#include <linux/init.h>#include <rsbac/types.h>Go to the source code of this file.
|
||||||||||||||||||||||||
|
Definition at line 9340 of file acl_data_structures.c. References ACLG_NONE, group_last_new, rsbac_acl_group_entry_t::id, rsbac_acl_group_entry_t::name, rsbac_acl_group_entry_t::owner, RSBAC_ACL_GROUP_NAMELEN, RSBAC_ECOULDNOTADDITEM, RSBAC_EEXISTS, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDVALUE, rsbac_ta_list_add_ttl(), rsbac_ta_list_exist(), and rsbac_acl_group_entry_t::type. Referenced by rsbac_acl_sys_group(). 09346 {
09347 struct rsbac_acl_group_entry_t entry;
09348 int err=0;
09349
09350 if(type >= ACLG_NONE)
09351 return -RSBAC_EINVALIDVALUE;
09352 if(!name || !group_id_p)
09353 return -RSBAC_EINVALIDPOINTER;
09354 if(!name[0])
09355 return -RSBAC_EINVALIDVALUE;
09356 entry.owner = owner;
09357 entry.type = type;
09358 strncpy(entry.name, name, RSBAC_ACL_GROUP_NAMELEN-1);
09359 entry.name[RSBAC_ACL_GROUP_NAMELEN-1] = 0;
09360 if(!*group_id_p)
09361 {
09362 /* step new group counter */
09363 group_last_new++;
09364 /* Just in case the counter has wrapped. It is almost impossible that all IDs are in use. */
09365 while(!group_last_new || rsbac_ta_list_exist(ta_number, group_handle, &group_last_new))
09366 group_last_new++;
09367
09368 entry.id = group_last_new;
09369 }
09370 else
09371 {
09372 if(rsbac_ta_list_exist(ta_number, group_handle, group_id_p))
09373 {
09374 return(-RSBAC_EEXISTS);
09375 }
09376 else
09377 entry.id = *group_id_p;
09378 }
09379 if(rsbac_ta_list_add_ttl(ta_number, group_handle, 0, &entry.id, &entry))
09380 err = -RSBAC_ECOULDNOTADDITEM;
09381 else
09382 {
09383 *group_id_p = entry.id;
09384 }
09385 return(err);
09386 }
|
|
||||||||||||||||||||
|
Definition at line 9497 of file acl_data_structures.c. References NULL, RSBAC_EINVALIDVALUE, rsbac_ta_list_exist(), rsbac_ta_list_lol_add_ttl(), rsbac_ta_list_lol_exist(), and rsbac_ta_list_lol_subadd_ttl(). Referenced by rsbac_acl_sys_group(). 09502 {
09503 int err = 0;
09504
09505 if(!group)
09506 return -RSBAC_EINVALIDVALUE;
09507 if(!rsbac_ta_list_exist(ta_number, group_handle, &group))
09508 return -RSBAC_EINVALIDVALUE;
09509
09510 if(!rsbac_ta_list_lol_exist(ta_number, gm_handle, &user))
09511 {
09512 err = rsbac_ta_list_lol_add_ttl(ta_number, gm_handle, 0, &user, NULL);
09513 if(err)
09514 return err;
09515 }
09516 return rsbac_ta_list_lol_subadd_ttl(ta_number, gm_handle, ttl, &user, &group, NULL);
09517 }
|
|
||||||||||||||||||||||||||||||||
|
Definition at line 5794 of file acl_data_structures.c. References acl_lookup_device(), ACLS_NONE, AST_none, D_block, D_block_major, D_char, D_char_major, rsbac_target_id_t::dev, fd_hash(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handles, I_none, rsbac_target_id_t::ipc, rsbac_acl_device_list_head_t::lock, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, NULL, rsbac_target_id_t::process, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_FD_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_add_ttl(), rsbac_ta_list_get_data_ttl(), rsbac_ta_list_lol_add_ttl(), rsbac_ta_list_lol_exist(), rsbac_ta_list_lol_get_subdata_ttl(), rsbac_ta_list_lol_subadd_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_USER, rsbac_ipc_t::type, rsbac_dev_desc_t::type, and rsbac_target_id_t::user. Referenced by rsbac_acl_check_right(), and rsbac_acl_sys_add_to_acl_entry(). 05802 {
05803 int err = 0;
05804 int list_no;
05805 struct rsbac_acl_device_list_item_t * device_p;
05806 rsbac_acl_rights_vector_t old_rights;
05807 struct rsbac_acl_entry_desc_t desc;
05808 u_long dflags;
05809
05810 if (!rsbac_is_initialized())
05811 {
05812 rsbac_printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): RSBAC not initialized\n");
05813 return(-RSBAC_ENOTINITIALIZED);
05814 }
05815 if (subj_type >= ACLS_NONE)
05816 return(-RSBAC_EINVALIDVALUE);
05817 #ifdef CONFIG_RSBAC_DEBUG
05818 if (in_interrupt())
05819 {
05820 rsbac_printk(KERN_WARNING "rsbac_acl_add_to_acl_entry(): called from interrupt!\n");
05821 }
05822 #endif
05823 desc.subj_type = subj_type;
05824 desc.subj_id = subj_id;
05825
05826 switch (target)
05827 {
05828 case T_FILE:
05829 case T_DIR:
05830 case T_FIFO:
05831 case T_SYMLINK:
05832 /*
05833 #ifdef CONFIG_RSBAC_DEBUG
05834 if (rsbac_debug_ds_acl)
05835 {
05836 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n",
05837 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode);
05838 }
05839 #endif
05840 */
05841 /* default entry? */
05842 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p)
05843 {
05844 if(!rsbac_ta_list_get_data_ttl(ta_number, default_fd_handle, NULL, &desc, &old_rights))
05845 rights |= old_rights;
05846 return rsbac_ta_list_add_ttl(ta_number, default_fd_handle, ttl, &desc, &rights);
05847 }
05848 /* wait for read access to device_list_head */
05849 rsbac_read_lock(&device_list_head.lock, &dflags);
05850 /* OK, go on */
05851 /* lookup device */
05852 device_p = acl_lookup_device(tid.file.device);
05853 if (!device_p)
05854 {
05855 /* trigger rsbac_mount() */
05856 rsbac_read_unlock(&device_list_head.lock, &dflags);
05857 rsbac_get_super_block(tid.file.device);
05858 /* retry */
05859 rsbac_read_lock(&device_list_head.lock, &dflags);
05860 device_p = acl_lookup_device(tid.file.device);
05861 if(!device_p)
05862 {
05863 rsbac_printk(KERN_WARNING
05864 "rsbac_acl_set_acl_entry(): Could not lookup device!\n");
05865 /* free read lock */
05866 rsbac_read_unlock(&device_list_head.lock, &dflags);
05867 return(-RSBAC_EINVALIDDEV);
05868 }
05869 }
05870 /* protect this list */
05871 list_no = fd_hash(tid.file.inode);
05872 if(!rsbac_ta_list_lol_exist(ta_number, device_p->handles[list_no], &tid.file.inode))
05873 { /* new acl */
05874 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_FD_MASK;
05875
05876 err = rsbac_ta_list_lol_add_ttl(ta_number, device_p->handles[list_no],
05877 0, &tid.file.inode, &mask);
05878 if(err)
05879 {
05880 rsbac_read_unlock(&device_list_head.lock, &dflags);
05881 return err;
05882 }
05883 }
05884 else
05885 { /* old entry? */
05886 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
05887 device_p->handles[list_no],
05888 NULL,
05889 &tid.file.inode,
05890 &desc,
05891 &old_rights))
05892 rights |= old_rights;
05893 }
05894 err = rsbac_ta_list_lol_subadd_ttl(ta_number,
05895 device_p->handles[list_no],
05896 ttl,
05897 &tid.file.inode,
05898 &desc,
05899 &rights);
05900 rsbac_read_unlock(&device_list_head.lock, &dflags);
05901 /* ready. */
05902 return err;
05903
05904 case T_DEV:
05905 /*
05906 #ifdef CONFIG_RSBAC_DEBUG
05907 if (rsbac_debug_ds_acl)
05908 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to device ACL entry for dev %c %02u:%02u\n",
05909 'B'+tid.dev.type,
05910 tid.dev.major,
05911 tid.dev.minor);
05912 #endif
05913 */
05914 /* default entry? */
05915 if(RSBAC_IS_ZERO_DEV_DESC(tid.dev))
05916 {
05917 if(!rsbac_ta_list_get_data_ttl(ta_number, default_dev_handle,
05918 NULL, &desc, &old_rights))
05919 rights |= old_rights;
05920 return rsbac_ta_list_add_ttl(ta_number, default_dev_handle, ttl, &desc, &rights);
05921 }
05922 switch(tid.dev.type)
05923 {
05924 case D_char:
05925 case D_block:
05926 if(!rsbac_ta_list_lol_exist(ta_number, dev_handle, &tid.dev))
05927 { /* new acl */
05928 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_DEV_MASK;
05929
05930 err = rsbac_ta_list_lol_add_ttl(ta_number, dev_handle,
05931 0, &tid.dev, &mask);
05932 if(err)
05933 return err;
05934 }
05935 else
05936 { /* old entry? */
05937 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number, dev_handle,
05938 NULL,
05939 &tid.dev,
05940 &desc,
05941 &old_rights))
05942 rights |= old_rights;
05943 }
05944 return rsbac_ta_list_lol_subadd_ttl(ta_number, dev_handle,
05945 ttl,
05946 &tid.dev,
05947 &desc,
05948 &rights);
05949
05950 case D_char_major:
05951 case D_block_major:
05952 tid.dev.type -= (D_block_major - D_block);
05953 if(!rsbac_ta_list_lol_exist(ta_number, dev_major_handle, &tid.dev))
05954 { /* new acl */
05955 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_DEV_MASK;
05956
05957 err = rsbac_ta_list_lol_add_ttl(ta_number, dev_major_handle,
05958 0, &tid.dev, &mask);
05959 if(err)
05960 return err;
05961 }
05962 else
05963 { /* old entry? */
05964 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number, dev_major_handle,
05965 NULL,
05966 &tid.dev,
05967 &desc,
05968 &old_rights))
05969 rights |= old_rights;
05970 }
05971 return rsbac_ta_list_lol_subadd_ttl(ta_number, dev_major_handle,
05972 ttl,
05973 &tid.dev,
05974 &desc,
05975 &rights);
05976
05977 default:
05978 return -RSBAC_EINVALIDTARGET;
05979 }
05980
05981 case T_IPC:
05982 /*
05983 #ifdef CONFIG_RSBAC_DEBUG
05984 if (rsbac_debug_ds_acl)
05985 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to IPC ACL for type %u\n",
05986 tid.ipc.type);
05987 #endif
05988 */
05989 /* default entry? */
05990 if(tid.ipc.type == I_none)
05991 {
05992 if(!rsbac_ta_list_get_data_ttl(ta_number, default_ipc_handle,
05993 NULL, &desc, &old_rights))
05994 rights |= old_rights;
05995 return rsbac_ta_list_add_ttl(ta_number, default_ipc_handle, ttl, &desc, &rights);
05996 }
05997 else
05998 return -RSBAC_EINVALIDTARGET;
05999
06000 case T_SCD:
06001 /*
06002 #ifdef CONFIG_RSBAC_DEBUG
06003 if (rsbac_debug_ds_acl)
06004 {
06005 char tmp[80];
06006
06007 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to SCD ACL entry for %s\n",
06008 get_acl_scd_type_name(tmp, tid.scd));
06009 }
06010 #endif
06011 */
06012 /* default entry? */
06013 if(tid.scd == AST_none)
06014 {
06015 if(!rsbac_ta_list_get_data_ttl(ta_number, default_scd_handle,
06016 NULL, &desc, &old_rights))
06017 rights |= old_rights;
06018 return rsbac_ta_list_add_ttl(ta_number, default_scd_handle, ttl, &desc, &rights);
06019 }
06020 if(!rsbac_ta_list_lol_exist(ta_number, scd_handle, &tid.scd))
06021 { /* new acl */
06022 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_SCD_MASK;
06023
06024 err = rsbac_ta_list_lol_add_ttl(ta_number, scd_handle, 0, &tid.scd, &mask);
06025 if(err)
06026 return err;
06027 }
06028 else
06029 { /* old entry? */
06030 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06031 scd_handle,
06032 NULL,
06033 &tid.scd,
06034 &desc,
06035 &old_rights))
06036 rights |= old_rights;
06037 }
06038 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06039 scd_handle,
06040 ttl,
06041 &tid.scd,
06042 &desc,
06043 &rights);
06044
06045 case T_USER:
06046 /*
06047 #ifdef CONFIG_RSBAC_DEBUG
06048 if (rsbac_debug_ds_acl)
06049 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to user ACL for user %u\n",
06050 tid.user);
06051 #endif
06052 */
06053 /* default entry? */
06054 if(tid.user == RSBAC_NO_USER)
06055 {
06056 if(!rsbac_ta_list_get_data_ttl(ta_number, default_u_handle, NULL, &desc, &old_rights))
06057 rights |= old_rights;
06058 return rsbac_ta_list_add_ttl(ta_number, default_u_handle, ttl, &desc, &rights);
06059 }
06060 if(!rsbac_ta_list_lol_exist(ta_number, u_handle, &tid.user))
06061 { /* new acl */
06062 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_U_MASK;
06063
06064 err = rsbac_ta_list_lol_add_ttl(ta_number, u_handle, 0, &tid.user, &mask);
06065 if(err)
06066 return err;
06067 }
06068 else
06069 { /* old subentry? */
06070 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06071 u_handle,
06072 NULL,
06073 &tid.user,
06074 &desc,
06075 &old_rights))
06076 rights |= old_rights;
06077 }
06078 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06079 u_handle,
06080 ttl,
06081 &tid.user,
06082 &desc,
06083 &rights);
06084
06085 case T_PROCESS:
06086 /*
06087 #ifdef CONFIG_RSBAC_DEBUG
06088 if (rsbac_debug_ds_acl)
06089 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to process ACL for pid %u\n",
06090 tid.process);
06091 #endif
06092 */
06093 /* default entry? */
06094 if(!tid.process)
06095 {
06096 if(!rsbac_ta_list_get_data_ttl(ta_number, default_p_handle, NULL, &desc, &old_rights))
06097 rights |= old_rights;
06098 return rsbac_ta_list_add_ttl(ta_number, default_p_handle, ttl, &desc, &rights);
06099 }
06100 else
06101 return -RSBAC_EINVALIDTARGET;
06102
06103 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06104 case T_GROUP:
06105 /*
06106 #ifdef CONFIG_RSBAC_DEBUG
06107 if (rsbac_debug_ds_acl)
06108 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to Linux group ACL for group %u\n",
06109 tid.group);
06110 #endif
06111 */
06112 /* default entry? */
06113 if(tid.group == RSBAC_NO_GROUP)
06114 {
06115 if(!rsbac_ta_list_get_data_ttl(ta_number, default_g_handle, NULL, &desc, &old_rights))
06116 rights |= old_rights;
06117 return rsbac_ta_list_add_ttl(ta_number, default_g_handle, ttl, &desc, &rights);
06118 }
06119 if(!rsbac_ta_list_lol_exist(ta_number, g_handle, &tid.group))
06120 { /* new acl */
06121 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_G_MASK;
06122
06123 err = rsbac_ta_list_lol_add_ttl(ta_number, g_handle, 0, &tid.group, &mask);
06124 if(err)
06125 return err;
06126 }
06127 else
06128 { /* old subentry? */
06129 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06130 g_handle,
06131 NULL,
06132 &tid.group,
06133 &desc,
06134 &old_rights))
06135 rights |= old_rights;
06136 }
06137 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06138 g_handle,
06139 ttl,
06140 &tid.group,
06141 &desc,
06142 &rights);
06143 #endif
06144
06145 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
06146 case T_NETDEV:
06147 /*
06148 #ifdef CONFIG_RSBAC_DEBUG
06149 if (rsbac_debug_ds_acl)
06150 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to network device ACL entry for netdev %s\n",
06151 tid.netdev);
06152 #endif
06153 */
06154 /* default entry? */
06155 if(!tid.netdev[0])
06156 {
06157 if(!rsbac_ta_list_get_data_ttl(ta_number, default_netdev_handle, NULL, &desc, &old_rights))
06158 rights |= old_rights;
06159 return rsbac_ta_list_add_ttl(ta_number, default_netdev_handle, ttl, &desc, &rights);
06160 }
06161 if(!rsbac_ta_list_lol_exist(ta_number, netdev_handle, &tid.netdev))
06162 { /* new acl */
06163 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETDEV_MASK;
06164
06165 err = rsbac_ta_list_lol_add_ttl(ta_number, netdev_handle, 0, &tid.netdev, &mask);
06166 if(err)
06167 return err;
06168 }
06169 else
06170 { /* old entry? */
06171 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06172 netdev_handle,
06173 NULL,
06174 &tid.netdev,
06175 &desc,
06176 &old_rights))
06177 rights |= old_rights;
06178 }
06179 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06180 netdev_handle,
06181 ttl,
06182 &tid.netdev,
06183 &desc,
06184 &rights);
06185 #endif
06186
06187 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
06188 case T_NETTEMP_NT:
06189 /*
06190 #ifdef CONFIG_RSBAC_DEBUG
06191 if (rsbac_debug_ds_acl)
06192 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to network template NT ACL entry for nettemp_nt %u\n",
06193 tid.nettemp);
06194 #endif
06195 */
06196 /* default entry? */
06197 if(!tid.nettemp)
06198 {
06199 if(!rsbac_ta_list_get_data_ttl(ta_number, default_nettemp_nt_handle, NULL, &desc, &old_rights))
06200 rights |= old_rights;
06201 return rsbac_ta_list_add_ttl(ta_number, default_nettemp_nt_handle, ttl, &desc, &rights);
06202 }
06203 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06204 return -RSBAC_EINVALIDTARGET;
06205 if(!rsbac_ta_list_lol_exist(ta_number, nettemp_nt_handle, &tid.nettemp))
06206 { /* new acl */
06207 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK;
06208
06209 err = rsbac_ta_list_lol_add_ttl(ta_number, nettemp_nt_handle, 0, &tid.nettemp, &mask);
06210 if(err)
06211 return err;
06212 }
06213 else
06214 { /* old entry? */
06215 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06216 nettemp_nt_handle,
06217 NULL,
06218 &tid.nettemp,
06219 &desc,
06220 &old_rights))
06221 rights |= old_rights;
06222 }
06223 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06224 nettemp_nt_handle,
06225 ttl,
06226 &tid.nettemp,
06227 &desc,
06228 &rights);
06229 case T_NETTEMP:
06230 /*
06231 #ifdef CONFIG_RSBAC_DEBUG
06232 if (rsbac_debug_ds_acl)
06233 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to network template ACL entry for nettemp %u\n",
06234 tid.nettemp);
06235 #endif
06236 */
06237 /* default entry? */
06238 if(!tid.nettemp)
06239 {
06240 return -RSBAC_EINVALIDTARGET;
06241 }
06242 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06243 return -RSBAC_EINVALIDTARGET;
06244 if(!rsbac_ta_list_lol_exist(ta_number, nettemp_handle, &tid.nettemp))
06245 { /* new acl */
06246 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
06247
06248 err = rsbac_ta_list_lol_add_ttl(ta_number, nettemp_handle, 0, &tid.nettemp, &mask);
06249 if(err)
06250 return err;
06251 }
06252 else
06253 { /* old entry? */
06254 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number, nettemp_handle,
06255 NULL, &tid.nettemp,
06256 &desc,
06257 &old_rights))
06258 rights |= old_rights;
06259 }
06260 return rsbac_ta_list_lol_subadd_ttl(ta_number, nettemp_handle,
06261 ttl,
06262 &tid.nettemp,
06263 &desc,
06264 &rights);
06265 case T_NETOBJ:
06266 /*
06267 #ifdef CONFIG_RSBAC_DEBUG
06268 if (rsbac_debug_ds_acl)
06269 rsbac_printk(KERN_DEBUG "rsbac_acl_add_to_acl_entry(): Adding to network object ACL entry for netobj %p\n",
06270 tid.netobj.sock_p);
06271 #endif
06272 */
06273 /* default entry? */
06274 if(!tid.netobj.sock_p)
06275 {
06276 if(!rsbac_ta_list_get_data_ttl(ta_number, default_netobj_handle, NULL, &desc, &old_rights))
06277 rights |= old_rights;
06278 return rsbac_ta_list_add_ttl(ta_number, default_netobj_handle, ttl,&desc, &rights);
06279 }
06280 if(!rsbac_ta_list_lol_exist(ta_number, netobj_handle, &tid.netobj.sock_p))
06281 { /* new acl */
06282 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
06283
06284 err = rsbac_ta_list_lol_add_ttl(ta_number, netobj_handle, 0, &tid.netobj.sock_p, &mask);
06285 if(err)
06286 return err;
06287 }
06288 else
06289 { /* old entry? */
06290 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06291 netobj_handle,
06292 NULL,
06293 &tid.netobj.sock_p,
06294 &desc,
06295 &old_rights))
06296 rights |= old_rights;
06297 }
06298 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06299 netobj_handle,
06300 ttl,
06301 &tid.netobj.sock_p,
06302 &desc,
06303 &rights);
06304 #endif /* NET_OBJ_PROT */
06305
06306 default:
06307 return -RSBAC_EINVALIDTARGET;
06308 }
06309 }
|
|
||||||||||||||||||||||||
|
Definition at line 9388 of file acl_data_structures.c. References rsbac_acl_group_entry_t::id, rsbac_acl_group_entry_t::name, rsbac_acl_group_entry_t::owner, RSBAC_ACL_GROUP_NAMELEN, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDVALUE, RSBAC_ENOTFOUND, rsbac_ta_list_add_ttl(), rsbac_ta_list_exist(), and rsbac_acl_group_entry_t::type. Referenced by rsbac_acl_sys_group(). 09394 {
09395 struct rsbac_acl_group_entry_t entry;
09396
09397 if(!id)
09398 return -RSBAC_EINVALIDVALUE;
09399 if(!rsbac_ta_list_exist(ta_number, group_handle, &id))
09400 return(-RSBAC_ENOTFOUND);
09401 if(!name)
09402 return -RSBAC_EINVALIDPOINTER;
09403 if(!name[0])
09404 return -RSBAC_EINVALIDVALUE;
09405 entry.id = id;
09406 entry.owner = owner;
09407 entry.type = type;
09408 strncpy(entry.name, name, RSBAC_ACL_GROUP_NAMELEN);
09409 entry.name[RSBAC_ACL_GROUP_NAMELEN-1] = 0;
09410 return rsbac_ta_list_add_ttl(ta_number, group_handle, 0, &entry.id, &entry);
09411 }
|
|
||||||||||||
|
|
|
||||||||||||
|
|
|
||||||||||||||||
|
Definition at line 9436 of file acl_data_structures.c. References NULL, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDVALUE, and rsbac_ta_list_get_data_ttl(). Referenced by rsbac_acl_sys_group(), sys_rsbac_acl(), sys_rsbac_acl_get_rights(), sys_rsbac_acl_get_rights_n(), and sys_rsbac_acl_n(). 09440 {
09441 if(!group)
09442 return -RSBAC_EINVALIDVALUE;
09443 if(!entry_p)
09444 return -RSBAC_EINVALIDPOINTER;
09445 return rsbac_ta_list_get_data_ttl(ta_number, group_handle, NULL, &group, entry_p);
09446 }
|
|
||||||||||||||||||||||||
|
Definition at line 9564 of file acl_data_structures.c. References NULL, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDVALUE, rsbac_ta_list_exist(), rsbac_ta_list_lol_get_all_desc(), rsbac_ta_list_lol_get_subdata_ttl(), and rsbac_vfree. Referenced by rsbac_acl_sys_group(). 09570 {
09571 long desc_count;
09572 long i;
09573 rsbac_uid_t * user_p;
09574 int err = 0;
09575
09576 if(!group || (maxnum <= 0))
09577 return -RSBAC_EINVALIDVALUE;
09578 if(!rsbac_ta_list_exist(ta_number, group_handle, &group))
09579 return -RSBAC_EINVALIDVALUE;
09580 if(!user_array)
09581 return -RSBAC_EINVALIDPOINTER;
09582
09583 /* traverse group memberships */
09584 desc_count = rsbac_ta_list_lol_get_all_desc(ta_number, gm_handle, (void **) &user_p);
09585 if(desc_count > 0)
09586 {
09587 rsbac_time_t ttl;
09588
09589 for(i=0; i<desc_count; i++)
09590 {
09591 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number, gm_handle, &ttl, &user_p[i], &group, NULL))
09592 {
09593 user_array[err] = user_p[i];
09594 if(ttl_array)
09595 ttl_array[err] = ttl;
09596 err++;
09597 if(err >= maxnum)
09598 break;
09599 }
09600 }
09601 rsbac_vfree(user_p);
09602 }
09603 return(err);
09604 }
|
|
||||||||||||||||||||
|
Definition at line 7052 of file acl_data_structures.c. References acl_lookup_device(), AST_none, D_block, D_block_major, D_char, D_char_major, D_none, rsbac_target_id_t::dev, fd_hash(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handles, rsbac_acl_device_list_head_t::lock, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, NULL, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_FD_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_ENOTFOUND, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_lol_get_data_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_NONE, T_SCD, T_SYMLINK, T_USER, rsbac_dev_desc_t::type, and rsbac_target_id_t::user. 07057 {
07058 int err = 0;
07059 int list_no;
07060 struct rsbac_acl_device_list_item_t * device_p;
07061 u_long dflags;
07062
07063 if (!rsbac_is_initialized())
07064 {
07065 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): RSBAC not initialized\n");
07066 return(-RSBAC_ENOTINITIALIZED);
07067 }
07068 if (target >= T_NONE)
07069 return(-RSBAC_EINVALIDTARGET);
07070 #ifdef CONFIG_RSBAC_DEBUG
07071 if (in_interrupt())
07072 {
07073 rsbac_printk(KERN_WARNING "rsbac_acl_get_mask(): called from interrupt!\n");
07074 }
07075 #endif
07076 switch (target)
07077 {
07078 case T_FILE:
07079 case T_DIR:
07080 case T_FIFO:
07081 case T_SYMLINK:
07082 /* default entry? */
07083 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p)
07084 {
07085 return -RSBAC_EINVALIDTARGET;
07086 }
07087 /*
07088 #ifdef CONFIG_RSBAC_DEBUG
07089 if (rsbac_debug_ds_acl)
07090 rsbac_printk(KERN_DEBUG "rsbac_acl_get_mask(): Getting file/dir/fifo/symlink inheritance mask for device %02u:%02u, inode %u\n",
07091 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode);
07092 #endif
07093 */
07094 /* wait for read access to device_list_head */
07095 rsbac_read_lock(&device_list_head.lock, &dflags);
07096 /* OK, go on */
07097 /* lookup device */
07098 device_p = acl_lookup_device(tid.file.device);
07099 if (!device_p)
07100 {
07101 /* trigger rsbac_mount() */
07102 rsbac_read_unlock(&device_list_head.lock, &dflags);
07103 rsbac_get_super_block(tid.file.device);
07104 /* retry */
07105 rsbac_read_lock(&device_list_head.lock, &dflags);
07106 device_p = acl_lookup_device(tid.file.device);
07107 if(!device_p)
07108 {
07109 rsbac_printk(KERN_WARNING
07110 "rsbac_acl_get_mask(): Could not lookup device!\n");
07111 /* free read lock */
07112 rsbac_read_unlock(&device_list_head.lock, &dflags);
07113 return(-RSBAC_EINVALIDDEV);
07114 }
07115 }
07116 list_no = fd_hash(tid.file.inode);
07117 err = rsbac_ta_list_lol_get_data_ttl(ta_number, device_p->handles[list_no],
07118 NULL, &tid.file.inode, mask_p);
07119 /* unlock */
07120 rsbac_read_unlock(&device_list_head.lock, &dflags);
07121 if(err == -RSBAC_ENOTFOUND)
07122 {
07123 *mask_p = RSBAC_ACL_DEFAULT_FD_MASK;
07124 err = 0;
07125 }
07126 /* ready. */
07127 return err;
07128
07129 case T_DEV:
07130 /* default entry? */
07131 if(tid.dev.type == D_none)
07132 {
07133 return -RSBAC_EINVALIDTARGET;
07134 }
07135 /*
07136 #ifdef CONFIG_RSBAC_DEBUG
07137 if (rsbac_debug_ds_acl)
07138 rsbac_printk(KERN_DEBUG "rsbac_acl_get_mask(): Getting device inheritance mask for dev %c %02u:%02u\n",
07139 'B'+tid.dev.type,
07140 tid.dev.major,
07141 tid.dev.minor);
07142 #endif
07143 */
07144 switch(tid.dev.type)
07145 {
07146 case D_char:
07147 case D_block:
07148 err = rsbac_ta_list_lol_get_data_ttl(ta_number, dev_handle,
07149 NULL, &tid.dev, mask_p);
07150 break;
07151
07152 case D_char_major:
07153 case D_block_major:
07154 tid.dev.type -= (D_block_major - D_block);
07155 err = rsbac_ta_list_lol_get_data_ttl(ta_number, dev_major_handle,
07156 NULL, &tid.dev, mask_p);
07157 break;
07158
07159 default:
07160 return -RSBAC_EINVALIDTARGET;
07161 }
07162 if(err == -RSBAC_ENOTFOUND)
07163 {
07164 *mask_p = RSBAC_ACL_DEFAULT_DEV_MASK;
07165 err = 0;
07166 }
07167 /* ready. */
07168 return err;
07169
07170 case T_SCD:
07171 /* default entry? */
07172 if(tid.scd == AST_none)
07173 {
07174 return -RSBAC_EINVALIDTARGET;
07175 }
07176 err = rsbac_ta_list_lol_get_data_ttl(ta_number, scd_handle, NULL,
07177 &tid.scd, mask_p);
07178 if(err == -RSBAC_ENOTFOUND)
07179 {
07180 *mask_p = RSBAC_ACL_DEFAULT_SCD_MASK;
07181 err = 0;
07182 }
07183 /* ready. */
07184 return err;
07185
07186 case T_USER:
07187 /* default entry? */
07188 if(tid.user == RSBAC_NO_USER)
07189 {
07190 return -RSBAC_EINVALIDTARGET;
07191 }
07192 err = rsbac_ta_list_lol_get_data_ttl(ta_number, u_handle, NULL,
07193 &tid.user, mask_p);
07194 if(err == -RSBAC_ENOTFOUND)
07195 {
07196 *mask_p = RSBAC_ACL_DEFAULT_U_MASK;
07197 err = 0;
07198 }
07199 /* ready. */
07200 return err;
07201
07202 #ifdef CONFIG_RSBAC_ACL_UM_PROT
07203 case T_GROUP:
07204 /* default entry? */
07205 if(tid.group == RSBAC_NO_GROUP)
07206 {
07207 return -RSBAC_EINVALIDTARGET;
07208 }
07209 err = rsbac_ta_list_lol_get_data_ttl(ta_number, g_handle, NULL,
07210 &tid.group, mask_p);
07211 if(err == -RSBAC_ENOTFOUND)
07212 {
07213 *mask_p = RSBAC_ACL_DEFAULT_G_MASK;
07214 err = 0;
07215 }
07216 /* ready. */
07217 return err;
07218 #endif
07219
07220 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
07221 case T_NETDEV:
07222 /* default entry? */
07223 if(!tid.netdev[0])
07224 {
07225 return -RSBAC_EINVALIDTARGET;
07226 }
07227 /*
07228 #ifdef CONFIG_RSBAC_DEBUG
07229 if (rsbac_debug_ds_acl)
07230 rsbac_printk(KERN_DEBUG
07231 "rsbac_acl_get_mask(): Getting network device inheritance mask for netdev %s\n",
07232 tid.netdev);
07233 #endif
07234 */
07235 err = rsbac_ta_list_lol_get_data_ttl(ta_number, netdev_handle,
07236 NULL, &tid.netdev, mask_p);
07237 if(err == -RSBAC_ENOTFOUND)
07238 {
07239 *mask_p = RSBAC_ACL_DEFAULT_NETDEV_MASK;
07240 err = 0;
07241 }
07242 /* ready. */
07243 return err;
07244 #endif
07245
07246 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
07247 case T_NETTEMP_NT:
07248 /* default entry? */
07249 if(!tid.nettemp)
07250 {
07251 return -RSBAC_EINVALIDTARGET;
07252 }
07253 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07254 return -RSBAC_EINVALIDTARGET;
07255 /*
07256 #ifdef CONFIG_RSBAC_DEBUG
07257 if (rsbac_debug_ds_acl)
07258 rsbac_printk(KERN_DEBUG
07259 "rsbac_acl_get_mask(): Getting network template NT inheritance mask for nettemp %u\n",
07260 tid.nettemp);
07261 #endif
07262 */
07263 err = rsbac_ta_list_lol_get_data_ttl(ta_number, nettemp_nt_handle,
07264 NULL, &tid.nettemp, mask_p);
