Main Page | Alphabetical List | Data Structures | Directories | File List | Data Fields | Globals | Search for 
linux-2.6.16-rsbac-1.2.6 / rsbac / adf

adf_main.c

Go to the documentation of this file.
00001 /*************************************************** */
00002 /* Rule Set Based Access Control                     */
00003 /* Implementation of the Access Control Decision     */
00004 /* Facility (ADF) - Main file main.c                 */
00005 /*                                                   */
00006 /* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org> */
00007 /*                                                   */
00008 /* Last modified: 15/Jul/2005                        */
00009 /*************************************************** */
00010 
00011 #include <linux/string.h>
00012 #include <linux/init.h>
00013 #include <linux/config.h>
00014 #include <linux/module.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci.h>
00017 #include <rsbac/adf.h>
00018 #include <rsbac/adf_main.h>
00019 #include <rsbac/error.h>
00020 #include <rsbac/helpers.h>
00021 #include <rsbac/getname.h>
00022 #include <rsbac/cap_getname.h>
00023 #include <rsbac/jail_getname.h>
00024 #include <rsbac/rkmem.h>
00025 #include <rsbac/network.h>
00026 #if defined(CONFIG_RSBAC_UM_EXCL)
00027 #include <rsbac/um.h>
00028 #endif
00029 
00030 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00031 #include <linux/nfs_fs.h>
00032 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00033 #include <linux/coda.h>
00034 #endif
00035 #include <linux/coda_psdev.h>
00036 #include <linux/ncp_fs.h>
00037 #include <linux/smb.h>
00038 #endif
00039 
00040 #ifdef CONFIG_RSBAC_SECDEL
00041 #include <linux/types.h>
00042 #include <linux/dcache.h>
00043 #include <asm/uaccess.h>
00044 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00045 #include <linux/buffer_head.h>
00046 #endif
00047 #endif /* SECDEL */
00048 
00049 /************************************************* */
00050 /*           Global Variables                      */
00051 /************************************************* */
00052 
00053 u_long rsbac_adf_request_count[T_NONE+1] = {0,0,0,0,0,0,0,0};
00054 u_long rsbac_adf_set_attr_count[T_NONE+1] = {0,0,0,0,0,0,0,0};
00055 #ifdef CONFIG_RSBAC_XSTATS
00056 u_long rsbac_adf_request_xcount[T_NONE+1][R_NONE];
00057 u_long rsbac_adf_set_attr_xcount[T_NONE+1][R_NONE];
00058 #endif
00059 
00060 /******* MAC ********/
00061 #ifdef CONFIG_RSBAC_SWITCH_MAC
00062 rsbac_boolean_t rsbac_switch_mac = TRUE;
00063 #endif  /* MAC */
00064 
00065 /******* PM ********/
00066 #ifdef CONFIG_RSBAC_SWITCH_PM
00067 rsbac_boolean_t rsbac_switch_pm = TRUE;
00068 #endif  /* PM */
00069 
00070 /******* DAZ ********/
00071 #ifdef CONFIG_RSBAC_SWITCH_DAZ
00072 rsbac_boolean_t rsbac_switch_daz = TRUE;
00073 #endif  /* DAZ */
00074 
00075 /******* FF ********/
00076 #ifdef CONFIG_RSBAC_SWITCH_FF
00077 rsbac_boolean_t rsbac_switch_ff = TRUE;
00078 #endif  /* FF */
00079 
00080 /******* RC ********/
00081 #ifdef CONFIG_RSBAC_SWITCH_RC
00082 rsbac_boolean_t rsbac_switch_rc = TRUE;
00083 #endif  /* RC */
00084 
00085 /****** AUTH *******/
00086 #ifdef CONFIG_RSBAC_SWITCH_AUTH
00087 rsbac_boolean_t rsbac_switch_auth = TRUE;
00088 #endif  /* AUTH */
00089 
00090 /****** ACL *******/
00091 #ifdef CONFIG_RSBAC_SWITCH_ACL
00092 rsbac_boolean_t rsbac_switch_acl = TRUE;
00093 #endif  /* ACL */
00094 
00095 /****** CAP *******/
00096 #ifdef CONFIG_RSBAC_SWITCH_CAP
00097 rsbac_boolean_t rsbac_switch_cap = TRUE;
00098 #endif  /* CAP */
00099 
00100 /****** JAIL *******/
00101 #ifdef CONFIG_RSBAC_SWITCH_JAIL
00102 rsbac_boolean_t rsbac_switch_jail = TRUE;
00103 #endif  /* JAIL */
00104 
00105 /****** PAX ********/
00106 #ifdef CONFIG_RSBAC_SWITCH_PAX
00107 rsbac_boolean_t rsbac_switch_pax = TRUE;
00108 #endif  /* PAX */
00109 
00110 /****** RES *******/
00111 #ifdef CONFIG_RSBAC_SWITCH_RES
00112 rsbac_boolean_t rsbac_switch_res = TRUE;
00113 #endif  /* RES */
00114 
00115 /************************************************* */
00116 /*          Internal Help functions                */
00117 /************************************************* */
00118 
00119 /************************************************* */
00120 /*          Externally visible functions           */
00121 /************************************************* */
00122 
00123 /* Init function, calls inits for all sub-modules  */
00124 
00125 #ifdef CONFIG_RSBAC_INIT_DELAY
00126 void rsbac_init_adf(void)
00127 #else
00128 void __init rsbac_init_adf(void)
00129 #endif
00130   {
00131     #if defined(CONFIG_RSBAC_REG)
00132     rsbac_reg_init();
00133     #endif
00134   };
00135 
00136 enum rsbac_adf_req_ret_t
00137     adf_and_plus(enum rsbac_adf_req_ret_t res1,
00138                  enum rsbac_adf_req_ret_t res2)
00139   {
00140     switch (res1)
00141       {
00142         case GRANTED:     if (res2 == DO_NOT_CARE)
00143                             return (GRANTED);
00144                           else
00145                             return (res2);
00146         case NOT_GRANTED: if (res2 == UNDEFINED)
00147                             return (UNDEFINED);
00148                           else
00149                             return (NOT_GRANTED);
00150         case DO_NOT_CARE: return (res2);
00151         default:          return (UNDEFINED);
00152       }
00153   };
00154 
00155 /*********************************************************************/
00156 /* rsbac_adf_request()                                               */
00157 /* This function is the main decision function, called from the AEF. */
00158 
00159 EXPORT_SYMBOL(rsbac_adf_request_int);
00160 enum rsbac_adf_req_ret_t
00161    rsbac_adf_request_int(enum  rsbac_adf_request_t     request,
00162                                rsbac_pid_t             caller_pid,
00163                          enum  rsbac_target_t          target,
00164                          union rsbac_target_id_t     * tid_p,
00165                          enum  rsbac_attribute_t       attr,
00166                          union rsbac_attribute_value_t * attr_val_p,
00167                          enum  rsbac_switch_target_t   ignore_module)
00168   {
00169     union rsbac_target_id_t        i_tid;
00170     union rsbac_attribute_value_t  i_attr_val;
00171           rsbac_uid_t              owner=0;
00172     int tmperr=0;
00173     enum rsbac_adf_req_ret_t   result = DO_NOT_CARE;
00174 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00175     enum rsbac_adf_req_ret_t   ret_result = DO_NOT_CARE;
00176 #endif
00177 #ifndef CONFIG_RSBAC_MAINT
00178     enum rsbac_adf_req_ret_t   mod_result[SW_NONE + 1] = {
00179                                    DO_NOT_CARE,
00180                                    DO_NOT_CARE,
00181                                    DO_NOT_CARE,
00182                                    DO_NOT_CARE,
00183                                    DO_NOT_CARE,
00184                                    DO_NOT_CARE,
00185                                    DO_NOT_CARE,
00186                                    DO_NOT_CARE,
00187                                    DO_NOT_CARE,
00188                                    DO_NOT_CARE,
00189                                    DO_NOT_CARE,
00190                                    DO_NOT_CARE,
00191                                    DO_NOT_CARE,
00192                                    DO_NOT_CARE,
00193                                    DO_NOT_CARE,
00194                                    DO_NOT_CARE,
00195                                    DO_NOT_CARE,
00196                                    DO_NOT_CARE
00197                                  };
00198 #endif
00199     rsbac_boolean_t do_log = FALSE;
00200     rsbac_boolean_t log_on_request = TRUE;
00201 /* only if individual logging is enabled */
00202 #if defined(CONFIG_RSBAC_IND_LOG) || defined(CONFIG_RSBAC_IND_NETDEV_LOG) || defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
00203     union rsbac_attribute_value_t  i_attr_val2;
00204     enum rsbac_log_level_t log_level;
00205 #endif
00206     struct super_block * sb_p;
00207 #ifdef CONFIG_RSBAC_SOFTMODE
00208     rsbac_boolean_t rsbac_internal = FALSE;
00209 #endif
00210 
00211 /* No decision possible before init (called at boot time) -> don't care */
00212     if (!rsbac_is_initialized())
00213       return(DO_NOT_CARE);
00214 
00215 /* Always granted for kernel (pid 0) and logging daemon */
00216     if (   !caller_pid
00217         #if defined(CONFIG_RSBAC_LOG_REMOTE)
00218         || (caller_pid == rsbaclogd_pid)
00219         #endif
00220        )
00221       return(GRANTED);
00222 
00223 /* Checking base values */
00224     if(   request >= R_NONE
00225        || target > T_NONE
00226        || attr > A_none)
00227       {
00228         rsbac_printk(KERN_WARNING
00229                "rsbac_adf_request(): called with invalid request, target or attribute\n");
00230         return(NOT_GRANTED);
00231       }
00232 
00233     if (in_interrupt())
00234       {
00235         char * request_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00236 
00237         if(request_name)
00238           {
00239             get_request_name(request_name, request);
00240             rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %s, pid %u, attr_val %u!\n",
00241                    request_name, caller_pid, attr_val_p->dummy);
00242             kfree(request_name);
00243           }
00244         else
00245           {
00246             rsbac_printk(KERN_WARNING "rsbac_adf_request(): called from interrupt: request %u, pid %u!\n",
00247                    request, caller_pid);
00248           }
00249 //        return DO_NOT_CARE;
00250       }
00251 
00252 /* Getting basic information about this request */
00253 
00254     /* only useful for real process, not idle or init */
00255     if (caller_pid > 1)
00256       {
00257         tmperr = rsbac_get_owner(&owner);
00258         if(tmperr)
00259           {
00260             rsbac_printk(KERN_DEBUG
00261                    "rsbac_adf_request(): caller_pid %i, RSBAC not initialized, returning DO_NOT_CARE",
00262                    caller_pid);
00263             return(DO_NOT_CARE);      /* Startup-Sequence (see above) */
00264           }
00265       }
00266     else  /* caller_pid = 1 -> init, always owned by root */
00267       owner = 0;
00268 
00269 
00270 /******************************************************/
00271 /* General work for all modules - before module calls */
00272     /* test target on rsbac_internal */
00273     switch(target)
00274       {
00275         case T_FILE:
00276         case T_DIR:
00277         case T_FIFO:
00278         case T_SYMLINK:
00279 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
00280           if (   ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00281               && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
00282                   || (sb_p->s_magic == CODA_SUPER_MAGIC)
00283                   || (sb_p->s_magic == NCP_SUPER_MAGIC)
00284                   || (sb_p->s_magic == SMB_SUPER_MAGIC)
00285                  )
00286              )
00287             {
00288               result = DO_NOT_CARE;
00289               goto log;
00290             }
00291 #endif
00292           /* No decision on pseudo pipefs */
00293           if(   (target == T_FIFO)
00294              && ((sb_p = rsbac_get_super_block(tid_p->file.device)))
00295              && (sb_p->s_magic == PIPEFS_MAGIC)
00296             )
00297             return DO_NOT_CARE;
00298 #if 0 && LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
00299           /* No decision on pseudo sockfs */
00300           if(   (target == T_FILE)
00301              && (!RSBAC_MAJOR(tid_p->file.device))
00302              && (!RSBAC_MINOR(tid_p->file.device))
00303             )
00304             return DO_NOT_CARE;
00305 #endif
00306           switch(request)
00307             {
00308               case R_GET_STATUS_DATA:
00309               case R_GET_PERMISSIONS_DATA:
00310               case R_READ_ATTRIBUTE:
00311 #ifdef CONFIG_RSBAC_DAT_VISIBLE
00312               case R_SEARCH:
00313               case R_READ:
00314               case R_CLOSE:
00315               case R_CHDIR:
00316 #endif
00317                 break;
00318 
00319               default:
00320                 if ((tmperr = rsbac_get_attr(GEN,
00321                                              target,
00322                                              *tid_p,
00323                                              A_internal,
00324                                              &i_attr_val,
00325                                              TRUE) ))
00326                   {
00327                     if(tmperr == -RSBAC_EINVALIDDEV)
00328                       {
00329 //                        rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00330                         return(DO_NOT_CARE);  /* last calls on shutdown */
00331                       }
00332                     else
00333                       {
00334                         rsbac_ds_get_error_num("rsbac_adf_request()", A_internal, tmperr);
00335                         return(NOT_GRANTED);  /* something weird happened */
00336                       }
00337                   }
00338                 /* no access to rsbac_internal objects is granted in any case */
00339                 if (i_attr_val.internal)
00340                   {
00341                     rsbac_printk(KERN_WARNING
00342                            "rsbac_adf_request(): trial to access object declared RSBAC-internal!\n");
00343                     result = NOT_GRANTED;
00344                     #ifndef CONFIG_RSBAC_MAINT
00345                     mod_result[SW_NONE] = NOT_GRANTED;
00346                     #endif
00347                     #ifdef CONFIG_RSBAC_SOFTMODE
00348                     #ifdef CONFIG_RSBAC_SOFTMODE_IND
00349                     ret_result = NOT_GRANTED;
00350                     #endif
00351                     rsbac_internal = TRUE;
00352                     #endif
00353                   }
00354             }
00355           break;
00356 
00357 #if defined(CONFIG_RSBAC_UM_EXCL)
00358         case T_PROCESS:
00359           switch(request)
00360             {
00361               case R_CHANGE_OWNER:
00362 #ifdef CONFIG_RSBAC_DAC_OWNER
00363               case R_CHANGE_DAC_EFF_OWNER:
00364               case R_CHANGE_DAC_FS_OWNER:
00365 #endif
00366                 if(   (attr == A_owner)
00367                    && !rsbac_um_no_excl
00368                    && !rsbac_um_user_exists(0, attr_val_p->owner)
00369                   )
00370                   {
00371                     rsbac_printk(KERN_INFO
00372                                  "rsbac_adf_request(): uid %u not known to RSBAC User Management!\n",
00373                                  attr_val_p->owner);
00374                     result = adf_and_plus(result, NOT_GRANTED);
00375 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00376                     ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00377 #endif
00378                   }
00379                 break;
00380 
00381               case R_CHANGE_GROUP:
00382 #ifdef CONFIG_RSBAC_DAC_OWNER
00383               case R_CHANGE_DAC_EFF_GROUP:
00384               case R_CHANGE_DAC_FS_GROUP:
00385 #endif
00386                 if(   (attr == A_group)
00387                    && !rsbac_um_no_excl
00388                    && !rsbac_um_group_exists(0, attr_val_p->group)
00389                   )
00390                   {
