Main Page | Alphabetical List | Data Structures | Directories | File List | Data Fields | Globals | Search for 
linux-2.6.16-rsbac-1.2.6 / rsbac / adf / pax

pax_main.c

Go to the documentation of this file.
00001 /**************************************************** */
00002 /* Rule Set Based Access Control                      */
00003 /* Implementation of the Access Control Decision      */
00004 /* Facility (ADF) - PAX                               */
00005 /* File: rsbac/adf/pax/pax_main.c                     */
00006 /*                                                    */
00007 /* Author and (c) 1999-2005: Amon Ott <ao@rsbac.org>  */
00008 /*                                                    */
00009 /* Last modified: 18/Jul/2005                         */
00010 /**************************************************** */
00011 
00012 #include <linux/string.h>
00013 #include <linux/binfmts.h>
00014 #include <linux/mm.h>
00015 #include <rsbac/types.h>
00016 #include <rsbac/aci.h>
00017 #include <rsbac/adf_main.h>
00018 #include <rsbac/error.h>
00019 #include <rsbac/helpers.h>
00020 #include <rsbac/getname.h>
00021 #include <rsbac/pax_getname.h>
00022 #include <rsbac/debug.h>
00023 
00024 /************************************************* */
00025 /*           Global Variables                      */
00026 /************************************************* */
00027 
00028 /************************************************* */
00029 /*          Internal Help functions                */
00030 /************************************************* */
00031 
00032 /************************************************* */
00033 /*          Externally visible functions           */
00034 /************************************************* */
00035 
00036 /**** PaX set flags func ****/
00037 #if defined(CONFIG_RSBAC_PAX) && (defined(CONFIG_PAX_HAVE_ACL_FLAGS) || defined(CONFIG_PAX_HOOK_ACL_FLAGS))
00038 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,10)
00039 #if defined(CONFIG_PAX_HAVE_ACL_FLAGS)
00040 void pax_set_initial_flags(struct linux_binprm * bprm)
00041 #else
00042 void rsbac_pax_set_flags_func(struct linux_binprm * bprm)
00043 #endif
00044 #else
00045 #if defined(CONFIG_PAX_HAVE_ACL_FLAGS)
00046 void pax_set_flags(struct linux_binprm * bprm)
00047 #else
00048 void rsbac_pax_set_flags_func(struct linux_binprm * bprm)
00049 #endif
00050 #endif
00051   {
00052     int err;
00053     union rsbac_target_id_t tid;
00054     union rsbac_attribute_value_t attr_val;
00055 
00056     if(!rsbac_is_initialized())
00057       return;
00058     tid.file.device = bprm->file->f_dentry->d_sb->s_dev;
00059     tid.file.inode = bprm->file->f_dentry->d_inode->i_ino;
00060     tid.file.dentry_p = bprm->file->f_dentry;
00061     err = rsbac_get_attr(PAX,
00062                          T_FILE,
00063                          tid,
00064                          A_pax_flags,
00065                          &attr_val,
00066                          TRUE);
00067     if(!err)
00068       {
00069         pax_check_flags(&attr_val.pax_flags);
00070 #ifdef CONFIG_RSBAC_DEBUG
00071         if(rsbac_debug_adf_pax)
00072           {
00073             rsbac_printk(KERN_DEBUG
00074                    "rsbac_pax_set_flags_func(): changing flags for process %u from %lx to %lx from device %02u:%02u inode %u\n",
00075                    current->pid,
00076                    current->flags & RSBAC_PAX_ALL_FLAGS,
00077                    attr_val.pax_flags,
00078                    MAJOR(tid.file.device),MINOR(tid.file.device),
00079                    tid.file.inode);
00080           }
00081 #endif
00082         /* Set flags for process */
00083 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,10)
00084         current->mm->pax_flags = (current->mm->pax_flags & ~RSBAC_PAX_ALL_FLAGS) | attr_val.pax_flags;
00085 #else
00086         current->flags = (current->flags & ~RSBAC_PAX_ALL_FLAGS) | attr_val.pax_flags;
00087 #endif
00088       }
00089     else
00090       {
00091         rsbac_printk(KERN_WARNING
00092                "rsbac_pax_set_flags_func(): get_data for device %02u:%02u, inode %u returned error %i!\n",
00093                MAJOR(tid.file.device),
00094                MINOR(tid.file.device),
00095                tid.file.inode,
00096                err);
00097       }
00098   }
00099 #endif
00100 
00101 
00102 enum rsbac_adf_req_ret_t
00103    rsbac_adf_request_pax (enum  rsbac_adf_request_t     request,
00104                                 rsbac_pid_t             caller_pid,
00105                           enum  rsbac_target_t          target,
00106                           union rsbac_target_id_t       tid,
00107                           enum  rsbac_attribute_t       attr,
00108                           union rsbac_attribute_value_t attr_val,
00109                                 rsbac_uid_t             owner)
00110   {
00111     union rsbac_target_id_t       i_tid;
00112     union rsbac_attribute_value_t i_attr_val1;
00113 
00114     switch (request)
00115       {
00116         case R_MODIFY_ATTRIBUTE:
00117             switch(attr)
00118               {
00119                 case A_system_role:
00120                 case A_pax_role:
00121                 case A_pax_flags:
00122                 /* All attributes (remove target!) */
00123                 case A_none:
00124                   /* Security Officer? */
00125                   i_tid.user = owner;
00126                   if (rsbac_get_attr(PAX,
00127                                      T_USER,
00128                                      i_tid,
00129                                      A_pax_role,
00130                                      &i_attr_val1,
00131                                      TRUE))
00132                     {
00133                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00134                       return(NOT_GRANTED);
00135                     }
00136                   /* if sec_officer, then grant */
00137                   if (i_attr_val1.system_role == SR_security_officer)
00138                     return(GRANTED);
00139                   else
00140                     return(NOT_GRANTED);