07265 if(err == -RSBAC_ENOTFOUND)
07266 {
07267 *mask_p = RSBAC_ACL_DEFAULT_NETTEMP_MASK;
07268 err = 0;
07269 }
07270 /* ready. */
07271 return err;
07272 case T_NETTEMP:
07273 /* default entry? */
07274 if(!tid.nettemp)
07275 {
07276 return -RSBAC_EINVALIDTARGET;
07277 }
07278 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07279 return -RSBAC_EINVALIDTARGET;
07280 /*
07281 #ifdef CONFIG_RSBAC_DEBUG
07282 if (rsbac_debug_ds_acl)
07283 rsbac_printk(KERN_DEBUG
07284 "rsbac_acl_get_mask(): Getting network template inheritance mask for nettemp %u\n",
07285 tid.nettemp);
07286 #endif
07287 */
07288 err = rsbac_ta_list_lol_get_data_ttl(ta_number, nettemp_handle,
07289 NULL, &tid.nettemp, mask_p);
07290 if(err == -RSBAC_ENOTFOUND)
07291 {
07292 *mask_p = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07293 err = 0;
07294 }
07295 /* ready. */
07296 return err;
07297 case T_NETOBJ:
07298 /* default entry? */
07299 if(!tid.netobj.sock_p)
07300 {
07301 return -RSBAC_EINVALIDTARGET;
07302 }
07303 /*
07304 #ifdef CONFIG_RSBAC_DEBUG
07305 if (rsbac_debug_ds_acl)
07306 rsbac_printk(KERN_DEBUG
07307 "rsbac_acl_get_mask(): Getting network object inheritance mask for netobj %p\n",
07308 tid.netobj.sock_p);
07309 #endif
07310 */
07311 err = rsbac_ta_list_lol_get_data_ttl(ta_number, netobj_handle,
07312 NULL, &tid.netobj.sock_p, mask_p);
07313 if(err == -RSBAC_ENOTFOUND)
07314 {
07315 *mask_p = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07316 err = 0;
07317 }
07318 /* ready. */
07319 return err;
07320 #endif
07321
07322 default:
07323 err = -RSBAC_EINVALIDTARGET;
07324 }
07325 return(err);
07326 }
|
|
||||||||||||||||||||||||||||||||
|
Definition at line 7335 of file acl_data_structures.c. References acl_lookup_device(), ACLS_NONE, AST_none, D_block, D_block_major, D_char_major, default_dev_rights, default_fd_rights, default_ipc_rights, default_p_rights, default_scd_rights, default_u_rights, rsbac_target_id_t::dev, fd_hash(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handles, rsbac_acl_device_list_head_t::lock, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, NULL, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_FD_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_EINVALIDDEV, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_parent(), rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_get_data_ttl(), rsbac_ta_list_lol_get_data_ttl(), rsbac_ta_list_lol_get_subdata_ttl(), rsbac_ta_net_lookup_templates(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, ST_none, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_USER, rsbac_dev_desc_t::type, and rsbac_target_id_t::user. 07343 {
07344 int err = 0;
07345 int list_no;
07346 struct rsbac_acl_device_list_item_t * device_p;
07347 u_long dflags;
07348 struct rsbac_acl_entry_desc_t desc;
07349 rsbac_acl_rights_vector_t i_rights = 0;
07350 rsbac_acl_rights_vector_t mask = -1;
07351
07352 if (!rsbac_is_initialized())
07353 {
07354 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): RSBAC not initialized\n");
07355 return(-RSBAC_ENOTINITIALIZED);
07356 }
07357 if (!rights_p)
07358 return(-RSBAC_EINVALIDPOINTER);
07359 if (subj_type >= ACLS_NONE)
07360 return(-RSBAC_EINVALIDVALUE);
07361 #ifdef CONFIG_RSBAC_DEBUG
07362 if (in_interrupt())
07363 {
07364 rsbac_printk(KERN_WARNING "rsbac_acl_get_rights(): called from interrupt!\n");
07365 }
07366 #endif
07367 desc.subj_type = subj_type;
07368 desc.subj_id = subj_id;
07369
07370 switch (target)
07371 {
07372 case T_FILE:
07373 case T_DIR:
07374 case T_FIFO:
07375 case T_SYMLINK:
07376 /*
07377 #ifdef CONFIG_RSBAC_DEBUG
07378 if (rsbac_debug_ds_acl)
07379 {
07380 char tmp[20];
07381 rsbac_printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting rights of %s %u for device %02u:%02u, inode %u\n",
07382 get_acl_subject_type_name(tmp,subj_type), subj_id, RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode);
07383 }
07384 #endif
07385 */
07386 /* default entry? */
07387 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p)
07388 {
07389 if(rsbac_ta_list_get_data_ttl(ta_number, default_fd_handle,
07390 NULL, &desc, rights_p))
07391 {
07392 /* last resort: default rights */
07393 *rights_p = default_fd_rights;
07394 }
07395 return 0;
07396 }
07397 *rights_p = 0;
07398 /* wait for read access to device_list_head */
07399 rsbac_read_lock(&device_list_head.lock, &dflags);
07400 /* OK, go on */
07401 /* use loop for inheritance - used to be recursive calls */
07402 for (;;)
07403 {
07404 /* lookup device */
07405 device_p = acl_lookup_device(tid.file.device);
07406 if (!device_p)
07407 {
07408 /* trigger rsbac_mount() */
07409 rsbac_read_unlock(&device_list_head.lock, &dflags);
07410 rsbac_get_super_block(tid.file.device);
07411 /* retry */
07412 rsbac_read_lock(&device_list_head.lock, &dflags);
07413 device_p = acl_lookup_device(tid.file.device);
07414 if(!device_p)
07415 {
07416 rsbac_printk(KERN_WARNING
07417 "rsbac_acl_get_rights(): Could not lookup device %02u:%02u!\n",
07418 RSBAC_MAJOR(tid.file.device),RSBAC_MINOR(tid.file.device));
07419 /* free read lock */
07420 rsbac_read_unlock(&device_list_head.lock, &dflags);
07421 return(-RSBAC_EINVALIDDEV);
07422 }
07423 }
07424 list_no = fd_hash(tid.file.inode);
07425 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07426 device_p->handles[list_no],
07427 NULL,
07428 &tid.file.inode,
07429 &desc,
07430 &i_rights))
07431 {
07432 *rights_p |= (i_rights & mask);
07433 /* leave loop */
07434 break;
07435 }
07436 else
07437 if(inherit)
07438 {
07439 enum rsbac_target_t parent_target;
07440 union rsbac_target_id_t parent_tid;
07441 rsbac_acl_rights_vector_t i_mask;
07442
07443 /* get mask to filter through in next round */
07444 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
07445 device_p->handles[list_no],
07446 NULL,
07447 &tid.file.inode,
07448 &i_mask))
07449 {
07450 /* no mask found, set default */
07451 i_mask = RSBAC_ACL_DEFAULT_FD_MASK;
07452 }
07453 /* mask into cumulative mask */
07454 mask &= i_mask;
07455
07456 /* inheritance possible? */
07457 if(!rsbac_get_parent(target, tid, &parent_target, &parent_tid))
07458 {
07459 target = parent_target;
07460 tid = parent_tid;
07461 /* next round */
07462 continue;
07463 }
07464 else
07465 {
07466 /* no inheritance possible -> try default_fd_acl */
07467 if(!rsbac_ta_list_get_data_ttl(ta_number,
07468 default_fd_handle,
07469 NULL,
07470 &desc,
07471 &i_rights))
07472 {
07473 /* found, use it */
07474 *rights_p |= (i_rights & mask);
07475 }
07476 else
07477 {
07478 /* last resort: default rights */
07479 *rights_p |= (default_fd_rights & mask);
07480 }
07481 }
07482 /* leave loop */
07483 break;
07484 }
07485 else /* do not inherit */
07486 {
07487 /* last resort: default rights */
07488 *rights_p |= default_fd_rights;
07489 /* leave loop */
07490 break;
07491 }
07492 } /* end of for(;;) inheritance loop */
07493 /* unprotect */
07494 rsbac_read_unlock(&device_list_head.lock, &dflags);
07495 return err;
07496
07497 case T_DEV:
07498 /* default entry? */
07499 /*
07500 #ifdef CONFIG_RSBAC_DEBUG
07501 if (rsbac_debug_ds_acl)
07502 rsbac_printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting device rights for dev %c %02u:%02u\n",
07503 'B'+tid.dev.type,
07504 tid.dev.major,
07505 tid.dev.minor);
07506 #endif
07507 */
07508 if(RSBAC_IS_ZERO_DEV_DESC(tid.dev))
07509 {
07510 if(rsbac_ta_list_get_data_ttl(ta_number, default_dev_handle,
07511 NULL, &desc, rights_p))
07512 {
07513 /* last resort: default rights */
07514 *rights_p = default_dev_rights;
07515 }
07516 return 0;
07517 }
07518 if( (tid.dev.type >= D_char_major)
07519 || (tid.dev.type == D_block_major)
07520 )
07521 {
07522 tid.dev.type -= (D_block_major - D_block);
07523 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07524 dev_major_handle,
07525 NULL,
07526 &tid.dev,
07527 &desc,
07528 &i_rights))
07529 {
07530 *rights_p |= i_rights;
07531 }
07532 else
07533 {
07534 rsbac_acl_rights_vector_t mask2;
07535
07536 /* get mask to filter through */
07537 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
07538 dev_major_handle,
07539 NULL,
07540 &tid.dev,
07541 &mask2))
07542 {
07543 /* no mask found, set default */
07544 mask2 = RSBAC_ACL_DEFAULT_DEV_MASK;
07545 }
07546 /* try default_dev_acl */
07547 if(!rsbac_ta_list_get_data_ttl(ta_number, default_dev_handle,
07548 NULL, &desc, rights_p))
07549 {
07550 *rights_p &= mask2;
07551 }
07552 else
07553 {
07554 /* last resort: default rights */
07555 *rights_p = default_dev_rights & mask2;
07556 }
07557 }
07558 return 0;
07559 }
07560 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07561 dev_handle,
07562 NULL,
07563 &tid.dev,
07564 &desc,
07565 &i_rights))
07566 {
07567 *rights_p |= i_rights;
07568 }
07569 else
07570 {
07571 rsbac_acl_rights_vector_t mask;
07572
07573 /* get mask to filter through */
07574 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
07575 dev_handle,
07576 NULL,
07577 &tid.dev,
07578 &mask))
07579 {
07580 /* no mask found, set default */
07581 mask = RSBAC_ACL_DEFAULT_DEV_MASK;
07582 }
07583 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07584 dev_major_handle,
07585 NULL,
07586 &tid.dev,
07587 &desc,
07588 &i_rights))
07589 {
07590 i_rights &= mask;
07591 *rights_p |= i_rights;
07592 }
07593 else
07594 {
07595 rsbac_acl_rights_vector_t mask2;
07596
07597 /* get mask to filter through */
07598 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
07599 dev_major_handle,
07600 NULL,
07601 &tid.dev,
07602 &mask2))
07603 {
07604 /* no mask found, set default */
07605 mask2 = RSBAC_ACL_DEFAULT_DEV_MASK;
07606 }
07607 /* try default_dev_acl */
07608 if(!rsbac_ta_list_get_data_ttl(ta_number, default_dev_handle,
07609 NULL, &desc, rights_p))
07610 {
07611 *rights_p &= mask;
07612 *rights_p &= mask2;
07613 }
07614 else
07615 {
07616 /* last resort: default rights */
07617 *rights_p = default_dev_rights & mask & mask2;
07618 }
07619 }
07620 }
07621 return 0;
07622
07623 case T_IPC:
07624 /*
07625 #ifdef CONFIG_RSBAC_DEBUG
07626 if (rsbac_debug_ds_acl)
07627 rsbac_printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting IPC rights for type %u\n",
07628 tid.ipc.type);
07629 #endif
07630 */
07631 /* Use default ACL */
07632 if(rsbac_ta_list_get_data_ttl(ta_number, default_ipc_handle,
07633 NULL, &desc, rights_p))
07634 {
07635 /* last resort: default rights */
07636 *rights_p = default_ipc_rights;
07637 }
07638 return 0;
07639
07640 case T_SCD:
07641 /* default entry? */
07642 if( (tid.scd == AST_none)
07643 || (tid.scd == ST_none)
07644 )
07645 {
07646 if(rsbac_ta_list_get_data_ttl(ta_number, default_scd_handle,
07647 NULL, &desc, rights_p))
07648 {
07649 /* last resort: default rights */
07650 *rights_p = default_scd_rights;
07651 }
07652 return 0;
07653 }
07654 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07655 scd_handle,
07656 NULL,
07657 &tid.scd,
07658 &desc,
07659 &i_rights))
07660 {
07661 *rights_p |= i_rights;
07662 }
07663 else
07664 {
07665 rsbac_acl_rights_vector_t mask;
07666
07667 /* get mask to filter through */
07668 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
07669 scd_handle,
07670 NULL,
07671 &tid.scd,
07672 &mask))
07673 {
07674 /* no mask found, set default */
07675 mask = RSBAC_ACL_DEFAULT_SCD_MASK;
07676 }
07677 /* try default_dev_acl */
07678 if(!rsbac_ta_list_get_data_ttl(ta_number, default_scd_handle,
07679 NULL, &desc, rights_p))
07680 {
07681 *rights_p &= mask;
07682 }
07683 else
07684 {
07685 /* last resort: default rights */
07686 *rights_p = default_scd_rights & mask;
07687 }
07688 }
07689 return 0;
07690
07691 case T_USER:
07692 /* default entry? */
07693 if(tid.user == RSBAC_NO_USER)
07694 {
07695 if(rsbac_ta_list_get_data_ttl(ta_number, default_u_handle,
07696 NULL, &desc, rights_p))
07697 {
07698 /* last resort: default rights */
07699 *rights_p = default_u_rights;
07700 }
07701 return 0;
07702 }
07703 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07704 u_handle,
07705 NULL,
07706 &tid.user,
07707 &desc,
07708 &i_rights))
07709 {
07710 *rights_p |= i_rights;
07711 }
07712 else
07713 {
07714 rsbac_acl_rights_vector_t mask;
07715
07716 /* get mask to filter through */
07717 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
07718 u_handle,
07719 NULL,
07720 &tid.user,
07721 &mask))
07722 {
07723 /* no mask found, set default */
07724 mask = RSBAC_ACL_DEFAULT_U_MASK;
07725 }
07726 /* try default_u_acl */
07727 if(!rsbac_ta_list_get_data_ttl(ta_number, default_u_handle,
07728 NULL, &desc, rights_p))
07729 {
07730 *rights_p &= mask;
07731 }
07732 else
07733 {
07734 /* last resort: default rights */
07735 *rights_p = default_u_rights & mask;
07736 }
07737 }
07738 return 0;
07739
07740 case T_PROCESS:
07741 /*
07742 #ifdef CONFIG_RSBAC_DEBUG
07743 if (rsbac_debug_ds_acl)
07744 rsbac_printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting process rights for pid %u\n",
07745 tid.process);
07746 #endif
07747 */
07748 /* Use default entry */
07749 if(rsbac_ta_list_get_data_ttl(ta_number, default_p_handle,
07750 NULL, &desc, rights_p))
07751 {
07752 /* last resort: default rights */
07753 *rights_p = default_p_rights;
07754 }
07755 return 0;
07756
07757 #ifdef CONFIG_RSBAC_ACL_UM_PROT
07758 case T_GROUP:
07759 /* default entry? */
07760 if(tid.group == RSBAC_NO_GROUP)
07761 {
07762 if(rsbac_ta_list_get_data_ttl(ta_number, default_g_handle,
07763 NULL, &desc, rights_p))
07764 {
07765 /* last resort: default rights */
07766 *rights_p = default_g_rights;
07767 }
07768 return 0;
07769 }
07770 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07771 g_handle,
07772 NULL,
07773 &tid.group,
07774 &desc,
07775 &i_rights))
07776 {
07777 *rights_p |= i_rights;
07778 }
07779 else
07780 {
07781 rsbac_acl_rights_vector_t mask;
07782
07783 /* get mask to filter through */
07784 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
07785 g_handle,
07786 NULL,
07787 &tid.group,
07788 &mask))
07789 {
07790 /* no mask found, set default */
07791 mask = RSBAC_ACL_DEFAULT_G_MASK;
07792 }
07793 /* try default_u_acl */
07794 if(!rsbac_ta_list_get_data_ttl(ta_number, default_g_handle,
07795 NULL, &desc, rights_p))
07796 {
07797 *rights_p &= mask;
07798 }
07799 else
07800 {
07801 /* last resort: default rights */
07802 *rights_p = default_g_rights & mask;
07803 }
07804 }
07805 return 0;
07806 #endif
07807
07808 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
07809 case T_NETDEV:
07810 /* default entry? */
07811 /*
07812 #ifdef CONFIG_RSBAC_DEBUG
07813 if (rsbac_debug_ds_acl)
07814 rsbac_printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting network device rights for netdev %s\n",
07815 tid.netdev);
07816 #endif
07817 */
07818 if(!tid.netdev[0])
07819 {
07820 if(rsbac_ta_list_get_data_ttl(ta_number, default_netdev_handle,
07821 NULL, &desc, rights_p))
07822 {
07823 /* last resort: default rights */
07824 *rights_p = default_netdev_rights;
07825 }
07826 return 0;
07827 }
07828 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07829 netdev_handle,
07830 NULL,
07831 &tid.netdev,
07832 &desc,
07833 &i_rights))
07834 {
07835 *rights_p |= i_rights;
07836 }
07837 else
07838 {
07839 rsbac_acl_rights_vector_t mask;
07840
07841 /* get mask to filter through */
07842 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
07843 netdev_handle,
07844 NULL,
07845 &tid.netdev,
07846 &mask))
07847 {
07848 /* no mask found, set default */
07849 mask = RSBAC_ACL_DEFAULT_NETDEV_MASK;
07850 }
07851 /* try default_dev_acl */
07852 if(!rsbac_ta_list_get_data_ttl(ta_number, default_netdev_handle,
07853 NULL, &desc, rights_p))
07854 {
07855 *rights_p &= mask;
07856 }
07857 else
07858 {
07859 /* last resort: default rights */
07860 *rights_p = default_netdev_rights & mask;
07861 }
07862 }
07863 return 0;
07864 #endif
07865
07866 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
07867 /* rights to template itself */
07868 case T_NETTEMP_NT:
07869 /* default entry? */
07870 /*
07871 #ifdef CONFIG_RSBAC_DEBUG
07872 if (rsbac_debug_ds_acl)
07873 rsbac_printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting network template NT rights for nettemp %u\n",
07874 tid.nettemp);
07875 #endif
07876 */
07877 if(!tid.nettemp)
07878 {
07879 if(rsbac_ta_list_get_data_ttl(ta_number, default_nettemp_nt_handle,
07880 NULL, &desc, rights_p))
07881 {
07882 /* last resort: default rights */
07883 *rights_p = default_nettemp_nt_rights;
07884 }
07885 return 0;
07886 }
07887 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07888 return -RSBAC_EINVALIDTARGET;
07889 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07890 nettemp_nt_handle,
07891 NULL,
07892 &tid.nettemp,
07893 &desc,
07894 &i_rights))
07895 {
07896 *rights_p |= i_rights;
07897 }
07898 else
07899 {
07900 rsbac_acl_rights_vector_t mask;
07901
07902 /* get mask to filter through */
07903 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
07904 nettemp_nt_handle,
07905 NULL,
07906 &tid.nettemp,
07907 &mask))
07908 {
07909 /* no mask found, set default */
07910 mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK;
07911 }
07912 /* try default_dev_acl */
07913 if(!rsbac_ta_list_get_data_ttl(ta_number, default_nettemp_nt_handle,
07914 NULL, &desc, rights_p))
07915 {
07916 *rights_p &= mask;
07917 }
07918 else
07919 {
07920 /* last resort: default rights */
07921 *rights_p = default_nettemp_nt_rights & mask;
07922 }
07923 }
07924 return 0;
07925
07926 /* rights to netobjs fitting this template */
07927 case T_NETTEMP:
07928 /* default entry? */
07929 /*
07930 #ifdef CONFIG_RSBAC_DEBUG
07931 if (rsbac_debug_ds_acl)
07932 rsbac_printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting network template rights for nettemp %u\n",
07933 tid.nettemp);
07934 #endif
07935 */
07936 if(!tid.nettemp)
07937 {
07938 if(rsbac_ta_list_get_data_ttl(ta_number, default_netobj_handle,
07939 NULL, &desc, rights_p))
07940 {
07941 /* last resort: default rights */
07942 *rights_p = default_netobj_rights;
07943 }
07944 return 0;
07945 }
07946 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07947 return -RSBAC_EINVALIDTARGET;
07948 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
07949 nettemp_handle,
07950 NULL,
07951 &tid.nettemp,
07952 &desc,
07953 &i_rights))
07954 {
07955 *rights_p |= i_rights;
07956 }
07957 else
07958 {
07959 rsbac_acl_rights_vector_t mask;
07960
07961 /* get mask to filter through */
07962 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
07963 nettemp_handle,
07964 NULL,
07965 &tid.nettemp,
07966 &mask))
07967 {
07968 /* no mask found, set default */
07969 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
07970 }
07971 /* try default_dev_acl */
07972 if(!rsbac_ta_list_get_data_ttl(ta_number, default_netobj_handle,
07973 NULL, &desc, rights_p))
07974 {
07975 *rights_p &= mask;
07976 }
07977 else
07978 {
07979 /* last resort: default rights */
07980 *rights_p = default_netobj_rights & mask;
07981 }
07982 }
07983 return 0;
07984
07985 case T_NETOBJ:
07986 /* default entry? */
07987 /*
07988 #ifdef CONFIG_RSBAC_DEBUG
07989 if (rsbac_debug_ds_acl)
07990 rsbac_printk(KERN_DEBUG "rsbac_acl_get_rights(): Getting network object rights for netobj %p\n",
07991 tid.netobj.sock_p);
07992 #endif
07993 */
07994 if(!tid.nettemp)
07995 {
07996 if(rsbac_ta_list_get_data_ttl(ta_number, default_netobj_handle,
07997 NULL, &desc, rights_p))
07998 {
07999 /* last resort: default rights */
08000 *rights_p = default_netobj_rights;
08001 }
08002 return 0;
08003 }
08004 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
08005 netobj_handle,
08006 NULL,
08007 &tid.netobj.sock_p,
08008 &desc,
08009 &i_rights))
08010 {
08011 *rights_p |= i_rights;
08012 }
08013 else
08014 {
08015 rsbac_acl_rights_vector_t mask;
08016 rsbac_net_temp_id_t temp = 0;
08017
08018 /* get mask to filter through */
08019 if(rsbac_ta_list_lol_get_data_ttl(ta_number,
08020 nettemp_handle,
08021 NULL,
08022 &temp,
08023 &mask))
08024 {
08025 /* no mask found, set default */
08026 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
08027 }
08028 /* try nettemp_acl */
08029 rsbac_ta_net_lookup_templates(ta_number,
08030 &tid.netobj,
08031 &temp,
08032 NULL);
08033
08034 if( temp
08035 && !rsbac_ta_list_lol_get_subdata_ttl(ta_number,
08036 nettemp_handle,
08037 NULL,
08038 &temp,
08039 &desc,
08040 &i_rights))
08041 {
08042 *rights_p |= i_rights;
08043 }
08044 else
08045 {
08046 /* get mask to filter through */
08047 if( temp
08048 && rsbac_ta_list_lol_get_data_ttl(ta_number,
08049 nettemp_handle,
08050 NULL,
08051 &temp,
08052 &mask))
08053 {
08054 /* no mask found, set default */
08055 mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
08056 }
08057 /* try default_netobj_acl */
08058 if(!rsbac_ta_list_get_data_ttl(ta_number, default_netobj_handle,
08059 NULL, &desc, rights_p))
08060 {
08061 *rights_p &= mask;
08062 }
08063 else
08064 {
08065 /* last resort: default rights */
08066 *rights_p = default_netobj_rights & mask;
08067 }
08068 }
08069 }
08070 return 0;
08071 #endif /* NET_OBJ_PROT */
08072
08073 default:
08074 return -RSBAC_EINVALIDTARGET;
08075 }
08076 }
|
|
||||||||||||||||||||||||||||
|
Definition at line 8085 of file acl_data_structures.c. References acl_lookup_device(), ACLR_NONE, ACLR_SUPERVISOR, ACLS_NONE, AST_none, D_block, D_block_major, default_dev_rights, default_fd_rights, default_ipc_rights, default_p_rights, default_scd_rights, default_u_rights, rsbac_target_id_t::dev, FALSE, fd_hash(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handles, rsbac_acl_device_list_head_t::lock, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, NULL, R_CREATE, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_parent(), rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, rsbac_net_remote_request(), rsbac_net_template_exist(), RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_get_data_ttl(), rsbac_ta_list_lol_get_data_ttl(), rsbac_ta_list_lol_get_subdata_ttl(), rsbac_ta_net_lookup_templates(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_USER, TRUE, rsbac_dev_desc_t::type, and rsbac_target_id_t::user. Referenced by rsbac_acl_check_right(), rsbac_acl_check_super(), and rsbac_acl_sys_get_rights(). 08091 {
08092 int list_no;
08093 struct rsbac_acl_device_list_item_t * device_p;
08094 u_long dflags;
08095 rsbac_acl_rights_vector_t i_rvec;
08096 rsbac_acl_rights_vector_t i_rights;
08097 struct rsbac_acl_entry_desc_t desc;
08098
08099 if (!rsbac_is_initialized())
08100 {
08101 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): RSBAC not initialized\n");
08102 return(-RSBAC_ENOTINITIALIZED);
08103 }
08104 if (!result)
08105 return(-RSBAC_EINVALIDPOINTER);
08106 if ( (subj_type >= ACLS_NONE)
08107 || (right >= ACLR_NONE)
08108 )
08109 return(-RSBAC_EINVALIDVALUE);
08110 #ifdef CONFIG_RSBAC_DEBUG
08111 if (in_interrupt())
08112 {
08113 rsbac_printk(KERN_WARNING "rsbac_acl_get_single_right(): called from interrupt!\n");
08114 }
08115 #endif
08116 i_rvec = (rsbac_acl_rights_vector_t) 1 << right;
08117
08118 desc.subj_type = subj_type;
08119 desc.subj_id = subj_id;
08120
08121 switch (target)
08122 {
08123 case T_FILE:
08124 case T_DIR:
08125 case T_FIFO:
08126 case T_SYMLINK:
08127 /*
08128 #ifdef CONFIG_RSBAC_DEBUG
08129 if (rsbac_debug_ds_acl)
08130 rsbac_printk(KERN_DEBUG "rsbac_acl_get_single_right(): Checking right of subject %u,%u for device %02u:%02u, inode %u\n",
08131 subj_type, subj_id, RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode);
08132 #endif
08133 */
08134 /* default entry? */
08135 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p)
08136 {
08137 if(!rsbac_ta_list_get_data_ttl(0, default_fd_handle,
08138 NULL, &desc, &i_rights))
08139 {
08140 if(i_rights & i_rvec)
08141 *result = TRUE;
08142 else
08143 *result = FALSE;
08144 }
08145 else
08146 {
08147 if(default_fd_rights & i_rvec)
08148 *result = TRUE;
08149 else
08150 *result = FALSE;
08151 }
08152 return 0;
08153 }
08154 /* wait for read access to device_list_head */
08155 rsbac_read_lock(&device_list_head.lock, &dflags);
08156 /* OK, go on */
08157 /* use loop for inheritance - used to be recursive calls */
08158 for (;;)
08159 {
08160 /* lookup device */
08161 device_p = acl_lookup_device(tid.file.device);
08162 if (!device_p)
08163 {
08164 /* trigger rsbac_mount() */
08165 rsbac_read_unlock(&device_list_head.lock, &dflags);
08166 rsbac_get_super_block(tid.file.device);
08167 /* retry */
08168 rsbac_read_lock(&device_list_head.lock, &dflags);
08169 device_p = acl_lookup_device(tid.file.device);
08170 if(!device_p)
08171 {
08172 rsbac_printk(KERN_WARNING
08173 "rsbac_acl_get_single_right(): Could not lookup device, blindly granting access!\n");
08174 /* free read lock */
08175 rsbac_read_unlock(&device_list_head.lock, &dflags);
08176 *result = TRUE;
08177 return 0;
08178 }
08179 }
08180 list_no = fd_hash(tid.file.inode);
08181 if( !rsbac_ta_list_lol_get_subdata_ttl(0,
08182 device_p->handles[list_no],
08183 NULL,
08184 &tid.file.inode,
08185 &desc,
08186 &i_rights)
08187 )
08188 {
08189 if(i_rights & i_rvec)
08190 *result = TRUE;
08191 else
08192 *result = FALSE;
08193 rsbac_read_unlock(&device_list_head.lock, &dflags);
08194 return 0;
08195 }
08196
08197 {
08198 enum rsbac_target_t parent_target;
08199 union rsbac_target_id_t parent_tid;
08200
08201 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08202 if(right != ACLR_SUPERVISOR)
08203 #endif
08204 {
08205 rsbac_acl_rights_vector_t mask;
08206
08207 /* get mask to filter through */
08208 if( !rsbac_ta_list_lol_get_data_ttl(0,
08209 device_p->handles[list_no],
08210 NULL,
08211 &tid.file.inode,
08212 &mask)
08213 && !(mask & i_rvec)
08214 )
08215 {
08216 rsbac_read_unlock(&device_list_head.lock, &dflags);
08217 *result = FALSE;
08218 return 0;
08219 }
08220 }
08221
08222 /* inheritance possible? */
08223 if(!rsbac_get_parent(target, tid, &parent_target, &parent_tid))
08224 {
08225 target = parent_target;
08226 tid = parent_tid;
08227 continue;
08228 }
08229 else
08230 {
08231 /* no inheritance possible -> try default_fd_acl */
08232 if( !rsbac_ta_list_get_data_ttl(0, default_fd_handle,
08233 NULL,
08234 &desc,
08235 &i_rights)
08236 )
08237 {
08238 if(i_rights & i_rvec)
08239 *result = TRUE;
08240 else
08241 *result = FALSE;
08242 }
08243 else
08244 {
08245 if(default_fd_rights & i_rvec)
08246 *result = TRUE;
08247 else
08248 *result = FALSE;
08249 }
08250 /* free access to device_list_head - see above */
08251 rsbac_read_unlock(&device_list_head.lock, &dflags);
08252 return 0;
08253 }
08254 }
08255 } /* end of for(;;) for inheritance */
08256
08257 case T_DEV:
08258 /*
08259 #ifdef CONFIG_RSBAC_DEBUG
08260 if (rsbac_debug_ds_acl)
08261 rsbac_printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting right for dev %c %02u:%02u\n",
08262 'B'+tid.dev.type,
08263 tid.dev.major,
08264 tid.dev.minor);
08265 #endif
08266 */
08267 if(RSBAC_IS_ZERO_DEV_DESC(tid.dev))
08268 {
08269 if(!rsbac_ta_list_get_data_ttl(0, default_dev_handle,
08270 NULL, &desc, &i_rights))
08271 {
08272 if(i_rights & i_rvec)
08273 *result = TRUE;
08274 else
08275 *result = FALSE;
08276 }
08277 else
08278 {
08279 if(default_dev_rights & i_rvec)
08280 *result = TRUE;
08281 else
08282 *result = FALSE;
08283 }
08284 return 0;
08285 }
08286
08287 if(tid.dev.type >= D_block_major)
08288 {
08289 tid.dev.type -= (D_block_major - D_block);
08290 if(!rsbac_ta_list_lol_get_subdata_ttl(0, dev_major_handle,
08291 NULL,
08292 &tid.dev,
08293 &desc,
08294 &i_rights)
08295 )
08296 {
08297 if(i_rights & i_rvec)
08298 *result = TRUE;
08299 else
08300 *result = FALSE;
08301 return 0;
08302 }