00391                     rsbac_printk(KERN_INFO
00392                                  "rsbac_adf_request(): gid %u not known to RSBAC User Management!\n",
00393                                  attr_val_p->group);
00394                     result = adf_and_plus(result, NOT_GRANTED);
00395 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00396                     ret_result = adf_and_plus(ret_result, NOT_GRANTED);
00397 #endif
00398                   }
00399                 break;
00400 
00401               default:
00402                 break;
00403             }
00404           break;
00405 #endif /* UM_EXCL */
00406 
00407         default:
00408           break;
00409       }
00410       
00411 /**********************************************************/
00412 /* calling all decision modules, building a common result */
00413 
00414 #ifdef CONFIG_RSBAC_DEBUG
00415 /* first, check for valid request/target combination      */
00416 /* (undefined should only happen in _check and means a real bug!) */
00417   result = adf_and_plus(result,rsbac_adf_request_check(request,
00418                                                        caller_pid,
00419                                                        target,
00420                                                        tid_p,
00421                                                        attr,
00422                                                        attr_val_p,
00423                                                        owner) );
00424 
00425 if(result == UNDEFINED)
00426   goto log;
00427 #endif
00428 
00429 #if !defined(CONFIG_RSBAC_MAINT)
00430 /******* MAC ********/
00431 #if defined(CONFIG_RSBAC_MAC)
00432 #ifdef CONFIG_RSBAC_SWITCH_MAC
00433 if (rsbac_switch_mac)
00434 #endif
00435   /* no need to call module, if to be ignored */
00436   if(ignore_module != MAC)
00437     {
00438       mod_result[MAC] = rsbac_adf_request_mac(request,
00439                                               caller_pid,
00440                                               target,
00441                                               *tid_p,
00442                                               attr,
00443                                               *attr_val_p,
00444                                               owner);
00445       result = adf_and_plus(result, mod_result[MAC]);
00446 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00447       if(!rsbac_ind_softmode[MAC])
00448         ret_result = adf_and_plus(ret_result, mod_result[MAC]);
00449 #endif
00450     }
00451 #endif  /* MAC */
00452 
00453 /******* PM ********/
00454 #if defined(CONFIG_RSBAC_PM)
00455 #ifdef CONFIG_RSBAC_SWITCH_PM
00456 if (rsbac_switch_pm)
00457 #endif
00458   /* no need to call module, if to be ignored */
00459   if(ignore_module != PM)
00460     {
00461       mod_result[PM]  = rsbac_adf_request_pm (request,
00462                                               caller_pid,
00463                                               target,
00464                                               *tid_p,
00465                                               attr,
00466                                               *attr_val_p,
00467                                               owner);
00468       result = adf_and_plus(result, mod_result[PM]);
00469 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00470       if(!rsbac_ind_softmode[PM])
00471         ret_result = adf_and_plus(ret_result, mod_result[PM]);
00472 #endif
00473     }
00474 #endif  /* PM */
00475 
00476 /******* DAZ ********/
00477 #if defined(CONFIG_RSBAC_DAZ)
00478 #ifdef CONFIG_RSBAC_SWITCH_DAZ
00479 if (rsbac_switch_daz)
00480 #endif
00481   /* no need to call module, if to be ignored */
00482   if(ignore_module != DAZ)
00483     {
00484       mod_result[DAZ]  = rsbac_adf_request_daz (request,
00485                                               caller_pid,
00486                                               target,
00487                                               *tid_p,
00488                                               attr,
00489                                               *attr_val_p,
00490                                               owner);
00491       result = adf_and_plus(result, mod_result[DAZ]);
00492 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00493       if(!rsbac_ind_softmode[DAZ])
00494         ret_result = adf_and_plus(ret_result, mod_result[DAZ]);
00495 #endif
00496     }
00497 #endif  /* DAZ */
00498 
00499 /******* FF ********/
00500 #if defined(CONFIG_RSBAC_FF)
00501 #ifdef CONFIG_RSBAC_SWITCH_FF
00502 if (rsbac_switch_ff)
00503 #endif
00504   /* no need to call module, if to be ignored */
00505   if(ignore_module != FF)
00506     {
00507       mod_result[FF]  = rsbac_adf_request_ff (request,
00508                                               caller_pid,
00509                                               target,
00510                                               *tid_p,
00511                                               attr,
00512                                               *attr_val_p,
00513                                               owner);
00514       result = adf_and_plus(result, mod_result[FF]);
00515 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00516       if(!rsbac_ind_softmode[FF])
00517         ret_result = adf_and_plus(ret_result, mod_result[FF]);
00518 #endif
00519     }
00520 #endif  /* FF */
00521 
00522 /******* RC ********/
00523 #if defined(CONFIG_RSBAC_RC)
00524 #ifdef CONFIG_RSBAC_SWITCH_RC
00525 if (rsbac_switch_rc)
00526 #endif
00527   /* no need to call module, if to be ignored */
00528   if(ignore_module != RC)
00529     {
00530       mod_result[RC]  = rsbac_adf_request_rc (request,
00531                                               caller_pid,
00532                                               target,
00533                                               *tid_p,
00534                                               attr,
00535                                               *attr_val_p,
00536                                               owner);
00537       result = adf_and_plus(result, mod_result[RC]);
00538 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00539       if(!rsbac_ind_softmode[RC])
00540         ret_result = adf_and_plus(ret_result, mod_result[RC]);
00541 #endif
00542     }
00543 #endif  /* RC */
00544 
00545 /****** AUTH *******/
00546 #if defined(CONFIG_RSBAC_AUTH)
00547 #ifdef CONFIG_RSBAC_SWITCH_AUTH
00548 if (rsbac_switch_auth)
00549 #endif
00550   /* no need to call module, if to be ignored */
00551   if(ignore_module != AUTH)
00552     {
00553       mod_result[AUTH]= rsbac_adf_request_auth(request,
00554                                               caller_pid,
00555                                               target,
00556                                               *tid_p,
00557                                               attr,
00558                                               *attr_val_p,
00559                                               owner);
00560       result = adf_and_plus(result, mod_result[AUTH]);
00561 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00562       if(!rsbac_ind_softmode[AUTH])
00563         ret_result = adf_and_plus(ret_result, mod_result[AUTH]);
00564 #endif
00565     }
00566 #endif  /* AUTH */
00567 
00568 /****** ACL *******/
00569 #if defined(CONFIG_RSBAC_ACL)
00570 #ifdef CONFIG_RSBAC_SWITCH_ACL
00571 if (rsbac_switch_acl)
00572 #endif
00573   /* no need to call module, if to be ignored */
00574   if(ignore_module != ACL)
00575     {
00576       mod_result[ACL] = rsbac_adf_request_acl(request,
00577                                               caller_pid,
00578                                               target,
00579                                               *tid_p,
00580                                               attr,
00581                                               *attr_val_p,
00582                                               owner);
00583       result = adf_and_plus(result, mod_result[ACL]);
00584 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00585       if(!rsbac_ind_softmode[ACL])
00586         ret_result = adf_and_plus(ret_result, mod_result[ACL]);
00587 #endif
00588     }
00589 #endif  /* ACL */
00590 
00591 /****** CAP *******/
00592 #if defined(CONFIG_RSBAC_CAP)
00593 #ifdef CONFIG_RSBAC_SWITCH_CAP
00594 if (rsbac_switch_cap)
00595 #endif
00596   /* no need to call module, if to be ignored */
00597   if(ignore_module != CAP)
00598     {
00599       mod_result[CAP] = rsbac_adf_request_cap(request,
00600                                               caller_pid,
00601                                               target,
00602                                               *tid_p,
00603                                               attr,
00604                                               *attr_val_p,
00605                                               owner);
00606       result = adf_and_plus(result, mod_result[CAP]);
00607 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00608       if(!rsbac_ind_softmode[CAP])
00609         ret_result = adf_and_plus(ret_result, mod_result[CAP]);
00610 #endif
00611     }
00612 #endif  /* CAP */
00613 
00614 /****** JAIL *******/
00615 #if defined(CONFIG_RSBAC_JAIL)
00616 #ifdef CONFIG_RSBAC_SWITCH_JAIL
00617 if (rsbac_switch_jail)
00618 #endif
00619   /* no need to call module, if to be ignored */
00620   if(ignore_module != JAIL)
00621     {
00622       mod_result[JAIL]= rsbac_adf_request_jail(request,
00623                                               caller_pid,
00624                                               target,
00625                                               *tid_p,
00626                                               attr,
00627                                               *attr_val_p,
00628                                               owner);
00629       result = adf_and_plus(result, mod_result[JAIL]);
00630 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00631       if(!rsbac_ind_softmode[JAIL])
00632         ret_result = adf_and_plus(ret_result, mod_result[JAIL]);
00633 #endif
00634     }
00635 #endif  /* JAIL */
00636 
00637 /******* PAX ********/
00638 #if defined(CONFIG_RSBAC_PAX)
00639 #ifdef CONFIG_RSBAC_SWITCH_PAX
00640 if (rsbac_switch_pax)
00641 #endif
00642   /* no need to call module, if to be ignored */
00643   if(ignore_module != PAX)
00644     {
00645       mod_result[PAX]  = rsbac_adf_request_pax (request,
00646                                               caller_pid,
00647                                               target,
00648                                               *tid_p,
00649                                               attr,
00650                                               *attr_val_p,
00651                                               owner);
00652       result = adf_and_plus(result, mod_result[PAX]);
00653 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00654       if(!rsbac_ind_softmode[PAX])
00655         ret_result = adf_and_plus(ret_result, mod_result[PAX]);
00656 #endif
00657     }
00658 #endif  /* PAX */
00659 
00660 /****** RES *******/
00661 #if defined(CONFIG_RSBAC_RES)
00662 #ifdef CONFIG_RSBAC_SWITCH_RES
00663 if (rsbac_switch_res)
00664 #endif
00665   /* no need to call module, if to be ignored */
00666   if(ignore_module != RES)
00667     {
00668       mod_result[RES] = rsbac_adf_request_res(request,
00669                                               caller_pid,
00670                                               target,
00671                                               *tid_p,
00672                                               attr,
00673                                               *attr_val_p,
00674                                               owner);
00675       result = adf_and_plus(result, mod_result[RES]);
00676 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00677       if(!rsbac_ind_softmode[RES])
00678         ret_result = adf_and_plus(ret_result, mod_result[RES]);
00679 #endif
00680     }
00681 #endif  /* RES */
00682 
00683 /****** REG *******/
00684 #if defined(CONFIG_RSBAC_REG)
00685 if(ignore_module != REG)
00686   {
00687     mod_result[REG]= rsbac_adf_request_reg (request,
00688                                             caller_pid,
00689                                             target,
00690                                             *tid_p,
00691                                             attr,
00692                                             *attr_val_p,
00693                                             owner);
00694     result = adf_and_plus(result, mod_result[REG]);
00695 #ifdef CONFIG_RSBAC_SOFTMODE_IND
00696     if(!rsbac_ind_softmode[REG])
00697       ret_result = adf_and_plus(ret_result, mod_result[REG]);
00698 #endif
00699   }
00700 #endif  /* REG */
00701 
00702 #endif /* !MAINT */
00703 
00704 /****************************/
00705 
00706 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
00707     if(    rsbac_debug_adf_net
00708        && (   (target == T_NETDEV)
00709            || (target == T_NETTEMP)
00710            || (target == T_NETOBJ)
00711           )
00712       )
00713       do_log = TRUE;
00714 #endif
00715 
00716 /* log based on process owner */
00717 #ifdef CONFIG_RSBAC_IND_USER_LOG
00718     i_tid.user = owner;
00719     if (rsbac_get_attr(GEN,
00720                        T_USER,
00721                        i_tid,
00722                        A_log_user_based,
00723                        &i_attr_val,
00724                        FALSE))
00725       {
00726         rsbac_ds_get_error("rsbac_adf_request()", A_log_user_based);
00727       }
00728     else
00729       {
00730         if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 
00731           do_log = TRUE;
00732       }
00733 #endif /* CONFIG_RSBAC_IND_USER_LOG */
00734 
00735 /* log based on program */
00736 #ifdef CONFIG_RSBAC_IND_PROG_LOG
00737     if(!do_log)
00738       {
00739         i_tid.process = caller_pid;
00740         if (rsbac_get_attr(GEN,
00741                            T_PROCESS,
00742                            i_tid,
00743                            A_log_program_based,
00744                            &i_attr_val,
00745                            FALSE))
00746           {
00747             rsbac_ds_get_error("rsbac_adf_request()", A_log_program_based);
00748           }
00749         else
00750           {
00751             if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 
00752               do_log = TRUE;
00753           }
00754       }
00755 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
00756 
00757 /*****************************************************/
00758 /* General work for all modules - after module calls */
00759 /* Note: the process' individual logging attributes are needed above */
00760     switch(request)
00761       {
00762         case R_TERMINATE:
00763             if (target == T_PROCESS)
00764               rsbac_remove_target(T_PROCESS,*tid_p);
00765             break;
00766         default:
00767             break;
00768       }
00769 
00770 /* logging request on info level, if requested by file/dir/dev attributes */
00771 /* log_array_low/high, or, if that is requested, if enabled for this request */
00772 /* type (attributes state level, or that request based level is to be taken) */
00773 /* loglevel 2: log everything */
00774 /* loglevel 1: log, if denied */
00775 /* loglevel 0: log nothing */
00776 
00777 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
00778     /* if file/dir/dev, depend log on log_arrays */
