00008 #ifndef __RSBAC_DATA_STRUC_H
00009 #define __RSBAC_DATA_STRUC_H
00010
00011 #ifdef __KERNEL__
00012 #include <linux/types.h>
00013 #include <linux/fs.h>
00014 #include <linux/wait.h>
00015 #include <linux/interrupt.h>
00016 #include <asm/semaphore.h>
00017 #include <rsbac/types.h>
00018 #include <linux/spinlock.h>
00019 #include <rsbac/pm_types.h>
00020 #include <rsbac/rc_types.h>
00021 #include <rsbac/aci.h>
00022 #include <rsbac/debug.h>
00023 #include <rsbac/lists.h>
00024 #endif
#ifdef __KERNEL__
/* Kernel-only constants: sizes, on-disk names and modes of the attribute store. */

/* Size in bytes of the in-kernel RSBAC log buffer. */
#define RSBAC_LOG_BUF_LEN (16384)

/* Name of the per-device attribute store (presumably a directory, given RSBAC_ACI_DIR_MODE below — confirm). */
#define RSBAC_ACI_PATH "rsbac.dat"

/*
 * Per-module file names of the file/dir ("fd") attribute lists.  The trailing
 * '.' suggests a suffix (presumably the sub-list number, see *_NR_FD_LISTS) is
 * appended — confirm against the list creation code.  These are persisted
 * names, so renaming one is a data-format change.
 */
#define RSBAC_GEN_FD_NAME "fd_gen."
#define RSBAC_MAC_FD_NAME "fd_mac."
#define RSBAC_PM_FD_NAME "fd_pm."
#define RSBAC_DAZ_FD_NAME "fd_dazt."
#define RSBAC_DAZ_SCANNED_FD_NAME "fd_dazs."
#define RSBAC_FF_FD_NAME "fd_ff."
#define RSBAC_RC_FD_NAME "fd_rc."
#define RSBAC_AUTH_FD_NAME "fd_auth."
#define RSBAC_CAP_FD_NAME "fd_cap."
#define RSBAC_PAX_FD_NAME "fd_pax."
#define RSBAC_RES_FD_NAME "fd_res."

/* File name of the user attribute list. */
#define RSBAC_ACI_USER_NAME "useraci"

/* Mode of the attribute directory: type bit only, no permission bits at all. */
#define RSBAC_ACI_DIR_MODE (S_IFDIR)

/* Attribute data files are regular files, owner read/write only (0600); group/other get nothing. */
#define RSBAC_ACI_FILE_MODE (S_IFREG | S_IRUSR | S_IWUSR)

/* Smallest buffer used when an fd list is written out (presumably — confirm in the write path). */
#define RSBAC_MIN_WRITE_FD_BUF_LEN 32768

/* Largest single write: (1 << 15) - 1 = 32767, one byte below RSBAC_MIN_WRITE_FD_BUF_LEN. */
#define RSBAC_MAX_WRITE_CHUNK ((1 << 15) - 1)

/*
 * Number of sub-lists each module spreads its fd attributes over.  These
 * values dimension the handle arrays in struct rsbac_fd_list_handles_t, so
 * changing one changes that struct's layout.
 */
#define RSBAC_GEN_NR_FD_LISTS 8
#define RSBAC_MAC_NR_FD_LISTS 32
#define RSBAC_PM_NR_FD_LISTS 16
#define RSBAC_DAZ_NR_FD_LISTS 2
#define RSBAC_DAZ_SCANNED_NR_FD_LISTS 32
#define RSBAC_FF_NR_FD_LISTS 8
#define RSBAC_RC_NR_FD_LISTS 16
#define RSBAC_AUTH_NR_FD_LISTS 2
#define RSBAC_CAP_NR_FD_LISTS 4
#define RSBAC_PAX_NR_FD_LISTS 2
#define RSBAC_RES_NR_FD_LISTS 4

#ifdef CONFIG_RSBAC_INIT_THREAD

/*
 * Clamp the configured init-thread limit to a floor of 5 (unit not stated
 * here; presumably seconds).  If CONFIG_RSBAC_MAX_INIT_TIME is not defined
 * the #if sees 0 and the floor applies.
 */
#if CONFIG_RSBAC_MAX_INIT_TIME >= 5
#define RSBAC_MAX_INIT_TIME CONFIG_RSBAC_MAX_INIT_TIME
#else
#define RSBAC_MAX_INIT_TIME 5
#endif
#endif

#endif
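/*
 * GEN module attributes kept per file/dir object ("fd").  *_VERSION tags the
 * persisted record layout (the rsbac_gen_fd_old*_aci_t structs below are the
 * earlier layouts, kept so old records can still be read); *_KEY is a per-list
 * constant, presumably a magic value checked when a list is loaded — confirm
 * in the list code.
 */
#define RSBAC_GEN_FD_ACI_VERSION 7
#define RSBAC_GEN_FD_ACI_KEY 1001
struct rsbac_gen_fd_aci_t
{
    /* Request logging arrays; presumably two halves of one per-request level table — see rsbac_log_array_t. */
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
    /* Requests to log when this object is the running program (presumably); 0 = none. */
    rsbac_request_vector_t log_program_based;
    /* symlink_add_*: presumably rewrite symlink targets by appending the named
     * value — confirm in the symlink code.  symlink_add_remote_ip is new in
     * version 7 (absent from rsbac_gen_fd_old_aci_t). */
    rsbac_enum_t symlink_add_remote_ip;
    rsbac_enum_t symlink_add_uid;
    rsbac_enum_t symlink_add_mac_level;
    rsbac_enum_t symlink_add_rc_role;
    /* LDD_inherit for ordinary objects, LDD_false on the root directory (see defaults). */
    rsbac_enum_t linux_dac_disable;
    rsbac_fake_root_uid_int_t fake_root_uid;
    /* Audit uid exemption; RSBAC_NO_USER means none. */
    rsbac_uid_t auid_exempt;
};
/*
 * Defaults for a newly seen fd object.  Every member of the version 7 struct
 * is listed explicitly so the initializer stays in step with the struct:
 * symlink_add_remote_ip previously relied on implicit zero-initialization;
 * FALSE is expected to be 0, so the resulting value is unchanged.
 */
#define DEFAULT_GEN_FD_ACI \
{ \
    .log_array_low = -1, \
    .log_array_high = -1, \
    .log_program_based = 0, \
    .symlink_add_remote_ip = FALSE, \
    .symlink_add_uid = FALSE, \
    .symlink_add_mac_level = FALSE, \
    .symlink_add_rc_role = FALSE, \
    .linux_dac_disable = LDD_inherit, \
    .fake_root_uid = FR_off, \
    .auid_exempt = RSBAC_NO_USER, \
}

/*
 * Defaults for the root directory of a device.  Identical to
 * DEFAULT_GEN_FD_ACI except linux_dac_disable is LDD_false rather than
 * LDD_inherit — presumably because there is no parent to inherit from.
 */
#define DEFAULT_GEN_ROOT_DIR_ACI \
{ \
    .log_array_low = -1, \
    .log_array_high = -1, \
    .log_program_based = 0, \
    .symlink_add_remote_ip = FALSE, \
    .symlink_add_uid = FALSE, \
    .symlink_add_mac_level = FALSE, \
    .symlink_add_rc_role = FALSE, \
    .linux_dac_disable = LDD_false, \
    .fake_root_uid = FR_off, \
    .auid_exempt = RSBAC_NO_USER, \
}
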
/*
 * Version 6 layout of the GEN fd record: version 7 without
 * symlink_add_remote_ip.  Kept so records persisted by earlier kernels can
 * still be read and converted (presumably by the list conversion code).
 * Member order is the on-disk order — do not reorder.
 */
#define RSBAC_GEN_FD_OLD_ACI_VERSION 6
struct rsbac_gen_fd_old_aci_t
{
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
    rsbac_request_vector_t log_program_based;
    rsbac_enum_t symlink_add_uid;
    rsbac_enum_t symlink_add_mac_level;
    rsbac_enum_t symlink_add_rc_role;
    rsbac_enum_t linux_dac_disable;
    rsbac_fake_root_uid_int_t fake_root_uid;
    rsbac_uid_t auid_exempt;
};

/* Version 5 layout of the GEN fd record: version 6 without auid_exempt. */
#define RSBAC_GEN_FD_OLD_OLD_ACI_VERSION 5
struct rsbac_gen_fd_old_old_aci_t
{
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
    rsbac_request_vector_t log_program_based;
    rsbac_enum_t symlink_add_uid;
    rsbac_enum_t symlink_add_mac_level;
    rsbac_enum_t symlink_add_rc_role;
    rsbac_enum_t linux_dac_disable;
    rsbac_fake_root_uid_int_t fake_root_uid;
};

/* Version 4 layout of the GEN fd record: version 5 without fake_root_uid (oldest layout still readable). */
#define RSBAC_GEN_FD_OLD_OLD_OLD_ACI_VERSION 4
struct rsbac_gen_fd_old_old_old_aci_t
{
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
    rsbac_request_vector_t log_program_based;
    rsbac_enum_t symlink_add_uid;
    rsbac_enum_t symlink_add_mac_level;
    rsbac_enum_t symlink_add_rc_role;
    rsbac_enum_t linux_dac_disable;
};

#if defined(CONFIG_RSBAC_MAC)
/* MAC module attributes kept per fd object.  Current record layout is version 5. */
#define RSBAC_MAC_FD_ACI_VERSION 5
#define RSBAC_MAC_FD_ACI_KEY 1001
struct rsbac_mac_fd_aci_t
{
    rsbac_security_level_t sec_level;            /* SL_inherit or a concrete level */
    rsbac_mac_category_vector_t mac_categories;  /* category bit vector, may be the inherit vector */
    rsbac_mac_auto_int_t mac_auto;               /* MA_inherit / MA_yes in the defaults below */
    rsbac_boolean_int_t mac_prop_trusted;        /* FALSE by default */
    rsbac_mac_file_flags_t mac_file_flags;       /* 0 by default; replaced mac_shared of version 3 */
};

/* Version 4 layout: version 5 plus a per-user trusted uid, which version 5 dropped. */
#define RSBAC_MAC_FD_OLD_ACI_VERSION 4
struct rsbac_mac_fd_old_aci_t
{
    rsbac_security_level_t sec_level;
    rsbac_uid_t mac_trusted_for_user;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_auto_int_t mac_auto;
    rsbac_boolean_int_t mac_prop_trusted;
    rsbac_mac_file_flags_t mac_file_flags;
};

/* Version 3 layout: like version 4 but with a mac_shared boolean instead of mac_file_flags. */
#define RSBAC_MAC_FD_OLD_OLD_ACI_VERSION 3
struct rsbac_mac_fd_old_old_aci_t
{
    rsbac_security_level_t sec_level;
    rsbac_uid_t mac_trusted_for_user;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_auto_int_t mac_auto;
    rsbac_boolean_int_t mac_prop_trusted;
    rsbac_boolean_int_t mac_shared;
};

/* Version 2 layout (oldest still readable): level, trusted uid, categories and auto flag only. */
#define RSBAC_MAC_FD_OLD_OLD_OLD_ACI_VERSION 2
struct rsbac_mac_fd_old_old_old_aci_t
{
    rsbac_security_level_t sec_level;
    rsbac_uid_t mac_trusted_for_user;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_auto_int_t mac_auto;
};

/*
 * Defaults for a new fd object.  _INH takes level, categories and auto
 * setting from the parent (SL_inherit / RSBAC_MAC_INHERIT_CAT_VECTOR /
 * MA_inherit); _NO_INH starts at SL_unclassified with the default category
 * vector and MA_yes.  CONFIG_RSBAC_MAC_DEF_INHERIT selects which one is
 * DEFAULT_MAC_FD_ACI.
 */
#define DEFAULT_MAC_FD_ACI_INH \
{ \
    .sec_level = SL_inherit, \
    .mac_categories = RSBAC_MAC_INHERIT_CAT_VECTOR, \
    .mac_auto = MA_inherit, \
    .mac_prop_trusted = FALSE, \
    .mac_file_flags = 0, \
}
#define DEFAULT_MAC_FD_ACI_NO_INH \
{ \
    .sec_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_auto = MA_yes, \
    .mac_prop_trusted = FALSE, \
    .mac_file_flags = 0, \
}

#ifdef CONFIG_RSBAC_MAC_DEF_INHERIT
#define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_INH
#else
#define DEFAULT_MAC_FD_ACI DEFAULT_MAC_FD_ACI_NO_INH
#endif

/* The device root directory never inherits (same values as _NO_INH); presumably because it has no parent. */
#define DEFAULT_MAC_ROOT_DIR_ACI \
{ \
    .sec_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_auto = MA_yes, \
    .mac_prop_trusted = FALSE, \
    .mac_file_flags = 0, \
}
#endif

#if defined(CONFIG_RSBAC_PM)
/* PM (privacy model) attributes kept per fd object; single record version. */
#define RSBAC_PM_FD_ACI_VERSION 1
#define RSBAC_PM_FD_ACI_KEY 1001
struct rsbac_pm_fd_aci_t
{
    rsbac_pm_object_class_id_t pm_object_class;  /* 0 by default */
    rsbac_pm_tp_id_t pm_tp;                      /* transformation procedure id (presumably); 0 by default */
    rsbac_pm_object_type_int_t pm_object_type;   /* PO_none by default */
};

/* A new fd object carries no PM class, no TP and type PO_none. */
#define DEFAULT_PM_FD_ACI \
{ \
    .pm_object_class = 0, \
    .pm_tp = 0, \
    .pm_object_type = PO_none, \
}
#endif

#if defined(CONFIG_RSBAC_DAZ)
/*
 * DAZ (Dazuko malware-scanner) attributes kept per fd object.  Only one key
 * is defined here; the separate "scanned" list (fd_dazs., see
 * RSBAC_DAZ_SCANNED_FD_NAME) has its own version but presumably shares it.
 * The cleanup interval is 86400 = 24*60*60, so presumably seconds (one day)
 * — confirm against the cache code.
 */
#define RSBAC_DAZ_FD_ACI_VERSION 1
#define RSBAC_DAZ_FD_ACI_KEY 10535
#define RSBAC_DAZ_CACHE_CLEANUP_INTERVAL 86400
#define RSBAC_DAZ_SCANNED_FD_ACI_VERSION 1
struct rsbac_daz_fd_aci_t
{
    rsbac_daz_scanner_t daz_scanner;  /* FALSE by default: the object is not a scanner program (presumably) */
};

#define DEFAULT_DAZ_FD_ACI \
{ \
    .daz_scanner = FALSE \
}

#define DEFAULT_DAZ_ROOT_DIR_ACI \
{ \
    .daz_scanner = FALSE \
}
#endif

#if defined(CONFIG_RSBAC_FF)
/* FF (file flags) fd list: version and key only.  No record struct is declared here; the module's single attribute is A_ff_flags in RSBAC_FD_ATTR_LIST. */
#define RSBAC_FF_FD_ACI_VERSION 1
#define RSBAC_FF_FD_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_RC)
/* RC (role compatibility) attributes kept per fd object. */
#define RSBAC_RC_FD_ACI_VERSION 1
#define RSBAC_RC_FD_ACI_KEY 1001
struct rsbac_rc_fd_aci_t
{
    rsbac_rc_type_id_t rc_type_fd;        /* RC_type_inherit_parent by default */
    rsbac_rc_role_id_t rc_force_role;     /* role forced on execution (presumably); RC_default_force_role by default */
    rsbac_rc_role_id_t rc_initial_role;   /* RC_default_initial_role by default */
};

/* New objects inherit their type from the parent. */
#define DEFAULT_RC_FD_ACI \
{ \
    .rc_type_fd = RC_type_inherit_parent, \
    .rc_force_role = RC_default_force_role, \
    .rc_initial_role = RC_default_initial_role, \
}
/* The device root directory has no parent: it gets the general type and the root-dir role defaults. */
#define DEFAULT_RC_ROOT_DIR_ACI \
{ \
    .rc_type_fd = RSBAC_RC_GENERAL_TYPE, \
    .rc_force_role = RC_default_root_dir_force_role, \
    .rc_initial_role = RC_default_root_dir_initial_role, \
}
#endif

#if defined(CONFIG_RSBAC_AUTH)
/*
 * AUTH module attributes kept per fd object.  Version 2 added auth_learn to
 * the version 1 layout.  The flags are plain __u8 rather than
 * rsbac_boolean_int_t.
 */
#define RSBAC_AUTH_FD_ACI_VERSION 2
#define RSBAC_AUTH_FD_OLD_ACI_VERSION 1
#define RSBAC_AUTH_FD_ACI_KEY 1001
struct rsbac_auth_fd_aci_t
{
    __u8 auth_may_setuid;
    __u8 auth_may_set_cap;
    __u8 auth_learn;
};

/* Version 1 layout, kept for reading old records. */
struct rsbac_auth_fd_old_aci_t
{
    __u8 auth_may_setuid;
    __u8 auth_may_set_cap;
};

/* Deny by default: a new object may neither change uid nor set capabilities, and learning is off. */
#define DEFAULT_AUTH_FD_ACI \
{ \
    .auth_may_setuid = FALSE, \
    .auth_may_set_cap = FALSE, \
    .auth_learn = FALSE, \
}
#endif

#if defined(CONFIG_RSBAC_CAP)
/* CAP module attributes kept per fd object: a minimum and maximum capability vector. */
#define RSBAC_CAP_FD_ACI_VERSION 1
#define RSBAC_CAP_FD_ACI_KEY 1001
struct rsbac_cap_fd_aci_t
{
    rsbac_cap_vector_t min_caps;
    rsbac_cap_vector_t max_caps;
};
/* Defaults come from RSBAC_CAP_DEFAULT_MIN / RSBAC_CAP_DEFAULT_MAX (defined elsewhere). */
#define DEFAULT_CAP_FD_ACI \
{ \
    .min_caps = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps = RSBAC_CAP_DEFAULT_MAX, \
}
#endif

#if defined(CONFIG_RSBAC_PAX)
/* PAX fd list: version and key only (no record struct; the attribute is A_pax_flags).  Note the key differs from the 1001 most other lists use. */
#define RSBAC_PAX_FD_ACI_VERSION 1
#define RSBAC_PAX_FD_ACI_KEY 100112
#endif

#if defined(CONFIG_RSBAC_RES)
/*
 * RES (resource limits) attributes kept per fd object: a minimum and a
 * maximum limit array.  The initializer below lists 11 RSBAC_RES_UNSET
 * entries per array; this count must match the length of rsbac_res_array_t
 * (defined elsewhere).  If the array were longer, the remaining entries would
 * be zero-initialized rather than RSBAC_RES_UNSET.
 */
#define RSBAC_RES_FD_ACI_VERSION 1
#define RSBAC_RES_FD_ACI_KEY 1002
struct rsbac_res_fd_aci_t
{
    rsbac_res_array_t res_min;
    rsbac_res_array_t res_max;
};
#define DEFAULT_RES_FD_ACI \
{ \
    .res_min = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    } \
}
#endif

/*
 * All attributes that can be attached to an fd object, across every module.
 * RSBAC_FD_NR_ATTRIBUTES must equal the number of entries in
 * RSBAC_FD_ATTR_LIST (31 at present) — keep the two in step when adding an
 * attribute.
 */
#define RSBAC_FD_NR_ATTRIBUTES 31
#define RSBAC_FD_ATTR_LIST { \
    A_security_level, \
    A_mac_categories, \
    A_mac_auto, \
    A_mac_prop_trusted, \
    A_mac_file_flags, \
    A_pm_object_class, \
    A_pm_tp, \
    A_pm_object_type, \
    A_daz_scanner, \
    A_ff_flags, \
    A_rc_type_fd, \
    A_rc_force_role, \
    A_rc_initial_role, \
    A_auth_may_setuid, \
    A_auth_may_set_cap, \
    A_auth_learn, \
    A_log_array_low, \
    A_log_array_high, \
    A_log_program_based, \
    A_symlink_add_remote_ip, \
    A_symlink_add_uid, \
    A_symlink_add_mac_level, \
    A_symlink_add_rc_role, \
    A_linux_dac_disable, \
    A_min_caps, \
    A_max_caps, \
    A_res_min, \
    A_res_max, \
    A_pax_flags, \
    A_fake_root_uid, \
    A_auid_exempt \
}

#ifdef __KERNEL__
/*
 * Per-device set of list handles for the fd attribute lists, one array per
 * compiled-in module, dimensioned by the *_NR_FD_LISTS constants.  Which
 * members exist depends on the CONFIG_RSBAC_* options, so the struct layout
 * varies with the kernel configuration.
 */
struct rsbac_fd_list_handles_t
{
    rsbac_list_handle_t gen[RSBAC_GEN_NR_FD_LISTS];
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac[RSBAC_MAC_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm[RSBAC_PM_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_DAZ)
    rsbac_list_handle_t daz[RSBAC_DAZ_NR_FD_LISTS];
    /* The "scanned" cache lists exist only with CONFIG_RSBAC_DAZ_CACHE. */
#if defined(CONFIG_RSBAC_DAZ_CACHE)
    rsbac_list_handle_t dazs[RSBAC_DAZ_SCANNED_NR_FD_LISTS];
#endif
#endif
#if defined(CONFIG_RSBAC_FF)
    rsbac_list_handle_t ff[RSBAC_FF_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc[RSBAC_RC_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_AUTH)
    rsbac_list_handle_t auth[RSBAC_AUTH_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_CAP)
    rsbac_list_handle_t cap[RSBAC_CAP_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_PAX)
    rsbac_list_handle_t pax[RSBAC_PAX_NR_FD_LISTS];
#endif
#if defined(CONFIG_RSBAC_RES)
    rsbac_list_handle_t res[RSBAC_RES_NR_FD_LISTS];
#endif
};
/*
 * One entry of the doubly-linked device list: a mounted device together with
 * its fd list handles and the dentry/inode of its RSBAC attribute directory.
 * Ownership of the dentry/super_block references is not visible here —
 * presumably taken when the item is added and dropped on removal; confirm in
 * the device-list code.
 */
struct rsbac_device_list_item_t
{
    kdev_t id;                                   /* device number this entry describes */
    struct dentry * d_covers;                    /* dentry the mount covers (presumably the mount point) */
    u_int mount_count;                           /* number of active mounts of this device (presumably) */
    struct rsbac_fd_list_handles_t handles;      /* fd attribute lists of this device */
    struct dentry * rsbac_dir_dentry_p;          /* dentry of the RSBAC_ACI_PATH directory on this device */
    struct super_block * sb_p;
    rsbac_inode_nr_t rsbac_dir_inode;            /* inode number of that directory */
    struct rsbac_device_list_item_t * prev;      /* list links, see rsbac_device_list_head_t */
    struct rsbac_device_list_item_t * next;
};
/*
 * Head of the device list.  The rwlock presumably guards head/tail/curr, count
 * and the item chain; take it for reading to walk the list and for writing to
 * modify it — confirm against the callers.
 */
struct rsbac_device_list_head_t
{
    struct rsbac_device_list_item_t * head;
    struct rsbac_device_list_item_t * tail;
    struct rsbac_device_list_item_t * curr;   /* cursor into the list (use not visible here) */
    rwlock_t lock;
    u_int count;                              /* number of items in the list */
};

#endif
/* Persisted names of the device attribute lists.  RC keeps a separate list keyed by major number ("devm_rc") next to the per-device one. */
#define RSBAC_GEN_ACI_DEV_NAME "dev_gen"
#define RSBAC_MAC_ACI_DEV_NAME "dev_mac"
#define RSBAC_PM_ACI_DEV_NAME "dev_pm"
#define RSBAC_RC_ACI_DEV_MAJOR_NAME "devm_rc"
#define RSBAC_RC_ACI_DEV_NAME "dev_rc"
/* GEN module attributes kept per device: logging arrays only.  Version 2 is current; version 1's layout is not declared here. */
#define RSBAC_GEN_DEV_ACI_VERSION 2
#define RSBAC_GEN_DEV_OLD_ACI_VERSION 1
#define RSBAC_GEN_DEV_ACI_KEY 1001

struct rsbac_gen_dev_aci_t
{
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
};
/* -1 in both arrays, as for fd objects. */
#define DEFAULT_GEN_DEV_ACI \
{ \
    .log_array_low = -1, \
    .log_array_high = -1, \
}

#if defined(CONFIG_RSBAC_MAC)
/* MAC module attributes kept per device.  Version 2 is current; the version 1 layout is not declared here. */
#define RSBAC_MAC_DEV_ACI_VERSION 2
#define RSBAC_MAC_DEV_OLD_ACI_VERSION 1
#define RSBAC_MAC_DEV_ACI_KEY 1001
struct rsbac_mac_dev_aci_t
{
    rsbac_security_level_t sec_level;
    rsbac_mac_category_vector_t mac_categories;
    __u8 mac_check;   /* FALSE by default: the device is not subject to MAC checks (presumably) */
};
#define DEFAULT_MAC_DEV_ACI \
{ \
    .sec_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_check = FALSE, \
}
#endif

#if defined(CONFIG_RSBAC_PM)
/* PM module attributes kept per device.  Note the member order (type before class) differs from rsbac_pm_fd_aci_t. */
#define RSBAC_PM_DEV_ACI_VERSION 2
#define RSBAC_PM_DEV_OLD_ACI_VERSION 1
#define RSBAC_PM_DEV_ACI_KEY 1001
struct rsbac_pm_dev_aci_t
{
    rsbac_pm_object_type_int_t pm_object_type;
    rsbac_pm_object_class_id_t pm_object_class;
};

#define DEFAULT_PM_DEV_ACI \
{ \
    .pm_object_type = PO_none, \
    .pm_object_class = 0, \
}
#endif

#if defined(CONFIG_RSBAC_RC)
/* RC device lists: version and key only; the single attribute is A_rc_type in RSBAC_DEV_ATTR_LIST. */
#define RSBAC_RC_DEV_ACI_VERSION 2
#define RSBAC_RC_DEV_OLD_ACI_VERSION 1
#define RSBAC_RC_DEV_ACI_KEY 1001
#endif

/* All device attributes; RSBAC_DEV_NR_ATTRIBUTES must equal the list length (8 at present). */
#define RSBAC_DEV_NR_ATTRIBUTES 8
#define RSBAC_DEV_ATTR_LIST { \
    A_security_level, \
    A_mac_categories, \
    A_mac_check, \
    A_pm_object_type, \
    A_pm_object_class, \
    A_rc_type, \
    A_log_array_low, \
    A_log_array_high \
}

#ifdef __KERNEL__
/* List handles for the device attribute lists; members exist only for compiled-in modules, so the layout is config-dependent. */
struct rsbac_dev_handles_t
{
    rsbac_list_handle_t gen;
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
};
#endif
/*
 * Persisted names of the IPC attribute lists.  The JAIL name is spelled
 * "ipc_jai" (not "ipc_jail"); since this is presumably the on-disk list name,
 * "fixing" it would orphan existing data.
 */
#define RSBAC_MAC_ACI_IPC_NAME "ipc_mac"
#define RSBAC_PM_ACI_IPC_NAME "ipc_pm"
#define RSBAC_RC_ACI_IPC_NAME "ipc_rc"
#define RSBAC_JAIL_ACI_IPC_NAME "ipc_jai"

#if defined(CONFIG_RSBAC_MAC)
/* MAC module attributes kept per IPC object: level and categories, unclassified/default by default. */
#define RSBAC_MAC_IPC_ACI_VERSION 1
#define RSBAC_MAC_IPC_ACI_KEY 1001
struct rsbac_mac_ipc_aci_t
{
    rsbac_security_level_t sec_level;
    rsbac_mac_category_vector_t mac_categories;
};
#define DEFAULT_MAC_IPC_ACI \
{ \
    .sec_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
}
#endif

#if defined(CONFIG_RSBAC_PM)
/* PM module attributes kept per IPC object.  Unlike fd/dev objects, IPC objects default to a fixed class (RSBAC_PM_IPC_OBJECT_CLASS_ID) and type PO_ipc. */
#define RSBAC_PM_IPC_ACI_VERSION 1
#define RSBAC_PM_IPC_ACI_KEY 1001
struct rsbac_pm_ipc_aci_t
{
    rsbac_pm_object_class_id_t pm_object_class;
    rsbac_pm_purpose_id_t pm_ipc_purpose;        /* 0 by default */
    rsbac_pm_object_type_int_t pm_object_type;
};
#define DEFAULT_PM_IPC_ACI \
{ \
    .pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
    .pm_ipc_purpose = 0, \
    .pm_object_type = PO_ipc, \
}
#endif

#if defined(CONFIG_RSBAC_RC)
/* RC IPC list: version and key only; the attribute is A_rc_type in RSBAC_IPC_ATTR_LIST. */
#define RSBAC_RC_IPC_ACI_VERSION 1
#define RSBAC_RC_IPC_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_JAIL)
/* JAIL IPC list: version and key only; the attribute is A_jail_id in RSBAC_IPC_ATTR_LIST. */
#define RSBAC_JAIL_IPC_ACI_VERSION 1
#define RSBAC_JAIL_IPC_ACI_KEY 1001
#endif

/* All IPC attributes; RSBAC_IPC_NR_ATTRIBUTES must equal the list length (7 at present). */
#define RSBAC_IPC_NR_ATTRIBUTES 7
#define RSBAC_IPC_ATTR_LIST { \
    A_security_level, \
    A_mac_categories, \
    A_pm_object_class, \
    A_pm_ipc_purpose, \
    A_pm_object_type, \
    A_rc_type, \
    A_jail_id \
}

#ifdef __KERNEL__
/* List handles for the IPC attribute lists.  There is no GEN list for IPC objects; every member is module-conditional, so the struct may be empty in a minimal config. */
struct rsbac_ipc_handles_t
{
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
#if defined(CONFIG_RSBAC_JAIL)
    rsbac_list_handle_t jail;
#endif
};
#endif
/* Persisted names of the per-module user attribute lists. */
#define RSBAC_GEN_ACI_USER_NAME "u_gen"
#define RSBAC_MAC_ACI_USER_NAME "u_mac"
#define RSBAC_PM_ACI_USER_NAME "u_pm"
#define RSBAC_DAZ_ACI_USER_NAME "u_daz"
#define RSBAC_FF_ACI_USER_NAME "u_ff"
#define RSBAC_RC_ACI_USER_NAME "u_rc"
#define RSBAC_AUTH_ACI_USER_NAME "u_auth"
#define RSBAC_CAP_ACI_USER_NAME "u_cap"
#define RSBAC_JAIL_ACI_USER_NAME "u_jail"
#define RSBAC_PAX_ACI_USER_NAME "u_pax"
#define RSBAC_RES_ACI_USER_NAME "u_res"

/* GEN module attributes kept per user: a pseudonym (presumably for anonymised logging) and a per-user log request vector. */
#define RSBAC_GEN_USER_ACI_VERSION 1
#define RSBAC_GEN_USER_ACI_KEY 1001
struct rsbac_gen_user_aci_t
{
    rsbac_pseudo_t pseudo;                    /* 0 = no pseudonym (default) */
    rsbac_request_vector_t log_user_based;    /* 0 = nothing extra logged (default) */
};
#define DEFAULT_GEN_U_ACI \
{ \
    .pseudo = (rsbac_pseudo_t) 0, \
    .log_user_based = 0, \
}

#if defined(CONFIG_RSBAC_MAC)
/*
 * MAC module attributes kept per user.  Version 4 is current; versions 3, 2
 * and 1 are declared below for reading old records.  The struct carries a
 * current, an initial and a minimum level/category set plus the system role
 * and user flags.
 */
#define RSBAC_MAC_USER_ACI_VERSION 4
#define RSBAC_MAC_USER_OLD_ACI_VERSION 3
#define RSBAC_MAC_USER_OLD_OLD_ACI_VERSION 2
#define RSBAC_MAC_USER_OLD_OLD_OLD_ACI_VERSION 1
#define RSBAC_MAC_USER_ACI_KEY 1001
struct rsbac_mac_user_aci_t
{
    rsbac_security_level_t security_level;
    rsbac_security_level_t initial_security_level;
    rsbac_security_level_t min_security_level;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_category_vector_t mac_initial_categories;
    rsbac_mac_category_vector_t mac_min_categories;
    rsbac_system_role_int_t system_role;        /* SR_user / SR_administrator / SR_security_officer / SR_auditor */
    rsbac_mac_user_flags_t mac_user_flags;
};
/* Version 3 layout: access_appr/min_access_appr naming, a mac_allow_auto boolean instead of user flags, no initial values. */
struct rsbac_mac_user_old_aci_t
{
    rsbac_security_level_t access_appr;
    rsbac_security_level_t min_access_appr;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_category_vector_t mac_min_categories;
    rsbac_system_role_int_t system_role;
    rsbac_boolean_int_t mac_allow_auto;
};
/* Version 2 layout: version 3 without mac_allow_auto. */
struct rsbac_mac_user_old_old_aci_t
{
    rsbac_security_level_t access_appr;
    rsbac_security_level_t min_access_appr;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_mac_category_vector_t mac_min_categories;
    rsbac_system_role_int_t system_role;
};
/* Version 1 layout (oldest still readable): level, categories and role only. */
struct rsbac_mac_user_old_old_old_aci_t
{
    rsbac_security_level_t access_appr;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_system_role_int_t system_role;
};
/*
 * Role-specific defaults for new users.  All four share the same levels and
 * categories and differ only in system_role and mac_user_flags; note that the
 * auditor default reuses RSBAC_MAC_DEF_U_FLAGS (the plain-user flags) rather
 * than a dedicated auditor flag set.
 */
#define DEFAULT_MAC_U_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_user, \
    .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
}
#define DEFAULT_MAC_U_SYSADM_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_administrator, \
    .mac_user_flags = RSBAC_MAC_DEF_SYSADM_U_FLAGS, \
}
#define DEFAULT_MAC_U_SECOFF_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_security_officer, \
    .mac_user_flags = RSBAC_MAC_DEF_SECOFF_U_FLAGS, \
}
#define DEFAULT_MAC_U_AUDITOR_ACI \
{ \
    .security_level = SL_unclassified, \
    .initial_security_level = SL_unclassified, \
    .min_security_level = SL_unclassified, \
    .mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .system_role = SR_auditor, \
    .mac_user_flags = RSBAC_MAC_DEF_U_FLAGS, \
}
#endif

#if defined(CONFIG_RSBAC_PM)
/* PM module attributes kept per user: task set and PM role.  Five role-specific defaults differ only in pm_role. */
#define RSBAC_PM_USER_ACI_VERSION 1
#define RSBAC_PM_USER_ACI_KEY 1001
struct rsbac_pm_user_aci_t
{
    rsbac_pm_task_set_id_t pm_task_set;   /* 0 by default */
    rsbac_pm_role_int_t pm_role;
};
#define DEFAULT_PM_U_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_user, \
}
#define DEFAULT_PM_U_SYSADM_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_system_admin, \
}
#define DEFAULT_PM_U_SECOFF_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_security_officer, \
}
#define DEFAULT_PM_U_DATAPROT_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_data_protection_officer, \
}
#define DEFAULT_PM_U_TPMAN_ACI \
{ \
    .pm_task_set = 0, \
    .pm_role = PR_tp_manager, \
}
#endif

#if defined(CONFIG_RSBAC_DAZ)
/* DAZ user list: version and key only; the attribute is A_daz_role in RSBAC_USER_ATTR_LIST. */
#define RSBAC_DAZ_USER_ACI_VERSION 1
#define RSBAC_DAZ_USER_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_FF)
/* FF user list: version and key only; the attribute is A_ff_role in RSBAC_USER_ATTR_LIST. */
#define RSBAC_FF_USER_ACI_VERSION 1
#define RSBAC_FF_USER_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_RC)
/*
 * RC module attributes kept per user: default role and user type.  Version 2
 * is current; the version 1 layout is not declared here.  The security
 * officer default maps to RSBAC_RC_ROLE_ADMIN_ROLE (the role-admin role), and
 * both secoff and auditor get RSBAC_RC_SEC_TYPE.
 */
#define RSBAC_RC_USER_ACI_VERSION 2
#define RSBAC_RC_USER_OLD_ACI_VERSION 1
#define RSBAC_RC_USER_ACI_KEY 1001
struct rsbac_rc_user_aci_t
{
    rsbac_rc_role_id_t rc_role;
    rsbac_rc_type_id_t rc_type;
};
#define DEFAULT_RC_U_ACI \
{ \
    .rc_role = RSBAC_RC_GENERAL_ROLE, \
    .rc_type = RSBAC_RC_GENERAL_TYPE, \
}
#define DEFAULT_RC_U_SYSADM_ACI \
{ \
    .rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
    .rc_type = RSBAC_RC_SYS_TYPE, \
}
#define DEFAULT_RC_U_SECOFF_ACI \
{ \
    .rc_role = RSBAC_RC_ROLE_ADMIN_ROLE, \
    .rc_type = RSBAC_RC_SEC_TYPE, \
}
#define DEFAULT_RC_U_AUDITOR_ACI \
{ \
    .rc_role = RSBAC_RC_AUDITOR_ROLE, \
    .rc_type = RSBAC_RC_SEC_TYPE, \
}
#endif

#if defined(CONFIG_RSBAC_AUTH)
/* AUTH user list: version and key only; the attribute is A_auth_role in RSBAC_USER_ATTR_LIST. */
#define RSBAC_AUTH_USER_ACI_VERSION 1
#define RSBAC_AUTH_USER_ACI_KEY 1001

#endif

#if defined(CONFIG_RSBAC_CAP)
/* CAP module attributes kept per user: a CAP role plus min/max capability vectors.  The four defaults differ only in cap_role. */
#define RSBAC_CAP_USER_ACI_VERSION 1
#define RSBAC_CAP_USER_ACI_KEY 1001
struct rsbac_cap_user_aci_t
{
    rsbac_system_role_int_t cap_role;
    rsbac_cap_vector_t min_caps;
    rsbac_cap_vector_t max_caps;
};
#define DEFAULT_CAP_U_ACI \
{ \
    .cap_role = SR_user, \
    .min_caps = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps = RSBAC_CAP_DEFAULT_MAX, \
}
#define DEFAULT_CAP_U_SYSADM_ACI \
{ \
    .cap_role = SR_administrator, \
    .min_caps = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps = RSBAC_CAP_DEFAULT_MAX, \
}
#define DEFAULT_CAP_U_SECOFF_ACI \
{ \
    .cap_role = SR_security_officer, \
    .min_caps = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps = RSBAC_CAP_DEFAULT_MAX, \
}
#define DEFAULT_CAP_U_AUDITOR_ACI \
{ \
    .cap_role = SR_auditor, \
    .min_caps = RSBAC_CAP_DEFAULT_MIN, \
    .max_caps = RSBAC_CAP_DEFAULT_MAX, \
}
#endif

#if defined(CONFIG_RSBAC_JAIL)
/* JAIL user list: version and key only; the attribute is A_jail_role in RSBAC_USER_ATTR_LIST. */
#define RSBAC_JAIL_USER_ACI_VERSION 1
#define RSBAC_JAIL_USER_ACI_KEY 1001
#endif

#if defined(CONFIG_RSBAC_PAX)
/* PAX user list: version and key only (attribute A_pax_role).  The key differs from both the 1001 default and the PAX fd key. */
#define RSBAC_PAX_USER_ACI_VERSION 1
#define RSBAC_PAX_USER_ACI_KEY 1001221
#endif

#if defined(CONFIG_RSBAC_RES)
/*
 * RES module attributes kept per user: a RES role plus min/max resource limit
 * arrays.  The four defaults differ only in res_role; every array is filled
 * with 11 RSBAC_RES_UNSET entries, which must match the length of
 * rsbac_res_array_t (a longer array would leave the tail zero-initialized,
 * not RSBAC_RES_UNSET).
 */
#define RSBAC_RES_USER_ACI_VERSION 1
#define RSBAC_RES_USER_ACI_KEY 1002
struct rsbac_res_user_aci_t
{
    rsbac_system_role_int_t res_role;
    rsbac_res_array_t res_min;
    rsbac_res_array_t res_max;
};
#define DEFAULT_RES_U_ACI \
{ \
    .res_role = SR_user, \
    .res_min = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
}
#define DEFAULT_RES_U_SYSADM_ACI \
{ \
    .res_role = SR_administrator, \
    .res_min = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    } \
}
#define DEFAULT_RES_U_SECOFF_ACI \
{ \
    .res_role = SR_security_officer, \
    .res_min = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    } \
}
#define DEFAULT_RES_U_AUDITOR_ACI \
{ \
    .res_role = SR_auditor, \
    .res_min = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    }, \
    .res_max = { \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET, \
        RSBAC_RES_UNSET \
    } \
}
#endif

/* All user attributes across every module; RSBAC_USER_NR_ATTRIBUTES must equal the list length (23 at present). */
#define RSBAC_USER_NR_ATTRIBUTES 23
#define RSBAC_USER_ATTR_LIST { \
    A_pseudo, \
    A_log_user_based, \
    A_security_level, \
    A_initial_security_level, \
    A_min_security_level, \
    A_mac_categories, \
    A_mac_initial_categories, \
    A_mac_min_categories, \
    A_mac_role, \
    A_mac_user_flags, \
    A_daz_role, \
    A_ff_role, \
    A_auth_role, \
    A_pm_task_set, \
    A_pm_role, \
    A_rc_def_role, \
    A_rc_type, \
    A_min_caps, \
    A_max_caps, \
    A_cap_role, \
    A_jail_role, \
    A_res_role, \
    A_pax_role \
}

#ifdef __KERNEL__
/* List handles for the user attribute lists, one per compiled-in module (config-dependent layout). */
struct rsbac_user_handles_t
{
    rsbac_list_handle_t gen;
#if defined(CONFIG_RSBAC_MAC)
    rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM)
    rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_DAZ)
    rsbac_list_handle_t daz;
#endif
#if defined(CONFIG_RSBAC_FF)
    rsbac_list_handle_t ff;
#endif
#if defined(CONFIG_RSBAC_RC)
    rsbac_list_handle_t rc;
#endif
#if defined(CONFIG_RSBAC_AUTH)
    rsbac_list_handle_t auth;
#endif
#if defined(CONFIG_RSBAC_CAP)
    rsbac_list_handle_t cap;
#endif
#if defined(CONFIG_RSBAC_JAIL)
    rsbac_list_handle_t jail;
#endif
#if defined(CONFIG_RSBAC_PAX)
    rsbac_list_handle_t pax;
#endif
#if defined(CONFIG_RSBAC_RES)
    rsbac_list_handle_t res;
#endif
};
#endif
/*
 * Names of the process attribute lists.  The GEN, MAC and RC names end in
 * '.', the others do not — presumably those three are split into several
 * sub-lists with a suffix appended, like the fd lists; confirm in the list
 * creation code.
 */
#define RSBAC_GEN_ACI_PROCESS_NAME "process_gen."
#define RSBAC_MAC_ACI_PROCESS_NAME "process_mac."
#define RSBAC_PM_ACI_PROCESS_NAME "process_pm"
#define RSBAC_DAZ_ACI_PROCESS_NAME "process_daz"
#define RSBAC_RC_ACI_PROCESS_NAME "process_rc."
#define RSBAC_AUTH_ACI_PROCESS_NAME "process_auth"
#define RSBAC_CAP_ACI_PROCESS_NAME "process_cap"
#define RSBAC_JAIL_ACI_PROCESS_NAME "process_jail"

/* GEN module attributes kept per process. */
#define RSBAC_GEN_PROCESS_ACI_VERSION 2
#define RSBAC_GEN_PROCESS_ACI_KEY 1001
struct rsbac_gen_process_aci_t
{
    rsbac_request_vector_t log_program_based;   /* 0 by default */
    rsbac_fake_root_uid_int_t fake_root_uid;    /* FR_off by default */
    rsbac_uid_t audit_uid;                      /* uid used for audit records; RSBAC_NO_USER = unset (default) */
    rsbac_uid_t auid_exempt;                    /* RSBAC_NO_USER = no exemption (default) */
    __u32 remote_ip;                            /* 32-bit, i.e. IPv4-sized; 0 = none (default) */
    rsbac_boolean_t kernel_thread;              /* initialised with 0 below, not with FALSE */
};
#define DEFAULT_GEN_P_ACI \
{ \
    .log_program_based = 0, \
    .fake_root_uid = FR_off, \
    .audit_uid = RSBAC_NO_USER, \
    .auid_exempt = RSBAC_NO_USER, \
    .remote_ip = 0, \
    .kernel_thread = 0, \
}

#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
/*
 * MAC module attributes kept per process (also compiled in maintenance mode).
 * Holds the owner's current/initial/minimum level and categories, the
 * process's current level and categories, the min-write / max-read bounds
 * and the process flags.
 */
#define RSBAC_MAC_PROCESS_ACI_VERSION 1
#define RSBAC_MAC_PROCESS_ACI_KEY 1001
struct rsbac_mac_process_aci_t
{
    rsbac_security_level_t owner_sec_level;
    rsbac_security_level_t owner_initial_sec_level;
    rsbac_security_level_t owner_min_sec_level;
    rsbac_mac_category_vector_t mac_owner_categories;
    rsbac_mac_category_vector_t mac_owner_initial_categories;
    rsbac_mac_category_vector_t mac_owner_min_categories;
    rsbac_security_level_t current_sec_level;
    rsbac_mac_category_vector_t mac_curr_categories;
    /* min_write_* start at the maximum (SL_max / RSBAC_MAC_MAX_CAT_VECTOR) and
     * max_read_* at the minimum, so presumably they track the lowest level
     * written to and the highest level read so far — confirm in the MAC
     * decision code. */
    rsbac_security_level_t min_write_open;
    rsbac_mac_category_vector_t min_write_categories;
    rsbac_security_level_t max_read_open;
    rsbac_mac_category_vector_t max_read_categories;
    rsbac_mac_process_flags_t mac_process_flags;
};
#define DEFAULT_MAC_P_ACI \
{ \
    .owner_sec_level = SL_unclassified, \
    .owner_initial_sec_level = SL_unclassified, \
    .owner_min_sec_level = SL_unclassified, \
    .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .current_sec_level = SL_unclassified, \
    .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
    .min_write_open = SL_max, \
    .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
    .max_read_open = SL_unclassified, \
    .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
    .mac_process_flags = RSBAC_MAC_DEF_P_FLAGS, \
}
01197 #define DEFAULT_MAC_P_INIT_ACI \
01198 { \
01199 .owner_sec_level = SL_unclassified, \
01200 .owner_initial_sec_level = SL_unclassified, \
01201 .owner_min_sec_level = SL_unclassified, \
01202 .mac_owner_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01203 .mac_owner_initial_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01204 .mac_owner_min_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01205 .current_sec_level = SL_unclassified, \
01206 .mac_curr_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
01207 .min_write_open = SL_max, \
01208 .min_write_categories = RSBAC_MAC_MAX_CAT_VECTOR, \
01209 .max_read_open = SL_unclassified, \
01210 .max_read_categories = RSBAC_MAC_MIN_CAT_VECTOR, \
01211 .mac_process_flags = RSBAC_MAC_DEF_INIT_P_FLAGS, \
01212 }
01213 #endif
01214
#if defined(CONFIG_RSBAC_PM)
/*
 * PM (privacy model) per-process state: the transformation procedure the
 * process runs as, its current task and its process type.  Bump
 * RSBAC_PM_PROCESS_ACI_VERSION on any layout change.
 */
#define RSBAC_PM_PROCESS_ACI_VERSION 1
#define RSBAC_PM_PROCESS_ACI_KEY 1001
struct rsbac_pm_process_aci_t
{
	rsbac_pm_tp_id_t pm_tp;				/* 0 = none */
	rsbac_pm_task_id_t pm_current_task;		/* 0 = none */
	rsbac_pm_process_type_int_t pm_process_type;	/* PP_none by default */
};
#define DEFAULT_PM_P_ACI \
{ \
.pm_tp = 0, \
.pm_current_task = 0, \
.pm_process_type = PP_none, \
}
#endif
01231
#if defined(CONFIG_RSBAC_DAZ)
/*
 * DAZ per-process state: whether this process is the (trusted) scanner.
 * Processes default to FALSE; the code that grants TRUE is not in this
 * header and is security-critical, since a scanner is presumably exempt
 * from the DAZ checks.
 */
#define RSBAC_DAZ_PROCESS_ACI_VERSION 1
#define RSBAC_DAZ_PROCESS_ACI_KEY 1001
struct rsbac_daz_process_aci_t
{
	rsbac_boolean_int_t daz_scanner;
};
#define DEFAULT_DAZ_P_ACI \
{ \
.daz_scanner = FALSE, \
}
#endif
01244
#if defined(CONFIG_RSBAC_RC)
/*
 * RC (role compatibility) per-process state.  Three defaults are provided:
 * ordinary processes start in the general role, while both the init
 * process and kernel threads start in RSBAC_RC_SYSTEM_ADMIN_ROLE (kernel
 * threads additionally get CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE).  Anything
 * that inherits the init/kernel default therefore inherits the admin role
 * -- confirm where these defaults are applied.
 */
#define RSBAC_RC_PROCESS_ACI_VERSION 1
#define RSBAC_RC_PROCESS_ACI_KEY 1001
struct rsbac_rc_process_aci_t
{
	rsbac_rc_role_id_t rc_role;		/* current role */
	rsbac_rc_type_id_t rc_type;		/* type of the process as an object */
	rsbac_rc_role_id_t rc_force_role;	/* RC_default_force_role by default */
};
/* Ordinary process. */
#define DEFAULT_RC_P_ACI \
{ \
.rc_role = RSBAC_RC_GENERAL_ROLE, \
.rc_type = RSBAC_RC_GENERAL_TYPE, \
.rc_force_role = RC_default_force_role, \
}
/* Init process: system-admin role, general type. */
#define DEFAULT_RC_P_INIT_ACI \
{ \
.rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
.rc_type = RSBAC_RC_GENERAL_TYPE, \
.rc_force_role = RC_default_force_role, \
}
/* Kernel thread: system-admin role, configured kernel process type. */
#define DEFAULT_RC_P_KERNEL_ACI \
{ \
.rc_role = RSBAC_RC_SYSTEM_ADMIN_ROLE, \
.rc_type = CONFIG_RSBAC_RC_KERNEL_PROCESS_TYPE, \
.rc_force_role = RC_default_force_role, \
}
#endif
01273
#if defined(CONFIG_RSBAC_AUTH)
/*
 * AUTH per-process state.  auth_may_setuid / auth_may_set_cap are the
 * per-process overrides of the AUTH checks (FALSE by default).
 *
 * NOTE(review): the learning-mode members are only compiled in for
 * __KERNEL__, so a userspace build that defines CONFIG_RSBAC_AUTH_LEARN
 * sees a smaller struct than the kernel.  That is fine as long as the
 * struct never crosses the kernel/user boundary as a whole (the attribute
 * list below suggests per-attribute access) -- verify.
 */
#define RSBAC_AUTH_PROCESS_ACI_VERSION 1
#define RSBAC_AUTH_PROCESS_ACI_KEY 1001
struct rsbac_auth_process_aci_t
{
	__u8 auth_may_setuid;
	__u8 auth_may_set_cap;
	rsbac_uid_t auth_last_auth;		/* RSBAC_NO_USER when not set */
#if defined(CONFIG_RSBAC_AUTH_LEARN) && defined(__KERNEL__)
	struct rsbac_fs_file_t auth_program_file;	/* program being learned */
	rsbac_uid_t auth_start_uid;
#ifdef CONFIG_RSBAC_AUTH_DAC_OWNER
	rsbac_uid_t auth_start_euid;
#endif
#ifdef CONFIG_RSBAC_AUTH_GROUP
	rsbac_gid_t auth_start_gid;
#ifdef CONFIG_RSBAC_AUTH_DAC_GROUP
	rsbac_gid_t auth_start_egid;
#endif
#endif
	__u8 auth_learn;			/* 0 = learning off */
#endif
};

#if defined(CONFIG_RSBAC_AUTH_LEARN)
/*
 * NOTE(review): auth_start_uid defaults to 0 (uid 0), unlike
 * auth_last_auth which uses RSBAC_NO_USER -- presumably it is always
 * overwritten at exec before being read; confirm.  The optional
 * euid/gid/egid members are not named here and are therefore
 * zero-initialised by the designated initializer.
 */
#define DEFAULT_AUTH_P_ACI \
{ \
.auth_may_setuid = FALSE, \
.auth_may_set_cap = FALSE, \
.auth_last_auth = RSBAC_NO_USER, \
.auth_program_file = { RSBAC_ZERO_DEV, 0, NULL }, \
.auth_start_uid = 0, \
.auth_learn = 0, \
}
#else
#define DEFAULT_AUTH_P_ACI \
{ \
.auth_may_setuid = FALSE, \
.auth_may_set_cap = FALSE, \
.auth_last_auth = RSBAC_NO_USER, \
}
#endif
#endif
01317
01318
#if defined(CONFIG_RSBAC_CAP)
/*
 * CAP per-process state.  Note the list key (10013283) differs from the
 * 1001 used by the other process lists in this file -- keep it that way
 * only if the list code relies on it; it looks deliberate but is
 * undocumented here.  With CONFIG_RSBAC_CAP_LOG_MISSING the effective
 * user/program capability ceilings are also recorded.
 */
#define RSBAC_CAP_PROCESS_ACI_VERSION 1
#define RSBAC_CAP_PROCESS_ACI_KEY 10013283
struct rsbac_cap_process_aci_t
{
	rsbac_cap_process_hiding_int_t cap_process_hiding;	/* PH_off by default */
#ifdef CONFIG_RSBAC_CAP_LOG_MISSING
	rsbac_cap_vector_t max_caps_user;		/* RSBAC_CAP_DEFAULT_MAX by default */
	rsbac_cap_vector_t max_caps_program;		/* RSBAC_CAP_DEFAULT_MAX by default */
#endif
};

#ifdef CONFIG_RSBAC_CAP_LOG_MISSING
#define DEFAULT_CAP_P_ACI \
{ \
.cap_process_hiding = PH_off, \
.max_caps_user = RSBAC_CAP_DEFAULT_MAX, \
.max_caps_program = RSBAC_CAP_DEFAULT_MAX, \
}
#else
#define DEFAULT_CAP_P_ACI \
{ \
.cap_process_hiding = PH_off, \
}
#endif
#endif
01345
#if defined(CONFIG_RSBAC_JAIL)
/*
 * JAIL per-process state.  The default is the unrestricted one: id 0
 * (presumably "not jailed"), no IP binding, no flags, and max_caps = -1,
 * which is all bits set if rsbac_cap_vector_t is unsigned (declared
 * elsewhere) -- i.e. no capability restriction until a jail is entered.
 * Bump RSBAC_JAIL_PROCESS_ACI_VERSION on any layout change.
 */
#define RSBAC_JAIL_PROCESS_ACI_VERSION 1
#define RSBAC_JAIL_PROCESS_ACI_KEY 1001
struct rsbac_jail_process_aci_t
{
	rsbac_jail_id_t id;
	rsbac_jail_ip_t ip;
	rsbac_jail_flags_t flags;
	rsbac_cap_vector_t max_caps;		/* capability ceiling inside the jail */
	rsbac_jail_scd_vector_t scd_get;	/* SCD targets the jail may read */
	rsbac_jail_scd_vector_t scd_modify;	/* SCD targets the jail may modify */
};
#define DEFAULT_JAIL_P_ACI \
{ \
.id = 0, \
.ip = 0, \
.flags = 0, \
.max_caps = -1, \
.scd_get = 0, \
.scd_modify = 0, \
}
#endif
01368
/*
 * Attributes that may be queried/set on a process target, across all
 * modules (the list is not conditional on CONFIG_RSBAC_*).
 * RSBAC_PROCESS_NR_ATTRIBUTES must equal the number of entries below
 * (currently 36); update both together.
 */
#define RSBAC_PROCESS_NR_ATTRIBUTES 36
#define RSBAC_PROCESS_ATTR_LIST { \
A_security_level, \
A_min_security_level, \
A_mac_categories, \
A_mac_min_categories, \
A_current_sec_level, \
A_mac_curr_categories, \
A_min_write_open, \
A_min_write_categories, \
A_max_read_open, \
A_max_read_categories, \
A_mac_process_flags, \
A_pm_tp, \
A_pm_current_task, \
A_pm_process_type, \
A_daz_scanner, \
A_rc_role, \
A_rc_type, \
A_rc_force_role, \
A_auth_may_setuid, \
A_auth_may_set_cap, \
A_auth_learn, \
A_cap_process_hiding, \
A_max_caps_user, \
A_max_caps_program, \
A_jail_id, \
A_jail_ip, \
A_jail_flags, \
A_jail_max_caps, \
A_jail_scd_get, \
A_jail_scd_modify, \
A_log_program_based, \
A_fake_root_uid, \
A_audit_uid, \
A_auid_exempt, \
A_auth_last_auth, \
A_remote_ip \
}
01408
#ifdef __KERNEL__
/*
 * List handles for the per-process attribute lists, one per compiled-in
 * module.  gen, mac, rc and jail are split over several lists
 * (CONFIG_RSBAC_*_NR_P_LISTS), presumably sharded by pid to reduce lock
 * contention -- confirm in the list code.
 */
struct rsbac_process_handles_t
{
	rsbac_list_handle_t gen[CONFIG_RSBAC_GEN_NR_P_LISTS];
#if defined(CONFIG_RSBAC_MAC)
	rsbac_list_handle_t mac[CONFIG_RSBAC_MAC_NR_P_LISTS];
#endif
#if defined(CONFIG_RSBAC_PM)
	rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_DAZ)
	rsbac_list_handle_t daz;
#endif
#if defined(CONFIG_RSBAC_RC)
	rsbac_list_handle_t rc[CONFIG_RSBAC_RC_NR_P_LISTS];
#endif
#if defined(CONFIG_RSBAC_AUTH)
	rsbac_list_handle_t auth;
#endif
#if defined(CONFIG_RSBAC_CAP)
	rsbac_list_handle_t cap;
#endif
#if defined(CONFIG_RSBAC_JAIL)
	rsbac_list_handle_t jail[CONFIG_RSBAC_JAIL_NR_P_LISTS];
#endif
};
#endif
01436
01437
01438
01439
01440
01441
/* Group targets: only the RC type is stored, and only with RC_UM_PROT. */
#define RSBAC_RC_ACI_GROUP_NAME "grouprc"

/*
 * No item struct is declared for the group list; the single attribute is
 * presumably stored as a bare rsbac_rc_type_id_t -- confirm in the list
 * registration code.
 */
#if defined(CONFIG_RSBAC_RC_UM_PROT)
#define RSBAC_RC_GROUP_ACI_VERSION 1
#define RSBAC_RC_GROUP_ACI_KEY 13276142
#endif

/* Must equal the number of entries in RSBAC_GROUP_ATTR_LIST (currently 1). */
#define RSBAC_GROUP_NR_ATTRIBUTES 1
#define RSBAC_GROUP_ATTR_LIST { \
A_rc_type \
}
01455
#ifdef __KERNEL__
/* List handles for group targets; empty unless RC_UM_PROT is configured. */
struct rsbac_group_handles_t
{
#if defined(CONFIG_RSBAC_RC_UM_PROT)
	rsbac_list_handle_t rc;
#endif
};
#endif
01464
01465
01466
01467
/* Network-device targets: per-device logging levels (GEN) and an RC type. */
#define RSBAC_GEN_ACI_NETDEV_NAME "nd_gen"
#define RSBAC_RC_ACI_NETDEV_NAME "nd_rc"

/*
 * Per-device log level arrays.  -1 as the default is all bits set for an
 * unsigned rsbac_log_array_t (declared elsewhere); what that means for
 * logging ("inherit"/"all") is decided by the logging code, not here.
 */
#define RSBAC_GEN_NETDEV_ACI_VERSION 1
#define RSBAC_GEN_NETDEV_ACI_KEY 1001
struct rsbac_gen_netdev_aci_t
{
	rsbac_log_array_t log_array_low;
	rsbac_log_array_t log_array_high;
};
#define DEFAULT_GEN_NETDEV_ACI \
{ \
.log_array_low = -1, \
.log_array_high = -1, \
}

/* No item struct: the RC netdev list presumably stores a bare rsbac_rc_type_id_t. */
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
#define RSBAC_RC_NETDEV_ACI_VERSION 1
#define RSBAC_RC_NETDEV_ACI_KEY 1001
#endif

/* Must equal the number of entries in RSBAC_NETDEV_ATTR_LIST (currently 3). */
#define RSBAC_NETDEV_NR_ATTRIBUTES 3
#define RSBAC_NETDEV_ATTR_LIST { \
A_rc_type, \
A_log_array_low, \
A_log_array_high \
}
01495
#ifdef __KERNEL__
/*
 * List handles for network-device targets.  NOTE(review): the gen handle
 * exists only with CONFIG_RSBAC_IND_NETDEV_LOG, while A_log_array_low/high
 * are listed unconditionally in RSBAC_NETDEV_ATTR_LIST; the attribute code
 * must therefore cope with the handle being absent.
 */
struct rsbac_netdev_handles_t
{
#if defined(CONFIG_RSBAC_IND_NETDEV_LOG)
	rsbac_list_handle_t gen;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
	rsbac_list_handle_t rc;
#endif
};
#endif
01507
01508
01509
01510
/*
 * Network templates (nt_*) and local/remote network objects (lnetobj_* /
 * rnetobj_*): list names per module.
 */
#define RSBAC_GEN_ACI_NETTEMP_NAME "nt_gen"
#define RSBAC_MAC_ACI_NETTEMP_NAME "nt_mac"
#define RSBAC_PM_ACI_NETTEMP_NAME "nt_pm"
#define RSBAC_RC_ACI_NETTEMP_NAME "nt_rc"

#define RSBAC_MAC_ACI_LNETOBJ_NAME "lnetobj_mac"
#define RSBAC_PM_ACI_LNETOBJ_NAME "lnetobj_pm"
#define RSBAC_RC_ACI_LNETOBJ_NAME "lnetobj_rc"
#define RSBAC_MAC_ACI_RNETOBJ_NAME "rnetobj_mac"
#define RSBAC_PM_ACI_RNETOBJ_NAME "rnetobj_pm"
#define RSBAC_RC_ACI_RNETOBJ_NAME "rnetobj_rc"

/*
 * GEN network-object item: log level arrays, same shape and -1 default as
 * the netdev variant above.
 */
#define RSBAC_GEN_NETOBJ_ACI_VERSION 1
#define RSBAC_GEN_NETOBJ_ACI_KEY 1001
struct rsbac_gen_netobj_aci_t
{
	rsbac_log_array_t log_array_low;
	rsbac_log_array_t log_array_high;
};
#define DEFAULT_GEN_NETOBJ_ACI \
{ \
.log_array_low = -1, \
.log_array_high = -1, \
}
01535
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
/* MAC label of a network object: one level plus a category set. */
#define RSBAC_MAC_NETOBJ_ACI_VERSION 1
#define RSBAC_MAC_NETOBJ_ACI_KEY 1001
struct rsbac_mac_netobj_aci_t
{
	rsbac_security_level_t sec_level;
	rsbac_mac_category_vector_t mac_categories;
};
/* Unlabelled objects are treated as the lowest level with the default categories. */
#define DEFAULT_MAC_NETOBJ_ACI \
{ \
.sec_level = SL_unclassified, \
.mac_categories = RSBAC_MAC_DEF_CAT_VECTOR, \
}
#endif
01550
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
/* PM attributes of a network object; defaults classify it as an IPC object. */
#define RSBAC_PM_NETOBJ_ACI_VERSION 1
#define RSBAC_PM_NETOBJ_ACI_KEY 1001
struct rsbac_pm_netobj_aci_t
{
	rsbac_pm_object_class_id_t pm_object_class;
	rsbac_pm_purpose_id_t pm_ipc_purpose;		/* 0 = no purpose set */
	rsbac_pm_object_type_int_t pm_object_type;
};
#define DEFAULT_PM_NETOBJ_ACI \
{ \
.pm_object_class = RSBAC_PM_IPC_OBJECT_CLASS_ID, \
.pm_ipc_purpose = 0, \
.pm_object_type = PO_ipc, \
}
#endif
01567
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
/*
 * RC attributes for network objects and templates.  The netobj list
 * (key 1001) has no item struct here and presumably stores a bare
 * rsbac_rc_type_id_t; the template list (key 1002) stores two types: the
 * type given to objects matching the template and the type of the
 * template itself (A_rc_type / A_rc_type_nt in the attribute list below).
 */
#define RSBAC_RC_NETOBJ_ACI_VERSION 1
#define RSBAC_RC_NETOBJ_ACI_KEY 1001
#define RSBAC_RC_NETTEMP_ACI_VERSION 1
#define RSBAC_RC_NETTEMP_ACI_KEY 1002

struct rsbac_rc_nettemp_aci_t
{
	rsbac_rc_type_id_t netobj_type;		/* type for objects matching the template */
	rsbac_rc_type_id_t nettemp_type;	/* type of the template itself */
};
#define DEFAULT_RC_NETTEMP_ACI \
{ \
.netobj_type = RSBAC_RC_GENERAL_TYPE, \
.nettemp_type = RSBAC_RC_GENERAL_TYPE, \
}
#endif
01585
/*
 * Attribute lists for network templates (9 entries) and network objects
 * (16 entries; every attribute exists in a local and a remote flavour).
 * The *_NR_ATTRIBUTES counts must match the list lengths -- update both.
 */
#define RSBAC_NETTEMP_NR_ATTRIBUTES 9
#define RSBAC_NETTEMP_ATTR_LIST { \
A_security_level, \
A_mac_categories, \
A_pm_object_class, \
A_pm_ipc_purpose, \
A_pm_object_type, \
A_rc_type, \
A_rc_type_nt, \
A_log_array_low, \
A_log_array_high \
}

#define RSBAC_NETOBJ_NR_ATTRIBUTES 16
#define RSBAC_NETOBJ_ATTR_LIST { \
A_local_sec_level, \
A_remote_sec_level, \
A_local_mac_categories, \
A_remote_mac_categories, \
A_local_pm_object_class, \
A_remote_pm_object_class, \
A_local_pm_ipc_purpose, \
A_remote_pm_ipc_purpose, \
A_local_pm_object_type, \
A_remote_pm_object_type, \
A_local_rc_type, \
A_remote_rc_type, \
A_local_log_array_low, \
A_remote_log_array_low, \
A_local_log_array_high, \
A_remote_log_array_high \
}
01618
#ifdef __KERNEL__
/*
 * List handles for network templates and for local/remote network objects.
 * The template gen list only exists with CONFIG_RSBAC_IND_NETOBJ_LOG, as
 * for netdev above; the netobj handle structs have no gen member at all,
 * so per-object log arrays are presumably looked up through the template.
 */
struct rsbac_nettemp_handles_t
{
#if defined(CONFIG_RSBAC_IND_NETOBJ_LOG)
	rsbac_list_handle_t gen;
#endif
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
	rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
	rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
	rsbac_list_handle_t rc;
#endif
};

/* Local endpoint of a network object. */
struct rsbac_lnetobj_handles_t
{
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
	rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
	rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
	rsbac_list_handle_t rc;
#endif
};
/* Remote endpoint of a network object; same layout as the local one. */
struct rsbac_rnetobj_handles_t
{
#if defined(CONFIG_RSBAC_MAC) || defined(CONFIG_RSBAC_MAC_MAINT)
	rsbac_list_handle_t mac;
#endif
#if defined(CONFIG_RSBAC_PM) || defined(CONFIG_RSBAC_PM_MAINT)
	rsbac_list_handle_t pm;
#endif
#if defined(CONFIG_RSBAC_RC) || defined(CONFIG_RSBAC_RC_MAINT)
	rsbac_list_handle_t rc;
#endif
};
#endif
01661
01662
01663
01664
01665
01666
01667 #ifdef __KERNEL__
/* Device holding the persistent ACI data; defined and set elsewhere. */
extern kdev_t rsbac_root_dev;

/*
 * Open the named ACI file on the given device for reading; *file is
 * filled in.  The return convention is not visible here -- presumably
 * 0 / negative errno like the rest of the kernel.  The path is declared
 * non-const; tightening it would require changing the definition too.
 */
int rsbac_read_open (char *,
		     struct file *,
		     kdev_t);

/* Same as rsbac_read_open() but for writing. */
int rsbac_write_open(char *,
		     struct file *,
		     kdev_t);

/* Release a file obtained from rsbac_read_open(). */
void rsbac_read_close(struct file *);

/* Release a file obtained from rsbac_write_open(). */
void rsbac_write_close(struct file *);

/*
 * Presumably serialises writers of the ACI files so that concurrent
 * saves cannot interleave; verify which code paths take it before
 * adding a new writer.
 */
extern struct semaphore rsbac_write_sem;
01683
01684
01685
01686
01687
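/*
 * Thin wrapper around read_lock().  flags_p is accepted for signature
 * compatibility but unused: this is NOT an irqsave variant and does not
 * touch the interrupt state.  'extern inline' is the gnu89 kernel idiom
 * for "inline only, never emit an out-of-line body"; keep it unless the
 * header is compiled as C99, where the meaning differs.
 */
extern inline void rsbac_read_lock(rwlock_t * lock_p, u_long * flags_p)
{
	read_lock(lock_p);
}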
01692
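/*
 * Thin wrapper around read_unlock(); pairs with rsbac_read_lock().
 * flags_p is unused (no interrupt state is restored).
 */
extern inline void rsbac_read_unlock(rwlock_t * lock_p, u_long * flags_p)
{
	read_unlock(lock_p);
}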
01697
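/*
 * Thin wrapper around write_lock().  flags_p is unused: interrupts are
 * neither disabled nor saved, so this must not be taken from a path that
 * can race with an interrupt handler taking the same lock.
 */
extern inline void rsbac_write_lock(rwlock_t * lock_p, u_long * flags_p)
{
	write_lock(lock_p);
}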
01702
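/*
 * Thin wrapper around write_unlock(); pairs with rsbac_write_lock().
 * flags_p is unused.
 */
extern inline void rsbac_write_unlock(rwlock_t * lock_p, u_long * flags_p)
{
	write_unlock(lock_p);
}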
01707
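/*
 * Wrapper around write_lock_irq(): disables local interrupts and takes
 * the lock.  flags_p is unused -- the previous interrupt state is NOT
 * saved, so the matching rsbac_write_unlock_irq() will re-enable
 * interrupts unconditionally.  Only safe from process context with
 * interrupts enabled; if callers can arrive with interrupts already
 * off, this and its partner should become an irqsave/irqrestore pair
 * that actually uses flags_p.
 */
extern inline void rsbac_write_lock_irq(rwlock_t * lock_p, u_long * flags_p)
{
	write_lock_irq(lock_p);
}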
01712
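/*
 * Wrapper around write_unlock_irq(): releases the lock and re-enables
 * local interrupts unconditionally (flags_p is unused, so no saved
 * state is restored).  Pairs with rsbac_write_lock_irq().
 */
extern inline void rsbac_write_unlock_irq(rwlock_t * lock_p, u_long * flags_p)
{
	write_unlock_irq(lock_p);
}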
01717
01718 #endif
01719
01720
01721
01722
01723
01724 #ifdef __KERNEL__
01725
01726 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
/*
 * Take a reference on dentry's parent and lock the parent directory's
 * inode.  The returned dentry must be released with unlock_dir(), which
 * drops both the lock and the reference.
 *
 * NOTE(review): this definition already sits inside the
 * LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) guard above, so the inner
 * version test is always true and the down(&...i_sem) branch is dead.
 * inode->i_mutex replaced i_sem only in 2.6.16 (earlier 2.6 kernels
 * would fail to compile here); if those are targeted, the inner test
 * should be against KERNEL_VERSION(2,6,16).
 * NOTE(review): d_parent is read without d_lock, so a concurrent rename
 * can change it under us; callers must pin the parent by other means, or
 * use dget_parent() where the kernel provides it.
 */
static inline struct dentry *lock_parent(struct dentry *dentry)
{
	struct dentry *dir = dget(dentry->d_parent);	/* dropped by unlock_dir() */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
	mutex_lock(&dir->d_inode->i_mutex);
#else
	down(&dir->d_inode->i_sem);
#endif
	return dir;
}
01737
/*
 * Counterpart of lock_parent(): unlock the directory inode and drop the
 * reference lock_parent() took.  The inner version test is redundant
 * here for the same reason as in lock_parent() (outer guard is 2.6.0).
 */
static inline void unlock_dir(struct dentry *dir)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
	mutex_unlock(&dir->d_inode->i_mutex);
#else
	up(&dir->d_inode->i_sem);
#endif
	dput(dir);
}
01747
01748 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
/*
 * Acquire two mutexes in a fixed global order (higher address first) so
 * that two callers locking the same pair in opposite argument order
 * cannot deadlock against each other.  Passing the same mutex twice
 * locks it exactly once.
 */
static inline void double_mutex_lock(struct mutex *m1, struct mutex *m2)
{
	struct mutex *first = m1;
	struct mutex *second = m2;

	if (first == second) {
		mutex_lock(first);
		return;
	}
	if ((unsigned long) first < (unsigned long) second) {
		first = m2;
		second = m1;
	}
	mutex_lock(first);
	mutex_lock(second);
}
01760
/*
 * Release the mutexes taken by double_mutex_lock().  Release order does
 * not matter for deadlock avoidance; a mutex passed twice is released
 * once.
 */
static inline void double_mutex_unlock(struct mutex *m1, struct mutex *m2)
{
	mutex_unlock(m1);
	if (m1 == m2)
		return;
	mutex_unlock(m2);
}
01767 #else
/*
 * Pre-2.6 variant of double_mutex_lock() for inode semaphores: take two
 * semaphores in address order (higher first) so that opposite-order
 * callers cannot deadlock; a semaphore passed twice is taken once.
 */
static inline void double_down(struct semaphore *s1, struct semaphore *s2)
{
	struct semaphore *first = s1;
	struct semaphore *second = s2;

	if (first == second) {
		down(first);
		return;
	}
	if ((unsigned long) first < (unsigned long) second) {
		first = s2;
		second = s1;
	}
	down(first);
	down(second);
}
01779
/*
 * Release the semaphores taken by double_down(); a semaphore passed
 * twice is released once.
 */
static inline void double_up(struct semaphore *s1, struct semaphore *s2)
{
	up(s1);
	if (s1 == s2)
		return;
	up(s2);
}
01786 #endif
01787
/*
 * Lock the inodes of two dentries in a consistent (address) order via
 * double_mutex_lock() / double_down().  Takes no dentry references; the
 * matching double_unlock() does dput() both, so callers must already
 * hold a reference on each (e.g. from lock_parent()).  The inner
 * version test is redundant under the 2.6.0 guard around this section.
 */
static inline void double_lock(struct dentry *d1, struct dentry *d2)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
	double_mutex_lock(&d1->d_inode->i_mutex, &d2->d_inode->i_mutex);
#else
	double_down(&d1->d_inode->i_sem, &d2->d_inode->i_sem);
#endif
}
01796
/*
 * Counterpart of double_lock(): unlock both inodes, then drop one
 * reference on each dentry.  Note the asymmetry -- double_lock() takes
 * no references -- so this consumes references the caller obtained
 * beforehand; calling it without them underflows the dentry refcount.
 */
static inline void double_unlock(struct dentry *d1, struct dentry *d2)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
	double_mutex_unlock(&d1->d_inode->i_mutex,&d2->d_inode->i_mutex);
#else
	double_up(&d1->d_inode->i_sem,&d2->d_inode->i_sem);
#endif
	dput(d1);
	dput(d2);
}
01807 #else
01808 extern inline struct dentry *lock_parent(struct dentry *dentry);
01809 #endif
01810
01811 #endif
01812
01813 #endif