08303 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08304 if(right != ACLR_SUPERVISOR)
08305 #endif
08306 {
08307 rsbac_acl_rights_vector_t mask;
08308
08309 /* get mask to filter through */
08310 if( !rsbac_ta_list_lol_get_data_ttl(0, dev_major_handle,
08311 NULL,
08312 &tid.dev,
08313 &mask)
08314 && !(mask & i_rvec)
08315 )
08316 {
08317 *result = FALSE;
08318 return 0;
08319 }
08320 }
08321 /* no inheritance possible -> try default acl */
08322 if(!rsbac_ta_list_get_data_ttl(0, default_dev_handle,
08323 NULL,
08324 &desc,
08325 &i_rights)
08326 )
08327 {
08328 if(i_rights & i_rvec)
08329 *result = TRUE;
08330 else
08331 *result = FALSE;
08332 }
08333 else
08334 {
08335 if(default_dev_rights & i_rvec)
08336 *result = TRUE;
08337 else
08338 *result = FALSE;
08339 }
08340 return 0;
08341 }
08342 if(!rsbac_ta_list_lol_get_subdata_ttl(0, dev_handle,
08343 NULL,
08344 &tid.dev,
08345 &desc,
08346 &i_rights)
08347 )
08348 {
08349 if(i_rights & i_rvec)
08350 *result = TRUE;
08351 else
08352 *result = FALSE;
08353 return 0;
08354 }
08355 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08356 if(right != ACLR_SUPERVISOR)
08357 #endif
08358 {
08359 rsbac_acl_rights_vector_t mask;
08360
08361 /* get mask to filter through */
08362 if( !rsbac_ta_list_lol_get_data_ttl(0, dev_handle,
08363 NULL,
08364 &tid.dev,
08365 &mask)
08366 && !(mask & i_rvec)
08367 )
08368 {
08369 *result = FALSE;
08370 return 0;
08371 }
08372 }
08373 if(!rsbac_ta_list_lol_get_subdata_ttl(0, dev_major_handle,
08374 NULL,
08375 &tid.dev,
08376 &desc,
08377 &i_rights)
08378 )
08379 {
08380 if(i_rights & i_rvec)
08381 *result = TRUE;
08382 else
08383 *result = FALSE;
08384 return 0;
08385 }
08386 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08387 if(right != ACLR_SUPERVISOR)
08388 #endif
08389 {
08390 rsbac_acl_rights_vector_t mask;
08391
08392 /* get mask to filter through */
08393 if( !rsbac_ta_list_lol_get_data_ttl(0, dev_major_handle,
08394 NULL,
08395 &tid.dev,
08396 &mask)
08397 && !(mask & i_rvec)
08398 )
08399 {
08400 *result = FALSE;
08401 return 0;
08402 }
08403 }
08404 /* no inheritance possible -> try default acl */
08405 if(!rsbac_ta_list_get_data_ttl(0, default_dev_handle,
08406 NULL,
08407 &desc,
08408 &i_rights)
08409 )
08410 {
08411 if(i_rights & i_rvec)
08412 *result = TRUE;
08413 else
08414 *result = FALSE;
08415 }
08416 else
08417 {
08418 if(default_dev_rights & i_rvec)
08419 *result = TRUE;
08420 else
08421 *result = FALSE;
08422 }
08423 return 0;
08424
08425 case T_IPC:
08426 /*
08427 #ifdef CONFIG_RSBAC_DEBUG
08428 if (rsbac_debug_ds_acl)
08429 rsbac_printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting right for type %u\n",
08430 tid.ipc.type);
08431 #endif
08432 */
08433 /* Use default entry */
08434 if(!rsbac_ta_list_get_data_ttl(0, default_ipc_handle,
08435 NULL, &desc, &i_rights))
08436 {
08437 if(i_rights & i_rvec)
08438 *result = TRUE;
08439 else
08440 *result = FALSE;
08441 }
08442 else
08443 {
08444 if(default_ipc_rights & i_rvec)
08445 *result = TRUE;
08446 else
08447 *result = FALSE;
08448 }
08449 return 0;
08450
08451 case T_SCD:
08452 if(tid.scd == AST_none)
08453 {
08454 if(!rsbac_ta_list_get_data_ttl(0, default_scd_handle,
08455 NULL, &desc, &i_rights))
08456 {
08457 if(i_rights & i_rvec)
08458 *result = TRUE;
08459 else
08460 *result = FALSE;
08461 }
08462 else
08463 {
08464 if(default_scd_rights & i_rvec)
08465 *result = TRUE;
08466 else
08467 *result = FALSE;
08468 }
08469 return 0;
08470 }
08471
08472 if( !rsbac_ta_list_lol_get_subdata_ttl(0, scd_handle,
08473 NULL,
08474 &tid.scd,
08475 &desc,
08476 &i_rights)
08477 )
08478 {
08479 if(i_rights & i_rvec)
08480 *result = TRUE;
08481 else
08482 *result = FALSE;
08483 return 0;
08484 }
08485 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08486 if(right != ACLR_SUPERVISOR)
08487 #endif
08488 {
08489 rsbac_acl_rights_vector_t mask;
08490
08491 /* get mask to filter through */
08492 if( !rsbac_ta_list_lol_get_data_ttl(0, scd_handle,
08493 NULL,
08494 &tid.scd,
08495 &mask)
08496 && !(mask & i_rvec)
08497 )
08498 {
08499 *result = FALSE;
08500 return 0;
08501 }
08502 }
08503
08504 /* no inheritance possible -> try default acl */
08505 if( !rsbac_ta_list_get_data_ttl(0, default_scd_handle,
08506 NULL,
08507 &desc,
08508 &i_rights)
08509 )
08510 {
08511 if(i_rights & i_rvec)
08512 *result = TRUE;
08513 else
08514 *result = FALSE;
08515 }
08516 else
08517 {
08518 if(default_scd_rights & i_rvec)
08519 *result = TRUE;
08520 else
08521 *result = FALSE;
08522 }
08523 return 0;
08524
08525 case T_USER:
08526 if(tid.user == RSBAC_NO_USER)
08527 {
08528 if(!rsbac_ta_list_get_data_ttl(0, default_u_handle,
08529 NULL, &desc, &i_rights))
08530 {
08531 if(i_rights & i_rvec)
08532 *result = TRUE;
08533 else
08534 *result = FALSE;
08535 }
08536 else
08537 {
08538 if(default_u_rights & i_rvec)
08539 *result = TRUE;
08540 else
08541 *result = FALSE;
08542 }
08543 return 0;
08544 }
08545
08546 if( !rsbac_ta_list_lol_get_subdata_ttl(0, u_handle,
08547 NULL,
08548 &tid.user,
08549 &desc,
08550 &i_rights)
08551 )
08552 {
08553 if(i_rights & i_rvec)
08554 *result = TRUE;
08555 else
08556 *result = FALSE;
08557 return 0;
08558 }
08559 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08560 if(right != ACLR_SUPERVISOR)
08561 #endif
08562 {
08563 rsbac_acl_rights_vector_t mask;
08564
08565 /* get mask to filter through */
08566 if( !rsbac_ta_list_lol_get_data_ttl(0, u_handle,
08567 NULL,
08568 &tid.user,
08569 &mask)
08570 && !(mask & i_rvec)
08571 )
08572 {
08573 *result = FALSE;
08574 return 0;
08575 }
08576 }
08577
08578 /* no inheritance possible -> try default acl */
08579 if( !rsbac_ta_list_get_data_ttl(0, default_u_handle,
08580 NULL,
08581 &desc,
08582 &i_rights)
08583 )
08584 {
08585 if(i_rights & i_rvec)
08586 *result = TRUE;
08587 else
08588 *result = FALSE;
08589 }
08590 else
08591 {
08592 if(default_u_rights & i_rvec)
08593 *result = TRUE;
08594 else
08595 *result = FALSE;
08596 }
08597 return 0;
08598
08599 case T_PROCESS:
08600 /* Use default entry */
08601 if(!rsbac_ta_list_get_data_ttl(0, default_p_handle,
08602 NULL, &desc, &i_rights))
08603 {
08604 if(i_rights & i_rvec)
08605 *result = TRUE;
08606 else
08607 *result = FALSE;
08608 }
08609 else
08610 {
08611 if(default_p_rights & i_rvec)
08612 *result = TRUE;
08613 else
08614 *result = FALSE;
08615 }
08616 return 0;
08617
08618 #ifdef CONFIG_RSBAC_ACL_UM_PROT
08619 case T_GROUP:
08620 if(tid.group == RSBAC_NO_GROUP)
08621 {
08622 if(!rsbac_ta_list_get_data_ttl(0, default_g_handle,
08623 NULL, &desc, &i_rights))
08624 {
08625 if(i_rights & i_rvec)
08626 *result = TRUE;
08627 else
08628 *result = FALSE;
08629 }
08630 else
08631 {
08632 if(default_g_rights & i_rvec)
08633 *result = TRUE;
08634 else
08635 *result = FALSE;
08636 }
08637 return 0;
08638 }
08639
08640 if( !rsbac_ta_list_lol_get_subdata_ttl(0, g_handle,
08641 NULL,
08642 &tid.group,
08643 &desc,
08644 &i_rights)
08645 )
08646 {
08647 if(i_rights & i_rvec)
08648 *result = TRUE;
08649 else
08650 *result = FALSE;
08651 return 0;
08652 }
08653 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08654 if(right != ACLR_SUPERVISOR)
08655 #endif
08656 {
08657 rsbac_acl_rights_vector_t mask;
08658
08659 /* get mask to filter through */
08660 if( !rsbac_ta_list_lol_get_data_ttl(0, g_handle,
08661 NULL,
08662 &tid.group,
08663 &mask)
08664 && !(mask & i_rvec)
08665 )
08666 {
08667 *result = FALSE;
08668 return 0;
08669 }
08670 }
08671
08672 /* no inheritance possible -> try default acl */
08673 if( !rsbac_ta_list_get_data_ttl(0, default_g_handle,
08674 NULL,
08675 &desc,
08676 &i_rights)
08677 )
08678 {
08679 if(i_rights & i_rvec)
08680 *result = TRUE;
08681 else
08682 *result = FALSE;
08683 }
08684 else
08685 {
08686 if(default_g_rights & i_rvec)
08687 *result = TRUE;
08688 else
08689 *result = FALSE;
08690 }
08691 return 0;
08692 #endif
08693
08694 #if defined(CONFIG_RSBAC_ACL_NET_DEV_PROT)
08695 case T_NETDEV:
08696 /*
08697 #ifdef CONFIG_RSBAC_DEBUG
08698 if (rsbac_debug_ds_acl)
08699 rsbac_printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting right for netdev %s\n",
08700 tid.netdev);
08701 #endif
08702 */
08703 if(!tid.netdev[0])
08704 {
08705 if(!rsbac_ta_list_get_data_ttl(0, default_netdev_handle,
08706 NULL, &desc, &i_rights))
08707 {
08708 if(i_rights & i_rvec)
08709 *result = TRUE;
08710 else
08711 *result = FALSE;
08712 }
08713 else
08714 {
08715 if(default_netdev_rights & i_rvec)
08716 *result = TRUE;
08717 else
08718 *result = FALSE;
08719 }
08720 return 0;
08721 }
08722
08723 if( !rsbac_ta_list_lol_get_subdata_ttl(0, netdev_handle,
08724 NULL,
08725 &tid.netdev,
08726 &desc,
08727 &i_rights)
08728 )
08729 {
08730 if(i_rights & i_rvec)
08731 *result = TRUE;
08732 else
08733 *result = FALSE;
08734 return 0;
08735 }
08736 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08737 if(right != ACLR_SUPERVISOR)
08738 #endif
08739 {
08740 rsbac_acl_rights_vector_t mask;
08741
08742 /* get mask to filter through */
08743 if( !rsbac_ta_list_lol_get_data_ttl(0, netdev_handle,
08744 NULL,
08745 &tid.netdev,
08746 &mask)
08747 && !(mask & i_rvec)
08748 )
08749 {
08750 *result = FALSE;
08751 return 0;
08752 }
08753 }
08754
08755 /* no inheritance possible -> try default acl */
08756 if( !rsbac_ta_list_get_data_ttl(0, default_netdev_handle,
08757 NULL,
08758 &desc,
08759 &i_rights)
08760 )
08761 {
08762 if(i_rights & i_rvec)
08763 *result = TRUE;
08764 else
08765 *result = FALSE;
08766 }
08767 else
08768 {
08769 if(default_netdev_rights & i_rvec)
08770 *result = TRUE;
08771 else
08772 *result = FALSE;
08773 }
08774 return 0;
08775 #endif
08776
08777 #if defined(CONFIG_RSBAC_ACL_NET_OBJ_PROT)
08778 case T_NETTEMP_NT:
08779 case T_NETTEMP:
08780 /*
08781 #ifdef CONFIG_RSBAC_DEBUG
08782 if (rsbac_debug_ds_acl)
08783 rsbac_printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting right for nettemp %u\n",
08784 tid.nettemp);
08785 #endif
08786 */
08787 if(!tid.nettemp)
08788 {
08789 if(!rsbac_ta_list_get_data_ttl(0, default_nettemp_nt_handle,
08790 NULL, &desc, &i_rights))
08791 {
08792 if(i_rights & i_rvec)
08793 *result = TRUE;
08794 else
08795 *result = FALSE;
08796 }
08797 else
08798 {
08799 if(default_nettemp_nt_rights & i_rvec)
08800 *result = TRUE;
08801 else
08802 *result = FALSE;
08803 }
08804 return 0;
08805 }
08806
08807 /* There should be no template, which is to be created, so skip nettemp_nt list */
08808 if(right != R_CREATE)
08809 {
08810 if(!rsbac_net_template_exist(tid.nettemp))
08811 return FALSE;
08812 if( !rsbac_ta_list_lol_get_subdata_ttl(0, nettemp_nt_handle,
08813 NULL,
08814 &tid.nettemp,
08815 &desc,
08816 &i_rights)
08817 && (i_rights & i_rvec)
08818 )
08819 {
08820 *result = TRUE;
08821 return 0;
08822 }
08823 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08824 if(right != ACLR_SUPERVISOR)
08825 #endif
08826 {
08827 rsbac_acl_rights_vector_t mask;
08828
08829 /* get mask to filter through */
08830 if( !rsbac_ta_list_lol_get_data_ttl(0, nettemp_nt_handle,
08831 NULL,
08832 &tid.nettemp,
08833 &mask)
08834 && !(mask & i_rvec)
08835 )
08836 {
08837 *result = FALSE;
08838 return 0;
08839 }
08840 }
08841 }
08842
08843 /* no inheritance possible -> try default acl */
08844 if( !rsbac_ta_list_get_data_ttl(0, default_nettemp_nt_handle,
08845 NULL,
08846 &desc,
08847 &i_rights)
08848 )
08849 {
08850 if(i_rights & i_rvec)
08851 *result = TRUE;
08852 else
08853 *result = FALSE;
08854 }
08855 else
08856 {
08857 if(default_nettemp_nt_rights & i_rvec)
08858 *result = TRUE;
08859 else
08860 *result = FALSE;
08861 }
08862 return 0;
08863
08864 case T_NETOBJ:
08865 /*
08866 #ifdef CONFIG_RSBAC_DEBUG
08867 if (rsbac_debug_ds_acl)
08868 rsbac_printk(KERN_DEBUG "rsbac_acl_get_single_right(): Getting right for netobj %p\n",
08869 tid.netobj.sock_p);
08870 #endif
08871 */
08872 if(!tid.netobj.sock_p)
08873 {
08874 if(!rsbac_ta_list_get_data_ttl(0, default_netobj_handle,
08875 NULL, &desc, &i_rights))
08876 {
08877 if(i_rights & i_rvec)
08878 *result = TRUE;
08879 else
08880 *result = FALSE;
08881 }
08882 else
08883 {
08884 if(default_netobj_rights & i_rvec)
08885 *result = TRUE;
08886 else
08887 *result = FALSE;
08888 }
08889 return 0;
08890 }
08891
08892 if( !rsbac_ta_list_lol_get_subdata_ttl(0, netobj_handle,
08893 NULL,
08894 &tid.netobj.sock_p,
08895 &desc,
08896 &i_rights)
08897 )
08898 {
08899 if(i_rights & i_rvec)
08900 *result = TRUE;
08901 else
08902 *result = FALSE;
08903 return 0;
08904 }
08905 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08906 if(right != ACLR_SUPERVISOR)
08907 #endif
08908 {
08909 rsbac_acl_rights_vector_t mask;
08910
08911 /* get mask to filter through */
08912 if( !rsbac_ta_list_lol_get_data_ttl(0, netobj_handle,
08913 NULL,
08914 &tid.netobj.sock_p,
08915 &mask)
08916 && !(mask & i_rvec)
08917 )
08918 {
08919 *result = FALSE;
08920 return 0;
08921 }
08922 }
08923 /* Try net template */
08924 {
08925 rsbac_net_temp_id_t temp = 0;
08926
08927 if(rsbac_net_remote_request(right))
08928 rsbac_ta_net_lookup_templates(0,
08929 &tid.netobj,
08930 NULL,
08931 &temp);
08932 else
08933 rsbac_ta_net_lookup_templates(0,
08934 &tid.netobj,
08935 &temp,
08936 NULL);
08937 if( temp
08938 && !rsbac_ta_list_lol_get_subdata_ttl(0, nettemp_handle,
08939 NULL,
08940 &temp,
08941 &desc,
08942 &i_rights)
08943 )
08944 {
08945 if(i_rights & i_rvec)
08946 *result = TRUE;
08947 else
08948 *result = FALSE;
08949 return 0;
08950 }
08951 #ifndef CONFIG_RSBAC_ACL_SUPER_FILTER
08952 if(right != ACLR_SUPERVISOR)
08953 #endif
08954 {
08955 rsbac_acl_rights_vector_t mask;
08956
08957 /* get mask from template to filter through */
08958 if( !rsbac_ta_list_lol_get_data_ttl(0, nettemp_handle,
08959 NULL,
08960 &temp,
08961 &mask)
08962 && !(mask & i_rvec)
08963 )
08964 {
08965 *result = FALSE;
08966 return 0;
08967 }
08968 }
08969 }
08970
08971 /* no inheritance possible -> try default acl */
08972 if( !rsbac_ta_list_get_data_ttl(0, default_netobj_handle,
08973 NULL,
08974 &desc,
08975 &i_rights)
08976 )
08977 {
08978 if(i_rights & i_rvec)
08979 *result = TRUE;
08980 else
08981 *result = FALSE;
08982 }
08983 else
08984 {
08985 if(default_netobj_rights & i_rvec)
08986 *result = TRUE;
08987 else
08988 *result = FALSE;
08989 }
08990 return 0;
08991 #endif /* NET_OBJ_PROT */
08992
08993 default:
08994 return -RSBAC_EINVALIDTARGET;
08995 }
08996 }
|
|
||||||||||||||||||||||||
|
Definition at line 9003 of file acl_data_structures.c. References acl_lookup_device(), AST_none, D_block, D_block_major, D_char, D_char_major, rsbac_target_id_t::dev, fd_hash(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handles, rsbac_acl_device_list_head_t::lock, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, RSBAC_EINVALIDDEV, RSBAC_EINVALIDPOINTER, RSBAC_EINVALIDTARGET, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_get_all_items_ttl(), rsbac_ta_list_lol_get_all_subitems_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, ST_none, T_DEV, T_DIR, T_FD, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_USER, rsbac_dev_desc_t::type, and rsbac_target_id_t::user. 09009 {
09010 int count = 0;
09011 int list_no;
09012 struct rsbac_acl_device_list_item_t * device_p;
09013 u_long dflags;
09014
09015 if (!rsbac_is_initialized())
09016 {
09017 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): RSBAC not initialized\n");
09018 return(-RSBAC_ENOTINITIALIZED);
09019 }
09020 if (!entry_pp)
09021 return(-RSBAC_EINVALIDPOINTER);
09022 #ifdef CONFIG_RSBAC_DEBUG
09023 if (in_interrupt())
09024 {
09025 rsbac_printk(KERN_WARNING "rsbac_acl_get_tlist(): called from interrupt!\n");
09026 }
09027 #endif
09028 switch (target)
09029 {
09030 case T_FD:
09031 case T_FILE:
09032 case T_DIR:
09033 case T_FIFO:
09034 case T_SYMLINK:
09035 /*
09036 #ifdef CONFIG_RSBAC_DEBUG
09037 if (rsbac_debug_ds_acl)
09038 rsbac_printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for device %02u:%02u, inode %u\n",
09039 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode);
09040 #endif
09041 */
09042 /* default entry? */
09043 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p)
09044 return rsbac_ta_list_get_all_items_ttl(ta_number,
09045 default_fd_handle,
09046 (void **) entry_pp,
09047 ttl_pp);
09048 /* wait for read access to device_list_head */
09049 rsbac_read_lock(&device_list_head.lock, &dflags);
09050 /* OK, go on */
09051 /* lookup device */
09052 device_p = acl_lookup_device(tid.file.device);
09053 if (!device_p)
09054 {
09055 /* trigger rsbac_mount() */
09056 rsbac_read_unlock(&device_list_head.lock, &dflags);
09057 rsbac_get_super_block(tid.file.device);
09058 /* retry */
09059 rsbac_read_lock(&device_list_head.lock, &dflags);
09060 device_p = acl_lookup_device(tid.file.device);
09061 if(!device_p)
09062 {
09063 rsbac_printk(KERN_WARNING
09064 "rsbac_acl_get_tlist(): Could not lookup device!\n");
09065 /* free read lock */
09066 rsbac_read_unlock(&device_list_head.lock, &dflags);
09067 return(-RSBAC_EINVALIDDEV);
09068 }
09069 }
09070 /* protect this list */
09071 list_no = fd_hash(tid.file.inode);
09072 count = rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
09073 device_p->handles[list_no],
09074 &tid.file.inode,
09075 (void **) entry_pp,
09076 ttl_pp);
09077 rsbac_read_unlock(&device_list_head.lock, &dflags);
09078 /* ready. */
09079 return count;
09080
09081 case T_DEV:
09082 /*
09083 #ifdef CONFIG_RSBAC_DEBUG
09084 if (rsbac_debug_ds_acl)
09085 rsbac_printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for dev %c %02u:%02u\n",
09086 'B'+tid.dev.type,
09087 tid.dev.major,
09088 tid.dev.minor);
09089 #endif
09090 */
09091 if(RSBAC_IS_ZERO_DEV_DESC(tid.dev))
09092 return rsbac_ta_list_get_all_items_ttl(ta_number,
09093 default_dev_handle,
09094 (void **) entry_pp,
09095 ttl_pp);
09096 else
09097 switch(tid.dev.type)
09098 {
09099 case D_char:
09100 case D_block:
09101 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
09102 dev_handle,
09103 &tid.dev,
09104 (void **) entry_pp,
09105 ttl_pp);
09106
09107 case D_char_major:
09108 case D_block_major:
09109 tid.dev.type -= (D_block_major - D_block);
09110 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
09111 dev_major_handle,
09112 &tid.dev,
09113 (void **) entry_pp,
09114 ttl_pp);
09115
09116 default:
09117 return -RSBAC_EINVALIDTARGET;
09118 }
09119
09120 case T_IPC:
09121 /* default entry */
09122 return rsbac_ta_list_get_all_items_ttl(ta_number,
09123 default_ipc_handle,
09124 (void **) entry_pp,
09125 ttl_pp);
09126
09127 case T_SCD:
09128 if( (tid.scd == AST_none)
09129 || (tid.scd == ST_none)
09130 )
09131 return rsbac_ta_list_get_all_items_ttl(ta_number,
09132 default_scd_handle,
09133 (void **) entry_pp,
09134 ttl_pp);
09135 else
09136 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
09137 scd_handle,
09138 &tid.scd,
09139 (void **) entry_pp,
09140 ttl_pp);
09141
09142 case T_USER:
09143 if(tid.user == RSBAC_NO_USER)
09144 return rsbac_ta_list_get_all_items_ttl(ta_number,
09145 default_u_handle,
09146 (void **) entry_pp,
09147 ttl_pp);
09148 else
09149 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
09150 u_handle,
09151 &tid.user,
09152 (void **) entry_pp,
09153 ttl_pp);
09154
09155 case T_PROCESS:
09156 return rsbac_ta_list_get_all_items_ttl(ta_number,
09157 default_p_handle,
09158 (void **) entry_pp,
09159 ttl_pp);
09160
09161 #ifdef CONFIG_RSBAC_ACL_UM_PROT
09162 case T_GROUP:
09163 if(tid.group == RSBAC_NO_GROUP)
09164 return rsbac_ta_list_get_all_items_ttl(ta_number,
09165 default_g_handle,
09166 (void **) entry_pp,
09167 ttl_pp);
09168 else
09169 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
09170 g_handle,
09171 &tid.group,
09172 (void **) entry_pp,
09173 ttl_pp);
09174 #endif
09175
09176 #if defined(CONFIG_RSBAC_ACL_NET_DEV_PROT)
09177 case T_NETDEV:
09178 /*
09179 #ifdef CONFIG_RSBAC_DEBUG
09180 if (rsbac_debug_ds_acl)
09181 rsbac_printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for netdev %s\n",
09182 tid.netdev);
09183 #endif
09184 */
09185 if(!tid.netdev[0])
09186 return rsbac_ta_list_get_all_items_ttl(ta_number,
09187 default_netdev_handle,
09188 (void **) entry_pp,
09189 ttl_pp);
09190 else
09191 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
09192 netdev_handle,
09193 &tid.netdev,
09194 (void **) entry_pp,
09195 ttl_pp);
09196 #endif
09197
09198 #if defined(CONFIG_RSBAC_ACL_NET_OBJ_PROT)
09199 case T_NETTEMP_NT:
09200 /*
09201 #ifdef CONFIG_RSBAC_DEBUG
09202 if (rsbac_debug_ds_acl)
09203 rsbac_printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for nettemp_nt %u\n",
09204 tid.nettemp);
09205 #endif
09206 */
09207 if(!tid.nettemp)
09208 return rsbac_ta_list_get_all_items_ttl(ta_number,
09209 default_nettemp_nt_handle,
09210 (void **) entry_pp,
09211 ttl_pp);
09212 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
09213 return -RSBAC_EINVALIDTARGET;
09214 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
09215 nettemp_nt_handle,
09216 &tid.nettemp,
09217 (void **) entry_pp,
09218 ttl_pp);
09219
09220 case T_NETTEMP:
09221 /*
09222 #ifdef CONFIG_RSBAC_DEBUG
09223 if (rsbac_debug_ds_acl)
09224 rsbac_printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for nettemp %u\n",
09225 tid.nettemp);
09226 #endif
09227 */
09228 if(!tid.nettemp)
09229 return -RSBAC_EINVALIDTARGET;
09230 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
09231 return -RSBAC_EINVALIDTARGET;
09232 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
09233 nettemp_handle,
09234 &tid.nettemp,
09235 (void **) entry_pp,
09236 ttl_pp);
09237
09238 case T_NETOBJ:
09239 /*
09240 #ifdef CONFIG_RSBAC_DEBUG
09241 if (rsbac_debug_ds_acl)
09242 rsbac_printk(KERN_DEBUG "rsbac_acl_get_tlist(): Getting tlist for netobj %p\n",
09243 tid.netobj.sock_p);
09244 #endif
09245 */
09246 if(!tid.nettemp)
09247 return rsbac_ta_list_get_all_items_ttl(ta_number,
09248 default_netobj_handle,
09249 (void **) entry_pp,
09250 ttl_pp);
09251 else
09252 return rsbac_ta_list_lol_get_all_subitems_ttl(ta_number,
09253 netobj_handle,
09254 &tid.netobj.sock_p,
09255 (void **) entry_pp,
09256 ttl_pp);
09257 #endif /* NET_OBJ_PROT */
09258
09259 default:
09260 return -RSBAC_EINVALIDTARGET;
09261 }
09262 }
|
|
||||||||||||||||||||
|
Definition at line 9550 of file acl_data_structures.c. References rsbac_ta_list_lol_get_all_subdesc_ttl(). Referenced by rsbac_acl_check_right(), rsbac_acl_check_super(), rsbac_acl_sys_get_rights(), and rsbac_acl_sys_group(). 09555 {
09556 return rsbac_ta_list_lol_get_all_subdesc_ttl(ta_number,
09557 gm_handle,
09558 &user,
09559 (void **) group_pp,
09560 ttl_pp);
09561 }
|
|
|
Definition at line 9490 of file acl_data_structures.c. References rsbac_ta_list_exist(), and TRUE. 09491 {
09492 if(!group)
09493 return TRUE;
09494 return rsbac_ta_list_exist(0, group_handle, &group);
09495 }
|
|
||||||||||||
|
Definition at line 9542 of file acl_data_structures.c. References rsbac_ta_list_lol_subexist(). 09543 {
09544 return rsbac_ta_list_lol_subexist(0, gm_handle, &user, &group);
09545 }
|
|
||||||||||||
|
Definition at line 9606 of file acl_data_structures.c. References rsbac_ta_list_lol_count(), and rsbac_ta_list_lol_get_all_desc(). 09609 {
09610 if(id_pp)
09611 return rsbac_ta_list_lol_get_all_desc(ta_number, dev_handle, (void **) id_pp);
09612 else
09613 return rsbac_ta_list_lol_count(ta_number, dev_handle);
09614 }
|
|
||||||||||||
|
Referenced by sys_rsbac_acl_list_all_group(). |
|
||||||||||||
|
Definition at line 9616 of file acl_data_structures.c. References D_block, D_block_major, rsbac_ta_list_lol_count(), rsbac_ta_list_lol_get_all_desc(), and rsbac_dev_desc_t::type. Referenced by sys_rsbac_acl_list_all_dev(). 09619 {
09620 if(id_pp)
09621 {
09622 int count;
09623
09624 count = rsbac_ta_list_lol_get_all_desc(ta_number, dev_major_handle, (void **) id_pp);
09625 if(count > 0)
09626 {
09627 u_int i;
09628 struct rsbac_dev_desc_t * tmp_p;
09629
09630 tmp_p = *id_pp;
09631 for(i=0; i<count; i++)
09632 tmp_p[i].type += (D_block_major - D_block);
09633 }
09634 return count;
09635 }
09636 else
09637 return rsbac_ta_list_lol_count(ta_number, dev_major_handle);
09638 }
|
|
||||||||||||
|
Definition at line 9640 of file acl_data_structures.c. References rsbac_ta_list_lol_count(), and rsbac_ta_list_lol_get_all_desc(). 09643 {
09644 if(id_pp)
09645 return rsbac_ta_list_lol_get_all_desc(ta_number, u_handle, (void **) id_pp);
09646 else
09647 return rsbac_ta_list_lol_count(ta_number, u_handle);
09648 }
|
|
||||||||||||||||||||
|
Definition at line 9448 of file acl_data_structures.c. References ACLG_GLOBAL, RSBAC_EINVALIDPOINTER, RSBAC_ENOMEM, rsbac_ta_list_get_all_data(), rsbac_vfree, and rsbac_vmalloc. Referenced by rsbac_acl_sys_group(). 09453 {
09454 long count;
09455 struct rsbac_acl_group_entry_t * local_entry_p;
09456
09457 if(!entry_pp)
09458 return -RSBAC_EINVALIDPOINTER;
09459 count = rsbac_ta_list_get_all_data(ta_number, group_handle, (void **) &local_entry_p);
09460 if(count > 0)
09461 {
09462 long i;
09463 long rescount = 0;
09464
09465 *entry_pp = rsbac_vmalloc(count * sizeof(**entry_pp));
09466 if(!*entry_pp)
09467 {
09468 rsbac_vfree(local_entry_p);
09469 return -RSBAC_ENOMEM;
09470 }
09471 for(i=0; i<count; i++)
09472 {
09473 if( (local_entry_p[i].owner == owner)
09474 || ( include_global
09475 && (local_entry_p[i].type == ACLG_GLOBAL)
09476 )
09477 )
09478 {
09479 memcpy(&(*entry_pp)[rescount], &local_entry_p[i], sizeof(local_entry_p[i]));
09480 rescount++;
09481 }
09482 }
09483 rsbac_vfree(local_entry_p);
09484 count = rescount;
09485 }
09486 return count;
09487 }
|
|
||||||||||||||||
|
Definition at line 5586 of file acl_data_structures.c. References acl_lookup_device(), AST_none, D_block, D_block_major, D_char, D_char_major, rsbac_target_id_t::dev, fd_hash(), get_acl_scd_type_name(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handles, rsbac_acl_device_list_head_t::lock, rsbac_dev_desc_t::major, rsbac_dev_desc_t::minor, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_lol_remove(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_SCD, T_SYMLINK, T_USER, rsbac_dev_desc_t::type, and rsbac_target_id_t::user. Referenced by rsbac_acl_sys_remove_acl(), and rsbac_ta_remove_target(). 05590 {
05591 int err = 0;
05592 int list_no;
05593 struct rsbac_acl_device_list_item_t * device_p;
05594 u_long dflags;
05595
05596 if (!rsbac_is_initialized())
05597 {
05598 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): RSBAC not initialized\n");
05599 return(-RSBAC_ENOTINITIALIZED);
05600 }
05601 #ifdef CONFIG_RSBAC_DEBUG
05602 if (in_interrupt())
05603 {
05604 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl(): called from interrupt!\n");
05605 }
05606 #endif
05607 switch (target)
05608 {
05609 case T_FILE:
05610 case T_DIR:
05611 case T_FIFO:
05612 case T_SYMLINK:
05613 #ifdef CONFIG_RSBAC_DEBUG
05614 if (rsbac_debug_ds_acl)
05615 {
05616 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n",
05617 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode);
05618 }
05619 #endif
05620 /* default entry? */
05621 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p)
05622 return -RSBAC_EINVALIDTARGET;
05623
05624 /* wait for read access to device_list_head */
05625 rsbac_read_lock(&device_list_head.lock, &dflags);
05626 /* OK, go on */
05627 /* lookup device */
05628 device_p = acl_lookup_device(tid.file.device);
05629 if (!device_p)
05630 {
05631 /* trigger rsbac_mount() */
05632 rsbac_read_unlock(&device_list_head.lock, &dflags);
05633 rsbac_get_super_block(tid.file.device);
05634 /* retry */
05635 rsbac_read_lock(&device_list_head.lock, &dflags);
05636 device_p = acl_lookup_device(tid.file.device);