00779     /* (but not for file.device = 0) */
00780     /* log_on_request is TRUE */
00781     if(   !do_log
00782        && (   (   (   (target == T_FILE)
00783                    || (target == T_DIR)
00784                    || (target == T_FIFO)
00785                    || (target == T_SYMLINK)
00786                   )
00787                && RSBAC_MAJOR(tid_p->file.device)
00788                && RSBAC_MINOR(tid_p->file.device)
00789               )
00790            || (target == T_DEV)
00791           )
00792       )
00793       {
00794         if (rsbac_get_attr(GEN,
00795                            target,
00796                            *tid_p,
00797                            A_log_array_low,
00798                            &i_attr_val,
00799                            FALSE))
00800           {
00801             rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00802           }
00803         else
00804           {
00805             if (rsbac_get_attr(GEN,
00806                                target,
00807                                *tid_p,
00808                                A_log_array_high,
00809                                &i_attr_val2,
00810                                FALSE))
00811               {
00812                 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00813               }
00814             else
00815               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00816                 /* WARNING: we deal with u64 here, only logical operations and */
00817                 /* shifts work correctly! */
00818                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00819                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00820                 if (   log_level == LL_full
00821                     || (   log_level == LL_denied
00822                         && (result == NOT_GRANTED
00823                             || result == UNDEFINED)) )
00824                   {
00825                     do_log = TRUE;
00826                   }
00827                 if(log_level != LL_request)
00828                   log_on_request = FALSE;
00829               }
00830           }
00831       }
00832 #endif /* CONFIG_RSBAC_IND_LOG */
00833 
00834 #ifdef CONFIG_RSBAC_IND_NETDEV_LOG /* only if individual logging for netdev is enabled */
00835     /* if netdev, depend log on log_arrays */
00836     /* log_on_request is TRUE */
00837     if(   !do_log
00838        && (target == T_NETDEV)
00839       )
00840       {
00841         if (rsbac_get_attr(GEN,
00842                            target,
00843                            *tid_p,
00844                            A_log_array_low,
00845                            &i_attr_val,
00846                            FALSE))
00847           {
00848             rsbac_ds_get_error("rsbac_adf_request()", A_log_array_low);
00849           }
00850         else
00851           {
00852             if (rsbac_get_attr(GEN,
00853                                target,
00854                                *tid_p,
00855                                A_log_array_high,
00856                                &i_attr_val2,
00857                                FALSE))
00858               {
00859                 rsbac_ds_get_error("rsbac_adf_request()", A_log_array_high);
00860               }
00861             else
00862               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00863                 /* WARNING: we deal with u64 here, only logical operations and */
00864                 /* shifts work correctly! */
00865                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00866                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00867                 if (   log_level == LL_full
00868                     || (   log_level == LL_denied
00869                         && (result == NOT_GRANTED
00870                             || result == UNDEFINED)) )
00871                   {
00872                     do_log = TRUE;
00873                   }
00874                 if(log_level != LL_request)
00875                   log_on_request = FALSE;
00876               }
00877           }
00878       }
00879 #endif /* CONFIG_RSBAC_IND_NETDEV_LOG */
00880 
00881 #ifdef CONFIG_RSBAC_IND_NETOBJ_LOG /* only if individual logging for net objects is enabled */
00882     /* if nettemp, netobj, depend log on log_arrays */
00883     /* (but not for file.device = 0) */
00884     /* log_on_request is TRUE */
00885     if(   !do_log
00886        && (   (target == T_NETTEMP)
00887            || (target == T_NETOBJ)
00888           )
00889       )
00890       {
00891         enum rsbac_attribute_t i_attr1, i_attr2;
00892 
00893         if(target == T_NETOBJ)
00894           {
00895             if(rsbac_net_remote_request(request))
00896               {
00897                 i_attr1 = A_remote_log_array_low;
00898                 i_attr2 = A_remote_log_array_high;
00899               }
00900             else
00901               {
00902                 i_attr1 = A_local_log_array_low;
00903                 i_attr2 = A_local_log_array_high;
00904               }
00905           }
00906         else
00907           {
00908             i_attr1 = A_log_array_low;
00909             i_attr2 = A_log_array_high;
00910           }
00911         if (rsbac_get_attr(GEN,
00912                            target,
00913                            *tid_p,
00914                            i_attr1,
00915                            &i_attr_val,
00916                            FALSE))
00917           {
00918             rsbac_ds_get_error("rsbac_adf_request()", i_attr1);
00919           }
00920         else
00921           {
00922             if (rsbac_get_attr(GEN,
00923                                target,
00924                                *tid_p,
00925                                i_attr2,
00926                                &i_attr_val2,
00927                                FALSE))
00928               {
00929                 rsbac_ds_get_error("rsbac_adf_request()", i_attr2);
00930               }
00931             else
00932               { /* ll = low-bit for request | (high-bit for request as bit 1) */
00933                 /* WARNING: we deal with u64 here, only logical operations and */
00934                 /* shifts work correctly! */
00935                 log_level =   ((i_attr_val.log_array_low   >> request) & 1)
00936                           | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
00937                 if (   log_level == LL_full
00938                     || (   log_level == LL_denied
00939                         && (result == NOT_GRANTED
00940                             || result == UNDEFINED)) )
00941                   {
00942                     do_log = TRUE;
00943                   }
00944                 if(log_level != LL_request)
00945                   log_on_request = FALSE;
00946               }
00947           }
00948       }
00949 #endif /* CONFIG_RSBAC_IND_NETOBJ_LOG */
00950 
00951 log:
00952     /* if enabled, try request based log level */
00953     if (   !do_log
00954         && log_on_request
00955         && (   rsbac_log_levels[request][target] == LL_full
00956             || (   rsbac_log_levels[request][target] == LL_denied
00957                 && (result == NOT_GRANTED
00958                     || result == UNDEFINED)) ) )
00959       do_log = TRUE;
00960 
00961     if(do_log)
00962       {
00963         char * request_name;
00964         char * res_name;
00965         char * res_mods;
00966         char * target_type_name;
00967         char * target_id_name;
00968         char * attr_name;
00969         char * attr_val_name;
00970 #ifdef CONFIG_RSBAC_NET_OBJ
00971         char * remote_ip_name;
00972 #else
00973         char remote_ip_name[1];
00974 #endif
00975         char * audit_uid_name;
00976         char  command[17];
00977         rsbac_pid_t parent_pid = 0;
00978         rsbac_uid_t audit_uid;
00979 #ifdef CONFIG_RSBAC_LOG_PSEUDO
00980         rsbac_pseudo_t  pseudo = 0;
00981 #endif
00982         char * program_path;
00983 
00984         /* parent pid */
00985         #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00986         if(current->parent)
00987           parent_pid = current->parent->pid;
00988         #else
00989         if(current->p_pptr)
00990           parent_pid = current->p_pptr->pid;
00991         #endif
00992 
00993         /* rsbac_kmalloc all memory */
00994         request_name = rsbac_kmalloc(32);
00995         res_name = rsbac_kmalloc(32);
00996         res_mods = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00997         target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
00998         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
00999         target_id_name
01000          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01001            /* max. path name len + some extra */
01002         #else
01003         target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01004            /* max. file name len + some extra */
01005         #endif
01006         #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01007         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01008         program_path
01009          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
01010            /* max. path name len + some extra */
01011         #else
01012         program_path = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
01013            /* max. file name len + some extra */
01014         #endif
01015         #else
01016         program_path = rsbac_kmalloc(2);
01017         #endif
01018         attr_name = rsbac_kmalloc(32);
01019         attr_val_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
01020 #ifdef CONFIG_RSBAC_NET_OBJ
01021         remote_ip_name = rsbac_kmalloc(32);
01022 #endif
01023         audit_uid_name = rsbac_kmalloc(32);
01024 
01025         request_name[0] = (char) 0;
01026         target_type_name[0] = (char) 0;
01027         target_id_name[0] = (char) 0;
01028         program_path[0] = (char) 0;
01029         attr_name[0] = (char) 0;
01030         attr_val_name[0] = (char) 0;
01031         remote_ip_name[0] = (char) 0;
01032         audit_uid_name[0] = (char) 0;
01033         res_name[0] = (char) 0;
01034         res_mods[0] = (char) 0;
01035         command[0] = (char) 0;
01036         get_request_name(request_name, request);
01037     #if !defined(CONFIG_RSBAC_MAINT)
01038 /*
01039         if(result == mod_result[SW_NONE])
01040           {
01041             strcat(res_mods, " GEN");
01042           }
01043 */
01044     #if defined(CONFIG_RSBAC_MAC)
01045         if(result == mod_result[MAC])
01046           {
01047             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01048             if(rsbac_ind_softmode[MAC])
01049               strcat(res_mods, " MAC(Softmode)");
01050             else
01051             #endif
01052               strcat(res_mods, " MAC");
01053           }
01054     #endif
01055     #if defined(CONFIG_RSBAC_PM)
01056         if(result == mod_result[PM])
01057           {
01058             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01059             if(rsbac_ind_softmode[PM])
01060               strcat(res_mods, " PM(Softmode)");
01061             else
01062             #endif
01063               strcat(res_mods, " PM");
01064           }
01065     #endif
01066     #if defined(CONFIG_RSBAC_DAZ)
01067         if(result == mod_result[DAZ])
01068           {
01069             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01070             if(rsbac_ind_softmode[DAZ])
01071               strcat(res_mods, " DAZ(Softmode)");
01072             else
01073             #endif
01074               strcat(res_mods, " DAZ");
01075           }
01076     #endif
01077     #ifdef CONFIG_RSBAC_FF
01078         if(result == mod_result[FF])
01079           {
01080             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01081             if(rsbac_ind_softmode[FF])
01082               strcat(res_mods, " FF(Softmode)");
01083             else
01084             #endif
01085               strcat(res_mods, " FF");
01086           }
01087     #endif
01088     #ifdef CONFIG_RSBAC_RC
01089         if(result == mod_result[RC])
01090           {
01091             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01092             if(rsbac_ind_softmode[RC])
01093               strcat(res_mods, " RC(Softmode)");
01094             else
01095             #endif
01096               strcat(res_mods, " RC");
01097           }
01098     #endif
01099     #ifdef CONFIG_RSBAC_AUTH
01100         if(result == mod_result[AUTH])
01101           {
01102             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01103             if(rsbac_ind_softmode[AUTH])
01104               strcat(res_mods, " AUTH(Softmode)");
01105             else
01106             #endif
01107               strcat(res_mods, " AUTH");
01108           }
01109     #endif
01110     #ifdef CONFIG_RSBAC_ACL
01111         if(result == mod_result[ACL])
01112           {
01113             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01114             if(rsbac_ind_softmode[ACL])
01115               strcat(res_mods, " ACL(Softmode)");
01116             else
01117             #endif
01118               strcat(res_mods, " ACL");
01119           }
01120     #endif
01121     #ifdef CONFIG_RSBAC_CAP
01122         if(result == mod_result[CAP])
01123           {
01124             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01125             if(rsbac_ind_softmode[CAP])
01126               strcat(res_mods, " CAP(Softmode)");
01127             else
01128             #endif
01129               strcat(res_mods, " CAP");
01130           }
01131     #endif
01132     #ifdef CONFIG_RSBAC_JAIL
01133         if(result == mod_result[JAIL])
01134           {
01135             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01136             if(rsbac_ind_softmode[JAIL])
01137               strcat(res_mods, " JAIL(Softmode)");
01138             else
01139             #endif
01140               strcat(res_mods, " JAIL");
01141           }
01142     #endif
01143     #ifdef CONFIG_RSBAC_RES
01144         if(result == mod_result[RES])
01145           {
01146             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01147             if(rsbac_ind_softmode[RES])
01148               strcat(res_mods, " RES(Softmode)");
01149             else
01150             #endif
01151               strcat(res_mods, " RES");
01152           }
01153     #endif
01154     #ifdef CONFIG_RSBAC_REG
01155         if(result == mod_result[REG])
01156           {
01157             #ifdef CONFIG_RSBAC_SOFTMODE_IND
01158             if(rsbac_ind_softmode[REG])
01159               strcat(res_mods, " REG(Softmode)");
01160             else
01161             #endif
01162               strcat(res_mods, " REG");
01163           }
01164     #endif
01165     #endif /* !MAINT */
01166         if(!res_mods[0])
01167           strcat(res_mods, " ADF");
01168 
01169         /* Get process audit_uid */
01170         i_tid.process = caller_pid;
01171         if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
01172           {
01173             rsbac_ds_get_error("rsbac_adf_request()", A_audit_uid);
01174             return(NOT_GRANTED);  /* something weird happened */
01175           }
01176         audit_uid = i_attr_val.audit_uid;
01177         if(audit_uid == RSBAC_NO_USER)
01178           audit_uid = owner;
01179         else
