owner = 0; /******************************************************/ /* General work for all modules - before module calls */ /* test target on rsbac_internal */ switch(target) { case T_FILE: case T_DIR: case T_FIFO: case T_SYMLINK: #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT if ( ((sb_p = rsbac_get_super_block(tid_p->file.device))) && ( (sb_p->s_magic == NFS_SUPER_MAGIC) || (sb_p->s_magic == CODA_SUPER_MAGIC) || (sb_p->s_magic == NCP_SUPER_MAGIC) || (sb_p->s_magic == SMB_SUPER_MAGIC) ) ) { result = DO_NOT_CARE; goto log; } #endif /* No decision on pseudo pipefs */ if( (target == T_FIFO) && ((sb_p = rsbac_get_super_block(tid_p->file.device))) && (sb_p->s_magic == PIPEFS_MAGIC) ) return DO_NOT_CARE; #if 0 && LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) /* No decision on pseudo sockfs */ if( (target == T_FILE) && (!RSBAC_MAJOR(tid_p->file.device)) && (!RSBAC_MINOR(tid_p->file.device)) ) return DO_NOT_CARE; #endif switch(request) { case R_GET_STATUS_DATA: case R_GET_PERMISSIONS_DATA: case R_READ_ATTRIBUTE: #ifdef CONFIG_RSBAC_DAT_VISIBLE case R_SEARCH: case R_READ: case R_CLOSE: case R_CHDIR: #endif break; default: if ((tmperr = rsbac_get_attr(GEN, target, *tid_p, A_internal, &i_attr_val, TRUE) )) { if(tmperr == -RSBAC_EINVALIDDEV) { // rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr); return(DO_NOT_CARE); /* last calls on shutdown */ } else { rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr); return(NOT_GRANTED); /* something weird happened */ } } /* no access to rsbac_internal objects is granted in any case */ if (i_attr_val.internal) { rsbac_printk(KERN_WARNING "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n"); result = NOT_GRANTED; #ifndef CONFIG_RSBAC_MAINT mod_result[SW_NONE] = NOT_GRANTED; #endif #ifdef CONFIG_RSBAC_SOFTMODE #ifdef CONFIG_RSBAC_SOFTMODE_IND ret_result = NOT_GRANTED; #endif rsbac_internal = TRUE; #endif } } break; #if defined(CONFIG_RSBAC_UM_EXCL) case T_PROCESS: switch(request) { case R_CHANGE_OWNER: #ifdef CONFIG_RSBAC_DAC_OWNER case R_CHANGE_DAC_EFF_OWNER: case R_CHANGE_DAC_FS_OWNER: #endif if( (attr == A_owner) && !rsbac_um_no_excl && !rsbac_um_user_exists(0, attr_val_p->owner) ) { rsbac_printk(KERN_INFO "rsbac_adf_request(): uid %u not known to RSBAC User Management!\n", attr_val_p->owner); result = adf_and_plus(result, NOT_GRANTED); #ifdef CONFIG_RSBAC_SOFTMODE_IND ret_result = adf_and_plus(ret_result, NOT_GRANTED); #endif } break; case R_CHANGE_GROUP: #ifdef CONFIG_RSBAC_DAC_OWNER case R_CHANGE_DAC_EFF_GROUP: case R_CHANGE_DAC_FS_GROUP: #endif if( (attr == A_group) && !rsbac_um_no_excl && !rsbac_um_group_exists(0, attr_val_p->group) ) { rsbac_printk(KERN_INFO "rsbac_adf_request(): gid %u not known to RSBAC User Management!\n", attr_val_p->group); result = adf_and_plus(result, NOT_GRANTED); #ifdef CONFIG_RSBAC_SOFTMODE_IND ret_result = adf_and_plus(ret_result, NOT_GRANTED); #endif } break; default: break; } break; #endif /* UM_EXCL */ default: break; } /**********************************************************/ /* calling all decision modules, building a common result */ #ifdef CONFIG_RSBAC_DEBUG /* first, check for valid request/target combination */ /* (undefined should only happen in _check and means a real bug!) */ result = adf_and_plus(result,rsbac_adf_request_check(request, caller_pid, target, tid_p, attr, attr_val_p, owner) ); if(result == UNDEFINED) goto log; #endif #if !defined(CONFIG_RSBAC_MAINT) /******* MAC ********/ #if defined(CONFIG_RSBAC_MAC) #ifdef CONFIG_RSBAC_SWITCH_MAC if (rsbac_switch_mac) #endif /* no need to call module, if to be ignored */ if(ignore_module != MAC) { mod_result[MAC] = rsbac_adf_request_mac(request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[MAC]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[MAC]) ret_result = adf_and_plus(ret_result, mod_result[MAC]); #endif } #endif /* MAC */ /******* PM ********/ #if defined(CONFIG_RSBAC_PM) #ifdef CONFIG_RSBAC_SWITCH_PM if (rsbac_switch_pm) #endif /* no need to call module, if to be ignored */ if(ignore_module != PM) { mod_result[PM] = rsbac_adf_request_pm (request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[PM]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[PM]) ret_result = adf_and_plus(ret_result, mod_result[PM]); #endif } #endif /* PM */ /******* DAZ ********/ #if defined(CONFIG_RSBAC_DAZ) #ifdef CONFIG_RSBAC_SWITCH_DAZ if (rsbac_switch_daz) #endif /* no need to call module, if to be ignored */ if(ignore_module != DAZ) { mod_result[DAZ] = rsbac_adf_request_daz (request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[DAZ]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[DAZ]) ret_result = adf_and_plus(ret_result, mod_result[DAZ]); #endif } #endif /* DAZ */ /******* FF ********/ #if defined(CONFIG_RSBAC_FF) #ifdef CONFIG_RSBAC_SWITCH_FF if (rsbac_switch_ff) #endif /* no need to call module, if to be ignored */ if(ignore_module != FF) { mod_result[FF] = rsbac_adf_request_ff (request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[FF]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[FF]) ret_result = adf_and_plus(ret_result, mod_result[FF]); #endif } #endif /* FF */ /******* RC ********/ #if defined(CONFIG_RSBAC_RC) #ifdef CONFIG_RSBAC_SWITCH_RC if (rsbac_switch_rc) #endif /* no need to call module, if to be ignored */ if(ignore_module != RC) { mod_result[RC] = rsbac_adf_request_rc (request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[RC]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[RC]) ret_result = adf_and_plus(ret_result, mod_result[RC]); #endif } #endif /* RC */ /****** AUTH *******/ #if defined(CONFIG_RSBAC_AUTH) #ifdef CONFIG_RSBAC_SWITCH_AUTH if (rsbac_switch_auth) #endif /* no need to call module, if to be ignored */ if(ignore_module != AUTH) { mod_result[AUTH]= rsbac_adf_request_auth(request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[AUTH]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[AUTH]) ret_result = adf_and_plus(ret_result, mod_result[AUTH]); #endif } #endif /* AUTH */ /****** ACL *******/ #if defined(CONFIG_RSBAC_ACL) #ifdef CONFIG_RSBAC_SWITCH_ACL if (rsbac_switch_acl) #endif /* no need to call module, if to be ignored */ if(ignore_module != ACL) { mod_result[ACL] = rsbac_adf_request_acl(request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[ACL]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[ACL]) ret_result = adf_and_plus(ret_result, mod_result[ACL]); #endif } #endif /* ACL */ /****** CAP *******/ #if defined(CONFIG_RSBAC_CAP) #ifdef CONFIG_RSBAC_SWITCH_CAP if (rsbac_switch_cap) #endif /* no need to call module, if to be ignored */ if(ignore_module != CAP) { mod_result[CAP] = rsbac_adf_request_cap(request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[CAP]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[CAP]) ret_result = adf_and_plus(ret_result, mod_result[CAP]); #endif } #endif /* CAP */ /****** JAIL *******/ #if defined(CONFIG_RSBAC_JAIL) #ifdef CONFIG_RSBAC_SWITCH_JAIL if (rsbac_switch_jail) #endif /* no need to call module, if to be ignored */ if(ignore_module != JAIL) { mod_result[JAIL]= rsbac_adf_request_jail(request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[JAIL]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[JAIL]) ret_result = adf_and_plus(ret_result, mod_result[JAIL]); #endif } #endif /* JAIL */ /******* PAX ********/ #if defined(CONFIG_RSBAC_PAX) #ifdef CONFIG_RSBAC_SWITCH_PAX if (rsbac_switch_pax) #endif /* no need to call module, if to be ignored */ if(ignore_module != PAX) { mod_result[PAX] = rsbac_adf_request_pax (request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[PAX]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[PAX]) ret_result = adf_and_plus(ret_result, mod_result[PAX]); #endif } #endif /* PAX */ /****** RES *******/ #if defined(CONFIG_RSBAC_RES) #ifdef CONFIG_RSBAC_SWITCH_RES if (rsbac_switch_res) #endif /* no need to call module, if to be ignored */ if(ignore_module != RES) { mod_result[RES] = rsbac_adf_request_res(request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[RES]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[RES]) ret_result = adf_and_plus(ret_result, mod_result[RES]); #endif } #endif /* RES */ /****** REG *******/ #if defined(CONFIG_RSBAC_REG) if(ignore_module != REG) { mod_result[REG]= rsbac_adf_request_reg (request, caller_pid, target, *tid_p, attr, *attr_val_p, owner); result = adf_and_plus(result, mod_result[REG]); #ifdef CONFIG_RSBAC_SOFTMODE_IND if(!rsbac_ind_softmode[REG]) ret_result = adf_and_plus(ret_result, mod_result[REG]); #endif } #endif /* REG */ #endif /* !MAINT */ /****************************/ #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET) if( rsbac_debug_adf_net && ( (target == T_NETDEV) || (target == T_NETTEMP) || (target == T_NETOBJ) ) ) do_log = TRUE; #endif /* log based on process owner */ #ifdef CONFIG_RSBAC_IND_USER_LOG i_tid.user = owner; if (rsbac_get_attr(GEN, T_USER, i_tid, A_log_user_based, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", A_log_user_based); } else { if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) do_log = TRUE; } #endif /* CONFIG_RSBAC_IND_USER_LOG */ /* log based on program */ #ifdef CONFIG_RSBAC_IND_PROG_LOG if(!do_log) { i_tid.process = caller_pid; if (rsbac_get_attr(GEN, T_PROCESS, i_tid, A_log_program_based, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", A_log_program_based); } else { if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) do_log = TRUE; } } #endif /* CONFIG_RSBAC_IND_PROG_LOG */ /*****************************************************/ /* General work for all modules - after module calls */ /* Note: the process' individual logging attributes are needed above */ switch(request) { case R_TERMINATE: if (target == T_PROCESS) rsbac_remove_target(T_PROCESS,*tid_p); break; default: break; } /* logging request on info level, if requested by file/dir/dev attributes */ /* log_array_low/high, or, if that is requested, if enabled for this request */ /* type (attributes state level, or that request based level is to be taken) */ /* loglevel 2: log everything */ /* loglevel 1: log, if denied */ /* loglevel 0: log nothing */ #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */ /* if file/dir/dev, depend log on log_arrays */ /* (but not for file.device = 0) */ /* log_on_request is TRUE */ if( !do_log && ( ( ( (target == T_FILE) || (target == T_DIR) || (target == T_FIFO) || (target == T_SYMLINK) ) && RSBAC_MAJOR(tid_p->file.device) && RSBAC_MINOR(tid_p->file.device) ) || (target == T_DEV) ) ) { if (rsbac_get_attr(GEN, target, *tid_p, A_log_array_low, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low); } else { if (rsbac_get_attr(GEN, target, *tid_p, A_log_array_high, &i_attr_val2, FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high); } else { /* ll = low-bit for request | (high-bit for request as bit 1) */ /* WARNING: we deal with u64 here, only logical operations and */ /* shifts work correctly! */ log_level = ((i_attr_val.log_array_low >> request) & 1) | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); if ( log_level == LL_full || ( log_level == LL_denied && (result == NOT_GRANTED || result == UNDEFINED)) ) { do_log = TRUE; } if(log_level != LL_request) log_on_request = FALSE; } } } #endif /* CONFIG_RSBAC_IND_LOG */ #ifdef CONFIG_RSBAC_IND_NETDEV_LOG /* only if individual logging for netdev is enabled */ /* if netdev, depend log on log_arrays */ /* log_on_request is TRUE */ if( !do_log && (target == T_NETDEV) ) { if (rsbac_get_attr(GEN, target, *tid_p, A_log_array_low, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low); } else { if (rsbac_get_attr(GEN, target, *tid_p, A_log_array_high, &i_attr_val2, FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high); } else { /* ll = low-bit for request | (high-bit for request as bit 1) */ /* WARNING: we deal with u64 here, only logical operations and */ /* shifts work correctly! */ log_level = ((i_attr_val.log_array_low >> request) & 1) | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); if ( log_level == LL_full || ( log_level == LL_denied && (result == NOT_GRANTED || result == UNDEFINED)) ) { do_log = TRUE; } if(log_level != LL_request) log_on_request = FALSE; } } } #endif /* CONFIG_RSBAC_IND_NETDEV_LOG */ #ifdef CONFIG_RSBAC_IND_NETOBJ_LOG /* only if individual logging for net objects is enabled */ /* if nettemp, netobj, depend log on log_arrays */ /* (but not for file.device = 0) */ /* log_on_request is TRUE */ if( !do_log && ( (target == T_NETTEMP) || (target == T_NETOBJ) ) ) { enum rsbac_attribute_t i_attr1, i_attr2; if(target == T_NETOBJ) { if(rsbac_net_remote_request(request)) { i_attr1 = A_remote_log_array_low; i_attr2 = A_remote_log_array_high; } else { i_attr1 = A_local_log_array_low; i_attr2 = A_local_log_array_high; } } else { i_attr1 = A_log_array_low; i_attr2 = A_log_array_high; } if (rsbac_get_attr(GEN, target, *tid_p, i_attr1, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", i_attr1); } else { if (rsbac_get_attr(GEN, target, *tid_p, i_attr2, &i_attr_val2, FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", i_attr2); } else { /* ll = low-bit for request | (high-bit for request as bit 1) */ /* WARNING: we deal with u64 here, only logical operations and */ /* shifts work correctly! */ log_level = ((i_attr_val.log_array_low >> request) & 1) | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); if ( log_level == LL_full || ( log_level == LL_denied && (result == NOT_GRANTED || result == UNDEFINED)) ) { do_log = TRUE; } if(log_level != LL_request) log_on_request = FALSE; } } } #endif /* CONFIG_RSBAC_IND_NETOBJ_LOG */ log: /* if enabled, try request based log level */ if ( !do_log && log_on_request && ( rsbac_log_levels[request][target] == LL_full || ( rsbac_log_levels[request][target] == LL_denied && (result == NOT_GRANTED || result == UNDEFINED)) ) ) do_log = TRUE; if(do_log) { char * request_name; char * res_name; char * res_mods; char * target_type_name; char * target_id_name; char * attr_name; char * attr_val_name; #ifdef CONFIG_RSBAC_NET_OBJ char * remote_ip_name; #else char remote_ip_name[1]; #endif char * audit_uid_name; char command[17]; rsbac_pid_t parent_pid = 0; rsbac_uid_t audit_uid; #ifdef CONFIG_RSBAC_LOG_PSEUDO rsbac_pseudo_t pseudo = 0; #endif char * program_path; /* parent pid */ #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) if(current->parent) parent_pid = current->parent->pid; #else if(current->p_pptr) parent_pid = current->p_pptr->pid; #endif /* rsbac_kmalloc all memory */ request_name = rsbac_kmalloc(32); res_name = rsbac_kmalloc(32); res_mods = rsbac_kmalloc(RSBAC_MAXNAMELEN); target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); #ifdef CONFIG_RSBAC_LOG_FULL_PATH target_id_name = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); /* max. path name len + some extra */ #else target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); /* max. file name len + some extra */ #endif #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE #ifdef CONFIG_RSBAC_LOG_FULL_PATH program_path = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); /* max. path name len + some extra */ #else program_path = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); /* max. file name len + some extra */ #endif #else program_path = rsbac_kmalloc(2); #endif attr_name = rsbac_kmalloc(32); attr_val_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); #ifdef CONFIG_RSBAC_NET_OBJ remote_ip_name = rsbac_kmalloc(32); #endif audit_uid_name = rsbac_kmalloc(32); request_name[0] = (char) 0; target_type_name[0] = (char) 0; target_id_name[0] = (char) 0; program_path[0] = (char) 0; attr_name[0] = (char) 0; attr_val_name[0] = (char) 0; remote_ip_name[0] = (char) 0; audit_uid_name[0] = (char) 0; res_name[0] = (char) 0; res_mods[0] = (char) 0; command[0] = (char) 0; get_request_name(request_name, request); #if !defined(CONFIG_RSBAC_MAINT) /* if(result == mod_result[SW_NONE]) { strcat(res_mods, " GEN"); } */ #if defined(CONFIG_RSBAC_MAC) if(result == mod_result[MAC]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[MAC]) strcat(res_mods, " MAC(Softmode)"); else #endif strcat(res_mods, " MAC"); } #endif #if defined(CONFIG_RSBAC_PM) if(result == mod_result[PM]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[PM]) strcat(res_mods, " PM(Softmode)"); else #endif strcat(res_mods, " PM"); } #endif #if defined(CONFIG_RSBAC_DAZ) if(result == mod_result[DAZ]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[DAZ]) strcat(res_mods, " DAZ(Softmode)"); else #endif strcat(res_mods, " DAZ"); } #endif #ifdef CONFIG_RSBAC_FF if(result == mod_result[FF]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[FF]) strcat(res_mods, " FF(Softmode)"); else #endif strcat(res_mods, " FF"); } #endif #ifdef CONFIG_RSBAC_RC if(result == mod_result[RC]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[RC]) strcat(res_mods, " RC(Softmode)"); else #endif strcat(res_mods, " RC"); } #endif #ifdef CONFIG_RSBAC_AUTH if(result == mod_result[AUTH]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[AUTH]) strcat(res_mods, " AUTH(Softmode)"); else #endif strcat(res_mods, " AUTH"); } #endif #ifdef CONFIG_RSBAC_ACL if(result == mod_result[ACL]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[ACL]) strcat(res_mods, " ACL(Softmode)"); else #endif strcat(res_mods, " ACL"); } #endif #ifdef CONFIG_RSBAC_CAP if(result == mod_result[CAP]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[CAP]) strcat(res_mods, " CAP(Softmode)"); else #endif strcat(res_mods, " CAP"); } #endif #ifdef CONFIG_RSBAC_JAIL if(result == mod_result[JAIL]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[JAIL]) strcat(res_mods, " JAIL(Softmode)"); else #endif strcat(res_mods, " JAIL"); } #endif #ifdef CONFIG_RSBAC_RES if(result == mod_result[RES]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[RES]) strcat(res_mods, " RES(Softmode)"); else #endif strcat(res_mods, " RES"); } #endif #ifdef CONFIG_RSBAC_REG if(result == mod_result[REG]) { #ifdef CONFIG_RSBAC_SOFTMODE_IND if(rsbac_ind_softmode[REG]) strcat(res_mods, " REG(Softmode)"); else #endif strcat(res_mods, " REG"); } #endif #endif /* !MAINT */ if(!res_mods[0]) strcat(res_mods, " ADF"); /* Get process audit_uid */ i_tid.process = caller_pid; if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", A_audit_uid); return(NOT_GRANTED); /* something weird happened */ } audit_uid = i_attr_val.audit_uid; if(audit_uid == RSBAC_NO_USER) audit_uid = owner; else sprintf(audit_uid_name, "audit uid %u, ", audit_uid); #ifdef CONFIG_RSBAC_LOG_PSEUDO /* Get owner's logging pseudo */ i_tid.user = audit_uid; if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", A_pseudo); return(NOT_GRANTED); /* something weird happened */ } /* if pseudo is not registered, return attribute value is 0 (see later) */ pseudo = i_attr_val.pseudo; #endif #ifdef CONFIG_RSBAC_NET_OBJ /* Get process remote_ip */ i_tid.process = caller_pid; if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_remote_ip,&i_attr_val,FALSE)) { rsbac_ds_get_error("rsbac_adf_request()", A_remote_ip); return(NOT_GRANTED); /* something weird happened */ } if(i_attr_val.remote_ip) sprintf(remote_ip_name, "remote ip %u.%u.%u.%u, ", NIPQUAD(i_attr_val.remote_ip)); #endif #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE { struct mm_struct * mm; struct vm_area_struct * vma; struct dentry * dentry_p = NULL; mm = current->mm; if(mm) { atomic_inc(&mm->mm_users); if(!down_read_trylock(&mm->mmap_sem)) goto down_failed; vma = mm->mmap; while (vma) { if( (vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) { dentry_p = dget(vma->vm_file->f_dentry); break; } vma = vma->vm_next; } up_read(&mm->mmap_sem); if(dentry_p) { char * p = program_path; p += sprintf(program_path, ", prog_file "); #ifdef CONFIG_RSBAC_LOG_FULL_PATH rsbac_get_full_path(dentry_p, p, CONFIG_RSBAC_MAX_PATH_LEN); #else int namelen = rsbac_min(dentry_p->d_name.len, RSBAC_MAXNAMELEN); strncpy(p, dentry_p->d_name.name, namelen); p[namelen]=0; #endif dput(dentry_p); } down_failed: mmput(mm); } } #endif get_target_name(target_type_name, target, target_id_name, *tid_p); get_attribute_name(attr_name, attr); get_attribute_value_name(attr_val_name, attr, attr_val_p); get_result_name(res_name, result); if ((current) && (current->comm)) { strncpy(command,current->comm,16); command[16] = (char) 0; } #ifdef CONFIG_RSBAC_LOG_PSEUDO /* if pseudo is set, its value is != 0, else -> use id */ if (pseudo) { #ifdef CONFIG_RSBAC_SOFTMODE if(rsbac_softmode) rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n", request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods); else #endif rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s by%s\n", request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods); } else #endif { #ifdef CONFIG_RSBAC_SOFTMODE if(rsbac_softmode) rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n", request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods); else #endif rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s by%s\n", request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods); } /* rsbac_kfree all helper mem */ rsbac_kfree(request_name); rsbac_kfree(res_name); rsbac_kfree(res_mods); rsbac_kfree(target_type_name); rsbac_kfree(target_id_name); rsbac_kfree(program_path); rsbac_kfree(attr_name); rsbac_kfree(attr_val_name); #ifdef CONFIG_RSBAC_NET_OBJ rsbac_kfree(remote_ip_name); #endif rsbac_kfree(audit_uid_name); } /* UNDEFINED must never be returned -> change result */ if(result == UNDEFINED) result = NOT_GRANTED; /* count */ rsbac_adf_request_count[target]++; #ifdef CONFIG_RSBAC_XSTATS rsbac_adf_request_xcount[target][request]++; #endif /* return result */ #ifdef CONFIG_RSBAC_SOFTMODE if(rsbac_softmode && !rsbac_internal) return DO_NOT_CARE; else #endif #ifdef CONFIG_RSBAC_SOFTMODE_IND return ret_result; #else return result; /* change for debugging! */ #endif } /* end of rsbac_adf_request_int() */