05637 if(!device_p)
05638 {
05639 rsbac_printk(KERN_WARNING
05640 "rsbac_acl_remove_acl(): Could not lookup device!\n");
05641 rsbac_read_unlock(&device_list_head.lock, &dflags);
05642 return -RSBAC_EINVALIDDEV;
05643 }
05644 }
05645 list_no = fd_hash(tid.file.inode);
05646 err = rsbac_ta_list_lol_remove(ta_number, device_p->handles[list_no], &tid.file.inode);
05647 rsbac_read_unlock(&device_list_head.lock, &dflags);
05648 return err;
05649
05650 case T_DEV:
05651 #ifdef CONFIG_RSBAC_DEBUG
05652 if (rsbac_debug_ds_acl)
05653 {
05654 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing device ACL for dev %c %02u:%02u\n",
05655 'B'+tid.dev.type,
05656 tid.dev.major,
05657 tid.dev.minor);
05658 }
05659 #endif
05660 /* default entry? */
05661 if(RSBAC_IS_ZERO_DEV_DESC(tid.dev))
05662 return -RSBAC_EINVALIDTARGET;
05663 switch(tid.dev.type)
05664 {
05665 case D_char:
05666 case D_block:
05667 return rsbac_ta_list_lol_remove(ta_number, dev_handle, &tid.dev);
05668
05669 case D_char_major:
05670 case D_block_major:
05671 tid.dev.type -= (D_block_major - D_block);
05672 return rsbac_ta_list_lol_remove(ta_number, dev_major_handle, &tid.dev);
05673
05674 default:
05675 return -RSBAC_EINVALIDTARGET;
05676 }
05677
05678 case T_SCD:
05679 #ifdef CONFIG_RSBAC_DEBUG
05680 if (rsbac_debug_ds_acl)
05681 {
05682 char tmp[80];
05683
05684 get_acl_scd_type_name(tmp, tid.scd);
05685 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing SCD ACL for %s\n",
05686 tmp);
05687 }
05688 #endif
05689 /* default entry? */
05690 if(tid.scd == AST_none)
05691 return -RSBAC_EINVALIDTARGET;
05692 else
05693 return rsbac_ta_list_lol_remove(ta_number, scd_handle, &tid.scd);
05694
05695 case T_USER:
05696 #ifdef CONFIG_RSBAC_DEBUG
05697 if (rsbac_debug_ds_acl)
05698 {
05699 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing user ACL for user %u\n",
05700 tid.user);
05701 }
05702 #endif
05703 /* default entry? */
05704 if(tid.user == RSBAC_NO_USER)
05705 return -RSBAC_EINVALIDTARGET;
05706 else
05707 return rsbac_ta_list_lol_remove(ta_number, u_handle, &tid.user);
05708
05709 #ifdef CONFIG_RSBAC_ACL_UM_PROT
05710 case T_GROUP:
05711 #ifdef CONFIG_RSBAC_DEBUG
05712 if (rsbac_debug_ds_acl)
05713 {
05714 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing Linux group ACL for group %u\n",
05715 tid.group);
05716 }
05717 #endif
05718 /* default entry? */
05719 if(tid.group == RSBAC_NO_GROUP)
05720 return -RSBAC_EINVALIDTARGET;
05721 else
05722 return rsbac_ta_list_lol_remove(ta_number, g_handle, &tid.group);
05723 #endif
05724
05725 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
05726 case T_NETDEV:
05727 #ifdef CONFIG_RSBAC_DEBUG
05728 if (rsbac_debug_ds_acl)
05729 {
05730 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network device ACL for netdev %s\n",
05731 tid.netdev);
05732 }
05733 #endif
05734 /* default entry? */
05735 if(!tid.netdev[0])
05736 return -RSBAC_EINVALIDTARGET;
05737 else
05738 return rsbac_ta_list_lol_remove(ta_number, netdev_handle, &tid.netdev);
05739 #endif
05740
05741 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
05742 case T_NETTEMP_NT:
05743 #ifdef CONFIG_RSBAC_DEBUG
05744 if (rsbac_debug_ds_acl)
05745 {
05746 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network template NT ACL for nettemp_nt %u\n",
05747 tid.nettemp);
05748 }
05749 #endif
05750 /* default entry? */
05751 if(!tid.nettemp)
05752 return -RSBAC_EINVALIDTARGET;
05753 else
05754 return rsbac_ta_list_lol_remove(ta_number, nettemp_nt_handle, &tid.nettemp);
05755 case T_NETTEMP:
05756 #ifdef CONFIG_RSBAC_DEBUG
05757 if (rsbac_debug_ds_acl)
05758 {
05759 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network template ACL for nettemp %u\n",
05760 tid.nettemp);
05761 }
05762 #endif
05763 /* default entry? */
05764 if(!tid.nettemp)
05765 return -RSBAC_EINVALIDTARGET;
05766 else
05767 return rsbac_ta_list_lol_remove(ta_number, nettemp_handle, &tid.nettemp);
05768 case T_NETOBJ:
05769 #ifdef CONFIG_RSBAC_DEBUG
05770 if (rsbac_debug_ds_acl)
05771 {
05772 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl(): Removing network object ACL for netobj %p\n",
05773 tid.netobj.sock_p);
05774 }
05775 #endif
05776 /* default entry? */
05777 if(!tid.netobj.sock_p)
05778 return -RSBAC_EINVALIDTARGET;
05779 else
05780 return rsbac_ta_list_lol_remove(ta_number, netobj_handle, &tid.netobj.sock_p);
05781 #endif
05782
05783 default:
05784 err = -RSBAC_EINVALIDTARGET;
05785 }
05786 return(err);
05787 }
|
|
||||||||||||||||||||||||
|
Definition at line 5203 of file acl_data_structures.c. References acl_lookup_device(), ACLS_NONE, AST_none, D_block, D_block_major, D_char, D_char_major, rsbac_target_id_t::dev, fd_hash(), get_acl_scd_type_name(), get_acl_subject_type_name(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handles, I_none, rsbac_target_id_t::ipc, rsbac_acl_device_list_head_t::lock, rsbac_dev_desc_t::major, rsbac_dev_desc_t::minor, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, NULL, rsbac_target_id_t::process, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_FD_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_MAXNAMELEN, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_lol_get_data_ttl(), rsbac_ta_list_lol_remove(), rsbac_ta_list_lol_subcount(), rsbac_ta_list_lol_subremove(), rsbac_ta_list_remove(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_USER, rsbac_ipc_t::type, rsbac_dev_desc_t::type, and rsbac_target_id_t::user. Referenced by rsbac_acl_sys_remove_acl_entry(). 05209 {
05210 int err = 0;
05211 int list_no;
05212 struct rsbac_acl_device_list_item_t * device_p;
05213 struct rsbac_acl_entry_desc_t desc;
05214 u_long dflags;
05215 rsbac_acl_rights_vector_t mask;
05216
05217 if (!rsbac_is_initialized())
05218 {
05219 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): RSBAC not initialized\n");
05220 return(-RSBAC_ENOTINITIALIZED);
05221 }
05222 if (subj_type >= ACLS_NONE)
05223 return(-RSBAC_EINVALIDVALUE);
05224 #ifdef CONFIG_RSBAC_DEBUG
05225 if (in_interrupt())
05226 {
05227 rsbac_printk(KERN_WARNING "rsbac_acl_remove_acl_entry(): called from interrupt!\n");
05228 }
05229 #endif
05230 desc.subj_type = subj_type;
05231 desc.subj_id = subj_id;
05232
05233 switch (target)
05234 {
05235 case T_FILE:
05236 case T_DIR:
05237 case T_FIFO:
05238 case T_SYMLINK:
05239 #ifdef CONFIG_RSBAC_DEBUG
05240 if (rsbac_debug_ds_acl)
05241 {
05242 char tmp[RSBAC_MAXNAMELEN];
05243
05244 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing file/dir/fifo/symlink ACL entry %s %u for device %02u:%02u, inode %u\n",
05245 get_acl_subject_type_name(tmp,desc.subj_type), desc.subj_id,
05246 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode);
05247 }
05248 #endif
05249 /* default entry? */
05250 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p)
05251 return rsbac_ta_list_remove(ta_number, default_fd_handle, &desc);
05252
05253 /* wait for read access to device_list_head */
05254 rsbac_read_lock(&device_list_head.lock, &dflags);
05255 /* OK, go on */
05256 /* lookup device */
05257 device_p = acl_lookup_device(tid.file.device);
05258 if (!device_p)
05259 {
05260 /* trigger rsbac_mount() */
05261 rsbac_read_unlock(&device_list_head.lock, &dflags);
05262 rsbac_get_super_block(tid.file.device);
05263 /* retry */
05264 rsbac_read_lock(&device_list_head.lock, &dflags);
05265 device_p = acl_lookup_device(tid.file.device);
05266 if(!device_p)
05267 {
05268 rsbac_printk(KERN_WARNING
05269 "rsbac_acl_remove_acl_entry(): Could not lookup device!\n");
05270 /* free read lock */
05271 rsbac_read_unlock(&device_list_head.lock, &dflags);
05272 return(-RSBAC_EINVALIDDEV);
05273 }
05274 }
05275 list_no = fd_hash(tid.file.inode);
05276 err = rsbac_ta_list_lol_subremove(ta_number, device_p->handles[list_no], &tid.file.inode, &desc);
05277 /* if ACL is empty, remove it */
05278 if( !err
05279 && !rsbac_ta_list_lol_subcount(ta_number, device_p->handles[list_no], &tid.file.inode)
05280 && !rsbac_ta_list_lol_get_data_ttl(ta_number, device_p->handles[list_no],
05281 NULL,
05282 &tid.file.inode,
05283 &mask)
05284 && (mask == RSBAC_ACL_DEFAULT_FD_MASK)
05285 )
05286 {
05287 err = rsbac_ta_list_lol_remove(ta_number, device_p->handles[list_no], &tid.file.inode);
05288 }
05289 rsbac_read_unlock(&device_list_head.lock, &dflags);
05290 /* ready. */
05291 return err;
05292
05293 case T_DEV:
05294 #ifdef CONFIG_RSBAC_DEBUG
05295 if (rsbac_debug_ds_acl)
05296 {
05297 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing device ACL entry for dev %c %02u:%02u\n",
05298 'B'+tid.dev.type,
05299 tid.dev.major,
05300 tid.dev.minor);
05301 }
05302 #endif
05303 /* default entry? */
05304 if(RSBAC_IS_ZERO_DEV_DESC(tid.dev))
05305 return rsbac_ta_list_remove(ta_number, default_dev_handle, &desc);
05306
05307 {
05308 switch(tid.dev.type)
05309 {
05310 case D_char:
05311 case D_block:
05312 err = rsbac_ta_list_lol_subremove(ta_number, dev_handle, &tid.dev, &desc);
05313 /* if ACL is empty, remove it */
05314 if( !err
05315 && !rsbac_ta_list_lol_subcount(ta_number, dev_handle, &tid.dev)
05316 && !rsbac_ta_list_lol_get_data_ttl(ta_number, dev_handle,
05317 NULL,
05318 &tid.dev,
05319 &mask)
05320 && (mask == RSBAC_ACL_DEFAULT_DEV_MASK)
05321 )
05322 {
05323 err = rsbac_ta_list_lol_remove(ta_number, dev_handle, &tid.dev);
05324 }
05325 return err;
05326
05327 case D_char_major:
05328 case D_block_major:
05329 tid.dev.type -= (D_block_major - D_block);
05330 err = rsbac_ta_list_lol_subremove(ta_number, dev_major_handle, &tid.dev, &desc);
05331 /* if ACL is empty, remove it */
05332 if( !err
05333 && !rsbac_ta_list_lol_subcount(ta_number, dev_major_handle, &tid.dev)
05334 && !rsbac_ta_list_lol_get_data_ttl(ta_number, dev_major_handle,
05335 NULL,
05336 &tid.dev,
05337 &mask)
05338 && (mask == RSBAC_ACL_DEFAULT_DEV_MASK)
05339 )
05340 {
05341 err = rsbac_ta_list_lol_remove(ta_number, dev_major_handle, &tid.dev);
05342 }
05343 return err;
05344
05345 default:
05346 return -RSBAC_EINVALIDTARGET;
05347 }
05348 }
05349
05350 case T_IPC:
05351 #ifdef CONFIG_RSBAC_DEBUG
05352 if (rsbac_debug_ds_acl)
05353 {
05354 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing IPC ACL for type %u\n",
05355 tid.ipc.type);
05356 }
05357 #endif
05358 /* default entry? */
05359 if(tid.ipc.type == I_none)
05360 return rsbac_ta_list_remove(ta_number, default_ipc_handle, &desc);
05361 else
05362 return -RSBAC_EINVALIDTARGET;
05363
05364 case T_SCD:
05365 #ifdef CONFIG_RSBAC_DEBUG
05366 if (rsbac_debug_ds_acl)
05367 {
05368 char tmp[80];
05369
05370 get_acl_scd_type_name(tmp, tid.scd);
05371 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing SCD ACL entry for %s\n",
05372 tmp);
05373 }
05374 #endif
05375 /* default entry? */
05376 if(tid.scd == AST_none)
05377 return rsbac_ta_list_remove(ta_number, default_scd_handle, &desc);
05378 err = rsbac_ta_list_lol_subremove(ta_number, scd_handle, &tid.scd, &desc);
05379 /* if ACL is empty, remove it */
05380 if( !err
05381 && !rsbac_ta_list_lol_subcount(ta_number, scd_handle, &tid.scd)
05382 && !rsbac_ta_list_lol_get_data_ttl(ta_number, scd_handle,
05383 NULL,
05384 &tid.scd,
05385 &mask)
05386 && (mask == RSBAC_ACL_DEFAULT_SCD_MASK)
05387 )
05388 {
05389 err = rsbac_ta_list_lol_remove(ta_number, scd_handle, &tid.scd);
05390 }
05391 return err;
05392
05393 case T_USER:
05394 #ifdef CONFIG_RSBAC_DEBUG
05395 if (rsbac_debug_ds_acl)
05396 {
05397 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing user ACL for user %u\n",
05398 tid.user);
05399 }
05400 #endif
05401 /* default entry? */
05402 if(tid.user == RSBAC_NO_USER)
05403 return rsbac_ta_list_remove(ta_number, default_u_handle, &desc);
05404 err = rsbac_ta_list_lol_subremove(ta_number, u_handle, &tid.user, &desc);
05405 /* if ACL is empty, remove it */
05406 if( !err
05407 && !rsbac_ta_list_lol_subcount(ta_number, u_handle, &tid.user)
05408 && !rsbac_ta_list_lol_get_data_ttl(ta_number, u_handle,
05409 NULL,
05410 &tid.user,
05411 &mask)
05412 && (mask == RSBAC_ACL_DEFAULT_U_MASK)
05413 )
05414 {
05415 err = rsbac_ta_list_lol_remove(ta_number, u_handle, &tid.user);
05416 }
05417 return err;
05418
05419 case T_PROCESS:
05420 #ifdef CONFIG_RSBAC_DEBUG
05421 if (rsbac_debug_ds_acl)
05422 {
05423 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing process ACL for pid %u\n",
05424 tid.process);
05425 }
05426 #endif
05427 /* default entry? */
05428 if(!tid.process)
05429 return rsbac_ta_list_remove(ta_number, default_p_handle, &desc);
05430 else
05431 return -RSBAC_EINVALIDTARGET;
05432
05433 #ifdef CONFIG_RSBAC_ACL_UM_PROT
05434 case T_GROUP:
05435 #ifdef CONFIG_RSBAC_DEBUG
05436 if (rsbac_debug_ds_acl)
05437 {
05438 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing Linux group ACL for group %u\n",
05439 tid.group);
05440 }
05441 #endif
05442 /* default entry? */
05443 if(tid.group == RSBAC_NO_GROUP)
05444 return rsbac_ta_list_remove(ta_number, default_g_handle, &desc);
05445 err = rsbac_ta_list_lol_subremove(ta_number, g_handle, &tid.group, &desc);
05446 /* if ACL is empty, remove it */
05447 if( !err
05448 && !rsbac_ta_list_lol_subcount(ta_number, g_handle, &tid.group)
05449 && !rsbac_ta_list_lol_get_data_ttl(ta_number, g_handle,
05450 NULL,
05451 &tid.group,
05452 &mask)
05453 && (mask == RSBAC_ACL_DEFAULT_G_MASK)
05454 )
05455 {
05456 err = rsbac_ta_list_lol_remove(ta_number, g_handle, &tid.group);
05457 }
05458 return err;
05459 #endif
05460
05461 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
05462 case T_NETDEV:
05463 #ifdef CONFIG_RSBAC_DEBUG
05464 if (rsbac_debug_ds_acl)
05465 {
05466 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network device ACL entry for netdev %s\n",
05467 tid.netdev);
05468 }
05469 #endif
05470 /* default entry? */
05471 if(!tid.netdev[0])
05472 return rsbac_ta_list_remove(ta_number, default_netdev_handle, &desc);
05473
05474 err = rsbac_ta_list_lol_subremove(ta_number, netdev_handle, &tid.netdev, &desc);
05475 /* if ACL is empty, remove it */
05476 if( !err
05477 && !rsbac_ta_list_lol_subcount(ta_number, netdev_handle, &tid.netdev)
05478 && !rsbac_ta_list_lol_get_data_ttl(ta_number, netdev_handle,
05479 NULL,
05480 &tid.netdev,
05481 &mask)
05482 && (mask == RSBAC_ACL_DEFAULT_NETDEV_MASK)
05483 )
05484 {
05485 err = rsbac_ta_list_lol_remove(ta_number, netdev_handle, &tid.netdev);
05486 }
05487 return err;
05488 #endif
05489
05490 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
05491 case T_NETTEMP_NT:
05492 #ifdef CONFIG_RSBAC_DEBUG
05493 if (rsbac_debug_ds_acl)
05494 {
05495 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network template NT ACL entry for nettemp_nt %u\n",
05496 tid.nettemp);
05497 }
05498 #endif
05499 /* default entry? */
05500 if(!tid.nettemp)
05501 return rsbac_ta_list_remove(ta_number, default_nettemp_nt_handle, &desc);
05502 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
05503 return -RSBAC_EINVALIDTARGET;
05504
05505 err = rsbac_ta_list_lol_subremove(ta_number, nettemp_nt_handle, &tid.nettemp, &desc);
05506 /* if ACL is empty, remove it */
05507 if( !err
05508 && !rsbac_ta_list_lol_subcount(ta_number, nettemp_nt_handle, &tid.nettemp)
05509 && !rsbac_ta_list_lol_get_data_ttl(ta_number, nettemp_nt_handle,
05510 NULL,
05511 &tid.nettemp,
05512 &mask)
05513 && (mask == RSBAC_ACL_DEFAULT_NETTEMP_MASK)
05514 )
05515 {
05516 err = rsbac_ta_list_lol_remove(ta_number, nettemp_nt_handle, &tid.nettemp);
05517 }
05518 return err;
05519
05520 case T_NETTEMP:
05521 #ifdef CONFIG_RSBAC_DEBUG
05522 if (rsbac_debug_ds_acl)
05523 {
05524 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network template ACL entry for nettemp_nt %u\n",
05525 tid.nettemp);
05526 }
05527 #endif
05528 /* default entry? */
05529 if(!tid.nettemp)
05530 return -RSBAC_EINVALIDTARGET;
05531 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
05532 return -RSBAC_EINVALIDTARGET;
05533
05534 err = rsbac_ta_list_lol_subremove(ta_number, nettemp_handle, &tid.nettemp, &desc);
05535 /* if ACL is empty, remove it */
05536 if( !err
05537 && !rsbac_ta_list_lol_subcount(ta_number, nettemp_handle, &tid.nettemp)
05538 && !rsbac_ta_list_lol_get_data_ttl(ta_number, nettemp_handle,
05539 NULL,
05540 &tid.nettemp,
05541 &mask)
05542 && (mask == RSBAC_ACL_DEFAULT_NETOBJ_MASK)
05543 )
05544 {
05545 err = rsbac_ta_list_lol_remove(ta_number, nettemp_handle, &tid.nettemp);
05546 }
05547 return err;
05548
05549 case T_NETOBJ:
05550 #ifdef CONFIG_RSBAC_DEBUG
05551 if (rsbac_debug_ds_acl)
05552 {
05553 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_acl_entry(): Removing network object ACL entry for netobj %p\n",
05554 tid.netobj.sock_p);
05555 }
05556 #endif
05557 /* default entry? */
05558 if(!tid.netobj.sock_p)
05559 return rsbac_ta_list_remove(ta_number, default_netobj_handle, &desc);
05560
05561 err = rsbac_ta_list_lol_subremove(ta_number, netobj_handle, &tid.netobj.sock_p, &desc);
05562 /* if ACL is empty, remove it */
05563 if( !err
05564 && !rsbac_ta_list_lol_subcount(ta_number, netobj_handle, &tid.netobj.sock_p)
05565 && !rsbac_ta_list_lol_get_data_ttl(ta_number, netobj_handle,
05566 NULL,
05567 &tid.netobj,
05568 &mask)
05569 && (mask == RSBAC_ACL_DEFAULT_NETOBJ_MASK)
05570 )
05571 {
05572 err = rsbac_ta_list_lol_remove(ta_number, netobj_handle, &tid.netobj.sock_p);
05573 }
05574 return err;
05575 #endif /* NET_OBJ_PROT */
05576
05577 default:
05578 return -RSBAC_EINVALIDTARGET;
05579 }
05580 }
|
|
||||||||||||||||||||||||||||
|
Definition at line 6318 of file acl_data_structures.c. References acl_lookup_device(), ACLS_NONE, AST_none, D_block, D_block_major, D_char, D_char_major, rsbac_target_id_t::dev, fd_hash(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handles, I_none, rsbac_target_id_t::ipc, rsbac_acl_device_list_head_t::lock, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, rsbac_target_id_t::process, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_add_ttl(), rsbac_ta_list_get_data_ttl(), rsbac_ta_list_lol_get_subdata_ttl(), rsbac_ta_list_lol_subadd_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_USER, rsbac_ipc_t::type, rsbac_dev_desc_t::type, and rsbac_target_id_t::user. Referenced by rsbac_acl_sys_remove_from_acl_entry(). 06325 {
06326 int err = 0;
06327 int list_no;
06328 struct rsbac_acl_device_list_item_t * device_p;
06329 rsbac_acl_rights_vector_t old_rights;
06330 struct rsbac_acl_entry_desc_t desc;
06331 u_long dflags;
06332 rsbac_time_t ttl;
06333
06334 if (!rsbac_is_initialized())
06335 {
06336 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): RSBAC not initialized\n");
06337 return(-RSBAC_ENOTINITIALIZED);
06338 }
06339 if (subj_type >= ACLS_NONE)
06340 return(-RSBAC_EINVALIDVALUE);
06341 #ifdef CONFIG_RSBAC_DEBUG
06342 if (in_interrupt())
06343 {
06344 rsbac_printk(KERN_WARNING "rsbac_acl_remove_from_acl_entry(): called from interrupt!\n");
06345 }
06346 #endif
06347 desc.subj_type = subj_type;
06348 desc.subj_id = subj_id;
06349
06350 switch (target)
06351 {
06352 case T_FILE:
06353 case T_DIR:
06354 case T_FIFO:
06355 case T_SYMLINK:
06356 /*
06357 #ifdef CONFIG_RSBAC_DEBUG
06358 if (rsbac_debug_ds_acl)
06359 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n",
06360 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode);
06361 #endif
06362 */
06363 /* default entry? */
06364 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p)
06365 {
06366 if(!rsbac_ta_list_get_data_ttl(ta_number, default_fd_handle,
06367 &ttl, &desc, &old_rights))
06368 {
06369 old_rights &= ~rights;
06370 return rsbac_ta_list_add_ttl(ta_number, default_fd_handle,
06371 ttl, &desc, &old_rights);
06372 }
06373 else
06374 return 0;
06375 }
06376 /* wait for read access to device_list_head */
06377 rsbac_read_lock(&device_list_head.lock, &dflags);
06378 /* OK, go on */
06379 /* lookup device */
06380 device_p = acl_lookup_device(tid.file.device);
06381 if (!device_p)
06382 {
06383 /* trigger rsbac_mount() */
06384 rsbac_read_unlock(&device_list_head.lock, &dflags);
06385 rsbac_get_super_block(tid.file.device);
06386 /* retry */
06387 rsbac_read_lock(&device_list_head.lock, &dflags);
06388 device_p = acl_lookup_device(tid.file.device);
06389 if(!device_p)
06390 {
06391 rsbac_printk(KERN_WARNING
06392 "rsbac_acl_remove_from_acl_entry(): Could not lookup device!\n");
06393 /* free read lock */
06394 rsbac_read_unlock(&device_list_head.lock, &dflags);
06395 return(-RSBAC_EINVALIDDEV);
06396 }
06397 }
06398 list_no = fd_hash(tid.file.inode);
06399 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06400 device_p->handles[list_no],
06401 &ttl,
06402 &tid.file.inode,
06403 &desc,
06404 &old_rights))
06405 {
06406 old_rights &= ~rights;
06407 err = rsbac_ta_list_lol_subadd_ttl(ta_number,
06408 device_p->handles[list_no],
06409 ttl,
06410 &tid.file.inode,
06411 &desc,
06412 &old_rights);
06413 }
06414 else
06415 err = 0;
06416 rsbac_read_unlock(&device_list_head.lock, &dflags);
06417 return err;
06418
06419 case T_DEV:
06420 /*
06421 #ifdef CONFIG_RSBAC_DEBUG
06422 if (rsbac_debug_ds_acl)
06423 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from device ACL entry for dev %c %02u:%02u\n",
06424 'B'+tid.dev.type,
06425 tid.dev.major,
06426 tid.dev.minor);
06427 #endif
06428 */
06429 /* default entry? */
06430 if(RSBAC_IS_ZERO_DEV_DESC(tid.dev))
06431 {
06432 if(!rsbac_ta_list_get_data_ttl(ta_number, default_dev_handle,
06433 &ttl, &desc, &old_rights))
06434 {
06435 old_rights &= ~rights;
06436 return rsbac_ta_list_add_ttl(ta_number, default_dev_handle,
06437 ttl, &desc, &old_rights);
06438 }
06439 else
06440 return 0;
06441 }
06442 switch(tid.dev.type)
06443 {
06444 case D_char:
06445 case D_block:
06446 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number, dev_handle,
06447 &ttl,
06448 &tid.dev,
06449 &desc,
06450 &old_rights))
06451 {
06452 old_rights &= ~rights;
06453 return rsbac_ta_list_lol_subadd_ttl(ta_number, dev_handle,
06454 ttl,
06455 &tid.dev,
06456 &desc,
06457 &old_rights);
06458 }
06459 else
06460 return 0;
06461
06462 case D_char_major:
06463 case D_block_major:
06464 tid.dev.type -= (D_block_major - D_block);
06465 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06466 dev_major_handle,
06467 &ttl,
06468 &tid.dev,
06469 &desc,
06470 &old_rights))
06471 {
06472 old_rights &= ~rights;
06473 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06474 dev_major_handle,
06475 ttl,
06476 &tid.dev,
06477 &desc,
06478 &old_rights);
06479 }
06480 else
06481 return 0;
06482
06483 default:
06484 return -RSBAC_EINVALIDTARGET;
06485 }
06486
06487 case T_IPC:
06488 /*
06489 #ifdef CONFIG_RSBAC_DEBUG
06490 if (rsbac_debug_ds_acl)
06491 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from IPC ACL for type %u\n",
06492 tid.ipc.type);
06493 #endif
06494 */
06495 /* default entry? */
06496 if(tid.ipc.type == I_none)
06497 {
06498 if(!rsbac_ta_list_get_data_ttl(ta_number, default_ipc_handle,
06499 &ttl, &desc, &old_rights))
06500 {
06501 old_rights &= ~rights;
06502 return rsbac_ta_list_add_ttl(ta_number, default_ipc_handle,
06503 ttl, &desc, &old_rights);
06504 }
06505 else
06506 return 0;
06507 }
06508 else
06509 return -RSBAC_EINVALIDTARGET;
06510
06511 case T_SCD:
06512 /*
06513 #ifdef CONFIG_RSBAC_DEBUG
06514 if (rsbac_debug_ds_acl)
06515 {
06516 char tmp[80];
06517
06518 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from SCD ACL entry for %s\n",
06519 get_acl_scd_type_name(tmp, tid.dev.id));
06520 }
06521 #endif
06522 */
06523 /* default entry? */
06524 if(tid.scd == AST_none)
06525 {
06526 if(!rsbac_ta_list_get_data_ttl(ta_number, default_scd_handle,
06527 &ttl, &desc, &old_rights))
06528 {
06529 old_rights &= ~rights;
06530 return rsbac_ta_list_add_ttl(ta_number, default_scd_handle,
06531 ttl, &desc, &old_rights);
06532 }
06533 else
06534 return 0;
06535 }
06536 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06537 scd_handle,
06538 &ttl,
06539 &tid.scd,
06540 &desc,
06541 &old_rights))
06542 {
06543 old_rights &= ~rights;
06544 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06545 scd_handle,
06546 ttl,
06547 &tid.scd,
06548 &desc,
06549 &old_rights);
06550 }
06551 else
06552 return 0;
06553
06554 case T_USER:
06555 /*
06556 #ifdef CONFIG_RSBAC_DEBUG
06557 if (rsbac_debug_ds_acl)
06558 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from user ACL for user %u\n",
06559 tid.user);
06560 #endif
06561 */
06562 /* default entry? */
06563 if(tid.user == RSBAC_NO_USER)
06564 {
06565 if(!rsbac_ta_list_get_data_ttl(ta_number, default_u_handle,
06566 &ttl, &desc, &old_rights))
06567 {
06568 old_rights &= ~rights;
06569 return rsbac_ta_list_add_ttl(ta_number, default_u_handle,
06570 ttl, &desc, &old_rights);
06571 }
06572 else
06573 return 0;
06574 }
06575 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06576 u_handle,
06577 &ttl,
06578 &tid.user,
06579 &desc,
06580 &old_rights))
06581 {
06582 old_rights &= ~rights;
06583 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06584 u_handle,
06585 ttl,
06586 &tid.user,
06587 &desc,
06588 &old_rights);
06589 }
06590 else
06591 return 0;
06592
06593 case T_PROCESS:
06594 /*
06595 #ifdef CONFIG_RSBAC_DEBUG
06596 if (rsbac_debug_ds_acl)
06597 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from process ACL for pid %u\n",
06598 tid.process);
06599 #endif
06600 */
06601 /* default entry? */
06602 if(!tid.process)
06603 {
06604 if(!rsbac_ta_list_get_data_ttl(ta_number, default_p_handle,
06605 &ttl, &desc, &old_rights))
06606 {
06607 old_rights &= ~rights;
06608 return rsbac_ta_list_add_ttl(ta_number, default_p_handle,
06609 ttl, &desc, &old_rights);
06610 }
06611 else
06612 return 0;
06613 }
06614 else
06615 return -RSBAC_EINVALIDTARGET;
06616
06617 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06618 case T_GROUP:
06619 /*
06620 #ifdef CONFIG_RSBAC_DEBUG
06621 if (rsbac_debug_ds_acl)
06622 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from Linux group ACL for group %u\n",
06623 tid.group);
06624 #endif
06625 */
06626 /* default entry? */
06627 if(tid.group == RSBAC_NO_GROUP)
06628 {
06629 if(!rsbac_ta_list_get_data_ttl(ta_number, default_g_handle,
06630 &ttl, &desc, &old_rights))
06631 {
06632 old_rights &= ~rights;
06633 return rsbac_ta_list_add_ttl(ta_number, default_g_handle,
06634 ttl, &desc, &old_rights);
06635 }
06636 else
06637 return 0;
06638 }
06639 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06640 g_handle,
06641 &ttl,
06642 &tid.group,
06643 &desc,
06644 &old_rights))
06645 {
06646 old_rights &= ~rights;
06647 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06648 g_handle,
06649 ttl,
06650 &tid.group,
06651 &desc,
06652 &old_rights);
06653 }
06654 else
06655 return 0;
06656 #endif
06657
06658 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
06659 case T_NETDEV:
06660 /*
06661 #ifdef CONFIG_RSBAC_DEBUG
06662 if (rsbac_debug_ds_acl)
06663 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from network device ACL entry for netdev %s\n",
06664 tid.netdev);
06665 #endif
06666 */
06667 /* default entry? */
06668 if(!tid.netdev[0])
06669 {
06670 if(!rsbac_ta_list_get_data_ttl(ta_number, default_netdev_handle,
06671 &ttl, &desc, &old_rights))
06672 {
06673 old_rights &= ~rights;
06674 return rsbac_ta_list_add_ttl(ta_number, default_netdev_handle,
06675 ttl, &desc, &old_rights);
06676 }
06677 else
06678 return 0;
06679 }
06680 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06681 netdev_handle,
06682 &ttl,
06683 &tid.netdev,
06684 &desc,
06685 &old_rights))
06686 {
06687 old_rights &= ~rights;
06688 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06689 netdev_handle,
06690 ttl,
06691 &tid.netdev,
06692 &desc,
06693 &old_rights);