01180           sprintf(audit_uid_name, "audit uid %u, ", audit_uid);
01181 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01182         /* Get owner's logging pseudo */
01183         i_tid.user = audit_uid;
01184         if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
01185           {
01186             rsbac_ds_get_error("rsbac_adf_request()", A_pseudo);
01187             return(NOT_GRANTED);  /* something weird happened */
01188           }
01189         /* if pseudo is not registered, return attribute value is 0 (see later) */
01190         pseudo = i_attr_val.pseudo;
01191 #endif
01192 
01193 #ifdef CONFIG_RSBAC_NET_OBJ
01194         /* Get process remote_ip */
01195         i_tid.process = caller_pid;
01196         if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_remote_ip,&i_attr_val,FALSE))
01197           {
01198             rsbac_ds_get_error("rsbac_adf_request()", A_remote_ip);
01199             return(NOT_GRANTED);  /* something weird happened */
01200           }
01201         if(i_attr_val.remote_ip)
01202           sprintf(remote_ip_name, "remote ip %u.%u.%u.%u, ", NIPQUAD(i_attr_val.remote_ip));
01203 #endif
01204 
01205         #ifdef CONFIG_RSBAC_LOG_PROGRAM_FILE
01206         {
01207           struct mm_struct * mm;
01208           struct vm_area_struct * vma;
01209           struct dentry * dentry_p = NULL;
01210 
01211           mm = current->mm;
01212           if(mm)
01213             {
01214               atomic_inc(&mm->mm_users);
01215               if(!down_read_trylock(&mm->mmap_sem))
01216                 goto down_failed;
01217               vma = mm->mmap;
01218               while (vma)
01219                 {
01220                   if(   (vma->vm_flags & VM_EXECUTABLE)
01221                      && vma->vm_file)
01222                     {
01223                       dentry_p = dget(vma->vm_file->f_dentry);
01224                       break;
01225                     }
01226                   vma = vma->vm_next;
01227                 }
01228               up_read(&mm->mmap_sem);
01229               if(dentry_p)
01230                 {
01231                   char * p = program_path;
01232 
01233                   p += sprintf(program_path, ", prog_file ");
01234                   #ifdef CONFIG_RSBAC_LOG_FULL_PATH
01235                   rsbac_get_full_path(dentry_p, p, CONFIG_RSBAC_MAX_PATH_LEN);
01236                   #else
01237                   int namelen = rsbac_min(dentry_p->d_name.len, RSBAC_MAXNAMELEN);
01238 
01239                   strncpy(p, dentry_p->d_name.name, namelen);
01240                   p[namelen]=0;
01241                   #endif
01242                   dput(dentry_p);
01243                 }
01244 down_failed:
01245               mmput(mm);
01246             }
01247         }
01248         #endif
01249         get_target_name(target_type_name, target, target_id_name, *tid_p);
01250         get_attribute_name(attr_name, attr);
01251         get_attribute_value_name(attr_val_name, attr, attr_val_p);
01252         get_result_name(res_name, result);
01253         if ((current) && (current->comm))
01254           {
01255             strncpy(command,current->comm,16);          
01256             command[16] = (char) 0;
01257           }
01258 
01259 #ifdef CONFIG_RSBAC_LOG_PSEUDO
01260         /* if pseudo is set, its value is != 0, else -> use id */
01261         if (pseudo)
01262           {
01263     #ifdef CONFIG_RSBAC_SOFTMODE
01264             if(rsbac_softmode)
01265               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01266                            request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01267             else
01268     #endif
01269               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, pseudo %u, %starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01270                            request_name, caller_pid, parent_pid, command, program_path, pseudo, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01271           }
01272         else
01273 #endif
01274           {
01275     #ifdef CONFIG_RSBAC_SOFTMODE
01276             if(rsbac_softmode)
01277               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s (Softmode) by%s\n",
01278                            request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01279             else
01280     #endif
01281               rsbac_printk(KERN_INFO "rsbac_adf_request(): request %s, pid %u, ppid %u, prog_name %s%s, uid %u, %s%starget_type %s, tid %s, attr %s, value %s, result %s by%s\n",
01282                            request_name, caller_pid, parent_pid, command, program_path, owner, audit_uid_name, remote_ip_name, target_type_name, target_id_name, attr_name, attr_val_name, res_name, res_mods);
01283           }
01284         /* rsbac_kfree all helper mem */
01285         rsbac_kfree(request_name);
01286         rsbac_kfree(res_name);
01287         rsbac_kfree(res_mods);
01288         rsbac_kfree(target_type_name);
01289         rsbac_kfree(target_id_name);
01290         rsbac_kfree(program_path);
01291         rsbac_kfree(attr_name);
01292         rsbac_kfree(attr_val_name);
01293 #ifdef CONFIG_RSBAC_NET_OBJ
01294         rsbac_kfree(remote_ip_name);
01295 #endif
01296         rsbac_kfree(audit_uid_name);
01297       }
01298 
01299 /* UNDEFINED must never be returned -> change result */
01300     if(result == UNDEFINED)
01301       result = NOT_GRANTED;
01302 
01303 /* count */
01304     rsbac_adf_request_count[target]++;
01305 #ifdef CONFIG_RSBAC_XSTATS
01306     rsbac_adf_request_xcount[target][request]++;
01307 #endif
01308 
01309 /* return result */
01310     #ifdef CONFIG_RSBAC_SOFTMODE
01311     if(rsbac_softmode && !rsbac_internal)
01312       return DO_NOT_CARE;
01313     else
01314     #endif
01315     #ifdef CONFIG_RSBAC_SOFTMODE_IND
01316       return ret_result;
01317     #else
01318       return result; /* change for debugging! */
01319     #endif
01320   } /* end of rsbac_adf_request_int() */
01321 
01322 
01323 /*********************************************************************/
01324 /* rsbac_adf_request()                                               */
01325 /* This function is the main decision function, called from the AEF. */
01326 /* It is a simple wrapper to the internal function, setting          */
01327 /* ignore_module to SW_NONE.                                         */
01328 
01329 EXPORT_SYMBOL(rsbac_adf_request);
01330 enum rsbac_adf_req_ret_t
01331    rsbac_adf_request( enum  rsbac_adf_request_t     request,
01332                             rsbac_pid_t             caller_pid,
01333                       enum  rsbac_target_t          target,
01334                       union rsbac_target_id_t       tid,
01335                       enum  rsbac_attribute_t       attr,
01336                       union rsbac_attribute_value_t attr_val)
01337   {
01338     return(rsbac_adf_request_int(request,
01339                                  caller_pid,
01340                                  target,
01341                                  &tid,
01342                                  attr,
01343                                  &attr_val,
01344                                  SW_NONE));
01345   }
01346 
01347 /*****************************************************************************/
01348 /* If the request returned granted and the operation is performed,           */
01349 /* the following function is called by the AEF to get all aci set correctly. */
01350 /* The second instance of target specification is the new target, if one has */
01351 /* been created, otherwise its values are ignored.                           */
01352 /* It returns 0 on success and an error from error.h otherwise.              */
01353 
01354 EXPORT_SYMBOL(rsbac_adf_set_attr);
01355 int  rsbac_adf_set_attr(
01356                       enum  rsbac_adf_request_t     request,
01357                             rsbac_pid_t             caller_pid,
01358                       enum  rsbac_target_t          target,
01359                       union rsbac_target_id_t       tid,
01360                       enum  rsbac_target_t          new_target,
01361                       union rsbac_target_id_t       new_tid,
01362                       enum  rsbac_attribute_t       attr,
01363                       union rsbac_attribute_value_t attr_val)
01364   {
01365     union rsbac_target_id_t i_tid;
01366     rsbac_uid_t owner;
01367     int   error = 0;
01368     rsbac_boolean_t do_log = FALSE;
01369     rsbac_boolean_t log_on_request = TRUE;
01370     union rsbac_attribute_value_t i_attr_val;
01371 #ifdef CONFIG_RSBAC_IND_LOG
01372     union rsbac_attribute_value_t i_attr_val2;
01373     enum rsbac_log_level_t log_level;
01374 #endif
01375 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01376     struct super_block * sb_p;
01377 #endif
01378 
01379 /* No attribute setting possible before init (called at boot time) */
01380 
01381    if (!rsbac_is_initialized())
01382       return(0);
01383 
01384 /* kernel (pid 0) is ignored */
01385     if (   !caller_pid
01386         #if defined(CONFIG_RSBAC_LOG_REMOTE)
01387         || (caller_pid == rsbaclogd_pid)
01388         #endif
01389        )
01390       return(0);
01391 
01392 /* Checking base values */
01393     if(   request >= R_NONE
01394        || target > T_NONE
01395        || new_target > T_NONE
01396        || attr > A_none)
01397       {
01398         rsbac_printk(KERN_WARNING
01399                "rsbac_adf_set_attr(): called with invalid request, target or attribute\n");
01400         return(-RSBAC_EINVALIDVALUE);
01401       }
01402 
01403 /* Getting basic information about this adf_set_attr-call */
01404 
01405     owner = RSBAC_NO_USER;
01406     /* only useful for real process, not idle or init */
01407     if (caller_pid > 1)
01408       {
01409         error = rsbac_get_owner(&owner);
01410         if(error)
01411           {
01412             rsbac_printk(KERN_DEBUG
01413                    "rsbac_adf_set_attr(): caller_pid %i, RSBAC not initialized, returning 0",
01414                    caller_pid);
01415             return(0);      /* Startup-Sequence (see above) */
01416           }
01417       }
01418     else /* caller_pid = 1  -> init -> owner = root */
01419       owner = 0;
01420 
01421 /*************************************************/
01422 /* General work for all modules - before modules */
01423 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
01424     if (   (   (target == T_FILE)
01425             || (target == T_DIR)
01426             || (target == T_FIFO)
01427             || (target == T_SYMLINK)
01428            )
01429         && ((sb_p = rsbac_get_super_block(tid.file.device)))
01430         && (   (sb_p->s_magic == NFS_SUPER_MAGIC)
01431             || (sb_p->s_magic == CODA_SUPER_MAGIC)
01432             || (sb_p->s_magic == NCP_SUPER_MAGIC)
01433             || (sb_p->s_magic == SMB_SUPER_MAGIC)
01434            )
01435        )
01436       {
01437         error = 0;
01438         goto log;
01439       }
01440 #endif
01441 
01442 /**********************************************************/
01443 /* calling all decision modules, building a common result */
01444 
01445 
01446 #ifdef CONFIG_RSBAC_DEBUG
01447 /* first, check for valid request/target combination      */
01448 error |= rsbac_adf_set_attr_check(request,
01449                                   caller_pid,
01450                                   target,
01451                                   tid,
01452                                   new_target,
01453                                   new_tid,
01454                                   attr,
01455                                   attr_val,
01456                                   owner);
01457 if(error)
01458   goto general_work;
01459 #endif
01460 
01461 #if !defined(CONFIG_RSBAC_MAINT)
01462 /******* MAC ********/
01463 #if defined(CONFIG_RSBAC_MAC)
01464 #ifdef CONFIG_RSBAC_SWITCH_MAC
01465 if (rsbac_switch_mac)
01466 #endif
01467   error |= rsbac_adf_set_attr_mac(request,
01468                                   caller_pid,
01469                                   target,
01470                                   tid,
01471                                   new_target,
01472                                   new_tid,
01473                                   attr,
01474                                   attr_val,
01475                                   owner);
01476 #endif  /* MAC */
01477 
01478 /******* PM ********/
01479 #ifdef CONFIG_RSBAC_PM
01480 #ifdef CONFIG_RSBAC_SWITCH_PM
01481 if (rsbac_switch_pm)
01482 #endif
01483   error |= rsbac_adf_set_attr_pm (request,
01484                                   caller_pid,
01485                                   target,
01486                                   tid,
01487                                   new_target,
01488                                   new_tid,
01489                                   attr,
01490                                   attr_val,
01491                                   owner);
01492 #endif  /* PM */
01493 
01494 /******* DAZ ********/
01495 #ifdef CONFIG_RSBAC_DAZ
01496 #ifdef CONFIG_RSBAC_SWITCH_DAZ
01497 if (rsbac_switch_daz)
01498 #endif
01499   error |= rsbac_adf_set_attr_daz (request,
01500                                   caller_pid,
01501                                   target,
01502                                   tid,
01503                                   new_target,
01504                                   new_tid,
01505                                   attr,
01506                                   attr_val,
01507                                   owner);
01508 #endif  /* DAZ */
01509 
01510 /******* FF ********/
01511 #if 0 /* Nothing to do in there */
01512 #ifdef CONFIG_RSBAC_FF
01513 #ifdef CONFIG_RSBAC_SWITCH_FF
01514 if (rsbac_switch_ff)
01515 #endif
01516   error |= rsbac_adf_set_attr_ff (request,
01517                                   caller_pid,
01518                                   target,
01519                                   tid,
01520                                   new_target,
01521                                   new_tid,
01522                                   attr,
01523                                   attr_val,
01524                                   owner);
01525 #endif  /* FF */
01526 #endif /* 0 */
01527 
01528 /******* RC ********/
01529 #ifdef CONFIG_RSBAC_RC
01530 #ifdef CONFIG_RSBAC_SWITCH_RC
01531 if (rsbac_switch_rc)
01532 #endif
01533   error |= rsbac_adf_set_attr_rc (request,
01534                                   caller_pid,
01535                                   target,
01536                                   tid,
01537                                   new_target,
01538                                   new_tid,
01539                                   attr,
01540                                   attr_val,
01541                                   owner);
01542 #endif  /* RC */
01543 
01544 /****** AUTH *******/
01545 #ifdef CONFIG_RSBAC_AUTH
01546 #ifdef CONFIG_RSBAC_SWITCH_AUTH
01547 if (rsbac_switch_auth)
01548 #endif
01549   error |= rsbac_adf_set_attr_auth(request,
01550                                    caller_pid,
01551                                    target,
01552                                    tid,
01553                                    new_target,
01554                                    new_tid,
01555                                    attr,
01556                                    attr_val,
01557                                    owner);
01558 #endif  /* AUTH */
01559 
01560 /****** ACL *******/