int rsbac_adf_set_attr (  enum rsbac_adf_request_t  request, rsbac_pid_t  caller_pid, enum rsbac_target_t  target, union rsbac_target_id_t  tid, enum rsbac_target_t  new_target, union rsbac_target_id_t  new_tid, enum rsbac_attribute_t  attr, union rsbac_attribute_value_t  attr_val )

Definition at line 1355 of file adf_main.c. References A_audit_uid, A_auid_exempt, A_fake_root_uid, A_log_array_high, A_log_array_low, A_log_program_based, A_log_user_based, A_none, A_pseudo, A_remote_ip, rsbac_attribute_value_t::audit_uid, rsbac_attribute_value_t::auid_exempt, rsbac_attribute_value_t::dummy, rsbac_attribute_value_t::fake_root_uid, FALSE, GEN, get_attribute_name(), get_request_name(), get_target_name(), I_shm, rsbac_target_id_t::ipc, LL_denied, LL_full, LL_request, rsbac_attribute_value_t::log_array_high, rsbac_attribute_value_t::log_array_low, rsbac_attribute_value_t::log_program_based, rsbac_attribute_value_t::log_user_based, rsbac_target_id_t::netobj, rsbac_target_id_t::process, rsbac_attribute_value_t::pseudo, R_ACCEPT, R_CLONE, R_CLOSE, R_DELETE, R_EXECUTE, R_NONE, rsbac_attribute_value_t::remote_ip, rsbac_adf_set_attr_acl(), rsbac_adf_set_attr_auth(), rsbac_adf_set_attr_cap(), rsbac_adf_set_attr_check(), rsbac_adf_set_attr_count, rsbac_adf_set_attr_daz(), rsbac_adf_set_attr_ff(), rsbac_adf_set_attr_jail(), rsbac_adf_set_attr_mac(), rsbac_adf_set_attr_pax(), rsbac_adf_set_attr_pm(), rsbac_adf_set_attr_rc(), rsbac_adf_set_attr_reg(), rsbac_adf_set_attr_res(), RSBAC_EINVALIDVALUE, RSBAC_EREADFAILED, rsbac_get_attr, rsbac_get_super_block(), rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), rsbac_log_levels, RSBAC_MAXNAMELEN, RSBAC_NO_USER, rsbac_printk(), rsbac_remove_target, rsbac_set_attr, rsbac_net_obj_desc_t::sock_p, T_DEV, T_DIR, T_FIFO, T_FILE, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NONE, T_PROCESS, T_SYMLINK, T_USER, TRUE, rsbac_ipc_t::type, and rsbac_target_id_t::user. Referenced by rsbac_aef_inode_post_create(), rsbac_aef_inode_post_mkdir(), rsbac_aef_inode_post_mknod(), rsbac_aef_inode_post_symlink(), sys_rsbac_um_add_group(), sys_rsbac_um_add_user(), sys_rsbac_um_remove_group(), and sys_rsbac_um_remove_user(). { union rsbac_target_id_t i_tid; rsbac_uid_t owner; int error = 0; rsbac_boolean_t do_log = FALSE; rsbac_boolean_t log_on_request = TRUE; union rsbac_attribute_value_t i_attr_val; #ifdef CONFIG_RSBAC_IND_LOG union rsbac_attribute_value_t i_attr_val2; enum rsbac_log_level_t log_level; #endif #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT struct super_block * sb_p; #endif /* No attribute setting possible before init (called at boot time) */ if (!rsbac_is_initialized()) return(0); /* kernel (pid 0) is ignored */ if ( !caller_pid #if defined(CONFIG_RSBAC_LOG_REMOTE) || (caller_pid == rsbaclogd_pid) #endif ) return(0); /* Checking base values */ if( request >= R_NONE || target > T_NONE || new_target > T_NONE || attr > A_none) { rsbac_printk(KERN_WARNING "rsbac_adf_set_attr(): called with invalid request, target or attribute\n"); return(-RSBAC_EINVALIDVALUE); } /* Getting basic information about this adf_set_attr-call */ owner = RSBAC_NO_USER; /* only useful for real process, not idle or init */ if (caller_pid > 1) { error = rsbac_get_owner(&owner); if(error) { rsbac_printk(KERN_DEBUG "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0", caller_pid); return(0); /* Startup-Sequence (see above) */ } } else /* caller_pid = 1 -> init -> owner = root */ owner = 0; /*************************************************/ /* General work for all modules - before modules */ #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT if ( ( (target == T_FILE) || (target == T_DIR) || (target == T_FIFO) || (target == T_SYMLINK) ) && ((sb_p = rsbac_get_super_block(tid.file.device))) && ( (sb_p->s_magic == NFS_SUPER_MAGIC) || (sb_p->s_magic == CODA_SUPER_MAGIC) || (sb_p->s_magic == NCP_SUPER_MAGIC) || (sb_p->s_magic == SMB_SUPER_MAGIC) ) ) { error = 0; goto log; } #endif /**********************************************************/ /* calling all decision modules, building a common result */ #ifdef CONFIG_RSBAC_DEBUG /* first, check for valid request/target combination */ error |= rsbac_adf_set_attr_check(request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); if(error) goto general_work; #endif #if !defined(CONFIG_RSBAC_MAINT) /******* MAC ********/ #if defined(CONFIG_RSBAC_MAC) #ifdef CONFIG_RSBAC_SWITCH_MAC if (rsbac_switch_mac) #endif error |= rsbac_adf_set_attr_mac(request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* MAC */ /******* PM ********/ #ifdef CONFIG_RSBAC_PM #ifdef CONFIG_RSBAC_SWITCH_PM if (rsbac_switch_pm) #endif error |= rsbac_adf_set_attr_pm (request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* PM */ /******* DAZ ********/ #ifdef CONFIG_RSBAC_DAZ #ifdef CONFIG_RSBAC_SWITCH_DAZ if (rsbac_switch_daz) #endif error |= rsbac_adf_set_attr_daz (request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* DAZ */ /******* FF ********/ #if 0 /* Nothing to do in there */ #ifdef CONFIG_RSBAC_FF #ifdef CONFIG_RSBAC_SWITCH_FF if (rsbac_switch_ff) #endif error |= rsbac_adf_set_attr_ff (request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* FF */ #endif /* 0 */ /******* RC ********/ #ifdef CONFIG_RSBAC_RC #ifdef CONFIG_RSBAC_SWITCH_RC if (rsbac_switch_rc) #endif error |= rsbac_adf_set_attr_rc (request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* RC */ /****** AUTH *******/ #ifdef CONFIG_RSBAC_AUTH #ifdef CONFIG_RSBAC_SWITCH_AUTH if (rsbac_switch_auth) #endif error |= rsbac_adf_set_attr_auth(request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* AUTH */ /****** ACL *******/ #if 0 /* Nothing there */ #ifdef CONFIG_RSBAC_ACL #ifdef CONFIG_RSBAC_SWITCH_ACL if (rsbac_switch_acl) #endif error |= rsbac_adf_set_attr_acl (request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* ACL */ #endif /****** CAP *******/ #ifdef CONFIG_RSBAC_CAP #ifdef CONFIG_RSBAC_SWITCH_CAP if (rsbac_switch_cap) #endif error |= rsbac_adf_set_attr_cap (request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* CAP */ /****** JAIL *******/ #ifdef CONFIG_RSBAC_JAIL #ifdef CONFIG_RSBAC_SWITCH_JAIL if (rsbac_switch_jail) #endif error |= rsbac_adf_set_attr_jail(request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* JAIL */ /******* PAX ********/ #ifdef CONFIG_RSBAC_PAX #ifdef CONFIG_RSBAC_SWITCH_PAX if (rsbac_switch_pax) #endif error |= rsbac_adf_set_attr_pax (request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* PAX */ /****** RES *******/ #ifdef CONFIG_RSBAC_RES #ifdef CONFIG_RSBAC_SWITCH_RES if (rsbac_switch_res) #endif error |= rsbac_adf_set_attr_res (request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* RES */ /****** REG *******/ #ifdef CONFIG_RSBAC_REG error |= rsbac_adf_set_attr_reg (request, caller_pid, target, tid, new_target, new_tid, attr, attr_val, owner); #endif /* REG */ #endif /* !MAINT */ /* General work for all modules (after set_attr call) */ #ifdef CONFIG_RSBAC_DEBUG general_work: #endif switch(request) { /* remove deleted item from rsbac data */ case R_DELETE : switch (target) { case T_FILE: case T_FIFO: case T_SYMLINK: /* Only remove file/fifo target on deletion of last link */ if ( (attr == A_nlink) && (attr_val.nlink > 1) ) break; /* fall through */ case T_DIR: rsbac_remove_target(target,tid); break; case T_IPC: /* shm removal delayed and removed directly, when destroyed */ if(tid.ipc.type != I_shm) rsbac_remove_target(target,tid); break; default: break; } break; case R_CLONE: switch (target) { case T_PROCESS: #if defined(CONFIG_RSBAC_IND_PROG_LOG) /* get program based log from old process */ if (rsbac_get_attr(GEN, target, tid, A_log_program_based, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based); } else { /* only set, of not default value 0 */ if(i_attr_val.log_program_based) { /* set program based log for new process */ if (rsbac_set_attr(GEN, new_target, new_tid, A_log_program_based, i_attr_val)) { rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based); } } } #endif #if defined(CONFIG_RSBAC_FAKE_ROOT_UID) /* get fake_root_uid from old process */ if (rsbac_get_attr(GEN, target, tid, A_fake_root_uid, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid); } else { /* only set, of not default value 0 */ if(i_attr_val.fake_root_uid) { /* set program based log for new process */ if (rsbac_set_attr(GEN, new_target, new_tid, A_fake_root_uid, i_attr_val)) { rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid); } } } #endif #if defined(CONFIG_RSBAC_NET) /* get remote_ip from old process */ if (rsbac_get_attr(GEN, target, tid, A_remote_ip, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_remote_ip); } else { /* only set, of not default value 0 */ if(i_attr_val.remote_ip) { /* set program based log for new process */ if (rsbac_set_attr(GEN, new_target, new_tid, A_remote_ip, i_attr_val)) { rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip); } } } #endif /* get kernel_thread from old process */ if (rsbac_get_attr(GEN, target, tid, A_kernel_thread, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_kernel_thread); } else { if (i_attr_val.kernel_thread) { if (rsbac_set_attr(GEN, new_target, new_tid, A_kernel_thread, i_attr_val)) { rsbac_ds_set_error ("rsbac_adf_set_attr()", A_kernel_thread); } } } /* get audit_uid from old process */ if (rsbac_get_attr(GEN, target, tid, A_audit_uid, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid); } else { /* only set, of not default value NO_USER */ if(i_attr_val.audit_uid != RSBAC_NO_USER) { /* set audit uid for new process */ if (rsbac_set_attr(GEN, new_target, new_tid, A_audit_uid, i_attr_val)) { rsbac_ds_set_error("rsbac_adf_set_attr()", A_audit_uid); } } } /* get auid_exempt from old process */ if (rsbac_get_attr(GEN, target, tid, A_auid_exempt, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt); } else { /* only set, of not default value NO_USER */ if(i_attr_val.auid_exempt != RSBAC_NO_USER) { /* set program based log for new process */ if (rsbac_set_attr(GEN, new_target, new_tid, A_auid_exempt, i_attr_val)) { rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt); } } } break; default: break; } break; #ifdef CONFIG_RSBAC_NET_OBJ case R_CLOSE: switch (target) { case T_NETOBJ: rsbac_remove_target(target,tid); break; default: break; } break; case R_ACCEPT: switch (target) { case T_NETOBJ: /* store remote IP */ if( tid.netobj.sock_p && tid.netobj.sock_p->ops && tid.netobj.sock_p->sk && (tid.netobj.sock_p->ops->family == AF_INET) ) { i_tid.process = caller_pid; #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) i_attr_val.remote_ip = inet_sk(tid.netobj.sock_p->sk)->daddr; #else i_attr_val.remote_ip = tid.netobj.sock_p->sk->daddr; #endif /* set program based log for new process */ if (rsbac_set_attr(GEN, T_PROCESS, i_tid, A_remote_ip, i_attr_val)) { rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip); } } break; default: break; } break; #endif /* CONFIG_RSBAC_NET_OBJ */ case R_EXECUTE : switch (target) { case T_FILE: #if defined(CONFIG_RSBAC_IND_PROG_LOG) /* get program based log from file */ if (rsbac_get_attr(GEN, target, tid, A_log_program_based, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based); } else { /* set program based log for process */ i_tid.process = caller_pid; if (rsbac_set_attr(GEN, T_PROCESS, i_tid, A_log_program_based, i_attr_val)) { rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based); } } #endif #if defined(CONFIG_RSBAC_FAKE_ROOT_UID) /* get fake_root_uid from file */ if (rsbac_get_attr(GEN, target, tid, A_fake_root_uid, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid); } else { /* set fake_root_uid for process */ if(i_attr_val.fake_root_uid) { i_tid.process = caller_pid; if (rsbac_set_attr(GEN, T_PROCESS, i_tid, A_fake_root_uid, i_attr_val)) { rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid); } } } #endif /* get auid_exempt from file */ if (rsbac_get_attr(GEN, target, tid, A_auid_exempt, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt); } else { if(i_attr_val.auid_exempt != RSBAC_NO_USER) { /* set auid_exempt for process */ i_tid.process = caller_pid; if (rsbac_set_attr(GEN, T_PROCESS, i_tid, A_auid_exempt, i_attr_val)) { rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt); } } } break; default: break; } break; default: break; } #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET) if( rsbac_debug_adf_net && ( (target == T_NETDEV) || (target == T_NETTEMP) || (target == T_NETOBJ) ) ) do_log = TRUE; #endif /* log based on process owner */ #ifdef CONFIG_RSBAC_IND_USER_LOG i_tid.user = owner; if (rsbac_get_attr(GEN, T_USER, i_tid, A_log_user_based, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_user_based); } else { if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) do_log = TRUE; } #endif /* CONFIG_RSBAC_IND_USER_LOG */ /* log based on program */ #ifdef CONFIG_RSBAC_IND_PROG_LOG if(!do_log) { i_tid.process = caller_pid; if (rsbac_get_attr(GEN, T_PROCESS, i_tid, A_log_program_based, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based); } else { if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) do_log = TRUE; } } #endif /* CONFIG_RSBAC_IND_PROG_LOG */ /* logging request on info level, if requested by file/dir/dev attributes */ /* log_array_low/high, or, if that is requested, if enabled for this request */ /* type (attributes state level, or that request based level is to be taken) */ /* loglevel 2: log everything */ /* loglevel 1: log, if denied */ /* loglevel 0: log nothing */ #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */ /* if file/dir/dev, depend log on log_arrays */ /* (but not for file.device = 0) */ /* log_on_request is TRUE */ if(!do_log) { if( ( ( (target == T_FILE) || (target == T_DIR) || (target == T_FIFO) || (target == T_SYMLINK) ) && RSBAC_MAJOR(tid.file.device) && RSBAC_MINOR(tid.file.device) ) || (target == T_DEV) ) { if (rsbac_get_attr(GEN, target, tid, A_log_array_low, &i_attr_val, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_low); } else { if (rsbac_get_attr(GEN, target, tid, A_log_array_high, &i_attr_val2, FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_high); } else { /* ll = low-bit for request | (high-bit for request as bit 1) */ log_level = ((i_attr_val.log_array_low >> request) & 1) | ( ((i_attr_val2.log_array_high >> request) & 1) << 1); if ( log_level == LL_full || ( log_level == LL_denied && error) ) { do_log = TRUE; } if(log_level != LL_request) log_on_request = FALSE; } } } } #endif /* CONFIG_RSBAC_IND_LOG */ #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT log: #endif /* if enabled, try request based log level */ if (log_on_request && ( rsbac_log_levels[request][target] == LL_full || ( rsbac_log_levels[request][target] == LL_denied && error) ) ) do_log = TRUE; if(do_log) { char * request_name; char * target_type_name; char * new_target_type_name; char * target_id_name; char * new_target_id_name; char * attr_name; rsbac_uid_t audit_uid; #ifdef CONFIG_RSBAC_LOG_PSEUDO rsbac_pseudo_t pseudo = 0; #endif /* Get process audit_uid */ i_tid.process = caller_pid; if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid); return -RSBAC_EREADFAILED; /* something weird happened */ } audit_uid = i_attr_val.audit_uid; if(audit_uid == RSBAC_NO_USER) audit_uid = owner; #ifdef CONFIG_RSBAC_LOG_PSEUDO /* Get owner's logging pseudo */ i_tid.user = audit_uid; if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE)) { rsbac_ds_get_error("rsbac_adf_set_attr()", A_pseudo); return -RSBAC_EREADFAILED; /* something weird happened */ } /* if pseudo is not registered, return attribute value is 0 (see later) */ pseudo = i_attr_val.pseudo; #endif /* rsbac_kmalloc all memory */ request_name = rsbac_kmalloc(32); target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); new_target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN); #ifdef CONFIG_RSBAC_LOG_FULL_PATH target_id_name = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); new_target_id_name = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN); /* max. path name len + some extra */ #else target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); new_target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN); /* max. file name len + some extra */ #endif attr_name = rsbac_kmalloc(32); /* Getting basic information about this request */ request_name[0] = (char) 0; target_type_name[0] = (char) 0; target_id_name[0] = (char) 0; new_target_type_name[0] = (char) 0; new_target_id_name[0] = (char) 0; attr_name[0] = (char) 0; get_request_name(request_name, request); get_target_name(target_type_name, target, target_id_name, tid); get_target_name(new_target_type_name, new_target, new_target_id_name, new_tid); get_attribute_name(attr_name, attr); #ifdef CONFIG_RSBAC_LOG_PSEUDO if(pseudo) rsbac_printk(KERN_INFO "rsbac_adf_set_attr(): request %s, pid %u, pseudo %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n", request_name, (u_int) caller_pid, pseudo, target_type_name, target_id_name, new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error); else #endif rsbac_printk(KERN_INFO "rsbac_adf_set_attr(): request %s, pid %u, uid %u, audit_uid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n", request_name, (u_int) caller_pid, owner, audit_uid, target_type_name, target_id_name, new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error); /* rsbac_kfree all helper mem */ rsbac_kfree(request_name); rsbac_kfree(target_type_name); rsbac_kfree(new_target_type_name); rsbac_kfree(target_id_name); rsbac_kfree(new_target_id_name); rsbac_kfree(attr_name); } /* count */ rsbac_adf_set_attr_count[target]++; #ifdef CONFIG_RSBAC_XSTATS rsbac_adf_set_attr_xcount[target][request]++; #endif return(error); } /* end of rsbac_adf_set_attr() */