06694 }
06695 else
06696 return 0;
06697 #endif
06698
06699 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
06700 case T_NETTEMP_NT:
06701 /*
06702 #ifdef CONFIG_RSBAC_DEBUG
06703 if (rsbac_debug_ds_acl)
06704 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from network template NT ACL entry for nettemp_nt %u\n",
06705 tid.nettemp);
06706 #endif
06707 */
06708 /* default entry? */
06709 if(!tid.nettemp)
06710 {
06711 if(!rsbac_ta_list_get_data_ttl(ta_number, default_nettemp_nt_handle,
06712 &ttl, &desc, &old_rights))
06713 {
06714 old_rights &= ~rights;
06715 return rsbac_ta_list_add_ttl(ta_number, default_nettemp_nt_handle,
06716 ttl, &desc, &old_rights);
06717 }
06718 else
06719 return 0;
06720 }
06721 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06722 return -RSBAC_EINVALIDTARGET;
06723 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06724 nettemp_nt_handle,
06725 &ttl,
06726 &tid.nettemp,
06727 &desc,
06728 &old_rights))
06729 {
06730 old_rights &= ~rights;
06731 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06732 nettemp_nt_handle,
06733 ttl,
06734 &tid.nettemp,
06735 &desc,
06736 &old_rights);
06737 }
06738 else
06739 return 0;
06740 case T_NETTEMP:
06741 /*
06742 #ifdef CONFIG_RSBAC_DEBUG
06743 if (rsbac_debug_ds_acl)
06744 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from network template ACL entry for nettemp %u\n",
06745 tid.nettemp);
06746 #endif
06747 */
06748 /* default entry? */
06749 if(!tid.nettemp)
06750 {
06751 return -RSBAC_EINVALIDTARGET;
06752 }
06753 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06754 return -RSBAC_EINVALIDTARGET;
06755 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06756 nettemp_handle,
06757 &ttl,
06758 &tid.nettemp,
06759 &desc,
06760 &old_rights))
06761 {
06762 old_rights &= ~rights;
06763 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06764 nettemp_handle,
06765 ttl,
06766 &tid.nettemp,
06767 &desc,
06768 &old_rights);
06769 }
06770 else
06771 return 0;
06772 case T_NETOBJ:
06773 /*
06774 #ifdef CONFIG_RSBAC_DEBUG
06775 if (rsbac_debug_ds_acl)
06776 rsbac_printk(KERN_DEBUG "rsbac_acl_remove_from_acl_entry(): Removing from network object ACL entry for netobj %p\n",
06777 tid.netobj.sock_p);
06778 #endif
06779 */
06780 /* default entry? */
06781 if(!tid.netobj.sock_p)
06782 {
06783 if(!rsbac_ta_list_get_data_ttl(ta_number, default_netobj_handle,
06784 &ttl, &desc, &old_rights))
06785 {
06786 old_rights &= ~rights;
06787 return rsbac_ta_list_add_ttl(ta_number, default_netobj_handle,
06788 ttl, &desc, &old_rights);
06789 }
06790 else
06791 return 0;
06792 }
06793 if(!rsbac_ta_list_lol_get_subdata_ttl(ta_number,
06794 netobj_handle,
06795 &ttl,
06796 &tid.netobj.sock_p,
06797 &desc,
06798 &old_rights))
06799 {
06800 old_rights &= ~rights;
06801 return rsbac_ta_list_lol_subadd_ttl(ta_number,
06802 netobj_handle,
06803 ttl,
06804 &tid.netobj.sock_p,
06805 &desc,
06806 &old_rights);
06807 }
06808 else
06809 return 0;
06810 #endif /* NET_OBJ_PROT */
06811
06812 default:
06813 return -RSBAC_EINVALIDTARGET;
06814 }
06815 }
|
|
||||||||||||
|
Definition at line 9413 of file acl_data_structures.c. References ACLS_GROUP, rsbac_acl_remove_subject(), RSBAC_EINVALIDVALUE, rsbac_ta_list_lol_subremove_from_all(), rsbac_ta_list_remove(), rsbac_acl_entry_desc_t::subj_id, and rsbac_acl_entry_desc_t::subj_type. Referenced by rsbac_acl_sys_group(). 09416 {
09417 int err=0;
09418
09419 if(!id)
09420 return -RSBAC_EINVALIDVALUE;
09421
09422 err = rsbac_ta_list_remove(ta_number, group_handle, &id);
09423 if(!err)
09424 {
09425 struct rsbac_acl_entry_desc_t desc;
09426
09427 /* cleanup group memberships */
09428 rsbac_ta_list_lol_subremove_from_all(ta_number, gm_handle, &id);
09429 desc.subj_type = ACLS_GROUP;
09430 desc.subj_id = id;
09431 err = rsbac_acl_remove_subject(ta_number, desc);
09432 }
09433 return(err);
09434 }
|
|
||||||||||||||||
|
Definition at line 9519 of file acl_data_structures.c. References RSBAC_EINVALIDVALUE, rsbac_ta_list_exist(), rsbac_ta_list_lol_remove(), rsbac_ta_list_lol_subcount(), and rsbac_ta_list_lol_subremove(). Referenced by rsbac_acl_sys_group(). 09523 {
09524 int err;
09525
09526 if(!group)
09527 return -RSBAC_EINVALIDVALUE;
09528 if(!rsbac_ta_list_exist(ta_number, group_handle, &group))
09529 return -RSBAC_EINVALIDVALUE;
09530
09531 err = rsbac_ta_list_lol_subremove(ta_number, gm_handle, &user, &group);
09532 /* cleanup empty gm items */
09533 if( !err
09534 && !rsbac_ta_list_lol_subcount(ta_number, gm_handle, &user)
09535 )
09536 err = rsbac_ta_list_lol_remove(ta_number, gm_handle, &user);
09537
09538 return err;
09539 }
|
|
||||||||||||
|
Definition at line 9265 of file acl_data_structures.c. References ACLS_NONE, rsbac_acl_device_list_item_t::handles, rsbac_acl_device_list_head_t::head, rsbac_acl_device_list_head_t::lock, rsbac_acl_device_list_item_t::next, RSBAC_EINVALIDVALUE, rsbac_ta_list_lol_subremove_from_all(), rsbac_ta_list_remove(), and rsbac_acl_entry_desc_t::subj_type. Referenced by rsbac_acl_remove_group(), rsbac_acl_remove_user(), and rsbac_rc_set_item(). 09268 {
09269 struct rsbac_acl_device_list_item_t * device_p;
09270 u_long dflags;
09271 u_int i;
09272
09273 if(desc.subj_type >= ACLS_NONE)
09274 return -RSBAC_EINVALIDVALUE;
09275
09276 /* remove from default ACLs */
09277 rsbac_ta_list_remove(ta_number, default_fd_handle, &desc);
09278 rsbac_ta_list_remove(ta_number, default_dev_handle, &desc);
09279 rsbac_ta_list_remove(ta_number, default_ipc_handle, &desc);
09280 rsbac_ta_list_remove(ta_number, default_scd_handle, &desc);
09281 rsbac_ta_list_remove(ta_number, default_u_handle, &desc);
09282 rsbac_ta_list_remove(ta_number, default_p_handle, &desc);
09283 #ifdef CONFIG_RSBAC_ACL_UM_PROT
09284 rsbac_ta_list_remove(ta_number, default_g_handle, &desc);
09285 #endif
09286 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
09287 rsbac_ta_list_remove(ta_number, default_netdev_handle, &desc);
09288 #endif
09289 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
09290 rsbac_ta_list_remove(ta_number, default_nettemp_nt_handle, &desc);
09291 rsbac_ta_list_remove(ta_number, default_netobj_handle, &desc);
09292 #endif
09293
09294 /* protect device list */
09295 rsbac_read_lock(&device_list_head.lock, &dflags);
09296 device_p = device_list_head.head;
09297 while(device_p)
09298 {
09299 for(i=0; i<RSBAC_ACL_NR_FD_LISTS; i++)
09300 {
09301 rsbac_ta_list_lol_subremove_from_all(ta_number,
09302 device_p->handles[i],
09303 &desc);
09304 }
09305 device_p = device_p->next;
09306 }
09307 /* unprotect device list */
09308 rsbac_read_unlock(&device_list_head.lock, &dflags);
09309
09310 /* dev list */
09311 rsbac_ta_list_lol_subremove_from_all(ta_number, dev_major_handle, &desc);
09312 rsbac_ta_list_lol_subremove_from_all(ta_number, dev_handle, &desc);
09313
09314 /* scd list */
09315 rsbac_ta_list_lol_subremove_from_all(ta_number, scd_handle, &desc);
09316
09317 /* user list */
09318 rsbac_ta_list_lol_subremove_from_all(ta_number, u_handle, &desc);
09319
09320 #ifdef CONFIG_RSBAC_ACL_UM_PROT
09321 /* Linux group list */
09322 rsbac_ta_list_lol_subremove_from_all(ta_number, g_handle, &desc);
09323 #endif
09324
09325 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
09326 /* netdev list */
09327 rsbac_ta_list_lol_subremove_from_all(ta_number, netdev_handle, &desc);
09328 #endif
09329 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
09330 rsbac_ta_list_lol_subremove_from_all(ta_number, nettemp_nt_handle, &desc);
09331 rsbac_ta_list_lol_subremove_from_all(ta_number, nettemp_handle, &desc);
09332 rsbac_ta_list_lol_subremove_from_all(ta_number, netobj_handle, &desc);
09333 #endif
09334
09335 return 0;
09336 }
|
|
||||||||||||
|
Definition at line 9664 of file acl_data_structures.c. References ACLS_USER, rsbac_acl_remove_subject(), rsbac_ta_list_get_all_data(), rsbac_ta_list_lol_remove(), rsbac_ta_list_lol_subremove_from_all(), rsbac_ta_list_remove(), rsbac_vfree, rsbac_acl_entry_desc_t::subj_id, and rsbac_acl_entry_desc_t::subj_type. Referenced by rsbac_acl_sys_remove_user(). 09667 {
09668 u_long i;
09669 struct rsbac_acl_group_entry_t * entry_p;
09670 long desc_count;
09671 struct rsbac_acl_entry_desc_t desc;
09672
09673 rsbac_ta_list_lol_remove(ta_number, gm_handle, &user);
09674 /* traverse groups for this owner */
09675 desc_count = rsbac_ta_list_get_all_data(ta_number, group_handle, (void **) &entry_p);
09676 if(desc_count > 0)
09677 {
09678 for(i=0; i<desc_count; i++)
09679 {
09680 if(entry_p[i].owner == user)
09681 {
09682 rsbac_ta_list_remove(ta_number, group_handle, &entry_p[i].id);
09683 /* cleanup group memberships */
09684 rsbac_ta_list_lol_subremove_from_all(ta_number,
09685 gm_handle,
09686 &entry_p[i].id);
09687 }
09688 }
09689 rsbac_vfree(entry_p);
09690 }
09691
09692 desc.subj_type = ACLS_USER;
09693 desc.subj_id = user;
09694
09695 return rsbac_acl_remove_subject(ta_number, desc);
09696 }
|
|
||||||||||||||||||||||||||||||||
|
Definition at line 4830 of file acl_data_structures.c. References acl_lookup_device(), ACLS_NONE, AST_none, D_block, D_block_major, D_char, D_char_major, rsbac_target_id_t::dev, fd_hash(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handles, I_none, rsbac_target_id_t::ipc, rsbac_acl_device_list_head_t::lock, rsbac_dev_desc_t::major, rsbac_dev_desc_t::minor, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, rsbac_target_id_t::process, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_FD_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_EINVALIDVALUE, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_add_ttl(), rsbac_ta_list_lol_add_ttl(), rsbac_ta_list_lol_exist(), rsbac_ta_list_lol_subadd_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_desc_t::subj_type, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_IPC, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_PROCESS, T_SCD, T_SYMLINK, T_USER, rsbac_ipc_t::type, rsbac_dev_desc_t::type, and rsbac_target_id_t::user. Referenced by rsbac_acl_sys_set_acl_entry(). 04838 {
04839 int err = 0;
04840 int list_no;
04841 struct rsbac_acl_device_list_item_t * device_p;
04842 struct rsbac_acl_entry_desc_t desc;
04843 u_long dflags;
04844
04845 if (!rsbac_is_initialized())
04846 {
04847 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): RSBAC not initialized\n");
04848 return(-RSBAC_ENOTINITIALIZED);
04849 }
04850 if (subj_type >= ACLS_NONE)
04851 return(-RSBAC_EINVALIDVALUE);
04852 #ifdef CONFIG_RSBAC_DEBUG
04853 if (in_interrupt())
04854 {
04855 rsbac_printk(KERN_WARNING "rsbac_acl_set_acl_entry(): called from interrupt!\n");
04856 }
04857 #endif
04858 desc.subj_type = subj_type;
04859 desc.subj_id = subj_id;
04860
04861 switch (target)
04862 {
04863 case T_FILE:
04864 case T_DIR:
04865 case T_FIFO:
04866 case T_SYMLINK:
04867 #ifdef CONFIG_RSBAC_DEBUG
04868 if (rsbac_debug_ds_acl)
04869 {
04870 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting file/dir/fifo/symlink ACL for device %02u:%02u, inode %u\n",
04871 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode);
04872 }
04873 #endif
04874 /* default entry? */
04875 if(RSBAC_IS_ZERO_DEV(tid.file.device) && !tid.file.inode && !tid.file.dentry_p)
04876 return rsbac_ta_list_add_ttl(ta_number, default_fd_handle, ttl, &desc, &rights);
04877 /* wait for read access to device_list_head */
04878 rsbac_read_lock(&device_list_head.lock, &dflags);
04879 /* OK, go on */
04880 /* lookup device */
04881 device_p = acl_lookup_device(tid.file.device);
04882 if (!device_p)
04883 {
04884 /* trigger rsbac_mount() */
04885 rsbac_read_unlock(&device_list_head.lock, &dflags);
04886 rsbac_get_super_block(tid.file.device);
04887 /* retry */
04888 rsbac_read_lock(&device_list_head.lock, &dflags);
04889 device_p = acl_lookup_device(tid.file.device);
04890 if(!device_p)
04891 {
04892 rsbac_printk(KERN_WARNING
04893 "rsbac_acl_set_acl_entry(): Could not lookup device!\n");
04894 /* free read lock */
04895 rsbac_read_unlock(&device_list_head.lock, &dflags);
04896 return(-RSBAC_EINVALIDDEV);
04897 }
04898 }
04899 list_no = fd_hash(tid.file.inode);
04900 if(!rsbac_ta_list_lol_exist(ta_number, device_p->handles[list_no], &tid.file.inode))
04901 {
04902 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_FD_MASK;
04903
04904 err = rsbac_ta_list_lol_add_ttl(ta_number,
04905 device_p->handles[list_no],
04906 0,
04907 &tid.file.inode,
04908 &mask);
04909 if(err)
04910 {
04911 rsbac_read_unlock(&device_list_head.lock, &dflags);
04912 return err;
04913 }
04914 }
04915 err = rsbac_ta_list_lol_subadd_ttl(ta_number, device_p->handles[list_no], ttl, &tid.file.inode, &desc, &rights);
04916 rsbac_read_unlock(&device_list_head.lock, &dflags);
04917 /* ready. */
04918 return err;
04919
04920 case T_DEV:
04921 #ifdef CONFIG_RSBAC_DEBUG
04922 if (rsbac_debug_ds_acl)
04923 {
04924 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting device ACL for dev %c %02u:%02u\n",
04925 'B'+tid.dev.type,
04926 tid.dev.major,
04927 tid.dev.minor);
04928 }
04929 #endif
04930 /* default entry? */
04931 if(RSBAC_IS_ZERO_DEV_DESC(tid.dev))
04932 return rsbac_ta_list_add_ttl(ta_number, default_dev_handle, ttl, &desc, &rights);
04933
04934 {
04935 switch(tid.dev.type)
04936 {
04937 case D_char:
04938 case D_block:
04939 if(!rsbac_ta_list_lol_exist(ta_number, dev_handle, &tid.dev))
04940 {
04941 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_DEV_MASK;
04942
04943 err = rsbac_ta_list_lol_add_ttl(ta_number, dev_handle,
04944 0, &tid.dev, &mask);
04945 if(err)
04946 return err;
04947 }
04948 return rsbac_ta_list_lol_subadd_ttl(ta_number, dev_handle, ttl, &tid.dev, &desc, &rights);
04949
04950 case D_char_major:
04951 case D_block_major:
04952 tid.dev.type -= (D_block_major - D_block);
04953 if(!rsbac_ta_list_lol_exist(ta_number, dev_major_handle, &tid.dev))
04954 {
04955 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_DEV_MASK;
04956
04957 err = rsbac_ta_list_lol_add_ttl(ta_number, dev_major_handle,
04958 0, &tid.dev, &mask);
04959 if(err)
04960 return err;
04961 }
04962 return rsbac_ta_list_lol_subadd_ttl(ta_number, dev_major_handle, ttl, &tid.dev, &desc, &rights);
04963
04964 default:
04965 return -RSBAC_EINVALIDTARGET;
04966 }
04967 }
04968
04969 case T_IPC:
04970 /*
04971 #ifdef CONFIG_RSBAC_DEBUG
04972 if (rsbac_debug_ds_acl)
04973 {
04974 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting IPC ACL for type %u\n",
04975 tid.ipc.type);
04976 }
04977 #endif
04978 */
04979 /* default entry? */
04980 if(tid.ipc.type == I_none)
04981 return rsbac_ta_list_add_ttl(ta_number, default_ipc_handle, ttl, &desc, &rights);
04982 else
04983 return -RSBAC_EINVALIDTARGET;
04984
04985 case T_SCD:
04986 /*
04987 #ifdef CONFIG_RSBAC_DEBUG
04988 if (rsbac_debug_ds_acl)
04989 {
04990 char tmp[80];
04991 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting SCD ACL for %s\n",
04992 get_acl_scd_type_name(tmp, tid.scd));
04993 }
04994 #endif
04995 */
04996 /* default entry? */
04997 if(tid.scd == AST_none)
04998 return rsbac_ta_list_add_ttl(ta_number, default_scd_handle, ttl, &desc, &rights);
04999
05000 if(!rsbac_ta_list_lol_exist(ta_number, scd_handle, &tid.scd))
05001 {
05002 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_SCD_MASK;
05003
05004 err = rsbac_ta_list_lol_add_ttl(ta_number,
05005 scd_handle,
05006 0,
05007 &tid.scd,
05008 &mask);
05009 if(err)
05010 return err;
05011 }
05012 return rsbac_ta_list_lol_subadd_ttl(ta_number, scd_handle, ttl, &tid.scd, &desc, &rights);
05013
05014 case T_USER:
05015 /*
05016 #ifdef CONFIG_RSBAC_DEBUG
05017 if (rsbac_debug_ds_acl)
05018 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting user ACL for user %u\n",
05019 tid.user);
05020 #endif
05021 */
05022 /* default entry? */
05023 if(tid.user == RSBAC_NO_USER)
05024 return rsbac_ta_list_add_ttl(ta_number, default_u_handle, ttl, &desc, &rights);
05025 if(!rsbac_ta_list_lol_exist(ta_number, u_handle, &tid.user))
05026 {
05027 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_U_MASK;
05028
05029 err = rsbac_ta_list_lol_add_ttl(ta_number,
05030 u_handle,
05031 0,
05032 &tid.user,
05033 &mask);
05034 if(err)
05035 return err;
05036 }
05037 return rsbac_ta_list_lol_subadd_ttl(ta_number, u_handle, ttl, &tid.user, &desc, &rights);
05038
05039
05040 case T_PROCESS:
05041 /*
05042 #ifdef CONFIG_RSBAC_DEBUG
05043 if (rsbac_debug_ds_acl)
05044 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting process ACL for pid %u\n",
05045 tid.process);
05046 #endif
05047 */
05048 /* default entry? */
05049 if(!tid.process)
05050 return rsbac_ta_list_add_ttl(ta_number, default_p_handle, ttl, &desc, &rights);
05051 else
05052 return -RSBAC_EINVALIDTARGET;
05053
05054 #ifdef CONFIG_RSBAC_ACL_UM_PROT
05055 case T_GROUP:
05056 /*
05057 #ifdef CONFIG_RSBAC_DEBUG
05058 if (rsbac_debug_ds_acl)
05059 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting group ACL for group %u\n",
05060 tid.group);
05061 #endif
05062 */
05063 /* default entry? */
05064 if(tid.group == RSBAC_NO_GROUP)
05065 return rsbac_ta_list_add_ttl(ta_number, default_g_handle, ttl, &desc, &rights);
05066 if(!rsbac_ta_list_lol_exist(ta_number, g_handle, &tid.group))
05067 {
05068 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_G_MASK;
05069
05070 err = rsbac_ta_list_lol_add_ttl(ta_number,
05071 g_handle,
05072 0,
05073 &tid.group,
05074 &mask);
05075 if(err)
05076 return err;
05077 }
05078 return rsbac_ta_list_lol_subadd_ttl(ta_number, g_handle, ttl, &tid.group, &desc, &rights);
05079 #endif
05080
05081 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
05082 case T_NETDEV:
05083 #ifdef CONFIG_RSBAC_DEBUG
05084 if (rsbac_debug_ds_acl)
05085 {
05086 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network device ACL for netdev %s\n",
05087 tid.netdev);
05088 }
05089 #endif
05090 /* default entry? */
05091 if(!tid.netdev[0])
05092 return rsbac_ta_list_add_ttl(ta_number, default_netdev_handle, ttl, &desc, &rights);
05093
05094 if(!rsbac_ta_list_lol_exist(ta_number, netdev_handle, &tid.netdev))
05095 {
05096 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETDEV_MASK;
05097
05098 err = rsbac_ta_list_lol_add_ttl(ta_number,
05099 netdev_handle,
05100 0,
05101 &tid.netdev,
05102 &mask);
05103 if(err)
05104 return err;
05105 }
05106 return rsbac_ta_list_lol_subadd_ttl(ta_number, netdev_handle, ttl, &tid.netdev, &desc, &rights);
05107 #endif
05108
05109 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
05110 case T_NETTEMP_NT:
05111 #ifdef CONFIG_RSBAC_DEBUG
05112 if (rsbac_debug_ds_acl)
05113 {
05114 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network template NT ACL for nettemp_nt %u\n",
05115 tid.nettemp);
05116 }
05117 #endif
05118 /* default entry? */
05119 if(!tid.nettemp)
05120 return rsbac_ta_list_add_ttl(ta_number, default_nettemp_nt_handle, ttl, &desc, &rights);
05121
05122 if(!rsbac_ta_list_lol_exist(ta_number, nettemp_nt_handle, &tid.nettemp))
05123 {
05124 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETTEMP_MASK;
05125
05126 err = rsbac_ta_list_lol_add_ttl(ta_number,
05127 nettemp_nt_handle,
05128 0,
05129 &tid.nettemp,
05130 &mask);
05131 if(err)
05132 return err;
05133 }
05134 return rsbac_ta_list_lol_subadd_ttl(ta_number, nettemp_nt_handle, ttl, &tid.nettemp, &desc, &rights);
05135
05136 case T_NETTEMP:
05137 #ifdef CONFIG_RSBAC_DEBUG
05138 if (rsbac_debug_ds_acl)
05139 {
05140 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network template ACL for nettemp %u\n",
05141 tid.nettemp);
05142 }
05143 #endif
05144 /* default entry? */
05145 if(!tid.nettemp)
05146 return -RSBAC_EINVALIDTARGET;
05147 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
05148 return -RSBAC_EINVALIDTARGET;
05149
05150 if(!rsbac_ta_list_lol_exist(ta_number, nettemp_handle, &tid.nettemp))
05151 {
05152 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
05153
05154 err = rsbac_ta_list_lol_add_ttl(ta_number,
05155 nettemp_handle,
05156 0,
05157 &tid.nettemp,
05158 &mask);
05159 if(err)
05160 return err;
05161 }
05162 return rsbac_ta_list_lol_subadd_ttl(ta_number, nettemp_handle, ttl, &tid.nettemp, &desc, &rights);
05163
05164 case T_NETOBJ:
05165 #ifdef CONFIG_RSBAC_DEBUG
05166 if (rsbac_debug_ds_acl)
05167 {
05168 rsbac_printk(KERN_DEBUG "rsbac_acl_set_acl_entry(): Setting network object ACL for netobj %p\n",
05169 tid.netobj.sock_p);
05170 }
05171 #endif
05172 /* default entry? */
05173 if(!tid.netobj.sock_p)
05174 return rsbac_ta_list_add_ttl(ta_number, default_netobj_handle, ttl, &desc, &rights);
05175
05176 if(!rsbac_ta_list_lol_exist(ta_number, netobj_handle, &tid.netobj.sock_p))
05177 {
05178 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_NETOBJ_MASK;
05179
05180 err = rsbac_ta_list_lol_add_ttl(ta_number,
05181 netobj_handle,
05182 0,
05183 &tid.netobj.sock_p,
05184 &mask);
05185 if(err)
05186 return err;
05187 }
05188 return rsbac_ta_list_lol_subadd_ttl(ta_number, netobj_handle, ttl, &tid.netobj.sock_p, &desc, &rights);
05189 #endif /* NET_OBJ_PROT */
05190
05191
05192 default:
05193 err = -RSBAC_EINVALIDTARGET;
05194 }
05195 return(err);
05196 }
|
|
||||||||||||||||||||
|
Definition at line 6822 of file acl_data_structures.c. References acl_lookup_device(), AST_none, D_block, D_block_major, D_char, D_char_major, D_none, rsbac_target_id_t::dev, fd_hash(), get_acl_scd_type_name(), rsbac_target_id_t::group, rsbac_acl_device_list_item_t::handles, rsbac_acl_device_list_head_t::lock, rsbac_dev_desc_t::major, rsbac_dev_desc_t::minor, rsbac_target_id_t::netdev, rsbac_target_id_t::netobj, rsbac_target_id_t::nettemp, RSBAC_EINVALIDDEV, RSBAC_EINVALIDTARGET, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), RSBAC_IS_ZERO_DEV_DESC, RSBAC_NO_GROUP, RSBAC_NO_USER, rsbac_printk(), rsbac_ta_list_lol_add_ttl(), rsbac_ta_net_template_exist(), rsbac_target_id_t::scd, rsbac_net_obj_desc_t::sock_p, T_DEV, T_DIR, T_FIFO, T_FILE, T_GROUP, T_NETDEV, T_NETOBJ, T_NETTEMP, T_NETTEMP_NT, T_NONE, T_SCD, T_SYMLINK, T_USER, rsbac_dev_desc_t::type, and rsbac_target_id_t::user. Referenced by rsbac_acl_sys_set_mask(). 06827 {
06828 int err = 0;
06829 int list_no;
06830 struct rsbac_acl_device_list_item_t * device_p;
06831 u_long dflags;
06832
06833 if (!rsbac_is_initialized())
06834 {
06835 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): RSBAC not initialized\n");
06836 return(-RSBAC_ENOTINITIALIZED);
06837 }
06838 if (target >= T_NONE)
06839 return(-RSBAC_EINVALIDTARGET);
06840 #ifdef CONFIG_RSBAC_DEBUG
06841 if (in_interrupt())
06842 {
06843 rsbac_printk(KERN_WARNING "rsbac_acl_set_mask(): called from interrupt!\n");
06844 }
06845 #endif
06846 switch (target)
06847 {
06848 case T_FILE:
06849 case T_DIR:
06850 case T_FIFO:
06851 case T_SYMLINK:
06852 /* default entry? */
06853 if(RSBAC_IS_ZERO_DEV_DESC(tid.dev))
06854 {
06855 return -RSBAC_EINVALIDTARGET;
06856 }
06857 #ifdef CONFIG_RSBAC_DEBUG
06858 if (rsbac_debug_ds_acl)
06859 {
06860 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting file/dir/fifo/symlink inheritance mask for device %02u:%02u, inode %u\n",
06861 RSBAC_MAJOR(tid.file.device), RSBAC_MINOR(tid.file.device), tid.file.inode);
06862 }
06863 #endif
06864 /* wait for read access to device_list_head */
06865 rsbac_read_lock(&device_list_head.lock, &dflags);
06866 /* OK, go on */
06867 /* lookup device */
06868 device_p = acl_lookup_device(tid.file.device);
06869 if (!device_p)
06870 {
06871 /* trigger rsbac_mount() */
06872 rsbac_read_unlock(&device_list_head.lock, &dflags);
06873 rsbac_get_super_block(tid.file.device);
06874 /* retry */
06875 rsbac_read_lock(&device_list_head.lock, &dflags);
06876 device_p = acl_lookup_device(tid.file.device);
06877 if(!device_p)
06878 {
06879 rsbac_printk(KERN_WARNING
06880 "rsbac_acl_set_mask(): Could not lookup device!\n");
06881 /* free read lock */
06882 rsbac_read_unlock(&device_list_head.lock, &dflags);
06883 return(-RSBAC_EINVALIDDEV);
06884 }
06885 }
06886 list_no = fd_hash(tid.file.inode);
06887 err = rsbac_ta_list_lol_add_ttl(ta_number, device_p->handles[list_no],
06888 0, &tid.file.inode, &mask);
06889 rsbac_read_unlock(&device_list_head.lock, &dflags);
06890 /* ready. */
06891 return err;
06892
06893 case T_DEV:
06894 /* default entry? */
06895 if(tid.dev.type == D_none)
06896 {
06897 return -RSBAC_EINVALIDTARGET;
06898 }
06899 #ifdef CONFIG_RSBAC_DEBUG
06900 if (rsbac_debug_ds_acl)
06901 {
06902 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting device inheritance mask for dev %c %02u:%02u\n",
06903 'B'+tid.dev.type,
06904 tid.dev.major,
06905 tid.dev.minor);
06906 }
06907 #endif
06908 switch(tid.dev.type)
06909 {
06910 case D_char:
06911 case D_block:
06912 return rsbac_ta_list_lol_add_ttl(ta_number, dev_handle, 0, &tid.dev, &mask);
06913
06914 case D_char_major:
06915 case D_block_major:
06916 tid.dev.type -= (D_block_major - D_block);
06917 return rsbac_ta_list_lol_add_ttl(ta_number, dev_major_handle, 0, &tid.dev, &mask);
06918
06919 default:
06920 return -RSBAC_EINVALIDTARGET;
06921 }
06922
06923 case T_SCD:
06924 /* default entry? */
06925 if(tid.scd == AST_none)
06926 {
06927 return -RSBAC_EINVALIDTARGET;
06928 }
06929 #ifdef CONFIG_RSBAC_DEBUG
06930 if (rsbac_debug_ds_acl)
06931 {
06932 char tmp[80];
06933
06934 get_acl_scd_type_name(tmp, tid.scd);
06935 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting SCD inheritance mask for %s\n",
06936 tmp);
06937 }
06938 #endif
06939 return rsbac_ta_list_lol_add_ttl(ta_number, scd_handle, 0, &tid.scd, &mask);
06940
06941 case T_USER:
06942 /* default entry? */
06943 if(tid.user == RSBAC_NO_USER)
06944 {
06945 return -RSBAC_EINVALIDTARGET;
06946 }
06947 #ifdef CONFIG_RSBAC_DEBUG
06948 if (rsbac_debug_ds_acl)
06949 {
06950 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting user inheritance mask for user %u\n",
06951 tid.user);
06952 }
06953 #endif
06954 return rsbac_ta_list_lol_add_ttl(ta_number, u_handle, 0, &tid.user, &mask);
06955
06956 #ifdef CONFIG_RSBAC_ACL_UM_PROT
06957 case T_GROUP:
06958 /* default entry? */
06959 if(tid.group == RSBAC_NO_GROUP)
06960 {
06961 return -RSBAC_EINVALIDTARGET;
06962 }
06963 #ifdef CONFIG_RSBAC_DEBUG
06964 if (rsbac_debug_ds_acl)
06965 {
06966 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting Linux group inheritance mask for group %u\n",
06967 tid.group);
06968 }
06969 #endif
06970 return rsbac_ta_list_lol_add_ttl(ta_number, g_handle, 0, &tid.group, &mask);
06971 #endif
06972
06973 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
06974 case T_NETDEV:
06975 /* default entry? */
06976 if(!tid.netdev[0])
06977 {
06978 return -RSBAC_EINVALIDTARGET;
06979 }
06980 #ifdef CONFIG_RSBAC_DEBUG
06981 if (rsbac_debug_ds_acl)
06982 {
06983 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network device inheritance mask for netdev %s\n",
06984 tid.netdev);
06985 }
06986 #endif
06987 return rsbac_ta_list_lol_add_ttl(ta_number, netdev_handle, 0, &tid.netdev, &mask);
06988 #endif
06989
06990 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
06991 case T_NETTEMP_NT:
06992 /* default entry? */
06993 if(!tid.nettemp)
06994 {
06995 return -RSBAC_EINVALIDTARGET;
06996 }
06997 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
06998 return -RSBAC_EINVALIDTARGET;
06999 #ifdef CONFIG_RSBAC_DEBUG
07000 if (rsbac_debug_ds_acl)
07001 {
07002 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network template NT inheritance mask for nettemp %u\n",
07003 tid.nettemp);
07004 }
07005 #endif
07006 return rsbac_ta_list_lol_add_ttl(ta_number, nettemp_nt_handle, 0, &tid.nettemp, &mask);
07007
07008 case T_NETTEMP:
07009 /* default entry? */
07010 if(!tid.nettemp)
07011 {
07012 return -RSBAC_EINVALIDTARGET;