01561 #if 0 /* Nothing there */
01562 #ifdef CONFIG_RSBAC_ACL
01563 #ifdef CONFIG_RSBAC_SWITCH_ACL
01564 if (rsbac_switch_acl)
01565 #endif
01566   error |= rsbac_adf_set_attr_acl (request,
01567                                    caller_pid,
01568                                    target,
01569                                    tid,
01570                                    new_target,
01571                                    new_tid,
01572                                    attr,
01573                                    attr_val,
01574                                    owner);
01575 #endif  /* ACL */
01576 #endif
01577 
01578 /****** CAP *******/
01579 #ifdef CONFIG_RSBAC_CAP
01580 #ifdef CONFIG_RSBAC_SWITCH_CAP
01581 if (rsbac_switch_cap)
01582 #endif
01583   error |= rsbac_adf_set_attr_cap (request,
01584                                    caller_pid,
01585                                    target,
01586                                    tid,
01587                                    new_target,
01588                                    new_tid,
01589                                    attr,
01590                                    attr_val,
01591                                    owner);
01592 #endif  /* CAP */
01593 
01594 /****** JAIL *******/
01595 #ifdef CONFIG_RSBAC_JAIL
01596 #ifdef CONFIG_RSBAC_SWITCH_JAIL
01597 if (rsbac_switch_jail)
01598 #endif
01599   error |= rsbac_adf_set_attr_jail(request,
01600                                    caller_pid,
01601                                    target,
01602                                    tid,
01603                                    new_target,
01604                                    new_tid,
01605                                    attr,
01606                                    attr_val,
01607                                    owner);
01608 #endif  /* JAIL */
01609 
01610 /******* PAX ********/
01611 #ifdef CONFIG_RSBAC_PAX
01612 #ifdef CONFIG_RSBAC_SWITCH_PAX
01613 if (rsbac_switch_pax)
01614 #endif
01615   error |= rsbac_adf_set_attr_pax (request,
01616                                   caller_pid,
01617                                   target,
01618                                   tid,
01619                                   new_target,
01620                                   new_tid,
01621                                   attr,
01622                                   attr_val,
01623                                   owner);
01624 #endif  /* PAX */
01625 
01626 /****** RES *******/
01627 #ifdef CONFIG_RSBAC_RES
01628 #ifdef CONFIG_RSBAC_SWITCH_RES
01629 if (rsbac_switch_res)
01630 #endif
01631   error |= rsbac_adf_set_attr_res (request,
01632                                    caller_pid,
01633                                    target,
01634                                    tid,
01635                                    new_target,
01636                                    new_tid,
01637                                    attr,
01638                                    attr_val,
01639                                    owner);
01640 #endif  /* RES */
01641 
01642 /****** REG *******/
01643 #ifdef CONFIG_RSBAC_REG
01644   error |= rsbac_adf_set_attr_reg (request,
01645                                    caller_pid,
01646                                    target,
01647                                    tid,
01648                                    new_target,
01649                                    new_tid,
01650                                    attr,
01651                                    attr_val,
01652                                    owner);
01653 #endif  /* REG */
01654 #endif /* !MAINT */
01655 
01656 /* General work for all modules (after set_attr call) */
01657 #ifdef CONFIG_RSBAC_DEBUG
01658 general_work:
01659 #endif
01660     switch(request)
01661       {
01662         /* remove deleted item from rsbac data */
01663         case R_DELETE :
01664             switch (target)
01665               {
01666                 case T_FILE:
01667                 case T_FIFO:
01668                 case T_SYMLINK:
01669                   /* Only remove file/fifo target on deletion of last link */
01670                   if (   (attr == A_nlink)
01671                       && (attr_val.nlink > 1)
01672                      )
01673                      break;
01674                   /* fall through */
01675                 case T_DIR:
01676                   rsbac_remove_target(target,tid);
01677                   break;
01678                 case T_IPC:
01679                   /* shm removal delayed and removed directly, when destroyed */
01680                   if(tid.ipc.type != I_shm)
01681                     rsbac_remove_target(target,tid);
01682                   break;
01683                 default:
01684                   break;
01685               }
01686             break;
01687 
01688         case R_CLONE:
01689             switch (target)
01690               {
01691                 case T_PROCESS:
01692                   #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01693                   /* get program based log from old process */
01694                   if (rsbac_get_attr(GEN,
01695                                      target,
01696                                      tid,
01697                                      A_log_program_based,
01698                                      &i_attr_val,
01699                                      FALSE))
01700                     {
01701                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01702                     }
01703                   else
01704                     { /* only set, of not default value 0 */
01705                       if(i_attr_val.log_program_based)
01706                         {
01707                           /* set program based log for new process */
01708                           if (rsbac_set_attr(GEN, new_target,
01709                                              new_tid,
01710                                              A_log_program_based,
01711                                              i_attr_val))
01712                             {
01713                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01714                             }
01715                         }
01716                     }
01717                   #endif
01718                   #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01719                   /* get fake_root_uid from old process */
01720                   if (rsbac_get_attr(GEN,
01721                                      target,
01722                                      tid,
01723                                      A_fake_root_uid,
01724                                      &i_attr_val,
01725                                      FALSE))
01726                     {
01727                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01728                     }
01729                   else
01730                     { /* only set, of not default value 0 */
01731                       if(i_attr_val.fake_root_uid)
01732                         {
01733                           /* set program based log for new process */
01734                           if (rsbac_set_attr(GEN, new_target,
01735                                              new_tid,
01736                                              A_fake_root_uid,
01737                                              i_attr_val))
01738                             {
01739                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01740                             }
01741                         }
01742                     }
01743                   #endif
01744                   #if defined(CONFIG_RSBAC_NET)
01745                   /* get remote_ip from old process */
01746                   if (rsbac_get_attr(GEN,
01747                                      target,
01748                                      tid,
01749                                      A_remote_ip,
01750                                      &i_attr_val,
01751                                      FALSE))
01752                     {
01753                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_remote_ip);
01754                     }
01755                   else
01756                     { /* only set, of not default value 0 */
01757                       if(i_attr_val.remote_ip)
01758                         {
01759                           /* set program based log for new process */
01760                           if (rsbac_set_attr(GEN, new_target,
01761                                              new_tid,
01762                                              A_remote_ip,
01763                                              i_attr_val))
01764                             {
01765                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01766                             }
01767                         }
01768                     }
01769                   #endif
01770                         /* get kernel_thread from old process */
01771                         if (rsbac_get_attr(GEN,
01772                                         target,
01773                                         tid,
01774                                         A_kernel_thread,
01775                                         &i_attr_val, FALSE)) {
01776                                 rsbac_ds_get_error("rsbac_adf_set_attr()",
01777                                                 A_kernel_thread);
01778                         } else {
01779                                 if (i_attr_val.kernel_thread) {
01780                                         if (rsbac_set_attr(GEN, new_target,
01781                                                         new_tid,
01782                                                         A_kernel_thread,
01783                                                         i_attr_val)) {
01784                                                 rsbac_ds_set_error
01785                                                         ("rsbac_adf_set_attr()",
01786                                                          A_kernel_thread);
01787                                         }
01788                                 }
01789                         }
01790 
01791                   /* get audit_uid from old process */
01792                   if (rsbac_get_attr(GEN,
01793                                      target,
01794                                      tid,
01795                                      A_audit_uid,
01796                                      &i_attr_val,
01797                                      FALSE))
01798                     {
01799                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
01800                     }
01801                   else
01802                     { /* only set, of not default value NO_USER */
01803                       if(i_attr_val.audit_uid != RSBAC_NO_USER)
01804                         {
01805                           /* set audit uid for new process */
01806                           if (rsbac_set_attr(GEN,
01807                                              new_target,
01808                                              new_tid,
01809                                              A_audit_uid,
01810                                              i_attr_val))
01811                             {
01812                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_audit_uid);
01813                             }
01814                         }
01815                     }
01816                   /* get auid_exempt from old process */
01817                   if (rsbac_get_attr(GEN,
01818                                      target,
01819                                      tid,
01820                                      A_auid_exempt,
01821                                      &i_attr_val,
01822                                      FALSE))
01823                     {
01824                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01825                     }
01826                   else
01827                     { /* only set, of not default value NO_USER */
01828                       if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01829                         {
01830                           /* set program based log for new process */
01831                           if (rsbac_set_attr(GEN,
01832                                              new_target,
01833                                              new_tid,
01834                                              A_auid_exempt,
01835                                              i_attr_val))
01836                             {
01837                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01838                             }
01839                         }
01840                     }
01841                   break;
01842 
01843                 default:
01844                   break;
01845               }
01846             break;
01847 
01848 #ifdef CONFIG_RSBAC_NET_OBJ
01849         case R_CLOSE:
01850             switch (target)
01851               {
01852                 case T_NETOBJ:
01853                   rsbac_remove_target(target,tid);
01854                   break;
01855 
01856                 default:
01857                   break;
01858               }
01859             break;
01860         case R_ACCEPT:
01861             switch (target)
01862               {
01863                 case T_NETOBJ:
01864                   /* store remote IP */
01865                   if(   tid.netobj.sock_p
01866                      && tid.netobj.sock_p->ops
01867                      && tid.netobj.sock_p->sk
01868                      && (tid.netobj.sock_p->ops->family == AF_INET)
01869                     )
01870                     {
01871                       i_tid.process = caller_pid;
01872 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
01873                       i_attr_val.remote_ip = inet_sk(tid.netobj.sock_p->sk)->daddr;
01874 #else
01875                       i_attr_val.remote_ip = tid.netobj.sock_p->sk->daddr;
01876 #endif
01877                       /* set program based log for new process */
01878                       if (rsbac_set_attr(GEN,
01879                                          T_PROCESS,
01880                                          i_tid,
01881                                          A_remote_ip,
01882                                          i_attr_val))
01883                         {
01884                           rsbac_ds_set_error("rsbac_adf_set_attr()", A_remote_ip);
01885                         }
01886                     }
01887                   break;
01888 
01889                 default:
01890                   break;
01891               }
01892             break;
01893 #endif /* CONFIG_RSBAC_NET_OBJ */
01894 
01895         case R_EXECUTE :
01896             switch (target)
01897               {
01898                 case T_FILE:
01899                   #if defined(CONFIG_RSBAC_IND_PROG_LOG)
01900                   /* get program based log from file */
01901                   if (rsbac_get_attr(GEN,
01902                                      target,
01903                                      tid,
01904                                      A_log_program_based,
01905                                      &i_attr_val,
01906                                      FALSE))
01907                     {
01908                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
01909                     }