void __init rsbac_init_adf (  void   )

Definition at line 128 of file adf_main.c. References rsbac_reg_init(). Referenced by rsbac_do_init(). { #if defined(CONFIG_RSBAC_REG) rsbac_reg_init(); #endif };

int rsbac_sec_del (  struct dentry *  dentry_p  )

Definition at line 2537 of file adf_main.c. { return 0; }

int rsbac_sec_trunc (  struct dentry *  dentry_p, loff_t  new_len, loff_t  old_len )

Definition at line 2531 of file adf_main.c. { return 0; }

int rsbac_set_audit_uid (  rsbac_uid_t  uid  )

Definition at line 3059 of file adf_main.c. References A_audit_uid, A_auid_exempt, rsbac_attribute_value_t::audit_uid, rsbac_attribute_value_t::auid_exempt, GEN, rsbac_target_id_t::process, RSBAC_EREADFAILED, RSBAC_EWRITEFAILED, rsbac_get_attr, RSBAC_NO_USER, rsbac_set_attr, and T_PROCESS. { union rsbac_target_id_t tid; union rsbac_attribute_value_t attr_val; if(!uid || (uid == current->uid)) return 0; tid.process = current->pid; if (rsbac_get_attr(GEN, T_PROCESS, tid, A_audit_uid, &attr_val, FALSE)) { rsbac_ds_get_error("rsbac_set_audit_uid()", A_audit_uid); return -RSBAC_EREADFAILED; } if(attr_val.audit_uid != RSBAC_NO_USER) return 0; if (rsbac_get_attr(GEN, T_PROCESS, tid, A_auid_exempt, &attr_val, FALSE)) { rsbac_ds_get_error("rsbac_set_audit_uid()", A_auid_exempt); return -RSBAC_EREADFAILED; } if(attr_val.auid_exempt == uid) return 0; attr_val.audit_uid = uid; if (rsbac_set_attr(GEN, T_PROCESS, tid, A_audit_uid, attr_val)) { rsbac_ds_set_error("rsbac_set_audit_uid()", A_audit_uid); return -RSBAC_EWRITEFAILED; } return 0; }

---

Variable Documentation

u_long rsbac_adf_request_count[T_NONE+1] = {0,0,0,0,0,0,0,0}

Definition at line 53 of file adf_main.c. Referenced by rsbac_adf_request_int(), and rsbac_stats().

u_long rsbac_adf_set_attr_count[T_NONE+1] = {0,0,0,0,0,0,0,0}

Definition at line 54 of file adf_main.c. Referenced by rsbac_adf_set_attr(), and rsbac_stats().

---