07013 }
07014 if(!rsbac_ta_net_template_exist(ta_number, tid.nettemp))
07015 return -RSBAC_EINVALIDTARGET;
07016 #ifdef CONFIG_RSBAC_DEBUG
07017 if (rsbac_debug_ds_acl)
07018 {
07019 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network template inheritance mask for nettemp %u\n",
07020 tid.nettemp);
07021 }
07022 #endif
07023 return rsbac_ta_list_lol_add_ttl(ta_number, nettemp_handle, 0, &tid.nettemp, &mask);
07024
07025 case T_NETOBJ:
07026 /* default entry? */
07027 if(!tid.netobj.sock_p)
07028 {
07029 return -RSBAC_EINVALIDTARGET;
07030 }
07031 #ifdef CONFIG_RSBAC_DEBUG
07032 if (rsbac_debug_ds_acl)
07033 {
07034 rsbac_printk(KERN_DEBUG "rsbac_acl_set_mask(): Setting network object inheritance mask for netobj %p\n",
07035 tid.netobj.sock_p);
07036 }
07037 #endif
07038 return rsbac_ta_list_lol_add_ttl(ta_number, netobj_handle, 0, &tid.netobj.sock_p, &mask);
07039 #endif /* NET_OBJ_PROT */
07040
07041 default:
07042 err = -RSBAC_EINVALIDTARGET;
07043 }
07044 return(err);
07045 }
|
|
||||||||||||
|
Definition at line 3715 of file acl_data_structures.c. References ACLS_GROUP, ACLS_ROLE, rsbac_acl_device_list_head_t::count, rsbac_acl_device_list_item_t::handles, rsbac_acl_device_list_head_t::head, rsbac_acl_device_list_item_t::id, rsbac_acl_device_list_head_t::lock, rsbac_acl_device_list_item_t::next, NULL, RC_role_max_value, RSBAC_ENOTINITIALIZED, rsbac_get_super_block(), rsbac_is_initialized(), rsbac_list_count(), rsbac_list_exist(), rsbac_list_lol_count(), rsbac_list_lol_get_all_desc(), rsbac_list_lol_get_all_subdesc(), rsbac_list_lol_remove(), rsbac_list_lol_subremove(), rsbac_printk(), and rsbac_vfree. Referenced by rsbac_do_init(), and sys_rsbac_check(). 03716 {
03717 struct rsbac_acl_device_list_item_t * device_p;
03718 u_long f_count = 0, f_sum = 0, tmp_count,
03719 r_count, u_count, b_count, no_member_count;
03720 int list_no;
03721 u_long dflags;
03722 long desc_count;
03723 long sub_desc_count;
03724 rsbac_inode_nr_t * fd_desc_p;
03725 struct rsbac_dev_desc_t * dev_desc_p;
03726 __u8 * scd_desc_p;
03727 rsbac_uid_t * u_desc_p;
03728 #ifdef CONFIG_RSBAC_ACL_UM_PROT
03729 rsbac_gid_t * g_desc_p;
03730 #endif
03731 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
03732 rsbac_netdev_id_t * netdev_desc_p;
03733 #endif
03734 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
03735 rsbac_net_temp_id_t * nettemp_desc_p;
03736 rsbac_net_obj_id_t * netobj_desc_p;
03737 #endif
03738 struct rsbac_acl_entry_desc_t * sub_desc_p;
03739 struct super_block * sb_p;
03740 struct inode * inode_p;
03741 rsbac_uid_t * user_p;
03742 rsbac_acl_group_id_t * group_p;
03743 u_int i,j;
03744
03745 if (!rsbac_is_initialized())
03746 {
03747 rsbac_printk(KERN_WARNING "rsbac_check_acl(): RSBAC not initialized\n");
03748 return(-RSBAC_ENOTINITIALIZED);
03749 }
03750
03751 /* group membership list */
03752 tmp_count = 0;
03753 desc_count = rsbac_list_lol_get_all_desc(gm_handle, (void **) &user_p);
03754 if(desc_count > 0)
03755 {
03756 for(i=0; i<desc_count; i++)
03757 {
03758 sub_desc_count = rsbac_list_lol_get_all_subdesc(gm_handle, &user_p[i], (void **) &group_p);
03759 if(sub_desc_count > 0)
03760 {
03761 for(j=0; j<sub_desc_count; j++)
03762 {
03763 if(!rsbac_list_exist(group_handle, &group_p[j]))
03764 {
03765 rsbac_printk(KERN_WARNING
03766 "rsbac_check_acl(): removing user %u membership in non-existent group %u!\n",
03767 user_p[i], group_p[j]);
03768 rsbac_list_lol_subremove(gm_handle, &user_p[i], &group_p[j]);
03769 }
03770 }
03771 rsbac_vfree(group_p);
03772 }
03773 else
03774 {
03775 /* remove empty membership list */
03776 if(!sub_desc_count)
03777 rsbac_list_lol_remove(gm_handle, &user_p[i]);
03778 }
03779 }
03780 rsbac_vfree(user_p);
03781 }
03782 /* recalculated values! */
03783 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li group membership items\n",
03784 rsbac_list_lol_count(gm_handle));
03785
03786 /* group list */
03787 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li group items\n",
03788 rsbac_list_count(group_handle));
03789
03790 /* wait for read access to device_list_head */
03791 rsbac_read_lock(&device_list_head.lock, &dflags);
03792 /* OK, go on */
03793 /* rsbac_printk(KERN_INFO "rsbac_check_acl(): currently %u processes working on file/dir aci\n",
03794 device_list_head.lock.lock); */
03795 device_p = device_list_head.head;
03796 while (device_p)
03797 { /* for all sublists */
03798 f_count = 0;
03799 r_count = 0;
03800 u_count = 0;
03801 b_count = 0;
03802 no_member_count = 0;
03803 if(check_inode)
03804 {
03805 sb_p = rsbac_get_super_block(device_p->id);
03806 if(!sb_p)
03807 {
03808 rsbac_printk(KERN_WARNING "rsbac_check_acl(): no super block for device %02u:%02u!\n",
03809 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id));
03810 }
03811 }
03812 else
03813 sb_p = NULL;
03814
03815 /* OK, go ahead */
03816 for(list_no = 0; list_no < RSBAC_ACL_NR_FD_LISTS; list_no++)
03817 {
03818 /* rsbac_printk(KERN_INFO "rsbac_check_acl(): list %u\n",
03819 list_no); */
03820 tmp_count = 0;
03821 desc_count = rsbac_list_lol_get_all_desc(device_p->handles[list_no], (void **) &fd_desc_p);
03822 if(desc_count > 0)
03823 {
03824 for(i=0; i<desc_count; i++)
03825 {
03826 /* check for inode on disk (but not for reiserfs, because of 64bit inode numbers) */
03827 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
03828 if(sb_p)
03829 #else
03830 if(sb_p && !sb_p->s_op->read_inode2)
03831 #endif
03832 {
03833 inode_p = iget(sb_p, fd_desc_p[i]);
03834 if(is_bad_inode(inode_p))
03835 { /* inode is bad -> remove */
03836 b_count++;
03837 if(correct)
03838 {
03839 rsbac_printk(KERN_INFO
03840 "rsbac_check_acl(): fd_item for bad inode %u on device %02u:%02u, list %u, removing!\n",
03841 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
03842 rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]);
03843 continue;
03844 }
03845 else
03846 {
03847 rsbac_printk(KERN_INFO
03848 "rsbac_check_acl(): fd_item for bad inode %u on device %02u:%02u, list %u!\n",
03849 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
03850 }
03851 } /* end of bad_inode */
03852 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0)
03853 else
03854 { /* good inode */
03855 /* currently only deletion checking of ext2 inodes is possible */
03856 if(sb_p->s_magic == EXT2_SUPER_MAGIC)
03857 {
03858 if(inode_p->u.ext2_i.i_dtime)
03859 { /* inode has been deleted -> remove */
03860 r_count++;
03861 if(correct)
03862 {
03863 rsbac_printk(KERN_INFO
03864 "rsbac_check_acl(): fd_item for deleted inode %u on device %02u:%02u, list %u, removing!\n",
03865 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
03866 rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]);
03867 continue;
03868 }
03869 else
03870 {
03871 rsbac_printk(KERN_INFO
03872 "rsbac_check_acl(): fd_item for deleted inode %u on device %02u:%02u, list %u!\n",
03873 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
03874 }
03875 }
03876 else
03877 {
03878 if(inode_p->i_nlink <= 0)
03879 { /* inode has been unlinked, but no dtime is set -> warn */
03880 u_count++;
03881 if(correct >= 2)
03882 {
03883 rsbac_printk(KERN_INFO
03884 "rsbac_check_acl(): fd_item for inode %u with nlink <= 0 on device %02u:%02u, list %u, removing!\n",
03885 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
03886 rsbac_list_lol_remove(device_p->handles[list_no], &fd_desc_p[i]);
03887 continue;
03888 }
03889 else
03890 {
03891 rsbac_printk(KERN_INFO
03892 "rsbac_check_acl(): deleted inode %u on device %02u:%02u, list %u, has no dtime!\n",
03893 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no);
03894 }
03895 }
03896 }
03897 }
03898 } /* end of is_good_inode */
03899 #endif /* VERSION < 2.6.0 */
03900 iput(inode_p);
03901 } /* end of sb_p */
03902
03903 /* check for group existence of all ACL entries for groups */
03904 sub_desc_count = rsbac_list_lol_get_all_subdesc(device_p->handles[list_no],
03905 &fd_desc_p[i],
03906 (void **) &sub_desc_p);
03907 if(sub_desc_count > 0)
03908 {
03909 for(j=0; j<sub_desc_count; j++)
03910 {
03911 if( (sub_desc_p[j].subj_type == ACLS_GROUP)
03912 && sub_desc_p[j].subj_id
03913 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id))
03914 {
03915 if(correct)
03916 {
03917 /* remove sub item and complain */
03918 #ifdef CONFIG_RSBAC_DEBUG
03919 if(rsbac_debug_ds)
03920 {
03921 rsbac_printk(KERN_DEBUG
03922 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid group %u in ACL -> removing entry!\n",
03923 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id);
03924 }
03925 #endif
03926 rsbac_list_lol_subremove(device_p->handles[list_no],
03927 &fd_desc_p[i], &sub_desc_p[j]);
03928 }
03929 else
03930 {
03931 /* complain */
03932 #ifdef CONFIG_RSBAC_DEBUG
03933 if(rsbac_debug_ds)
03934 {
03935 rsbac_printk(KERN_DEBUG
03936 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid group %u in ACL!\n",
03937 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id);
03938 }
03939 #endif
03940 }
03941 }
03942 #if defined(CONFIG_RSBAC_RC)
03943 else
03944 if( (sub_desc_p[j].subj_type == ACLS_ROLE)
03945 && (sub_desc_p[j].subj_id > RC_role_max_value)
03946 )
03947 {
03948 if(correct)
03949 {
03950 /* remove sub item and complain */
03951 #ifdef CONFIG_RSBAC_DEBUG
03952 if(rsbac_debug_ds)
03953 {
03954 rsbac_printk(KERN_DEBUG
03955 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid RC role %u in ACL -> removing entry!\n",
03956 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id);
03957 }
03958 #endif
03959 rsbac_list_lol_subremove(device_p->handles[list_no],
03960 &fd_desc_p[i], &sub_desc_p[j]);
03961 }
03962 else
03963 {
03964 /* complain */
03965 #ifdef CONFIG_RSBAC_DEBUG
03966 if(rsbac_debug_ds)
03967 {
03968 rsbac_printk(KERN_DEBUG
03969 "rsbac_check_acl(): fd_item for inode %u on device %02u:%02u, list %u, has invalid role %u in ACL!\n",
03970 fd_desc_p[i], RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), list_no, sub_desc_p[j].subj_id);
03971 }
03972 #endif
03973 }
03974 }
03975 #endif
03976 }
03977 rsbac_vfree(sub_desc_p);
03978 }
03979 }
03980 tmp_count++;
03981 rsbac_vfree(fd_desc_p);
03982 f_count += desc_count;
03983 }
03984 } /* end of for-fd-list-array */
03985
03986 switch(correct)
03987 {
03988 case 2:
03989 rsbac_printk(KERN_INFO
03990 "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu unlinked inodes, %lu had no members and default mask))\n",
03991 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + u_count + no_member_count,
03992 b_count, r_count, u_count, no_member_count);
03993 break;
03994 case 1:
03995 rsbac_printk(KERN_INFO
03996 "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu removed (%lu bad inodes, %lu dtimed inodes, %lu had no members and default mask), %lu unlinked inodes)\n",
03997 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count, b_count + r_count + no_member_count,
03998 b_count, r_count, no_member_count, u_count);
03999 break;
04000 default:
04001 rsbac_printk(KERN_INFO
04002 "rsbac_check_acl(): Device %02u:%02u has %lu file/dir ACLs (%lu with bad inodes, %lu with dtimed inodes, %lu unlinked inodes, %lu without members and with default mask)\n",
04003 RSBAC_MAJOR(device_p->id), RSBAC_MINOR(device_p->id), f_count,
04004 b_count, r_count, u_count, no_member_count);
04005 }
04006 f_sum += f_count;
04007 /* go on */
04008 device_p = device_p->next;
04009 }
04010 rsbac_printk(KERN_INFO "rsbac_check_acl(): Sum of %u Devices with %lu file/dir ACLs\n",
04011 device_list_head.count, f_sum);
04012 /* free access to device_list_head */
04013 rsbac_read_unlock(&device_list_head.lock, &dflags);
04014
04015 /* dev list */
04016 tmp_count = 0;
04017 desc_count = rsbac_list_lol_get_all_desc(dev_handle, (void **) &dev_desc_p);
04018 if(desc_count > 0)
04019 {
04020 for(i=0; i<desc_count; i++)
04021 {
04022 /* check for group existence of all ACL entries for groups */
04023 sub_desc_count = rsbac_list_lol_get_all_subdesc(dev_handle,
04024 &dev_desc_p[i],
04025 (void **) &sub_desc_p);
04026 if(sub_desc_count > 0)
04027 {
04028 for(j=0; j<sub_desc_count; j++)
04029 {
04030 if( (sub_desc_p[j].subj_type == ACLS_GROUP)
04031 && sub_desc_p[j].subj_id
04032 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id))
04033 {
04034 if(correct)
04035 {
04036 /* remove sub item and complain */
04037 #ifdef CONFIG_RSBAC_DEBUG
04038 if(rsbac_debug_ds)
04039 {
04040 rsbac_printk(KERN_DEBUG
04041 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid group %u in ACL -> removing entry!\n",
04042 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id);
04043 }
04044 #endif
04045 rsbac_list_lol_subremove(dev_handle, &dev_desc_p[i], &sub_desc_p[j]);
04046 }
04047 else
04048 {
04049 #ifdef CONFIG_RSBAC_DEBUG
04050 /* complain */
04051 if(rsbac_debug_ds)
04052 {
04053 rsbac_printk(KERN_DEBUG
04054 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid group %u in ACL!\n",
04055 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id);
04056 }
04057 #endif
04058 }
04059 }
04060 #if defined(CONFIG_RSBAC_RC)
04061 else
04062 if( (sub_desc_p[j].subj_type == ACLS_ROLE)
04063 && (sub_desc_p[j].subj_id > RC_role_max_value)
04064 )
04065 {
04066 if(correct)
04067 {
04068 /* remove sub item and complain */
04069 #ifdef CONFIG_RSBAC_DEBUG
04070 if(rsbac_debug_ds)
04071 {
04072 rsbac_printk(KERN_DEBUG
04073 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid role %u in ACL -> removing entry!\n",
04074 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id);
04075 }
04076 #endif
04077 rsbac_list_lol_subremove(dev_handle, &dev_desc_p[i], &sub_desc_p[j]);
04078 }
04079 else
04080 {
04081 #ifdef CONFIG_RSBAC_DEBUG
04082 /* complain */
04083 if(rsbac_debug_ds)
04084 {
04085 rsbac_printk(KERN_DEBUG
04086 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid role %u in ACL!\n",
04087 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id);
04088 }
04089 #endif
04090 }
04091 }
04092 #endif
04093 }
04094 rsbac_vfree(sub_desc_p);
04095 }
04096 }
04097 rsbac_vfree(dev_desc_p);
04098 f_sum += desc_count;
04099 }
04100 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li device items\n",
04101 desc_count);
04102 tmp_count = 0;
04103 desc_count = rsbac_list_lol_get_all_desc(dev_major_handle, (void **) &dev_desc_p);
04104 if(desc_count > 0)
04105 {
04106 for(i=0; i<desc_count; i++)
04107 {
04108 /* check for group existence of all ACL entries for groups */
04109 sub_desc_count = rsbac_list_lol_get_all_subdesc(dev_major_handle,
04110 &dev_desc_p[i],
04111 (void **) &sub_desc_p);
04112 if(sub_desc_count > 0)
04113 {
04114 for(j=0; j<sub_desc_count; j++)
04115 {
04116 if( (sub_desc_p[j].subj_type == ACLS_GROUP)
04117 && sub_desc_p[j].subj_id
04118 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id))
04119 {
04120 if(correct)
04121 {
04122 /* remove sub item and complain */
04123 #ifdef CONFIG_RSBAC_DEBUG
04124 if(rsbac_debug_ds)
04125 {
04126 rsbac_printk(KERN_DEBUG
04127 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid group %u in ACL -> removing entry!\n",
04128 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id);
04129 }
04130 #endif
04131 rsbac_list_lol_subremove(dev_major_handle, &dev_desc_p[i], &sub_desc_p[j]);
04132 }
04133 else
04134 {
04135 #ifdef CONFIG_RSBAC_DEBUG
04136 /* complain */
04137 if(rsbac_debug_ds)
04138 {
04139 rsbac_printk(KERN_DEBUG
04140 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid group %u in ACL!\n",
04141 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id);
04142 }
04143 #endif
04144 }
04145 }
04146 #if defined(CONFIG_RSBAC_RC)
04147 else
04148 if( (sub_desc_p[j].subj_type == ACLS_ROLE)
04149 && (sub_desc_p[j].subj_id > RC_role_max_value)
04150 )
04151 {
04152 if(correct)
04153 {
04154 /* remove sub item and complain */
04155 #ifdef CONFIG_RSBAC_DEBUG
04156 if(rsbac_debug_ds)
04157 {
04158 rsbac_printk(KERN_DEBUG
04159 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid role %u in ACL -> removing entry!\n",
04160 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id);
04161 }
04162 #endif
04163 rsbac_list_lol_subremove(dev_major_handle, &dev_desc_p[i], &sub_desc_p[j]);
04164 }
04165 else
04166 {
04167 #ifdef CONFIG_RSBAC_DEBUG
04168 /* complain */
04169 if(rsbac_debug_ds)
04170 {
04171 rsbac_printk(KERN_DEBUG
04172 "rsbac_check_acl(): dev_item %c%02u:%02u, has invalid role %u in ACL!\n",
04173 'B'+dev_desc_p[i].type, dev_desc_p[i].major, dev_desc_p[i].minor, sub_desc_p[j].subj_id);
04174 }
04175 #endif
04176 }
04177 }
04178 #endif
04179 }
04180 rsbac_vfree(sub_desc_p);
04181 }
04182 }
04183 rsbac_vfree(dev_desc_p);
04184 f_sum += desc_count;
04185 }
04186 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li device items\n",
04187 desc_count);
04188
04189 /* SCD list */
04190 tmp_count = 0;
04191 desc_count = rsbac_list_lol_get_all_desc(scd_handle, (void **) &scd_desc_p);
04192 if(desc_count > 0)
04193 {
04194 for(i=0; i<desc_count; i++)
04195 {
04196 /* check for group existence of all ACL entries for groups */
04197 sub_desc_count = rsbac_list_lol_get_all_subdesc(scd_handle,
04198 &scd_desc_p[i],
04199 (void **) &sub_desc_p);
04200 if(sub_desc_count > 0)
04201 {
04202 for(j=0; j<sub_desc_count; j++)
04203 {
04204 if( (sub_desc_p[j].subj_type == ACLS_GROUP)
04205 && sub_desc_p[j].subj_id
04206 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id))
04207 {
04208 if(correct)
04209 {
04210 /* remove sub item and complain */
04211 #ifdef CONFIG_RSBAC_DEBUG
04212 if(rsbac_debug_ds)
04213 {
04214 rsbac_printk(KERN_DEBUG
04215 "rsbac_check_acl(): scd_item %u has invalid group %u in ACL -> removing entry!\n",
04216 scd_desc_p[i], sub_desc_p[j].subj_id);
04217 }
04218 #endif
04219 rsbac_list_lol_subremove(scd_handle, &scd_desc_p[i], &sub_desc_p[j]);
04220 }
04221 else
04222 {
04223 #ifdef CONFIG_RSBAC_DEBUG
04224 /* complain */
04225 if(rsbac_debug_ds)
04226 {
04227 rsbac_printk(KERN_DEBUG
04228 "rsbac_check_acl(): scd_item %u has invalid group %u in ACL!\n",
04229 scd_desc_p[i], sub_desc_p[j].subj_id);
04230 }
04231 #endif
04232 }
04233 }
04234 #if defined(CONFIG_RSBAC_RC)
04235 else
04236 if( (sub_desc_p[j].subj_type == ACLS_ROLE)
04237 && (sub_desc_p[j].subj_id > RC_role_max_value)
04238 )
04239 {
04240 if(correct)
04241 {
04242 /* remove sub item and complain */
04243 #ifdef CONFIG_RSBAC_DEBUG
04244 if(rsbac_debug_ds)
04245 {
04246 rsbac_printk(KERN_DEBUG
04247 "rsbac_check_acl(): scd_item %u has invalid role %u in ACL -> removing entry!\n",
04248 scd_desc_p[i], sub_desc_p[j].subj_id);
04249 }
04250 #endif
04251 rsbac_list_lol_subremove(scd_handle, &scd_desc_p[i], &sub_desc_p[j]);
04252 }
04253 else
04254 {
04255 #ifdef CONFIG_RSBAC_DEBUG
04256 /* complain */
04257 if(rsbac_debug_ds)
04258 {
04259 rsbac_printk(KERN_DEBUG
04260 "rsbac_check_acl(): scd_item %u has invalid role %u in ACL!\n",
04261 scd_desc_p[i], sub_desc_p[j].subj_id);
04262 }
04263 #endif
04264 }
04265 }
04266 #endif
04267 }
04268 rsbac_vfree(sub_desc_p);
04269 }
04270 }
04271 rsbac_vfree(scd_desc_p);
04272 f_sum += desc_count;
04273 }
04274 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li SCD items\n",
04275 desc_count);
04276
04277 /* User list */
04278 tmp_count = 0;
04279 desc_count = rsbac_list_lol_get_all_desc(u_handle, (void **) &u_desc_p);
04280 if(desc_count > 0)
04281 {
04282 for(i=0; i<desc_count; i++)
04283 {
04284 /* check for group existence of all ACL entries for groups */
04285 sub_desc_count = rsbac_list_lol_get_all_subdesc(u_handle,
04286 &u_desc_p[i],
04287 (void **) &sub_desc_p);
04288 if(sub_desc_count > 0)
04289 {
04290 for(j=0; j<sub_desc_count; j++)
04291 {
04292 if( (sub_desc_p[j].subj_type == ACLS_GROUP)
04293 && sub_desc_p[j].subj_id
04294 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id))
04295 {
04296 if(correct)
04297 {
04298 /* remove sub item and complain */
04299 #ifdef CONFIG_RSBAC_DEBUG
04300 if(rsbac_debug_ds)
04301 {
04302 rsbac_printk(KERN_DEBUG
04303 "rsbac_check_acl(): u_item %u has invalid group %u in ACL -> removing entry!\n",
04304 u_desc_p[i], sub_desc_p[j].subj_id);
04305 }
04306 #endif
04307 rsbac_list_lol_subremove(u_handle, &u_desc_p[i], &sub_desc_p[j]);
04308 }
04309 else
04310 {
04311 #ifdef CONFIG_RSBAC_DEBUG
04312 /* complain */
04313 if(rsbac_debug_ds)
04314 {
04315 rsbac_printk(KERN_DEBUG
04316 "rsbac_check_acl(): u_item %u has invalid group %u in ACL!\n",
04317 u_desc_p[i], sub_desc_p[j].subj_id);
04318 }
04319 #endif
04320 }
04321 }
04322 #if defined(CONFIG_RSBAC_RC)
04323 else
04324 if( (sub_desc_p[j].subj_type == ACLS_ROLE)
04325 && (sub_desc_p[j].subj_id > RC_role_max_value)
04326 )
04327 {
04328 if(correct)
04329 {
04330 /* remove sub item and complain */
04331 #ifdef CONFIG_RSBAC_DEBUG
04332 if(rsbac_debug_ds)
04333 {
04334 rsbac_printk(KERN_DEBUG
04335 "rsbac_check_acl(): u_item %u has invalid role %u in ACL -> removing entry!\n",
04336 u_desc_p[i], sub_desc_p[j].subj_id);
04337 }
04338 #endif
04339 rsbac_list_lol_subremove(u_handle, &u_desc_p[i], &sub_desc_p[j]);
04340 }
04341 else
04342 {
04343 #ifdef CONFIG_RSBAC_DEBUG
04344 /* complain */
04345 if(rsbac_debug_ds)
04346 {
04347 rsbac_printk(KERN_DEBUG
04348 "rsbac_check_acl(): u_item %u has invalid role %u in ACL!\n",
04349 u_desc_p[i], sub_desc_p[j].subj_id);
04350 }
04351 #endif
04352 }
04353 }
04354 #endif
04355 }
04356 rsbac_vfree(sub_desc_p);
04357 }
04358 }
04359 rsbac_vfree(u_desc_p);
04360 f_sum += desc_count;
04361 }
04362 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li user items\n",
04363 desc_count);
04364
04365 #ifdef CONFIG_RSBAC_ACL_UM_PROT
04366 /* User list */
04367 tmp_count = 0;
04368 desc_count = rsbac_list_lol_get_all_desc(g_handle, (void **) &g_desc_p);
04369 if(desc_count > 0)
04370 {
04371 for(i=0; i<desc_count; i++)
04372 {
04373 /* check for group existence of all ACL entries for groups */
04374 sub_desc_count = rsbac_list_lol_get_all_subdesc(g_handle,
04375 &g_desc_p[i],
04376 (void **) &sub_desc_p);
04377 if(sub_desc_count > 0)
04378 {
04379 for(j=0; j<sub_desc_count; j++)
04380 {
04381 if( (sub_desc_p[j].subj_type == ACLS_GROUP)
04382 && sub_desc_p[j].subj_id
04383 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id))
04384 {
04385 if(correct)
04386 {
04387 /* remove sub item and complain */
04388 #ifdef CONFIG_RSBAC_DEBUG
04389 if(rsbac_debug_ds)
04390 {
04391 rsbac_printk(KERN_DEBUG
04392 "rsbac_check_acl(): g_item %u has invalid group %u in ACL -> removing entry!\n",
04393 g_desc_p[i], sub_desc_p[j].subj_id);
04394 }
04395 #endif
04396 rsbac_list_lol_subremove(g_handle, &g_desc_p[i], &sub_desc_p[j]);
04397 }
04398 else
04399 {
04400 #ifdef CONFIG_RSBAC_DEBUG
04401 /* complain */
04402 if(rsbac_debug_ds)
04403 {
04404 rsbac_printk(KERN_DEBUG
04405 "rsbac_check_acl(): g_item %u has invalid group %u in ACL!\n",
04406 g_desc_p[i], sub_desc_p[j].subj_id);
04407 }
04408 #endif
04409 }
04410 }
04411 #if defined(CONFIG_RSBAC_RC)
04412 else
04413 if( (sub_desc_p[j].subj_type == ACLS_ROLE)
04414 && (sub_desc_p[j].subj_id > RC_role_max_value)
04415 )
04416 {
04417 if(correct)
04418 {
04419 /* remove sub item and complain */
04420 #ifdef CONFIG_RSBAC_DEBUG
04421 if(rsbac_debug_ds)
04422 {
04423 rsbac_printk(KERN_DEBUG
04424 "rsbac_check_acl(): g_item %u has invalid role %u in ACL -> removing entry!\n",
04425 g_desc_p[i], sub_desc_p[j].subj_id);
04426 }
04427 #endif
04428 rsbac_list_lol_subremove(g_handle, &g_desc_p[i], &sub_desc_p[j]);
04429 }
04430 else
04431 {
04432 #ifdef CONFIG_RSBAC_DEBUG
04433 /* complain */
04434 if(rsbac_debug_ds)
04435 {
04436 rsbac_printk(KERN_DEBUG
04437 "rsbac_check_acl(): g_item %u has invalid role %u in ACL!\n",
04438 g_desc_p[i], sub_desc_p[j].subj_id);
04439 }
04440 #endif
04441 }
04442 }
04443 #endif
04444 }
04445 rsbac_vfree(sub_desc_p);
04446 }
04447 }
04448 rsbac_vfree(g_desc_p);
04449 f_sum += desc_count;
04450 }
04451 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li Linux group items\n",
04452 desc_count);
04453 #endif
04454
04455 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
04456 /* netdev list */
04457 tmp_count = 0;
04458 desc_count = rsbac_list_lol_get_all_desc(netdev_handle, (void **) &netdev_desc_p);
04459 if(desc_count > 0)
04460 {
04461 for(i=0; i<desc_count; i++)
04462 {
04463 /* check for group existence of all ACL entries for groups */
04464 sub_desc_count = rsbac_list_lol_get_all_subdesc(netdev_handle,
04465 &netdev_desc_p[i],
04466 (void **) &sub_desc_p);
04467 if(sub_desc_count > 0)
04468 {
04469 for(j=0; j<sub_desc_count; j++)
04470 {
04471 if( (sub_desc_p[j].subj_type == ACLS_GROUP)
04472 && sub_desc_p[j].subj_id
04473 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id))
04474 {
04475 if(correct)
04476 {
04477 /* remove sub item and complain */
04478 #ifdef CONFIG_RSBAC_DEBUG
04479 if(rsbac_debug_ds)
04480 {
04481 rsbac_printk(KERN_DEBUG
04482 "rsbac_check_acl(): netdev_item %s has invalid group %u in ACL -> removing entry!\n",
04483 netdev_desc_p[i], sub_desc_p[j].subj_id);
04484 }
04485 #endif
04486 rsbac_list_lol_subremove(netdev_handle, &netdev_desc_p[i], &sub_desc_p[j]);
04487 }
04488 else
04489 {
04490 #ifdef CONFIG_RSBAC_DEBUG
04491 /* complain */
04492 if(rsbac_debug_ds)
04493 {
04494 rsbac_printk(KERN_DEBUG
04495 "rsbac_check_acl(): netdev_item %s has invalid group %u in ACL!\n",
04496 netdev_desc_p[i], sub_desc_p[j].subj_id);
04497 }
04498 #endif
04499 }
04500 }
04501 #if defined(CONFIG_RSBAC_RC)
04502 else
04503 if( (sub_desc_p[j].subj_type == ACLS_ROLE)
04504 && (sub_desc_p[j].subj_id > RC_role_max_value)
04505 )
04506 {
04507 if(correct)
04508 {
04509 /* remove sub item and complain */
04510 #ifdef CONFIG_RSBAC_DEBUG
04511 if(rsbac_debug_ds)
04512 {
04513 rsbac_printk(KERN_DEBUG
04514 "rsbac_check_acl(): netdev_item %s has invalid role %u in ACL -> removing entry!\n",
04515 netdev_desc_p[i], sub_desc_p[j].subj_id);
04516 }
04517 #endif
04518 rsbac_list_lol_subremove(netdev_handle, &netdev_desc_p[i], &sub_desc_p[j]);
04519 }
04520 else
04521 {
04522 #ifdef CONFIG_RSBAC_DEBUG
04523 /* complain */
04524 if(rsbac_debug_ds)
04525 {
04526 rsbac_printk(KERN_DEBUG
04527 "rsbac_check_acl(): netdev_item %s has invalid role %u in ACL!\n",
04528 netdev_desc_p[i], sub_desc_p[j].subj_id);
04529 }
04530 #endif
04531 }
04532 }
04533 #endif
04534 }
04535 rsbac_vfree(sub_desc_p);
04536 }
04537 }
04538 rsbac_vfree(netdev_desc_p);
04539 f_sum += desc_count;
04540 }
04541 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network device items\n",
04542 desc_count);
04543 #endif /* NET_DEV_PROT */
04544
04545 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
04546 /* nettemp_nt list */
04547 tmp_count = 0;
04548 desc_count = rsbac_list_lol_get_all_desc(nettemp_nt_handle, (void **) &nettemp_desc_p);
04549 if(desc_count > 0)
04550 {
04551 for(i=0; i<desc_count; i++)
04552 {
04553 /* check for group existence of all ACL entries for groups */
04554 sub_desc_count = rsbac_list_lol_get_all_subdesc(nettemp_nt_handle,
04555 &nettemp_desc_p[i],
04556 (void **) &sub_desc_p);
04557 if(sub_desc_count > 0)
04558 {
04559 for(j=0; j<sub_desc_count; j++)
04560 {
04561 if( (sub_desc_p[j].subj_type == ACLS_GROUP)
04562 && sub_desc_p[j].subj_id
04563 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id))
04564 {
04565 if(correct)
04566 {
04567 /* remove sub item and complain */
04568 #ifdef CONFIG_RSBAC_DEBUG
04569 if(rsbac_debug_ds)
04570 {
04571 rsbac_printk(KERN_DEBUG
04572 "rsbac_check_acl(): nettemp_nt_item %u has invalid group %u in ACL -> removing entry!\n",
04573 nettemp_desc_p[i], sub_desc_p[j].subj_id);
04574 }
04575 #endif
04576 rsbac_list_lol_subremove(nettemp_nt_handle, &nettemp_desc_p[i], &sub_desc_p[j]);
04577 }