01910                   else
01911                     {
01912                       /* set program based log for process */
01913                       i_tid.process = caller_pid;
01914                       if (rsbac_set_attr(GEN, T_PROCESS,
01915                                          i_tid,
01916                                          A_log_program_based,
01917                                          i_attr_val))
01918                         {
01919                           rsbac_ds_set_error("rsbac_adf_set_attr()", A_log_program_based);
01920                         }
01921                     }
01922                   #endif
01923                   #if defined(CONFIG_RSBAC_FAKE_ROOT_UID)
01924                   /* get fake_root_uid from file */
01925                   if (rsbac_get_attr(GEN,
01926                                      target,
01927                                      tid,
01928                                      A_fake_root_uid,
01929                                      &i_attr_val,
01930                                      FALSE))
01931                     {
01932                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_fake_root_uid);
01933                     }
01934                   else
01935                     {
01936                       /* set fake_root_uid for process */
01937                       if(i_attr_val.fake_root_uid)
01938                         {
01939                           i_tid.process = caller_pid;
01940                           if (rsbac_set_attr(GEN, T_PROCESS,
01941                                              i_tid,
01942                                              A_fake_root_uid,
01943                                              i_attr_val))
01944                             {
01945                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_fake_root_uid);
01946                             }
01947                         }
01948                     }
01949                   #endif
01950                   /* get auid_exempt from file */
01951                   if (rsbac_get_attr(GEN,
01952                                      target,
01953                                      tid,
01954                                      A_auid_exempt,
01955                                      &i_attr_val,
01956                                      FALSE))
01957                     {
01958                       rsbac_ds_get_error("rsbac_adf_set_attr()", A_auid_exempt);
01959                     }
01960                   else
01961                     {
01962                       if(i_attr_val.auid_exempt != RSBAC_NO_USER)
01963                         {
01964                           /* set auid_exempt for process */
01965                           i_tid.process = caller_pid;
01966                           if (rsbac_set_attr(GEN, T_PROCESS,
01967                                              i_tid,
01968                                              A_auid_exempt,
01969                                              i_attr_val))
01970                             {
01971                               rsbac_ds_set_error("rsbac_adf_set_attr()", A_auid_exempt);
01972                             }
01973                         }
01974                     }
01975                   break;
01976 
01977                 default:
01978                   break;
01979               }
01980             break;
01981 
01982         default:
01983             break;
01984       }
01985 
01986 #if defined(CONFIG_RSBAC_DEBUG) && defined(CONFIG_RSBAC_NET)
01987     if(    rsbac_debug_adf_net
01988        && (   (target == T_NETDEV)
01989            || (target == T_NETTEMP)
01990            || (target == T_NETOBJ)
01991           )
01992       )
01993       do_log = TRUE;
01994 #endif
01995 
01996 /* log based on process owner */
01997 #ifdef CONFIG_RSBAC_IND_USER_LOG
01998     i_tid.user = owner;
01999     if (rsbac_get_attr(GEN,
02000                        T_USER,
02001                        i_tid,
02002                        A_log_user_based,
02003                        &i_attr_val,
02004                        FALSE))
02005       {
02006         rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_user_based);
02007       }
02008     else
02009       {
02010         if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_user_based) 
02011           do_log = TRUE;
02012       }
02013 #endif /* CONFIG_RSBAC_IND_USER_LOG */
02014 
02015 /* log based on program */
02016 #ifdef CONFIG_RSBAC_IND_PROG_LOG
02017     if(!do_log)
02018       {
02019         i_tid.process = caller_pid;
02020         if (rsbac_get_attr(GEN,
02021                            T_PROCESS,
02022                            i_tid,
02023                            A_log_program_based,
02024                            &i_attr_val,
02025                            FALSE))
02026           {
02027             rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_program_based);
02028           }
02029         else
02030           {
02031             if(((rsbac_request_vector_t) 1 << request) & i_attr_val.log_program_based) 
02032               do_log = TRUE;
02033           }
02034       }
02035 #endif /* CONFIG_RSBAC_IND_PROG_LOG */
02036 
02037 
02038 /* logging request on info level, if requested by file/dir/dev attributes */
02039 /* log_array_low/high, or, if that is requested, if enabled for this request */
02040 /* type (attributes state level, or that request based level is to be taken) */
02041 /* loglevel 2: log everything */
02042 /* loglevel 1: log, if denied */
02043 /* loglevel 0: log nothing */
02044 
02045 #ifdef CONFIG_RSBAC_IND_LOG /* only if individual logging is enabled */
02046     /* if file/dir/dev, depend log on log_arrays */
02047     /* (but not for file.device = 0) */
02048     /* log_on_request is TRUE */
02049     if(!do_log)
02050       {
02051         if(   (   (   (target == T_FILE)
02052                    || (target == T_DIR)
02053                    || (target == T_FIFO)
02054                    || (target == T_SYMLINK)
02055                   )
02056                && RSBAC_MAJOR(tid.file.device)
02057                && RSBAC_MINOR(tid.file.device)
02058               )
02059            || (target == T_DEV)
02060           )
02061           {
02062             if (rsbac_get_attr(GEN,
02063                                target,
02064                                tid,
02065                                A_log_array_low,
02066                                &i_attr_val,
02067                                FALSE))
02068               {
02069                 rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_low);
02070               }
02071             else
02072               {
02073                 if (rsbac_get_attr(GEN,
02074                                    target,
02075                                    tid,
02076                                    A_log_array_high,
02077                                    &i_attr_val2,
02078                                    FALSE))
02079                   {
02080                     rsbac_ds_get_error("rsbac_adf_set_attr()", A_log_array_high);
02081                   }
02082                 else
02083                   { /* ll = low-bit for request | (high-bit for request as bit 1) */
02084                     log_level =   ((i_attr_val.log_array_low   >> request) & 1)
02085                               | ( ((i_attr_val2.log_array_high >> request) & 1) << 1);
02086                     if (   log_level == LL_full
02087                         || (   log_level == LL_denied
02088                             && error) )
02089                       {
02090                         do_log = TRUE;
02091                       }
02092                     if(log_level != LL_request)
02093                       log_on_request = FALSE;
02094                   }
02095               }
02096           }
02097       }
02098 #endif /* CONFIG_RSBAC_IND_LOG */
02099 
02100 #ifdef CONFIG_RSBAC_NO_DECISION_ON_NETMOUNT
02101 log:
02102 #endif
02103     /* if enabled, try request based log level */
02104     if (log_on_request
02105         && (   rsbac_log_levels[request][target] == LL_full
02106             || (   rsbac_log_levels[request][target] == LL_denied
02107                 && error) ) )
02108       do_log = TRUE;
02109 
02110     if(do_log)
02111       {
02112         char * request_name;
02113         char * target_type_name;
02114         char * new_target_type_name;
02115         char * target_id_name;
02116         char * new_target_id_name;
02117         char * attr_name;
02118         rsbac_uid_t audit_uid;
02119 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02120         rsbac_pseudo_t  pseudo = 0;
02121 #endif
02122 
02123         /* Get process audit_uid */
02124         i_tid.process = caller_pid;
02125         if (rsbac_get_attr(GEN,T_PROCESS,i_tid,A_audit_uid,&i_attr_val,FALSE))
02126           {
02127             rsbac_ds_get_error("rsbac_adf_set_attr()", A_audit_uid);
02128             return -RSBAC_EREADFAILED;  /* something weird happened */
02129           }
02130         audit_uid = i_attr_val.audit_uid;
02131         if(audit_uid == RSBAC_NO_USER)
02132           audit_uid = owner;
02133 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02134         /* Get owner's logging pseudo */
02135         i_tid.user = audit_uid;
02136         if (rsbac_get_attr(GEN,T_USER,i_tid,A_pseudo,&i_attr_val,FALSE))
02137           {
02138             rsbac_ds_get_error("rsbac_adf_set_attr()", A_pseudo);
02139             return -RSBAC_EREADFAILED;  /* something weird happened */
02140           }
02141         /* if pseudo is not registered, return attribute value is 0 (see later) */
02142         pseudo = i_attr_val.pseudo;
02143 #endif
02144 
02145         /* rsbac_kmalloc all memory */
02146         request_name = rsbac_kmalloc(32);
02147         target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02148         new_target_type_name = rsbac_kmalloc(RSBAC_MAXNAMELEN);
02149         #ifdef CONFIG_RSBAC_LOG_FULL_PATH
02150         target_id_name
02151          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02152         new_target_id_name
02153          = rsbac_kmalloc(CONFIG_RSBAC_MAX_PATH_LEN + RSBAC_MAXNAMELEN);
02154            /* max. path name len + some extra */
02155         #else
02156         target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02157         new_target_id_name = rsbac_kmalloc(2 * RSBAC_MAXNAMELEN);
02158            /* max. file name len + some extra */
02159         #endif
02160         attr_name = rsbac_kmalloc(32);
02161 
02162         /* Getting basic information about this request */
02163         request_name[0] = (char) 0;
02164         target_type_name[0] = (char) 0;
02165         target_id_name[0] = (char) 0;
02166         new_target_type_name[0] = (char) 0;
02167         new_target_id_name[0] = (char) 0;
02168         attr_name[0] = (char) 0;
02169         get_request_name(request_name, request);
02170         get_target_name(target_type_name, target, target_id_name, tid);
02171         get_target_name(new_target_type_name, new_target,
02172                         new_target_id_name, new_tid);
02173         get_attribute_name(attr_name, attr);
02174 
02175 #ifdef CONFIG_RSBAC_LOG_PSEUDO
02176         if(pseudo)
02177           rsbac_printk(KERN_INFO
02178                        "rsbac_adf_set_attr(): request %s, pid %u, pseudo %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02179                        request_name, (u_int) caller_pid, pseudo, target_type_name, target_id_name,
02180                        new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02181         else
02182 #endif
02183           rsbac_printk(KERN_INFO
02184                        "rsbac_adf_set_attr(): request %s, pid %u, uid %u, audit_uid %u, target_type %s, tid %s, new_target_type %s, new_tid %s, attr %s, value %u, error %i\n",
02185                        request_name, (u_int) caller_pid, owner, audit_uid, target_type_name, target_id_name,
02186                        new_target_type_name, new_target_id_name, attr_name, attr_val.dummy, error);
02187         /* rsbac_kfree all helper mem */
02188         rsbac_kfree(request_name);
02189         rsbac_kfree(target_type_name);
02190         rsbac_kfree(new_target_type_name);
02191         rsbac_kfree(target_id_name);
02192         rsbac_kfree(new_target_id_name);
02193         rsbac_kfree(attr_name);
02194       }
02195 
02196 /* count */
02197     rsbac_adf_set_attr_count[target]++;
02198 #ifdef CONFIG_RSBAC_XSTATS
02199     rsbac_adf_set_attr_xcount[target][request]++;
02200 #endif
02201 
02202     return(error);
02203   } /* end of rsbac_adf_set_attr() */
02204 
02205 
02206 /****************
02207  *
02208  * Secure Delete
02209  *
02210  ****************/
02211 
02212 #ifdef CONFIG_RSBAC_SECDEL
02213 
02214 /* open_by_dentry */
02215 /* This is done by hand (copy from rsbac_read_open), because system calls */
02216 /* are currently blocked by rsbac */
02217 
02218 static int open_by_dentry(struct dentry * file_dentry_p, struct file * file_p)
02219   {
02220     int tmperr;
02221 
02222     if ( !(S_ISREG(file_dentry_p->d_inode->i_mode)) )
02223       { /* this is not a file! -> error! */
02224         rsbac_printk(KERN_WARNING
02225                "open_by_dentry(): expected file is not a file!\n");
02226         return (-RSBAC_EWRITEFAILED);
02227       }
02228     /* Now we fill the file structure, and */
02229     /* if there is an open func, use it, otherwise ignore */
02230     if ((tmperr = init_private_file(file_p, file_dentry_p, O_WRONLY | O_SYNC)))
02231       {
02232         rsbac_printk(KERN_WARNING
02233                "open_by_dentry(): could not open file!\n");
02234         return (-RSBAC_EWRITEFAILED);
02235       }
02236     /* Without a write function we get into troubles -> error */
02237     if ((!file_p->f_op) || (!file_p->f_op->write))
02238       {
02239         rsbac_printk(KERN_WARNING
02240                "open_by_dentry(): file write function missing!\n");
02241         if (file_p->f_op && file_p->f_op->release)
02242           file_p->f_op->release(file_dentry_p->d_inode,file_p);
02243         return(-RSBAC_EWRITEFAILED);
02244       }
02245     /* trying to get write access                                   */
02246 /*
02247     if (get_write_access(file_dentry_p->d_inode))
02248       {
02249         rsbac_printk(KERN_WARNING
02250                "rsbac_write_open(): could not get write access!\n");
02251         if (file_p->f_op->release)
02252           file_p->f_op->release(file_dentry_p->d_inode,file_p);
02253         return(-RSBAC_EWRITEFAILED);
02254       }
02255 */
02256     return 0;
02257   }
02258 
02259 /*
02260  **********************
02261  * Secure File Truncation
02262  */
02263 rsbac_boolean_t writable(struct super_block * sb_p);
02264 
02265 static int do_rsbac_sec_trunc(struct dentry * dentry_p,
02266                               loff_t new_len,
02267                               loff_t old_len,
02268                               rsbac_boolean_t need_lock)
02269   {
02270 #if defined(CONFIG_RSBAC_MAINT)
02271     return 0;
02272 #else
02273     int                           err = 0;
02274     rsbac_boolean_t                       need_overwrite = FALSE;
02275 
02276     if (!rsbac_is_initialized())
02277       return 0;
02278     /* security checks */
02279     if(   !dentry_p
02280        || !dentry_p->d_inode)
02281       return -RSBAC_EINVALIDPOINTER;
02282     if(!S_ISREG(dentry_p->d_inode->i_mode))