00141 
00142                 default:
00143                   return(DO_NOT_CARE);
00144               }
00145 
00146         case R_READ_ATTRIBUTE:
00147             switch(attr)
00148               {
00149                 case A_system_role:
00150                 case A_pax_role:
00151                 case A_pax_flags:
00152                 /* All attributes (remove target!) */
00153                 case A_none:
00154                   /* Security Officer or Admin? */
00155                   i_tid.user = owner;
00156                   if (rsbac_get_attr(PAX,
00157                                      T_USER,
00158                                      i_tid,
00159                                      A_pax_role,
00160                                      &i_attr_val1,
00161                                      TRUE))
00162                     {
00163                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00164                       return(NOT_GRANTED);
00165                     }
00166                   /* if sec_officer, then grant */
00167                   if(   (i_attr_val1.system_role == SR_security_officer)
00168                      || (i_attr_val1.system_role == SR_administrator)
00169                     )
00170                     return(GRANTED);
00171                   else
00172                     return(NOT_GRANTED);
00173 
00174                 default:
00175                   return(DO_NOT_CARE);
00176               }
00177 
00178         case R_SWITCH_LOG:
00179             switch(target)
00180               {
00181                 case T_NONE:
00182                   /* test owner's pax_role */
00183                   i_tid.user = owner;
00184                   if (rsbac_get_attr(PAX,
00185                                      T_USER,
00186                                      i_tid,
00187                                      A_pax_role,
00188                                      &i_attr_val1,
00189                                      TRUE))
00190                     {
00191                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00192                       return(NOT_GRANTED);
00193                     }
00194                   /* security officer? -> grant  */
00195                   if (i_attr_val1.system_role == SR_security_officer)
00196                     return(GRANTED);
00197                   else
00198                     return(NOT_GRANTED);
00199 
00200                 /* all other cases are unknown */
00201                 default: return(DO_NOT_CARE);
00202               }
00203 
00204         case R_SWITCH_MODULE:
00205             switch(target)
00206               {
00207                 case T_NONE:
00208                   /* we need the switch_target */
00209                   if(attr != A_switch_target)
00210                     return(UNDEFINED);
00211                   /* do not care for other modules */
00212                   if(   (attr_val.switch_target != PAX)
00213                      #ifdef CONFIG_RSBAC_SOFTMODE
00214                      && (attr_val.switch_target != SOFTMODE)
00215                      #endif
00216                      #ifdef CONFIG_RSBAC_FREEZE
00217                      && (attr_val.switch_target != FREEZE)
00218                      #endif
00219                     )
00220                     return(DO_NOT_CARE);
00221                   /* test owner's pax_role */
00222                   i_tid.user = owner;
00223                   if (rsbac_get_attr(PAX,
00224                                      T_USER,
00225                                      i_tid,
00226                                      A_pax_role,
00227                                      &i_attr_val1,
00228                                      TRUE))
00229                     {
00230                       rsbac_ds_get_error("rsbac_adf_request_pax()", A_pax_role);
00231                       return(NOT_GRANTED);
00232                     }
00233                   /* security officer? -> grant  */
00234                   if (i_attr_val1.system_role == SR_security_officer)
00235                     return(GRANTED);
00236                   else
00237                     return(NOT_GRANTED);
00238 
00239                 /* all other cases are unknown */
00240                 default: return(DO_NOT_CARE);
00241               }
00242 
00243 /*********************/
00244         default: return DO_NOT_CARE;
00245       }
00246 
00247     return DO_NOT_CARE;
00248   } /* end of rsbac_adf_request_pax() */
00249 
00250 
00251 /*****************************************************************************/
00252 /* If the request returned granted and the operation is performed,           */
00253 /* the following function can be called by the AEF to get all aci set        */
00254 /* correctly. For write accesses that are performed fully within the kernel, */
00255 /* this is usually not done to prevent extra calls, including R_CLOSE for    */
00256 /* cleaning up.                                                              */
00257 /* The second instance of target specification is the new target, if one has */
00258 /* been created, otherwise its values are ignored.                           */
00259 /* On success, 0 is returned, and an error from rsbac/error.h otherwise.     */
00260 
00261 int  rsbac_adf_set_attr_pax(
00262                       enum  rsbac_adf_request_t     request,
00263                             rsbac_pid_t             caller_pid,
00264                       enum  rsbac_target_t          target,
00265                       union rsbac_target_id_t       tid,
00266                       enum  rsbac_target_t          new_target,
00267                       union rsbac_target_id_t       new_tid,
00268                       enum  rsbac_attribute_t       attr,
00269                       union rsbac_attribute_value_t attr_val,
00270                             rsbac_uid_t             owner)
00271   {
00272     return 0;
00273   } /* end of rsbac_adf_set_attr_pax() */
00274 
00275 /* end of rsbac/adf/pax/pax_main.c */
Generated on Sun May 21 14:30:50 2006 for RSBAC by  doxygen 1.4.2