04578 else
04579 {
04580 #ifdef CONFIG_RSBAC_DEBUG
04581 /* complain */
04582 if(rsbac_debug_ds)
04583 {
04584 rsbac_printk(KERN_DEBUG
04585 "rsbac_check_acl(): nettemp_nt_item %u has invalid group %u in ACL!\n",
04586 nettemp_desc_p[i], sub_desc_p[j].subj_id);
04587 }
04588 #endif
04589 }
04590 }
04591 #if defined(CONFIG_RSBAC_RC)
04592 else
04593 if( (sub_desc_p[j].subj_type == ACLS_ROLE)
04594 && (sub_desc_p[j].subj_id > RC_role_max_value)
04595 )
04596 {
04597 if(correct)
04598 {
04599 /* remove sub item and complain */
04600 #ifdef CONFIG_RSBAC_DEBUG
04601 if(rsbac_debug_ds)
04602 {
04603 rsbac_printk(KERN_DEBUG
04604 "rsbac_check_acl(): nettemp_nt_item %u has invalid role %u in ACL -> removing entry!\n",
04605 nettemp_desc_p[i], sub_desc_p[j].subj_id);
04606 }
04607 #endif
04608 rsbac_list_lol_subremove(nettemp_nt_handle, &nettemp_desc_p[i], &sub_desc_p[j]);
04609 }
04610 else
04611 {
04612 #ifdef CONFIG_RSBAC_DEBUG
04613 /* complain */
04614 if(rsbac_debug_ds)
04615 {
04616 rsbac_printk(KERN_DEBUG
04617 "rsbac_check_acl(): nettemp_nt_item %u has invalid role %u in ACL!\n",
04618 nettemp_desc_p[i], sub_desc_p[j].subj_id);
04619 }
04620 #endif
04621 }
04622 }
04623 #endif
04624 }
04625 rsbac_vfree(sub_desc_p);
04626 }
04627 }
04628 rsbac_vfree(nettemp_desc_p);
04629 f_sum += desc_count;
04630 }
04631 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network template NT items\n",
04632 desc_count);
04633
04634 /* nettemp list */
04635 tmp_count = 0;
04636 desc_count = rsbac_list_lol_get_all_desc(nettemp_handle, (void **) &nettemp_desc_p);
04637 if(desc_count > 0)
04638 {
04639 for(i=0; i<desc_count; i++)
04640 {
04641 /* check for group existence of all ACL entries for groups */
04642 sub_desc_count = rsbac_list_lol_get_all_subdesc(nettemp_handle,
04643 &nettemp_desc_p[i],
04644 (void **) &sub_desc_p);
04645 if(sub_desc_count > 0)
04646 {
04647 for(j=0; j<sub_desc_count; j++)
04648 {
04649 if( (sub_desc_p[j].subj_type == ACLS_GROUP)
04650 && sub_desc_p[j].subj_id
04651 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id))
04652 {
04653 if(correct)
04654 {
04655 /* remove sub item and complain */
04656 #ifdef CONFIG_RSBAC_DEBUG
04657 if(rsbac_debug_ds)
04658 {
04659 rsbac_printk(KERN_DEBUG
04660 "rsbac_check_acl(): nettemp_item %u has invalid group %u in ACL -> removing entry!\n",
04661 nettemp_desc_p[i], sub_desc_p[j].subj_id);
04662 }
04663 #endif
04664 rsbac_list_lol_subremove(nettemp_handle, &nettemp_desc_p[i], &sub_desc_p[j]);
04665 }
04666 else
04667 {
04668 #ifdef CONFIG_RSBAC_DEBUG
04669 /* complain */
04670 if(rsbac_debug_ds)
04671 {
04672 rsbac_printk(KERN_DEBUG
04673 "rsbac_check_acl(): nettemp_item %u has invalid group %u in ACL!\n",
04674 nettemp_desc_p[i], sub_desc_p[j].subj_id);
04675 }
04676 #endif
04677 }
04678 }
04679 #if defined(CONFIG_RSBAC_RC)
04680 else
04681 if( (sub_desc_p[j].subj_type == ACLS_ROLE)
04682 && (sub_desc_p[j].subj_id > RC_role_max_value)
04683 )
04684 {
04685 if(correct)
04686 {
04687 /* remove sub item and complain */
04688 #ifdef CONFIG_RSBAC_DEBUG
04689 if(rsbac_debug_ds)
04690 {
04691 rsbac_printk(KERN_DEBUG
04692 "rsbac_check_acl(): nettemp_item %u has invalid role %u in ACL -> removing entry!\n",
04693 nettemp_desc_p[i], sub_desc_p[j].subj_id);
04694 }
04695 #endif
04696 rsbac_list_lol_subremove(nettemp_handle, &nettemp_desc_p[i], &sub_desc_p[j]);
04697 }
04698 else
04699 {
04700 #ifdef CONFIG_RSBAC_DEBUG
04701 /* complain */
04702 if(rsbac_debug_ds)
04703 {
04704 rsbac_printk(KERN_DEBUG
04705 "rsbac_check_acl(): nettemp_item %u has invalid role %u in ACL!\n",
04706 nettemp_desc_p[i], sub_desc_p[j].subj_id);
04707 }
04708 #endif
04709 }
04710 }
04711 #endif
04712 }
04713 rsbac_vfree(sub_desc_p);
04714 }
04715 }
04716 rsbac_vfree(nettemp_desc_p);
04717 f_sum += desc_count;
04718 }
04719 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network template items\n",
04720 desc_count);
04721
04722 /* netobj list */
04723 tmp_count = 0;
04724 desc_count = rsbac_list_lol_get_all_desc(netobj_handle, (void **) &netobj_desc_p);
04725 if(desc_count > 0)
04726 {
04727 for(i=0; i<desc_count; i++)
04728 {
04729 /* check for group existence of all ACL entries for groups */
04730 sub_desc_count = rsbac_list_lol_get_all_subdesc(netobj_handle,
04731 &netobj_desc_p[i],
04732 (void **) &sub_desc_p);
04733 if(sub_desc_count > 0)
04734 {
04735 for(j=0; j<sub_desc_count; j++)
04736 {
04737 if( (sub_desc_p[j].subj_type == ACLS_GROUP)
04738 && sub_desc_p[j].subj_id
04739 && !rsbac_list_exist(group_handle, &sub_desc_p[j].subj_id))
04740 {
04741 if(correct)
04742 {
04743 /* remove sub item and complain */
04744 #ifdef CONFIG_RSBAC_DEBUG
04745 if(rsbac_debug_ds)
04746 {
04747 rsbac_printk(KERN_DEBUG
04748 "rsbac_check_acl(): netobj_item %p has invalid group %u in ACL -> removing entry!\n",
04749 netobj_desc_p[i], sub_desc_p[j].subj_id);
04750 }
04751 #endif
04752 rsbac_list_lol_subremove(netobj_handle, &netobj_desc_p[i], &sub_desc_p[j]);
04753 }
04754 else
04755 {
04756 #ifdef CONFIG_RSBAC_DEBUG
04757 /* complain */
04758 if(rsbac_debug_ds)
04759 {
04760 rsbac_printk(KERN_DEBUG
04761 "rsbac_check_acl(): netobj_item %p has invalid group %u in ACL!\n",
04762 netobj_desc_p[i], sub_desc_p[j].subj_id);
04763 }
04764 #endif
04765 }
04766 }
04767 #if defined(CONFIG_RSBAC_RC)
04768 else
04769 if( (sub_desc_p[j].subj_type == ACLS_ROLE)
04770 && (sub_desc_p[j].subj_id > RC_role_max_value)
04771 )
04772 {
04773 if(correct)
04774 {
04775 /* remove sub item and complain */
04776 #ifdef CONFIG_RSBAC_DEBUG
04777 if(rsbac_debug_ds)
04778 {
04779 rsbac_printk(KERN_DEBUG
04780 "rsbac_check_acl(): netobj_item %p has invalid role %u in ACL -> removing entry!\n",
04781 netobj_desc_p[i], sub_desc_p[j].subj_id);
04782 }
04783 #endif
04784 rsbac_list_lol_subremove(netobj_handle, &netobj_desc_p[i], &sub_desc_p[j]);
04785 }
04786 else
04787 {
04788 #ifdef CONFIG_RSBAC_DEBUG
04789 /* complain */
04790 if(rsbac_debug_ds)
04791 {
04792 rsbac_printk(KERN_DEBUG
04793 "rsbac_check_acl(): netobj_item %p has invalid role %u in ACL!\n",
04794 netobj_desc_p[i], sub_desc_p[j].subj_id);
04795 }
04796 #endif
04797 }
04798 }
04799 #endif
04800 }
04801 rsbac_vfree(sub_desc_p);
04802 }
04803 }
04804 rsbac_vfree(netobj_desc_p);
04805 f_sum += desc_count;
04806 }
04807 rsbac_printk(KERN_INFO "rsbac_check_acl(): %li network object items\n",
04808 desc_count);
04809 #endif /* NET_OBJ_PROT */
04810
04811 rsbac_printk(KERN_INFO
04812 "rsbac_check_acl(): Total of %lu registered ACLs\n",
04813 f_sum);
04814
04815 return(0);
04816 };
|
|
|
Definition at line 2503 of file acl_data_structures.c. References acl_register_fd_lists(), add_device_item(), rsbac_acl_device_list_head_t::count, create_device_item(), rsbac_acl_device_list_head_t::curr, rsbac_list_lol_info_t::data_size, rsbac_list_info_t::data_size, def_dev_get_conv(), def_fd_get_conv(), def_g_get_conv(), def_ipc_get_conv(), def_netdev_get_conv(), def_netobj_get_conv(), def_nettemp_nt_get_conv(), def_p_get_conv(), def_scd_get_conv(), def_u_get_conv(), rsbac_list_lol_info_t::desc_size, rsbac_list_info_t::desc_size, dev_compare(), dev_get_conv(), dev_get_subconv(), dev_major_compare(), entry_compare(), get_error_name(), group_last_new, rsbac_acl_device_list_head_t::head, rsbac_list_lol_info_t::key, rsbac_list_info_t::key, rsbac_acl_device_list_head_t::lock, rsbac_list_lol_info_t::max_age, rsbac_list_info_t::max_age, netdev_get_conv(), netdev_get_subconv(), nettemp_get_conv(), nettemp_get_subconv(), nettemp_nt_get_conv(), nettemp_nt_get_subconv(), NULL, proc_rsbac_root_p, registration_error(), rsbac_acl_entry_t::rights, RSBAC_ACL_ACMAN_DEV_ENTRY, RSBAC_ACL_ACMAN_FD_ENTRY, RSBAC_ACL_ACMAN_G_ENTRY, RSBAC_ACL_ACMAN_IPC_ENTRY, RSBAC_ACL_ACMAN_NETDEV_ENTRY, RSBAC_ACL_ACMAN_NETOBJ_ENTRY, RSBAC_ACL_ACMAN_NETTEMP_NT_ENTRY, RSBAC_ACL_ACMAN_P_ENTRY, RSBAC_ACL_ACMAN_SCD_ENTRY, RSBAC_ACL_ACMAN_SCD_OTHER_ENTRY, RSBAC_ACL_ACMAN_U_ENTRY, RSBAC_ACL_AUDITOR_SCD_RSBACLOG_ENTRY, RSBAC_ACL_DEF_DEV_FILENAME, RSBAC_ACL_DEF_DEV_LIST_VERSION, RSBAC_ACL_DEF_FD_FILENAME, RSBAC_ACL_DEF_FD_LIST_VERSION, RSBAC_ACL_DEF_G_FILENAME, RSBAC_ACL_DEF_G_LIST_VERSION, RSBAC_ACL_DEF_IPC_FILENAME, RSBAC_ACL_DEF_IPC_LIST_VERSION, RSBAC_ACL_DEF_NETDEV_FILENAME, RSBAC_ACL_DEF_NETDEV_LIST_VERSION, RSBAC_ACL_DEF_NETOBJ_FILENAME, RSBAC_ACL_DEF_NETOBJ_LIST_VERSION, RSBAC_ACL_DEF_NETTEMP_NT_FILENAME, RSBAC_ACL_DEF_NETTEMP_NT_LIST_VERSION, RSBAC_ACL_DEF_P_FILENAME, RSBAC_ACL_DEF_P_LIST_VERSION, RSBAC_ACL_DEF_SCD_FILENAME, RSBAC_ACL_DEF_SCD_LIST_VERSION, RSBAC_ACL_DEF_U_FILENAME, RSBAC_ACL_DEF_U_LIST_VERSION, RSBAC_ACL_DEFAULT_DEV_MASK, RSBAC_ACL_DEFAULT_G_MASK, RSBAC_ACL_DEFAULT_NETDEV_MASK, RSBAC_ACL_DEFAULT_NETOBJ_MASK, RSBAC_ACL_DEFAULT_NETTEMP_MASK, RSBAC_ACL_DEFAULT_SCD_MASK, RSBAC_ACL_DEFAULT_U_MASK, RSBAC_ACL_DEV_FILENAME, RSBAC_ACL_DEV_LIST_VERSION, RSBAC_ACL_DEV_MAJOR_FILENAME, RSBAC_ACL_G_FILENAME, RSBAC_ACL_G_LIST_VERSION, RSBAC_ACL_GENERAL_DEV_ENTRY, RSBAC_ACL_GENERAL_FD_ENTRY, RSBAC_ACL_GENERAL_G_ENTRY, RSBAC_ACL_GENERAL_IPC_ENTRY, RSBAC_ACL_GENERAL_NETDEV_ENTRY, RSBAC_ACL_GENERAL_NETOBJ_ENTRY, RSBAC_ACL_GENERAL_NETTEMP_NT_ENTRY, RSBAC_ACL_GENERAL_P_ENTRY, RSBAC_ACL_GENERAL_SCD_ENTRY, RSBAC_ACL_GENERAL_SCD_NETWORK_ENTRY, RSBAC_ACL_GENERAL_SCD_OTHER_ENTRY, RSBAC_ACL_GENERAL_U_ENTRY, RSBAC_ACL_GM_FILENAME, RSBAC_ACL_GM_VERSION, RSBAC_ACL_GROUP_FILENAME, RSBAC_ACL_GROUP_VERSION, RSBAC_ACL_LIST_KEY, RSBAC_ACL_NETDEV_FILENAME, RSBAC_ACL_NETDEV_LIST_VERSION, RSBAC_ACL_NETOBJ_FILENAME, RSBAC_ACL_NETOBJ_LIST_VERSION, RSBAC_ACL_NETTEMP_FILENAME, RSBAC_ACL_NETTEMP_LIST_VERSION, RSBAC_ACL_NETTEMP_NT_FILENAME, RSBAC_ACL_NETTEMP_NT_LIST_VERSION, RSBAC_ACL_SCD_FILENAME, RSBAC_ACL_SCD_LIST_VERSION, RSBAC_ACL_SYSADM_DEV_ENTRY, RSBAC_ACL_SYSADM_FD_ENTRY, RSBAC_ACL_SYSADM_G_ENTRY, RSBAC_ACL_SYSADM_IPC_ENTRY, RSBAC_ACL_SYSADM_NETDEV_ENTRY, RSBAC_ACL_SYSADM_NETOBJ_ENTRY, RSBAC_ACL_SYSADM_NETTEMP_NT_ENTRY, RSBAC_ACL_SYSADM_P_ENTRY, RSBAC_ACL_SYSADM_SCD_ENTRY, RSBAC_ACL_SYSADM_SCD_OTHER_ENTRY, RSBAC_ACL_SYSADM_U_ENTRY, RSBAC_ACL_U_FILENAME, RSBAC_ACL_U_LIST_VERSION, RSBAC_ECOULDNOTADDDEVICE, RSBAC_EREINIT, rsbac_is_initialized(), rsbac_list_add(), RSBAC_LIST_BACKUP, rsbac_list_compare_u32(), rsbac_list_count(), RSBAC_LIST_DEF_DATA, rsbac_list_get_max_desc(), rsbac_list_lol_add(), rsbac_list_lol_count(), rsbac_list_lol_register(), rsbac_list_lol_subadd(), RSBAC_LIST_PERSIST, rsbac_list_register(), RSBAC_LIST_VERSION, rsbac_no_defaults, rsbac_printk(), rsbac_root_dev, scd_get_conv(), scd_get_subconv(), ST_firewall, ST_ioports, ST_kmem, ST_network, ST_none, ST_other, ST_priority, ST_quota, ST_rlimit, ST_rsbac, ST_rsbaclog, ST_sysfs, ST_time_strucs, rsbac_list_lol_info_t::subdata_size, rsbac_list_lol_info_t::subdesc_size, rsbac_acl_entry_t::subj_id, rsbac_acl_entry_desc_t::subj_id, rsbac_acl_entry_t::subj_type, rsbac_acl_entry_desc_t::subj_type, rsbac_acl_device_list_head_t::tail, rsbac_list_lol_info_t::version, and rsbac_list_info_t::version. Referenced by rsbac_do_init(). 02505 {
02506 int err = 0;
02507 struct rsbac_acl_device_list_item_t * device_p = NULL;
02508 char tmp[80];
02509 u_long flags;
02510 struct proc_dir_entry * tmp_entry_p;
02511 struct rsbac_list_lol_info_t lol_info;
02512 struct rsbac_list_info_t list_info;
02513 rsbac_acl_rights_vector_t def_mask;
02514
02515 if (rsbac_is_initialized())
02516 {
02517 rsbac_printk(KERN_WARNING "rsbac_init_acl(): RSBAC already initialized\n");
02518 return(-RSBAC_EREINIT);
02519 }
02520
02521 /* set rw-spinlocks to unlocked status and init data structures */
02522 rsbac_printk(KERN_INFO "rsbac_init_acl(): Initializing RSBAC: ACL subsystem\n");
02523
02524 /* Init device list */
02525 device_list_head.lock = RW_LOCK_UNLOCKED;
02526 device_list_head.head = NULL;
02527 device_list_head.tail = NULL;
02528 device_list_head.curr = NULL;
02529 device_list_head.count = 0;
02530
02531 /* register ACL lists */
02532 #ifdef CONFIG_RSBAC_DEBUG
02533 if (rsbac_debug_ds_acl)
02534 {
02535 rsbac_printk(KERN_DEBUG "rsbac_init_acl(): Registering lists\n");
02536 }
02537 #endif
02538 device_p = create_device_item(rsbac_root_dev);
02539 if (!device_p)
02540 {
02541 rsbac_printk(KERN_CRIT "rsbac_init_acl(): Could not create device!\n");
02542 return(-RSBAC_ECOULDNOTADDDEVICE);
02543 }
02544 if((err = acl_register_fd_lists(device_p,rsbac_root_dev)))
02545 {
02546 rsbac_printk(KERN_WARNING
02547 "rsbac_init_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n",
02548 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev), get_error_name(tmp,err));
02549 }
02550 /* wait for write access to device_list_head */
02551 rsbac_write_lock_irq(&device_list_head.lock, &flags);
02552 device_p = add_device_item(device_p);
02553 /* device was added, allow access */
02554 rsbac_write_unlock_irq(&device_list_head.lock, &flags);
02555 if (!device_p)
02556 {
02557 rsbac_printk(KERN_CRIT "rsbac_init_acl(): Could not add device!\n");
02558 return(-RSBAC_ECOULDNOTADDDEVICE);
02559 }
02560
02561 list_info.version = RSBAC_ACL_DEF_FD_LIST_VERSION;
02562 list_info.key = RSBAC_ACL_LIST_KEY;
02563 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
02564 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
02565 list_info.max_age = 0;
02566 err = rsbac_list_register(RSBAC_LIST_VERSION,
02567 &default_fd_handle,
02568 &list_info,
02569 #if defined(CONFIG_RSBAC_ACL_BACKUP)
02570 RSBAC_LIST_BACKUP |
02571 #endif
02572 RSBAC_LIST_PERSIST,
02573 entry_compare,
02574 def_fd_get_conv,
02575 NULL,
02576 RSBAC_ACL_DEF_FD_FILENAME,
02577 RSBAC_AUTO_DEV);
02578 if(err)
02579 {
02580 registration_error(err, "default fd");
02581 }
02582 if(!rsbac_no_defaults && !rsbac_list_count(default_fd_handle))
02583 {
02584 struct rsbac_acl_entry_desc_t desc;
02585 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_FD_ENTRY;
02586 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_FD_ENTRY;
02587 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_FD_ENTRY;
02588
02589 rsbac_printk(KERN_WARNING
02590 "rsbac_init_acl(): File/Dir default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02591 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
02592 desc.subj_type = acman_entry.subj_type;
02593 desc.subj_id = acman_entry.subj_id;
02594 rsbac_list_add(default_fd_handle, &desc, &acman_entry.rights);
02595 desc.subj_type = sysadm_entry.subj_type;
02596 desc.subj_id = sysadm_entry.subj_id;
02597 rsbac_list_add(default_fd_handle, &desc, &sysadm_entry.rights);
02598 desc.subj_type = gen_entry.subj_type;
02599 desc.subj_id = gen_entry.subj_id;
02600 rsbac_list_add(default_fd_handle, &desc, &gen_entry.rights);
02601 }
02602
02603 lol_info.version = RSBAC_ACL_DEV_LIST_VERSION;
02604 lol_info.key = RSBAC_ACL_LIST_KEY;
02605 lol_info.desc_size = sizeof(struct rsbac_dev_desc_t);
02606 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
02607 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
02608 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
02609 lol_info.max_age = 0;
02610 def_mask=RSBAC_ACL_DEFAULT_DEV_MASK;
02611 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
02612 &dev_handle,
02613 &lol_info,
02614 #if defined(CONFIG_RSBAC_ACL_BACKUP)
02615 RSBAC_LIST_BACKUP |
02616 #endif
02617 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA,
02618 dev_compare,
02619 entry_compare,
02620 dev_get_conv,
02621 dev_get_subconv,
02622 &def_mask,
02623 NULL,
02624 RSBAC_ACL_DEV_FILENAME,
02625 RSBAC_AUTO_DEV);
02626 if(err)
02627 {
02628 registration_error(err, "dev");
02629 }
02630 lol_info.version = RSBAC_ACL_DEV_LIST_VERSION;
02631 lol_info.key = RSBAC_ACL_LIST_KEY;
02632 lol_info.desc_size = sizeof(struct rsbac_dev_desc_t);
02633 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
02634 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
02635 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
02636 lol_info.max_age = 0;
02637 def_mask=RSBAC_ACL_DEFAULT_DEV_MASK;
02638 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
02639 &dev_major_handle,
02640 &lol_info,
02641 #if defined(CONFIG_RSBAC_ACL_BACKUP)
02642 RSBAC_LIST_BACKUP |
02643 #endif
02644 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA,
02645 dev_major_compare,
02646 entry_compare,
02647 dev_get_conv,
02648 dev_get_subconv,
02649 &def_mask,
02650 NULL,
02651 RSBAC_ACL_DEV_MAJOR_FILENAME,
02652 RSBAC_AUTO_DEV);
02653 if(err)
02654 {
02655 registration_error(err, "dev major");
02656 }
02657 list_info.version = RSBAC_ACL_DEF_DEV_LIST_VERSION;
02658 list_info.key = RSBAC_ACL_LIST_KEY;
02659 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
02660 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
02661 list_info.max_age = 0;
02662 err = rsbac_list_register(RSBAC_LIST_VERSION,
02663 &default_dev_handle,
02664 &list_info,
02665 #if defined(CONFIG_RSBAC_ACL_BACKUP)
02666 RSBAC_LIST_BACKUP |
02667 #endif
02668 RSBAC_LIST_PERSIST,
02669 entry_compare,
02670 def_dev_get_conv,
02671 NULL,
02672 RSBAC_ACL_DEF_DEV_FILENAME,
02673 RSBAC_AUTO_DEV);
02674 if(err)
02675 {
02676 registration_error(err, "default dev");
02677 }
02678 if(!rsbac_no_defaults && !rsbac_list_count(default_dev_handle))
02679 {
02680 struct rsbac_acl_entry_desc_t desc;
02681 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_DEV_ENTRY;
02682 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_DEV_ENTRY;
02683 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_DEV_ENTRY;
02684
02685 rsbac_printk(KERN_WARNING
02686 "rsbac_init_acl(): Device default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02687 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
02688 desc.subj_type = acman_entry.subj_type;
02689 desc.subj_id = acman_entry.subj_id;
02690 rsbac_list_add(default_dev_handle, &desc, &acman_entry.rights);
02691 desc.subj_type = sysadm_entry.subj_type;
02692 desc.subj_id = sysadm_entry.subj_id;
02693 rsbac_list_add(default_dev_handle, &desc, &sysadm_entry.rights);
02694 desc.subj_type = gen_entry.subj_type;
02695 desc.subj_id = gen_entry.subj_id;
02696 rsbac_list_add(default_dev_handle, &desc, &gen_entry.rights);
02697 }
02698
02699 list_info.version = RSBAC_ACL_DEF_IPC_LIST_VERSION;
02700 list_info.key = RSBAC_ACL_LIST_KEY;
02701 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
02702 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
02703 list_info.max_age = 0;
02704 err = rsbac_list_register(RSBAC_LIST_VERSION,
02705 &default_ipc_handle,
02706 &list_info,
02707 #if defined(CONFIG_RSBAC_ACL_BACKUP)
02708 RSBAC_LIST_BACKUP |
02709 #endif
02710 RSBAC_LIST_PERSIST,
02711 entry_compare,
02712 def_ipc_get_conv,
02713 NULL,
02714 RSBAC_ACL_DEF_IPC_FILENAME,
02715 RSBAC_AUTO_DEV);
02716 if(err)
02717 {
02718 registration_error(err, "default ipc");
02719 }
02720 if(!rsbac_no_defaults && !rsbac_list_count(default_ipc_handle))
02721 {
02722 struct rsbac_acl_entry_desc_t desc;
02723 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_IPC_ENTRY;
02724 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_IPC_ENTRY;
02725 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_IPC_ENTRY;
02726
02727 rsbac_printk(KERN_WARNING
02728 "rsbac_init_acl(): IPC default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02729 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
02730 desc.subj_type = acman_entry.subj_type;
02731 desc.subj_id = acman_entry.subj_id;
02732 rsbac_list_add(default_ipc_handle, &desc, &acman_entry.rights);
02733 desc.subj_type = sysadm_entry.subj_type;
02734 desc.subj_id = sysadm_entry.subj_id;
02735 rsbac_list_add(default_ipc_handle, &desc, &sysadm_entry.rights);
02736 desc.subj_type = gen_entry.subj_type;
02737 desc.subj_id = gen_entry.subj_id;
02738 rsbac_list_add(default_ipc_handle, &desc, &gen_entry.rights);
02739 }
02740
02741 lol_info.version = RSBAC_ACL_SCD_LIST_VERSION;
02742 lol_info.key = RSBAC_ACL_LIST_KEY;
02743 lol_info.desc_size = sizeof(__u8);
02744 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
02745 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
02746 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
02747 lol_info.max_age = 0;
02748 def_mask=RSBAC_ACL_DEFAULT_SCD_MASK;
02749 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
02750 &scd_handle,
02751 &lol_info,
02752 #if defined(CONFIG_RSBAC_ACL_BACKUP)
02753 RSBAC_LIST_BACKUP |
02754 #endif
02755 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA,
02756 NULL,
02757 entry_compare,
02758 scd_get_conv,
02759 scd_get_subconv,
02760 &def_mask,
02761 NULL,
02762 RSBAC_ACL_SCD_FILENAME,
02763 RSBAC_AUTO_DEV);
02764 if(err)
02765 {
02766 registration_error(err, "scd");
02767 }
02768 if(!rsbac_no_defaults && !rsbac_list_lol_count(scd_handle))
02769 {
02770 struct rsbac_acl_entry_desc_t desc;
02771 rsbac_acl_rights_vector_t mask = RSBAC_ACL_DEFAULT_SCD_MASK;
02772 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_SCD_ENTRY;
02773 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM
02774 struct rsbac_acl_entry_t gen_ioports_entry = RSBAC_ACL_GENERAL_SCD_IOPORTS_ENTRY;
02775 #endif
02776 struct rsbac_acl_entry_t gen_other_entry = RSBAC_ACL_GENERAL_SCD_OTHER_ENTRY;
02777 struct rsbac_acl_entry_t gen_network_entry = RSBAC_ACL_GENERAL_SCD_NETWORK_ENTRY;
02778 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_SCD_ENTRY;
02779 struct rsbac_acl_entry_t sysadm_other_entry = RSBAC_ACL_SYSADM_SCD_OTHER_ENTRY;
02780 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM
02781 struct rsbac_acl_entry_t sysadm_kmem_entry = RSBAC_ACL_SYSADM_SCD_KMEM_ENTRY;
02782 #endif
02783 struct rsbac_acl_entry_t acman_other_entry = RSBAC_ACL_ACMAN_SCD_OTHER_ENTRY;
02784 struct rsbac_acl_entry_t auditor_rsbaclog_entry = RSBAC_ACL_AUDITOR_SCD_RSBACLOG_ENTRY;
02785 __u8 scd;
02786
02787 rsbac_printk(KERN_WARNING
02788 "rsbac_init_acl(): SCD ACLs empty on dev %02u:%02u, generating standard entries!\n",
02789 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
02790 scd = ST_rlimit;
02791 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02792 {
02793 desc.subj_type = gen_entry.subj_type;
02794 desc.subj_id = gen_entry.subj_id;
02795 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &gen_entry.rights);
02796 }
02797 for(scd=ST_time_strucs; scd<=ST_rsbac; scd++)
02798 {
02799 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02800 {
02801 desc.subj_type = sysadm_entry.subj_type;
02802 desc.subj_id = sysadm_entry.subj_id;
02803 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights);
02804 }
02805 }
02806 scd = ST_rsbaclog;
02807 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02808 {
02809 desc.subj_type = auditor_rsbaclog_entry.subj_type;
02810 desc.subj_id = auditor_rsbaclog_entry.subj_id;
02811 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &auditor_rsbaclog_entry.rights);
02812 }
02813 scd=ST_network;
02814 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02815 {
02816 desc.subj_type = sysadm_entry.subj_type;
02817 desc.subj_id = sysadm_entry.subj_id;
02818 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights);
02819 desc.subj_type = gen_network_entry.subj_type;
02820 desc.subj_id = gen_network_entry.subj_id;
02821 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &gen_network_entry.rights);
02822 }
02823 scd=ST_firewall;
02824 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02825 {
02826 desc.subj_type = sysadm_entry.subj_type;
02827 desc.subj_id = sysadm_entry.subj_id;
02828 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights);
02829 desc.subj_type = gen_network_entry.subj_type;
02830 desc.subj_id = gen_network_entry.subj_id;
02831 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &gen_network_entry.rights);
02832 }
02833 scd=ST_priority;
02834 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02835 {
02836 desc.subj_type = sysadm_entry.subj_type;
02837 desc.subj_id = sysadm_entry.subj_id;
02838 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights);
02839 }
02840 scd=ST_sysfs;
02841 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02842 {
02843 desc.subj_type = sysadm_entry.subj_type;
02844 desc.subj_id = sysadm_entry.subj_id;
02845 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights);
02846 }
02847 for(scd = ST_quota; scd < ST_none; scd++)
02848 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02849 {
02850 desc.subj_type = sysadm_entry.subj_type;
02851 desc.subj_id = sysadm_entry.subj_id;
02852 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_entry.rights);
02853 }
02854 #ifdef CONFIG_RSBAC_USER_MOD_IOPERM
02855 scd = ST_ioports;
02856 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02857 {
02858 desc.subj_type = gen_ioports_entry.subj_type;
02859 desc.subj_id = gen_ioports_entry.subj_id;
02860 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &gen_ioports_entry.rights);
02861 }
02862 scd = ST_kmem;
02863 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02864 {
02865 desc.subj_type = sysadm_kmem_entry.subj_type;
02866 desc.subj_id = sysadm_kmem_entry.subj_id;
02867 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_kmem_entry.rights);
02868 }
02869 #endif
02870
02871 scd = ST_other;
02872 if(!rsbac_list_lol_add(scd_handle, &scd, &mask))
02873 {
02874 desc.subj_type = sysadm_other_entry.subj_type;
02875 desc.subj_id = sysadm_other_entry.subj_id;
02876 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &sysadm_other_entry.rights);
02877 desc.subj_type = acman_other_entry.subj_type;
02878 desc.subj_id = acman_other_entry.subj_id;
02879 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &acman_other_entry.rights);
02880 desc.subj_type = gen_other_entry.subj_type;
02881 desc.subj_id = gen_other_entry.subj_id;
02882 rsbac_list_lol_subadd(scd_handle, &scd, &desc, &gen_other_entry.rights);
02883 }
02884 }
02885
02886 list_info.version = RSBAC_ACL_DEF_SCD_LIST_VERSION;
02887 list_info.key = RSBAC_ACL_LIST_KEY;
02888 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
02889 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
02890 list_info.max_age = 0;
02891 err = rsbac_list_register(RSBAC_LIST_VERSION,
02892 &default_scd_handle,
02893 &list_info,
02894 #if defined(CONFIG_RSBAC_ACL_BACKUP)
02895 RSBAC_LIST_BACKUP |
02896 #endif
02897 RSBAC_LIST_PERSIST,
02898 entry_compare,
02899 def_scd_get_conv,
02900 NULL,
02901 RSBAC_ACL_DEF_SCD_FILENAME,
02902 RSBAC_AUTO_DEV);
02903 if(err)
02904 {
02905 registration_error(err, "default scd");
02906 }
02907 if(!rsbac_no_defaults && !rsbac_list_count(default_scd_handle))
02908 {
02909 struct rsbac_acl_entry_desc_t desc;
02910 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_SCD_ENTRY;
02911
02912 rsbac_printk(KERN_WARNING
02913 "rsbac_init_acl(): SCD default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02914 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
02915 desc.subj_type = acman_entry.subj_type;
02916 desc.subj_id = acman_entry.subj_id;
02917 rsbac_list_add(default_scd_handle, &desc, &acman_entry.rights);
02918 }
02919
02920 lol_info.version = RSBAC_ACL_U_LIST_VERSION;
02921 lol_info.key = RSBAC_ACL_LIST_KEY;
02922 lol_info.desc_size = sizeof(rsbac_uid_t);
02923 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
02924 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
02925 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
02926 lol_info.max_age = 0;
02927 def_mask=RSBAC_ACL_DEFAULT_U_MASK;
02928 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
02929 &u_handle,
02930 &lol_info,
02931 #if defined(CONFIG_RSBAC_ACL_BACKUP)
02932 RSBAC_LIST_BACKUP |
02933 #endif
02934 RSBAC_LIST_PERSIST,
02935 rsbac_list_compare_u32,
02936 entry_compare,
02937 NULL,
02938 NULL,
02939 &def_mask,
02940 NULL,
02941 RSBAC_ACL_U_FILENAME,