02283       return -RSBAC_EINVALIDTARGET;
02284     if(dentry_p->d_sb->s_magic == PIPEFS_MAGIC)
02285       return 0;
02286     if(new_len >= old_len)
02287       return 0;
02288 
02289     if(dentry_p->d_inode && !writable(dentry_p->d_inode->i_sb))
02290       {
02291 #ifdef CONFIG_RSBAC_DEBUG
02292         if(rsbac_debug_write)
02293           {
02294             rsbac_printk(KERN_DEBUG
02295                    "do_rsbac_sec_trunc(): ignoring file %lu on network device %02u:%02u!\n",
02296                    dentry_p->d_inode->i_ino,
02297                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02298                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02299           }
02300 #endif
02301         return 0;
02302       }
02303 
02304     /******* PM ********/
02305     #ifdef CONFIG_RSBAC_PM
02306     #ifdef CONFIG_RSBAC_SWITCH_PM
02307     if (rsbac_switch_pm)
02308     #endif
02309       /* no need to call module, if already need_overwrite */
02310       if(!need_overwrite)
02311         need_overwrite = rsbac_need_overwrite_pm(dentry_p);
02312     #endif  /* PM */
02313 
02314     /******* FF ********/
02315     #ifdef CONFIG_RSBAC_FF
02316     #ifdef CONFIG_RSBAC_SWITCH_FF
02317     if (rsbac_switch_ff)
02318     #endif
02319       /* no need to call module, if already need_overwrite */
02320       if(!need_overwrite)
02321         need_overwrite = rsbac_need_overwrite_ff(dentry_p);
02322     #endif  /* FF */
02323 
02324     /******* RC ********/
02325     #ifdef CONFIG_RSBAC_RC
02326     #ifdef CONFIG_RSBAC_SWITCH_RC
02327     if (rsbac_switch_rc)
02328     #endif
02329       /* no need to call module, if already need_overwrite */
02330       if(!need_overwrite)
02331         need_overwrite = rsbac_need_overwrite_rc(dentry_p);
02332     #endif  /* RC */
02333 
02334     /****** RES *******/
02335     #ifdef CONFIG_RSBAC_RES
02336     #ifdef CONFIG_RSBAC_SWITCH_RES
02337     if (rsbac_switch_res)
02338     #endif
02339       /* no need to call module, if already need_overwrite */
02340       if(!need_overwrite)
02341         need_overwrite = rsbac_need_overwrite_res(dentry_p);
02342     #endif  /* RES */
02343 
02344     /****** REG *******/
02345     #ifdef CONFIG_RSBAC_REG
02346     if(!need_overwrite)
02347       need_overwrite = rsbac_need_overwrite_reg(dentry_p);
02348     #endif  /* REG */
02349 
02350     if(need_overwrite)
02351       {
02352         char            * buffer;
02353         rsbac_boolean_t   vmalloc_used;
02354         struct file       file;
02355         int               tmperr = 0;
02356         int               len;
02357         mm_segment_t      oldfs;
02358 
02359         buffer = rsbac_vkmalloc(RSBAC_SEC_DEL_CHUNK_SIZE, &vmalloc_used);
02360         if(!buffer)
02361           return -RSBAC_ENOMEM;
02362 
02363 #ifdef CONFIG_RSBAC_DEBUG
02364         if(rsbac_debug_write)
02365           {
02366             rsbac_printk(KERN_DEBUG
02367                    "rsbac_sec_trunc(): zeroing of file %lu on device %02u:%02u from byte %lu to %lu!\n",
02368                    dentry_p->d_inode->i_ino,
02369                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02370                    MINOR(dentry_p->d_inode->i_sb->s_dev),
02371                    (u_long) new_len,
02372                    (u_long) old_len-1);
02373           }
02374 #endif
02375         /* open */
02376         err = open_by_dentry(dentry_p, &file);
02377         if(err)
02378           {
02379             rsbac_vkfree(buffer, vmalloc_used);
02380             return(err);
02381           }
02382 
02383 #ifdef CONFIG_RSBAC_DEBUG
02384         if(rsbac_debug_write)
02385           {
02386             rsbac_printk(KERN_DEBUG
02387                    "rsbac_sec_trunc(): file %lu on device %02u:%02u is open, seeking to %lu!\n",
02388                    dentry_p->d_inode->i_ino,
02389                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02390                    MINOR(dentry_p->d_inode->i_sb->s_dev),
02391                    (u_long) new_len);
02392           }
02393 #endif
02394 
02395         /* OK, now we can start writing */
02396 
02397         /* Set current user space to kernel space, because write() reads
02398          * from user space
02399          */
02400         oldfs = get_fs();
02401         set_fs(KERNEL_DS);
02402 
02403 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02404         if(file.f_op->llseek)
02405           file.f_op->llseek(&file,new_len,0);
02406         else
02407 #endif
02408           { /* taken from fs/read_write.c */
02409             file.f_pos = new_len;
02410 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02411             file.f_reada = 0;
02412 #endif
02413 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02414             file.f_version = ++event;
02415 #else
02416             file.f_version = 0;
02417 #endif
02418           }
02419         memset(buffer,0,RSBAC_SEC_DEL_CHUNK_SIZE);
02420 
02421 #ifdef CONFIG_RSBAC_DEBUG
02422         if(rsbac_debug_write)
02423           {
02424             rsbac_printk(KERN_DEBUG
02425                    "rsbac_sec_trunc(): file %lu on device %02u:%02u is positioned, starting to write!\n",
02426                    dentry_p->d_inode->i_ino,
02427                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02428                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02429           }
02430 #endif
02431 
02432         while(new_len < old_len)
02433           {
02434             len = rsbac_min(RSBAC_SEC_DEL_CHUNK_SIZE, old_len-new_len);
02435 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02436             tmperr = file.f_op->write(&file,
02437                                      buffer,
02438                                      len,
02439                                      &file.f_pos);
02440 #else
02441             if(need_lock)
02442               tmperr = file.f_op->write(&file,
02443                                         buffer,
02444                                         len,
02445                                         &file.f_pos);
02446             else
02447               {
02448                 struct iovec local_iov = { .iov_base = (void __user *)buffer,
02449                                         .iov_len = len };
02450 
02451                 tmperr = generic_file_write_nolock(&file,
02452                                                    &local_iov,
02453                                                    1,
02454                                                    &file.f_pos);
02455               }
02456 #endif
02457             /* if none written, end of file is reached -> complain and return */
02458             if (tmperr <= 0)
02459               {
02460                 rsbac_printk(KERN_WARNING
02461                        "rsbac_sec_trunc(): write error on file!\n");
02462                 err = -RSBAC_EWRITEFAILED;
02463                 goto out;
02464               }
02465             new_len += tmperr;
02466           }
02467 
02468         out:
02469         /* Set current user space back to user space, because read() writes */
02470         /* to user space */
02471         set_fs(oldfs);
02472 
02473 #ifdef CONFIG_RSBAC_DEBUG
02474 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0))
02475         if(need_lock)
02476 #endif
02477         if(rsbac_debug_write)
02478           {
02479             rsbac_printk(KERN_DEBUG
02480                    "rsbac_sec_trunc(): syncing file %lu on device %02u:%02u!\n",
02481                    dentry_p->d_inode->i_ino,
02482                    MAJOR(dentry_p->d_inode->i_sb->s_dev),
02483                    MINOR(dentry_p->d_inode->i_sb->s_dev));
02484           }
02485 #endif
02486 
02487 //        err = fsync_inode_buffers(dentry_p->d_inode);
02488 #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0))
02489         err = fsync_inode_data_buffers(dentry_p->d_inode);
02490 #else
02491         if(need_lock)
02492           err = file_fsync(&file, dentry_p, 1);
02493 #endif
02494           
02495 /*
02496         if (file.f_op->flush)
02497           file.f_op->flush(&file);
02498         if (file.f_op->release)
02499           file.f_op->release(dentry_p->d_inode,&file);
02500 */
02501         /* End of write access                     */
02502 //        put_write_access(dentry_p->d_inode);
02503 
02504         rsbac_vkfree(buffer, vmalloc_used);
02505       }
02506 
02507     /* Ready. */
02508     return(err);
02509 
02510 #endif /* else of MAINT */
02511   }
02512 
02513 EXPORT_SYMBOL(rsbac_sec_trunc);
02514 int rsbac_sec_trunc(struct dentry * dentry_p,
02515                     loff_t new_len, loff_t old_len)
02516   {
02517     return do_rsbac_sec_trunc(dentry_p, new_len, old_len, TRUE);
02518   }
02519 
02520 EXPORT_SYMBOL(rsbac_sec_del);
02521 int rsbac_sec_del(struct dentry * dentry_p)
02522   {
02523     return do_rsbac_sec_trunc(dentry_p,
02524                               0,
02525                               dentry_p->d_inode->i_size,
02526                               FALSE);
02527   }
02528 
02529 #else /* no SECDEL */
02530 EXPORT_SYMBOL(rsbac_sec_trunc);
02531 int rsbac_sec_trunc(struct dentry * dentry_p,
02532                     loff_t new_len, loff_t old_len)
02533   {
02534     return 0;
02535   }
02536 EXPORT_SYMBOL(rsbac_sec_del);
02537 int rsbac_sec_del(struct dentry * dentry_p)
02538   {
02539     return 0;
02540   }
02541 #endif /* SECDEL */
02542 
02543 #ifdef CONFIG_RSBAC_SYM_REDIR
02544 EXPORT_SYMBOL(rsbac_symlink_redirect);
02545 
02546 /* This function changes the symlink content by adding a suffix, if
02547  * requested. It returns NULL, if unchanged, or a pointer to a
02548  * kmalloc'd new char * otherwise, which has to be kfree'd after use.
02549  */
02550 char * rsbac_symlink_redirect(
02551   struct dentry * dentry_p,
02552   const char * name,
02553   u_int maxlen)
02554   {
02555     int                            err;
02556     union rsbac_target_id_t        i_tid;
02557     char                         * new_name = NULL;
02558 #if defined(CONFIG_RSBAC_SYM_REDIR_REMOTE_IP) || defined(CONFIG_RSBAC_SYM_REDIR_MAC) || defined(CONFIG_RSBAC_SYM_REDIR_RC)
02559     union rsbac_target_id_t        i_tid2;
02560 #endif
02561     union rsbac_attribute_value_t  i_attr_val;
02562 
02563     if(!name)
02564       return NULL;
02565     if(!dentry_p || !dentry_p->d_inode)
02566       return NULL;
02567     if (!rsbac_is_initialized())
02568       return NULL;
02569 
02570     if(!S_ISLNK(dentry_p->d_inode->i_mode))
02571       {
02572         rsbac_printk(KERN_DEBUG
02573                "rsbac_symlink_redirect(): called for non-symlink inode %u on dev %02u:%02u!\n",
02574                i_tid.symlink.inode,
02575                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02576         return NULL;
02577       }
02578 
02579     i_tid.symlink.device = dentry_p->d_inode->i_sb->s_dev;
02580     i_tid.symlink.inode = dentry_p->d_inode->i_ino;
02581     i_tid.symlink.dentry_p = dentry_p;
02582 #ifdef CONFIG_RSBAC_DEBUG
02583     if (rsbac_debug_aef)
02584       {
02585         rsbac_printk(KERN_DEBUG
02586                "rsbac_symlink_redirect(): called for symlink inode %u on dev %02u:%02u!\n",
02587                i_tid.symlink.inode,
02588                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02589       }
02590 #endif
02591 
02592 #ifdef CONFIG_RSBAC_SYM_REDIR_REMOTE_IP
02593     if ((err = rsbac_get_attr(GEN,
02594                               T_SYMLINK,
02595                               i_tid,
02596                               A_symlink_add_remote_ip,
02597                               &i_attr_val,
02598                               FALSE) ))
02599       {
02600         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_remote_ip, err);
02601         if(new_name)
02602           kfree(new_name);
02603         return NULL;  /* something weird happened */
02604       }
02605     if(i_attr_val.symlink_add_remote_ip)
02606       {
02607         u_int len;
02608         rsbac_enum_t add_remote_ip;
02609         __u32 addr;
02610 
02611         len = strlen(name);
02612         while(   len
02613               && (name[len-1] >= '0')
02614               && (name[len-1] <= '9')
02615              )
02616           len--;
02617         if(len > (maxlen - 20))
02618           {
02619             if(new_name)
02620               kfree(new_name);
02621             rsbac_printk(KERN_DEBUG
02622                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02623                i_tid.symlink.inode,
02624                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02625             return NULL;
02626           }
02627         add_remote_ip = i_attr_val.symlink_add_remote_ip;
02628         i_tid2.process = current->pid;
02629         if ((err = rsbac_get_attr(GEN,
02630                                   T_PROCESS,
02631                                   i_tid2,
02632                                   A_remote_ip,
02633                                   &i_attr_val,
02634                                   FALSE) ))
02635           {
02636             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_remote_ip, err);
02637             if(new_name)
02638               kfree(new_name);
02639             return NULL;  /* something weird happened */
02640           }
02641         addr = i_attr_val.remote_ip;
02642         if(!new_name)
02643           {
02644             new_name = kmalloc(maxlen, GFP_KERNEL);
02645             if(!new_name)
02646               {
02647                 rsbac_printk(KERN_DEBUG
02648                              "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02649                              i_tid.symlink.inode,
02650                              RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02651                 return NULL;
02652               }
02653             strcpy(new_name, name);
02654           }
02655         switch(add_remote_ip)
02656           {
02657             case 1:
02658               sprintf(new_name+len, "%u",
02659                       ((unsigned char *)&addr)[0]);
02660               break;
02661             case 2:
02662               sprintf(new_name+len, "%u.%u",
02663                       ((unsigned char *)&addr)[0],
02664                       ((unsigned char *)&addr)[1]);
02665               break;
02666             case 3:
02667               sprintf(new_name+len, "%u.%u.%u",
02668                       ((unsigned char *)&addr)[0],
02669                       ((unsigned char *)&addr)[1],
02670                       ((unsigned char *)&addr)[2]);
02671               break;
02672             default:
02673               sprintf(new_name+len, "%u.%u.%u.%u",
02674                       ((unsigned char *)&addr)[0],
02675                       ((unsigned char *)&addr)[1],
02676                       ((unsigned char *)&addr)[2],
02677                       ((unsigned char *)&addr)[3]);
02678           }
02679       }
02680 #endif
02681 
02682 #ifdef CONFIG_RSBAC_SYM_REDIR_UID
02683     if ((err = rsbac_get_attr(GEN,
02684                               T_SYMLINK,
02685                               i_tid,
02686                               A_symlink_add_uid,
02687                               &i_attr_val,
02688                               FALSE) ))
02689       {
02690         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_uid, err);
02691         if(new_name)
02692           kfree(new_name);
02693             rsbac_printk(KERN_DEBUG