02942 RSBAC_AUTO_DEV);
02943 if(err)
02944 {
02945 registration_error(err, "user");
02946 }
02947 list_info.version = RSBAC_ACL_DEF_U_LIST_VERSION;
02948 list_info.key = RSBAC_ACL_LIST_KEY;
02949 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
02950 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
02951 list_info.max_age = 0;
02952 err = rsbac_list_register(RSBAC_LIST_VERSION,
02953 &default_u_handle,
02954 &list_info,
02955 #if defined(CONFIG_RSBAC_ACL_BACKUP)
02956 RSBAC_LIST_BACKUP |
02957 #endif
02958 RSBAC_LIST_PERSIST,
02959 entry_compare,
02960 def_u_get_conv,
02961 NULL,
02962 RSBAC_ACL_DEF_U_FILENAME,
02963 RSBAC_AUTO_DEV);
02964 if(err)
02965 {
02966 registration_error(err, "default user");
02967 }
02968 if(!rsbac_no_defaults && !rsbac_list_count(default_u_handle))
02969 {
02970 struct rsbac_acl_entry_desc_t desc;
02971 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_U_ENTRY;
02972 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_U_ENTRY;
02973 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_U_ENTRY;
02974
02975 rsbac_printk(KERN_WARNING
02976 "rsbac_init_acl(): User default ACL empty on dev %02u:%02u, generating standard ACL!\n",
02977 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
02978 desc.subj_type = sysadm_entry.subj_type;
02979 desc.subj_id = sysadm_entry.subj_id;
02980 rsbac_list_add(default_u_handle, &desc, &sysadm_entry.rights);
02981 desc.subj_type = acman_entry.subj_type;
02982 desc.subj_id = acman_entry.subj_id;
02983 rsbac_list_add(default_u_handle, &desc, &acman_entry.rights);
02984 desc.subj_type = gen_entry.subj_type;
02985 desc.subj_id = gen_entry.subj_id;
02986 rsbac_list_add(default_u_handle, &desc, &gen_entry.rights);
02987 }
02988
02989 list_info.version = RSBAC_ACL_DEF_P_LIST_VERSION;
02990 list_info.key = RSBAC_ACL_LIST_KEY;
02991 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
02992 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
02993 list_info.max_age = 0;
02994 err = rsbac_list_register(RSBAC_LIST_VERSION,
02995 &default_p_handle,
02996 &list_info,
02997 #if defined(CONFIG_RSBAC_ACL_BACKUP)
02998 RSBAC_LIST_BACKUP |
02999 #endif
03000 RSBAC_LIST_PERSIST,
03001 entry_compare,
03002 def_p_get_conv,
03003 NULL,
03004 RSBAC_ACL_DEF_P_FILENAME,
03005 RSBAC_AUTO_DEV);
03006 if(err)
03007 {
03008 registration_error(err, "default process");
03009 }
03010 if(!rsbac_no_defaults && !rsbac_list_count(default_p_handle))
03011 {
03012 struct rsbac_acl_entry_desc_t desc;
03013 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_P_ENTRY;
03014 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_P_ENTRY;
03015 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_P_ENTRY;
03016
03017 rsbac_printk(KERN_WARNING
03018 "rsbac_init_acl(): Process default ACL empty on dev %02u:%02u, generating standard ACL!\n",
03019 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
03020 desc.subj_type = sysadm_entry.subj_type;
03021 desc.subj_id = sysadm_entry.subj_id;
03022 rsbac_list_add(default_p_handle, &desc, &sysadm_entry.rights);
03023 desc.subj_type = acman_entry.subj_type;
03024 desc.subj_id = acman_entry.subj_id;
03025 rsbac_list_add(default_p_handle, &desc, &acman_entry.rights);
03026 desc.subj_type = gen_entry.subj_type;
03027 desc.subj_id = gen_entry.subj_id;
03028 rsbac_list_add(default_p_handle, &desc, &gen_entry.rights);
03029 }
03030
03031 #ifdef CONFIG_RSBAC_ACL_UM_PROT
03032 lol_info.version = RSBAC_ACL_G_LIST_VERSION;
03033 lol_info.key = RSBAC_ACL_LIST_KEY;
03034 lol_info.desc_size = sizeof(rsbac_gid_t);
03035 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03036 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
03037 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
03038 lol_info.max_age = 0;
03039 def_mask=RSBAC_ACL_DEFAULT_G_MASK;
03040 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
03041 &g_handle,
03042 &lol_info,
03043 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03044 RSBAC_LIST_BACKUP |
03045 #endif
03046 RSBAC_LIST_PERSIST,
03047 rsbac_list_compare_u32,
03048 entry_compare,
03049 NULL,
03050 NULL,
03051 &def_mask,
03052 NULL,
03053 RSBAC_ACL_G_FILENAME,
03054 RSBAC_AUTO_DEV);
03055 if(err)
03056 {
03057 registration_error(err, "Linux group");
03058 }
03059 list_info.version = RSBAC_ACL_DEF_G_LIST_VERSION;
03060 list_info.key = RSBAC_ACL_LIST_KEY;
03061 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
03062 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
03063 list_info.max_age = 0;
03064 err = rsbac_list_register(RSBAC_LIST_VERSION,
03065 &default_g_handle,
03066 &list_info,
03067 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03068 RSBAC_LIST_BACKUP |
03069 #endif
03070 RSBAC_LIST_PERSIST,
03071 entry_compare,
03072 def_g_get_conv,
03073 NULL,
03074 RSBAC_ACL_DEF_G_FILENAME,
03075 RSBAC_AUTO_DEV);
03076 if(err)
03077 {
03078 registration_error(err, "default Linux group");
03079 }
03080 if(!rsbac_no_defaults && !rsbac_list_count(default_g_handle))
03081 {
03082 struct rsbac_acl_entry_desc_t desc;
03083 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_G_ENTRY;
03084 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_G_ENTRY;
03085 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_G_ENTRY;
03086
03087 rsbac_printk(KERN_WARNING
03088 "rsbac_init_acl(): Linux group default ACL empty on dev %02u:%02u, generating standard ACL!\n",
03089 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
03090 desc.subj_type = sysadm_entry.subj_type;
03091 desc.subj_id = sysadm_entry.subj_id;
03092 rsbac_list_add(default_g_handle, &desc, &sysadm_entry.rights);
03093 desc.subj_type = acman_entry.subj_type;
03094 desc.subj_id = acman_entry.subj_id;
03095 rsbac_list_add(default_g_handle, &desc, &acman_entry.rights);
03096 desc.subj_type = gen_entry.subj_type;
03097 desc.subj_id = gen_entry.subj_id;
03098 rsbac_list_add(default_g_handle, &desc, &gen_entry.rights);
03099 }
03100 #endif
03101
03102 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
03103 lol_info.version = RSBAC_ACL_NETDEV_LIST_VERSION;
03104 lol_info.key = RSBAC_ACL_LIST_KEY;
03105 lol_info.desc_size = sizeof(rsbac_netdev_id_t);
03106 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03107 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
03108 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
03109 lol_info.max_age = 0;
03110 def_mask=RSBAC_ACL_DEFAULT_NETDEV_MASK;
03111 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
03112 &netdev_handle,
03113 &lol_info,
03114 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03115 RSBAC_LIST_BACKUP |
03116 #endif
03117 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA,
03118 netdev_compare,
03119 entry_compare,
03120 netdev_get_conv,
03121 netdev_get_subconv,
03122 &def_mask,
03123 NULL,
03124 RSBAC_ACL_NETDEV_FILENAME,
03125 RSBAC_AUTO_DEV);
03126 if(err)
03127 {
03128 registration_error(err, "netdev");
03129 }
03130 list_info.version = RSBAC_ACL_DEF_NETDEV_LIST_VERSION;
03131 list_info.key = RSBAC_ACL_LIST_KEY;
03132 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
03133 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
03134 list_info.max_age = 0;
03135 err = rsbac_list_register(RSBAC_LIST_VERSION,
03136 &default_netdev_handle,
03137 &list_info,
03138 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03139 RSBAC_LIST_BACKUP |
03140 #endif
03141 RSBAC_LIST_PERSIST,
03142 entry_compare,
03143 def_netdev_get_conv,
03144 NULL,
03145 RSBAC_ACL_DEF_NETDEV_FILENAME,
03146 RSBAC_AUTO_DEV);
03147 if(err)
03148 {
03149 registration_error(err, "default netdev");
03150 }
03151 if(!rsbac_no_defaults && !rsbac_list_count(default_netdev_handle))
03152 {
03153 struct rsbac_acl_entry_desc_t desc;
03154 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_NETDEV_ENTRY;
03155 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_NETDEV_ENTRY;
03156 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_NETDEV_ENTRY;
03157
03158 rsbac_printk(KERN_WARNING
03159 "rsbac_init_acl(): Network Device default ACL empty on dev %02u:%02u, generating standard ACL!\n",
03160 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
03161 desc.subj_type = acman_entry.subj_type;
03162 desc.subj_id = acman_entry.subj_id;
03163 rsbac_list_add(default_netdev_handle, &desc, &acman_entry.rights);
03164 desc.subj_type = sysadm_entry.subj_type;
03165 desc.subj_id = sysadm_entry.subj_id;
03166 rsbac_list_add(default_netdev_handle, &desc, &sysadm_entry.rights);
03167 desc.subj_type = gen_entry.subj_type;
03168 desc.subj_id = gen_entry.subj_id;
03169 rsbac_list_add(default_netdev_handle, &desc, &gen_entry.rights);
03170 }
03171 #endif
03172
03173 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
03174 lol_info.version = RSBAC_ACL_NETTEMP_NT_LIST_VERSION;
03175 lol_info.key = RSBAC_ACL_LIST_KEY;
03176 lol_info.desc_size = sizeof(rsbac_net_temp_id_t);
03177 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03178 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
03179 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
03180 lol_info.max_age = 0;
03181 def_mask=RSBAC_ACL_DEFAULT_NETTEMP_MASK;
03182 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
03183 &nettemp_nt_handle,
03184 &lol_info,
03185 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03186 RSBAC_LIST_BACKUP |
03187 #endif
03188 RSBAC_LIST_PERSIST,
03189 rsbac_list_compare_u32,
03190 entry_compare,
03191 nettemp_nt_get_conv,
03192 nettemp_nt_get_subconv,
03193 &def_mask,
03194 NULL,
03195 RSBAC_ACL_NETTEMP_NT_FILENAME,
03196 RSBAC_AUTO_DEV);
03197 if(err)
03198 {
03199 registration_error(err, "nettemp_nt");
03200 }
03201 list_info.version = RSBAC_ACL_DEF_NETTEMP_NT_LIST_VERSION;
03202 list_info.key = RSBAC_ACL_LIST_KEY;
03203 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
03204 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
03205 list_info.max_age = 0;
03206 err = rsbac_list_register(RSBAC_LIST_VERSION,
03207 &default_nettemp_nt_handle,
03208 &list_info,
03209 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03210 RSBAC_LIST_BACKUP |
03211 #endif
03212 RSBAC_LIST_PERSIST,
03213 entry_compare,
03214 def_nettemp_nt_get_conv,
03215 NULL,
03216 RSBAC_ACL_DEF_NETTEMP_NT_FILENAME,
03217 RSBAC_AUTO_DEV);
03218 if(err)
03219 {
03220 registration_error(err, "default nettemp_nt");
03221 }
03222 if(!rsbac_no_defaults && !rsbac_list_count(default_nettemp_nt_handle))
03223 {
03224 struct rsbac_acl_entry_desc_t desc;
03225 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_NETTEMP_NT_ENTRY;
03226 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_NETTEMP_NT_ENTRY;
03227 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_NETTEMP_NT_ENTRY;
03228
03229 rsbac_printk(KERN_WARNING
03230 "rsbac_init_acl(): Network Template NT (template protection) default ACL empty on dev %02u:%02u, generating standard ACL!\n",
03231 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
03232 desc.subj_type = acman_entry.subj_type;
03233 desc.subj_id = acman_entry.subj_id;
03234 rsbac_list_add(default_nettemp_nt_handle, &desc, &acman_entry.rights);
03235 desc.subj_type = sysadm_entry.subj_type;
03236 desc.subj_id = sysadm_entry.subj_id;
03237 rsbac_list_add(default_nettemp_nt_handle, &desc, &sysadm_entry.rights);
03238 desc.subj_type = gen_entry.subj_type;
03239 desc.subj_id = gen_entry.subj_id;
03240 rsbac_list_add(default_nettemp_nt_handle, &desc, &gen_entry.rights);
03241 }
03242 lol_info.version = RSBAC_ACL_NETTEMP_LIST_VERSION;
03243 lol_info.key = RSBAC_ACL_LIST_KEY;
03244 lol_info.desc_size = sizeof(rsbac_net_temp_id_t);
03245 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03246 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
03247 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
03248 lol_info.max_age = 0;
03249 def_mask=RSBAC_ACL_DEFAULT_NETOBJ_MASK;
03250 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
03251 &nettemp_handle,
03252 &lol_info,
03253 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03254 RSBAC_LIST_BACKUP |
03255 #endif
03256 RSBAC_LIST_PERSIST,
03257 rsbac_list_compare_u32,
03258 entry_compare,
03259 nettemp_get_conv,
03260 nettemp_get_subconv,
03261 &def_mask,
03262 NULL,
03263 RSBAC_ACL_NETTEMP_FILENAME,
03264 RSBAC_AUTO_DEV);
03265 if(err)
03266 {
03267 registration_error(err, "nettemp");
03268 }
03269 lol_info.version = RSBAC_ACL_NETOBJ_LIST_VERSION;
03270 lol_info.key = RSBAC_ACL_LIST_KEY;
03271 lol_info.desc_size = sizeof(rsbac_net_obj_id_t);
03272 lol_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* mask */
03273 lol_info.subdesc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
03274 lol_info.subdata_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
03275 lol_info.max_age = 0;
03276 def_mask=RSBAC_ACL_DEFAULT_NETOBJ_MASK;
03277 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
03278 &netobj_handle,
03279 &lol_info,
03280 0,
03281 rsbac_list_compare_u32,
03282 entry_compare,
03283 NULL,
03284 NULL,
03285 &def_mask,
03286 NULL,
03287 RSBAC_ACL_NETOBJ_FILENAME,
03288 RSBAC_AUTO_DEV);
03289 if(err)
03290 {
03291 registration_error(err, "netobj");
03292 }
03293 list_info.version = RSBAC_ACL_DEF_NETOBJ_LIST_VERSION;
03294 list_info.key = RSBAC_ACL_LIST_KEY;
03295 list_info.desc_size = sizeof(struct rsbac_acl_entry_desc_t); /* subj_type + subj_id */
03296 list_info.data_size = sizeof(rsbac_acl_rights_vector_t); /* rights */
03297 list_info.max_age = 0;
03298 err = rsbac_list_register(RSBAC_LIST_VERSION,
03299 &default_netobj_handle,
03300 &list_info,
03301 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03302 RSBAC_LIST_BACKUP |
03303 #endif
03304 RSBAC_LIST_PERSIST,
03305 entry_compare,
03306 def_netobj_get_conv,
03307 NULL,
03308 RSBAC_ACL_DEF_NETOBJ_FILENAME,
03309 RSBAC_AUTO_DEV);
03310 if(err)
03311 {
03312 registration_error(err, "default netobj");
03313 }
03314 if(!rsbac_no_defaults && !rsbac_list_count(default_netobj_handle))
03315 {
03316 struct rsbac_acl_entry_desc_t desc;
03317 struct rsbac_acl_entry_t acman_entry = RSBAC_ACL_ACMAN_NETOBJ_ENTRY;
03318 struct rsbac_acl_entry_t sysadm_entry = RSBAC_ACL_SYSADM_NETOBJ_ENTRY;
03319 struct rsbac_acl_entry_t gen_entry = RSBAC_ACL_GENERAL_NETOBJ_ENTRY;
03320
03321 rsbac_printk(KERN_WARNING
03322 "rsbac_init_acl(): Network Object default ACL empty on dev %02u:%02u, generating standard ACL!\n",
03323 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
03324 desc.subj_type = acman_entry.subj_type;
03325 desc.subj_id = acman_entry.subj_id;
03326 rsbac_list_add(default_netobj_handle, &desc, &acman_entry.rights);
03327 desc.subj_type = sysadm_entry.subj_type;
03328 desc.subj_id = sysadm_entry.subj_id;
03329 rsbac_list_add(default_netobj_handle, &desc, &sysadm_entry.rights);
03330 desc.subj_type = gen_entry.subj_type;
03331 desc.subj_id = gen_entry.subj_id;
03332 rsbac_list_add(default_netobj_handle, &desc, &gen_entry.rights);
03333 }
03334 #endif /* NET_OBJ_PROT */
03335
03336 /* groups */
03337 list_info.version = RSBAC_ACL_GROUP_VERSION;
03338 list_info.key = RSBAC_ACL_LIST_KEY;
03339 list_info.desc_size = sizeof(rsbac_acl_group_id_t);
03340 list_info.data_size = sizeof(struct rsbac_acl_group_entry_t);
03341 list_info.max_age = 0;
03342 err = rsbac_list_register(RSBAC_LIST_VERSION,
03343 &group_handle,
03344 &list_info,
03345 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03346 RSBAC_LIST_BACKUP |
03347 #endif
03348 RSBAC_LIST_PERSIST,
03349 rsbac_list_compare_u32,
03350 NULL,
03351 NULL,
03352 RSBAC_ACL_GROUP_FILENAME,
03353 RSBAC_AUTO_DEV);
03354 if(err)
03355 {
03356 registration_error(err, "group");
03357 }
03358 if(!rsbac_no_defaults && !rsbac_list_count(group_handle))
03359 {
03360 rsbac_printk(KERN_WARNING
03361 "rsbac_init_acl(): Group list empty on dev %02u:%02u!\n",
03362 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
03363 }
03364 else
03365 {
03366 rsbac_list_get_max_desc(group_handle, &group_last_new);
03367 }
03368
03369 /* group memberships */
03370 lol_info.version = RSBAC_ACL_GM_VERSION;
03371 lol_info.key = RSBAC_ACL_LIST_KEY;
03372 lol_info.desc_size = sizeof(rsbac_uid_t);
03373 lol_info.data_size = 0;
03374 lol_info.subdesc_size = sizeof(rsbac_acl_group_id_t);
03375 lol_info.subdata_size = 0;
03376 lol_info.max_age = 0;
03377 err = rsbac_list_lol_register(RSBAC_LIST_VERSION,
03378 &gm_handle,
03379 &lol_info,
03380 #if defined(CONFIG_RSBAC_ACL_BACKUP)
03381 RSBAC_LIST_BACKUP |
03382 #endif
03383 RSBAC_LIST_PERSIST | RSBAC_LIST_DEF_DATA,
03384 rsbac_list_compare_u32,
03385 rsbac_list_compare_u32,
03386 NULL,
03387 NULL,
03388 NULL,
03389 NULL,
03390 RSBAC_ACL_GM_FILENAME,
03391 RSBAC_AUTO_DEV);
03392 if(err)
03393 {
03394 registration_error(err, "gm");
03395 }
03396 if(!rsbac_no_defaults && !rsbac_list_lol_count(gm_handle))
03397 {
03398 rsbac_printk(KERN_WARNING
03399 "rsbac_init_acl(): Group membership list empty on dev %02u:%02u!\n",
03400 RSBAC_MAJOR(rsbac_root_dev), RSBAC_MINOR(rsbac_root_dev));
03401 }
03402
03403 #if defined(CONFIG_RSBAC_PROC) && defined(CONFIG_PROC_FS)
03404 tmp_entry_p = create_proc_entry("acl_devices",
03405 S_IFREG | S_IRUGO,
03406 proc_rsbac_root_p);
03407 if(tmp_entry_p)
03408 {
03409 tmp_entry_p->get_info = acl_devices_proc_info;
03410 }
03411 tmp_entry_p = create_proc_entry("stats_acl",
03412 S_IFREG | S_IRUGO,
03413 proc_rsbac_root_p);
03414 if(tmp_entry_p)
03415 {
03416 tmp_entry_p->get_info = stats_acl_proc_info;
03417 }
03418 tmp_entry_p = create_proc_entry("acl_acllist",
03419 S_IFREG | S_IRUGO,
03420 proc_rsbac_root_p);
03421 if(tmp_entry_p)
03422 {
03423 tmp_entry_p->get_info = acl_acllist_proc_info;
03424 }
03425 tmp_entry_p = create_proc_entry("acl_grouplist",
03426 S_IFREG | S_IRUGO,
03427 proc_rsbac_root_p);
03428 if(tmp_entry_p)
03429 {
03430 tmp_entry_p->get_info = acl_grouplist_proc_info;
03431 }
03432 #endif
03433
03434 #ifdef CONFIG_RSBAC_DEBUG
03435 if (rsbac_debug_ds_acl)
03436 {
03437 rsbac_printk(KERN_DEBUG "rsbac_init_acl(): Ready.\n");
03438 }
03439 #endif
03440 return(err);
03441 };
|
|
|
Definition at line 3443 of file acl_data_structures.c. References acl_lookup_device(), acl_register_fd_lists(), add_device_item(), clear_device_item(), create_device_item(), get_error_name(), rsbac_acl_device_list_head_t::lock, rsbac_acl_device_list_item_t::mount_count, RSBAC_ECOULDNOTADDDEVICE, RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_kfree(), rsbac_kmalloc(), RSBAC_MAXNAMELEN, and rsbac_printk(). Referenced by rsbac_mount(). 03444 {
03445 int err = 0;
03446 struct rsbac_acl_device_list_item_t * device_p;
03447 struct rsbac_acl_device_list_item_t * new_device_p;
03448 u_long flags;
03449
03450 if (!rsbac_is_initialized())
03451 {
03452 rsbac_printk(KERN_WARNING "rsbac_mount_acl(): RSBAC not initialized\n");
03453 return(-RSBAC_ENOTINITIALIZED);
03454 }
03455 #ifdef CONFIG_RSBAC_DEBUG
03456 if (rsbac_debug_ds_acl)
03457 {
03458 rsbac_printk(KERN_DEBUG "rsbac_mount_acl(): mounting device %02u:%02u\n",
03459 RSBAC_MAJOR(kdev),RSBAC_MINOR(kdev));
03460 }
03461 #endif
03462 /* wait for read access to device_list_head */
03463 rsbac_read_lock(&device_list_head.lock, &flags);
03464 device_p = acl_lookup_device(kdev);
03465 /* repeated mount? */
03466 if(device_p)
03467 {
03468 rsbac_printk(KERN_INFO "rsbac_mount_acl: repeated mount %u of device %02u:%02u\n",
03469 device_p->mount_count, RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03470 device_p->mount_count++;
03471 rsbac_read_unlock(&device_list_head.lock, &flags);
03472 return 0;
03473 }
03474 rsbac_read_unlock(&device_list_head.lock, &flags);
03475 /* OK, go on */
03476 new_device_p = create_device_item(kdev);
03477 if(!new_device_p)
03478 return -RSBAC_ECOULDNOTADDDEVICE;
03479
03480 if((err = acl_register_fd_lists(new_device_p, kdev)))
03481 {
03482 char * tmp;
03483
03484 tmp = rsbac_kmalloc(RSBAC_MAXNAMELEN);
03485 if(tmp)
03486 {
03487 rsbac_printk(KERN_WARNING
03488 "rsbac_mount_acl(): File/Dir ACL registration failed for dev %02u:%02u, err %s!\n",
03489 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev), get_error_name(tmp,err));
03490 rsbac_kfree(tmp);
03491 }
03492 }
03493
03494 /* wait for read access to device_list_head */
03495 rsbac_read_lock(&device_list_head.lock, &flags);
03496 /* make sure to only add, if this device item has not been added in the meantime */
03497 device_p = acl_lookup_device(kdev);
03498 if(device_p)
03499 {
03500 rsbac_printk(KERN_WARNING
03501 "rsbac_mount_acl(): mount race for device %02u:%02u detected!\n",
03502 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03503 device_p->mount_count++;
03504 /* also detaches lists */
03505 clear_device_item(new_device_p);
03506 rsbac_read_unlock(&device_list_head.lock, &flags);
03507 }
03508 else
03509 {
03510 rsbac_read_unlock(&device_list_head.lock, &flags);
03511 rsbac_write_lock_irq(&device_list_head.lock, &flags);
03512 device_p = add_device_item(new_device_p);
03513 rsbac_write_unlock_irq(&device_list_head.lock, &flags);
03514 if(!device_p)
03515 {
03516 rsbac_printk(KERN_WARNING "rsbac_mount_acl: adding device %02u:%02u failed!\n",
03517 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03518 /* also detaches lists */
03519 clear_device_item(new_device_p);
03520 err = -RSBAC_ECOULDNOTADDDEVICE;
03521 }
03522 }
03523
03524 return(err);
03525 };
|
|
|
Definition at line 3577 of file acl_data_structures.c. References A_none, rsbac_attribute_value_t::dummy, group_last_new, rsbac_acl_device_list_item_t::handles, rsbac_acl_device_list_head_t::head, rsbac_acl_device_list_item_t::id, rsbac_acl_device_list_head_t::lock, rsbac_acl_device_list_item_t::next, R_GET_STATUS_DATA, rsbac_adf_request(), RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), rsbac_list_count(), rsbac_list_lol_all_subcount(), rsbac_list_lol_count(), rsbac_printk(), rsbac_target_id_t::scd, ST_rsbac, and T_SCD. Referenced by rsbac_stats(). 03578 {
03579 u_int item_count = 0;
03580 u_int member_count = 0;
03581 int tmp_count;
03582 u_int i;
03583 u_long dflags;
03584 struct rsbac_acl_device_list_item_t * device_p;
03585
03586 union rsbac_target_id_t rsbac_target_id;
03587 union rsbac_attribute_value_t rsbac_attribute_value;
03588
03589 if (!rsbac_is_initialized())
03590 {
03591 rsbac_printk(KERN_WARNING "rsbac_stats_acl(): RSBAC not initialized\n");
03592 return(-RSBAC_ENOTINITIALIZED);
03593 }
03594 #ifdef CONFIG_RSBAC_DEBUG
03595 if (rsbac_debug_aef_acl)
03596 {
03597 rsbac_printk(KERN_DEBUG "rsbac_stats_acl(): calling ADF\n");
03598 }
03599 #endif
03600 rsbac_target_id.scd = ST_rsbac;
03601 rsbac_attribute_value.dummy = 0;
03602 if (!rsbac_adf_request(R_GET_STATUS_DATA,
03603 current->pid,
03604 T_SCD,
03605 rsbac_target_id,
03606 A_none,
03607 rsbac_attribute_value))
03608 {
03609 return -EPERM;
03610 }
03611
03612 rsbac_printk(KERN_INFO "ACL Status\n-----------\n");
03613
03614 /* protect device list */
03615 rsbac_read_lock(&device_list_head.lock, &dflags);
03616 device_p = device_list_head.head;
03617 while(device_p)
03618 {
03619 /* reset counters */
03620 item_count = 0;
03621 member_count = 0;
03622 for(i=0; i<RSBAC_ACL_NR_FD_LISTS; i++)
03623 {
03624 tmp_count = rsbac_list_lol_count(device_p->handles[i]);
03625 if(tmp_count > 0)
03626 item_count+=tmp_count;
03627 tmp_count = rsbac_list_lol_all_subcount(device_p->handles[i]);
03628 if(tmp_count > 0)
03629 member_count += tmp_count;
03630 }
03631 rsbac_printk(KERN_INFO
03632 "device %02u:%02u has %u file ACLs, sum of %u members\n",
03633 RSBAC_MAJOR(device_p->id),
03634 RSBAC_MINOR(device_p->id),
03635 item_count,
03636 member_count);
03637 device_p = device_p->next;
03638 }
03639 /* unprotect device list */
03640 rsbac_read_unlock(&device_list_head.lock, &dflags);
03641
03642 /* dev list */
03643 rsbac_printk(KERN_INFO
03644 "%li device major ACL items, sum of %li members\n",
03645 rsbac_list_lol_count(dev_major_handle),
03646 rsbac_list_lol_all_subcount(dev_major_handle));
03647 rsbac_printk(KERN_INFO
03648 "%li device ACL items, sum of %li members\n",
03649 rsbac_list_lol_count(dev_handle),
03650 rsbac_list_lol_all_subcount(dev_handle));
03651
03652 /* SCD list */
03653 rsbac_printk(KERN_INFO
03654 "%li scd ACL items, sum of %li members\n",
03655 rsbac_list_lol_count(scd_handle),
03656 rsbac_list_lol_all_subcount(scd_handle));
03657
03658 /* user list */
03659 rsbac_printk(KERN_INFO
03660 "%li user ACL items, sum of %li members\n",
03661 rsbac_list_lol_count(u_handle),
03662 rsbac_list_lol_all_subcount(u_handle));
03663
03664 #ifdef CONFIG_RSBAC_ACL_UM_PROT
03665 /* Linux group list */
03666 rsbac_printk(KERN_INFO
03667 "%li Linux group ACL items, sum of %li members\n",
03668 rsbac_list_lol_count(g_handle),
03669 rsbac_list_lol_all_subcount(g_handle));
03670 #endif
03671
03672 #ifdef CONFIG_RSBAC_ACL_NET_DEV_PROT
03673 /* netdev list */
03674 rsbac_printk(KERN_INFO
03675 "%li network device ACL items, sum of %li members\n",
03676 rsbac_list_lol_count(netdev_handle),
03677 rsbac_list_lol_all_subcount(netdev_handle));
03678 #endif
03679
03680 #ifdef CONFIG_RSBAC_ACL_NET_OBJ_PROT
03681 /* nettemp_nt list */
03682 rsbac_printk(KERN_INFO
03683 "%li network template NT ACL items, sum of %li members\n",
03684 rsbac_list_lol_count(nettemp_nt_handle),
03685 rsbac_list_lol_all_subcount(nettemp_nt_handle));
03686 /* nettemp list */
03687 rsbac_printk(KERN_INFO
03688 "%li network template ACL items, sum of %li members\n",
03689 rsbac_list_lol_count(nettemp_handle),
03690 rsbac_list_lol_all_subcount(nettemp_handle));
03691 /* netobj list */
03692 rsbac_printk(KERN_INFO
03693 "%li network object ACL items, sum of %li members\n",
03694 rsbac_list_lol_count(netobj_handle),
03695 rsbac_list_lol_all_subcount(netobj_handle));
03696 #endif
03697
03698 rsbac_printk(KERN_INFO
03699 "%li groups, last new is %u\n",
03700 rsbac_list_count(group_handle),
03701 group_last_new);
03702
03703 /* protect gm list */
03704 rsbac_printk(KERN_INFO
03705 "%li group member items, sum of %li group memberships\n",
03706 rsbac_list_lol_count(gm_handle),
03707 rsbac_list_lol_all_subcount(gm_handle));
03708
03709 return(0);
03710 };
|
|
|
Definition at line 3529 of file acl_data_structures.c. References acl_lookup_device(), rsbac_acl_device_list_head_t::lock, rsbac_acl_device_list_item_t::mount_count, remove_device_item(), RSBAC_ENOTINITIALIZED, rsbac_is_initialized(), and rsbac_printk(). Referenced by rsbac_umount(). 03530 {
03531 u_long flags;
03532 struct rsbac_acl_device_list_item_t * device_p;
03533
03534 if (!rsbac_is_initialized())
03535 {
03536 rsbac_printk(KERN_WARNING "rsbac_umount(): RSBAC not initialized\n");
03537 return(-RSBAC_ENOTINITIALIZED);
03538 }
03539
03540 #ifdef CONFIG_RSBAC_DEBUG
03541 if (rsbac_debug_ds)
03542 {
03543 rsbac_printk(KERN_DEBUG "rsbac_umount_acl(): umounting device %02u:%02u\n",
03544 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03545 }
03546 #endif
03547 /* sync of attribute lists was done in rsbac_umount */
03548 /* wait for write access to device_list_head */
03549 rsbac_write_lock(&device_list_head.lock, &flags);
03550 /* OK, nobody else is working on it... */
03551 device_p = acl_lookup_device(kdev);
03552 if(device_p)
03553 {
03554 if(device_p->mount_count == 1)
03555 remove_device_item(kdev);
03556 else
03557 {
03558 if(device_p->mount_count > 1)
03559 {
03560 device_p->mount_count--;
03561 }
03562 else
03563 {
03564 rsbac_printk(KERN_WARNING "rsbac_umount_acl: device %02u:%02u has mount_count < 1!\n",
03565 RSBAC_MAJOR(kdev), RSBAC_MINOR(kdev));
03566 }
03567 }
03568 }
03569 /* allow access */
03570 rsbac_write_unlock(&device_list_head.lock, &flags);
03571 return(0);
03572 };
|
1.4.2