02694                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02695                i_tid.symlink.inode,
02696                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02697         return NULL;  /* something weird happened */
02698       }
02699     if(i_attr_val.symlink_add_uid)
02700       {
02701         rsbac_uid_t user;
02702         u_int len;
02703 
02704         len = strlen(name);
02705         while(   len
02706               && (name[len-1] >= '0')
02707               && (name[len-1] <= '9')
02708              )
02709           len--;
02710         if(len > (maxlen - 20))
02711           {
02712             if(new_name)
02713               kfree(new_name);
02714             rsbac_printk(KERN_DEBUG
02715                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02716                i_tid.symlink.inode,
02717                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02718             return NULL;
02719           }
02720         if(!rsbac_get_owner(&user))
02721           {
02722             if(!new_name)
02723               {
02724                 new_name = kmalloc(maxlen, GFP_KERNEL);
02725                 if(!new_name)
02726                   {
02727                     rsbac_printk(KERN_DEBUG
02728                                  "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02729                                  i_tid.symlink.inode,
02730                                  RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02731                     return NULL;
02732                   }
02733                 strcpy(new_name, name);
02734               }
02735             ulongtostr(new_name+len, user);
02736           }
02737       }
02738 #endif
02739 
02740 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC
02741     if ((err = rsbac_get_attr(GEN,
02742                               T_SYMLINK,
02743                               i_tid,
02744                               A_symlink_add_mac_level,
02745                               &i_attr_val,
02746                               FALSE) ))
02747       {
02748         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_mac_level, err);
02749         if(new_name)
02750           kfree(new_name);
02751         return NULL;  /* something weird happened */
02752       }
02753     if(i_attr_val.symlink_add_mac_level)
02754       {
02755         u_int len;
02756 
02757         len = strlen(name);
02758         while(   len
02759               && (   (   (name[len-1] >= '0')
02760                       && (name[len-1] <= '9')
02761                      )
02762 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02763                   || (name[len-1] == ':')
02764 #endif
02765                  )
02766              )
02767           len--;
02768 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02769         if(len > (maxlen - 85))
02770 #else
02771         if(len > (maxlen - 20))
02772 #endif
02773           {
02774             if(new_name)
02775               kfree(new_name);
02776             rsbac_printk(KERN_DEBUG
02777                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02778                i_tid.symlink.inode,
02779                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02780             return NULL;
02781           }
02782 
02783         i_tid2.process = current->pid;
02784         if ((err = rsbac_get_attr(MAC,
02785                                   T_PROCESS,
02786                                   i_tid2,
02787                                   A_current_sec_level,
02788                                   &i_attr_val,
02789                                   FALSE) ))
02790           {
02791             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_current_sec_level, err);
02792             if(new_name)
02793               kfree(new_name);
02794             return NULL;  /* something weird happened */
02795           }
02796 
02797         if(!new_name)
02798           {
02799             new_name = kmalloc(maxlen, GFP_KERNEL);
02800             if(!new_name)
02801               {
02802                 rsbac_printk(KERN_DEBUG
02803                              "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02804                              i_tid.symlink.inode,
02805                              RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02806                 return NULL;
02807               }
02808             strcpy(new_name, name);
02809           }
02810 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02811         len+=sprintf(new_name+len, "%u:", i_attr_val.current_sec_level);
02812 #else
02813         len+=sprintf(new_name+len, "%u", i_attr_val.current_sec_level);
02814 #endif
02815 
02816 #ifdef CONFIG_RSBAC_SYM_REDIR_MAC_CAT
02817         if ((err = rsbac_get_attr(MAC,
02818                                   T_PROCESS,
02819                                   i_tid2,
02820                                   A_mac_curr_categories,
02821                                   &i_attr_val,
02822                                   FALSE) ))
02823           {
02824             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_mac_curr_categories, err);
02825             if(new_name)
02826               kfree(new_name);
02827             return NULL;  /* something weird happened */
02828           }
02829         u64tostrmac(new_name+len, i_attr_val.mac_categories);
02830 #endif
02831       }
02832 #endif
02833 
02834 #ifdef CONFIG_RSBAC_SYM_REDIR_RC
02835     if ((err = rsbac_get_attr(GEN,
02836                               T_SYMLINK,
02837                               i_tid,
02838                               A_symlink_add_rc_role,
02839                               &i_attr_val,
02840                               FALSE) ))
02841       {
02842         rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_symlink_add_rc_role, err);
02843         if(new_name)
02844           kfree(new_name);
02845         return NULL;  /* something weird happened */
02846       }
02847     if(i_attr_val.symlink_add_rc_role)
02848       {
02849         u_int len;
02850 
02851         len = strlen(name);
02852         while(   len
02853               && (name[len-1] >= '0')
02854               && (name[len-1] <= '9')
02855              )
02856           len--;
02857         if(len > (maxlen - 20))
02858           {
02859             if(new_name)
02860               kfree(new_name);
02861             rsbac_printk(KERN_DEBUG
02862                "rsbac_symlink_redirect(): not enough space for symlink inode %u on dev %02u:%02u!\n",
02863                i_tid.symlink.inode,
02864                RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02865             return NULL;
02866           }
02867 
02868         i_tid2.process = current->pid;
02869         if ((err = rsbac_get_attr(RC,
02870                                   T_PROCESS,
02871                                   i_tid2,
02872                                   A_rc_role,
02873                                   &i_attr_val,
02874                                   FALSE) ))
02875           {
02876             rsbac_ds_get_error_num("rsbac_symlink_redirect()", A_rc_role, err);
02877             if(new_name)
02878               kfree(new_name);
02879             return NULL;  /* something weird happened */
02880           }
02881 
02882         if(!new_name)
02883           {
02884             new_name = kmalloc(maxlen, GFP_KERNEL);
02885             if(!new_name)
02886               {
02887                 rsbac_printk(KERN_DEBUG
02888                              "rsbac_symlink_redirect(): could not allocate memory for redirection of inode %u on dev %02u:%02u!\n",
02889                              i_tid.symlink.inode,
02890                              RSBAC_MAJOR(i_tid.symlink.device), RSBAC_MINOR(i_tid.symlink.device) );
02891                 return NULL;
02892               }
02893             strcpy(new_name, name);
02894           }
02895         ulongtostr(new_name+len, i_attr_val.rc_role);
02896       }
02897 #endif
02898 
02899     return new_name;
02900   }
02901 #endif
02902 
02903 #ifdef CONFIG_RSBAC_ALLOW_DAC_DISABLE_PART
02904 int rsbac_dac_part_disabled(struct dentry * dentry_p)
02905   {
02906     int                            err;
02907     enum  rsbac_target_t           i_target;
02908     union rsbac_target_id_t        i_tid;
02909     union rsbac_attribute_value_t  i_attr_val;
02910 
02911     if(!dentry_p || !dentry_p->d_inode || !dentry_p->d_inode->i_sb->s_dev || !rsbac_is_initialized())
02912       return FALSE;
02913 
02914     if(S_ISREG(dentry_p->d_inode->i_mode))
02915       i_target = T_FILE;
02916     else
02917     if(S_ISDIR(dentry_p->d_inode->i_mode))
02918       i_target = T_DIR;
02919     else
02920     if(S_ISFIFO(dentry_p->d_inode->i_mode))
02921       i_target = T_FIFO;
02922     else
02923     if(S_ISLNK(dentry_p->d_inode->i_mode))
02924       i_target = T_SYMLINK;
02925     else
02926       return FALSE;
02927 
02928     i_tid.file.device = dentry_p->d_sb->s_dev;
02929     i_tid.file.inode = dentry_p->d_inode->i_ino;
02930     i_tid.file.dentry_p = dentry_p;
02931 
02932 #ifdef CONFIG_RSBAC_DEBUG
02933     if (rsbac_debug_aef)
02934       {
02935         rsbac_printk(KERN_DEBUG
02936                "rsbac_dac_part_disable(): called for dentry_p->d_inode %u on dev %02u:%02u, dentry_p %p!\n",
02937                i_tid.file.inode,
02938                RSBAC_MAJOR(i_tid.file.device), RSBAC_MINOR(i_tid.file.device),
02939                i_tid.file.dentry_p );
02940       }
02941 #endif
02942 
02943     if ((err = rsbac_get_attr(GEN,
02944                               i_target,
02945                               i_tid,
02946                               A_linux_dac_disable,
02947                               &i_attr_val,
02948                               TRUE) ))
02949       {
02950         rsbac_printk(KERN_WARNING
02951                "rsbac_dac_part_disable(): rsbac_get_attr() for linux_dac_disable returned error %i!\n",
02952                err);
02953         return FALSE;  /* something weird happened */
02954       }
02955     if(i_attr_val.linux_dac_disable == LDD_true)
02956       return TRUE;
02957     else
02958       return FALSE;
02959   }
02960 #endif
02961 
02962 #ifdef CONFIG_RSBAC_FAKE_ROOT_UID
02963 rsbac_uid_t rsbac_fake_uid(void)
02964   {
02965     int                            err;
02966     union rsbac_target_id_t        i_tid;
02967     union rsbac_attribute_value_t  i_attr_val;
02968 
02969     if(!current->uid)
02970       return 0;
02971     if (!rsbac_is_initialized())
02972       return current->uid;
02973 
02974     i_tid.process = current->pid;
02975     if ((err = rsbac_get_attr(GEN,
02976                               T_PROCESS,
02977                               i_tid,
02978                               A_fake_root_uid,
02979                               &i_attr_val,
02980                               FALSE) ))
02981       {
02982         rsbac_ds_get_error("rsbac_fake_uid()", A_fake_root_uid);
02983         return current->uid;  /* something weird happened */
02984       }
02985     switch(i_attr_val.fake_root_uid)
02986       {
02987         case FR_both:
02988         case FR_uid_only:
02989           return 0;
02990         default:
02991           return current->uid;
02992       }
02993   }
02994 
02995 rsbac_uid_t rsbac_fake_euid(void)
02996   {
02997     int                            err;
02998     union rsbac_target_id_t        i_tid;
02999     union rsbac_attribute_value_t  i_attr_val;
03000 
03001     if(!current->euid)
03002       return 0;
03003     if (!rsbac_is_initialized())
03004       return current->euid;
03005 
03006     i_tid.process = current->pid;
03007     if ((err = rsbac_get_attr(GEN,
03008                               T_PROCESS,
03009                               i_tid,
03010                               A_fake_root_uid,
03011                               &i_attr_val,
03012                               FALSE) ))
03013       {
03014         rsbac_ds_get_error("rsbac_fake_euid()", A_fake_root_uid);
03015         return current->euid;  /* something weird happened */
03016       }
03017     switch(i_attr_val.fake_root_uid)
03018       {
03019         case FR_both:
03020         case FR_euid_only:
03021           return 0;
03022         default:
03023           return current->euid;
03024       }
03025   }
03026 
03027 int rsbac_uid_faked(void)
03028   {
03029     int                            err;
03030     union rsbac_target_id_t        i_tid;
03031     union rsbac_attribute_value_t  i_attr_val;
03032 
03033     if (!rsbac_is_initialized())
03034       return 0;
03035 
03036     i_tid.process = current->pid;
03037     if ((err = rsbac_get_attr(GEN,
03038                               T_PROCESS,
03039                               i_tid,
03040                               A_fake_root_uid,
03041                               &i_attr_val,
03042                               FALSE) ))
03043       {
03044         rsbac_ds_get_error("rsbac_uid_faked()", A_fake_root_uid);
03045         return 0;  /* something weird happened */
03046       }
03047     switch(i_attr_val.fake_root_uid)
03048       {
03049         case FR_both:
03050         case FR_uid_only:
03051           return 1;
03052         default:
03053           return 0;
03054       }
03055   }
03056 
03057 #endif
03058 
03059 int rsbac_set_audit_uid(rsbac_uid_t uid)
03060   {
03061     union rsbac_target_id_t       tid;
03062     union rsbac_attribute_value_t attr_val;
03063 
03064     if(!uid || (uid == current->uid))
03065       return 0;
03066     tid.process = current->pid;
03067     if (rsbac_get_attr(GEN,
03068                        T_PROCESS,
03069                        tid,
03070                        A_audit_uid,
03071                        &attr_val,
03072                        FALSE))
03073       {
03074         rsbac_ds_get_error("rsbac_set_audit_uid()", A_audit_uid);
03075         return -RSBAC_EREADFAILED;
03076       }
03077     if(attr_val.audit_uid != RSBAC_NO_USER)
03078       return 0;
03079 
03080     if (rsbac_get_attr(GEN,
03081                        T_PROCESS,
03082                        tid,
03083                        A_auid_exempt,
03084                        &attr_val,
03085                        FALSE))
03086       {
03087         rsbac_ds_get_error("rsbac_set_audit_uid()", A_auid_exempt);
03088         return -RSBAC_EREADFAILED;
03089       }
03090     if(attr_val.auid_exempt == uid)
03091       return 0;
03092 
03093     attr_val.audit_uid = uid;
03094     if (rsbac_set_attr(GEN,
03095                        T_PROCESS,
03096                        tid,
03097                        A_audit_uid,
03098                        attr_val))
03099       {
03100         rsbac_ds_set_error("rsbac_set_audit_uid()", A_audit_uid);
03101         return -RSBAC_EWRITEFAILED;
03102       }
03103     return 0;
03104   }
03105 
03106 #if defined(CONFIG_RSBAC_CAP_LOG_MISSING) || defined(CONFIG_RSBAC_JAIL_LOG_MISSING)
03107 EXPORT_SYMBOL(rsbac_log_missing_cap);
03108 
03109 void rsbac_log_missing_cap(int cap)
03110   {
03111     #if defined(CONFIG_RSBAC_CAP_LOG_MISSING)
03112     if(rsbac_cap_log_missing)
03113       rsbac_cap_log_missing_cap(cap);
03114     #endif
03115     #if defined(CONFIG_RSBAC_JAIL_LOG_MISSING)
03116     if(rsbac_jail_log_missing)
03117       rsbac_jail_log_missing_cap(cap);
03118     #endif
03119   }
03120 #endif
03121 
03122 /* end of rsbac/adf/main.c */
Generated on Sun May 21 14:30:49 2006 for RSBAC by  doxygen 1.4.2